Create Windows 10 Kernel-based Virtual Machine (KVM) on Linux Debian server

There are many tutorials out there about how to create a KVM guest, but not many go into detail on how to do it when the guest OS is Windows, and information on the problems you may encounter is scarce. This is why I decided to put the steps down in brief and describe the problems I had to deal with.

This guide assumes you already have a working Debian 9 installation /the steps should in general work for Debian 10 as well/. Commands have to be executed as root.

Before you start it is a good idea to check some hardware capabilities of the host computer, especially if it is not relatively new.

First you need to check if your CPU supports virtualisation; to do this run the command:

egrep -c '(vmx|svm)' /proc/cpuinfo

If the output of the command is 1 or 2 you are good, 0 means no go for you.

Then you need to check if hardware virtualisation is enabled and, if not, change the setting in your BIOS. Run this command and read the output:

dmesg | grep "disabled by bios"

If the output is “kvm: disabled by bios” you need to alter the BIOS settings, otherwise you are fine.
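Added example, not part of the original post: the two checks above combined into a small POSIX shell pre-flight script. It reads the CPU flags and the kernel log from files so the logic can be exercised against constructed samples; on a real host you would point it at /proc/cpuinfo and a saved copy of the dmesg output. The function names, the verdict words and the sample file contents are my own.

```shell
#!/bin/sh
# Added example (not the post's own commands): pre-flight checks for a KVM host.
# Inputs are file paths so the functions can run on constructed samples.
# On a real host:  dmesg > /tmp/dmesg.txt && kvm_verdict /proc/cpuinfo /tmp/dmesg.txt

# virt_flag_count CPUINFO_FILE: number of "flags" lines advertising Intel VT-x (vmx)
# or AMD-V (svm); this is the same count the post's egrep command prints.
virt_flag_count() {
    grep -Ec '(vmx|svm)' "$1" || true   # grep exits 1 on zero matches but still prints 0
}

# bios_disabled DMESG_FILE: "yes" when the kernel reported that firmware disabled KVM.
bios_disabled() {
    if grep -q 'kvm: disabled by bios' "$1"; then echo yes; else echo no; fi
}

# kvm_verdict CPUINFO_FILE DMESG_FILE: one word summarising whether the host can run KVM.
kvm_verdict() {
    n=$(virt_flag_count "$1")
    if [ "$n" -eq 0 ]; then
        echo no-cpu-support        # no vmx/svm flag on any CPU: KVM cannot work here
    elif [ "$(bios_disabled "$2")" = yes ]; then
        echo disabled-in-bios      # CPU supports it, but the BIOS/UEFI setting is off
    else
        echo ok
    fi
}

# --- constructed samples (not real host output) -----------------------------
SAMPLE_CPUINFO_VT=$(mktemp)
cat > "$SAMPLE_CPUINFO_VT" <<'EOF'
processor : 0
flags     : fpu vme de pse tsc msr pae mce cx8 apic sep vmx ssse3 sse4_1 sse4_2
processor : 1
flags     : fpu vme de pse tsc msr pae mce cx8 apic sep vmx ssse3 sse4_1 sse4_2
EOF

SAMPLE_CPUINFO_NOVT=$(mktemp)
cat > "$SAMPLE_CPUINFO_NOVT" <<'EOF'
processor : 0
flags     : fpu vme de pse tsc msr pae mce cx8 apic sep ssse3 sse4_1 sse4_2
EOF

SAMPLE_DMESG_OK=$(mktemp)
printf '[    0.000000] Linux version 4.9.0-constructed-sample\n' > "$SAMPLE_DMESG_OK"

SAMPLE_DMESG_BIOS=$(mktemp)
printf '[    1.234567] kvm: disabled by bios\n' > "$SAMPLE_DMESG_BIOS"

echo "vt-capable host, kvm enabled:   $(kvm_verdict "$SAMPLE_CPUINFO_VT" "$SAMPLE_DMESG_OK")"
echo "vt-capable host, bios disabled: $(kvm_verdict "$SAMPLE_CPUINFO_VT" "$SAMPLE_DMESG_BIOS")"
echo "host without vmx/svm:           $(kvm_verdict "$SAMPLE_CPUINFO_NOVT" "$SAMPLE_DMESG_OK")"
```

The verdict is deliberately a single word so the script can be dropped into a provisioning check (`[ "$(kvm_verdict ...)" = ok ] || exit 1`) before the rather long package installation below is started.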

When ready you need to install quite a lot of packages, so in your terminal type the command:

apt-get install --no-install-recommends qemu-kvm libvirt-daemon-system libvirt-clients libvirt-dev libguestfs-tools genisoimage virtinst libosinfo-bin virt-viewer virt-manager acpid

Be patient, it will take some time. The --no-install-recommends switch avoids installing the packages related to the GUI, which I personally avoid on server installations.

When the installation is finished you will have to change your network interfaces so the virtual machine becomes part of your LAN. For this you will have to create a bridge interface; make sure you have the bridge-utils package installed. If you happen to have an OpenVPN server already running on the Debian server, as I did, make sure you change your VPN interface to TAP and add it to the bridge, otherwise you won't be able to browse your network.

This is how my /etc/network/interfaces file looked after the configuration change:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
# allow-hotplug enp2s0
# iface enp2s0 inet static
# address 192.168.1.2
# netmask 255.255.255.0
# gateway 192.168.1.1

######################################
# bridge part, comment out the interface config above
######################################

auto enp2s0
iface enp2s0 inet manual

auto tap0
iface tap0 inet manual

auto br0
iface br0 inet static
address 192.168.1.2
broadcast 192.168.1.255
netmask 255.255.255.0
gateway 192.168.1.1
bridge_ports enp2s0 tap0
bridge_stp off
bridge_waitport 0
bridge_fd 0
dns-nameservers 8.8.8.8
dns-nameservers 8.8.4.4
dns-nameservers 192.168.1.2

Restart the networking service (or reboot) and test that your connectivity works as intended.

The next step is to let a regular user manage the VM:

adduser your_user libvirt
adduser your_user libvirt-qemu

Then reload group membership:

newgrp libvirt
newgrp libvirt-qemu

Verify your group membership with the id command:

id

Check the virtual machine network and state:

virsh net-list --all
virsh list --all

Bridge networking has to be configured for the VM as well, so do the following:

Create a file using a text editor:

nano /root/bridged.xml

Append the following config to the file; make sure the bridge interface name is the same as in your interfaces configuration:

<network>
<name>br0</name>
<forward mode="bridge"/>
<bridge name="br0"/>
</network>

Save and close the file. Then run the following commands to apply this configuration to the VM:

virsh net-define --file /root/bridged.xml
virsh net-autostart br0
virsh net-start br0

Verify the bridged network:

virsh net-list --all

In order for Windows 10 to recognise your virtual hard disk during its installation you will need the virtio drivers. Create a "virtio" (or some other name) folder in /var/lib/libvirt/boot/ and download the drivers (checking for the latest version is probably a good idea):

cd /var/lib/libvirt/boot/virtio/
wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.173-2/virtio-win-0.1.173.iso

Next create the VM's virtual disk; adjust the size to your needs:

qemu-img create -f qcow2 /var/lib/libvirt/images/windows_10_x64.qcow2 80G

With the disk set up it is time to create the VM:

virt-install \
--virt-type=kvm \
--hvm \
--name=windows10 \
--ram=2048 \
--cpu=host \
--vcpus=2 \
--os-type=windows \
--os-variant=win10 \
--disk path=/var/lib/libvirt/images/windows_10_x64.qcow2,format=qcow2,bus=virtio \
--disk /var/lib/libvirt/boot/Win10_1909_EnglishInternational_x64.iso,device=cdrom,bus=ide \
--disk /var/lib/libvirt/boot/virtio/virtio-win-0.1.173.iso,device=cdrom,bus=ide \
--network=bridge=br0,model=virtio \
--graphics vnc

If you stumble upon an error stating that access to the KVM kernel module is denied, do the following:

Open the file qemu.conf and edit the following lines (uncomment them and set the group to kvm):

nano /etc/libvirt/qemu.conf

#user = "root"    ->   user = "root"
#group = "root"   ->   group = "kvm"

After a successful VM creation you will need a VNC client to connect to the VM and start the Windows installation. During the installation you will have to navigate to the folder containing the virtio disk driver; in my case it was on drive E:, but it may not be the same for you. The path for me was E:\viostor\w10\amd64. After the installation you can run Remote Desktop on Windows and set up users to connect to your VM directly without third-party software.

To have your VM start automatically when the host boots or is rebooted, run the following commands.

First make sure the libvirtd service is started on boot:

systemctl enable libvirtd

Then run:

virsh autostart Your_VM_Name_Here

If you try to shut down your VM from the host terminal with virsh shutdown VM_Name_Here without success, this might be due to a non-working ACPI event handler. To fix this, edit the contents of the powerbtn file (create the file if it does not exist):

nano /etc/acpi/events/powerbtn

Then type these lines (delete anything in the file if it already exists):

event=button/power
action=/sbin/poweroff

and restart the acpid service:

service acpid restart

And this is the end of it in general; next I will post the script to shut down, back up and then start the KVM, when time is available.

Have fun!

Bash script for complete system backup on external hard drive using tar

Some time ago I posted a script to back up a Linux system to an external drive using rsync. As the task this time was to create an archive of the whole system and to remove the old backup files, the script had to be changed a bit. Here is the version of it using the tar command. As before, your external drive's mount point has to be defined in the fstab file.

And this is the script; it does not need much explanation:

#!/bin/bash

# Script to create full system archived backup to external USB drive.

# Specify the mount point, backup path and other stuff here (DO NOT end mount_point with a forward-slash).

mount_point='/mnt/WD'
current_year=`date +%Y`
current_day=`date +'%Y-%m-%d_%H:%M:%S'`
backup_path=${mount_point}'/backup/'${current_year}
files_to_keep=2

echo "#####"
echo ""

# Check whether target volume is mounted, and mount it if not.

if ! mountpoint -q ${mount_point}/; then
   echo "Mounting the external USB drive."
   echo "Mountpoint is ${mount_point}"
   if ! mount ${mount_point}; then
      echo "An error code was returned by mount command!"
      exit 5
   else
      echo "Mounted successfully."
   fi
else
   echo "${mount_point} is already mounted."
fi

# Target volume **must** be mounted by this point.

if ! mountpoint -q ${mount_point}/; then
   echo "Mounting failed! Cannot run backup without backup volume!"
   exit 1
fi

echo "Preparing the archive using tar."

mkdir --parents ${backup_path}/

# Archive the whole root filesystem, skipping pseudo filesystems, mounts and the archive itself.
tar czf ${backup_path}/${current_day}_backup.tar.gz --exclude=${backup_path}/${current_day}_backup.tar.gz --exclude=/dev/* --exclude=/mnt/* --exclude=/proc/* --exclude=/sys/* --exclude=/run/* --exclude=/media/* --exclude=/tmp/* --exclude=/lost+found /

# Delete old backup files, keeping the newest ${files_to_keep} (names contain no spaces).

cd ${backup_path}/ || exit 1

rm -f `ls -t *_backup.tar.gz | awk "NR>$files_to_keep"`

cd /

# Dismounting target volume

if ! umount ${mount_point}; then
   echo "An error code was returned by command!"
   exit 5
else
   echo "Dismounted successfully."
fi

And you are good to go! 🙂
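Added example, not the post's script: the retention step rewritten so that the newest archive is listed with tar before anything is deleted, and pruning is refused when that listing fails. That way a truncated or corrupt archive (a full disk, an interrupted run) never causes the last good backups to be removed to make room for it. The function names, the keep count and the sample archives are constructed for the demonstration; the timestamped file names follow the post's naming scheme.

```shell
#!/bin/sh
# Added example (not from the post): verify-before-prune rotation for *_backup.tar.gz files.

# verify_archive FILE: "ok" when tar can list the whole archive, "corrupt" otherwise.
# A truncated gzip stream makes tar exit non-zero, which is exactly what we want to catch.
verify_archive() {
    if tar -tzf "$1" >/dev/null 2>&1; then echo ok; else echo corrupt; fi
}

# newest_backup DIR: name (relative to DIR) of the most recently modified archive, or nothing.
newest_backup() {
    ( cd "$1" && ls -t ./*_backup.tar.gz 2>/dev/null | head -n 1 )
}

# count_backups DIR: how many archives are left.
count_backups() {
    ls "$1"/*_backup.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# rotate_backups DIR KEEP: delete all but the KEEP newest archives, but only after the
# newest one passed verify_archive. Prints empty / refused / pruned.
rotate_backups() {
    dir=$1; keep=$2
    newest=$(newest_backup "$dir")
    [ -n "$newest" ] || { echo empty; return 0; }
    if [ "$(verify_archive "$dir/$newest")" != ok ]; then
        echo refused          # latest backup is broken: keep the old ones, alert instead
        return 0
    fi
    ( cd "$dir" && ls -t ./*_backup.tar.gz | tail -n +"$((keep + 1))" |
        while IFS= read -r f; do rm -f -- "$f"; done )
    echo pruned
}

# --- constructed sample: three good archives and one truncated copy ------------
SAMPLE_DIR=$(mktemp -d)
mkdir "$SAMPLE_DIR/src"
echo "constructed payload" > "$SAMPLE_DIR/src/file.txt"
good="$SAMPLE_DIR/2020-01-01_000000_backup.tar.gz"
tar -czf "$good" -C "$SAMPLE_DIR" src
cp "$good" "$SAMPLE_DIR/2020-01-02_000000_backup.tar.gz"
cp "$good" "$SAMPLE_DIR/2020-01-03_000000_backup.tar.gz"
# the "newest" archive is cut off after 20 bytes, simulating an interrupted run
dd if="$good" of="$SAMPLE_DIR/2020-01-04_000000_backup.tar.gz" bs=1 count=20 2>/dev/null
touch -t 202001010000 "$good"
touch -t 202001020000 "$SAMPLE_DIR/2020-01-02_000000_backup.tar.gz"
touch -t 202001030000 "$SAMPLE_DIR/2020-01-03_000000_backup.tar.gz"
touch -t 202001040000 "$SAMPLE_DIR/2020-01-04_000000_backup.tar.gz"

echo "newest archive: $(newest_backup "$SAMPLE_DIR") -> $(verify_archive "$SAMPLE_DIR/$(newest_backup "$SAMPLE_DIR")")"
echo "rotate with keep=2: $(rotate_backups "$SAMPLE_DIR" 2), archives left: $(count_backups "$SAMPLE_DIR")"
```

In the post's script the equivalent call would sit between the tar line and the old `rm -f` line, with `${backup_path}` and `${files_to_keep}` as the two arguments, and a non-`pruned` result is the point at which you would want a notification rather than a silent exit.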


Configure BT Echolife/Huawei HG612 as an ADSL modem only device

Quite a lot of information on this little but rather useful device (which in fact is a VDSL/ADSL modem router) can be found at kitz.co.uk, but a step-by-step guide on how to use this device as an ADSL modem only is not easy to find, so I decided to put my adventures in writing.

First things first: to get hold of a device like this you have to visit eBay, as these are made for BT and are the cheapest possible option for a device capable of being a VDSL/ADSL modem, compared to the NETGEAR DM200 with its bad reputation or the pricey DrayTek Vigor 130.

What basically has to happen is to set the WAN interface of the device in bridging mode, so it just passes the frames on to your cable router. The device is by default configured to be a VDSL bridge for the BT network in the UK, so it has to be unlocked first, which is a fairly easy procedure that I have only performed on an HG612 type 3B device.

Navigate to https://mega.co.nz/#F!LdJFDIJL!e_E1twsIg2kTet8mPjrb4w and go to the B030SP08 folder, where you will need to download the firmware. The file you most likely want is called bcm96368MVWG_fs_kernel_HG612V100R001C01B030SP08_webgui, which, as you could probably guess from the name, has the web GUI, unless you would like to try the hard way of course…

When ready, do the following:

Configure your computer's Ethernet port with the IP address 192.168.1.2 and subnet mask 255.255.255.0.

With the HG612 powered off, connect a cable between the LAN2 port (you may need to remove the “not in use” sticker) and the Ethernet port on your computer.

Hold down the reset button on the back of the HG612 whilst inserting the power cable. Keep the reset button held for about 5–10 seconds after powering up, then release.

After about 10 seconds you should be able to access the HG612's "Update Software" web page at http://192.168.1.1

Follow the on-screen instructions to upload the latest firmware. You will be notified that the process will take 2 minutes; please be patient, give it 3 minutes, go to the toilet, make yourself a coffee, but do not interrupt or power off.

When this is done navigate again to http://192.168.1.1 and you should be greeted by the login page; use the default username and password, which are both "admin". Navigate to BASIC -> DSL, tick ALL and then Submit.
The next step is important: configuring the ATM interface. It has to be configured as Ethernet over ATM type so it can translate the PPPoA frames to PPPoE and pass them on to your cable router to do the authentication; this is a handy function you won't easily find on many devices, especially cheap ones. More about the technology behind it can be found at https://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet#PPPoEoE-to-PPPoA_converting_modem

Navigate to BASIC -> ATM and choose these options: for the virtual identifiers use 0/38; these are for the UK, if you happen to be somewhere else around the globe check these with your ISP. Leave DSL latency as it is, Path1. For the DSL link type pick the correct one, EoA; this is kind of important. Encapsulation mode: pick VCMUX, again check with your ISP if not sure, or see what it is on the router you were supplied, if available. Service type is UBR without PCR. When ready press Submit.
We are almost ready… Now we have to assign the ATM interface to be the WAN interface. You have a few things to do before that though, as by default the device is set to be a VDSL modem, not an ADSL one. You have to either remove the PTM interface from the WAN setup or disable it. In my case I just disabled it, thinking it might one day save me a few clicks.

Go to BASIC -> WAN and select the PTM interface; there untick the WAN connection option and also untick Port binding LAN1. Click Submit when ready.
Now, while you are still there, click on the New tab so you can assign the ATM to WAN. From the Layer 2 interface drop-down menu pick atm1/(0_0_38), tick WAN connection so it enables the interface on the WAN, leave Service list as it is (INTERNET), under Port binding tick LAN1; this will be the port you connect to your cable router, while LAN2 will remain the port you can connect to the HG612 on if you want to make configuration changes in the future. For Connection mode select Bridge. And the final but important bit: set Bridge type to PPPoE_Bridged. Click the Submit button.
And this is it! You have a pure ADSL modem only device which passes the WAN IP to the WAN port on your cable router as nature intended! 🙂

On your cable router, under the WAN interface configuration, choose Connection type PPPoE, add your username and password and you should be good to go. Enjoy!


Install Windows 10 64 bit on iMac 7.1 Early 2007, or how to make your old Mac useful again

As the title says, I was given the task to resurrect an iMac and put it back in business! 🙂
Unlike Microsoft, Apple are very picky about how you are going to use your computer and are unpleasantly pushy in dragging you to buy more of their stuff. Simply said, as some of you may already know, you cannot use an old but hardware-wise quite decent Mac with Apple's latest OS due to firmware restrictions. Luckily you can still make some use of it with Windows or Linux.
The iMac in question had a faulty hard drive, which luckily was not too difficult to replace. But as usual the troubles came soon after! 🙂
With a freshly burned DVD of Windows 10 x64 I thought I would quickly be in the game, but NO: I got stuck with a black screen, a message to pick the boot type and an unresponsive keyboard! It turns out that although the computer is 64 bit architecture its EFI is 32 bit, and you have no chance to boot it from the Windows 10 installation media…
Thanks to good and clever people online, help is available! I read this post, downloaded the exe file provided and it all went well!
As the steps I took are slightly different I wanted to have a note of them.
First of course you will need the Windows 10 x64 image file, which you can download from Microsoft. Under Windows 10, right-click on the file and select "Mount".
Just to keep life organised create a folder with a name of your choice; in my case it was "NewISO".
Run Command Prompt as administrator and navigate to where you have the OSCDIMG.EXE file saved /or just type the full path to it/.
Then run the command:
oscdimg -n -m -bf:\boot\etfsboot.com f:\ c:\NewISO\win10_efi32.iso
where f is the drive letter where the image file is mounted.
After this you will have a 64 bit Windows 10 image file with 32 bit EFI; do not worry about the warning message related to NT 3.5, just burn it on a DVD or USB stick and use it.
Final words: I do not quite know how this program, which is a genuine Microsoft tool, manages to change the boot loader. I would advise you to download it from the post linked above, or at least make sure you use the same version, which is 2.54, as this may have something to do with the success of the procedure and a newer one may just put the 64 bit EFI back again. I will be glad if someone more knowledgeable explains it in detail.

Install Pydio web file manager on Debian 9 with MySQL 8

If you came across my previous post regarding setting up Nginx for user access control you might be thinking that the setup is okay for two or just a few users, but what if there are more users? Yes, it gets a bit inconvenient and it lacks flexibility. In the previous work I have already installed Nginx, MySQL and PHP, so I will not be explaining that again here; now is the time to use them with, in my case, a good web file management platform. As I have not used one before, I went looking around, reading and picking. In the end I picked Pydio, as it is very well documented, there are lots of tutorials on how to install it on Debian, there is even a very good Nginx configuration file on Pydio's website itself (https://pydio.com/en/docs/kb/system/installing-debiannginx) and Pydio is in active development as well.

But as usual I had a slightly bumpy ride and I thought I had better write it down; you never know who you are going to help! 😉

I changed my Nginx configuration a bit, so people are not allowed to "wander" around the server, especially in Pydio's directories, though that did not stop the software from showing its warning message about that on install.

I installed Pydio the "wget" way, as finding out it can be done via apt came later; never mind… 🙂

wget https://download.pydio.com/pub/core/archives/pydio-core-8.0.2.zip

unzip pydio-core-8.0.2.zip

mv <extracted directory name> /var/www/html/pydio

chown -R www-data:www-data /var/www/html/pydio

If your workspaces will be located somewhere else make sure they are owned by www-data, so the software can manipulate the files and folders.

Adjust your php.ini and make sure these are covered; in my case:

file_uploads = On

post_max_size = 1G

upload_max_filesize = 1G

max_file_uploads = 200

output_buffering = Off

In /var/www/html/pydio/conf/bootstrap_conf.php add setlocale(LC_ALL, "en_US.UTF-8"); and uncomment define("AJXP_LOCALE", "en_EN.UTF-8");

Now it is time to set up the database, user and password in MySQL. This is where I had a funny surprise: after I had done it and started the installation, Pydio could not connect to my MySQL server and I got the message that the server does not accept the client authentication method. MySQL 8 now accepts the better SHA-256 Pluggable Authentication by default /which I did not know/, which seemingly my client was not able to support /or I could not figure out how to change that from the client side/. To work around that add in /etc/mysql/my.cnf:

[mysqld]

default_authentication_plugin=mysql_native_password

and restart MySQL server.

Now you can create the Pydio database and user.

mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.0.11 MySQL Community Server - GPL

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> CREATE DATABASE pydio;
Query OK, 1 row affected (0.13 sec)

mysql> CREATE USER 'pydio_user'@'localhost' IDENTIFIED BY 'your_password';
mysql> GRANT ALL PRIVILEGES ON pydio.* TO 'pydio_user'@'localhost';
mysql> FLUSH PRIVILEGES;

Now navigate to Pydio and start the installation process; it is very easy to follow.

And that’s pretty much it.


Install and configure Nginx web server, MySQL and PHP support with Let's Encrypt and DDNS on Debian 9

Without going into too much detail, I have been asked to build a server with certain requirements, which led me to this project, and I thought it might be a good idea to describe the process as a reference as well as something to help others.

The assumption here is that you know how to install Debian; beware, there are some changes if this is your first try on Debian 9. Make sure you know your network interface names; use the ip command or dmesg to find them out. Also, as this setup is with DDNS, make sure before you sign up for a DDNS service that the domain you want is included in the DNS Public Suffix List, otherwise you will not be able to use Let's Encrypt services. You can check it here. I have used one of the noip.com listed ones.

Before everything else I installed NO-IP's DUC software. There is a good bash script to help you with that, which you can find here.

It did not quite work for me: I was missing the killall command, which can be installed with apt install psmisc, and also on restart the service was not active, so what I did was add a symbolic link in my rc.3 folder pointing to the script in the /etc/init.d folder. You can also follow the guide on NO-IP's website and see how it goes.

Then comes Nginx; to install it run

apt install nginx

In /etc/nginx/nginx.conf I changed the keep-alive parameter (keepalive_timeout) down to 25.

Once the installation is finished, next comes MySQL. MySQL is not Debian's default database any more, so to install it you have to have its sources in your apt repository list. Navigate to https://dev.mysql.com/downloads/repo/apt/ to check the latest version and the correct download link; at the time of writing it was 0.8.10-1. Go to your download folder, or create one, and run

wget https://dev.mysql.com/get/mysql-apt-config_0.8.10-1_all.deb

and install it using dpkg:

dpkg -i mysql-apt-config_0.8.10-1_all.deb

Now, having the right information in the sources list, we can install MySQL:

apt update

apt install mysql-community-client mysql-community-server

To have PHP installed run:

apt install php7.0-fpm php7.0-gd php-pear php7.0-mysqlnd php7.0-curl php7.0-intl php-imagick php7.0-imap php7.0-mcrypt php-memcache php7.0-pspell php7.0-recode php7.0-tidy php7.0-xmlrpc php7.0-xsl

Have a look at the file /etc/php/7.0/fpm/php.ini in case you need to change something, probably at least date.timezone to match your location.

Reload PHP: systemctl reload php7.0-fpm.service

Not much will be discussed here on MySQL and PHP. I wanted them installed for future development of multi-level user login and file management, but in this instance I have only used the built-in basic authentication in Nginx. (P.S. After finishing reading you can now check the next post where this is discussed.)

Before that though we will generate Let's Encrypt certificates, and this will be done using the default Nginx configuration. With your preferred editor open the file /etc/nginx/sites-available/default and set your domain name in the server_name line, as well as the web root folder if different from the default. The line should look like this after editing:

server_name yourhost.provider.com;

Replace yourhost.provider.com with your own domain name and then install Certbot:

apt install certbot python-certbot-nginx

Now we request an SSL certificate from Let’s Encrypt:

certbot certonly --webroot -d yourhost.provider.com

Read the questions carefully and give the appropriate answers. The newly generated SSL certificate is in a subfolder of /etc/letsencrypt/live/; the exact path is shown in the Certbot output. Now it is time to create your own Nginx web server file. In mine I have HTTP traffic redirected to HTTPS, the web root denied for everyone so no one sees its content, two folders for two users, and the autoindex option on so users can see the files in their folders. This is the configuration file:

server {
    listen [::]:80;
    listen 80;
    server_name yourhost.provider.com;

    # redirect http to https
    return 301 https://yourhost.provider.com$request_uri;
}

server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name yourhost.provider.com;

    root /var/www/html;
    index index.php index.html index.htm;

    ssl on;
    ssl_certificate_key /etc/letsencrypt/live/yourhost.provider.com/privkey.pem;
    ssl_certificate /etc/letsencrypt/live/yourhost.provider.com/fullchain.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # Rest of the config

    # nobody may list or fetch the web root itself
    location = / {
        deny all;
    }

    location ^~ /test1/ {
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/users/.test1;
        try_files $uri $uri/ =404;
        autoindex on;
    }

    location ^~ /test2/ {
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/users/.test2;
        try_files $uri $uri/ =404;
        autoindex on;
    }

    # pass PHP scripts to FastCGI server
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # With php-fpm (or other unix sockets):
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        # With php-cgi (or other tcp sockets):
        # fastcgi_pass 127.0.0.1:9000;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
}

It is useful to run nginx -t before reloading the service with systemctl restart nginx.service.
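Added example, not part of the original post: a small POSIX shell audit of the TLS-related directives in a server block like the one above, run over two constructed config snippets, one mirroring the settings above and one hardened. The function names, the finding labels and the sample snippets are mine; which settings count as findings (TLS 1.0/1.1 in ssl_protocols, the deprecated ssl on directive, 3DES cipher suites, a missing Strict-Transport-Security header) is the assumption the script encodes, so adjust the list to your own baseline.

```shell
#!/bin/sh
# Added example (not from the post): flag weak TLS settings in an nginx config file.
# Usage on a real server: audit_nginx_tls /etc/nginx/sites-available/yoursite

# ssl_protocols_line FILE: the protocol list from the ssl_protocols directive, without ";".
ssl_protocols_line() {
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$1"
}

# audit_nginx_tls FILE: print space-separated findings; prints nothing when clean.
audit_nginx_tls() {
    findings=""
    # protocol versions with known weaknesses (BEAST/POODLE era, no AEAD suites)
    for proto in $(ssl_protocols_line "$1"); do
        case "$proto" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) findings="$findings legacy-protocol:$proto" ;;
        esac
    done
    # "ssl on;" is deprecated; "listen ... ssl" already enables TLS
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$1"; then
        findings="$findings deprecated-ssl-on"
    fi
    # any 3DES suite in the cipher list (Sweet32)
    if grep -Eq '^[[:space:]]*ssl_ciphers.*DES-CBC3' "$1"; then
        findings="$findings 3des-cipher"
    fi
    # no HSTS header means the http->https redirect can be stripped by an on-path attacker
    if ! grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$1"; then
        findings="$findings no-hsts"
    fi
    echo "$findings" | sed 's/^ //'
}

# --- constructed samples (not a real site's config) ---------------------------
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl http2;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
}
EOF

HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF

echo "weak config findings:     $(audit_nginx_tls "$WEAK_CONF")"
echo "hardened config findings: [$(audit_nginx_tls "$HARDENED_CONF")]"
```

Because the output is one line of tokens, the audit slots into the same place as `nginx -t` in a deploy step (`[ -z "$(audit_nginx_tls "$conf")" ] || exit 1`), which turns the review into a check that runs every time the config changes.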

To create the files with the Nginx users and passwords I used the handy python script htpasswd.py, but if you are having trouble running it you are very likely missing the Trac package, which you can easily install:

apt install trac

To actually get the script just do:

cd /usr/local/bin

wget https://trac.edgewall.org/export/16537/trunk/contrib/htpasswd.py

chmod 755 /usr/local/bin/htpasswd.py

though check the Trac website for the latest download link.

To create a file /in my case/ do:

htpasswd.py -c -b /etc/nginx/users/.test1 user password

Do not use the -c option if you want to add more users to the same file.

Finally, it is not a bad idea to add firewall rules. These are my set as a bash script, but you can always change it the way it suits your needs. I use the iptables-persistent package to save the rules and load them at boot:

#!/bin/bash

# Flush previous rules, delete chains and reset counters
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

# INPUT

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections
# The --dport number is the same as in /etc/ssh/sshd_config
iptables -A INPUT -p tcp -s 192.168.0.0/16 -m conntrack --ctstate NEW,ESTABLISHED --dport 22 -j ACCEPT

# Allow Samba connections
iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 445 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 139 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.0/16 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.0/16 --dport 138 -j ACCEPT

# Allow ping
# note that blocking other types of icmp packets is considered a bad idea by some
# this line accepts all ICMP; add -m icmp --icmp-type 8 to accept only echo requests:
# https://security.stackexchange.com/questions/22711
iptables -A INPUT -p icmp -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# REST

# Drop invalid state packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

# Reject all other inbound - default deny unless explicitly allowed policy:
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
iptables -A OUTPUT -j ACCEPT

And that's it, if I haven't forgotten something… 🙂


AppleScript apps fail to launch after upgrade to macOS Sierra and High Sierra – workaround

If you recently upgraded your Apple Mac to the latest Sierra versions of the OS you might be one of the unlucky ones with AppleScript applications which do not launch any more. And if you have tried any of these without joy:

  • saving the apps in the Applications folder;
  • manually creating an executable applet within the AppleScript app;
  • disabling SIP;
  • disabling Gatekeeper /GUI or via Terminal/;
  • signing the app with a developer ID;

PANIC NOT! 🙂 There is still hope, thanks to the good old Terminal, bash shell and the handy command osascript!

Basically the idea is this: with the osascript command you are able to run an AppleScript without triggering the launch of Script Editor, so if you type in Terminal

osascript /path/to/script/YourScript.scpt

the script will be executed nicely and without a hassle.

But what if you happen to have just the AppleScript app, not the code of the script itself? Luckily the osascript command can handle this as well! You simply have to dig a bit into the app and point to the compiled script in it, something like this:

osascript /path/to/Applescript.app/Contents/Resources/Scripts/main.scpt

Luckily in Sierra this bypasses all the clutches the OS offers. 🙂

This can be used in a bash script for convenience, something like this as an example:

#!/bin/bash

# run the compiled script, and when it succeeds arrange for the Terminal window to close on exit
osascript /path/to/Applescript.app/Contents/Resources/Scripts/main.scpt && trap '/usr/bin/osascript -e "tell application \"terminal\" to quit"' 0

I think that's pretty much it; hope you will find it helpful.


GRUB bootloader repair with chroot

I had to do this quite often lately, so I thought it deserves a place on the blog… 🙂 If you have computers with multiple OSes to boot, sooner or later you will end up in a situation of having GRUB corrupted.

My latest adventure was after the Windows 10 Anniversary update. The update messed up the hard drive partition table and on boot the computer ended up in GRUB's rescue console. You can try the steps from this post and fix GRUB from its rescue console, though it did not work for me, and you will notice at the end you still need to reinstall GRUB and recreate the boot menu:

http://www.legendiary.at/2016/01/04/windows-10-update-changes-partition-table-and-breaks-grub/

So I got one of my flash drives with a live Linux on it and went for the well-known classic approach 🙂 Please mind your flash drive's and hard disk's Linux kernel architecture /32 or 64 bit/; they must match.

Boot your computer off the flash drive, run a terminal, make sure you are root /or use sudo/ when executing the commands and follow these steps:

  1. List your drives and partitions with a command of your choice and make a note of the Linux partition

          fdisk -l

  2. Mount your Linux partition to a folder and bind the required system folders to their counterparts in that folder. Substitute sdXY below with the correct Linux partition for your system.*

          mount /dev/sdXY /mnt

          mount --bind /dev /mnt/dev
          mount --bind /dev/pts /mnt/dev/pts
          mount --bind /proc /mnt/proc
          mount --bind /sys /mnt/sys

  3. Use chroot to change your root directory.

          chroot /mnt

  4. Recreate the GRUB menu and install it on the boot drive. These commands are for Debian and its family; for other distributions you have to use the correct commands.

          update-grub

          grub-install /dev/sdX

Reboot your computer and enjoy the boot menu you are used to. 🙂

*You can substitute the multiple mount commands with a single line if you wish:

          for i in /dev /dev/pts /proc /sys; do mount -B $i /mnt$i; done

** Just a quick addition to the post to bring it up to date. If you happen to have an EFI bootloader you will have to mount the EFI partition as well (before the chroot step), like this:

mount /dev/sdXZ /mnt/boot/efi


XtraFinder error message "XtraFinder Beta has expired!" fix with AppleScript

I was recently asked to help with XtraFinder's annoying message "XtraFinder Beta has expired!" and make it disappear without user input. As what was suggested on the official support page did not work, I went to see what is available online; Google is your friend, right!? 🙂

Well, unfortunately I found only one good and interesting blog post on the subject, involving Hopper Disassembler, but that did not work for me; whatever I tried I did not manage to produce an executable file which would actually work. The tutorial is for XtraFinder version 0.25 where mine was 0.25.8, and though the assembler instructions and the function looked the same I think that matters.

As I am not an assembler guru I went back to the good old AppleScript to make a few clicks on behalf of a human 🙂 Please check the script below and change it if you need to. The script app has to be in your login items and will/should work fine even after you upgrade to the latest version of XtraFinder, currently 0.25.9 /which by the way fixes the nag messages, until the time for the next update probably, which if not on time will probably start the expiry message again… or maybe not… :-)/.

So here we go:

delay 3

tell application "XtraFinder" to activate

delay 1

tell application "System Events"
    if exists (window 1 of process "XtraFinder") then
        tell process "XtraFinder"
            set XfinderMess to the value of static text 1 of window 1 of application process "XtraFinder" of application "System Events"
            if XfinderMess = "System Integrity Protection is enabled." then
                click button "OK" of window 1 of application process "XtraFinder" of application "System Events"
                delay 10
                tell application "System Events"
                    if exists (window 1 of process "Finder") then
                        tell process "Finder"
                            set finderMess1 to the value of static text 1 of window 1 of application process "Finder" of application "System Events"
                            if finderMess1 = "XtraFinder Beta has expired!" then
                                click button "OK" of window 1 of application process "Finder" of application "System Events"
                                delay 6
                                tell application "System Events"
                                    if exists (window 1 of process "Finder") then
                                        tell process "Finder"
                                            set finderMess2 to the value of static text 1 of window 1 of application process "Finder" of application "System Events"
                                            if finderMess2 = "You’re up-to-date!" then
                                                click button "OK" of window 1 of application process "Finder" of application "System Events"
                                            end if
                                        end tell
                                    else
                                        quit
                                    end if
                                end tell
                            end if
                        end tell
                    else
                        quit
                    end if
                end tell
            end if
        end tell
    else
        quit
    end if
end tell

Enjoy 🙂