Monday 6 March 2017

python rename files & folders recursively... Replace accents and all non-alphanumeric characters by "."

The script renames files and folders recursively, replacing accents and every non-alphanumeric character with "." :
regular expression --> [^0-9a-zA-Z_-]

Use case: for example the files of a media library, which may contain unwanted characters or words.

ChangeWords.txt: file containing the strings to change or remove, with a simple syntax: xxxxx;. where xxxxx is the string to replace, ";" the delimiter and "." the replacement string. By convention the replacement strings are written in lowercase, although the search and replace is case-insensitive.

DeleteFiles.txt contains the names of the files to delete. Typically some sites ship files such as listedesalbums.txt or blueray.720p.txt (...). In that case just enter the names of those files so that they get deleted. However, since the script performs the renaming first, a file that arrived as, for example, "fichier pub du site bidule.txt" will have been renamed to fichier.pub.du.site.bidule.txt. That is therefore the name to enter for deletion.

rname.01.py is the script.
To run the script, create a directory or drop the files into an existing directory, then call it as follows:

python /opt/rname/rnanme.py /myfolder


where /opt/rname/ is the directory that contains the script along with the DeleteFiles.txt and ChangeWords.txt files

/myfolder is the directory that contains the folders and files to rename

NB:
  • the script removes accents and replaces spaces with .
  • a run of several dots '....' is collapsed to a single one
the code and the files are on https://github.com/SadarSSI/rname/tree/master
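Added example (editor's code, not the repository's rname.01.py): a Python sanitiser implementing the rules described above, with the ChangeWords.txt parser, the deletion step and a bottom-up walker; the sample filenames and the process_tree name are constructed.

```python
"""Filename sanitiser implementing the rules described in the rname post:
strip accents, replace every character outside [0-9a-zA-Z_-] with '.',
collapse runs of dots, apply the case-insensitive ChangeWords.txt rules,
then delete files whose (renamed) name is listed in DeleteFiles.txt.
Editor's example, not the repository's rname.01.py."""
import os
import re
import unicodedata

NON_ALNUM = re.compile(r"[^0-9a-zA-Z_-]")   # the post's regular expression
DOT_RUN = re.compile(r"\.{2,}")             # '....' -> '.'


def strip_accents(text):
    """Decompose accented letters and drop the combining marks (é -> e)."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def parse_change_words(text):
    """ChangeWords.txt: one 'string;replacement' per line, ';' as delimiter.
    Needles are lowercased because matching is case-insensitive anyway."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and ";" in line:
            needle, _, replacement = line.partition(";")
            rules.append((needle.lower(), replacement))
    return rules


def sanitize_name(name, rules=()):
    """Apply the rules to one path component. Because '/' is outside the
    allowed set, the result never contains a path separator."""
    name = strip_accents(name)
    for needle, replacement in rules:
        name = re.sub(re.escape(needle), replacement, name, flags=re.IGNORECASE)
    name = NON_ALNUM.sub(".", name)
    return DOT_RUN.sub(".", name)


def process_tree(root, rules=(), delete_names=frozenset(), dry_run=True):
    """Walk bottom-up so a renamed directory never invalidates pending paths.
    Returns ([(old, new), ...], [deleted, ...]); with dry_run nothing is touched."""
    renamed, deleted = [], []
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for old in filenames + dirnames:
            new = sanitize_name(old, rules)
            src, dst = os.path.join(dirpath, old), os.path.join(dirpath, new)
            if new != old:
                if os.path.exists(dst):   # refuse to clobber an existing entry
                    continue
                renamed.append((src, dst))
                if not dry_run:
                    os.rename(src, dst)
            # deletion is matched on the sanitised name, as the post explains
            current = dst if (new != old and not dry_run) else src
            if new in delete_names and os.path.isfile(current):
                deleted.append(current)
                if not dry_run:
                    os.remove(current)
    return renamed, deleted
```

Run `process_tree("/myfolder", rules, {"fichier.pub.du.site.bidule.txt"})` first to review the plan, then again with `dry_run=False`.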

Monday 6 June 2016

VMDK to qcow / LVM

Convert the vmdk file to qemu (qcow2) format, e.g.:

qemu-img convert -f vmdk myvm.vmdk -O qcow2 myvm.qcow2

Or copy the vmdk to an LVM logical volume of the same size or larger:


dd if=myvm.vmdk of=/dev/myVG/myvm


That's all !!

rsync via proxy socks

rsync --ignore-errors --force --human-readable --progress --partial --bwlimit=80 -hav /mnt/share/jessie -e "ssh -o 'ProxyCommand nc -x localhost:10998 opera 22'" root@srv01:/mnt/vol01/08500.vm/virtualbox/disk/jessie

Sunday 4 October 2015

apache 2.2 ssh over ssl on debian 8 jessie

# install apache2 and modules
aptitude install libalgorithm-merge-perl libhtml-form-perl libhtml-format-perl libhttp-daemon-perl libssl-doc apache2 apache2-utils apache2.2-common libapache2-mod-proxy-html openssl libpcre3-dev libcrypt-ssleay-perl libcurl4-openssl-dev libwww-perl libalgorithm-diff-xs-perl

# enable modules
a2enmod proxy proxy_connect proxy_html proxy_http rewrite ssl xml2enc

# test config
apache2ctl configtest

# create self signed certificates if you need http://sadar-ssi.blogspot.fr/2014/11/openssl-certificates-self-signed.html

# disable default
a2dissite 000-default

#----------- create config
touch /etc/apache2/sites-available/my-site.conf
nano /etc/apache2/sites-available/my-site.conf

#--------------------------------------------------------------------------------
 <VirtualHost *:80>  
     ServerName my-server  
     ServerAdmin my-user@my-user.org  
     Redirect permanent / https://my-server  
     HostnameLookups On  
 </VirtualHost>  
   
 <VirtualHost *:443>  
     ServerName my-server  
     ServerAlias my-server.dtdns.net  
     ServerAdmin my-user@my-user.org  
     ServerSignature off 
 
     SSLEngine on
     SSLCompression Off
     SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3
     SSLOptions +StdEnvVars
     SSLproxyengine on
     SSLVerifyClient none
     SSLHonorCipherOrder on
     SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
   
       
     SSLProxyVerify none  
     SSLProxyCheckPeerCN off  
       
     SSLCACertificateFile     /etc/ssl/localcerts/my-ca.crt  
     SSLCertificateFile       /etc/ssl/localcerts/my-server.crt  
     SSLCertificateKeyFile   /etc/ssl/localcerts/my-server.nopassphrase.key  
       
     # NB: a second SSLCipherSuite in the same VirtualHost overrides the list above (the last one wins); keep only one
     SSLCipherSuite HIGH:!aNULL:!MD5
     SSLHonorCipherOrder on  
       
     LogLevel info  
   
     DocumentRoot /var/www/my-server  
     <Directory /var/www/my-server>      
       SSLVerifyDepth 1  
       SSLVerifyClient require    
       AuthType Basic  
       AuthName "my-server !!!! ---> @|@ <---"  
       require valid-user  
       AuthBasicProvider file        
       AuthUserFile /var/www/my-server/.htpasswd  
   
       Options Indexes FollowSymLinks MultiViews  
       AllowOverride None  
       Order allow,deny  
       allow from all  
     </Directory>  
   
     HostnameLookups On  
     Proxyrequests On  
     ProxyVia full  
   
     AllowCONNECT 22  
   
     # "Order deny,allow" with "Allow from all" lets every client use the forward proxy
     # (CONNECT is limited to port 22 by AllowCONNECT, plain HTTP forwarding is not);
     # restrict it to known client addresses or add the same Basic auth as the <Directory> above
     <Proxy *>
      Order deny,allow
      Deny from all
      Allow from all
     </Proxy>
   
     <ProxyMatch (my-server1|my-server2)>  
       Order deny,allow  
       Allow from all  
     </ProxyMatch>        
       
 </VirtualHost>  
   
#--------------------------------------------------------------------------------

Create htpasswd from command line (with -b the password is passed as an argument and ends up in the shell history; omit -b to be prompted)
htpasswd -cbm /var/www/my-server/.htpasswd my-user my-password

Update / add htpasswd from command line
htpasswd -bm /var/www/my-server/.htpasswd my-user my-password

#------------------------------
chown -R www-data:www-data /var/www/my-server

#------------------------------ enable site configuration
a2ensite my-server.conf

Tuesday 16 December 2014

ssh tunnelling : how to mount vpn via ssh...

# on remote server edit /etc/ssh/sshd_config and add
 PermitTunnel yes

# restart ssh
sudo service ssh restart


# From the local computer connect to the remote server (ex : VM Virtualbox in my case)
ssh -D 10998 -vv -N -C -w 0:0 my-remote-server

# on remote server (@home)
ifconfig tun0 172.16.0.1 netmask 255.255.255.252
ifconfig tun0 up

# verify
ifconfig

# activate ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# activate routing
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# on local computer route subnet 192.168.1.0 @home
route add -net 192.168.1.0 netmask 255.255.255.0 gw 172.16.0.1 tun0

# on local windows use local proxy socks on 10998
# example with chrome & Falcon Proxy plugin

Monday 15 December 2014

install guacamole ubuntu server 14.x

# install packages & dependencies
aptitude install make libssh2-1-dev libtelnet-dev libpango1.0-dev libossp-uuid-dev libcairo2-dev libpng12-dev freerdp-x11 libssh2-1 libvncserver-dev libfreerdp-dev libvorbis-dev libssl0.9.8 gcc libssh-dev libpulse-dev tomcat7 tomcat7-admin tomcat7-docs

# download latest version
cd /usr/local/src
wget http://downloads.sourceforge.net/project/guacamole/current/source/guacamole-server-0.9.3.tar.gz
wget http://downloads.sourceforge.net/project/guacamole/current/binary/guacamole-0.9.3.war

# decompress sources
tar xvzf guacamole-server-0.9.3.tar.gz
cd guacamole-server-0.9.3

# compile
./configure --with-init-dir=/etc/init.d

# see results
#------------------------------------------------------------------------------------------------------------------------

------------------------------------------------
guacamole-server version 0.9.3
------------------------------------------------

   Library status:

     freerdp ............. yes
     pango ............... yes
     libssh2 ............. yes
     libssl .............. yes
     libtelnet ........... yes
     libVNCServer ........ yes
     libvorbis ........... yes
     libpulse ............ yes

   Protocol support:

      RDP ....... yes
      SSH ....... yes
      Telnet .... yes
      VNC ....... yes

   Init scripts: /etc/init.d

Type "make" to compile guacamole-server.

#------------------------------------------------------------------------------------------------------------------------
make
make install
cd ..

# ldconfig & test service
ldconfig ; service guacd restart

#create the settings files for Guacamole
mkdir /etc/guacamole
nano /etc/guacamole/guacamole.properties

#---------------------------------------------------------------------------------------
# http://guac-dev.org/doc/gug/configuring-guacamole.html
# initial-setup
# --------------------------------------------------------------------

# Hostname + port
guacd-hostname: localhost
guacd-port: 4822

# lib-directory
lib-directory: /var/lib/tomcat7/webapps/guacamole/WEB-INF/classes

# auth-provider
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider

# basic-user-mapping
basic-user-mapping: /etc/guacamole/user-mapping.xml

#---------------------------------------------------------------------------------------

# Now create the file /etc/guacamole/user-mapping.xml

nano /etc/guacamole/user-mapping.xml

#---------------------------------------------------------------------------------------

 <user-mapping>  
   
   <authorize username="my-user" password="my-passwd">  
   
     <connection name="host1">  
       <protocol>vnc</protocol>  
       <param name="hostname">host1</param>  
       <param name="port">5900</param>  
       <!--  <param name="password">VNCPASS</param> -->  
     </connection>  
   
     <connection name="host2">  
       <protocol>vnc</protocol>  
       <param name="hostname">host2</param>  
       <param name="port">5900</param>  
       <!--  <param name="password">VNCPASS</param> -->  
     </connection>  
   
   </authorize>  
     
 </user-mapping>  

#---------------------------------------------------------------------------------------
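Added example, not part of the post or of the Guacamole project: the user-mapping.xml above stores the password in clear, whereas Guacamole's file-based provider also accepts encoding="md5" with the hex MD5 of the password, and generating the file with ElementTree keeps characters such as & or quotes properly escaped. The user, hosts and password are constructed placeholders.

```python
"""Generate a user-mapping.xml without plaintext passwords, using the
encoding="md5" attribute Guacamole's BasicFileAuthenticationProvider accepts
(hex MD5 of the password). Editor's example; users and hosts are constructed."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: one user allowed to reach two VNC hosts, as in the post.
USERS = {
    "my-user": {
        "password": "S3cret&Co",
        "connections": [
            {"name": "host1", "protocol": "vnc", "hostname": "host1", "port": "5900"},
            {"name": "host2", "protocol": "vnc", "hostname": "host2", "port": "5900"},
        ],
    }
}


def md5_hex(password):
    """Unsalted MD5 is all this provider supports: keep the file mode 0600."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_user_mapping(users):
    """Return the user-mapping.xml document as a string. ElementTree escapes
    '&', '<' and quotes, which a hand-edited file easily gets wrong."""
    root = ET.Element("user-mapping")
    for username, spec in users.items():
        auth = ET.SubElement(root, "authorize", username=username,
                             password=md5_hex(spec["password"]), encoding="md5")
        for conn in spec["connections"]:
            node = ET.SubElement(auth, "connection", name=conn["name"])
            ET.SubElement(node, "protocol").text = conn["protocol"]
            for key in ("hostname", "port"):
                ET.SubElement(node, "param", name=key).text = conn[key]
    return ET.tostring(root, encoding="unicode")


def check_login(xml_text, username, password):
    """Mirror the provider's check: hash the candidate and compare it with the
    stored attribute. Returns the connection names on success, [] otherwise."""
    root = ET.fromstring(xml_text)
    for auth in root.findall("authorize"):
        if auth.get("username") != username:
            continue
        stored = auth.get("password")
        if auth.get("encoding") == "md5":
            ok = md5_hex(password) == stored
        else:
            ok = password == stored          # plaintext entry, as in the post
        return [c.get("name") for c in auth.findall("connection")] if ok else []
    return []


if __name__ == "__main__":
    print(build_user_mapping(USERS))
```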

# Create a symbolic link of the properties file for Tomcat7
mkdir /usr/share/tomcat7/.guacamole
ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat7/.guacamole
 
# Copy the guacamole war file to the Tomcat 7 webapps directory
cp -fv guacamole-0.9.3.war /var/lib/tomcat7/webapps/guacamole.war

# restart the Guacamole (guacd) service
service guacd restart

# restart Tomcat 7
service tomcat7 restart

# check tomcat log
tail -f -n 40 /var/log/tomcat7/catalina.out | ccze

# check netstat
netstat -putlanv | grep -i list

# try to connect
http://your-server:8080/guacamole

#---------------------------------------------------------------------------------------
# Apache2 Proxy Installation and Configuration
 
# Install apache proxy module
sudo apt-get install -y libapache2-mod-proxy-html libxml2-dev
 
# Enable apache proxy modules
sudo a2enmod proxy proxy_http proxy_ajp rewrite
 
# change apache site
 <Location /guacamole/>  
      Order allow,deny  
      Allow from all  
      ProxyPass ajp://hostname:8009/guacamole/ max=20 flushpackets=on  
      ProxyPassReverse ajp://hostname:8009/guacamole/  
 </Location>        
# change /etc/tomcat7/server.xml 
   <Connector port="8009" protocol="AJP/1.3"  
         redirectPort="8443" proxyPort="443"  
         tomcatAuthentication="false" secure="true" />  
   
   <Connector port="8080" protocol="HTTP/1.1"  
         connectionTimeout="20000"  
         URIEncoding="UTF-8"  
         redirectPort="8443" />  


Sunday 23 November 2014

openssl certificates self signed

Creation script for a self-signed CA

You just need to set a password and a name for the CA.

NB: $(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;) --> generates a random 25-character alphanumeric password.

You can change it and put whatever you like! ;-))

#-----------------------------------------------
#!/bin/sh

CertPath=/etc/ssl/localcerts
mkdir -p $CertPath

# Create a certification authority (CA)

ACpasswd=$(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;)
ACName=my-ca

# subj parameters
CInit="Fr"
Cntry="France"
CCity="Paris"
Orgnt="My Organisation"
OUdpt="IT Department"
CNdpt="$ACName"
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"

printf "\n\033[1;33mCréation de certificats auto-signés pour $ACName\033[0m\n"
printf "\n\033[1;33mACName=$ACName\033[0m"
printf "\n\033[1;33mACpasswd=$ACpasswd\033[0m\n"

printf "\n\033[1;33mCInit=$CInit\033[0m\n"
printf "\033[1;33mCntry=$Cntry\033[0m\n"
printf "\033[1;33mCity=$CCity\033[0m\n"
printf "\033[1;33mOrgnt=$Orgnt\033[0m\n"
printf "\033[1;33mOUdpt=$OUdpt\033[0m\n"
printf "\033[1;33mCNdpt=$CNdpt\033[0m\n"
sleep 1

# Remove old files if present
rm -f $CertPath/$ACName*

# Save the CA name and password
echo "ACName=$ACName"       >  $CertPath/$ACName"-key.txt"
echo "ACpasswd=$ACpasswd" >> $CertPath/$ACName"-key.txt"

# create the certificates
printf "\n\033[1;33mopenssl genrsa -out $CertPath/$ACName.key 2048\033[0m\n"
openssl genrsa -out "$CertPath/$ACName.key" 2048

printf "\n\033[1;33mopenssl req -new -key $CertPath/$ACName.key -out $CertPath/$ACName.csr -passin pass:$ACpasswd -subj $Subj\033[0m\n"
openssl req -new -key "$CertPath/$ACName.key" -out "$CertPath/$ACName.csr" -passin pass:$ACpasswd -subj "$Subj"

printf "\n\033[1;33mopenssl x509 -req -days 365 -in $CertPath/$ACName.csr -out $CertPath/$ACName.crt -signkey $CertPath/$ACName.key\033[0m\n"
openssl x509 -req -days 365 -in "$CertPath/$ACName.csr" -out "$CertPath/$ACName.crt" -signkey "$CertPath/$ACName.key"

printf "\n\033[1;33mopenssl x509 -in $CertPath/$ACName.crt -text\033[0m\n"
openssl x509 -in "$CertPath/$ACName.crt" -text

printf "\n\033[1;33mopenssl rsa -in $CertPath/$ACName.key -passin pass:$ACpasswd -pubout -out $CertPath/$ACName.public.key\033[0m\n"
openssl rsa -in "$CertPath/$ACName.key" -passin pass:$ACpasswd -pubout -out "$CertPath/$ACName.public.key"

printf "\n\033[1;33mcat $CertPath/$ACName.key $CertPath/$ACName.crt > $CertPath/$ACName.pem\033[0m\n"
cat $CertPath/$ACName.key $CertPath/$ACName.crt > $CertPath/$ACName.pem

# echo "openssl x509 -req -days 3650 -signkey $CertPath/$ACName.key -out $CertPath/$ACName.crt"
# openssl x509 -req -days 3650 -signkey $CertPath/$ACName.key -out $CertPath/$ACName.crt

echo "openssl x509 -in $CertPath/$ACName.crt -text -noout"
openssl x509 -in $CertPath/$ACName.crt -text -noout

#--------------------------

Creation script for a server certificate signed by the CA created by the previous script
The parameters to fill in are

ServerName --> name of the server (used for the subj parameters)
#-------------------------------------------------
#!/bin/sh

CertPath=/etc/ssl/localcerts

# Name of the certification authority
ACName=my-ca

# server parameters
ServerPassph=$(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;)
ServerExpKey=$(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;)
ServerPemKey=$(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;)
ServerName=myserver

# subj parameters
CInit="Fr"
Cntry="France"
CCity="Paris"
Orgnt="my Organisation"
OUdpt="IT Department"
CNdpt="$ServerName"
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"

printf "\n\033[1;33mCréation de certificats auto-signés pour $ServerName\033[0m\n"
printf "\n\033[1;33mServerName=$ServerName\033[0m"
printf "\n\033[1;33mServerPassph=$ServerPassph\033[0m\n"
printf "\033[1;33mServerExpKey=$ServerExpKey\033[0m\n"
printf "\033[1;33mServerPemKey=$ServerPemKey\033[0m\n"

printf "\n\033[1;33mCInit=$CInit\033[0m\n"
printf "\033[1;33mCntry=$Cntry\033[0m\n"
printf "\033[1;33mCity=$CCity\033[0m\n"
printf "\033[1;33mOrgnt=$Orgnt\033[0m\n"
printf "\033[1;33mOUdpt=$OUdpt\033[0m\n"
printf "\033[1;33mCNdpt=$CNdpt\033[0m\n"
printf "\033[1;33mSubj=$Subj\033[0m\n"
sleep 2

# Remove old files if present
rm -f $CertPath/$ServerName*

# Save the passphrases
echo "ServerName=$ServerName" > $CertPath/$ServerName"-key.txt"
echo "ServerPassph=$ServerPassph" >>$CertPath/$ServerName"-key.txt"
echo "ServerExpKey=$ServerExpKey" >>$CertPath/$ServerName"-key.txt"
echo "ServerPemKey=$ServerPemKey" >>$CertPath/$ServerName"-key.txt"

# Create and sign the server certificate (genrsa takes no -subj option; the subject is given to req below)
printf "\n\033[1;33mopenssl genrsa -des3 -out $CertPath/$ServerName.key -passout pass:$ServerPassph 2048\033[0m\n"
openssl genrsa -des3 -out $CertPath/$ServerName.key -passout pass:$ServerPassph 2048

printf "\n\033[1;33mopenssl req -new -key $CertPath/$ServerName.key -out $CertPath/$ServerName.csr -passin pass:$ServerPassph -subj $Subj\033[0m\n"
openssl req -new -key $CertPath/$ServerName.key -out $CertPath/$ServerName.csr -passin pass:$ServerPassph -subj "$Subj"

printf "\n\033[1;33mopenssl x509 -req -in $CertPath/$ServerName.csr -CA $CertPath/$ACName.crt -CAkey $CertPath/$ACName.key -CAcreateserial -out $CertPath/$ServerName.crt -days 3650\033[0m\n"
openssl x509 -req -in $CertPath/$ServerName.csr -CA $CertPath/$ACName.crt -CAkey $CertPath/$ACName.key -CAcreateserial -out $CertPath/$ServerName.crt -days 3650

printf "\n\033[1;33mopenssl rsa -in $CertPath/$ServerName.key -passin pass:$ServerPassph -out $CertPath/$ServerName.nopassphrase.key\033[0m\n"
openssl rsa -in $CertPath/$ServerName.key -passin pass:$ServerPassph -out "$CertPath/$ServerName.nopassphrase.key"

#--------------------------------------------

Creation script for a user (client) certificate to restrict https access

#--------------------------------------------
#!/bin/sh

CertPath=/etc/ssl/localcerts

# Name of the certification authority
ACName=my-ca

# user parameters
UserPassph=$(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;)
UserExpKey=$(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;)
UserPemKey=$(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;)
UserKey=myUserKey

# subj parameters
CInit="Fr"
Cntry="France"
CCity="Paris"
Orgnt="my Organisation"
OUdpt="IT Department"
CNdpt="$UserKey"
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"

printf "\n\033[1;33mCréation des certificats auto-signés pour $UserKey\033[0m\n"
printf "\n\033[1;33mUserPassph=$UserPassph\033[0m"
printf "\n\033[1;33mUserExpKey=$UserExpKey\033[0m"
printf "\n\033[1;33mUserPemKey=$UserPemKey\033[0m"
printf "\n\033[1;33mUserKey=$UserKey\033[0m\n"

printf "\n\033[1;33mCInit=$CInit\033[0m\n"
printf "\033[1;33mCntry=$Cntry\033[0m\n"
printf "\033[1;33mCity=$CCity\033[0m\n"
printf "\033[1;33mOrgnt=$Orgnt\033[0m\n"
printf "\033[1;33mOUdpt=$OUdpt\033[0m\n"
printf "\033[1;33mCNdpt=$CNdpt\033[0m\n"
printf "\033[1;33mSubj=$Subj\033[0m\n"
sleep 1

# Remove old files if present
rm -f $CertPath/$UserKey*

# Save the passphrases
echo "UserKey=$UserKey"       > $CertPath/$UserKey"-key.txt"
echo "UserPassph=$UserPassph" >>$CertPath/$UserKey"-key.txt"
echo "UserExpKey=$UserExpKey" >>$CertPath/$UserKey"-key.txt"
echo "UserPemKey=$UserPemKey" >>$CertPath/$UserKey"-key.txt"

# Create and sign the user certificate (genrsa takes no -subj option; the subject is given to req below)
printf "\n\033[1;33mopenssl genrsa -des3 -out $CertPath/$UserKey.key -passout pass:$UserPassph 2048\033[0m\n"
openssl genrsa -des3 -out $CertPath/$UserKey.key -passout pass:$UserPassph 2048

printf "\n\033[1;33mopenssl req -new -key $CertPath/$UserKey.key -out $CertPath/$UserKey.csr -passin pass:$UserPassph -subj $Subj\033[0m\n"
openssl req -new -key $CertPath/$UserKey.key -out $CertPath/$UserKey.csr -passin pass:$UserPassph -subj "$Subj"

printf "\n\033[1;33mopenssl x509 -req -in $CertPath/$UserKey.csr -out $CertPath/$UserKey.crt -CA $CertPath/$ACName.crt -sha1 -CAkey $CertPath/$ACName.key -CAcreateserial -days 1825\033[0m\n"
openssl x509 -req -in $CertPath/$UserKey.csr -out $CertPath/$UserKey.crt -CA $CertPath/$ACName.crt -sha1 -CAkey $CertPath/$ACName.key -CAcreateserial -days 1825

printf "\n\033[1;33mopenssl pkcs12 -export -in $CertPath/$UserKey.crt -inkey $CertPath/$UserKey.key -name $UserKey -out $CertPath/$UserKey.p12 -name '$UserKey certificate' -passin pass:$UserPassph -passout pass:$UserPassph\033[0m\n"
openssl pkcs12 -export -in $CertPath/$UserKey.crt -inkey $CertPath/$UserKey.key -name $UserKey -out $CertPath/$UserKey.p12 -name "$UserKey certificate" -passin pass:$UserPassph -passout pass:$UserPassph

printf "\n\033[1;33mopenssl pkcs12 -in $CertPath/$UserKey.p12 -clcerts -nokeys -info -passin pass:$UserPassph\033[0m"
openssl pkcs12 -in $CertPath/$UserKey.p12 -clcerts -nokeys -info -passin pass:$UserPassph

Saturday 22 November 2014

apache 2.2.22 patch proxy ssh over https (ssh & reverse proxy) debian 7

# install apache
aptitude install apache2 apache2-utils apache2.2-common libapache2-mod-proxy-html openssl build-essential libpcre3-dev libcrypt-ssleay-perl libcurl4-openssl-dev libwww-perl

#--------------------------- patch apache 2.2.22 (bug https + reverse proxy + ssh) -------------------------

mkdir -p /opt/apache2
cd /opt/apache2

apt-get source apache2
lwp-request https://issues.apache.org/bugzilla/attachment.cgi?id=22248 > /tmp/httpd-2.2.9-proxytunnel.patch

cd apache2-2.2.22/
cat /tmp/httpd-2.2.9-proxytunnel.patch | patch -p1

./configure --enable-modules=all --enable-mods-shared=all --enable-proxy --enable-proxy-connect --enable-proxy-ftp --enable-proxy-http --enable-ssl

make all
find -name "*proxy*.so" | xargs cp -vt /usr/lib/apache2/modules

#--------------------------- end patch apache 2.2.22


#----------- activate mod
a2enmod proxy proxy_connect proxy_html proxy_http rewrite ssl

apache2ctl configtest
apache2ctl restart

# create self signed certificates if you need http://sadar-ssi.blogspot.fr/2014/11/openssl-certificates-self-signed.html


# disable default
a2dissite 000-default

#----------- create config
touch /etc/apache2/sites-available/my-site.conf
nano /etc/apache2/sites-available/my-site.conf

#--------------------------------------------------------------------------------
 <VirtualHost *:80>  
     ServerName my-server  
     ServerAdmin my-user@my-user.org  
     Redirect permanent / https://my-server  
     HostnameLookups On  
 </VirtualHost>  
   
 <VirtualHost *:443>  
     ServerName my-server  
     ServerAlias my-server.dtdns.net  
     ServerAdmin my-user@my-user.org  
     ServerSignature off  
   
     SSLEngine on  
     SSLOptions +StdEnvVars  
     SSLproxyengine on  
     SSLVerifyClient none  
       
     SSLProxyVerify none  
     SSLProxyCheckPeerCN off  
       
     SSLCACertificateFile     /etc/ssl/localcerts/my-ca.crt  
     SSLCertificateFile       /etc/ssl/localcerts/my-server.crt  
     SSLCertificateKeyFile   /etc/ssl/localcerts/my-server.nopassphrase.key  
       
     SSLCipherSuite HIGH:!aNULL:!MD5  
     SSLHonorCipherOrder on  
       
     LogLevel info  
   
     DocumentRoot /var/www/my-server  
     <Directory /var/www/my-server>      
       SSLVerifyDepth 1  
       SSLVerifyClient require    
       AuthType Basic  
       AuthName "my-server !!!! ---> @|@ <---"  
       require valid-user  
       AuthBasicProvider file        
       AuthUserFile /var/www/my-server/.htpasswd  
   
       Options Indexes FollowSymLinks MultiViews  
       AllowOverride None  
       Order allow,deny  
       allow from all  
     </Directory>  
   
     HostnameLookups On  
     Proxyrequests On  
     ProxyVia full  
   
     AllowCONNECT 22  
   
     # "Order deny,allow" with "Allow from all" lets every client use the forward proxy
     # (CONNECT is limited to port 22 by AllowCONNECT, plain HTTP forwarding is not);
     # restrict it to known client addresses or add the same Basic auth as the <Directory> above
     <Proxy *>
      Order deny,allow
      Deny from all
      Allow from all
     </Proxy>
   
     <ProxyMatch (my-server1|my-server2)>  
       Order deny,allow  
       Allow from all  
     </ProxyMatch>        
       
 </VirtualHost>  
   
#--------------------------------------------------------------------------------

Create htpasswd from command line (with -b the password is passed as an argument and ends up in the shell history; omit -b to be prompted)
htpasswd -cbm /var/www/my-server/.htpasswd my-user my-password

Update / add htpasswd from command line
htpasswd -bm /var/www/my-server/.htpasswd my-user my-password

#------------------------------
chown -R www-data:www-data /var/www/my-server

#------------------------------ enable site configuration
a2ensite my-server.conf
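Added example (editor's code, not the blog's) serving this post and the Debian 8 one above, which share the same vhost: a small Python audit that parses a config like the one shown and flags the three weak spots a reviewer would raise: legacy TLS versions left enabled, a second SSLCipherSuite silently overriding the first, and ProxyRequests On with a <Proxy *> that admits everyone unauthenticated. The WEAK and HARDENED samples are constructed.

```python
"""Audit an Apache 2.2 vhost for the weak spots visible in the two ssh-over-SSL
proxy configs above. Editor's example, not the blog author's configuration.
WEAK is condensed from the post's <VirtualHost *:443>; HARDENED is the same vhost
with TLS 1.2 only, a single cipher list and an authenticated <Proxy *>."""
import re
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

WEAK = """
<VirtualHost *:443>
    SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:!aNULL:!MD5
    SSLCipherSuite HIGH:!aNULL:!MD5
    ProxyRequests On
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from all
    </Proxy>
</VirtualHost>
"""

HARDENED = """
<VirtualHost *:443>
    SSLProtocol -all +TLSv1.2
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    ProxyRequests On
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 192.0.2.0/24
        AuthType Basic
        AuthName "proxy"
        AuthUserFile /var/www/my-server/.htpasswd
        Require valid-user
    </Proxy>
</VirtualHost>
"""

def parse(text):
    """Nest <Section arg> blocks; directives are kept as (lowercased key, value)."""
    root = {"name": "root", "arg": "", "directives": [], "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"^<(\w+)\s*(.*?)>$", line)
        if opened:
            section = {"name": opened.group(1).lower(), "arg": opened.group(2), "directives": [], "children": []}
            stack[-1]["children"].append(section)
            stack.append(section)
        elif re.match(r"^</\w+>$", line):
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1]["directives"].append((key.lower(), value.strip()))
    return root

def enabled_protocols(value):
    """Evaluate an SSLProtocol value left to right ('all', '+X', '-X', bare 'X')."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def grants_everyone(section):
    """Apache 2.2 Order/Allow/Deny: under 'deny,allow' (the default) 'Allow from all'
    wins, and without any 'Deny from all' access is open by default."""
    last = dict(section["directives"])   # a repeated directive: the last one wins
    order = last.get("order", "deny,allow").replace(" ", "").lower()
    allow_all = last.get("allow", "").lower() == "from all"
    deny_all = last.get("deny", "").lower() == "from all"
    if order == "allow,deny":
        return allow_all and not deny_all
    return allow_all or not deny_all

def audit(text):
    """Return the findings for every VirtualHost in the config text."""
    findings = []
    for vhost in parse(text)["children"]:
        directives = vhost["directives"]
        ciphers = [v for k, v in directives if k == "sslciphersuite"]
        if len(ciphers) > 1:
            findings.append("duplicate SSLCipherSuite: only the last one applies (%s)" % ciphers[-1])
        for key, value in directives:
            weak = enabled_protocols(value) & WEAK_PROTOCOLS if key == "sslprotocol" else set()
            if weak:
                findings.append("weak protocols enabled: " + ", ".join(sorted(weak)))
        proxy_on = any(k == "proxyrequests" and v.lower() == "on" for k, v in directives)
        for section in vhost["children"]:
            if proxy_on and section["name"] == "proxy" and section["arg"] == "*":
                keys = {k for k, _ in section["directives"]}
                if grants_everyone(section) and not keys & {"require", "authtype"}:
                    findings.append("open forward proxy: <Proxy *> admits every client without authentication")
    return findings
```

Feed it the real file with `audit(open("/etc/apache2/sites-available/my-site.conf").read())`; the parser only handles the directive and section syntax used in the post, not Include or IfModule logic.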

Saturday 8 November 2014

webvirtmgr

How to authorize webvirtmgr to connect remote host



Create SSH private key and ssh config options (On system where WebVirtMgr is installed):

$ sudo su - nginx -s /bin/bash

$ ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (path-to-id-rsa-in-nginx-home): Just hit Enter here!

$ touch ~/.ssh/config && echo -e "StrictHostKeyChecking=no\nUserKnownHostsFile=/dev/null" >> ~/.ssh/config

$ chmod 0600 ~/.ssh/config

Add webvirt user (on qemu-kvm/libvirt host server):

$ sudo adduser webvirtmgr

$ sudo passwd webvirtmgr

Back to webvirtmgr host and copy public key to qemu-kvm/libvirt host server:

$ sudo su - nginx -s /bin/bash

$ ssh-copy-id webvirtmgr@qemu-kvm-libvirt-host

Or if you changed the default SSH port use:

$ ssh-copy-id -p YOUR_SSH_PORT webvirtmgr@qemu-kvm-libvirt-host

Now you can test the connection by entering:

$ ssh webvirtmgr@qemu-kvm-libvirt-host

For a non-standard SSH port use:

$ ssh -p YOUR_SSH_PORT webvirtmgr@qemu-kvm-libvirt-host

You should connect without entering a password.

Set up permissions to manage libvirt (on qemu-kvm/libvirt host server):

On Ubuntu:

$ sudo adduser webvirtmgr libvirtd

#------------------------------------------------------------------------------------------------

Create SSH public key in folder /var/www/.ssh/id_rsa:

$ sudo ssh-keygen
Enter file in which to save the key (/root/.ssh/id_rsa): /var/www/.ssh/id_rsa

Change owner and permissions for folder /var/www/.ssh (Ubuntu: "www-data."; Fedora,CentOS: "apache."):

$ sudo chmod -R 0600 /var/www/.ssh/config
$ sudo chown -R apache:apache /var/www/.ssh

Set up SSH public key (On libvirt Host Server)


On the remote server: create a user to manage libvirt:

$ sudo adduser webvirtmgr

Copy /var/www/.ssh/id_rsa.pub to folder (on server) .ssh/authorized_keys user webvirtmgr:

$ sudo mkdir /home/webvirtmgr/.ssh
$ sudo chmod 700 /home/webvirtmgr/.ssh
$ sudo cp /var/www/.ssh/id_rsa.pub /home/webvirtmgr/.ssh/authorized_keys
$ sudo chmod 0600 /home/webvirtmgr/.ssh/authorized_keys
$ sudo chown -R webvirtmgr:webvirtmgr /home/webvirtmgr/.ssh

Set up permissions to manage libvirt

Ubuntu:

$ sudo adduser webvirtmgr libvirtd


PolicyKit local authority rule (.pkla file on the libvirt host) granting the webvirtmgr user the right to manage libvirt:

[Remote libvirt SSH access]
Identity=unix-user:webvirtmgr
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

Wednesday 23 July 2014

VNC server on mint

aptitude install x11vnc

gedit /etc/mdm/Init/Default

#insert before exit 0
#

if [ -z "$(pidof x11vnc)" ]; then nohup x11vnc -norc -forever -shared -autoport 5900 -avahi -env X11VNC_AVAHI_NAME=`hostname` -desktop "`hostname`'s Remote Desktop" -scale_cursor 0.5 -repeat -bg -o /var/log/x11vnc.log 2>/dev/null 1>&2; fi

# putty command line (tunnel option)

-L 5999:192.168.1.xx:5900

# connect to host --> 127.0.0.1:5999

Sunday 22 June 2014

UBUNTU 14.04 logout : Logging out function disappeared?

# command
gsettings get org.gnome.desktop.lockdown disable-log-out

# should be return "false"
# if it's "true", then you need to set it to false to be able to log out, as user in terminal:

gsettings set org.gnome.desktop.lockdown disable-log-out false


Friday 4 April 2014

SquidGuard FATAL: Error db_open: No such file or directory



cd /var/lib/squidguard/db
rsync -arpogvt rsync://ftp.ut-capitole.fr/blacklist .
mv -fv dest/* .
rm -rf /var/lib/squidguard/db/dest/
chown -R proxy:proxy /var/lib/squidguard/

# verify
squidGuard -d

# that's all !

KVM and virsh essential commands

LVM KVM to Virtualbox
#----------------------------------------------------------------
dd if=/dev/Volume01/Disk of=/tmp/image.raw
qemu-img convert -O vdi /tmp/image.raw test.vdi
rm /tmp/image.raw
#--------------------- 

# change the MAC address

virsh edit

# VM copy/backup bash script
#--------------------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
# Back up a KVM guest whose disk is an LVM volume: copy it to <lv>.backup (an LV
# that must already exist), archive that copy with bzip2 under $targetpath, and
# push the disk to the same LV on a remote KVM host if that host answers ping.

activevm="$1"
targetpath=/home/kvm
remote=edouard
localvmsource=$(virsh dumpxml "$activevm" | grep 'source dev=' | cut -d "'" -f2)
remotevmd=$(ssh root@$remote "virsh dumpxml $activevm | grep 'source dev=' ")
remotevmdest=$(echo "$remotevmd" | grep 'source dev=' | cut -d "'" -f2)

# LV size rounded to whole GiB; only used as the size hint for pv's progress bar
lvmsize=$(lvs | sed -n "/$activevm/s/ \+/ /gp" | head -n1 | cut -f 5 -d ' ' | sed -e 's/,/./g' -e 's/.$//' | awk '{print int($1+0.5)}')G
VMActive=$(virsh list | grep -c "$activevm")

echo "Sauvegarde de $activevm, localvmsource=$localvmsource, lvmsize=$lvmsize, VMActive=$VMActive"
echo "sur $remote remotevmdest=$remotevmdest"

# Shut the guest down cleanly first so the copied filesystem is consistent
if [ "$VMActive" -gt 0 ]
then
    virsh shutdown "$activevm"

    while [ "$VMActive" -gt 0 ]
    do
        VMActive=$(virsh list | grep -c "$activevm")
        echo "Waiting shutdown $activevm..."
        sleep 5
    done
fi

echo "copy de la vm......."
echo "dd bs=4M if=$localvmsource | pv -s $lvmsize | dd of=$localvmsource.backup"
dd bs=4M if="$localvmsource" | pv -s "$lvmsize" | dd of="$localvmsource.backup"

echo "."
echo "Restart VM : $activevm"
virsh start "$activevm"

echo "."
echo "virsh list --all"
virsh list --all

echo "."
echo "Copy lvm to bzip2..."
echo "dd if=/dev/lvm-kvm/$activevm.backup | pv -s $lvmsize | bzip2 -cf | dd of=$targetpath/$activevm.bz2 conv=noerror"
dd if="/dev/lvm-kvm/$activevm.backup" | pv -s "$lvmsize" | bzip2 -cf | dd of="$targetpath/$activevm.bz2" conv=noerror

echo "."
if ping -c 1 "$remote" &> /dev/null   # copy to the remote host only if it is up
then
    echo "Copy sur $remote"
    echo "dd if=$localvmsource bs=512K | pv -s $lvmsize | ssh root@$remote 'dd bs=512K of=$remotevmdest' "
    sleep 2
    dd if="$localvmsource" bs=512K | pv -s "$lvmsize" | ssh root@$remote "dd bs=512K of=$remotevmdest"
fi
#--------------------------------------------------------------------------------------------------------------------------------------------

# performance problem inside a KVM VM (disable GRO/TSO offloading on the interface)
ethtool -K [interface] gro off tso off

Friday 21 March 2014

Apache secure ssl

# see recent
http://sadar-ssi.blogspot.fr/2014/11/debian-7-apache-2222-patch-proxy-ssh.html

# secure apache2 source https://www.argure.nl/index.php/forward-secrecy-in-apache-on-debian-wheezy-or-how-to-ace-the-ssltest-with-a-perfect-100/
#-------------------------------------------------------------------------------------
Once you’ve got your certificate installed (or while waiting for one), lets get to configuring apache2, starting with the default ssl configuration:
# cd /etc/apache2
# nano mods-available/ssl.conf

Find this line on line 60:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
Replace it with:
SSLCipherSuite AES256+EECDH:AES256+EDH:!aNULL

Find this line on line 73:
#SSLHonorCipherOrder On
Uncomment it:
SSLHonorCipherOrder On

Find this line on line 78:
SSLProtocol all
Replace it with:
SSLProtocol all -SSLv3

If you plan to run multiple virtual hosts on the same IP address (for instance, hosting both example.tld and anotherexample.tld on the same IPv4), find this line on line 86:
#SSLStrictSNIVHostCheck On
And uncomment it:
SSLStrictSNIVHostCheck On

Next up, if you place files in /srv like I do, we need to allow access:
# nano apache2.conf

Find this block on line 170:
#
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#

And uncomment it:

Options Indexes FollowSymLinks
AllowOverride None
Require all granted


By default apache2 sends inode info in the etag headers. This is a potential security flaw, so lets remove them:
# nano conf-available/etag.conf

And add:
FileETag MTime Size

Next up, if your Certificate Authority uses intermediate certs, apache2 needs to know about them so they can be sent to the client. Some CAs have a chain of intermediate certs, in which case you need to concatenate them in a single .pem file. You should not include the root CA: it adds bytes to every handshake and is useless, since the root has to be in the client's trust store anyway.

Some CAs (StartSSL among them) also issue certificates signed with SHA-2 rather than SHA-1, and SHA-1 signatures should be avoided. SHA-256 is the common choice; SHA-384 and SHA-512 are fine but rare. Check what you were issued with: openssl x509 -in yourcert.crt -noout -text | grep 'Signature Algorithm'

I personally use StartSSL with Class 2 validation and that is what will be assumed. Your certificate authority likely has a guide on where to find the intermediate certificates.

#Get the intermediate certificate:
cd /etc/ssl/localcerts
wget https://startssl.com/certs/class2/sha2/pem/sub.class2.server.sha2.ca.pem


# Now include the intermediate certificate, along with some other configuration directives for mod_ssl.
cd /etc/apache2
nano conf-available/ssl-custom.conf

# Add the following line:
SSLCertificateChainFile /etc/ssl/localcerts/sub.class2.server.sha2.ca.pem

apache2 now also supports OCSP stapling, which is a good thing since it saves the client a round trip to the CA and protects the client's privacy (the CA no longer sees who visits your site), so add these lines as well:

SSLUseStapling On
SSLStaplingCache "shmcb:/cache/stapling_cache(128000)"

(Both directives go outside any VirtualHost, which is the case in conf-available. The shmcb path is a file Apache creates, so that directory must exist and be writable by the server; ${APACHE_RUN_DIR}/ssl_stapling(128000) is the usual choice on Debian. Stapling does work with an intermediate CA such as StartSSL, but only if the issuer is reachable through SSLCertificateChainFile, because mod_ssl needs it to build the OCSP request. Verify from outside with: openssl s_client -connect yourhost:443 -status, which prints "OCSP Response Status: successful" when a response is stapled.)

Earlier we patched apache2 and generated a custom DH pool, so let's include that as well by adding:
SSLDHParametersFile /etc/ssl/dh4096.pem

(This directive only exists with that patch. On stock Apache 2.4.8 or later with OpenSSL 1.0.2 use SSLOpenSSLConfCmd DHParameters /etc/ssl/dh4096.pem instead, or append the parameters to the file named in SSLCertificateFile.)

Some browsers (*cough IE*) have not followed standards for a long time and keep an SSL session open longer than needed, which increases server load, so let's stop that behaviour by adding these lines:

BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

(The second pattern is not a typo: the character class matches "MSIE 1x" as well as 7 to 9.)

Finally, if you rewrite plain HTTP to HTTPS (and I recommend this, and it is assumed later), you will want to send an HSTS header to clients. This tells a client to always use HTTPS for requests to your server, and not even try HTTP. This is faster for the client, and reduces load on your server somewhat. Do this by adding:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

(Browsers only honour HSTS received over HTTPS, so the header belongs inside the :443 VirtualHost rather than in a global conf where the plain-HTTP vhost sends it too. includeSubDomains commits every subdomain to HTTPS for a year; leave it out if any subdomain is still plain HTTP.)

Close and save ssl-custom.conf. There are also some small security tweaks which are in apache2 but are disabled by default. Luckily, they are easily enabled:
nano conf-available/security.conf

First, take a look at this block, starting at line 55:
#<DirectoryMatch "/\.svn">
#    Require all denied
#</DirectoryMatch>

If you use subversion to manage your websites, uncomment that block. I personally use git, so I uncommented it and changed 'svn' to 'git', resulting in:

<DirectoryMatch "/\.git">
    Require all denied
</DirectoryMatch>

(Without this, anyone can pull your repository history, including every file you ever committed and later deleted, from https://yourhost/.git/.)

Next, find this line on line 64:
#Header set X-Content-Type-Options: "nosniff"
Uncomment it:
Header set X-Content-Type-Options: "nosniff"

And this line on line 71:
#Header set X-Frame-Options: "sameorigin"
Uncomment that one as well:
Header set X-Frame-Options: "sameorigin"

Lastly, this header was present in apache2.2 but was removed in 2.4 for a reason I don't know about. It tells the XSS filter of older browsers to block the page outright if it detects a reflected cross-site scripting attack. I personally like to add it, although current browsers have dropped that filter and a Content-Security-Policy is what actually helps today:
Header set X-XSS-Protection: "1; mode=block"

# Close and save. Next, enable the modules (headers is needed for the Header directives above)
a2enmod ssl headers

# And enable the configurations we just made:
a2enconf etag ssl-custom

# proxy modules for the ssh-over-https CONNECT proxy in the vhost below
# (a2enmod takes module names, not .load file names, and proxy_html needs xml2enc)
a2enmod proxy proxy_connect proxy_http proxy_html proxy_wstunnel auth_digest rewrite xml2enc

# Disable the 'default' site:
a2dissite 000-default

Create dir for virtualhost

mkdir -p /var/log/apache2/sadar /srv/sadar
touch /var/log/apache2/sadar/access.log /var/log/apache2/sadar/error.log
chown -R root:adm /var/log/apache2/sadar

touch /srv/sadar/index.html
chown -R www-data:www-data /srv/sadar

Next up, lets make a configuration

nano /etc/apache2/sites-available/sadar.conf

#----------------------------------------------------------------------------- sadar.conf -------------------------------------

# port 80: nothing but a redirect to https
<VirtualHost *:80>
    ServerName sadar
    ServerAdmin sadar@sadar-ssi.org
    Redirect permanent / https://sadar/
    HostnameLookups On
</VirtualHost>

<VirtualHost *:443>
    ServerName sadar
    ServerAdmin sadar@sadar-ssi.org
    ServerSignature off

    DocumentRoot /srv/sadar

    LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/sadar/error.log
    CustomLog ${APACHE_LOG_DIR}/sadar/access.log combined

    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /etc/ssl/localcerts/sadar-certificate.crt
    SSLCertificateKeyFile /etc/ssl/localcerts/sadar-certificate.key
    SSLVerifyClient none

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /srv/sadar>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        # 2.4 form of "Order allow,deny / allow from all"
        Require all granted
    </Directory>

    # forward proxy used only to tunnel ssh over https (CONNECT); HostnameLookups costs a reverse DNS lookup per request
    HostnameLookups On
    ProxyRequests On
    ProxyVia full

    # CONNECT only to port 22 (the default would be 443 and 563)
    AllowCONNECT 22

    # with ProxyRequests On this deny-all block is what keeps the vhost from being an open proxy for the whole internet
    # (2.4 form of "Order deny,allow / Deny from all")
    <Proxy *>
        Require all denied
    </Proxy>

    # then allow only the ssh target; the target named here is reconstructed from the ssh config below (Hostname my-host-ssh, Port 22)
    <Proxy my-host-ssh:22>
        Require all granted
    </Proxy>

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

#---------------------------------------------------------------------------- sadar.conf -------------------------------------

# activate site
a2ensite sadar

#restart apache
service apache2 restart
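Before restarting, it is worth checking what the configuration actually allows. The script below is an added example and not part of the original post: it parses Apache configuration text into sections and flags the settings the notes above replace (SSLv3 still enabled, no SSLHonorCipherOrder, inode numbers in FileETag, a TLS vhost without HSTS, and, the dangerous one for this setup, ProxyRequests On without a <Proxy *> block that denies everyone, which is an open forward proxy). Both embedded configs are constructed samples; the 'my-host-ssh:22' CONNECT target is an assumption taken from the ssh config on this page.

```python
# Added example, not part of the original post: an offline audit of the mod_ssl and
# mod_proxy settings discussed above. Both configs are constructed samples; the
# 'my-host-ssh:22' CONNECT target is an assumption taken from the ssh config on this page.
import re

WEAK_CONF = """\
SSLProtocol all
FileETag INode MTime Size
<VirtualHost *:443>
    SSLEngine on
    ProxyRequests On
    AllowCONNECT 22
</VirtualHost>
"""

HARDENED_CONF = """\
SSLProtocol all -SSLv3
SSLHonorCipherOrder On
FileETag MTime Size
<VirtualHost *:443>
    SSLEngine on
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    ProxyRequests On
    AllowCONNECT 22
    <Proxy *>
        Require all denied
    </Proxy>
    <Proxy my-host-ssh:22>
        Require all granted
    </Proxy>
</VirtualHost>
"""

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

class Section:
    def __init__(self, name="", args=""):        # the root section has an empty name
        self.name, self.args, self.directives, self.children = name, args, [], []

def parse(text):
    """Minimal Apache config parser: <Name args> ... </Name> nest, everything else is 'Name value'."""
    stack = [Section()]
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^<(/?)(\w+)\s*(.*?)>$", line)
        if m and m.group(1):                            # closing tag
            if len(stack) < 2 or stack.pop().name.lower() != m.group(2).lower():
                raise ValueError(f"unexpected </{m.group(2)}>")
        elif m:                                         # opening tag
            stack[-1].children.append(Section(m.group(2), m.group(3)))
            stack.append(stack[-1].children[-1])
        else:
            name, _, value = line.partition(" ")
            stack[-1].directives.append((name, value.strip()))
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1].name}>")
    return stack[0]

def get(section, name):
    return [v for n, v in section.directives if n.lower() == name.lower()]

def walk(section):
    yield section
    for child in section.children:
        yield from walk(child)

def enabled_protocols(value):
    """Evaluate an SSLProtocol value as mod_ssl does: 'all' adds every version, '-X' removes X."""
    enabled = set()
    for tok in value.split():
        op, proto = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        chosen = ALL_PROTOCOLS if proto.lower() == "all" else {proto}
        enabled = enabled | chosen if op == "+" else enabled - chosen
    return enabled

def denies_all(proxy):
    vals = [v.lower() for v in get(proxy, "Require") + get(proxy, "Deny")]
    return "all denied" in vals or "from all" in vals

def audit(text):
    root, findings = parse(text), []
    if not any(v.lower() == "on" for s in walk(root) for v in get(s, "SSLHonorCipherOrder")):
        findings.append("SSLHonorCipherOrder is not On: the client, not the server, picks the cipher")
    for sec in walk(root):
        where = f"<{sec.name} {sec.args}>" if sec.name else "server config"
        for v in get(sec, "SSLProtocol"):
            if "SSLv3" in enabled_protocols(v):
                findings.append(f"{where}: SSLProtocol '{v}' leaves SSLv3 enabled (POODLE)")
        for v in get(sec, "FileETag"):
            if any(t.lstrip("+").lower() in ("inode", "all") for t in v.split()):
                findings.append(f"{where}: FileETag '{v}' leaks inode numbers")
        if any(v.lower() == "on" for v in get(sec, "ProxyRequests")):
            # a forward proxy must deny everyone by default and restrict CONNECT to known ports
            catch_all = [p for p in sec.children if p.name.lower() == "proxy" and p.args == "*"]
            if not any(denies_all(p) for p in catch_all):
                findings.append(f"{where}: ProxyRequests On without a <Proxy *> denying everyone: open proxy")
            if not get(sec, "AllowCONNECT"):
                findings.append(f"{where}: no AllowCONNECT, so CONNECT works to the default ports 443 and 563")
        if any(v.lower() == "on" for v in get(sec, "SSLEngine")):
            if not any("strict-transport-security" in v.lower() for v in get(sec, "Header")):
                findings.append(f"{where}: TLS vhost sends no Strict-Transport-Security header")
    return findings
```

Run audit() on the text of your own sadar.conf plus ssl.conf; the weak sample yields five findings and the hardened one none. The parser is deliberately small (no Include, no IfModule evaluation), so it audits the files you feed it, not the merged runtime configuration; apachectl -t -D DUMP_VHOSTS remains the way to see what Apache really loaded.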

# client side, in ~/.ssh/config: ssh through the corporate proxy (my-local-proxy:80) to the apache CONNECT proxy above (my-remote-proxy:443), which tunnels on to my-host-ssh:22
Host my-remote-ssh
    Hostname my-host-ssh
    Port 22
    # a SOCKS proxy bound to *:11999 is reachable from every interface; use 127.0.0.1:11999 unless other machines must use it
    DynamicForward *:11999
    # OpenSSH reads only OpenSSH-format private keys; a real PuTTY .ppk must be exported first
    IdentityFile ./private-keys/remote-ssh.ppk
    # -p local proxy, --passfile its credentials (keeps them out of ps), -r the apache vhost, -X TLS to it, -d the final destination
    ProxyCommand proxytunnel -v -p my-local-proxy:80 --passfile=proxy/auth -r my-remote-proxy:443 -d %h:%p -H "User-Agent: Yaaaaaaaaa" -X

Tuesday 4 March 2014

virtualbox essentials commands

# start vm (headless) and follow its log (ccze only colourises the output)
VMName=template
vboxheadless --startvm "$VMName" &
sleep 2
MachineFolder=$(vboxmanage list systemproperties | sed -n 's/^Default machine folder: *//p')
tail -f "$MachineFolder/$VMName/Logs/VBox.log" | ccze

#poweroff vm
VMName=template
vboxmanage controlvm $VMName poweroff

# list active vm
vboxmanage list runningvms

# list all vm
vboxmanage list vms

# change nic from bridged to nat: modifyvm for a powered-off vm, controlvm for a running one
VMName=template
vboxmanage modifyvm $VMName --nic1 nat ; vboxmanage showvminfo $VMName| grep -i nic
vboxmanage controlvm $VMName nic1 nat ; vboxmanage showvminfo $VMName| grep -i nic

# add port forwarding rule: "name,proto,hostip,hostport,guestip,guestport"
# (a host ip of 127.0.0.1 keeps the port off the LAN; an empty host ip binds every host interface)
VMName=template
vboxmanage modifyvm $VMName --natpf1 "ssh,tcp,127.0.0.1,2222,,22" ; vboxmanage showvminfo $VMName| grep -i nic
vboxmanage controlvm $VMName natpf1 "ssh,tcp,127.0.0.1,2222,,22" ; vboxmanage showvminfo $VMName| grep -i nic

#------ changing the UUID does not work !!! detach the disk, close the medium and re-attach it instead ------------
# list hdd
vboxmanage list hdds

# show vm info
vboxmanage showvminfo my-vm --details

# show hd info
vboxmanage showhdinfo /path-to-vm/my-vm.vdi

# detach controler
vboxmanage storageattach my-vm --storagectl "SATA" --port 0 --device 0 --medium none

#close medim disk
vboxmanage closemedium disk /path-to-vm/my-vm.vdi

# reattach the disk
vboxmanage storageattach my-vm --storagectl "SATA" --port 0 --device 0 --type hdd --medium /path-to-vm/my-vm.vdi

VMName=my-vm
VMNameDiskPath=/path-to-vm/disk.vdi
vboxmanage storageattach $VMName --storagectl "SATA" --port 0 --device 0 --medium none
vboxmanage closemedium disk $VMNameDiskPath
vboxmanage storageattach $VMName --storagectl "SATA" --port 0 --device 0 --type hdd --medium $VMNameDiskPath

# NAT forwarding of a dynamic (SOCKS) port opened inside the guest
#----------------------------------------- ./.ssh/config (inside the guest)
Host *
    ForwardX11 yes
    # KeepAlive is the obsolete spelling; the option is TCPKeepAlive
    TCPKeepAlive yes
    ServerAliveInterval 15
    ServerAliveCountMax 3

Host homvdsk
    Hostname myhostname.com
    Port 443
    ProxyCommand /usr/bin/corkscrew myproxy 80 %h %p ~/.ssh/auth
    # bound to * rather than 127.0.0.1 so that traffic forwarded by the host through the NAT interface can reach it
    DynamicForward *:10998

# host port 10999 -> guest port 10998; the empty host ip binds every host interface, so the SOCKS proxy is also reachable from the LAN (use 127.0.0.1 as host ip unless that is intended)
vboxmanage controlvm $VMName natpf1 "proxy,tcp,,10999,,10998" ; vboxmanage showvminfo $VMName| grep -i nic


# delete port forwarding rule
VMName=template
vboxmanage modifyvm $VMName --natpf1 delete ssh ; vboxmanage showvminfo $VMName| grep -i nic
vboxmanage controlvm $VMName natpf1 delete ssh ; vboxmanage showvminfo $VMName| grep -i nic

# clone vm
VMSource=template
VMTarget=clonedvm
vboxmanage clonevm $VMSource --name $VMTarget --register --mode all ; vboxmanage list vms

# delete vm (all files)
VMName=template
vboxmanage unregistervm $VMName --delete

# use an lvm volume as a raw disk (the vmdk is only a descriptor; the user running VirtualBox needs read/write access to the logical volume)
VBoxManage internalcommands createrawvmdk -filename /path/to/file.vmdk -rawdisk /dev/volumegroup/logicalvolume

Friday 31 January 2014

NFS export & read-only error on the client

# For example, in /etc/exports

/mnt/vol01 192.168.1.0/24(ro,sync,no_subtree_check)
/mnt/vol01/dir1 192.168.1.0/24(ro,sync,no_subtree_check)

/mnt/vol01/inet/btorrent 192.168.1.0/24(rw,sync,no_subtree_check,all_squash)
/mnt/vol01/dir1/dir2 torrenthost(rw,sync,no_subtree_check,all_squash)

# mount on torrenthost
mount -t nfs nfsserver:/mnt/vol01/inet/btorrent /mnt/share.nfs/btorrent
mount -t nfs nfsserver:/mnt/vol01/dir1/dir2 /mnt/share.nfs/dir2

touch /mnt/share.nfs/dir2/xx --> read-only file system, although the export says rw ;-//

# Change /etc/exports so that every export, the nested ones included, carries its own fsid
# (fsid=0 is also what NFSv4 uses as the root of the export tree)
/mnt/vol01 192.168.1.0/24(ro,sync,no_subtree_check,fsid=0)
/mnt/vol01/dir1 192.168.1.0/24(ro,sync,no_subtree_check,fsid=1)

/mnt/vol01/inet/btorrent 192.168.1.0/24(rw,sync,no_subtree_check,all_squash,fsid=2)
/mnt/vol01/dir1/dir2 torrenthost(rw,sync,no_subtree_check,all_squash,fsid=3)

# re-read the file on the server; with all_squash every client uid becomes the anonymous user (nobody by default),
# so the rw directories must be writable by that user
exportfs -ra

et voilà !!!
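An added example, not part of the original post: a small /etc/exports checker that catches the situation above (an export nested inside another export without an explicit fsid on both) and two classic over-exposures, rw granted to a whole network and no_root_squash. The two export lists are the ones from this post, embedded as constructed samples; the parser and the checks are my own.

```python
# Added example, not part of the original post: an offline check of an /etc/exports
# file for the nested-export situation above and two classic over-exposures. The two
# export lists are the ones from this post, embedded here as constructed samples.
import re
from itertools import permutations

EXPORTS_BEFORE = """\
/mnt/vol01 192.168.1.0/24(ro,sync,no_subtree_check)
/mnt/vol01/dir1 192.168.1.0/24(ro,sync,no_subtree_check)
/mnt/vol01/inet/btorrent 192.168.1.0/24(rw,sync,no_subtree_check,all_squash)
/mnt/vol01/dir1/dir2 torrenthost(rw,sync,no_subtree_check,all_squash)
"""

# fsid=0 also marks the NFSv4 pseudo-root; all_squash maps every client uid to the
# anonymous user, so the rw directories must be writable by that user on the server
EXPORTS_AFTER = """\
/mnt/vol01 192.168.1.0/24(ro,sync,no_subtree_check,fsid=0)
/mnt/vol01/dir1 192.168.1.0/24(ro,sync,no_subtree_check,fsid=1)
/mnt/vol01/inet/btorrent 192.168.1.0/24(rw,sync,no_subtree_check,all_squash,fsid=2)
/mnt/vol01/dir1/dir2 torrenthost(rw,sync,no_subtree_check,all_squash,fsid=3)
"""

def parse_exports(text):
    """Return (path, client, options) triples; each token after the path is 'client(opt,...)' or a bare client."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)      # drop comments, split path from the client list
        if not parts:
            continue
        path, rest = parts[0], parts[1] if len(parts) > 1 else ""
        for client, opts in re.findall(r"(\S+?)(?:\((.*?)\))?(?=\s|$)", rest):
            entries.append((path, client, {o for o in opts.split(",") if o}))
    return entries

def fsid(opts):
    return next((o[5:] for o in opts if o.startswith("fsid=")), None)

def is_inside(parent, child):
    return child != parent and child.startswith(parent.rstrip("/") + "/")

def audit_exports(text):
    entries, findings = parse_exports(text), []
    for path, client, opts in entries:
        if "rw" in opts and ("/" in client or "*" in client):
            findings.append(f"{path}: rw for a whole network ({client}); name the hosts that need to write")
        if "no_root_squash" in opts:
            findings.append(f"{path}: no_root_squash lets root on {client} act as root on the server")
    ids = {}                                  # export path -> set of fsid values (None = not set)
    for path, _, opts in entries:
        ids.setdefault(path, set()).add(fsid(opts))
    for parent, child in permutations(ids, 2):
        if is_inside(parent, child) and (None in ids[parent] or None in ids[child]):
            findings.append(f"{child} is exported inside {parent} without fsid= on both: "
                            "the setup that produced the read-only symptom above")
    owner = {}                                # an fsid must identify exactly one export
    for path, values in ids.items():
        for v in values - {None}:
            if owner.setdefault(v, path) != path:
                findings.append(f"fsid={v} is reused by {owner[v]} and {path}")
    return findings
```

The "before" list produces four nested-export findings plus one for the rw export to the whole /24; the "after" list keeps only that last one, which is the deliberate trade-off in this setup. Feed it open("/etc/exports").read() on the server after editing and before exportfs -ra.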

Tuesday 28 January 2014

perl CPAN

# cpan prerequisites
aptitude install build-essential libterm-readline-gnu-perl

# minimal cpan setup
cpan install Bundle::CPAN

# Install all dependencies automatically: type these inside the cpan shell (run "cpan" to get it)

o conf prerequisites_policy follow
o conf commit

Tuesday 21 January 2014

ssh tunneling, jump host, proxytunnel, reverse, authentication, regenerate server keys, VNC via ssh, flushdns (W7)

# ssh over https via proxy, see
http://sadar-ssi.blogspot.fr/2014/11/debian-7-apache-2222-patch-proxy-ssh.html

# ssh jump through a gateway/ssh server, for example (-t keeps a tty for the second ssh)
ssh -t server-gateway ssh root@server-cible

#-------------------------------- KVM virt-manager ----------------------------------------------------------------
# From a LAN with no outbound restriction (behind an ordinary home router...)
# Example for virt-manager through an ssh jump host listening on 443; virt-manager then connects to localhost:8888

ssh -L 8888:my-virt-manager-server:22 user@server-rebond -p 443
# then, from another shell
virt-manager -c qemu+ssh://root@localhost:8888/system

# From a corporate LAN with an http proxy, jumping through an https server to reach the KVM host
# NB: the variables can be set from .bashrc or .profile with an export; ProxyCommand is run by your shell, so $VAR is expanded there

# it is much simpler to put everything in /home/user/.ssh/config
# for example
Host *
    ForwardX11 yes
    # KeepAlive is the obsolete spelling; the option is TCPKeepAlive
    TCPKeepAlive yes
    ServerAliveInterval 28
    ServerAliveCountMax 5
    # agent forwarding to every host means any compromised server you log into can use your keys; enable it per Host instead
    ForwardAgent yes
    IdentityFile ./privatekey.ppk

Host mysrv
    Hostname mysrv
    # shell variable names cannot contain '-', so the original $https-usr expanded to "$https" followed by "-usr"; renamed here.
    # a user:password on the command line is visible in ps to other local users; the --passfile form used elsewhere on this page avoids that for the local proxy
    ProxyCommand proxytunnel -v -p $PrxyServ:$PrxyPort --proxyauth=$PrxyUser:$PrxyUserPwd -r mysrvname.domain.net:443 -d %h:%p -X -R $HttpsUser:$HttpsPwd -H "User-Agent: boum-boum"

# the command that bridges a workstation behind a corporate firewall whose only way out is the http proxy

ssh -N -C -L 8888:server-kvm:22 mysrv

# from another shell simply run

virt-manager -c qemu+ssh://root@localhost:8888/system

#-------------------------------- VNC ----------------------------------------------------------------
# install the vnc server (the one that actually works!)

aptitude install x11vnc

# if x11vnc is not running as a daemon, first ssh to the server to
# 1 - look at the running processes to pick up the value behind "-auth" (the X server's authority file)

ps wwwwaux | grep -v grep | grep auth

root 1167 0.4 2.2 358532 69440 tty7 Ssl+ août27 6:02 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
loli 2310 0.0 0.4 341996 12764 ? Sl août27 0:00 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1

# 2 - then, on the remote machine, start x11vnc with the following parameters
# (-localhost makes it listen on 127.0.0.1 only, so the unencrypted VNC port is reachable solely through an ssh tunnel ending on that machine)

x11vnc -geometry 1024x768 -ncache 10 -localhost -display :0 -auth /var/run/lightdm/root/:0 -o /var/log/x11vnc.log -repeat -norc -forever -shared

# then open the tunnel (if not already done)

ssh -N -C -L 5900:pc-vnc:5900 mysrv

# from the VM run
vncviewer 127.0.0.1:5900

#-------------------------------- rsync via socks proxy ----------------------------------------------
# 1) connect to the remote server and open a dynamic (SOCKS) port...
# (quote the bind address so the shell does not glob '*'; '*' listens on every interface, 127.0.0.1 is enough for a local rsync)

ssh -D '*:10998' jessievdsk

# 2) rsync through that SOCKS port with nc as the ProxyCommand (-x is OpenBSD netcat's proxy option; ssh fills in %h and %p)
rsync --ignore-errors --force --human-readable --progress --partial --bwlimit=80 -hav /mnt/share/jessie -e "ssh -o 'ProxyCommand nc -x localhost:10998 %h %p'" root@rmtsrv:/mnt/vol3To/virtualbox/disk/jessie

#-----------------------------------------------------------------------------------------------------
# Public / private key authentication
# in /etc/ssh/sshd_config
# check PubkeyAuthentication yes (RSAAuthentication only concerns SSH protocol 1, which modern OpenSSH no longer supports)
# and change PasswordAuthentication yes to PasswordAuthentication no
# (test a key login from a second session before restarting sshd, or you lock yourself out)

# change hostname
nano /etc/hostname

# apply it
hostname -F /etc/hostname

# How to generate new host keys on an existing server (after cloning a vm, for example: two machines sharing host keys can impersonate each other)
rm -f /etc/ssh/ssh_host_*
ssh-keygen -A
dpkg-reconfigure openssh-server
service ssh restart
# clients that knew the old key will now see a host key mismatch warning; update their known_hosts

# To change the passphrase on a private key (if it is a DSA key: OpenSSH has disabled ssh-dss by default since 7.0, generate an Ed25519 or RSA key instead):
ssh-keygen -p -f /root/olwen/private.04.ppk


#-------------------------------- Flush DNS W7 -------------------------------------------------------

# Flush DNS W7
ipconfig /flushdns