Are You Secure?

I was commenting on the seeming madness and complexity of our work firewall design recently:

We just drew a network diagram on the wall of just our firewalls, 12’ wide, 6’ tall… at the end, I jumped up and yelled “THE ARISTOCRATS”. Seemed required.

And someone asked “are you secure?”. Now, I could go with what we tell management - that we’re as secure as budgets allow - or a variety of other answers. This time, full objective honesty seemed to rule.

[Read More]

Filename wrangling fun

I learnt some new things today about how to deal with filenames in bash.

$ touch foo
$ ls foo*
foo
$ mv foo{,z}
$ ls foo*
fooz

Alternatively…

$ touch foo{1,2,3}
$ ls foo*
foo1 foo2 foo3
$ find . -name "foo*" -exec mv {}{,old} \;
$ ls foo*
foo1old	foo2old	foo3old

Silliness, I know. But handy when you want to rename a bunch of things, or just rename one without messing it up.

[Read More]
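The brace-expansion rename above works, but `find -exec mv {}{,old}` relies on GNU find substituting `{}` inside a word, and plain `mv` will happily overwrite an existing target. Here is an added example (not code from the original post) of the same "append a suffix" rename as a function that copes with names containing spaces or starting with "-" and refuses to clobber anything; the function name `add_suffix` and the demo file names are assumptions.

```shell
# Added example, not from the original post: a rename helper that keeps the
# "add a suffix" idea from the brace-expansion trick above but copes with
# names containing spaces and names that start with "-". The function name
# add_suffix and the demo file names are assumptions.

# add_suffix SUFFIX FILE...: rename each FILE to FILE+SUFFIX, never overwriting
add_suffix() {
  local suffix=$1 f
  shift
  for f in "$@"; do
    # refuse to overwrite: GNU "mv -n" would skip silently and still exit 0
    if [ -e "$f$suffix" ]; then
      echo "add_suffix: $f$suffix already exists, not touching $f" >&2
      return 1
    fi
    # "--" stops mv reading a name like "-n" as an option
    mv -- "$f" "$f$suffix" || return 1
  done
}

# demo: create foo1 foo2 foo3 and "foo 4" in a scratch directory, rename them
# with the suffix "old" and list the result (run with: sh thisfile.sh demo)
demo() {
  local d
  d=$(mktemp -d)
  ( cd "$d" && touch foo1 foo2 foo3 'foo 4' && add_suffix old foo* && ls -1 )
  rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

The quoting of `"$f"` and `"$f$suffix"` is what keeps `foo 4` as one argument; the glob `foo*` is expanded by the shell before the function runs, so the loop body never re-splits the names.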

Loopback swap files

Setting up a loopback swap file is something I do fairly commonly on my virtual servers - RAM costs extra money - whereas SSD storage is common and included! Repartitioning’s too much messing around on DigitalOcean, so I set up a loopback file and it just works.

Here are the commands to make a 2GB file (change count for different sizes):

yaleman@server:~# sudo dd if=/dev/zero of=/swap.img bs=1024 count=2097152
2097152+0 records in
2097152+0 records out
2147483648 bytes (2.1 GB) copied, 9.69851 s, 221 MB/s
yaleman@server:~# sudo chmod 0600 /swap.img
yaleman@server:~# sudo mkswap /swap.img
Setting up swapspace version 1, size = 2097148 KiB
no label, UUID=a78f6315-aba5-4d88-bb67-211f1a0c5e56

Edit the filesystem table:

[Read More]
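The loopback swap steps above as one script, added here as an example and not taken from the original post. It keeps the dd/chmod/mkswap order and adds the check a practitioner wants before enabling the file: swap holds whatever was paged out of RAM (keys, passwords, session data), so the file must be a regular file with mode 0600. The path, size, and function names are assumptions.

```shell
# Added example, not from the original post: the steps above wrapped in a
# script, plus a check that the swap file has the permissions it needs.
# Path, size and function names are assumptions.

SWAPFILE=${SWAPFILE:-/swap.img}
SIZE_MB=${SIZE_MB:-2048}     # 2048 x 1 MiB = the 2 GB file from the post

# swapfile_mode_ok FILE: succeed only if FILE is a regular file with mode 0600
swapfile_mode_ok() {
  local f=$1 mode
  [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
  mode=$(stat -c %a "$f")        # GNU stat: octal permission bits
  [ "$mode" = 600 ] || { echo "$f: mode $mode, expected 600" >&2; return 1; }
}

# make_swapfile: create, lock down, format and enable the swap file (root only)
make_swapfile() {
  [ "$(id -u)" -eq 0 ] || { echo "make_swapfile: run as root" >&2; return 1; }
  # same idea as the dd in the post, with 1 MiB blocks so count is the size in MiB
  dd if=/dev/zero of="$SWAPFILE" bs=1M count="$SIZE_MB" status=none
  chmod 0600 "$SWAPFILE"
  swapfile_mode_ok "$SWAPFILE" || return 1
  mkswap "$SWAPFILE"
  swapon "$SWAPFILE"
  # make it survive a reboot; this is the usual fstab line for a swap file
  grep -q "^$SWAPFILE " /etc/fstab || echo "$SWAPFILE none swap sw 0 0" >> /etc/fstab
  swapon --show
}

if [ "${1:-}" = --run ]; then make_swapfile; fi
```

`swapfile_mode_ok` is also a reasonable thing to run from a periodic audit job: a swap file that has drifted to 0644 is readable by every local user.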

CAPSMAN info dump

I was asked by a friend to give a quick rundown on Mikrotik CAPSMAN configuration, so I dumped the config and added some notes. :)

Packages

I’m currently running v6.38 but was running about v6.2 only a week or so ago - make sure you have the “wireless” package enabled. Older RouterOS versions required the capsman-v2 package, which is now deprecated.

  > /sys package print
  Flags: X - disabled
   #   NAME                   VERSION
   0   routeros-mipsbe        6.38
   1   system                 6.38
   2   ipv6                   6.38
   3   wireless               6.38

If the wireless package shows an X, enable it (in this example /sys package enable 3), and remember you’ll need to reboot after enabling a package.

[Read More]

Domain LDAP listening check

A quick command for checking if your Active Directory servers are all listening on LDAP. Guess who had an issue with that today? :)

dig +short domainname.internal | xargs -I{} sudo /usr/sbin/hping3 -p 389 -q -c 1 {} 2>&1 | egrep "(transmitted|hping)"

You’ll need hping3 - it’s installable from apt-get on Debian, can’t comment about any other distributions.

A quick explanation for each part:

  • dig +short domainname.internal - pull the IPs of the hosts in the domain entry - they’ll be your domain controllers
  • sudo is required because hping uses raw sockets
  • xargs runs the next command on each input line
  • hping3 -p 389 - connect on TCP to the LDAP port
  • 2>&1 - redirect STDERR to STDOUT to make it more easily filtered
  • egrep - filter only the required lines

This’ll hit each server once and show an output like:

[Read More]
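An added example (not code from the original post) answering the same question, "is every domain controller listening on TCP 389?", with a full TCP connect instead of hping3's raw packets. That way no sudo is needed, and a successful open means the port really is accepting connections rather than just answering a probe. Function names and the default timeout are assumptions.

```shell
# Added example, not from the original post: per-host TCP connect check for
# the LDAP port, driven by the same "dig +short" lookup of the domain name.
# Function names and the default timeout are assumptions.

LDAP_PORT=389

# tcp_open HOST PORT [SECONDS]: succeed if a TCP connection can be opened
tcp_open() {
  local host=$1 port=$2 wait=${3:-3}
  # bash's /dev/tcp pseudo-files do the connect; timeout caps a silent host.
  # HOST and PORT are passed as arguments, not spliced into the command string.
  timeout "$wait" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
}

# check_hosts PORT HOST...: print "HOST open|closed" per host; fail if any closed
check_hosts() {
  local port=$1 h rc=0
  shift
  for h in "$@"; do
    if tcp_open "$h" "$port"; then
      echo "$h open"
    else
      echo "$h closed"
      rc=1
    fi
  done
  return $rc
}

# check_domain NAME: resolve NAME's A records (the DCs) and test each one
check_domain() {
  local ips
  ips=$(dig +short "$1" A | grep -E '^[0-9.]+$')   # IPv4 answers only, skip CNAMEs
  [ -n "$ips" ] || { echo "no A records for $1" >&2; return 2; }
  check_hosts "$LDAP_PORT" $ips
}

# usage: sh thisfile.sh domainname.internal
if [ -n "${1:-}" ]; then check_domain "$1"; fi
```

The non-zero exit from `check_hosts` when any controller is closed makes this easy to drop into a monitoring check; the per-line output tells you which one to go and look at.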