iOS Apps that support automation

This is a list of some of the iOS apps I use that are actually useful and become even more powerful when combined with the Workflow app.

Apps that support x-callback-url or at least a URL scheme.

 

Pythonista: write and execute Python scripts right on iOS.

Today: helps you build and keep track of your habits.

WaterMinder: keep track of your daily water intake.

RemoteBoot WOL: start a computer via "wake on LAN".

Anki: a great flashcard app.

Things: a to-do list app that's better than Apple's native one.

 

You can find some more on the following links; they might, however, not be as useful.

 

Apps with Siri shortcuts (for the Siri Shortcut app).

None yet. We will see the first ones once iOS 12 comes out.

Making “CMS Made Simple” GDPR Compliant

Please note: these might not be all the required steps. These are just the steps I have found to work for me.

 

In the database

Open the database for your "CMS Made Simple" instance and type

select * from cms_templates where template_content like '%fonts.googleapis.com%';

to check whether there is a template violating the GDPR.

 

Now all you have to do is change the CSS. You could do that with an SQL UPDATE or with the database administration tool of your choice.

What I did is change the URL from fonts.googleapis.com to GDPRVIOLATION-GOOGLE-FONTSAPI. This way it fails to load in the browser, which makes it GDPR compliant, and in the future, when there is a knock-off Google Fonts server available in Europe, we can just point the URL at that one instead.

 

On the filesystem

Since "CMS Made Simple" caches the template CSS on disk, we need to remove it there as well so the CMS can refresh our modified CSS.

Caching is done in the directory tmp.

Delete every file in tmp/templates_c and tmp/cache. DO NOT REMOVE THE DIRECTORIES.
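The cache cleanup above is easy to get wrong with rm -rf, which takes the directories with it. The following script is an added example and not part of the original post: it deletes only the files below the two cache directories, lists cached templates that still reference fonts.googleapis.com (the filesystem counterpart of the SQL check), and confirms the directories survived. It assumes the CMS root is passed as the first argument and that the cache lives in tmp/templates_c and tmp/cache below it, as the post describes.

```shell
#!/bin/sh
# Added example (not from the original post): clear the "CMS Made Simple"
# template cache without deleting the cache directories themselves.
# Assumes the CMS root is passed as $1 and that the cache lives in
# tmp/templates_c and tmp/cache below it, as the post describes.
set -eu

# Filesystem counterpart of the SQL check: list cached template files that
# still reference fonts.googleapis.com (empty output means none).
find_google_fonts_refs() {   # $1 = CMS root
    grep -rl 'fonts.googleapis.com' "$1/tmp/templates_c" 2>/dev/null || true
}

# Delete only regular files below the cache directories; the directories
# (and any subdirectories) stay in place, which the CMS expects.
clear_cms_cache() {          # $1 = CMS root
    for sub in tmp/templates_c tmp/cache; do
        dir="$1/$sub"
        if [ ! -d "$dir" ]; then
            echo "missing cache directory: $dir" >&2
            return 1
        fi
        # -type f restricts the delete to files; "rm -rf $dir" would also
        # remove the directory itself.
        find "$dir" -type f -delete
    done
}

# Number of regular files left below a directory (to confirm the result).
count_files() {              # $1 = directory
    find "$1" -type f | wc -l | tr -d ' '
}

# Stand-alone demo on a constructed directory layout: sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/tmp/templates_c/sub" "$demo/tmp/cache"
    printf 'url(https://fonts.googleapis.com/css)' > "$demo/tmp/templates_c/a.php"
    : > "$demo/tmp/templates_c/sub/b.php"
    : > "$demo/tmp/cache/c.cache"
    echo "templates still loading Google Fonts:"; find_google_fonts_refs "$demo"
    clear_cms_cache "$demo"
    echo "files left: $(count_files "$demo/tmp")"
    [ -d "$demo/tmp/templates_c/sub" ] && echo "directories kept"
    rm -rf "$demo"
fi
```

Run it with --demo to see the behaviour on a scratch tree; on a real install pass the CMS root and call clear_cms_cache from the shell, or check the output of find_google_fonts_refs first to see whether the cache still holds the old URL.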

Install Kali in 1&1 Cloud

Note

I wrote this article to help my future self get this done faster next time. I make it public hoping it might be helpful for someone else as well.

Why would I do that?

To somehow find a way to make money with it, of course.

 

Installation

  • Set up a cloud server with the properties you want it to have
  • Insert the Kali ISO file into the virtual "DVD drive"
  • Start the server
  • Open the KVM console
  • In the GRUB menu select "graphical install"
  • Select what you normally would, but be careful at the following points
    • Network
      • To access the network, more manual configuration has to be made; skip this for now
    • Mirrors
      • Since the network has not been configured yet, validating the mirror will fail; just skip this point for now
  • After the installation shut down, remove the ISO image and start the server

Configure Network (and internet access)

  • In the file /etc/resolv.conf we need to configure a DNS server. Add a line with "nameserver 8.8.8.8" (or change the IP for a different name server)
  • In the file /etc/network/interfaces add the following lines (note the keyword is "inet", not "net"; replace YOURSERVERPUBLICIP with the server's public address):

    auto eth0
    iface eth0 inet static
    address YOURSERVERPUBLICIP
    gateway 10.255.255.1
    pointopoint 10.255.255.1

  • Restart the eth0 interface by typing "ifconfig eth0 down && ifconfig eth0 up" into a shell

 

Configure Mirrors (so updates will work)

  • In the file /etc/apt/sources.list add the following lines
    deb http://http.kali.org/kali kali-rolling main non-free contrib
    deb-src http://http.kali.org/kali kali-rolling main non-free contrib
  • Now type "apt-get update" to fetch the package lists from the newly added repositories
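The three configuration steps above (DNS, interfaces, APT sources) are the ones easiest to mistype on a KVM console, and a typo in /etc/network/interfaces leaves the server unreachable. The script below is an added example, not part of the original article: it writes the same three files from the values in the post, validates the public IP before it touches the interfaces file, and keeps a backup of each file it overwrites. It assumes the interface is eth0 and the gateway 10.255.255.1 as above, and takes the target root from the ROOT variable (default: the real filesystem) so it can be dry-run against a scratch directory.

```shell
#!/bin/sh
# Added example (not part of the original article): write the network, DNS
# and APT configuration from the steps above in one go, with a validity
# check on the public IP and a backup of every file before it is touched.
# Assumptions: interface eth0 and gateway 10.255.255.1 as in the post; the
# target root comes from ROOT (defaults to /) so the script can be dry-run
# against a scratch directory.
set -eu

# Accept only a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {           # $1 = candidate address
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { bad = 1; exit }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) { bad = 1; exit }
        }
        END { exit bad }'
}

# Keep a timestamped copy of a file before overwriting it (no-op if absent).
backup_file() {          # $1 = file
    [ -f "$1" ] && cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)" || true
}

write_dns() {            # $1 = root, $2 = nameserver address
    backup_file "$1/etc/resolv.conf"
    mkdir -p "$1/etc"
    printf 'nameserver %s\n' "$2" > "$1/etc/resolv.conf"
}

write_interfaces() {     # $1 = root, $2 = public IP of the server
    valid_ipv4 "$2" || { echo "not an IPv4 address: $2" >&2; return 1; }
    mkdir -p "$1/etc/network"
    backup_file "$1/etc/network/interfaces"
    cat > "$1/etc/network/interfaces" <<EOF
auto eth0
iface eth0 inet static
    address $2
    gateway 10.255.255.1
    pointopoint 10.255.255.1
EOF
}

write_apt_sources() {    # $1 = root
    mkdir -p "$1/etc/apt"
    backup_file "$1/etc/apt/sources.list"
    cat > "$1/etc/apt/sources.list" <<'EOF'
deb http://http.kali.org/kali kali-rolling main non-free contrib
deb-src http://http.kali.org/kali kali-rolling main non-free contrib
EOF
}

# Stand-alone usage: ROOT=/tmp/scratch sh thisscript.sh 203.0.113.10
if [ $# -eq 1 ]; then
    root=${ROOT:-}
    write_dns "$root" 8.8.8.8
    write_interfaces "$root" "$1"
    write_apt_sources "$root"
    echo "configuration written below '${root:-/}'; now run:"
    echo "  ifconfig eth0 down && ifconfig eth0 up && apt-get update"
fi
```

Run it first with ROOT pointing at an empty directory and inspect the generated files; only then run it without ROOT on the server. 203.0.113.10 in the usage line is a documentation address, not a real server.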

 

Finally

Have fun & make money!

Making Servers And Websites Stand Hacker Attacks

Introduction

I recently got a comment from someone asking how to defend against hacker attacks. So here is a post with some of my thoughts on that matter.

General Information

First of all, it's important to note that in some articles the author makes a distinction between saying "hacker" and "cracker". The difference would be that a hacker is hacking things like servers, phones, websites and so on to show the weaknesses and to help both the owner and society become more conscious of the problems associated with modern technology and how to protect against them. While the cracker is also hacking systems, he is more focused on the criminal aspect, like stealing account passwords or even money from your bank account. For simplicity I will not make such a distinction in this article.

 

In order to know how we can protect against hacker attacks we must first understand two things.

  • Why would anyone want to hack a system?
  • How can a system be hacked?

The why question is a rather simple one. The answer is very similar, if not equal, to that in the real, physical world. It's one or a combination of these: for fun, for profit (stealing money), and probably many more.

The how question requires a little knowledge of the system. The Hollywood style where no hack seems to be impossible is of course bullshit. There are pretty good mechanisms in today's technology that prevent hacking attacks. Notable exceptions are industrial automation and CCTV; those are very, very easy to hack for someone with even moderate skill (if you want to know more about that, just visit the DEFCON YouTube channel).

 

Making systems hacker proof

Well, forget about hacker proof; you can only make it harder, not impossible.

Your Website

  • Use an encrypted connection to your website. If you don't, everyone can just sniff your network traffic and read the password. Those connections are usually indicated by the browser with a lock symbol next to the website address. In order to encrypt your website you will have to get a TLS certificate, which can cost quite some money. A free alternative is Let's Encrypt; I suggest you check that out.
  • Use strong passwords. Well, that one is obvious: the more characters in a password, the more time it would take to find the password by trying all possible variations. Also, if your password can be found in a dictionary, it will be found. You should also avoid very common passwords like "love" or "12345" and so on. It is also recommended that you use one password for one service or website. You could even go to the extreme and change a password every X months. However, that is not practical. My personal opinion is that it's OK to have multiple passwords for one kind of service, for example one for all social media, one for all online banking and so on, provided those passwords are changed regularly and combined with one-time passwords.
  • Use one-time passwords whenever possible. Remember the last time you did some online banking (and I'm not speaking of PayPal, I mean the old-fashioned kind)? You most likely got a unique number sent to your phone by SMS. Well, you can install an OTP plugin in your CMS too. The advantage here is that even if someone gets hold of your password, he still needs to know a unique number which is generated by an app on your phone, so only you can know it. Google Authenticator is one such app.
  • You should also update your website frequently to get the most recent security fixes. Now, some CMSs have an auto-update feature. The advantage here clearly is that you don't have to do anything to get the newest version... except when the auto-update fails. So my suggestion would be to not use this feature and instead update manually.
  • Automatic backups are definitely a great idea, as frequent as possible. Manual backups do not work because you can't do a backup by hand every day.


Your Linux Server

When it comes to your Linux server there is an overwhelming number of options. I do however suggest not to overdo it, because the more security layers you add, the harder overall management will get. Usability usually suffers from security, so weigh that out very carefully: you don't want to get hacked, yet you want a system that's usable.

Here are some thoughts you could start with:

  • Brute-force protection (also read: Fail2Ban)
  • Disable network services you don't need
  • Regular automated backups
  • Get the file permissions right
  • Only install software from trusted sources. Every Linux distribution has its own repository; it's like the App Store for servers. It usually has everything you need.
  • When installing new software, search for specific security considerations.

If you're more advanced and want to have even better security you could also do these things:

  • Install a sandbox like AppArmor
  • Run regular integrity tests (make and compare checksums of files to see what a hacker might have changed)
  • If you run regular server integrity tests with cron and get the results via email, those emails would be sent in plain text for everyone to read, including the hacker who wants to hack your server. So my suggestion here would be to use either GPG or S/MIME to encrypt those confidential emails. (Also read: Encrypting cron emails with S/MIME or Encrypting cron emails with GPG)
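The integrity test in the list above is simple to build from the tools already on a Debian or Ubuntu server. The script below is an added example and not from the original post: it records a baseline of SHA-256 checksums for a directory tree and later reports every file that was modified, deleted or added since. It assumes GNU coreutils (sha256sum, comm) and that the baseline file is stored where an attacker who can alter the checked tree cannot also rewrite it (another host, or read-only media); otherwise the comparison proves nothing.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal file-integrity
# check. take_baseline records SHA-256 sums once; verify_baseline compares
# the tree against that record and names modified, deleted and added files.
# Assumes GNU coreutils (sha256sum, comm). Keep the baseline file somewhere
# the checked system cannot rewrite it.
set -eu

# Record "<sha256>  ./path" for every regular file below $1, sorted by path.
take_baseline() {        # $1 = directory, $2 = baseline file to write
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k2 > "$2"
}

# Print one line per difference between the tree $1 and the baseline $2:
# "MODIFIED ./path", "DELETED ./path" or "ADDED ./path". Empty = unchanged.
integrity_diff() {       # $1 = directory, $2 = baseline file
    dir=$1
    baseline=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    # sha256sum -c prints "<path>: FAILED" for a changed file and
    # "<path>: FAILED open or read" for a missing one; --quiet drops the OK
    # lines. Its non-zero exit status is expected and ignored here.
    ( cd "$dir" && sha256sum -c --quiet "$baseline" 2>/dev/null ) | awk -F': ' '
        /: FAILED open or read$/ { print "DELETED " $1; next }
        /: FAILED$/              { print "MODIFIED " $1 }'
    # Added files: paths present in the tree now but not in the baseline.
    old=$(mktemp); new=$(mktemp)
    sed 's/^[0-9a-f]*  //' "$baseline" | LC_ALL=C sort > "$old"
    ( cd "$dir" && find . -type f ) | LC_ALL=C sort > "$new"
    LC_ALL=C comm -13 "$old" "$new" | sed 's/^/ADDED /'
    rm -f "$old" "$new"
}

# Returns 0 if the tree matches the baseline, otherwise prints the
# differences and returns 1 (so a cron job can mail only on changes).
verify_baseline() {      # $1 = directory, $2 = baseline file
    report=$(integrity_diff "$1" "$2")
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Stand-alone usage:
#   sh thisscript.sh baseline /etc /var/lib/integrity.sha256
#   sh thisscript.sh verify   /etc /var/lib/integrity.sha256
case ${1:-} in
    baseline) take_baseline "$2" "$3" ;;
    verify)   verify_baseline "$2" "$3" ;;
esac
```

Because verify_baseline prints nothing when the tree is unchanged, the cron job it runs in produces no mail on quiet days; when it does produce output, that output is exactly the kind of report the following bullet says should be encrypted before it leaves the server.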

 

Remember: Linux server security is way too large a subject to fit on one website. I encourage you to continue researching this topic across the entire internet.

 

Your Windows Server

Don't use a Windows server if security is an issue. A Linux server might seem very complicated to maintain at the beginning, and I promise you that won't change with time. But it's definitely the more secure of the two.

Go for Windows if you don't know Linux and don't want to spend time on that. Windows is way easier to maintain, and the licence cost isn't so bad compared with the time you spend on Linux servers.

Encrypting cron emails with S/MIME

Introduction

You might have your server set up in such a way that it runs a few tasks with cron so you don't have to worry about them. Except... you should. That is, if the scheduled tasks send mission-critical information over the internet. Now assume you have some kind of security audit software running, like say lynis. You sure don't want that report in the wrong hands, since an attacker could really use that information to break into your server way more easily than otherwise.

Assumptions

  • You have an S/MIME certificate
  • You have root access to your Linux web server
  • Your server runs on a recent Ubuntu

Encrypting

There are basically two ways of encrypting emails: one is GPG and the other is S/MIME. Refer to Encrypting cron emails with GPG if you prefer GPG. If you don't know GPG, I highly recommend checking that out as well, since I personally consider it way more secure.

  1. Upload your S/MIME certificate to /home/smime.pem
  2. Create a file /home/smimecron.sh with the following content
    #!/bin/sh
    # Encrypt whatever arrives on stdin for $emailTo and hand it to sendmail.
    emailTo=example@example.com
    emailFrom=example@example.com
    # ifne (from moreutils) only runs openssl when there is input; the second
    # ifne keeps sendmail from sending an empty message in that case.
    ifne /usr/bin/openssl smime -encrypt -text -from "$emailFrom" -to "$emailTo" -subject cronlog /home/smime.pem | ifne sendmail "$emailTo"
  3. Make the script executable: chmod a+x /home/smimecron.sh
  4. For this script to work we need the program ifne installed. Usually, if a command has no output on /dev/stdout or /dev/stderr, openssl would encrypt an empty string and you would receive an encrypted email that has no content once decrypted. This would be annoying; ifne prevents this. To install it run
    apt-get install moreutils
  5. Add the line SMIME_CMD = /home/smimecron.sh somewhere at the top of your /etc/crontab
  6. Now you can use it by adding | $SMIME_CMD after a command, something like this:
    * * * * * root echo "test" | $SMIME_CMD


  7. WARNING: Everyone with write access to /home/smimecron.sh could GAIN ROOT ACCESS. So make sure only root can write to it.

Fail2Ban Report

Introduction

See where the Attacks against your server come from.

 

Report Layout

The Report will look something like this:

------------------------------------------------------
Server attack statistics for the SSH service

Count, IP, Country
37   121.18.238.104  CN, China
42   221.194.44.231  CN, China
37   221.194.47.208  CN, China
42   221.194.44.195  CN, China
9    180.140.162.115 CN, China
38   121.18.238.98   CN, China
44   221.194.47.224  CN, China
11   180.140.161.30  CN, China
35   121.18.238.114  CN, China
42   121.18.238.109  CN, China
31   119.249.54.71   CN, China
38   221.194.47.249  CN, China
8    91.197.232.109  RU, Russian Federation
36   221.194.44.224  CN, China
14   59.63.166.83    CN, China
16   222.47.26.17    CN, China
------------------------------------------------------

 

Report Script

https://gist.github.com/philippmayrth/9f5b140e3f9dfe56eeaabe09d3e59a3b
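The gist linked above is not reproduced here. As an added example (my own, not the report script from the gist), the following shell functions produce the "Count, IP" part of the report from the lines fail2ban writes to /var/log/fail2ban.log, counting Ban events per source address for one jail and ignoring Unban lines and other jails. The country column needs a GeoIP database and is left out. The demo log lines are constructed, using documentation addresses from RFC 5737 rather than real attackers.

```shell
#!/bin/sh
# Added example (not the script behind the gist above): count how often each
# source address was banned by a fail2ban jail, i.e. the "Count, IP" columns
# of the report. Reads the line format of /var/log/fail2ban.log; the country
# column needs a GeoIP database and is not produced here.
set -eu

# Print "count ip" for every address banned by the given jail (default
# sshd), most frequently banned first. Unban lines and other jails are
# ignored; the address is the last field of a Ban line.
ban_counts() {           # $1 = fail2ban log file, $2 = jail name
    jail=${2:-sshd}
    awk -v jail="$jail" '$0 ~ ("\\[" jail "\\] Ban ") { print $NF }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Wrap the counts in the header/footer layout of the report above.
print_report() {         # $1 = fail2ban log file, $2 = jail name
    jail=${2:-sshd}
    echo "------------------------------------------------------"
    echo "Server attack statistics for the $jail service"
    echo
    echo "Count, IP"
    ban_counts "$1" "$jail"
    echo "------------------------------------------------------"
}

# Stand-alone demo on constructed log lines: sh thisscript.sh --demo
# (addresses are from the RFC 5737 documentation ranges, not real sources)
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    cat > "$demo" <<'EOF'
2018-05-01 10:00:01,123 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7
2018-05-01 10:10:01,456 fail2ban.actions [1234]: NOTICE [sshd] Unban 203.0.113.7
2018-05-01 10:12:09,789 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.23
2018-05-01 11:00:01,123 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7
2018-05-01 11:30:44,001 fail2ban.actions [1234]: NOTICE [apache-auth] Ban 203.0.113.9
2018-05-01 12:00:01,123 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7
EOF
    print_report "$demo"
    rm -f "$demo"
fi
```

On a server, print_report /var/log/fail2ban.log sshd gives the daily numbers; the same output piped through the encrypted-mail helpers from the cron articles on this page keeps the list of sources out of plain-text email.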

Encrypting cron emails with GPG

Introduction

You might have your server set up in such a way that it runs a few tasks with cron so you don't have to worry about them. Except... you should. That is, if the scheduled tasks send mission-critical information over the internet. Now assume you have some kind of security audit software running, like say lynis. You sure don't want that report in the wrong hands, since an attacker could really use that information to break into your server way more easily than otherwise.

 

Assumptions

  • You are familiar with GPG
  • You have root access to your Linux web server
  • Your server runs on a recent Ubuntu
  • Cron is already configured to send emails

 

Encrypting

There are basically two ways of encrypting emails: one is GPG and the other is S/MIME. We will be using GPG. Further, this article assumes you are familiar with GPG.

 

  1. Upload your public key (ending in .asc) to your server; /home is a good place.
  2. So that the key can actually be read by the command we will be using, it has to be slightly modified. To be precise, the ASCII armor has to be removed; we need the key in binary form. This is achieved by the following command.
    gpg --dearmor < /home/YOURPUBLICKEY.asc > /home/YOURPUBLICKEY.asc.gpg
  3. Add this line at the top of your /etc/crontab just after MAILTO=you@example.de. You need to replace the email address and the public key path.
    GPG_CMD = "ifne /usr/bin/gpg --batch --armor --trust-model always --no-default-keyring --keyring /home/YOURPUBLICKEY.asc.gpg --recipient you@example.de --encrypt"
  4. For this command to work we need the program ifne installed. Usually, if a command has no output on /dev/stdout or /dev/stderr, gpg would encrypt an empty string and you would receive an encrypted email that has no content once decrypted. This would be annoying; ifne prevents this. To install it run
    apt-get install moreutils
  5. Now in /etc/crontab you can simply pipe the output to gpg and enjoy encrypted emails. Note the $ in front of GPG_CMD: cron hands the line to /bin/sh, which expands the variable set in step 3.
    * * * * * root /bin/echo "gpg test" | $GPG_CMD


If you want a more in-depth understanding of what is going on here, I suggest you read this article as well. This is also where some of the inspiration for the exact gpg parameters came from.
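Two details carry both the S/MIME and the GPG setup above: the helper must not emit an encrypted mail when the cron job had no output (the job ifne does), and a helper that /etc/crontab runs as root must be writable by root alone (the warning at the end of the S/MIME article). The script below is an added example, not code from either article: run_if_nonempty is a plain-sh stand-in for ifne, useful for testing without moreutils and for understanding what ifne does, and cron_helper_is_safe refuses a helper file that is owned by anyone other than the expected owner or is group- or world-writable. It assumes GNU stat (Linux) for the permission check.

```shell
#!/bin/sh
# Added example, not from the original posts. Two checks the S/MIME and GPG
# cron articles above rely on: (1) do not encrypt and mail when the cron job
# produced no output (what ifne from moreutils does), and (2) a helper that
# /etc/crontab runs as root must be writable by root only.
# Assumes GNU stat (Linux) for the permission check.
set -eu

# Stand-in for ifne: buffer stdin and run the given command on it only if at
# least one byte arrived. Returns the command's status, or 0 if nothing ran.
run_if_nonempty() {      # $@ = command to run on non-empty input
    buf=$(mktemp)
    cat > "$buf"
    status=0
    if [ -s "$buf" ]; then
        "$@" < "$buf" || status=$?
    fi
    rm -f "$buf"
    return "$status"
}

# Refuse a helper that someone other than the expected owner could edit:
# it must belong to $2 (default root) and must not be group- or
# world-writable. Returns 0 if safe, 1 with a reason on stderr otherwise.
cron_helper_is_safe() {  # $1 = helper path, $2 = expected owner
    want=${2:-root}
    owner=$(stat -c '%U' "$1")
    perm=$(stat -c '%A' "$1")      # e.g. -rwxr-xr-x
    if [ "$owner" != "$want" ]; then
        echo "$1: owned by $owner, expected $want" >&2
        return 1
    fi
    case $perm in
        ?????w*|????????w*)        # group write is char 6, other write char 9
            echo "$1: writable by group or others ($perm)" >&2
            return 1 ;;
    esac
    return 0
}

# Stand-alone usage: sh thisscript.sh --check /home/smimecron.sh
# In a helper, the same pattern as the articles' ifne pipeline would be:
#   run_if_nonempty openssl smime -encrypt -text -to "$emailTo" /home/smime.pem \
#       | run_if_nonempty sendmail "$emailTo"
if [ "${1:-}" = "--check" ]; then
    cron_helper_is_safe "$2" && echo "$2 is root-owned and not group/world writable"
fi
```

The --check mode is meant to be run once after installing /home/smimecron.sh (and again after any edit), since chmod a+x from step 3 of the S/MIME article leaves the group and other write bits alone but says nothing about who owns the file.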

Server Authentication With Client Certificate X.509

Introduction

Basics of setting up certificate based authentication on Apache.

 

Assumptions

Your server is already configured to use SSL/TLS. This is required because the browser refuses to use its certificate for authentication over an insecure connection.

 

Creating all the files we need

WARNING: Further investigation has to be made as to whether this is the optimal way.

WARNING: The key sizes and expiration dates must be adjusted to suit your needs.

 

Create the CA

openssl genrsa -out CA.key 2048
openssl req -x509 -new -nodes -key CA.key -days 7300 -out CA.pem

Create a signing request and sign it with the CA private key

openssl genrsa -out alice.key 2048
openssl req -new -key alice.key -out alice.csr
openssl x509 -sha256 -req -in alice.csr -out alice.crt -CA CA.pem -CAkey CA.key -CAcreateserial -days 1095

Convert alice.crt to alice.p12 so a browser knows what to do with it. (Note: on Safari the .p12 file has to have a password for the import to work)

openssl pkcs12 -export -clcerts -in alice.crt -inkey alice.key -out alice.p12

Convert the .p12 to .pem so tools like curl can use it

openssl pkcs12 -in alice.p12 -out alice.pem -clcerts
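The commands above are interactive (each openssl req prompts for a subject) and they do not verify the result. The script below is an added example, not the post's own commands: it runs the same steps non-interactively, marks the client certificate for client authentication only (basicConstraints CA:FALSE, extendedKeyUsage clientAuth), and then performs the two checks a practitioner wants before handing a certificate out: that alice.crt verifies against CA.pem and that it carries the clientAuth usage. All files go into the directory given as the first argument; the subject names, validity periods and the .p12 password "changeit" are constructed placeholders. Note that, unlike the post's last command, the curl bundle is written with -nodes (unencrypted key), so it must be protected by file permissions.

```shell
#!/bin/sh
# Added example (not the post's own commands): the certificate steps above
# run non-interactively, plus verification of the issued client certificate.
# All files live in the directory passed as $1; subject names, validity
# periods and the .p12 password "changeit" are constructed placeholders.
set -eu

make_ca() {              # $1 = output directory
    mkdir -p "$1"
    openssl genrsa -out "$1/CA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha256 -days 3650 \
        -key "$1/CA.key" -subj "/CN=Example Client CA" -out "$1/CA.pem"
}

make_client() {          # $1 = directory, $2 = user name (e.g. alice)
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
    # Restrict the issued certificate to client authentication and forbid it
    # from acting as a CA; without an extfile, x509 -req adds no extensions.
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' \
        > "$1/client-ext.cnf"
    openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
        -CA "$1/CA.pem" -CAkey "$1/CA.key" -CAcreateserial \
        -extfile "$1/client-ext.cnf" -out "$1/$2.crt" 2>/dev/null
    # Browser bundle (Safari needs a non-empty password) ...
    openssl pkcs12 -export -clcerts -in "$1/$2.crt" -inkey "$1/$2.key" \
        -passout pass:changeit -out "$1/$2.p12"
    # ... and the PEM bundle for curl -E. -nodes leaves the key unencrypted,
    # so restrict the file to its owner.
    openssl pkcs12 -in "$1/$2.p12" -passin pass:changeit -clcerts -nodes \
        -out "$1/$2.pem"
    chmod 600 "$1/$2.pem" "$1/$2.key"
}

# Returns 0 only if the certificate chains to CA.pem and is marked for
# client authentication (what Apache's SSLVerifyClient require expects).
verify_client() {        # $1 = directory, $2 = user name
    openssl verify -CAfile "$1/CA.pem" "$1/$2.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Stand-alone usage: sh thisscript.sh ./pki alice
if [ $# -eq 2 ]; then
    make_ca "$1"
    make_client "$1" "$2"
    verify_client "$1" "$2" && echo "$2.crt verifies against CA.pem and allows clientAuth"
fi
```

After running it, the files CA.pem, alice.p12 and alice.pem map directly onto the Apache and curl steps that follow; a certificate issued by a different CA fails verify_client, which is the same condition under which Apache will reject the client.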

 

Configuring Apache

Copy your CA.pem to a file readable by Apache. In my case it is /home/CA.pem, but this might differ on your server.

In your virtual host configuration file add SSLCACertificateFile and SSLVerifyClient as shown below.

<IfModule mod_ssl.c>
<VirtualHost *:443>

    SSLCACertificateFile /home/CA.pem
    SSLVerifyClient require


# ..... your additional configuration here
# .....

</VirtualHost>
</IfModule>


Finally… we can use it

To use the certificate with curl

curl -E alice.pem https://restricted.example.de

 

To install in Safari on a Mac, just double-click the .p12 file and follow the instructions.

To install on iOS, the file can be sent by email (messengers don't work) and installed by tapping on it and following the instructions. If the file is considered a production file it should NOT be sent over the internet; instead plug in a USB cord and transfer it via iTunes.

 

Change OS on the Fly

How to change the OS of your Raspberry Pi while it is running.

WARNING: This guide is incomplete

 

  1. Download Raspbian from https://www.raspberrypi.org/downloads/raspbian/
  2. Burn the image to a spare SD card
  3. Boot the Pi with it and SSH into it
  4. Download Ubuntu Core from http://cdimage.ubuntu.com/ubuntu-core/16/stable/current/ubuntu-core-16-pi3.img.xz
  5. Running fdisk -l and fdisk -l ubuntu-core-16-pi3.img shows that the Raspbian boot partition has only 63 MiB while Ubuntu Core needs 128 MiB here.

 

There are basically two ways of installing another OS while the RPi is running.

One is overriding the boot and root partitions, and the other is overriding their contents. Overriding the contents will leave a lot of artefacts on the system but might be easier to implement, and those artefacts can be removed in subsequent updates.

Overriding the partitions themselves, maybe even recreating them, is damn complicated. While it is easy for the boot partition, the root partition is of type EXT4, which means it can't be unmounted while it is in use. Now it is neither fun nor possible to SSH into a machine, stop the SSHD and the other services which are using the partition (basically locking yourself out) and THEN shrink the partition. So one way around this would be to use the boot process itself to shrink the partition while it is not yet mounted. This might work with the cmdline.txt on the /boot partition; however, I'm not sure which tools are available then: running a simple "which fdisk" gives /sbin/fdisk, so that's on the root partition and not usable during the boot process. A way around this would probably be to use a custom initrd.img that supplies the needed tools and do the partitioning with that.

 

This is basically the point where I don't yet have a satisfying solution. If you know a better way, let me know.


Boot process

http://elinux.org/RPi_Software#Overview

 

LED meanings during boot process

Red LED on: Power OK

Red LED blink or off: Problem with Power

Green LED off: bootloader.bin not found. Make sure there is a FAT32 partition with that file on the SD card. It is interesting to note that the RPi does not use an MBR (Master Boot Record); instead the firmware (in the SoC or GPU?) looks for the first FAT32 partition and looks for the bootloader.bin file there. This means that nothing nasty has to be placed at a specific disk sector; the file can just be copied over, which is nice.

Green LED blinks 5 times periodically: bootloader.bin found. Problems with the next stage (missing or invalid?) start.elf.

Green LED blinks 7 times periodically: kernel.img not found.

Green LED blinks 2 times, only once on startup: (fixup.dat or cmdline.txt or config.txt not found? / everything OK, turning off the LED to use it as an SD card access indicator later?)

 

Helpful links

RPi boot error led blink codes: http://www.techradar.com/how-to/computing/how-to-fix-raspberry-pi-boot-problems-1310697/2

https://www.tummy.com/blogs/2007/07/30/reducing-the-size-of-your-root-partition/