Factory reset LinkSys SPA942 from handset

Please do this only if instructed by your sysadmin or you know what you are doing. THIS WILL ERASE ALL YOUR CONFIGURATION DATA and YOUR PHONE WILL STOP WORKING. You would only want to do this if you want to completely reconfigure your phone.

1. Press the button under the button with the envelope (the button above the lit button in this picture – may not be lit on your phone)

2. Scroll down with the bottom of the scroll key to number 14

3. Press the Select button

4. Press OK to confirm the factory reset – ALL CONFIGURATION DATA WILL BE DELETED. YOUR PHONE WILL STOP WORKING.

5. This is what you see during the reset process.

When complete you can reconfigure the phone.

Setup pi-hole ad filter server on AWS in 2 minutes

We assume you have an AWS account (if not get one here https://aws.amazon.com/) and you know the basics on how to start an instance in AWS (https://aws.amazon.com/ec2/spot/spot-getting-started/).

  • Start an AWS instance of the type you want in the region of your choice (spot instances start at about US$1 per month; I use T3A.NANO or T4G.NANO)
  • Open the right ports in the AWS security group (at least TCP 80, 53, 443, 4711 and UDP 53 for an IPv4 server), and only for your own IP addresses. DO NOT OPEN THE SERVER FOR ALL. YOUR MACHINE WILL BE ABUSED VERY QUICKLY. (Some more info)
  • Use OS: Ubuntu 20.04 LTS
  • Assign fixed IP address (Elastic IP)
  • Log into the command line interface of your new server
  • Update with
    apt -y update && apt -y upgrade && reboot
  • Run
    curl -sSL https://install.pi-hole.net | bash
  • Follow the guided installation process. Suggested settings are fine. Although I disable IPv6, because I don’t want to use it. 
  • Take note of the admin password or change it with
    pihole -a -p
  • reboot
  • Ready to go
  • Assign the fixed public IP address to your computers as a DNS server and enjoy browsing with less ads (you can tweak pihole so it is even better at blocking the right stuff, but this is not a subject for this quick guide. Read https://pi-hole.net/ )
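A way to check the security-group rule just described (an added example written for this page, not part of Pi-hole or of any AWS tool): the script reads the JSON that aws ec2 describe-security-groups prints and lists every Pi-hole port that a rule exposes to anything wider than a single /32 or /128 source address. The sample group in SAMPLE_DESCRIBE_OUTPUT, including its group id, is constructed for the example; UDP 53 open to 0.0.0.0/0 is exactly the open-resolver case the warning above is about.

```python
"""Audit an EC2 security group for Pi-hole ports reachable from more than one host.

Added example, not part of the original guide or of any AWS tool. It reads the
JSON that `aws ec2 describe-security-groups --output json` prints and flags any
ingress rule that opens a Pi-hole port to a CIDR wider than a single address.
SAMPLE_DESCRIBE_OUTPUT is constructed for this example; the group id is fake.
"""
import ipaddress
import json
import sys

# The ports the guide says to open, as (protocol, port) pairs.
PIHOLE_PORTS = {("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 443), ("tcp", 4711)}

SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0example",
        "GroupName": "pihole",
        "IpPermissions": [
            # good: DNS only from your own address
            {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
            # bad: UDP 53 open to the internet, i.e. an open resolver
            {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # bad: web/admin ports open to a whole /24 and to all of IPv6
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            # not a Pi-hole port: ignored by this check
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        ],
    }]
})

def is_single_host(cidr):
    """True for a /32 (IPv4) or /128 (IPv6), the only shape the guide allows."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses == 1

def covered_pihole_ports(perm):
    """The (proto, port) pairs of PIHOLE_PORTS that one IpPermissions entry reaches."""
    proto = perm["IpProtocol"]
    if proto == "-1":  # "all traffic" rule: no FromPort/ToPort in the JSON
        return set(PIHOLE_PORTS)
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {(p, port) for p, port in PIHOLE_PORTS if p == proto and lo <= port <= hi}

def find_exposed_rules(describe_json):
    """Return sorted (group_id, proto, port, cidr) tuples for every Pi-hole port
    that a rule exposes to more than a single source address."""
    findings = []
    for group in json.loads(describe_json)["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            ports = covered_pihole_ports(perm)
            if not ports:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_single_host(cidr):
                    findings.extend((group["GroupId"], proto, port, cidr) for proto, port in ports)
    return sorted(findings)

if __name__ == "__main__":
    # Pass the saved describe-security-groups output as the first argument,
    # or run without arguments to audit the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DESCRIBE_OUTPUT
    for group_id, proto, port, cidr in find_exposed_rules(data):
        print(f"{group_id}: {proto}/{port} reachable from {cidr}")
```

To audit the real group, save the CLI output first (aws ec2 describe-security-groups --group-ids sg-xxxx --output json > sg.json) and run the script with sg.json as its argument; an empty result means every Pi-hole port is limited to single-host sources.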

The following is optional. You don’t need it, but I like to use my own caching name server, so I don’t have to use the public DNS servers. The reasoning for this is another discussion and I will not cover it here (see https://docs.pi-hole.net/guides/dns/unbound/ under “caching”).

  1. Install the DNS server on your pihole server
    apt install unbound -y
  2. Edit unbound configuration
    vim /etc/unbound/unbound.conf.d/pi-hole.conf
    A new file is created. Put the following into it:

    server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 6236
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server’s authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization, as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10


  3. Make unbound (the DNS server) start automatically
    systemctl enable --now unbound
  4. reboot
  5. Then log into the admin interface, go to Settings / DNS and add 127.0.0.1#6236 (the interface and port from the unbound configuration above) as a custom upstream DNS server. Disable the other public DNS servers, so that only your own caching DNS is used, and click save.
  6. Ready to go. 
  7. If you have a backup from a previous installation you can now go to the GUI / Settings / Teleporter and upload the backup file. I would also reboot after restoring the backup. 
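To confirm that an unbound configuration still has the properties the pi-hole.conf above relies on (a loopback-only listener, the DNSSEC hardening options, and private-address ranges), here is an added checker written for this page; it is not part of Pi-hole or unbound. The configuration embedded in SAMPLE_CONF is constructed, with two of the guide's settings deliberately weakened so the checker has something to report. Point it at /etc/unbound/unbound.conf.d/pi-hole.conf to check a real file.

```python
"""Check a Pi-hole-style unbound "server:" block for the settings the guide relies on.

Added example, not part of the Pi-hole or unbound projects. It parses the
key: value lines of an unbound config (comments stripped, repeated keys kept
in order) and reports which of the guide's scope and hardening settings are
missing or weakened. SAMPLE_CONF is constructed for this example.
"""
import ipaddress
import sys

CLAUSES = {"server", "remote-control", "forward-zone", "stub-zone", "auth-zone", "view"}

# What the guide's pi-hole.conf sets; the last occurrence of a key wins.
EXPECTED = {
    "harden-glue": "yes",
    "harden-dnssec-stripped": "yes",
    "use-caps-for-id": "no",
    "edns-buffer-size": "1472",
}

# Constructed sample: the guide's config with two settings weakened
# (listening on all addresses, DNSSEC-stripping protection off).
SAMPLE_CONF = """\
server:
    verbosity: 0
    interface: 0.0.0.0
    port: 6236
    do-ip4: yes
    harden-glue: yes
    harden-dnssec-stripped: no   # weakened
    use-caps-for-id: no
    edns-buffer-size: 1472
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
"""

def parse_unbound(text):
    """Return {key: [values...]} for the server: clause only."""
    settings = {}
    in_server = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1] in CLAUSES:
            in_server = line == "server:"
            continue
        if not in_server or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        settings.setdefault(key, []).append(value.strip('"'))
    return settings

def check_resolver(text):
    """Return a list of problems (empty when the resolver matches the guide)."""
    s = parse_unbound(text)
    problems = []
    # 1. Only Pi-hole on the same host should be able to reach this resolver.
    for iface in s.get("interface", []):
        addr = ipaddress.ip_address(iface.split("@", 1)[0])  # "127.0.0.1@6236" form
        if not addr.is_loopback:
            problems.append(f"interface {iface} is not loopback-only")
    # 2. DNSSEC/cache-hardening settings from the guide.
    for key, want in EXPECTED.items():
        got = s.get(key, [None])[-1]
        if got != want:
            problems.append(f"{key}: expected {want}, found {got}")
    # 3. private-address keeps RFC 1918/link-local answers out of public names
    #    (unbound's rebinding protection); every range must parse.
    ranges = s.get("private-address", [])
    if not ranges:
        problems.append("no private-address ranges configured")
    for net in ranges:
        ipaddress.ip_network(net)  # raises ValueError on a malformed range
    return problems

if __name__ == "__main__":
    # Pass a config path as the first argument, or run with none to check the sample.
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for p in check_resolver(conf) or ["no problems found"]:
        print(p)
```

The checker only reads the server: clause and ignores other clauses, which is all the guide's file contains; a listener on anything other than a loopback address is reported because, combined with an over-permissive security group, it would turn the caching resolver into a second open resolver next to Pi-hole.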

Even more optional is setting up a swap file, if you chose a server with little RAM.

These instructions are very good. 

https://www.digitalocean.com/community/tutorials/how-to-add-swap-space-on-ubuntu-20-04

To get a higher degree of blocking (at the risk of also blocking things you may want), I add these lists in “Group Management / Adlists” in the Pi-hole GUI:

https://adaway.org/hosts.txt

https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt

https://www.technoy.de/lists/blocklist.txt

There are more lists to be found here: 
https://firebog.net/

https://www.technoy.de/lists/blocklists-fuer-pihole/ (in German, but very good)

Remember after adding blocklists you need to update Gravity in “Tools/Update Gravity” in the GUI. Otherwise the list will not be used. 

MAINTENANCE

From time to time you should run the following from the command line to keep everything up-to-date

apt -y update && apt -y upgrade && pihole -up && reboot

BACKUP

You should back up your pi-hole configuration, so you won’t lose all your hard work if your server crashes. I do this because I am using AWS spot (Android/ARCH) instances, which are extremely cheap, but AWS can close/terminate them when demand is high on their servers. A backup will help you get back up and running quickly.

GUI: Settings/Teleporter

Basic squid authentication

squid.conf

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

# Choose the port you want. Below we set it to default 3128.
http_port 3128

Then on the command line add your user:
htpasswd -c /etc/squid3/passwords username_you_like

and restart squid
service squid3 restart

Procmail recipe – smart recipes

Smart recipes

I use the following handy recipe to forward puzzles that any friend sends to me, while I keep a copy of it myself. That is, I have to perform two tasks at the same time. Here’s how you can go about it:

# forward puzzles to a friend
#and also keep a copy
:0
* ^Subject:.*(puzzle)
{
  :0 c
  ! myfriend@buddy.com

  :0
  puzzle
}

Here we use a nested block (enclosed in braces) instead of an action line. This block allows us to put multiple recipes within it, which are used only if the parent recipe is true.

In both the recipes in the block, we don’t have any condition statements. In the first action, the c flag is used to copy the message. Typically, a message will only run through the first recipe that is true. That is, if we don’t use the c flag, we can’t run the mail through the second recipe. The bang (!) before the email address indicates we want to forward the mail. The second recipe in the block delivers the mail to the puzzle directory.
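To make the c-flag behaviour described above concrete, here is an added example (written for this page, not procmail itself and not code from the original post): a small evaluator for the subset of procmail syntax the recipe uses, which replays a constructed message through the recipe and records which actions fire with and without the c flag.

```python
"""Minimal evaluator for a subset of procmail recipe syntax.

Added example, not procmail: it parses ":0" recipe lines with flags, "*"
conditions, "!" forward, "|" pipe and mailbox actions, and "{ }" nested
blocks, then replays a message through them. Header-only matching by
default, B/H flags, D (case-sensitive) and "!" negated conditions are
supported; the c flag on a block recipe, locking, variable assignments
and procmail's "^TO_" style macros are not.
"""
import re
from dataclasses import dataclass
from typing import List, Union

@dataclass
class Recipe:
    flags: str
    conditions: List[str]
    action: Union[str, List["Recipe"]]  # mailbox / "!addr" / "|cmd", or a nested block

def parse_recipes(text: str) -> List[Recipe]:
    lines = text.splitlines()
    pos = 0

    def parse_block(inside_braces: bool) -> List[Recipe]:
        nonlocal pos
        recipes = []
        while pos < len(lines):
            line = lines[pos].strip()
            pos += 1
            if not line or line.startswith("#"):
                continue
            if line == "}":
                if inside_braces:
                    return recipes
                raise ValueError("unexpected '}'")
            if not line.startswith(":0"):
                raise ValueError(f"expected a ':0' recipe line, got {line!r}")
            flags = line[2:].split(":", 1)[0].strip()  # ":0 c:" -> "c"; lockfile part ignored
            conditions = []
            while pos < len(lines) and lines[pos].strip().startswith("*"):
                conditions.append(lines[pos].strip()[1:].strip())
                pos += 1
            action_line = lines[pos].strip()  # the action immediately follows the conditions
            pos += 1
            action = parse_block(True) if action_line == "{" else action_line
            recipes.append(Recipe(flags, conditions, action))
        if inside_braces:
            raise ValueError("unterminated '{' block")
        return recipes

    return parse_block(False)

def conditions_hold(recipe: Recipe, message: str) -> bool:
    """procmail matches the header by default, the body with B, both with HB;
    matching is case-insensitive unless the D flag is set."""
    header, _, body = message.partition("\n\n")
    if "B" in recipe.flags:
        target = message if "H" in recipe.flags else body
    else:
        target = header
    re_flags = re.MULTILINE | (0 if "D" in recipe.flags else re.IGNORECASE)
    for cond in recipe.conditions:
        negated = cond.startswith("!")
        pattern = cond[1:].strip() if negated else cond
        matched = re.search(pattern, target, re_flags) is not None
        if matched == negated:
            return False
    return True

def run(recipes: List[Recipe], message: str, log=None):
    """Replay message through recipes; returns (actions taken, delivered?).
    A recipe that delivers ends processing unless it carries the c flag."""
    log = [] if log is None else log
    for r in recipes:
        if not conditions_hold(r, message):
            continue
        if isinstance(r.action, list):
            if run(r.action, message, log)[1]:
                return log, True
            continue  # nothing in the block delivered: fall through to the next recipe
        if r.action.startswith("!"):
            log.append(("forward", r.action[1:].strip()))
        elif r.action.startswith("|"):
            log.append(("pipe", r.action[1:].strip()))
        else:
            log.append(("deliver", r.action))
        if "c" not in r.flags:
            return log, True
    return log, False

# The recipe from the post, and a constructed message to push through it.
PUZZLE_RECIPE = """\
# forward puzzles to a friend
#and also keep a copy
:0
* ^Subject:.*(puzzle)
{
  :0 c
  ! myfriend@buddy.com

  :0
  puzzle
}
"""
SAMPLE_MESSAGE = "From: alice@example.com\nSubject: Sunday crossword PUZZLE\n\nHere it is.\n"

if __name__ == "__main__":
    print(run(parse_recipes(PUZZLE_RECIPE), SAMPLE_MESSAGE))
```

Dropping the c from the first inner recipe makes the forward the final delivery, so the copy to the puzzle folder never happens; a message whose subject does not match falls out of the block undelivered and would go to the default mailbox.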

SOPHOS UTM 9 (Sophos SG Firewall) update firmware

NOTE: This description is NOT for Sophos XG firewall. That is a completely different product.

Easiest way to manually update / upgrade the firmware in Sophos UTM (aka ASTARO aka Sophos SG firewall) is via the ssh command line interface.

  1. Log in via SSH with PuTTY or from another ssh server and become root (su).
  2. cd /var/up2date/sys
  3. wget all the needed updates from http://download.astaro.com/UTM/v9/up2date/ :
    wget http://download.astaro.com/UTM/v9/up2date/u2d-sys-9.601005-602003.tgz.gpg
    etc….
  4. Make updates visible and available in the GUI with:
    auisys.plx -showdesc --verbose
  5. Run updates from the GUI or run this command to execute the updates / upgrades in the CLI:
    auisys.plx --verbose
  6. The system will automatically reboot when the updates / upgrades are done.

Setup Sophos XG firewall on Vultr.com virtual server

There are some tricks required to overcome Sophos’ install idiosyncrasies when trying to install Sophos XG firewall from ISO on a Vultr virtual server.

Sophos UTM (the predecessor) used to be easy to install, but with XG Firewall Sophos have gone back to inflexibility with some basics, that, in my opinion, are unnecessary (SOPHOS, these are things you should fix):

  • 2 network interfaces needed
  • Pre-initialisation command line does not allow setting the default gateway of any interface
  • Pre-initialisation command line does not allow setting a static IP on all interfaces (only on interface 1)
  • Changing network settings in web admin during initialisation causes loss of access (in this setup case)

So these problems require certain things from Vultr:

  • 2 instances (1 for the XG and another – Linux or Windows – to initially manage the XG)
  • 2 IP addresses in the same subnet (necessary because the XG will only see IPs in the same subnet)
  • Console access to the running instances, which is provided freely by Vultr.
  • Download link to Sophos’ XG ISO

Step by step what I did:

  1. Started 10 (yes ten) servers of the cheapest kind in the hope to get 2 IP addresses in the same subnet, which I did.
  2. Shutdown the other 8 servers as soon as possible, as they cost money.
  3. “Converted” those 2 IP addresses to “reserved IP addresses” – this way you keep them to assign them to the 2 instances you need for this setup process.
  4. Shutdown the 2 instances whose IP addresses you have taken.
  5. Download the Sophos XG ISO to Vultr
  6. Start an instance to install from that ISO and assign one of those 2 reserved IP addresses
  7. Go through the off ISO setup process for Sophos XG. Follow those instructions
  8. Remove ISO from instance. This will reboot the instance and setup will continue.
  9. Login and set the port 1 IP address to the IP address you have allocated above. Then the web interface becomes visible to this network subnet only.
  10. Start another instance of choice with the other reserved IP address in the same subnet. I used a Linux instance, which I ssh’d into and made a tunnel to the XG web interface https://<IP>:4444, but there is no reason (other than cost) why you could not use a Windows instance to access the same web interface from there.
  11. In the Sophos web interface setup enter new password, disable install new firmware and agree to license
  12. select “Continue offline” and confirm you want to continue
  13. Give your machine a name and select your timezone (although you can also change that later)
  14. Continue after basic setup complete.
  15. The next step is critical to get right: put only the IP address and the subnet mask, exactly as in the command interface, in the “LAN Address and Internal Client Network Size” fields. Otherwise you will lose access to the instance and have to start from scratch.
    And disable DHCP
  16. Continue without ticks on network protection (can be changed later)
  17. put your email addresses in the next step  (can be changed later)
  18. Finish. The XG will reboot
  19. Once setup is complete go back into the web interface and login with your new password. You will get the normal XG web interface and you can then make the adjustments in your network settings to get internet access on your XG and register and update etc.
  20. IMPORTANT: make sure you give yourself access to the admin interface from the WAN link otherwise you are locking yourself out and you can start again. See System/Administration/Device Access

Optional extras:

  • I did not register or install licenses or even started a trial and only updated the XG after setup and then I made a snapshot of the XG, because I wanted to release the reserved IP address, as it costs extra unnecessarily. When you create an instance from the snapshot it will have a new dynamic IP address, which is different and you will need to set this in the console interface, which works perfectly for setting the default gateway after setup (Sophos, why not during setup?). Then you can access your new XG via the new IP address. (Yes you can start multiple, because each can get their own IP, serial number and license).
  • Shutdown all unneeded instances and delete the reserved IPs

Upgrade PHP and MySQL Centos 6.x

The method I found most simple is:

wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -ivh remi-release-6.rpm
vim /etc/yum.repos.d/remi.repo     (you need to enable the parts you want in this file)
yum -y upgrade php*
yum -y update
reboot

done.

Sentora virtual domains SSL setup – Let’s Encrypt Certificates

I won’t discuss here why you would want to use Let’s Encrypt Certificates, but 3 of the main reasons for me are:

  1. Certificates are free
  2. Certificates are automatically updated. So it becomes a set and forget affair. No more fiddling around every 1, 2 or 3 years.
  3. Automatic updates are done every 3 months. So the certificates are always fresh.

And now for the setup on a fully up-to-date Sentora Centos 6.7 server

Run

yum -y install mod_ssl wget nc netcat; wget -O - https://get.acme.sh | sh

This will install the stand alone certificate management software, that will get and update your certificates from Let’s Encrypt

This is how you use it (issue a certificate for example.com where the http site files are actually located in /home/wwwroot/example.com):

/root/.acme.sh/acme.sh --issue -d example.com -w /home/wwwroot/example.com

There will be an output containing a variety of information you will need to configure APACHE. Keep it.

Then add this to your crontab, so your certificates are automatically updated/renewed (in /etc/crontab, unlike a per-user crontab, the user field after the five time fields is required):

vim /etc/crontab
34 0 * * * root "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Now the APACHE setup

If you have SSL enabled on your Sentora admin panel disable it and see below how to integrate it again.

Add the following lines to /etc/sentora/configs/apache/httpd.conf (vim /etc/sentora/configs/apache/httpd.conf):

# Custom SSL Apache config
Include /etc/zpanel/configs/apache/httpd-ssl-vhosts.conf

Then create the file:

vim /etc/zpanel/configs/apache/httpd-ssl-vhosts.conf

And fill it with the details for your sites like this (Hint: You will find this in /etc/zpanel/configs/apache/httpd-vhosts.conf):

# This is needed only once for multiple SSL/https virtual hosts
NameVirtualHost *:443

# DOMAIN: example.com
<virtualhost *:443>
ServerName example.com
ServerAdmin admin@example.com
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/example_com"
php_admin_value open_basedir "/var/sentora/hostdata/zadmin/public_html/example_com:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/sentora/logs/domains/zadmin/example.com-error.log"
CustomLog "/var/sentora/logs/domains/zadmin/example.com-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/example.com-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/example_com">
Options +FollowSymLinks -Indexes
AllowOverride All
Order Allow,Deny
Allow from all
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 403 /_errorpages/403.html
ErrorDocument 510 /_errorpages/510.html
ErrorDocument 404 /_errorpages/404.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
# Custom Global Settings (if any exist)
RewriteEngine on
RewriteOptions inherit

# Custom VH settings (if any exist)
SSLEngine On
SSLCertificateFile /etc/ssl/certs/domain_name.com/domain_name_com.crt
SSLCertificateKeyFile /etc/ssl/certs/domain_name.com/domain_name_com.key
SSLCACertificateFile /etc/ssl/certs/domain_name.com/gs_root.pem
SSLCertificateChainFile /etc/ssl/certs/domain_name.com/gs_intermediate_ca.crt
</virtualhost>
# END DOMAIN: example.com



And now you can add the details for Sentora panel again and re-enable the redirection to ssl for the panel:

# This is needed only once for multiple SSL/https virtual hosts
NameVirtualHost *:443

#Configuration for Sentora control panel.
<VirtualHost *:443>
ServerAdmin admin@blue.net.au
DocumentRoot "/etc/sentora/panel/"
ServerName sentorapanel.example.com
ErrorLog "/var/sentora/logs/sentora-error.log"
CustomLog "/var/sentora/logs/sentora-access.log" combined
CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options +FollowSymLinks -Indexes
AllowOverride All
Order allow,deny
Allow from all
</Directory>
# Custom settings are loaded below this line (if any exist)
SSLEngine On
SSLCertificateFile /root/.acme.sh/sentorapanel.example.com/sentorapanel.example.com.cer
SSLCertificateKeyFile /root/.acme.sh/sentorapanel.example.com/sentorapanel.example.com.key
SSLCACertificateFile /root/.acme.sh/sentorapanel.example.com/ca.cer
SSLCertificateChainFile /root/.acme.sh/sentorapanel.example.com/fullchain.cer

</VirtualHost>
# END Configuration for Sentora control panel.


# DOMAIN: example.com
<virtualhost *:443>
ServerName example.com
ServerAdmin admin@example.com
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/example_com"
php_admin_value open_basedir "/var/sentora/hostdata/zadmin/public_html/example_com:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/sentora/logs/domains/zadmin/example.com-error.log"
CustomLog "/var/sentora/logs/domains/zadmin/example.com-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/example.com-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/example_com">
Options +FollowSymLinks -Indexes
AllowOverride All
Order Allow,Deny
Allow from all
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 403 /_errorpages/403.html
ErrorDocument 510 /_errorpages/510.html
ErrorDocument 404 /_errorpages/404.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
# Custom Global Settings (if any exist)
RewriteEngine on
RewriteOptions inherit

# Custom VH settings (if any exist)
SSLEngine On
SSLCertificateFile /etc/ssl/certs/domain_name.com/domain_name_com.crt
SSLCertificateKeyFile /etc/ssl/certs/domain_name.com/domain_name_com.key
SSLCACertificateFile /etc/ssl/certs/domain_name.com/gs_root.pem
SSLCertificateChainFile /etc/ssl/certs/domain_name.com/gs_intermediate_ca.crt
</virtualhost>
# END DOMAIN: example.com

You might also want to redirect all traffic to your https now.

Put this into your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Chocolatey – a software management system for Windows

Chocolatey (https://chocolatey.org/) is a software manager for Windows. There are almost 5000 packages. The ones you use are almost certainly in there. All mine are.

Install choco from an administrator command line:

@powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"

Then run installs like:

choco install -y ccleaner

https://chocolatey.org/packages contains a list  of all the packages

I recommend the GUI:

choco install -y chocolateygui chocolatey-core.extension

But I like the command line, too.

And I like that you can update all your installed packages at once (yes, they need to have been installed by choco first):

choco upgrade all -y

Sysadmin packages I install:

windirstat winrar treesizefree TeraCopy Recuva nmap lockhunter ccleaner autoruns

User packages I install:

sublimetext3 vlc WhatsApp XnView WindowsLiveInstaller WindowsLiveWriter PDFXchangeEditor paint.net notepadplusplus.install libreoffice lastpass irfanview GoogleChrome-AllUsers Firefox dropbox ditto