Daniels Blog
8 Nov 2016

Anonymizing IP addresses in Apache log files with piped logs

Yesterday I had a task for which I initially saw no simple solution: I wanted to anonymize the IP addresses in the Apache log files. That is, remove parts of the logged IP addresses so that I still have rudimentary logging of individual visitors but no longer record their complete IPs.

So a 212.122.113.145 should become ***.***.*13.145.
To guarantee the greatest possible security, this should not happen after the fact but live, during Apache's logging.
The complete IPs should never end up on disk.

After some research I came across an Apache feature I had not known until then: piped logs.

Piped logs make it possible, in the Apache configuration for a VirtualHost, to specify not a log file but a script that is started on every log operation and receives the log line from Apache as standard input.

In the config of the corresponding VirtualHost the whole thing looks like this:

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "|/root/scripts/anonymize_apache" common

Every log entry is thus passed through to the script /root/scripts/anonymize_apache

The rest is just a trifle in Bash:

#!/bin/bash

# /root/scripts/anonymize_apache

# Read log lines from standard input for as long as Apache keeps the pipe open.
# IFS= and -r keep whitespace and backslashes in the log line intact.
while IFS= read -r logline; do

    # Use sed to snip away the desired parts of the IP.
    # The variable is quoted so that "*" and "[...]" in the line are not glob-expanded.
    anon=$(printf '%s\n' "$logline" | sed -r 's/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]/***.***.*/')

    # Write the anonymized result to the log file
    printf '%s\n' "$anon" >> /var/log/apache2/myvirtualhost.anon.log
done

Edit: After writing this article I found a script that offers more functionality than my three-liner:
https://www.privacyfoundation.ch/de/service/anonip.html
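
A fail-closed variant of the filter above, as an added example that is not the author's script: it keeps the ***.***.*13.145 scheme for IPv4 and masks any other first field (IPv6, malformed input) completely, so that no address the pattern does not recognise reaches the disk. The --filter switch, the function names and the paths in the comments are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not the blog author's script. The --filter switch, the
# function names and the paths below are assumptions for this illustration.
#
# Apache side:
#   CustomLog "|/usr/local/bin/anonlog --filter /var/log/apache2/vhost.anon.log" common
# Apache starts piped loggers from its parent process (normally root), so the
# script must be root-owned and not writable by anyone else.

# Mask the first field (%h) of one log line.
#   IPv4      -> same scheme as in the post: ***.***.*13.145
#   all else  -> "***" (IPv6, hostnames, malformed input)
anonymize_line() {
    printf '%s\n' "$1" | sed -E \
        -e 's/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]([0-9]{0,2}\.[0-9]{1,3})( |$)/***.***.*\1\2/' \
        -e t \
        -e 's/^[^ ]*/***/'
}

# Count the lines of a log file that still start with a complete IPv4 address.
# grep exits non-zero when the count is 0, hence the "|| true".
count_unmasked() {
    grep -Ec '^[0-9]{1,3}(\.[0-9]{1,3}){3}( |$)' "$1" || true
}

# Filter mode: stay alive and process every line Apache writes to the pipe.
if [ "${1:-}" = "--filter" ]; then
    while IFS= read -r line; do
        anonymize_line "$line" >> "$2"
    done
    exit 0
fi

# Demo on constructed log lines (not real traffic).
anonymize_line '212.122.113.145 - - [08/Nov/2016:10:00:00 +0100] "GET /*.php HTTP/1.1" 200 512'
anonymize_line '2001:db8::1 - alice [08/Nov/2016:10:00:01 +0100] "GET / HTTP/1.1" 200 99'
```

Running count_unmasked against the written log file after a test request is a quick check that no complete IPv4 address got through.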

27 Oct 2016

Cleaning up Cyanogenmod 13 Nexus 5x (bullhead)

This is just the backup of my personal crap removal and tweak script for CM13

#!/system/bin/sh

echo "MOUNTING /system r/w"
mount -o rw,remount,rw /system

echo "KILLING CRAP from /system/app"

rm -rf /system/app/NfcNci
rm -rf /system/app/PrintSpooler
rm -rf /system/app/LockClock
rm -rf /system/app/RCSBootstraputil
rm -rf /system/app/RcsImsBootstraputil
rm -rf /system/app/Profiles

echo "KILLING CRAP from /system/priv-app"
rm -rf /system/priv-app/AudioFX
rm -rf /system/priv-app/CellBroadcastReceiver
rm -rf /system/priv-app/CMBugReport
rm -rf /system/priv-app/CNEService
rm -rf /system/priv-app/GCS
rm -rf /system/priv-app/HotwordEnrollment
rm -rf /system/priv-app/LifetimeService
rm -rf /system/priv-app/ManagedProvisioning
rm -rf /system/priv-app/ThemeChooser
rm -rf /system/priv-app/ThemesProvider
rm -rf /system/priv-app/OneTimeInitializer

echo "MUTING CAMERA ETC."
chmod ugo-rwx /system/media/audio/ui/camera_click.ogg
chmod ugo-rwx /system/media/audio/ui/camera_focus.ogg
chmod ugo-rwx /system/media/audio/ui/VideoRecord.ogg
chmod ugo-rwx /system/media/audio/ui/VideoStop.ogg
chmod ugo-rwx /system/media/audio/ui/Lock.ogg

echo "MOUNTING /system r/o"
mount -o ro,remount,ro /system

echo "FIXING Volume"
mount -o rw,remount,rw /
cp /sdcard/mixer_paths.xml /etc
mount -o ro,remount,ro /

echo "DONE"

21 May 2016

Increase headphones volume in CyanogenMod 13

Time for bleeding ears:

- Mount /etc read/writeable with your favourite file explorer (Root Explorer can do it for example)
- Locate /etc/mixer_paths.xml
- Open it with your favourite text editor.
- Play with the values for "RX1 Digital Volume" and "RX2 Digital Volume" in the "Headphones" path
- Save
- Reboot
- Check the results

Be careful, it can get very loud and noisy if you push it too far. I set mine to 94 on a serranoltex device (SAMSUNG S4 Mini INT) and it's too loud for some of my MP3s at max volume, still great for most of my others.

5 Oct 2015

LPIC 101 study videos

For ages I had been planning to finally do LPIC2. I passed the 201 some years ago and so far have always dawdled over taking the 202. Somehow you (almost) always have something better to do in your free time 😉 Nevertheless I thought it would be a nice goal for 2015 to finally get the whole thing behind me.

So far so good. So I logged in at LPI to register for the 202 and found to my horror that my Level 1 had expired 3 months earlier. My hope was now that I could take the 202 exam anyway, since I already hold the 201, but unfortunately that was not the case.

"You must first be certified for Level 1 in order to take Level 2 exams". Damn! At least retaking the 201 is not necessary. Still, I was of course anything but thrilled to torture myself through the 1 once more.

After a few days of agonizing I decided to do LPIC1 once more and to accompany the whole thing with commented study videos. Hence today, after passing my 101-400 exam, my first video series on YouTube. Maybe it helps someone who is also studying for the 101 right now.

My LPIC 101 videos are available here: Lets Learn LPIC 101 deutsch - Youtube

15 Mar 2015

Increase Headphone Volume in Cyanogenmod 12

Being used to the extremely loud headphone volume of AIWA walkmen from the 1990s, my Android volume was always a bit too low for my ears.

I tried to play around with CM's included "DSP Manager" but it never worked as I expected and I disliked needing an additional app to increase volume on my device.

In Cyanogenmod headphone volumes are configured in /system/etc/snd_soc_msm/snd_soc_msm_2x
(Maybe this will work in every recent Android distribution, no idea though, I am on CM12 Lollipop)

Just edit this file and search for the stanzas called "Headphones" and "PROXY Rx Headphones"

Inside of those you will find "RX# Digital Volume" with a percentage value.

Mine were set to 69.4%. I raised them to 75% and rebooted. Now my ears bleed. Nice.

The settings will be lost after updates so I created a small script to run after updates which will replace the original file with my modified one.

#!/system/bin/sh
# The file on /sdcard is my modified backup
cp /sdcard/snd_soc_msm_2x /system/etc/snd_soc_msm/snd_soc_msm_2x
30 Dec 2014

Debian Jessie LXC networking. Containers with public and NATed IPs

It took me some time to get this working so it's time for a blog post:

Scenario
This was a setup for a server in a data center with a public IP address. The server has one physical interface with a publicly routable IP address. Additionally I ordered another public IP address for the server to be used in one of the LXC containers.

I have two containers.

Container A
"A" gets a publicly routable IP address to be reachable from the internet without NATing

Container B
"B" gets a private IP address and can only be reached through NAT and port mappings

Host
Host has 5.5.5.1 as main public IP
Container A has 5.5.5.2 as "virtual" IP
Container B has 10.10.10.1 as NATed private IP

HOST SETUP:



#NETWORKING CONFIG ON HOST
#/etc/network/interfaces

auto lo
iface lo inet loopback


allow-hotplug eth0
iface eth0 inet manual
   pre-up   ifconfig eth0 up
   pre-down ifconfig eth0 down


auto  br0
iface br0 inet static
  address   5.5.5.1
  broadcast broadcast.ip
  netmask   netmask.ip
  gateway   gateway.ip
  bridge_ports eth0
  bridge_fd 0
  bridge_maxwait 0


auto  br1
iface br1 inet static
  address   10.10.10.100
  netmask   255.255.255.0
  bridge_fd 0
  bridge_maxwait 0
  pre-up brctl addbr br1
  up iptables -t nat -F POSTROUTING

  # Exclude boxes with static IPs from Natting
  up iptables -A PREROUTING -t nat -i br0 -p tcp -s 5.5.5.2 -j ACCEPT


  # Enable Forwarding for NATed boxes
  up iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o br0 -j MASQUERADE

  # example PORT FORWARDINGS FOR Mailserver
  up iptables -A PREROUTING -t nat -i br0 -p tcp --dport 25 -j DNAT --to 10.10.10.1:25
  up iptables -A PREROUTING -t nat -i br0 -p tcp --dport 465 -j DNAT --to 10.10.10.1:465
  up iptables -A PREROUTING -t nat -i br0 -p tcp --dport 587 -j DNAT --to 10.10.10.1:587

  # example PORT FORWARDINGS FOR Webserver
  up iptables -A PREROUTING -t nat -i br0 -p tcp --dport 80 -j DNAT --to 10.10.10.2:80
  up iptables -A PREROUTING -t nat -i br0 -p tcp --dport 443 -j DNAT --to 10.10.10.2:443

  post-down iptables -F
  post-down iptables -t nat -F
  post-down brctl delbr br1



#IP forwarding must be enabled in the kernel as well (don't forget reboot)
#/etc/sysctl.conf
net.ipv4.ip_forward=1

CONTAINER A Setup (static virtual public IP):

lxc.utsname = containershostname
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0

# This is the MAC for the public IP i got from my provider
# container gets IP by providers DHCP
lxc.network.hwaddr = 00:11:22:33:44:55

CONTAINER B Setup (static NATed private IP):

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br1
lxc.network.ipv4 = 10.10.10.1
lxc.network.ipv4.gateway = 10.10.10.100
24 Nov 2014

Flashing an Android kernel and other images under Ubuntu with adb and fastboot

apt-get install android-tools-adb android-tools-fastboot

# Enable USB debugging on the phone
# Connect the phone via USB

adb devices
# the device should be listed
adb reboot-bootloader

# Device reboots into fastboot mode

fastboot devices
fastboot flash boot filename_of_boot.img
fastboot reboot


# Flash further images
fastboot flash bootloader bootloader.img
fastboot reboot-bootloader

fastboot flash radio radio.img

fastboot flash recovery recovery.img

fastboot flash system system.img

fastboot flash vendor vendor.img

18 Nov 2014

Changing the font color of objects on the Cinnamon desktop

Today something cosmetic that has annoyed me forever: depending on the GTK3 theme, the font color of folders and files on the Cinnamon desktop changes, so that with some wallpapers the text is barely readable.

Fortunately you can change this globally; it just took me forever to find out where.
Here is an example for a white font:

/* Create this file: $HOME/.config/gtk-3.0/gtk.css */

.nemo-desktop.nemo-canvas-item {
color: #FFFFFF;
background-color: #5E80A0;
text-shadow: 1px 1px @desktop_item_text_shadow;
}
29 Jun 2014

Using Android without Google – The hard way

I have been trying to get rid of Google completely on my Android phone. As I have made some nice progress I'd like to share what I did and which problems I had to overcome:

OS
I removed my stock version of Android and replaced it with Cyanogen Mod (http://www.cyanogenmod.org/). CM doesn't ship the Google Services; you have to install them manually afterwards. I didn't do that, so most of Google was gone already. This produced a lot of problems, because Google Play isn't available, plus the Maps Framework is used by many 3rd party apps.

Appstore
The biggest showstopper is the missing appstore. I installed F-Droid (https://f-droid.org/), which is a nice appstore that provides open-source apps only. This provided me with some apps I use regularly (Twitter client and some others) but is in no way a replacement for Google Play. Now I had to decide if I wanted to trust other 3rd party appstores or not. I decided not to. Amazon has its own "trustworthy" appstore, but apps are patched and crippled. Didn't want to have that. Decided to download needed apps with another Android device. After that I grab them from /data/app on the other device with Root Explorer (https://play.google.com/store/apps/details?id=com.speedsoftware.rootexplorer&hl=de) and sync them to my real device with Owncloud. This ugly process basically made me use fewer apps on my phone because it's such a hassle to get them on it. I got used to it after some time and reduced my app selection to a sane minimum.

Contacts, Mail and Calendar sync
I set up an installation of Horde Groupware (http://www.horde.org) on my personal server. Horde features "Microsoft Active Sync" compatibility. On Android, I just had to add an Active Sync account to sync all my stuff to my own server. Works perfectly.

Maps Framework
Many apps that embed a Google Map somewhere use the "Google Maps Framework" which comes with Google Maps. A specific app I use often depends on the framework. The app won't start without the framework, even though I don't need the embedded maps inside. Luckily some guy from XDA wrote a script that simulates an installed Maps framework without it actually being there. (Couldn't find link, too long ago)

Maps
Checked out many mapping applications based on OpenStreetMaps. MapFactor worked best for me (https://play.google.com/store/apps/details?id=com.mapfactor.navigator&hl=de). It's not as good as Google Maps but it works.

Browser
The Android browser that ships with Android has built-in Google Search. I replaced it with Lightning (https://play.google.com/store/apps/details?id=acr.browser.barebones), a small and quick open source browser which can be configured to use many different search engines. I set it to Startpage.

Music
My PlayStore license for Poweramp didn't work on my devices without Google Licensing Services, provided by Play (a problem with many pay-apps, not all though). Luckily the dev offers a version bound to an e-mail account. I re-bought the software.

That's basically it. I'll sniff the traffic of my phone, if I find the time, to verify I really got rid of Google on my phone. (I bet I forgot something)

23 Jun 2014

VAULT – A small script to create and mount encfs encrypted directories on the fly

This small script will allow you to create, mount and unmount encfs directories on the fly.
As the need for encryption seems to rise all the time, usable solutions always come in handy.

You can create a safe storage for sensitive data quickly and easily with this script.

All you need to do is install encfs with your distribution's package manager and adjust the tiny CONFIG section to your needs.
The script will take care of the rest (hopefully).

Comments welcome.

#!/bin/bash
#
# VAULT
# DR 20140624
# http://www.daniel-ritter.de/blog/vault-create-and-mount-encfs-encrypted-directories-on-the-fly
# 
# 
# CREATE AND MOUNT ENCFS ENCRYPTED DIRECTORIES ON THE FLY
#
# ENCFS NEEDS TO BE INSTALLED (apt-get install encfs for Debian/Ubuntu)
# ADJUST CONFIG SECTION TO YOUR NEEDS
#
# NO GUARANTEES, KNOW WHAT YOU ARE DOING
# THIS IS LICENSED WITH GPL
# http://www.gnu.org/licenses/gpl.txt



# CONFIG

VAULTBASEDIR=/home/myusername
FILEMANAGER=nautilus

# END OF CONFIG


clear
echo "VAULT"
echo


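# INITIAL SETUP creates directories and sets up encryption
if [ ! -d "$VAULTBASEDIR/.vault_dec" ]; then
    echo "NO VAULT FOUND. CREATING..."
    echo
    echo
    # Stop here if encfs setup is aborted or fails, so that no marker file
    # is written into an unencrypted directory
    encfs "$VAULTBASEDIR/.vault" "$VAULTBASEDIR/.vault_dec" || exit 1
    # Marker file inside the decrypted view: only visible while the vault is mounted
    touch "$VAULTBASEDIR/.vault_dec/mounted"
    fusermount -u "$VAULTBASEDIR/.vault_dec"
    echo
    echo
    echo "VAULT CREATED. RUN vault TO LOCK AND UNLOCK IT."
    exit
fi



# VAULT is unlocked, lock it
if [[ -e "$VAULTBASEDIR/.vault_dec/mounted" ]]; then
    echo "Locking VAULT"
    echo
    fusermount -u "$VAULTBASEDIR/.vault_dec"
    # Show the mount point, which should be empty once the vault is locked
    ls -la "$VAULTBASEDIR/.vault_dec"
    echo
    echo
    echo "LOCKED"


# VAULT IS LOCKED, unlock it and open filemanager
else
    echo "UNLOCKING VAULT"
    # Open the file manager only if the vault was actually mounted
    encfs "$VAULTBASEDIR/.vault" "$VAULTBASEDIR/.vault_dec" \
        && "$FILEMANAGER" "$VAULTBASEDIR/.vault_dec"
fi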

6 Jan 2014

Monitor switcher with YAD and xrandr

Since I frequently have to change the video output of my notebook, I wrote a small script that makes the task considerably easier. I bound the script to a keyboard shortcut and can thus select the desired display within seconds. For the graphical interface I use YAD, for the actual setting of the output xrandr.

#!/bin/bash

action=$(yad --width 300 --title "OUTPUT" \
    --button="Monitor + Notebook :1" \
    --button="Notebook:2" \
    --button="Monitor:3" \
    --button="TV MODE:4")

ret=$?

# Notebook + Monitor
if [[ $ret -eq 1 ]]; then
xrandr --output LVDS1 --mode 1366x768  --output DP1 --mode 1920x1200 --left-of LVDS1 --primary --output VGA1 --off
fi

# Notebook Only 
if [[ $ret -eq 2 ]]; then
xrandr --output LVDS1 --mode 1366x768  --output VGA1  --off --output DP1 --off
fi

# Monitor Only
if [[ $ret -eq 3 ]]; then
xrandr --output DP1 --mode 1920x1200 --primary --output VGA1 --off --output LVDS1 --off
fi

# TV MODE (Monitor  + TV)
if [[ $ret -eq 4 ]]; then
xrandr --output DP1 --mode 1920x1200 --right-of VGA1 --primary --output VGA1 --mode 1920x1080 --output LVDS1 --off
fi

exit 0

11 Nov 2013

Pound reverse proxy for HTTP and HTTPS – quick and dirty howto on Debian Squeeze

Pound is a load balancer and reverse proxy for HTTP and HTTPS. Here is a quick and dirty setup for HTTPS proxying of an HTTP server. Handy, for example, for giving a web service that does not support HTTPS a secure connection anyway.

Install Pound

apt-get install pound

Generate SSL key and certificate
Pound expects certificate and key in a single file!

cd /etc/ssl
mkdir pound
cd pound
# 2048-bit RSA key; 1024 bits is no longer considered secure
openssl req -x509 -newkey rsa:2048 -keyout pound.pem -out pound.pem -days 9999999 -nodes

Configure Pound
(All incoming connections to https://192.168.1.2:9999 are forwarded to 127.0.0.1:8000)

#/etc/pound/pound.cfg

######################################################################
## global options:

User            "www-data"
Group           "www-data"
#RootJail       "/chroot/pound"

## Logging: (goes to syslog by default)
##      0       no logging
##      1       normal
##      2       extended
##      3       Apache-style (common log format)
LogLevel        1

## check backend every X secs:
Alive           30

## use hardware-accelleration card supported by openssl(1):
#SSLEngine      ""

# poundctl control socket
Control "/var/run/pound/poundctl.socket"


######################################################################
## listen, redirect and ... to:

## accept HTTPS on 192.168.1.2:9999 ("ListenHTTPS") and pass all requests to the local webserver (see "Service" below):
ListenHTTPS
        Address 192.168.1.2
        Port    9999
        Cert    "/etc/ssl/pound/pound.pem"

        ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
        xHTTP           1

        Service
                BackEnd
                        Address 127.0.0.1
                        Port    8000
                End
        End
End

Enable the daemon in Debian

#/etc/default/pound
startup=1

Start Pound

/etc/init.d/pound start