Tuesday, March 4, 2025

ALT Linux in WSL

We need the tar file from the archive:
https://ftp.altlinux.org/pub/distributions/ALTLinux/p11/images/cloud/x86_64/alt-p11-rootfs-systemd-x86_64.tar.xz


```powershell
$distro_name    = "alt-p11"
$distro_storage = "c:\vm\_wsl\$($distro_name)"
$distro_tarball = "c:\users\public\iso\alt-p11-rootfs-systemd-x86_64.tar"

# Unpack the .tar.xz next to itself: 7z e extracts into the current directory
# unless -o<dir> is given, so point it at the folder the import expects.
7z e c:\users\public\iso\alt-p11-rootfs-systemd-x86_64.tar.xz "-o$(Split-Path $distro_tarball)"

# Drop a previous distro of the same name (on a first run this just prints an
# error), import the rootfs into the storage folder and start it as root.
wsl --unregister $distro_name
wsl --import $distro_name $distro_storage $distro_tarball
wsl -d $distro_name
```

```bash
# Inside the freshly imported distro (we are root): install passwd and sudo.
apt-get update; apt-get install -y passwd sudo

# Create the day-to-day account in the wheel group and set its password.
# The drop-in grants passwordless sudo; sudo expects sudoers.d files to be
# mode 0440, and visudo -c checks the syntax before it is ever used.
wsluser=appc
adduser -G wheel "$wsluser"
echo "$wsluser ALL=(ALL:ALL) NOPASSWD: ALL" > "/etc/sudoers.d/$wsluser"
chmod 0440 "/etc/sudoers.d/$wsluser"
visudo -c
passwd "$wsluser"

# Make that account the default WSL user and mount the Windows drives with
# Linux permission metadata, so chmod works under /mnt/c.
cat > /etc/wsl.conf <<EOF
[user]
default=$wsluser

[automount]
enabled = true
mountFsTab = false
root = /mnt/
options = "metadata,umask=22,fmask=11"

[network]
generateHosts = true
generateResolvConf = true
EOF
```

```powershell
# Restart the distro so that /etc/wsl.conf takes effect; the shell now opens as the default user.
wsl --terminate $distro_name
wsl -d $distro_name
```

Arseny Ratner, arsenyratner@gmail.com, 7 985 273 2090

Thursday, February 13, 2025

sshd does not start on Windows 10: "The process terminated unexpectedly."

Fixing the permissions on
C:\ProgramData\ssh\logs
helped. I left only SYSTEM and the Administrators group in the list and


Wednesday, February 12, 2025

Windows DHCP to kea-dhcp4.conf converter

powershell Convert-WindowsDHCPToKea.ps1 \
    -in_xml "/var/tmp/win_dhcp.xml" \
    -in_template "/etc/kea/kea-dhcp4.conf" \
    -out_confdir "/etc/kea" \
    -split "all" \
    -out_dhcp4_conf "/etc/kea/kea-dhcp4.conf.json" \
    -out_confd "/etc/kea/conf.d"


Tuesday, December 3, 2024

Useful filters for LDAP queries in AD


List all users

To do this we select all the users ((objectClass=user)) that are also people ((objectCategory=person)) in the LDAP directory:

(&(objectCategory=person)(objectClass=user))  

List of all kerberoastables users

To do this we select all the users ((objectClass=user)) having a Service Principal Name (SPN) defined ((servicePrincipalName=*)) and we remove from our results:

  • The user krbtgt (which by definition has an SPN) with the filter (!(cn=krbtgt)).
  • Disabled users, with the filter (!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Which gives us:

(&(objectClass=user)(servicePrincipalName=*)(!(cn=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))  

List of all asrep-roastables users

To do this we select all the users ((objectClass=user)) that have "Do not require Kerberos preauthentication" flag set in their userAccountControl:

(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))  

Find all Users that need to change password on next login.

(&(objectCategory=user)(pwdLastSet=0))  

Find all Users that are almost Locked-Out

(&(objectCategory=user)(badPwdCount>=4))  

Find all Users with *pass* or *pwd* in their description

(&(objectCategory=user)(|(description=*pass*)(description=*pwd*)))  

List of all users protected by adminCount

The adminCount attribute specifies that a given object has had its access control lists (ACLs) changed to a more secure value by the Active Directory system because it is a member of one of the administrative groups, either directly or transitively.

(&(objectCategory=user)(adminCount=1))  

Groups

List all groups

(objectCategory=group)  

List of all groups protected by adminCount

The adminCount attribute specifies that a given object has had its access control lists (ACLs) changed to a more secure value by the Active Directory system because it is a member of one of the administrative groups, either directly or transitively.

(&(objectCategory=group)(adminCount=1))  

Services

Listing all servicePrincipalName

(servicePrincipalName=*)  

Listing specific services from their servicePrincipalName

To list specific services, we can use the beginning of the servicePrincipalName attribute:

(servicePrincipalName=http/*)  

Here are a few examples of servicePrincipalName:

  • ldap/DC01.LAB.local
  • kadmin/changepw (of kerberos service CN=krbtgt,CN=Users,DC=LAB,DC=local)
  • MSSQLSvc/DC01.LAB.local

Computers

Listing all computers with a given Operating System

For example to list all the machines under Windows XP:

(&(objectCategory=Computer)(operatingSystem=Windows XP*))  

With operatingSystem in:

  • Windows Server 2022*
  • Windows Server 2019*
  • Windows Server 2016*
  • Windows Server 2008*
  • Windows 11*
  • Windows 10*
  • Windows 8*
  • Windows 7*
  • Windows Vista*
  • Windows XP*
  • Windows Server 2003*
  • Windows 2000*

Find all Workstations

(sAMAccountType=805306369)  

This is useful to check for shadow credentials on machine accounts:

(&(objectClass=computer)(msDS-KeyCredentialLink=*))  

Find all computers having an Obsolete OS

(&(objectCategory=Computer)(|(operatingSystem=Windows 2000*)(operatingSystem=Windows Vista*)(operatingSystem=W
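As an added example (my own code, not part of the original post or of any tool it mentions), the following Python evaluates the filters above offline against a constructed directory export, so the queries can be re-checked from a JSON dump without touching a DC. It parses the subset of RFC 4515 the filters use (&, |, !, equality with * wildcards, presence, >= and the 1.2.840.113556.1.4.803 bitwise-AND matching rule on userAccountControl). Assumptions: entries are plain dicts with case-insensitive attribute names, objectCategory holds the short class name rather than the schema DN a real DC returns, and every account in DIRECTORY is made up.

```python
"""Offline evaluator for the AD LDAP filters above (added example, not the page's code)."""
import re
from fnmatch import fnmatchcase

# userAccountControl bits used by the filters (real AD constant values)
ACCOUNTDISABLE, NORMAL_ACCOUNT, DONT_REQ_PREAUTH = 0x0002, 0x0200, 0x400000   # 2, 512, 4194304
WORKSTATION_TRUST_ACCOUNT, SERVER_TRUST_ACCOUNT = 0x1000, 0x2000             # 4096, 8192
BIT_AND_RULE = "1.2.840.113556.1.4.803"                                     # LDAP_MATCHING_RULE_BIT_AND
# AD maps a class name given as objectCategory to that class's defaultObjectCategory,
# which is why (objectCategory=user) matches person objects.
CATEGORY_ALIAS = {"user": "person"}
_ITEM = re.compile(r"([\w-]+)(?::([\d.]+):)?(>=|<=|=)(.*)", re.S)

def parse(filt):
    """Parse a filter into ('&'|'|'|'!', [kids]) / ('item', attr, rule, op, value) tuples."""
    return _parse(filt.strip(), 0)[0]

def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _expect(s, i, ")")
    if s[i] == "!":
        kid, i = _parse(s, i + 1)
        return ("!", [kid]), _expect(s, i, ")")
    end = s.index(")", i)
    m = _ITEM.fullmatch(s[i:end])
    if not m:
        raise ValueError(f"cannot parse filter item {s[i:end]!r}")
    attr, rule, op, value = m.groups()
    return ("item", attr.lower(), rule, op, value), end + 1

def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")
    return i + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (lowercase attr -> value or list)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, op, value = node
    if attr == "objectcategory":
        value = CATEGORY_ALIAS.get(value.lower(), value)
    vals = entry.get(attr)
    if vals is None:                # an absent attribute never matches
        return False
    for v in vals if isinstance(vals, list) else [vals]:
        if rule == BIT_AND_RULE:    # every requested bit must be set
            if int(v) & int(value) == int(value):
                return True
        elif op == "=":             # presence (*) or case-insensitive wildcard equality
            if value == "*" or fnmatchcase(str(v).lower(), value.lower()):
                return True
        elif op == ">=" and int(v) >= int(value):
            return True
    return False

def search(filt, entries):
    """Return the sorted cn values of the entries matching the filter."""
    node = parse(filt)
    return sorted(e["cn"] for e in entries if matches(node, e))

def entry(**attrs):
    """Build an entry with lowercased (case-insensitive) attribute names."""
    return {k.lower(): v for k, v in attrs.items()}

# Constructed sample directory (not real data); objectCategory holds the short
# class name instead of the CN=Person,CN=Schema,... DN a real DC returns.
PERSON, COMPUTER = ["top", "person", "user"], ["top", "person", "user", "computer"]
DIRECTORY = [
    entry(cn="krbtgt", objectCategory="person", objectClass=PERSON, adminCount=1,
          servicePrincipalName=["kadmin/changepw"], userAccountControl=NORMAL_ACCOUNT | ACCOUNTDISABLE),
    entry(cn="svc_sql", objectCategory="person", objectClass=PERSON, badPwdCount=1, userAccountControl=NORMAL_ACCOUNT,
          servicePrincipalName=["MSSQLSvc/DC01.LAB.local"], description="service account; pwd rotated quarterly"),
    entry(cn="old_svc", objectCategory="person", objectClass=PERSON, servicePrincipalName=["http/old.LAB.local"],
          userAccountControl=NORMAL_ACCOUNT | ACCOUNTDISABLE),
    entry(cn="j.doe", objectCategory="person", objectClass=PERSON, pwdLastSet=0, badPwdCount=4,
          userAccountControl=NORMAL_ACCOUNT | DONT_REQ_PREAUTH),
    entry(cn="Domain Admins", objectCategory="group", objectClass=["top", "group"], adminCount=1),
    entry(cn="DC01", objectCategory="computer", objectClass=COMPUTER, sAMAccountType=805306369,
          servicePrincipalName=["ldap/DC01.LAB.local"], operatingSystem="Windows Server 2019 Standard",
          userAccountControl=SERVER_TRUST_ACCOUNT, **{"msDS-KeyCredentialLink": ["B:828:<constructed-blob>:CN=DC01"]}),
    entry(cn="WS01", objectCategory="computer", objectClass=COMPUTER, sAMAccountType=805306369,
          servicePrincipalName=["HOST/WS01.LAB.local"], operatingSystem="Windows XP Professional",
          userAccountControl=WORKSTATION_TRUST_ACCOUNT),
]

if __name__ == "__main__":
    kerb = "(&(objectClass=user)(servicePrincipalName=*)(!(cn=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    print("page filter:", search(kerb, DIRECTORY), "| users only:", search("(&(objectCategory=person)" + kerb[2:], DIRECTORY))
```

Running the kerberoastable filter over the sample returns DC01 and WS01 alongside svc_sql: computer objects carry objectClass=user and an SPN, so the filter as written on the page includes every machine account, and old_svc drops out only because of the disabled-bit exclusion. Prepending (objectCategory=person) restricts the result to user accounts, which is what an audit of service-account password strength usually wants.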


WSL, Ansible and correct permissions on local drives

Linux permissions on drive C or D
Create this file in your wsl: /etc/wsl.conf

Content:

[automount]
enabled = true
mountFsTab = false
root = /mnt/
options = "metadata,umask=22,fmask=11"

[network]
generateHosts = true
generateResolvConf = true

After that all /mnt/c/foo will have different folder permissions (not 777 any more) and you will be able to use chmod.
It requires you to have the latest WSL as far as I know.


Wednesday, November 13, 2024

Analogue of ipconfig /registerdns on Linux

# Register this host's A record in AD DNS with a GSS-TSIG signed update,
# authenticating as the machine account, the way ipconfig /registerdns does on Windows.
COMP=$(hostname -s)
DOM=$(hostname -d)
IP=$(hostname -I | cut -f1 -d' ')      # first configured address; hostname -i may return 127.0.1.1
DC=$(dig +short "$DOM" | head -n 1)    # any DC answering for the zone (the original used the literal zone name m48.dzm)

cat > /var/tmp/nsupdate.txt << EOF
server $DC
zone $DOM
update add ${COMP}.${DOM} 86400 A ${IP}
show
send
EOF
cat /var/tmp/nsupdate.txt

# Get a ticket for the machine account (HOSTNAME$) from /etc/krb5.keytab
kdestroy
kinit -k "${COMP^^}\$"
klist

# -g selects GSS-TSIG, -v uses TCP
nsupdate -g -v /var/tmp/nsupdate.txt


Sunday, March 24, 2024

PXE boot with GRUB for EFI and legacy BIOS

# Legacy BIOS: PXE-bootable GRUB core image with the pxe and tftp modules built in
grub-mkimage -d /usr/lib/grub/i386-pc/ -O i386-pc-pxe -o ./booti386 -p '(tftp)/grub' pxe tftp
# UEFI: network-bootable GRUB EFI binary with the efinet and tftp modules built in
grub-mkimage -d /usr/lib/grub/x86_64-efi/ -O x86_64-efi -o ./bootx64.efi -p '(tftp)/grub' efinet tftp
# The prefix (tftp)/grub makes GRUB look for modules in grub/<platform>/ and its
# config in grub/grub.cfg on the TFTP server, so copy both module directories there
cp -r /usr/lib/grub/x86_64-efi ./
cp -r /usr/lib/grub/i386-pc ./
# menu config: grub/grub.cfg


Kickstart for a minimal RED OS installation used as a Proxmox template

lang en_US
keyboard --xlayouts='us'
timezone Europe/Moscow

zerombr
clearpart --all --initlabel
bootloader --location=mbr --append="net.ifnames=0"
autopart --type=plain

network --bootproto=dhcp --device=link --activate --onboot=on

firstboot --disable

#selinux
#selinux --enforcing
selinux --permissive
#selinux --disabled

#firewall
#firewall --enabled --ssh
firewall --disabled

authconfig --enableshadow --passalgo=sha512
#rootpw --plaintext redos --lock
rootpw --lock
#user --name=redos --groups=wheel --password=redos --gecos="defaultuser"
#sshkey --username=appc "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA7YUTXCKAMavLy98/Kep6eDKK2NyVEc/kUklZUbBubg4DfFHDO2KDXtFN7uq8HPcYR7uqFLqkRijhBwJbnPGLpp2mA+iOHLpJvD/tGpDyNt/ImM0hQG3+dzPLtvzc9Ln5mY2RUfOUTFEx7dqGVuwPQXMhZLCEkpIcGicPTpdG0CIu/GdELUtwgrZZ+reNXMG82VnFBVDZObL7H1YsmrgyyWBUMAzwf+EeUFk9Q4k8qsV8utONo3AvscaESxyt5UDvVuV7PrPxp28a03k9ybMMrXjPzuEaM2P0pxGT0VsIoR/fG78MwkSPTveX0QgDU4gBihOAcH2/2WHGBE+1pr9saw== appc@appc-pc"
#sshkey --username=root "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA7YUTXCKAMavLy98/Kep6eDKK2NyVEc/kUklZUbBubg4DfFHDO2KDXtFN7uq8HPcYR7uqFLqkRijhBwJbnPGLpp2mA+iOHLpJvD/tGpDyNt/ImM0hQG3+dzPLtvzc9Ln5mY2RUfOUTFEx7dqGVuwPQXMhZLCEkpIcGicPTpdG0CIu/GdELUtwgrZZ+reNXMG82VnFBVDZObL7H1YsmrgyyWBUMAzwf+EeUFk9Q4k8qsV8utONo3AvscaESxyt5UDvVuV7PrPxp28a03k9ybMMrXjPzuEaM2P0pxGT0VsIoR/fG78MwkSPTveX0QgDU4gBihOAcH2/2WHGBE+1pr9saw== appc@appc-pc"

%packages --multilib --ignoremissing
@Core
cloud-init
qemu-guest-agent
#net if name eth0 net.ifnames=0
-biosdevname
%end

#%post --nochroot --erroronfail --log=/tmp/ks-post.log
%post --erroronfail --log=/tmp/ks-post.log
echo post $(pwd)
#rootdir="/mnt/sysimage"
rootdir=""
echo issue
echo "\4" >> $rootdir/etc/issue
echo "\6" >> $rootdir/etc/issue
echo "" >> $rootdir/etc/issue

echo sudo
#echo "redos ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/redos

cat > $rootdir/etc/cloud/cloud.cfg.d/90-redos.cfg << EOF
datasource_list: [ NoCloud, ConfigDrive, None ]
runcmd:
  - rm -f /etc/machine-id
  - systemd-machine-id-setup
# System and/or distro specific settings
# (not accessible to handlers/transforms)
system_info:
   # This will affect which distro class gets used
   distro: redos
   # Default user name + that default users groups (if added/used)
   default_user:
     name: redos
     lock_passwd: True
     gecos: RedOS Cloud User
     groups: [wheel]
     sudo: ["ALL=(ALL) NOPASSWD:ALL"]
     shell: /bin/bash
   # Other config here will be given to the distro class and/or path classes
   paths:
      cloud_dir: /var/lib/cloud/
      templates_dir: /etc/cloud/templates/
   network:
      renderers: ['netplan', 'networkd', 'etcnet']
   ssh_svcname: sshd

EOF
%end

services --enabled=cloud-init,cloud-config,cloud-final,cloud-init-local
# how to end the installation
#reboot
shutdown


Show the list of IP addresses as a table in PowerShell

Get-NetIPAddress -AddressFamily IPv4 | Format-Table InterfaceIndex,InterfaceAlias,IPAddress


VYOS 1.5 qcow2

Built on a VM running Debian 12

https://codingpackets.com/blog/vyos-qemu-image-build/

https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312191154/vyos-1.5-rolling-202312191154-amd64.iso

sudo ansible-playbook qemu.yml \
   -e disk_size=10 \
   -e cloud_init=true \
   -e cloud_init_ds=NoCloud,ConfigDrive,None \
   -e guest_agent=qemu \
   -e keep_user=false \
   -e enable_ssh=true \
   -e iso_local=/home/appc/vyos-1.5-rolling-202312191154-amd64.iso


Tuesday, January 30, 2024

SSTP + DST NAT NGINX APACHE share tcp 443

Taken from here:
https://forum.mikrotik.com/viewtopic.php?f=9&t=134358#

/interface sstp-server server set certificate=vpn.company.com.crt_0 enabled=yes port=10443

# add the source address of packets arriving on port 443 with TLS SNI vpn.company.com to the sstp-conn list (5 s timeout)
/ip firewall mangle add \
action=add-src-to-address-list \
address-list=sstp-conn \
address-list-timeout=5s \
chain=prerouting \
dst-address-type=local \
dst-port=443 \
protocol=tcp \
tls-host=vpn.company.com

# for packets coming from addresses in the sstp-conn list, rewrite destination port 443 to 10443 (the SSTP server)
/ip firewall nat add \
action=dst-nat \
chain=dstnat \
dst-address-type=local \
dst-port=443 \
protocol=tcp \
src-address-list=sstp-conn \
to-ports=10443

# rule publishing the web server; it must stay below the SSTP rule so that one is matched first
/ip firewall nat add \
action=dst-nat \
chain=dstnat \
dst-address-type=local \
dst-port=80,443 \
protocol=tcp \
to-addresses=192.168.88.2

# for the mangle rule to see every packet, fasttrack has to be adjusted:
# either exclude traffic to port 443 from fasttrack (this rule must be above the fasttrack rule in the list; dst-port requires protocol=tcp)
/ip firewall filter add action=accept chain=forward protocol=tcp dst-port=443 connection-state=established,related
# or fasttrack only connections that have already transferred at least 10 KB, replacing the existing fasttrack rule
/ip firewall filter add action=fasttrack-connection chain=forward connection-bytes=10240-0 connection-state=established,related


Monday, January 15, 2024

Add an SSH public key to a user on MikroTik

# add an SSH public key to a user
:local username "aratner";
:local userpubkey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8z/rBphuDpGKHpcDtWDISCZFWybdH3fSKzVxWouLG0JuEhqZSpJT9Hd+16teA8daRPb1gY+l9+mRnCqTVDKxpnMq7jkjlfNKQPunDHhr3u7JDjeBel2JrgXs/GANMSbxyC5aRNP7XYs4TooRDUFr0XXvdglcYyP+34I0M+p9m94taK1q5FtL+JrpRXXGnhYzQn/GaV0rM9Qj21GFVWPfuqqG8wWwhaYPkeibJNhMcBy+qKRK0fIiklv68fWmIwd0Os9qEAJ4XTuVP8yfKR/Cu1hXPm/4+9JfXaw3Lh9e/J54NkRcyeT3wb0BgOpXMXnexl6HTUK59EcMaLGEaU+4F aratner@croc.ru";
# "$username_sshpubkey" would be read as one (undefined) variable, so build the file name explicitly
:local keyfile ($username . "_sshpubkey");
# create the file; /file print file= writes it as <name>.txt and needs a moment to appear
/file print file=$keyfile;
:delay 2s;
# write the key into the file
/file set ($keyfile . ".txt") contents=$userpubkey;
# import the key for the user
/user ssh-keys import user=$username public-key-file=($keyfile . ".txt");

#mikrotik #ssh


gnome chrome dock

We create a launcher for each profile:
# shell variable names cannot contain hyphens, so use underscores
chrome_profile_name=gmail-chrome
cat > "$HOME/Desktop/$chrome_profile_name.desktop" << EOF
[Desktop Entry]
Version=1.0
Name=$chrome_profile_name
GenericName=$chrome_profile_name
Exec=/usr/bin/google-chrome --user-data-dir=$HOME/$chrome_profile_name --class="$chrome_profile_name"
Icon=$HOME/$chrome_profile_name/icon.png
StartupWMClass=$chrome_profile_name
Comment=Chromium Alternate
Terminal=false
X-MultipleArgs=false
Type=Application
Categories=Network;WebBrowser;
MimeType=text/html;text/xml;application/xhtml_xml;x-scheme-handler/http;x-scheme-handler/https;
StartupNotify=true
Actions=NewWindow;Incognito;TempProfile;
X-AppInstall-Package=chromium-browser
EOF

This is needed so that Chrome instances started with different profiles behave as separate applications in the dock (the --class value must match StartupWMClass).


netboot.xyz podman

storage="/rpool/containers"
newpodname="netbootxyz"
newpodlocalpath="$storage/$newpodname"

mkdir -p $newpodlocalpath/{config,assets}

podman run -d \
  --name=$newpodname-app \
  -p 3000:3000                       `# sets webapp port` \
  -p 69:69/udp                       `# sets tftp port` \
  -p 8069:80                         `# optional` \
  -v $newpodlocalpath/config:/config   `# optional` \
  -v $newpodlocalpath/assets:/assets   `# optional` \
  --restart unless-stopped \
  docker.io/netbootxyz/netbootxyz

cd /etc/systemd/system
podman generate systemd --files --name ${newpodname}-app
systemctl daemon-reload
systemctl enable container-${newpodname}-app
systemctl stop  container-${newpodname}-app
systemctl start  container-${newpodname}-app

#    -e MENU_VERSION=2.0.59             `# optional` \
#  --pod=$newpodname \


nexus podman

storage="/rpool/containers"
newpodname="nexus"
newpodlocalpath="$storage/$newpodname"

podman pod create \
  --name $newpodname \
  -p 8081:8081

mkdir -p "$newpodlocalpath/data"
chown -R 200:200 "$newpodlocalpath/data"
podman run -d \
  --pod $newpodname \
  --name $newpodname-app \
  -v $newpodlocalpath/data:/nexus-data \
  docker.io/sonatype/nexus3

cd /etc/systemd/system
podman generate systemd --files --name ${newpodname}
systemctl daemon-reload
systemctl enable pod-${newpodname}
systemctl stop pod-${newpodname}
systemctl start pod-${newpodname}
