meresgr Lab

In the following post I will describe how to configure your existing OpenVPN server to support OTP MFA along with LDAP authentication. I already had a working OpenVPN + Radius authentication with Active Directory on a Debian Server, but in order to add OTP as MFA, I had to switch to LDAP authentication. Packages installed: sudo apt install libpam-ldapd oathtool libpam-oath qrencode pamtester After installing libpam-ldapd , you are asked to Configure nslcd and nssswitch . You may enter some default config and edit this later. The most importand config file is /etc/nslcd.conf , and after each edit remember to restart nslcd service!   sudo service nslcd restart /etc/nslcd.conf uri ldap://ldap.local # The search base that will be used for all queries. base dc=domain,dc=com binddn cn=user,ou=hosted,dc=domain,dc=com bindpw pass tls_reqcert never tls_cacertfile /etc/ssl/certs/ca-certificates.crt # Mappings for Active Directory pagesize 1000 referrals off idle_timelimit 800 filter passwd ...

In this post I am going to explain how I used SNMP traps on a Linux Debian system in order to get some telegram notifications. I used them in order to be informed in case our company UPS systems runs on battery. First of all, you have to setup and test a Telegram Notification script. I used the one here: https://github.com/samsulmaarif/telegram-notify , it is very easy to install and use. The binary is installed in: /usr/local/bin/telegram-notify We assume that you already have a telegram bot running. The two things you 've got to find are your bot api-key and chat id or Channel id. In case you are not yet using a telegram bot, there are plenty of guides showing how to setup one and how to get your user-id. In order to get SNMP traps from your UPS Network management card, you should first enable them in the "Notifications". Just enter your Linux hostname as a trap receiver. First install snmpd and snmptrapd sudo apt install snmpd snmptrapd Edit your config files: The o...

Cisco recommends dual DNS: public (external) and local (internal) DNS in order that Mobile and Remote Access can work more efficiently. Pinpoint entries (a zone created for a single host only) as suggested by Cisco could be a solution, but our DNS server is authoritative for the parent domain, so this wouldn't work. With the follwing setup and by using RPZ, jabber requests coming from the internet, are forwarded to Expressway-Edge and requests coming from the internal network are forwarded to Expressway-Core. Public (External) Records needed : _collab-edge._tls.example.com      SRV 10 10 8443 expe1.example.com. Local (Internal) Records needed: _cisco-uds._tcp.example.com        SRV    10 10 8443 cucm1.example.com _cuplogin._tcp.example.com         SRV    10 10 8443 cup1.example.com Cisco states that a client first searches for internal DNS records: For example, Adam McKenzie's s...

You can still use Adobe Flash as of January 2021 by "whitelisting" certain sites. I mostly use it to manage some old Enterprise Appliances. All you have to do is edit your mms.cfg file, located in:   C:\Windows\System32\Macromed\Flash   or C:\Windows\SysWOW64\Macromed\Flash So, the file should look be edited as following: EOLUninstallDisable=1 AutoUpdateDisable=1 EnableAllowList=1 AllowListRootMovieOnly=1 AllowListURLPattern=*://mydomain.example.com According to the Adobe Flash Admin guide, AllowListUrlPattern syntax is the follwing: AllowListUrlPattern = <scheme> ://<host>:<port>/<path> <scheme> = ‘*’ | ‘http’ | ‘https’ <host> = <any char except ‘.’ and ‘*’> <port> (optional) = <any valid port number> <path> = ‘/’ <any chars>   With EnableAllowList=1 set, administrators can then specify a discrete URL or pattern to allow

Before shutting down your system, copy the output of your current fstab in order to mount your partitions: # cat /etc/fstab Boot from a live cd (I used an ubuntu 14.04) You 've got to mount somewhere the original filesystem in order to copy it, preferably as read-only: Assuming our old disk is /dev/sda with 3 partitions (all of them LVM): # mkdir /mnt/olddisk /mnt/olddisk/oldboot /mnt/olddisk/oldroot /mnt/olddisk/oldvar # mount -o ro /dev/mapper/vg1-lv_XXX /mnt/olddisk/oldboot # mount -o ro /dev/mapper/vg1-lv_XXY /mnt/olddisk/oldroot # mount -o ro /dev/mapper/vg1-lv_XXZ /mnt/olddisk/oldvar Your old fstab should look like this # cat /mnt/olddisk/oldroot/etc/fstab / dev / mapper / vg1-lv_XXX / ext3 defaults 1 1 / dev / mapper / vg1-lv_XXY / boot ext3 defaults 1 2 / dev / mapper / vg1-lv_XXZ / var ext3 defaults 1 2 tmpfs / dev / shm ...

In my previous post I explained how to run a custom script triggered by an IFTTT reipe. In this post I will explain how to get a SIP call when an IFTTT action is triggered. I assume you have created the recipe, linked Dropbox and configured incrontab as explained here . Requirements: -A cli SIP client, pjsua (from the pjsip library) is perfect for this job -expect package (in order to "talk" to pjsua with spawn) -festival package (this includes text2wave for text-to-speech) I didn't find pjsip as a package for Debian, so I had to download it from  http://www.pjsip.org and compile it manually, it's straightforward (configure-make dep-make). pjsua is located inside the /pjsip-apps folder so you may either copy it somewhere convenient or create a soflink in order to run it. Create your pjsip conf file (this may depend on your SIP provider) and paste: --null-audio --registrar sip:your.sip.provider.com --realm=* --id sip:sipuser@your.sip.provider.com --us...