Now I want that ns2 will be automatically updated with the new zones from ns1 but, unfortunately, I wasn’t able to find anything ready on internet.

At the end I wrote a simple script that simply connect [...]]]> My situation, ns1 and ns2, master and slave. On ns1 I’ve installed smbind to simply manage my zones.

Now I want that ns2 will be automatically updated with the new zones from ns1 but, unfortunately, I wasn’t able to find anything ready on internet.

At the end I wrote a simple script that simply connect to the first machine via ssh, take the bind file with zones, and, if anything changed, adapt it for the slave server, copy in the bind directory and reload bind.

Obviously it needs to be adapted to your needs, I run it every hour.

#!/bin/bash

VERSION=”0.1″

# bind_auto_slave
# Author:  info@farlock.org
#
# Description: copy bind file from master server, edit it and reload bind on slave
#
# ChangeLog: 0.1 – 28/04/17 – First Release

MASTER_SERVER=”ns1.xxx.com”
MASTER_SERVER_PORT=”22″
MASTER_SERVER_USER=”root”
MASTER_FILE=”/etc/smbind/smbind.conf”

SLAVE_FILE=”/etc/bind/ns1.conf”
SED_ARGUMENT=”s/master;/slave;\n\t\t\tmasters { servers_name; };/” # Argument that must be passed to sed

#SED_ARGUMENT=”s/master;/slave;/”

# First of all download file from master
TMP_FILE=$(mktemp)
chmod g+r,o+r $TMP_FILE
scp -q -P $MASTER_SERVER_PORT $MASTER_SERVER:$MASTER_FILE $TMP_FILE
if [ $? -ne 0 ] ; then
echo “Error downloading file from $MASTER_SERVER”
exit 11
fi

# Execute sed on it
#echo sed $SED_ARGUMENT $TMP_FILE
sed -i “$SED_ARGUMENT” $TMP_FILE
if [ $? -ne 0 ] ; then
echo “Error executing sed on file $TMP_FILE”
exit 12
fi

# Check differences
diff -q $TMP_FILE $SLAVE_FILE > /dev/null
if [ $? -ne 0 ] ; then # files differ
mv $TMP_FILE $SLAVE_FILE
service bind9 reload
if [ $? -ne 0 ] ; then
echo “Error reloading bind9 on slave server”
exit 13
fi
else
rm $TMP_FILE
fi

exit 0

È possibile rinnovare il certificato della Certification Authority e del server in scadenza e far si che i client continuino a collegarsi. Nel caso di alcuni software (vedi openvpn), il client dispone anche di copia del certificato [...]]]> Esempio classico: il certificato di openvpn dopo 10 anni scade, il certificato originale era stato creato con easy-rsa

È possibile rinnovare il certificato della Certification Authority e del server in scadenza e far si che i client continuino a collegarsi.
Nel caso di alcuni software (vedi openvpn), il client dispone anche di copia del certificato server, purtroppo in questo caso andrà comunque inviata la nuova accoppiata (CA + server) al client.
Potremmo comunque installare sul server i nuovi certificati prima della scadenza e rinnovare man mano tutti i clienti senza che nessuno di essi smetta di funzionare.
Passaggi, in questo caso il vecchio certificato era stato prodotto con easy-rsa:

cd /etc/openvpn/extern-rsa

# carichiamo le variabili di easy-rsa (attenzione ai punti):

. ./vars

# Se non abbiamo la csr originale possiamo ricrearla partendo dal certificato e dalla chiave:

openssl x509 -x509toreq -in keys/ca.crt -signkey keys/ca.key -out keys/ca_2016.csr

# Ricreiamo un nuovo certificato CA con una nuova data di scadenza, estensioni per la CA e seriale 00 (attenzione: se il certificato CA non ha questo seriale openssl lo rifiuta, mentre i sistemi microsoft lo accettano )

openssl ca -config /etc/openvpn/extern-rsa/openssl.cnf -out keys/ca_2016.crt -set_serial 0000 -extensions v3_ca -days 7200 -keyfile keys/ca.key -selfsign -infiles keys/ca_2016.csr

# Ricrieamo ora il certificato per il server, presupponendo che abbiamo ancora il csr, altrimenti possiamo ricrearli con il passaggio sopra.

openssl ca -config /etc/openvpn/extern-rsa/openssl.cnf -out keys/extern_2016.crt -extensions server -days 7200 -infiles keys/extern.csr

Per verificare che tutto sia ok possiamo controllare un certificato già generato e ancora valido con la vecchia CA:

openssl verify -CAfile keys/ca.crt -verbose keys/test.crt

e in seguito con la nuova:

openssl verify -CAfile keys/ca_2016.crt -verbose keys/test.crt

In entrambi i casi il risultato sarà OK.

Possiamo anche controllare il nuovo certificato server con la vecchia CA e viceversa:

openssl verify -CAfile keys/ca.crt -verbose keys/extern_2016.crt
openssl verify -CAfile keys/ca_2016.crt -verbose keys/extern.crt

Il risultato sarà sempre OK, se cosi non fosse c’è stato qualche problema nei passaggi precedenti (attenzione al serial ad esempio)

Linux Machine:

Mikrotik RouterBoard:

CATOP=./personalCA

CAKEY=./cakey.pem

CAREQ=./careq.pem

CACERT=./cacert.pem

cd /etc/ssl

mkdir $CATOP

mkdir $CATOP/certs

mkdir $CATOP/crl

mkdir $CATOP/newcerts

mkdir $CATOP/private

echo “00” > $CATOP/serial

echo “00” > $CATOP/crlnumber

touch $CATOP/index.txt

export OPENSSL_CONF=/etc/ssl/essetigiCA.cnf

copy /etc/ssl/openssl.cnf to personalCA.cnf and edit OrganizationName, Country, State, ecc fields.

Then execute:

openssl req -new -keyout $CATOP/private/$CAKEY -out $CATOP/$CAREQ

write a complex passhprase [...]]]> Launch this commands:

CATOP=./personalCA

CAKEY=./cakey.pem

CAREQ=./careq.pem

CACERT=./cacert.pem

cd /etc/ssl

mkdir $CATOP

mkdir $CATOP/certs

mkdir $CATOP/crl

mkdir $CATOP/newcerts

mkdir $CATOP/private

echo “00” > $CATOP/serial

echo “00” > $CATOP/crlnumber

touch $CATOP/index.txt

export OPENSSL_CONF=/etc/ssl/essetigiCA.cnf

copy /etc/ssl/openssl.cnf to personalCA.cnf and edit OrganizationName, Country, State, ecc fields.

Then execute:

openssl req -new -keyout $CATOP/private/$CAKEY -out $CATOP/$CAREQ

write a complex passhprase and remember it! Without it the CA is completely useless. It asks also for information about the CA.

Now we create our CA, it asks for the passphrase:

openssl ca -out $CATOP/$CACERT $CADAYS -extensions v3_ca -days 36500 -keyfile $CATOP/private/$CAKEY -selfsign -infiles $CATOP/$CAREQ

Server certificate:

openssl req -new -nodes -keyout $CATOP/private/server_key.pem -out $CATOP/certs/server_req.pem

openssl ca -out $CATOP/certs/server_cert.pem -days 13000 -extensions server_cert -infiles $CATOP/certs/server_req.pem

client certificate:

openssl req -new -nodes -keyout $CATOP/private/client01_key.pem -out $CATOP/certs/client01_req.pem

openssl ca -out $CATOP/certs/client01_cert.pem -days 10000  -infiles $CATOP/certs/client01_req.pem

That’s all.

Download clonezilla-live-1.2.8-42-i686.zip and clonezilla-live-1.2.8-42-amd64.zip on a local directory and unzip them. Obviously you can use only one of them.

# wget http://www.kernel.org/pub/linux/utils/boot/syslinux/syslinux-4.04.tar.bz2

# tar xjvf syslinux-4.04.tar.bz2 # cp syslinux-4.04/core/pxelinux.0 /srv/tftp/ # cp syslinux-4.04/com32/menu/vesamenu.c32 /srv/tftp # mkdir /srv/tftp/clonezilla-amd64 # cp [...]]]> We assume that our server has ip 192.168.171.11, and root directory of tftp server is /srv/tftp

Download clonezilla-live-1.2.8-42-i686.zip and clonezilla-live-1.2.8-42-amd64.zip on a local directory and unzip them. Obviously you can use only one of them.

# wget http://www.kernel.org/pub/linux/utils/boot/syslinux/syslinux-4.04.tar.bz2

# tar xjvf syslinux-4.04.tar.bz2
# cp syslinux-4.04/core/pxelinux.0 /srv/tftp/
# cp syslinux-4.04/com32/menu/vesamenu.c32 /srv/tftp
# mkdir /srv/tftp/clonezilla-amd64
# cp clonezilla-live-1.2.8-42-amd64/live/* /srv/tftp/clonezilla-amd64/
# mkdir /srv/tftp/clonezilla-i686
# cp clonezilla-live-1.2.8-42-i686/live/* /srv/tftp/clonezilla-i686/
# mkdir /srv/tftp/pxelinux.cfg

edit, or add at the end of /etc/dhcp/dhcpd.conf

authoritative;

subnet 192.168.171.0 netmask 255.255.255.0 {

range 192.168.171.101 192.168.171.190;

option domain-name “spsarone.local”;

option domain-name-servers 192.168.171.11;

option broadcast-address 192.168.171.255;

option routers 192.168.171.1;

next-server 192.168.171.11;

#    get-lease-hostnames true;

option subnet-mask 255.255.255.0;

filename “/pxelinux.0”;

}

copy attached file default.txt to /srv/tftp/pxelinux.cfg/default

default

All the operations described here are executed on a standard i686 linux pc (debian).

Download openwrt 8.09.2 and default config file:

cd /usr/src/nslu2/test svn checkout svn://svn.openwrt.org/openwrt/branches/8.09 8.09.2 wget http://downloads.openwrt.org/kamikaze/8.09.2/ixp4xx/ixp4xx.config

go into [...]]]> Now I want to use an easycap DC60 device also on my NSLU2 with openwrt, so similar for sheevaplug i’ve to compile the module.

All the operations described here are executed on a standard i686 linux pc (debian).

Download openwrt 8.09.2 and default config file:

cd /usr/src/nslu2/test
svn checkout svn://svn.openwrt.org/openwrt/branches/8.09 8.09.2
wget http://downloads.openwrt.org/kamikaze/8.09.2/ixp4xx/ixp4xx.config

go into 8.09.2 directory and

make menuconfig

now choose “Load an alternate config file and select ixp4xx.config” just downloaded, then

make V=99

When all done we have all things necessary.

In this example we try to compile easycap driver, but you can adapt it to any external modules:

cd /usr/src
wget “http://downloads.sourceforge.net/project/easycapdc60/easycap_dc60.0.7.1.tar.gz?use_mirror=netcologne”
cd easycap_dc60.0.7.1
make clean

Edit src/MakeFile (vi src/Makefile) and replace KERNELDIR line with this:

KERNELDIR ?= /usr/src/nslu2/test/8.09.2/build_dir/toolchain-armeb_gcc4.1.2/linux-2.6.26.8/

we need to make a symbolic link to resolve an issue:

ln -s /usr/src/nslu2/test/8.09.2/build_dir/toolchain-armeb_gcc4.1.2/linux-2.6.26.8/include/config/video/usbvideo.h /usr/src/nslu2/test/8.09.2/build_dir/linux-ixp4xx_generic/linux-2.6.26.8/include/config/video

and now compile it:

make clean
make ARCH=arm CROSS_COMPILE=/usr/src/nslu2/test/8.09.2/build_dir/armeb/OpenWrt-SDK-ixp4xx-for-Linux-i686/staging_dir/toolchain-armeb_gcc4.1.2/bin/armeb-linux-uclibc-

All done!

Login to your nslu and copy the new kernel mod in /lib/modules/`uname -r`/kernel/drivers/media/video

scp 192.168.1.220:/usr/src/easycap_dc60.0.7.1/src/easycap.ko /lib/modules/`uname -r`/kernel/drivers/media/video
depmod -a

try to insmod it and enjoy

With new version of easycap 0.8.3 there is some difference, when you have unzipped easycap source edit install.sh and just before the line:

make 1>>${WORKDIR}/make.out 2>>${WORKDIR}/make.err

insert an exit 0, so the script will terminate there. Now we can launch the script with KERNELDIR as parameter:

./install.sh /usr/src/nslu2/test/8.09.2/build_dir/toolchain-armeb_gcc4.1.2/linux-2.6.26.8/

now some needed steps:

cd /usr/src/nslu2/test/8.09.2/build_dir/toolchain-armeb_gcc4.1.2/linux-2.6.26.8

check in .config that MODVERSIONS is disabled and BIG_ENDIAN is enabled!

# make ARCH=arm CROSS_COMPILE=/usr/src/nslu2/test/8.09.2/build_dir/armeb/OpenWrt-SDK-ixp4xx-for-Linux-i686/staging_dir/toolchain-armeb_gcc4.1.2/bin/armeb-linux-uclibc- prepare
# make ARCH=arm CROSS_COMPILE=/usr/src/nslu2/test/8.09.2/build_dir/armeb/OpenWrt-SDK-ixp4xx-for-Linux-i686/staging_dir/toolchain-armeb_gcc4.1.2/bin/armeb-linux-uclibc- scripts/mod/

and then make it:

cd /usr/src/easycap_dc60.0.8.3
make ARCH=arm CROSS_COMPILE=/usr/src/nslu2/test/8.09.2/build_dir/armeb/OpenWrt-SDK-ixp4xx-for-Linux-i686/staging_dir/toolchain-armeb_gcc4.1.2/bin/armeb-linux-uclibc-

now in src/easycap.ko we have the module for our NSLU2!

Attached here you can find the already compiled module for openwrt kamikaze 8.09.2

easycap.ko

Il tutto è reso possibile dal software prodotto da NetDirect, Barry. Scarichiamolo a questo indirizzo http://www.netdirect.ca/software/packages/barry.

Grazie a barry (in particolare l’eseguibile è pppob) ci viene fornita una [...]]]> In questa breve guida andrò ad illustrare come usare il nostro BlackBerry Storm 9700 quale modem HSDPA/UMTS/GPRS. Ovviamente il metodo illustrato funziona con (teoricamente) qualsiasi terminale BlackBerry.

Il tutto è reso possibile dal software prodotto da NetDirect, Barry. Scarichiamolo a questo indirizzo http://www.netdirect.ca/software/packages/barry.

Grazie a barry (in particolare l’eseguibile è pppob) ci viene fornita una seriale virtuale sulla quale possiamo poi eseguire il demone ppp.

Nei repository Debian è disponibile una versione pacchettizzata, vi consiglio comunque di scaricare l’ultima da sourceforge.net (sono presenti già le versioni binarie pacchettizzate).

Installiamo le dipendenze necessarie e i due pacchetti scaricati:

apt-get update

apt-get install libboost-serialization1.34.1 libfuse2 libstdc++6 libusb-0.1-4 libgcc1zlib1g

dpkg -i libbarry0_0.16-0_i386.deb barry-util_0.16-0_i386.deb

Fatto questo ci troveremo in /etc/chatscripts e in /etc/ppp/peers alcuni file barry-* di esempio. Io personalmente ho preso quello di att-cingular (connessione tramite APN standard) e li ho modificati come segue (il mio provider è Tre).

/etc/ppp/peers/Berry

connect “/usr/sbin/chat -v -f /etc/chatscripts/Berry”

# Authentication options – no need for ISP to authenticate to us, but
#                          we may need a login here: user/password/name
noauth
user tre
password tre
name Berry

# Handle the default route and DNS
#nodefaultroute
defaultroute
usepeerdns
replacedefaultroute

# Disable unsupported options
noipdefault
#nodetach
nodeflate
nobsdcomp
noaccomp
#default-asyncmap
nocrtscts
nopcomp
nomagic

# This is disabled by default for a Barry config, but this
# has caused connection issues in the past.  If you are unable
# to get an ip with your provider, try commenting this out.
# See:
# http://www.mail-archive.com/barry-devel@lists.sourceforge.net/msg01871.html
#novj

passive

#nomultilink
ipcp-restart 7
ipcp-accept-local
ipcp-accept-remote
lcp-echo-interval 0
lcp-echo-failure 999

# Limit size of packets
mtu 1492

# Verbosity
debug
#debug debug debug

# Call pppob for the USB link
pty “/usr/sbin/pppob”

/etc/chatscripts/Berry

SAY ‘Setting abort string\n’
ABORT ERROR

SAY ‘Initializing modem\n’
#OK AT
” ATZ

SAY ‘Carrier Information\n’
OK AT+CGDCONT=1,”IP”,”tre.it”
OK ATI
OK ATDT*99#

SAY ‘Connecting\n’
CONNECT

Attenzione, nel file peers/Berry ho commentato l’opzione “novj“, altrimenti non mi veniva assegnato l’indirizzo IP dal provider, fate alcune prove con e senza l’opzione!

Se il vs provider è diverso basta modificare l’apn nel file chatscripts/Berry, sostiuite “tre.it” con l’apn corretto (ibox.tim.it per TIM, web.omnitel.it per Vodafone, internet.wind per Wind Privati, internet.wind.biz per Wind Aziende).

Una volta salvati i nuovi file lanciate da riga di comando:

pppd call Berry

In /var/log/syslog potrete seguire l’output del demone fino alla corretta assegnazione dell’indirizzo.

In caso di problemi lanciate il demone ppp con le seguenti opzioni:

pppd nodetach debug call Berry

In questo modo l’output vi viene presentato direttamente sullo standard output.

ATTENZIONE: con il mio Bold l’eseguibile pppob a volte rimane in esecuzione anche al termine della connessione, così facendo al tentativo successivo non sarà più possibile connettersi. Lanciamo semplicemente questo comando

killall -9 pppob

prima di ogni connessione, ogni processo appeso verrà terminato e riusciremo a connetterci.