Iptables Conntrack

I am subscribed to Cloudflare blog as they are in general really good. And definitely, you always learn something new (and want to cry because you have so much to learn from these guys).

This time was a dissection of conntrack in iptables to improve their firewall performance.

https://blog.cloudflare.com/conntrack-tales-one-thousand-and-one-flows

I never thought about the limits of the conntrack table and how important is to have in mind (or make a tattoo of) the iptables diagram.

Ensaladilla Rusa (Russian Salad)

This blog is mainly for “Today I learned…” (TIL). And that can be anything…. so don’t get surprised. It could be worse ™

“Ensaladilla Rusa” (Russian Salad) is a typical Spanish dish. I remember we had it nearly every week in summer time. With the hot weather, having something fresh, it was a bless. Like “gazpacho” 🙂

But I have never tried it on my own until last weekend. I love cooking (I dont consider myself a good cook though), it is relaxing and I regard it as a very important part of my upbringing and culture. I want to keep it and enjoy it! It has to be simple, humble, tasty, etc. Dont like fancy or over the top things.

So back to the track… You can find many recipes in google/youtube, it is like “Tortilla Española”, each home has its own. This is the one I tried and I liked the result:

Ingredients for the salad

  • 1kg potatoes
  • 500g of frozen vegetables mix (peas, carrots, corn, beans)
  • 1 can of tuna (or 2)
  • 4 boiled eggs (salt and vinegar in the water so the shell doesn’t break)

Ingredient for the mayonesse

  • 1 egg
  • salt
  • juice of 1/2 lemon (you will have to taste and maybe you dont need to use all of it)
  • 500ml oil (I mixed 250ml sunflower oil + 250ml virgin olive oil)

Process:

  • Boil the potatoes with enough water and salt (skin included). Be sure the potatoes are similar size so the go tender around the same time. Cut them if needed. They are ready when you can cross a knife through the potato without effort. This is not mash potatoes though 🙂 Let them cool down
  • I put the frozen salad in boiling water for 1-2 minutes so they became eatable again.
  • Boil the eggs with enough water (salt and vinegar). Around 10 minutes. Let cool down a bit under a bit of cold water. Then remove the shell (it shouldn’t be too difficult) and cut them in small cubes.
  • Peel the potatoes with your hand and cut them in little cubes (like the eggs)
  • In a glass try, mix the potatoes, vegetables, eggs and tuna. Let them cool in the fridge.
  • Once you get your mayonnaise, add it to the mix. Cool a bit in the fridge and ready to eat!

Mayonnaise Process:

  • Put in your hand mixer glass, the egg, salt, some lemon juice and a bit of oil to cover the mixer head.
  • Start mixing and it will become white. Then start adding the rest of oil bit a bit.
  • The mix shouldn’t be liquid neither solid. Something like heavier egg whites.
  • Taste it, very important. Add more salt? More lemon? Mine had a strong lemony flavour but remember you will add it to the salad.
  • Ready to use with the salad.

Shito Ryu – Remembering

Somehow today while working out at home, paid attention to my old black belt and crossed my mind that I could try to remember some of my old Karate. It has been a long time since I donned my kimono and I am supper rusty but I did it. It was really special, so many old memories. I remembered how to wear it and how to put the belt! So many years grinning have paid off 🙂

I was pretty sure I could find videos of my Karate style Shito Rye in Youtube and quickly found a good one:

https://youtu.be/_BUqaOb8Gbo

Funny enough I could remember most of the moves. So my goal it is to practice a bit every day.

Update:

I have been practising all lock-down weeks so I am quite happy. Adding new katas:

Shito-Ryu Kata – Matsukaze

SSH Keys

I already use RSA ssh keys to access my VPS but a friend of mine send me a link about ED25519 public-key algorithm. But why ssh-keys? Mainly to avoid to type your password every single time.

https://medium.com/risan/upgrade-your-ssh-key-to-ed25519-c6e8d60d3c54

I will not explain the maths behind because I can’t (but I would love to understand) so wikipedia can do a better work (and in the main time, think of donating a few bucks 🙂

https://en.wikipedia.org/wiki/EdDSA

If you still want to generate RSA keys (you can have both), this is my go-to link:

https://www.cyberciti.biz/faq/how-to-set-up-ssh-keys-on-linux-unix/

Summary, just in case the links disappear:

# create your key RSA or Ed25519

$ ssh-keygen -t rsa -f ~/.ssh/id_rsa4096 -b 4096 -C "user@origin"

or

$ ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "user@origin"

# Add your priv key into your ssh-agent so it is used when connecting to the destination

$ ssh-add ~/.ssh/id_xxx

# Copy your PUBLIC!!! key to the remote server you want to login with that key (and so you dont need to type a password)

$ ssh-copy-id -i .ssh/id_xxx.pub user@remove_server

# Test your new ssh-key

$ ssh -i ~/.ssh/id_xxx user@remove_server

Linux Network Namespaces

At work, we use a vendor whose Network Operating System (NOS) is based in Linux. I am a network engineer so I was troubleshooting an issue inside a VRF. I couldn’t use much of the normal commands in the default VRF. So I opened a ticket with the vendor and learned a bit how the VRFs are implemented under the hoods. Obviously (not for me) they use Linux Namespaces, after googling the meaning of the commands they sent. My search brought me to the following links:

This is a good intro:

https://blog.scottlowe.org/2013/09/04/introducing-linux-network-namespaces/

From this link, I took some examples in my quick search

https://kashyapc.fedorapeople.org/virt/openstack/neutron/neutron-diagnostics.txt

At the end I used commands like these:

$ sudo ip netns list
$ sudo ip netns exec ns-INET ip link list
$ sudo ip netns exec ns-VRF1 arp -a
$ sudo ip netns exec ns-VRF1 route -n
$ sudo ip netns exec ns-VRF1 telnet -b src_ip dst_ip port
$ sudo ip netns exec ns-VRF1 tcpdump -i lo4 -nn  tcp 179
$ sudo ip netns exec ns-VRF1 ss --tcp --info
$ sudo ip netns exec ns-VRF1 ss --tcp --info -nt src IP

As well, “ss” is such a useful command for troubleshooting and I always feel that I dont make the most of it:

How I created this blog

Still in progress:

1- Get a VPS:

There are so many options, AWS, GCP, OVH, etc. I used OVH as it was pretty cheap initially and chose the most basic VPS. I use Debian as OS.

https://www.ovh.co.uk/vps/

2- Get a domain

There are many place to buy domains, you dont need anything fancy and spend big. Just google. I used OVH too

https://www.ovh.co.uk/domains/

3- Install LAMP

I used several links.

https://linuxconfig.org/how-to-install-a-lamp-server-on-debian-9-stretch-linux

The above should give you a working database (MariaDB/MySQL), PHP(7.0) and a web server (Apache2).

I found an issue trying to get apache and php to work.:

https://stackoverflow.com/questions/47024111/apache-installing-and-running-php-files

https://askubuntu.com/questions/451708/php-script-not-executing-on-apache-server

At the end I had to remove a module, add php7.0 module and restart. Afterwards I could thest apache was executing php. Once that was configured I removed the php file as recommended.

sudo a2dismod mpm_event
sudo a2enmod php7.0
sudo systemctl restart apache2

If apache+php dont work properly, the next steps will fail.

4- Install PHPmyAdmin

I used these links:

https://www.hostingadvice.com/how-to/install-phpmyadmin-on-ubuntu/

https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-phpmyadmin-on-debian-9

4- Get SSL cert:

You can get this for free: https://letsencrypt.org/

It is so easy to get your certs generated, installed and renewed, that I can’t believe it:

https://certbot.eff.org/lets-encrypt/debianstretch-apache

5- Install WordPress

https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-lamp-on-debian-9

Still needed some tweaking as I am pretty clueless with Apache to make work WordPress:

https://www.rosehosting.com/blog/how-to-set-up-apache-virtual-hosts-on-debian-9/

6- Security

Keep in mind that you will create several user/pass.

  • mysql root user/pass
  • phpmyadmin user/pass
  • wordpressuser for mysql
  • wordpressuser for UI

Be conscious with the security, you don’t want your server/apps to be hacked and used for doggy activity.

Will ask for help to some friends and will another post how to secure this environment.