Friday, March 31, 2017

FreeIPA as AD replication

Can FreeIPA replace my Active Directory Server?

No. But with FreeIPA v2, you can replicate users and passwords from an AD server to FreeIPA server.
With FreeIPA v3, you can create a trust with Active Directory and SSO (single sign on) from a Windows machine to Linux machine.
REF: https://www.freeipa.org/page/About#Can_FreeIPA_replace_my_Active_Directory_Server.3F
https://www.digitalocean.com/community/tutorials/how-to-configure-a-freeipa-client-on-centos-7?utm_medium=newsletter&utm_source=newsletter&utm_campaign=03162017

Thursday, March 30, 2017

mount.cifs for mixed OSes

CIFS is really useful in a mixed OS environment. Ex:

mount.cifs //sharehost/share$ -o guest /mnt/share

guest: don't prompt for a password

Wednesday, March 29, 2017

KNOPPIX Cheat Codes: mkimage

For persistent data, which used to be set up with the knoppix mkimage cheat code, the latest KNOPPIX provides 'install to flash' on the GUI desktop so a user can boot from USB with persistent data, step by step.

knoppix mkimage    Create persistent image as needed [→ Tip]

mkimage
If Knoppix isn't started in forensic mode and no persistent image or partition is found, Knoppix DVD version 7.4.1 and upward offers the option to create a persistent image (an ext2-formatted file, not a partition) via this new cheat code.

REF: http://knoppix.net/wiki3/index.php?title=Cheat_Codes

Tuesday, March 28, 2017

honeypot strategy

REF: https://en.wikipedia.org/wiki/Honeypot_(computing)

In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site, but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers, who are then blocked. This is similar to the police baiting a criminal, conducting undercover surveillance, and finally punishing the criminal.

Monday, March 27, 2017

docker in kvm

REF: https://forum.proxmox.com/threads/docker-support-in-proxmox.27474/
tom (Proxmox Staff Member): docker runs perfectly as qemu guest, in the OS of your choice.

Sunday, March 26, 2017

NewsCaster Chinese intro

NewsCaster is an automation solution for live news playout control, made by the US company NewsMaker. The system runs as a 1U rack-mount server. NewsCaster cooperates with TriCaster switchers and other IP-based solutions over an IP network, and is a fairly new, next-generation IP solution for live news playout control.

REF: http://www.newsmakersystems.com/product-connect.php

Saturday, March 25, 2017

Upgrade to macOS Sierra

REF: https://www.apple.com/macos/how-to-upgrade/#hardware-requirements

Mac Hardware Requirements
For details about your Mac model, click the Apple icon at the top left of your screen, choose About This Mac, then choose More Info. These Mac models are compatible with macOS Sierra:

MacBook (Late 2009 or newer)
MacBook Pro (Mid 2010 or newer)
MacBook Air (Late 2010 or newer)
Mac mini (Mid 2010 or newer)
iMac (Late 2009 or newer)
Mac Pro (Mid 2010 or newer)

Friday, March 24, 2017

VMware: Memory Reservation

REF: https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsa.doc%2FGUID-8AE3622F-A657-4D02-9F6C-34A53C5B1C51.html
Procedure
1. In the vSphere Client, right-click a virtual machine from the inventory and select Edit Settings.
2. In the Virtual Machine Properties window, select the Resources tab and select Memory.
3. In the Resource Allocation panel, set appropriate memory reservations.
   To avoid memory overcommitment for VSA 5.0, select the Reserve all guest memory (All locked) check box.
   To enable memory overcommitment for VSA 5.1, deselect the Reserve all guest memory (All locked) check box.
4. Click OK.

Thursday, March 23, 2017

KVM overcommitting memory

REF: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/chap-Virtualization-Tips_and_tricks-Overcommitting_with_KVM.html

Overcommitting is not an ideal solution for all memory issues, as the recommended method to deal with memory shortage is to allocate less memory per guest so that the sum of all guests' memory (+4G for the host O/S) is lower than the host physical machine's physical memory. If the guest virtual machines need more memory, then increase the guest virtual machines' swap space allocation. If, however, you decide to overcommit, do so with caution.

Wednesday, March 22, 2017

Linux KVM certified guests

Dell hardware is certified for Ubuntu 16.04 LTS:
https://certification.ubuntu.com/server/models/?release=16.04%20LTS&vendors=Dell
The pve 4.4 kernel is based on Ubuntu 16.04 LTS:
https://pve.proxmox.com/wiki/Proxmox_VE_Kernel
And KVM virtualization is certified by Red Hat to run RHEL 7 (CentOS 7):
https://access.redhat.com/articles/973133
So from an enterprise-use perspective, this shows that running CentOS 7 KVM guests on pve 4.4 is well validated.

docker issue when nested

Docker may encounter issues when running inside another container technology such as LXC. It's better to use full virtualization such as KVM instead.

REF: http://stackoverflow.com/questions/22085657/can-docker-run-inside-a-linux-container

Check_MK: zpool status

ZFS status can be monitored by the zpool check from Check_MK. Also available for Linux now.

ZFS Storage Pool status
Distribution: official part of Check_MK
License: GPL
Supported Agents: Solaris
Checks the current state of a ZFS storage pool. The information is read by the agent from /usr/sbin/zpool status -x. If the zpool is healthy you're OK. If an inventoried zpool has been destroyed or has an error the check goes CRITICAL. If the extended state information from zpool status indicates any CRC or other errors, the check will go to WARNING.

Discovery
The inventory will create one service per host if there are any pools.
REF: https://mathias-kettner.de/checkmk_check_zpool_status.html

python process xls

python3 can process xls easily with its packages.

# apt-get install python3 python3-pip
# pip3 install openpyxl --upgrade
# pip3 install pandas --upgrade

TV marketing

  • statement
  • framework
  • news, programs, activities

Dell Administration Portal


ASI, Asynchronous serial interface

REF: https://en.wikipedia.org/wiki/Asynchronous_serial_interface

Asynchronous Serial Interface, or ASI, is a physical (connector and electrical) definition for serial data over 75-ohm coaxial cable at rates at or less than 270 megabits per second. Electrically, the signal is typically around 1 volt.[1]
ASI has one purpose only: the transmission of an MPEG Transport Stream (MPEG-TS).[2] [3] ASI is designed for that one purpose: the transport of the MPEG transport stream over coaxial cable, usually as part of its run within a transmission facility before conversion to fiber or wireless carriage.

Apache Struts2 S2-045 exploit

REF: https://kknews.cc/tech/923mlrb.html

Vulnerability ID:

CVE-2017-5638

Vulnerability name:

Struts remote code execution vulnerability based on the Jakarta plugin

Official rating:

High

Vulnerability description:

A malicious user can trigger this vulnerability by modifying the Content-Type value in the HTTP request header while uploading a file, and then execute system commands. An EXP for this vulnerability is already circulating on the network; for the safety of everyone's assets, please check for and patch the vulnerability as soon as possible.
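Added here as a defender's check, not part of the original post: a small scanner that reads access-log lines and flags requests whose Content-Type header carries an OGNL expression opener, which is the S2-045 trigger described above. It assumes a constructed log format whose last quoted field is the request Content-Type (for example an Apache LogFormat ending in "%{Content-Type}i"); the sample lines and the bracketed marker are constructed placeholders, not real traffic or a working payload.

```python
import re

# Constructed sample lines in an assumed log format: the last quoted field is the
# request Content-Type header. The %{...} text is a placeholder marker only.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2017:08:01:12 +0800] "POST /upload.action HTTP/1.1" 200 512 "multipart/form-data; boundary=----constructed"
203.0.113.9 - - [10/Mar/2017:08:01:13 +0800] "POST /upload.action HTTP/1.1" 500 318 "%{(#constructed_marker='s2-045 probe')}"
203.0.113.11 - - [10/Mar/2017:08:01:14 +0800] "GET /index.action HTTP/1.1" 200 2048 "-"
203.0.113.12 - - [10/Mar/2017:08:01:15 +0800] "POST /login.action HTTP/1.1" 200 640 "application/x-www-form-urlencoded"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)"$'
)
# A legitimate Content-Type is a media type plus optional parameters; an OGNL
# expression opener ("%{" or "${") never belongs there.
OGNL_OPENER = re.compile(r"[%$]\{")

def content_type_is_suspicious(value):
    """True when the Content-Type value contains an OGNL expression opener."""
    return bool(OGNL_OPENER.search(value))

def scan_log(text):
    """Return (source IP, timestamp, request line) for every line whose
    Content-Type looks like an S2-045 attempt; unparsable lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and content_type_is_suspicious(m["ctype"]):
            hits.append((m["src"], m["ts"], m["req"]))
    return hits

if __name__ == "__main__":
    for src, ts, req in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} suspicious Content-Type on: {req}")
```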

Taiwan Cyber Security Summit 2017

  • unemployment rate zero
  • cyber training
  • rehearse, simulation
  • exercise replay
  • cobalt strike
  • common sc, netsh and attacks
  • know the enemy, know yourself
  • follow trends, use what you have
  • look forward, remember the past
  • hunt the hunters
  • small drones
  • ARP spoof, fake AP, following, hijacking Amazon
  • robot crime, theft
  • mobile MDM firewall, how about IoT, robots
  • fast response, mitigate disaster
  • cyber kill chain, break it
  • digital DNA, Threat platform
  • sandbox sleep 90min bypass

Monday, March 13, 2017

EPG (Electronic Program Guide)

The latest TV sets are required to have a text-to-speech feature on the EPG.

REF: https://zh.m.wikipedia.org/zh-tw/%E7%94%B5%E5%AD%90%E8%8A%82%E7%9B%AE%E6%8C%87%E5%8D%97

An Electronic Program Guide (EPG), also called a program guide, electronic program listing or electronic program navigator, is a TV program schedule, usually transmitted along with a digital TV or digital broadcast signal. These signals can be received via cable TV, satellite TV, or terrestrial TV.

OTT load balancing

  • DNS for front end balancing via big data estimation.
  • Streaming infra auto-scaling.

import tax procedure

  • Ask the customs service section
  • Obtain the tariff classification number
  • Determine the country of origin of the goods
  • Import duty + 5% business tax

Unable to ssh log in to container

REF: https://kb.plesk.com/en/112597

Sep 26 12:30:53 suse sshd[3190]: pam_loginuid(sshd:session): set_loginuid failed

There are two other ways to work around the issue:
1. Change BIND startup scripts so as not to mount the "/proc" filesystem as "read-only."

2. Disable "pam_loginuid.so" in the authentication rules:
~# sed '/pam_loginuid.so/s/^/#/g' -i  /etc/pam.d/*

TCP Wrappers for service restrictions

REF: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Reference_Guide/s1-tcpwrappers-access.html

The following is a list of the most common accepted patterns for a client list entry:
  • Hostname beginning with a period (.) — Placing a period at the beginning of a hostname, matches all hosts sharing the listed components of the name. The following example applies to any host within the example.com domain:
    ALL : .example.com
  • IP address ending with a period (.) — Placing a period at the end of an IP address matches all hosts sharing the initial numeric groups of an IP address. The following example applies to any host within the 192.168.x.x network:
    ALL : 192.168.
  • IP address/netmask pair — Netmask expressions can also be used as a pattern to control access to a particular group of IP addresses. The following example applies to any host with an address of 192.168.0.0 through 192.168.1.255:
    ALL : 192.168.0.0/255.255.254.0
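Added example, not from the Red Hat guide: a minimal Python evaluator for the three client-list pattern forms listed above (leading-period hostname, trailing-period IP prefix, IP/netmask pair), applying the TCP Wrappers order of hosts.allow first, then hosts.deny, then allow. The sample hosts.allow and hosts.deny contents are constructed; EXCEPT lists and wildcards such as KNOWN/PARANOID are deliberately not handled.

```python
import ipaddress

def client_matches(pattern, host, addr):
    """True if a client (hostname `host`, IPv4 string `addr`) matches one
    client-list pattern: ALL, .domain suffix, trailing-period IP prefix,
    IP/netmask pair, or an exact hostname/address."""
    p = pattern.strip()
    if p == "ALL":
        return True
    if p.startswith("."):                                        # .example.com matches www.example.com
        return host.lower().endswith(p.lower())
    if p.endswith(".") and p[:-1].replace(".", "").isdigit():   # 192.168. matches 192.168.x.x
        return addr.startswith(p)
    if "/" in p:                                                 # 192.168.0.0/255.255.254.0
        net, mask = p.split("/", 1)
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network((net, mask), strict=False)
    return p.lower() == host.lower() or p == addr

def rule_matches(line, daemon, host, addr):
    """Parse one 'daemon_list : client_list [: options]' line; comments and
    option fields are ignored."""
    line = line.split("#", 1)[0].strip()
    if ":" not in line:
        return False
    daemons, rest = line.split(":", 1)
    clients = rest.split(":", 1)[0]
    daemon_ok = any(d in ("ALL", daemon) for d in daemons.replace(",", " ").split())
    client_ok = any(client_matches(c, host, addr) for c in clients.replace(",", " ").split())
    return daemon_ok and client_ok

def access_allowed(hosts_allow, hosts_deny, daemon, host, addr):
    """TCP Wrappers order: hosts.allow first, then hosts.deny; a client that
    matches neither file is allowed, so a final 'ALL : ALL' in hosts.deny is
    what turns this into deny-by-default."""
    if any(rule_matches(l, daemon, host, addr) for l in hosts_allow):
        return True
    if any(rule_matches(l, daemon, host, addr) for l in hosts_deny):
        return False
    return True

# Constructed sample file contents (not from the Red Hat guide)
HOSTS_ALLOW = ["sshd : .example.com", "ALL : 192.168.0.0/255.255.254.0"]
HOSTS_DENY = ["ALL : ALL   # everything not explicitly allowed"]

if __name__ == "__main__":
    print(access_allowed(HOSTS_ALLOW, HOSTS_DENY, "sshd", "www.example.com", "10.0.0.5"))      # True
    print(access_allowed(HOSTS_ALLOW, HOSTS_DENY, "vsftpd", "host.other.net", "192.168.2.1"))  # False
```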

good PM

estimation <=> promise

modeling:
data model, data flow diagram
=> structured analysis
object oriented analysis & design, OOAD
SA system analyst, SD system designer

  • scope
  • enhancement
  • requirement
  • system analysis
  • domain knowledge
  • domain know how
  • model prototype
  • metaphor

Digital Disk Recorder, DDR

REF: http://www.drastic.tv/support-59/legacysoftwarehardware/69-vvwdigitaldiskrecorders/149-what-is-a-ddr

Many companies have claimed to have created a Digital Disk Recorder, or DDR, yet the term remains largely undefined. Drastic Technologies has been working with and creating nonlinear VTR and animation solutions for over ten years. Drastic's background in single frame animation, broadcast VTR control, MIDI systems and automation, audio post editing and traditional video editing systems have culminated in the design and implementation of the Titan Series DDRs. The following description serves as a guide to Drastic's interpretation of what constitutes a DDR. This synopsis is based on Drastic's experience in the markets it has been serving.

Monday, March 6, 2017

NDI: NewTek Connect Pro

REF: https://www.newtek.com/software/ndi-connect/
Transform your workflow, expand your connectivity options, and multiply your sources—with a standard PC—serving up video over IP, with support for common IP standards to include NDI™, ASPEN, and SMPTE 2022.

Sunday, March 5, 2017

Check_MK: network topology

Network topology may be achieved by scanning host parents and using the NagVis add-on.
REF: https://mathias-kettner.de/checkmk_scan_parents.html

Saturday, March 4, 2017

fwbuilder as GUI for rules

fwbuilder is a convenient tool as GUI for building iptables or pf rules. Its templates are also good demos for Firewall training.

Friday, March 3, 2017

NDI: MLT melt consumer

The NDI module should work like the avformat consumer below.

>melt -query consumer=avformat
>melt myfile.mp4 -consumer avformat:output.avi acodec=libmp3lame vcodec=libx264

REF: https://www.mltframework.org/docs/melt/

Windows CAL

Most enterprises use Windows Server as their file server. Permissions can indeed be configured in great detail, but sometimes so finely that even the network administrators get fed up. It is better to first persuade the business units to consider a simpler permission management structure.

Also, using Windows Server requires licenses: every server needs a Server License, and every workstation that connects also needs a Client Access License (CAL), at roughly NT$1,000 per CAL. If many volunteers need to use it, the cost is high; if only administrative staff use it, that is more feasible. CALs really are a cost to consider.

Wednesday, March 1, 2017

iptables OUTPUT drop

Dropping OUTPUT by default is good practice for a 'deny by default' policy. Example below.

*filter
:FORWARD DROP [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT DROP [0:0]
-F OUTPUT
-A OUTPUT -d 127.0.0.1 -p tcp --sport 123 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
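Added check, not part of the original note: a small Python linter that parses an iptables-save ruleset and reports what a deny-by-default OUTPUT chain still lacks. With the policy above, a host also needs an accept rule for loopback output and one for ESTABLISHED,RELATED state, otherwise local services and replies to inbound connections are dropped too; the HARDENED variant that adds those rules is constructed here for comparison, and the ruleset constant is the one from the note.

```python
import re

# Constructed input: the ruleset from the note above, as iptables-save text
RULESET = """\
*filter
:FORWARD DROP [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT DROP [0:0]
-F OUTPUT
-A OUTPUT -d 127.0.0.1 -p tcp --sport 123 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
"""

# Constructed hardened variant: same DROP policy plus loopback and conntrack
# state rules, and the NTP rule rewritten for UDP destination port 123.
HARDENED = RULESET.replace(
    "-F OUTPUT\n",
    "-F OUTPUT\n-A OUTPUT -o lo -j ACCEPT\n"
    "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n",
).replace("-p tcp --sport 123", "-p udp --dport 123")

def parse_filter_table(text):
    """Return (policies, rules) for the *filter table: chain -> policy, and the -A lines."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = (line == "*filter")
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            rules.append(line)
    return policies, rules

def output_chain_findings(text):
    """Return a list of findings for a deny-by-default OUTPUT chain; empty means OK."""
    policies, rules = parse_filter_table(text)
    out = [r for r in rules if r.startswith("-A OUTPUT ")]
    findings = []
    if policies.get("OUTPUT") != "DROP":
        findings.append("OUTPUT policy is not DROP")
    if not any("-o lo" in r and "-j ACCEPT" in r for r in out):
        findings.append("no rule accepting loopback output (-o lo)")
    if not any(re.search(r"--(ctstate|state) \S*ESTABLISHED", r) and "-j ACCEPT" in r for r in out):
        findings.append("no ESTABLISHED,RELATED accept rule; replies to inbound connections are dropped")
    for r in out:
        if re.search(r"-p tcp .*--sport 123", r):
            findings.append("rule matches TCP source port 123 only; NTP uses UDP port 123")
    return findings
```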

NDI: LAN setup

According to the official 'Getting started with NDI', this protocol uses its own codec and consumes 50-100 Mbps of bandwidth. Therefore a 1 Gbps link may carry only about 4 channels in reality, since its usable throughput may be bounded to 400-600 Mbps.