Fix the PHP Fatal: [ionCube Loader] issue on DirectAdmin


When updating or recompiling PHP with Custombuild on a DirectAdmin server I sometimes see that Apache seems to start, but immediately crashes due to errors regarding ionCube. You don't see the error when restarting Apache, for example, but checking the logs or listing the installed PHP modules results in the following error:

[root@server]# php -m
PHP Fatal error: [ionCube Loader] The Loader must appear as the first entry in the php.ini file in Unknown on line 0

I mostly see this behaviour on servers running CentOS, and the first thing I did was locate all php.ini files and remove all ionCube references from them. Unfortunately that didn't help and the error persisted. After some searching I found out that the issue is caused by the internal "php.ini" that DirectAdmin itself uses. That file is called "directadmin.ini" and is located in:

I removed the ionCube loader reference from that config, and Apache started and kept working again.
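To make the hunt for stray references less manual, here is an added helper (not part of the original post) that reports every ionCube reference in the php.ini-style files you point it at and tells you whether the loader is the first active extension directive in each file, which is exactly the ordering the fatal error complains about. The file paths in the example run are placeholders.

```bash
#!/bin/bash
# Added example, not from the original post: report ionCube references in
# php.ini-style files and whether the loader is the first extension directive.
# The paths passed in are assumptions; directadmin.ini lives wherever your
# DirectAdmin installation keeps it.

# ioncube_status FILE -> prints "none", "first" or "not-first".
# "first":     the first active extension/zend_extension line loads ionCube.
# "not-first": ionCube is referenced but another extension is loaded before it,
#              which triggers "The Loader must appear as the first entry".
ioncube_status() {
    local file=$1 first
    if ! grep -qi 'ioncube' "$file"; then
        echo none
        return 0
    fi
    # Only active directives count; lines commented out with ';' are skipped.
    first=$(grep -Ei '^[[:space:]]*(zend_)?extension[[:space:]]*=' "$file" | head -n 1)
    if printf '%s\n' "$first" | grep -qi 'ioncube'; then
        echo first
    else
        echo not-first
    fi
}

# scan_php_inis FILE... -> one "path: status" line per file that exists.
scan_php_inis() {
    local f
    for f in "$@"; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$f" "$(ioncube_status "$f")"
    done
}

# Example run (placeholder paths, adjust to your server):
# scan_php_inis /usr/local/lib/php.ini /path/to/directadmin.ini
```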

This is a rather small post compared to the ones I normally publish, but since this is an easy fix I wanted to keep it as simple as possible, hoping it helps others.

Updating IPMI firmware on a SuperMicro server


Last week we moved to a new office building and an old SuperMicro server popped up, in particular a SuperMicro X8DTL-IF in a 936A-R1200B chassis. It's a rather old server now, but since I want to use this machine for SAN-like testing it comes in handy for me! In the past this machine was used as a big storage box containing backup data and never received system maintenance like BIOS updates. Upon examining the unit I found out that it was still running the stock firmware that was present at the time of delivery, so the IPMI firmware is version 02.02 whereas the current version is 03.13. In this post I will explain how to update the IPMI firmware on this mainboard using the web interface.

Management interface:
The machine has a management network interface which works using IPMI. The management interface can be reached with a web browser if you browse to its assigned IP address. Even when the machine itself is powered off (but connected to mains) the management interface is accessible and allows you to perform several maintenance-related tasks like remote power management, KVM and console redirection. If you access it via the browser a login screen like the one below appears:
The default username is ADMIN and the password is ADMIN.

Checking the IPMI firmware version:
Once logged in to the interface go to System -> System Information and the following information should be displayed (version numbers may vary):

Getting the IPMI firmware update:
I cannot give downloads for this as it is updated regularly and varies per board. Navigate to the SuperMicro website and browse to the board that you use. On the specifications page follow the "IPMI Firmware" link. You should end up with a .ZIP file containing a .bin file. Extract that to a convenient place.

Updating the IPMI firmware:
The update process is pretty straightforward. In the web interface go to Maintenance -> Firmware update. On the page that shows up you need to enable update mode by clicking Enter Update Mode and confirming that you want to do so in the popup that appears.
A file selector button appears; point it to the .bin file from the downloaded .ZIP file and click the Upload file button. Once the file is uploaded a confirmation screen appears which shows the currently running version and the version about to be installed:
If you want your current settings to be preserved, leave the checkbox ticked. Not ticking the box will reset all settings to factory defaults.

Click the Start Upgrade button to start the upgrade; the progress is shown after clicking the button:

When the update is finished the management interface will reboot and you will return back to the login screen.

Checking the newly installed firmware:
Log back in to the web interface to check whether the firmware was installed successfully: go to System -> System Information and check the new version. In this case the upgrade has succeeded:

Install Composer on Ubuntu 14.04


I run a newsgroup indexer privately which has switched to Composer for managing PHP dependencies. As Composer is not in the default Ubuntu 14.04 repositories I had to install it manually. This is a really simple process, but since I had to search a while for it I wanted to write a small post about it. You will need root (or an account that can sudo) in order to install Composer.

Installing the requirements:
For Composer to work, some dependencies need to be installed if they are not installed already:
apt-get update
apt-get install php5-cli git curl

Install Composer:
Now we need to download the Composer binary and put it into place. Here we install it directly to /usr/local/bin/:
curl -sS | sudo php -- --install-dir=/usr/local/bin --filename=composer
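The one-liner above pipes whatever the download returns straight into php. As an added example that is not part of the original post, here is the same install with the installer's SHA-384 checked first against the value Composer publishes at https://composer.github.io/installer.sig (the installer itself comes from https://getcomposer.org/installer); only on a match is the installer executed.

```bash
#!/bin/bash
# Added example, not the post's own command: download the Composer installer,
# verify its SHA-384 against the published signature file, then run it.
# The install directory defaults to /usr/local/bin as in the post.

# verify_sha384 FILE EXPECTED_HEX -> 0 when the file's SHA-384 matches, 1 otherwise.
verify_sha384() {
    local file=$1 expected=$2 actual
    actual=$(sha384sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# install_composer [DIR]: fetch installer and signature, verify, then install.
install_composer() {
    local dir=${1:-/usr/local/bin} tmp rc
    tmp=$(mktemp -d) || return 1
    curl -sSfo "$tmp/installer" https://getcomposer.org/installer || { rm -rf "$tmp"; return 1; }
    # installer.sig contains the hex SHA-384 of the current installer script.
    curl -sSfo "$tmp/installer.sig" https://composer.github.io/installer.sig || { rm -rf "$tmp"; return 1; }
    if ! verify_sha384 "$tmp/installer" "$(tr -d '[:space:]' < "$tmp/installer.sig")"; then
        echo "installer checksum mismatch; not running it" >&2
        rm -rf "$tmp"
        return 1
    fi
    php "$tmp/installer" --install-dir="$dir" --filename=composer
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage (as root or via sudo): install_composer /usr/local/bin
```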

Testing Composer:
Now that Composer is installed, run the program to see if it outputs its help:
Running composer as root/super user is highly discouraged as packages, plugins and scripts cannot always be trusted
/ ____/___ ____ ___ ____ ____ ________ _____
/ / / __ \/ __ `__ \/ __ \/ __ \/ ___/ _ \/ ___/
/ /___/ /_/ / / / / / / /_/ / /_/ (__ ) __/ /
\____/\____/_/ /_/ /_/ .___/\____/____/\___/_/
Composer version 1.1.2 2016-05-31 19:48:11

command [options] [arguments]

-h, --help Display this help message
-q, --quiet Do not output any message
-V, --version Display this application version
--ansi Force ANSI output
--no-ansi Disable ANSI output
-n, --no-interaction Do not ask any interactive question
--profile Display timing and memory usage information
--no-plugins Whether to disable plugins.
-d, --working-dir=WORKING-DIR If specified, use the given directory as working directory.
-v|vv|vvv, --verbose Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug

Available commands:
about Short information about Composer
archive Create an archive of this composer package
browse Opens the package's repository URL or homepage in your browser.
clear-cache Clears composer's internal package cache.
clearcache Clears composer's internal package cache.
config Set config options
create-project Create new project from a package into given directory.
depends Shows which packages cause the given package to be installed
diagnose Diagnoses the system to identify common errors.
dump-autoload Dumps the autoloader
dumpautoload Dumps the autoloader
exec Execute a vendored binary/script
global Allows running commands in the global composer dir ($COMPOSER_HOME).
help Displays help for a command
home Opens the package's repository URL or homepage in your browser.
info Show information about packages
init Creates a basic composer.json file in current directory.
install Installs the project dependencies from the composer.lock file if present, or falls back on the composer.json.
licenses Show information about licenses of dependencies
list Lists commands
outdated Shows a list of installed packages that have updates available, including their latest version.
prohibits Shows which packages prevent the given package from being installed
remove Removes a package from the require or require-dev
require Adds required packages to your composer.json and installs them
run-script Run the scripts defined in composer.json.
search Search for packages
self-update Updates composer.phar to the latest version.
selfupdate Updates composer.phar to the latest version.
show Show information about packages
status Show a list of locally modified packages
suggests Show package suggestions
update Updates your dependencies to the latest version according to composer.json, and updates the composer.lock file.
validate Validates a composer.json and composer.lock
why Shows which packages cause the given package to be installed
why-not Shows which packages prevent the given package from being installed

That’s it!


Upgrading MySQL from the commandline on a cPanel server


Recently I had to upgrade MySQL on a cPanel server. Although this can easily be done from within WHM itself, I wanted to perform it from the command line as that is more my way of working. The documentation on upgrading MySQL from the command line on a cPanel server is not easily found, which is why I want to share these instructions here.

Important notice:
Be aware that after upgrading MySQL you need to recompile PHP as well if you want the MySQL extension to work with the upgraded MySQL version. Recompiling PHP can be done using the EasyApache option from within WHM or /scripts/easyapache.

Changing the cPanel configuration file:
In order to upgrade MySQL we need to alter the cPanel configuration file. Log in via SSH as the root user and open the following configuration file:
vim /var/cpanel/cpanel.config

Search for the line starting with:

In my case the server was running MySQL 5.5, so the line looked like this:

I want to upgrade to MySQL 5.6, so change the line to (for this example):

Save the changes.

Upgrading MySQL:
Now that the configuration has changed, we need to make sure cPanel picks up the change, downloads the correct RPMs for MySQL and installs them. Run the following command (the output of the command is underneath it):
[2016-06-01 10:26:01 +0200]
[2016-06-01 10:26:01 +0200] Problems were detected with cPanel-provided files which are RPM controlled.
[2016-06-01 10:26:01 +0200] If you did not make these changes intentionally, you can correct them by running:
[2016-06-01 10:26:01 +0200]
[2016-06-01 10:26:01 +0200] > /usr/local/cpanel/scripts/check_cpanel_rpms --fix
[2016-06-01 10:26:01 +0200] The following RPMs are missing from your system:
[2016-06-01 10:26:01 +0200] MySQL56-client-5.6.30-1.cp1156
[2016-06-01 10:26:01 +0200] MySQL56-devel-5.6.30-1.cp1156
[2016-06-01 10:26:01 +0200] MySQL56-server-5.6.30-1.cp1156
[2016-06-01 10:26:01 +0200] MySQL56-shared-5.6.30-1.cp1156
[2016-06-01 10:26:01 +0200] MySQL56-test-5.6.30-1.cp1156
[2016-06-01 10:26:03 +0200]
[2016-06-01 10:26:03 +0200] The following RPMs are unneeded on your system and should be uninstalled:
[2016-06-01 10:26:03 +0200] MySQL55-client-5.5.49-1.cp1156
[2016-06-01 10:26:03 +0200] MySQL55-devel-5.5.49-1.cp1156
[2016-06-01 10:26:03 +0200] MySQL55-server-5.5.49-1.cp1156
[2016-06-01 10:26:03 +0200] MySQL55-shared-5.5.49-1.cp1156
[2016-06-01 10:26:03 +0200] MySQL55-test-5.5.49-1.cp1156
Do you want to repair these RPMs?(y/n):

It's wise to check the versions above before performing the upgrade: make sure that the new version matches the one you set and that the old version is the one you are currently running. If everything is correct, answer yes here and the upgrade will start:

[2016-06-01 10:51:49 +0200] Removing 0 broken rpms:
[2016-06-01 10:51:49 +0200] rpm: no packages given for erase
[2016-06-01 10:51:50 +0200] Downloading
[2016-06-01 10:51:50 +0200] Successfully verified signature for cpanel (key types: release).
[2016-06-01 10:51:50 +0200] Downloading
[2016-06-01 10:51:50 +0200] Downloading
[2016-06-01 10:51:51 +0200] Downloading
[2016-06-01 10:51:51 +0200] Downloading
[2016-06-01 10:51:51 +0200] Downloading
[2016-06-01 10:51:52 +0200] Disabling service monitoring.
[2016-06-01 10:51:57 +0200] Hooks system enabled.
[2016-06-01 10:51:57 +0200] Checking for and running RPM::Versions 'pre' hooks for any RPMs about to be installed
[2016-06-01 10:51:57 +0200] All required 'pre' hooks have been run
[2016-06-01 10:51:58 +0200] Uninstalling unneeded rpms: MySQL55-server MySQL55-devel MySQL55-test MySQL55-shared MySQL55-client
[2016-06-01 10:52:22 +0200] Installing new rpms: MySQL56-client-5.6.30-1.cp1156.x86_64.rpm MySQL56-devel-5.6.30-1.cp1156.x86_64.rpm MySQL56-server-5.6.30-1.cp1156.x86_64.rpm MySQL56-shared-5.6.30-1.cp1156.x86_64.rpm MySQL56-test-5.6.30-1.cp1156.x86_64.rpm
[2016-06-01 10:52:22 +0200] Preparing packages for installation...
[2016-06-01 10:52:23 +0200] MySQL56-client-5.6.30-1.cp1156
[2016-06-01 10:52:23 +0200] MySQL56-test-5.6.30-1.cp1156
[2016-06-01 10:52:30 +0200] MySQL56-devel-5.6.30-1.cp1156
[2016-06-01 10:52:30 +0200] Giving mysqld 5 seconds to exit nicely
[2016-06-01 10:52:36 +0200] MySQL56-server-5.6.30-1.cp1156
[2016-06-01 10:52:57 +0200] Waiting for “mysql” to start ……waiting for “mysql” to initialize ………finished.
[2016-06-01 10:52:57 +0200]
[2016-06-01 10:52:57 +0200] Startup Log
[2016-06-01 10:52:57 +0200] Starting MySQL..... SUCCESS!
[2016-06-01 10:52:57 +0200]
[2016-06-01 10:52:57 +0200] Log Messages
[2016-06-01 10:52:57 +0200] 2016-06-01 10:52:56 30359 [Note] /usr/sbin/mysqld: ready for connections.
[2016-06-01 10:52:57 +0200]
[2016-06-01 10:52:57 +0200] mysql started successfully.
[2016-06-01 10:55:44 +0200] Looking for 'mysql' as: /usr/bin/mysql
[2016-06-01 10:55:44 +0200] Looking for 'mysqlcheck' as: /usr/bin/mysqlcheck
[2016-06-01 10:55:44 +0200] Running 'mysqlcheck with default connection arguments
[2016-06-01 10:55:44 +0200] Running 'mysqlcheck with default connection arguments
[2016-06-01 10:55:44 +0200] mysql.columns_priv OK
[2016-06-01 10:55:44 +0200] mysql.db OK
[2016-06-01 10:55:44 +0200] mysql.event OK
[2016-06-01 10:55:44 +0200] mysql.func OK
[2016-06-01 10:55:44 +0200] mysql.general_log OK
[2016-06-01 10:55:44 +0200] mysql.help_category OK
[2016-06-01 10:55:44 +0200] mysql.help_keyword OK
[2016-06-01 10:55:44 +0200] mysql.help_relation OK
[2016-06-01 10:55:44 +0200] mysql.help_topic OK
[2016-06-01 10:55:44 +0200] OK
[2016-06-01 10:55:44 +0200] mysql.ndb_binlog_index OK
[2016-06-01 10:55:44 +0200] mysql.plugin OK
[2016-06-01 10:55:44 +0200] mysql.proc OK
[2016-06-01 10:55:44 +0200] mysql.procs_priv OK
[2016-06-01 10:55:44 +0200] mysql.proxies_priv OK
[2016-06-01 10:55:44 +0200] mysql.servers OK
[2016-06-01 10:55:44 +0200] mysql.slow_log OK
[2016-06-01 10:55:44 +0200] mysql.tables_priv OK
[2016-06-01 10:55:44 +0200] mysql.time_zone OK
[2016-06-01 10:55:44 +0200] mysql.time_zone_leap_second OK
[2016-06-01 10:55:44 +0200] mysql.time_zone_name OK
[2016-06-01 10:55:44 +0200] mysql.time_zone_transition OK
[2016-06-01 10:55:44 +0200] mysql.time_zone_transition_type OK
[2016-06-01 10:55:44 +0200] mysql.user OK
[2016-06-01 10:55:44 +0200] Running 'mysql_fix_privilege_tables'...
[2016-06-01 10:55:44 +0200] Running 'mysqlcheck with default connection arguments
[2016-06-01 10:55:44 +0200] Running 'mysqlcheck with default connection arguments
SNIP:long output of MySQL repair:SNIP
[2016-06-01 10:55:44 +0200] OK
[2016-06-01 10:55:46 +0200] The 'mysql' service passed the check.
[2016-06-01 10:55:46 +0200] The 'mysql' service passed the check.
[2016-06-01 10:55:52 +0200] Starting MySQL SUCCESS!
[2016-06-01 10:55:52 +0200] Checking MySQL server status after update
[2016-06-01 10:55:52 +0200] The 'mysql' service passed the check.
[2016-06-01 10:55:52 +0200] SUCCESS! MySQL running (30359)
[2016-06-01 10:55:52 +0200] MySQL56-shared-5.6.30-1.cp1156
[2016-06-01 10:55:52 +0200] Hooks system enabled.
[2016-06-01 10:55:52 +0200] Checking for and running RPM::Versions 'post' hooks for any RPMs about to be installed
[2016-06-01 10:55:52 +0200] All required 'post' hooks have been run
[2016-06-01 10:55:52 +0200] Restoring service monitoring.

After this you are back at the command line. Let's check whether the server is running the new MySQL version:
mysql --version
mysql Ver 14.14 Distrib 5.6.30, for Linux (x86_64) using EditLine wrapper

That’s it!

As said at the beginning of this post, don’t forget to run EasyApache if you want PHP to work with the upgraded version of MySQL!


How to restore the Windows MBR


I recently made some changes to my gaming desktop at home, which has a 256GB SSD for Windows and a 2-port RAID card with 2 x 2TB disks in a RAID0 setup. The RAID setup also holds a small partition for a Linux install, and therefore GRUB was installed to the SSD (as this is my primary boot device). As I am phasing out the RAID setup I soon came to the (hard) conclusion that Windows would no longer boot as soon as the RAID card was removed from the system. The effect is quite logical: /boot/grub/ resides on the partition containing the Linux install, which is no longer available, so GRUB cannot load its core files anymore, resulting in a GRUB rescue prompt.

This small post covers how to restore the MBR (Master Boot Record) from within Windows itself. In order to complete this process I put the RAID card back into the system so GRUB works for now, and was able to boot back into Windows (10 in my case).

Restore the MBR from within Windows 10:
When in Windows, open an elevated command prompt. You can do this by pressing the Windows key or clicking the Start menu icon and typing "cmd". Right-click the command prompt icon and run it as Administrator.

Windows has a tool called "bootsect.exe" which is able to restore the MBR on your disk so it's bootable again. In my case I want my system drive to have its MBR restored, so that's the C: drive:

bootsect.exe /nt60 c: /mbr

A small explanation on the options we supply:

/nt60: this defines the boot installation method. NT60 is used for Windows Vista and above (so including 7, 8, 8.1 and 10) and selects the BOOTMGR boot code used in these newer versions. There is an option /nt52 for all Windows versions before Vista (so XP, 2003, 2000 etc.), which selects the older NTLDR boot code used in those versions.
c:: this is the drive letter used. It's also possible to replace the drive letter with the word SYS, and Windows will automatically use the system drive.
/mbr: this defines the boot code that is going to be written to the disk's master boot record; for MBR disks this is the best option :).

More information about the parameters you can pass can be found in this TechNet article from Microsoft.

When you enter the command you will see some output regarding the partition that is being changed and whether it was successful or not. In my case it gave an error because the drive being updated is also the system drive and therefore cannot be unmounted. It states that the update may have gone wrong, but in my case it worked as expected: after removing the RAID card again and booting from the SSD, Windows 10 booted!

This is a very small and simple post, but I had a hard time finding the right information as most methods are based on live CDs or Windows recovery media, and the posts found often refer to the older NTLDR method. Those methods work as well, but you need to have such media ready in order to use them. Since I was still able to boot into Windows using a workaround I could solve it on the running Windows system itself, which is better. Should you not be able to boot into Windows anymore, then the live CDs are the best way to fix your MBR.

Install OPNSense on the Monowall Appliance box


Recently I got my hands on a Monowall Appliance box that's basically a PC Engines ALIX2 series board with the matching PC Engines case; mine specifically is an "alix2d13". This is a small board featuring 3 network ports and an AMD Geode CPU, which makes a perfect small home router device. This post will explain how to install OPNSense (a fork of pfSense) on the device. We'll use OPNSense as it has a much better and clearer interface (based on Bootstrap), which makes managing the appliance so much easier and more intuitive, with almost the same extensive options that pfSense offers.

The specifications for the device are as follows:
CPU: AMD Geode LX800 running at 500MHz (32-bit)
LAN: 3x VIA VT6105M 10/100 RJ-45
USB: 2x USB2 connectors
HDD: Internal CF-card slot
Other: Has serial port for management and installation. Has a free internal USB, I2C, COM and LPC header on-board. Also has a mini-PCI connector for Wi-Fi cards.

A picture of the PCB can be found here.

For this post you'll need some tools and cables, like:
– A CompactFlash card and a capable reader. For the OPNSense image we are using, a 4GB CF card is the minimum requirement.
– The OPNsense image. You can download the correct image from this location; you need the nano-i386 version (this is a pre-installed image).
– 2 network cables. One for the LAN and one for the WAN part.
– A DB-9 serial cable (optional). For communicating with the OPNSense installation a serial cable is handy, though not strictly necessary. Anything from DB-9 to whatever serial device you have may work. I assume a DB-9 to DB-9 cable will work if you have a PC with a DB-9 connector.

Connect a network cable from the middle network port, which is the WAN port, to a switch/modem that can deliver internet to the device (for updates etc). Connect the 2nd cable to the left port (as seen from the front of the device) and connect it to a normal switch or a regular PC for managing the web GUI.

Writing the image to the CF-card:
After you've downloaded the nano-i386 image, extract it. In my case this was:
bzip2 -d OPNsense-16.1-OpenSSL-nano-i386.img.bz2

Now connect your CF card to your card reader and look up the device name. On my reader it was the next disk in line: /dev/sdb
We have to write the image to the CF card from the command line:
dd if=OPNsense-16.1-OpenSSL-nano-i386.img of=/dev/sdb bs=1M
This may take several minutes to complete; it took nearly 10 minutes on my old CF card. After it has finished writing the image, eject it.
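Getting the device name wrong in the dd command above overwrites the wrong disk, so as an added example (not from the original post) here is a small wrapper around the same dd call that refuses to write to the disk backing the running root filesystem and, after writing, reads the card back and compares it with the image. Image path and target device are arguments; the root-disk detection relies on findmnt and lsblk and is skipped if those are not available.

```bash
#!/bin/bash
# Added example, not from the original post: write the extracted nano image to a
# CF card with dd, but refuse to overwrite the root disk and verify the result.

# root_disk -> prints the whole-disk name (e.g. sda) that backs /, or nothing if
# it cannot be determined (no findmnt/lsblk, or / is not on a plain block device).
root_disk() {
    command -v findmnt >/dev/null && command -v lsblk >/dev/null || return 0
    local src
    src=$(findmnt -no SOURCE / 2>/dev/null) || return 0
    lsblk -no PKNAME "$src" 2>/dev/null | head -n 1
}

# target_disk DEVICE -> whole-disk name of DEVICE (parent of a partition, or the
# device's own basename when it is already a whole disk or a plain file).
target_disk() {
    local parent
    parent=$(lsblk -no PKNAME "$1" 2>/dev/null | head -n 1)
    [ -n "$parent" ] && echo "$parent" || basename "$1"
}

# write_image IMAGE DEVICE -> 0 on a verified write, 1 on refusal or mismatch.
write_image() {
    local img=$1 dev=$2 size root
    [ -r "$img" ] || { echo "image not readable: $img" >&2; return 1; }
    root=$(root_disk)
    if [ -n "$root" ] && [ "$(target_disk "$dev")" = "$root" ]; then
        echo "refusing: $dev holds the running root filesystem" >&2
        return 1
    fi
    # Same write as in the post, with fsync so the data is on the card before we read it back.
    dd if="$img" of="$dev" bs=1M conv=fsync status=none || return 1
    size=$(stat -c %s "$img")
    # The card is larger than the image, so compare only the bytes we wrote.
    cmp -n "$size" "$img" "$dev" >/dev/null
}

# Usage (as root): write_image OPNsense-16.1-OpenSSL-nano-i386.img /dev/sdb
```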

Place the CF-card in your appliance:
Now you have to open up the appliance to install the newly written CF card. Remove the 2 screws on both sides and lift up the cover. Then remove the 4 screws in the corners of the PCB and lift the mainboard, front side up. Remove any installed CF card and insert the new one. Place the PCB back in its casing and put the corner screws back. You may also put back the cover and the housing screws.

Optional: Connect the serial cable:
You may want to connect a serial cable to the appliance in order to follow the boot process and log in using the local console. The baud settings for the device are:

BIOS mode: 38400 8N1
Bootloader mode: 9600 8N1
OPNSense/OS mode: 115200 8N1

My best experience was using minicom (freely available), with the serial settings defaulting to 115200 8N1. After that you can change the serial port setup to 9600 8N1 for just that session. Once that is set up, power up the appliance; some junk will appear (because of the different baud rate of the BIOS) and soon a bootloader menu appears with 2 options. Both are OPNSense, but I noticed that the default "1" won't boot on my box and I had to choose "2" and press enter. Some junk will appear again. After about 30 seconds exit minicom (Control + A -> Q), reopen minicom and press enter. A spinning cursor should appear, meaning the device is now actually booting!

The console output during boot will look something like below (as it did on my box):
data=0x787de8+0x190b08 syms=[0x4+0xfbcc0+0x4+0x19395f]
KDB: debugger backends: ddb
KDB: current backend: ddb
Copyright (c) 1992-2015 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 10.2-RELEASE-p11 #0 82ad3de(stable/16.1): Thu Jan 28 12:52:30 CET 2016
root@sensey32:/usr/obj/usr/src/sys/SMP i386
FreeBSD clang version 3.4.1 (tags/RELEASE_34/dot1-final 208032) 20140512
CPU: Geode(TM) Integrated Processor by AMD PCS (498.06-MHz 586-class CPU)
Origin="AuthenticAMD" Id=0x5a2 Family=0x5 Model=0xa Stepping=2
AMD Features=0xc0400000
real memory = 268435456 (256 MB)
avail memory = 226594816 (216 MB)
pnpbios: Bad PnP BIOS data checksum
random device not loaded; using insecure entropy
ipw_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_monitor: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_monitor_fw, 0xc080aaa0, 0) error 1
wlan: mac acl policy registered
ipw_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_bss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_bss_fw, 0xc080a940, 0) error 1
ipw_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
ipw_ibss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
module_register_init: MOD_LOAD (ipw_ibss_fw, 0xc080a9f0, 0) error 1
netmap: loaded module
random: initialized
kbd0 at kbdmux0
module_register_init: MOD_LOAD (vesa, 0xc11d4a10, 0) error 19
K6-family MTRR support enabled (2 registers)
ACPI BIOS Error (bug): A valid RSDP was not found (20150515/tbxfroot-258)
ACPI: Table initialisation failed: AE_NOT_FOUND
ACPI: Try disabling either ACPI or apic support.
cryptosoft0: on motherboard
padlock0: No ACE support.
pcib0 pcibus 0 on motherboard
pci0: on pcib0
pci0: at device 1.2 (no driver attached)
vr0: port 0x1000-0x10ff mem 0xe0000000-0xe00000ff irq 10 at device 9.0 on pci0
vr0: Quirks: 0x2
vr0: Revision: 0x96
miibus0: on vr0
ukphy0: PHY 1 on miibus0
ukphy0: none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
vr0: Ethernet address: 00:0d:b9:1d:36:c4
vr1: port 0x1400-0x14ff mem 0xe0040000-0xe00400ff irq 11 at device 10.0 on pci0
vr1: Quirks: 0x2
vr1: Revision: 0x96
miibus1: on vr1
ukphy1: PHY 1 on miibus1
ukphy1: none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
vr1: Ethernet address: 00:0d:b9:1d:36:c5
vr2: port 0x1800-0x18ff mem 0xe0080000-0xe00800ff irq 15 at device 11.0 on pci0
vr2: Quirks: 0x2
vr2: Revision: 0x96
miibus2: on vr2
ukphy2: PHY 1 on miibus2
ukphy2: none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
vr2: Ethernet address: 00:0d:b9:1d:36:c6
isab0: port 0x6000-0x6007,0x6100-0x61ff,0x6200-0x623f,0x9d00-0x9d7f,0x9c00-0x9c3f at device 15.0 on pci0
isa0: on isab0
atapci0: port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xff00-0xff0f at device 15.2 on pci0
ata0: at channel 0 on atapci0
ata1: at channel 1 on atapci0
ohci0: mem 0xefffe000-0xefffefff irq 12 at device 15.4 on pci0
usbus0 on ohci0
ehci0: mem 0xefffd000-0xefffdfff irq 12 at device 15.5 on pci0
usbus1: EHCI version 1.0
usbus1 on ehci0
cpu0 on motherboard
pmtimer0 on isa0
orm0: at iomem 0xe0000-0xea7ff pnpid ORM0000 on isa0
atrtc0: at port 0x70 irq 8 on isa0
Event timer "RTC" frequency 32768 Hz quality 0
attimer0: at port 0x40 on isa0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
ppc0: parallel port not found.
uart0: <16550 or compatible> at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
uart0: console (115200,n,8,1)
uart1: <16550 or compatible> at port 0x2f8-0x2ff irq 3 on isa0
Timecounters tick every 1.000 msec
IPsec: Initialized Security Association Processing.
usbus0: 12Mbps Full Speed USB v1.0
usbus1: 480Mbps High Speed USB v2.0
ugen0.1: at usbus0
uhub0: on usbus0
ugen1.1: at usbus1
uhub1: on usbus1
ada0 at ata0 bus 0 scbus0 target 0 lun 0
ada0: ATA-5 device
ada0: Serial Number 7DF70706170700203379
ada0: 100.000MB/s transfers (UDMA5, PIO 512bytes)
ada0: 3811MB (7806960 512 byte sectors: 16H 63S/T 7745C)
ada0: Previously was known as ad0
GEOM_PART: integrity check failed (ada0, MBR)
GEOM_PART: integrity check failed (diskid/DISK-7DF70706170700203379, MBR)
random: unblocking device.
Timecounter "TSC" frequency 498061374 Hz quality 800
Root mount waiting for: usbus1 usbus0
uhub0: 4 ports with 4 removable, self powered
Root mount waiting for: usbus1
uhub1: 4 ports with 4 removable, self powered
Trying to mount root from ufs:/dev/ufs/OPNsense0 [rw,async,noatime]...
WARNING: /tmp/nanobsd.94731 was not properly dismounted
Mounting filesystems...
tunefs: soft updates remains unchanged as enabled
GEOM_PART: integrity check failed (diskid/DISK-7DF70706170700203379, MBR)
tunefs: file system reloaded
camcontrol: subcommand "identify" requires a valid device identifier
WARNING: /tmp/nanobsd.94731 was not properly dismounted
ldconfig: Cannot mmap "/var/run/": Invalid argument
Updating motd:.
Configuring crash dump device: /dev/null
Setting up memory disks...done.
..ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/ipsec /usr/local/lib/libnet11
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
Starting configd.
Launching the init system... done.
Initializing................... done.
Starting device manager (devd)...done.
Loading configuration...done.
Setting up extended sysctls...done.
Setting timezone...done.
Configuring loopback interface...done.
Starting syslog...done.
Starting Secure Shell Services...done.
Setting up polling defaults...done.
Setting up interfaces microcode...done.
Configuring loopback interface...done.
Creating wireless clone interfaces...done.
Configuring LAGG interfaces...done.
Configuring VLAN interfaces...done.
Configuring QinQ interfaces...done.
Configuring WAN interface...done.
Configuring LAN interface...done.
Syncing OpenVPN settings...done.
Configuring firewall.....done.
Starting PFLOG...done.
Setting up gateway monitors...done.
Synchronizing user settings...done.
Starting webConfigurator...done.
Configuring CRON...done.
Starting DNS forwarder...done.
Starting NTP time client...done.
Starting DHCP service...done.
Starting DHCPv6 service...done.
Configuring firewall.....done.
Generating RRD graphs...done.
Starting syslog...done.
Starting CRON... done.

*** Welcome to OPNsense 16.1 (i386/OpenSSL) on OPNsense ***

WAN (vr1) -> v4/DHCP4:
LAN (vr0) -> v4:

FreeBSD/i386 (OPNsense.localdomain) (ttyu0)


You may log in with username "root" and password "opnsense". If you succeed, a menu is shown:

FreeBSD 10.2-RELEASE-p11 (SMP) #0 82ad3de(stable/16.1): Thu Jan 28 12:52:30 CET 2016

Welcome to FreeBSD!

Release Notes, Errata:
Security Advisories:
FreeBSD Handbook:
Questions List:
FreeBSD Forums:

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier

Edit /etc/motd to change this login announcement.

0) Logout 7) Ping host
1) Assign Interfaces 8) Shell
2) Set interface(s) IP address 9) pfTop
3) Reset the root password 10) Filter Logs
4) Reset to factory defaults 11) Restart web interface
5) Halt system 12) Upgrade from console
6) Reboot system 13) Restore a configuration

Enter an option:

It's best to change the root password first by selecting option 8 and issuing "passwd". Enter the new password twice and press Control + D to exit back to the menu.

Now we want to update the software to make sure the firewall is up-to-date, so choose option 12:

Enter an option: 12

This will automatically fetch all available updates, apply them,
and reboot if necessary. Proceed with this action? [y/N]: y

Updating OPNsense repository catalogue...
Fetching meta.txz: 100% 1 KiB 1.5kB/s 00:01
Fetching packagesite.txz: 100% 69 KiB 70.7kB/s 00:01
Processing entries: 100%
OPNsense repository update completed. 233 packages processed.
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
New version of pkg detected; it needs to be installed first.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
pkg: 1.6.2 -> 1.6.4_2

The process will require 15 KiB more space.
2 MiB to be downloaded.
Fetching pkg-1.6.4_2.txz: 100% 2 MiB 2.5MB/s 00:01
Checking integrity... done (0 conflicting)
[1/1] Upgrading pkg from 1.6.2 to 1.6.4_2...
[1/1] Extracting pkg-1.6.4_2: 100%
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Checking for upgrades (91 candidates): 100%
Processing candidates (91 candidates): 100%
The following 67 package(s) will be affected (of 0 checked):

A long list of updates will be applied and may take up to 2 hours to complete (on my box). The device will reboot once the update has finished as there is a kernel update applied as well. After that reboot the firewall is up-to-date and the console is not needed anymore.

Updates may also be applied using the web interface and are not bound to the console!

Connecting to the Webgui:
If you’ve connected a network cable to the left port and into a regular PC you should have gotten a DHCP address from the OPNsense box and should be able to browse to “”. The default credentials are “root” for the username and “opnsense” for the password. The GUI is based on Bootstrap and is very responsive and intuitive to use. Screenshots can be found here.

You’ll start the setup wizard when you log in for the first time; it’s best to walk through the steps so you can choose a password, hostname etcetera. This part is done in 2 minutes at most.

Updating using the WebGUI:
After logging in you’ll be left at the Dashboard, which gives a small overview of the network status, and from there you can check for updates as well. If updates are found you’ll see them there and may click on the link that appears to update. Mostly “pkg” is updated first, after which you need to check for updates again as a longer list will become available. Apply the updates using the “Apply updates” button. You may watch the live status of the upgrade in your browser, but you may not close the tab or go to a different part of the interface as the update will halt!

Now that updating is finished the appliance is up-to-date and may be used to set up the firewall further.

There are a lot of possibilities with this image as it comes with built-in VPN server support etcetera. One of the nice features is that it can use the crypto engine that is present in the Geode LX processors. If you log in to the Web GUI you may go to “General” -> “Settings” to select the crypto engine for this Geode CPU in the dropdown menu. The only cipher it accelerates is AES-128-CBC, and it offers a true RNG device for hardware random number generation. The crypto engine can then be used for the OpenVPN server setup if you let it communicate using the AES-128-CBC cipher, which will decrease the load on the CPU significantly.

Keeping your DirectAdmin server up-to-date


At work I mainly see servers running DirectAdmin, which is a very good and easy-to-use control panel for people that want to offer hosting to their customers. DirectAdmin’s approach to software differs from others because DirectAdmin delivers all used software itself. This means that, besides keeping your OS up-to-date, you have to update all DirectAdmin related software as well, and this is something that’s pretty easy to forget. DirectAdmin has a very simple update manager named “custombuild” which can apply all of its own updates for you.

This post will explain how to let DirectAdmin check for updates, show the updates that are available and apply them.

In this post I assume you have SSH root access or at least a sudo account.

Apply the operating system updates:
Although I won’t go in-depth about OS-updates here, it’s still wise to apply them before updating DirectAdmin.

For Debian/Ubuntu based systems:
apt-get update && apt-get dist-upgrade

For RedHat/CentOS based systems:
yum update

Updating the custombuild software list:
DirectAdmin comes with custombuild which is the update manager in this case. First we want to navigate to the custombuild directory:
cd /usr/local/directadmin/custombuild/

We want to clean all downloaded software sources first to save space and avoid build issues:
./build clean

Now we want to update the software list:
./build update

Show the available updates:
Now that the software list is updated we can see which updates can be applied, custombuild has a function for this:
./build versions

Latest version of DirectAdmin: 1.49.1
Installed version of DirectAdmin: 1.44.3

DirectAdmin 1.44.3 to 1.49.1 update is available.

Latest version of Apache: 2.4.18
Installed version of Apache: 2.4.7

Apache 2.4.7 to 2.4.18 update is available.

Latest version of PCRE: 8.20
Installed version of PCRE: 8.20

Latest version of curl: 7.47.0
Installed version of curl: 7.34.0

cURL 7.34.0 to 7.47.0 update is available.

Latest version of FreeType: 2.6.2
Installed version of FreeType: 2.5.2

FreeType 2.5.2 to 2.6.2 update is available.

Latest version of dovecot: 2.2.21
Installed version of dovecot: 2.2.10

Dovecot 2.2.10 to 2.2.21 update is available.

Latest version of Exim: 4.86
Installed version of Exim: 4.82

Exim 4.82 to 4.86 update is available.

Latest version of MySQL: 5.5.48
Installed version of MySQL: 5.5.35

MySQL 5.5.35 to 5.5.48 update is available.

Latest version of PHP (CLI): 5.3.29
Installed version of PHP (CLI): 5.3.28

PHP5 (CLI) 5.3.28 to 5.3.29 update is available.

Latest version of RoundCube webmail: 1.1.4
Installed version of RoundCube webmail: 0.9.5

RoundCube webmail 0.9.5 to 1.1.4 update is available.

Latest version of phpMyAdmin:
Installed version of phpMyAdmin:

Latest version of SquirrelMail: 1.4.22
Installed version of SquirrelMail: 1.4.22

If you want to update all the available versions run: /usr/local/directadmin/custombuild/build update_versions

As you can see there are a lot of updates pending on this random server I’ve picked; now we want to apply all the updates that are shown above.

Updating the software using custombuild:
Now we want to apply all mentioned updates on the server. This can be performed with:
./build update_versions

This update process may take some time as all software is compiled on the server; it usually takes from 5 to 60 minutes to complete, depending on the amount of updates that need to be applied and the speed/resources of the server.
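As an added example (not part of custombuild or the original post), the small shell helper below parses the output of “./build versions” in the format shown above and lists only the components that actually have a pending update, which is handy when you watch a number of DirectAdmin servers. The sample input is constructed; on a real server you would pipe “./build versions” into it.

```shell
#!/bin/sh
# Added example (not custombuild's own code): summarise "./build versions" output.
# Only components whose installed version differs from the latest one are listed;
# components for which custombuild prints no version (phpMyAdmin above) are skipped.

da_pending_updates() {
    # Reads "./build versions" output on stdin and prints "component installed latest",
    # one line per pending update, sorted by component name.
    awk -F': ' '
        /^Latest version of / {
            name = substr($1, 19); sub(/:$/, "", name); latest[name] = $2
        }
        /^Installed version of / {
            name = substr($1, 22); sub(/:$/, "", name); installed[name] = $2
        }
        END {
            for (n in installed)
                if (installed[n] != "" && latest[n] != "" && installed[n] != latest[n])
                    printf "%s %s %s\n", n, installed[n], latest[n]
        }' | sort
}

da_pending_count() {
    # Number of pending updates; usable as a monitoring check (non-zero means work to do).
    da_pending_updates | awk 'END { print NR }'
}

sample_versions_output() {
    # Constructed excerpt in the shape of the "./build versions" output above
    # (not real server output).
    cat <<'EOF'
Latest version of DirectAdmin: 1.49.1
Installed version of DirectAdmin: 1.44.3

DirectAdmin 1.44.3 to 1.49.1 update is available.

Latest version of PCRE: 8.20
Installed version of PCRE: 8.20

Latest version of MySQL: 5.5.48
Installed version of MySQL: 5.5.35

Latest version of PHP (CLI): 5.3.29
Installed version of PHP (CLI): 5.3.28

Latest version of phpMyAdmin:
Installed version of phpMyAdmin:
EOF
}

# Real use: cd /usr/local/directadmin/custombuild && ./build versions | da_pending_updates
```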

A note on the updates:
For Apache, PHP and MySQL only the subreleases are applied. As seen in this case PHP will be updated from 5.3.28 to 5.3.29 and MySQL from 5.5.35 to 5.5.48. Custombuild will never upgrade this to a newer major release unless you explicitly specify it. All other software will be updated to the latest version DirectAdmin delivers at that time.

Also note that any 3rd party compiled modules for PHP and Apache may need to be recompiled manually if PHP and/or Apache was updated. Refer to the installation manual of the module to see how this can be achieved.

In this particular case PHP is pretty outdated and is EOL as we speak. Here PHP should be updated to at least 5.6 but since this is not my machine I cannot force this.

If you want to update PHP, MySQL or Apache to a newer major release you can specify this in the “options.conf” inside the custombuild directory. Make sure that your websites are capable of running on the newer version(s) that you want to apply, or that you update the websites before starting the update or afterwards.

Troubleshooting update issues:
Most of the time the updates will apply without errors, but errors are always possible; below are a couple of cases that may show up:

One of the most common errors occurs when compiling PHP and/or FreeType, which halts the update process with a complaint about libxml and/or libpng. This can easily be solved by running the update for these pieces of software first:

For libxml:
./build libxml2 d

For libpng:
./build libpng d

For FreeType:
./build freetype d

Once finished you can resume the update process:
./build update_versions

The update of MySQL may be interrupted because libaio is missing on your system, which mainly occurs on RedHat/CentOS based systems; it is easy to solve by installing libaio:
yum install libaio libaio-devel

Once finished you can resume the update process:
./build update_versions

Increase the size of /tmp on a cPanel server


I regularly see cPanel servers at work that have a very small /tmp disk (512MB default), which can result in issues with PHP sessions and other temporary files that are put there. Based on how you use the server and the amount of data that is placed in /tmp it is sometimes necessary to increase the size of that folder.

In this case you can’t just edit an fstab entry as /tmp is not based on tmpfs like on most Linux servers; instead cPanel uses a static file that is mounted as /tmp. That file is called tmpDSK and is located in /usr/.

If we want to increase the size of /tmp we need to increase the size of the /usr/tmpDSK file, which I’ll explain how to do below:

Stopping all services that use /tmp:
We need to unmount the /tmp location, but first we need to stop all services that are currently using the mountpoint. Mostly this will be Apache, MySQL and cPanel, but we can check this easily by running the following command:
lsof /tmp

This will result in something like the list below:
mysqld 27607 mysql 4u REG 7,1 0 13 /tmp/ibyXz7YL (deleted)
mysqld 27607 mysql 5u REG 7,1 0 14 /tmp/ibGyCv33 (deleted)
mysqld 27607 mysql 6u REG 7,1 0 15 /tmp/ibJIYT7l (deleted)
mysqld 27607 mysql 7u REG 7,1 0 16 /tmp/ibWsbsjW (deleted)
mysqld 27607 mysql 11u REG 7,1 0 17 /tmp/ibvEV7Ge (deleted)

In this example I only needed to stop the MySQL service, but to make sure that everything is stopped I stop Apache and cPanel as well:
/etc/init.d/crond stop
/etc/init.d/httpd stop
/etc/init.d/mysql stop
/etc/init.d/cpanel stop

For Systemd based systems:
systemctl stop crond.service
systemctl stop httpd.service
systemctl stop mysql.service
systemctl stop cpanel.service

Unmounting /tmp and removing it:
Now that everything is stopped, check again with “lsof /tmp” to see if anything is still using it, if not we can unmount the /tmp location:
umount /tmp

We now need to remove the file that is used as the /tmp disk:
rm -f /usr/tmpDSK

Increasing the size of /tmp:
Now we need to edit the following script:

Search for the following line:
my $tmpdsksize = 512000

The notation is in bytes, so in the above config it would create a 512MB file, increase it to 1024000 or 2048000 for 1GB or 2GB tmpDSK files.

I mostly see that line around line 175 in the script, which saves some searching!

Recreate and mount /tmp:
Now that we have set the new size for the tmpDSK file we need to recreate it. For this you need to run the script we edited earlier (it will ask 2 questions in the process, you should answer them both with “y”):

This will result in a lot of output, example below from a cPanel machine:
umount: /usr/testDSK: not found
Building /usr/testDSK...10240+0 records in
10240+0 records out
10485760 bytes (10 MB) copied, 0.0554831 s, 189 MB/s
mke2fs 1.41.12 (17-May-2010)
/usr/testDSK is not a block special device.
Proceed anyway? (y,n) Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
2560 inodes, 10240 blocks
512 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=10485760
2 block groups
8192 blocks per group, 8192 fragments per group
1280 inodes per group
Superblock backups stored on blocks:

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
tune2fs 1.41.12 (17-May-2010)
Creating journal inode: done
This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
*** Notice *** No loop module detected
If the loopback block device is built as a module, try running `modprobe loop` as root via ssh and running this script again.
If the loopback block device is built into the kernel itself, you can ignore this message.
Would you like to secure /tmp & /var/tmp at boot time? (y/n) y
Would you like to secure /tmp & /var/tmp now? (y/n) y
Securing /tmp & /var/tmp
Calculating size on /tmp
/tmp calculated to be 2000 M based on available disk space in /usr
No separate partition for tmp!
Building /usr/tmpDSK...2048000+0 records in
2048000+0 records out
2097152000 bytes (2.1 GB) copied, 16.693 s, 126 MB/s
mke2fs 1.41.12 (17-May-2010)
/usr/tmpDSK is not a block special device.
Proceed anyway? (y,n) Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
128000 inodes, 512000 blocks
25600 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=524288000
16 block groups
32768 blocks per group, 32768 fragments per group
8000 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 34 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
tune2fs 1.41.12 (17-May-2010)
Creating journal inode: done
This filesystem will be automatically checked every 34 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
Setting up /tmp... Done
Setting up /var/tmp... Done
Checking fstab for entries ...Done
Logrotate TMPDIR already configured
Process Complete

After the script finishes the /tmp is remounted with the newly configured size (in this example 2GB):
# df -h /tmp
Filesystem Size Used Avail Use% Mounted on
/usr/tmpDSK 2.0G 67M 1.8G 4% /tmp

An update of cPanel may change the script that we edited; this has no effect on the /tmp size as tmpDSK is a file and is only changed once you run the securetmp script again!

Starting the services:
Now that /tmp is mounted with the new size we need to start the services that we stopped earlier:
/etc/init.d/crond start
/etc/init.d/httpd start
/etc/init.d/mysql start
/etc/init.d/cpanel start

For Systemd based systems:
systemctl start crond.service
systemctl start httpd.service
systemctl start mysql.service
systemctl start cpanel.service

That’s it, the size of /tmp is now increased!
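As an added example (not cPanel’s code and not from the original post), the helpers below cover the two steps of this procedure that are easy to get wrong: checking that nothing still holds /tmp open before unmounting (parsed from “lsof /tmp” output), and rewriting the $tmpdsksize line so that a changed or moved line is noticed instead of silently keeping the old size. The script path is a parameter because the post does not name it; the lsof lines are constructed.

```shell
#!/bin/sh
# Added example (not cPanel's own code) for the /tmp resize procedure above.
# Nothing here unmounts or removes anything; it only inspects and edits files.

tmp_holders() {
    # Reads "lsof /tmp" output on stdin and prints each distinct command name once,
    # so an empty result means /tmp can be unmounted. Entries shown as "(deleted)"
    # still keep the mount busy, so they count as well.
    awk 'NR == 1 && $1 == "COMMAND" { next } NF > 0 { print $1 }' | sort -u
}

set_tmpdsk_size() {
    # set_tmpdsk_size SCRIPT SIZE: rewrite "my $tmpdsksize = <n>" in SCRIPT to SIZE,
    # keeping a SCRIPT.bak copy. Returns 1 when SIZE is not a number or when the
    # assignment is not found, so a changed cPanel script does not go unnoticed.
    script=$1; size=$2
    case $size in
        ''|*[!0-9]*) echo "size must be a positive integer" >&2; return 1 ;;
    esac
    pattern='^[[:space:]]*my [$]tmpdsksize[[:space:]]*='
    grep -q "$pattern" "$script" || {
        echo "no \$tmpdsksize assignment found in $script" >&2; return 1; }
    tmp=$(mktemp) || return 1
    cp "$script" "$script.bak" &&
    sed "s/\($pattern[[:space:]]*\)[0-9]*/\1$size/" "$script" > "$tmp" &&
    cat "$tmp" > "$script"      # cat, not mv, so the script keeps its mode bits
    status=$?
    rm -f "$tmp"
    return $status
}

tmpdsk_size_of() {
    # tmpdsk_size_of SCRIPT: print the value currently assigned to $tmpdsksize.
    sed -n 's/^[[:space:]]*my [$]tmpdsksize[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1"
}

sample_lsof_output() {
    # Constructed lines in the shape of the "lsof /tmp" output shown above.
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 27607 mysql 4u REG 7,1 0 13 /tmp/ibyXz7YL (deleted)
mysqld 27607 mysql 5u REG 7,1 0 14 /tmp/ibGyCv33 (deleted)
httpd 1234 nobody 3u REG 7,1 0 20 /tmp/sess_example
EOF
}

# Real use: lsof /tmp | tmp_holders   (stop every listed service before "umount /tmp")
#           set_tmpdsk_size /path/to/securetmp-script 2048000
```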

Using the TPM module for SSH key signing


In my previous post we were implementing 2FA on SSH so you can log in via password and/or key and with an extra token for more security. One other thing that comes with security, especially on laptops, is handling private data like keys, passwords and certificates. Most laptops that are intended for business work contain a so called TPM chip, or Trusted Platform Module chip.

In this guide we will create an SSH key that is signed by the TPM. This way the key is known as “Trusted” and therefore cannot be forged in whatever way possible. The guide is aimed at Arch Linux but the tools that are installed are generally available for other Linux distros as well using the default repos or addon repos. This post covers the basic method of key signing using the TPM and offers a trusted way to generate keys. I will investigate the other method of creating trusted keys, where you save the keys themselves in the TPM; that will be covered in a future post!

Also, using the TPM module to sign the keys makes sure that the keys are genuine and cannot be forged or modified by software on the machine, which can happen when creating keys using a software-only solution. Using an SSH key that is signed by the TPM instead of software only indicates that the key has been generated without forging possibilities and marks the key as safe or “Trusted” as it cannot be altered or changed.

What is a TPM and what can it do?
The TPM is a module that offers secure generation of keys and the storage of those keys, as well as limiting access to the keys. It also functions as an RNG (Random Number Generator). The TPM can also be used for disk encryption: the module will not encrypt the data itself but will function as secure storage for the signing keys that are generated when configuring the encryption. Microsoft is using it this way for its BitLocker encryption software, but others like dm-crypt can use it this way as well.
It can also be used to store passwords themselves; the password itself doesn’t have to be secure (although that’s stupid) but since it’s a hardware module a dictionary attack can be prevented this way, as the hardware can block access to the TPM after a certain threshold.

This is just a summary; a more detailed explanation of the TPM and its use can be found in the Wikipedia article here.

Installing software:
In order to make use of the TPM module we need to install a set of tools:
yaourt -Sy tpm-tools tpmmanager trousers simple-tpm-pk11-git opencryptoki

So, what are we installing above:
trousers is the TPM software that handles the interaction between the user and the TPM and is the so-called TCS (Trusted Computing Software).
tpm-tools is a set of command-line utilities for communicating with the TPM (via trousers).
tpmmanager provides a GTK GUI for operating and handling the TPM.
simple-tpm-pk11-git is the software to create and store SSH keys via the TPM module.
opencryptoki is the PKCS#11 implementation for Linux.

Starting the TCS daemon:
In order to communicate with the TPM we need to enable and start the TCS daemon (tcsd):
systemctl enable tcsd.service
systemctl start tcsd.service

Enabling the TPM:
In order to use the TPM module we need to enable it in the BIOS, the instructions vary per vendor so for specifics you should refer to the manual of your model.

This step only applies if you have never used the TPM module before. If you have already configured your TPM and took ownership of it you can continue at the “Creating and securing a SSH key” part.

Testing the TPM:
If you have enabled the TPM we want to make sure that it works and is accessible; you can run the following command:


It should return output like this:

TPM Test Results: 0000

It may output other codes; the zeroes indicate that the selftest went okay in this case!

Taking ownership of the TPM:
In order to use the TPM you need to take ownership of it. This may sound very bossy, but in this case you need to take control of the TPM in order to store your own personal information in it, so this approach makes sense.

To take ownership of the TPM, run the following command:

It will then ask for a password like below:
Enter owner password:
Confirm password:
Enter SRK password:
Confirm password:

The first set of passwords is the owner password you set on the TPM. The second set is the password for signing the SRK (Storage Root Key), which is the unique key that is generated when taking ownership of the TPM.

It’s wise to use different passwords here, so if someone takes over the TPM they cannot access the root key itself due to the different password!

Creating and securing a SSH key:
We’ve installed the “simple-tpm-pk11” package which can help us create an SSH key and secure it using the TPM. The basic idea is that the SSH key will be created and signed using the TPM module. The TPM seals the keys using a 2048-bit RSA key called the storage root key (SRK).

First we need to create a directory to store the PKCS11 key in:
mkdir ~/.simple-tpm-pk11

Now generate a new key using the PKCS11 mechanism and the TPM. If you did not set a password on the SRK you can issue the following command:
stpm-keygen -o ~/.simple-tpm-pk11/my.key

If you have signed the SRK with a password you need to change the command to:
stpm-keygen -s -o ~/.simple-tpm-pk11/my.key

The output will look like below (and the SRK pin option is only shown if you have signed the SRK with a password):
Enter SRK PIN:
Modulus size: 256
Exponent size: 3
Size: 2048
Blob size: 559

Create a config file which points to the key:
nano .simple-tpm-pk11/config

If you don’t have a password set on the SRK insert the following and save it:
key my.key

If you have set a password on the SRK you need to insert the following and save it:
key my.key
srk_pin [password]

In my opinion leaving the password just there sucks a bit regarding security and the use of the TPM. But as this file is created within your home directory it is not accessible by other users, only by you and root.

We also need to configure SSH to use the PKCS11 provider:
nano ~/.ssh/config

And insert the following into the file and save it:
Host *
PKCS11Provider /usr/lib/

Now that we have a private key created we can use it against the TPM and create a public key which can be used for SSH authentication; for this we need the PKCS11 library again:
ssh-keygen -D /usr/lib/

This should result in a public key being generated like below:
ssh-rsa AAAAB3NzaC1yc2E[snip]ALbgm2f

If you receive the following error you have either an incorrect or corrupt private key, or an SRK PIN is active but not set in the PKCS11 config:
C_GetTokenInfo failed: 6
no keys
cannot read public key from pkcs11

The generated public key can be put on other Linux systems in the authorized_keys file in that user’s ~/.ssh folder so that you can access that machine using public key authentication.

Note that you can only have 1 public key created from the earlier created private key; you should decide if 1 key is enough for your usage criteria.
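As an added example (not part of simple-tpm-pk11 or the original post), the checks below verify the two config files written above before you rely on them: that the key file named in the simple-tpm-pk11 config exists, that a config holding an srk_pin in clear text is readable only by its owner, and that the PKCS11Provider path in ~/.ssh/config actually exists (a missing library is one cause of the “no keys” error shown). The default paths are the ones used in this post; the test files are constructed.

```shell
#!/bin/sh
# Added example (not simple-tpm-pk11's own code): sanity checks for the config
# files from the post. Paths are parameters so the checks can run against copies.

check_stpm_config() {
    # check_stpm_config [CONFIG]: verify the simple-tpm-pk11 config.
    # - a "key" line must exist and the file it names must exist next to the config
    # - if an srk_pin is stored in the file, the file must be mode 600 (or 400),
    #   because the PIN is stored in clear text
    # Prints one problem per line; returns 0 only when nothing is found.
    cfg=${1:-$HOME/.simple-tpm-pk11/config}
    dir=$(dirname "$cfg")
    rc=0
    key=$(awk '$1 == "key" { print $2; exit }' "$cfg")
    if [ -z "$key" ]; then
        echo "no 'key' entry in $cfg"; rc=1
    elif [ ! -f "$dir/$key" ]; then
        echo "key file $dir/$key does not exist"; rc=1
    fi
    if awk '$1 == "srk_pin" { found = 1 } END { exit !found }' "$cfg"; then
        # GNU stat first, BSD stat as fallback
        mode=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg")
        case $mode in
            600|400) ;;
            *) echo "srk_pin stored in $cfg but mode is $mode, expected 600"; rc=1 ;;
        esac
    fi
    return $rc
}

check_ssh_pkcs11() {
    # check_ssh_pkcs11 [SSH_CONFIG]: confirm a PKCS11Provider is configured and
    # that the library path it names exists.
    cfg=${1:-$HOME/.ssh/config}
    lib=$(awk 'tolower($1) == "pkcs11provider" { print $2; exit }' "$cfg")
    if [ -z "$lib" ]; then echo "no PKCS11Provider in $cfg"; return 1; fi
    if [ ! -f "$lib" ]; then echo "PKCS11Provider $lib does not exist"; return 1; fi
    return 0
}

# Real use: check_stpm_config && check_ssh_pkcs11 && ssh-keygen -D "$(awk '$1=="PKCS11Provider"{print $2}' ~/.ssh/config)"
```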

Setting up a OpenVPN server on Linux


I sometimes want to access my home network when working remotely in order to access my private files or machines in my network. Opening up the Samba ports for example in your router to the bad world outside is the most stupid thing to do, so in order to gain access we need to set up a VPN connection. There are several ways to accomplish this and in this example I will be installing the versatile OpenVPN software, which can act as a server and client and is open source (and therefore available on almost any platform).

In this post we will set up the OpenVPN server (service), create the needed keys for the VPN authorization, set up the VPN tunnel interface and create a sample client config to connect with. The instructions are run as root.

Installing the software:
For the server-side we only need to install 2 packages; after installation we copy the easy-rsa key generation tools:

For Debian / Ubuntu:
apt-get install openvpn easy-rsa

For Arch Linux:
pacman -Sy openvpn easy-rsa

Setting up the CA:
Copy the easy-rsa key generation tools:
mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/

Now open the following file to change the variables used for key generation later on:
nano /etc/openvpn/easy-rsa/vars

Scroll a bit down until you reach the following block and change it to your situation and save your changes:
export KEY_COUNTRY=""
export KEY_PROVINCE=""
export KEY_CITY=""
export KEY_ORG=""
export KEY_EMAIL=""
export KEY_OU=""

Now we will generate the actual CA using the following commands:
cd /etc/openvpn/easy-rsa/
mkdir keys
source ./vars

It will ask several questions and the answers should already be filled in with the content you changed earlier, so we can just press enter through the questions to accept them. Should you have made a typo you can correct it at the appropriate question.

Create the server certificate and key:
Now that the CA bundle is generated we need to create a certificate and key for the server itself as well:
./build-key-server `hostname`

This will generate a certificate and key based on the hostname of the server at that time, which should be sufficient for most setups; should you not want this you can replace `hostname` with the hostname you want. It will ask if you want a password on the certificate, which I answered no to as I will sign the client certificates later on. The last 2 questions should be answered yes (for signing and committing the certificate).

Now we want to generate the Diffie-Hellman parameters (dh2048.pem) as the last step in creating the server certificate:

It says it will take a long time, on my Celeron system it took a couple of seconds… 🙂

Copy the generated certificate and key into the /etc/openvpn folder:
cd keys
cp `hostname`.crt `hostname`.key ca.crt dh2048.pem /etc/openvpn/

Create the client certificate and key:
Now that the CA and the server cert/key are generated and moved into place we need to start creating certificates for the clients that need access to the VPN. The steps are almost the same as for the server:
cd /etc/openvpn/easy-rsa/
./build-key CLIENT_NAME

The questions asked are the same as when generating the server certificate, but for better security you should set a password on the client certificate and key. Should the certificate and key get leaked on the internet they are useless as the password is still needed. With a certificate without a password, whoever holds it would immediately have access unless the certificate is revoked on the server. At the end you need to sign and commit the certificate by answering “y” 2 times.

Now we want to gather the needed client-side files together. Therefore create a folder; in my case I’ve used /root/CLIENT_NAME/ (substitute CLIENT_NAME with the actual client name):
mkdir /root/CLIENT_NAME
cd /root/CLIENT_NAME
cp /etc/openvpn/ca.crt ./
cp /etc/openvpn/easy-rsa/keys/CLIENT_NAME.crt ./
cp /etc/openvpn/easy-rsa/keys/CLIENT_NAME.key ./

Now that we have the files for the client together we want to zip them for easy distribution (the first argument to zip is the archive name):
zip CLIENT_NAME.zip ca.crt CLIENT_NAME.crt CLIENT_NAME.key

You can email this zip or put it on removable media for easier distribution!

We are generating the client certificate on the server itself. That by itself is no big deal, but keep in mind that if someone ever gains unwanted access to your server they are able to steal the certificates/keys generated. For best security you should remove the certificate and matching key from the server once these have been distributed to the client!

Adding extra clients:
That is simple, just follow the steps mentioned above!

Setting up the OpenVPN server:
Now that all certificates are generated we can start configuring the OpenVPN server. We start by creating a new configuration file:
nano /etc/openvpn/server.conf

The options may vary based on what you want to achieve with the VPN, my setup is done as follows:
# Global configuration
port 1194
proto udp
dev tun
topology subnet
# Certificate location
ca ca.crt
key SERVER_HOSTNAME.key # This file should be kept secret
dh dh2048.pem
# Network configuration
push "route"
ifconfig-pool-persist ipp.txt
keepalive 10 120
# Logging
status openvpn-status.log
verb 3

A little explanation of the config: we use UDP port 1194 for the OpenVPN service and a (virtual) TUN device on the system. The certificate section is self-explanatory; here SERVER_HOSTNAME needs to be replaced with the actual name used. For the network part we bind the TUN device to the range. The route that’s being pushed is optional, should you want access to the internal network of the server as well, which is mostly what we want; since my network is built on the range I push it as shown. We also use LZO compression on the VPN sessions initiated; there is a side note though, because compressing/decompressing the data consumes more CPU. If you use an embedded device for the VPN server you want to disable this; for any “modern” hardware this can be left on.

Now that the configuration is performed we want to start the OpenVPN service:

For Debian / Ubuntu:
service openvpn start

For Arch Linux:
systemctl enable openvpn@server.service
systemctl start openvpn@server.service

Note the @server for the Arch Linux method. The name you put there is a direct link to the OpenVPN config, so here we named it “server.conf” which makes openvpn@server. If you have changed the name of this config you should also change it in the openvpn@ part!

Now that the OpenVPN server has started we can check if it’s running by listing the interfaces on the system; an ifconfig on my Arch Linux server shows the tun device:

tun0: flags=4305 mtu 1500
inet netmask destination
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Reaching the network behind the OpenVPN server:
With the setup above you will be able to reach the VPN server and work on that machine. If you want to be able to access the machines on the same network as the VPN server we need to make some additional changes.

We need to enable IPv4 forwarding first via sysctl:
sysctl -w net.ipv4.ip_forward=1

If you want to make this change permanent after a reboot you need to add this option to:

We also need a couple of iptables entries, the following will do:
iptables -I FORWARD -i tun0 -o enp5s0 -s -d -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -i tun0 -o enp5s0 -s -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -o enp5s0 -s -j MASQUERADE
iptables -t nat -I POSTROUTING -o enp5s0 -s -j MASQUERADE

You need to change the interface names to match the ones on your server. In this example enp5s0 is my network interface; tun0 normally doesn’t need to be changed.

You need to save these rules to a file, say:

Make it executable:
chmod +x iptables-vpn.ipt

Now you can insert the iptables entries after a reboot by logging in as root and issuing:

In addition you may need to open up port 1194 in your router/gateway/modem in order to gain access from outside your home network to the VPN server, refer to the manual of your model on how to achieve this.

That’s it! You’ve now set up an OpenVPN server! Distribute the client certificate and key file together with the CA certificate to the client that needs to connect to the VPN server and configure the client side based on certificate authentication.

Setting up the client:
I won’t go extremely in-depth here because there are many ways to do this. I wanted to access the VPN from my laptop, so I needed a GUI program in my desktop environment which could assist me. The NetworkManager packages can aid in this, so we need to install them:

For Debian / Ubuntu:
sudo apt-get install network-manager-openvpn-gnome

For Arch Linux:
sudo pacman -Sy networkmanager-openvpn

You may need to log out and log in again in order to see the new option for setting up an OpenVPN connection. Now you can add a new OpenVPN connection:

VPN tab: Enter the server URL/IP in the gateway field, set the connection type to “Certificates (TLS)” and enter a name for the VPN connection. Select the certificates in the matching fields. Click the advanced button and in the new window check “LZO compression”.
IPv4 tab: Click the “Routes…” button and select “Use only for resources on this connection”. If you don’t check this, all traffic will flow through the VPN instead of only the traffic for the network you are trying to reach.
IPv6 tab: The same as for the IPv4 tab; should only be set if you use IPv6.

Revoking a client certificate:
An essential part of maintaining a VPN server is being able to revoke a client certificate (for example if a client is compromised), denying it access to the VPN. For this we need to set up a CRL (Certificate Revocation List) and configure OpenVPN to check that list first when a client connects.

First we need to create the CRL:
cd /etc/openvpn/easy-rsa/
source ./vars
./revoke-full CLIENT_NAME

Change CLIENT_NAME to the actual client name you wish to revoke.

Once the client certificate has been revoked, a file “index.txt” will be created in the keys folder:
Which will contain the revoked client information.

You may wish to examine the CRL file a bit further:
openssl crl -in keys/crl.pem -text

We also need to change the OpenVPN server config to actually check the CRL file when a client connects. Open up the config:
nano /etc/openvpn/server.conf

Add the following line in the config:
crl-verify keys/crl.pem

And restart OpenVPN to make the change active:

For Debian / Ubuntu:
service openvpn restart

For Arch Linux:
systemctl restart openvpn@server.service

If a client now connects with a revoked certificate you will see a log entry in the syslog with this information!
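As an added example (not part of easy-rsa or OpenVPN, and not from the original post), the helper below reads the easy-rsa “index.txt” database mentioned above and reports which certificates are still valid and which have been revoked, so you can confirm a revocation took before restarting OpenVPN. It relies on the OpenSSL CA database layout that easy-rsa uses (tab-separated: status V/R/E, expiry, revocation date, serial, file name, subject); the index lines in the sample are constructed.

```shell
#!/bin/sh
# Added example (not easy-rsa's own code): inspect the CA database behind crl.pem.
# index.txt columns (tab-separated): status, expiry, revocation date, serial,
# file name, subject DN. Revoked entries have status "R" and a revocation date.

cert_status_list() {
    # cert_status_list INDEX [STATUS]: print "serial CN" for every entry whose
    # status equals STATUS (default R, i.e. revoked). The CN is taken from the
    # subject DN; entries with fewer than six fields are ignored as malformed.
    index=$1; want=${2:-R}
    awk -F'\t' -v want="$want" '
        $1 == want && NF >= 6 {
            cn = ""
            if (match($6, /\/CN=[^\/]*/))
                cn = substr($6, RSTART + 4, RLENGTH - 4)
            printf "%s %s\n", $4, cn
        }' "$index"
}

is_revoked() {
    # is_revoked INDEX CN: exit 0 when a certificate with that CN has status R.
    cert_status_list "$1" R | awk -v cn="$2" '
        { name = substr($0, index($0, " ") + 1); if (name == cn) found = 1 }
        END { exit !found }'
}

sample_index() {
    # Constructed index.txt with a valid server cert, a valid client and a revoked
    # client (not a real CA database); tabs are written by printf.
    printf 'V\t260101000000Z\t\t01\tunknown\t/C=NL/ST=X/L=Y/O=Home/CN=vpnserver/emailAddress=a@example.org\n'
    printf 'V\t260101000000Z\t\t02\tunknown\t/C=NL/ST=X/L=Y/O=Home/CN=laptop/emailAddress=a@example.org\n'
    printf 'R\t260101000000Z\t160301120000Z\t03\tunknown\t/C=NL/ST=X/L=Y/O=Home/CN=oldphone/emailAddress=a@example.org\n'
}

# Real use after "./revoke-full CLIENT_NAME":
#   is_revoked /etc/openvpn/easy-rsa/keys/index.txt CLIENT_NAME && echo "revoked in the CA database"
```

Note that index.txt is only the CA’s bookkeeping; OpenVPN itself enforces revocation through the crl-verify line added above, so both should be checked after a revocation.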