
Redirect All HTTP URLs to HTTPS while Preserving Path on Apache with mod_rewrite

karma

To ensure every request to a service ends up on HTTPS, whether it comes from a stray http:// resource reference on a page, from a user typing the bare hostname into the address bar without a protocol, or from one of the always-use-HTTPS browser extensions (you know, normal folk), put the following snippet in httpd.conf, in the port-80 VirtualHost block, or in a .htaccess file under the DocumentRoot (or any other directory, provided AllowOverride permits FileInfo there). mod_rewrite must be loaded (a2enmod rewrite on Debian/Ubuntu). Clients are sent to the URL they originally asked for, path and query string included, but over TLS.

RewriteEngine On
RewriteCond %{HTTPS} !=on
# %{REQUEST_URI} rather than ^/(.*) and $1: in .htaccess (per-directory)
# context the leading slash, and any subdirectory prefix, is stripped before
# the pattern is applied, so ^/(.*) never matches there. The query string is
# appended automatically because the substitution contains none of its own.
# R=301 makes the redirect permanent; a bare R is a temporary 302.
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

Now head on over to Let's Encrypt and get yourself a nice, free 90-day TLS certificate for your hostname or, if you prefer, a wildcard certificate (which requires the DNS-01 challenge) to plaster on everything that ends in your domain. Set certbot up to renew it automatically so you are not driven mental every three months: the distribution packages install a systemd timer or cron job that runs certbot renew, and a cron entry running certbot renew --quiet once or twice a day does the job where they do not.
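As an added example (not from the original post), here is the same redirect written to survive the two cases the three-line version does not handle: a TLS-terminating load balancer in front of Apache, where %{HTTPS} is never "on" and the naive rule loops forever, and a .htaccess file below the DocumentRoot, where the leading slash is stripped before the pattern is applied. The hostname www.example.com, the X-Forwarded-Proto header name and the certificate paths (certbot's default layout under /etc/letsencrypt/live) are assumptions; mod_rewrite, mod_ssl and mod_headers must be loaded.

```apache
# Added example (not from the original post). Hostname, proxy header name
# and certificate paths are assumptions; adjust to your environment.

<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine On
    # Case 1: Apache terminates TLS itself. Everything arriving on port 80
    # has %{HTTPS} set to "off", so this condition is always true here; it is
    # kept so the block can be dropped into a shared configuration unchanged.
    RewriteCond %{HTTPS} !=on
    # Case 2: a load balancer terminates TLS and speaks plain HTTP to Apache.
    # %{HTTPS} is then never "on" and the condition above alone would redirect
    # forever; trust the proxy's X-Forwarded-Proto instead. A client talking
    # to port 80 directly can forge the header, but that only lets it skip
    # its own redirect.
    RewriteCond %{HTTP:X-Forwarded-Proto} !=https
    # The empty pattern ^ matches every request. %{REQUEST_URI} keeps the
    # full path in both server and .htaccess context, and mod_rewrite carries
    # the query string over because the substitution has none of its own.
    # The hostname is written out rather than taken from %{SERVER_NAME},
    # which with UseCanonicalName Off (the default) echoes the Host header.
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # certbot's default layout; fullchain.pem includes the intermediate.
    SSLCertificateFile    /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
    # Once the redirect is verified, tell browsers to stop trying HTTP at all.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

Check it with curl -sI http://www.example.com/some/path?x=1 and confirm a 301 whose Location is https://www.example.com/some/path?x=1. Add the Strict-Transport-Security header only after HTTPS is known to work for every hostname the site answers on, because a browser that has seen it will refuse plain HTTP to that host for max-age seconds, and includeSubDomains extends that to every subdomain.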

Install and Configure SNMP on RHEL/Fedora/CentOS, Debian/Ubuntu and Oracle Solaris 11 and 10

karma

Simple Network Management Protocol (SNMP) is a ubiquitous and ancient protocol for monitoring the status of, and viewing and setting the configuration of, networked hosts and devices: servers, switches, access points, routers and more. A manager (the monitoring station) GETs or SETs variables on an agent (the daemon on the monitored device); each variable is identified by an object identifier (OID), and the variables are organized into Management Information Bases (MIBs). Some MIBs are standardized, which gives monitoring and management software a consistent interface for common tasks (collecting interface traffic counters, say, regardless of the target operating system or SNMP implementation); these are usually included by default or easily activated in a given agent. Other MIBs are proprietary and expose custom functionality (collecting environmental readings from, or pushing a configuration profile to, a specialty enterprise device); their definitions are provided by the hardware vendor or by a community effort to extend an existing agent or support third-party ones. General-purpose monitoring and graphing software like Cacti ships with support for many MIBs, and both vendors and community members generously release their own definitions that unlock functionality and support features not otherwise available. Two things to keep in mind before exposing it: SNMPv1 and v2c authenticate with a community string sent in cleartext with every request, and the default string "public" is the first thing every network scanner tries; SNMPv3 adds per-user authentication and encryption.

Generally one of the first things you will do on a new server is configure the SNMP daemon (snmpd) from the net-snmp package (Microsoft Windows has its own implementation, installed as an optional Windows feature; see https://kb.paessler.com/en/topic/663-how-do-i-install-the-snmp-service-on-windows-systems) so you can:

  • Track resource consumption and perform diagnostics and troubleshooting from a centralized location
  • Make decisions about resource allocation, deployments and hardware purchases
  • Establish a baseline so when things go awry you can use clues about changes in resources to help make determinations

Although it's good to set up proactive alerts for expected scenarios, not every scenario can be foreseen and not every alert is successfully triggered, received, properly interpreted or acknowledged. A centralized statistics aggregator is an invaluable tool in emergency diagnostics, and not just for seeing things that are obvious on their face: being able to "go back in time" and compare current observations to past, expected behaviour is what turns a vague symptom into a diagnosis. Some real-world examples of things SNMP in conjunction with a simple statistics aggregator like Cacti have helped me detect are:

  • Various forms of DoS attack
  • Broadcast storms, whether malicious or caused by malfunctioning equipment
  • Pending storage exhaustion
  • New and unexpected sources of radio interference
  • Misconfigured or unconfigured traffic shaping and QoS
  • Impending and actual link saturation
  • Unthrottled website scraping
  • Web pages backdoored to serve spam or phishing content
  • Various ISP customer and corporate user use policy violations

to name just a few.


To install snmpd and the command-line tools (snmpwalk, snmpget and friends) on Debian and its derivatives (Ubuntu) run:
apt-get install snmp snmpd libsnmp-dev
libsnmp-dev is only needed if you will compile software against the library and can be dropped otherwise. Note that Debian ships no MIB definitions; the tools print bare numeric OIDs until you install snmp-mibs-downloader from the non-free section and comment out the mibs : line in /etc/snmp/snmp.conf.

The default configuration file provided by the package has snmpd listening only on the IPv4 and IPv6 loopback addresses. To accept queries from the network, edit /etc/snmp/snmpd.conf so the agentAddress section reads:
...
# agentaddress: The IP address and port number that the agent will listen on.
# By default the agent listens to any and all traffic from any
# interface on the default SNMP port (161). This allows you to
# specify which address, interface, transport type and port(s) that you
# want the agent to listen on. Multiple definitions of this token
# are concatenated together (using ':'s).
# arguments: [transport:]port[@interface/address],...
#agentaddress 127.0.0.1,[::1]
agentAddress udp:161
...
A port with no address (udp:161) makes snmpd listen on every IPv4 interface (0.0.0.0); add udp6:161 if IPv6 clients need to reach it. Binding the management interface's address explicitly (for example udp:192.168.0.10:161, if that is the host's address on the management network) is tighter: the daemon then never answers on a public-facing interface even if the firewall rule is lost.

Also open up read access beyond the default systemonly view (sysDescr, sysUpTime and friends) to the whole tree, but only for the management network:
...
# rocommunity: a SNMPv1/SNMPv2c read-only access community name
# arguments: community [default|hostname|network/bits] [oid | -V view]
# Read-only access to everyone to the systemonly view
#rocommunity public default -V systemonly
rocommunity public 192.168.0.0/24
rocommunity6 public default -V systemonly
...
The second argument is a single IP address, a hostname or a subnet in CIDR notation; queries from anywhere else are dropped. Note what is left in place: the rocommunity6 ... default line still answers the public community from any IPv6 source (for the systemonly view only), so restrict or comment it out if IPv6 clients do not need access. Use a community string other than public in any case: it travels in cleartext with every request and public is the first guess of every scanner, so the source filter here and the firewall rule below are what actually stand between the tree and the rest of the network.

Now enable the service and punch a hole in the firewall for the management subnet only (check that ufw already allows your SSH session before running ufw enable, since its default inbound policy is deny):
systemctl enable snmpd
systemctl start snmpd
ufw allow from 192.168.0.0/24 to any port snmp
ufw enable


To install the SNMP daemon and associated utilities on a modern Red Hat flavour or derivative (Fedora, RHEL, CentOS Stream, Rocky, AlmaLinux, etc.) run:
dnf install net-snmp net-snmp-utils
systemctl enable snmpd
systemctl start snmpd

To install them on a legacy iteration (i.e. CentOS 7 and earlier) run:
yum install net-snmp net-snmp-utils
chkconfig snmpd on
service snmpd start

If you are using firewalld punch a hole in the firewall and reload so the permanent rules take effect (snmpd speaks UDP; the TCP rule is only needed if you configured a tcp: agentAddress, and a rich rule with source address="192.168.0.0/24" would match the iptables variant below rather than opening the port to the whole zone):
firewall-cmd --zone=public --add-port=161/udp --permanent
firewall-cmd --zone=public --add-port=161/tcp --permanent
firewall-cmd --reload

If you are instead using the iptables service, which loads rules via iptables-restore, edit /etc/sysconfig/iptables to include the two port-161 rules shown. Mind the order: the catch-all REJECT has to stay last in the chain, because anything appended after it is never evaluated.
...
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -p udp -m udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
...

Then reload the firewall ruleset:
systemctl restart iptables


On Oracle Solaris 10 SNMP is installed and enabled as part of the standard distribution. It runs under the service name sma. Configuration is stored in /etc/sma/snmp/snmpd.conf and follows the same scheme as the Linux variant as covered previously.

After making any configuration change restart the agent:
svcadm restart sma

If you are running an installation of Communications Messaging Server and would like to enable interoperability, its subagent needs the master agent to speak AgentX. Append the directive and restart the agent:
cat >> /etc/sma/snmp/snmpd.conf <<'EOF'
# Messaging Server's subagent requires the AgentX protocol
master agentx
EOF
svcadm restart sma


On Oracle Solaris 11 net-snmp should roll out with a standard installation; if this is not the case for you it can be installed after the fact thus:
pkg install net-snmp

Solaris 11's package is built from the same net-snmp codebase as the Linux packages, so the configuration is identical to the Linux examples above. The configuration flatfile lives at /etc/net-snmp/snmp/snmpd.conf.

To launch the service and enable it to start at next boot run:
svcadm enable net-snmp

Restart the daemon after any change to the configuration:
svcadm restart net-snmp


Bonus points: I use a quick-and-dirty abbreviated snmpd.conf where I want to give read-only access to the whole tree (traffic statistics for Cacti, storage consumption for Nagios/Icinga) to localhost and a private management subnet only; you may find it has some utility versus wading through the reams of comments and particularly obtuse syntax used in these flatfiles. Change public to something else before using it: it is the default community string every scanner tries first.
com2sec local 127.0.0.1/32   public
com2sec local 192.168.0.0/24 public
group   MyROGroup v1  local
group   MyROGroup v2c local
group   MyROGroup usm local
view    all included .1 80
access  MyROGroup "" any noauth exact all none none
syslocation Physical/Virtual Location
syscontact  Administrator's Name <admin@example.com>
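The configurations in this post, the package defaults opened up above and the abbreviated file just shown, all rely on a v2c community string plus a source filter. As an added example (not from the original post), the script below generates the hardened equivalent for net-snmp: one SNMPv3 user with SHA authentication and AES privacy, a view limited to the subtrees Cacti or Icinga actually poll, no v1/v2c community at all, and the agent bound to one address. It also includes a small audit that flags the weak settings (public/private communities, any rwcommunity, an agentAddress with no address) so you can check existing files before and after. The listen address 192.168.0.10, the user name monitor, the passphrases and the syscontact address are assumptions; the OIDs are the standard MIB-2 system, interfaces, ifMIB and host-resources subtrees.

```shell
#!/bin/sh
# Added example, not from the original post: generate a hardened snmpd.conf
# for net-snmp (SNMPv3 authPriv user, restricted view, no v1/v2c community)
# and audit a snmpd.conf for the weak settings the walkthrough above enables.
# Assumed values: listen address, management subnet, user and passphrases.

# gen_snmpd_conf LISTEN_ADDR MGMT_SUBNET USER AUTH_PASS PRIV_PASS
# Prints the configuration to stdout; redirect it to /etc/snmp/snmpd.conf
# (Debian/RHEL), /etc/sma/snmp/snmpd.conf (Solaris 10) or
# /etc/net-snmp/snmp/snmpd.conf (Solaris 11) and restart the agent.
gen_snmpd_conf() {
    listen="$1"; subnet="$2"; user="$3"; authpass="$4"; privpass="$5"
    cat <<EOF
# Bind the management-facing address only. A bare "udp:161" means 0.0.0.0.
agentAddress udp:${listen}:161

# Expose only the subtrees the monitoring stack needs instead of the whole
# tree (.1): system, interfaces, ifXTable (64-bit counters), host resources.
view monitoring included .1.3.6.1.2.1.1
view monitoring included .1.3.6.1.2.1.2
view monitoring included .1.3.6.1.2.1.31
view monitoring included .1.3.6.1.2.1.25

# SNMPv3 user with SHA authentication and AES privacy. snmpd consumes the
# createUser line on first start and keeps the derived keys in its
# persistent store; equivalently, with snmpd stopped, run
#   net-snmp-create-v3-user -ro -a SHA -A <authpass> -x AES -X <privpass> ${user}
createUser ${user} SHA "${authpass}" AES "${privpass}"

# Read-only, only with authentication AND encryption, limited to the view.
rouser ${user} priv -V monitoring

# Deliberately no rocommunity/rwcommunity: v1/v2c send the community string
# in cleartext and "public" is every scanner's first guess. Source filtering
# for v3 users is done in the host firewall, e.g.
#   ufw allow from ${subnet} to any port 161 proto udp

syslocation Physical/Virtual Location
syscontact Administrator's Name <admin@example.com>
EOF
}

# audit_snmpd_conf FILE
# Returns 0 if none of the weak patterns are present, 1 otherwise, printing
# one line per finding. The anchored patterns skip commented-out lines.
audit_snmpd_conf() {
    f="$1"; bad=0
    # default community strings on any read or write community directive
    if grep -Eiq '^[[:space:]]*r[ow]community6?[[:space:]]+(public|private)([[:space:]]|$)' "$f"; then
        echo "WEAK: default community string (public/private) in $f"; bad=1
    fi
    # any write community at all
    if grep -Eiq '^[[:space:]]*rwcommunity6?[[:space:]]' "$f"; then
        echo "WEAK: write community (rwcommunity) enabled in $f"; bad=1
    fi
    # a port with no address ("udp:161" or just "161") binds every interface
    if grep -Eiq '^[[:space:]]*agentaddress[[:space:]]+((udp|tcp)6?:)?[0-9]+([[:space:],]|$)' "$f"; then
        echo "WEAK: agentAddress binds all interfaces in $f"; bad=1
    fi
    return "$bad"
}

# Stand-alone demonstration: generate to a temporary file and audit it.
demo_conf=$(mktemp)
gen_snmpd_conf 192.168.0.10 192.168.0.0/24 monitor 'AuthPassphrase1' 'PrivPassphrase1' > "$demo_conf"
audit_snmpd_conf "$demo_conf" && echo "OK: $demo_conf passes the audit"
```

After installing the generated file and restarting snmpd, verify from the management host with snmpwalk -v3 -l authPriv -u monitor -a SHA -A 'AuthPassphrase1' -x AES -X 'PrivPassphrase1' 192.168.0.10 ifDescr, then confirm the old door is shut: snmpwalk -v2c -c public 192.168.0.10 must time out rather than answer. Run audit_snmpd_conf against /etc/snmp/snmpd.conf on hosts configured the way this post describes and it will report both the public community and the all-interfaces bind.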

Automated Number Announcement Circuit (ANAC) Numbers

karma

An Automated Number Announcement Circuit (ANAC) is a voice POTS (Plain Old Telephone Service) or VoIP resource, usually provided by carriers although a number of privately hosted services exist, that reads back the telephone number you are calling from. Some ANAC numbers only work when called from the same carrier that provides them and return an error when dialled from another provider's network. ANACs are essential assets for fone phreaking. I use them frequently enough, and the Wikipedia article that used to list several keeps getting whittled down as a WP:DIRECTORY violation, that I am starting a living list of them here. If you have any ANAC numbers you would like to share, please join us on Telegram or on Discord and drop me a line (pun intended).

Included at the bottom of the list are some toll free numbers; it should be noted that toll-free service is provided on tiers of geographical reach. Some toll free numbers only work in Canada or the United States, a portion of the United States, or both Canada and the United States - so your ability to reach a toll free ANAC may vary based on your location. All of the toll-free numbers have been tested from Ontario, Canada as of December 31, 2023.

Country | Carrier | Number | Notes
Canada | Bell Canada | (NPA) 958-2580 | 416 613 519 905 705 Ontario, does not work for 249 overlay. 450 418 438 514 579 581 819 873 Quebec. Additionally a milliwatt test tone is available at (NPA) 958-1111 (tested December 31 2023).
Canada | Rogers Communications | (NPA) 555-0311 | Only works for Rogers Communications subscribers. 403 Alberta, 519 613 Ontario
Canada | SaskTel | (NPA) 958-1115 | 306 Saskatchewan
Canada | Eastlink | (NPA) 958-2222 | PEI
Canada | Telus | (NPA) 958-6111 | 403 780 Alberta, 250 BC
Canada | Bell Aliant | (NPA) 958-9999 | 506 NB, 709 NL
Canada | Manitoba Telecom | (NPA) 959-4444 | 204 Manitoba; 959 is used since 958 is a regular Winnipeg exchange, not a test prefix
Canada | | (819) 320-1112 | Quebec
Canada | | (819) 320-1180 | Most of Quebec
United States | | 958 | A three-digit number in many former NYNEX/Bell Atlantic areas, now Verizon or FairPoint (207 Maine, 212 New York, 215 Pennsylvania, 315 New York, 413 Massachusetts, 508 Massachusetts, 516 New York, 603 New Hampshire, 609 New Jersey, 610 Pennsylvania, 617 Massachusetts, 718 New York, 732 New Jersey, 856 New Jersey, 958 New Jersey)
United States | Verizon | 959-1114 | For all former GTE points in California (area codes 310, 714, 760, 805); also Southwestern Virginia (276), Farmersburg/North Terre Haute/South Terre Haute/Riley Indiana (812) and Durham, North Carolina (919)
United States | PacBell (AT&T) | 959-1122 | California area codes 209, 213, 310, 408, 415, 510, 530, 619, 650, 714, 760, 805, 831, 909, 916 and 925
United States | Southwestern Bell (AT&T) | 959-1122 | 417 Missouri, 620 Kansas, 816 Missouri, 913 Kansas, 817 Texas, 972 Texas and 682 Texas
United States | CenturyLink | 959-3111 |
United States | | 1010-732-1770-988-9664 | Generally a universal ANAC number in the US, but phones with 1010 blockage or no long distance carrier will give an intercept message.
Australia | | 1800 801 920 |
Australia | Telstra | 127 22 123 | Telstra landlines only
Ireland | | 19 9000 | Announces the line number on all Eir lines, including lines where calls are carried by another provider using carrier preselect and lines provided by local-loop unbundling. The number is called out without the leading 0. For example, 021 XXX XXXX is read back as "21 XXX XXXX".
Israel | | *110 | Not working in all networks
New Zealand | | 1956 or 0 (8) 320-1231 | Area code and number
New Zealand | | 1957 or 0 (8) 320-1234 | Local number
United Kingdom | Openreach | 17070 | Openreach Linetest Facilities
United Kingdom | Openreach | 020 8759 9036 | Same recording as 17070 but useful on LLU and cable lines where 17070's functionality is limited. Not usable on mobiles.
Toll Free (USA) | MCI | (800) 444-2222 | Works from Canada
Toll Free (USA) | MCI | (800) 444-3333 | Works from Canada
Toll Free (USA) | MCI | (800) 437-7950 | Works from Canada
Toll Free (USA) | | (800) 444-4444 | "The number you have dialed can not be reached from your calling area" from Canada

An extensive list of North American ANACs can be found at these locations:

Install arping on OPNsense

karma

For reasons unknown one of my favourite and most essential tools, arping, is not available in OPNsense's package repository. On OPNsense, the preferred method of incorporating mainline FreeBSD packages (according to the official documentation) is to use opnsense-code to fetch the ports tree, which, bringing back bittersweet memories of my Gentoo days (search these articles for portage), builds software and its dependencies from source directly on the local machine, wholesome like a fresh-squeezed glass of lemonade.
opnsense-code ports
cd /usr/ports/net/arping
make install