Watermarking images by hand is a pain, it's a lot easier to drop a bunch of images into a directory, and watermark them using imagemagick. This snippet details the command to use

Read more…

Despite the more colloquial meaning that most are more familiar with, nonce is an important definition within computing, and particularly crypto

Literally N-once, a nonce is an arbitrary number intended to be used just once during a communication - it's often used as a sort of salt to ensure that replay attacks cannot simply use old communications, as well as for IVs etc when encryption

This short snippet will generate a nonce in both Python2 and Python3

Read more…

Various services require a token to be submitted using a HMAC. Although SHA1-HMAC is common, other hashing algorithms are sometimes required. This Python 3 snippet allows you to specify the hashing algorithm to use

Read more…

Although the version of curl in the Ubuntu repos is sufficiently recent to support HTTP/2, Ubuntu have compiled the packages without nghttp2 support, so if you try and use --http2 you'll probably receive the output curl: (1) Unsupported protocol

This snippet details how to install deps, and then compile curl with http/2 support - it can then be installed alongside, or over the top of the existing curl (alongside is better IMO).

Read more…

My NAS sits there quietly doing it's job most of the time. However, recently I needed to troubleshoot a cron that appeared not to be running, so went looking for log entries.

Turns out Debian 8's default behaviour was to send cron loglines to journald only (i.e. no passthrough to rsyslog).

To make matters worse, there's no journal rotation set up by default, so the loglines go back _months_ and JournalD is hysterically bad at actually getting through them in a reasonable time

So, before fixing the lack of rotation (by setting SystemMaxUse in /etc/systemd/journald.conf) I wanted to rotate the logs and then clear out stuff older than about a month

This snippet details how to rotate and then vacuum JournalD's logs based on a time interval

Read more…

Ever since I discovered it, I've preferred tshark as a means of extracting information and stats from a packet capture, particularly when that information needs to be communicated onwards via email - it's far better to provide simple tabulated data than 40 odd screenshots trying to highlight what you mean.

TShark uses the same underlying libraries as Wireshark, so you get the benefit of it's dissectors allowing you to easily filter by traffic type (-Y "ssh"), or to build more advanced filters

There's no way any list of examples could ever be exhaustive, but this list is intended to provide various examples containing some nuts and bolts which you can piece together to create useful commands (most examples exclude basics like -e ip.src for brevity's sake

If you're wanting to build a new command based on some field you can see in wireshark, the easiest way to find out the name to pass to tshark, is just to filter by it in wireshark and then pinch the name out of the filter field

Some of these examples are lifted, almost directly, from my PAS project, others from my own notes

Read more…

You should never put a management controller like an iLOM onto the open internet, they're not designed for that level of exposure and are near guaranteed to be compromised. To allow remote access, use either a VPN, or tunnel via a jumpbox.

If possible, it's far simpler and easier to use SShuttle to tunnel out to an iLO via your jumpbox instead.

If, for whatever reason that isn't is possible, then it's possible to set up a straight SSH tunnel in order to reach a remote iLOM and be able to use the virtual console. The ports required differ slightly between iLO3 and iLO4 - for iLO3 you will need to run SSH as root because you need to bind to a privileged port.

Once the tunnel's up, you can then just visit https://localhost:12443 in your browser

Read more…

Matroska (MKV) containers are pretty good, as they can contain multiple subtitle tracks allowing you to select the desired subtitle language from your player

Player support isn't always so great though, so sometimes you want to be able to extract the subtitles out to a SRT file so that it can the be burned into a MP4, or loaded alongside

This command uses ffmpeg to extract subtitle tracks from a video contianer (doesn't necessarily need to be MKV) to a SRT file

Read more…

A little while ago, 3 new candidates were put forward - Preload, Preconnect and Prefetch - known collectively as Resource Hints.

Embedding these into a HTML base page is straight-forward and well documented. But, what if you need to do something different?

In MISC-35 I decided to embed a search box into various sites (for example, this one) that would take the user to a third party search engine with a site: operator prepended to the query

The only problem was, that the search would take longer than comfortable to run, as upon hitting "Search" the browser would need to resolve DNS, connect, do a HTTPS handshake and then place the necessary request

It's possible to work around this though, by using the preconnect hint. I didn't want the user's browser to pre-connect every time they loaded a page, so wanted it gated on whether they were interacting with the search box itself

This snipper shows how to use Javascript to tell a modern browser to preconnect to a specific service (the exact URL doesn't matter, only the protocol and hostname)

Although I've not (yet) had cause to do so, you can use the same technique with preload and prefetch too (as well as their subtypes like dns-prefetch)

Read more…

LUA isn't strictly typed, and doesn't have a built-in mechanism for type checking paramaters and variables.

Sometimes, though, we need to check that a value is of a given type - a LUA component of a WAF might, for example, want to check that a specific query-string argument is numeric

This snippet focuses solely on that use-case - checking that a variable/string is numeric in format

Read more…