December 31, 2015

php code to normalize US phone number

This is the power of regex

This is a US phone formatter that works on more versions of numbers than any of the current answers.
<?php
$numbers = explode("\n", '(111) 222-3333
((111) 222-3333
111 222-3333
    123-456-7890   -Hello!
+1 - 1234567890 ');

foreach ($numbers as $number) {
    // capture the three digit groups and re-emit them in (NNN) NNN-NNNN form
    print preg_replace('~.*(\d{3})[^\d]{0,7}(\d{3})[^\d]{0,7}(\d{4}).*~', '($1) $2-$3', $number) . "\n";
}

And here is a breakdown of the regex:
Cell: +1 999-(555 0001)

.*          zero or more of anything "Cell: +1 "
(\d{3})     three digits "999"
[^\d]{0,7}  zero or up to 7 of something not a digit "-("
(\d{3})     three digits "555"
[^\d]{0,7}  zero or up to 7 of something not a digit " "
(\d{4})     four digits "0001"
.*          zero or more of anything ")"
Updated: March 11, 2015 to use {0,7} instead of {,7}

December 15, 2015

Linux routing based on IPtables MARK


This page is a small HOWTO about advanced Linux routing...

First of all, let me tell you where you can find the best source of information about advanced routing under Linux. Most of you probably know or have heard about the Linux Advanced Routing & Traffic Control site. There you will find a very comprehensive source of knowledge based not only on documentation but also on easy-to-understand examples...
Credits: Linux Advanced Routing & Traffic Control, Thea
Ok, then...
This page will show you how to set up a Linux box to use 2 different ISPs at the same time...

First example:
Goal: To route packets that came from 4 networks to different ISPs

Let's presume that you have two ISPs. In the following examples I'll use RDS and ASTRAL (two large ISPs from my country)
For the ASCII art and lynx console browser fans I'll use this kind of chart:
                                           +-------------+        /
                                           |    ISP 1    |       /
                             +-------------+    (RDS)    +------+
                             |             | gw |     /
                      +------+-------+     +-------------+    / 
+----------------+    |     eth1     |                       /
|                |    |              |                      |
| Local networks +----+ Linux router |                      |  Internet cloud
|                |    |              |                      |
+----------------+    |     eth2     |                       \
                      +------+-------+     +-------------+    \
                             |             |    ISP 2    |     \
                             +-------------+  (ASTRAL)   +------+
                                           | gw |       \
                                           +-------------+        \________
We will work only on the Linux router box. From the root prompt do:
echo 1 RDS >> /etc/iproute2/rt_tables
echo 2 ASTRAL >> /etc/iproute2/rt_tables
The /etc/iproute2/rt_tables content after previous commands:
# reserved values
255     local
254     main
253     default
0       unspec
# local
#1      inr.ruhep
Now we have three routing tables: the RDS table, the ASTRAL table and the main table...
Let's fill every table with its default route:

The next step is to have some routing rules and routes:

For the RDS table:
ip route add default via dev eth1 table RDS
ip rule add from table RDS
ip rule add from table RDS 
For the ASTRAL table:
ip route add default via dev eth2 table ASTRAL
ip rule add from table ASTRAL
ip rule add from table ASTRAL
To see the routing tables:
ip route show table ASTRAL
ip route show table RDS
ip route show table main  # it's the same as "route -n" but in different format...
To see the routing rules:
ip rule show   # all the rule list
ip rule show | grep ASTRAL # only for ASTRAL
ip rule show | grep RDS  # only for RDS
Let me explain the above rules.
The packets that came from the and networks will go to the RDS routing table and then (because we have a default route there) will be passed to the RDS gateway. Similarly, the packets that came from the and network will go to the ASTRAL gateway...
What happens to the packets that came from other networks, the ones not shown in the above rules? They simply go to the main routing table and follow the routes that reside there... If you want to block them from going to the internet, just delete the default route from the main table (of course, the router itself can then no longer reach the internet).

Second example:
Goal: To route the packets having destination port 22/tcp to RDS and 80/tcp to ASTRAL (no matter what network generates them).
This example is almost the same as the first one, except that we will use iptables to mark the packets.

Same chart...
                                           +-------------+        /
                                           |    ISP 1    |       /
                             +-------------+    (RDS)    +------+
                             |             | gw |     /
                      +------+-------+     +-------------+    / 
+----------------+    |     eth1     |                       /
|                |    |              |                      |
| Local networks +----+ Linux router |                      |  Internet cloud
|                |    |              |                      |
+----------------+    |     eth2     |                       \
                      +------+-------+     +-------------+    \
                             |             |    ISP 2    |     \
                             +-------------+  (ASTRAL)   +------+
                                           | gw |       \
                                           +-------------+        \________

Same /etc/iproute2/rt_tables content:
# reserved values
255     local
254     main
253     default
0       unspec
# local
#1      inr.ruhep
Before you start, check your iptables configuration. I strongly recommend reading about iptables if you are unsure about what you will be doing next.
For more documentation go to iptables home page or you can download a good documentation from this site (Security & Privacy Section) or directly from here.

To mark the packets that have 22 and 80 as destination port we will use the MANGLE table...
iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 22 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 80 -j MARK --set-mark 2
For the RDS table:
ip route add default via dev eth1 table RDS # the same like in the first example
For the ASTRAL table:
ip route add default via dev eth2 table ASTRAL # the same like in the first example
The next step is to have some routing rules based on the marked packets:

For the RDS:
ip rule add from all fwmark 1 table RDS
For the ASTRAL:
ip rule add from all fwmark 2 table ASTRAL
You can use the same commands to see the routing tables and rule lists as in the first example.
Now you have a routing solution based on the destination port...
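As an added check (example code, not from the original page), this Python script parses the output of "ip rule show" and "ip route show table <name>" and verifies that mark 1 is looked up in RDS and leaves via eth1, and mark 2 in ASTRAL via eth2, as the second example intends. The command outputs and gateway addresses below are constructed samples.

```python
import re

# Constructed sample outputs, in the format "ip rule show" and
# "ip route show table <name>" print on the router once the second example
# (fwmark 1 -> RDS, fwmark 2 -> ASTRAL) has been applied. The gateway
# addresses are documentation-range placeholders, not values from the page.
IP_RULE_SHOW = """\
0:\tfrom all lookup local
32764:\tfrom all fwmark 0x2 lookup ASTRAL
32765:\tfrom all fwmark 0x1 lookup RDS
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

IP_ROUTE_SHOW = {
    "RDS": "default via 192.0.2.1 dev eth1\n",
    "ASTRAL": "default via 198.51.100.1 dev eth2\n",
}

# What the second example is meant to achieve: mark -> (table, outgoing interface)
EXPECTED = {1: ("RDS", "eth1"), 2: ("ASTRAL", "eth2")}

RULE_RE = re.compile(
    r"^\d+:\s+from\s+\S+\s+fwmark\s+(0x[0-9a-fA-F]+|\d+)(?:/\S+)?\s+lookup\s+(\S+)")
ROUTE_RE = re.compile(r"^default\s+via\s+(\S+)\s+dev\s+(\S+)")


def parse_fwmark_rules(text):
    """Map fwmark value -> table name for every fwmark rule in 'ip rule show' output.
    Marks print in hex (0x1); int(..., 0) accepts both hex and decimal."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m.group(1), 0)] = m.group(2)
    return rules


def parse_default_route(text):
    """Return (gateway, device) of the default route in 'ip route show table X'
    output, or None when the table has no default route."""
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            return m.group(1), m.group(2)
    return None


def check_mark_routing(rule_text, route_texts, expected=EXPECTED):
    """Return a list of problems (empty when every mark ends up on the right ISP).

    A fwmark rule whose table has no matching route is not an error for the
    kernel: the lookup simply continues with the next rule, so the packet
    silently leaves via the main table instead of the intended ISP."""
    problems = []
    rules = parse_fwmark_rules(rule_text)
    for mark, (table, dev) in expected.items():
        got_table = rules.get(mark)
        if got_table != table:
            problems.append(
                f"mark {mark}: expected lookup {table}, rule says {got_table}")
            continue
        route = parse_default_route(route_texts.get(table, ""))
        if route is None:
            problems.append(
                f"table {table}: no default route, marked packets fall back to main")
        elif route[1] != dev:
            problems.append(
                f"table {table}: default route uses {route[1]}, expected {dev}")
    return problems


if __name__ == "__main__":
    # On the real router, feed in subprocess.check_output(["ip", "rule", "show"])
    # and the per-table "ip route show table <name>" output instead of the samples.
    for line in check_mark_routing(IP_RULE_SHOW, IP_ROUTE_SHOW) or ["mark routing OK"]:
        print(line)
```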

December 14, 2015

RE: How to receive a million packets per second

rsyslogd dynamically create log file based on msg content

This is tested on an Ubuntu 10.04 system (it should work on newer Ubuntu/Debian systems too).

1. Create file /etc/rsyslog.d/30test.conf, with the following content:

$template DynFile,"/tmp/test-%msg:7:18%.log"
:msg,startswith," ABCD-001122334455" ?DynFile
#:syslogtag,startswith,"test" ?DynFile
#:syslogtag,startswith,"test" /tmp/test.log

2. Open /etc/rsyslog.conf and set the following line:
$FileCreateMode 0644
comment out the following lines:
#$PrivDropToUser syslog
#$PrivDropToGroup syslog

3. sudo service rsyslog restart
4. logger -t test "ABCD-001122334455sdfsfsdfsdfsdfsdfs-----------"
5. Now check file /tmp/test-*.log, and you should see file /tmp/test-001122334455.log

To log a message with a defined template:
1. First define the template:
      $template shortlog,"%msg:10:1000%"
2. Use the template by appending ";template-name" to the end of the output file name.

Notes:
a. Property msg starts with a space " ".
b. Eventually we should try to figure out why dropping privileges ($PrivDropToUser) causes issues here.


A good debugging tip:
1. add /etc/rsyslog.d/debug.conf
*.* /var/log/all.log;RSYSLOG_DebugFormat
#Note here ";RSYSLOG_DebugFormat" is the output template
2. restart rsyslog
3. watch the file /var/log/all.log to see all log messages with property names

Log with UNIX Timestamp
$template unixTS,"%timegenerated:::date-unixtimestamp%,%msg%\n"
:msg,contains,"[UFW " /var/log/ufw.log;unixTS

#Note here ";unixTS" is the output template
Also refer to the rsyslog PDF version of the manual (Chapter 1) for an overview of how rsyslogd processes messages.

Syntax Check
rsyslogd -N1

===============UPDATE: New syntax for rsyslog version 7 and newer =============
rsyslog's new syntax is called "RainerScript". To generate dynamic files using output templates, create a file /etc/rsyslog.d/10-mytest.conf with the following content, and then restart the rsyslog service. The following example only logs messages from the application "abc" whose message text starts with "ABC" to a dynamic file name.

template(name="myfilename" type="string" string="/tmp/my-%programname%.log")
template(name="shortlog" type="string" string="%msg:10:$%\n")
if $programname == 'abc' and $msg startswith " ABC" then {
    action(type="omfile" dynaFile="myfilename" template="shortlog")
}


=============UPDATE: More examples==================
1. Variables are set using "set" and their names start with "$!" in RainerScript.
2. Variables only work inside the if block.
3. Inside a template the variables are surrounded by %%, e.g. "%$!devid%".
4. "stop" has replaced "~" to discard a particular message.

template(name="devid" type="string" string="%$!devid%")
if ($programname == 'charon') then {
    if ($msg contains "deleting IKE_SA") then {
        set $!devid = re_extract($msg, "([A-Z0-9])+-([A-Z0-9])", 0, 0, "unknown");
        #action(type="omfile" file="/var/log/delete.log" template="devid" )
        action(type="omfwd" Target="" Port="15140" Protocol="tcp" template="devid" )
        #action(type="omprog" binary="/usr/bin/" template="devid")
    }
}

:programname,isequal,"charon" stop
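To make the property-replacer offsets concrete, here is an added Python simulation (not rsyslog code and not from the original post) of the two configurations above: the legacy "%msg:7:18%" dynamic file with its startswith filter, and the RainerScript "$programname == 'abc'" version with the "%msg:10:$%" template. The messages are constructed samples of what rsyslog holds in its msg and programname properties after parsing a logger line.

```python
import re

# Constructed messages as rsyslog sees them after parsing, split into
# properties. "logger -t test 'ABCD-001122334455sdf...'" arrives as
# "... test: ABCD-..." and rsyslog's msg property keeps the space that
# separated the tag from the text; that leading space is why the page's
# template counts from position 7 and its filter prefix starts with " ".
SAMPLE_MESSAGES = [
    {"programname": "test", "syslogtag": "test:",
     "msg": " ABCD-001122334455sdfsfsdfsdfsdfsdfs-----------"},
    {"programname": "cron", "syslogtag": "CRON[1234]:",
     "msg": " (root) CMD (run-parts /etc/cron.hourly)"},
    {"programname": "abc", "syslogtag": "abc[42]:",
     "msg": " ABC-0001 link up"},
]

# %property% or %property:FromPos:ToPos%; ToPos may be "$" (end of string).
PROP_RE = re.compile(r"%([A-Za-z!$]+)(?::(\d+):(\d+|\$))?%")


def prop_substr(value, from_pos, to_pos):
    """Substring semantics of the property replacer: positions are 1-based
    and inclusive, so 7:18 yields 12 characters; '$' means up to the end."""
    start = int(from_pos) - 1
    end = len(value) if to_pos == "$" else int(to_pos)
    return value[start:end]


def render_template(template, props):
    """Expand a string template; a literal "\\n" in the template becomes a newline."""
    def replace(m):
        name, from_pos, to_pos = m.groups()
        value = props.get(name, "")
        return value if from_pos is None else prop_substr(value, from_pos, to_pos)
    return PROP_RE.sub(replace, template).replace("\\n", "\n")


# Legacy syntax from the page:
#   $template DynFile,"/tmp/test-%msg:7:18%.log"
#   :msg,startswith," ABCD-001122334455" ?DynFile
DYNFILE = "/tmp/test-%msg:7:18%.log"


def route_legacy(props, prefix=" ABCD-001122334455"):
    """Return the dynamic file the message is written to, or None if the
    property-based filter does not match (the message is then not written)."""
    if props["msg"].startswith(prefix):
        return render_template(DYNFILE, props)
    return None


# RainerScript version from the page:
#   template(name="myfilename" ... string="/tmp/my-%programname%.log")
#   template(name="shortlog"   ... string="%msg:10:$%\n")
#   if $programname == 'abc' and $msg startswith " ABC" then { action(... dynaFile ...) }
MYFILENAME = "/tmp/my-%programname%.log"
SHORTLOG = "%msg:10:$%\\n"


def route_rainerscript(props):
    """Return (file name, rendered line) or None when the if-condition fails."""
    if props["programname"] == "abc" and props["msg"].startswith(" ABC"):
        return render_template(MYFILENAME, props), render_template(SHORTLOG, props)
    return None


if __name__ == "__main__":
    for props in SAMPLE_MESSAGES:
        print(repr(props["msg"][:24]).ljust(28), "->",
              route_legacy(props), route_rainerscript(props))
```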

December 2, 2015

dnsmasq with Ubuntu 14.04

To make it work, you may need to edit the file

and uncomment this line:

November 25, 2015

jquery ajax error handling

$.ajax({
    url: '',
    type: 'GET',
    dataType: 'json',
    success: function() { alert("Success"); },
    error: function(jqXHR, textStatus, errorThrown) {
        alert('An error occurred');
        // jqXHR.responseText is inserted as raw HTML here; use .text() or escape it
        // unless the endpoint is fully trusted.
        $('#result').html('<p>status code: '+jqXHR.status+'</p><p>errorThrown: ' + errorThrown + '</p><p>jqXHR.responseText:</p><div>'+jqXHR.responseText + '</div>');
    }
});

PHP code to analyze the section of the 8 empty boxes below and find out how many boxes (letters in the word) there are. In this case, it should be 8.


<?php
// Count the boxes along one horizontal scan line of the image.
$filename = $argv[1] ?? 'boxes.png'; // image to analyze (assumed CLI argument)
$tmp_img  = $filename;

if (preg_match('/[.](jpg)$/', $filename)) {
    $img = imagecreatefromjpeg($tmp_img);
} else if (preg_match('/[.](gif)$/', $filename)) {
    $img = imagecreatefromgif($tmp_img);
} else if (preg_match('/[.](png)$/', $filename)) {
    $img = imagecreatefrompng($tmp_img);
} else {
    die("unsupported image type\n");
}

list($width, $height) = getimagesize($tmp_img);
$y = intdiv($height, 2); // scan the middle row (assumed; the original $y is not shown)
$count = 0;   // boxes seen so far
$sum0  = 0;   // brightness of the previous pixel that was clearly light or dark

for ($j = 0; $j < $width; $j++) {
    $x = $j; // Get X coords

    $rgb = imagecolorat($img, $x, $y); // Get pixel color
    $r = ($rgb >> 16) & 0xFF;
    $g = ($rgb >> 8) & 0xFF;
    $b = $rgb & 0xFF;
    $sum = ($r + $g + $b) / 3; // average brightness 0..255 (assumed from the thresholds)
    printf("%d ", $sum);
    if ($sum0 > 80 && $sum < 40) { // light -> dark transition: a box border
        $count++;
        echo "Box $count\n";
    }
    if ($sum > 80 || $sum < 40) { // 80 is light threshold, 40 is dark threshold; ignore grey in between
        $sum0 = $sum;
    }
}

November 24, 2015

use runit to manage user space daemons

In debian/Ubuntu, install "runit".

then in /etc/service directory, create your user service directory. In this example, we use "nc" (netcat listen)

cd /etc/service; mkdir nc
now create a file called "run", with the following content:
#!/bin/sh
DIR=$(dirname "$(readlink -f "$0")")
name=$(basename "$DIR")
d=$(date)   # timestamp used in the log line below
echo "$d service $name started" >> /var/log/runit.log
exec nc -l -p 8889

Only the first line and the last line are a must-have. The middle 4 lines are for logging purposes.
Now "chmod +x run" 

Now nc should be running (automatically picked up by runsvdir which scans /etc/service directory for changes). list of commands:
sv status nc
sv stop nc (or sv down nc)
sv start nc (or sv up nc)
sv restart nc
sv reload nc (send HUP signal)

sv status /etc/service/* (check all service status)

touch a file "nc/down" to stop the auto-restart

create a file "nc/finish" with the following content:
#!/bin/sh
DIR=$(dirname "$(readlink -f "$0")")
name=$(basename "$DIR")
d=$(date)   # timestamp used in the log line below
echo "$d service $name  stopped" >> /var/run/runit.log

This script is run every time nc exits.

Internally, 3 core executables: sv, runsv (the actual daemon monitor), and runsvdir (monitors the entire /etc/service directory)

bash get script directory

DIR=$(dirname "$(readlink -f "$0")")
echo $DIR

Openwrt iptables add NFQUEUE support

opkg install kmod-nfnetlink_3.10.49-1_ar71xx.ipk
opkg install kmod-nfnetlink-queue_3.10.49-1_ar71xx.ipk
opkg install kmod-ipt-nfqueue_3.10.49-1_ar71xx.ipk
opkg install iptables-mod-nfqueue_1.4.21-1_ar71xx.ipk
modprobe xt_NFQUEUE

modprobe nfnetlink_queue
(the last command automatically loads nfnetlink module)

Application program will need the following libraries:

libnfnetlink_1.0.1-1_ar71xx.ipk (libnetfilter_queue in openwrt 14.07 seems to be in the "old" package directory. You can build your own).

Then you can direct desired traffic to the user space's queue application using iptables:

 iptables -A OUTPUT -p TCP --dport 54321 -j NFQUEUE

The queue application has to be running. Otherwise, packets will stop flowing.

November 17, 2015

How to solve: automake is missing on your system

rm aclocal.m4

and then do "./configure"

November 9, 2015

supervisord add new program

After adding new program in /etc/supervisord.conf, do:

sudo supervisorctl reread
sudo supervisorctl update

This will make it run

November 3, 2015

apache .htaccess pass URI to PHP

1. Enable mod_rewrite: a2enmod rewrite
2. Enable .htaccess by adding the following to the enabled site conf file:
        <Directory "/var/www/html">
            AllowOverride All
        </Directory>
3. Create .htaccess at /var/www/html with the following content:
  Options +FollowSymLinks
  RewriteEngine On

  RewriteCond %{SCRIPT_FILENAME} !-d
  RewriteCond %{SCRIPT_FILENAME} !-f

  RewriteRule ^.*$ ./index.php

October 30, 2015

Use adcli to join Linux computer to a Windows Domain Controller


The computer that runs Windows Server 2008 R2 and is the domain controller: WIN-HPTI079TSF6, or
IP address of the domain controller:

Linux computer name: git, full name with domain:
Linux computer IP address:

1. Set up Linux /etc/resolv.conf to point it to the Domain Controller which should also be a DNS server


2. (Not needed anymore since Step 1's Name server would resolve this) 
Set up Linux /etc/hosts file so that the domain controller name resolves:

3. Set up your krb5.conf

$ cat /etc/krb5.conf
[libdefaults]
        default_realm = DOMAIN1.NCST.COM
        kdc_timesync = 1
        ccache_type = 4

[realms]
        DOMAIN1.NCST.COM = {
                kdc =
                admin_server =
        }

4. (Not needed)
On the domain controller DNS server, add DNS A record for ""

5. Finally, use the adcli command to join:
./adcli join -v --login-user=Administrator -H -N GIT -D  -R DOMAIN1.NCST.COM

Optional flags: --show-details --show-password

The result:
* Using fully qualified name:
 * Using domain name:
 * Using computer account name: GIT
 * Using domain realm:
 * Discovering domain controllers:
 * Sending netlogon pings to domain controller: cldap://
 * Received NetLogon info from:
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-zKaph4/krb5.d/adcli-krb5-conf-FxUjvg                                                                             
 Password for Administrator@DOMAIN1.NCST.COM:
 * Authenticated as user: Administrator@DOMAIN1.NCST.COM
 * Looked up short domain name: DOMAIN1
 * Using fully qualified name:
 * Using domain name:
 * Using computer account name: GIT
 * Using domain realm:
 * Enrolling computer name: GIT
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab                                             
 * Using fully qualified name:
 * Using domain name:
 * Using computer account name: GIT
 * Using domain realm:
 * Looked up short domain name: DOMAIN1
 * Computer account for GIT$ does not exist
 * Found well known computer container at: CN=Computers,DC=domain1,DC=ncst,DC=com
 * Calculated computer account: CN=GIT,CN=Computers,DC=domain1,DC=ncst,DC=com
 * Created computer account: CN=GIT,CN=Computers,DC=domain1,DC=ncst,DC=com
 * Set computer password                                                           
 * Retrieved kvno '2' for computer account in directory: CN=GIT,CN=Computers,DC=domain1,DC=ncst,DC=com
 * Modifying computer account: dNSHostName
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystem, operatingSystemVersion, operatingSystemServicePack
 * Modifying computer account: userPrincipalName
 * Discovered which keytab salt to use
 * Added the entries to the keytab: GIT$@DOMAIN1.NCST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/GIT@DOMAIN1.NCST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/GIT@DOMAIN1.NCST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ FILE:/etc/krb5.keytab

** You can also add  --show-details   --show-password to the command to show the machine password

October 26, 2015

The 3 Records you must know for good email delivery

The 3 Records you must know for good email delivery are:
  • Reverse DNS (PTR)
  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)
These are the 3 core records you must have correct for sending email. Of course, you need an MX record if you want to receive email, but that's another topic.

SPF wizards

October 20, 2015

gvim on Windows: how to set font to GB2312

The Windows version of VIM that I am using is the Win-32 console and OLE GVIM flavor.  Assuming you took the defaults during the installation of the program, you will find the VIM init file in the %DRIVE%\Program Files\Vim called _vimrc.  Edit this file and add a line that looks like the following:
set guifont=Lucida_Console:h10
This will use the Lucida Console font in size 10 regular.  You can use other fonts, sizes and settings. The syntax is basically:
set guifont=font-family:size:style
Here is a snippet from the VIM help guide:
 For the Win32 GUI     *E244* *E245*
 - takes these options in the font name:
  hXX - height is XX (points, can be floating-point)
  wXX - width is XX (points, can be floating-point)
  b   - bold
  i   - italic
  u   - underline
  s   - strikeout
  cXX - character set XX. valid charsets are: ANSI, ARABIC,

   Use a ':' to separate the options.
 - A '_' can be used in the place of a space, so you don't need to use
   backslashes to escape the spaces.
 - Examples:
     :set guifont=courier_new:h12:w5:b:cRUSSIAN
     :set guifont=Andale_Mono:h7.5:w4.5

October 17, 2015

Ubuntu 14.04 install Strongswan IKEv2 for Windows 7

1. sudo apt-get install strongswan  strongswan-plugin-eap-mschapv2
2. generate certificates using the following commands (change to your actual domain name or IP address) (Source:
ipsec pki --gen --type rsa --size 4096 --outform pem > vpnca.key.pem
ipsec pki --self --flag serverAuth --in vpnca.key.pem --type rsa --digest sha1 \
    --dn "C=US, O=Example Company, CN=Example VPN CA" --ca > vpnca.crt.der
ipsec pki --gen --type rsa --size 4096 --outform pem >
ipsec pki --pub --in --type rsa >
ipsec pki --issue --cacert vpnca.crt.der --cakey vpnca.key.pem --digest sha1 \
    --dn "C=US, O=Example Company," \
    --san "" --flag serverAuth --outform pem \
    < > 
openssl rsa -in -out -outform DER

sudo cp vpnca.crt.der /etc/ipsec.d/cacerts
sudo cp /etc/ipsec.d/certs
sudo cp /etc/ipsec.d/private

3. Import the above vpnca.crt.der file into your Windows certificate store (as a CER file). To install the trusted CA certificate locally, open the Microsoft Management Console (mmc) and add the Certificates snap-in. It is of the utmost importance that you select Computer account. Go into the Certificates (Local Computer) / Trusted Root Certification Authorities / Certificates folder and select the Import action, which starts the Certificate Import Wizard.

4. Edit /etc/ipsec.conf to be as follows: (source:

# ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default

conn win7 
    #rightsendcert=never   # see note

5. Edit /etc/strongswan.conf to be as follows:
charon {
        dns1 =
        dns2 =
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

6. Edit /etc/ipsec.secrets to be as follows (make sure there is a space between the name and the ":", otherwise strongswan won't recognize the name):


carol : EAP "abcd1234"
dave  : EAP "fghj5678"

7. ipsec start; and then use ipsec status/statusall to check status;
8. Change server ip_forward to 1; and add NAT rule: 
    sudo iptables -t nat -A POSTROUTING  -o eth0 -j MASQUERADE
9. Server configuration is complete. Follow this guide to configure your Windows 7 client:  or this guide:

October 9, 2015

strongswan load test on ubuntu 14.04

Getting strongswan load test to run on 14.04.

Mostly from this post on the mailing list:

1. you will need to first access the following link

and then 

- copy the RSA private-key into 2 files and name them "initiator_key.pem" 
and "responder_key.pem"

- copy the self-signed cert into 3 files and name 
them "cacert.pem", "initiator_cert.pem" and "responder_cert.pem"

On the Initiator GW/PC/Machine
- Please note that the load-tester plugin can only act in and as a road-warrior
client simulator mode. So you should enable the load-tester plugin only on
the initiator Linux machine running the strongswan package.

- The ipsec.conf file on this initiator is NEVER used and NOT required; just
comment out all config statements.

- copy the cacert.pem, initiator_cert.pem and the initiator_key.pem to the 
respective locations "cacerts", "certs" and "private" under .../ipsec.d/ folder

- in the ipsec.secrets file, include the statement 
: RSA initiator_key.pem

- The strongswan.conf file should be as below:

charon {
    reuse_ikesa = no
    threads = 32

    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # example: 10 connections, 5 in parallel
            initiators = 5
            iterations = 2
            # delay of 100ms between the connection attempts of each initiator
            delay = 100
            # address of the gateway
            responder =
            load = yes
            # IKE-proposal to use
            proposal = aes128-sha1-modp2048
            # certificate (pubkey) authentication on both sides
            initiator_auth = pubkey
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # rekey the CHILD_SA every 60s
            child_rekey = 60
            # do not delete the IKE_SA after it has been established (default)
            delete_after_established = no
            # do not shut down the daemon if all IKE_SAs established
            shutdown_when_complete = no
        }
    }
}

On the Responder GW/PC/Machine
- do not enable load-tester plugin here. just configure this machine as a Road-

- the ipsec.conf file should be as below:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default

conn rw-server


- copy the cacert.pem, responder_cert.pem and responder_key.pem to the 
respective locations under ipsec.d folder

- The ipsec.secrets file should have an entry as below:

: RSA responder_key.pem

2. That's it, now you start strongswan ipsec on both initiator and responder 
(first on this) using "ipsec start" or "ipsec start --nofork"

Use the following commands to examine the results:

ipsec status
ipsec statusall
ip route show table 220
ip -s xfrm state
ip -s xfrm policy

You may also want to know why your strongswan is not logging at all:

ubuntu 14.04 strongswan not logging

It turns out that ubuntu uses "AppArmor" to limit where strongswan can write files. You can install apparmor-utils and use the command "aa-complain" to turn strongswan binaries from "enforce" mode to "complain" mode:

# apt-get install apparmor-utils
# aa-status
# aa-complain /usr/lib/ipsec/charon
Setting /usr/lib/ipsec/charon to complain mode.

Just for reference, a strongswan conf file for logging:

charon {
        reuse_ikesa = no
        threads = 32

        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }

        filelog {
                /var/log/charon.log {
                        time_format = %b %e %T
                        append = yes
                        default = 1
                }
        }
}

This link is where I got the inspiration:

October 6, 2015

openssl performance test

openssl speed -elapsed -multi 8 -evp aes-128-cbc

or aes-128-gcm

Forward traffic from one IP address to another

The first thing to do is to enable IP forwarding. This is done either by using:
 echo "1" > /proc/sys/net/ipv4/ip_forward
 sysctl net.ipv4.ip_forward=1

Then, we add a rule that forwards the traffic arriving on port 1111 to the target IP on port 1111:
 iptables -t nat -A PREROUTING -p tcp --dport 1111 -j DNAT --to-destination

and finally, we ask Iptables to masquerade:

iptables -t nat -A POSTROUTING -j MASQUERADE

Disable “Waiting for network configuration” messages on Ubuntu boot

sudo vim /etc/init/failsafe.conf
I changed the first sleep command to
sleep 5
and then commented out the following lines:
$PLYMOUTH message --text="Waiting for network configuration..." || :
sleep 40
$PLYMOUTH message --text="Waiting up to 60 more seconds for network configuration..." || :
sleep 59
Just place a ‘#’ character at the beginning of each of those lines. Now it will just wait 5 seconds and then continue on.
To my surprise, the network was actually working just fine even though the script thinks it is not.

Just a note, do NOT remove the failsafe.conf file, otherwise it will hang the boot process indefinitely waiting for the network to be “configured.”

Windows netsh wlan command lines

To export a profile with password in clear, so that you can import it later:

netsh wlan export profile name="default2"  key=clear

list existing profiles: netsh wlan show profiles

  • To delete an existing WLAN profile: netsh wlan delete profile name="profilename"
  • To export a WLAN profile to an XML file: netsh wlan export profile name="SSID"  This will export the WLAN configuration to the .\ folder in XML format as Connection-SSID.XML
  • Import a WLAN profile on the target computer: netsh wlan add profile filename="c:\temp\filename.xml"

netsh wlan show interfaces
netsh wlan show drivers
netsh wlan show networks
netsh wlan connect name="ProfileName"
netsh wlan disconnect
netsh wlan dump > myconfig.txt
netsh exec myconfig.txt

To make your wifi an access point:
netsh wlan set hostednetwork mode=allow ssid=SomeSSID key=passphrase
netsh wlan start hostednetwork

October 5, 2015

mysql logging

Running the following was the simplest way to dump queries to a log file without restarting
SET global log_output = 'FILE';
SET global general_log_file='/Applications/MAMP/logs/mysql_general.log';
SET global general_log = 1;
can be turned off with
SET global general_log = 0;

September 27, 2015

Linux VNC alternative: x2go

The ideal Linux terminal server has finally come true.
It is called X2Go, and it's open source and free. It's based on the NX protocol and works great, with Windows/Mac/Linux clients. 

September 26, 2015

use supervisor to monitor your process

sudo apt-get install -y supervisor

Let's create a configuration for it called webhooks.conf. This file will be created at /etc/supervisor/conf.d/webhooks.conf:
[program:webhooks]   ; section name assumed from the file name
command=/usr/bin/node /srv/http.js
environment=SECRET_PASSPHRASE='this is secret',SECRET_TWO='another secret'

Then tell supervisor to pick it up:
supervisorctl reread
supervisorctl update

September 25, 2015

hg-git push: no changes found

If you use hg-git, and you know you have new changesets, but hg push is telling you "no changes found", using the following command may solve the problem:

hg bookmark -f master

This is because hg-git uses bookmark to simulate git branches. Somehow this bookmark wasn't moved with your latest hg update. So, this should fix it.

docker make file

# target name assumed; the recipe lines must be tab-indented
build:
	docker build --rm -t logtest:v1 .
	@docker rm  `docker ps -a  | awk '/Exited/ || /Created/ {print  $$1}'`
	@docker rmi `docker images | awk '/^<none>/{print $$3}'`
	docker ps -a
	docker images

Docker to find host IP address

netstat -nr | awk '/^0\.0\.0\.0/{print $2}'

September 17, 2015

join Linux to Windows domain

Use likewise-open

 PowerBroker Identity Services – Open Edition git repository: git://

Windows Machine Authentication:
A few very helpful links to me:
Many corporations deploy 802.1x machine authentication, because it's more secure than username authentication. Here's a guide on how to do such authentication.

The basic idea is that when a machine joins an AD domain, DC generates a password corresponding to that machine name. The password is transparent to administrators, but an open source software "likewise open" can get this password. So we can use machine name and password to do a 802.1x machine authentication, with PEAP-MSCHAPV2, other than EAP-TLS certificate.

The client is configured to provide some form of credentials when it connects to an 802.1x network.  These credentials could be in the form of a username/password, machine account/password, certificate, or a number of other lesser used credentials.

The RADIUS server (ISE in your case), just needs to be able to verify if the supplied credentials are accurate.  To verify username/password credentials, it can look in the local user database, or reach out to external repositories, such as AD.  To verify machine account/password credentials, it will need to reach out to AD.  To verify certificates, it need to have the CA cert of the server that signed the client certificates installed.

In short, the client is the one that decides the credentials to supply, and ISE just needs to be able to validate them.

When discussing machine or user account authentication, you can do one or the other or even do both on a per client basis.

If you only want to do machine authentication, that's fine.  A benefit to machine authentication is that it can be done before a user actually logs into the PC.  So things like login scripts can be run.  But you can only do this on a PC that is in AD (unless you want to consider enabling EAP-TLS with certificates).

If you only want to do user authentication, that's fine as well.  This will happen after the user has logged into the OS.  So your laptop will not have a network connection if it's just sitting at a login prompt.

You can also do both.  Historically how this has worked is that the PC will do machine authentication when it first boots up.  Then once a user logs in, it will do a new authentication with the user credentials.  Not very many people did this.  With the latest anyconnect client and ISE, you can actually do both at the same time now (I think they call it EAP chaining).  But again, not many people do this.

September 16, 2015

Using netcat to send udp broadcast packet

1. You need to be root on Linux
2. Make sure you use the traditional netcat. In Ubuntu, that's nc.traditional
3. To send a broadcast to the broadcast address on port 8080, do this:

       echo -n "hello" | nc -b -u 8080 
4. OR, use ncat:

       echo -n "hello" | ncat -u 8080 

5. OR, use socat:
echo -n "hello" | socat - udp-datagram:,broadcast

August 31, 2015

Why do some WiFi routers block multicast packets going from wired to wireless

It's usually due to bugs in the Wi-Fi home gateway routers (APs), or sometimes in the wireless client chipsets/drivers/software.
On Wi-Fi, sending multicasts from the AP to the wireless clients (this is known in the standard as "From the Distribution System" or "FromDS") is tricky, so there are lots of ways it can fail, and it's easy to introduce bugs.
  1. Even though the radio medium is unreliable enough that 802.11 unicasts are required to have link-level acknowledgements (ACKs) and get retransmitted several times if there's no ACK, FromDS multicasts are never ACKed because they'd need to be ACKed by all the wireless clients of the AP, which could be quite an "ACK storm". So instead, FromDS multicasts have to be sent at a low data rate; using a simpler, slower, easy-to-decode-even-at-low-signal-to-noise-ratios modulation scheme, that can hopefully be received reliably by all the clients of the AP. Some APs let the administrator set the multicast rate, and some administrators unwittingly set it too high for some of their clients to receive reliably, breaking multicast delivery to those clients.
  2. When WPA (TKIP) or WPA2 (AES-CCMP) encryption is in use, FromDS multicasts have to be encrypted with a separate encryption key that is known to all of the clients (this is called the Group Key).
  3. When a client leaves the network, or every hour or so, just for good measure, the Group Key needs to be changed so that the client that left no longer has access to decrypt the multicasts. This "Group Key Rotation" process sometimes has problems. If a client doesn't acknowledge receipt of the new group key, the AP is supposed to de-authenticate that client, but if it fails to do that due to a bug, a client could have the wrong group key and thus be "deaf" to multicasts without realizing it.
  4. When WPA2 "mixed mode" is enabled (that is, when both WPA and WPA2 are enabled at the same time), the FromDS multicasts typically have to be encoded with the TKIP cipher, so that all clients are guaranteed to know how to decode it.
  5. FromDS multicasts have to be queued up by the AP and only transmitted at times when all clients who care about multicasts can be expected to have their receivers powered on. The time between the "safe to transmit FromDS multicasts" periods is called the "DTIM interval". If the AP or clients screw up their DTIM interval handling, it could result in clients unable to receive multicasts reliably.
  6. Some APs have features to keep wireless clients from being able to talk directly to each other, to maybe keep your wireless guests from hacking your other wireless guests. These features usually block multicasts from WLAN devices to other WLAN devices, and could well be implemented in a naive way that even blocks multicasts from LAN to WLAN.
The crazy thing is, "ToDS" multicasts are done just like ToDS unicasts, and so they rarely break. And since ToDS multicasts (not FromDS multicasts) are all that are needed when a wireless client gets a DHCP lease and ARPs to find its default gateway, most clients are able to get connected and surf the web, check email, etc. even when FromDS multicasts are broken. So a lot of people don't realize they have multicast problems on their network until they try to do things like mDNS (a.k.a. IETF ZeroConf, Apple Bonjour, Avahi, etc.).
A couple other things to note, regarding wired to wireless multicast transmissions:
  1. Most LAN multicasts, such as mDNS, are done using special multicast address ranges that are not meant to be routed across routers. Since Wi-Fi-capable home gateways with NAT enabled count as routers, mDNS is not meant to cross from WAN to [W]LAN. But it SHOULD work from LAN to WLAN.
  2. Because multicasts on Wi-Fi have to be sent at a low data rate, they take up a lot of airtime. So they're "expensive", and you don't want to have too many of them. That's the opposite of how things work on wired Ethernet, where multicasts are "less expensive" than sending separate unicasts to each machine "tuning into a multicast video stream" for example. Because of this, many Wi-Fi APs will do "IGMP Snooping" to watch which machines are sending Internet Group Management Protocol (IGMP) requests, expressing their desire to tune into a given multicast stream. Wi-Fi APs that do IGMP Snooping won't automatically forward some classes of multicasts onto the wireless network unless they see a wireless client try to subscribe to that stream via IGMP. The documents that describe how to do IGMP Snooping properly make it clear that certain classes of low-bandwidth multicasts (mDNS fits in this category) are supposed to always be forwarded even if no one has explicitly asked for them via IGMP. However, I wouldn't be surprised if there are broken IGMP Snooping implementations out there that absolutely never forward any kind of multicast until it sees an IGMP request for it.
tl;dr: Bugs. Lots of opportunities for bugs. And occasional poorly-designed features and configuration errors. Your best defense is to buy high-quality APs from companies that care about making sure multicasts work. Since Apple loves Bonjour (mDNS) so much, Apple's APs are probably the most consistently excellent at passing multicasts reliably, and Apple's Wi-Fi client devices are probably the most consistently excellent at receiving multicasts reliably.

August 13, 2015

how to start/stop and disable/enable a service in Ubuntu

Look at the 2nd answer.


Currently there are actually 2 different ways for software to be started as a service in Ubuntu. A service is defined here as a program run by the system in the background, as opposed to one started and run directly by the user.
The traditional way to start services in Linux was to place a script in /etc/init.d, and then use the update-rc.d command (or in RedHat based distros, chkconfig) to enable/disable it. This command, btw, uses some mildly complicated logic to create symlinks in /etc/rc#.d, that control the order of starting services. If you run ls /etc/rc2.d you can see the order that services will be killed (K##xxxx) and started (S##xxxx).
The issue with that was that when booting the system, everything had to be done in serial, one thing after another, making system boot times really slow. Attempts were made to parallelize this, but they were haphazard and hard to take full advantage of. This was the main reason that Upstart was created.
Upstart uses job definition files in /etc/init to define on what events a service should be started. So, while the system is booting, upstart processes various events, and then can start multiple services in parallel. This allows them to fully utilize the resources of the system, for instance, by starting a disk-bound service up while another CPU-bound service runs, or while the network is waiting for a dynamic IP address to be assigned.
You can see all of the upstart job files by running ls /etc/init/*.conf
Let me just stop here and say that if you don't know what a service is, or what it does, DO NOT disable it!
Not all services have been converted to upstart. While working on the server team at Canonical for the past few months, I've worked on a number of converted job files, and the nicest part is that it allows one to get rid of all the script "magic" and just put in a few commands here and there to define exactly how to start the service, and nothing more. But for now, only a handful of traditional network services, like squid and samba, have been converted.
In order to figure out if a service is upstart based, you can run the status command:
status servicename
If it's an upstart job, it will show this:
$ status statd
statd start/running, process 942
But if it's not, you'll see something more like this:
$ status apache2
status: Unknown job: apache2
In this case, apache2 has not been converted to upstart. So, to disable apache2 you just run
sudo update-rc.d apache2 disable
sudo service apache2 stop
Upstart job definitions do not have an update-rc.d command. To disable the job, you need to edit the job file directly to disable it. There are two ways to do this.
If you want to still be able to manually start it, then you need to comment out the 'start on' condition. Say you want to install samba, but not have it start automatically. Here is its job file (in natty):
description "SMB/CIFS File Server"
author      "Steve Langasek <>"

start on local-filesystems
stop on runlevel [!2345]


pre-start script

    [ -r /etc/default/samba ] && . /etc/default/samba

    [ "$RUN_MODE" = inetd ] && { stop; exit 0; }

    install -o root -g root -m 755 -d /var/run/samba
end script

exec smbd -F
To disable it, you can just put a # in front of the 'start on local-filesystems'. Note that while it won't start back up on boot, you still need to stop it this time with
sudo service smbd stop
If, however, you never want it to start, I'd suggest actually removing the package. If, however, you want it installed, but not startable, you can also do:
mv /etc/init/smbd.conf /etc/init/smbd.conf.disabled
Starting with the version of upstart that will be in 11.04, there is a new keyword that disables the 'start on' and 'stop on' stanzas, it is 'manual'. So another way to disable the service as of 11.04 is to do:
command using sudo
echo 'manual' | sudo tee /etc/init/mysql.override

command from root shell
echo manual >> /etc/init/mysql.override
And, hopefully real soon, you will be able to create an "override" file to disable a service without editing the job definition at all, by just putting the 'manual' keyword in it.

July 16, 2015

gvim display GB2312 chinese

set guifont=NSimSun:h12:cGB2312

July 11, 2015

Simple Golang Example of os.exec on Windows

package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// doCmd splits the command line on whitespace and runs it directly
// (no shell is involved), returning whatever it wrote to stdout.
func doCmd(cmd string) string {
	parts := strings.Fields(cmd)
	head := parts[0]
	parts = parts[1:]
	out, err := exec.Command(head, parts...).Output()
	if err != nil {
		fmt.Println(err)
	}
	return string(out)
}

func main() {
	cmd := "netsh wlan show networks mode=bssid"
	out := doCmd(cmd)
	fmt.Printf("%s\n", out)
}
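As an added example (not code from the original post), here is a Go parser for the "key : value" text that the snippet above gets back from `netsh wlan show networks mode=bssid`; it groups each BSSID under its SSID and flags open or WEP/TKIP networks for review. `sampleScan` is constructed in netsh's layout, not a real capture.

```go
package main

import "fmt"
import "strings"

// Network is one SSID block from "netsh wlan show networks mode=bssid".
type Network struct {
	SSID, Auth, Encryption string
	BSSIDs                 []string // MAC of each AP beaconing this SSID
}

// Weak flags an open network or one still on WEP/TKIP for the admin's review.
func (n Network) Weak() bool {
	a, e := strings.ToUpper(n.Auth), strings.ToUpper(n.Encryption)
	return a == "OPEN" || strings.Contains(a, "WEP") || e == "WEP" || e == "TKIP"
}

// ParseNetworks splits each trimmed line on its first ':' (keys never contain one,
// MAC values do) and files the fields that follow an "SSID n" line under that SSID.
func ParseNetworks(out string) []Network {
	var nets []Network
	for _, raw := range strings.Split(out, "\n") {
		kv := strings.SplitN(strings.TrimSpace(raw), ":", 2)
		if len(kv) != 2 {
			continue // blank lines and "There are N networks..." have no ':'
		}
		key, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		switch {
		case strings.HasPrefix(key, "SSID "):
			nets = append(nets, Network{SSID: val})
		case len(nets) == 0: // "Interface name" header before the first SSID
		case strings.HasPrefix(key, "BSSID "):
			nets[len(nets)-1].BSSIDs = append(nets[len(nets)-1].BSSIDs, val)
		case key == "Authentication":
			nets[len(nets)-1].Auth = val
		case key == "Encryption":
			nets[len(nets)-1].Encryption = val
		}
	}
	return nets
}

// sampleScan is constructed text in netsh's layout, not a real capture.
const sampleScan = `Interface name : Wi-Fi
SSID 1 : HomeNet
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 02:00:00:00:00:01
    BSSID 2                 : 02:00:00:00:00:02

SSID 2 : CoffeeShop
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 02:00:00:00:00:03
`

func main() { fmt.Printf("%+v\n", ParseNetworks(sampleScan)) }
```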

Windows 7 WiFi scripting

To display all wireless interfaces:
netsh wlan show interfaces
To show the wireless drivers installed run this command. This is particularly interesting as exploits in drivers do exist and most admins do not pay as close attention to driver versions as other types of software:
netsh wlan show drivers
To list available wireless networks (similar to Linux’s iwlist scan option)
netsh wlan show networks
netsh wlan show networks mode=bssid (this shows more BSSID and signal strength)
To view profiles of networks saved on this machine:
netsh wlan show profiles
To make Windows connect to the specified profile (usually named after the SSID of the network):
netsh wlan connect name="ProfileName"
To export the profile details to an XML file (which includes an encrypted version of the PSK if applicable):
netsh wlan export profile name="ProfileName"

To delete a profile
netsh wlan delete profile name="ProfileName"

To Add a profile
netsh wlan add profile filename=c:\temp\myprofile.xml

The XML for a WPA2-PSK Wi-Fi network looks like this:

<?xml version="1.0"?>
<WLANProfile xmlns="">
<hex>HEX-of-your-network-name, for example, "abc" would be "616263"</hex>

Now crucially, here are the commands to turn the Windows 7 (or Server 2008 R2) into an Access Point sharing its existing wireless connection out to others:
netsh wlan set hostednetwork mode=allow ssid=SomeSSID key=passphrase
The hosted network is now created but it is not yet started. To start it, issue the command:
netsh wlan start hostednetwork
Your Windows box is now advertising a network “SomeSSID” (in this case) which other machines can connect to. No notification is given on the Windows box that this has happened and no further notification happens when someone connects.

Vivek stated Microsoft’s response was it wasn’t being exploited “in the wild” therefore nothing would be done about it. Happy WiFi backdooring. :-)

A simple C++ logger class


#ifndef __LOG1_H__
#define __LOG1_H__

#include <sstream>
#include <string>
#include <stdio.h>

// Collects a message in a string stream and writes it to stderr when the
// temporary Log object is destroyed at the end of the logging statement.
class Log
{
public:
    Log() {}
    ~Log();
    std::ostringstream& Get();
private:
    std::ostringstream os;
};

inline Log::~Log()
{
    os << std::endl;
    fprintf(stderr, "%s", os.str().c_str());
}

inline std::ostringstream& Log::Get()
{
    os << " " << ": ";   // prefix emitted before the message body
    return os;
}

#define log() Log().Get()

#endif //__LOG1_H__

Usage:

log() << "A loop with " << count << " iterations";

June 23, 2015

linux process with a lot of open sockets

/etc/sysctl.conf file:

# General gigabit tuning:
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_syncookies = 1
# this gives the kernel more memory for tcp
# which you need with many (100k+) open socket connections
net.ipv4.tcp_mem = 50576   64768   98152
net.core.netdev_max_backlog = 2500

then run as root: sysctl -p


sudo bash
ulimit -n 999999

May 27, 2015

ath9k create multiple interfaces

  • To create virtual interfaces:
    iw dev wlan0 interface add [virtual-sta-name] type station
    iw dev wlan0 interface add [virtual-ap-name] type __ap
    ip link set [interface-name] address [unique-mac-addr]
  • To delete virtual interface:
    iw dev [dev-name] del
  • use iw to check wlan device status

    $ cat /proc/net/wireless 
    Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE
     face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 22
     wlan0: 0000   56.  -54.  -256        0      0      0      0      0        0
    $ iw dev wlan0 link
    Connected to 00:10:7A:93:AE:BF (on wlan0)
        freq: 2462
        RX: 89045514 bytes (194863 packets)
        TX: 34783321 bytes (164504 packets)
        signal: -54 dBm
        tx bitrate: 48.0 MBit/s

May 26, 2015

openwrt unbind led gpios

    # Turn off the LEDs
    root@OpenWrt:/# echo "leds-gpio" > /sys/bus/platform/drivers/leds-gpio/unbind
    root@OpenWrt:/# cat /sys/kernel/debug/gpio
    GPIOs 0-21, ar2315-gpio:
    gpio-0   (sysfs               ) in  lo
    gpio-5   (reset               ) in  hi
    gpio-6   (sysfs               ) in  lo

Now you can use gpio export (i.e. echo 11 > /sys/class/gpio/export), and change 'direction' and 'value' of the gpio to directly control it.

use time to test multiple commands

    /usr/bin/time /bin/sh -c 'ls;pwd;ls'

May 20, 2015

cross compile openJDK for ARM

When I cross-compile OpenJDK 9 for ARM32 I pass the following configure
# these options tell openjdk to do a cross compile build.
# these two options enable zero
# specific options to make the build find the X and freetype headers and libraries found on the ARM32 root filesystem.
# the sysroot shall point to the ARM32 root file system; the build will use libraries inside the sysroot during linking native libraries.
# The tools dir contains binaries to run on the host x86 system; you may point this to your system root dir /
# in my case the tools I use have been compiled by buildroot, thus I use the buildroot tools dir.
# OpenJDK 9 requires OpenJDK 8; I point with boot jdk to an OpenJDK 8 image that can be run on the host x86 system.
# some parts of the openjdk build still expect that the cross compile tools are found in the system PATH
# on my system I have to explicitly tell where the tools are located because my cross compile toolchain is not found on the path.
# I use gcc to do the linking instead of ld because the openjdk build passes -Xlinker -z
When running make I pass the following options to make
# BUILD_CC and BUILD_LD shall point to host x86 executables.
# and finally the target, this will build compact profiles, jre and jdk all images profiles CONF=linux-arm-normal-zero-release
I have automated these configure and make options for openjdk 9 into buildroot build scripts
> I've done Zero builds before but have never used OpenJDK's cross-compile
> feature to build it on ARMv7. There is an Arm32 bit JIT in IcedTea[1],
> but I don't know if that can be cross-compiled.
If you cross compile icedtea then you need to make sure that the bytecode generator tool is compiled by the host x86 toolchain.
openembedded meta-java contains buildscripts that can cross compile the Arm32 JIT found in IcedTea.