networks: the Wi-Fi client does not have Internet access and can only ping the controller

I currently have a problem that only happened on Monday: the client connects to the Wi-Fi (Aruba) as usual, the IP and the profile match, but it can only ping the Aruba controller, not the local network. It usually resolves itself after a minute without my doing anything. Any suggestions on what to check?

authentication: OAuth2 flow architecture with an API and a static JS client

I am building a very security-conscious application. (All applications must be security-conscious, but this one may hold a lot of sensitive data.)

Assuming I will use a Vue / React JavaScript Single Page application that will authenticate with Google for user login:

  • There will be a Sign In With Google button on the page.

  • That button will take the user to Google, where the user may or may not give my site access to their resources.

  • Google will redirect to a callback URL, which I provided to Google when I signed up for API access.

  • That callback will receive a code that lets me make another call to get an access token and a refresh token.

I have 2 main questions:

Since I have a Vue / React JavaScript SPA that calls an API for resources (compared to a more traditional Rails / Django / Laravel / etc site), how does the redirect flow work? Should:

  1. Redirect to the static site, which makes the second AJAX call to get the access token / refresh token and then sends them to the server?
  2. Redirect to the API, which makes the second call internally, stores that data on the user in the database (or an associated table), and then redirects to the static site?
  3. Set up another complete microservice to perform authentication and update the user object?
  4. Anything else…

Once I choose a method to obtain the access token, when the user visits my site the Vue / React application will fetch the user object, which will give it the access token. Where should I store the access token securely on the client side?

  1. Have the server set the access token in an HttpOnly cookie, as one would with a JWT, but that is not something I have read about.
  2. I could store the access token in local storage, but that is not secure if the JavaScript on my site could be compromised.
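A sketch of option 2 above (the API receives Google's redirect, keeps the provider tokens server-side, and hands the browser only an opaque HttpOnly session cookie), added here as an illustration and not part of the question. `exchange_code` / `fake_exchange`, the in-memory stores and the cookie attributes are assumptions standing in for the real token-endpoint call and database.

```python
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed in-memory stand-ins for the API's database tables.
TOKEN_STORE: Dict[str, Dict[str, str]] = {}   # user_id -> provider tokens
SESSION_STORE: Dict[str, str] = {}            # session_id -> user_id


def begin_login() -> dict:
    """Create the anti-CSRF `state` before redirecting the browser to Google.
    It travels in a short-lived HttpOnly cookie and must come back unchanged."""
    state = secrets.token_urlsafe(32)
    cookie = f"oauth_state={state}; Path=/auth; HttpOnly; Secure; SameSite=Lax; Max-Age=600"
    return {"state": state, "set_cookie": cookie}


def handle_callback(query: Dict[str, str], cookies: Dict[str, str],
                    exchange_code: Callable[[str], Dict[str, str]]) -> dict:
    """Option 2: the API itself receives Google's redirect.
    `exchange_code` is a hypothetical hook for the server-to-server POST to
    Google's token endpoint; it returns access_token, refresh_token and sub."""
    expected = cookies.get("oauth_state", "")
    received = query.get("state", "")
    # Constant-time comparison of the state value.
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        return {"status": 400, "body": "state mismatch"}
    if "code" not in query:
        return {"status": 400, "body": "missing code"}

    tokens = exchange_code(query["code"])
    user_id = tokens["sub"]
    # Provider tokens stay on the server; the browser never sees them.
    TOKEN_STORE[user_id] = {"access_token": tokens["access_token"],
                            "refresh_token": tokens["refresh_token"]}
    # The browser only gets an opaque session id in an HttpOnly cookie,
    # so page JavaScript (compromised or not) cannot read it.
    session_id = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = user_id
    cookie = f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return {"status": 302, "location": "/app", "set_cookie": cookie}


def access_token_for(cookies: Dict[str, str]) -> Optional[str]:
    """API side: resolve the session cookie to the stored Google access token."""
    user_id = SESSION_STORE.get(cookies.get("session", ""))
    return None if user_id is None else TOKEN_STORE[user_id]["access_token"]


def fake_exchange(code: str) -> Dict[str, str]:
    """Constructed stand-in for Google's token endpoint (offline demo only)."""
    return {"access_token": f"at-{code}", "refresh_token": f"rt-{code}", "sub": "user-123"}
```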

ssh keys: how can I make Ansible use the signed SSH client certificate for connections?

I have implemented SSH CA-signed client certificates on my servers. sshd is configured on my servers with the following directive:

TrustedUserCAKeys /etc/ssh/trusted-users-ca.pem

I modified my local ssh config file so that my certificate is also sent when I connect to my servers:

Host *.internal.headincloud.be
        User centos
        IdentityFile ~/.ssh/datacenter-hic-deploy
        CertificateFile = ~/.ssh/datacenter-hic-deploy-cert.pub

This seems to work fine, and I can connect to my servers without needing an authorized_keys file.

However, Ansible cannot connect to my servers:

TASK [Gathering Facts] *********************************************************************************************************************************************************************
fatal: [postgres-01]: UNREACHABLE! => {"changed": false, "msg": "SSH Error: data could not be sent to remote host "192.168.90.40". Make sure this host can be reached over ssh", "unreachable": true}

As I mentioned, I can connect via ssh very well.

I suspect that Ansible is not sending the certificate file, and that is why I cannot connect.

I tried to modify my ansible.cfg as follows:

ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -i ~/.ssh/datacenter-hic-deploy-cert.pub

or

ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -i /Users/jeroenjacobs/.ssh/datacenter-hic-deploy-cert.pub

Neither of those works.

I can't find a way to tell Ansible how to do this. Does anyone have an idea?

SSL certificate – httpd and curl: configuring the HTTPS connection from a p12 file for client validation

I am deploying an httpd. I need to configure SSL to validate the client using its client certificate.

To do that I have a p12 file containing the private key, the client certificate and the CA chain certificates:

CA chain certificates:

➜ ~ openssl pkcs12 -in fitxers.p12 -cacerts -nokeys
Bag Attributes
    ...
-----BEGIN CERTIFICATE-----
$$$$$$$...
-----END CERTIFICATE-----
Bag Attributes
    ...
-----BEGIN CERTIFICATE-----
$$$$$$$...
-----END CERTIFICATE-----

Client certificate:

➜ ~ openssl pkcs12 -in fitxers.p12 -clcerts -nokeys
Bag Attributes
    ...
-----BEGIN CERTIFICATE-----
$$$$$$$...
-----END CERTIFICATE-----

Client's private key:

➜ ~ openssl pkcs12 -in fitxers.p12 -nocerts
Bag Attributes
    ...
-----BEGIN PRIVATE KEY-----
$$$$$$$...
-----END PRIVATE KEY-----

To split this p12 into separate cert and key files:

➜ ~ openssl pkcs12 -in container.p12 -nocerts -out client.key.pem
➜ ~ openssl pkcs12 -in fitxers.p12 -clcerts -nokeys -out client.crt
➜ ~ openssl pkcs12 -in fitxers.p12 -cacerts -nokeys -out cacerts.crt

So, with those, I configured my httpd as:

SSLEngine On
SSLCACertificateFile /usr/local/apache2/conf/cacerts.crt
...

I am trying to make the connection using curl:

curl --cert client.crt --key client.key.pem https://localhost:8080/token -v
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
Enter PEM pass phrase:
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

In the httpd server logs I get:

[Tue Sep 17 11:17:28.144219 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH01964: Connection to child 68 established (server 10.0.2.47:443)
[Tue Sep 17 11:17:28.148318 2019] [ssl:debug] [pid 8:tid 139871525332736] ssl_engine_kernel.c(2375): [client 10.0.2.4:52926] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Tue Sep 17 11:17:28.155178 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH02008: SSL library error 1 in handshake (server 10.0.2.47:443)
[Tue Sep 17 11:17:28.155569 2019] [ssl:info] [pid 8:tid 139871525332736] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46)
[Tue Sep 17 11:17:28.155609 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH01998: Connection closed to child 68 with abortive shutdown (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.114529 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH01964: Connection to child 69 established (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.114667 2019] [ssl:debug] [pid 8:tid 139871448463104] ssl_engine_kernel.c(2354): [client 10.255.0.2:48060] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Sep 17 11:19:01.114674 2019] [ssl:debug] [pid 8:tid 139871448463104] ssl_engine_kernel.c(2354): [client 10.255.0.2:48060] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Sep 17 11:19:01.114679 2019] [core:debug] [pid 8:tid 139871448463104] protocol.c(2314): [client 10.255.0.2:48060] AH03155: select protocol from , choices=h2,http/1.1 for server 10.0.2.47
[Tue Sep 17 11:19:01.117705 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH02008: SSL library error 1 in handshake (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.117827 2019] [ssl:info] [pid 8:tid 139871448463104] SSL Library Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (SSL alert number 48)
[Tue Sep 17 11:19:01.117858 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH01998: Connection closed to child 69 with abortive shutdown (server 10.0.2.47:443)

I have also tried using cacerts.pem with curl: curl --cacert ./cacerts.pem --cert client.crt --key client.key.pem https://localhost:8080/token -v

Any ideas?

Architecture: What is the cleanest way to code predictable client / server components?

I would post this as a comment, but I haven't been in this section of StackExchange long enough to have 50 points.

The question of how to architect any code largely comes down to three factors:

  1. Best practices
  2. Design patterns
  3. Opinion

The answer to "What is the cleanest way to architect the code (server)?" really depends on what the server is doing.

However, there is one really important thing to keep in mind: encapsulation.

It doesn't matter if you are writing a video game or banking software, "Server" and "Client" are best treated as two different pieces of software that communicate with each other.

Speaking from a C++ / C# background:

I would put the server code in a .dll and create a user interface in the client application to interact with this library. (And if necessary, a separate UI for server administration.) All server code will run completely independently.

(If you are using Java, a .jar is a close equivalent to a .dll.)

If you want reference material, a good place to start would be to look at a simple tutorial of the client-server chat program.

From there, you will also want to look at the multi-threaded design.

Finally, do some research on systems analysis (specifically diagramming a system as a flowchart). The secret to writing ANY "clean" code is to design it first as a flowchart.

Ultimately, it comes down to standard design patterns and OOP principles. But a good start is to: A. treat "client" and "server" as completely separate programs, and B. see the "server" like any other type of software, i.e. code that executes instructions. (Many people who start with server-side coding see it as some special, unique type of program. It isn't; it's just a program.)

Some examples:

Runescape is a great example of encapsulation.

The client is almost entirely UI. It shows images to the player and takes input (text, mouse clicks). This input is sent to the server. The server then sends instructions to the client about what to display.

Another example would be games like Empyrion or Jedi Academy. These games run the server whether or not players are actually connected. While there are user interface functions in the game to control the server, the server itself runs as a separate program. (You can often see a console window.) When it is time to exit, the client application simply sends a command to the server to shut down.

hmac: is it safe to share an Azure SAS token with an untrusted client?

We need to host files in Azure Blob Store and allow end users access to their generated "declarations" (pdf) for a short period of time.

We are considering achieving this by generating a short-lived SAS token and sending it to the user (this user can be anyone on the Internet, therefore "untrusted").

Are SAS tokens safe enough? They are HMAC-SHA256 tokens, so I am not sure whether a person could discover our genuine account key by brute force (that is, generate tokens with random keys until one matches the HMAC-SHA256 signature).
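An added illustration, not from the question and a simplified stand-in for Azure's real SAS string-to-sign, of what the recipient of an HMAC-SHA256 token can and cannot do with it: the field names are assumptions, the 64-byte key is constructed to match the size of a storage account key, and the verifier shows that changing the expiry or permissions, or signing with a guessed key, is rejected.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed 64-byte key, the same size as an Azure Storage account key;
# guessing a key of this size until a MAC matches is not a practical attack.
ACCOUNT_KEY = base64.b64encode(os.urandom(64)).decode()


def string_to_sign(fields: dict) -> str:
    """Canonical text covering every field the token grants (simplified layout)."""
    return "\n".join(fields[k] for k in ("sp", "st", "se", "sr", "resource"))


def sign_token(fields: dict, key_b64: str) -> dict:
    """Mint a token: the fields in the clear plus an HMAC-SHA256 'sig' over them."""
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign(fields).encode(),
                   hashlib.sha256).digest()
    return {**fields, "sig": base64.b64encode(mac).decode()}


def verify_token(token: dict, key_b64: str, now: datetime) -> bool:
    """What the service does per request: recompute the MAC with the account
    key, compare in constant time, then enforce the signed time window."""
    fields = {k: v for k, v in token.items() if k != "sig"}
    expected = sign_token(fields, key_b64)["sig"]
    if not hmac.compare_digest(expected.encode(), token.get("sig", "").encode()):
        return False
    start = datetime.fromisoformat(fields["st"])
    expiry = datetime.fromisoformat(fields["se"])
    return start <= now < expiry


def issue_short_lived(resource: str, now: datetime, minutes: int = 15) -> dict:
    """Server side: grant read-only access to one blob for a short window."""
    fields = {
        "sp": "r",                                              # read only
        "st": now.isoformat(),                                  # start time
        "se": (now + timedelta(minutes=minutes)).isoformat(),   # expiry
        "sr": "b",                                              # single blob
        "resource": resource,
    }
    return sign_token(fields, ACCOUNT_KEY)


def demo_now() -> datetime:
    """Fixed timestamp used by the demo below (constructed)."""
    return datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def wrong_key() -> str:
    """A key an attacker might guess (constructed, all zero bytes)."""
    return base64.b64encode(b"\x00" * 64).decode()
```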

web application: is there any danger for client port scanning?

Are there security risks associated with client-side port scanning? Or, more specifically, with a "trustworthy" site (e.g. a banking website) that loads JavaScript that tries to connect to multiple localhost ports?

This seems suspicious to me, but it seems to be an emerging (or standard?) practice, as mentioned in these previous questions here:

Strange Payment Gate

In addition, some Redditors noted that Facebook and banking sites also do this:

why is Facebook checking my open ports? from AskNetsec

Why is my internet banking is scanning for VNC/RDP? from AskNetsec

And cybersecurity researcher Paul Moore also looked into suing over this:

Is the Halifax Conducting “Unauthorised” Port Scans?

https://www.theregister.co.uk/2018/08/07/halifax_bank_ports_scans/

So what is really happening? Why are they doing this? Can there be security or privacy risks involved?

This answer suggests that they may be doing it for some kind of threat detection or anti-fraud process, but it all still seems suspicious.

How do I allow an OpenVPN client (W10) to use the DNS server (BIND9) that resides on the OpenVPN server (Ubuntu 16.04)?

I have Ubuntu 16.04 (Desktop Edition) with the OpenVPN server and BIND9 installed. I used a script when I installed OpenVPN. My OpenVPN client is a W10 netbook with a 4G USB modem.

When I chose to use Google DNS during the OpenVPN installation, I could browse the Internet through OpenVPN just fine (on my W10 OpenVPN client machine). But if I choose to use the current DNS configuration (that is, my own BIND9 server), then I can connect from the client to the server, but DNS does not work. I know that I have to edit the OpenVPN server configuration file server.conf and also the client OpenVPN file client.ovpn. And I don't know exactly whether my DNS server (BIND9) is configured correctly to play this role.

When I open the W10 CMD and run ipconfig /all, I see the DNS server with the correct IP of my BIND9 server (in reality, it is the public IP of my Ubuntu machine). However, DNS does not work on the client machine, and I could not find a complete step-by-step manual on how to enable this scheme.

multi-thread – Reverse-TCP client and server in python

I have written a small project, initially designed to help me remotely control my home PC from my office. I had to deal with an annoying firewall, so I wrote it as a reverse TCP setup (which means the client connects to the server, but the server is the one that gives the orders).

Anyway, I have now tried to convert my simple socket server into a ThreadingTCPServer, but when each client connects for the first time I am using a thread-unsafe dictionary to keep each client's thread-safe queue.

I am sure that this is not best practice, and I would love to hear your opinion on the alternatives. As you can see, I tried to implement a threading.Lock() object at some point, but it completely paralyzed my program and I could not understand the logic of it. Everything seems fine without it, but I bet I'm missing something, so I came here for you to tell me what.

Full server.py code:

import argparse
import os
import queue
import threading
from pathlib import Path
from socketserver import ThreadingTCPServer, BaseRequestHandler
from typing import Dict

import tools
from tools.headers import Header, ServerCommandHeader, Protocols, footer

__version__ = 2
client_dir = Path(tools.script_dir).parent.joinpath('clientdata')

# shared_dict_lock = threading.Lock()
shared_queue_dict = {}  # type: Dict[str, queue.Queue]


class InputThread(threading.Thread):
    def __init__(self) -> None:
        super().__init__(name='InputThread', daemon=True)

    def run(self) -> None:
        while True:
            # with shared_dict_lock:
            cmd = input()
            if cmd == 'clients':
                print(shared_queue_dict.keys())
                continue  # keep the input thread alive for the next command
            try:
                first, last, cmd = cmd.split(maxsplit=2)
                client = f'{first} {last}'
                if client not in shared_queue_dict.keys():
                    raise ValueError
            except ValueError:
                print('You must enter a connected client AND the command!')
            else:
                cmd = ServerCommandHeader(cmd)
                shared_queue_dict[client].put(cmd, True)


class OmniCHandler(BaseRequestHandler):
    def __init__(self, *args, **kwargs):
        self.header = None
        self.client_name = 'Anonymous Client'
        super().__init__(*args, **kwargs)

    def handle(self):
        raw_data = b''
        while Header.header_end_marker.encode() not in raw_data:
            raw_data += self.request.recv(tools.network.BUFFER)
            # print(f'Received packet: {raw_data}')
        self.header = Header.from_bytes(raw_data)
        # print(f'Received: {self.header}')
        try:
            self.client_name = self.header.metadata('sender')
        except KeyError:
            self.client_name = 'Anonymous Client'
        protocol = self.header.protocol()
        if protocol == Protocols.CREG:
            self.handle_client_registration()
        elif protocol == Protocols.CRES:
            self.handle_client_response()
        elif protocol == Protocols.FT:
            self.handle_incoming_file_transfer()
        else:
            print(f'Unknown protocol from client {self.client_name}: {self.header}')

    def handle_client_registration(self):
        # print(f'Client connected: {self.client_name} {self.client_address}')
        # with shared_dict_lock:
        if self.client_name not in shared_queue_dict:
            shared_queue_dict[self.client_name] = queue.Queue()
        print(f'Client registered: {self.client_name} {self.client_address}')
        # print(shared_queue_dict)
        while True:
            # with shared_dict_lock:
            cmd = shared_queue_dict[self.client_name].get(True)  # type: ServerCommandHeader
            # print(f'Sending command: {cmd}')
            self.request.send(bytes(cmd))

    def handle_client_response(self):
        server_cmd = self.header.metadata('command')
        response = self.header.metadata('response')
        print(f'Reply from {self.client_name} {self.client_address}: {response} (command was: {server_cmd})')

    def handle_incoming_file_transfer(self):
        self.request.send(bytes(self.header))  # Reply with same header to confirm start of file transfer
        dest_path = str(self.header.metadata('dest_path'))
        source_path = str(self.header.metadata('source_path'))
        if ':' in dest_path:
            dest_path = source_path.replace(':', '')
            dest_path = client_dir.joinpath(dest_path)
        # print(source_path, dest_path)
        dest_path = client_dir.joinpath(self.client_name).joinpath(dest_path).resolve()
        # Both path fields come from the client: refuse anything that resolves outside clientdata/
        if client_dir.resolve() not in dest_path.parents:
            print(f'Rejected destination path from {self.client_name}: {dest_path}')
            return
        os.makedirs(str(dest_path.parent), exist_ok=True)

        marker = bytes(footer)
        with open(str(dest_path), 'wb') as f:
            data = self.request.recv(tools.network.BUFFER)
            while data:  # an empty read means the client went away
                if marker in data:
                    f.write(data[:data.index(marker)])  # final chunk: keep payload, drop footer
                    break
                f.write(data)
                data = self.request.recv(tools.network.BUFFER)


class OmniCServer(ThreadingTCPServer):
    def __init__(self, server_address: tuple) -> None:
        self.input_thread = InputThread()
        super().__init__(server_address=server_address, RequestHandlerClass=OmniCHandler)

    def serve_forever(self, *args, **kwargs):
        self.input_thread.start()
        super().serve_forever(*args, **kwargs)


if __name__ == '__main__':
    main_parser = argparse.ArgumentParser()
    main_parser.add_argument('--port', default=9999, type=int, help='Port to listen for new connections')
    parser_args = main_parser.parse_args()
    server = OmniCServer(('localhost', parser_args.port))
    server.serve_forever()

I tried to scale it to fit multiple use cases and to allow more extensions to be incorporated as well. I would love to hear your opinion in general. If you're interested, the complete project is here: https://github.com/ofersadan85/OmniClient
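One way to make the shared client table safe, added here as a suggestion and not code from the OmniClient project: the lock covers only the dictionary lookups and inserts, so no thread ever blocks on `input()` or `queue.get()` while holding it (which is what freezes the program when `with shared_dict_lock:` wraps those calls). `simulate_handlers` is a constructed stand-in for the per-client handler threads.

```python
import queue
import threading
from typing import Dict, List, Optional


class ClientRegistry:
    """Lock-protected map of client name -> that client's command queue.
    The lock guards only dict reads/writes, never a blocking call: holding it
    across input() or queue.get() is what froze the original program."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._queues: Dict[str, "queue.Queue[str]"] = {}

    def register(self, name: str) -> "queue.Queue[str]":
        with self._lock:
            return self._queues.setdefault(name, queue.Queue())

    def names(self) -> List[str]:
        with self._lock:
            return sorted(self._queues)

    def send(self, name: str, cmd: str) -> bool:
        """Operator side: enqueue a command; False if the client is unknown."""
        with self._lock:
            q = self._queues.get(name)
        if q is None:
            return False
        q.put(cmd)
        return True

    def next_command(self, name: str, timeout: Optional[float] = None) -> Optional[str]:
        """Handler side: block on the client's own queue, outside the lock."""
        with self._lock:
            q = self._queues.get(name)
        if q is None:
            return None
        try:
            return q.get(timeout=timeout)
        except queue.Empty:
            return None


def simulate_handlers(registry: ClientRegistry, clients: List[str], cmd: str) -> Dict[str, str]:
    """Constructed demo: one thread per client registers and waits for a
    command, as handle_client_registration does; the operator thread then
    sends `cmd` to each. Returns what every client received."""
    received: Dict[str, str] = {}
    ready = threading.Barrier(len(clients) + 1)

    def handler(name: str) -> None:
        registry.register(name)
        ready.wait()                       # all clients registered
        got = registry.next_command(name, timeout=5)
        if got is not None:
            received[name] = got           # each thread writes only its own key

    threads = [threading.Thread(target=handler, args=(c,), daemon=True) for c in clients]
    for t in threads:
        t.start()
    ready.wait()                           # operator waits for registrations
    for c in clients:
        registry.send(c, cmd)
    for t in threads:
        t.join(timeout=5)
    return received
```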

magento2 – Magento 2: how to verify if the customer changed their password?

You can verify / compare the customer's previous password and the updated password value with the following code.

<?php
// The class header was cut off in the original listing and is reconstructed
// here; the namespace and class name are placeholders, not from the post.
namespace Vendor\Module\Observer;

use Magento\Framework\App\ResourceConnection;
use Magento\Framework\Encryption\EncryptorInterface;
use Magento\Framework\Event\Observer;
use Magento\Framework\Event\ObserverInterface;
use Magento\Framework\Message\ManagerInterface;
use Magento\Framework\ObjectManagerInterface;

class CustomerPasswordObserver implements ObserverInterface
{
    protected $encryptor;
    protected $_messageManager;
    protected $objectManager;

    public function __construct(
        EncryptorInterface $encryptor,
        ManagerInterface $messageManager,
        ObjectManagerInterface $objectManager
    ) {
        $this->encryptor = $encryptor;
        $this->_messageManager = $messageManager;
        $this->objectManager = $objectManager;
    }

    public function execute(Observer $observer)
    {
        $customer = $observer->getEvent()->getCustomer();
        $currentPasswordHash = $this->getCurrentPasswordHash($customer->getEntityId());
        try {
            $newPasswordHash = $this->encryptor->encrypt("new password value");
            if ($currentPasswordHash == $newPasswordHash) {
                // password is the same
                $this->_messageManager->addWarning(__("New Password is same as current password. Please choose another one"));
            }
        } catch (\Exception $e) {
            echo 'Error::' . $e->getMessage();
        }
    }

    private function getCurrentPasswordHash($customerId)
    {
        $resource = $this->objectManager->get(ResourceConnection::class);
        $connection = $resource->getConnection();
        // Bind the id as a parameter instead of concatenating it into the SQL string.
        $sql = "SELECT password_hash FROM customer_entity WHERE entity_id = :customer_id";
        return $connection->fetchOne($sql, ['customer_id' => (int) $customerId]);
    }
}

Also, if you want to decrypt password values to compare and verify, you can use the following line of code in your observer.

$decrypt = $this->encryptor->decrypt("password hash");

I hope that helps!!!