Mar 20, 2016

Hello World!

It’s been a while since my last post, so I’ve decided to make a magnificent one 🙂

Jokes apart, this setup took me a full Sunday, hence I thought I'd recap it for future reference.

The whole story started with a Python script on my Mac OS X machine that was unable to retrieve a JSON response from a specific HTTPS site, whereas the exact same script ran like a champ on Kali Linux.

And to make things even more complicated, the same URL worked fine using cURL or wget on OS X!

Comparing the two packet captures, I found that the issue was in the Client Hello part of the SSL handshake: the Python script was proposing TLSv1.0, which the server was not willing to accept. The correctly working commands and scripts were all using TLSv1.2.

This led me to discover that OS X El Capitan ships by default with an old (and vulnerable) version of OpenSSL, 0.9.8zg, which does not support the TLSv1.2 I needed. Consequently, the Python 2.7.10 included in El Capitan also had issues with TLS, since the bundled pyOpenSSL module was linked against that OpenSSL version.

To upgrade, I did the following:

  • Upgrade OpenSSL
    Not that easy, since you first have to install the latest OpenSSL via Homebrew (this is the easy part: brew update and brew install openssl).
    But then you need to rename the system openssl (/usr/bin/openssl) to something else and run sudo ln -s <your brew openssl executable> /usr/bin/openssl
    Before you can do that, you need to reboot your Mac in Recovery Mode (CMD+R when you hear the chime at boot), select Terminal from the Utilities menu and type csrutil disable. This command disables System Integrity Protection and lowers your system's security level until you reverse the change.
    Then type the command reboot to restart your machine, open a Terminal and proceed with the linking described above.
    Reboot again, enter Recovery Mode and re-enable System Integrity Protection with the command:
    csrutil enable
  • Upgrade Python to 2.7.11
    This is trivial… just grab your version here and install from the DMG image.
  • Upgrade the pyOpenSSL module to one linked with TLSv1.2 support
    It took me a while to find the right command, since you need to issue it with the proper user indication:
    pip install --upgrade pyopenssl==0.15.1 --user

That should give you an OS X environment fully enabled with an upgraded OpenSSL (at the time of writing mine is 1.0.2g) and a Python environment correctly supporting TLSv1.2.
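The diagnosis above came from reading the Client Hello in a packet capture. The following added example (my own code, not part of the original post) parses the version fields of a TLS Client Hello record so you can check what a client is proposing without opening Wireshark, and also checks whether the local OpenSSL build is new enough for TLSv1.2 (support arrived in OpenSSL 1.0.1, so 0.9.8zg is out). The two Client Hello messages are constructed in the script for demonstration; they are not captured traffic. The parser handles both the pre-TLS 1.3 style (only client_version) and the supported_versions extension, which is more than the post needed.

```python
import ssl
import struct

VERSION_NAMES = {
    0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
    0x0303: "TLSv1.2", 0x0304: "TLSv1.3",
}
EXT_SUPPORTED_VERSIONS = 0x002B  # supported_versions extension (RFC 8446)


def version_name(v):
    return VERSION_NAMES.get(v, hex(v))


def build_client_hello(client_version, cipher_suites, supported_versions=None):
    """Build a constructed (not captured) ClientHello record for exercising the parser."""
    body = struct.pack("!H", client_version)
    body += b"\x11" * 32                      # client random, fixed for the sample
    body += b"\x00"                           # empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                       # one compression method: null
    if supported_versions is not None:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_data = bytes([len(vers)]) + vers
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # Record header: content type 22 (handshake); the legacy record version stays TLSv1.0
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(data):
    """Extract the version fields from a ClientHello: the same bytes you look at in
    a capture to see what the client is proposing."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", data[1:5])
    hs = data[5:5 + record_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                             # skip client random
    pos += 1 + body[pos]                      # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                      # skip compression methods
    supported = []
    if pos + 2 <= len(body):                  # extensions block is optional
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and edata:
                n = edata[0]                  # byte length of the version list
                supported = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return {
        "record_version": record_version,
        "client_version": client_version,
        "supported_versions": supported,
        "cipher_suites": cipher_suites,
    }


def offers_tls12(data):
    """True if the client is willing to negotiate TLSv1.2. With supported_versions the
    list is explicit; otherwise client_version is the highest version offered."""
    info = parse_client_hello(data)
    if info["supported_versions"]:
        return 0x0303 in info["supported_versions"]
    return info["client_version"] >= 0x0303


def local_openssl_supports_tls12():
    """TLSv1.2 arrived in OpenSSL 1.0.1; El Capitan's 0.9.8zg predates it."""
    return ssl.OPENSSL_VERSION_INFO[:3] >= (1, 0, 1)


if __name__ == "__main__":
    old = build_client_hello(0x0301, [0x002F, 0x0035])                       # what the 0.9.8 stack sent
    new = build_client_hello(0x0303, [0xC02F, 0x009C], supported_versions=[0x0304, 0x0303])
    for label, hello in (("old stack", old), ("upgraded stack", new)):
        info = parse_client_hello(hello)
        print(label, version_name(info["client_version"]), "offers TLSv1.2:", offers_tls12(hello))
    print("local", ssl.OPENSSL_VERSION, "supports TLSv1.2:", local_openssl_supports_tls12())
```

Feed `parse_client_hello` the raw bytes of the first record from a capture (Wireshark: right-click the packet, Copy as Hex Stream, then `bytes.fromhex(...)`) and it tells you whether the client side is the one stuck on TLSv1.0.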

Happy encryption!

Jun 21, 2015

It's been a while since I posted anything on this blog, so I'll engage in something cool now 🙂

And in something I will need one day or another: a collection of very, very useful networking commands available for Linux.

Let's start with an easy one: iperf and its variant with more options, netperf.
Very useful to measure TCP/UDP performance between two hosts by pumping traffic either one way or bidirectionally.
In the simplest usage, on one server you run iperf -s and get the following output:

$ iperf -s
Server listening on TCP port 5001
TCP window size:  128 KByte (default)


On the client, you run iperf -c <destination_host> -f m (the -f m option gives the output in Mbps) and after a few seconds you'll see:

root@facchina:~# iperf -c -f m
Client connecting to, TCP port 5001
TCP window size: 0.02 MByte (default)
[  3] local port 48643 connected with port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  1122 MBytes   941 Mbits/sec

Rather cool, huh? And there are countless options…
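To show what iperf is actually doing under the hood (one side listens, the other pushes a stream, and the receiver divides bytes by elapsed time), here is an added example in Python that I wrote for this page; it is a toy, not iperf or netperf, and it measures only a single TCP stream over the loopback interface, so the number it prints is your kernel's memory bandwidth rather than a network figure. Run it on two real hosts by splitting the server and client halves and replacing 127.0.0.1 with the server address.

```python
import socket
import threading
import time


def _serve_once(listener, result):
    """Server side (iperf -s): accept one client, read until EOF, record bytes and time."""
    conn, _ = listener.accept()
    with conn:
        start = time.perf_counter()
        total = 0
        while True:
            chunk = conn.recv(256 * 1024)
            if not chunk:                      # EOF: client finished pumping
                break
            total += len(chunk)
        result["bytes"] = total
        result["seconds"] = time.perf_counter() - start


def measure_tcp_throughput(payload_bytes, chunk_size=64 * 1024, host="127.0.0.1"):
    """Client side (iperf -c): push payload_bytes over one TCP connection and return
    (bytes_received, megabits_per_second) as seen by the receiver."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))                   # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    server = threading.Thread(target=_serve_once, args=(listener, result))
    server.start()

    chunk = b"\x00" * chunk_size
    sent = 0
    with socket.create_connection((host, port)) as client:
        while sent < payload_bytes:
            n = min(chunk_size, payload_bytes - sent)
            client.sendall(chunk[:n])
            sent += n
        client.shutdown(socket.SHUT_WR)        # signal EOF so the server stops its clock
    server.join()
    listener.close()
    # -f m style: megabits per second, guarding against a zero-length interval
    mbps = result["bytes"] * 8 / 1_000_000 / max(result["seconds"], 1e-9)
    return result["bytes"], mbps


if __name__ == "__main__":
    received, mbps = measure_tcp_throughput(16 * 1024 * 1024)
    print(f"{received / 1e6:.1f} MBytes  {mbps:.0f} Mbits/sec")
```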

The second one I'm sharing with you is tcptrack. A fantastic tool to keep track of the TCP connections happening on your machine and how active they are. When you type tcptrack -i <interface>, here's what you get:

Let's continue with bmon, specifically conceived to monitor interface traffic while keeping historical info in the view:

Another great one to detect programs eating bandwidth is nethogs, shown here below in a running sample:


And then, a really cool one I use VERY frequently: iftop, to check the bandwidth used by every connection on the machine.


To conclude this list of tools I selected speedometer, a very nice and clean tool to display network traffic information with quite a few options.

That’s all folks… enjoy!


Dec 21, 2014

That. Was. Easy.

These are the three words that a fancy button says whenever I press it. That button was a gift from an ex-colleague of mine and it says it all! Once you've done it, that was easy 🙂

Exactly like when you try to configure remote port monitoring on an HP v1910 switch. Once upon a time (and I'm really speaking about 20 years ago) a company called 3Com had a slogan saying “the network that goes the distance”. Then they were bought, approximately 4 years ago, by HP, but that philosophy remained. A philosophy which says that it does not matter if you have a small switch: the features you need must be there. Maybe a bit hidden… maybe only from the CLI.

It happens that some good 3Com switches were rebranded as HP around the second half of 2010. All those switches, under the name of the v1910 series, come with a lifetime warranty!!! If you do not believe it, just click here and insert your switch serial number.

But besides the good policies, I've decided to write this nice post since today I reached the nirvana of my home network: two HP v1910 switches, 16 and 24 ports respectively, configured for remote port monitoring.

Continue reading »

Oct 14, 2014

With a decent approximation, it is now well over 30 years that I have been using a keyboard.

And there have been oh so many times I've cursed the difficulty of reproducing accented characters on US keyboards, forcing the user to find alternative ways, like writing the vowel followed by an apostrophe (for example, a' instead of à)… not correct, but still understandable.

Until today, when my colleague SerKill (yes, that is his nickname) revealed to me the existence of the US International keyboard layout.

If you configure your laptop to use it (on a Mac, it is System Preferences – Keyboard – Input Sources…), when you want to type an accented vowel you simply press the accent first and then the letter.

Which accent key you have to press depends on whether you want an acute or a grave accented vowel, as shown in the keyboard layout below:

It is true that you never stop learning…

Thanks, SerKill!

Oct 12, 2014

Pretty long title for a pretty long piece of work, which took me longer than initially thought. And because I've sorted it out by blending info from multiple sites, here we go with a unified post.

Let’s start with the goal.

I wanted to have root access to my home machine via SSH/SFTP with a strong authentication system; but I also wanted to offer a friend of mine access to an externally connected hard drive with a simple password.

And to keep everything more secure, I wanted to have this guy chrooted into the directory he can log in to.

I will not cover the strong authentication setup, since there are very good instructions on their site.

To enable strong authentication only for root, I had to modify my /etc/ssh/sshd_config file a little bit, as shown below.

  • disable PAM integration, by putting a hash at the beginning of the line:
    # UsePAM yes

    This is needed since we're going to use the Match Group directive

  • insert the following lines below the Subsystem sftp /usr/lib/openssh/sftp-server section:
    Match Group root
    ForceCommand /usr/sbin/login_duo

Save and exit, restart the ssh service and test: if you try to ssh into the system, after you type in the root username and the password, something similar to what is reported below should appear:

$ ssh root@
root@'s password: 
Duo two-factor login for root
Enter a passcode or select one of the following options:
 1. Duo Push to +XX XXX XXX 1791
 2. Phone call to +XX XXX XXX 1791
 3. SMS passcodes to +XX XXX XXX 1791
Passcode or option (1-3):

Once you choose (for example) 1 and confirm on your authentication device, the login will complete.

To enable chrooted access for my friend without forcing him to enroll in strong auth, I created an sftp group with the command:

groupadd sftp

Then I added him to this group with the command:

usermod -G sftp <login name>

I have also disabled his shell with the command (the shell must be a non-interactive one, otherwise it is not disabled):

usermod -s /usr/sbin/nologin <login name>

and set his home directory to my external disk with the command:

usermod -d /media/external/friend <login name>

Finally, I created the following entries for sftp in the /etc/ssh/sshd_config file under the Subsystem sftp /usr/lib/openssh/sftp-server section, as shown below.

Match Group sftp
 ChrootDirectory /media/external/friend
 AllowTCPForwarding no
 X11Forwarding no
 ForceCommand internal-sftp

Nota bene: the directory friend must be owned by root with 700 rights. Because my friend is part of the sftp group, to allow him to upload content I needed to create a directory upload below the directory friend and chown that directory to his login name, as shown below:


If you want some more background info about why you need to change the ownership and set the rights as mentioned, check here.

Once you've completed all the editing, remember to restart the ssh service with the command

service ssh restart
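Two things in this setup are easy to get subtly wrong: which Match block sshd ends up applying to a given login, and whether the ChrootDirectory passes sshd's ownership check. The following added example (my own code, not part of the original post and not OpenSSH's parser) reads an sshd_config fragment constructed to mirror the directives above, resolves the options a session gets under sshd's rules (a Match block overrides the global section; among several matching blocks, the first one that sets a keyword wins), and checks the stat values of a chroot directory against the rule sshd enforces: root-owned and not writable by group or others. The Match evaluation here only understands User and Group criteria with comma-separated lists, not the wildcard patterns sshd also accepts.

```python
import os
import stat

# Constructed sshd_config fragment mirroring the directives discussed above
SAMPLE_SSHD_CONFIG = """
# UsePAM yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server

Match Group root
    ForceCommand /usr/sbin/login_duo

Match Group sftp
    ChrootDirectory /media/external/friend
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
"""


def parse_sshd_config(text):
    """Split sshd_config into the global section and a list of Match blocks.
    Returns (global_opts, [(criteria, opts), ...]); keywords are case-insensitive,
    and the first occurrence of a keyword in a section wins, as in sshd."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "match":
            tokens = value.split()
            criteria = dict(zip([t.lower() for t in tokens[0::2]], tokens[1::2]))
            current = {}
            blocks.append((criteria, current))
        elif current is None:
            global_opts.setdefault(keyword, value)
        else:
            current.setdefault(keyword, value)
    return global_opts, blocks


def _matches(criteria, user, groups):
    """All criteria on the Match line must hold; unsupported criteria never match."""
    for crit, pattern in criteria.items():
        if crit == "user":
            if user not in pattern.split(","):
                return False
        elif crit == "group":
            if not set(groups) & set(pattern.split(",")):
                return False
        else:
            return False
    return True


def effective_options(text, user, groups):
    """Resolve the options sshd applies to a session for `user` whose groups are `groups`."""
    global_opts, blocks = parse_sshd_config(text)
    effective = dict(global_opts)
    set_by_match = set()
    for criteria, opts in blocks:
        if _matches(criteria, user, groups):
            for keyword, value in opts.items():
                if keyword not in set_by_match:      # first matching block to set it wins
                    effective[keyword] = value
                    set_by_match.add(keyword)
    return effective


def chroot_dir_ok(owner_uid, mode):
    """sshd's ChrootDirectory rule for every path component: owned by root and not
    writable by group or others. Takes raw stat values so it can be checked offline."""
    return owner_uid == 0 and not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_chroot_path(path):
    """Apply chroot_dir_ok to a real directory on this machine."""
    st = os.stat(path)
    return chroot_dir_ok(st.st_uid, stat.S_IMODE(st.st_mode))


if __name__ == "__main__":
    print("root  :", effective_options(SAMPLE_SSHD_CONFIG, "root", ["root"]))
    print("friend:", effective_options(SAMPLE_SSHD_CONFIG, "friend", ["friend", "sftp"]))
    print("mode 700 root-owned ok:", chroot_dir_ok(0, 0o700), "mode 775 root-owned ok:", chroot_dir_ok(0, 0o775))
```

Note that `chroot_dir_ok` reports 700 as acceptable, which is what sshd checks; whether the chrooted user can then traverse the directory is a separate question that the `upload` subdirectory and its ownership take care of.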



Oct 07, 2014

I’ve just activated a strong auth system to access this blog as Administrator.

It is a system we also use where I work, and it is amazing for the blend of simplicity and security it adds to the authentication process.

They integrate with a huge number of systems and technologies, and you can find the WordPress-specific one here.

It is free for up to ten users, but the paid versions also have negligible prices (like $1/user/month).

It really rocks for usability and strength of the auth process.


Sep 27, 2014

While reviewing a Wireshark video, I saw this awesome technique to use tshark to get very good statistics on what's going on in the network in terms of errors.

Hence I've decided to report the command here, since it could be very useful for network monitoring.

The command should go all in one line…

tshark -r <filename>.pcap -q -z io,stat,1,"COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission","COUNT(tcp.analysis.duplicate_ack)tcp.analysis.duplicate_ack","COUNT(tcp.analysis.lost_segment)tcp.analysis.lost_segment","COUNT(tcp.analysis.fast_retransmission)tcp.analysis.fast_retransmission","COUNT(tcp.analysis.out_of_order)tcp.analysis.out_of_order"

The output should be something like this:
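To make clear what the io,stat part of that command computes, here is an added example of my own (not from the post, and not tshark code): it bins packets into one-second intervals and counts, per interval, how many packets carry each of the five tcp.analysis flags, which is exactly what `COUNT(...)` with a one-second interval does. The packet list is constructed for the demonstration; in practice you would fill it from `tshark -T fields -e frame.time_relative -e tcp.analysis.flags` output. The `noisy_intervals` helper is the monitoring step the post hints at: flag the seconds where the error count crosses a threshold.

```python
from collections import Counter, defaultdict

# The tcp.analysis flags counted by the tshark command above
ANALYSIS_FLAGS = (
    "tcp.analysis.retransmission",
    "tcp.analysis.duplicate_ack",
    "tcp.analysis.lost_segment",
    "tcp.analysis.fast_retransmission",
    "tcp.analysis.out_of_order",
)

# Constructed packet summaries: (relative time in seconds, set of analysis flags on the packet)
SAMPLE_PACKETS = [
    (0.10, set()),
    (0.35, {"tcp.analysis.retransmission"}),
    (0.90, {"tcp.analysis.duplicate_ack"}),
    (1.20, {"tcp.analysis.duplicate_ack"}),
    (1.25, {"tcp.analysis.duplicate_ack"}),
    (1.30, {"tcp.analysis.fast_retransmission"}),
    (1.95, {"tcp.analysis.lost_segment", "tcp.analysis.out_of_order"}),
    (2.50, set()),
    (3.10, {"tcp.analysis.retransmission"}),
]


def io_stat(packets, interval=1.0, flags=ANALYSIS_FLAGS):
    """Mimic `-z io,stat,<interval>,COUNT(flag)flag,...`: per interval, count the packets
    carrying each flag. Returns {interval_index: Counter(flag -> count)}."""
    stats = defaultdict(Counter)
    for ts, pkt_flags in packets:
        row = stats[int(ts // interval)]       # creates the row even for a clean interval
        for flag in flags:
            if flag in pkt_flags:
                row[flag] += 1
    return dict(stats)


def noisy_intervals(stats, threshold):
    """Intervals whose total error-flag count reaches the threshold (sorted by index)."""
    return sorted(b for b, c in stats.items() if sum(c.values()) >= threshold)


def format_table(stats, interval=1.0, flags=ANALYSIS_FLAGS):
    """Render one line per interval with a column per flag, in the spirit of tshark's output."""
    short = [f.split(".")[-1] for f in flags]
    lines = [f"{'interval':<15}" + "  ".join(f"{s:>18}" for s in short)]
    for b in sorted(stats):
        counts = "  ".join(f"{stats[b][f]:>18}" for f in flags)
        lines.append(f"{b * interval:6.1f}-{(b + 1) * interval:<6.1f}  {counts}")
    return "\n".join(lines)


if __name__ == "__main__":
    stats = io_stat(SAMPLE_PACKETS)
    print(format_table(stats))
    print("intervals with 3+ errors:", noisy_intervals(stats, 3))
```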

Sep 12, 2014

This error, or more precisely

NTFS-3G could not mount /dev/disk#
at /Volumes/XXXXXXXX because the following problem occurred:

Did not receive a signal within 15.000000 seconds.

started to appear when I installed MacFuse and NTFS-3G on a new MacBookPro 2014 running Mavericks.

It is pretty harmless, since the NTFS volume mounts anyway… but annoying.

Since I understand quite a few people are experiencing this on the Net, and I want to remember the solution I adopted, I have decided to report here the fix I've found.

Continue reading »

Jul 14, 2014

The main reason of almost every post on this blog is the same.

Need to do something, dig the Net, take a while to find stuff, so I think I'll make a note in my… virtual hints book 😉

This time the need was to move a Windows 8.1 virtual machine from VMware Fusion for OS X 10.9.4 to VirtualBox on Linux.

The best option is to export and import the VM in OVA (Open Virtual Appliance) format, but there is no GUI option to export in Fusion. It took me a while to understand that Fusion comes with OVF Tool included, as a command-line tool, located in the default path “/Applications/VMware OVF Tool

A working example of a command line is:

./ovftool --acceptAllEulas /Users/marco/Documents/Virtual\ Machines.localized/Windows\ 8.1\ x64.vmwarevm/Windows\ 8.1\ x64.vmx /Users/marco/Desktop/Win81.ova

The two paths in the command above refer to the specific names I gave to the VM in Fusion and to the OVA file.

--acceptAllEulas is an option to make the command less interactive.


Apr 13, 2014

First of all, a BIG thank you to my friend Luca Ferrarotti, who inspired, actively contributed to and helped me with this HowTo.

Then, something I have wanted to write for a very long time. Other articles in this blog explain how to use OS X or iOS to build a native client-to-site IPsec VPN terminated on a McAfee (formerly Stonesoft) Next Generation Firewall. Since I joined Stonesoft many years ago, lots of people have asked me, Support and my SE colleagues how to build this configuration… here you are. Your voice has been heard!

I wrote this article using McAfee Next Generation Firewall version 5.5.6 and McAfee Security Management Center 5.7.0, while on the client side I am on Ubuntu 12.04.4 LTS. Continue reading »