init - PoC

README.md

@@ -0,0 +1,3 @@
+# Backup and code for ittavern.com
+
+Currently PoC with new SSG.

config.py

@@ -0,0 +1,22 @@
+"""Configuration file for picopaper blog"""
+
+BLOG_TITLE = "Ittavern.com"
+BLOG_DESCRIPTION = "Sysadmin doing syadmin stuff"
+THEME = "tavern"
+
+# Exclude specific feeds from the main page (they'll still have their own /feed/name/ pages)
+EXCLUDE_FEEDS_FROM_MAIN = ['draft','private']  # e.g., ['python', 'drafts']
+
+# Navigation bar items - list of dictionaries with 'text' and 'url' keys
+NAVBAR_ITEMS = [
+    {'text': 'Articles', 'url': '/'},
+    {'text': 'Tools', 'url': '/tools/'},
+    {'text': 'Feeds', 'url': '/feed/'},
+    {'text': 'About', 'url': '/about/'}
+]
+
+# Logo settings
+HIDE_LOGO = False
+HIDE_TITLE = True
+LOGO_PATH = "/images/logo.png"  
+

items/2022-11-15_long_cyberchef-how-to-remove-empty-lines.md

@@ -0,0 +1,13 @@
+# CyberChef - How to remove empty lines
+
+So, since I am too stupid to remove empty lines easily, I present to you my overcomplicated solution.
+
+Search for the `Find / Replace` in the operations and replace `^(?:[\t ]*(?:\r?\n|\r))+` with nothing.
+
+![screenshot of the cyberchef interface with the described workflow](/images/blog/cyberchef-remove-empty-lines.png)
+
+It uses Perl's regex to find specific line breaks that indicate an empty line. Regex is still magic to me.
+
+[Reference](https://www.ultraedit.com/support/tutorials-power-tips/ultraedit/remove-blank-lines.html)
+
+---

items/2022-11-17_long_nginx-check-your-public-ip.md

@@ -0,0 +1,19 @@
+# Nginx - check your public IP
+
+Sometimes you just need your public IP, and nothing more. A simple config change in nginx can offer you exactly this.
+
+Add the following `location` segment to the `server` segment of your choice. *You could replace `/ip` with another term*.
+
+`location /ip { default_type text/plain; return 200 $remote_addr;}`
+
+Now, if you visit the destination of the `server` segment with the subdirectory `/ip`, you'll find your IP. Try it out and visit [https://brrl.net/ip](https://brrl.net/ip).
+
+The neat part is that it works well in the CLI too:
+: `curl brrl.net/ip`
+: `wget -qO- brrl.net/ip`
+: Powershell
+: `Invoke-RestMethod brrl.net/ip` or `irm brrl.net/ip`
+
+Depending on your setup, some tweaking is necessary in regards to TLS, redirects, and so on.
+
+---

items/2022-11-20_long_tmux-synchronize-the-input-of-all-panes-within-a-window.md

@@ -0,0 +1,21 @@
+# Tmux - synchronize the input of all panes within a window
+
+So, you've got a tmux window with 10 panes, and you want to clear the panes, switch to a different directory, stop multiple process, and so on. There is a simple way to do it:
+
+`Prefix` + `:set synchronize-panes on`
+
+*Just in case: the default `prefix` is `CTRL` + `b`.*
+
+The input of all panes within a window will be synchronized until you turn it off again:
+
+`Prefix` + `:set synchronize-panes off`
+
+### Create keybinding
+
+If you need this function often, you could create a simple keybind for it. For examples, if you want to add it to `Prefix` + `e`, add this to your config file:
+
+`bind e set-window-option synchronize-panes`
+
+Load this config with `Prefix` + `:source-file ~/.tmux.conf` (or wherever your config file is located) and you can turn pane synchronization on and off with `Prefix` + `e`.
+
+---

items/2022-11-21_long_getting-started-with-tmux.md

@@ -0,0 +1,128 @@
+# Getting started with tmux
+
+Tmux is a terminal multiplexer. It allows you to work with multiple terminal sessions at once. 
+
+## Installation
+
+It is easy to install, and there are many guides already out there, so I won't cover it in this blog post. 
+
+## Tmux terminology
+
+So, let us start with the basics.
+
+`tmux server (programm) > session > window > pane`
+
+The tmux server starts after running tmux. You can work on the attached sessions or detach them so they run in the background. Every server can have multiple sessions, every session can have multiple windows, and we can split a window into multiple panes. The pane is a normal terminal window at the end.
+
+![tmux-overview](/images/blog/tmux-primer-1.png)
+
+There are a lot of use cases for it. Tmux makes is easy to separate projects in different windows or sessions.
+
+#### The prefix or lead and meta-key
+
+The default prefix (or sometimes called 'lead') is `CTRL` + `b` (or `C-b`) and it is usually the start of a tmux shortcut or to use a tmux command. When you see something like: `Prefix` + `c`, press `CTRL` + `b`, and then `c`. I prefer `CTRL` + `s` for example. I'll explain how to change it in the next section.
+
+As a side note: you'll find some shortcuts with an `M` in them. This is the `meta`-key. It is `ALT` for Linux, I think `CMD` in MacOS, and sometimes even `ESC`. The `meta`-key is rarely used, but worth looking it up.
+
+#### The config file
+
+You can temporarily change your tmux config by entering the setting:
+
+`Prefix` + `:set -g prefix C-s`
+
+This would change the `Prefix` as we described it before. If you want to make changes permanently, edit the config file. On Linux, the config file is usually in the home directory of the user `~/.tmux.conf`. If there is no config file, simply create it, and restart tmux - or reload it (will show in the end of this section). Just put `set -g prefix C-s` into the config file and tmux will use it after the restart.
+
+There are many ways to customize tmux. Some examples: Vim-like bindings for pane movements, enabling mouse support, setting keyboard shortcuts, and so on.
+
+The easiest way to reload the config file after changes is to use the following tmux command: `Prefix` + `:source-file ~/.tmux.conf` *(change the path accordingly)*. 
+
+## Working with panes
+
+As mentioned before, you can split a window in multiple panes. You can split the window vertically or horizontally as you wish and change it as much as you want. I won't cover everything in this post, but I'll show you the basics.
+
+Split horizontally:
+: `Prefix` + `%`
+
+Split vertically:
+: `Prefix` + `"`
+
+Move to another pane:
+: `Prefix` + `ARROW KEY`
+
+Convert the current pane into a new window:
+: `Prefix` + `!`
+
+Close current pane:
+: `Prefix` + `x`
+
+There are shortcuts for resizing, moving panes around, and so on, but those aren't that important for this primer.
+
+Side note: I just wrote a separate post about sending input to all panes within a window. Feel free to check it out [here](https://ittavern.com/tmux-synchronize-the-input-of-all-panes-within-a-window/).
+
+## Working with windows
+
+I prefer to separate my projects with windows instead of sessions, but that is my personal preference.
+
+Create a new window:
+: `Prefix` + `c`
+
+Rename current window:
+: `Prefix` + `,`
+
+Close current window:
+: `Prefix` + `&`
+
+Switch to next window:
+: `Prefix` + `n`
+
+Switch to previous window:
+: `Prefix` + `p`
+
+Switch to window by number:
+: `Prefix` + `0`-`9`
+
+## Working with sessions
+
+Let me start with a shortcut that I just learned recently.
+
+Overview:
+: `Prefix` + `w`
+
+This gives you a quick overview of all sessions and windows and lets you switch quickly.
+
+Show all sessions:
+: `tmux ls`
+: `Prefix` + `s`
+
+Create new session:
+: `tmux new -s new-session`
+: `:new -s new-session`
+
+Rename session:
+: `Prefix` + `$`
+
+Kill the session:
+: `:kill-session`
+
+Detach session (will be active in the background):
+: `Prefix` + `d`
+
+Close a session:
+: `tmux kill-session -t old-session`
+
+Attach session:
+: `tmux attach -t old-session`
+
+Move to next session:
+: `Prefix` + `)`
+
+Move to previous session:
+: `Prefix` + `(`
+
+# Conclusion
+
+This post hopefully will help you to get started with tmux. I'll cover more topics and features of tmux in the future.
+
+Any notes or questions? - Feel free to reach out.
+
+---

items/2022-11-23_long_nginx-simple-permanent-or-temporary-redirects.md

@@ -0,0 +1,62 @@
+# Nginx - simple permanent or temporary redirects
+
+## Temporary or permanent redirect
+
+First you have to decide whether the redirect will be permanent (`301`), or just temporary (`302`). If you are uncertain, just pick temporary and switch later.
+
+Use cases from my understanding:
+
+Permanent `301` redirects:
+: switching to another domain
+: merging multiple domains
+: switching from HTTP to HTTPs
+: better SEO experience
+
+
+Temporary `302` redirect:
+: testing (A/B testing, etc)
+: single redirects to another domain
+: redirect to a maintenance page
+: redirect traffic for load balancing
+
+Both do the same, but still have their use cases. Switching them up could cause problems with various indexes of search engines, SEO, wrongly being flagged as a spammer, and so on. 
+
+## Simple redirects in nginx
+
+For this example, I am going to use temporary `302` redirects. 
+
+#### Simple redirect of a sub-domain to a single URL
+
+```
+server {
+    listen      80;
+    listen      443;
+    server_name  test2.brrl.net;
+    location / {
+          return 302 https://www.youtube.com/watch?v=dQw4w9WgXcQ;
+    }
+}
+```
+
+That is a simple redirect of the root of the sub-domain. Try it out: [https://test2.brrl.net](https://test2.brrl.net).
+
+If you want to create a redirection of a subdirectory like `/status`, simply change it accordingly:
+
+```
+server {
+    listen      80;
+    listen      443;
+    server_name  brrl.net;
+    location /status {
+          return 302 https://status.brrl.net/status/overview;
+    }
+}
+```
+
+With this config block, only the subdirectory `/status` would be redirected. For example: [https://brrl.net/status](https://brrl.net/status) redirects to [https://status.brrl.net/status/overview](https://status.brrl.net/status/overview).
+
+#### other redirects
+
+There are many more forms of redirects, but I am familiar enough to write about that. I might add more redirects later on, but I'll have to test beforehand.
+
+---

items/2022-12-03_long_my-use-cases-for-cyberchef.md

@@ -0,0 +1,141 @@
+# My use cases for CyberChef
+
+### Formatting MAC addresses
+
+Cisco seems to require a different format for every solution they have. I use this almost daily, so change the format of one or multiple MAC addresses.
+
+Input:
+`aa-aa-aa-bb-bb-bb`
+
+Output:
+```
+aaaaaabbbbbb
+AAAAAABBBBBB
+aa-aa-aa-bb-bb-bb
+AA-AA-AA-BB-BB-BB
+aa:aa:aa:bb:bb:bb
+AA:AA:AA:BB:BB:BB
+aaaa.aabb.bbbb
+AAAA.AABB.BBBB
+```
+
+[Try it yourself](https://baked.brrl.net/#recipe=Format_MAC_addresses('Both',true,true,true,true,false)&input=YWEtYWEtYWEtYmItYmItYmI)
+
+**Tipp**: the easiest way to change the format of multiple formats, is to choose the desired format, input 1 MAC address per line, and remove the empty lines with a `Find/ Replace` operation with the following regex search `^(?:[\t ]*(?:\r?\n|\r))+`. For more information, visit [this post](https://ittavern.com/cyberchef-how-to-remove-empty-lines/).
+
+
+### Looking up Linux permissions
+
+Simple way to switch between various representations and shows the permissions.
+
+Input:
+`-rw-r--r--`
+
+
+Output:
+```
+Textual representation: -rw-r--r--
+Octal representation:   0644
+File type: Regular file
+
+ +---------+-------+-------+-------+
+ |         | User  | Group | Other |
+ +---------+-------+-------+-------+
+ |    Read |   X   |   X   |   X   |
+ +---------+-------+-------+-------+
+ |   Write |   X   |       |       |
+ +---------+-------+-------+-------+
+ | Execute |       |       |       |
+ +---------+-------+-------+-------+
+```
+
+[Try it yourself](https://baked.brrl.net/#recipe=Parse_UNIX_file_permissions\(\)&input=LXJ3LXItLXItLQo)
+
+### Working with IT subnets
+
+This function makes my life easier. It shows me the general network information and the range of a IP addresses for a subnet.
+
+Input:
+
+`10.121.10.8/28`
+
+Output:
+
+```
+Network: 10.121.10.8
+CIDR: 28
+Mask: 255.255.255.240
+Range: 10.121.10.0 - 10.121.10.15
+Total addresses in range: 16
+
+10.121.10.0
+10.121.10.1
+10.121.10.2
+10.121.10.3
+10.121.10.4
+[...]
+```
+
+[Try it yourself](https://baked.brrl.net/#recipe=Parse_IP_range\(true,true,false\)&input=MTAuMTIxLjEwLjgvMjg)
+
+### Converting blog titles to an URL-friendly format
+
+I've created a small 'Recipe' to format my titles to URL/ text file friendly formats.
+
+Input:
+
+`My use cases for CyberChef`
+
+Output:
+
+`my-use-cases-for-cyberchef`
+
+[Try it yourself](https://baked.brrl.net/#recipe=Find_/_Replace\(%7B'option':'Regex','string':'-'%7D,'',true,false,true,false\)Find_/_Replace\(%7B'option':'Regex','string':'%20%20'%7D,'%20',true,false,true,false\)Find_/_Replace\(%7B'option':'Regex','string':'%5C%5C.'%7D,'',true,false,true,false\)Find_/_Replace\(%7B'option':'Regex','string':'%20'%7D,'-',true,false,true,false\)To_Lower_case\(\)&input=TXkgdXNlIGNhc2VzIGZvciBDeWJlckNoZWY)
+
+### Finding the difference in text
+
+I only use this function for small configuration files or texts. For larger ones, I prefer vimdiff or Notepad++.
+
+[Try it yourself](https://baked.brrl.net/#recipe=Diff\('%5C%5Cn%5C%5Cn','Character',true,true,false,true\)&input=SSBzd2VhciwgdGhlcmUgaXMgbm90aGluZyBtaXNzaW5nLgoKSSBzd2VhciwgdGhlcmUgaXMgbWlzc2luZy4)
+
+### Changing chars to upper/lower case
+
+I rarely use this function, but it has its use cases. Some passwords contain many characters, that can be difficult to differentiate, like `l`, `I`, `1`, `O`,`0`, and so on. I tend to use this feature if I only have 1 more try left, just to make sure.
+
+And I know that copy+paste exists, but that isn't always an option.
+
+[Try it yourself](https://baked.brrl.net/#recipe=To_Upper_case\('All'\)&input=VEhsU18xU19hX1A0UzV3b3JE)
+
+### Adding or remove line numbers
+
+This is self-explanatory. I do not need this feature that often, but comes in handy from time to time.
+
+### Hashing things
+
+If you need a hash of a string or file, CyberChef offers many algorithms. SHA, MD, bcrypt, and so on.
+
+[Try it yourself](https://baked.brrl.net/#recipe=SHA2\('512',64,160\)&input=VEhsU18xU19hX1A0UzV3b3JE)
+
+### Generating QR codes
+
+I use it monthly to generate the QR code for our guest WLAN. Add `WIFI:S:MySSID;T:WPA;P:TH1S_P455W0RD;;` into the input field and it generates the QR code for you. I regularly use it for URLs too.
+
+[Try it yourself](https://baked.brrl.net/#recipe=Generate_QR_Code\('PNG',8,2,'Medium'\)&input=V0lGSTpTOk15U1NJRDtUOldQQTtQOlRIMVNfUDQ1NVcwUkQ7Ow)
+
+### Generating dummy texts / Lorem Ipsum
+
+Really helpful to generate dummy text for all kinds of mock-ups.
+
+[Try it yourself](https://baked.brrl.net/#recipe=Generate_Lorem_Ipsum\(3,'Paragraphs'\))
+
+### Various utilities
+
+I won't go into too much detail since it is fairly self-explanatory. Sorting lines, convert masses or distances, remove white spaces, Find/Replace, find unique strings, converting hexdumps, converting date/time formats, and so many more.
+
+## Conclusion
+
+CyberChef has become a great tool with many use cases. It is more the quick and dirty solution, but this is often all I need. 
+
+The source code can be found [here](https://github.com/gchq/CyberChef).
+
+---

items/2022-12-03_long_tmux-reload-tmuxconf-configuration-file.md

@@ -0,0 +1,22 @@
+# Tmux - reload .tmux.conf configuration file
+
+Restarting the tmux server every time you change the configuration is tedious and unnecessary. 
+
+From the shell:
+: `tmux source-file ~/.tmux.conf`
+
+As a tmux command:
+: `Prefix` + `:source-file ~/.tmux.conf`
+: *Just in case: the default prefix is `CTRL` + `b`*
+
+Those methods reload the tmux configuration without affection the sessions or windows.
+
+**Info**: some changes still require a restart of the tmux server. If you were to remove a key bind, you would need to restart the tmux server or explicitly unbind the key.
+
+The server stops running if all sessions are closed or you kill it with `tmux kill-server` or kill the process with `pkill/kill`. `tmux kill-server` will send a `SIGTERM`, where `tmux kill-pane/kill-window/kill-session` will send a `SIGHUP`.
+
+#### **Side note** to the location of the configuration file:
+
+Tmux looks in `/etc/tmux.conf` for a system-wide configuration file, and then for a configuration file in the current user's home directory, e.x. `~/.tmux.conf`. If these files don't exist, tmux uses the default settings.
+
+---

items/2022-12-08_long_podman-docker-expose-port-only-to-the-localhost-of-the-host-machine.md

@@ -0,0 +1,21 @@
+# Podman / Docker - expose port only to the localhost of the host machine
+
+There are good reasons to expose a port of a docker container only to the localhost of the host machine. Security reasons or the use of a reverse proxy are only 2 of them (please don't ask for more). And it is fairly easy.
+
+It is a simple modification to the argument of the `-p` flag while when running `podman run`:
+
+`podman run -d -p 8080:80/tcp docker.io/library/httpd`
+
+From the manual:
+
+`-p, --publish strings         Publish a container's port, or a range of ports, to the host (default [])`
+
+This is a quick example which sets up a web server. The first part before the colon - in this case `8080` - is the exposed port on the host machine, on which the container would be reachable. The second part after the colon - `80/tcp` - is the used port within the container. 
+
+To limit the exposed port to the localhost of the host machine, just add the host loopback address in front of the host part like: `127.0.0.1:`. The new command would then be:
+
+`podman run -d -p 127.0.0.1:8080:80/tcp docker.io/library/httpd`
+
+That's it.
+
+---

items/2022-12-09_long_linux-connect-to-a-serial-port-with-screen.md

@@ -0,0 +1,57 @@
+# Linux - connect to a serial port with screen
+
+There are a bunch of programs out there, that can get you connected to a serial port of a switch, but using `screen` was the best and easiest solution I've found. Works perfectly in the CLI, can be run in the background, and easy to set up - if it is not already installed.
+
+It worked with various combinations of serial-to-usb-cables, Cisco switches, and Linux machines. Let us start with the command itself:
+
+* `sudo screen /dev/ttyUSB0 9600`
+    * `sudo screen` - run `screen` as sudo
+    * `/dev/ttyUSB0` - the tty number of the usb cable / adapter
+    * `9600` - the speed of the serial connection
+
+You can kill the session with `CTRL` + `a`, then `k`, and confirm it with `y`.
+
+### Finding the device / the tty number
+
+Find the tty number while you are already connected:
+
+`sudo dmesg | grep tty`
+
+Output:
+
+```markdown
+kuser@pleasejustwork:~$ sudo dmesg | grep tty
+[    0.134050] printk: console [tty0] enabled
+[1724834.635665] usb 3-1: FTDI USB Serial Device converter now attached to ttyUSB0
+```
+
+Shows the device while plugging it in:
+
+`sudo dmesg -wH | grep tty`
+
+Output:
+
+```markdown
+kuser@pleasejustwork:~$ sudo dmesg -wH | grep tty
+[sudo] password for kuser: 
+[  +0,000022] printk: console [tty0] enabled
+[  +0,001283] usb 3-1: FTDI USB Serial Device converter now attached to ttyUSB0
+```
+
+This is helpful if you are connected to multiple devices. 
+
+### Finding the correct speed
+
+I haven't had to change this yet, but just in case:
+
+`sudo stty -F /dev/ttyUSB0`
+
+Output:
+
+```markdown
+kuser@pleasejustwork:~$ sudo stty -F /dev/ttyUSB0
+speed 9600 baud; line = 0;
+-brkint -imaxbel
+```
+
+---

items/2022-12-10_long_eicar-test-file-riskless-method-to-test-your-antivirus-and-firewall-solution.md

@@ -0,0 +1,34 @@
+# EICAR test file - riskless method to test your antivirus and firewall solution
+
+Disclaimer: There are more meaningful, and more advanced solutions to test your security solutions, but for a quick, simple, and riskless test, the upcoming test files are more than enough.
+
+## EICAR test file
+
+The most common test file to test said solutions is the [EICAR Anti-Virus Test File](https://en.wikipedia.org/wiki/EICAR_test_file). The European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization (CARO) developed the test file, and is in the end a simple text file with a plain string of ASCII characters.
+
+`X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`
+
+Most solutions will prevent you from downloading it or put it into quarantine, since it will be treated as a threat. That said, some providers - for example Malwarebytes [[1]](https://forums.malwarebytes.com/topic/9994-malwarebytes-cant-detect-eicar-test-virus/)[[2]](https://forums.malwarebytes.com/topic/191650-malwarebytes-3-frequently-asked-questions/?do=findComment&comment=1077438) - refused to add fake malware / test files to their database since they don't see any benefits. 
+
+More information and the download link can be found [here](https://www.eicar.org/download-anti-malware-testfile/).
+
+Some additional information about the EICAR test file:
+
+* [Anatomy of the EICAR Antivirus Test File](https://blog.nintechnet.com/anatomy-of-the-eicar-antivirus-test-file/)
+* [EICAR‘s TEST FILE HISTORY](https://web.archive.org/web/20151216140407/https://www.eicar.org/files/01_-_eicar_test_file_history.pdf)
+* [The Use and Misuse of Test Files in Anti-Malware Testing](https://www.amtso.org/wp-content/uploads/2018/05/AMTSO-Use-and-Misuse-of-Test-Files-in-Anti-Malware-Testing-FINAL.pdf)
+
+#### Vendor specific test files
+
+Various vendors have specific test files for their solutions, but I am not too familiar with them.
+
+* [Broadcom SOCAR cloud test file](https://knowledge.broadcom.com/external/article?legacyId=TECH216647)
+* [Cisco AMP test file](https://docs.umbrella.com/umbrella-user-guide/docs/test-file-analysis)
+* [FireEye test files](https://community.fireeye.dev/t/testing-sample-files/33)
+* [McAfee](https://www.mcafee.com/support/?locale=en-US&articleId=TS101121&page=shell&shell=article-view)
+* [Palo Alto Networks test file](https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/submit-files-for-wildfire-analysis/verify-wildfire-submissions/test-a-sample-malware-file) + [Additional Malware Test Files](https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/latest-wildfire-cloud-features/additional-malware-test-files)
+* [Panda cloud test file](https://www.pandasecurity.com/en/support/card?Id=40066)
+
+Just use your favorite search engine to look for <name of your solution> + 'test file'. For more advanced tests, reach out to the vendor of choice.
+
+---

items/2022-12-10_long_linux-how-to-work-with-complex-commands.md

@@ -0,0 +1,55 @@
+# Linux - How to work with complex commands
+
+It can frustrate to work on complex commands in the terminal. I'll present you some tips on how to manage them. If you have another tip, I'd appreciate a quick message. 
+
+### Use backslash`\` to add a line break
+
+This is fairly simple. Having one or multiple long lines with no structure can be messy and confusing. By adding `\` for a line break adds more structure. A really simple example:
+
+`podman run -d --restart=always -p 127.0.0.1:3001:3001 -v /path/data:/app/data --name status.brrl.net docker.io/louislam/uptime-kuma:latest`
+
+With line breaks:
+
+```markdown
+podman run -d \
+  --restart=always \
+  -p 127.0.0.1:3001:3001 \
+  -v /path/data:/app/data \
+  --name status.brrl.net \
+  docker.io/louislam/uptime-kuma:latest
+```
+
+It is easier to read and work with, at least in my opinion.
+
+### Work on complex commands in your favorite $EDITOR
+
+I'lll show you now, how you can edit complex commands in your favorite CLI editor. 
+
+Enter command `fc`, or keep `CTRL` pressed and enter `x` and `e` as keyboard shortcut. This will open your default CLI editor. After finishing working on the command you want to run, simply 'save and close', and the command will run right after.
+*I am going to show you how yo set your default editor at the end of the post.*
+
+The `fc` command is normally used to show the command history or re-edit already entered commands, but we can use it to work on complex commands. `fc --help` to find out more.
+
+### Set default editor in the CLI
+
+There are various ways to set the default editors, so you might have to look it up for your setup.
+
+In general, it works to set the `$EDITOR` environment variable with the editor of choice. On most distros it should be 'nano', but you might prefer something else.
+
+If we want to change our default editor to 'vim' temporarily, we can enter this command:
+
+`export EDITOR="/bin/vim"`
+
+You can double-check with:
+
+`echo $EDITOR` or `env | grep EDITOR`
+
+and
+
+`$EDITOR test.txt`
+
+**Important:** To change the default editor permanently, add `export EDITOR="/bin/vim"` to your `.bashrc` or whatever config file you use.
+
+From now on, whenever you want to edit a command with `fc`, your favorite editor will open.
+
+---

items/2022-12-11_long_nginx-simple-and-native-authentication-function.md

@@ -0,0 +1,74 @@
+# nginx - simple and native authentication function
+
+**Important disclaimer**: This solution is not secure! - It is fine for a quick and temporary solution for your local network, but it is not a secure solution for important ressources that are available over the internet.
+
+As a side note: without TLS (HTTPs), the credentials will be sent in plain text, and are easily accessable. 
+
+### Creating the user
+
+Even though you could do it per hand, it is recommended to use the Apache utility to create the user.
+
+The package needed is called `apache2-utils` for Debian derivatives and `httpd-tools` for RHEL derivatives. 
+
+`sudo htpasswd -c /etc/nginx/htpasswd AzureDiamond` *# The username is case-sensitive and the path and name of the password file can be changed*
+
+Now it is time to choose a secure password:
+
+```markdown
+New password:
+Re-type new password:
+Adding password for user AzureDiamond
+```
+
+You now can find the password file with the hashed password in the location of your choice:
+
+```markdown
+cat /etc/nginx/htpasswd
+AzureDiamond:$apr1$8xZ0m9Yq$NVBN9veofzoV9vBoBK7z40
+```
+
+**Side note:** You can remove a user with the following command:
+
+`sudo htpasswd -D /etc/nginx/htpasswd AzureDiamond` *# remember to choose the correct file*
+
+### Change your nginx config
+
+We can now add 2 line to our `server` or `location` segment to activate the authentication feature:
+
+```markdown
+auth_basic "You shall not pass!";
+auth_basic_user_file /etc/nginx/htpasswd;
+```
+
+Check the nginx config with `sudo nginx -t` and if it confirms the correct syntax, restart the nginx service with `sudo systemctl restart nginx`.
+
+[You can test it here: https://ittavern.com/azurediamond](https://ittavern.com/azurediamond)
+
+### Exclude subdirectories
+
+If you, for example, add the authentication to the root directory of your site, you can exclude chosen subdirectories by adding the following line to the `location` segment:
+
+```markdown
+location /api/ {
+        auth_basic off;
+}
+```
+
+
+### White- / blacklist IPs
+
+More step further, just work with white- and blacklists by adding chosen IPs like this to the chosen segment:
+
+```markdown
+    deny  8.8.8.8;
+    allow 9.9.9.9;
+    allow 10.10.10.0/24;
+    deny  all;
+```
+
+---
+
+
+Special thanks to ruffy, for informing me about the processes behind it and the security risks.
+
+---

items/2022-12-12_long_getting-started-with-nmap.md

@@ -0,0 +1,273 @@
+# Getting started with nmap
+
+**Disclaimer**: Only scan networks you have permission for. Many VPS providers do not allow the scanning of other networks and can cause you trouble. Please be aware of it.
+
+## Installation
+
+I won't cover the installation of nmap in this blog post. It is available for many OSs, and a simple lookup with your favorite search engine will give you enough results to get it done.
+
+## What is nmap?
+
+Nmap (Network mapper) is an open-source network and security auditing tool. It is used for network host and service discovery and has a wide range of use cases. It can scan ports, discover live hosts, detect service and OS versions, run vulnerability scans, and be used with many scripts.
+
+I'll show you the basics of nmap in this post. This is more than enough to get started.
+
+**Important**: I recommend using nmap as **root** since not all scans are available for non-root users. The kernel constrain standard users from using all functions of the NIC.
+    
+
+## Specify the hosts or networks to scan <a href="#target" id="target">#</a>
+
+You'll start by defining the range of the scan. This is mandatory and there are multiple ways to do it.
+
+Single address / host name:
+: `nmap 10.10.20.1`
+: `nmap scanme.nmap.org` *# You have permission to scan this domain / host. Visit [this page](http://scanme.nmap.org/) for more information. As mentioned before, be aware that many server providers prohibit the scan of other networks.*
+
+There are several ways to define a range of targets:
+: `nmap 10.10.10.1 10.10.10.2 10.10.10.3`
+: `nmap 10.10.10.1,2,3`
+: `nmap 10.10.10.1-50`
+: `nmap 10.10.10.0/24`
+
+Use a file with a list of targets (hosts/network):
+: `nmap -iL /path/to/file.txt`
+
+**Side note**: The list can have various formats. All hosts in one single line, separated by spaces, or you can put every host in a separate line or even combine it like this:
+
+```markdown
+10.10.10.1 10.10.20.2
+10.10.30.3
+```
+
+Nmap would scan 3 hosts.
+
+Choose a random number of hosts within a chosen range:
+: `nmap 10.10.10.0/24 -iR 5`
+
+#### Exclude hosts and networks from scans <a href="#target-exclusion" id="target-exclusion">#</a>
+
+Choose hosts or networks that should be excluded:
+: `nmap 192.168.0.0/24 --exclude 192.168.0.2`
+
+Use a file with a list of exclusions:
+: `nmap 10.10.10.0/24 --excludefile /path/to/file.txt`
+
+## SPECIFIC PORT RANGES <a href="#ports" id="ports">#</a>
+
+**Side note**: Without a flag, it runs the 1000 common TCP ports by default. [Source](https://nmap.org/book/port-scanning.html) 
+
+For a quick scan that only scans the first 100 ports, use the `-F` flag:
+: `nmap 10.10.10.1 -F`
+
+Scan of a single port:
+: `nmap 10.10.10.0/24 -p 22`
+
+Scan of several ports:
+: `nmap 10.10.10.0/24 -p 22,80`
+: `nmap 10.10.10.0/24 -p 1-100`
+: `nmap 10.10.10.0/24 -p 80,90-100`
+
+`-p-` would scan ALL ports (0 to 65535):
+: `nmap 10.10.10.0/24 -p-`
+
+TCP is the default protocol. You can specifically choose TCP or UDP like this:
+
+TCP *(default)*:
+: `nmap 10.10.10.0/24 -p T:53`
+
+UDP:
+: `nmap 10.10.10.0/24 -p U:53`
+
+Combine both:
+: `nmap 10.10.10.0/24 -p T:53,U:53`
+
+**Important**: the `T:` and `U:` must be capitalized since it is case-sensitive.
+
+If you only want to scan UDP ports, use the `-sU` flag to do so.
+
+I am not familiar with it, but you can work with protocol names like this:
+: `nmap 10.10.10.0/24 -p smtp` *# Thanks to k3vinw*
+
+#### Exlude ports from scan <a href="#ports-exclusion" id="ports-explusion">#</a>
+
+Simply us the `--exlude-ports` option and the ports / port range:
+: `nmap 10.10.10.1 -p 1-100 --exlude-ports 22,53`
+
+
+#### Set the source port
+
+Use the `-g` flag to specify the source port of the scan:
+: `nmap 10.10.10.1 -g 12345`
+
+## Save output to file <a href="#output" id="output">#</a>
+
+There are 3 formats you can pick between:
+
+Console output:
+: `-oN results.txt`
+
+'Grepable' console output:
+: `-oG results.txt`
+
+XML format:
+: `-oX results.txt`
+
+Saves output of ALL 3 formats:
+: `-oA results.txt`
+
+If you want to append the results to a file, simply add the `--append-output` option to the command.
+
+## Port states <a href="#port-states" id="port-states">#</a>
+
+Nmap distinguishes the state of the port in six categories. This section is copied from the [official documentation](https://nmap.org/book/man-port-scanning-basics.html) since it is explained really well.
+
+**open**
+
+> An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network. 
+
+**closed**
+
+> A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up. Administrators may want to consider blocking such ports with a firewall. Then they would appear in the filtered state, discussed next. 
+
+**filtered**
+
+> Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically.
+
+**unfiltered**
+
+> The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open. 
+
+**open|filtered**
+
+> map places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.
+
+**closed|filtered**
+
+> This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.
+
+## Scan timing / timing templates <a href="#scan-timing" id="scan-timing">#</a>
+
+With these timing templates, you can decide how aggressively and fast you want to scan your targets. The lower the number, the slower scan and vice versa. You can choose them with the `-T` flag like this: 
+: `-T0` paranoid
+: `-T1` sneaky
+: `-T2` polite
+: `-T3` normal (default)
+: `-T4` aggressive
+: `-T5` insane
+
+`-T0` and `-T1`, for example, are used for IDS evasion. The scans are less aggressive, have more delay, look more random, and so on. `-T5` is really aggressive, fast and rather unreliable due loss of packets. 
+
+A detailed table of differences can be found in the [official documentation](https://nmap.org/book/performance-timing-templates.html)
+
+## Scripts <a href="#scripts" id="scripts">#</a>
+
+**Disclaimer + Important:**  Scripts are not run in a sandbox and thus could accidentally or maliciously damage your system or invade your privacy. Never run scripts from third parties unless you trust the authors or have carefully audited the scripts yourself. 
+
+The Nmap Scripting Engine (NSE) allows you to use, and share various scripts. The scripts are written in Lua.
+
+There are different categories of scripts. The current categories are: auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.
+
+Run a script:
+: `--script filename / category / directory`
+: *all scripts in the category or directory would be loaded*
+
+Nmap scripting is way beyond the scope of this post, and since I am not too familiar, I rather keep it short. I mostly use scripts for finding SMBv1 servers (`smb-os-discovery`), display of SSH authentication information (`ssh-auth-methods`) or all available DHCP server (`broadcast-dhcp-discover`). The last one is great for debug DHCP problems or find rogue DHCP servers. 
+
+Often enough scripts are used to find vulnerabilities. One example can be found [on Github](https://github.com/Diverto/nse-log4shell). A helpful script to check against **log4shell or LogJam vulnerabilities** (CVE-2021-44228).
+
+For more information about scripts for nmap, check out the following blog post: [Getting started with nmap scripts](https://ittavern.com/getting-started-with-nmap-scripts/)
+
+## Helpful additional scan options <a href="#more-options" id="more-options">#</a>
+
+Verbosity of the scan:
+: `-v` / `-vv` / `-vvv`
+
+Increase verbosity on debug level:
+: `-d` / `-dd` / ... or `-d1` to `-d9`
+: often used if a bug in nmap is suspected
+
+Choose the interface for the scan:
+: `-e interfacename`
+
+skip reverse DNS look-up:
+: `-n`
+
+force reverse DNS, even when host is offine:
+: `-R`
+
+use the DNS resolver of the system:
+: `--system-dns`
+
+use a specific DNS server for requests:
+: `--dns-servers <server1>[,<server2>[,...]]`
+
+show the results every X seconds/minutes:
+: `--stats-every 1m / 10s`
+: really great for long scans to check the progress
+
+Scan IPv6 addresses:
+: `-6 ::ffff:1234:abcd`
+
+detecting the version of services running on the target:
+: `-sV`
+
+detecting operating system of the target by fingerprinting:
+: `-O`
+
+TCP Syn scan - Stealth mode:
+: `-sS`
+: sending TCP/SYN packet, waits for TCP/ACK. Slower, but less aggressive
+
+TCP full connect - 3-way-handshake: 
+: `-sT`
+: it is more acurate, but slower and noisier:
+
+ICMP echo request / ping for a quick scan:
+: `-sP`
+
+No ICMP echo request / ping, nmap assumes the host is up:
+: `-Pn`
+
+ICMP echo request:
+: `-PE`
+
+ICMP Timestamp request:
+: `-PP` 
+
+ICMP netmask request:
+: `-PM`
+
+TCP SYN ping:
+: `-PS PORTNUMBER`
+: *Port 40125 is the default, if no port entered*
+
+TCP ACK Ping use 
+: `-PA  PORTNUMBER`
+: *Port 40125 is the default, if no port entered*
+
+
+#### IDS/ FW Evasion <a href="#evasion" id="evasion">#</a>
+
+This is a topic for another time and unnecessary for beginners, but just some IDS/FW evasion methods.
+
+Decoy mode - tries to hide your IP in a pool of other IPs
+: `nmap -D 10.10.10.22,10.10.10.44,10.10.10.66 10.10.10.1`
+: `10.10.10.22` *# your own IP*
+: `10.10.10.44` *# decoy IP*
+: `10.10.10.66` *# decoy IP*
+: `10.10.10.1` *# IP of target*
+
+Change the source IP:
+: `-S`
+
+Spoof another MAC address:
+: `--spoof-mac MAC-ADDRESS / prefix / vendor name`
+
+Using a HTTP/SOCKS4 proxy:
+: `--proxies URL,[url2],...`
+
+# Conclusion
+
+Nmap is unbelievably powerful and invaluable for my day-to-day work. I hope I could provide you some insight into the possibilities of nmap. If you think I forgot something, feel free to reach out.
+
+---

items/2022-12-13_long_ways-to-support-open-source-projects.md

@@ -0,0 +1,61 @@
+# Ways to support open-source projects
+
+There are many ways to support your favorite open-source project. Even though code contributions are the most obvious method, not everyone - including me - can do so. I just want to share some ideas, on how someone can support the open-source space.
+
+#### Coding
+
+As mentioned before, the most obvious contribution to an open-source project might be to code yourself. This can be a small bug fix, a new feature, or even becoming a maintainer of the whole project, depending on your time and capabilities.
+
+
+#### Financial support & self-hosting
+
+Consider donating money to the project. A lot of open-source projects are maintained by people who spend their spare time to code. Even small contributions help to pay the bills for hosting, coffee, pizza, and so on.
+
+Check the project for the following options to donate money: [Patreon](https://www.patreon.com/search?q=open-source), [Liberapay](https://liberapay.com/explore/), [Open Collective](https://opencollective.com/discover?show=open%20source), ["buy me a coffee"](https://www.buymeacoffee.com/explore/opensource), PayPal (+ credit cards), direct wire transfer or cryptocurrencies.
+
+*Just for the protocol: Donations != Claims/ Commissions. Please do not donate money and demand or expect a feature you have requested. That is not how it works.*
+
+Not everyone is in the position to donate money, but I would consider it one of the easiest ways to support a project.
+
+Another method is to self-host a service. An example would be to host a Gitea instance, and keep it open for public use. This opens the door for new people to try it out and get used to it. 
+
+#### Provide feedback, bug reports, & more
+
+Found a bug? Got an idea for a new feature or improvements? Found a security vulnerability? Reach out to the project team respectfully. Please be clear about what you mean and read the docs before you do.
+
+Use your individual skills to improve the project.
+
+#### Translations 
+
+Providing a multilingual program or service can be challenging. From the technical standpoint of the localization, to the actual translation itself.
+
+There are various ways for the technical implementation. From managed services like [crowdin](https://crowdin.com/) or [Transifex](https://www.transifex.com/), to simple text files within the git repo.  The how-to should be described in the documentation.
+
+Helping your favorite project to translate it to another language helps to make it more accessible for new people.
+
+
+#### Provide help to the community
+
+Being an active member of the community is an important part. Helping new users to solve problems or answer questions is a great way to build a healthy community. A significant side effect is that team member have more time to tackle coding related problems instead of answering questions. Some projects have forums, some use their bug trackers, some mailing-lists, some their social media accounts. 
+
+
+#### Create and share content
+
+It doesn't matter what format you choose, but creating content about your favorite project is a great way to grow the community. Share your favorite functions, your use cases, exciting stories, or tutorials and guides. As mentioned, the format plays a secondary role: videos, blog posts, infographics, social media posts, and so on.
+
+
+#### Send some appreciation
+
+As mentioned before, many open-source projects are maintained by people that spend their free time to work on it. Sending them a simple 'Thank you' and 1-2 sentences, what the project is used for, can bring some joy and motivation. 
+
+
+#### Spread the word
+
+Talk about it. Tell people why it is your favorite project, recommend it respectfully to others, and spread the word. I use Vim by the way. This is fairly similiar to a previous point and is self-explanatory anyway.
+
+
+## and ...
+
+I bet there are many more ways to support your favorite projects. Feel free to let me know.
+
+---

items/2022-12-14_long_ssh-how-to-use-public-key-authentication-on-linux.md

@@ -0,0 +1,204 @@
+# SSH - How to use public key authentication on Linux
+
+**Disclaimer**: 
+
+* Please read the whole post before you start. This will help you avoid a lock-out
+
+## Generating a secure key pair
+
+SSH keys use asymmetric cryptographic algorithms that generate a pair of separate keys (a key pair). A private and a public key.
+
+We are using the command `ssh-keygen` to generate our secure key pair. There are 3 common algorithms to choose from.
+
+We are going to create a private and public key with the name `nameofthekey` in the `.ssh` directory of the current user. You should choose a expressive name, which makes it easier to work with multiple keys. Please make sure that the directory `~/.ssh/` exists.
+
+**Important**: Please do use a secure password for the key generation.
+
+[RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) *(Rivest–Shamir–Adleman)*
+: `ssh-keygen -t rsa -b 4096 -f ~/.ssh/nameofthekey`
+
+
+
+[ECDSA](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) *(Elliptic Curve Digital Signature Algorithm)*
+: `ssh-keygen -t ecdsa -b 521 -f key1 ~/.ssh/nameofthekey`
+
+[EdDSA ed25519](https://en.wikipedia.org/wiki/EdDSA#Ed25519):
+: `ssh-keygen -t ed25519 -f ~/.ssh/nameofthekey`
+
+Explanation:
+: `ssh-keygen` # can be run as a standard user, man ssh-keygen for more information
+: `-t [dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]` *# choose Algorithm*
+: `-b bits` *# number of bits to use*
+: `-f /path/and/name-of-keypair` *# choose a name for the keys*
+
+```markdown
+ssh-keygen -t rsa -b 4096 -f ~/.ssh/nameofthekey
+
+Generating public/private rsa key pair.
+Enter passphrase (empty for no passphrase): 
+Enter same passphrase again: 
+Your identification has been saved in name
+Your public key has been saved in name.pub
+The key fingerprint is:
+SHA256:8KkCBz2GFXusy6URXF4Z/8xVl+6dFhYV0MoDtqIqBfA kuser@pleasejustwork
+The key's randomart image is:
++---[RSA 4096]----+
+|    o.. oo   .o.B|
+| . = = ... o   =.|
+|  = B =   o + + .|
+|   E = o o = = + |
+|  . = . S . + + +|
+|   + * o       +.|
+|    * o       .  |
+|   . o           |
+|    .            |
++----[SHA256]-----+
+```
+
+This would give us 2 files: private key `nameofthekey`, and public key `nameofthekey.pub`.
+
+
+**nameofthekey.pub** - public key
+
+Example:
+```markdown
+ssh-rsa ktLfCNsABzCw9wE4U3JS8mn1t8jw2Q01wRvCaexpuE2adZYxgw4sNJfBOp3SmLEYeF3rcP1u9ffb2J8FOqFWj3egwjVvVrlDHwi6Jr1aTxOmNlGtNHfJiKuJxD3HxPFAuSImsR5IZF6Bki0LxQGxM4jx8NgDFQ5BWO0tJ0pNzSJdXOLwW0jqbdqdEHELnYZLmll6oeJ9j1LZx6GY5vjYxzeCxZTrHoFQPE2vdYsx7ajIKDzQpNdM9zhYRO10OM kuser@pleasejustwork
+```
+
+**nameofthekey** - private, password protected
+
+Example:
+```markdown
+-----BEGIN OPENSSH PRIVATE KEY-----
+iEnCTyTmiYVhFvUIYhlq07FZV3EaVpQalFqSRicpeaDqifcDLqdp5NAx11JT17iNhgRDMrTM7Pcs6kLFbXC8LWbhlJVTkhu9k5wIG9Ec6qBthyAzmnO7SpqFCtKAXmuG8uFJF9SeyLsXTFiIuK8UqfgG9SLvXSrhPFqSVWFVxQqmXiXL5MQ7iKOKAAAlwisfwrJ1DTNkd2C9nel7sorAU3gWQGh2beuEjzkRsYucR9lxO6jzLEejNSwyS7TNuOiEnCTyTmiYVhFvUIYhlq07FZV3EaVpQalFqSRicpeaDqifcDLqdp5NAx11JT17iNhgRDMrTM7Pcs6kLFbXC8LWbhlJVTkhu9k5wIG9Ec6qBthyAzmnO7SpqFCtKAXmuG8uFJF9SeyLsXTFiIuK8UqfgG9SLvXSrhPFqSVWFVxQqmXiXL5MQ7iKOKAAAlwisfwrJ1DTNkd2C9nel7sorAU3gWQGh2beuEjzkRsYucR9lxO6jzLEejNSwyS7TNuO
+-----END OPENSSH PRIVATE KEY-----
+```
+
+## The correct permissions on the client
+
+It is important to have the correct permissions for your key. For 2 reasons: restrict the access of other users, and some servers require it, when the 'StrictModes' is enabled. Later more.
+
+```
+sudo chmod 700 ~/.ssh
+sudo chmod 644 ~/.ssh/authorized_keys
+sudo chmod 644 ~/.ssh/known_hosts
+sudo chmod 644 ~/.ssh/config
+sudo chmod 600 ~/.ssh/nameofthekey        # private key
+sudo chmod 644 ~/.ssh/nameofthekey.pub    # public key
+```
+
+## Get your public key on the server
+
+You need access to the destination server in one way or another to add the newly generated **public** key. There are multiple ways.
+
+In the end, the public key must be added to the `~/.ssh/authorized_keys` file. If it does not exist, it must be created. There can be multiple public keys in this file - one line per key, and there can be multiple `authorized_keys`, IF it is configured on the server.
+
+#### No direct access to the server
+
+Ask someone with access to add your public key to the `~/.ssh/authorized_keys` file.
+
+#### Direct access via ssh and password auth
+
+You most likely already have access to the server via ssh and normal password authentication. There are now multiple ways to add your public key to the server.
+
+Simply use `ssh-copy-id`:
+: `ssh-copy-id -i ~/.ssh/nameofthekey.pub remote-user@remote-server`
+: This does everything for you, and adds your public key to the `authorized_keys` file on the remote machine.
+
+Different way would be to copy the public key to the remote machine via `scp` / `rsync`, or something different, and redirect `>>` it to `~/.ssh/authorized_keys`. Another way would be to connect to the server, and copy-paste the content of the public key to `~/.ssh/authorized_keys`. Remember, if the path or file does not exist, just create it.
+
+In the end, your chosen public key must be in the file `~/.ssh/authorized_keys` before you should continue.
+
+
+## Configuration of the ssh server
+
+**Important**: Some tips on how to work on the configuration file on the remote machine. 
+
+* do a backup of the configuration file before you do any changes! 
+* create 2 ssh sessions - 1 for working and testing, the other one as a backup. 
+* reload the config of the ssh server, rather than restarting the service. This does not kill the backup session.
+* test the public key authentication before you turn off password authentication
+
+---
+
+We now have to edit the ssh server config file on the remote machine: `/etc/ssh/sshd_config` or in the config directory `/etc/ssh/sshd_conf.d`. It depends on your setup.
+
+#### Enabling public key authentication on the server
+
+Enable public key authentication in the config file:
+: `PubkeyAuthentication yes`
+
+Now, reload the config of the ssh server. Assuming you are using `systemd`:
+: `sudo systemctl reload sshd`
+
+Before we continue, please do try to connect to the remote machine with your ssh key:
+: `ssh -i ~/.ssh/nameofthekey remote-user@remote-server` *# choose the private key!*
+: enter the password for your private key, and you should be connected.
+
+#### Enable the strict mode
+
+Open the `sshd_config` file and add:
+: `StrictModes yes`
+: this makes sure, that the permissions are correct on the client side. You won't be able to connect to the server, if the permissions are not correct! 
+
+Now, reload the config of the ssh server:
+: `sudo systemctl reload sshd`
+
+**Important**: Please test the connection once more!
+
+If you successfully connected to the remote machine, you can proceed to turn off password authentication.
+
+#### Disable password authentication
+
+**Last chance**: make sure that you have tested the public key authentication, and / or have another option to access the machine.
+
+Open the `sshd_config` file and change one option:
+: `PasswordAuthentication no`
+
+This will disable the possibility to authenticate with a password, but you should still be able to log in with your public key, after reloading the config.
+
+Reload the config of the ssh server:
+: `sudo systemctl reload sshd`
+
+**This should be it!**
+
+[More SSH hardening options can be found here.](https://ittavern.com/ssh-server-hardening/)
+
+## Debugging
+
+Some debugging options on client:
+: `-v` / `-vv` / `-vvv`
+: `ssh -vvv -i ~/.ssh/nameofthekey remote-user@remote-server`
+
+Some debugging options on server:
+: `sudo journalctl -u ssh`
+: `sudo grep ip.of.your.machine /var/log/auth.log`
+
+You can change the log level of the server by editing the config file:
+: `LogLevel INFO` *# default*
+: `LogLevel DEBUG` *# enable DEBUG mode*
+
+Don't forget to turn it off again before it fills up your storage.
+
+
+## Manage private key identities with an agent
+
+Nobody wants to enter their password for the private key every time they want to connect to a server. By using `ssh-add` - the OpenSSH auth agent - you can add your private key once for the session, and do not have to enter your private key password every time.
+
+Check for identities:
+: `ssh-add -L`
+
+Add private key identity:
+: `ssh-add ~/.ssh/nameofthekey` *# choose the private key and enter the password*
+
+Remove all identities:
+: `ssh-add -D`
+
+#### Troubleshooting
+
+If you run into:
+: `Could not open a connection to your authentication agent.`
+
+Just run `eval "$(ssh-agent)"` OR `` `eval ssh-agent` `` and right after `exec ssh-agent bash`. This restarts the agent and sets the correct environment variables from my understanding.
+
+---

items/2022-12-15_long_10-prompts-1000-ai-generated-images-openai-dall-e.md

@@ -0,0 +1,257 @@
+# 10 prompts - 1000 AI generated images - openAI Dall-E
+
+## Table of content
+
+* <a href="#cats">1 - Cats</a> 
+* <a href="#robot">2 - Robot</a> 
+* <a href="#donut">3 - Donut</a> 
+* <a href="#dackel">4 - Dackel</a> 
+* <a href="#poster">5 - Poster</a> 
+* <a href="#citylife">6 - Citylife</a> 
+* <a href="#dolphin">7 - Dolphin</a> 
+* <a href="#light">8 - Light</a> 
+* <a href="#monster">9 - Monster</a> 
+* <a href="#cyberpunk">10 - Cyberpunk</a> 
+* <a href="#tech">Technical write-up</a> 
+
+## What is this all about?
+
+We were curious about how much variance the AI has. So, what would be the results if we were to request 100 images with the same prompt? - I won't review the results and rather just present the results to you.
+
+
+These **prompts** are a result of a quick **brain storming**. If you have suggestions, please let me know. I might create more posts like this in the future. The goal was to have a wide range to motives, styles, and so.
+
+These **images are unedited**. Generated - downloaded - created a montage; that is it. **These images are free for personal or commercial use and do not require any form of mentioning**. [Dall-e](https://labs.openai.com/about) gives ownership of the images to me, and I give you permission to do with it, whatever you want.
+
+The resolution of the originals is 1024x1024 and I might provide a download link at some point. If you want a single image, feel free to reach out.
+
+With testing, the **total costs** were around **20 EUR**. I'd say that it is acceptable. 
+
+You can find a **technical write-up** at the end of the post. But as a disclaimer: not best-practice. Feedback is still appreciated.
+
+
+# Gallery
+
+**So, enjoy!**
+
+## 1 - Cats <a href="#cats" id="cats">#</a>
+
+> photo of a kitten on a carpet in the living room, digital art
+
+<img src="/images/ai/1/montage_cats.jpg"
+     alt="cats"
+     style="width: 100%;">
+
+---
+
+## 2 - Robot <a href="#robot" id="robot">#</a>
+
+> small robot wandering around in an post-apocalyptic world, digital art
+
+<img src="/images/ai/1/montage_robot.jpg"
+     alt="robot"
+     style="width: 100%;">
+
+---
+
+## 3 - Donut <a href="#donut" id="donut">#</a>
+
+> minimalist logo of a donut shop
+
+<img src="/images/ai/1/montage_donut.jpg"
+     alt="donut"
+     style="width: 100%;">
+
+---
+
+## 4 - Dackel <a href="#dackel" id="dackel">#</a>
+
+> dackel in a suit in a library, digital art
+
+<img src="/images/ai/1/montage_dackel.jpg"
+     alt="dackel"
+     style="width: 100%;">
+
+---
+
+## 5 - Poster <a href="#poster" id="poster">#</a>
+
+> movie poster for an action movie from the 80s, digital art
+
+<img src="/images/ai/1/montage_poster.jpg"
+     alt="poster"
+     style="width: 100%;">
+
+---
+
+## 6 - Citylife <a href="#citylife" id="citylife">#</a>
+
+> a black and white photo of the life in new york
+
+<img src="/images/ai/1/montage_citylife.jpg"
+     alt="citylife"
+     style="width: 100%;">
+
+---
+
+## 7 - Dolphin <a href="#dolphin" id="dolphin">#</a>
+
+> sticker illustration of a cute dolphin
+
+<img src="/images/ai/1/montage_dolphin.jpg"
+     alt="dolphin"
+     style="width: 100%;">
+
+---
+
+## 8 - Light <a href="#light id="light">#</a>
+
+> area view of a city with street lights at night, digital art
+
+<img src="/images/ai/1/montage_light.jpg"
+     alt="light"
+     style="width: 100%;">
+
+---
+
+## 9 - Monster <a href="#monster" id="monster">#</a>
+
+> detailed sketch of an evil monster, digital art
+
+<img src="/images/ai/1/montage_monster.jpg"
+     alt="monster"
+     style="width: 100%;">
+
+---
+
+## 10 - Cyberpunk <a href="#cyberpunk" id="cyberpunk">#</a>
+
+> realistic photo of a colorful cyberpunk city in the rain at night, digital art
+
+<img src="/images/ai/1/montage_cyberpunk.jpg"
+     alt="cyberpunk"
+     style="width: 100%;">
+
+---
+
+
+## Tech write-up <a id="tech">#</a> 
+
+**Side note**: To be clear, this is not best-practice. It got its job done, and that is all I needed. Still, feel free to reach out, happy to learn!
+
+First, openai Dall-E API offers to generate the following sizes, with 3 different prices:
+
+```
+Resolution 	Price
+1024×1024 	$0.020 / image
+512×512 	$0.018 / image
+256×256 	$0.016 / image
+```
+
+I've generated the largest resolution. 
+
+### Limitations
+
+So, I've decided to use the API via curl, the first limit I encountered is the '10 images per request'.
+
+```markdown
+{
+  "error": {
+    "code": null,
+    "message": "20 is greater than the maximum of 10 - 'n'",
+    "param": null,
+    "type": "invalid_request_error"
+  }
+}
+```
+
+The next one would be the rate limit of 50 images per 5 minutes.
+
+```markdown
+{
+  "error": {
+    "code": null,
+    "message": "Rate limit reached for images per minute. Limit: 50/5min. Current: 60/5min. Please visit https://help.openai.com/en/articles/68839691 to learn how to increase your rate limit.",
+    "param": null,
+    "type": "requests"
+  }
+}
+```
+
+In the end, the download of the generated images was limited too. After every category I had to switch to another VPN server location to bypass the limit.
+
+### Script to download them all!
+
+I did a small break after every category to check the result of the script, and whether all images were generated and downloaded. 
+
+I'll add some comments later, but in short:
+: generate images and put curl response to file
+: get URL from output file and remove the quotation marks `"`
+: download images via curl
+: wait one minute to avoid rate limit
+
+```bash
+#!/bin/bash
+
+# For for-loop for the whole script due to the limitations
+# Curl request to generate the images via API, and the save the output via -o flag to a file
+
+for i in {1..10};
+do
+  echo $i
+
+  curl -o output.txt https://api.openai.com/v1/images/generations \
+    -H "Content-Type: application/json" \
+    -H "Authorization: Bearer sk-sdsdskdsdsdsdeefefe" \
+    -d '{
+      "prompt": "small robot wandering around in an post-apocalyptic world, digital art",
+      "n":10,
+      "size":"1024x1024"
+    }'
+
+# Gets the URLs of the generate images, removes quotation marks, and saves it to a new file (one URL per line)
+  cat output.txt | jq '.data[].url' | sed 's/"//g' > output_url.txt
+
+# Finally, download images with curl to the current directory. I was told that this is not bet practice, but it worked.
+  cat output_url.txt  | while read f; do curl "${f}" -O; done;
+
+# wait 60 seconds before we start it all over again
+  sleep 60
+done
+```
+
+Things to improve: start/stop, logs, error and information notification, speed
+
+### Rename everything
+
+In the next step, I had to rename all the files. The file names were cryptic and difficult to work with.
+
+```bash
+#!/bin/bash
+a=1
+n=cats
+for i in ./1_cats/*; do
+  new=$(printf "./1_cats/"$n"_%04d.jpg" "$a")
+  mv -i -- "$i" "$new"
+  let a=a+1
+done
+```
+
+The name scheme would look like: `cats_0001.png`
+
+### Create montage with imagemagick
+
+In the last step, I used `imagemagick` to create a montage with the following command.
+
+
+`montage -geometry 200x200+2+2 -tile 4x -set label '%f' *.jpg montag.jpg`
+
+Explanation:
+: `montage` *# imagemagick function to create montages*
+: `-geometry 200x200+2+2` *# size per image + min size of the padding between the images*
+: `-tile 4x` *# setting for the layout, 4 columns, unlimited rows. 3x4 would be a limit of 3 columns and 4 rows*
+: `-set label '%f'` *# adds the filename of the image on the montage*
+: `*.jpg` *# use ALL `.jpg` file within this directory for the montage*
+: `montag.jpg` *# name and format of the final montage*
+
+---

items/2022-12-17_long_my-it-edc-tool-kit-v2212.md

@@ -0,0 +1,145 @@
+# My IT EDC tool kit v2212
+
+**Side note:** This is not an ad, and there are no affiliate links. Just a show case of my current EDC kit for professional and private use.
+
+![edc-kit-preview](/images/blog/edc/2022-12/preview.png) 
+
+## What is an EDC kit?
+
+EDC stands for 'Every Day Carry'. It is - as the name implies - a kit that you bring with you every day. As someone who likes to watch EDC kit show cases or read blog posts about EDCs, there is an unlimited range of use cases, tools, sizes, combinations, and so on. I recently bought a new bag and switched out various tools, so I thought it would be a great timing to show you the status quo.
+
+For me personally, I like to be prepared. If I have the right tool with me, it will save me time and headaches. I am a Network Administrator for a living, and especially at work, it is a sign of professionalism to have certain tools at hand, and get the job done quickly. I have to carry more weight around, and some tools are rarely used, but it is worth it. I like to compare my EDC kit with others, I like to do research on new tools, and I like to use my tools!
+
+I most often use my kit at work. As mentioned before - I am working as a Network Administrator. Installing and working on switches / servers, UPS, server racks, and sometimes even those machines from hell - printers.
+
+As a side note: there is not 'the perfect EDC kit'. Times changes, tools are getting replaced, new situations come up, and it is impossible to have a tool for every (!) situation.
+
+## General information
+
+![edc-kit-overview](/images/blog/edc/2022-12/overview.png)
+
+The **bag** is the Maxpedition BEEFY Pocket Organizer. 
+
+**Fully packed:**
+
+**Lenghts**: 21 cm
+**Width**: 16 cm
+**Heights**: 14 cm
+
+**Weights**: 2,5 kg
+
+It is as clunky as it looks, but it fits perfectly into my 2 bags.
+
+# Categories
+
+I don't think it is necessary to show every tool separately, so I've categorised them. I've added some notes, but most should be self-explanatory.
+
+
+## Building / dismantling 
+
+I split this category into two parts, since it is different to work on a server rack or a smartphone. 
+
+### Heavy
+
+![edc-kit-tools](/images/blog/edc/2022-12/inst-big.png)
+
+1. **bits and socket set** *(Wera Tool-Checks Plus)*
+2. **pliers** *(Knipex Cobra 87 01 150)* 
+3. **wrenchs** - size 10 and 12, I might add size 8 at some point
+4. **screwdriver handle for bits** (Wera 05051462001)
+5. **Multitool** *(Gerber Suspension)*
+6. **decent 1/4-inch square ratchet **- the Wera set got a small ratchet, but I destroyed at least 3 already
+7. **various 1/4-inch square/hexagon adapters and extension** *(Milwaukee, Wera, Bosch)*
+
+### Fine
+
+![edc-kit-tools](/images/blog/edc/2022-12/inst-sma.png)
+
+1. **various plastic tools**
+2. **mini crowbar**
+3. **thin ratchet wrench** - a recent addition. Would have been helpful in the past. Has extra short bits, but works with normal bits too
+4. **precision screwdriver set** *(HOTO)*
+
+## Connecting things 
+
+### Network
+
+![edc-kit-tools](/images/blog/edc/2022-12/conn-net.png)
+
+1. **7,5m RJ45 network cable** - it is clipped to the bag
+2. **spare 1m RJ45 network cable** - just in case
+3. **USB-to-RJ45 adapter** - there are multiple use cases for it: connecting to an additional device, troubleshooting a different network route, and as a spare part (just let your laptop drop while the RJ45 cable is plugged in)
+
+### USB
+
+![edc-kit-tools](/images/blog/edc/2022-12/conn-usb.png)
+
+Welcome to dongle hell! My idea is to have 1 long cable, and adapters for every situations since a bunch of cables have a certain volume. I have had no problems with this solution, **yet**.
+
+
+1. **3m USB Type-C/Type-C cable** - clipped to the bag
+2. **USB HDMI capture card** - Troubleshooting session / server etc
+3. **spare 32GB USB stick** - I lose 1 per month
+4. **SD- and micro-SD USB adapter**
+5. **micro-SD-to-SD adapter**
+6. **charging USB protection** - not sure how those are called, but they prevent data transfers, so I can charge my devices securely at unknown USB sockets
+7. **female USB Type-C to male micro-USB adapter**
+8. **female USB Type-C to male mini-USB adapter** - jep, MINI USB, and yeah, I use them fairly often. Cisco switches uses mini-USB for console interfaces on the front.
+9. **2 spare USB wireless cards** - same as the USB to RJ45 adapter, but with more driver problems
+10. **female standard A USB to male USB Type-C adapter** - USB Type-C-only devices are way to common
+11. **female USB Type-C to male standard A USB adapter**
+12. **female micro-USB to female USB Type-C adapter**
+
+Forgot the 1m USB Type-C to Type-C cable. Too lazy to re-shoot. Sue me.
+
+
+## Fixating - keeping things together
+
+![edc-kit-tools](/images/blog/edc/2022-12/fixating.png)
+
+1. **around 5m of paracord**
+2. **zip ties**
+3. **superglue**
+4. **velcro cable ties**
+5. **duct tape**
+
+## Light - Let there be light
+
+![edc-kit-tools](/images/blog/edc/2022-12/light.png)
+
+1. **Brennenstuhl LED torch PL200**
+2. **EMOS Ultimate 50 flashlight**
+
+Seems redundant, but they have their own use cases. The magnet on the torch is great!
+
+## Misc
+
+![edc-kit-tools](/images/blog/edc/2022-12/misc.png)
+
+1. **snip** *(Klein)* - great to for stripping cables
+2. **telescope magnet** - this is a recent addition. The last screw recovery took way too long without it
+3. **plastic razor blades** - if you have to scrap something off a sensitive surface (stickers, glue, etc)
+4. **lighter**
+5. **1m mini measuring tape** *(Stanley)*
+6. **female USB Type-C to various DC connector adapter**
+
+And the gloves in the front. I am a fan of mechanixx gloves, and this pair is great. Thin enough to enjoy precise work, and protective enough against evil cut cable tie ends.
+
+### Spares
+
+![edc-kit-tools](/images/blog/edc/2022-12/spares.png)
+
+1. **various types of batteries**
+2. **spare mask, disinfection wipes, plaster**
+3. **cash**
+4. **small notebook**
+5. **spare cage nuts** - nothing is more annoying than forgetting cage nuts, nothing
+
+
+## Conclusion
+
+So, this is it. All in all, I am pretty happy with my current EDC kit, and I won't change much any time soon - at least that is what I am telling myself.
+
+You have tips, tool suggestions, or questions? - Feel free to reach out!
+
+---

items/2022-12-20_long_online-security-guide.md

@@ -0,0 +1,218 @@
+# Online Security Guide
+
+## What is this about?
+
+Let me start with; **there is no perfect security**. Your goal is to make it as difficult as possible to 'break in', so it is simply not worth it. There is a balance between security and usability, and you must find a good middle ground. 
+
+I keep it as short as possible and focus on the 'what' and 'why', not the 'how'. There are many ways to achieve the goals, but this is a topic for itself, and depends on the circumstances.
+
+## "I am not a target" <a href="#i-am-not-a-target" id="i-am-not-a-target">#</a>
+
+Unfortunately, anyone is, and yes, ANYONE can become a victim of a cybercrime. Cybercrime is highly lucrative, and criminals become more creative every year. Automation makes it simple to find easy targets or attack a large group of targets. 
+
+I'll try to provide you with enough information for safe internet use. If you feel overwhelmed, tackle one topic at a time, and keep improving. **It is never too late to care about your online security**.
+
+## TLDR - 5 most crucial  tips <a href="#tldr" id="tldr">#</a>
+
+
+If you only take away these five things, I will be more than happy. These steps alone take your security to the next level and are crucial. I'll go into more detail later in the post.
+
+1. **Password hygiene**; unique password for every account and a password length of at least 16 characters
+2. enable **Multifactor-authentication** (MFA, or 2FA) wherever you can
+3. **check twice, click once**; be more careful about what you click
+4. **keep your device and software up-to-date**
+5. **do not overshare**; everything can and will be used against you
+
+The rest of the post contains the reasoning, examples, and further points.
+
+## Account Security <a href="account-security" id="#account-security">#</a>
+
+### Delete accounts that are no longer required
+
+Archive and delete the account of the service. The account can't get hacked if it does not exist.
+
+### Never share your credentials
+
+You lose control over the account when you share your credentials. Even if you trust the other side, you often enough do not have control over the security measurements of the other site. 
+If you need to share credentials, change them as soon as the other site doesn't need them anymore. 
+
+### Use a separate email address for logins only
+
+The theory is to treat the secondary email as some kind of password. Communicate 'contact@yourdomain.com' publicly, keep 'wehjcejn@anotherdomain.org' private, and use this second email address only for logins. It is up to you how far you go: different alias, different domain, different account, different provider,...
+
+Having separate email addresses has multiple benefits, but the most important is that  brute-force attacks and other methods with your public email address are pointless. The attacker needs the private email address and your password (and your MFA, obviously).
+
+### Provide wrong answers to security questions
+
+Name of your first pet? Keyboard. Childhood nickname? 1513sd_!rg. Be creative. 
+
+Answering security questions truthfully makes you vulnerable to social engineering attacks. If you answer them truthfully, the attacker could gather information via social media and other platforms to answer those 'security questions'. Please keep in mind to document your fake answers in a secure place and do backups. 
+
+---
+
+## Password Security  <a href="#password-security" id="password-security">#</a>
+
+**Summarized: Generate and store a random and unique 16+ characters password for every account in your password manager.**
+
+### Use a unique password per account
+
+**Account breaches are inevitable**. There will be leaks, and user data will go public, which is out of your control. Vulnerabilities, rogue employees, misconfiguration, and a thousand ways how that can happen.
+
+Imagine you have the same email and password on every service. If only one service leaks your credentials, attackers gain access to all your accounts. As mentioned before, automation makes it easy to find out and lock you out quickly.
+
+Having a unique password for every service **limits the damage to the breached service**. Another benefit is that you do not have to change the credentials of all accounts if a single service leaks your credentials. 
+
+**Side note**: variations of a secure password don't count. `securepassword1`, `securepassword2` and `securepassword3` might be unique, but not secure. Just generate them randomly with your password manager. 
+
+### Use a sufficient password lenght
+
+Obligatory xkcd comic:
+
+![xkcd-password-936](/images/blog/xkcd-password-936.png)
+
+[Source](https://xkcd.com/936/)
+
+Complexity is good, length is great, and the combination of both is king. No matter the complexity, every password with less than 10 characters should be considered insecure. 12+ characters is a must, and I'd instead recommend 16+ characters. And why not more? - If you use a password generator, nothing speaks against a 30+ character password. 
+
+**Side note**: passphrases are great too, and they can be used for temporary passwords, where copy and paste is not an option. `dolphin chase mall nightmare` as a passphrase is secure enough, and easy to remember or share over the phone (I know, I know, not best practice, but sometimes there is no other way). 
+
+### Use a password manager
+
+There are various solutions for every use case. Know your needs: offline availability, mobile-friendly, self-hosted or managed solution, open-source or proprietary, and so on.
+
+Every solution has pros and cons. Knowing them is half the battle. 
+
+**Important**: Do regular backups of your password database. Most services provide such option, and use it. Don't forget to keep them encrypted. 
+
+### Generate random passwords
+
+I think I've mentioned it before, but just to be sure: generate random and long passwords. Using personal information for password creation makes it easy to guess.
+
+The same applies to passphrases; `firstname lastname 2022` is long, but not secure (assuming the attacker knows a little more).
+
+### Keep it in a secure place
+
+Self-explanatory; even the password manager needs a master password, which should not be written on a post-it and stuck on the monitor. 
+
+### *Controversial*: changing passwords regularly
+
+Companies love - or sometimes have - to force their employees to change their passwords every `n` months. Anyone who had to endure it knows that this rather encourages bad password choices: `winter2022`,`spring2023`,`summer2023`, and so on.
+
+It does not hurt to change passwords regularly, but it is not worth the hassle, and you should be fine if you follow the other tips. 
+
+---
+
+## Multi-/2-factor authentication  <a href="#mfa" id="mfa">#</a>
+
+This authentication method requires the user to provide two or more factors to access the desired service. Those factors can be: **knowledge** (something you know (e.x. pin, password, security question)), **possession** (something you have (e.x. security token, security key, second device)), and **inherence** (something you are (e.x. fingerprint, iris)).
+
+MFA protects you from various attacks and risks. Even if the attacker knows your email/username and  password, they wouldn't be able to log into your account without the second factor.
+
+#### Something you have
+
+**Side note**: this applies to digital and hardware access.
+
+**Recommended**: TOTP (Time-based One-time password):
+: in short: the service provides you with a secure string, this secure string must be inserted into a TOTP generator, and that generator generates a new PIN every 30 seconds based on the current time and the secure string. There are mobile app, password managers, and desktop programs that can do it.
+: **Important**: keep the secure string private, and do your backups!
+: Another way to generate TOTPs is to use hardware tokens. The process is slightly different, depending on the vendor you use.
+
+**Recommended**: Hardware keys:
+: plug it into the device, add the key to the service of your choice, and with the next login, the service would request you to press the bottom on the key to verify, that you are in possession of the authorized key.
+: **Important**: I recommend buying a second one as a backup. Some vendors provide tools to copy the configuration/ secrets to another key, or simply add both keys to the service.
+
+Email-based MFA:
+: maybe the most common method is MFA over email. You either get sent a verifying link or a pin to confirm your access to the email address. It has its own risks, since the breached email account could cause more 'damage'.
+
+MFA over text message:
+: same as Email-based MFA, but over text. It is **not** recommended to use this, when other options are available. Still, better than no MFA.
+
+Push notifications to other devices/ sessions:
+: in this case, you have to confirm a new login or activity on another device or session already verified in the system. 
+
+Certificates:
+: user or device certificates can be created, and installed on a device. You can now limit access to a service to devices with a valid certificate that the service trusts. You can rarely find this on personal services, but I wanted to add it.
+
+Smart cards:
+: there can be special smart cards for your device, or USB smart cards. You add the smart card to the service as a trusted smart card, and you can login as long the smart card is connected. 
+: **Side note**: some hardware keys can be configured to act like a smart card, but it depends on the model.
+
+#### Something you are
+
+I won't go into detail, but here are some ways of biometric authentications: fingerprint scanning, facial recognition, voice recognition, iris/retinal scan, vein scan, hand geometry, and there are many more.
+
+I've read somewhere that **biometric features should be considered usernames** rather than passwords and I agree. 
+
+First, they are more or less **not private**. There are multiple presentations in which they show how to get enough information of a fingerprint from a picture (!) to reconstruct it, and successfully authorize a login with it. (I can't find the link to the video, sorry!) Second, you **can't change it**. You can't change your fingerprint, your iris, and so on. 
+
+A 'password' that is not private and cannot be changed is not secure.
+
+There are more security, accessibility and privacy concerns, but those a out of scope of this post.
+
+#### Something you know
+
+Security questions:
+: you have to answer security questions, and you have to provide those answers to gain access to certain resources and so on.
+
+PIN:
+: just a simple PIN, besides the password.
+
+---
+
+**Important**: I cannot stress enough how important backups are. Even though MFA is a must and brings your online security to the next level, there is a legit risk of getting locked out if you lose access to the second factor. 
+
+## Do not overshare  <a href="#over-sharing" id="over-sharing">#</a>
+
+I might be paranoid, but the internet can be a dangerous place. As the police would say: '**everything you say can and will be used against you**'. This section relates to targeted rather than automated attacks.
+
+In the time of social media - we do not speak enough about oversharing. The danger of getting doxed, or getting targeted increases with every piece of information you share. The easiest example would be if someone brags about cryptocurrency earnings, and would immediately get targeted by group X, that specializes in certain attacks. 
+
+Something you can do is **lie, share wrong information about yourself,  use an alias**, and so on. It depends on the platform, but regularly **deleting old posts** can prevent further information gathering in the future. 
+
+Be skeptical and keep in mind: **the internet does not forget**.
+
+
+## Check twice, click once  <a href="#check-twice" id="check-twice">#</a>
+
+The best security strategy is worthless if someone clicks and downloads anything negligently.
+
+It also applies here: be skeptical. If it is too good to be true, it often is. 
+
+To provide some examples: 2 ways to deal with suspicious messages would be to, first, **verify the request over a different channel and do not use the contact information of the suspicious message**. Like asking your boss over the phone, if you really should send the money to this new client - just in case his email account is compromised. Second, if you receive a suspicious message of service provider X, **do not click on any links**. Instead, open your browser, login to provider X's service, and confirm the request there, or simply call them. Only click on links if it is necessary.
+
+**Side note**: suspicious can be everything you did not expect or is out of the norm. 
+
+Being careful is an important part of being secure online.
+
+## Secure your device  <a href="#secure-device" id="secure-device">#</a>
+
+**Keep your operating system, browser, antivirus, and everything else up-to-date**. I cannot stress enough how important that is. 
+
+Use **firewalls, antivirus, and ad-blockers** to block unwanted connections and content. 
+
+**Encrypt** everything you can to limit the damage of a security incident and protect your critical data. 
+
+Do **regular backups** to prevent data loss. That includes hardware damage, mal-/ransomware, theft, and so on. Store them in a secure place. 
+
+So, **VPN services**. In the end, it is a paid man-in-the-middle that masks/hides your activity from your ISP and your origin from the destination. But everything you hide from the ISP can be seen by the chosen VPN provider. It is simply a shift of trust. 
+
+I personally would recommend the use of a VPN, since the benefits outweigh the risks, but a VPN is not the high-end security solution that many providers promise to deliver. You cann download malware, your credit card information can be stolen, and you can still be tracked.
+
+Do your research. There are good and bad VPN providers, and NEVER use free VPN or proxy providers!
+
+In the end, I have to mention **Tor**. Tor routes your traffic through of network of nodes and makes it almost to track back. It is an important tool, but I am afraid that a detailed description is out of the scope of this post.
+
+## Conclusion  <a href="#conclusion" id="conclusion">#</a>
+
+So, I hope I could provide some new ideas on how to protect your online activity. Just start with the five most important points that I showed at the start, and tackle other topics later. And keep in mind, there is no perfect security, just making it more complex, and limiting the damage in case of a security incident.
+
+Questions:
+: Should I add more examples, or is it already too long?
+: Should I add recommendations, or should this be a neutral guide? Could be seen as bias and promotion.
+: Should I write more about Tor?
+: Should I write more about the risks of doxing, ransomware, theft, and how the tips help against it?
+: Should I add label like 'must', 'important', 'optional', and so on?
+
+**Feel free to reach out to send questions, more tips, different topics, and so on. I'd appreciate your feedback. The guide will be updated accordingly.**
+
+---

items/2022-12-25_long_guide-to-wireshark-display-filters.md

@@ -0,0 +1,345 @@
+# Guide to Wireshark display filters
+
+# The goal of this post
+
+This post is a quick reference for using the display filters in Wireshark. The display filter is used to filter a packet capture file or live traffic, and it is essential to know at least the basics if you want to use Wireshark for troubleshooting and other evaluations.
+
+In this post, I'll focus on the display filters for IPv4 only. Wireshark offers a wide range of tools that are out of this post's scope. IPv6 will be added at some point.
+
+There is no way to list every filter, and I try to concentrate on the most commonly used ones. In general, it is recommended to use the right-click function to add specific protocols/ fields/ values, etc, to the filter. 
+
+![filter-selection](/images/blog/wireshark-filter-selection.png)
+
+Nevertheless, a list of all display filters can be found [here](https://www.wireshark.org/docs/dfref/). I've added links to the specific category to every protocol in the rest of the post.
+
+If you think I forgot something important or want to share more tips, feel free to reach out. I'd appreciate it, and I am happy to learn.
+
+In an attempt to keep it to the basics, I left out topics like functions, variables, macros, arithmetic operators, and some other advanced things. As mentioned before, I'll add IPv6 filters, some more context for when I use certain filters, more topics like OSPF, HTTP/s, and so others, and some more functions.
+
+## Difference display filter and capture filter
+
+### Capture filter 
+![capture-filter](/images/blog/wireshark-capture-filter.png)
+
+The capture filter - as the name suggests - is a filter for the capturing of packets itself. With this filter turned on, you can start packet capture, and everything filtered out won't be saved. This is mainly for long packet captures or connections/devices with a lot of traffic helpful, and often enough necessary. Capture filters can have a different syntax and won't be tackled in this post. 
+
+### Display filter
+![display-filter](/images/blog/wireshark-display-filter.png)
+
+The display filter hides filtered packets and is mainly used on already saved packet capture files or live traffic. 
+
+---
+
+Just so you know the difference when you search for more commands.
+
+## Saving display filters <a href="#saving" id="saving">#</a>
+
+There are two common ways to save filters. They can then be used in later sessions or help you switch between different filters, especially since certain filters can get very long.
+
+### Display filter bookmark
+
+![filter-bookmark](/images/blog/wireshark-display-filter-bookmark.png)
+
+### Display filter buttons
+
+![filter-buttons](/images/blog/wireshark-display-filter-button.png)
+
+## Color of the display filter bar <a href="#color" id="color">#</a>
+
+Green:
+: Filter is accepted, syntax is ok
+
+Red:
+: Filter is NOT accepted, syntax is wrong
+
+Yellow:
+: Filter is accepted, syntax is ok, BUT the filter results might not be clear, e.x. if you reference a field that is present in multiple protocols
+: *(haven't found too much information about it)*
+
+
+## Operators <a href="#operators" id="operators">#</a>
+
+### Logical operators
+
+It runs from left to right and can be grouped with parentheses `()`.
+
+Logical `AND`:
+: `and` / `&&`
+
+Logical `OR`:
+: `or` / `||`
+
+Logical `NOT`:
+: `not` / `!`
+: e.x. `!ip.src == 10.10.10.1` - this would filter out everything with the source IP of `10.10.10.1`
+
+(Logical `XOR`):
+: `xor` / `^^`
+: **Side note**: read it multiple times, but does not work for me. I just 'craft' something like this:
+: `(x and !y)or(!x and y)`
+
+
+### Comparison operators
+
+Equal:
+: `eq` / `==`
+
+Not Equal:
+: `ne` / `!=`
+
+Greater Than:
+: `gt` / `>`
+
+Less Than:
+: `lt` / `<`
+
+Greater than or Equal to:
+: `ge` / `>=`
+
+Less than or Equal to:
+: `le` / `<=`
+
+### Content filter
+
+Filters for protocol, field, or slice that contains a specific value:
+: `contains`
+
+'Does the protocol or text string match the given case-insensitive Perl-compatible regular expression':
+: `matches` / `~`
+
+### Boolean
+
+The following formats are accepted:
+
+```
+option == 1
+option == True
+option == TRUE
+
+option == 0
+option == False
+option == FALSE
+```
+
+### Escape characters 
+
+I prefer to use the 'raw string' function, instead of fighting with escape characters:
+: `smb.path contains r"\\SERVER\SHARE"`
+
+List of escape sequences:
+
+```
+smb.path contains "\\\\SERVER\\SHARE"
+\'          single quote
+\"          double quote
+\\          backslash
+\a          audible bell
+\b          backspace
+\f          form feed
+\n          line feed
+\r          carriage return
+\t          horizontal tab
+\v          vertical tab
+\NNN        arbitrary octal value
+\xNN        arbitrary hexadecimal value
+\uNNNN      Unicode codepoint U+NNNN
+\UNNNNNNNN  Unicode codepoint U+NNNNNNNN
+```
+
+# Time filter <a href="#time-filter" id="time-filter">#</a>
+
+`frame.time >= "Dec 23, 2022 17:00:00" && frame.time <= "Dec 23, 2022 17:05:00"`
+
+This filter is a simple time filter. Right-click on `frame.time` / Arrival time in the frame, and add it to the filter to work with it. Directly right-clicking on the 'time' column and applying the filter won't work since it inserts another format. I bet you can configure this, but I never bothered to try.
+
+If you want to add more filters, simply put the time segment into parentheses, and add the new filter after or before it.
+
+---
+
+**Side note**: I am not sure if I am happy with the following format, and I might change it at some point. It is food enough for now, though.
+
+[Full reference (eth)](https://www.wireshark.org/docs/dfref/e/eth.html)
+
+You can choose between multiple MAC address formats:
+: `aa-bb-cc-dd-ee-ff` *# dash delimiter*
+: `aa:bb:cc:dd:ee:ff` *# colon delimiter*
+: `aabb.ccdd.eeff` *# Cisco style*
+
+MAC / Ethernet address:
+: `eth.addr==aa-bb-cc-dd-ee-ff` *# Source+Destination MAC address*
+: `eth.src==aa-bb-cc-dd-ee-ff` *# Source MAC address*
+: `eth.dst==aa-bb-cc-dd-ee-ff` *# Destination MAC address*
+
+VLAN:
+: `eth.vlan.id==1`
+
+## IP <a href="#ip" id="ip">#</a>
+
+[Full reference (ip)](https://www.wireshark.org/docs/dfref/i/ip.html)
+
+Filter for IP protocol:
+: `ip`
+
+Filter IP addresses:
+: `ip.addr == 10.10.10.10` *# source+destination IP address*
+: `ip.src == 10.10.20.50` *# source IP address*
+: `ip.dst == 10.10.20.50` *# destination IP address*
+
+**Side note**: You can filter whole subnets with CIDR notation like `10.10.20.0/24` too.
+
+Filter packet TTL:
+: `ip.ttl == 64`
+
+## ICMP <a href="#ICMP" id="ICMP">#</a>
+
+[Full reference (icmp)](https://www.wireshark.org/docs/dfref/i/icmp.html)
+
+Filter for `ICMP`:
+: `icmp`
+
+ICMP echo request (ping):
+: `icmp.type == 8`
+
+ICMP echo reply (ping):
+: `icmp.type == 0`
+
+
+## ARP <a href="#arp" id="arp">#</a>
+
+[Full reference (arp)](https://www.wireshark.org/docs/dfref/a/arp.html)
+
+Target MAC address:
+: `arp.dst.hw_mac` 	
+
+Sender hardware address:
+: `arp.src.hw` 	
+
+Target IP address:
+: `arp.dst.proto_ipv4` 	
+
+Sender IP address:
+: `arp.src.proto_ipv4`	
+
+## TCP <a href="#tcp" id="tcp">#</a>
+
+[Full reference (tcp)](https://www.wireshark.org/docs/dfref/t/tcp.html)
+
+Filter for TCP:
+: `tcp`
+
+Filter TCP ports:
+: `tcp.port == 53` *# source+destination TCP port*
+: `tcp.srcport == 68` *# source TCP port*
+: `tcp.dstport == 68` *# destination TCP port*
+
+**Side note**: filtering 'TCP streams' is helpful, but it is easier to right click on the TCP segment, and filter there instead of tpying in a filter.
+
+### Examples
+
+General troubleshooting for packet loss:
+: `tcp.analysis.flags && !tcp.analysis.window_update`
+: displays all retransmissions, duplicate ACKs, other TCP errors. I'll use this in combination with IP filters to get a feeling for the connection quality.
+
+Look for 3-way-handshakes:
+: `((tcp.flags == 0x02) || (tcp.flags == 0x12) ) || ((tcp.flags == 0x10) && (tcp.ack==1) && (tcp.len==0))`
+
+Fitlers for TCP resets flag:
+: `tcp.flags.reset==1`
+
+## UDP <a href="#udp" id="udp">#</a>
+
+[Full reference (udp)](https://www.wireshark.org/docs/dfref/u/udp.html)
+
+Filter for UDP:
+: `udp`
+
+Filter UDP ports:
+: `udp.port == 53` *# source+destination UDP port*
+: `udp.srcport == 68` *# source UDP port*
+: `udp.dstport == 68` *# destination UDP port*
+
+## DHCP <a href="#dhcp" id="dhcp">#</a>
+
+[Full reference (dhcp)](https://www.wireshark.org/docs/dfref/d/dhcp.html)
+
+Filter for dhcp
+: `dhcp`
+
+Filter for type (DORA)
+: `dhcp.option.dhcp == 1` *# Discover*
+: `dhcp.option.dhcp == 2` *# Offer*
+: `dhcp.option.dhcp == 3` *# Request*
+: `dhcp.option.dhcp == 5` *# Discover*
+
+Search for `hostname`:
+: `dhcp.option.hostname == "pleasejustwork"`
+
+Seach for various options:
+: `dhcp.option.type == 3` *# Search for a specific option number*
+: `dhcp.option.dhcp_server_id == 10.10.20.1` *# Option: (54) DHCP Server Identifier*
+: `dhcp.option.type == 51` *# Option: (51) IP Address Lease Time*
+: `dhcp.option.subnet_mask == 255.255.255.0` *# Option: (1) Subnet Mask (255.255.255.0)*
+: `dhcp.option.router == 10.10.20.1` *# Option: (3) Router*
+: `dhcp.option.domain_name_server == 9.9.9.9` *# Option: (6) Domain Name Server*
+: I won't list all of them, but you can find all options [here](https://www.wireshark.org/docs/dfref/d/dhcp.html).
+
+### Examples
+
+Search for a DHCP discover message of specific MAC address:
+: `(dhcp.hw.mac_addr == aa:bb:cc:dd:ee:ff) && (dhcp.option.dhcp == 1)`
+: `(eth.src == aa:bb:cc:dd:ee:ff) && (dhcp.option.dhcp == 1)`
+
+Finding rogue DHCP server:
+: `dhcp && !dhcp.option.dhcp == 1 && !dhcp.option.dhcp_server_id == 10.10.20.1` 
+: it is DHCP, it is not a discover message, and is not our DHCP server for this network
+: `(udp.dstport == 68) && !(dhcp.option.dhcp_server_id == 10.10.20.1)`
+: this is another option to check for the dst port '68' and filter out our DHCP server
+
+Check if other DNS server are getting populated:
+: `dhcp.option.dhcp == 2 && !(dhcp.option.domain_name_server == 9.9.9.9)  &&  !(dhcp.option.domain_name_server == 149.112.112.112)`
+
+## DNS <a href="#dns" id="dns">#</a>
+
+[Full reference (dns)](https://www.wireshark.org/docs/dfref/d/dns.html)
+
+Filter for DNS queries:
+: `dns`
+
+Filter for DNS queries:
+: `dns.flags.response == 0`
+
+Filter for DNS responses:
+: `dns.flags.response == 1`
+
+Filter the domain on the DNS quieries:
+: `dns.qry.name == "ittavern.com"` *# Discover*
+
+Filter common DNS records:
+: `dns.qry.type == 1` *# `A` record*
+: `dns.qry.type == 28` *# `AAAA` record*
+: `dns.qry.type == 16` *# `txt` record*
+: `dns.qry.type == 5` *# `CNAME` record*
+: `dns.qry.type == 33` *# `srv` record*
+: `dns.qry.type == 15` *# `MX` record*
+: `dns.qry.type == 2` *# `NS` record*
+
+Filter for the DNS server answer:
+: `dns.a == 94.130.76.189`  *# answer of a `A` record*
+: `dns.txt == "v=spf1 include:spf.protection.outlook.com -all"` *# answer of a `TXT` record request*
+: and so on
+
+### Examples
+
+Look up what DNS servers are used:
+: `(ip.dst == 10.64.0.1) && (dns)`
+
+Show only DNS traffic of one client:
+: `dns && (ip.dst==10.10.20.1 or ip.src==10.10.20.1)`
+
+Check for slow responses:
+: `dns.flags.rcode == 0 && dns.time > .3` *# might needs some fine tuning depending on the env*
+
+Show DNS requests that couldn't be resolved:
+: `dns.flags.rcode != 0` 
+
+---

items/2023-01-01_long_visual-guide-to-ssh-tunneling-and-port-forwarding.md

@@ -0,0 +1,227 @@
+# Visual guide to SSH tunneling and port forwarding
+
+To make it quick, I wish I had known about port forwarding and tunneling earlier. With this blog post, I try to understand it better myself and share some experiences and tips with you.
+
+**Topics**: use cases, configuration, SSH jumphosts, local/remote/dynamic port forwarding, and limitations
+
+## Use cases <a href="#use-cases" id="use-cases">#</a>
+
+SSH tunneling and port forwarding can be used to forward TCP traffic over a secure SSH connection from the SSH client to the SSH server, or vice versa. TCP ports or UNIX sockets can be used, but in this post I'll focus on TCP ports only.
+
+I won't go into details, but the following post should show enough examples and options to find use in your day-to-day work.
+
+Security:
+: encrypt insecure connections (FTP, other legacy protocols)
+: access web admin panels via secure SSH tunnel (Pub Key Authentication)
+: having potentially less ports exposed (only 22, instead of additional 80/443)
+
+Troubleshooting:
+: bypassing firewalls/content filters
+: choosing different routes
+
+Connection:
+: reach server behind NAT
+: use jumphost to reach internal servers over the internet
+: exposing local ports to the internet
+
+There are many more use cases, but this overview should give you a sense of possibilities.
+
+# Port forwarding
+
+Before we start: the options of the following examples and be combined and configured to suit your setup. As a side note: if the `bind_address` isn't set, localhost will be the default
+
+## Configuration / Preparation <a href="#configuration" id="configuration">#</a>
+
+* The **local and remote users must have the necessary permissions** on the local and remote machines respectivly to open ports. **Ports between 0-1024 require root privileges** - if not configured differently - and the rest of the ports can be configured by standard users.
+* **configure clients and network firewalls accordingly**
+
+SSH port forwarding must be enabled on the server:
+: `AllowTcpForwarding yes`
+: *It is enabled by default, if I recall it correctly*
+
+If you forward ports on interfaces other than 127.0.01, then you'll need to enable `GatewayPorts` on the SSH server:
+: `GatewayPorts yes`
+
+Remember to **restart the ssh server service**.
+
+## SSH jumphost / SSH tunnel <a href="#jumphost" id="jumphost">#</a>
+
+Transparently connecting to a remote host through one or more hosts.
+
+`ssh -J user@REMOTE-MACHINE:22 -p 22 user@10.99.99.1`
+
+![ssh-port-forwarding-info](/images/blog/ssh-jh-1.png)
+
+**Side note**: The port addressing can be removed, if the default port 22 is used!
+
+On REMOTE-MACHINE as jumphost:
+
+```markdown
+[user@REMOTE-MACHINE]$ ss | grep -i ssh
+tcp   ESTAB 0      0                                             167.135.173.108:ssh    192.160.140.207:45960
+tcp   ESTAB 0      0                                             10.99.99.2:49770      10.99.99.1:ssh
+```
+
+Explanation:
+: `167.135.173.108` - public IP of REMOTE-MACHINE
+: `92.160.120.207` - public IP of LOCAL-MACHINE
+: `10.99.99.2` - internal IP of REMOTE-MACHINE
+: `10.99.99.1` - internal IP of REMOTE-WEBAPP
+
+#### Using multiple jumphosts
+
+Jumphosts must be separated by commas:
+: `ssh -J user@REMOTE-MACHINE:22,user@ANOTHER-REMOTE-MACHINE:22 -p 22 user@10.99.99.1`
+
+
+## Local Port Forwarding <a href="#local-port-forwarding" id="local-port-forwarding">#</a>
+
+#### Example 1
+
+`ssh -L 10.10.10.1:8001:localhost:8000 user@REMOTE-MACHINE`
+
+
+![ssh-port-forwarding-info](/images/blog/ssh-lpf-1.png)
+
+Access logs of the webserver on REMOTE-MACHINE that only listens on 127.0.0.1:
+: `127.0.0.1 - - [30/Dec/2022 18:05:15] "GET / HTTP/1.1" 200`
+: the request originates from LOCAL-MACHINE
+
+
+#### Example 2
+
+`ssh -L 8001:10.99.99.1:8000 user@REMOTE-MACHINE`
+
+![ssh-port-forwarding-info](/images/blog/ssh-lpf-2.png)
+
+Access logs of the webserver on REMOTE-WEBAPP:
+: `10.99.99.2 - - [30/Dec/2022 21:28:42] "GET / HTTP/1.1" 200`
+: the request originates from the intern IP of LOCAL-MACHINE (10.99.99.2)
+
+
+## Remote Port Forwarding <a href="#remote-port-forwarding" id="remote-port-forwarding">#</a>
+
+#### Example 1+2
+
+`ssh -R 8000:localhost:8001 user@REMOTE-MACHINE`
+
+![ssh-port-forwarding-info](/images/blog/ssh-rpf-1.png)
+
+`ssh -R 8000:10.10.10.2:8001 user@REMOTE-MACHINE`
+
+![ssh-port-forwarding-info](/images/blog/ssh-rpf-2.png)
+
+
+#### Example 3
+
+`ssh -R 10.99.99.2:8000:10.10.10.2:8001 user@REMOTE-MACHINE`
+
+![ssh-port-forwarding-info](/images/blog/ssh-rpf-3.png)
+
+ **Important**: `GatewayPorts yes` must be enabled on the SSH server to listen on another interface than the loopback interface.
+
+## Dynamic port forwarding <a href="#dynamic-port-forwarding" id="dynamic-port-forwarding">#</a>
+
+To forward more than one port, SSH uses the [SOCKS](https://en.wikipedia.org/wiki/SOCKS) protocol. This is a transparent proxy protocol and SSH makes us of the most recent version SOCKS5.
+
+Default port for SOCKS5 server is 1080 as defined in [RFC 1928](https://datatracker.ietf.org/doc/html/rfc1928).
+
+The client must be configured correctly to use a SOCKS proxy. Either on the application or OS layer.
+
+#### Example
+
+`ssh -D 10.10.10.1:5555 user@REMOTE-MACHINE`
+
+![ssh-port-forwarding-info](/images/blog/ssh-dpf-1.png)
+
+Use `curl` on a 'LOCAL' client to test the correct connection/path:
+: `curl -L -x socks5://10.10.10.1:5555 brrl.net/ip`
+: *If everything works out, you should get the public IP of the REMOTE-MACHINE back*
+
+
+## SSH TUN/TAP tunneling
+
+I won't go into detail, but you can create a bi-directional TCP tunnel with the `-w` flag. The interfaces must be created beforehand, and I haven't tested it yet.
+
+`-w local_tun[:remote_tun]`
+
+
+## How to run SSH in the background <a href="#background" id="background">#</a>
+
+The native way to run the tunnel in the background would be `-fN`:
+: `-f` - run in the background
+: `-N` - no shell
+
+`ssh -fN -L 8001:127.0.0.1:8000 user@REMOTE-MACHINE`
+
+Others than that: use screen or some other tools.
+
+#### Stop the SSH running in the background
+
+```markdown
+user@pleasejustwork:~$ ps -ef | grep ssh
+[...]
+user      19255       1  0 11:40 ?        00:00:00 ssh -fN -L 8001:127.0.0.1:8000 user@REMOTE-MACHINE
+[...]
+```
+
+Kill the process with the PID:
+: `kill 19255`
+
+## Keep SSH connection alive
+
+I won't go into detail, but there are different ways to keep the SSH connection alive.
+
+#### Handle timeouts with heartbeats
+
+Both options can be set on the client or server, or both.
+
+`ClientAliveInterval` will send a request every `n` seconds to keep the connection alive:
+: `ClientAliveInterval 15`
+
+`ClientAliveCountMax` is the number of heartbeat requests sent after not receiving an respond from the other side of the connection before terminating the connection: 
+: `ClientAliveCountMax 3`
+: `3` is the default, and setting it to `0` will disable connection termination. In this example, the connection would drop after around 45 seconds without any responds. 
+
+#### Reconnecting after termination
+
+There are mutliple ways to do it; autossh, scripts, cronjobs, and so on.
+
+This is beyond this post and I might write about in the future. 
+
+## Limitations <a href="#limitations" id="limitations">#</a>
+
+#### UDP
+
+SSH depends on a reliable delivery to be able to decrypt everything correctly. UDP does not offer any reliability and is therefore not supported and recommended to use over the SSH tunnel.
+
+That said, there are ways to do it as described in [this post](http://zarb.org/~gc/html/udp-in-ssh-tunneling.html). I still need to test it.
+
+#### TCP-over-TCP
+
+It lowers the throughput due to more overhead and increases the latency. On connections with packet loss or high latencies (e.x. satellite) it can cause a [TCP meltdown](https://openvpn.net/faq/what-is-tcp-meltdown/).
+
+[This post](http://sites.inka.de/sites/bigred/devel/tcp-tcp.html) is a great write-up.
+
+Nevertheless, I'd been using OpenVPN-over-TCP for a while, and it worked flawlessly. Less throughput than UDP, but reliable. So, it highly depends on your setup.
+
+#### Not a VPN replacement
+
+Overall, it is not a VPN replacement. SSH tunneling can be used as such, but a VPN is better suited for better performance.
+
+#### Potential security risk
+
+If you do not need those features, it is recommended to turn them of. Threat actors could use said features to avoid firewalls and other security measures.
+
+
+---
+
+General links:
+: [SSH manual](https://www.man7.org/linux/man-pages/man1/ssh.1.html)
+: [sshd_config manual](https://www.man7.org/linux/man-pages/man5/sshd_config.5.html)
+
+The inspiration of this blog post are the following [unix.stackexchange answer](https://unix.stackexchange.com/a/115906) and [blog post of Dirk Loss](http://dirk-loss.de/ssh-port-forwarding.htm).
+
+Thanks to Frank and ruffy for valuable feedback!
+
+---

items/2023-01-03_long_linux-unmount-a-busy-target-safely.md

@@ -0,0 +1,111 @@
+# Linux - unmount a busy target safely
+
+# Goal - removing target without data loss
+
+Unplugging or `unmount -l` (lazy unmount) can cause data loss. I want to share a way o avoid data loss.
+
+**Side note**: `unmount -l` will let you unmount the device, but as far as I know only 'hides' the mountpoint, and active processes can still write on said device.
+
+#### The problem
+
+`Error unmounting /dev/sdc1: target is busy`
+
+So, there are now different ways to unmount the target safely.
+
+**Side note**: the most common case is that you are still in a directory of said target. It happened way too often to me.
+
+## Preparation
+
+Those steps are not necessary, but help you troubleshoot. 
+
+#### Finding the mount point
+
+We are going to use `df -h` to find the mount point of the busy target. It is often not necessary, but it can be helpful.
+
+```bash
+kuser@pleasejustwork:~$ df -h
+[...]
+/dev/sdc1        59G   25G   35G  42% /media/kuser/hdd-target
+```
+
+#### Check if the device is still actively in use
+
+Additionally, you can check the activity of said device with [iostat](https://www.man7.org/linux/man-pages/man1/iostat.1.html). 
+
+```bash
+kuser@pleasejustwork:~$ iostat 1 -p sdc
+
+vg-cpu:  %user   %nice %system %iowait  %steal   %idle
+           1,14    0,00    0,63    2,66    0,00   95,56
+
+Device             tps    kB_read/s    kB_wrtn/s    kB_dscd/s    kB_read    kB_wrtn    kB_dscd
+sdc              13,00         0,00         7,50         0,00          0          7          0
+sdc1             13,00         0,00         7,50         0,00          0          7          0
+```
+
+`iostat` is powerful, but in this case the most important columns here are `kB_read/s    kB_wrtn/s`. If there is anything but `0,00`, the device is in use.
+
+If there is any activity and you unplug or unmount the device forcefully, data loss will most likely occur. 
+
+## Finding the process
+
+### Using 'fuser'
+
+More information can be found in the [manual of 'fuser'](https://linux.die.net/man/1/fuser).
+
+```bash
+kuser@pleasejustwork:~$ fuser -vm /dev/sdc1
+                     USER        PID ACCESS COMMAND
+/dev/sdc1:           root     kernel mount /media/kuser/hdd-target
+                     kuser     43966 F.c.. kate
+                     kuser     44842 ..c.. kate
+```
+
+I prefer 'fuser' since it is installed on most OS and does the job too.
+
+### Using 'lsof'
+
+More information can be found in the [manual of 'lsof' (list open files)](https://linux.die.net/man/8/lsof).
+
+```bash
+kuser@pleasejustwork:~$ lsof /dev/sdc1
+COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
+kate    43966 kuser  cwd    DIR   8,33    32768    1 /media/kuser/hdd-target
+kate    43966 kuser   24w   REG   8,33      142 2176 /media/kuser/hdd-target/.busybusy.txt.kate-swp
+```
+
+or
+
+```bash
+kuser@pleasejustwork:~$ lsof /media/kuser/hdd-target
+COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
+kate    43966 kuser  cwd    DIR   8,33    32768    1 /media/kuser/hdd-target
+kate    43966 kuser   24w   REG   8,33      142 2176 /media/kuser/hdd-target/.busybusy.txt.kate-swp
+```
+
+### Kill process / close program
+
+Kill process by PID:
+: `sudo kill -9 43966`
+
+or simply close the program that is using the file in the GUI.
+
+### Unmount
+
+Try to unmount again.
+
+
+
+## Some other methods
+
+I have had no problems with those yet, but some notable mentions.
+
+Some other things to look into: 
+: check the swap partition: `cat /proc/swaps`
+: stop nfs-kernel-server
+: stop samba/smb server
+: check for symbolic links
+
+There are more scenarios in which a target can be busy, but this should cover 95% of cases.
+
+---

items/2023-01-05_long_ssh-run-script-or-command-at-login.md

@@ -0,0 +1,99 @@
+# SSH - run script or command at login
+
+There a multiple use cases to run a script on login. Configuration, starting services, logging, sending a notification, and so on. I want to show you different ways to do so. 
+
+#### Example script
+
+The example script will notify me via push notification on my smartphone as soon as a new SSH connection is established. You can use a simple command or a script, and I will use a script for this blog post.
+
+`/path/to/script/notify-at-login.sh`
+
+```bash
+#!/bin/bash
+
+# 1 - Script without output!
+# IMPORTANT: Script with output break non-interactive sessions (scp, rsync, etc)
+
+curl -d "\"$SSH_CONNECTION\" - \"$USER\" logged in" ntfy.sh/reallyecurestringfornotifications >/dev/null 2>&1
+
+# If you only want to run the script for an interactive SSH login and need the output displayed, place the script right after section  2 and remove the redirect. 
+
+# 2 - Check if session is non-interactive  (remote command, rsync, scp, etc)
+
+if [[ $SSH_ORIGINAL_COMMAND ]]; then
+    eval "$SSH_ORIGINAL_COMMAND"
+    exit
+fi
+
+# 3 - choose your favorite shell for the SSH session
+
+/bin/bash
+```
+
+Remember to make it executable:
+: `sudo chmod +x /path/to/script/notify-at-login.sh`
+
+**Side note**: I am using [ntfy](https://github.com/binwiederhier/ntfy) to send push notifications to my smartphone. In this example, the push notification would look this:
+
+`92.160.50.201 40248 195.21.0.14 22 - <user> logged in`
+
+#### Output on non-interactive connections
+
+Just a reminder that you have to avoid any output of your script or command on non-interactive connections like rsync. Either prevent output from being displayed for non-interactive connections or all connections. The example script shows you one way to do so.
+
+## ForceCommand
+
+I prefer this method, and had been working pretty well so far. The user will run the command and it can't really be avoided by the client.
+
+Use the `ForceCommand` option in your `/etc/ssh/sshd_config` file to run the script:
+: `ForceCommand /path/to/script/notify-at-login.sh`
+
+ForceCommand ignores any command or script supplied by the client and ~/.ssh/rc by default.
+
+## PAM_exec
+
+Put the script into a new directory `/etc/pam_scripts`, set the directory's permission to `0755` and the owner and group must be `root`. The files permissions are `0700`, must be executable and the owner and group must be `root` as well. 
+
+Directory:
+: `sudo mkdir /etc/pam_scripts`
+: `sudo chmod 0755 /etc/pam_scripts`
+: `sudo chown root:root /etc/pam_scripts`
+
+Script:
+: `sudo chmod 0700 /etc/pam_scripts/notify-at-login.sh` 
+: `sudo chown root:root /etc/pam_scripts/notify-at-login.sh`
+
+Enable `UsePAM` in the `/etc/ssh/sshd_config`:
+: `UsePAM yes`
+
+Tell PAM to run the script at SSH login by adding the following line to `etc/pam.d/sshd`:
+: `session required pam_exec.so /etc/pam_scripts/notify-at-login.sh`
+
+All scripts added to the `/etc/pam_scripts/` directory will be run as `root` at login.
+
+## Shell startup & sshrc file
+
+You can run the script by your preferred startup file (`.profile` / `.bashrc`, etc) or use the SSH-specific profiles that run additionally before the user shell is loaded.
+
+For all users:
+: `/etc/ssh/sshrc` *# runs only if there is no user-specific configuration file `~/.ssh/rc`*
+
+Per user configuration in home dir:
+: `~/.ssh/rc`
+
+
+```markdown
+     ~/.ssh/rc
+             Commands in this file are executed by ssh when the user
+             logs in, just before the user's shell (or command) is
+             started.  See the sshd(8) manual page for more information.
+```
+
+Run the script via the startup file by adding the following line to it:
+: `. /path/to/script/notify-at-login.sh`
+
+Both the shell startup and sshrc files will be run by the user.
+
+**Side note**: if security is a concern - like a login notification - it is not recommended to use this method. Profile config files can be avoided by `ssh user@server bash --norc --noprofile` and `~/.ssh/rc` can be changed by the user after the first login.
+
+---

items/2023-01-10_long_backup-guide.md

@@ -0,0 +1,281 @@
+# Backup Guide - how to secure crucial data
+
+This guide tries to share thoughts about various backup strategies, risks, storage mediums, and other things to consider. I won't go into technical details or suggest any tools since every backup strategy must be created individually, and there is a wide range of requirements. I rather want to give you some kind of checklist with things to think about. **There is not a perfect strategy solution or template that fits all needs.**
+
+I've tried to keep this guide accessible for personal and corporate backups.
+
+
+# WHY DO YOU NEED BACKUPS
+
+The main goal of backups is data loss prevention. There are numerous risks that could cause data loss, and we try to prevent them with a backup strategy that fits our needs. I'll go into more detail in the next section.
+
+#### Risks <a href="#risks" id="risks">#</a>
+
+The following risks exist for data in production and for your backups! - There are many more, but this section will give you a feeling of the most common risks.
+
+Environment threats:
+: flooding/water/humidity
+: fire/high temperature
+: earthquake/shock
+: EMP/Electricity
+
+Human errors:
+: loss of a device
+: misconfiguration
+: unintentional `sudo rm -rf / --no-preserve-root` 
+: lost access (password,key,...)
+
+Threat actors:
+: ransomware
+: rogue employees
+: hardware theft
+: data tampering
+
+Hardware/software:
+: hardware failure
+: bugs
+: bitrot
+
+Some 'disasters' affect only a single hard drive, some devices, or the whole network. A decent backup strategy mitigates those risks and helps to recover as fast as possible.
+
+**Side note**: Backups do not prevent those risks, but minimize the damage and help to recover from them.
+
+#### RAID/snapshots are no backups! <a href="#raid-is-not-a-backup" id="raid-is-not-a-backup">#</a>
+
+**RAID** - *redundant array of independent disks* - is a method to either increase the performance, the availability and resiliency, or both. Misconfigured, it can even cause more damage; for example, a RAID0 can make the whole array useless after a disk failure. Don't let me get started with broken hardware RAID controllers or RAID expansions.
+
+It protects against one of the most common data loss reasons: disk failure. It does not help you in case of human errors, ransomware, file corruption, and other use cases in which a backup would normally help you. And yeah, data recovery, in general, is not a function of RAID.
+
+**A RAID is not a backup.**
+
+**Snapshots** are short-term roll-back solutions in case of an update failure, system misconfiguration, and other critical measures. They are not independent of the VM environment, and they are often stored on the same disk as the server and still are a single point of failure. Since most snapshot solutions are not application-aware, data corruption of databases or other applications can occur when they are in progress while the snapshot was created. 
+
+Snapshots, therefore, should not be considered a valid backup!
+
+Both solutions can be part of your backup strategy but can't replace a regular backup.
+
+# Determine what to backup and why <a href="#what-to-backup" id="what-to-backup">#</a>
+
+What and why you backup specific files highly depend on your needs. It is helpful to have an inventory of critical infrastructure to determine what to backup. 
+
+Furthermore, it is helpful to categorize data. **System data** (e.x. operating system), **application data** (e.x. configuration files), and **operational data** (e.x. data sheets, databases, emails). Operational data is the most important since it is necessary for daily business. This step recommends checking the size and kind of data to plan for the backup storage requirements. 
+
+**Side note**: I am not too familiar with certain laws or compliances like HIPAA, SOC2, PCI DSS, and so on, but talking with legal might be a good idea.
+
+It is essential to know some processes and communicate with different departments. What is business critical, and what could wait in case of a disaster? And nobody needs a working frontend when the databases are not up and running. Knowing the processes will help you to avoid problems in the recovery phase. That said, those problems should be apparent when you test your recovery procedure.
+
+Some other category is the frequency with which the data gets updated. An example would be: frequent (e.x. databases), rare (e.x. static content like intranet or docs), and already archived data (important, but don't have to be recovered immediately).
+
+Remember to provide some kind of backup solution for devices like laptops and smartphones. 
+
+# Data Retention Policy <a href="#data-retention-policy" id="data-retention-policy">#</a>
+
+With the Data Retention Policy, we try to specify how long to retain certain data. There are various factors you should consider: usefulness, compliance, laws, and so on.
+
+Some system data, like old configuration files, can be deleted after a short time, but operational data, like invoices or contracts, must be stored for five and more years. 
+
+**Side note**: as mentioned before, this highly depends on your setup, and speaking to the relevant departments is recommended. 
+    
+#### Backup/data deletion <a href="#data-deletion" id="data-deletion">#</a>
+
+Deleting data or backups seems not worth talking about, but data can be easily recovered if it is not done correctly.
+
+The methods differ from medium to medium. The most secure way would be to destroy the medium properly. Re-writing the medium with random ones and zeros multiple times and/or doing full encryption and destroying the key would be options if you want to resell the medium. Other than that, special tools can be used that differ from medium to medium.
+
+Some laws/compliances require you to destroy data in a certain way. To make sure, speak with legal or a specific contact person.
+
+To be secure, store your backups encrypted in the first place.
+
+# Decide the backup frequency <a href="#data-frequency" id="data-frequency">#</a>
+
+The frequency of your backups will determine the impact of a disaster in terms of data loss. The more frequently you do backups; the less is data loss in case a disaster occurs. There are two metrics you could consider: **RTO** and **RPO**.
+
+![explanation-rto-rpo](/images/blog/backup-rto-rpo.png)
+
+
+#### RPO (Recovery Point Objective)
+
+With the RPO we want to determine how much data loss can be tolerated in case of a disaster. A RPO of 12 hours requires you to do two backups a day to fulfill this requirement. It wouldn't be sufficient to have daily backups the the RPO was 3 hours.
+
+Every system can have its own RPO. 
+
+#### RTO (Recovery Time Objective)
+
+With the RTO we want to determine the maximum tolerable amount of down time after **any** disaster. A RTO of 3 hours says that the system needs to be productive within 3 hours after a disaster. Some metrics to consider: cost per hour in case of a down time and external requirements like laws or contracts. 
+
+Like the RPO, every system can have its own RTO, and the RTO ends when data is recovered and it is up again.
+
+
+# Document everything <a href="#documentaion" id="documentaion">#</a>
+
+As in so many areas; documentation is king. 
+
+- what and why do you backup
+- the frequency of backups
+- the backup process
+- the access to the backups
+- the recovery process
+
+It will be hectic and stressful if the DRP or backup plan is needed, so the better the documentation is, the faster you can recover your systems.
+
+Something that should not be overlooked is a **contact list**. What people must be contacted to recover data and how can we reach them? Where is the offsite backup stored, and e.x. how can we reach the bank? This will save a lot of time.
+
+Don't forget to **store** the documents **securely, but accessible**. Detached from the backup, like printed out, or on a USB stick in a safe.
+
+
+# How to backup! <a href="#how-to-backup" id="how-to-backup">#</a>
+
+As mentioned before, there is no perfect solution, and you must find a backup strategy that works for you. Like everything, it has pros and cons, and you have to decide what works for you. I'll show you some points to consider.
+
+#### 3-2-1 rule <a href="#3-2-1-rule" id="3-2-1-rule">#</a>
+
+I want to start with the well-known **3-2-1 rule**:
+: have **3** copies of your data
+: have **2** different storage methods/mediums
+: have **1** copy offsite
+
+The 3-2-1 rules should be considered the bare minimum of every backup strategy. I'll go into more detail in the following points.
+
+#### Have multiple copies of your data <a href="#multiple-copies" id="multiple-copies">#</a>
+
+Who would have known? But just to be sure, consider some points.
+
+Sounds obvious, but avoid storing backups of a system on the same system or storage. 
+
+Spread copies over multiple mediums and use different methods. Every storage medium/method has its risks, and having copies on multiple mediums increases the resiliency overall.
+
+#### Locations <a href="#locations" id="locations">#</a>
+
+Make use of **different locations**. 
+
+Some examples would be:
+- store a full backup in a bank vault or a different trusted location
+- store backups from data center A in data center B, and vice versa
+- store a backup in the cloud
+
+Just make sure that you can access the offsite backups whenever you can and add this factor into your strategy.
+
+
+#### Encrypt backup storage and transfer <a href="#encryption" id="encryption">#</a>
+
+This is especially important for offsite backups but can be necessary for local backups too. Make sure that you use a **secure encryption method**, **use a secure password/password** or another method, and **encrypt the transit and storage**! Still will protect the integrity of your data from tampering of a third party, and makes your data worthless in case a third party gets access to the backups.
+
+**Important**: **Do not lose the keys!** - Backup your decryption method, store it securely (not with your backups), and ensure that the decryption key is **accessible in any disaster scenario**!
+
+#### Think about the right tools <a href="#right-tools" id="right-tools">#</a>
+
+Could you access your backups in 10 years? Is the technology still around? Is the de-/encrpytion service provider still in business?
+
+It is recommended to use **well-known open-source services**. Niche and proprietary services can be attractive short term, but they add a layer of dependency.
+
+**Side note**:  store an unencrypted version of the encryption tool with your backups, so it will be available if it is needed.
+
+Try to **automate** as much as possible, so backups won't be forgotten, and make sure that the **backup process doesn't disrupt** the daily business.
+
+#### Store backups immutable/read-only <a href="#immutable-storage" id="immutable-storage">#</a>
+
+Keeping the backup storage immutable prevents anyone from tampering with the backups and increases the data integrity. There are cases in which you have to delete certain data from backups, but in general, it is recommended to store them immutable.
+
+#### Choose the right storage medium <a href="#storage-medium" id="storage-medium">#</a>
+
+There are multiple factors that will play into the choice of a storage medium. 
+
+- How much data do you have to store?
+- How long do you need to store it?
+- How much money do you want to spend?
+- and many more
+
+One example could be M-Discs: they claim to have a lifetime of [1000 years](http://www.mdisc.com/) and have a capacity between 25 and 100 GB. It can be an option for personal backups or small but critical company backups, but a 10 TB backup of operational data? - That is not a practical solution. 
+
+Things to consider:
+
+- lifetime/sustainably
+- accessibility
+- future proof technology
+- setup costs
+- operational cost over time/per GB/TB
+- practically
+- write/read speed
+- ...
+
+The choice of medium will affect the recovery process and speed and is overall important.
+
+#### Have the recovery process in mind <a href="#recovery-process" id="recovery-process">#</a>
+
+Think backward from a recovery standpoint. You have to recover system 'A' and what else must be up to get system 'A'
+running again? This might give you another perspective.
+
+#### Avoid single point of failures <a href="#single-point-of-failure" id="single-point-of-failure">#</a>
+
+![explanation-single-point](/images/blog/backup-single-point.png)
+
+There are plenty of examples: single backup server, a single person with access to backups, single internet connection with cloud backups only, and so on.
+
+#### Use different backup types <a href="#backup-types" id="backup-types">#</a>
+
+I won't go into detail, but the main goal is to save time and storage. 
+
+**Full backups** - as the name implies - is a backup of all data.
+
+![explanation-dif](/images/blog/backup-diff-backup.png)
+
+**Differential backups** store the changes from the last full backup.
+
+![explanation-inc-backup](/images/blog/backup-inc-backup.png)
+
+**Incremental backups** store the changes from the last full backup or incremental backup.
+
+
+#### Restrict and secure access to the backups <a href="#backup-access" id="backup-access">#</a>
+
+Backups should only be accessible by trusted parties. Admins only, separate network, MFA, and other security measurements are recommended. The goal is further to limit the risks of tampering, theft or deletion.
+
+**Side note**: make sure that you do not lock yourself out. This is critical and should be tested regularly.
+
+# Trust but verify <a href="#verification" id="verification">#</a>
+
+![explanation-monitoring](/images/blog/backup-monitoring.png)
+
+**Monitor** your backup process and backup storage. Check the **logs** regularly and implement some kind of **alerting/notification** system.
+
+Things to look for: failed backup jobs, unusual activities, access attempts, and so.
+
+**Side note**: More details follow in the recovery section, but make sure to monitor and test the health of the backup medium too.
+
+Let third party/experts **audit** your backup strategy. It is easy to overlook certain things, and it can be beneficial to have another perspective.
+
+
+# Test recoverability regularly <a href="#test-recover-process" id="test-recover-process">#</a>
+
+![explanation-recovery](/images/blog/backup-recovery.png)
+
+Test your back regularly. From A to B, and play through various scenarios.
+
+- do you still have access to everything?
+- can you encrypt the backup?
+- can you recover the needed system/data?
+- Did a process change?
+- is the documentation/manual still up to date?
+- are we still in our required recovery time?
+- is the contact list still up-to-date?
+
+Something you should do too:
+
+- update contact list
+- manual/documentation
+- include new coworkers to show them the process
+- check health of hardware (storage, etc)
+
+It is recommended to test it with **different hardware/software** to increase the resilience. If this is not an option, keep backup hardware and spare parts around.
+
+#### Re-evaluate the backup strategy regularly
+
+Systems, processes, people, requirements, and almost anything else change over time. This requires re-evaluating the backup strategy regularly. Notes from the test recoveries and conversations with contact persons should help to adjust the strategy accordingly.
+
+# Conclusion
+
+Creating a good backup strategy can be challenging, but it is crucial in the end.
+
+This is the first version of this guide and I try to get into more detail in the future.
+
+---

items/2023-01-17_long_ssh-troubleshooting-guide.md

@@ -0,0 +1,220 @@
+# SSH Troubleshooting Guide
+
+I won't go into specific cases in this blog post. This is a general guide on how to gather the necessary information that will help you to get your problem fixed.
+
+In this post, I'll use a **Linux** client and server as a reference. 
+
+
+## Logging <a href="#logging" id="logging">#</a>
+
+**Client**
+
+Get the verbose logging with the `-v` flag. This normally is enough, but if you need even more information, use `-vv` and `-vvv`.
+
+**Server**
+
+You can find the logs for your SSH Server here `/var/log/auth.log` or `/var/log/secure`.
+
+For troubleshooting sessions, it is recommended to increase the log level from the default `LogLevel INFO` to `LogLevel DEBUG1` in your SSH server configuration `sshd_config`. This will gives you all the necessary information. The following log levels are available: `QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3`. Remember to **restart the SSH server** after changing this setting.
+
+Another method is to check `journalctl` if you use systemd. The logs should be available via `sudo journalctl -r -u ssh -u sshd`.
+
+Often enough, restarting the server is not an option. You simply can add anoher process with the same options, but inceased debug level and another port. This allows you to monitor the logs for a specific client without interupting the main SSH server.
+
+`sudo /usr/sbin/sshd -dDp 2222`
+
+**Side note**: make sure to use the absolute path or you will be greeted by the following error message `sshd re-exec requires execution with an absolute path`.
+
+Thanks to [youRFate on Lobste.rs](https://lobste.rs/s/wombsw/ssh_troubleshooting_guide#c_fia3jk) for the tip!
+
+## Common errors
+
+As mentioned, there are many more, but the following list will give you a great starting point.
+
+#### Hostname resolution <a href="#hostname" id="hostname">#</a>
+
+```markdown
+error output
+ssh: Could not resolve hostname example.com: Name or service not known
+```
+
+This error message implies a problem with the DNS.
+
+- check that the hostname is correct
+- use the IP instead to test general connectivity
+- check hostname resolution with `nslookup` or other tools
+
+
+#### Connection timeout <a href="#timeout" id="timeout">#</a>
+
+```markdown
+Error output
+ssh: connect to host 10.10.10.10 port 22: connection timed out
+```
+
+This error tells you that you can't reach the server at all.
+
+Wrong destination IP:
+: verify that the destination IP is correct
+
+Routing:
+: can the client reach the destination? Check the routing table and use ICMP to double-check (ping and traceroute). Consider that ICMP sometimes is blocked by network firewalls!
+
+Firewalls:
+: check the firewalls on the client, server, and network firewalls and make sure that the connection is allowed.
+
+#### Connection refused <a href="#refused" id="refused">#</a>
+
+```markdown
+Error output
+ssh: connect to host 10.10.10.10 port 22: connection refused
+```
+
+You can reach the server, but the server refuses the connection
+
+Wrong destination IP:
+: verify that the destination IP is correct
+
+Listening SSH server port:
+: is the default SSH port `22` used? You can check it with the `Port 22` in the `/etc/ssh/sshd_conf` file on the server.
+: is the server listening on the communicated port? Check on the server with `ss -tulpen | grep -i :22` (use `netstat` on older Linux versions) or use tools like `nmap` to find the listening port (disclaimer: do not scan server you do not have the permission for)
+
+SSH server running:
+: make sure that the SSH server is running, e.x. with `systemctl status sshd`
+
+
+#### Permission denied <a href="#permission" id="permission">#</a>
+
+`Permission denied (publickey,password)` 
+
+Most likely a problem with the authentication.
+
+Wrong user credentials:
+: make sure that you use the correct username and password or private key.
+: as a side note: the login as `root` is often forbidden by common security measures. 
+
+Missing permissions on the server:
+: make sure that the user is allowed to log in via SSH.
+: `/etc/ssh/sshd_config` > `AllowUsers` or `AllowGroups`
+
+Wrong authentication method:
+: most commonly, you'd log in via password or public key authentication.
+: use the `-v` on the client to look for the following entry: `debug1: Authentications that can continue: password,publickey`. This gives you information on what the server accepts.
+: to force an authentication option on the client, you could use the `-o` flag with SSH options. To force the login via password you could use something like this: `ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@10.10.10.10`.
+: if the desired option is unavailable, it must be configured on the server. `/etc/ssh/sshd_config`: `PubkeyAuthentication yes` and `PasswordAuthentication yes`. [It is recommended to use public key authentication only](https://ittavern.com/ssh-how-to-use-public-key-authentication-on-linux/).
+
+Wrong permission and/or ownership of SSH-related files:
+: most SSH servers check how permissive e.x. the SSH keys are, and can deny access if they are too permissive. 
+
+```markdown
+sudo chmod 700 ~/.ssh
+sudo chmod 644 ~/.ssh/authorized_keys
+sudo chmod 644 ~/.ssh/known_hosts
+sudo chmod 644 ~/.ssh/config
+sudo chmod 600 ~/.ssh/nameofthekey        # private key
+sudo chmod 644 ~/.ssh/nameofthekey.pub    # public key
+```
+
+Public key is missing in the `~/.ssh/authorized_keys` file:
+: the public key must be added to the a.m. file. A how-to can be found in [this post](https://ittavern.com/ssh-how-to-use-public-key-authentication-on-linux/).
+
+Private key no longer accepted on the server:
+: some private keys are no longer considered secure, so the server could refuse the login with those keys.
+: the best solution would be to update the SSH applications and generate new keys.
+: a workaround would be to add the insecure key algorithm to the SSH server config to the accepted keys `PubkeyAcceptedKeyTypes`.
+
+
+#### SSH protocol version <a href="#ssh-version" id="ssh-version">#</a>
+
+`Protocol major versions differ: 1 vs. 2`
+
+The client and server do not work with the same protocol version. That said that you should only use SSHv2 and disable SSHv1.
+
+**Client**
+
+With the `-v` flag you can see what the server offers:
+: `debug1: Remote protocol version 2.0 [...]`
+
+With the flags `-1` and `-2` you can decide whether the client should use SSH protocol version 1 or 2, respectivly. 
+
+**Server**
+
+On the server, you can check the provided SSH protocol version in the configuration file:
+: `grep Protocol /etc/ssh/sshd_config`
+: `Protocol 1` *# SSHv1*
+: `Protocol 2` *# SSHv2*
+: `Protocol 1,2` *# SSHv1 + SSHv2*
+
+If this option is missing, the mordern SSH server will use SSHv2 by default. It is worth adding it just to be sure and have it documented.
+
+#### Failed host key verification <a href="#hostkey" id="hostkey">#</a>
+
+```markdown
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
+Someone could be eavesdropping on you right now (man-in-the-middle attack)!
+It is also possible that a host key has just been changed.
+```
+
+Clearing the host key from `~/.ssh/known_hosts` our use `ssh-keygen -R <ip-of-destination`. You should be able to connect normally.
+
+If you were not informed about any changes, please contact the SSH server administrator to verify that everything is still secure.
+
+#### Unable to negotiate ciphers, MACs, or KexAlgorithms <a href="#ciphers" id="ciphers">#</a>
+
+```
+Unable to negotiate with 10.10.10.10: no matching key exchange method found.
+Their offer: diffie-hellman-group1-sha1
+```
+
+Use the `-vv` flag on the client to output the necessary information. On the server, you can see the information with the `LogLevel DEBUG2` and check with the following commands what is accepted by the server.
+
+[Ciphers](https://man.openbsd.org/ssh_config#Ciphers):
+: `ssh -Q cipher`
+
+[MACs](https://man.openbsd.org/ssh_config#MACs): 
+: `ssh -Q mac`
+
+[KexAlgorithms](https://man.openbsd.org/ssh_config#KexAlgorithms): 
+: `ssh -Q kex`
+
+Most commonly old SSH software is the reason for those errors. They still support old and insecure methods, which are no longer supported by modern applications.
+
+There are workarounds with the `-o` flag to set temporary options, but I am not too familiar with it.
+
+`ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 user@10.10.10.10`
+
+
+#### Connect without startup file <a href="#startup-file" id="startup-file">#</a>
+
+This is not that common but there are ways to lock you out after changes to the startup files like `.bashrc`, `.profile`, and so on. You simply can avoid loading those profile files with the following command.
+
+`ssh -t user@host bash --norc --noprofile`
+
+
+#### Handling SSH sessions with escape sequences <a href="#escape-sequence" id="escape-sequence">#</a>
+
+SSH provides some **escape sequences** with which you can kill the session on the client. 
+
+```markdown
+Supported escape sequences:
+ ~.   - terminate connection (and any multiplexed sessions)
+ ~B   - send a BREAK to the remote system
+ ~C   - open a command line
+ ~R   - request rekey
+ ~V/v - decrease/increase verbosity (LogLevel)
+ ~^Z  - suspend ssh
+ ~#   - list forwarded connections
+ ~&   - background ssh (when waiting for connections to terminate)
+ ~?   - this message
+ ~~   - send the escape character by typing it twice
+(Note that escapes are only recognized immediately after newline.)
+```
+
+**Side note**: Start with a `RETURN` and keep `SHIFT` pressed while typing `~` and e.x. `?` to get this message. This depends on your keyboard layout. 
+
+You can send the sequence through one or more **SSH tunnel** by adding `~` in front of the sequence. 
+
+---

items/2023-01-19_long_difference-between-rss-and-atom.md

@@ -0,0 +1,74 @@
+# Difference between RSS and Atom
+
+I was curious about what the difference between RSS and Atom was. This blog post is a small primer to RSS and Atom feeds and describes the differences between both. I've linked links to the technical specification at the end of this post. 
+
+# General
+
+[RSS](https://en.wikipedia.org/wiki/RSS) (Really Simple Syndication) and [Atom](https://en.wikipedia.org/wiki/Atom_(web_standard)) are often used interchangeably, and most feed readers can process both formats. Both use an open dialect of XML, which is computer-readable and allows feed-/RSS-/Atom readers to subscribe to a feed and pull new content to the client. RSS was released in 1999, and Atom followed a little bit later in 2005. The Harvard university specified RSS with the current version of 2.0, Atom is an IETF standard, and the current version is 1.0.
+
+Those feeds provide a privacy-friendly way to consume the content. The content provider can't track the behavior on your feed reader, and most tracking methods do not work either. 
+
+The most common **use case** is to stay up-to-date on blogs/news sites and podcasts. But you can use RSS for even more: e.x. stay up-to-date on your favorite Youtube videos without an account. Simply visit the Youtube channel, open the homepage source code, and search for `rssURL`. Just copy the link like this `https://www.youtube.com/feeds/videos.xml?channel_id=UCW6xlqxSY3gGur4PkGPEUeA` into your feed reader, and you get notified when a new video is being published. 
+
+RSS uses either `.rss` or `.xml` as **file extension**, and Atom uses `.atom` or `.xml`.
+
+## Main differences
+
+In general: RSS has a broader adoption, but Atoms provides more features. I will try to describe some of them.
+
+#### Content payloads
+
+RSS only provides escaped HTML or plain text. Atom can provide various types of content within the same payload. 
+
+Atom is therefore recommended for more complex content. 
+
+#### Internationalization
+
+RSS provides internationalization at the feed level and Atom at every individual element level. This means that you only need one feed per language for RSS and only one link for all languages for Atom.
+Furthermore, Atom provides better support for international characters.
+
+#### Markdown format
+
+RSS does not support custom XML markup. Almost all text formatting is getting lost, and is especially in long-format text content troublesome since it hinders accessibility. It is recommended to use Atom if you want to preserve as much formatting as possible. 
+
+#### Autodiscovery
+
+Both support **autodiscovery** which allows browsers and feed readers to automatically detect the RSS feed. 
+
+RSS:
+
+```
+<link rel="alternate" type="application/rss+xml" 
+  title="The Title of your blog or whatever" 
+  href="/rss/" />
+```
+
+Atom:
+
+```
+<link rel="alternate" type="application/atom+xml." 
+  title="The Title of your blog or whatever" 
+  href="/rss/" />
+```
+
+#### Implementation
+
+Without having worked on them: Atom seems easier to work with since the code is reusable and more strict, and RSS is less strict but a bit more complex. I won't be able to quantify this, but I've read this multiple times.
+
+# Further reading
+
+I won't go into technical details, but there are great resources, such as the blog post of Sam Ruby:
+: [Rss20AndAtom10Compared](http://www.intertwingly.net/wiki/pie/Rss20AndAtom10Compared)
+: [RSS 2.0 Specification](https://cyber.harvard.edu/rss/rss.html)
+: [RFC5023 The Atom Publishing Protocol](https://www.rfc-editor.org/rfc/rfc5023)
+: [RFC4287 The Atom Syndication Format](https://www.rfc-editor.org/rfc/rfc4287)
+: [XML RSS](https://www.w3schools.com/XML/xml_rss.asp)
+
+
+# Conclusion
+
+It is recommended to use Atom, since it is simpler to work with and has a wider feature set. Nevertheless, RSS will do the trick too.
+
+I am currently using RSS and am probably going to switch to Atom in the future.
+
+---

items/2023-01-24_long_basics-of-power-over-ethernet.md

@@ -0,0 +1,90 @@
+# Basics of Power over Ethernet (PoE)
+
+**Power over Ethernet - or short 'PoE'** - allows you to supply DC power for another device over the ethernet network cable. The most common **Power Source Equipment (PSE)** types are switches and routers (**endspan**), but you could just as well put a PoE-injector (**midspan**) between a standard switch and the **Powered Device (PD)**. Especially in corporate environments, PoE devices are growing in popularity, and just to list some **examples of PDs**: VoIP hardware, wireless access points, access control terminals, security cameras, and many more.
+
+The main advantage is that you only need one cable for data and power for each device, don't need an extra power outlet at the location of the device, and can control the power supply over the PSE interface. For example, this is great for access points mounted under the ceiling where 'simply unplug it' is not an option.
+
+On the other side, devices that provide PoE functionality are regularly more expensive, are getting warmer due to the power supply, and consume more electricity. That said, if the switch is dead, so are the connected PoE devices. This makes the use of an USV almost inevitable, especially if you power critical infrastructure with it.
+
+PoE generally requires Cat5+ cables and has a normal working distance of 100m. An extender can be used to increase the distance.
+
+The usage of PoE over a connection should not have any effect on the transfer or latency of the data connection. That said, cheap hardware can still do, and I had 3 cases in which turning off PoE explicitly on a switch port helped to solve a problem with disconnecting a non-PoE device. I still blame the printers.
+
+# Specification <a href="#specification" id="specification">#</a>
+
+The following standards were created by the Institute of Electrical and Electronics Engineers (IEEE), and the following overview should give you a quick insight of the differences of the common standards.
+
+**Important**: 802.3at/PoE+ and 802.3bt/PoE++ are backward compatible, as long as the PSE supports the higher standard (802.3at PSE supports 802.3af PD, but it does not work the other way around).
+
+[IEEE 802.3af-2003](https://standards.ieee.org/ieee/802.3af/1090/):
+: known as **PoE** 
+: **Type 1**
+: max power delivered by PSE 15,4W / max power available at PD 12,95W
+: <a href="#power-classes">power management classes</a> 1-3
+: supported cabling Cat3 and Cat5+
+: supported <a href="#modes">modes</a> are A and B
+    
+[IEEE 802.3at-2009](https://standards.ieee.org/ieee/802.3at/4553/):
+: known as **PoE+** or **PoE Plus **
+: **Type 2**
+: max power delivered by PSE 30W / max power available at PD 25,5W
+: <a href="#power-classes">power management classes</a> 1-4
+: supported cabling Cat5+
+: supported <a href="#modes">modes</a> are A and B
+
+[IEEE 802.3bt-2018](https://standards.ieee.org/ieee/802.3bt/6749/):
+: known as **PoE++** or **4PPoE**
+: **Type 3**
+: max power delivered by PSE 60W / max power available at PD 51W
+: <a href="#power-classes">power management classes</a> 1-6
+: supported cabling Cat5+
+: supported <a href="#modes">modes</a> are A,B and 4PPoE
+: **Type 4**
+: max power delivered by PS 100W / max power available at PD 71,3W
+: <a href="#power-classes">power management classes</a> 1-8
+: supported cabling Cat5+
+: supported <a href="#modes">mode</a> is only 4PPoE *(as all 4 pairs are required)*
+
+
+**UPoE/UPoE+** are Cisco proprietary and I won't go into detail. I think it is still worth mentioning.
+
+# Active PoE / Passive PoE <a href="#active-passive" id="active-passive">#</a>
+
+Active and passive PoE are **not inter-compatible** and PSE and PD must support the same type.
+
+PSE with **active PoE** does a handshake with the PD to determine how much power the PD requires and only after this handshake power will be sent to PD. Furthermore, active PoE connection often will be monitored and the PSE can turn off the power if there are any risks. Active PoE is more expensive but more common, reliable, and secure.
+
+**Side note**: the above-mentioned standards are active PoE. Passive PoE has no standards.
+
+**Passive PoE** - or 'Always-On PoE' - does not require any handshake and sends the configured power immediately. This means you need to know the requirements of the PD; otherwise, you could easily destroy your hardware. It was often used before the IEEE standards and is less expensive, but it is not recommended anymore since most modern PDs support active PoE.
+
+**Side note**: some passive PoE PSEs can have a shorter distance and be limited to 100Mb/s. 
+
+# Power management classes <a href="#power-classes" id="power-classes">#</a>
+
+Power management classes prevent the over-powering of PDs.
+
+Class - power at PD:
+: **Class 0** - 0W - 12.95W *(default)*
+: **Class 1** - 0W - 3.84W (802.3af,802.3at,802.3bt)
+: **Class 2** - 3,84W - 6,49W *(802.3af,802.3at,802.3bt)*
+: **Class 3** - 6,49W - 12,95W *(802.3af,802.3at,802.3bt)*
+: **Class 4** - 12,95W - 25,5W *(802.3at,802.3bt)*
+: **Class 5** - 40W *(802.3bt Type 3+4)*
+: **Class 6** - 51W *(802.3bt Type 3+4)*
+: **Class 7** - 62W *(802.3bt Type 4)*
+: **Class 8** - 71,3W *(802.3bt Type 4)*
+
+# Modes <a href="#modes" id="modes">#</a>
+
+There are three modes available. The following modes determine what pairs the power will be delivered to the PD. **Mode A** provides the power over the same pairs that are used for the data transfer (T568A pairs #1 + #2, T568B pairs #2 + #3) and **Mode B** delivers the power over the spare pairs (T568A + T568B pairs #3 + #4). **4PPoE** stands for 4-pairs Power over Ethernet - and as the name implies - uses all four pairs to deliver the power to the PD.
+
+The **PSE decides** what mode will be used and PD have to support at least mode A **and** B by the IEEE standard.
+
+#### Compatible vs compliant
+
+'Compliant' means that the required standards are met by the PD, and 'compatible' means, that it can work with a standard, but don't have to. 'Compatible' often means mode B only, but this depends on the PD. 
+
+That said, I don't think that this is the case in 100%. I've seen multiple devices that are 'compliant', but are marked 'compatible'. I've read about this multiple times and I thought it would be worth mentioning.
+
+---

items/2023-01-28_long_getting-started-with-gnu-screen.md

@@ -0,0 +1,212 @@
+# Getting started with GNU screen - Beginners Guide
+
+[Screen](https://www.gnu.org/software/screen/) is a terminal multiplexer and has a wide feature set. It allows you to split your terminal window into multiple windows (split screen feature), detach sessions to let commands run in the background, connect to a device via serial interface, and many more. 
+Screen sessions keep running even if you disconnect, which is especially great for unreliable connections. There are more advanced use cases, but we will focus on the basics.
+
+# Basics <a href="#basics" id="basics">#</a>
+
+You can have multiple **sessions** within the screen and each session can contain multiple **windows**. When you use the split screen function, each panel would be a window called **region** in screen.
+
+```markdown
+ screen
+    │
+    │
+    ├───── session 29324.x
+    │         │
+    │         ├────── window 0: name x
+    │         │
+    │         └────── window 1: name y
+    │
+    └───── session 29399.a
+               │
+               ├───── window 0: name a
+               │
+               └───── window 1: name b
+```
+
+#### Escape combination (Prefix) <a href="#prefix" id="prefix">#</a>
+
+In this blog post, I'll call the **escape combination** 'prefix', but there are multiple names for it: meta key, leading key, escape combination, and some others.
+
+The prefix tells the terminal that the following command or shortcut will be used in the screen context. Almost every shortcut starts with it and the **default prefix** is `CTRL` + `a`. So, if you see `Prefix` in the reference section, I mean this key combination. I'll show you how to change the prefix as an example in the configuration section.
+
+A list of all default key bindings can be found in the [official documentaion](https://www.gnu.org/software/screen/manual/html_node/Default-Key-Bindings.html).
+
+## Configuration files <a href="#configuration" id="configuration">#</a>
+
+Screen won't create the startup configuration file by default but will look for these two files if it gets started.
+
+`~/.screenrc` / `/usr/local/etc/screenrc`
+
+**Comments** in the configuration file start with a `#`.
+
+The following two sections will show some simple examples of different configurations.
+
+#### Example 1: change prefix for screen
+
+Adding the following line to you your configuration file changes the prefix to `CTRL` + `f`:
+: `escape ^Ff`
+
+You can change it to a difference key combination, especially as the default prefix key combination is commonly used otherwise.
+
+
+#### Example 2: turn off the copyright message at the start
+
+```markdown
+#Do not show copyright msg at the start of a session
+startup_message off
+```
+
+Simply add these lines to your configuration file, and the copyright message won't appear again.
+
+
+## Logging <a href="#logging" id="logging">#</a>
+
+Before we start with the sessions and windows, it might be beneficial to talk about logging. For most troubleshooting sessions, it is required to save the logs. I am going to show you some ways to do it.
+
+#### Hardcopy
+
+Use `Prefix` + `h` to create an output file with the content of the current screen window you are in. It will be saved as `hardcopy.n` (*'n' for the number of the current window *) in the directory from where you have started the screen initially. If you repeat the shortcut, the initial file will be overwritten. 
+
+If you want to **append** the output to a file, you can add `hardcopy_append on` to your configuration file.
+
+If you want to change the directory in which the harcopy files will be saved, simply add `hardcopydir /your/dir/` to your configuration file. 
+
+#### Continuous logging
+
+Logging is disabled by default. 
+
+You can start a logged screen session with `-L` flag + `-Logfile /path/to/logfile.txt`. If you are already in a session, you can activate it with `Prefix` + `SHIFT` + `h`. The output file will be called `screenlog.n`, where 'n' is the number of the current window.
+
+
+## Working with sessions <a href="#sessions" id="sessions">#</a>
+
+Show all sessions:
+: `screen -ls`
+
+```markdown
+kuser@pleasejustwork:~$ screen -ls
+There are screens on:
+        29265.demo-session      (27.01.2023 02:19:51)   (Detached)
+        26508.pts-8.pleasejustwork      (26.01.2023 23:20:50)   (Detached)
+2 Sockets in /run/screen/S-kuser.
+```
+
+Start a new session:
+: `screen`
+
+Start a new session with a specific name:
+: `screen -S nameofthissession`
+
+Start a new detached session and run a command:
+: `screen -d -m ping 10.10.10.10`
+
+Detach the current session:
+: `Prefix` + `d`
+
+Create new session if there is none, or re-attach the last session:
+: `screen -d -RR`
+
+Re-attach session in terminal:
+: `screen -r 2232` *# screen will auto complete if the prompt is unique*
+: `screen -r nameofthissession` *# either use the session number or the name*
+
+Kill session in terminal:
+: `screen -X -S nameofsession quit`
+: `screen -X 269 quit` *# auto-completes if unique*
+
+Rename session in terminal:
+: `screen -S OLDSESSIONNAME -X sessionname NEWSESSIONNAME`
+: `Prefix` + `:sessionname NEW-NAME` *# screen command to change the current session name*
+
+## Working with Windows <a href="#windows" id="windows">#</a>
+
+Show list of all windows of current session:
+: `Prefix` + `SHIFT` + `w`
+
+Rename the current windows:
+: `Prefix` + `SHIFT` + `a`
+
+Jump to the next window:
+: `Prefix` + `SPACE`
+
+Jump to the previous window:
+: `Prefix` + `p`
+
+Kill the current window:
+: `exit`
+: `Prefix` + `k`
+
+## Working with Regions / Split screen <a href="#split-screen" id="split-screen">#</a>
+
+Screen has the feature to show multiple windows in a split screen. Every window would then be a so called 'Region' in screen.
+
+Horizontally split window into two regions:
+: `Prefix` + `SHIFT` +`s`
+
+Vertically split window into two regions:
+: `Prefix` + `|`
+
+Jump to the next region:
+: `Prefix` + `Tab`
+
+Close the current region:
+: `Prefix` + `x`
+: *the window won't be terminated and just the split screen will be removed.*
+
+Close all but the current region:
+: `Prefix` + `q`
+
+Fit the regions to a resized terminal window:
+: `Prefix` + `SHIFT` +`f`
+
+#### Layouts
+
+You could create layouts, and save and reuse them later. This topic is out of the scope of this post and I am going to write about it later. You can get a reference and further information in the [official documentaion](https://www.gnu.org/software/screen/manual/screen.html#Layout).
+
+## Screen commands <a href="#commands" id="commands">#</a>
+
+It can be used to try out configurations and screen-specific commands.
+
+`Prefix` + `:` + config
+`Prefix` + `:logfile ~/path/to/new/logfile.txt`
+
+I am not too familiar with screen commands, so I won't go into detail. A list of all commands can be found in the [official documentaion](https://www.gnu.org/software/screen/manual/screen.html#Command-Summary).
+
+
+# Check if you are still in a screen session <a href="#active-session" id="active-session">#</a>
+
+
+Screen sets an environment variable `STY`. If the output is empty, you are not in a screen session.
+
+```markdown
+kuser@pleasejustwork:~$ echo $STY
+22829.demo
+```
+
+This won't work if you start up screen and SSH into a remote machine. Without further configuration, the variables stay local.
+
+---
+
+Another environment variable you could try is `TERM`.
+
+```markdown
+kuser@pleasejustwork:~$ screen
+kuser@pleasejustwork:~$ echo $TERM
+screen.xterm-256color
+kuser@pleasejustwork:~$ exit
+kuser@pleasejustwork:~$ echo $TERM
+xterm-256color
+```
+
+Screen will add the prefix `screen.` in front of it.
+
+This works even after connecting to a remote machine but presumes that you didn't mess with the `TERM` variable.
+
+---
+
+Another method would be to work with the screen prefix. You could simply use `Prefix` + `CTRL` + `t` to let screen tell you the time in the bottom left corner.
+
+ ![screen-time](/images/blog/screen-show-time.png) 
+
+---

items/2023-02-03_long_basics-of-the-linux-bash-command-history.md

@@ -0,0 +1,220 @@
+# Basics of the Linux Bash Command History with Examples
+
+The bash command history shows the previously used commands. By default, the history is saved in memory per session and can be saved to a file for later sessions. We will explore ways to show, search and modify the history in this blog post.
+
+I use RHEL and Debian-based Linux distributions and bash in this blog post as a reference.
+
+# Configuration <a href="#configuration" id="configuration">#</a>
+
+I want to start with ways to configure the behavior of the bash history.
+
+The configuration of the history can be changed in the bash startup file. Those can typically be found in the home directory of the user.
+
+System-wide `/etc/profile` or in the home directory `~/.bashrc` or `~/.profile`. There are more, but just to list some examples.
+
+If you want to use an option for one session only, you can just type it in like this:
+
+`HISTFILE=/dev/null` or `unset HISTFILE`
+
+In both ways, you would disable the history for the current bash session.
+
+
+# The basics <a href="#basics" id="basics">#</a>
+
+The bash history should be enabled by default, but you might want to change some settings.
+
+The history file that is stored on disk can be found with the following command:
+: `echo $HISTFILE`
+
+The default location for the history on disk is `~/.bash_history`.
+
+Add the following option to change the name and storage location of the history file on disk:
+: `HISTFILE=/path/to/the/history.txt`
+
+Show the complete history from memory:
+: `history`
+
+Just show the last number of commands:
+: `history 20`
+
+Read history from disk to memory:
+: `history -r`
+
+Append history entries from memory to disk:
+: `history -a`
+
+Overwrite the disk history with the memory history:
+: `history -w`
+
+Since I am used to working with multiple sessions and I want to share the history of them, I've added the following line to my startup file to append every entry to the history on disk.
+
+`export PROMPT_COMMAND='history -a'`
+
+Delete a specific history entry or range:
+: `history -d 20` *# one specific entry*
+: `history -d 15-20` *# range*
+: `history -d -5` *# last 'n' of entries*
+    
+#### Disabling bash command history <a href="#disable" id="disable">#</a>
+
+As mentioned above, there are multiple options to disable the bash command history.
+
+`HISTFILE=/dev/null` or `unset HISTFILE`
+
+#### Number of history entries
+
+The following option sets the number of entries that are displayed if you enter `history`:
+: `HISTSIZE=20`
+
+The following option sets the maximum number of entries in the history on disk:
+: `HISTFILESIZE=2000`
+
+
+# Search function <a href="#search" id="search">#</a>
+
+You can start a **reversed search** through the history by pressing `CTRL` + `r` and entering the search term. You can jump to the next result by pressing `CTRL` + `r` again. After finding the desired command, you can press `TAB` to get filled to the current command line or press `ENTER` to run the command immediately.
+
+If you skipped through your desired command, you can cancel the current search request with `CTRL` + `g` and start from the top again.
+
+There is no native way to jump forward again - but you could add a forward search by adding `stty -ixon` to your startup file. The keyboard shortcut for the forward search is `CTRL` + `s`.
+
+#### Using 'grep'
+
+I prefer to use grep to find commands. Simply use one of these examples to do so. 
+
+```bash
+history | grep SEARCHTERM
+or
+grep SEARCHTERM $HISTFILE
+```
+
+**Side note**: use the `-i` flag if you want search case-insentitive.
+
+
+#### Add comments to commands
+
+You can add comments to commands with `#`. This makes it easy to find commands again or document the thoughts behind the command in troubleshooting sessions and later reviews.
+
+```bash
+kuser@pleasejustwork:$ echo nightmare # dolphins chasing me in a mall
+nightmare
+```
+
+# Exclusions <a href="#exclusion" id="exclusion">#</a>
+
+We can add exclusion with the `HISTIGNORE` option in your startup file. This can be useful for privacy and security reasons.
+
+There are some predefined options we can choose from:
+: `ignorespaces`     - if the command starts with a `SPACE`, it will be excluded
+: `ignoredups`       - duplicate commands will be excluded
+: `ignoreboth`       - both above-mentioned options together
+
+If those options are not enough, you can create your own rules. For example, the `ignoreboth` rule could be written like this:
+
+`HISTIGNORE="&:[ ]*"`  *# the ampersand `&` means no duplicates, `:` is the separator, `[ ]*` checks if the command begins with a `SPACE`*
+
+You can add commands too. 
+
+`HISTIGNORE="ls:pwd:cd"`
+
+# Timestamps <a href="#timestamps" id="timestamps">#</a>
+
+Timestamps are often important for reviews of troubleshooting sessions. With the `HISTTIMEFORMAT` option, you can add timestamps in various formats to your history.
+
+The default history looks like this:
+
+```bash
+kuser@pleasejustwork:$ history 6
+ 1150  history
+ 1151  vim .bash_history 
+ 1152  vim .bashrc 
+ 1153  source .bashrc
+ 1154  ls
+ 1155  history
+```
+
+And the same lines look like this after adding `HISTTIMEFORMAT="%F %T "` to the configuration:
+
+```bash
+kuser@pleasejustwork:$ history 6
+ 1150  02/02/23 18:03:32 history
+ 1151  02/02/23 18:03:45 vim .bash_history 
+ 1152  02/02/23 18:05:03 vim .bashrc 
+ 1153  02/02/23 18:05:22 source .bashrc
+ 1154  02/02/23 18:05:26 ls
+ 1155  02/02/23 18:05:30 history
+```
+
+You can adjust the format with the following placeholders:
+
+```bash
+    %d: day
+    %m: month
+    %y: year
+    %H: hour
+    %M: minutes
+    %S: seconds
+    %F: full date (Y-M-D format)
+    %T: time (H:M:S format)
+    %c: complete date and timestamp (day-D-M-Y H:M:S format)
+```
+
+# Re-run commands <a href="#rerun" id="rerun">#</a>
+
+`!!` is a variable for the previous command and, for example, can be used to run the last command as 'sudo' .
+
+```bash
+kuser@pleasejustwork:$ whoami
+kuser
+kuser@pleasejustwork:$ sudo !!
+[sudo] password for kuser: 
+root
+```
+
+---
+
+`!` can be used to re-run the last command starting with a chosen term.
+
+```bash
+kuser@pleasejustwork:$ history 5
+   41  ping ittavern.com         # !ping
+   42  whoami                    # !whoami
+   43  nmap -sP 10.10.10.0/24    # !nmap
+   44  vim .bashrc               # !vim
+   45  history
+kuser@pleasejustwork:$ !who      # runs immediately and auto-completes
+kuser
+```
+
+---
+
+`!n` would run the 'n' command in the history, and `!-n` refers to the current command minus 'n'
+
+```bash
+kuser@pleasejustwork:$ history 5
+   41  ping ittavern.com         # !41 / !-5
+   42  whoami                    # !42 / !-4
+   43  nmap -sP 10.10.10.0/24    # !43 / !-3
+   44  vim .bashrc               # !44 / !-2
+   45  history                   # !45 / !-1 / !!
+kuser@pleasejustwork:$ !-4       # runs immediately
+kuser
+```
+
+#### modify and re-run previous command
+
+With the following syntax, you can replace keywords from the previous command and run it again. 
+
+`^OLD KEY WORD^NEW KEY WORD OR PHRASE^`
+
+**Example:**
+
+```bash
+kuser@pleasejustwork:$ sudo nmap -T3 10.10.22.0/24 -p 80,443
+kuser@pleasejustwork:$ ^22^50^            # the command will be executed immediately
+kuser@pleasejustwork:$ sudo nmap -T3 10.10.50.0/24 -p 80,443`
+```
+
+Use a backslash `\` as an escape character if you need to find or replace a `^`.
+
+---

items/2023-02-08_long_detecting-rogue-dhcp-server.md

@@ -0,0 +1,210 @@
+# Detecting Rogue DHCP Server
+
+# What is a rogue DHCP server <a href="#what-is-a-rogue-dhcp-server" id="what-is-a-rogue-dhcp-server">#</a>
+
+A rogue DHCP server is an unauthorized DHCP server that **distributes knowingly or unknowingly wrong or malicious information** to clients that send DHCP discover packets within a network. The following section lists some examples of rogue DHCP servers.
+
+Devices with integrated DHCP server:
+: most commonly routers that are newly connected to the network. Especially some mobile WLAN routers for hotspots can cause problems if they are connected to a network for a longer time. Non-tech people are often not aware of the consequences.
+
+Threat actors:
+: threat actors could spin up a DHCP server in your network to reroute traffic, distribute malicious information, e.x. an IP to a malicious DNS server, and cause a lot of damage after a short time.
+
+Misconfiguration:
+: there are many scenarios in which a misconfiguration could cause a rouge DHCP server to cause trouble. An easy example would be to accidentally activate the DHCP server on a firewall. 
+
+**Side note**: Every network should have measures to prevent a rogue DHCP server from causing trouble. I'll list some methods at the end of this post.
+
+![dhcp-rogue-server](/images/blog/dhcp-rogue-server.png) 
+
+
+# Signs of a Rogue DHCP server <a href="#signs" id="signs">#</a>
+
+Some signs of having a rogue DHCP server on your network are listed below:
+
+- a client receives an IP from another subnet
+- a client receives a duplicate IP within the network
+- IP reservations do not work
+- a client receives different network information (DNS, NTP, PXE, etc.)
+- more than usual DHCP traffic
+- DHCP traffic from new/unknown IPs
+
+# What is DHCP <a href="#dhcp" id="dhcp">#</a>
+
+I won't go into too much detail on how DHCP is. In a nutshell, DHCP stands for Dynamic Host Configuration Protocol and allows automatic assigning of IP addresses to devices and provides more information about the network, like the default gateway, subnet mask, DNS server, NTP server, and more.
+
+The 'DORA' process is essential and should be basic knowledge when a DHCP troubleshooting session starts.
+
+![dhcp-dora](/images/blog/dhcp-dora.png)
+
+
+---
+
+The following screenshots show a rough overview of the DORA process. Since this is not the main topic of this post, we don't need to go into detail.
+
+**DHCPDISCOVER**
+
+![DHCP-discover](/images/blog/dhcp-d.png)
+
+**DHCPOFFER**
+
+![DHCP-offer](/images/blog/dhcp-o.png)
+
+**DHCPREQUEST**
+
+![DHCP-request](/images/blog/dhcp-r.png)
+
+**DHCPACK**
+
+![DHCP-ack](/images/blog/dhcp-a.png)
+
+---
+
+So, enough theory; let us detect the rouge DHCP server.
+
+# Detecting a rogue DHCP server <a href="#detecting" id="detecting">#</a>
+
+There are various ways to detect a rogue DHCP server. Some work on the client or network level, or both.
+
+In the following sections, we assume that we only have **one legitimate DHCP server on an IPv4 network**. Larger environments can have multiple of course, but this is not relevant, and the following detection methods work even if you have multiple servers.
+
+**Side note**: You can **release the old and request a new IP** on **Windows** via command line `ipconfig /release` and `ipconfig /renew` and on **Linux** with `sudo dhclient -v -r` and `sudo dhclient -v`. Don't forget to specify the interface if you use multiple.
+
+## Packet capture <a href="#packet-capture" id="packet-capture">#</a>
+
+![DHCP-discover](/images/blog/dhcp-d.png)
+
+It is important that the packet capture is taken on a client or intermediate device on the same network as the suspected rogue DHCP server. Wireshark and tcpdump are common tools to do so, and intermediate devices have their own tools.
+
+You should look for **UDP traffic on ports 67 and 68**. It makes it easier to detect rogue DHCP servers if you are familiar with the above-mentioned 'DORA' process. Having **multiple 'Offer' packets** for a single 'Discover' packet from 1 or more IPs is an indicator for a rogue DHCP server. We have to keep IP spoofing in mind. Another option is to check on the server side: does the authorized DHCP server sends more than usual 'Offers' without receiving a 'Request'? - This is somewhat vague, but it could help to find a rogue DHCP server. 
+
+You can find more DHCP display filters for Wireshark in this [post](https://ittavern.com/guide-to-wireshark-display-filters/#dhcp).
+
+## Using nmap <a href="#nmap" id="nmap">#</a>
+
+Scan for IPs that listen on the UDP port 67 in your network:
+: `sudo nmap -sU -p 67 -d 10.10.20.0/24`
+: `-sU` - limits scan to UDP ports
+: `-p 67` - destination port
+: `-d` - optional: increase debug level.`-dd` for even more information
+: `10.10.20.0/24` - your network
+
+```bash
+[...]
+Completed UDP Scan at 23:22, 0.24s elapsed (2 total ports)
+Overall sending rates: 16.82 packets / s, 470.93 bytes / s.
+Nmap scan report for _gateway (10.10.20.1)
+Host is up, received arp-response (0.00041s latency).
+Scanned at 2023-02-06 23:21:58 CET for 2s
+
+PORT   STATE         SERVICE REASON
+67/udp open|filtered dhcps   no-response
+MAC Address: 90:6C:AC:78:80:FB (Fortinet)
+Final times for host: srtt: 406 rttvar: 3765  to: 100000
+[...]
+```
+
+This gives you a quick overview of your network. 
+
+#### nmap Scripts <a href="#nmap-scripts" id="nmap-scripts">#</a>
+
+The required NSE script `broadcast-dhcp-discover` should be installed by default together with nmap. More information to the script can be found in the [official documentation](https://nmap.org/nsedoc/scripts/broadcast-dhcp-discover.html).
+
+**Side note**: If you are using Linux, you can find the interface's name with `ip -br a` or `ip -br l`. 
+
+The default command looks like this:
+: `sudo nmap --script broadcast-dhcp-discover -e eth0`
+: by default, this script will ask for an IP for the MAC address `de:ad:c0:de:ca:fe`. Decent threat actors will sort those requests out to stay undetected. It is recommended to change the MAC address like in the following commands.
+
+Nmap command to use a fixed or random MAC address:
+: `sudo nmap --script broadcast-dhcp-discover --script-args broadcast-dhcp-discover.mac=aa:bb:cc:dd:ee:ff -e enp0s31f6`
+: `sudo nmap --script broadcast-dhcp-discover --script-args broadcast-dhcp-discover.mac=random -e enp0s31f6`
+
+**Sample output**
+
+```bash
+user@pleasejustwork:~$ sudo nmap --script broadcast-dhcp-discover --script-args broadcast-dhcp-discover.mac=aa:bb:cc:dd:ee:ff -e enp0s31f6
+[sudo] password for kuser: 
+Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-06 17:22 CET
+Pre-scan script results:
+| broadcast-dhcp-discover: 
+|   Response 1 of 2: 
+|     IP Offered: 10.10.20.57
+|     DHCP Message Type: DHCPOFFER
+|     Server Identifier: 10.10.20.1
+|     IP Address Lease Time: 7d00h00m00s
+|     Subnet Mask: 255.255.255.0
+|     Router: 10.10.20.1
+|     Domain Name Server: 9.9.9.9, 149.112.112.112
+|     Renewal Time Value: 3d12h00m00s
+|_    Rebinding Time Value: 6d03h00m00s
+|   Response 2 of 2: 
+|     IP Offered: 192.168.178.242
+|     DHCP Message Type: DHCPOFFER
+|     Server Identifier: 192.168.178.51
+|     IP Address Lease Time: 2m00s
+|     Renewal Time Value: 1m00s
+|     Rebinding Time Value: 1m45s
+|     Subnet Mask: 255.255.255.0
+|     Broadcast Address: 192.168.178.255
+|     Domain Name Server: 192.168.178.51
+|_    Router: 192.168.178.1
+
+WARNING: No targets were specified, so 0 hosts scanned.
+Nmap done: 0 IP addresses (0 hosts up) scanned in 1.23 seconds
+```
+
+---
+
+For more information about `nmap` visit the [nmap guide](https://ittavern.com/getting-started-with-nmap/) or other `nmap` [posts](https://ittavern.com/tags/nmap/).
+
+
+## Windows DHCP server event logs <a href="#windows-event-logs" id="windows-event-logs">#</a>
+
+The following event logs on the authorized Windows DHCP server can indicate a rogue DHCP server on a network.
+
+| Event ID | Source | Message |
+|--------------|-----------|------------|
+| 1042 | Microsoft-Windows-DHCP-Server | The DHCP/BINL service running on this computer has detected a server on the network. If the server does not belong to any domain, the domain is listed as empty. The IP address of the server is listed in parentheses.  |
+| 1098 | Microsoft-Windows-DHCP-Server | Unreachable Domain |
+| 1100 | Microsoft-Windows-DHCP-Server | Server Upgraded |
+| 1101 | Microsoft-Windows-DHCP-Server | Cached authorization |
+| 1103 | Microsoft-Windows-DHCP-Server | Authorized(servicing) |
+| 1105 | Microsoft-Windows-DHCP-Server | Server found in our domain |
+| 1107 | Microsoft-Windows-DHCP-Server | Network failure |
+| 1109 | Microsoft-Windows-DHCP-Server | Server found that belongs to DS domain |
+| 1110 | Microsoft-Windows-DHCP-Server | Another server was found |
+| 1111 | Microsoft-Windows-DHCP-Server | Restarting rogue detection |
+
+The source can be found on [microsoft.com](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc726899(v=ws.10)).
+
+You can check the logs regularly or add those events to your monitoring solution.
+
+## Microsoft Rogue DHCP Checker <a href="#microsoft-roguechecker" id="microsoft-roguechecker">#</a>
+
+Microsoft provided a tool to detect rogue DHCP servers, but this blog post from 2009 is no longer available. But thanks to archive.org we can find the [blog post](https://web.archive.org/web/20140812200404/http://blogs.technet.com/b/teamdhcp/archive/2009/07/03/rogue-dhcp-server-detection.aspx) and download the 'RogueChecker' there.
+
+![dhcp-ms-roguechecker](/images/blog/dhcp-ms-roguechecker.png) 
+
+Installed it on Windows 10 and it seems to work.
+
+## Turn off your own DHCP server <a href="#turn-of-legitimate-dhcp-server" id="turn-of-legitimate-dhcp-server">#</a>
+
+Especially in larger networks, this often enough is not a solution, but I thought it would still be noteworthy. Disable the legitimate DHCP server in some way, release the IP on the client and ask for another IP. You shouldn't get a new legitimate IP address! - In case you receive a new IP address, the chances are high that there is a rogue DHCP server.
+
+You can now check the DHCP server on the client and use other methods to find the rogue DHCP server on your network.
+
+## Intrusion Detection Systems <a href="#ids" id="ids">#</a>
+
+There are many solutions that cover the detection of rogue DHCP servers, but not all companies have the capacities to maintain such a system. Therefore, we do not need to go into detail, but it is still worth mentioning.
+
+# Preventing actions of a rogue DHCP server <a href="#prevention" id="prevention">#</a>
+
+Detecting is one thing; preventing any damage from a rouge DHCP server is another. This post focuses on detection, but I thought it won't hurt to list some prevention measurements.
+
+- DHCP snooping/guarding on intermediate devices
+- firewall policies that allow communication via UDP 67 and 68 only with authorized DHCP servers
+- client management solution to check the correct DHCP server; does not work for printers and so on
+- authorize DHCP servers in Active Directory and other services
+
+---