Matomo und die DSGVO

Folgende Einstellungen müssen bei Matomo ehemals Piwik angepasst werden um DSGVO-konform zu sein.

1. IP Adressen anonymisieren

  • Als Administrator anmelden
  • In den Einstellungen den Punkt “Daten anonymisieren” auswählen
  • Einstellungen wie im Screenshot ersichtlich anpassen

  • WICHTIG: Alte Daten müssen anonymisiert werden. Das benötigte Tool ist auf der gleichen Seite etwas unterhalb zu finden

2. Auf den jeweiligen Seiten muss der Datenschutz iFrame eingebettet werden

  • Als Administrator anmelden
  • In den Einstellungen den Punkt “Users opt-out” auswählen und den entsprechenden in eurer Webseite einbauen

Mehr Informationen findest du auf https://matomo.org/docs/privacy/

Gnome 3: Missing ownCloud-client tray icon

If you use Gnome 3 under Arch Linux with ownCloud client you will see no tray icon by default.

Here are the steps to get to the tray icon like you see in the screenshot

  • Install gnome-Tweaks

yaourt gnome-tweaks

  • Install the Appindicator extension

yaourt gnome-shell-extension-appindicator

  • Open gnome tweaks and enable the extension

  • Restart ownCloud-client or login and logout

Use HP iLO2 Remote Console with Linux in 2018

Today I have to reinstall an old HP ProLiant 350 G5 which uses Integrated Lights-Out 2 (iLO2). For the re-installation I need to use the Remote Console which runs as Java Applet. A long time ago Firefox dropped the support of NPAPI and therefore Java Applets will not work anymore (Official statement).

Here is my solution how to use Java Applets.

Environment:

  • OS: Arch Linux
  • Browser: Firefox ESR
  • Java: JRE7
  • HP ProLiant ML350 G5 with iLO2

Install Firefox ESR

yaourt firefox-esr

Choose version: aur/firefox-esr-bin 52.6.0-1

Install JRE7

yaourt jre7

Choose version: aur/jre7 7u80-1

Configure JRE7 for Firefox

cd /usr/lib/mozilla/plugins

sudo rm libnpjp*

sudo ln -s /usr/lib/jvm/java-7-jre/jre/lib/amd64/libnpjp2.so

Add the iLO2 to the security exceptions

  1. Start the Java Control Panel: /usr/lib/jvm/java-7-jre/jre/bin/ControlPanel
  2. Add the URL to the exception list

Open iLO2

  1. Open Firefox-ESR
  2. Open about:addons
  3. Verify if the plugin is listed
  4. Open the iLO page and start the remote console

Finally you should get a screen like this

Gnome: Start ownCloud Desktop Client minimized

Today I solved the annoying behave of not minimized ownCloud Desktop Client under Gnome during logon startup.

System: Arch Linux
Gnome: 3.26.2
ownCloud Desktop Client: 2.4.0

1. Create a helper script

touch ~/scripts/start_owncloud_minimized.sh
chmod u+x ~/scripts/start_owncloud_minimized.sh
vim ~/scripts/start_owncloud_minimized.sh

Content of start_owncloud_minimized.sh:

#!/bin/bash
FULLSCREEN_TIMEOUT=5
WINDOW_NAME="ownCloud"

owncloud &

sleep $FULLSCREEN_TIMEOUT
wmid=`wmctrl -l | grep $WINDOW_NAME | cut -f 1 -d " "`
for i in $wmid; do
    xdotool windowfocus $i; xdotool key "Escape"
done</pre

2. Create the startup routine

 

vim ~/.config/autostart/ownCloud.desktop

Content of ownCloud.desktop:

IMPORTANT: Set your home folder in “Exec” line.

[Desktop Entry]
Name=ownCloud
GenericName=File Synchronizer
Exec=/home/username/scripts/start_owncloud_minimized.sh
Terminal=false
Icon=owncloud
Categories=Network
Type=Application
StartupNotify=false
X-GNOME-Autostart-enabled=true

3. Done

Re-Login and see how the ownCloud Desktop Client magically disappear into the background.

UniFi Security Gateway: Add an additional public IP with NAT

The UniFi Controller has no UI configuration to assign an additional IP for the UniFi Security Gateway (USG). Hopefully this will be added from Ubiquiti in the future.

Date: 25.12.2017
Controller Version: 5.6.26
Firmware: 4.4.12.5032482

 

After many hours of reading, try and error I was able to solve this task. This guide is focused on people with network basics, therefore I will not cover technically explanations.

UPDATE:  Important, set only the values for the second IP inside config.gateway.json the settings like Port Forwarding for the first IP have to configured on the webinterface.

Attention: After following this guide you will see the first IP inside the USG Overview/Details pane and the second IP inside the Config pane in the webinterface. This looks like a bug UniFi Controller which can be ignored.

Goal:

NAT Public IP 10.0.0.2 on Port 80/TCP to internal server 192.168.0.2 on Port 8080/TCP.

Solution:

Overview:

  1. Test if the Port is closed
  2. Add the additional IP to the gateway
  3. Create a DNAT rule from WAN to LAN
  4. Create a SNAT rule from LAN to WAN
  5. Create a Firewall rule to allow traffic from WAN to LAN
  6. Apply changes
  7. Test if the Port is now open

NOTE: You can also add this with CLI commands but it will not persist after changes made from the Web-Interface.

Step 1

Test with NMAP from WAN/Internet

nmap -n -Pn -p 80 10.0.0.2

If this Port is open you should check your network setup because something is responding to 80/TCP and the next steps will potentially lead to undesired results.

Step 2-4

We need to create or append config.gateway.json inside the UniFi Controller. Place this file inside the site configuration, e.g. for the default page but the file inside “data/sites/default”

Content of config.gateway.json:

{
    "interfaces": {
        "ethernet": {
            "eth0": {
                "address": [
                    "10.0.0.1/29",
                    "10.0.0.2/29"
                ],
                "firewall": {
                    "in": {
                        "name": "WAN_IN"
                    },   
                    "local": {
                        "name": "WAN_LOCAL"
                    },   
                    "out": {
                        "name": "WAN_OUT"
                    }
                }
            }
        }
    },
    "service": {
        "nat": {
            "rule": {
                "3000": {
                    "description": "DNAT 10.0.0.2 TCP/8080 to 192.168.0.2",
                    "destination": {
                        "address": "10.0.0.2",
                        "port": "80"
                    },   
                    "inbound-interface": "eth0",
                    "inside-address": {
                        "address": "192.168.0.2",
                        "port": "8080"
                    },   
                    "log": "enable",
                    "protocol": "tcp",
                    "type": "destination"
                },
                "5000": {
                    "description": "SNAT 192.168.0.2 TCP/8080 to 10.0.0.2",
                    "log": "enable",
                    "outbound-interface": "eth0",
                    "outside-address": {
                        "address": "10.0.0.2",
                        "port": "80"
                    },   
                    "protocol": "tcp",
                    "source": {
                        "address": "192.168.0.2",
                        "port": "8080"
                    },   
                    "type": "source"
                }
            }
        }
    },
    "firewall": {
        "name": {
            "WAN_IN": {
                "default-action": "drop",
                "rule": {
                    "1000": {
                        "action": "accept",
                        "description": "NAT 10.0.0.2 TCP/8080 to 192.168.0.2",
                        "destination": {
                            "address": "192.168.0.2",
                            "port": "8080"
                        },
                        "log": "enable",
                        "protocol": "tcp"
                    },   
                }
            }
        }
    }
}

Step 5

Now it’s time to apply these rules to the USG. To do this log in to your UniFi Controller and force provisioning

Step 6

Test with NMAP from WAN/Internet

nmap -n -Pn -p 80 10.0.0.2

Install self-signed certificate for curl (and others)

These are the steps to install a self-signed certificate so you can avoid using the “–insecure” switch for curl and others which communicate over SSL/TLS.

For me it was necessary to communicate safe over the network with my tool written in  ruby

Test environment:

  • Server: debian 7 (Raspberry PI) with owncloud 9
  • Client: centOS 7

HOST=rpi01
PORT=443
FILE=$HOST.pem
# Test first if you get an certificate error
curl -v -O remote.php https://$HOST/owncloud/remote.php
# Download the certificate
openssl s_client -showcerts -connect $HOST:$PORT </dev/null | openssl x509 -outform PEM > $FILE
# Install the certificate into nssdb
certutil -d sql:/etc/pki/nssdb -A -t “P,,” -n $HOST -i $FILE
# List if the certificate are inside the database
certutil -d sql:/etc/pki/nssdb -L -n $HOST
# Download the test file again.
curl -v -O remote.php https://$HOST/owncloud/remote.php

Registrierkassen-Software cbird unter Linux verwenden

tux-cbirdDa ich bei einigen meiner Kunden die hervorragende Registrierkassen-Software cbird der Firma usoft e.U. verwende und diese in Java geschrieben musste ich natürlich gleich testen ob diese nicht auch unter Linux laufen könnte.

Mit ein paar kleinen Kniffen läuft Sie auch unter Linux ohne Funktionseinschränkungen, Drucken, Sichern, PDF export, …

Dank der Genehmigung von usoft habe ich Skripts, eine Anleitung und weitere Informationen auf einem GitHub Repository veröffentlicht.

Falls Ihr Wünsche, Fehler oder sonstiges anmerken möchtet erstellt bitte auf GitHub einen Eintrag oder direkt hier im Blog. Direkt im Blog kann es etwas dauern da ich Aufgrund der vielen Blog-Spambots nur ab und zu die Kommentare durchsehe 😉

zum GitHub Repository

Nagios check to verify open files counter

I published my Nagios checks to monitor the open files counter for special users and for the whole system. You can chek it out on github and nagiosexchange.

check_open_files

https://github.com/wefixit-AT/nagios_check_all_open_files

https://exchange.nagios.org/directory/Plugins/Operating-Systems/check_open_files-2Esh/details

check_all_open_files

https://github.com/wefixit-AT/nagios_check_all_open_files

https://exchange.nagios.org/directory/Plugins/Operating-Systems/check_all_open_files-2Esh/details