Convert your disk file from raw to qcow2

If you use virtual machines, such as within KVM, you may be running raw disk images.

Converting them to qcow2 gives you some advantages, such as the ability to snapshot your VM. Here we will show you how to:

  •     Check your disk file's format to see if it is raw or qcow2
  •     Convert your disk file from raw to qcow2

Check Your Format

You can test your disk file with the following command:

qemu-img info [disk filename] 

If it is a raw image format, you should get output similar to below:

image: images.programster.org.img 
file format: raw 
virtual size: 30G (32217432064 bytes) 
disk size: 30G 

If it is a qcow2 image format, then it will output something similar to:

image: images.programster.org.qcow2 
file format: qcow2 
virtual size: 30G (32217432064 bytes) 
disk size: 4.8G 
cluster_size: 65536 
Format specific information: 
    compat: 1.1
    lazy refcounts: false

 

Convert Raw To Qcow2

Simply enter the following command:

qemu-img convert -p -f raw -O qcow2 [input filename] [output filename] 

After the operation completes, you may wish to delete the original input file. You will also need to update any configuration that references the image, e.g. with sudo virsh edit [VM ID] for KVM: change the driver type from raw to qcow2 and update the path.

 

  • The convert option tells qemu-img that we want to copy an existing image file to a new image file.
  • The -p option tells qemu-img that we want to see the progress of the copy operation.
  • The -f option specifies the format of the original input file.
  • The [input filename] parameter is the disk file name of the input.
  • The -O option specifies the format that we want to use for the output file.
  • The [output filename] parameter is the disk file name of the output.
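As an added example (not part of the original page), the following Python script parses the qemu-img info output shown above, builds the convert command only when the image really is raw, and rewrites the disk entry of a libvirt domain XML the way the virsh edit step describes. The domain name and image paths are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `qemu-img info` output for a raw image (mirrors the page's example).
RAW_INFO = """image: images.programster.org.img
file format: raw
virtual size: 30G (32217432064 bytes)
disk size: 30G
"""

# Constructed libvirt domain fragment as `virsh edit` shows it; name and paths are hypothetical.
DOMAIN_XML = """<domain type='kvm'>
  <name>webserver</name>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/webserver.img'/>
    </disk>
  </devices>
</domain>
"""


def parse_qemu_img_info(text):
    """Turn plain-text `qemu-img info` output into a dict of its top-level fields."""
    info = {}
    for line in text.splitlines():
        if not line or line.startswith(" "):  # skip blanks and indented format-specific details
            continue
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    m = re.search(r"\((\d+) bytes\)", info.get("virtual size", ""))
    info["virtual_bytes"] = int(m.group(1)) if m else None
    return info


def convert_command(info, src, dst):
    """Build the argv for the conversion the page shows, or None when the image is already qcow2."""
    fmt = info.get("file format")
    if fmt == "qcow2":
        return None
    if fmt != "raw":
        raise ValueError("unexpected source format: %r" % fmt)
    return ["qemu-img", "convert", "-p", "-f", "raw", "-O", "qcow2", src, dst]


def retarget_disk(domain_xml, old_path, new_path):
    """Switch the disk that uses old_path to new_path and set its driver type to qcow2."""
    root = ET.fromstring(domain_xml)
    changed = 0
    for disk in root.iter("disk"):
        source, driver = disk.find("source"), disk.find("driver")
        if source is None or source.get("file") != old_path:
            continue
        source.set("file", new_path)
        if driver is not None:
            driver.set("type", "qcow2")
        changed += 1
    if changed != 1:  # refuse to guess when the path is missing or ambiguous
        raise ValueError("expected one disk using %s, found %d" % (old_path, changed))
    return ET.tostring(root, encoding="unicode")
```

The argv returned by convert_command can be handed to subprocess.run(cmd, check=True) to perform the real conversion, and the XML returned by retarget_disk is what you would paste into the virsh edit session.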

 


KVM (virt-manager): take a snapshot of a qcow2 disk.

Take A Snapshot

To list the KVM guests on a Linux server and find the [VM ID]:

virsh list 

If your KVM guests are now running with Qcow2 disk images, you can take an internal snapshot of the guest with the following command:

virsh snapshot-create [VM ID]  

Alternatively, you can create a file with the following contents:

<domainsnapshot>
    <name>Name for the snapshot</name>
    <description>Description for the snapshot</description>
</domainsnapshot>

Then pass it to the snapshotting command.

virsh snapshot-create [VM ID] [filepath]  

You can take snapshots of guests whilst they are running. Whilst the snapshot is being taken, the guest will be "paused". The "state" of the guest is also saved.

List Snapshots
One can list a virtual machine's snapshots with

sudo virsh snapshot-list [VM ID]  

This will output something like:

 Name                 Creation Time             State
------------------------------------------------------------
 1422179589           2015-01-25 09:53:09 +0000 running

Restore Snapshot

If you want to "revert", "go to", or "restore" a previous snapshot, then execute the following command:

virsh snapshot-revert [VM ID] [Snapshot Name]  

Delete Snapshot

virsh snapshot-delete [VM ID] [Snapshot Name] 


Virtualizing a physical machine

Virtualizing physical machines can solve a number of problems, such as migrating servers, having more control over backups, and restoring a machine after an incident.

Some preparation is required:

  • An external drive as large as or larger than the drive to be virtualized (formatted as NTFS to avoid the 4GB file-size limit of FAT32 partitions)
  • The dd tool
  • A Linux distro or Hiren's BootCD

Delete or move all unnecessary files (such as pictures, movies, music, etc.) off the physical drive, and make sure all updates are installed.

1. Connect the external drive to the computer to be converted
2. Boot the computer from Hiren's BootCD (CD / USB stick)
3. In the terminal, list the drives:

lsblk

4. Mount the external drive (x is the letter identifying the external drive)

 mount -t ntfs-3g /dev/sdx /media/EXTERNAL_DRIVE 

5. Create the image file. Here /dev/sdx is the internal disk to be imaged, not the external drive mounted above:

dd if=/dev/sdx of=/media/EXTERNAL_DRIVE/sdx.img bs=1024

6. After removing the external drive, convert the *.img file into a ready-to-use image
6.a. Qemu-ready image:

qemu-img convert -f raw sda.img -O qcow sda-qcow.img

6.b. VirtualBox image:

VBoxManage convertdd input.img output.vdi

7. Create the virtual machine and point it at the image created above


Reset the root and admin password (SMEServer)


  • Reboot the server
  • When the graphical boot loader appears, press "Ctrl + X"
  • Press Tab to find out the available kernels
  • Type "<kernel name> single", for example "SMEServer-up single"
  • Press Enter. You will be presented with a prompt.

passwd root

passwd admin

 

Credits: smeservers.blogspot.nl

How To Back Up and Wipe Your Android Device Properly Before Selling It.

Back up and wipe your Android phone properly before transferring or selling it to another person.

Steps:
1. Make a full backup

Before formatting your device, be aware that your data can be recovered with recovery tools. So you need to encrypt your data before wiping it.

Encrypt your data
If you encrypt your data before formatting your phone, anything recovered afterwards cannot be decrypted. Make sure your device is fully charged before proceeding, because the encryption process takes time.

1. Launch the settings app and locate the “Encryption” option under Security.

2. Tap “Encrypt phone.”

Perform a factory reset

Go to Settings -> Backup & reset -> Factory data reset and tap "Reset phone." Now it is safe to sell your phone.

 


Configure Thresholding and Suppression in Snort

Thresholding:
This feature is used to reduce the number of logged alerts for noisy rules.
It can be tuned to significantly reduce false alarms, and it can also be used to write a newer breed of rules. Thresholding commands limit the number of times a particular event is logged during a specified time interval.
 
Edit:
#nano /etc/snort/threshold.conf
 
Format
 
The suppress configuration has two forms:
suppress \
        gen_id <gid>, sig_id <sid>

 

suppress \
        gen_id <gid>, sig_id <sid>, \
        track <by_src|by_dst>, ip <ip-list>

 

Example:

# snort: "GPL ICMP_INFO PING *NIX"
suppress gen_id 1, sig_id 2100366

 

Options:

gen_id <gid>

Specify the generator ID of an associated rule. gen_id 0, sig_id 0 can be used to specify a "global" threshold that applies to all rules.

sig_id <sid>

Specify the signature ID of an associated rule. sig_id 0 specifies a "global" filter because it applies to all sig_ids for the given gen_id.

track by_src|by_dst

Suppress by source IP address or destination IP address. This is optional, but if present, ip must be provided as well.

ip <list>

Restrict the suppression to only the source or destination IP addresses (indicated by the track parameter) given in <list>. If track is provided, ip must be provided as well.
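As an added example, not taken from the page or from Snort itself, this Python parser reads suppress entries in the format above, folds backslash continuations, and flags the cases the option table warns about (track without ip, and duplicated entries). The sample configuration and its addresses are constructed.

```python
import ipaddress
import re

# Constructed threshold.conf excerpt in the suppress format described above (addresses are made up).
SAMPLE_CONF = """# snort: "GPL ICMP_INFO PING *NIX"
suppress gen_id 1, sig_id 2100366
# limit the UDP portsweep alert to the internal scanner hosts only
suppress \\
        gen_id 122, sig_id 19, \\
        track by_src, ip [10.0.0.5,10.0.1.0/24]
# duplicate of the first entry
suppress gen_id 1, sig_id 2100366
# invalid: track without ip
suppress gen_id 1, sig_id 648, track by_dst
"""

LINE_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst))?"
    r"(?:\s*,\s*ip\s+(\S+))?\s*$")


def join_continuations(text):
    """Fold backslash-continued lines into single logical lines, dropping comments and blanks."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    return logical


def parse_ip_list(spec):
    """Parse an ip-list such as 10.0.0.5 or [10.0.0.5,10.0.1.0/24] into network objects."""
    items = spec.strip("[]").split(",")
    return [ipaddress.ip_network(item.strip(), strict=False) for item in items if item.strip()]


def parse_suppress(text):
    """Return (rules, problems): accepted rules as dicts, rejected lines as messages."""
    rules, problems, seen = [], [], set()
    for line in join_continuations(text):
        m = LINE_RE.match(line)
        if not m:
            problems.append("unparseable: %s" % line)
            continue
        gid, sid, track, ips = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        if (track is None) != (ips is None):  # the page: if track is present, ip must be too
            problems.append("track and ip must appear together: %s" % line)
            continue
        if (gid, sid, track, ips) in seen:
            problems.append("duplicate: gen_id %d, sig_id %d" % (gid, sid))
            continue
        seen.add((gid, sid, track, ips))
        rules.append({"gen_id": gid, "sig_id": sid, "track": track,
                      "ip": parse_ip_list(ips) if ips else None,
                      "global": gid == 0 and sid == 0})
    return rules, problems
```

Running parse_suppress over your own /etc/snort/threshold.conf before a restart catches malformed entries that Snort would otherwise reject at startup.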

 

#This event is generated when an attempt is made to gain access to private resources using Samba.
suppress gen_id 1, sig_id 536
#GPL SHELLCODE x86 NOOP
suppress gen_id 1, sig_id 648
#GPL SHELLCODE x86 0x90 unicode NOOP
suppress gen_id 1, sig_id 653
#This set of instructions can be used as a NOOP to pad buffers on an x86 architecture machines. 
suppress gen_id 1, sig_id 1390
#This event is generated when an attempt is made to return to a web client a file with a Class ID (CLSID) embedded in the file.
suppress gen_id 1, sig_id 8375
#This event is generated when network traffic that indicates download of executable content is being used.
suppress gen_id 1, sig_id 11192
#This event is generated when an attempt is made to exploit a known vulnerability in Safari.
suppress gen_id 1, sig_id 12286
#This event is generated when an attempt is made to exploit a known vulnerability in an ActiveX control.
suppress gen_id 1, sig_id 15147
#This rule generates events when a portable executable file is downloaded.
suppress gen_id 1, sig_id 15306
#This event is generated when obfuscated javascript containing excessive fromCharCode is detected.
suppress gen_id 1, sig_id 15362
#FILE-IDENTIFY download of executable content - x-header  -> stops windows download
suppress gen_id 1, sig_id 16313
#WEB-CLIENT Microsoft Internet Explorer userdata behavior memory corruption attempt
suppress gen_id 1, sig_id 16482
#This event is generated when an attempt is made to exploit a known vulnerability in internet security.
suppress gen_id 1, sig_id 17458
#This event is generated when an attempt is made to exploit a known vulnerability in firefox.
suppress gen_id 1, sig_id 20583
#This event is generated when an attempt is made to exploit a known vulnerability in adobe air.
suppress gen_id 1, sig_id 23098
#FILE-IDENTIFY Armadillo v1.71 packer file magic detected
suppress gen_id 1, sig_id 23256
#This event is generated when an attempt is made to exploit a known vulnerability in adobe air.
suppress gen_id 1, sig_id 24889
#ET P2P? BitTorrent? peer sync
suppress gen_id 1, sig_id 2000334
#ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
suppress gen_id 1, sig_id 2010516
#ET SHELLCODE Possible Call with No Offset TCP Shellcode
suppress gen_id 1, sig_id 2012088
#ET SHELLCODE Excessive Use of HeapLib? Objects Likely Malicious Heap Spray Attempt
suppress gen_id 1, sig_id 2013222
#ET INFO Packed Executable Download
suppress gen_id 1, sig_id 2014819
#ET INFO EXE - Served Attached HTTP
suppress gen_id 1, sig_id 2014520
#GPL SHELLCODE x86 inc ebx NOOP
suppress gen_id 1, sig_id 2101390
#GPL WEB_CLIENT PNG large colour depth download attempt
suppress gen_id 1, sig_id 2103134
#ET POLICY PE EXE or DLL Windows file download
suppress gen_id 1, sig_id 2000419
#ET POLICY Unusual number of DNS No Such Name Responses
suppress gen_id 1, sig_id 2003195
#ET POLICY Suspicious inbound to MSSQL port 1433
suppress gen_id 1, sig_id 2010935
#ET POLICY Suspicious inbound to mySQL port 3306
suppress gen_id 1, sig_id 2010937
#ET SHELLCODE Possible Call with No Offset TCP Shellcode
suppress gen_id 1, sig_id 2012086
#ET SHELLCODE Possible Call with No Offset UDP Shellcode
suppress gen_id 1, sig_id 2012087
#ET SHELLCODE Possible Call with No Offset UDP Shellcode
suppress gen_id 1, sig_id 2012089
#ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active
suppress gen_id 1, sig_id 2012141
#ET POLICY Executable served from Amazon S3
suppress gen_id 1, sig_id 2013414
#ET POLICY Outdated Windows Flash Version IE
suppress gen_id 1, sig_id 2014726
#ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
suppress gen_id 1, sig_id 2013504
#BLEEDING-EDGE RBN Known Russian Business Network Traffic - Known Trojan C&Cs (bleeding-rbn.rules)
suppress gen_id 1, sig_id 2406003
#ET RBN Known Russian Business Network Monitored Domains
suppress gen_id 1, sig_id 2406067
#ET RBN Known Russian Business Network Monitored Domains
suppress gen_id 1, sig_id 2406069
#ET TFTP Outbound TFTP Read Request -- VONAGE
suppress gen_id 1, sig_id 2008120
#ET SHELLCODE Common 0a0a0a0a Heap Spray String
suppress gen_id 1, sig_id 2012252
#ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
suppress gen_id 1, sig_id 2012758
#ET INFO EXE - OSX Disk Image Download
suppress gen_id 1, sig_id 2014518
#ET INFO PDF Using CCITTFax Filter
suppress gen_id 1, sig_id 2015561
#GPL ICMP_INFO PING *NIX
suppress gen_id 1, sig_id 2100366
#GPL ICMP_INFO
suppress gen_id 1, sig_id 2100368
#GPL SHELLCODE x86 stealth NOOP
suppress gen_id 1, sig_id 2100651
#GPL SHELLCODE x86 0xEB0C NOOP
suppress gen_id 1, sig_id 2101424
#GPL SHELLCODE x86 0x90 NOOP unicode
suppress gen_id 1, sig_id 2102314
#WEB-CLIENT libpng malformed chunk denial of service attempt
suppress gen_id 3, sig_id 14772
#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4
#(http_inspect) IIS UNICODE CODEPOINT ENCODING
suppress gen_id 119, sig_id 7
#(http_inspect) NON-RFC DEFINED CHAR [**]
suppress gen_id 119, sig_id 14
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32
#(http_inspect) UNESCAPED SPACE IN HTTP URI
suppress gen_id 119, sig_id 33
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 2
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
suppress gen_id 120, sig_id 4
#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
suppress gen_id 120, sig_id 6
#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
#(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
suppress gen_id 120, sig_id 9
#(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
suppress gen_id 120, sig_id 10
#(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
suppress gen_id 120, sig_id 11
#(portscan) UDP PORTSWEEP
suppress gen_id 122, sig_id 19
#(portscan) UDP Filtered Portscan
suppress gen_id 122, sig_id 21
#(portscan) UDP Filtered Decoy Portscan
suppress gen_id 122, sig_id 22
#(portscan) UDP PORTSWEEP FILTERED
suppress gen_id 122, sig_id 23
#(portscan) ICMP PORTSWEEP FILTERED
suppress gen_id 122, sig_id 26
#(spp_frag3) Bogus fragmentation packet. Possible BSD attack
suppress gen_id 123, sig_id 10
#(smtp) Attempted response buffer overflow: 1448 chars
suppress gen_id 124, sig_id 3
#(ftp_telnet) Invalid FTP Command
suppress gen_id 125, sig_id 2
#(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
suppress gen_id 137, sig_id 1
##SENSITIVE DATA DISABLE##
#Credit Card Numbers
suppress gen_id 138, sig_id 2
#U.S. Social Security Numbers (with dashes)
suppress gen_id 138, sig_id 3
#U.S. Social Security Numbers (w/out dashes)
suppress gen_id 138, sig_id 4
#Email Addresses
suppress gen_id 138, sig_id 5
#U.S. Phone Numbers
suppress gen_id 138, sig_id 6
#(spp_sip) Empty request URI
suppress gen_id 140, sig_id 2
#(spp_sip) URI is too long
suppress gen_id 140, sig_id 3
#(spp_sip) Maximum dialogs within a session reached
suppress gen_id 140, sig_id 27
#(IMAP) Unknown IMAP4 command
suppress gen_id 141, sig_id 1
#(IMAP) Unknown IMAP4 response
suppress gen_id 141, sig_id 2
###
#ET POLICY PE EXE or DLL Windows file download HTTP
suppress gen_id 1, sig_id 2018959
#ET POLICY HTTP traffic on port 443 (POST)
suppress gen_id 1, sig_id 2013926
#ET POLICY Data POST to an image file (gif)
suppress gen_id 1, sig_id 2010066
#ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
suppress gen_id 1, sig_id 2016150
#ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
suppress gen_id 1, sig_id 2016149
#ET POLICY Dropbox.com Offsite File Backup in Use
suppress gen_id 1, sig_id 2012647
#ET POLICY Logmein.com/Join.me SSL Remote Control Access
suppress gen_id 1, sig_id 2014756
#ET POLICY Pandora Usage
suppress gen_id 1, sig_id 2014997
#ET POLICY iTunes User Agent
suppress gen_id 1, sig_id 2002878
#ET POLICY Windows-Based OpenSSL Tunnel Outbound
suppress gen_id 1, sig_id 2012078
#ET POLICY Executable and linking format (ELF) file download
suppress gen_id 1, sig_id 2000418
#ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer)
suppress gen_id 1, sig_id 2009801
#ET POLICY TeamViewer Dyngate User-Agent
suppress gen_id 1, sig_id 2009475
#ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection
suppress gen_id 1, sig_id 2009020
#ET POLICY Internal Host Retrieving External IP via showmyip.com - Possible Infection
suppress gen_id 1, sig_id 2008989
#ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection
suppress gen_id 1, sig_id 2008988
#ET POLICY Internal Host Retrieving External IP via showip.net - Possible Infection
suppress gen_id 1, sig_id 2008987
#ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection
suppress gen_id 1, sig_id 2008986
#ET POLICY Internal Host Retrieving External IP via whatismyip.com Automation Page - Possible Infection
suppress gen_id 1, sig_id 2008985
#ET POLICY Logmein.com Host List Download
suppress gen_id 1, sig_id 2007765
#ET POLICY Logmein.com Update Activity
suppress gen_id 1, sig_id 2007766
#ET POLICY Microsoft TEREDO IPv6 tunneling
suppress gen_id 1, sig_id 2003155
#ET POLICY Netflix On-demand User-Agent
suppress gen_id 1, sig_id 2007638
#ET POLICY TeamViewer Keep-alive outbound
suppress gen_id 1, sig_id 2008794
#ET POLICY TeamViewer Keep-alive inbound
suppress gen_id 1, sig_id 2008795
#APP-DETECT TeamViewer remote administration tool outbound connection attempt
suppress gen_id 1, sig_id 34463
#ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
suppress gen_id 1, sig_id 2020565
#ET INFO JAVA - ClassID
suppress gen_id 1, sig_id 2016360
#ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain
suppress gen_id 1, sig_id 2013097
#ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
suppress gen_id 1, sig_id 2016538
#ET P2P Bittorrent P2P Client User-Agent (Deluge 1.x.x)
suppress gen_id 1, sig_id 2011704
#ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
suppress gen_id 1, sig_id 2016870
#ET POLICY Vulnerable Java Version 1.6.x Detected
suppress gen_id 1, sig_id 2011582
#ET POLICY Vulnerable Java Version 1.8.x Detected
suppress gen_id 1, sig_id 2019401
#ET MALWARE Adware.iBryte.B Install
suppress gen_id 1, sig_id 2018194
#ET POLICY HTTP traffic on port 443 (HEAD)
suppress gen_id 1, sig_id 2013927
#ET POLICY Possible IP Check api.ipify.org
suppress gen_id 1, sig_id 2019512
#ET POLICY BingBar ToolBar User-Agent (BingBar)
suppress gen_id 1, sig_id 2013715
#ET POLICY User-Agent (Launcher)
suppress gen_id 1, sig_id 2010645
#ET INFO JAVA - document.createElement applet
suppress gen_id 1, sig_id 2015707

##OPTIONAL RULES BELOW##
##UNCOMMENT SUPPRESS LINE TO ENABLE##

#(ftp_telnet) FTP bounce attempt
#suppress gen_id 125, sig_id 8
#ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 647
#suppress gen_id 1, sig_id 2523293
#ET TOR Known Tor Exit Node UDP Traffic group 89
#suppress gen_id 1, sig_id 2520177
#ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 89
#suppress gen_id 1, sig_id 2522177
#ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy
#suppress gen_id 1, sig_id 2014703
#ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set - Likely Kazy
#suppress gen_id 1, sig_id 2014702
#FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry exploit attempt
#suppress gen_id 1, sig_id 25459
#ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
#suppress gen_id 1, sig_id 2010525
#ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
#suppress gen_id 1, sig_id 2019416
#ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
#suppress gen_id 1, sig_id 2007695
#ET SCAN Potential SSH Scan OUTBOUND
#suppress gen_id 1, sig_id 2003068
#ET MALWARE W32/OpenCandy Adware Checkin
#suppress gen_id 1, sig_id 2014122
#ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
#suppress gen_id 1, sig_id 2015633
#ET INFO DYNAMIC_DNS HTTP Request to Abused Domain *.mooo.com
#suppress gen_id 1, sig_id 2015634
#ET INFO DYNAMIC_DNS HTTP Request to a no-ip Domain
#suppress gen_id 1, sig_id 2013744
#ET INFO DYNAMIC_DNS HTTP Request to a dns-stuff.com Domain *.dns-stuff.com
#suppress gen_id 1, sig_id 2014867
#ET INFO DYNAMIC_DNS Query to dns-stuff.com Domain *.dns-stuff.com
#suppress gen_id 1, sig_id 2014868


Linux Show List Of Network Cards

 
You can use any one of the following commands to list the network cards installed under Linux operating systems.
Please note that the ifconfig and ip commands will also display information about VPN, loopback, and other configured interfaces.
 
  1. lspci : List all PCI devices.
  2. lshw : List all hardware.
  3. dmidecode : List all hardware data from BIOS.
  4. ifconfig : Outdated network config utility.
  5. ip : Recommended new network config utility.
 
lspci 
Type the following command:
# lspci | egrep -i --color 'network|ethernet'
 
lshw 
The lshw command can extract detailed information on the hardware configuration of the machine including network cards. Type the following command:
# lshw -class network
 
dmidecode 
Getting HW information about BIOS.
# dmidecode -t bios
Getting HW information about system.
# dmidecode -t system
Getting HW information about baseboard.
# dmidecode -t baseboard
Getting HW information about chassis.
# dmidecode -t chassis
 
OR
 
# dmidecode -t cache
# dmidecode -t processor
# dmidecode -t connector
# dmidecode -t slot
 
ifconfig and ip command
To see all configured network devices, enter:
# ifconfig -a
 
OR
# ip link show
 
OR
# ip a
 
/proc/net/dev
The dev pseudo-file contains network device status information. This gives the number of received and sent packets, the number of errors and collisions and other basic statistics.
$ cat /proc/net/dev

Cronjob to check and restart service if dead

To check services and restart them if they are inactive/dead:
 
$ nano service_ck.sh
 
#!/bin/bash
STATUS=$(systemctl is-active snort)
# Most services will return something like "active" if they are in fact "active"
test "$STATUS" = "active" || systemctl restart snort
 
Change file permissions:
$ chmod +x service_ck.sh
  
Update your crontab:
$ sudo crontab -e
 
add:
 
# min   hour    day month   dow cmd
*/1 *   *   *   *   /path/to/service_ck.sh
  
or 
 
#every minute:
* * * * * /path/to/service_ck.sh