ELK – Auto-delete older Logstash indices

The following is an approach to auto-delete Logstash indices in Elasticsearch every X days. The following steps are to be run on your ELK host.

Get curator-cli

sudo pip install elasticsearch-curator -U

Create script

cd ~/
vim elasticsearch_del.sh

My preference is to delete indices older than 30 days, change the 30 to your preference. Then save the file.

/usr/local/bin/curator_cli "$@" delete_indices --filter_list '[{"filtertype":"age","source":"creation_date","direction":"older","unit":"days","unit_count":30},{"filtertype":"pattern","kind":"prefix","value":"logstash"}]'

Now make the script executable:
chmod +x elasticsearch_del.sh

Then run the script to make sure it works – use the --dry-run argument to test (i.e. not actually take any action):

./elasticsearch_del.sh --dry-run

If you you’re happy with the output and want to run it for real:


Setup a CRON schedule job

crontab -e

Add the following line – changing the schedule to your preference. This runs it every Saturday at 5pm:

0 17 * * SAT /home/db/elasticsearch_del.sh


timhaak/plex docker upgrade

I’m using the timhaak/plex docker image

Here is to upgrade:

sudo docker pull timhaak/plex

sudo docker rm plex

Get it running again:
sudo docker run -d --restart=always -e PLEX_ALLOWED_NETWORKS=<CIDR> --name <shortname> -h <hostname> -v <config-location>:/config -v <media-location>:/data/movies -p 32400:32400 -p 32400:32400/udp -p 32469:32469 -p 32469:3
2469/udp -p 1900:1900/udp -p 32410:32410/udp -p 32412:32412/udp -p 32413:32413/udp -p 32414:32414/udp timhaak/plex


<shortname> with what you want the container to be called

<hostname> with what you want the PMS to be called

<config-location> with the location of your Plex config (note to self, mine is: /opt/plex-data/)

<media-location> with the location of your videos/media

Verify upgrade

Show running containers:

sudo docker ps

Take note of the container ID for plex

Get a bash shell to the running Plex container:

sudo docker exec -it <containerid> /bin/bash

Verify the version installed

dpkg-query -s plexmediaserver | grep "Version"

ChromeOS + OpenVPN (+ TLSAuth)

This is a guide to get OpenVPN (with TLS Auth) working for a ChromeOS client. Note this guide assumes you to have control of the OpenVPN server and associated configuration. This guide doesn’t explain the specifics of port forwarding on your router, or use of Dynamic DNS – if you’re doing all the below I’ll assume you know about doing those things – if not there are plenty of tutorials around.

Versions used:

  • ChromeOS 57.0.2987.115 beta – on Samsung Chromebook Plus
  • Ubuntu 14.04 LTS (Bit old I know, but systemd 😦 )
  • OpenVPN 2.3.2 (openvpn 2.3.2-7ubuntu3.1)

Install OpenVPN server and easy-rsa

sudo apt-get install openvpn easy-rsa
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/

Create certificates

cd /etc/openvpn/easy-rsa

Edit vars file to update the values

  • Set KEY_SIZE to 2048
  • Also set KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL parameters. Don’t leave any of these parameters blank.

Run ./vars to load parameters
Run ./clean-all to clear keys and previous files

Now lets create our CA cert and key:

Run ./build-ca. The majority of the defaults will be loaded of the var specified values, but you must enter the Common Name (CN) – enter a name that identifies your CA. MyVPN-CA for example. This will create two files 1) ca.crt your CA cert (public) and 2) ca.key you CA private key (secret!)

Now to create the server cert and key:

Run ./build-key-server server. Like the previous command most values can be defaulted. When prompted for CN, enter server. Then select yes for both Sign Certificate and Commit. This will create two files 1) server.crt your servers cert (public) and 2) server.key your servers private key (secret!)

Time for the client(s) cert and key(s):

Run ./build-key-client client1. When prompted for CN, enter a name unique for each client – e.g. client1. Then select yes for both Sign Certificate and Commit. This will create two files 1) client1.crt your clients cert (public) and 2) client1.key your clients private key (secret!)

Now we need to put the client cert and key into a format understood by ChromeOS, namely pkcs12. Run openssl pkcs12 -export -in client1.crt -inkey client1.key -certfile ca.crt -name MyClient -out client1.p12. Enter an export passphrase. This will create a file called client1.p12.

You can repeat the above each client, and just increment the client number: client2, client3 etc…

Now to generate the Diffie Hellman parameters. Run ./build-dh – this may take a few to many minutes. This will create a file called dh2048.pem – this is not secret.

Finally, we should create an OpenVPN static key. Run openvpn --genkey --secret ./keys/ta.key. This will create a file called ta.key – this is another secret. Now we need this is a strange and specific format for ChromeOS where it’s all in one line with inline line break escape characters ‘\n’. So lets do that with a bit of Perl – grep -v '#' ./keys/ta.key | perl -p -e 's/\n/\\n/' > ./keys/ta-oneliner.key.

Now we need to copy the files required by the server into the appropriate directory for your OpenVPN server, like this: cp ./keys/ca.rt ./keys/server.crt ./keys/server.key ./keys/ta.key ./keys/dh2048.pem /etc/openvpn/

While we are here, there are a number of files that you need to get to your client (e.g ChromeOS). There many ways to do this – for example copy somewhere using scp then copying into Google Drive. The files your client needs are client1.p12, ca.crt and ta-oneliner.key.

Configure server

sudo nano /etc/openvpn/server.conf

Here is the content of mine with comments for each line – known to work with ChromeOS clients (see version above)

Enable IPv4 forwarding:

Edit /etc/sysctl.confand uncomment net.ipv4.ip_forward=1 to enable IP forwarding. Then make it come into effect by running sudo sysctl -p /etc/sysctl.conf

Restart Openvpn server:

sudo service openvpn restart. And verify it’s actually running – sudo service openvpn status. If it’s not look in \var\log\syslog for any errors/hints.

Client Configuration (ChromeOS)

Open Chrome – and goto chrome://settings/certificates

Select ‘Authorities’, then ‘Import’, and load in the ca.crt file. When prompted tick the ‘Trust this certificate for identifying websites.’ You should see your certificate in the list under the ‘Private’ parent.

In the same certificates window select the ‘Your Certificates’ tab – then ‘Import and Bind to device…’ and load in the client.p12 and enter the passphrase you specified when creating it. You should now see your client certificate listed.

Now we need to create a ONC file for ChromeOS:

  1. Generate two random GUIDs via https://www.uuidgenerator.net/ or similar. Refresh the page to get your second one. Take note of both, I will refer to them as GUID#1 and GUID#2
  2. Copy the following into a text editor on your ChromeBook

3. Replace the following values in the above files:

  • <GUID#1> – paste value from earlier
  • <GUID#2> – paste value from earlier
  • <VPN_NAME>: Enter a name for your connection. This what you’ll see in the ChromeOS VPN UI.
  • <CA-CERT>: this is the contents of the CA.crt, without the header lines, on one long line, so it will be one long string of base64 encoded ascii, typically begining with “MII” and continuing on for some lines, remove the newlines in the cert. The footer line “—–END CERTIFICATE—–” is also not included.
  • <HOSTNAME>: This is simply the hostname of your VPN server. Do not include port – as this is specified by the ‘port’ parameter – change that if you’re not using 443.
  • <USERNAME>: Is your username on the vpn server.
  • <TLS_AUTH_KEY>: This one is the TLS auth key. Open ta-oneliner.key and paste the contents.

Save your ONC file. Not it contains secret information to treat accordingly. Any filename will do, but maintain the .onc extension

Now we need to install the ONC file:

  • In Chrome goto chrome://net-internals#chromeos
  • Click ‘Choose File’ under ‘Import ONC file’
  • Set your ONC file. Note you may get no postive or negative response from the import attempt. Just go to the VPN UI in the ChromeOS launcher – if the import succeeded you’ll see your VPN connection listed.

Drop comments/queries below and I’ll assist if I can.

Source and extra reading

PowerShell: remotely verify if TCP port is listening

I recall one of the most powerful lessons I learnt on the job was when I learnt how to remotely (or locally – verify if a TCP port was actively listening using the TELNET command. So many ‘Is the firewall open?’ questions answered with a single command

More recently I’ve been in situations where I have a company assigned Windows notebook, with telnet.exe missing and various GPO restrictions in place. However, these notebooks did have PowerShell – so I became curious to determine if I could achieve the same verification as I was with Telnet – Yes you can. Open PowerShell – and use this:
If (New-Object System.Net.Sockets.TCPClient -ArgumentList '<fqdn.domain.tld>',<port-num>) { Write-Host 'YES' } If ($? -eq $false) { Write-Host 'NO' }

Replace <fqdn.domain.tld> with the Fully Qualified Domain name or IP address of the host to target.

Replace <port-num> with the target TCP port to probe if listening.

The script will respond with ‘YES’ if it’s listening, and ‘NO’ if it’s not.

Windows 10 – Reveal saved WiFi password as unprivileged user

Home/Sufficiently privileged users can typically get the WiFi password of an Access Point that they are currently connected to by doing the following:

  1. Connect to the WiFi AP you want to un-mask the password for
  2. Right-click the WiFi symbol in the systray and select ‘Open Network and Sharing Center’
  3. Click ‘Change adapter settings’
  4. Right click the WiFi adapter
  5. In the WiFi Status dialog, click ‘Wireless Properties’
  6. Click the Security tab and then check ‘Show Characters’ – this should show your current Wifi password

However, there are cases where this option isn’t viable – either the machine is locked down and doesn’t let you select ‘Show Characters’ – or you are in a situation where you are not in range of the WiFi AP to actually connect. Try this via the Windows command prompt (cmd.exe):

Run this command to list the wifi profiles the machine knows about:

netsh wlan show profiles

Then show the password for a specific profile:

netsh wlan show profiles name=<profile> key=clear

Replace <profile> with your profile name / SSID.

The password should be shown in Key Content: field