Posts by ISeeTWizard

In case of a data breach, ransomware attack or similar there are some steps to follow

Step 1

A cyber attack can certainly be classified as a disaster scenario and a clear mind is needed to navigate to a solution. Oncey you and your team adopt a problem solving attitude you will be able to respond to the breach in a logical and organized way.

The main point is "DON'T PANIC"

Step 2

If a cyber attacker demands a ransom it may be tempting and easier to pay it to regain control of your network but oftem times it may lead to future attacks so "DO NOT PAY A RANSOM".

I would say just pay a ransom if there is no other way to recovery your data but if you don't have any secured backup I have no pity for you!

You could also invest in an Endpoint Detection and Response solution that can stop ransomware before it can be executed.

Step 3

Now it's time to form a response team as to address any damage caused by the cyber attack you will need a capable and experienced response team. You team should be comprised of IT staff members either contracted or in-house who will investigate the attack and work to resolve it.

HR should be included if your employees haved been impacted by the attack. Public Relations representatives should be included to best explain the attack to your customers. Always includ legal counsel since breaches can have a number of legal implications.

Step 4

So let's see your backup which is hopefully available and undamaged from the attack (that is why offline backups are often very important). If this is the case switch to them immediately. The biggest reason this step fails is because it is often forgoten to test the data restoration process.

If you don't have any backup solution like I wrote I have no pity for you! Avoid switching off all your servers and workstations even if it's a good temptation but this won't stop or fix your damage.

Step 5

If your organization is hit with a cyber breach, it is imperative that you minimize the number of affected systems. You will need to isolate where the breach occurred and stop it from infecting other systems. Once the breach has been suspended you response team can test other portions of the network to see if they have been compromised as well.

Step 6

Now it is time to investigate. Upon investigation you may find that the damage affects numerous portions of your organization. HR response team members will need to be address any impact on your employees. If your customers or the public were affected PR staff will need to control the damage done to your reputation. The attack may even cause legal ramifications and as such your business's lawyers may need to be involved.

Step 7

After all that you should also contact your clients. The PR memebrs on your response team need to reach out to call clients who have been impacted by the breach as soon as possible. For security purposes your clients may need to change their passwords and/or PIN numbers if their private information was compromized.

Step 8

As your response team is investigating the attack ensure that they are documenting both their process and their findings. From this evidence you will be able to ascertain the vulnerability that allowed the attack to be successful and thus fortify it going forward.

Step 9

As last step I think it's sure that you are looking to prevent future attacks.

If your team is unable to effectively secure your organization's IT you may need to partner with an outside cyber security company. Outsourcing your cyber security needs to an Managed Security Services Provider (MSSP) can be cheaper and the are often more effective than most IT teams.

In IT there are so many authentication options. Here are the 10 commonly used ones.

We once had an issue to recover data from a broken disk. Under Windows the disk was directly "attacked" and so directly the control over it was lost.

Same was with Windows PE Boot Sticks to recover data.

So the only option left was Linux and here is how we did.

First you need some tools you can download from the links below:

http://www.system-rescue-cd.org/Download
https://rufus.ie or https://www.balena.io/etcher

1. Put the ISO on an USB Stick with Rufus (preferred) or Etcher
2. Boot from Stick (deactivate Secure Boot) without connecting any external device (makes it easier to find the correct devices later)
3. During the Boot process choose the default option (the first from the 2 options)
4. When the boot process is finished you may want to change your keyboard layout. You can do this with the setkmap tool.
   Simply type setkmap at the prompt and then choose your keyboard layout from the list (fr_CH as example) and click OK.
5. You can also start a graphical interface with startx but this is not needed to recover data. Within the graphical interface you can use FireFox, Partition Manager or FeatherPad (TextEditor)
6. Connect your source drive (the defective one) and search for this device with
   ls -la /dev/sdc (where sdc may vary depending on what dev your device was mapped – so it could be sdc / sdd / sde etc.)
   If you have chosen the wrong one you’ll get an error saying that no such file or directory was found.
   PS: With lsblk you should be able to see what disk is mounted under what /dev/

7. Now you can mount this device to check where the data is:

   • First create a folder in the mnt folder - do this with the following commands
     cd / (to get to the root folder)
     cd mnt (change directory to /mnt)
     mkdir source (take source as name as this is easier to find yourself back)

   
   

   • After creating the directory we can now mount the device (stay within the mnt folder)
     mount /dev/sdc2 ./source or mount /dev/sdc2 /mnt/source
     We use the number 2 as most of the time there are more partition created under Windows and 1 would be the hidden boot partition and 2 the first data partition
     That is also why we first mount the device to see if we are on the correct partition.

   
   

   • You can list what’s on your disk with (always while staying in mnt folder)
     ls -l ./source or ls -l /mnt/source

   
   

   • If you are on the wrong partition you have to unmount the device and restart with point b
     umount /mnt/source (for unmounting the source device)

   
   

   • if you can't mount due to an unclean NTFS file system you may try this (example):
     sudo ntfsfix /dev/sdc2
     sudo mount -o rw /dev/sdc2 /mnt/source

     
     

8. When you have your source device you connect your destination device to copy the data too. Important here is that you use a device formatted with NTFS as we are going to first create an image of the source disk on that disk which will be more than 4GB (FAT32 only supports files of max 4GB).
   Also here you have to do the same as for the source drive, just name the folder destination (point 7 and and as it is a NTFS partition the normal mount wouldn’t work so you have to take
   ntfs-3g to mount the device
   ntfs-3g /dev/sdd2 ./destination
9. When your destination disk is mounted switch to that folder so that you are in /mnt/destination
   This is important for the following command as we want to create a map file directly on that disk to be able to resume the recovery in case of a crash
10. For the recovery process we are going to use ddrescue. Here are some switches that may be needed:
    -f force
    -d direct disk access (slower but doesn’t use the kernel cache)
    with that method you can sometimes even recover more data as with the normal method
    not every system is supporting this
    -r3 retry 3 times (you can change the numer)
    -N skip the trimming phase
    We are using the following command for the first run (here we are recovering the most readable data)
    ddrescue -d /mnt/source /mnt/destination/data.img mapfile
    with that we copy the sdc2 partition in an data.img file on the destination disk and the mapfile is used if the recover crashes or so to not start from scrap.
    Also the mapfile is used for the second scan. Without switches we simply copy the data and when a sector has issues with reading ddrescue is skippin it and continuing with the next one without any retries.
    Now with the second scan we are going to use the -r switch to recover even more data. It is important to use the same mapfile as before
    ddrescue -d -r3 /mnt/source /mnt/destination/data.img mapfile
    You could also use this command directly but depending on the disk state you may lose all the data.
11. After the copy is finished (about 10 hours for 1TB disk) you have an entire img file of your source disk.
    Here you may want to copy it as when you are going to mount this file you are going to make changes on it.
12. Create an olddisk folder under /mnt
    mkdir olddisk (when you are under the mnt folder)
13. Now mount the image file an create the folder for the recovered data
    mount /mnt/destination/data.img /mnt/olddisk
    mkdir /mnt/destination/recovery
14. Than copy the data to the destination disk in a new folder
    cp -R /mnt/olddisk/ /mnt/destination/recovery/
    Pay attention that this also takes hours
15. When all the data is copied you can unmount all the devices
    umount /mnt/olddisk
    umount /mnt/destination
    umount /mnt/source
16. Now shutdown the computer
    shutdown -h now
17. Check on a Windows PC if you have access to the data

I hope this can help you if you ever have such an issue. I also had a personal SSD that wasn't accessible over Windows anymore but mounting it over an USB adapter on my Synology NAS, which is also Linux, helped me out and I could recover the data. It wasn't important data, as I have backups for everything, but I spend during some days collecting different download etc. for a project and so I didn't need to redownload everything lol 🙂 And there was an old Windows 95 game I patched to make it run on Windows 10 🙂

PS: If I ever make a video I gonna attach it - maybe you can leave a comment and tell me if you want a how to video from me.

If you ever had this question here is a link with the answer to it 😉

Mac OS Compatibility Guide by Mac Model

eshop.macsales.com

Pay attention that this is an external link and that I'm not affiliated to it.

Synology DSM is actually based on a simple Linux system and therefore the standard commands can be used there. That's why you can easily get the IDs you will need for many containers thanks to the easy command named ID.

Attention: The video is still in german

Attention: The video is still in german

docker run -d --name=watchtower \
-v /volume1/docker/docker.sock:/var/run/docker.sock \
--restart=always \
containrrr/watchtower --cleanup --include-stopped --include-restarting --interval 21600

Watchtower updates your containers automatically without asking. For some, this is very useful, but for others who have to work with a container all the time, less so.

That's why there is also an option to always run Watchtower manually instead of automatically. You can find all of these options in the documentation.

Here is an example of a manual update of Calibre:

docker run --rm \
-v /volume1/docker/docker.sock:/var/run/docker.sock \
containrrr/watchtower \
--run-once calibre

docker run --rm creates the Watchtower container, runs it and when it is finished, it is automatically deleted.

Create symbolic link for docker.sock

ln -s /var/run/docker.sock /volume1/docker/docker.sock

I am creating this symbolic link because I was having problems with some containers accessing docker.sock. When I linked them like this, those containers no longer had any problems and ran perfectly.

Used Links

Watchtower Documentation

Kavita is a comic book reader - the whole thing is kept relatively simple and clean. I had a few problems but these are explained in the video.

docker run -d --name=kavita \
-p 5000:5000 \
-e PUID=1038 \
-e PGID=100 \
-v /volume1/docker/Kavita:/kavita/config \
-v /volume1/Comics:/manga \
--restart always \
kizaing/kavita

SMTP Server

docker run --name kavita-email -p 5003:5003 
-e SMTP_HOST="smtp.office365.com" 
-e SMTP_PORT="587" 
-e SMTP_USER="frank@datateam.lu" 
-e SMTP_PASS="xyungelöst" 
-e SEND_ADDR="frank@datateam.lu" 
-e DISP_NAME="Frank Schroeder (Anime)" 
-d kizaing/kavitaemail:latest

Remember that this is just an example and my password is not included - so the whole thing as it is will be useless for you but simply a small suggestion as to how you could solve it.

As an additional tool, I can recommend the Comictagger to tag the comics correctly.
I didn't show or explain this in the video as it is actually very self-explanatory.

Used Links

Random Number (for a port number by random generator)

your_spotify is a web app that shows you statistics about your Spotify usage.

You can find out more in the video.

The installation takes place in 3 steps:

• Database
• Server
• Web Client

docker run -d --name mongo \
-v /volume1/docker/your_spotify_db:/data/db \
--restart always \
mongo:4.4.13

With Synology you should be careful to use a 4.4.x version of the Mongo DB because 5.x is not compatible with the CPU of the device (maybe with newer devices this isn't the case anymore).

docker run -d --name=your_spotify_server \
--link mongo \
-p 33424:8080 \
-e API_ENDPOINT= https://dyndnsserverdomain/api  \
-e CLIENT_ENDPOINT= https://dyndnsserverdomain  \
-e SPOTIFY_PUBLIC=eurepublicid \
-e SPOTIFY_SECRET=eurepublicidsecret \
-e CORS=all \
--restart always \
yooooomi/your_spotify_server

ou must fill in the API and CLIENT endpoint according to your settings.

In the same way, you must take your Spotify PUBLIC and SECRET data from your developer account. Links to this are a little further down.

When filling in the data in the configuration on the Spotify page, it is important to fill in the correct redirect URI.

 https://dyndnsserverdomain/api/oauth/spotify/callback 

docker run -d --name=your_spotify_client \
-p 17812:3000 \
-e API_ENDPOINT= https://dyndnsserverdomain/api  \
yooooomi/your_spotify_client

Please make sure to fill in your API endpoint correctly here too.

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name spotify.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;


    location /api/ {
        # enable the next two lines for http auth
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        proxy_pass  http://192.168.178.20:33424/; 
    }

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app holodeck;
        set $upstream_port 17812;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;        
        #proxy_pass  http://192.168.178.20:17812/; 
    }
}

SWAG example conf file for your_spotify.

Used Links

TZ - Timezone

Random Number (for a port number by random generator)

your_spotify @GitHub

Spotify Developer Dashboard (an application must be created here to get an API key)

Spotify Account Privacy (to request the past history)

SWAG is a reverse proxy software based on NGINX. I tried to do the same with Traefik but I failed - even if it worked somehow, many pages simply had missing information and were therefore useless.
SWAG has a lot of ready-made configuration files for frequently used programs integrated and is therefore very easy to use.
You can also have SSL certificates created automatically by Let's Encrypt and fail2ban is also on board.

However, there is a big problem on a Synology, namely ports 80 and 443. Although the DSM software runs on a different port, these two ports were blocked and redirected.

To get around this, there is a small script that I am giving you here. This is run via an SSH session and unlocks ports 80 and 443 again.

There are a lot of instructions on the internet about this but I found a script on Github that worked for me - a lot of things hadn't worked before. As always, I put the link below in the list of used links.

#! /bin/bash

# NEWLY ADDED BACKUP FUNCTIONALITY IS NOT FULLY TESTED YET, USE WITH CARE, ESPECIALLY DELETION
# Developed for DSM 6 - 7.0.1. Not tested on other versions.
# Steps to install
# Save this script in one of your shares
# Edit it according to your requirements
# Backup /usr/syno/share/nginx/ as follows:
# # cd /usr/syno/share/
# # tar cvf ~/nginx.tar nginx
# Run this script as root
# Reboot and ensure everything is still working
# If not, restore the backup and post a comment on this script's gist page
# If it did, schedule it to run as root at boot
#   through Control Panel -> Task Scheduler

HTTP_PORT=81
HTTPS_PORT=444

BACKUP_FILES=true # change to false to disable backups
BACKUP_DIR=/volume1/apps/free_ports/backup
DELETE_OLD_BACKUPS=false # change to true to automatically delete old backups.
KEEP_BACKUP_DAYS=30

DATE=$(date +%Y-%m-%d-%H-%M-%S)
CURRENT_BACKUP_DIR="$BACKUP_DIR/$DATE"

if [ "$BACKUP_FILES" == "true" ]; then
  mkdir -p "$CURRENT_BACKUP_DIR"
  cp /usr/syno/share/nginx/*.mustache "$CURRENT_BACKUP_DIR"
fi

if [ "$DELETE_OLD_BACKUPS" == "true" ]; then
  find "$BACKUP_DIR/" -type d -mtime +$KEEP_BACKUP_DAYS -exec rm -r {} \;
fi

sed -i "s/^\([ \t]\+listen[ \t]\+[]:[]*\)80\([^0-9]\)/\1$HTTP_PORT\2/" /usr/syno/share/nginx/*.mustache
sed -i "s/^\([ \t]\+listen[ \t]\+[]:[]*\)443\([^0-9]\)/\1$HTTPS_PORT\2/" /usr/syno/share/nginx/*.mustache

if which synoservicecfg; then
  synoservicecfg --restart nginx
else
  synosystemctl restart nginx
fi

echo "Made these changes:"

diff /usr/syno/share/nginx/ $CURRENT_BACKUP_DIR 2>&1 | tee $CURRENT_BACKUP_DIR/changes.log

To run the script, please change to the directory where you created it and run it as follows:

sudo ./free_ports.sh

Why this script? Well, as I said, it works, and above all it creates a backup of all changed files and tells you at the end what it has changed.

You can also decide which port should be used instead of 80 and 443 to then free them up.

It is best to save this script in a share under the name free_ports.sh, for example, and run it in an SSH session (don't forget sudo).

I use Bitvise, for example, as an SSH client under Windows - but there are countless others.

The script is supposed to always run at startup - but I haven't had to do that yet (my server restarts every day overnight - so it shuts down for 6 hours a night).

docker run -d \
  --name=swag \
  --cap-add=NET_ADMIN \
  -e PUID=1027 \
  -e PGID=100 \
  -e TZ=Europe/Luxembourg \
  -e URL=my.ddns.server \
  -e VALIDATION=http \
  -e EMAIL=euremailadresse \  
  -e SUBDOMAINS=heimdall, \
  -p 443:443 \
  -p 80:80 \
  -v /volume1/docker/Swag:/config \
  --restart unless-stopped \
  linuxserver/swag

Please remember to enter your DynDNS domain or similar under URL as well as a correct email address. Also always enter the correct IDs for folder rights.

To create a .htpasswd file, use the following command:

sudo htpasswd -c /volume1/docker/Swag/nginx/.htpasswd newuser

Or for an additional user:

sudo htpasswd /volume1/docker/Swag/nginx/.htpasswd newuser2

Used Links

TZ - Timezone

Random Number (for a port number by random generator)

SWAG @DockerHub

Free_Ports Script @GitHub

Bitvise SSH Client

SWAG Reverse Proxy Configurations @GitHub (read the readme.md on this page!)

Attention: This video is still in german

docker run -d \
  --name=heimdall \
  -e PUID=1027 \
  -e PGID=100 \
  -e TZ=Europe/Luxembourg \
  -p 40979:80 \
  -p 9039:443 \
  -v /volume1/docker/Heimdall:/config \
  --restart always \
  lscr.io/linuxserver/heimdall

I used Flame at the time and was looking for a better alternative and I think I found it in Heimdall 🙂

Used Links

TZ - Timezone

Random Number (for a port number by random generator)

Heimdall

Heimdall @LinuxServer.io

Heimdall @GitHub

Attention: The video is still in german

docker run -d --name=calibre \
-p 20118:8080 \
-p 43797:8081 \
-e PUID=1027 \
-e PGID=100 \
-e TZ=Europe/Luxembourg \
-e PASSWORD=calibrepw \
-v /volume1/docker/Calibre:/config \
-v /volume1/E-Books.local:/e-books \
-v /volume1/SSL:/SSL:ro \
--restart always \
lscr.io/linuxserver/calibre

Please remember to write your own password instead of calibrepw. The default login user is abc. Also make sure you use your own user ID and not the one I give as an example here.

Calibre is a free software package for processing, converting and managing e-books for Linux, macOS and Windows.

UsedLinks

TZ - Timezone

Random Number (for a port number by random generator)

Documentation for the Calibre Docker Container

Calibre

Attention: The video is still in german

docker run -d --name=calibre-web \
-p 8083:8083 \
-e PUID=1027 \
-e PGID=100 \
-e TZ=Europe/Luxembourg \
-e DOCKER_MODS=linuxserver/calibre-web:calibre \
-e OAUTHLIB_RELAX_TOKEN_SCOPE=1 \
-v /volume1/docker/CalibreWeb:/config \
-v /volume1/E-Books.local:/e-books \
-v /volume1/SSL:/SSL:ro \
--restart always \
lscr.io/linuxserver/calibre-web

Default user: admin
Default password: admin123

Calibre-Web is a web interface for Calibre that allows you to manage your e-book collection.

You can browse through your books, read them directly from the browser or on one of your devices, ideally

Used Links

TZ - Timezone

Random Number (for a port number by random generator)

Calibre-Web @LinuxServer.io

Calibre-Web @GitHub

Attention: The video is still in german

Today there is a small statement about my videos because some of the comments made me very upset and angry.

I also talk about SSL and the end is not the end because I had to add something lol 🙂

Used Links

SSL Converter (Site often slow - so please be patient 🙂 )

Docker Images - Examples

Attention: The video is still in german

docker run -d --name=portainer \
-p 8000:8000 \
-p 9000:9000 \
-v /volume1/docker/docker.sock:/var/run/docker.sock \
-v /volume1/docker/Portainer:/data \
--restart=always \
portainer/portainer-ce

Portainer is an open source container management tool that eliminates the need to write code. Portainer provides a graphical user interface for everything that can be done via a Docker command line.

Portainer can also be password protected and multiple users and/or roles can be distributed.

Used Links

Portainer Community Edition Documentation

Sometimes you need to suspend your Bitlocker Encryption in order to change some hardware.

Here a 2 ways to do it - you need admin rights to do it.

Powershell

Open Powershell as admin an run the following command to suspend the Bitlocker Encryption.

Suspend-Bitlocker -MountPoint "C:" -RebootCount 0

Open Powershell as admin an run the following command to resume the Bitlocker Encryption

Resume-Bitlocker -MountPoint "C:"

CMD

Open CMD as admin an run the following command to suspend the Bitlocker Encryption

Manage-bde -Protectors -Disable C: -RebootCount 0

Open CMD as admin an run the following command to resume the Bitlocker Encryption

Manage-bde -Protectors -Enable C:

Additional info

You may have noticed that both have an option with RebootCount. This is used to say to the system that after x reboots the system will automatically reactivate itself.

The value here can be maximum 15.

2016 (even 2012 / 2019 possibly also on newer editions)

Sometimes it can happen that a key entry is corrupt and you can't activate your Windows anymore and even worse through the GUI you can't change the product key or reinstall it.

So the only option is an elevated Powershell, like so often...

Remove the current key with:

slmgr -upk

Install the new key (even if identical to the already installed one)

slmgr -ipk yourkeyhere

It may take now 2-3 minutes until your installation is activated!

First of all you need to know that this here is just an additional info page about Windows. You can find more info on the dedicated pages on the main site within the corresponding timeline area.

Since there are many versions of Windows, I thought I would install the different versions within a virtual system and show them to you.

The important thing is that if you want to copy it → remains legal
I have a license for every version of Windows shown except for versions 1 and 2, although I have to check to what extent these are still licensed. In the worst case, I only install them (test version) to show you and then delete them again.

The video will show up in the timeline within the specific version to not have everything in double and triple 🙂

Here the most important links used:

WinWorldPC

VMWare - XP Support

Tech Latest - Windows XP ISO Download

VMWare Workstation

Archive.org

Windows 10 Downloader

Windows 11 Downloader

Windows 8 ISO Downloader

Windows ISO Downloader - Best tool to download latest Windows and Office ISO files

Click here for the Windows timeline on the main site - still under construction just like Windows itself 🙂

Sometimes the password for a remote desktop connection isn't saved. This is due too a local policy.

To change this you can do the following:

open gpedit.msc

navigate to:
Computer Configuration - Administrative Templates - System - Credential Delegation

look for and open the following policy:
Allow saved credentials with NTML-only server authentication or
Allow delegating saved credentials with NTLM-only server authentication

select enabled and add your server/pc name where you want to connect 
ATTENTION: Don't forget to put TERMSRV/ before your machine name
and save password from in the list

run gpupdate

If that doen't work you may have to go to your credential manager and under Windows Credentials you have on top your saved Windows Credentials. Here you delete the entry of your machine and recreate on the same page but under generic credentials. Pay attention that you need to enter just your machine name here, not TERMSRV/ in front of it as it than won't work.

To remove this annoying partition (there is always a popup of a full disk as this one doesn't have many space) you have to do the following:

Open a command prompt with administrative rights and execute the commands from this post.

diskpart
list volume
select volume <number of your volume>
remove letter=<drive letter of your volume>
exit