Time Machine cleanup old backups

This is the command to cleanup old backups in Time Machine should you ever need to. Replace with an appropriate path for your backup location. I find it’d best to delete ranges of old backups with the * wildcard as well.

tmutil delete /Volumes/BackupDriveName/Backups.backupdb/MacComputerName/YYYY-MM-DD-HHMMSS/

Ad Blocking with DNS

Easy to ad block with your own DNS server if you don’t want to trust adblock or other plugins.

1 – you need a web server to host a blank image

2 – Get blacklist

Get the blacklist from http://pgl.yoyo.org/adservers/

Choose for the bind 8 config format.

I had to change the file so that the records read like this:

zone "101com.com" IN { type master; notify no; file "/etc/bind/null.zone.file"; };

by adding the “IN” between the domain name and the “{ type master ….” part. Use your vi-skills for this.

Give this file a easy name, like ‘blacklist’. Now create a line in /etc/bind/named.conf.local:

include "/etc/bind/blacklist";

Create the null zone file

Create a file /etc/bin/null.zone.file with the following contents:

$TTL    86400   ; one day

@       IN      SOA     nds.example.com. hostmaster.example.com. (
            2002061000       ; serial number YYMMDDNN
            28800   ; refresh  8 hours
            7200    ; retry    2 hours
            864000  ; expire  10 days
            86400 ) ; min ttl  1 day
        NS      nds.example.com


@               IN      A
*               IN      A

and replace example.com by your internal domain name and replace by the name of your web server. The above format allow for the use of wildcards. This means that you do not have to care about the subdomains.

Restart bind (Ubuntu version)

service bind9 restart

2 is copied from here for posterity: https://box.matto.nl/dnsadblok.html

3 – use a different DNS source if you want

If you want to use a different DNS server (say you don’t trust your ISP or Google to know every site you query) you can find others here:


And then in /etc/bind/named.conf.options add the forward to the dns servers:

 forwarders {;;;

Fetchmail Google SSL Updates

Google appears to update it’s SSL cert nightly which breaks my fetch mail script nightly as well. Here’s a simple python script in case this happens to you!

import ssl
import socket
import hashlib
import sys

addr = 'imap.gmail.com'

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
wrappedSocket = ssl.wrap_socket(sock)

 wrappedSocket.connect((addr, 993))
 response = False
 der_cert_bin = wrappedSocket.getpeercert(True)
 pem_cert = ssl.DER_cert_to_PEM_cert(wrappedSocket.getpeercert(True))

 thumb_md5 = hashlib.md5(der_cert_bin).hexdigest()
 #print("MD5: " + thumb_md5)


cnt = 0

thumb_md5_d = ''

for letter in thumb_md5:
 if cnt%2 == 0 and cnt!=0:
 thumb_md5_d += ':'
 thumb_md5_d += letter
 cnt += 1

thumb_md5_d = thumb_md5_d.upper()

infile = "//home//user//fetchmailrc.tmp"
text = open(infile)

outfile = open('/etc/fetchmailrc', 'w')


for line in text:
 if textToSearch in line:
 line = line.replace( textToSearch, thumb_md5_d )

Where fetchmailrc.tmp is this (in addition to whatever else in your fetchmailrc):

poll imap.gmail.com protocol IMAP user "login@gmail.com" there with password "password" is blah@blah.com here nofetchall ssl sslfingerprint 'GOOGLE_FINGERPRINT'

Then you setup a cron job to run it nightly and now you’ve got up to date Google fingerprints!

ZFS fix with Debian upgrade

Somehow a Debian update broke bfs and I was getting this issue:

The ZFS modules are not loaded.
Try running '/sbin/modprobe zfs' as root to load them.

To reinstall ZFS this worked for me – a compilation of many suggestions so not sure all were necessary but it worked:

apt-get clean
apt-get update
apt-get purge zfs*   --get rid of everything ZFS
apt-get remove spl dkms spl-dkms  --get rid of more ZFS
apt-get autoremove
apt-get install -t jessie-backports zfsutils-linux  --change to whatever your distribution uses

--these commands recompile the libraries if they are still having issues
dkms remove -m zfs -v --all
dkms remove -m spl -v --all
dkms add -m spl -v
dkms add -m zfs -v
dkms install -m spl -v
dkms install -m zfs -v


A couple of handy sites for getting that setup:

Your own IPSEC VPN in about 3 minutes using Digital Ocean

And this debian one for support.


Couple of notes that the script didn’t cover:

  • Instead of openswan had to use strongswan.
  • Had to add a shared secret to /etc/ipsec.secrets
  • To use a proxy you just point the proxy to listen on and point the computer to that proxy’s port

The script he had is the key so it’s here for posterity:

apt-get install -y openswan xl2tpd ppp
apt-get install -y lsof

iptables --table nat --append POSTROUTING --jump MASQUERADE
echo "net.ipv4.ip_forward = 1" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" |  tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
sysctl -p

echo "for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done"  |  tee -a /etc/rc.local
echo "iptables --table nat --append POSTROUTING --jump MASQUERADE"  |  tee -a /etc/rc.local

echo "config setup
    #in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
    #whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec
    #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
    #decide which protocol stack is going to be used.


conn L2TP-PSK-noNAT
    #shared secret. Use rsasig for certificates.
    #Disable pfs
    #start at boot
    #Only negotiate a conn. 3 times.
    #because we use l2tp as tunnel protocol
    #fill in server IP above
    rightprotoport=17/%any" > /etc/ipsec.conf

    ipsec verify

    echo "[global]
ipsec saref = yes

[lns default]
ip range =
local ip =
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes" > /etc/xl2tpd/xl2tpd.conf

echo "require-mschap-v2
mtu 1200
mru 1000
name l2tpd
lcp-echo-interval 30
lcp-echo-failure 4" > /etc/ppp/options.xl2tpd
echo "# username  l2tpd password  *" >> /etc/ppp/chap-secrets
echo ""
echo ""
echo "To Do:"
echo ""
echo "- Add users: /etc/ppp/chap-secrets"
echo "Restart the software: /etc/init.d/ipsec restart;  /etc/init.d/xl2tpd restart"

Updating Tripwire for changes

First, take a look at the report you received or run (and read):

sudo tripwire --check

If everything is OK, run the following command:

sudo tripwire -m u -Z low -r /var/lib/tripwire/report/hostname-timestamp.twr

Find memory info in Ubuntu (all linux?)

I keep looking this up so saving for posterity. This is a good way to get memory info in Ubuntu:

sudo lshw -C memory

This gets all sort of useful info. I needed to get the memory speed since I have too many computers with too many different memory speeds. Doesn’t seem to show that it is ECC memory but I also had to know that. See below for ECC and memory speed.

       description: BIOS
       vendor: LENOVO
       physical id: 0
       version: 5JKT50AUS
       date: 09/27/2010
       size: 64KiB
       capacity: 2496KiB
       capabilities: pci upgrade shadowing cdboot bootselect socketedrom edd int13floppy1200 int13floppy720 int13floppy2880 int5printscreen int9keyboard int14serial int17printer acpi usb biosbootspecification
       description: L1 cache
       physical id: 5
       slot: L1-Cache
       size: 32KiB
       capacity: 32KiB
       capabilities: internal write-back unified
       configuration: level=1
       description: L2 cache
       physical id: 6
       slot: L2-Cache
       size: 256KiB
       capacity: 256KiB
       capabilities: internal varies unified
       configuration: level=2
  *-cache:2 DISABLED
       description: L3 cache
       physical id: 7
       slot: L3-Cache
       size: 4MiB
       capacity: 4MiB
       capabilities: internal unified
       configuration: level=3
       description: System Memory
       physical id: 2c
       slot: System board or motherboard
       size: 14GiB
          description: DIMM DDR3 Synchronous 1066 MHz (0.9 ns)
          product: M391B5673EH1-CH9
          vendor: Samsung
          physical id: 0
          serial: FCBB3D85
          slot: A1_DIMM0
          size: 2GiB
          width: 64 bits
          clock: 1066MHz (0.9ns)
          description: DIMM DDR3 Synchronous 1066 MHz (0.9 ns)
          product: 18JSF51272AZ-1G1D1
          vendor: Micron Technology
          physical id: 1
          serial: D7172936
          slot: A1_DIMM1
          size: 4GiB
          width: 64 bits
          clock: 1066MHz (0.9ns)
          description: DIMM DDR3 Synchronous 1066 MHz (0.9 ns)
          product: CT51272BA1067.M18F
          vendor: Undefined
          physical id: 2
          serial: 00000000
          slot: A1_DIMM2
          size: 4GiB
          width: 64 bits
          clock: 1066MHz (0.9ns)
          description: DIMM DDR3 Synchronous 1066 MHz (0.9 ns)
          product: 18JSF51272AZ-1G1D1
          vendor: Micron Technology
          physical id: 3
          serial: 5DC579DE
          slot: A1_DIMM3
          size: 4GiB
          width: 64 bits
          clock: 1066MHz (0.9ns)

To get ECC and speed use this:

dmidecode --type memory
Handle 0x002C, DMI type 16, 15 bytes
Physical Memory Array
	Location: System Board Or Motherboard
	Use: System Memory
	Error Correction Type: Single-bit ECC
	Maximum Capacity: 8 GB
	Error Information Handle: 0x002D
	Number Of Devices: 4
Handle 0x0032, DMI type 17, 28 bytes
Memory Device
	Array Handle: 0x002C
	Error Information Handle: 0x0033
	Total Width: 72 bits
	Data Width: 64 bits
	Size: 4096 MB
	Form Factor: DIMM
	Set: None
	Locator: A1_DIMM1
	Bank Locator: A1_BANK1
	Type: DDR3
	Type Detail: Synchronous
	Speed: 1066 MHz
	Manufacturer: Micron Technology
	Serial Number: D7172936  
	Asset Tag: NULL
	Part Number: 18JSF51272AZ-1G1D1
	Rank: 2

(Forced) Move from zfsonlinux to Ubuntu ZFS

I upgraded the server from 14.04 to 16.04 and slowly discovered everything was not working perfectly with the ZFS functionality. Researching it appears zfsonlinux doesn’t support 16.04 since ZFS is a part of 16.04. However I couldn’t get the Ubuntu version to load and got this error. It gave me the pointer that the old trusty (14.04) version was the issue.

The following packages have unmet dependencies:
 zfsutils-linux : Depends: zfs-doc (= but is to be installed
                  Depends: libnvpair1linux but it is not going to be installed
                  Depends: libuutil1linux but it is not going to be installed
                  Depends: libzfs2linux but it is not going to be installed
                  Depends: libzpool2linux but it is not going to be installed
                  Recommends: zfs-zed but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

So had to purge the non Ubuntu trusty packages and start over. This will find the old installed zfs packages:

dpkg -l|grep zfs

Then you can purge the packages old trusty (14.04) to remove them:

sudo apt-get purge zfs-doc

Make sure nothing odd is in /etc/apt. Then install the native Ubuntu version with the normal:

sudo apt install zfsutils-linux

Black Mirror in real life – Chinese public credit scores

China, and specifically Shanghai for now, is instituting public credit scores to rank citizens by various factors. The end goal to improve the behavior of people by ranking them publicly. This has to have been in the works for awhile. Did Black Mirror just steal the plot for Nosedive from what China is actually doing?

Quite a few places are reporting it and here’s the NRP version. I read it first in the Economist weeks ago so they should get credit for breaking it really but NPR reminded me. A quote from NPR’s version:

“We want to make Shanghai a global city of excellence,” says Shao Zhiqing, deputy director of Shanghai’s Commission of Economy and Informatization, which oversees the Honest Shanghai app. “Through this app, we hope our residents learn they’ll be rewarded if they’re honest. That will lead to a positive energy in society.”

Shao says Honest Shanghai draws on up to 3,000 items of information collected from nearly 100 government entities to determine an individual’s public credit score.

A good score allows users to collect rewards like discounted airline tickets, and a bad score could one day lead to problems getting loans and getting seats on planes and trains.

The wonders of Let’s Encrypt and Certbot in relation to StartSSL/StartCom issues

All websites should be encrypted. Definitely don’t do anything secure over an unencrypted connection.

To support that the site has always had SSL setup. However I just discovered that the SSL certs the site uses by StartSSL have been revoked by all major browsers it appears!

A little digging for a new free SSL cert site came up with Let’s Encrypt. That in combo with Certbot is SUPER EASY to get certs and keep them up to date. All for free! I’ll probably even donate it’s so easy now!

The trick for certbot for me was to use the standalone check so I didn’t have to mess with the NGINX server’s folder security.

$ certbot certonly --standalone -d example.com -d www.example.com

Then you just point NGINX to the PEM files it creates and you’re set!

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

EASY PEASY! Now Chrome and Safari work again!

Then to renew all the certs at once you can run this

certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"