Building a Virtual Sandbox (Part II) – Initial Server/Workstation

This first system will have several duties:

  • Workstation
  • Git Server
  • Ansible
  • DNS
  • and possibly other services as we move along.

For this system, we’re using Ubuntu 20.04 Desktop. The settings used for this system are 2G memory and a 20G disk with the basic workstation install. We’ll give this an IP of, and place it on the internal network we configured in the prior article. The hostname is “ubuntu-ws”. I’ll also create the user “mascio” as an administrative user. Don’t forget to boot the OpenBSD firewall from earlier.

Why is a CentOS/RedHat guy choosing Ubuntu? Several reasons: (1) with the recent shakeup of CentOS, CentOS 8 may not work well for me in the long run, and (2) I get plenty of CentOS practice at work. Don’t worry, there will be plenty of other CentOS stuff here over time. I’m not leaving CentOS/RedHat. Refreshing skills and knowledge from time to time is a good idea.

And just because I like the functionality better, let’s install aptitude:

sudo apt-get install aptitude

Let’s start by installing Ansible:

sudo aptitude update
sudo aptitude upgrade -y
sudo aptitude install openssh-server net-tools sshpass tree python python-pip python-setuptools ansible -y

We’ll come back to configuring Ansible.

Since I’ve already decided the Ansible playbooks need to be under source code control, we’ll install git and GitLab:

sudo aptitude install -y git-all curl openssh-server ca-certificates tzdata postfix mailutils
curl | sudo bash

Since this is a lab, and the external infrastructure is not yet in place, use “Local only” for your Postfix configuration. If you have a smart host or other infrastructure in place, configure as you see fit.

And now bind:

sudo aptitude install bind9 bind9utils bind9-doc

We should be done with installing for now. Let’s get bind set up. Since we’re using only IPv4 and not IPv6, let’s set it to serve only the former:

sudo vi /etc/default/named

And add “-4” to the OPTIONS line:

OPTIONS="-u bind -4"

Now restart bind:

sudo systemctl restart bind9

Normally, you would set up your trusted hosts here, but we only have a primary right now, so we’ll come back to that step later when we have servers to worry about.

Now, we need to add some extra lines to /etc/bind/named.conf.options:

options {
        directory "/var/cache/bind";

        recursion yes;                 # enables recursive queries
        #allow-recursion { trusted; };  # allows recursive queries from "trusted" clients
        listen-on {; };   # private IP address - listen on private network only
        allow-transfer { none; };      # disable zone transfers by default

        forwarders {
        };
};

Next, edit /etc/bind/named.conf.local and adjust domain/IP as necessary:

zone "" {
        type master;
        file "/etc/bind/zones/"; # zone file path
        #allow-transfer {; }; # secondary private IP address - place holder
};

zone "" {
        type master;
        file "/etc/bind/zones/db.10.13.13";  # subnet
        #allow-transfer {; }; # secondary private IP address - place holder
};

Now that we have the zones defined, both forward and reverse, let’s create the data files needed:

sudo mkdir /etc/bind/zones

Edit /etc/bind/zones/ and add:

$TTL    300
@       IN      SOA     localhost. (
                       20122400         ; Serial
                            300         ; Refresh
                            300         ; Retry
                            300         ; Expire
                            300)       ; Negative Cache TTL

; name servers - NS records
                       IN      NS

; name server A records
                        IN      A

; host A records
                        IN      A
                        IN      A

A quick note on my serial value: it is in the format YYMMDDHHmm, so this one reads as updated on Dec 24, 2020, once. Also, all of my timer values are small, which for a lab is probably OK, but for Internet production usage you’ll want to adjust those for performance.

Edit /etc/bind/zones/db.10.13.13 and add:

$TTL    300
@       IN      SOA     localhost. (
                       20122400         ; Serial
                            300         ; Refresh
                            300         ; Retry
                            300         ; Expire
                            300 )       ; Negative Cache TTL

; name servers
      IN      NS

; PTR Records
10   IN      PTR    ;
;10   IN      PTR    ;

And to be sure everything is good, run:

sudo named-checkconf

If all is well, restart BIND:

sudo systemctl restart bind9
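Besides named-checkconf, the check I would run after editing both zones is a forward/reverse consistency pass: every A record should have a matching PTR in db.10.13.13 and vice versa. This is an added example, not code from the original post; the domain lab.example, the hostmaster address and the host addresses are constructed placeholders, and the parser assumes a /24 reverse zone laid out like the files above.

```python
# Added example, not from the original post: cross-check a BIND forward zone
# against its /24 reverse zone so every A record has a matching PTR and vice
# versa. "lab.example" and the addresses below are constructed placeholders.
FORWARD_ZONE = """\
$TTL 300
@   IN SOA ubuntu-ws.lab.example. admin.lab.example. (
        20122400 300 300 300 300 )   ; Serial Refresh Retry Expire Neg-TTL
@   IN NS ubuntu-ws.lab.example.
ubuntu-ws IN A 10.13.13.10
fw        IN A 10.13.13.1            ; no PTR in the reverse zone: flagged
"""
REVERSE_ZONE = """\
$TTL 300
@   IN SOA ubuntu-ws.lab.example. admin.lab.example. (
        20122400 300 300 300 300 )
    IN NS ubuntu-ws.lab.example.
10  IN PTR ubuntu-ws.lab.example.
"""

def parse_records(zone_text, origin):
    """Return (owner FQDN, type, rdata); skips comments, $-directives, SOA."""
    records, owner, in_soa = [], origin, False
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop ';' comments
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if in_soa or "SOA" in fields:                 # swallow SOA ( ... )
            in_soa = ")" not in line
            continue
        if not line[0].isspace():                     # explicit owner name,
            name, fields = fields[0], fields[1:]      # else inherit previous
            owner = origin if name == "@" else (
                name if name.endswith(".") else f"{name}.{origin}")
        fields = fields[1:] if fields[0] == "IN" else fields
        records.append((owner, fields[0], fields[-1]))
    return records

def check_forward_reverse(fwd_text, fwd_origin, rev_text, rev_prefix):
    """List A records lacking a matching PTR and PTRs lacking a matching A."""
    a = {n: r for n, t, r in parse_records(fwd_text, fwd_origin) if t == "A"}
    rev_origin = ".".join(reversed(rev_prefix.split("."))) + ".in-addr.arpa."
    ptr = {f"{rev_prefix}.{n.split('.')[0]}": r
           for n, t, r in parse_records(rev_text, rev_origin) if t == "PTR"}
    problems = [f"A {n} -> {ip} has no matching PTR"
                for n, ip in sorted(a.items()) if ptr.get(ip) != n]
    problems += [f"PTR {ip} -> {n} has no matching A"
                 for ip, n in sorted(ptr.items()) if a.get(n) != ip]
    return problems
```

Call check_forward_reverse(FORWARD_ZONE, "lab.example.", REVERSE_ZONE, "10.13.13") on the real files (read from /etc/bind/zones/) to get the list of mismatches; an empty list means the two zones agree.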

Been a while…

Been pretty busy, but since this COVID19 mess began, I’ve been working from home. Spent the first two weeks dealing with on-call issues, then lots of deployment issues. Work kept me pretty busy.

But, I finally got time to work on some of my sewing (new messenger bag in the works for me…). BUT, Charrie started a new job at a nursing home, and they are required to wear masks when dealing with patients. Since all her patients are potentially vulnerable individuals AND all in the same place, the nursing home takes this very seriously! Unfortunately, they only had one mask for her. It’s reusable, but needs to be washed every day. This gets to be a drag very quickly!

So, my messenger bag got pushed to the side, and I started looking at masks. She does not like the standard surgical style mask, especially with ties. And the ties on hers are a fairly wide, smooth ribbon. When tied, it is either a pain to untie, or won’t stay tied. So… After much research, I made an Olsen style mask from UnityPoint Health’s YouTube channel: Little bit of a challenge, but the biggest problem was getting it to fit Charrie properly. And the pattern, for her, looked a bit big. Works well for me though!

Not too bad for me, but not very satisfactory for Charrie. I decided to do a bit more research before I started messing with how to scale the pattern to fit her, not to mention how to get the ear loops to fit right, and I found another one on YouTube that seemed to fit the bill. It was called the “Best Fit Face Mask” (, and had some nice options for handling that pesky ear loop fit/adjustment. Especially since finding elastic right now is nearly impossible! So I made one up (medium) from the author’s pattern, and had Charrie test fit it.




Fit beautifully! So I made up two more:




All have the filter pocket added. Even if no filter is added, there is one more layer of tighter weave cotton to help keep her bad stuff to herself, and the patients’ bad stuff to themselves!

Not N95, but it does not need to be in this case.

Now to work on my messenger bag. Nice tapestry looking fabric…

success vs failure

Failure is not the opposite of success.

Failure is not overcoming.

Success has plenty of “failure” along the way – it is called learning. Learning what not to do and what you need to do.

If you never stop trying, you don’t fail. You may decide to stop pursuing a course of action as not cost effective, but that is not a failure; it is a decision.

Humans are lousy random number generators

After reading Bruce Culp’s December 2014 newsletter, I found it interesting that I was writing on a similar topic, but from a different direction. In Bruce’s newsletter, he mentions a Reg Parker who thought through the human process and the weaknesses in humans. I would consider this one of the first steps in social engineering, a problem we still face today. In his case, he did not use social interactions to obtain information, but clever observation of human behavior and how to leverage that knowledge. What is the problem we are looking at?
Humans are lousy random number generators!

I may not be the best Enigma historian, but my training in Mathematics and Statistics has shown me that humans are lousy at choosing random numbers or letters. Part of the security of Enigma, or any cryptologic system, is that randomness. The rotor starting point and the key used need to be random. In addition, any short-term repetition or pattern endangers the entire system.

To test this theory on myself, I recorded my passwords over an extended period. By studying that list, I noticed I have certain patterns in the self-generated passwords. I do better by looking around and choosing objects at “random,” taking three or four characters from the name or category and adding numbers and special characters by bouncing my hands on the keyboard without looking. Not perfect, but better than the ones I thought up as “random.” Because we have a tendency to fall into patterns, I was careful not to choose the same object that was chosen in the prior 4-5 passwords. While truly random passwords or choices can repeat, a repeated three letter pattern would assist the cryptologist/bad guy in cracking my password.

Many people have studied humans’ lack of ability to be random (see below). So how can we overcome this problem as we try to emulate proper procedures to create secure keys? Alternatively, how can we use this to create better passwords for ourselves? Truly random passwords are difficult to remember, but there are strategies to help. Semi-random pronounceable passwords are better for humans, but are weaker than truly random ones. A bit weaker, but one you can remember, is far better than one that is secure but you have to write it down! As a systems administrator, I have to generate initial passwords for my users. I use the Password Generator listed in Sources of Random, below. You will notice that the pronounceable passwords have many 3-letter groups that we can take advantage of for Enigma settings.

If you look under “Sources of Random,” I also have a couple of different Apps and a web page to help. Are these truly random? Nope! However, the pseudorandom algorithms are sufficiently complex that, for the number of messages we are likely to send, we should be OK.

Don’t like these? Got one or two dice? A couple of coins? I have created a couple of charts to let you use “old tech” to generate some random values. The coins are a bit more work, since it takes five coin tosses to get one letter, but if you are not in a rush, it works. The dice charts were designed to spread the numbers out so that any roll has the best chance of yielding a value, but even with that, 10 throws out of 36 (27.7%) are a reroll. Without getting into fancy dice and complex charts, it is the best I can do. If you want to spend a few bucks, you can get a 26-sided die.

Do you need to change anything for something we do for fun? No, but hopefully this will give you some thoughts on the problems of creating secure keys and passwords.
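The dice and coin charts above are rejection sampling: 36 dice outcomes (or 32 coin outcomes) are mapped onto 26 letters and the leftovers are rerolled rather than wrapped around, because wrapping would make some letters twice as likely. The following is an added example, not the author’s charts; the dice-to-letter and coin-to-letter tables are my own ordering, and the default roller uses the secrets module in place of physical dice.

```python
# Added example, not from the original post: turn fair dice or coin tosses
# into uniformly random letters by rejection sampling. Two dice give 36
# outcomes, five coins give 32; anything beyond the 26 letters is a reroll.
# The index-to-letter mapping is my own, not the author's printed charts.
import secrets
import string

LETTERS = string.ascii_uppercase


def letter_from_dice(d1, d2):
    """Map an ordered pair of six-sided dice to a letter, or None for a reroll."""
    index = (d1 - 1) * 6 + (d2 - 1)            # 0..35, each equally likely
    return LETTERS[index] if index < len(LETTERS) else None


def letter_from_coins(tosses):
    """Map five tosses ('H'/'T') to a letter, or None for a reroll."""
    if len(tosses) != 5 or set(tosses) - {"H", "T"}:
        raise ValueError("need exactly five H/T tosses")
    index = int("".join("1" if t == "H" else "0" for t in tosses), 2)  # 0..31
    return LETTERS[index] if index < len(LETTERS) else None


def reroll_fraction(outcomes):
    """Fraction of raw outcomes thrown away: 36 -> 10/36, 32 -> 6/32."""
    return (outcomes - len(LETTERS)) / outcomes


def biased_letters_if_wrapped(outcomes):
    """Letters that would come up twice as often if, instead of rerolling,
    the index were wrapped modulo 26 (the tempting shortcut, and why not)."""
    return LETTERS[: outcomes % len(LETTERS)]


def random_setting(length=3, roll=lambda: secrets.randbelow(6) + 1):
    """Draw an Enigma-style letter group. `roll` stands in for one die; the
    default is a CSPRNG, and a function reading real dice can be passed in."""
    out = ""
    while len(out) < length:
        letter = letter_from_dice(roll(), roll())
        if letter is not None:                 # rerolls are simply discarded
            out += letter
    return out
```

random_setting(3) gives a three-letter group for a rotor start or message key; the loop keeps rolling until it has enough non-reroll results, so the letters stay uniform.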

Sources of Random:

  • Web based Random Letter Sequence Generator: You can generate several three/four letter sequences to use as starting points and keys for Enigma enciphering. Generate several sequences to keep handy, and scratch them off as you use them. (
  • Android App: “Letters & Numbers Generator”: My favorite Android app to generate random letters. (
  • IOS: “Letters – Random Character and Words” by Georg Dresler
  • Dice:
    • 26 letters:
    • 26 numbers:
  • Password Generator:


  • Human Password Selection and Randomness:
  • Are people capable of generating a random number?
  • Humans cannot consciously generate random numbers sequences: Polemic study.
  • Kerckhoffs’s principle:

Top 10 reasons for studying martial arts

Another sent to me a long time ago.


10) Broken masonry makes great drainage for potted plants.
9) Get beaten up by people half your size and twice your age.
8) Never run out of kindling wood again.
7) No need to wonder what belt to wear.
6) Get to be on first name basis with the Emergency Room staff.
5) These uniforms make nice pajamas.
4) Never need to wonder why it’s hard to get up in the morning.
3) Get to appreciate the finer points of Chuck Norris’ acting.
2) Learn to count to 10 in 3 different Asian languages.

And the top reason for studying martial arts:

1) (Tie) Get to star in Ginsu commercials. / Three words: free nose job.

Cat Bathing as a Martial Art

This was sent to me a long time ago. Enjoy!


Some people say cats never have to be bathed. They say cats lick
themselves clean. They say cats have a special enzyme of some sort in
saliva that works like new, improved Wisk – dislodging the dirt where it hides
and whisking it away.

I’ve spent most of my life believing this folklore. Like most blind
believers, I’ve been able to discount all the facts to the contrary, the kitty
odors that lurk in the corners of the garage and dirt smudges that cling to
the throw rug by the fireplace.

The time comes, however, when a man must face reality: when he must
look squarely in the face of massive public sentiment to the contrary and
announce: “This cat smells like a port-a-potty on a hot day in Juarez.”

When that day arrives at your house, as it has in mine, I have some
advice you might consider as you place your feline friend under your arm
and head for the bathtub:

— Know that although the cat has the advantage of quickness and lack
of concern for human life, you have the advantage of strength. Capitalize on
that advantage by selecting the battlefield. Don’t try to bathe him in an
open area where he can force you to chase him. Pick a very small bathroom.
If your bathroom is more than four feet square, I recommend that you get in
the tub with the cat and close the sliding-glass doors as if you were about
to take a shower. (A simple shower curtain will not do. A berserk cat can
shred a three-ply rubber shower curtain quicker than a politician can shift

— Know that a cat has claws and will not hesitate to remove all
the skin from your body. Your advantage here is that you are smart and know
how to dress to protect yourself. I recommend canvas overalls tucked into
high-top construction boots, a pair of steel-mesh gloves, an army helmet, a
hockey face mask, and a long-sleeved flak jacket.

— Prepare everything in advance. There is no time to go out for
a towel when you have a cat digging a hole in your flak jacket. Draw the
Make sure the bottle of kitty shampoo is inside the glass enclosure. Make sure
the towel can be reached, even if you are lying on your back in the water.

— Use the element of surprise. Pick up your cat nonchalantly, as
if to simply carry him to his supper dish. (Cats will not usually notice
your strange attire. They have little or no interest in fashion as a rule.
If he does notice your garb, calmly explain that you are taking part in a
product testing experiment for J.C. Penney.)

— Once you are inside the bathroom, speed is essential to
survival. In a single liquid motion, shut the bathroom door, step into the
tub enclosure, slide the glass door shut, dip the cat in the water and
squirt him with shampoo. You have begun one of the wildest 45 seconds of
your life.

Cats have no handles. Add the fact that he now has soapy fur, and
the problem is radically compounded. Do not expect to hold on to him for
more than two or three seconds at a time. When you have him, however, you
must remember to give him another squirt of shampoo and rub like crazy.
He’ll then spring free and fall back into the water, thereby rinsing
himself off. (The national record for cats is three latherings, so don’t
expect too much.)

— Next, the cat must be dried. Novice cat bathers always assume
this part will be the most difficult, for humans generally are worn out at
this point and the cat is just getting really determined. In fact, the
drying is simple compared to what you have just been through. That’s
because by now the cat is semipermanently affixed to your right leg. You
simply pop the drain plug with your foot, reach for your towel and wait.
(Occasionally, however, the cat will end up clinging to the top of your
army helmet. If this happens, the best thing you can do is to shake him
loose and to encourage him toward your leg.) After all the water is
drained from the tub, it is a simple matter to just reach down and dry the

In a few days the cat will relax enough to be removed from your
leg. He will usually have nothing to say for about three weeks and will
spend a lot of time sitting with his back to you. He might even become
psychoceramic and develop the fixed stare of a plaster figurine.

You will be tempted to assume he is angry. This isn’t usually the
case. As a rule he is simply plotting ways to get through your defenses and
injure you for life the next time you decide to give him a bath.

But at least now he smells a lot better.