Wednesday, February 10, 2021
Azure/O365/Teams authentication and monitoring bash curl scripts
Authorize for teams.
Replace YOUR_TENANT_ID, YOUR_EMAIL and YOUR_PASSWORD.
Use one of these client_ids, depending on your use case.
1fec8e78-bce4-4aaf-ab1b-5451cc387264 (Teams mobile/desktop application)
5e3ce6c0-2b1f-4285-8d4b-75ee78787346 (Teams web application)
auth.sh:
#!/bin/bash
# auth.blob and cookies.txt will hold live tokens: create them readable by this user only
umask 077
curl -s -X POST https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/token \
  -c cookies.txt \
  -o auth.blob \
  -F grant_type=password \
  -F resource=https://teams.microsoft.com/ \
  -F client_id=1fec8e78-bce4-4aaf-ab1b-5451cc387264 \
  -F username=YOUR_EMAIL \
  -F password=YOUR_PASSWORD
This saves the response to auth.blob as a JSON object. It contains your bearer token, amongst others.
Because the bearer token is only valid for a certain period of time, you’ll need to refresh it. Here’s how. You’ll need ‘jq’ installed to decompose the JSON object.
refresh.sh:
#!/bin/bash
# jq -r prints the raw string, so no sed is needed to strip the quotes
REFRESHTOKEN=$(jq -r ".refresh_token" auth.blob)
curl -s -X POST https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/token \
  -c cookies.txt \
  -o auth.blob \
  -F grant_type=refresh_token \
  -F resource=https://teams.microsoft.com/ \
  -F client_id=1fec8e78-bce4-4aaf-ab1b-5451cc387264 \
  -F refresh_token="$REFRESHTOKEN"
In the script you can keep repeating actions, but in order to keep your token active, you can use the following piece of code:
if [ -f "auth.blob" ]; then
    # expires_on is a Unix timestamp; refresh when less than 60 seconds remain
    EXPIRES=$(jq -r ".expires_on" auth.blob)
    NOW=$(date +%s)
    TTL=$((EXPIRES - NOW))
    if [ "$TTL" -lt 60 ]; then
        echo "time for a refresh!"
        ./refresh.sh
    fi
else
    echo "no previous auth present!"
    ./auth.sh
    EXPIRES=$(jq -r ".expires_on" auth.blob)
    NOW=$(date +%s)
    TTL=$((EXPIRES - NOW))
fi
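The check above assumes auth.blob always holds a valid token response, but curl -o also writes a failed login to that file. The following is an added example, not part of the original post, that classifies the saved response before any arithmetic is done on it; the function name token_state, its arguments and the sample responses are made up for this example.

```shell
#!/bin/bash
# Added example: classify a saved token response as ok / refresh / reauth.
# token_state and its arguments are names made up for this example.
token_state() {
    local blob="$1" now="${2:-$(date +%s)}" margin="${3:-60}" expires
    # No file, or an empty one: there is no refresh token to work with.
    [ -s "$blob" ] || { echo reauth; return; }
    # curl -o also saves a failed login ({"error": ...}). jq -e exits
    # non-zero when the expression is false or the file is not JSON.
    jq -e '(.access_token | type) == "string" and
           (.refresh_token | type) == "string"' "$blob" >/dev/null 2>&1 \
        || { echo reauth; return; }
    expires=$(jq -r '.expires_on' "$blob")
    # expires_on must be a plain epoch number before doing arithmetic on it.
    case "$expires" in
        ''|*[!0-9]*) echo reauth; return ;;
    esac
    if [ $((expires - now)) -lt "$margin" ]; then
        echo refresh
    else
        echo ok
    fi
}

# Constructed sample responses (not real tokens), written to a temp dir.
demo_dir=$(mktemp -d)
printf '%s' '{"access_token":"aaa","refresh_token":"bbb","expires_on":"2000"}' \
    > "$demo_dir/good.blob"
printf '%s' '{"error":"invalid_grant","error_description":"constructed"}' \
    > "$demo_dir/error.blob"

token_state "$demo_dir/good.blob" 1000    # token still valid for 1000 s
token_state "$demo_dir/good.blob" 1950    # inside the 60 s margin
token_state "$demo_dir/error.blob" 1000   # failed login saved to disk
```

In a monitoring loop, "refresh" maps to ./refresh.sh and "reauth" to ./auth.sh.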
Now you can do the cool stuff like query your calendar or whatever:
#!/bin/bash
BEARER=$(jq -r ".access_token" auth.blob)
# prints "<http status>|<total time>" and writes the response body to bla.txt
curl -s --write-out "%{http_code}|%{time_total}\n" -o bla.txt \
  "https://teams.microsoft.com/api/mt/emea/beta/me/calendarEvents?StartDate=2021-02-07T23:00:00.000Z&EndDate=2021-02-14T23:00:00.000Z" \
  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36" \
  -H "authorization: Bearer $BEARER"
Or verify your local timezone:
#!/bin/bash
BEARER=$(jq -r ".access_token" auth.blob)
# timestamps before and after the request
date "+%Y.%m.%e %T %N"
curl -v 'https://teams.microsoft.com/api/mt/part/emea-03/beta/me/calendarEvents/timeZoneSettingsWithOffset?timezone=Europe%2FAmsterdam' \
  -H "authorization: Bearer $BEARER" \
  -H 'authority: teams.microsoft.com'
echo ""
date "+%Y.%m.%e %T %N"
Sunday, December 6, 2020
The Linux Desktop project
Since my work laptop is too restricted, I’m trying to set up Ubuntu on a USB stick and boot from there.
Actually, it has proven to be a very smooth experience so far. I’m impressed by the overall speed and battery performance.
A couple of things I must not forget.
WORK IN PROGRESS
Get some essentials:
sudo apt install curl ffmpeg keepassxc
Latest Google Chrome Browser: link
Latest Citrix Workspace (Receiver): link
Latest Citrix RTME (HDX for Skype): link
After installing the ica client:
sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts
cd /opt/Citrix/ICAClient/keystore/cacerts
sudo wget https://www.quovadisglobal.com/wp-content/files/media/quovadis_quovadisrootca2.pem
sudo /opt/Citrix/ICAClient/util/ctx_rehash
Modify /opt/Citrix/ICAClient/config/wfclient.template before making the first connection:
MSLocaleNumber=0x00000413
KeyboardLayout=US-International
Also: modify /opt/Citrix/ICAClient/config/All_Regions.ini
MouseSendsControlV=False
Lastly:
sudo apt-get install --reinstall libcanberra-gtk-module
/opt/Citrix/ICAClient/util/configmgr   # for mapping local drives
Install Microsoft Teams:
curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
# "sudo echo ... > file" fails because the redirect runs as the normal user; use tee instead
echo "deb [arch=amd64] https://packages.microsoft.com/repos/ms-teams stable main" | sudo tee /etc/apt/sources.list.d/teams.list
sudo apt update
sudo apt install teams
Connecting to exchange web services (for calendar sync)
sudo apt install evolution-ews
Google drive support e.g. for keepass
sudo add-apt-repository ppa:alessandro-strada/ppa
sudo apt-get update
sudo apt-get install google-drive-ocamlfuse
# edit ~/.gdfuse/default/config and set mv_keep_target=true
mkdir ~/Documents/GoogleDrive
google-drive-ocamlfuse ~/Documents/GoogleDrive
Startup file for the Google Drive mount and an offline backup of the KeePass databases:
#!/bin/bash
google-drive-ocamlfuse ~/Documents/GoogleDrive
if [ ! -d ~/BACKUP/keepass/ ]; then mkdir -p ~/BACKUP/keepass/; fi
if [ -d ~/Documents/GoogleDrive/keepass/ ]; then
    cp -f ~/Documents/GoogleDrive/keepass/*.kdbx ~/BACKUP/keepass/
else
    echo Offline
fi
gedit JSON formatter:
Preferences - Plugins - enable External Tools
Preferences - Manage External Tools
“+”, give name e.g. “Format Json”, shortcut key Ctrl+Alt+J, input=Current Document, output=Replace current document
code:
#! /usr/bin/env python
import json
import sys

j = json.load(sys.stdin)
print(json.dumps(j, sort_keys=True, indent=2))
Kodi:
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:team-xbmc/ppa
sudo apt-get update
sudo apt-get install kodi
Youtube-dl:
sudo curl -L https://yt-dl.org/downloads/latest/youtube-dl -o /usr/local/bin/youtube-dl
sudo chmod a+rx /usr/local/bin/youtube-dl
sudo ln -s /usr/bin/python3 /usr/local/bin/python
Wednesday, June 24, 2020
iptables log specific connections
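An example of how to allow certain known connections (e.g. UniFi access points) and log unknown connection attempts.
This is done by adding a chain called LOGDROP, sending packets that match the criteria (tcp/8080) to that chain, and having the chain log the packets and then drop them. The ACCEPT rules for the known access points come first, so only unknown sources reach LOGDROP.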
iptables:
#!/bin/bash
AP01="192.168.0.1"
AP02="192.168.0.2"
AP03="192.168.0.3"

# Resetting ...
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X

# Setting default policy on incoming traffic
iptables -P INPUT DROP      # DENY INCOMING CONNECTIONS
iptables -P FORWARD DROP    # THIS IS NOT A ROUTER
# Only the access point rules are shown here; with INPUT set to DROP, anything else
# (SSH, loopback, replies to outgoing connections) needs its own ACCEPT rule.

# allowed accesspoints
iptables -A INPUT -p tcp --dport 8080 -s "$AP01" -j ACCEPT    # UNIFI - AP01
iptables -A INPUT -p udp --dport 3478 -s "$AP01" -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -s "$AP02" -j ACCEPT    # UNIFI - AP02
iptables -A INPUT -p udp --dport 3478 -s "$AP02" -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -s "$AP03" -j ACCEPT    # UNIFI - AP03
iptables -A INPUT -p udp --dport 3478 -s "$AP03" -j ACCEPT

# log AP connections that aren't allowed
iptables -N LOGDROP
iptables -A INPUT -p tcp --dport 8080 -j LOGDROP
iptables -A LOGDROP -j LOG --log-prefix "IPTables-Dropped: " --log-level 7
iptables -A LOGDROP -j DROP

# Make persistent
iptables-save >/etc/iptables/rules.v4
Create a file in /etc/rsyslog.d/ called “30-unifi-accesspoints.conf” with the following content:
:msg,contains,"IPTables-Dropped: " /var/log/unifi_accesspoints.log
and restart rsyslog
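Once the dropped packets land in /var/log/unifi_accesspoints.log, the useful question is which unknown sources are knocking on tcp/8080 and how often. The following is an added example, not part of the original post, that summarizes the log per source address; the function name summarize_drops and the sample lines (abridged kernel LOG format, made-up addresses) are constructed for this example.

```shell
#!/bin/bash
# Added example: count dropped connection attempts per source address.
# summarize_drops and SAMPLE_LOG are names made up for this example.
summarize_drops() {
    # Reads the named log files, or stdin when called without arguments.
    # Output: "<count> <source ip> <destination port>", busiest source first.
    awk '
        /IPTables-Dropped: / {
            src = ""; dpt = ""
            # The LOG target writes KEY=value fields separated by spaces.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample lines (abridged LOG output, addresses are made up).
SAMPLE_LOG='Jun 24 10:15:01 ctl kernel: [100.1] IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.50 DST=192.168.0.10 LEN=60 TTL=64 PROTO=TCP SPT=51234 DPT=8080 SYN
Jun 24 10:15:02 ctl sshd[812]: Accepted publickey for admin from 192.168.0.20
Jun 24 10:15:04 ctl kernel: [103.4] IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.77 DST=192.168.0.10 LEN=60 TTL=64 PROTO=TCP SPT=40112 DPT=8080 SYN
Jun 24 10:15:09 ctl kernel: [108.9] IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.50 DST=192.168.0.10 LEN=60 TTL=64 PROTO=TCP SPT=51240 DPT=8080 SYN'

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On the real host, run it as summarize_drops /var/log/unifi_accesspoints.log. A source that shows up here and turns out to be a legitimate access point needs its own ACCEPT rule in the script above.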
Wednesday, May 13, 2020
Mediainfo with rar support
Mediainfo is a very nice utility, but it works even better with rar support.
Took me a while to compile it successfully, therefore here are the steps. Easy once you know it :~
First, install the current version of the normal Mediainfo and the other requirements that we need later.
sudo -s
apt install mediainfo libmediainfo-dev git build-essential
Then get the latest source code from the mediaarea.net website. Currently version 20.03.
mkdir /root/installers/ && cd /root/installers
wget https://mediaarea.net/download/binary/mediainfo/20.03/MediaInfo_CLI_20.03_GNU_FromSource.tar.gz
tar zxvf MediaInfo_CLI_20.03_GNU_FromSource.tar.gz
cd MediaInfo_CLI_GNU_FromSource
./CLI_Compile.sh
cd MediaInfo/Project/GNU/CLI && make install
Now we’re going to add the rar functionality. It depends on a modified version of libdvdread, also from lundman, that we need first.
cd /root/installers
wget http://lundman.net/ftp/dvdread/libdvdread-4.2.0.plus.tar.gz
tar zxvf libdvdread-4.2.0.plus.tar.gz
cd libdvdread-4.2.0.plus
./configure && make && make install
And now we’re going to build the mediainfo-rar version:
cd /root/installers
wget "http://www.lundman.net/ftp/mediainfo-rar/mediainfo-rar-1.4.0.tar.gz"
tar zxvf mediainfo-rar-1.4.0.tar.gz
cd mediainfo-rar-1.4.0
./configure && make && make install
Run it: mediainfo-rar.
If it complains about “error while loading shared libraries: libdvdread.so.4”, fix it with:
ln -s /usr/local/lib/libdvdread.so.4 /lib/x86_64-linux-gnu/libdvdread.so.4
That’s all.
Backup links in case sources will ever disappear:
MediaInfo_CLI_20.03_GNU_FromSource.tar.gz
libdvdread-4.2.0.plus.tar.gz
mediainfo-rar-1.4.0.tar.gz
Monday, May 11, 2020
DSM6: Run services like inetd in Synology debian-chroot
Somehow systemd does not run in the debian-chroot, so in case inetd is working for you, here’s how:
SSH to your Synology:
sudo -s
chroot /volume1/@appstore/debian-chroot/var/chroottarget /bin/bash
apt install wget tcpd zip unzip openssl lftp openbsd-inetd
Install software of choice. Then:
service openbsd-inetd start
exit
Auto-start the inetd service with the debian-chroot:
sqlite3 /volume1/@appstore/debian-chroot/var/debian-chroot.db
INSERT INTO services VALUES ('0', 'INETD', '/etc/init.d/openbsd-inetd','ps -p $(cat /var/run/inetd.pid)');
.quit
DSM6: Create a Synology x64 debian chroot
1 Install the synology “noarch” package
Go to the Package Center, then Settings
Trusted sources, “Synology Inc. and trusted publishers”
Package Sources, Add, “SynoCommunity” + “http://packages.synocommunity.com/”
Community, install Python (v2.x, not v3) and nano
Manual Install, debian-chroot_noarch-all_8.4-7.spk but DO NOT “Run after installation”
2 Fix the DSM Interface
SSH to your Synology:
sudo -s
cd /volume1/@appstore/debian-chroot/env/bin
./pip install click
nano /var/packages/debian-chroot/target/app/debian-chroot.js
Then replace
"url": "3rdparty/debian-chroot/debian-chroot.cgi/direct/router",
with
"url": "/webman/3rdparty/debian-chroot/debian-chroot.cgi/direct/router",
and:
'url': '3rdparty/debian-chroot/debian-chroot.cgi/direct/poller',
with
'url': '/webman/3rdparty/debian-chroot/debian-chroot.cgi/direct/poller',
And alter the onClose function:
onClose: function () {
    this.doClose();
    this.mainPanel.onDeactivate();
    return true;
},
3 Replace the binaries with x64
Remove old binaries:
cd /volume1/@appstore/debian-chroot/var
rm -rf chroottarget
Put the x64 chroot.tar.gz in the current directory:
tar zxvf chroot.tar.gz
echo "chroot" >/volume1/@appstore/debian-chroot/var/chroottarget/etc/hostname
cp /etc/resolv.conf /volume1/@appstore/debian-chroot/var/chroottarget/etc/resolv.conf
touch /usr/local/debian-chroot/var/installed
If you created a chroot for a different architecture than x64, use the following command. Otherwise skip this.
chroot /volume1/@appstore/debian-chroot/var/chroottarget /debootstrap/debootstrap --second-stage
The chroot is now installed. Start it:
/var/packages/debian-chroot/scripts/start-stop-status start
Enter the chroot:
chroot /volume1/@appstore/debian-chroot/var/chroottarget /bin/bash
Post-installation steps:
apt update && apt upgrade && apt autoremove
apt-get install locales
dpkg-reconfigure locales
# -> only "[*] en_US.UTF-8 UTF-8"
# -> system default: en_US.UTF-8
dpkg-reconfigure tzdata
# -> set correct timezone, e.g. Europe, Amsterdam
Optional
If you want extra mounts in your chroot, look in:
/var/packages/debian-chroot/scripts/start-stop-status
Example: add a Synology share called stuff to the chroot.
Add to the BOTTOM of all mount commands in the start_daemon section of the script:
grep -q "${CHROOTTARGET}/mnt/site " /proc/mounts || mount -o bind /volume1/stuff ${CHROOTTARGET}/mnt/site
Add to the TOP of all umount commands in the stop_daemon section of the script:
umount ${CHROOTTARGET}/mnt/site
Reboot your Synology
Create debian x64 chroot files (for Synology debian-chroot)
On your currently installed Debian x64 system:
sudo apt install debootstrap
sudo debootstrap stable chroottarget
sudo tar -cvzf chroot.tar.gz chroottarget
Save the chroot.tar.gz
If you need to create a chroot for a different architecture, e.g. armhf, the second command would be:
sudo debootstrap --foreign --arch armhf stable chroottarget
Thursday, July 18, 2019
Save and re-install debian/ubuntu packages
Save the currently installed packages to a text file:
dpkg -l | grep ^ii | awk '{print $2}' > installed.txt
Re-install the packages from the text file:
sudo apt-get install $(cat installed.txt)
Sunday, January 14, 2018
Ubiquiti Unifi Controller on Ubuntu LTS
Plenty of stuff you can find on the internet.
But for my own references:
Basic Ubuntu LTS installation.
If you’re on a public ip, first get your firewall in order. Then install Unifi.
Firewall
Make sure you’re root (sudo -s), then:
apt-get install netfilter-persistent
service netfilter-persistent start
invoke-rc.d netfilter-persistent save
mkdir /etc/iptables/
In this example:
1.2.3.4 = trusted machine that is allowed to connect to the Unifi controller. Probably your own PC
4.5.6.7 = site 1 with APs and other Ubiquiti stuff
6.7.8.9 = site 2 with APs and other Ubiquiti stuff
Ports tcp/8080 and udp/3478 are all you need between your ubiquiti equipment and your controller (see link)
Save the following to firewall.sh and execute (replace the IPs with real IPs):
#!/bin/bash
# Resetting ...
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F

# Setting default policy on incoming traffic
iptables -P INPUT DROP      # DENY INCOMING CONNECTIONS
iptables -P FORWARD DROP    # THIS IS NOT A ROUTER

# Exceptions to default policy
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT    # FOR INITIATED CONNECTIONS FROM THIS HOST
iptables -A INPUT -i lo -j ACCEPT                                   # MUSTHAVE (e.g. for MongoDB bind to localhost)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT                       # SSH
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT                   # PING

# unify test
iptables -A INPUT -p tcp --dport 8443 -s 1.2.3.4 -j ACCEPT    # Connections from management host
iptables -A INPUT -p tcp --dport 8080 -s 4.5.6.7 -j ACCEPT    # UNIFI - INFORM - site1
iptables -A INPUT -p udp --dport 3478 -s 4.5.6.7 -j ACCEPT    # UNIFI - STUN - site1
iptables -A INPUT -p tcp --dport 8080 -s 6.7.8.9 -j ACCEPT    # UNIFI - INFORM - site2
iptables -A INPUT -p udp --dport 3478 -s 6.7.8.9 -j ACCEPT    # UNIFI - STUN - site2

# Make persistent
iptables-save >/etc/iptables/rules.v4
Install Unifi
Make sure you’re root (sudo -s), then:
echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
apt-key adv --keyserver keyserver.ubuntu.com --recv 06E85760C0A52C50
apt-get update
apt-get install unifi
.. last but not least, go to: https://ipaddress:8443/
Saturday, October 21, 2017
make iptables persistent
Recent versions of Ubuntu use a built-in firewall. Therefore iptables doesn’t persist after a reboot.
Here’s how:
# Start
sudo service netfilter-persistent start
# Add to startup
sudo invoke-rc.d netfilter-persistent save