Evaggelos Balaskas - System Engineer

You can find my presentation on Athens Digital Week 2010 here: How to Contribute to Open Source Projects or to Communities

I am using a socks proxy on my office. This of course isnt a bug but a feature!

I want to mount a remote folder on a server outside my office dmz over ssh. So i ‘ve looked up for ssfs that mount an ssh remote folder with fuse (userspace). The main problem is that sshfs doesnt support any proxy settings! Thats a bummer.

So is there a way ?

From the command line i can pass sshfs through proxychains. But how can i do this through fstab ?

The normal entry on fstab is something like this:

sshfs#username@example.com:/home/username/folder/ /home/username/remote/folder/ fuse user,reconnect,compression=yes,ssh_protocol=2 0 0

and from cli is something like this:

proxychains sshfs username@example.com:/home/username/folder/ /home/username/remote/folder/ -C -o reconnect,ssh_protocol=2

That problem gave me a morning headache and i postponed everything i should be doing till i solved it.

And i solved it !!!

I didnt know that the first column in /etc/fstab can be a program or a shell script.
Do you ?

I learned it today, and i am extremely happy to learn linux stuffs with the old transitional way:
try & error.

So the above headache resolved by this entry on fstab:

proxysshfs      /home/username/remote/folder/         fuse    user,noauto     0       0

and this script: /usr/local/bin/proxysshfs

#!/bin/bash
unset http_proxy ; unset https_proxy ;
proxychains sshfs username@example.com:/home/username/folder/ /home/username/remote/folder/ -C -o reconnect,ssh_protocol=2

So now, everytime i am writing something like this:

mount /home/username/remote/folder/

my proxysshfs script is set in motion and the result is to execute the above command and finally mount the remote folder over ssh through a proxy.

How to protect your grub menu with password

Not so far ago, i wrote a post about adding password to grub.

I have to be complete honest with you: “I was wrong !”
I found the next day why i was wrong, but i was too ashamed to errata my own post!

So lets start again from the begging.

In the previous post i had added successful a password on my linux entry on grub menu. But that didnt mean anything, cause anybody can edit the grub menu at boot time and remove the password entry ! Yes its simply as that!

You have to add a lock entry on grub menu.

After a lot of tests i think i found the “correct” way of securing my grub menu.
Removing password from any menu title and add only a global password for grub with lock mechanism.

So we need to create the encrypted password, from our terminal we type:

$ grub-md5-crypt
Password: 
Retype password: 

$1$nNyIl/$2rdkv9UCclYQu1Hb0hxiQ/

For our example i typed: test

And finally (finally) my /boot/grub/menu.lst looks like this:

password –md5 $1$nNyIl/$2rdkv9UCclYQu1Hb0hxiQ/

title Arch Linux
root (hd0,0)
kernel /boot/vmlinuz26 root=/dev/sda1 ro
initrd /boot/kernel26.img
lock

I’ve just uploaded some photos from FrOSCamp 2010 and FUDCon:Zurich 2010 here:

FrOSCamp 2010 Zurich

ETH have already uploaded the video recordings here: FrOSCamp Talks 2010

This image is from FrOSCamp 2010

It’s the one of the best t-shirts i’ve ever seen!

How to setup a custom (webdav) server for xmarks.

No rocket science here,
Download PyWebDAV
Build it: python setup.py develop.
Create a custom directory: mkdir -pv /webdavserver/xmark/

Run something like this:

davserver -D /webdavserver/xmark/ -P 1234 -v -H webdav.example.com -u testuser -p 'testuser'

And then just change the xmark settings to use a custom server:

Remember you should type files and not directories:

http://webdav.example.com:1234/xmark/bookmark.json
http://webdav.example.com:1234/xmark/password.json

If you have problems with suspending your linux box when you are closing lid,
then you should take a quick look on this post !

edit this file: /etc/acpi/handler.sh

vim +/lid /etc/acpi/handler.sh

if you see the lid section empty, then add something like this: pm-suspend

eg.

button/lid)
#echo “LID switched!”>/dev/tty5
pm-suspend
;;

Just to be safe, restart acpi daemon

sudo /etc/rc.d/acpid restart

Thats it !

When a linux box came from hibernation usually resume everything from the previous state.
That means that if someone just hit the power button on your system, in a few minutes he/she will have access to your linux partition and most certain to an already logged-in system !

In a previous post i wrote how to enable Lock Screen after hibernation, but lets face it. This isnt a secure way!

And if someone has access to your hard drive he/she can somehow retrieve your data from your hibernate snapshot.

An alternative and most secure way is to encrypt your hibernate snapshot and then access it through a pass phrase.

First of all, your have to create the key for the encryption process.
Just type: suspend-keygen and then choose the length of the key. I prefer 4096 bits.
After that, you should type a secure pass phrase. Finally choose the name of the key.

A full example:

$ suspend-keygen 

libgcrypt version: 1.4.6
Key bits (between 1024 and 4096 inclusive) [1024]: 4096

Generating 4096-bit RSA keys.  Please wait.
Testing the private key.  Please wait.

Passphrase please (must be non-empty): 
Confirm passphrase: 

File name [suspend.key]: 

Τransfer your suspend.key to /etc

mv suspend.key /etc/

Now you must edit the below two lines on: /etc/suspend.conf

encrypt = y
RSA key file = /etc/suspend.key

Thats it !

The next time you resume your system from hibernation, you have to write your pass phrase to resume your encrypted hibernate snapshot.

Security is like an onion, it has many many layers.
(and sometimes we end up crying)

For preventing someone to boot your linux (or not) partition it is best to protect your grub menu.

There are two ways:

1st : To use a global password for grub
2nd: To use different passwords for every menu title.

I prefer the second method cause is a more security solution.

We need to create the encrypted password, from our terminal we type:

$ grub-md5-crypt
Password: 
Retype password: 

$1$nNyIl/$2rdkv9UCclYQu1Hb0hxiQ/

For our example i typed: test

And finally we add the bellow line in /boot/grub/menu.lst

password --md5 $1$nNyIl/$2rdkv9UCclYQu1Hb0hxiQ/

eg.

title Arch Linux [vmlinuz26]
root (hd0,0)
kernel /boot/vmlinuz26 root=/dev/sda1 ro
initrd /boot/kernel26.img
password –md5 $1$nNyIl/$2rdkv9UCclYQu1Hb0hxiQ/

In august i wrote a post about hibernation on linux, Linux hibernation in just 4 steps.

If you want to add screen lock support in resume, you have to create a custom script.

Hibernation’s scripts run in reverse numeric order, so you have to use 00 (double zeros) in the name of your custom script, telling resume process to lock screen at the end.

In my case, i wrote a super simply bash script to slock my screen. I am the only user of my laptop so the bash script is extremely dammy and does only one thing, take a look:

/usr/lib/pm-utils/sleep.d/00lock

#!/bin/bash

case $1 in
	hibernate)
		# not required.
		su ebal -c slock &
	;;
	suspend)
		# not required.
	;;
	thaw)
		# not required.
	;;
	resume)
		# not required.
	;;
	*) exit $NA
	;;
esac

You should replace ebal with your user name and slock with your screen lock program.
Alternative commands against slock are:

• xscreensaver-command –lock
• gnome-screensaver-command ––lock
• xlock

pirsyncd stands for: Python Inotify Rsync Daemon.

Description:
This is an attempt of writing a daemon to watch a directory for kernel’s inotify events and then execute an rsync command to synchronize two different directories (local or remote). This is a poor man’s mirroring or an alternative (not so) real data replication mechanism and it is based on Pyinotify.

pirsyncd

From ChangeLog:

• Pyinotify has been updated in version 0.9.0 (20100604)
• Rsync option “–safe-links” has been added
• Scoring 7.38 with pylint (better code styling)

plz try ./pirsyncd –help & ./pirsyncd –examples to see more.

Get the latest version of pirsyncd v20100907

Today i’ve tried the four (4) tiling applications on Xfce, that wikipedia refers as “Third party tiling applications on Xorg”

• Tile v0.7.3
• stiler git version
• PyTyle v0.7.4
• QuickTile git version

The winner is: Stiler

Both Tile & QuickTile had a really bad tiling appearance and PyTyle doesnt work with Xfce

You should all know this comic strip:

but have you ever wondered, what would happen if you hadnt setup sudo properly ?

Click on images !

For the past year i am looking for http 404 (not found) on my blog. I have only two sites, a blog & a wiki, so without any other web application, i can monitor for web vulnerabilities (that hackers are looking for) by just looking for 404 (Not Found) http errors.

I am using mod_rewrite for URL manipulation. My custom .htaccess redirects every Not Found (404) page to my index.php.
You can use it too, but you must be extremely careful.

You MUST NOT have any valid URLs with one the files below.
If you have, just remove the specific line from the .htaccess file.

An example:

Url: http://balaskas.gr/README doesnt exist,
so if you click on it, you should redirect to my home page.

RewriteEngine on

RewriteRule xmlrpc.php$ index.php
RewriteRule login_page.php$ index.php
RewriteRule setup.php$ index.php
RewriteRule config.inc.php$ index.php
RewriteRule multithumb.php$ index.php
RewriteRule orderSuccess.inc.php$ index.php
RewriteRule send_reminders.php$ index.php
RewriteRule config.php$ index.php
RewriteRule ask_password.php$ index.php
RewriteRule msgimport$ index.php
RewriteRule README$ index.php
RewriteRule fastenv$ index.php
RewriteRule main.php$ index.php
RewriteRule sql.php$ index.php
RewriteRule error.php$ index.php
RewriteRule errors.php$ index.php
RewriteRule sitemap.xml$ index.php
RewriteRule show_image_in_imgtag.php$ index.php
RewriteRule phpmyadmin$ index.php
RewriteRule blackhat.dll$ index.php
RewriteRule general.js$ index.php
RewriteRule get_reminders.php$ index.php
RewriteRule install.txt$ index.php
RewriteRule get_events.php$ index.php
RewriteRule auth.inc.php$ index.php
RewriteRule delete.php$ index.php
RewriteRule adxmlrpc$ index.php
RewriteRule class.dashboard_lms.php$ index.php
RewriteRule home$ index.php
RewriteRule default.php$ index.php
RewriteRule index.inc.php$ index.php
RewriteRule logging.php$ index.php
RewriteRule public.php$ index.php
RewriteRule index.inc.php$ index.php
RewriteRule add-cats.php$ index.php
RewriteRule nosuichfile.php$ index.php
RewriteRule judge.php$ index.php
RewriteRule apple-touch-icon.png$ index.php
RewriteRule apple-touch-icon-precomposed.png$ index.php
RewriteRule host-meta$ index.php

FOSDEM 2011: 5+6 February 2011

(για πιο τεχνικά, προσπεράστε τον πρόλογο)
Πρόλογος:

Πριν από λίγες μέρες, ανάρτησα το εξής post: 3g on linux, cosmote on the go.

Περιέγραψα, σε απλά βήματα, την διαδικασία σύνδεσης στο διαδίκτυο μέσω ενός usb 3g stick. είχα κατά νου γενικές οδηγίες που θα μπορεί να χρησιμοποιήσει μέχρι και ο πιο απλός χρήστης για να συνδεθεί εύκολα και γρήγορα.

Από τα σχόλια του Post, καλύφθηκαν ακόμα περισσότερα θέματα, κι όχι μόνο τεχνικά. Έγιναν αναφορές για διαφορετικές προσεγγίσεις, γραφικά προγράμματα, σύνδεση μέσω τρίτων προγραμμάτων κι άλλα πολλά.

Θα ήθελα να ευχαριστήσω όλους του φίλους για την συνεισφορά τους, τόσο για τα σχόλιά τους, όσο και για τα ηλεκτρονικά τους μηνύματα.

Με αφορμή το post, τα σχόλια και κάποια από τα ηλεκτρονικά μηνύματα που δέχθηκα, θεώρησα φρόνιμο να δημιουργήσω μία νέα σελίδα, στην οποία θα προσπαθήσω να εξηγήσω όσο πιο απλά μπορώ (κι όχι όσο το δυνατό καλύτερα) όλα όσα είναι απαραίτητα γύρω από το 3G σε διανομές Linux.

Θα είναι μεγάλη μου χαρά να το διαβάσετε (κι αυτό), να το σχολιάσετε (μέσω email) και να με διορθώσετε όπου έχω κάνει λάθος ή έχω παραλείψει κάτι.

FAQ :: 3G on Linux

You all know: Teenage Mutant Ninja Turtles

Ok, take a look here:

And then here:

See the resemblance?

Just to get serious for a moment, the true story is here:
Gnome History

Ok, dont be crazy !
I am really going here:

Απλά, όμορφα και ωραία. 10 λεπτά απομένουν μέχρι να έχετε το 3g έτοιμο στο linux-άκι σας.

Βήμα 1ο:

Η παρακάτω εντολή είναι για το Archlinux, προσαρμόστε την ανάλογα (δλδ εγκαταστήστε ArchLinux):

sudo pacman -S ppp usb_modeswitch

Βήμα 2ο:

Βάλτε το usb στον υπολογιστή/laptop σας.
Είναι σχεδόν σίγουρο, ότι θα το δει σαν block device (cd ή δίσκο).

Πληκτρολογήστε την εντολή: dmesg για να δείτε παραπάνω πληροφορίες.

Με την εντολή lsusb θα βρείτε το vendor και product id
Δείτε το αποτέλεσμα της δικής μου εντολής:

Bus 001 Device 004: ID 1bbb:f000 T & A Mobile Phones

Vendor ID: 1bbb ή καλύτερα 0×1bbb
Product ID: f000 ή καλύτερα 0xf000

Βήμα 3ο:

Τώρα πρέπει να μετατρέψουμε το usb-stick από block device σε modem (serial) device.
Πριν προχωρήσετε όμως, επιβεβαιώστε με την εντολή

ls -l /dev/tty* | grep -i usb

η διανομή σας, δεν το έχει ήδη κάνει (μπορεί hackers να το έχουν ήδη φτιάξει!)

Εάν δεν φέρει αποτελέσματα, τότε πληκτρολογήστε την εξής εντολή:

sudo usb_modeswitch -W -v 0x1bbb -p 0xf000 -V 0x1bbb -P 0xf000

Βήμα 4ο:

Αφαιρέστε το usb-stick, μετρήστε μέχρι το 10 δυνατά (ναι - ναι πρέπει να μετρήσετε δυνατά) και ξανα-βάλτε το στον υπολογιστή/laptop σας.

Τώρα με την εξής εντολή:

ls -l /dev/tty* | grep -i usb

θα πρέπει να δείτε τις νέες συσκευές!

Βήμα 5ο:

Τώρα μένει απλά να ρυθμίσετε το ppp.
Πως γίνεται αυτό ρωτάτε; Όπως όλα τα πράγματα στο linux, εύκολα !

Δύο αρχεία πρέπει να δημιουργήσετε:

0001 : /etc/ppp/peers/cosmote

με περιεχόμενο το εξής:

connect “/usr/sbin/chat -v -f /etc/ppp/cosmote.chat”
noipdefault
defaultroute
/dev/gsmmodem
460800
noauth
debug
novj
usepeerdns
nodeflate
nobsdcomp

Μεγάλη προσοχή στην 4η γραμμή που περιγράφει το device (σε εμένα είναι το /dev/ttyUSB2)

0010 : Και τώρα είμαστε έτοιμοι, να δημιουργήσουμε το 2ο αρχείο μας: /etc/ppp/cosmote.chat

ABORT BUSY
ABORT ERROR
REPORT CONNECT
TIMEOUT 10
‘’ AT
OK AT+CGDCONT=16,”IP”,”internet”
OK ATDT*99#

Βήμα 6ο:

Εάν έχετε φτάσει μέχρι εδώ, θα αναρωτιέστε ” Είναι δυνατόν να είναι τόσο μα τόσο απλά τα πράγματα στο linux ? “

Μα ΝΑΙ, είναι τόσο απλά κι εύκολα.

Και μάλιστα είστε σε θέση να περιηγηθείτε στο internet.

Αρκεί να πληκτρολογήστε την εξής εντολή:

sudo pon cosmote

Κι ανοίξτε τον αγαπημένο σας περιηγητή διαδικτύου (εννοείτε ότι μιλάμε για τον midori

Κι όταν θέλετε να σταματήσετε το 3g:

sudo poff cosmote

Some time ago, i wrote a
post in greek of how easy is to use hibernation on linux desktops.

For some time now, i didnt use hibernation and in between i upgrade my laptop a lot of times.
For some strange reason the previous tested (kernel) solution didnt work perfectly.

So i just implement the second hibernation solution: uswsusp

This method provides a userspace suspend program that uses a lot of
scripts to hook your running modules, programs and memory data to a swap partition.

Simple as that in theory, i did small changes on my laptop.

1. Installation

sudo pacman -S uswsusp

2. Kernel HOOKS

Change the resume kernel hook from /etc/mkinitcpio.conf
to uresume (userspace resume)

HOOKS=”base udev autodetect pata scsi sata uresume filesystems”

Save the above file and then run this command:

mkinitcpio -p kernel26

3. Configuration

Edit /etc/suspend.conf, so that the resume device is linking to your swap partition:

resume device = /dev/sda2

sda2 is my swap partition, just add your swap partition!

4. Hibernate

sudo pm-hibernation

PS: I read in a lot of HowTos that you have to edit /boot/grub/menu.lst
to add resume path of swap partition, but believe me, thats not necessary!