I’ve been playing with a FreeBSD machine for a while now and my primary server now runs FreeBSD :D
So I came across this problem: installing Fail2Ban with IPFW.

FreeBSD has three different firewalls, so it’s difficult for any upstream application to decide on what kind of setup it should advocate. There is no one-size-fits-all. I read about the various firewalls, and since I wanted to stick with what FreeBSD itself ships, I decided to use IPFW.

Fail2ban is a very useful tool for blocking brute-force attacks against various system daemons. The best part about it is that it works on regular expressions and user-configured commands for banning and unbanning IP addresses.

IPFW has a lookup-table feature, which is what I use here. This is one of the IPFW rules in my script:

So, it blocks any traffic from IP addresses found in table number one.

Now, the Fail2Ban jail configuration in /usr/local/etc/fail2ban/jail.conf:

Go to /usr/local/etc/fail2ban/action.d and copy ipfw.conf to ipfw-ssh.conf.

Open ipfw-ssh.conf in your favorite text editor and modify the actionban and actionunban lines:

For the lazy, here’s a patch:

That’s it. Start your firewall and fail2ban.
Whenever fail2ban detects brute-force attempts, it adds the IP to table number one, which causes the connections to be blocked as per our primary IPFW rule. The entry is deleted again after the bantime is over.
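Here is what the pieces above add up to, as an added shell example that is not the post’s own script or action file: the IPFW rule that denies traffic from addresses in table 1, and ban/unban wrappers that do what the modified actionban and actionunban lines do, with the address validated before it reaches ipfw (fail2ban substitutes `<ip>` straight into the action command line). The rule number 100, the jail name and the log path in the comments are assumptions; set IPFW_BIN=echo to see the commands without running them.

```shell
#!/bin/sh
# Added example (not the post's own rules or action file): the IPFW table rule
# plus ban/unban wrappers equivalent to the modified actionban/actionunban lines.
# Assumptions: lookup table 1 (as in the post); rule number 100, the jail name
# and the log path below are this example's own choices.
# Set IPFW_BIN=echo to print the ipfw commands instead of running them.
IPFW_BIN="${IPFW_BIN:-ipfw}"
TABLE="${TABLE:-1}"
RULE="${RULE:-100}"

# What the fail2ban side looks like, for reference (assumed values):
#   jail.conf                          action.d/ipfw-ssh.conf
#   [ssh-ipfw]                         actionban   = ipfw table 1 add <ip>
#   enabled = true                     actionunban = ipfw table 1 delete <ip>
#   filter  = sshd
#   action  = ipfw-ssh
#   logpath = /var/log/auth.log

# Accept only a dotted-quad IPv4 literal. fail2ban substitutes <ip> straight
# into the action command line, so refuse anything that is not an address
# instead of passing it on to ipfw.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# The one firewall rule the jail depends on: deny all IP traffic whose source
# address is in the lookup table.
install_rule() {
    "$IPFW_BIN" add "$RULE" deny ip from "table($TABLE)" to any
}

# actionban: add the offender to the table (blocked at once by the rule above)
ban() {
    valid_ipv4 "$1" || return 1
    "$IPFW_BIN" table "$TABLE" add "$1"
}

# actionunban: remove it again once bantime has elapsed
unban() {
    valid_ipv4 "$1" || return 1
    "$IPFW_BIN" table "$TABLE" delete "$1"
}

# Command-line use: ./ipfw-ban.sh rule | ban ADDR | unban ADDR
case "$#:$1" in
    1:rule)  install_rule ;;
    2:ban)   ban "$2" ;;
    2:unban) unban "$2" ;;
esac
```

The validation matters because the action file is a shell command template: whatever the filter regex captured as `<ip>` is what ipfw receives, so a wrapper that only accepts an address is a cheap safety net around the filter.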

Metalog is an easily configurable system logger daemon that can replace the standard syslogd and klogd. It has one limitation, though: it cannot log to remote machines. Configuring Nginx to use syslog (Metalog, in my case) is very easy.

All you need to do is compile nginx with this syslog plugin. If you’re on Gentoo, you can compile nginx with the syslog USE flag.
Configure nginx as follows:

And then, metalog configuration:

This configuration must be placed before the catch-all rule; otherwise all the error and access logs also end up in /var/log/everything/current, which is quite disturbing.

With this configuration, you can find the nginx logs at /var/log/nginx/errors/current and /var/log/nginx/access/current.
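The nginx and metalog configuration itself is not reproduced above, so here is an equivalent pair as an added shell example (not the author’s configuration). It uses nginx’s built-in syslog logger (available since nginx 1.7.1) instead of the out-of-tree plugin the post mentions, which is a substitution; the facility local7 and the tags nginx-error and nginx-access are arbitrary choices. The metalog_order_ok function checks the one thing that goes wrong most easily: an nginx entry placed after the catch-all. ROOT prefixes the paths written, so a scratch directory gives a dry run.

```shell
#!/bin/sh
# Added example, not the post's configuration. Writes an nginx snippet that ships
# both logs to syslog and a metalog.conf whose nginx entries precede the catch-all,
# then checks that ordering. Assumptions: nginx 1.7.1+ (built-in syslog support,
# used instead of the out-of-tree plugin); facility local7 and the two tags are
# arbitrary. ROOT prefixes every path written (ROOT=/tmp/x for a dry run).
ROOT="${ROOT:-}"

write_nginx_syslog_conf() {
    mkdir -p "$ROOT/etc/nginx/conf.d"
    cat > "$ROOT/etc/nginx/conf.d/syslog.conf" <<'EOF'
# Both logs go to the local syslog socket; distinct tags let metalog tell them apart.
error_log  syslog:server=unix:/dev/log,facility=local7,tag=nginx-error,severity=error;
access_log syslog:server=unix:/dev/log,facility=local7,tag=nginx-access,severity=info combined;
EOF
}

write_metalog_conf() {
    mkdir -p "$ROOT/etc"
    cat > "$ROOT/etc/metalog.conf" <<'EOF'
# nginx entries first: "break = 1" stops metalog from also matching the catch-all
Nginx errors :
  facility = "local7"
  program  = "nginx-error"
  logdir   = "/var/log/nginx/errors"
  break    = 1

Nginx access :
  facility = "local7"
  program  = "nginx-access"
  logdir   = "/var/log/nginx/access"
  break    = 1

# catch-all: anything not claimed above lands in /var/log/everything/current
Everything :
  logdir   = "/var/log/everything"
EOF
}

# Exit 0 when no nginx entry appears after the catch-all entry in the given file.
metalog_order_ok() {
    awk '
        /program *= *"nginx/                   { if (seen_catchall) bad = 1 }
        /logdir *= *"\/var\/log\/everything"/  { seen_catchall = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Live check after reloading both daemons: this line should land in
# /var/log/nginx/errors/current, not in /var/log/everything/current.
send_test_line() {
    logger -p local7.err -t nginx-error "metalog routing test"
}
```

Run write_nginx_syslog_conf and write_metalog_conf as root with ROOT unset (or merge the metalog entries into your existing metalog.conf above the catch-all), reload nginx and restart metalog, then call send_test_line and look for the line under /var/log/nginx/errors/.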

The advantage? Metalog performs automatic log rotation. Yes, I know I can configure a cron job for that, but I prefer this.

Linux has a built-in timezone converter, and yet I had been using various web services for this all along.

The timezone is controlled by the TZ environment variable, and you can set it to the desired timezone before executing a command, which makes the command behave as if you were in that particular timezone.

Here’s how to use it:
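As an added example (not from the post), a small wrapper around the TZ trick that converts a wall-clock time between two zones by running date twice under different TZ values. It assumes GNU date (the -d option), and it checks that a named zone actually exists under /usr/share/zoneinfo, because glibc does not fail on a misspelt zone name and quietly falls back to UTC instead.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils date (-d)
# and, for named zones such as Asia/Kolkata, an installed tzdata.

# Guard against a typo in a zone name: glibc does not report an unknown TZ, it
# quietly behaves as if TZ were UTC, so a misspelt zone gives a wrong answer
# rather than an error.
zone_known() {
    case "$1" in
        *..*)           return 1 ;;                       # keep lookups inside zoneinfo
        */*)            [ -f "/usr/share/zoneinfo/$1" ] ;; # tzdata name, e.g. Asia/Kolkata
        UTC|GMT|*[0-9]*) return 0 ;;                      # UTC/GMT or a POSIX string like IST-5:30
        *)              return 1 ;;
    esac
}

# show_in_zone EPOCH ZONE: print a given instant as wall-clock time in ZONE.
show_in_zone() {
    TZ="$2" date -d "@$1" '+%Y-%m-%d %H:%M %Z'
}

# convert_tz "YYYY-MM-DD HH:MM" FROM_ZONE TO_ZONE: interpret the time in
# FROM_ZONE, then display the same instant in TO_ZONE.
convert_tz() {
    zone_known "$2" && zone_known "$3" || return 1
    epoch=$(TZ="$2" date -d "$1" +%s) || return 1
    show_in_zone "$epoch" "$3"
}

# Interactive use, e.g.: convert_tz "2013-06-01 10:00" Asia/Kolkata America/New_York
```

The POSIX-style strings (IST-5:30, UTC0) work even on a box without tzdata, which is why the test below uses them; on a normal desktop the tzdata names are the convenient form.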

Accidental discovery at its best :D

The Roboto font comes from Android, and Google designed it really well. It looks awesome on desktops and laptops. But getting it to work as the default system font on Linux is quite a task, because the available Roboto font package has multiple font files declaring the same type of text style.

The standard Roboto package consists of the following fonts:

  • Roboto-BlackItalic
  • Roboto-Black
  • Roboto-BoldCondensedItalic
  • Roboto-BoldCondensed
  • Roboto-BoldItalic
  • Roboto-Bold
  • Roboto-CondensedItalic
  • Roboto-Condensed
  • Roboto-Italic
  • Roboto-LightItalic
  • Roboto-Light
  • Roboto-MediumItalic
  • Roboto-Medium
  • Roboto-Regular
  • Roboto-ThinItalic
  • Roboto-Thin

Now the problem is that Roboto Black, Roboto Regular and Roboto Medium are all selected as candidates for the standard font. See the output below:

Read the style field of each font in the above output: you’ll see “Regular” in the field for Roboto-Regular.ttf and Roboto-Medium.ttf. But note another parameter, the weight of the font. Roboto-Black and Regular declare it as 80, while Medium declares it as 100.

Font selection happens in alphabetical order, first matching weight and then style. The weight for “Regular” is 80. So the first font selected would be Roboto-Black, since it declares weight 80 and appears before Roboto-Regular and Roboto-Medium in alphabetical order.
If you delete Roboto-Black, it will match Roboto-Medium, which declares a weight of 100 but has “Regular” in the style specification.

The problem is that both of these fonts, Black and Medium, are just too bold for daily use. You just can’t distinguish between bold and normal text, and this causes a ridiculous amount of confusion in applications like Thunderbird, which use bold text to mark unread messages and normal text otherwise.

To deal with this, a slight modification is needed in your font configuration file as follows -

If you add the above configuration to your fontconfig, it will blacklist the Roboto Lt font with weight 100 (which is Medium) and the Roboto Bk font, which is Roboto Black. See the earlier fc-query output if you’re interested in how I got these values.

And here’s my /etc/fonts/local.conf:

Just ensure that this configuration is not overridden by any file in /etc/fonts/conf.d. A simple way would be to clean up /etc/fonts/conf.d and keep the bare minimum you need.
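The rejectfont block the text refers to, written out as an added fontconfig example (not the author’s local.conf). The family names Roboto Bk and Roboto Lt and the weight 100 are the values the post reports from fc-query; the alias that makes Roboto the default sans-serif is an assumption about what the rest of the author’s local.conf does. After installing it, `fc-match sans-serif` should report Roboto-Regular rather than the Black or Medium face.

```xml
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
  <!-- Reject the two faces fontconfig would otherwise pick for "Regular".
       The family/weight values are the ones the post reads off fc-query. -->
  <selectfont>
    <rejectfont>
      <pattern>
        <patelt name="family"><string>Roboto Bk</string></patelt>
      </pattern>
      <pattern>
        <patelt name="family"><string>Roboto Lt</string></patelt>
        <patelt name="weight"><int>100</int></patelt>
      </pattern>
    </rejectfont>
  </selectfont>
  <!-- Assumed: make Roboto the preferred sans-serif family once the
       unwanted faces are out of the way. -->
  <alias>
    <family>sans-serif</family>
    <prefer><family>Roboto</family></prefer>
  </alias>
</fontconfig>
```

Put this in /etc/fonts/local.conf (or a high-numbered file under /etc/fonts/conf.d) and run `fc-cache -f`; `fc-list | grep Roboto` then shows which faces are still visible to applications.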

Some screenshots of the Roboto font, as requested by Zachary Potter: Process Monitor, Thunderbird and Dolphin (images not included here).

“NFS cannot allocate memory” seems to be a common issue a lot of people face while mounting NFSv4 shares, judging from Google search results. I faced it too when trying to mount an NFS share exported from my desktop on my Raspberry Pi. It didn’t give the error on the Pi, though; I discovered this issue when I was debugging that problem and tried to mount on localhost.

Initially it appears to be a kernel issue, but it turned out not to be one. After researching the problem a lot, I understood that it is an error in the exports configuration!

Basically, in NFSv4 there is a / (root) under which all shares are exported, and it must have the fsid=0 parameter specified in the configuration.
On the client, when mounting, you are not supposed to specify the full path to the resource; instead it must be relative to the NFS root.

The following example would clear it up -

I’ll try to export /home and mount it on localhost with following configuration:

And when I run the mount command:

Now I’ll change the exports configuration to:

Running the mount command again,

Now, in the above output, you can see that while it failed to mount with NFSv4, it succeeded with NFSv3. This comes from the newer way of exporting, which is only partially explained in the exports(5) manual page.

The solution to the “No such file or directory” error is simple: use / as the path to mount the root, and if you are exporting some subdirectories, they need to be given relative to / in the mount command instead of as the full path.

Now modifying the mount command accordingly:

Now if I export a subdirectory inside /home, say my home folder /home/nilesh, then it is available via NFSv4 to clients as /nilesh and not /home/nilesh.
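A worked version of the export and mount steps above, as an added shell example that is not the post’s own exports file or mount commands: /home is the fsid=0 pseudo-root, /home/nilesh is exported beneath it, and nfs4_client_path computes the path a client must use (/nilesh, not /home/nilesh). The server address 192.168.0.10 and the client network 192.168.0.0/24 are constructed; restricting the exports to that network rather than to `*` is a choice of this example, not something the post shows.

```shell
#!/bin/sh
# Added example, not the post's own exports file or mount commands. Writes an
# NFSv4 exports file with /home as the fsid=0 pseudo-root and one subdirectory
# export, and maps exported paths to the names clients must use.
# Assumptions: server 192.168.0.10 and client network 192.168.0.0/24 are
# constructed; the export paths /home and /home/nilesh are the post's.
SERVER="${SERVER:-192.168.0.10}"
CLIENTS="${CLIENTS:-192.168.0.0/24}"
ROOT="${ROOT:-}"   # prefix for the written file, e.g. a scratch directory

write_exports() {
    mkdir -p "$ROOT/etc"
    cat > "$ROOT/etc/exports" <<EOF
# NFSv4 pseudo-root: exactly one export carries fsid=0. Exports are limited to
# the LAN rather than "*"; root_squash is the default and is kept.
/home         $CLIENTS(rw,sync,fsid=0,no_subtree_check)
# Subdirectory export: NFSv4 clients see it as /nilesh, relative to the pseudo-root
/home/nilesh  $CLIENTS(ro,sync,no_subtree_check)
EOF
}

# nfs4_client_path PSEUDO_ROOT EXPORTED_PATH: the path a client gives to mount -t nfs4
nfs4_client_path() {
    root=${1%/}
    case "$2" in
        "$root")    echo / ;;
        "$root"/*)  echo "${2#"$root"}" ;;
        *)          return 1 ;;   # not under the pseudo-root: unreachable over NFSv4
    esac
}

# nfs4_mount_cmd PSEUDO_ROOT EXPORTED_PATH MOUNTPOINT: the mount command for the client
nfs4_mount_cmd() {
    rel=$(nfs4_client_path "$1" "$2") || return 1
    echo "mount -t nfs4 $SERVER:$rel $3"
}

# Example use on the server:  write_exports && exportfs -ra
# On the client:              $(nfs4_mount_cmd /home /home/nilesh /mnt/nilesh)
```

Run write_exports as root with ROOT unset, then `exportfs -ra` on the server; `showmount -e` lists the exports by their server-side paths, while NFSv4 clients must use the pseudo-root-relative names that nfs4_client_path produces.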

There seems to be a big problem controlling access in this model: you can’t have different permissions for /home and /home/nilesh. If you export /home as read-only, /home/nilesh will also get mounted read-only no matter what.

If you export /home as read-write and /home/nilesh as read-only, then clients will be able to write into all directories on the share when the share root (i.e. /) is mounted, but if the client mounts /home/nilesh it will be read-only.

I’m not sure how to control access in NFSv4 for subdirectories, since you cannot have more than one entry with fsid=0. If you know the answer, do comment.

Many of us have multiple ISP uplinks for different reasons, like reliability, download caps, etc., but there is no clear guide (at least, I couldn’t find any) on routing over multiple links.

I came across the same problem — I got a new fiber connection, but it is a capped one and I have a slow ADSL link which is not capped. So I obviously would want to use the ADSL link for low priority downloads while fiber for browsing.
After a lot of researching around, I found the solution. Probably a specific case, since my computer has just one Ethernet card and I want to use both the links simultaneously on the same computer.

The network setup scenario:

  • There’s a main router (NAT and DHCP enabled), which has a WAN port, WiFi and LAN ports, with IP address 192.168.0.1
  • There’s another WiFi router (used in WDS bridge mode) with IP address 192.168.0.2
  • The ADSL router (NAT enabled, DHCP disabled) has IP address 192.168.0.3 and is connected to the main router’s LAN port, since the fiber must be connected to the WAN port for the PPPoE connection.
  • An Ethernet switch is wired to the second WiFi router.
  • The Linux box is connected to the Ethernet switch.

I set up two IP addresses on the Linux box, 192.168.0.4 and 192.168.0.5, as follows:

Now, I want to route all traffic originating from 192.168.0.4 (the default IP address for eth0) via fiber, and all traffic originating from 192.168.0.5 via the ADSL router.
To accomplish this, I use policy-based routing (CONFIG_ADVANCED_ROUTER must be enabled in the kernel configuration) with iproute2.

Routing:

We need to create a new routing table which is looked up when the traffic is from the second IP, while everything else uses the default route.
Then comes the policy routing rule, which specifies that if traffic is from the second IP, the other table is looked up.

And you’re done. Traffic from applications using 192.168.0.4 (it is used by default if you don’t specify anything) gets routed through 192.168.0.1, and traffic from those that use 192.168.0.5 gets routed through 192.168.0.3.
As a simple test, you can do this:

That should give you two different IP addresses: the first one your fiber’s public address and the second one your ADSL’s public address.
If that works, you can add the routing commands to run at startup, or maybe even put them in the system network configuration. Every Linux distribution has its own way of doing that, so I won’t cover it. If you’re a Gentoo user, you can add it in /etc/conf.d/net as follows:
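The routing setup described above, as an added shell example (not the post’s own commands): a second routing table holding the ADSL default route and an ip rule that selects it for packets sourced from 192.168.0.5, plus the reverse for cleanup. The addresses and gateways are the post’s; the table number 100 and the interface name eth0 are assumptions. With IP=echo the functions print the commands instead of running them, so the setup can be reviewed without root. A quick application-level check afterwards is `curl --interface 192.168.0.5` against any what-is-my-IP service.

```shell
#!/bin/sh
# Added example, not the post's own commands. Configures the second uplink with
# iproute2 policy routing: a dedicated table for the ADSL gateway and a rule
# sending traffic sourced from the second address to that table.
# Addresses are the post's; table 100 and eth0 are assumptions.
# Set IP=echo to print the commands instead of executing them (no root needed).
IP="${IP:-ip}"
DEV="${DEV:-eth0}"
LAN=192.168.0.0/24
FIBER_GW=192.168.0.1      # main router: default route, used by 192.168.0.4
ADSL_GW=192.168.0.3       # ADSL router, used by 192.168.0.5
SECOND_IP=192.168.0.5
ADSL_TABLE=100

add_adsl_uplink() {
    "$IP" addr add "$SECOND_IP/24" dev "$DEV"
    # The new table needs its own LAN route, or the ADSL gateway is unreachable from it
    "$IP" route add "$LAN" dev "$DEV" src "$SECOND_IP" table "$ADSL_TABLE"
    "$IP" route add default via "$ADSL_GW" dev "$DEV" table "$ADSL_TABLE"
    # Policy rule: packets from the second address consult the ADSL table first;
    # everything else keeps using the main table and $FIBER_GW
    "$IP" rule add from "$SECOND_IP" lookup "$ADSL_TABLE"
}

# Reverse of the above, for cleanup or before re-running at startup.
remove_adsl_uplink() {
    "$IP" rule del from "$SECOND_IP" lookup "$ADSL_TABLE"
    "$IP" route flush table "$ADSL_TABLE"
    "$IP" addr del "$SECOND_IP/24" dev "$DEV"
}

# show_path DEST SOURCE: which gateway the kernel picks for DEST when the
# packet is sourced from SOURCE (the kernel-level version of the curl test).
show_path() {
    "$IP" route get "$1" from "$2"
}

# Example: add_adsl_uplink; show_path 8.8.8.8 192.168.0.5; show_path 8.8.8.8 192.168.0.4
```

The `ip route get ... from` check shows the decision the kernel makes for each source address without sending anything, which is handy when the secondary address is configured but a curl test still comes out on the wrong link (usually a missing LAN route in the secondary table).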

Now, many applications like Firefox, Chrome, etc. don’t support binding to a specific interface or IP address. There’s a simple solution for that problem which I found on Daniel Lange’s blog.
All you have to do is, download this libc wrapper and compile it as follows:

Once you have done that, you can use it as follows:

If you visit text.whatisyourip.org from there, you should see your ADSL public IP. For applications which support binding to a specific address, just configure it do so.

There’s no doubt that WordPress is the most popular blogging platform. I used to be a WordPress hater since I had a disaster with it in 2007 when I had jumped on the blogging bandwagon (that blog does not exist anymore).
And after that incident, I always used Drupal, and in my opinion, Drupal is a very powerful and great Content Management System, suitable for nearly any and every task.

But, when I started my new personal blog, I was in no mood to use WordPress and Drupal was just too heavy for a simple personal blog. So I started out with Octopress.
While most people move from WordPress to Octopress, I did the opposite and I have reasons for it.

Firstly, I was bored of Octopress. Write a post in Markdown and then run those rake * commands. And then there are reasons like themes, plugins, etc. Sure, I can develop my own plugins and themes for Octopress, but unfortunately it is written in Ruby, and I am in no mood to learn Ruby any time soon.

I got a few chances to try out WordPress in different environments, and I realized that it has come a long way since the last time I had used it. And WordPress being the most popular blogging platform, as a freelancer, I can improve my scope by learning about it. I believe that it is not possible to learn something without using it and hence the move.

You can also attribute this change to the increasing penetration of mobile devices. I can’t post via email to Octopress, but I can to WordPress. All it takes is a POP-enabled email account and I’ll be able to make blog posts from my mobile. :-)

Happy New Year!

One day, I was studying for one of my exams, and this thought came to my mind – Why do colleges keep the minimum required attendance level so high? The first answer that comes to anyone’s mind is: Because students bunk classes.

Okay, but why do students bunk classes?

The reason is simple: because the lectures are boring. The hard fact is, very few people take up teaching out of dedication. Most are people who, for some reason, could not get a job in their industry and ended up in a teaching job.

My college specifies a minimum attendance requirement of 75%. And this is almost the same across major colleges in India. I don’t know what the case is in IITs, NITs, etc. I have a few friends from those, but nobody ever complained about attendance.

So I guess the attendance requirement is lower, in favour of the students, in those colleges. The lower attendance requirement is what, I believe, creates great engineers out of them. No, I don’t say that lectures are not important or anything, but inside every human being there is a curious child: one who loves to learn new things and do new things. If you give a person time to do things by themselves, I’m quite sure everyone will come up with something good.

If you have read my About page, you know that I know a lot about computers. Nearly none of my friends know as much as I do. I even have a nickname, Rajnikanth, because apparently I do extraordinary things that nobody else can do! The truth is, I know much less than the real super geeks do. There are so many people I know online who are way more knowledgeable than me. That’s my standard, but by my friends’ standards, I’m Rajnikanth. The bigger question is, how do I know so much? It’s simple: curiosity. I took a programming class way back in 2007 during the school summer holidays, which created my whole interest in computers. Then I came to know how to make websites and so on, and kept on learning things. How? Google. Google. Google.

If the bar of minimum attendance is reduced, students will get more time to do things they like, which eventually could turn up into a successful startup. In order to ensure that students do attend lectures: improve teachers. Improve the way they teach, make it interesting to sit in the lecture. Lectures should not be times when you sleep, but you actively learn something.

In the present scenario, 99% of the lectures are very boring. This creates an impression in the student’s mind that the subject itself is boring, and hence the apocalypse.

One real experience of mine: one subject’s lecturer in my college was really good. He used to teach very well. And there was another teacher who used to bore us a lot; but the subject was very interesting, which I unfortunately realized very late, when I opened the book during exams. I had read the book on the former subject a couple of times and I have relatively good knowledge of it; not so of the other. Why did this happen? The professors. The professor who could teach well created an interest in me to read and learn more about the subject, while the other one failed to do so. Additionally, at the end of the semester, I had attendance issues with the subject whose professor was boring, and I had 100% attendance in the former.

So, from the example above, it’s pretty clear that it’s in the hands of the professor to create interest in the student to read and learn more about the subject. If the professor fails to do so, the student bunks classes; otherwise, the student willingly attends them.

The simplest solution to this problem is one single thing: improve teachers and change the way subjects are taught. Make it interesting. One big reason I see why we don’t have good teachers in India is that a teacher’s job pays relatively less than a job the person might get in industry. This needs to change. Seriously.

If teachers’ pay is increased, more and better-qualified people will take up teaching as a job by choice, instead of being forced into it by circumstances. And when we have better teachers, students will bunk fewer classes. You won’t even need to keep the attendance requirement at 75%; somewhere around 40% could do great. Nearly every student will have more than 60% attendance, subject to two conditions: the teachers are good and the lectures are interesting.

When you flash Android ROMs via ClockworkMod (CWM), sometimes an error comes up, especially when trying to move from one custom ROM to another custom ROM, or maybe to an update of the same ROM (unless it’s stock).

For instance, I have a Sony Xperia S (LT26i), also known as nozomi (the codename used by developers). I flashed CM9. Due to some issues I had to reflash CM9, so I wiped everything (/system, /data, /cache), and when I try to flash the zip I downloaded I get an error similar to this:

Basically, there is no information in /default.prop specifying that the device on which I’m trying to flash the ROM is nozomi or LT26i. Earlier I used to flash the stock ROM to solve the issue, but later I came across a post on XDA Forums (don’t have the link) which said that you have to edit a script in the zip file and remove the check/assert.

The process is very simple. Just unzip the contents of the zip file you downloaded (for your device, not any other!) into a folder, go to the META-INF/com/google/android folder and open updater-script in a text editor. Remove the first line or first two lines whatever is appropriate and then zip the folder again; be sure to preserve the directory structure. The META-INF and any other folders must be in the root of the zip file.

The script-modification technique works for me. Read the notes below before attempting it:

  • I’m not responsible for any damages if you edit the script and flash a ROM which does not belong to your device!
  • I’m also not responsible for any damage to your device if you flash a ROM / do anything :P

Enjoy.

An update about the same: http://b.nileshgr.com/post/39439347786/okay-so-the-cwm-assert-error-doesnt-need-such-a

On my computer, I use Gentoo Linux with KDE. If you’re a KDE user, you might know that the default clipboard tool, Klipper, has the ability to execute commands when a new entry copied to the clipboard matches a regex. That’s how the idea of having a handy URL shortener came to my head.

I built a small URL shortener script using Python which would accept the source URL and output the shortened URL, using my bitly.com account.

Here’s the script:

It’s available in my utilities GitHub repository as well. The regex I’ve used in the script seems to match all kinds of URLs that I generally come across; if you find bugs, either comment or fork & push (preferred) on GitHub.

Coupling it with Klipper -

  • Place the script in $HOME/bin and make it executable.
  • Go to actions in Klipper’s settings
  • In actions, create a new action and put the path of the script as /home//bin/shorten (or whatever). Keep the rest the same.
  • Save & you’re done. Copy any http or https URL and press Ctrl-Alt-R (that’s the default; use yours if you’ve modified it).