sysadmin
Encrypting root on an existing Debian lenny installation
Once in a while, I get to travel to places that make me worry about the data on my laptop. This time it is not the US but another openly democratic country where they kill you for a joint, let alone nude pictures. Enough politics, though.
I have a laptop with /boot on a separate partition, followed by the root partition and swap. A separate /boot is mandatory, as the bootloader has to load an unencrypted kernel and its initrd before the encrypted partition can be accessed. Another option is to keep /boot on a USB stick, but that setup could take a whole other post.
First things first, let us install software for managing encrypted disks and updating the initrd image:
aptitude install cryptsetup initramfs-tools
We have to make sure that the encryption modules are present in the initrd, so I add the following three modules to the initramfs-tools config:
echo aes-i586 >>/etc/initramfs-tools/modules
echo dm-crypt >>/etc/initramfs-tools/modules
echo dm-mod >>/etc/initramfs-tools/modules
The next step is to tell cryptsetup (via /etc/crypttab) and /etc/fstab about the mapping between /dev/hda2 (the physical device) and /dev/mapper/root (the device-mapper node through which the decrypted partition is accessed).
echo "root /dev/hda2 none luks" >>/etc/crypttab
sed -i 's#/dev/hda2#/dev/mapper/root#' /etc/fstab
We also have to change the root device for grub the same way we did for fstab:
sed -i 's#/dev/hda2#/dev/mapper/root#' /boot/grub/menu.lst
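Before rebuilding the initrd and rebooting, it is worth checking that crypttab, fstab, menu.lst and the initramfs module list all agree, because a mismatch leaves the system unbootable. The following check is an added example, not part of the original post; the file contents are constructed samples, and the kernel file names in them are placeholders:

```python
import re

# Constructed sample files (kernel names are placeholders), as after the edits in the post.
CRYPTTAB = "root /dev/hda2 none luks\n"
FSTAB = """proc /proc proc defaults 0 0
/dev/mapper/root / ext3 errors=remount-ro 0 1
/dev/hda1 /boot ext3 defaults 0 2
/dev/hda3 none swap sw 0 0
"""
MENU_LST = """title Debian GNU/Linux
root (hd0,0)
kernel /vmlinuz-EXAMPLE root=/dev/mapper/root ro
initrd /initrd.img-EXAMPLE
"""
MODULES = "aes-i586\ndm-crypt\ndm-mod\n"

def check_encrypted_root(crypttab, fstab, menu_lst, modules,
                         physical="/dev/hda2", name="root"):
    """Return a list of problems; an empty list means the files agree."""
    mapper = "/dev/mapper/" + name
    problems = []
    # 1. crypttab must map <name> onto the physical device with the luks option
    entry = next((l.split() for l in crypttab.splitlines()
                  if l.split() and l.split()[0] == name), None)
    if (entry is None or len(entry) < 4 or entry[1] != physical
            or "luks" not in entry[3].split(",")):
        problems.append("crypttab: missing '%s %s none luks'" % (name, physical))
    # 2. fstab must mount / from the mapper node and never touch the raw device
    root_dev = None
    for fields in (l.split() for l in fstab.splitlines()):
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        if fields[1] == "/":
            root_dev = fields[0]
        if fields[0] == physical:
            problems.append("fstab: %s still mounted at %s" % (physical, fields[1]))
    if root_dev != mapper:
        problems.append("fstab: / is on %s, expected %s" % (root_dev, mapper))
    # 3. every kernel line must pass root=<mapper>, or the initrd unlocks nothing
    for line in menu_lst.splitlines():
        if line.lstrip().startswith("kernel"):
            m = re.search(r"\broot=(\S+)", line)
            if not m or m.group(1) != mapper:
                problems.append("menu.lst: %r lacks root=%s" % (line.strip(), mapper))
    # 4. the initrd needs the cipher and device-mapper modules added above
    missing = {"aes-i586", "dm-crypt", "dm-mod"} - set(modules.split())
    if missing:
        problems.append("initramfs modules: missing " + ", ".join(sorted(missing)))
    return problems
```

Run it against the real files (read /etc/crypttab, /etc/fstab, /boot/grub/menu.lst and /etc/initramfs-tools/modules) and reboot only when it returns an empty list.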
Now, recreate the initrd image by issuing
Report on (successfully) installing Samsung SCX-2160 MFP on Debian Lenny

Splix driver
I tried the Splix printer driver first, as it looked a bit cleaner than the foo2qpdl driver recommended by the Open Printing Database.
The printer requires the libjbig library, which is not available on Debian due to unclear licensing. However, Markus Kuhn distributes the jbig-kit package, which compiles easily. The only annoyance is that its makefile has no install target, so I just copied the library and its header files to /usr/lib and /usr/include. After that, Splix compiled flawlessly, and after running make install and restarting CUPS, the printer was available for configuration in the CUPS web interface.
Samsung unified driver
The printer has a USB port for scanning directly to a USB key, but I decided to install the Samsung unified driver anyway. It is now intelligent enough to suggest adding existing users to the lp group, and after that xsane is able to scan as a non-root user.
The official printer driver does not print well (see image): all text appears bold and blurred. I use the Splix driver and am very satisfied with the results.
A first-hand account of a DDOS attack mitigation
A few days ago I lived through a DDOS attack on one of the sites I run. It started with the general unavailability of Apache, although the system was idle and ssh access worked perfectly. As I already had some experience with DDOS attacks, I immediately looked at the network connections with netstat and saw over 300 IPs flooding the server with connections stuck in SYN_REC. The attack was much more powerful than any I had experienced before.
~# netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'| sort |uniq |wc -l
310
I immediately started the APF firewall with RAB enabled and a script to block the offending IPs in iptables, as I had these at hand from the previous DDOS attack:
BEGIN {
    # "<count> <ip>" per line, counting every connection of each foreign address
    pipe = "netstat -n | gawk '{print $5}' | gawk 'BEGIN{FS=\":\"}{print $1}' | sort | uniq -c | sort -n"
    while ((pipe | getline) > 0) {
        if ($1 > 29 && $2 != "") {
            command = "/sbin/iptables -I INPUT -s " $2 " -j DROP"
            date = "date"
            # iptables prints nothing on success, so result stays empty unless it fails
            result = ""
            command | getline result
            date | getline dateresult
            # close both pipes so the next iteration reruns them instead of reading EOF
            close(command)
            close(date)
            print dateresult " - command: " command ", result: " result >> "/var/log/firewall.log"
        }
    }
    close(pipe)
}
After a few hours it became clear that the IPs were rotating too often and the size of the botnet was well over 10,000, so I was left with a choice between dying under the DDOS and dying from the performance hit of the huge pool of IP addresses in iptables. The SYN_REC part was filtered easily by SYN cookies, which APF enables on launch. The real problem was the HTTP flood.
SYN_RECV is blowing in my face at one megabit per second; I cannot breathe.
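As an added example, not from the original post, here is the same per-IP counting as the awk script above, but restricted to the SYN_RECV state and aware of IPv6; the netstat output it parses is constructed:

```python
from collections import Counter

# Constructed `netstat -n` output: one IPv4 peer with 35 half-open connections,
# one with 3, a busy but legitimate ESTABLISHED peer, and one IPv6 flooder.
HEADER = ("Active Internet connections (w/o servers)\n"
          "Proto Recv-Q Send-Q Local Address Foreign Address State\n")

def _row(proto, peer, port, state):
    return "%s 0 0 198.51.100.7:80 %s:%d %s\n" % (proto, peer, port, state)

NETSTAT = HEADER + "".join(
    [_row("tcp", "192.0.2.10", 40000 + i, "SYN_RECV") for i in range(35)] +
    [_row("tcp", "192.0.2.20", 41000 + i, "SYN_RECV") for i in range(3)] +
    [_row("tcp", "203.0.113.5", 42000 + i, "ESTABLISHED") for i in range(40)] +
    [_row("tcp6", "2001:db8::1", 43000 + i, "SYN_RECV") for i in range(31)]
) + "unix 3 [ ] STREAM CONNECTED 12345 /var/run/example.sock\n"

def syn_recv_sources(netstat_output, threshold=30):
    """Count half-open (SYN_RECV) connections per peer address.

    Returns {peer: count} for peers at or above the threshold (the awk script
    used `$1 > 29`). Unlike that script, only SYN_RECV rows are counted, so a
    NAT gateway with many ESTABLISHED sessions is not blocked by mistake.
    """
    counts = Counter()
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "SYN_RECV":
            continue
        peer = f[4].rsplit(":", 1)[0]  # drop the port; rsplit keeps IPv6 intact
        counts[peer] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def drop_rules(offenders):
    """Render the DROP rules the awk script inserted, per address family."""
    return ["%s -I INPUT -s %s -j DROP" % ("ip6tables" if ":" in ip else "iptables", ip)
            for ip in sorted(offenders)]

if __name__ == "__main__":
    for rule in drop_rules(syn_recv_sources(NETSTAT)):
        print(rule)
```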
Bye-bye, Yahoo!
I am probably the last webmaster in the world to ban Yahoo! Slurp from indexing my sites. Now, I am resolved. Bye-bye, Yahoo! You were just behaving too badly.
iptables -A INPUT -s 66.196.64.0/18 -j DROP
iptables -A INPUT -s 68.142.192.0/18 -j DROP
iptables -A INPUT -s 72.30.0.0/16 -j DROP
iptables -A INPUT -s 74.6.0.0/16 -j DROP
How to check if you outgrew your VPS plan?
A new counter was added to the vmstat and sar utilities a couple of years ago: CPU steal time. As Rik van Riel explains, it is
- the time that (1) the CPU had something runnable, but
How to expose a web application through Apache
I have done this a few times in my life, and every time it was painful to reconstruct the necessary toolset and configuration options. So, here it goes. First, enable proxy support:
~# a2enmod proxy        # utility functions
~# a2enmod proxy_http   # http forwarding
~# a2enmod proxy_html   # html rewriting
~# a2enmod headers      # http headers rewriting
Then, assuming that your web application runs on port 3031 on the same host as Apache and you want to make it available at the /demo URL in Apache, write the following in the Apache config:
<IfModule mod_proxy.c>
<IfModule mod_proxy_http.c>
<IfModule mod_proxy_html.c>
<IfModule mod_headers.c>
    # never act as a forward proxy; only the explicit ProxyPass below is served
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass /demo http://localhost:3301
    ProxyPassReverse /demo http://localhost:3301
    <Location "/demo">
        # ask the backend for uncompressed HTML so the filter can rewrite it
        RequestHeader unset Accept-Encoding
        # filter responses through mod_proxy_html
        SetOutputFilter proxy-html
        # also rewrite URLs inside embedded CSS and JavaScript
        ProxyHTMLExtended On
        # rewrite URLs in link attributes (a.href and friends): regex rule
        ProxyHTMLURLMap ^/ /demo/ R
        # rewrite single-quoted URLs in CSS and JS
        ProxyHTMLURLMap "'/" "'/demo/"
        # rewrite double-quoted URLs in CSS and JS
        ProxyHTMLURLMap "\"/" "\"/demo/"
    </Location>
</IfModule>
</IfModule>
</IfModule>
</IfModule>
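To see what the three ProxyHTMLURLMap rules above do to a response, here is an added example (not the module's code, only a simplified model of the rules as written) applied to a constructed backend page; LINK_ATTRS is an assumed subset of the attributes mod_proxy_html rewrites:

```python
import re

# Constructed backend response, as the application on localhost would send it.
BACKEND_HTML = """<html><head>
<link rel="stylesheet" href="/static/app.css">
<script>var api = '/api/v1'; fetch("/api/v1/items");</script>
<style>body { background: url('/img/bg.png') }</style>
</head><body>
<a href="/login">Login</a>
<a href="http://other.example/page">External</a>
<img src="//cdn.example/logo.png">
<form action="/submit" method="post"><input type="submit"></form>
</body></html>"""

# Assumed subset of the link attributes mod_proxy_html rewrites by default.
LINK_ATTRS = ("href", "src", "action")

def map_attr_urls(html, prefix="/demo/"):
    """ProxyHTMLURLMap ^/ /demo/ R : a regex rule anchored at the start of each
    URL attribute value. Note that ^/ also matches a protocol-relative //host
    URL, which ends up as /demo//host; a real deployment needs a rule for that."""
    pat = re.compile(r"""\b(%s)=(["'])/""" % "|".join(LINK_ATTRS))
    return pat.sub(lambda m: "%s=%s%s" % (m.group(1), m.group(2), prefix), html)

def map_embedded_urls(html, prefix="/demo/"):
    """ProxyHTMLExtended On plus the two quoted-slash maps: plain string
    substitution of '/ and "/ inside <script> and <style> bodies."""
    def fix(m):
        body = m.group(2).replace("'/", "'" + prefix).replace('"/', '"' + prefix)
        return m.group(1) + body + m.group(3)
    return re.sub(r"(<(?:script|style)\b[^>]*>)(.*?)(</(?:script|style)>)",
                  fix, html, flags=re.S)

def proxy_html_filter(html, prefix="/demo/"):
    """Apply both rule kinds, as the <Location "/demo"> block above does."""
    return map_embedded_urls(map_attr_urls(html, prefix), prefix)

if __name__ == "__main__":
    print(proxy_html_filter(BACKEND_HTML))
```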
Tutorial on NetBSD 4.0 i386 setup in kvm.
Create a 10G disk image:
qemu-img create -f qcow2 netbsd-4.0-i386.qcow2 10G
Avoid a hang on boot with --no-acpi, and the timeout of the default network card by trying a different one, e.g. -net nic,model=ne2k_pci:
kvm -hda netbsd-4.0-i386.qcow2 -cdrom i386cd-4.0.iso --no-acpi -net user -net nic,model=ne2k_pci
Walk through the installer.
Install additional packages with pkg_add:
export PKG_PATH=ftp://ftp.netbsd.org/pub/NetBSD/packages/4.0/i386
pkg_add vim ctwm firefox wget
Include them in the path:
echo "PATH=$PATH:/usr/pkg/bin" >>/etc/profile
. /etc/profile
Install the latest stable pkgsrc:
wget ftp://ftp.netbsd.org/pub/pkgsrc/pkgsrc-2008Q1/pkgsrc-2008Q1.tar.gz
tar xzf pkgsrc-2008Q1.tar.gz -C /usr
Make sure that pkgsrc fetches binary packages for dependencies, when possible:
echo ".ifdef BSD_PKG_MK
BINPKG_SITES=ftp://ftp.NetBSD.org/pub/NetBSD/packages/4.0/i386
BINPKG_SITES+=/usr/pkgsrc/packages/All
.endif" > /etc/mk.conf
Configure pkg_online to be able to search for packages:
cd /usr/pkgsrc
cvs -d:pserver:anonymous@pkgsrc-wip.cvs.sourceforge.net:/cvsroot/pkgsrc-wip login
cvs -z3 -d:pserver:anonymous@pkgsrc-wip.cvs.sourceforge.net:/cvsroot/pkgsrc-wip checkout -P wip
cd /usr/pkgsrc/wip/pkg_online
unset PKG_PATH
make package DEPENDS_TARGET=bin-install
Search for additional packages:
pkg_online_find :s:pptp
P.S. Thanks to Aleksey Cheusov <vle@gmx.net> for implementing and making available pkg_online.
Best photos of the photo site on the desktop, take 2
Well, here is another take. On January 8th the photo site changed its structure and broke the photosight wallpaper for Windows that so many had grown fond of, as well as the scripts for automatically setting the "photo of the day" as the desktop background used by users of other OSes.
Still, nothing will stop a stubborn IT guy. Here is a new script for the Gnome Desktop, for everyone's use:
cd /tmp
ID=`wget -q -O - http://www.photosight.ru/wallpaper/week.wp` && \
wget -q -N http://img-`date '+%Y-%m'`.photosight.ru/`date '+%d'`/$ID.jpg && \
gconftool-2 -t str --set /desktop/gnome/background/picture_filename /tmp/$ID.jpg && \
gconftool-2 -t str --set /desktop/gnome/background/picture_options "centered"
And here is a KDE version, inspired by a comment:
cd /tmp
ID=`wget -q -O - http://www.photosight.ru/wallpaper/week.wp` && \
wget -q -N http://img-`date '+%Y-%m'`.photosight.ru/`date '+%d'`/$ID.jpg && \
dcop kdesktop KBackgroundIface setWallpaper /tmp/$ID.jpg 4
