Thursday, October 13, 2011

inodes on ext4

I had to create a 100 GB partition with a very large number of inodes; the default (with the usual ratio of one inode per 16 KB that is roughly 6.5 million for this size) just wasn't enough. So I created a 100 GB ext4 partition with a 1024-byte block size and 250,000,000 inodes like this:

mkfs.ext4 -N 250000000 -b 1024 /dev/mapper/lv_name

Two things to check before doing this on a real volume. First, inode tables are allocated up front: with ext4's default 256-byte inode, 250 million inodes cost about 64 GB of the 100 GB before a single file is stored (-I 128 halves that, at the price of the in-inode space ext4 uses for extended attributes and nanosecond timestamps). Second, verify what mke2fs actually produced (dumpe2fs -h shows "Inode count", "Inode size" and "Free blocks") rather than trusting the request, since mke2fs adjusts the block-group layout to fit a large inode count.
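The sizing check described above, as an added example that is not part of the original post: it computes how much of the volume the inode tables will eat, then (where e2fsprogs is installed) formats a throwaway image file with an oversized -N and reads the real inode count back from the superblock. It assumes a 100 GiB volume and the ext4 default 256-byte inode size from /etc/mke2fs.conf.

```shell
#!/bin/sh
# Added example, not from the original post: size the inode tables before
# running mkfs.ext4 -N, then verify on a throwaway image what mke2fs really
# produced. Assumptions: a 100 GiB volume and the ext4 default 256-byte
# inode size (see /etc/mke2fs.conf); the image dry run needs e2fsprogs.
set -eu

# Bytes the inode tables occupy: every requested inode is allocated up front.
inode_table_bytes() {   # inode_table_bytes <inodes> <inode_size>
    echo $(( $1 * $2 ))
}

# Integer percentage of the volume that holds inode tables rather than data.
inode_table_pct() {     # inode_table_pct <inodes> <inode_size> <volume_bytes>
    echo $(( $(inode_table_bytes "$1" "$2") * 100 / $3 ))
}

# "Inode count" as reported by the superblock of a device or image file.
actual_inode_count() {  # actual_inode_count <device-or-image>
    dumpe2fs -h "$1" 2>/dev/null | awk -F: '/^Inode count/ { gsub(/ /, "", $2); print $2 }'
}

VOLUME=$(( 100 * 1024 * 1024 * 1024 ))
echo "250M inodes at 256 B: $(inode_table_pct 250000000 256 "$VOLUME")% of a 100 GiB volume"
echo "250M inodes at 128 B: $(inode_table_pct 250000000 128 "$VOLUME")% of a 100 GiB volume"

# Dry run on a sparse 1 GiB image (no root needed): ask for ten times the
# default inode count and read the superblock back.
if command -v mkfs.ext4 >/dev/null 2>&1 && command -v dumpe2fs >/dev/null 2>&1; then
    IMG=$(mktemp)
    if truncate -s 1G "$IMG" && mkfs.ext4 -q -F -N 655360 -b 1024 "$IMG" >/dev/null 2>&1; then
        echo "requested 655360 inodes, superblock says $(actual_inode_count "$IMG")"
    else
        echo "mkfs.ext4 on $IMG failed; dry run skipped"
    fi
    rm -f "$IMG"
else
    echo "e2fsprogs not installed; image dry run skipped"
fi
```

Run the same dumpe2fs read-back against the real logical volume after formatting; if "Free blocks" is far below what you expected, the inode tables are where the space went.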

Friday, September 9, 2011

Increase number of loop devices on Linux


Instead of the default 8 loop devices you'll have 64 after adding the following line. It takes effect the next time the loop module is loaded (next boot, or rmmod/modprobe loop); if loop is built into the kernel, pass max_loop=64 on the kernel command line instead.
# vi /etc/modprobe.conf
options loop max_loop=64

Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.

Followed by:

kernel panic - not syncing: Attempted to kill init!

To get the machine booting again: at the GRUB screen, press "a" to edit the kernel parameters and append "enforcing=0". That is a recovery step, not a fix; leaving enforcing=0 in /etc/grub.conf permanently puts SELinux in permissive mode on every boot, so only do that until the real cause (below) is dealt with.

This happened after enforcing SELinux on both CentOS 5 and RHEL 6.1.

[update] It all happened after changing SELINUXTYPE in /etc/sysconfig/selinux to "strict" on CentOS and to "mls" on RHEL. The problem was that selinux-policy-strict was missing on CentOS, and so was selinux-policy-mls on RHEL: the kernel is told to enforce a policy that does not exist on disk, which is exactly the "Unable to load SELinux Policy" message above. Install the policy package first (check that /etc/selinux/<type>/policy/ is populated), and only then edit /etc/sysconfig/selinux. After that, reboot once with "enforcing=0 autorelabel" so the file system is relabeled under the new policy, then reboot with no extra parameters and it should be fine.
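The safe version of the procedure above, as an added example that is not part of the original post: it refuses to change SELINUXTYPE unless a compiled policy for that type exists, and it requests the relabel through /.autorelabel instead of leaving enforcing=0 on the kernel line. It assumes the RHEL/CentOS layout (/etc/selinux/config, which /etc/sysconfig/selinux links to, and policies under /etc/selinux/<type>/policy); the paths are parameters so the demo at the bottom runs against a constructed tree without root.

```shell
#!/bin/sh
# Added example, not from the original post: switch SELINUXTYPE only when the
# matching policy is actually installed, and schedule the relabel without
# ever putting enforcing=0 permanently on the kernel command line.
# Assumptions: RHEL/CentOS layout, i.e. /etc/selinux/config (which
# /etc/sysconfig/selinux links to) and policies under /etc/selinux/<type>/policy.
set -eu

# Succeeds only if a compiled policy file exists for the requested type.
policy_installed() {    # policy_installed <type> [selinux_root]
    root=${2:-/etc/selinux}
    [ -d "$root/$1/policy" ] && ls "$root/$1/policy"/policy.* >/dev/null 2>&1
}

# Rewrite SELINUXTYPE= in a config file; the previous value goes to stdout.
set_selinux_type() {    # set_selinux_type <type> <config_file>
    old=$(sed -n 's/^SELINUXTYPE=//p' "$2")
    sed -i "s/^SELINUXTYPE=.*/SELINUXTYPE=$1/" "$2"
    echo "$old"
}

# Refuse to switch unless the policy is present, then ask for a full relabel
# on the next boot (init looks for /.autorelabel).
switch_policy() {       # switch_policy <type> [config_file] [selinux_root] [fs_root]
    cfg=${2:-/etc/selinux/config}; root=${3:-/etc/selinux}; fsroot=${4:-}
    if ! policy_installed "$1" "$root"; then
        echo "no policy for SELINUXTYPE=$1 under $root; install selinux-policy-$1 first" >&2
        return 1
    fi
    old=$(set_selinux_type "$1" "$cfg")
    touch "$fsroot/.autorelabel"
    echo "SELINUXTYPE $old -> $1; reboot once with enforcing=0 to relabel, then reboot normally"
}

# Demo on a constructed tree (no root needed): targeted is installed, mls is not.
D=$(mktemp -d)
mkdir -p "$D/selinux/targeted/policy"; : > "$D/selinux/targeted/policy/policy.24"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$D/config"
switch_policy mls "$D/config" "$D/selinux" "$D" || echo "refused, as intended"
# ...after "yum install selinux-policy-mls" the policy directory exists:
mkdir -p "$D/selinux/mls/policy"; : > "$D/selinux/mls/policy/policy.24"
switch_policy mls "$D/config" "$D/selinux" "$D"
rm -rf "$D"
# On the real box (as root): switch_policy mls
```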

Monday, August 29, 2011

scp and wget missing on RHEL6 minimal install

To get around this, install them from the DVD (or mount the DVD as a yum repository) by installing the following packages:

wget
openssh-clients

Friday, August 12, 2011

How to convert dos format text files to unix format

I needed this for some scripts which I discovered were in DOS format (CR LF line endings), so bash couldn't understand them: the kernel sees "#!/bin/bash\r" as the interpreter and refuses to run the script with "bad interpreter". It's simple, and you have multiple choices:

tr -d '\r' < input.file > output.file

..which deletes every carriage return, including any inside strings, or, to strip only the one ending each line:

sed 's/\r$//' input.file > output.file
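A small detection-and-conversion helper for the same problem, as an added example that is not part of the original post: besides CR LF it also handles the UTF-8 byte order mark that Windows editors like to add, which breaks the "#!" line just as badly. It assumes GNU sed and grep; the sample script it converts is constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post: detect and strip DOS line endings
# (and the UTF-8 BOM that Windows editors often add, which breaks "#!" too).
# Assumes GNU sed/grep/coreutils; the sample file below is constructed.
set -eu

# Return 0 if the file has at least one CR LF line ending.
has_crlf() {            # has_crlf <file>
    grep -q "$(printf '\r')\$" "$1"
}

# Return 0 if the file starts with the UTF-8 byte order mark EF BB BF.
has_bom() {             # has_bom <file>
    [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]
}

# Write a Unix copy: CR removed only where it ends a line (unlike tr -d '\r'),
# BOM dropped from the first line.
to_unix() {             # to_unix <input> <output>
    LC_ALL=C sed -e '1s/^\xEF\xBB\xBF//' -e 's/\r$//' "$1" > "$2"
}

# Demo on a constructed script: BOM + CRLF, plus a CR inside a string that
# must survive the conversion.
IN=$(mktemp); OUT=$(mktemp)
printf '\357\273\277#!/bin/sh\r\necho "keep\r this"\r\nexit 0\r\n' > "$IN"
to_unix "$IN" "$OUT"
has_crlf "$IN"  && echo "input:  CRLF present"
has_bom "$IN"   && echo "input:  BOM present"
has_crlf "$OUT" || echo "output: no CRLF"
has_bom "$OUT"  || echo "output: no BOM"
head -1 "$OUT"
rm -f "$IN" "$OUT"
```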

Monday, August 1, 2011

apache not processing PHP short open tags (<? ... ?>)

This is purely a PHP matter, and I found it in the default php.ini on RHEL 6.1:

short_open_tag = Off

Turning it On makes PHP parse <? ... ?> blocks, which is what the scripts in question used. The better fix is to leave it Off and rewrite the scripts to the full <?php tag: short tags clash with the <?xml ...?> prologue of any XML that PHP emits, and they make the code depend on a per-host setting that, as here, defaults to Off.
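A helper for that rewrite, as an added example that is not part of the original post: it expands "<?" followed by whitespace or end of line to "<?php" and leaves "<?php", "<?=" and "<?xml" alone, then counts what is left so you can confirm a tree is clean before setting short_open_tag back to Off. It assumes GNU sed and grep; the sample file is constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post: rewrite PHP short open tags to
# the full form so the code no longer depends on short_open_tag=On.
# Assumes GNU sed/grep. "<?php", "<?=" and "<?xml" are left untouched; only
# "<?" followed by whitespace or end of line is expanded.
set -eu

# Print a converted copy of a file to stdout.
expand_short_tags() {   # expand_short_tags <file>
    sed -E -e 's/<\?([[:space:]])/<?php\1/g' -e 's/<\?$/<?php/' "$1"
}

# Number of short tags still present (0 means safe for short_open_tag = Off).
count_short_tags() {    # count_short_tags <file>
    grep -oE '<\?([[:space:]]|$)' "$1" | wc -l | tr -d ' '
}

# Demo on a constructed file mixing every tag form.
F=$(mktemp)
cat > "$F" <<'EOF'
<?xml version="1.0"?>
<? echo "short"; ?>
<?= $value ?>
<?php echo "long"; ?>
<?
echo "multi-line";
?>
EOF
echo "before: $(count_short_tags "$F") short tag(s)"
expand_short_tags "$F" > "$F.new" && mv "$F.new" "$F"
echo "after:  $(count_short_tags "$F") short tag(s)"
cat "$F"
rm -f "$F"
```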


Tuesday, July 26, 2011

Facebook 2-way authentication

Considering that sometimes I'm a security freak, I've enabled 2-way authentication on Facebook. It's true that I disabled the same thing on Google, but that's not important. Anyway, this morning I tried to access my Facebook account from a newly installed Windows XP netbook, and Facebook asked for a code they had sent to my cell phone. My cell phone, right next to me, very much turned on, signal meter very high. The SMS didn't come. OK, I clicked resend, but still nothing. After the third resend I waited a few minutes and still nothing; then again, still no SMS from Facebook HOURS later (4 hours and counting). So, the next step available was to contact them through a contact form on their website, where they asked me to describe my problem, and where I also suggested they should use Google's 2-way authentication SMS servers, because their message arrives almost instantly. After a few seconds an automated reply was sent to me, telling me I should "Attach a copy of your government-issued photo ID". SAY WHAT??

Seriously, I only send that to my bank, to the police, things like that. Why should I send this to Facebook? Who exactly are they? So I replied that, since they're not a government-related company, I will NEVER EVER send a copy of my "government-issued photo ID", and suggested again that they really should use Google's SMS servers for this one.

I'll just paste the funniest part of their requirements:

When you respond:
1. Briefly describe the issue you’re experiencing.
2. Attach a copy of your government-issued photo ID. We need to confirm that you own this account. Note that we will permanently delete our record of this attachment from our servers once we use it to confirm your identity.
The ID you attach:
- Must be government-issued (ex: passport, driver's license)
- Must be in color
- Must clearly show your full name, date of birth, and photo
No shit?! 

Thursday, July 21, 2011

Starcraft Broodwar on Windows 7 64 bit (and 32 bit)

There's a problem with playing Starcraft Broodwar on Windows 7 no matter which update you have; the latest is 1.16.1, I guess. After installing the update it automatically runs the game, but the colors are messed up. To get around this, you have to add a registry key to Windows. The files can also be found on Blizzard's webpage, or you can create the .reg files manually using Notepad. The 64-bit version differs only in the Wow6432Node path: StarCraft is a 32-bit application, so its DirectDraw compatibility entries live in the 32-bit view of the registry.

For the 32 bit version of Windows 7 the content should be:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\StarCraft116]
"Name"="StarCraft.exe"
"ID"=hex:ca,89,65,49
"Flags"=hex:00,08,00,00 

For the 64 bit version of Windows 7 the content should be:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectDraw\Compatibility\StarCraft116]
"Name"="StarCraft.exe"
"ID"=hex:ca,89,65,49
"Flags"=hex:00,08,00,00

This is it. Starcraft Broodwar 1.16.1 up and running smoothly...

Monday, July 18, 2011

Linux disks by LABEL and UUID

To list disks by UUID:

ls -l /dev/disk/by-uuid/

..the output looks something like:

5d82b8f4-5dfd-4164-8a78-e56cb1d7ea1c -> ../../sdb1

6cc7cb86-f1bc-4c16-833c-c6efa55257d6 -> ../../sda1

..to find the UUID (and the label, if there is one) of a specific disk, run:

blkid /dev/sda1

..and you can auto-mount in /etc/fstab by specifying the UUID instead of the device, for example:

UUID=5d82b8f4-5dfd-4164-8a78-e56cb1d7ea1c /tmp          ext4    errors=remount-ro 0       2

(The last field is the fsck order: 1 is for the root file system only; everything else gets 2, or 0 to skip the check.) The UUID belongs to the file system, not the disk, so it changes whenever you run mkfs on the partition; update fstab afterwards or the next boot stops in the emergency shell.

Another way to identify disks is by label, and of course you can also auto-mount disks in /etc/fstab by label. To set a label on a file system just type:

e2label /dev/sda1 mylabel

..or..

tune2fs -L mylabel /dev/sda1

..and you can auto-mount disks in /etc/fstab like this:

LABEL=/         /      ext3    defaults        1 1

Labels are not unique: plug in a cloned disk carrying the same label and LABEL= becomes ambiguous, which is why UUID is the safer choice for anything that must never be mounted from the wrong device.
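A pre-reboot check for fstab entries written this way, as an added example that is not part of the original post: it walks every UUID= and LABEL= line and confirms the udev symlink exists, so a typo is caught before it costs you a console session. It assumes the /dev/disk/by-uuid and /dev/disk/by-label trees; both paths are parameters, and the demo runs against a constructed fstab and fake trees.

```shell
#!/bin/sh
# Added example, not from the original post: before rebooting, confirm every
# UUID= / LABEL= entry in fstab resolves, so a typo does not drop the box into
# an emergency shell. Assumes the udev /dev/disk/by-uuid and /dev/disk/by-label
# trees; both are parameters so the demo below can use constructed ones.
set -eu

# Print "<spec> <mountpoint> ok|MISSING" per UUID=/LABEL= line; return 1 if
# any spec does not resolve. Device paths and comments are skipped.
fstab_check() {         # fstab_check <fstab> [by-uuid dir] [by-label dir]
    byuuid=${2:-/dev/disk/by-uuid}; bylabel=${3:-/dev/disk/by-label}
    rc=0
    while read -r spec mnt rest; do
        case $spec in
            ''|'#'*) continue ;;
            UUID=*)  path="$byuuid/${spec#UUID=}" ;;
            LABEL=*) path="$bylabel/${spec#LABEL=}" ;;
            *)       continue ;;
        esac
        if [ -e "$path" ]; then
            echo "$spec $mnt ok"
        else
            echo "$spec $mnt MISSING"; rc=1
        fi
    done < "$1"
    return $rc
}

# Demo against a constructed fstab and fake by-uuid/by-label trees (plain
# files stand in for the udev symlinks; one UUID is deliberately absent).
T=$(mktemp -d)
mkdir -p "$T/by-uuid" "$T/by-label"
: > "$T/by-uuid/6cc7cb86-f1bc-4c16-833c-c6efa55257d6"
: > "$T/by-label/data"
cat > "$T/fstab" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=6cc7cb86-f1bc-4c16-833c-c6efa55257d6 /      ext4 errors=remount-ro 0 1
LABEL=data                                /data  ext4 defaults          0 2
UUID=5d82b8f4-5dfd-4164-8a78-e56cb1d7ea1c /tmp   ext4 defaults          0 2
EOF
fstab_check "$T/fstab" "$T/by-uuid" "$T/by-label" || echo "fix fstab before rebooting"
rm -rf "$T"
```

On a live system run fstab_check /etc/fstab with no further arguments; mount -a is the other half of the test, since it also validates the options column.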

 

Thursday, June 30, 2011

Apache 2.2 LDAPS authentication in Active Directory 2008

So, I've been trying the whole day to get this Apache 2.2 installation to authenticate against Active Directory over LDAP with a secure connection. These are Ubuntu settings, particularly for 10.04 LTS (they probably work on every Debian and Red Hat version as well, with different file paths).

First, I exported the CA certificate from my browser (IE9) via Internet Options > Content > Certificates > Trusted Root Certification Authorities, picking the one issued by the Active Directory CA, saved it as a Base64-encoded file and copied it to the Linux server as /certs/cert.cer. (mod_ldap accepts DER too, with the CA_DER type, but Base64 is what the config below uses.) Export the CA's certificate, not the domain controller's own certificate: the DC certificate is renewed periodically and the trust would break with it.

Second, edit httpd.conf in /etc/apache2 (apache2.conf includes it; any file under conf.d works as well) so it contains the global mod_ldap settings:

 

#LDAPSharedCacheSize 500000

#LDAPCacheEntries 128

#LDAPCacheTTL 60

#LDAPOpCacheEntries 128

#LDAPOpCacheTTL 60

LDAPConnectionTimeout 10

LDAPTrustedMode SSL

LDAPVerifyServerCert on

LDAPTrustedGlobalCert  CA_BASE64 /certs/cert.cer

 

The third step is to add your LDAP configuration to your website using a <Location> block in /etc/apache2/sites-enabled/000-default (or whatever path your site uses), with the following:

 

<Location "/">

    AuthType Basic

    AuthName "AD Authentication"

    AuthBasicProvider ldap

    AuthzLDAPAuthoritative  Off

    AuthLDAPURL             "ldaps://xx.xx.xx:636/OU=testOU,DC=domain,DC=local?sAMAccountName?sub?(objectClass=user)"

    AuthLDAPBindDN          "CN=user,OU=Users,OU=testOU,DC=domain,DC=local"

    AuthLDAPBindPassword    passforuser

    AuthLDAPRemoteUserAttribute sAMAccountName

    Require valid-user

</Location>

 

This assumes a domain controller at xx.xx.xx.xx with port 636 (LDAPS) reachable, a user called "user" in the given OU whose DN is the one in AuthLDAPBindDN, with the password "passforuser"; AuthLDAPURL is the search Apache runs against AD to locate the account that is logging in. Use a dedicated, read-only bind account for this, never a domain admin: the password sits in clear text in the site file, so keep that file readable by root only. Instead of "Require valid-user" you can require other things, like a specific user or a specific group. Save the site file after doing this. And there's one more step.

The fourth and last step before restarting Apache is the LDAP client library's own config file, ldap.conf. I don't know for sure where this file is on Red Hat (usually /etc/openldap/ldap.conf), but on Debian (and in my case, Ubuntu 10.04 LTS) it is /etc/ldap/ldap.conf. There are some commented options in there; point libldap at the same CA file and make it insist on a valid certificate:

TLS_CACERT /certs/cert.cer

TLS_REQCERT demand

The line that usually gets pasted here instead, TLS_REQCERT never, makes libldap accept any certificate at all, which quietly undoes the LDAPVerifyServerCert on and the CA import above: anyone on the path can present their own certificate and read the bind password plus every user's password as they log in. If verification fails with demand, the usual cause is the AuthLDAPURL itself: it names the controller by IP address, while the AD certificate carries the controller's DNS name, so the hostname check cannot succeed. Put the FQDN from the certificate in the URL (and make sure the web server can resolve it) rather than turning verification off.

Restart Apache, and that's it.
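A way to test the LDAPS side before touching Apache, as an added example that is not part of the original post: it pulls the host out of an AuthLDAPURL, rejects an IP literal (which can never match the DNS names in an AD certificate), and, when run with --online, performs the TLS handshake with chain and hostname verification against the exported CA and then a bind exactly as Apache will, with libldap told to demand a valid certificate. The controller name dc1.domain.local is hypothetical; use the name that appears in your DC's certificate. It assumes openssl and ldapwhoami (ldap-utils) are installed.

```shell
#!/bin/sh
# Added example, not from the original post: check the LDAPS endpoint the
# way libldap/mod_ldap will, with verification ON, before touching Apache.
# Assumptions: the DC is reachable as dc1.domain.local (hypothetical name;
# use the name in the DC certificate), the exported CA is /certs/cert.cer,
# and openssl plus ldapwhoami (ldap-utils) are installed.
set -eu

# Host part of an Apache AuthLDAPURL ("ldaps://host:636/base?attr?scope?filter").
ldap_url_host() {       # ldap_url_host <url>
    h=${1#*://}; h=${h%%/*}; h=${h%%:*}; echo "$h"
}

# An IPv4 literal never matches the DNS names in an AD certificate, so a
# URL like ldaps://10.0.0.5:636/ is guaranteed to fail hostname verification.
is_ipv4_literal() {     # is_ipv4_literal <host>
    echo "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# TLS handshake with chain and hostname verification against our CA file.
check_ldaps_cert() {    # check_ldaps_cert <host> <ca_file> [port]
    openssl s_client -connect "$1:${3:-636}" -CAfile "$2" \
        -verify_hostname "$1" -verify_return_error </dev/null 2>&1 \
        | grep -E 'Verify return code|subject=|issuer='
}

# Bind exactly as Apache will, with libldap told to demand a valid cert.
check_ldaps_bind() {    # check_ldaps_bind <host> <ca_file> <bind_dn>
    LDAPTLS_CACERT="$2" LDAPTLS_REQCERT=demand \
        ldapwhoami -H "ldaps://$1:636" -D "$3" -W
}

URL="ldaps://dc1.domain.local:636/OU=testOU,DC=domain,DC=local?sAMAccountName?sub?(objectClass=user)"
HOST=$(ldap_url_host "$URL")
if is_ipv4_literal "$HOST"; then
    echo "AuthLDAPURL names the DC by IP ($HOST); use its FQDN or verification will fail" >&2
    exit 1
fi
if [ "${1:-}" = "--online" ]; then
    check_ldaps_cert "$HOST" /certs/cert.cer
    check_ldaps_bind "$HOST" /certs/cert.cer "CN=user,OU=Users,OU=testOU,DC=domain,DC=local"
else
    echo "URL host $HOST looks sane; run with --online to test the TLS handshake and bind"
fi
```

A "Verify return code: 0 (ok)" from the first check and a "dn:" line from ldapwhoami mean Apache will work with verification left on; anything else is the problem to fix, not a reason for TLS_REQCERT never.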

Monday, May 30, 2011

iptables limit syn flood

iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP

Every incoming SYN is sent through the syn_flood chain; the limit match lets through an average of one per second with a burst of three, and everything above that is dropped. Note that the limit is global, not per source: a single attacker sending a handful of SYNs per second keeps the token bucket empty, and the rule then drops legitimate connection attempts from everybody, so the rule itself becomes the denial of service. Against a real SYN flood, enable SYN cookies (net.ipv4.tcp_syncookies=1), and if you want a rate limit in iptables, key it on the source address with the hashlimit match and size it for real traffic rather than 1/s.
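The per-source variant of this chain, as an added example that is not part of the original post: hashlimit keyed on the source IP throttles a flooding host without locking out everyone else, the rules are applied idempotently, and SYN cookies are switched on so the kernel copes once the backlog fills. The rates are illustrative and are assumptions to tune; without arguments the script only prints the commands, and "apply" runs them (root, with the hashlimit and limit modules available).

```shell
#!/bin/sh
# Added example, not from the original post: a per-source SYN rate limit with
# hashlimit, applied idempotently, plus the kernel's own SYN-flood defence
# (SYN cookies). RATE/BURST are illustrative assumptions; tune them to the
# host's traffic. Without arguments the script only prints the commands;
# "apply" runs them (needs root and iptables with hashlimit and limit).
set -eu

RATE=${RATE:-20/second}   # new connections allowed per source address
BURST=${BURST:-50}        # burst one source may open before limiting kicks in

# Print the iptables commands. Keying on srcip is the difference from a global
# "-m limit 1/s" rule, where one attacker starves every other client.
syn_flood_rules() {
    cat <<EOF
iptables -N SYN_FLOOD
iptables -A SYN_FLOOD -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit-upto $RATE --hashlimit-burst $BURST -j RETURN
iptables -A SYN_FLOOD -m limit --limit 5/minute -j LOG --log-prefix "SYN flood: "
iptables -A SYN_FLOOD -j DROP
iptables -I INPUT -p tcp --syn -j SYN_FLOOD
EOF
}

# Number of rules the chain will hold; compare with "iptables -S SYN_FLOOD".
rule_count() { syn_flood_rules | grep -c '^iptables -A SYN_FLOOD'; }

# Create the chain only if it is not there yet, so re-running is safe.
apply_rules() {
    if iptables -L SYN_FLOOD -n >/dev/null 2>&1; then
        echo "SYN_FLOOD chain already present; nothing to do"
        return 0
    fi
    syn_flood_rules | while read -r cmd; do eval "$cmd"; done
    # Let the kernel answer floods statelessly once the SYN backlog fills.
    sysctl -w net.ipv4.tcp_syncookies=1
}

case ${1:-} in
    apply) apply_rules ;;
    *)     syn_flood_rules ;;
esac
```

The LOG rule is itself rate limited so a flood cannot fill the syslog partition, which is a second, quieter way the original rule set could be turned against the host.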

Saturday, April 23, 2011

Power management boost on Linux Mint 10 / Ubuntu 10.10

So, I've been a performance-instead-of-battery-saving fan since I got my first laptop. It usually worked out by selecting "Performance" in some vendor-specific power management software on Windows. But with Linux it was getting annoying. I've had my Asus EEEPC 1008HA for almost 2 years now, and I was really annoyed at being forced to keep the power plugged in, because otherwise my music stopped playing correctly and had small interruptions, videos the same, even compiz had small interruptions compositing my desktop the way I like it. It was clear to me that it was power management, and surely something related to hard drive power management. After digging around the internet, I saw with the hdparm command that a HDD parameter was changing automatically between plugged in and unplugged, APM_level: with the power plug in it was set to 254, with the plug disconnected it was 128. After that I searched Google for details and scripts that could make my EEEPC run the same on battery and on mains, and I got the following script up and running, and my laptop runs as fast as with the power plug connected. If anyone intends to use this: it will drain your battery much faster than any other power management software.
#!/bin/sh
### power save off: run as root, e.g. from /etc/rc.local
# CPU frequency scaling: keep every core at its top frequency
for g in /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_governor; do
    echo performance > "$g"
done
# Disk: APM level 254 = highest performance without disabling APM (255 would)
hdparm -B 254 /dev/sda
echo 0 > /proc/sys/vm/laptop_mode
# SATA link power management on every host adapter that exposes it
for p in /sys/class/scsi_host/host*/link_power_management_policy; do
    [ -w "$p" ] && echo max_performance > "$p"
done
# Wireless and audio power saving off
iwconfig wlan0 power off
echo 0 > /sys/module/snd_hda_intel/parameters/power_save
# Write dirty pages out sooner instead of batching them to let the disk sleep
echo 10 > /proc/sys/vm/dirty_ratio
echo 5 > /proc/sys/vm/dirty_background_ratio
echo 1000 > /proc/sys/vm/dirty_writeback_centisecs
This practically removes any power management, or sets maximum performance, for SATA, CPU, HDD, wireless and sound. I've put it into my /etc/rc.local, and after a restart everything is the same, except for the dimmed backlight, which I don't mind if it helps save some power. It's OK though: before this, my battery lasted around 2 hours with interruptions; now it lasts for an hour, but with seamless performance.

Tuesday, March 22, 2011

Best e-mail service?!

It's not an answer, it's actually a question to which I don't have an answer.

So, I've been a Google user for a very, very long time. My first GMail account was created with an invitation, back when GMail registration wasn't open to everybody and you could only create an account by invitation. Me very happy back then. And I'm not only a GMail user; I use lots of things from Google, like Picasa, Blogger, Docs, Buzz, the dead Wave, Reader, Analytics, Maps, and from time to time I check whether something really changed about Orkut, and still nothing, buggy as hell. But lately GMail started having problems. And considering I use GMail as my primary account, and all my other accounts (Hotmail and Yahoo, via the GMX Mail Collector and then POP3 into GMail) end up in my primary GMail account, things are getting annoying.

So, there are 2 other well-known alternatives, and 1 more that people don't know about, or that doesn't have too many users. Yahoo is slow, and I hate it because I don't have IMAP/POP/SMTP support (on the free account) and no docs. Hotmail looks nice and has a GREAT 25GB SkyDrive to store whatever you want, but still, their Office Live is crappy: it crashes in my Chromium every few minutes and needs a restart of the app. Oh, and that new alias thing, well, it's M$, so IT DOESN'T WORK. So, one doesn't have docs, the other one has them but crashes, though they have that cool 25 GB SkyDrive storage where you can put almost everything, oh, and the aliases thing doesn't work. GMail has great apps, docs, e-mail storage. It lacks a free 25GB SkyDrive, and now there are the GMail errors that keep me away from my most important e-mail address. GMX is not an option, because the support is none, the interface is too fucking heavy for the small EEEPC I use to read e-mails, but it has something like a SkyDrive, with much less storage, and I've seen people using it for a long time and being happy with it. Don't ask me why...

And there's Zoho. Zoho is something most people don't know about. It's very useful, lots of apps, but unfortunately not much storage: 1GB. And with upgrades you only upgrade the number of workspaces, not the storage. And I really need storage for pics.

So, any ideas?! I need storage for everything: e-mail, docs, reader, something like Picasa..

Monday, February 28, 2011

Install headless OpenOffice.org on Ubuntu 10.04.2

I needed this for an Alfresco Community Edition installation, so ..here are the steps:

1. install the necessary packages:
apt-get install openoffice.org-writer openoffice.org-calc openoffice.org-draw \
openoffice.org-impress openoffice.org-java-common openoffice.org-headless


2. create the init script:
nano /etc/init.d/openoffice

fill it with:
#!/bin/bash
# openoffice.org headless server script
#
# chkconfig: 2345 80 30
# description: headless openoffice server script
# processname: openoffice
#
# Author: Vic Vijayakumar
# Modified by Federico Ch. Tomasczik
#
### BEGIN INIT INFO
# Provides:          openoffice
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: OpenOffice.org headless UNO server on 127.0.0.1:8100
### END INIT INFO
OOo_HOME=/usr/bin
SOFFICE_PATH=$OOo_HOME/soffice
PIDFILE=/var/run/openoffice-server.pid
set -e
case "$1" in
start)
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "OpenOffice headless server is already running."
        exit 0
    fi
    echo "Starting OpenOffice headless server"
    # Bind to 127.0.0.1 only: the UNO socket has no authentication, so it must
    # never be reachable from the network. Redirections go before the "&",
    # otherwise they apply to an empty command and soffice keeps the terminal.
    "$SOFFICE_PATH" -headless -nologo -nofirststartwizard \
        -accept="socket,host=127.0.0.1,port=8100;urp" > /dev/null 2>&1 &
    echo $! > "$PIDFILE"
    ;;
stop)
    if [ -f "$PIDFILE" ]; then
        echo "Stopping OpenOffice headless server."
        # soffice is a wrapper around soffice.bin; stop it gently, then sweep up.
        kill "$(cat "$PIDFILE")" 2>/dev/null || true
        sleep 2
        killall -q soffice.bin 2>/dev/null || true
        rm -f "$PIDFILE"
        exit 0
    fi
    echo "OpenOffice headless server is not running."
    ;;
*)
    echo "Usage: $0 {start|stop}"
    exit 1
esac
exit 0


3. make the script executable:
chmod 755 /etc/init.d/openoffice


4. make it start at common runlevels:
update-rc.d openoffice defaults


That's all folks :)

Monday, February 21, 2011

PF - FreeBSD packet filter (I)

So, this is about the default firewall in the BSDs. Considering I know iptables, this should be easy to learn. First of all, to be sure it gets started at boot, modify /etc/rc.conf like this:


pf_enable="YES"                  # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_program="/sbin/pfctl"        # where the pfctl program lives
pf_flags=""                     # additional flags for pfctl
pflog_enable="NO"               # Set to YES to enable packet filter logging
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_program="/sbin/pflogd"    # where the pflogd program lives
pflog_flags="" # additional flags for pflogd


This starts PF at boot with the rules in /etc/pf.conf, loading the pf kernel module if it isn't built in. You almost certainly want pflog_enable="YES" too, otherwise anything you block with "log" in the rules goes nowhere. Syntax-check a new rules file with pfctl -nf /etc/pf.conf before enabling it: a rules file that fails to parse leaves you with no filtering at all. The module is enough for ordinary filtering, so a custom kernel is only needed for features that don't ship as modules. To build PF in statically, add:


device pf
device pflog
device pfsync

...and, to use packet queueing (ALTQ), which is not available as a module, you also need:


options         ALTQ
options         ALTQ_CBQ        # Class Based Queueing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queueing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build

This is it for now, because I already have something compiling on my FreeBSD VM and that's more than enough for a VM running on an EEE PC :)

Tuesday, February 15, 2011

2 bugs with Linux Mint 10 on MSI laptop (and probably Ubuntu 10.10)

1. ath5k phy0: gain calibration timeout
NetworkManager shows wireless as disconnected and doesn't search for or find any WLANs. To fix this, you just have to completely shut down the laptop and then power it on (a reboot doesn't seem to do the trick).

2. Laptop battery critically low. Computer will hibernate very soon unless it is plugged in.
When the power cord is disconnected, a popup appears with this message no matter how full the battery is. That's because some fucked-up batteries/BIOSes, when you disconnect the power cord, mistakenly report something like "0:04 remaining (92%)" in the power manager popup. So it actually thinks it only has 4 minutes left and wants to hibernate, although you still have 92% of the battery. To avoid this crap, go to gconf-editor > apps > gnome-power-manager > general and uncheck "use_time_for_policy". The next time you disconnect the power cord it will use the percentage to decide whether it's time to suspend or hibernate.

Tuesday, February 8, 2011

Debian 6 - no graphical interface

So, I tried twice to install Debian 6 on VMware Workstation 7 and at the end there was no graphical interface installed; of course, I used the net installer, not the whole 52 (WTF???) CDs. Nothing, just the good old command line prompt. So if I type:

apt-get autoremove

..it will practically remove a LOT of packages, most of them related to GNOME and X. So, what's missing?
If you type "startx" you'll notice there is no /usr/bin/X. So, to really have a graphical interface on your newly installed Debian 6 you should just:

apt-get install xorg

After that, X will start automatically..
But it's not over yet, because if you enter:

apt-get autoremove

..again, you'll still be removing a LOT of packages, including GNOME ones. I'm actually at this point so I have to figure out what's missing.. Anyway, everything seems to work.. (autoremove offers those packages because they are marked as automatically installed and nothing depends on them any more; what the installer would normally have pulled in is the "Graphical desktop environment" task, i.e. the tasksel "desktop" task or the gnome metapackage, which depends on them and therefore keeps them.)

Thursday, January 20, 2011

Next Generation Firewall

So, what is a NGFW? (I've been reading around, and this is the accepted abbreviation.) It's bullshit! It's like a much dumber version of a UTM. Some people here were very excited about Palo Alto Networks products, especially the NGFW products. So, I've been reading their datasheet about this new technology (patent-pending :) ) and, besides the usual port/IP/MAC firewall, this firewall implements 3 new things: App-ID, User-ID and Content-ID. What are those?! It's very simple. App-ID identifies traffic by application (signatures, protocol and some heuristics to detect them), User-ID identifies traffic by user, being very tied to a directory infrastructure (AD, LDAP), and Content-ID analyzes traffic and searches for patterns, like credit card numbers, SSNs and so on. Great!!

But how is this better than a UTM? In my case, the first that comes to mind is Fortigate. Buggy as a motherfucker, but pretty good eventually. So, in this case, it comes with Application Control, which does the same thing as Palo Alto, but somehow it has more signatures (Palo Alto says "over 1000", meaning somewhere around 1001, and Fortigate says something around 1400). Fortigate integrates tightly with AD and LDAP, I know because I've used this crap on both directory infrastructures, so yes, you can analyze and filter traffic based on users. And Content-ID sounds very much like DLP (data loss prevention), which is also available in a Fortigate UTM, but I never tested it.

OK, so a Fortigate UTM has everything a Palo Alto NGFW has. But it has some extra shit too: VoIP security, VPN, antivirus, antispam, antimalware, IPS, web filtering. So, I was asked yesterday about my opinion regarding NGFWs and now I'm very sure about my reply: a less-featured UTM.