Ident Server
Posted by Dataforce
I recently encountered a problem on a server that I manage where by the oidentd server didn't seem to be working.
Manual tests worked, but connecting to IRC Servers didn't.
I tried switching oidentd with ident2 and the same problem.
After switching back, and a bit of debugging later it appeared that the problem was that the IRC Servers were expecting spaces in the ident reply, whereas oidentd wasn't giving them.
I then quickly threw together an xinet.d-powered ident server with support for spoofing.
First the xinet.d config:
service ident
{
disable = no
socket_type = stream
protocol = tcp
wait = no
user = root
server = /root/identServer.php
nice = 10
}
Unfortunately yes, this does need to run as root otherwise it is unable to see what process is listening on a socket. In future I plan to change it to allow it to run without needing to be root (by using sudo for the netstat part)
Now for the code itself:
#!/usr/bin/php
<?php
/**
* Simple PHP-Based inetd ident server, version 0.1.
* Copyright (c) 2010 - Shane "Dataforce" Mc Cormack
* This code is licensed under the MIT License, of which a copy can be found
* at http://www.opensource.org/licenses/mit-license.php
*
* The latest version of the code can be found at
* http://home.dataforce.org.uk/index.php?p=news&id=135
*
* This should be run from inetd, it will take input on stdin and write to stdout.
*
* By default users can spoof ident by having a .ident file in /home/<username>/.ident
* If this is present, it will be read.
* It should be a file with a format like so:
*
* <pid> <ident>
* <local host>:<local port>:<target host>:<target port> <ident>
*
* The first line that matches is used, any bit can be a * and it will always match,
* so "* user" is valid. In future more sophisticated matches will be permitted
* (eg 127.*) but for now its either all or nothing.
*
* Its worth noting that <target host> is the host that requests the ident, so if this
* is likely to be different than the host that was connected to, then "STRICT_HOST" will
* need to be set to false.
*
* At the moment <local host> is ignored, in future versions this might be changed, so
* it is still required.
*
* Lines with a ':' in them are assumed to be of the second format, and must contain
* all 4 sections or they will be ignored.
*
* Lines starting with a # are ignored.
*
* There are some special values that can be used as idents:
* ! = Send an error instead.
* * = Send the default ident.
* ? = Send a random ident (In future a 3rd parameter will specify the format,
* # for a number, @ for a letter, ? for either, but this is not implemented yet)
*
* In future there will also be support for /home/user/.ident.d/ directories, where
* every file will be read for the ident response untill one matches.
* This will allow multiple processes to create files rather than needing to
* lock and edit .ident
*/
// Allow spoofing idents.
define('ALLOW_SPOOF', true);
// Requesting host must be the same as the host that was connected to.
define('STRICT_HOST', true);
// Error to send when '!' is used as an ident.
define('HIDE_ERROR', 'UNKNOWN-ERROR');
openlog('simpleIdent', LOG_PID | LOG_ODELAY, LOG_DAEMON);
$result = 'ERROR : UNKNOWN-ERROR' . "\n";
$host = $_SERVER['REMOTE_HOST'];
syslog(LOG_INFO, 'Connection from: '.$host);
// Red in the line from the socket.
$fh = @fopen('php://stdin', 'r');
if ($fh) {
$input = @fgets($fh);
$line = trim($input);
if ($input !== FALSE && !empty($line)) {
$result = trim($input) . ' : ' . $result;
// Get the data from it.
$bits = explode(',', $line);
$source = trim($bits[0]);
$dest = isset($bits[1]) ? trim($bits[1]) : '';
// Check if it is valid
if (preg_match('/^[0-9]+$/', $source) && preg_match('/^[0-9]+$/', $dest)) {
// Now actually look for this!
$match = STRICT_HOST ? ":$source .*$host:$dest " : ":$source.*:$dest";
$output = `netstat -napW 2>&1 | grep '$match' | awk '{print \$7}'`;
$bits = explode('/', $output);
$pid = $bits[0];
if (preg_match('/^[0-9]+$/', $pid)) {
$user = `ps -o ruser=SOME-REALLY-WIDE-USERNAMES-ARE-PERMITTED-HERE $pid | tail -n 1`;
$senduser = trim($user);
// Look for special ident file: /home/user/.ident this is an ini-format file.
$file = '/home/'.trim($user).'/.ident';
if (file_exists($file)) {
$config = file($file, FILE_SKIP_EMPTY_LINES | FILE_IGNORE_NEW_LINES | FILE_TEXT);
foreach ($config as $line) {
// Ignore comments.
$line = trim($line);
if (substr($line, 1) == '#') { continue; }
// Make sure line is valid.
$bits = explode(' ', $line);
if (count($bits) == 1) { continue; }
// Check type of line
if (strpos($bits[0], ':') !== FALSE) {
// LocalHost:LocalPort:RemoteHost:RemotePort
$match = explode(':', $bits[0]);
if (count($match) != 4) { continue; }
if (($match[1] == '*' || $match[1] == $source) &&
($match[2] == '*' || $match[2] == $host) &&
($match[3] == '*' || $match[3] == $dest)) {
syslog(LOG_INFO, 'Spoof for '.$senduser.': '.$line);
$senduser = $bits[1];
break;
}
} else if ($bits[0] == '*' || $bits[0] == $pid) {
syslog(LOG_INFO, 'Spoof for '.$senduser.': '.$line);
$senduser = $bits[1];
}
}
if ($senduser == "*") {
$senduser = trim(user);
} else if ($senduser == "?") {
$senduser = 'user'.rand(1000,9999);
}
}
if ($senduser != "!") {
$result = $source . ', ' . $dest . ' : USERID : UNIX : ' . trim($senduser);
} else {
$result = $source . ', ' . $dest . ' : ERROR : ' . HIDE_ERROR;
}
}
}
}
}
echo $result;
syslog(LOG_INFO, 'Result: '.$result);
closelog();
exit(0);
?>
I welcome any comments about this, or any improvements and hope that it will be useful for someone else.
I suck…
Posted by Dataforce
Due to an incredibly stupid mistake on my part, I accidentally managed to `rm -Rf` the /home directory on the server this site is hosted on (and lost about 200gb of data, including everything that was hosted under the home.dataforce.org.uk domain.)
As such this site will probably be horrible broken for some time (logins won't work, changing page style, any images or downloads) until I recover the up to date version of the scripts and as many of the files as possible. (Most of the actual content for the site is stored in mysql so none of that was lost, just the php scripts that pull it all together and anything non-page like).
If you came here looking for something that now gives you a 404, feel free to leave a comment here and I'll see if I can find what you were looking for.
GitWeb Hacking.
Posted by Dataforce
Recently I setup gitweb on one of my servers to allow a web-based frontend to any git projects which the users of the server place in their ~/git/ directory.
After playing about with it, I noticed that it allowed for placing a README.html file in the git config directory to allow extra info to be shown on the summary view, managed to get it to pull the README.html file from the actual repository itself, and not the config directory, thus allowing the README.html to be versioned along with everything else, and not require the user to edit it on the server, but rather just edit it locally and push it.
This is a simple change in /usr/lib/cgi-bin/gitweb.cgi:
From (line 3916 or so):
if (-s "$projectroot/$project/README.html") {
if (open my $fd, "$projectroot/$project/README.html") {
print "<div class=\"title\">readme</div>\n" .
"<div class=\"readme\">\n";
print $_ while (<$fd>);
print "\n</div>\n"; # class="readme"
close $fd;
}
}
To:
if (my $readme_base = $hash_base || git_get_head_hash($project)) {
if (my $readme_hash = git_get_hash_by_path($readme_base, "README.html", "blob")) {
if (open my $fd, "-|", git_cmd(), "cat-file", "blob", $readme_hash) {
print "<div class=\"title\">readme</div>\n";
print "<div class=\"readme\">\n";
print <$fd>;
close $fd;
print "\n</div>\n";
}
}
}
I also added a second slightly hack that uses google's code prettyfier when displaying a file, and makes the line numbers separate from the code so they don't copy also when you copy the code,
From (line 2476 or so):
print "</head>\n" .
"<body>\n";
To:
print qq(<link href="http://google-code-prettify.googlecode.com/svn/trunk/src/prettify.css" type="text/css" rel="stylesheet" />\n);
print qq(<script src="http://google-code-prettify.googlecode.com/svn/trunk/src/prettify.js" type="text/javascript"></script>\n);
print "</head>\n" .
"<body onload=\"prettyPrint()\">\n";
and
From (line 4351 or so):
while (my $line = <$fd>) {
chomp $line;
$nr++;
$line = untabify($line);
printf "<div class=\"pre\"><a id=\"l%i\" href=\"#l%i\" class=\"linenr\">%4i</a> %s</div>\n",
$nr, $nr, $nr, esc_html($line, -nbsp=>1);
}
To:
print "<table><tr><td class=\"numbers\"><pre>";
while (my $line = <$fd>) {
chomp $line;
$nr++;
printf "<a id=\"l%i\" href=\"#l%i\" class=\"linenr\">%4i</a>\n", $nr, $nr, $nr;
}
print "</pre></td>";
open my $fd2, "-|", git_cmd(), "cat-file", "blob", $hash;
print "<td class=\"lines\"><pre class=\"prettyprints\">";
while (my $line = <$fd2>) {
chomp $line;
$line = untabify($line);
printf "%s\n", esc_html($line, -nbsp=>1)
}
print "</pre></td></tr></table>";
close $fd2;
This could do with a quick clean up (reuse $fd rather than opening $fd2) but it works.
New Phone – T-Mobile G1.
Posted by Dataforce
Recently I acquired a T-Mobile G1 to replace my old T-Mobile MDA Vario 2 (HTC Hermes).
All I can say about this phone is that it is quite awesome. I no longer need to run an exchange server to keep my contacts/calendar synced somewhere as the G1 syncs everything to Google Mail/Calendar.
Its a really good phone and I recommend it to anyone who is thinking of getting a new phone, the integration with google is especially useful, and the full-html (including CSS and javascript) is very nice.
JDesktopPane Replacement
Posted by Dataforce
As as I mentioned before I've been recently converting an old project to Java.
This old project was an MDI application, and when creating the UI for the conversion, I found the default JDesktopPane to be rather crappy. Google revealed others thought the same, one of the results that turned up was: http://www.javaworld.com/javaworld/jw-05-2001/jw-0525-mdi.html
So, I created DFDesktopPane based on this code, with some extra changes:
- Frames can't end up with a negative x/y
- Respond to resize events of the JViewport parent
- Iconified icons move themselves to remain inside the desktop at all times.
- Handles maximised frames correctly (desktop doesn't scroll, option to hide/remove titlebar)
My modified JDesktopPane can be found as here part of my dflibs google code project.
Other useful things can be found here, take a look and leave any feedback either here or on the project issue tracker
GMail – apply labels to email from group members
Posted by Dataforce
As Noted by Chris recently on IRC, Google Mail lacks a feature in its ability to automatically label/filter messages - you can't do it based on emails from people in a contact group, short of adding a filter with all their email address on it.
At the time it was mentioned this didn't affect me, however later when I got round to adding loads of labels/filters in gmail (yay for, nicely coloured inbox!) to nicely separate things for me I also ran into this problem, so came up with the following python script that does it for me.
It checks messages, sees if the sender is in the contacts, then checks each group to see if there is a label with that group name that is not already set, then checks to see if the contact is in the group, and finally sets the label if everything matches up.
I ran it initially to tag my entire inbox (set "checkAllIndex" to "True" change "ga.getMessagesByFolder(folderName)" to "ga.getMessagesByFolder(folderName, True)") and now have it running on a 15 minute cron (not using loopMode) to tag new messages for me.
Hopefully this will be useful to someone else, I'm not sure how well it works in general, it worked fine for me with ~700 messages at first, however after a few runs (due to regrouping some contacts) I was greeted by an "Account Lockdown: Unusual Activity Detected" message when trying to do anything - This went away after about 20 minutes, but don't say you wern't warned if it happens to you.
#!/usr/bin/env python
"""
This script will login to gmail, and add labels to messages for contact groups.
By default the script will only check items from the past 2 days where email
was recieved.
Loop mode can be enabled to save logging in repeatedly from cron.
Loop mode may fail after some time if google kills the session, or gmail
becomes unavailable or so. (Untested in these situations). On the other hand
it may also just keep running indefinetly as if no problem occured, loop mode
is relatively untested and was added as an after thought.
When running in loop mode, it is best to have a crontab entry also that checks
and restarts the script if it dies.
Copyright 2008 Shane 'Dataforce' Mc Cormack
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
"""
# Uncomment the lines below if python can't find libgmail on its own, and edit
# the sys,path.insert to point to where libgmail.py is.
# import sys
# sys.path.insert(0, 'libgmail')
import libgmail
import time
###############################################################################
# Configuration
###############################################################################
# Email Address
email = "YOUR EMAIL HERE"
# Password
password = "YOUR PASS HERE"
# Check all on index, rather than just the first 2 dates found
checkAllIndex = False
# Use Loop (if true the script will keep looping, and sleep between checking
# for new mail to modify)
useLoop = False
# Time in seconds to sleep when looping (300 = 5 mins)
loopTime = 300
# Label Prefix - if group-based labeles are prefixed, set the prefix here.
# (eg "Groups/")
labelPrefix = ""
# What folder to check? ('inbox' or 'all' are probbaly the most common settings)
folderName = 'inbox'
###############################################################################
# Helper classes/methods
###############################################################################
class ContactGroup:
def __init__(self, id, name, contacts):
self.id = id
self.name = name
self.contacts = contacts
def containsContact(self, contact):
for knownContact in self.contacts:
if knownContact[0] == contact.id:
return True
return False
def __str__(self):
return self.name
# Get Contacts and Groups
# Modified from libgmail 0.1.10 to include groups aswell
def getContacts(account):
"""
Returns a GmailContactList object
that has all the contacts in it as
GmailContacts
"""
contactList = []
groupList = []
# pnl = a is necessary to get *all* contacts
myUrl = libgmail._buildURL(view='cl',search='contacts', pnl='a')
myData = account._parsePage(myUrl)
# This comes back with a dictionary
# with entry 'cl'
addresses = myData['cl']
# Now loop through the addresses and get the contacts
for entry in addresses:
if len(entry) >= 6 and entry[0]=='ce':
newGmailContact = libgmail.GmailContact(entry[1], entry[2], entry[4], entry[5])
contactList.append(newGmailContact)
contacts = libgmail.GmailContactList(contactList)
# And now, the groups
for entry in addresses:
if entry[0]=='cle':
newGroup = ContactGroup(entry[1], entry[2], entry[5])
groupList.append(newGroup)
return contacts, groupList
###############################################################################
# Setup
###############################################################################
print "Running.."
print "Use Loop:", useLoop
if useLoop:
print " Loop Time:", loopTime
print "Check all on index:", checkAllIndex
print "Label Prefix:", labelPrefix
print "Checking Folder:", folderName
print "libgmail Version:", libgmail.Version
print ""
# Login to gmail
print "Logging in as", email
ga = libgmail.GmailAccount(email, password)
ga.login()
# Loop at least once.
loop = True;
while loop:
loop = useLoop
print "Getting label names.."
# Get Labels
labels = ga.getLabelNames(refresh=True)
# Get Messages
print "Getting messages.."
inbox = ga.getMessagesByFolder(folderName)
# Get Contacts
print "Getting contacts and groups"
contacts, groups = getContacts(ga)
# Check each thread in the inbox
lastDate = '';
secondDate = False;
for thread in inbox:
# Only check dates we are supposed to.
if not checkAllIndex:
# Get the date
threadDate = thread.__getattr__('date');
# Make sure a date is set
if lastDate == '':
lastDate = threadDate
# If this date is different to the last one do something.
if lastDate != threadDate:
# If we are already on the second date, then we stop now
if secondDate:
break;
# Otherwise, if the new data is a non-time date, we can change to the
# second date.
elif "am" not in threadDate and "pm" not in threadDate:
lastDate = threadDate
secondDate = True
print "Thread:", thread.id, len(thread), thread.subject, thread.getLabels(), thread.__getattr__('date'), thread._authors, thread.__getattr__('unread')
try:
# Current Labels
threadCurrentLabels = thread.getLabels();
# We will add labels here first to prevent dupes
threadLabels = set([])
# Check each message in the thread.
for msg in thread:
print " Message:", msg.id, msg.sender
# Check if sender is a known contact
contact = contacts.getContactByEmail(msg.sender)
if contact != False:
# Check each group for this contact
for group in groups:
# If we have a label with this group name
labelName = labelPrefix+group.name
if (labelName in labels) and (labelName not in threadCurrentLabels):
# And the group contains the contact we want
if group.containsContact(contact):
# Add it to the list
print " Sender Label:", labelName
threadLabels.add(labelName)
except Exception, detail:
print " Error parsing messages:", type(detail), detail
# Now add the labels
for label in threadLabels:
print " Adding Label:", label
thread.addLabel(label)
# If thread was unread, make it unread again.
if thread.__getattr__('unread'):
print " Remarking as unread"
ga._doThreadAction("ur", thread)
if loop:
print ""
print "Sleeping"
time.sleep(loopTime)
else:
print "Done"
On a related note, I've also recently started to use the "Better Gmail 2" addon for firefox (Official page seems down atm, but more info here) mostly for the grouping of labels feature.
Edit: Script will now preserve unread status of threads.
MD5
Posted by Dataforce
I was recently looking at converting an old application from VB6 to Java that used MD5 in its output files as hashes for validation.
The first thing I did was to make a java class that read in the file and checked the hashes, I tried it on a few files and it worked fine, then I found a file that it failed on.
Now, this app wrote all the files using the exact same function, so it seemed odd that 1 of them wouldn't parse and the rest would.
When I looked at the file closer, I found that this one contained some symbols in the output that the others didn't - I eventually figured out that the symbol that was causing the problem was the pound sign (£).
Without going into too much detail, this presented a major problem, the string in question was used as part of the password validation for the app (the output files are encrypted using the password as a key), and the java code was getting different results than the old VB6 code, and was unable to decode the file as a result.
So, this sparked my curiosity a bit, the VB6 code I was using wasn't a built in, it was code I'd gotten elsewhere and used, so I assumed it was faulty code (not that this helped me much, as I needed to get the exact same output, but ignoring that).
I edited the initial form of my application to return the MD5 String for "£" on its own, and got: "d527ca074d412d9d0ffc844872c4603c"
I did the same for my java code and got: "6465dad1d31752be3f3283e8f70feef7"
So now all I needed to do was to see which was right, so I made a quick PHP script, and did the same and got: "d99731d14c7750048538404febb0e357" ... Yet another different hash!?
Ok, I thought, md5sum will help me figure out which one is right. one `echo '£' | md5sum -` and I had "67160ce935d7cb5339047b12ad4611cb". Yes, that is correct, a 4th different hash.
So here I was with 4 different hashes and no idea which one was correct.
So after a bit of googling, I discovered that the MD5 RFC (1321) had the source code for a test application in it.
So I extracted the code from the Appendix of http://www.ietf.org/rfc/rfc1321.txt and tried to compile it with `gcc md5.c mddriver.c -o mddriver` only to discover that it failed to compile with lots of errors, fortunately this was an easy fix, near the top of mddriver.c, change "#define MD MD5" to "#define MD 5" and then it compiles without problem.
So, I ran "./mddriver -s£" and got the output "MD5 ("£") = d99731d14c7750048538404febb0e357" which agreed with what the PHP md5() function gave.
(Its worth noting that `echo '£' | ./mddriver` agreed with md5sum, which made me remember that `echo` appends a "\n", which was why I got a different output, running `echo -n '£' | md5sum` gives the correct result, and would have saved me googling and finding the test suite!)
I tested a few other things and got the following results:
mddriver: d99731d14c7750048538404febb0e357
PHP: d99731d14c7750048538404febb0e357
mySQL: d99731d14c7750048538404febb0e357
python: d99731d14c7750048538404febb0e357
postgreSQL: d99731d14c7750048538404febb0e357
md5sum: d99731d14c7750048538404febb0e357
JavaScript: d527ca074d412d9d0ffc844872c4603c
VisualBasic: d527ca074d412d9d0ffc844872c4603c
Eggdrop: d527ca074d412d9d0ffc844872c4603c
Java (custom): d527ca074d412d9d0ffc844872c4603c
Java (built in): 6465dad1d31752be3f3283e8f70feef7
- JavaScript implementation from http://pajhome.org.uk/crypt/md5/
- VisualBasic implementation from http://www.frez.co.uk/freecode.htm#md5;
- Custom Java implementation from http://www.freevbcode.com/ShowCode.Asp?ID=741
There is also a list of MD5 implementations at http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html
----
The differences are primarily due to character encoding in the different languages. (In the case of my app, there was also a flaw in the implementation for strings where (length % 64) is > than 55 as well)
Example:
[07:14:55] [shane@Xion:~]$ php -r 'echo md5(utf8_encode("£"))."\n";'
2ccf59396b3c0958eec4ba721e2d083f
[07:15:01] [shane@Xion:~]$ php -r 'echo md5("£")."\n";'
d99731d14c7750048538404febb0e357
Java: System.out.println((int)'£'); => "163"
PHP: echo ord('£'); => "194"
PHP: echo ord(utf8_encode('£')); => "195"
Virtualbox Bridging
Posted by Dataforce
Edit: This is now pretty much unneeded, the new version of VirtualBox seems to handle this all nicely on its own.
As I mentioned in my last post, One of the useful advantages of the network boot setup is that I can use it to quickly install virtual machines.
Now a few things:
- My Desktop is a lot more powerful than my server, so I run the virtual machines on it.
- I use virtualbox rather than vmware.
- All the network boot stuff is on my server not my desktop (obviously)
So in order to allow this, virtualbox needed to be setup to bridge to my existing adapter, this was quite straight forward, pretty much exactly as the manual said.
sudo apt-get install bridge-utils
Edit /etc/network/interfaces, and add
auto br0 iface br0 inet dhcp bridge_ports eth0
Now the next suggestion was to setup a tkap0 device and tell virtualbox to use that, or to use a dynamic configuration.
The dynamic configuration sounded better as it meant I didn't need to remember to add a new tap device for each vm.
The suggested dynamic configuration suggests using kdesu/gksudo and a script in the home dir of the user that will setup and cleaup the tap device (this means inputting your password every tiem you start/stop the VM and requiring a separate script for each user that wants to have a vm with bridging) this seemed rather annoying so I came up with an alternative.
/usr/bin/setuptap
#!/bin/bash
# Make sure we are root
if [ $(whoami) != root ]; then
exit 1;
fi;
# Create an new TAP interface for the user and remember its name.
interface=`VBoxTunctl -b -u ${SUDO_USER}`
# If for some reason the interface could not be created, return 1 to
# tell this to VirtualBox.
if [ -z "$interface" ]; then
exit 1
fi
# Write the name of the interface to the standard output.
echo ${interface}
# Bring up the interface.
/sbin/ifconfig ${interface} up
# And add it to the bridge.
/usr/sbin/brctl addif br0 ${interface}
/usr/bin/cleanuptap
#!/bin/bash
# Make sure we are root
if [ $(whoami) != root ]; then
exit 1;
fi;
# Remove the interface from the bridge. The second script parameter is
# the interface name.
/usr/sbin/brctl delif br0 $2
# And use VBoxTunctl to remove the interface.
VBoxTunctl -d $2
Now these scripts run with sudo as any user will setup the tap device for that user (thats what ${SUDO_USER} is for)
This still requires a password for starting/stopping the VMs tho, so we use
sudo visudo
or if you prefer nano
sudo EDITOR=nano visudo
and add
# Allow virtualbox users to setup/cleanup tap devices %vboxusers ALL=NOPASSWD:/usr/bin/setuptap,/usr/bin/cleanuptap
now:
- configure virtualbox to attach the network device to a "host interface"
- leave the Interface name blank (setuptap creates the next available one)
- Setup Application: "sudo /usr/bin/setuptap"
- Terminate Application: "sudo /usr/bin/cleanuptap"
And virtualbox will be able to create/destroy the tap device as needed.
However. there is still one problem, DHCP will not work for these VMs without a little help, so we need to:
sudo apt-get install dhcp3-relay
and answer the questions asked. (DHCP Server IP, and INterface to listen on (br0))
Virtualbox unfortunatly seems to need a little push to actually network boot, so I also use an etherboot iso to actually boot from the network along with the "PCnet-FAST III" adapter type.
and thats all there is to it, you can now network boot and dhcp from virtual machines not hosted on the server.
Updates!
Posted by Dataforce
So, it was brought to my attention that I havn't actually updated this in a while, so here you go, an update! (However dissapointing you might find it!)
Ok, so the most important update of recent is that I finally (after 4 years of being out of date) upgraded the OS on my server from Redhat 9 (EOL April 2004!) to the ubuntu server 8.04 ("Hardy Heron").
This also as a result of to a change in iptables between the ancient 2.4.30 Kernel and the current 2.6.24 prompted me to rewrite my IPTables firewall scripts (As the old one broke stuff, like my multiple IPs - which in turn managed to break logging into Authgate in a fun way!).
For anyone who is interested, they can be downloaded here.
Once downloaded, extract them to a directory (I use /root and thus they are currently configured as such) and edit the "nat" file to change the main settings.
You can then run it by using:
/bin/bash /root/nat
(Change to suit where you extracted to)
I have also included shape.php, which allows you to setup traffic shaping for People >:E
It needs configuring separately to the main script, and is called by nat-shape.sh (which is called by the main script).
Once you have configured shape.php you will need to edit nat-shape.sh to make it actually call it (remove the first echo, and remove the # from the start of the other 2 lines)
The next thing I've done recently is to tidy up the DMG generation script for DMDirc.
Now it manages to create compressed images on linux aswell as on OS X, and doesn't require stupidly ugly code or a patched version of Apples DiskDev tools!
And finally I'm now back home for the next 4 months rather than at uni, yay for no more stupid download cap! (Seriously, 20GB for a whole month kills me!)
Email Woes
Posted by Dataforce
On a daily basis, I get around 800 emails to my email accounts, of which most of it is spam.
Now as good as thunderbird is at detecting spam, even it fails at a lot of the spam I recieve, leaving me with arround 100-200 spam per day that gets into my inbox.
I've dealt with and accepted this for over a year now, before a discussion on IRC made me decide to do something about it. (When I say discussion, I mean Chris pasted one line showing how good the UTD-Hosting mail server was at preventing junk getting to him)
So, I recently (Today and yesterday) started prodding my postfix config to help with the problem.
Firstly I added some RBL checking, this was easy enough, 3 lines to my config in the smtpd_recipient_restrictions bit:
reject_rbl_client list.dsbl.org
reject_rbl_client zen.spamhaus.org
reject_rbl_client dnsbl.sorbs.net
I also added:
reject_non_fqdn_recipient
reject_unknown_recipient_domain
I also added the following lines:
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_helo_restrictions =
permit_mynetworks
check_helo_access hash:/etc/postfix/helo_access
reject_non_fqdn_hostname
reject_invalid_hostname
permit
smtpd_sender_restrictions =
permit_mynetworks
reject_non_fqdn_sender
reject_unknown_sender_domain
permit
/etc/postfix/helo_access looks like this (Its surprising how many mails this catches, 114/7500 - altho they would probably be caught later on):
soren.co.uk REJECT You are not me. 207.150.170.50 REJECT You are not me.
Next step was SPF checking, this involved adding to smtpd_recipient_restrictions:
check_policy_service unix:private/policy
and to master.cf
policy unix - n n - - spawn
user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl
(One can apt-get install postfix-policyd-spf-perl or download it from http://www.openspf.org/Software)
Currently I use catch-all on all my domains (yes this is stupid I know) and as a result, I get alot of spam to 1) Addresses that don't exist and never have 2) Addresses that used to exist for others but now don't.
To combat this, I added this line to smtpd_recipient_restrictions:
check_recipient_access hash:/etc/postfix/recipient_access
/etc/postfix/recipient_access looks something like this:
foo@example.com REJECT This account is no longer valid. bar@example.com REJECT This account is no longer valid. baz@example.net REJECT This account is no longer valid.
The result of all this can be seen by running the mailstats script Chris was kind enough to share with me:
root@soren:/etc/postfix# ./mailstats.php Incoming --(7500)--> Valid HELO --(6707)--> Valid Sender --(6705)--> Passed by dsbl --(6136)--> Passed by spamhaus --(811)--> Passed by sorbs --(568)--> Passed by relay check --(565)--> Passed by SPF --(542)--> Forwarded to shinobu --(390)--> To a valid domain --(339)--> To a valid user --(306)--> Dropped Spam --(306)--> Delivered. Total Rejections: 7194 (Unknown Reason: 0 | Pretended to be me: 114)
The "Forwarded to shinobu" entry is a server for which I am the backup MX for, this accounts for 152 mails (about 2%)
The delivered count of 306 mails is about 4%, meaning that 94% of all the junk mail I recieve is now dropped by postfix and not delivered to my mailbox!
These simple additions have made a huge difference! I have a 10day holiday coming up, and now rather than coming home to 8000 mails, I'll only come home to 320!
As a further line of defense, prior to being sent to my mailbox, those 4% of mails get filtered thorugh spamassassin (which I have configured to only run for certain domains, with different scores for different domains/users as needed) which does a good job of catching the spam that thunderbird misses, configuring a mail filter on thunderbird to filter these mails (Which get subject tagged with {Spam?}) into my junk folder (aswell as configuring thunderbird to trust what the spamassassin headers say) means very little, if any, spam now reaches my inbox!
Brilliant!