//jerrywalsh.org

coding, hacking, startups, computer security, technology and more

HOWTO Secure Your Linux Box With IPTABLES

Okay, so this post will be brief but to the point. Today I needed to lock down a machine I administer so that the only inbound connections allowed were SSH connections from trusted hosts. I’m using Debian, so this will also work for other Debian-based distros such as Ubuntu, Linux Mint etc.

Assuming you’re running a current version of Debian or a derivative, iptables will already be present on your system. One of the first things to note is that iptables does not persist its ruleset across a reboot, so the first thing I ensured in this tutorial was that the ruleset is restored when the machine comes back up. As root I edited /etc/rc.local and, before the exit line, added a call to /etc/iptables-init. Because this was a fresh install my rc.local ended up looking like this:

/etc/rc.local from Debian 6
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# Setup iptables
/etc/iptables-init
exit 0

Next, I created the script which we’ve setup to be executed from rc.local:

/etc/iptables-init
#!/bin/sh
# ----------------------------------------------------------------------
# simple but secure iptables initialization script
# DateCreated: Thu 12 Jan 2012 00:37:04 GMT
# Author: Jerry Walsh
# ----------------------------------------------------------------------

# Put your trusted hosts/ranges here:
TRUSTED_HOSTS="1.2.3.4 8.8.8.8/24 \
  4.3.2.1 1.2.2.2 3.3.3.4 "

# flush rules
iptables -F

# Log dropped connections
#iptables -N LOGDROP

# allow localhost connections to the loopback interface 
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# allow connections which are already established
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow all outbound connections
iptables -A OUTPUT -j ACCEPT

# allow tcp to port 22 (ssh daemon) from trusted hosts
for GOODIE in $TRUSTED_HOSTS; do
  iptables -A INPUT -p tcp -m state --state NEW -s $GOODIE --dport 22 -j ACCEPT
done
# or you could just allow ssh access from all hosts
# NOTE: if you're going to allow ssh access from all hosts then
# it's always a good idea to put sshd on a non-standard port
# - this keeps the majority of script kid trawlers out
#iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#other optional extras:
# allow inbound http access
#iptables -A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
# allow inbound https access
#iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT

# drop all other inbound traffic (including ICMP, UDP etc.)
iptables -A INPUT -j DROP
# you could also just block tcp connections..
#iptables -A INPUT -p tcp -j DROP

Finally, I marked the script executable and ran it straight away to load the new rules into iptables:

finally, we mark the script executable and run it!
chmod 0700 /etc/iptables-init
!$   # bash expands !$ to the previous command's last argument, i.e. /etc/iptables-init

And that’s it! Remember - it’s always good to test your configuration from a remote host or better still from a ‘bad’ remote host and a ‘good’ (whitelisted) host.

REMEMBER: The above script is just an example! You should modify the script to meet YOUR needs (as it stands it met mine), but it still serves as a useful starting point. It should also be noted that with the above setup all inbound ICMP, including ping (echo requests), is dropped, so the host will not answer pings - this may not be desirable, but in my case it was!
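One way to sanity-check the loaded ruleset before you test it from a second host, as an added example that is not part of the original post: the Python below parses the output of `iptables -S INPUT` (the embedded listing is a constructed sample of what the script above would produce, not captured output) and flags the three mistakes that matter for this setup: an SSH ACCEPT with no trusted source, a trusted host that has no rule (lock-out), and a catch-all DROP that is missing or not last. The function and its messages are my own, not part of iptables.

```python
import ipaddress
import re

# Constructed sample of what `iptables -S INPUT` prints after the post's
# /etc/iptables-init ran with two trusted entries (not captured output).
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 8.8.8.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
"""


def audit_input_chain(listing, trusted_hosts):
    """Return a list of findings; an empty list means the INPUT chain matches
    the post's intent: SSH only from trusted hosts, everything else dropped."""
    rules = [ln for ln in listing.splitlines() if ln.startswith("-A INPUT")]
    # strict=False turns "8.8.8.8/24" into 8.8.8.0/24, as iptables itself does.
    trusted = {ipaddress.ip_network(h, strict=False) for h in trusted_hosts}
    findings = []

    # The catch-all DROP must exist and be last: rules after it never match,
    # and without it the chain falls through to the default policy (-P).
    drop_at = next((i for i, r in enumerate(rules) if r == "-A INPUT -j DROP"), None)
    if drop_at is None:
        findings.append("no unconditional DROP; chain falls through to the -P policy")
    elif drop_at != len(rules) - 1:
        findings.append("%d rule(s) after the DROP can never match" % (len(rules) - 1 - drop_at))

    # Every ACCEPT for port 22 must carry a -s that is one of the trusted nets
    # (a negated "! -s" does not count as a source restriction).
    covered = set()
    for r in rules:
        if "--dport 22" not in r or not r.endswith("-j ACCEPT"):
            continue
        src = re.search(r"(?<!! )-s (\S+)", r)
        if src is None:
            findings.append("SSH accepted from any source: " + r)
            continue
        net = ipaddress.ip_network(src.group(1), strict=False)
        if net in trusted:
            covered.add(net)
        else:
            findings.append("SSH accepted from untrusted source %s" % net)

    # A trusted host with no rule means the admin locks themselves out.
    for net in sorted(trusted - covered, key=str):
        findings.append("trusted host %s has no SSH rule (lock-out risk)" % net)
    return findings
```

On a real box feed it the live listing, e.g. `audit_input_chain(subprocess.check_output(["iptables", "-S", "INPUT"], text=True), TRUSTED_HOSTS.split())`, and treat any non-empty result as a reason not to close your current SSH session yet.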

I’ll leave you with ‘Another Day’ from Album Leaf:

John Cleese on Creativity

There’s no doubt about it that John Cleese is a genius when it comes to comedy but his genius-ness (is that even a word?) doesn’t stop there. What follows is one of my favourite videos from him. The highlight of which is this enlightening little piece of wisdom:

To know how good you are at something requires the same skills as it does to be good at those things. Which means if you’re absolutely hopeless at something, you lack exactly the skills that you need to know that you’re absolutely hopeless at it. And this is a profound discovery - that most people who have absolutely no idea what they’re doing, have absolutely no idea that they have no idea what they’re doing.

It explains a great deal of life.

It also explains why so many people in charge of so many organisations have no idea what they’re doing, they have a terrible blind spot.

Watch the video here:

I’ve decided that it’ll now be customary to sign off each post with a bit of music. In this case, given that it’s the weekend it’ll be some uplifting vocal trance from Andain, the Myon and Shane 54 remix of ‘Promises’. Enjoy! (and sorry if this doesn’t float your boat :P):

Finally, I Got My Site in Order!

I know, I know.. it’s been long overdue and I’ve just been putting it off for far too long. A recent trip to Zell am See, in Austria, gave me enough downtime to focus on revamping the site, which is now complete. I think everything should be working OK, but if you encounter problems then please let me know. I hope the new look will get me blogging more often and with higher quality!

I plan to post again soon, this time with something more substantial; until then I’ll leave you with my “tune of the trip”, “Black Ash Veil” by Apparat:

Google Chrome Takes the Lead

Well, it’s been quite some time since my last post. I’ve been busy and it seems Google has been busy too.

I recently upgraded to the latest version of Chromium (aka Google Chrome) and noticed that the folks at Google have decided to drop the http:// prefix from the “omnibox”:

CNet reported this back when the feature first appeared in the developer betas, but I must say I’m surprised at the results I found in the following article:

Really?  You’d prefer to see the http:// stay?

In my opinion, dropping it is one of the best damn things they have ever done because in this day and age, it’s no longer necessary. It just doesn’t matter anymore because the web is all about http:// now. It’s implicit and the UI should mirror this - people don’t need to know about it. I recall what my good friend anto once said

This is just one of the things which makes Chrome stand out from all the others, Jeff Atwood recently wrote that

Chrome was a completely respectable browser in V1 and V2. The entire project has moved forward so fast that it now is, at least in my humble opinion, the best browser on the planet. Google went from nothing, no web browser at all, to best-of-breed in under two years.

HOWTO: Compile PDFlib for PHP on Linux

Here’s a small script which you can use to compile PDFlib support for PHP on Linux. This should work on any Debian based Linux distribution.

#!/bin/sh
# Download the PDFLib Lite Linux source from here first:
# http://www.pdflib.com/download/pdflib-family/pdflib-lite-7/
# put the download in the same location as this script
# NOTE: you will be prompted by the pecl installation at the end
# of the process for a path - you'll need to enter /usr/local/ here
#
# Author: jbw
# DateCreated: Mon, 22 Mar 2010

# We need root privileges .. (check the effective uid rather than $USER,
# which some shells leave unset)
if [ "$(id -u)" -ne 0 ]; then
  chmod +x "$0"
  gksudo "$0"
  exit
fi

# work from the directory holding this script and the downloaded tarball
cd "$(dirname "$0")" || exit 1

# dpkg -s exits non-zero when a package is not installed
dpkg -s build-essential >/dev/null 2>&1 || \
  apt-get install build-essential

tar zxvf PDFlib-Lite-7*.tar.gz && \
  cd PDFlib-Lite-7*/ && \
  ./configure && \
  make && \
  make install

dpkg -s php-pear >/dev/null 2>&1 || \
  apt-get install php-pear

dpkg -s php5-dev >/dev/null 2>&1 || \
  apt-get install php5-dev

pecl install pdflib

If you don’t plan on using the dl() function to load this module dynamically, then you may need to modify the PHP configuration so that it autoloads the pdf.so extension.

Delaying/Ignoring Touchpad Taps While You’re Typing on Linux

Okay, so it may mean my typing posture is out of line but even so, it can be incredibly annoying if your thumb just happens to hit the touchpad on your laptop while you’re typing.

I’m using a Lenovo Thinkpad T400, which has a Synaptics-based touchpad. This fix only works if you’re using a Synaptics-based touchpad; if you’re not, it probably won’t work for you.

First off, we need to edit our xorg.conf at /etc/X11/xorg.conf. I appended the following to my file since I had no mouse-based InputDevice section:

Section "InputDevice"
    Identifier "Touchpad"
    Driver     "synaptics"
    Option     "Device"    "/dev/psaux"
    Option     "Protocol"  "auto-dev"
    Option     "SHMConfig" "on"
EndSection

If you already have an InputDevice section, you’ll need to ensure it features the same Option and Driver lines as above.

Once you’ve made these changes you’ll need to restart the X server. You can do this using

/etc/init.d/gdm restart

or alternatively kill the X server using ctrl+alt+backspace and let gdm bring it back up. BEFORE we restart the X server, let’s setup a tapping delay. I created a xinitrc file at ~/.xinitrc and put the following in it:

pgrep syndaemon > /dev/null && killall syndaemon
syndaemon -i 0.5 -d

Once you’ve restarted your X server you can experiment with different delays by running the two lines above by hand (or simply re-executing ~/.xinitrc). Half a second turned out to be the perfect delay for me, but it’s entirely down to your own preferences.

Have fun!

How to Completely Remove Pulseaudio Server From Karmic Koala

I don’t think I’ll ever understand why Ubuntu is becoming increasingly attached to Pulseaudio. While I appreciate the neat things you can do with it, I’ve had NOTHING but problems when using it in conjunction with VoIP/SIP applications such as Ekiga (or Zoiper). Don’t get me wrong, I have tried to make friends with it. I once wasted the best part of half a day trying to come up with some form of a Pulseaudio configuration that produced even semi-decent results with VoIP applications. It was all in vain and so it had to go - I removed Pulseaudio and everything worked, perfectly. That was in Jaunty, but things were different now since I’d just upgraded to Ubuntu 9.10 aka Karmic Koala. Having upgraded, I quickly went to remove my arch enemy, otherwise known as Pulseaudio. Things unfortunately didn’t work out too well, since it seems a portion of the sound applications and applets are now dependent on Pulseaudio. So I tried yet again to make friends and still conclude Pulseaudio is an epic failure.

What happens if you remove Pulseaudio on Karmic Koala?

Removing Pulseaudio in Karmic means you lose some sound related gnome goodness. You lose the volume control applet (aka speaker icon) and the hardware keyboard volume control keys stop working too. The OSD that normally displays when you volume up/down/mute also disappears. Really, I didn’t care about this loss, since I never use the graphical mixer anyway - that’s kinda the point of having the hardware volume keys, isn’t it ? The OSD is just bling, and I could live without it as long as I could just get the hardware keys working.

Instructions for removing Pulseaudio from Karmic Koala

And so here’s what I ended up with - hardware keys work and the increment/decrement of the up/down buttons is now configurable. I don’t have an OSD and I don’t have gnome sound volume control applet anymore. If like me, you want to remove Pulseaudio no matter what, then follow these very gratifying steps:

Step 1. Uninstall PulseAudio

Use Synaptic via System » Administration » Synaptic Package Manager or sudo apt-get remove --purge pulseaudio from the shell

Step 2. Disable the gnome keyboard volume related shortcuts

Disable the gnome keyboard volume related shortcuts since they are pulseaudio dependent and will no longer work. Go to System »Preferences » Keyboard Shortcuts and disable the three volume shortcuts (up, down and mute). You can disable a shortcut by clicking on the line and then pressing the backspace key (i.e. backspace, NOT the key on your keyboard labeled ‘delete’)

Step 3. Configure your own keybindings to control the hardware volume keys.

I use compiz, so I opted to set up custom commands with custom keyboard bindings using the CompizConfig Settings Manager. If you don’t use compiz, then you’ll need to configure the keybindings in whatever you use. If you are using compiz, go to System » Preferences » CompizConfig Settings Manager. Then go to Commands and set up your keybindings like this:

Keep in mind you can easily attach these commands to edge or button bindings too. Keyboard bindings were all I wanted though:

jbw-mute-audio is a small shell script which uses amixer to check whether the audio is muted and then unmutes or mutes accordingly:

#!/bin/sh
# Mute or unmute
# jbw Mon, 08 Feb 2010
# If the Master control currently reports [off] it is muted, so unmute it;
# otherwise mute it.
(amixer sget Master | grep -q '\[off\]' && amixer sset Master unmute) \
    || amixer sset Master mute

Save the above script and customize it accordingly (man amixer). Don’t forget to chmod the script so it’s executable.

That’s it! Enjoy life without Pulseaudio woes!