If you, like me, really like Google Drive and its ability to co-operate on a seamless basis no matter what operating system or office version the other parties are using, and if you share entire folders or certain files with people from time to time, it can after a while become rather difficult to keep track of these shares.
Maybe you sometimes share with someone's email address, or you may share a link to the document with a bunch of people. It is a good idea to go through your shares from time to time and revoke all that are not supposed to apply any more.
There isn't an easy built-in tool to do this in Google Drive, but I hope we will get one some day. In the meantime there is an additional tool that you may use: https://whohasaccess.com/, a third party app that will (after your permission) scan your Google Drive folders and create a report on the permissions you have set.
You can then use this report to review your sharing options and change them accordingly and when you are done you may also delete your data at the third party.
However, if your data is really sensitive you should think twice about giving a third party app like this access to it. But if it is normal personal stuff we all put together and it's not something that is sensitive commercially or worse, it is a pretty good feature. I do hope the Google Drive people will include this function in the normal Google Drive menu soon, however. The service resides in Germany and is thus bound by the data protection act of the Bundesrepublik Deutschland, which is a little comforting.
We are going to Tallinn for a cruise over the weekend. Be back in business on Monday again, but if you should need to get hold of me, use my private number in the weekend as I am leaving the work phone at home.
Recently I have had quite a few bouts with people trying all sorts of nefarious things with my VPS from various places in the world. I realized the best way is to take whole countries out of the equation, and I wanted a nice, easy way of doing this.
First of all, I soon realized that I needed to be a little bit restrictive, but since some of the domains that run on the server are probably legitimately accessed I wanted to divide all countries up into three categories:
0 – No restrictions
1 – Restricted access, basically just allowing ICMP and http on port 80
2 – Complete blocking, drop all packets
So countries in class 0 would be Sweden and all countries where there is a reasonable legal system and from where I have not yet seen too many attempts on the security. Class 1 would be places like Russia, where there is legit traffic but also a lot of crap coming from, and class 2 would be China, where there is likely no legit traffic and still a lot of attempts on the security.
First of all, you need to get hold of a zone file divided up country by country. This is also called a CIDR file (Classless Inter-Domain Routing) where all the IP blocks assigned on an international level are put in the right file. You can find this here. Just download the file with all the blocks in and keep it somewhere. You may want to refresh this now and then, say on a monthly basis or so.
I am assuming you already have an iptables script file and that you are just looking at adding this functionality. Open the script file and add the following to it:
# Loop over all lists of banned networks
# Any rules below this will not work on these ranges as they will
# drop before they reach any other rule. If you want to open some ports
# even for banned countries, then you need to put those rules in front
# of this rule!
echo "Kill line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/banned-hosts/*
do
  echo "Processing k-line file $f..."
  while read -r p
  do
    # skip blank lines so iptables is never called with an empty source
    [ -n "$p" ] || continue
    $IPTABLES -A INPUT -s "$p" -j CBLK
  done < "$f"
done
This part of the script should be placed before any rules that allow any traffic whatsoever!
After this part you place the rules that allow any traffic you wish to allow from the restricted countries, and then you place this after those rules:
# Restricted hosts here from CIDR files in the restricted session
# these guys will only be able to do ICMP and http, nothing else
# and that should be quite a few countries
echo "Restrict line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/restricted-hosts/*
do
  echo "Processing r-line file $f..."
  while read -r p
  do
    # skip blank lines so iptables is never called with an empty source
    [ -n "$p" ] || continue
    $IPTABLES -A INPUT -s "$p" -j CBLK
  done < "$f"
done
Now you should create the following directories:
sudo mkdir /etc/iptables
sudo mkdir /etc/iptables/banned-hosts/
sudo mkdir /etc/iptables/restricted-hosts/
Explode the file you downloaded with all the IP blocks, country by country, into the /etc/iptables/banned-hosts/ directory and you should get a bunch of files called af.zone, al.zone and so on. Each of these refers to an ISO two-letter country code.
Do not run the iptables script at this point. Start by removing the file for your own country. In my case that would be se.zone for Sweden. Your mileage may vary here. Refer to this page if you do not know the country codes (which are the same as these countries' internet domains).
Delete the files that you do not wish to impose any restrictions on.
Move the files for the countries you want to restrict to the /etc/iptables/restricted-hosts/ dir.
Anything remaining when you are done in the /etc/iptables/banned-hosts/ will be denied access when you run your iptables script.
So run the script now, it may take some time.
When you are done, run the command iptables-save > /etc/iptables/tables to save your iptables rules, then add the line iptables-restore < /etc/iptables/tables to /etc/rc.local or some other similar place in order to automatically load your tables at boot time.
echo "### IP-tables ###"
IPTABLES=/sbin/iptables
echo "Default policies."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
echo "Flushing old rules"
$IPTABLES -F
$IPTABLES -X
echo "Create LOGDROP chain"
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG --log-prefix "IPT: DROP " --log-level 7
$IPTABLES -A LOGDROP -j DROP
echo "Create LOGACCEPT chain"
$IPTABLES -N LOGACCEPT
$IPTABLES -A LOGACCEPT -j LOG --log-prefix "IPT: ACCEPT " --log-level 7
$IPTABLES -A LOGACCEPT -j ACCEPT
echo "Create INVALIDDROP chain"
$IPTABLES -N INVALIDDROP
$IPTABLES -A INVALIDDROP -j LOG --log-prefix "IPT: INVALID " --log-level 7
$IPTABLES -A INVALIDDROP -j DROP
echo "Killfile certain IP chain"
$IPTABLES -N BANNED
$IPTABLES -A BANNED -j LOG --log-prefix "IPT: BANNED " --log-level 7
$IPTABLES -A BANNED -j DROP
echo "Create a country block chain"
$IPTABLES -N CBLK
$IPTABLES -A CBLK -j LOG --log-prefix "IPT: CBLK " --log-level 7
$IPTABLES -A CBLK -j DROP
# Loop over all lists of banned networks
# Any rules below this will not work on these ranges as they will
# drop before they reach any other rule. If you want to open some ports
# even for banned countries, then you need to put those rules in front
# of this rule!
echo "Kill line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/banned-hosts/*
do
  echo "Processing k-line file $f..."
  while read -r p
  do
    # skip blank lines so iptables is never called with an empty source
    [ -n "$p" ] || continue
    $IPTABLES -A INPUT -s "$p" -j CBLK
  done < "$f"
done
echo "Enabling ICMP"
$IPTABLES -A INPUT -p icmp -j LOGACCEPT
$IPTABLES -A OUTPUT -p icmp -j LOGACCEPT
echo "Enabling http on standard port"
$IPTABLES -A INPUT -p tcp --dport http -m state --state NEW -j LOGACCEPT
$IPTABLES -A INPUT -p tcp --dport http -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport http -m state --state ESTABLISHED -j ACCEPT
# Restricted hosts here from CIDR files in the restricted session
# these guys will only be able to do ICMP and http, nothing else
# and that should be quite a few countries
echo "Restrict line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/restricted-hosts/*
do
  echo "Processing r-line file $f..."
  while read -r p
  do
    [ -n "$p" ] || continue
    $IPTABLES -A INPUT -s "$p" -j CBLK
  done < "$f"
done
echo "Dropping invalid packets"
$IPTABLES -A INPUT -m state --state INVALID -j INVALIDDROP
echo "Enabling DNS server connections."
# Inbound DNS is limited to replies (ESTABLISHED), like the NTP rules below;
# matching on the source port alone would accept any packet sent from port 53.
$IPTABLES -A INPUT -p tcp --sport domain -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp --sport domain -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport domain -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport domain -j ACCEPT
echo "Enabling NTP server connections."
$IPTABLES -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state NEW -j LOGACCEPT
# The ssh rules below use the service name gopher (port 70) rather than port 22
echo "Applying rules for inbound and outbound ssh"
$IPTABLES -A INPUT -p tcp --dport gopher -m state --state NEW -j LOGACCEPT
$IPTABLES -A INPUT -p tcp --dport gopher -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport gopher -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport gopher -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport gopher -m state --state NEW -j LOGACCEPT
$IPTABLES -A OUTPUT -p tcp --dport gopher -m state --state ESTABLISHED -j ACCEPT
echo "Applying rules for outbound ssh standard port"
$IPTABLES -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -m state --state NEW -j LOGACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
echo "Enabling https traffic out from this machine"
# Replies to outbound https are ESTABLISHED, so no inbound NEW rule for
# source port 443 is used; it would accept new connections to every port.
$IPTABLES -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -m state --state NEW -j LOGACCEPT
echo "Dropping all other input packets."
$IPTABLES -A INPUT -j LOGDROP
echo "Done."
echo "IPV6 setting policy"
/sbin/ip6tables -P INPUT DROP
/sbin/ip6tables -P OUTPUT DROP
/sbin/ip6tables -P FORWARD DROP
echo "IPV6 flushing tables"
/sbin/ip6tables -F
echo "IPV6 Done."
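The loops above pass every line of a downloaded zone file to iptables as root without inspecting it. The following is an added example, not part of the original script: a hypothetical emit_rules function that accepts only well-formed IPv4 CIDR lines and prints them as INPUT rule lines, with a constructed sample that uses documentation address ranges instead of real country data.

```shell
#!/bin/sh
# Added example, not the author's script. The *.zone layout follows the post;
# emit_rules, demo and the exit codes are this example's own choices.

# emit_rules DIR [CHAIN]
# Prints "-A INPUT -s <net> -j CHAIN" for every well-formed IPv4 CIDR in
# DIR/*.zone. Other lines are reported on stderr and skipped; the exit
# status is 2 if any line was rejected, so a caller can refuse to load.
emit_rules() {
    chain=${2:-CBLK}
    set -- "$1"/*.zone
    [ -f "$1" ] || return 0                 # no zone files: nothing to emit
    awk -v chain="$chain" '
        function valid(s,   a, i) {
            if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) return 0
            split(s, a, "[./]")
            for (i = 1; i <= 4; i++)
                if (length(a[i]) > 3 || a[i] + 0 > 255) return 0
            return (length(a[5]) <= 2 && a[5] + 0 <= 32)
        }
        {
            raw = $0
            sub(/#.*/, "")                      # strip comments
            gsub(/^[ \t\r]+|[ \t\r]+$/, "")     # edge whitespace and DOS CR
        }
        $0 == "" { next }
        valid($0) { print "-A INPUT -s " $0 " -j " chain; next }
        {
            printf("rejected %s:%d: %s\n", FILENAME, FNR, raw) > "/dev/stderr"
            bad = 1
        }
        END { exit (bad ? 2 : 0) }
    ' "$@"
}

# Constructed sample run: two good networks, a bad prefix length and a line
# that tries to carry extra iptables arguments.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# xx.zone' '192.0.2.0/24' '' '198.51.100.0/25 ' \
        '203.0.113.0/33' '192.0.2.0/24 -j ACCEPT' > "$d/xx.zone"
    emit_rules "$d" CBLK
    rc=$?
    rm -rf "$d"
    return "$rc"
}
```

The printed lines use the same rule syntax as the iptables-save output stored in /etc/iptables/tables, so inside the *filter section of such a file they can be loaded by iptables-restore in one pass instead of one iptables call per network.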
Are you looking for something lightweight that still has the most important features you get from a full-blown Emacsen on your system? Then you can try some clones of MicroEmacs or uEmacs, which will usually work for most editing needs. No dependencies, works out of the box even in small projects, and suitable for things like the Raspberry Pi or other such stuff.
For Ubuntu you may want to go here to find a ready-to-use Debian package or the full source as needed:
Remember you can always check the status of Samba using the commands:
# service smbd status
# service nmbd status
I found that they were running and started as they should but still did not accept connections. The bind interfaces in my samba.conf file is the interfaces rather than the IP address but it does not seem to solve the problem. However, restarting Samba did solve the problem and I nailed it down to the "Samba IP sensitivity problem".
Samba really does not like when you use DHCP for the server and even if you set it up so that it always gets the same IP from the DHCP server it does not matter, Samba does not like it.
The simple solution to this is to add the two following lines to the last part of /etc/rc.local, which is the script that runs last upon boot:
service smbd restart
service nmbd restart
However, changing your networking setup to a fixed IP also generally works well; the workaround above is for when you do not want to do that or can't do that.
Another way would be to hook into the DHCP lease script so that when the Samba server gets a new lease, the related daemons are restarted automatically. However, that would also interrupt any service being served at the moment and break long file transfers or streams. I would therefore advise against it.
The best solution so far is to use a fixed IP. The above workaround is a kludge. You have been warned.
So you want to share files over the network with perhaps Windows machines, or you want to be able to have networked file systems that do not require Kerberos to become secure, but there is something fishy going on with your Samba installation?
Read on, here is the recipe to get it going. First of all make sure you have Samba installed. An easy way to check this is to type the following two commands:
# service smbd status
smbd start/running, process 27562
# service nmbd status
nmbd start/running, process 27540
If either of those is not running, please install the samba package on your machine according to your OS recommendations; it may differ slightly depending on Linux distribution.
When you are done with this it’s time to modify the configuration file for Samba. Use your favorite editor (as root) and start by backing up your original configuration file.
# cp -a /etc/samba/smb.conf /etc/samba/smb.bak
Then start your favorite editor and start off with this configuration:
# Comments are on their own lines: Samba only treats # or ; as a comment
# marker at the start of a line, so a trailing comment would become part of the value.
[global]
# change this to be unique on your network
workgroup = WORKGROUP
# there can only be one master
domain master = yes
local master = yes
preferred master = yes
os level = 65
server string = %h server (Samba, Ubuntu)
name resolve order = bcast host
interfaces = 127.0.0.1 lo eth0
bind interfaces only = yes
log file = /var/log/samba/log.%m
max log size = 10000
syslog only = no
syslog = 0
map to guest = bad user
[guest]
comment = networked file system
# set this to your preferred place
path = /mnt/guest
read only = yes
guest ok = yes
[anders]
comment = private file system for anders
# be careful with your home folders
path = /home/anders
read only = no
guest ok = no
valid users = anders
[google-drive]
comment = private file system anders
# another folder requiring password
path = /mnt/raid/google-drive
read only = no
guest ok = no
valid users = anders
[upload]
comment = put your upload here
# something where anyone can upload
path = /mnt/raid/upload
read only = no
valid users = %S
Make sure the folders you have pointed out are actually valid folders. Then create the users needed to access the system:
# smbpasswd -a username
Type the password and create the users needed as per the shares that you have defined above. The valid users = %S means any user in the system can use that if they give the right password. To delete users from your Samba system when no longer needed:
# smbpasswd -x username
The next thing is to restart the name server for Samba and the actual server daemon:
# service nmbd restart
nmbd stop/waiting
nmbd start/running, process 28297
# service smbd restart
smbd stop/waiting
smbd start/running, process 28309
When this is done you should be able to connect giving the right username/password or as a guest if you have created the shares for the guest accounts.
Mounting the smb file system on a command line is done like this:
# mount -t cifs //server.name.or.ip/share /mnt/share -o username=yourname
If needed it will ask for your password also.
To list shares on an SMB server, use the following:
# smbclient -L //server.name.or.ip/ -U user%pass
You can skip -U user%pass if you prefer working as guest.
This should get you up and running easily. It's not sophisticated: you have to manage the passwords manually and they are not synced with the rest of the users on the local machine. That is more complex to set up; this was meant to be a quick starter to get you going.
If you need to list the users in the database (to remove any you do not want any more) you can use the command:
# pdbedit -L
Read the man page for more information.
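Once the shares are defined it is worth listing who can reach what. The following is an added example, not part of the original post: a hypothetical share_audit function that summarises guest access, writability and valid users per share, and flags values that carry a trailing comment. It reads only the parameters used in the configuration above, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. share_audit and audit_demo are
# hypothetical helpers; only parameters used in the configuration above are read.
#
# share_audit FILE prints "<share> guest=<v> writable=<v> users=<list>" per share;
# <v> is yes, no, or ? when the value is not a plain boolean. A "#" after a value
# is not a comment to Samba but part of the value: flagged as INLINE-COMMENT.
share_audit() {
    awk '
        function bool(v) {
            v = tolower(v)
            if (v == "yes" || v == "true" || v == "1") return "yes"
            if (v == "no" || v == "false" || v == "0") return "no"
            return "?"
        }
        function neg(b) { return b == "yes" ? "no" : (b == "no" ? "yes" : "?") }
        function emit() {
            if (name == "") return
            if (tolower(name) == "global") { if (warn != "") print name warn; return }
            print name " guest=" guest " writable=" writable " users=" users warn
        }
        /^[ \t]*([#;]|$)/ { next }                  # comment and blank lines
        /^[ \t]*\[/ {                               # section header
            emit()
            name = $0; gsub(/^[ \t]*\[|\].*$/, "", name)
            guest = "no"; writable = "no"; users = "(any)"; warn = ""
            next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (val ~ /[ \t][#;]/) warn = " INLINE-COMMENT"
            if (key == "guestok" || key == "public") guest = bool(val)
            else if (key == "readonly") writable = neg(bool(val))
            else if (key == "writable" || key == "writeable") writable = bool(val)
            else if (key == "validusers") users = val
        }
        END { emit() }
    ' "$1"
}

# Constructed sample, modelled on two of the shares above.
audit_demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '[global]' 'map to guest = bad user' '[guest]' 'read only = yes' \
        'guest ok = yes' '[anders]' 'path = /home/anders # my home' \
        'read only = no' 'valid users = anders' > "$f"
    share_audit "$f"; rm -f "$f"
}
```

Run it as share_audit /etc/samba/smb.conf after every edit; a share that shows guest=yes together with writable=yes is the one to look at first.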
A small but very cool piece of news is that if you have a Google Hangout going from your phone with your best friend, spouse or anyone really, and you have their number and Google account, you can now choose for each message you reply to whether you want to send it as a traditional Hangout message or as a text (SMS) message.
It is a small but cool feature and hangouts just got even better!
This means that if you cannot reach someone using Hangouts you can immediately resend using SMS instead and so on. It's just great.