Kategoriarkiv: English
New Emacs on old Ubuntu
If you want to install Emacs24 on an older Ubuntu such as 12.04 you can do it manually by adding the following repository and then installing.
First remove the emacsen you have which is probably emacs23
$ sudo apt-get remove emacs emacs23
Then add the new repository and update:
$ sudo add-apt-repository ppa:cassou/emacs $ sudo apt-get update
Then install Emacs24:
$ sudo apt-get install emacs24 emacs24-el emacs24-common-non-dfsg
Creating a SSH chroot jail
So you need to create a place where you can let people in to dump their files using ssh but you do not want them to be poking around in your machine?
Unix is by its own a very open system. You can cd around in most places and looka at what is installed where, even read a lot of the configuration files in /etc and what not. Also by default in many systems you are allowed to peek into other users home directories even if you can’t change something you can get a lot of info from them and even cp the whole thing. Unless they’ve changed permissions.
This is written for Ubuntu by the way, but most modern Linuxen would work very similar to this and SSH is pretty standard so is most of the other things in here. If you have any problems you can let me know in the comment section.
Let’s say you have a friend who wants to put his backups on your machine and you want to put yours on his but you don’t want him to see what else you have on there. You need to create a chrooted environment for the guy when he logs on.
Here is how you do this.
First of all you need to decide where to place your ”jail”. The jail is the root in the chrooted environment, we will refer to this as a jail throughout this article. The jail can be put in /var/jail or somewhere similar perhaps you prefer /mnt/jail and mount it on a separate volume alltogether or why not make use of /opt/jail. Whatever you decide is fine.
You need to create your jail and a few other top level directories first. Let’s first gain root privileges:
$ sudo bash
Now create a directory structure
# cd /var
# mkdir -p jail/{dev,bin,home,etc,lib}
# chown -R root:root jail
Next step is to creat the /dev/null file as this is needed by many things…
# mknod -m 666 /var/jail/dev/null c 1 3
Next step is to copy some needed files from /etc into the jailed etc:
# cd /var/jail/etc # cp /etc/ld.so.cache . # cp /etc/ld.so.conf . # cp /etc/nsswitch.conf . # cp /etc/hosts .
You can not link to the /etc real files because they would loop when you actually chroot… so that won’t work.
It’s now time to give the guys something to do in the jail. You need to add bash as a minimum at least. Whatever else you want to add also is okay, but don’t add too many commands. We will add the following commands: bash, rsync, ls, less, gzip, bzip2.
# cd /var/jail/bin
# cp /bin/{bash,ls,gzip,bzip2} .
# cp /usr/bin {rsync,less} .
Now you need to get your libraries over to the lib in the chroot. You can either figure out one by one which are needed by using the ldd command on each of our commands in the bin directory but that takes far too long. Let’s just throw them in there:
# cp -r /lib/* /var/jail/lib/
Create the chrooted user in the system: (In all the following [username] means the actual user name you want to add to the system. Your first one is probably a test user.)
# adduser -b /var/jail/home [username]
Then create his home dir:
# mkdir /var/jail/home/[username] # chown -R username:username /var/jail/home/[username] # chmod 700 /var/jail/home/[username]
When all this is done you need to tell SSH to put the user in jail when he logs on to your system. This is done by adding the following at the END OF THE FILE /etc/ssh/sshd_config:
Match User [username]
chrootdirectory /var/jail/
X11Forwarding no
AllowTcpForwarding no
AuthorizedKeysFile /var/jail/home/%u/.ssh/authorized_keys
That last part, the AuthorizedKeysFile is not needed if you do password logins, but if you want to be able to do rsa/dsa key logins with SSH you need to put that line in there, otherwise SSH will look for the keys in the wrong place!
If you are addin SSH keys also, you should do the following:
# cd /var/jail/home/[username] # mkdir .ssh # chown [username]:[username] .ssh # chmod 700 .ssh
Then put the authorized_keys in there and chown it to the username and chmod it to 600 and it should work out of the box.
Christmas Greetings
Who has access to my Google Drive?
If you, like myself, rellay like the Google Drive and it’s abitlity to co-operate on a seamless basis no matter what operating system or office version the other parties are using and if you share entire folders or certain files with people from time to time it can after a while become rather difficult to keep track on these shares.
Maybe you sometimes share with someones email address or you may share a link to the document with a bunch of people. It is a good idea to go through your shares and revoke all that are not supposed to apply any more from time to time.
There isn’t’ an easy builtin tool to do this into the Google Drive but I hope we will get this one day. In the mean time there is an additiona tool that you may use: https://whohasaccess.com/ which is a third party app that will (after your permission) scan your google drive folders, create a report on the permissions you have set.
You can then use this report to review your sharing options and change them accordingly and when you are done you may also delete your data at the third party.
However, if your data is really sensitive you should think about using a third party app like this access to it. But if it is normal personal stuff we all put together and it’s not something that is sensitive commercially or worse it is a pretty good feature. I do hope Google Drive people would include this function in the normal Google Drive menu soon however. The service resides in Germany and is thus bound with the data protection act of Bundesrepublik Deutschland which is a little comforting.
Gone to Tallinn / Vi far till Tallinn
We are going to Tallinn for a cruise over the weekend. Be back in business on Monday again, but if you should need to get hold of me, use my private number in the weekend as I am leaving the work phone at home.
Vi reser till Tallinn på en kryssning över helgen. Återkommer måndag morgon igen men om du behöver få tag i mig, använd min privata telefon eftersom jag kommer lämna arbetstelefonen hemma.
Systemd?
IP-Tables control of traffic by Country
Recently I have had quite a few bouts with people trying all sorts of nefarious things with my VPS from various places in the world. I realized the best way is to take whole countries out of the equation and I wanted to make this a nice easy way of doing this.
First of all, I soon realized that I needed to be a little bit restrictive but since some of the domains that runs on the server is probably legitimately accessed I wanted to divide all countries up in three categories:
0 – No restrictions
1 – Restricted access, basically just allowing ICMP and http on port 80
2 – Complete blocking, drop all packets
So countries in the 0 class would be Sweden and all countries where there is a reasonable legal system and where I have not yet seen too many attempts on the security from. Class 1 would be places like Russia, where there are legit traffic but also a lot of crap coming from and Class 2 would be china where there is likely no legit traffic and still a lot of attempts on the security.
First of all, you need to get hold of a zone file divided on country by country. This is also called a CIDR file (Classless Internet Domain Routing) where all the IP blocks assigned on an international level are put in the right file. You can find this here. Just download the file with all the blocks in and keep it somewhere. You may want to refresh this now and then, say on a montly basis or so.
I am assuming you already have an iptables script file and that you are just looking at adding this functionality. Open the script file and add the following to it
# Loop over all lists of banned networks
# Any rules below this will not work on these ranges as they will
# drop before they reach any other rule. If you want to open some ports
# even for banned countries, then you need to put those rules in front
# of this rule!
echo "Kill line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/banned-hosts/*
do
echo "Processing k-line file $f..."
while read p
do
$IPTABLES -A INPUT -s $p -j CBLK
done < $f
done
This script should be placed before any rules that will allow any traffic what so ever!
After this part you place the rules that allows any traffic you wish to allow from the restricted countries and then you place this after those rules:
# Restricted hosts here from CIDR files in the restricted session
# these guys will only be able to do ICMP and http, nothing else
# and that should be quite a few countries
echo "Restrict line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/restricted-hosts/*
do
echo "Processing r-line file $f..."
while read p
do
$IPTABLES -A INPUT -s $p -j CBLK
done < $f
done
Now you should create the following directories:
sudo mkdir /etc/iptables sudo mkdir /etc/iptables/banned-hosts/ sudo mkdir /etc/iptables/restricted-hosts/
Explode the file you downloaded with all the IP Blocks in country by country into the /etc/iptables/banned-hosts/ directory and you should get a bunch of files called af.zone, al.zone and so on. Each of these referrs to a ISO 2 letter country code.
Do not run the iptables script at this point. Start by removing the file for your own country. In my case that would be se.zone for Sweden. Your mileage may vary here. Refer to this page if you do not know the country codes (which are the same as these countries internet domains).
Delete the files that you do not wish to impose any restrictions on.
Move the files for the countries you want to restrict to the /etc/iptables/restricted-hosts/ dir.
Anything remaining when you are done in the /etc/iptables/banned-hosts/ will be denied access when you run your iptables script.
So run the script now, it may take some time.
When you are done run the command iptables-save > /etc/iptables/tables to save your iptables then add the line in /etc/rc.local or some other similar place iptables-restore < /etc/iptables/tables in order to automatically load your tables on boot time.
Full example
echo "### IP-tables ###"
IPTABLES=/sbin/iptables
echo "Default policies."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
echo "Flushing old rules"
$IPTABLES -F
$IPTABLES -X
echo "Create LOGDROP chain"
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG --log-prefix "IPT: DROP " --log-level 7
$IPTABLES -A LOGDROP -j DROP
echo "Create LOGACCEPT chain"
$IPTABLES -N LOGACCEPT
$IPTABLES -A LOGACCEPT -j LOG --log-prefix "IPT: ACCEPT " --log-level 7
$IPTABLES -A LOGACCEPT -j ACCEPT
echo "Create INVALIDDROP chain"
$IPTABLES -N INVALIDDROP
$IPTABLES -A INVALIDDROP -j LOG --log-prefix "IPT: INVALID " --log-level 7
$IPTABLES -A INVALIDDROP -j DROP
echo "Killfile certain IP chain"
$IPTABLES -N BANNED
$IPTABLES -A BANNED -j LOG --log-prefix "IPT: BANNED " --log-level 7
$IPTABLES -A BANNED -j DROP
echo "Create a country block chain"
$IPTABLES -N CBLK
$IPTABLES -A CBLK -j LOG --log-prefix "IPT: CBLK " --log-level 7
$IPTABLES -A CBLK -j DROP
# Loop over all lists of banned networks
# Any rules below this will not work on these ranges as they will
# drop before they reach any other rule. If you want to open some ports
# even for banned countries, then you need to put those rules in front
# of this rule!
echo "Kill line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/banned-hosts/*
do
echo "Processing k-line file $f..."
while read p
do
$IPTABLES -A INPUT -s $p -j CBLK
done < $f
done
echo "Enabling ICMP"
$IPTABLES -A INPUT -p icmp -j LOGACCEPT
$IPTABLES -A OUTPUT -p icmp -j LOGACCEPT
echo "Enabling http on standard port"
$IPTABLES -A INPUT -p tcp --dport http -m state --state NEW -j LOGACCEPT
$IPTABLES -A INPUT -p tcp --dport http -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport http -m state --state ESTABLISHED -j ACCEPT
# Restricted hosts here from CIDR files in the restricted session
# these guys will only be able to do ICMP and http, nothing else
# and that should be quite a few countries
echo "Restrict line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/restricted-hosts/*
do
echo "Processing r-line file $f..."
while read p
do
$IPTABLES -A INPUT -s $p -j CBLK
done < $f
done
echo "Dropping invalid packets"
$IPTABLES -A INPUT -m state --state INVALID -j INVALIDDROP
echo "Enabling DNS server connections."
$IPTABLES -A INPUT -p tcp --sport domain -j ACCEPT
$IPTABLES -A INPUT -p udp --sport domain -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport domain -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport domain -j ACCEPT
echo "Enabling NTP server connections."
$IPTABLES -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state NEW -j LOGACCEPT
echo "Applying rules for inbound and outbound ssh"
$IPTABLES -A INPUT -p tcp --dport gopher -m state --state NEW -j LOGACCEPT
$IPTABLES -A INPUT -p tcp --dport gopher -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport gopher -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport gopher -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport gopher -m state --state NEW -j LOGACCEPT
$IPTABLES -A OUTPUT -p tcp --dport gopher -m state --state ESTABLISHED -j ACCEPT
echo "Applying rules for outbound ssh standard port"
$IPTABLES -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -m state --state NEW -j LOGACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
echo "Enabling https traffic out from this machine"
$IPTABLES -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 443 -m state --state NEW -j LOGACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -m state --state NEW -j LOGACCEPT
echo "Dropping all other input packets."
$IPTABLES -A INPUT -j LOGDROP
echo "Done."
echo "IPV6 setting policy"
/sbin/ip6tables -P INPUT DROP
/sbin/ip6tables -P OUTPUT DROP
/sbin/ip6tables -P FORWARD DROP
echo "IPV6 flushing tables"
/sbin/ip6tables -F
echo "IPV6 Done."
Perfection in a little box
Look at this thing that hold 6 soda or beer cans with a specially designed ice pack that keeps them cool in the box the whole day. Is it not just perfection in a little box? Found in Swedish Biltema the other day by a friend.
MicroEmacs
Are you looking for something light weight but still has the most important features you get from a full-blown Emacsen in your system? Then you can try some clones of MicroEmacs or uEmacs which will usually work for most editing needs. No dependencies and works out of the box even in small projects and suitable for things like Raspberry Pi or other such stuff.
For Ubuntu you may want to go here to find a debian packaged ready to use package or the full source as needed:
http://jamesie.de/microemacs/index.en.html