Older blog entries for yeupou (starting at number 125)

Securing and improving internet services, including SSH and SMTP, using xinetd

As stated by its manpage, xinetd performs the same function as inetd: it starts programs that provide Internet services. Instead of having such servers started at system initialization time, and be dormant until a connection request arrives, xinetd is the only daemon process started and it listens on all service ports for the services listed in its configuration file. When a request comes in, xinetd starts the appropriate server. Because of the way it operates, xinetd (as well as inetd) is also referred to as a super-server.

The X in the name stands for extended, which means the following applies to xinetd, not to openbsd-inetd :)

Still according to its manpage, so far the only reason for the existence of a super-server was to conserve system resources by avoiding forking a lot of processes. While fulfilling this function, xinetd takes advantage of the idea of a super-server to provide features such as access control and logging. Some people will say, and they’ll be right, that running all services through a wrapper implies some kind of overhead rather than conserving resources: it does conserve resources by avoiding running concurrently as many services as the server offers, true, but that makes no sense on a server with a wide audience, where there are enough users that all services are almost always running concurrently anyway. In that case, it is correct to assume that a standalone server for each service is more efficient.

But, and that’s the point, access control makes a difference. Sure, standalone servers have access control too. OpenSSH does, and using OpenSSH via xinetd should not discourage you from looking into /etc/ssh/sshd_config. Nonetheless, xinetd access control applies to any service running through it. And that’s prett-ay, pretty good. For instance, you do not need to configure each standalone server to be hardened enough against DDoS: if xinetd is, you should be fine.

So let’s get to business. We assume here that you have xinetd up and running. That shouldn’t be a big deal, xinetd is standard on many GNU/Linux systems.

Normally, you should have a /etc/xinetd.d directory where you can add bits of config for xinetd (if it does not exist, you can still use the default config file /etc/xinetd.conf).

There you have the basic standard stuff: chargen, daytime, discard, echo, time. If you do not want to provide these, make sure each entry in these files has the line:

disable = yes

For each of the following examples to work, you must shut down the corresponding standalone server, otherwise the service port won’t be available to xinetd. Also, in the following examples, you’ll have to edit the IPs according to your network.

This is for OpenSSH, with a specific port for root login (probably a nuisance on a remote server that is supposed to be frequently accessed as root, but a safe pick for a local network server rarely accessed as root from the web):

# To work, sshd must not run by itself,
# so /etc/ssh/sshd_not_to_be_run
# should exist

# allows unrestricted SSH only to local network
service ssh
{
socket_type = stream
protocol = tcp
wait = no
user = root
bind = 192.168.0.1
only_from = 192.168.0.0
server = /usr/sbin/sshd
server_args = -i
}

# allows SSH from the web but restricted to users listed
# (root being forcefully disallowed)
# restrict also to only 5 connections per IP (per-source)
# and limit the rate of incoming connections (cps)
service ssh
{
socket_type = stream
protocol = tcp
port = 22
wait = no
user = root
bind = 88.???.???.???
server = /usr/sbin/sshd
server_args = -i -o PermitRootLogin=no -o AllowUsers=thisuser
cps = 30 10
per_source = 5
log_on_success = HOST USERID
}

# allow SSH from the web only for root, on port 33333
# requires /etc/services to include lines:
# rootexternalssh 33333/tcp
# rootexternalssh 33333/udp
service rootexternalssh
{
socket_type = stream
protocol = tcp
port = 33333
wait = no
user = root
server = /usr/sbin/sshd
server_args = -i -p 33333 -o AllowUsers=root
cps = 30 10
per_source = 3
log_on_success = HOST USERID
}

This is for Dovecot, an IMAPS server. This setup listens on the local network only. You can easily tune it following the examples given above:


service imaps
{
socket_type = stream
protocol = tcp
wait = no
user = root
bind = 192.168.0.1 127.0.0.1
only_from = 192.168.0.0 127.0.0.1
server = /usr/lib/dovecot/imap-login
flags = IPv4
server_args = --ssl
}

I won’t provide an exhaustive list of services that you can run with xinetd. You can surely find for yourself what suits you best! :) But the presentation wouldn’t be complete if I skipped traps. Yes, you can set up traps with xinetd. For instance, if you do not use ftp, irc, telnetd, etc., you can safely assume that someone trying to connect to these service ports is trying to do something he shouldn’t. And you can then decide to disallow further connections from that source.


# bind must be set so we do not shut off clients from the
# local network that made a dumb scan
service ftp
{
socket_type = stream
wait = no
user = root
bind = 88.???.???.???
flags = SENSOR
type = INTERNAL
log_on_success = HOST PID
deny_time = 1440
}

service sftp
{
socket_type = stream
wait = no
user = root
bind = 88.???.???.???
flags = SENSOR
type = INTERNAL
log_on_success = HOST PID
deny_time = 1440
}

service irc
{
socket_type = stream
wait = no
user = root
bind = 88.???.???.???
flags = SENSOR
type = INTERNAL
log_on_success = HOST PID
deny_time = 1440
}

service telnet
{
socket_type = stream
wait = no
user = root
bind = 88.???.???.???
flags = SENSOR
type = INTERNAL
log_on_success = HOST PID
deny_time = 1440
}
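As an added example (my own code, not part of the original post and not xinetd’s own tooling), here is a small Python linter that parses stanzas in the layout used above and reports the points this text insists on: a stanza with neither bind nor only_from, a service not restricted by only_from but lacking cps and per_source, and a SENSOR trap without bind (which would ban a local host that made a dumb scan) or without deny_time. The parser, the rule set and the sample stanzas it checks are my own assumptions; the attribute names are the real xinetd ones used on this page, plus interface, xinetd’s synonym for bind.

```python
import re
import sys
from typing import Dict, List

# Constructed sample (not from the post): an internet-facing sshd with no
# rate limits, a trap that forgot bind, and a properly restricted imaps.
SAMPLE_CONFIG = """\
# internet-facing sshd, nothing limits who connects or how often
service ssh
{
    socket_type = stream
    protocol = tcp
    wait = no
    user = root
    server = /usr/sbin/sshd
    server_args = -i -o PermitRootLogin=no
}

# trap: bind is missing, so a scan from the LAN would ban a LAN host
service ftp
{
    socket_type = stream
    wait = no
    user = root
    flags = SENSOR
    type = INTERNAL
    deny_time = 1440
}

service imaps
{
    socket_type = stream
    protocol = tcp
    wait = no
    user = root
    bind = 192.168.0.1 127.0.0.1
    only_from = 192.168.0.0 127.0.0.1
    server = /usr/lib/dovecot/imap-login
    server_args = --ssl
}
"""

STANZA_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"(\w+)\s*(\+=|-=|=)\s*(.*)")


def parse_xinetd(text: str) -> List[Dict[str, str]]:
    """One dict per 'service name { ... }' stanza; the name is kept under 'service'."""
    # drop comments first so a brace inside a comment cannot end a stanza
    cleaned = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    services = []
    for name, body in STANZA_RE.findall(cleaned):
        attrs = {"service": name}
        for raw in body.splitlines():
            line = raw.strip()
            if not line:
                continue
            m = ATTR_RE.fullmatch(line)
            if not m:
                raise ValueError(f"{name}: cannot parse {line!r}")
            key, op, value = m.group(1), m.group(2), m.group(3).strip()
            if op == "=" or key not in attrs:
                attrs[key] = value if op != "-=" else ""
            elif op == "+=":
                attrs[key] = f"{attrs[key]} {value}"
            else:  # -= removes listed values from a space-separated list
                attrs[key] = " ".join(v for v in attrs[key].split() if v not in value.split())
        services.append(attrs)
    return services


def lint_service(svc: Dict[str, str]) -> List[str]:
    """Findings for one stanza, following the points made in the post."""
    name = svc["service"]
    if svc.get("disable", "no").strip().lower() == "yes":
        return []                      # a disabled service exposes nothing
    has_bind = "bind" in svc or "interface" in svc
    findings = []
    if "SENSOR" in svc.get("flags", "").upper().split():
        if not has_bind:
            findings.append(f"{name}: SENSOR trap without bind, a scan from the LAN would ban a LAN host")
        if "deny_time" not in svc:
            findings.append(f"{name}: SENSOR trap without deny_time, ban duration left to xinetd's default")
        return findings
    if not has_bind and "only_from" not in svc:
        findings.append(f"{name}: neither bind nor only_from, reachable on every address by anyone")
    if "only_from" not in svc:
        # not restricted to a network: the post sets cps and per_source on such services
        for key in ("cps", "per_source"):
            if key not in svc:
                findings.append(f"{name}: not restricted by only_from but {key} is unset")
    return findings


def lint(text: str) -> List[str]:
    return [f for svc in parse_xinetd(text) for f in lint_service(svc)]


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in lint(data) or ["no findings"]:
        print(finding)
```

Run it with a path such as /etc/xinetd.d/ssh as argument, or with no argument to check the embedded sample. The rules are deliberately narrow: a missing log_on_success is not reported, because xinetd takes that from the defaults section, and a finding is a prompt to look at the stanza, not proof of a problem.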

These are basic examples. You can do more.

For instance, I wrote SeeYouLater, denying access to spammers with hosts.deny, a production-ready Perl program that looks in the SMTP daemon logs for identified spam source IPs and then bans them via /etc/hosts.deny (which xinetd handles).
With the SMTP daemon run through xinetd, any identified spam source will no longer even be able to connect (which presents plenty of advantages).
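The idea behind that tool, as an added illustration (my own simplified code, not SeeYouLater itself and not part of the original post): read the SMTP daemon’s log, count rejections per client address, and turn repeat offenders into /etc/hosts.deny entries, which libwrap, and so xinetd, honours. The log layout below is a constructed approximation of exim’s one-line-per-event mainlog, and the threshold of three rejections and the list of local networks that are never banned are my own assumptions.

```python
import ipaddress
import re
from collections import Counter
from typing import Iterable, List

# Constructed sample log (not a real one), loosely modelled on exim's mainlog:
# a remote source rejected three times, a LAN client rejected three times
# (a misconfigured local machine), and a remote source rejected once.
SAMPLE_LOG = """\
2010-03-14 21:00:01 H=(mx.example) [203.0.113.7] F=<spam@example.net> rejected RCPT <bob@example.org>: relay not permitted
2010-03-14 21:00:09 1NqXyz-0001Ab-2C <= alice@example.org H=[192.168.0.5] P=esmtp S=1337
2010-03-14 21:00:15 H=(mx.example) [203.0.113.7] F=<spam@example.net> rejected RCPT <carol@example.org>: relay not permitted
2010-03-14 21:01:30 H=(other) [203.0.113.7] F=<spam@example.net> rejected RCPT <dave@example.org>: relay not permitted
2010-03-14 21:02:00 H=(lanpc) [192.168.0.5] F=<z@example.org> rejected RCPT <erin@example.org>: relay not permitted
2010-03-14 21:02:03 H=(lanpc) [192.168.0.5] F=<z@example.org> rejected RCPT <erin@example.org>: relay not permitted
2010-03-14 21:02:07 H=(lanpc) [192.168.0.5] F=<z@example.org> rejected RCPT <erin@example.org>: relay not permitted
2010-03-14 21:03:00 H=(y) [198.51.100.4] F=<a@example.com> rejected RCPT <f@example.org>: Sender verify failed
"""

# a rejection line: the client address in brackets, then the word "rejected"
REJECT_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\].*\brejected\b")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# assumption: the post's LAN and loopback; these must never end up banned
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/24")]


def count_rejections(log_text: str) -> Counter:
    """Number of 'rejected' events per client address."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def is_local(ip: str, local_nets=LOCAL_NETS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in local_nets)


def new_deny_entries(log_text: str, existing_hosts_deny: str = "",
                     threshold: int = 3, local_nets=LOCAL_NETS) -> List[str]:
    """hosts.deny lines ('ALL: addr') for sources rejected at least `threshold`
    times, skipping local networks and addresses already listed."""
    already = set(IPV4_RE.findall(existing_hosts_deny))
    counts = count_rejections(log_text)
    return sorted(
        f"ALL: {ip}" for ip, n in counts.items()
        if n >= threshold and ip not in already and not is_local(ip, local_nets)
    )


def merged_hosts_deny(existing: str, entries: Iterable[str]) -> str:
    """The existing file text with the new entries appended, one per line."""
    text = existing if not existing or existing.endswith("\n") else existing + "\n"
    return text + "".join(f"{e}\n" for e in entries)


if __name__ == "__main__":
    for entry in new_deny_entries(SAMPLE_LOG):
        print(entry)
```

Writing the merged text back to /etc/hosts.deny is left to the caller, after review. The local-network exclusion mirrors the bind caveat on the trap entries above: a misconfigured local client must not lock the whole LAN out of every wrapped service.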

I’d like to mention that I ran xinetd on the Gna! main servers (for mail with exim, for CVS/SVN/Arch, etc.; the mail server was moved since and I did not follow the way it is set up now) and the overhead mentioned above was unnoticeable, while the number of connections per minute was quite a bit higher than what you would expect on a small business network server or whatever.


Syndicated 2010-03-14 21:02:05 from # cd /scratch

Next Step towards GNUStep within KDE

Back in the days when I started using GNU/Linux, the only user-friendly desktop environment available was KDE 1. So I started using KDE 1. Afterwards, considering the license issue of Qt (which was not Libre Software at that time), which KDE was depending on, and considering the progress being made by the GNOME project, I switched to GNOME 1.

Then, my brother Philippe advised me to give WindowMaker a try. I did. At first, I was puzzled. But finally, I adopted this desktop environment inspired by NeXTSTEP. The main point is to kick out the taskbar and the big start menu and, instead, go through apps with a right or middle click on the desk, and have each important app get a dock icon, which can be used to launch the app or to show it if already launched.

Years afterwards, WindowMaker seemed to no longer make any progress and I wanted a modern desktop environment. Which means I wanted a desktop environment in which every piece of software is neatly integrated, where configuring new features was easy, while toying with both WPrefs and wmakerconf was not. And Qt was freed. So I went back to KDE. GNOME was no longer an option, as I do not trust GNOME leaders like Miguel De Icaza to make the right decisions (the Nautilus and Eazel story was revealing enough for me: trying to behave corporatish, they chose the worst software to be the GNOME file manager, but they did so while it wasn’t even coded, they only trusted a newly founded company made by people with no experience in Libre Software to do the right and good thing, and it was no surprise to me when HelixCode/Ximian/whatever-crap-it-is-renamed started to sell proprietary software under the denomination commercial software after implementing .NET; I expected nothing more from people talking about Open Source mumbo-jumbo ESR style, instead of Free Software, while they were getting popular just because of their involvement in a GNU project). KDE is powerful, rock-solid. But it is also über-conventional. They know what is working well in MS Windows, they clone it, improve it and release it. Moreover, KDE tries to address a broad audience, so KDE is made to seem familiar even to people having no clue about GNU/Linux. Moving back to KDE meant losing the interesting design of WindowMaker.

Then, I had the opportunity to look at an Apple MacBook Pro. The dock, for good reasons, reminded me of WindowMaker. And finally, I found Daisy. It is a clone of the Mac OS X dock, it works like the WindowMaker dock. But it is a plasmoid for KDE. It’s just a bit clumsier to set up (no easy drag and drop) and prone to bugs (sometimes, a click on the dock app launcher starts two instances). But it works. And I trashed once more the taskbar I definitely do not like.

KDE with Daisy, WindowMaker/Mac Os X style!

There is no Debian package, so I went to Ubuntu plasma-widget-daisy page. There, I downloaded the source tarball and the debian part (which contains the debian folder necessary to built the package). I extracted them all in a temporary directory. Then:

1/ I edited the debian/changelog file to add a new entry.

2/ I edited “Build-Depends:” in the debian/control file to depend on the pkg-kde-tools version that comes with my system (Debian unstable).

3/ I installed the dependencies necessary to build the package; as the package was not in Debian trunk, I made the guess that it had the same deps as the similar package plasma-widget-ktorrent:

# apt-get build-dep plasma-widget-ktorrent

4/ I rebuilt it:

$ dpkg-buildpackage -rfakeroot

5/ Then I installed the package.

You can fetch my plasma-widget-daisy_0.0.4.22a-0ubuntu2-fordebian1_amd64.deb package built against debian sid (unstable) for an amd64 architecture.

I also posted a RFP (request for packaging) against wnpp in debian BTS (bug tracking system).


Syndicated 2010-03-08 12:16:46 from # cd /scratch

Watching the Freebox’s TV stream on a workstation in a software-independent way

There are plenty of ways to get a TV broadcast on a workstation. You can browse TV show websites that provide it. You can use software like VLC that will connect to whatever server (which may be an ISP router) serves such a broadcast.

The Freebox is some kind of ADSL modem/router, modern enough even to carry a hard disk, provided by the French ISP Free.fr. The Freebox provides several output plugs for the video stream: HDMI, S-Video, digital audio and one called “TV”.

Freebox available plugs

What is of interest to me is to make use of my Freebox stream with my workstation just as if it were a mere TV set. I do not want to use a specific piece of software that will connect to whatever address, I do not want to use a specific video player. I just want to mimic the TV-set behavior. Furthermore, it should run on whatever operating system: Debian GNU/Linux, obviously, since that’s what I’m using, but any other one if wanted.

If I were using a real TV set, I would have two options: using the HDMI plug, if my TV set supports it, to get a high-quality image; otherwise, using the SCART (called Péritel in France) cable with an adapter in the “TV” plug.

The hardware is, on one end, the Freebox HD, as shipped by Free.fr.
On the other end, the workstation is recent enough, with a modern video controller (ATI Radeon HD 4870) and a “hybrid video recorder” (WinTV-HVR-1300, sold in Europe), which in its producer’s marketing means that it supports both analog and digital streams. But actually, it does not, since all its video input plugs are analog (composite video and S-Video).

Hauppauge PVR-1500

$ lspci | grep VGA
02:00.0 VGA compatible controller: ATI Technologies Inc RV770 [Radeon HD 4870]
$ lspci | grep video
01:08.0 Multimedia video controller: Conexant Systems, Inc. CX23880/1/2/3 PCI Video and Audio Decoder (rev 05)

You will also need an S-Video cable, a “TV” to SCART adapter and an RCA stereo cable.

So, let’s get down to business:

1) Plug the S-Video cable from the Freebox into the WinTV-HVR-1300 (or any similar card that has an S-Video plug). Then you should be able to get video.

S-Video plugged in video recorder PCI card

2) Plug the “TV” to SCART adapter into the “TV” Freebox plug, and connect it with the RCA stereo cable to your tuner or workstation soundcard. This looks clumsy and surely could be improved. Nonetheless, you should then get audio.

RCA stereo plugged in Freebox TV plug via a SCART adaptator

3) Start a video player. For instance, you can use mplayer with the following script:

#!/bin/sh
# -ao null: sound goes directly through the tuner, not through mplayer
# -vo gl2 slurps too much CPU, use xv instead, it is lighter
# we assume the video recorder device is /dev/video0
# we use PAL-BG, assuming that's how the Freebox is configured
# (this is a single command, continued with backslashes)
/usr/bin/mplayer -stop-xscreensaver -aspect 16:10 -ontop \
-dr -vo xv -ao null -framedrop \
-vf pp=fd \
-contrast 10 -brightness 5 -hue 5 -saturation 5 \
-tv mjpeg:norm=PAL-BG:noaudio:driver=v4l2:device=/dev/video0:input=2:width=768:height=576 \
-nocache -quiet 'tv://' -identify

Freebox stream through MPlayer, in KDE

For the sound, it depends whether you plugged the output in a classic tuner or in your workstation soundcard. But that should be easy-going.

Here it works with MPlayer, but it could work with plenty of other video players, dedicated to TV (like KDEtv) or not.
It is also easy to envision how to really record video with this setup (if you have the audio going through your workstation soundcard).
I’m sure there is room for improvement here. I’m not very fond of the idea of going through this SCART / RCA stereo cable. But it works.


Syndicated 2010-03-06 18:29:32 from # cd /scratch

Transport Tycoon nowadays

Do you remember back in the days of 1996/1997, fooling around with Pentium 100 MMX with 32 MB RAM?

A small depot on the way...


Among Cannon Fodder, Dune 2000, Duke 3D, there was Transport Tycoon (Deluxe), « a business simulation game, presented in an isometric view in 2D [...], in which the player is in control of a transport company, and can compete against rival companies to make as much profit as possible by transporting passengers and various goods by road, rail, sea or by air » as described by Wikipedia.

Nice gameplay, nice graphics (considering it was no CGA or EGA) with buildings inspired from Glasgow, it even featured network game ability.

and a cheap train with one purpose...


At that time, networking-wise, I knew nothing but null-modem, which was a real nightmare of instability in conjunction with MS Windows 95. So I enjoyed 1vs1/human vs human once in a while, when it was working. Not to mention that’s the kind of game where it is way easier to fight the AI players, more or less allied (or at least not interfering) with the other human player. Obviously when you spend nearly 30 minutes designing a nice railroad junction, you will easily lose your temper when the guy sitting 3 meters away is messing it up, making it unprofitable and whatever. It is definitely easier to mess with the AI players, which are dumb enough that you can destroy their buses/trucks at will with a tiny train depot placed near their truck depots/destinations and a cheap train. The only issue I ever had with this game is planes: they are way too profitable (at mid-game) with almost no effort, so there is no point in continuing to spend hours laying tracks… but isn’t that the point of the game, to design complicated track layouts? What’s the fun in putting 2 big squares inside busy cities?

After TTD, several games more or less similar were published: Railroad Tycoon (focused on the trains – maybe sharing my opinion about the planes?), Railroad Tycoon 2, Railroad Tycoon 3, Railroads, Chris Sawyer’s Locomotion (this one being made by Chris Sawyer, author of TTD).

I’ve tried them all. Chris Sawyer’s Locomotion is a nicely improved version of TTD: better graphics, slight gameplay improvements. It would have been great if published in 1999/2000. But it was published late in 2004 and way too much user interface progress have been made since then – laying tracks still in the old TTD way was no longer an option.

The Railroad Tycoon (RT) series, in regard to user interface and aesthetics, was clearly superior. Nice scenarii, great country music (this is not a joke), clearly you couldn’t wait to enjoy network play… But you should have. It was buggy, subject to plenty of losses of synchronization, meaning the networked computers lost track of what each other was doing. And, that was a hit when I found out, it handled these losses of sync in the most stupid way: it was simply disregarding the issue, and, unaware, you were continuing to play, laying tracks, whatever, until you found out that you were no longer playing exactly the same game as the other player. You had laid tracks from Seattle to Minneapolis, it was working well, but it existed only in your instance, it would not show up on the other player’s computer. And, at some point, you had a segfault from one or the other instance, probably because of a conflict between the two concurrent ongoing games. Depending on which computer you grabbed the savegame from, to restart where it crashed, you could see the gap between the two concurrent games… This bug was present in the whole RT series. The game support was a joke, a few patches were published (a few days after the RT3 release, which says a lot about the extent of the test cycle the publisher probably made before the release) but none really fixed it. And as it is proprietary software, there is no legal room for improvement.

So far, there is no TTD-like game that fits modern user interface standards while allowing decent network play.

So, here comes OpenTTD. TTD was written 99% in assembler, some lads decided to reverse-engineer it and, tada!, they published the result under the GNU GPL 2.

Internet/LAN play in OpenTTD


Taken from their about page, significant enhancements from the original game include for example: bigger maps (up to 64 times in size), stable multiplayer mode for up to 255 players in 15 companies or as spectators, dedicated server mode and an in-game console for administration, new pathfinding algorithms that makes vehicles go where you want them to, autorail/-road build tool, improved terraforming canals, shiplifts, aqueduct larger, non-uniform stations and the ability to join them together, mammoth and multi-headed trains clone, autoreplace and autoupdate vehicles, possibility to build on slopes and coasts, advanced/conditional orders, share and copy orders, longer and higher bridges including new ones, full flexible tracks/roads under bridge , reworked airport system with many more airports/heliports (i.e. international and metropolitan), presignals, semaphores, path based signalling, support for TTDPatch newgrf features, drive-through road stops for articulated road vehicles and trams, multiple trees on one tile, bribe the town authority, [...] convert rail tool (to e-rail, monorail, and maglev), drag&drop support for almost all tools (demolition, road/rail building/removing, stations, scenario editor…), sorting of most lists based on various criteria (vehicle, station, town, industries, etc.), autoscroll when the mouse is near the edge of the screen/window, cost estimation with the ’shift’ key, etc.

Obtaining content with BaNaNaS inside OpenTTD

In the interface, you can even fetch online new features, scenarii or whatever with BaNaNaS, a content service. And that is the point of this article :)
You can find there two scenarii I’ve made for OpenTTD: one is called France and is a map of France, the other one is called Jungle Urbaine (Paris) and is a map of Paris. In both these maps, industries are placed randomly.

France OpenTTD scenario as available on BaNaNaS


Jungle Urbaine (Paris) OpenTTD scenario as available on BaNaNaS


Syndicated 2010-03-06 14:16:39 from # cd /scratch

Videos with subtitles: SMPlayer can help!

It is always a mess to get the correct subtitle for a given TV-show or movie you obtained.

First, you have to browse allsubtitles, opensubtitles and whatever (some of these sites are full of ads and are even ugly-coded enough to kill your fragile web browser). And afterwards, you may find that, in fact, the subtitle you have relates to another version of the video you are attempting to watch, and this results in delay issues.

Not to mention that you may even use a video player dumb enough to force you to always select the subtitle (.srt, .sub, etc.) by hand each time, even though its name matches the video file name.

There is, finally, a workaround. It is called SMPlayer. It is a frontend to MPlayer that has a menu allowing you to automatically download subtitles or even set, on the fly, the delay for the subtitle file currently in use.

On a decent GNU/Linux system, you could probably do apt-get install smplayer. For Microsoft Windows, go to MPlayer HQ and select download MPlayer with SMPlayer GUI. Mac OS X users… well… should spend some time porting it; it should be so hard.


Syndicated 2010-03-06 04:21:30 from # cd /scratch

Lightest terminal: urxvt in daemon/client mode?

Thinkpad 600E

I still use an old IBM Thinkpad 600E that I bought second hand a decade ago.

It still works. Well, the battery is dead, I added as much RAM as the motherboard can handle (2x 128 MB DIMM modules + 50 MB onboard module, something like that) and I changed, several years ago, the hard drive, replacing the stock one with a more recent one rescued from a short-lived Acer Aspire that belonged to my brother.

It still works. Sure, it is subject to bugs that will probably never get fixed, but none that you can’t work around.

It still works. But… But it is not a very fast computer however. It is not really that it runs slower than in the past. It is not really that we get used to faster computer. The fact is that software developers have not much reasons to write code light enough to run smoothly on this old piece of junk. So they don’t, most of them.

You end up running obsolete software or be very glad to find pieces of software like Midori (lightweight webbrowser based on WebKit).

Yes, yes, I will get to the point.

The point is that whatever you can get can make a difference. I tried to run dash instead of bash. Bleua. That’s fine for scripts. But I cannot live with no completion at all. So I stayed with the Bourne Again Shell. But I had to cut off most of the completions (oh no, the endless scripts in /etc/bash_completion.d) to avoid waiting hours for a shell to start.

So here comes urxvt. urxvt is fast. Like aterm. But it supports UTF-8. And it matters.
But the really nice thing is that urxvt includes a daemon/client mode. You just have to start the daemon at the beginning of the X session, for instance by having the following in ~/.xsession:

#!/bin/dash
# terminal daemon
urxvtd -q -f -o
# desktop
export BROWSER=midori
wmaker

Then, every time you need a terminal, call urxvtc instead of urxvt.

You might also want to add in ~/.Xdefaults something like:
Rxvt*background: gray23
Rxvt*foreground: white
Rxvt*troughColor: gray33
Rxvt*scrollColor: gray13
Rxvt*scrollstyle: plain

Rxvt*visualBell: true
Rxvt*saveLines: 2000
Rxvt*urlLauncher: midori

Rxvt*color12: SkyBlue2

There are no real-life drawbacks that I encountered so far.


Syndicated 2010-03-06 03:51:27 from # cd /scratch

Superkaramba vs gkrellm

I’ve been using gkrellm for several years, with WindowMaker, KDE, whatever desktop environment. Considering how old and venerable it is, clearly, gkrellm does not really fit with nowadays’ eye-candy. So it’s tempting to give whatever may be available a try.

As I run KDE, Superkaramba it must be.

Well, I tried it a year ago already: it was full of transparency effects, composite-whatever-2.0, but it was also clumsy, bloated, and definitely prone to segfault.

I gave it another try today.

Well, I took some time to browse KDE apps for nice Superkaramba widget. Not easy to pick, I must say.

I went for EasyMonitor, mainly because it is modular and easy to tune.

So far, no segfault. And it does not seem to consume too much CPU resources; that’s always the issue to keep in mind, the damn thing is supposed to help checking resource usage, not to burn half of it.

Finally, I customized several files to fit my expectations and limit resources consumption. Here they are: EasyMonitor_Filesystem.theme, EasyMonitor_Memory.theme, EasyMonitor_Network_Interface_eth0.theme, EasyMonitor_Procesor_multi.theme, EasyMonitor_Top.theme. All these files should be put where EasyMonitor is installed, ~/.kde/share/apps/superkaramba/themes/ in my case.


Syndicated 2010-03-06 03:18:26 from # cd /scratch

26 Feb 2010 (updated 26 Feb 2010 at 10:35 UTC) »

Looking for a very fast utf8 xterminal?

Give urxvt a try in daemon/client mode.

For instance, you can have the following in ~/.xsession :


#!/bin/dash
# mouse speed
sleep 5s && xset m 4 &
# terminal daemon
urxvtd -q -f -o
# desktop
export BROWSER=midori
export XDG_CONFIG_HOME=$HOME/.config
lxsession

and then call urxvtc instead of urxvt as your terminal.

You might also want to add in ~/.Xdefaults something like:


Rxvt*background: gray23
Rxvt*foreground: white
Rxvt*troughColor: gray33
Rxvt*scrollColor: gray13
Rxvt*scrollstyle: plain

Rxvt*visualBell: true
Rxvt*saveLines: 2000
Rxvt*urlLauncher: midori

Rxvt*color12: SkyBlue2

So far, I use it on a very old laptop. But I'm considering using it everywhere.

(side note: bash completion is getting bloated... it is best to use dash whenever sufficient; otherwise, on an old computer, you should at least make sure it only runs the default stuff, not every file in /etc/bash_completion.d/)

3 Feb 2010 (updated 3 Feb 2010 at 18:24 UTC) »

1° Getting http://myy.helia.fi/~karte/opml-export-feeds.html to work in order to import akregator feeds into rawdog.

#!/usr/bin/perl
# Prints the feed URLs found in an OPML export (one outline per line);
# with $rawdog_config set, each is printed as a rawdog "feed 30m URL" line.
use strict;
use warnings;

my $rawdog_config = 1;    # set to 0 to print bare URLs only
my $opml = shift @ARGV or die "usage: $0 feeds.opml\n";
open(my $fh, '<', $opml) or die "cannot open $opml: $!\n";
while (<$fh>) {
    next unless /xmlUrl="([^"]+)"/;
    my $xmlUrl = $1;
    print "feed 30m " if $rawdog_config;
    print "$xmlUrl\n";
}
close $fh;

2° trying hard to post this on advogato with konqueror - no luck, I had to do it with iceweasel to avoid getting part of the entry to go in limbo with no explanation.

