Expat-IT Tech Bits

    This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

    Sat, 30 Jul 2011


    /Security/skype: Skype Has Been Compromised

    Skype can no longer be trusted. Truth is, because Skype is closed-source commercial software, they could never be fully trusted anyway, but now there is proof of their misdeeds. Canadian researchers were able to gain access to several misconfigured servers in China which contained millions of Skype text messages, along with the IDs of those who sent them[1][6].

    For years now, Skype has published a Chinese version of their software on tom.com[4]. Apparently it is this version that is logging conversations and passing them on to the Chinese government. And even Skype themselves admit[3] that that includes conversations between a Chinese version of Skype and non-Chinese versions. At this point, there is no evidence that voice communications have also been compromised. But then, at this point, one must assume Skype's credibility as a provider of secure communications to be absolutely zero.

    If you insist on using Skype, please do not download from tom.com. For text communications, may I suggest Pidgin[5]. I have heard of alternatives for secure voice communication, but have not yet had a chance to try them....

    [1] http://www.tgdaily.com/content/view/39577/108/
    [2] http://www.chinapost.com.tw/business/asia/%20china/2008/10/04/177302/Skype’s-China.htm
    [3] http://share.skype.com/sites/en/2008/10/answers_to_some_commonly_asked.html
    [4] http://skype.tom.com/
    [5] http://blog.langex.net/index.cgi/Security/IMchat/
    [6] https://www.eff.org/deeplinks/2008/10/chinese-skype-client-hands-confidential-communicat

    posted at: 04:54 | path: /Security/skype | permanent link to this entry

    Fri, 29 Jul 2011


    /Admin: Apt-Cacher-NG: Caching Downloaded .deb Packages

    This is a polite thing to do if you have multiple machines running the same distribution on your network since it takes some of the stress off of the distribution's mirrors. It is also the right thing to do, as you do not waste bandwidth, and in places where bandwidth sucks, you also save a lot of time waiting for downloads.

    I used to use apt-move for this, but it has recently stopped working, and is also orphaned. apt-cacher-ng[1] would appear to be a more elegant solution, and seems to work out of the box with the default configuration. All I did on the server side (where apt-cacher-ng is actually installed) is open port 3142 in the firewall, and add this line to /etc/apt/apt.conf:

    Acquire::http { Proxy "http://127.0.0.1:3142"; };

    which forces all apt network traffic to go to apt-cacher-ng on the designated port. On the client side, I added this line to /etc/apt/apt.conf:

    Acquire::http { Proxy "http://lenovo:3142"; };

    where "lenovo" is the name of my apt-cacher-ng server in /etc/hosts. With these two settings, all packages downloaded to either server or client are saved in the cache for future use.

    Note that on the server if you point your browser at

    http://localhost:3142/acng-report.html

    you will find some cache statistics, and a function for cleaning stale files out of the cache.

    [1] http://www.unix-ag.uni-kl.de/~bloch/acng/

    posted at: 08:31 | path: /Admin | permanent link to this entry

    Wed, 20 Jul 2011


    /Admin/iptables: Build A Router With iptables

    This[1] is a deeper reference, but it did not quite get the job done for me. (Nor did a lot of other recipes I looked at either, for that matter....) The "Example Scenario: SOHO" here[2] got me a working router.

    First make sure forwarding is enabled in your router OS. The standard way to do this on Debian is to edit /etc/sysctl.conf to turn on net.ipv4.ip_forward. My machine is not a full-time router, so I added a


    up echo 1 > /proc/sys/net/ipv4/ip_forward

    line to the /etc/network/interfaces clause that brings up my internal LAN interface, ie.

    iface static inet static
      address 10.1.1.1
      netmask 255.255.255.0
      network 10.1.1.0
      broadcast 10.1.1.255
      up echo 1 > /proc/sys/net/ipv4/ip_forward

    Then I added these lines to my "basic firewall":

    -A POSTROUTING -o eth0 -j MASQUERADE
    
    -A INPUT -s 10.1.1.0/24 -i eth4 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.1.1.0/24 -i eth4 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A FORWARD -d 10.1.1.0/24 -i eth0 -m state --state ESTABLISHED -j ACCEPT
    -A OUTPUT -d 10.1.1.0/24 -o eth4 -m state --state NEW,ESTABLISHED -j ACCEPT
    

    where eth0 is the outward/WAN interface, eth4 is the inward/LAN interface, and 10.1.1.0/24 is the IP address block used on the LAN. Note that only ESTABLISHED, not NEW, connections are allowed to come in on eth0/WAN.

    To configure DHCP[3] add this line to rules.v4:

    -A INPUT -i eth4 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT

    and

    apt-get install dnsmasq

    Just configure the dhcp-range in /etc/dnsmasq.conf, ie.

    dhcp-range=10.1.1.50,10.1.1.150,12h

    and it should be all ready to go.
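
The rules from the steps above laid out as one iptables-save style file, with a check of the property the post points out: only ESTABLISHED, not NEW, traffic may enter on the WAN side. This is an added example, not the author's own script. The function names gen_rules and wan_admits_new are made up here, and the DROP policies stand in for the "basic firewall", which the post does not show.

```shell
#!/bin/sh
# Added example: names, policies and the temp file are assumptions, not from the post.

# Print the post's rules in iptables-save layout: MASQUERADE belongs to the
# nat table, the ACCEPT rules to the filter table.
gen_rules() {  # $1 = WAN iface, $2 = LAN iface, $3 = LAN subnet
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s $3 -i $2 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $2 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A FORWARD -s $3 -i $2 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -d $3 -i $1 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d $3 -o $2 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Succeed (exit 0) and print the rule if any INPUT/FORWARD ACCEPT rule that
# applies to the WAN interface (or to every interface) has no state match or
# lists NEW. Negated matches ("!") are not handled.
wan_admits_new() {  # $1 = rules file, $2 = WAN iface
    awk -v wan="$2" '
        /^-A (INPUT|FORWARD) / && /-j ACCEPT/ {
            iface = ""; state = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
            }
            if ((iface == wan || iface == "") &&
                (state == "" || state ~ /(^|,)NEW(,|$)/)) { print; bad = 1 }
        }
        END { exit(bad ? 0 : 1) }
    ' "$1"
}

rules=$(mktemp)
gen_rules eth0 eth4 10.1.1.0/24 > "$rules"
if wan_admits_new "$rules" eth0; then
    echo "WAN side accepts NEW connections"
else
    echo "WAN side accepts only ESTABLISHED traffic"
fi
rm -f "$rules"
```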

    [1] http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#Masquerading_.28Many_to_One_NAT.29
    [2] http://fedorasolved.org/Members/kanarip/iptables-howto
    [3] http://www.faqs.org/docs/iptables/lettingdhcprequests.html

    posted at: 23:52 | path: /Admin/iptables | permanent link to this entry