My desktop

A few variables, settings, etc. that describe my desktop

.exrc:

set nu
set showmode

.fluxbox/keys:

Mod1 l :ExecCommand xlock -mode blank
Mod1 t :ExecCommand xterm -vb -ls -fg '#cdc4a5' -bg '#0e3851'
Mod4 r :ExecCommand xrandr --output VGA1 --auto --output LVDS1 --off
Mod4 m :MaximizeWindow
Control Mod1 Right :NextWorkspace
Control Mod1 Left :PrevWorkspace

.fluxbox/init:

session.screen0.rootCommand: fbsetroot -solid black
session.styleFile: /usr/share/fluxbox/styles/BlueFlux

about:config:

browser.newtab.url = about:blank

about:addons:

screengrab
saved password editor


setxkbmap -model pc105 -layout hu,us -option grp:alt_shift_toggle

Git tutorial #1

Initialise the repository on the remote server:

ssh git@yourserver.com
mkdir test/project1
cd test/project1
git init --bare

On the local host:

cd somedir/project1
git init
echo some text > somefile.txt
git add somefile.txt
git commit -s -m "my very 1st commit"
git remote add origin git@yourserver.com:test/project1
git push -u origin master

Clone the project on another host:

git clone git@yourserver.com:test/project1
cd project1

Based on http://thelucid.com/2008/12/02/git-setting-up-a-remote-repository-and-doing-an-initial-push/

SSH settings for your own good

Long story short: I highly recommend reading the stribika article, https://stribika.github.io/2015/01/04/secure-secure-shell.html.

Note: before deploying these settings, make sure your version of openssh supports them!

sshd_config settings:

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowGroups ssh-user
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

ssh_config settings:

Host *
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    PubkeyAuthentication yes
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
    UseRoaming no
    VisualHostKey yes

Generate keys:

ssh-keygen -t ed25519 -o -a 100
ssh-keygen -t rsa -b 4096 -o -a 100
awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
wc -l "${HOME}/moduli" # make sure there is something left
mv "${HOME}/moduli" /etc/ssh/moduli
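The note above says to check that your OpenSSH version supports these settings (ssh -Q cipher, ssh -Q mac and ssh -Q kex list what the installed binary knows, and sshd -T prints the effective server configuration). The script below is an added example, not part of this page or of the stribika article: it parses an sshd_config the way sshd reads it (first occurrence of a keyword wins, keywords are case-insensitive, comments are skipped), reports every place where the file still deviates from the settings listed above, and counts the moduli that the awk filter is meant to remove. The sshd_config and moduli lines it works on are constructed samples written to temporary files; the moduli hex is a placeholder.

```shell
#!/bin/sh
# Constructed sample files standing in for /etc/ssh/sshd_config and /etc/ssh/moduli.
SAMPLE_SSHD=$(mktemp)
cat > "$SAMPLE_SSHD" <<'EOF'
# comment lines and blank lines are ignored, keywords are case-insensitive
Port 22
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
PasswordAuthentication yes
ChallengeResponseAuthentication no
pubkeyauthentication yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-cbc
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-md5
EOF

SAMPLE_MODULI=$(mktemp)
cat > "$SAMPLE_MODULI" <<'EOF'
# Time Type Tests Tries Size Generator Modulus  (constructed lines, modulus hex is a placeholder)
20150104000000 2 6 100 1023 2 DEADBEEF
20150104000001 2 6 100 2047 2 DEADBEEF
20150104000002 2 6 100 4095 5 DEADBEEF
EOF

# sshd_value FILE KEYWORD: value of KEYWORD as sshd would use it (first
# occurrence wins, keyword match is case-insensitive, comments skipped).
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == key   { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")
                               sub(/[[:space:]]+$/, ""); print; exit }
    ' "$1"
}

# weak_entries LIST PATTERN: entries of the comma-separated LIST matching PATTERN
weak_entries() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -E -e "$2" || true
}

# audit_sshd FILE: print one line per deviation from the settings recommended
# above; the return value is the number of deviations (0 means compliant).
audit_sshd() {
    n=0
    for pair in PasswordAuthentication=no ChallengeResponseAuthentication=no PubkeyAuthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key is '${got:-unset}', expected '$want'"
            n=$((n + 1))
        fi
    done
    # the recommended lists leave out CBC/RC4/3DES ciphers, MD5/SHA-1 MACs and SHA-1 key exchanges
    for a in $(weak_entries "$(sshd_value "$1" Ciphers)" 'cbc|arcfour|3des') \
             $(weak_entries "$(sshd_value "$1" MACs)" 'md5|sha1') \
             $(weak_entries "$(sshd_value "$1" KexAlgorithms)" 'sha1$|group1-'); do
        echo "weak algorithm still enabled: $a"
        n=$((n + 1))
    done
    return "$n"
}

# weak_moduli_count FILE: moduli whose size field (column 5) is 2000 bits or
# less; after the awk filter above this should print 0.
weak_moduli_count() {
    awk '!/^[[:space:]]*#/ && NF >= 5 && $5 <= 2000 { n++ } END { print n + 0 }' "$1"
}

audit_sshd "$SAMPLE_SSHD" || echo "deviations: $?"
echo "weak moduli before filtering: $(weak_moduli_count "$SAMPLE_MODULI")"
awk '$5 > 2000' "$SAMPLE_MODULI" > "$SAMPLE_MODULI.filtered"
echo "weak moduli after filtering:  $(weak_moduli_count "$SAMPLE_MODULI.filtered")"
```

On a real host, point audit_sshd at /etc/ssh/sshd_config (or at the output of sshd -T, which already has defaults and Match blocks resolved) and weak_moduli_count at /etc/ssh/moduli; the sample above yields three deviations (PasswordAuthentication yes, the aes128-cbc cipher and the hmac-md5 MAC) and one weak modulus before filtering.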

Creating a sparse image

dd if=/dev/zero of=/path/to/1.img bs=1 count=0 seek=100G
losetup /dev/loop0 /path/to/1.img
mkfs.jfs /dev/loop0
mount /dev/loop0 /tmp/uu
df -h | grep /tmp/uu

When can this come in handy? For example, when you want to create a gazillion files, but your filesystem is already made and it has few inodes. ext4, for instance, does not let you change the number of inodes once it has been formatted (that is, after running mkfs.ext4).
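The dd line above only reserves the apparent size; whether the image really stays small on disk depends on the filesystem that holds it. The script below is an added example (not from this page) that creates a sparse image with the same dd technique, without root, and compares its apparent size with the blocks actually allocated, next to a fully written file for contrast. The losetup/mkfs/mount steps above need root and are not repeated here; the 64 MiB size and the temporary file names are the example's own choices.

```shell
#!/bin/sh
# sparse_report FILE: print "<apparent-bytes> <allocated-kib>" so the two
# numbers can be compared; a sparse image has a tiny allocated size.
sparse_report() {
    apparent=$(wc -c < "$1" | tr -d ' ')
    allocated=$(du -k "$1" | cut -f1)
    echo "$apparent $allocated"
}

# is_sparse FILE: succeed when less than half of the apparent size is allocated
is_sparse() {
    set -- $(sparse_report "$1")
    [ $(( $2 * 1024 * 2 )) -lt "$1" ]
}

IMG=$(mktemp)
# same technique as the dd line above, but 64 MiB and a numeric seek for portability
dd if=/dev/zero of="$IMG" bs=1 count=0 seek=$((64 * 1024 * 1024)) 2>/dev/null
echo "sparse image:  $(sparse_report "$IMG")"
is_sparse "$IMG" && echo "allocated size is far below the apparent size, as expected"

FULL=$(mktemp)
# a 4 MiB file of zeros that is actually written out, for comparison
dd if=/dev/zero of="$FULL" bs=1048576 count=4 2>/dev/null
echo "fully written: $(sparse_report "$FULL")"
is_sparse "$FULL" || echo "the 4 MiB of zeros occupy real blocks"
```

Run is_sparse against /path/to/1.img after the dd step (and again after filling the mounted filesystem) to see how much of the reserved 100G is really in use; df -h on the mount point only reports what the filesystem inside the image believes.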

3-2-1 Backup: The Rule For Recovery

Doug Hazelman wrote an article with the same title about the rule above: http://www.networkcomputing.com/storage/3-2-1-backup-rule-recovery/108368175

The 3-2-1 rule is perhaps the most important one for the safety of your data. In short, it says that a company must keep 3 copies of its data, on 2 different media, one of which is at another location.

The article mentions the case of Pixar, which almost lost Toy Story 2 because of a clumsy command and a backup that did not work. Pixar was saved only because someone had the film on their home PC.

Then in the state of Ohio someone took the backup tape home, which did satisfy the '1', except that his home was burgled and the backup was taken too, with the personal data of 64,000 state employees on it, e.g. ID numbers and so on.

The NTP Software article mentions Peter Krogh, from whom the 3-2-1 rule originates. According to him there are 2 kinds of people: those whose storage has already failed, and those whose storage is going to fail.

Regarding email archiving, someone remarked that “from a business point of view it is not acceptable to store the messages all over the place, separate them, keep local archives and other such clowning around”, and that the messages are fine on the mail server.

This obviously does not meet the 3-2-1 rule, and it is surely no accident that further west of us actual legislation (FRCP, SOX, …) prescribes which industry players must archive their mail and for how long, so that they are compliant.

Not to mention that when one day the storage under the mail server fails (according to Krogh this is only a matter of time), there will be 'fun'. And it does not even take a hardware failure; it is trouble enough if someone accidentally (or deliberately) deletes some of the messages.

Email archiving, especially when a 3rd party performs it, can protect against this as well.


roundcube login failure after php upgrade to 5.6.x

I’ve just upgraded php to 5.6.x, and I couldn’t login to roundcube any more.

Since I use a self signed certificate I’ve added the following fix to config/config.inc.php:


$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
    ),
);

Credits: https://bbs.archlinux.org/viewtopic.php?id=187063


The real cost of spam

Spam costs a lot, and it is us regular users who pay. A nice article about the cost we have to pay in order to defend against spam.

The cost vectors (according to the article):

– antispam technology

Most companies deploy additional servers to filter spam. Some also buy commercial software to perform spam filtering. It takes staff to manage all of it, and all of this costs money.

– lost productivity

Spam wastes your time: handling it takes attention. Note that “deleting messages, however, turns out to be the most expensive spam strategy. The average employee at companies that delete spam messages loses an average of 7.3 minutes per week looking for lost legitimate messages.”

– wasted storage

The usual method is to move spam emails to a quarantine. It consumes disk space, so you need additional storage capacity, and enterprise-grade storage still costs money.

– intangible costs

“Spam has a broader economic impact as well, hitting many businesses and nations that are least able to bear the burden. Consider Nigeria, for example. Nucleus Research noted that while fraud and corruption have been rampant in Nigeria for some time, the country may be forever kept in the digital darkness because of the volume of deceptive email sent by local spammers. The research firm noted that most spam filters block any mail with “Nigeria” in the title or text, effectively keeping anyone communicating with, from, to or about Nigeria from doing it via email.”

Deploying CoreOS OVA on VMware

Deploy the vmware ova

Download the OVA image from the CoreOS website and deploy it to VMware using the vSphere client, etc.

When you boot the VM, you won’t be able to log in unless you provide coreos.autologin=tty1 as a kernel parameter in grub. If you do so, you’ll be automatically logged in as user core. Type sudo bash to get the root prompt needed for the initial setup.

Read more at http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2109161

Configure networking

Create /etc/systemd/network/static.network, add the following, and finally reboot:


[Network]
Address=192.168.1.2
Gateway=192.168.1.1
DNS=192.168.1.100 192.168.1.101

Read more at https://www.brianchristner.io/how-to-install-and-configure-coreos-inside-vmware/

Set up ssh access

Edit /usr/share/oem/cloud-config.yml and add your ssh public key, e.g.


ssh_authorized_keys:
- ssh-dss AAAAB3NzaC1kc3MAAAEBAOm5s8yJIl1ZnaqQU93f.....

Then validate the settings:


coreos-cloudinit --validate --from-file /usr/share/oem/cloud-config.yml

If everything goes right, then apply settings:


coreos-cloudinit --from-file /usr/share/oem/cloud-config.yml

Now you can ssh to the host as user core using your private ssh key, e.g.


ssh -i /path/to/ssh.key -l core 192.168.1.2

You may also want to set up etcd (version 2) in the same cloud-config file:


etcd2:
  # generate a new token for each unique cluster from https://discovery.etcd.io/new?size=3
  # specify the initial size of your cluster with ?size=X
  discovery: https://discovery.etcd.io/THE_VALUE_OF_THE_GENERATED_TOKEN

  # multi-region and multi-cloud deployments need to use $public_ipv4
  advertise-client-urls: http://0.0.0.0:2379
  initial-advertise-peer-urls: http://0.0.0.0:2380
  # listen on both the official ports and the legacy ports
  # legacy ports can be omitted if your application doesn't depend on them
  listen-client-urls: http://0.0.0.0:2379
  listen-peer-urls: http://0.0.0.0:2380

Recommended reading:

Cloud config docs
Using CoreOS