Claus Beerta

Stuff i do, don't and other babble.

Gnome 3 - Back to the Roots

So I've recently started using Linux on my Desktop full time again. All because of Gnome 3.

I abandoned Linux on my Desktop at home a few years back and started using OS X full time. I got a PPC Mac Mini, then an Intel Mac Mini and finally a MacBook. I was fairly happy with it: a fancy UI with a nice CLI underneath to fiddle around on.

Good Bye Apple

A couple of months back though I started to grow tired of Apple and its behavior in general. The Company has grown from Cool Underdog to a Mega Company, and that definitely shows. IMO they're becoming the Microsoft of the 90's, using their market dominance in some areas to pressure little companies out of business.

The past few months it also felt like Apple's primary focus is their iSomething Devices, and they don't care about OS X much anymore.

With all the recent updates to iTunes, which I've grown to absolutely hate as an application, their App Store for OS X and their apparent intention to turn the Desktop into a Touch UI (I'm not very big on the whole gestures notion), I finally decided to give up on it altogether.

(No, you can't have my stuff, I've already sold all of it)

Windows 7 as intermediary

For some time I was using Windows 7 exclusively on my desktop at home and on my notebook. Windows 7 is a good OS, but for a Unix person it is severely lacking in a number of areas.

Microsoft is also severely lacking in the innovation department. They need to get their act together and get some good updates out again. Their image is crap these days, and if they don't turn around, I wouldn't be too surprised if they didn't matter anymore in a couple of years. Even their primary enterprise market is slowly shifting away from them.

It'd be a shame if we'd end up with a new dominant player (Apple or Google for example) merely replacing Microsoft. We need to keep the competition, to keep these Mega Companies in check.

Hello Gnome

Fortunately for me Gnome 3 arrived. I started using it at work (Fedora 15 Betas) and when it got released I put Archlinux on my Desktop and haven't looked back yet.

I still occasionally boot Windows on my Notebook to edit photos in Lightroom, but that's all right. I've tried Bibble but I am too used to Lightroom to make the switch.

In essence I have made a complete turnaround: from Linux to Mac OS X to Windows and now back to Linux.

Let's see how long it'll last this time.

Some good to know things on Gnome 3

  • Gnome 3 Cheatsheet: link
  • Gnome Shell extensions: link
  • Gnome Tweak Tool for some advanced Settings: link

Enable Focus follows Mouse in Gnome Shell:

gconftool-2 -s /apps/metacity/general/focus_mode sloppy --type string

Changing a user theme with the extension installed (Older versions of the Tweak Tool didn't really work for me):

gsettings get org.gnome.shell.extensions.user-theme name # Get current
gsettings set org.gnome.shell.extensions.user-theme name Zukitwo # Set one
gsettings reset org.gnome.shell.extensions.user-theme name # Reset to default



Securing your Web server against Bots

Bots usually operate in a fairly similar way to get onto your server:

  • They exploit a known vulnerability in a PHP script to inject some code
  • This injected code is usually very simple, downloading the Trojan from a remote address with curl or wget to a temporary directory
  • After the Trojan has been downloaded, it is executed through the same PHP vulnerability

A method I've employed in the past to at least stop these automated Trojan spreads is to add iptables rules that forbid the user the Web server is running as from making any connections to the outside world:

# Allow Everything local
iptables -A OUTPUT -o lo+ -m owner --uid-owner 33 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m owner --uid-owner 33 -j ACCEPT
# Allow DNS Requests 
iptables -A OUTPUT -p udp -m owner --uid-owner 33 -m udp --dport 53 -j ACCEPT
# Allow HTTP Answers to clients requesting stuff from the Web Server (HTTP+HTTPS)
iptables -A OUTPUT -p tcp -m owner --uid-owner 33 -m tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m owner --uid-owner 33 -m tcp --sport 443 -j ACCEPT
# Log everything that gets dropped
iptables -A OUTPUT -m owner --uid-owner 33 -m limit --limit 5/sec -j LOG --log-prefix "www-data: "
# and finally drop anything that tries to leave
iptables -A OUTPUT -m owner --uid-owner 33 -j REJECT --reject-with icmp-port-unreachable

# Force outgoing requests through the HTTP proxy on port 8080
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner 33 -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080

"But now all my RSS clients and HTTP includes won't work anymore!" There are two ways around the fact that now nothing on your web server is allowed to talk to the evil internet anymore:

  1. Insert `ACCEPT` rules into the iptables chain for the destinations you want to allow. This method is tedious and error prone, as you constantly need to be aware of which IPs the services you're using have and update your iptables rules accordingly.
  2. Use a simple HTTP proxy to pass through the requests you want to allow.

I've always preferred the HTTP proxy method. While it may be a bit more work to set up in the first place, the added security is worth it: since you allow on a URL basis, you don't need to worry about the remote side changing IPs anymore, and if you allow IPs with iptables, people can upload their Trojans to those web servers and bypass all your fancy protection.

A good proxy that allows for extensive filtering and still has a small footprint is Tinyproxy. A few settings you want to tune are:

# Only Listen on Localhost
Listen 127.0.0.1

# Allow requests from your local server only
Allow 127.0.0.1
Allow <Official IP Address of your server>

# Enable Filtering, and deny everything by default
Filter "/etc/tinyproxy/filter"
FilterURLs On
FilterExtended On
FilterDefaultDeny Yes

Looking at your Tinyproxy logfiles, you should now see requests being denied when you access a page on the Web server that tries to include external resources:

CONNECT   Aug 01 05:11:57 [16731]: Connect (file descriptor 7): aello.beerta.net [207.192.69.25]
CONNECT   Aug 01 05:11:57 [16731]: Request (file descriptor 7): GET /1.0/user/cb0amg/recenttracks.rss HTTP/1.0
INFO      Aug 01 05:11:57 [16731]: process_request: trans Host GET http://ws.audioscrobbler.com:80/1.0/user/cb0amg/recenttracks.rss for 7
NOTICE    Aug 01 05:11:57 [16731]: Proxying refused on filtered url "http://ws.audioscrobbler.com:80/1.0/user/cb0amg/recenttracks.rss"
INFO      Aug 01 05:11:57 [16731]: Not sending client headers to remote machine

Voila, my WordPress installation tried to grab the recent tracks RSS from last.fm. I want to allow that, so I'll just add this to my Tinyproxy filter rules:

^http://ws.audioscrobbler.com:80/1.0/user/cb0amg/recenttracks.rss.*
^http://backend.deviantart.com:80/rss.xml.*
^http://rest.akismet.com:80/.*

Now anything you want your Web Server to access, you can simply add to your Tinyproxy filter.
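As an added example (not part of the original post), this script turns the "Proxying refused" lines from the Tinyproxy log into filter rules in which the dots of the hostname are escaped, so a rule cannot accidentally match a lookalike host, and keeps requests to hosts you have not marked as trusted on a review list instead of allowing them. The log excerpt is constructed to mirror the format quoted above; the trusted host set and the paths are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample Tinyproxy log excerpt, modelled on the lines quoted above.
SAMPLE_LOG = """\
NOTICE    Aug 01 05:11:57 [16731]: Proxying refused on filtered url "http://ws.audioscrobbler.com:80/1.0/user/cb0amg/recenttracks.rss"
INFO      Aug 01 05:11:57 [16731]: Not sending client headers to remote machine
NOTICE    Aug 01 05:12:03 [16731]: Proxying refused on filtered url "http://rest.akismet.com:80/verify-key"
NOTICE    Aug 01 05:12:09 [16731]: Proxying refused on filtered url "http://rest.akismet.com:80/1.1/comment-check"
NOTICE    Aug 01 05:12:40 [16731]: Proxying refused on filtered url "http://203.0.113.9:80/t.txt"
"""

REFUSED = re.compile(r'Proxying refused on filtered url "([^"]+)"')
ERE_SPECIAL = set('.^$*+?()[]{}|\\')  # metacharacters of POSIX extended regex

def refused_urls(log_text):
    """Unique refused URLs, in the order they were first logged."""
    seen = []
    for m in REFUSED.finditer(log_text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def ere_escape(text):
    """Escape so a '.' in a hostname matches only a literal dot, not any byte."""
    return ''.join('\\' + c if c in ERE_SPECIAL else c for c in text)

def host_rule(url):
    """Filter line allowing any path below this scheme://host:port/."""
    p = urlsplit(url)
    return '^' + ere_escape(f'{p.scheme}://{p.netloc}/')

def exact_rule(url):
    """Filter line allowing exactly this URL and nothing else."""
    return '^' + ere_escape(url) + '$'

def suggest(log_text, trusted_hosts):
    """Host rules for trusted hosts; everything else goes to a review list."""
    rules, review = [], []
    for url in refused_urls(log_text):
        if urlsplit(url).hostname in trusted_hosts:
            rule = host_rule(url)
            if rule not in rules:
                rules.append(rule)
        else:
            review.append(url)
    return rules, review

if __name__ == '__main__':
    print(suggest(SAMPLE_LOG, {'ws.audioscrobbler.com', 'rest.akismet.com'}))
```

The rules are anchored with `^` only, which is enough for a prefix match since Tinyproxy matches the pattern anywhere in the URL; use `exact_rule` where a single URL should be allowed rather than a whole host.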

Remember though, this is not a blanket protection against any software flaw that exists! You should still keep your software updated at all times.



Microsoft Patches Linux; Linus Responds

Good Quote from Linus, worth reposting:

Oh, I'm a big believer in "technology over politics". I don't care who it comes from, as long as there are solid reasons for the code, and as long as we don't have to worry about licensing etc issues.

In fact, to some degree, I'd be more likely to include it because it's from a new member of the community rather than less (again, I'd like to point out that drivers are special. They don't impact other things, so they get merged much more easily than some core changes).

I may make jokes about Microsoft at times, but at the same time, I think the Microsoft hatred is a disease. I believe in open development, and that very much involves not just making the source open, but also not shutting other people and companies out.

There are 'extremists' in the free software world, but that's one major reason why I don't call what I do 'free software' any more. I don't want to be associated with the people for whom it's about exclusion and hatred.

via Microsoft Patches Linux; Linus Responds | Linux Magazine.



Debian Packaging

Just found a new toy: apt-build.

Being on Debian (based) systems most of the time (if you don't count my day job, which is exclusively RedHat and Fedora systems), this comes in handy if you don't like how Debian thinks software should be built. Time to mess up my Ubuntu Desktops!



Fonts Rant (Linux vs OS X)

Ever since I connected a 19" TFT (instead of my 19" CRT) screen to my Mac Mini, I find the fonts look ugly. Look at this Screenshot:

Linux vs OS X

On the left side is my Linux Desktop with the font settings set to TFT Optimized. The antialiasing is hardly noticeable and looks very sharp. On the right side is the same page on my Mini, also set to "Optimized for TFT", and the antialiasing just jumps into your face. I'm tempted to connect the CRT to the Mini again, because antialiasing naturally looks better on a CRT than on a TFT.

It may also be that I'm just too dumb (I live Linux, and only got the Mini last year). Anyone with a hint on how to make the fonts look "good" on OS X?

(If you had told me 2 years ago that one day I would say that fonts on the Linux Desktop look better than on a Mac, I would've probably burst out laughing. Glad to see there have been some major improvements over time!)