Posts tagged "Linux"

Gnome 3 - Back to the Roots

So I’ve recently started using Linux on my Desktop full time again. All because of Gnome 3.

I’ve abandoned Linux on my Desktop at home a few years back, and started using OS X full time. I got a PPC Mac Mini, then an Intel Mac Mini and finally a MacBook. I was fairly happy with it: Fancy UI with a nice CLI to it to fiddle around on.

Good Bye Apple

A couple of months back though I started to grow tired of Apple and its behavior in general. The Company has grown from Cool Underdog to a Mega Company, and that definitely shows. IMO they’re becoming the Microsoft of the 90’s, using their market dominance in some areas to pressure little companies out of business.

The past few months also felt like Apple’s primary focus is their iSomething Devices, and they don’t care about OS X much anymore.

With all the recent updates to iTunes, which I’ve grown to absolutely hate as an application, their App Store for OS X and their apparent intentions to turn the Desktop into a Touch UI, I’m not very big on the whole gestures notion. I finally decided to give up on it altogether.

(No, you can’t have my stuff, I’ve already sold all of it)

Windows 7 as intermediary

For some time I was using Windows 7 exclusively on my desktop at home and notebook. Windows 7 is a good OS, but as a Unix person it is severely lacking in a number of areas.

Microsoft is also severely lacking in the innovation department. They need to get their act together and get some good updates out again. Their image is crap these days, and if they don’t turn around, I wouldn’t be too surprised if they didn’t matter in a couple of years anymore. Even their primary enterprise market is slowly shifting away from them.

It’d be a shame if we’d end up with a new dominant player (Apple or Google for example) merely replacing Microsoft. We need to keep the competition, to keep these Mega Companies in check.

Hello Gnome

Fortunately for me Gnome 3 arrived. I started using it at work (Fedora 15 Betas) and when it got released I put Archlinux on my Desktop and haven’t looked back yet.

I still occasionally boot Windows on my Notebook to edit Photos in Lightroom, but that’s all right. I’ve tried Bibble but I am too used to Lightroom to make the switch.

In essence I have made a complete turnaround: From Linux to Mac OS X to Windows and now back to Linux.

Let’s see how long it’ll last this time.

Some good to know things on Gnome 3

  • Gnome 3 Cheatsheet: link
  • Gnome Shell extensions: link
  • Gnome Tweak Tool for some advanced Settings: link

Enable Focus follows Mouse in Gnome Shell:

gconftool-2 -s /apps/metacity/general/focus_mode sloppy --type string

Changing a user theme with the extension installed (Older versions of the Tweak Tool didn’t really work for me):

gsettings get org.gnome.shell.extensions.user-theme name # Get current
gsettings set org.gnome.shell.extensions.user-theme name Zukitwo # Set one
gsettings reset org.gnome.shell.extensions.user-theme name # Reset to default

Securing your Web server against Bots

Bots usually operate in a fairly similar way to get onto your server:

  • They exploit a known vulnerability in a PHP script to inject some code
  • This injected code is usually very simple, downloading the Trojan from a remote address with curl or wget to a temporary directory
  • After the Trojan has been downloaded, it is executed through the PHP vulnerability

A method I’ve employed in the past to at least stop this automated spread of Trojans is to add iptables rules that forbid the user the Web server runs as (UID 33 in the rules below) from making any connections to the outside world:

# Allow Everything local
iptables -A OUTPUT -o lo+ -m owner --uid-owner 33 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m owner --uid-owner 33 -j ACCEPT
# Allow DNS Requests 
iptables -A OUTPUT -p udp -m owner --uid-owner 33 -m udp --dport 53 -j ACCEPT
# Allow HTTP Answers to clients requesting stuff from the Web Server (HTTP+HTTPS)
iptables -A OUTPUT -p tcp -m owner --uid-owner 33 -m tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m owner --uid-owner 33 -m tcp --sport 443 -j ACCEPT
# Log everything that gets dropped
iptables -A OUTPUT -m owner --uid-owner 33 -m limit --limit 5/sec -j LOG --log-prefix "www-data: "
# and finally drop anything that tries to leave
iptables -A OUTPUT -m owner --uid-owner 33 -j REJECT --reject-with icmp-port-unreachable

# Force outgoing request through http proxy on port 8080
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner 33 -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
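
The LOG rule above tags every rejected packet with the `www-data: ` prefix in the kernel log. As an added example (not part of the original post), this script groups those entries by destination so unexpected egress attempts stand out; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the packets logged by the "www-data: " LOG rule.

# summarize_egress: kernel log lines on stdin ->
#   "<count> <proto> <dst>:<dport>" lines, most frequent first.
summarize_egress() {
    awk '
        index($0, "www-data: ") == 0 { next }   # keep only our LOG prefix
        {
            dst = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                # first occurrence wins; ICMP errors repeat fields in [...]
                if (dst == ""   && $i ~ /^DST=/)   dst   = substr($i, 5)
                if (proto == "" && $i ~ /^PROTO=/) proto = substr($i, 7)
                if (dpt == ""   && $i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (dst == "") next
            if (dpt == "") dpt = "-"             # e.g. ICMP has no port
            seen[proto " " dst ":" dpt]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample input (documentation addresses, hypothetical host "web").
sample_log() {
    cat <<'EOF'
Aug  1 05:12:01 web kernel: www-data: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=40112 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 05:12:02 web kernel: www-data: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=40113 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 05:12:03 web sshd[912]: Accepted publickey for admin from 192.0.2.50 port 50022 ssh2
Aug  1 05:12:04 web kernel: www-data: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=40114 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 05:12:05 web kernel: www-data: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.53 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=4714 DF PROTO=UDP SPT=51000 DPT=123 LEN=56
Aug  1 05:12:06 web kernel: www-data: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4715 DF PROTO=TCP SPT=40115 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

sample_log | summarize_egress
```

On a live system, feed `summarize_egress` the kernel log instead of `sample_log`; where that log lives depends on your syslog setup.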

“But now all my RSS Clients, and HTTP Includes won’t work anymore” There are two ways around the fact that nothing on your web server is allowed to talk to the evil internet anymore:

  1. Insert `ACCEPT` rules into the iptables chain for the destinations you want to allow. This method is tedious and error-prone, as you need to be constantly aware of which IPs the services you’re using have and update your iptables rules accordingly.
  2. Use a simple HTTP Proxy to pass through the requests you want to allow.

I’ve always preferred the HTTP Proxy method. While it may be a bit more work to set up in the first place, the added security is worth it: since you allow on a URL basis, you don’t need to worry about the remote side changing IPs anymore. And if you allow IPs with iptables, people can upload their Trojans to those web servers and bypass all your fancy protection.

A good proxy that allows for extensive filtering and still has a small footprint is Tinyproxy. A few settings you want to tune are:

# Only Listen on Localhost
Listen 127.0.0.1

# Allow requests from your local server only
Allow 127.0.0.1
Allow <Official IP Address of your server>

# Enable Filtering, and deny everything by default
Filter "/etc/tinyproxy/filter"
FilterURLs On
FilterExtended On
FilterDefaultDeny Yes

Looking at your Tinyproxy logfiles, you should now see requests being denied if you access a page on the Web server that tries to include external resources:

CONNECT   Aug 01 05:11:57 [16731]: Connect (file descriptor 7): aello.beerta.net [207.192.69.25]
CONNECT   Aug 01 05:11:57 [16731]: Request (file descriptor 7): GET /1.0/user/cb0amg/recenttracks.rss HTTP/1.0
INFO      Aug 01 05:11:57 [16731]: process_request: trans Host GET http://ws.audioscrobbler.com:80/1.0/user/cb0amg/recenttracks.rss for 7
NOTICE    Aug 01 05:11:57 [16731]: Proxying refused on filtered url "http://ws.audioscrobbler.com:80/1.0/user/cb0amg/recenttracks.rss"
INFO      Aug 01 05:11:57 [16731]: Not sending client headers to remote machine

Voila, my Wordpress installation tried to grab the recent track RSS from last.fm. I want to allow that, so I’ll just add this to my Tinyproxy filter rule:

^http://ws.audioscrobbler.com:80/1.0/user/cb0amg/recenttracks.rss.*
^http://backend.deviantart.com:80/rss.xml.*
^http://rest.akismet.com:80/.*

Now anything you want your Web Server to access, you can simply add to your Tinyproxy filter.
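
Because `FilterDefaultDeny Yes` turns the filter file into an allow-list, how tightly each pattern is written decides what the web server user can reach. The following added example (not from the original post) checks constructed URLs against the post's three rules and against a tightened variant, using `grep -E` as a stand-in for Tinyproxy's extended-regex matching; the function names, file names, test URLs and the tightened patterns are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit an allow-list of POSIX extended regexes offline.

# filter_allows FILTER_FILE URL -> exit 0 if any pattern matches (default deny)
filter_allows() {
    while IFS= read -r pattern; do
        [ -n "$pattern" ] || continue            # skip blank lines
        printf '%s\n' "$2" | grep -E -q -e "$pattern" && return 0
    done < "$1"
    return 1
}

# verdict FILTER_FILE URL -> prints "allow" or "deny"
verdict() {
    if filter_allows "$1" "$2"; then echo allow; else echo deny; fi
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# The three rules from the post, one per line.
cat > "$workdir/filter.page" <<'EOF'
^http://ws.audioscrobbler.com:80/1.0/user/cb0amg/recenttracks.rss.*
^http://backend.deviantart.com:80/rss.xml.*
^http://rest.akismet.com:80/.*
EOF

# Tightened variant (an assumption, not the author's file): literal dots are
# escaped and fixed paths are anchored, with an optional query string.
cat > "$workdir/filter.tight" <<'EOF'
^http://ws\.audioscrobbler\.com:80/1\.0/user/cb0amg/recenttracks\.rss(\?.*)?$
^http://backend\.deviantart\.com:80/rss\.xml(\?.*)?$
^http://rest\.akismet\.com:80/
EOF

# Constructed test URLs; the second differs from the first by one character
# in the position where the original pattern has an unescaped dot.
for url in \
    'http://ws.audioscrobbler.com:80/1.0/user/cb0amg/recenttracks.rss' \
    'http://wsxaudioscrobbler.com:80/1.0/user/cb0amg/recenttracks.rss' \
    'http://rest.akismet.com:80/1.1/comment-check' \
    'http://example.org:80/file.bin'
do
    printf 'page=%-5s tight=%-5s %s\n' \
        "$(verdict "$workdir/filter.page" "$url")" \
        "$(verdict "$workdir/filter.tight" "$url")" "$url"
done
```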

Remember though, this is not a blanket protection against any software flaw that exists! You should still keep your software updated at all times.

Microsoft Patches Linux; Linus Responds

Good Quote from Linus, worth reposting:

Oh, I'm a big believer in "technology over politics". I don't care who it comes from, as long as there are solid reasons for the code, and as long as we don't have to worry about licensing etc issues. In fact, to some degree, I'd be more likely to include it because it's from a new member of the community rather than less (again, I'd like to point out that drivers are special. They don't impact other things, so they get merged much more easily than some core changes). I may make jokes about Microsoft at times, but at the same time, I think the Microsoft hatred is a disease. I believe in open development, and that very much involves not just making the source open, but also not shutting other people and companies out. There are 'extremists' in the free software world, but that's one major reason why I don't call what I do 'free software' any more. I don't want to be associated with the people for whom it's about exclusion and hatred.

via Microsoft Patches Linux; Linus Responds | Linux Magazine.

Debian Packaging

Just found a new toy: apt-build.

Being on Debian (based) Systems most of the time (if you don’t count my day job which is exclusively RedHat and Fedora Systems), this comes in handy if you don’t like how Debian thinks software should be built. Time to mess up my Ubuntu Desktops!

Fonts Rant (Linux vs OS X)

Ever since I connected a 19” TFT (Instead of my 19” CRT) screen to my Mac Mini I find the fonts to look ugly. Look at this Screenshot:

Linux vs OS X

On the Left side is my Linux Desktop with Font settings to TFT Optimized. The Antialiasing is hardly noticed, and looks very sharp, on the right side is the same page on my Mini, also set to “Optimized for TFT” and the Antialiasing just jumps into your face. I’m tempted to connect the CRT to the Mini again, because it looks naturally better with Antialiasing on a CRT than on a TFT.

It may also be that I’m just too dumb (I live Linux, and only got the mini last year). Anyone with a hint on how to make the fonts look “good” on OS X ?

(If you told me 2 Years ago, that one day I would say that fonts on the Linux Desktop look better than on a Mac, I would’ve probably burst into a laugh. Glad to see there have been some major improvements over the time!)

Quest for silence

So, my Quest for silence in my “Office” is coming along nicely. My Server is now quietly running in the corner, my Linux Desktop got a new CPU Cooler, my Mac Mini is built by pros and completely silent. That leaves my Gaming Computer, but I think I can live with that one. (Yes, I do have too much Hardware)

Been reading a little on all the Ruby on Rails fuss that is going on at the moment. Looks nice, the installation on Debian was pretty easy. (Running lighttpd and Ruby on Rails and PHP via fastcgi. If anyone is interested in how to do it, drop me a line).

I’ll need some time to look into Ruby (After my tries in Python and C# I’m not too optimistic about that though, I’m too much of a PHP whore these days). Also been looking for something similar in PHP, but that wasn’t successful so far.

Update: Found 3 PHP on Rails Projects so far that I should look into as an alternative to learning Ruby

New Server

So, yes, I finally got all the Hardware I ordered home. Quite a struggle. The result of all this is quite good though:

celaneo:~# cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 13
model name      : Intel® Celeron® M processor         1.40GHz
stepping        : 8
cpu MHz         : 174.999
cache size      : 1024 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 2
wp              : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss tm pbe nx
bogomips        : 2803.79

It’s a Celeron M CPU with 1.4GHz. Using Speedstep (cpudynd on linux) the CPU is actually running at 175MHz when idle!

3 Seagate Barracuda S-ATA Disks get me a nice Raid-5:

 
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda1              28G  5.6G   21G  22%
tmpfs                 248M     0  248M   0% /dev/shm
/dev/md0              559G  104G  455G  19% /home

So far the thing is running stable, and if it keeps that way, I will probably replace my Desktop with a Mobile CPU too.

File Server

I’ve ordered some new Hardware a week ago (and if I’m lucky DHL will actually somewhen manage to get the stuff delivered to me) with which I’m going to replace my current File Server Box, which is getting on my nerves with its noisy coolers and Hard Drives. The new box will have a Fanless Pentium M Notebook CPU and some (hopefully) silent S-ATA Disks.

Being the lazy Linux guy I’ve been getting over the last couple of years (I don’t enjoy fiddling with a magnitude of config files as I used to.) I think I’m going to give eBox Security Platform a try. That is, if the Hardware will ever arrive …

Fedora Core 2 test1 update

Finally installed Fedora Core 2 test1 on my Workstation. Although a prerelease version it is pretty stable (for me at least), and I’ve not come across any major bugs. I love the new Spatial Nautilus which behaves a lot like the good old Amiga Workbench Filemanager, and EFM (The Enlightenment File Manager, which was hacked up by rasterman). Kernel 2.6 is a breeze, everything is working well, and I’ve not had a single crash or other odd happenings.

Fedora Core 2 test1

Yay! They made Fedora Core 2 test 1 available. I’m really happy with this distribution, and like the tight release cycle. Gnome 2.6 and Kernel 2.6. 4 CD’s to download, but the BitTorrent source should do pretty quick. Hopefully I can test this tomorrow on my spare Computer.

Apache2

Finally tried Apache2 with FastCGI. I wasn’t keen enough to have the PHP built into Apache2. Was a bit fiddling, and still not everything works 100%, but at least I have Apache2 now :)

Gnome Blog

I found a cool Gnome Applet to blog! Gnome Blog, and it worked with my hacked up XML-RPC interface out of the box. Very cool.

X niceness

This looks cute. Pure eyecandy. I would love to see some dropshadows on my windows :) Translucent menus aren’t really useful though.

rant- Eugenia tests Fedora

Eugenia of OS News, my all-time-favourite newsprovider about Operating Systems, tested Fedora Core 1. Read the story here. The quality of those ‘reviews’ is a Mild Disappointment. I’ve read a couple of her articles in the past, and I’m not very pleased with her ‘reviews’. If you can’t compile an application, then please don’t complain that the distribution is faulty.

Fedora Update

Still happily using Fedora Core on my Linux machines. Yum is a good packaging tool, not sure if it can stand up to apt, but definitely an improvement to searching for rpms manually. I’ve also started to look into theming of Gnome, after leaving Enlightenment behind, I had to do something to my Desktop. Next project would be a port of my K10K theme to Metacity. We’ll see ;)

BloGTK Blogging

I’ve added a small xmlrpc interface to my blog (ripped mostly from Serendipity), so I can use a GTK client to blog. That’s rather nice, because the webinterface to my blog wasn’t really the best one. Missing features are Editing and Deleting of existing posts, maybe I’ll add that in a later version. If I could only clean up the crappy php sources, I could release it … But I’m not motivated enough to do that.

Fedora Core

Installed Fedora Core on both my Machine at work and at home. I am very pleased with the release. The installation went smooth, default UI is all dandy, fonts looking good, and software wisely chosen. The kernel they put together is a beauty. On my machine at work I ‘only’ have about 368MB ram, with all applications running (shells,moz,ooffice,…) it still is absolutely smooth, unlike RH9 that was previously installed.
Gaming starts to bore me. That’s good, because it means I’ll get more work done :)

More Ximian

I love it :) I’ve installed RH9 on a partition on my main Workstation, and installed Ximian on top of that. It’s really great. Maybe I’ll stick with this RH+Ximian combo for a while.

Ximian

For those who didn’t notice yet Ximian released their Ximian Desktop 2. I personally can’t use it, since I’m on Debian, but I’ve downloaded their artwork package, converted it to a .deb, and installed it. I love their Industrial theme. Good job guys ! Here is a screenshot of my current desktop.

Mozilla, XFT and gnome2

Found this while searching for Bluecurve on Debian. Really cool. Switched to Unstable on my main Debian boxen, and installed Mozilla with Xft support. I am really impressed so far. Better looking than the builtin freetype support. Also Gnome2 is really looking good, I start to like it!

YAMP3 player

So everybody, their friends, and their dogs have an MP3 Player for sale. I currently own an Archos Jukebox 6000 (which I would never buy a second time). The first company who offers Ogg Vorbis support will gladly receive my money. I still hope Apple sees the light first, since their player is really looking best.

more on linux 2.5

I’ve been running the 2.5.40 Kernel since yesterday now, no crashes yet. 2.5 Feels really snappy, and fast, certainly an improvement over 2.4.

kernel

Linux eclipse 2.5.40 #2 SMP Fri Oct 4 13:16:14 CEST 2002 i686 unknown unknown GNU/Linux

apt for redhat

While searching for my mp3 plugin for xmms, I’ve stumbled across apt for RedHat. Very nifty if you’re used to Debian’s apt tool. Let’s see how this works in daily usage.

RedHat Psyche

I’ve upgraded the RedHat installation on my Desk at work to Psyche from Null today. Seamless upgrade. I had to install a more recent version of Mozilla, but that’s okay :) I’m still searching for a XMMS Plugin to play mp3 again, somebody got a package for me ?

RedHat

So RedHat released its final 8.0 Version. I’ll probably download the ISO images after the mirrors caught up, and give it a try.

xfs

So xfs got merged into the 2.5 Kernel tree. Now I can finally start to use the 2.5 Tree on my Workstation.

RedHat Null

After reading this bug report on Mozilla/Xft handling, I realised that I’ve done everything wrong on my RH Installation. I’ve Downloaded the Mozilla nightly build, I got my TTF fonts dropped them into a directory, and setup Mozilla to do fonthandling with the built-in Truetype support. Bad behaving me! I guess I have to file a bug report on RH, saying that the out of the box look and fonthandling of Mozilla is awful.