The not so quiet revolution

How many times have I heard the “ahh… good old times” rant. Sure, sometimes the world as we know it now is complicated, sometimes unfair and even cruel and bad. But if you stop and zoom out a bit, say 20 years (no need to go all the way back to the dark ages), you realize the leap forward. And in technology the leap is nothing short of massive – thank you Mr. Moore. I’m really glad and lucky to be a part of this.

You can get a Raspberry Pi, a fully functional (and power efficient) computer running Linux, for about 30€. You can get a TV stick running Android for about 50€ (and there are Linux distributions for this kind of device). Linux is free, the BSD family of operating systems is free. Most of the SDKs are free. MySQL is free (as are other fully capable relational database systems). Many compilers are free. OpenOffice is free. Heck, even Adobe CS2 can be freely downloaded from Adobe…

Transit Price Drops

Also the price of bandwidth and networking has gone south over the years while speed and quality have gone north. I remember dialing up with a 28.8 kbps modem: downloading a single mp3 file was an hour-long task, loading a simple webpage took an eternity, etc… and at the end of the month the phone bill was obscene… Nowadays I can download a pristine high resolution full movie (from iTunes or another paid service, of course) in less than an hour, for a fraction of what that mp3 cost.

Documentation, tutorials, examples, e-books, how-tos are all over the place. Information (for all levels) is freely available to anyone; you just need time and the right mindset to read, test and educate yourself about any technology you want to learn.

So in the web business capital is not the main factor; it’s knowledge and labor. The funny thing is that capitalism did this: an industry that moves billions of dollars, where start-up capital is not the most important factor (by far). Some kid somewhere in some room can be (and probably is) building the next big website or mobile app, costing him (or her) nothing more than time.

There is a bright future in this model. You don’t need some guys in suits sitting on top of the money to believe in your idea. You are the only one who needs to believe (can you picture the scared faces?) and learn, learn, learn.

Personally I wish I had much more time and peace of mind to learn and tinker with new technologies and projects, because now is the time.

FreeBSD migrating user accounts

Quick and dirty way to migrate user accounts from one FreeBSD box to another. From the source box you will only need two files:

/etc/master.passwd
/etc/group

Copy them to the target box, but DON’T overwrite the existing files there (yet). Put them in /root/master.passwd and /root/group. Compare the copied files with the existing ones for new system users that may exist on the target. If there are any new users/groups, add them to the copied files.

Then move /root/group to /etc/group and run this magical command:

pwd_mkdb -p /root/master.passwd

It will install the file as /etc/master.passwd and recreate all the needed files (/etc/pwd.db, /etc/spwd.db and /etc/passwd).
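Before running pwd_mkdb it is worth checking the copied file against the target’s own master.passwd for two things: accounts that exist only on the target (the new system users the step above tells you to carry over) and UIDs that name different logins on the two boxes. The script below is an added example, not part of the original post; the account entries in it are constructed sample data.

```sh
#!/bin/sh
# Added example: compare a copied master.passwd (SRC) with the target box's own
# file (TGT) before running pwd_mkdb. All entries below are constructed samples.

# Print TGT entries whose login name does not appear in SRC (accounts to carry over).
missing_accounts() {
    awk -F: 'NR==FNR { seen[$1]=1; next } !($1 in seen)' "$1" "$2"
}

# Print "uid src_login tgt_login" for UIDs that name different accounts in SRC and TGT.
uid_collisions() {
    awk -F: 'NR==FNR { login[$3]=$1; next }
             ($3 in login) && login[$3] != $1 { print $3, login[$3], $1 }' "$1" "$2"
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SRC=$WORK/master.passwd.src   # copied from the old box (/root/master.passwd in the text)
TGT=$WORK/master.passwd.tgt   # already present on the new box (/etc/master.passwd)

# master.passwd fields: login:hash:uid:gid:class:change:expire:gecos:home:shell
cat > "$SRC" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
EOF
cat > "$TGT" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
_newsvc:*:601:601::0:0:constructed system account:/var/empty:/usr/sbin/nologin
carol:*:1001:1001::0:0:Carol:/home/carol:/bin/sh
EOF

echo "== target accounts missing from the copied file (append these) =="
missing_accounts "$SRC" "$TGT"
echo "== UID collisions (resolve before pwd_mkdb) =="
uid_collisions "$SRC" "$TGT"
```

Run the same two functions against /etc/group on both boxes to catch the group side of the same problem.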

Securing SSH with SSHGuard

If you have a remote server running some flavor of Unix or Linux, chances are 99% that you use SSH. The best security practice is to use an access key protected with a passphrase and disable password access altogether. But you end up losing some flexibility (for some customers PuTTY is an utterly complex piece of software; imagine them playing with SSH keys…).

The best you can do is to enforce a better user password policy, but even so, like every password-based service, it is at the mercy of brute force attacks. These attacks consume precious clock cycles and, in the worst case scenario, they can break a password and gain access to the system.

So, here comes SSHGuard to the rescue. It’s a pretty neat piece of software, highly flexible and customizable to one’s system, needs and paranoia level. On top of that it is maintenance free and very easy to set up.

I’m using FreeBSD and the venerable (yet very capable) IPFW firewall. The choice of firewall is simply because it’s the one I am most proficient with.

First thing is to enable IPFW on your system. Open /etc/rc.conf and add these lines:

firewall_enable="YES"
firewall_type="open"

Actually this setup only brings IPFW up; it doesn’t filter anything, all the traffic is passed through. But if you forget the firewall_type="open" rule and start the firewall you will be locked out, because the default is no traffic allowed… (and you win a drive to the data-center or some kind of remote rescue shell procedure).

Start IPFW

/etc/rc.d/ipfw start

and check that it is running:

ipfw show

Now you are ready to install SSHGuard itself, a very easy task:

cd /usr/ports/security/sshguard-ipfw
make install clean

and enable it in /etc/rc.conf

sshguard_enable="YES"

Ready? Start it

/usr/local/etc/rc.d/sshguard start

Still, there is a final thing to take care of. SSHGuard uses syslogd to monitor incoming (failed) logins. So you must edit /etc/syslog.conf and uncomment (or add, if it’s not there) the line that the SSHGuard port added:

auth.info;authpriv.info     |exec /usr/local/sbin/sshguard

And restart syslogd

/etc/rc.d/syslogd restart

And now your SSH service should be bullet proof against brute force attacks. Keep safe!

UPDATE 2014-02-23

The latest versions of SSHGuard don’t use syslogd any more; they use an internal “log sucker” that follows the logs. The default logs are “/var/log/auth.log:/var/log/maillog”; as I don’t want it to follow /var/log/maillog, I override this in /etc/rc.conf with:

sshguard_watch_logs="/var/log/auth.log"

UPDATE 2014-08-05

For several reasons I have switched from IPFW to PF. So the port to install is /usr/ports/security/sshguard-pf/, and you must add this line to your /etc/pf.conf and enable PF in /etc/rc.conf:

table <sshguard> persist

then to list the blocked IPs

pfctl -t sshguard -T show

to remove an IP from the list

pfctl -t sshguard -T delete aaa.bbb.ccc.ddd

to remove all the IPs

pfctl -t sshguard -T flush
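The table line by itself blocks nothing: PF only acts on the addresses in <sshguard> once a block rule references the table, and because PF applies the last matching rule unless it is marked quick, a pass rule for ssh placed after a non-quick block rule would undo it. The script below is an added example, not part of the original post or of the SSHGuard port; the interface name em0 and the sample rulesets are constructed.

```sh
#!/bin/sh
# Added example: sanity-check a pf.conf for a working SSHGuard setup.
# Interface name and the two sample rulesets below are constructed.

# pf_sshguard_check FILE: 0 if FILE has the sshguard table and a block rule
# that will really take effect, 1 otherwise (reason printed on stdout).
pf_sshguard_check() {
    f=$1
    grep -Eq '^[[:space:]]*table[[:space:]]+<sshguard>.*persist' "$f" \
        || { echo "missing: table <sshguard> persist"; return 1; }
    blk=$(grep -En '^[[:space:]]*block.*from[[:space:]]+<sshguard>' "$f" | head -n 1)
    [ -n "$blk" ] || { echo "missing: block ... from <sshguard> rule"; return 1; }
    case $blk in *quick*) return 0 ;; esac
    # no "quick": the block only wins if no later pass rule matches ssh traffic
    blk_ln=${blk%%:*}
    pass_ln=$(grep -En '^[[:space:]]*pass.*port[[:space:]]+(ssh|22)([^0-9]|$)' "$f" \
        | tail -n 1 | cut -d: -f1)
    if [ -n "$pass_ln" ] && [ "$pass_ln" -gt "$blk_ln" ]; then
        echo "block rule at line $blk_ln is overridden by pass rule at line $pass_ln"
        return 1
    fi
    return 0
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
GOOD=$WORK/pf.good; BAD=$WORK/pf.bad

cat > "$GOOD" <<'EOF'
ext_if = "em0"
table <sshguard> persist
block in quick on $ext_if from <sshguard>
pass in on $ext_if proto tcp to ($ext_if) port ssh
EOF

# the table alone, with nothing that applies it: sshguard fills it but PF ignores it
cat > "$BAD" <<'EOF'
table <sshguard> persist
pass in on em0 proto tcp to (em0) port ssh
EOF

for f in "$GOOD" "$BAD"; do
    if pf_sshguard_check "$f"; then echo "$f: ok"; else echo "$f: FAIL"; fi
done
```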

NOTE

I am also going to test drive fail2ban on a Debian box, and will soon post a quick review of the differences, drawbacks and benefits versus SSHGuard.

Facebook pollution

It’s spring cleaning time at my Facebook account… I am sick and tired of the excessive crap that doesn’t add anything, except losing my precious eye time. Facebook for me is a really cool medium to keep up with friends, family and companies. And guess what? If I added you to my Facebook friends list it’s because I want to hear something about YOU. Something that YOU did, some of YOUR photos or videos, some great (or not so great) news about YOUR life, some place that YOU are or have been, YOUR thoughts about something, etc… Not this pollution that I currently get in my news feed.

I can even categorize the persons that I am about to remove from my news feed, “unfriend” or block.

The human hubs

These are the most annoying people for me. They just read some news (or just the headline) on the Internets, and share, share, share… Guess what? I read the fucking news on my tablet, and I also listen to the radio and watch some TV like most people do. I really don’t need 20 shares in my news feed about something that is all over the media. Please, please don’t do this if the news isn’t related to you and you don’t have personal thoughts or insights about it. Don’t share it with me.

The compulsive gamer

Also a very annoying kind. Let’s be honest, I couldn’t care less that you waste your time growing virtual animals, vegetables, villages, whatever you feel like; it’s your time anyway. If it makes you happy, just do it, but please don’t send me more game invitations. If I want to play video games, I do it on my PlayStation with my big TV set and powerful speakers in full throttle mode, and even all that apparatus is just gathering dust most of the time.
So, do your thing for entertainment and I’ll do mine, but please don’t send me any more fucking game invitations (unless it is outdoors, or going to watch a football game or something similar and non-Facebook related).

The political activist

These people are also a pain in the ass. Yes, these are difficult times, I agree, and maybe you are in some deep shit because of the government and the austerity policy. Maybe you’re unemployed and have nothing else to do but share 50 posts about how bad the politicians, the government and the whole system are. I’m far from being apolitical, and if your life is messed up you have my sympathy, but please, please don’t spend your days sharing posts against the president, the government, Angela Merkel, the EU, etc… It makes you look like a negative person distilling hate, notably if it is obsessive, and I have people with more than 20 posts of this kind daily… Take your cause elsewhere: go outside, write your own letter to the president, write on the walls of the parliament, show up at the demonstrations, whatever. And then please also take some pictures of what you did to make a change and post them on Facebook.

The humorist

The least annoying, if done with moderation. Moderation, again, the keyword is moderation. But unfortunately some people just share and post each and every single meme they come across. A dog, a cat and a mouse picture, share. A sentence about life with a sunset picture, share. A guy falling down some stairs, share. A pope-mobile pulled by monkeys, share, etc, etc… Please use some common sense and share with moderation and with some quality criteria, not just some shit that you happened to see somewhere.

And that’s about it. One has got to do what one has got to do. Cleaning time now.

Raspberry PI follow-up

So, I did get a Raspberry Pi (actually 2) and got it up and running; it was time to do something useful with it…

Time to set up a Samba server for network recording of security camera feeds. I went along with SWAT, a web based graphical interface to Samba configuration. Like all Debian based software, the installation process is pretty straightforward:

apt-get update
apt-get install swat

And auto-magically it installs everything that you need; it even adds the needed configuration line to /etc/inetd.conf 🙂

Then just point your browser to the Pi’s IP at port 901. Curiously enough, I found the SWAT tool too complex for the simple configuration that I wanted: I trust all users in the network, so my need was just two shares that anyone could read/write. So I ditched SWAT and went on to good ol’ style configuration file editing. The final /etc/samba/smb.conf that is working for me:

[global]
        netbios name = INTRANET
        server string = %h server
        map to guest = Bad Password
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        guest account = nobody
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb

[public1]
        comment = Samba Public 1
        browsable = yes
        public = yes
        writable = yes
        read only = No
        guest ok = Yes
        path = /media/usb0/samba/cam1/

[public2]
        comment = Samba Public 2
        browsable = yes
        public = yes
        writable = yes
        read only = No
        guest ok = Yes
        ; same layout as public1, pointing at the cam2 directory the cleanup script below uses
        path = /media/usb0/samba/cam2/

Fired up samba
# service samba restart

And the cams had no problem finding the samba shares and recording into them.

Next step was to get an easy way to navigate and download recordings. Of course you can also use the Samba shares to navigate and read, but especially for outside access that would imply configuring VPN access to the network (you don’t want your security camera feeds exposed on the Internets with read/write permissions to the world, right?). I went for HTTP with some kind of file explorer software that allows users/permissions, file/directory browsing, and file download. For the server part I opted for lighttpd, a small footprint server, and for the voodoo PHP (all pretty familiar technology to me). Again the installation is for dummies:

apt-get install lighttpd
apt-get install php5-cgi

Then just a tiny adjustment at /etc/lighttpd/lighttpd.conf:

# fastcgi.server below is only honoured when the fastcgi module is loaded
server.modules += ( "mod_fastcgi" )

index-file.names            = ( "index.php", "index.html", "index.lighttpd.html" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

fastcgi.server = ( ".php" => ((
                     "bin-path" => "/usr/bin/php-cgi",
                     "socket" => "/tmp/php.socket"
                 )))

and restart it. For the software I went for the super nice, cool and powerful AjaXplorer. Just download it and untar it into the /var/www directory. Then point your browser to the Pi, log in with admin/admin (and change the password), and then it was just a matter of setting up a user account and a repository pointing to /media/usb0/samba/ (the parent directory of both Samba shares).

Now only one thing left: clean up and report. What to use? Of course PHP again, but this time on the command line, so I installed the CLI version.

apt-get install php5-cli

And I did a script that cleans up old recordings and sends me a daily report email, using basic functions and the great PHPMailer class.

<?php
require('phpmailer/class.phpmailer.php');

// Remove the per-day recording directories (named YYYYMMDD) under $dir
// that are older than $days days.
function deleteDir($dir, $days) {
    $now       = time();
    $diff      = 60*60*24*$days;
    $threshold = $now - $diff;

    $d = dir($dir);
    while (false !== ($entry = $d->read())) {
        // only touch entries that look like a YYYYMMDD directory, so "." , ".."
        // and any stray file name never reach the shell command below
        if (!preg_match('/^\d{8}$/', $entry))
            continue;

        $year  = substr($entry, 0, 4);
        $month = substr($entry, 4, 2);
        $day   = substr($entry, 6, 2);

        if (mktime(0, 0, 0, $month, $day, $year) < $threshold)
            exec("/bin/rm -rf ".escapeshellarg($dir.$entry));
    }

    $d->close();
}

// Human readable size of $dir as reported by du (e.g. "1.2G"), or 0 on error.
function getDirUsage($dir) {
    exec("/usr/bin/du -sh ".escapeshellarg($dir), $output, $return);

    if ($return > 0)
        return 0;

    // du prints "<size>\t<path>"; keep only the size
    $output = explode("\t", $output[0]);

    return $output[0];
}

/*
 * DELETE OLD FILES, +30d
 */

deleteDir('/media/usb0/samba/cam1/video/', 30);
deleteDir('/media/usb0/samba/cam2/video/', 30);

/*
 * GET USED/FREE SPACE
 */

$disk_line = '';
exec('df -h', $output);
foreach ($output as $line) {
    // the mount point is the last column, so compare against false, not 0
    if (strpos($line, '/media/usb0') !== false) {
        $disk_line = $line;
        break;
    }
}

// df columns: Filesystem Size Used Avail Use% Mounted on
$disk_line = preg_split('/\s+/', trim($disk_line));

$disk_used_space = isset($disk_line[2]) ? $disk_line[2] : 'n/a';
$disk_free_space = isset($disk_line[3]) ? $disk_line[3] : 'n/a';
$disk_used_perc  = isset($disk_line[4]) ? $disk_line[4] : 'n/a';

/*
 *  GET YESTERDAY RECORDINGS USAGE
 */

$yesterday  = date("Ymd", time() - 60 * 60 * 24);
$cam1_space = getDirUsage('/media/usb0/samba/cam1/video/'.$yesterday.'/');
$cam2_space = getDirUsage('/media/usb0/samba/cam2/video/'.$yesterday.'/');

/*
 * SEND REPORT EMAIL
 */

$mail = new PHPMailer();
$mail->IsSMTP();                            // telling the class to use SMTP
$mail->SMTPAuth = true;                     // enable SMTP authentication
$mail->Port     = 25;                       // set the SMTP port
$mail->Host     = "mail.domain.com";        // SMTP server
$mail->Username = "username";               // SMTP account username
$mail->Password = "password";               // SMTP account password

$mail->From     = "email@domain.com";
$mail->FromName = "Descriptive email";
$mail->AddAddress("my_email@domain.com");

$mail->CharSet  = "UTF-8";
$mail->Subject  = "Cam Report";
$mail->Body     = "YESTERDAY RECORDINGS\n".
                  "Cam 1: $cam1_space\n".
                  "Cam 2: $cam2_space\n".
                  "\n\n".
                  "HDD SPACE STATUS\n".
                  "Free: $disk_free_space\n".
                  "Used: $disk_used_space ($disk_used_perc)\n";
$mail->WordWrap = 50;

// cron discards stdout, so log the failure reason where it can be found later
if (!$mail->Send())
        error_log($mail->ErrorInfo);

Then just run it daily with cron:
30 3 * * * /usr/bin/php /path/to/script/cams.php > /dev/null

For now that’s all, but I guess there will be more updates on the Raspberry Pi as I still have some ideas floating in my head.