Listing posts

nano editor settings
Last update
2019-08-19
# /etc/nanorc or ~/.nanorc
set tabsize 2
set tabstospaces
set smarthome
set regexp
#set autoindent
set nonewlines

set morespace
set constantshow
set linenumbers

#set mouse
set smooth

set nowrap
set suspend

# use alt-</, or alt->/. to switch buffer/new buffer
# use ^R ^T to open a new file buffer with the file manager
set multibuffer

~~~ * ~~~

Setup fail2ban to protect services
Last update
2019-08-12
«secure apps/server with fail2ban jails: ssh and ssh ddos»

Install fail2ban:

apt-get install fail2ban

Configure fail2ban:

Create a file (a modified copy of jail.conf) with these lines:

[DEFAULT]
# space separated list of IP addresses, CIDR masks, DNS hosts
ignoreip = 127.0.0.1/8 192.168.1.1/24

# number of seconds that a host is banned
bantime  = 3600

# a host is banned if it has generated "maxretry" during the
# last "findtime" seconds
findtime = 600
maxretry = 1
  • on debian 9 put it in /etc/fail2ban/jail.d/local.conf appending these lines:
[sshd]
enabled  = true
maxretry = 1

[sshd-ddos]
enabled  = true
maxretry = 1
  • on debian 8 put it in /etc/fail2ban/jail.local (a copy of jail.conf) appending these lines:
[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 1

[ssh-ddos]
enabled  = true
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 1
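The [DEFAULT] parameters above combine like this: a host is banned as soon as it has produced maxretry matching log lines within the last findtime seconds, unless its address falls inside ignoreip. The script below, added here as an illustration and not part of the original post or of fail2ban itself, replays a few constructed auth.log lines through that rule using the "Failed password" pattern of the sshd filter; the sample log, the documentation addresses in it and the simulate_bans function are this example's own assumptions (fail2ban parses full timestamps and many more patterns, this only handles a single-day log).

```shell
#!/bin/sh
# Added example (not from the original post): replay sshd failures through the
# [DEFAULT] parameters and show which IPs would be banned.
# Constructed sample auth.log lines (not real traffic); documentation addresses only.
SAMPLE_AUTH_LOG='Aug 12 10:00:01 pi sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
Aug 12 10:03:10 pi sshd[1202]: Failed password for root from 203.0.113.5 port 4002 ssh2
Aug 12 10:05:00 pi sshd[1203]: Failed password for pi from 192.168.1.20 port 5000 ssh2
Aug 12 10:06:00 pi sshd[1204]: Failed password for pi from 192.168.1.20 port 5001 ssh2
Aug 12 10:20:00 pi sshd[1205]: Failed password for root from 198.51.100.7 port 6000 ssh2
Aug 12 10:40:00 pi sshd[1206]: Failed password for root from 198.51.100.7 port 6001 ssh2
Aug 12 10:41:00 pi sshd[1207]: Accepted publickey for pi from 192.168.1.20 port 5002 ssh2'

# ignoreip as in the jail config (host bits in a CIDR entry are ignored, as fail2ban does)
IGNOREIP='127.0.0.1/8 192.168.1.1/24'

# simulate_bans FINDTIME MAXRETRY IGNOREIP  < auth.log
# prints one IP per line at the moment it would be banned (same-day log assumed)
simulate_bans() {
  awk -v findtime="$1" -v maxretry="$2" -v ignore="$3" '
    # seconds since midnight from the HH:MM:SS field
    function secs(t,   p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    # dotted quad -> 32-bit number
    function ip2n(ip,   o) { split(ip, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    # true when ip falls inside any ignoreip entry (a plain IP counts as /32)
    function ignored(ip,   k, c, bits, unit) {
      for (k = 1; k <= nign; k++) {
        split(ign[k], c, "/")
        bits = (c[2] == "") ? 32 : c[2]
        unit = 2 ^ (32 - bits)
        if (int(ip2n(ip) / unit) == int(ip2n(c[1]) / unit)) return 1
      }
      return 0
    }
    BEGIN { nign = split(ignore, ign, " ") }
    # the lines the sshd filter matches: sshd[pid]: Failed password for ... from <ip>
    $5 ~ /^sshd\[[0-9]+\]:$/ && /Failed password for/ {
      for (i = 6; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if ((ip in banned) || ignored(ip)) next
      now = secs($3)
      n[ip]++; when[ip, n[ip]] = now
      # count this host failures inside the findtime window ending now
      hits = 0
      for (j = 1; j <= n[ip]; j++) if (when[ip, j] > now - findtime) hits++
      if (hits >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# with the values from the config (findtime=600, maxretry=1) any single failure bans:
printf '%s\n' "$SAMPLE_AUTH_LOG" | simulate_bans 600 1 "$IGNOREIP"
# with maxretry=2 only 203.0.113.5 (two failures 189 s apart) is banned; 198.51.100.7
# also fails twice but 20 minutes apart, outside findtime, and 192.168.1.20 is ignored:
printf '%s\n' "$SAMPLE_AUTH_LOG" | simulate_bans 600 2 "$IGNOREIP"
```

Raising maxretry or lowering findtime is the knob to turn when a legitimate user keeps getting banned for a mistyped password; the intranet range in ignoreip is what keeps local hosts out of the jail entirely.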

Starting, status, unblock IPs:

# restart service after any config modification
systemctl restart fail2ban

# show jailing info/counters
fail2ban-client status
fail2ban-client status sshd
fail2ban-client status sshd-ddos

To unlock blocked IPs:

iptables -L --line-numbers | less -p"Chain fail2ban-ssh" # find the line number of the desired REJECT rule

# iptables -D <rulename> <rule line from rulename header>
iptables -D fail2ban-ssh 1

SSH tips

You can allow or deny access to specific users by editing /etc/ssh/sshd_config:

# allow ssh access only to users A and B and disallow all the others
AllowUsers user_a user_b

# deny ssh access only to users A and B and allow all the others
DenyUsers user_a user_b

In this way the SSH daemon triggers a faster failure+ban for the disallowed users.


Source: debianizzati, digitalocean


~~~ * ~~~

RaspberryPi server
Last update
2019-08-12
«raspi, raspbian, nas, webdav, dlna, media center, torrent, rdp/vnc, print/scan, firewall, dns, monitoring, vpn, zram»

Table of contents:

  1. Update raspbian linux to latest version
  2. Change pi user password and hostname
  3. Configure a static IP address
  4. Tune kernel settings
  5. Tune wifi settings
  6. Remove tv black borders
  7. Fix slow usb mouse
  8. Reduce power consumption
  9. Extend lifespan of mechanical HDD
  10. Extend lifespan of sdcard
  11. Extend your RAM by enabling ZRAM
  12. Setup a NAS (via NFS)
  13. Setup a remote desktop (via VNC)
  14. Setup a shared printer
  15. Setup the firewall
  16. Dedicated posts:
  17. SSH access and tunnels
  18. Tools
  19. Backup
  20. Miscellanea

Update raspbian linux to latest version:

apt-get update
apt-get upgrade
apt-get dist-upgrade
apt-get clean
apt-get autoremove
rpi-update # update firmware & kernel

apt-get purge bash-completion     # speed up shell TAB-auto completion

# --- os version update, eg: from jessie (deb8) to stretch (deb9)
sed -i 's/jessie/stretch/g' /etc/apt/sources.list
sed -i 's/jessie/stretch/g' /etc/apt/sources.list.d/raspi.list
# repeat the commands above, then check the current version:
cat /etc/os-release

Debian 10 upgrade: see rpi blog post notes and comments.




Change pi user password and hostname:

sudo raspi-config # Change User Password; Hostname




Configure a static IP address (see also this and fallback method):

append the following blocks (the ones you need) to /etc/dhcpcd.conf:

interface eth0
fallback mylan

SSID my_wifi_ssid
fallback mylan

interface wlan0
fallback mylan

profile mylan
static ip_address=192.168.1.110/24
static routers=192.168.1.1
static domain_name_servers=84.200.69.80 37.235.1.174 84.200.70.40 37.235.1.177

Note: Do not use the directive inform 192.168.1.110 because it breaks the UPS monitor.




Tune kernel settings

  • Disable IPv6: append ipv6.disable=1 to kernel parameters in /boot/cmdline.txt or:
# via sysctl:
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/local.conf
# via modprobe:
echo "blacklist ipv6" >> /etc/modprobe.d/local.conf
  • Set autoreboot on kernel panic: append panic=5 to kernel parameters in /boot/cmdline.txt or via sysctl:
echo "kernel.panic = 5" >> /etc/sysctl.d/local.conf
  • Remove tv black borders: set disable_overscan=1 in the /boot/config.txt.

  • Fix slow usb mouse: append usbhid.mousepoll=0 to kernel parameters in /boot/cmdline.txt.




Tune wifi settings

# disable roaming
echo "options brcmfmac roamoff=1" >> /etc/modprobe.d/local.conf

# set correct regional domain
sed -i 's/REGDOMAIN=.*/REGDOMAIN=IT/' /etc/default/crda

# auto turn off power management
cd /etc/network/if-up.d/
echo -e '#!/bin/bash\n/sbin/iw dev wlan0 set power_save off' > local-wlan
chmod 755 local-wlan
# find an optimal MTU size via:
#   ping -c 2 -M do -s 1600 www.google.com
# then save it with:
echo "/sbin/ip link set dev wlan0 mtu 1400" >> local-wlan

Turn off bluetooth if unused, see this section.




Reduce power consumption:

put in /etc/rc.local:

# turn off leds multiple times (the inner loop uses its own variable so it
# does not clobber the outer counter)
(for i in 1 2 3 4 5; do
  for led in /sys/class/leds/led?; do
    echo none > $led/trigger
    echo 0    > $led/brightness
  done
  sleep 60
done) &

# disable HDMI output (and set boot to console via raspi-config)
/usr/bin/tvservice -o # -p to re-enable

set boot to console and reduce memory split:

raspi-config # Boot Options > Desktop / CLI > Console
raspi-config # Advanced Options > Memory Split > 16

turn off unused wlan/bluetooth (see /boot/overlays/README) by putting this in /boot/config.txt:

dtoverlay=pi3-disable-wifi
dtoverlay=pi3-disable-bt

and turn off the bluetooth services:

systemctl disable hciuart
systemctl disable bluetooth




Extend lifespan of mechanical HDD:

put in /etc/hdparm.conf:

/dev/sda {
  write_cache = on
  # -B -- disable Advanced Power Management
  apm = 254
  # -S -- 1h timeout
  spindown_time = 242
}
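The spindown_time value above is hdparm's -S encoding, which is not linear: 1..240 are multiples of 5 seconds, 241..251 are 1..11 units of 30 minutes, 252 is 21 minutes, 253 is vendor-defined and 255 is 21 minutes 15 seconds (from the hdparm man page). The shell functions below, added here as an example and not part of the original post or of hdparm, decode a -S value into seconds and pick the value for a timeout given in minutes; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): decode/encode the hdparm -S
# (spindown_time) value using the ranges documented in hdparm's man page.

# hdparm_spindown_seconds VALUE -> seconds of idle time before spindown (0 = disabled)
hdparm_spindown_seconds() {
  n=$1
  if [ "$n" -eq 0 ]; then
    echo 0                                    # timeout disabled
  elif [ "$n" -ge 1 ] && [ "$n" -le 240 ]; then
    echo $((n * 5))                           # 1..240: multiples of 5 seconds
  elif [ "$n" -ge 241 ] && [ "$n" -le 251 ]; then
    echo $(((n - 240) * 30 * 60))             # 241..251: 1..11 units of 30 minutes
  elif [ "$n" -eq 252 ]; then
    echo $((21 * 60))                         # 21 minutes
  elif [ "$n" -eq 255 ]; then
    echo $((21 * 60 + 15))                    # 21 minutes 15 seconds
  else
    echo "vendor-defined or reserved value $n" >&2; return 1   # 253, 254
  fi
}

# hdparm_spindown_value MINUTES -> the -S value for that timeout, or failure when the
# timeout has no exact encoding (e.g. 45 min: more than 20 min and not a 30-min multiple)
hdparm_spindown_value() {
  m=$1
  if [ "$m" -ge 1 ] && [ "$m" -le 20 ]; then
    echo $((m * 60 / 5))                      # whole minutes are always 5 s multiples
  elif [ "$m" -ge 30 ] && [ "$m" -le 330 ] && [ $((m % 30)) -eq 0 ]; then
    echo $((m / 30 + 240))
  else
    echo "no exact -S value for $m minutes" >&2; return 1
  fi
}

# the config above uses spindown_time = 242
hdparm_spindown_seconds 242   # 3600, i.e. the 1h timeout of the comment
hdparm_spindown_value 60      # 242
```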




Extend lifespan of sdcard:

install my tmpfs-folders script and add a custom periodic cleaning of /var/log files in root crontab:

#  m   h   dom   mon   dow   command
   0   0     *     *     3   /opt/systemd-units/clear_var_log.sh > /dev/null 2> /dev/null




Extend your RAM by enabling ZRAM (compressed RAM):

put in /etc/rc.local:

if modprobe zram num_devices=1 ; then
  echo lz4  > /sys/block/zram0/comp_algorithm
  echo 384M > /sys/block/zram0/mem_limit
  echo 768M > /sys/block/zram0/disksize

  mkswap /dev/zram0
  swapon -p 10 /dev/zram0

  sysctl vm.swappiness=90
fi

and optionally disable dphys-swapfile swapfile service:

systemctl disable dphys-swapfile




Setup a NAS (via NFS):

Server side commands:

apt-get install nfs-kernel-server

systemctl enable rpcbind # it's disabled by default...
systemctl restart nfs-kernel-server

# add a share to /etc/exports
echo "/path 192.168.1.0/24(rw,sync,no_subtree_check,all_squash,anonuid=1001,anongid=1001)" >> /etc/exports

exportfs -ra # reload server

and append these lines to /etc/rc.local:

# fix: nfs server doesn't start without rpcbind
systemctl start   rpcbind
systemctl restart nfs-kernel-server

Client side commands:

echo "192.168.1.110:/path /mnt/path nfs defaults,user,exec 0 0" >> /etc/fstab
mount /mnt/path




Setup a remote desktop (via VNC):

You have three options:

  1. Install the modern TigerVNC server, see the dedicated post
  2. Use the lightdm TigerVNC service by enabling it in /etc/lightdm/lightdm.conf
  3. Install the old TightVNC:

    apt-get install tightvncserver
    # set a password and run a LQ server on display 1:
    vncpasswd
    vncserver -geometry 1024x768 -depth 8 :1
    vncviewer server_ip:1 # connect from another host
    




Setup a shared printer:

apt-get install cups
apt-get install hplip # HP printers drivers
hp-setup -i # install printer + dl drivers

elinks http://localhost:631
# Administration > Printers > Add printer
# Server settings > Share printers connected to this system

then turn the printer off and on again.

On Android you can install these apps: Let's print Droid, and Let's Print PDF.




Setup the firewall:

apt-get install ufw

ufw reset # reset to defaults

ufw default allow outgoing
ufw default deny  incoming

ufw limit 22/tcp              # max 6 new connections every 30 seconds
ufw limit 2200:2230/udp       # mosh port range
ufw allow from 192.168.1.0/24 # your intranet
ufw allow 1810:1819/tcp       # deluge
ufw allow 1810:1819/udp       # deluge

ufw enable




Dedicated posts:




SSH access and tunnels:

Here is an example for creating some simple forward tunnels while connecting to a remote server:

# deluge thin client & web ui, vnc, nginx
ssh \
  -L 58846:localhost:58846 \
  -L 8112:localhost:8112   \
  -L 5901:localhost:5901   \
  -L 1234:localhost:1234   \
  user@server_addr

There are some great SSH clients, such as PuTTY for Windows/Linux and JuiceSSH on Android.

Use mosh (even with juiceSSH!) to reliably connect from unstable or high latency networks:

apt-get install mosh               # run this both on client and server
mosh -p 2200:2230 user@server_addr # connect to opened UDP ports on server

Read the dedicated post for an advanced tunnel usage.

Read the dedicated post to setup a SOCKS proxy with SSH.




Tools:

apt-get install rpi-chromium-mods # video acceleration on google chrome
apt-get install remmina           # very handy VNC/SSH GUI
apt-get install omxplayer         # accelerated cli media player
  • OMXplayer GUIs:

    sudo apt install libdbus-1-dev
    pip install omxplayer-wrapper
    wget -O ~/bin/gomx https://github.com/vladcc/gomx/raw/master/gomx/gomx.py
    chmod 755 ~/bin/gomx
    sed -i 's/^PL_WIN_PAD = .*/PL_WIN_PAD = 0/' ~/bin/gomx # adjust padding
    
  • raspi-keygen -- Patch for MPEG-2, VC-1 license (untested, use it at your own risk)

    cd /boot && cp start.elf start.elf_backup && \
      perl -pne 's/\x47\xE9362H\x3C\x18/\x47\xE9362H\x3C\x1F/g' < start.elf_backup > start.elf
    




Backup:

You can do a full/raw sdcard backup or a live/tar one.

As an alternative to 7za you can use xz just like the gz command (or use the -J option of tar).




Miscellanea:

  • Fix TV/monitor not detected unless powered on first:

    sudo tvservice -d /boot/edid.dat
    
    # /boot/config.txt
    hdmi_edid_file=1
    hdmi_force_hotplug=1
    
  • Test if we are on a raspberry (/sys, /proc/cpuinfo):

    cat /sys/firmware/devicetree/base/model # Raspberry Pi 3 Model B Rev 1.2
    grep Hardware /proc/cpuinfo             # Hardware : BCM2708
    
  • To save space on new installs of ruby gems, put in ~/.gemrc:

    install: --no-rdoc --no-ri --no-document
    update:  --no-rdoc --no-ri --no-document
    

    and to install a gem in the user $HOME use this command:

    gem install --user-install bundler
    
    # remember to update your PATH adding this line to ~/.bashrc
    export PATH=$HOME/.gem/ruby/2.1.0/bin:$PATH
    
  • If you have a logitech wireless keyboard (eg: K400+) then you can use solaar to query and configure it:

git clone https://github.com/pwr/Solaar.git
cd Solaar/bin

solaar show all
solaar show 1 | grep Battery
solaar config 1 fn-swap off # toggle function keys
  • If you have a keyboard without the F# keys (like the Kano keyboard) you can emulate them with xdotool and then run it via xbindkeys:

    sudo apt-get install xdotool xbindkeys xbindkeys-config
    xdotool key ctrl+alt+F1  # emulate this key press
    xbindkeys-config         # create and save your bindings
    xbindkeys                # run daemon
    

    or you can use xmodmap to remap existing keys:

    xmodmap -pke | tee ~/.Xmodmap > ~/.Xmodmap-orig
    nano    ~/.Xmodmap # edit keys
    xmodmap ~/.Xmodmap # load changes (run this on X startup)
    

    see Xorg keyboard references on the bottom.

  • Autostart programs when logging in to LXDE: put your commands prefixed by @ in ~/.config/lxsession/LXDE-pi/autostart




Notes:

  • Raspberry Pi 3 provides 1.2A USB current by default (no need to set max_usb_current=1 in /boot/config.txt). Of course a 2.5A PSU is mandatory.

Tips:

Sources:


~~~ * ~~~

Useful Android apps
Last update
2019-08-08
«a collection of must have android apps for many common needs»

General

Media

Games

System


~~~ * ~~~

rclone upload/download split/restore large file
Last update
2019-08-02
«upload/backup a big file to your online drive with auto split/concatenation»
#!/usr/bin/env ruby

require 'shellwords'

RCLONE_OPTS = ENV['RCLONE_OPTS'].to_s

def print_usage_and_exit
  progr = File.basename __FILE__
  puts "USO: #{progr} <service_name> <ul|dl|rm|ls> <src_file|-> [<dst_file|->] [chunk_size_MB]"
  puts "  splits/concatenate and upload/download a file via rclone"
  puts "  eg: tar -cf - / | pigz | #{progr} gdrive ul - /backup/vps/root.tgz"
  puts "  eg: #{progr} gdrive dl /backup/vps/root.tgz - | tar -xzf - -C /"
  puts "  eg: #{progr} gdrive ul homes.tgz /backup/vps/homes.tgz"
  puts "  eg: #{progr} gdrive dl /backup/vps/homes.tgz homes.tgz"
  puts "  eg: #{progr} gdrive rm /backup/vps/homes.tgz"
  puts "  eg: #{progr} gdrive ls /backup/vps"
  exit 1
end

# temp files cleanup on exit
$temp_files = []
def remove_temp_files; $temp_files.each{|f| File.unlink(f) rescue nil }; end
Signal.trap('INT' ){ remove_temp_files; exit }
at_exit{ remove_temp_files }

# sanitize parameters
srv_name, action, src_file, dst_file, chunk_size = ARGV
srv_name   = srv_name.to_s.strip
src_file   = src_file.to_s.strip
dst_file   = dst_file.to_s.strip
chunk_size = 1024 * 1024 * (chunk_size.to_i > 0 ? chunk_size.to_i : 100) # default 100MB

case action
when 'rm'
  print_usage_and_exit if ARGV.size < 3

  puts "deleting files..."
  system %Q|rclone #{RCLONE_OPTS} --include #{src_file.shellescape}.rc\\* delete #{srv_name}:|
when 'ls'
  print_usage_and_exit if ARGV.size < 3

  puts "listing files..."
  files = `rclone #{RCLONE_OPTS} lsf #{srv_name}:#{src_file.shellescape}`.split("\n")
  puts files.map{|i| i =~ /\.rc[0-9]{4}/ ? "*#{i[0..-8]}" : " #{i}"}.sort.uniq
when 'ul'
  print_usage_and_exit if ARGV.size < 4

  puts "deleting any eventual old files..."
  system %Q|rclone #{RCLONE_OPTS} --include #{dst_file.shellescape}.rc\\* delete #{srv_name}:|

  puts "split and upload of [#{src_file}]:"
  fd_src = src_file == '-' ? STDIN : File.open(src_file)
  chunk_idx = -1
  until fd_src.eof?
    remote_name = "#{dst_file}.rc#{"%04d" % (chunk_idx+=1)}"
    tmp_name    = `mktemp -u /tmp/rclone-bkup.XXXXXXXXXX`.strip
    $temp_files << tmp_name
    File.open(tmp_name, 'wb'){|f| f << fd_src.read(chunk_size) }
    ObjectSpace.garbage_collect
    puts "  #{tmp_name} => #{remote_name}"
    system %Q|rclone #{RCLONE_OPTS} copyto  #{tmp_name.shellescape}  #{srv_name}:#{remote_name.shellescape}|
    File.unlink tmp_name
  end
  fd_src.close
when 'dl'
  print_usage_and_exit if ARGV.size < 4

  remote_names = `rclone #{RCLONE_OPTS} --include #{src_file.shellescape}.rc\\* lsf #{srv_name}: -R --files-only`.split("\n").sort
  if remote_names.size == 0
    puts "no file found"
    exit 1
  end

  STDERR.puts "download and restore to [#{dst_file}]:"
  fd_dst = dst_file == '-' ? STDOUT : File.open(dst_file, 'wb')
  remote_names.each do |remote_name|
    tmp_name = `mktemp -u /tmp/rclone-bkup.XXXXXXXXXX`.strip
    $temp_files << tmp_name
    STDERR.puts "  #{remote_name} => #{tmp_name}"
    system %Q|rclone #{RCLONE_OPTS} copyto  #{srv_name}:#{remote_name.shellescape}  #{tmp_name.shellescape}|
    File.open(tmp_name) do |fd_chunk| # append the chunk to the destination, 10MB at a time
      fd_dst << fd_chunk.read(1024 * 1024 * 10) until fd_chunk.eof?
    end
    File.unlink tmp_name
  end
  fd_dst.close
else
  puts "action [#{action}] unknown"

  print_usage_and_exit
end