May 22, 2020

xtables-addons: How to fix 'Can't open DBIP database' Error

When you are using the 3.8-* version of xtables-addons to harden your server with a geofence, chances are super high that things don't work anymore… The latest problem occurs after you have downloaded the geo-ip-tables from Maxmind and try to convert the tables for the geofence with xt_geoip_build. You get this error: Can't open DBIP database. The simple reason for this is that the developers of xtables-addons decided to get rid of Maxmind (maybe because they did that thing with the user accounts a couple of months ago? Read more

May 15, 2020

MSMTP: Sending Mail With a Linux Server

If you are running a Linux server, you probably want to enable that thing to send emails to you. This is useful, for instance, to tell you that someone got blocked by fail2ban. In earlier years, SSMTP has been a good candidate to achieve this kind of thing. Today, Debian, Raspbian, and probably Ubuntu server OSes have no package for SSMTP anymore. However, you can use MSMTP to achieve the same thing. Read more

January 2, 2020

xt_geoip_dl vs. Maxmind Accounts

For some time I have used a geofence on my servers to ban all incoming requests that do not originate from DE. The company (Maxmind) that distributes up-to-date mappings from IP ranges to country codes (“geoip tables”) recently changed how they distribute these files. Now, you must have an account and license key to download the geoip tables. Note: everything is still free! The need for login credentials breaks the update mechanism for geoip tables, which typically uses xt_geoip_dl. Read more

June 18, 2019

Extract Attachments From Email (mbox) using Python

Some days ago I had the idea to dig around in my mailbox and see what people have sent me over the years. As I was especially interested in the attachments (pictures) I googled a bit and found out you can quickly extract stuff from an mbox (used by a Dovecot SMTP server). Here's what I cobbled together. #!/usr/bin/python import mailbox import dateutil.parser from datetime import datetime mbox = mailbox.mbox('/home/USER/mail/MAILBOX') def extractattachements(message): if message. Read more

June 11, 2019

A Song of Praise on Manjaro Linux (Gnome Edition)

As I am a friend of free and open source software I actually would love to use a Linux-based OS on my Laptop(s). However, after countless tries I must say that I am not a big friend of Linux on a notebook. I often found the system to be a bit fragile, things that “just work” on other OSes (like a Bluetooth keyboard, tethering or an external screen) can be a fight, if you have a bit of special hardware it can take ages to set it up, power management sometimes does not work properly (so your Laptop gets super hot while the battery is drained in no time)… At least, this is what I have experienced in the last years with Ubuntu or Ubuntu-based distributions running on my old MacBook Air from 2011. Read more

May 23, 2019

Deploying a Website with goHugo.io and Gitlab CI/CD

When I need to build a website, I typically use Hugo to generate the .html from .md. However, one thing is a bit inconvenient: deployment. If not done right, you have to do that manually (edit -> hugo -> rsync). Alternatively, and much better, you can use the Hugo-Gitlab|Hub-Netlify-toolchain I described earlier. These days, I needed a website for a new research project of mine and didn't want to ship the site with Netlify. Read more

March 26, 2019

Playing with WireGuard VPN

For a couple of years I have used OpenVPN to access my home network from remote and also to protect my traffic when I am traveling and have to use WiFi networks I do not completely trust. Unfortunately, the iOS VPN client does not work for me anymore, so I needed an alternative. My Fritz Box (German home WiFi router brand) actually supports an IPSec VPN. However, iOS's VPN client is horrible. Read more

March 16, 2019

xtables-addons-common on Ubuntu 18.04

Last year in June I set up a geofence on my home server to ban all access not coming from DE. In January I noticed that things did not work anymore. A bit of research revealed that the company that provides the needed GeoIP tables decided to stop shipping them in format A and only offered the tables in format B. So neither the script that downloads the tables (xt_geoip_dl) nor the script that converts the tables (xt_geoip_build) into the binary format that xt_geoip can digest to block connection attempts worked anymore. Read more

March 4, 2019

Block Ads and Trackers with Pihole in a Docker Container

Recently I stumbled upon Pihole, which is a tool that blocks advertisements and web trackers. The nifty idea of Pihole is that it is not a web proxy like Privoxy but acts as a DNS server in your network. So, after installing Pihole, you set up your devices in a way that they use Pihole as a DNS server. Then, the device's DNS requests for “good” domains are answered and DNS requests for known, blacklisted ad/tracker domains are not answered (= blocked). Read more

August 10, 2018

Domains and Sub-domains for Home-Hosted Services

I like to host (most of) the web services I use for my daily routine at home. Recently, I started shipping services using Docker containers. To make these services available via a public IP address and to conveniently enable HTTPS, I decided to use nginx as a reverse proxy. So the dockerized service becomes available via something like https://mydomain.dyndnsservice.xy/servicename. At least this was the plan. Unfortunately, I ran into the same problem every time I tried to coax a dockerized service to live happily in a “sub-folder” of my dynamic DNS domain. Read more

July 24, 2018

Hardening a Server with a Geofence

I recently noticed some odd HTTP requests on my web server, which I exclusively use for private purposes like hosting Nextcloud, GOGS, or Wallabag. I did a bit of research where these requests come from – just fire something like for elem in $(awk '{print $1 | "sort | uniq"}' /var/log/nginx/access.log); do curl ipinfo.io/$elem; done – and found out that they all originate from Russia, China or India. That sounds a bit suspicious to me. Read more

July 14, 2018

Deploying a Website with goHugo.io, github.com, netlify.com and forestry.io

For a good while I have used the static website generator Hugo for my Blog (which (by the way) is back online since a few days (minus the photos) after I got rid of my vServer last month). As I do not have this vServer anymore, I neither have a repository that keeps track of my website's source code, nor a machine that will automatically build the website's html whenever I change something, nor a public web server to serve the website's html. Read more

December 18, 2017

Three Ways of Becoming Root in Ansible

To gain a basic understanding of Ansible, I recently decided to play a little with it. What I wanted to achieve is a simple update-playbook for my three servers. One question I stumbled upon more or less immediately was: how do I actually become root on the different systems? In case of my Debian box this was straightforward, as I can ssh to that box as root using my ssh key. Read more

July 10, 2017

Hosting Nextcloud on a nginx Web Server

A good while ago I ditched my so-far preferred file-synchronization solution Syncthing for Nextcloud. The reason for this step was that Syncthing behaved in odd ways quite often: sometimes it didn't find content that should be synced, at other days the sync process got stuck and wouldn't complete. I really got annoyed fixing my Syncthing cluster manually almost weekly and started to play with Nextcloud. I decided not to have just one Nextcloud instance, but two: one instance on a public vServer (Debian Jessie; mostly to sync calendars and contacts between Mac OS and iOS devices, and sharing files with others), the other instance (Ubuntu 16. Read more

June 21, 2017

Dockerizing Stuff for Fun and Profit

When I want to play with $things, I mostly use virtual machines as throw-away systems that I can mess up with odd software I don't want to install on my Mac or that simply does not run on it. A good while ago I looked into docker as a more lightweight and flexible alternative to a VM. However, I put docker aside as it wasn't usable on a Mac at all. Read more

June 10, 2017

FFMPEG vs My 'Go Low' Action Cam

I got myself a really cheap action cam. Think “China copy” and “Go Pro” and you know what I bought. However, for its 35 EUR price tag that thing is pretty cool. One problem with that cam is that it comes without any software. So you need to dig around a bit if you want to get creative with recorded movies and pictures. So far, I tried two things: time lapse videos from a sequence of photos and stabilized videos. Read more

June 1, 2017

Inline Enumerations in LaTeX

Normally you use the \enumerate command in LaTeX to create enumerated lists like this: I use lots of space! If you prefer your enumeration “inline”, you could do that: ... \newcommand{\inlineEnum}[1]{ \ifcsname c@#1\endcsname \addtocounter{#1}{1} \textbf{\arabic{#1})~} \else \newcounter{#1} \setcounter{#1}{1} \textbf{\arabic{#1})~} \fi } ... \begin{document} \inlineEnum{counter} Here is some text. \inlineEnum{counter} Here is some more text. \inlineEnum{counter} And another sentence! ... \end{document} Much better: … Here is some text. Read more

May 31, 2017

Testing Guetzli - Google's Perceptual Image Encoder

… a quick test of the Guetzli JPEG encoder published some weeks ago by Google. To my big surprise, you cannot encode TIFF or another lossless image format into JPEG. You need to export your RAW camera file first to JPEG @ 100% quality. Then you encode that file with Guetzli. Seems a tad odd to me, as you have a lossless compression two times. The speed of Guetzli is furthermore quite disappointing. Read more

May 31, 2017

Using Two Different GitHub Accounts on the same Computer

Some days ago I created, next to my private GitHub account, another one for work. At first I was a bit confused about how to authenticate to two different GitHub accounts. The solution is rather simple, as my former colleague R. H. told me. At first, you need to create two different SSH keys id_rsa_work and id_rsa_priv. Of course you can use your already existing SSH key for one of the GitHub accounts. Read more

January 20, 2017

Automatically Split and Crop a Multi Page PDF File

My workflow for LaTeX documents with figures is that I typically first draw the figures in MS Visio, then export the drawing to PDF and finally crop the PDF file so that there is no white margin anymore. This is a little tedious when you have lots of figures and lots of updates on these figures… I changed my workflow a bit. Meanwhile I draw all figures in the same Visio file. Read more

January 2, 2017

Automatic Renewal of Let's Encrypt Certificates

For a couple of months I have delivered all my websites by HTTPS only. Certificates are issued by Let’s Encrypt and I use Certbot as a certification client (hope that is the correct word). This works quite well, actually. However, the certificates from Let's Encrypt have one drawback: they expire after 90 days. Hence, you need to renew the certificate now and then. The description from the Certbot page does not work for me, as the renew verb of the certbot command would create one certificate (with many common names) for all pages served by the server. Read more

February 12, 2016

Checking a Web Server's TLS Configuration

Yesterday I reinstalled my virtual server and also created a new configuration for the Apache web server that fixed some issues of the old one. I also wanted to know how well Apache is configured regarding the security of TLS. Some days earlier, I stumbled upon SSL Labs, a site offering some automatic checks regarding the certificate, the server configuration and the used server software itself. Seems the server is quite fine. Read more

December 21, 2015

SVN Externals

I know that subversion is somehow out of fashion. However, svn has some benefits, as you can control access to individual directories quite easily. Today I asked myself if it is possible to combine contents of one svn with contents of the other. Or, to put it differently, to kind of “mount” one SVN into the other. The answer is svn externals. As the documentation is a little crappy, I want to write down what I found out. Read more

September 8, 2015

Some Shell Scripts for Duplicity

Some days ago I accidentally noticed that my ISP upped the meager free online storage capacity included in my contract to a whopping 1TB. This is finally a size where one can think about backing up data to ‘the cloud’. I updated my old duplicity scripts that I did not use for some time and thought I can put them to this place; maybe they are useful to somebody. The files are also available in my github. Read more

May 27, 2015

Syncthing

A while ago I wrote about the combination of encfs, GnuPG and a file synchronization software like OwnCloud. I used this for almost 3 months and was really happy with it. But suddenly I experienced strange problems: it seemed that encfs was unable to decrypt files. When accessing a file I got something like an input/output error. Interestingly, the affected files were all different ones on my three computers that I synced via this solution. Read more

May 15, 2015

Messing With DNS Using NFQUEUE and Scapy

Some days ago I taught myself a little about NFQUEUE and Python. Meanwhile I dug a little more into the matter and looked into building new network packets. In this special case I wanted to create DNS packets. The idea was to intercept DNS requests with Netfilter and return a fake IP address in a faked DNS response. Messing with packets in Python is quite easy to do when you use the Python bindings for Scapy, a quite powerful packet manipulation tool. Read more

May 8, 2015

Messing With VoIP Calls Using NFQUEUE

For the project of one of my students we need to intercept and modify SIP messages. Our first idea was to configure a proxy in the SIP user agent (soft phone) and to modify an existing SIP proxy to our liking. Unfortunately this approach did not work reliably, as the soft phone seemed to be faulty: some SIP messages were sent via the proxy we configured, others were sent directly to the server. Read more

April 1, 2015

My Take on the Ubuntu Phone

Since a couple of days I've got an Ubuntu Phone, or, to express myself more correctly: a bq Aquaris E4.5 with Ubuntu Touch pre-installed. The hardware is surprisingly cheap (170 EUR) but also surprisingly fine (if you are okay with plastic). But let's talk about the software: I am not very happy with Ubuntu Touch at the moment, as this OS is very unfinished. I really think nobody who does not own a degree in informatics should buy one at the moment. Read more

April 1, 2015

Ubuntu Phone First Configuration

Previously, I've written down my first thoughts about the new Ubuntu Phone. In this post I want to explain some first configuration steps: WIFI configuration I had the problem that I couldn't paste my complicated password into the UI. A workaround is the following: Install the Terminal application from the Ubuntu store via the 3G connection. By the way: when the Terminal is started, a password is asked for. That is your phone's lock screen PIN, which is also your root (sudo) password. Read more

March 13, 2015

Publishing PGP keys in DNS

In most cases people publish their GPG Key on a key server which (typically) syncs keys with other key servers. Yesterday I learned that there's another option: When you are in control of a DNS server you can publish your key (or more specifically: a pointer to that key) in a DNS TXT record. So what you're doing is the following: you export your public key to a file, preferably ASCII armored Read more

March 4, 2015

encfs + GnuPG

Yesterday I discussed with somebody that it would be cool to use encfs on a folder shared with several people. The word “folder” can be understood as a Samba share, a Subversion repository, or a Dropbox. Obviously, the showstopper here is the exchange of the symmetric key needed by encfs. So let's use our GnuPG keys! The idea of the script is as follows: generate a symmetric key $encfsKey for encfs using /dev/urandom; wrap $encfsKey using GnuPG; the $receivers variable holds the IDs of all people that should be allowed to decrypt $encfsKey (the folder) plus your own ID (you also want to decrypt! Read more

March 3, 2015

Visiting Cards With Latex

I created a simple Latex template for a standard 85x55mm visiting card and some add-ons. The template features the standard elements of a visiting card plus a PGP/GPG fingerprint and some space for an (optional) portrait, logo or QR Code. As I wanted to use a specific font not available in MacTeX, I used XeLaTeX. XeLaTeX gives access to fonts installed on the Mac, such as Times New Roman, Arial, Helvetica, etc. Read more

February 15, 2015

Update PGP Key

Again some notes, mostly for myself… I wanted to update both my (private/office) 2048-bit GPG keys to a (single) 4096-bit key. Here are some handy commands. Start with generating a new key: gpg --gen-key Select an RSA/RSA 4096 bit key… Edit your new key, add all mail addresses you need. Also set your preferred hash and crypto algorithms. gpg --edit-key NEWKEYID > adduid > ... > setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed > quit Make a backup of your new key… Read more

February 12, 2015

Some Notes on GnuPG on Mac

Recently I have been playing a little with GnuPG and I wanted to document some things, mostly for myself… GnuPG on Macs It seems that GnuPG version 2 available in Homebrew is broken. Instead use MacGPG2. If you do not want to compile this by yourself, there is also a handy installer available, which comes with a plugin for Apple Mail and a graphical tool for key management. Command Line Voodoo Creating a signature of a file (= create hash value of file + encrypting hash value with own private key): Read more

November 17, 2014

Space-Efficient Hard Drive Images with dd

dd is able to copy every single bit of data from a source volume to some other destination. This is cool for some applications but has drawbacks when you simply want to make a backup of a volume: even when your volume is only - let's say - half full, the copy will be as big as the entire volume. Furthermore, when you pipe the data stream read by dd through gzip, it won't compress well. Read more

August 14, 2014

Syncthing

Syncthing is a file syncing application that might replace Dropbox and other public Cloud services. In contrast to OwnCloud or Seafile there is no central server. The synchronization is done between equal peers. Well, at least each peer runs the same software. I fiddled around with Syncthing and tried to sync stuff between my two MacBooks. Here the problem is that both computers are rarely running at the same time. So I put a Syncthing instance on my always-on home server and built some kind of a “synchronization star-topology” with a central sync point. Read more

August 7, 2014

Bitmessage

I found a nice application which might replace email in some time: Bitmessage. Basically, Bitmessage creates a Peer-to-Peer network, i.e., a network of equal participants. The quite interesting feature of this app is that it broadcasts messages to (all) participants in this P2P network. As the message is encrypted with the public key of the intended receiver, only this person is able to decrypt the message. The cool feature now is that nobody knows who was able to decrypt the message. Read more

July 21, 2014

Using OpenVPN as a Home Gateway + Internet Gateway

Well, first of all I need to explain my headline: Up to now I operated my OpenVPN Server at home as a gateway into my home network. When I connect a mobile device to the OpenVPN I can use the services I run inside the private home network from remote. All other traffic (surfing the web, mailing, etc.) does not flow over the tunnel. This is in most cases what I want as tunneling EVERYTHING through my Home Server would be quite s l o w. Read more

May 8, 2014

Encrypt webdavfs

In my last post I described how it is possible to combine several cloud storage spaces into one logical storage space. An article I recently read about encfs popped into my head and I had the idea to combine this with the “super storage space” (S3) created during my break this noon :D prepare your S3 as described in the last post. I guess it’s a good idea to mount the individual webdavfs to /media/. Read more

May 8, 2014

Logically Combining Several Free Cloud Storage Spaces Into One

I know a couple of free-of-cost online storage options. The Telekom Mediencenter is one of them, which gives you a decent 25GB of storage. A big bonus is that you can mount that thing as a webdavfs in Linux. Combined with the tool duplicity and cron you can build yourself a nice and encrypted backup system using the Mediencenter. But to be honest: even 25GB are pathetic today. So we need more space. Read more

April 26, 2014

Flashing / Installing an OS on a Cubietruck (Cubieboard 3)

Update (Feb. 2017): The text below got pretty old and I just realized that some hyperlinks did not survive the migration from the Wordpress blog I used ages ago to Hugo… In the meantime, some very good Linux distributions emerged from the community, which are really simple to install. I personally recommend Armbian. My Cubietruck has been running very reliably with this distribution for two years. Furthermore, in case there are issues you cannot solve yourself, the Armbian Forum has been very helpful. Read more

© holger 2015 - 2020