# xtables-addons: How to fix 'Can't open DBIP database' Error

When you are using the 3.8-* version of xtables-addons to harden your server with a geofence, chances are high that things don't work anymore… The latest problem occurs after you have downloaded the GeoIP tables from Maxmind and try to convert them for the geofence with xt_geoip_build. You get this error: Can't open DBIP database. The simple reason is that the developers of xtables-addons decided to get rid of Maxmind (maybe because of that thing they did with the user accounts a couple of months ago?

# MSMTP: Sending Mail With a Linux Server

If you are running a Linux server, you probably want it to be able to send emails to you, for instance to tell you that someone got blocked by fail2ban. In earlier years, SSMTP was a good candidate for this. Today, Debian, Raspbian, and probably Ubuntu server OSes no longer ship a package for SSMTP. However, you can use MSMTP to achieve the same thing.

# xt_geoip_dl vs. Maxmind Accounts

For some time I have used a geofence on my servers to ban all incoming requests that do not originate from DE. The company (Maxmind) that distributes up-to-date mappings from IP ranges to country codes ("geoip tables") recently changed how they distribute these files: now you must have an account and a license key to download the geoip tables. Note: everything is still free! The need for login credentials breaks the update mechanism for geoip tables, which typically uses xt_geoip_dl.

# Extract Attachments From Email (mbox) using Python

Some days ago I had the idea to dig around in my mailbox and see what people have sent me over the years. As I was especially interested in the attachments (pictures) I googled a bit and found out that you can quickly extract stuff from an mbox (the mailbox format used by my Dovecot IMAP server). Here's what I cobbled together.

```python
#!/usr/bin/python
import mailbox
import dateutil.parser
from datetime import datetime

mbox = mailbox.mbox('/home/USER/mail/MAILBOX')

def extractattachements(message):
    if message.
```
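A complete version of that idea, added here as an example and not taken from the post: it walks every message of an mbox with the standard `mailbox` module and writes out each part whose Content-Disposition is `attachment`. The sample mbox is constructed inline so the script runs offline; the attachment in it carries a filename with `../` segments, because the filename of an attachment is chosen by the sender and must never be used as a path as-is. The helper names (`build_sample_mbox`, `safe_filename`, `extract_attachments`, `run_demo`) are my own.

```python
#!/usr/bin/env python3
"""Extract attachments from an mbox file (added example, not the post's code).

Assumptions: the sample mbox is constructed inline; attachment names are
treated as untrusted input and reduced to a safe base name.
"""
import os
import re
import tempfile
import mailbox
from email.message import EmailMessage
from email.utils import formatdate


def build_sample_mbox(path: str) -> None:
    """Write a constructed two-message mbox: one message with a JPEG
    attachment whose name attempts path traversal, one plain text message."""
    mb = mailbox.mbox(path)
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "holiday pictures"
    msg["Date"] = formatdate(1560000000)
    msg.set_content("see attached")
    msg.add_attachment(b"\xff\xd8\xff\xe0fakejpeg", maintype="image",
                       subtype="jpeg", filename="../../etc/cron.d/evil.jpg")
    mb.add(msg)
    plain = EmailMessage()
    plain["From"] = "bob@example.org"
    plain["To"] = "user@example.org"
    plain["Subject"] = "no attachment"
    plain["Date"] = formatdate(1560000100)
    plain.set_content("just text")
    mb.add(plain)
    mb.flush()
    mb.close()


def safe_filename(name: str) -> str:
    """Drop any directory part (both separator styles) and restrict the
    remaining characters, so a sender cannot steer where we write."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return base or "attachment"


def extract_attachments(mbox_path: str, out_dir: str) -> list:
    """Walk every message and every MIME part; save attachment parts under
    <message index>_<safe name> in out_dir. Returns the saved paths."""
    saved = []
    for idx, message in enumerate(mailbox.mbox(mbox_path)):
        for part in message.walk():
            if part.get_content_disposition() != "attachment":
                continue
            name = safe_filename(part.get_filename() or "attachment")
            target = os.path.join(out_dir, f"{idx:04d}_{name}")
            with open(target, "wb") as fh:
                fh.write(part.get_payload(decode=True))
            saved.append(target)
    return saved


def run_demo() -> dict:
    """Build the constructed mbox in a temp dir, extract, report results."""
    work = tempfile.mkdtemp()
    mbox_path = os.path.join(work, "sample.mbox")
    build_sample_mbox(mbox_path)
    paths = extract_attachments(mbox_path, work)
    return {
        "count": len(paths),
        "names": [os.path.basename(p) for p in paths],
        "bytes": [open(p, "rb").read() for p in paths],
    }


if __name__ == "__main__":
    print(run_demo())
```

Replace `build_sample_mbox` with the path of a real mbox to use it on your own mail; the traversal name in the sample ends up as `0000_evil.jpg` inside the output directory rather than somewhere under `/etc`.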

# A Song of Praise on Manjaro Linux (Gnome Edition)

As a friend of free and open source software I would actually love to use a Linux-based OS on my laptop(s). However, after countless tries I must say that I am not a big friend of Linux on a notebook. I often found the system to be a bit fragile: things that "just work" on other OSes (like a Bluetooth keyboard, tethering or an external screen) can be a fight, if you have somewhat special hardware it can take ages to set up, and power management sometimes does not work properly (so your laptop gets super hot while the battery drains in no time)… At least, this is what I have experienced in the last years with Ubuntu or Ubuntu-based distributions running on my old MacBook Air from 2011.

# Deploying a Website with goHugo.io and Gitlab CI/CD

When I need to build a website, I typically use Hugo to generate the .html from .md. However, one thing is a bit inconvenient: deployment. If not done right, you have to do that manually (edit -> hugo -> rsync). Alternatively, and much better, you can use the Hugo-Gitlab|Hub-Netlify toolchain I described earlier. These days, I needed a website for a new research project of mine and didn't want to ship the site with Netlify.

# Playing with WireGuard VPN

For a couple of years I have used OpenVPN to access my home network remotely and also to protect my traffic when I am traveling and have to use WiFi networks I do not completely trust. Unfortunately, the iOS client does not work for me anymore, so I needed an alternative. My Fritz Box (a German home WiFi router brand) actually supports an IPsec VPN. However, iOS's VPN client is horrible.

## March 16, 2019

Last year in June I set up a geofence on my home server to ban all access not coming from DE. In January I noticed that things did not work anymore. A bit of research revealed that the company providing the needed GeoIP tables decided to stop shipping them in format A and only offered the tables in format B. So neither the script that downloads the tables (xt_geoip_dl) nor the script that converts the tables (xt_geoip_build) into the binary format that xt_geoip can digest to block connection attempts worked anymore.

# Block Ads and Trackers with Pihole in a Docker Container

Recently I stumbled upon Pihole, a tool that blocks advertisements and web trackers. The nifty idea of Pihole is that it is not a web proxy like Privoxy but acts as a DNS server in your network. So, after installing Pihole, you set up your devices to use Pihole as their DNS server. Then, the devices' DNS requests for "good" domains are answered and DNS requests for known, blacklisted ad/tracker domains are not answered (= blocked).
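The blocking decision itself is simple enough to show in a few lines. The following is an added example (not Pihole's code): it parses a blocklist in the hosts format that most ad-block lists use (`0.0.0.0 domain`), ignores the names every hosts file carries (`localhost` and friends, my own exception set), and decides per query whether to sinkhole or forward. Whether subdomains of a listed domain are blocked too is a policy choice, so it is a flag here; the sample list is constructed.

```python
"""Hosts-format blocklist matching, Pi-hole style (added example).

Assumptions (mine, not from the post): hosts-format input, a small set of
self-referencing names to skip, and optional parent-domain matching.
"""
import ipaddress

# Constructed sample list; real lists have hundreds of thousands of lines.
SAMPLE_BLOCKLIST = """\
# constructed sample in hosts format
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
0.0.0.0 Metrics.Example.COM.
"""

# Names that appear in hosts files for the machine itself; never block them.
HOSTS_SELF_NAMES = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0",
}


def normalise(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot."""
    return name.strip().rstrip(".").lower()


def parse_hosts_blocklist(text: str) -> set:
    """Return the set of blocked names from hosts-format text.
    Lines must start with an IP address; comments and blanks are skipped."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a hosts line
        for host in fields[1:]:
            host = normalise(host)
            if host and host not in HOSTS_SELF_NAMES:
                blocked.add(host)
    return blocked


def is_blocked(name: str, blocked: set, block_subdomains: bool = True) -> bool:
    """Exact match, optionally also any parent domain of the query name."""
    name = normalise(name)
    if name in blocked:
        return True
    if not block_subdomains:
        return False
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(1, len(labels)))


def decide(queries, blocked: set) -> dict:
    """Map each queried name to the resolver's action."""
    return {q: ("block" if is_blocked(q, blocked) else "forward") for q in queries}


if __name__ == "__main__":
    bl = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    print(decide(["ads.example.net", "cdn.ads.example.net", "www.example.net"], bl))
```

What a blocked query is answered with (NXDOMAIN, 0.0.0.0, or a local IP) is a separate choice; the point of the DNS approach is that the client never learns a usable address, so no connection to the tracker is attempted at all.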

# Domains and Sub-domains for Home-Hosted Services

I like to host (most of) the web services I use in my daily routine at home. Recently, I started shipping services as Docker containers. To make these services available via a public IP address and to conveniently enable HTTPS, I decided to use nginx as a reverse proxy. So the dockerized service becomes available via something like https://mydomain.dyndnsservice.xy/servicename. At least this was the plan. Unfortunately, I ran into the same problem every time I tried to coax a dockerized service to live happily in a "sub-folder" of my dynamic DNS domain.

# FFMPEG vs My 'Go Low' Action Cam

I got myself a really cheap action cam. Think “China copy” and “Go Pro” and you know what I bought. However, for its 35 EUR price tag that thing is pretty cool. One problem with that cam is that it comes without any software. So you need to dig around a bit if you want to get creative with recorded movies and pictures. So far, I tried two things: time lapse videos from a sequence of photos and stabilized videos.

# Inline Enumerations in LaTeX

Normally you use the enumerate environment in LaTeX to create enumerated lists like this: I use lots of space! If you prefer your enumeration "inline", you could do that:

```latex
...
\newcommand{\inlineEnum}[1]{
  \ifcsname c@#1\endcsname
    \addtocounter{#1}{1}
    \textbf{\arabic{#1})~}
  \else
    \newcounter{#1}
    \setcounter{#1}{1}
    \textbf{\arabic{#1})~}
  \fi
}
...
\begin{document}
\inlineEnum{counter} Here is some text.
\inlineEnum{counter} Here is some more text.
\inlineEnum{counter} And another sentence!
...
\end{document}
```

Much better: … Here is some text.

# Testing Guetzli - Google's Perceptual Image Encoder

… a quick test of the Guetzli JPEG encoder published some weeks ago by Google. To my big surprise, you cannot encode TIFF or another lossless image format into JPEG. You need to export your RAW camera file first to JPEG @ 100% quality. Then you encode that file with Guetzli. Seems a tad odd to me, as you apply lossy compression twice. The speed of Guetzli is furthermore quite disappointing.

# Using Two Different GitHub Accounts on the same Computer

Some days ago I created, next to my private GitHub account, another one for work. At first I was a bit confused about how to authenticate to two different GitHub accounts. The solution is rather simple, as my former colleague R. H. told me. First, you need to create two different SSH keys, id_rsa_work and id_rsa_priv. Of course you can use your already existing SSH key for one of the GitHub accounts.

# Automatically Split and Crop a Multi Page PDF File

My workflow for LaTeX documents with figures is that I typically first draw the figures in MS Visio, then export the drawing to PDF and finally crop the PDF file so that there is no white margin anymore. This is a little tedious when you have lots of figures and lots of updates to these figures… So I changed my workflow a bit: now I draw all figures in the same Visio file.

# Automatic Renewal of Let's Encrypt Certificates

For a couple of months I have delivered all my websites via HTTPS only. Certificates are issued by Let's Encrypt and I use Certbot as the client. This works quite well, actually. However, the certificates from Let's Encrypt have one drawback: they expire after 90 days. Hence, you need to renew the certificate now and then. The description from the Certbot page does not work for me, as the renew verb of the certbot command would create one certificate (with many common names) for all pages served by the server.

# Checking a Web Server's TLS Configuration

Yesterday I reinstalled my virtual server and also created a new configuration for the Apache web server that fixed some issues of the old one. I also wanted to know how well Apache is configured regarding TLS security. Some days earlier, I had stumbled upon SSL Labs, a site offering automatic checks of the certificate, the server configuration and the server software itself. Seems the server is quite fine.

# SVN Externals

I know that Subversion is somewhat out of fashion. However, svn has some benefits: you can control access to individual directories quite easily. Today I asked myself if it is possible to combine the contents of one svn repository with the contents of another, or, to put it differently, to kind of "mount" one SVN into the other. The answer is svn externals. As the documentation is a little crappy, I want to write down what I found out.

# Some Shell Scripts for Duplicity

Some days ago I accidentally noticed that my ISP upped the meager free online storage capacity included in my contract to a whopping 1 TB. This is finally a size where one can think about backing up data to 'the cloud'. I updated my old duplicity scripts that I had not used for some time and thought I could put them here; maybe they are useful to somebody. The files are also available on my GitHub.

# Syncthing

A while ago I wrote about the combination of encfs, GnuPG and file synchronization software like OwnCloud. I used this for almost 3 months and was really happy with it. But suddenly I experienced strange problems: it seemed that encfs was unable to decrypt files. When accessing a file I got something like an input/output error. Interestingly, the affected files were all different ones on the three computers that I synced via this solution.

# Messing With DNS Using NFQUEUE and Scapy

Some days ago I taught myself a little about NFQUEUE and Python. Meanwhile I dug a little deeper into the matter and looked into building new network packets, in this case DNS packets. The idea was to intercept DNS requests with Netfilter and return a fake IP address in a forged DNS response. Messing with packets in Python is quite easy when you use Scapy, a quite powerful packet manipulation tool written in Python.
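The forging step in the post is done with Scapy; the following added example (mine, not the post's code) does the same with only the standard library so it runs offline and makes the wire format visible: it parses the intercepted query, mirrors its transaction ID and question section, and answers with a chosen A record. `SAMPLE_QUERY` is a constructed query for example.org. In a real NFQUEUE setup the forged packet still has to reach the client before the genuine answer does, and a DNSSEC-validating resolver will reject it.

```python
"""Forge a DNS A-record response for an intercepted query (added example).

Assumptions (mine, not from the post): plain stdlib instead of Scapy, a
single-question A/IN query, and a constructed sample query.
"""
import socket
import struct


def encode_name(name: str) -> bytes:
    """'example.org' -> b'\x07example\x03org\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Return (name, offset after the name); follows compression pointers."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard recursive query: header, question, no answers."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def forge_response(query: bytes, fake_ip: str, ttl: int = 300):
    """Build a response carrying the query's TXID and question and one A
    record pointing at fake_ip. Returns None for anything that is not a
    single-question A/IN query (responses, other types)."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:
        return None
    _qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    if (qtype, qclass) != (1, 1):
        return None
    question = query[12:off + 4]
    # flags 0x8180: response, recursion desired + available, NOERROR
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = (b"\xc0\x0c"  # name = pointer to the question name at offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)
              + socket.inet_aton(fake_ip))
    return header + question + answer


def parse_answer_ip(response: bytes):
    """Return (txid, first A-record address or None) from a response."""
    txid, _flags, qdcount, ancount = struct.unpack("!HHHH", response[:8])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(response, off)
        off += 4
    if ancount == 0:
        return txid, None
    _, off = decode_name(response, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    if rtype != 1:
        return txid, None
    return txid, socket.inet_ntoa(response[off:off + rdlen])


SAMPLE_QUERY = build_query(0x1234, "example.org")

if __name__ == "__main__":
    print(parse_answer_ip(forge_response(SAMPLE_QUERY, "10.0.0.1")))
```

Only the UDP payload is built here; when injecting from an NFQUEUE callback you still wrap it in UDP/IP with the source and destination of the original packet swapped.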

# Messing With VoIP Calls Using NFQUEUE

For the project of one of my students we need to intercept and modify SIP messages. Our first idea was to configure a proxy in the SIP user agent (soft phone) and to modify an existing SIP proxy to our liking. Unfortunately this approach did not work reliably as the soft phone seemed to be faulty: some SIP messages were sent via the proxy we configured, others were sent directly to the server.

# My Take on the Ubuntu Phone

For a couple of days I have had an Ubuntu Phone, or, to be more precise: a bq Aquaris E4.5 with Ubuntu Touch pre-installed. The hardware is surprisingly cheap (170 EUR) but also surprisingly fine (if you are okay with plastic). But let's talk about the software: I am not very happy with Ubuntu Touch at the moment as this OS is very unfinished. I really think nobody without a degree in informatics should buy one at the moment.

# Ubuntu Phone First Configuration

Previously, I've written down my first thoughts about the new Ubuntu Phone. In this post I want to explain some first configuration steps. WiFi configuration: I had the problem that I couldn't paste my complicated password into the UI. A workaround is the following: install the Terminal application from the Ubuntu store via the 3G connection. By the way: when the Terminal is started, a password is requested. That is your phone's lock screen PIN, which is also your root (sudo) password.

# Publishing PGP keys in DNS

In most cases people publish their GPG key on a key server which (typically) syncs keys with other key servers. Yesterday I learned that there's another option: when you are in control of a DNS server you can publish your key (or more specifically: a pointer to that key) in a DNS TXT record. So what you do is the following: you export your public key to a file, preferably ASCII armored

# encfs + GnuPG

Yesterday I discussed with somebody that it would be cool to use encfs on a folder shared with several people. The word "folder" can be understood as a Samba share, a Subversion repository, or a Dropbox. Obviously, the show stopper here is the exchange of the symmetric key needed by encfs. So let's use our GnuPG keys! The idea of the script is as follows: generate a symmetric key $encfsKey for encfs using /dev/urandom; wrap $encfsKey using GnuPG; the $receivers variable holds the IDs of all people that should be allowed to decrypt $encfsKey (the folder) plus your own ID (you also want to decrypt!

# Visiting Cards With Latex

I created a simple LaTeX template for a standard 85x55 mm visiting card and some add-ons. The template features the standard elements of a visiting card plus a PGP/GPG fingerprint and some space for an (optional) portrait, logo or QR code. As I wanted to use a specific font not available in MacTeX, I used XeLaTeX. XeLaTeX gives access to fonts installed on the Mac, such as Times New Roman, Arial, Helvetica, etc.

# Update PGP Key

Again some notes, mostly for myself… I wanted to update both of my (private/office) 2048-bit GPG keys to a (single) 4096-bit key. Here are some handy commands. Start with generating a new key:

```sh
gpg --gen-key
```

Select an RSA/RSA 4096-bit key… Edit your new key and add all mail addresses you need. Also set your preferred hash and cipher algorithms:

```sh
gpg --edit-key NEWKEYID
> adduid
> ...
> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
> quit
```

Make a backup of your new key…

# Some Notes on GnuPG on Mac

Recently I've been playing a little with GnuPG and I wanted to document some things, mostly for myself… GnuPG on Macs: it seems that the GnuPG version 2 available in Homebrew is broken. Instead use MacGPG2. If you do not want to compile this yourself, there is also a handy installer available, which comes with a plugin for Apple Mail and a graphical tool for key management. Command line voodoo: creating a signature of a file (= create a hash of the file + encrypt that hash with your own private key):

# Space-Efficient Hard Drive Images with dd

dd is able to copy every single bit of data from a source volume to some other destination. This is cool for some applications but has drawbacks when you simply want to make a backup of a volume: even when your volume is only (let's say) half full, the copy will be as big as the entire volume. Furthermore, when you pipe the data stream read by dd through gzip it won't compress well, because the blocks the file system considers free still contain whatever was written there before.
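To make the compression point concrete, here is an added illustration (mine, not from the post): a constructed in-memory "volume" whose free blocks still hold stale data compresses to almost its full size, while the same volume with its free blocks zeroed compresses to roughly the size of the used data. On a real system the zeroing step is writing a file of zeros until the disk is full and deleting it again before running `dd ... | gzip`; the block map and sizes below are assumptions for the demo.

```python
"""Why `dd | gzip` compresses badly and what zero-filling free space gains
(added example; block layout and sizes are constructed)."""
import gzip
import os

BLOCK_SIZE = 4096


def make_volume(total_blocks: int) -> bytes:
    """Constructed image: every block holds random bytes, whether or not the
    file system still considers it in use (free blocks keep stale data)."""
    return b"".join(os.urandom(BLOCK_SIZE) for _ in range(total_blocks))


def zero_free_space(image: bytes, used_blocks: set) -> bytes:
    """Simulate filling free space with zeros: keep used blocks, zero the rest."""
    out = bytearray(len(image))
    for i in used_blocks:
        start = i * BLOCK_SIZE
        out[start:start + BLOCK_SIZE] = image[start:start + BLOCK_SIZE]
    return bytes(out)


def compressed_size(data: bytes) -> int:
    """Size after gzip, i.e. what `dd if=/dev/sdX | gzip` would produce."""
    return len(gzip.compress(data, compresslevel=6))


def compare(total_blocks: int = 64, used_fraction: float = 0.25) -> dict:
    """Compress the raw image and the zero-filled image; report both sizes."""
    used = set(range(int(total_blocks * used_fraction)))
    raw = make_volume(total_blocks)
    zeroed = zero_free_space(raw, used)
    return {
        "raw_bytes": len(raw),
        "used_bytes": len(used) * BLOCK_SIZE,
        "raw_gz": compressed_size(raw),
        "zeroed_gz": compressed_size(zeroed),
    }


if __name__ == "__main__":
    print(compare())
```

Random bytes stand in for the worst case (old encrypted or already compressed files); with typical stale data the raw image shrinks a little more, but the gap to the zero-filled image stays large.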

# Syncthing

Syncthing is a file syncing application that might replace Dropbox and other public cloud services. In contrast to OwnCloud or Seafile there is no central server; synchronization is done between equal peers. Well, at least each peer runs the same software. I fiddled around with Syncthing and tried to sync stuff between my two MacBooks. Here the problem is that both computers are rarely running at the same time. So I put a Syncthing instance on my always-on home server and built some kind of "synchronization star topology" with a central sync point.

# Bitmessage

I found a nice application which might replace email some time: Bitmessage. Basically, Bitmessage creates a peer-to-peer network, i.e., a network of equal participants. The quite interesting feature of this app is that it broadcasts messages to (all) participants in this P2P network. As the message is encrypted with the public key of the intended receiver, only this person is able to decrypt the message. The cool feature now is that nobody knows who was able to decrypt the message.

# Using OpenVPN as a Home Gateway + Internet Gateway

Well, first of all I need to explain my headline: up to now I have operated my OpenVPN server at home as a gateway into my home network. When I connect a mobile device to the OpenVPN I can use the services I run inside the private home network remotely. All other traffic (surfing the web, mailing, etc.) does not flow over the tunnel. This is in most cases what I want, as tunneling EVERYTHING through my home server would be quite s l o w.

# Encrypt webdavfs

In my last post I described how it is possible to combine several cloud storage spaces into one logical storage space. An article I recently read about encfs popped into my head and I had the idea to combine this with the "super storage space" (S3) created during my break this noon :D Prepare your S3 as described in the last post. I guess it's a good idea to mount the individual webdavfs to /media/.

# Logically Combining Several Free Cloud Storage Spaces Into One

I know a couple of free-of-cost online storage options. The Telekom Mediencenter is one of them, which gives you a decent 25 GB of storage. A big bonus is that you can mount that thing as a webdavfs in Linux. Combined with the tool duplicity and cron you can build yourself a nice and encrypted backup system using the Mediencenter. But to be honest: even 25 GB are pathetic today. So we need more space.

# Flashing / Installing an OS on a Cubietruck (Cubieboard 3)

Update (Feb. 2017): The text below is pretty old and I just realized that some hyperlinks did not survive the migration from the WordPress blog I used ages ago to Hugo… In the meantime, some very good Linux distributions have emerged from the community, which are really simple to install. I personally recommend Armbian. My Cubietruck has been running very reliably with this distribution for two years. Furthermore, in case there are issues you cannot solve yourself, the Armbian forum has been very helpful.

© holger 2015 - 2020