OSS Ramblings

http://www.ossramblings.com/node?page=8


No, Mikel, You Can't Do This For Your Eagle Project...



Windows XP Services For Unix User Mapping:

I've run into this before but I always seem to forget...

If you're trying to set up Services for Unix on a Windows desktop to allow a Linux machine to access shares over NFS, there's a little caveat.

Your NFS share from the Windows box may mount just fine, but whatever you do it just gives you "Permission Denied" when you try to go into the mounted directory in Linux. Here are a couple of things to check:

On Windows, make sure the directory owner in the advanced permissions is set to the user you are mapping for.

Make sure your Windows user that matches in the maps actually has a password. NFS won't let you access as a user with a blank password.

So, when you're installing SFU on a Dell or other machine that automatically logs the Windows user "Owner" in at boot, you need to set a password for the "Owner" account in Windows.

Since nobody actually logs in as the local account "Owner" on this machine (it's on a domain) I didn't think about the fact that mapping to that user would create problems.

Oh, and if your domain is managed by a SAMBA server, SFU seems to refuse to save the changes when you try to map a SAMBA domain user to the NIS user. That's why I fell back to mapping to the local "Owner" account.



SimiliFlow Photography Interface Update

As you can see, the interface has progressed considerably since last time. I've added a thumbnail view of whatever directory you're browsing at the bottom of the window that also slides with a kinetic drag control. If you click on a photo in the directory, it's added to the current working group. Sorry for the resolution of the screencast, but this video is hosted on Flickr.





Using BlockHosts To Stop Brute Force Attacks

Yesterday I posted about implementing rate limiting on new connections. Today I'm going to cover how to take it a step further and watch failed login attempts and automatically block an IP address for a day.

First, you'll want to download BlockHosts from A C Zoom. It's a Python script, run every time someone attempts to connect, that watches your log files and dynamically creates your /etc/hosts.allow file to keep out the nasties.

So, in a traditional step by step method, here's what to do:

sudo su -
wget http://www.aczoom.com/tools/blockhosts/BlockHosts-2.4.0.tar.gz
tar -zxvf BlockHosts*
cd BlockHosts*
python setup.py install

Now you'll want to configure the /etc/blockhosts.cfg file, so open it with your favorite editor and make the following changes:

Look for "WHITELIST = ". You might want to add your own local network to this just in case.

Look for "LOGFILES" and uncomment the one that says:

LOGFILES = [ "/var/log/auth.log", ]

Look for "[mail]" and plug in your setup if you want it to send you an email periodically telling you what action has been taken.

Save and close that.
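To make the failed-login watching concrete, here is an added example (my own illustration, not BlockHosts' own code) of what the script does at its core: it parses constructed sshd lines in auth.log format, counts failures per source address inside a sliding time window, honours a whitelist of address prefixes like the WHITELIST setting above, and renders the tcp_wrappers deny lines that would go into /etc/hosts.allow. The sample log lines, the 2009 year, and the three-failures-in-ten-minutes threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not real traffic), in the syslog format sshd uses.
SAMPLE_AUTH_LOG = """\
May  3 10:01:02 host sshd[2110]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
May  3 10:01:04 host sshd[2112]: Failed password for root from 203.0.113.7 port 51030 ssh2
May  3 10:01:05 host sshd[2114]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
May  3 10:01:09 host sshd[2116]: Accepted publickey for tony from 192.168.1.20 port 40100 ssh2
May  3 10:02:30 host sshd[2120]: Failed password for tony from 192.168.1.20 port 40111 ssh2
May  3 13:40:00 host sshd[2300]: Failed password for invalid user oracle from 198.51.100.9 port 33000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def in_whitelist(ip, whitelist):
    """Crude prefix match, in the spirit of the WHITELIST entries in blockhosts.cfg."""
    return any(ip.startswith(prefix) for prefix in whitelist)

def find_offenders(log_text, threshold=3, window=timedelta(minutes=10),
                   whitelist=(), year=2009):
    """Return {ip: total failures} for every IP with >= threshold failed logins
    inside some window-long span. Syslog lines carry no year, so the caller supplies one."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or in_whitelist(m.group("ip"), whitelist):
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events[m.group("ip")].append(ts)
    offenders = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders

def hosts_allow_block(offenders):
    """Render tcp_wrappers deny lines (hosts.allow 'deny' option), one per offending address."""
    return "".join(f"ALL: {ip} : deny\n" for ip in sorted(offenders))
```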



Stop Port Scans In Their Tracks With iptables

Sure, there are a lot of tutorials out there for blocking SYN+FIN, Christmas-tree scans, etc.

But did you know that most of those won't help against a default nmap scan? Try it - block all the standard stealth scans, etc using something like the following:

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

You'll find that a simple nmap scan is still able to list all the open ports on the machine. Not that I'm telling you not to use the rules above; in fact, they're a good first step.

If someone is trying to find all open ports on your server, think about what's happening. They are randomly going around poking it in various places saying "Hey, who's there?". They poke to the tune of hundreds or even thousands of probes per second.
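Since a default nmap scan is a plain SYN scan whose packets look like any other new connection, the flag-matching rules above never see it; what gives it away is the fan-out just described, one source touching many ports in a short time. The detector below is an added example (not from the original post) that scores constructed connection-attempt records by distinct destination ports per sliding one-second window and renders a DROP rule for each offender; the record format, the threshold and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

# Constructed connection-attempt records (seconds, source IP, destination port), not real traffic.
# 203.0.113.50 behaves like a scanner: hundreds of distinct ports inside one second.
# 192.168.1.20 behaves like a normal client: a few ports, spread out over time.
SAMPLE_ATTEMPTS = (
    [(i * 0.002, "203.0.113.50", 1 + i) for i in range(400)]
    + [(0.0, "192.168.1.20", 22), (0.5, "192.168.1.20", 80),
       (1.2, "192.168.1.20", 443), (30.0, "192.168.1.20", 22)]
)

def detect_scanners(attempts, max_ports=20, window=1.0):
    """Return {src: peak distinct ports} for sources that touched more than
    max_ports distinct destination ports within any window-second span."""
    per_src = defaultdict(list)
    for t, src, port in attempts:
        per_src[src].append((t, port))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        recent = deque()            # events inside the current window, oldest first
        seen = defaultdict(int)     # port -> how many events in the window hit it
        peak = 0
        for t, port in events:
            recent.append((t, port))
            seen[port] += 1
            while t - recent[0][0] > window:   # expire events that fell out of the window
                _, old_port = recent.popleft()
                seen[old_port] -= 1
                if seen[old_port] == 0:
                    del seen[old_port]
            peak = max(peak, len(seen))
        if peak > max_ports:
            flagged[src] = peak
    return flagged

def drop_rules(flagged, chain="INPUT"):
    """Render one iptables DROP rule per flagged source, inserted at the top of the chain."""
    return [f"iptables -I {chain} -s {src} -j DROP" for src in sorted(flagged)]
```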



Twitter Rant / Feature Need

I just had an epiphany. I want twitter to implement a threshold setting in my account above which I don't get notified of new followers.

For instance,

I get followed by "JennyFreeLaptop23434".

I get an email letting me know...

But, with a follower threshold setting on notifications, I could set in MY account a threshold of "10:1" and since Jenny is following 253,530 people and only has 5 followers, I can safely assume that Jenny is a spammer. And if Jenny is following more than 10 people for every follower, don't bother letting me know she's (he's?) following me too.

Just a thought...



Using Bridged Networking For KVM / QEMU (and how to install)

There are so many different HOWTOs on the Internet about using bridged networking for KVM virtual machines. Unfortunately most are completely out of date, wrong, or just don't apply to Ubuntu's implementation.

Believe it or not, it's not very hard. KVM/QEMU will automatically create the "tap" interface (actually it names them vnetX) and will even create a new MAC address for it. All we have to do is put our primary ethernet adapter into promiscuous mode and create a bridge device.

Both steps are easily done by editing /etc/network/interfaces. No additional scripts are needed if you're using static IP addresses.

Here's an example setup for preparing the host machine. This assumes you have one physical card in the machine (eth0) and that you want to access your host machine using 192.168.1.2:

# The loopback network interface
auto lo
iface lo inet loopback

# Create our bridge interface using a static IP address on the network
auto br0
iface br0 inet static
        address 192.168.1.2
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.1
        pre-up ifconfig eth0 down
        pre-up ifconfig eth0 0.0.0.0 promisc up
        pre-up brctl addbr br0
        pre-up brctl addif br0 eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off


I Have A Need For Speed

Ah, the speed of fiber Internet. 9.2 Megabit throughput... What a pain to get working properly, at least while trying not to inconvenience my customers. I'm a bit surprised that my outbound is so slow though... Gonna have to talk to them about that.



Load Multiple Image Formats Into Cairo Surfaces (Python)

This drove me up the wall trying to figure it out, but loading JPEGs or TIFFs into a Cairo surface with Python really isn't all that hard.

The trick is to load it into a gtk.gdk.Pixbuf first. Here's an example (PyGTK, so Python 2 era):

import cairo
import gtk

filename = "photo.jpg"   # any format GDK can read: jpg, tiff, png, ...
pixbuf = gtk.gdk.pixbuf_new_from_file(filename)
x = pixbuf.get_width()
y = pixbuf.get_height()
# create a new cairo surface to place the image on (format 0 is ARGB32)
surface = cairo.ImageSurface(cairo.FORMAT_ARGB32, x, y)
# create a context to the new surface
ct = cairo.Context(surface)
# wrap it in a GDK-aware Cairo context so it can take a pixbuf as a source
ct2 = gtk.gdk.CairoContext(ct)
# draw from the pixbuf to the new surface
ct2.set_source_pixbuf(pixbuf, 0, 0)
ct2.paint()
# surface now contains the image in a Cairo surface

Of course you could bypass stamping it onto a Cairo surface entirely and just use the original pixmap for most things, but for doing affine translations I needed an actual surface and not a context to one. Otherwise you have to remember what is accessible through gdk and what is a native Cairo surface.

With a little bit of pipe magic, you can even do image manipulation externally before loading it, and never have to create a temp file:

import subprocess


Run Ubuntu Off A USB Stick

If you do a lot of Ubuntu installations, or you like to always carry a copy with you so you can use Linux wherever you are, installing Ubuntu on a USB stick really isn't all that hard.

Simply use Synaptic to install "usb-creator". Download an image of Ubuntu that you want to run from the USB drive, keeping it in an ISO image file. From the System+Administration menu you'll see "Create A USB Startup Disk." Choose the ISO file you downloaded as the source image, and pick your empty USB stick as the destination.

If you chose "Stored in reserved extra space" you can literally run Ubuntu from the stick and any changes you make or files you create will be stored on there as well - in my case my Wireless setup is remembered from boot to boot, and any files I save in my home directory are still there next time.

It's a great way to show off Linux to someone who has never seen it - simply keep it on your keyring and you're always ready to run Linux. It's a great way to carry PC and network diagnostic utilities with you as well.




Tony's Ramblings on Open-Source, Linux, MythTV, Photography and Life.

Who am I?

I'm a father of 5, C.I.O. of EvriChart, Inc., owning partner of EvriChart, Inc., DoUHearMe.com, Inc. and Partners in Trucking, Inc.

I'm a huge Open Source advocate and my primary goal is to convert the entire operations at EvriChart to Linux. Currently we're at 10 Linux servers to 1 Windows server and at about 60% Linux desktops! The DoUHearMe and Partners in Trucking operations are already 100% Linux.


Tony Maro's VisualCV



