the itjerk

my adventures with technology

Category Archives: Linux

dnscrypt

Domain Name Service (DNS) is the mechanism that maps readable domain names to numeric IP addresses; it’s far easier for me to tell you to visit strawberrybricks.com than a bunch of numbers. When you browse the internet, then, the addresses you type or click on go through a DNS lookup. Typically, your ISP, or whomever you get your network connection from, provides this service; however, there is an implicit level of trust involved. Who’s to say that yahoo.com, for example, is really yahoo.com? What if the DNS server spoofed the reply? Further, any DNS server can collect a wealth of information by recording your DNS requests. Finally, the speed of your browsing depends on how quickly these requests are answered.

Both Google (8.8.8.8) and OpenDNS (208.67.222.222) provide free DNS services that are fast and secure, and supposedly do not track your requests. A third service, Quad9 (9.9.9.9), was launched very recently. Your ISP has a lot of information about you. Switching your DNS to one of these providers is simple (just type the address into your router or your network connection settings), and gives some degree of privacy. Every little bit helps?

DNSCrypt goes one step further by encrypting all your DNS requests. It’s an easy enough program to install, available for PC, Mac and Linux, and for routers running DD-WRT. On my Ubuntu box, I needed to install libsodium-dev first, and then had the most success installing DNSCrypt-proxy from source using the old “configure, make, make install” method with version 1.9.5. After that, systemd can run it automatically.

On the web:
DNSCrypt

minidlna

When talking about digital music servers other than Squeezebox Server, I feel like a cheater. It’s been my reliable go-to method for serving up my ripped and downloaded music for over a decade now. But not every piece of hardware speaks to it; Beep appeared a while back and saw me install MiniDLNA on my linux box, where all my music files reside.

The Digital Living Network Alliance is a trade group that certifies compliance with a standard for delivering digital media. MiniDLNA is an implementation for Ubuntu, and mini it is! It has no interface (save a bare-bones web page on port 8200) and is configured by editing /etc/minidlna.conf.

Set the path to your music; I’m only looking for audio files, so I mark the directory with an A.
#media_dir=/var/lib/minidlna
media_dir=A,/mnt/data/music

Set the database cache directory (important!) and enable logging:
db_dir=/var/cache/minidlna
log_dir=/var/log

Tell it to look for new files or not:
inotify=yes

Set the name of the server presented to clients. This provides a simple way to check that you’re connecting to your server.
friendly_name=My-MiniDLNA

That’s it! Restart the service after you make changes to the configuration,
sudo service minidlna restart

or rebuild the database if you’ve changed or added music.
sudo service minidlna force-reload

There’s a ton more it can do, including serving videos, pictures, etc., and it also offers per-user configuration; but for my purposes, my newly acquired Oppo BDP-103 can now stream all the music on my computer.

On the web:
MiniDLNA Ubuntu
ReadyMedia

ssl 24/7

While I’ve had ssl on my website for some time (for anything login related), I had never enabled it by default. First, I had to install the patch for the Video Filter module so it would work with https connections to YouTube. Then, using the developer tools built into Chrome, I found I had an http link to a Facebook logo (I have no idea why it isn’t local). That had to be fixed in the site’s theme. Finally, I found I had the remnants of ShareThis in a block. Although I deleted the module eons ago, I forgot about the block (which is how it appears on a page). Thankfully, those developer tools in Chrome made it plain as day. With all that fixed, I edited the .htaccess file for the site and entered the following to force https connections. (Remember to restart Apache after you edit .htaccess.)

RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://mywebsite.com/$1 [R,L]

With a free certificate from Let’s Encrypt, why not enable ssl? Oddly enough, only Chrome, Firefox and Microsoft browsers make it obvious when your connection to a website is secure. What’s up with that, Apple?

raid, finally

I’ve always kept my media on a second drive in my linux box and backed it up to a remote NAS. While a perfectly acceptable setup, what I always wanted was two mirrored drives with all my data. The computer already had a WD Red 1TB drive, so I was thrilled when I found another of the exact same drive for $67. It’s always a best practice to use the same model when building a mirrored RAID1.

I bought a Syba 2-port SATA RAID controller card that plugged into the empty PCI-e slot on the motherboard. It was only $25, but honestly, if I had a motherboard with more features, I wouldn’t have needed it. Nonetheless, after moving the drives around in the case so the power connectors would reach all the drives, I booted the computer and pressed CTRL-R immediately to get to the card’s BIOS to set up the RAID. It didn’t initially recognize all the drives, so I booted into Ubuntu and used the Disks program to format the new drive. (I also edited /etc/fstab and took out the reference to the old single drive.) Rebooting again, the card recognized both drives, and I then set them up as a RAID1 using the card’s BIOS utility.

Continuing into Ubuntu, I again ran Disks and formatted the new single drive. I then edited /etc/fstab with the new mount point (which I had to create), and ran sudo mount -all to access it.

Now it’s time to copy everything back to my new mirrored data drive. Remember, when it comes to data, you must have two copies of everything you’d ever expect to keep. But two mirrored drives are really only one copy (think accidental erase), so I’ll still need to keep a backup of the files I want to keep forever.

ubuntu 16.04 xenial xerus

Last week the first point release for Ubuntu 16.04 LTS triggered the upgrade prompt on my 14.04 computer, and I went for it. Several questions pop up and need an answer for the upgrade to continue, so it’s an attended upgrade. I didn’t pay too much attention to what was upgraded, removed, or no longer supported; I just figured I would work out whatever I needed to.

Drupal 6 didn’t work out of the box because 16.04 ships with PHP 7, but it was easy enough to install PHP 5.6 with the help of this repository (the maintainer is an official Debian packager), so now I again have a local copy of my website.

I also needed to upgrade Logitech Media Server to 7.9, which is a beta version, but once installed, my Slimserver – the thing that got me into linux so many years ago – started working again right away.

I have to admit that with LTS releases being supported for five years, there really isn’t much point in upgrading a desktop. At that point, it’s time for a new computer and a clean install. But for something like my webhost, where I’ve got more invested in the webserver, email, etc., it’s easy enough to do twice every 10 years.

On the web: Xenial Xerus

let’s encrypt – free ssl

Let’s Encrypt is “a free, automated, and open certificate authority” from the ISRG (and now apparently the EFF) and a growing list of technology big names. And in the sounds-too-good-to-be-true department, they offer not only free ssl certificates but also an easy-to-use tool that configures your web server using ACME (the automated certificate management environment protocol) in just a few easy steps. Encrypting web traffic should be used not only on sites running e-commerce or email, but whenever passwords are involved.

First step is to install the client via git:

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Then run the config:

cd /opt/letsencrypt
./letsencrypt-auto --apache -d yoursite.com

The client will ask a few questions about the certificate you want to install. Most importantly, remember that you probably need to apply it to your default-ssl.conf. To test your new certificate, use the SSL Labs website:

https://www.ssllabs.com/ssltest/analyze.html?d=yoursite.com&latest

The tutorial below even shows you how to add renewal options to cron for set-and-forget ease. Remember to git pull and stash to keep everything up to date. And most of all, it’s a free service!

On the web:

Let’s Encrypt – Free SSL/TLS Certificates

How To Secure Apache with Let’s Encrypt on Ubuntu 14.04

putty and ssh keys

If you have a Windows computer, no doubt you’re using PuTTY for your ssh needs. In order to use keys to sign into remote hosts, you’ll need to run the PuTTYgen program, generate a new key pair, and then copy/paste the public key to your remote host and append it to the remote authorized_keys file. You can use the GUI interface; just don’t copy the last bit “== rsa-key-20150204”. After you generate your keys, be sure to change permissions on the directory you store them in on your Windows computer!
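As an added example (not from the post), here is a small Python check for the line you paste into authorized_keys: it builds a constructed toy ssh-rsa blob in the OpenSSH wire format, then verifies that a pasted line has the expected fields, decodes as padded base64, and names the same key type inside the blob as in its first field. The function names (check_authorized_keys_line and friends) are my own, not PuTTY's.

```python
import base64
import struct

def ssh_string(b):
    # SSH wire "string": 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n):
    # SSH "mpint": big-endian two's complement; the extra byte keeps a high-bit value positive.
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def rsa_public_blob(e, n):
    # Base64 of the ssh-rsa blob: the middle field PuTTYgen shows for pasting into authorized_keys.
    return base64.b64encode(ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)).decode()

# Constructed toy key (hypothetical, far too small for real use); it only exercises the format.
SAMPLE_LINE = "ssh-rsa " + rsa_public_blob(65537, 0xC0FFEE1234567890ABCDEF) + " rsa-key-20150204"

def check_authorized_keys_line(line):
    """Return (key_type, comment) for a well-formed line, else raise ValueError saying why:
    two or three fields, valid padded base64, and the type inside the blob matching field one."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError; covers bad chars and padding
        raise ValueError(f"blob is not valid base64: {exc}") from exc
    if len(blob) < 4:
        raise ValueError("blob too short to hold a key type")
    (tlen,) = struct.unpack(">I", blob[:4])
    inner = blob[4:4 + tlen]
    if len(inner) != tlen or inner.decode("ascii", "replace") != key_type:
        raise ValueError(f"blob says {inner!r} but the line says {key_type!r}")
    return key_type, comment

def is_valid_authorized_keys_line(line):
    # Boolean wrapper for scripting, e.g. vetting every line of a pasted-in file.
    try:
        check_authorized_keys_line(line)
        return True
    except ValueError:
        return False
```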

On the web:
Putty

squeeze2upnp + beep = lms

Logitech Media Server (LMS), the old Squeezebox Server or Slimserver, is my go-to for playing my music library from hard disk. I use a Squeezebox v3, various Raspberry Pis, and now, with the help of this nice little program, my Beep. Squeeze2upnp (sq2u) is, as it says, “a bridge between LMS and uPNP devices”. It translates LMS instructions for UPnP devices. More simply, it makes my Beep appear as a playback device in any LMS app or webpage.

You can download Squeeze2upnp below; it’s precompiled for Linux and Windows. There are instructions in the user guide on how to set it up and get it running. Make sure your Beep is playing while Squeeze2upnp is in “discovery” mode, and be sure to daemonize it with the “-z” option, otherwise CPU usage goes through the roof. You will also have to edit the config.xml file to support FLAC playback. Also, you may have to monkey with your firewall; I’m not sure what ports it uses, but it caused an issue for me. (More later.)

To discover UPnP devices on the local subnet and configure sq2u to play them:
./squeeze2upnp-x86 -i config.xml
To daemonize sq2u:
./squeeze2upnp-x86 -z

That’s it; give it a few minutes and your UPnP device will appear.
Big shout out to philippe44 for his active development of the Squeeze2upnp program. I had an issue with it crashing, sent him a debug file, and all is now well. That’s the beauty of FOSS.

Update: philippe44 is currently working on a third-party plug-in for LMS that automates discovery and playback to your Beep inside the LMS interface. Check out the thread above at slimdevices.com for more info.

On the web:
https://github.com/philippe44/LMS-to-uPnP

this is beep

Just before the holidays I received Beep, a $99 music streaming device. It’s a very simple thing whose purpose is to provide wireless streaming to dumb systems: a pair of powered speakers, a stereo system, a boom box, well, just about anything that has an audio input, via either a 3.5mm analog or a digital optical output. I especially like that last part, digital. The Beep runs on 5VDC, sports a metallic finish, and consists of a large multifunction knob (start/pause/skip/stop/volume) and some cool flashing lights.

It’s controlled by an app, available on either Android or iOS, that also helps you set up the player on your network. When I first got it, Beep was pretty limited: I could play either Spotify or Pandora, or in my case neither (because I don’t use either service), though it now also supports SomaFM radio. Okay, it’s still pretty limited. No support for Google Play, Amazon Music, that iTunes thingy, etc.

Recently, however, Beep has added support for DLNA music servers. This is great news, because I can now play all the music on my local media server via the Beep. In order to do so, I first installed the MiniDLNA software on my Ubuntu box using apt-get, manually edited the config file to set it up, and opened a few ports in my computer’s firewall, 8200 TCP and 1900 UDP, to let MiniDLNA out. It would have been easier if the Beep would just connect to my Squeezebox Server (aka LMS), but it’s just not there, yet…

It would also be better if Beep were a little more stable and transparent. Throughout the day it randomly lights up “smiley face” (looking for a network connection) and “sun shining” (all lights glowing; who knows what this means). That’s ultimately going to be the hard sell on Beep: without a display, no one wants to decode blinking lights. What’s it doing? Why is it doing that? It just needs to work.

To use Beep as a renderer (something that plays media from a DLNA server), I had to get another Android app, BubbleUPnP. It’s a fairly straightforward app, though I did have to install the “demo server” in order for it to find my MiniDLNA server. Not sure if this is me or the app, but it was not very intuitive to figure out. That done, however, I can stream my server’s music library to whatever I connect my Beep to.
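Both this post and the MiniDLNA one above depend on the same thing: UPnP discovery over 1900/UDP, followed by the device description served on 8200/TCP, which carries the friendly_name set in minidlna.conf. The following Python script is an added example, not part of either post, that does that discovery step by hand so you can confirm which server a renderer on your LAN will actually see; the SSDP reply and rootDesc.xml snippets in it are constructed, and the only URL it will follow is a plain-http LOCATION on the host that answered.

```python
import socket
import urllib.request
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)  # UPnP multicast group: the 1900/UDP the post opened
MEDIA_SERVER = "urn:schemas-upnp-org:device:MediaServer:1"
# Constructed sample reply and device description, in the shape MiniDLNA is assumed to send.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nLOCATION: http://192.168.1.10:8200/rootDesc.xml\r\n"
                b"ST: urn:schemas-upnp-org:device:MediaServer:1\r\n\r\n")
SAMPLE_DESC = (b'<root xmlns="urn:schemas-upnp-org:device-1-0"><device>'
               b"<friendlyName>My-MiniDLNA</friendlyName></device></root>")

def build_msearch(st=MEDIA_SERVER, mx=2):  # M-SEARCH is HTTP over UDP; MX caps the reply delay
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()

def parse_ssdp_response(data):
    # Lower-cased header dict from a unicast reply; empty unless the status is 200.
    status, _, rest = data.decode(errors="replace").partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        return {}
    pairs = (line.partition(":") for line in rest.split("\r\n"))
    return {name.strip().lower(): value.strip() for name, sep, value in pairs if sep}

def friendly_name(desc_xml):
    # <friendlyName> in rootDesc.xml is what friendly_name= in minidlna.conf sets.
    node = ET.fromstring(desc_xml).find(".//{urn:schemas-upnp-org:device-1-0}friendlyName")
    return node.text.strip() if node is not None and node.text else None

def location_is_trustworthy(location, reply_addr):
    # SSDP is unauthenticated UDP: only follow a plain-http LOCATION on the host that replied.
    url = urlparse(location)
    return url.scheme == "http" and url.hostname == reply_addr

def discover(timeout=3.0):
    # Send one M-SEARCH, then map each replying server's LOCATION to its friendly name.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    found = {}
    try:
        while True:
            data, (addr, _) = sock.recvfrom(65535)
            loc = parse_ssdp_response(data).get("location")
            if loc and loc not in found and location_is_trustworthy(loc, addr):
                found[loc] = friendly_name(urllib.request.urlopen(loc, timeout=timeout).read())
    except socket.timeout:
        pass
    return found  # compare these names with friendly_name in /etc/minidlna.conf
```

Call discover() from a machine on the same subnet; it returns a dict mapping each server's description URL to its friendly name, and a name you did not configure means a renderer may be talking to someone else's server.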

On the web:
Beep | Bringing music to every room in your home
MiniDLNA
BubbleUPnP Server

good bye spam

I hate spam. Okay, everyone hates spam. Anyway I’d been getting a shit-ton of it lately, in the mail from one of my domains. I wanted to take ACTION, because, yeah, you guessed it, I hate spam, and as a good itjerk, I wanted to beat those spammers.

Step one is to figure out why it is spam and what makes it different from good email. So the first thing to check was the message header, where I found this interesting bit:

Return-Path: WalkinTub-webmaster=MYDOMAIN.com@marylouvan.com

They put MYDOMAIN in the Return-Path! Fortunately, it’s an easy fix: all I have to do is create a rule in SpamAssassin to filter it out. Off I went to edit /etc/mail/spamassassin/local.cf, where I added the following and gave it a BIG score:

# checking for local domain in return path
header LOCAL_RETURN Return-Path =~ /MYDOMAIN\.com/i
score LOCAL_RETURN 50.00
describe LOCAL_RETURN mark with score 50 all mails with Return-Path "bogus@mydomain.com"

Now all that spam has this in its header and goes directly to my Junk folder! I win!!!

X-Spam-Flag: YES
X-Spam-Score: 47.003
X-Spam-Level: ***********************************************
X-Spam-Status: Yes, score=47.003 tagged_above=2 required=6.31
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,
LOCAL_RETURN=50, RP_MATCHES_RCVD=-1, SPF_FAIL=0.001,
SPF_HELO_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no
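To see what the LOCAL_RETURN rule above does and does not catch, here is an added Python check (not part of the post) that runs the post's regex, and a tighter variant of my own, over a few constructed Return-Path values, with MYDOMAIN.com kept as the post's placeholder. It shows that the post's pattern also adds 50 points to any message whose Return-Path is simply an address at MYDOMAIN.com, for example your own mail if it ever passes through the filter, while the stricter pattern only fires on the VERP-style shape the spam used.

```python
import re

# The post's rule as SpamAssassin reads it: header LOCAL_RETURN Return-Path =~ /MYDOMAIN\.com/i
LOCAL_RETURN = re.compile(r"MYDOMAIN\.com", re.I)
# Tighter variant (my assumption, not from the post): fire only when MYDOMAIN.com sits in the
# local part after "=" and the envelope domain after "@" belongs to someone else, which is the
# shape of the spam quoted in the post.
LOCAL_RETURN_STRICT = re.compile(r"=MYDOMAIN\.com@(?!MYDOMAIN\.com)[\w.-]+", re.I)

# Constructed Return-Path values; the first is the one quoted in the post.
SAMPLES = {
    "spam from the post": "WalkinTub-webmaster=MYDOMAIN.com@marylouvan.com",
    "own outbound mail": "<webmaster@MYDOMAIN.com>",
    "bounce of own mail": "<>",
    "unrelated sender": "<news@example.net>",
}

def score(rule, return_path, points=50.0):
    # Mirrors "score LOCAL_RETURN 50.00": all the points or none, per matching header.
    return points if rule.search(return_path) else 0.0

def evaluate(rule, samples=SAMPLES):
    # Points each sample would collect from one rule.
    return {label: score(rule, rp) for label, rp in samples.items()}

def compare(samples=SAMPLES):
    # Side by side: (post's rule, strict rule) for every sample.
    return {label: (score(LOCAL_RETURN, rp), score(LOCAL_RETURN_STRICT, rp))
            for label, rp in samples.items()}
```

compare() gives the points each rule would add to a message's total; with required=6.31 as in the header above, either rule alone is enough to tag the spam.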