Booting XBMC OpenELEC with NFS storage

I have had a Raspberry Pi type B for a few weeks now, and one problem I have is that the SD card can get stressed and corrupt XBMC data. I was looking for a solution tonight and eventually stumbled on it while reading a few pages from the wiki. Since I still want to use the SD card, I just changed /flash/cmdline.cfg to contain this:

ip=dhcp boot=/dev/mmcblk0p1 disk=NFS=192.168.0.66:/media/xbmc

Of course, you will need to change the NFS server and mount point as they are likely to be different. Worth noting that I rsync’d the content of /dev/mmcblk0p2 (/storage in OpenELEC) so I would not have to scan my whole collection again.

There is also a full procedure to netboot your Raspberry Pi but this did not appeal to me, details there.

Nexus 4 first thoughts and random shit

It has been almost 5 days since I ditched my Samsung S3 for a Nexus 4. I have had time to witness issues and other things, so what do I have to say after almost a week of usage? During the week, 4.2.2 dropped by OTA, I have yet to see the benefits but it can only be better right!?

Well, the bad news first: as previously mentioned, the camera is definitely sub par compared to the S3, but it does not matter too much since I don’t make a big use of it. I got mostly used to the screen compared to the S3, definitely not as shiny but I am starting to mind less about it. I had an issue with trying to enable bluetooth to connect to my speakers, a reboot fixed that. That is all I can think of for the bad news really.

On the upside, the battery life is just stellar… I got 2 days and 2h+ on a single charge with 5h on screen mostly watching videos, browsing the web and listening to music, this is in line with the battery I was getting on the Samsung S3 using Cyanogenmod 10.1

The speed of the device is amazing enough to mention again, it really really kicks ass. I have yet to find smoother and faster. I recall using Jellybean on a Nexus 7 and thinking that it would be nice if my phone could be that snappy, well it is!

I dropped the phone already once, and was very happy to have purchased that cover. I am fairly sure it saved its skin (dropped off a meter onto tiles).

I read on the internet about hardware revisions. Apparently back in November, revision 10 shipped out and had some hardware issues, that got solved in February by revision 11 (the unit I got). A revision 12 is under wraps apparently. But so is the life of a device, never get the first. You can check which one you have by shutting down the phone then pressing simultaneously volume down + power.

So after a few days, I am strongly confident I made the right choice, amazing device. Thank you Google for making a stock device so nice to use!

A day with the Nexus 4

As I mentioned to a few people, I have abandoned my Samsung Galaxy S3 for a Google Nexus 4 (the one made by LG). As for Samsung, I will never buy their devices again, they do not care about opening their Exynos platform and provide updated sources. Cyanogenmod has been playing catch up game for so long now it is no longer funny. Stock ROMs are just a joke, laggy and over crippled with bloatware. So in short, goodbye Samsung, you lost a customer.

I had been thinking about getting a stock device for a while, eventually caved in for the Nexus 4. Setup was a breeze, first boot upgraded the firmware from 4.2 to 4.2.1 over the air. That brings it to the same software version as I used on Cyanogen on the S3. I will start with the things I miss from the S3.

  • Notification led: Definitely better on the S3, the Nexus 4 one is very small and not so bright, also at the bottom of the phone, not the best place
  • Screen: I knew this one before buying the device, screen is much better on the S3, but again, I should get used to it, it is still quite stunning
  • Soft buttons: Force of habit I guess but I like physical buttons better, and been used to them for a long time on the Galaxy series

Now onto the PROS:

  • Speed: That one was a given but I have been stunned by how quick the device feels.
  • Stock firmware: I had a taste with Cyanogen but stock feels even better, no extra software, pure Google experience
  • Battery life: I get quite a strong battery life and no drain over night even with wifi left on
  • Price: Back then the S3 was at 600 euros, the Nexus 4 16GB set me for 350 euros, difficult to fault it there

So far this is all I have to say about the phone, liking it a lot and not even planning to root it for now. There is a Cyanogen thread for the Nexus 4 but I would advise against it for now. I have read a fair bit of entries in there and there still are a few nagging issues compared to stock.

Last but not least, you can always recover stock by downloading from Google itself should you need to.

UPDATE : 4.2.2 was delivered to me OTA yesterday. Feels as good as previous version. For benefits and changes, take a look at this article: 4.2.2 screenshot comparison.

Configuring OSSEC with MySQL and Analogi

I have been using OSSEC for a while now but I always used only plain text logs. While this is not bad, it does not scale really well. I started looking into a way to do it right(tm). I knew OSSEC was compatible with MySQL, and since 2.7 has been released, it gave me an excuse to play with it again.

MySQL support is not enabled by default in OSSEC, so you need to grab the source and build it as shown below. Note that if you are upgrading an existing installation, you might want to save the registered client keys first; the file to back up is /var/ossec/etc/client.keys

cd ossec-hids-2.7/src
make setdb
cd ..
./install.sh

After you have completed the installation, you need to configure your MySQL server, I used the official documentation to do it. Here is my run down of it:

$ mysql -u root -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossecuser@<ossec ip>;
mysql> set password for ossecuser@<ossec ip>=PASSWORD('ossecpass');
mysql> flush privileges;
mysql> quit
$ mysql -u root -p ossec < ./src/os_dbd/mysql.schema

You just now need to edit /var/ossec/etc/ossec.conf and add a new section within the config:

    <database_output>
        <hostname>127.0.0.1</hostname>
        <username>ossecuser</username>
        <password>xxxxxxx</password>
        <database>ossec</database>
        <type>mysql</type>
    </database_output>

And at last, enable MySQL and restart the service:

/var/ossec/bin/ossec-control enable database
/var/ossec/bin/ossec-control restart
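
An added check, not from the original post or the OSSEC project: ossec.conf now holds the database password in clear text, so this Python script reads the database_output section, reports missing fields or a placeholder password, and tests whether the file is world-readable. The sample config is constructed, the placeholder list and function names are assumptions, and the text is wrapped in a dummy root because ossec.conf may contain more than one ossec_config block.

```python
import os
import stat
import xml.etree.ElementTree as ET

REQUIRED = ("hostname", "username", "password", "database", "type")
# Values that should never reach production (assumption: extend to taste)
PLACEHOLDERS = {"", "xxxxxxx", "ossecpass", "password", "changeme"}

# Constructed sample: two <ossec_config> roots, as a real ossec.conf may have
SAMPLE_CONF = """
<ossec_config>
  <global><email_notification>no</email_notification></global>
</ossec_config>
<ossec_config>
  <database_output>
    <hostname>127.0.0.1</hostname>
    <username>ossecuser</username>
    <password>xxxxxxx</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
"""


def database_outputs(conf_text):
    """Return every <database_output> section as a dict of its child elements."""
    # Wrap in a dummy root so several top-level <ossec_config> blocks still parse
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    return [{c.tag: (c.text or "").strip() for c in node}
            for node in root.iter("database_output")]


def check_database_output(settings):
    """List the problems found in one database_output section."""
    problems = ["missing <%s>" % k for k in REQUIRED if k not in settings]
    if settings.get("type") not in (None, "mysql", "postgresql"):
        problems.append("unsupported <type>")
    if settings.get("password", "x").lower() in PLACEHOLDERS:
        problems.append("placeholder password")
    return problems


def world_readable(path):
    """True if any local user can read the file, and with it the DB password."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


if __name__ == "__main__":
    for section in database_outputs(SAMPLE_CONF):
        print(check_database_output(section))
```

On a live system, pass the contents of /var/ossec/etc/ossec.conf to database_outputs() and the path itself to world_readable().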

Analogi is a web interface replacement for ossec-wui, which is now very dated and spurts too many false positives. To install Analogi, go to the main project page and clone it using git:

git clone git://github.com/ECSC/analogi.git

It is up to you to protect that folder on your webserver, as exposing it has potential security risks. I am using NGINX, so here is my setup:

        location /ossec/analogi {
                auth_basic "Restricted Access";
                auth_basic_user_file htpasswd-file;
        }

You then need to rename the config file and change the SQL information in it:

mv db_ossec.php.new db_ossec.php

You should now be able to see information gathered from different clients straight into MySQL and using Analogi.

Protecting your blog with NAXSI

I have been pondering how to make WordPress more secure. This is when I stumbled on NAXSI. This is a WAF developed specifically for nginx. As it happens, I am providing an nginx Debian package for squeeze that I plan to update. So here is the package for nginx 1.2.6 (amd64) built against naxsi 0.48. I am using Debian Squeeze as a server.

First, credits where they are due, I based my blog entry on the blog entries of 2 friends: Guigui and iMil.

You will need to edit /etc/nginx/nginx.conf and add:

http {
    include        /etc/nginx/naxsi_core.rules;

    server {
        listen 80;
        listen [::]:80; # only if you are using IPv6
        server_name  weblog.frlinux.net;
        root /where/your/awesome/blog/is;
        proxy_set_header Proxy-Connection "";
        # target of DeniedUrl in naxsi.rules
        location /RequestDenied {
            return 403;
        }
        location / {
            index  index.html index.php;
            include    /etc/nginx/naxsi.rules;
        }
    }
}

Then add the following file: /etc/nginx/naxsi.rules with this:

SecRulesEnabled;
DeniedUrl "/RequestDenied";

## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

# WordPress naxsi rules

### HEADERS
BasicRule wl:1000,1001,1005,1007,1010,1011,1013,1200,1308,1309,1315 "mz:$HEADERS_VAR:cookie";
# xmlrpc
BasicRule wl:1402 "mz:$HEADERS_VAR:content-type";

### simple BODY (POST)
# comments
BasicRule wl:1000,1010,1011,1013,1015,1200 "mz:$BODY_VAR:post_title";
BasicRule wl:1000 "mz:$BODY_VAR:original_publish";
BasicRule wl:1000 "mz:$BODY_VAR:save";
BasicRule wl:1008,1010,1011,1015 "mz:$BODY_VAR:sk2_my_js_payload";
BasicRule wl:1009,1005,1100,1310 "mz:$BODY_VAR:url";
BasicRule wl:1009,1100 "mz:$BODY_VAR:referredby";
BasicRule wl:1100 "mz:$BODY_VAR:_wp_original_http_referer";
BasicRule wl:1000,1001,1008,1009,1010,1011,1013,1015,1016,1100,1200,1302,1303,1310,1311,1315,1400 "mz:$BODY_VAR:comment";
BasicRule wl:1100 "mz:$BODY_VAR:redirect_to";
BasicRule wl:1000,1009,1315 "mz:$BODY_VAR:_wp_http_referer";
BasicRule wl:1000 "mz:$BODY_VAR:action";
BasicRule wl:1001,1013 "mz:$BODY_VAR:blogname";
BasicRule wl:1015,1013 "mz:$BODY_VAR:blogdescription";
BasicRule wl:1015 "mz:$BODY_VAR:date_format_custom";
BasicRule wl:1015 "mz:$BODY_VAR:date_format";
BasicRule wl:1015 "mz:$BODY_VAR:tax_input%5bpost_tag%5d";
BasicRule wl:1100 "mz:$BODY_VAR:siteurl";
BasicRule wl:1100 "mz:$BODY_VAR:home";
BasicRule wl:1000 "mz:$BODY_VAR:submit";
# news content matches pretty much everything
BasicRule wl:0 "mz:$BODY_VAR:content";
BasicRule wl:1000 "mz:$BODY_VAR:delete_option";
BasicRule wl:1000 "mz:$BODY_VAR:prowl-msg-message";
BasicRule wl:1100 "mz:$BODY_VAR:_url";
BasicRule wl:1001 "mz:$BODY_VAR:c2c_text_replace%5btext_to_replace%5d";
BasicRule wl:1200 "mz:$BODY_VAR:ppn_post_note";
BasicRule wl:1100 "mz:$BODY_VAR:author";

### BODY|NAME
BasicRule wl:1000 "mz:$BODY_VAR:delete_option|NAME";

### Simple ARGS (GET)
# WP login screen
BasicRule wl:1100 "mz:$ARGS_VAR:redirect_to";
BasicRule wl:1000,1009 "mz:$ARGS_VAR:_wp_http_referer";
BasicRule wl:1000 "mz:$ARGS_VAR:wp_http_referer";
BasicRule wl:1000 "mz:$ARGS_VAR:action";
BasicRule wl:1000 "mz:$ARGS_VAR:action2";
# load and load[] GET variable
BasicRule wl:1015 "mz:$ARGS_VAR:load";
BasicRule wl:1015 "mz:$ARGS_VAR:load[]";
BasicRule wl:1015 "mz:$ARGS_VAR:q";

### URL
BasicRule wl:1000 "mz:URL|$URL:/wp/wp-admin/update-core.php";
BasicRule wl:1000 "mz:URL|$URL:/wp/wp-admin/update.php";
# URL|BODY
BasicRule wl:1009,1100 "mz:$URL:/wp/wp-admin/post.php|$BODY_VAR:_wp_http_referer";
BasicRule wl:1016 "mz:$URL:/wp/wp-admin/post.php|$BODY_VAR:metakeyselect";
BasicRule wl:11 "mz:$URL:/wp/xmlrpc.php|BODY";
BasicRule wl:11 "mz:$URL:/wp/wp-cron.php|BODY";
# URL|BODY|NAME
BasicRule wl:1100 "mz:$URL:/wp/wp-admin/post.php|$BODY_VAR:_wp_original_http_referer|NAME";
BasicRule wl:1000 "mz:$URL:/wp/wp-admin/post.php|$BODY_VAR:metakeyselect|NAME";
BasicRule wl:1000 "mz:$URL:/wp/wp-admin/user-edit.php|$BODY_VAR:from|NAME";
# URL|ARGS|NAME
BasicRule wl:1310,1311 "mz:$URL:/wp/wp-admin/load-scripts.php|$ARGS_VAR:load[]|NAME";
BasicRule wl:1000 "mz:$URL:/wp/wp-admin/users.php|$ARGS_VAR:delete_count|NAME";

There is a learning mode that you can enable to train your application; I would suggest you download the following script then take a look at Guigui’s article. I just focused on a ready to go configuration.

This configuration works on the latest Debian Squeeze using the latest packaged WordPress, of course YMMV. I deployed this about 2 weeks ago and it is proving quite nice in terms of security. It protects 2 blogs on my main server.
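
An added example, not part of the original post or of NAXSI itself: a small Python audit of the BasicRule whitelist format used above, flagging entries that switch off every rule (wl:0), whitelist a long ID list, or are not tied to a $URL. The sample lines are copied from the listing; the max_ids threshold and the finding names are assumptions chosen for illustration.

```python
import re

# Sample input: lines copied from the naxsi.rules listing in this post.
SAMPLE_RULES = r'''
SecRulesEnabled;
# news content matches pretty much everything
BasicRule wl:0 "mz:$BODY_VAR:content";
BasicRule wl:1000,1001,1008,1009,1010,1011,1013,1015,1016,1100,1200,1302,1303,1310,1311,1315,1400 "mz:$BODY_VAR:comment";
BasicRule wl:1100 "mz:$ARGS_VAR:redirect_to";
BasicRule wl:1016 "mz:$URL:/wp/wp-admin/post.php|$BODY_VAR:metakeyselect";
BasicRule wl:11 "mz:$URL:/wp/xmlrpc.php|BODY";
'''

RULE_RE = re.compile(r'^\s*BasicRule\s+wl:([\d,]+)\s+"mz:([^"]+)"\s*;')


def parse_whitelists(text):
    """Return one dict per BasicRule whitelist line: line number, IDs, match zone."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if m:
            ids = [int(i) for i in m.group(1).split(",") if i]
            rules.append({"line": lineno, "ids": ids, "zone": m.group(2)})
    return rules


def audit(rules, max_ids=8):
    """Flag whitelists that are broader than they need to be.

    max_ids is an arbitrary review threshold (assumption), not a NAXSI setting.
    """
    findings = []
    for r in rules:
        if 0 in r["ids"]:
            # wl:0 disables every rule for this match zone
            findings.append((r["line"], "ALL_RULES_OFF", r["zone"]))
        elif len(r["ids"]) > max_ids:
            findings.append((r["line"], "BROAD_ID_LIST", r["zone"]))
        # Without a $URL: part the whitelist applies to every URL in the location
        if not any(p.startswith("$URL:") for p in r["zone"].split("|")):
            findings.append((r["line"], "NOT_URL_SCOPED", r["zone"]))
    return findings


if __name__ == "__main__":
    for line, kind, zone in audit(parse_whitelists(SAMPLE_RULES)):
        print("line %d: %-14s %s" % (line, kind, zone))
```

Findings are review prompts rather than errors: an entry such as the comment body may legitimately need many IDs, but tying it to the URL that receives it keeps the exemption from applying everywhere else.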

Happy New Year 2013!

This is that time of the year again. I have gathered some quick starts like last year, I have posted on average half as often this year with only 15 entries (41 in 2011), visits have steadily stayed around 11k to 12k per month (while hits reached around 80.000 per month). This shows me that I need to post more interesting stuff. I have lined up a fair few tech stuffs I want to talk about so stay tuned…

Happy New Year to y’all :)

Spotify on an RPM based system (64 bits)

I recently registered with Spotify and wanted to listen to it on Linux. They have a preview client for Debian but nothing for RPM based systems. Funnily enough, they have an app for Android. This is a quick and dirty guide to get it running on CentOS/RHEL systems. You will need a PREMIUM subscription for this to work.

First, credits where they are due, I looked at this post on the community site. You need a Debian based system to convert the DEB to an RPM, or you will have to install alien yourself. Once this is done, go to the repository and grab the latest DEB for your platform. Then convert it (as root):

alien --to-rpm spotify-client_0.8.4.103.g9cb177b.260-1_amd64.deb

You then obtain an RPM, which you will need to install the dirty way with --nodeps. You also need to install a few dependencies:

yum install openssl098e qtwebkit
rpm -ivh --nodeps spotify-client-0.8.4.103.g9cb177b.260-2.x86_64.rpm

Running the first command below will show you that a few libs are not in the expected location; the symlinks after it are how to fix this on RHEL 6.3. Other RPM based systems might require different lib names:

ldd -v /usr/bin/spotify |grep "not found"
ln -s /usr/lib64/libssl.so.0.9.8e /usr/lib64/libssl.so.0.9.8
ln -s /usr/lib64/libcrypto.so.0.9.8e /usr/lib64/libcrypto.so.0.9.8
ln -s /usr/lib64/libnss3.so /usr/lib64/libnss3.so.1d
ln -s /usr/lib64/libnssutil3.so /usr/lib64/libnssutil3.so.1d
ln -s /lib64/libplc4.so /usr/lib64/libplc4.so.0d
ln -s /lib64/libnspr4.so /usr/lib64/libnspr4.so.0d

All going well, the client should now have all the libs linked properly. You can then launch spotify and profit!

I think it is worth mentioning that this is a temporary fix as I believe official clients will eventually show up.

Building a home made NAS

This is the first part of a few posts on my experience on building a home NAS. This has been on my mind for a while but it should be noted that I am planning to run slightly more things with this than just your typical NAS, hence why I am not going for an ATOM. I will most likely be running logstash along with observium and other web related things onto it. I am dying to put that to use.

Now onto the hardware:

  • Intel Core i5-3450S 2.80GHz (Ivybridge) Socket LGA1155 Processor (65W)
  • Lian Li PC-Q25B Mini-ITX Cube – Black
  • Asus P8H77-I Intel H77 (Socket 1155) DDR3 MiniITX Motherboard
  • Corsair Vengeance Low Profile 16GB (2x8GB) DDR3 PC3-12800C10 1600MHz Dual Channel Kit
  • Noctua NH-L12 CPU Cooler
  • Arctic Silver 5 Thermal Compound
  • Nexus NX-5000 R3 530W Real Silent 80+

Now dying to get the hardware. First stop will be to install FreeBSD with ZFS, then I will be comparing this with CentOS 6 and ZFS. Have a few spare drives and one SSD, that should get me going for a while :)