OpenSUSE Linux Rants

Being a musician and a Linux user myself, this one certainly caught my attention! I use Muse along with my Roland Fantom X-8 to write and play music on Linux. Some of these tools look slick.

Excerpt:

A loop in music is a section of the music that repeats itself continuously until receiving a signal to either stop or move on to the next section. A loop can be assigned to a single instrument or to a group of instruments. Compositionally, loops are used for a variety of purposes. For example, they may function as formal bass patterns over which a composition is built, or they may suppy a long but consistently repeating series of chords used to define the harmony for independently composed bass and melody lines. For many computer-based music-makers the loop's most popular implementation is the drum loop, a rhythmic pattern of one or more measures of percussion sounds that can be repeated unchanged for simple lines or mixed & matched with other loops for more life-like variation.

Read the rest of "Getting Loopy: Performance Loopers For Linux Musicians"

Linux has a number of incredible security tools. Joe Brockmeier introduces nmap, one of the better security tools out there.

Excerpt:

"Ever wondered how attackers know what ports are open on a system? Or how to find out what services a computer is running without just asking the site admin? You can do all this and more with a handy little tool called Nmap. What is Nmap? Short for "network mapper," nmap is a veritable toolshed of functionality to perform network scans. It can be used for security scans, simply to identify what services a host is running, to "fingerprint" the operating system and applications on a host, the type of firewall a host is using, or to do a quick inventory of a local network. It is, in short, a very good tool to know."

Read the article here

I had a smooth, easy experience with a fresh install of openSUSE 11.2 on my desktop this weekend. Man, that was nice.

With the excellent openSUSE Build Service available, I find myself there often. Many times I am looking for more recent versions of packages than what are available from the repositories I have loaded into my machine. Once the packages are found, I usually just grab the repository that they are in and load that into YAST.

For example, let’s say we’re looking for pidgin. Using YaST or zypper, we do a search, and find that we have version 2.6.2 available to us. However, with the openSUSE Build Service, we see that 2.6.3 is available. We’ll just grab the repo for it, which is located directly above the 1-click install button. Right-click on it, select “Copy Link Location.” You have the repo in your clipboard.

Then, we can use zypper to load our repository into YaST, set it to autorefresh, and then refresh it. Then, when we search for pidgin again, 2.6.3 shows up rather than 2.6.2. It’s a quick, easy way to collect and save reliable repositories that have newer packages in them.

To add a repo, then set it to autorefresh, then refresh it takes three, semi-lengthy commands, for example:

[1049][root@laptop:~]$ zypper addrepo "http://download.opensuse.org/repositories/GNOME:/Apps/openSUSE_11.2" "Gnome Apps"

Then:

[1049][root@laptop:~]$ zypper modifyrepo -r "Gnome Apps"

Then:

[1049][root@laptop:~]$ zypper refresh "Gnome Apps"

Rather than type all that out every time, I threw a quick script together that I call ‘repoadd’ (don’t forget to run chmod +x on it to make it executable) to save me all the agony:

#!/bin/sh
# $1 is the repo, i.e. http://download.opensuse.org/repositories/GNOME:/Apps/openSUSE_11.2
# $2 is the name you wish to give it, i.e. "Gnome Apps"
zypper addrepo "$1" "$2"
zypper modifyrepo -r "$2"
zypper refresh "$2"

Now, instead of having to type that all out every time, you can just run:

[1049][root@laptop:~]$ repoadd "http://download.opensuse.org/repositories/GNOME:/Apps/openSUSE_11.2" "Gnome Apps"

Of course, 1-Click Install does essentially the same thing. I just thought I’d explore and share this different way of going through that process. You never know when those alternative ways of doing things can save your hide.

Linux is built to be inherently secure, and has a great track record of having superior security to its proprietary counterpart.

However, in the world of server administration, paranoia is an asset. How else could someone get in? How can I prevent that? How can I be notified?

One magnificent contribution to the security of Linux servers the world over is called fail2ban. Why should you care?

From the Fail2ban main page:

Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.

So basically, it gives the finger to those mean people who are trying to brute-force your ssh server. And it blocks them at the packet level with iptables. No iptables knowledge necessary. (Though if you want a quickie, take a look at this short “Iptables for Linux” intro).

For openSUSE users, check to see if you have it available using zypper:

[1049][root@laptop:~]$ zypper search fail2ban

If you find it, use zypper install fail2ban to get it on your box.

If you have trouble getting it installed, follow the seriously excellent advice on the fail2ban download page.

When you get it installed, as root, edit your /etc/fail2ban/jail.conf file.

Put your ip addresses in the ignoreip list so you don’t lock yourself out.

bantime is in seconds. 1 hour is 3,600 seconds. 24 hours is 86400. I put in at least 24 hours. Do what works for you.

maxretry is how many tries a user gets before they’re blocked for bantime seconds. 3 to 5 chances seems more than generous.

Now to set up the notification.

In the same file, look for the section called [ssh-iptables]. Change this section so it looks like this:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=notrealemail@suseblog.com, sender=fail2ban@suseblog.com]
logpath  = /var/log/messages
maxretry = 3

If you don’t want the ‘whois’ info, take out the ‘-whois’ from the sendmail part. Change the dest email to your own, and set the sender to whatever you want. Maxretry will override the default that you set further up. In logpath, put in the system log, or wherever your sshd logs stuff. Mine happens to be what you see there.

When it’s set up as you like, save and quit.

Now, fire that bad fool up:

[1607][root@mail:/etc/fail2ban]$ fail2ban-client start
2009-11-27 16:07:46,554 fail2ban.server : INFO   Starting Fail2ban v0.8.4
2009-11-27 16:07:46,555 fail2ban.server : INFO   Starting in daemon mode
[1607][root@mail:/etc/fail2ban]$

To make it run when the machine restarts, use chkconfig:

[1607][root@mail:/etc/fail2ban]$ chkconfig -a fail2ban
fail2ban                  0:off  1:off  2:off  3:on   4:off  5:on   6:off
[1610][root@mail:/etc/fail2ban]$ 

Within at least a few hours, you should get notifications. Or, you can have someone try and brute force your box and see if their IP gets banned.

If you read through jail.conf, you’ll see that fail2ban can do loads more than I’ve covered here. But if you want a little more armor on ssh, your biggest target, slap fail2ban on your box.

Ophcrack is the Linux LiveCD that you reach for when you forget your admin password on your Win32 (incl. XP and Vista) box.

From the Ophcrack Sourceforge page:

“Ophcrack is a Windows password cracker based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman’s original trade-off, with better performance. It recovers 99.9% of alphanumeric passwords in seconds.”

For all admins who use said proprietary OS, if you ever forget your admin password, this is one great way to recover it, and help you keep your job.

Please do not ever, ever, ever use tools like this for malicious purposes, because that’s just plain not very nice.

As many know, one of my BIGGEST gripes with Gnome and/or GTK-based apps is their inability to NATIVELY support remote filesystem access, like Konqueror does by default, and Kate does by default, and many of the other applications built for KDE do by default. As mentioned in a previous post:

“kio-slave – For anyone who doesn’t know what this does, it gives KDE the ability to interact with remote filesystems via FTP, SSH, etc. You can open up a remote filesystem, and drag and drop a text file right onto your Kate icon. Kate will open the file for you to edit it. When you are done editing, just click SAVE and close the file. KDE via kio-slave saves the file back to the remote fileystem (assuming you have the proper privileges). This is the one thing that has the supremest of importance to me. It is possible to have one Konqueror window open and have it split into 16 different panes, each pane connected to a different filesystem or directory, whether local or remote. If you have never done this, you have to try it some time. You can split Kate windows the same way. Before anyone says it, I realize that you can make other desktop environments do this, but KDE just does it right out of the box.”

Some may even remember when I posted a bit of a rant about this. I use remote filesystems ALL DAY LONG.

As I’m moving away from KDE and everything that ties me to it, the need arose to access remote filesystems very quickly in a windowing system. I realize ssh does this. With ssh, it takes about 12 seconds to log in and copy a file over, not to mention all the keystrokes. With Konqueror, I click the Konqueror Icon, press CTRL+SHIFT+L, and select the remote filesystem I want from my bookmarks and I’m there. All of 3 seconds and a tenth of the effort.

How to mimic the functionality I want?

One possibility is a little app called gigolo. Why the name? As the author says, “Because it mounts what its told to.”

For XFCE4 users, this little baby is pretty fun. It allows you to bookmark remote filesystems, autoconnect to them, and all sorts of great stuff, quite a bit like kio-slave does. Just a bit more cumbersome, but at least I get the functionality.

Experience is a great teacher, so add the repo and install gigolo:

[1207][root@suse-desktop:/home/scott]$ zypper addrepo "http://download.opensuse.org/repositories/X11:/xfce/openSUSE_11.1" XFCE4 ; zypper modifyrepo -r XFCE4 ; zypper in gigolo
Adding repository 'XFCE4' [done]
Repository 'XFCE4' successfully added
Enabled: Yes
Autorefresh: No
URI: http://download.opensuse.org/repositories/X11:/xfce/openSUSE_11.1

Autorefresh has been enabled for repository 'XFCE4'.
Retrieving repository 'XFCE4' metadata [done]
Building repository 'XFCE4' cache [done]
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
  gigolo

Overall download size: 90.0 K. After the operation, additional 310.0 K will be used.
Continue? [YES/no]:
Retrieving package gigolo-0.3.2-1.1.i586 (1/1), 90.0 K (310.0 K unpacked)
Retrieving: gigolo-0.3.2-1.1.i586.rpm [done]
Installing: gigolo-0.3.2-1.1 [done]
[1208][root@suse-desktop:/home/scott]$

Now just run it. You’ll get a window similar to the following:

Press CTRL+B to edit your bookmarks. A window like this comes up:

Click ADD. In the box that appears, fill out the info and click OK:

If you selected autoconnect, you’ll be prompted for the password:

You may also have to create a keyring password. When you are done, if you selected autoconnect, you’ll see an icon showing that it’s connected:

If not, click the down arrow next to the bookmark button (furthest left), and select the bookmark you want to connect to:

Once you have connected to a bookmark, double-click it in the gigolo window. Nautilus comes up displaying the remote filesystem. Not sure if you can use other file managers, but if you can, let me know.

¡Por fin! It’s about time they did something like this with OpenSUSE Linux. Uses for this are infinite. What a fantastically cool concept.

From the site, “Novell has launched a new service called SUSE Studio that makes it easy to build software appliances. Ars gives it a spin and find it’s an excellent tool for building virtual appliances.”

Now honestly, who couldn’t use that?

Check this out: “Novell has launched a new Web service called SUSE Studio that simplifies the process of building Linux-based software appliances. It provides a convenient interface for creating custom versions of Novell’s SUSE Linux distribution with specialized configurations. The service is part of Novell’s broader SUSE Appliance Program initiative.”

“Enterprise software deployment comes with a lot of serious technical challenges. Getting a complex piece of server software up and running on backend infrastructure often requires system administrators to wrestle with dependencies and configuration issues. Software appliances are increasingly viewed as a compelling solution to this problem.”

“A software appliance is a preconfigured stack that includes a software program and its dependencies bundled with a minimal operating system image that can get the program up and running with the smallest possible resource footprint. This concept is often referred to as “Just Enough Operating System” (JeOS).”

“SUSE Studio allows users to build software appliances on top of SUSE Enterprise Linux or OpenSUSE. It offers several templates that can be used as a starting point, including a minimal JeOS template, a server template, a minimal X11, KDE, and GNOME templates. After selecting a base template, users can customize it and add additional software.”

The versatility of Linux never ceases to blow my mind. I mean, to each their own, but if you are looking for the X-11 of consumer-level operating systems, Linux stands up to the test, tell you what (tell your mom, too).

Enough of my yammering about this new OpenSUSE project. Take a look at the screen shots and full story:

Linux appliances made easy with SUSE

Linux has so many marvelous tools. The great part about this is that you can combine the tools to make new tools. As you may know, there have been previous postings about a tool called ’sup’ which tells you some useful information about the linux box into which you are logged. Having so many terminal windows open, and screen sessions going, it’s easy to get lost in the labyrinth of connections and sessions. This tool clears all that up for you really quick.

Since the last version, the most significant change is the ability to determine which version of which Linux distribution you are using.

Here is some sample output:

<=== SYSTEM ===>
  Distro info:  Welcome to openSUSE 11.1 - Kernel \r (\l).
  Kernel:       Linux laptop 2.6.27.19-3.2-pae #1 SMP 2009-02-25 15:40:44 +0100 i686 i686 i386 GNU/Linux
  Uptime:        9:20am  up   0:47,  1 user,  load average: 0.64, 0.54, 0.38
  Memory:       Total: 1986Mb   Used: 730Mb     Free: 1256Mb
  Swap:         Total: 4180Mb   Used: 0Mb       Free: 4180Mb
  Architecture: i686
  Processor:    0 : Intel(R) Core(TM) Duo CPU T2250 @ 1.73GHz
  Processor:    1 : Intel(R) Core(TM) Duo CPU T2250 @ 1.73GHz
  Date:         Tue Jul 21 09:20:09 MDT 2009

<=== USER ===>
  User:         scott (uid:1000)
  Groups:       users www
  Working dir:  /home/scott
  Home dir:     /home/scott

<=== NETWORK ===>
  Hostname:     laptop
  IP (lo):      127.0.0.1/8
  IP (lo):      127.0.0.2/8
  IP (eth0):    10.245.106.6/24
  Gateway:      10.245.106.1
  Name Server:  10.45.106.10

I don’t like it when people try and hack my web servers. To make myself aware of people trying to access my ssh daemon, I wrote me a little script. Yup, I’m certainly aware of DenyHosts. Notwithstanding, in the hopes that this script may find use elsewhere, I post it here. Behold, enjoy, and chuckle a bit at how much better you could write it. Then, let me know how you’d improve it:

#!/bin/sh
LOGFILE=/root/hack_attempts
IFS=$'\n'
PATTERN="^"`date --date="1 minute ago" "+%b %e %H:%M:"`""
tail -n 1000 /var/log/messages | grep ""$PATTERN"" | grep sshd | grep -i "invalid user" | grep " from " > "$LOGFILE"
if [ $(stat -c%s "$LOGFILE") -gt 0 ] ; then
	echo "See the attached log for details" | mailx -a "$LOGFILE" -s "Possible hack attempt" YOUREMAIL@YOURDOMAIN.COM
fi
rm "$LOGFILE"

Copy it to your /root folder. Name it something cool like ’ssh_foghorn’, and chmod +x it to make it executable. Put it in your /etc/crontab file to run once every minute. Make sure you set the system log to whatever your distro uses. And change the email address to your own. Doesn’t cure cancer, but for 8 lines of code, it does what it needs to.

Again, I’m sure there are better ways to do this, so let’s hear ‘em!

So the boss wants me to learn Ruby on Rails. As a sidenote, right now I’m running OpenSUSE 11.0.

I’d like to use a great IDE so that I can get going quickly. So I have to learn the IDE and the language.

Which IDE to use? Well, I thought since Eclipse is an IDE platform, that I could do PHP and Ruby on it.

I spent the next few days learning how to install Eclipse so that it would work with Ruby on Rails.

Here’s where I stand:

First, install libmysqlclient-devel, because you’ll need to compile the mysql gem for Ruby. Then, install ruby (1.8.6 patchlevel 114 worked best for me), and make sure gcc is installed so you can compile gems when necessary.

When you’re done with this step, check to see what version of ruby you have, and make sure it’s 1.8.6:

$ ruby -v
ruby 1.8.6 (2008-03-03 patchlevel 114)

Next, install eclipse. I found version 3.4 from the OpenSUSE BuildService. Version 3.3 is available for OpenSUSE 10.3.

While that is installing, install rubygems 1.3.1. Again, this version for OpenSUSE 11.0 was only available on the BuildService.

Then, you’ll need to update your gem repository, and then install a handful of gems:

$ gem sources -u
$ gem install rails
$ rails -v
Rails 2.2.2
$gem install mysql cgi_multipart_eof_fix ruby-prof linecache ruby-debug-ide ruby-debug-base mongrel gem_plugin
$ gem update // gets the latest versions of installed gems

When eclipse is done installing, follow the instructions in the “Plugging Aptana into an existing Eclipse configuration” article.

It will prompt you for lots of updates, just go ahead and do them all. Once in awhile, I’ve had it crash, so I just start the article over from the beginning.

Finally, run eclipse, go to the MyAptana view, click on the Plugins icon. You’ll see a list of available plugins. One is PHP, and one is Aptana Radrails. Click on “Get it”. You’ll go through a similar installation process to install that plugin.

Again, if there are any updates, go ahead and do them.

Now, that is how far I’ve gotten, and I’ve even been able to do a tutorial or two with that setup. For all the ruby experts out there who are running it on Linux, what IDE do you use? If you use Eclipse w/RadRails, do you have any further suggestions? If you don’t use Eclipse, why? And if you don’t use Eclipse, what tutorials exist that teach one how to use your preferred IDE with Ruby on Rails?

I have updated the ’sup’ bash script so that you can see some useful stats about your Linux box at a glance. Here is some output:

  User:         scott (uid:1000)
  Groups:       users dialout video
  Working dir:  /home/scott
  Home dir:     /home/scott
  Hostname:     suse-linux
  IP (lo):      127.0.0.1/8
  IP (lo):      127.0.0.2/8
  IP (eth0):    192.168.12.144/24
  Gateway:      192.168.12.2
  Name Server:  192.168.12.1
  Date:         Wed Jan 21 09:38:57 MST 2009
  Uptime:        9:38am  up 15 days 23:36,  6 users,  load average: 0.22, 0.22, 0.24
  Kernel:       Linux suse-linux 2.6.25.18-0.2-pae #1 SMP 2008-10-21 16:30:26 +0200 i686 i686 i386 GNU/Linux
  Memory:       Total: 2016Mb   Used: 972Mb     Free: 1044Mb
  Swap:         Total: 4102Mb   Used: 150Mb     Free: 3952Mb
  Architecture: i686
  Processor:    0 : Intel(R) Pentium(R) Dual CPU E2160 @ 1.80GHz
  Processor:    1 : Intel(R) Pentium(R) Dual CPU E2160 @ 1.80GHz

I’ve added the processor info and gateway and nameserver info. I’ve commented out some other stuff that will give you your sound card info, video card info, and basically everything you can get with “lspci -v”. That would be why it’s commented out. Anyway, take a look at the new version:

Linux ’sup’ bash script

School is quite a bit funner than I remember.

However, I am taking an interesting class dealing with storyboarding for movies. We have to do these things called “animatics.” You all know what a movie storyboard is, right? If not, google “movie storyboards” and read up. The boiled down version is that it is a scene-by-scene (generally using stills) depiction of the sequences of a movie. Could be a short movie. Could be a scene.

Well, an animatic is where you take these storyboarding pictures and make a glorified slide show with them. You are able to put in sound effects, filler music, placeholder dialogue, and other assets to make the storyboard much more like the movie will actually be.

So our professor gave us a few exercises. He gave us a series of drawings, a basic plot, and told us to make an animatic out of them.

What tool did I turn to? When all was said and done, it was Cinelerra, the non-linear video editor for Linux:

Click for larger image

Just to refresh, these are not movies, but more like an indicator of where people will be standing, what kind of shots will be used, what kind of lighting there might be, etc.

With that, if you’d like to take a look at what I finally turned in for these three projects created with Cinelerra, here you are:

2.8 Mb – Ogg Theora format – right-click, save as…

7.2 Mb – Ogg Theora format – right-click, save as…

3.9 Mb – Ogg Theora format – right-click, save as…

Spielberg I am not. Lucas I am not. But at least I got credit for doing the exercises.

From the OpenSUSE Newsroom:

The openSUSE Project is proud to announce the 1.0 release of the openSUSE Build Service. The 1.0 release provides all the features necessary to support building openSUSE in the public build systems and allowing direct contributions to openSUSE from all contributors. Developers can now submit contributions to openSUSE directly at build.opensuse.org.

The openSUSE Build Service allows developers to create and maintain packages for openSUSE and many other Linux distributions, including CentOS, Debian, Fedora, Mandriva, Red Hat, and Ubuntu. With the 1.0 release, the openSUSE Build Service expands its scope to building the entire openSUSE release, and provides everyone with the same access and transparent interface to work on the openSUSE distribution.

The openSUSE Build Service has offered a simple collaboration system since its inception for groups to work closely together on packages or solutions stacks. The 1.0 release improves on existing functionality to allow the Build Service to scale to larger projects like openSUSE’s Factory distribution, and to allow building openSUSE’s stable releases in the open.

What the changes mean for contributors:

• Anyone can find a package’s working copy as maintained by the official packager or packaging team. Contributors can submit changes against the working copy.
• The submission handling and notification system has been put in place, allowing any contributor to request a merge of their changes to a project.
• Quality assurance happens before contributions are merged. Test builds of a suggested change are accessible to anyone.
• Improved branch handling. It is easy to set up a branch of a package. The branch will build in the same way as the original package, but can be modified.
• Source handling is improved in 1.0. It’s now possible to easily maintain a branch, and modifications are stored without creating a full copy. This makes it easier to maintain features based on the latest copy of package. The Build Service builds the latest packages, including modifications, automatically.

The majority of this functionality is implemented on the server side. The rest can be implemented by the various Build Service clients, so that contributors can take advantage of the new features.

The Build Service team has also introduced a number of smaller improvements and bugfixes to make the system more scalable and usable.

The openSUSE Build Service is now considered “feature complete” for collaboration. The Build Service team is looking for additional feedback on improving the openSUSE Build Service as it will now be the standard tool for working on the distribution.