Sunday, December 6, 2020

The Linux Desktop project

Since my work laptop is too restricted, i’m trying to set up Ubuntu on a USB stick and boot from there.
Actually, it has proven to be a very smooth experience so far. I’m impressed by the overall speed and battery performance.

Couple of things i must not forget.
WORK IN PROGRESS

Get some essentials:

sudo apt install curl ffmpeg keepassxc

Latest Google Chrome Browser: link
Latest Citrix Workspace (Receiver): link
Latest Citrix RTME (HDX for Skype): link

After installing the ica client:

sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts

modify /opt/Citrix/ICAClient/config/wfclient.template before making the first connection

MSLocaleNumber=0x00000413
KeyboardLayout=US-International

Also: modify /opt/Citrix/ICAClient/config/All_Regions.ini

MouseSendsControlV=False

Lastly:

sudo apt-get install --reinstall libcanberra-gtk-module
/opt/Citrix/ICAClient/util/configmgr (for mapping local drives)

Install Microsoft Teams:

sudo curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
sudo echo "deb [arch=amd64] https://packages.microsoft.com/repos/ms-teams stable main" > /etc/apt/sources.list.d/teams.list
apt update
apt install teams

Connecting to exchange web services (for calendar sync)

sudo apt install evolution-ews

Google drive support e.g. for keepass

sudo add-apt-repository ppa:alessandro-strada/ppa
sudo apt-get update
sudo apt-get install google-drive-ocamlfuse

edit ~/.gdfuse/default/config and set mv_keep_target=true

mkdir ~/Documents/GoogleDrive
google-drive-ocamlfuse ~/Documents/GoogleDrive

startup file for google drive mount and offline backup of keepass databases:

#!/bin/bash

google-drive-ocamlfuse ~/Documents/GoogleDrive
if [ ! -d ~/BACKUP/keepass/ ]; then mkdir -p ~/BACKUP/keepass/; fi
if [ -d ~/Documents/GoogleDrive/keepass/ ]; then cp -f ~/Documents/GoogleDrive/keepass/*.kdbx ~/BACKUP/keepass/; else echo Offline; fi

gedit json formatter:
Preferences - Plugins - enable External Tools
preferences - Manage external Tools
“+”, give name e.g. “Format Json”, shortcut key Ctrl+Alt+J, input=Current Document, output=Replace current document
code:

#! /usr/bin/env python
 
import json
import sys
 
j = json.load(sys.stdin)
print( json.dumps(j, sort_keys=True, indent=2) )

Kodi:

sudo apt-get install software-properties-common
sudo add-apt-repository ppa:team-xbmc/ppa
sudo apt-get update
sudo apt-get install kodi

Youtube-dl:

sudo curl -L https://yt-dl.org/downloads/latest/youtube-dl -o /usr/local/bin/youtube-dl
sudo chmod a+rx /usr/local/bin/youtube-dl
sudo ln -s /usr/bin/python3 /usr/local/bin/python

Wednesday, June 24, 2020

iptables log specific connections

Example how to allow certain known connections (e.g. unifi accesspoints) and log unknown connection attempts.
This is done by adding a chain called LOGDROP, append packets that match the criteria (tcp/8080) to that chain, log the packets and drop them.

iptables:

#!/bin/bash

AP01="192.168.0.1"
AP02="192.168.0.2"
AP03="192.168.0.3"

# Resetting ...
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X

# Setting default policy on incoming traffic
iptables -P INPUT DROP                                                  # DENY INCOMING CONNECTIONS
iptables -P FORWARD DROP                                                # THIS IS NOT A ROUTER

# allowed accesspoints
iptables -A INPUT -p tcp --dport 8080 -s $AP01 -j ACCEPT                # UNIFI - AP01
iptables -A INPUT -p udp --dport 3478 -s $AP01 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -s $AP02 -j ACCEPT                # UNIFI - AP02
iptables -A INPUT -p udp --dport 3478 -s $AP02 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -s $AP03 -j ACCEPT                # UNIFI - AP03
iptables -A INPUT -p udp --dport 3478 -s $AP03 -j ACCEPT
# log AP connections that aren't allowed
iptables -N LOGDROP
iptables -A INPUT -p tcp --dport 8080 -j LOGDROP
iptables -A LOGDROP -j LOG --log-prefix "IPTables-Dropped: " --log-level 7
iptables -A LOGDROP -j DROP

# Make persistent
iptables-save >/etc/iptables/rules.v4

Create a file in /etc/rsyslog.d/ called “30-unifi-accesspoints.conf” with the following content:

:msg,contains,"IPTables-Dropped: " /var/log/unifi_accesspoints.log

and restart rsyslog

Wednesday, May 13, 2020

Mediainfo with rar support

Mediainfo is a very nice utility, but it works even better with rar support.
Took me a while to compile it succesfully, therefor here are the steps. Easy once you know it :~

First, install current version of the normal Mediainfo and other requirements that we need later.

sudo -s
apt install mediainfo libmediainfo-dev git build-essential

Then get the latest source code from the mediaarea.net website. Currently version 20.03.

mkdir /root/installers/ && cd /root/installers
wget https://mediaarea.net/download/binary/mediainfo/20.03/MediaInfo_CLI_20.03_GNU_FromSource.tar.gz
tar zxvf MediaInfo_CLI_20.03_GNU_FromSource.tar.gz
cd MediaInfo_CLI_GNU_FromSource
./CLI_Compile.sh
cd MediaInfo/Project/GNU/CLI && make install

Now we’re going to add the rar functionality. It depends on a modified version of libdvdread, also from lundman, that we need first.

cd /root/installers
wget http://lundman.net/ftp/dvdread/libdvdread-4.2.0.plus.tar.gz
tar zxvf libdvdread-4.2.0.plus.tar.gz
cd libdvdread-4.2.0.plus
./configure && make && make install

And now we’re going to build the mediainfo-rar version:

cd /root/installers
wget "http://www.lundman.net/ftp/mediainfo-rar/mediainfo-rar-1.4.0.tar.gz"
tar zxvf mediainfo-rar-1.4.0.tar.gz
cd mediainfo-rar-1.4.0
./configure && make && make install

Run it: mediainfo-rar.
If it complains about “error while loading shared libraries: libdvdread.so.4”, fix it with:

ln -s /usr/local/lib/libdvdread.so.4 /lib/x86_64-linux-gnu/libdvdread.so.4

That’s all.

Backup links in case sources will ever disappear:
MediaInfo_CLI_20.03_GNU_FromSource.tar.gz
libdvdread-4.2.0.plus.tar.gz
mediainfo-rar-1.4.0.tar.gz

Monday, May 11, 2020

Run services like inetd in Synology debian-chroot

Somehow systemd does not run in the debian-chroot, so in case inetd is working for you, here’s how:
ssh to your synology

sudo -s
chroot /volume1/@appstore/debian-chroot/var/chroottarget /bin/bash
apt install wget tcpd zip unzip openssl lftp openbsd-inetd

Install software of choice. Then:

service openbsd-inetd start
exit

Auto-start the inetd service with the debian-chroot:

sqlite3 /volume1/@appstore/debian-chroot/var/debian-chroot.db
INSERT INTO services VALUES ('0', 'INETD', '/etc/init.d/openbsd-inetd','ps -p $(cat /var/run/inetd.pid)');
.quit

Create a Synology x64 debian chroot

1 Install the synology “noarch” package
Go to the Package Center, then Settings
Trusted sources, “Synology Inc. and trusted publishers”
Package Sources, Add, “SynoCommunity” + “http://packages.synocommunity.com/”
Community, install Python (v2.x, not v3) and nano
Manual Install, debian-chroot_noarch-all_8.4-7.spk but DO NOT “Run after installation”

2 Fix the DSM Interface
Ssh to your Synology

sudo -s
cd /volume1/@appstore/debian-chroot/env/bin
./pip install click
nano /var/packages/debian-chroot/target/app/debian-chroot.js

Then replace

"url": "3rdparty/debian-chroot/debian-chroot.cgi/direct/router",
with
"url": "/webman/3rdparty/debian-chroot/debian-chroot.cgi/direct/router",
and:
'url': '3rdparty/debian-chroot/debian-chroot.cgi/direct/poller',
with
'url': '/webman/3rdparty/debian-chroot/debian-chroot.cgi/direct/poller',

And alter the onclose function:

onClose: function () { 
    this.doClose();
    this.mainPanel.onDeactivate();
    return true;
},

3 Replace the binaries with x64
Remove old binaries:

cd /volume1/@appstore/debian-chroot/var
rm -rf chroottarget

Put the x64 chroot.tar.gz in the current directory

tar zxvf chroot.tar.gz
echo "chroot" >/volume1/@appstore/debian-chroot/var/chroottarget/etc/hostname
cp /etc/resolv.conf /volume1/@appstore/debian-chroot/var/chroottarget/etc/resolv.conf
touch /usr/local/debian-chroot/var/installed

If you created a chroot for a different architecture than x64, use the following command. Otherwise skip this.

chroot /volume1/@appstore/debian-chroot/var/chroottarget /debootstrap/debootstrap --second-stage

The chroot is now installed. Start it:

/var/packages/debian-chroot/scripts/start-stop-status start

Enter the chroot:

chroot /volume1/@appstore/debian-chroot/var/chroottarget /bin/bash

Post-installation steps:

apt update && apt upgrade && apt autoremove
apt-get install locales
dpkg-reconfigure locales -> only "[*] en_US.UTF-8 UTF-8" -> system default: en_US.UTF-8
dpkg-reconfigure tzdata -> set correct timezone, e.g. Europe, Amsterdam

Optional
If you want extra mounts in your chroot, look in:

/var/packages/debian-chroot/scripts/start-stop-status

example to add a Synology share called stuff to the chroot:

add to BOTTOM of all mount commands in section start_daemon script:
        grep -q "${CHROOTTARGET}/mnt/site " /proc/mounts || mount -o bind /volume1/stuff ${CHROOTTARGET}/mnt/site
add to TOP of all umount commands in section stop_daemon script:
        umount ${CHROOTTARGET}/mnt/site

Reboot your synology

Create debian x64 chroot files (for Synology debian-chroot)

On your current installed debian x64 installation:

sudo apt install debootstrap
sudo debootstrap stable chroottarget
sudo tar -cvzf chroot.tar.gz chroottarget

Save the chroot.tar.gz

If you need to create a chroot for a different architecture, eg armhf, the second command would be:

sudo debootstrap --foreign --arch armhf stable chroottarget

Thursday, October 10, 2019

Win 10 slow startup caused by AMD Radeon graphics card

Reminder: Look in registry for EnableUPLS and set 1 to 0.

Thursday, July 18, 2019

Save and re-install debian/ubuntu packages

save current installed packages to textfile

dpkg -l | grep ^ii | awk '{print $2}' > installed.txt

re-install packages from textfile

sudo apt-get install $(cat installed.txt)

Sunday, January 14, 2018

Ubiquiti Unifi Controller on Ubuntu LTS

Plenty of stuff you can find on the internet.
But for my own references:

Basic Ubuntu LTS installation.
If you’re on a public ip, first get your firewall in order. Then install Unifi.

Firewall
Make sure you’re root (sudo -s), then:

apt-get install netfilter-persistent
service netfilter-persistent start
invoke-rc.d netfilter-persistent save
mkdir /etc/iptables/

In this example:
1.2.3.4 = trusted machine that is allowed to connect to the Unifi controller. Probably your own pc
4.5.6.7 = site 1 with AP’s and other ubiquiti stuff
6.7.8.9 = site 2 with AP’s and other ubiquiti stuff

Ports tcp/8080 and udp/3478 are all you need between your ubiquiti equipment and your controller (see link)

Save the following to firewall.sh and execute (replace ip’s with real ip’s):

#!/bin/bash

# Resetting ...
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F

# Setting default policy on incoming traffic
iptables -P INPUT DROP                                                  # DENY INCOMING CONNECTIONS
iptables -P FORWARD DROP                                                # THIS IS NOT A ROUTER

# Exceptions to default policy
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT        # FOR INITIATED CONNECTIONS FROM THIS HOST
iptables -A INPUT -i lo -j ACCEPT                                       # MUSTHAVE (e.g. for MongoDB bind to localhost)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT                           # SSH
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT                       # PING

# unify test
iptables -A INPUT -p tcp --dport 8443 -s 1.2.3.4 -j ACCEPT       # Connections from management host

iptables -A INPUT -p tcp --dport 8080 -s 4.5.6.7 -j ACCEPT       # UNIFI - INFORM - site1
iptables -A INPUT -p udp --dport 3478 -s 4.5.6.7 -j ACCEPT       # UNIFI - STUN   - site1
iptables -A INPUT -p tcp --dport 8080 -s 6.7.8.9 -j ACCEPT        # UNIFI - INFORM - site2
iptables -A INPUT -p udp --dport 3478 -s 6.7.8.9 -j ACCEPT        # UNIFI - STUN   - site2

# Make persistent
iptables-save >/etc/iptables/rules.v4

Install Unifi
Make sure you’re root (sudo -s), then:

echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
apt-key adv --keyserver keyserver.ubuntu.com --recv 06E85760C0A52C50
apt-get update
apt-get install unifi

.. last but not least, go to: https://ipaddress:8443/

Saturday, October 21, 2017

make iptables persistent

Recent versions of Ubuntu use a built-in firewall. Therefor iptables doesn’t persist after a reboot.
Here’s how:

# Start
sudo service netfilter-persistent start
#Add to startup
sudo invoke-rc.d netfilter-persistent save