Linux

HOWTO: WRITE BETTER DOCUMENTATION

So, call to action: if you are writing any kind of documentation, before explaining how to fix the problem, teach the user how to diagnose it.

Source: Why Linux Troubleshooting Advice Sucks

I’ve been writing documentation for myself for years, and been using Linux for 20 years and I still struggle with the basics cos most documentation for Linux fucken sucks.

  • Teach the user how to diagnose the issue so they can confirm the solution you have is indeed for their issue.
  • Explain why this is happening.
  • Provide the solution. Could be a bash one-liner they can copy-paste. Could be a script (explain how to run it). Could be a patch (explain how to apply it). Don’t just say “this is an exercise left to the reader.”

And no, “reading the source” doesn’t help. Neither does “read the man pages”; the only man page worth anything is the one for nmap.

If you’re one of those people that say that, you can go fuck yourself, hard, in the ass, no lube.


“Burn the witch!”, they yell

This is written in Rust because I personally believe that writing security critical components that we would ship with the operating system in C is a massive disservice to our users. Go also doesn’t really have a good story to do interoperability with core C system components like this (the Go runtime is massive and as of writing this post the entire PAM module I’ve written is smaller than the Go runtime, even with a statically compiled copy of libcurl).

Source: The Surreal Horror of PAM – Xe

You can already see the C fanbois off in the distance carrying pitchforks and torches.


The more things change the more they stay the same

I first started using Linux and FreeBSD on laptops in the late 1990s. Back then, there were all sorts of hassles and problems, from hangs on suspend to pure failure to boot. I still worry a bit abo…

Source: Managing an External Display on Linux Shouldn’t Be This Hard | The Changelog

Evidently nothing has changed since we stopped using Linux as our daily driver OS. We were actively thinking of switching back as we got tired of Windows rebooting on us whenever it felt like it. Slight problem: we have two 4K displays and two 1080p displays hooked to a Radeon GPU, and AMD isn’t particularly nice about proper driver support; they’re better than Nvidia but not by much.

We hate to think what would happen if we have to switch to a laptop full-time. We’d probably give in fully to the dark side and run WSL on Win11. More and faster progress is being made on running desktop applications on it than people are doing on fixing these issues on “real” Linux.


Microsoft is just using Linux to make the moat around Windows deeper

I’ve also slowly become convinced of something else. Elegant though they may be, grand, over-arching theories of human-computer interactions are just not very useful. The devil is in the details, and accounting for the quirky details of quirky real-life processes often just results in quirky interfaces. Thing is, if you don’t understand the real life process (IC design, neurosurgery procedures, operation scheduling, whatever), you look at the GUIs and you think they’re overcomplicated and intimidating, and you want to make them simpler. If you do understand the process, they actually make a lot of sense, and the simpler interfaces are actually hard to use, because they make you work harder to get all the details right.

Source: Perhaps WSL2 Should be a Wake-up Call | Lobsters

As someone who has railed elsewhere about the evils of point of sale systems created by people who have never, in their little sad developer lives, worked in food service, I feel this comment in my bones. For people who know what they want to accomplish, a complicated interface will let you do your job once you learn it, and it will let you do magic once you master it.

People bitch about Windows— including myself. But we’re still using it. I personally keep thinking of switching back to Linux but I find myself dreading the inevitable UI churn of GNOME and KDE; it is one of the reasons why I prefer XFCE. But even it suffers from churn under it in the form of libraries and modules that are tossed aside and rewritten in an inane race towards “modernity”.

As for WSL, the classic Borg assimilation quote comes to mind.

We are the Borg. Existence, as you know it, is over. We will add your biological and technological distinctiveness to our own. Resistance is futile.


Accessorize your Windows toys with WSL

Normally I would consider this a bug. However over the years I’ve come to the conclusion that Windows is a pretty toy. It works wonderfully “in the small”. But it isn’t useful for significant programmer workloads (like typing :-) ).

Source: WSL Isn’t Linux | Hacker News

Your mistake was considering Windows suitable for anything but media consumption. It will phone home, it will reboot when it feels like it, and it won’t resume state when it does reboot or resume from sleep.

The best use for WSL is to shell into a proper Linux host. It’s the only way you can guarantee you won’t lose your work when the OS decides to do something.


Block attacker IP addresses, four ways

If you run WordPress you’ve seen these in your web server logs:

132.232.46.230 - - [29/Oct/2020:13:58:41 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:44 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:48 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:52 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:55 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:58 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"

Fucken scanners just slamming xmlrpc.php looking for a way in. When this happens CPU usage goes through the roof for as long as the scan lasts, and that could be five minutes, six hours or all week. The gods help you if you’re paying by CPU usage.

So you have to block access to the file. You could just block all access to XML-RPC, but doing that also breaks anything that legitimately uses it, such as the WP mobile app.

We’ll just block that specific IP address, but we need to be quick about it: a quick one-liner on the terminal before the OS topples over and becomes completely unresponsive, or worse.

iptables

This should work on any Linux distribution that has iptables out of the box, which is basically all of them. On distributions that have moved to nftables the iptables command is usually the iptables-nft compatibility shim, which accepts the same syntax; iptables -V tells you which one you have.

# iptables -I INPUT -s 132.232.46.230 -j DROP
  • -I: Insert the rule as the first rule to be applied in the INPUT chain. You could use -A (append) but the sooner we get rid of that traffic the less work the CPU has to do.
  • -s: Source address, in this case 132.232.46.230, which belongs to Tencent.
  • -j: jump to the DROP target. If you use the REJECT target you’re just creating more work for the CPU.

Documentation here but the Ubuntu how-to is far more useful in getting people started.

pf

pf is part of both the FreeBSD and OpenBSD base installations; on FreeBSD it has to be enabled with pf_enable="YES" in /etc/rc.conf, on OpenBSD it is on by default. But from reading the (almost useless) documentation and looking around the web, you need to fuck around with pf.conf first, and only then can you manipulate the table. This is the first result on the web when you search for “pf block ip address”. So no one-liner that can save your life.

Edit /etc/pf.conf and add

table <badhosts> persist
block on fxp0 from <badhosts> to any
  • Create a table named badhosts and make it persistent, i.e. kept in kernel memory even when no rule references it.
  • Block, on interface fxp0 (you’ll want to change this), traffic from any address in the badhosts table to any destination. Reload the ruleset afterwards (pfctl -f /etc/pf.conf) or the new rule is not active.

Once you have this you can manipulate the table from the command line with pfctl

# pfctl -t badhosts -T add 132.232.46.230
  • -t badhosts: the table pfctl will manipulate
  • -T add: the table command to run; add inserts the addresses that follow (-T show lists the table, -T delete removes from it)
  • 132.232.46.230: the address to add to the table

Fucken hell, FreeBSD documentation is the fucken worst. Drier than Melania Trump’s libido. Now, reading through the OpenBSD pf documentation it looks like you can do

# pfctl -t badhosts -T add 203.0.113.0/24

Which will create the badhosts table automatically if it doesn’t exist, without having to fuck around with /etc/pf.conf. The catch is that a table nothing references does nothing: until a block rule in pf.conf names <badhosts>, adding addresses to it blocks no traffic at all. Don’t know if this will work on FreeBSD though.

ipfw

ipfw is part of the FreeBSD base installation, so it does depend on ipfw being enabled in /etc/rc.conf (firewall_enable="YES"), but it looks like you can go

# ipfw add deny all from 132.232.46.230 to any
  • Add a rule denying any and all traffic from 132.232.46.230 to any destination. Without an explicit rule number ipfw places the rule after the existing ones, so if an earlier rule already allows the traffic the deny never fires; give it a low number (ipfw add 100 deny ...) so it is evaluated first.

At least these rules are succinct and easy to read. Whoever wrote the documentation seemed to pay more attention to usage at least.

Still, fuck FreeBSD.

Windows

Super easy now that PowerShell is built into Windows itself:

PS C:\WINDOWS\system32> New-NetFirewallRule -DisplayName "Block traffic from 132.232.46.230" -Direction Inbound -LocalPort Any -Protocol Any -Action Block -RemoteAddress 132.232.46.230
  • -DisplayName: The human-readable name of the firewall rule
  • -Direction: Can be Outbound or Inbound. We want Inbound obviously.
  • -LocalPort: Going with any ports because fuck crackers.
  • -Protocol: Same, all protocols
  • -Action: Block traffic
  • -RemoteAddress: Specifying only 132.232.46.230

The documentation for the commandlet is super nice. No, I’m not typing ‘cmdlet’.

The old way involved so, so many clicks. PowerShell makes it easy.


Now, the iptables, pf and ipfw rules above cease to have any effect after a system reboot. The Windows one is the odd one out: New-NetFirewallRule writes to the persistent policy store, so the rule survives reboots until you delete it with Remove-NetFirewallRule -DisplayName "Block traffic from 132.232.46.230". If you want the other rules to be permanent… don’t. Blackhats will just scan from different hosts and different networks, so blocking an IP address permanently is just unproductive.

A better solution is to use fail2ban.

There is also CrowdSec but I haven’t personally used them.
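Putting the four ways together, here is an added example that is not part of the original post: a POSIX shell script that reads the access log, counts POSTs to xmlrpc.php per client address and prints the one-liners from above for every address over a threshold, so you can eyeball the list before pasting anything into a root shell. It is the by-hand version of what fail2ban automates. The log lines in it are constructed to match the ones at the top of the post, the threshold of 5 is an arbitrary assumption, and the script only prints the firewall commands, it does not run them.

```shell
#!/bin/sh
# Added example, not from the original post: pull the offending IPs out of the
# access log and print the one-liners from above for review before pasting.
# Assumptions: Apache/nginx "combined" log format with the client IP in field 1
# and the request in fields 6-8; the threshold and sample lines are made up.

# Constructed sample log, same shape as the lines in the post. 132.232.46.230
# hammers xmlrpc.php, 198.51.100.7 posts twice, 203.0.113.5 is a normal visitor.
SAMPLE_LOG='132.232.46.230 - - [29/Oct/2020:13:58:41 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:44 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:48 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:52 -0500] "POST /xmlrpc.php?rsd HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:55 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:58 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
198.51.100.7 - - [29/Oct/2020:13:59:01 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "curl/7.68.0" "-"
198.51.100.7 - - [29/Oct/2020:13:59:03 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "curl/7.68.0" "-"
203.0.113.5 - - [29/Oct/2020:13:59:05 -0500] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0" "-"
203.0.113.5 - - [29/Oct/2020:13:59:09 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"'

# xmlrpc_offenders MIN  (log on stdin)
# Prints "count ip", most active first, for every client with at least MIN
# POSTs to /xmlrpc.php (query strings like ?rsd included). GETs are ignored:
# the CPU burn comes from POSTed method calls, and a GET is often a browser
# or a monitoring check.
xmlrpc_offenders() {
    awk -v min="$1" '
        $6 == "\"POST" && index($7, "/xmlrpc.php") == 1 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# block_commands IP
# The four one-liners from the post for one address. ipfw gets an explicit
# low rule number so it sits in front of any allow rule; the PowerShell line
# is only printed, it obviously cannot run from sh.
block_commands() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
    printf 'pfctl -t badhosts -T add %s\n' "$1"
    printf 'ipfw add 100 deny ip from %s to any\n' "$1"
    printf 'New-NetFirewallRule -DisplayName "Block traffic from %s" -Direction Inbound -Action Block -RemoteAddress %s\n' "$1" "$1"
}

# report_offenders MIN  (log on stdin)
# One comment line per flagged address followed by its block commands.
# Real usage: report_offenders 20 < /var/log/apache2/access.log
report_offenders() {
    xmlrpc_offenders "$1" | while read -r count ip; do
        printf '# %s: %s POSTs to xmlrpc.php\n' "$ip" "$count"
        block_commands "$ip"
    done
}

# Run over the constructed sample with a threshold of 5: this flags
# 132.232.46.230 and leaves the two-POST host alone.
printf '%s\n' "$SAMPLE_LOG" | report_offenders 5
```

Point it at the real log with a threshold that fits your traffic, and check the flagged addresses before blocking: a shared NAT or a proxy in front of the site will show up as one very busy IP that you do not want to drop.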

This post came to be cos I spent 30+ minutes trying to figure out how to block traffic on a FreeBSD host and their documentation is just… inscrutable. Should you ask for help in their forums you’ll just get told to RTFM.

You end up going in circles, consuming yourself in rage and frustration, which does not feel nice. Rage-posting is where it’s at.


A Debian Wifi Router: Kernel tuning

So it turns out that if you go with the default kernel parameters on the device you won’t get much throughput. I’m currently paying my ISP for a 25Mbit/s pipe both ways, which is bloody awesome.

I was having problems with throughput and network jitter, though. I could get a fast connection from my devices to the router, and the router had the full connection available to itself; the problem was that the router was not able to make the full bandwidth available to its clients, and the bandwidth would drop from 25Mbit/s all the way down to 5Mbit/s all the time.

This is really damn annoying when you’re putting in a good match on Unreal Tournament, let me tell you.

Thinking it could be something related to hostapd I played around with a few more settings but nothing really made a difference. I’m having problems with reception and throughput in my bedroom but that’s for another post, I guess. Suffice to say that with a direct line of sight to the router everything works about as expected.

So it wasn’t hostapd. Played around with iwconfig and iw but neither made much of a difference. That left the network interfaces themselves and the kernel.

Dug around and found plenty of links and articles on what settings to adjust and how to adjust them, but all of them are geared towards servers of some sort. There isn’t much information that a home/office IT guy would be able to use for tuning the kernel for bandwidths of less than 100Mbit/s, which is what I’m attempting to do here. The most popular post (which I basically copied into my configuration) uses settings for 1Gbit/s connections, which I then changed with the one entry that matched from the Ars Technica post.

Here’s sysctl.conf as I have it right now:

# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

###################################################################
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
# Kernel parameter adjustments
# 2016/09/12 02:59:32: http://www.nateware.com/linux-network-tuning-for-2013.html
# http://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-router-from-scratch/
#
kernel.sem = 250 256000 100 1024

# Increase system file descriptor limit
fs.file-max = 100000

# Discourage Linux from swapping idle processes to disk (default = 60)
vm.swappiness = 10

# Increase ephemeral IP ports
net.ipv4.ip_local_port_range = 10000 65000

# Increase Linux autotuning TCP buffer limits
# Set max to 16MB for 1GE and 32M (33554432) or 54M (56623104) for 10GE
# Don't set tcp_mem itself! Let the kernel scale it based on RAM.
net.core.rmem_default = 4194304
net.core.wmem_default = 4194304
net.core.rmem_max = 4194304
net.core.wmem_max = 4194304
net.core.optmem_max = 40960
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 65536 4194304

# Make room for more TIME_WAIT sockets due to more clients,
# and allow them to be reused if we run out of sockets
# Also increase the max packet backlog
net.core.netdev_max_backlog = 25000
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_max_tw_buckets = 200000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 10

# Disable TCP slow start on idle connections
net.ipv4.tcp_slow_start_after_idle = 0

# If your servers talk UDP, also up these limits
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192

# Disable source routing and redirects.
# send_redirects is ON if EITHER conf.all OR the per-interface value is 1,
# so conf.all = 0 on its own does not switch it off; conf.default is what
# new interfaces copy their value from. accept_redirects (with forwarding
# on) and accept_source_route need BOTH all and the interface to be 1, so
# all = 0 is enough for those two.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0

# Log packets with impossible addresses for security
net.ipv4.conf.all.log_martians = 1

Everything in here I’m sure can be tuned further and the file itself is so damn ugly to look at but for now at least I have a starting point I can use.
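One thing the file above does not make obvious is that the net.ipv4.conf.all.* knobs combine with the per-interface values in different ways, so setting all.send_redirects = 0 on its own does not stop the router sending ICMP redirects. The following shell script is an added example, not part of the original post: it reads the live /proc/sys/net/ipv4/conf tree (or any directory with the same layout, which is how it is tested) and reports every interface that still sends redirects, accepts source-routed packets or has reverse-path filtering off. The combining rules are the ones documented in the kernel’s Documentation/networking/ip-sysctl.rst; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: check what the kernel will
# actually do per interface after loading the sysctl.conf above. The
# net.ipv4.conf.all.* knobs do not simply override the per-interface ones;
# each has its own combining rule (from Documentation/networking/ip-sysctl.rst):
#   send_redirects      ON if all OR iface is 1   -> all=0 alone is NOT enough
#   accept_source_route ON if all AND iface is 1  -> all=0 alone is enough
#   rp_filter           max(all, iface)           -> all=1 alone is enough
# Assumption: the /proc/sys/net/ipv4/conf layout; CONFDIR is a parameter so
# the functions can be pointed at a fake tree for testing.

# read_knob CONFDIR IFACE KNOB -> value of CONFDIR/IFACE/KNOB
read_knob() { cat "$1/$2/$3"; }

# effective_send_redirects CONFDIR IFACE -> 1 or 0 (OR semantics)
effective_send_redirects() {
    if [ "$(read_knob "$1" all send_redirects)" = 1 ] ||
       [ "$(read_knob "$1" "$2" send_redirects)" = 1 ]; then echo 1; else echo 0; fi
}

# effective_accept_source_route CONFDIR IFACE -> 1 or 0 (AND semantics)
effective_accept_source_route() {
    if [ "$(read_knob "$1" all accept_source_route)" = 1 ] &&
       [ "$(read_knob "$1" "$2" accept_source_route)" = 1 ]; then echo 1; else echo 0; fi
}

# effective_rp_filter CONFDIR IFACE -> 0 (off), 1 (strict) or 2 (loose); the max wins
effective_rp_filter() {
    a=$(read_knob "$1" all rp_filter)
    i=$(read_knob "$1" "$2" rp_filter)
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# audit_ipv4_conf [CONFDIR]
# One line per real interface that still sends ICMP redirects, accepts
# source-routed packets or has reverse-path filtering off. Returns 1 if
# anything was flagged, 0 if the box is clean.
audit_ipv4_conf() {
    confdir="${1:-/proc/sys/net/ipv4/conf}"
    found=0
    for d in "$confdir"/*; do
        ifc=$(basename "$d")
        case "$ifc" in all|default|lo) continue ;; esac
        if [ "$(effective_send_redirects "$confdir" "$ifc")" = 1 ]; then
            echo "$ifc: still sends ICMP redirects; also set net.ipv4.conf.default.send_redirects=0 and net.ipv4.conf.$ifc.send_redirects=0"
            found=1
        fi
        if [ "$(effective_accept_source_route "$confdir" "$ifc")" = 1 ]; then
            echo "$ifc: accepts source-routed packets"
            found=1
        fi
        if [ "$(effective_rp_filter "$confdir" "$ifc")" = 0 ]; then
            echo "$ifc: rp_filter off, no spoof protection on this interface"
            found=1
        fi
    done
    return "$found"
}

# Audit the live kernel when run directly; silently does nothing off Linux.
[ -d /proc/sys/net/ipv4/conf ] && audit_ipv4_conf || true
```

Run it as a normal user after sysctl -p; it only reads. If it flags an interface for send_redirects, add net.ipv4.conf.default.send_redirects = 0 and, for interfaces that already existed when sysctl.conf was applied, the per-interface entry as well. Note that rp_filter stays commented out in the file above, so on a router with ip_forward = 1 this check will flag every interface until you enable it.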

All this tomfoolery is turning me into a network wonk.


Blackslab back on Linux

Title says it all. First I tried using Windows 8 on her and it kinda sorta worked… but it was just too much for the computer.

I tried Windows 7 and it worked without a hitch… before I actually installed software. Once I did, the system bogged down to the point where I would dread using it. Even youtube videos would bring the system to its knees.

Right now I’ve been using Linux Mint 14 Debian Edition without problems except the usual Pulseaudio bullshit, but that will require very smart minds to fix.


Linux desktop “progress”

Northfield/Norwood isn’t about changing anything fundamentally with Wayland/Weston, but Moreau doesn’t like the pace of development within Wayland/Weston and it being bottlenecked at times by Kristian’s workload. Moreau is also more focused on just “desktop bling” and effects than low-level graphics subsystem work. Among the desktop effects he wants to bring over from Compiz into a Wayland compositor include the desktop cube, desktop wall, scale, wobbly windows, expo, and Emerald Theme support.

[Phoronix] Wayland/Weston Fork Now Called Northfield/Norwood.

In a couple of years you’ll have to get a new computer to run any sort of Linux desktop environment, while your old computers get Windows installed on them.


Redesigning the Thinkpad for Windows 8 and ONLY Windows 8

ThinkPad loyalists will almost certainly direct their attention to the new trackpad when first laying eyes on the T431s. Or, perhaps, they’ll spot the notable (and very deliberate) omission of the physical buttons that have historically sat just beneath and above a far smaller tracking surface. According to Parrish, the overall concept was to “simplify the appearance of two pointing devices in ThinkPad notebook design and maximize touchpad area — while optimizing it for interaction with Windows 8.” A tricky approach, no doubt, given that a solid swath of ThinkPad users have no doubt grown used to mousing with the crimson-clad, centrally located nub. The end result is a five-button clickpad, as it was detailed to me, which supports 20 gestures and handles northerly clicks for those who refuse to switch from using the aforementioned pointing stick.

The inside story of Lenovo's ThinkPad redesign.

So I guess Linux support is out? Right now I’m pissed at the desktop environment mess, but once the dust has settled, I’ll probably be going back. I’d like to go back to Linux on a Thinkpad, but if Lenovo chooses to block me from that, I’ll buy a computer from some other OEM that does let me.


Ask Slashdot: Mac To Linux Return Flow? – Slashdot.

Just like me, people are switching back and forth.

  • OS X is getting a lot of iOS stuff into it that professional creators don’t want or need.
  • Windows 8 is not everyone’s cuppa tea… but it’s quite solid as long as you learn how to deal with don’t-call-it-Metro interface.
  • Linux is in a state of disarray. KDE is pure eye candy, GNOME is griefing, Xfce and Enlightenment kind of refuse to pick up the slack, MATE and Cinnamon are still bug ridden.
  • BSD is stable… if you’ve got compatible hardware and don’t mind using libraries that are often years old.

Shit’s broken and no one ain’t fixin’ it.
