Category Archives: System Administration

Linux system administration.

Synaptics touchpad under Xorg lives again

I have a Dell Inspiron 1501 laptop running Arch Linux, and recently, after an update, the Synaptics touchpad stopped working.

The touchpad shows up in dmesg as:

Synaptics Touchpad, model: 1, fw: 6.3, id: 0x180b1, caps: 0xa04713/0x200000
input: SynPS/2 Synaptics TouchPad as /class/input/input7

I was using a USB mouse until I found time to get the touchpad working again. Here’s what I had to do…

Continue reading Synaptics touchpad under Xorg lives again

Pastebin Firefox extension

My friend James Ronan has just released a Pastebin Firefox extension, making it even easier to paste code etc to pastebin.com.

As the code by Paul Dixon which powers pastebin.com is Open Source and can be installed on your own server, the extension allows you to provide the URL of your own private pastebin install if you have one – this is ideal for me, as we have a private pastebin setup at work which is often used.

Using the extension is as simple as right clicking and choosing “pastebin my clipboard”, which submits the contents of your clipboard (or highlight buffer) to pastebin, and copies the resulting URL to the clipboard, ready for you to paste on IRC / IM / whatever.

Preventing SSH brute-force attacks with iptables

I wanted to do this tonight and couldn’t remember the exact iptables incantation, and I know I’ll want it again, so sharing it here for me and for anyone else it may be useful to.

If you need SSH to be world-accessible, but don’t want to be plagued by SSH brute-force login attempts, the following ought to do the trick:


iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 3/minute -j ACCEPT

That will allow inbound SSH connections, but only 3 new connections per minute (averaged) – this should be more than a user would normally need, but isn’t sufficient for a brute-force login attack. If someone tries a brute-force attack against you, after a few connections their further connection attempts will be ignored.

This is assuming that your default INPUT policy is to drop or reject packets, as it should be. For it to work, it also assumes that you have a rule to allow inbound connections which are part of an established connection – something like:


iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Of course, if you’re going to open SSH to the world, even with the above protection, you’ll still want to ensure passwords are secure (or disable password-based authentication totally, using SSH keys instead), and I’d recommend disabling root logins via SSH (the PermitRootLogin setting in /etc/ssh/sshd_config).
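To see what the rate limit above actually does to traffic, here is an added example (not part of the original post) that models netfilter’s limit match as the token bucket it is documented to be: the bucket starts with --limit-burst tokens (iptables defaults to 5), each matching packet spends one, and tokens refill at --limit (3/minute here). The scenario, the IP addresses and the names LimitMatch, simulate and brute_force_scenario are all constructed for the example.

```python
# Added example (not from the original post): a model of how the netfilter
# "limit" match behaves, so you can see what the rule above does to a
# brute-forcer AND to a legitimate user arriving at the same time.
# netfilter's limit match is a token bucket: it starts with --limit-burst
# tokens (default 5), a matching packet spends one token, and tokens refill
# at --limit (here 3/minute). Times below are in seconds; Fractions keep the
# arithmetic exact so the simulation is deterministic.
from fractions import Fraction


class LimitMatch:
    """Token-bucket model of `-m limit --limit R/minute --limit-burst B`."""

    def __init__(self, rate_per_minute=3, burst=5):
        self.burst = burst
        self.refill_per_second = Fraction(rate_per_minute, 60)
        self.tokens = Fraction(burst)      # bucket starts full
        self.last_seen = Fraction(0)

    def matches(self, now):
        """Return True if a packet arriving at `now` matches (would be ACCEPTed)."""
        now = Fraction(now)
        elapsed = now - self.last_seen
        self.last_seen = now
        self.tokens = min(Fraction(self.burst),
                          self.tokens + elapsed * self.refill_per_second)
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(events, rate_per_minute=3, burst=5):
    """Feed (time_seconds, source) NEW-connection events through the rule and
    return a dict: source -> {"accepted": n, "dropped": n}.

    Anything the limit match does not accept falls through to the default
    policy, which the post assumes is DROP/REJECT."""
    bucket = LimitMatch(rate_per_minute, burst)
    report = {}
    for when, source in sorted(events, key=lambda e: Fraction(e[0])):
        counts = report.setdefault(source, {"accepted": 0, "dropped": 0})
        counts["accepted" if bucket.matches(when) else "dropped"] += 1
    return report


def brute_force_scenario():
    """Constructed scenario: one host opens a new SSH connection every second
    for a minute while a legitimate admin tries twice in the same window."""
    attacker = [(t, "attacker 198.51.100.7") for t in range(60)]
    admin = [(30.5, "admin 192.0.2.10"), (45.5, "admin 192.0.2.10")]
    return simulate(attacker + admin)


if __name__ == "__main__":
    for source, counts in brute_force_scenario().items():
        print(f"{source}: {counts['accepted']} accepted, {counts['dropped']} dropped")
```

Running it shows the attacker getting only the initial burst of 5 plus one connection every 20 seconds, which is the protection the post describes. It also shows the cost: the limit match counts all new SSH connections together, not per source, so the admin’s two attempts during the attack are dropped along with the attacker’s. If that matters for your setup, per-source limiting (for example with the iptables recent match) keeps one noisy host from exhausting the allowance for everyone.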

VPS.net beta testers wanted for new VPS products

VPS.net (a brand of the UK2 group) is looking for VPS beta testers to receive a free VPS for testing.

There are only 50 places available so, if you want to take part in the beta, go sign up now! We’re looking for users with some experience of VPS/servers, who can provide useful feedback on their experiences with the service.

See also the description of what a VPS cloud is, and how the design provides scalability and reliability for VPS users.

Spam blacklisting is massively useful

I use SpamAssassin to filter spam out of my incoming mail, and it does its job admirably. I didn’t bother using DNS blacklists, since I didn’t really want to hand over control of what mail I accept to a third party, and was worried about false positives. However, with an average of about 3,000 spam mails per day getting shoved down to my home server for it to run spamassassin on, it was quite a waste of resources.

Recently I configured Postfix on my public-facing server to check against a couple of DNS blacklists – the most effective of which seems to be zen.spamhaus.org.
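For reference, this is the shape of a Postfix setting that does what the post describes. It is an added example, not the author’s actual configuration: the surrounding restrictions and the fact that it lives in main.cf are assumptions.

```conf
# Added example, not the post's own config. Order matters: trusted networks
# and the relay check come first, then the DNSBL lookup rejects listed
# clients at SMTP time, before the message is accepted for SpamAssassin.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org
```

Because the rejection happens during the SMTP conversation, a listed client gets a permanent error and the message never reaches the home server at all, which is what the counts below reflect. The trade-off is the one the post mentions: a false positive is refused outright rather than filed as spam, so the choice of list matters.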

Here’s the number of spam mails which reached my home server each day:


[davidp@supernova:spam]$ grep -c '^From ' spam-2008-11-{27,28,29,30} spam-2008-12-*
spam-2008-11-27:3048
spam-2008-11-28:2759
spam-2008-11-29:3439
spam-2008-11-30:2853
spam-2008-12-01:3113
spam-2008-12-02:1231
spam-2008-12-03:155
spam-2008-12-04:193
spam-2008-12-05:78
spam-2008-12-06:92
spam-2008-12-07:61

See if you can guess which day the blacklisting was put in place :)

Debian Xen guests without /dev/pts – no SSH

I’ve been playing with Xen on a Debian host machine. I created a couple of guest machines using xen-create-image (set to use debootstrap to automatically install + configure a basic Debian install on the guest), and was unable to SSH to the guests – I got:


[davidp@masterplan ~]$ ssh 10.1.1.20 -l root
root@10.1.1.20's password:
PTY allocation request failed on channel 0
stdin: is not a tty

I struggled with this for a while, for some reason accessing the guest’s console with xm console didn’t seem to work either.

However, I eventually managed to get console access to one of them using xm console domain, and found that /dev/pts wasn’t mounted – it wasn’t listed in the fstab file that had been created.

I added the following to /etc/fstab :


none /dev/pts devpts defaults 0 0

Now I can SSH to the guests. :)

Labelling FAT/FAT32 partitions in Linux

Mostly a post for my future reference, as it took some Googling to find this, but it might be useful to others.

I wanted to view/change the “drive label” for a FAT partition. This is done with the mlabel tool from the mtools package, but it has a strange insistence on setting up “drive letter” mappings, in /etc/mtools.conf or ~/.mtoolsrc, so that you can use it as, for example:


mlabel e:

Um, no thanks. I don’t want to map a Windows-like notion of drive letters to a partition which may appear at a different device each time (it’s a USB device; the point of having the label is to not have to know or care what device node it’s been assigned this time – if USB devices are connected in a different order, it might not be /dev/sdf next time).

The option needed is -i, which doesn’t appear to be documented in the mlabel manpage; it is used together with the fake drive letter ::, for example:


# setting:
[dave@ruthenium ~]$ sudo mlabel -i /dev/sdf1 ::DAVEBLACKBERRY
# viewing:
[dave@ruthenium ~]$ sudo mlabel -s -i /dev/sdf1 ::
Volume label is DAVEBLACKBERRY

With that done, I can then add an entry to /etc/fstab which identifies the device by its label:


[dave@ruthenium ~]$ grep BLACKBERRY /etc/fstab
/dev/disk/by-label/DAVEBLACKBERRY /mnt/blackberry vfat defaults,uid=dave,gid=users 0 0

I should have been able to use LABEL=DAVEBLACKBERRY rather than the long /dev/disk/by-label/... notation, but LABEL= didn’t work, and I didn’t have time to figure out why :)

X failures with ATI driver & Xinerama after upgrade

Arse – I updated my Arch Linux install last night, and X will no longer start using my previous config. I can start X using the vesa driver, so X itself isn’t broken, but when I try to start up with my multiple monitor setup (3 screens on 3 separate ATI Radeon 7000 PCI cards) I get a crash, with the following backtrace:


Backtrace:
0: X(xf86SigHandler+0x7e) [0x80d9d5e]
1: [0xb7ef4420]
2: X(xf86RandR12SetRotations+0x6b) [0x80f58ab]
3: X(xf86CrtcScreenInit+0x9e) [0x80f173e]
4: /usr/lib/xorg/modules/drivers//radeon_drv.so(RADEONScreenInit+0x17fa) [0xb7adfcaa]
5: X(AddScreen+0x1fc) [0x80733dc]
6: X(InitOutput+0x21e) [0x80a769e]
7: X(main+0x296) [0x8073b66]
8: /lib/libc.so.6(__libc_start_main+0xe0) [0xb7cb9390]
9: X(FontFileCompleteXLFD+0x201) [0x80730d1]

How annoying.

I think the issue is down to changes in the X server for Xinerama (used to spread your display across multiple screens) to use RandR, which doesn’t seem to play well.

I’ll post updates here as/when I find a fix.

Using rankmirrors script for faster Arch Linux package downloads

If you use Arch Linux I’d strongly suggest using the snippet below, which runs rankmirrors over each of your pacman repository mirror lists so that the fastest servers are tried first.


cd /etc/pacman.d || exit 1
for repo in *; do
    # skip the backups left behind by a previous run
    case "$repo" in *.b4.rankmirrors) continue ;; esac
    echo "Processing $repo..."
    mv "$repo" "$repo.b4.rankmirrors"
    rankmirrors -v "$repo.b4.rankmirrors" > "$repo"
done

I was getting an average of about 300-400K/sec; after doing this, I was reaching 10M/sec!