5
Apr

Installing Mastodon on a CentOS/RHEL server

   Posted by: Dante   in General

The official Mastodon installation guides are all made for Debian-based distros, so here’s a handy production-ready install for CentOS/RHEL (based on nginx):

  1. Enable the NUX repo, so that we can install ffmpeg:
    1. sudo rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
    2. sudo rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-1.el7.nux.noarch.rpm
  2. Use yum to install these packages: ImageMagick libpqxx-devel libxml2-devel libxslt-devel nodejs ffmpeg file git curl postgresql postgresql-contrib postgresql-server redis gcc gcc-c++ bzip2 openssl-devel readline-devel
  3. sudo npm install -g yarn
  4. Create a user to run the app:
    1. sudo useradd -d /home/mastodon -m -s /bin/bash -U mastodon
  5. Configure Postgres to start at boot and start the service:
    1. sudo systemctl enable postgresql
    2. sudo postgresql-setup initdb
    3. sudo systemctl start postgresql
  6. Create a PGSQL database user:
    1. sudo su - postgres, then run psql
    2. CREATE USER mastodon CREATEDB;
    3. \q
  7. Follow the guides to install rbenv and rbenv-build for the mastodon user
  8. Once rbenv is ready, run `rbenv install 2.3.1` as the mastodon user
  9. Install mastodon (sudo as mastodon user):
    1. cd ~
      git clone https://github.com/tootsuite/mastodon.git live
      cd live
      gem install bundler
      bundle install --deployment --without development test
      yarn install
  10. Follow the rest of the guide for configuration at Mastodon’s repo, starting from the “Configuration” step
  11. Disable the user mastodon from logging in:
    1. sudo chsh -s /sbin/nologin mastodon


19
Mar

Running Convos on Apache

   Posted by: Dante   in General

Convos is a nice app that allows you to run a persistent IRC client on a machine, and make it available via http to multiple users. The official documentation focuses on nginx, but if you want to run this on Apache, the situation gets tricky.

Fear not, here’s the code snippet that you need to use for your configuration:

<Proxy *>
Require all granted
</Proxy>

ProxyRequests Off
ProxyPreserveHost On
ProxyPass / ws://127.0.0.1:$PORT$/ keepalive=On
ProxyPassReverse / http://127.0.0.1:$PORT$/
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:$PORT$/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://127.0.0.1:$PORT$/$1 [P,L]
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-HTTPS "1"
RequestHeader set Host "hostedconvos.yourdomain.com"
RequestHeader set Connection "upgrade"
RequestHeader set X-Forwarded-For "hostedconvos.yourdomain.com"

Make sure to replace $PORT$ with whatever port you’re running the Convos daemon on, and also make sure to put an SSL certificate on that Apache virtual host.


26
Apr

Securing Splunk web interface with Let’s Encrypt

   Posted by: Dante   in General

The availability of Let’s Encrypt across most modern browsers’ trusted stores is pretty awesome. Combine that with an easy to use interface for generating/renewing certificates and you’ve got a winning platform.

Today we’ll look into generating a certificate with Let’s Encrypt to secure a Splunk Enterprise installation. This howto assumes a couple things:

  1. Splunk is installed under /opt/splunk
  2. Let’s Encrypt binaries are under /opt/letsencrypt

Let’s get started! First make a backup of the current certs under /opt/splunk/etc/auth/splunkweb (privkey.pem and cert.pem). To generate the new certificate, we’ll use the standalone temporary webroot feature from Let’s Encrypt, which will listen on port 80 for incoming connections to validate the domain/host. Make sure that port is open. Run ‘letsencrypt-auto certonly’ from the Let’s Encrypt folder, then select the temporary webserver option. Your new certs should be generated under the /etc/letsencrypt/live folder.

Next up we’ll simply link the generated certs to the Splunk folders. With default folders in consideration, do this:

  • cd /opt/splunk/etc/auth/splunkweb
  • ln -s /etc/letsencrypt/live/(YOUR HOST)/privkey.pem ./privkey.pem
  • ln -s /etc/letsencrypt/live/(YOUR HOST)/fullchain.pem ./cert.pem

After that, log into the Splunk interface on port 8000 (default) and go to the Administration section, then enable SSL for the Splunk Web component. After a server restart, it should start serving SSL content over port 8000.
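
A check to run after linking, as the account Splunk runs as (added example, not from the original post): it verifies that both links resolve and are readable, that cert.pem carries the full chain rather than the leaf alone, and that the private key is not open to group or others. The function name is this example's own; the path is the post's default.

```python
import os

WEB_DIR = "/opt/splunk/etc/auth/splunkweb"  # default path used in the post

def check_splunkweb_links(web_dir=WEB_DIR):
    """Return a list of problems with privkey.pem and cert.pem under web_dir."""
    findings = []
    for name in ("privkey.pem", "cert.pem"):
        path = os.path.join(web_dir, name)
        try:
            mode = os.stat(path).st_mode          # follows the symlink
            with open(path, encoding="ascii", errors="replace") as fh:
                pem = fh.read()
        except FileNotFoundError:
            findings.append(f"{name}: missing, or a symlink whose target does not exist")
            continue
        except PermissionError:
            # Typical when the service account cannot enter the target directory.
            findings.append(f"{name}: not readable by uid {os.getuid()}")
            continue
        if not os.path.islink(path):
            findings.append(f"{name}: regular file, so renewed certificates will not be picked up")
        if name == "privkey.pem":
            if "PRIVATE KEY-----" not in pem:
                findings.append("privkey.pem: no PEM private key block")
            if mode & 0o077:
                findings.append("privkey.pem: key is accessible to group or others")
        else:
            count = pem.count("-----BEGIN CERTIFICATE-----")
            if count == 0:
                findings.append("cert.pem: no PEM certificate block")
            elif count == 1:
                findings.append("cert.pem: leaf only, intermediates missing (expected fullchain.pem)")
    return findings

if __name__ == "__main__":
    print("\n".join(check_splunkweb_links()) or "no findings")
```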

Leave a comment if you had any issues or suggestions!


16
Jul

Installing ZoneMinder on Ubuntu 14.04 Trusty Tahr

   Posted by: Dante   in General

ZoneMinder is a free open-source PVR for security cameras with plenty of features such as zone-based motion detection, support for network cameras with various protocols, etc. The install instructions on the program’s website are a bit misleading for a new install, so we’re going to do a step-by-step install walk-through here. This is based on the 1.27 release of ZoneMinder and the Server release of Ubuntu 14.04 LTS. On my first install, I used a low power machine with an Atom D525 processor, and that was nowhere near the capability needed for a single network camera, so I had to change the hardware to something beefier. Take that into consideration before starting the process. In the end, I used a small DELL desktop with an Intel C2D E6300 and it worked out great for 3 ACTi network cameras.

Let’s start with deploying Ubuntu on the machine you’ll use to record video. I did a base install with the basic Ubuntu server, OpenSSH and Samba packages, no X and no LAMP stack (this will be installed later). Configure disk as needed during the install.

After the system is operating, we’ll add the repository for ffmpeg. With Ubuntu 14.04, they’ve switched to libav and there’s no package for ffmpeg, so we’ll add it from the official PPA. Issue these commands:

user@host:~$ sudo apt-add-repository ppa:jon-severinsson/ffmpeg
user@host:~$ sudo apt-get update

Now we’ll add a whole slew of packages, required by ZoneMinder. Issue this command:

user@host:~$ sudo apt-get install apache2 mysql-server php5 php5-mysql build-essential libmysqlclient-dev libssl-dev libbz2-dev libpcre3-dev libdbi-perl libarchive-zip-perl libdate-manip-perl libdevice-serialport-perl libmime-perl libpcre3 libwww-perl libdbd-mysql-perl libsys-mmap-perl yasm automake autoconf libjpeg8-dev libjpeg8 apache2-mpm-prefork libapache2-mod-php5 php5-cli libphp-serialization-perl libgnutls-dev libjpeg8-dev libavcodec-dev libavformat-dev libswscale-dev libavutil-dev libv4l-dev libtool libnetpbm10-dev libavdevice-dev libmime-lite-perl dh-autoreconf dpatch git ffmpeg libvlccore-dev libvlc-dev libcurl4-gnutls-dev libjson-any-perl netpbm zip libnet-sftp-foreign-perl libio-pty-perl libexpect-perl libtiff5

Define a secure password for your MySQL install. After it completes, we’ll continue by retrieving the ZoneMinder source and building the package. Let’s clone the repository under /opt and build the .deb package for installation (note that the ubuntu1204 link is not misspelled):

user@host:/opt$ sudo git clone https://github.com/ZoneMinder/ZoneMinder.git zoneminder
user@host:/opt$ cd zoneminder
user@host:/opt/zoneminder$ sudo ln -s distros/ubuntu1204 debian
user@host:/opt/zoneminder$ sudo dpkg-checkbuilddeps
(the above command should return no results)
user@host:/opt/zoneminder$ sudo dpkg-buildpackage

This should result in a few packages being available under /opt. We’ll install the .deb package using:

user@host:/opt$ sudo dpkg -i ./zoneminder_1.27.1-1_amd64.deb

After installing the package, if it complains about dependencies, do ‘sudo apt-get -f install’ followed by ‘sudo dpkg-reconfigure zoneminder’ to correct the situation. At the time of writing, this came out clean. Now we’re going to make the web interface available via Apache:

user@host:/opt$ sudo cp /etc/zm/apache.conf /etc/apache2/sites-available/zm.conf
user@host:/opt$ sudo a2ensite zm
user@host:/opt$ sudo a2enmod cgi
user@host:/opt$ sudo service apache2 restart

This should make the web interface available through http://host/zm. Beware that this is a standard install with all defaults, so it’d be recommended to follow standard procedures to tighten down Apache’s config as well as MySQL and the system itself.

From here, standard ZoneMinder configuration applies, so just add your cameras as desired. There’s a good starter tutorial for motion detection here.


Today, we at Your Nearest Bar are proud to announce our first software release, called JetScanner. It is a little utility coded in Python (tested only on 2.7) that allows scanning pages from an HP JetDirect device that has an AiO or MFP device attached to it. Currently it is only tested with the HP JetDirect 175x, or J6035B. If you’d like us to add support for other JetDirect devices, please shoot an email to somedude at yournearestbar dot com.

The code is licensed under the GPLv2 and it’s available for download at http://code.google.com/p/jetscanner/. The program has descriptive help built-in with the switch -h or --help. Current plans include changing the PDF postprocessing and adding e-mailing capabilities, so check back in the future for an updated version.


24
Oct

Monitoring dd with a progress bar

   Posted by: Dante   in General

When using the linux utility dd, there is no visual output of the progress, how long it is going to take, or anything else. Easy to solve with the use of pv:

% pv /dev/sda | dd of=/dev/sdb bs=100M

That’ll display the amount of data transferred, the elapsed time, the throughput speed, a nice progress bar, and the ETA. For devices that do not have a fixed size, let’s say, /dev/zero, there’ll be only a throughput display.


15
Oct

Printing across different subnets

   Posted by: Dante   in General

When printing across different subnets, or configuring a personal firewall, certain ports need to be opened. For RAW and LPD/LPR printing, use the following:

  • TCP 9100
  • TCP 515

If printing from Microsoft Windows, the operating system will need SNMP access open as well, otherwise the printer detection procedure won’t work. Open the following port:

  • UDP 161

Make sure that the SNMP access is read-only, or that it has a strong password if read-write is really needed.


22
Apr

Enabling SSH access on a Cisco router

   Posted by: Dante   in General

Let’s go through a quick and easy way to enable SSHv2 access on a Cisco router. Should be similar on a switch.

  • Make sure the IOS has the crypto modules, usually identified by a “k9” or “k5” in the IOS file name. Check with show version
  • Configure a hostname with the command hostname and a domain name with the command ip domain-name
  • Generate a new keypair with crypto key generate rsa and use 2048 bits
  • Create a new username for SSH access: username sshuser password 0 mysshpassword. Replace sshuser and mysshpassword accordingly.
  • Configure SSH parameters:
    • ip ssh timeout 60
    • ip ssh authentication-retries 3
    • ip ssh rsa keypair-name NAME (replace NAME with the keypair name obtained from show crypto key mypubkey rsa)
  • Prevent non-SSH sessions with line vty 0 4 and transport input ssh
  • Additionally, prevent SSH access from outside a certain subnet:
    • access-list 15 permit 192.168.0.0 0.0.0.255
    • line vty 0 4
    • access-class 15 in

Now SSHv2 should be enabled and accessible. All commands should be entered in global configuration mode, except for the show commands.


4
Mar

Fixing Windows Media Center TV Setup

   Posted by: Dante   in General

Given certain circumstances, Windows Media Center will get stuck at “Downloading TV Setup Data” and do nothing else. This generally occurs after some sort of hardware change, as it happened to me on a motherboard change and on a hard drive change. YMMV.

For the sake of clarity, this entire post refers to Windows 7, but it could apply to Vista as well, given that the paths are relatively the same.

Anyway, there are a few posts around the Web that tell you to run a command line for mcupdate.exe with some switches. That’s like getting a tire patch, it’ll work for now but won’t last. Here’s the new tire solution:

1) Go to the Control Panel, Programs and Features, and click “Turn Windows Features on/off”. Uninstall Windows Media Center.

2) Reboot.

3) Empty out the folder C:\ProgramData\Microsoft\eHome\

4) Go to the features and enable Windows Media Center again.

5) Run Windows Media Center and do the TV setup.

This solution is the only one that worked across reboots and allowed me to go and reset the TV signal without hassle. Please leave a comment if something else worked for you.


Today I’ve decided to give OpenSolaris a spin, and to my surprise, it doesn’t have the SmartArray drivers available by default. Took some considerable amount of research to come up with a procedure to do the install. Here are the steps:

  1. Download the SmartArray drivers for Solaris on the HP website (at the time of writing, I installed OpenSolaris 2009.06 and used drivers for Solaris 10)
  2. Uncompress the package with gunzip.
  3. Inside the newly uncompressed folder, there will be a file called CPQary3.pkg. First run pfexec touch /ADD_DRV_IGNORE_ROOT_BASEDIR then run pfexec pkgadd -d ./CPQary3.pkg in the folder with the uncompressed files. There will be some errors installing the man page, but those should be ignored. The driver will be successfully installed.
  4. Run the Device Driver Utility. Right click the Smart Array controller, go to Show Details. Make note of the node name of the controller, which was pcie11,409a in my case.
  5. Run pfexec add_drv -c scsi -i '"pcie11,409a"' cpqary3, substituting the correct node name for your case. It shouldn’t give any errors. Please note that the node name is wrapped in a single quote followed by a double quote.
  6. Run the OpenSolaris Installer, and it should detect your arrays.

Overall it’s an easy process, and it amazes me that the default image does not include this driver. Good luck with the install. Questions are welcome in the comment area.
