dev.baeck.at

How to Switch to a german keyboard layout on a Raspberry

2014-05-26T00:00:00-07:00

Open up a shell and type

  sudo nano /etc/default/keyboard

find where it says

  XKBLAYOUT=”gb”

change it to:

  XKBLAYOUT=”de”

How to limit Amazon S3 access to one bucket only

2014-04-05T00:00:00-07:00

If you want to limit the access of a specific user/group to only one S3 bucket you should use the following IAM policy:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::bucketname",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectAclVersion"
      ],
      "Resource": "arn:aws:s3:::bucketname/*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*",
      "Condition": {}
    }
  ]
}

Interstingly enough to access a bucket, you also need the right to list all the buckets.

Embedding Youtube iframes into Jekyll

2014-01-01T00:00:00-08:00

With Xcode 5.0.1 and Mavericks the Xcode command line tool is no longer available through Xcode. You need to install it manually. You need the command line tools to compile stuff or for example to run Mac Ports.

There are many ways to install the command line tools. If you are running OS X 10.9 the command line is your friend:

xcode-select --install

You can also do it via XCode itself. Just go to Preferences > Downloads.

And finally download it manually at https://developer.apple.com/downloads/index.action.

Hosting a Jekyll Blog on Github

2013-12-30T00:00:00-08:00

For this blog and some others I use Jekyll and github to run. This has many advantages. Github cares about the hosting and scaling stuff and even the deployment is only a git push away.

Jekyll is a static blogging engine written in ruby. I do not know shit about ruby, but it simply works very well.

To run your own Jekyll blog on Github just follow the steps outlined here.

To make it run on your custom domain, just create a file called CNAME in the root directory of your repository and just put your custom domain insdie it.

Finally the above only describes hosting a blog on github pages for one account, but you can do this for as many accounts as your wish. Just create a new repository and push your jekyll data to the branach “gh-pages” like I do it here.

Install Sublime Text 3 Package Control

2013-11-19T00:00:00-08:00

Go to Preferences => Browse Packages… menu
Go up a folder into the Installed Packages/ directory
Download Control.sublime-package and copy it into the Installed Packages/ directory
Restart Sublime Text

Even easier:

Open console via ctrl+´ or the View > Show Console menu
Paste this nasty litte piece of python code into the console

import urllib.request,os; pf = 'Package Control.sublime-package'; ipp = sublime.installed_packages_path(); urllib.request.install_opener( urllib.request.build_opener( urllib.request.ProxyHandler()) ); open(os.path.join(ipp, pf), 'wb').write(urllib.request.urlopen( 'http://sublime.wbond.net/' + pf.replace(' ','%20')).read())

via sublime.wbond.net

Python use MySQL column names instead of numbers

2013-09-27T00:00:00-07:00

Instead of:

cursor = conn.cursor()
cursor.execute("SELECT name, value FROM table")
result_set = cursor.fetchall()
for row in result_set:
    print "%s, %s" % (row[0], row[1])

Just do this:

cursor = conn.cursor(MySQLdb.cursors.DictCursor)
cursor.execute("SELECT name, value FROM table")
result_set = cursor.fetchall()
for row in result_set:
    print "%s, %s" % (row["name"], row["value"])

Nice to know and saved 3 lines of code!-)

Python if else one liner

2013-08-08T00:00:00-07:00

Instead of:

def func(x):
    if x == 0:
        return "something"
    else:
        return "something else"

Just do this:

def func(x):
    return "something" if x == 0 else "something else"

Nice to know and saved 3 lines of code!-)

Getting started with Sublime Text 3

2013-07-30T00:00:00-07:00

Download it here
Install Package Control for Sublime Text 3
Gi
For python install: SublimeRope SublimeLinter AdvancedNewFile

Secure your ssh server

2013-07-24T00:00:00-07:00

While ssh is pretty secure, your should consider making it even more secure, by adding some of these steps.

Use keys instead of passwords
Disable login as root
Install denyhosts
Change your ssh port
Configure a firewall (iptables)

Caution: Whenever making changes to your sshd.config file, be certain that you have an active shell session in case you’ve made a fatal syntax error. After restarting sshd, log in from another session to test it before terminating your active terminal session.

Passwords are bad - use keys

Passwords are always a kind of obscure security mechanism. A better and certainly more secure mechanism is to use ssh keys for all users. If ypu want to know how to generate a new user with his own key, have a look at this guide.

To disable Password-based Login log in to your instance and edit the ssh daemon configuration file:

sudo nano /etc/ssh/sshd_config

Find the line

PasswordAuthentication yes

and change it to

PasswordAuthentication no

Don’t forget to restart sshd:

sudo service ssh restart

Disable Root Login

One of the biggest security holes you could open on your server is to allow directly logging in as root through ssh, because anyone can attempt to brute force your root password. It’s much better to have a separate account that you regularly use and simply sudo to root when necessary. You should make sure that you have a regular user account and that you can su or sudo to root from it.

We need to edit the sshd_config file, which is the main configuration file for the sshd service.

sudo nano /etc/ssh/sshd_config

Find this section in the file, containing the line with “PermitRootLogin” in it. Set it to “no” to disable logging in through ssh as root.

PermitRootLogin no

You could restrict the access via ssh to certain users. I highly recommend that.

AllowUsers user1, user2, user3

And finally restart your ssh service

sudo service ssh restart

Install denyhosts

DenyHosts is a security tool that monitors server access logs to prevent brute force attacks It works by banning IP addresses that exceed a certain number of failed login attempts.

DenyHosts is very easy to install:

sudo apt-get install denyhosts

After you install DenyHosts, make sure to whitelist your own IP address. Skipping this step will put you at risk of locking yourself out of your own machine.

Open up the list of allowed hosts allowed on your server:

sudo nano /etc/hosts.allow

Under the description, add in any IP addresses that cannot afford to be banned from the server; you can write each one on a separate line, using this format:

sshd: 12.34.45.678

After making any changes, be sure to restart DenyHosts so that the new settings take effect on your virtual private server:

sudo service denyhosts restart

DenyHosts is ready use as soon as the installation is over, but if you want to customize DenyHosts, you can make the changes within the DenyHost configuration file:

sudo nano /etc/denyhosts.conf

Change your ssh port

There are many discussions on the web about why changing your ssh from the default 22 to something else is a good or bad idea. Personally I think it is a good thing, because it adds a small security layer to the system. It is just like keeping your phone number out of the white pages. It won’t someone who really wants to call your doing that, but it will keep the kiddies away.

Changing your port has some upsides:

Brute Force attack on port 22 are useless (Script Kiddies)
It reduces the impact on your log files

And also some downsides:

It can be a pain to explain other users that they can’t use the default port and how to change that
Some restrictive outgoing firewalls are blocking non standard ports and only allow connections to for example 22, 25, 80, 443

I think if a port change causes you even some trouble, it is probably not worth the effort because there are far more effictive ways to protect your server.

If you do move away from 22, make sure it is below 1024. Under most Unix-a-like setups in their default config, only root users can listen on ports below 1024, but any user can listen on the higher ports. Running ssh on a higher port increases the chance of a rogue (or hacked) user managing to compromise your SSH daemon. You can find a list of known port numbers here

So how to do it? Just edit the line “Port 22” in your /etc/ssh/sshd_config file

Optional: Set up a Firewall (iptables)

You should be pretty save right now, but what about us paranoid people, who believe that the NSA is looking into everything? Oh wait, they are. Maybe it is a good idea to add another line of defense: An iptables firewall. I would not recommend this if your server is running on EC2, because amazon already has very easy to handle firewall their so called Security Groups builtin.

Check your default firewall rules by entering the following command:

sudo iptables -L

Have a look at the output. If you haven’t implemented any rules yet, you should see an empty ruleset:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

First you need to create a configuration file for your firewall:

sudo nano /etc/iptables.firewall.rules

Copy and paste the rules shown below in to the iptables.firewall.rules file you just created.

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

By default, the this will allow traffic to the following services and ports: HTTP (80), HTTPS (443), SSH (22), and ping. All other ports will be blocked.

Now let’s activate the firewall rules:

sudo iptables-restore < /etc/iptables.firewall.rules

Check your firewall rules again:

sudo iptables -L

It should return this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Finally you have to make sure that this configuration is loaded on startup. Start by creating a new script with the following command:

sudo nano /etc/network/if-pre-up.d/firewall

Copy and paste this lines in to the file you just created:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

Set the script’s permissions to executable:

sudo chmod +x /etc/network/if-pre-up.d/firewall

And you are done! Remember, you’ll need to edit the firewall rules later if you install other software or services. It can be a pain to look into configuration files of new serivices just to recognize hours later, that you just have to open a port at iptables.

Are we really done now? Even more paranoid people could have a look into SELinux.

Add an ssh user with key to an Amazon EC2 instance

2013-07-24T00:00:00-07:00

First you need to create a pair of keys on your local machine (replace “user” with your chosen username):

ssh-keygen -b 1024 -f user -t dsa

This will create 2 files: user (private key), user.pub (public key). Now copy the public key file to a temporary place on your instance:

scp -i root *.pub ec2-your-instance-name.compute.amazonaws.com:/tmp

sudo adduser user

For simplicity’s sake, use the same “user” name as you did for key generation. Now we need to place the key into their ssh authorized keys file (replacing “user” with the username you chose earlier)

sudo mkdir ~user/.ssh
sudo cat /tmp/user.pub >> ~user/.ssh/authorized_keys
sudo chmod 700 ~user/.ssh
sudo chmod 600 ~user/.ssh/authorized_keys
sudo chown user:user ~user/.ssh
sudo chown user:user ~user/.ssh/authorized_keys

Now log in:

ssh -i ~/.ssh/user -l user ec2-your-instance-name.compute.amazonaws.com

To add your new user to the sudoers list:

sudo adduser user sudo

Don’t forget, that you probably want to delete an old user:

sudo userdel -r olduser

Synchronize your ssh configuration across multiple machines with Dropbox

2013-07-23T00:00:00-07:00

Working with many different Macs and servers daily can ba a pain. But you can store your SSH configuration file in dropbox, and create a symbolic link to it so you can use the same configuration across your computers.

Also, you can use this method to sync other types of configuration files like your bash profile or your hosts file.

Create a folder in your Dropbox to store such files.

mkdir ~/Dropbox/symlinks

Move your ssh config to this folder.

sudo mv /etc/ssh_config ~/Dropbox/symlinks/ssh_config

Create a symbolic link to the new file.

sudo ln -s ~/Dropbox/symlinks/ssh_config /etc/ssh_config

Configure your favorite ssh hosts to type less

2013-07-23T00:00:00-07:00

ssh is pretty straight forward. I spend years typing long lines into the console or setting up complicated UI to manage my favorite ssh hosts. But there are some tricks, which could save you a lot of time.

At first, you need to create an ssh config file. If you are on a mac the file is located at /etc/ssh_config. All other unix-like machines should create the file in ~/.ssh/config. To check where the OS is looking for a config file you could also type

ssh -v test

It should return something like this:

OpenSSH_5.9p1, OpenSSL 0.9.8x 10 May 2012
debug1: Reading configuration data /etc/ssh_config

Make sure the file has read-write permission to only your user.

chmod 600 /etc/ssh_config

Now, configure a your favorite hosts in the ssh_config file

Host example
HostName example.com
Port 667
User username
IdentityFile ~/.ssh/id_rsa

Now, instead of writing this:

ssh -i ~/.ssh/id_rsa -p 4431 username@example.com

You can write this:

ssh example

As a small benefit this also works with scp.

scp /path/to/some/file example

Now let’s tunnel. If you are used to write this, to make a connection to a remote mySQL database

ssh -f -N -i ~/.ssh/id_rsa -L 9906:127.0.0.1:3306 username@database.example.com
# -f puts ssh in background 
# -N makes it not execute a remote command

You should consider modifying your config like this:

Host tunnel
HostName database.example.com
IdentityFile ~/.ssh/id_rsa
LocalForward 9906 127.0.0.1:3306
User username

To be able to finally establish a tunnel with this command:

ssh -f -N tunnel

Add EC2 pem key permanently to ssh

2013-07-23T00:00:00-07:00

Add your pem key to SSH so you do not have to manually specify it when connecting to EC2 instances.

With this command:

    ssh-add ~/.ssh/KEY_PAIR_NAME.pem

You can do this:

    ssh ec2-instance.amazonaws.com

instead of:

    ssh -i ~/.ssh/KEY_PAIR_NAME.pem ec2-instance.amazonaws.com

Configuring Wifi on your Raspberry Pi

2013-07-11T01:33:58-07:00

There are many ways how to configure wifi on the Raspberry Pi. Most of them are complicated and messy. I found this solution the easiest to apply. One important thing is, that this will not work with a hidden wifi. You will always have to broadcast your network’s ssid.

Connect to you Pi via ssh and type

sudo nano /etc/network/interfaces

You should see something like this

auto lo

iface lo inet loopback
iface eth0 inet dhcp

allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

Edit it this way

auto lo

iface lo inet loopback
iface eth0 inet dhcp

auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-ssid "YOUR_NETWORK_SSID_HERE"
wpa-psk "YOUR_WIFI_PASSOWRD_HERE"

Finally unplug your network cable, reboot your Pi and check ifconfig if you have an active wifi connection.

sudo reboot
ifconfig

ifconfig should return something like this. The important thing is to see an assigned IP address in the wlan0 section.

eth0      Link encap:Ethernet  HWaddr b8:27:eb:95:4d:5d
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 80:1f:02:97:4e:c2
          inet addr:10.0.1.6  Bcast:10.0.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3692 errors:0 dropped:3978 overruns:0 frame:0
          TX packets:402 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:356570 (348.2 KiB)  TX bytes:55122 (53.8 KiB)

Troubleshooting

Is your network not hidden?
It does not work without a password
Are the password and the ssid with double brackets?

AES encryption with pycrypto

2012-04-12T00:00:00-07:00

Why encrypting anything, when there are already hashes? Hashes work really well especially when they are properly salted for passwords, but if you use OAuth connections from Facebook, Twitter etc., passwords are becoming less important. Access Tokens are now the new way to access a users information, but we cannot simply hash them, because to access users Facebook information, we still need the token. So the only way o store it more secure is to encrypt it.

Encryption and decryption via pycrypto can be pretty tough. It is not as convenient as the AES_ENCRYPT function in mysql and the documentation is worse than none. But anyway it’s Open Source and it is good to have it. It takes more effort to understand the library and if you want to have true interoperability between different plattforms and languages you need to understand it anyway.

How is that encryption working? Basically you have a key and a message. The key is some kind of password you need it to encrypt and decrypt the message. But the key has to be 16, 24 or 36 letters long not more not less and also the message has to be a multiple of 16, 24 or 32. Don’t ask why, I don’t know that too and I don’t care!-) So what we need to do is to pad our key with a filling char to get to the exact length. If you haven’t chosen a key yet I would recommend to chose an exactly 32 character long key, os you don’t have to pad it. As padding character I chose the ‘{‘ because the padding will be at the end of the text and it is most unlikely that the text will end with a ‘{‘. The same thing goes for the text. The text also needs to be a multiple of 16, so we have to pad that too.

But I chose a different way for the key. I simply hash it with MD5 and get automatically a 32 character key back. Obviously you can’t do that with the text/value to encrypt.

#!/usr/bin/env python

from Crypto.Cipher import AES
from Crypto.Hash import MD5
from base64 import encodestring, decodestring #base64 encoding to enable json dumps

# the block size for the key and message must be 16, 24, or 32 for AES
BLOCK_SIZE = 32

# the character used for padding--with a block cipher such as AES, the value
# you encrypt must be a multiple of BLOCK_SIZE in length.  This character is
# used to ensure that your value is always a multiple of BLOCK_SIZE
PADDING = '{'

def pad(msg, block_size=BLOCK_SIZE, padding=PADDING):
    """
    *pad the text to be encrypted*
    - appends a padding character to the end of the String
    - until the string has block_size length

    """
    return msg + ((block_size - len(msg) % block_size) * padding)

def depad(msg, padding=PADDING):
    """depad the decryptet message"""
    return msg.rstrip(padding)

def getSecret(key):
    """hases the key to MD5"""
    return MD5.new(key).hexdigest()

def encrypt(key, msg):
    """encrypts the message"""
    secret = getSecret(key)
    cipher = AES.new(secret)
    return encodestring(cipher.encrypt(pad(msg)))

def decrypt(key, msg):
    """decrypts the message"""
    secret = doSecret(key)
    cipher = AES.new(secret)
    return depad((cipher.decrypt(decodestring(msg))))

You should not use this as a library, because there is no error handling implemented. For example what happens if the key is longer than the block_size, etc.. This script is just demo the encryption process with pycrypto.