Tuesday, June 07, 2016

Bootable USB device for Mageia 5

If you Google "create a bootable USB drive in Linux", most of the results you get will tell you to use Rufus for Windows or unetbootin for Linux.

The problem is that Mageia no longer provides unetbootin and instead provides their own tool, IsoDumper. Still in development, IsoDumper can only save as a disk image of the existing files, write an image file to the USB device, or format the USB device with a FAT, NTFS or EXT filesystem. It would be nice if Mageia provided a bootable DOS image for you so that you could easily do BIOS and firmware updates since Linux has yet to produce a usable tool for that.

It's always good to know how to do that from the command line if the GUI tools are not available, so that's what we will do.


You can get a USB image containing FreeDOS from this site. There are three different images depending on the size of your USB stick. Mine is 2GB, so I could choose either of the first two. I chose the second image.

Once downloaded, you need to uncompress the file like this:

$ bunzip2 FreeDOS-1.1-memstick-2-256M.img.bz2

Now it's simply a matter of using dd to copy the image file to the USB device. On my system, the USB device was detected as /dev/sdj and /dev/sdj1 was auto-mounted at /run/media//. It's OK to let it do that; there is no need to unmount it. Just note what your system names the device. Note that we use dd to write to the device, not to the filesystem that may be on it.

$ sudo dd if=FreeDOS-1.1-memstick-2-256M.img of=/dev/sdj bs=512

For good measure, invoke the sync command and unmount the device.

$ sync && sudo umount /dev/sdj1

Reinsert the USB device, allow the system to auto-mount it, and transfer whatever BIOS/firmware and installation program you need. Use the USB device to boot your computer which will leave you at a command prompt to invoke whatever installation program you have.


REFERENCES

Rufus Download

unetbootin homepage

IsoDumper Homepage

dd manpage

FreeDOS for USB/PXE Homepage



Monday, May 30, 2016

Kill the Upgrade to Windows 10

There are many people who, for whatever reason, don't want to upgrade to Windows 10. Microsoft admits this and outlines the way to do this on their support page.

This is what you need to do:

Create a blank .reg file and put this in it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Gwx]
"DisableGwx"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableOSUpgrade"=dword:00000001



Then run it by double-clicking on it. Alternatively, you may manually add those keys to the registry yourself using regedit.

Or you can download this file which is the file you were told to create above. Please examine the downloaded file in a text editor to see that it matches the instructions above.

Wednesday, May 18, 2016

Adding a Spellchecker to Leafpad


Leafpad is the text editor for the LXDE desktop environment. It does well for editing basic text files, but it lacks a spellchecker.

This is a hack to use the default-installed Hunspell to spell-check your text file.

To accomplish this, you need to save the text file, open it in Hunspell, close Hunspell and re-open the document in Leafpad.

This is accomplished by a script added to your .bashrc. I found this script in a recent Knoppix thread.

Add this to .bashrc:

lpad() {
    # Uses leafpad to edit $1; on closing leafpad, hunspell checks spelling;
    # on closing hunspell, leafpad shows the corrected copy.
    leafpad "$1"; hunspell "$1"; leafpad "$1" &
}

NOTE: You can also use this with ispell, but you'll need to invoke "ispell -c".

NOTE: I found the command line at the bottom of Hunspell to be misleading. For example, it says that pressing "I" is "Insert". It actually means "Accept the word, capitalized as it is in the file, and update private dictionary." As well, "U" is "Uncap". It actually means "Accept the word, and add an uncapitalized (actually, all lower-case) version to the private dictionary." "X" causes you to exit the file with no changes and "Q" causes you to exit, discarding any changes you have already made.

NOTE: Hunspell keeps its dictionaries in /usr/share/hunspell and by default two additional dictionaries are installed. I have found that these other dictionaries, en_CA and en_GB, often confuse Firefox and that is solved easily by deleting all but the en_US files.



Sunday, May 15, 2016

Using a Blocklist File With Iptables

I read an interesting piece about securing servers written by Greg Bledsoe in Linux Journal. I thought I would try it out, and it turns out that it needed a few massages to make it run on my Mageia 5 system.

There are two parts to his approach. The first is a short script that runs as rc.local. That file does not exist in Mageia, but it will be run properly if you create it as /etc/rc.d/rc.local.

#!/bin/sh
# /etc/rc.d/rc.local
# REF: http://www.linuxjournal.com/content/server-hardening?page=0,2
# Create the ipset hash, then the iptables rule that drops traffic from it
/usr/sbin/ipset create blocklist hash:net
/usr/sbin/iptables -I INPUT 1 -m set --match-set blocklist src -j DROP

This file should be owned by root with 700 permissions.

Once you create it, you should execute it manually because that needs to be done before you run the script to collect the blocklists.

I put the blocklist collection script in /usr/local/bin. You will need to create the directory /usr/local/bin/tmp because the script wants to keep its temporary files there.


#!/bin/bash
# /usr/local/bin/getblocklist
# REF: http://www.linuxjournal.com/content/server-hardening?page=0,2

PATH=$PATH:/sbin
# Work from the directory that holds this script, so it behaves the same from cron
WD=$(cd "$(dirname "$0")" && pwd)
TMP_DIR=$WD/tmp
IP_TMP=$TMP_DIR/ip.temp
IP_BLOCKLIST=$WD/ip-blocklist.conf
IP_BLOCKLIST_TMP=$TMP_DIR/ip-blocklist.temp
list="chinese nigerian russian lacnic exploited-servers"
BLOCKLISTS=(
"http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
"http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" # TOR Exit Nodes
"http://www.maxmind.com/en/anonymous_proxies" # MaxMind GeoIP Anonymous Proxies
"http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
"http://rules.emergingthreats.net/blockrules/rbn-ips.txt" # Emerging Threats - Russian Business Networks List
"http://www.spamhaus.org/drop/drop.lasso" # Spamhaus Dont Route Or Peer List (DROP)
"http://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
"http://www.openbl.org/lists/base.txt"  # OpenBLOCK.org 30 day List
"http://www.autoshun.org/files/shunlist.csv" # Autoshun Shun List
"http://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
)

# Stop if the temporary directory is missing; the cleanup at the end deletes its contents
cd "$TMP_DIR" || exit 1
# This gets the various lists
for i in "${BLOCKLISTS[@]}"
do
    curl "$i" > "$IP_TMP"
    # Keep only things that look like IPv4 addresses or CIDR blocks
    grep -Po '(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' "$IP_TMP" >> "$IP_BLOCKLIST_TMP"
done
for i in $list; do
    # This section gets wizcrafts lists
    wget --quiet "http://www.wizcrafts.net/$i-iptables-blocklist.html"
    # Grep out all but ip blocks
    grep -v '<' "$i-iptables-blocklist.html" | grep -v ':' | grep -v ';' | grep -v '#' | grep '[0-9]' > "$i.txt"
    # Consolidate blocks into master list
    cat "$i.txt" >> "$IP_BLOCKLIST_TMP"
done

# Sort, drop duplicates and report how many entries were collected
sort -n "$IP_BLOCKLIST_TMP" | uniq > "$IP_BLOCKLIST"
rm "$IP_BLOCKLIST_TMP"
wc -l "$IP_BLOCKLIST"

# Empty the live set and reload it from the new list
ipset flush blocklist
grep -Ev "^#|^$" "$IP_BLOCKLIST" | while IFS= read -r ip
do
        ipset add blocklist "$ip"
done

# cleanup
rm -fR "$TMP_DIR"/*

exit 0

This file should be owned by root with 700 permissions.

Check your script: if your copy still contains the " ↪" symbols, remove them, re-connecting the comments to the line above them.

Now manually execute the script. It should run and exit, creating the ip-blocklist.conf file that the first script above will execute.

The final step is to add the second script to your crontab to run once a day.

All Done. Remember to read the entire article.
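The collection script loads anything that matches its IP regex, fetched over plain HTTP, straight into a DROP rule, and it flushes the live set before refilling it. The following is an added example, not code from this post or from the Linux Journal article: it filters the merged list (valid octets only, nothing broader than an assumed MIN_PREFIX, nothing that covers an assumed ALLOWLIST host) and emits `ipset restore` input that fills a scratch set named blocklist-new and swaps it in. All function names and addresses are constructed for the illustration.

```shell
#!/bin/sh
# Added example; not from the original post. MIN_PREFIX and ALLOWLIST are
# assumed values; every address here is constructed (RFC 5737 test ranges).
MIN_PREFIX=8                          # refuse entries broader than a /8
ALLOWLIST="192.0.2.10 198.51.100.77"  # hosts that must never be blocked

# ip2int A.B.C.D: print the address as an integer; fail if it is malformed.
ip2int() (
    set -f; IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|????*|0?*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    echo "$(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))"
)

# safe_entry ADDR[/LEN]: well formed, >= MIN_PREFIX, covers no allowlisted host.
safe_entry() (
    case $1 in */*) len=${1#*/} ;; *) len=32 ;; esac
    case $len in ''|*[!0-9]*|???*|0?*) exit 1 ;; esac
    [ "$len" -ge "$MIN_PREFIX" ] && [ "$len" -le 32 ] || exit 1
    net=$(ip2int "${1%%/*}") || exit 1
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    for host in $ALLOWLIST; do
        h=$(ip2int "$host") || exit 1
        [ "$(( net & mask ))" -ne "$(( h & mask ))" ] || exit 1
    done
)

# filter_blocklist: candidate entries on stdin, unique safe entries on stdout.
filter_blocklist() {
    while IFS= read -r e; do
        if safe_entry "$e"; then printf '%s\n' "$e"; fi
    done | sort -u
}

# restore_script SET: safe entries on stdin, `ipset restore` input on stdout.
# It fills a scratch set and swaps it in, so the live set is never empty.
restore_script() {
    printf 'create %s-new hash:net\nflush %s-new\n' "$1" "$1"
    while IFS= read -r e; do printf 'add %s-new %s\n' "$1" "$e"; done
    printf 'swap %s-new %s\ndestroy %s-new\n' "$1" "$1" "$1"
}
sample_feed() {  # constructed stand-in for the merged download
    printf '%s\n' 203.0.113.7 198.51.100.128/25 999.1.1.1 0.0.0.0/0 \
        192.0.2.0/24 203.0.113.7 10.0.0.0/4 1.2.3
}
sample_feed | filter_blocklist | restore_script blocklist
```

In real use the input would be ip-blocklist.conf instead of sample_feed, and the output would be piped to `ipset restore` as root.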

Friday, May 06, 2016

ImageMagick Interim Fix

A vulnerability resides in ImageMagick, a widely used image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users. According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker's choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security.

Update your /etc/ImageMagick/policy.xml file so that it contains the code taken from http://imagetragick.com and restart the corresponding daemons.

You're safe now. The full fix is still being worked out.

And if you have the old version of ImageMagick (because you are on CentOS 5, for example) which doesn't support policy.xml, you can edit delegates.xml, by removing all delegates just to be safe. The file will be somewhere around: /usr/lib64/ImageMagick-6.2.8/config/
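To confirm that the policy.xml edit actually took effect, the following added example (not from this post or from imagetragick.com) reports which of the coders the ImageTragick advisory said to disable still lack a live rights="none" entry. The function names and the sample policy are constructed; stock policy.xml files carry example policies inside XML comments, so comments are stripped before matching.

```shell
#!/bin/sh
# Added example; not from the original post. CODERS is the set the ImageTragick
# advisory said to disable; the sample policy further down is constructed.
CODERS="EPHEMERAL URL HTTPS MVG MSL"

# strip_comments FILE: print the XML as one line with <!-- ... --> removed,
# so that a policy line sitting inside a comment is not mistaken for a live one.
strip_comments() {
    awk '{ buf = buf $0 " " }
         END { while ((i = index(buf, "<!--")) > 0) {
                   rest = substr(buf, i + 4); j = index(rest, "-->")
                   buf = substr(buf, 1, i - 1) (j ? substr(rest, j + 3) : "")
               }
               print buf }' "$1"
}

# missing_coders FILE: print each coder lacking a live rights="none" policy.
# Only literal pattern="NAME" entries count; glob patterns are reported as
# missing, so the check errs towards a false alarm.
missing_coders() {
    elems=$(strip_comments "$1" | tr "'" '"' | tr '>' '\n' | sed -n '/<policy /p')
    for c in $CODERS; do
        printf '%s\n' "$elems" | grep 'domain="coder"' | grep 'rights="none"' \
            | grep -q "pattern=\"$c\"" || echo "$c"
    done
}

sample_policy() {  # constructed file: MVG is denied only inside a comment
    cat <<'EOF'
<policymap>
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy rights="none" domain="coder" pattern="HTTPS" />
  <policy domain="coder" rights="read" pattern="MVG" />
  <policy domain='coder' rights='none'
          pattern='MSL' />
</policymap>
EOF
}
sample_policy | missing_coders -   # prints MVG
```

Run it against the real file with `missing_coders /etc/ImageMagick/policy.xml`; empty output means all five coders are denied.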

RESOURCES
https://en.wikipedia.org/wiki/ImageMagick

https://it.slashdot.org/story/16/05/06/1516254/huge-number-of-sites-imperiled-by-critical-image-processing-vulnerability

http://fmwconcepts.com/imagemagick/

In a terminal type
$ display
and the ImageMagick native GUI appears.
If you want to create an application launcher with the logo then the icon is in the folder
/usr/share/doc/imagemagick/www/Magick++/ImageMagick.png

Tuesday, May 03, 2016

Installing Unreal Tournament 2003 on a 64-bit Modern System

In 2003, I was elated that Unreal Tournament 2003 came with a Linux installer (on Disc 3). All I had to do was run the installer and play the game.

Nowadays, it's not so easy. Linux is not like it was in 2003. Not only has it improved, but it includes tools to allow backwards compatibility.

We'll be installing as root to make the game available to all system users.

First, we need to set a usable POSIX value.

# export _POSIX2_VERSION=199209

Then set a usable libc version.

# export SETUP_LIBC=glibc-2.1

Then tell the installer that we are running on a 32-bit system.

# linux32 ./linux_installer.sh

Modify the ut2003 startup script in /usr/local/games/ut2003 with the above information.

Then just use the graphical installation tool, provide your CD key and play the game.



Sunday, April 10, 2016

Creating a chroot Environment for Mageia

Mageia documents how to set up a chroot environment in their Wiki. We'll set up both a 32-bit and a 64-bit environment for both the current release as well as the development branch, Cauldron, and eventually use them with schroot, a tool that makes managing chrooted environments much, much easier.

The steps to create a chroot using urpmi are summarized as follows:

Create a Mount Point
To create the mountpoint for the chroot environment for either or both 32- and 64-bit environments as well as Cauldron:
# mkdir -p /mnt/chroot/mageia32
# mkdir -p /mnt/chroot/mageia64
# mkdir -p /mnt/chroot/cauldron32
# mkdir -p /mnt/chroot/cauldron64

Mageia can use either package set with your native urpmi application to install packages in the chrooted environment.

32-bit chroot
For the 32-bit environment:
Add the repositories.
$ sudo urpmi.addmedia --distrib --urpmi-root /mnt/chroot/mageia32  --mirrorlist 'http://mirrors.mageia.org/api/mageia.5.i586.list' 

$ sudo urpmi.addmedia --distrib --urpmi-root /mnt/chroot/cauldron32  --mirrorlist 'http://mirrors.mageia.org/api/mageia.cauldron.i586.list' 

Install the base system:
$ sudo urpmi --urpmi-root /mnt/chroot/mageia32 basesystem urpmi locales-en mc wget openssh-server

$ sudo urpmi --urpmi-root /mnt/chroot/cauldron32 basesystem urpmi locales-en mc wget openssh-server

64-bit chroot
For a 64-bit environment:
Add the repositories.
$ sudo urpmi.addmedia --distrib --urpmi-root /mnt/chroot/mageia64  --mirrorlist 'http://mirrors.mageia.org/api/mageia.5.x86_64.list'

$ sudo urpmi.addmedia --distrib --urpmi-root /mnt/chroot/cauldron64  --mirrorlist 'http://mirrors.mageia.org/api/mageia.cauldron.x86_64.list'

Install the base system:
$ sudo urpmi --urpmi-root /mnt/chroot/mageia64 basesystem urpmi locales-en mc wget openssh-server 

$ sudo urpmi --urpmi-root /mnt/chroot/cauldron64 basesystem urpmi locales-en mc wget openssh-server 

Make the Environments Usable
These next few steps are not needed if you will be using schroot. If you are not using schroot, you need to make these environments usable. Provide DNS information so that networking works by copying /etc/resolv.conf to the appropriate location in the chroot.

You also need to have a working /proc filesystem in each chroot (mageia32, mageia64, cauldron32 or cauldron64), for example:
# mount -o bind /proc /mnt/chroot/mageia32/proc

You would also use this technique to access your host filesystem from within the chrooted environment by mounting it inside the chroot.

Using the chroot Environment
The Mageia wiki for chroot offers straightforward instructions as to how to ssh into your chroot environment and won't be repeated here. It also offers advice on launching X clients from the chrooted environment.

schroot
At this point, it is worth exploring the advantages that schroot offers for managing and manipulating your chrooted environments. To Be Continued . . .

RESOURCES

Mageia Wiki for chroot

Mageia QA procedure for evaluating schroot

Mageia URPMI Wiki Entry

Debian Wiki Schroot HOWTO

Schroot Build Environment Setup

Schroot Mageia Configuration