Disabling IPv6 in Debian Sid

Note to self: since the Debian Kernel Team, in all their infinite wisdom, decided to compile the IPv6 code statically into the kernel, all the module alias and blacklist tricks to disable it are useless. What the pundits out there have missed since the beginning of time (or close to it: the inclusion of the IPv6 code in Linux 2.5/2.6) is the sysctl knob that disables it.

Open /etc/sysctl.conf in your favorite editor and type the dark rune:

net.ipv6.conf.all.disable_ipv6 = 1

Save and reboot. (I don’t recommend changing this setting on a running system; it can have unexpected side effects.)

CAVEAT LUSER: Yes Joe, this works in Ubuntu as well as any GNU/Linux® distro that integrates sysctl in its init system.
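As an added example (my own code, not part of the original note), a small POSIX sh helper for checking that the setting is really in effect. One function resolves the value a sysctl.conf-style file assigns to a key, skipping comments and letting the last assignment win, which is what sysctl -p ends up applying; the other reads the live value from /proc after the reboot. Function names and the sample file in the demo are mine.

```shell
#!/bin/sh
# Added example: confirm that net.ipv6.conf.all.disable_ipv6 is set, both in
# the configuration file and in the running kernel. Function names are my own.

# Print the value that a sysctl.conf-style file assigns to KEY.
# Comment lines (# or ;) and blank lines are skipped; when a key appears more
# than once the last assignment wins, as it does for sysctl -p.
# Exit status is 1 when the key is not assigned at all.
sysctl_conf_value() {
    key=$1
    conf=$2
    awk -v k="$key" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            val  = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)   # tolerate "key = value"
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == k) { found = 1; last = val }
        }
        END { if (found) print last; else exit 1 }
    ' "$conf"
}

# Live check after the reboot: succeed when the kernel reports IPv6 disabled
# on all interfaces. A missing /proc entry means the kernel has no IPv6 code
# at all, which counts as disabled here.
ipv6_disabled_now() {
    knob=/proc/sys/net/ipv6/conf/all/disable_ipv6
    [ -r "$knob" ] || return 0
    [ "$(cat "$knob")" = 1 ]
}

# Stand-alone usage: check a constructed sample file, then the live kernel.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '# constructed sample\nnet.ipv6.conf.all.disable_ipv6 = 0\nnet.ipv6.conf.all.disable_ipv6 = 1\n' > "$tmp"
    echo "configured: $(sysctl_conf_value net.ipv6.conf.all.disable_ipv6 "$tmp")"
    if ipv6_disabled_now; then
        echo "running kernel: IPv6 disabled"
    else
        echo "running kernel: IPv6 still enabled (reboot pending?)"
    fi
    rm -f "$tmp"
fi
```

The file check looks at one file only; on a system that also applies /etc/sysctl.d/*.conf, run it over each file in the order the init system reads them, because a later file can flip the value back.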

Wine and µTorrent can rot an Ext3 filesystem

Note to self: All bittorrent clients are horrid. Some have a bearable stench, others haven’t. And for some reason these days I find all POSIXy clients despicable.

Thus enter µTorrent running under Wine. And I start getting these weird filesystem errors that could eventually eat the whole filesystem, where there are some really rare and valuable files. I started poking at the problem and discovered that µTorrent has its own disk-cache manager which, of course, conflicts with the Linux one. There you have a testament to the design flaws of the Windows NT VM and the NTFS filesystem: you have to implement your own disk-cache manager if you want something that works. Fortunately you can turn it off.

So I’ve settled on this configuration:

  • Linux: 2.6.30 (yeah, a release candidate for now), which makes Ext filesystems work in writeback journaling mode with write safety.
  • Filesystem: Ext3 with write barriers enabled, to cover your backside against hardware write cache idiocy.
  • wine: a very recent vintage.
  • µTorrent: the latest, with all disk cache settings disabled.

How to fix the new MS fonts in POSIXy systems

OK, you’ve got your new computer preinstalled with MS Vista and/or MS Office 2007. You wasted no time installing your favorite GNU/Linux distribution or BSD flavor, and took the time to comb that Windows partition for goodies the license and Title 17 of the US Copyright law may entitle you to use. That is, unless George of the Bush has already killed it with the help of his friends in the US Congress, each and every one of whom makes Sarah Palin look like a Nobel Prize winner, ten years in a row.

You find those nice fonts with names starting with “C”: Calibri, Cambria, Candara, Consolas, Constantia and Corbel. Diligently you copy them into your $HOME/.fonts directory and run the magic command fc-cache -r -v in a terminal emulator window, go to the font settings application for your preferred desktop environment and change the monospaced font to Consolas (new font from MS, several years in development; it has to be the ultimate coding font, right?). Open a new terminal or a text editor and you discover it is hideous! Blocky, blurry and bold, although you made a point of not using bold in the settings, something you learned the hard way after having written The Great American Novel, a thousand pages worth, printed it in Comic Sans Bold 10 points to save paper and sent it to your prospective editor, who answered back thanking you heartily for all the toilet paper supplies you sent along the other day.

The problem is that the MS “C” fonts are hinted in such a way that they don’t work well unless you use subpixel rendering, and as far as I can see there is no real traditional hinting in them worth a cent. Even after you fiddle with the LCD-type settings there is no improvement, because most GNU/Linux distros default to using the patented bytecode interpreter, which works just fine with traditional TrueType hints, instead of the patent-unencumbered autohinter (in typical “Bite me!” attitude). Even those distros that give you the choice to use one or the other, such as Debian, have for the most part managed to bastardize the code, resulting in FreeType not working as it should. And all downstream distributions, including Ubuntu, receive the same turd.

But don’t fret! There are ways to work around the ugliness. We can create a $HOME/.fonts.conf like this:

<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
  <!-- Use the autohinter for the MS "C" fonts -->
  <match target="font">
    <test name="family">
      <string>Calibri</string>
      <string>Cambria</string>
      <string>Cambria Math</string>
      <string>Candara</string>
      <string>Consolas</string>
      <string>Constantia</string>
      <string>Corbel</string>
    </test>
    <edit name="autohint" mode="assign"><bool>true</bool></edit>
  </match>
</fontconfig>

That ought to fix the ugliness, although results will vary depending on how bastardized the FreeType library in your system is. Of course you can add more configurations to the file as long as you respect the XML syntax. Do be careful if using KDE (3/4), because the KDE font configuration tools love to eat users’ .fonts.conf files raw and spit them out in pieces.

Fedora 8: beautiful and brittle like a snowflake

I make a point of trying out Fedora at least once every year. I think it is a matter of romantic intoxication; I felt betrayed when RedHat 9’s XFree86 fried the flyback of my favorite, very expensive, 17 inch high resolution CRT. That toy is with me no more but it still gives happiness to someone else. Yup, I repaired it and passed it along.

Life is too short, you never know if you will break your neck getting out of bed tomorrow, or slipping in the shower today, so I chose to grab a copy of the Live CD installer i686 edition to be as compatible with all the hardware I own as possible.

First I tried it on my desktop, an Athlon-XP box, in the aging workstation category. Close but no cigar. I installed it in the first part of the hard drive and left the other half to install FreeBSD later on. As soon as I installed FreeBSD, Fedora’s kernel became unable to boot the system. It didn’t matter if I installed FreeBSD first or second, in the first or the second half of the disk, or if I used Fedora with LVM2 or plain primary and extended partitions… Whatever. Debian and a couple of obscure distros share space fine with FreeBSD on that same disk, therefore the problem is Fedora’s kernel patches, which make the kernel barf on whatever it is that FreeBSD does to the partition table. As I’m not willing to dedicate a whole HD to Fedora, it is out of the question on my desktop.

Then I tried it on my laptop. This one is a nice latest-generation Dell job. In fact this model is sold with Ubuntu Linux in the US of A and to some select European suckers (as my friend Benct would put it, he can’t buy it because he doesn’t live in one of the three countries of the EU with lucky bastards willing to pay top Euro; did you know that Dell charges the same in devalued US dollars or Euros? Poor suckers, err… Europeans. Apple, HP, Lenovo and the other leeches are even worse). OK, it took 5 tries, something to do with the fact that I use JFS for all filesystems on this laptop, with Ubuntu Linux as its main OS, btw. Of course, using JFS in Fedora’s root partition when installing from the Live CD is out of the question!

The software choice on Fedora’s Live CD is rather scarce and, in my opinion, backwards. OK, Abiword is great, but it was great in 1999 too. The technical decisions are highly disputable. Canonical manages to put a whole OS install on a 700MB Live CD that contains more or less what a standard install made with a 700MB alternate CD does, and that includes OpenOffice.org! The problem as I see it is the choice of filesystem and compression for the live CD. They may pretend that they want it to be as compatible with older hardware as possible, but there are limits to what you can do, and yet I have booted Ubuntu’s Live CDs on Pentium IIIs with 192MB RAM… squashfs and gzip compression can only go so far. After installing, what did I find? A beautiful desktop, but broken wifi, sound and video camera. The first was fixable after a 331MB update over the wire, downloading and installing the latest firmware for my wireless radio from Intel’s website, and setting up a little modprobe hack to change the default settings of the kernel driver to stop hardware network scanning (NetworkManager and wpa_supplicant do just fine on their own). I also had to set my access point to broadcast its ESSID, that is, I had to publish the ESSID of my access point. Talk about a borked NetworkManager (0.7 btw). The video camera is still at large and the sound chipset model has to be declared explicitly when loading the kernel module.

Ah! And don’t get me started on the init system, it plainly sucks. There are sysv init implementations of implementations and this one is one of the most baroque in the wild yet. Let’s hope that the adoption of upstart infuses sanity into that heap of bullknit.

My conclusion: I like Fedora 8. It is beautiful – did I mention the default hourly slideshow desktop? – The visual impression is stunning and the overall visual integration is sobering, although I find the color range chosen for the Nodoka theme childish and too pretentious, in a KDE Plastique kind of kitschy way, but it is staying nonetheless. The OS is as rock-solid as usual since Fedora Core 5, but the warts show. I won’t be switching to it soon, but I’ll keep it installed as Rawhide while enjoying the bumpy ride to Fedora 9.

Update 01
It is already February 21 and I’m loving riding on Rawhide. Now, if somebody would care to fix HAL so that I have soft brightness control again…

Update 02
It is April 18 and yes, upstart is a great improvement. PackageKit is like heaven after using Pirut for so long as well. Yumex is still a staple though. Fedora 9 is already a blast.

Wiping hard disks for fun or profit

There are many reasons to wipe a hard disk. From fixing bad-block problems, or forcing the disk geometry back to its defaults after we’ve created a broken partition table, to plain and simple paranoia. I justify myself with reasons one and two, and I know people who definitely do it for the third…

Instead of buying a commercial and/or proprietary utility such as MaxBlast (as an aside, my business partner nearly died when I gave him a copy of the Ultimate Boot CD with a free copy of the latest version. He went and dug out his floppies of the previous version, which had cost him good money in Miami! We had to console his grief with a few beers, because it wasn’t Friday…), which does nothing more than write a pile of zeros to the disk, you can use the tools available in any operating system that comes close to the POSIX and SUSv3 standards (UNIX(tm), BSD, GNU/Linux and other small change).

Generically speaking, dd is the most powerful tool there is for working with devices that handle data, whether as blocks or as a stream of characters. For that very reason it is very dangerous. I must warn that it should never be used in vain, nor before rereading the manual, sleeping at least eight hours, and definitely never with rum under your belt or the next day with a hangover. That said, the trick is very simple. We take garbage from the zero device and dump it onto the block device that represents the hard disk in the system, using a block size that makes the thing perform:

dd if=/dev/zero of=/dev/sdb bs=1000000

If we have the fortune or misfortune (depending on our opinion and on how fanatical we are) of having the GNU coreutils tools available, we can use shred:

shred -v -n1 --random-source=/dev/zero /dev/sdb

which I prefer, since I get progress information in the terminal. By the way,

shred -v -n0 -z /dev/sdb

does exactly the same thing.
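An added example, my own code and not from the original post: the same zero-fill done in POSIX sh with the two things I would want around it in practice, a pre-check that refuses anything that is not an unmounted block device, and a verification pass that reads the target back and confirms every byte really is zero. So that it can run without a spare disk, the demo overwrites a regular file of constructed random data; on a real device you would pass /dev/sdb and the device size. Function names are mine.

```shell
#!/bin/sh
# Added example: zero-fill a target with dd, guarded and verified.
# Function names and the constructed demo file are my own, not the post's.

# Refuse to wipe anything that is not a block device, or whose device node
# (or any partition on it) appears in /proc/mounts.
wipe_precheck() {
    dev=$1
    if [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2
        return 1
    fi
    if [ -r /proc/mounts ] && grep -q "^$dev" /proc/mounts; then
        echo "refusing: $dev (or a partition on it) is mounted" >&2
        return 1
    fi
    return 0
}

# Overwrite the first SIZE bytes of TARGET with zeros. SIZE defaults to the
# current size of a regular file; for a block device pass the device size.
# 64 KiB blocks keep dd efficient; head trims the final partial block so a
# regular file keeps its exact length.
zero_fill() {
    target=$1
    size=${2:-$(( $(wc -c < "$target") ))}
    blocks=$(( (size + 65535) / 65536 ))
    dd if=/dev/zero bs=65536 count="$blocks" 2>/dev/null \
        | head -c "$size" \
        | dd of="$target" conv=notrunc 2>/dev/null
}

# Succeed only when every one of the first SIZE bytes of TARGET is zero:
# tr deletes NUL bytes, so a fully wiped target leaves wc nothing to count.
verify_zeroed() {
    target=$1
    size=${2:-$(( $(wc -c < "$target") ))}
    nonzero=$(( $(head -c "$size" "$target" | tr -d '\000' | wc -c) ))
    [ "$nonzero" -eq 0 ]
}

# Stand-alone demo on a constructed 64 KiB file of random bytes.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    dd if=/dev/urandom of="$f" bs=1024 count=64 2>/dev/null
    wipe_precheck "$f" || echo "(expected: a regular file fails the pre-check)"
    verify_zeroed "$f" || echo "before: not zero"
    zero_fill "$f"
    verify_zeroed "$f" && echo "after: all $(( $(wc -c < "$f") )) bytes are zero"
    rm -f "$f"
fi
```

The verification step is the part the post's one-liners lack: a dd that dies half way through a flaky disk still exits, and shred's -z pass gives no readback either. Two caveats a practitioner should keep in mind: reading the whole device back doubles the time, and on flash media with wear levelling a zero pass only reaches the blocks the controller currently maps, so it is not a sanitization guarantee there.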

The conceptual definition of fanboy

Being adult is to stop hiding from others with masks and lies. Reaching enlightenment is to stop hiding from ourselves and to be able to see reality as is. Both are difficult tasks and many people live all their lives trapped in their own delusional fantasies.

The anonymity lent by the intarweb seems to be a letter of marque to many people who evidently have a murky perception of reality, yet, thanks to their insecurity and mental confusion (I won’t talk about intellect, because you need a clear mind to start using your intellect), try to impose their cockamamie ideas on others, along with their incredibly poor use of syntax and ignorance of semantics. And this takes us to trying to distill the concept of the fanboy.

The fanboy is what I say above and worse. Usually male, in the early or the late stages of his life. The young ones are ignorant and emotionally confused, therefore arrogant. The old ones are ignorant, thus arrogant, but compounded with ill-founded pride due to their self-aggrandizement: “my years of experience give me the right to pontificate about life, death and all in-between”. People who think that typing python -c "print 'Hello World!'" makes you an authority. On what, I don’t have the foggiest.

And this brings me to the motivation of this post. Have you been reading lots of blog comments telling the author that he should use PCLinuxOS because it is the next best thing after the discovery of fire? Today the DistroWatch Newsletter comes with a very interesting statistic and a conclusion: the average number of users in an IRC support channel is a realistic numerical measure of the actual user base. Ready for a reality check?

I’ve given up on Ubuntu, the community

but not on the distribution, yet…

I’m fed up with the hand-holding and the political correctness that has started to perfuse the IRC channels. I was banned from #ubuntu+1 only because I told some idiotic teenager to use a different version or distribution if he (or she) was fed up with the bugs in a development version that’s not yet stable enough for a new user. Now, I never go there to ask questions but to help. I’ve never got real help in IRC, because in general most people there are a bunch of ignorant children. Rather it is I who gives help to others. I feel justified in my decision of not wanting to teach anymore. As far as I know, my knowledge stays with me, and whoever wants to learn what I know may come and beg, as all good true students with potential for mastery have done for the last ten thousand years. Does the latter thought offend you? That only means you have lots to learn, and I may even teach you one or two things if you ask nicely.

Last Sunday, in that very same channel, I had a brief exchange with Sarah Hobbs, aka hobsee, one of the most respected Ubuntu members due to her contributions to community relations, where she said “It seems that the technical knowledge of users diminishes with each new release” or something like that, if memory serves me right (I keep forgetting to enable logging in my IRC client). That was in the morning. In the evening, the operators on the channel were a bunch of losers who do not deserve the air they breathe, and what I refer to above happened. Anyway, that very much summarizes my thoughts on the matter. I have started severing my ties to that particular “community” because, if you lie down with dogs, you wake up with fleas. I still use the distribution but, as things go, I’d much rather use Debian with Garnome or FreeBSD than Ubuntu, and that’s exactly what I’m starting to do. Yet I do find that there are things to be done within the developer community and I’m considering rekindling my long-lost interest in packaging, translation and development. Yet, being the steppenwolf I am, I wonder if I would ever fit within an “open source community” of sorts. Hell, I don’t fit in the academic community (where I belong by my own rights, supposedly) because I can’t withstand the arse-kissing (and even ball-licking) that goes on among the “established academics” and “scientists”. That’s a game I won’t play; it goes against my sense of self-worth and integrity. I’m too much of a ろょにん not to cringe at the idea of selling out my personal principles.

Protecting sshd from dictionary attacks with netfilter

In my last entry I wrote about a small script that blocks connections from hostile IP addresses. It is a simple script that only uses the packet filter’s facilities to block a known list of class B subnets; if you want to block another address, you have to add it to the list. That is, I built a stateless firewall (stateless rules).

But what makes netfilter truly powerful is its ability to keep state (stateful rules). This lets you build protection and filtering mechanisms that do not depend on a static list of IP addresses but on the very behaviour of the hostile forces attacking us. In mechanized-cavalry jargon this is called “active armour”. As an example I put here a fragment I like to use, which I found in a comment on a how-to about using DenyHosts, another solution, very popular, in fact much more popular, but not very practical if the machine in question must follow a strict policy of not connecting to the outside unless absolutely necessary. Believe me, in general, if the system serves a critical business process, not even operating system updates justify an open connection to that blasted interwebs thing.

Without further ado, the fragment, with explanations:

# First we create a new queue (chain) in the system through which
# we will route the traffic of our SSH connections.
iptables -N SSH

# We tell netfilter that every new connection arriving in the
# INPUT chain addressed to port 22 is to be redirected to the SSH chain.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH

# Recent connections in the SSH chain get recorded under
# the name "ataquessh".
iptables -A SSH -m recent --name ataquessh --set

# When a known recent connection that carries the "ataquessh" mark
# in the SSH chain has tried to connect 3 or more times in a row in
# the last 60 seconds, we block it until the next check (in 60
# seconds). The idea is that a script will lock itself out, and a
# seasoned cracker will soon realize that direct attacks on port 22
# are a waste of time. This does not rule out him trying other ways
# in that do require real knowledge. But we have ruled out 99.95%
# of the possible crackers out there.
# Packets not dropped here return to the INPUT chain, so the usual
# ACCEPT rule for port 22 still has to exist there.
iptables -A SSH -m recent --update --seconds 60 \
    --hitcount 3 --name ataquessh -j DROP

We can learn more about how to use --update combined with --seconds and --hitcount on the website of SnowMan, the author of the ipt_recent module, as well as in this article on rate-limiting connections to sshd, which, although a bit old, has valid and interesting information.

Update: I fixed a few small problems in the code.
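An added example, my own code and not from the post or from the DenyHosts how-to comment it quotes: a POSIX sh/awk model of what the --set plus --update --seconds 60 --hitcount 3 pair does to a stream of new connections, so you can see which attempts get dropped and when an address becomes usable again before touching a live firewall. It feeds a constructed list of "epoch source-address" attempts through the same counting the recent module applies (one hit recorded per new connection, whether or not it is then dropped; a hit counts only while it is inside the window) and prints PASS or DROP per attempt. The model is simplified: it ignores the module's cap on stored timestamps per address and the extra timestamp --update records on a match, neither of which changes the outcome for this input. Function and variable names are mine.

```shell
#!/bin/sh
# Added example: model the rule pair
#   iptables -A SSH -m recent --name ataquessh --set
#   iptables -A SSH -m recent --update --seconds W --hitcount H --name ataquessh -j DROP
# on a constructed list of connection attempts. Function names are my own.

# Read "epoch source" lines on stdin; print "epoch source PASS|DROP".
# --set records every new connection (even one that is about to be dropped);
# --update then drops when the source has H or more hits in the last W seconds.
simulate_recent() {
    window=$1
    hitcount=$2
    awk -v win="$window" -v hits="$hitcount" '
        {
            ts = $1 + 0
            src = $2
            seen[src] = seen[src] " " ts          # --set: record this hit
            n = split(seen[src], stamp, " ")
            inwin = 0
            for (i = 1; i <= n; i++)
                if (stamp[i] + 0 >= ts - win) inwin++
            verdict = (inwin >= hits) ? "DROP" : "PASS"   # --update ... -j DROP
            print ts, src, verdict
        }'
}

# Constructed attempts: 10.0.0.5 hammers port 22 four times in 30 seconds,
# then comes back after a pause; 192.0.2.7 is a normal user logging in twice.
SAMPLE_ATTEMPTS='0 10.0.0.5
5 192.0.2.7
10 10.0.0.5
20 10.0.0.5
30 10.0.0.5
95 10.0.0.5
300 192.0.2.7'

# Stand-alone demo with the post's values: 60-second window, 3 hits.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ATTEMPTS" | simulate_recent 60 3
fi
```

Two things the output makes visible. The third attempt is the first one dropped, so the first two still reach sshd; and 10.0.0.5 is passable again at t=95 only because it stayed quiet for more than 60 seconds after its last attempt, since every attempt, dropped or not, is recorded and keeps the window full. That is the lockout behaviour the post describes, and it also applies to a legitimate user who mistypes a password three times in a minute, so put an ACCEPT for your management addresses ahead of the DROP rule.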