I just set this up as root and in root’s crontab.

Download Source

Source:

#!/usr/bin/python
 
import os
 
def gettextoutput(cmd):
    """Return (status, output) of executing cmd in a shell."""
    pipe = os.popen('{ ' + cmd + '; } 2>&1', 'r')
    pipe = os.popen(cmd + ' 2>&1', 'r')
    text = pipe.read()
    if text[-1:] == '\n': text = text[:-1]
    return text
 
home_dyndns = "example.dyndns.org"
log_dyndns = "./new_home_ip_check.log"
last_dyndns = gettextoutput("cat " + log_dyndns)
cur_dyndns = gettextoutput("host " + home_dyndns)
 
print "Log: "+ last_dyndns
print "Cur: "+ cur_dyndns
 
if last_dyndns == cur_dyndns:
    print "IPs match, no restart necessary"
else:
    print "Updating last IP with current"
    os.system("echo '" + cur_dyndns + "' > " + log_dyndns)
    print "Restarting iptables to update"
    os.system("/etc/init.d/iptables restart")

Output looks like:

Log: example.dyndns.org has address 114.76.37.112
Cur: example.dyndns.org has address 114.76.37.112
IPs match, no restart necessary
 
Log: example.dyndns.org has address 114.76.37.113
Cur: example.dyndns.org has address 114.76.37.112
Updating last IP with current
Restarting iptables to update
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]

The script’s input is the bind9 file containing all zone entries you want to confirm are pointed to your server, I suggest making a copy – not working with any live configs. The script will run an lookup using `host -t ns` on google’s DNS server to find out what the outside world thinks the domains’ name servers are; I tried `whois` in the past but it was too unreliable due to timeouts & limits on the number of calls per minute. Then it checks the results of that host lookup against the hostnames, all capitalized hostnames, and IP addresses of your DNS servers (3 in my case). If any one of the DNS servers matches than we know the domain is still using our DNS. The other options are 1) it doesn’t find any DNS servers that are ours 2) it finds the phrase ‘not found’ which host returns if the domain is expired or there are no ‘NS’ type records in DNS. The script echos to shell what DNS servers match as it runs, but it only logs the DNS servers that don’t have any matches (so they can be removed by automation or manually later).

With the zone-audit.log output I then can remove the domains that aren’t using our DNS since they’re no longer in use. Please leave feedback in the comments if you think of a good improvement.

Code after the jump or Here

#!/bin/bash
#
 
domains=`sed -n 's/^zone\s*\"\([^\"]*\)\"\s* {[^\r]*/\1/p' /root/confirm-dns-zones/named.master`
date > /root/confirm-dns-zones/zone-audit.log
 
for i in $domains
do
  echo "Checking $i"
  domain_ns=`host -t ns $i 8.8.8.8 | grep "$i"`
  echo $domain_ns
 
  if [[ $domain_ns =~ 'NS1.EXAMPLE' || $domain_ns =~ 'ns1.example' || $domain_ns =~ '4.3.2.1' ]]; then
    echo "$i contains DNS1 (4.3.2.1)"
    match_dns1=TRUE
  else
    #echo "DNS1 NOT FOUND"
    match_dns1=FALSE
  fi;
 
  if [[ $domain_ns =~ 'NS2.EXAMPLE' || $domain_ns =~ 'ns2.example' || $domain_ns =~ '4.3.2.2' ]]; then
    echo "$i contains DNS2 (4.3.2.2)"
    match_dns2=TRUE
  else
    #echo "DNS2 NOT FOUND"
    match_dns2=FALSE
  fi;
 
  if [[ $domain_ns =~ 'NS3.EXAMPLE' || $domain_ns =~ 'ns3.example' || $domain_ns =~ '4.3.2.3' ]]; then
    echo "$i contains DNS3 (4.3.2.3)"
    match_dns3=TRUE
  else
    #echo "DNS3 NOT FOUND"
    match_dns3=FALSE
  fi;
 
  if [[ $match_dns1 == FALSE && $match_dns2 == FALSE && $match_dns3 == FALSE ]]; then
   echo "* ERROR: $i - None of our DNS found for this domain using 8.8.8.8"
   echo $i >> /root/confirm-dns-zones/zone-audit.log
  fi;
 
  if [[ $domain_ns =~ 'not found' ]]; then
    echo "* Possible script error or missing DNS / Expired domain"
    echo "* ERROR: $i - Possible script error or missing DNS / Expired domain" >> /root/confirm-dns-zones/zone-audit.log
  fi 
 
  echo
  echo "----------------"
  echo
  sleep 1
done

If someone can authenticate on the FTP (could even be anonymous ftp, but I’d recommend using a special username you want to specifically grant access) then fail2ban triggers an ALLOW command for their IP on some port (or all ports), for example SSH (22) or apache https (443) with a private site on it that you want to keep private and totally hidden from the internet at large. This concept could really apply to anything. Any command IPTables can run can be triggered through something fail2ban sees in a log file basically, the possibilities are endless. In my example I’ll use https, port 443, but in real life I’m using an obscure port number and the program running on it that is not very secure by default.

So here are my slightly modified configuration files for setting up a custom fail2ban service that does the opposite of what fail2ban typically does.

In /etc/fail2bain/jail.conf I added:

 [vsftpd2allow443]
 
 enabled  = true
 port     = 443
 filter   = vsftpd-2-https
 banaction = iptables-accept-https
 logpath  = /var/log/vsftpd.log
 maxretry = 1
 bantime  = -1

filter has to match the name of the corresponding file in the /etc/fail2ban/filter.d folder. banaction has to match the corresponding file in the /etc/fail2ban/action.d folder. Max retry is 1 so the person doesn’t need to successfully login to the FTP more than once to get access to our secret port back door. Bantime -1 should add the person for ever. For added security try bantime = 86400 for 1 days access (bantime uses seconds).

Next make a copy of a default action for a template:

 cp -vip /etc/fail2ban/action.d/iptables.conf /etc/fail2ban/action.d/iptables-accept-https.conf

Then modify all the DENYs to ACCEPT and change the port:

 actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # Becomes
 actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ACCEPT
 
 actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
 # Becomes
 actionunban = iptables -D fail2ban-<name> -s <ip> -j ACCEPT
 
 port = ssh
 # Becomes
 port = 443

And lastly you need your fail2ban filter that watches vsftpd for successful authenticions of our special user who gets special ports opened up for them. Since I’m using vsftpd as my FTP I just copied it’s current filter and modified it to look for good auths instead of bad auths.

 cp -vip /etc/fail2ban/filter.d/vsftpd.conf /etc/fail2ban/filter.d/vsftpd-2-accept-https.conf

Change ‘specialuser‘ to whatever FTP user you want to gain special access to your server.

 failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
     \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
 # Becomes
 failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
     \[specialuser\] OK LOGIN: Client "<HOST>"\s*$

If you’re not using VFTPd then fail2ban has many other popular linux FTP client’s setup in the filter.d folder. You should also look in your log file (ls /var/log/*ftp* should find it) to find out what syntax it uses to denote a successful FTP login because it will most likely be different than what VSFTPd uses.

Now you just need to remember the password for your specialuser and you just FTP to your server with that login from any computer in the world to open your hidden port to access your secret content. This idea is mostly for personal use and I recommend against trying to have any beginner users use this as a mechanism for accessing content or even using it in a serious This slight modification isn’t revolutionary or anything and I may not be the first to come up with it but it definitely isn’t a well search indexed idea so I thought I’d throw this out there for others.

adduser q3ds
cd /home/q3ds

Find linuxq3apoint-1.32b-3.x86.run, wget or upload to the q3ds user folder

chmod +x linuxq3apoint-1.32b-3.x86.run
./linuxq3apoint-1.32b-3.x86.run
 
# Returns...
# Verifying archive integrity...tail: cannot open `+6' for reading: No such file or directory
# Error in check sums 579851737 212141158
# This should fix that error: 
 
export _POSIX2_VERSION=199209
./linuxq3apoint-1.31.x86.run 
 
# Returns...
# Verifying archive integrity...OK
# Uncompressing Quake III Arena Point Release 1.31 ..................................................................
# This installation doesn't support glibc-2.0 on Linux / x86_64
# Please contact Id software technical support at bugs@idsoftware.com
# The program returned an error code (1)
# OK, time for another fix:
 
sudo apt-get install ia32-libs linux32
# ... press Y <enter> to confirm install
 
# Try again with 32bit emulation
 
linux32 ./linuxq3apoint-1.31.x86.run 
 
# Go through the install and change the install path to /home/q3ds/quake3/

Copy/FTP baseq3/pak0.pk3 off our CD or backup into your /home/q3ds/quake3/baseq3 folder.

These are my console screens for running q3ded behind the scenes, they’re setup for my mod of choice – WFA (whose install files are located @ bitblender.net:

q3start:

#!/bin/bash
echo "Starting WFA Server"
sleep 1
cd /home/q3ds/quake3
screen -L -A -m -d -S wfa-server ./q3ded +set fs_game wfa +set dedicated  2 +set sv_pure 0 +set gametype 4 +exec wfa-server.cfg

q3stop:

#!/bin/sh
screen -dr wfa-server -X quit
echo "Killing off wfa-server...";

q3restart:

#!/bin/bash
echo "Restarting WFA Server"
sleep 1
/home/q3ds/scripts/q3stop
sleep 1
/home/q3ds/scripts/q3start

q3console (ctrl+A+D to detach from console):

#!/bin/sh
sudo screen -x wfa-server

/etc/init.d/gnump3d :

#!/bin/bash
 
gmconfig="/etc/gnump3d/gnump3d.conf"
gmport="54321"
gmpidfile="/var/run/gnump3d_$gmport.pid"
 
case "$1" in
start)
  if [ -f $gmpidfile ] ; then
    echo "GNUmp3d already running on port $gmport"
  else
    echo "Starting GNUmp3d."
    /usr/bin/gnump3d --background -config $gmconfig --port $gmport
    sleep 1
    ps -ef | grep -v "grep" | grep "config $gmconfig" | cut -c10-15 > $gmpidfile
  fi
;;
stop)
  if [ -f $gmpidfile ] ; then
    echo "Shutting down GNUmp3d."
    /bin/kill -9 $(cat $gmpidfile)
    rm $gmpidfile
  else
    echo "GNUmp3d isn't running on port $gmport yet"
  fi
 
;;
restart)
  $0 stop
  $0 start
;;
status)
  if [ -f $gmpidfile ] ; then
    echo "GNUmp3d running on port $gmport with config $gmconfig and pid $(cat $gmpidfile)"
    echo $(ps -ef | grep -v "grep" | grep "config $gmconfig")
    #echo
    # code to display the other instance of gnump3d here...
  else
    echo "GNUmp3d isn't running yet"
  fi
;;
*)
  echo "Usage: $0 {start|stop|restart|status}"
  exit 1
esac
 
exit 0

To run more than one copy of gnump3d with this simply make a copy of this script and call it something like gnump3d_2.

sudo cp -vip /etc/init.d/gnump3d /etc/init.d/gnump3d_2

Then change the new init.d script to point to your new config and port (pid file auto updates by port #).

gmconfig="/etc/gnump3d/gnump3d_2.conf"
gmport="54322"

Make a copy of the stock gnump3d config and modify the necessary lines.

sudo cp -vip /etc/gnump3d/gnump3d.conf /etc/gnump3d/gnump3d_2.conf

In my config I modified these lines:

port = 54322
root = /home/gnump3d_2
user = gnump3d_2
logfile = /var/log/gnump3d/access_2.log
errorlog = /var/log/gnump3d/error_2.log
now_playing_path = /var/cache/gnump3d_2/serving
tag_cache = /var/cache/gnump3d_2/song.tags

And lastly we’ll need to make the cache drectories:

mkdir /var/cache/gnump3d_2/
mkdir /var/cache/gnump3d_2/serving
chmod -R 777 /var/cache/gnump3d_2
touch /var/cache/gnump3d_2/song.tags

And then you’re set to startup the second gnump3d instance.

/etc/init.d/gnump3d_2 start

Find this part:

for ($$opt{section}) {
#    ...Skip ahead to descr...
            /^descr(iption)?$/ &&
              do{
                  $section = "No Description for $item";
                  $$rcfg{setenv}{$item} =~ /MRTG_INT_DESCR="(.+?)"/  #"
                        and $section = $1;
                  $$rcfg{pagetop}{$item} =~
                          m,&lt;td>Description:&lt;/td&gt;\s*&lt;td&gt;\Q$section\E\s*([^&lt; ][^&gt;]+?)</td>,i
                        and $section = $1;
                  last;
              };

The first `and $section = $1;` is a catch all to assign the interface name if there’s no description. The second one overwrites it, replacing the int name if it does find a description. So all you need to do is modify the second instance of `and $section = $1;` to:

and $section = $section . " - " . $1;

And your MRTG index is infinitely improved!

I upgraded from an older xUbuntu to xUbuntu 8.10 64-bit and the first thing I had to do is restore the windows file share where I backed up configurations, samba shares, and my Adaptec SATA Raid 1210SA. Then I had to conquer ATI’s proprietary drivers and restore my previous install’s server functionality. Next time I’ll be finishing up the HTPC portion by configuring my TV Tuner with mythTV and installing Boxee as well – and maybe integrating the two together if possible.

Note: you can copy paste the code commands with the “# comments” at the end because Linux will ignore everything after the #

Network Shares and Raid

apt-get install samba # for sharing my raid storage across the network
apt-get install smbfs # for mount.cifs to mount windows file shares
apt-get install nfs-common # for the other mount types
apt-get install dmraid # for my Adaptec SATA 1210SA Raid card (x2 320GB drives)
apt-get install vim # because vi drives you insane after using vim


With the right programs installed I could reach my backups, test/setup my mounts permanently, and setup samba so I can start listening to my music right away again.

mkdir /media/a-computer; mkdir /media/a-computer/backup # make a folder to mount to
mount.cifs //192.168.0.51/backup /media/a-computer/backup -o guest,rw # mount my windows backups share
tail -3 /media/a-computer/backup/fstab >> /etc/fstab # copy old fstab permanent mounts to new fstab

tail -3 /media/a-computer/backup/fstab # outputs
/dev/mapper/asr_1 /media/windows ntfs rw 0 0
//192.168.0.51/usenet /media/a-computer/usenet cifs guest,rw,mand 0 0


Video Setup

I’m plugged into my Panasonic Viera 42″ HDTV through an ATI HD2600XT and DVI-I to HDMI cable (from monoprice). After installing xUbuntu 8.10 on a CRT Monitor (so I could read the text) I switched video cables and plugged in my HDTV only. It booted into X with VESA drivers on “Default” resolution (not sure what res.,it wasn’t HD, but it worked on my TV somehow) and first thing that was obviously needing fixed is the text was too small to read.

I quickly remembered you can’t fix the font size problems high resolutions in the XFCE menus. You have to make a config change for X:
echo "Xft.dpi: 96" >> ~/.config/xfce4/Xft.xrdb

To install the video drivers I decided to just go through the menus instead of attempting it through command line (if you need to use apt-get I believe you need to manually add the proprietary apt-get rep source). I went to Applications > System > Hardware Drivers > And There were ATI/AMD Proprietary drivers – after one click it launched the package manager and installed fglrx for me, very painless. I also ran updates and rebooted at this time.

I had some issues with the fglrx video driver at first but to make a long story short, here’s how I finally got a good xorg.conf for it.

dpkg-reconfigure xserver-xorg # This helped the next step make a more complete config
aticonfig --initial # Before I ran the above step, this generated a very minimual xorg.conf
aticonfig --resolution=0,1920x1080,1280x720 # Set my HDTV resolutions
service gdm restart # Restart X and test new xorg.conf - booted into 1920x1080 for me


Being in 1080p resolution caused fonts to look a lot smaller, even with the xfce font DPI fix, so I increased font sizes in the menus: Applications > Settings > Settings Manager > User Interface & Windows Manager. I also increased the Panel sizes to 41 to make Icons bigger.

Switching to fglrx enabled HD resolutions but it also gave me black bars around my screen. To fix this at first I was trying to utilize the aticonfig’s overscan tv functions since I’m using a TV. however my display isn’t detected as a “TV” type for whatever reason, as this shows:
# aticonfig --query-monitor
Connected monitors: tmds1
Enabled monitors: tmds1
aticonfig --tv-info
The TV is not connected
The TV geometry is "0x0+0+0"


After a lot of Googling and experimenting with various aticonfig commands I came to this solution: aticonfig --set-pcs-val=MCIL,DigitalHDTVDefaultUnderscan,0 – This fixed my underscan black bars but isntead created an overscan problem (screen was bigger than TV borders). I managed to fix this by tweaking the resolution (not sure if this causes pixel stretching but it doesn’t look bad – may just be a work around). Here’s my overscan fix autostart script which lowers my resolution and bump the screen into center position:
#!/bin/bash
# Add this script to autostarting apps, these commands don't seem to save
aticonfig --set-pcs-val=MCIL,DigitalHDTVDefaultUnderscan,0
# X was over by 28 pixels on each side (1920 normal)
aticonfig --set-dispattrib=tmds1,sizeX:1866
aticonfig --set-dispattrib=tmds1,positionX:+28
# Y was over by 16 pixels on each side (1080 normal)
aticonfig --set-dispattrib=tmds1,sizeY:1048
aticonfig --set-dispattrib=tmds1,positionY:+16

X/Y overscan values needing adjustment may be different for you

Diversion 001
With my video completely setup I needed to test it out:
sudo apt-get install vlc
I checked out some videos, normal video started skipping, HDVideos were artifacting, skipping, and top showed them taking over 50% of my CPU most of the time…that’s not right, never had this problem on my previous installs (windows XP or xubuntu 8.04). Investigation revealed my CPU frequency is set to the minimum of 1000mhz of 2200mhz max. Google revealed an application I hadn’t heard of before that was quite easy to use and fixed this problem:
apt-get install cpufrequtils
cpufreq-set -g performance # Sets frequency to max

I thought that was very odd, maybe a bug with Intrepid Ibex?

Torrents, usenet/Sabnzbd, and GNUMp3D

Next I setup my uTorrent webui to act as a central torrent server for my home. If you need instructions on setting up webui see uTorrent’s webui post. I already set it up in wine previously so I’m just restoring from a backup here:

sudo apt-get isntall wine # We need wine to run uTorrent
cp -vip /media/a-computer/backup/uTorrent.exe .~/wine/drive_c/Program\ Files/uTorrent/ # Get the exe
rsync -aP /media/a-computer/backup/adam/.wine/drive_c/windows/profiles/adam/Application\ Data/uTorrent/ ~/.wine/drive_c/windows/profiles/adam/Application\ Data/uTorrent/ # I need the app data folder where webui is saved
cp -vip root/startup-uTorrent.sh /home/adam # Copy my startup script
cat /home/adam/startup-uTorrent.sh # It's a simple script needed for auto start on boot
#!/bin/sh
wine /home/adam/.wine/drive_c/Program\ Files/uTorrent/uTorrent.exe &


Then I add the script to the startup applications list through Applications > Settings > Settings Managed > Autostarted apps > Add > Then Enter a description and the path /home/adam/startup-uTorrent.sh

References:

http://ubuntuforums.org/showthread.php?t=225721

http://www.phoronix.com/forums/showthread.php?p=36734#post36734

http://ubuntuforums.org/showthread.php?p=5842624

http://www.thinkwiki.org/wiki/How_to_use_cpufrequtils

Brain