My only caveat in setting up this autostarting headless VM was that Windows 7 remain password protected when it started up (task scheduler’s on start trigger function didn’t prove much help with this goal BTW)…a little less simple but I managed to keep it under 3 steps somehow, mostly thanks to superuser’s superb knowledge base and some luck googling. Keep in mind I have a single user setup on this windows 7 machine. Multiple users might require you force the machine to always logon to your VirtualBox/Startup script user by default after a reboot…so you’ve been warned. Here’s how it’s done:

1. download hstart (see README)
2. Remove/un-check the “User must enter a username and password to use this computer” checkbox option from Start -> Run -> `control userpasswords2` (But wait…didn’t you just say…YES KEEP READING)
3. write a batch script in your startup folder containing (psudocode): C:/hstart.exe /NOCONSOLE “VMBoxHeadless.exe -start-vm ‘your-vm-name’” followed by “rundll32.exe user32.dll,LockWorkStation”

The name VMBoxHeadless is a bit misleading since you still have a cmd window to leave open as long as you want your VM running if you run it through a batch script, that’s where hstart comes in. Then you have to tell windows to logon automatically instead of waiting for the user to enter a username/password. Finally your batch script run VMBoxHeadless through hstart and then just re-locks your computer afterwards and you have a primed and ready VM waiting for you upon restart. If your VM name has spaces it might require escaped quotes or single quotes around it, I used a hyphen in my name so I didn’t have to deal with that problem.

Here’s an eaxmple batch script

C:\Users\HTPC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hstart a-serv headless.bat:

"E:\scripts\hstart64.exe" /NOCONSOLE "C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe -startvm a-serv" 
rundll32.exe user32.dll,LockWorkStation

References (yay superuser!)
What is the best way to hide a command prompt window?
Command line cmd command to lock a windows machine

I’m writing the symbolic link commands so they are as copy pastable as possible, for multiple windows releases. If all else fails, use the full path rather than the environment variable (%APPDATA%, %HOMEPATH%).

Lets Begin, first make a folder in your dropbox folder called ‘Game Saves’ to house your new save games. Then within this new saves folder make a folder for your games, (e.g. Minecraft/Dragon Age)

Now you need to know where your save game folder is for each game, we’ll start with Minecraft. In either windows XP, Vista, or 7 you can just go to your Start button, Run (or windows+R shortcut) and enter `%APPDATA%\.minecraft\` and you’ll see the saves folder. Move it to some place safe or just rename it to “saves_backup”. Then you want to put another copy of the `saves` folder in your newly crated `Dropbox\Game Saves\Minecraft\` folder. [Note: Copying a large Minecraft saves folder can take a while because of the massive amount of tiny files used by Minecraft]

After that’s done successfully, open another Run prompt from the Windows Start menu and this time type in `cmd`. In the black DOS command prompt that opens enter this (Note you may need to change the Dropbox path if yours is “My Dropbox” or customized)

mklink /D "%APPDATA%\.minecraft\saves" "%HOMEPATH%\Dropbox\Save Games\Minecraft\saves"

For Dragon Age: Origins you should find your save games in `%HOMEPATH%\Documents\BioWare\Dragon Age`. Move and or backup the Characters folder. Then copy the Characters folder to `Dropbox\Game Saves\Dragon Age Origins\`

mklink /D "%HOMEPATH%\Documents\BioWare\Dragon Age\Characters" "%HOMEPATH%\Dropbox\Save Games\Dragon Age\Characters"

Just to reiiterate the fact you have to change your path, here is another command I had to run using a different dropbox path (one computer used ‘My Dropbox’, the other just used ‘Dropbox’ for some reason).

mklink /D "%HOMEPATH%\Documents\BioWare\Dragon Age\Characters" "%HOMEPATH%\My Dropbox\Save Games\Dragon Age\Characters"

This concept is easily applied to any game. Just change the paths to match where that game’s saved files folder are located; usually they’re in my `documents/my saves`, or` my docuemnts/publisher name`, or one of application data’s folders.

I just set this up as root and in root’s crontab.

Download Source

Source:

#!/usr/bin/python
 
import os
 
def gettextoutput(cmd):
    """Return (status, output) of executing cmd in a shell."""
    pipe = os.popen('{ ' + cmd + '; } 2>&1', 'r')
    pipe = os.popen(cmd + ' 2>&1', 'r')
    text = pipe.read()
    if text[-1:] == '\n': text = text[:-1]
    return text
 
home_dyndns = "example.dyndns.org"
log_dyndns = "./new_home_ip_check.log"
last_dyndns = gettextoutput("cat " + log_dyndns)
cur_dyndns = gettextoutput("host " + home_dyndns)
 
print "Log: "+ last_dyndns
print "Cur: "+ cur_dyndns
 
if last_dyndns == cur_dyndns:
    print "IPs match, no restart necessary"
else:
    print "Updating last IP with current"
    os.system("echo '" + cur_dyndns + "' > " + log_dyndns)
    print "Restarting iptables to update"
    os.system("/etc/init.d/iptables restart")

Output looks like:

Log: example.dyndns.org has address 114.76.37.112
Cur: example.dyndns.org has address 114.76.37.112
IPs match, no restart necessary
 
Log: example.dyndns.org has address 114.76.37.113
Cur: example.dyndns.org has address 114.76.37.112
Updating last IP with current
Restarting iptables to update
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]

The script’s input is the bind9 file containing all zone entries you want to confirm are pointed to your server, I suggest making a copy – not working with any live configs. The script will run an lookup using `host -t ns` on google’s DNS server to find out what the outside world thinks the domains’ name servers are; I tried `whois` in the past but it was too unreliable due to timeouts & limits on the number of calls per minute. Then it checks the results of that host lookup against the hostnames, all capitalized hostnames, and IP addresses of your DNS servers (3 in my case). If any one of the DNS servers matches than we know the domain is still using our DNS. The other options are 1) it doesn’t find any DNS servers that are ours 2) it finds the phrase ‘not found’ which host returns if the domain is expired or there are no ‘NS’ type records in DNS. The script echos to shell what DNS servers match as it runs, but it only logs the DNS servers that don’t have any matches (so they can be removed by automation or manually later).

With the zone-audit.log output I then can remove the domains that aren’t using our DNS since they’re no longer in use. Please leave feedback in the comments if you think of a good improvement.

Code after the jump or Here

#!/bin/bash
#
 
domains=`sed -n 's/^zone\s*\"\([^\"]*\)\"\s* {[^\r]*/\1/p' /root/confirm-dns-zones/named.master`
date > /root/confirm-dns-zones/zone-audit.log
 
for i in $domains
do
  echo "Checking $i"
  domain_ns=`host -t ns $i 8.8.8.8 | grep "$i"`
  echo $domain_ns
 
  if [[ $domain_ns =~ 'NS1.EXAMPLE' || $domain_ns =~ 'ns1.example' || $domain_ns =~ '4.3.2.1' ]]; then
    echo "$i contains DNS1 (4.3.2.1)"
    match_dns1=TRUE
  else
    #echo "DNS1 NOT FOUND"
    match_dns1=FALSE
  fi;
 
  if [[ $domain_ns =~ 'NS2.EXAMPLE' || $domain_ns =~ 'ns2.example' || $domain_ns =~ '4.3.2.2' ]]; then
    echo "$i contains DNS2 (4.3.2.2)"
    match_dns2=TRUE
  else
    #echo "DNS2 NOT FOUND"
    match_dns2=FALSE
  fi;
 
  if [[ $domain_ns =~ 'NS3.EXAMPLE' || $domain_ns =~ 'ns3.example' || $domain_ns =~ '4.3.2.3' ]]; then
    echo "$i contains DNS3 (4.3.2.3)"
    match_dns3=TRUE
  else
    #echo "DNS3 NOT FOUND"
    match_dns3=FALSE
  fi;
 
  if [[ $match_dns1 == FALSE && $match_dns2 == FALSE && $match_dns3 == FALSE ]]; then
   echo "* ERROR: $i - None of our DNS found for this domain using 8.8.8.8"
   echo $i >> /root/confirm-dns-zones/zone-audit.log
  fi;
 
  if [[ $domain_ns =~ 'not found' ]]; then
    echo "* Possible script error or missing DNS / Expired domain"
    echo "* ERROR: $i - Possible script error or missing DNS / Expired domain" >> /root/confirm-dns-zones/zone-audit.log
  fi 
 
  echo
  echo "----------------"
  echo
  sleep 1
done

Browser/Client side password encryption example
Download Source

I used Spamato with my outlook 2007 first and recently switched to Spambayes because Spamato simply wouldn’t work with Windows 7 even after going through an enormous hassle of hacking Microsoft’s .NET Framework 1.1 installer to get it to install in Windows 7.

I’m really glad I switched, SpamBayes has amazing accuracy when trained with your Spam/Ham folders. It even has a ‘Junk Suspects’ folder which has caught all (1 or 2) my ham messages which is mistook for spam. I don’t think any Ham has ended up in the Junk folder unless it was an automated mail/newsletter and those quickly stopped going to junk after useing the ‘recovering from spam’ toolbar button to improve training.

I used Spamato for more than a year and it works fairly well, I liked it and recommended it to others. Every time I recommended it to a non technical person I cringed a little bit after remembering the fact that it requires a couple, not so simple to explain over the phone, prerequisites.

The finite accuracy seems better in SpamBayes and the installation is definitely a hell of a lot easier than Spamato.

If someone can authenticate on the FTP (could even be anonymous ftp, but I’d recommend using a special username you want to specifically grant access) then fail2ban triggers an ALLOW command for their IP on some port (or all ports), for example SSH (22) or apache https (443) with a private site on it that you want to keep private and totally hidden from the internet at large. This concept could really apply to anything. Any command IPTables can run can be triggered through something fail2ban sees in a log file basically, the possibilities are endless. In my example I’ll use https, port 443, but in real life I’m using an obscure port number and the program running on it that is not very secure by default.

So here are my slightly modified configuration files for setting up a custom fail2ban service that does the opposite of what fail2ban typically does.

In /etc/fail2bain/jail.conf I added:

 [vsftpd2allow443]
 
 enabled  = true
 port     = 443
 filter   = vsftpd-2-https
 banaction = iptables-accept-https
 logpath  = /var/log/vsftpd.log
 maxretry = 1
 bantime  = -1

filter has to match the name of the corresponding file in the /etc/fail2ban/filter.d folder. banaction has to match the corresponding file in the /etc/fail2ban/action.d folder. Max retry is 1 so the person doesn’t need to successfully login to the FTP more than once to get access to our secret port back door. Bantime -1 should add the person for ever. For added security try bantime = 86400 for 1 days access (bantime uses seconds).

Next make a copy of a default action for a template:

 cp -vip /etc/fail2ban/action.d/iptables.conf /etc/fail2ban/action.d/iptables-accept-https.conf

Then modify all the DENYs to ACCEPT and change the port:

 actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # Becomes
 actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ACCEPT
 
 actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
 # Becomes
 actionunban = iptables -D fail2ban-<name> -s <ip> -j ACCEPT
 
 port = ssh
 # Becomes
 port = 443

And lastly you need your fail2ban filter that watches vsftpd for successful authenticions of our special user who gets special ports opened up for them. Since I’m using vsftpd as my FTP I just copied it’s current filter and modified it to look for good auths instead of bad auths.

 cp -vip /etc/fail2ban/filter.d/vsftpd.conf /etc/fail2ban/filter.d/vsftpd-2-accept-https.conf

Change ‘specialuser‘ to whatever FTP user you want to gain special access to your server.

 failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
     \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
 # Becomes
 failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
     \[specialuser\] OK LOGIN: Client "<HOST>"\s*$

If you’re not using VFTPd then fail2ban has many other popular linux FTP client’s setup in the filter.d folder. You should also look in your log file (ls /var/log/*ftp* should find it) to find out what syntax it uses to denote a successful FTP login because it will most likely be different than what VSFTPd uses.

Now you just need to remember the password for your specialuser and you just FTP to your server with that login from any computer in the world to open your hidden port to access your secret content. This idea is mostly for personal use and I recommend against trying to have any beginner users use this as a mechanism for accessing content or even using it in a serious This slight modification isn’t revolutionary or anything and I may not be the first to come up with it but it definitely isn’t a well search indexed idea so I thought I’d throw this out there for others.

adduser q3ds
cd /home/q3ds

Find linuxq3apoint-1.32b-3.x86.run, wget or upload to the q3ds user folder

chmod +x linuxq3apoint-1.32b-3.x86.run
./linuxq3apoint-1.32b-3.x86.run
 
# Returns...
# Verifying archive integrity...tail: cannot open `+6' for reading: No such file or directory
# Error in check sums 579851737 212141158
# This should fix that error: 
 
export _POSIX2_VERSION=199209
./linuxq3apoint-1.31.x86.run 
 
# Returns...
# Verifying archive integrity...OK
# Uncompressing Quake III Arena Point Release 1.31 ..................................................................
# This installation doesn't support glibc-2.0 on Linux / x86_64
# Please contact Id software technical support at bugs@idsoftware.com
# The program returned an error code (1)
# OK, time for another fix:
 
sudo apt-get install ia32-libs linux32
# ... press Y <enter> to confirm install
 
# Try again with 32bit emulation
 
linux32 ./linuxq3apoint-1.31.x86.run 
 
# Go through the install and change the install path to /home/q3ds/quake3/

Copy/FTP baseq3/pak0.pk3 off our CD or backup into your /home/q3ds/quake3/baseq3 folder.

These are my console screens for running q3ded behind the scenes, they’re setup for my mod of choice – WFA (whose install files are located @ bitblender.net:

q3start:

#!/bin/bash
echo "Starting WFA Server"
sleep 1
cd /home/q3ds/quake3
screen -L -A -m -d -S wfa-server ./q3ded +set fs_game wfa +set dedicated  2 +set sv_pure 0 +set gametype 4 +exec wfa-server.cfg

q3stop:

#!/bin/sh
screen -dr wfa-server -X quit
echo "Killing off wfa-server...";

q3restart:

#!/bin/bash
echo "Restarting WFA Server"
sleep 1
/home/q3ds/scripts/q3stop
sleep 1
/home/q3ds/scripts/q3start

q3console (ctrl+A+D to detach from console):

#!/bin/sh
sudo screen -x wfa-server

/etc/init.d/gnump3d :

#!/bin/bash
 
gmconfig="/etc/gnump3d/gnump3d.conf"
gmport="54321"
gmpidfile="/var/run/gnump3d_$gmport.pid"
 
case "$1" in
start)
  if [ -f $gmpidfile ] ; then
    echo "GNUmp3d already running on port $gmport"
  else
    echo "Starting GNUmp3d."
    /usr/bin/gnump3d --background -config $gmconfig --port $gmport
    sleep 1
    ps -ef | grep -v "grep" | grep "config $gmconfig" | cut -c10-15 > $gmpidfile
  fi
;;
stop)
  if [ -f $gmpidfile ] ; then
    echo "Shutting down GNUmp3d."
    /bin/kill -9 $(cat $gmpidfile)
    rm $gmpidfile
  else
    echo "GNUmp3d isn't running on port $gmport yet"
  fi
 
;;
restart)
  $0 stop
  $0 start
;;
status)
  if [ -f $gmpidfile ] ; then
    echo "GNUmp3d running on port $gmport with config $gmconfig and pid $(cat $gmpidfile)"
    echo $(ps -ef | grep -v "grep" | grep "config $gmconfig")
    #echo
    # code to display the other instance of gnump3d here...
  else
    echo "GNUmp3d isn't running yet"
  fi
;;
*)
  echo "Usage: $0 {start|stop|restart|status}"
  exit 1
esac
 
exit 0

To run more than one copy of gnump3d with this simply make a copy of this script and call it something like gnump3d_2.

sudo cp -vip /etc/init.d/gnump3d /etc/init.d/gnump3d_2

Then change the new init.d script to point to your new config and port (pid file auto updates by port #).

gmconfig="/etc/gnump3d/gnump3d_2.conf"
gmport="54322"

Make a copy of the stock gnump3d config and modify the necessary lines.

sudo cp -vip /etc/gnump3d/gnump3d.conf /etc/gnump3d/gnump3d_2.conf

In my config I modified these lines:

port = 54322
root = /home/gnump3d_2
user = gnump3d_2
logfile = /var/log/gnump3d/access_2.log
errorlog = /var/log/gnump3d/error_2.log
now_playing_path = /var/cache/gnump3d_2/serving
tag_cache = /var/cache/gnump3d_2/song.tags

And lastly we’ll need to make the cache drectories:

mkdir /var/cache/gnump3d_2/
mkdir /var/cache/gnump3d_2/serving
chmod -R 777 /var/cache/gnump3d_2
touch /var/cache/gnump3d_2/song.tags

And then you’re set to startup the second gnump3d instance.

/etc/init.d/gnump3d_2 start

There are plenty of tutorials out there which cover configuring a normal SAB installation so I won’t cover that here. What I am going to do is make my SAB available through a web accessible passworded page, this can be accomplished with default SAB features by putting a web username/password in the general configuration section. However I find it annoying to have to enter the password when I’m on my internal 192.168 home network just to make it protected from the outside, and I don’t like the way it presents the username/password prompt in a website form rather than an generic apache pop-up. I’m sure open accessibility could be fixed in the SABnzbd+ code but I’m not a pro python hacker yet so I’ll just stick to what I know.

Basically I want a generic pop-up password that is only for people outside my network so I’m not bothered with SAB passwords while at home (And I can’t get nzbdStatus to work with a pass enabled). The htpasswd also acts as a bit of camouflage and additional security. There are some concepts which aren’t covered here which are required, you need to know how to configure your own SAB servers, Portforwarding or Firewall/iptables.

If you’re using a router, you’re going to want to make sure you’re not port forwarding the default SAB port of 8080 (which would make it wide open) and only are forwarding the apache2 port you setup for the SAB proxy. If you’re not on an internal IP subnet and have a static IP assigned directly to the linux machine you’re doing this on then I expect you have enough knowledge of IPTables to block the SAB port and allow the proxy port.

SABnzbd Daemon (optional)

Download the latest SABnzbd version from http://www.sabnzbd.org/download/ to your favorite place to install python apps and optionally install a deamon to auto start SAB: http://artur.hefczyc.net/node/10. Mine is modified to include a restart command:

#!/bin/sh
# Source: http://sabnzbd.wikidot.com/install-as-a-unix-daemon
case "$1" in
start)
echo "Starting SABnzbd."
/usr/bin/sudo -u sabuser -H /usr/local/src/SABnzbd/SABnzbd.py -d -f /home/sabuser/.sabnzbd/sabnzbd.ini
;;
stop)
echo "Shutting down SABnzbd."
/usr/bin/wget -q --delete-after "http://localhost:8080/sabnzbd/api?mode=shutdown"
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0

At this point I’ll assume you have a working sabnzbd installation and have tested to confirm it’s working.

vi /home/sabuser/.sabnzbd/sabnzbd.ini

Change

host = localhost

to

host = 192.168.0.53

to make it accessible from elsewhere besides the box running SAB.
That’s all you need to do with SAB other than configure servers and preferences.

Apache Proxy Setup

apt-get install apache2
htpasswd -c /usr/local/src/SABnzbd/.htpasswd username # Enter your password when prompted
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_html

Ubuntu mod_proxy Denies all but default so you’ll need to make a similar modification to what follows – see your Apache error files for something like if your proxy isn’t working. You can either change

Deny from all

to

Allow from all

if you expect to be using it from any external IP address or individual IPs you’ll expect needing access (work IP). In my case 192.168.0.1 port forwards so that’s the only one I need but I put in my entire internal subnet for testing purposes.

vi /etc/apache2/mods-enabled/proxy.conf

<Proxy *>
  AddDefaultCharset off
  Order deny,allow
  Deny from all
  Allow from 192.168.0.0/24
<Proxy>

Add something like this to your apache2 vhost config (logs are optional)

vi /etc/apache2/conf.d/vhosts.conf

Listen 8001 # Use whatever port you want, I usually use obscure ports that aren't regularly scanned.
NameVirtualHost 192.168.0.53:8001  # Change 192.168.0.53 to whatever your SAB server's IP is (make sure it's static too).

<VirtualHost 192.168.0.53:8001>
ServerName sabuser.dyndns.org # Enter your hostname or <strong>static</strong> IP address here.  I use dyndns.org since I have a dynamic IP
ProxyPass /sabnzbd http://192.168.0.53:8080/sabnzbd/
ProxyPassReverse /sabnzbd http://192.168.0.53:8080/sabnzbd/
ProxyPreserveHost On
# Password Protect the external proxy only.
<Location /sabnzbd>
AuthUserFile /usr/local/src/SABnzbd/.htpasswd
AuthName "Authenticate Yourself."
AuthType Basic
Require valid-user
</Location>
# Alternate method, requires rewrite mod:
#RewriteEngine   on
#RewriteRule     (.*) http://192.168.0.53:8080/sabnzbd/$1 [P]
</VirtualHost>

References

# Apache Proxy
http://snippets.dzone.com/posts/show/1318
http://mail-archives.apache.org/mod_mbox/httpd-users/200307.mbox/%3C20030723191854.43885.qmail@web40903.mail.yahoo.com%3E
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html