The root cause was running out of processes, and later I apparently ran out of iptables entries.
I finally found that "cat /proc/user_beancounters" shows all the available resources and the limits imposed by the Virtuozzo virtualisation. For my quite old Ubuntu 14.04 these limits were significantly lower than what is advertised on the link above. This may be because the virtual machine was set up before the new limits took effect.
The limits which are most relevant to me are:
- numproc: Max. 100 processes (each thread counts, not just processes in the UNIX sense).
- numiptent: Max. 400 iptables entries. This is usually sufficient for even complex firewalls but becomes a problem when using fail2ban.
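Added example, not from these notes, for keeping an eye on the two limits above: a small sh/awk function that reads /proc/user_beancounters and prints every resource that has ever hit its limit (failcnt > 0) or currently holds at least a given percentage of its barrier. The beancounters text in the block is a constructed sample; the column layout is the real one (the uid appears only on the first data line, which is why the fields are counted from the right).

```shell
#!/bin/sh
# Constructed sample of /proc/user_beancounters (not output from a real VM).
BEANCOUNTERS_SAMPLE='Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
      101:  kmemsize                  2130289              2282592            100000000            104857600                    0
            lockedpages                     0                    0                 2048                 2048                    0
            numproc                        36                   45                  100                  100                    0
            numiptent                      88                   95                  400                  400                    3
            numfile                       812                  900                 4096                 4096                    0'

# beancounter_alerts PCT: read beancounters on stdin and print one line per
# resource that has failcnt > 0 (a request was refused at some point) or whose
# current "held" value is at least PCT percent of its barrier.
beancounter_alerts() {
    awk -v pct="${1:-80}" '
        $NF == "failcnt" || $1 == "Version:" { next }   # header lines
        NF >= 6 {
            # count columns from the right: the first data line carries an
            # extra "uid:" field in front of the resource name
            failcnt = $NF; limit = $(NF-1); barrier = $(NF-2)
            held = $(NF-4); res = $(NF-5)
            use = (barrier > 0) ? int(held * 100 / barrier) : 0
            if (failcnt > 0 || use >= pct)
                printf "%s held=%s barrier=%s use=%d%% failcnt=%s\n", res, held, barrier, use, failcnt
        }'
}

# Demo on the constructed sample. On the real container run:
#   beancounter_alerts 80 < /proc/user_beancounters
printf '%s\n' "$BEANCOUNTERS_SAMPLE" | beancounter_alerts 80
```

A non-zero failcnt is the thing to look for: it tells you a fork or an iptables insert was actually refused, which is the symptom that took so long to diagnose here.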
In the end it was sufficient to move the ssh port away from port 2222, which was attacked a lot. The attacks on the mail ports come from a smaller set of IPs. I am currently (2019-04) using 88 of 400 iptable entries.
zgrep firewall /var/log/syslog*|python -c "import sys;[sys.stdout.write(word + '\n') for line in sys.stdin for word in line.split() if word.startswith('DPT=')]"|sort -n -t= -k 2|uniq -c
The above assumes that you log all stray TCP packets to /var/log/syslog with the prefix 'firewall', which can be done with this iptables rule:
iptables -A INPUT -m limit --limit 200/hour --limit-burst 50 -j LOG --log-level warning --log-prefix firewall:
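Added example, not the note's own one-liner: the same counting, but for any KEY=value in the LOG lines, so one function gives the top destination ports (DPT) as well as the top sources (SRC). The log lines in the block are constructed samples using documentation addresses, and the non-firewall sshd line shows that other syslog entries are ignored.

```shell
#!/bin/sh
# Constructed sample syslog lines (not real logs), in the format produced by
# the LOG rule above: the prefix "firewall:" is glued to IN= because the rule
# has no trailing space in --log-prefix.
FIREWALL_LOG_SAMPLE='Apr 10 03:12:01 vz kernel: [100.1] firewall:IN=venet0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=44321 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 10 03:12:02 vz kernel: [100.2] firewall:IN=venet0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=44322 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 10 03:12:05 vz kernel: [100.3] firewall:IN=venet0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=3 DF PROTO=TCP SPT=44323 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 10 03:12:07 vz sshd[812]: Connection closed by 203.0.113.5 port 50012
Apr 10 03:12:09 vz kernel: [100.4] firewall:IN=venet0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4 DF PROTO=TCP SPT=50013 DPT=2222 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 10 03:12:11 vz kernel: [100.5] firewall:IN=venet0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=5 DF PROTO=TCP SPT=50014 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0'

# count_field KEY: read log lines on stdin, keep only the ones carrying the
# firewall: prefix, and print "count value" for every distinct KEY=value,
# most frequent first. Works on zgrep output too, since the file name prefix
# is just one more token that never starts with KEY=.
count_field() {
    awk -v key="$1=" '
        /firewall:/ {
            for (i = 1; i <= NF; i++)
                if (index($i, key) == 1)
                    n[substr($i, length(key) + 1)]++
        }
        END { for (v in n) printf "%d %s\n", n[v], v }' | sort -rn
}

# Demo on the constructed sample. On the real box use:
#   zgrep firewall /var/log/syslog* | count_field DPT
echo "ports:";   printf '%s\n' "$FIREWALL_LOG_SAMPLE" | count_field DPT
echo "sources:"; printf '%s\n' "$FIREWALL_LOG_SAMPLE" | count_field SRC
```

Because the LOG rule is rate limited (200/hour, burst 50), these counts are samples of the traffic, not totals; they are good enough to see which port attracts the noise and whether it comes from a few addresses or many.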
Kill rdpclip.exe using the Task Manager.
Start rdpclip.exe using Run.
The clipboard should work now again.
To make the Ctrl-S and Ctrl-Q keys work again you must disable flow control in screen: Press Ctrl-A F until "-flow" is displayed. Now the behavior should be back to normal: GNU screen no longer handles Ctrl-Q and Ctrl-S specially and passes these to the application.
Solution: Keep the backup disk encrypted.
Whole disk encryption is not as secure as it sounds, due to the limitations of sector-wise access, but it is _way_ better than not encrypting the disk at all, and it usually provides solid confidentiality (meaning an attacker cannot read any information from the disk).
(There are nasty attacks on whole disk encryption, but they all revolve around an attacker writing to the disk, modifying its contents in various ways. If the encryption is done properly, all of these attacks leave random garbage in the decrypted view of the disk.)
I am using 'plain dm-crypt' instead of LUKS since I do not need any of the LUKS features and it is very easy to set up and very easy to understand what happens.
I am also using the entire disk as one big partition, without a partition table. Encrypted partition tables do not make much sense in my opinion, and I only want one partition anyway.
If there was already (plain) data on the disk (e.g. an unencrypted backup) it is wise to erase that by overwriting the disk with random garbage:
shred -n 1 /dev/sdX
Create the encrypted layer on the disk:
cryptsetup --cipher=aes-cbc-essiv:sha256 --key-size 128 --key-file=key.bin open --type plain /dev/sdX enc
(I am using aes-cbc-essiv:sha256 with just a 128 bit key since it seems sufficient for my purpose. If you are concerned that somebody might modify the contents of the disk you are better off using aes-xts-essiv:sha256 with a 512 bit key, but I was not happy with the performance penalty for very little benefit (if any).)
The file key.bin contains the 16 byte (128 bit) binary AES key. I created it using:
head -c 16 /dev/random > key.bin
I keep the key.bin file in plaintext on my server since I am not nervous about it getting lost. People with access to the server are unlikely to want to decrypt the backup disk of the server since they have full access to the data (even full access to the data on the encrypted disk!) anyway. Of course it is necessary to keep a backup of this key in another physical place, e.g. printed on paper etc. Otherwise the backup disk is useless.
The plain view of the encrypted disk image is now available under /dev/mapper/enc.
Creating an ext4 filesystem on the encrypted disk:
mke2fs -m 0 -t ext4 /dev/mapper/enc
Mount encrypted disk:
mount /dev/mapper/enc /backup_disk
Now you can create a backup on /backup_disk.
When done, unmount the disk and stop the encryption (which might flush a few sectors to the disk):
cryptsetup close enc
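Added helper script, not part of the original procedure: it wraps the open/mount and unmount/close steps above and refuses to open the device unless key.bin is exactly key-size/8 bytes, because plain dm-crypt has no header and a wrong or truncated key simply yields garbage instead of an error. Cipher and key size are the ones used in the notes; the key used in the demo at the bottom is a constructed temporary file, and DRY_RUN=1 prints the commands instead of running them (the real run needs root and a real device). If you do move to XTS as discussed above, cryptsetup normally writes that mode as aes-xts-plain64.

```shell
#!/bin/sh
# Helper for the plain dm-crypt backup disk. Not from the original notes;
# cipher and key size are the values used there.
CIPHER=aes-cbc-essiv:sha256
KEY_BITS=128

# run CMD...: execute, or just print the command when DRY_RUN=1
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# key_ok FILE BITS: succeed only if FILE exists and is exactly BITS/8 bytes.
# Plain mode cannot detect a wrong key, so this is the only check you get.
key_ok() {
    want=$(($2 / 8))
    [ -f "$1" ] || { echo "key file $1 missing" >&2; return 1; }
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq "$want" ] || { echo "key file $1 is $size bytes, expected $want" >&2; return 1; }
    # a plaintext key file should not be readable by others (char 8 of ls -l)
    [ "$(ls -ld "$1" | cut -c8)" = "-" ] || echo "warning: $1 is world-readable" >&2
}

# open_backup DEVICE NAME KEYFILE MOUNTPOINT: the open + mount steps
open_backup() {
    key_ok "$3" "$KEY_BITS" || return 1
    run cryptsetup --cipher="$CIPHER" --key-size "$KEY_BITS" --key-file="$3" open --type plain "$1" "$2" || return 1
    run mount "/dev/mapper/$2" "$4"
}

# close_backup NAME MOUNTPOINT: unmount first, then drop the mapping
close_backup() {
    run umount "$2"
    run cryptsetup close "$1"
}

# Demo with a constructed 16-byte key in a temp dir, dry-run only.
tmp=$(mktemp -d)
head -c 16 /dev/zero > "$tmp/key.bin" && chmod 600 "$tmp/key.bin"
DRY_RUN=1
open_backup /dev/sdX enc "$tmp/key.bin" /backup_disk
close_backup enc /backup_disk
rm -rf "$tmp"
```

For real use, unset DRY_RUN, point it at the actual device and at the key.bin created with head -c 16 /dev/random as above; the zero-filled demo key is only there so the script runs without a disk.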
I found that my binutils (dd) were too old for the dd status=progress feature.
Sending signal USR1 to dd prints its progress:
killall -USR1 dd
Alternatively you can just look at the write file descriptor of the dd process, e.g.:
grep pos /proc/4609/fdinfo/1
- Press Ctrl-A and then :
- Enter "hardcopy -h myfile.txt"
myfile.txt will be created in the current working directory of the screen instance you are connected to.
This is useful in situations where you think "I should have really redirected that into a log file". Of course this only works well if you have a big scrollback buffer. I have:
in my .screenrc.
To reset it:
- press Ctrl-A
- enter ":reset" and press enter
Done. You may need to enter "reset" in the terminal itself as well.
This one was tough. Googling showed that this problem could be solved by uncommenting the line '$ModLoad imklog' in /etc/rsyslog.conf. This in turn caused kern.log to be filled with messages like 'imklog: error reading kernel log - shutting down: Bad file descriptor'. This is probably caused by some strange interaction between Ubuntu and the OpenVZ virtualization, but initially I did not find the precise cause of the problem, nor a solution.
This link finally gives a clue what the problem is and also presents a working workaround:
Following the solution worked for me. In more detail:
Create file /etc/init/kmsg-pipe.conf with the following content:
Then execute the script and restart rsyslogd:
See also https://www.timoschindler.de/brother-mfc-9140cdn-toner-resetten/
Goal: Let Volumio 1.55 automatically start playing music after the Raspberry Pi is powered on. The RPi is used completely headless and without any buttons, and while it is fine that I can control it through my phone or a computer, I sometimes just want to start the music on random play by flicking a plain old power switch and nothing more.
After a lot of fiddling with /etc/rc.local I realized that the NAS is mounted only after my commands in rc.local were executed. A sleep may help, but rc.local is killed if you sleep too long ... argh, nasty!
Instead I decided to hardcode the autoplay into the PHP scripts directly. I don't know any PHP, but how hard can it be?
Edit file /var/www/command/player_wrk.php and search for 'WORKER MAIN LOOP'.
Add the following lines before the '// --- WORKER MAIN LOOP --- //' line:
sleep(5);                         // give the NAS mount a moment; not sure this is needed (see below)
// exec() is used here to run each $cmd (assumed; player_wrk.php may have its own helper for that)
$cmd = 'amixer cset numid=3 1'; exec($cmd);   // try to force 3.5mm jack output
$cmd = 'mpc repeat on';         exec($cmd);
$cmd = 'mpc random on';         exec($cmd);
$cmd = 'mpc consume off';       exec($cmd);
$cmd = 'mpc single off';        exec($cmd);
$cmd = 'mpc play';              exec($cmd);   // plays the playlist that was last active
The amixer line tries to force 3.5mm jack audio output. Not sure this works. Omit it if you use your own DAC or HDMI.
Not sure the sleep(5) is necessary. This is actually not specific to NAS and should work with any source. It should play the playlist which was last active.
I would love to have this in the GUI, but I do not know how to hack that in.
Ah yes. Completely unrelated and just so I do not forget it: To get my TL-WN725N WLAN Dongle working with volumio 1.55 I had to download the firmware for it:
sudo wget https://github.com/lwfinger/rtl8188eu/raw/c83976d1dfb4793893158461430261562b3a5bf0/rtl8188eufw.bin -O /lib/firmware/rtlwifi/rtl8188eufw.bin
I have a Zotac server without a CD drive, so I needed to run the Samsung Performance Restoration tool. I used the DOS / Mac variant, which is a bootable DOS disk image that contains the update tool. The easiest way to prepare the USB stick is NOT to use the USB zip provided by Samsung but to use the *.iso file (Samsung_Performance_Restoration.iso) instead:
- Mount the ISO file and get the file ISOLINUX/BTDSK.IMG from it.
- dd the BTDSK.IMG directly onto a USB stick
- boot from the USB stick and follow the instructions
On my Zotac machine when booting from this USB stick I got a couple of broken error messages about not being able to boot from device XYZ, but it booted OK from the stick after a couple of seconds.
The performance restoration procedure took 4.5h for a 1TB SSD (60% full) and about 15h for another 1TB SSD (95% full), so expect this to take some time.
Neither SSD was erased by the procedure.
Avoid hang of headless Zotac server on Ubuntu Linux reboot. (How to disable the graphical console for grub and the Linux kernel.)
Uncomment this line:
In addition I disabled setting any graphics mode in the Linux kernel and set the timeout to 1 second.
My /etc/default/grub file now looks like this:
Copy files using rsync as root when the remote host does not allow root access and ssh is on a different port
- Step 1: Make sure you can execute commands as root on the remote host after logging in, without entering your password. There are two alternative options for this:
- You can allow the user to execute sudo without entering the user's password. You can do this by adding the following line to the end of /etc/sudoers:
- You can enter the sudo password once in advance and make sure it is cached between sessions. To make sure it is cached between sessions you must add the '!tty_tickets' option to the Defaults line in /etc/sudoers, and then you must run a dummy command as root:
- Defaults env_reset,!tty_tickets
- ssh -p PORT -t USER@REMOTE_HOST sudo id
- Step 2: Do the rsync. Override the ssh port, specify "sudo rsync" as the remote rsync command, and target the rsync at the non-root user which can now sudo:
- sudo rsync -avRe "ssh -p PORT" --rsync-path "sudo rsync" LOCAL_DIR USER@REMOTE_HOST:
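Added wrapper for the two steps above, not from the notes: before starting the rsync it checks with sudo -n that the remote user really can sudo without a prompt, because if the password is not cached (or the sudoers change did not take), the rsync just fails with a confusing error instead of telling you that sudo wanted a password. PORT, USER, REMOTE_HOST and LOCAL_DIR are the placeholders from the notes; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Wrapper around the "rsync as root via sudo" recipe. Not from the original
# notes; the host and user in the demo are placeholders.

# run CMD...: execute, or just print the command when DRY_RUN=1
# (the echo loses shell quoting, so it is a readable trace, not a copy-paste line)
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# remote_sudo_ok PORT USER HOST: succeed only if sudo on the remote side works
# without prompting. sudo -n never asks; it fails instead, which is exactly
# what you want to find out before rsync hits the same problem mid-transfer.
remote_sudo_ok() {
    run ssh -p "$1" "$2@$3" sudo -n true
}

# rsync_as_root PORT USER HOST LOCAL_DIR: the rsync invocation from the notes,
# started only after the sudo check passed.
rsync_as_root() {
    remote_sudo_ok "$1" "$2" "$3" || {
        echo "sudo on $3 still asks for a password: fix /etc/sudoers or refresh the cached ticket (ssh -p $1 -t $2@$3 sudo id)" >&2
        return 1
    }
    run sudo rsync -avRe "ssh -p $1" --rsync-path "sudo rsync" "$4" "$2@$3:"
}

# Demo, dry-run only, with placeholder values.
DRY_RUN=1
rsync_as_root 2222 backup host.example.invalid /etc
```

Unset DRY_RUN for the real transfer; the sudo check then costs one extra ssh round trip, which is cheap compared with an rsync that dies halfway.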
To show the bandwidth in Bytes/s
- open the Printer Queue for your Printer
- stop the Queue
- print the PDF
- now you should have a file starting with 'd' under /var/spool/cups which is an unprotected version of your PDF
- in Terminal type sudo cp /var/spool/cups/d* ~/Desktop/d.pdf
- this assumes there is just one file starting with a 'd', which is usually the case. If there are multiple files, try them one by one until you have your file.
- in Terminal type sudo chown foo:foo ~/Desktop/d.pdf (replace foo with your actual user name)
- file ~/Desktop/d.pdf does not have any restrictions
- in the Printer Queue delete the print job
- start the Printer Queue
Also, to see additional information about the currently active wireless connection hold down the Option key while clicking on the Airport Symbol in the menu bar.
- Zotac Zbox ID18
- Samsung SSD 840 EVO 1TB
- 4GB RAM (SODIMM 1600)
- Ubuntu 13.10
- download the 'Windows' Firmware update for the 840 EVO
- mount it
- dd the btdsk.img onto a USB stick
- put the USB stick into the Zotac
- change the Zotac BIOS so it boots from the USB stick
- ignore all error messages about missing partitions
- eventually the Samsung Firmware Update program comes up
- take note of the Firmware revision
- follow the instructions of the program
- ignore the message about power cycling the SSD, since you cannot power cycle it in isolation
- ignore the message about the firmware update being unsuccessful
- reboot (still from the USB stick)
- check that you have the new firmware revision
- Linux shows: ata1.00: ATA-9: Samsung SSD 840 EVO 1TB, EXT0BB6Q, max UDMA/133)
- Enable TRIM support and avoid unnecessary writes when reading files and dirs:
/ ext4 discard,noatime,errors=remount-ro 0 1
- Reduce amount of disk space reserved for root from 45GB to 1GB:
- sudo tune2fs /dev/sda1 -m 0.1
- Install sshd:
- sudo apt-get install openssh-server
- Install 'sensors' to check the CPU temp:
- sudo apt-get install lm-sensors
- sudo sensors-detect
- sudo service kmod start
- Install 'smartmontools' to see the SSD temp and other interesting data:
- sudo apt-get install smartmontools
- sudo smartctl -x /dev/sda | grep -i 'Current Temp'
- Do not start GUI/X
- edit /etc/default/grub:
- sudo jed /etc/default/grub
- sudo update-grub
- I like to install:
- sudo apt-get install jed apcalc screen minidlna openssh-server samba emacs ispell subversion g++ imagemagick
- If you have a couple of minutes:
- sudo apt-get update
- sudo apt-get upgrade
- If you would like to manually TRIM the SSD:
- sudo fstrim -v /
- Install SAMBA:
- sudo apt-get install samba
- see https://help.ubuntu.com/12.04/serverguide/samba-fileserver.html
USE_TABS = 0;
LINENUMBERS = 2;
% For the following to work you _must_ comment out any c_set_style() call!
C_INDENT = 4;
C_BRACE = 0;
C_BRA_NEWLINE = 0;
C_Colon_Offset = 0;
C_CONTINUED_OFFSET = 4;
public variable C_Class_Offset = 4;
This time the 'tape across toner window' trick would not work, even with black tape. The 'toner empty' message would only go away after doing this strange procedure which probably resets some internal state so it re-checks the toner state:
Open the front cover, then press the Back (German: Storno) button (the bottom left one of the four round black buttons), then press * 0 0 and then * 1 0. (Do not press 1 or 2 as indicated in the display. This is for the drum.) After this the 'toner empty' and also the 'toner almost empty' messages were gone and I could print perfectly again.
A subset of * 0 0 and * 1 0 might be sufficient. Not 100% sure the black tape is necessary at all.
Now the printer is printing happily and in perfect quality again. Let's see for how long. :-)