If you are like me, relying on good old MH/NMH and mh-e and exmh to do your mail, then you'll know that there are few decent solutions for synchronizing your MH boxes between computers.
(more...)

If you've got a Growatt or Sungold inverter, then you will likely know that it has an RS232 port (9600 8N1, no flow control, and straight through cable) and that the manufacturer only provides hideously horrible and somewhat broken windows software for reading the inverter status.

However, their support isn't bad and they sent me the protocol specification within one day of me asking. Here is the Growatt Serial Comms Protocol as PDF. The comms protocol is a tad odd, and the spec isn't 100% clear in all situations but with a bit of fiddling I got a perl reader to work. The comms implementation isn't very robust; while experimenting I managed to send it into a catatonic state a few times, and it stuffs up the message checksum that it sends every now and then, too.

Without further ado, here's my perl proggie. It doesn't work with the growatt's super-weird dynamic address mode (shows as "MOVE" on the LCD); knock through the menus and set a fixed address value first. The perl proggie also expects a unixy box with /bin/stty because I couldn't be bothered to do the tedious termios fiddling from within perl.

once more i got nice feedback from somebody out there who benefits from my tinkering - it's very nice to see that one's efforts aren't totally wasted.

here is the original post about pam_recent for context; the newest version (with documentation) is here.

lorenco catucci suggested that pam_recent works better for rate limiting services that don't terminate the network connection on a failed login if it offered handlers for the other pam phases too, most importantly auth.

that way, one can use pam_recent to record that somebody attempts access in an iptables' recent list, and clear the record if and only if the connection gets to the account or session stage. in this setup pam is providing the control and iptables recent match just enforces the limits.

nice idea, just a few simple changes required and the result is better and more useful than before.

Ever since I stopped using a Sun SparcStation as desktop (around 94 or so) I wanted a decent Type 4 or 5 on my pc - alas, the Type 4/5 are serial keyboards and hence not directly supported by normal pcs. Getting the Type 5 to work under Linux wouldn't have been too hard (it's serial after all), but that isn't good enough: I wanted a decent solution that also work for BIOS interaction and in Windows (and even the Linux-only solution would have required soldering up a TTL inverter).

So why not build a converter?
(more...)

I've just completed testing the next generation of my kuvert tool: Version 2.0.0 is out here and has just been uploaded to debian Sid. It's full of Nice New Things that make kuvert more useful, the most notable ones being:

• inbound SMTP support
  You can tell kuvert to listen on localhost on a port of your choice for inbound messages. (This absolutely requires ESMTP authentication as pointed out in the manpage.) Benefit: any garden-variety mail user agent can send via SMTP, which means it can interoperate with kuvert. You don't have to bother with the submission wrapper anymore (but it is still available of course).
• outbound SMTP support
  Kuvert now can speak SMTP to any server of your choice. No more need for a local MTA installation (unless you prefer one, in which case kuvert will work like before).
• support for gpg-agent

There are also quite a few other goodies, but I haven't cooked up a good changes document yet; You'll have to read the manpage.

Kuvert version 2.0.4 has been released. New feature: kuvert now supports SMTP Authentiction for submitting your outbound emails to an MTA (No TLS/SSL yet).

Sources here, binaries at the Debian mirror of your choice.

I've been asked whether my R/C four wheel steering controller can share a channel with some other function; until now it couldn't.

This has changed today: you can now configure it to listen for quick "flip-flops" of your mode switch for cyclic mode (before it only recognized high-to-low transitions). That way you can run something else on the same channel (with a splitter cable) as long as that something else doesn't have a big problem with such "short blips".

Source code and manual have been updated:

• the main source
• some small helper routines
• the manual

The last of my 4WS controllers is on sale, here.

My R/C four wheel steering controller needed some fixes to work on both PIC12F635 and PIC12F683 chips, and there were some other minor stupid mistakes I had to fix.

Here's the latest version: source code and updated manual.

Looks like my pam_recent module is actually used by others out there and liked as well. For a maker/hacker/tinkerer like me that's very satisfying, especially considering the source of the most recent comment/suggestion.

Self-aggrandizement aside, there's a slightly updated version of pam_recent.c (v1.6) available, which uses pam_syslog and thus creates different syslog entries (for those of you using logcheck).

So you have a nice, nifty RC car which is shiny and very fast (and therefore cool) or dirty and really slow (and therefore cool) and yet you are unhappy with its turning radius?

You might consider rigging it for four-wheel steering, which is very nice for tight turns but not so much fun or stable for high-speed runs. Which do you choose, stability and 2WS or tight turns and 4WS? Can't one have both?

Indeed you can. Faced with this very challenge for my Wheely-King-based rock crawler, I've built a four-wheel steering controller (4WSC) which gives you that choice and lots more, provided that you have a radio with one free channel: with that channel you can switch between proportional four-wheel steering, two-wheel steering front or rear and crabbing, on the go and without stopping. Your one steering wheel controls both servos appropriately, based on your chosen mode of operation. The 4WSC also includes a servo reversing cabability for your year servo and is configured/programmed using your rc transmitter.

You might have a look at the manual to see what other goodies I managed to program in.

Here is what the 4WSC looks like: tiny (that's a 1cm grid) but quite capable and cool.

As always with my stuff, it's open source software: the commented source code is available right here for your perusal/modifications/other weird applications. Share and Enjoy. You might almost call the 4WSC an example of "open source hardware": I'm also providing a printable circuit board design, ready for making your own pcb's with the toner transfer method.

The hardware side of the 4WSC is really simple: it is microcontroller-based, uses a PIC12F635 or 12F683 or similar, and because PICs are great devices it does not need any external components (except for plugs/leads and a buzzer). All you need to build your own is such a microcontroller, a PIC programmer interface for programming it, soldering gear and either some protoboard or minimal PCB-making skills.

If that sounds too tedious/complicated, you can simply pay me a little money and get one finished and ready: I made a few of the controllers and am sufficiently happy with the outcome to sell them. Contact me here and we can discuss the details; I might also do custom firmware for your specific requirements (for a fee, mind you).

For the do-it-yourself afficionados (like me) here are the goodies:

• The manual for the 4WSC
• The latest version of the source code and the delay functions code
• The circuit board design (600dpi png)

Enjoy!

Robert Scheck suggested that I get rid of a (justified) compiler warning in pam_recent by logging only sensible things. Here's the updated version.

1.1.13 is available here (and via apt-get install kuvert in debian and ubuntu).

Changes: the pgp-signature part is now tagged a bit more extensively with a content-description and the "canonical" filename; while the filename tag was there in an earlier version (and got removed for reasons lost in time), the content description might help the more...suboptimal mail clients out there.

The prod to do this came from Andreas Labres.

Kuvert is a tool that automatically signs and/or encrypts outgoing email using the PGP/MIME standard (RFC3156), based on the availability of the recipient's key in your keyring.
(more...)

Tony Nelson pointed out a bug in glibc's gethostbyname() which causes pam_recent failures in mixed ipv4-v6 situations. The problem is worked around and the docs have been improved.

Version 1.3 can be downloaded here.

At work we've got a slightly stuffed main proxy which occasionally just stops finishing to serve a request halfway. Very annoying, especially as I must use that thing...when FAI-installing 24 Debian boxes unattendedly (via another intermediary proxy under my control).

This has bitten me in the past a few times, because cfengine1 doesn't have any easy means of figuring out that a script hasn't succeeded. With the main proxy wandering off into la-la land, this led to some halfbaked installs.

Not anymore. apt-cacher may be imperfect, but the version in etch/testing finally has a lean set of depencies and together with squid and jesred (or a similar redirector) it's easy to make everything work transparently.

That way the client config does not need to be changed at all: they all have normal source URLs, and they have to go through my proxy for web access anyway. On that fw/proxy box, I added this to jesred.rules:

regex ^http://((.*)/debian/(dists|pool)/.*)$    http://127.0.0.1:3142/\1

which makes everything remotely resembling Debian package info go to the apt-cacher which runs standalone on port 3142. A bit of twiddling with squid's always_direct and never_direct directives later, and heureka! it actually works...

One of our machines at work gets hammered by ssh password guessers, and this is about a neat and cheap (IMHO) way of dealing with this.
(more...)

My backup tape stacker died recently, so I had to look for alternate cheap backup solutions. Goodbye Amanda! *snif* Recent tape drives being prohibitively expensive, I went for two more 200gb disks, one for the living-room machine (aka. tosspot) and one for an usb enclosure and transfer via sneaker-net to the office.

So far, so good. The choice of available software, however, and my paranoia re backup storage have an intersection close to \epsilon: backuppc doesn't encrypt. boxbackup does, but is a bit rough and needs loads of certificates to get anything done. On a comparison page about boxbackup I found a link to duplicity which has a very nice feature set which meets my ideas of backup pretty nicely:

• Everything happens on the client, the server only needs to give scp/ftp/rsync/s3 access.
• Symmetric or asymmetric encryption, encrypt-but-not-sign as well.
• a way to do incrementals that shows deleted files, while still not needing anything but gpg and tar to restore (if you've lost the duplicity program).
• Doesn't need to decrypt anything for doing incrementals, if you give it a little space on the local machine.

However, it's got a fair number of minor problems as well. Quite some debugging and head-scratching and four bug reports later (one two three for duplicity, two with patches and one for rsync with a patch as well) I'm now set: a dumb rsync server with some disk behind it, encryption (but no signing) to my gpg key happening on the clients, the result of which ends up on the server. To do incrementals cleanly, a little unencrypted space (--archive-dir) is set aside on the clients, where duplicity can store some hashes and other info of the files it's backing up.

I still don't like python much but I'm at least reaching that debugging-and-mini-maintenance-hacking level. Syntactic whitespace sucks.

-- David Richerby on blacklisting blacklists

I don't like worms and other crap that hammers my ssh servers with nonexistant users and/or lousy passwords. Not that they would get in anyway, but it still pisses me off sufficiently to do something about it. This script *blam*s all such suckers for a while. Share and enjoy.

The script tails a logfile (preferrably something low-volume like your auth.log) and looks for failed ssh entries. If the other side is not whitelisted and tries too often in a time window, an iptables command is issued. After a fair while the block is removed. Obviously all this is adjustable and I'll certainly extend the setup for other annoyances, too.

The idea came from here but that implementation I didn't like very much. The clean tailing of a log (safely across rotations etc.) was snarfed from logtail (part of logcheck) and the parsing of syslog messages came from Parse::Syslog (which doesn't work on your local data, only on full files. Silly thing.)

blosxom:Blosxom is a blogging engine in a single tiny piece of perl; it's what this site uses. Well, it's small, fairly simple and not too ugly.
(more...)

"If you read Boing Boing's RSS feed, you've probably noticed that we are now running occasional text ads in selected entries."

Yes, and it pisses me off big time: the web version is so ad-infested that it's unreadable (40% of the screen realestate blinks and warbles and tries to entice me), so I read it via RSS (spidered by this abomination) in full screen beauty. Form follows function and Content rules.

I hate ads. I run jesred (and maintain it for debian, too), a squid redirector and crap filter. I add this to jesred.rules

regexi ^http://feeds.feedburner.com/	http://localhost/jesred/dot.gif

I see no more BB ads. I am happier.

The redirection was too general: boingboing's main RSS file would be n/a with the above. But all the ads live under /~a/... Better:

regexi ^http://feeds.feedburner.com/~	http://localhost/jesred/dot.gif

I'm a stupid stubborn bastard and spent a good two days to get three orinocos reflashed and the silver to gold hack (ie. 104bit WEP and 14 channels) working. Now, after lots of swearing and gazillions of reboots it works on all three cards, one original lucent silver orinoco and two enterasys/cabletron roamabouts.
(more...)

Kuvert was recently featured on the debaday blog, and somebody asked me to put the manual pages on the web.

So here they are, ugly as sin (because I couldn't convince groff or any other converter to render -mdoc manual pages in HTML without breaking them completely):

Manpage for kuvert
Manpage for kuvert_mta_wrapper

as documented in bug 242378, the spambutt has a problem with expiring the bayes database. somehow a lot of atime entries get set far into the future, and the butt doesn't recognize this properl - and sits on its butt, chugging along and retrying the wrong things over and over again.

great.

after finding a tool called db-to-text2.pl which can fix the entries and playing around with it i've decided to use the big hammer on bayesstore.pm: wherever atime is written to the db, we do a sanity check.

this patch addes these crude measures, and will hopefully keep my bayes dbs in fair shape. YMMV.

Firewalls are fun, but just dropping all the bad packets is fairly boooring.
(more...)

I like the layout of the rssreader mozilla extension, but nothing else about it: it requires using the bookmarks (hatehate), it is in javascript (hatehatehate) and it is superslow, no caching whatsoever etc.

Why not use any of the available tickers and RSS readers?
I liked rssreader's layout and integration with mozilla. I don't like tickers, I need full articles or at least overview data to judge whether an article is worth my time and headlines Just Don't Work for me. And, the killer argument: all my bookmark info is kept in a topicmap file so any RSS reading tool must get its info from there, too. None but my personal one would do that.

So I decided to make a slurping tool that slurps feed data onto the local box and massages things into the rssreader look. Easypeasy thought I, perl to the rescue etc. etc.

Well, RSS sucks: gadzillions of slightly different versions, all incomplete and fugly. Atom sucks, too, just differently.

The one parser module present in Debian, libxml-rss-perl, doesn't understand newer RSS (ie. 2.0) at all, and no Atom, so playing with that wasn't too successful. The other potential parser, XML::RSS::Parser, is not available as a Debian package, but it sucks less: with a bit of tweakery I got it to read all the RSS flavours and also Atom. Hmm, maybe I'll package it.

Net result of a few hours of mucking around, skirting incomplete unicode support in my perl (no I don't want to update to 5.8 yet) etc. is this script called rsslurp. The link retrieval part won't be useful to anybody who's not into topicmaps (ie. most of you out there), but the part for massaging things into rssreader-compliant CSSified HTML may be. The tool also caches the source XML and produces an overview HTML page with update times and feed names.

I've found a few nice things for Mozilla Firebird, the IMHO least sucky browser right now (apart from being a memory hog).

The Permit Cookies extension does not do what its name implies, but gives you a popup for blocking/allowing/removing cookies for the current site on pressing Alt-c.

Why not allow cookies with all the other features enabled, especially "ask before accepting"? I had that, but I ran into major slowdown issues with a really big cookie permissions file which denied cookies for 99.8% of the sites anyway, and the question popup was very annoying, too.

So now I have cookies disabled in the global preferences as a good default, and for the few sites where I accept the requirement for cookies as sensible, I just enable cookies specifically for the site, once and comfortably.

Disabling cookies doesn't actually disable them: the explicit exceptions still work. The one thing I lose is the "cookies for this session only" functionality; that is taken care of by my mozilla wrapper which simply removes the cookie file on startup.

userContent.css in your profile dir/chrome/ is also quite useful for some things: the Firebird Doc Site mentions how to disable marquee tags, and here I found a tip on how to change the cursor for javascriptshite links:

a[href^="javascript:"] { cursor: crosshair; }

Flashblock is another saviour: flash crap is not displayed at all but a placeholder shows up. You can click on it and only then the flash thingie loads. Very nice, very useful.

The Tabextensionsextension is so common now that it has been properly Debianised - a welcome change from the lousy XPI installation mess mozilla tries to force on us otherwise.

Related to debianising mozilla and hand-installing extensions without messing everything up is this bit of info:

Mozilla on Debian gets its extension info from per-package files in /var/lib/mozilla-nameoftheday/chrome.d/. The good old run-parts-like approach works perfectly well here, too: you (or any package) can plop a file like 99azfixthisfuckingmess into said dir without affecting any other aspect of moz, and run update-mozilla-firebird-chrome to combine those files into what moz wants to see.

Looking at the XPI thingies (which are simply zipfiles) I usually find stupid javascript "installer" *snort* scripts which wouldn't do anything useful unless I run them as root (yeah, right, I'm as stupid as that). But it's not really hard to extrapolate from what you see in the install.js things, the bla.jar files (which are again simply zipfiles) and the examples set by mozilla-tabextensions to find a working install procedure.

So what I nowadays do to install extensions by hand but cleanly is rip the XPI apart and copy the bla.jar into /usr/lib/mozilla-nameoftheday/chrome/. Then I look at the install.js to see the register-something calls and populate my 99... fragment with the appropriate entries. Run the update program, restart moz, done.

Here's the entry dealing with the editcss extension as an example (they all look very similar):

content,install,url,jar:resource:/chrome/editcss.jar!/content/editcss/
locale,install,url,jar:resource:/chrome/editcss.jar!/locale/en-US/editcss/
skin,install,url,jar:resource:/chrome/editcss.jar!/skin/classic/editcss/

After seeing a nice traffic graph on a friend's site, I decided to install mrtg. Being a perfectionist with slow boxes, the defaults (ie. use mainly snmp) didn't make me happy.

I ended up writing about 10 small perlies that either query /proc or sift through logfiles. It worked, but not very nicely: lotsa perl processes starting every 5 minutes and quite some code duplication. Rethink. Improve.

So here's the new, combined, all-in-one solution: a single script that does the data gathering all in one go. It's called bigstat.

bigstat reads a couple of simple things from /proc (memory usage, interface traffic counters, cpu stats and load average), but all that is hardly new and not worth talking about. It also gets at the firewall packet drop counters and plots df -k vs. df -i.

What is notable IMHO is that bigstat also deals with sources that are decidedly not nice enough to provide convenient counters or gauges: my apache access log for example, the mail logs and my inn logs (the "common" way of getting apache info for example involves parsing the html output of mod_status...bleh, for mail people have parsed mailstats output and for inn there's nothing ready-made except for CNFS storage.)

My approach there is to use some builtin logtail functionality together with persistent counter and offset files: go over the unread/new parts of the log, look for some useful pattern and increase the counters. Then save the last counter states in the persistent counter file and also remember where in the file we were (plus inode). This guarantees counter continuity regardless of log rotation. bigstat then writes all the fourliner data mrtg expects into separate files, and mrtg just reads them via a 2-liner shell wrapper around cat. This works great and is very efficient.

If you need some inspiration to set up something similar: help yourself to my examples here. The script and mrtg config file are GPL'd. The proc stuff and iptables-usage are linux-specific, and the regexp matches will definitely need adjustment for your environment.

• cleansed mrtg config
• bigstat script
• read-bigstat script

I'm talking about the "Speedtouch Home/Pro" which I got cheap from a friend.
(more...)

The CA.pl example script coming with OpenSSL has a couple of nice features (among lots of exceedingly ugly ones), namely -signcert: that one, slightly adjusted to eat real input files instead of this silly newcert.pem foolishness, can convert an existing cert into a req and does sign that afterwards.
(more...)

i haven't set up clamav to run as a milter on my servers - yet. yes, i know about mailscanner, amavis and friends...they're all too fat for what i want, and clamav's mail parsing facilities (at least in the versions i could get onto my Debian/stable servers) are nonexistant. so i've got dual queues, between which some kind of filter is moving stuff after scanning.

my small script is a simple wrapper around MIME::Parser (see libmime-perl in debian) that reads sendmail queue files, extracts the content into a tempdir, runs clamscan on that and depending on the result, moves the stuff into the quarantine or the real mail queue. Feel free to (ab|re|per)use.