DVB Support for the Videolan Client (VLC) on Fedora Core 5

The version of the Videolan Client (VLC) for Fedora Core 5 from freshrpms does not include DVB support.

[foo@localhost ~]$ vlc --program 4704 dvb:12207000:0:3:27500000
VLC media player 0.8.5 Janus
status change: ( new input: dvb:12207000:0:3:27500000 )
status change: ( audio volume: 256 )
status change: ( play state: 1 )
[00000295] main input error: no suitable access module for `dvb:12207000:0:3:27500000'
status change: ( stop state: 0 )
[00000285] main playlist: nothing to play

A quick search through the VLC Documentation shows it must be rebuilt with the ‘experimental’ --enable-dvb option.

I took the source RPM from Freshrpms, added the --enable-dvb option on the ./configure line and attempted to rebuild.

Assuming you have an up to date Fedora Core 5 installation, working DVB hardware with the necessary drivers. To do this you will need (at least) the following packages installed:

gnutls-devel libdvdread-devel libdvdnav-devel libebml-devel libmatroska-devel libmodplug-devel libmad-devel libid3tag-devel lame-devel faac-devel faad2-devel a52dec-devel flac-devel mpeg2dec-devel speex-devel libtheora-devel x264-devel SDL_image-devel fribidi-devel aalib-devel libcaca-devel wxGTK-devel xosd-devel lirc-devel libcdio-devel vcdimager-devel avahi-devel libopendaap-devel libmpcdec-devel libcddb-devel libdca-devel

These are available from the core & extras Fedora repositories, some are located in the ATrpms & Freshrpms repositories.

Build the new RPM with the following:

[root@localhost ~]# rpmbuild –ba /usr/src/redhat/SPECS/videolan-client.spec

To install the new RPM I had to --force –nodeps the RPM transaction:

[root@localhost ~]# rpm -U --force --nodeps videolan-client-0.8.5-1.fc5.i386.rpm videolan-client-devel-0.8.5-1.fc5.i386.rpm

This time when I retry launching VLC I got the following:

[foo@localhost ~]$ vlc --program 4704 dvb:12207000:0:3:27500000
VLC media player 0.8.5 Janus
[00000544] skins2 interface error: Cannot open display
[00000544] skins2 interface error: cannot initialize OSFactory
Remote control interface initialized. Type `help' for help.
[00000548] dvb access error: the DVB input old syntax is deprecated, use vlc -p dvb to see an explanation of the new syntax

It turns out that the VLC documentation is rather outdated. After poking around in the VLC user interface I extracted the necessary command-line arguments to make it work.

The following command line execution of VLC will tune to the frequency 12.207Ghz, vertical polarisation, symbol rate 27.5Mhz with an ‘automatic’ FEC and select program 4704 (Sky News).

[foo@localhost ~]$ vlc --program=4704 dvb:// :dvb-adapter=0 :dvb-frequency=12207000 :dvb-srate=27500000 :dvb-caching=300 :dvb-inversion=2 :dvb-probe :dvb-voltage=13 :no-dvb-high-voltage :dvb-tone=-1 :dvb-fec=9 :dvb-code-rate-hp=9

And this variation will stream it over UDP to localhost port 1234.

[foo@localhost ~]$ vlc --program=4704 dvb:// :dvb-adapter=0 :dvb-frequency=12207000 :dvb-srate=27500000 :dvb-caching=300 :dvb-inversion=2 :dvb-probe :dvb-voltage=13 :no-dvb-high-voltage :dvb-tone=-1 :dvb-fec=9 :dvb-code-rate-hp=9 :sout=\#duplicate\{dst=std\{access=udp,mux=ts,dst=127.0.0.1:1234\}\}

And without further a do, the pre-built RPMS and modified source RPM I created.

Binary RPM:

videolan-client-0.8.5-1.fc5.i386.rpm
videolan-client-devel-0.8.5-1.fc5.i386.rpm
videolan-client-debuginfo-0.8.5-1.fc5.i386.rpm

Source RPM:

videolan-client-0.8.5-1.fc5.src.rpm

Lastly, you can select multiple programs from the same transponder and stream them to separate destination addresses, see the example in Chapter 9 of the VLC documentation.

Feedback & Questions welcomed!

IT Terminology – Hard Drive Jenga

Hard Drive Jenga

A term used to describe removal of Hard Drives from a RAID storage array where the objective of the game is to remove as many drives as possible without the array collapsing causing catastrophic data loss. Not for the faint hearted!

Not to be confused with Hard Drive Dominoes (another fine example).

What not to do when you’ve installed sshdfilter

sshdfilter is a great tool which monitors system logs for repetitive failed login attempts and actively updates iptables to block offending ip addresses. However, there is a slight shortfall it its design as there are no exceptions to its blocking rules as I found this morning:

Subject: sshdfilter event for 127.0.0.1, Too many password guesses, blocking
Date: Fri, 3 Mar 2006 11:04:02 +0000 (GMT)
From: root@lobstertechnology.com (root)

IP 127.0.0.1 was blocked, Too many password guesses, blocking.
Will remove block at Fri Mar 3 12:04:02 2006.

I almost cried, this one is worthy of being framed and put on the wall.

Firewalling against 127.0.0.1 is very very bad news on a unix system where there is a lot of loopback activity to run core services such as databases, x servers etc. I had a root shell open at the time and could flush the iptable rules to get back to some kind of normality.

Thankfully, Gerry has produced a patch allowing you to configure ‘trusted’ addresses which will never be blocked in this way. Hopefully it will make it to the core sshdfilter code in the near future.

Fedora Core 5 yum.conf

Just a quick snippet of my /etc/yum.conf file which includes the ATrpms and FreshRpms repositories.

[main]
cachedir=/var/cache/yum
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
pkgpolicy=newest
distroverpkg=redhat-release
tolerant=1
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
metadata_expire=1800

[atrpms]
name=Fedora Core $releasever – $basearch – ATrpms
baseurl=http://dl.atrpms.net/fc$releasever-$basearch/atrpms/stable

[freshrpms]
name=Fedora Linux $releasever – $basearch – freshrpms
baseurl=http://ayo.freshrpms.net/fedora/linux/$releasever/$basearch/freshrpms

Trac – Emptying a Wiki database

A quick bit of shell magic to empty a Trac wiki database in a freshly installed Trac environment. In this example /var/www/html/trac is assumed to be the Trac environment you created with trac-admin.

$ for page in `trac-admin /var/www/html/trac wiki list | cut -d' ' -f1 | grep "^[A-Z]" | grep -v "Title"`; do trac-admin /var/www/html/trac wiki remove $page; done;

;)

Wordpress 2.0.3 ‘Bug Fix & Security Release’

Matt announced a release for Wordpress today on the Wordpress Development Blog. This release addresses several bugs and a security issue raised on Bugtraq.

Files changed in this release:

wp-admin/admin-db.php
wp-admin/admin-functions.php
wp-admin/admin.php
wp-admin/categories.php
wp-admin/cat-js.php
wp-admin/edit-comments.php
wp-admin/edit-form-advanced.php
wp-admin/edit-form-ajax-cat.php
wp-admin/edit-form-comment.php
wp-admin/edit-link-form.php
wp-admin/edit-page-form.php
wp-admin/edit-pages.php
wp-admin/edit.php
wp-admin/import/mt.php
wp-admin/inline-uploading.php
wp-admin/link-categories.php
wp-admin/link-import.php
wp-admin/link-manager.php
wp-admin/list-manipulation.js
wp-admin/list-manipulation.php
wp-admin/moderation.php
wp-admin/options-discussion.php
wp-admin/options-general.php
wp-admin/options-misc.php
wp-admin/options-permalink.php
wp-admin/options.php
wp-admin/options-reading.php
wp-admin/options-writing.php
wp-admin/page-new.php
wp-admin/plugin-editor.php
wp-admin/plugins.php
wp-admin/post.php
wp-admin/profile.php
wp-admin/profile-update.php
wp-admin/templates.php
wp-admin/theme-editor.php
wp-admin/themes.php
wp-admin/upgrade.php
wp-admin/upgrade-schema.php
wp-admin/user-edit.php
wp-admin/users.php
wp-comments-post.php
wp-content/plugins/akismet/akismet.php
wp-content/plugins/wp-db-backup.php
wp-includes/cache.php
wp-includes/capabilities.php
wp-includes/classes.php
wp-includes/comment-functions.php
wp-includes/default-filters.php
wp-includes/functions-compat.php
wp-includes/functions-formatting.php
wp-includes/functions.php
wp-includes/functions-post.php
wp-includes/kses.php
wp-includes/links.php
wp-includes/pluggable-functions.php
wp-includes/registration-functions.php
wp-includes/template-functions-general.php
wp-includes/template-functions-links.php
wp-includes/vars.php
wp-includes/version.php
wp-login.php

Unfortunately I havent had time to look into the security issue itself and detail its effects / how it has been patched, the post by Matt details the changes pretty comprehensively. I have however created a diff/patch from 2.0.2 to 2.0.3 and checked it into my SVN repository:

http://svn.lobstertechnology.com/wordpress-patches/wordpress-2.0.2-2.0.3.patch

You can apply this patch from the top directory of your Wordpress installation using the ‘patch’ program from a UNIX shell.

patch -p1 < wordpress-2.0.2-2.0.3.patch

However I haven’t yet personally tested patching up to 2.0.3 yet, I would suggest taking a backup first.

Patch to mod_evasive to enhance reporting

This morning I took the opportunity to install mod_evasive on my Apache Web Server after being hammered by zombies last night. Quote from [www.nuclearelephant.com]:

mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.

It appears to work well, I tested it out by loading it up with small scale DoS attacks. It blocked the offending addresses as expected and produced the relevant syslog entires & triggered my external reporting script. I was however a little disappointed with its script execution functionality, it basically did a "system" call allowing you to pass only one argument - the offending IP address.

I already have mod_security installed which also executes an external reporting script. However mod_security has a neat little feature which I took for granted, it passes all the 'environment' variables from the request to the script allowing you to see the request itself & any headers passed.

For example, a typical mod_security email alert for me would contain:

DOCUMENT_ROOT=/usr/local/apache/vhosts/www.domain.com
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=*/*
HTTP_ACCEPT_ENCODING=gzip, x-gzip
HTTP_CONNECTION=close
HTTP_HOST=www.domain.com
HTTP_MOD_SECURITY_ACTION=500
HTTP_MOD_SECURITY_EXECUTED=/usr/local/scripts/modsec_alert.pl
HTTP_MOD_SECURITY_MESSAGE=Access denied with code 500. Error normalizing REQUEST_URI: Invalid URL encoding detected: not enough characters
HTTP_USER_AGENT=Mozilla/4.0
PATH=/bin:/sbin...
PATH_INFO=/search.cgi
PATH_TRANSLATED=/usr/local/scripts/modsec_alert.pl
QUERY_STRING=q='object+levels%
REDIRECT_STATUS=302
REMOTE_ADDR=XXX.XXX.XXX.XXX
REMOTE_PORT=45852
REQUEST_METHOD=GET
REQUEST_URI=/cgi-bin/search.cgi?q='object+levels%
SCRIPT_FILENAME=/usr/local/apache/vhosts/www.domain.com/cgi-bin
SCRIPT_NAME=/cgi-bin
SERVER_ADDR=XXX.XXX.XXX.XXX
SERVER_ADMIN=foo@bar
SERVER_NAME=www.domain.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache

This shows me detailed information about the request which was declined and why. I wanted to get similar functionality out of mod_evasive and I achieved this with the following additional code (butchered from mod_security).

C++:
  1. if (sys_command != NULL) {
  2.   char **env = NULL;
  3.   const char *args[5];
  4.  
  5.   ap_add_cgi_vars(r);
  6.   ap_add_common_vars(r);
  7.  
  8.   env = (char **)ap_create_environment(r->pool, r->subprocess_env);
  9.  
  10.   ap_cleanup_for_exec();
  11.  
  12.   args[0] = filename;
  13.   args[1] = text_add;
  14.   args[2] = NULL;
  15.   execve(sys_command, (char ** const)&args, env);
  16. }

The original mod_evasive code is expecting a sprintf format string as the parameter 'sys_command' allowing you to define a position with '%s' where the IP address should be inserted. My code above does not to this, it expects 'sys_command' to be the path to the executable which takes a single argument of the IP address.

This change can be applied automagically - to the Apache 1.3.x version of mod_evasive.c only - with the following patch: mod_evasive_execve.patch

Assuming mod_evasive_1.10.1.tar.gz & mod_evasive_execve.patch have already been downloaded to the same directory:

[foo@bar ~]$ tar zxf mod_evasive_1.10.1.tar.gz
[foo@bar ~]$ cd mod_evasive
[foo@bar mod_evasive]$ patch -p1 < ../mod_evasive_execve.patch
patching file mod_evasive.c
[foo@bar mod_evasive]$ $APACHE_ROOT/bin/apxs -iac mod_evasive.c
gcc -DLINUX=22 -DEAPI -I/usr/include/gdbm -DUSE_HSREGEX -fpic -DEAPI -DSHARED_MODULE -I/usr/local/apache/include -c mod_evasive.c
gcc -shared -o mod_evasive.so mod_evasive.o
[activating module `evasive' in /usr/local/apache/conf/httpd.conf]
cp mod_evasive.so /usr/local/apache/libexec/mod_evasive.so
chmod 755 /usr/local/apache/libexec/mod_evasive.so
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak
cp /usr/local/apache/conf/httpd.conf.new /usr/local/apache/conf/httpd.conf
rm /usr/local/apache/conf/httpd.conf.new
[foo@bar mod_evasive]$

Now create a simple shell/perl/something script to use this info. My example emails myself and the address listed as the SERVER_ADMIN, because each VirtualHost on my server has a 'ServerAdmin' entry with the owners email address, my customers get a copy of the email too.

PERL:
  1. #!/usr/bin/perl
  2. # /usr/local/scripts/mod_evasive_alert.pl
  3. $IP=$ARGV[0];
  4. $MSG="mod_evasive has blacklisted the IP $IP.\n\n";
  5.  
  6. foreach $key ( sort keys %ENV ) {
  7.    $MSG .= $key . "=" . $ENV{$key} . "\n";
  8. }
  9.  
  10. open(SENDMAIL, "|/usr/sbin/sendmail -t") or die "Cannot open sendmail: $!";
  11. print SENDMAIL "Reply-To: foo\@bar\n";
  12. print SENDMAIL "Subject: [lobstertechnology.com] mod_evasive alert $IP\n";
  13. print SENDMAIL "To: " . $ENV{'SERVER_ADMIN'} . "\n";
  14. print SENDMAIL "Cc: foo\@bar\n";
  15. print SENDMAIL "Content-type: text/plain\n\n";
  16. print SENDMAIL $MSG;
  17. close(SENDMAIL);

Now configure mod_evasive to execute your script when it is triggered, add the following to your $APACHE_ROOT/conf/httpd.conf:

CODE:
  1. <ifmodule mod_evasive.c>
  2.     DOSSystemCommand    "/usr/local/scripts/mod_evasive_alert.pl"
  3. </ifmodule>

Now restart Apache:

[foo@bar mod_evasive]$ $APACHE_ROOT/bin/apachectl restart
/usr/local/apache/bin/apachectl restart: httpd restarted

Tada! You're done. Use the 'test.pl' script provided by mod_evasive to trigger a blocking of your IP and see the email generated.

Fedora Core 5 on VMWare 5.5

Fedora Core 5 was released yesterday, I attempted to upgrade my existing Fedora Core 4 installation in VMWare Workstation 5.5.0 and encountered a problem.

Fedora isn’t automatically detecting the VMWare SCSI device, it presents a warning that there were no hard drives were detected. I found you can resolve this by manually adding the BusLogic device during setup.

See the following sequence of screenshots.

1. Default Boot Screen
Installation Boot Screen

2. Warning Message "No hard drives have been found."
Warning

3. List of Automatically Detected Devices
Detected Drivers

4. Manually Selecting the "BusLogic MultiMaster SCSI" Driver
Add Device

5. List of Detected Devices now including the BusLogic Driver
Drivers List

After doing this everything installed normally, Good Luck!!

Wordpress 2.0.2 ‘Security Release’

Matt announced a security release for Wordpress today on the Wordpress Development Blog. This release addresses unannounced XSS problems apparently with comment posting & registration. The files affected by this release are:

wp-admin/admin-functions.php
wp-admin/admin-header.php
wp-admin/admin.php
wp-admin/edit-pages.php
wp-admin/import/blogger.php
wp-admin/list-manipulation.php
wp-admin/menu-header.php
wp-admin/post.php
wp-admin/user-edit.php
wp-comments-post.php
wp-includes/classes.php
wp-includes/comment-functions.php
wp-includes/functions.php
wp-includes/js/tinymce/langs/en.js
wp-includes/js/tinymce/plugins/wordpress/langs/en.js
wp-includes/js/tinymce/tiny_mce_gzip.php
wp-includes/template-functions-general.php
wp-includes/template-functions-links.php
wp-includes/version.php
wp-register.php
wp-settings.php

Here is a short summary of some of the notable changes:

wp-admin/admin-functions.php

- Forced default values of $_POST['comment_status'] = 'closed' & $_POST['ping_status'] = 'closed' when they are not set.
- Added escaping of attachment data-objects.
- Added escaping of posts data-objects.

wp-admin/admin-header.php

- Added check for 'manage_categories' privileges before showing the "Add" option to the category list while writing a post.

wp-admin/list-manipulation.php

- Abstracted deletion of links from direct SQL to a wp_delete_link method.

wp-admin/menu-header.php

- New 'admin_notices' Action allowing plugins to insert HTML immediately after the 'adminmenu' and 'submenu' <ul>'s. I think I'll be using that for my "New version of SpamKit available" messages.

wp-admin/post.php

- Additional HTTP Referrer checks using the 'check_admin_referer' method when submitting a new post, editing an attachment and editing a post.

wp-admin/user-edit.php

- Additional HTTP Referrer checks using the 'check_admin_referer' method when updating a User.

wp-includes/comment-functions.php

- Sanitising of user-submitted Name, Email & URL from cookies.

wp-register.php

- Forced blank default value of user-submitted email address & login name.
- Sanitising of the display of user-submitted email address & login.

I have created a patch to take 2.0.1 installations of Wordpress up to version 2.0.2 without having to reinstall and possibly loose customisations.

http://svn.lobstertechnology.com/wordpress-patches/wordpress-2.0.1-2.0.2.patch

You can apply this patch from the top directory of your Wordpress installation using the 'patch' program from a UNIX shell.

patch -p1 < wordpress-2.0.1-2.0.2.patch

Full Example Usage:

[michael@lobstertechnology ~] $ cd blog.lobstertechnology.com
[michael@lobstertechnology blog.lob...] $ patch -p1 < wordpress-2.0.1-2.0.2.patch
patching file wp-admin/admin-functions.php
patching file wp-admin/admin-header.php
patching file wp-admin/admin.php
patching file wp-admin/edit-pages.php
patching file wp-admin/import/blogger.php
patching file wp-admin/list-manipulation.php
patching file wp-admin/menu-header.php
patching file wp-admin/post.php
patching file wp-admin/user-edit.php
patching file wp-comments-post.php
patching file wp-includes/classes.php
...
[michael@lobstertechnology blog.lob...] $

Alternatively, you can simply replace only the files which have changed - listed above.

;)

WP Plugin » SpamKit Plugin 0.4 – Time-Based-Tokens to Fight Spam

This is a pretty significant release of SpamKit Plugin which provides some cool new features. This is checked into Subversion over at WP-Plugins.org and you can download the new version here spamkit-plugin.php.

Released as version 0.4:
* Added options page, this required sanity checks to prevent double definition of functions, implemented in a C-style #ifdef / #define pattern.
* Added full configuration functionality, this is done using built-in defaults, overridden by saved options making it upgrade proof.
* Added new EXPERIMENTAL check, comments posted by clients with no User-Agent string are auto-spammed and dont make it to the moderation page.
* Added new EXPERIMENTAL check, submitted email address is subject to format validation & DNS check for a mail exchanger.
* Updated to use Gerry's new OO-based TBT code removing the dependancy on MCRYPT.
* Removed any path-dependant problems, making it compatible with all WP installs *i hope*.
* Added option to place trackback & pingbacks in the moderation queue, disabling this option causes them to be auto approved.
* Added option to moderate comments which fail TBT checks, disabling this option will mean the comments are automatically marked as spam and will never be seen.

Known Issues:
* Because direct calls to this script (for the badge) cannot access WP or any options, there is no easy way to provide a configurable /tmp directory. There is however a configuration option to disable this functionality if it causes problems.