Archive for the ‘Linux’ Category

Nobody Should Have To Run Exchange

Friday, August 13th, 2010


Microsoft Exchange sucks. It is entirely too big, requires way too much administration and costs a ridiculous amount (especially considering it'll cost you extra for things like antispam). I am sure that plenty of large organizations choose to run Exchange because they feel more comfortable running an application manufactured by an enormous corporation that ripped off Stacker and forced the use of their browser. Anyways, I went searching for a better way to do email and it wasn't so straightforward.

In my search I assumed the following requirements:

- SMTP (obviously this one is required)
- IMAP (this is how I like to store/read my email)
- RBL (there's a few good ones out there)
- SSL/TLS ('cause I want to send/receive email from other places too)
- No Java (seriously, Java is a pig)
- No .NET (seriously, .NET is a pig)
- Simple backup/restore (durrr, why make it hard right?)

I started off by trying Linux, I like Debian, and began there. I found numerous tutorials explaining how to set up very enterprise-like email scenarios but they were all dependent on doing things exactly as they were explained. Deviation from the described plan seemed to be more painful than it should have been. You can make a pretty impressive system out of Postfix (MTA), Dovecot (POP/IMAP), SpamAssassin (duh), MySQL (users, domains, aliases, etc) and SquirrelMail (webmail)… but I couldn't find a reasonable interface for managing settings, domains, users, etc. I'd even settle for a simple web interface but then you'd be adding Apache and PHP and whatever the fuck else to the mix. I then checked out CentOS, quickly lost my motivation and gave up on Linux.

OK, so I am back at Windows… and trust me, I don't WANT to be. I wanted to see if I could do it on NT4 which would be bitchin' for anyone wanting to have appropriate licensing, but that didn't work out. Maybe that was a bad idea to begin with since NT has absolute shit for USB support. Why do you want USB support on a mail server? Well, it just might be a cheapass way to back that shit up (remember, I was going for cheap). OK, so now I am working with Windows 2000 Server…

I found a few that were supposed to be free but they had limitations that made them worthless to anyone who wasn't using it just for their family. Xeams looked good but needed Java, and hMailServer is dependent on .NET. There is an old version of hMailServer (version 4.4.4 I believe) that doesn't require .NET but doesn't have the ability to use SSL/TLS. So as it stands, right now my snork.ca email is being run on hMailServer v5.x and I have a Windows 2000 machine with SP3 that runs it. This is the best I could do? :-(

Anyone have any bright ideas? Suggestions? Annoying comments? Anything?

Booyeah For logtail

Sunday, January 10th, 2010


So somewhat recently I set up a couple of Linux boxes to act as routers [rather NAT gateways] for a couple of Internet connections. I've been pretty happy with the way they have been working but I was hoping for some elevated monitoring. These machines are accessible via SSH and I wanted to find a way to get a notification if some douchebag was trying to login to my sshd with some bruteforce crap or even just typing in passwords. In all likelihood I would permanently ban the IP address (or the ISP) from logging in to my SSH server. I'd like to leave it open to most places though, so that I might manage my router from wherever I happen to be (and so I might use tunneling from wherever I might be, to access other machines).

I found a few software solutions like fail2ban & denyhosts. I might give denyhosts another chance but in the meantime I found that this works quick n dirty. First you need the logtail and sendemail packages installed, then you cron this to happen every hour or so

logtail /var/log/auth.log | grep -i "failure" | sendEmail -f 'myrouter@domain.com' -t 'alertme@domain.com' -u 'Login Failure' -s smtp.domain.com

logtail will keep a record of where it left off examining your log file, so it will only show you new entries in your logs. grep will search out the failures of course, and sendemail will send off an email showing the log entries. I'll keep fuckin with this and if it fits the bill I might just keep it, though that DenyHosts thing looks pretty slick too. And how the hell do ya keep it from emailing if there is no new entry?
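Here is one way to answer that last question, as an added example that is not part of the original post: a small wrapper that does the same "what's new in auth.log, grep it, mail it" job but only sends when there is something to send. The offset bookkeeping is done inline (the same trick logtail uses) so the script runs without the logtail package, the mail step is a parameter so it can be exercised with `cat` below and run for real with the sendEmail line from the post, and the pattern is widened to also catch "Failed password" lines, which a plain grep for "failure" misses. Paths, the cron line and the sample log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example, not the post's own one-liner: a cron-friendly wrapper around the
# "logtail | grep | sendEmail" idea that stays quiet when there is nothing new.
# The offset bookkeeping is done inline (the same trick logtail uses) so this runs
# without the logtail package; the mail command is a parameter, so it can be
# exercised with `cat` here and run for real with the sendEmail line from the post.
# The pattern also catches "Failed password" lines, which plain "failure" misses.

# new_failures LOG OFFSETFILE
# Print the lines appended to LOG since the last run that look like a login
# failure, then remember the new byte offset. If the file shrank (logrotate),
# start again from byte 0.
new_failures() {
    log=$1
    off=$2
    last=0
    if [ -f "$off" ]; then
        last=$(cat "$off")
    fi
    size=$(wc -c < "$log" | tr -d ' ')
    if [ "$size" -lt "$last" ]; then
        last=0
    fi
    tail -c +$((last + 1)) "$log" | grep -iE 'failure|failed password' || true
    echo "$size" > "$off"
}

# report_failures LOG OFFSETFILE MAILCMD [ARGS...]
# Pipe the new failures into MAILCMD only when there are some; print the number
# of lines reported (0 means nothing was sent), so cron never mails an empty report.
report_failures() {
    log=$1
    off=$2
    shift 2
    body=$(new_failures "$log" "$off")
    if [ -z "$body" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$body" | "$@" > /dev/null
    printf '%s\n' "$body" | wc -l | tr -d ' '
}

# demo: three passes over a constructed auth.log (sample lines, not a real
# capture). Expected: 2 lines on the first pass, 0 on the second, 1 after one
# more failure is appended.
demo() {
    dir=$(mktemp -d)
    log=$dir/auth.log
    off=$dir/auth.log.offset
    cat > "$log" <<'EOF'
Jan 10 03:14:01 router sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:02 router sshd[2231]: pam_unix(sshd:auth): authentication failure; rhost=203.0.113.5
Jan 10 03:15:10 router sshd[2240]: Accepted publickey for bob from 192.168.0.20 port 40000 ssh2
EOF
    a=$(report_failures "$log" "$off" cat)
    b=$(report_failures "$log" "$off" cat)
    echo 'Jan 10 04:00:00 router sshd[2250]: Failed password for root from 203.0.113.9 port 51300 ssh2' >> "$log"
    c=$(report_failures "$log" "$off" cat)
    rm -rf "$dir"
    echo "$a|$b|$c"
}

# Real use from cron (every hour, as the post suggests), assumed paths:
#   0 * * * * /usr/local/sbin/sshfail.sh
# with the last line of that script being something like
#   report_failures /var/log/auth.log /var/tmp/auth.log.offset \
#       sendEmail -f 'myrouter@domain.com' -t 'alertme@domain.com' -u 'Login Failure' -s smtp.domain.com
if [ "${1:-}" = demo ]; then
    demo
fi
```

Run `sh sshfail.sh demo` to see the three passes print `2|0|1`. Keeping the offset file somewhere that survives reboots (not /tmp) matters, otherwise the first run after a restart re-mails the whole log.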

sshd Host Access

Sunday, January 3rd, 2010


I recently came across an article describing how to limit access to sshd… here's generally what it said:

The Debian packages of OpenSSH are compiled with tcpwrappers support, which means you can specify which hosts are allowed to connect without touching your firewall.

The two important files are:

/etc/hosts.allow
/etc/hosts.deny

The first can contain entries of hosts which are allowed to connect, the second contains addresses which are blocked.

Assuming that you wish to allow the remote addresses 1.2.3.x, and 192.168.0.x to connect but nothing else you would setup the files as follows. Firstly allow access by placing the following inside /etc/hosts.allow:

# /etc/hosts.allow
sshd: 1.2.3.0/255.255.255.0
sshd: 192.168.0.0/255.255.255.0

Then disallow all further access by placing this in /etc/hosts.deny:

# /etc/hosts.deny
sshd: ALL

Make Your Own Router

Friday, January 1st, 2010


Lately I have had some troubles with my routers. I hate calling them routers but calling them "NAT Gateways" would confuse a lot of people. I have been experiencing occasional disconnects from my USR 8000A router and complete lockups from my Linksys BEFSR81. I have a D-Link DI-604 lying around but I just didn't feel like fucking with it. These devices have pretty limited requirements (make network connections and transfer packets between them using NAT), there are other features but frankly it shouldn't be that demanding. None of my routers are good candidates for dd-wrt or OpenWrt so I wondered if it might be reasonable to make my own Linux "NAT Gateway". I am kind of partial to Debian but this could be done with any current distribution.

NOTE: It is important to realize that the Linux kernel version will influence what methods are used to route packets. Kernel 2.0 used ipfwadm for this functionality, while 2.2 used ipchains, 2.4 and 2.6 kernels use iptables. Since 2.4 has been around for almost a decade I think it is safe to say that iptables should be used if you are on anything even remotely current.

Step 0: Where to start?

To begin with, it probably helps to have some idea why you want to have a router and what it actually does. The Internet is not a "thing" and it is not a "place"… it is simply a bunch of little networks all plugged into each other. If you want to add your PC to the chaos then you can plug it right into your ISP. However, if you have more than 1 PC at home, or if you want to shelter your PCs from Internetards then a router is a simple solution. What's that mean? Well, let's start with the "shelter" concept. Network cables plug all this shit together, and TCP/IP is the language that computers speak when using those cables. There are different kinds of cables and different languages computers use, but for the home Internet user, ethernet and TCP/IP are pretty much the standard. TCP/IP works kind of like regular postal mail, everyone needs an address to communicate with others. Here are a few examples that might help make the analogy a little more clear:

IP address: this would be your home address in postal mail
Packet: this would be like the envelope you send your letter in
TCP/IP: English
Router: one of the postal service locations

I'm just making that shit up but the idea is that there are some similarities between the way information moves around on the Internet and how it moves around by snail mail. So why do you care? Well, the addresses are why you care. In TCP/IP there are a limited number of addresses and that means there are a limited number of machines that can talk on the Internet. However, there's a workaround/exception that lets many more machines talk without having to use up extra addresses. Certain ranges of addresses are reserved for "private networks" and if you have a home router you have probably seen this in the form of 192.168.0.X addresses. Those addresses do not actually exist on the Internet. So how does that work?

[Image: a quick n dirty example of a home network]

If you were to plug your PC directly into your home Internet connection then it would likely end up with a real Internet address. This means that if your PC were running any "Listening Services" then they would likely be accessible by the Internet at large. What does that mean? Well if you had webserver software like IIS, Apache or PWS then anyone who could find you could see whatever your computer is serving up. Or if your machine had some ftp software running on it, then people could potentially be trying to log in to your ftp server. In case you hadn't picked up on it yet, this is bad. Now hopefully your PC is set up appropriately and you do not have anything listening for people who want to contact your computer. Perhaps you have a software firewall installed on your PC (or maybe it came with one) and your PC won't reply to these people. However, if your home network is configured as in the above picture, then the router is the one that gets the real address from your Internet provider. It then uses those fake 192.168.0.X addresses to talk to your computers, laptops, printers, iPods and other devices in your home. When your PC wants to see something on the Internet it passes the request to the router and the router uses its real address to make the request for you. When the reply comes back, the router knows it is for your PC and it sends it in to you. In addition to all this, if you actually WANT your webserver to be accessible to the outside world, then you can set up "port forwarding" rules on the router to let just that service be accessed as if your PC was the one with the real address. Names for this are often NAT, PAT, SNAT and a couple others… the important part is the "T" at the end. It stands for Translation and that is what the router does to make individual services available from within your network. This is how a router "shelters" your PC, this is also how a router allows you to give multiple devices Internet access with only a single address.

Now that you know it is nice to have a router, why would you want to build one instead of just going to the store and buying one? Well I can only think of a few reasons

1. You want to learn about Linux
2. You want very detailed control of your router's rules
3. You want logging that doesn't suck
4. You want additional features your router doesn't have
5. You want to see if a Linux machine will be more stable than that locked up crappy router
6. You think I am brilliant and just want to copy me
7. You know that chicks dig geeks

Step 1: OK, where to really start?

I am sure that some people would love to brag about the antiquated hardware they can run a Linux router on, however, I'm not that guy. I would think that a mid-level Pentium III with 256M (maybe 512M) of memory would be nice. This is plenty of horsepower… of course it could be run on less but why push your luck?  Too cheap to pull an old PIII out of the closet? Your machine will need two network cards of course, one to connect to your internal network and one to connect to the ISP's network. Then you'll need a copy of Linux. I would suggest going to Debian.Org and getting that, but you could use almost any distribution (though some of the instructions might be slightly different for other distros). If you decide to try Debian then the netinst CD should probably do fine. It is about 150M or so for the i386 version. Get it and burn it on to CD… run through the install on your box. I did a "standard system" install on my box (which has no X-Windows) but you can do whatever the hell you want with yours. Almost all of what is required for the router is command line stuff and editing text files. You can edit text files with something similar to Notepad in X-Windows or just use nano at the command line.

Step 2: Network Cards

Now once you have Linux up and running you need to make sure that you can see both of the network cards. In Linux the command line interpreter is often called "terminal", whatever you want to call it, you wanna open it and use the ifconfig command to check out your network cards.

[Image: output from my ifconfig]

What the hell is all that? Well the last one (the one called lo) is the "loopback" device which is not actually a network card but rather a reference to your machine's ability to talk TCP/IP. The ones you would care about are eth0 and eth1 (which are basically "ethernet device 0" and "ethernet device 1"). For those of you who are accustomed to starting at 1 when you begin counting, just suck it up and accept that this numbering system starts at 0.

Now what happens if you don't have eth0 and eth1? I would suggest editing your /etc/network/interfaces and check to make sure that your second NIC is listed there.

nano /etc/network/interfaces

You can find general information about the syntax and setup of the interfaces file here (PS: I know it says Ubuntu, but did you know that Ubuntu is based on Debian and many configuration files are very similar?). OK, you added an entry for the second nic but it doesn't show up still?

Well you can use the command

ifconfig -a

to see all your NICs even if they are currently down. If you do not see both your NICs then you are likely having a problem with the driver for one or both of them. You can use

apt-get install modconf

to install a nice little util for playing with the drivers… you'll probably have to scroll down a fair bit to get to the NIC drivers, but they're there. Just type in modconf to start it and it will pop up as a menu driven app that you navigate with your arrow keys. Make sure that the driver for your network card is loading, Google is your friend here, use the right driver. Now what if you have both cards listed but they list as eth0 and eth3? Where do you change those names? Well, if you made multiple changes with modconf or different network cards it might be udev screwing that up. I had this problem and had to

nano /etc/udev/rules.d/70-persistent-net.rules

to get rid of the extra junk that was left behind by installing different network cards and screwing with drivers. You'll see that the names of your NICs are there and you can change incorrectly named NICs as well as delete entries that are not needed. If this doesn't get both of your NICs setup as eth0 and eth1 you got something seriously fucked up going on.

NOTE: When setting up the /etc/network/interfaces file I found it best to give both cards static addresses on different subnets. If you don't know much about subnetting, try this explanation. If you still don't understand it much use 192.168.0.1 for your internal card and DHCP (or your ISP issued static IP) for your external card. This will mean that later on, during the DHCP portion in Step 6, you'll be using the 192.168.0.X subnet for your DHCP scope.

Step 2b: You have a PPPoE Link?

Some folks will have a PPPoE link that doesn't work quite the same as a regular DHCP or static address. The PPP part stands for Point-to-Point Protocol and the oE is for "Over Ethernet". It is often seen on DSL links for authentication and as a result requires a name and password from your ISP. If this is what you have then you will want to

apt-get install pppoeconf

Have both of your network cards set up as eth0 and eth1, then plug in to your provider and run pppoeconf. It is a nice little menu driven app that will look for a concentrator to log in to, ask you for the name and password needed and then update your /etc/network/interfaces file for you. If you have this kind of link you will probably find that you need to use ppp0 as your external network card.

Step 3: Get Rid Of Shit You Don't Need

There's a few things that may have been put on your system by default during the install which you can get rid of, or should get rid of.  Try using

userdel -r <name>

to get rid of a lot of the non-essential users that you'll find in /etc/passwd. It would be wise to keep root, a non-privileged user to login as, and man. When you are done doing that you might want to get rid of some applications that are installed by default. To dump them you can use

apt-get remove <packagename>

here's a little list of some of the stuff you can drop… I am sure there's more though:

eject
iamerican
ibritish
ispell
laptop-detect
wamerican
exim4-base
exim4-config
nfs-common
nfs-kernel-server
netatalk
portmap
analog
samba

Step 4: Remote Management

I personally didn't install X-Windows on my router box, my plan is to use SSH to manage it. SSH allows me to log in to it from wherever I need to, and it is encrypted so I could even access my router from a machine across the Internet if I wanted. You may choose to install X-Windows and you may even decide to use VNC (or SSH/VNC) to remotely manage it. Hell, maybe you'll plan to manage it right from the local console. To install SSH run

apt-get install ssh

If you elect to use SSH as I did, here are some suggestions I would make:

1. Set the ListenAddress directive in your /etc/ssh/sshd_config to the address of your internal network card. This will limit access to the router to your internal network only and will keep "external goofs" from trying to guess passwords.
2. If you make your router's SSH accessible from the Internet (the external card), use the Port directive to make it listen on a port other than 22. This means that when you try to connect to your router you'll have to connect to the non-standard port. It also means that jackasses in Korea are less likely to find your SSH server.
3. Deny root access to your SSH server with DenyUsers root. You may wish to further limit access to other usernames and groups but if you are the only one logging in to your router then the best setup might be only allowing a non-privileged user to SSH in and then use su to perform tasks that require admin access (which is most of what you would do on this box anyways).

Step 5: Is It A Router Yet?

Now to make your box into a router you need to use iptables commands. The commands are put together in a script (similar to a DOS batch file). The script should begin by clearing out any current rules, then setup the ability for your internal machines to "get out", then provide rules for machines to come in on (if necessary). The folks at AboutDebian have a REALLY nice writeup on these scripts, you first look at their Proxy page HERE and then the Firewall page HERE. You can seriously make these scripts relatively simple or brutally complex, it's up to you. It is entirely fine to use the proxy setup alone and if you need to allow for some port forwarding, just add two lines to allow access. Just remember that iptables will be cleared upon reboot so if this thing is your primary means of Internet access then you must add the script to your startup (see Automated Startup section on Proxy page). This part of the config is entirely personal based on your network config and what you want to have available from both directions.
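Since the post points at the AboutDebian scripts rather than showing one, here is a minimal version of such a script as an added example, not the AboutDebian code and not the post's own. It follows the order described above (flush, let the inside out, then let selected traffic in) and keeps the router's own services (SSH, DNS, DHCP) reachable from the internal card only. The interface names, the LAN range and the port-forward target are assumptions to change for your box; setting IPT=echo dry-runs it and just prints the rules.

```shell
#!/bin/sh
# Added example, not the AboutDebian scripts the post links to: a minimal
# iptables NAT gateway script in the order the post describes (flush, let the
# inside out, then let selected traffic in). The interface names, the LAN
# range and the port-forward target are assumptions; change them to match your
# box. Set IPT=echo to dry-run and just print the rules instead of loading them.

IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}
INT=${INT:-eth0}            # internal card, 192.168.0.1 per Step 2
EXT=${EXT:-eth1}            # external card (ppp0 on a PPPoE link, see Step 2b)
LAN=${LAN:-192.168.0.0/24}  # the internal subnet handed out by DHCP in Step 6

# flush_rules: wipe whatever is loaded and default to dropping anything
# addressed to the router or forwarded through it that a later rule does not allow
flush_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# lan_out: let the LAN out behind the router's real address and let only the
# replies back in; the router's own services (SSH, DNS, DHCP) are reachable
# from the internal card only, so nothing on the external side can talk to them
lan_out() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT" -s "$LAN" -o "$EXT" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
    $IPT -A INPUT -i "$INT" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$INT" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$INT" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$INT" -p udp --dport 67:68 -j ACCEPT
}

# port_forward PROTO PORT HOST: the "two lines" the post mentions for exposing
# one internal service: translate the destination on the way in, then allow
# that one flow through FORWARD
port_forward() {
    $IPT -t nat -A PREROUTING -i "$EXT" -p "$1" --dport "$2" -j DNAT --to-destination "$3:$2"
    $IPT -A FORWARD -i "$EXT" -o "$INT" -p "$1" -d "$3" --dport "$2" -m state --state NEW -j ACCEPT
}

# build_rules: the whole rule set, 17 iptables calls; with IPT=echo this
# prints the commands that would run
build_rules() {
    flush_rules
    lan_out
    port_forward tcp 80 192.168.0.10   # assumed internal web server
}

# "sh router.sh apply" loads the rules and turns on kernel forwarding; run it
# from your startup scripts, since the rules are gone after a reboot
if [ "${1:-}" = apply ]; then
    build_rules
    $SYSCTL -w net.ipv4.ip_forward=1
fi
```

Check the dry run first with `IPT=echo sh router.sh apply` (sysctl will still be called, so use `SYSCTL=echo` too on a box where you are not root), and drop the port_forward line if you have nothing to expose. The default-DROP policies on INPUT and FORWARD are what make the SSH ListenAddress advice in Step 4 belt-and-braces rather than the only thing standing between the Internet and your sshd.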

Step 6: So That Is It Right?

Sure it is… but there are a couple of extra features that you will probably want for your router. DHCP services can be added by

apt-get install dhcp3-server

and then you modify /etc/dhcp3/dhcpd.conf to configure it. Assuming that your internal subnet is 192.168.0.X then you'll want to add a DHCP scope like this:

subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option domain-name-servers 192.168.0.1;
option routers 192.168.0.1;
default-lease-time 3600;
}

The subnet line declares the 192.168.0.0/24 network, the range line hands out 192.168.0.100 through 192.168.0.150, and the two option lines tell clients on your network to use 192.168.0.1 (your router) as their DNS server and their default gateway. A lease time is thrown in as well. If you bring up a client on this network it should likely receive 192.168.0.100 as its IP address and it will depend on your router for all of its Internet access needs.

Now if you just followed those instructions then your router is also designated as the DNS server for your network. So you should

apt-get install dnsmasq

so that it will answer the DNS queries from the clients on your network. To configure DNSMasq you want to edit /etc/dnsmasq.conf, and hopefully you'll find yours as well commented as mine. You should really need only minimal changes to this file, but if you are as anti-marketing as I am you'll want to use it for more than just DNS queries. You can use it to block ad servers! Scrolling down a little in the config file will bring you to a spot with an example of how to force an address for a particular name. You can add in ad servers here with an address of 127.0.0.1 which will point your browser to your local PC whenever it tries to load something from the listed servers. Mine came with this example

address=/doubleclick.net/127.0.0.1

This means that any machine using your router as a DNS server will not be able to load ads from doubleclick.net. This works for all services, not just browsing. Some ad servers use many subdomain names like ads1.crap.com and ads2.crap.com – to block these you do not need to list all of them, you can simply use a wildcard like this

address=/.crap.com/127.0.0.1

which will block crap.com and all of the machines under it. Another thing that might come in handy here is that you can also make entries in DNSMasq to point to things on your local network… like if you had a network printer setup as 192.168.0.10 you could make an entry in DNSMasq like this

address=/printer.mydomain.com/192.168.0.10

and then you wouldn't have to use the ip address, you could just refer to it as printer.mydomain.com. Finally, if you end up using DNSMasq for blocking, here's what might happen: You open "www.coolwebsite.com" and it has banner ads at the top from "ads.douchebag.com" but instead of seeing the ads, DNSMasq points the douchebag server to your local PC. If your PC is not a webserver (which most are not by default) then you might see a message saying "Can't Find Freakin' Content" where the ads used to be. This can be cleaned up significantly by setting up a little webserver on your local machine. Nothing fancy, just something that serves up a 1×1 transparent GIF file for all requests. I typically use Windows machines for a desktop environment and have found that Homer is a great little utility for this. Assuming that you want to run Homer all the time and that you don't want to see the Homer window/icon, you could optionally run it as a service and not allow it to interact with the desktop. This can be achieved with SRVANY and INSTSRV from the Windows Resource Kit (and perhaps a little reading on a previous post I made).

CentOS Error Message

Monday, September 7th, 2009


Crap, I saved this screenshot a little while back and I totally forget what I was doing at the time. I might have been installing the VirtualBox Guest Additions or something. Anyways, it looks fuckin' funny… click HERE to see it eh.

Installing VirtualBox Guest Additions On CentOS v5.2

Monday, August 31st, 2009


Yeah, I wanted to try CentOS and it was a minor pain to put it in a VirtualBox box.

1. Create the new machine in VirtualBox as "Linux – Other"

2. Use the ISOs to install the OS

3. Open a terminal window and su to root

4. Run yum install gcc to install the GNU Compiler

5. Run yum install kernel-devel to install the required headers

6. From the VirtualBox menu select Devices -> Install Guest Additions, this will hopefully present you with a mounted filesystem in your CentOS guest.

7. Use your terminal (still under su) to copy the appropriate VBoxLinuxAdditions-<arc>.run file to a location on your CentOS filesystem. You can put it pretty much anywhere, you just need to copy it locally so you can run it, you may delete it afterwards.

8. Run the ./VBoxLinuxAdditions-<arc>.run and let it install.

How ya like them apples?

Diagram Designer Update

Saturday, August 29th, 2009


You know, after my last post I thought that it might be unfair to say that it doesn't work under Linux. So I checked, and it works just fine under Wine. So now I guess the worst thing I can say is that the grid lines (or rather dots) seem to work a little odd to me. That is easily customizable though in the settings dialog (press F9). Screw you Microsoft, I don't need Visio now!

ntfs-3g in Debian

Sunday, August 2nd, 2009


Now why the hell wouldn't ntfs-3g be installed by default? Does it take up a lot of diskspace? Perhaps it is unstable? Perhaps not? Booo!

And Don't Forget The Freakin' Broadcom Wireless NIC!

Friday, July 24th, 2009


That's right, I have a Broadcom BCM4312 wireless NIC in my Lenovo N500 laptop and the Linux driver is a bit of a bitch. Well, if I use Ubuntu it will recognize it and ask me if I want to install the not-so-free drivers. Debian is not so enthusiastic. So I went to Broadcom's Website and grabbed the driver they had available there. But wait, it's not that easy… I also needed these instructions I found from Andy Kelley. In short, here's the steps:

1. Download the drivers from Broadcom's Site

2. Make sure ya got the headers: apt-get install build-essential linux-headers-`uname -r`

3. Make sure ya got "make": apt-get install make

4. From the Broadcom instructions: make -C /lib/modules/`uname -r`/build M=`pwd` clean

5. Also from Broadcom's instructions: make -C /lib/modules/`uname -r`/build M=`pwd`

6. Dump potentially conflicting drivers: rmmod bcm43xx b43 b43legacy ssb wl

7. Make sure you got TKIP: modprobe ieee80211_crypt_tkip

8. Use the new module: insmod wl.ko

There are additional steps if you would rather relocate the driver file in a more appropriate place:

9. Remove it: rmmod wl

10. Make a new dir for it and copy it: mkdir -p /lib/modules/`uname -r`/misc

10b. cp wl.ko /lib/modules/`uname -r`/misc/wl.ko

11. Put it back in: insmod /lib/modules/`uname -r`/misc/wl.ko

12. Generate the dependency: depmod -a

Then if you are feelin' really crazy you can blacklist a few drivers that might screw with it:

echo "blacklist bcm43xx" >> /etc/modprobe.d/blacklist
echo "blacklist b43" >> /etc/modprobe.d/blacklist
echo "blacklist b43legacy" >> /etc/modprobe.d/blacklist
echo "blacklist ssb" >> /etc/modprobe.d/blacklist

Oh yeah, and I would also suggest apt-get install network-manager which has a quick n' dirty interface for adding wireless networks.

Gnome Desktop Icons

Thursday, July 23rd, 2009


Shit, I am really the king of Blah Blah Blah tonight eh? Anyways, if you have a Gnome desktop and do not want to see the default icons anymore you can open "Applications -> System Tools -> Configuration Editor" and then browse to "apps -> nautilus -> desktop". There you'll find check boxes for the crap on your desktop.

… and now for Truecrypt.

Thursday, July 23rd, 2009


Yes, my laptop installation continues and now I feel like documenting Truecrypt.

1. Open Synaptic and install libfuse2

2. Then install fuse-utils

3. Then install dmsetup

4. Exit Synaptic (not kidding)

5. Go to Truecrypt's website and download the .deb (Ubuntu X86)

6. Extract the .deb from the archive and run it as root

7. Agree to the license and crap

8. Open a root terminal and cd /etc

9. Run visudo and add a line below root with the same syntax

# User privilege specification
root    ALL=(ALL) ALL
user    ALL=(ALL) ALL

10. Logoff and on again… and try Truecrypt.

Not as bad as Firefox eh?

FireFuckingFox on Debian

Thursday, July 23rd, 2009


OK, I just reinstalled my laptop. I am running Debian on it, cause I want to. However, it comes with Iceweasel and Epiphany… neither of which I like. I have installed FF2 on Linux before but have never bothered to document what I did. In an attempt to be more thorough about things I am gonna document it now (no matter how easy or annoying it may be).

1. Find out that mozilla.com has dropped the 2.0.0.20 download from their website

2. Find it elsewhere

3. Save it to my website so I can download it later [Windows version] [Linux version]

4. Download the Linux version

5. Uncompress the Linux version to a nifty location on your drive

6. Open Synaptic [or use apt-get] and install libstdc++5

7. Open a root terminal and cd to /usr/local/bin [or anywhere in the path really]

8. Create a link with ln -s /unarchivepath/firefox firefox

9. Add to the menus if you want

10. Run it

11. Get rid of the bookmarks toolbar

12. Download and install CustomizeGoogle_v0.76, AdBlockPlus_v1.0.2, and CookieSafeLite_v1.4

13. Run through Customize Google and setup ad blocking

14. Add Snorkuscription and point it to HERE

15. If you insist on having Flash player, get the old version here

16. Hmmm, I guess maybe check the preferences to see if there is anything else to turn off

There, that wasn't so bad was it?