Firewalld, firewall-cmd and Fail2Ban

Basically I’ve been looking at upgrading a web-server to the latest version of Fedora 19, or when it’s released later this year CentOS 7.0 (providing it’s easy for them when RHEL 7.0 is released), however knowing that iptables is now becoming redundant in favour of firewalld in Fedora I started looking at updating my web-server install script to work with firewalld.  Knowing part of that is Fail2Ban and that uses iptables my first port of call was finding a way of getting these two working together.

My first obvious search for “firewalld fail2ban” returned nothing helpful whatsoever, just people wanting a conf file to get it working with no actually helpful response, however once I found that firewalld uses firewall-cmd on the command line to control the rules I searched for that. This turned up a current bug posted on RedHat’s BugZilla: https://bugzilla.redhat.com/show_bug.cgi?id=979622 , where it turns out a very helpful soul, Edgar Hoch, has created an action.d conf file to get it all working: https://bugzilla.redhat.com/attachment.cgi?id=791126

Fedora 19, GNOME 3 and nVidia graphics

After upgrading to the latest version of Fedora a few months ago I was terribly un-impressed. The box in question had been upgraded every 6 months (-ish, thanks to Fedora 18) since Fedora 14 and I’d never had any issues, but then came Fedora 19.

To be fair it wasn’t Fedora’s fault per say, it was GNOME 3 and the open source nVidia graphics drivers. The desktop looked ok when you booted the box, but if you tried to use the Activities section, none of the transparency worked, and a lot of the Favourite icons in the dock had a luminous green behind them when you hovered over them.  What was worse was trying to launch a non-favourite application, click to do that and you could see the first 6 frequently used ones, but no others, and none under the “all” tab. This obviously made the whole experience pretty much unusable.

I went through the obvious investigations, straight away looking for some better nVidia graphics drivers.  I didn’t expect to find any official nvidia drivers after Linus’ hilarious rant last year. However, it turned out there was. I first tried downloading them from nVidia but their installers were less than helpful, and none wanted to install on my system regardless of fulfilling their dependencies. I then tried looking elsewhere and remembered the trusty basic linux guide site If !1 0. I found a guide on there for Fedora 18, and adapted it for Fedora 19, but unfortunately that wouldn’t work due to a mass amount of package conflicts.  I’d been meaning to wipe the system for a while and start again, so backed up the /etc/ folder to another drive, wiped the partitions, then installed Fedora 19 and used the guide again and all was fine and dandy.  The boot screen is the basic plymouth one rather than the more graphical splash one, but apart from that everything works and I don’t have awful un-usable graphics anymore.

If you want the latest guide, which is for Fedora 19, go here: http://www.if-not-true-then-false.com/2013/fedora-19-nvidia-guide/

BETT 2013

Well, Just over a week ago I got back from attending my first BETT show, and I have to say it was an amazing experience.

It had everything, from hearing about 3 seconds and having a fleeting glance of Brian Cox, providing my “technical advice” to customers when I could, spending hours packing / handing out bags, many trips to storage to retrieve stock, meeting hundreds of enthusiastic customers eager to get our bags or stress balls, and clearly the best bit on the stand being when we had quite a few of the staff doing “Double Dream Hands” on Saturday (I mean, why wouldn’t we!!!).

Overall it had quite a familiar experience to when I previously worked as both a waiter and barman during my 6th form college & university years.  The at times very fast paced work, but also constant interaction with the general public is always something I’ve enjoyed and fed off (yep, call me a wierdo, but I enjoy running about at work every once in a while, and this was definitely one of those times). The atmosphere amongst the staff was also brilliant. Everyone pulled together and created a great atmosphere. This kept everyone going and kept everything working like a well oiled machine to try to give the customer everything they wanted, even when (most of the time) all of demonstration pods were busy, and our sales team couldn’t give any more demonstrations due to the constant influx of enthused new and existing customers.

As purely a developer it was also a great experience. Seeing how enthusiastic customers are to get their hands on our new product, and hearing how much they feel it’ll help in so many ways in their school, makes you enthused both as an individual, and as part of the team, to carry on producing the already great product we create to make a massive difference to the education of children.

Overall as I’ve already done on twitter I’d definitely like to thank both all the visitors to our stand, and all my colleagues, both those I finally properly met at the event, and those I’d already been working with, you all helped contribute to a thoroughly enjoyable working week.

NginX – Blocking per IP address or range

Yep I know what your thinking, blocking  by IP inside NginX, shouldn’t you be doing that at firewall level instead? Yes, if it comes from the actual IP, you should. Programs such as Fail2ban provide the functionality to automatically block unscrupulous IPs via iptables thus the traffic never gets anywhere near your software.

The problem comes however when your using a service such as Cloudflare. As far as the firewall is concerned the IP is that of Cloudflare, not the actual end user. Thus we then have to fall back on the next layer, which in this case is NginX. Utilising the RealIP Module we can set the user’s actual IP address into the correct server variable. Once we’ve done this anything running from NginX (PHP-FPM etc.) will see the remote address as the correct one rather than Cloudflare’s IP.

Anyway, to the point, blocking the IPs you don’t like. To do this you simply need to use NginX’s geo module. With this you can compare the provided remote address to a list and set a variable inside the http definition in nginx.conf:

geo $ban_ip {
default 0;
10.1.0.0/24 1;
192.168.0.254 1;
};

Once you’ve set this up you can use that variable inside the individual server definitions to send different http response codes for those specific IP addresses:

if ($ban_ip) {
return 404;
}

or you can tell NginX to simply drop the connection,

if ($ban_ip) {
return 444;
}

which if combined with Cloudflare will show the user Cloudflare’s cached version of your site, so the end user is still getting your site, without your server ever serving their client anything.

Thanks for this lovely snippet of information go to Alexander Azarov.

Fedora 18 – non-graphical boot and ifconfig

After downloading Fedora 18 and creating a minimal install virtual machine I went straight to doing the default I always do.  As I was creating a test server I need to be able to see what’s happening during boot so I disable the graphical boot.

Previously (at-least up to Fedora 15) I’d used the plymouth commands to switch the graphical boot to details which had worked.

[[email protected]ocalhost ~]# plymouth-set-default-plugin details
[[email protected] ~]# /usr/libexec/plymouth/plymouth-update-initrd

However, when I tried this with Fedora 18, nope, not working, the community to the rescue. Another individual  (Nigel Smith) had had the same issue and found the solution in editing the default grub configuration file. So if you need the same visit here:

http://nwsmith.blogspot.co.uk/2012/10/customizing-grub2-boot-options-in.html

While I was at it I also noticed that ifconfig produced a “Command not found”. Erm … wha? Where did that go? Isn’t that like a basic linux command? Turns out in Fedora 18 it’s been removed due to the alternative and replacement iproute package being in place for “many years”. So you’ve now got 2 choices:

1. use the ip command:

ip addr

2. install the net-tools package:

yum -y install net-tools

Formatting a Date in PHP using ISO Format

We all know how to format a date in PHP when using the date functions, but what happens if you’ve only got the ISO format? This doesn’t work with PHP’s date functions.

Well I got this exact situation whilst using Zend_Locale in Zend Framework. Because the locale data files utilised are sourced externally the format comes back in ISO format.  A conversion function is provided (Zend_Locale_Format::convertPhpToIsoFormat) however that’s converting the wrong way and won’t help in this situation.

I went ahead and wrote a quick function which will return a formatted date using a provided ISO format, rather than PHP format.  It works like the PHP function and accepts the same parameters.

You can find the function as a gist on github:

<?php

function date_iso($format, $timestamp = null)
{
	if ($timestamp === null) {
		$timestamp = time();
	}

	$convert = array(
		'a' => 'A' , 'B' => 'B', 'D' => 'z', 'ddd' => 't', 'dd' => 'd', 'd' => 'j',
		'EEEE' => 'l', 'EE' => 'D', 'eee' => 'N', 'e' => 'w', 'HH' => 'H', 'H' => 'G',
		'hh' => 'h', 'h' => 'g', 'I' => 'I', 'l' => 'L', 'MMMM' => 'F', 'MMM' => 'M',
		'MM' => 'm', 'M' => 'n', 'mm' => 'i', 'r' => 'r', 'SS' => 'S', 'ss' => 's',
		'U' => 'U', 'ww' => 'W', 'X' => 'Z', 'YYYY' => 'o', 'yyyy' => 'Y', 'yy' => 'y',
		'ZZZZ' => 'P', 'zzzz' => 'e', 'Z' => 'O', 'z' => 'T'
	);

	$values = preg_split(
		'/(a|B|D|d{1,3}|EEEE|EE|eee|e|HH|H|hh|h|I|l|M{1,4}|mm|r|SS|ss|U|ww|X|YYYY|yyyy|yy|ZZZZ|zzzz|Z|z|[^a-zA-Z]+)/',
		$format,
		-1,
		PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY
	);
	foreach ($values as $key => $value) {
		if (isset($convert[$value])) {
			$values[$key] = date($convert[$value], $timestamp);
		}
	}
	return implode($values);
}