IRSSI Prowl Notifications

Posted on July 9, 2009 by welby

A quick script to send notifications from IRSSI for privmessages and also for highlights, I’ll put more commentary on later, but for now..

Selec All Code:
use strict;
use vars qw($VERSION %IRSSI);
use Irssi;
use LWP::UserAgent;
 
$VERSION = '0.1';
 
%IRSSI = (
        authors => 'Welby McRoberts',
        contact => 'irssi@whmcr.com',
        name => 'irssi_prowler',
        description => 'Sends a notification to Prowl to alert an iPhone of a new highlighted message',
        url => 'http://www.whmcr.com/2009/07/irssi-prowl-notifications',
        changes => 'Friday, 10 Jun 2009'
);
 
######## Config
my($PRIV_PRI, $PRIV_EVENT, $HI_PRI, $HI_EVENT, $APP, $UA, $APIKEY);
$PRIV_PRI = 2;
$PRIV_EVENT = 'Private Message';
$HI_PRI = 1;
$HI_EVENT = 'Highlight';
$APP = 'irssi';
$UA = 'irssi_prowler';
$APIKEY='7b5d817bd95911b4c049e3034dcf7a96dfa3fb53';
########
 
####### Highlights
 
sub highlight {
        my ($dest, $text, $stripped) = @_;
        if ($dest->{level} & MSGLEVEL_HILIGHT) {
                print "prowl($HI_PRI, $APP, $HI_EVENT, $text)";
                prowl($HI_PRI, $APP, $HI_EVENT, $text);
        }
}
 
####### Private Messages
 
sub priv {
        my ($server, $text, $nick, $host, $channel) = @_;
        print "prowl($PRIV_PRI, $APP, $PRIV_EVENT, $text)";
        prowl($PRIV_PRI, $APP, $PRIV_EVENT, $text);
}
 
####### Prowl call
 
sub prowl {
        my ($priority, $application, $event, $description) = @_;
        my ($request, $response, $url, $lwp);
        print 'pri: '.$priority;
        print 'app: '.$application;
        print 'event: '.$event;
        print 'description: '.$description;
 
        ######## Setting up the LWP
        $lwp = LWP::UserAgent->new;
        $lwp->agent($UA);
        # URL Encode
        $application =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;
    $event =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;
    $description =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;
        # Setup the url
        $url = sprintf("https://prowl.weks.net/publicapi/add?apikey=%s&priority=%d&application=%s&event=%s&description=%s&",
                                        $APIKEY,
                                        $priority,
                                        $application,
                                        $event,
                                        $description
                                        );
        print $url;
        $request = HTTP::Request->new(GET => $url);
        $response = $lwp->request($request);
        print $response;
}
 
####### Bind "message private" to priv()
Irssi::signal_add_last("message private", "priv");
####### Bind "print text" to highlights()
Irssi::signal_add_last("print text", "highlight");
Posted in Apple, iPhone, Linux | Tagged , , , , | 2 Comments

Lighttpd: mod_security via mod_magnet

Posted on June 19, 2009 by welby

In most large enterprises there is a requirement to comply with various standards. The hot potato in the Ecommerce space at the moment (and has been for a few years!) is PCI-DSS.

At $WORK we have to comply with PCI-DSS with the full audit and similar occurring due to the number of transactions we perform. Recently we’ve deployed lighttpd for one of our platforms, which has caused an issue for our Information Security Officers and Compliance staff.

PCI-DSS 6.6 requires EITHER a Code review to be preformed, which whilst this may seem to be an easy task, when you’re talking about complex enterprise applications following a very……… agile development process it’s not always an option. The other option is to use a WAF (Web Application Firewall). Now there are multiple products available that sit upstream and perform this task. There is however an issue if you use SSL for your traffic. Most WAF will not do the SSL decryption / reencryption between the client and server (effectively becoming a Man in the Middle). There are however a few products which do this, F5 networks’ ASM being one that springs to mind. Unfortunately this isn’t always an option due to licensing fees and similar. An alternative is to run a WAF on the server its self. A common module for this is Mod_Security for Apache. Unfortunately, a similar module does not exist for Lighttpd.

In response to $WORKs requirement for this I’ve used mod_magnet to run a small lua script to emulate the functionality of mod_security (to an extent at least!). Please note that mod_magent is blocking, so will cause any requests to be blocked until the mod_magnet script has completed, so be very careful with the script, and ensure that it’s not causing any lag in a test environment, prior to deploying into live!

Below is a copy of an early version of the script (most of the mod_security rules that we have are specific to work, so are not being included for various reasons), however I’ll post updates to this soon.

/etc/lighttpd/mod_sec.lua

Selec All Code:
-- mod_security alike in LUA for mod_magnet
LOG = true
DROP = true
 
function returnError(e)
        if (lighty.env["request.remote-ip"]) then
                remoteip = lighty.env["request.remote-ip"]
        else
                remoteip = "UNKNOWN_IP"
        end
        if (LOG == true) then
                print ( remoteip .. " blocked due to ".. e .. " --- " ..
                                lighty.env["request.method"] .. " " .. lighty.request["Host"] .. " " .. lighty.env["request.uri"])
        end
        if (DROP == true) then
                return 405
        end
end
 
function SQLInjection(content)
        if (string.find(content, "UNION")) then
                return returnError('UNION in uri')
        end
end
 
function UserAgent(UA)
        UA = UA:gsub("%a", string.lower, 1)
        if (string.find(UA, "libwhisker")) then
                return returnError('UserAgent - libwhisker')
        elseif (string.find(UA, "paros")) then
                return returnError('UserAgent - paros')
        elseif (string.find(UA, "wget")) then
                return returnError('UserAgent - wget')
        elseif (string.find(UA, "libwww")) then
                return returnError('UserAgent - libwww')
        elseif (string.find(UA, "perl")) then
                return returnError('UserAgent - perl')
        elseif (string.find(UA, "java")) then
                return returnError('UserAgent - java')
        end
end
 
-- URI = lighty.env["request.uri"]
-- POST = lighty.request
if ( SQLInjection(lighty.env["request.uri"]) == 405) then
       ret = 405
end
if ( UserAgent(lighty.request["User-Agent"]) == 405) then
       ret = 405
end
return ret

The following needs to be added to lighttpd.conf to attach this LUA script via mod magnet

server.modules += ( "mod_magnet" )
magnet.attract-physical-path-to = ( "/etc/lighttpd/mod_sec.lua")

*Update – 23 Aug 09* Updated to return code even if one test passes*

Comments or suggestions are appreciated!

Posted in Uncategorized | Tagged , , , | 6 Comments

Oyster cards and overland services

Posted on May 27, 2009 by welby

For those who know me you’ll know that I go into London on occasion but did like the fact that Woking gas no fast ticket system and hence no cheaper fares are available. You’ll also know that me and the ticket machine don’t always see eye to eye!
Imagine my glee in finding out that ousted is now available on the over ground network. Now correct me if I’m wrong but Woking is a feeder town, nothing more. So it would be safe to asume that feeder towns would get oyster. How wrong I was. Turns out that South West Trains can’t be bothered to accept oyster. Now this wouldn’t be a major issue, if the auto ticket machines worked. It takes a good 5 minuites to get a ticket by card from them. To add to the irony TFL have the backup oyster stuff running out of a computer building not even 2 miles away. All that I’m asking for is the ability for me to pre pay for say 5 trips into London and the single fare on the tube or bus, as the only +tube options we have on the auto system is zomes 123456! Why can’t oyster just be added! It would make things simpler and all in all a lot more 21st century! Also think on the trees or something!

Posted in Non Geeky | Tagged , , , | 1 Comment

RouterBoard as a Home Router – 7 Months on – Part 1

Posted on May 25, 2009 by welby

At the new year I decided that I was fed up with having my main Unix server acting as a Router (amongst other things) and decided to bite the bullet and get a full blown router. Here in lay a dilema. Being the fact that I’m a geek, I couldn’t settle for a “home” unhackable router. So this instantly ruled out most of the commercial available routers, baring those that run OpenWRT. Now don’t get me wrong, OpenWRT is more than capable, but I just didn’t feel like having to worry about hardware support, fighting with IPTables and getting hardware that probally wouldn’t scale. Now before anyone starts thinking “Scaling, but this is for a home connection!”, this is true. However I do sync my DSL at the full  24244 kbps Downstream, and 2550 kbps upstream (I live under 200m from the exchange according to my line attenuation, also my ISP doesn’t bandwidth cap, and allow for FastPath and similar to be enabled. Go BeThere!) . Also at the time, I was seriously considering investing in a secondary connection for additional bandwidth. This meant that I was left with a few choices

  • Build my Own. Using something like an ALIX/Sokeris and use something like FreeBSD (or something with a webgui for when I feel rather lazy, such as m0n0wall or pfsense. Both I’ve used previously with great success)
  • Cisco. Yes, the 800 pound gorrila of home. A ‘cheap’ 1800 or similar was going to set me back about £400, however this would have provided me most of what I needed.
  • RotuerBoard. These where, to me at least, relativly unknown. I originally looked at them for building my own system with them, and then discovered RouterOS came with the boards. This was an instant sale.

After my first look at RouterOS I was basically sold. Main reasoning behind this was that it was a comercial Linux distribution, that actually worked well as a router, and shipped with both a CLI (Nortel-esq in this case) and a *shock* gui application. It also met my main criteria.

  • Support for 802.1Q. I have multiple vLANs at home so having support for dot1q was a necessity
  • Support for 802.3ad. As I have a few machines connecting via the router, I needed the throughput, as I don’t have gigabit switching LACP support was a necessity.
  • Support for Wireless. All good routers for the home (even a geeky one) need support for 802.11(a/b/g).
  • Support for SubSSIDs. Relating to the above, I didn’t want to have 7 wireless cards for my various networks
  • Support for WPA2-PSK and WPA2-EAP. I use RADIUS to authenticate all my personal stations to a central authentication system, but I don’t want to have to add guests to this, so PSK should also be supported.
  • Support for OpenVPN. I don’t like having my traffic to / from home going in the clear at all, so I needed to be able to connect via a VPN of some sort, My preference is OpenVPN for c2s vpns (s2s is still IPSEC…. which leads onto the next point)
  • Support for IPSec. I connect to various friends networks, and yet again, don’t want this sort of traffic in the clear, we made the standard IPSec (3des/md5) a while back
  • Support for “Unlimted” Firewall rules. This may sound silly, but anyone who has worked with the lowend Sonicwalls will know what I mean, only being able to put 20 rules is EXTREMELY restrictive especially with multiple vlans! (I’ve got roughly 300 rules)
  • Support for setting DHCP options. I used VMWare ESX at home for my test lab, so I require to be able to setup the DHCP server to be able to send the correct options for PXE (or gPXE) so this was a requirement
  • Quick booting. As silly as this may sound, I don’t want boot times of upwards of 30 seconds for my router.
  • Support for Bridging of interfaces with Firewall rules. This one is rather self explanatory really!
  • Support for UPnP. Lets face it, UPnP is required for any form of Voice/Video chat these days over the main IM networks (YIM/AIM/MSNIM)
  • Support for NetFlow or similar. This one is a nice to have, as I like to use flow-tools to generate a rough guess on what type of traffic is flowing through my network
  • Support for Traffic Shaping. Ah yes, the holy grail of routers. Unfortunately the likes of TC on linux requires a degree in astrophysics to get working how you’d like!
  • Easy configuration.

After discovering (via the x86 installable and the demo units) that RouterOS would let me do all of the above, I decided to give it a whirl.

Posted in Hardware, Linux, Projects | Tagged , , , , | 6 Comments

Issues with OS X 10.5 iTunes 8.1.1 and mt-daapd (aka Firefly Media Server)

Posted on May 25, 2009 by welby

I’ve recently upgraded my iTunes installation on my MacBookPro to 8.1.1 and to my horror found that I’m no longer able to connect to my DAAP library on my NAS.

This is rather strange as the issue has only just appeared in 8.1.1 and does not appear on my windows machines which reside on a different network, and have Bonjour / Rendezvous mDNS traffic broadcast locally by RendevousProxy. After much annoyance, I decided to do a quick check of what an older iTunes library was sending out, and comparing that to Avahi. It turns out that my Avahi configuration was missing some vital Text Records. This wasn’t an issue in previous revisions of the iTunes client, but appears to be an issue in 8.1.1.

I updated my daap.service file in /etc/avahi/services/ to the following

Selec All Code:
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
  <service>
      <type>_daap._tcp</type>
          <port>3689</port>
	  <txt-record>txtvers=1</txt-record>
	  <txt-record>iTSh Version=131073</txt-record>
	  <txt-record>Version=196610</txt-record>  </service>
</service-group>
And restarted Avahi for good measure and now can connect to my mt-daapd library again!
Posted in Apple, iTunes, Linux, media, Software | Tagged , , , , , , , , , | 2 Comments

SKY on a HTPC

Posted on September 16, 2008 by welby

Recently I’ve become more and more annoyed with my SKY-HD’s disk spinning up and down, and then the power appearing to be cut to the drive, meaning that theres a rather loud click comes from it. Not a problem if you’re watching TV, as this only occurs when the box is in standby. Very annoying if you’re having problems sleeping and the thing is going clunk ever 30 minutes or so. I’ve been told that I can change a disk spin down somewhere on the box, however this doesn’t appear to have made any difference. Another issue that is compounding the annoyance is that the SKY-HD box is almost impossible to use with a single tuner.

I decided to resurrect my HTPC and attempt to get SKY going into that. There where 4 major requirements for this

1. Has to be able to play content – I pay a silly amount a month just for 3 HD channels (BBC, Discovery and History) :: This meant that a DVB-S2 receiver was required

2. Has to be able to decode pay for channels – I pay a subscription to them, I’ll be damned if I don’t get my channels! :: This meant that either a SoftCAM or a CI slot and CAM were required

3. Has to be local to the machine, I want a raw MEPG2/h264 stream going to the media pc, and not any additional transcoding, also one less set of CPUs is a good thing ™ – This isnt a poke at a specific Linux Based satellite receiver at all :: This meant internal cards or locally attached devices (USB2/Firewire)

4. The HTPC must be running software that can play my videos – I don’t want to have my popcorn hour AND a HTPC to do my video. :: This meant using a Media Centre type application, this does however exclude Microsoft’s Windows Media Centre, as it doesn’t play MKVs/OGMs etc

 

Relatively small requests one would think, but apparently not! I was left with a few choices for Card, however the one that seemed to come out tops was the Digital-Everywhere FloppyDTV/S2. This meets requirements 1&3, by being able to decode DVB-S2 signals, and also is sending data via the Firewire bus.

In order to meet requirement 2 I opted for the “Dragon Cam” (or specifically the T-Rex 4.1). This is a Conditional Access Module, which along with a valid SKY viewing card, preforms the VideoCrypt (NDS) decryption. This does have one, annoying, caveat. The smartcard must go into a SKY box every 4->6 weeks to have a “new installation” done, as the CAM will not rewrite the new decryption codes to the card.

 

The Shopping list at the end of all of this was as follows:

  • Digital Everywhere FireDTV S2 External @ £160 (External was chosen for various reasons, including the IR remote support)
  • Firewire PCI Card @ £10 
  • T-Rex Cam @ £60
  • Infinity Unlimited USB Card Programmer @ £60 – This was required to do the initial loading of the T-Rex CAM, however can be returned / resold / similar as its a once off requirement

So all in all £220 to view/record on a media pc. This is for a single tuner only, as I don’t have access to multiple drops from the buildings satellite distribution system (which is rather amusing, as these are “executive” flats, built in the last 3 years, and yet all flats only have a single drop for satellite). Multi Drops can be done using a SoftCAM, where the CAM is replaced with a USB Smartcard programmer, but only one is required, meaning that the first channel would be £220, but each after that would be £160 (or £130 if an internal was to be used). Of course the Legality of using a SoftCAM is extremely questionable, where as a non official sky receiver is only marginally.

I’ll be documenting more on the setup soon

Posted in Hardware, media, Projects, sky, TV | Tagged , , , , , , | 1 Comment