When doing backups on Linux, it is usually desirable that the system stays responsive to input, including terminals and Xorg/Wayland. In the context of IO niceness, the concept of “everything is a file” bites Xorg/Wayland quite badly, because it turns out that writing to the frame buffers and refreshing the screen is also subject to IO classes and niceness. Combined with the fact that by default the Linux kernel has relatively large dirty page buffers and appears to work on those buffers in a single thread, this leads to Xorg and Wayland being blocked by tasks that have a large buffer to write back.
Continue reading “Making Linux responsive aka how IO priority and buffer size influences responsiveness”
In the past years credential theft has become a common theme among web sites. Such thefts stem from a compromise of the web or application server, or of other, unrelated infrastructure. Once access to the file system of the database server is achieved, or the database can be accessed using the application’s credentials, the secret credentials the users configured, and potentially share with other sites, can be retrieved from the database. As soon as the intrusion is detected, responsible web site owners usually notify the users about the breach, ask them to change their credentials for the site, and warn against credential reuse. Having a breach is obviously bad publicity and evidently has negative consequences.
However, at least one of the attack avenues can be sealed off: retrieving the secret data from the database using the credentials of the web application.
Continue reading “Protecting databases against credentials theft”
Assuming that syslog guarantees message delivery is a common pitfall.
Neither syslog over TCP nor syslog over UDP implements any application-layer confirmation that a log message was received; a TCP acknowledgement only says the receiver’s kernel got the bytes, not that the receiving daemon processed or stored them. If anything goes wrong between the message being written to the sender’s buffer or sent over the socket and the log having been written to disk on the receiver, those messages are permanently lost, and the sender never learns about it.
Continue reading “Syslog is unreliable – Use RELP instead”
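The added example below is my own illustration, not code from the post and not rsyslog’s or librelp’s implementation. It models the one property of RELP that syslog over TCP and UDP lack: every frame carries a transaction number and the receiver answers each one with an “rsp” frame, so the sender knows exactly which lines were taken over and which it still has to resend. The frame layout is simplified from the RELP specification (“TXNR COMMAND DATALEN [DATA]\n”), the receiver is an in-process thread on a socketpair, and the RFC 5424 lines are constructed sample data. The second run simulates a receiver that dies between reading a line and acknowledging it; with plain syslog that line would simply vanish, here it stays in the sender’s unacknowledged set.

```python
import socket
import threading

# Constructed RFC 5424 sample lines (not real log data).
SAMPLE_LINES = [
    "<34>1 2024-05-01T12:00:00Z web1 sshd 4711 - - Failed password for root from 203.0.113.7",
    "<34>1 2024-05-01T12:00:01Z web1 sshd 4711 - - Failed password for root from 203.0.113.7",
    "<85>1 2024-05-01T12:00:02Z web1 sudo 4712 - - bob : command not allowed ; COMMAND=/bin/bash",
]


def encode_frame(txnr, command, data=b""):
    """Build one (simplified) RELP frame; DATA and its leading space are omitted when empty."""
    head = f"{txnr} {command} {len(data)}".encode()
    return head + (b" " + data if data else b"") + b"\n"


def read_frame(sock):
    """Read one RELP frame from a stream socket and return (txnr, command, data)."""
    def token(stops):
        buf = b""
        while True:
            c = sock.recv(1)
            if not c:
                raise ConnectionError("peer closed the connection")
            if c in stops:
                return buf, c
            buf += c
    txnr, _ = token(b" ")
    command, _ = token(b" ")
    length, sep = token(b" \n")
    data = b""
    if sep == b" ":
        want = int(length)
        while len(data) < want:
            chunk = sock.recv(want - len(data))
            if not chunk:
                raise ConnectionError("peer closed mid-frame")
            data += chunk
        if sock.recv(1) != b"\n":
            raise ValueError("missing frame trailer")
    return int(txnr), command.decode(), data.decode()


class RelpSender:
    """Sender that forgets a syslog line only after the receiver acknowledged its txnr."""

    def __init__(self, sock):
        self.sock = sock
        self.txnr = 0
        self.unacked = {}  # txnr -> syslog line not yet confirmed by the receiver

    def send(self, command, data=""):
        """Send one frame and block for its 'rsp'. Returns True only on a 200 answer."""
        self.txnr += 1
        txnr = self.txnr
        if command == "syslog":
            self.unacked[txnr] = data
        try:
            self.sock.sendall(encode_frame(txnr, command, data.encode()))
            rtx, rcmd, rdata = read_frame(self.sock)
        except OSError:
            # Connection gone before the ack arrived: the line stays in unacked.
            # Plain TCP syslog gives the sender no such signal at all.
            return False
        if rcmd == "rsp" and rtx == txnr and rdata.startswith("200"):
            self.unacked.pop(txnr, None)
            return True
        return False


def receiver(sock, stored, crash_on=None):
    """In-process receiver: persist (here: append to a list), then acknowledge.
    If crash_on matches a line, die before acking it, like a daemon that lost
    power between recv() and fsync()."""
    try:
        while True:
            txnr, command, data = read_frame(sock)
            if command == "syslog":
                if data == crash_on:
                    return
                stored.append(data)
            sock.sendall(encode_frame(txnr, "rsp", b"200 OK"))
            if command == "close":
                return
    except OSError:
        pass
    finally:
        sock.close()


def run(lines, crash_on=None):
    """Ship lines over a socketpair; return (lines the receiver stored,
    lines the sender still holds as unacknowledged and must resend)."""
    a, b = socket.socketpair()
    stored = []
    t = threading.Thread(target=receiver, args=(b, stored, crash_on))
    t.start()
    sender = RelpSender(a)
    sender.send("open", "relp_version=0\nrelp_software=example\ncommands=syslog")
    for line in lines:
        sender.send("syslog", line)
    sender.send("close")
    a.close()
    t.join()
    return stored, list(sender.unacked.values())
```

In the healthy run every line ends up stored and the unacknowledged set is empty; in the crash run the receiver keeps only the first line while the sender still holds the second and third, which is exactly the bookkeeping that lets a RELP client replay after reconnecting.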
Here’s an example line for default.pa or similar, or for running using pacmd. I haven’t tested it, but pulseaudio accepts this line just fine:
load-module module-echo-cancel use_master_format=1 aec_method=webrtc use_volume_sharing=1 aec_args="analog_gain_control=0 digital_gain_control=1 beamforming=1 mic_geometry=-0.04,0,0,0.04,0,0 target_direction=4.71238898,0,0" source_master=alsa_input.usb-046d_0821_FDA941A0-00.analog-stereo sink_master=alsa_output.pci-0000_43_00.1.hdmi-stereo-extra3 source_name=echoCancel_source sink_name=echoCancel_sink
It needs LC_NUMERIC=C in the environment to read mic_geometry correctly; using commas instead of periods doesn’t work.
If you use systemd, just use a drop-in (e.g. create one using systemctl edit) to set the environment variable for the service.
What is it?
iptables is a CLI front end to netfilter, the Linux kernel’s firewall/NAT implementation for OSI layers 3 and 4.
Just some standards for writing applications that I came up with, to make them easy to deal with, fast, and highly available.
Continue reading “Programming Standards”
- Don’t use iptables to apply your rules one at a time; use iptables-restore to apply a whole ruleset in one action (loading rules one by one leaves the host with a half-applied ruleset while the commands run).
- Set your INPUT and FORWARD policy to DROP.
- Don’t set your OUTPUT policy to DROP unless you really know what you’re doing.
- If you’re going to implement a blacklist or whitelist, you should look at using ipsets if that list is going to be more than two or three addresses, and if it might be dynamic.
- Allow all traffic on lo.
- You should ACCEPT traffic in the ctstates RELATED and ESTABLISHED near the beginning of your rules, so that return traffic of already allowed connections never has to traverse the rest of the chain.
- Don’t use iptables -L
- DON’T USE IPTABLES -L
- Use iptables-save instead of iptables -L.
- Don’t use ifconfig or any of the other net-tools.
- Use iproute2 instead (ip address, ip link, ip route, ip rule, …).
- Always read the man pages that are installed on the system you’re trying to use the corresponding software on.
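The added example below is my own code, not from this page: a small linter for iptables-save output that checks the rules of thumb above (INPUT and FORWARD policy DROP, OUTPUT not DROP, loopback accepted, RELATED,ESTABLISHED accepted before any other ACCEPT, and no long hand-written address lists where an ipset belongs). Both rulesets are constructed samples; the set name blocklist4 and the 198.51.100.x/203.0.113.x addresses are documentation values chosen for the example. The first ruleset is also a minimal compliant starting point for iptables-restore; note that the ipset it references must exist before the ruleset is loaded.

```python
# Constructed sample: follows the rules of thumb above.
GOOD_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m set --match-set blocklist4 src -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

# Constructed sample: breaks most of them.
BAD_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.10 -j DROP
-A INPUT -s 198.51.100.11 -j DROP
-A INPUT -s 198.51.100.12 -j DROP
-A INPUT -s 198.51.100.13 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


def parse_filter_table(text):
    """Return (chain policies, [(chain, tokens)]) for the *filter table of an iptables-save dump."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            chain, *tokens = line.split()[1:]
            rules.append((chain, tokens))
    return policies, rules


def ctstates(tokens):
    """Set of states named by a --ctstate/--state match, empty if the rule has none."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("--ctstate", "--state"):
            return set(tokens[i + 1].split(","))
    return set()


def lint(text):
    """Return a list of findings; an empty list means the ruleset follows the rules of thumb."""
    policies, rules = parse_filter_table(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain, 'missing')}, should be DROP")
    if policies.get("OUTPUT") == "DROP":
        findings.append("OUTPUT policy is DROP; only do this if you know what you are doing")

    inp = [t for chain, t in rules if chain == "INPUT"]
    if not any("-i" in t and "lo" in t and t[-1] == "ACCEPT" for t in inp):
        findings.append("no rule accepting traffic on lo")

    state_idx = next((i for i, t in enumerate(inp)
                      if {"RELATED", "ESTABLISHED"} <= ctstates(t) and t[-1] == "ACCEPT"), None)
    if state_idx is None:
        findings.append("no RELATED,ESTABLISHED accept rule in INPUT")
    else:
        # Every non-loopback ACCEPT before the state rule costs a full chain walk per packet.
        earlier = [t for t in inp[:state_idx] if t[-1] == "ACCEPT" and "lo" not in t]
        if earlier:
            findings.append(f"{len(earlier)} ACCEPT rule(s) precede the RELATED,ESTABLISHED rule")

    addrs = {t[i + 1] for t in inp for i, tok in enumerate(t[:-1]) if tok in ("-s", "-d")}
    if len(addrs) > 3:
        findings.append(f"{len(addrs)} addresses hard-coded in rules; use an ipset")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: iptables-save | python3 lint.py   (or feed a ruleset file before iptables-restore)
    for finding in lint(sys.stdin.read()) or ["ruleset passes all checks"]:
        print(finding)
```

Run it on a ruleset file before handing that file to iptables-restore, or pipe iptables-save into it to audit a running host; on the second sample it reports six findings, on the first none.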
Summary page of the Netfilter related resources
- iptables 101 and FAQ to get started quickly
- iptables tutorial from frozentux
- flowgraph of the packets in netfilter as png or svg
- Managing large lists of IPs, subnets, protocols or ports in iptables using ipset
- Dynamically updating ipsets from DNS records
- Periodically updating a blocklist from an IP using Python and ipset
- Words of wisdom regarding iptables
- Example iptables rule sets for IPv4 and IPv6
- Things You Should Know About Netfilter
- About asking questions the smart way
- What have you tried?
- Why automatic conntrack helper assignment is dangerous
- IProute2 cheat sheet
- nftables wiki
- Should I filter output?
nftables has been considered production ready since 2019-06-27.