Page: 2 of 4

Blog Posts

17 May 2014 » OmniROM

Like many other tech-competent/masochistic Android users I enjoy using custom Android ROMs on my devices. Although my Galaxy Nexus and Nexus 10 were, and would have continued to be, perfectly fine running stock Android I always found it to be a bit lacking in a few areas, mainly in the customization department.

On my phone, I've always used CyanogenMod due to the (perceived) stability and fact that they still actively support the Sprint version of the Galaxy Nexus, but I've become wary of their direction after they went commercial. Unlike my phone, my Nexus 10 doesn't have any sort of critical functionality that could potentially be botched by bleeding edge ROMs. I've tried the other two big players in the ROM market, but still didn't stick with them. While both are great choices in their own right, I found Paranoid Android and AOKP to have too many features for my liking...

I like to have something closer to Stock, but without a huge amount of features I never use. I also tried the many offshoots of these three that frankenstein a bunch of features from all three, but encountered too many stability issues, or just too many unused features and components. Then while browsing the XDA Developers forums, I heard about a new player: OmniROM.

OmniROM is developed by some of the bigger players in the Android development community and in many ways it has set out to accomplish what CyanogenMod is/used to be. Their goals include developing new open source software and enhancements for the wider Android community to benefit from, while providing a simple, close to stock experience. The current nightlies are based on Android 4.4.2, and support a healthy and growing number of devices.

Thus far some of the more interesting features to the ROM include:

  • Multiwindow (Still in development)
  • OpenDelta: Over the air delta updates
  • OmniSwitch: A replacement for the standard Android App Switcher, with more features, and a favorites list for Apps.
  • Active Display: Displays notifications on the screen, when it is off.


There are many smaller features such as being able to change the placement of the clock, or being able to adjust the size of the soft buttons, and a home-grown file manager. However, one of the aspects I value most of this ROM is their stance on Nightly Releases.

"We also recognise how people use Custom ROMs – we’re all custom ROM users and developers ourselves – the argument that 'nightlies are not for end users' is over-used, and no longer valid. We’ve found that the vast majority of users want to get nightly updates to their ROM. For that reason, nightlies aren’t a playground – nightlies are for new features that are finished. You should be able to expect the same stability and reliability from a nightly as you would from a 'release' ROM, and can report any bugs that prevent this from happening."

-(About Omni)

And in the six or so months that I have been using Omni I have found this to be incredibly true. I've yet to encounter any serious crash or instability while on any of the nightlies, which were all installed with OpenDelta. While I quite often have issues with OpenDelta stopping in the middle of downloading updates, it's always produced working updates, despite somewhat elongated waiting. A word of warning however is that OpenDelta currently only supports TWRP recovery at this moment, since CWM doesn't officially support the scripting that OpenDelta requires.


That said, OmniROM is still very much a work in progress and currently does not have a "stable" release. Despite the relative stability of the nightlies, some users may not be comfortable using it until a stable release has been made. But for those who are feeling slightly adventurous, I would wholeheartedly recommend giving OmniROM a shot, especially to those who are not completely happy with their current ROM. If nothing else, OmniROM has a ton of potential that is very quickly being recognized with their fast and stable releases.


09 May 2014 » Configuring iptables

With the recent fixing of my "network issues", I have been putting more time and effort into making sure everything, from the website to the Raspberry Pi, is cleaned out after its Winter hibernation. Upon reading some of journald's log files (which I'd noticed grew somewhat quickly), I discovered a flood of failed remote login attempts, clustered at different times of the day, and all attempting to log in from high numbered ports, with users that don't exist on the system. A quick whois lookup on the IPs revealed that they're locations from all over the world, so most likely bots looking for easy access to insecure systems.
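A sketch of that log triage, as an added example that is not part of the original post: it counts failed password logins for non-existent accounts per source address. The log lines are constructed samples using documentation addresses, and the function names are hypothetical.

```shell
# invalid_user_sources < sshd log lines
# Prints "ATTEMPTS DISTINCT_USERS SOURCE_IP", busiest source first, for
# failed password logins against accounts that do not exist.
invalid_user_sources() {
    awk '
        / sshd\[[0-9]+\]: Failed password for invalid user / &&
        $(NF - 4) == "from" && $(NF - 2) == "port" {
            # Read the address from the fixed tail of the line: the user
            # name is chosen by the client and may itself be "from".
            ip = $(NF - 3)
            user = $0
            sub(/^.*Failed password for invalid user /, "", user)
            sub(/ from [^ ]+ port [0-9]+ ssh2$/, "", user)
            attempts[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END { for (ip in attempts) print attempts[ip], users[ip], ip }
    ' | sort -k1,1nr -k3,3
}

# Constructed sample log (hostname, PIDs and addresses are made up).
sample_log() {
    cat <<'EOF'
May 09 03:12:44 pi sshd[412]: Failed password for invalid user admin from 203.0.113.7 port 52144 ssh2
May 09 03:12:47 pi sshd[412]: Failed password for invalid user oracle from 203.0.113.7 port 52190 ssh2
May 09 03:12:51 pi sshd[415]: Failed password for invalid user admin from 203.0.113.7 port 52311 ssh2
May 09 11:40:02 pi sshd[508]: Failed password for invalid user from from 198.51.100.23 port 40022 ssh2
May 09 11:41:10 pi sshd[511]: Failed password for root from 192.0.2.10 port 50514 ssh2
EOF
}
```

On a systemd host the input would come from something like `journalctl -u sshd`; the unit name is an assumption about the system.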

Before the downtime I had not bothered to set up any sort of protection on the Pi since I figured that my domain was still relatively new and unknown. While it's still pretty unknown, I have it posted in public places now, and have it indexed by Google, so this most likely allows intrepid spam-bots to find my domain relatively easily. While programs like fail2ban or disabling ssh altogether could have remedied the problem, I went for a much less passive approach, and decided to set up a firewall.

Linux has plenty of software firewall solutions, but naturally I decided to go with iptables, the Linux kernel's built-in firewall. I'm fully aware of nftables, the successor to iptables, but since Arch Linux ARM currently has the 3.10 Kernel as its "stable" Kernel version this option is not available to me yet. I plan on using it however, once it fully replaces iptables in the kernel.

While it's a powerful tool, iptables is not the easiest to set up for those inexperienced with firewalls, like me. Fortunately the fantastic Arch Wiki has an entire article for setting up a stateful firewall with iptables.

Admittedly it didn't go as smoothly as I thought it would, entirely due to PEBKAC issues, and setting it up over an ssh connection. As one could imagine setting the INPUT DROP policy before configuring the SSH related chain will quickly lead to an unproductive session, especially when one doesn't have immediate physical access to the Raspberry Pi.

Luckily for me the article in question has a helpful explanation of what each command did at each step, so at least I wouldn't feel too bad about the fact I mainly copied and pasted the commands that I felt I needed. While I still don't know a significant amount about iptables yet, I feel I now at least have a basic understanding, that suits a machine that only serves out a simple webserver.

For those interested, I threw together a quick bash script that more or less matches the rules and chains I have in place. This must be run as root, so use with caution.

#!/usr/bin/bash

# User defined chains
echo "Setting user defined Chains"
iptables -N TCP
iptables -N UDP
echo "Done"

# Set default policies
echo "Setting Policies"
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
echo "Done"

# Set rules
echo "Setting rules"
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
echo "Done"

# Attach TCP/UDP chains to INPUT
echo "Attaching TCP/UDP chains to INPUT"
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
echo "Done"

# Open ports for services
echo "Opening ports for HTTP, HTTPS, DNS, and SSH"
iptables -A TCP -p tcp --dport 80 -j ACCEPT
iptables -A TCP -p tcp --dport 443 -j ACCEPT
iptables -A UDP -p udp --dport 53 -j ACCEPT
iptables -A TCP -p tcp --dport 22 -j ACCEPT
echo "Done"

# Drop everything else; the INPUT policy is set last so the SSH rule above is already in place
iptables -P INPUT DROP

# Save Settings
echo "Saving settings to /etc/iptables/iptables.rules"
iptables-save > /etc/iptables/iptables.rules
echo "Done"

Of course, there is more I need to do, such as disabling logins for SSH, and only allowing access via SSH keys. That being said, there's nothing particularly interesting/useful/valuable on my Raspberry Pi in the first place.


04 May 2014 » IT LIVES!

About four months ago we got fed up with how hit or miss our WOW! provided router was, and replaced the wireless functions of the offending Router/Modem abomination with a real wireless router. Somehow the port forwarding and DHCP reservations for my Pi were disrupted, and my website went down. Due to how busy this recent semester at school was, I didn't have much time/energy (except I kinda did sometimes) to deal with getting it back up and running. Since I had a bit of free time between Spring and Summer semester (almost an entire week!), I didn't have much of an excuse to not deal with it.

Fortunately my four-month-out-of-date Arch Linux ARM install survived the most massive system update it will hopefully ever have to deal with, and other than not having enough space the first try due to an unemptied Pacman cache, it's up and running, happy as can be.

Despite broken promises of real content and what not, I will still try to put some stuff out every now and then, even though my final two semesters at school are looking to be just as busy as my most recent ones.


02 Jan 2014 » New Year, Hopefully New Content

Hopefully in the coming year I am able/willing to make more posts with more interesting content than changes I made to the internals of this blog. However, I've reached a plateau in terms of changes I want to make, so there isn't much more I can even post about it. Recently I've embedded Mozilla's Fira Typeface in place of the user's predefined font. The new fonts should show up just fine on Firefox and webkit browsers, but I have no idea about Internet Explorer other than IE11, or others. Just in case, there are other pleasant fallbacks in place. The site may load a bit slower now since it has to load the fonts, but it shouldn't be too noticeable.

The favicon is a new addition as well. It's nothing special, but the extremely observant reader would have noticed that the letters 'm' and 'p' were made using the Mr. Saturn font from the game Earthbound (a personal favorite of mine)!

boing

(font and image courtesy of Earthbound Central)

UPDATE (12 May 2014): The Sans Serif font is Noto Sans and the Monospaced font is Ubuntu Mono


16 Dec 2013 » New Name! Same Great Taste!

Earlier today I finally bit the proverbial bullet and purchased a domain for this site. I now own the misterpokeylope.com domain, and will be using it instead of the old mrpokeylope.mooo.com. I set up a redirect from the old URL to the new one and such, but at this point it's deprecated.

All of the dynamic DNS services are still provided by FreeDNS, and everything is still hosted on my Raspberry Pi, so absolutely nothing has changed other than the URL. Recently I discovered that my website could not be indexed by Google or other search engines due to the policies of using a free shared subdomain from FreeDNS. So now, the hope is that people will actually be able to find this site without me having to give a link out...

$15 well spent I suppose.
