VirtualHost Overlap on Port 443

When I was fiddeling with mod_gnutls to get full power forward with the new Wildcard SSL Cert I got me, I came across the problem that Apache 2 was whining about the VirtualHost Overlap with a message like this:

[warn] _default_ virtualhost overlap on port 443, the first has precedence

Also, he refused to serve the content from the additional ssl vhost. After a little searching, I found on the pageĀ webchalk.hubpages.comĀ the hint that let me fix this behavior. I just needed to add another NameVirtualHost directive to the ports.conf. So now it looks like this:

NameVirtualHost *:80
NameVirtualHost *:443
Listen 80
<IfModule mod_gnutls.c>
Listen 443
</IfModule>

With that now I can create my <VirtualHost *:443></Virtualhost> and Apache don’t complain anymore. And with mod_gnutls he also shut up about multiple SSL hosts.

Getting subtitles from YouTube made easy

When I wanted to save me some hillarious video from YouTube I encontered a the problem to get the subtitles since they’re part of the fun. But thankfully I found a solution on Sourceforge called “Google2SRT“. With this lil’ program its piece a cake to grab the subtitles you want (except the automatic generated speech2text ones).

[singlepic id=8 w=320 h=240 float=none]

Its very simple to use, just select Web, insert the URL of the YouTube video, hit “Read”. Then he present the found subtitles to you and after selecting which you want just hit “Go”. After that he grabs the subtitles and converts them into SRT (SubRip Subtitles) from where you can easily merge them into a MP4/MKV or edit/convert them into another formats. Since the program is written in JAVA it practially runs where JAVA runs, like Windows, Linux, OSX and more. Used it on a Ubuntu 12.04 (64 bit) and worked fine.

Perfect codec for fluent video editing on Linux is called DNxHD

I came across DNxHD just a short while ago, searching for a solution to be able to fluent edit my videos from various occasions. So far it was a bit of a problem since the video editing software had trouble to decode it fast enough (we speak about 1920×1080 AVC video), and so it was a pain to just cut them into pieces. But with DNxHD its piece a cake, the only downside is the fact it need a lot of spaceĀ (8 min equals ~11 gb when the video is 1920×1080) but the positive aspect is that its visually lossless. Before I used H264 lossless mode, but yea, same problems as with the AVC files from the cam itself, through a bit better since its not in M2TS format anymore. I really wish they would finally add VDAPU (nvidia) and its AMD counterpart to the known video editors. Anyway, to convert a source m2ts to our DNxHD mov (yes, Quicktime, otherwise it won’t work) just do the following on a console after navigating into your video folder:

avconv -i 20120526130908.m2ts -vcodec dnxhd -b 185M -s 1920x1080 -aspect 16:9 -deinterlace -r 25 -acodec pcm_s16be -v verbose -y Shiroku_live_1080_dnxhd.mov

Here I convert the live performance of Shiroku that I captured on theĀ  Dokomi this year into DNxHD for editing. The file also needs deinterlacing and decimate since its taken in 50i. If you capture in 60i (NTSC) you want to change the “-r 25” to “-r 30”. Also you can change here already the resolution if you plan to use a lower res later or your camera actually takes a lower res. To do so change the “-s HxW” parameter, for example for 720p go for “-s 1280×720”. When you change the picture size you also can change the video bit rate. I found a useful table at this page. Currently ffmpeg just support 8 bit DNxHD, and through that our video editing software also only support 8 bit since practically all software on Linux use ffmpeg for de/en-coding in the end. If you system don’t have “avconv” just replace it with “ffmpeg”. I migrate from the ffmpeg to the avconv command since with ffmpeg-0.8 the “ffmpeg” command is marked as legacy. Also I found it quite useful to export from my video editing software to DNxHD, and encode the material with Handbrake. The DNxHD export works way faster than the usual H264 export, and Handbrake tends to encode the H264 more efficient then the video editing software does. If you still look for software to edit with, here is a list of software I use(d):

And if you have suggestions for more video editing software, just post a comment. I’m always open to try something new.

How to get into the hidden menus of a Panasonic TV

First of all, a (usual) word of warning: PLEASE BE CAREFUL AND ONLY PLAY WITH THESE MENUS IF YOU KNOW WHAT YOU ARE DOING! If you do not know what you do there, it’s quite possible to get unwanted effects and in worst case you might even destroy the panel/circuit boards or just lock yourself out of the device^^.

But after that, there are 2 menu’s which you can use. Let’s begin with the more interesting of them, the so-called “hotel menu”. Why more interesting? Well, most settings I can imagine that are useful to you are to be found in this one. To access it press and hold the button “-/V” and while holding it press in a fast sequence the “AV” button or “TV/AV” button (depending on your remote).

Then a new menu opens, and there you find the settings. Here are some hints on what settings save and which put your device in the danger of becoming unusable unless a service tech undo those:

Save ones

  • “Initial INPUT”: Let you select which input gets selected on startup (like HDMI1/2/3,TV,etc)
  • “Inital VOL level”: The sound volume at startup
  • “Maximum VOL level”: how loud can you make them at most, nice to keep the kids from overdoing it^^
  • “Inital POS”: let you select the TV channel that he selects at startup

Dangerous ones

  • “Remote lock”: deactivates the remote control
  • “button lock”: deactivates the buttons on the TV itself

Found those info in the German Hifi Forum here. The picture I found on PC Creator’s blog.

And for those who know what they’re doing and who really want into the so-called “service menu”, you can use it via pressing and holding “-/V” on the tv and at the same time repeated pressing “0” on the remote. Navigation gets done by the colored buttons on the remote. But I can’t really give any information on that menu, since I don’t have the knowledge, just came along those information at some page.

And a last warning, I don’t take any responsiblity for those information to be correct and/or flawless since those are inofficial and so can be wrong. It is up to you if you want to make use of them or not, and the later results are also your responsibility.

 

 

Gears of War 2 – how to fix the installation problem on the XBOX 360

Borrowed Gears of War 2 from a friend to give it a whirl, and ended up confused. When I tried to install it like usual, the XBOX kind hung up (well, couldn’t get out of the install screen and no progress). After a bit searching around, and getting annoyed by all the guides focusing on pirating the game instead of addressing my problem I finally found in the xblsenioren.de forum the suggestion: “Cut the internet connection (or just log out of XBOX Live), and then install it”. I first thought they must be joking, but heck it solves mysteriously the problem with the Gears of War 2 installation. Its currently installing like nothing ever happened, weird error.

How to fix the blue colorization of videos in Flash 11 on Linux

I had this annoying color bug that showed everything with a blue dust over it, like on YouTube. To fix call a page with Flash and then do a right-click, go to settings. There select the first tab and deactivate the hardware accerlaction. Then load a page with a flash video player, and enjoy watching flash video again. This works only for the Flash from Adobe.

Transfer mail encrypted between the servers with postfix

When I was looking at mailheaders again (it became kind of a hobby, and this proves you learn from it^^) I was noticing one of my incoming mails was transfered via ESMTPS. So far I knew SMTP and ESMTP but ESMTPS was appearently a new. Turned out it was ESMTP via secure transportlayer, or like RFC 3848 defines it: “The new keyword ‘ESMTPS’ indicates the use of ESMTP when STARTTLS is also successfully negotiated to provide a strong transport”. So I became curious, how can I do that too? After a bit searching I came across the setting smtp_tls_security_level in postfix and yes, after setting it to ‘may’ it did the trick. So now if the server supports STARTTLS he opens a encrypted connection with the remote server for the transfer. You need to set a bit more to make it working without any errors, here is what you need to do on a Ubuntu 10.04 (Debian and others should work similar):

sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtp_tls_loglevel = 1'
sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
sudo service postfix restart

We set only smtp_tls_security_level to ‘may’ cause otherwise with ‘encrypt’ the remote server is forced to support STARTTLS, if he does not the transfer fails. So with may encryption gets used when supported. Loglevel 1 gives you a short notice when a safe connection was established and what cipher got used. Like this:

Mar 14 00:22:08 utgard postfix/smtp[11397]: setting up TLS connection to gmail-smtp-in.l.google.com[173.194.70.26]:25
Mar 14 00:22:08 utgard postfix/smtp[11397]: Trusted TLS connection established to gmail-smtp-in.l.google.com[173.194.70.26]:25: TLSv1 with cipher RC4-SHA (128/128 bits)
Mar 14 00:22:09 utgard postfix/smtp[11397]: 6A591E6C2C3: to=, relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=0.9, delays=0.01/0.03/0.13/0.73, dsn=2.0.0, status=sent (250 2.0.0 OK 1331680929 s26si2913819weq.13)

And last but not least, we need to set the path to where he can find the ca-certificates to validate the remote servers certificate. Otherwise we get a entry saying a untrusted connection gets used, means he encrypts but can’t verify the remote identity. In Ubuntu (Debian) inside the chroot path of postfix lies a file containing all ca-certificates, we just need to point postfix to it. The normal path is not accessable from inside the chroot. Thanks to Alain Kelder to point this out. With all that done, our server is good and enabled to send out his outgoing mail to other smtp servers using a secure transport layer. You can go even further and for example force encryption for specific servers on a per-site basis. But since thats not the scope of this article, please refer to the postfix TLS documentation for that. There you find also information how to optimise the encryption by disabling/enabling ciphers and similar.

pam_geoip – Restrict accounts to certain Cities/Countrys only

A friend did ask me, if its possible to block access to his SSH server by blocking via GeoIP which he is already successful using on his webserver to lower the amount of spam he gets (at the cost of potential visitors, but thats his choice after all, right ?). So I dugg a bit in the net, and came across the module pam_geoip.so which allows me based on Maxmind’s GeoIP City Database to block access to services using PAM for authentification. What I show here is a example how to install it and block certain countries using GeoIP City DB lite (aka Maxmind’s free database) from accessing our SSH accounts. This works on a Ubuntu/Debian Linux, for other Distributions/OSes please check if the libary packages named similar. I expect you to have the basic development tools installed already. So let’s start:

sudo apt-get install libgeoip-dev libpam0g-dev
wget http://ankh-morp.org/code/pam_geoip/pam_geoip-0.9.tar.gz
tar xzvf pam_geoip-0.9.tar.gz
cd pam_geoip-0.9
make
sudo -i
cp pam_geoip.so /lib/security/
chown root:root /lib/security/pam_geoip.so && chmod 644 /lib/security/pam_geoip.so
cp geoip.conf /etc/security
chown root:root /etc/security/geoip.conf && chmod 644 /etc/security/geoip.conf
cd /etc/security
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gunzip GeoLiteCity.dat.gz
chmod 644 /etc/security/GeoLiteCity.dat

When that is done, fire up nano and set the geoip.conf to something similar as this:

#
# /etc/security/geoip.conf - config for pam_geoip.so
#

#<domain>   <service>  <action>  <location>  
*           sshd       deny      CN
*           *          ignore    UNKNOWN

When you’ve done this, fire up nano again to edit this time /etc/pam.d/sshd and add this:

account required pam_geoip.so geoip_db=/etc/security/GeoLiteCity.dat system_file=/etc/security/geoip.conf action=allow

With all this we set the pam_geoip module to default allow, and block all access attempts from Chinese IP’s. Don’t forget to restart the sshd and logout, as we don’t wanna be root longer then needed. You can use way more complex configurations like allowing access to a certain account only in a specific place or within a radius around this place. But for that I would really suggest to buy the premium version of the GeoIP City Database for the higher accuracy. For country-blocking the free should be fine for most of us through. For more complex usage check out the modules website at http://ankh-morp.org/code/pam_geoip/geoip.conf.html. And also checkout the included manpages/config samples. Thanks for help with the installation and the sample to block Chinese IP’s goes to guruway’s blog.

Make amavis-new speak German with you

By concidence I came across a translation of the amavis-new templates for it’s messages in German and a guide how to set those translations up. The translated templates you can download from http://fblan.de/postfix/amavis/de_DE/. The install instruction works on Debian/Ubuntu, on other OSes please check where the entry in the config lies. And here is how to install them (requires root):

sudo -i
mkdir /etc/amavis/de_DE
cd /etc/amavis/de_DE
wget http://fblan.de/postfix/amavis/de_DE/charset
wget http://fblan.de/postfix/amavis/de_DE/template-dsn.txt
wget http://fblan.de/postfix/amavis/de_DE/template-spam-admin.txt
wget http://fblan.de/postfix/amavis/de_DE/template-spam-sender.txt
wget http://fblan.de/postfix/amavis/de_DE/template-virus-admin.txt
wget http://fblan.de/postfix/amavis/de_DE/template-virus-recipient.txt
wget http://fblan.de/postfix/amavis/de_DE/template-virus-sender.txt

Once you took care of that, we need to edit the file /etc/amavis/conf.d/30-template_localization. Comment out the old line “read_l10n_templates(‘en_US’, ‘/etc/amavis’);” and place a new line with “read_l10n_templates(‘de_DE’, ‘/etc/amavis’);” below. After a restart amavis now sends out his reports in German instead of English. And do not forget to do a logout after the amavis restart, we don’t wanna act as root longer then necessary! šŸ˜‰

The guide is from o-o-s.de and the translation from fblan.de, thanks to both!

And should the fblan.de webpage down for some reason, I have a local copy for download here.

500 OOPS: vsftpd: refusing to run with writable root inside chroot() with vsftpd 2.3.5+

If you encounter this errormessage after a recent update or fresh install with vsftpd 2.3.5 or newer, here is whats happend:

As of vsftpd 2.3.5, the chroot directory that users are locked to must not be writable. This is in order to prevent a security vulnerabilty.

Depending on the configuration you utilize this can be a problem. If so I suggest for the moment to downgrade to 2.3.4 (I’m aware not the best solution!), or change your setup. People with ArchLinux have another solution to this, they can install vsftpd-ext via AUR and then set in the configĀ allow_writable_root=YES. If someone has the patch agains the source for this, I would love to get a copy.

Downloadlinks for 2.3.4

https://security.appspot.com/downloads/vsftpd-2.3.4.tar.gz
https://security.appspot.com/downloads/vsftpd-2.3.4.tar.gz.asc

As soon I find a better solution to this problem, I will write again.