parted -s ‘rm 1’ DEVICE

Find partitionable size:

~$ sudo fdisk -l /dev/sdc | grep bytes | head -1 | sed ‘s/^.* \([0123456789]*\) bytes/\1 \/ 1000000/’ | bc
16039

Partition the ThumbDrive:

parted -s ‘mkpart primary 0 16039’ DEVICE

Create the DeviceMapper device:

sudo cryptsetup create NAME DEVICE
passphrase:

Make a filesystem on the mapped device (non-journaled FS’s only):

mke2fs /dev/mapper/NAME

Mount the filesystem where appropriate:

mount /dev/mapper/NAME /map-point

Here’s a quick tutorial for:

* setting up a CSR (Certificate Signing Request)
* submitting the CSR
* installing the intermediate CA certs

This assumes you already have ssl enabled web/mail services, that you have openssl accessible on a system under your control and that you actually want a decent SSL certificate installed.

Start out by going to the StartSSL website, register to be a user, download and install the client-certificate they created for you. Now, we can start making our certificates:

Create an RSA encoded PEM key

%openssl genrsa -des3 -out my-domain.net.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for my-fictitious-domain.com.key:
Verifying - Enter pass phrase for my.fictitious-domain.com.key:

Generate the CSR:

%openssl req -new -key my-domain.key -out blah.my-domain.csr
... answer questions…

Copy/Paste the CSR into the provided text box on StartSSL, follow the prompts, validate your email address and then download your Certificate file. Install the Certificate file someplace you’ll find it later (/usr/local/ssl/certs, /etc/ssl/certs, /usr/local/apache/certs/). Download the CA certs from StartSSL be sure to download these at least:

Class 1 Intermediate Server CA

Save this where you saved the certificate for your host.

Add the following lines to your Apache SSL config:

SSLCertificateFile /location/to/your/cert/file.pem
SSLCertificateKeyFile /location/to/your/keyfile.key
SSLCertificateChainFile /location/to/startcom.class1.server.ca.crt

NOTE WELL: the use of an encrypted key file is ‘recommended’ so that if someone unsavory gets ahold of your cert file and key file they can’t become your webserver. This does, however, mean that the service will not auto-start since apache will require you to type the passphrase into a dialog to decrypt the key. This can be avoided, at the expense of some security with:

openssl rsa -in your-domain.key -out your.domain.decr.key

and making the line referencing the key in the apache config:

SSLCertificateKeyFile /location/to/your/keyfile/your.domain.decr.key

Now, restart your web service and rejoice.

user $> grep “restricted SMS e-mail” /var/log/mail.log | sed ‘s/^.* to=//’ | sed ‘s/,.*$//’ | sed ‘s/[<>]//g' | sed 's/@.*$//' | sort -rn | uniq -c | sort -rn | more
1 6307282195
1 6307213667
1 6306997321
1 6306990660
1 6306676641
1 6306247678

Looking for bounced VZW users:

user $> grep vtext /var/log/doit-mail.log | grep -v “status=sent” | grep “status=deferred” | sed ‘s/^.* to=//’ | sed ‘s/, .*$//’ | sed ‘s/[<>]//' | sed 's/@.*$//' | sort -rn | uniq -c | sort -rn | more
11 3123392171
10 8123202309
9 6302941108
8 8477076867
8 7733320757
8 6179534027
7 8152631645

- more in a bit -

gpstrans - communicate with Garmin GPS receiver

you may also have better luck with the more robust (seemingly)

gpsbabel - Universal GPS format translator

Either will let you connect via a USB-Serial dongle to the serial port on the Garmin.
(what model GPS is this?)

morrowc@tweezer:~$ gpstrans -p /dev/ttyUSB0 -i
GPStrans (ASCII) - Version 0.40
Copyright (c) 2005 by Carsten Tschach (tschach@zedat.fu-berlin.de)
Linux/KKJ mods by Janne Sinkkonen (1996)
Copyright (c) 2000 German Grid by Andreas Lange
Copyright (c) 1998,2000 Mayko-mXmap mods by Matthias Kattanek
Copyright (c) 2001 Development by Joao Seabra-CT2GNL
Copyright (c) 2005 Development by Jim Van Zandt
Warning: device with product ID 411 is unknown - assuming it’s like a GPS II.
Connected GPS [/dev/ttyUSB0] is: Garmin eTrex Legend Software Version - V3.7

Lets download some waypoints:

morrowc@tweezer:~$ gpstrans -p /dev/ttyUSB0 -dt
Warning: device with product ID 411 is unknown - assuming it’s like a GPS II.
Format: DMS UTC Offset:  0.00 hrs Datum[100]: WGS 84
Type Date Latitude Longitude
H -1075874956
T 08/17/2008 11:35:00 XX°52’25.5” -YY°58’53.3”
T 08/17/2008 11:35:40 XX°52’25.4” -YY°58’53.2”
T 08/17/2008 11:36:23 XX°52’25.3” -YY°58’53.1”
.
.
.

Success! Now, take your output, push that through a php script and apply it to google-maps!

The gpsbabel version of getting content/tracks off the GPS device is:

gpsbabel -t - i garmin -f /dev/ttyUSB0 -o kml -F /tmp/track_output.kml

The kml file can then be loaded directly in google-earth and you can watch your icon roll along the path of the GPS route.

zone “007arcadegames.com” {type master; file “/etc/namedb/blockeddomain.hosts”;};
zone “008i.com” {type master; file “/etc/namedb/blockeddomain.hosts”;};
zone “008k.com” {type master; file “/etc/namedb/blockeddomain.hosts”;};

SAGA-dc.org even provides the empty zone file, to do this in an automated fashion:

put in your root crontab:

31 0,6,12,18 * * * /usr/bin/wget -q -O - http://dns-bh.sagadc.org/files/spywaredomains.zones | sed ‘s/\/namedb\//\/bind\//’ > /etc/bind/spywaredomains.zones 2>&1 && pkill -HUP named

setup named to read this new zone info, add to the bottom of your named.conf:

include “/etc/bind/spywaredomains.zones”;

Now, anyone that uses your recursive resolver should better protected than before…

1) open Terminal.app (Applications/Utilities/Terminal.all or if you see below and install quicksilver: Cmd-space Term)

2) use ssh-keygen to make a key:

mba:~ you$ ssh-keygen -t dsa -f .ssh/id_dsa
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase): (put in your passphrase here)
Enter same passphrase again: (repeat passphrase)
Your identification has been saved in .ssh/id_dsa.
Your public key has been saved in .ssh/id_dsa.pub.
The key fingerprint is:
d6:d3:54:79:16:14:ab:42:cf:80:52:6f:9b:55:5e:4e morrowc@mba.local

3) scp that id_dsa.pub to your ssh bastion host

mba:~ you$ scp .ssh/id_dsa.pub you@bastion:.ssh/mba_id_dsa.pub
Password: (your passwd here)

4) ssh to the bastion and append the mba_id_dsa.pub to your .ssh/authorized_keys file

bastion:~ you$ cat .ssh/mba_id_dsa.pub >> .ssh/authorized_keys
bastion:~ you$ chmod 400 .ssh/authorized_keys

5) exit the ssh and attempt an ssh again, you should be prompted for your passPHRASE not passWORD.

All good! Now for the tunneling bits, I suggest:

1) 8080 for web traffic (http/https/ftp)
2) 8000 for chat traffic (aim/gtalk don’t like squid for some reason, but don’t mind socks proxying)

We’ll be setting up an alias command that does all the hard work for us, this alias lives in your ~/.bash_profile file, here’s the setup:

1) edit ~/.bash_profile (vi ~/.bash_profile)
2) add this

alias proxy="ssh you@ssh-bastion -D127.0.0.1:8000 -L8080:127.0.0.1:3128”

Now, to test this, do:

mba:~ you$ . .bash_profile
mba:~ you$ proxy

which should log you into your bastion host and setup the tunnels, which you can verify with firefox/safari provided you setup the proxy-bits on those applications.

All this said, i’d get the following additional applications for your Mac:

1) Adium-X the all-over-goodness chat client (yahoo/msn/gtalk/aim and more protocols available)
2) QuickSilver a replacement to the horrid Spotlight searching, includes app launching capabilties as well

########
# special additions for tcp speedups
net/ipv4/tcp_tw_reuse = 1
net/ipv4/tcp_tw_recycle = 1
net/core/somaxconn = 1024
net/ipv4/ip_local_port_range = 2048 65000
#
# nf_conntrack additions
net/netfilter/nf_conntrack_generic_timeout = 300
net/netfilter/nf_conntrack_tcp_timeout_established = 14400
net/netfilter/nf_conntrack_tcp_timeout_fin_wait = 20
net/netfilter/nf_conntrack_tcp_timeout_close_wait = 20
net/netfilter/nf_conntrack_tcp_timeout_last_ack = 10
net/netfilter/nf_conntrack_tcp_timeout_time_wait = 20
net/netfilter/nf_conntrack_tcp_timeout_close = 10
net/netfilter/nf_conntrack_udp_timeout = 10
net/netfilter/nf_conntrack_udp_timeout_stream = 30
net/netfilter/nf_conntrack_icmp_timeout = 5

This reduces some conntrack timeouts significantly, take:

net/netfilter/nf_conntrack_tcp_timeout_established = 14400

for instance which was set to something on the order of: 432000 which is about (432000/86400 = 5 days). So, anything that didn’t end properly (apparently lots of spambots fall into this category) would stick around for almost 5 days time. With a limit of 65k sessions in the nf_conntrack state-table this is obviously a bad thing. So, add the above text to your /etc/sysctl.conf and reload that with sysctl -p /etc/sysctl.conf…

-A INPUT -s ip-block/mask -j DROP
-A INPUT -s ip-block/mask -j DROP
-A INPUT -s ip-block/mask -j DROP

downloads available at:

linky-loo

Obviously you can sed/awk/perl your way into the final listing that fits your model better. Some other resources on blocking known bad traffic can be found over at:

DShield
MyNetWatchman

Note that the list I have isn’t from either of these… but they are great resources none-the-less.