
..:: seize the day ::..

December 31, 2008

Workaround for bluetooth problem in openSUSE 11.1 (well, partially)

Filed under: IT stuff

Another problem in openSUSE 11.1 is the broken kbluetooth service. It is mentioned in Bugzilla. If someone uses a Bluetooth keyboard and/or mouse with their PC, it will be difficult for him/her to use the computer :-P . I only need Bluetooth to connect my Nokia E51 cellphone to my laptop, and I only do this if I’m out of the office and cannot get wireless or an Ethernet cable to connect to the internet. (I have another workaround here, which enables you to transfer files with Bluetooth on openSUSE 11.1.)

You will notice the problem if you point the mouse at the Bluetooth applet in the panel/systray. It returns the line "No Bluetooth Adapter". If you click the kbluetooth applet it returns

 [image: bluetooth-err]

Well, actually I don’t use Bluetooth to transfer files from my cellphone, so I can live with that. However, "hcitool scan" works, and the Bluetooth service can scan and find other Bluetooth devices without problems. This is good news :-)

 [image: hcitool-scan]

Basically, I turn on Bluetooth on my Nokia E51, then run "hcitool scan" on my laptop, and it finds the phone. Try it on your laptop/PC too.

I tried to pair my Nokia E51 with the laptop through the cellphone menu, but it could not find the Bluetooth on my laptop. So I downloaded the simple-agent file from git.kernel.org. Just right-click the "raw" link next to simple-agent and save the link as a file on your hard disk; you should rename it to simple-agent. It is a Python script.

Go to the directory where you saved the file and run "chmod +x simple-agent" to give yourself execute permission on the file. Then run the script to see if it works. In my case it looks like this (replace the address with your cellphone’s address from "hcitool scan"):

~ ./simple-agent hci0 00:1D:FD:EE:79:96 

and the result is 

RequestPinCode (/org/bluez/4871/hci0/dev_00_1D_FD_EE_79_96)
Enter PIN Code: 1234    <-- enter a PIN code here and the same PIN on the cellphone
Release
New device (/org/bluez/4871/hci0/dev_00_1D_FD_EE_79_96)

Don’t be afraid to retry this command several times until it succeeds. I tried 3 times before I could connect to the cellphone.

Now I can easily use the cellphone to connect to my 3G internet provider with "sudo wvdial E51". (You can read my other posting here.) It looks like everything is OK but….. wait.

[image: dns-err]

Argh…. no nameserver. I understand this problem and it is actually easy to solve. I use knetworkmanager to connect to my office access point. Now when I try to connect to the internet using my cellphone, NetworkManager doesn’t write the nameserver from the different provider to /etc/resolv.conf. I went to YaST - network device - network setting, opened the global options tab and selected "Traditional Network with ifup" as the Network Setup Method. In short, I use ifup instead of NetworkManager for this connection. Hmm…. this might be a problem for people who travel a lot :-P . Searching Bugzilla, at least one person has already reported it.

After changing the network connection method to ifup, everything now runs perfectly :-)

[image: wvdial]

OK folks, that’s it for now. Till then, keep safe and stop global warming.

Have a lot of fun

December 26, 2008

Workaround for Sound Problem on openSUSE 11.1 on Intel ICH9

Filed under: IT stuff

OK, without further ado: I also have a problem with the openSUSE 11.1 installation on my HP 2230s laptop. There is no sound :-( .

My laptop’s sound card is an Intel 82801I (ICH9 Family); this is the "lspci | grep Audio" result:

slowhand:/home/medwinz # lspci | grep Audio
00:1b.0 Audio device: Intel Corporation 82801I (ICH9 Family) HD Audio Controller (rev 03) 

I know some people in the list thread have the same problem as me, and I even filed a bug report for this case. Before I submitted the bug report I browsed the openSUSE forum thread for the same case, and also googled around and found a close relative on Ubuntu Launchpad. I understand that this is the holiday season and the Novell bug-fixing staff might not be too responsive. So, based on the information I gathered, I could finally make my laptop ready to rock again :-)

This is the workaround and the steps I took:

cat /proc/asound/card0/codec#* | grep Codec
My result:
   Codec: Analog Devices AD1984A
   Codec: LSI ID 1040
   Codec: Intel G45 DEVCTG

Checking through /usr/src/linux-2.6.27.7-9/Documentation/sound/alsa/ALSA-Configuration.txt with less, I found some entries for AD1984A:

AD1884A / AD1883 / AD1984A / AD1984B
         desktop       3-stack desktop (default)
         laptop          laptop with HP jack sensing
         mobile         mobile devices with HP jack sensing
         thinkpad      Lenovo Thinkpad X300
AD1984
         basic          default configuration
         thinkpad      Lenovo Thinkpad T61/X61
         dell             Dell T3400
Then I modified /etc/modprobe.d/sound to become:
options snd slots=snd-hda-intel
# I added the next line, because ALSA seems confused
options snd-hda-intel model=laptop
# u1Nb.s7WKievqWt5:82801I (ICH9 Family) HD Audio Controller
alias snd-card-0 snd-hda-intel
alias sound-slot-0 snd-hda-intel
Reboot and set all the sliders all the way up in kmix. Check the sound with 'speaker-test -c2 -l5 -twav' from the konsole. Everything is ready to rock again.
 
I decided to install Amarok and the restricted formats from the community repositories, and when it finished I set the engine to xine and tried to play my mp3 collection, but no sound :-( something was broken again. I tried installing vlc from Packman as well, and with it I can hear the mp3s. The question is what happened to the Amarok package from the Packman repo? It is OK on 11, so why not on 11.1? Then, after reading the wiki, I decided to install the yauap and gstreamer engines (which I think doesn’t make sense), but what happened is that the mp3s can now automagically be played through Amarok. That is enough explanation for me :-)

Have a lot of Fun

Workaround for DVD access on openSUSE 11.1

Filed under: IT stuff

medwinz note:

According to Marcus Meissner from SUSE this bug is already fixed. So the first thing you should do, if you as a normal user cannot get write access to your DVD writer, is an online update of hal. See also the information on the openSUSE wiki.

openSUSE 11.1 came out on December 18, 2008. It brings a new experience for the community members who have always been fascinated by this distribution. One thing I find really annoying is that a non-root user cannot access the DVD drive to make a copy, burn an ISO or do anything else using tools like k3b. After searching Bugzilla and the discussion on the openSUSE mailing list, at least we found a workaround for this problem.

Below are some workarounds that may help you solve the situation, at least until the official update comes out.

Check your access to the DVD drive. Run 'getfacl /dev/sr0' from the konsole. For a non-root user, before a blank DVD-R is inserted, it should be something like:

medwinz@slowhand:~> getfacl /dev/sr0
getfacl: Removing leading '/' from absolute path names
# file: dev/sr0
# owner: root
# group: disk
user::rw-
user:medwinz:rw-
group::rw-
mask::rw-
other::---

After you insert blank DVD-R the same command gives

medwinz@slowhand:~> getfacl /dev/sr0
getfacl: Removing leading '/' from absolute path names
# file: dev/sr0
# owner: root
# group: disk
user::rw-
group::rw-
mask::rw-
other::---

If your result looks like the above, where the non-root user is missing the permission (rw) to access the DVD drive, then you have a problem :-)

The easiest workaround is to change the content of /usr/share/PolicyKit/policy/org.freedesktop.hal.device-access.policy. In some ways openSUSE 11.1 treats the DVD burner as a removable block medium, and access to this medium is prohibited for non-root users. Open that file (as root, using su) and find the section that starts with <action id="org.freedesktop.hal.device-access.removable-block">, then change the content below it to:

<action id="org.freedesktop.hal.device-access.removable-block">

   <description>Directly access removable block devices</description>
   <message>System policy prevents access to removable block devices</message>
   <defaults>
     <allow_inactive>yes</allow_inactive>
     <allow_active>yes</allow_active>
   </defaults>
 </action>

Now restart your computer. It should be ok now to use k3b to burn your DVD.

Another workaround is to make your user a member of the "cdrom" group. Then create the file /etc/udev/rules.d/99-my.rules with the following entry:

KERNEL=="sr*[0-9]", GROUP="cdrom", MODE="0660"

Reboot your computer and it should be OK now. The rule makes sure that /dev/sr0 is always owned by root:cdrom and that the cdrom group has permission to read and write the DVD/CD.
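The before/after getfacl comparison and the udev workaround can both be checked with a short script. This added example (not part of the original post) applies the POSIX ACL evaluation order to getfacl output; the group list passed for medwinz and the third sample are assumptions made for the example.

```sh
# Added example: does this getfacl output give USER read+write on the device?

# ACL shown above before the blank DVD-R is inserted.
acl_before() {
cat <<'EOF'
# file: dev/sr0
# owner: root
# group: disk
user::rw-
user:medwinz:rw-
group::rw-
mask::rw-
other::---
EOF
}
# After inserting the disc the named-user entry is gone, as shown above.
acl_after() { acl_before | grep -v '^user:medwinz:'; }
# Constructed: a plain root:cdrom 0660 node, the state the udev rule aims for.
acl_udev() { acl_after | sed -e 's/^# group: disk/# group: cdrom/' -e '/^mask/d'; }

# acl_grants_rw USER "GROUP ...": getfacl output on stdin, prints yes or no.
acl_grants_rw() {
    awk -v user="$1" -v groups=" $2 " '
    function rw(p) { return p ~ /^rw/ }
    /^# owner:/ { owner = $3 }
    /^# group:/ { ogroup = $3 }
    /^#/ || NF == 0 { next }
    {
        split($1, f, ":")                      # type:qualifier:perms
        if (f[1] == "user" && f[2] == "") uobj = f[3]
        else if (f[1] == "user")  nuser[f[2]] = f[3]
        else if (f[1] == "group") grp[(f[2] == "") ? ogroup : f[2]] = f[3]
        else if (f[1] == "mask")  { mask = f[3]; hasmask = 1 }
        else if (f[1] == "other") other = f[3]
    }
    END {
        m = !hasmask || rw(mask)               # mask caps named and group entries
        if (user == owner)      ok = rw(uobj)
        else if (user in nuser) ok = rw(nuser[user]) && m
        else {
            for (g in grp) if (index(groups, " " g " ")) { hit = 1; if (rw(grp[g]) && m) ok = 1 }
            if (!hit) ok = rw(other)
        }
        print (ok ? "yes" : "no")
    }'
}

acl_after | acl_grants_rw medwinz "users"      # prints: no
```

On a live system, pipe `getfacl /dev/sr0 2>/dev/null` into `acl_grants_rw "$USER" "$(id -Gn)"` instead of the samples.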

Have a lot of fun

December 10, 2008

Using SuSEfirewall to Block “Naughty” ssh Access

Filed under: IT stuff

One of the "facilities" openSUSE gives its users is SuSEfirewall. Well, many users feel it is not quite proper unless they use iptables and write their own script. OK, I was like that too at first, but over time I was won over by the convenience of SuSEfirewall. Conversely, users who are used to shorewall or the various other userspace firewalls that come wrapped in one attractive package feel that using SuSEfirewall only adds difficulty ;-)

It is all a matter of choice; none is better or worse, because behind the userspace tool it is still iptables anyway :-)

Have you ever checked your logs and found something like this:

  Dec  1 05:26:44 mail sshd[5103]: Failed password for root from ::ffff:210.18.10.171 port 26776 ssh2
  Dec  1 05:26:44 mail sshd[5103]: Received disconnect from ::ffff:210.18.10.171: 11: Bye Bye
  Dec  1 05:26:48 mail sshd[5114]: Failed password for root from ::ffff:210.18.10.171 port 27716 ssh2
  Dec  1 05:26:49 mail sshd[5114]: Received disconnect from ::ffff:210.18.10.171: 11: Bye Bye
  Dec  1 05:26:53 mail sshd[5123]: Failed password for root from ::ffff:210.18.10.171 port 28562 ssh2
  Dec  1 05:26:53 mail sshd[5123]: Received disconnect from ::ffff:210.18.10.171: 11: Bye Bye

Try checking your server, for example:

  # grep ssh /var/log/messages | less

Notice that quite a lot of "script kiddies" are trying to get into your server through ssh. Admittedly, if you have a password that is hard to guess (not in the dictionary of a brute-force attack) it may be hard to break in. But frankly this becomes annoying over time, because it makes your server spend part of its resources on it.

You may have heard of, or even used, denyhosts and fail2ban. Both are widely used to block IPs or hosts caught trying several times to get into your host illegally. It turns out SuSEfirewall also has this IP-blocking function, with a very short setting.

On openSUSE 10.3 and 11.0, the function is enabled by adding or activating the line below in /etc/sysconfig/SuSEfirewall:

  FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

This line means the firewall will block an IP that attempts invalid ssh access 3 times within 60 seconds. Note that you must disable port 22 in FW_SERVICES_EXT_* and/or FW_TRUSTED_NETS. After editing, restart/start your SuSEfirewall.

  rcSuSEfirewall2 restart

The equivalent of this SuSEfirewall configuration as an iptables script is more or less:

  iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
  iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH attack: '
  iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 3 -j REJECT
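To see which sources in a log like the excerpt above would have reached the 3-in-60-seconds threshold, this added example (not part of the original post) counts failed sshd logins per source address in a sliding window. The last four sample log lines and the function names are constructed for illustration; the firewall rule counts new connections to the port rather than failed logins, so the log-based count is an approximation of what it would block.

```sh
# Added example: flag sources with >= HIT failed sshd logins inside WIN seconds.

# The first six lines are the log excerpt shown above; the last four are
# constructed (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
sample_log() {
cat <<'EOF'
Dec  1 05:26:44 mail sshd[5103]: Failed password for root from ::ffff:210.18.10.171 port 26776 ssh2
Dec  1 05:26:44 mail sshd[5103]: Received disconnect from ::ffff:210.18.10.171: 11: Bye Bye
Dec  1 05:26:48 mail sshd[5114]: Failed password for root from ::ffff:210.18.10.171 port 27716 ssh2
Dec  1 05:26:49 mail sshd[5114]: Received disconnect from ::ffff:210.18.10.171: 11: Bye Bye
Dec  1 05:26:53 mail sshd[5123]: Failed password for root from ::ffff:210.18.10.171 port 28562 ssh2
Dec  1 05:26:53 mail sshd[5123]: Received disconnect from ::ffff:210.18.10.171: 11: Bye Bye
Dec  1 05:30:02 mail sshd[5200]: Failed password for invalid user test from 192.0.2.10 port 40000 ssh2
Dec  1 05:31:00 mail sshd[5210]: Failed password for root from 198.51.100.7 port 40001 ssh2
Dec  1 05:32:30 mail sshd[5211]: Failed password for root from 198.51.100.7 port 40002 ssh2
Dec  1 05:34:00 mail sshd[5212]: Failed password for root from 198.51.100.7 port 40003 ssh2
EOF
}

# ssh_offenders HIT WIN: syslog lines on stdin, one offending address per line.
ssh_offenders() {
    awk -v hit="$1" -v win="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
        # Syslog has no year; months are spaced 31 days apart, which keeps
        # timestamps ordered but misses a burst that straddles a month end.
        mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        split($3, hms, ":")
        t = ((mon * 31 + $2) * 24 + hms[1]) * 3600 + hms[2] * 60 + hms[3]
        # Keep the LAST "from": the user name is attacker-chosen text and
        # may itself contain " from <address>".
        ip = ""
        for (i = 4; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "") next
        sub(/^::ffff:/, "", ip)             # IPv4-mapped IPv6 prefix
        n = ++count[ip]; seen[ip, n] = t
        if (n >= hit && t - seen[ip, n - hit + 1] <= win && !(ip in flagged)) {
            flagged[ip] = 1; print ip
        }
    }'
}

sample_log | ssh_offenders 3 60     # same thresholds as the firewall line
```

Against a real log, run `grep sshd /var/log/messages | ssh_offenders 3 60`.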

Some practical tips

Below are some practical tips for tightening ssh access to your server. After all, you very much need ssh access to administer your server.

  1. Make sure you update your ssh package to the latest version.
  2. Disable root login in ssh. Log in as a normal user, then switch with su or use sudo.
  3. Limit LoginGraceTime and MaxAuthTries.
  4. Move the ssh port from the standard port 22 to another port (for example a high port). This will keep the "script kiddies" a little busy because port 22 will be rejected.
  5. Enable the SuSEfirewall configuration above (change the port to your ssh port, for example from 22 to 22000).
  6. Check your logs diligently.
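
Tips 2 to 4 can be checked mechanically. This added example (not from the original post or the OpenSSH project) audits the global part of an sshd_config; the limits of 60 seconds and 3 tries, the function names and both sample files are assumptions made for the example.

```sh
# Added example: audit the global section of an sshd_config against tips 2-4.
# MAX_GRACE / MAX_TRIES are assumed limits; the post gives no numbers.

weak_config() {          # constructed sample: nothing tightened
cat <<'EOF'
#Port 22
PermitRootLogin yes
#LoginGraceTime 2m
EOF
}

hardened_config() {      # constructed sample that follows the tips
cat <<'EOF'
Port 22000
PermitRootLogin no
LoginGraceTime 30
MaxAuthTries = 3
EOF
}

# audit_sshd_config: config on stdin, one FAIL line per finding, status 1 if any.
audit_sshd_config() {
    awk -v max_grace="${MAX_GRACE:-60}" -v max_tries="${MAX_TRIES:-3}" '
    function fail(msg) { print "FAIL " msg; bad++ }
    { sub(/#.*/, ""); sub(/[ \t]*=[ \t]*/, " ") }   # comments, "key = value"
    NF < 2 { next }
    { key = tolower($1) }                           # keywords ignore case
    key == "match" { exit }                         # conditional blocks skipped
    key == "port" { nports++; if ($2 == 22) port22 = 1; next }
    !(key in conf) { conf[key] = tolower($2) }      # sshd keeps the first value
    END {
        if (conf["permitrootlogin"] != "no") fail("PermitRootLogin is not no")
        # 120 s and 6 tries are the OpenSSH defaults when the keyword is unset.
        g = ("logingracetime" in conf) ? conf["logingracetime"] : "120"
        secs = g + 0
        if (g ~ /m$/) secs *= 60
        if (g ~ /h$/) secs *= 3600
        if (g !~ /^[0-9]+[smh]?$/ || secs == 0 || secs > max_grace)
            fail("LoginGraceTime " g " is not within 1.." max_grace " s")
        t = ("maxauthtries" in conf) ? conf["maxauthtries"] + 0 : 6
        if (t > max_tries) fail("MaxAuthTries " t " exceeds " max_tries)
        if (nports == 0 || port22) fail("sshd listens on default port 22")
        exit (bad > 0)
    }'
}

weak_config | audit_sshd_config || echo "weak sample: see FAIL lines above"
hardened_config | audit_sshd_config && echo "hardened sample: no findings"
```

To audit a real server, feed it the file directly: `audit_sshd_config < /etc/ssh/sshd_config`.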

Have a lot of fun