Showing posts with label software. Show all posts

Monday, March 30, 2015

Block Asterisk SIP registrations from internet/WAN hackers with iptables/shorewall

As a result of hundreds of hacking attempts targeted at my Asterisk server from the internet, I installed Fail2ban to automatically ban the hackers' IP addresses after 3 failed attempts, with the following in my jail.conf:
[asterisk-udp]

enabled  = true
filter   = asterisk
action   = iptables-multiport[name=asterisk-udp, port="5060", protocol=udp]
           sendmail-whois[name=Asterisk-udp, dest=root, sender=root]
logpath  = /var/log/asterisk/messages
maxretry = 3

However, I then started to receive hundreds of emails from Fail2ban telling me that IP addresses were being banned one after another. Below is an example email for the ban of an IP address in France:
Hi,
The IP 195.154.38.225 has just been banned by Fail2Ban after
63 attempts against Asterisk-udp.


Here is more information about 195.154.38.225:

Regards,

Fail2Ban

I had had enough of such emails, so I started looking for a way to block these hacking attempts from reaching my Asterisk server at all. I had shorewall installed on the Asterisk server as my firewall and NAT router. It has the interface net defined on the internet/WAN side, and the iptables chain net2fw is the relevant one for managing traffic from the internet to my firewall.
Therefore I added the following to /etc/shorewall/started to drop all SIP registration packets (those containing the string "REGISTER sip:") arriving from the internet and destined for UDP port 5060 of my firewall:
/usr/sbin/iptables -I net2fw -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
The --algo option is a required parameter that specifies the pattern-matching strategy (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris). After restarting shorewall, iptables shows the following:
# iptables -L net2fw
Chain net2fw (1 references)
target     prot opt source               destination      
DROP       udp  --  anywhere             anywhere             udp dpt:sip STRING match  "REGISTER sip:" ALGO name bm TO 65535
And I'm happy now that all these annoying hacking attempts are properly handled.
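
To see which sources produce the failed registrations that Fail2ban counts against maxretry, the log named in logpath can be summarised per source address. The script below is an added example, not part of the original post; the sample log lines are constructed, and the chan_sip "Registration from ... failed for" line format and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): count failed SIP registrations
# per source address in an Asterisk log, i.e. the events that Fail2ban's
# asterisk filter counts against maxretry.
# Assumption: chan_sip NOTICE lines of the form
#   Registration from '<peer>' failed for '<ip>[:port]' - <reason>

# Usage: sip_failed_regs [THRESHOLD] < /var/log/asterisk/messages
# Prints "<count> <ip>" for every source with at least THRESHOLD failures,
# busiest source first. THRESHOLD defaults to 3 (the maxretry used above).
sip_failed_regs() {
    awk -v min="${1:-3}" -v q="'" '
        /Registration from/ {
            # The regex is built from q to avoid nesting single quotes in sh.
            if (match($0, "failed for " q "[^" q "]+" q)) {
                # Skip the 12 characters of: failed for <quote>
                src = substr($0, RSTART + 12, RLENGTH - 13)
                sub(/:[0-9]+$/, "", src)    # strip :port (IPv4 only)
                hits[src]++
            }
        }
        END {
            for (src in hits)
                if (hits[src] >= min) print hits[src], src
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log; WAN addresses are from documentation ranges.
sample_log() {
    cat <<'EOF'
[2015-03-30 02:11:05] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@198.51.100.10>' failed for '203.0.113.7:5071' - Wrong password
[2015-03-30 02:11:06] NOTICE[2211] chan_sip.c: Registration from '"102" <sip:102@198.51.100.10>' failed for '203.0.113.7:5071' - Wrong password
[2015-03-30 02:11:07] NOTICE[2211] chan_sip.c: Registration from '"admin" <sip:admin@198.51.100.10>' failed for '203.0.113.7:5083' - No matching peer found
[2015-03-30 02:11:09] NOTICE[2211] chan_sip.c: Registration from '"103" <sip:103@198.51.100.10>' failed for '203.0.113.7' - Wrong password
[2015-03-30 02:15:40] NOTICE[2211] chan_sip.c: Registration from '"200" <sip:200@198.51.100.10>' failed for '203.0.113.9:5060' - Wrong password
[2015-03-30 02:15:41] NOTICE[2211] chan_sip.c: Registration from '"201" <sip:201@198.51.100.10>' failed for '203.0.113.9:5060' - Wrong password
[2015-03-30 08:02:13] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@192.168.1.1>' failed for '192.168.1.20:5060' - Wrong password
[2015-03-30 08:02:30] VERBOSE[2211] chan_sip.c: Registered SIP '101' at 192.168.1.20:5060
[2015-03-30 08:40:00] NOTICE[2211] chan_sip.c: Peer '101' is now UNREACHABLE!
EOF
}

# Sources that reach the maxretry of 3 in the sample.
sample_log | sip_failed_regs 3
```

Run against the real log before and after loading the DROP rule, the list of WAN addresses shows whether REGISTER attempts from the net side still reach Asterisk.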

Tuesday, December 23, 2014

Fix slow USB mouse response on my Chromium OS


I have a cordless USB mouse, a Lenovo N50, connected to an MSI X340 laptop with Chromium OS installed on it. The same mouse works flawlessly on an Acer C720 Chromebook, but its response is very slow on the X340 with the Chromium OS ArnoldTheBats build. The movement of the mouse cursor on the screen always lags that of the actual mouse by a noticeable amount of time. I tried changing the mouse settings in the Chromium browser and with xset in the console, but neither worked. However, today I was able to fix it by updating Chromium OS to the latest build, following the steps below:
  1. Set my own password for the root user: go to the Developer Console in Chromium (press Ctrl-Alt-F2) and log in as user "chronos" with the initial password "password". Then type the following command:
    sudo chromeos-setdevpasswd

    and enter the new password
  2. Become root user by typing the following command:
    sudo su

    and enter the password set in the previous step
  3. Check network status with the following command:
    ifconfig 
    In my case, the wireless interface wlan0 is not connected under developer console as no IP address is shown under wlan0. I had to connect an ethernet cable to the laptop to get interface eth0 up. 
  4. Update Chromium OS to the latest build with the following command:
    update_engine_client --update --omaha_url=http://chromebld.arnoldthebat.co.uk:8080/update
  5. (May not be necessary) After the above update is successful, type the following command:
    sudo stateful_update 
    In my case, this command actually failed.
  6. Try updating the system again as the previous command failed:
    update_engine_client --update
    sudo stateful_update 
    There is no need to supply --omaha_url any more in future updates. It showed that the update succeeded and that the system needed a reboot.
  7. Reboot the system and now the mouse is as responsive as on the other Chromebook
  8. Reinstall the Flash plugin: the update was 32-bit, so I used the first instruction below with the link http://goo.gl/FrT7Q6

Monday, December 22, 2014

Install Samba 4.1 AD DC on CentOS 7 with yum

CentOS 7's bundled Samba 4 does not provide Active Directory (AD) Domain Controller (DC) functionality, due to the incompatibility between the Kerberos 5 library used by a Samba 4 AD DC (Heimdal) and the one used by RHEL/CentOS (MIT). However, Samba 4 binaries (rpms) compiled with the Heimdal Kerberos library for CentOS 7 can be obtained from the Sernet Samba repository without the need to compile Samba from its source code.

To download the rpm files with yum, a user account at the Sernet Samba repository is necessary. Signing up for a user account at Sernet is totally free and can be done in a minute. Upon successful registration, one can log into the portal and obtain a yum repo file with one's username and password embedded in the repo URL. The repo file can be copied to /etc/yum.repos.d, and one can then use yum to install the necessary rpms for a Samba 4 AD DC on CentOS 7.

If the bundled Samba 4 is installed on the system, remove it with yum first.
yum remove "samba*"
The following Samba 4.1 rpms can then be installed from Sernet on CentOS 7 to enable an AD DC:
sernet-samba-libs-4.1.14-9.el7.x86_64
sernet-build-key-1.1-4.noarch
sernet-samba-common-4.1.14-9.el7.x86_64
sernet-samba-libsmbclient0-4.1.14-9.el7.x86_64
sernet-samba-4.1.14-9.el7.x86_64
sernet-samba-winbind-4.1.14-9.el7.x86_64
sernet-samba-ad-4.1.14-9.el7.x86_64
sernet-samba-client-4.1.14-9.el7.x86_64


If there is an existing Samba 3 NT4-style domain, it can be upgraded to an AD-type domain with samba-tool, which is installed as part of the packages above. The Samba Classic Upgrade wiki guide provides excellent instructions on the upgrade. For simplicity, one can use Samba 4's built-in DNS server for the AD DC. After the upgrade is complete, start the AD DC with
service sernet-samba-ad start
and test it following this guide.

Friday, May 9, 2014

Enable Flash, PDF and mp3 plugins for 64-bit Chromium OS ArnoldTheBats build

Yesterday I downloaded the latest 64-bit Chromium OS ArnoldTheBats daily build, Camd64OS-20140508010101.img.7z, and installed it on an old MSI X340 laptop. It booted into Chromium OS successfully and Wi-Fi worked well (press Fn-F8 to turn on Wi-Fi if the Wi-Fi LED is not lit). However, its web browser lacks the Flash, mp3 player and PDF viewer plugins that Chrome OS has. I had to do the following to get them to work:
  1. Log in as a normal Chromium user (not a guest or a supervised one)
  2. Push Ctrl-Alt-F2 to open the developer console, where it shows "localhost login:"
  3. Enter "chronos" as the login user, "password" as the password if prompted
  4. Run the following command to become the root user
    sudo su
  5. Run the following command script as root user to enable the 64-bit flash and PDF plugin
    curl -L http://goo.gl/MuVta5 | bash
    After it downloads a file that is about 10 MB, it will install the 64-bit flash, mp3 player and PDF viewer plugins and restart the Chromium OS. The following functions were verified to be working after logging into Chromium:
  • Flash
  • PDF
  • mp3/mp4

Tuesday, January 28, 2014

Stop sleeping computers from waking up at nights by themselves

Recently, annoyingly, some of my sleeping computers started waking up at night at random. The first thing I did was to identify the devices currently configured to wake the computer from a sleep state in Windows, with the following command line:
Powercfg -devicequery wake_armed
Below is the list of the devices returned by the command:
Standard PS/2 Keyboard
Logitech USB TrackMan Wheel
Realtek PCIe GBE Family Controller

Since I had configured the computer to allow wake-on-LAN by magic packets for a while, it is anticipated to see the device "Realtek PCIe GBE Family Controller" on the list. However, I didn't expect to see the other two devices since I didn't want any unintentional motion or events on them to wake the computer up. So what I did to disarm them from waking up the computer is:
powercfg -devicedisablewake "Logitech USB TrackMan Wheel"
powercfg -devicedisablewake "Standard PS/2 Keyboard"
The above commands run in Windows 7 or 8 from an elevated command prompt (the Command Prompt program run with administrator privileges). Now if I query for wake_armed devices again, I only see the network adapter, which is what I want.

Another useful command for troubleshooting unintended wake-ups is
powercfg -lastwake
which reports information about the last event that woke the computer from sleep. Below is what one computer reported:
Wake History Count - 1
Wake History [0]
  Wake Source Count - 1
  Wake Source [0]
    Type: Wake Timer
    Owner: [SERVICE]     \Device\HarddiskVolume2\Windows\System32\svchost.exe (SystemEventsBroker)
    Reason: Windows will execute "NT TASK\Microsoft\Windows\Media Center\mcupdate_scheduled" scheduled task that requested waking the computer.


The above tells me that the task mcupdate_scheduled is so intelligent that it woke up the computer from sleep to do its job. And it is not alone. The following command can list all such clever tasks that can wake up the computer:
schtasks /query /FO list | more

The following command can disable the task from being scheduled again:
schtasks /change /TN "\Microsoft\Windows\Media Center\mcupdate_scheduled" /disable

After disabling all these tasks, the following command can confirm that no active timers are scheduled to wake up the computer.
powercfg -waketimers

The above changes worked for me to stop sleeping Windows 7 computers from waking up at nights by themselves.

Monday, July 22, 2013

Apache Hadoop with single Fedora node

Today when I tried to start Jobtracker for Apache Hadoop 1.2.1, I kept getting the following ENOENT error
FATAL org.apache.hadoop.mapred.JobTracker: ENOENT: No such file or directory
        at org.apache.hadoop.io.nativeio.NativeIO.chmod(Native Method)
        at org.apache.hadoop.fs.FileUtil.execSetPermission(FileUtil.java:699)
        at org.apache.hadoop.fs.FileUtil.setPermission(FileUtil.java:654)
        at org.apache.hadoop.fs.RawLocalFileSystem.setPermission(RawLocalFileSystem.java:509)
        at org.apache.hadoop.fs.RawLocalFileSystem.mkdirs(RawLocalFileSystem.java:344)
        at org.apache.hadoop.fs.FilterFileSystem.mkdirs(FilterFileSystem.java:189)
        at org.apache.hadoop.mapred.CompletedJobStatusStore.<init>(CompletedJobStatusStore.java:81)
        at org.apache.hadoop.mapred.JobTracker.initialize(JobTracker.java:2051)
        at org.apache.hadoop.mapred.JobTracker.offerService(JobTracker.java:2328)
        at org.apache.hadoop.mapred.JobTracker.main(JobTracker.java:4792)

I realized the most important error is the bold one, which is related to logging as specified in mapred-site.xml
<property>
  <name>mapred.job.tracker.persist.jobstatus.dir</name>
  <value>file:////var/log/hadoop/mr/jobstatus</value>
</property>


After the correct folder permissions are set, it should look like the following:
$ ll /var/log/hadoop/
drwxr-xr-x. 2 hdfs   hadoop 4096 Jul 22 22:45 hdfs
drwxr-xr-x. 4 mapred hadoop 4096 Jul 22 23:10 mapred
drwxr-xr-x. 2 mapred hadoop 4096 Jul 22 20:14 mr
After all the services are running, I can list them by
#jps
22896 DataNode
26189 TaskTracker
22225 NameNode
26502 Jps
26042 JobTracker
And I can list the listening ports of the services by
# lsof -i -P | egrep -v "ESTABLISHED" | grep java
java      22225   hdfs   66u  IPv4 573305      0t0  TCP localhost:8020 (LISTEN)
java      22225   hdfs   79u  IPv4 573311      0t0  TCP localhost:50070 (LISTEN)
java      22896   hdfs   63u  IPv4 575844      0t0  TCP *:50010 (LISTEN)
java      22896   hdfs   65u  IPv4 576654      0t0  TCP *:50075 (LISTEN)
java      22896   hdfs   73u  IPv4 575856      0t0  TCP *:50020 (LISTEN)
java      26042 mapred   64u  IPv4 589571      0t0  TCP localhost:9000 (LISTEN)
java      26042 mapred   75u  IPv4 589575      0t0  TCP localhost:50030 (LISTEN)
java      26189 mapred   61u  IPv4 590005      0t0  TCP localhost:40660 (LISTEN)
java      26189 mapred   79u  IPv4 590177      0t0  TCP *:50060 (LISTEN)



Monday, July 15, 2013

Fedora dracut in chroot environment

The following is the procedure to create a new initramfs when the root filesystem has structural changes, such as a move between LVM, MD or plain partitions.
  • Chroot to the desired folder (e.g. /mnt/temp)
    chroot /mnt/temp
  • mount the system partitions /proc, /run, /dev, /sys
    mount -t proc proc /proc
    mount -t tmpfs tmpfs /run
    mount -t devtmpfs devtmpfs /dev
    mount -t sysfs sysfs /sys
  • mount the /boot and / partition
    mount -t ext4 /dev/sdb1 /boot
    mount -t ext4 /dev/md0 /
  • Create the udev/data folder to emulate the udev database
    cd /run
    mkdir -p udev/data
  • To include mdadm in Fedora dracut: add module mdraid found in /usr/lib/dracut/modules.d/
    dracut -v -f -a mdraid --mdadmconf /boot/initramfs-$(uname -r).img $(uname -r)

Saturday, July 13, 2013

How to make Samba 4 shares writable with Fedora 19 and SELinux

Today I found I couldn't create new folders in my Samba 4 share under Fedora 19. This was due to the SELinux settings, since there wasn't any problem with SELinux disabled.

The status of the SELinux boolean values that are relevant to Samba can be queried via the following commands:

#getsebool -a | grep samba
#getsebool -a | grep smbd

Since we need to allow samba to modify shared files, the files/directories must be labeled public_content_rw_t and we must turn on the smbd_anon_write boolean.


  • Labeling all files under the share folder (e.g. /mnt/media) to public_content_rw_t so that they can be modified by multiple domains (Apache, FTP, rsync, Samba).

#semanage fcontext -a -t public_content_rw_t "/mnt/media(/.*)?"
#restorecon -F -R /mnt/media

Note: File context can be temporarily modified with the chcon command. However, that won't survive a relabeling. We need to permanently change the file context by using the semanage fcontext command. This will modify the SELinux labeling database. It is necessary to use restorecon to apply the labels.


  • Turn on the smbd_anon_write boolean:

#setsebool -P smbd_anon_write 1

  • It's NOT necessary to turn on samba_export_all_rw if the shared files/directories are properly labeled and the smbd_anon_write boolean is turned on.
  • The security context of the files can be verified via
    # ls -Z /mnt/media
    drwxrwxr-x. video media system_u:object_r:public_content_rw_t:s0 video





Tuesday, March 5, 2013

Running power calculator in Windows 7

The following are important for the power calculator power toy to run successfully in Windows 7:
  • The file pcalc.exe needs to run in compatibility mode for Windows XP. This can be set by right-clicking the file pcalc.exe in Windows Explorer and clicking "Properties" in the context menu. Then click the button near the bottom, "Change settings for all users", and check the compatibility mode. Click OK to save the changes.


  • The file pcalc.exe cannot reside in the windows\system32 folder. I found that the windows folder or other folders should work.

Sunday, March 3, 2013

Use search in windows 7 to clean up the mess from BOX sync

Today I found that the BOX sync I installed for BOX.net had caused a big problem in my data folder. It created multiple copies of each file in my local and remote data folders, and some of the files were cloned up to 20 times.

After a quick look at many of the cloned local copies created by BOX sync, I found some patterns in their file names and last modification dates:

  • They have a file name suffix (n) before the file extension, where n is a number ranging from 1 to 20
  • They were last modified on the same day: Feb. 26, 2013
  • They are all files. No subfolders were cloned
I could use search in Windows 7 to locate all the files matching the above patterns with the following search syntax:
filename: "(" kind: NOT folders datemodified:2/26/2013
More than 3000 items were found matching the search criteria. After I verified that they were actually excess files, I selected all of them and deleted them to clean up the mess.

Saturday, October 20, 2012

Increase/grow the capacity/space of a linux Raid 1 partition without losing data

Today I found I needed to increase the capacity of my data partition (on a Raid 1 array) to fit a hard drive upgrade. Below are a couple of good references on how that can be done; some arguments to mdadm needed to be adjusted to work for me.
http://www.flyonthenet.it/blog/?p=71
http://johnlange.wordpress.com/tech-tips/linux/expanding-linux-software-raid1-with-an-ext3-file-system/
The safe and lengthy procedure is as follows (assuming the old array consists of drive A and B and the new array with increased capacity consists of drive C and D):
  1. Back up all the data on the Raid 1 array (e.g. /dev/md2) and umount the array from the system
  2. Remove the partition on one old drive (A) from the Raid 1 array that needs to grow capacity
  3. Partition a new hard drive (C) as Linux raid autodetect/fd type with the wanted capacity and add that partition to the Raid 1 array. Mdadm will start recovery/resync of the array.
  4. Let mdadm finish resyncing the array and the array is now clean again (very important, otherwise data loss). Make sure the array status has [UU]
    cat /proc/mdstat
    md0 : active raid1 sdb1[1] sda1[0]
    76798592 blocks [2/2] [UU]
  5. Remove the partition on the remaining old drive (B) from the array.
  6. Partition the second new hard drive (D) as Linux raid autodetect/fd type with the wanted capacity and add that partition to the Raid 1 array. Mdadm will start recovery/resync of the array.
  7. After resyncing is complete, the underlying block device of the array is now of an appropriate size to hold the file system with increased capacity. Grow the capacity of the array and let the resyncing finish
    mdadm --grow /dev/md2 --size=max
  8. Resize the ext file system
    e2fsck -f /dev/md2
    resize2fs /dev/md2
    e2fsck -f /dev/md2
  9. Mount the array
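
Step 4 is the point where a mistake costs data, so the [UU] check is worth scripting before the second old drive is removed. The function below is an added example, not part of the original post; the function names and the sample /proc/mdstat contents are constructed, and it treats any recovery, resync, reshape or check progress line as "not yet safe".

```shell
#!/bin/sh
# Added example (not from the original post): decide from /proc/mdstat
# whether an md array is fully in sync before another member is removed.

# Usage: md_is_clean ARRAY < /proc/mdstat
# Exit status: 0 = every member is up ([UU...]) and no rebuild is running,
#              1 = degraded or still syncing,
#              2 = the array is not listed at all.
md_is_clean() {
    awk -v md="$1" '
        # Header line of the array we care about, e.g. "md2 : active raid1 ..."
        $1 == md && $2 == ":" { in_md = 1; found = 1; next }
        # A blank or unindented line ends the stanza of that array.
        in_md && (NF == 0 || $0 !~ /^[ \t]/) { in_md = 0 }
        # Status line: the last field is the member map, e.g. [UU] or [_U].
        in_md && /blocks/ { state = $NF }
        # Progress or pending lines mean the mirror is not in sync yet.
        in_md && /(recovery|resync|reshape|check) *=/ { busy = 1 }
        END {
            if (!found) exit 2
            if (busy || state !~ /^\[U+\]$/) exit 1
        }
    '
}

# Constructed sample: md2 is rebuilding onto a new member, md0 is clean.
sample_mdstat() {
    cat <<'EOF'
Personalities : [raid1]
md2 : active raid1 sdc1[2] sdb1[1]
      976630336 blocks [2/1] [_U]
      [==>..................]  recovery = 12.6% (123456789/976630336) finish=95.2min speed=149000K/sec

md0 : active raid1 sdb2[1] sda1[0]
      76798592 blocks [2/2] [UU]

unused devices: <none>
EOF
}

# Demo on the constructed sample; on a real system read /proc/mdstat instead.
for a in md0 md2; do
    if sample_mdstat | md_is_clean "$a"; then
        echo "$a: clean, safe to continue with the next step"
    else
        echo "$a: NOT clean, do not remove another member yet"
    fi
done
```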


    Alternatively, a quick and dirty solution to grow the capacity of the array (metadata version 0.90) on the same pair of drives (A&B) is shown below
  • Back up all the data on the Raid 1 array (e.g. /dev/md2) and umount the array from the system
  • Increase the size of the partitions of the raid devices on the existing hard drives (A&B)
  • Create new raid array with mdadm (note the metadata argument to specify the same metadata as in the previous array is critical. Otherwise e2fsck will not find the superblock since latest mdadm uses metadata version 1.2 as default)
    mdadm --create /dev/md2 --level=raid1 --raid-devices=2 /dev/sdc1 /dev/sdb1 --metadata 0.90
    If mdadm prompts that the partitions already contain an ext2fs file system, hit "y" to continue.
    Continue creating array? y
    mdadm: array /dev/md2 started.
  • Check the file system on the array and fix the errors. Then resize the file system.
    e2fsck -f /dev/md2
    resize2fs /dev/md2
    e2fsck -f /dev/md2
  • Mount the array

Tuesday, June 19, 2012

Use ImageMagick to create GIF file

convert -resize 50% -delay 50 -loop 0 IMG*.JPG animation.gif
convert animation.gif -crop 1152x768+0+150 crop.gif
Reduce image size: convert animation.gif -resize 100x50 small.gif

Sunday, June 3, 2012

Use FFMPEG to process video files


  • Rotate video files
  1. Download latest FFMPEG windows build from here
  2. Move all video files to be rotated (e.g. MOV files) into a subfolder. 
  3. Execute the command below from within a CMD script file (it must be executed from within a CMD script file, since it will fail if copied and pasted onto the command line)
    FOR /F "tokens=*" %%G IN ('dir /b *.MOV') DO ffmpeg -i "%%G" -vf "transpose=1" -qscale 0 -s 608x1080 -y "%%G.rotated.MOV"
    All videos will be rotated 90 degrees clockwise (transpose=1). Change it to transpose=2 for counterclockwise. The height of the videos is reduced to 1080 since some media players have problems playing back files whose height is larger than 1080. Output file names are the input file names with .rotated.MOV appended.
    • Set the dimension and frame rate of output file
      The command option -r sets the frame rate in frames/second, and -s sets the dimensions as widthxheight
      ffmpeg -i input.mp4 -qscale 0 -r 30 -s 720x1080 -y output.mp4
    • Slow down a video
      • Copy the video to a raw bitstream format
        ffmpeg -i input.mp4 -map 0:v -c:v copy -bsf:v h264_mp4toannexb raw.h264
      • Generate new timestamps while muxing to a container
        ffmpeg -fflags +genpts -r 19.25 -i raw.h264 -c:v copy output.mp4
    • Trim video file
    1. Extract the video stream and discard the audio stream: -c copy -an option
      ffmpeg  -i input.mp4 -c copy -an noaudio.mp4
    2. Trim time: Today I needed to trim the first 8 seconds off an mp4 video file taken with my cell phone. I found I could use the -ss option to specify the start time and the -t option to specify the duration of the trimmed video (12 seconds below) and re-encode the video:
      • ffmpeg -i input.mp4 -ss 00:00:08 -t 00:00:12 output.mp4
      • If the encoding is slow, the -c copy option can skip the encoding but could generate an output file that cannot seek properly
    3. Trim size: can be done with the crop filter
      • ffmpeg -i input.mp4 -filter:v "crop=out_w:out_h:x:y" output.mp4
        the arguments are as follows:
        • out_w is the width of the output rectangle
        • out_h is the height of the output rectangle
        • x and y specify the top left corner of the output rectangle relative to the top left corner of the input video
    • Convert video to GIF file
      • Generate individual frames from the video file
        mkdir frames
        ffmpeg -i out.mp4 -r 10 frames/ffout%03d.png
      • Remove unwanted frames
      • Convert frames to GIF file using ImageMagick
        convert -delay 0.25 -loop 0 frames/ffout*.png output.gif
    • Concatenate multiple video files into one
      Utilize the concat filter to concatenate multiple video files into one
      ffmpeg -f concat -i inputs.txt -c copy -y output.mp4
      The file inputs.txt should list all the video files to be concatenated (one file per line) and its contents look like the following:
      file 1.mp4
      file 2.mp4
      file 3.mp4
      file 4.mp4
    • Mix video and audio files
      I found a quick way to mix an audio mp3 file and a video/audio mp4 file by using the -map argument with ffmpeg:
      ffmpeg -i input0.mp4 -i input1.mp3 -map 0:v:0 -map 1:a:0 -c copy -shortest output.mp4
      -map 0:v:0 for (0) input file zero, (v) video streams of the input file, (0) stream zero (first) of the video streams
      -map 1:a:0 for (1) input file one, (a) audio streams of the input file, (0) stream zero (first) of the audio streams
      -c copy copy the desired streams to the output file instead of encoding them to maintain the same quality
      -shortest designate the duration of the output file to be the same as the shortest one among input streams

    Monday, March 26, 2012

    Using multiple Google Voice (GV) numbers in one android phone

    I found it practical to use at least two GV numbers in one Android phone with reasonable usability. I had purchased the Groove IP app for my primary GV number since it had proven to be the best solution for using GV with Android phones. Then I installed SIPdroid and created a PBxes.org account for using a second GV account with PBxes.org. I then switched to csipsimple for this GV number since it can be integrated into the native dialer. In theory, I could run SIPdroid to register a third GV account and then have three GV numbers working in one cell phone, but I haven't tested that yet.

    I did find one issue initially: csipsimple could not make outgoing calls
    I updated csipsimple to the latest version but that didn't help: it could receive incoming calls without any problems but could not make outgoing calls with its dialer. It typically dropped calls within one second after they were dialed. I thought Groove IP and csipsimple could share the native dialer, but apparently that is not the case. I needed to uncheck the integration of csipsimple with Android in its settings to make outgoing calls work again. Otherwise it would try to use the native dialer for outgoing calls, and my native dialer defaulted to Groove IP, which is why it failed.

    Saturday, December 10, 2011

    How to dismiss a window without a close button

    The installation of Offisync left a window displayed on the screen without a close or minimize button. It's annoying since that window blocks almost 30% of the viewable area of the screen. The Applications tab in Task Manager doesn't show any trace of it. I had to resort to Process Explorer, which has a nice function called "Find Handle or DLL..." with a hotkey (CTRL+F). After I pressed CTRL+F, I entered "Offisync" as the handle or DLL substring to search for, and the result returned had a process of Rundll.exe, which I killed to dismiss the window.

    Monday, October 24, 2011

    Shorewall rules for blocking intra-zone traffic

    According to the manual of shorewall-rules, when all is used either in the SOURCE or DEST column intra-zone traffic is not affected. When all+ is used, intra-zone traffic is affected. Therefore, the following rule blocks access from IP 192.168.1.150 of loc zone to all other zones (including the network interface of the firewall running shorewall on the loc zone)
    DROP    loc:192.168.1.150       all+

    Saturday, October 22, 2011

    Free XLS/XLSX to CSV/TEXT file converter

    I found the utility bundled in the perl module Spreadsheet::Read is pretty good. It actually uses Spreadsheet::ParseExcel or Spreadsheet::XLSX to read Microsoft Excel files. Its main utility is xlscat and a wrapper xls2csv. It can read both XLS (excel 2003 and before) and XLSX (excel 2007 and beyond) files but not XLSM (macro enabled excel workbook) files yet. It can output in different text file formats

    usage: xlscat [-s ] [-L] [-n] [-A] [-u] [ Selection ] file.xls
                  [-c | -m]                 [-u] [ Selection ] file.xls
                   -i                            [ -S sheets ] file.xls
        Generic options:
           -v[#]       Set verbose level (xlscat)
           -d[#]       Set debug   level (Spreadsheet::Read)
           -u          Use unformatted values
           --noclip    Do not strip empty sheets and
                       trailing empty rows and columns
            -e     Set encoding for input and output
            -b     Set encoding for input
            -a     Set encoding for output
        Input CSV:
           --in-sep=c  Set input sep_char for CSV
        Input XLS:
           --dtfmt=fmt Specify the default date format to replace 'm-d-yy'
                       the default replacement is 'yyyy-mm-dd'

        Output Text (default):
           -s     Use separator . Default is TAB \t, \n allowed
           -L          Line up the columns
           -n          Number lines (prefix with column number)
           -A          Show field attributes in ANSI escapes
        Output Index only:
           -i          Show sheet names and size only
        Output CSV:
           -c          Output CSV, separator = ','
           -m          Output CSV, separator = ';'

        Output HTML:
           -H          Output HTML
        Selection:
           -S Only print sheets . 'all' is a valid set
                       Default only prints the first sheet
           -R    Only print rows    . Default is 'all'
           -C    Only print columns . Default is 'all'
           -F    Only fields e.g. -FA3,B16

    Therefore to read rows 5-100 in first worksheet of file in.xlsx and output as semi-colon delimited file out.csv
    xlscat -m -R 5-100 in.xlsx > out.csv
    When there isn't an output format option, xlscat defaults to using "|" as the delimiter, and I found it more convenient to use TAB (\t) as the delimiter. Therefore I changed line 129 of the program /usr/local/bin/xlscat to
    defined $opt_s or $opt_s = "\t";
    After the above change, I can use the following command to read rows 50-100 in first worksheet of file in.xlsx and output as TAB (\t) delimited file out.csv
    xlscat -R 50-100 in.xlsx > out.csv

    Monday, October 10, 2011

    Shorewall rule for a particular time period

    I found from the manual for /etc/shorewall/rules that Shorewall can have rules active on a particular time period of each day or particular days of the week or month, or a range defined by dates and times if supported by the kernel and iptables. The following can be checked:
    #shorewall show capabilities | grep Time
       Time Match: Available
    #rpm -qa | grep shorewall

    shorewall-4.4.19.1-2-mdv2011.0.noarch
    #uname -r 
    2.6.38.7-server-1mnb2

    The TIME field should be the 12th field in the rules file (after the CONNLIMIT field and before the HEADERS field). The following creates a rule blocking the local IP address 192.168.1.100 from accessing the internet from 18:45 to 21:00 every day in my local time (instead of UTC).
    #ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST RATE USER/GROUP MARK CONNLIMIT TIME HEADERS    
    DROP loc:192.168.1.100 all all - - - - - - - timestart=18:45&timestop=21:00&localtz
    
    #service shorewall reload 
    #iptables -L | grep TIME 
    DROP all -- 192.168.1.100 anywhere TIME from 18:45:00 to 21:00:00
    DROP all -- 192.168.1.100 anywhere TIME from 18:45:00 to 21:00:00
    DROP all -- 192.168.1.100 anywhere TIME from 18:45:00 to 21:00:00
    DROP all -- 192.168.1.100 anywhere TIME from 18:45:00 to 21:00:00

    Thursday, October 6, 2011

    Notes on xmgrace

    • Hotkeys:
      • Ctrl L: Move current graph legend
      • Ctrl M: Move an object
      • Ctrl T: Place timestamp
    • Set font color for plot legend
      • Click on the plot and prefix the legend string by \R{red} (for red color)
    • Transform axis tick label from length to angle in degree (acceptable expressions)
      atan($t/100)*180/PI
    • Set the number of decimal digits to N on the transformed axis tick labels
      I had to multiply the result by 10^N, round it to an integer and then divide by 10^N. For example, the following sets the number of decimal digits to 2
      rint(atan($t/100)*180/PI*100)/100

    Monday, September 19, 2011

    Stop annoying password prompt dialog from Outlook in windows 7

    Since last week, my Outlook 2007 has been popping up a dialog asking for a username and password while trying to receive POP3 emails from Yahoo small business email servers. The annoying dialog may pop up as frequently as the Send/Receive frequency set in Outlook (in my case every 3 minutes), and it pops up again even if the correct username/password is entered and the option to save the password is checked in the dialog.


    I did an investigation and this method seems to work, at least for me. The steps are summarized below:
    1. Close/kill outlook.
    2. Type the following in Start->Run (Windows+R key) or search box
      %userprofile%\AppData\Roaming\Microsoft\Protect\
      An Explorer window will pop up showing the contents of the above folder
    3. Look for a folder named as the SID of the logged on user (starting with something like S-1-5-21-) and rename it by appending .old or -old to its name.
    4. Start outlook and enter the username/password when prompted (check to save the passwords by outlook) and the above folder will be recreated.
    5. Sit back and relax.