HOWTO Remove GMX Antispam Header from mails in kmail

I recently had enough of all the "* GMX Antispam *" lines in my kmail junk folder and tried to get rid of them. (It also marked false positives in my incoming folder, which also annoyed me.)

Here's a small guide to strip the "* GMX Antispam *" string from your mail's subject (notice: this won't sort your mails in your junk folder, it only strips the subject line):

  • Fire up kontact/kmail
  • Go to Settings -> Configure Filters...
  • Add a new filter
  • Move it to the top of the list
  • Rename it to something like "Rewrite-GMX-Antispam-Header"
  • Now have a look at the general tab, add "X-GMX-Antispam" to the first field
  • Then choose "matches reg. exp." in the drop down box
  • Enter "^[2345]" in the following field (kmail will now match all mails which have been marked by the GMX Antispam service)
  • In "Filter actions" choose "Rewrite header" and choose "Subject" in the next field
  • In "Replace" enter "\*\*\* GMX Spamverdacht \*\*\*\ "
  • The last edit field must be blank.

If you don't know how to sort mails marked as GMX Antispam into your junk mail folder:

  • Add a new filter (Filter must be listed below the above filter rule)
  • Rename it to something like "GMX-Antispam"
  • Now have a look at the general tab, add "X-GMX-Antispam" to the first field
  • Then choose "matches reg. exp." in the drop down box
  • Enter "^[2345]" in the following field (kmail will now match all mails which have been marked by the GMX Antispam service)
  • In "Filter actions" choose "Move into folder" and select your junk folder in the next field.
  • If you like, you can also mark the mails as read immediately
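The two kmail filters above, re-implemented in Python as an added example (not part of the original post) so you can see exactly what the "^[2345]" header rule and the subject rewrite do to a message; the sample mails and the X-GMX-Antispam header values are constructed and only assumed to start with the score digit the rule tests.

```python
import re
from email import message_from_string

# Constructed sample messages (not real mail); the X-GMX-Antispam values are
# assumed to begin with the score digit that the guide's regex tests.
FLAGGED_MAIL = """\
From: someone@example.com
Subject: *** GMX Spamverdacht *** Cheap watches
X-GMX-Antispam: 5 (flagged by the GMX Antispam service)

body
"""
CLEAN_MAIL = """\
From: friend@example.com
Subject: Lunch tomorrow?
X-GMX-Antispam: 0 (not recognised as spam)

body
"""

HEADER = "X-GMX-Antispam"
MATCH = re.compile(r"^[2345]")                              # "matches reg. exp." rule
PREFIX = re.compile(r"^\*\*\* GMX Spamverdacht \*\*\* ?")  # the "Replace" pattern


def is_gmx_flagged(msg):
    """True when the header starts with a digit 2-5, as the kmail rule tests."""
    return MATCH.match(msg.get(HEADER, "")) is not None


def apply_filters(raw):
    """Run the two filters from the guide, in order, on one raw message.

    Returns (new_subject, folder): filter 1 rewrites the subject, filter 2
    moves flagged mail to the junk folder; unflagged mail is left untouched.
    """
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    if not is_gmx_flagged(msg):
        return subject, "inbox"
    return PREFIX.sub("", subject), "junk"
```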

Enabling DNS cache with dnsmasq on Gentoo

I've just found a nice article about enabling a DNS cache for Konqueror at fedorawiki.de. It's very useful, because Konqueror doesn't provide this feature. If you take e.g. the German freemail provider http://gmx.net, Konqueror sends a huge amount of DNS queries to load all the pictures and stuff. You really notice the performance gain if you cache these queries with a local DNS server, for example dnsmasq.

Here are the steps to install and configure dnsmasq:

Install dnsmasq
# emerge -av dnsmasq

Then insert 'nameserver 127.0.0.1' as the first (important!) line of /etc/resolv.conf:

nameserver 127.0.0.1
...

Then start dnsmasq
# /etc/init.d/dnsmasq start

You can test your local DNS cache by typing
dig google.de

Have a look at the query time (it will be higher than 50ms in most cases). Query google again.
Now that's amazing, isn't it? 0msec!

Let dnsmasq start at boot (otherwise you can't resolve any DNS names because you've edited the /etc/resolv.conf)
# rc-update add dnsmasq default

Further reading
http://ubuntu.wordpress.com/2006/08/02/local-dns-cache-for-faster-browsing/

Ebuild: kio-sysinfo

Full package name: kde-misc/kio-sysinfo

Hey, here is a new ebuild. I performed some updates (translations, etc.) on the original package. This is a testing version.

Note
You have to download both files (.ebuild and .patch file)! Put the patch into your files/ directory. Refer to the Gentoo wiki for more information: http://gentoo-wiki.com/HOWTOInstalling3rdPartyEbuilds

See also http://www.kde-apps.org/content/show.php?content=58704

Frequently updated ebuild
This package is now in the sunrise overlay. Please check out this link if you want updated ebuilds.
http://overlays.gentoo.org/svn/proj/sunrise/reviewed/kde-misc/kio-sysinfo/

  • 2007-09-17, added kio-sysinfo-1.8.2 ebuild + patch

Ebuild: kicker-compiz

Full package name: kde-misc/kicker-compiz

From the kde-apps.org project page:
"This is a modified pager applet for kicker to make it work with compiz. More generally, it is intended to work with window managers that use the concept of "large desktops" instead of "multiple virtual desktops" as kwin does exclusively."

I quite like the fork because it provides borderless transparent snippets of your desks.

See also:
http://www.kde-apps.org/content/show.php?content=46021

Ebuild: blockhosts

Full package name: app-admin/blockhosts

Ok, this isn't really new; I decided to extract the ebuild from the HowTo.
So here is the blockhosts ebuild.

Some information about the package:

Blockhosts is a Python script which records how many times a system service has been probed, using configurable pattern matching to recognize failed accesses (such as for "sshd" or "proftpd" or any service), and when a particular IP address exceeds a certain number of failed attempts, that IP address is blocked by using one of the following techniques:

  • using TCP_WRAPPERS (writes to /etc/hosts.allow)
  • using "ip route" commands to set up null-routing for attackers
  • using IPtables to set up packet filtering for attackers

See also
  • HOWTO Secure SSHd with BlockHosts
  • http://www.aczoom.com/cms/blockhosts/

Frequently updated ebuild
This package is in the sunrise overlay. Please check out this link if you want up-to-date ebuilds.
http://overlays.gentoo.org/svn/proj/sunrise/reviewed/app-admin/blockhosts/

  • 2007-06-05, +blockhosts-2.0.3.ebuild
  • 2007-06-09, +blockhosts-2.0.4.ebuild
  • 2007-08-01, +blockhosts-2.0.5.ebuild
  • 2007-09-21, +blockhosts-2.0.6.ebuild, prune
  • 2007-10-01, +blockhosts-2.1.0.ebuild

Ebuild: black-gentoo

Full package name: x11-themes/black-gentoo

Black-gentoo is a theme package for KDE by xactive (http://art4linux.org). Black-gentoo provides...

  • a KDM theme,
  • a ksplash theme,
  • a gensplash theme
  • and a background image.

I like it and therefore I decided to distribute it.

Here's the ebuild (it's a repack; I hope I can keep it up to date).

Note
Downloading and installing the ebuild is enough; you don't need to download the source file (*.tar.gz).

See also
http://www.kde-look.org/content/show.php?content=46634

  • 2007-06-05, fixed SRC_URI
  • 2007-08-10, fixed SRC_URI again, sorry

HOWTO Secure SSHd with BlockHosts

(Updated version: http://gentoo-wiki.com/HOWTO_BlockHosts)

Protecting SSHd (and others) with BlockHosts

What is BlockHosts?

Blockhosts is a Python script which records how many times a system service has been probed, using configurable pattern matching to recognize failed accesses (such as for "sshd" or "proftpd" or any service), and when a particular IP address exceeds a certain number of failed attempts, that IP address is blocked by using one of the following techniques:

  • using TCP_WRAPPERS (writes to /etc/hosts.allow)
  • using "ip route" commands to set up null-routing for attackers
  • using IPtables to set up packet filtering for attackers

Advantages

I decided to install BlockHosts rather than its equivalents, e.g. denyhosts or fail2ban, because it provided more features:

  • BlockHosts protects SSHd and many other services (such as proftpd, vsftpd) out of the box, unlike its equivalents
  • It provides multiple ways to block the attacker
  • It's very easy to set up

Installation

Ebuild

Currently there's no BlockHosts package in the Portage tree. I've written an ebuild (thanks again to #gentoo-sunrise for reviewing it) which should work (for all archs?). If you do not know how to cope with third-party ebuilds, refer to the handbook.

Download: blockhosts ebuild

Emerge

WARNING: I assume that you've set your PORTDIR_OVERLAY to /usr/local/portage. First, copy the ebuild to /usr/local/portage/app-admin/blockhosts/. Then do this:

# Create blockhosts digest
ebuild /usr/local/portage/app-admin/blockhosts/blockhosts-2.0.2.ebuild digest
# Unmask blockhosts
echo "app-admin/blockhosts ~x86" >> /etc/portage/package.keywords
# I'm not sure if this is needed, but it won't hurt anyone
emerge --metadata
# Emerge it
emerge -va app-admin/blockhosts

That's everything.

Configuration

First, you need to create and edit some files:

# Create /etc/hosts.allow if it does not exist (required by BlockHosts)
touch /etc/hosts.allow
# Append the following two lines to /etc/hosts.allow
# (BlockHosts will write its own entries between them)
echo "#---- BlockHosts Additions" >> /etc/hosts.allow
echo "#---- BlockHosts Additions" >> /etc/hosts.allow

Setting up BlockHosts protecting SSHd

Setting up openssh:

Check if openssh was merged with the tcpd USE flag enabled:
equery uses openssh

If not, add this USE flag (it's necessary for openssh to work with TCP_WRAPPERS) to the openssh package:
echo "net-misc/openssh tcpd" >> /etc/portage/package.use

Re-emerge to apply the USE flag:
emerge -va net-misc/openssh

Check if your SSHd logs to /var/log/sshd (the Gentoo default, afaik):
cat /var/log/sshd

If there's some recent output, everything's ok. Proceed.

Setting up BlockHosts:

Edit /etc/blockhosts.cfg:
nano /etc/blockhosts.cfg

All occurrences of LOGFILES are commented out; uncomment the first one and change "secure" to "sshd":
/etc/blockhosts.cfg

...
LOGFILES = [ "/var/log/sshd", ]
#LOGFILES = [ "/var/log/auth.log", ]
#LOGFILES = [ "/var/log/secure", "/var/log/vsftpd.log", ]
...

Save, close nano again; this should be enough.

Post-Configuration

You can tune some settings in the config file if you like (THRESHOLD and the like), but the defaults are ok.

Testing

Run blockhosts.py in --dry-run mode (simulation):
# This will check your logs for potential attacks without touching /etc/hosts.allow
/usr/bin/blockhosts.py --dry-run --verbose

The blockhosts.py script should output something like this (assuming there were already some failed login attempts):

...
#---- BlockHosts Additions
ALL: 89.13.50.6 : deny 
#bh: ip:      89.13.50.6 :   8 : 2007-04-10 00:52:23 CEST

#bh: logfile: /var/log/sshd
#bh: offset: 13083
#bh: first line:Apr  9 23:49:37 hostname sshd(pam_unix)[29697]: authentication$
#---- BlockHosts Additions
...
  • The lines starting with "#bh: ip:" record how many times a host has failed to log in to any of your services.
  • The lines starting with "ALL:" are the blocked hosts.

Now, if everything seems to be ok, drop the --dry-run parameter:
/usr/bin/blockhosts.py --verbose

BlockHosts will now write to the /etc/hosts.allow file, and every service that uses TCP_WRAPPERS (mod_wrap for proftpd) refuses connections from this IP.
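To make the mechanism behind the dry-run output concrete, here is an added Python example (not BlockHosts' own code) that does the same three things on a small scale: count failed sshd logins per remote IP, apply a threshold, and rewrite only the region between the two "#---- BlockHosts Additions" markers in hosts.allow. The log lines, IPs and the single "Failed password" pattern are constructed for the example; real BlockHosts ships its own per-service patterns.

```python
import re
from collections import Counter

# Constructed sample sshd log (not real data); "Failed password" lines are the
# kind of failed access BlockHosts' sshd pattern is meant to recognise.
SAMPLE_LOG = """\
Apr  9 23:49:37 hostname sshd(pam_unix)[29697]: authentication failure; rhost=203.0.113.7 user=root
Apr  9 23:49:41 hostname sshd[29697]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr  9 23:50:02 hostname sshd[29701]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Apr  9 23:50:05 hostname sshd[29701]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Apr  9 23:51:10 hostname sshd[29710]: Accepted publickey for alice from 198.51.100.20 port 40112 ssh2
Apr  9 23:52:30 hostname sshd[29715]: Failed password for bob from 198.51.100.20 port 40120 ssh2
"""

# One pattern per failed attempt; the pam_unix line for the same attempt is
# deliberately not matched, so a single bad login is not counted twice.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port")
MARKER = "#---- BlockHosts Additions"


def count_failures(log_text):
    """Map each remote IP to its number of failed sshd logins in log_text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def blocked_hosts(counts, threshold):
    """IPs that reached the threshold (the THRESHOLD setting in blockhosts.cfg)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def render_hosts_allow(existing, counts, threshold):
    """Return hosts.allow text with the block list rewritten between the two
    marker lines. Everything outside the markers is preserved and stale entries
    between them are replaced, so the function is safe to run repeatedly."""
    lines = existing.splitlines()
    idx = [i for i, l in enumerate(lines) if l.strip() == MARKER]
    if len(idx) != 2:
        raise ValueError("hosts.allow must contain exactly two marker lines")
    body = []
    for ip in blocked_hosts(counts, threshold):
        body.append(f"ALL: {ip} : deny")              # the deny rule tcpd acts on
        body.append(f"#bh: ip: {ip} : {counts[ip]}")  # bookkeeping comment
    return "\n".join(lines[: idx[0] + 1] + body + lines[idx[1]:]) + "\n"
```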

Completion

Now we want a cronjob or something similar which runs blockhosts.py periodically, so that the logs are checked frequently.

Cronjob

Add a cronjob which runs every five minutes:
nano /etc/crontab

Add the blockhosts.py cron line:

*/5 * * * * /usr/bin/blockhosts.py --verbose >> /var/log/blockhosts.log 2>&1

Note that the system-wide /etc/crontab shipped on Gentoo uses a format with a user name field between the schedule and the command; if yours does, insert the user (root) there before the command.

Save, close. BlockHosts should now update hosts.allow every five minutes.

TODO

  • BlockHosts and iptables
  • BlockHosts + spawn utility

See also

http://www.aczoom.com/tools/blockhosts/ - BlockHosts Homepage