Enrico Tagliavini

 
Well that's a bummer. I was looking forward to Intel-powered mobile devices, given I highly dislike the free-software-unfriendly ARM.

Hopefully something else will come up in the future.... while I would be glad to see ARM becoming a bit more friendly (given their success is anyway based on free software products in the first place), I highly doubt it will ever happen.
 
http://www.phoronix.com/scan.php?page=news_item&px=Intel-Cans-Broxton Broxton was to be Intel's 2016 Atom SoC platform for phones and tablets. Broxton was to be using 14nm Goldmont CPU cores and Skylake graphics, but now it's no more.

Enrico Tagliavini

 
And, for automation, I strongly recommend trying out tlp http://linrunner.de/en/tlp/tlp.html (does almost everything powertop does, but without user intervention. Install it, enable the system(d) service, enjoy)
 
http://www.phoronix.com/scan.php?page=news_item&px=PowerTOP-2016-Try  Intel OTC's PowerTOP utility has been around for nearly a decade for making it easy to carry out power optimization tweaks on Intel Linux systems. However, is this program still useful or are modern Linux distributions and upstream code now better optimized by default for delivering an ideal power-savings experience? As it's been a while since the last time I tried PowerTOP, I fired it up today on an Intel Haswell ultrabook running a development snapshot of Ubuntu 16.04.

Enrico Tagliavini

 
Unexpected event of the day: my server is attacked by a botnet, trying SSH users and passwords. Fail2ban is unfortunately almost ineffective since they switch IP every time. Just for the fun of it I wanted to try something to counteract that.

I found a solution but it comes at a, potentially, high price. I implemented rate limiting for new SSH incoming connections. Problem is you might be locked out of your server as well during an attack, which is not good. I avoided that by implementing IP whitelisting: incoming SSH connections from a set of IPs will not be subject to rate limiting. I have at least two fixed IP sources where I can SSH from, so this should be effective enough to prevent the locked-out problem. So how to do that?

$ iptables -N SSHWL

This creates a chain for all the IP sources we want not to rate limit. Add IP source(s) to this chain, -j ACCEPT the packet and don't forget to put -j RETURN as the last line.

For example:

$ iptables -A SSHWL -s <company IP network> -j ACCEPT
$ iptables -A SSHWL -j RETURN

Then insert the required checks in the INPUT chain at the correct line (depends on your setup):

[1] $ iptables -I INPUT 7 -p tcp -m state --state NEW -m tcp --dport 22 -j SSHWL
[2] $ iptables -I INPUT 8 -p tcp -m state --state NEW -m tcp --dport 22 -m recent --rcheck --seconds 60 --hitcount 5 --name limitssh --rdest -j LOG --log-prefix "SSH global inc rate limit " --log-level 6 --log-tcp-options --log-ip-options
[3] $ iptables -I INPUT 9 -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 5 --name limitssh --rdest -j DROP
[4] $ iptables -I INPUT 10 -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name limitssh --rdest
[5] $ iptables -I INPUT 11 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

[I'm pretty sure the last two lines can be combined, but I like to keep them separated for the time being].

Line [1] will ensure that the source IP will be checked against the whitelist. This is very important. This is what ensures you are not going to be locked out.

Line [2] performs the same check as line [3] (which will DROP the packet eventually) and adds a LOG entry about the packet that's going to be DROPed (only if it's going to be dropped).

Line [3] checks if the defined rate limit is being exceeded. If so, the packet will be DROPed.

Line [4]: if we reached this line it means the rate limit was not exceeded yet. Inform the iptables extension that one new incoming connection should be counted.

Line [5]: ACCEPT the packet since the rate limit was not reached yet.

Note the use of --rsource in this case would be ineffective since the source IP changes every time.

Did a minor correction: initially I forgot the -m state --state NEW -m tcp --dport 22 in lines [2] and [3]. Also changed line [2] from using --update to --rcheck.
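
A small model of the rule set above, added here as an example and not part of the original post: it replays a constructed timeline through lines [1] to [5] to show how the single --rdest counter treats rotating sources, a non-whitelisted admin and a whitelisted one. The addresses, the whitelist network and the simplified xt_recent bookkeeping are assumptions.

```python
from collections import deque
from ipaddress import ip_address, ip_network

WHITELIST = [ip_network("192.0.2.0/24")]  # constructed stand-in for <company IP network>
SECONDS, HITCOUNT = 60, 5                 # --seconds 60 --hitcount 5
PKT_LIST_TOT = 20                         # xt_recent default ip_pkt_list_tot (stamps kept per entry)

def simulate(events, dest="server"):
    """events: iterable of (time_s, source_ip); returns one verdict per event."""
    table = {}      # the "limitssh" list, keyed by destination address (--rdest)
    verdicts = []
    for now, src in events:
        # Line [1]: SSHWL chain, whitelisted sources never reach the limiter.
        if any(ip_address(src) in net for net in WHITELIST):
            verdicts.append("ACCEPT-WL")
            continue
        stamps = table.get(dest)
        hits = sum(1 for s in stamps if now - s <= SECONDS) if stamps else 0
        if hits >= HITCOUNT:
            # Lines [2]/[3]: LOG, then --update matches, refreshes the entry, DROP.
            stamps.append(now)
            verdicts.append("DROP")
            continue
        # Line [4]: --set records this connection; line [5]: ACCEPT.
        table.setdefault(dest, deque(maxlen=PKT_LIST_TOT)).append(now)
        verdicts.append("ACCEPT")
    return verdicts

# Constructed timeline: rotating bot sources plus two admin logins.
EVENTS = (
    [(t, f"198.51.100.{i + 1}") for i, t in enumerate(range(0, 50, 10))]  # t=0..40
    + [(45, "198.51.100.50")]   # sixth new connection inside 60 s
    + [(50, "203.0.113.9")]     # admin from a non-whitelisted address
    + [(55, "192.0.2.10")]      # admin from the whitelisted network
    + [(t, f"198.51.100.{100 + t}") for t in range(60, 110, 10)]  # attack goes on
    + [(200, "203.0.113.9")]    # same admin once the attempts have stopped
)

if __name__ == "__main__":
    for (t, src), verdict in zip(EVENTS, simulate(EVENTS)):
        print(f"t={t:>3}s  {src:<16} {verdict}")
```

Because line [3] uses --update, every dropped attempt refreshes the entry, so the gate stays closed to all non-whitelisted sources until fewer than five attempts fall inside a 60-second window.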

Enrico Tagliavini

 
Look out Firefox users. +Mozilla Firefox is going to remove the Panorama (or tab view) feature in Firefox 45!

Fortunately somebody created an addon to restore the functionality, if you install the addon now it's like the feature was never removed from Firefox. It is even based on the same code.

While I can understand this is not really a must-have for the everyday user.... this was something making Firefox unique. Granted there's the extension and that's what an extension is about: adding a feature not all users are requiring.

Still I think Mozilla should be careful removing features like this... at least this is not as bad as the Hello contacts disaster :/
The Tab Groups (Panorama) feature is being removed from Firefox but there are some great alternatives for organizing your open tabs.

Enrico Tagliavini

 
I don't understand this move. Care to explain +Mozilla Firefox? Hello is my favorite video call platform. It works better than Skype and way better than Google Hangouts. For what I do, that is. I call my girlfriend every day and many times a week my parents and also her parents.

With this move you just removed their way of calling me. They have no clue about the links, they just remember how to call me the way I showed them when I was physically with them. I live at 700 Kms from them, it is a problem to explain you removed the contact list to old people. Even my girlfriend was thinking it was simply broken.

Mozilla put your shitty ideas together and think before firing and when you do please announce it!

No problem, nobody is perfect and I would greatly appreciate it if you could put this functionality back into Firefox, even just with an extension.
 
Mozilla plans to change how Firefox Hello works starting with Firefox 44. It plans to remove contacts and make tab-sharing a default.

http://www.ghacks.net/2015/12/07/firefox-hello-contacts-to-be-removed-tab-sharing-incoming/

Enrico Tagliavini

 
Updated my system from #Fedora 22 to Fedora 23 today. WOW! What a painless experience. No really. Two commands, reboot, wait, automatic reboot. Done. About 15 minutes total.

Well done +Fedora Project. Thank you very much for making the upgrade process better. Now to my gaming laptop.... having quite a more complex setup there since I have custom made (by me) packages for bumblebee and bbswitch. Let's see how it handles them.
What is DNF system upgrade? dnf-plugin-system-upgrade is a plugin for the dnf package manager which handles system upgrades. It is the recommended upgrade method for Fedora 21 and later. What does DNF system upgrade do? DNF system upgrade can upgrade your system to a newer release of Fedora, ...

Enrico Tagliavini

 
If you use NetworkManager you should consider filling this survey :)

Just do it!™
Recently, while considering possible improvements to our command line client, we realized that we're not really confident about how useful is it for the users. Do you use it? Is it intuitive enough? Do sysadmins like it? Is the documentation all right? Do we communicate features sufficiently?

Enrico Tagliavini

 
I have only one thing to say about #Canonical claiming that shipping zfs.ko is not a violation of the GPL since it is not a derivative work of the Linux Kernel.

(See linked image now).

I would like to point out that ZFS on Linux uses the Solaris Porting Layer [1] which "is a Linux kernel module which provides many of the Solaris kernel APIs". This means ZFS needs quite a few functions from the Linux Kernel internals.... stating this is not a derivative work is quite bold.

Canonical stop the bullshit, it's very sad to see one of the biggest names in Linux be the first one to make such a huge mistake. You make a big deal about your own binary shit and then happily violate others.

And for what? Do you think this will give you any advantage over Red Hat? They know their shit way better and they don't have to cheat to do a better product. Invest your time with honest and clever ideas Canonical. What about making btrfs fscking ready for production for example? That would have been a much much better idea.

[1] https://github.com/zfsonlinux/spl

Enrico Tagliavini

 
In the last weeks I developed a Linux daemon for a centralized password reset service for the group I work in. It's based on Unix domain sockets for now (to be extended to TCP/IP eventually).

When writing a systemd service file for it I asked myself "how hard would it be to implement #systemd socket activation?" [this includes receiving a pre-initialized socket from systemd as well of course]. Well I answered that question and the answer is: not at all! So systemd socket activation is now part of my daemon and I'm loving it.

Thank you systemd!

Enrico Tagliavini

 
https://www.youtube.com/watch?v=WipM3SAYqK4

Wow that was awesome, thank you +Bryan Lunduke


### SPOILER ALERT ###

Stop reading here, you have been warned.


"Systemd destroyer Worlds" almost killed me.

And yeah having Justin Bieber more popular than Linux on google hurts 

Enrico Tagliavini

 
Alleluja! One less piece of junk is finally going away. But instead of migrating to Java web start, another big piece of junk [1], please just do something that makes sense. You have better alternatives.

[1] Java web start, for the little I know about it, is a way to start an application from a web interface. In Linux, for what I've used, you download a description file and start it with the javaws command. Unfortunately if you were connecting via a proxy server, SSH tunnel or the like, it won't work. I know because a lot of common BMC GUI consoles work with something like this. Of course I don't expose my damn management network to the evil internet, you have to hop on some access server. The only working workaround I found is using a VPN. Not a big problem for me, but not really friendly.