IPTables GeoFilter + banned_hosts using ipset
I have, over the course of a couple of weeks, come up with a good geofilter script that will also cycle in IP addresses that snoop your interfaces for known services and add them to an ipset drop list.
I start off in my firewall script by creating new ipset kernel lists, so that when my firewall script is run the tables are created in the kernel and rules can be set using them.
```sh
ipset -N china hash:net
ipset -N india hash:net
ipset -N iran hash:net
ipset -N russia hash:net
ipset -N korea hash:net
ipset -N banned_hosts iphash
```
Then I create the iptables statements to incorporate the ipset kernel lists.
```sh
iptables -A INPUT -m set --match-set china src -j DROP
iptables -A INPUT -m set --match-set india src -j DROP
iptables -A INPUT -m set --match-set iran src -j DROP
iptables -A INPUT -m set --match-set russia src -j DROP
iptables -A INPUT -m set --match-set korea src -j DROP
```
Then I create a rule set to add snoopers to the banned_hosts ipset kernel list. I have offset my ssh service to an obscure port number, and **it should be noted that I do NOT run an SMTP, WEB or SECURE WEB server on this host.** So any IP looking for such services is considered a snooper and has no business talking to my external interface.
```sh
iptables -A INPUT -i $UNTRUSTED -p tcp --dport 22 -j SET --add-set banned_hosts src
iptables -A INPUT -i $UNTRUSTED -p tcp --dport 25 -j SET --add-set banned_hosts src
iptables -A INPUT -i $UNTRUSTED -p tcp --dport 80 -j SET --add-set banned_hosts src
iptables -A INPUT -i $UNTRUSTED -p tcp --dport 443 -j SET --add-set banned_hosts src
iptables -A INPUT -m set --match-set banned_hosts src -j DROP
```
I have put together a script that refreshes the ipset kernel lists and writes out the banned_hosts for permanent inclusion in the banned_hosts kernel list. I call this script /home/fw/geofilter.sh.
```sh
#!/bin/sh
# Export the banned_hosts list to a file.
ipset list banned_hosts -file /home/fw/banned_hosts.exam
# Strip the first 8 lines (the ipset header) of the exported banned_hosts.
sed -e '1,8d' banned_hosts.exam >banned_hosts.log
# Flush the ipset lists
ipset -F
# Remove any old list that might exist from previous runs of this script
rm *-aggregated.zone
# Pull the latest IP set for geofilter
wget https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone
wget https://www.ipdeny.com/ipblocks/data/aggregated/in-aggregated.zone
wget https://www.ipdeny.com/ipblocks/data/aggregated/ir-aggregated.zone
wget https://www.ipdeny.com/ipblocks/data/aggregated/kp-aggregated.zone
wget https://www.ipdeny.com/ipblocks/data/aggregated/kr-aggregated.zone
wget https://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone
# Add each IP address from the downloaded lists into the matching ipset
for i in $(cat cn-aggregated.zone ); do ipset -A china $i; done
for i in $(cat in-aggregated.zone ); do ipset -A india $i; done
for i in $(cat ir-aggregated.zone ); do ipset -A iran $i; done
for i in $(cat ru-aggregated.zone ); do ipset -A russia $i; done
for i in $(cat k*-aggregated.zone ); do ipset -A korea $i; done
# Re-add the hosts banned before the flush
for h in $(cat banned_hosts.log ); do ipset -A banned_hosts $h; done
# Restore iptables
/home/fw/firewall.sh
```
Call the geofilter.sh from a crontab.
```
00 4 * * * cd /home/fw/ && sudo ./geofilter.sh >/dev/null
```
Create a tmux session (alternative to screen) to watch the traffic counters in iptables. /home/fw/watchfirewall.sh
```sh
tmux new -d -s watch "sudo watch -d -n 2 iptables -nvL"
```
Run the watchfirewall.sh script.
```
fw@host:/home/fw# ./watchfirewall.sh
```
Attach to the tmux session to watch the firewall chain counters increment.
```sh
tmux attach -t watch
```
https://redd.it/fzk48s
@r_linux
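The refresh above runs `ipset -F` and then refills every set entry by entry, so the country DROP rules match nothing until the loops finish, and the `sed '1,8d'` step depends on the `ipset list` header being exactly eight lines. As an added example (not the poster's geofilter.sh), here is the same refresh done through a temporary set and `ipset swap`, with the banned_hosts members read from the `ipset list` output itself; `refresh_set`, `ipset_members`, `zone_to_restore`, `fetch_zone`, the sample data and the file name geofilter-swap.sh are assumptions of mine, while /home/fw, the set names and the ipdeny URLs come from the post.

```sh
#!/bin/sh
# Added example, not the poster's geofilter.sh: refresh the ipset lists through
# a temporary set plus "ipset swap", so a DROP rule that references a set never
# sees it empty while a new zone file loads ("ipset -F" leaves that window open).
# Assumes ipset 6.x (create/swap/restore) and ipdeny.com zone files with one
# CIDR per line; /home/fw is the poster's work directory.
set -u

# Print the members of an "ipset list" dump read from stdin: every line after
# "Members:", first field only (entries may carry comments). This avoids
# assuming the header is exactly eight lines long.
ipset_members() {
    awk 'found && $1 != "" { print $1 } /^Members:/ { found = 1 }'
}

# Turn a zone file on stdin into "ipset restore" add lines for the temporary
# set <name>_tmp; blank lines and comments are skipped.
zone_to_restore() {
    grep -Ev '^[[:space:]]*(#|$)' | while IFS= read -r cidr; do
        printf 'add %s_tmp %s\n' "$1" "$cidr"
    done
}

# Atomically replace the contents of set $1 (type $3, default hash:net) with
# the entries in file $2: fill <set>_tmp, swap it in, destroy the temp set.
refresh_set() {
    ipset -exist create "$1" "${3:-hash:net}"
    ipset -exist create "${1}_tmp" "${3:-hash:net}"
    ipset flush "${1}_tmp"
    zone_to_restore "$1" < "$2" | ipset -exist restore
    ipset swap "${1}_tmp" "$1"
    ipset destroy "${1}_tmp"
}

# Download one country zone; -N only refetches when the server copy is newer.
fetch_zone() {
    wget -q -N "https://www.ipdeny.com/ipblocks/data/aggregated/$1-aggregated.zone"
}

# Constructed sample of "ipset list banned_hosts" output (not captured data),
# used to exercise ipset_members offline.
sample_ipset_list() {
    cat <<'EOF'
Name: banned_hosts
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
References: 1
Number of entries: 2
Members:
203.0.113.7
198.51.100.23
EOF
}

# Constructed zone file in ipdeny's one-CIDR-per-line format.
sample_zone() {
    printf '# constructed sample\n192.0.2.0/24\n\n198.51.100.0/25\n'
}

main() {
    cd /home/fw || exit 1
    # Persist the hosts banned since the last run, then reload them.
    ipset list banned_hosts | ipset_members > banned_hosts.log
    refresh_set banned_hosts banned_hosts.log hash:ip
    for cc in cn in ir kp kr ru; do fetch_zone "$cc"; done
    refresh_set china  cn-aggregated.zone
    refresh_set india  in-aggregated.zone
    refresh_set iran   ir-aggregated.zone
    refresh_set russia ru-aggregated.zone
    cat kp-aggregated.zone kr-aggregated.zone > korea.zone
    refresh_set korea  korea.zone
}
# Only touch the kernel when asked explicitly: ./geofilter-swap.sh --apply
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as root with `--apply` after firewall.sh has created the sets and rules; without the flag it only defines the functions, so the parsing helpers can be exercised without touching the kernel.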
What are some of the most epic moments in Linux history?
Lately while browsing through Linux related subs I find comments mentioning old wars in Linux history. So I was meaning to ask, what are some epic moments in Linux history that were forgotten or that just happened in the background but still had a great impact over the industry?
https://redd.it/fzrjxd
@r_linux
Tips for those who want to start contributing with linux.
Hello guys!
I'm a software developer and I've been using Linux for 9 years. Now I want some tips on how to start helping the Linux community, such as which tools to use and what level of knowledge in hardware and software is needed.
If you remember some cool or critical project (in need of more developers) that wants some help, let us know and post a comment.
Books and links to get started are welcome!
And don't forget #stayhome
https://redd.it/fzrr3d
@r_linux
First Distro
My first distro. I remember back then I could not figure out why Doom (or was it Duke Nukem?) would not load on the computer. Little did I know then that Linux was not the same as Windows.
https://preview.redd.it/lzcp2bb9tbs41.jpg?width=1600&format=pjpg&auto=webp&s=0d4afacac1d79f80928f10063c6ff174f7ecfbab
https://redd.it/fzr5j7
@r_linux
Kernel Level Anti Cheat (EAC or /dev/null) potential solutions
Firstly, I wanted to originally post on /r/linux_gaming , but I thought that since this was more about software development, it was better to post here.
I'm speaking as a bit of a noob in terms of kernel-level and Wine programming, but I'm quite frankly frustrated with the lack of communication on the part of the EAC devs regarding Wine compatibility, so I ask you this:
How realistic is the possibility of a solution being worked on from Wine to this problem?
I'm not asking whether Codeweavers is working on fixing this, just hypothetically whether it could even be accomplished. If so, what would be the steps to overcoming this barrier?
If this is in the wrong sub, I apologize.
https://redd.it/fzuc14
@r_linux
cron.weekly issue #129: http3, brim, pagure, mosh, git & more
https://ma.ttias.be/cronweekly/issue-129/
https://redd.it/fztgk1
@r_linux
Faking your webcam background under Linux
https://github.com/fangfufu/Linux-Background-Blur-Webcam/
https://redd.it/fzxct4
@r_linux
Multi "Device Not Managed" error on create_ap tool.
When I start create_ap using
`systemctl start create_ap`
after configuring the `/etc/create_ap.conf` file, I get this:
https://preview.redd.it/gvhh81qwmes41.png?width=363&format=png&auto=webp&s=10e5752aee68c42cc545062df8984ded459ec790
And my phone has no internet connection even though it's connected to the AP that was created.
PS: I'm using Arch.
https://redd.it/fzyk4p
@r_linux
This week in KDE: Libinput scroll speed, Dolphin remote access improvements, and more
https://pointieststick.com/2020/04/11/this-week-in-kde-libinput-scroll-speed-dolphin-remote-access-improvements-and-more/
https://redd.it/fzz7lk
@r_linux
Just installed antiX on my dad's laptop. Now I am paranoic. What are these bookmarks?
https://redd.it/g01v02
@r_linux
is www.openprinting.org worth checking?
Hello there!
I want to buy a printer but don't want to spend a lot of money on an HP printer that will work for sure (yeah, that's the actual problem, thank you for not pointing that out), so I was checking printers on [https://www.openprinting.org/](https://www.openprinting.org/) ...
But... it seems outdated, to say the least. Also, some printers are listed as completely non-functional, but I know of people who managed to get them working.
The entries have no date, so it's unclear whether an entry is recent or not.
Generally speaking, it doesn't look well curated.
Is [https://www.openprinting.org/](https://www.openprinting.org/) still the reference, or has something better appeared in the meantime?
https://redd.it/fzk5zz
@r_linux
The Concept of a Perfectly Secure OS
Hi, I have a concept of what would constitute a perfectly secure OS. I'd like to know if such a thing already exists, if it would be reasonable or feasible to make it and what you think in general about the idea.
I'd start by giving an analogy to convey an intuitive sense of my idea: think about a database server and different remote users. Theoretically, no user can read/write a resource that the server controls unless they are given explicit permission to do so. A local system (e.g. a personal computer) can use a similar architecture (solely software based) to manage processes and resources/devices in the same way.
Let's look at how such security design would work:
* The OS has exclusive control over the file system, CPU/GPU and RAM (the necessary components for running the OS).
* Every process that is located under the OS root folder on the file system is considered part of the OS.
* The OS guarantees that no process outside the OS root folder can read/write from inside the OS root folder nor from any memory page that is allocated to the OS.
* The OS exposes an API for every resource that a non-OS process might want to access. (But all permissions are granular, e.g. you can ask for permission to read/write a specific folder/file, or to communicate with a specific process...)
* The OS has exclusive control over every connected device. But, a process can acquire permission to *act like* a device driver and communicate (raw data) with the device through the OS API.
* The OS can communicate with the "local human user" in a secure way by forcing the input/output devices (keyboard-mouse/screen-speaker) to use the OS native drivers.
* The local human user can modify permissions associated with every non-OS process.
With these simple rules, every possible breach I can think of will not be possible (unless you deliberately allow it of course). Here are a few trivial examples:
* A non-OS process can't access your clipboard, keystrokes, list of running processes, screenshot, camera or files unless you give it the permission to do so, in a very granular way.
* A non-OS process can never pretend to be an OS process because the user can invoke the OS with a keyboard shortcut that the OS watches for and never dispatches to non-OS processes. The OS can be configured to immediately pause every non-OS process once the OS permission panel is invoked.
My concept cannot protect from physical-access attacks of course. But, the OS can run a checksum test on itself in some cryptographically secure way that requires the local human user's password, in order to protect against tampering with the storage device and changing the OS root folder.
Any ideas or criticism are very welcome.
https://redd.it/fzcj89
@r_linux
enact - easy dual-monitor setup and hotplug support for window managers like i3, bspwm, and others
`enact` will detect the proper resolution of your secondary monitor (if any) and automatically set it up as soon as you plug it in (or out).
It uses xrandr under the hood and is made with window managers like i3, bspwm, and others in mind.
Use cases:
- a laptop and an arbitrary secondary monitor (e.g. at work, home, etc.)
- a desktop with two monitors
https://github.com/chmln/enact
https://redd.it/g05tsk
@r_linux
Vector Packet Processing - An Open Source Terabit Software Dataplane
https://fd.io/
https://redd.it/g06z76
@r_linux
A New Password Manager
I wrote a new password manager; it takes the fundamental concepts from [pass](https://www.passwordstore.org) and builds on them to give you even more flexibility! What do you think?
GitHub Link: [https://github.com/vimist/securestore](https://github.com/vimist/securestore)
Blog Post: [https://vimist.github.io/2020/04/12/A-New-Password-Manager.html](https://vimist.github.io/2020/04/12/A-New-Password-Manager.html)
https://redd.it/g0643w
@r_linux
Explaining the layers of package management
https://distrowatch.com/weekly.php?issue=20200413#qa
https://redd.it/g07wkv
@r_linux