Skip to content

Adding a MediaWiki to BananaPi

In previous post I covered how to stand up CentOS 7 on BananaPi:
http://blog.scottnolan.org/2016/03/16/bananapi-server-running-centos-7-linux/

This is how to add Apache, PHP, MariaDB and MediaWiki to a BananaPi.

Install a bunch of software:
yum -y install httpd php php-mysql php-gd php-xml mariadb-server mariadb

First, set up the database:
systemctl start mariadb
mysql_secure_installation

disable anonymous users
enforce only local root login
remove test database
reload priv tables

mysql -u root -p
CREATE USER 'wiki'@'localhost' IDENTIFIED BY 'CHANGE_MARIADB_PASSWORD';
CREATE DATABASE wikidatabase;
GRANT ALL PRIVILEGES ON wikidatabase.* TO 'wiki'@'localhost';
FLUSH PRIVILEGES;
SHOW DATABASES;
SHOW GRANTS FOR 'wiki'@'localhost';
exit
systemctl enable mariadb

I like to store the passwords in a password vault like KeePassX, 1Password, or LastPass.

Set up apache:
systemctl enable httpd
vi /etc/httpd/conf/httpd.conf

Change DocumentRoot “/var/www/html”
to DocumentRoot “/var/www”

Change change ” DirectoryIndex index.html”
to ” DirectoryIndex index.html index.html.var index.php”

echo "It Works" >> /var/www/index.html
systemctl start httpd.service

Configure firewall to allow WebService
yum -y install system-config-firewall-tui
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

Test by pointing a browser at the IP_OF_BANANAPI

Now install MediaWiki:

cd /root
wget http://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.2.tar.gz
curl -O http://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.2.tar.gz.sig
gpg --verify mediawiki-1.26.2.tar.gz.sig mediawiki-1.26.2.tar.gz
cd /var/www
tar -zxf /root/mediawiki-1.26.2.tar.gz
ln -s mediawiki-1.26.2/ mediawiki
chown -R apache:apache /var/www/mediawiki
systemctl restart httpd.service

Finish setting up your MediaWiki Server by pointing a web browser at http://IP_OF_BANANAPI/mediawiki and finish setting up the Wiki.

Enjoy your own Wiki server.

Caching BIND name server on BananaPi

I previously covered how to install CentOS 7 Linux and NTPD on BananaPi here:
http://blog.scottnolan.org/2016/03/16/bananapi-server-running-centos-7-linux/

This post is how to install BIND name server for caching DNS on BananaPi.

Install and enable the BIND software:
yum -y install bind bind-chroot
systemctl enable named.service

Go get a root hints file:
yum -y install wget
wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /var/named/named.root
cp /usr/share/doc/bind-*/sample/etc/named.rfc1912.zones /var/named/chroot/etc

Update your named.conf file:
vi /etc/named.conf

Change the string listen-on port 53 { 127.0.0.1; };
to listen-on port 53 { 127.0.0.1; IP_OF_BANANAPI; };

Change allow-query { localhost; };
to allow-query { localhost; 192.168.1.0/24; }; (only use whatever subnet you have)

Add to options block:
forward first;
forwarders {
71.252.0.12;
4.2.2.2;
208.67.222.222;
8.8.8.8;
};

Use IPs for the public caches that are fastest from your location; I use NameBench on my Mac to determine the fastest local servers.

That creates a caching name server; you can also (optionally) add local zones too if you like.

Configure firewall to allow DNS:
yum -y install system-config-firewall-tui
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
chgrp named -R /var/named
chown -v root:named /etc/named.conf
restorecon -rv /var/named
restorecon /etc/named.conf
named-checkconf /etc/named.conf
cd ; systemctl start named
cd ; systemctl restart named

Install dig/nslookup tools and verify your BIND/DNS server:
yum -y install bind-utils
nslookup www.cnn.com 127.0.0.1
nslookup google.com 127.0.0.1

Test from another computer:
nslookup google.com IP_OF_BANANAPI

Congratulations – you have a caching DNS server.

BananaPi server running CentOS 7 Linux

I enjoy tinkering with small, energy-efficient servers. My latest toy is a LeMaker BananaPi (RaspberryPi clone, but with eSATA and gigabit ethernet).

Grab a CentOS 7 for ARM image from http://mirror.centos.org/altarch/7/isos/armhfp/, mine happens to be CentOS-Userland-7-armv7hl-Minimal-1511-BananaPi.img

Stuff that onto an SD card (mine is 16GB, but this should work even smaller) using dd commands. Insert the SD card into the BananaPi, plug the server into a MicroUSB power supply and it should boot and get an initial IP address from your DHCP server if you have one. Find that IP by checking your router; or connect keyboard, mouse, and monitor to see the console of the server (optional).

Find the device name for the SD card by TYPE, NAME, SIZE
df -h or sudo diskutil list

On my Mac the device name is /dev/disk6s1
sudo diskutil umount /dev/disk6s1

For the DD command, switch to the raw device name and the whole disk (/dev/rdisk6) to go much faster.
sudo dd if=/Users/snolan/Downloads/CentOS-Userland-7-armv7hl-Minimal-1511-BananaPi.img of=/dev/rdisk6 bs=4m ; tput bel
Control-T to check progress of DD command – mine took about 20 minutes…

Pop the SD card into the BananaPi and power it on.
Check your router or DHCP server to see the new device’s IP address on the network.

SSH into the root@IP_of_server or use the console to login as root – either way initial password is “centos” which needs to be changed ASAP! Put your new root password into your password vault (I use KeePassX).

Let’s configure this little Server to use a static IP address now…

Find the device name of the active interface (eg: eth0):
nmcli dev status

cd /etc/sysconfig/network-scripts/
ls -l ifcfg*
vi ifcfg-
eth0 (switch to your interface/device name)

The ifcfg-XXX file should look like:
DEVICE="eth0"
HWADDR="your:mac:address:here:please"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO=static
IPADDR=192.168.subnet.ipaddr
NETMASK=255.255.255.0

Update the network file:
vi /etc/sysconfig/network

The network file should look like:
GATEWAY=192.168.subnet.router
HOSTNAME=fqdn_of_new_server
DNS1=ip_primary_nameserver
DNS2=ip_secondary_nameserver
SEARCHsearch_domain_of_your_network

Restart networking:
systemctl restart network.service

You will need stable system clock, I like to use GMT so arbitrary daylight saving stupidity does not impact my databases:
yum -y install ntp

Verify you can reach some public time servers:
grep "^server" /etc/ntp.conf

ntpdate -q 0.centos.pool.ntp.org
You want to see stratum values in low single digits (stratum 2 or stratum 3)…

ntpq -p
Make sure the servers you are looking at are stratum 2 or 3 (the “st” field in the tabular output)…

vi /etc/ntp.conf

Add the following line:
restrict 192.168.subnet.ip netmask 255.255.255.0 nomodify notrap

systemctl stop ntpd
systemctl enable ntpd
systemctl start ntpd

Test locally:
ntpdate -q 127.0.0.1
That should show a low single digit stratum number (3 or 4)…
date
That should show current UTC/GMT time…

Configure firewall to allow NTP
yum -y install system-config-firewall-tui
firewall-cmd --permanent --add-service=ntp
firewall-cmd --permanent --add-port=123/udp
firewall-cmd --reload

Test from another computer:
ntpdate -q 192.168.subnet.ip_of_server
That should show a low single digit stratum number (3 or 4)…

See which clients are using my NTP server
ntpdc -c monlist
yum install tcpdump
tcpdump udp port 123 -i any

DNS (Caching name server) and Apache/MariaDB/MediaWiki in another post…

Splunk Forwarder on BananaPi

I have been tinkering with a nifty little RaspberryPi clone made by Lemaker and called BananaPi (basically a RaspberryPi model B with 1 gigabyte memory, eSATA connector, and gigabit ethernet). It’s the size of a deck of playing cards in it’s clear acrylic case, and runs CentOS 7 Linux server operating system.

I have it running ntpd, named (DNS BIND), httpd, MariaDB, PHP, and MediaWiki. I’ll probably put other things on it soon. Like any server, it should be monitored; so I was delighted to find an ARM based Splunk Forwarder at https://splunkbase.splunk.com/app/1611

Now my logs and events are getting shipped to my Splunk indexer and I can monitor and graph anything that logs on the BananaPi.

Steven Levy nails it, again – why are we fighting for the right to privacy again?

Steven Levy has an excellent article about the current attempt to squash privacy and encryption by the FBI and why this all sounds so familiar, it’s because we already had this battle before, twice, in the 1990s… and both times wisdom prevailed. Will it prevail again?

https://backchannel.com/why-are-we-fighting-the-crypto-wars-again-b5310a423295

Remember the dreaded “Clipper” chip and everyone worrying about Net Nannies with the Gores at the helm? Hell, our entire electronic commerce system only works because of public key cryptography. If agencies are allowed back doors into that, then there ultimately is no way to trust electronic financial transactions at all.

Excellent reading, and thank you Apple for fighting the good fight for the rest of us.

Vegetable Garden, 2016

Having a gently warm spring weekend has encouraged me to start on the garden this year; so far I am just tilling the soil with an old garden fork and thinking about how best to prevent deer and rabbit from eating everything.

Empty garden bed, ready for fence and seeds.

Fresh tilled garden bed.

Remaining from prior years is a little Rosemary, a lot of Oregano, the heavy trimmed back Fig tree/bush, and one or two carrots. I plan to rotate the plantings and put corn, squash, peas, beans, and lettuces in the big bed (it housed tomatoes, melons, zucchini, and radishes last year) and put tomatoes, cucumbers, and zucchini in the triangular bed this year. Herbs and chili peppers stay where it is hot, tight against the garage wall.

While out clearing leaves and dead-fall from winter, I found a few treasures to share and noticed that the cherry tree has buds forming:

tiny irises

tiny irises

tiny daffodils

tiny daffodils

hyacinth I think

hyacinth I think

more hyacinth?

more hyacinth?

Tagged

Ransomware targeting Mac OS X posing as Transmission 2.90

It looks like some extortionists hijacked the transmissionbt.com website, and published for about 36-48 hours a fake version of Transmission (bitTorrent client) that claims to be v2.90 but is actually RansomWare that will encrypt your files and demand payment for decryption keys. Don’t use Transmission v2.90 and be careful out there.

http://arstechnica.com/security/2016/03/first-mac-targeting-ransomware-hits-transmission-users-researchers-say/

I guess Mac OS X has finally achieved mainstream status if the bad guys are really targeting it now. Prior fake malware has all been posing as illegal/unlicensed copies of commercial software, so far as I know this one is a first to target through freeware.

AppleTV (4th Generation) with tvOS

I am testing a new (4th generation, Oct 2015) AppleTV as a replacement for my 2nd generation AppleTV (Sep 2010).
My initial impression is overwhelmingly positive! I am finally replacing the older AppleTVs entirely.

I was an early adopter, got my first AppleTV (Silver, ran stripped version of Mac OS X 10.4 Tiger with FrontRow) when they first announced the device in 2007, mostly as an experiment in bringing internet content (YouTube, iTunes Movie rentals, Flickr) to my big TV screen. I liked it so much I hacked it to do Boxee and Xbox Media Center (XBMC) and bought one with a 160GB drive a few months later for the basement recreation room.

When the little black 2nd generation AppleTVs came out in 2010 I was skeptical, but experimented again, and at first was not impressed. The move to iOS without any applications was a hindrance, and I had come to rely on XBMC seeing my big media share of my own library of content… Then in January 2011 they were jailbroken and XBMC and Boxee and Nito were all available and I switched to 2nd generation AppleTVs with every TV… and there I stayed…

The 3rd generation (2012) AppleTV, and it’s faster revision (2013) did not interest me as they could not be jailbroken; and without XBMC access to my growing library of media served from an old Mac Mini, they simply were not viable.

In 2014 I started looking at Roku as an alternative… I really like iTunes access (no other digital streaming catalog has closed captioning as good as iTunes) and AirPlay had become essential… but Roku had much more stable XBMC and Plex clients for seeing my huge media library and they came with support for Amazon Prime as well (something AppleTVs still don’t do). Roku3 remains a top recommendation from me.

I am thrilled that the new AppleTV (Oct 2015) finally gives me the best of almost all worlds. I downloaded the free app Plex and with Plex Media Center (free download) loaded on my old Mac Mini my huge library is available on the latest/greatest AppleTV that does AirPlay, HBO Now, iTunes, Hulu, and Netflix. I see no reason (other than budget) not to replace all the old 2nd generation AppleTVs with the new ones. So now what do I do with three hacked AppleTVs?

Huge honorable mention goes to Roku who has two models now (Roku3 and Roku4) that are simply astounding streaming media players – they too do Plex out of the box, they also do HBO Now, Hulu, Netflix, YouTube. The Roku does not have Apple’s App ecosystem, and it does not have AirPlay support nor iTunes media support; but it does do Amazon Prime, and is a little cheaper, and has the amazing headphones jack on the remote feature that is spectacular.

4th Generation AppleTV Out of the Box experience:
1) I love that it automatically pairs with an existing iOS device (iPhone/iPad) to grab AppleID and avoid some typing manually through the cumbersome remote controlled on screen keyboard.
2) I love that it detected wired ethernet and automatically set that up correctly even after seeing Wi-Fi on my iPhone.
3) I love that some apps (YouTube) send you to a website on a laptop/desktop/tablet/phone with a simple code to avoid some typing manually through the cumbersome remote controlled on screen keyboard your long login/password to YouTube/Google.
4) I love being able to move the apps around so that Plex, HBO Now, Computers, and Search are at the top of the screen instead of the much more infrequently used iTunes Movies, iTunes TV, iTunes Music and Photos.
5) I love the new remote, much easier to swipe through menus and settings in general, though I do miss the Remote app on my iPhone working with the AppleTV (that was better still, and made typing in passwords much faster).
6) I HATE that connecting to Computers for Home Sharing, connecting to HBO Now and most other accounts requires the manual remote control based hunt and peck username and password keystroke entry – this is a HORRIBLE experience and needs to be beaten out of every interface. It would be acceptable with the Remote App working again, or any BlueTooth keyboard – but neither is an option yet… and it is painful to set up accounts.
7) Switching from Kodi/XBMC to Plex is a big change, but not as big as I was worried about – and it turns out to be VERY pleasant; the ordering of shows, the marking of what was watched and remains unwatched is a breeze through Plex Media Server’s web based software (on the computer/server) and the Plex client is fast and beautiful and easy to use. Huge improvement over XBMC Gotham (13.2) that I was using.
8) I love that AirPlay once again works from those devices I foolishly upgraded to iOS 9 before updating my old AppleTVs (iOS 9 devices cannot AirPlay display to older AppleTVs any more).
9) I have not figured out how to load key features from the AppleTV remote into my Logitech universal remote yet – and I need to at least get the basics set up there – but for now we have two remotes in use.

I may go to a mixed AppleTV 4 and Roku 4 household; because I love AirPlay, gaming apps, and iTunes Media on AppleTV; and I love Amazon Prime and remote based headphones on Roku.

Election Day in Virginia, November 3rd, 2015

Quick reminder to all those in Virginia; it is election day tomorrow – state and local offices will be holding elections in every district in the state. Don’t forget to go vote.

Where do I vote? Virginia State Board of Elections Voting Places

What is on my ballot? Virginia State Board of Elections Ballot

XcodeGhost infected Applications; might include Mercury

First really serious hack to impact iOS devices that are not jail-broken manages to inject spyware into several apps that were actually in the Apple App store. There are several good articles covering XcodeGhost and the hacked apps that may have been developed with XcodeGhost. One of the better written ones is on ArsTechnica, of course…

Apple Scrambles After 40 Malicious XcodeGhost Apps Haunt App Store

This impacts China more than most, as most of the apps are Chinese language apps targeting people in China; but there are a few reputedly infected apps that are in global use, including the Mercury web browser!

That hits home, as I have been using Mercury on iOS (iPad and iPhone) for a long time as an alternative to Safari (I use several browsers with different settings and permissions to have different privacy modes). The news that Mercury might be spying on me is more than a little frightening.

The good news, I don’t trust any iOS browser to do anything – I never save passwords, rarely allow them to use location, etc.. so the amount of information gathered is limited to the use of the browser itself.

Also – I am using Mercury 9.1.0; and my firewall is not seeing any traffic to 92.242.140.21 (the IP address of init.icloud-analysis.com where the reports are allegedly going); so I am hopeful that that version of Mercury is not infected (but there is no guarantee). I am pretty sure the newer versions released after May 31st, 2015 are infected (that is when Mercury was briefly unavailable in the App Store and only resumed under a different publisher than original versions).

Timeline of Mercury so far (some google searching):
2009/08/24 iLegendSoft registered their website
2009/12/23 Mercury is already released and reviews are beginning to appear
2012/07/27 mercury-browser is out and website launched
2014/12/21 Mercury 8.9.4 released, still with plenty of info – probably a good version
2015/04/29 Mercury 9.0.7 released
2015/05/06 Mercury 9.0.10 released
2015/05/?? Mercury 9.1.0 released
2015/05/31 Mercury disappears from app store
2015/07/06 Mercury 9.2.1 announced on Facebook – likely hacked – new publisher “Lucy Ding” instead of iLegendSoft
2015/09/18 XcodeGhost hack unveiled – Mercury on the list of infected apps according to some news outlets

Until we know more, do NOT install Mercury, and it is probably best to figure out what private information you have entered into Mercury and clear that if you are not certain it is safe (change passwords, and the like).

It is a testimony to how good the walled garden of the app store is, that this is really the first serious hack of un-broken iPhones and iPads since their debut several years ago. That is amazing.