Friday, December 11, 2015

Block Comcast Xfinity data cap popup

If you have recently been converted to the Comcast data cap market, you will have 2 months of continued unlimited data before being charged any overages.

The problem is that you will see HTML injection popups on any site that is not encrypted with https://.

These cannot be blocked via a hosts file, DNS or BIND filter. The popup is generated from http://servicealerts.comcast.net:8080/


While it's nice that they are giving us a couple of months before actually charging, you have to suffer through popups at every usage threshold: 90%, 100%, 110%, 125% and up.

To block these in Adblock, manually edit your filters to include:

##*#comcast_content

If you are curious, the code looks like this:

Friday, November 13, 2015

How to install Guacamole 0.9.8 for Ubuntu 14.04 and secure with Nginx ssl

Guacamole is a pretty straightforward RDP/VNC/SFTP utility that requires no plugins on client systems. It uses HTML5 to serve the connections directly in a browser.

This is a pretty standard install to connect to a Windows RDP host. We will be securing the server with UFW, fail2ban and SSL, using NGINX as a reverse proxy.

First, enable the firewall and allow the following ports:

sed -i 's/ENABLED=no/ENABLED=yes/g' /etc/ufw/ufw.conf
ufw allow 22 && ufw allow 8080

Install the prerequisite software

apt-get update && apt-get install -y fail2ban build-essential htop libcairo2-dev libjpeg62-dev libpng12-dev libossp-uuid-dev tomcat7
apt-get install -y libfreerdp-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libpulse-dev libssl-dev libvorbis-dev

Download and extract the guacamole server files

cd ~
wget http://sourceforge.net/projects/guacamole/files/current/source/guacamole-server-0.9.8.tar.gz
tar -xzf guacamole-server-0.9.8.tar.gz && cd guacamole-server-0.9.8/

Compile and make the program (this may take some time depending on your hardware).

./configure --with-init-dir=/etc/init.d && make && make install

Now update the library cache and the init scripts so guacd starts on boot.

ldconfig && update-rc.d guacd defaults

Create the main Guacamole configuration folder and file

cd ~ && mkdir /etc/guacamole

Using vi (or nano, or your editor of choice), create the main configuration file, which provides the location of the user-mapping.xml file.

vi /etc/guacamole/guacamole.properties
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822

# Location to read extra .jar's from
lib-directory: /var/lib/tomcat7/webapps/guacamole/WEB-INF/classes

# Authentication provider class
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider

# Properties used by BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml

For the Guacamole client, we are going to add a simple RDP connection. This is highly configurable, so be sure to read up on their site to see all the variables.

The Guacamole website will have a username of guacadmin and a password of guacpass.

For our purposes we are going to connect to a Windows box, 192.168.0.25, with the username winuser and the password winpassword on the standard port 3389. Change these fields to match the Windows box you want to connect to.

vi /etc/guacamole/user-mapping.xml
<user-mapping>
 <authorize username="guacadmin" password="guacpass">
  <protocol>rdp</protocol>
  <param name="hostname">192.168.0.25</param>
  <param name="port">3389</param>
  <param name="username">winuser</param>
  <param name="password">winpassword</param>
 </authorize>
</user-mapping>

You may need to adjust your Remote Desktop settings to allow connections from clients that do not use Network Level Authentication (NLA), such as this one.
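The user-mapping.xml above stores the Guacamole login password in plaintext. Guacamole's BasicFileAuthenticationProvider also accepts an md5 hex digest when the password attribute carries encoding="md5". The script below is an added example, not code from the post or the Guacamole project: it writes the file with the hashed Guacamole password, escapes the values so they cannot break the XML, and restricts the file to root and the tomcat7 service account. The RDP credentials still have to be stored in plaintext because guacd needs them to log in, which is why the file mode matters as much as the hash. It assumes Guacamole 0.9.8, a tomcat7 user, and GNU coreutils; the host and credential values are the post's sample values.

```shell
#!/bin/sh
# Added example (not from the original post or the Guacamole project): write
# user-mapping.xml with the Guacamole login password stored as an md5 hash and
# lock the file down. Assumptions: Guacamole 0.9.8's BasicFileAuthenticationProvider
# (md5 is the only encoding it accepts), Tomcat runs as user "tomcat7", GNU coreutils.

# md5 hex digest of a password, as expected in password="..." encoding="md5"
guac_md5() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Escape the XML special characters so a value cannot break out of its attribute/element
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                            -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# write_user_mapping FILE GUAC_USER GUAC_PASS RDP_HOST RDP_USER RDP_PASS
write_user_mapping() {
    file=$1
    # subshell: umask 077 so the file is never world-readable, even briefly
    (umask 077; cat > "$file" <<EOF
<user-mapping>
 <authorize username="$(xml_escape "$2")" password="$(guac_md5 "$3")" encoding="md5">
  <protocol>rdp</protocol>
  <param name="hostname">$(xml_escape "$4")</param>
  <param name="port">3389</param>
  <param name="username">$(xml_escape "$5")</param>
  <param name="password">$(xml_escape "$6")</param>
 </authorize>
</user-mapping>
EOF
    )
    # root owns it, the tomcat7 service account may read it, nobody else gets anything
    if id tomcat7 >/dev/null 2>&1; then chown root:tomcat7 "$file"; fi
    chmod 640 "$file"
}

# check_user_mapping FILE PLAINTEXT_GUAC_PASS -> 0 if md5 encoding is used, the
# plaintext Guacamole password is absent, and "other" has no access to the file
check_user_mapping() {
    grep -q 'encoding="md5"' "$1" || return 1
    grep -q "password=\"$2\"" "$1" && return 1
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        640|600|440|400) ;;
        *) return 1 ;;
    esac
}

# Demo on a temporary file; on the server the path is /etc/guacamole/user-mapping.xml
demo_file=$(mktemp)
write_user_mapping "$demo_file" guacadmin guacpass 192.168.0.25 winuser winpassword
check_user_mapping "$demo_file" guacpass && echo "user-mapping.xml hardened: $demo_file"
rm -f "$demo_file"
```

After writing the real file, restart tomcat7 so the provider re-reads it; a login with guacadmin/guacpass then works exactly as before, but the file no longer reveals the web login password to anyone who can read /etc.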


Update tomcat to point to the user authentication files.

mkdir /usr/share/tomcat7/.guacamole
ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat7/.guacamole
wget http://sourceforge.net/projects/guacamole/files/current/binary/guacamole-0.9.8.war
cp guacamole-0.9.8.war /var/lib/tomcat7/webapps/guacamole.war

Start the guacd service and restart Tomcat

service guacd start && service tomcat7 restart

You should now be able to access your server via port 8080. For instance, my server, which is 192.168.0.24:

http://192.168.0.24:8080/guacamole/


Log in with the guacadmin/guacpass credentials and it will automatically log you into windows using the credentials you supplied in the user-mapping.xml file.



If you do not want it running in the /guacamole subfolder and would rather place it in the server root:

service tomcat7 stop
mv /var/lib/tomcat7/webapps/ROOT /var/lib/tomcat7/webapps/ROOT.bkp
mv /var/lib/tomcat7/webapps/guacamole /var/lib/tomcat7/webapps/ROOT
service tomcat7 start

You should now be able to access it via the ip and port: http://192.168.0.24:8080


To further harden the server and serve HTTPS on the standard port, nginx can be installed side-by-side with Tomcat as a reverse proxy that provides the encryption.

apt-get install -y nginx

Don't forget to update the firewall to allow port 443 and remove port 8080.

ufw allow 443 && ufw delete allow 8080

Generate the SSL key and self-signed certificate

mkdir /etc/nginx/ssl && openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/guacamole.key -out /etc/nginx/ssl/guacamole.crt

If you use a DNS name (anything other than an IP address) to access the server, make sure the certificate includes that FQDN.
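The openssl command above prompts interactively for the subject fields, and whether the FQDN ends up in the certificate depends on what you type. As an added example (not from the post), the script below generates the same kind of self-signed certificate non-interactively with the FQDN in both the CN and a subjectAltName, keeps the key readable only by root, and then checks the certificate actually carries the name before nginx is restarted. It assumes an OpenSSL CLI (the config-file route works on the 1.0.x OpenSSL of Ubuntu 14.04 as well as current releases) and uses guac.example.test as a placeholder FQDN.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive self-signed cert
# with the FQDN as CN and DNS SAN, plus checks. Assumptions: OpenSSL CLI, GNU date;
# guac.example.test is a placeholder for your real FQDN.

# make_self_signed DIR FQDN [DAYS]: writes DIR/guacamole.key and DIR/guacamole.crt
make_self_signed() {
    dir=$1; fqdn=$2; days=${3:-365}
    cfg="$dir/guacamole-openssl.cnf"
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $fqdn
[v3_req]
subjectAltName = DNS:$fqdn
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -nodes leaves the key unencrypted so nginx can start unattended (as in the post)
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -config "$cfg" -extensions v3_req \
        -keyout "$dir/guacamole.key" -out "$dir/guacamole.crt" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/guacamole.key"   # only root (the nginx master process) reads the key
}

# cert_has_fqdn CRT FQDN -> 0 if FQDN is present as a DNS SAN and as the CN
cert_has_fqdn() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q "DNS:$2" || return 1
    # subject line format differs between OpenSSL versions ("/CN=x" vs "CN = x")
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"
}

# cert_days_left CRT -> whole days until notAfter, handy for a cron expiry check
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2) || return 1
    end_s=$(date -d "$end" +%s) || return 1
    echo $(( (end_s - $(date +%s)) / 86400 ))
}

# Demo in a temp dir; on the server use /etc/nginx/ssl as in the post
d=$(mktemp -d)
if make_self_signed "$d" guac.example.test 365 && cert_has_fqdn "$d/guacamole.crt" guac.example.test; then
    echo "certificate for guac.example.test OK, $(cert_days_left "$d/guacamole.crt") days left"
fi
rm -rf "$d"
```

Because the certificate is self-signed, browsers will still warn on first visit; the check only guarantees that the name in the warning matches the name you connect with, which is what lets you pin or import the certificate on your clients without ambiguity.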



Clear out the default nginx configuration and add our own

mv /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bkp
rm /etc/nginx/sites-enabled/default

vi /etc/nginx/sites-available/guacamole
server {
        listen 443 ssl;
        server_name 192.168.0.24;

        access_log   /var/log/nginx/guacamole.access.log;
        error_log    /var/log/nginx/guacamole.error.log info;

        ssl_certificate /etc/nginx/ssl/guacamole.crt;
        ssl_certificate_key /etc/nginx/ssl/guacamole.key;

        location / {
                # Guacamole streams its tunnel; buffering would stall the session
                proxy_buffering off;
                # 8080 is closed in ufw, so clients reach Tomcat only through this proxy
                proxy_pass  http://127.0.0.1:8080;
        }
}

ln -s /etc/nginx/sites-available/guacamole /etc/nginx/sites-enabled/guacamole

Restart nginx

service nginx restart

You should now be able to access the server via the standard HTTPS port

https://192.168.0.24


Saturday, September 5, 2015

Export Oracle Virtualbox signed hardware cert and slipstream it into a Windows install

If you deploy a lot of Windows 7 boxes using VirtualBox and slipstream prerequisite files with nLite and/or answer files, you know that the fully automated VirtualBox Guest Additions install stops and prompts for input due to an unsigned driver from Oracle:



Thus, the install is not fully automated. To get around this, you can export the cert from another Windows guest that has VirtualBox installed, using PowerShell.

Run PowerShell with elevated privileges and execute these commands:

# Work inside the machine-wide Trusted Publishers store
cd cert:\LocalMachine\TrustedPublisher
# Pick the Oracle publisher certificate (first match, in case several are present)
$cert = dir | where { $_.Subject -like "*Oracle*" } | Select-Object -First 1
# Export only the public certificate (no private key)
$type = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$bytes = $cert.Export($type)
[System.IO.File]::WriteAllBytes("C:\oracle.cer", $bytes)

You should now have an Oracle hex encoded cert in the root of your C: drive, named oracle.cer.



To make this easier to install during the slipstream process, package the cert in a 7-Zip SFX executable file (it sounds more complicated than it is if you've never used it; it simply creates a self-extracting zip file).


Now, using NTLite (or whatever app you prefer) for your post-process scripts, we need to extract the cert to the C: drive and import it into the host using certutil.


oracle.exe -oc:\ -y

(There is no space between the -o and c:\ in the command above.)

certutil -addstore -f "TrustedPublisher" c:\oracle.cer

You should have something like this:


After you compile the ISO, your fully automated installs shouldn't prompt to trust that cert in the middle of your post-processing.

Saturday, August 15, 2015

Build a Yahoo Pipes replacement with Tiny Tiny RSS on Ubuntu 14.04

TT-RSS is an open source Yahoo Pipes (and to a large part, Google Reader) replacement. You can filter feeds, import OPML files and access via APIs and Android. It also has plugin support.

I'm going to list the steps to install Tiny Tiny RSS on a clean install of Ubuntu 14.04 using Apache, PostgreSQL, Git and PHP5.

For demonstration purposes I'm not including security best practices (SSL, firewall, fail2ban, user permissions, etc.). Please refer to this great guide to secure your installation.

From a clean Ubuntu 14.04 LTS, install the following packages:
apt-get update && apt-get install -y apache2 git ntp postgresql-contrib php5 php5-curl php5-cli php5-pgsql

Make sure your hostname is set, and update the Apache config to prevent FQDN error messages:
echo "ServerName $HOSTNAME" >> /etc/apache2/apache2.conf

Also, since timing matters with RSS feeds, we installed the NTP service:
service ntp reload

For demonstration purposes we are going to reuse the standard html directory rather than create a virtual host, so we will git clone into the generic Apache directory:
git clone https://tt-rss.org/git/tt-rss.git /var/www/tt-rss
mv /var/www/html /var/www/html2 && mv /var/www/tt-rss /var/www/html

Now we are going to create a PostgreSQL user and database. Make sure you enter your own, unique username and password (and document it).
su - postgres
createuser -P -s -e ttpguser

It will prompt you to create a password for the ttpguser (or whichever username you chose).
Now we will create the database
createdb ttrssdb
exit

After you exit, you should be back as root. We need to modify the PostgreSQL client authentication file, /etc/postgresql/9.3/main/pg_hba.conf (use nano if you are more comfortable with it), and add the user we created for the database.

After this line:
local   all             postgres                                peer
Add this entry (make sure that it's the same username you created earlier):
local   all             ttpguser                                   md5
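The position of that entry matters: pg_hba.conf is evaluated top to bottom and the first matching line wins, so the md5 rule has to sit above the broad "local all all peer" line or the TT-RSS user will be refused a password login. The script below is an added example, not from the post or the TT-RSS project: it inserts the rule right after the postgres peer line, keeps a backup, refuses to add it twice, fails loudly if the anchor line is missing, and checks the result. It goes one step tighter than the post by scoping the rule to the ttrssdb database instead of "all" (pass "all" as the third argument to reproduce the post exactly). It assumes the PostgreSQL 9.3 layout and the ttpguser/ttrssdb names chosen above; the pg_hba.conf excerpt in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the original post or TT-RSS): scripted, idempotent
# pg_hba.conf edit with verification. Assumptions: PostgreSQL 9.3 layout from
# the post; user/database names ttpguser/ttrssdb; awk and coreutils available.

# pg_hba_has_rule FILE DBUSER [DBNAME] -> 0 if a "local DBNAME DBUSER md5" rule exists
pg_hba_has_rule() {
    awk -v u="$2" -v d="${3:-all}" '
        $1=="local" && $2==d && $3==u && $4=="md5" { found=1 }
        END { exit !found }
    ' "$1"
}

# pg_hba_add_local_md5 FILE DBUSER [DBNAME]
# Inserts the rule directly after the "local all postgres peer" line, so it is
# evaluated after the superuser rule but before the catch-all "local all all peer".
pg_hba_add_local_md5() {
    file=$1; user=$2; db=${3:-all}
    rule=$(printf 'local   %-15s %-15s md5' "$db" "$user")
    if pg_hba_has_rule "$file" "$user" "$db"; then
        return 0                      # already present: nothing to do
    fi
    cp -p "$file" "$file.bak"         # keep a copy to roll back to
    if awk -v rule="$rule" '
            { print }
            # first "local all postgres peer" line (any spacing) gets the new rule after it
            !done && $1=="local" && $2=="all" && $3=="postgres" && $4=="peer" { print rule; done=1 }
            END { if (!done) exit 1 } # anchor line missing: refuse rather than silently change nothing
        ' "$file" > "$file.tmp"; then
        cat "$file.tmp" > "$file"     # overwrite in place so owner/mode (postgres, 640) survive
        rm -f "$file.tmp"
    else
        rm -f "$file.tmp"
        return 1
    fi
}

# Demo on a constructed excerpt of pg_hba.conf
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# Database administrative login by Unix domain socket
local   all             postgres                                peer
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
EOF
pg_hba_add_local_md5 "$tmp" ttpguser ttrssdb && cat "$tmp"
rm -f "$tmp" "$tmp.bak"
```

Run it against the real file as root (pg_hba_add_local_md5 /etc/postgresql/9.3/main/pg_hba.conf ttpguser ttrssdb) and then restart PostgreSQL as the post does; if the anchor line is not in your file, the function returns 1 and leaves the file untouched, which is your cue to look at the file by hand.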

Update permissions for the cache and various other directories
chmod -R 777 /var/www/html/cache/images
chmod -R 777 /var/www/html/cache/upload
chmod -R 777 /var/www/html/cache/export
chmod -R 777 /var/www/html/cache/js
chmod -R 777 /var/www/html/feed-icons
chmod -R 777 /var/www/html/lock

Restart the services
service postgresql restart && service apache2 restart

Browse to the IP address of the server you created and you will be directed to http://<yourIP>/install if everything went alright.
Enter the following parameters
Username ttpguser
DB name ttrssdb
Hostname (leave blank)
Port 5432

Once that's done, initialize the database. You will get some configuration code that you need to copy into config.php in your web root.
vi /var/www/html/config.php

Paste the code in and save the file. Go back to the root site, http://<yourip> and you should be welcomed with a login screen. The default username and password are admin and password.

To change this, go to Actions -> Preferences -> Users -> Admin -> Change password, fill out the email field (for some reason you can't change the admin password without entering an email address), Save, then refresh the browser.
Log back in as the admin and the new password. Head back to the user section. Add a new user and create a username you wish to use. Click on it again and enter the password.

You should be able to log in with the non-admin user.

To add a feed, go to Actions -> Subscribe to feed. You will notice the feed does not update. There are multiple ways to update; check the main site for more information on setting up cron jobs, etc. For testing, we can simply type
su -c "php /var/www/html/update_daemon2.php" -s /bin/sh www-data&

This will start scrolling text, and will continue to run in the background. If you end the process, the updates will stop. Read the main tt-rss page on updating for more information.

You should see feeds start to appear. You can also import your OPML file now.