Duplicate Arch system?

Similar Messages

• ArchTaz Live: boot and run an Arch system entirely in RAM

  ArchTaz Live Boot: A method to boot and run an Arch system entirely in RAM using tmpfs.
  As the name suggests it was inspired by (copied entirely from) SliTaz http://www.slitaz.org/ and boots in exacly the same way.
  It needs a custom init script in the root directory and for some reason that I can't work out a hook for sysinit_premount in rc.sysinit to remount / rw.
  The /usr/bin/archfs script is just a chunk of Slitaz's Tazusb utility with some minor changes (and I haven't properly tested the lzma or no compression).
  The /init script is modified from the usual initramfs /usr/lib/initcpio/init with hints from the SliTaz /init script (and some personal additions for my system).
  Copy init to the root directory, run archfs (eg. # archfs writefs gzip) and move the resulting archfs.gz to your boot partition/directory and boot with archfs.gz as your initrd.
  I run a fairly light system (Openbox, Firefox, Gnome-Mplayer, SpaceFM, no dev packages) and gzip compression gives me an archfs.gz just over 230MB that boots in just over 30 seconds using 138MB RAM on startup, and most applications start instantly (2GHz Core2Duo, 4G RAM). Lzma compression generally gives a smaller archfs.gz but takes longer to boot. I have a persistent home partition, I install packages as I need them and then they're gone on next reboot if I don't do a new archfs.gz to keep them. I delete man pages, unneeded locales, etc. Obviously if you're running a hefty install on a limited box you may run into problems.
  Any tips, cleanups, corrections welcome. It's been a mostly copy and paste and mash stuff together process so it isn't neat. And I think I may need some serious help when systemd becomes default.
  /usr/bin/archfs:
  #!/bin/sh
  # Archfs - entirely copied from part of the Tazusb utility supplied with
  # SLiTaz GNU Linux - with some cosmetic changes.
  ### Tazusb - SliTaz LiveUSB
  ### Tazusb is an utility to generate, configure and manipulate SliTaz LiveUSB
  ### bootable media and/or USB /home partition, such as flash keys, SD card or
  ### USB harddisk.
  ### Authors : Christophe Lincoln (Pankso) <[email protected]>
  ### Andrew Miller (Spode) <[email protected]>
  COMMAND=$1
  case $COMMAND in
  writefs)
  # Writefs to rootfs.gz
  if [ -z $2 ]; then
  COMPRESSION=none
  else
  COMPRESSION=$2
  fi
  # Start info
  echo ""
  echo -e "\033[1mWrite filesystem\033[0m
  ===============================================================================
  The command writefs will write all the current filesystem into a suitable cpio
  archive (rootfs.gz) usable on a bootable LiveUSB media.
  Archive compression: $COMPRESSION"
  echo ""
  # Create list of files
  find /bin /etc /init /sbin /var /lib /lib64 /root /usr >/tmp/list
  for dir in /boot /dev /home /proc /sys /tmp /mnt /media /run
  do
  echo $dir >>/tmp/list
  done
  # Generate initramfs with specified compression
  if [ "$COMPRESSION" = "lzma" ]; then
  echo -n "Creating archfs.gz with lzma compression... "
  cat /tmp/list | cpio -o -H newc | lzma > /archfs.gz
  elif [ "$COMPRESSION" = "gzip" ]; then
  echo -n "Creating archfs.gz with gzip compression... "
  cat /tmp/list | cpio -o -H newc | gzip -9 > /archfs.gz
  else
  echo -n "Creating archfs.gz without compression... "
  cat /tmp/list | cpio -o -H newc > /archfs.gz
  fi
  # Get initramfs size
  size=`du -sh /archfs.gz | cut -f 1`
  echo "==============================================================================="
  echo "Root filesystem size: $size"
  echo ""
  echo -en "----\nENTER to continue..."; read i
  esac
  exit 0
  /init:
  #!/bin/bash
  PATH=/bin:/usr/bin:/usr/sbin:/sbin
  udevd_running=0
  if [ -x /usr/bin/systemd-timestamp ]; then
  RD_TIMESTAMP=$(systemd-timestamp)
  fi
  . /usr/lib/initcpio/init_functions
  mount -t proc proc /proc -o nosuid,noexec,nodev
  mount -t sysfs sys /sys -o nosuid,noexec,nodev
  mount -t devtmpfs dev /dev -o mode=0755,nosuid
  mount -t tmpfs run /run -o nosuid,nodev,mode=0755
  mkdir -m755 /run/initramfs
  # parse the kernel command line
  parse_cmdline
  for d in ${disablehooks//,/ }; do
  [ -e "/hooks/$d" ] && chmod 644 "/hooks/$d"
  done
  #. /config
  run_hookfunctions 'run_earlyhook' 'early hook' $EARLYHOOKS
  [ -n "${earlymodules//[[:space:]]}" ] && modprobe -qab ${earlymodules//,/ }
  [ -n "${MODULES//[[:space:]]}" ] && modprobe -qab $MODULES
  # If rootdelay is empty or not a non-negative integer, set it to 10
  if [ -z "${rootdelay}" ] || ! [ "${rootdelay}" -ge 0 ]; then
  rootdelay=10
  fi
  run_hookfunctions 'run_hook' 'hook' $HOOKS
  # honor the old behavior of break=y as a synonym for break=premount
  if [ "${break}" = "y" ] || [ "${break}" = "premount" ]; then
  echo ":: Pre-mount break requested, type 'exit' to resume operation"
  launch_interactive_shell
  fi
  rootdev=$(resolve_device "$root") && root=$rootdev
  unset rootdev
  #fsck_root
  # Make /new_root
  mkdir /new_root
  # Mount root at /new_root
  #${mount_handler:-default_mount_handler} /new_root
  echo -e "Switching / to tmpfs..."
  mount -t tmpfs tmpfs /new_root
  run_hookfunctions 'run_latehook' 'late hook' $LATEHOOKS
  run_hookfunctions 'run_cleanuphook' 'cleanup hook' $CLEANUPHOOKS
  # Stop udevd if is running
  if [ "${udevd_running}" -eq 1 ]; then
  udevadm control --exit
  udevadm info --cleanup-db
  fi
  # Copy root
  echo -e "Copying root..."
  for i in $(ls -a /); do
  case "$i" in
  .|..) ;;
  mnt) mkdir /new_root/mnt;;
  proc) mkdir /new_root/proc;;
  sys) mkdir /new_root/sys;;
  dev) mkdir /new_root/dev;;
  run) mkdir /new_root/run;;
  new_root) ;;
  *) cp -a /$i /new_root
  esac
  done
  # Create mountpoints
  mkdir /new_root/mnt/sda1
  mkdir /new_root/mnt/sda2
  mkdir /new_root/mnt/sda3
  mkdir /new_root/mnt/sda4
  init=${init:-/sbin/init}
  echo -e "Switching root..."
  exec env -i \
  "TERM=$TERM" \
  "RD_TIMESTAMP=$RD_TIMESTAMP" \
  /sbin/switch_root /new_root $init "$@"
  ## Mount root at /new_root
  #${mount_handler:-default_mount_handler} /new_root
  #run_hookfunctions 'run_latehook' 'late hook' $LATEHOOKS
  #run_hookfunctions 'run_cleanuphook' 'cleanup hook' $CLEANUPHOOKS
  init=${init:-/sbin/init}
  if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
  # Nothing got mounted on /new_root. This is the end, we don't know what to do anymore
  # We fall back into a shell, but the shell has now PID 1
  # This way, manual recovery is still possible.
  err "Failed to mount the real root device."
  echo "Bailing out, you are on your own. Good luck."
  echo
  launch_interactive_shell --exec
  elif [ ! -x "/new_root${init}" ]; then
  # Successfully mounted /new_root, but ${init} is missing
  # The same logic as above applies
  err "Root device mounted successfully, but ${init} does not exist."
  echo "Bailing out, you are on your own. Good luck."
  echo
  launch_interactive_shell --exec
  fi
  if [ "${break}" = "postmount" ]; then
  echo ":: Post-mount break requested, type 'exit' to resume operation"
  launch_interactive_shell
  fi
  exec env -i \
  "TERM=$TERM" \
  "RD_TIMESTAMP=$RD_TIMESTAMP" \
  /sbin/switch_root /new_root $init "$@"
  # vim: set ft=sh ts=4 sw=4 et:
  /etc/rc.d/functions.d/root_rw:
  root_rw() {
  mount -o remount,rw /
  add_hook sysinit_premount root_rw
  archfs:
  http://pastebin.com/RNTDWhFc
  init:
  http://pastebin.com/n4vcqG62
  root_rw:
  http://pastebin.com/i1LV61SV
  Last edited by 0ddba11 (2012-12-30 10:12:35)

  Oh yes any man directory was symlinked to /tmp long ago, so they don't even get installed.
  Right, new boot process:
  Using hooks in normal initramfs-linux.img to unpack archfs.gz into tmpfs and boot it.
  Create an initcpio preset file /etc/mkinitcpio.d/archfs.preset:
  # mkinitcpio preset file for the 'archfs' package
  ALL_config="/etc/mkinitcpio.conf"
  ALL_kver="/boot/vmlinuz-linux"
  PRESETS=('archfs')
  archfs_config="/etc/mkinitcpio.conf"
  archfs_image="/boot/archfs-linux.lzo"
  archfs_options="-S fsck -A tmpfs -z lzop"
  Or append to the standard 'linux.preset' file so the initramfs is created automatically when you upgrade your kernel. Or alter /etc/mkinitcpio.conf to add options.
  Create the file /lib/initcpio/hooks/tmpfs:
  #!/usr/bin/ash
  run_latehook() {
  # Mount tmpfs root
  mount -t tmpfs tmpfs /mnt
  # Unpack rootfs
  msg "Unpacking rootfs..."
  cd /mnt
  # parse the kernel command line
  parse_cmdline
  for archfs in ${archfs//,/ }; do
  if [ "$archfs" = "xz" ]; then
  xz -d < /new_root/boot/archfs.xz | cpio -imd --no-absolute-filenames > /dev/null 2>&1
  elif [ "$archfs" = "gzip" ]; then
  gzip -dc /new_root/boot/archfs.gz | cpio -imd --no-absolute-filenames > /dev/null 2>&1
  elif [ "$archfs" = "lzo" ]; then
  lzop -d < /new_root/boot/archfs.lzo | cpio -imd --no-absolute-filenames > /dev/null 2>&1
  elif [ "$archfs" = "img" ]; then
  cpio -imd --no-absolute-filenames /new_root/boot/archfs.img > /dev/null 2>&1
  fi
  done
  # Switch tmpfs to new root
  umount /new_root
  mount -M /mnt /new_root
  # vim: set ft=sh ts=4 sw=4 et:
  And the file  /lib/initcpio/install/tmpfs:
  #!/bin/bash
  build() {
  add_dir /mnt
  add_module ext3
  add_binary cpio
  add_binary xz
  add_binary gzip
  add_binary lzop
  add_binary fsck.ext4
  add_symlink /usr/bin/fsck.ext2 fsck.ext4
  add_symlink /usr/bin/fsck.ext3 fsck.ext4
  add_runscript
  help() {
  cat <<HELPEOF
  This hook creates the tmpfs root, mounts the device that contains the
  rootfs and extracts it into the tmpfs root.
  HELPEOF
  # vim: set ft=sh ts=4 sw=4 et:
  This loads modules and fsck binaries for the filesystem of my /boot partition into the initramfs. It also adds all the relevant compression binaries (some which can also be compiled into busybox or left out if not needed). I'm working on automatically reading the filesystem from your /boot partition based on the "root=" kernel command line option and adding the appropriate modules.
  Create a new archfs.gz (or new extensions) with new cleaned up /usr/bin/archfs:
  http://pastebin.com/xiqgyYyL
  Now run with:
  # archfs lzo
  (or whichever crompression you choose). It also takes care of any mounting directories you have in /mnt. And "writefs" is no longer needed, that's all it does anyway.
  Then simply add the "root=(your boot partition)" and "archfs=lzo" (or whichever compression you chose) command line options to your grub.cfg.
  Run:
  # mkinitcpio -p archfs
  That'll create an initramfs: archfs-linux.lzo that you need to move to your boot partition with your kernel and archfs.gz. Then point grub to that as your initrd.
  This will boot and the tmpfs hook will do it's work just after init has mounted your boot partition and then init will switch roots and run /sbin/init as it would on any normal install.
  Mix and match as needed. You can remove the /init file from the root of your filesystem or leave it there and all but an xz compressed archfs.gz will boot the old way aswell (the kernel can't handle the xz version). It should all be fairly upgrade proof, barring any major changes to mkinitcpio.
  Boot for me with lzo compression is at least twice as fast as old method. Partly due to lzo compression which is super fast (especially creating the archfs.lzo). It makes for a bigger file but it's still only 350MB (pretty much half my uncompressed root filesystem).

• Make LiveCD of current Arch system

  I would like to make my current Arch system bootable from CD/DVD/USB.. So I can boot it on any PC just like it is, that will not make any changes to PC that will boot it, etc.
  Thanks

  That's kind of vague, and unless you have a very minimalistic arch install, I doubt it's feasible to do with a CD.  I'd say a USB thumbdrive would probably be your best option so that you wouldn't be slowed down by your optical drive reading everything off a DVD.  I think it would probably just be easier to install Arch on to a USB drive and copy over all the necessary config files for the programs you'd want to use on it.  I'm pretty sure most of what you'd need to do this is already available on the wiki.  Check out Here and the beginners guide if you need it, and you should be able to do all this on your own.
  Edit: Well, I was beaten to it while looking around for stuff.  Still, everything you need is out there already, here or on the wiki.
  Last edited by shikitohno (2012-01-07 21:25:15)

• [SOLVED]possible to make live image of a current running arch system?

  Hi Friends!!!. Is it possible to make live iso image of a current running arch system? are there any tools available for that?(I want to do this cause When i install a new arch system, I want to remain my own customizations intact)
  Last edited by Pranavg1890 (2012-10-14 07:29:58)

  OK, so after reading the posts, I think that this is not possible.but i think this sould be feature which should be researched upon cause everytime I install arch on a new machine(arch reinstalls on same machine are very rare cause it's a rolling release and has excellent recovery tools) I have to spend a 5-6 hours of time configuring the system.so, i think it should be a feauture that should be worked upon.for eg. like you could chroot into the iso created and then replace the deafult configs by the one on your system or a system scanner which scans the changes on the system with respect  to default arch installation and make the necessary changes to the live image.Thanks friends for your replies. I mark this thread as solved.

• Arch System Config Util.

  Hi guys,
  I started today to make a Arch System Configuration Utility, Now its very basic
  and i got alot ideas on how to expand the program with more functions. It is
  a basic text editor which lets you config the most important Arch config files on the fly.
  The program was born because i as a light desktop user got fed up opening the same
  old same old files over and over again in my FM, so whit this thingy i can open them on the fly.
  There are probebly half a dozen more config files i could place in the app but this is just
  the bare beginning.Hers the screeny:
  It is very small and uses GTK.
  http://www.mediafire.com/?fwh3gzxxiuy
  here is the DL link.
  I am planning for this program to make it able to start,stop,restart services and display a bunch of system stats really not sure yet
  if you have suggestions post To be able to save the files you must  run it as root eg, sudo
  Enjoy..
  Caved

  Hey guys,
  To reply some words to the people placing comments on this little app.
  If i hadn't seen the topic of this treat i would never have posted it, i am sorry
  if that offended some people because that was and would be never be my intention
  also i am not a real dev , this is stuff written in gambas2 LOL. its for fun.
  I just wanted to share something i worked on for personal use that maybe
  people could think of as semi usefull.
  This little project was just a thing to keep me bussy and get used to the Gambas2
  IDE, that being said:
  I am still working on this thing and wont post any of it anymore before i think it would
  be even worthy of making a PKGBUILD for (which might never happen), and then this:
  the source that gambas2 gives  can (to my best knowledge) only be compiled with the
  gambas2 IDE), Just saw it CAN make a source archive just not sure to what extent this can be
  compiled with gcc Thats wy i was posting the stand alone binary files.
  Anyway in the version that has not been posted:
  * Combo drop down box to have a look at the most used log files on arch linux. (finished)
  * Search box + filter to search for keywords in the currently displayed log files and  a
     a filter SO displaying only the lines in log files i am looking for (being worked on atm)
  * Controls and drop down box with to the most common system services one would mostly want
     to start, stop or restart) (being worked on atm, controls already done)
  * A small CLI window under the text output box , to catch the output of the systems services
    start / stop / restart (being worked on, CLI running but working on the piping of the commands to it)
  * Resizing of the hole application without buggering up the positions of the buttons on top and
     botton (finished)
  this is what it looks like atm.
  Caved

• [SOLVED] Remote Access to a home Arch system behind the router.

  Hello,
  I am trying to remotely access my home Arch system from school. I did try doing something and this is what I did:
  1. Used DynDns and NO-IP to setup a free domain, I thought NO-IP script was easy to run so I tested this on NO-IP.
  2. I then installed Openssh.
  3. Then I have setup the Port forwarding on the router to point to my ssh port (change from 22).
  4. I tried to ping, the domain name from NO-IP with no response.
  What I want to ask is... is there any better way of doing this?
  I dont need a desktop access, simple ssh should do for now.
  Thank You
  Gopi
  Last edited by gopichand (2011-11-01 00:50:13)

  OK, I have solved this by this process. Will work only if the router supports the DynDNS. I am assuming that you have created a DynDNS account, its free for 2 domains. I also had to make my computer use STATIC IP from my router, just specify any IP address outside the DHCP range.
  1. On the router, add the details about the DynDNS account. On my Belkin Router, I had to go to Firewall -> DDNS -> DynDNS and give the details and also enable it.
  2. By doing the above step, we don't have to install the client for DynDNS.
  3. On the router again, setup the port forwarding, again (on my Belkin Router) go to Firewall -> Virtual Servers -> Add the IP and the port numbers, I had to use the same number for both the incoming and the private port, though for other routers the number can differ?
  4. On the computer, I installed the openssh and then changed the login port to the one specified in the router for forwarding.
  5. Make the router and ssh logins as safe as possible. I understand that opening the router is not safe so I have to warn you.
  I can now login using my DynDNS domain name from anywhere woohoo!
  Last edited by gopichand (2011-11-01 01:07:23)

• Complete arch (system) documentation?

  Hi. I would like to have arch and it's mechanisms and infrastructure completely documented. Of course this could be quite a large task, but i think people like me (who like to read the manual before using stuff) would appreciate this, and it would also serve to leverage the overall knowledge of archlinux, so that less people would ask "stupid questions" (i don't mean it like that.. ) on the forums.
  I also understand that this could realistically only be done for a "base" install arch system, as X11 and other applications/services go beyond the scope of such basic documentation.
  The reason i would like this is because i couldn't find anything like this on the wiki, _and_, it would also be nice to have something compiled in a form you could print out. (ie without further references, but a compilation).

  As far as a doc for experience users though i think that would be a waste, since most experienced users wouldn't need a doc to let them know how to edit a linux system.
  Not the arch linux specifics, take the init system as an example. How, and what files are used. How to write your own init/daemon. Did you for example know that daemons get registered in /var/run daemons when succesfully started? And that rc.multi/functions is responsible for that (and how)? Or that rc.sysinit is resposible for setting you system locale?
  Or how to use makepkg/makeworld in archlinux? Again, even if there already is a wiki entry about this, it should be a part of a compiled doc covering basic system maintenance in arch.
  Some of the already present wiki articles (like setting up a network connection) though already existing, should be a part of this documentation. If necessary, expand them.

• Bullet Proof Arch System

  Hi Arch community.
  I have a VPS running Arch (its only for personal use, portfolio hosting, some storage) which i first set up exactly a month ago.
  Just like someone said on the IRC (sorry random helper, i don't remember your name, no credits today ) arch is perfectly good to go for a 24/7 system if properly set, and after some research (like discovering that xyne's almost been in jail and Allan breaks stuff on a daily basis) i concluded Arch is a good choice for the job. (Since i can handle very occasional bugs, and have time to maintain once a week)
  This whole month my Arch setup ran mainly OpenSSH, Apache, VSFTP, OpenVPN and (unsuccessfully) Postfix with near to no additional configuration, and it was completely trouble-free.
  I had even asked for help to a script kiddie to verify if he could "blow that guy's server" and he told it was impossible (lol'd hard knowing i didn't even had a firewall installed)
  And so i decided to go to the long run with it, so I'll start by building the system from the bottom with security on mind. But i think its better to ask to the more experienced than to search the web for "randobuntu" guides, and so i want to ask to the community:
  - How would you setup Arch for a computer that you physically don't possess (and don't know who does or what they do with it) that you could be comfortable to put your "super-secret-and-personal-files" on it?
  - I also would like to make a list of good security practices on a server setup (I mean, others than: "Don't use root")
  Right now i got these(With the help of https://wiki.archlinux.org/index.php/security):
  I'm thinking in 3/4 partitions:
  - /boot formatted with EXT2 [It's impossible to crypt the bootloader, am i wrong?; Should/Can i merge it to the '/'?]
  - / probably formatted with EXT4 [Should i crypt the whole thing? Will it generate too much overhead?  It's EXT4 the best for the whole setup?]
  - /var with encrypted EXT2 [Any better choice?]
  - /home being handled by Truecrypt with EXT4 format [Should i use it? Is AES-TWOFISH+Whirlpool a good pick? Truecrypt should be stronger than the kernel encryption, am i wrong?]
  - /boot, /var, /tmp and /home with nodev, nosuid and noexec. [i didn't quite understood what nosuid does]
  All of the encrypted partitions with the exception of home using Ecryptfs [Good choice? Should i stack with some other algorithm? Where should the mount parameters (password or keyfile mainly) be to be safe?]
  [How can / be encrypted without the password being in clear text on /boot?]
  Which bootloader should be used to ensure safety, and how will it be ensured on a remote system?
  On the wiki there is:
  ArchWiki wrote:It is highly important to protect your bootloader. There is a magic kernel parameter called init=/bin/sh. This makes any user/login restrictions totally useless.
  What does this?
  The used kernel should be the linux-lts or linux-selinux (https://aur.archlinux.org/packages/linux-selinux/)?
  I think that SELinux is a bonus, but the AUR package is... an AUR package (i would like to avoid them when possible) and it is not even an LTS kernel.
  For the firewall I'm thinking in using UFW since it's much simpler than configuring directly iptables and does the same job.
  Everything blocked except the ports 20,21,25,80,143,443,465,587,993,{unknown SSH and VPS ports}/tcp and 53/udp for incoming. What about outgoing?
  Also
  chmod 700 /boot /etc/{iptables,arptables}
  Every possible network service having its own fingerprint as removed as possible [Eg. Just "Apache" instead of "Apache x.x.x mod_something Unknown GNU/Linux x86_64... etc"]
  SSH with root login disabled, and rejecting connections from anywhere else than server's own ip.(A VPN should be used to use SSH)
  Also set a login timeout with bash "TMOUT" and disable login to accounts after 3 failed login attempts.
  Use sudo to administer, only allowing one or certain users to execute the programs that may harm the system, if possible users with uncommon names instead of "admin".
  Login with certificates instead of a password.
  VSFTP and Postfix with virtual users and system users disabled. [Good idea?]
  I think OpenVPN is always safe since it enforces CA's to auth. Right?
  What MAC should be used? SELinux? [I understand almost nothing about them]
  After all there measures, would you guys trust this system for your files?
  What can the ISP/Goverment do that ignores all of those measures? Directly reading RAM looking for filesystem passoword? Replace the kernel with one containing a rootkit?
  Any other ways to break this?
  PS: Xyne's and Allan's thing was an obvious joke
  Last edited by ClaudioP (2013-12-26 07:23:02)

  Leonid.I wrote:Typical encryption schemes when /boot is stored on the same HDD as the encrypted root are flawed. Indeed, if the kernel and initramfs are not encrypted, I can replace them and leak your encryption key. Therefore, for the system encryption to be effective (i.e. not only protect your data if the system is stolen, but also protect the system from unauthorised physical access), you must separate kernel and bootloader from the system, and store them in a safe place.
  Then encryption just becomes useless after all, unless the files are encrypted on a different computer.
  How could /boot be on a different computer? Can I boot with the /boot partition on a network? Like if it was PXE/NFS?
  Leonid.I wrote:
  ClaudioP wrote:All of the encrypted partitions with the exception of home using Ecryptfs [Good choice? Should i stack with some other algorithm? Where should the mount parameters (password or keyfile mainly) be to be safe?]
  No. If the underlying partition is encrypted, what's the point of ecryptfs?
  I saw somewhere on the wiki that there are setups with two layers of encryption. I don't know its effectiveness.
  Leonid.I wrote:[...] a properly encrypted installation, doesn't even have a bootloader.
  Forgive the noob question, but how can a system be booted without bootloader? Can MBR be linked directly to the kernel? Whats the difference?
  Leonid.I wrote:If you can't learn iptables, don't try to secure the system.
  I've read somewhere that in the close future iptables will be replaced(don't know when nor whats the replacement). I don't want to spend loads of time on something temporary.
  And whats the difference between using iptables and UFW and Iptables? Doesn't UFW uses iptables? Sorry if im the kind on newbie who just knows the basics (65k ports, in and out)
  Leonid.I wrote:Nmap can do a deep portscan of all 2^16 ports in less than 3min, so messing with default ports will only give you a headache when administering the system.
  My bad. I was thinking of doing it in the services only accessible by the VPN, but then there would be no point on doing it
  Leonid.I wrote:Before making everything 600 root:root, ask yourself what would an attacker learn from your iptables.rules and ssd_config? That you block certain ports and have ssh login grace time 30sec? A good security doesn't rely on secrecy of the configuration.
  I was basing myself on what i found on the wiki. What you said makes sense.
  By the way, whats best to do with rejected connections? Deny them or reject them?
  Leonid.I wrote:Any attacker with more than 2 neurons will try to exploit all known vulnerabilities in the last 10 versions of Apache. If you know that your service is vulnerable, patch it, don't try to hide.
  But there aren't many more in use counting with backports and between every distro? (Not to mention that Arch is a very uncommon distro for a server)
  Leonid.I wrote:
  ClaudioP wrote:SSH with root login disabled, and rejecting connections from anywhere else than server's own ip.(A VPN should be used to use SSH)
  Also set a login timeout with bash "TMOUT" and disable login to accounts after 3 failed login attempts.
  Right, no root over SSH -- this is common wisdom. May I ask why is SSH root login bad? Because some blogger said so? Create a 4096 bit ssh key with a passphrase and use it exclusively for system administration.
  Also, why 3 attemtps and not 1? Are you trying to hide an unfolding attack from yourself? If I am running am internet-facing server, I want to be able to profile an attack. For example, if you see login attempts with login/passwd pairs root/root or ubuntu/ubuntu -- this is a kid -- pay attention but not too much. If the passwords are more complicated, you might have a problem...
  But then if for some reason the key is intercepted there would be a free access to the privileged account, not for some unprivileged account that would have to use su to become root.
  Oh i see, the 3 attempts were meant for a multi-user system with common passwords, not for someone using cryptographic keys.
  Why would the complicated password mean something bad? Couldn't be an idiot try of brute-force?(IDK, some dumb program that doesn't starts with 0 or A)
  What else could the "complicated passwords" mean? Give an example please.
  Leonid.I wrote:Just because using sudo for priviledge escalation is a folk knowledge doesn't make it right. But if you are going to use it, read this first:
  http://www.openwall.com/lists/owl-users/2004/10/20/6 .
  I partially understood it. Not fully since English is not my mother language, but mostly.
  Leonid.I wrote:
  ClaudioP wrote:After all there measures, would you guys trust this system for your files?
  No.
  Moral after all: Never(some emphasis on NEVER) trust a remote system to encrypt your files in safety
  Leonid.I wrote:
  ClaudioP wrote:Any [...] ways to break this?
  [...]The question which you should ask is whether the hassle of breaking your security is worth stealing your SSN and $20K in your bank account.
  Then nobody receiving less than 1k$ a month or doing anti-government propaganda would be affected by the NSA and the other well known parties.
  I'm not too much into the topic, but AFAIK(which is not certain to be right) there are much more people affected.
  /dev/zero wrote:No security system is perfect. You need to consider the costs of your time, effort and money and weigh them against the risks of various kinds of attacks.
  Right now (since it's impossible to prevent against against physical attacks) I'll forget about local encryption, it just becomes useless. I'll just encrypt personal files before upload.
  By the way, is there any encryption utility that works file by file and not with a container? I don't want to upload the entire container every time i change something.
  ewaller wrote:Well, one can slow them down a bit: http://en.wikipedia.org/wiki/Hardware_security_module
  Sorry but the hardware is not mine and i am not rich
  If i was i would not be concerning about security

• [SOLVED]3.18.5-1-ARCH + system-modules-load.service on Macbook Pro 9,2

  After upgrading from 3.18.4-1-ARCH to 3.18.5-1-ARCH this weekend, my systemd service system-modules-load fails during bootup. I checked out
  # systemctl status system-modules-load
  and found nothing but a warning that my journal has been rotated and the log output is incomplete. I have not hunted down the log or rooted through dmesg as of yet - I need my system functional while working during the week, so I downgraded my kernel back to 3.18.4 for now (under which system-modules-load loads fine). I will reinstall 3.18.5 next weekend and see if I can locate the problem - this post is just a feeler to see if anyone else is encountering this problem with the latest kernel.
  Last edited by Olorin (2015-02-06 03:08:31)

  Yep. It was my own fault. I had been using the b43 driver for my BCM4331 wifi card, and recently switched to broadcom-wl. However, I still was trying to load b43 in /etc/modules-load even though I had removed the driver and module from my system. Not sure why my system only started complaining in 3.18.5, but in any case removing the offending .conf file solved the problem. Thanks, graysky.

• After kernel update, anything i should do for my arch system in vbox

  Hi all:
  I've installed arch as a vbox guest system. The host system is windows 7.
  After Archlinux kernel updates, do i need to re-install the guest add-on modules ?
  or is there anything necessary after each kernel update ?
  Best Regards,

  Thanks for the reply.
  I've already installed the virtualbox-archlinux-additions.
  So after the kernel update there's nothing i need to do ?

• Update Xorg 7 and arch-system, this is my contribution

  This works for me, this is my contribution, I hope can help someone in troubles:
  pacman -Sy
  pacman -Rd xorg-server xorg-clients (if installed)
  pacman -Sf xorg-xdm
  pacman -S xorg-clients xorg-server
  pacman -Sf xorg
  pacman -Syu (upgrade all system, almost 200mb)
  pacman -S xorg-fonts-75dpi
  pacman -S xorg-fonts-100dpi
  pacman -S libxcomposite libxss
  Enter in /etc/X11/xorg.conf and reconfigure the paths so:
  Section "Files"
  RgbPath "/usr/share/X11/rgb"
  FontPath "/usr/share/fonts/misc/"
  FontPath "/usr/share/fonts/TTF/"
  FontPath "/usr/share/fonts/Type1/"
  FontPath "/usr/share/fonts/CID/"
  FontPath "/usr/share/fonts/75dpi/"
  FontPath "/usr/share/fonts/100dpi/"
  FontPath "/usr/share/fonts/local/"
  ModulePath "/usr/lib/xorg/modules"
  EndSection
  Write startx, if it doesn't works kdm or gdm, write:
  mkdir -p /usr/X11R6/bin/
  ln -s /usr/bin/X /usr/X11R6/bin/X
  If doesn't works, control the errors, maybe it misses a file, install it with pacman.
  Moreover, I've a ricompiled kernel with drivers nvidia, so I'm entered on my kernel source and I've written:
  make all && make modules_install
  generate-modprobe.conf
  cp -f System.map /boot
  cd arch/i386/boot
  cp -f bzImage /boot
  At this point I've rebooted and I've reinstalled Nvidia drivers:
  ./NVidia.xxxxxx.run (WITHOUT OVERWRITE FILE /etc/X11/xorg.conf)

  This works for me, this is my contribution, I hope can help someone in troubles:
  pacman -Sy
  pacman -Rd xorg-server xorg-clients (if installed)
  pacman -Sf xorg-xdm
  pacman -S xorg-clients xorg-server
  pacman -Sf xorg
  pacman -Syu (upgrade all system, almost 200mb)
  pacman -S xorg-fonts-75dpi
  pacman -S xorg-fonts-100dpi
  pacman -S libxcomposite libxss
  Enter in /etc/X11/xorg.conf and reconfigure the paths so:
  Section "Files"
  RgbPath "/usr/share/X11/rgb"
  FontPath "/usr/share/fonts/misc/"
  FontPath "/usr/share/fonts/TTF/"
  FontPath "/usr/share/fonts/Type1/"
  FontPath "/usr/share/fonts/CID/"
  FontPath "/usr/share/fonts/75dpi/"
  FontPath "/usr/share/fonts/100dpi/"
  FontPath "/usr/share/fonts/local/"
  ModulePath "/usr/lib/xorg/modules"
  EndSection
  Write startx, if it doesn't works kdm or gdm, write:
  mkdir -p /usr/X11R6/bin/
  ln -s /usr/bin/X /usr/X11R6/bin/X
  If doesn't works, control the errors, maybe it misses a file, install it with pacman.
  Moreover, I've a ricompiled kernel with drivers nvidia, so I'm entered on my kernel source and I've written:
  make all && make modules_install
  generate-modprobe.conf
  cp -f System.map /boot
  cd arch/i386/boot
  cp -f bzImage /boot
  At this point I've rebooted and I've reinstalled Nvidia drivers:
  ./NVidia.xxxxxx.run (WITHOUT OVERWRITE FILE /etc/X11/xorg.conf)

• Convert the arch system to python3.

  Hey,
  I have taken up a proof of concept project/challange in which I have to convert all my python2 code to python3, to make it a python3 based system. I chose arch, which defaults to python3 all right.
  I am using xfce4 to make it user freindly.Removing python2 will not satisfy these dependencies:
  libieee1284 and libplist.
  I do not want python2 on my system, I have to show it to my teachers. Also can I do pacman -Rdds python2? will it break the system?
  In short, How can I make my system python based, and not python2?

  sankrant wrote:I will try force removing them and see if something happens, .
  Yes, you should try it yourself. I doubt many people have done what you are trying to do.
  Also, we can't do your homework for you: https://wiki.archlinux.org/index.php/Fo … e#Homework
  So long as this thread remains about generic Arch Linux usage it can stay.
  One more remark, converting from 2 to 3 is not trivial. If it were, it would have been done for everything by now.
  Good luck.

• [SOLVED] How to modify Arch system info terminal

  Hello,
  I was wondering if it was possible to modify the System Info display in the terminal(with the Ascii Arch logo).
  I have no clue where to look, and Google isn't my friend on this matter.
  Thanks in advance for your help.
  Last edited by visudex (2012-03-12 22:06:55)

  Trilby wrote:
  I suspect you are referring to archbey
  archbey --help
  It's in the default bashrc.
  eh?
  ┌─[Centurion ~]
  └─╼ archbey --help
  bash: archbey: command not found
  ┌─[Centurion ~]
  └─╼ pkgfile archbey
  ┌─[Centurion ~]
  └─╼
  You might be looking for Archey, or Alsi, or Screenfetch -- all in AUR

• Trouble with iCloud Contacts & Calender / duplicates from system failure

  Duplicates do appear on iPad Contacts and even duplicate birthday entries.
  Even on iCloud.com the birthday entries are duplicate.
  The problem is when you delete a duplicate contact on iPad you lose both!
  Check on iCloud.com if the contact is really a duplicate (from the sync process?).
  Please Apple resolve the problem!
  Peter

  Resolving duplicate calendars
  Resolving duplicate contacts

• SLD: Duplicate Technical System after Installation Number change

  We changed the installation number for a system. After this, inside SLD there are 2 entries for this system, with 2 different installation number (new and old). What is the correct procedure to remove   one of the entry (old one).
  Please advise.
  A proper SAP note would be appreciated.
  Thanks

  Its ok even if you have forgotten to register to the SLD during installation.We can regaister after installation.Since SLD runs on java engine then if you go to http://<ipaddress or hostname of the server>:5<instancenumber>00/sld
  If you go into that you can click on administration button and follow the instructions as in the link.
  http://help.sap.com/saphelp_nw70/helpdata/en/31/f0ff69551e4f259fdad799a229363e/frameset.html
  Difference between technical systems and business systems is that business systems are used in PI/XI.Whereas technical systems are nothing but your ECC , CRM etc.You have to use business systems only when there is a case for connecting to XI/PI.Hope i have answered your quesries if not please let me know.