If you’ll open SSH on a server to the open internet, you’ll notice a lot of bots trying to login. You certainly should setup certificate based login, but banning offending IPs is also an important security measure.
I’ve installed fail2ban on my Raspbian installations and want to explain the installation and configuration. Its quite easy and the benefits are huge!
sudo apt-get install fail2ban
Create a copy of the original configuration file so that it won’t be overwritten by any updates:
> msmtp --version
msmtp version 1.6.6
TLS/SSL library: GnuTLS
Authentication library: GNU SASL
Supported authentication methods:
plain scram-sha-1 external gssapi cram-md5 digest-md5 login ntlm
IDN support: enabled
NLS: enabled, LOCALEDIR is /usr/share/locale
Keyring support: none
System configuration file name: /etc/msmtprc
User configuration file name: /home/pi/.msmtprc
Copyright (C) 2016 Martin Lambers and others.
This is free software. You may redistribute copies of it under the terms of
the GNU General Public License <http://www.gnu.org/licenses/gpl.html>.
There is NO WARRANTY, to the extent permitted by law.
Configure the system configuration:
sudo vi /etc/msmtprc
The content of my configuration file (note the necessary changes for servers and email addresses):
# Set default values for all following accounts.
# Use the mail submission port 587 instead of the SMTP port 25.
# Always use TLS.
# Set a list of trusted CAs for TLS. The default is to use system settings, but
# you can select your own file.
# If you select your own file, you should also use the tls_crl_file command to
# check for revoked certificates, but unfortunately getting revocation lists and
# keeping them up to date is not straightforward.
# Mail account
# TODO: Use your own mail address
# Host name of the SMTP server
# TODO: Use the host of your own mail account
host <your Username provided by KAS>.kasserver.com
# As an alternative to tls_trust_file/tls_crl_file, you can use tls_fingerprint
# to pin a single certificate. You have to update the fingerprint when the
# server certificate changes, but an attacker cannot trick you into accepting
# a fraudulent certificate. Get the fingerprint with
# $ msmtp --serverinfo --tls --tls-certcheck=off --host=smtp.freemail.example
# Envelope-from address
# TODO: Use your own mail address
# Authentication. The password is given using one of five methods, see below.
# TODO: Use your own user name fpr the mail account
user <The username of the email account you use for sending emails>
# Password method 1: Add the password to the system keyring, and let msmtp get
# it automatically. To set the keyring password using Gnome's libsecret:
# $ secret-tool store --label=msmtp \
# host smtp.freemail.example \
# service smtp \
# user joe.smith
# Password method 2: Store the password in an encrypted file, and tell msmtp
# which command to use to decrypt it. This is usually used with GnuPG, as in
# this example. Usually gpg-agent will ask once for the decryption password.
#passwordeval gpg2 --no-tty -q -d ~/.msmtp-password.gpg
# Password method 3: Store the password directly in this file. Usually it is not
# a good idea to store passwords in plain text files. If you do it anyway, at
# least make sure that this file can only be read by yourself.
# TODO: Use the password of your own mail account
password <The password of the email account you use for sending emails>
# Password method 4: Store the password in ~/.netrc. This method is probably not
# relevant anymore.
# Password method 5: Do not specify a password. Msmtp will then prompt you for
# it. This means you need to be able to type into a terminal when msmtp runs.
# Set a default account
# TODO: Use your own mail address
account default: firstname.lastname@example.org
# Map local users to mail addresses (for crontab)
This file contains a username and password. Therefore limit its access to only root:
sudo chmod 600 /etc/msmtprc
Duplicate the config file to ~/.msmtprc if you want to provide email configuration for your user as well.
Now configure the recipients for your systems users by setting the recipients in /etc/aliases. Make sure, that you don’t have trailing spaces behind the email addresses:
Let your computer now that msmtp should be used as replacement for sendmail by adding this content to /etc/mail.rc
set sendmail="/usr/bin/msmtp -t"
Test your configuration by sending an email from the terminal:
echo "Content of your mail" | mail -s "Subject" email@example.com
I’ve tinkered before with my Xiaomi Robot Vacuum but returned to the official Xiaomi app since the existing solutions felt uncomfortable. I even worked on adding Mac support for the dustcloud software but stopped using the rooted firmware.
A few days ago I’ve read about Valetudo. Valetudo is a web interface to the Xiaomi robot being self hosted on the robot. It allows easy extraction of the necessary control token and stops the robot from reporting cleaning and location data to Xiaomi. There’s also support for MQTT so that you can integrate it into existing home automation systems.
I followed the instructions on creating a rooted firmware and found a few problems and want to share my solution:
The firmware builder creates a firmware package along with SSH keys supplied during the build process. I could not login using those SSH keys and required the SSH key directly from the ~/.ssh folder of the user.
Flashing inside a VirtualBox Ubuntu VM doesn’t work, even when you use a bridged network interface. You maybe able to request the device token but the flash command always fail.
Flashing the robot may fail, if it isn’t completely reset to its default. You can reset the robot to factory default by pressing the home and reset button until you hear the chinese voice.
You should flash the robot while it is inside its charging station.
If you’re using a Mac, you can install python3 and the required python packages. This will allow you to flash the firmware directly from your mac.
Keep your machine close to the robot during the flashing process, because it might otherwise timeout.
Since I’m using a chinese version of the robot, I only hear the chinese voice. In this case you’ll need to convert the robot to a european version following these instructions. Once the robot is rebooted you’ll hear the english translation and can verify this from the Valetudo interface.
Now you’re ready to use Valetudo. I’ve added a link to the Valetudo homepage on my smartphone. It replaces now the Xiaomi app while it still provides access to the cleaning map, the maintenance hours for replacing parts as well as automated clean up plans. All in all its a really nice piece of software!
I’ve recently stumbled over an article in the german magazine C’T about visualisations of your Fritz!Box’s connection. The solution looked quite boring and outdated, since it used MRTG for the graph creation.
I’ve started searching for a better solution using Grafana, InfluxDB and my Raspberry Pi and found this great blog post. I’ve already explained how to install Grafana and InfluxDB in this post, so I’ll concentrate on the Fritz!Box related parts:
Start with the installation of fritzcollectd. It is a plugin for collectd.
Now create a user account in the Fritz!Box for collectd. Go to System, Fritz!Box-user and create a new user with password, who has access from internet disabled. The important part is to enable “Fritz!Box settings”.
Additionally make sure that your Fritz!Box is configured to support connection queries using UPnP. You can configure this under “Home Network > Network > Networksettings”. Select “Allow access for applications” as well as “Statusinformation using UPnP”.
Next part is the installation and configuration of collectd:
Login to your grafana installation and configure a new datasource. Make sure to set the collectd database. If you’re using credentials for the InfluxDB, you can add them now. If you’re not using authentication you can disable the “With credentials” checkbox.
Check if your configuration is working by clicking on “Save & Test”.
If everything worked, you can proceed to importing the Fritz!Box Dashboard from the Grafana.com dashboard. The ID is 713. Make sure to select the right InfluxDB during the import setup.
After clicking on import, you’ll should be able to see your new Dashboard. It might take a few minutes/hours until you’ve gathered enough data to properly display graphs.
Be aware though that if you start gathering this much data you’ll might end up with “insufficient memory” errors. You’ll might want to tweak your InfluxDB settings accordingly.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.