Using a dynamic DNS (DDNS) to solve the problem of keeping a firewall open to remote users at changeable IP addresses

Important

(Updated July 1, 2011 to include rudimentary test for string returned that doesn’t contain an actual IP address)

One problem faced by Asterisk users (and probably also users of other software PBX’s) is that you want to secure your system by not opening ports up to the entire Internet, but if you have remote users (users not on the same local network as your Asterisk server) you need to make an exception for them to allow them to penetrate your firewall. If all your external users have fixed IP addresses, it’s not a problem — you simply add a specific rule in your firewall to permit access from each user’s IP address. However, if their ISP changes their IP address frequently, or if they are using a softphone on a laptop computer, then you can’t just assume they will constantly be at same IP. And if one of those users happens to be your boss or your mother, they are not going to be happy if they can’t use the phone until they make contact with you, and you enter their new IP address in the firewall. And they’re probably not going to be real happy if they have to go to a web site or take some other action before they can make and receive calls.

This solution will work for many users in this situation, provided that you are using the iptables firewall. Again, the goal is to keep all your ports closed to outsiders, except for your authorized users. But if you can get each user to set up a Dynamic DNS account and then set their router to do the Dynamic DNS updates (as described here for DD-WRT users), OR failing that if you can get them to install a software Dynamic DNS client on their computer (which is a poorer choice because the computer has to be on for updates to occur), then you can run a script on your Asterisk box every five minutes to check to see if their IP address has changed, and if so, update iptables. I have one script that is called as a cron job every five minutes, and looks like this:

#!/bin/bash
/root/firewall-dynhosts.sh someaddress.afraid.org
/root/firewall-dynhosts.sh someotheraddress.afraid.org
/root/firewall-dynhosts.sh someaddress.no-ip.com

In other words it has one line for each Dynamic DNS host I want to check. For each host it calls a script named firewall-dynhosts.sh which in turn contains this:

#!/bin/bash
# filename: firewall-dynhosts.sh
#
# A script to update iptable records for dynamic dns hosts.
# Written by: Dave Horner (http://dave.thehorners.com)
# Released into public domain.
#
# Run this script in your cron table to update ips.
#
# You might want to put all your dynamic hosts in a sep. chain.
# That way you can easily see what dynamic hosts are trusted.
#
# create the chain in iptables.
# /sbin/iptables -N dynamichosts
# insert the chain into the input chain @ the head of the list.
# /sbin/iptables -I INPUT 1 -j dynamichosts
# flush all the rules in the chain
# /sbin/iptables -F dynamichosts

HOST=$1
HOSTFILE=”/root/dynhosts/host-$HOST”
CHAIN=”dynamichosts” # change this to whatever chain you want.
IPTABLES=”/sbin/iptables”

# check to make sure we have enough args passed.
if [ “${#@}” -ne “1” ]; then
echo “$0 hostname”
echo “You must supply a hostname to update in iptables.”
exit
fi

# lookup host name from dns tables
IP=`/usr/bin/dig +short $HOST | /usr/bin/tail -n 1`
if [ “${#IP}” = “0” ]; then
echo “Couldn’t lookup hostname for $HOST, failed.”
exit
fi

if [ ! `expr “$IP” : ‘([1-9])’` ]; then
echo “Did not return valid IP address, failed.”
exit
fi

OLDIP=””
if [ -a $HOSTFILE ]; then
OLDIP=`cat $HOSTFILE`
# echo “CAT returned: $?”
fi

# has address changed?
if [ “$OLDIP” == “$IP” ]; then
echo “Old and new IP addresses match.”
exit
fi

# save off new ip.
echo $IP>$HOSTFILE

echo “Updating $HOST in iptables.”
if [ “${#OLDIP}” != “0” ]; then
echo “Removing old rule ($OLDIP)”
`$IPTABLES -D $CHAIN -s $OLDIP/32 -j ACCEPT`
fi
echo “Inserting new rule ($IP)”
`$IPTABLES -A $CHAIN -s $IP/32 -j ACCEPT`

echo “Changing rule in /etc/sysconfig/iptables”
sed -i “0,/-A\sdynamichosts\s-s\s$OLDIP\s-j\sACCEPT/s//-A dynamichosts -s $IP -j ACCEPT/” /etc/sysconfig/iptables
# sed -i “s/-A\sdynamichosts\s-s\s$OLDIP\s-j\sACCEPT/-A dynamichosts -s $IP -j ACCEPT/g” /etc/sysconfig/iptables

echo “Sending e-mail notification”
`echo “This is an automated message – please do not reply. The address of dynamic host $HOST has been changed from $OLDIP to $IP. You may need to change the dynamichosts chain in Webmin’s Linux Firewall configuration.” | mail -s “IP address of dynamic host changed on machine name“ recipient@someaddress.com,anotherrecipient@someaddress.net`

As always, copy and paste the above script, so you can see where the line breaks are really supposed to be (the last line in particular is quite long, and will likely be broken up into four or five lines on the screen). Also, beware of WordPress or other software changing the single or double quotation marks to “prettified” versions — only the plain text normal quotation marks will work.

Note that prior to the first run of the script you will need to run the three commented-out commands shown near the top of the script, right after “create the chain in iptables”, to create the chain. For your convenience here they all are in one place, without the interleaved comment lines:

/sbin/iptables -N dynamichosts
/sbin/iptables -I INPUT 1 -j dynamichosts
/sbin/iptables -F dynamichosts

The lines in blue in firewall-dynhosts.sh are custom additions by me. Just in case something goes wrong, I suggest you make a backup copy of /etc/sysconfig/iptables in a safe place before running this script. My first addition checks the first character of the string returned in $IP to make sure it is actually a number. This was a quick and dirty addition to keep it from trying to use a string like ;; connection timed out; no servers could be reached as a valid IP address (yes, it really did that). I’m sure that the test there could be improved upon (for example, to do a full check for a valid IP address rather than just checking the first digit) but as I say this was a quick and dirty fix. If you have any suggestions on how to improve it, please leave a comment. I did find this article, Validating an IP Address in a Bash Script, but it seemed like a bit of overkill considering that in this case what I’m really trying to do is simply weed out error messages.

The second set of additions change the address in the dynamichosts chain of /etc/sysconfig/iptables. Please note that this file may be at a different location in some versions of Linux (such as /etc/iptables.up.rules), if so you will need to change this accordingly. This is particularly important if you run both Webmin and fail2ban. If fail2ban is running it will add some lines to the in-memory version of iptables, so you don’t want to do a simple commit to save the in-memory version back to the iptables file. But at the same time, if you use Webmin’s “Linux Firewall” module to maintain iptables, you want any changes in IP addresses to show up the next time you call up Webmin’s Linux Firewall page. So this simply does a search and replace in /etc/sysconfig/iptables on the rule containing the old IP address, and replaces it with the new one. There are two lines in that section that contain the sed command, the first one will replace only the first instance of the old IP address if it’s in iptables more than once, while the second (which is commented out) would replace all instances of the old IP address. Uncomment whichever you prefer and leave the other commented out, but bear in mind that if two or more of your remote extensions might ever be at the same IP address at the same time, you want the first version (the one that is uncommented above) so that when one of those extensions moves to a different IP address it doesn’t change the IP address for all of the extensions.

Note there’s still a possibility of missing a change if you are actually working in Webmin when a change occurs (since you’ll already have loaded a copy of iptables, and if you then make changes and save it out it could overwrite any change made by the script). But, the last two lines of the script send you an e-mail to alert you to that possibility. If you don’t use Webmin and don’t need or want an e-mail notification for some other reason, you can omit those last two lines, otherwise change the parts in red text to sane values for your situation. While editing, pay attention to the backtick at the end of the line (it’s easy to accidentally delete it when editing an e-mail address — don’t do that!).

When you’re all finished, make sure both scripts are executable and the permissions are correct, then create a cron job to call the first script every five minutes.

The only slight drawback to this method is that when an IP address changes it can take up to ten minutes to update (five for the Dynamic DNS to pick it up, and five more for the cron job to fire that gets it from the Dynamic DNS). Fortunately, most ISP’s tend to change IP address assignments in the middle of the night. Note that using the wrong DNS servers can cause the updates to take significantly longer; I set my computers to use Google’s DNS (8.8.8.8 and 8.8.4.4) and that works fairly well. Note that if ALL your Dynamic DNS addresses are from freedns.afraid.org then you may want to change one line in the above script, from

IP=`/usr/bin/dig +short $HOST | /usr/bin/tail -n 1`

IP=`/usr/bin/dig +short @ns1.afraid.org $HOST | /usr/bin/tail -n 1`

This change will specify that the afraid.org DNS server is to be used for these lookups (and ONLY for these lookups, not for every DNS request your system makes – don’t want to overload the servers of this free service!). This may be particularly important if the DNS server you normally use is a caching server that doesn’t always do real-time lookups for each DNS request (for example, if you have installed the BIND DNS Server on your system). If some of the Dynamic DNS addresses come from other services then you could use a similar modification that checks a public DNS service that does not cache entries for long periods of time; as I write this Google’s DNS servers seem to update in near real time.

One thing some may not like is that this script basically hands the “keys to the kingdom” to your authorized users, by giving them access to all ports, or at least all ports not explicitly denied by rules higher in priority. It would be easy enough to change the rule that is written to iptables, or even add additional ones, in the above script, so that you could specify access to individual ports. The other problem is it works great for those external users at fixed locations that don’t move around a lot. It might not work quite as well as well for softphone users on laptops due to the delay between the time they turn on the laptop and the time your Asterisk server picks up the new address.

This has actually worked the best for me of anything I’ve tried so far because once you get the external user’s router set up to do the Dynamic DNS updates, they don’t have to think about doing anything else prior to making a call.

EDIT (December, 2015): If it is not possible or appropriate to update the dynamic DNS automatically from the users’ router, there may be another option. If any of your users have Obihai devices (or possibly another brand of VoIP device that includes an accessible “Auto Provisioning” feature that is not currently being utilized), you may want to know that they do not need to run a separate client to update their dynu.com or freedns.afraid.org dynamic IP address, because an Obihai device (and possibly some other brands of VoIP devices) can do that automatically. This is NOT a recommendation for Obihai devices, but if you or one of your users happens to already have one, here is the information as originally found in this thread on the Obihai forum, posted by user giqcass, who wrote:

Rough Draft for hackish DNS updates:

This hack will let your OBi update Dynamic DNS. It isn’t perfect but it works very well. It’s as simple as calling a url to update the DNS at afraid.org. I believe it would be a simple task to add this feature to the OBi firmware directly. So please add this OBiHai. Pretty please. Until then here you go.

Set up a Dynamic DNS host at http://freedns.afraid.org/
Go to the Dynamic DNS tab.
Copy the “direct” update url link.
Open your Obi admin page.
Click the System management page.
Click Auto Provisioning.
Under “ITSP Provisioning” Change the following.
Method = Periodically
Interval = This setting must be greater then 400 so not to over use resources. I use 3667.
ConfigURL = Paste the update link you got from afraid.org (use http://… not https://…)

Press Submit at the bottom of the page. Restart you OBi.

If you use choose to use dynu.com instead of freedns.afraid.org (which you might because dynu.com doesn’t force you to visit their web site periodically to keep your domain), the procedure is the same (after the first line), except that for the ConfigURL you would use:

http://api.dynu.com/nic/update?hostname=YOUR_DYNU_DYNAMIC_DNS&username=YOUR_DYNU_USERNAME&password=MD5_HASH_OF_PASSWORD

Replace YOUR_DYNU_DYNAMIC_DNS with your dynamic DNS domain name, YOUR_DYNU_USERNAME with the username you use to log into your dynu.com account, and MD5_HASH_OF_PASSWORD with the MD5 hash of your dynu.com password OR your IP Update Password if you have set one (which is recommended). To get the MD5 hash of the password you can enter it on this page. To set or update your IP Update Password, use this page.

The advantage of this is that if one of your users travels and takes their VoIP device with them, it would be able to change the dynamic DNS each time they plug in at a new location (not immediately, but after several minutes at most), so that if you use the technique outlined in this article your server will recognize their current address and permit access. Remember that it’s okay to use more than one Dynamic DNS service simultaneously, in case you or your user are already using a different one that doesn’t provide a simple update URL like dynu.com and freedns.afraid.org do. Other brands of VoIP adapters that have a similar “Auto Provisioning” feature may be able to do this as well, but we don’t have specific information for any of them. If you do, please feel free to add that information in a comment.

Note that we are not recommending any particular free dynamic DNS service. If you want to know what your options are, there is an article on the Best Free Dynamic DNS Services that will show you some options. You want one that is reliable and that will not disappear in a few months, but since we don’t have a crystal ball, we can’t tell you which ones might fit that criteria.

Do you use Webmin to configure iptables and also run fail2ban? Don’t forget to do this!

Important

For many Linux users this will be a “Thank you, Captain Obvious” type of post, but it’s one of those things that some Webmin users might not realize. If you use Webmin’s “Linux Firewall” configuration page to configure the iptables firewall in Linux, and you click “Apply Configuration”, it will remove fail2ban‘s rules from your active iptables configuration. So, you must go to a Linux command prompt and enter service fail2ban restart — UNLESS you make a small change in the Webmin “Linux Firewall” configuration.

From the Webmin “Linux Firewall” main page, click Module Config, then on the configuration page, in the “Configurable options” section, look for the line “Command to run after applying configuration.” Click the button next to the text box on that line, and in the text box enter service fail2ban restart and then click the Save button at the bottom of the page. That’s all you need — now every time you make a firewall change and click “Apply Configuration”, it will automatically restart fail2ban for you.

A Perl script to send Caller ID popups from Asterisk to computers running Notify OSD (such as Ubuntu Linux) or any command-line invoked notification system

Important

This is basically an update to my article, A Perl script to send Caller ID popups from Asterisk to computers running Growl under OS X on a Mac or Growl for Windows, and you should still use that article if you are sending notifications to a computer on your local network that runs Growl or Growl for Windows as the notification system.

I wanted to find a way to send Caller ID popups to a Ubuntu Linux box, and in the process I discovered a different method of sending such notifications. There are pros and cons to using the new method, so let me explain those first:

Pros:

Can send notifications to any computer that supports command line generated notifications (so it could also be used with Growl, if you can use growlnotify from a command prompt to generate a notification).
Can send notifications to any computer that you can SSH into, provided you have it set up to use public/private key authentication rather than password authentication.

Cons:

Notifications typically display a couple of seconds later than under the previous method. I suspect this is due to the SSH authentication taking a second or two.
It’s a little bit more complicated to set this up, though not horribly so.
Because this uses SSH and requires that Asterisk be granted permission to establish an SSH connection as the super user (by using sudo), there may be unforeseen security risks.

Read that last point again, and please understand that as with all projects on this site, I offer this for experimental purposes only. I explicitly do not warrant this method as being 100% secure, nor will I tell you that it could not be exploited to do bad things on your system. I don’t think it can (and feel free to leave a comment if you think I’m wrong), but I just don’t know that for sure. So, if you decide to use anything in this article, you agree to assume all risks. If you’re the type that likes to sue other people when something goes wrong, then you do not have permission to use this code. We’re all experimenters here, so no guarantees!

As with the previous method, you must have the Perl language installed on your Asterisk server, and you must have the Asterisk::AGI module installed (I’m going to assume you know how to install a Perl module from the CPAN repository – if you have Webmin installed, it can be done from within Webmin). Chances are you already have Asterisk::AGI installed, unless you built your Asterisk server “from scratch” and never installed it.

There’s one additional thing you must do on the Asterisk server before this will run, and that’s allow Asterisk to run the ssh command as root. So, add this to your /etc/sudoers file (probably at the very end, but in any case it should be obvious where to add this because it will be in a section where Asterisk is granted similar privileges with regard to other programs):

asterisk ALL = NOPASSWD: /usr/bin/ssh

Next you want to copy and paste the following Perl script to the filename /var/lib/asterisk/agi-bin/notifysend.agi on your Asterisk server (to create a non-existent file, you can use the touch command, and after that you can edit it in Midnight Commander or by using the text editor of your choice). If this code looks somewhat familiar, it’s because it’s adapted from some code that originally appeared in a FreePBX How-To, which I have modified.

#!/usr/bin/perl
use strict;
use warnings;
use Asterisk::AGI;
my $agi = new Asterisk::AGI;
my %input = $agi->ReadParse();

# Next two lines fork the process so Asterisk can get on with handling the call
open STDOUT, '>/dev/null';
fork and exit;

my $num = $input{'callerid'};
my $name = $input{'calleridname'};
my $ext = $input{'extension'};
my $user = $ARGV[0];
my $ip = $ARGV[1];

if ( $ip =~ /^([0-9a-f]{2}(:|$)){6}$/i ) {
    $ip = $agi->database_get('growlsend',uc($ip));
}

# OMIT this section if you don't want IP address
# checking (e.g. you want to use foo.bar.com)
unless ( $ip =~ /^(d+).(d+).(d+).(d+)$/ ) {
    exit;
}

if ( $ARGV[2] ne "" ) {
 $ext = $ARGV[2];
}

my @months = (
    "January", "February", "March", "April", "May", "June",
    "July", "August", "September", "October", "November", "December"
);
my @weekdays = (
    "Sunday", "Monday", "Tuesday", "Wednesday",
    "Thursday", "Friday", "Saturday"
);
my (
    $sec,  $min,  $hour, $mday, $mon,
    $year, $wday, $yday, $isdst
) = localtime(time);
my $ampm = "AM";
if ( $hour > 12 ) {
    $ampm = "PM";
    $hour = ( $hour - 12 );
}
elsif ( $hour eq 12 ) { $ampm = "PM"; }
elsif ( $hour eq 0 )  { $hour = "12"; }
if ( $min < 10 ) { $min = "0" . $min; }
$year += 1900;
my $fulldate =
"$hour:$min $ampm on $weekdays[$wday], $months[$mon] $mday, $year";

# Next two lines normalize NANP numbers, probably not wanted outside of U.S.A./Canada/other NANP places
$num =~ s/^([2-9])(d{2})([2-9])(d{2})(d{4})$/$1$2-$3$4-$5/;
$num =~ s/^(1)([2-9])(d{2})([2-9])(d{2})(d{4})$/$1-$2$3-$4$5-$6/;

my $cmd = qq(./remotenotify.sh "$name" "$num calling $ext at $fulldate");
$cmd = "sudo ssh $user@$ip '$cmd'";
exec "$cmd";

Also, if you want to be able to specify computers that you wish to send notifications to using MAC addresses rather than IP addresses (in case computers on your network get their addresses via DHCP, and therefore the IP address of the target computer can change from time to time), then you must in addition install the following Perl script (if you have not already done so when using the previous method). Note that if you have a mix of computers on your network and you are using both the new and old methods, you only need to do this once — it works with both methods (hence the reference to “growlsend” in the database and “gshelper” as the name of this script). Call it /var/lib/asterisk/agi-bin/gshelper.agi and note that there is a line within it that you may need to change to reflect the scope of your local network:

#!/usr/bin/perl
use strict;
use warnings;
my ($prev, @mac, @ip);
# Change the 192.168.0.0/24 in the following line to reflect the scope of your local network, if necessary
my @nmap = `nmap -sP 192.168.0.0/24|grep -B 1 MAC`;
foreach (@nmap) {
    if (index($_, "MAC Address:") >= 0) {
        @mac = split(" ");
        @ip = split(" ",$prev);
        `/usr/sbin/asterisk -rx "database put growlsend $mac[2] $ip[1]"`;
    }
    $prev=$_;
}

Make sure to modify the permissions on both scripts to make them the same as other scripts in that directory (owner and group should be asterisk, and the file should be executable), and if you use the gshelper script, make sure to set up a cron job to run it every so often (I would suggest once per hour, but it’s up to you).

Now go to this page and search for the paragraph starting with, “After you have created that file, check the ownership and permissions” (it’s right under a code block, just a bit more than halfway down the page) and if you are using FreePBX follow the instructions from there on out (if you are not using FreePBX then just read that section of the page so you understand how this works, and in any case ignore the top half of the page, it’s talking about a different notification system entirely). However, note that the syntax used in extensions_custom.conf differs from what is shown there, depending on whether you are specifying an IP address or a MAC address to identify the target computer.

First, if you are specifying the IP address of the target computer, then instead of using this syntax:

exten => ****525,1,AGI(growlsend.agi,192.168.0.123,GrowlPassWord,525)

You will need to use this:

exten => ****525,1,AGI(notifysend.agi,username,192.168.0.123,525)

Note that username is the account name you use when doing an ssh login into the destination system, and it should also be the desktop user on the system (not root!). Let’s say that the system is currently at IP address 192.168.0.123. In order for this to work, you need to be able to ssh into your Ubuntu box from your Asterisk server, using the following command from the Asterisk server’s command line:

ssh username@192.168.0.123

If it asks for a password, then you need to follow the instructions at Stop entering passwords: How to set up ssh public/private key authentication for connections to a remote server, and get it set up so that it will not ask for a password (if you don’t like my article, maybe this one will make it clearer).

It’s probably easiest to configure each computer that is to receive notifications to use a static IP address. But note that if you use the above code and have the gshelper.agi program running as a cron job, then after the first time it has run while the computer to receive the notifications is online you should be able to use a computer’s MAC address instead of the IP address. This only works if you’ve used the modified script on this page, not the one shown in the FreePBX How-To. As an example, instead of

exten => ****525,1,AGI(growlsend.agi,192.168.0.123,GrowlPassWord,525)

as shown in the example there, you could use

exten => ****525,1,AGI(notifysend.agi,username,01:23:45:AB:CD:EF,525)

(the above is all one line) where 01:23:45:AB:CD:EF is the MAC address of the computer you want to send the notification to. Once again, just in case you missed it the first time I said it, this won’t work until the gshelper.agi script has been run at least once while the computer to receive the notifications was online. If for some reason it still doesn’t appear to work, run the nmap command (from gshelper.agi) including everything between the two backticks (`) directly from a Linux command prompt and see if it’s finding the computer (depending on the size of your network, it might be several seconds before you see any output, which is why I don’t try to run this in real time while a call is coming in).

If you are NOT running FreePBX, but instead writing your Asterisk dial plans by hand, then you will have to insert a line similar to one of the above examples into your dial plan, except that you don’t need the four asterisks (****) in front of the extension number, and if it’s not the first line in the context, you’ll probably want to use n rather than 1 for the line designator (and, you won’t be putting the line into extensions_custom.conf because you probably don’t have such a file; instead you’ll just put it right in the appropriate section of your dial plan). In other words, something like this (using extension 525 as an example):

exten => 525,n,AGI(notifysend.agi,username,192.168.0.123,525)

This line should go before the line that actually connects the call through to extension 525. I do not write Asterisk dial plans by hand, so that’s about all the help I can give you. And if you don’t write your dial plans by hand, but you aren’t using FreePBX, then I’m afraid you’ll have to ask for help in whatever forum you use for advice on the particular software that you do use to generate dial plans, because I can’t tell you how to insert the above line (or something like it) into your dial plan.

Now is where it gets just a bit more complicated than in the original method. If you have followed the above instructions, you’ll be able to send the notifications to the remote system using SSH, but there will be nothing there to receive them. So we have to create a small script on the receiving system to do something with the received notifications. That script will vary depending on the receiving system, but it must be named remotenotify.sh and it must be placed in the destination user’s home directory, and don’t forget to make it executable! Here’s one that will work in most Ubuntu installations that have Notify OSD installed:

export DISPLAY=:0
notify-send --urgency="critical" --icon="phone" "$1" "$2"

Those two lines are all you need. On a different type of system (or if you have multiple displays) you may need to or wish to do something different. For example, as I mentioned above, if the destination system is running Growl then your remotenotify.sh script will need to call growlnotify, but beyond that I wouldn’t know what to use there (EDIT: But if the target system is a Mac that is running OS X, a pretty good guess would probably be that you’d only need one line, something like this:

growlnotify -s -p 1 -a Telephone -m "$2" $1

In this case it should make the notification sticky until dismissed by the user, give it a priority of 1 — the default is 0 — and use the application icon from the “Telephone” application if you have it installed. Instead of -a to specify an application’s icon you could use -I followed by a path to an .icns file that contains an icon you want to use. Type growlnotify –help to see all the growlnotify options. Oh, and before you can make an SSH connection to a Mac you have to go into System Preferences | Sharing and turn on Remote Login).

The beauty of this approach is that you can make the remotenotify.sh script as simple or as complicated as you need — you could even make it forward a notification to other devices if you wish, but figuring out how to do that is up to you (if you come up with something good, please leave a comment and tell us about it!).

If you’re running Ubuntu on the target system, here’s a few articles you may wish to use to help you get your notifications to look the way you want them to appear:

Tweak The NotifyOSD Notifications In Ubuntu 10.10 Maverick Meerkat [Patched NotifyOSD PPA Updated]
Get Notifications With A Close Button In Ubuntu
Configurable NotifyOSD Bubbles For Ubuntu 11.04: Move, Close On Click, Change Colors And More

If you want to be able to review missed notifications, you may be able to use this (as a side note, why don’t they have something like this for Growl?):

Never Miss A NotifyOSD Notification With “Recent Notifications” GNOME Applet

The idea behind the shell script that runs on the target system was found in a comment on the following article, which may be of special interest to MythTV users:

Send OSD notification messages to all systems on a network

There are links to other original sources throughout the article, so feel free to follow those if you want more in-depth commentary.

Link: How to update Webmin’s dated look

Important

Found a great post on the PBX in a Flash forum that I’d like to pass along to those of you that use Webmin:

If you use Webmin regularly, you’ve probably noticed that it is starting to look pretty dated. There is a solution and that is to change the theme to the new Stressfree theme. It is a much nicer design and doesn’t affect any of the applications associated with Webmin – just the look and arrangement.

Go to the full post with installation instructions.

How to install Midnight Commander under Mac OS X (the easiest way?)

Important

This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog. We have used the information here to install Midnight Commander 4.8.10 under OS X 10.9 (Mavericks) and also to install Midnight Commander 4.8.12 under MacOS 10.13 (High Sierra) and in both cases it was a quick and painless install, and works great!

Over the many months that this blog has been available, one of the most consistently popular posts has been, How to install Midnight Commander under Mac OS X (the easy way, using Rudix). Unfortunately, at the article notes, the developer of Rudix changed his package and while you can still use Rudix to install Midnight Commander on your Mac, it’s not quite as straightforward an installation as it once was.

This morning I received a comment from reader LouiSe on that article, that read as follows:

What do you think about an up2date universal binary installer package? … http://louise.hu/poet/tag/mc/

Well, if it works I think it’s a great idea, but I don’t have the time to fully test it and since I’m still running Leopard, I have no way to test it under Snow Leopard. So I’ll just throw it out there and say that if any of you would like to test it (at your own risk, of course) and see how well it works for you, I’d appreciate it if you’d leave a comment. For the time being, be as careful as you might be with any software from an unknown source. But if you’re daring enough to give it a try, this might indeed be the easiest way to get the latest version of Midnight Commander onto your Mac.

Since Midnight Commander is free and available for virtually all versions of Linux, learning to use it now will put you a step ahead for the day when you get sick of being seen as a cash cow by Apple, and are ready to move on to a computer that runs Linux. Ubuntu Linux in particular has finally matured to the point that it is actually usable by non-geeky types, and the vast majority of the software in the Linux world is still free. I like free software, and I don’t like watching the “spinning beach ball of death” on my Mac Mini, so unless someone gives me a newer one as a gift or something (not likely), the Mac Mini I’m using now is probably going to be the last Mac I will ever own.

Disaster recovery with MondoRescue

Important

The Great Desktop Fire — Image by mattbraga via Flickr

Many of us face the problem of having a server that we know we should backup frequently, but we don’t do it because it’s either too difficult to figure out how, or the backup solutions offered don’t actually restore the entire system if it crashes, so we figure, “why bother?” If your system crashes, the thing you really need is a way to restore the entire system from some recent point in time.

Well, here’s one possible solution for you, assuming your server runs some form of Linux, and it’s from the fine folks at Sunshine Networks in Brisbane, Australia. I refer you to their article:

Disaster Recovery with Elastix 2.0

Now, don’t let the title throw you – there’s nothing Elastix-specific in this article. The instructions should work with just about anything running under the CentOS operating system, and with minor tweaks to the installation process, under other versions of Linux. What this software is supposed to do is give you an ISO file that can be burned to CD’s or DVD’s, or stored on a network share on another machine. If the worst happens, you fix the hardware problems and then reinstall from the ISO file, and the way it’s supposed to work is that you get back to exactly where you were at the time of the last backup. Now, I haven’t personally ever had to attempt a restore, but apparently others have and consider this a great piece of software. Obviously, I’m not making any guarantees, but it’s got to be better than no backup at all, right?

EDIT: Since I originally wrote this article, I’ve actually had the opportunity to use MondoRescue to restore a failed system (in this particular case, one that runs on a virtual machine). To say it worked great is an understatement. You just boot from the .iso file and it installs EVERYTHING back as it was. The only issue I had was that it couldn’t communicate with the network because the name of the network adapter was apparently different on the original and new systems — once I reconfigured the network settings to select a valid adapter (eth0, for example) it appeared to work just as it had on the day of the backup. And the restore process was surprisingly fast (much faster than the original installation, in fact)! Of course I cannot guarantee it will work that well for you, but I was blown away by the speed of the restoration, and I’m not that easily impressed!

I must also note that the article on the original Sunshine Networks site seems to have disappeared, so I changed the link to point to an archived copy on the Wayback Machine. However, in case that fails at some point, here is how I installed MondoRescue. Their instructions gave three different ways to do it, and I used this one, which (with perhaps a change in the file used) should work on any Red Hat or Centos based system (this was noted as “Tested on Elastix 2.0 32-bit” — if you are running something else, don’t just follow these instructions because you may need a different file):

cd /root/
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.i386.rpm
rpm -Uhv rpmforge-release-0.5.1-1.el5.rf.i386.rpm
yum install mondo

after mondo installed correctly, you should disable the RPMForge repository, just to be on the safe side :
nano /etc/yum.repos.d/rpmforge.repo
change “enabled = 1” to “enabled = 0”

(They used vi to edit the repository; I changed it to nano. Use whichever text editor you like).

However, the file shown here is probably NOT the right one for your system. So, first go to http://packages.sw.be/rpmforge-release/ and read the descriptions for each file, and be careful to select the right one for your system, and substitute that filename in the two lines where it is used above.

After installation, you can start the program by running /usr/sbin/mondoarchive, which will bring up a GUI (of sorts). The original article notes that:

your full iso will ( under default settings ) be created in the following directory :
/var/cache/mondo/mondorescue-1.iso
there is a small recovery CD here :
/var/cache/mindi/mondorescue.iso

END OF EDIT.

The article has you use the mondoarchive GUI to make the backups (well, they actually say mondorescue, but when I downloaded the software the program was called mondoarchive), and that’s fine to start with. But eventually, you’re going to want to automate the process so you can use it in a cron job to do unattended scheduled backups on a regular basis. I have this running on one machine and send copies of the backups to another, like this (cut and paste from this article to get the full lines without wrapping) :
#!/bin/bash mondoarchive -OVi -d "/var/cache/mondo" -E "/asterisk_backup" -N -9 -G -s 4G ssh myaccount@server2.net rm /home/myaccount/server1backup/mondo/mondorescue-1-old.iso ssh myaccount@server2.net mv /home/myaccount/server1backup/mondo/mondorescue-1.iso /home/myaccount/server1backup/mondo/mondorescue-1-old.iso scp /var/cache/mondo/mondorescue-1.iso myaccount@server2.net:~/server1backup/mondo ssh myaccount@server2.net rm /home/myaccount/server1backup/mindi/mondorescue-old.iso ssh myaccount@server2.net mv /home/myaccount/server1backup/mindi/mondorescue.iso /home/myaccount/server1backup/mindi/mondorescue-old.iso scp /var/cache/mindi/mondorescue.iso myaccount@server2.net:~/server1backup/mindi
The first line calls the mondoarchive program to create the backup – the -E argument excludes any directories you don’t wish to back up (I have a directory of backups made using another method that I didn’t want backed up) and you can read about the other arguments in the documentation (also see the full HOWTO). The remaining lines connect to the external server and delete the oldest backups, rename the previous backup, and then copy the new backups over. To do it the way I’ve done it here, you must have ssh access to the other server and you must be able to connect without using a password, using public/private key authentication. You may also have to log into the remote server and create the directories (/home/myaccount/server1backup/mindi/ and /home/myaccount/server1backup/mindi/ in this example – obviously you can call the directories whatever you wish, it’s entirely up to you).

There is, of course, more than one way to remove the pelt from a deceased feline, and you’ll probably have your own method for moving the files to another server. In some situations it appears that MondoRescue could do it for you (look at the n option), but it doesn’t include a provision to remove the oldest file and rename the previous one (not that I could see, anyway), so that’s why I did it in a shell script.

The folks at Sunshine Networks have several other great how-tos – you might want to give them a look! And for more useful information on MondoRescue, particularly how to perform a restore, see Configure IT Quick: Use Mondo Rescue to back up Linux servers (but please realize that article was written in 2003, and the install has apparently been made less complicated since then, so don’t use their installation instructions).

Link: Using IP tables to secure Linux server against common TCP hack attempts

Important

This article was originally published in November, 2010.

I’m not entirely certain of the original source of this article — I found it on one site, but a quick search reveals that the original source is most likely this site, but I may be wrong. The author of that article says he took some of the info in that article (looks like more than “some” from where I sit) from this article: How to: Linux Iptables block common attacks

Related articles found on that site are Using iptables to secure a Linux based Asterisk installation against hack attempts and Securing Asterisk – Fail2Ban (and that latter article looks suspiciously similar to this one: Fail2Ban (with iptables) And Asterisk).

I don’t know how valid or useful any of this is, but if you are running iptables on your system (if you’re not sure enter iptables -V on the command line — it should show you the version of iptables that is installed, if it is installed) then you might want to check these articles out. And if you find an earlier source for any of these, let me know and I’ll include the links. I know that in the technical community sometimes information gets copied around, but would it kill you guys to give attribution and a link to the original source when you are lifting information (or even raw text) from someone else’s article?

Linux iptables an Introduction (brighthub.com)
Managing Linux Firewalls with Iptables (brighthub.com)
Best practices: iptables (building43.com)
Securing your ssh server (building43.com)
Securing your ssh server (rackerhacker.com)

A Perl script to send Caller ID popups from Asterisk to computers running Growl under OS X on a Mac or Growl for Windows

Important

Notice

EDIT March, 2014 and August 2020: If you are running OS X Mavericks or later, or any version of MacOS we recommend that you do NOT use the script shown here, but instead send notifications to a XMPP/Jabber account and use either Apple’s Messages app (formerly iChat) or a third party messaging program such as Adium to receive them, since the message will then display in the Notifications Center and you do not need Growl. See How to send various types of notifications on an incoming call in FreePBX for more information. You may also find this thread on the RasPBX forum useful.

What follows will probably not work on ANY currently supported version of MacOS and is left here as a historical reference only.

Quite some time ago, I wrote a post explaining how you could poll a Linksys or Sipura VoIP adapter or phone once per second, and whenever there was an incoming call, generate a notification popup on your computer, if you have the Growl notification service installed. However, that method doesn’t work if you’re not using a Linksys or Sipura phone or device.

If you are running Asterisk, there’s another way to do it, and that’s to get Asterisk to send the notifications directly. In order for this to work, the computer on which you want to receive the notifications has to be running Growl (under Mac OS X) or Growl for Windows. You must also configure Growl to receive network notifications. I will note here that if you are using a Mac and have never done that before, you may want to make sure that Growl network notifications work before proceeding, because it appears that under OS X, it’s pretty much a crap shoot whether Growl network notifications will work at all, and when they don’t the Growl folks apparently have no clue as to why they don’t. It seems to be a machine-specific thing – on some Macs they work fine, while on others they don’t work at all.

You must have the Perl language installed on your Asterisk server, and you must have the Net::Growl and Asterisk::AGI modules installed (I’m going to assume you know how to install a Perl module from the CPAN repository – if you have Webmin installed, it can be done from within Webmin). Chances are you already have Asterisk::AGI installed, unless you built your Asterisk server “from scratch” and never installed it, but if you’ve never installed Net::Growl you’ll need to do that first.

Next you want to copy and paste the following Perl script to the filename /var/lib/asterisk/agi-bin/growlsend.agi on your Asterisk server (to create a non-existent file, you can use the touch command, and after that you can edit it in Midnight Commander or by using the text editor of your choice). If this code looks somewhat familiar, it’s because it’s adapted from some code that originally appeared in a FreePBX How-To, which I modified.

#!/usr/bin/perl
use strict;
use warnings;
use Net::Growl;
use Asterisk::AGI;
my $agi = new Asterisk::AGI;
my %input = $agi->ReadParse();
my $num = $input{'callerid'};
my $name = $input{'calleridname'};
my $ext = $input{'extension'};
my $ip = $ARGV[0];

if ( $ip =~ /^([0-9a-f]{2}(:|$)){6}$/i ) {
    $ip = $agi->database_get('growlsend',uc($ip));
}

unless ( $ip =~ /^(d+).(d+).(d+).(d+)$/ ) {
    exit;
}

open STDOUT, '>/dev/null';
fork and exit;

if ( $ARGV[2] ne "" ) {
    $ext = $ARGV[2];
}

# Define months and weekdays in English

my @months = (
    "January", "February", "March", "April", "May", "June",
    "July", "August", "September", "October", "November", "December"
);
my @weekdays = (
    "Sunday", "Monday", "Tuesday", "Wednesday",
    "Thursday", "Friday", "Saturday"
);

# Construct date/time string

my (
    $sec, $min, $hour, $mday, $mon,
    $year, $wday, $yday, $isdst
) = localtime(time);
my $ampm = "AM";
if ( $hour > 12 ) {
    $ampm = "PM";
    $hour = ( $hour - 12 );
}
elsif ( $hour eq 12 ) { $ampm = "PM"; }
elsif ( $hour eq 0 ) { $hour = "12"; }
if ( $min < 10 ) { $min = "0" . $min; }
$year += 1900;

my $fulldate =
"$hour:$min $ampm on $weekdays[$wday], $months[$mon] $mday, $year";

# Next two lines normalize NANP numbers, probably not wanted outside of U.S.A./Canada/other NANP places
$num =~ s/^([2-9])(d{2})([2-9])(d{2})(d{4})$/$1$2-$3$4-$5/;
$num =~ s/^(1)([2-9])(d{2})([2-9])(d{2})(d{4})$/$1-$2$3-$4$5-$6/;

register(host => "$ip",
    application=>"Incoming Call",
    password=>"$ARGV[1]", );
notify(host => "$ip",
    application=>"Incoming Call",
    title=>"$name",
    description=>"$numnfor $extn$fulldate",
    priority=>1,
    sticky=>'True',
    password=>"$ARGV[1]",
    );

Also, if you want to be able to specify computers that you wish to send notifications to using MAC addresses rather than IP addresses (in case computers on your network get their addresses via DHCP, and therefore the IP address of the target computer can change from time to time), then you must in addition install the following Perl script. It requires a command-line utility caller arp-scan so install that if you need to – I used to use nmap for this but they changed the output format, making it harder to parse, and arp-scan is much faster anyway. Call it /var/lib/asterisk/agi-bin/gshelper.agi and note that there are two references to 192.168.0… within it that you may need to change to reflect the scope of your local network, if your network’s IP addresses don’t start with 192.168.0.:

#!/usr/bin/perl
use strict;
use warnings;
my @mac;
# Change the following lines to reflect the scope of your local network, if necessary
my @arp = `arp-scan --quiet --interface=eth0 192.168.0.0/24`;
foreach (@arp) {
        if (index($_, "192.168.0.") == 0) {
                @mac = split(" ");
                `/usr/sbin/asterisk -rx "database put growlsend \U$mac[1] $mac[0]"`;
        }
}

Make sure to modify the permissions on both scripts to make them the same as other scripts in that directory (owner and group should be asterisk, and the file should be executable), and also, if you use the gshelper script, make sure to set up a cron job to run it every so often (I would suggest once per hour, but it’s up to you).

Now go to this page and search for the paragraph starting with, “After you have created that file, check the ownership and permissions” (it’s right under a code block, just a bit more than halfway down the page) and if you are using FreePBX follow the instructions from there on out (if you are not using FreePBX then just read that section of the page so you understand how this works, and in any case ignore the top half of the page, it’s talking about a different notification system entirely). But note that if you use the above code and have the gshelper.agi program running as a cron job, then after the first time it has run while the computer to receive the notifications is online you should be able to use a computer’s MAC address instead of the IP address. This only works if you’ve used the modified script on this page, not the one shown in the FreePBX How-To. As an example, instead of

exten => ****525,1,AGI(growlsend.agi,192.168.0.123,GrowlPassWord,525)

as shown in the example there, you could use

exten => ****525,1,AGI(growlsend.agi,01:23:45:AB:CD:EF,GrowlPassWord,525)

(the above is all one line) where 01:23:45:AB:CD:EF is the MAC address of the computer you want to send the notification to. Once again, just in case you missed it the first time I said it, this won’t work until the gshelper.agi script has been run at least once while the computer to receive the notifications was online. If for some reason it still doesn’t appear to work, run the nmap command including everything between the two backticks (`) directly from a Linux command prompt and see if it’s finding the computer (depending on the size of your network, it might be several seconds before you see any output, which is why I don’t try to run this in real time while a call is coming in).

exten => 525,n,AGI(growlsend.agi,192.168.0.123,GrowlPassWord,525)

Virtually everything in this article has already been published in one place or another, but I wanted to get it into an article with a relevant title and cut out some of the extraneous explanations and such. There are links to all the original sources throughout the article, so feel free to follow those if you want more in-depth commentary.

An overscan fix for the Sharp LC-42SB45U television set when connected to a computer with a Linux operating system (Ubuntu, etc.)

Important

This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which in turn was reposted with the permission of the original author from a now-defunct Macintosh-oriented blog. It is reposted with his permission. Comments dated before the year 2013 were originally posted to The Michigan Telephone Blog.

If you bought a Sharp LC-42SB45U TV, perhaps because it was on a super great (and very lightly advertised) deal at Wal-Mart back in November, and then later tried to hook up a home theater PC to it, you may have been disappointed to discover that unlike most flat screen digital TV’s it doesn’t have a “pixel-to-pixel” or similar 1:1 pixel mapping mode. The result is that when you hook up a computer to one of the HDMI ports, there is a serious overscan problem — for example, if you are running Ubuntu Linux (or some other version of Linux) you won’t see the top or bottom menu bars, because they are outside the visible screen area. If you use XBMC or Boxee, you can go into that program’s settings menu and apply overscan correction from within the program, but most other programs and video players don’t offer an overscan correction option.

The problem is not that there’s no “Dot by Dot” setting in the Sharp TV — it’s just that it’s a (very) hidden option, and as far as I know, there is nothing you can do using the buttons on the TV or on the remote to make it appear (I’d be very happy to be proven wrong on this point; if there is some sort of hidden remote control key sequence that can make the Dot by Dot option always appear, I wish someone would spill the beans so we can fix this issue the right way). But with one small tweak in a Linux configuration file, you can make it appear, like so:

Sharp TV screenshot — Sharp LC-42SB45U TV showing Dot by Dot option

My first approach to this came at a cost: I read that if you could send the Sharp a non-standard vertical sync frequency (refresh rate) a bit below the normal 60 Hz, the alternate View Mode would appear. That did work, and in my non-scientific testing, I found that 59.55 Hz was about the cutoff point. Anything above that, and you get the normal menu of View Mode options when you press the View Mode button on the remote. Anything at about that or below, and you get the View Mode options menu shown above. However, this was certainly less than ideal because of the non-standard refresh rate. I got started on that path after reading a forum post that suggested a custom ModeLine in your /etc/X11/xorg.conf file to give you a 1816×1026 display. While this will work to fix the overscan, it also cuts down on the pixels available to programs, and makes things not quite as sharp (no pun intended) as they should be.

Now, the idea of using a custom ModeLine in your /etc/X11/xorg.conf file is not a bad idea, and the above-referenced post did contain some good information (especially about disabling some unwanted Ubuntu packages that might cause your xorg.conf to be ignored). So I tried the xorg.conf shown in that post, except I used the original ModeLine shown (which is correct for the Sharp LC-42SB45U as long as you don’t mind the overscan). I then read in another forum post (on a different site) that someone had found that the Dot by Dot option would appear if the refresh rate were set to 59 Hz rather than 60 Hz. However they were doing that on a Windows machine, not a Linux box, if I recall correctly.

But again, that had the disadvantage of a non-standard refresh rate. I’ve read on several sites that the ideal refresh rate is 59.94 Hz (it’s very close to 60 Hz and is exactly twice the ATSC 1920×1080 progressive scan frequency of 29.97 Hz) so my goal was to get as close to that as possible. I then read that someone had actually accomplished this on a Windows box by changing the timing to something called “CVT reduced blank” (the procedure on a Windows box is to bring up the NVIDIA Control Panel, then click on Change Resolution, then Add Resolution, then Create Custom Resolution, then in the “Timing” section find the “Standard” drop-down box and select CVT reduced blank. Make sure the other settings look sane, click the Test button and go from there. Mac OS X users can do something similar using a program called SwitchResX — see Brian Semiglia’s comment in the Comments section for a link to instructions. The reason this doesn’t work under Linux is that the Linux version of the NVIDIA Control Panel doesn’t offer this level of functionality, and also, some might encounter this issue even if not using NVIDIA graphics). So my goal was to find a ModeLine that would do the CVT reduced blank but not use a non-standard screen size nor refresh rate. After searching the web, playing around with an online Calculator for video timings which I saved to a local drive and then hacked a bit to display four decimal points of precision on some key values, and generally spending more time than I intended, I came up with a working ModeLine.

First, let’s look at the original 1920×1080 ModeLine from the above-linked forum post:

ModeLine "1920x1080" 148.50 1920 2008 2052 2200 1080 1084 1089 1125 +hsync +vsync

If you change the pixel clock frequency value in a ModeLine (the 148.50 in the line shown above) you change the refresh rate, and if you change certain other values you change the other timings. I cheated a bit and used Google to search for a working ModeLine that provided 1920×1080 at 59.94 progressive scan, and found one that was very close (59.93, actually) so I tweaked the refresh to give me exactly 59.94. This is the final ModeLine I came up with:

Modeline "1920x1080" 138.5141 1920 1968 2000 2080 1080 1083 1088 1111 +hsync +vsync

Okay, so you may think it ridiculous to specify the pixel clock frequency out to four decimal places, but hey, it works! So, this is what I’m now using for an xorg.conf file (by the way, if any of the ModeLines in this article are truncated on your display, just keep in mind that the last two values in each line are +hsync +vsync — if you copy and paste any of the long ModeLines, hopefully you’ll get the complete line). Bear in mind that I’m using this with an Acer Aspire Revo, so some of these lines are specific to the NVIDIA graphics chipset, but the principle of changing the ModeLine probably should work with this model Sharp TV even if some other graphics chipset is used on the computer:

# nvidia-xconfig: X configuration file generated by nvidia-xconfig
# nvidia-xconfig:  version 1.0  (buildmeister@builder75)  Tue Dec  8 21:04:28 PST 2009

Section "ServerLayout"
    Identifier     "Layout0"
    Screen      0  "Screen0"
    InputDevice    "Keyboard0" "CoreKeyboard"
    InputDevice    "Mouse0" "CorePointer"
EndSection

Section "Files"
EndSection

Section "InputDevice"
    # generated from default
    Identifier     "Mouse0"
    Driver         "mouse"
    Option         "Protocol" "auto"
    Option         "Device" "/dev/psaux"
    Option         "Emulate3Buttons" "no"
    Option         "ZAxisMapping" "4 5"
EndSection

Section "InputDevice"
    # generated from default
    Identifier     "Keyboard0"
    Driver         "kbd"
EndSection

Section "Monitor"
    Identifier     "Monitor0"
    VendorName     "Unknown"
    ModelName      "Unknown"
    HorizSync       15.0 - 75.0
    VertRefresh     55.0 - 76.0
    ModeLine       "1920x1080" 138.5141 1920 1968 2000 2080 1080 1083 1088 1111 +hsync +vsync
    Option         "ExactModeTimingsDVI" "TRUE"
    Option         "DPMS"
EndSection

Section "Device"
    Identifier     "Device0"
    Driver         "nvidia"
    VendorName     "NVIDIA Corporation"
    Option         "ModeValidation" "NoEdidModes"
    Option         "HWCursor" "false"
    Option         "DynamicTwinView" "false"
EndSection

Section "Screen"
    Identifier     "Screen0"
    Device         "Device0"
    Monitor        "Monitor0"
    DefaultDepth    24
    SubSection     "Display"
        Modes      "1920x1080"
        Depth       24
    EndSubSection
EndSection

Section "Extensions"
     Option         "Composite" "Disable"
EndSection

This seems to work well on a Acer Aspire Revo running Ubuntu Karmic Koala (EDIT: and I’ve also used it under Maverick Meerkat), though I imagine it would work with other Linux distributions that use an xorg.conf file (including XBMC Live), however as far as I know this trick only works with the Sharp LC-42SB45U TV and no other model. With this xorg.conf I don’t have to tweak the overscan settings in XBMC or Boxee at all. It works for me, but it may or may not work for you. Standard disclaimers apply – I’m not telling you to do this on your setup, and if you break something, you own all the pieces, but from me you’ll get nothing more than perhaps a bit of sympathy. Don’t even think of doing this if you are not willing to assume any and all risks.

EDIT: If you don’t want to go through all the hassle I went through to calculate the correct ModeLine, you can run the cvt program with the -r option from the Linux command prompt, like this:

cvt -r 1920 1080

That’s for a 1920 x 1080 display. On my system this generated the following output:

# 1920x1080 59.93 Hz (CVT 2.07M9-R) hsync: 66.59 kHz; pclk: 138.50 MHz
Modeline "1920x1080R"  138.50  1920 1968 2000 2080  1080 1083 1088 1111 +hsync -vsync

You’ll notice this is nearly identical to the ModeLine I generated (the vsync is the opposite, though — don’t know if that would be an issue). What I’ve read is that you paste the generated ModeLine into your xorg.conf file and make sure you also have the line

Option         "ExactModeTimingsDVI" "TRUE"

in your xorg.conf (to force it to use your generated ModeLine) and that may be all you need. Certainly simpler than how I did it, but I didn’t know about the cvt program. (End EDIT).

By the way, if you want to hack that Calculator for video timings, just save the HTML page to your local hard drive, open it in a text editor and look for this section (it’s very close to the top):

function TwoDecimal(number) {
 number=((Math.round(number*100)/100));
 return number;
}

Change that second line to

number=((Math.round(number*10000)/10000));

Then load the page into your favorite browser (with JavaScript enabled). That will display a couple extra decimal points on some of the critical values.

Some notes on creating a home theater PC using the Acer Aspire Revo

Important

This is a heavily edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.

This article was originally published in January, 2010. Things have changed considerably since then, and most of what was shown in the original article is no longer necessary. You install Ubuntu, then you install XBMC, and it pretty much just works. And if you want an even better experience, you might want to look into installing XBMCbuntu. There may be a few hints in this article that are still applicable but you are very likely going to find that most things just work. One thing you may (or may not) need to do is completely uninstall and then reinstall lirc, because it may not show you the window that lets you select your remote (assuming you have purchased an infrared remote that has a receiver that connects to the USB port), and on the re-install of LIRC you should see the selection window and be able to pick your correct remote. Or, better yet, you can skip the removal/reinstall by running dpkg-reconfigure lirc from a terminal prompt (which will bring up the remote control selection window).

Another thing that you might want to do is consider using Linux Mint rather than Ubuntu, particularly if you hate the new Unity interface.

The original genesis of this installation was an article at the Lifehacker site entitled Build a Silent, Standalone XBMC Media Center On the Cheap. While that article is probably outdated, you may still want to read it first, then come back here.

The first thing you need to know is that there are several different models of the Acer Aspire Revo out there. You want the highest powered model you can get, and in particular, the most memory and highest number of processors. Even the high-end ones are very reasonably priced if you shop around, and even moreso if you can score a good, gently-used unit. Note that you CAN buy an Acer Aspire Revo with some version of Windows installed, but it will cost you more and (especially in the higher end models) and for a standalone media center, Linux works better anyway, so why pay extra for an operating system you may never use?

You’ll need a wireless or USB keyboard and mouse during the setup phase. Some Revo sellers include a wireless keyboard and mouse, while others don’t, so just be aware of that when ordering. Read specifications VERY carefully and know what you are buying! Also consider, if you get a defective keyboard (we did), will it cost more to ship it back than what you’d spend to buy a replacement locally (probably yes, if you buy from an overseas seller)? Don’t overlook pre-owned Revo’s — as long as they are still in good working condition and have a model number in the 3000 series or above, they should be fine (the main thing to make sure of is that they have the maximum amount of memory). Be aware that some early models did not have a digital audio output, so if that’s important to you (and it probably is in this application), be careful what you buy.

Also, the Lifehacker article wants you to install the operating system from a thumb drive. If you have an external CD or DVD drive (that connects using a USB port) do yourself a favor and use that (just install from the distribution CD). By the way, speaking of USB ports, at least some Revo models have a sixth (hidden) USB port. It’s right next to the power switch, on the narrowest part of the case — if you see a small, rubbery insert with a USB logo on it, you can peel that off with your fingernail to reveal the hidden USB port (not that you’d want to unless you really need the sixth port).

Probably the most important thing in that Lifehacker article is the BIOS tweaks. Note that most newer Revos don’t seem to have the “Boot to RevoBoot” option, so if you can’t find that setting, don’t worry about it. Also, if you get a newer, higher end unit with more memory, set the iGPU Frame Buffer Size to 512MB, not the 256MB that the article suggested for the low-end unit that Lifehacker used for their build.

Installing Ubuntu is easy; you basically answer the few questions asked during the installation, and stay with the defaults when you are not sure how to answer. You probably do want it to take over the entire hard drive, so make sure you have saved anything you might want from that drive before you begin the install. We strongly recommend using a 32 bit version of Ubuntu – even though the Revo technically supports a 64 bit operating system, we have found that many things simply don’t work right with the 64 bit OS. If you insist on trying the 64 bit version, you’l probably at the very least need to work through several issues.

If you’re totally inexperienced with Linux, you probably should grab the latest full install disk image of Ubuntu and burn it to a CD, or if you really want to try installing it from a USB memory stick, a visit to the Pen Drive Linux site may help you get the image onto the USB stick in the first place. We used the Ubuntu Minimal CD Image for the install, to save time downloading a huge CD image that is mostly replaced during the software update process. If you go that route, be sure to read the instructions on that page carefully, or you’ll be scratching your head wondering why it’s not working! When you type “tasksel” to select the system to install as instructed, you’ll want to install the standard Ubuntu Desktop but there may be other options you’ll want to install as well, such as an ssh server and/or samba server (those might already be present in the Ubuntu desktop install, but it won’t install anything twice, so I just checked those to be on the safe side).

If you do as most users probably will, and download an ISO file, burn it to a CD, and install from that (using an external CD or DVD drive), just be sure that you check any boxes to install additional codecs or to use additional repositories, if offered any such options.

After installing the operating system, if the nVidia drivers were not installed (very unlikely unless for some reason your video hardware wasn’t detected properly), the next task is to install them. The system should offer to do this automatically (look for an icon in the top panel).

You can install Software using the Ubuntu Software Center, but not all available software is available there. You can also install Synaptic if you wish, from the Ubuntu Software Center or using apt-get install synaptic from a terminal window. When I mention installing software, I suggest you try the Ubuntu Software Center first, and if you don’t find it there, then try Synaptic or apt-get.

You might want to start by installing mc (Midnight Commander) – I wouldn’t have a Linux box without it, but that’s just me.

In newer versions of Ubuntu you may also want to consider installing ClassicMenu Indicator, which is a notification area applet (application indicator) for the top panel of Ubuntu’s Unity desktop environment. It provides a simple way to get a classic GNOME-style application menu for those who prefer this over the Unity dash menu. Like the classic GNOME menu, it includes Wine games and applications if you have those installed. It looks like this:

If you want to be able to access your HTPC from other computers on your local network using SSH, install openssh (you don’t need to do this if you installed an ssh server using the minimal install, or if you find that ssh already works) and (optionally) sshguard. Then edit /etc/ssh/sshd_config and change the PermitRootLogin value from “yes” to “no” (for the sake of system security).

Another thing you want to do is make sure that the system time be kept synchronized with Internet servers. Right click on the clock applet in the top panel, then select Time & Date Settings, and make sure everything looks right there (especially that the option to set the time “Automatically from the Internet” is selected).

Now it’s time to install XBMC. If you don’t find it in any of the standard repositories or want to make sure you get the latest release version, then do this from the terminal window:

sudo add-apt-repository ppa:team-xbmc
sudo apt-get update
sudo apt-get install xbmc
sudo apt-get update

You might also want to install MythTV, or at least a MythTV frontend. See Links: A complete guide for setting up MythTV from start to finish for more information on that. Note that MythTV can be installed from the Ubuntu Software Center, and that’s the only recommended method, since they tend to offer a more stable version.

If you happen to have a Wii remote control, see the document Building an ION powered HTPC with XBMC and in particular, Module 6 : Using a Wii remote control. The following notes on an IR remote do not apply if you are using a Wii remote!

If you have an infrared remote control and infrared receiver (these generally come together as part of a package; check the XBMC forums to see which are recommended), run XBMC at least once and then run dpkg-reconfigure lirc from a command prompt (terminal window) to select your particular model of remote control.

You will likely want to be able to launch XBMC using the remote. As a PRELIMINARY way to accomplish this, we opened or created (can’t recall which) a file called .lircrc (note the leading dot character) in the user home directory and put the following lines in:

begin
 prog = irexec
 button = KEY_BLUE
 config = xbmc --standalone &
 repeat = 0
end

begin
 prog = irexec
 button = KEY_POWER
 config = /usr/bin/gnome-session
 repeat = 0
end

begin
 prog = irexec
 button = teletext
 config = sudo shutdown -r now
 repeat = 0
end

This starts XBMC if you push the blue button on the remote. It also returns to the desktop if you push the power button (however, it may leave whatever program you were in running in the background), and reboots the system if you push the teletext button, but for the latter to work, you must add the following line to the end of your /etc/sudoers file:

%admin ALL = NOPASSWD: /sbin/shutdown

EDIT: In later versions of Ubuntu the above line does not always work as shown, however, substituting the user name for %admin apparently does. So for example, if you had users named larry, moe, and curly on your system, you could do this (if you wanted all of them to be able to use the remote button to reboot the system):

larry ALL = NOPASSWD: /sbin/shutdown
moe ALL = NOPASSWD: /sbin/shutdown
curly ALL = NOPASSWD: /sbin/shutdown

Note that this is just to get you started — you can do more complex operations by running an external script rather than the selected program directly, to make your remote work the way you want it to.

By the way, the irexec program must be running for the above to work, so you can use the Ubuntu Startup Applications program to make it run at startup. You should run it with the -d option, e.g. irexec -d in order to make it run as a background process. Note that you need to do this even in newer versions of Ubuntu.

Startup Applications — Add Startup Program

You will probably want to set up one or more shared folders on your system so you can move videos, etc. into those folders. Be aware that you do have to enable file sharing for each folder you want to share. This is pretty straightforward in Ubuntu — select the folder you want to share, right click on the folder icon, click on “Sharing Options”, and then give the share a name and check the appropriate boxes:

Check “Share this folder” and give the share a name (I called this one “shared”). Check “Allow others to create and delete files in this folder” even if you are going to require a valid login to do so, otherwise even you will not be able to copy files to that folder or delete existing ones from a remote location. Check “Guest access” if you want anyone on your local network to have access without the need to supply a user name and password.

If you are trying to get VNC screen sharing (in Ubuntu it’s called Desktop Sharing, but it’s actually VNC) to work, when setting up Desktop Sharing Preferences, make sure that “You must confirm each access to this machine” is UNchecked (it is checked by default).

Desktop Sharing Preferences - UNCHECK "You must confirm each access to this machine" — Desktop Sharing Preferences – UNCHECK “You must confirm each access to this machine”

Then, use the CompizConfig Settings Manager (see How To Change The Settings Of Ubuntu Unity With CompizConfig Settings Manager) and uncheck all the options under “Effects” (except that “Window Decoration” is okay to keep). Apparently, the use of any visual effects is enough to make the remote desktop non-functional:

The nice thing about this is that even if you have the overscan issue discussed below, when you access the shared Desktop you see the full screen including the top and bottom panels, so you don’t have to guess where you’re clicking! In theory, you could disconnect the keyboard and mouse from the Revo, and just use the Remote Desktop when you need to do system maintenance work, or whatever.

One major issue you may encounter when using a HDTV as the display device is something called “overscan” – that means the desktop is actually larger than the area shown by the HDTV display, meaning you can’t actually see your top panel, etc. While XBMC has a ways to correct for overscan, it’s better to correct it for the entire system. In recent Ubuntu versions, the NVidia drivers are installed when Ubuntu is installed (probably only if the installer detects you have NVidia graphics hardware), and the newer drivers do sometimes expose an Overscan Compensation slider that can be used to correct the problem:

Screenshot-NVIDIA X Server Settings — NVIDIA X Server Settings (Overscan Compensation slider near bottom)

This slider doesn’t always appear for some reason, and even when it does, you really should try NOT to use it (except, perhaps, during initial setup and configuration) because if set to anything other that “0” it WILL degrade picture quality somewhat. The proper place to cure overscan is at the HDTV itself. Most HDTV sets have a setting that will fix overscan, but the problem is that there is no standard name for this setting — I’ve seen it called things like pixel-to-pixel, dot-to-dot, 1:1 display, exact image, etc. It’s often buried a submenu or two deep (remember that owner’s manual you got with your TV? Now might be a good time to dig it out!). I’ve found that if you look hard enough, most newer TV’s have this setting, although some do a pretty good job of hiding it (the Sharp LC-42SB45U being an extreme case – it won’t even display the option unless the timing of the signal you send meets certain specifications!). You really should try very hard to find this option, because it’s much better to correct the problem at the hardware end than by using any software method (that includes the software overscan correction built into XBMC) – you’ll get a sharper picture and quite likely fewer issues with video flickering, etc. Even if you have to resort to building an xorg.conf file to make it work, that’s better than trying to do software overscan compensation in the video driver or XBMC — use that method only as a last resort.

If your TV set just doesn’t have a setting such as the one mentioned above — and some don’t — there is a page of instructions to help fix the overscan problem here. We originally wanted this for the aforementioned Sharp LC-42SB45U TV and wasted a huge amount of time trying to find an overscan fix, and you can read what we finally came up with for that particular make and model TV only here: An overscan fix for the Sharp LC-42SB45U television set when connected to a computer with a Linux operating system (Ubuntu, etc.) (and if you have that model TV, it’s preferable to use the xorg.conf file given at that link rather than the Overscan Compensation slider). No matter what, you can see the full screen if you use the VNC/Desktop Sharing service mentioned above, and some have even resorted to using a little workaround to make the overscan less annoying, assuming you don’t find the workaround more annoying than the original problem! And for the more technically astute, it’s always possible to tinker with the ModeLine in xorg.conf (which, again, is preferable to using the Overscan Compensation slider).

Note that the following few paragraphs (up to, but not including, the one about HDMI audio issues) were applicable at the time this article was originally written, but are likely no longer valid due to updates in the nVidia driver and in Kodi (the new name for XBMC).

Irregardless of whether you have overscan issues, if (and ONLY if) you can see any flickering or “tearing” or other weirdness during video playback, it would probably be a good idea to follow the instructions one of these three posts: Either Howto achieve judder free perfectly synced playback at 23.97/59.94 Hz, XBMC and fixing the 24p issue, or HOW-TO setup XBMC and Linux with correct resolution (xorg.conf) (and I’d recommend them in that order — start with the first, and only go on to the second or third if you still have unresolved issues, except that if after trying the technique in the first link, you still see a bit of flicker during the playback of video files then I’d jump right to the third link — that’s the one that fixed it for us on one installation) — in those articles they tell you to modify /etc/X11/xorg.conf and add a couple of lines. I’d suggest a few additional modifications there, if not already mentioned in whichever article you used — under Section “Device” add one or both of these lines

Option "HWCursor" "false"
Option "DynamicTwinView" "false"

The first of those lines is a “blinking cursor fix” and it’s supposed to help if you find an unwanted blinking cursor you can’t get rid of (I haven’t encountered that particular problem yet). The second line enables 1080p 24Hz mode for smoother playback of certain videos (probably most of them, actually). That line can actually go in either “Device” or “Screen” section – I added it to both just to be safe, but that’s probably overkill. Also, at the bottom of the xorg.conf file, add this:

Section "Extensions"
     Option         "Composite" "Disable"
EndSection

That’s supposed to provide better H264 acceleration.

If you added the “DynamicTwinView” “false” option as shown above, and you know for a fact that your monitor supports 1920 x 1080 @ 60 Hz (you should be able to determine that if you followed the instructions in the aforementioned post) then that mode should become available in XBMC — in the XBMC GUI, go to Settings | System | Video Output to select your desired output mode, and see if that mode is available. If, for some reason it is still not available, you might be able to force the issue (you really should not need to do this if you started with the posts linked above, but I’ll leave this information here anyway in case someone needs it) – in order to do that, open a terminal window and do this:

cd /etc/X11/Xsession.d
sudo touch 45custom_xrandr-settings
sudo nano 45custom_xrandr-settings

Paste into this file the following lines, but take the parameters for the first line from the Modeline you created in the previous step, except use “1920x1080_60.00” instead of “1920×1080”. The first line below is an example (do not copy it verbatim, use the settings from your Modeline) but the second and third can be copied and used as is:

xrandr --newmode "1920x1080_60.00" 173.00 1920 2048 2248 2576 1080 1083 1088 1120 -hsync +vsync
xrandr --addmode default 1920x1080_60.00
xrandr --output default --mode 1920x1080_60.00

One other thing that might improve the video quality in XBMC is to go to Settings | Video | Playback settings and change the setting Adjust display refresh rate to match video to On start/stop (you could also try Always). This fix may be of particular help if you are trying to watch Live TV, or recorded TV from a PVR backend, and the picture doesn’t appear quite as sharp as it should. Leave Pause during refresh rate change set to Off. Obviously, this would be most noticeable if you are trying to view a 1080p source. In some areas you may need to play with the de-interlacing options as well, but that is beyond the scope of this article, and we didn’t find a need to do that.

If you are having audio issues when trying to send audio via HDMI, first of all open a terminal window and enter alsamixer and when it comes up press F6 to select your sound card (most likely HDA nVidia) and then make sure that none of the S/PDIF outputs are muted (this will me indicated by “MM” whereas an unmuted one will show “00”). Pay particular attention to S/PDIF 1 as it is often the culprit – use the arrow keys to select it and then press M to unmute it, then ESC to exit. I know this doesn’t make sense since you are trying to send audio out the HDMI port and not the optical audio port, but trust me, you need to do this. Then, if you are finding that audio is coming from the wrong speakers (center and LFE channels are mixed up with left and right surround channels) go to this page: HOW-TO:Remap HDMI audio on Gen 1 ION – Linux – I suggest using the settings under “1.3.1 ALSA Configuration” and below, but read the entire page first to get the full overview. Note that after following the instructions on that page, if you are also running the MythTV frontend you may have to set the audio to use ALSA:hdmi_direct and that this will NOT appear in the dropdown – you should first select one of the other compatible HDMI card options and then edit the Audio Output Device field to show ALSA:hdmi_direct. This is all necessary because the NVIDIA MCP79/7A HDMI hardware has incorrect channel mapping. This problem does NOT appear when using the S/PDIF (optical) output.

If you want to use a web browser to view videos that require the Flash plugin (such as many YouTube videos), particularly if you will be trying to view them in fullscreen mode, you should know that the Flash plugin will not use the Revo’s onboard nVidia graphics unless you tell it to. But, if you don’t do that the videos will most likely be too jerky to watch. So here is what you need to do from a Linux command prompt:

sudo mkdir /etc/adobe/
sudo nano /etc/adobe/mms.cfg

Now insert the following two lines into the file you’ve just opened:

EnableLinuxHWVideoDecode=1
OverrideGPUValidation=true

Then press CTRL+X followed by Enter to save the new file.

Note that this fix does not work absolutely perfectly, so you might still see some video issues now and then, and it might not work on all sites or in all browsers (it does work in Firefox, however). In many cases the video will be far more watchable than without the fix, but on some systems this fix could cause browser crashes and if those become frequent you may need to try removing the /etc/adobe/mms.cfg file. Also, note that this fix will only improve videos played using the Flash plugin.

If you need to (re)format a hard drive to use with your system, and you don’t want any wasted space on the drive, be sure to read this: Free Disk Space by Reducing Reserved Blocks

If you want your system to have a fixed IP address on your local network, click on the networking icon in the top panel (up and down arrows side by side), then Edit Connections, then find the connection you are using and edit it appropriately. For example, under the Wired tab I see Wired Connection 1, and if I click on that and then click the Edit button, I can then select the IPv4 Settings tab, change the method to Manual, and then enter the appropriate settings for my local network.

You may find that you need to go to the “Misc” section of /etc/samba/smb.conf and set domain master = no — otherwise you may find that certain network shares randomly disappear from other computers on your network. If you don’t have the problem of shares disappearing from other computers on your network, or if you don’t have any other servers or computers that are also trying to assert themselves as a master browser, then this may not be an issue for you.

If you have Macs on your local network and would like to use AFP (Apple File Protocol) to move files around, see How to set up AFP filesharing on Ubuntu.

If you hate typing in a password each time you ssh into your Revo, see Stop entering passwords: How to set up ssh public/private key authentication for connections to a remote server.

If you want to reduce startup time when using Ubuntu or Mint (and you do not have more than one operating system installed), do this:

sudo nano /etc/default/grub

Then look for this line:

GRUB_TIMEOUT="10"

Change this line to read:

GRUB_TIMEOUT=0

Then follow the instructions at the top of the file: “If you change this file, run ‘update-grub’ afterwards to update.” This also must be done as root, so after you save the file and exit nano, do this:

sudo update-grub

If you allow the Update Manager to install certain types of updates (particularly nVidia driver updates) — and you should update your software when updates are available — you may find that XBMC won’t start up, but instead displays a message that stats with the words, “XBMC needs hardware accelerated OpenGL rendering.” Typically, simply rebooting the system will fix that issue.

If you are using the Perl script we posted a couple of years ago that monitors a Linksys or Sipura VoIP device and provides Caller ID popups when a call comes in, you may be interested to know that by adding one line to the Perl script and making some minor configuration modifications, you can also have Caller ID popups in XBMC. See our article BETA Perl script for Caller ID popups when using Linksys/Sipura devices for information. Alternately, if you have an Asterisk server, you can send Caller Id information to XBMC by adjusting the XBMC configuration as in the aforementioned article, and then adding a line to your Asterisk dial plan in the form:

exten => extension-number,n,TrySystem(wget -b -O /dev/null -o /dev/null "http://HTPC-IP-address:8080/xbmcCmds/xbmcHttp?command=ExecBuiltIn&parameter=XBMC.Notification(Call%20from%20%22${URIENCODE(${CALLERID(name)})}%22%2C${CALLERID(number)}%20calling%20extension-number%2C15000%2C%2Fhome%2Fusername%2Fphone.png)")

Note that is all one line, and be sure to change the bold, italicized values to something appropriate for your configuration, and also be sure to see the aforementioned articles for XBMC configuration information and to get the phone.png icon.

If you would like to occasionally play music without the need to have the TV running, you might want to install a program called Audacious. The nice thing about Audacious is that it offers a LIRC plugin (under the General plugins section) and if you enable that, and then add a section to your .lircrc file (for an example, follow this link and then scroll down to the section “Configure Audacious(2) to use Lirc“), you can control the program using your remote.

If you set Audacious to “Continue playback on startup” (under the Playback section of the preferences), and then create a .lircrc entry to start Audacious, you could use your remote to turn on Audacious and resume wherever it left off on your playlist. This is really beyond the scope of this article, but I just thought I’m mention it for those who have your Revo hooked up to a receiver and would like to be able to play audio without wasting electricity running a TV you’re not watching.

Addendum for those who wish to use Boxee under Ubuntu 12.04:

Boxee has discontinued support for desktop platforms, but you might be able to install the last Linux desktop version by following the instructions on this page to install Boxee (note particularly the unmet dependency that must also be installed), and then if you are using a MCE remote, you must also follow the instructions in this post to make the remote work correctly with Boxee.

TechNotes

My Personal Notes You Might Find Useful

Tag: Linux

Using a dynamic DNS (DDNS) to solve the problem of keeping a firewall open to remote users at changeable IP addresses

Like this:

Do you use Webmin to configure iptables and also run fail2ban? Don’t forget to do this!

Like this:

A Perl script to send Caller ID popups from Asterisk to computers running Notify OSD (such as Ubuntu Linux) or any command-line invoked notification system

Like this:

Link: How to update Webmin’s dated look

Like this:

How to install Midnight Commander under Mac OS X (the easiest way?)

Like this:

Disaster recovery with MondoRescue

Like this:

Link: Using IP tables to secure Linux server against common TCP hack attempts

Like this:

A Perl script to send Caller ID popups from Asterisk to computers running Growl under OS X on a Mac or Growl for Windows

Like this:

An overscan fix for the Sharp LC-42SB45U television set when connected to a computer with a Linux operating system (Ubuntu, etc.)

Like this:

Some notes on creating a home theater PC using the Acer Aspire Revo

Like this:

Recent Posts

Recent Comments

Archives

Categories

Meta

Like this:

Like this:

Like this:

Like this:

Like this:

Like this:

Related Articles

Like this:

Like this:

Like this:

Like this:

Recent Posts

Recent Comments

Archives

Categories

Meta