Category Archives: Platforms

Securely run a low memory/low CPU Minecraft server

If you’ve got next to no memory and CPU available to run a Minecraft server, don’t fret. Cuberite is what you’re after. At the moment, Cuberite isn’t bug-free, nor indiscernible from a genuine Minecraft server, but it’s quite usable – and instead of needing 4GB+ of RAM, it needs less than 300MB. And it needs next to no processing power: some people run Cuberite on their Raspberry Pi and have plenty of CPU available.

I would at this point go on about how this is a significant point of difference between C++ and Java, but Java optimizes for something different to C++.  I got into an interesting discussion with Cathy about this after reading a question someone had about what Java was trying to be good at. I used to think that VB was the new COBOL, but clearly Java is the new COBOL; those Java programs are going nowhere, they’re verbose and easy to understand and maintain.

A point to note: the Minecraft protocols are bandwidth heavy. I found that if I wanted to run a server at home I’d be able to have one, perhaps two players. Thus is Internet in Australia. Instead I’ve dropped this onto a free AWS VPS instance and bandwidth is no problem.

Still, it’s a random piece of software off the Internet, so we’re going to give it its own user account for our own safety. Let’s install the software:

curl -sSfL | sh
sudo mv Server /usr/local/cuberite
cd /usr/local/cuberite

Cuberite allows configuration through a web interface.  We now enable webadmin.ini
; Please restart Cuberite to apply changes made in this file!

Port 8080 is the alternative HTTP port (http/https).  You could cd into webadmin and run and get https serving, but your browser will barf on the certificate. Instead, let’s use a LetsEncrypt certificate, one that we installed earlier. First we make our one-line shell script for running the daemon:

sudo useradd -c "Cuberite server" -f -1 -M -r cuberite
sudo chown -R cuberite:`whoami` /usr/local/cuberite/
sudo nano /etc/init.d/

# Provides: cuberite
# Required-Start: $local_fs $network
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: cuberite
# Description: Cuberite server, a Minecraft server lookalike
cd /usr/local/cuberite
sudo -u cuberite /usr/local/cuberite/Cuberite -d &

Next we set it going when the box starts up:

sudo chmod +x /etc/init.d/
sudo update-rc.d defaults

Before we can go to the website we need to allow user cuberite to get to the certificates:

sudo groupadd privkey_users
sudo usermod -aG privkey_users cuberite
sudo chmod g+rx /etc/letsencrypt/live/
sudo chmod g+rx /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/live/
sudo chown root:privkey_users /etc/letsencrypt/live/
sudo -u cuberite ln -s /etc/letsencrypt/live/ /usr/local/cuberite/webadmin/httpscert.crt
sudo -u cuberite ln -s /etc/letsencrypt/live/ /usr/local/cuberite/webadmin/httpskey.pem

Changing these permissions doesn’t affect apache2’s ability to get them.
The reason we’ve used a group here is to allow both Cuberite and any other app (for example, exim) to access the private keys; just add any other user that needs to use the private keys to the privkey_users group.

Remember to punch a firewall hole for port 8080. Fire up Cuberite now:

sudo service cuberite restart

And check if that worked, there should be about one entry:

ps -aux | grep cuberit

If not, you can check in the logs directory to see what’s wrong.

So now:

sudo lsof -i :8080

should be secure.  Note the https is mandatory, as your browser will use http if you fail to specify a protocol.

Windows WannaCrypt attack

This is interesting, and perhaps not unexpected: a vulnerability in Windows SMB 1 (used for shared drives) which was patched by Microsoft in March April, has been exploited.

It’s hit unpatched computers in numerous countries – most infamously, the UK’s National Health Service.

Despite what some Australian media is reporting, this tracker shows we are not immune — though it may be a reduced impact for now thanks to the weekend. Could be a different story on Monday.

For now it appears to have stopped thanks to someone finding a “kill switch”, but no doubt it or another version will hit again.

The lesson here for any of your computers that are connected to a network:

Patch them. Keep them up to date — preferably set them to automatically install patches.

If you’re using XP or older, Microsoft has just issued a patch, which you can get here.

You can also disable SMB 1 — note there are server and client portions, and that later versions of Windows make this a lot easier than earlier ones.

If you’re using Vista or older, find out about getting an upgrade. Vista patches stopped being issued earlier this year. You’ll be safe from this specific attack if you’re patched, but maybe not the next one. (Windows 7 keeps going until 2020.)

My assumption is that home users who use a broadband modem of some kind may not be at immediate risk this time from outside attack, since the modem can function as a basic firewall, but accidentally running an infected file from an email or web site could bring it in.

This attack has been serious, and other future ones will be too. So stay up to date, and stay safe.

  • Blatant plug: If you’re in southeast Melbourne and have no idea how to fix your computer, my brother-in-law runs this company that may be able to help: Bayside PC Services
  • In this blog post, Microsoft basically tells governments that they shouldn’t keep discovered vulnerabilities secret and exploit them for themselves (as the NSA did in this case, until that information was stolen) — that they should instead tell vendors so they can be fixed quickly. Difficult to argue with that.

Making a captcha daemon for spamgourmet installations

For those of you following along at home, this is part of a cookbook style instruction set for getting spamgourmet going, but because of screwed up permission logic I can’t post this section there.

The captcha is for validating humanity when creating spamgourmet accounts. We’re going to limit what parts of the OS it can tromp over:

sudo useradd -c "captcha server for spamgourmet" -f -1 -M -r captcha
sudo /bin/mkdir -p /var/www-spamgourmet/captchasrv/
sudo chown -R captcha /usr/local/lib/spamgourmet/captchasrv/
sudo chown -R captcha /var/www-spamgourmet/captcha

Now we make our one-line shell script for running the daemon

sudo nano /etc/init.d/

# Provides:          captchasrv
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: captchasrv
# Description:       captcha daemon for spamgourmet
sudo -u captcha perl /usr/local/lib/spamgourmet/captchasrv/ &

Next we get it going

sudo chmod +x /etc/init.d/
sudo update-rc.d defaults

And check if that worked, there should be about four entries:

ps -aux | grep captc

Now the captcha server will start whenever the computer starts.

Installing a secure Apache webserver to run Perl

So, you want to run Perl on the web, because it’s the 90s all over again. You want HTTPS, because… no, there’s no because.  You want HTTPS.  Who wouldn’t?  Here’s what you do on a Debian Linux such as Ubuntu:
sudo apt-get install apache2 libapache2-mod-perl2
mod-perl is an Apache module that allows Perl programs to be executed from Apache.

Our goal is to get /var/www/html/ running at

#!/usr/bin/perl
print "Content-type: text/html\n\nHello World";

Disable the default Apache virtual host:

sudo a2dissite 000-default.conf

Create a file in /etc/apache2/sites-available with your text editor, replacing instances of with your own domain name in both the configuration file and in the file name /etc/apache2/sites-available/

<VirtualHost *:80>
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
     <Directory /var/www/>
              Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
              AllowOverride None
              AddHandler cgi-script .pl
              Require all granted
     </Directory>
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
     <Directory /var/www/>
              Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
              AllowOverride None
              AddHandler cgi-script .pl
              Require all granted
     </Directory>
</VirtualHost>
</IfModule>

If you have multiple sites, you’ll want to do things with DocumentRoot to isolate them from each other. But that’s for another post.

You might add in DirectoryIndex / to make execute your program.

The Directory section above allows you to isolate executable code from served code, which is good practice. For this example we’re dumping the executable in with everything else, which is questionable.

Repeat this process for any other domains you host.

sudo a2ensite
sudo ln -r -s /etc/apache2/sites-available/ /etc/apache2/sites-enabled/
sudo service apache2 restart

Punch holes in your firewall for ports 80 and 443.  Navigate to to check all is okay. You ought to see Hello World displayed for your website.

Having security used to be a pain.  SSL certificates signed by a recognised CA cost money, and then you’d have to keep them up to date, and there wasn’t process automation, so you’d do all that stuff by hand.  LetsEncrypt addresses all these problems, handing out free certificates and scripting everything.

Now it’s time for the S part of HTTPS:
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
sudo certbot --apache

certbot renew
If that works, we’ll automatically renew our 90-day certificates every month:
echo '@monthly root /usr/bin/certbot renew >> /var/log/letsencrypt/letsencrypt-auto-update.log' | sudo tee --append /etc/crontab

Done.  You’ll never have to worry about certificates again. Now alter your Apache sites-available file (look in /etc/apache2/sites-available/) to include the (optional) redirect HTTP to HTTPS and the mandatory location of the SSL certificates:

<VirtualHost *:80>
# Only allow HTTPS
RewriteEngine on
RewriteCond %{SERVER_NAME} =
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Now make the secure version live, and in the process the insecure one… shy? When a request is made for a http page, like, the response will be “Here’s where what you asked for has moved to… forever!”:
sudo service apache2 restart
Now requesting ought to deliver you to

Install exim4 STARTTLS using a free LetsEncrypt certificate

Here we are on a Debian Linux, such as Ubuntu, and we want to run a mail server. Exim4 is currently the most popular email server, but getting it up and working for free is a hassle – who wants to pay for an SSL certificate, on an ongoing basis? And then there’s the maintenance of the security of it – constant renewal, renouncing and re-installation of the certificates.

Wherever you see, swap in your Fully Qualified Domain Name. That may be
It’s assumed you’re not logged in as root, but user ubuntu
Wherever you see, swap in your machine’s local IP address, from
ifconfig | grep "inet addr" | grep -v ""

Security is all handled automatically by LetsEncrypt’s certbot. I’ll let you look that one up yourself. Run it up and get your certificate for

Once you’ve got that handled, punch a hole in your firewall so that port 25 can get through from the outside world to your machine. Be aware: the outside world is filled full of botnets trying to hack into your machine.  After installing exim, keep an eye on the logs in /var/log/exim4/ for a while.

Let’s install exim4:
sudo apt-get install exim4
sudo dpkg-reconfigure exim4-config

  • pick “Internet site”
  • system mail name is
  • IP address is (the one returned by ifconfig, not the externally accessible one)
  • Other destinations:
  • No relays
  • No smarthost
  • No Dial-on-Demand
  • mbox format (or whatever)
  • Split the files
  • ubuntu for postmaster mail

Check we’re now running a mail server:
sudo netstat -napt
should show
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0* LISTEN 25700/exim4

Now we have a mail server, the world needs to find it. Check your nameserver setting to ensure mail is destined for this machine.  You probably want only one MX record.

Check the Internet can send mail to our server. After allowing for the appropriate propagation delay for your nameserver changes, use gmail or something to send an email to – you should be able to read it by typing

Now it’s time to enable MTA-MTA link encryption for secure transport of mail, by enabling STARTTLS on exim4 using our LetsEncrypt certificate
sudo nano /etc/exim4/conf.d/main/03_exim4-config_tlsoptions
Enable STARTTLS by adding/setting in the tlsoptions section:

before any of the IF shenanigans. Also add/replace pointers to the certificates:
tls_certificate = /etc/letsencrypt/live/
tls_privatekey = /etc/letsencrypt/live/

The MAIN_TLS_CERTKEY = no entry fixes an exim4 log message
2017-04-16 09:13:24 TLS error on connection from (IcePlanet) [] (cert/key setup: cert=/etc/exim4/exim.crt key=/etc/exim4/exim.key): Error while reading file.
You will see this when testing with swaks:
$ swaks -a -tls -q HELO -s -au test -ap '<>'
=== Trying
=== Connected to
< - 220 ESMTP Exim 4.86_2 Ubuntu Sun, 16 Apr 2017 09:13:24 +0000
-> EHLO IcePlanet
< - Hello []
< ** 454 TLS currently unavailable
*** STARTTLS attempted but failed
-> QUIT
< - 221 closing connection
=== Connection closed with remote host.

Allow exim (which when running runs as user Debian-exim) to get to the certificates:

sudo groupadd privkey_users
sudo usermod -aG privkey_users Debian-exim
sudo chmod g+rx /etc/letsencrypt/live/
sudo chmod g+rx /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/live/
sudo chown root:privkey_users /etc/letsencrypt/live/

Changing these permissions doesn’t affect apache2’s ability to get them.
The reason we’ve used a group here is to allow both exim and any other app (for example, a secondary service that wants to use 8080 to serve up a configuration page) to access the private keys; just add any other user that needs to use the private keys to the privkey_users group.

These permission changes prevent the following error message in your log file:
2008-06-03 08:27:35 TLS error on connection from ([]) [] (cert/key setup: cert=/etc/ssl/certs/server.pem key=/etc/ssl/private/server.key): Error while reading file.
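
A check for the shared-group layout used above for both Cuberite and exim, added here as an example and not part of the original post: it reports Let's Encrypt directories or private keys whose group or mode differs from what the chmod/chown steps set up. It assumes GNU stat and certbot's archive/<name>/privkey*.pem layout; the function names and finding labels are this example's own.

```shell
#!/bin/sh
# Added example: audit the privkey_users layout on a Let's Encrypt tree.
# Usage (as root): sh audit.sh /etc/letsencrypt privkey_users
# Assumes GNU stat (Debian/Ubuntu). The labels GROUP, NOACCESS, EXPOSED,
# MISSING and NOKEYS are made up for this example.

# check_path <path> <group> <pattern the symbolic mode must match>
check_path() {
    sym=$(stat -c %A "$1")      # symbolic mode, e.g. drwxr-x---
    grp=$(stat -c %G "$1")      # owning group name
    [ "$grp" = "$2" ] || { echo "GROUP $1 is $grp, expected $2"; rc=1; }
    case $sym in
        $3) ;;
        *) echo "NOACCESS $1 ($sym): group lacks the access it needs"; rc=1 ;;
    esac
    case $sym in
        *---) ;;                # no bits at all for "other"
        *) echo "EXPOSED $1 ($sym): accessible beyond owner and group"; rc=1 ;;
    esac
}

# audit_privkey_perms <letsencrypt-root> <group>
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
audit_privkey_perms() {
    root=$1; group=$2; rc=0; keys=0

    # live/ and archive/ need g+rx so group members can traverse them.
    for d in "$root/live" "$root/archive"; do
        if [ -d "$d" ]; then
            check_path "$d" "$group" '????r?[xs]*'
        else
            echo "MISSING $d"; rc=1
        fi
    done

    # Every stored key version must be group-readable and closed to others.
    for f in "$root"/archive/*/privkey*.pem; do
        [ -f "$f" ] || continue
        keys=$((keys + 1))
        check_path "$f" "$group" '????r*'
    done
    [ "$keys" -gt 0 ] || { echo "NOKEYS nothing matches $root/archive/*/privkey*.pem"; rc=1; }

    return "$rc"
}

# Run the audit only when called with both arguments.
if [ "$#" -eq 2 ]; then
    audit_privkey_perms "$1" "$2"
fi
```

Running it again after each certificate renewal confirms that newly written key files still carry the intended group and mode.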

Restart the service and the TLS settings ought to be working
sudo service exim4 restart
Test STARTTLS is working from another machine
swaks -a -tls -q HELO -s -au test -ap '<>'
There shouldn’t be any obvious complaining.
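
One way to keep an eye on the TLS side of /var/log/exim4/, added here as an example rather than taken from the original post: it counts the cert/key setup errors quoted above per certificate path and tallies inbound mail received with and without TLS. The sample log is constructed (hosts, addresses and message ids are placeholders), and the script assumes exim's default log format, where field 4 of a received-message line is `<=` and TLS sessions carry an `X=TLS...` item.

```shell
#!/bin/sh
# Added example: summarise TLS health from an exim mainlog.
# Usage: sh exim-tls.sh /var/log/exim4/mainlog
# Function names and the SETUP_ERROR / INBOUND labels are this example's own.

# exim_tls_report <mainlog>
# Prints "INBOUND tls=<n> plain=<m>" and one
# "SETUP_ERROR <count> cert=<path> key=<path>" line per failing pair.
exim_tls_report() {
    awk '
        # Certificate or key could not be loaded when a client tried STARTTLS.
        /TLS error on connection/ && /cert\/key setup:/ {
            cert = key = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^cert=/) cert = substr($i, 6)
                if ($i ~ /^key=/) { key = substr($i, 5); sub(/\):$/, "", key) }
            }
            errs[cert " " key]++
            next
        }
        # Message received from a remote host (H=); local submissions are skipped.
        $4 == "<=" && / H=/ {
            if ($0 ~ / X=TLS/) tls++; else plain++
        }
        END {
            for (k in errs) {
                split(k, p, " ")
                printf "SETUP_ERROR %d cert=%s key=%s\n", errs[k], p[1], p[2]
            }
            printf "INBOUND tls=%d plain=%d\n", tls, plain
        }
    ' "$1" | sort
}

# write_sample_log <path>: constructed log lines for trying the report offline.
write_sample_log() {
    cat > "$1" <<'EOF'
2017-04-16 09:13:24 TLS error on connection from (client.example) [192.0.2.10] (cert/key setup: cert=/etc/exim4/exim.crt key=/etc/exim4/exim.key): Error while reading file.
2017-04-16 09:14:02 TLS error on connection from (client.example) [192.0.2.10] (cert/key setup: cert=/etc/exim4/exim.crt key=/etc/exim4/exim.key): Error while reading file.
2017-04-16 10:01:11 1czAAA-0000aa-AA <= alice@sender.example H=mx.sender.example [192.0.2.25] P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 S=1432
2017-04-16 10:05:40 1czAAB-0000ab-AB <= bob@other.example H=mx.other.example [192.0.2.40] P=esmtp S=988
2017-04-16 10:06:00 1czAAC-0000ac-AC <= root@localhost U=root P=local S=512
EOF
}

# Report on a real log only when a path is given.
if [ -n "${1:-}" ]; then
    exim_tls_report "$1"
fi
```

A non-zero SETUP_ERROR count after the permission changes means exim still cannot read the certificate or key it is configured with.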


Windows 10 close desktop: default action

In previous versions of Windows, they made it easy to change the default power option to be Log Off. This is handy for me – we tend to leave our PCs on, but logged off most of the time (with the power settings such that they put themselves to sleep).

Not so in Windows 10. If you Alt-F4 (close window) on the desktop, it’ll default to Shut down.

Worse, they’ve renamed all the options so that you can’t use a letter as the initial for Log Off. S now stands for not just Switch User and Sleep, but also Sign Out and Shut Down!

Thankfully there is a way to change the default. It involves going into the Registry.

  • Go to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • If it doesn’t already exist, create a DWORD Start_PowerButtonAction
  • Defaults are as follows (in decimal): 1 = Sign out, 2 = Shut down, 4 = Restart, 16 = Sleep, 64 = Hibernate, 256 = Switch user

Beats me why they didn’t build that into the UI somewhere.

Unfortunately it doesn’t affect the Start / Power button.

For ease of use, we also created a prominent Log Off short cut on the desktop/Start menu, pointing to:

C:\Windows\System32\shutdown.exe -l

(That’s a lowercase L)

Clone to a bigger drive, and convert MBR to GPT

I wanted to partly upgrade Windows to a new drive.

Currently, Windows itself and Program Files are on C: drive, which is an SSD (which I meant to blog about in detail, but never got around to) and documents are on D: drive (which was the tricky bit of the SSD upgrade — to do it properly involves using SysPrep with an Unattend.xml configuration file that tells Windows that documents will live on D: not C:). This article describes it in detail.

Anyway that’s really irrelevant to the problem at hand, which is that D: drive had run out of space. Here’s a brief description of what I did:

  • The new drive is a 4 Tb drive, replacing a 1 Tb drive.
  • Plug the new drive in, use Clonezilla to clone the old D: onto the new drive. Following the detailed instructions, this all went pretty smoothly.
  • But… the catch is the old drive was formatted in MBR, which has a limitation of 2 Tb. For beyond that, you need GPT.
  • I looked around for tools to convert the drive. It’s easy if you’re prepared to wipe it, but I wanted to preserve the data I’d just moved across. Finding ways to do it without wiping everything was tricky, but I settled on the free version of MiniTool Partition Wizard — this has an easy-to-understand interface, and did the job.
  • Once that MBR is converted to GPT, you can enlarge the partition to make the whole drive available.
  • Unplug the old drive, move the new one into the same slot as the old (this is on a Mac Pro booting in Windows Bootcamp) and it works. Done!

PS. Similar exercise afterwards shuffling the OS X partition from a 320 Gb drive to the old 1 Tb. That required GParted, as it seems the GPT partition couldn’t be expanded due to a formatting issue (which GParted helpfully offered to fix as it started up) and another small 600 Mb partition being in the way — not sure what it is, but it seems to be essential for booting OS X — GParted was able to move it to the end of the disk.

Install updates and shutdown actually means start updating, then shutdown part way through

Last night my laptop said it wanted to install updates. So when I’d finished using it, I chose “Install Updates and Shutdown”, thinking it would be all finished and ready to go in the morning, right?

Wrong. When I started it back up this morning, it proclaimed that it was 1% through the updates, and “This will take some time.”

It took almost an hour to get through everything, but finally it got to the log on screen.

At that point I had to do something else, so I shut it down again. Later I booted it back up, logged on, and … more delay, as it went through a protracted “Getting things ready” phase.

Maybe this is a rarity given this is apparently the Windows 10 “Anniversary Update“, which brings a whole bunch of new functionality — none of which, so far, I think I actually need.

But the lesson for next time is to use “Update and Restart” (which truly is something Windows 8 and 10 have over Windows 7) rather than “Update and Shut down”, which clearly doesn’t do what I thought it would do.

New laptop – bloatware to remove

My old laptop was old when I got it, and I just realised that was four years ago. I tried to breathe a little more life into it by putting Linux on it… with some success, but I’ve got some stuff I need Windows for, and that crawls along these days.

So I bought a new cheap laptop, for web and email use (definitely not an attempt at a desktop replacement)… a Lenovo B41-30.

Vital stats: A$299 (which seems to be an okay price; apparently it’s $100 off) from Centrecom. 14 inch screen. Celeron N3050, 1.6 GHz, 2 cores. 500 Gb hard drive. Intel graphics. Windows 10 (x64).

Only 2 Gb RAM, but I’ve paid A$35 for a 4 Gb stick – why wouldn’t you? Unfortunately it only likes alike sticks in the two slots, so the original 2Gb had to come out. Perhaps I might put another 4 in there to make it 8. You can always do with more RAM, right?

Anyway, after setting it up, here’s the bloatware I’ve removed:

  • BT Locker – locks your computer if your phone is too far away, using Bluetooth I assume
  • Cyberlink Power2Go – for ripping CDs and DVDs… not actually very useful on a laptop with no optical disc player.
  • PowerDVD – DVD/media player – ditto.
  • McAfee LiveSafe
  • AppExplorer – recommends apps to install – all I want on this thing is the basics. I certainly don’t want it being clogged up with extra apps.
  • Lenovo Solution Center
  • Lenovo ReachIt
  • Lenovo ShareIt

That’s all for now. It’s running at an acceptable speed.

Streaming TV and Chromecast – Stan won’t support iPad HDMI

I was in contact with Stan (streaming TV) support over the weekend. The iPad wouldn’t play, whether connected via an HDMI cable or the Chromecast. It would play zero to a few frames, then freeze up.

They suggested doing a factory reset on the Chromecast and removing and re-installing the Stan app.

It sounded unlikely (it’s the real-life version of the IT Crowd’s “Have you tried turning it off then on again”), but to my surprise, it actually worked.

HDMI was still a problem though. They said it wasn’t supported.

So why doesn’t Stan support HDMI? An interesting answer came back:

“We are unlikely to support this method of streaming in the future due to DRM (Digital Rights Management) contractual agreements we have with the studios we licence our content off of. If anything changes, we will be sure to let you know.”

This is puzzling, given their main competitors Netflix and Presto seem to support it.

It’s worth noting that Stan (and I believe the others) don’t support my 2011-model Samsung smart TV either. Thank goodness for the Chromecast. It’s not as easy as being able to play directly just on the TV (with no other devices required), but at least it works — and navigating menus is far easier on a tablet than a TV remote control.

As one observer (I forget who) noted — there’s little point paying extra for a smart TV (over a dumb one) when an A$49 device like a Chromecast is less likely to become obsolete — or if it does, it can be cheaply and easily replaced.

Enable Stereo Mix on Windows 7 under BootCamp

After rebuilding my Mac Pro with Windows 7 on an SSD (more about this later), Stereo Mix went missing.

To re-enable it, I ended up changing the audio driver to the Microsoft High-Definition Audio drivers, then back to the Realtek drivers:

  • Control Panel / Device Manager
  • Browse to Sound Video and Game Controllers
  • Choose Realtek High Definition Audio / Change (you’ll need an admin password at this point)
  • Update driver / Browse / Let me pick, and choose High Definition Audio Device.
  • Let it finish, then go back in again but at the last step choose Realtek High Definition Audio. This time I found it needed a reboot.

I assume this updates you to the drivers that came with Windows, rather than those that came with Boot Camp.

After the reboot, Stereo Mix is available. You just need to enable it under Control Panel / Sound / Recording devices, right-click, Show disabled devices, then enable it. You can set it as the default so you can record things in Audacity etc.

The old PC made new again: trying out Linux

My old hand-me-down laptop is getting too slow under Windows.

I tried reinstalling, and it’s still slow. Perhaps it’s the patch upon patch upon patch that needs to be applied to make it safe that explains why Windows installations always slow down over time — and why reinstalling didn’t solve the problem.

So I went looking around for lightweight Windows-like Linux distros… and ended up with LXLE.

The steps were pretty simple.

  1. Windows Disk Management to shrink the main partition enough so there was space for Linux.
  2. Download LXLE (silly me, I could have chosen 64 bit, but went with 32 because Windows was 32… the specs say it’s actually 64-bit… though with only 2Gb of memory, 32 might be better, as it is with Windows?)
  3. Used UNetbootin to create a bootable USB drive
  4. Boot onto the USB and follow the steps. Easy.
  5. Two things I’ve done apart from installing the default OS: install Chrome so I could sync my bookmarks, passwords etc
  6. And install gpointing-device-settings via Synaptic, to turn off the annoying touchpad click (which I keep firing accidentally)

The laptop seems rejuvenated. The speed is nice. I mostly use it for web and a little word processing (which Libre Office, installed with the distro, should cover).

The interface is similar enough to Windows that I’ll get by fine with it. (And unlike trying to move to OSX, no annoying differences in keyboard shortcuts.)

And if I desperately want something in Windows, I can still boot it up if I need to.

Still to investigate:

  • Compatibility with VPN for work
  • RDP for work and other uses
  • See if GIMP will cover the same stuff I use Paint.Net for, or if I need to find something else


It has had some problems with waking up after sleep, and forgetting the touchpad No Click setting when rebooting.

And now, after a week…

Linux boot problem

Now it won’t boot.

The whizzes on Twitter suggest it might be a hard disk corruption… which it might be, though Windows is still booting fine.

Or it might be that grub needs reinstalling. I’m not even sure how or why I’d do that.

The other suggestion people have is to try a different (more stable?) distro, such as Lubuntu. Might be worth a look, though I’m wondering how much better it would be.

As I get time I’ll keep testing.

Update: It may have been due to the partition running out of disk space. Yeah, seems like an odd way of dealing with it.