Jan 092017
 

One problem for using HTTPS was in the past that sharing DNS names with one web server was not supported. HTTP can handle this for longer.

However HTTPS also supports virtual HTTPS servers: SNI does that.

And here is how to use it with HAProxy:

frontend https-in 
        bind *:443 ssl crt /etc/haproxy/ssl/private/ 
        reqadd X-Forward-Proto:\ https 
        acl is_site1 hdr_end(host) -i www1.qw2.org 
        acl is_site2 hdr_end(host) -i www2.qw2.org 
        use_backend site1 if is_site1 
        use_backend site2 if is_site2

All the magic is in the bind line where a directory with PEM certificates (concat of fullchain.cer and the key)

Now you can have https for everything and HAProxy will handle all the secure connectivity for you.

 

 

Sep 222016
 

I like my switch/routers from Mikrotik. While not flawless, they are working well, have a descent command line interface and a usable web (and Windows) GUI. They got all features I need and are stable.

One missing feature however was that DHCP leses did not get a DNS entry. The simple workaround was that stuff which should get DNS gets a static IP. Anything else doesn’t and thus is not reachable by DNS. Was not a big deal until I used Vagrant which can build VMs (via VirtualBox). Now I got plenty VMs which I simply bridge on the normal LAN. But in order to connect to them outside of “vagrant ssh nodeX”, I needed to have their IP. Vagrant can tell me, as can the VM itself when I connect via “vagrant ssh”, but all this is way more complex than simply using DNS. dnsmasq does that automatically, but not the DHCP/DNS combo on RouterOS.

Scripts to the rescue!

https://www.tolaris.com/2014/09/27/synchronising-dhcp-and-dns-on-mikrotik-routers/ has a nice one which does what it’s supposed to do. Relying on the TTL to be different from static DNS entries, it’ll create or delete DNS records which according to DHCP leases should or should not exist.

screenshot_20160922_163849

One important hint: you need to allow the script to read/write “things”. And the scheduler when running the script.

screenshot_20160922_164130

TTL for DHCP is set to 15min. TTL for static enteries is 1d. The script runs every 5min.

Apr 072016
 

Today we got an email from our Internet provider that we seem to attack an IP address within the provider’s network. Seemed to attack port 53. They ask us to check for viruses etc. The provider is Japanese, so the email was naturally Japanese too. Did not make it easier to understand for me.

Everyone knows, port 53 is DNS. Why would we or a virus try to connect port 53 on a non-server?

I checked all computers (the Windows machines was a natural first suspect), but all was clean. And then it dawned me: DNS Amplification attack! Using our router.
A quick check on the router showed more activity than normal, so it was confirmed that the router is the culprit.
The NAT connection table then promptly showed about 2000 connections with more and more being created while old ones were closed due to inactivity.

How to fix this? Disable remote DNS requests! Except remote is anything non-local to the router which also disabled the internal network from using DNS as all machines in our LAN use our router as DNS server (resp. relay).

The next attempt was better: set up the firewall to drop incoming DNS requests which come from the ppp interfaces.
Now I got about 50 active connections again (that’s normal), no odd DNS requests, and fw-dns-amp about 500 packets per second are being dropped. That accumulates quite fast. 280k packets dropped while writing this article.

The magic fix looks like this:

/ip firewall filter add chain=input action=drop protocol=udp in-interface=all-ppp dst-port=53 log=yes log-prefix=Ext-Incoming-DNS

That was interesting. Relatively easy to defeat. I’m surprised this is not configured by default, but then, I have a rather non-user-oriented router where it’s expected that the admin knows what he’s doing…
I’ll have to look a bit more into security of the router in regards to DoS attacks and logging and notifications for unusual traffic.

Feb 282016
 
SoftEther - Part 2

Wanted to put a VPN gateway into a Docker container. Turned out to be difficult since the container needs to accept ESP traffic for IPSec, which I could not make work.

However running a SoftEther VPN server turns out to be easier than expected: Have the binaries, and a vpn_server.config file, and off you go. To create the config file, use the Windows management utility.

On the client side it’s rather simple. Windows client software is neat and straightforward. Linux is not much harder:

# Download softether-vpnclient-v4.19-9599-beta-2015.10.19-linux-arm_eabi-32bit.tar.gz to e.g. /var/tmp/
cd /usr
tar xfv /var/tmp/ softether-vpnclient-v4.19-9599-beta-2015.10.19-linux-arm_eabi-32bit.tar.gz
cd vpnclient
make i_read_and_agree_the_license_agreement
./vpnclient start
./vpncmd
2 (Management of VPN Client)
ENTER (picks localhost)
NicCreate VIRTUALNIC (e.g. box2)
AccountCreate ACCOUNTNAME (e.g. box2)
vpn.domain.org:443 (VPN Server Host Name and Port Number)
VIRTUALHUBNAME (e.g. Box2Hub)
USERNAME (e.g. harald)
box2 (Virtual NIC)
#
AccountPasswordSet ACCOUNTNAME
PASSWORD (password for USERNAME)
PASSWORD (repeat)
standard (standard or Radius)
#
# Autostart:
AccountStartupSet ACCOUNTNAME
# Connect:
AccountConnect ACCOUNTNAME
# Check
AccountStatusGet ACCOUNTNAME

And that’s it. It’ll create a virtual NIC vpn_box2 and whenever you start vpnclient, it’ll create it and connect.

E.g. have this in /etc/rc.local:

( /usr/bin/vpnclient start ; sleep 10 ; ifconfig vpn_box2 192.168.30.51 netmask 255.255.255.0 up ) &

or alternatively if you can take any IP address:

( /usr/vpnclient/vpnclient start ; sleep 10 ; dhclient vpn_box2 ) &

In case of slow connection/computers, increase the 10s delay to more. I use 20s for my AllWinner A20 CPUs.

Mar 222015
 
Toggling LEDs

Here was a great start and given that I did not know Lua a lot (and I am sure I don’t still), it was a nice little challenge to expand the example to include all 6 LEDs.

Here the result:

 

myled={ 4, 3, 2, 1, 5, 0, 6, 7, 8 }
mystate={}

start_init = function()
local i
for i=1,6 do
 gpio.mode(myled[i], gpio.OUTPUT)
 gpio.write(myled[i],gpio.HIGH)
 mystate[i]=0
end 
end 
 
sendFileContents = function(conn, filename) 
    if file.open(filename, "r") then 
        --conn:send(responseHeader("200 OK","text/html"))
        repeat  
        local line=file.readline()  
        if line then  
            conn:send(line)
        end  
        until not line  
        file.close()
    else 
        conn:send(responseHeader("404 Not Found","text/html"))
        conn:send("Page not found")
            end 
end 
 
responseHeader = function(code, type) 
    return "HTTP/1.1 " .. code .. "\nConnection: close\nServer: nunu-Luaweb\nContent-Type: " .. type .. "\n\n";  
end 
 
httpserver = function () 
    start_init(); 
    srv=net.createServer(net.TCP)  
    srv:listen(80,function(conn)  
      conn:on("receive",function(conn,request)  
        conn:send(responseHeader("200 OK","text/html")); 
        fflag, findex, pin=string.find(request, "gpio=(%d+)")
        pin=tonumber(pin)
        if fflag and pin>=1 and pin<=6 then
          print("Changing pin "..pin.." to ")
          if mystate[pin]==0 then
               mystate[pin]=1
               gpio.write(myled[pin], gpio.LOW)
               print("on\n")
          else
               mystate[pin]=0
                gpio.write(myled[pin],gpio.HIGH)
               print("off\n")
          end         
        else 
            sendFileContents(conn,"schead.htm")
            local i
            for i=1,6 do
             if mystate[i]==0 then
              preset=""
             else
              preset="checked=\"checked\""
             end
             conn:send("<div><input type=\"checkbox\" id=\"chbox"..i.."\" name=\"chbox"..i.."\" class=\"switch\" onclick=\"loadXMLDoc("..i..")\" "..preset.." />")
             conn:send("<label for=\"chbox"..i.."\">GPIO "..i.."</label></div>\n")
            end
            conn:send("</div>")            
        end 
        print(request); 
      end)  
      conn:on("sent",function(conn)  
        conn:close() 
        conn = nil  
 
      end) 
    end) 
end 
 
httpserver()

Note:

  1. I use only the 6 red LEDs on the dev board I have
  2. I had to shorten the text sent to the web client from “checkbox2” to “chbox2” as otherwise the last characters of those 6 lines were missing. That showed when some LEDs were on and I reloaded the page. Then toggle 6 went missing. Thus don’t send too much too fast.

 

Mar 222015
 
ESP8266 - IoT, here we come

The Internet of Things was for the longest time limited to bigger things. Costs of US$100 and more for a IP connected device was a given.

Arduino boards like this Ethernet Shield with a W5200 chip still needed a separate CPU. And it was not wireless, so add in a cable and a fraction of a switch. Newer possibilities are Raspberry Pi + USB WLAN stick (<US$40). Those were a bit expensive and quite large if all you want is switch on/off something small like a lamp.

Then came solutions like Spark Core which were relatively cheap (<US$40) and small. Slowly getting there.

And then the ESP8266 showed up, making most other solutions oversized and overpriced: About US$3 for the naked module (ESP-12) and US$11 for a small dev module. And you can program it in C or Lua or JavaScript. And not only is it cheap and quite capable, but it is also small, low-power and it’s easy to work with and connect it to various interfaces: GPIO, I2C, SPI, RS232, PWM etc.

Here an example of the blinking LED in Lua:

gpio.mode(4, gpio.OUTPUT)
led4=0

function switchled4()
 if led4==0 then
  gpio.write(4, gpio.LOW)
  led4=1
 else
  gpio.write(4, gpio.HIGH)
  led4=0
 end
end

tmr.alarm(0,1000,1,switchled4)

This leds the LED connected to GPIO4 (internal numbering, just like Arduino does) blink. And here a link to an example which uses a web page with AJAX to toggle 2 LEDs.

All in all, there is no reason to NOT allow pretty much anything to be connected to your WiFi network.

 

Feb 112014
 

SoftEther works (see my previous post), but it needs an extra install of software, while PPTP is pretty much standard for many operating systems. So we’ll set this up.

It’s actually very easy too

Server side

Debian server: install some packges:

aptitude install pptpd

/etc/pptpd.conf (I removed all comments here):

option /etc/ppp/pptpd-options
logwtmp
localip 192.168.31.1
remoteip 192.168.31.10-249

/etc/ppp/pptpd-options (again, no comments):

name SERVERNAME
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
nodefaultroute
lock
nobsdcomp
noipx
mtu 1490
mru 1490
ipcp-accept-remote
netmask 255.255.255.0

Add this to /etc/rc.local:

/sbin/iptables-restore </etc/iptables.save

Setting up routing and firewall:

iptables -A FORWARD -s 192.168.31.0/24 -d 192.168.31.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.31.0/24 -j REJECT

Edit /etc/sysctl.conf to enable IP fording:

net.ipv4.ip_forward=1

Enable sysctl.conf changes:

sysctl -p

Edit /etc/ppp/chap.secrets to have all accounts, e.g.:

username1<TAB>*<TAB>password<TAB>*

 

Client side

Debian: install some packages

 aptitude install pptp-linux

Create /etc/ppp/peers/BoxPPTP (BoxPPTP is the name of the connection):

pty "pptp PPTPSERVERNAME --nolaunchpppd"
name harald
remotename BoxPPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam BoxPPTP
192.168.31.10:

192.168.31.10 is the IP the client wants to have.

/etc/ppp/options.pptp:

lock
noauth
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate

Add your account in /etc/ppp/chap-secrets:

username1<TAB>BoxPPTP<TAB>password<TAB>*

Add this to /etc/network/interfaces:

auto ppp0
iface ppp0 inet ppp
  provider BoxPPTP
  post-up sleep 2 ; route add -net 192.168.31.0 netmask 255.255.255.0 gw 192.168.31.1

To enable the PPTP connection, do:

ifup ppp0

Check via:

# ip addr list ppp0
20: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1486 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp 
    inet 192.168.31.11 peer 192.168.31.1/32 scope global ppp0
# ip route list
default via 192.168.11.1 dev eth0 
192.168.11.0/24 dev eth0  proto kernel  scope link  src 192.168.11.36 
192.168.31.0/24 via 192.168.31.1 dev ppp0 
192.168.31.1 dev ppp0  proto kernel  scope link  src 192.168.31.11

At this point you can ping the PPTP server (192.168.31.1 in this case) as well as all other clients as long as they are not firewalled.

 

Mar 232012
 
Synology DS212j

Finally got a small NAS. Although it was tempting to get a bigger/faster one with 5 or  4 disk slots and a fast CPU, it’s way overkill for my purpose, so in the end, I went for a small DS212j plus a (for now) 3TB disk.

It’s plenty fast (75MB/s read via NFS), the GUI is awesome, the capabilities more than sufficient. It has some kinks though:

  • The OS is on the disk and not in flash memory.
  • If you have 2 different size disks, then if you create a mirrored volume, the rest of the space goes unused instead of being able to use it as a non-mirrored volume.
  • Volumes always take full disks (or what is left after the OS is copied on them)
  • To enable NFS, you need to first enable it, and then create shares (which are usually for Samba shares), and there enable NFS sharing too.
  • To enable home directories, click on the user modules and click there on “User Home” and enable it and say which volume to use.
  • Disk groups names are hardcoded: Disk group 1, Disk group 2 etc.
  • Volume names are hardcoded: Volume 1, Volume 2 etc. They map to mount points called /volume1, /volume2 etc.
  • The media server does not ask for the location of files. It defines it to be on a volume you pick.

If you have only 2 disks, do yourself a favor and get 2 of identical size and use a RAID-1 (or their hybrid volumes). Alternatively expect no mirroring whatsoever. If you have more disks (4 would be a good start), then this is much less of a problem.

Nov 052011
 
GLANTANK - Resurrected

I have not used my GLANTANK for quite a while. Now it has a new purpose: I use as a server for lsync. lsyncd is what I was looking for for a while: it synchronizes directories a la rsync (it’s actually using rsync for that), but it is using the inotify feature of the Linux kernel which informs a process that a file has changed. So instead of scanning every (say) 1h thousand of files, it copies the ones which are modified much sooner and does not need a full scan of all files except on startup.

The old Debian installation was outdated, so I wanted to re-install Debian Linux on the GLANTANK first. I used the same instructions in the past and it worked as expected. So I was hopeful this time too. ssh never started up though.

The only way to see something happening then is to use a serial console. See also here for some pictures. Pins are 1:3.3V,  2:RxD, 3:TxD, 4:GND. 115200 bps and 8N1.

And the problem is that the latest kernel 2.6.32-5-iop32x has no driver for the GLANTANK disk interface, and that stops the installation process. The fix is on the Debian bug list and that solves it.

Next problem are the not-so-quiet fans. There’s a program to control them called fanctld. Needs kernel header files and gcc-4.3 to create a working fandrv.ko kernel module.

Update: Plugging in and out of disks with a cable which is soldered to the mainboard is a bad idea: the cable broke and no disk worked afterwards. Well, it was fun while it lasted.  Which was until now.

Oct 302011
 
Moving Servers

Moving servers from Strato (can’t complain, good enough service, nothing ever broke, few but regular planned outages, and not expensive either), to Linode (quite a bit more expensive for the same performance, but less performance is ok too, so it’s about the same price). The main advantage of Linode is the location: Tokyo.

Main differences:

  • Location Germany vs Japan
  • Ping round trip from home decreased from 310ms to 30ms (and 18ms is my ADSL line already)
  • CPU changed from 1 core Opteron 2347 HE to 4 core Xen L5520 (but in reality it’s only 1 core anyway, however the new one is about 3 times faster according to http://www.webhostingtalk.com/showthread.php?s=&threadid=308055)
  • RAM decreased from 2GB to 0.5GB (but I only use about 0.4GB anyway)
  • Disk size decreased from 80GB incl. backup plus 80GB ftp, to 20GB and no backups
  • Data traffic decreased from 3TB to 200GB (but I never crossed 100GB)
  • Virtualizer changed from Virtuozzo to Xen
  • I now have some transparency about oversubscription of the underlying server
  • DNS is totally different: Strato uses a simple wildcard scheme: anything with *.studiokubota.com is pointing to the server. Linode uses a more traditional scheme where I need to define those DNS entries manually. But now I have control about it and can point hosts in my domain to any IP I like.
  • IP addresses decreased from 2 to 1 (but I used the extra IP only for VPN)
  • I need to use another registrar (I actually don’t need to, but it’s much cheaper if I do)

As you can see, it’s a mixed bag, but I am, generally ok although I’ll lose the ability to do proxy services in Germany, which allowed me to see some content some companies like to prohibit me from watching (streaming movies).

As a reminder to myself, here the additional commands/configs I had to do to move the server with all stuff I need:

# This is pretty much copy & paste. Run as root on the new server.
OLD=the.old.server
NEW=the.new.server
MYSQLPASSWORD=THEMYSQLPASSWORD

# User accounts

# Add encrypted password
echo >>/etc/passwd "harald:*:2000:100:Harald Kubota:/home/harald:/bin/bash"
# Copy root .ssh directory from old server

cd ~root

rsync -av $OLD:~root/.ssh .
# Install packages
aptitude update
aptitude full-upgrade
aptitude install locate
aptitude install apache2 imagemagick openvpn  gcc rsnapshot
aptitude install libapache2-mod-perl2 libapache2-mod-php5 libapache2-mod-perl2-doc
aptitude install phpmyadmin bsd-mailx
aptitude install postfix spamassassin procmail dovecot-common dovecot-imapd
# Configure postfix as Internet site with its local name as hostname

aptitude install mysql-server

# Set mysql "root" password, do not initialize the DB beside creating it

# Installing MT5 support files

aptitude install php5

aptitude install bsd-mailx exim4 libsoap-lite-perl libdbi-perl libimage-size-perl \
libmime-charset-perl libmime-encwords-perl perlmagick libxml-libxslt-perl \
 libxml-simple-perl libxml-libxml-perl libmime-tools-perl
aptitude install libgd-gd2-perl libio-compress-zlib-perl libarchive-any-perl
# copy /var/www

rsync -avz --progress $OLD:/var/www/ /var/www/

# For test purposes, create a symbolic link to one of the existing web pages

cd /var/www
ln -s harald.studiokubota.com $NEW

# Copy apache config

rsync -av $OLD:/etc/apache2/ /etc/apache2/

# Copy backup job from /etc/cron.daily/

rsync -av $OLD:/etc/cron.daily/mysqldump /etc/cron.daily/

# Mail: postfix, dovecot, spamassassin

rsync -av $OLD:/etc/postfix /etc/
# Modify main.cf to contain all domain names and fix the hostname too
# Also add virtual names and rebuild via
postmap /etc/postfox/virtual

rsync -av $OLD:/etc/dovecot /etc/
rsync -av $OLD:/etc/spamassassin /etc/
rsync -ac $OLD:/etc/default/spamassassin /etc/default/

mkdir /var/log/spamassassin
groupadd spamd
useradd -d /var/log/spamassassin -M -g spamd -s /bin/false spamd
chown spamd:spamd /var/log/spamassassin

# To learn ham/spam by putting spam in Spam and ham in Ham, add those to your user crontab:
#10 19 * * * sudo sa-learn --spam -u spamd --dir /home/harald/Maildir/.Spam/* -D
#10 20 * * * sudo sa-learn --ham -u spamd --dir /home/harald/Maildir/.Ham/* -D

# On both servers stop spamassassin and copy the DB over
ssh $OLD "service spamassassin stop"
service spamassassin stop
rsync -av $OLD:/var/log/spamassassin .
# Start spamassassin again
ssh $OLD "service spamassassin start"
service spamassassin start
service postfix restart
service dovecot restart

# Restore mysql DB

d=`date +%d`
cat >/tmp/dump.sh <<EOF
FN="/var/tmp/dbdump-${d}.bz2"
rm -f "\$FN"
mysqldump -p$MYSQLPASSWORD --all-databases | bzip2 -9 >\$FN
EOF
scp /tmp/dump.sh $OLD:/var/tmp/
ssh $OLD "bash /var/tmp/dump.sh"

# Restore on NEW server

rsync -av --progress $OLD:/var/tmp/dbdump-${d}.bz2 /var/tmp/
bunzip2 </var/tmp/dbdump-${d}.bz2 | mysql -u root -p
mysqladmin -p$MYSQLPASSWORD flush-privileges

# Other things

rsync -av --progress $OLD:/etc/openvpn /etc/
rsync -av --progress $OLD:/etc/default/openvpn /etc/default/

Files to modify manually later:

  • /etc/openvpn/openvpn.conf
  • some more files in /etc/openvpn to create/configure (it’s obvious), and adjust the files on the VPN client too