Author: termina

Raid on Debian Etch

If you’d like to do some RAID 0/1 in Debian Etch with some SATA drives you can do this in only a few simple steps.

cfdisk all your drives; create your partition(s) and make the type linux-raid-autodetect (Type: FD).

mknod /dev/md0 b 9 0

mdadm –create /dev/md0 –level 0 –raid-devices=2 /dev/sda1 /dev/sdb1

You can do level 1 the same way. Keep in mind that if you do multiple md devices, change the last number to the number of the device (mknod /dev/md1 b 9 1, for example).

For RAID 5, do

mdadm –create /dev/md0 –level 5 –raid-devices=3 /dev/sda1 /dev/sdb1 /dev/sdb1

Just keep in mind that RAID 5 needs three or more drives to work.

If you’d like to add more drives to a RAID 5, you can do so easily.

mdadm –add /dev/md0 /dev/sdd1
mdadm –grow /dev/md0 –raid-devices=4

After doing this, you need to resize your filesystem on md0

apt-get install lvm2 lvm-common

pvresize /dev/md0

pvdisplay

You should now be using the full size of the array.

Now all you have to do is

mkfs.ext3 /dev/md0

st0rage.org Security Announcement

Hi All!

I recently received this email from someone ([email protected] actually ;)). I was behind on my email, wish I had seen this sooner.

See http://it.slashdot.org/it/08/02/10/2011257.shtml
You did a good job at hardening your server but you forget /dev/shm
I used http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c to patch
your kernel on-the-fly.
But update your kernel.

A friend.

I’d like to thank the person who contacted me about it, and thank them for fixing the problem. That is probably the coolest thing ever to happen on st0rage. 🙂

Just figured I’d let everyone know; first root exploit since 2004. Whooo! 😀

SunFire V480 and Linux

I’ve been working on a SunFire V480 system with Solaris 8 on it for some time now trying to upgrade it (and hopefully migrate it to debian).

After setting up a test machine, migrating all the applications as well as ldap, I disovered that Sun has not yet opened up the hardware enough to allow developers to have this machine work on any Linux or BSD system.

Looks like I’ll be using OpenSolaris on this machine, and never buying Sun again. 🙂

Vostro 1400 Issues Fixed in Ubuntu Hardy 8.04

I installed Alpha 5 of Ubuntu Hardy 8.04 and have had VERY possitive results.

Fixed issues are:

Fan

After some time my laptop’s fan would turn on and off (from i8k’s 1 setting to 2) whether i8k was loaded or not (i8k would not load without force=1). It did this constantly and was very loud.

This behavior started after many kernel upgrades of 7.10. 8.04 Alpha 4 also had this problem.

The issue seems resolved; my fan stays at setting 1 (fan on low speed). I have not heard it go to setting 2 (high speed) yet, but my laptop does not usually run hotter than 40oC.

Update: i8k does not allow you to turn the fan to the second setting; the hardware seems to control when the fan is turned on high. I notice that the fan seems to respond more to the GPU’s temperature than the CPUs temperature. CPU is usually less than 40oC however, so I’m not concerned.

Sound

This was a major issue with Ubuntu. 7.10 required an option in /etc/modprobe.d/alsa-base (model=3stack). 8.04 did not work at all (I filed a bug report in launchpad that solved this issue).

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/186940

This latest Alpha fixed the issue.

nvidia/Compiz

I have a  GeForce 8400M GS. 7.10 had issues with my card (some kernels could not handle ‘nvidia’ and I had to settle for ‘nv’). Compiz had very strange bugs too (windows could glitch up, lots of twitching when maximizing windows).

8.04 has resolved these issues (for now). Compiz is working beautifully for the first time, and ‘nvidia’ is loaded without issue.

LCD Lid stays on when closed

I noticed recently that the LCD stays on after I close the lid of my laptop. This is a waste of power, and causes the laptop to run hotter than it should.

Edit /etc/acpi/lid.sh and add the following line after /usr/share/acpi-support/screenblank

xset dpms force off

Startup Scripts in Debian

If you would like to add a custom startup script to your Linux machine (for running ircd or an iptables script for example) the process is simple.

Create a file in /etc/init.d

touch /etc/init.d/program

chmod +x /etc/init.d/program

Edit it, and create something like this

#!/bin/bash

case $1 in

start)

sudo -u irc /home/ircd/unreal start

;;

stop)

sudo -u irc /home/ircd/unreal stop

;;

esac

These scripts are run as root, so you should probably use sudo to run programs as unprivileged users.

Now we just have to add it to our default runlevel (runlevel can be found in /etc/inittab on Debian, in Ubuntu this file does not exist as far as I know). The runlevel should be the same across all Debian (including ubuntu) systems.

ln -s /etc/init.d/program /etc/rc2.d/S20program

The S20 requires a little bit of explanation. S means Start, and 20 means to run after the 19’s but before the 21+’s. It’s simply a priority system.  You can replace S with K to ‘stop’ instead of ‘start’ when the computer shuts down.

Secure Portable Workstation with Debian Etch

Pictures coming soon!

I came across a “dying” Dell Latitude C680. It was old, but after looking at the specs I decided to keep it.

2.4/1.2ghz (speedstep)

1GB Ram

60GB HDD (mine was dead)

Two battery/expansion bays (one battery, one floppy)

One CD-Rom drive (thought it was dead, turned out to be the bay itself was bad)

GeForce 440 64mb video

The cdrom drive failed on me, but I was able to replace the floppy drive with another CD-rom drive.

I modified the hard drive bay caddy (mostly with electrical tape and the plastic case of a CF card) to house a 4GB CompactFlash card connected to a CF to IDE laptop convertor. With a little bit of fuss, I was able to get it to slide into the bay without catching on anything.

Using a Debian Etch CD, I did a full disk encryption LVM base install. It wasn’t too slow, however there were parts where the CF card was obviously choking a bit.

After booting into the system, I tested the CF card with hdparm -tT /dev/hda and was pleasantly surprised.

Timing cached reads: 716 MB in 2.00 seconds = 357.50 MB/sec
Timing buffered disk reads: 114 MB in 3.02 seconds = 37.71 MB/sec

So cached reads are about 1/2 as slow as I’d expect from a regular IDE drive, but the buffered disk reads are about as high.
I’m running Fluxbox, with Iceweasel and a few other operations and am noticing no problems with performance. Sometimes when dealing with multiple files at the same time things get slow.

Like any solid-state drive, this will make your laptop much more rugged (no moving parts except for fans and cd-rom drive).

While it has limited space, I could have easily purchased a 8/16/32GB CF card with similar speeds… if I had the money.

The CF card was around $25, and the adapter was $5.

For the next stage, I plan on using the now dead CD rom bay on the side to house USB devices with a powered USB hub.

This laptop will mainly be used for school (if it gets stolen, not a big deal) and war driving.

tcpwrappers

TCP wrappers are one of Linux’s most useful built-in features.

Instead of using a complex set of firewall rules, tcpwrappers provides an easy method of restricting access to certain daemons using ip addresses, host names, and ranges. While I wouldn’t reccommend on relying soley on them, they are a great tool for workstations and other machines behind a firewall.

hosts.deny is checked first; then hosts.allow. By default, if a program is not listed in either it is granted access to everyone.

/etc/hosts.deny

sshd: ALL
ftpd: ALL
mountd: ALL

/etc/hosts.allow

sshd: 192.168.0.0/24
ftpd: 192.168.1.0/255.255.255.0
mountd: 192.168.5.2,server2,192.168.3.2,192.168.6.0/24

As you can see, you have several different ways to give (or prevent) access.

Generally any program you see running as rpc.program will be supported via tcpwrappers (use program, not rpc.program in hosts.*). Anything running from inetd.conf will also be supported.

Stand-alone services (ignoring SSH/FTP) will generally not work with this, and rely on the program denying access or iptables.

Even if you use iptables, have some service: ALL lines in /etc/hosts.deny can be useful if you ever have problems with iptables

Postfix Security

A major problem with the default postfix install is that any user can send email as any user (even if it’s not your domain!)

The solution is very simple.

Edit /etc/main.cf and add

smtpd_delay_reject = yes
smtpd_helo_required = yes

smtpd_sender_restrictions=check_sender_access,hash:/etc/postfix/domains,

reject_unauth_destination,reject_sender_login_mismatch

Make sure you don’t add ‘permit_mynetworks’ here, or local users (or webmail users) will be able to forge their email.

In /etc/postfix/domains, add

your.domain OK

other.domain OK

and run

postmap /etc/postfix/domains

postfix reload

You might also want to try to help stop spam (along with spamassassin) with blacklists and stopping bad senders.

In /etc/postfix/main.cf

smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination,

reject_invalid_hostname,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_rbl_client list.dsbl.org,reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,permit

I have mixed feelings about blacklists; my website has shown up on them from time to time after all. Still, if you’re willing to get a few false positives then this should help stop quite a bit of spam.

Linux on the iPAQ H4150

This applies to all H4000 series iPAQs (although there may be specific issues here and there).

The files you will need can be downloaded here: http://www.angstrom-distribution.org/releases/2007.12/images/h4000/

You will only need a SD Card for this. It must be 256MB or bigger (total file size is around 180MB).

Download the following files

Angstrom-boot-2.6.21-hh20-r6-h4000.exe
Angstrom-x11-image-glibc-ipk-2007.12-h4000.rootfs.tar.gz
startup.txt
zImage-2.6.21-hh20-r6-h4000.bin

We do this instead of using the “liveramdisk” image in order for wireless to work, and to be able to hard reset your device without losing any linux files/settings.

Using cfdisk or a graphical partition editor create two partitions.

A first (smaller) FAT partition in order to store the *.exe, *.bin and *.txt file(s).

The second (larger) EXT2 partition to store the filesystem. (rootfs)

Mount the ext2 partition, and do the following

tar xpzf Angstrom-x11-image-glibc-ipk-2007.12-h4000.rootfs.tar.gz -C /media/disk2

Where /media/disk2 is your mounted ext2 partition.

You need to edit a file for wireless to work.

/etc/modprobe.d/acx.conf

Remove/blank this file, for some reason the acx module is blacklisted. Perhaps it causes some issues with other 4000 devices?

You should also check out

/etc/network/interfaces

to add some wireless networks.

You should also get rid of some startup programs (if you don’t need them)

Move the following to a safe place (/root?)

/etc/rc5.d/S10dropbear

/etc/rc5.d/S20syslog

/etc/rc5.d/S23bluetooth

This will disable bluetooth support, logging and remote SSH access.

In order for wireless to work after suspend, you need to make two files.

/etc/apm/suspend.d/S50ifdown

case $1 in
start)
ifdown wlan0
rmmod -f acx
;;
esac

/etc/apm/resume.d/S50ifup

case $1 in
start)
modprobe acx
sleep 1
ifup wlan0
;;
esac

Set up your /etc/network/interfaces file (or use the GUI) for ifdown/ifup to work.

You might also want to remove /etc/apm/resume.d/50-gpe-bluetooth-resume

In Windows, browse to your ‘Storage Card’ and run the exe file. Choose the second of the three options for booting linux, and if all goes well you’ll running linux in no time! You will lose all your Windows settings.

If anything goes wrong, do the following to perform a ‘hard reset’

1. Hold down the power button

2. Use the stylus to press down the reset button on the side of the PDA

3. Let go of the power button while still pressing the reset button

4. Let go of reset. Device should boot into Windows.

Other issues/Comments

For some reason, my battery is not detected under Windows 2003 (can’t tell there’s a battery, nor the charge). Works with Linux, so not sure what’s up with that.

Wireless so far has performed flawlessly. I get the same latency I get from my laptop when pinging yahoo.com, and see 2-4ms latency on the same network. Very surprising, since on Windows internal network latency would be around 20-40, with outside networks having horrible (100-200) latency.

All in all, I think I’m going to have a lot of fun with this device. And for around $80 on ebay, it’s not a bad deal.

Speed up network transfers with ssh and tar

When you use sftp/scp to transfer directories, you notice it ends up taking a long time. It works on files one at a time and they can often take a small amount of time to start and finish. A solution is to use tar to stream the file over ssh (so you have one continuious stream, without starting/stopping a lot).

ssh [email protected] “tar cf – big_dir/” | tar xf –

I timed transferring a 330MB directory with more than 3600 files in it.

Transferring over 10/100 Ethernet over SMBFS with ‘cp -r’

real    2m45.495s
user    0m0.100s
sys     0m4.424s

Transferring over 54mb WiFi (at 70% signal strength) using ssh/tar

real    2m8.800s
user    0m12.377s
sys     0m10.501s

Transfering over 10/100 Ethernet using ssh/tar

real    0m37.929s
user    0m5.628s
sys     0m4.068s

It took 37 less seconds over wireless (pretty impressive, especially when dealing with only 330MB). It was a full 2 MINUTES (and 8 seconds) faster over the same kind of connection.

This is useful both in a LAN enviornment and over the internet.