Raid on Debian Etch

Posted in HowTo, Informational, Storage on April 12th, 2008 by termina

If you’d like to do some RAID 0/1 in Debian Etch with some SATA drives you can do this in only a few simple steps.

cfdisk all your drives; create your partition(s) and make the type linux-raid-autodetect (Type: FD).

mknod /dev/md0 b 9 0

mdadm –create /dev/md0 –level 0 –raid-devices=2 /dev/sda1 /dev/sdb1

You can do level 1 the same way. Keep in mind that if you do multiple md devices, change the last number to the number of the device (mknod /dev/md1 b 9 1, for example).

For RAID 5, do

mdadm –create /dev/md0 –level 5 –raid-devices=3 /dev/sda1 /dev/sdb1 /dev/sdb1

Just keep in mind that RAID 5 needs three or more drives to work.

If you’d like to add more drives to a RAID 5, you can do so easily.

mdadm –add /dev/md0 /dev/sdd1
mdadm –grow /dev/md0 –raid-devices=4

After doing this, you need to resize your filesystem on md0

apt-get install lvm2 lvm-common

pvresize /dev/md0

pvdisplay

You should now be using the full size of the array.

Now all you have to do is

mkfs.ext3 /dev/md0

Postfix Security

Posted in HowTo, Networking, Security, Services on February 1st, 2008 by termina

A major problem with the default postfix install is that any user can send email as any user (even if it’s not your domain!)

The solution is very simple.

Edit /etc/main.cf and add

smtpd_delay_reject = yes
smtpd_helo_required = yes

smtpd_sender_restrictions=check_sender_access,hash:/etc/postfix/domains,

reject_unauth_destination,reject_sender_login_mismatch

Make sure you don’t add ‘permit_mynetworks’ here, or local users (or webmail users) will be able to forge their email.

In /etc/postfix/domains, add

your.domain OK

other.domain OK

and run

postmap /etc/postfix/domains

postfix reload

You might also want to try to help stop spam (along with spamassassin) with blacklists and stopping bad senders.

In /etc/postfix/main.cf

smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination,

reject_invalid_hostname,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_rbl_client list.dsbl.org,reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,permit

I have mixed feelings about blacklists; my website has shown up on them from time to time after all. Still, if you’re willing to get a few false positives then this should help stop quite a bit of spam.

Linux on the iPAQ H4150

Posted in HowTo, Reviews on January 30th, 2008 by termina

This applies to all H4000 series iPAQs (although there may be specific issues here and there).

The files you will need can be downloaded here: http://www.angstrom-distribution.org/releases/2007.12/images/h4000/

You will only need a SD Card for this. It must be 256MB or bigger (total file size is around 180MB).

Download the following files

Angstrom-boot-2.6.21-hh20-r6-h4000.exe
Angstrom-x11-image-glibc-ipk-2007.12-h4000.rootfs.tar.gz
startup.txt
zImage-2.6.21-hh20-r6-h4000.bin

We do this instead of using the “liveramdisk” image in order for wireless to work, and to be able to hard reset your device without losing any linux files/settings.

Using cfdisk or a graphical partition editor create two partitions.

A first (smaller) FAT partition in order to store the *.exe, *.bin and *.txt file(s).

The second (larger) EXT2 partition to store the filesystem. (rootfs)

Mount the ext2 partition, and do the following

tar xpzf Angstrom-x11-image-glibc-ipk-2007.12-h4000.rootfs.tar.gz -C /media/disk2

Where /media/disk2 is your mounted ext2 partition.

You need to edit a file for wireless to work.

/etc/modprobe.d/acx.conf

Remove/blank this file, for some reason the acx module is blacklisted. Perhaps it causes some issues with other 4000 devices?

You should also check out

/etc/network/interfaces

to add some wireless networks.

You should also get rid of some startup programs (if you don’t need them)

Move the following to a safe place (/root?)

/etc/rc5.d/S10dropbear

/etc/rc5.d/S20syslog

/etc/rc5.d/S23bluetooth

This will disable bluetooth support, logging and remote SSH access.

In order for wireless to work after suspend, you need to make two files.

/etc/apm/suspend.d/S50ifdown

case $1 in
start)
ifdown wlan0
rmmod -f acx
;;
esac

/etc/apm/resume.d/S50ifup

case $1 in
start)
modprobe acx
sleep 1
ifup wlan0
;;
esac

Set up your /etc/network/interfaces file (or use the GUI) for ifdown/ifup to work.

You might also want to remove /etc/apm/resume.d/50-gpe-bluetooth-resume

In Windows, browse to your ‘Storage Card’ and run the exe file. Choose the second of the three options for booting linux, and if all goes well you’ll running linux in no time! You will lose all your Windows settings.

If anything goes wrong, do the following to perform a ‘hard reset’

1. Hold down the power button

2. Use the stylus to press down the reset button on the side of the PDA

3. Let go of the power button while still pressing the reset button

4. Let go of reset. Device should boot into Windows.

Other issues/Comments

For some reason, my battery is not detected under Windows 2003 (can’t tell there’s a battery, nor the charge). Works with Linux, so not sure what’s up with that.

Wireless so far has performed flawlessly. I get the same latency I get from my laptop when pinging yahoo.com, and see 2-4ms latency on the same network. Very surprising, since on Windows internal network latency would be around 20-40, with outside networks having horrible (100-200) latency.

All in all, I think I’m going to have a lot of fun with this device. And for around $80 on ebay, it’s not a bad deal.

Speed up network transfers with ssh and tar

Posted in HowTo, Networking on January 27th, 2008 by termina

When you use sftp/scp to transfer directories, you notice it ends up taking a long time. It works on files one at a time and they can often take a small amount of time to start and finish. A solution is to use tar to stream the file over ssh (so you have one continuious stream, without starting/stopping a lot).

ssh [email protected] “tar cf – big_dir/” | tar xf –

I timed transferring a 330MB directory with more than 3600 files in it.

Transferring over 10/100 Ethernet over SMBFS with ‘cp -r’

real    2m45.495s
user    0m0.100s
sys     0m4.424s

Transferring over 54mb WiFi (at 70% signal strength) using ssh/tar

real    2m8.800s
user    0m12.377s
sys     0m10.501s

Transfering over 10/100 Ethernet using ssh/tar

real    0m37.929s
user    0m5.628s
sys     0m4.068s

It took 37 less seconds over wireless (pretty impressive, especially when dealing with only 330MB). It was a full 2 MINUTES (and 8 seconds) faster over the same kind of connection.

This is useful both in a LAN enviornment and over the internet.

iptables logging (the good way) in Debian Etch

Posted in HowTo, Networking, Security on January 23rd, 2008 by termina

When using iptables to log, you generally make a ‘LOG’ chain, and then

iptables -A INPUT -j LOG

iptables -A INPUT -j DROP

To log and then drop.

LOG has some disadvantages though. Using LOG, information will fill up the output of the ‘dmesg’ command as well as the kern.log file. Using Debian Etch, I was unable to get iptables to log to any other file but kern.log.

A better solution is ULOG.

You can clear your dmesg output with ‘dmesg -c’

apt-get install ulogd

iptables -N DROPLOG
iptables -A DROPLOG -j ULOG -m limit –limit 2/hour –ulog-nlgroup 1 –ulog-qthreshold 20

iptables -A DROPLOG -j REJECT
iptables -A INPUT -p tcp -i eth0 –dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -j DROPLOG

This will drop and log all incoming traffic except for port 22.

You shouldn’t need to edit /etc/ulogd.conf, but you might want to check it out.

All information should get logged to /var/log/ulog/syslogemu.log

Remote Syslogd Logging

Posted in HowTo, Networking, Security on January 22nd, 2008 by termina

There are some issues with remote logging using syslogd. By default, anyone can write logs to syslod if it is accepting connections. This can be an issue if someone wants to fill your /var/log with junk.

On a default install of Debian (or just about any distro) you should have all the tools you need already.

On log server edit /etc/default/syslog

SYSLOGD=”-r”

iptables -I INPUT -p udp –dport 514 -s CLIENTIP -j ACCEPT
iptables -A INPUT -p tcp -i eth1 –dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -j DROP

You will want these iptables rules to be loaded on statup. How you do this will vary on your distro, but a simple start/stop script in /etc/rc2.d is the easiest way to go on debian.

On log client edit /etc/syslod.conf

auth.alert @server

mail.* @server

The client’s logs will end up in whatever file auth.alert gets logged to on the server.

Debian 4.0 (Etch) LDAP Server

Posted in HowTo, Networking, Security on January 17th, 2008 by termina

LDAP still gets me from time to time. I’ve set up multiple Debian LDAP servers now, and each time it seems like something new gets me. I’m going to try to put together a set-by-step LDAP guide that is sure to work (with Debian Etch). If you have any problems, please post! This setup has been tested on x86 and amd64 Debian variants.There seem to be some bugs with debian’s default ldap install (missing .so files, config files that don’t work, not remembering settings from the setup screens). However, once everything works it’s rock solid.

apt-get install slapd ldap-utils libnss-ldap libpam-ldap nscd migrationtools


Add your admin password, and accept default ldapi for now. Replace example and net with your domain/hostname (where each “.” is a “dc=”).

libnss-ldap and libpam-ldap are set up the same way, use identical answers (passwords are saved in /etc/*.secret make sure permissions are 600!)

When prompted, replace ‘manager’ with ‘admin’ and example/net with your domain/hostname


Make root local database admin = yes

Database require login = no

Uncomment “rootdn” in /etc/ldap/slapd.conf and make sure all suffix’s are your domain and not a debian default (for example, localdomain or example.net)

Place a “rootpw password” entry under rootdn

/etc/nsswitch.conf should look like:

passwd: compat ldap
group: compat ldap
shadow: compat ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: ldap

cd /usr/share/migrationtools

Edit migrate_common.ph and replace “padl.com” with your domain

./migrate_base.pl > /tmp/base.ldif

./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif

./migrate_group.pl /etc/group /tmp/group.ldif

/etc/init.d/slapd restart

ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/base.ldif

ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/passwd.ldif

ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/group.ldif

cp -p /usr/share/doc/libpam-ldap/examples/pam.d/* /etc/pam.d

apt-get install libpam-cracklib

ln -s /lib/security/pam_unix.so /lib/security/pam_pwdb.so

You may have to remove the first block of text in base.ldif (ldap should already have it)

As far as I can tell, pam_ldap.conf and libnss-ldap.conf are broken by default. Do this to fix them.

echo > /etc/pam_ldap.conf

vim /etc/pam_ldap.conf

base dc=example,dc=net

uri ldap://127.0.0.1/

ldap_version 3

rootbinddn cn=admin,dc=example,dc=net

port 389

pam_password crypt

cp /etc/pam_ldap.conf /etc/libnss-ldap.conf

/etc/init.d/slapd restart

/etc/init.d/nscd restart

You might want to remove a test user from /etc/passwd and /etc/shadow that has been imported to ldap.

su – username

Is a good test. Check /var/log/auth.log if you have problems. If nothing is there, try

/etc/init.d/slapd stop

slapd -u openldap -g openldap -d 999

That will have slapd run as the users it’s supposed to, and be very verbose.

At this point, everything should be working (if not, don’t go forward yet!). Now we can use encryption, to increase the security of our ldap server.

cd /etc/ldap

mkdir ssl

openssl req -new -x509 -nodes -out ldap.pem -keyout ldap.pem -days 3650

chmod 640 ssl/ldap.pem

chmod 750 ssl

chown -R root:openldap ssl

At the very top of /etc/ldap/slapd.conf put

TLSCACertificateFile /etc/ldap/ssl/ldap.pem
TLSCertificateFile /etc/ldap/ssl/ldap.pem
TLSCertificateKeyFile /etc/ldap/ssl/ldap.pem
TLSCipherSuite HIGH:+MEDIUM:!LOW

SSLVerifyClient none

Find the "access"lines near the bottom of slapd.conf and change them like this

access to attrs=userPassword,shadowLastChange
by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=net" write
by tls_ssf=128 ssf=128 anonymous auth
by tls_ssf=128 ssf=128 self write
by * none

and

access to *
by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=net" write
by * read

Make sure you restart

/etc/init.d/slapd restart

Assuming all goes well, you should still be able to "su - username" to your ldap-only user with the added benefit of encryption.

Additionally, if you find that SSL isn't working for you, try doing this.

Add the following to /etc/ldap/ldap.conf

TLS_CACERT /etc/ldap/ssl/ldap.pem
TLS_REQCERT demand

Add this to both pam_ldap.conf and libnss-ldap.conf

ssl start_tls

tls_checkpeer no

tls_cacertfile /etc/ldap/ssl/ldap.pem

After further investigation, 'ssl start_tls' is the way to go. Make sure ldap.conf has your SSL stuff in it and restart slapd and nscd.

http://bbis.us/etch-ldap.tar.gz

Tags:

Ignoring snoopy logs with logcheck

Posted in HowTo, Services on January 17th, 2008 by termina

snoppy is an awesome tool available on the debian archives. It allows you to see what commands your users have run (by default logs to /var/log/auth.log). It acts like a beefed up .bash_history that users cannot disable/delete/etc.

logcheck scans your logs for weird things, and emails them to you.

By default, these two programs do not get along. snoopy entries show up in logcheck’s emails (which can get very, very big). This sort of defeats the purpose of logcheck, since you get sent massive emails with the important stuff hidden between giant blocks of snoopy logs.

To disable this

echo ‘^w{3} [ :0-9]{11} [._[:alnum:]-]+ snoopy.*’ > /etc/logcheck/violations.ignore.d/snoopy

chmod 644  /etc/logcheck/violations.ignore.d/snoopy

ln -s /etc/logcheck/violations.ignore.d/snoopy /etc/logcheck/ignore.d.server/snoopy

Now test it

sudo -u logcheck logcheck

To make more logcheck ignore rules, test your file(s) by:

egrep -f logcheck-file /var/log/auth.log

It will display only what will be ignored.

Make sure the file(s) are 644 (rw r r) or logcheck won’t be able to ignore what’s in the file.

Connect to a Running X Session Remotely

Posted in HowTo, Networking on January 16th, 2008 by termina

From the computer you want to view the remote X session:

ssh [email protected] -L 5900:localhost:5900

If you can only connect to a linux gateway, you can substitute localhost with the internal IP address of the machine you want to vnc to.

ssh [email protected] -L 5900:192.168.1.100:5900

On computer2 do the following.

This does not need to be done as root, but you’ll need to be the actual user running the X session if you log in as a regular user. On ubuntu/debian you can use apt-get install x11vnc.

x11vnc -display :0 -passwd password

If it complains that it cannot connect to :0, try this

x11vnc -auth /var/lib/gdm/:0.Xauth -passwd password

Note that using the :0.Xauth method will work if X is just running at the login screen (so you could connect and log into X as a user).

Now, from computer1, do

vncviewer localhost

This is very useful, but make sure you use a password if port 5900 is open on computer2.

Linux DVR/MythTV Box

Posted in HowTo on January 16th, 2008 by termina

There’s a lot of information out there for building a MythTV box out there. I figured I’d throw in my two cents, and hopefully help people that encountered some of the same problems I did.

First, the hardware.

I picked a good case; it’s a low profile case (so you need low profile cards!). It was pretty cheap, looks nice, and came with a power supply. $20 not including shipping.

http://www.svc.com/ycc-s27.html ($40 with shipping)

Front of Case

Since I was on a budget, I picked up a cheap Motherboard and a low power CPU. I had to purchase a Heatsink/Fan elsewhere since the one that came with the CPU would not fit on the motherboard and had a non-standard 4-pin fan power cable.

AMD Semperon LE-1150 Sparta 2.0Ghz 45W CPU ($40~)

BioStar AM2 Motherboard ($40~)

Combined, these were $80. While I might have liked more speed for this price, I felt the low power consumption was worth it.

2GB – 2x1GB DDR2 667 ($40)

A 60GB SATA Laptop drive (had it laying around) performs beautifully. It’s resonsive, and best of all whisper quiet. It’s not much space, but I have a seperate computer with nearly 500GB of free space that I’ll probably be using for NFS.

60GB SATA Laptop Drive ($45)

The PVR-150 (150MCE-LP) capture card performs well; it has a built-in MPEG encoder which takes stress off the CPU (very useful in this case). New this card is around $75, but you can get one off ebay for $20+ less if you feel cheap.

Haupage PVR-150MCE-LP ($75)

This card had trouble dealing with the splitters I was using (900mhz and 1100mhz). Removing the 900mhz helped. My cable was being run from the 3rd floor to the basement, which might have been a problem too (no other capture card I’ve messed with had this trouble, not sure if it’s something with this card or just a weird quirk my card had).

Now, I needed a card with S-Video or RCA out. I ended up getting a GeForce 4 MX440 64MB. Ebay for this; new low profile video cards are quite expensive. This isn’t a major performance card, but it’s low profile (mine had only a heatsink, so even less noise). It’ll do fine for TV watching, and some light game plaing.

GeForce 4 MX440 64MB Low Profile ($20)

Top of PVR

The last thing this setup needed was a remote control. An ATI Wonder (supported by Linux) was cheap on ebay.

ATI Wonder Remote ($10)

ATI Remote

To get the remote working in Linux isn’t very hard (although it would be nice if lirc would auto-detect controllers). The information is available on mythtv’s website here: http://www.mythtv.org/wiki/index.php/ATI_Remote_Wonder

One important suggestion is to disable the lirc_atiusb module, by adding the following in /etc/modprobe.d/blacklist

blacklist lirc_atiusb

Add the correct module in /etc/modules

ati_remote

Reboot; lircd will no longer hang and your remote should work. 🙂

This setup plays and records video flawlessly (I don’t notice anything while recording and watching at the same time). I play emulators on it (N64, PSX, etc.) with USB-> N64/PSX adapters and definitly think this is worth it. It’s totally silent.

For only $300 including shipping, this isn’t too bad. It could definitly use a larger drive, but personally I like the idea of a central server to store my library (if only to keep down on the noise here in my TV room!).