debian on ss4000

Notes on installing Debian on an Intel ss4000-E arm NAS

A DL10 to DB9 (fe)male cable is needed: a DL10 connector, a DB9 female or male connector depending on how you want to wire it, and a ribbon cable; actually three wires are enough.

 
DL-10       DB9 Male
3     <->   2  RxD
5     <->   3  TxD
9     <->   5  GND


If you want to use a USB-to-serial adapter you may want to use a DB9 female connector and swap pin 3 (TxD) with pin 2 (RxD).



During the installation I will take the new OS image files from an HTTP server in my network.
The squeeze arm iop32x network-console initrd.gz and zImage will be at http://10.21.241.5/ss4k/

Thanks to patience and the Internetz I found out that the wheezy images do not work on my ss4000-e and finally got a squeeze image found at http://ftp.nl.debian.org/debian/dists/squeeze/main/installer-armel/current/images/iop32x/network-console/ss4000e/ to work.

Get initrd.gz and zImage from there and put them in an HTTP server in your LAN.
Alternatively you may load them into the ss4000 flash over the serial interface, which should be slower.


Install minicom or cu
# apt-get install minicom


I am using a USB to serial converter based on the PL2303 Prolific chip
# lsusb |grep PL
Bus 004 Device 003: ID 067b:2303 Prolific Technology, Inc. PL2303 Serial Port

which gives me a serial port at /dev/ttyUSB0
# dmesg |tail -5
[457618.284273] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[457618.284281] usb 4-1: Product: USB-Serial Controller
[457618.284288] usb 4-1: Manufacturer: Prolific Technology Inc.
[457618.286317] pl2303 4-1:1.0: pl2303 converter detected
[457618.298540] usb 4-1: pl2303 converter now attached to ttyUSB0



Setup minicom ( If using a USB to serial converter )
# minicom -o -s
Choose 'Serial port setup'
Set A - Serial Device to '/dev/ttyUSB0'
Set F - Hardware Flow Control to 'No'
( E - Bps/Par/Bits should be by default set to `115200 8N1` which is fine )
Hit Enter
Select 'Save setup as ...' -> 'ss4K1'

Connect the cable from the ss4000 to the serial port or USB-to-serial converter and fire up a session
# minicom -o ss4K1


Power ON the ss4000 and hit Control-C to enter RedBoot
You have one second to hit Control-C, if you miss it, power cycle the ss4000 and try again.


Switch the bootloader to RAM mode and hit Ctrl-C to interrupt the RAM reboot.
RedBoot> fis load rammode
RedBoot> g
+Ethernet eth0: MAC address 00:0e:0c:e9:5c:42
IP: 10.9.9.1/255.255.255.0, Gateway: 10.9.9.1
Default server: 10.9.9.10, DNS server IP: 0.0.0.0

EM-7210 (RAM mode) 2005-12-22
== Executing boot script in 1.000 seconds - enter ^C to abort
^C
RedBoot>


Set up networking ( I had to use /24 masks because I could not set up other masks in Redboot )
RedBoot> ip_address -l 10.21.241.3 -h 10.21.241.5
Test Networking
RedBoot> ping -i 10.21.241.3 -h 10.21.241.5
Network PING - from 10.21.241.3 to 10.21.241.5
PING - received 10 of 10 expected


initrd.gz
RedBoot> load -v -r -b 0x01800000 -m http /ss4k/initrd.gz
/
Raw file loaded 0x01800000-0x01d144ec, assumed entry at 0x01800000
RedBoot>


zImage
RedBoot> load -v -r -b 0x01008000 -m http /ss4k/zImage
\
Raw file loaded 0x01008000-0x01164df7, assumed entry at 0x01008000
RedBoot>


Execute the new Linux kernel
RedBoot>exec -c "console=ttyS0,115200 rw root=/dev/ram mem=256M@0xa0000000" -r 0x01800000


Now the installer starts in the console.

After a few steps you should see something similar to the following
┌───────────┤ [!!] Continue installation remotely using SSH ├───────────┐
│                                                                       │
│                               Start SSH                               │
│ To continue the installation, please use an SSH client to connect to  │
│ the IP address 192.168.1.77 and log in as the "installer" user. For   │
│ example:                                                              │
│                                                                       │
│    ssh installer@192.168.1.77                                         │
│                                                                       │
│ The fingerprint of this SSH server's host key is:                     │
│ b1:4e:bc:b4:c1:d5:7b:10:6a:84:c4:b1:44:95:6a:4a                       │
│                                                                       │
│ Please check this carefully against the fingerprint reported by your  │
│ SSH client.                                                           │
│                                                                       │
│                                                                       │
│                                                                       │
└───────────────────────────────────────────────────────────────────────┘



ssh into 192.168.1.77 with user installer and password install and continue the installation

Set a caching nameserver and an Internet Gateway at 192.168.1.1

Choose a network mirror and continue the installation

Set RedBoot to boot the new debian system

Reboot and hit Control-C to enter RedBoot
RedBoot> fconfig boot_script_data
boot_script_data: 
.. fis load ramdisk.gz
.. fis load zImage
.. exec
Enter script, terminate with empty line
>> fis load -b 0x01800000 ramdisk.gz
>> fis load -b 0x01008000 zImage
>> exec -c "console=ttyS0,115200 rw root=/dev/ram mem=256M@0xa0000000" -r 0x01800000
>> 
Update RedBoot non-volatile configuration - continue (y/n)? y
... Unlock from 0xf1fc0000-0xf1fc1000: .
... Erase from 0xf1fc0000-0xf1fc1000: .
... Program from 0x0ffd2000-0x0ffd3000 at 0xf1fc0000: .
... Lock from 0xf1fc0000-0xf1fc1000: .
RedBoot>reset 



wait ...
Debian GNU/Linux 6.0 unassigned-hostname ttyS0

unassigned-hostname login: root
Password: 
Linux unassigned-hostname 2.6.32-5-iop32x #1 Tue Sep 24 05:31:45 UTC 2013 armv5tel

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

root@unassigned-hostname:~#


Set up the network, hostname, etc.

Check the specs
# cat /proc/cpuinfo
Processor : XScale-80219 rev 0 (v5l)
BogoMIPS : 398.95
Features : swp half thumb fastmult edsp 
CPU implementer : 0x69
CPU architecture: 5TE
CPU variant : 0x0
CPU part : 0x2e2
CPU revision : 0

Hardware : Lanner EM7210
Revision : 0000
Serial  : 0000000000000000



Lucky me, I found a 512MB DDR PC400 stick.
Install it and reboot into RedBoot to change the boot script (mem=256M becomes mem=512M).
== Executing boot script in 1.000 seconds - enter ^C to abort
^C
RedBoot> fconfig boot_script_data
boot_script_data: 
.. fis load -b 0x01800000 ramdisk.gz
.. fis load -b 0x01008000 zImage
.. exec -c "console=ttyS0,115200 rw root=/dev/ram mem=256M@0xa0000000" -r 0x01800000
Enter script, terminate with empty line
>> fis load -b 0x01800000 ramdisk.gz
>> fis load -b 0x01008000 zImage
>> exec -c "console=ttyS0,115200 rw root=/dev/ram mem=512M@0xa0000000" -r 0x01800000
>> 
Update RedBoot non-volatile configuration - continue (y/n)? y
... Unlock from 0xf1fc0000-0xf1fc1000: .
... Erase from 0xf1fc0000-0xf1fc1000: .
... Program from 0x1ffd2000-0x1ffd3000 at 0xf1fc0000: .
... Lock from 0xf1fc0000-0xf1fc1000: .
RedBoot> reset



root@theano:~# free
             total       used       free     shared    buffers     cached
Mem:        516144      29680     486464          0       1996      16832
-/+ buffers/cache:      10852     505292
Swap:       749560          0     749560



Done.



Links :
http://download.intel.com/support/motherboards/server/ss4000-e/sb/ss4000e_tps_13.pdf
http://ecos.sourceware.org/docs-latest/redboot/redboot-guide.html
http://www.debian.org/releases/stable/armel/ch05s01.html.en
http://ftp.nl.debian.org/debian/dists/squeeze/main/installer-armel/current/images/iop32x/network-console/ss4000e/ http://d-i.debian.org/daily-images/armel/daily/iop32x/network-console/ss4000e




Put debian on an Intel SS4000 How-To

apache2 rewrite

Apache 2 Rewrite

Enable the Apache2 rewrite Module on a debian system.
# cd /etc/apache2/mods-available/
# a2enmod rewrite
# service apache2 restart


Example of an .htaccess that forwards www.example.com to example.com
RewriteEngine on
# anchor the host match and escape the dots so that only www.example.com (any case) matches
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=permanent,L]


You may need to allow overrides in the server configuration, e.g.
<Directory "/sites/www.example.com/wwwroot">
  AllowOverride All
  Order allow,deny
  allow from all
</Directory>





Or skip the .htaccess in the wwwroot dir and just put the Rewrite rules in the apache host configuration file.
<Directory "/sites/www.example.com/wwwroot">
RewriteEngine on
# anchor the host match and escape the dots so that only www.example.com (any case) matches
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=permanent,L]
</Directory>


The .htaccess file is read by Apache every time someone visits the URL. I would use it only if I were creating an Apache host for someone who does not have root or someone who does not have experience with systems administration.



apache mod_rewrite manual



mod rewrite example



openwrt hybrid caching DNS

A quick post on how to set up an AWMN-Internet hybrid caching DNS server on OpenWrt.

Install with opkg if you are using some relatively new version of OpenWrt.
# opkg install bind-server


Adjust your /etc/bind/named.conf
# cat /etc/bind/named.conf
options {
 directory "/etc/bind";
 forwarders { 195.170.0.1; 8.8.8.8; };
 listen-on { 127.0.0.1; 10.29.74.1; };
 allow-query-on { any; };
 allow-query { any; };
 allow-recursion { any; };
 auth-nxdomain no;    # conform to RFC1035
};



zone "localhost" {
 type master;
 file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
 type master;
 file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
 type master;
 file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
 type master;
 file "/etc/bind/db.255";
};



zone "awmn" {
 type forward;
 forwarders {
  10.19.143.12;
  10.0.0.1;
  10.19.143.13;
  };
 };

zone "10.in-addr.arpa" {
 type forward;
 forwarders {
  10.19.143.12;
  10.0.0.1;
  10.19.143.13;
  };
 };


zone "ewn" {
 type forward;
 forwarders {
  10.145.7.150;
  10.146.210.130;
  };
 };

zone "mswn" {
 type forward;
 forwarders {
  10.148.50.2;
  10.148.51.2;
  };
 };

zone "cywn" {
 type forward;
 forwarders {
  10.215.255.5;
  };
 };

zone "iwmn" {
 type forward;
 forwarders {
  10.205.3.2;
  };
 };

zone "pwmn" {
 type forward;
 forwarders {
  10.140.14.67;
  10.140.19.209;
  10.140.14.73;
  10.143.4.1;
  };
 };

zone "wana" {
 type forward;
 forwarders {
  10.224.6.66;
  10.224.3.35;
  };
 };

zone "her.wn" {
 type forward;
 forwarders {
  10.176.0.10;
  10.176.0.11;
  };
 };



Restart Bind
# /etc/init.d/named restart


Put it in your /etc/resolv.conf
# echo "nameserver 127.0.0.1" > /etc/resolv.conf



Done!

195.170.0.1 is the caching DNS server of a large Greek ISP.

You may add more forwarders in options from this list of public DNS servers.

Replace and add IP addresses to listen-on accordingly.

Do not add AWMN-Internet hybrid DNS servers to the forwarders in options.
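As an added check (not BIND's code and not the page author's), the following Python reads the options block above and flags allow-recursion { any; } combined with a non-loopback listen-on address: as configured, any host that can reach 10.29.74.1 can use the router as a recursive resolver. The acl trusted variant is a constructed alternative that limits recursion to loopback and the 10/8 community space; adjust the acl to your own ranges. The statement parsing is a small regex, not a full named.conf parser (it does not understand forms such as listen-on port 53 { ... }, for instance).

```python
import ipaddress
import re

# The options block posted on this page (forwarders and listen addresses as given).
PAGE_OPTIONS = """
options {
 directory "/etc/bind";
 forwarders { 195.170.0.1; 8.8.8.8; };
 listen-on { 127.0.0.1; 10.29.74.1; };
 allow-query-on { any; };
 allow-query { any; };
 allow-recursion { any; };
 auth-nxdomain no;    # conform to RFC1035
};
"""

# Constructed alternative: recursion only for loopback and the 10/8 community space.
RESTRICTED_OPTIONS = """
acl trusted { 127.0.0.0/8; 10.0.0.0/8; };
options {
 directory "/etc/bind";
 forwarders { 195.170.0.1; 8.8.8.8; };
 listen-on { 127.0.0.1; 10.29.74.1; };
 allow-query { trusted; };
 allow-recursion { trusted; };
 auth-nxdomain no;
};
"""


def address_list(conf, statement):
    """Items of `statement { a; b; };`, or [] when the statement is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(statement), conf)
    return [t.strip() for t in m.group(1).split(";") if t.strip()] if m else []


def acl_members(conf):
    """Map acl name -> items, so statements may reference an acl by name."""
    return {name: [t.strip() for t in body.split(";") if t.strip()]
            for name, body in re.findall(r"\bacl\s+(\S+)\s*\{([^}]*)\}", conf)}


def expand(items, acls):
    """Replace acl names by their members (recursively)."""
    out = []
    for item in items:
        out.extend(expand(acls[item], acls) if item in acls else [item])
    return out


def open_recursion_findings(conf):
    """Findings about recursion offered to the world; [] means none found."""
    acls = acl_members(conf)
    # BIND 9 listens on all IPv4 interfaces when listen-on is not set.
    listen = address_list(conf, "listen-on") or ["any"]
    exposed = [a for a in listen if a == "any" or not ipaddress.ip_address(a).is_loopback]
    recursion = expand(address_list(conf, "allow-recursion"), acls)
    findings = []
    if exposed and "any" in recursion:
        findings.append(f"allow-recursion {{ any; }} while listening on {exposed}: "
                        "open recursive resolver")
    for item in recursion:                   # catch typos in hand-written acl entries
        if item not in ("any", "none", "localhost", "localnets"):
            ipaddress.ip_network(item, strict=False)
    return findings


if __name__ == "__main__":
    for label, conf in (("page", PAGE_OPTIONS), ("restricted", RESTRICTED_OPTIONS)):
        print(label, open_recursion_findings(conf) or "no findings")
```

With the restricted variant, Internet-side clients still get answers for the zones the server is authoritative for, but recursion and cache use are limited to the community and loopback addresses, which is what keeps the router out of DNS amplification traffic.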



OpenWrt hybrid caching DNS How-to

A monitor for wireless internets that use BGP as their inter-AS Routing Protocol





A monitor for wireless internets that use BGP as their inter-AS Routing Protocol



Background and the AWMN model

In the AWMN and other community-owned wireless internets, network enthusiasts own, set up, and maintain network and RF equipment on a best-effort basis. Most wireless nodes are Autonomous Systems (AS) and the vast majority of inter-AS links are wireless.

Most of the networking and RF equipment is exposed to harsh environments. Equipment failures, configuration errors, equipment incompatibilities, and plain old pranks are much, much more common than in professional ISP networks.

There is a Number and Name Authority, aka Host-master, per community, but there is no single authority with administrative access to all the networking equipment. There are usually Node Databases, but where they exist they are incomplete and contain a large amount of false information. Many wireless communities in Greece are interconnected through wireless and Internet connections.

There are no peering agreements between nodes and communities and no established protocols to deal with problems. Community spirit and good interpersonal relationships between node operators are not always enough. The vast coverage areas and the large number of network nodes increase the complexity of monitoring.





Abstract

This post discusses a Monitor for wireless internets that use BGP as their inter-AS Routing Protocol. The Monitor has access to the Node Database, BGP daemon tables, Routers, and Sensors across the internet. It raises alarms about problems to the Number and Name Authorities and Node Operators, draws a near-real-time connectivity graph, and could potentially act automatically on events to correct or contain problems.





Definitions

Node Database

A database with IP numbers, node geographical coordinates (latitude, longitude, elevation), node operator contact information, DNS zones, link information, and information on services provided by various nodes across the internet. The Number and Name Authorities, aka Host-masters, of the internet allocate and assign resources through the Node Database, and most of the information is put there by the node operators. In the AWMN the Wireless Node Database, WiND, is used.



Node

An Autonomous System as defined in RFC 4271 where most inter-AS links are wireless and most links within the Autonomous System are wired.



Node Operator

A community member who acts as a node administrator to one or more nodes. He usually has one wireless node on the rooftop of his residence.





1 Border Gateway Protocol Monitor

Our internet monitoring system has access to many BGP Speakers across the internet. In a wireless, non-professional, non-homogeneous internet as-paths change very often and it is very common to find wrong as-paths, ghost links and ghost prefixes in a BGP table. We have access to many BGP tables but we need a way to attach levels of certainty to the information they contain. Also, in community-based internets configuration mistakes and pranks such as IP hijacks are common. The following procedure attempts to deal with ghost links, ghost prefixes, configuration mistakes, and IP hijackings by using the information in BGP tables from across the internet.




We get the BGP tables from across the internet at short, regular intervals, e.g. every 30 minutes.

We detect prepends, log them, and filter them out of the input to the rest of the process.

We detect BGP Communities, log them, and filter them out of the input to the rest of the process.

Now every path shorter than 255 ASes that contains the same Autonomous System more than once indicates a loop; it should be alarmed and excluded from the following process (RFC 4271 25.1).

We split the table into pairs of AS numbers to get the links.

To attach a level of certainty to a pair we calculate a weight by adding a point on every hop, starting from the table in which we found it.
e.g. consider the following as-path on AS 1:
2 3 4 5 6
The weight w of the pair 1 2 is 0+1=1, i.e. w(1,2)=1, and w(2,3)=3; the smaller the weight, the more probable it is that the link exists. When an AS number x has a w(x,y)=1, meaning we have access to its table, a pair x,z with w(x,z)=33 is invalid and should be alarmed.

For every prefix in the tables we check if it is assigned by the Number Authority and if not we alarm the host-master.

For every prefix in the tables we check if it is assigned by the Number Authority to the AS advertising it and if not we alarm the host-master.

If we find an AS not assigned to anyone by the Number Authority we alarm the host-masters.

We detect prefixes announced multiple times that, according to our Number Authority, should not be anycast. If we find such prefixes we can figure out, using information from the Number Authority, who is cheating or messed up, and alarm host-masters and operators.

If we see a path leading to a node-AS whose BGP table we have access to, with a prefix not announced there, then this is a Ghost Prefix; this is the easy part. To guess Ghost Prefixes on paths leading to Autonomous Systems to which we do not have access we will use the weights to attach certainty.

For the prefix weight we use the size of the as-path.

Again, the smaller the weight, the higher the probability the prefix exists.

While we traverse the tables lower weights replace higher weights.

We are trying to figure out if the small prefixes announced are valid (an easy way to do this would be to check against a list maintained by the Number Authority). Invalid small prefixes can create parallel internet spaces for large prefixes announced by ASes with one or a few unstable links.

Detect prefixes that should not pass the BGP filters agreed by the community.



2 Classic and Not So classic Nagios Stuff

We will need to complement the Monitor with classic Nagios ICMP echo checks, since BGP tables may quickly become nothing more than tables of forwarding intentions in a wireless internet.

We could make use of tracepath scripts to detect asymmetries.

Since this is a wireless internet we will need to monitor Connection Quality (CCQ), signal-to-noise ratios, noise level, and signal strength. These are available through SNMP in many routers, so adding them to a Nagios-like system is simple ( examples )





3 Smart Routers

Most wireless routers nowadays are harsh embedded systems that have plenty of CPU and RAM. We may use scripts to add some brains and network-healing capabilities to them.

e.g. in the AWMN it is common enough for a dish antenna to be moved by strong winds or for a feeder to fill with water after a storm. The link quality may drop drastically but the BGP session remains active. However, since the link quality is very poor, many frames and IP packets are dropped, the ones using it suffer, and the quality of the internet drops. Another route, as long or even longer but higher in quality, could be used instead. A script may monitor the signal strength of each link and close the appropriate BGP session if the link quality drops drastically (an example script)

A smart router may prepend its autonomous system to the AS-path as a first measure and close the BGP session as a last measure. The router could also act based on Connection Quality and other link quality metrics.









URI: A monitor for wireless internets that use BGP as their inter-AS Routing Protocol

WTF Google Safe Browsing

WTF Google Safe Browsing?

safebrowsing ipduh.com

Truth

IPduh is not compromised and has nothing to do with malware distribution.
Quite the opposite is True.



Rant

Google Safe Browsing, thank you for wasting my time, the headache and this post.



What Happened

ipduh has a little simple tool called bouncer that checks if a URI is mentioned in a black list before forwarding you there. It is used mostly to hide referrals by people who post links, and it uses, among other external and ipduh tools, the Google Safe Browsing API ( when it works ). What an irony! ( on multiple levels )

So, Safe Browsing saw URIs like the following and made some false associations.

http://ipduh.com/url/bouncer/?fitmaster.gr
http://ipduh.com/url/bouncer/?antarsya.gr
http://ipduh.com/url/bouncer/?grayicon.com


According to Google Safe Browsing those sites were distributing malware at some time.
For most of the sites above the bouncer was saying:
Attention!
malware
Please check dns/bl


Still want to go? Use: www





A Few Pointers to the Safe Browsing People

  • You are not the only one who may warn about potentially malicious websites.
  • When you say that x site is very bad be sure about it.
  • Vague Scary Words do not help anyone.
  • If you continue using URI associations like that you are going to become a First Grade Annoyance Tool that can easily be manipulated by clueless haxors with one week of training.




WTF Google "Safe" Browsing

Enable - Disable BGP peer based on signal strength.

In the AWMN it is common enough for a dish antenna to be moved by strong winds or for a feeder to fill with water after a storm. The link quality may drop drastically but the BGP session remains active. However, since the link quality is very poor, many frames are dropped, the people using it suffer and the quality of the internet drops. Another route, as long or even longer but higher in quality, could be used instead. A script may monitor the signal strength of each link and close the appropriate BGP session if the link quality drops drastically.

The following is such a script, written for RouterOS by George Katsimagklis aka SV1BDS (ham radio callsign and AWMN handle), inspired by an AWMN VoIP conversation we had. There is a thread in Greek about it in the AWMN forum.

The script

# monitor WLAN1 status
# Globals persist between scheduler runs, so the script can tell a state change
# (link up/down, RSSI good/bad) from the steady state and only then send mail
# and touch the BGP peer.
:global wlan1status
:global wlan1RSSI
# Site-specific settings: the wireless interface, the alert recipients, the
# signal-strength threshold (dBm) below which the link counts as bad, the SMTP
# relay, and the name of the BGP peer to disable/enable.
:local interfacename "wlan1-xyz"
:local myemail "69xxxxxxxx@mycosmos.gr,zzzzz@yahoo.com"
:local RSSIlevel -75
:local SMTPserver "smtp.gmail.com"
:local peername "SV1XYZ"

# Local variables
:local int
:local mysubject
:local RSSIs "-1dB"
:local RSSI
:local statusnow "down"
:local s

:foreach int in=[/interface wireless registration-table find interface=$interfacename] do={
    :set statusnow "up"
    :set RSSIs [/interface wireless registration-table get $int signal-strength]}

:set RSSI [:tonum [:pick $RSSIs 0 [:find $RSSIs "d" 0]]]

#:log info $RSSI
#:log info $statusnow

:if ([:typeof $wlan1status] = "nothing") do={
     :set wlan1status $statusnow
  } else={:if ($wlan1status != $statusnow) do={
              :set mysubject ($interfacename." on ".[/system identity get name]." is ".$statusnow)
             /tool e-mail set address=[:resolve $SMTPserver]
             :foreach s in=[:toarray $myemail] do={
                  /tool e-mail send to=$s subject=$mysubject}
             :log info $mysubject
             :set wlan1status $statusnow
             :foreach int in=[/routing bgp peer find name=$peername] do={
                 :if ($statusnow = "up") do={
                      /routing bgp peer enable $int
                 } else={
                      /routing bgp peer disable $int
                 }
             }
         } 
 }
:if ($statusnow="up") do={
  :if ([:typeof $wlan1RSSI] = "nothing") do={
      :if ( $RSSI<$RSSIlevel) do={
          :set wlan1RSSI "BAD"
          :set mysubject ($interfacename." on ".[/system identity get name]." RSSI is ".$RSSI." (".$RSSIlevel.")")
          /tool e-mail set address=[:resolve $SMTPserver]
          :foreach s in=[:toarray $myemail] do={
              /tool e-mail send to=$s subject=$mysubject}
          :log info $mysubject
          :foreach int in=[/routing bgp peer find name=$peername] do={ /routing bgp peer disable $int }
      } else={
           :set wlan1RSSI "OK"
           :foreach int in=[/routing bgp peer find name=$peername] do={ /routing bgp peer enable $int }
      }
  } else={:if ( $RSSI<$RSSIlevel and $wlan1RSSI="OK") do={
                 :set wlan1RSSI "BAD"
                 :set mysubject ($interfacename." on ".[/system identity get name]." RSSI is ".$RSSI." (".$RSSIlevel.")")
                 /tool e-mail set address=[:resolve $SMTPserver]
                 :foreach s in=[:toarray $myemail] do={
                       /tool e-mail send to=$s subject=$mysubject}
                 :log info $mysubject
                 :foreach int in=[/routing bgp peer find name=$peername] do={ /routing bgp peer disable $int }
                 }
              :if ( !($RSSI<$RSSIlevel) and $wlan1RSSI="BAD") do={
                 :set wlan1RSSI "OK"
                 :set mysubject ($interfacename." on ".[/system identity get name]." RSSI is ".$RSSI." (".$RSSIlevel.")")
                 /tool e-mail set address=[:resolve $SMTPserver]
                 :foreach s in=[:toarray $myemail] do={
                        /tool e-mail send to=$s subject=$mysubject}
                 :log info $mysubject
                 :foreach int in=[/routing bgp peer find name=$peername] do={ /routing bgp peer enable $int }
               }
  }
}
#:log info "end"






Enable-Disable BGP peering based on signal strength

5GHz - 3x3 MIMO Antenna - 3x3 MIMO Feeder

In the past three months nikolas_350, other members of the AWMN community, and I have been trying to design antennas for long-range 3x3 Multiple Input Multiple Output (MIMO) wireless links.

When Atheros-based 3x3 MIMO miniPCI express cards were made available at reasonable prices we decided to come up with a 3x3 MIMO 5GHz feeder design, or at least a practical 3x3 MIMO antenna system, and after one, at times heated, discussion we concluded to construct three types of feeders and run a series of tests. We chose to try out combinations of polarizations, single and multiple offset dish antennas and feeders, and LMR cable lengths until we achieve a practical way to differentiate the three streams enough to achieve 3x3 MIMO above MCS20 on long range links.

We started our quest confident that we can create a four dish-four feeders per link system, hoping that in the process we will come up with a practical two dish-two feeders per link system.

In the AWMN we use mostly offset dish Antennas with 5GHz copper feeders we make ourselves.



We have single ( one polarization ) feeders and double ( horizontal and vertical polarization ) feeders. Our double feeders have been working great in Long 2x2 MIMO 802.11N Links.

classic AWMN 5GHz Feeders







We decided to use RouterOS powered devices in our tests since many people in this group were familiar only with this operating system. Also we had heard rumors that RouterOS works OK with the Atheros based 3x3 MIMO miniPCI express cards and we wanted to try out the Nv2 protocol with 3x3 MIMO.



The Feeders we constructed


The tough parts were made by nvac. We are not a factory --yet.

The 0,90,225 feeder

The 0,120,240 degrees feeder from behind


The 0,120,240 feeder
The 0,120,240 degrees feeder without n-types from above



The 0,90,270 feeder



Our Tests

Our tests were simple.
"It works" means three spatial streams registered with a sustainable index above MCS20 and bandwidth throughput greater than the 2x2 MIMO upper limit. The 2x2 MIMO maximum bandwidth throughput is approximately 210Mb/s UDP for a 40MHz channel.



Test 1)
Indoor
Three small antennas on each node
A few centimeters up to 10 meters distance between the nodes

When I say small, I mean it, the antennas were λ/4 copper wires.

In the few centimeters up to 2 meters distances the results were excellent and we saw the wireless registration locking at 450Mb/s, and bandwidth tests reporting more than 300Mb/s UDP traffic.





Test 2)
Indoor
One 0,90,225 feeder on each node
5m and 10m distance between the nodes
In a nutshell, it did not work.
We saw momentarily rates above the MCS20 index.



Test 3)
Indoor
One 0,120,240 feeder on each node
5m and 10m distance between the nodes
In a nutshell, it did not work.
We saw momentarily rates above the MCS20 index.



Test 4)
Indoor
One 0,90,270 feeder on each node
It did not work.



Test 5)
Indoor
Two Feeders on each node
One feeder with horizontal and vertical polarization and one feeder with diagonal polarization
It works.
However, we are indoors and away from practical.



The Long Outdoor Tests were made in the ipduh-nikolasc link ~3,5 Km distance.

The offset parabolic dishes we are using are 80cm Gilbertini.

Test 6)
Outdoor
One offset parabolic dish with a 0,90,225 feeder on each node
It does not work.
We saw momentarily rates above the MCS20 index.



Test 7)
Outdoor
One offset parabolic dish with a 0,90,270 feeder on each node
It does not work.



Test 8)
Outdoor
One offset parabolic dish with a 0,120,240 feeder on each node
It does not work.
We saw momentarily rates above the MCS20 index.



Test 9)
Outdoor
Two offset parabolic dishes with two feeders on each node
One Feeder with vertical & horizontal polarizations and the other with a diagonal 45 degree polarization.
We did not test it yet.


Test 10)
Outdoor
1 offset parabolic dish with the 0,90,225 feeder on each side and variable length LMR cables.
We may achieve to differentiate one stream enough this way.
We did not test it yet.


Test 11)
Outdoor
1 offset parabolic dish with the 0,120,240 feeder on each side and variable length LMR cables.
We did not test it yet.




Waiting for nikolas_350 to recover from the Summer Vacation and get back to business.


to be continued ...



5GHz - 3x3 MIMO Antenna - 3x3 MIMO Feeder

Monitoring wireless BGP internets - Part 3

This is a rough sketch of a network monitor for community owned wireless BGP internets.

Consider a BGP internet monitoring system with access to
many BGP tables across the internet
and a Number Authority-Node Database eg: WiND or NodeDB

I am trying to figure out a process to attach levels of certainty to the information in the tables, find ghost links and ghost prefixes, and throw alarms.

The process aka the order algorithm:

We detect and filter out prepends.

Now, every path that contains the same Autonomous System more than once indicates a loop; it should be alarmed and excluded from the following process.

Links: We split the table into pairs of AS numbers to get the links.

To attach a level of certainty to a pair we calculate a weight by adding a point for every hop, starting from the AS in which we found the pair.
e.g. consider the following as-path on AS 1:
2 3 4 5 6
The weight w of the pair 1 2 is 0+1=1, i.e. w(1,2)=1, and w(2,3)=3; the smaller the weight, the more probable it is that the link exists.

While we traverse the BGP Tables lower weights replace higher weights.

When, for an AS number x, there is a w(x,y)=1 ( we have access to its table ),
a pair x,z with w(x,z)=33 is invalid for sure and should be alarmed.

Prefixes:

For every prefix in the tables we check if it is assigned by the Number Authority, if not we alarm.

For every prefix in the tables we check if it is advertised by the AS to which it is assigned by the Number Authority; if not we alarm.

We detect prefixes announced multiple times that, according to our Number Authority, should not be anycast. If we find such prefixes we use the information from the Number Authority to figure out who is cheating or messed up, and alarm.

Ghost Prefixes:

If we see a path leading to a node whose table we have access to, with a prefix not announced there, then this is a Ghost Prefix. This is the easy part. We may attempt to guess Ghost Prefixes on paths leading to Autonomous Systems to which we do not have access using the weights.

For the prefix weight we use the size of the as-path.
Again, the smaller the weight, the higher the probability the prefix exists.

Again, while we traverse the tables lower weights replace higher weights.
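The link-weight, ghost-link and prefix checks described in section 1 of the monitor post above and in the process sketched here, worked through in Python. This is an added example, not code from the page's author or from any AWMN project. The BGP tables and the Number Authority data are constructed; the weight formula is our reading of "adding a point on every hop": the k-th hop away from the viewpoint adds k points, which reproduces the page's w(1,2)=1 and w(2,3)=3. Prepends are collapsed and logged, looped paths are alarmed and dropped, lower weights replace higher ones as the tables are traversed, and a link is flagged as a ghost when an AS whose table we hold does not list the other end as a direct neighbour. BGP communities are not modelled.

```python
from collections import defaultdict

# Number Authority data (constructed): prefix -> assigned AS, and the assigned ASNs.
# A real monitor would pull these from WiND or NodeDB.
ASSIGNED_PREFIXES = {"10.10.0.0/16": 1, "10.20.0.0/16": 2, "10.30.0.0/16": 3,
                     "10.40.0.0/16": 4, "10.41.0.0/24": 4, "10.50.0.0/16": 5,
                     "10.60.0.0/16": 6}
ASSIGNED_ASES = {1, 2, 3, 4, 5, 6}

# BGP tables we can read (constructed): viewpoint AS -> {prefix: AS path seen there}.
# As in a real table, the viewpoint AS itself is not part of the path.
TABLES = {
    1: {"10.10.0.0/16": [], "10.20.0.0/16": [2], "10.30.0.0/16": [2, 3],
        "10.40.0.0/16": [2, 3, 4],
        "10.60.0.0/16": [2, 3, 4, 5, 6],   # the page's "2 3 4 5 6" path on AS 1
        "10.50.0.0/16": [2, 4, 5],         # claims a 2-4 link neither AS 2 nor AS 4 has
        "10.41.0.0/24": [2, 3, 4],         # AS 4's own table lacks it: ghost prefix
        "10.70.0.0/16": [2, 3, 3, 3, 7],   # prepends by AS 3; AS 7 and prefix unassigned
        "10.99.0.0/24": [2, 9, 2, 8]},     # AS 2 twice, not adjacent: a loop
    2: {"10.10.0.0/16": [1], "10.20.0.0/16": [], "10.30.0.0/16": [3],
        "10.40.0.0/16": [3, 4], "10.60.0.0/16": [3, 4, 5, 6]},
    4: {"10.10.0.0/16": [3, 2, 1], "10.20.0.0/16": [5],  # AS 5 originates AS 2's prefix
        "10.30.0.0/16": [3], "10.40.0.0/16": [], "10.60.0.0/16": [5, 6]},
}


def normalise_path(path):
    """Collapse prepends (adjacent repeats); return (clean path, prepended?, loop?)."""
    clean = []
    for asn in path:
        if not clean or clean[-1] != asn:
            clean.append(asn)
    return clean, len(clean) != len(path), len(set(clean)) != len(clean)


def link(a, b):
    """Links are undirected: store every pair as a sorted tuple."""
    return (a, b) if a < b else (b, a)


def analyse(tables, assigned_prefixes, assigned_ases):
    """Return (link weights, prefix weights, alarms) over all readable tables."""
    alarms, link_w, prefix_w = [], {}, {}
    direct = defaultdict(set)    # viewpoint AS -> neighbours its own table shows at hop 1
    origins = defaultdict(set)   # prefix -> every originating AS seen for it
    unknown_ases = set()
    for vp, routes in tables.items():
        for prefix, path in routes.items():
            clean, prepended, looped = normalise_path(path)
            if prepended:
                alarms.append(("prepend", vp, prefix, tuple(path)))
            if looped:                      # alarm the loop and drop the route
                alarms.append(("loop", vp, prefix, tuple(path)))
                continue
            # Link weight: the k-th hop from the viewpoint adds k points, so the first
            # link scores 1 and the second 1+2=3, matching the page's w(1,2)=1 and
            # w(2,3)=3 (our reading of "a point on every hop"). Lower weights win.
            hops, w = [vp] + clean, 0
            for k in range(1, len(hops)):
                w += k
                pair = link(hops[k - 1], hops[k])
                link_w[pair] = min(w, link_w.get(pair, w))
            if clean:
                direct[vp].add(clean[0])
            origin = clean[-1] if clean else vp
            origins[prefix].add(origin)
            # Prefix weight is the as-path length; again the lowest seen is kept.
            prefix_w[prefix] = min(len(clean), prefix_w.get(prefix, len(clean)))
            unknown_ases.update(asn for asn in clean if asn not in assigned_ases)
            owner = assigned_prefixes.get(prefix)
            if owner is None:
                alarms.append(("unassigned_prefix", vp, prefix, origin))
            elif owner != origin:
                alarms.append(("wrong_origin", vp, prefix, origin))
            # Ghost prefix: the path ends at an AS whose table we hold, yet that
            # table does not carry the prefix.
            if origin in tables and prefix not in tables[origin]:
                alarms.append(("ghost_prefix", vp, prefix, origin))
    # Ghost link: an endpoint whose table we hold does not list the other end as
    # a direct neighbour (the page's "w(x,y)=1 yet w(x,z)=33" case).
    for (a, b), w in sorted(link_w.items()):
        denied = tuple(e for e, o in ((a, b), (b, a)) if e in tables and o not in direct[e])
        if denied:
            alarms.append(("ghost_link", (a, b), w, denied))
    for prefix, seen in origins.items():    # these prefixes must not be anycast
        if len(seen) > 1:
            alarms.append(("multiple_origins", prefix, tuple(sorted(seen))))
    for asn in sorted(unknown_ases):
        alarms.append(("unassigned_as", asn))
    return link_w, prefix_w, alarms


if __name__ == "__main__":
    link_w, prefix_w, alarms = analyse(TABLES, ASSIGNED_PREFIXES, ASSIGNED_ASES)
    for pair in sorted(link_w):
        print("link", pair, "weight", link_w[pair])
    for alarm in alarms:
        print("ALARM", *alarm)
```

On the constructed data the run reports the prepended and looped routes, the 2-4 link that only AS 1's table claims, the 10.41.0.0/24 prefix that AS 4 itself does not announce, the unassigned AS 7 and its prefix, and 10.20.0.0/16 originated by both AS 2 and AS 5. Feeding it real tables means collecting them at the page's 30-minute interval and keeping the previous run's alarms so that only new ones reach the host-masters.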





This BGP monitoring system combined with
  • information from a Node Database eg: WiND or NodeDB
  • some classic nagios stuff
  • and some not so classic nagios stuff ( nagios1 , nagios2-missinglink router_scripts-missinglink )
can create monitoring systems that can throw meaningful alarms, draw near-real-time maps, and even do some self-healing.



thoughts on monitoring wireless BGP internets

HP ProCurve Switches UDP and other issues

A short note about dealing with UDP issues on daisy-chained managed ProCurve switches.

I noticed a funny problem on an AWMN node that uses two daisy-chained managed HP ProCurve switches. The routers on one of the switches were not able to get NTP updates from the time-servers connected to the other switch.

The routers having the issues were running RouterOS with their ntp clients set to unicast. The same RouterOS routers could get ntp updates just fine from interfaces not attached to the switch.

OpenWrt routers on the same switch did not have any problems talking to and synchronizing with time-servers attached to the other switch.



What Solved it?

On the switch
Security -> Advanced Security -> Disable Auto DoS & Disable Storm Control



hp pro curve madness

Tor Node Setup Notes debian

Notes Taken while setting up a Tor Relay Node.

The Debian System
# cat /etc/issue /etc/debian_version;lsb_release -c
Debian GNU/Linux 7 \n \l

7.1
Codename: wheezy


Add the TorProject repository to the apt sources.
# echo "deb http://deb.torproject.org/torproject.org wheezy main" >> /etc/apt/sources.list


Add the torproject gpg key
# gpg --keyserver keys.gnupg.net --recv 886DDD89
# gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
TorProject debian based Install

Update apt
# apt-get update


Optionally
# apt-get install deb.torproject.org-keyring


You may need to comment out the main repository, run apt-get update again, and then install Tor with apt-get
# apt-get install tor


The configuration: /etc/tor/torrc.

I did set a few more directives in torrc, but I think that at least the following should be set:
SocksPort
SocksPolicy
ORPort
Address
OutboundBindAddress
Nickname
ContactInfo
TorProject torrc

To minimize the abuse complaints you may want to use a reduced exit policy eg:
ExitPolicy accept *:80                   #g0
ExitPolicy accept *:110                  #g0
ExitPolicy accept *:143                  #g0
ExitPolicy accept *:443                  #g0
ExitPolicy accept *:993                  #g0
ExitPolicy accept *:5222-5223            #g0
ExitPolicy accept *:8080                 #g0
ExitPolicy accept *:11371                #g0
ExitPolicy reject *:*                    #g0
Or use the Reduced Exit Policy recommended by the Tor Project
TorProject ReducedExitPolicy

You may want to set the BandwidthRate and RelayBandwidthBurst.

URI: http://alog.ipduh.com/2013/08/tor-node-setup-notes-debian.html

which installed debian packages depend on a debian package

Which installed debian packages depend on a debian package?

There must be a lazier way of doing this.

I was not able to find that lazier way while searching the interwebz for over five minutes, and it took me 10 minutes to write the following script and this post.

whatdependsonfrominstalled.sh
#!/bin/bash
#g0 2013 http://alog.ipduh.com/2013/08/which-installed-debian-packages-depend.html
## whatdependsonfrominstalled.sh: find out which installed debian packages depend on the passed debian package
## whatdependsonfrominstalled.sh: usage:: whatdependsonfrominstalled.sh debian-package-name :::eg::: whatdependsonfrominstalled.sh libc6

ME="whatdependsonfrominstalled.sh"
MEAT="/usr/bin/${ME}"

# no package name given: print the usage lines (the ones starting with ##) and exit
if [ -z "$1" ]; then
 egrep '^##' "${MEAT}"
 exit 3
fi

# walk every installed package (status "ii" in dpkg -l) and look for the
# requested package among its Depends: lines
for i in $(dpkg -l | egrep "^ii" | cut -f3 -d' '); do

 if apt-cache depends "${i}" | grep Depends: | grep "${1}" > /dev/null; then
  echo "--"
  echo "${i}"
  apt-cache depends "${i}" | grep "${1}"
  echo "--"
 fi
done



To get and install whatdependsonfrominstalled.sh
# wget kod.ipduh.com/lib/whatdependsonfrominstalled.sh
# chmod 755 whatdependsonfrominstalled.sh
# mv whatdependsonfrominstalled.sh /usr/bin


Usage example
$ whatdependsonfrominstalled.sh rpcbind
--
nfs-common
  Depends: rpcbind
--


URI: http://alog.ipduh.com/2013/08/which-installed-debian-packages-depend.html

portsentry

Portsentry on debian notes

The main configuration file --/etc/portsentry.conf-- does a really good job of being self-explanatory.


You may choose to block or not-block scanners with
BLOCK_UDP="0"
BLOCK_TCP="0"
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)


Scan Response
The response(s) are defined in the KILL_ROUTE, KILL_HOSTS_DENY and KILL_RUN_CMD directives.
You may:
  • route the scanner's traffic to a host that does not exist
     KILL_ROUTE="/sbin/route add -host $TARGET$ gw 3.4.5.6"

  • reject traffic from the scanner eg:
     KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

    (enabled by default in the debian package)
  • drop traffic from the scanner using a packet filter eg:
     KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"

  • add the scanner's IP address to /etc/hosts.deny eg:
      KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

  • run a command
      KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$ $MODE$"

    before or after `blocking`, according to
     KILL_RUN_CMD_FIRST = "0"



All 'scanning' IP addresses are appended to portsentry.history.
Debian puts portsentry.history at /var/lib/portsentry/portsentry.history

A scanner could choose to avoid the TCP_PORTS and UDP_PORTS in the default portsentry configuration. To mitigate this, add a few more unused ports in the (1024,61000) range.

An attacker may use forged packets to fool portsentry into blocking legitimate networks.

I usually add a few friendly networks to the ignore list --instructing portsentry to ignore scans from there-- and I recommend it to everyone with the BLOCK_TCP directive set to true and KILL_ directives enabled that mess with the routing table, drop packets, or populate the hosts.deny list.

To `permanently whitelist` hosts and networks you never want blocked, put them in /etc/portsentry/portsentry.ignore.static.

Trusted hosts and networks used for administration, along with 127.0.0.0/8 and 0.0.0.0/0, are good candidates. 0.0.0.0/0 does not mean you trust the whole IPv4 Internet. It means you never reroute the 0.0.0.0/0 route to a blackhole or drop everything from 0.0.0.0/0.

The host's network interfaces are added by portsentry to portsentry.ignore on startup, so you do not need to worry about them. /etc/portsentry.ignore contains all the IP networks currently not affected by KILL_ROUTE. To add a CIDR, edit /etc/portsentry.ignore.static and restart portsentry.
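An added example, not part of portsentry or of the original post, that audits portsentry.history against the networks you keep in the ignore list: a blocked address inside a trusted network means the ignore list was incomplete when the hit came in, or forged packets tricked portsentry into blocking a friendly host. The history lines and the trusted networks below are constructed (RFC 5737 addresses); the line layout is the one the awk script further down relies on.

```python
# Added example: parse portsentry.history, flag blocked addresses that fall
# inside trusted networks, and summarize who got blocked on which ports.
import ipaddress
import re
from collections import Counter

# Line layout of portsentry.history:
#   <epoch> - <mm/dd/yyyy> <hh:mm:ss> Host: <name>/<ip> Port: <port> <proto> Blocked
HISTORY_RE = re.compile(
    r"^(?P<epoch>\d+) - (?P<date>\S+) (?P<time>\S+) "
    r"Host: (?P<name>\S+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Port: (?P<port>\d+) (?P<proto>TCP|UDP) Blocked$"
)

# Constructed sample history (documentation addresses), not a real log file.
SAMPLE_HISTORY = """\
1372612345 - 06/30/2013 19:12:25 Host: scanner.example.net/203.0.113.7 Port: 23 TCP Blocked
1372612399 - 06/30/2013 19:13:19 Host: 203.0.113.7/203.0.113.7 Port: 1 TCP Blocked
1372612402 - 06/30/2013 19:13:22 Host: 198.51.100.4/198.51.100.4 Port: 161 UDP Blocked
1372615000 - 06/30/2013 19:56:40 Host: adm.example.org/192.0.2.10 Port: 22 TCP Blocked
garbage line that does not match the history layout
"""

# Constructed trusted networks, i.e. what you would keep in portsentry.ignore.static.
TRUSTED = ["127.0.0.0/8", "192.0.2.0/24"]


def parse_history(text):
    """Return one dict per well-formed history line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HISTORY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["epoch"] = int(d["epoch"])
            d["port"] = int(d["port"])
            entries.append(d)
    return entries


def blocked_trusted(entries, trusted_cidrs):
    """Blocked addresses that sit inside a trusted network (should never happen)."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    return [e for e in entries
            if any(ipaddress.ip_address(e["ip"]) in n for n in nets)]


def summarize(entries):
    """Count blocks per source address and per (protocol, port)."""
    by_ip = Counter(e["ip"] for e in entries)
    by_port = Counter((e["proto"], e["port"]) for e in entries)
    return by_ip, by_port


if __name__ == "__main__":
    ents = parse_history(SAMPLE_HISTORY)
    for e in blocked_trusted(ents, TRUSTED):
        print("trusted host blocked:", e["ip"], e["proto"], e["port"], "at", e["epoch"])
    by_ip, by_port = summarize(ents)
    print("per source:", dict(by_ip))
    print("per port:", dict(by_port))
```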

A short script that HTMLfies the portsentry.history log

#!/bin/bash
#g0 2013
#portsentry.history to html
#http://alog.ipduh.com/2013/07/portsentry.html

PORTSENTRY_HISTORY="/var/lib/portsentry/portsentry.history"
HTML="/var/www/sites/adm.ipduh/www/in/portsentry.history.html"

# portsentry.history lines look like
#   <epoch> - <date> <time> Host: <name>/<ip> Port: <port> <proto> Blocked
# so $1 is the epoch, $3 and $4 the date and time, $6 the name/ip pair,
# $8 the port and $9 the protocol. systime() is a gawk extension.
awk '
# the resolved name comes from the scanner-controlled reverse DNS,
# so escape it before putting it in the page
function esc(s) { gsub(/&/, "\\&amp;", s); gsub(/</, "\\&lt;", s); gsub(/>/, "\\&gt;", s); gsub(/"/, "\\&quot;", s); return s }
BEGIN {
print "<!doctype html><html><head><title>portsentry.history</title><style>"
print "a.lnk:link { color:#0000FF; text-decoration:none; } a.lnk:visited { color:#0000FF; text-decoration:none; }"
print "a.lnk:hover { color:#00FF00; text-decoration:none; } a.lnk:active { color:#00FF00; text-decoration:none; }"
print "</style></head><body><table border=0 cellspacing=8>"
DEL=" </td><td> "; APRO="<a target=_blank class=lnk href=\"http://ipduh.com/apropos/?" ; P="\">" ; OS="</a>" ;
EPOC="<a class=lnk target=_blank href=\"http://ipduh.com/epoch/?";
}
{ split($6,a,"/"); a[1]=esc(a[1]); a[2]=esc(a[2]) }
{ print "<tr><td>" EPOC $1 P $1 OS DEL $3 DEL $4 DEL APRO a[1] P a[1] OS DEL }
{ if (a[1] != a[2] ) {  print APRO a[2] P a[2] OS } }
{ print DEL $8 DEL $9 "</td></tr>" }
END { EPOCH=systime();
print "</table><br /><br />Produced from portsentry.history on " EPOC EPOCH P EPOCH OS "</body></html>" }
' ${PORTSENTRY_HISTORY} 2>/dev/null 1>${HTML}


You just need to set HTML to a file in an HTTP-accessible directory and create a cronjob.

To get portsentry_history2html
$ wget kod.ipduh.com/lib/portsentry_history2html



URI: http://alog.ipduh.com/2013/07/portsentry.html

denyhosts

A few notes on denyhosts --a piece of software that finds ssh scanning IP addresses and adds them to /etc/hosts.deny.

DenyHosts requires TCP Wrappers.
You may be able to find out if a daemon is compiled with TCP Wrappers using ldd and looking for the libwrap shared object.
eg:
# ldd `which sshd` |grep libwrap
 libwrap.so.0 => /lib/libwrap.so.0 (0x00007fac6668f111)
or using strings and looking for hosts_access
eg:
# strings `which sshd` |grep hosts_access
hosts_access


On Debian you may find out if a daemon is packaged with tcpwrappers with apt-cache.
eg:
# apt-cache rdepends libwrap0 |grep ssh
  openssh-server


Install denyhosts on debian
# apt-get install denyhosts


I like `whitelisting` a few hosts because by default denyhosts is trigger happy. eg: to allow access from 10.12.142.92, 192.168.167.0/24, 85.26.243.146, and 67.3.2.2 add the following line to /etc/hosts.allow
sshd: 10.12.142.92, 192.168.167. , 85.26.243.146 , 67.3.2.2 :allow


set ADMIN_EMAIL and SMTP_FROM

Denyhosts `comes` with a synchronization service --you supply the hosts attacking you and download the ones attacking other hosts through the sync service. The sync service is disabled by default. If you want to enable it, uncomment in /etc/denyhosts.conf
#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911


To just supply data to the sync service add
SYNC_DOWNLOAD = no
in /etc/denyhosts.conf

To just receive data from the sync service add
SYNC_UPLOAD = no
in /etc/denyhosts.conf

To apply changes restart the denyhosts daemon
# /etc/init.d/denyhosts restart


URI: http://alog.ipduh.com/2013/07/denyhosts.html

email a notice for each ssh login

This is a bash script that emails details ( user , tty , remote IP address , date and time ) of every successful SSH login when used as sshrc.

The script
#!/bin/bash
#g0 2013
#send an email with details of each ssh login
#http://alog.ipduh.com/2013/07/email-notice-for-each-ssh-login.html

###
#set MAILTO to the email address(es) receiving the SSH LOGIN notices
MAILTO="root@localhost"
#MAILTO="system-watch@example.net,systems@example.org"
###

DATE=$(date)
EPOCH=$(date +%s)
EPOCH_URI="http://ipduh.com/epoch/?${EPOCH}"
HOSTNAME=$(hostname)

# sshd exports SSH_CONNECTION (and the older SSH_CLIENT); the first field is the client address
if [ -z "$SSH_CONNECTION" ] ; then
   IP=$(echo "$SSH_CLIENT" | cut -f1 -d' ')
else
   IP=$(echo "$SSH_CONNECTION" | cut -f1 -d' ')
fi

IP_URI="http://ipduh.com/apropos/?${IP}"
LOGIN='no_login'

# SSH_TTY is only set for interactive sessions; otherwise it is a command or subsystem connection
if [ -z "$SSH_TTY" ] ; then
   LOGIN="Connect by $USER"
else
   LOGIN="Login by $USER on $SSH_TTY"
fi

mail -s "SSH LOGIN on ${HOSTNAME} from ${IP}" ${MAILTO} <<END
   ${LOGIN}
   from ${IP} ( ${IP_URI} )
   at ${DATE} ( ${EPOCH_URI} )
END

#if X11 forwarding is in use --man sshd
#an sshrc replaces sshd's default xauth handling, so it has to add the cookie itself
if read proto cookie && [ -n "$DISPLAY" ]; then
   if [ "$(echo "$DISPLAY" | cut -c1-10)" = 'localhost:' ]; then
          # X11UseLocalhost=yes
          echo add "unix:$(echo "$DISPLAY" | cut -c11-)" "$proto" "$cookie"
   else
          # X11UseLocalhost=no
          echo add "$DISPLAY" "$proto" "$cookie"
   fi | xauth -q -
fi


To install
# wget kod.ipduh.com/lib/sshrc_email_notices
# mv sshrc_email_notices /etc/ssh/sshrc
Set MAILTO to the email address receiving the SSH LOGIN notifications

A user with a ~/.ssh/rc may be able to bypass /etc/ssh/sshrc. However, root can be the only one with write permission on a user's ~/.ssh/rc, and that ~/.ssh/rc may simply be
/bin/bash /etc/ssh/sshrc


URL: http://alog.ipduh.com/2013/07/email-notice-for-each-ssh-login.html

Remove SSL Certificate Passphrase



# cd /etc/ssl/private
# openssl rsa -in website.key -out website.key.no-passphrase
Enter pass phrase for website.key:
writing RSA key
# mv website.key website.key.old-with-passphrase
# cp website.key.no-passphrase website.key
# /etc/init.d/apache2 restart
  * Restarting web server apache2
#
Apache starts without asking for the passphrase.

Another way is to use the SSLPassPhraseDialog directive to read in the password from a script.

madwifi ioctls

Notes on a few madwifi ioctls

Turn off 802.11h
# iwpriv ath0 doth 0 


fast frames support
# iwpriv ath0 ff 1 
This feature increases the amount of information that can be sent per frame, also resulting in a reduction of transmission overhead. It is a proprietary feature that needs to be supported by the Access Point.

Burst mode
# iwpriv ath0 burst 1 
Bursting allows multiple frames to be sent at once, rather than pausing after each frame. This reduces the overhead needed for transmission and thus increases the throughput. Slight modifications to the standard timing also add a bit to the throughput. Bursting is a standards-compliant feature that can be used with any Access Point.

Turn off Background Scan
# iwpriv ath0 bgscan 0 


Use A mode
# iwpriv ath0 mode 1 

# iwpriv ath0 mode 11a


An outdoor client interface configuration
# cat wireless 

config wifi-device 'radio0'
 option type 'atheros'
 option macaddr '00:0b:6b:84:41:59'
 option distance '3870'
 option outdoor '1'
 option txantenna '1'
 option rxantenna '1'
 option hwmode '11a'
 option channel '112'
 option diversity '0'
 option bursting '1'
 option ff '1'
 option disabled '0'
 option regdomain '97'
 option countrycode '0'
 option bgscan '0'
 option doth '0'
 option txpower '4'

config wifi-iface
 option device 'radio0'
 option encryption 'none'
 option ssid 'wn-x-y'
 option rate '48M fixed'
 option mode 'sta'
 option network 'ath0'
 option ifname 'ath0'



I prefer editing /etc/config/wireless; however, I think that UCI is great for scripting and sending configs.

Openwrt UCI usage examples

Enable wifi: set disabled to 0 for the first wireless interface --in /etc/config/wireless--
# uci set wireless.@wifi-device[0].disabled=0; uci commit wireless; wifi


Set txpower to 6 dBm on the first wireless interface.
# uci set wireless.@wifi-device[0].txpower=6; uci commit wireless; wifi




References:
ieee80211_ioctl.h
Atheros Super A/G
iwpriv
openwrt uci wireless





simple UTC web clock

A simple UTC web clock.

The utc-web-clock.pl script
#!/usr/bin/perl
#g0 2013 a simple web UTC clock
#http://alog.ipduh.com/2013/07/simple-utc-web-clock.html
use strict;
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime(time);
my @weekday = qw( Sun Mon Tue Wed Thu Fri Sat );
my @months = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec);
$mon="<a title=$mon>$months[$mon]</a>";
$wday=$weekday[$wday];
$year+=1900;
my $udate = "$wday $mday $mon $year";
# zero-pad so that 09:05:03 does not render as 9:5:3
my $uhour = sprintf("%02d",$hour);
my $umin = sprintf("%02d",$min);
my $usec = sprintf("%02d",$sec);
my $epoch=time();

print <<"PAGE";
Content-type: text/html \n\n <!doctype html> <html>
<head>
<title> UTC </title>
<meta  http-equiv='refresh' content='15'>
<style>
.clock { font-family: monospace , Arial ; font-size: 6em; }
.little { padding-left: 0px; font-family:  monospace; font-size: .9em; }
a.goto:link { color:#000000; text-decoration:underline; }
a.goto:visited { color:#000000; text-decoration:underline; }
a.goto:hover {color:#000000;text-decoration:none;background:yellow;}
a.goto:active {color:#00FF00;text-decoration:none;background:yellow;}
</style>
<script type='text/javascript'>
setInterval(tick,1000);

// advance the displayed time by one second between the 15 second page refreshes
function tick() {
 var h = document.getElementById("hour");
 var m = document.getElementById("min");
 var s = document.getElementById("sec");
 var hour = parseInt(h.innerHTML, 10), min = parseInt(m.innerHTML, 10), sec = parseInt(s.innerHTML, 10);
 sec += 1;
 if (sec == 60) { sec = 0; min += 1; }
 if (min == 60) { min = 0; hour += 1; }
 if (hour == 24) { hour = 0; }   // wrap at midnight instead of showing 24:00:00
 h.innerHTML = pad(hour); m.innerHTML = pad(min); s.innerHTML = pad(sec);
}

function pad(n) { return (n < 10 ? "0" : "") + n; }

</script>
</head>
<body>
<center>
<p class=clock>
<span id='hour'>$uhour</span>:<span id='min'>$umin</span>:<span id='sec'>$usec</span>
</p>
<p class=little> &copy; $udate
<a href="http://ipduh.com/epoch/?$epoch" class=goto>$epoch</a>
<a class=goto href=http://alog.ipduh.com/2013/07/simple-utc-web-clock.html>source</a>
</p>
</center>
</body> </html>
PAGE


You may wget it
$ wget kod.ipduh.com/lib/utc-web-clock.pl



tripwire ...

Tripwire Setup on Debian Notes

Install Tripwire
# apt-get install tripwire


Well, the packaged tripwire installation automation on Debian 6.0.7 does not automagically fix everything --not-- for me.

Tripwire keeps its configuration in an encrypted database that is generated, by default, from /etc/tripwire/twcfg.txt

Tripwire keeps its policies on what attributes of which files should be monitored in an encrypted database that is generated, by default, from /etc/tripwire/twpol.txt

The Tripwire binaries are located in /usr/sbin and the database is located in /var/lib/tripwire

Create a site key
# cd /etc/tripwire/
# mkdir nope
# mv site.key nope
# twadmin --generate-keys --site-keyfile site.key 
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.
# chmod 600 site.key


Create a local key
# cd /etc/tripwire/
# twadmin --generate-keys --local-keyfile `hostname`-local.key
# chmod 600 *local.key


Create and sign with site.key the configuration file tw.cfg from the text configuration file twcfg.txt. You may want to change a few things in twcfg.txt (eg: the SMTPHOST ).
# cd /etc/tripwire/
# cp twcfg.txt nope
# vi twcfg.txt
# twadmin --create-cfgfile --cfgfile tw.cfg --site-keyfile site.key twcfg.txt
Please enter your site passphrase: 
Wrote configuration file: /etc/tripwire/tw.cfg


Create and sign with site.key the policy file tw.pol from the editable twpol.txt. You may want to adjust twpol.txt to your system and preferences.
# cd /etc/tripwire/
# mv tw.pol nope/
# vi twpol.txt
# twadmin --create-polfile --cfgfile tw.cfg --site-keyfile site.key twpol.txt
Please enter your site passphrase: 
Wrote policy file: /etc/tripwire/tw.pol


Make sure all the configuration files are owned by root and that root is the only one who can read them.
# cd /etc/tripwire/
# chown root.root tw*
# chmod 600 tw*
You may delete or copy your txt files to another host.

Initialize the tripwire database.
# tripwire --init
Please enter your local passphrase: 
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***


To change or update your policy
# cd /etc/tripwire/
# vi twpol.txt
# twadmin -m P -S site.key twpol.txt
Please enter your site passphrase: 
Wrote policy file: /etc/tripwire/tw.pol


To update your configuration
# cd /etc/tripwire/
# vi twcfg.txt
# twadmin -m F -S site.key twcfg.txt
Please enter your site passphrase: 
Wrote configuration file: /etc/tripwire/tw.cfg


Initialize the Tripwire database
# tripwire -m i
Please enter your local passphrase: 
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
...
### Continuing...
Wrote database file: /var/lib/tripwire/anydns.twd
The database was successfully generated.


Email alerts and reports

Test if tripwire can send email
# /usr/sbin/tripwire --test --email systems-no@ipduh.awmn


To set email alerts for a rule, eg: "Root file-system executables", adjust twpol.txt accordingly, then sign it and write tw.pol.
#
# Critical executables
#
(
  rulename = "Root file-system executables",
  severity = $(SIG_HI),
  emailto = systems-no@ipduh.awmn
)
You may put more email addresses on emailto, separated by semicolons (';') eg:
#
# Critical executables
#
(
  rulename = "Root file-system executables",
  severity = $(SIG_HI),
  emailto = systems-no@ipduh.awmn;systems-no@ipduh.com
)
Sign and write tw.pol
# twadmin -m P -S site.key twpol.txt


Email a report
# /usr/sbin/tripwire --check --email-report
...
### Continuing...
Beginning email reporting...
Emailing the report to: systems-no@ipduh.awmn
...


The report is mailed to the email address(es) in the emailto directive(s)
and saved in /var/lib/tripwire/report/ as well.

To create and email the report regularly put:
/usr/sbin/tripwire --check --quiet --email-report
in a cronjob

The Debian package cronjob
#!/bin/sh -e

tripwire=/usr/sbin/tripwire

[ -x $tripwire ] || exit 0

umask 027

$tripwire --check --quiet --email-report


You may put the tripwire database on a read-only medium or copy it to another host.

Update the database --exclude valid violations-- after an Integrity Check.

First of all set the system default editor to vi

Enter `exclude mode` :)
# tripwire --update --twrfile /var/lib/tripwire/report/latest.twr
where latest.twr is the latest report

Now, remove the "x" from the adjacent boxes [x] to prevent updating the database with the new values for these objects, exit the editor, and enter your local passphrase.

The authorized integrity violations will no longer show up as warnings when the next integrity check is run.

Test --Create a Report and then look at it
# /usr/sbin/tripwire --check 
# twprint -m r --twrfile /var/lib/tripwire/report/latest.twr
where latest.twr is the latest report

View the tripwire database
# /usr/sbin/twprint -m d --print-dbfile |less


View information for a file tracked by tripwire eg: the tripwire database
# /usr/sbin/twprint -m d --print-dbfile /var/lib/tripwire/`hostname`.twd


Further:
twfiles(5)
twadmin(8)
tripwire(8)
twprint





ntp server status page 2

An addition to the simple script that draws a NTP server status web page.

The ntp-status-2.pl script
#!/usr/bin/perl
#g0 2013  , http://alog.ipduh.com/2013/07/ntp-server-status-page-2.html
#ntp-status-2 simple ntp server status web-page v.2
#Prerequisites: ntpdate & ntpq & ntptrace
use strict;
#configure
my $myNTPIP="127.0.0.1";
my $myNTPname="ntpb.ipduh.awmn - 10.21.241.100";
my $ntptrace="/usr/bin/ntptrace -n";
my $ntpdate="/usr/sbin/ntpdate";
my $ntpqnp="/usr/bin/ntpq -np";
#configure END

my $epoch=time();
my @date=`$ntpdate -q $myNTPIP`;

my @ntptrace=`$ntptrace $myNTPIP`;
my @fields=();
my $liin;
my @ntptrace_out=();
foreach my $li(@ntptrace)
{
 @fields=split(/:/,$li);
 $fields[0]="<a class=goto href=http://ipduh.com/apropos/?$fields[0]>$fields[0]</a>";
 $liin="$fields[0]".":"."$fields[1]";
 push(@ntptrace_out,$liin); 
}

my @ntpq=`$ntpqnp`;
my @ntpq_out=();
foreach my $li1(@ntpq)
{
 if($li1 =~ /(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/ )
 {
  push(@ntpq_out,"$`<a class=goto href=http://ipduh.com/apropos/?$&>$&</a>$'");
 }
 else
 {
  push(@ntpq_out,"$li1");
 }
}



print <<"TOP";
Content-type: text/html \n\n
<!doctype html><html><head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>$myNTPname</title>
<meta name='description' content='$myNTPIP - $myNTPname NTP server status web-page' /> 
<style>
p { padding-left: 0px; font-family:  Fixed, monospace; font-size: 1em; }
.little { padding-left: 0px; font-family:  monospace; font-size: .4em; }
.board { position:absolute; top:60px; left:100px; }
a.goto:link { color:#000000; text-decoration:underline; }
a.goto:visited { color:#000000; text-decoration:underline; }
a.goto:hover {color:#000000;text-decoration:none;background:yellow;}
a.goto:active {color:#00FF00;text-decoration:none;background:yellow;}
</style>
</head><body>
<div class=board>
<p>  NTP Status: $myNTPname  </p> 
<pre>
 _____________________________________________________________________________________
|                                                                                     |
</pre>
TOP

print "<pre> @date <br /><br /><br /> @ntptrace_out  <br /><br /><br /> @ntpq_out </pre>";
print <<'BOT';
<pre>
|__________   ________________________________________________________________________|
           \ |
            \|
            
        |   /\________/\   |
        |  /____    ____\  |
        |_/     \__/     \_|
        [_       __       _]
          \_____/  \_____/
           \    ____    / 
            |   \__/   |   
          _  \________/  _
          \\  /|    |\  //
           \\IPDUHHUD9I//

</pre>
BOT
print <<"TOEND";
<center><p class=little> &copy; <a href="http://ipduh.com/epoch/?$epoch" class=goto>$epoch</a> <a class=goto href=http://alog.ipduh.com/2013/07/ntp-server-status-page-2.html>source</a>
</p></center><br /><br /><br /><br /></div></body></html>
TOEND


     


You may wget or curl it
$ wget kod.ipduh.com/lib/ntp-status-2.pl





openwrt madwifi

Notes on enabling madwifi for atheros based wireless network miniPCI cards on openwrt ( Attitude Adjustment ) --the lazy way.

Give Internet Connectivity to the router

Install wireless-tools and kmod-madwifi.
root@rs:~# opkg update
root@rs:~# opkg install kmod-madwifi
root@rs:~# wifi detect |grep -v disabled > /etc/config/wireless


To enable wifi, delete the disabled option or set it to 0 in /etc/config/wireless and run

root@rs:~# wifi


References:
http://wiki.openwrt.org/doc/uci/wireless#madwifi.options




virsh basics ...

virsh notes

virsh version
# virsh -v
0.8.3


the system
# cat /etc/issue /etc/debian_version;uname -r
Debian GNU/Linux 6.0 \n \l

6.0.7
2.6.32-5-amd64


# egrep "vmx|svm" /proc/cpuinfo
flags  : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm 3dnowext 3dnow constant_tsc rep_good nonstop_tsc extd_apicid pni monitor cx16 popcnt lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit wdt nodeid_msr
flags  : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm 3dnowext 3dnow constant_tsc rep_good nonstop_tsc extd_apicid pni monitor cx16 popcnt lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit wdt nodeid_msr


the hypervisor
# virsh uri
qemu:///system

# lsmod |grep kvm
kvm_amd                31878  4 
kvm                   215455  1 kvm_amd


for more try
# virsh capabilities


A good way to start the virsh exploration
# virsh
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # help
Commands:

    help            print help
    attach-device   attach device from an XML file
    attach-disk     attach disk device
    attach-interface attach network interface
    autostart       autostart a domain
    capabilities    capabilities
    cd              change the current directory
    connect         (re)connect to hypervisor
    console         connect to the guest console
    cpu-baseline    compute baseline CPU
    cpu-compare     compare host CPU with a CPU described by an XML file
    create          create a domain from an XML file
    start           start a (previously defined) inactive domain
    destroy         destroy a domain
    detach-device   detach device from an XML file
    detach-disk     detach disk device
    detach-interface detach network interface
    define          define (but don't start) a domain from an XML file
    domid           convert a domain name or UUID to domain id
    domuuid         convert a domain name or id to domain UUID
    dominfo         domain information
    domjobinfo      domain job information
    domjobabort     abort active domain job
    domname         convert a domain id or UUID to domain name
    domstate        domain state
    domblkstat      get device block stats for a domain
    domifstat       get network interface stats for a domain
    dommemstat      get memory statistics for a domain
    domblkinfo      domain block device size information
    domxml-from-native Convert native config to domain XML
    domxml-to-native Convert domain XML to native config
    dumpxml         domain information in XML
    edit            edit XML configuration for a domain
    find-storage-pool-sources discover potential storage pool sources
    find-storage-pool-sources-as find potential storage pool sources
    freecell        NUMA free memory
    hostname        print the hypervisor hostname
    list            list domains
    migrate         migrate domain to another host
    migrate-setmaxdowntime set maximum tolerable downtime
    net-autostart   autostart a network
    net-create      create a network from an XML file
    net-define      define (but don't start) a network from an XML file
    net-destroy     destroy a network
    net-dumpxml     network information in XML
    net-edit        edit XML configuration for a network
    net-list        list networks
    net-name        convert a network UUID to network name
    net-start       start a (previously defined) inactive network
    net-undefine    undefine an inactive network
    net-uuid        convert a network name to network UUID
    iface-list      list physical host interfaces
    iface-name      convert an interface MAC address to interface name
    iface-mac       convert an interface name to interface MAC address
    iface-dumpxml   interface information in XML
    iface-define    define (but don't start) a physical host interface from an XML file
    iface-undefine  undefine a physical host interface (remove it from configuration)
    iface-edit      edit XML configuration for a physical host interface
    iface-start     start a physical host interface (enable it / "if-up")
    iface-destroy   destroy a physical host interface (disable it / "if-down")
    managedsave     managed save of a domain state
    managedsave-remove Remove managed save of a domain
    nodeinfo        node information
    nodedev-list    enumerate devices on this host
    nodedev-dumpxml node device details in XML
    nodedev-dettach dettach node device from its device driver
    nodedev-reattach reattach node device to its device driver
    nodedev-reset   reset node device
    nodedev-create  create a device defined by an XML file on the node
    nodedev-destroy destroy a device on the node
    nwfilter-define define or update a network filter from an XML file
    nwfilter-undefine undefine a network filter
    nwfilter-dumpxml network filter information in XML
    nwfilter-list   list network filters
    nwfilter-edit   edit XML configuration for a network filter
    pool-autostart  autostart a pool
    pool-build      build a pool
    pool-create     create a pool from an XML file
    pool-create-as  create a pool from a set of args
    pool-define     define (but don't start) a pool from an XML file
    pool-define-as  define a pool from a set of args
    pool-destroy    destroy a pool
    pool-delete     delete a pool
    pool-dumpxml    pool information in XML
    pool-edit       edit XML configuration for a storage pool
    pool-info       storage pool information
    pool-list       list pools
    pool-name       convert a pool UUID to pool name
    pool-refresh    refresh a pool
    pool-start      start a (previously defined) inactive pool
    pool-undefine   undefine an inactive pool
    pool-uuid       convert a pool name to pool UUID
    secret-define   define or modify a secret from an XML file
    secret-dumpxml  secret attributes in XML
    secret-set-value set a secret value
    secret-get-value Output a secret value
    secret-undefine undefine a secret
    secret-list     list secrets
    pwd             print the current directory
    quit            quit this interactive terminal
    exit            quit this interactive terminal
    reboot          reboot a domain
    restore         restore a domain from a saved state in a file
    resume          resume a domain
    save            save a domain state to a file
    schedinfo       show/set scheduler parameters
    dump            dump the core of a domain to a file for analysis
    shutdown        gracefully shutdown a domain
    setmem          change memory allocation
    setmaxmem       change maximum memory limit
    setvcpus        change number of virtual CPUs
    suspend         suspend a domain
    ttyconsole      tty console
    undefine        undefine an inactive domain
    update-device   update device from an XML file
    uri             print the hypervisor canonical URI
    vol-create      create a vol from an XML file
    vol-create-from create a vol, using another volume as input
    vol-create-as   create a volume from a set of args
    vol-clone       clone a volume.
    vol-delete      delete a vol
    vol-wipe        wipe a vol
    vol-dumpxml     vol information in XML
    vol-info        storage vol information
    vol-list        list vols
    vol-pool        returns the storage pool for a given volume key or path
    vol-path        returns the volume path for a given volume name or key
    vol-name        returns the volume name for a given volume key or path
    vol-key         returns the volume key for a given volume name or path
    vcpuinfo        domain vcpu information
    vcpupin         control domain vcpu affinity
    version         show version
    vncdisplay      vnc display
    snapshot-create Create a snapshot
    snapshot-current Get the current snapshot
    snapshot-delete Delete a domain snapshot
    snapshot-dumpxml Dump XML for a domain snapshot
    snapshot-list   List snapshots for a domain
    snapshot-revert Revert a domain to a snapshot

virsh # 



Set a domain (guest host) to be autostarted by the libvirt daemon
# virsh autostart 2
Domain 2 marked as autostarted

Verify (check) whether a guest is set to autostart
# virsh dominfo 2 |grep -i auto
Autostart:      enable

and
# ls /etc/libvirt/qemu/autostart/
Before taking the time to read carefully and look around a bit more, I used to set autostart with `virsh start domain` cron jobs.

View domain information and create XML configuration files
# virsh dumpxml vm0
It prints the XML configuration to stdout.

The KVM/QEMU guests' XML configuration files are in /etc/libvirt/qemu/ on Debian systems.

# virsh dominfo vm0
Id:             -
Name:           vm0
UUID:           7337798a-ae00-efb4-7790-259c168f764b
OS Type:        hvm
State:          shut off
CPU(s):         2
Max memory:     524288 kB
Used memory:    524288 kB
Persistent:     yes
Autostart:      disable


Display the guest host list

# virsh list --all
 Id Name                 State
----------------------------------
  2 vm2                  running
  - vm0                  shut off
  - vm1                  shut off



Display Virtual CPU information
# virsh vcpuinfo 2
VCPU:           0
CPU:            0
State:          running
CPU time:       1219.9s
CPU Affinity:   yy

VCPU:           1
CPU:            1
State:          running
CPU time:       1040.8s
CPU Affinity:   yy


# virsh vcpuinfo vm0
error: Domain shut off, virtual CPUs not present.
error: Requested operation is not valid: cannot list vcpu pinning for an inactive domain


Create a guest from an XML configuration file
# virsh create vm0.xml
Note that `virsh create` starts a transient guest that is forgotten once it stops; `virsh define vm0.xml` registers it persistently without starting it.
To create an XML configuration file from an existing guest:
# virsh dumpxml vm0 > vm0.xml


Start a guest host
# virsh start vm0
Domain vm0 started



Reboot a guest host
# virsh reboot vm0
error: Failed to reboot domain vm0
error: this function is not supported by the connection driver: virDomainReboot
Not supported for KVM on libvirt 0.8.3.

Shut down a guest host
# virsh shutdown vm0
Domain vm0 is being shutdown

Check
# virsh list --all
 Id Name                 State
----------------------------------
  2 vm2                  running
  3 vm0                  running
  - vm1                  shut off
vm0 is still running; it does not always work. `virsh shutdown` only sends the guest an ACPI power-button event, so a guest that does not handle it (no acpid running, or an OS without ACPI support) simply keeps running.

Terminate a guest host
# virsh destroy vm0
Domain vm0 destroyed

An immediate, ungraceful shutdown: the qemu process is killed, so the guest's filesystems are not cleanly unmounted.
Check
# virsh list --all
 Id Name                 State
----------------------------------
  2 vm2                  running
  - vm0                  shut off
  - vm1                  shut off
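A small POSIX shell wrapper for the shutdown-then-destroy sequence above, written for these notes (it is not part of virsh or libvirt): it sends `virsh shutdown`, polls the `State:` line of `virsh dominfo` until a deadline, and only then falls back to `virsh destroy`. The timeout, poll interval and domain names are placeholders.

```shell
#!/bin/sh
# graceful_stop DOMAIN [TIMEOUT]: ask the guest to shut down, wait for it,
# and pull the plug with `virsh destroy` only if it is still up at the deadline.
# Added example for these notes; assumes virsh is in PATH.

POLL_INTERVAL="${POLL_INTERVAL:-5}"   # seconds between state checks (assumed default)

# Print the domain state as shown in the "State:" line of `virsh dominfo`,
# e.g. "running" or "shut off".
dom_state() {
    virsh dominfo "$1" 2>/dev/null | sed -n 's/^State: *//p'
}

# Wait up to $2 seconds for domain $1 to reach "shut off".
# Returns 0 once it is off, 1 on timeout.
wait_shut_off() {
    dom="$1"; deadline="$2"; waited=0
    while [ "$waited" -lt "$deadline" ]; do
        [ "$(dom_state "$dom")" = "shut off" ] && return 0
        sleep "$POLL_INTERVAL"
        waited=$((waited + POLL_INTERVAL))
    done
    [ "$(dom_state "$dom")" = "shut off" ]
}

# Prints "already-off", "shutdown" or "destroyed" depending on what was needed.
graceful_stop() {
    dom="$1"; timeout="${2:-60}"
    if [ "$(dom_state "$dom")" = "shut off" ]; then
        echo "already-off"; return 0
    fi
    virsh shutdown "$dom" >/dev/null        # only an ACPI power-button event
    if wait_shut_off "$dom" "$timeout"; then
        echo "shutdown"; return 0
    fi
    virsh destroy "$dom" >/dev/null         # guest ignored ACPI: kill it
    echo "destroyed"
}

# Usage: ./graceful_stop.sh vm0 60
if [ "$#" -gt 0 ]; then
    graceful_stop "$@"
fi
```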



Useful URLs:
Virsh Command Reference
centos manual virsh
Debian on Debian KVM




virsh basics