BGP and OSPF *nix Router ( quagga - Debian )

A quick how-to on setting up a Quagga BGP and OSPF router on *nix (Debian Linux).
The setup that follows describes an inner-node AWMN router that resides in the same AS and the same broadcast domain as four other border routers.

Install quagga
#apt-get install quagga


Check if IP Forwarding is enabled
#cat /proc/sys/net/ipv4/ip_forward 
1

If it is 0, then
#echo 1 > /proc/sys/net/ipv4/ip_forward
#echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf


Allow 224.0.0.0/4 - multicast OSPF traffic (OSPF hellos and updates go to 224.0.0.5 and 224.0.0.6)
#iptables -A INPUT -d 224.0.0.0/4  -m state --state NEW  -j ACCEPT


Allow BGP traffic
#iptables -A INPUT -p tcp --dport 179 -j ACCEPT
(A version of bif --which does it well and fixes many things in the old bif-- already exists. I will post it here soon.)

Set the zebra, bgpd and ospfd daemons to yes --highest priority-- in /etc/quagga/daemons
#cat /etc/quagga/daemons 
# This file tells the quagga package which daemons to start.
#
# Entries are in the format: =(yes|no|priority)
#   0, "no"  = disabled
#   1, "yes" = highest priority
#   2 .. 10  = lower priorities
# Read /usr/share/doc/quagga/README.Debian for details.
#
# Sample configurations for these daemons can be found in
# /usr/share/doc/quagga/examples/.
#
# ATTENTION: 
#
# When activation a daemon at the first time, a config file, even if it is
# empty, has to be present *and* be owned by the user and group "quagga", else
# the daemon will not be started by /etc/init.d/quagga. The permissions should
# be u=rw,g=r,o=.
# When using "vtysh" such a config file is also needed. It should be owned by
# group "quaggavty" and set to ug=rw,o= though. Check /etc/pam.d/quagga, too.
#
zebra=yes
bgpd=yes
ospfd=yes
ospf6d=no
ripd=no
ripngd=no
isisd=no




Copy the ospfd and bgpd example files into /etc/quagga and adjust ownerships
#cp /usr/share/doc/quagga/examples/bgpd.conf.sample /etc/quagga/bgpd.conf
#cp /usr/share/doc/quagga/examples/ospfd.conf.sample /etc/quagga/ospfd.conf
#chown quagga.quaggavty /etc/quagga/*d.conf


This is what my bgpd.conf looks like. This router will be used mostly to monitor BGP, so no filters are applied; some example filters are left commented out. All of its neighbors are in the same Autonomous System.
#cat /etc/quagga/bgpd.conf 
hostname ares

log file /green/log/quagga/bgpd.log
log monitor
log stdout
log syslog

!
password password0
enable password passworde0
!

router bgp 20305
 bgp router-id 10.21.241.126
 network 10.21.241.126/32

! ipduh002011
 neighbor 10.21.241.69 remote-as 20305
 neighbor 10.21.241.69 description ipduh AWMN BGP Feed
 neighbor 10.21.241.69 timers 10 30
 neighbor 10.21.241.69 capability dynamic
 neighbor 10.21.241.69 capability orf prefix-list both
 neighbor 10.21.241.69 soft-reconfiguration inbound

! neighbor 10.21.241.69 prefix-list awmn-bgp in
! neighbor 10.21.241.69 filter-list maxaslength out

! ipduh04711
 neighbor 10.21.241.68 remote-as 20305
 neighbor 10.21.241.68 description ipduh AWMN BGP Feed
 neighbor 10.21.241.68 timers 10 30
 neighbor 10.21.241.68 capability dynamic
 neighbor 10.21.241.68 capability orf prefix-list both
 neighbor 10.21.241.68 soft-reconfiguration inbound

! neighbor 10.21.241.68 prefix-list awmn-bgp in
! neighbor 10.21.241.68 filter-list maxaslength out

! ipduh01433
 neighbor 10.21.241.67 remote-as 20305
 neighbor 10.21.241.67 description ipduh AWMN BGP Feed
 neighbor 10.21.241.67 timers 10 30
 neighbor 10.21.241.67 capability dynamic
 neighbor 10.21.241.67 capability orf prefix-list both
 neighbor 10.21.241.67 soft-reconfiguration inbound

!
!

! ipduh03711
 neighbor 10.21.241.66 remote-as 20305
 neighbor 10.21.241.66 description ipduh AWMN BGP Feed
 neighbor 10.21.241.66 timers 10 30
 neighbor 10.21.241.66 capability dynamic
 neighbor 10.21.241.66 capability orf prefix-list both
 neighbor 10.21.241.66 soft-reconfiguration inbound

!
!

!Pretty much everything (even junk) is allowed ... This is a BGP monitor
!
!ip prefix-list awmn-bgp seq 5 permit 10.0.0.0/8 ge 9 le 24
!ip prefix-list awmn-bgp seq 10 permit 10.0.0.0/15 le 32
!ip prefix-list awmn-bgp seq 15 deny any
!
!!ip as-path access-list maxaslength deny ( [0-9]+){250}$
ip as-path access-list maxaslength permit .*
!
line vty
!
end



This is what my ospfd.conf looks like. This router is on the same broadcast domain as all its neighbors.
#cat /etc/quagga/ospfd.conf 
! -*- ospf -*-
!
! OSPFd sample configuration file
!
!
hostname ares
password anotherpassword
enable password yetanotherenablepassword
!
router ospf
 ospf router-id 10.21.241.126
 network 10.21.241.0/25 area 0
!
log stdout



Restart all routing daemons.
#/etc/init.d/quagga restart
Stopping Quagga daemons (prio:0): (waiting) .. bgpd (waiting) .. ospfd (waiting) .. zebra (ripd) (ripngd) (ospf6d) (isisd).
Removing all routes made by zebra.
Loading capability module if not yet done.
Starting Quagga daemons (prio:10): zebra bgpd ospfd.


By default the Quagga daemons bind to the following ports:
ZEBRA  2601
OSPF   2604
BGP    2605
RIPNG  2603
ospf6d 2606 


Check OSPF
#telnet 127.0.0.1 2604
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Hello, this is Quagga (version 0.99.20.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.


User Access Verification

Password: 
ares> show ip ospf neighbor all 

    Neighbor ID Pri State           Dead Time Address         Interface            RXmtL RqstL DBsmL
10.21.241.66      1 2-Way/DROther     33.906s 10.21.241.66    eth1:10.21.241.10        0     0     0
10.21.241.67      1 2-Way/DROther     36.107s 10.21.241.67    eth1:10.21.241.10        0     0     0
10.21.241.68      1 Full/Backup       35.947s 10.21.241.68    eth1:10.21.241.10        0     0     0
10.21.241.69      1 Full/DR           35.167s 10.21.241.69    eth1:10.21.241.10        0     0     0
ares> quit
Connection closed by foreign host.


Check BGP
#telnet 127.0.0.1 2605
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Hello, this is Quagga (version 0.99.20.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.


User Access Verification

Password: 
ares> show ip bgp
BGP table version is 0, local router ID is 10.21.241.126
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i10.0.0.0         10.21.241.141                 100      0 12629 16382 8266 4704 19074 14835 3352 ?
*>i10.0.0.0/9       10.21.241.141                 100      0 12629 16382 8266 4704 19074 14835 19601 172193 172194 31671 45808 10991 11023 11023 11023 4217 4319 49208 49207 i
* i10.0.0.0/10      10.21.241.134                 100      0 17925 15551 7474 18245 1702 2350 3016 263 8506 416 891 4097 12629 18242 19601 172193 i
*>i                 10.21.241.138                 100      0 18569 18606 18912 3210 13133 121 3016 263 8506 416 891 4097 12629 18242 19601 172193 i
*>i10.0.0.1/32      10.21.241.141                 100      0 12629 3936 10515 543 i
*>i10.0.0.10/32     10.21.241.141                 100      0 12629 16382 8506 263 24 9288 3665 65202 i
*>i10.0.10.0/24     10.21.241.141                 100      0 12629 18242 i
*>i10.0.11.0/24     10.21.241.141                 100      0 12629 18242 1286 14835 4758 15731 3341 i
*>i10.2.1.0/24      10.21.241.141                 100      0 12629 18242 1286 9533 16924 i
* i10.2.2.0/24      10.21.241.141                 100      0 12629 15465 2720 14209 17983 i
*>i                 10.21.241.138                 100      0 18569 6202 6801 17244 17983 i
*>i10.2.8.0/24      10.21.241.141                 100      0 12629 5078 146 280 i
*>i10.2.12.0/24     10.21.241.141                 100      0 12629 16382 11087 416 240 i
* i10.2.13.0/24     10.21.241.141                 100      0 12629 16382 11087 416 240 72 i
* i                 10.21.241.134                 100      0 17925 13835 2879 7659 2113 72 i
*>i                 10.21.241.138                 100      0 18569 6202 3667 7659 2113 72 i
*>i10.2.15.0/24     10.21.241.141                 100      0 12629 16382 11087 416 i
* i10.2.16.0/24     10.21.241.141                 100      0 12629 14822 3112 7736 8580 i
*>i                 10.21.241.138                 100      0 18569 18606 18912 7736 8580 i
* i10.2.17.0/24     10.21.241.141                 100      0 12629 16382 11087 416 240 72 i
* i                 10.21.241.134                 100      0 17925 13835 2879 7659 2113 72 i
*>i                 10.21.241.138                 100      0 18569 6202 3667 7659 2113 72 i
*>i10.2.18.0/24     10.21.241.141                 100      0 12629 18242 1286 577 4097 806 i
*>i10.2.19.0/24     10.21.241.141                 100      0 12629 10130 8137 14365 18250 646 57 3298 i
*>i10.2.20.0/24     10.21.241.141                 100      0 12629 5078 14694 i
*>i10.2.21.0/24     10.21.241.141                 100      0 12629 16382 11087 416 410 i
*>i10.2.22.0/24     10.21.241.141                 100      0 12629 16382 11087 416 891 i
*>i10.2.24.0/24     10.21.241.141                 100      0 12629 16382 11087 416 240 4003 i
*>i10.2.25.0/24     10.21.241.138                 100      0 18569 18606 4272 4263 1819 i
*>i10.2.27.0/24     10.21.241.141                 100      0 12629 17643 i
*>i10.2.31.0/24     10.21.241.141                 100      0 12629 15465 13133 121 3016 956 810 2315 2379 4758 15731 410 3200 4500 3507 2711 8580 i
*>i10.2.33.0/24     10.21.241.141                 100      0 12629 10130 8137 14365 18250 646 57 8073 7817 10030 7347 i
*>i10.2.34.0/24     10.21.241.141                 100      0 12629 18242 1286 45 34 3674 1549 i
*>i10.2.37.0/24     10.21.241.141                 100      0 12629 16455 12528 9031 2711 8580 i
*>i10.2.38.0/24     10.21.241.141                 100      0 12629 18242 1286 577 4097 i

....


OK, it works.
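As an added example (not code from the original post), the following Python audit replays the prefix-list and as-path rules that bgpd.conf above leaves commented out over rows of the `show ip bgp` output, reporting which paths this monitor-only router accepts that the filters would have rejected. The AS-path length threshold is a constructed value for the demo; the page's own filter-list used 250.

```python
"""Offline audit of a Quagga `show ip bgp` dump against the prefix-list and
as-path filters that the bgpd.conf above leaves commented out.

Added example for this page, not code from the original post."""
import ipaddress
import re

# Rules transcribed from the commented-out bgpd.conf lines:
#   ip prefix-list awmn-bgp seq 5  permit 10.0.0.0/8  ge 9 le 24
#   ip prefix-list awmn-bgp seq 10 permit 10.0.0.0/15 le 32
#   ip prefix-list awmn-bgp seq 15 deny any
# as (action, covering prefix or None for "any", min length, max length).
# With only "le" given, the lower bound is the covering prefix's own length.
AWMN_PREFIX_LIST = [
    ("permit", "10.0.0.0/8", 9, 24),
    ("permit", "10.0.0.0/15", 15, 32),
    ("deny", None, 0, 32),
]

# Constructed threshold for the demo; the page's maxaslength filter used 250.
MAX_AS_PATH_LEN = 16

# Rows copied from the page's `show ip bgp` output. Columns: 3 status chars,
# Network (blank on additional paths for the same prefix), Next Hop, an empty
# Metric column, LocPrf, Weight, AS path, origin code.
SAMPLE_TABLE = """\
*>i10.0.0.0         10.21.241.141                 100      0 12629 16382 8266 4704 19074 14835 3352 ?
*>i10.0.0.0/9       10.21.241.141                 100      0 12629 16382 8266 4704 19074 14835 19601 172193 172194 31671 45808 10991 11023 11023 11023 4217 4319 49208 49207 i
* i10.0.0.0/10      10.21.241.134                 100      0 17925 15551 7474 18245 1702 2350 3016 263 8506 416 891 4097 12629 18242 19601 172193 i
*>i                 10.21.241.138                 100      0 18569 18606 18912 3210 13133 121 3016 263 8506 416 891 4097 12629 18242 19601 172193 i
*>i10.0.0.1/32      10.21.241.141                 100      0 12629 3936 10515 543 i
*>i10.0.10.0/24     10.21.241.141                 100      0 12629 18242 i
"""

# status columns, optional Network, Next Hop, remaining attribute columns
ROW = re.compile(r"^[*sdhrSR >i]{3}(\S+)?\s+(\d+\.\d+\.\d+\.\d+)\s+(.*)$")


def classful_prefix(network):
    """Quagga prints classful networks without a mask (10.0.0.0 means /8)."""
    if "/" not in network:
        first = int(network.split(".")[0])
        network += "/8" if first < 128 else "/16" if first < 192 else "/24"
    return ipaddress.ip_network(network, strict=False)


def prefix_list_action(prefix, rules=AWMN_PREFIX_LIST):
    """First-match evaluation, as Quagga does for an ip prefix-list."""
    for action, covering, lo, hi in rules:
        if covering is None:
            return action
        if prefix.subnet_of(ipaddress.ip_network(covering)) and lo <= prefix.prefixlen <= hi:
            return action
    return "deny"  # implicit deny at the end of every prefix-list


def parse_show_ip_bgp(text):
    """Yield (prefix, next_hop, as_path) per row; a row with a blank Network
    column is an additional path for the previous row's prefix."""
    current = None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, legend and blank lines
        if m.group(1):
            current = classful_prefix(m.group(1))
        if current is None:
            continue
        rest = m.group(3).split()  # LocPrf, Weight, AS path..., origin
        yield current, m.group(2), rest[2:-1]


def audit(text, max_len=MAX_AS_PATH_LEN):
    """Return (prefix, next_hop, reason) for every path the filters would reject."""
    findings = []
    for prefix, next_hop, as_path in parse_show_ip_bgp(text):
        if prefix_list_action(prefix) == "deny":
            findings.append((str(prefix), next_hop, "prefix-list awmn-bgp deny"))
        if len(as_path) > max_len:
            findings.append((str(prefix), next_hop, f"as-path length {len(as_path)} > {max_len}"))
    return findings


if __name__ == "__main__":
    for prefix, next_hop, reason in audit(SAMPLE_TABLE):
        print(f"{prefix:16} via {next_hop:15} {reason}")
```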

If you want to access all daemons from the same place, look into enabling vtysh. You will have to set vtysh_enable to yes in /etc/quagga/debian.conf and create its configuration file; there is a sample in /usr/share/doc/quagga/examples/vtysh.conf.sample.



QUAGGA BGP OSPF router

Simple web access to the logs of a host logging to a syslog-ng daemon

A quick post to describe how to access the logs for a host logging to a syslog-ng daemon through a web-interface.

Assuming a destination like the following one (here named clientslogs).
If yours does not look like this, adjust accordingly.

destination clientslogs {
        file("/green/log/ng/$HOST/$FACILITY/$YEAR$MONTH$DAY.log"
             owner(root)
             group(adm)
             perm(0644)
             dir_perm(0755)
             create_dirs(yes)
        );
};



If you don't have apache on this host, install it.
If you are paranoid about security, limit access to it with iptables.
For every host whose logs we want to reach through a web site we create a virtual host, eg.
<VirtualHost 10.21.241.4:80>
        ServerAdmin systems@rocks.net
        DocumentRoot /green/log/ng/host-name/local0
        ServerName host-name-log.ipduh.awmn
        ServerAlias host-name.log.ipduh.awmn
        ScriptAlias /cgi-bin2/ "/green/log/ng/host-name/local0/"
        AddHandler cgi-script .do
        DirectoryIndex index.do index.html

        <Directory "/green/log/ng/host-name/local0">
                AllowOverride None
                Options       ExecCGI
                Order         allow,deny
                Allow         from all
                DirectoryIndex index.do index.html

                AuthType Basic
                AuthName "host-name"
                AuthUserFile /green/log/ng/host-name/passwd/passwd
                Require valid-user
        </Directory>

        ErrorLog  "|/usr/sbin/rotatelogs /green/log/ng/host-name/local0/wwwlogs/error/host-name-error_log.%Y%m%d 86400"
        CustomLog "|/usr/sbin/rotatelogs /green/log/ng/host-name/local0/wwwlogs/access/host-name-access_log.%Y%m%d 86400" combined
</VirtualHost>




Replace 'host-name' with the host name. Put the following script in /green/log/ng/host-name/local0/index.do



#!/usr/bin/perl
#g0 2013 simple web-interface to logs gathered by syslog-ng
# Lists the files of the current directory (the syslog-ng destination for
# this host) newest first, as links, skipping the web server's own files.

use strict;
use warnings;

my $host   = 'example';
my $sepoch = time();

opendir(my $dh, ".") or die "Cannot open log directory: $!";
my @cont = readdir $dh;
closedir $dh;

# Names that live in the directory but are not log files
my %skip = map { $_ => 1 } ('.', '..', 'wwwlogs', 'index.do', 'passwd', '.index.do.swp', 'stor');

print "Content-type: text/html\n\n";
print "<html><head><title>$host Logs Index</title>";
print <<TOPTOP;
<style>
.ipduh{ font-size:.6em;}
a.ipduh:link {color:#0000FF; text-decoration:none; }
a.ipduh:visited {color:#0000FF; text-decoration:none; }
a.ipduh:hover {color:#000000; text-decoration:underline; }
a.ipduh:active {color:#000000; text-decoration:underline; }
</style>
</head><body>
$host
<br/>
****************************************
<br/>
TOPTOP

# Log files are named YYYYMMDD.log, so a reverse string sort lists the newest
# first (a numeric sort would warn on every non-numeric name).
foreach my $file (sort { $b cmp $a } @cont) {
        next if $skip{$file};
        print "<a href=\"./$file\">$file</a><br />";
}

print <<TELOS;
<br/>
****************************************
<br/>
<a class="ipduh" title="epoch $sepoch" href="http://ipduh.com/epoch/?$sepoch">$sepoch</a>
<a class="ipduh" title="ipduh.com" href="http://ipduh.com">ipduh</a>
</body></html>
TELOS


That's it! Easy!



Simple HTTP-web accessible syslog-ng Logs

How to Monitor a best effort BGP wireless internet Part 2

Well, I changed my mind. I am not going to scan --not at the beginning at least-- nor to traceroute. I was trying to fit host-based monitoring systems, eg nagios, to my needs.

I decided to start from scratch writing a BGP monitor, a system that can give a bird's eye view of a BGP internet and throw warnings.

The BGP monitor will use the IP-relevant information in the numbers database and maybe combine information from many different BGP daemons running across the internet.



A Monitor for Wireless internets that use BGP as their inter-AS Routing Protocol



How to Monitor a best effort BGP wireless internet -Part 2

How to monitor a not centralized - best effort BGP based wireless network

Some thoughts on how to monitor the health of a non-centralized best effort amateur mostly-BGP wireless network.

Why not ask all the backbone node operators to send a detailed email with the peering IP addresses or, even better, give them the password to a nagios so they can enter them themselves?

Unfortunately, this is not going to work --not in Greece, not for AWMN at least.

Why not use the Wireless Node Database as input to the monitoring system?

Well, the Wireless Node Database contains information `maintained` by the backbone operators, and unfortunately, even though backbone operators usually put their links in there (a sign of status), they forget to take them off once the links are dead, and they usually do not enter peering IP addresses.

In a best effort non-professional internet one cannot rely on the operators for accurate information. Even in a professional Internet one cannot rely on the human operators. This is something that needs to be automated.

In a BGP based network finding all the routers along with their peering IP addresses and checking them from monitoring systems placed in different parts of the network should be sufficient.

I thought of a couple of ways of finding all the peering IP addresses, and both start with a BGP feed --a "show ip bgp" on a router or a quagga daemon.

This way I get the routes advertised along with the AS paths and the originating AS numbers.

Great! Now one could go two ways and the first one sounds easier at first.

1) Scan the advertised IP space for daemons listening on TCP port 179 (BGP). ~Trivial with a scanner like nmap or a little perl script. Some `passive` scanning could tell apart unique routers, but I would still need to figure out the site --the side of a link-- a router is peering from. Also, a daemon listening on 179 does not necessarily mean the edge of a link.

2) Traceroute --one to each route. A `traditional` traceroute will show only one side for each link, therefore only half of the peering IP addresses can be seen from one point assuming all paths are symmetric. For the purposes of a monitoring system that should be good enough. Knowing all the peering IP addresses would be even better since inner-node problems could be spotted easier on monitoring. Some claim to have written reverse traceroute tools but I have not been able to find any sources.

It's late and I need to sleep. END of Part 1.



A Monitor for Wireless internets that use BGP as their inter-AS Routing Protocol



How to Monitor a best effort BGP wireless internet -Part 1

The storm and the busted feeder

This picture shows a busted feeder used on a dual-polarized wireless N link of the AWMN ipduh node with the AWMN geioa node. The busted feeder is on the geioa side. The connector of the LMR cable used in the horizontal polarization broke sometime in the storm and water entered the feeder.

The signal strength fell below -69 dB. However, the link did not stop working, with ~120Mb/s capacity. During the day after the storm the sun dried the feeder completely and the signal strength climbed over 10 dBm.


Yeah, that's a too-tough-to-die link.





The Storm and the busted Feeder

Monitor Wireless Links with nagios part 1

How-To monitor wireless links with nagios.

Along with standard ping checks and CPU usage, signal strength, noise floor, and Connection Quality (CCQ) are good `health` indicators for wireless links. However, the warning and alarm limits vary per link and should be set for each link by the people who set it up and know its specifics, eg. there are 1 km links that report -48/-48 dBm signal strength transmitting with ~0 dBm power and 9 km links in which we cannot do any better than -61/-61 dBm before we start using ridiculous amounts of Tx power or dishes above 1 m.

Let's start with RouterOS based routers. I will try to use SNMP since Mikrotik recently added the CCQ and noise floor to SNMP --the signal strength has been in the RouterOS SNMP tree for a while.

Note: I have been unable to pull the noise floor and CCQ over SNMP for all working interfaces on RouterBOARDs.

To get the OIDs try:
interface wireless print oid
The Object Identifiers are named strength, noise-floor, and overall-ccq.

Signal Strength:

I will use the check_snmp nagios plugin and define a command for each interface I want to monitor. Here is a command definition for a link in which I `define` -40 dBm to -59 dBm signal strength as OK.
###check signal strength on interface 0
define command{
        command_name check_signal_strength_on_if0
        # OK when the returned value is -40 .. -59 dBm (an unanchored "contains 4 or 5"
        # regex would also accept e.g. -64)
        command_line /usr/lib/nagios/plugins/check_snmp -P 1 -C public -H $HOSTADDRESS$ -o .1.3.6.1.4.1.14988.1.1.1.2.1.3.0.12.66.97.197.219.2 -r '-[45][0-9]'
}


And this is how I use the above command in a monitored service definition:
define service{
        use                     generic-service
        host_name               router.014.ipduh.awmn
        service_description     SIGNAL-STRENGTH-geioa #SIGNAL-STRENGTH-WiNode_Name
        check_command           check_signal_strength_on_if0
}


Here is another command definition in which I `define` -69 dBm <= signal strength <= -40 dBm as OK.
###check signal strength on interface 1
define command{
        command_name check_signal_strength_on_if1
        # OK when the returned value is -40 .. -69 dBm
        command_line /usr/lib/nagios/plugins/check_snmp -P 1 -C public -H $HOSTADDRESS$ -o .1.3.6.1.4.1.14988.1.1.1.2.1.3.0.11.107.54.85.223.6 -r '-[4-6][0-9]'
}


Noise Floor:

I use the check_snmp plugin again, and here is an example of a command definition by which a noise floor above -100 dBm is not OK.
###check noise floor on interface 2
define command{
        command_name check_noise_floor_on_if2
        # OK when the returned value is -100 .. -199 dBm
        command_line /usr/lib/nagios/plugins/check_snmp -P 1 -C public -H $HOSTADDRESS$ -o .1.3.6.1.4.1.14988.1.1.1.3.1.9.1 -r '-1[0-9][0-9]'
}


I have been unable to get the noise floor with SNMP from all the devices and all the radio cards so maybe I will have to go back to using scripts that pull it off telnet or SSH sessions.

end of part 1



Monitor Wireless Links with Nagios - Part 1

raspberry pi SD card format

Notes on formatting an SD card for raspberry pi

Insert the SD card and figure out the device name
# dmesg
[86441.438194] mmc0: new high speed SDHC card at address f377
[86441.438511] mmcblk0: mmc0:f377 SD04G 3.75 GiB 

or if you are familiar with the system drives
# cat /proc/diskstats


If the system auto-mounts the SD card unmount it
# df -h |grep -i mmcb
# umount /dev/mmcblk0
# df -h |grep -i mmcb


1) Check the drive with parted
# parted /dev/mmcblk0
GNU Parted 2.3
Using /dev/mmcblk0
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted)print                                                            
Model: SD SD04G (sd/mmc)
Disk /dev/mmcblk0: 4027MB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start   End     Size    Type     File system  Flags
 1      4194kB  4027MB  4022MB  primary  fat32

(parted) unit chs                                                         
(parted) print                                                            
Model: SD SD04G (sd/mmc)
Disk /dev/mmcblk0: 975,30,29
Sector size (logical/physical): 512B/512B
BIOS cylinder,head,sector geometry: 975,128,63.  Each cylinder is 4129kB.
Partition Table: msdos

Number  Start  End        Type     File system  Flags
 1      1,2,2  975,30,29  primary  fat32
                                                                  

(parted)quit
It seems OK.

2)
Suppose we want to format an SD card from scratch.
Then, to destroy the old partitions, create one large partition, and format it ...
# parted /dev/mmcblk0
GNU Parted 2.3
Using /dev/mmcblk0
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print
Model: SD SA08G (sd/mmc)
Disk /dev/mmcblk0: 7969MB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start   End     Size    Type     File system  Flags
 1      1049kB  132MB   131MB   primary  fat16        boot, lba
 2      132MB   7969MB  7837MB  primary  ext4

(parted) unit chs                                                         
(parted) print                                                            
Model: SD SA08G (sd/mmc)
Disk /dev/mmcblk0: 968,220,19
Sector size (logical/physical): 512B/512B
BIOS cylinder,head,sector geometry: 968,255,63.  Each cylinder is 8225kB.
Partition Table: msdos

Number  Start    End         Type     File system  Flags
 1      0,32,32  16,15,62    primary  fat16        boot, lba
 2      16,16,0  968,220,19  primary  ext4
(parted) rm 1                                                             
(parted) rm 2   
(parted) mkpart primary 0GB 8GB
(parted) print                                                            
Model: SD SA08G (sd/mmc)
Disk /dev/mmcblk0: 968,220,19
Sector size (logical/physical): 512B/512B
BIOS cylinder,head,sector geometry: 968,255,63.  Each cylinder is 8225kB.
Partition Table: msdos

Number  Start    End         Type     File system  Flags
 1      0,32,32  968,220,19  primary  fat16
(parted)quit
# partprobe
# mkdosfs /dev/mmcblk0
# mount /dev/mmcblk0 /mnt/blah/
# df -h |grep mnt
/dev/mmcblk0          7.5G  4.0K  7.5G   1% /mnt/blah


Mount the SD card (from step 1)
# mkdir /mnt/blah
# mount -t vfat /dev/mmcblk0p1 /mnt/blah/
# df -h |grep mmcb
/dev/mmcblk0p1          3.8G   32K  3.8G   1% /mnt/blah


Download and Copy NOOBS to the SD
# aria2c http://downloads.raspberrypi.org/NOOBS_latest
# mkdir NOOBS
# mv NOOBS_v1_3_2.zip NOOBS
# cd NOOBS; unzip NOOBS_v1_3_2.zip; mv NOOBS_v1_3_2.zip .. ; cd ..
# cp -r NOOBS/* /mnt/blah/
# ls /mnt/blah/
bootcode.bin  defaults         os   recovery.elf       recovery.img  riscos-boot.bin
BUILD-DATA    INSTRUCTIONS-README.txt  recovery.cmdline  RECOVERY_FILES_DO_NOT_EDIT  recovery.rfs
# sync
# umount /dev/mmcblk0p1


Use the SD card to boot pi and install the raspberry pi distribution you like ...



Raspberry Pi SD card format

Change user ID and group ID

I always forget how to properly change the user ID and the group ID in a debian linux system.

Change user ID
Set ipduhuser user ID to 1111
# usermod -u 1111 ipduhuser


Change group ID
Set ipduhgroup group ID to 1111
# groupmod -g 1111 ipduhgroup


debian proper change of group and user ID



wheezy install Digest::SHA1

Install Digest::SHA1 in Debian 7

something is off with the packaging ... just use the cpan shell

# apt-get install gcc make
# cpan -i Digest::SHA1





wheezy install Digest::SHA1


bind9 signed zone transfers

Notes on setting up bind9 signed zone transfers

Create a key (dnssec-keygen writes a .key and a .private file; with HMAC-MD5 both hold the same shared secret, and dnssec-keygen also accepts -a HMAC-SHA256, which is the better choice today)
# dnssec-keygen -a HMAC-MD5 -n HOST -b 128 signed


The keys
# ls *signed*
Ksigned.+157+22132.key Ksigned.+157+22132.private


# cat Ksigned.+157+29131.key 
signed. IN KEY 512 3 157 Dabcdr5JO39Z4321JeCh8g==



Add the key to the conf files of both servers, and restrict the zone's allow-transfer to it (allow-transfer { key signed; };) so that unsigned transfer requests are refused,

eg:
on 1.1.1.1
key signed { algorithm hmac-md5; secret "Dabcdr5JO39Z4321JeCh8g=="; };
server 2.2.2.2 {
  transfer-format many-answers;
  keys { signed.; };
};
and on 2.2.2.2
key signed { algorithm hmac-md5; secret "Dabcdr5JO39Z4321JeCh8g=="; };
server 1.1.1.1 {
  transfer-format many-answers;
  keys { signed.; };
};




Bind9 signed zone transfers

debian install adobe flash player

Install the Adobe Flash Player in Debian

$ su
# echo "deb ftp://ftp.debian.org/debian stable main contrib non-free" >> /etc/apt/sources.list
# apt-get update
# apt-get install flashplugin-nonfree
# update-flashplugin-nonfree --install


https://wiki.debian.org/FlashPlayer



debian install adobe flash player

Episode.IV


$ traceroute -f 5 -m 60 216.81.59.173
traceroute to 216.81.59.173 (216.81.59.173), 60 hops max, 60 byte packets
 5  athe-crsa-acro7609b-1.backbone.otenet.net (79.128.227.45)  18.453 ms  18.729 ms  18.729 ms
 6  athe-inet2.backbone.otenet.net (212.205.223.218)  17.168 ms  17.276 ms  18.878 ms
 7  inet2-athe.backbone.otenet.net (212.205.223.217)  19.459 ms  17.640 ms  18.860 ms
 8  79.128.227.89 (79.128.227.89)  27.575 ms 79.128.227.237 (79.128.227.237)  26.154 ms  24.942 ms
 9  62.75.3.21 (62.75.3.21)  25.955 ms  21.494 ms  23.971 ms
10  62.75.4.166 (62.75.4.166)  61.423 ms  62.382 ms 62.75.4.138 (62.75.4.138)  70.622 ms
11  30gigabitethernet4-3.core1.fra1.he.net (80.81.192.172)  72.179 ms 10gigabitethernet1-1.core1.lon1.he.net (195.66.224.21)  63.829 ms 30gigabitethernet4-3.core1.fra1.he.net (80.81.192.172)  72.133 ms
12  10gigabitethernet1-4.core1.par2.he.net (184.105.213.162)  77.840 ms 10gigabitethernet2-2.core1.par2.he.net (72.52.92.26)  69.327 ms 10gigabitethernet2-4.core1.par2.he.net (72.52.92.42)  60.430 ms
13  10gigabitethernet7-1.core1.ash1.he.net (184.105.213.93)  134.370 ms  143.139 ms  144.838 ms
14  10gigabitethernet1-2.core1.atl1.he.net (184.105.213.110)  138.853 ms  144.016 ms  151.054 ms
15  216.66.0.26 (216.66.0.26)  152.212 ms  142.312 ms  143.741 ms
16  * * *
17  Episode.IV (206.214.251.1)  190.619 ms  200.292 ms  195.002 ms
18  A.NEW.HOPE (206.214.251.6)  200.755 ms  201.726 ms  195.167 ms
19  It.is.a.period.of.civil.war (206.214.251.9)  191.448 ms  207.654 ms  200.998 ms
20  Rebel.spaceships (206.214.251.14)  188.187 ms  191.786 ms  190.800 ms
21  striking.from.a.hidden.base (206.214.251.17)  182.061 ms  181.099 ms  180.334 ms
22  have.won.their.first.victory (206.214.251.22)  191.261 ms  180.538 ms  181.484 ms
23  against.the.evil.Galactic.Empire (206.214.251.25)  196.694 ms  191.919 ms *
24  During.the.battle (206.214.251.30)  207.117 ms  191.818 ms  212.757 ms
25  Rebel.spies.managed (206.214.251.33)  202.463 ms  200.236 ms  201.902 ms
26  to.steal.secret.plans (206.214.251.38)  207.191 ms  176.830 ms  175.679 ms
27  to.the.Empires.ultimate.weapon (206.214.251.41)  176.616 ms  180.583 ms  198.804 ms
28  the.DEATH.STAR (206.214.251.46)  187.007 ms  186.544 ms  197.269 ms
29  an.armored.space.station (206.214.251.49)  196.515 ms  197.470 ms  198.975 ms
30  with.enough.power.to (206.214.251.54)  192.450 ms  199.909 ms  202.917 ms
31  destroy.an.entire.planet (206.214.251.57)  206.645 ms  207.849 ms  192.183 ms
32  Pursued.by.the.Empires (206.214.251.62)  176.592 ms  182.370 ms  193.539 ms
33  sinister.agents (206.214.251.65)  194.358 ms  187.309 ms  182.322 ms
34  Princess.Leia.races.home (206.214.251.70)  192.842 ms  193.863 ms  195.605 ms
35  aboard.her.starship (206.214.251.73)  185.287 ms  187.834 ms  180.836 ms
36  custodian.of.the.stolen.plans (206.214.251.78)  178.555 ms  186.860 ms  191.278 ms
37  that.can.save.her (206.214.251.81)  185.571 ms  191.820 ms  182.810 ms
38  people.and.restore (206.214.251.86)  175.621 ms  187.270 ms  189.327 ms
39  freedom.to.the.galaxy (206.214.251.89)  182.308 ms  180.337 ms  191.794 ms
40  0-------------------0 (206.214.251.94)  191.857 ms  181.507 ms  194.070 ms
41  0------------------0 (206.214.251.97)  180.024 ms  182.020 ms  196.244 ms
42  0-----------------0 (206.214.251.102)  181.368 ms  198.002 ms  183.873 ms
43  0----------------0 (206.214.251.105)  180.532 ms  191.293 ms  190.058 ms
44  0---------------0 (206.214.251.110)  191.034 ms  187.540 ms  191.082 ms
45  0--------------0 (206.214.251.113)  184.317 ms  194.834 ms  185.574 ms
46  0-------------0 (206.214.251.118)  193.278 ms  188.560 ms  185.738 ms
47  0------------0 (206.214.251.121)  182.317 ms  192.127 ms  193.440 ms
48  0-----------0 (206.214.251.126)  191.105 ms  191.626 ms  192.363 ms
49  0----------0 (206.214.251.129)  185.385 ms  188.650 ms  196.623 ms
50  0---------0 (206.214.251.134)  194.552 ms  195.252 ms  192.289 ms
51  0--------0 (206.214.251.137)  191.082 ms  184.285 ms  191.032 ms
52  0-------0 (206.214.251.142)  184.084 ms  187.757 ms  180.525 ms
53  0------0 (206.214.251.145)  193.828 ms  178.079 ms  176.579 ms
54  0-----0 (206.214.251.150)  191.833 ms  191.313 ms  188.348 ms
55  0----0 (206.214.251.153)  179.847 ms  185.175 ms  191.621 ms
56  0---0 (206.214.251.158)  185.373 ms  194.372 ms  192.023 ms
57  0--0 (206.214.251.161)  179.634 ms  191.572 ms  195.803 ms
58  0-0 (206.214.251.166)  178.801 ms  196.028 ms  182.060 ms
59  00 (206.214.251.169)  198.041 ms  188.799 ms  180.537 ms
60  I (206.214.251.174)  198.517 ms  186.521 ms  191.255 ms



Episode.IV



Episode IV

get-them

A simple script that shows the total connections per IP address to a TCP or UDP port.

getthem prints its output in the terminal and optionally creates an HTML file with links to more information for each IP address.

Example, see connections to port 80
$ getthem
TCP or UDP 80
     18 46.12.149.75
     17 204.12.219.170
     13 84.205.244.136
      8 92.118.99.42
      8 195.78.86.91
      6 79.129.116.143
      4 62.38.152.211
      2 95.92.7.178
      2 85.72.63.93
      2 150.70.173.54
      2 150.70.173.46
      2 150.70.173.44
      2 150.70.173.43
      1 72.14.199.54
      1 180.76.5.161
      1 164.61.210.150
      1 150.70.173.56
      1 150.70.173.53
      1 150.70.173.49
      1 150.70.173.45
      1 150.70.173.42
      1 150.70.173.40



Port 80 is the default port. You may set the port eg:
$ getthem 143
TCP or UDP 143
      3 79.129.59.177



The getthem script
#!/bin/bash
#g0 2012 - http://ipduh.com/contact
# Count TCP and UDP sockets per remote IP address on a local port
INFO="http://alog.ipduh.com/2013/02/get-them.html"
MID=$(id -u)
TMP="/tmp/getthem.${MID}.tmp"
HTML="/home/public_html/get-them.html"
DATE=$(date)

# Port 80 unless one is given on the command line
if [ -z "$1" ]; then
        PORT="80"
else
        PORT="$1"
fi

echo "TCP or UDP ${PORT}"

# Field 4 is the local address, field 5 the foreign one. Match the port on the
# local address only (":80" alone would also match :8080), drop listening and
# loopback sockets, strip the remote port, then count per remote IP.
netstat -unta | awk -v port="${PORT}" '$4 ~ (":" port "$") {print $5}' \
        | grep -Ev "^(0\.0\.0\.0|127\.0\.0\.1|::|\*)" \
        | awk -F ":" '{print $1}' | sort | uniq -c | sort -nr | tee "${TMP}"

echo "<html><head><title>get-them ${DATE}</title></head><body><br>${DATE}<br>Connection(s) on TCP or UDP port(s) ${PORT} <br><br><br>" > "${HTML}"
awk '{ print $1" <a href=\"http://ipduh.com/apropos/?"$2"\" target=\"_blank\">"$2"</a><br><br>" }' "${TMP}" >> "${HTML}"
echo "<br><br><a href=\"${INFO}\">get_them source</a></body></html>" >> "${HTML}"






Get them --a simple script that shows connections / IP address to an IP-TCP or IP-UDP port

pidgin start on boot -- the easy way

A friend on my jabber server came up with a way for pidgin to start right after boot on a Windows system. Not a bad way, but it is difficult for simple users. Hence, this post: make pidgin start at boot time on Windows --the super easy --politically correct-- way :).

Tools -> Plugins -> Select "Windows Pidgin Options 2.10.6" -> Click on "Configure Plugin" -> check "Start Pidgin on Windows Startup" > click "Close" -> click "Close"

κομπλεdone! ,

yeah, it simply adds one more item in the Startup List --check with msconfig



start pidgin on boot - windows

Basic BIND > 9 administration

The Version:
# named -v
BIND 9.17.0-P8
Type rndc, the name server control utility, without arguments to see the available commands (and the ones not implemented yet)
# rndc


Most Commonly Used:

A status
#rndc status
version: 9.17.0-P8 (a version)
CPUs found: 4
worker threads: 4
number of zones: 110
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running



Flush the cache of a view, eg. internal (useful on caching nameservers)
# rndc flush internal


Reload a zone
#rndc reload ipduh.com 
zone refresh queued


Reload all
#rndc reload
server reload successful


The above commands are usually better alternatives to
# /etc/init.d/named restart
A restart throws away the whole cache and, if the new configuration has an error, leaves the server down; rndc reload and reconfig keep named running on the old configuration (or the old zone data) when the new one fails to load. rndc needs the control key, /etc/bind/rndc.key on Debian, to be readable by the user running it.


A listing of all the rndc commands. Don't expect all of them to work with private TLDs that are not delegated from the root nameservers, eg .awmn.
#rndc
Usage: rndc [-c config] [-s server] [-p port]
 [-k key-file ] [-y key] [-V] command

command is one of the following:

  reload Reload configuration file and zones.
  reload zone [class [view]]
  Reload a single zone.
  refresh zone [class [view]]
  Schedule immediate maintenance for a zone.
  retransfer zone [class [view]]
  Retransfer a single zone without checking serial number.
  freeze Suspend updates to all dynamic zones.
  freeze zone [class [view]]
  Suspend updates to a dynamic zone.
  thaw  Enable updates to all dynamic zones and reload them.
  thaw zone [class [view]]
  Enable updates to a frozen dynamic zone and reload it.
  notify zone [class [view]]
  Resend NOTIFY messages for the zone.
  reconfig Reload configuration file and new zones only.
  sign zone [class [view]]
  Update zone keys, and sign as needed.
  stats  Write server statistics to the statistics file.
  querylog Toggle query logging.
  dumpdb [-all|-cache|-zones] [view ...]
  Dump cache(s) to the dump file (named_dump.db).
  stop  Save pending updates to master files and stop the server.
  stop -p Save pending updates to master files and stop the server
  reporting process id.
  halt  Stop the server without saving pending updates.
  halt -p Stop the server without saving pending updates reporting
  process id.
  trace  Increment debugging level by one.
  trace level Change the debugging level.
  notrace Set debugging level to 0.
  flush  Flushes all of the server's caches.
  flush [view] Flushes the server's cache for a view.
  flushname name [view]
  Flush the given name from the server's cache(s)
  status Display status of the server.
  recursing Dump the queries that are currently recursing (named.recursing)
  validation newstate [view]
  Enable / disable DNSSEC validation.
  *restart Restart the server.

* == not yet implemented
Version: a version


Check the configuration files (add -z to also load and check every zone they reference)
#named-checkconf /etc/bind/named.conf.options


Check a zone file
#named-checkzone trampoline.com /var/cache/bind/db.trampoline.com
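As an added example (not part of the original post), a small pre-flight wrapper around the two checks above: it runs named-checkconf and named-checkzone and only then calls rndc reload for the zone, so a typo in a zone file never reaches the running server. The NAMED_CONF path and the CHECKCONF/CHECKZONE/RNDC variables, which let you point at other binaries, are assumptions of this example.

```sh
#!/bin/sh
# Added example: check before reload. Not from the original post.
# Assumptions: Debian paths; CHECKCONF/CHECKZONE/RNDC may be overridden to
# point at other binaries (a self-test can replace them with true/false).
NAMED_CONF="${NAMED_CONF:-/etc/bind/named.conf}"
CHECKCONF="${CHECKCONF:-named-checkconf}"
CHECKZONE="${CHECKZONE:-named-checkzone}"
RNDC="${RNDC:-rndc}"

# check_conf: 0 if named.conf (and the files it includes) parses
check_conf() {
    "$CHECKCONF" "$NAMED_CONF"
}

# check_zone NAME FILE: 0 if the zone file loads (-q: exit code only)
check_zone() {
    "$CHECKZONE" -q "$1" "$2"
}

# safe_reload NAME FILE: verify config and zone, then "rndc reload NAME".
# Returns 1 without touching named if either check fails.
safe_reload() {
    zone="$1"; file="$2"
    if ! check_conf; then
        echo "$NAMED_CONF failed named-checkconf; not reloading" >&2
        return 1
    fi
    if ! check_zone "$zone" "$file"; then
        echo "zone $zone ($file) failed named-checkzone; not reloading" >&2
        return 1
    fi
    "$RNDC" reload "$zone"
}

# usage: safe_reload ipduh.com /var/cache/bind/db.ipduh.com
```

Remember to bump the SOA serial before reloading; named-checkzone does not check that for you and secondaries will not transfer a zone whose serial did not change.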




Basic Bind > 9 Administration

the bug buster



works only during the winter for little, warm, not-noisy, linux powered servers.



The Bug Buster

simple routeros hotspot setup

A simple hotspot how-to

The hotspot described here is used as an extra authentication and accounting layer on top of WPA2 with a pre-shared key.

I assume that the router is already connected to your WAN(s).
In my case the WANs are the AWMN (via BGP) and the Internet (static routes).

Test connectivity:
[ipduh@rock] /ip> /ping ipduh.com
HOST                                     SIZE TTL TIME  STATUS                                                                                     
85.25.242.245                              56  49 63ms 
85.25.242.245                              56  49 64ms 
85.25.242.245                              56  49 63ms 
    sent=3 received=3 packet-loss=0% min-rtt=63ms avg-rtt=63ms max-rtt=64ms 

[ipduh@rock] /ip> /ping www.awmn
HOST                                     SIZE TTL TIME  STATUS                                                                                     
10.19.143.13                               56  57 11ms 
10.19.143.13                               56  57 5ms  
10.19.143.13                               56  57 25ms 
10.19.143.13                               56  57 10ms 
    sent=4 received=4 packet-loss=0% min-rtt=5ms avg-rtt=12ms max-rtt=25ms 



Set wireless (the "\..." seen on the router is just the continuation prompt):
/interface wireless set wlan1 ssid=hotspot.ipduh.net band=2ghz-b/g/n mode=ap-bridge
and so on (frequency, security-profile with the WPA2 key, etc.)

Set the wireless interface ip address
/ip address add address=192.168.8.1/24 interface=wlan1


Set the hotspot
 /ip hotspot setup
Select interface to run HotSpot on 

hotspot interface: wlan1
Set HotSpot address for interface 

local address of network: 192.168.8.1/24
masquerade network: yes
Set pool for HotSpot addresses 

address pool of network: 192.168.8.10-192.168.8.250
Select hotspot SSL certificate 

select certificate: none                    
Select SMTP server 

ip address of smtp server: 0.0.0.0
Setup DNS configuration 

dns servers: 10.21.241.4
DNS name of local hotspot server 

dns name: hotspot.ipduh.net



Add a hotspot user
/ip hotspot user add name=surfer password=opensesami


Done!

You should now be able to associate with the SSID hotspot.ipduh.net (supplying the WPA2 key if one is set), get IP and DNS settings from the hotspot's DHCP server and, once you open a browser, be redirected to hotspot.ipduh.net, the captive-portal login page served on 192.168.8.1 (the hotspot answers the DNS query for that name itself). Since "select certificate: none" was chosen above, that page is served over plain HTTP; RouterOS's default HTTP-CHAP login hashes the password, but the page and the session cookie are otherwise unencrypted, so give the hotspot a certificate and enable HTTPS login in the hotspot profile if you care about that.



Simple RouterOS Hotspot Setup

test ssmtp

A few notes on sSMTP

Test the installation and configuration by sending an email; -v shows the SMTP dialogue.
# echo "what up" |ssmtp -v asystems@ipduh.awmn -f g0@wifi.ipduh.awmn 
[<-] 220 ares.ipduh.awmn ESMTP Postfix
[->] HELO wifi.ipduh.awmn
[<-] 250 ares.ipduh.awmn
[->] MAIL FROM:
[<-] 250 2.1.0 Ok
[->] RCPT TO:
[<-] 250 2.1.5 Ok
[->] RCPT TO:
[<-] 250 2.1.5 Ok
[->] DATA
[<-] 354 End data with .
[->] Received: by wifi.ipduh.awmn (sSMTP sendmail emulation); Thu, 14 Nov 2013 03:07:10 +0200
[->] From: "root" <g0@wifi.ipduh.awmn>
[->] Date: Thu, 14 Nov 2013 03:07:10 +0200
[->] what up
[->] 
[->] .
[<-] 250 2.0.0 Ok: queued as 4FFA3532E4
[->] QUIT
[<-] 221 2.0.0 Bye
#

Note that the whole dialogue is plain text on port 25 (no STARTTLS was used) and the relay accepted the From address unchallenged, so anyone on the path can read or forge such mail. If the relay supports it, set UseSTARTTLS=YES (and AuthUser/AuthPass) in /etc/ssmtp/ssmtp.conf.



Test sSMTP

fixing debian munin-node 1.4.5-3 timeout problem

Notes on fixing the munin-node timeout issue.

The system
# cat /etc/issue /etc/debian_version 
Debian GNU/Linux 6.0 \n \l

6.0.7



munin-node version
# dpkg -l |grep munin-node
ii  munin-node                          1.4.5-3                      network-wide graphing framework (node)



The problem signature
# cat /var/log/munin/munin-node.log
2013/09/08-22:29:00 [21117] Undefined subroutine &Munin::Node::Server::reset_timeout called at /usr/share/perl5/Munin/Node/Server.pm line 160,  line 1.
or, from the client side, a connection that drops as soon as a command is sent:
# telnet 10.21.241.100 4949
Trying 10.21.241.100...
Connected to 10.21.241.100.
Escape character is '^]'.
# munin node at anydns.ipduh.awmn.
list
Connection closed by foreign host.
#


It turns out that &reset_timeout and $current_timeout are missing from /usr/share/perl5/Munin/Common/Timeout.pm. You may either comment out the reset_timeout() call in Server.pm or replace Timeout.pm with a correct module. I found a Timeout.pm that has the &reset_timeout subroutine and the $current_timeout handling, and works, in an Ubuntu repository.

See also http://munin-monitoring.org/ticket/1375.

Edit /usr/share/perl5/Munin/Node/Config.pm
# vi /usr/share/perl5/Munin/Node/Config.pm
and add global_timeout to the %config_variables list near line 80, so that it looks like the following
my %config_variables = map { $_ => 1 } qw(
        ignore_file
        paranoia
        timeout
        global_timeout
        tls
        tls_ca_certificate
        tls_certificate
        tls_private_key
        tls_verify_certificate
        tls_verify_depth
        tls_match
    );




Fixing Munin Node Timeout Problem

repair messed up munin nodes on debian based systems

Repair munin nodes on debian based systems

Reinstall!
# apt-get --purge remove munin
# apt-get --purge remove munin-node
# apt-get clean
# apt-get install deborphan
# deborphan | xargs apt-get -y --purge remove
# rm -r /usr/share/perl5/Munin/Node/
# apt-get update
# apt-get install munin-node

Look at the deborphan output before feeding it to apt-get -y: it lists every library nothing depends on any more, not just munin leftovers. Back up /etc/munin first; the purge removes the node configuration and plugin links.




Repair messed up debian munin nodes

The spectrum around 5GHz in Downtown Athens

A large ~8-10dBi omnidirectional antenna (larger would make the vertical beamwidth too narrow),
a decent 5GHz radio card and a RouterOS powered computer
are good enough to look at the spectrum around the 5GHz frequencies that are unlicensed in Greece.

The command:
/interface wireless spectral-history 0 range 4790-6110


and this is how it looks.





The Spectrum around the 5GHz in downtown Athens

traffic accounting per IP with iptables and munin

Notes on graphing traffic per IP address on a host with munin.

Assuming the host has munin-node installed and does not forward traffic (only INPUT and OUTPUT are counted below; a router would need FORWARD rules as well).

The IP addresses used by the host:
# ip a
1: lo:  mtu 16436 qdisc noqueue state UNKNOWN 
    ...
2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    ...
    inet 192.0.2.156/28 brd 192.0.2.159 scope global eth0
    inet 10.21.241.34/25 brd 10.21.241.127 scope global eth0:1
    inet 10.21.241.35/25 brd 10.21.241.127 scope global secondary eth0:2
    ...



The accounting iptables rules. They have no -j target, so they match and count but never accept or drop anything; -I puts them at the top of the chain so they see every packet before any other rule does.
iptables -I INPUT -d 192.0.2.156
iptables -I INPUT -d 10.21.241.34
iptables -I INPUT -d 10.21.241.35
iptables -I OUTPUT -s 192.0.2.156
iptables -I OUTPUT -s 10.21.241.34
iptables -I OUTPUT -s 10.21.241.35



Test the accounting rules
# iptables -L -n -x -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
    1446   216063            all  --  *      *       0.0.0.0/0            10.21.241.35        
    9765   772474            all  --  *      *       0.0.0.0/0            10.21.241.34        
   84614 60552352            all  --  *      *       0.0.0.0/0            192.0.2.156       

...

Chain OUTPUT (policy ACCEPT 92889 packets, 61985157 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
    1437  1308702            all  --  *      *       10.21.241.35         0.0.0.0/0           
    8140  2581855            all  --  *      *       10.21.241.34         0.0.0.0/0           
   83324 58103243            all  --  *      *       192.0.2.156        0.0.0.0/0           



If you are using bif.sh to manage iptables you could put the following after drop_bad or $IPTABLES -t raw -X
#Host IP accounting
$IPTABLES -I INPUT -d 192.0.2.156
$IPTABLES -I INPUT -d 10.21.241.34
$IPTABLES -I INPUT -d 10.21.241.35
$IPTABLES -I OUTPUT -s 192.0.2.156
$IPTABLES -I OUTPUT -s 10.21.241.34
$IPTABLES -I OUTPUT -s 10.21.241.35



Configure munin-node: link the ip_ wildcard plugin once per address (the plugin reads the counters of the rules above, which needs root, so check that /etc/munin/plugin-conf.d/munin-node carries an [ip_*] user root stanza) and restart munin-node afterwards.
ln -s /usr/share/munin/plugins/ip_ /etc/munin/plugins/ip_10.21.241.34
ln -s /usr/share/munin/plugins/ip_ /etc/munin/plugins/ip_10.21.241.35
ln -s /usr/share/munin/plugins/ip_ /etc/munin/plugins/ip_192.0.2.156
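An added example, not from the original post, that generalizes the hard-coded rules above: it derives the counting rules from the host's own global IPv4 addresses and inserts each one only if it is not already present, so the script can be re-run (or called from bif.sh) without piling up duplicate counters. It assumes iptables 1.4.11 or later for -C (wheezy has it, squeeze does not) and the IPTABLES variable is an assumption of this example.

```sh
#!/bin/sh
# Added example (not from the original post): per-address accounting rules
# built from "ip -4 -o addr show", added idempotently.
# Assumptions: iptables >= 1.4.11 (-C), iproute2, awk.
IPTABLES="${IPTABLES:-iptables}"

# accounting_rules: read "ip -4 -o addr show" output on stdin and print one
# "CHAIN spec" line per global IPv4 address. No -j target, so they only count.
accounting_rules() {
    awk '$3 == "inet" && / scope global/ {
        split($4, a, "/")                 # drop the prefix length
        printf "INPUT -d %s\n", a[1]
        printf "OUTPUT -s %s\n", a[1]
    }'
}

# ensure_rule CHAIN SPEC...: insert the rule unless an identical one exists
ensure_rule() {
    chain="$1"; shift
    "$IPTABLES" -C "$chain" "$@" 2>/dev/null || "$IPTABLES" -I "$chain" "$@"
}

# apply_accounting: wire the two together for the running host
apply_accounting() {
    ip -4 -o addr show | accounting_rules | while read -r chain spec; do
        # spec is intentionally word-split into "-d ADDR" / "-s ADDR"
        ensure_rule "$chain" $spec
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_accounting
fi
```

Run it as root with --apply; without the flag it only defines the functions, so it can be sourced from a firewall script. Loopback and link-local addresses are skipped because they are not "scope global".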




Traffic accounting per IP with iptables and munin

Net::Server debian

Install Net::Server on Debian

# cpan -i Net::Server
The CPAN version (Net-Server-2.007 at the time of writing) supports IPv6.

or

# apt-get install libnet-server-perl


http://packages.debian.org/wheezy/libnet-server-perl
http://search.cpan.org/~rhandom/Net-Server-2.007/lib/Net/Server.pod



Net::Server Debian Linux

Remove the second version of the Ukash - Paysafe ransomware Virus

The Ukash virus is a scareware/ransomware trojan for recent Windows versions that loads a full-screen message, supposedly from a police department, demanding that the user pay a fine or else ... The fine is to be paid with Ukash or Paysafe, payment methods that are hard to trace. It has been seen speaking English, Russian, Ukrainian, Greek and other languages. Most probably it is a kit that someone can buy to start their own little business.

It was relatively easy to get rid of it with F8 and System Restore to a previous restore point, but when I tried to clean a friend's computer again (yeah, this friend has been attracting and hosting every strain of this piece of malware so far) I was unable to clean the system that easily.

In its latest version the authors added a little piece of code that simply reboots the system when a user attempts to log in to the GUI safe mode.

I tried logging in with Safe Mode with Command Prompt and disabling the reboot with msconfig, but no cigar.

Finally, while logged in with Safe Mode with Command Prompt, I simply started the System Restore program rstrui.exe from .\restore\rstrui.exe and was able to restore the system. Or simply type the following upon logging in to Safe Mode with Command Prompt:
cd restore
rstrui.exe 


The Ukash malware attempts a connection to some IP address in Russia when someone enters a number that matches the Ukash or Paysafe format. Disabling the whole scheme and busting the people behind it should not be that hard. The incompetence of the e-crime investigation units in Eastern and Southern Europe lets the people who operate the scam get away with it.

I would guess that the next strain of this piece of malware will try harder to disable rstrui.exe, since it stands in its way to taking over the world.



Remove ukash paysafe ransomware malware virus v2

transmission daemon -- a bittorrent daemon

Install the transmission bittorrent client as a daemon managed with a web GUI.

# sudo -s
# apt-get install transmission-daemon


# mkdir /green/samba/share/torrents
# mkdir /green/samba/share/torrents/incomplete


Settings are in /etc/transmission-daemon/settings.json. Stop the daemon before editing the file (it rewrites it with its in-memory settings on exit, so edits made while it runs are lost); the web interface is pretty good at telling you what is wrong with them until you get them right. Keep rpc-authentication-required true and rpc-whitelist limited to the hosts that should reach the web GUI.

Add the samba user to the debian-transmission group, adjust ownership and permissions, and reload the bittorrent daemon.
# usermod -a -G debian-transmission samba-user
# chown -R samba-user.debian-transmission /green/samba/share/torrents/
# chmod -R 775  /green/samba/share/torrents/
# invoke-rc.d transmission-daemon reload




Transmission Daemon & Samba on Debian

install samba on debian based systems

A quick how-to for a Samba file server on a Debian based system (Ubuntu, Xubuntu, etc.)

Samba is a collection of software that lets most Unix systems provide file and print sharing services to Windows and *nix clients.

Install Samba

# apt-get install samba


The configuration is in /etc/samba/smb.conf

This is what I usually change on simple installations (smb.conf comments go on their own line, starting with # or ;)

# default NT domain / workgroup name
workgroup = WORKGROUP
# description shown to clients next to the server name (%h = hostname)
server string = %h ashare
# address the samba server binds to; only enforced together with "bind interfaces only = yes"
interfaces = 192.0.2.22/32
# one log file per client machine
log file = /green/log/samba/log.%m
# require a valid samba user and password (no guest or share-level access)
security = user


An example share , usually put on the bottom of /etc/samba/smb.conf
[share]          
    comment = Share   
    path = /green/samba/share  
    browsable = yes   
    guest ok = no   
    read only = no   
    create mask = 0755   


Create the share.
#mkdir -p /green/samba/share
#chown -R nobody.nogroup /green/samba/share


Add a system user and a samba user. adduser.sh is a small helper script from my site; read anything you fetch over plain http before running it as root.
# wget http://kod.ipduh.com/lib/adduser.sh
# chmod 700 adduser.sh
# mv adduser.sh /bin
# adduser.sh 
Add User:
Enter GROUPID     : 3000
Enter GROUPNAME   : samba-user
Enter USERID      : 3000
Enter USERNAME    : samba-user
Enter USER HOME DIRECTORY ( Or hit enter for /home/samba-user ):              
Enter USERSHELL   : /usr/bin/nologin
Enter USERCOMMENT : 
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

...

# echo "/usr/bin/nologin" >> /etc/shells 
(Debian ships nologin as /usr/sbin/nologin. Listing a nologin shell in /etc/shells is only needed if a tool insists on a listed shell, and it makes programs that consult /etc/shells, such as ftp daemons and chsh, treat the account as a regular login account.)


Create a samba-password for the samba-user
#smbpasswd -L -a samba-user
New SMB password:
Retype new SMB password:
Added user samba-user.


Adjust ownership
# chown -R samba-user.nogroup /green/samba/share/


Restart daemons.
# /etc/init.d/smbd restart
# /etc/init.d/nmbd restart


Firewall holes:
allow incoming UDP on ports 137 and 138 (NetBIOS name and datagram services)
allow TCP on ports 139 (NetBIOS session) and 445 (SMB over TCP)
from the LAN only, eg:
# iptables -A INPUT -p udp --dport 137 -i lan0 -s 192.0.2.0/24 -j ACCEPT
# iptables -A INPUT -p udp --dport 138 -i lan0 -s 192.0.2.0/24 -j ACCEPT
# iptables -A INPUT -p tcp --dport 139 -i lan0 -s 192.0.2.0/24 -j ACCEPT
# iptables -A INPUT -p tcp --dport 445 -i lan0 -s 192.0.2.0/24 -j ACCEPT
If the chain already accepts ESTABLISHED,RELATED traffic, the TCP rules can be narrowed to new connections only:
# iptables -A INPUT -m state --state NEW -p tcp --dport 139 -i lan0 -s 192.0.2.0/24 -j ACCEPT
# iptables -A INPUT -m state --state NEW -p tcp --dport 445 -i lan0 -s 192.0.2.0/24 -j ACCEPT


Configure some clients:

on a Debian or Ubuntu Desktop try Places->Network->Samba_Host->share ... put your credentials

on a Windows Desktop try Network Places -> View Workgroup Computers -> Samba_Host ... click on the share & put your credentials

Test & debug from *nix

List the shares from a remote host
$ smbclient -U samba-user -L 192.0.2.22

Since we have it, let's use it from *nix hosts too.

Mount a Samba share on a *nix machine
$ id
uid=9920(diesel) gid=9920(diesel) groups=9920(diesel)
$ sudo mkdir /ares_share
$ sudo chown -R diesel.diesel /ares_share
$ sudo mount -v -t cifs //192.0.2.22/share /ares_share -o username=samba-user,password=opensesami,iocharset=utf8,file_mode=0777,dir_mode=0777,uid=diesel

Passing password= on the command line leaves it in the shell history and visible to every local user in ps while mount runs; a credentials= file with mode 0600 avoids that. file_mode/dir_mode 0777 also make everything on the mount world-writable for local users, so tighten them unless you need that.
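An added example, not part of the original post, covering the two hardening points that come up in this how-to: a share stanza restricted to the one samba account, and a client-side mount that reads the password from a root-only credentials file instead of the command line. The share/user names are the ones used above; the credentials file location and the 0640/0750 masks are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post.
# Assumptions: share name, path and account as in the post; the credentials
# file path is chosen by the caller; mount.cifs from cifs-utils on the client.

# share_stanza NAME PATH USER: an smb.conf share that only USER may open
share_stanza() {
    cat <<EOF
[$1]
    comment = $1
    path = $2
    browseable = yes
    guest ok = no
    read only = no
    valid users = $3
    create mask = 0640
    directory mask = 0750
EOF
}

# write_cifs_credentials FILE USER PASSWORD: root-only file for mount.cifs
# (the subshell keeps the umask change local to this function)
write_cifs_credentials() {
    ( umask 077 && printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1" ) || return 1
    chmod 600 "$1"
}

# mount_share SERVER SHARE MOUNTPOINT CREDS UID: mount via credentials=,
# so the password never appears in ps output or shell history
mount_share() {
    mount -t cifs "//$1/$2" "$3" \
        -o "credentials=$4,iocharset=utf8,uid=$5,file_mode=0640,dir_mode=0750"
}

# usage (server side, appended to smb.conf):
#   share_stanza share /green/samba/share samba-user >> /etc/samba/smb.conf
# usage (client side, as root):
#   write_cifs_credentials /root/.smbcreds samba-user opensesami
#   mount_share 192.0.2.22 share /ares_share /root/.smbcreds diesel
```

The same credentials file works from /etc/fstab (credentials=/root/.smbcreds in the options column), which keeps the password out of a world-readable fstab as well.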




Install Samba Debian GNU Linux

set suphp on directadmin

Notes on setting suphp on directadmin on debian

# cd /usr/local/directadmin/custombuild/
# ./build update
# ./build set php5_cgi yes
# ./build set php5_cli no
# ./build all d
# ./build rewrite_confs

Rebuild roundcube, squirrelmail, phpmyadmin
# ./build phpmyadmin
# ./build roundcube
# ./build squirrelmail


Restart directadmin and httpd
# /etc/init.d/directadmin restart
# /etc/init.d/httpd restart




directadmin suphp

/32 point-to-point routing

Dedicated server providers have lately been provisioning extra IP addresses as /32s.

Here are my notes on setting up a virtual network with the Linux bridge utilities to route /32 addresses to virtual hosts.

When I first got such addresses I immediately asked the provider to take them back and give me addresses within a larger subnet, a LAN that includes an Internet gateway.

Before they answered my ticket I thought it might be better to route the extra addresses myself instead of bridging everything, and I had a setup working: a virtual LAN on private address space between the host and the virtual machines, with /32 routes on the host whose gateway was the private address of the virtual machine. That worked fine for all traffic going to the virtual machines, but I had a hard time making the source address stick for outgoing virtual machine traffic, and since the next hop was not a routed address, ICMP and some other things had a tough time. In the end I made it work but I did not like it.

1st setup
 Internet IP        Private IP               Private IP        Internet IP
 203.0.113.115/26 - 192.168.45.1/24   <-x->  192.168.45.2/24 - 192.0.2.66/32
|                                  |        |                - 198.51.100.67/32 |
|________  Host  __________________|        |_____ Virtual Host_________________|



Then I remembered /32 point-to-point networking, started searching the internet and started trying things out :P.

This is the point-to-point routed setup I ended up using. Same as the first one, but there is no need for the private network segment or for messing with routing tables and source addresses. Two things have to hold for it to work: the provider routes the /32s to the host's own address (203.0.113.115), and the host forwards (net.ipv4.ip_forward = 1); the /32 routes on br0 then deliver the packets to the guests, which use the host as their point-to-point peer and default gateway.

Host
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 203.0.113.115
  netmask 255.255.255.192
  broadcast 203.0.113.127
  gateway 203.0.113.65

auto br0
iface br0 inet static
  address 203.0.113.115
  netmask 255.255.255.255
  bridge_ports none
  bridge_stp off
  bridge_fd 0 
  pre-up brctl addbr br0
  
  up ip route add 192.0.2.66/32 dev br0 
  down ip route del 192.0.2.66/32 dev br0 
 
  up ip route add 198.51.100.67/32 dev br0 
  down ip route del 198.51.100.67/32 dev br0 

#not needed but I kept it
auto br0:1
allow-hotplug br0:1
iface br0:1 inet static
      address 192.168.45.1
      netmask 255.255.255.0
      broadcast 192.168.45.255 



Virtual Machine with network=bridge:br0
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
 address 192.0.2.66
 netmask 255.255.255.255
 pointopoint 203.0.113.115
 gateway 203.0.113.115

auto eth0:1
iface eth0:1 inet static
 address 198.51.100.67
 netmask 255.255.255.255
 pointopoint 203.0.113.115
 gateway 203.0.113.115

#not needed but I kept it
auto eth0:2
iface eth0:2 inet static
 address 192.168.45.2
 netmask 255.255.255.0
        broadcast 192.168.45.255 
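As an added example (not from the original post), the runtime equivalent of the two interfaces(5) stanzas above done with iproute2, so the setup can be tried on a live host and guest before touching /etc/network/interfaces. The addresses are the documentation ones used above; the DRY_RUN switch, which prints the commands instead of running them, is an assumption of this example.

```sh
#!/bin/sh
# Added example, not from the original post: /32 point-to-point routing with
# iproute2. Assumes root, iproute2 and bridge support in the kernel.
# DRY_RUN=1 prints each command instead of executing it.
set -e

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# host_p2p_setup BRIDGE HOSTIP GUESTIP...: a port-less bridge carrying the
# host address as /32, one /32 route per guest over it, forwarding enabled
host_p2p_setup() {
    br="$1"; hostip="$2"; shift 2
    run sysctl -q -w net.ipv4.ip_forward=1
    run ip link add name "$br" type bridge
    run ip addr add "$hostip/32" dev "$br"
    run ip link set "$br" up
    for guest in "$@"; do
        run ip route add "$guest/32" dev "$br"
    done
}

# guest_p2p_setup IFACE GUESTIP HOSTIP: inside the VM, a /32 address with the
# host as point-to-point peer, and the host as default gateway
guest_p2p_setup() {
    run ip addr add "$2/32" peer "$3/32" dev "$1"
    run ip link set "$1" up
    run ip route add default via "$3" dev "$1"
}

# on the host:
#   host_p2p_setup br0 203.0.113.115 192.0.2.66 198.51.100.67
# in the guest (eth0 attached to br0):
#   guest_p2p_setup eth0 192.0.2.66 203.0.113.115
```

The guest's "peer" option is what the pointopoint line in the stanza does: it installs a host route to 203.0.113.115 on eth0, which is what makes "default via 203.0.113.115" acceptable even though the gateway is not inside any subnet the guest has.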




http://alog.ipduh.com/2013/02/32-point-to-point-routing.html



a scam scam.com

Today, while browsing my spam folder, I came across a ridiculous piece of mail. Some amazing moron named Scott Jacobs tried to sell me patronage and protection from complaints in an email sent to whois@my-domain.com, an address used only in whois listings. He had supposedly spotted a complaint on scam.com that he could 'eradicate'. Unfortunately, I was not able to look at the complaint myself and laugh: someone has been DoSing the hell out of scam.com, I wonder why.

The piece of email he sent:

"

Hello

We have noticed you have a complaint on Scam.com:

        http://www.scam.com/showthread.php?t=143318

We represent companies affected by negative reviews on RipoffReport.com,
Yelp.com, Complaintsboard.com, Scam.com, PissedConsumer.com and other
business review websites.  We can often negotiate the removal of content
from the internet, based on our pre-existing relationship with the
offending website. Over the past year we were able to help over 200
clients to date remove negative content pertaining to their brand
completely removed. That's right, not bury or suppressed, but fully
removed. However, In cases where we are unable to come to a resolution
with the offending site, we help you explore your legal options.  We do
not just simply bury or hide complaints through SEO (known in the
Reputation Management industry as burials, our goal is to erase the
negative reviews completely to clean our clients reputation online.  If
you have negative reviews, and would like to hear what we can do for you,
please respond to this email or give us a call.

PLEASE NOTE, we do not own any "scam.com" where complaints are posted, nor
can we personally control people posting complaints.  We represent and
fight for your rights, in removing defamatory or negative content.  Our
organization has been in business for over three years and we have helped
hundreds of clients protect their business from complaints.

Frequently Asked Questions:

I heard that no one can remove content from websites.  How can you? It is
true, most websites will not work with any business directly.  However,
having worked with them before, we are able to negotiate the removal of
complaints in 90%+ of cases.  It depends on the type of complaint.

What is the process?
Each case is different.  How many complaints are there?  What types of
complaints are they (ie do they allege fraud, or just customer service
issues)?  What websites are the complaints posted on?  Do you know who
posted the complaint?  All of these questions can affect how we go about
solving your problem, and almost every problem has a solution.  With some
websites we have a previous relationship, and are able to quickly
negotiate the removal directly with the site.  In other cases, we help you
explore your legal options and connect you with our experienced lawyer.

Guarantees?
In some cases we do have a full guarantee to get the complaint removed,
and you will not pay unless we are successful. In other cases, if the
legal system needs to be used, we do not have a guarantee, but will
provide an overview of your options before you go forward.

Time frame?
In some cases the complaint can be removed within a week.  In other cases
it can take months.  It depends on the situation.

Cost?
Our minimum cost is $500, but it depends on the number of complaints and
the situation.  If the legal system is needed, in many cases it takes our
lawyer less than 5-10 hours of work.  Again, it depends on the situation,
and we will provide you with your options during our free assessment.

Why do I need you?
Most websites are not willing to talk to businesses directly, and they
claim that they will under no circumstance remove content.  With some of
these websites, we have relationships where they will work with us
privately.  Internet law and defamation is a unique area outside the
skill-set and experience of many law firms, and most lawyers have much
higher costs than our lawyer does.  Simply said, we have more experience,
key relationships, and can likely do this at a lower cost than other
competitors or lawyers you would hire.

Do you get compensation for your clients?
Most of our clients simply want the content removed, as quickly and cost
effectively as possible.  However, yes, our lawyers do defamation cases
and have successfully won defamation cases.

Does it matter if the complaint is true or false?
Not necessarily.

Does it matter if I know who did it?
No.  We can obtain this information in most cases.

How to contact us:

www.onlineprotection.us

CONFIDENTIAL EMAIL TRANSMISSION & WARNING:

This message contains confidential information and is intended only for
the individual named. It may also be privileged or otherwise protected by
work product immunity or other legal rules. If you are not the named
addressee you should not disseminate, distribute, copy this e-mail, or
disclose its contents to anyone. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete this e-mail
from your system. The recipient should check this email and any
attachments for the presence of viruses. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be intercepted,
corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
The sender does not accept liability for any errors or omissions in the
contents of this message, which arise as a result of e-mail transmission,
nor does the sender accept liability damage caused by any virus
transmitted by this email.

Please reply "remove" to this email if you would no longer like to receive
emails from our firm. We send emails for the sole purpose of letting
business owners and webmasters know that their business has a complaint
online on a negative media site.

"



Good grammar and BS skills, Scottie. In case you did not receive the response I never sent, use your imagination to put it together: it starts with an F and ends in an off.

I finally made it to the "complaint". It's about hellopeter.com, a website not related to ipduh whatsoever. WTF Scottie? ... lay off the crack pipe ...



A scam scam.com

usb sticks linux

Notes on formatting USB sticks on Linux.

Connect the USB stick and use the following command to figure out which /dev/sd* it is:
# dmesg |grep -i scsi -A 2


To list all USB devices
# lsusb


If you are not seeing the USB stick see if the usb_storage module is loaded
# lsmod |grep usb_storage 


If the usb_storage is not loaded, load it
# modprobe usb_storage


Usually a USB drive automounts; check with df, eg:
# df -h


If the USB stick is mounted, unmount it (what is mounted is normally a partition, eg /dev/sdc1, or the whole device if it was formatted without a partition table)
# umount /dev/sdc1


Partition the stick and format the partition with NTFS. Double-check the device name first; fdisk and mkfs ask no questions and a wrong /dev/sd* means a wiped disk.
# fdisk /dev/sdc
Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-30532, default 1): 
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-30532, default 30532): 30532

Command (m for help): t
Selected partition 1
Hex code (type L to list codes): 7
Changed system type of partition 1 to 7 (HPFS/NTFS)

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

# mkfs.ntfs -L 'stick' /dev/sdc1 -f -v -I
Cluster size has been automatically set to 4096 bytes.
Creating NTFS volume structures.
Creating root directory (mft record 5)
Creating $MFT (mft record 0)
Creating $MFTMirr (mft record 1)
Creating $LogFile (mft record 2)
Creating $AttrDef (mft record 4)
Creating $Bitmap (mft record 6)
Creating $Boot (mft record 7)
Creating backup boot sector.
Creating $Volume (mft record 3)
Creating $BadClus (mft record 8)
Creating $Secure (mft record 9)
Creating $UpCase (mft record 0xa)
Creating $Extend (mft record 11)
Creating system file (mft record 0xc)
Creating system file (mft record 0xd)
Creating system file (mft record 0xe)
Creating system file (mft record 0xf)
Creating $Quota (mft record 24)
Creating $ObjId (mft record 25)
Creating $Reparse (mft record 26)
Syncing root directory index record.
Syncing $Bitmap.
Syncing $MFT.
Updating $MFTMirr.
Syncing device.
mkntfs completed successfully. Have a nice day.


Format it with FAT32 on the whole device, without a partition table (-I allows formatting a whole disk device)
# mkdosfs -n 'stickaki' -F 32 -I /dev/sdc
stickaki is the label of the USB stick

You may want to format your USB stick with another file system; type mkfs. and hit tab to see what is available:
# mkfs.
mkfs.bfs      mkfs.cramfs   mkfs.ext2     mkfs.ext3     mkfs.ext4     mkfs.ext4dev  mkfs.minix    mkfs.msdos    mkfs.ntfs     mkfs.vfat


Mount the USB stick (the partition, /dev/sdc1, in the NTFS case; the whole device, /dev/sdc, in the FAT32 case)
# mkdir /mnt/blah
# mount /dev/sdc1 /mnt/blah
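An added example, not from the original post: a guard for the "wrong /dev/sd*" mistake mentioned above. It refuses to run mkdosfs unless the kernel reports the device as removable and nothing on it is mounted. The SYSFS and MOUNTS parameters, which default to /sys and /proc/mounts, exist so the checks can be exercised against a fake tree; they are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post: refuse to format anything that is
# not a removable, unmounted disk. Assumes Linux sysfs/procfs and dosfstools.

# is_removable_disk DEV [SYSFS]: 0 if /sys/block/DEV/removable reads 1
is_removable_disk() {
    dev="${1#/dev/}"; sys="${2:-/sys}"
    [ -r "$sys/block/$dev/removable" ] || return 1
    [ "$(cat "$sys/block/$dev/removable")" = "1" ]
}

# is_mounted DEV [MOUNTS]: 0 if the device or one of its partitions is mounted
is_mounted() {
    dev="${1#/dev/}"; mounts="${2:-/proc/mounts}"
    grep -q "^/dev/${dev}[0-9]* " "$mounts"
}

# usb_format_fat32 DEV LABEL [SYSFS] [MOUNTS]: run both checks, then mkdosfs
# on the whole device as in the post (-I), returning 1 if a check fails
usb_format_fat32() {
    if ! is_removable_disk "$1" "$3"; then
        echo "$1 is not a removable disk, refusing to format it" >&2
        return 1
    fi
    if is_mounted "$1" "$4"; then
        echo "$1 (or a partition on it) is mounted, unmount it first" >&2
        return 1
    fi
    mkdosfs -n "$2" -F 32 -I "$1"
}

# usage: usb_format_fat32 /dev/sdc stickaki
```

The removable flag comes from the device itself and a few USB enclosures report 0, so the guard errs on the side of refusing; when that happens, confirm the device with lsblk -d -o NAME,SIZE,TRAN,MODEL rather than removing the check.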




http://alog.ipduh.com/2013/02/usb-sticks-linux.html

debian linux containers

Notes on LXC linux containers on Debian Linux. Keep in mind that LXC of this era (0.8, no user namespaces) is not a security boundary: root inside a container is root against the host kernel, so treat it as convenient isolation, not as containment for untrusted code.

Install software
LXC - Userspace Interface for the Linux containment Features ( http://linuxcontainers.org/ )

bridge-utils - Software that connects Ethernet segments.

libvirt-bin - Library, API and shell that interacts with QEMU,KVM,LXC, and other "virtualization" technologies in Linux.

debootstrap - Shell Script that installs a Debian Base System into a directory of another system.

# apt-get update
# apt-get install lxc bridge-utils libvirt-bin debootstrap   


Set fstab to mount the control groups hierarchy on boot and mount it now (append with >>; a single > would replace the whole fstab)
# echo "cgroup  /sys/fs/cgroup  cgroup  defaults  0   0" >> /etc/fstab
# mount /sys/fs/cgroup


Check the LXC configuration
# lxc-checkconfig 
If everything is reported as enabled (green) you are good to go.

Networking

There a few different ways to network a container. An easy way to access the container through the network is to set up a bridge interface.

Example of a bridge interface stanza in /etc/network/interfaces

auto lo
iface lo inet loopback


auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
 address 10.21.241.2
 netmask 255.255.255.128
 network 10.21.241.0
 broadcast 10.21.241.127
 gateway 10.21.241.99
 bridge_ports eth0
        bridge_stp off          
        bridge_waitport 0      
        bridge_fd 0             
        bridge_hello 2         
Check that the stanza works
# /etc/init.d/networking restart
# brctl show
bridge name bridge id  STP enabled interfaces
br0  8000.525400225dbc no  eth0


LXC templates

LXC templates are shell scripts that create LXC containers. The debian wheezy template that ships with lxc 0.8.0-rc1 is broken (Debian bug #680469). The bug is marked fixed now but I have not tried it.

A debian wheezy template I stitched together with stuff I found in the internetz.
#!/bin/bash

#
# lxc: linux Container library

# Authors:
# Daniel Lezcano <daniel.lezcano@free.fr>

# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

# ==============================================================
# This is a slightly modified version by Rob van der Hoeven
# I use it for my FreedomBox project: http://freedomboxblog.nl
# ==============================================================
# modified by g0, http://ipduh.com/contact
# ==============================================================

configure_debian()
{
    rootfs=$1
    hostname=$2

    # squeeze only has /dev/tty and /dev/tty0 by default,
    # therefore creating missing device nodes for tty1-4.
    for tty in $(seq 1 4); do
    if [ ! -e $rootfs/dev/tty$tty ]; then
       mknod $rootfs/dev/tty$tty c 4 $tty
    fi
    done

    # configure the inittab
    cat <<EOF > $rootfs/etc/inittab
id:3:initdefault:
si::sysinit:/etc/init.d/rcS
l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin
1:2345:respawn:/sbin/getty 38400 console
c1:12345:respawn:/sbin/getty 38400 tty1 linux
c2:12345:respawn:/sbin/getty 38400 tty2 linux
c3:12345:respawn:/sbin/getty 38400 tty3 linux
c4:12345:respawn:/sbin/getty 38400 tty4 linux
EOF

    # disable selinux in debian
    mkdir -p $rootfs/selinux
    echo 0 > $rootfs/selinux/enforce

    # configure the network 
    cat <<EOF > $rootfs/etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 192.168.169.170
  network 192.168.169.0
  netmask 255.255.255.0
  broadcast 192.168.169.255
  gateway 192.168.169.169

EOF

    # set the hostname
    cat <<EOF > $rootfs/etc/hostname
$hostname
EOF

    # reconfigure some services
    if [ -z "$LANG" ]; then
 chroot $rootfs locale-gen en_US.UTF-8
 chroot $rootfs update-locale LANG=en_US.UTF-8
    else
 chroot $rootfs locale-gen $LANG
 chroot $rootfs update-locale LANG=$LANG
    fi

    # remove pointless services in a container
    chroot $rootfs /usr/sbin/update-rc.d -f umountfs remove
    chroot $rootfs /usr/sbin/update-rc.d -f hwclock.sh remove
    chroot $rootfs /usr/sbin/update-rc.d -f hwclockfirst.sh remove

    #echo "root:root" | chroot $rootfs chpasswd
    echo "root:debian" | chroot $rootfs chpasswd
    echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
    echo "Root password is 'debian', please change!"
    echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

    return 0
}

download_debian()
{
    packages=\
ifupdown,\
locales,\
libui-dialog-perl,\
dialog,\
netbase,\
net-tools,\
iproute,\
openssh-server,\
vim,\
apt-utils

    cache=$1
    arch=$2

    # check the mini debian was not already downloaded
    mkdir -p "$cache/partial-$arch"
    if [ $? -ne 0 ]; then
 echo "Failed to create '$cache/partial-$arch' directory"
 return 1
    fi

    # download a mini debian into a cache
    echo "Downloading debian minimal ..."
    debootstrap --verbose --variant=minbase --arch=$arch \
 --include $packages \
 wheezy $cache/partial-$arch http://ftp.debian.org/debian
    if [ $? -ne 0 ]; then
 echo "Failed to download the rootfs, aborting."
 return 1
    fi

    mv "$1/partial-$arch" "$1/rootfs-$arch"
    echo "Download complete."

    return 0
}

copy_debian()
{
    cache=$1
    arch=$2
    rootfs=$3

    # make a local copy of the minidebian
    echo -n "Copying rootfs to $rootfs..."
    cp -a $cache/rootfs-$arch $rootfs || return 1
    return 0
}

install_debian()
{
    cache="/var/cache/lxc/debian-wheezy-g0-01"
    rootfs=$1
    mkdir -p /var/lock/subsys/
    (
 flock -n -x 200
 if [ $? -ne 0 ]; then
     echo "Cache repository is busy."
     return 1
 fi

 arch=$(arch)
 if [ "$arch" == "x86_64" ]; then
     arch=amd64
 fi

 if [ "$arch" == "i686" ]; then
     arch=i386
 fi

 if [ "$arch" == "armv5tel" ]; then
     arch=armel
 fi

    if [ "$arch" == "armv7l" ]; then
        arch=armhf
    fi

 echo "Checking cache download in $cache/rootfs-$arch ... "
 if [ ! -e "$cache/rootfs-$arch" ]; then
     download_debian $cache $arch
     if [ $? -ne 0 ]; then
  echo "Failed to download 'debian base'"
  return 1
     fi
 fi

 copy_debian $cache $arch $rootfs
 if [ $? -ne 0 ]; then
     echo "Failed to copy rootfs"
     return 1
 fi

 return 0

 ) 200>/var/lock/subsys/lxc

    return $?
}

copy_configuration()
{
    path=$1
    rootfs=$2
    name=$3

    cat <<EOF >> $path/config
lxc.tty = 4
lxc.pts = 1024
lxc.rootfs = $rootfs
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm

# mounts point
lxc.mount.entry=proc $rootfs/proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry=devpts $rootfs/dev/pts devpts defaults 0 0
lxc.mount.entry=sysfs $rootfs/sys sysfs defaults  0 0

# networking

lxc.utsname = $name
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.ipv4 = 0.0.0.0/24
lxc.network.hwaddr = 00:1E:$(hex):$(hex):$(hex):$(hex)
EOF

    if [ $? -ne 0 ]; then
 echo "Failed to add configuration"
 return 1
    fi

    return 0
}

# nice trick from: http://mindref.blogspot.com/2011/01/debian-lxc-create.html
hex() 
{
    echo "`tr -dc A-F0-9 < /dev/urandom | head -c 2 | xargs`"
}
    
clean()
{
    cache="/var/cache/lxc/debian-wheezy-g0-01"

    if [ ! -e $cache ]; then
 exit 0
    fi

    # lock, so we won't purge while someone is creating a repository
    (
 flock -n -x 200
 if [ $? != 0 ]; then
     echo "Cache repository is busy."
     exit 1
 fi

 echo -n "Purging the download cache..."
 rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
 exit 0

    ) 200>/var/lock/subsys/lxc
}

usage()
{
    cat <<EOF
$1 -h|--help -p|--path=<path> --clean
EOF
    return 0
}

options=$(getopt -o hp:n:c -l help,path:,name:,clean -- "$@")
if [ $? -ne 0 ]; then
        usage $(basename $0)
 exit 1
fi
eval set -- "$options"

while true
do
    case "$1" in
        -h|--help)      usage $0 && exit 0;;
        -p|--path)      path=$2; shift 2;;
 -n|--name)      name=$2; shift 2;;
 -c|--clean)     clean=$2; shift 2;;
        --)             shift 1; break ;;
        *)              break ;;
    esac
done

if [ ! -z "$clean" -a -z "$path" ]; then
    clean || exit 1
    exit 0
fi

type debootstrap
if [ $? -ne 0 ]; then
    echo "'debootstrap' command is missing"
    echo "attempting to install debootstrap"
    apt-get install debootstrap
    exit 1
fi

if [ -z "$path" ]; then
    echo "'path' parameter is required"
    exit 1
fi

if [ "$(id -u)" != "0" ]; then
    echo "This script should be run as 'root'"
    exit 1
fi

rootfs=$path/rootfs

install_debian $rootfs
if [ $? -ne 0 ]; then
    echo "failed to install debian"
    exit 1
fi

configure_debian $rootfs $name
if [ $? -ne 0 ]; then
    echo "failed to configure debian for a container"
    exit 1
fi

copy_configuration $path $rootfs $name
if [ $? -ne 0 ]; then
    echo "failed write configuration file"
    exit 1
fi

if [ ! -z $clean ]; then
    clean || exit 1
    exit 0
fi






     


Get my wheezy template and create a container
# wget kod.ipduh.com/lib/lxc-debian-wheezy-g0-01 
# chmod 744 lxc-debian-wheezy-g0-01 
# mv lxc-debian-wheezy-g0-01 /usr/share/lxc/templates/
# lxc-create -n w01 -t debian-wheezy-g0-01
...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Root password is 'debian', please change!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
'debian-wheezy-g0-01' template installed
'w01' created
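Once lxc-create has written the container's config, it is worth checking that it still says what copy_configuration above intends: devices denied by default, only the listed character devices granted, /proc mounted nodev,noexec,nosuid and a MAC in the form hex() generates. The check below is an added example, not part of the page or of lxc; the config path is assumed to be something like /var/lib/lxc/w01/config and the sample config is constructed.

```shell
#!/bin/sh
# Audit a container config of the shape copy_configuration writes.
# Returns 1 with a reason on stderr when the default device deny is missing,
# a device outside the template's list is granted, /proc lacks
# nodev,noexec,nosuid, or the veth MAC is not of the 00:1E:XX:XX:XX:XX form.
check_lxc_config() {
    cfg=$1
    # device grants copied from the template's heredoc; anything else is unexpected
    allowed='c 1:3 rwm|c 1:5 rwm|c 5:1 rwm|c 5:0 rwm|c 4:0 rwm|c 4:1 rwm'
    allowed="$allowed|c 1:9 rwm|c 1:8 rwm|c 136:\\* rwm|c 5:2 rwm|c 254:0 rwm"
    grep -qE '^lxc\.cgroup\.devices\.deny *= *a *$' "$cfg" \
        || { echo "$cfg: missing 'lxc.cgroup.devices.deny = a'" >&2; return 1; }
    # strip the keyword, keep only allow values that are not on the list
    extra=$(sed -n 's/^lxc\.cgroup\.devices\.allow *= *//p' "$cfg" \
            | grep -vE "^($allowed) *$" || true)
    [ -z "$extra" ] \
        || { echo "$cfg: unexpected device grant: $extra" >&2; return 1; }
    grep -qE '^lxc\.mount\.entry *= *proc .* proc nodev,noexec,nosuid' "$cfg" \
        || { echo "$cfg: /proc mounted without nodev,noexec,nosuid" >&2; return 1; }
    grep -qE '^lxc\.network\.hwaddr *= *00:1E(:[0-9A-F]{2}){4} *$' "$cfg" \
        || { echo "$cfg: hwaddr is not in 00:1E:XX:XX:XX:XX form" >&2; return 1; }
    return 0
}

# constructed sample (not a real container): a subset of what the template emits
sample_config() {
    cat <<'EOF'
lxc.rootfs = /var/lib/lxc/w01/rootfs
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 254:0 rwm
lxc.mount.entry=proc /var/lib/lxc/w01/rootfs/proc proc nodev,noexec,nosuid 0 0
lxc.utsname = w01
lxc.network.type = veth
lxc.network.link = br0
lxc.network.hwaddr = 00:1E:A7:3F:0C:9B
EOF
}

# demo: the sample passes; a block-device grant added by hand makes it fail
tmp=$(mktemp)
sample_config > "$tmp"
check_lxc_config "$tmp" && echo "$tmp: OK"
echo 'lxc.cgroup.devices.allow = b 8:* rwm' >> "$tmp"
check_lxc_config "$tmp" || echo "$tmp: rejected as expected"
rm -f "$tmp"
```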



To adjust the container network
# vi /var/lib/lxc/w01/rootfs/etc/network/interfaces


Start the container
# lxc-start -n w01


You should get a console to the container
Debian GNU/Linux 7 w01 console

w01 login: 



You may start a container in the background
# lxc-start -n w01 -d
and attach to its console later, ideally from inside a screen session.
# lxc-console -n w02


If you used the 'template' above and want to reach the container from the network, you need to be on the 192.168.169.0/24 LAN or add 192.168.169.169/24 as an alias on the host's br0 interface.
root@lxchost# ifconfig br0:1 192.168.169.169 netmask 255.255.255.0
root@lxchost# ping 192.168.169.170
PING 192.168.169.170 (192.168.169.170) 56(84) bytes of data.
64 bytes from 192.168.169.170: icmp_req=1 ttl=64 time=1.11 ms
64 bytes from 192.168.169.170: icmp_req=2 ttl=64 time=0.067 ms
^C
--- 192.168.169.170 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms


You may access the container through the LAN or the LXC host virtual ethernet
root@lxchost# ssh root@192.168.169.170
The authenticity of host '192.168.169.170 (192.168.169.170)' can't be established.
ECDSA key fingerprint is a3:b9:e5:81:d7:26:d8:7e:95:0e:37:95:8c:77:16:0f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.169.170' (ECDSA) to the list of known hosts.
root@192.168.169.170's password: 
Linux w02 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Nov  1 12:13:23 2013
root@w01:~# 
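
The template installs openssh-server and sets root's password to 'debian', so the container accepts password logins for root on the network from its first start. One way to close that, before the first lxc-start, is to rewrite the container's sshd_config from the host and install a key. This is an added example, not from the page or the lxc project; it assumes the rootfs path used above (/var/lib/lxc/w01/rootfs), wheezy's OpenSSH (which accepts "without-password"), and a placeholder public key.

```shell
#!/bin/sh
# Switch a not-yet-started container's sshd to key-only root login so the
# fixed 'debian' password cannot be used over the network (it still works on
# lxc-console). Operates on the rootfs path from the host, no chroot needed.
harden_container_ssh() {
    rootfs=$1
    pubkey=$2    # one public key line to place in root's authorized_keys
    conf=$rootfs/etc/ssh/sshd_config
    [ -f "$conf" ] || { echo "$conf: not found, is openssh-server in the rootfs?" >&2; return 1; }
    # sshd honours the first occurrence of a keyword, so remove every existing
    # (possibly commented) line for these three before appending ours
    sed -i -E '/^[[:space:]]*#?[[:space:]]*(PermitRootLogin|PasswordAuthentication|ChallengeResponseAuthentication)[[:space:]]/d' "$conf"
    printf '%s\n' 'PermitRootLogin without-password' \
                  'PasswordAuthentication no' \
                  'ChallengeResponseAuthentication no' >> "$conf"
    # authorized_keys with the modes sshd's StrictModes insists on
    mkdir -p "$rootfs/root/.ssh"
    chmod 700 "$rootfs/root/.ssh"
    printf '%s\n' "$pubkey" >> "$rootfs/root/.ssh/authorized_keys"
    chmod 600 "$rootfs/root/.ssh/authorized_keys"
}

# effective value of one keyword in the container's sshd_config (first match wins)
sshd_setting() {
    awk -v k="$2" '$1 == k && !done { print $2; done = 1 }' "$1/etc/ssh/sshd_config"
}

# demo on a constructed rootfs skeleton; the key is a placeholder, not a real key
demo=$(mktemp -d)
mkdir -p "$demo/etc/ssh"
printf '#PermitRootLogin yes\nPasswordAuthentication yes\n' > "$demo/etc/ssh/sshd_config"
harden_container_ssh "$demo" 'ssh-ed25519 PLACEHOLDER_PUBLIC_KEY root@lxchost'
echo "PermitRootLogin is now: $(sshd_setting "$demo" PermitRootLogin)"
rm -rf "$demo"
```

Run it against /var/lib/lxc/w01/rootfs before the first lxc-start, then change the console password from lxc-console as the template asks.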



See the status of a container
# lxc-info -n w01
state:   RUNNING
pid:     18109



Shutdown a container
# lxc-halt -n w01
telinit: timeout opening/writing control channel /run/initctl
You may need to console or ssh into the container, halt it from inside, and then stop it from the host
root@lxchost# lxc-console -n w01
root@w01:~# shutdown -h now
root@lxchost# lxc-stop -n w01
root@lxchost# lxc-info -n w02
state:   STOPPED
pid:        -1



Start container(s) automatically when the host boots
# ln -s /var/lib/lxc/w01/config /etc/lxc/auto/w01
where w01 is the container name



http://alog.ipduh.com/2011/09/screen-basics.html