MySQL add age column

I found a few weird stuff on the databases I have been working with lately.

one of the weird things: signed integer types used for age columns ...
I am not going to argue with it ... I will just laugh, and I am sure that a few friends reading this blog will laugh with it as well.


So, what type would I use for a human age column on a MySQL DB?
Hmm, UNSIGNED TINYINT --a Byte ...
I don't see any human making it to over 255 years old in the next 50 years --I hope I am wrong on this

Adding an age field.
mysql> ALTER TABLE ppl ADD age TINYINT UNSIGNED;
Query OK, 34292 rows affected (1.08 sec)
Records: 34292  Duplicates: 0  Warnings: 0


The statement above should add a TINYINT(3) by default, where 3 is the display width (the maximum number of digits shown) --I think

You can control the position of the `new` column within the table with AFTER, eg:
mysql> ALTER TABLE ppl ADD age TINYINT UNSIGNED AFTER lastname;


On second thought, if I was designing the DBs I would prefer not to use an age column at all and use a birth date instead, then produce the age for the reports that need it with a MySQL date arithmetic function, and replace "older than" logic with "was born before" logic where appropriate.






MySQL -- greek letters instead of question marks

I think that a good collation for utf8 Greek character fields on MySQL is ' utf8_unicode_ci ', and charset utf8mb4 if you plan to accommodate all languages ..

To get rid of question marks ... you may enter the following commands
mysql> SET NAMES 'utf8'; SET CHARACTER SET 'utf8';
before entering data into or querying the Greek DB you did not put together, provided they did use utf8.

If you are still getting question marks all over the place, they used another charset. If you get question marks or things that do not make sense every so often, it may be that data was added with different charsets.






Tunnels to the IPv6 Internet - 6in4

Unfortunately there are still networks with no native connectivity to the IPv6 Internet.
6in4 tunnels (IP protocol 41) are a good way to connect to the IPv6 Internet.

You may set up a 6in4 (IP protocol 41) tunnel with someone who has IPv6 connectivity and is willing to give you a bit more than twice your IPv6 traffic in bandwidth, or use a 6in4 provider.

I have been using 6in4 tunnels from HE ( tunnelbroker.net ) and SixXS ( sixxs.net ) for ~two years and according to my monitor, they have an excellent uptime --much better than some ADSL based connections to the IPv4 Internet.

HE offers tunnels to the IPv6 Internet with static endpoints only.
SixXS offers both tunnels with static endpoints and tunnels to clients using a Dynamic IPv4 address.
Both Providers provide the tunnels to the IPv6 Internet free of charge.

I recommend 6in4 tunnels from SixXS and HE to anyone --stuck in an IPv4-only network-- looking for an easy way to make their services available over IPv6 or just connect to the IPv6 Internet.

Yes!, you could provide services to the IPv6 Internet using "your" IPv6 static space routed to you through a tunnel to your dynamic IPv4 address (Look for: SixXS 6in4 heartbeat IP 41 tunnels & SixXS AYIYA tunnels ).

However, these notes are for tunnels with static IPv4 endpoints.

If you use one of the providers above for your 6in4 tunnel, open an account and then use ping to figure out which tunnel server (Point of Presence) to choose. They have many PoPs spread around the world, and Internet distance does not always track geographical distance.

IPv4 Firewall

Punch a hole in your IPv4 firewall to allow IP protocol 41 from the tunnel server only:
# iptables -I INPUT -p ipv6 -s 203.0.113.114/32 -j ACCEPT
where 203.0.113.114 is the other side of your tunnel --your tunnel server.
# iptables -L -n |grep 41
ACCEPT     41   --   203.0.113.114       0.0.0.0/0


Tunnel Interface

A simple script that sets up the tunnel interface:
#!/bin/bash
#ipv6-tunnel.sh g0 2011-2013
# Brings up a 6in4 (sit) tunnel interface; change the addresses below to match your tunnel.

HERE='198.51.100.100'              # your IPv4 address (local tunnel endpoint)
THERE='203.0.113.114'              # the tunnel server IPv4 address (remote endpoint)
MYIP6='2001:470:1f0a:35d::2/64'    # your side of the tunnel /64
TUIP6='2001:470:1f0a:35d::1/64'    # the tunnel server side of the tunnel /64
TUNAME='he-ipv6-0'
# additional addresses to put on the tunnel interface; set to "" for none
MYOIP6="2001:470:1f0a:35d::3/64 2001:470:1f0a:35d::da/64"

#$IP6_DEF_ROUTE='::/0'
IP6_DEF_ROUTE='2000::/3'           # global unicast only; use ::/0 to route everything
TTL=255 #sixxs suggests 64 
MTU=1280

ip tunnel add ${TUNAME} mode sit remote ${THERE} local ${HERE} ttl ${TTL}
ip link set ${TUNAME} up
ip link set mtu ${MTU} dev ${TUNAME}

ip addr add ${MYIP6} dev ${TUNAME}

if [ -n "${MYOIP6}" ] ; then
    for IP6 in ${MYOIP6}; do
        ip addr add ${IP6} dev ${TUNAME}
    done
fi

route -A inet6 add ${IP6_DEF_ROUTE} dev ${TUNAME}






where 198.51.100.100 is your IPv4 address, 203.0.113.114 is the tunnel server IPv4 address, 2001:470:1f0a:35d::2/64 is your tunnel IPv6 address, etc.

You need to change at least HERE , THERE , MYIP6 , TUIP6 , and MYOIP6 in the ipv6-tunnel.sh script. If you want to set only one IPv6 address on the tunnel interface set MYOIP6 to "" or comment it out.

To get ipv6-tunnel.sh
# wget kod.ipduh.com/lib/ipv6-tunnel.sh


You may put the tunnel interface stanza in /etc/network/interfaces in Debian based Systems or the equivalent network interfaces configuration file in other Linux distributions. However, I like to put the ipv6-tunnel.sh in /etc/network/if-up.d which for IP 41 tunnels is effectively the same.

To bring up the tunnel interface you may run the ipv6-tunnel script
# /etc/network/if-up.d/ipv6-tunnel.sh
or restart networking
# /etc/init.d/networking restart
Running /etc/init.d/networking restart is deprecated because it may not enable again some interfaces ... (warning).
...
done.
You may get some warnings but you should be just fine ignoring them.

Once up, you should see the tunnel interface and your IPv6 address(es) with ifconfig
he-ipv6-0 Link encap:IPv6-in-IPv4  
          inet6 addr: 2001:470:1f0a:35d::2/64 Scope:Global
          inet6 addr: 2001:470:1f0a:35d::3/64 Scope:Global
          inet6 addr: 2001:470:1f0a:35d::da/64 Scope:Global
          inet6 addr: fe80::5e46:889b/128 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1280  Metric:1
          RX packets:63 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:6408 (6.2 KiB)  TX bytes:6080 (5.9 KiB)



OK, ping the other side of the tunnel
# ping6 2001:470:1f0a:35d::1
PING 2001:470:1f0a:35d::1(2001:470:1f0a:35d::1) 56 data bytes
64 bytes from 2001:470:1f0a:35d::1: icmp_seq=1 ttl=64 time=175 ms
64 bytes from 2001:470:1f0a:35d::1: icmp_seq=2 ttl=64 time=227 ms
64 bytes from 2001:470:1f0a:35d::1: icmp_seq=5 ttl=64 time=114 ms
^C
ping an Internet IPv6 address
# ping6 ipduh.com
PING ipduh.com(2001:470:1f0a:2e2:da::) 56 data bytes
64 bytes from 2001:470:1f0a:2e2:da::: icmp_seq=1 ttl=63 time=74.7 ms
64 bytes from 2001:470:1f0a:2e2:da::: icmp_seq=2 ttl=63 time=271 ms
^C


To view the IPv6 routing table
# route -6 -n


To put down the tunnel interface
# ip link set he-ipv6-0 down
where he-ipv6-0 is the name of the interface.

IPv6 Firewall

Put the following one-liner in /etc/network/if-pre-up.d/ip6fwinit to load the IPv6 firewall rules at the right time.
# cat  /etc/network/if-pre-up.d/ip6fwinit
#!/bin/sh
/sbin/ip6tables-restore < /etc/rules.ip6tables



A simple IPv6 firewall script, ipv6fw.sh
#!/bin/bash
#ipv6fw.sh , g0 2013 , alog.ipduh.com
#stupid-simple bif.sh style ipv6 firewall 
#using stuff mostly stolen from: 
#http://www.sixxs.net/wiki/IPv6_Firewalling



##change these:
TUNIF='he-ipv6-0' 
BR='br0'
SSHD_HOST='2001:470:1f0a:35d::3'
NAMED_HOST='2001:470:1f0a:35d::3'
HTTPD_HOST='2001:470:1f0a:35d::da'
MAILD_HOST='2001:470:1f0a:35d::da'
MY48='2001:470:7134::/48'
##

IP6TABLES='/sbin/ip6tables'
IP6TABLES_SAVE='/sbin/ip6tables-save'
IP6TABLES_RULES='/etc/rules.ip6tables'

# First, delete all:
${IP6TABLES} -F
${IP6TABLES} -X

# Allow anything on the local link
${IP6TABLES} -A INPUT  -i lo -j ACCEPT
${IP6TABLES} -A OUTPUT -o lo -j ACCEPT

# Allow anything out on the internet
${IP6TABLES} -A OUTPUT -o ${TUNIF} -j ACCEPT
# Allow established, related packets back in
${IP6TABLES} -A INPUT  -i ${TUNIF} -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the localnet access us:
${IP6TABLES} -A INPUT    -i ${BR} -j ACCEPT
${IP6TABLES} -A OUTPUT   -o ${BR} -j ACCEPT

# Filter all packets that have RH0 headers:
${IP6TABLES} -A INPUT -m rt --rt-type 0 -j DROP
${IP6TABLES} -A FORWARD -m rt --rt-type 0 -j DROP
${IP6TABLES} -A OUTPUT -m rt --rt-type 0 -j DROP

# Allow Link-Local addresses
${IP6TABLES} -A INPUT -s fe80::/10 -j ACCEPT
${IP6TABLES} -A OUTPUT -s fe80::/10 -j ACCEPT

# Allow multicast
${IP6TABLES} -A INPUT -d ff00::/8 -j ACCEPT
${IP6TABLES} -A OUTPUT -d ff00::/8 -j ACCEPT

# Allow ICMPv6 everywhere
${IP6TABLES} -I INPUT  -p icmpv6 -j ACCEPT
${IP6TABLES} -I OUTPUT -p icmpv6 -j ACCEPT
${IP6TABLES} -I FORWARD -p icmpv6 -j ACCEPT

# Allow forwarding
${IP6TABLES} -A FORWARD -m state --state NEW -i ${BR} -o ${TUNIF} -s ${MY48} -j ACCEPT
${IP6TABLES} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH in
${IP6TABLES} -A FORWARD -i ${TUNIF} -p tcp -d ${SSHD_HOST} --dport 22 -j ACCEPT

# HTTP in https , http
${IP6TABLES} -A FORWARD -i ${TUNIF} -p tcp -d ${HTTPD_HOST} --dport 80 -j ACCEPT
${IP6TABLES} -A FORWARD -i ${TUNIF} -p tcp -d ${HTTPD_HOST} --dport 443 -j ACCEPT

# NAMED in
${IP6TABLES} -A FORWARD -i ${TUNIF} -p tcp -d ${NAMED_HOST} --dport 53 -j ACCEPT
${IP6TABLES} -A FORWARD -i ${TUNIF} -p udp -d ${NAMED_HOST} --dport 53 -j ACCEPT

# MAIL smtp , imap over ssl
${IP6TABLES} -A FORWARD -i ${TUNIF} -p tcp -d ${MAILD_HOST} --dport 25 -j ACCEPT
${IP6TABLES} -A FORWARD -i ${TUNIF} -p tcp -d ${MAILD_HOST} --dport 993 -j ACCEPT

# Set the default policy
${IP6TABLES} -P INPUT   DROP
${IP6TABLES} -P FORWARD DROP
${IP6TABLES} -P OUTPUT  DROP

# save
${IP6TABLES_SAVE} > ${IP6TABLES_RULES}



You may use wget to get ipv6fw.sh
# wget kod.ipduh.com/lib/ipv6fw.sh


Make the appropriate changes. The variable names between ##change these and ## are self-explanatory. BR may be any LAN interface, not necessarily a bridge. Note that the per-service ACCEPT rules live in the FORWARD chain, so they only admit traffic to hosts behind the router; a daemon listening on an address of the tunnel host itself (such as the ::3 and ::da addresses set on the tunnel interface above) is governed by the INPUT chain, whose default policy is DROP, and needs a matching INPUT rule.

Apply the ipv6fw.sh rules
# /etc/ipv6fw.sh


/etc/ipv6fw.sh applies the ip6tables rules and saves them to /etc/rules.ip6tables.
/etc/network/if-pre-up.d/ip6fwinit restores the ip6tables rules from /etc/rules.ip6tables just before the network interfaces come up.

ip6.arpa. aka `reverse IPv6` zones

You can delegate the `reverse` zones of the IPv6 space routed to your tunnel to your name servers.
If you got a tunnel from SixXS or HE you can do it through their web control panel.

Test the delegation and set up the ip6.arpa. zone for 2001:470:1f0b:35d::/64
# cat db.d.5.3.0.b.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
$TTL 1h 
@ IN SOA nse.ipduh.com. systems.ipduh.com. (
 2 ; serial
 1h ; slave refresh interval
 15m ; slave retry interval
 1w ; slave copy expire time
 1h ; NXDOMAIN cache time
 )

@ IN  NS nse.ipduh.com.
@ IN  NS nsd.ipduh.com.
@ IN  NS nsa.ipduh.com.

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.5.3.0.b.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa.  IN PTR he-6in4-tunnel.bob.ipduh.com. 
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.5.3.0.b.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa.  IN PTR gw-bob.he.ipduh.com. 
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.3.0.8.0.0.f.f.8.4.6.0.1.0.0.2.ip6.arpa.  IN PTR gw-he.bob.ipduh.com.
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.3.0.8.0.0.f.f.8.4.6.0.1.0.0.2.ip6.arpa.  IN PTR 3.bob.ipduh.com.
a.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.3.0.8.0.0.f.f.8.4.6.0.1.0.0.2.ip6.arpa.  IN PTR da.bob.ipduh.com.



The ip6.arpa zone for 2001:470:7134::/48
# cat db.4.3.1.7.0.7.4.0.1.0.0.2.ip6.arpa 
$TTL 1h 
@ IN SOA nse.ipduh.com. systems.ipduh.com. (
 1 ; serial
 1h ; slave refresh interval
 15m ; slave retry interval
 1w ; slave copy expire time
 1h ; NXDOMAIN cache time
 )

@ IN  NS nse.ipduh.com.
@ IN  NS nsd.ipduh.com.
@ IN  NS nsa.ipduh.com.

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.3.1.7.0.7.4.0.1.0.0.2.ip6.arpa.  IN PTR he-6in4-48.bob.ipduh.com. 
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.e.2.0.b.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa.  IN PTR gw.bob.ipduh.com. 
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.e.2.0.b.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa.  IN PTR yet-another-ipv6-host.bob.ipduh.com.



Test DNS:
dns trace 2001:470:1f0b:35d::1
dns trace 2001:470:7134::2
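The ip6.arpa names in the two zone files above are the address nibbles written back to front, which is easy to get wrong by hand. The helper below is an added example, not the author's script (the function names are mine); it expands an IPv6 address and produces the PTR owner name for a host or the zone name for a prefix, so the names above can be regenerated and checked.

```shell
#!/bin/sh
# ip6arpa.sh: build ip6.arpa names from IPv6 addresses and prefixes.
# POSIX sh + awk only; added example, not part of the original post.

# expand_ipv6 ADDR -> the address as 32 lowercase hex nibbles, no colons
expand_ipv6() {
    printf '%s\n' "$1" | awk -F: '{
        n = 0                                   # groups actually written out
        for (i = 1; i <= NF; i++) if ($i != "") n++
        out = ""; gap = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "") {                     # "::" stands for the missing zero groups
                if (gap) continue
                gap = 1
                for (j = 0; j < 8 - n; j++) out = out "0000"
            } else {
                g = $i
                while (length(g) < 4) g = "0" g # left-pad each group to 4 nibbles
                out = out g
            }
        }
        print tolower(out)
    }'
}

# reverse_nibbles NIBBLES COUNT -> the first COUNT nibbles reversed, dot
# separated, followed by "ip6.arpa."
reverse_nibbles() {
    printf '%s\n' "$1" | awk -v n="$2" '{
        s = ""
        for (i = n; i >= 1; i--) s = s substr($0, i, 1) "."
        print s "ip6.arpa."
    }'
}

# ip6_arpa ADDR -> PTR owner name of a host address (all 32 nibbles)
ip6_arpa() {
    reverse_nibbles "$(expand_ipv6 "$1")" 32
}

# ip6_arpa_zone PREFIX/LEN -> reverse zone name; LEN must be a multiple of 4
ip6_arpa_zone() {
    addr=${1%/*}
    len=${1#*/}
    reverse_nibbles "$(expand_ipv6 "$addr")" $((len / 4))
}

# ptr_record ADDR FQDN -> one zone-file line; FQDN must end with a dot
ptr_record() {
    printf '%s  IN PTR %s\n' "$(ip6_arpa "$1")" "$2"
}

# usage: ip6arpa.sh ADDR [ADDR...] prints the PTR owner name of each address
if [ $# -ge 1 ]; then
    for a in "$@"; do ip6_arpa "$a"; done
fi
```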


Optimal MTU

The minimum MTU for IPv6 is 1280B and the maximum MTU for IP 41 tunnels is 1480B. If an upstream router or the tunnel server uses a smaller MTU than yours, your IPv6 connectivity may be partially broken. You can figure out the best MTU across a path (path MTU discovery) using ping6.

excerpt from the ping6 man page:
 -M hint
      Select Path MTU Discovery strategy. hint may be either do (prohibit fragmentation, even local one), want (do PMTU discovery, fragment locally when packet size is large), or dont (do not set DF flag).

eg:
#ping6 -s 1432 -M do ipduh.com -c 1
PING ipduh.com(2001:470:1f0a:2e2:da::) 1432 data bytes
From cl-60.ath-01.gr.sixxs.net icmp_seq=1 Packet too big: mtu=1280

--- ipduh.com ping statistics ---
0 packets transmitted, 0 received, +1 errors
#ping6 -s 1432 -M want ipduh.com -c 1
PING ipduh.com(2001:470:1f0a:2e2:da::) 1432 data bytes
1468 bytes from 2001:470:1f0a:2e2:da::: icmp_seq=1 ttl=53 time=73.9 ms

--- ipduh.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 73.991/73.991/73.991/0.000 ms


To set the MTU you could use ifconfig
# ifconfig ipv6-iface mtu 1480
or the iproute2 tools
# ip link set ipv6-iface mtu 1480


However, the minimum MTU --1280B-- should work always.
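The -M do probe above can be turned into a search for the largest size that gets through. The script below is an added example, not from the post; it assumes iputils ping6 with the -M, -s, -c and -W options and the 6in4 limits stated above (1280 to 1480 bytes). A result of 0 usually means the ICMPv6 "Packet too big" messages are being filtered somewhere on the path, which is what to check before touching the MTU.

```shell
#!/bin/bash
# pmtu6.sh: find the largest IPv6 payload that crosses the path without
# fragmentation (ping6 -M do) and derive the path MTU from it.
# Added example; assumes iputils ping6 (-M do, -s, -c, -W).

# payload_for_mtu MTU -> echo data size that fills a packet of MTU bytes
# (40-byte IPv6 header + 8-byte ICMPv6 header)
payload_for_mtu() { echo $(( $1 - 48 )); }

# mtu_for_payload SIZE -> the inverse of payload_for_mtu
mtu_for_payload() { echo $(( $1 + 48 )); }

# probe_ping6 SIZE HOST -> success if one DF-flagged ping of SIZE data bytes
# gets a reply; a "Packet too big" answer makes ping6 exit non-zero
probe_ping6() {
    ping6 -c 1 -W 3 -M do -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload HOST LO HI [PROBE]
# binary search for the largest payload in [LO, HI] that PROBE accepts;
# PROBE is a function taking (SIZE HOST) and defaults to probe_ping6
find_max_payload() {
    local host=$1 lo=$2 hi=$3 probe=${4:-probe_ping6}
    local best=0 mid
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then
            best=$mid; lo=$(( mid + 1 ))   # fits: try something bigger
        else
            hi=$(( mid - 1 ))              # too big: shrink
        fi
    done
    echo "$best"
}

# path_mtu HOST [PROBE] -> MTU between the 1280-byte IPv6 minimum and the
# 1480-byte 6in4 maximum, or 0 if not even the minimum gets through
# (a 0 normally means ICMPv6 is filtered somewhere, so PMTU discovery is broken)
path_mtu() {
    local best
    best=$(find_max_payload "$1" "$(payload_for_mtu 1280)" "$(payload_for_mtu 1480)" "${2:-probe_ping6}")
    if [ "$best" -eq 0 ]; then echo 0; else mtu_for_payload "$best"; fi
}

# usage: pmtu6.sh HOST
if [ $# -ge 1 ]; then
    echo "path MTU to $1: $(path_mtu "$1")"
fi
```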

Well, if you just want to make some services available to the IPv6 Internet from one host you are done with IPv6 and you can start setting up your daemons.

Routing to other Hosts

Add net.ipv6.conf.all.forwarding=1 in /etc/sysctl.conf and enable ipv6 forwarding right now
# echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf
# sysctl -p
# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
Comment out
${IP6TABLES} -P FORWARD DROP 
in /etc/ipv6fw.sh
Reset the IPv6 Firewall
# /etc/ipv6fw.sh


Set the LAN IPv6 Gateway in a /64 within the routed /48
HE routes 2001:470:7134::/48 to my tunnel.
I will use 2001:470:7134::/64 for my LAN and set the gateway to 2001:470:7134::1.

Set up the LAN Gateway
# ip -6 addr add 2001:470:7134::1/64 dev br0
I am using a bridged interface, it could be any interface connected to the LAN.

On another host in the LAN
# ip -6 addr add 2001:470:7134::2/64 dev eth0
# ip -6 route add default via 2001:470:7134::1


Test:
# ping6 2001:470:7134::1 -c 1
PING 2001:470:7134::1(2001:470:7134::1) 56 data bytes
64 bytes from 2001:470:7134::1: icmp_seq=1 ttl=64 time=0.253 ms

--- 2001:470:7134::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.253/0.253/0.253/0.000 ms
# ping6 ipduh.com -c 1
PING ipduh.com(2001:470:1f0a:2e2:da::) 56 data bytes
64 bytes from 2001:470:1f0a:2e2:da::: icmp_seq=1 ttl=62 time=59.2 ms

--- ipduh.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 59.241/59.241/59.241/0.000 ms



You may use IPv6 router advertisements to give IPv6 addresses and routes to hosts in your LAN. The daemon doing that is called radvd. Router Advertisements are a great idea, however, I do not see any use for them on my setups.

The problem I had so far with radvd breaks down to this:
Almost everything is IPv6 ready and will get an IPv6 address, but most sites still do not have native IPv6 connectivity and connect to the IPv6 Internet through a tunnel, making almost everything with an AAAA record slower.
Therefore, I prefer giving static IPv6 addresses and routes to the hosts that need them.

Here is a low-effort attempt to quantify the latency penalty of tunnelled IPv6 (tunnelled client to tunnelled content). Quantifying the router load and bandwidth penalties of tunnels to the IPv6 Internet is simple arithmetic.

Compare latency: an IP 41 IPv6 SixXS tunnel to a PoP in grnet
from an IPv4 Endpoint in 6799
IPv4:
$ ping -c6 ipduh.com -n
PING ipduh.com (85.25.242.245) 56(84) bytes of data.
64 bytes from 85.25.242.245: icmp_seq=1 ttl=49 time=50.1 ms
64 bytes from 85.25.242.245: icmp_seq=2 ttl=49 time=51.0 ms
64 bytes from 85.25.242.245: icmp_seq=3 ttl=49 time=51.4 ms
64 bytes from 85.25.242.245: icmp_seq=4 ttl=49 time=51.1 ms
64 bytes from 85.25.242.245: icmp_seq=5 ttl=49 time=50.3 ms
64 bytes from 85.25.242.245: icmp_seq=6 ttl=49 time=50.8 ms

--- ipduh.com ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5005ms
rtt min/avg/max/mdev = 50.188/50.830/51.497/0.503 ms
Tunnel-Tunnel IPv6:
$ ping6 -c6 ipduh.com -n
PING ipduh.com(2001:470:1f0a:2e2:da::) 56 data bytes
64 bytes from 2001:470:1f0a:2e2:da::: icmp_seq=1 ttl=53 time=57.8 ms
64 bytes from 2001:470:1f0a:2e2:da::: icmp_seq=2 ttl=53 time=67.5 ms
64 bytes from 2001:470:1f0a:2e2:da::: icmp_seq=3 ttl=53 time=60.6 ms
64 bytes from 2001:470:1f0a:2e2:da::: icmp_seq=4 ttl=53 time=57.3 ms
64 bytes from 2001:470:1f0a:2e2:da::: icmp_seq=5 ttl=53 time=56.5 ms
64 bytes from 2001:470:1f0a:2e2:da::: icmp_seq=6 ttl=53 time=60.1 ms

--- ipduh.com ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5008ms
rtt min/avg/max/mdev = 56.581/60.013/67.582/3.684 ms



Compare latency: an IP 41 IPv6 HE tunnel to a tunnel server in the he transit network
from an IPv4 Endpoint in 6799
IPv4:
$ ping -c6 ipduh.com -n
PING ipduh.com (85.25.242.245) 56(84) bytes of data.
64 bytes from 85.25.242.245: icmp_req=1 ttl=50 time=48.6 ms
64 bytes from 85.25.242.245: icmp_req=2 ttl=50 time=48.4 ms
64 bytes from 85.25.242.245: icmp_req=3 ttl=50 time=48.8 ms
64 bytes from 85.25.242.245: icmp_req=4 ttl=50 time=48.0 ms
64 bytes from 85.25.242.245: icmp_req=5 ttl=50 time=48.4 ms
64 bytes from 85.25.242.245: icmp_req=6 ttl=50 time=47.9 ms

--- ipduh.com ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5008ms
rtt min/avg/max/mdev = 47.904/48.382/48.811/0.428 ms

Tunnel-Tunnel IPv6:
# ping6 -c6 ipduh.com -n
PING ipduh.com(2001:470:1f0a:2e2:da::) 56 data bytes
64 bytes from 2001:470:1f0a:2e2:da::: icmp_seq=1 ttl=63 time=59.5 ms
64 bytes from 2001:470:1f0a:2e2:da::: icmp_seq=2 ttl=63 time=59.7 ms
64 bytes from 2001:470:1f0a:2e2:da::: icmp_seq=3 ttl=63 time=59.6 ms
64 bytes from 2001:470:1f0a:2e2:da::: icmp_seq=4 ttl=63 time=59.4 ms
64 bytes from 2001:470:1f0a:2e2:da::: icmp_seq=5 ttl=63 time=60.0 ms
64 bytes from 2001:470:1f0a:2e2:da::: icmp_seq=6 ttl=63 time=59.3 ms

--- ipduh.com ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5008ms
rtt min/avg/max/mdev = 59.373/59.653/60.077/0.339 ms


To disable IPv6.
# ip -6 addr del 2001:470:7134::2/64 dev eth0


The systems used:
# cat /etc/issue /etc/debian_version ; uname -r
Debian GNU/Linux 6.0 \n \l

6.0.7
2.6.32-5-amd64


Useful Links:
Linux IPv6 HowTo
Debian IPv6
SixXS IPv6 Firewalling





debian on debian kvm notes

Notes: Run a Debian Squeeze guest on a Debian Squeeze host using KVM.

Install qemu-kvm , libvirt-bin , virtinst , bridge-utils
# apt-get install qemu-kvm libvirt-bin virtinst bridge-utils


Add root to the libvirt group.
# adduser root libvirt


Configure the bridge interface.
This is an example /etc/network/interfaces
# grep -v '##' /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
        address 10.42.241.5
        netmask 255.255.255.128
        network 10.42.241.0
        broadcast 10.42.241.127
        gateway 10.42.241.10
        bridge_ports eth0
        bridge_stp off          #disable spanning tree
        bridge_waitport 0       #no delay before a port becomes available
        bridge_fd 0             #no forwarding delay
        bridge_hello 2          #Hello packets are used to communicate information about the topology throughout the entire Bridged Local Area Network.


Restart the network
# /etc/init.d/networking restart
and
# reboot


Create the virtual machine.
# mkdir /home/vm
# virt-install --connect qemu:///system -n vm0 -r 512 --vcpus=2 --disk path=/home/vm/vm0.qcow2,size=10 -c /data01/os.iso/debian-live-6.0.7-amd64-standard.iso  --vnc --noautoconsole --os-type linux --os-variant debiansqueeze --description vm0_debian --network=bridge:br0 --hvm 


Starting install...
Creating storage file vm0.qcow2                                                                                            |  10 GB     00:00     
Creating domain...                                                                                                         |    0 B     00:00     
Domain installation still in progress. You can reconnect to 
the console to complete the installation process.



Options Used Meaning from the virt-install man page:
OPTIONS
Most options are not required. Minimum requirements are --name, --ram, guest storage (--disk or --nodisks), and an install option.

--connect=CONNECT
         Connect to a non-default hypervisor. The default connection is chosen based on the following rules:

qemu:///system
             If running on a bare metal kernel as root (needed for KVM installs)

General Options

-n NAME, --name=NAME
         Name of the new guest virtual machine instance. This must be unique amongst all guests known to the hypervisor on the connection,
         including those not currently active. To re-define an existing guest, use the virsh(1) tool to shut it down ('virsh shutdown') &
         delete ('virsh undefine') it prior to running "virt-install".

-r MEMORY, --ram=MEMORY
         Memory to allocate for guest instance in megabytes. If the hypervisor does not have enough free memory, it is usual for it to
         automatically take memory away from the host operating system to satisfy this allocation.

--vcpus=VCPUS
         Number of virtual cpus to configure for the guest. Not all hypervisors support SMP guests, in which case this argument will be
         silently ignored

--description
         Human readable text description of the virtual machine. This will be stored in the guests XML configuration for access by other
         applications.

-c CDROM, --cdrom=CDROM
         File or device use as a virtual CD-ROM device for fully virtualized guests.  It can be path to an ISO image, or to a CDROM device. It
         can also be a URL from which to fetch/access a minimal boot ISO image. The URLs take the same format as described for the
         "--location" argument. If a cdrom has been specified via the "--disk" option, and neither "--cdrom" nor any other install option is
         specified, the "--disk" cdrom is used as the install media.

--os-type=OS_TYPE
         Optimize the guest configuration for a type of operating system (ex. 'linux', 'windows'). This will attempt to pick the most suitable
         ACPI & APIC settings, optimally supported mouse drivers, virtio, and generally accommodate other operating system quirks.


--os-variant=OS_VARIANT
         Further optimize the guest configuration for a specific operating system variant (ex. 'fedora8', 'winxp'). This parameter is
         optional, and does not require an "--os-type" to be specified.

Valid values are:

         linux
             debianetch
                 Debian Etch

             debianlenny
                 Debian Lenny

             debiansqueeze
                 Debian Squeeze

Storage Configuration

--disk=DISKOPTS
         Specifies media to use as storage for the guest, with various options. The general format of a disk string is

             --disk opt1=val1,opt2=val2,...
path
             A path to some storage media to use, existing or not. Existing media can be a file or block device. If installing on a remote
             host, the existing media must be shared as a libvirt storage volume.

             Specifying a non-existent path implies attempting to create the new storage, and will require specifyng a 'size' value. If the
             base directory of the path is a libvirt storage pool on the host, the new storage will be created as a libvirt storage volume.
             For remote hosts, the base directory is required to be a storage pool if using this method.

size
             size (in GB) to use if creating new storage


Networking Configuration

-w NETWORK, --network=NETWORK,opt1=val1,opt2=val2
         Connect the guest to the host network. The value for "NETWORK" can take one of 3 formats:

         bridge=BRIDGE
             Connect to a bridge device in the host called "BRIDGE". Use this option if the host has static networking config & the guest
             requires full outbound and inbound connectivity  to/from the LAN. Also use this if live migration will be used with this guest.

Graphics Configuration

--vnc
         Setup a virtual console in the guest and export it as a VNC server in the host. Unless the "--vncport" parameter is also provided,
         the VNC server will run on the first free port number at 5900 or above. The actual VNC display allocated can be obtained using the
         "vncdisplay" command to "virsh" (or virt-viewer(1) can be used which handles this detail for the use).

--noautoconsole
         Don't automatically try to connect to the guest console. The default behaviour is to launch a VNC client to display the graphical
         console, or to run the "virsh" "console" command to display the text console. Use of this parameter will disable this behaviour.

Virtualization Type options

-v, --hvm
         Request the use of full virtualization, if both para & full virtualization are available on the host. This parameter may not be
         available if connecting to a Xen hypervisor on a machine without hardware virtualization support. This parameter is implied if
         connecting to a QEMU based hypervisor.



On another host running X
# apt-get install virt-manager 
oh well, that did not go as planned ... I was unable to manage the Virtual Machine I created with virt-manager remotely ... I tried to install other packages and hunted down the errors for a while, but no cigar ...

Plan B
All I really need is to open a VNC session to the socket 127.0.0.1:5900 that I see and I hope that it is what I think it is.

Still on another host running X --not the vmhost.
$ vncviewer vmhost:0
the first VM guest is at :5900 ( :0 ), the second VM guest is at :5901 ( :1 ) , etc

Plan C
# ssh -L 5900:localhost:5900 vmhost
and then, somevncviewer localhost

or

use a new vinagre with Host:127.0.0.1 and Use host:vmhost


Install the guest system, give the guest an IP address in your LAN and install SSH.
When the installation is done, start the Virtual Machine.
On the host.
# virsh 
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # list
 Id Name                 State
----------------------------------

virsh # start vm0
Domain vm0 started

virsh # list
 Id Name                 State
----------------------------------
  3 vm0                  running

virsh # quit



ping the Virtual Machine vm0 and try to ssh to it.
If you cannot ssh to it, open a vnc session
# virsh vncdisplay vm0
:0
and then VNC to vm0 from another host.


The system is using the following `virtual` device drivers and behaves OK so far
root@vm0# lspci 
00:00.0 Host bridge: Intel Corporation 440FX - 82441FX PMC [Natoma] (rev 02)
00:01.0 ISA bridge: Intel Corporation 82371SB PIIX3 ISA [Natoma/Triton II]
00:01.1 IDE interface: Intel Corporation 82371SB PIIX3 IDE [Natoma/Triton II]
00:01.2 USB Controller: Intel Corporation 82371SB PIIX3 USB [Natoma/Triton II] (rev 01)
00:01.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 03)
00:02.0 VGA compatible controller: Cirrus Logic GD 5446
00:03.0 Ethernet controller: Red Hat, Inc Virtio network device
00:04.0 SCSI storage controller: Red Hat, Inc Virtio block device
00:05.0 RAM memory: Red Hat, Inc Virtio memory balloon
I have to stress test it a bit.



Linux Bridge
libvirt bridging




yet another awmn+Internet DNS Ubuntu 12.04 LTS

# sudo -s
# cat /etc/issue
Ubuntu 12.04.2 LTS \n \l


# apt-get install bind9


Change /etc/bind/named.conf , /etc/bind/named.conf.local , /etc/bind/named.conf.options
# cat /etc/bind/named.conf
// g0 2013 AWMN+Internet caching dns
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";


# cat /etc/bind/named.conf.options 
options {
 directory "/var/cache/bind";
 //dnssec-validation auto;
 listen-on { 127.0.0.1; 10.46.78.6; };
 version "some version alog.ipduh.com "; 
 auth-nxdomain no;    # conform to RFC1035
 allow-query { 10.0.0.0/8; localhost; };
 allow-recursion { 10.0.0.0/8; localhost; };  
 //listen-on-v6 { any; };
};



# cat /etc/bind/named.conf.local
// #g0 2013 AWMN+Internet Caching DNS

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};


//####################################
//# Greek Wireless Communities Zones #
//####################################
//# https://www.awmn.net/wiki/       #
//####################################
//Because awmn will go gwmn pretty soon g stands for Greek or Global ;)
//####################################

zone "10.in-addr.arpa" IN {
        type forward;
        forwarders {
       10.0.0.1;  
       10.19.143.12;
       10.19.143.13;
        };
};


zone "awmn" IN {
        type forward;
        forwarders {
         10.0.0.1;  
         10.19.143.12;
         10.19.143.13;
        };
};

zone "wn" IN {
        type forward;
        forwarders {
                10.126.3.115;
                10.110.17.115;
                10.19.143.12;
                10.17.122.134;
                10.86.87.129;
                10.2.16.130;
                10.110.17.67;
        };
};

zone "swn" IN {
        type forward;
        forwarders {
                10.101.0.254;
                10.106.3.1;
                10.174.254.101;
                10.174.1.253;
        };
};


zone "twmn" IN {
        type forward;
        forwarders {
                10.104.76.65;
                10.122.20.70;
                10.122.3.68;
                10.122.14.72;
                10.104.1.74;
        };
};

zone "wthess" IN {
        type forward;
        forwarders {
                10.96.0.1;
                10.96.22.2;
                10.96.9.3;
        };
};

zone "ewn" IN {
        type forward;
        forwarders {
                10.145.7.150;
                10.146.210.130;
        };
};

zone "mswn" IN {
        type forward;
        forwarders {
                10.148.50.2;
        };
};

zone "cywn" IN {
        type forward;
        forwarders {
                10.215.0.125;
                10.215.2.126;
        };
};

zone "dwn" IN {
        type forward;
        forwarders {
                10.174.1.253;
                10.174.254.101;
                10.174.17.250;
        };
};

zone "wiran" IN {
        type forward;
        forwarders {
                10.230.3.133;
        };
};

zone "wana" IN {
        type forward;
        forwarders {
                10.224.3.35;
        };
};

zone "awn" IN {
        type forward;
        forwarders {
                10.198.0.130;
        };
};

zone "pwmn" IN {
        type forward;
        forwarders {
                10.140.14.67;
        };
};

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};



Deal with the ubuntu resolv.conf madness
# echo "nameserver 127.0.0.1" > /etc/resolvconf/resolv.conf.d/base
# cd /etc/resolvconf/resolv.conf.d/
# cp base tail
# cp tail original
# cp base /etc/resolv.conf


# /etc/init.d/bind9 restart


Test
# dig voip.awmn +short
10.67.0.17
# dig www.awmn +short
srv1.awmn.
10.19.143.13
# dig ipduh.org +short
85.25.242.245
# dig ipduh.awmn +short
10.21.241.4







Yet another AWMN hybrid caching DNS server - Ubuntu 12.04

Windows Down Left Corner ad popup

A friend has been complaining about annoying advert pop-ups on most web sites. She also noticed that they were popping up on alog.ipduh but not on a few large sites and ipduh.com ;).

After looking at her Windows system I found a few pieces of malware and deleted them, and then I noticed that the pop-ups were still appearing on ~9/10 web sites, showing adverts from many ad networks and Google AdSense. Nothing weird (that I could see) was running, so I thought of looking at the hosts file before starting to look at the system for rootkits and putting it on a network where I could watch all of its traffic. The hosts file was --of course-- hidden and had all kinds of annoying attributes.

See and Edit the hosts file
cd C:\WINDOWS\system32\drivers\etc\
cacls.exe hosts /g builtin\users:R
cacls.exe hosts /e /g builtin\administrators:F
cacls.exe hosts /e /g "nt authority\system:F"
attrib.exe -s -h -a -r hosts


This is what I found at the very bottom of a 20-page-long hosts file:
66.185.21.82 www.google-analytics.com.
66.185.21.82 ad-emea.doubleclick.net.
66.185.21.82 www.statcounter.com.
66.185.21.82 connect.facebook.net.
93.115.241.27 www.google-analytics.com.
93.115.241.27 ad-emea.doubleclick.net.
93.115.241.27 www.statcounter.com.
93.115.241.27 connect.facebook.net.
funny!

If you are like my friend,
you made it here and you are wondering what to do now ...
delete the lines above and save the hosts file at
C:\WINDOWS\system32\drivers\etc\hosts
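An added example (not from the original post) that audits a hosts file for entries like the ones above: it parses the file and flags names mapped to a public address, names written with a trailing dot, and one non-loopback address shared by several names. The sample hosts content is constructed inline.

```python
"""Audit a hosts file for redirection entries like the ones found above.
Added example, not from the original post; the sample content is constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample: two normal entries followed by the lines the post found appended.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.168.1.10    nas.lan   # home NAS on the LAN, fine
66.185.21.82 www.google-analytics.com.
66.185.21.82 ad-emea.doubleclick.net.
66.185.21.82 www.statcounter.com.
66.185.21.82 connect.facebook.net.
93.115.241.27 www.google-analytics.com.
"""

def parse_hosts(text):
    """Return (lineno, ip, [names]) for every non-comment, non-blank line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        ip_str, *names = line.split()
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue   # malformed address; the resolver ignores the line too
        entries.append((lineno, ip, names))
    return entries

def suspicious_entries(entries):
    """Flag entries that look like redirection rather than local aliasing:
    a public destination address, a hostname written with a trailing dot,
    or three or more distinct names sharing one non-loopback address."""
    names_per_ip = defaultdict(set)
    for _, ip, names in entries:
        if not ip.is_loopback:
            names_per_ip[ip].update(names)
    flagged = []
    for lineno, ip, names in entries:
        reasons = []
        if ip.is_global:
            reasons.append("public address")
        if any(n.endswith(".") for n in names):
            reasons.append("trailing-dot hostname")
        if len(names_per_ip.get(ip, ())) >= 3:
            reasons.append("one address used for %d names" % len(names_per_ip[ip]))
        if reasons:
            flagged.append((lineno, str(ip), names, reasons))
    return flagged

if __name__ == "__main__":
    for lineno, ip, names, reasons in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print("line %d: %s -> %s  [%s]" % (lineno, ip, " ".join(names), "; ".join(reasons)))
```

On a real system read the file with `open(r"C:\WINDOWS\system32\drivers\etc\hosts").read()` (or `/etc/hosts`) and pass the text to `parse_hosts`.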





Windows Down Left Corner Popup -- malware hosts annoyance

disable ipv6 debian

To disable IPv6 on selected hosts in LANs with ipv6 router advertisements.

Disable the ipv6 address taken temporarily
# ip -6 addr del 2001:cafe:b0b0:abcd:6ef0:49ff:fe0e:f1b9/64 dev eth0
# ip -6 addr del fe80::6ef0:49ff:fe0e:f1b9/64 dev eth0 


Disable the ipv6 stack permanently
# echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
# sysctl -p


More: Debian - turn off IPv6

In case you want to disable IPv4 and enable IPv6 only on a host.
example /etc/network/interfaces
auto eth0
iface eth0 inet manual
iface eth0 inet6 auto


If you don't have an IPv6 DNS caching server find a public one in the public dns servers list





debian linux disable IPv6

torrent daemon & file server -- debian

Notes on how-to setup a torrent daemon --transmission-daemon-- and a file server on debian.

Add the 'tuser' user using adduser.sh
# adduser.sh 
Add User:
Enter GROUPID     : 2000
Enter GROUPNAME   : tuser
Enter USERID      : 2000
Enter USERNAME    : tuser
Enter USER HOME DIRECTORY ( Or hit enter for /home/tuser ): /data/tuser
Enter USERSHELL   : /usr/lib/sftp-server
Enter USERCOMMENT : 
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
 
User:tuser:x:2000:2000::/data/tuser:/usr/lib/sftp-server

Group:tuser:x:2000:

tuser home Dir /data/tuser long listing:
total 24
4 drwxr-xr-x 3 tuser tuser 4096 May  7 09:39 .
4 drwxr-xr-x 5 root  root  4096 May  7 09:25 ..
4 -rw-r--r-- 1 tuser tuser  220 May  7 09:39 .bash_logout
4 -rw-r--r-- 1 tuser tuser 3184 May  7 09:39 .bashrc
4 -rw-r--r-- 1 tuser tuser  675 May  7 09:39 .profile



Get rid of the user files; tuser is going to become an sftp-only user.
# rm /data/tuser/.bash*
# rm /data/tuser/.profile


Add the sftp-server shell to /etc/shells
# echo '/usr/lib/sftp-server' >> /etc/shells


Make sure that the following exists in /etc/ssh/sshd_config
#grep sftp /etc/ssh/sshd_config 
Subsystem sftp /usr/lib/openssh/sftp-server
If not, add it.

Test the sftp server and the tuser account.
# echo "blahblahtest" > /data/tuser/blah
# chown tuser.tuser /data/tuser/blah


Log in to the sftp server from another host in the network.
$ sftp tuser@10.33.5.3
Connecting to 10.3.57.3...
The authenticity of host '10.33.5.3 (10.33.5.3)' can't be established.
RSA key fingerprint is dc:22:6c:c5:ed:44:9b:32:38:04:c2:65:8f:7f:dc:58.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.33.5.3' (RSA) to the list of known hosts.
tuser@10.33.5.3's password: 
sftp> pwd
Remote working directory: /data/tuser
sftp> get ./blah blah-copy
Fetching /data/tuser/./blah to blah-copy
/data/tuser/./blah                                                                           100%   13     0.0KB/s   00:00   
sftp> bye


Install transmission-daemon.
# apt-get install transmission-daemon


Configure transmission-daemon
# mkdir /data/tuser/torrents
# mkdir /data/tuser/torrents/incomplete
# usermod -a -G debian-transmission tuser
# chown -R tuser.debian-transmission /data/tuser/torrents/
# chmod -R 775 /data/tuser/torrents/


# cp /etc/transmission-daemon/settings.json /etc/transmission-daemon/settings.json.0
# vi /etc/transmission-daemon/settings.json
You will have to change at least "rpc-password" , "incomplete-dir" , "download-dir" ,
"incomplete-dir-enabled" and "rpc-whitelist-enabled" xor "rpc-whitelist"

To reload the transmission-daemon configuration file.
# invoke-rc.d transmission-daemon reload


Test it by logging in at http://host:9091.
Oops ...
it says something about no permissions when I try to open/upload a torrent file.

# chmod 775 /data/tuser/torrents/
# chmod 775 /data/tuser/torrents/incomplete


Test again.
OK, it works.

If the transmission daemon sits on a host in your LAN you may want to use Samba, see:
samba on debian based systems



Torrent daemon and file server linux debian

A simple Web Clock

Around the same time, family members and a good friend in the Athens Wireless Metropolitan Network (AWMN) asked me to make an accurate web clock with large numbers.

Hence this simple web clock, good to put on an NTP-synchronized web server.

To get it
wget http://kod.ipduh.com/lib/clock.pl


An example apache configuration file

<VirtualHost 10.21.241.4:80>
        DocumentRoot "/var/www/clock.ipduh.awmn/www/"
        ServerName   clock.ipduh.awmn
        ScriptAlias  /cgi-bin2/ "/var/www/clock.ipduh.awmn/www/"
        AddHandler   cgi-script .pl

        <Directory "/var/www/clock.ipduh.awmn/www">
                AllowOverride  None
                Options        ExecCGI
                Order          allow,deny
                Allow          from all
                DirectoryIndex index.pl index.html index.htm
        </Directory>

        ErrorLog  "|/usr/sbin/rotatelogs /var/www/clock.ipduh.awmn/logs/error/clock.ipduh.awmn-error_log.%Y%m%d 86400"
        CustomLog "|/usr/sbin/rotatelogs /var/www/clock.ipduh.awmn/logs/access/clock.ipduh.awmn-access_log.%Y%m%d 86400" combined
</VirtualHost>






The Clock
#!/usr/bin/perl

#g0 2013 a simple web clock
#http://alog.ipduh.com/2013/05/a-simple-web-clock.html

use strict;
use warnings;
use POSIX qw(strftime);

# Server-side time; the web server is assumed to be NTP synchronized.
my $date  = strftime "%a %b %e %Y", localtime;
my $hour  = strftime "%H", localtime;
my $min   = strftime "%M", localtime;
my $sec   = strftime "%S", localtime;
my $epoch = time();

# CGI header first, then the page. The client-side JS ticks the seconds
# between the 15-second refreshes that re-synchronize to the server clock.
print "Content-type: text/html\n\n";
print <<"PAGE";
<!doctype html>
<html>
<head>
<title> clock </title>
<meta http-equiv='refresh' content='15'>

<style>
.clock { font-family: monospace , Arial ; font-size: 6em; }
.little { padding-left: 0px; font-family:  monospace; font-size: .9em; }
a.goto:link { color:#000000; text-decoration:underline; }
a.goto:visited { color:#000000; text-decoration:underline; }
a.goto:hover {color:#000000;text-decoration:none;background:yellow;}
a.goto:active {color:#00FF00;text-decoration:none;background:yellow;}
</style>
<script type='text/javascript'>
setInterval(tick, 1000);

// zero-pad to two digits so 0 is shown as 00
function pad(n) { return (n < 10 ? '0' : '') + n; }

function tick() {
 var h = parseInt(document.getElementById("hour").innerHTML, 10);
 var m = parseInt(document.getElementById("min").innerHTML, 10);
 var s = parseInt(document.getElementById("sec").innerHTML, 10);
 s += 1;
 if (s == 60) { s = 0; m += 1; }
 if (m == 60) { m = 0; h = (h + 1) % 24; }   // wrap at midnight instead of showing 24
 document.getElementById("hour").innerHTML = pad(h);
 document.getElementById("min").innerHTML  = pad(m);
 document.getElementById("sec").innerHTML  = pad(s);
}
</script>
</head>
<body>
<center>
<p class=clock>
<span id='hour'>$hour</span>:<span id='min'>$min</span>:<span id='sec'>$sec</span>
</p>
<p class=little> &copy; $date
<a href="http://ipduh.com/epoch/?$epoch" class=goto>$epoch</a>
<a class=goto href=http://alog.ipduh.com/2013/05/a-simple-web-clock.html>source</a>
</p>
</center>
</body> </html>
PAGE





A simple web clock script

Harden Internet Facing RouterOS Routers

My Notes on Hardening Internet Facing RouterOS powered Routers.

Disable The Bandwidth Test Server.
Some folks leave it on, and many folks enable authentication.
If the router is of any importance, shut down the BTest daemon; if you ever need it, enable it only for as long as you use it, with authentication on.
/tool bandwidth-server print 
                  enabled: yes
             authenticate: no
  allocate-udp-ports-from: 2000
             max-sessions: 100


/tool bandwidth-server set enabled=no


Add two users with full rights, then delete or disable the admin account.
Optionally, restrict the IP space the administrators can log in from.
/user add name=dadmin0 password=somepassword group=full address=10.0.0.0/8
/user add name=dadmin1 password=somepassword group=full address=10.0.0.0/8
/user disable admin


Disable telnet and www access.
You may need ftp for getting your backups;
enable it when you need it, or restrict access to it.
/ip service disable telnet
/ip service disable www
/ip service disable ftp
If you don't use the api and www-ssl disable them.
/ip service disable www-ssl
/ip service disable api


You could restrict access to the ssh and winbox daemons.
You could add some port knocking rules. However, a firewall will reduce your router's pps rate --it should not matter for low capacity links, e.g. an ADSL connection. If you are absolutely paranoid about security and access to a router: disable winbox, enable port knocking and import ssh keys for the router administrators.

Change the port in which the ssh daemon listens.
/ip service set ssh port=666


Configure NTP clock synchronization.
/system clock set time-zone-name=Etc/GMT+2
/system ntp client set enabled=yes primary-ntp=10.21.241.4 secondary-ntp=10.3.57.3 mode=unicast


Send info, critical, warning and error logs to `memory` and to a `remote` syslog server.
/system logging set 0 topics=info,critical,warning,error action=remote
/system logging set 1 topics=info,critical,error action=memory
That would be nice, but it does not work --at least not for me. Even though it looks like it worked in Winbox, it does not. I had to add one topic per rule (version 5.20). These categories may overlap ... hmm, anyway ...

So ... send info logs to `memory` and to a `remote` syslog server.

/system logging action> set 3 bsd-syslog=yes name=remote remote=10.21.241.4 remote-port=514 src-address=0.0.0.0 syslog-facility=local0 syslog-severity=auto target=remote
3 above refers to the logging action number and the 0 refers to the logging rule number.


List the logging actions.
/system logging action print
Flags: * - default
 #   NAME     TARGET  REMOTE
 0 * memory   memory
 1 * disk     disk
 2 * echo     echo
 3 * remote   remote  10.21.241.4


List the logging rules
/system logging print
Flags: X - disabled, I - invalid, * - default
 #    TOPICS     ACTION   PREFIX
 0  * info       remote
 1  * info       memory
 2  * warning    memory
 3  * critical   echo


Increase the number of logging lines kept in memory.
/system logging action set 0 memory-lines=400 memory-stop-on-full=no name=memory target=memory


Disable remote requests to the DNS forwarder-cache.
/ip dns set allow-remote-requests=no


Good Enough Computer Security is equal to life-experience + CS-skills + imagination + common-sense + a bit of paranoia.

Add hard work, commitment , and discomfort to the list above and you may get Good Security.



Harden Internet Facing RouterOS Routers

Search is not AI and it is hard to get crowdsourcing right

Searching for strings of chars is not AI,
--it will be once we have AI and it works-- and it is tough indeed to get crowdsourcing right

eg.

"

This is a warning message to alert you that there is action required to bring your AdSense account into compliance with our AdSense program policies. We’ve provided additional details below, along with the actions to be taken on your part.

Issue ID#: FAB0B0

Affected website: ipduh.com

Example page where violation occurred: http://ipduh.com/dns/?%E0%B8%94%E0%B8%B9%E0%B8%87%E0%B9%88%E0%B8%B2%E0%B8%A2%E0%B9%84%E0%B8%A1%E0%B9%88%E0%B8%95%E0%B9%89%E0%B8%AD%E0%B8%87%E0%B9%82%E0%B8%AB%E0%B8%A5%E0%B8%94.blogspot.com

Action required: Please make changes to your site within 72 hours.

Current account status: Active

Violation explanation

AdSense publishers may not display Google ads on webpages with content protected by copyright law unless they have the necessary legal rights to display that content. This includes sites that display copyrighted material, sites hosting copyrighted files, or sites that provide links driving traffic to sites that contain copyrighted material.

Examples of copyrighted content which may require legal rights in order to be displayed include, but are not limited to:

- Television shows, movies, and audio files
- Access to streaming cable or satellite television
- Books and/or e-books
- Video games
- Images

If you did not create the content yourself or if you created it using other peoples’ content as source material then you should ask yourself if you have a license or if an exception applies. For more information about potentially infringing content, please review our program policies and these tips from the policy team about avoiding copyright infringement.

"

Huh?


googlie here is yet another rant