Portsentry on Debian notes

The main configuration file --/etc/portsentry.conf-- does a really good job of being self-explanatory.

You may choose to block or not block scanners with the BLOCK_TCP and BLOCK_UDP directives:
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)

Scan Response
The responses are defined in the KILL_ROUTE, KILL_HOSTS_DENY and KILL_RUN_CMD directives.
You may:
  • route the scanner's traffic to a host that does not exist, eg:
     KILL_ROUTE="/sbin/route add -host $TARGET$ gw"
  • reject traffic from the scanner, eg:
     KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
    (enabled by default in the Debian package)
  • drop traffic from the scanner with a packet filter, eg:
     KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
  • add the scanner's IP address to /etc/hosts.deny (KILL_HOSTS_DENY)
  • run a command, before or after blocking (see KILL_RUN_CMD_FIRST), eg:
     KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$ $MODE$"

All 'scanning' IP addresses are appended to portsentry.history.
Debian puts portsentry.history at /var/lib/portsentry/portsentry.history

A scanner could choose to avoid the ports listed in TCP_PORTS and UDP_PORTS in the default portsentry configuration. To mitigate this, add a few more unused ports in the (1024,61000) range.

An attacker may use forged packets to fool portsentry into blocking legitimate networks.

I usually add a few friendly networks to the ignore list --that instructs portsentry to ignore scans from them. I recommend it to everyone who has the BLOCK_TCP directive set to true and KILL_ directives enabled that change the routing table, drop packets, or populate the hosts.deny list.

To permanently whitelist hosts and networks you never want blocked, put them in /etc/portsentry/portsentry.ignore.static.

Trusted hosts and networks used for administration, along with and , are good candidates. does not mean you trust the whole IPv4 Internet; it means you never reroute to a blackhole or drop everything from .

The host's network interfaces are added by portsentry to portsentry.ignore on startup, so you do not need to worry about them. /etc/portsentry.ignore contains all the IP networks currently not affected by KILL_ROUTE. To add a CIDR, edit /etc/portsentry.ignore.static and restart portsentry.

A short script that HTMLfies the portsentry.history log

#!/bin/bash
#g0 2013
#portsenty.history to html

#set HTML to a file in an http accessible directory (placeholder path below)
PORTSENTRY_HISTORY=/var/lib/portsentry/portsentry.history
HTML=/var/www/portsentry.html

#systime() in the END block needs gawk
awk '
BEGIN {
print "<!doctype html><html><head><title>portsentry.history</title><style>"
print "a.lnk:link { color:#0000FF; text-decoration:none; } a.lnk:visited { color:#0000FF; text-decoration:none; }"
print "a.lnk:hover { color:#00FF00; text-decoration:none; } a.lnk:active { color:#00FF00; text-decoration:none; }"
print "</style></head><body><table border=0 cellspacing=8>"
DEL=" </td><td> "; APRO="<a target=_blank class=lnk href=http://ipduh.com/apropos/?" ; P=">" ; OS="</a>" ;
EPOC="<a class=lnk target=_blank href=http://ipduh.com/epoch/?";
}
#each history line: EPOCH - DATE TIME Host: NAME/IP Port: PORT PROTO Blocked
{ split($6,a,"/") }
{ print "<tr><td>" EPOC $1 P $1 OS DEL $3 DEL $4 DEL APRO a[1] P a[1] OS DEL }
{ if (a[1] != a[2] ) {  print APRO a[2] P a[2] OS } }
{ print DEL $8 DEL $9 "</td></tr>" }
END { EPOCH=systime();
print "</table><br /><br />Produced from portsentry.history on " EPOC EPOCH P EPOCH OS "</body></html>" }
' ${PORTSENTRY_HISTORY} 2>/dev/null 1>${HTML}


You just need to set HTML to a file in an HTTP-accessible directory and create a cron job.

To get portsentry_history2html
$ wget kod.ipduh.com/lib/portsentry_history2html

URI: http://alog.ipduh.com/2013/07/portsentry.html


A few notes on denyhosts --a piece of software that finds SSH-scanning IP addresses and adds them to /etc/hosts.deny.

DenyHosts requires TCP Wrappers.
You may be able to find out if a daemon is compiled with TCP Wrappers using ldd and looking for the libwrap shared object:
# ldd `which sshd` |grep libwrap
 libwrap.so.0 => /lib/libwrap.so.0 (0x00007fac6668f111)
or using strings and looking for hosts_access
# strings `which sshd` |grep hosts_access

On Debian you may find out if a daemon is packaged with tcpwrappers with apt-cache.
# apt-cache rdepends libwrap0 |grep ssh

Install denyhosts on debian
# apt-get install denyhosts

I like whitelisting a few hosts because by default denyhosts is trigger-happy, eg: to allow access from , , and , add the following line to /etc/hosts.allow
sshd:, 192.168.167. , , :allow


Denyhosts comes with a synchronization service --you supply the hosts attacking you and download the ones attacking other hosts using the sync service. The sync service is disabled by default. If you want to enable it, uncomment the following line in /etc/denyhosts.conf:
#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

To just supply data to the sync service add
in /etc/denyhosts.conf

To just receive data from the sync service add
in /etc/denyhosts.conf

To apply changes restart the denyhosts daemon
# /etc/init.d/denyhosts restart

URI: http://alog.ipduh.com/2013/07/denyhosts.html

Email a notice for each SSH login

This is a bash script that emails details ( user , tty , remote IP address , date and time ) of every successful SSH login when used as sshrc.

The script
#!/bin/sh
#g0 2013
#send an email with details of each ssh login

#set MAILTO to the email address(es) receiving the SSH LOGIN notices
MAILTO="root"

EPOCH=`date +%s`
DATE=`date`
EPOCH_URI="http://ipduh.com/epoch/?${EPOCH}"

#the client address is the first field of SSH_CONNECTION (or of the older SSH_CLIENT)
if [ -z "$SSH_CONNECTION" ] ; then
   IP=`echo $SSH_CLIENT |cut -f1 -d' '`
else
   IP=`echo $SSH_CONNECTION |cut -f1 -d' '`
fi
IP_URI="http://ipduh.com/apropos/?${IP}"

#no tty means a non-interactive connection (scp, a remote command, a tunnel)
if [ -z "$SSH_TTY" ] ; then
   LOGIN="Connect by $USER"
else
   LOGIN="Login by $USER on $SSH_TTY"
fi

mail -s "SSH LOGIN on ${HOSTNAME} from ${IP}" ${MAILTO} <<END
   ${LOGIN}
   from ${IP} ( ${IP_URI} )
   at ${DATE} ( ${EPOCH_URI} )
END

#if X11 forwarding is in use --man sshd; sshd hands the X11 cookie to the rc script on stdin
if read proto cookie && [ -n "$DISPLAY" ]; then
   if [ `echo $DISPLAY |cut -c1-10` = 'localhost:' ]; then
          # X11UseLocalhost=yes
          echo add unix:`echo $DISPLAY |cut -c11-` $proto $cookie
   else
          # X11UseLocalhost=no
          echo add $DISPLAY $proto $cookie
   fi | xauth -q -
fi



To install
# wget kod.ipduh.com/lib/sshrc_email_notices
# mv sshrc_email_notices /etc/ssh/sshrc
Set MAILTO to the email address receiving the SSH LOGIN notifications

A user with a ~/.ssh/rc can bypass /etc/ssh/sshrc, since sshd runs ~/.ssh/rc instead when it exists. However, root can be the only one with write permission on a user's ~/.ssh/rc, and that ~/.ssh/rc may simply be
/bin/bash /etc/ssh/sshrc
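An added example, not from the original post: a small POSIX shell audit for the ~/.ssh/rc loophole just described. It walks the home directories under a root of your choice and reports every ~/.ssh/rc that is not owned by root or that group or other may write. It applies the same test to the ~/.ssh directory, because whoever can write that directory can unlink a root-owned rc and create a fresh one. The two demo home directories are constructed in a temporary directory so the script runs anywhere; point it at /home for real use.

```shell
#!/bin/sh
# Added example, not from the original post: report ~/.ssh/rc files (and the
# ~/.ssh directories holding them) that a user could alter, since sshd runs
# ~/.ssh/rc instead of /etc/ssh/sshrc whenever it exists.

# writable_by_group_or_other PATH -> exit 0 if group or other may write PATH
writable_by_group_or_other() {
    [ -n "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null)" ]
}

# owned_by_root PATH -> exit 0 if PATH belongs to root
owned_by_root() {
    [ -z "$(find "$1" -prune ! -user root -print 2>/dev/null)" ]
}

# audit_ssh_rc HOMEROOT -> one "PATH: reason" line per finding.  The ~/.ssh
# directory is checked too: whoever can write it can unlink a root-owned rc
# and drop in a new one.
audit_ssh_rc() {
    for home in "$1"/*; do
        rc="$home/.ssh/rc"
        [ -e "$rc" ] || continue          # no rc: sshd falls back to /etc/ssh/sshrc
        for p in "$rc" "$home/.ssh"; do
            owned_by_root "$p" || echo "$p: not owned by root"
            writable_by_group_or_other "$p" && echo "$p: writable by group or other"
        done
    done
    return 0
}

# Constructed demo: two home directories under a temporary root.  alice's rc
# is writable by its owner only, bob's rc is group-writable, carol has no rc.
# Use "audit_ssh_rc /home" on a real system.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/alice/.ssh" "$DEMO/bob/.ssh" "$DEMO/carol"
printf '/bin/bash /etc/ssh/sshrc\n' > "$DEMO/alice/.ssh/rc"
printf '/bin/bash /etc/ssh/sshrc\n' > "$DEMO/bob/.ssh/rc"
chmod 755 "$DEMO/alice/.ssh" "$DEMO/bob/.ssh"
chmod 644 "$DEMO/alice/.ssh/rc"
chmod 664 "$DEMO/bob/.ssh/rc"

audit_ssh_rc "$DEMO"
```

On a real host the "not owned by root" findings are the ones to act on first: a user-owned ~/.ssh/rc, or a user-owned ~/.ssh holding one, means that user decides what runs at login instead of /etc/ssh/sshrc.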


Remove SSL Certificate Passphrase

# cd /etc/ssl/private
# openssl rsa -in website.key -out website.key.no-passphrase
Enter pass phrase for website.key:
writing RSA key
# mv website.key website.key.old-with-passphrase
# cp website.key.no-passphrase website.key
# /etc/init.d/apache2 restart
  * Restarting web server apache2
Apache starts without asking for the passphrase.

Another way is to use the SSLPassPhraseDialog directive to read the passphrase from a script. Either way the key is now usable without anyone typing a passphrase, so keep it owned by root with mode 600.

madwifi ioctls

Notes on a few madwifi ioctls

Turn off 802.11h
# iwpriv ath0 doth 0 

fast frames support
# iwpriv ath0 ff 1 
This feature increases the amount of information that can be sent per frame, also resulting in a reduction of transmission overhead. It is a proprietary feature that needs to be supported by the Access Point.

Burst mode
# iwpriv ath0 burst 1 
Bursting allows multiple frames to be sent at once, rather than pausing after each frame. This reduces the overhead needed for transmission and thus increases the throughput. Slight modifications to the standard timing also add a bit to the throughput. Bursting is a standards-compliant feature that can be used with any Access Point.

Turn off Background Scan
# iwpriv ath0 bgscan 0 

Use A mode
# iwpriv ath0 mode 1 

# iwpriv ath0 mode 11a

An outdoor client interface (sta mode) configuration
# cat wireless 

config wifi-device 'radio0'
 option type 'atheros'
 option macaddr '00:0b:6b:84:41:59'
 option distance '3870'
 option outdoor '1'
 option txantenna '1'
 option rxantenna '1'
 option hwmode '11a'
 option channel '112'
 option diversity '0'
 option bursting '1'
 option ff '1'
 option disabled '0'
 option regdomain '97'
 option countrycode '0'
 option bgscan '0'
 option doth '0'
 option txpower '4'

config wifi-iface
 option device 'radio0'
 option encryption 'none'
 option ssid 'wn-x-y'
 option rate '48M fixed'
 option mode 'sta'
 option network 'ath0'
 option ifname 'ath0'

I prefer editing /etc/config/wireless; however, I think UCI is great for scripting and pushing configs.

Openwrt UCI usage examples

Enable wifi: set disabled to 0 for the first wireless device --in /etc/config/wireless--
# uci set wireless.@wifi-device[0].disabled=0; uci commit wireless; wifi

Set txpower to 6 dBm on the first wireless interface.
# uci set wireless.@wifi-device[0].txpower=6; uci commit wireless; wifi


simple UTC web clock

A simple UTC web clock.

The utc-web-clock.pl script
#!/usr/bin/perl
#g0 2013 a simple web UTC clock
use strict;
use warnings;
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime(time);
my @weekday = qw( Sun Mon Tue Wed Thu Fri Sat );
my @months = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec);
$year += 1900;                                   # gmtime counts years since 1900
$mon = "<a title=" . ($mon+1) . ">$months[$mon]</a>";
my $udate = "$weekday[$wday] $mday $mon $year";
my $uhour = sprintf("%02d", $hour);
my $umin  = sprintf("%02d", $min);
my $usec  = sprintf("%02d", $sec);
my $epoch = time();

print <<"PAGE";
Content-type: text/html\n\n<!doctype html>
<html>
<head>
<title> UTC </title>
<meta  http-equiv='refresh' content='15'>
<style>
.clock { font-family: monospace , Arial ; font-size: 6em; }
.little { padding-left: 0px; font-family:  monospace; font-size: .9em; }
a.goto:link { color:#000000; text-decoration:underline; }
a.goto:visited { color:#000000; text-decoration:underline; }
a.goto:hover {color:#000000;text-decoration:none;background:yellow;}
a.goto:active {color:#00FF00;text-decoration:none;background:yellow;}
</style>
<script type='text/javascript'>
function pad(n) { return (n < 10 ? '0' : '') + n; }

//advance the displayed time by one second; the meta refresh above
//resynchronises with the server clock every 15 seconds --g0
function tick() {
 var hour = document.getElementById("hour");
 var min  = document.getElementById("min");
 var sec  = document.getElementById("sec");
 if(parseInt(min.innerHTML, 10) == 59 && parseInt(sec.innerHTML, 10) == 59 ){
  hour.innerHTML = pad((parseInt(hour.innerHTML, 10) + 1) % 24);
  min.innerHTML = "00";
  sec.innerHTML = "00";
 } else if(parseInt(sec.innerHTML, 10) == 59 ){
  min.innerHTML = pad(parseInt(min.innerHTML, 10) + 1);
  sec.innerHTML = "00";
 } else {
  sec.innerHTML = pad(parseInt(sec.innerHTML, 10) + 1);
 }
}
setInterval(tick, 1000);
</script>
</head>
<body>
<p class=clock>
<span id='hour'>$uhour</span>:<span id='min'>$umin</span>:<span id='sec'>$usec</span>
<p class=little> &copy; $udate
<a href="http://ipduh.com/epoch/?$epoch" class=goto>$epoch</a>
<a class=goto href=http://alog.ipduh.com/2013/07/simple-utc-web-clock.html>source</a>
</body> </html>
PAGE


You may wget it
$ wget kod.ipduh.com/lib/utc-web-clock.pl


Tripwire Setup on Debian Notes

Install Tripwire
# apt-get install tripwire

Well, the packaged tripwire installation automation on Debian 6.0.7 does not automagically fix everything --not for me, at least.

Tripwire keeps its configuration in an encrypted database that is generated, by default, from /etc/tripwire/twcfg.txt

Tripwire keeps its policies on what attributes of which files should be monitored in an encrypted database that is generated, by default, from /etc/tripwire/twpol.txt

The Tripwire binaries are located in /usr/sbin and the database is located in /var/lib/tripwire

Create a site key
# cd /etc/tripwire/
# mkdir nope
# mv site.key nope
# twadmin --generate-keys --site-keyfile site.key 
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.
# chmod 600 site.key

Create a local key
# cd /etc/tripwire/
# twadmin --generate-keys --local-keyfile `hostname`-local.key
# chmod 600 *local.key

Create the configuration file tw.cfg from the text configuration file twcfg.txt and sign it with site.key. You may want to change a few things in twcfg.txt (eg: the SMTPHOST).
# cd /etc/tripwire/
# cp twcfg.txt nope
# vi twcfg.txt
# twadmin --create-cfgfile --cfgfile tw.cfg --site-keyfile site.key twcfg.txt
Please enter your site passphrase: 
Wrote configuration file: /etc/tripwire/tw.cfg

Create the policy file tw.pol from the editable twpol.txt and sign it with site.key. You may want to adjust twpol.txt to your system and preferences.
# cd /etc/tripwire/
# mv tw.pol nope/
# vi twpol.txt
# twadmin --create-polfile --cfgfile tw.cfg --site-keyfile site.key twpol.txt
Please enter your site passphrase: 
Wrote policy file: /etc/tripwire/tw.pol

Make sure all the configuration files are owned by root and that root is the only one who can read them.
# cd /etc/tripwire/
# chown root.root tw*
# chmod 600 tw*
You may delete the txt files or copy them to another host.

Initialize the tripwire database.
# tripwire --init
Please enter your local passphrase: 
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***

To change your policy
# cd /etc/tripwire/
# vi twpol.txt
# twadmin -m P -S site.key twpol.txt
Please enter your site passphrase: 
Wrote policy file: /etc/tripwire/tw.pol

To update your configuration
# cd /etc/tripwire/
# vi twcfg.txt
# twadmin -m F -S site.key twcfg.txt
Please enter your site passphrase: 
Wrote configuration file: /etc/tripwire/tw.cfg

Initialize the Tripwire database
# tripwire -m i
Please enter your local passphrase: 
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Continuing...
Wrote database file: /var/lib/tripwire/anydns.twd
The database was successfully generated.

Email alerts and reports

Test if tripwire can send email
# /usr/sbin/tripwire --test --email systems-no@ipduh.awmn

To set email alerts for a rule, eg: "Root file-system executables", add an emailto attribute to the rule in twpol.txt, then sign it and write tw.pol.
# Critical executables
  rulename = "Root file-system executables",
  severity = $(SIG_HI),
  emailto = systems-no@ipduh.awmn
You may put more than one email address in emailto, separated by ';' semicolons, eg:
# Critical executables
  rulename = "Root file-system executables",
  severity = $(SIG_HI),
  emailto = systems-no@ipduh.awmn;systems-no@ipduh.com
Sign and write tw.pol
# twadmin -m P -S site.key twpol.txt

Email a report
# /usr/sbin/tripwire --check --email-report
### Continuing...
Beginning email reporting...
Emailing the report to: systems-no@ipduh.awmn

The report is mailed to the address(es) given in emailto and saved in /var/lib/tripwire/report/ as well.

To create and email the report regularly put:
/usr/sbin/tripwire --check --quiet --email-report
in a cronjob

The Debian package cronjob
#!/bin/sh -e

tripwire=/usr/sbin/tripwire

[ -x $tripwire ] || exit 0

umask 027

$tripwire --check --quiet --email-report

You may put the tripwire database on a read-only medium or copy it to another host.

Update the database --exclude valid violations-- after an Integrity Check.

First of all set the system default editor to vi

Enter `exclude mode` :)
# tripwire --update --twrfile /var/lib/tripwire/report/latest.twr
where latest.twr is the latest report

Now, remove the "x" from the adjacent boxes [x] to prevent updating the database with the new values for these objects, exit the editor, and enter your local passphrase.

The authorized integrity violations will no longer show up as warnings when the next integrity check is run.

Test --Create a Report and then look at it
# /usr/sbin/tripwire --check 
# twprint -m r --twrfile /var/lib/tripwire/report/latest.twr
where latest.twr is the latest report

View the tripwire database
# /usr/sbin/twprint -m d --print-dbfile |less

View information for a file tracked by tripwire eg: the tripwire database
# /usr/sbin/twprint -m d --print-dbfile /var/lib/tripwire/`hostname`.twd



ntp server status page 2

An addition to the simple script that draws an NTP server status web page.

The ntp-status-2.pl script
#!/usr/bin/perl
#g0 2013  , http://alog.ipduh.com/2013/07/ntp-server-status-page-2.html
#ntp-status-2 simple ntp server status web-page v.2
#Prerequisites: ntpdate & ntpq & ntptrace
use strict;
use warnings;
my $myNTPIP="";                     # address of the NTP server to query
my $myNTPname="ntpb.ipduh.awmn -";
my $ntptrace="/usr/bin/ntptrace -n";
my $ntpdate="/usr/sbin/ntpdate";
my $ntpqnp="/usr/bin/ntpq -np";
#configure END

my $epoch=time();
my @date=`$ntpdate -q $myNTPIP`;

#ntptrace prints one "ADDRESS: stratum N, offset ..., synch distance ..." line per hop;
#turn the address before the first colon into an apropos link
my @ntptrace=`$ntptrace $myNTPIP`;
my @fields=();
my $liin;
my @ntptrace_out=();
foreach my $li(@ntptrace){
 @fields=split(/:/,$li,2);
 $fields[0]="<a class=goto href=http://ipduh.com/apropos/?$fields[0]>$fields[0]</a>";
 $liin=join(":",@fields);
 push(@ntptrace_out,$liin);
}

#link every IPv4 address found in the ntpq -np peer table
my @ntpq=`$ntpqnp`;
my @ntpq_out=();
foreach my $li1(@ntpq){
 if($li1 =~ /(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/ ){
  push(@ntpq_out,"$`<a class=goto href=http://ipduh.com/apropos/?$&>$&</a>$'");
 }else{
  push(@ntpq_out,$li1);
 }
}

print <<"TOP";
Content-type: text/html\n\n
<!doctype html><html><head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta name='description' content='$myNTPIP - $myNTPname NTP server status web-page' />
<style>
p { padding-left: 0px; font-family:  Fixed, monospace; font-weight: 1em; }
.little { padding-left: 0px; font-family:  monospace; font-weight: .4em; }
.board { position:absolute; top:60px; left:100px; }
a.goto:link { color:#000000; text-decoration:underline; }
a.goto:visited { color:#000000; text-decoration:underline; }
a.goto:hover {color:#000000;text-decoration:none;background:yellow;}
a.goto:active {color:#00FF00;text-decoration:none;background:yellow;}
</style>
</head><body>
<div class=board>
<p>  NTP Status: $myNTPname  </p>
<pre>
|                                                                                     |
</pre>
TOP

print "<pre> @date <br /><br /><br /> @ntptrace_out  <br /><br /><br /> @ntpq_out </pre>";
print <<'BOT';
<pre>
|__________   ________________________________________________________________________|
           \ |
        |   /\________/\   |
        |  /____    ____\  |
        |_/     \__/     \_|
        [_       __       _]
          \_____/  \_____/
           \    ____    /
            |   \__/   |
          _  \________/  _
          \\  /|    |\  //
</pre>
BOT

print <<"TOEND";
<center><p class=little> &copy; <a href="http://ipduh.com/epoch/?$epoch" class=goto>$epoch</a> <a class=goto href=http://alog.ipduh.com/2013/07/ntp-server-status-page-2.html>source</a>
</p></center><br /><br /><br /><br /></div></body></html>
TOEND


You may wget or curl it
$ wget kod.ipduh.com/lib/ntp-status-2.pl


openwrt madwifi

Notes on enabling madwifi for Atheros-based wireless miniPCI cards on OpenWrt (Attitude Adjustment) --the lazy way.

Give Internet Connectivity to the router

Install wireless-tools and kmod-madwifi.
root@rs:~# opkg update
root@rs:~# opkg install kmod-madwifi
root@rs:~# wifi detect |grep -v disabled > /etc/config/wireless

To enable wifi, delete the disabled option or set it to 0 in /etc/config/wireless and run

root@rs:~# wifi



virsh notes

virsh version
# virsh -v

the system
# cat /etc/issue /etc/debian_version;uname -r
Debian GNU/Linux 6.0 \n \l


# egrep "vmx|svm" /proc/cpuinfo
flags  : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm 3dnowext 3dnow constant_tsc rep_good nonstop_tsc extd_apicid pni monitor cx16 popcnt lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit wdt nodeid_msr
flags  : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm 3dnowext 3dnow constant_tsc rep_good nonstop_tsc extd_apicid pni monitor cx16 popcnt lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit wdt nodeid_msr

the hypervisor
# virsh uri

# lsmod |grep kvm
kvm_amd                31878  4 
kvm                   215455  1 kvm_amd

for more try
# virsh capabilities

A good way to start exploring virsh
# virsh
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # help

    help            print help
    attach-device   attach device from an XML file
    attach-disk     attach disk device
    attach-interface attach network interface
    autostart       autostart a domain
    capabilities    capabilities
    cd              change the current directory
    connect         (re)connect to hypervisor
    console         connect to the guest console
    cpu-baseline    compute baseline CPU
    cpu-compare     compare host CPU with a CPU described by an XML file
    create          create a domain from an XML file
    start           start a (previously defined) inactive domain
    destroy         destroy a domain
    detach-device   detach device from an XML file
    detach-disk     detach disk device
    detach-interface detach network interface
    define          define (but don't start) a domain from an XML file
    domid           convert a domain name or UUID to domain id
    domuuid         convert a domain name or id to domain UUID
    dominfo         domain information
    domjobinfo      domain job information
    domjobabort     abort active domain job
    domname         convert a domain id or UUID to domain name
    domstate        domain state
    domblkstat      get device block stats for a domain
    domifstat       get network interface stats for a domain
    dommemstat      get memory statistics for a domain
    domblkinfo      domain block device size information
    domxml-from-native Convert native config to domain XML
    domxml-to-native Convert domain XML to native config
    dumpxml         domain information in XML
    edit            edit XML configuration for a domain
    find-storage-pool-sources discover potential storage pool sources
    find-storage-pool-sources-as find potential storage pool sources
    freecell        NUMA free memory
    hostname        print the hypervisor hostname
    list            list domains
    migrate         migrate domain to another host
    migrate-setmaxdowntime set maximum tolerable downtime
    net-autostart   autostart a network
    net-create      create a network from an XML file
    net-define      define (but don't start) a network from an XML file
    net-destroy     destroy a network
    net-dumpxml     network information in XML
    net-edit        edit XML configuration for a network
    net-list        list networks
    net-name        convert a network UUID to network name
    net-start       start a (previously defined) inactive network
    net-undefine    undefine an inactive network
    net-uuid        convert a network name to network UUID
    iface-list      list physical host interfaces
    iface-name      convert an interface MAC address to interface name
    iface-mac       convert an interface name to interface MAC address
    iface-dumpxml   interface information in XML
    iface-define    define (but don't start) a physical host interface from an XML file
    iface-undefine  undefine a physical host interface (remove it from configuration)
    iface-edit      edit XML configuration for a physical host interface
    iface-start     start a physical host interface (enable it / "if-up")
    iface-destroy   destroy a physical host interface (disable it / "if-down")
    managedsave     managed save of a domain state
    managedsave-remove Remove managed save of a domain
    nodeinfo        node information
    nodedev-list    enumerate devices on this host
    nodedev-dumpxml node device details in XML
    nodedev-dettach dettach node device from its device driver
    nodedev-reattach reattach node device to its device driver
    nodedev-reset   reset node device
    nodedev-create  create a device defined by an XML file on the node
    nodedev-destroy destroy a device on the node
    nwfilter-define define or update a network filter from an XML file
    nwfilter-undefine undefine a network filter
    nwfilter-dumpxml network filter information in XML
    nwfilter-list   list network filters
    nwfilter-edit   edit XML configuration for a network filter
    pool-autostart  autostart a pool
    pool-build      build a pool
    pool-create     create a pool from an XML file
    pool-create-as  create a pool from a set of args
    pool-define     define (but don't start) a pool from an XML file
    pool-define-as  define a pool from a set of args
    pool-destroy    destroy a pool
    pool-delete     delete a pool
    pool-dumpxml    pool information in XML
    pool-edit       edit XML configuration for a storage pool
    pool-info       storage pool information
    pool-list       list pools
    pool-name       convert a pool UUID to pool name
    pool-refresh    refresh a pool
    pool-start      start a (previously defined) inactive pool
    pool-undefine   undefine an inactive pool
    pool-uuid       convert a pool name to pool UUID
    secret-define   define or modify a secret from an XML file
    secret-dumpxml  secret attributes in XML
    secret-set-value set a secret value
    secret-get-value Output a secret value
    secret-undefine undefine a secret
    secret-list     list secrets
    pwd             print the current directory
    quit            quit this interactive terminal
    exit            quit this interactive terminal
    reboot          reboot a domain
    restore         restore a domain from a saved state in a file
    resume          resume a domain
    save            save a domain state to a file
    schedinfo       show/set scheduler parameters
    dump            dump the core of a domain to a file for analysis
    shutdown        gracefully shutdown a domain
    setmem          change memory allocation
    setmaxmem       change maximum memory limit
    setvcpus        change number of virtual CPUs
    suspend         suspend a domain
    ttyconsole      tty console
    undefine        undefine an inactive domain
    update-device   update device from an XML file
    uri             print the hypervisor canonical URI
    vol-create      create a vol from an XML file
    vol-create-from create a vol, using another volume as input
    vol-create-as   create a volume from a set of args
    vol-clone       clone a volume.
    vol-delete      delete a vol
    vol-wipe        wipe a vol
    vol-dumpxml     vol information in XML
    vol-info        storage vol information
    vol-list        list vols
    vol-pool        returns the storage pool for a given volume key or path
    vol-path        returns the volume path for a given volume name or key
    vol-name        returns the volume name for a given volume key or path
    vol-key         returns the volume key for a given volume name or path
    vcpuinfo        domain vcpu information
    vcpupin         control domain vcpu affinity
    version         show version
    vncdisplay      vnc display
    snapshot-create Create a snapshot
    snapshot-current Get the current snapshot
    snapshot-delete Delete a domain snapshot
    snapshot-dumpxml Dump XML for a domain snapshot
    snapshot-list   List snapshots for a domain
    snapshot-revert Revert a domain to a snapshot

virsh # 

Set a domain --a guest-- to be autostarted by the libvirt daemon
# virsh autostart 2
Domain 2 marked as autostarted

Verify that a guest is set to autostart
# virsh dominfo 2 |grep -i auto
Autostart:      enable

# ls /etc/libvirt/qemu/autostart/
Before taking the time to read carefully and look around a bit more, I used to set autostart with `virsh start domain` cron jobs.

View domain information and create XML configuration files
# virsh dumpxml vm0
It prints the XML configuration to stdout.

The kvm-qemu guest hosts xml configuration files are in /etc/libvirt/qemu/ on Debian systems.

# virsh dominfo vm0
Id:             -
Name:           vm0
UUID:           7337798a-ae00-efb4-7790-259c168f764b
OS Type:        hvm
State:          shut off
CPU(s):         2
Max memory:     524288 kB
Used memory:    524288 kB
Persistent:     yes
Autostart:      disable

List the guests
# virsh list --all
 Id Name                 State
  2 vm2                  running
  - vm0                  shut off
  - vm1                  shut off

Display Virtual CPU information
# virsh vcpuinfo 2
VCPU:           0
CPU:            0
State:          running
CPU time:       1219.9s
CPU Affinity:   yy

VCPU:           1
CPU:            1
State:          running
CPU time:       1040.8s
CPU Affinity:   yy

# virsh vcpuinfo vm0
error: Domain shut off, virtual CPUs not present.
error: Requested operation is not valid: cannot list vcpu pinning for an inactive domain

Create a guest from an xml configuration file
# virsh create vm0.xml
To create an XML configuration file from an existing guest
# virsh dumpxml vm0 > vm0.xml

Start a guest host
# virsh start vm0
Domain vm0 started

Reboot a guest host
# virsh reboot vm0
error: Failed to reboot domain vm0
error: this function is not supported by the connection driver: virDomainReboot
Not supported for KVM on version 0.8.3.

Shutdown a guest host
# virsh shutdown vm0
Domain vm0 is being shutdown

# virsh list --all
 Id Name                 State
  2 vm2                  running
  3 vm0                  running
  - vm1                  shut off
vm0 is still running: a graceful shutdown does not always work, since the guest itself has to act on the ACPI shutdown request.

Terminate a guest host
# virsh destroy vm0
Domain vm0 destroyed

An immediate ungraceful shutdown.
# virsh list --all
 Id Name                 State
  2 vm2                  running
  - vm0                  shut off
  - vm1                  shut off


openwrt routerstation from kamikaze to attitude_adjustment

Notes taken while upgrading an OpenWrt-powered RouterStation from Kamikaze to Attitude Adjustment.

Install tftp
pc# apt-get install tftp

Set the PC interface where tftp binds to
pc# ifconfig eth0:2 netmask

Get openwrt
pc# wget http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/openwrt-ar71xx-generic-ubnt-rs-squashfs-factory.bin

Configure routerstation network
$ ssh root@
BusyBox v1.13.4 (2009-09-24 17:24:11 EEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (bleeding edge, r17696) ------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
root@rs# vi /etc/config/network 
Set eth0 --the WAN/PoE port-- to
config interface lan
        option ifname   eth0
        option proto    static
        option ipaddr
        option netmask
        option broadcast

Restart network
root@rs# /etc/init.d/network restart

Put the RouterStation in tftp mode --hold the reset button while powering it on--

Send the firmware from the PC
pc# tftp -m binary -c put openwrt-ar71xx-generic-ubnt-rs-squashfs-factory.bin
tftp> connect
tftp> mode binary
tftp> put openwrt-ar71xx-generic-ubnt-rs-squashfs-factory.bin
Sent 2883996 bytes in 2.5 seconds
tftp> quit

Reboot the RouterStation and move the ethernet cable to LAN port 1

Go to with a web-browser and click on Go to password configuration...
Set your password and Dropbear --the ssh daemon-- preferences
Click on Save & Apply

ssh in
$ ssh root@
The authenticity of host ' (' can't be established.
RSA key fingerprint is e2:f5:58:e7:2c:90:5c:02:ec:48:93:b7:bd:5c:94:6c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
root@'s password: 

BusyBox v1.19.4 (2013-03-14 11:28:31 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 ATTITUDE ADJUSTMENT (12.09, r36088)
  * 1/4 oz Vodka      Pour all ingredients into mixing
  * 1/4 oz Gin        tin with ice, strain into glass.
  * 1/4 oz Amaretto
  * 1/4 oz Triple sec
  * 1/4 oz Peach schnapps
  * 1/4 oz Sour mix
  * 1 splash Cranberry juice

I did not find the Attitude Adjustment v12.09 on the table, but so far it works well.

