Archive

Archive for the ‘Networking’ Category

New worst cabinet ever

November 3rd, 2009 Jonathan 2 comments

A while back I wrote about the worst cabinet ever.

Maybe this one isn’t as spectacular to behold, but there is a Cisco switch under all that spaghetti. There are also two PoE power injectors for wireless access points. All this is in a wooden cupboard and it was roasting hot.

You can see that they also haven’t bothered to install a patch board – instead there are just wall sockets covering the side, and a few lying around not attached to anything.

At the back, there’s a telephone patch panel too.

Home of the Internet

October 30th, 2009 Jonathan No comments

While in Sicily last year, I found out where the Internet actually is. It’s halfway up a mountain in Taormina.

Escaping usernames during RADIUS accounting

October 7th, 2009 Jonathan No comments

Today I encountered a problem in my FreeRADIUS setup. Usernames can be sent to my RADIUS servers as a simple username (e.g. jonathan) or with a realm prepended (e.g. DOMAIN\jonathan).

When a username with a realm is sent to a RADIUS authentication server doing MSCHAP, the domain prefix is dealt with for you and you never notice. But when the same username reaches an accounting server (where MSCHAP is not involved) nothing strips or escapes it.

This caught me out.

Users were authenticating on my network successfully. DOMAIN\rachel and DOMAIN\thomas were happily authenticated against the domain controllers and gained access to the wireless. But when they started sending accounting packets, the \r and \t portions of their usernames reached the database unquoted, where they were interpreted as a carriage return and a tab respectively.

Eeek!

I didn’t notice until I saw that MySQL had converted these \r and \t characters to the hex equivalents. Where my accounting table should have contained rachel, it actually contained DOMAIN=0Dachel.

Yikes!

I fixed this by creating a local proxy realm. At the end of my proxy.conf, I added these lines:

realm DOMAIN {
}

Obviously substituting the real name of your domain for DOMAIN. A realm block with nothing in it means “this realm is handled locally”, which is all we need here.

Then in the preacct section of my virtual server I added the ntdomain module. It splits DOMAIN\jonathan at the backslash, puts the domain into %{Realm} and the bare username into %{Stripped-User-Name}, and leaves %{User-Name} exactly as it arrived. It only does this for realms that are defined in proxy.conf, which is why the empty realm block above is needed.

Now, at the top of the dialup.conf for your database type (sql/mysql/dialup.conf in my case), make sure the following line is uncommented:

sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"

…and that all other definitions of sql_user_name are commented.

Once you’ve done this, your accounting detail logs will contain usernames like DOMAIN\\username (with an escaped backslash) and your database table will simply have username.
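To see what each of those pieces does to a username, here is the path from User-Name to accounting table reproduced in shell. This is an added example and not part of the original post or of FreeRADIUS itself: strip_ntdomain mirrors what the ntdomain realm module does (only for realms you name, as proxy.conf does), accounting_username mirrors the sql_user_name fallback chain above, and sql_escape mirrors rlm_sql’s habit of turning any byte outside its safe_characters list into =XX hex. The SAFE string is the default safe_characters from raddb/sql.conf as I remember it, the realm match is exact here, and the =0D result only appears once the \r has already become a real carriage-return byte somewhere before the query is built; the example does not model where in a given setup that happens.

```sh
#!/bin/sh
# Added example, not from the original post and not FreeRADIUS code: reproduces
# the ntdomain split, the sql_user_name fallback chain and rlm_sql's "=XX"
# escaping so you can predict what a User-Name will look like in radacct.
# SAFE is the default safe_characters from raddb/sql.conf as I remember it;
# check it against your own sql.conf before relying on the output.
SAFE='@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /'

# Escape one value the way rlm_sql does: safe bytes pass through, anything
# else becomes =XX in hex. A carriage return therefore shows up as =0D.
sql_escape() {
    printf '%s' "$1" | od -An -v -tu1 | awk -v safe="$SAFE" '
        { for (i = 1; i <= NF; i++) {
              c = sprintf("%c", $i + 0)
              if (index(safe, c) > 0) printf "%s", c
              else printf "=%02X", $i + 0
          } }'
}

# ntdomain: DOMAIN\user -> prints "user" when DOMAIN is one of the realms
# given as the remaining arguments (what "realm DOMAIN { }" in proxy.conf
# provides); otherwise prints nothing, like the realm module returning noop.
strip_ntdomain() {
    u=$1; shift
    case $u in *\\*) ;; *) return 0 ;; esac
    realm=${u%%\\*}
    user=${u#*\\}
    for r in "$@"; do
        if [ "$r" = "$realm" ]; then
            printf '%s' "$user"
            return 0
        fi
    done
    return 0
}

# sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}",
# followed by the escaping the query goes through.
accounting_username() {
    u=$1; shift
    stripped=$(strip_ntdomain "$u" "$@")
    if [ -n "$stripped" ]; then
        sql_escape "$stripped"
    elif [ -n "$u" ]; then
        sql_escape "$u"
    else
        printf 'DEFAULT'
    fi
}

# With the realm defined, the domain is dropped before the query is built:
#   accounting_username 'DOMAIN\rachel' DOMAIN        -> rachel
# Without it, the raw User-Name is escaped; a literal backslash becomes =5C:
#   accounting_username 'DOMAIN\rachel'               -> DOMAIN=5Crachel
# If the \r had already become a real carriage return before this point,
# the post's symptom appears and no realm block can help, because there is
# no backslash left to split on:
#   accounting_username "$(printf 'DOMAIN\rachel')"   -> DOMAIN=0Dachel
# To find rows that already got in this way (standard radacct schema):
#   mysql radius -e "SELECT username FROM radacct WHERE username LIKE '%=%'"
```

Run it with `sh -x` if you want to watch the split happen; the last comment is the query I would run once, after the fix, to find the rows that still need cleaning up by hand.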

Review: Promise SmartStor NS4300N NAS

October 6th, 2009 Jonathan No comments

I decided to buy a NAS and remove the disks from my home server.

I didn’t want to spend too much money, since this was one of those non-essential projects. But equally, I didn’t want to spend too little and get something that would break and destroy all my data with it. Eventually I decided upon a Promise SmartStor NS4300N.

Features

It had all the features I wanted, including:

  • SMB/CIFS for Windows clients
  • NFS for Linux clients
  • RAID5
  • Gigabit Ethernet with Jumbo Frames

First impressions

So how did it shape up?

The build quality was relatively poor. It’s made from thin plastic and feels flimsy. The disk caddies are incredibly flimsy and flexible, and I felt nervous even handling them; but this didn’t matter because I planned to assemble it and leave it alone.

It wasn’t exactly quiet either. There is an 80mm fan for the disks and a 40mm fan for the internal PSU. The 80mm fan only spins when the disks are hot but it is very noisy when it does so. The 40mm fan is constant but not so loud. And of course there’s the sound of four hard disks, which varies depending on make and model. Overall, it’s probably quieter than a standard computer, but you wouldn’t want to sleep with it in your bedroom.

It’s not a problem for me because I’m putting it in the loft.

Setting it up

The initial setup wasn’t as straightforward as I thought it could (should?) have been, especially for beginners. But it wasn’t really much trouble to set up a RAID5 array with 4 x 500GB disks and format it, for a total of 1.4TB.

More confusing, perhaps, was the selection of different protocols and the layout for setting up users, shares and permissions.

I wanted to set up two shares, public and private and set public to be world-readable (for my media centre) and private to be accessible only by me. If you create these accounts on the NAS, it’s simple enough to tick the boxes and set the desired permissions on Windows (SMB/CIFS) shares.

But NFS was a different kettle of fish. No user-level permissions are available on the NAS for NFS, and the only control you get is a list of allowed IP addresses. That is really a limitation of NFS as it is usually deployed rather than of this box: with the normal AUTH_SYS security flavour the server simply trusts whatever user ID the client asserts, so the export’s host list is the only thing standing between a client and the data. By default the NAS says it allows *.*.*.* but I found that this didn’t let anyone in. Adding real IP addresses to the list worked.

However, I found that when you have data shared both as NFS and SMB/CIFS, the permissions go out of the window and are not respected at all. An unauthenticated guest user was able to read and delete files from my private share.

Performance

Performance was far worse than I had expected.

With the NAS mounted on my PC via NFS, it would only manage 4.8MB/s sustained write rate, and 13.5MB/s sustained read rate. That’s significantly worse than the sustained 30MB/s I used to get with the same disks in the server, as a Linux software RAID array. On top of that, writing at this speed tied up my computer’s quad-core CPU 100% with IOWait.

With the NAS mounted on the same PC via SMB, it was able to write sustained at 9.2MB/s.

This is really quite poor, given that the same set of disks when connected directly into the server with SATA could write at some 35MB/s.

It depends on your usage though – if you simply want to play music and videos from the NAS then 10MB/s is fine, even for high definition. However I use mine for large backups and I don’t want to wait almost ten times longer for the backups to complete.

Summary

  • If you already have a NAS or storage server that you are happy with, don’t buy this.
  • If you want to use NFS, don’t buy this.
  • If you care about high performance, don’t buy this.
  • If you want a reasonably-priced solution for backups or sharing media between computers, buy this. I reckon it would be fine to shove in a cupboard and simply drag your movies onto from your computer, so you could watch them on your media centre.

However, it didn’t cut the mustard with me, so I sent it back. I’ve now returned to my original system with the four disks hosted in the server. It’s fast and the permissions work fine – the downside is that I have to keep a large, noisy ATX tower case and can’t switch to an Intel Atom solution :-(

SSH tunnelling to your home network

September 24th, 2009 Jonathan No comments

SSH tunnelling is no big secret, and there are loads of guides out there that explain how it is done in generic terms. This guide is slightly different, as it explains how to tunnel to hosts that are not publicly addressable.

For example, if you have a Linux server as your home network gateway then you can simply open ports on it, e.g. port 80 for a web server.

If you want to access a service on a computer on your network other than your server, you will have to set up port forwarding.

But there’s another way. Today while I was at work, I needed to change something on my home network printer’s web interface. The printer has a private IP address in the range 192.168.0.0/24 and there is no port forwarding set up (why would I want to share my printer’s control panel on the internet?).

Supposing my server is called jonathangazeley.com then I can enter a command like this from my work PC:

ssh -f jonathan@jonathangazeley.com -L 2000:192.168.0.105:80 -N

This tells ssh to listen on port 2000 of my work PC (on the loopback address only, by default) and to forward whatever connects there, through the ssh session to my home server, to port 80 on the printer. -N means don’t run a remote command, and -f sends ssh into the background once the forward is in place.

Then I open my browser at work and navigate to http://localhost:2000

Hey presto, I can now see my printer’s config page remotely. As a nice by-product, the connection between my work PC and the home server is encrypted by ssh; only the final hop from the server to the printer, on my own LAN, is plain HTTP.
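The same tunnel in the two forms I would actually keep around, as an added example that is not part of the original post: a small command builder, and a Host block for ~/.ssh/config so the whole thing becomes `ssh -f -N home`. Both bind the local end to 127.0.0.1 explicitly, so nobody else on the office network can reach the printer through your PC, and both set ExitOnForwardFailure so a backgrounded ssh does not sit there quietly with the forward missing. The gateway, user and printer address are the post’s own; the “home” alias and the file name gen-tunnel.sh in the comments are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: build (and print, rather than run)
# an ssh local-forward command, or the equivalent ~/.ssh/config Host block.
# Forwards are always bound to 127.0.0.1 and ExitOnForwardFailure is set.

# A forward spec is LOCALPORT:HOST:PORT, the same shape ssh -L takes.
check_spec() {
    case $1 in
        *:*:*) return 0 ;;
    esac
    echo "bad forward spec '$1' (want LOCALPORT:HOST:PORT)" >&2
    return 1
}

# usage: forward_cmd user@gateway LOCALPORT:HOST:PORT [LOCALPORT:HOST:PORT ...]
forward_cmd() {
    gw=$1; shift
    cmd="ssh -f -N -o ExitOnForwardFailure=yes"
    for spec in "$@"; do
        check_spec "$spec" || return 1
        cmd="$cmd -L 127.0.0.1:$spec"
    done
    printf '%s %s\n' "$cmd" "$gw"
}

# usage: ssh_config_block ALIAS GATEWAY USER LOCALPORT:HOST:PORT ...
# Append the output to ~/.ssh/config; afterwards "ssh -f -N ALIAS" opens the tunnel.
ssh_config_block() {
    alias_=$1; host=$2; user=$3; shift 3
    printf 'Host %s\n    HostName %s\n    User %s\n    ExitOnForwardFailure yes\n' \
        "$alias_" "$host" "$user"
    for spec in "$@"; do
        check_spec "$spec" || return 1
        # LocalForward takes two words: [bind_address:]port and host:hostport
        printf '    LocalForward 127.0.0.1:%s %s\n' "${spec%%:*}" "${spec#*:}"
    done
}

# Examples (the post's printer):
#   sh gen-tunnel.sh jonathan@jonathangazeley.com 2000:192.168.0.105:80
#   ssh_config_block home jonathangazeley.com jonathan 2000:192.168.0.105:80 >> ~/.ssh/config
if [ "$#" -gt 0 ]; then
    forward_cmd "$@"
fi
```

If you ever want the forward reachable from other machines you must ask for it with a bind address of 0.0.0.0 or *, and even then the server side’s GatewayPorts setting has the final say; the default of binding to loopback is the right one for a printer control panel.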

An easy way to generate an iptables config

August 31st, 2009 Jonathan No comments

This is a +1 for Easy Firewall Generator for iptables.

Of course any self-respecting sysadmin should be able to set up iptables, but starting from a blank slate can be tricky. So I use this website, which lets you define the basics with a handful of checkboxes and generates a script that configures your computer’s iptables firewall.

It works for single hosts and servers that do NAT, and includes protection against a great many nasties.

Once you have this, it’s then an easy task to hand-configure the result to your heart’s content.
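For the single-host case, what any such generated script boils down to is short enough to write by hand, and writing it by hand is the best way to understand the generated one before you hand-configure it. The following is an added example and not the generator’s output: a minimal stateful ruleset for a host that is not doing NAT, emitted in iptables-restore format so you can read it before loading it. The ports are whatever you pass in; 22 and 80 in the comment, and the file name gen-rules.sh, are assumptions.

```sh
#!/bin/sh
# Added example, not the generator's output: a minimal stateful ruleset for a
# single host (no NAT) in iptables-restore format. Printed, not applied.
gen_host_rules() {
    # usage: gen_host_rules PORT [PORT ...]   (TCP ports to accept from anywhere)
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "gen_host_rules: bad port '$p'" >&2; return 1 ;;
        esac
    done
    # Default-deny inbound and forwarded traffic, allow outbound.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT'
    # Only new TCP connections to the listed ports get in.
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p --syn -m state --state NEW -j ACCEPT"
    done
    # Log what falls through, rate-limited so a scan cannot fill the log.
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: " --log-level 4' \
        'COMMIT'
}

# Review, then load:   sh gen-rules.sh 22 80 | sudo iptables-restore
# On Fedora/CentOS, keep it across reboots with:   iptables-save > /etc/sysconfig/iptables
if [ "$#" -gt 0 ]; then
    gen_host_rules "$@"
fi
```

The order matters: loopback and established traffic are accepted before anything else so that replies to your own outbound connections never hit the port list, and the LOG rule sits last so it only sees what the DROP policy is about to discard.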

Changing the verbosity of wpa_supplicant on Ubuntu

August 17th, 2009 Jonathan No comments

Sometimes you need to change the log verbosity of wpa_supplicant for debugging purposes. First check which log verbosity you are currently running with.

ps -ef | grep wpa_supplicant | grep -v grep

-d represents verbose
-dd represents extra verbose

To change the log verbosity, edit /usr/share/dbus-1/system-services/fi.epitest.hostap.WPASupplicant.service and add -d or -dd as appropriate. Bear in mind that this file belongs to the wpa_supplicant package, so a package upgrade will put the original back. Example:

[D-BUS Service]
Name=fi.epitest.hostap.WPASupplicant
Exec=/sbin/wpa_supplicant -u -d -f /var/log/wpa_supplicant.log
User=root

Restart NetworkManager, and kill any wpa_supplicant process that is still running: D-Bus only launches a fresh one with the new flags if nobody still owns the bus name. Then run the check again to see which log verbosity you are running with.

Web statistics with AWstats

August 13th, 2009 Jonathan No comments

A few months ago I set up a website, Memories of Korea, to showcase some slides I inherited. Naturally I was keen to find out how many visitors I’d had, so I set about finding something that could draw pretty graphs.

Based on my experiences setting up website statistics with AWstats, I’ve now prepared a guide for anyone else wishing to do the same.

This guide assumes you are running either Fedora or CentOS, with Apache httpd web server. The majority of the AWstats config will apply on any distro, and with several different web servers, but paths and installation procedures may vary.

Installing AWstats

First things first, let’s install AWstats. On Fedora:

sudo yum install awstats

On CentOS, you need to jump through a hoop first by enabling the EPEL repository:

sudo rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
sudo yum install awstats

Tweaking your Apache logs

AWstats works by reading your httpd access logs. Somewhere in your httpd.conf you should have a line like this.

CustomLog logs/access_log common

or

CustomLog logs/access_log combined

If you have virtual servers, each server is likely to have its own log file and associated CustomLog directive, too. For now, just pick one set of logs to work with and do the rest later. If your CustomLog directive ends in common, change it to combined and reload Apache. This keeps the existing fields as they are and adds the Referer and User-Agent to the end of each line, which is where AWstats gets its referrer and browser statistics from.

Don’t worry if you can’t change the log format for one reason or another – AWstats will still work but you won’t get quite as many juicy stats.

While you’re nosing around in httpd.conf, make a note of the path and filename of the access log – you’ll need it in a second. In my case it’s /var/log/httpd/access_log, which is the default for a non-virtual Apache server on Fedora and CentOS (logs/access_log in httpd.conf is relative to the ServerRoot, /etc/httpd, where logs is a symlink to /var/log/httpd).

Go into /etc/awstats. There should be a sample config file called awstats.model.conf. This contains most of the default options you will need, so let’s make a copy of it and work on that. Give the copy the same name as your website.

cp awstats.model.conf awstats.www.memoriesofkorea.com.conf
vi awstats.www.memoriesofkorea.com.conf

You don’t need to change many options to get it going, so I will outline the basics here. Find the following directives in the config file, and change their values appropriately. Leave everything else alone – for now!

Tell AWstats where your Apache log file is:

LogFile="/var/log/httpd/access_log"

Leave this as 1 if you are using combined Apache logs. Change it to 4 if you are using common Apache logs.

LogFormat=1

Set this to the main name of your website.

SiteDomain="www.memoriesofkorea.com"

If your website has other names, add them here. Usually the only “other” name is simply omitting the www. Leave in 127.0.0.1 and localhost, which may be important if you access your website from the server it is running on.

HostAliases="memoriesofkorea.com 127.0.0.1 localhost"

Save your changes and exit.

Run AWstats for the first time

When you installed AWstats, a cron job was set up to collect log information hourly, but if you’re too impatient to wait for cron, run the first AWstats update now:

/usr/share/awstats/tools/awstats_updateall.pl now

Grant access to the AWstats page

You need to edit the file /etc/httpd/conf.d/awstats.conf. This just tells Apache who can view the statistics. Somewhere in the middle of the file there should be a block like the one below. By default only 127.0.0.1 (the web server itself) is allowed to view the page, so if your web browser isn’t running on the server, you will need to change something.

The three Allow lines below show the choices: keep the first, then add either a single IP address, an address range (e.g. 192.168.0.0/24 for a home network) or simply all to grant access to the world. Bear in mind that all publishes your visitor logs, client IP addresses included, to anyone who finds the URL, so if you go that way turn on AWstats’s own user authentication or put the directory behind Apache authentication.

    Options None
    AllowOverride None
    Order allow,deny
    Allow from 127.0.0.1
    Allow from 192.168.0.0/24
    Allow from all

Save the file and exit. Restart Apache.

service httpd restart

See your statistics

Assuming all went well, you should be able to view your statistics page at http://www.mysite.com/awstats/awstats.pl

Other options

You no doubt saw while editing awstats.www.memoriesofkorea.com.conf that there are many, many more configurable options for AWstats, including user authentication to name but one.

The config file is well commented and there is plenty of documentation online to help you along.
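The per-site part of the procedure above is the bit you repeat for every virtual host, so here it is as a script. This is an added example, not part of the original guide: log_format_code reads a real line of the access log and picks the LogFormat value (1 for combined, 4 for common), and make_awstats_conf copies awstats.model.conf with the four directives replaced. The paths and site names in the comments are the guide’s own; the log lines used to test it are constructed.

```sh
#!/bin/sh
# Added example, not from the original guide: generate the per-site AWstats
# config from awstats.model.conf, choosing LogFormat from the log itself.

# Prints 1 if the line is Apache "combined" (quoted referer and user-agent
# follow the status and size), 4 if it is "common". Splitting on '"' gives
# 7 pieces for combined and 3 for common.
log_format_code() {
    printf '%s\n' "$1" | awk -F'"' '{ code = (NF >= 7) ? 1 : 4; print code }'
}

# usage: make_awstats_conf MODEL OUT LOGFILE FORMAT SITE "ALIASES"
# Copies MODEL to OUT with LogFile, LogFormat, SiteDomain and HostAliases replaced.
make_awstats_conf() {
    model=$1 out=$2 logfile=$3 fmt=$4 site=$5 aliases=$6
    sed -e "s|^LogFile=.*|LogFile=\"$logfile\"|" \
        -e "s|^LogFormat=.*|LogFormat=$fmt|" \
        -e "s|^SiteDomain=.*|SiteDomain=\"$site\"|" \
        -e "s|^HostAliases=.*|HostAliases=\"$aliases\"|" "$model" > "$out"
}

# Example session on the web server (as root), then the first update by hand:
#   fmt=$(log_format_code "$(tail -n 1 /var/log/httpd/access_log)")
#   make_awstats_conf /etc/awstats/awstats.model.conf \
#       /etc/awstats/awstats.www.memoriesofkorea.com.conf \
#       /var/log/httpd/access_log "$fmt" www.memoriesofkorea.com \
#       "memoriesofkorea.com 127.0.0.1 localhost"
#   /usr/share/awstats/tools/awstats_updateall.pl now
```

Feeding the detector the last line of the log, rather than trusting what you remember setting in httpd.conf, catches the case where the CustomLog was changed but Apache was never reloaded.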

An ugly fix

July 26th, 2009 Jonathan No comments

My home server seems to have developed a problem where its internal-facing network card “jams up”. It still keeps its IP address and everything looks normal, but in actual fact no traffic passes through it, cutting all my LAN hosts off from the Internet.

Restarting iptables, network services or anything else doesn’t help. The only cure I’ve found is to reboot the whole box.

This is OK if I’m using the computer at the time, but a pain if it breaks overnight or while I’m out, as things like my folding@home client, Vista Media Centre TV listings and overnight BitTorrent downloads need Internet access.

So I wrote this bash script to periodically check if it’s broken, and reboot if it is. The only gotcha is that it tests if the interface is working by pinging another LAN host. This is by no means a concrete test!

#!/bin/bash
# Reboot the gateway if its LAN-facing interface looks dead. The only test is
# a ping to one LAN host, so that host being switched off will reboot this box too.
HOST=192.168.0.10
# Three probes rather than one, so a single lost packet is not enough to reboot.
if ! ping -c 3 -w 10 "$HOST" &>/dev/null ; then
    logger "ZEUS REBOOT: no reply from $HOST"
    /sbin/init 6
fi
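If the one-host test makes you nervous, the following is the version I would run from cron instead. It is an added example and not the original script: it probes several LAN hosts and only reboots when none of them answers on a number of consecutive runs, so a host being switched off, or one lost packet, cannot reboot the gateway on its own. The host addresses and threshold are made up, and PROBE and STATE can be overridden from the environment, which is how it is tested without pinging anything.

```sh
#!/bin/sh
# Added example, not the original script: a less trigger-happy LAN watchdog.
# Reboots only when no probe host answers on THRESHOLD consecutive runs.
# HOSTS are made-up addresses; PROBE and STATE are overridable for testing.
HOSTS="192.168.0.10 192.168.0.20 192.168.0.30"
THRESHOLD=3
STATE=${STATE:-/var/run/lan-watchdog.failures}
PROBE=${PROBE:-"ping -c 1 -w 5"}

# 0 if any probe host answers, 1 if none does.
lan_reachable() {
    for h in $HOSTS; do
        if $PROBE "$h" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# Updates the consecutive-failure counter kept in STATE and prints the verdict:
# "ok", "failed N/THRESHOLD", or "reboot".
record_and_decide() {
    if lan_reachable; then
        rm -f "$STATE"
        echo ok
        return 0
    fi
    n=$(cat "$STATE" 2>/dev/null || echo 0)
    n=$((n + 1))
    echo "$n" > "$STATE"
    if [ "$n" -ge "$THRESHOLD" ]; then
        echo reboot
    else
        echo "failed $n/$THRESHOLD"
    fi
}

# Run from root's crontab, e.g.:  */5 * * * * /usr/local/sbin/lan-watchdog run
# Nothing happens unless "run" is given, so sourcing or testing the file is safe.
case ${1:-} in
    run)
        verdict=$(record_and_decide)
        logger -t lan-watchdog "$verdict"
        if [ "$verdict" = reboot ]; then
            rm -f "$STATE"
            /sbin/init 6
        fi
        ;;
esac
```

With a five-minute cron interval and a threshold of three, the gateway has to be unreachable from every probe host for about fifteen minutes before it reboots, and every run leaves a line in syslog saying why it did or did not.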

WHOIS

July 23rd, 2009 Jonathan No comments

A matter brought to my attention just a few minutes ago – visibility of personal data in WHOIS info.

I registered the domain jonathangazeley.com with No-IP. It worked, and I thought nothing more of it. But this morning one of my colleagues received a personalised scam and it seems likely that the scammers retrieved his personal information from WHOIS.

I checked my own WHOIS data and was shocked (although not really surprised) to see my personal data appear before my eyes. My name, home address, mobile phone number and email address were all included. This is bad news, as anyone can get hold of this information – such as scammers, spammers, legitimate (but annoying) marketing, or even real-life criminals who want to know where I live.

Fortunately No-IP offers a private registration option for $9.95/year. I immediately purchased this option and now my WHOIS data shows nothing except my name.

I urge anyone who has registered a domain to check their own WHOIS data and take appropriate steps if necessary. It’s easy in Linux:

[jonathan@poseidon ~]$ whois jonathangazeley.com
[Querying whois.verisign-grs.com]
[Redirected to whois.no-ip.com]
[Querying whois.no-ip.com]
[whois.no-ip.com]
NOTICE: Access to No-IP.com WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the No-IP.com registrar database. The data in this record is provided by No-IP.com for informational purposes only, and No-Ip.com does not guarantee its accuracy.  This service is intended only for query-based access.  You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator or any ICANN-Accredited Registrar, except as reasonably necessary to register domain names or modify existing registrations.  All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.

Domain Name: JONATHANGAZELEY.COM
Created On: 02-May-2008 10:53:42 UTC
Last Updated On: 02-May-2008 10:53:42 UTC
Expiration Date: 02-May-2010 10:53:41 UTC
Sponsoring Registrar: Vitalwerks Internet Solutions, LLC / No-IP.com
Registrant Name: Gazeley, Jonathan
Registrant Organization:
Registrant Street1: ATTN: jonathangazeley.com, c/o No-IP.com Registration Privacy
Registrant Street2: P.O. Box 19083
Registrant City: Reno
Registrant State/Province: NV
Registrant Postal Code: 89511
Registrant Country: US
Registrant Phone: +1.7758531883
Registrant FAX:
Registrant Email: 1a37bda6b1603338-250851@privacy.no-ip.com
Admin Name: Gazeley, Jonathan
Admin Street1: ATTN: jonathangazeley.com, c/o No-IP.com Registration Privacy
Admin Street2: P.O. Box 19083
Admin City: Reno
Admin State/Province: NV
Admin Postal Code: 89511
Admin Country: US
Admin Phone: +1.7758531883
Admin FAX:
Admin Email: 1a37bda6b1603338-250851@privacy.no-ip.com

Name Server: NS2.NO-IP.COM
Name Server: NS1.NO-IP.COM
Name Server: NS3.NO-IP.COM
Name Server: NS4.NO-IP.COM
Name Server: NS5.NO-IP.COM

As you can see, all of this data (except my name, of course) now belongs to No-IP. Problem solved!
