Category Archives: Networking - Page 2

An easy way to generate an iptables config

This is a +1 for Easy Firewall Generator for iptables.

Of course any self-respecting sysadmin should be able to set up iptables, but sometimes starting off can be tricky. So I use this website, which lets you define the basics using a handful of checkboxes, and it generates a script that configures your computer’s iptables firewall.

It works for single hosts and servers that do NAT, and includes protection against a great many nasties.

Once you have this, it’s then an easy task to hand-configure the result to your heart’s content.

Changing the verbosity of wpa_supplicant on Ubuntu

Sometimes you need to change the log verbosity of wpa_supplicant for debugging purposes. First check which log verbosity you are currently running with.

ps -ef | grep wpa_supplicant | grep -v grep

-d represents verbose
-dd represents extra verbose

To change the log verbosity, edit /usr/share/dbus-1/system-services/fi.epitest.hostap.WPASupplicant.service and add -d or -dd as appropriate. Example:

[D-BUS Service]
Name=fi.epitest.hostap.WPASupplicant
Exec=/sbin/wpa_supplicant -u -d -f /var/log/wpa_supplicant.log
User=root

Restart NetworkManager and run the check again to see which log verbosity you are running with.

Web statistics with AWstats

A few months ago I set up a website, Memories of Korea, to showcase some slides I inherited. Naturally I was keen to find out how many visitors I’d had, so I set about finding something that could draw pretty graphs.

Based on my experiences setting up website statistics with AWstats, I’ve now prepared a guide for anyone else wishing to do the same.

This guide assumes you are running either Fedora or CentOS, with Apache httpd web server. The majority of the AWstats config will apply on any distro, and with several different web servers, but paths and installation procedures may vary.

Installing AWstats

First things first, let’s install AWstats. On Fedora:

sudo yum install awstats

On CentOS, you need to jump through a hoop first by enabling the EPEL repository:

sudo rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
sudo yum install awstats

Tweaking your Apache logs

AWstats works by reading your httpd access logs. Somewhere in your httpd.conf you should have a line like this.

CustomLog logs/access_log common

or

CustomLog logs/access_log combined

If you have virtual servers, each server is likely to have its own log file and associated CustomLog directive, too. For now, just pick one set of logs to work with and do the rest later. If your CustomLog directive ends in common, change it to combined. This keeps the log format the same, but causes a couple of extra fields to be logged.

Don’t worry if you can’t change the log format for one reason or another – AWstats will still work but you won’t get quite as many juicy stats.

While you’re nosing around in httpd.conf, make a note of the path and filename of the access log – you’ll need it in a second. In my case it’s /var/log/access_log, which is the default for non-virtual Apache servers.

Go into /etc/awstats. There should be a sample config file called awstats.model.conf. This contains most of the default options you will need, so let’s make a copy of it and work on that. Give the copy the same name as your website:

cp awstats.model.conf awstats.www.memoriesofkorea.com.conf
vi awstats.www.memoriesofkorea.com.conf

You don’t need to change many options to get it going, so I will outline the basics here. Find the following directives in the config file, and change their values appropriately. Leave everything else alone – for now!

Tell AWstats where your Apache log file is:

LogFile="/var/log/httpd/access_log"

Leave this as 1 if you are using combined Apache logs. Change it to 4 if you are using common Apache logs.

LogFormat=1

Set this to the main name of your website.

SiteDomain="www.memoriesofkorea.com"

If your website has other names, add them here. Usually the only “other” name is simply omitting the www. Leave in 127.0.0.1 and localhost, which may be important if you access your website from the server it is running on.

HostAliases="memoriesofkorea.com 127.0.0.1 localhost"

Save your changes and exit.
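As an added illustration (not part of the original guide), this Python snippet tells common and combined Apache access-log lines apart and maps the result to the AWstats LogFormat value described above (1 for combined, 4 for common), so you can confirm the setting from the log itself rather than from httpd.conf. The sample log lines are constructed.

```python
import re

# A "common" line: host ident authuser [date] "request" status bytes.
# A "combined" line appends two quoted fields: "referer" "user-agent".
# Quoted fields may contain \" escapes, which Apache writes for odd requests.
QUOTED = r'(?:[^"\\]|\\.)*'
COMMON_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + QUOTED + r')" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
COMBINED_TAIL_RE = re.compile(
    r'^ "(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"$'
)

# AWstats LogFormat values for the two Apache formats.
AWSTATS_LOGFORMAT = {"combined": 1, "common": 4}


def parse_line(line):
    """Parse one access-log line into a dict (with a 'format' key), or None if malformed."""
    line = line.rstrip("\n")
    m = COMMON_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    tail = line[m.end():]
    if tail == "":
        rec["format"] = "common"
        return rec
    t = COMBINED_TAIL_RE.match(tail)
    if not t:
        return None  # neither format: do not guess
    rec.update(t.groupdict())
    rec["format"] = "combined"
    return rec


def detect_logformat(lines):
    """Return the AWstats LogFormat value for a log sample, or None if lines disagree or none parse."""
    formats = {rec["format"] for rec in map(parse_line, lines) if rec}
    return AWSTATS_LOGFORMAT[formats.pop()] if len(formats) == 1 else None


# Constructed sample lines, not taken from a real server.
SAMPLE_COMMON = [
    '192.168.0.10 - - [02/May/2008:10:53:42 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '192.168.0.11 - - [02/May/2008:10:54:01 +0000] "GET /missing.png HTTP/1.1" 404 -',
]
SAMPLE_COMBINED = [
    line + ' "http://www.memoriesofkorea.com/" "Mozilla/5.0 (X11; Linux)"'
    for line in SAMPLE_COMMON
]

if __name__ == "__main__":
    for name, sample in (("common", SAMPLE_COMMON), ("combined", SAMPLE_COMBINED)):
        print(name, "->", "LogFormat=%s" % detect_logformat(sample))
```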

Run AWstats for the first time

When you installed AWstats, it was automatically configured to run and collect log information hourly, but if you’re too impatient to wait for cron, run the first AWstats update now:

/usr/share/awstats/tools/awstats_updateall.pl now

Grant access to the AWstats page

You need to edit the file /etc/httpd/conf.d/awstats.conf. This just tells Apache who can view the statistics. Somewhere in the middle of the file there should be a block like the one below. By default only 127.0.0.1 (the web server itself) is allowed to view the page, so if your web browser isn’t running on the server, you will need to change something.

You might want to add a single IP address, an IP address range (e.g. 192.168.0.1/24 for a home network) or simply all to grant access to the world.

    Options None
    AllowOverride None
    Order allow,deny
    Allow from 127.0.0.1
    Allow from 192.168.0.0/24
    Allow from all

Save the file and exit. Restart Apache.

service httpd restart

See your statistics

Assuming all went well, you should be able to view your statistics page at http://www.mysite.com/awstats/awstats.pl

Other options

You no doubt saw in the /etc/awstats.conf file that there are many, many more configurable options for AWstats, including user authentication to name but one.

The config file is well commented and there is plenty of documentation online to help you along.

An ugly fix

My home server seems to have developed a problem where its internal-facing network card “jams up”. It still keeps its IP address and everything looks normal, but in actual fact no traffic passes through it, cutting all my LAN hosts off from the Internet.

Restarting iptables, network services or anything else doesn’t help. The only cure I’ve found is to reboot the whole box.

This is OK if I’m using the computer at the time, but a pain if it breaks overnight or while I’m out, as things like my folding@home client, Vista Media Centre TV listings and overnight BitTorrent downloads need Internet access.

So I wrote this bash script to periodically check if it’s broken, and reboot if it is. The only gotcha is that it tests if the interface is working by pinging another LAN host. This is by no means a concrete test!

#!/bin/bash
# Reboot the box if the LAN-facing interface appears to have jammed.
# The only test is a single ping to another LAN host, so if that host
# is switched off this script will reboot the server needlessly.
HOST=192.168.0.10

if ! ping -c 1 -w 5 "$HOST" &>/dev/null ; then
    logger "ZEUS REBOOT: no ping reply from $HOST"
    /sbin/init 6
fi

WHOIS

A matter brought to my attention just a few minutes ago – visibility of personal data in WHOIS info.

I registered the domain jonathangazeley.com with No-IP. It worked, and I thought nothing more of it. But this morning one of my colleagues received a personalised scam and it seems likely that the scammers retrieved his personal information from WHOIS.

I checked my own WHOIS data and was shocked (although not really surprised) to see my personal data appear before my eyes. My name, home address, mobile phone number and email address were all included. This is bad news, as anyone can get hold of this information – such as scammers, spammers, legitimate (but annoying) marketing, or even real-life criminals who want to know where I live.

Fortunately No-IP offers a private registration option for $9.95/year. I immediately purchased this option and now my WHOIS data shows nothing except my name.

I urge anyone who has registered a domain to check their own WHOIS data and take appropriate steps if necessary. It’s easy in Linux:

[jonathan@poseidon ~]$ whois jonathangazeley.com
[Querying whois.verisign-grs.com]
[Redirected to whois.no-ip.com]
[Querying whois.no-ip.com]
[whois.no-ip.com]
NOTICE: Access to No-IP.com WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the No-IP.com registrar database. The data in this record is provided by No-IP.com for informational purposes only, and No-Ip.com does not guarantee its accuracy.  This service is intended only for query-based access.  You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator or any ICANN-Accredited Registrar, except as reasonably necessary to register domain names or modify existing registrations.  All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.

Domain Name: JONATHANGAZELEY.COM
Created On: 02-May-2008 10:53:42 UTC
Last Updated On: 02-May-2008 10:53:42 UTC
Expiration Date: 02-May-2010 10:53:41 UTC
Sponsoring Registrar: Vitalwerks Internet Solutions, LLC / No-IP.com
Registrant Name: Gazeley, Jonathan
Registrant Organization:
Registrant Street1: ATTN: jonathangazeley.com, c/o No-IP.com Registration Privacy
Registrant Street2: P.O. Box 19083
Registrant City: Reno
Registrant State/Province: NV
Registrant Postal Code: 89511
Registrant Country: US
Registrant Phone: +1.7758531883
Registrant FAX:
Registrant Email: 1a37bda6b1603338-250851@privacy.no-ip.com
Admin Name: Gazeley, Jonathan
Admin Street1: ATTN: jonathangazeley.com, c/o No-IP.com Registration Privacy
Admin Street2: P.O. Box 19083
Admin City: Reno
Admin State/Province: NV
Admin Postal Code: 89511
Admin Country: US
Admin Phone: +1.7758531883
Admin FAX:
Admin Email: 1a37bda6b1603338-250851@privacy.no-ip.com

Name Server: NS2.NO-IP.COM
Name Server: NS1.NO-IP.COM
Name Server: NS3.NO-IP.COM
Name Server: NS4.NO-IP.COM
Name Server: NS5.NO-IP.COM

As you can see, all of this data (except my name, of course) now belongs to No-IP. Problem solved!
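An added example (not from the original post) of checking a WHOIS record for your own personal data automatically: it parses the “Key: value” lines of a record like the one above and reports every field containing one of the values you consider private, comparing them with punctuation and spacing stripped so a phone number matches however the registrar formats it. Both sample records and the personal values are constructed placeholders.

```python
import re

# "Key: value" lines; the NOTICE paragraph and [Querying ...] lines are not fields.
FIELD_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9 /]*?):\s*(?P<value>.*)$')


def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists (keys such as Name Server repeat)."""
    record = {}
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if m and not m["key"].startswith("NOTICE"):
            record.setdefault(m["key"], []).append(m["value"].strip())
    return record


def _norm(s):
    """Lower-case and keep only letters and digits, so '+44 117 000 0000' equals '+44.1170000000'."""
    return re.sub(r'[^a-z0-9]', '', s.lower())


def find_personal_data(record, personal_values):
    """Return (field, value, matched_item) for every field whose value contains a personal item."""
    hits = []
    for key, values in record.items():
        for value in values:
            for item in personal_values:
                if _norm(item) and _norm(item) in _norm(value):
                    hits.append((key, value, item))
    return hits


# Constructed records: before and after enabling a registrar's privacy option.
EXPOSED_RECORD = """\
Domain Name: EXAMPLE.COM
Registrant Name: Doe, Jane
Registrant Street1: 1 Example Street
Registrant City: Bristol
Registrant Phone: +44.1170000000
Registrant Email: jane@example.com
Admin Name: Doe, Jane
Admin Phone: +44.1170000000
"""
PRIVATE_RECORD = """\
Domain Name: EXAMPLE.COM
Registrant Name: Doe, Jane
Registrant Street1: ATTN: example.com, c/o Registration Privacy Service
Registrant City: Reno
Registrant Phone: +1.0000000000
Registrant Email: opaque-token@privacy.example.net
Admin Name: Doe, Jane
Admin Phone: +1.0000000000
"""
# The values you would not want the whole Internet to see (placeholders).
PERSONAL = ["+44 117 000 0000", "jane@example.com", "1 Example Street"]

if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED_RECORD), ("private", PRIVATE_RECORD)):
        print(label, find_personal_data(parse_whois(text), PERSONAL))
```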

MSN Messenger is 10 years old

Well I never! From an advert on Hotmail I was linked to a page which proclaims that MSN Messenger (more recently known as Windows Live Messenger) is 10 years old. I would have guessed it was older than that.

I can’t remember precisely when I first used MSN Messenger but I’m fairly sure it was in 1999. I don’t remember it being brand spanking new, though. All my friends were using it and I thought it had been around for a while.

I used to use the Messenger Plus addon to add features that the client neglected to include.

Of course, since switching fully to Linux I’ve used gAIM (now Pidgin), and I have to say it meets my needs perfectly, especially as I also have contacts on AIM now.

Who knows what developments we will see in online communication over the next decade. There’s lots of hype around videophones and that kind of thing, but the technology is already available and hardly used. I just don’t think it’s as practical.

In my opinion, IM’s biggest rival is Facebook (among other social networks), which has completely changed the way friends, family and casual acquaintances keep in touch. It seems to have taken a slice out of personal email, and out of IM.

Mobile broadband in the sticks

I recently bought (and blogged about) an O2 mobile broadband USB stick.

As I was on a camping holiday in a remote part of Pembrokeshire last week, I decided to take my Eee and the USB modem, just to see how it would work. I was aware that there would be no HSDPA coverage, since I had checked the coverage map before I left.

UK cellular network coverage


  • Yellow: 2G
  • Pink: 3G
  • Blue: HSDPA

Three give the following summary of the different connection types:

  • 2G network: gives you voice, text and picture messaging services
  • 3G network: gives you all of the above, plus video calling and the internet on your mobile
  • HSDPA network (Mobile Broadband): gives you all 2G and 3G services, plus high-speed internet access on your mobile and with your dongle (USB modem)

When I connected to the network in rural Pembrokeshire, I was not surprised to find that I only got a 2G connection. The dongle’s LED was green, and according to Huawei:

  • Green - a GPRS data service is established
  • Dark Blue - a UMTS data service is established
  • Light Blue - a HSDPA data service is established

But what surprised me most was the latency in the connection. Pinging www.google.com gave responses between 4 seconds and 35 seconds! This of course makes web browsing totally unusable.

So my advice to anyone who is thinking of getting a USB 3G modem is to make sure your target areas are covered, and don’t expect it to work outside cities.

The worst cabinet ever

Recently at work I had to go out on site to visit a comms cabinet. I followed the directions to the cabinet, but when I got there I found it was in a tiny closet, not deep enough for a rack.

So it seems that whoever installed the network improvised. There’s an ancient 10Mbit hub, a 48-port Cisco switch and an 8-port Linksys power-over-Ethernet switch all suspended from their network cables. The PoE switch even had its heavy power supply hanging from it, too.

Switches hanging from their cables


And if that’s not bad enough, check out the telephone patch panel in the same cabinet…

Telephone patch panel

O2 Mobile Broadband

Note: This article is under development. More info and screenshots will be added later. Keep checking back!

I decided to buy a mobile broadband USB modem yesterday. For those of you who don’t know, I work as a wireless network & VPN specialist for the University of Bristol. At the time of writing, there are 507 access points around campus, giving pretty good coverage. However I often have to visit locations with dead wireless to fix it – and it’s times like these that mobile broadband would come in really handy.

After a bit of market research, I found that Three was the cheapest network; however their standard issue USB modem is made by ZTE and some Googling shows that this isn’t well supported by Linux. That’s a showstopper for me. However, O2 offer Huawei modems which, according to the Internet, work out of the box with recent versions of NetworkManager, which is included with distros such as Fedora and Ubuntu.

After a quick word with an O2 sales adviser, I was told that Windows and OS X are supported, and Linux is not only unsupported, but “won’t work”. Of course, I took this with a pinch of salt. I prefer to believe articles on FedoraForum, for example.

I run a number of operating systems on my various computers. It’s not essential to have it working on all of them, but it would be nice. Here’s what I’ve got:

  • Home desktop PC: Dual boot Fedora 11 with Windows Vista for occasional gaming or audio work
  • Main laptop: EeePC 901 with Ubuntu Netbook Remix 9.04
  • Secondary laptop: HP nx7400 dual boot Fedora 11 with Windows XP for occasional stuff (such as using my slide scanner)
  • Work PC: Fedora 10
  • Work laptop: Macbook with OS X 10.5 Leopard

So how did O2 Mobile Broadband really fare on these various systems?

Ubuntu Netbook Remix

First I tried it with the computer I am likely to use most on the move – my trusty EeePC. I connected the modem and was immediately greeted with a screen saying it had detected a USB modem.

I was asked to pick a network provider from a short list.

Setup was complete!

I now connect by using the NetworkManager list, the same way as for regular wireless networks. However, even if I connect to O2 Mobile Broadband, it still uses wireless networks in preference if possible. Very sensible!

Using NetworkManager to select a 3G connection

Fedora

Fedora runs a very similar version of NetworkManager to Ubuntu. The main difference is that you don’t get a magic wizard to put the settings in for you. But don’t worry, it’s quite simple.

  1. Right click the NetworkManager icon, click Edit Connections
  2. Under the Mobile Broadband tab, click Add
  3. Do the same on your Ubuntu PC, except click Edit.
  4. Copy the settings over (or look them up from O2).
  5. Done!

Windows XP

Getting it to work on Windows was easy, although I was not impressed by the software. When you plug in the USB modem, it automatically mounts as a virtual CD-ROM which then autoruns the installer. It’s all themed in the O2 colours and looks smart, even if horrible and blue. Installing it is a simple case of clicking Next repeatedly.

But what I didn’t like was the way that the software automatically takes control of your wired and wireless connections too, without consent.

The main screen

In its defence, it does work and it does do the job. It even has nice features, such as being able to prioritise various connections or networks. You can say you want the wired to always take precedence, followed by your home wireless network, then the 3G network, and finally your neighbour’s wireless.

Listing wireless and 3G networks

However, the application is ugly, blue and blobby. It looks like a UFO. It installed yet another tray icon I don’t want, and it’s changed the way I connect to wireless networks. Of course I’m capable of adapting to the change, but I liked the way I connected to networks before. Why force me to change?

One thing I haven’t tested yet is its ability to connect to WPA2-Enterprise (802.1x) networks, which I use daily as part of my job. This is where lots of other third-party wireless applications fall down.

Tonight I will look into ways to remove the app but keep the driver – and perhaps have the 3G connection available to me as an on-demand connection, the same way that Windows handles VPN connections.

Overall, I’m glad I will almost never be using this laptop with my 3G connection.

Mac OS X Leopard

Despite Apple Macs having a reputation for being intuitive and easy to use, installing the USB modem was a nightmare and I still haven’t got it to work.

While Windows and OS X are the two officially supported platforms, the OS X software is just the default Huawei software without any O2 theming at all. O2 haven’t even bothered to bake in the config in advance. Plugging in the USB modem causes a directory to be mounted, containing an installer and a PDF document. The PDF briefly explains how to install the application and fill in the settings. It has a series of screenshots and simple instructions, although still daunting enough compared with the ease by which most Mac applications are installed.

The software itself is ugly and a bit clunky. It doesn’t have anything sensible like a “tray” icon. You have to load the application manually before you want to use the connection. If you frequently use the software, it would be best to make a dock icon, which you also have to do manually.

Worst of all, it doesn’t actually work (for me). I followed the guide exactly and yet when I came to connect, it always fails with a useless error message of “Connection failure!”.

Working in a riser

Today at work I had to install a switch in a rack in a riser. The riser goes from top to bottom of the building in question (5 storeys + basement). Access is through an iron door on each floor.

There is a grille to stand on, but it was slightly wobbly and nowhere near as big as the size of the riser, so I had to be careful where I was putting my feet. The building was constructed in the 1920s and the iron grille and brickwork is original.

It’s a long way to the bottom of the basement. While I was working I dropped a bolt. I heard it hit every grille as it went down, and it took about four seconds to reach the bottom.

The riser grille

Looking down the riser

Looking up the riser

This is what I was sent to work on – installing a small new switch in that tiny rack. It’s a Power-over-Ethernet switch to power some new Cisco APs that are going in soon. However, the new switch needed an uplink to the network, provided by…

The patch panel I worked on

… the Cisco switch that was bolted flat to the wall above my head, out of reach. You can see the bundle of cables that join the switch to the patch panel.

In order to reach the switch, I needed to stand on a chair. In order to get a chair to not fall through the grille, I had to go and find some pieces of wood. Yikes.

The switch mounted above