Linux

Anything related to Linux

Poor Man’s device discovery (DNS)

on August 4, 2016 in Linux with no comments by

I have a home network that contains a mixture of devices: some receive a static IP address, such as the printer, and some receive a dynamic IP address, such as mobile phones and tablets.

The home router is set up to give every device with a static IP address a host name, such as “printer.home” or “nas.home”, making it easy to access the device’s UI (if it has one). However, the router isn’t capable of assigning host names to devices with a dynamic IP address.

For the most part this isn’t an issue, but every once in a while I do need to access the mobile phone or tablet via the browser or similar. This means having to look up the IP address of the device in the router, which in turn means I have to log in to it and navigate through various screens.

So I thought: “why not give every device a host name / DNS entry?” But with the router neither capable of assigning them to dynamic IP addresses (based on MAC address, for example), nor able to set the host name on some devices, how? Luckily I have a Raspberry Pi that’s sitting in a closet 24/7 doing very little, so I’ve put that to good use.

read more →

Quick note: FUSE inside Proxmox LXC container

on February 26, 2016 in Linux with no comments by

Proxmox’ LXC containers do not get the /dev/fuse device created automatically. A quick way of creating it is to add the following two lines to the container’s configuration on the host node (in /etc/pve/lxc/<$container_id>.conf):

lxc.autodev: 1
lxc.hook.autodev: sh -c "mknod -m 0666 ${LXC_ROOTFS_MOUNT}/dev/fuse c 10 229"

I’m using “sh -c” directly rather than a separate script, so that this configuration is migrated to other nodes in the cluster.

As a note, the device (char 10:229) should already be in lxc.cgroup.devices.allow by default, so it doesn’t need to be added again.

Caveat as mentioned by Fabian (Proxmox staff):

If you absolutely have to, I would suggest establishing the FUSE mount on the Proxmox host and then using a bind mount point (e.g. “mp0: /path/on/host,mp=/path/in/container”) to make it available in the container. If you establish the FUSE mounts inside the container, you will run into problems (lxc-freeze is not compatible with FUSE which means no snapshots and no suspend backup, you need to change all sorts of containment settings which lessens security, ...).


Quick Note: Disable SSLv3 in OpenLDAP with GnuTLS

on October 15, 2014 in Linux with 1 comment by

Due to the SSL POODLE vulnerability, it is best to remove support for the outdated SSLv3 protocol. As OpenLDAP with GnuTLS is a beast of its own, here’s the quick change to remove SSLv3 support:

cat > nossl.ldif <<EOF
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: SECURE256:-VERS-SSL3.0

EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f nossl.ldif

And we’re done! Obviously, if you already have olcTLSCipherSuite, then use “replace” instead of “add”.

A quick test:

~# gnutls-cli-debug -p 636 127.0.0.1
Resolving '127.0.0.1'...
Connecting to '127.0.0.1:636'...
Checking for SSL 3.0 support... no
Checking whether %COMPAT is required... no
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... yes
Checking fallback from TLS 1.1 to... N/A
Checking for TLS 1.2 support... yes
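The same change as a small script, added here as an example rather than taken from the original post: it looks at cn=config first, so the “add” versus “replace” choice is made for you, applies the LDIF over ldapi:///, and then runs the gnutls-cli-debug check. The function names (current_suite, make_nossl_ldif, verify_no_sslv3, apply_nossl) and the --apply flag are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original post): disable SSLv3 in OpenLDAP's
# cn=config, choosing "add" or "replace" for olcTLSCipherSuite automatically,
# then verify the listener with gnutls-cli-debug. Run as root on the LDAP host:
#   ./nossl.sh --apply

# GnuTLS priority string from the post: strong suites, SSL 3.0 removed.
PRIORITY='SECURE256:-VERS-SSL3.0'

# Print the current olcTLSCipherSuite value, empty if the attribute is absent.
# Only presence matters; a base64-encoded ("::") value is detected as well.
current_suite() {
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config -s base \
        olcTLSCipherSuite 2>/dev/null | sed -n 's/^olcTLSCipherSuite::\{0,1\} //p'
}

# make_nossl_ldif EXISTING -> LDIF on stdout. A non-empty EXISTING means the
# attribute is already set, so "replace" is used instead of "add".
make_nossl_ldif() {
    if [ -n "$1" ]; then op=replace; else op=add; fi
    printf 'dn: cn=config\nchangetype: modify\n%s: olcTLSCipherSuite\nolcTLSCipherSuite: %s\n' \
        "$op" "$PRIORITY"
}

# Succeed only if the ldaps listener (port 636, as in the post) refuses SSL 3.0.
verify_no_sslv3() {
    gnutls-cli-debug -p 636 "${1:-127.0.0.1}" 2>/dev/null \
        | grep -q 'Checking for SSL 3.0 support... no'
}

# Apply the LDIF and check the result. If slapd still offers SSL 3.0 after the
# change, restart it and run verify_no_sslv3 again.
apply_nossl() {
    make_nossl_ldif "$(current_suite)" | ldapmodify -Y EXTERNAL -H ldapi:/// || exit 1
    if verify_no_sslv3; then echo "SSLv3 disabled"; else echo "SSL 3.0 still accepted" >&2; exit 1; fi
}

if [ "${1:-}" = "--apply" ]; then apply_nossl; fi
```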

Postfix’s killed trivial-rewrite by signal 11

on September 21, 2014 in Linux with no comments by

I was setting up a small VPS as a backup e-mail server for the two already in place. What was supposed to be a 15 minute task, particularly as it was being installed using a proven recipe with Puppet, turned into a diagnostic nightmare for hours. Looking back, it really shouldn’t have taken that long to diagnose either, but alas, Google led me astray.

See, everything was installed the same way as on the other servers. Postfix started up fine, but as soon as it performed a lookup in an LDAP directory, the following error occurred:

Sep 21 00:34:02 server postfix/master[23426]: warning: process /usr/lib/postfix/trivial-rewrite pid 23460 killed by signal 11
Sep 21 00:34:03 server postfix/qmgr[23431]: warning: problem talking to service rewrite: Success
Sep 21 00:34:03 server postfix/master[23426]: warning: process /usr/lib/postfix/trivial-rewrite pid 23461 killed by signal 11
Sep 21 00:34:03 server postfix/master[23426]: warning: /usr/lib/postfix/trivial-rewrite: bad command startup -- throttling

read more →


Poor Man’s Proxmox Cluster

on November 16, 2013 in Linux with 17 comments by

I had written this elsewhere before, but thought I would share it on my own site as well. The idea here is to create a Proxmox VE cluster with limited resources, in particular a lack of a private network / VLAN. We address this by creating a virtual private network using a lightweight VPN provider, namely Tinc.

You could use something else, like OpenVPN or IPsec. The former is a bit on the heavy side for the task, whilst the latter may not have all the features we need. Specifically, Tinc gives us an auto-meshing network, packet switching and multicast support. Multicast is needed to create a Proxmox VE cluster, whilst the virtual switching ensures packets will eventually be routed to the right server and VM.

read more →

Watching TV on your Android via a Raspberry Pi

on April 2, 2013 in Linux with 18 comments by

During the long Easter holiday I’ve kept myself busy with a little pet project for my Raspberry Pi. So far I’ve been using the RPI as a small intranet server, DNS server and Proxy server. But it had plenty of room, both in RAM and storage, to do other things. As I had recently acquired a (dirt-cheap!) Android-based tablet, I was wondering if it would be possible to stream live TV directly to it.

There are plenty of commercial solutions available, as well as some apps, that stream directly over the Internet. But, as I had mentioned, the tablet was dirt cheap and so it should be indicative of the amount of money I was willing to spend.

read more →

Blocking w00tw00t scans

on July 17, 2010 in Linux with 2 comments by

Some websites are still being hit with the infamous “w00tw00t” scans. You might see these scans in your logs as:

... "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 ...

Using Iptables

The quickest method of making sure it never reaches your web server (and thus wastes resources like processor time and disk space for log files) is to use iptables, and it can be done with a one-liner like this:

iptables -I INPUT -d xxx.xxx.xxx.xxx -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP

Simply replace xxx.xxx.xxx.xxx with the IP of your web server. If you want to use this for a range of IPs (i.e., you’re using multiple IPs to host web servers), simply replace the “-d xxx.xxx.xxx.xxx” portion with:

-m iprange --dst-range start.xxx.xxx.xxx-end.xxx.xxx.xxx

where start.xxx.xxx.xxx and end.xxx.xxx.xxx are the first and last IPs of your web servers respectively.

read more →
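Before (or after) loading that rule it helps to know how many of these probes you are actually seeing and from where. The script below is an added example, not part of the original post: it tallies w00tw00t requests per source IP from a combined-format access log using the same path prefix the iptables rule matches, and shows the rule’s DROP counters once it is in place. SAMPLE_LOG is constructed for the example, and the function names (count_w00tw00t, show_drop_counters) are ours.

```shell
#!/bin/sh
# Added example (not from the original post): count w00tw00t probes per source
# IP from an Apache/Nginx combined access log, and check the iptables counters
# of the DROP rule from the post afterwards.

# Constructed sample log: two probes from one host, one from another, one normal hit.
SAMPLE_LOG='203.0.113.7 - - [17/Jul/2010:10:01:02 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 321 "-" "-"
198.51.100.9 - - [17/Jul/2010:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jul/2010:10:02:14 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 321 "-" "-"
192.0.2.44 - - [17/Jul/2010:10:03:00 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 321 "-" "-"'

# count_w00tw00t: read an access log on stdin and print "count ip" for every
# source that requested the w00tw00t path, busiest first. Field 6 is the quoted
# method and field 7 the path in combined format; matching the same prefix as
# the iptables --string keeps log and firewall in agreement on what counts.
count_w00tw00t() {
    awk '$6 == "\"GET" && index($7, "/w00tw00t.at.ISC.SANS.") == 1 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# show_drop_counters: once the rule is loaded, its packet and byte counters tell
# you whether probes are being dropped before they reach the web server (root).
show_drop_counters() {
    iptables -L INPUT -v -n | grep 'w00tw00t'
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | count_w00tw00t
fi
```

The string match needs the xt_string kernel module and only inspects the first 70 bytes of each packet (--to 70), which is enough for this request line; inserting with -I keeps the rule ahead of any ACCEPT for port 80.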

A simplified Nginx-Apache combo with WordPress support

on June 28, 2010 in Linux with 14 comments by

It looks like I have neglected to write a new article in quite a while! Shame on me. But, thanks to a website outage, I’ve finally got some more good stuff to share with you.

My previous Nginx configuration became a nightmare to maintain, and WordPress had become slower because Apache’s children were being killed by the OOM killer. This was due to a misguided PHP cache (PHP XCache to be precise) that decided to take every available bit of memory from my system, despite having max-requests per child set low (before it was purged).

This, along with my endeavors in seeking the fastest solution to everything and the introduction of new Cloud servers by OVH, led me to today’s article.

read more →

Guide: Firewall and router with Proxmox – Extending its use

on March 20, 2010 in Linux with 13 comments by

Last year I wrote a guide on how to use Shorewall as a firewall and router for Proxmox. As a follow-up I will answer a few questions I’ve received about that guide that can help you extend its use.

Proxy ARP

The most common question is in regards to proxy ARP. Enabling this option will allow you to assign a public IP directly to your guest VM, eliminating the need for port forwarding (DNAT) or having to worry about the MAC address.

As an example use for proxy ARP, it is helpful for those running a SIP-based VoIP server, since a STUN server is no longer required.

read more →
