Software
How to activate Serial Console on Debian Squeeze
Activating a Serial Console starting at the bootloader all the way up to a tty login requires just a few steps, but it took me some time to figure out all the knobs. Here’s how to do it with Debian Squeeze:
To have configuration changes persist in Debian, you must not edit /boot/grub/grub.cfg directly, but need to edit/add the appropriate lines in /etc/default/grub:
GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,9600n8"
GRUB_TERMINAL=console
GRUB_SERIAL_COMMAND="serial --speed=9600 --unit=0 --word=8 --parity=no --stop=1"
Now run update-grub and you’ll get the Bootloader and all Kernel and Init messages on your serial console the next time you boot.
To get a login prompt on serial you need to modify /etc/inittab to:
1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
3:23:respawn:/sbin/getty 38400 tty3
4:23:respawn:/sbin/getty 38400 tty4
5:23:respawn:/sbin/getty 38400 tty5
6:23:respawn:/sbin/getty 38400 tty6
# Serial console
s0:2345:respawn:/sbin/getty -L 9600 ttyS0 vt102
That’s it. Run init q to reload init and activate the serial login, or simply reboot.
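The speed has to agree in three places (the kernel's console= argument, GRUB's own serial command and the getty line), and a mismatch shows up as garbage on the console. The following checker is an added example, not part of the original post; it takes the GRUB defaults file and the inittab as parameters so it can be run against copies before rebooting.

```sh
#!/bin/sh
# Added example, not from the original post: verify that the three places
# where the serial speed is set (kernel console= argument, GRUB's own serial
# command and the getty line) agree, otherwise the console shows garbage.
# $1 is the GRUB defaults file, $2 the inittab.

# Speed from console=ttyS0,<speed>... in GRUB_CMDLINE_LINUX_DEFAULT
kernel_console_speed() {
    sed -n 's/.*console=ttyS0,\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Speed from GRUB_SERIAL_COMMAND="serial --speed=<speed> ..."
grub_serial_speed() {
    sed -n 's/^GRUB_SERIAL_COMMAND=.*--speed=\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Speed from the (uncommented) getty line for ttyS0 in the inittab
getty_serial_speed() {
    sed -n '/^#/d; /getty .*ttyS0/s/.*getty[^0-9]*\([0-9]*\) ttyS0.*/\1/p' "$1" | head -n 1
}

# Prints a verdict; returns 0 when consistent, 1 on mismatch, 2 when a
# setting is missing altogether.
check_serial_config() {
    k=$(kernel_console_speed "$1")
    g=$(grub_serial_speed "$1")
    t=$(getty_serial_speed "$2")
    if [ -z "$k" ] || [ -z "$g" ] || [ -z "$t" ]; then
        echo "incomplete: kernel=$k grub=$g getty=$t" >&2
        return 2
    fi
    if [ "$k" = "$g" ] && [ "$g" = "$t" ]; then
        echo "ok: kernel, grub and getty all use $k baud"
        return 0
    fi
    echo "mismatch: kernel=$k grub=$g getty=$t" >&2
    return 1
}

# Stand-alone use: check_serial.sh /etc/default/grub /etc/inittab
if [ "$#" -eq 2 ]; then
    check_serial_config "$1" "$2"
fi
```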
A few WordPress security tips
A month or so ago my Website got attacked a couple of times using DDoS and application specific attacks. I don’t want to delate anyone, but this happened at exactly the same time my travel report about Prague suddenly got a lot of attention. Just sayin’…
Nothing happened, no one could break in using any exploits or brute force and the website didn’t even go down.
So as a guy with a few years of experience with Apache, Unix and at least a little bit of experience with WordPress, I thought I’d share the things I do to secure my blog. No, I am not a big fan of security through obscurity.
I run this website on my own server, not all of this might be possible if you’re on a shared hosting!
- non admin username
- get ssl (for wp-admin)
- require ssl for wp-admin in wp-config.php (add to end of file)
define('FORCE_SSL_ADMIN', true);
- restrict access to wp-admin using htpasswd on ssl vhost
AuthType Basic
AuthName "Unixhosts.org"
AuthBasicProvider file
AuthUserFile /etc/apache2/htpasswd
Require valid-user
- enforce ssl for wp-admin and also htaccess authentication on default vhost
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.chrisk.de"
ErrorDocument 403 https://www.chrisk.de/blog/wp-admin/
- ‘chown’ everything to root:root with only read access for the webserver
- and as always: use as few plugins as possible
There is one plugin you might want to use if you’re on a shared SSL host: WordPress HTTPS. It helps redirect you to the correct folders on your shared SSL, though it was still kind of buggy.
How to DSL and UMTS Failover on OpenBSD
OpenBSD. Is. Awesome. pf, carp, pfsync, ifstated, openbgp, openospfd… awesome.
Here is my ifstated.conf to fail-over between DSL and UMTS connections. Note that this only really works with OpenBSD >=4.9, because earlier versions seem to have issues where set-state is executed before init finished, which causes UMTS to start on every 24h disconnect of the DSL line.
init-state auto

# pppoe0 is my DSL connection
pppoe0_up = "pppoe0.link.up"

# figure out which state to start with
state auto {
    if $pppoe0_up {
        set-state dsl_up
    }
    if !$pppoe0_up {
        set-state dsl_down
    }
}

# DSL is up. Don't do anything until it fails.
state dsl_up {
    init {
        run "/sbin/ifconfig | mail -s 'DSL up' root"
    }
    if !$pppoe0_up {
        set-state dsl_down
    }
}

# DSL is down. Wait a few seconds (24h disconnect).
# Then go ahead and start UMTS, but only if DSL isn't back up!
state dsl_down {
    init {
        run "/bin/sleep 30; /sbin/ifconfig | mail -s 'DSL down' root"
    }
    if $pppoe0_up {
        set-state dsl_up
    }
    if !$pppoe0_up {
        set-state umts_start
    }
}

# Start pppd and bring UMTS up; stay here while pppoe0 is still down
state umts_start {
    init {
        run "/usr/sbin/pppd call o2"
        run "sleep 30; /sbin/ifconfig | mail -s 'Starting UMTS' root"
    }
    if $pppoe0_up {
        set-state umts_stop
    }
}

# If pppoe0 is back up, kill pppd and switch back to dsl_up
state umts_stop {
    init {
        run "/usr/bin/pkill pppd"
        run "/sbin/ifconfig | mail -s 'Stopping UMTS' root"
    }
    set-state dsl_up
}
Adobe Reader X on Mac OS X – Kidding me?
I just installed Adobe Reader X on my Core2Duo Mac Mini… Adobe? Really? Why is a simple PDF Reader that slow? I have a 1200 pages PDF which I can nicely scroll through using Preview.app, but with Reader X?! Nope. Simple lagging. No fun. Makes reading an eBook reaaaally crappy!
Sadly Preview.app currently doesn’t have support for PDF signatures, so I’ll need Reader X for that, but hopefully that changes with Mac OS X Lion!
OpenVPN over TCP is BAD
I use OpenVPN in a road-warrior setup over often slow and unreliable wireless connections. That on its own makes using interactive applications pretty hard.
But if you additionally run OpenVPN in TCP mode over such links, things get worse. TCP acknowledges every packet to make sure it arrived and re-transmits those that didn’t. With OpenVPN over TCP your application’s TCP session is encapsulated in the VPN’s TCP session, doubling the ACKs and, when packets get lost, the re-transmissions.
Now I switched the VPN session to UDP: if the link starts to lose packets, the VPN will too, but the application’s TCP session makes sure those packets are re-transmitted. All in all everything feels much faster, at least on a crappy 3G connection.
See this link for a more detailed explanation.
How to Upgrade to Xcode4 (or uninstall Xcode3)
I recently bought Xcode 4 on the Mac App Store and therefore thought I’d upgrade. Nope. Xcode 3 is moved to ‘/Developer-old’, but kept. No big deal actually, except when your OS disk is only 60Gb.
The new Xcode 4 uses almost 10Gb plus 5Gb for Xcode 3. So if you don’t need Xcode 3 anymore, just run:
sudo /Developer-old/Library/uninstall-devtools --mode=all
This removes all Xcode3 files, freeing up about 5Gb of space.
How to PXE boot GRML and OpenBSD without NFS (like boot.kernel.org)
I was looking for a way to install/rescue a couple of embedded devices in different (remote) locations. PXE booting a Linux system comes to mind, but that usually requires NFS, which is a pain in the ass when it comes to firewalls…
Most Linux based LiveCDs use Busybox and Squashfs for booting… Busybox has wget built in, so it’s possible to skip the NFS part, use wget over HTTP and load the squashfs into RAM. One still has to get TFTP through firewalls, since it is needed to load the kernel and Busybox, but OpenBSD for example has tftp-proxy built in… So you need:
- DHCP to supply PXE options
- TFTP to serve the base system(s)
- PXELINUX as a kind of bootloader
- HTTPd to serve the rest of the system(s)
I want to have my favorite LiveCD GRML handy for rescue and Linux install purposes and OpenBSD of course
Let’s start with the Server you want to use to boot from:
Install tftpd-hpa, syslinux and a httpd, start tftpd-hpa with the ‘secure’ flag and place a copy of pxelinux.0 (usually in /usr/lib/syslinux/) in your $tftproot.
For GRML you’ll need to place linux26 and minirt.gz from the grml_netboot_package in your $tftproot. You’ll also need grml.squashfs from either grml-small, grml-medium or grml. I’d suggest grml-small as it needs to fit in your RAM. Place it in your $httproot.
Now configure (ISC) DHCPd to supply the PXE information:
next-server 10.1.32.1;
filename "/pxelinux.0";
Create a file called ‘default’ in a folder pxelinux.cfg in your $tftproot:
label GRML
kernel linux26
append initrd=minirt.gz fetch=http://<serverip>/grml.squashfs boot=live
Most PXE loaders first look for a file named after their IP address written in hex, then drop one character after another from the end of that name, and fall back to ‘default’ if nothing is found. So symlink the appropriate files if you want to speed things up. ‘fetch’ tells GRML’s busybox to load its system files from the given URL.
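The hex naming and fallback order described above, as an added example that is not part of the original post: it converts a client IP to the name PXELINUX asks for, models the search order so you can see which file a client would actually load, and creates the symlink. It assumes the post's layout of $tftproot/pxelinux.cfg/default.

```sh
#!/bin/sh
# Added example, not from the original post: pre-create the hex-named config
# files PXELINUX looks for, so a client finds its configuration on the first
# TFTP request instead of walking through eight misses before 'default'.
# Assumes the post's layout: $tftproot/pxelinux.cfg/default exists.

# 10.1.32.5 -> 0A012005: each octet as two uppercase hex digits
ip_to_hex() {
    # word splitting on the octets is intended here
    printf '%02X%02X%02X%02X' $(echo "$1" | tr . ' ')
}

# Names PXELINUX tries for an IP, most specific first: the 8-digit hex
# name, then that name shortened by one character per step down to one digit.
pxe_names_for_ip() {
    h=$(ip_to_hex "$1")
    while [ -n "$h" ]; do
        echo "$h"
        h=${h%?}
    done
}

# Which config file a client with IP $2 would load from $1/pxelinux.cfg,
# following that search order (the MAC-based 01-xx-... name is not modelled).
pxe_lookup() {
    for n in $(pxe_names_for_ip "$2"); do
        [ -e "$1/pxelinux.cfg/$n" ] && { echo "$n"; return 0; }
    done
    [ -e "$1/pxelinux.cfg/default" ] && { echo default; return 0; }
    return 1
}

# Point the full hex name for client IP $2 at config file $3 (default:
# 'default') inside $1/pxelinux.cfg. A shorter prefix, e.g. the 6-digit
# 0A0120, covers all of 10.1.32.0/24 and can be linked by hand the same way.
link_pxe_config() {
    ln -sfn "${3:-default}" "$1/pxelinux.cfg/$(ip_to_hex "$2")"
}

# Stand-alone use: pxe_links.sh <tftproot> <client-ip> [config]
if [ "$#" -ge 2 ]; then
    link_pxe_config "$1" "$2" "$3"
    echo "$2 -> $(pxe_lookup "$1" "$2")"
fi
```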
To also serve the OpenBSD installer you need to download pxeboot and place it as pxeboot.0 in your $tftproot. You also need bsd.rd from any Release/Snapshot you want to serve. Call them whatever you want and also place them in your $tftproot. To serve pxeboot.0 (The OpenBSD Bootloader btw) add these two lines to ‘default’ in pxelinux.cfg:
label OpenBSD
kernel pxeboot.0
You’re done. Try booting your system from PXE. You’ll get a ‘boot>’ prompt. Select your system by typing whatever you supplied as ‘label’ in your ‘default’ config, e.g. GRML or OpenBSD. In the case of OpenBSD you’ll then need to supply bsd.rd to boot, or whatever you renamed that file to.
If you encounter any problems, grep the logs, use ‘tcpdump’ and have a look at the SYSLINUX Wiki…
How to Create your own ‘DynDNS’ Service
First off: This is not DynDNS as you might know it from dyndns.org. You can’t use clients like ddclient. I’m using DNSSEC and ‘nsupdate’. You’ll need to be familiar with Bind and some shell scripting… Also I only got this working on *nix and I don’t have any intention to try it on Windows.
Let’s start with what you have to do on your client:
$ dnssec-keygen -a HMAC-MD5 -b 512 -n USER -r /dev/urandom host1.dyn.example.org
Now copy Khost1.dyn.example.org.+157+39064.key (your pubkey) to your server’s configdir (in case of Debian: /etc/bind) and define it as follows:
key host1.dyn.example.org. {
    algorithm HMAC-MD5;
    secret "<put key from Khost1.dyn.example.org.+157+39064.private here>";
};
zone "dyn.example.org" {
    type master;
    file "master/dyn.example.org";
    allow-update { key host1.dyn.example.org.; };
};
This allows everyone holding the Khost1.dyn.example.org.+157+39064.private key to update the zone ‘dyn.example.org’. Feel free to find out how to do privilege separation on your own.
Back to your client: Since we can’t use ddclient or similar clients, I wrote my own small script:
#!/bin/sh
# Updates host1.dyn.example.org whenever the address of pppoe0 changes.
dir=$(dirname "$0")
old_ip=$(cat "$dir/ip_cur.txt" 2>/dev/null)
new_ip=$(ifconfig pppoe0 | grep -E 'inet.[0-9]' | \
    grep -v '127.0.0.1' | awk '{ print $2 }')
# Never send an update when no address could be read from the interface
[ -n "$new_ip" ] || exit 1
if [ "$old_ip" != "$new_ip" ]; then
    echo "$new_ip" >> "$dir/ip_log.txt"
    # printf instead of echo: echo's handling of "\n" differs between shells
    printf 'server <yourserver>\nzone dyn.example.org\nupdate delete host1.dyn.example.org. A\nupdate add host1.dyn.example.org. 60 A %s\nsend\n' \
        "$new_ip" > "$dir/ip_nsupdate_instructions.txt"
    # the same key that was generated with dnssec-keygen above
    nsupdate -k "$dir/Khost1.dyn.example.org.+157+39064.private" \
        "$dir/ip_nsupdate_instructions.txt" || exit 1
    # only remember the address once the update went through
    echo "$new_ip" > "$dir/ip_cur.txt"
fi
My script gets the current IP address of pppoe0, compares it to the one from its previous run and executes ‘nsupdate’ if they mismatch. ‘nsupdate’ doesn’t accept its configuration from stdin, that’s why I needed to hack around with echo… If ‘nsupdate’ fails (due to connection issues or something like that) my script exits. If the update was successful it writes the current IP into ip_cur.txt, so the script only executes ‘nsupdate’ on IP address change and not every time you run it. Add my script to crontab to run it once a minute or so…
* * * * * ip_update.sh
How to Set up a ‘hidden primary’ DNS
I just had to guide a friend of mine through the setup of a ‘hidden primary’ or ‘hidden master’ via mail, so I thought I’d also post a quick summary here to keep my blog alive ;P
First off: A ‘hidden primary’ setup, uses one server for all zone-file changes that isn’t listed anywhere and doesn’t get any queries from clients, and two or more ‘slaves’ that do the actual work. Have a look at this example zone-file:
$ORIGIN unixhosts.org.
unixhosts.org. IN SOA amy.unixhosts.org. hostmaster.unixhosts.org. (
    201102111 ; serial
    3h        ; refresh
    1m        ; retry
    1w        ; expire
    1m )      ; minimum
               IN NS ns.inwx.de.
               IN NS ns2.inwx.de.
               IN NS ns3.inwx.de.
The host amy.unixhosts.org is my ‘hidden primary’. As you can see, it’s not listed as NS, so it won’t get queries from actual client resolvers. ns.inwx.de, ns2.inwx.de and ns3.inwx.de are my name servers for this zone, configured as slaves.
The ‘hidden primary’ config looks like:
zone "unixhosts.org" {
    type master;
    file "master/unixhosts.org";
    allow-transfer { unixhosts; inwx; };
    also-notify { 10.0.1.1; 10.0.2.1; 10.0.3.1; };
};
Whereas a ‘slave’ config looks like:
zone "unixhosts.org" {
    type slave;
    file "slave/unixhosts.org";
    masters { 10.0.0.1; };
    allow-transfer { clients; };
};
If your infrastructure isn’t large enough to take responsibility for 3 public DNS servers, you might want to have a look at InterNetworX. I’ve been running their servers as ‘slaves’ for a few months now. Their support team is great and I haven’t had any issue within years!
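Two things worth checking after a change on the hidden primary: that every public slave actually picked up the new serial (i.e. notify and transfer work), and that the primary really is hidden, meaning it is not in the NS set. The script below is an added example, not part of the original post; it needs dig, and the zone, primary and slave names from the post are only its parameters.

```sh
#!/bin/sh
# Added example, not from the original post: after editing the zone on the
# hidden primary, confirm that every public slave serves the new serial and
# that the primary is not advertised as a name server. Needs dig.

# SOA serial of zone $1 as answered by server $2 (third field of the SOA RDATA)
soa_serial() {
    dig +short +time=3 +tries=1 SOA "$1" "@$2" | awk '{ print $3 }'
}

# $1 = serial the hidden primary has; stdin = "server serial" lines, with an
# empty serial for servers that did not answer. Prints one line per server
# and returns 1 if any of them is out of date or unreachable.
report_lag() {
    awk -v want="$1" '
        $2 == ""   { print $1 ": no answer"; bad = 1; next }
        $2 != want { print $1 ": serial " $2 " (want " want ")"; bad = 1; next }
                   { print $1 ": ok" }
        END        { exit bad }'
}

# $1 = SOA MNAME (the hidden primary); remaining args = the NS names of the
# zone. Returns 1 if the primary is listed, i.e. it is not hidden at all.
primary_is_hidden() {
    m=$1; shift
    for ns in "$@"; do
        [ "$ns" = "$m" ] && return 1
    done
    return 0
}

# $1 = zone, $2 = hidden primary, $3... = public slaves to compare against it
check_zone() {
    zone=$1; primary=$2; shift 2
    want=$(soa_serial "$zone" "$primary")
    [ -n "$want" ] || { echo "cannot reach primary $primary" >&2; return 2; }
    for s in "$@"; do
        echo "$s $(soa_serial "$zone" "$s")"
    done | report_lag "$want"
}

# Stand-alone use: check_zone unixhosts.org amy.unixhosts.org ns.inwx.de ns2.inwx.de ns3.inwx.de
if [ "$#" -ge 3 ]; then
    check_zone "$@"
fi
```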
Trying Xen 4.0 on Debian 6.0 aka Squeeze
I have a rather mixed history with all these Virtualization techniques… I started with ranting about Xen and Ubuntu here on the blog, migrated to KVM and Ubuntu and am now considering moving back to Xen… on Debian.
Recently I needed to install Xen on one of our machines in our lab at work. KVM was not an option, because the system (a dual-Xeon with HT) didn’t have hardware virtualization support. When I last used it, Xen 3 was a pain in the ass with its patched old kernel and fully-virtualized guests didn’t perform well. But Xen 4 now has support in the upstream kernel so I thought I’d give it a try… Installation went fine using aptitude. Everything got set up right. But there seems to be a bug with VGA output though. I didn’t get a login prompt or any init-script output until I removed ‘quiet’ from the kernel’s bootloader options. But this seems to be hypervisor related, as it does work with the Xen kernel but without the hypervisor underneath it. So, if all you get is something like
ERROR: Unable to locate IOAPIC for GSI 9
try removing quiet from your bootloader configuration…
Hi, my name is Chris. I am a wannabe photog, traveler & geek that lives in Hesse, Germany. 