Posts

Showing posts from 2012

OpenVPN on EC2/AWS

EC2 Instance
Allow UDP to port 1194 under the instance's security groupto the world or just your IP network Install and configure OpenVPN instance/server
apt-get install openvpncd /etc/openvpnopenvpn --genkey --secret my.keyPut code below into /etc/openvpn/server.confRun: openvpn --config /etc/openvpn/server.confLeave running while taking remaining stepsAllow NATmodprobe iptable_natecho 1 | sudo tee /proc/sys/net/ipv4/ip_forwardiptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADEChecks for the paranoidlsof -nP -ilsof -c openvpn
port 1194
proto udp
dev tun
secret /etc/openvpn/my.key
ifconfig 192.168.2.1 192.168.2.2
keepalive 10 120
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3

If on Mac, use tunnelblick to open a file like myopenvpn.ovpn with below codeReplace hostname with yoursYou'll need the my.key file in the same directory as the myopenvpn.ovpn fileOn LinuxPut below in /etc/openvpn/client.confPut my.key in /etc/openvpn as wellRun: openvpn --config /etc…

Create a git server

Git Create a git serverapt-get install gitadduser gitBecome the git user and add team's ssh keys to /home/git/.ssh/authorized_keysChange the git user's shell in /etc/passwd to /usr/bin/git-shell or to whichever path it is otherwise locatedmkdir /opt/gitchown -Rv git.git /opt/gitchmod -Rv g+ws /opt/gitcd /opt/gitmkdir myproject.gitcd myproject.gitgit init --bare --sharedSee addition to /opt/git/myproject.git/config belowmv /opt/git/myproject.git/hooks/post-update.sample /opt/git/myproject.git/hooks/post-updateOn your local computer do:
mkdir ~/tmpcd ~/tmp git config --global user.name "Your Full Name" git config --global user.email your.name@abc.netgit initgit add .git commit -m 'initial commit'git remote add origin git@git.yourserver.com:/opt/git/myproject.gitgit push origin master
NOTE: if you get an error that origin already exists, do "git remote rm origin" before pushDebug the set up, this guide probably has a few mistakes Add this to /opt/git/myp…

ARM on Linux

Quote: ACK packets and Quality of Service (qos)

"When you download, your computer needs to send (upload) ACK packets. These are basically saying "yep, I got that part of the download OK". If the computer you are downloading from detects that an ACK has not been received, it assumes that the data was not received and sends it again. The rate at which ACKs are sent back is also used to help determine the maximum speed that you can download data at, so it's important that ACKs get sent as soon as possible and don't get dropped in order to keep your downloads flowing fast. Also, repeatedly dropped ACKs can result in dropped connections, web page time-outs etc."

sed with the capital E option on the Linux CLI

No, you are not crazy, sed on Linux has a secret, BSD compatible option, -E that is equivalent to -r.

Change default text editor for crontab to vim

sudo update-alternatives --config editor

ARP mechanism

Computers Matterhorn and Washington are in an officeconnected to each other on the office local area network by Ethernet cables and network switches, with no intervening gateways or routersMatterhorn wants to send a packet to WashingtonThrough other means, it determines that Washington's IP address is 192.168.0.55. In order to send the message, it also needs to know Washington's MAC address. First, Matterhorn uses a cached ARP table to look up 192.168.0.55 for any existing records of Washington's MAC address (00:eb:24:b2:05:ac). If the MAC address is found,it sends the IP packet on the link layer to address 00:eb:24:b2:05:ac via the local network cabling. If the cache did not produce a result for 192.168.0.55, Matterhorn has to send a broadcast ARP message (destination FF:FF:FF:FF:FF:FF) requesting an answer for 192.168.0.55. Washington responds with its MAC address (00:eb:24:b2:05:ac). Washington may insert an entry for Matterhorn into its own ARP table for future use.The…

No http on port 2812 for monit

FAIL!

set httpd port 2812 and use the address localhost
  allow localhost

Problemmonit doesn't listen on port 2812even though it is clearly in the config file Possible issuesIs there a "delay" set in your config?monit won't listen until this delay has passedSolutionWait, usually a minute by default, and check the port againGet rid of the delay in the config and restart monit

VLAN on Linux CLI

Turn off all "Network Manager" type processes and applicationsComment out /etc/network/interfaces entries evenDo all commands as the root userMonitoring changesIn one terminal, run this command and watch it as you execute the commands below to see what is changingsudo watch -d 'ip addr;echo =====;ip link;echo =====;ip route'Add VLANip link add link eth0 name eth0.20 type vlan id 20ip link set dev eth0 upip link set dev eth0.20 upip addr add 192.168.20.190/24 dev eth0.20ip route add default via 192.168.20.1For any other VLANs, change the "20" in the commands above to the desired VLAN, e.g.ip link add link eth0 name eth0.100 type vlan id 100Delete VLANip link delete eth0.20Abstract commandsCreateip addr add IP/NETMASK dev INTERFACE.VIDip link set dev INTERFACE.VID upip addr add 192.168.100.101/24 dev eth0.100ip link set dev eth0.100 upDestroyip link set dev INTERFACE.VID downip link set dev eth0.100 downip link delete INTERFACE.VIDip link delete eth0.100Notes…

Anti-window, anti-desktop Linux desktop

Install base debian with NO additional packagesapt-get install xorg openbox obmenu slim terminator firefox wicd-gtkrebootLog in to openbox via slimRight-click on blank desktop and open default terminalRun obmenuEdit ~/.config/openbox/menu.xml to add things you likeSet up network including wireless using early post on this blogIt is not easybut nice to know once you learn

Debugging pfsense firewall rules clearly and easily

Status -> System logs -> SettingsMake sure Log packets blocked by the default rule is not checkedCheck Show log entries in reverse orderIncrease to 500 Number of log entries to showStatus -> System logs -> Settings -> Firewall Dynamic ViewYou don't have to hit refreshNormal ViewMake sure to hit refresh if you expect a rule was triggered by your or others actionsFirewall -> RulesUnder the interface(s) you want to debugCreate a default deny rule at the end of the rule listChoose Log packets that are handled by this ruleGive the rule a very unique nameFor other rules you want to debugChoose Log packets that are handled by this ruleGive the rule a very unique nameHang out on Status -> System logs -> Firewall -> Dynamic ViewTweak rules until you see the result you desirePackets blocked that should be blockedPackets allowed that should be allowedClick on the red/green blocked/accepted iconsWill show a pop-up for the rule triggered, showing the unique name you …

VLANs with iproute on CLI

Set up VLAN "20" on eth0
Baseip link add link eth0 name eth0.20 type vlan id 20ip link set dev eth0 upip link set dev eth0.20 upManually assignip addr add 192.168.20.100/24 dev eth0.20ip route add 192.168.20.0/24 dev eth0.20ip route add default via 192.168.20.1 Delete
ip route delete 192.168.20.0/24 dev eth0.20ip link set dev eth0.20 down ip link delete eth0.20 Notes: "name" may be anything you wish, but then in subsequent commands, you must use it, which can be a bit hard to spot. Take a look at "eth0.20", and try changing it to a random string for testing.

pfsense under Virtualbox

This is very brief. Not completely complete. An outline. A hint.
Download pfsense isoDownload Ubuntu Desktop isoCreate a VM for the pfsensetwo interfacesAdaper 1
Enable Network Adapter
NATAdaper 2
Enable Network AdapterInternal Networkintnetadd the pfsense iso as a StorageEmptyOn the far right, there is a disk icon with a drop-down arrowChoose a virtual CD/DVD disk file...Select the pfsense iso on your local driveOKBoot the pfsense and hit "I" (capital eye) at the appropriate time to install pfsense to the VM's hard driveem0 and em1 will be the interfaces to use not found automatically in my caseRest of pfsense install not covered hereInstall Ubuntu as normalAdapter 1use intnetStart up Ubuntu desktop and log into 192.168.1.1or some similar gateway IP Your host computer will not be able to hit the pfsense because your host is considered "outside the firewall". Hence, the trick to use an "inside man", an "inside computer" to reach the pfsense.

N…

Add Virtualbox "Guest Additions" to Ubuntu Desktop 12.04

The VM must be running to install the Guest Additions, so start up the VMOnce the VM window shows the booted instance, find the "Devices" menu option at the very top of the encapsulating window (this is hard to make clear/clarify) but don't do anything with it yet.Make sure you are logged into your user's desktop on the VMOn the VM, make sure your user has root privileges (not covered here), also called "sudo" privilegesChoose Devices -> Install Guest AdditionsConfirm all prompts to download and mount the virtual CD from Virtualbox, this may take a while to download/completeRun the install when promptedReboot the VMSend issues

mac delivery mechanism

your computer has a default gateway set can figure out packet is not destined for the local networkwill use the MAC address of the default gateway default gateway receives the layer-2 framewill see that the MAC address matches it's ownwill un-encapsulate the data link frame and pass the data part up to the network layerat the network layer, layer 3will see that the destination IP address does not match it's ownthis is a packet that is supposed to be routedwill look in it's routing table for the closest matchwhich interface to send the packet out onwill create a new data link frame addressed to the next hopdata portion of this frame sent out the appropriate interfaceprocess will continue at each router along the way
Assume that none of the info in already cached in an ARP table on any of the machines or routers 
your computer wants to send some data to a computer on network 3your computer will create an IP packet addressed to 200.0.3.2your computer will send out an ARP reques…

CLI random break time generator

echo $((RANDOM%20+1)) | xargs -i utimer -c {}m && xfeexport HIGH=$((RANDOM%20+10));for i in `seq 1 ${HIGH}`;do echo $i:${HIGH};sleep 60;done

Cleaning up configuration files of removed Debian packages

If you want to rid yourself of those annoying packages showing up with a "rc" in the first field of "dpkg -l", do this as root, with prejudice:
dpkg -l | egrep '^rc ' | awk '{print $2}' | xargs dpkg -P Let the good times roll!

Debugging Munin loaning graphs locally

ProblemsMunin is a pain to debug remotely -- on prod -- when doing custom "loaning" graphsVarnish gets in the way(might not work, test yourself) fast-cgi doesn't work with new Munin 2.0 dynamic graph generation very well, just comment it out in the Apache configThese issues combined leads to a complete nightmare of caching and having to wait for graphs to be regenerated so you can see your changesTroubleshootingTry this link for perm checkshttp://munin-monitoring.org/wiki/CgiHowtoIMPORTANT: ust turn this on in monit.conf manually, since debian turns it off, and who knows who elsegraph_strategy cgiSolutionGrab /var/lib/munin from production serverInstall Munin 2.x or greater on your local boxComment out the Munin files under /etc/cron* whatever/whereever, so your server doesn't try to update any of the files under /var/lib/muninMove your local copy of /var/lib/munin asideMove the production version of /var/lib/munin into place on your local systemCopy perms of your or…

Wireless with dead-simple Debian install

I had to do these steps to get wireless working with dead-simple install of Debian.
Most commands done as root userThere may be missing steps, let me know, it was a mess to get working, and I don't recall all steps perfectly Steps:
run this the whole time as root to see changes as they occur, or notwatch -d 'ip addr;echo =====;ip link;echo =====;ip route'install broadcom drivers for my network cardBroadcom Corporation BCM4313 802.11b/g/n Wireless LAN Controller/etc/apt/sources.listdeb [arch=amd64,i386] ftp://ftp.fu-berlin.de/pub/unix/linux/mirrors/debian/ wheezy non-freeaptitude updateaptitude install firmware-brcm80211add your user to netdev group and restart Xnetdev:x:113:yourusernameload network card kernel modules into the kernelmodprobe brcmsmacdon't use the "-r" option, only works to reload, not initial load/etc/init.d/dbus reloadno idea what this does or if necessaryapt-get install wireless-tools verifylspci -vshows kernel module used, or not if failed t…