Recipes Vitae: 2012

sabato 17 novembre 2012

Python-stdeb

This is what i've done, to make a shiny python library of mine becomes a fully respectable deb package. Move in your python directory, where everything has been started and create your setup.py file, more or less like this sample:
So, in your directory you list:
Create the stdeb configuration file stdeb.cfg
This file will write parameters in the soon generated DEBIAN/control file. A complete list of the parameters translation is here: http://pypi.python.org/pypi/stdeb#stdeb-cfg-configuration-file
Given that, build your package with:
NOTE: It will compile the package with mypylib-"version"; the version is the one written in setup.py (version="")

enjoy your deb_dist directory.

Mikrotik (winbox): VLAN and bridge

The other day i needed to add a new wifi access point in a new place in our building. Our network, like many others, is partitioned in VLANs. We have almost a dedicated VLAN for any different network segment.

Our best practice, where permitted, is to keep access points as untouched as possible, working the VLANs on the management switches. This develop a better/centralized net control to us. However this time the location was linked to the rest of the infrastructure by a non-management switch.

The "Port 40" is just where the trunk from the unlucky zone, ends on the management switch.

So, since the NON-management switch could not collaborate with us, we are forced to tag the VLAN traffic on the AP itself.

In this article we will start from the default Mikrotik configuration up to achieve our new Bridge for the new VLAN. The only stuff we have already configured, is the switch port (in our case the number 40) marked as tagged with VID 6. Im obviously referring to the management switch.

note: I assume you already have a server for this VLAN (dhcp server and so on ..)

otherwise: http://www.cyberciti.biz/tips/howto-configure-linux-virtual-local-area-network-vlan.html

Let's start opening winbox which allow us to connect the mikrotik through the proper mac address, avoiding lost of connection playing around bridge, VLANs ..

~$ wine winbox.exe

Create the new VLAN interface which will be tied to the master-local port on the router

Why master-local port?

The master-local port on the routerboard is the collection of the slave ports, then i act on that to give the same address (vid 6) for both wireless and every wire connections

Once the VLAN interface is created, move to the "Bridge" tab and close the existing one (bridge-local), by clicking "disable" (the red "X")

.. i've forgot .. this VLAN is basically for guests, so the new bridge will be named "bridge-guest". Open "Bridge" tab and add that:

Move in the near tab "Ports". Double click on "master-local" and replace the "interface" field with the VLAN interface "guest" and the "bridge" field with the just bridge-guest

Configure "wlan1" interface replacing the field "bridge" from ''bridge_local'' to ''bridge_guest''; then go to "IP/DHCP Client". If everything goes ok, you will be able to get an ip address from your server on the other side. When on the tab, click on "+" and in the "Interface" field, choose "bridge-guest". Click ok and

thats all.

lunedì 10 settembre 2012

D-link switches and .. "martians packets" ??

Device: Dlink DGS-1224T
Firmware: 4.21.01
IP addr: 10.2.2.8

I have a VLAN interface on my linux router built on eth2 with VID 6

eth2 = 10.2.2
eth2.6 = 10.6.6 (VLAN)

This VLAN is configured on my Dlink switch as well with untagged VLAN ports. My Dlink management interface is set on 10.2.2

Since we use shorewall as iptables interface, we have found this on syslog:


Sep 10 10:03:56 lurch kernel: [2651431.667008] martian source 10.2.2.1 from 10.2.2.8, on dev eth2.6
Sep 10 10:03:56 lurch kernel: [2651431.667011] ll header: ff:ff:ff:ff:ff:ff:00:15:63:45:05:c5:08:04

Martians ??

A possible explanation:
Packets with 10.2.2 as source reach the Dlink management interface on 10.2.2.8 (for management or just a nagios ping); as reply, the Dlink perform an ARP request like "Who has 10.2.2.x" on every ports, even on the VLAN 10.6.6 ones. As result, the Linux kernel see those 10.2.2 source packets on its eth2.6 interface and complains consequently.

A possible fixaround:
Force Dlink management interface being reachable from one network only, in my case 10.2.2, on "Configuration/802.1Q Management VLAN" tab.

giovedì 6 settembre 2012

Nagios: check_http with --extra-opts

We have to check a https page which needs a login.

We want to store our login informations in a nagios only-readable file.


root@lurch:~# touch /etc/nagios/private/custom.ini
root@lurch:~# chown root.nagios /etc/nagios/private/custom.ini
root@lurch:~# chmod 640 /etc/nagios/private/custom.ini

In this example Im going to create an [https] section which includes the credentials for my login web page. This file, which will be passed to --extra-opts= plugin argument, could contains all the options listed by ./check_http -h command in the literally form. For instance:


./check_http -h
...
-a, --authorization=AUTH_PAIR
    Username:password on sites with basic authentication
...

Then:


root@lurch:~# su - nagios
nagios@lurch:~$ vim /etc/nagios/private/custom.ini


[https]
authorization = *user*:*password*

Let's write the 'commands' section. I want to call this command like 'check_https_auth'


nagios@lurch:~$ vim /etc/nagios/objects/commands.cfg


# zmo: check_https_auth 
define command{
	command_name    check_https_auth
	command_line    $USER1$/check_http -H $ARG1$ -I $HOSTADDRESS$ -s $ARG2$ --ssl -c $ARG3$ -u $ARG4$ --extra-opts=https@/etc/nagios/private/custom.ini
	}

mercoledì 29 agosto 2012

Nagios: check remote hosts via SSH with command validation

Nagios server: Fedora release 16 (Verne)
Nagios remote node: Debian GNU/Linux testing (wheezy)

Basic SSH Configuration
Let's allow the access from the nagios server to the nagios node creating a ssh key passphrase-less:


zmo@nagiosSer:~$ cd .ssh/
zmo@nagiosSer:~/.ssh$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/zmo/.ssh/id_dsa): nagios     
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in nagios.
Your public key has been saved in nagios.pub.
The key fingerprint is:
....

.. so that you will have nagios and nagios.pub from the others


zmo@nagiosSer:~/.ssh$ ls
id_rsa id_rsa.pub nagios nagios.pub

On the remote node create the nagios user and the necessary file


root@nagiosNod:~# adduser nagios
Adding user `nagios' ...
Adding new group `nagios' (1006) ...
Adding new user `nagios' (1006) with group `nagios' ...
...
Enter new UNIX password: xxxxxxxx
Retype new UNIX password: xxxxxxxx
...
root@nagiosNod:~# su - nagios
nagios@nagiosNod:~$ mkdir .ssh
nagios@nagiosNod:~$ touch .ssh/authorized_keys

Paste your pub key, from the nagios server, into the remote nagios authorized_keys file


zmo@nagiosSer:~/.ssh$ cat nagios.pub | ssh nagios@nagiosNod.remote.com 'cat >> /home/nagios/.ssh/authorized_keys'
nagios@nagiosNod.remote.com's password: xxxxxxxx

Have a try


zmo@nagiosSer:~$ ssh -i .ssh/nagios nagios@nagiosNod 
Last login: Tue Aug 28 20:44:54 2012 from nagiosSer
nagios@nagiosNod:~$

On the nagios server


root@nagiosSer:~# yum install nagios-plugins-by_ssh.i686

On the nagios remote node
Install the nagios plugins


root@nagiosNod:~# apt-get install nagios-plugins-basic

NOTE: you can find where the plugins have been stored by


root@nagiosNod:~# dpkg -L nagios-plugins-basic
...
/usr/lib/nagios/plugins/check_apt
/usr/lib/nagios/plugins/check_tcp
/usr/lib/nagios/plugins/check_dummy
/usr/lib/nagios/plugins/check_ntp
/usr/lib/nagios/plugins/check_nwstat
/usr/lib/nagios/plugins/check_load
/usr/lib/nagios/plugins/check_procs
...

On the nagios server
Let's write a SSH config file


root@nagiosSer:~# cd /etc/nagios
root@nagiosSer:~/etc/nagios# vim check_by_ssh_config


Host nagiosNod 84.68.x.x
	User nagios
	Hostname nagiosNod.remote.com
	IdentityFile /home/zmo/.ssh/nagios

This file will be passed as ssh configuration to check_by_ssh. You can obviously add others hosts.

Configure the commands.cfg


root@nagiosSer:~/etc/nagios# vim objects/commands.cfg


# Check Remote Disk
define command {
        command_name    check_remote_disk
        command_line    $USER1$/check_by_ssh -H $HOSTADDRESS$ -F /etc/nagios/check_by_ssh_config -C "/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$"
}

A little explanation:
* $USER$ - the user which nagios run (nagios)
* $HOSTADDRESS$ - the numeric IP address definied in the server configuration file (/etc/nagios/objects/nagiosNod.cfg), mapped on "address" field
* -F /etc/nagios/check_by_ssh_config - The SSH configuration file previously written
* -C /usr/lib/nagios/.. - The command will execute on the remote node

Its better (not mandatory) to put that services in a different group. So, open /etc/nagios/objects/templates.cfg (or services.cfg) and append:


# Remote service
define service{
	name				remote-service
	use				generic-service
        max_check_attempts              4
        normal_check_interval           5
        retry_check_interval            1
        register                        0
	}

Now in /etc/nagios/objects/nagiosNod.cfg file we could append:


define service {
        use                             remote-service
	host_name			nagiosNod
        service_description             Home Partition
        check_command                   check_remote_disk!20%!10%!/home
	}

SSH validation
This step is for allow just the check_* commands execution from the nagios server on the nagios nod; not other commands, not a login or whatever else.

Create a validation commands file:


nagios@nagiosNod:~# touch /usr/local/bin/validate-nagios-check
nagios@nagiosNod:~# chown nagios.nagios /usr/local/bin/validate-nagios-check
nagios@nagiosNod:~# su - nagios
nagios@nagiosNod:~$ vim /usr/local/bin/validate-nagios-check
#!/bin/sh
# Ensure 
case "$SSH_ORIGINAL_COMMAND" in
	*\&*)
		echo "Rejected"
		;;
	*\;*)
		echo "Rejected"
		;;
	/usr/lib/nagios/plugins/check_*)
		exec $SSH_ORIGINAL_COMMAND
		;;
	*)
		echo "Rejected"
		;;
esac

A little explanation: $SSH_ORIGINAL_COMMAND is our /usr/lib/nagios/plugins/check_* . Using exec here, will prevent to open a shell for the command execution but just to exec the command.

Let's back to our authorized_keys. We have to append in the beginnin of the key definition (ssh-dss or ssh-rsa) the string to execute our validate-nagios-check script from the nagios server.


nagios@nagiosNod:~$ vim .ssh/authorized_keys
from="73.224.x.x",command="/usr/local/bin/validate-nagios-check" 
ssh-dss AAAAB3NzaC1kc3MAAACBAKK3jM9O+cmjPufrn9Ie7q+iJJu+1B0bHH6lhfYC8KandEIWP0gMGz4v...
...

You can test the validation script from the nagios server to the node.


root@nagiosSer:~# ssh -i /home/nagios/.ssh/nagios nagios@nagiosNod.remote.com
Rejected
Connection to nagiosNod.remote.com closed.
root@nagiosSer:~# ssh -i /home/nagios/.ssh/nagios nagios@nagiosNod.remote.com /bin/ls
Rejected
root@nagiosSer:~# ssh -i /home/nagios/.ssh/nagios nagios@nagiosNod.remote.com /usr/lib/nagios/plugins/check_http -hcheck_http v1.4.16 (nagios-plugins 1.4.16)
Copyright (c) 1999 Ethan Galstad 
Copyright (c) 1999-2011 Nagios Plugin Development Team
...

mercoledì 22 agosto 2012

Dnsmasq and the network "pushing" on CentOS

This simple post shows you how tu push networks to your clients using the Dnsmasq DHCP server.

A possible scenario would be, your DHCP server (192.168.0.1) gives you 192.168.0.x address but you also need to reach 172.16.x.x and 10.0.x x networks, for access to (for instance) some VPN resources in your LAN. Those networks are NOT handled by your DHCP server. The quick solution is to make your DHCP server "pushing" that networks. And that is possibile thanks to "121" dhcp-option.

Let's assume our network id may be "vicinet" (you can also miss the network id, of course):

dhcp-option = vicinet, 121, 10.0.0.0/16, 192.16.0.1, 172.16.0.0/16, 192.168.0.1

The format will always be:

dhcp-option = 'id_net', 121, NETWORK, GATEWAY

martedì 21 agosto 2012

Shorewall and Pptp VPN on Ubuntu

~# apt-get install shorewall linux-pptp

PPP
Let's create a ppp peer file:

~# vim /etc/ppp/peers/zmo

I ve successfully tried these options

# Zmo PPTP VPN configuration
remotename zmo
linkname zmo
ipparam zmo
pty "pptp 149.79.X.X --nolaunchpppd" (remote VPN endpoint)
name username
require-mppe-128
refuse-eap
noauth
lock
noauth
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate
persist
mtu 1400
mru 1400

Compile the chap-secret file

# Secrets for authentication using CHAP
# client server secret IP addresses
username zmo 2023n5t-w0re *

Network Interface
Fill the /etc/network/interfaces file. You can use the "unit x" parameter. This blessy option allows you to enumerate your ppp device (like ppp0, ppp1, ppp5 ..).

# Zmo Pptp VPN
auto ppp5
iface ppp5 inet ppp
provider zmo
unit 5

Try to get up the link, just giving

~# ifup ppp5

I raccomand to use this file (/etc/network/interfaces) even in the case you wanna add some route/net rules to your VPN device. Use the "post-up" options here.

# Zmo Pptp VPN
auto ppp5
iface ppp5 inet ppp
provider zmo
unit 5
post-up /sbin/route add 149.88.X.X gw 149.19.X.X
post-up /sbin/route add -net 150.84.X.X netmask 255.255.255.0 gw 150.84.X.X

Shorewall
Define a zone for the vpn on shorewall. I will define "zmo"

~# vim /etc/shorewall/interfaces

It should be looks like:

# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
wan eth0 detect tcpflags,nosmurfs,routefilter,logmartians,dhcp
dmz eth1 detect tcpflags,nosmurfs,routefilter,logmartians,dhcp
lan eth2 detect tcpflags,nosmurfs,routefilter,logmartians,dhcp
# VPN pptp
zmo ppp5 detect tcpflags,nosmurfs,routefilter,logmartians

Allow the vpn to be reached just by the lan

~# vim /etc/shorewall/policy

...
# Zmo Pptp VPN
lan zmo ACCEPT
all zmo REJECT
...

Masquerade the VPN traffic from that interface:

~# vim /etc/shorewall/masq

# For information about entries in this file, type "man shorewall-masq"
##############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
ppp5 - -

NOTE: an IP wont be needed here; shorewall will be masquerade the traffic with the interface IP address. Then we just can put a "-" in SOURCE/ADDRESS fields. The IP address would be needed if you would masquerade the traffic with a different IP address.

In the end, compile the "tunnels" shorewall file. You can retrieve a tunnels template file from the doc

~# cp /usr/share/doc/shorewall/default-config/tunnels /etc/shorewall

It should be looks like:

###############################################################################
#TYPE ZONE GATEWAY GATEWAY
# ZONE
pptpclient zmo 0.0.0.0/0

lunedì 25 giugno 2012

Convert HG to Git repository

On Ubuntu:

~# ls
repository.hg
~# apt-get install hg-fast-export
~# git init new_repository.git

~# ls
repository.hg new_repository.git
~# cd new_repository.git
~/new_repository.git# hg-fast-export -r ../repository.hg

You will recieve a summary text in the end, like

git-fast-import statistics:
---------------------------------------------------------------------
Alloc'd objects: 5000
Total objects: 478 ( 14 duplicates )
blobs : 133 ( 14 duplicates 54 deltas of 133 attempts)
trees : 216 ( 0 duplicates 194 deltas of 196 attempts)
commits: 129 ( 0 duplicates 0 deltas of 0 attempts)
tags : 0 ( 0 duplicates 0 deltas of 0 attempts)
Total branches: 4 ( 1 loads )
marks: 1024 ( 129 unique )
atoms: 16
Memory total: 2344 KiB
pools: 2110 KiB
objects: 234 KiB
---------------------------------------------------------------------
pack_report: getpagesize() = 4096
pack_report: core.packedGitWindowSize = 1073741824
pack_report: core.packedGitLimit = 8589934592
pack_report: pack_used_ctr = 901
pack_report: pack_mmap_calls = 215
pack_report: pack_open_windows = 1 / 1
pack_report: pack_mapped = 331971 / 331971
---------------------------------------------------------------------

In the end do:

~/new_repository.git# git checkout HEAD

Test your repo with git log.

giovedì 14 giugno 2012

Migrate PhpBB3 on Ubuntu server

PhpBB version: 3.0.9
Backend: Mysql
Mode: Fcgi

Dump the database

ubuntu~# mysqldump -u root -p phpbb3 > /tmp/phpbb3.sql

On the new machine

new~# apt-get update && apt-get install phpbb3

During the installation, choose to configure mysql/phpbb3 via debconf and answer about passwords in this order
* Mysql root password
* Phpbb3 database password
* Phpbb3 admin interface password

Afterwords, setup the web server. You have a configuration example in /etc/phpbb3/apache2.conf; you can directly copy this file in your /etc/apache2/sites-available directory and run

new:/etc/phpbb3# cp apache2.conf /etc/apache2/sites-available/phpbb3
new:/etc/phpbb3# cd /etc/apache2/sites-available/
new:/etc/apache2/sites-available# a2ensite phpbb3 && service apache2 reload

Try to login and surf the admin interface (APC). If you had a custom theme in the previous server, do the follow:

ubuntu~# scp -r /srv/phpbb3/theme/ (or wherever it is) new:/usr/share/phpbb3/styles

Important , make a sym link in /etc/phpbb3/styles directory to make phpbb see the custom theme

new~# cd /etc/phpbb3/styles
new:/etc/phpbb3/styles# ln -s /usr/share/phpbb3/styles/theme theme

Once the link is ok, configure the new theme in the APC (administrative panel)

If everything seems to be fine, move on and restore the database

new~# mysql -u root -p phpbb3 < phpbb3.sql

Configure FCGI

new~# apt-get install php5-cgi
new~# cd /etc/apache2/
new:/etc/apache2/# a2dismod php5
new:/etc/apache2/# service apache2 restart

Setup fcgi environment

new~# cd /srv (or wherever you'll locate it)
new:/srv# mkdir php-fcgi
new:/srv# cd (alt+.)
new:/srv/php-fcgi# ls
phpbb.fcgi
phpbbrc -> /etc/php5/cgi/

phpbb.fcgi

#!/bin/sh
PHP_FCGI_MAX_REQUESTS=10000
PHP_FCGI_CHILDREN=0
export PHPRC=/srv/php-fcgi/php53rc
export PHP_FCGI_MAX_REQUESTS PHP_FCGI_CHILDREN
# Replace with the path to your FastCGI-enabled PHP executable
exec /usr/bin/php-cgi

NOTE: phpbbrc is a link to /etc/php5/cgi/ directory

The virtualhost section should be something like

<VirtualHost *:80>
    ServerName forum.example.org
    DocumentRoot /usr/share/phpbb3/www
    ErrorLog /var/log/apache2/forum_error.log
    CustomLog /var/log/apache2/forum_access.log combined
    Alias / /usr/share/phpbb3/www/

   <Directory>
      Order allow,deny
      Allow from all
      Options +ExecCGI
      AddHandler fcgid-script .php
      FcgidWrapper /srv/php-fcgi/phpbb.fcgi .php
   </Directory>
</VirtualHost>

Try to load a forum page and check with

new~# ps ax | grep cg[i]
2248 ? S 0:00 /usr/bin/php-cgi

that php-cgi is running ..

domenica 15 gennaio 2012

Handle voip customers with Siproxd on CentOS 5.7

Install Libosip2

cd /usr/local/src
wget http://www.antisip.com/download/exosip2/libosip2-3.5.0.tar.gz
tar xvf libosip2-3.5.0.tar.gz
yum install gcc
cd libosip2-3.5.0
./configure
make
make install
ll /usr/local/lib

Create a new file in /etc/ld.conf.d

echo "/usr/local/lib" > /etc/ld.conf.d/local.conf
ldconfig

Install Siproxd

cd /usr/local/src
wget http://sourceforge.net/projects/siproxd/files/siproxd/0.8.1/siproxd-0.8.1.tar.gz/download
tar xvf siproxd-0.8.1.tar.gz
cd siproxd-0.8.1/
./configure --with-libosip-prefix=/usr/local/lib
make
make install

Do this:

yum remove gcc

Create siproxd user:

useradd -c "Siproxd user" -r -s /bin/nologin siproxd

Basic Siproxd configuration:

vim /etc/siproxd_customer-name.conf

if_inbound = eth0
if_outbound = eth0

sip_listen_port = 5070
daemonize = 0
silence_log = 1
user = siproxd

hosts_allow_reg = 11.22.33.44/16

registration_file = /var/lib/siproxd/siproxd_registrations
autosave_registrations = 300
pid_file = /var/run/siproxd/siproxd.pid

outbound_proxy_host = voip.provider.example.com
outbound_proxy_port = 5060

rtp_proxy_enable = 0
rtp_port_low = 27000
rtp_port_high = 27100
rtp_timeout = 300
rtp_dscp = 46
sip_dscp = 0
rtp_input_dejitter = 0
rtp_output_dejitter = 0
tcp_timeout = 600
tcp_connect_timeout = 500
tcp_keepalive = 20

debug_level = 0x00000000
debug_port = 0

Start siproxd:

/usr/local/sbin/siproxd

Some explanations:
if_inbound/if_outbound - It's the same interface (eth0) because we just have one
hosts_allow_reg - Put here your customer IP (if he has a static one) with the right mask (/16, /24..); you can calculate the mask using a subnet calculator (http://www.subnet-calculator.com)
rtp_proxy_enable = 0 - We just want to proxy the signaling protocol (SIP) not the audio stream (RTP)
outbound_proxy_host - Put here the customer voip provider that you want to connect to

Before setup asterisk, try siproxd configuration using a softphone such as twinkle, ekiga.. It's better a softphone which includes a "Outbound Proxy" field. Twinkle does the trick.

Twinkle example configuration_
User Tab:
User name* = user ID for voip.provider.example.com
Domain* = user ID for voip.provider.example.com
Authentication Name = password for voip.provider.example.com

SIP server Tab:
check on Use Outbound Proxy
Outbound Proxy = your.siproxd.server:5070

If something goes wrong revisit you siproxd configuration running siproxd in debug mode:

/usr/local/sbin/siproxd -c /etc/siproxd_customer-name.conf -d -1 2

NOTE: do different "/etc/siproxd_customer-name.conf" files to give to each siproxd instance you need.

Asterisk trunk configuration
(on the customer PBX)

contact="user ID for voip.provider.example.com"
context=from-trunk
fromuser="user ID for voip.provider.example.com"
outboundproxy="your.siproxd.server:5070"
type=peer
nat=never
host="your.siproxd.server"
port=5070
insecure=very
secret="password for voip.provider.example.com"
username="user ID for voip.provider.example.com"

NOTE: i'm currently still testing this setup. It works pretty fine, but i cant hide some weird behavior with asterisk trunk. For instance, it's easy encounter a voip congestion placing 2 calls one after another. Using siproxd directly with twinkle doesn't. Given this, the trunk works. Any tips will be appreciate