News items for tag english - Koos van den Hout

2010-08-26
I like nice images, usually photographs I made myself or interesting images from the Transmission Gallery which has a great set of transmission wallpapers.

I collect a few in a directory, and there is an easy way to show these on an X background when you use xscreensaver anyway:

$ xscreensaver-getimage -directory background -root
This will select a random image from directory 'background' and display it on the root window.
2010-08-25
When I want to make IPv4-legacy-only services available via IPv6 there are some options: an application-specific proxy like the prolocation ipv6 proxy based on squid. A number of high-profile sites are available this way, including for example:
$ host www.spitsnieuws.nl
www.spitsnieuws.nl is an alias for spitsnieuws.nl.
spitsnieuws.nl has address 81.173.64.62
spitsnieuws.nl has IPv6 address 2a00:d00:ff:131:94:228:131:131
spitsnieuws.nl mail is handled by 100 smtpscan-nl1.telegraaf.nl.
spitsnieuws.nl mail is handled by 100 smtpscan-nl2.telegraaf.nl.
But that is web-only. And with some reloads I can make it show an HTTP 503 proxy error, which is not the answer I want to see on a high-profile website like www.spitsnieuws.nl as a visitor, let alone as the owner of the site or the advertiser.

Something I have mentioned before: if you want to implement IPv6 correctly, give it the same amount of monitoring and care as IPv4. Otherwise you're making yourself hard to reach for IPv6-enabled visitors which may damage either your website image or the image of IPv6. Both are bad.

The other option is not the application proxy but address translation. With IPv6 allocations every IPv6 end-user gets enough address space to map the entire IPv4 Internet. I have been thinking about that option for a while and then I came across NAT is evil - www.me.uk RevK's rants. Not IPv4 NAT as we know it, but NAT64 translating IPv6 address space to IPv4 address space. The trick or treat daemon mentioned in the article is the nameserver part for doing DNS64.

But the hard translating work will need to be done in pTRTd, the Portable Transport Relay Translator Daemon.

The default is dangerous from a firewall perspective: you still set up a proxy for the entire IPv4 address space. That can be contained with some serious firewall rules on the IPv6 side (default drop, and only allow certain addresses and services). I could see an option to do some experimenting with this at work: very carefully selecting certain outward-facing services, setting up the firewall and publishing the AAAA records in DNS.

Yes, NAT is evil. NAT64 is evil too, it hides the entire IPv6 Internet behind one IPv4 address without any headers to indicate what the original address was (which the squid proxy solution does offer). But that is one more incentive to upgrade the service to native IPv6 connectivity.
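To make the address mapping concrete, here is an added example (not code from the post, nor from totd or pTRTd) of what the DNS64 side does: it embeds an IPv4 address in the low 32 bits of a /96 IPv6 prefix as in RFC 6052, synthesizes an AAAA only when a name has no native AAAA, recovers the IPv4 address a translator would connect to, and applies the allowlist check the firewall-rules paragraph calls for, where everything not explicitly mapped to an allowed IPv4 network is dropped. The well-known prefix 64:ff9b::/96 is from RFC 6052; the site prefix 2001:db8:64::/96 and the allowlist are hypothetical, and the spitsnieuws.nl addresses are the ones shown in the host output above.

```python
import ipaddress

# RFC 6052 well-known prefix for NAT64/DNS64. A site with its own allocation
# can instead carve a /96 out of that: one /96 maps the whole IPv4 Internet.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
# Hypothetical site translator prefix, taken from the documentation range (assumption).
SITE_PREFIX = ipaddress.IPv6Network("2001:db8:64::/96")
# Hypothetical allowlist: the only IPv4 networks the translator may be used for (assumption).
ALLOWED_V4 = [ipaddress.IPv4Network("81.173.64.0/24")]


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 prefix (RFC 6052 layout)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Reverse of synthesize_aaaa: the IPv4 address a translator would connect to,
    or None when the address is not inside the translation prefix (native IPv6)."""
    addr = ipaddress.IPv6Address(str(ipv6))
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def dns64_answer(a_records, aaaa_records, prefix=WELL_KNOWN_PREFIX):
    """What a DNS64 resolver hands back for a name: native AAAA records when there
    are any (no synthesis, second value False), otherwise one synthesized AAAA per
    A record (second value True). This is the RFC 6147 rule, not totd's exact code."""
    if aaaa_records:
        return [ipaddress.IPv6Address(a) for a in aaaa_records], False
    return [synthesize_aaaa(a, prefix) for a in a_records], True


def permitted(dest_ipv6, allowlist, prefix=WELL_KNOWN_PREFIX):
    """Default-drop check for the IPv6 side of the translator: a destination passes
    only if it is a translated address whose IPv4 part is in an allowed network."""
    v4 = extract_ipv4(dest_ipv6, prefix)
    return v4 is not None and any(v4 in net for net in allowlist)


if __name__ == "__main__":
    # spitsnieuws.nl has a native AAAA, so DNS64 leaves it alone
    print(dns64_answer(["81.173.64.62"], ["2a00:d00:ff:131:94:228:131:131"]))
    # a legacy-only name gets a synthesized address under the site prefix
    addrs, synthesized = dns64_answer(["81.173.64.62"], [], SITE_PREFIX)
    print(addrs, synthesized, permitted(addrs[0], ALLOWED_V4, SITE_PREFIX))
```

Note the limits this example shares with the post's setup: a /96 prefix is the only layout handled, and the check only decides which IPv4 destinations are reachable; which IPv6 sources may use the translator is a separate rule on the same firewall.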

2010-08-21
Shednet is up
Server and network in the shed, up and running complete with IPv6. It won't get an IP55 rating (being able to deal with a bit of water) but it pings, measures the powerline network throughput and makes pretty graphs of that throughput.

Somehow I found this an interesting sight to photograph. And I like the term Shednet.
Update 2010-08-22: I remembered why I originally got the idea to test a PC in the shed: to test a weather-station in the shed as a preparation for doing something again for project sundial. The "powered by alternative energy" part of that project isn't going to be implemented: solar panels would be really expensive but something really low-power with Linux in a (semi-)outdoor housing would work nicely for a weather station and ntp server.

So the first component is tested: I can get a system running there complete with network. Now to find some time to set up the PC and a weather station and measure temperature and humidity in the shed.
2010-08-17
With Ubuntu 8.04 server on the home server greenblatt I got a daily mail:
Subject: Cron  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )

/etc/cron.daily/logrotate:
Re-opening all log files
Re-opening all log files
Re-opening all log files
And I couldn't really find the source. But a Google search for logrotate mail 're-opening' helps: it is caused by logrotate and mailman, filed as Bug #244233 in mailman (Ubuntu): “Logrotate is noisy with: Re-opening all log files”. The fix is simple: make mailman be quiet in /etc/logrotate.d/mailman. A patch is attached to the Ubuntu bug.
2010-08-11
I enhanced the zabbix system monitoring to also work on aacraid based controllers. Google searching found me How to check the health of an Adaptec RAID array which shows that the right command-line tool is nowadays arcconf which can be found at Adaptec support for RAID products. Select the right type and click through a few times where you will find the storage manager downloads (not the drivers!). The latest 'adaptec storage manager' includes 'arcconf'. After installing, arcconf produces a lot of output, but the line I am interested in is easy to find:
# /usr/StorMan/arcconf GETCONFIG 1 | grep Defunct
   Defunct disk drive count                 : 0
which is exactly what I want. Again a special UserParameter in zabbix_agentd.conf:
UserParameter=aacraid.okdisk,/etc/zabbix/external/aacraid.okdisk
A script to do the actual work:
#!/bin/sh
# aacraid.okdisk
# Print the value of the 'Defunct disk drive count' line (6th field) for controller 1

sudo /usr/StorMan/arcconf GETCONFIG 1 | awk ' /Defunct disk drive count/ { print $6 } '
And a change in sudoers to allow this. Allowing /usr/StorMan/arcconf as is did not work because of the capitals but a more general rule helped. Now I can check for the number of disks with problems and warn accordingly (0 disks with problems is ok, 1 disk is warning, > 1 is disaster).
2010-08-10
As part of the work on system monitoring I am looking into monitoring RAID units. The beta-ict department uses a number of raid units and data gets replicated between buildings.

I want a warning when a disk goes down. The 3ware disk controller has a nice web interface but I can't integrate that (easily..) into zabbix. What I did was install the tw_cli command line utility from the 3ware/LSI RAID controller site (look up your type of controller, find 'support and downloads' and you will see CLI utils for lots of Unix versions), which makes life easy:

# tw_cli show

Ctl   Model        (V)Ports  Drives   Units   NotOpt  RRate   VRate  BBU
------------------------------------------------------------------------
c0    9650SE-16ML  16        15       1       1       1       1      OK
What I want to know is the number of not-optimal disks (yes, indeed one is broken at the moment and needs replacement). That I can monitor in zabbix, when I pick up the value with a script:
#!/bin/sh
# /etc/zabbix/external/3ware.okdisk
# Print the NotOpt column (6th field) of the line for controller c0

sudo /usr/local/sbin/tw_cli show | awk ' /^c0/ { print $6 } '
Root access via sudo which means a line in /etc/sudoers which allows /usr/local/sbin/tw_cli from the zabbix user, and the right setting in zabbix_agentd.conf to bind this script to a user parameter:
UserParameter=3ware.okdisk,/etc/zabbix/external/3ware.okdisk

Now I can program a trigger on the output: 0 is ok, 1 is warning, > 1 is disaster. I added an extra action on the trigger to mail the output of tw_cli '/c0 show' to the admins so we know which disk is broken.

Now to do the same for adaptec (aacraid) based raids.
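The two posts above (3ware via tw_cli, Adaptec via arcconf) both boil down to pulling one counter out of a tool's output and mapping it to the same 0 / 1 / >1 trigger levels. As an added example, not the page's own scripts and not something zabbix or the vendors ship, here is that logic in Python with the parsing made a little more robust than the awk one-liners: the tw_cli column is located by its header name instead of a fixed field position, and a missing line raises instead of silently producing an empty value. The sample outputs are constructed, laid out like the output quoted in the posts; the extra arcconf lines around the one that matters are an assumption about the surrounding text, not copied from a real controller.

```python
import re

# Constructed sample, in the layout of the 'tw_cli show' output quoted in the post.
TW_CLI_SHOW = """\
Ctl   Model        (V)Ports  Drives   Units   NotOpt  RRate   VRate  BBU
------------------------------------------------------------------------
c0    9650SE-16ML  16        15       1       1       1       1      OK
"""

# Constructed sample; only the 'Defunct disk drive count' line is from the post,
# the surrounding lines are assumed filler to show the parser ignoring them.
ARCCONF_GETCONFIG = """\
Controllers found: 1
----------------------------------------------------------------------
Controller information
----------------------------------------------------------------------
   Controller Status                        : Optimal
   Defunct disk drive count                 : 0
   Logical devices/Failed/Degraded          : 1/0/0
"""


def tw_cli_notopt(output, controller="c0"):
    """NotOpt counter for one controller from 'tw_cli show'.

    The column is found by its header name, so a controller model string of a
    different width does not shift the field the way a hard-coded $6 would.
    """
    lines = [line for line in output.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty tw_cli output")
    header = lines[0].split()
    if "NotOpt" not in header:
        raise ValueError("no NotOpt column in tw_cli output")
    col = header.index("NotOpt")
    for line in lines[1:]:
        fields = line.split()
        if fields and fields[0] == controller:
            return int(fields[col])
    raise ValueError(f"controller {controller} not listed")


def arcconf_defunct(output):
    """'Defunct disk drive count' from 'arcconf GETCONFIG <n>' output."""
    m = re.search(r"^\s*Defunct disk drive count\s*:\s*(\d+)\s*$", output, re.M)
    if not m:
        raise ValueError("no 'Defunct disk drive count' line in arcconf output")
    return int(m.group(1))


def severity(bad_count):
    """The trigger levels used in both posts: 0 ok, 1 warning, more is disaster."""
    if bad_count == 0:
        return "ok"
    if bad_count == 1:
        return "warning"
    return "disaster"


if __name__ == "__main__":
    # A zabbix UserParameter script would run the tool here and print one number.
    for name, count in (("3ware", tw_cli_notopt(TW_CLI_SHOW)),
                        ("aacraid", arcconf_defunct(ARCCONF_GETCONFIG))):
        print(name, count, severity(count))
```

Raising on unexpected output is deliberate: a UserParameter script that prints nothing makes the item show up as not supported in zabbix, which is a better signal than a quietly printed 0 that looks like a healthy array.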
2010-08-10
Interesting patterns in the security logs again:
Aug 10 00:19:42 greenblatt sshd[22045]: Bad protocol version identification '\200b\001\003\001' from 207.70.60.20
Aug 10 00:19:43 greenblatt sshd[22071]: Bad protocol version identification '\200b\001\003\001' from 209.19.175.124
Aug 10 00:19:44 greenblatt sshd[22072]: Bad protocol version identification '\200b\001\003\001' from 207.70.47.249
Aug 10 00:19:45 greenblatt sshd[22073]: Bad protocol version identification '\200b\001\003\001' from 207.70.41.212
Aug 10 00:19:45 greenblatt sshd[22074]: Bad protocol version identification '\200b\001\003\001' from 207.70.39.65
Aug 10 00:19:46 greenblatt sshd[22075]: Bad protocol version identification '\200b\001\003\001' from 69.5.238.171
Aug 10 00:19:47 greenblatt sshd[22076]: Bad protocol version identification '\200b\001\003\001' from 206.206.50.92
Aug 10 00:19:48 greenblatt sshd[22078]: Bad protocol version identification '\200b\001\003\001' from 207.70.3.141
Notice the timing. Makes me wonder what is going on.
Update: On Twitter by @xs4cso: “Major rise in SSH brute force attacks and complaints overnight. Weak passwords to blame.” (source)
Update: Whois gives an interesting link between most of those IPs: they are all (but one) in network space owned by solution pro web hosting.
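The bytes sshd logged are worth decoding, since OpenSSH writes non-printable characters of the received line as octal escapes: '\200b\001\003\001' is 0x80 0x62 0x01 0x03 0x01, which is the start of an SSLv2-compatible ClientHello (two-byte record header with the high bit set and length 0x62 = 98, message type 1 = CLIENT-HELLO, client version 3.1 = TLS 1.0). Whatever was scanning spoke SSL/TLS to port 22, and did so from many addresses within a few seconds. As an added example (not from the post, not an OpenSSH or fail2ban component), here is detection logic that parses those lines, decodes the banner, classifies it and flags a burst of distinct sources in a short window. The log lines are constructed: the first eight reproduce the post's lines, the last one with 198.51.100.7 (a documentation address) is invented to show a different classification, and the year is assumed to be 2010 because syslog timestamps carry none.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample: the eight lines quoted in the post plus one invented
# HTTP probe from a documentation address, to show a second classification.
SAMPLE_LOG = r"""
Aug 10 00:19:42 greenblatt sshd[22045]: Bad protocol version identification '\200b\001\003\001' from 207.70.60.20
Aug 10 00:19:43 greenblatt sshd[22071]: Bad protocol version identification '\200b\001\003\001' from 209.19.175.124
Aug 10 00:19:44 greenblatt sshd[22072]: Bad protocol version identification '\200b\001\003\001' from 207.70.47.249
Aug 10 00:19:45 greenblatt sshd[22073]: Bad protocol version identification '\200b\001\003\001' from 207.70.41.212
Aug 10 00:19:45 greenblatt sshd[22074]: Bad protocol version identification '\200b\001\003\001' from 207.70.39.65
Aug 10 00:19:46 greenblatt sshd[22075]: Bad protocol version identification '\200b\001\003\001' from 69.5.238.171
Aug 10 00:19:47 greenblatt sshd[22076]: Bad protocol version identification '\200b\001\003\001' from 206.206.50.92
Aug 10 00:19:48 greenblatt sshd[22078]: Bad protocol version identification '\200b\001\003\001' from 207.70.3.141
Aug 10 03:12:09 greenblatt sshd[23001]: Bad protocol version identification 'GET / HTTP/1.0' from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Bad protocol version identification '(?P<banner>.*)' from (?P<src>\S+)$"
)

Event = namedtuple("Event", "when src raw kind")


def unescape_banner(text):
    """Undo sshd's logging escapes: \\ooo octal for non-printable bytes, \\\\ for a backslash."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\" and re.fullmatch(r"[0-7]{3}", text[i + 1:i + 4] or ""):
            out.append(int(text[i + 1:i + 4], 8))
            i += 4
        elif text[i] == "\\" and text[i + 1:i + 2] == "\\":
            out.append(0x5C)
            i += 2
        else:
            out.append(ord(text[i]) & 0xFF)
            i += 1
    return bytes(out)


def classify(raw):
    """Name what the client actually sent instead of an SSH version string."""
    if len(raw) >= 5 and raw[0] & 0x80 and raw[2] == 0x01:
        length = ((raw[0] & 0x7F) << 8) | raw[1]      # SSLv2 2-byte record header
        return (f"SSLv2-compatible ClientHello, record length {length}, "
                f"client version {raw[3]}.{raw[4]}")
    if raw[:4] in (b"GET ", b"HEAD", b"POST"):
        return "HTTP request sent to the SSH port"
    return "unknown"


def parse_log(text, year=2010):
    """Turn sshd 'Bad protocol version identification' lines into Events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        raw = unescape_banner(m["banner"])
        events.append(Event(when, m["src"], raw, classify(raw)))
    return events


def find_bursts(events, window_seconds=10, min_sources=5):
    """Windows of at most window_seconds containing at least min_sources
    distinct source addresses; one burst per non-overlapping window."""
    events = sorted(events, key=lambda e: e.when)
    bursts, i = [], 0
    while i < len(events):
        j = i
        while (j + 1 < len(events)
               and (events[j + 1].when - events[i].when).total_seconds() <= window_seconds):
            j += 1
        sources = {e.src for e in events[i:j + 1]}
        if len(sources) >= min_sources:
            bursts.append((events[i].when, events[j].when, sorted(sources)))
            i = j + 1
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(e.when.time(), e.src, e.raw, e.kind)
    for start, end, sources in find_bursts(evs):
        print(f"burst {start.time()}-{end.time()}: {len(sources)} sources")
```

The burst rule is the automated form of "notice the timing": eight distinct addresses in six seconds is not a single misconfigured client. Who owns the address space, as the whois update above shows, still has to come from outside the log.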
2010-08-07
After adding surge protection to the ISDN line coming into the asterisk server I went out and got the Trust surge guard PW-3500.

Note the “This product is no longer available in the current Trust assortment” on the Trust website. I bought it at MyCom: Trust UPS & Overspanningsbeveiliging Surge PW-3500 - MyCom.nl, and I noticed on the outside of the package that it does not mention whether it can be used with an ADSL modem; it just mentions phones and fax machines. A note about suppressing high-frequency interference made me wonder whether it might filter high-frequency signals on the phone line a bit too much, killing ADSL throughput. The salesperson at MyCom could not tell either. But MyCom has customer-friendly policies for returning articles which aren't what you expected. Even "I could not make it run with Linux" is a valid reason for returning it. So I took it home, and the first thing I noticed in the manual inside the package is that it states that this surge protector is also designed for ADSL. They could have mentioned that on the outside.

So now it is living in the phone line (and power supply) for the ADSL line.
2010-08-06
Noticed something new in the Twitter user interface today: "Who to follow". On the first view it sounds a bit like the Amazon "People who bought this item might also like", where buying a book about parachute diving will give you a recommendation for clean underwear. But who I follow is a decision I make myself, and I need more information.

So, my recommendations to Twitter:

  • An off-switch. Completely, not just collapsing it but gone from my view.
  • An information popup when I hover over the name just like in the timeline.
  • An off-switch. I mean it.
  • While you are at it: an off-switch for 'trending'.
  • Did I mention the option to switch it off?
2010-08-04
After reading When Lightning Strikes - by Johannes Ullrich - ISC sans diary I was reminded that I could do a bit more about surge protection. We don't live in Florida, but we do have lightning storms and they can damage equipment.

The first step was easy: rerouted a few cables, and now the incoming ISDN line goes through the network/phone/ISDN surge protector on the APC Back-UPS CS 350VA. The surge protector is there, so it is a better idea to use it. I have seen the inside of an ISDN/ADSL splitter after a lightning strike and that was not a good sight.

Maybe I'll get a surge protector for the adsl modem too.

2010-08-03
Sometimes between all the rants, hacks and IPv6 promotion it is time for quite different personal news:

I hope to become a father in December of this year.

It is already a special experience, and it will probably get more special.
2010-08-03
There is an interesting relation between 'website with technical subject' and 'visitors with IPv6'. I counted the number of unique addresses of visitors via IPv6 to several websites I run for the month of July 2010 and found the following percentages: Comparing it to July 2009 (percentages between parentheses) does show growth.
2010-08-03
I've done some work on the weather map site. I'm improving the plotting script to have a better abstraction of data and plotting so I can do plots for multiple countries.

As a first I'm plotting Denmark. The reasons are simple: it's a not too big country and has a reasonable number of weather stations.

Weather maps Denmark.

Now to see if that gives visitors :)
2010-08-02
I wanted to install an extra package on the wardriving box but found out that my choice of distribution, Debian etch, is not available anymore, not even as 'oldstable'. A bit of searching finds that I need to look in the Debian distribution archives.

I'm not sure whether I'll keep using Debian versions for the wardrive-box. I want something nice and small and manageable, and the option for a custom kernel (no initrd, preferably no udev).

The interesting bit is that I built the wardriving box in January - February 2008 and it basically ran regularly since that time without software problems.

The extra package I wanted to try is lm_sensors, for the other project: Sundial. I was wondering how high/low the system temperature would get, and whether it would stay within the 0 - 50 °C range. An IP55 rated case might be a good idea for use in the garden shed (which is semi-outdoors). The question is: will the mainboard stay above 0 °C when it is -15 °C outside? I know from the wardriving box that the Alix board generates some heat, but is it enough to keep itself warm?

The Alix.1c/1d have a temperature sensor, according to Getting started with voyage linux it should work with the w83627hf driver which indeed loads and gives a readout.

I came across the alix.1 series hardware while looking for something low-power for project sundial. Later calculations showed the 'powered by the sun or wind' part of that project would be too expensive compared to just using a plug.

Update: The archived etch works, but lm-sensors wants perl, which is not part of the stripped down debian on the wardrive box. For as far as I can see that is because there is one perl script included. Time to rebuild from source with that script removed.

Update 2010-08-03: Looking where you are going helps too: Voyage Linux is Debian-based but optimized for embedded apps. With debootstrap under Ubuntu or Debian I could set up a newer development environment for the wardrive box and test Voyage Linux.
2010-08-02
Wardriving results 15 July - 1 August: 2800 new networks with GPS locations. I went down a few places in the WiGLE stats because other people found a lot more networks. That can happen. Maybe I'll catch up :)
2010-07-30
At work one of my main projects at the moment is improving monitoring for beta-ict. I am used to mon at the computer science department but that shows its age a bit and I wanted to try something newer.

The choice in monitoring system was mainly for something which could monitor both system variables (free disk space, free memory, system load, whether certain needed processes were running) and service availability (is the network available, is ldap available, are web servers up and not giving out weird error messages).

I chose zabbix. It has an interesting approach: it measures variables, stores results and trends and then you can do stuff with the stored data. Such as monitoring whether certain thresholds aren't crossed, so you can do your normal tests. Or more complicated monitoring of trends or changes. But you can also make graphs of that same data. And you can use the triggers to make nice long-term availability reports.

One thing I learned is that the suggestion in the manual to use a newer PostgreSQL version (>= 8.3) is to be taken seriously. With 8.0 the server running zabbix regularly got up to a load of 10 when adding new systems to be monitored, and historic monitoring data was lost for certain time periods. Dumping the database, installing PostgreSQL 8.4, importing the data again and continuing with the same setup made everything lots faster, and no data has been lost since.

What is also interesting is the option to use remote proxies to gather data from otherwise firewalled networks and the option to split servers / services into groups. Eventually we may give the 1st-line servicedesk their own view of our zabbix server where they can view whether main services are available so they are aware of troubles before they need to ask us.

2010-07-28
Again and again you see responses to IPv4-will-run-out stories like "but what if we reclaim space from ..." or "but what if we use more NAT". I found one of the best answers to all of these:
Optimizing the utilization of less than 25% of the address space in the face of the consumption rate on the 75% side simply cannot yield a meaningful result. It really is akin to rearranging the deck chairs on the Titanic.
Source: Re: Rate of growth on IPv6 not fast enough? and used several times before on IPv6 mailing lists.
2010-07-26
According to Google finally indexing the IPv6 internet - Fix6 the first sightings have been done of a googlebot with an IPv6 address. My IPv6-reachable websites haven't been blessed by a visit from the IPv6 googlebot yet. What will googlebot do when I post a link to http://[2001:980:14ca:42::18] ?

And on a different note about Google: last year I noticed Google DNS did not give out AAAA records for www.google.com. I retested it and found it (now?) depends on where you ask. At a place not in the Google IPv6 program:

koos@kolham:~$ dig +short @8.8.8.8 www.google.com aaaa
www.l.google.com.
koos@kolham:~$ dig +short @8.8.4.4 www.google.com aaaa
www.l.google.com.
koos@kolham:~$ 
And at a place in the Google IPv6 program:
koos@greenblatt:~$ dig +short @8.8.8.8 www.google.com aaaa
www.l.google.com.
2a00:1450:8001::63
koos@greenblatt:~$ dig +short @8.8.4.4 www.google.com aaaa
www.l.google.com.
2a00:1450:8001::63
koos@greenblatt:~$ 
Yes, that first place needs to turn their plans about IPv6 into doing something with it.
2010-07-15
Wardriving results 24 April - 14 July: 9419 new networks with GPS locations according to WiGLE.
2010-07-15
The Hurricane Electric IPv4 Exhaustion Counter on this page has dropped below 365 days. What does this mean exactly?

At the end of that period there will be no more IPv4 address blocks to give out to the several Regional Internet Registries. But those have their own buffers so it won't be all over at that moment (and the IPv4 Internet will not stop functioning either).

What will happen is that when those buffers run out the moment will come that one of those Regional Internet Registries will have to answer "NO, not available" to a request for IPv4 space. The timeframe at which this will happen may vary between months (APNIC, Asia-Pacific region) and years (AfriNIC, Africa) given the current rates. What this will mean is a situation where IPv6 is the only working way to give new systems on the Internet working unique addresses. Will the world be ready for this moment? Probably not.

Koos van den Hout, E-mail koos+web@kzdoos.xs4all.nl. PGP key DSS/1024 0xF0D7C263 RSS