Collectd is a great tool to collect various parameters of a running Linux installation.
It can monitor disk space, CPU load, temperatures and much more.
One thing to note is that collectd can cause system load by itself.
To prevent this, enable caching in the rrdtool plugin.
For more details read on in this post:
https://jeremy.visser.name/2010/02/23/enable-caching-in-collectd/
Monday, October 25, 2010
Thursday, October 21, 2010
IPsec VPN with AVM 7170 / 7270 and Linux (Ubuntu) OpenSwan and DynDNS
With the current firmware, the AVM ADSL routers 7170 and 7270 support creating IPsec VPNs.
That makes them interesting for connecting remote offices, small points of sale, etc. to the enterprise network, even when the remote sites don't have a fixed IP address.
Unfortunately, AVM's documentation of the IPsec features is "very limited".
To get it working, it's important to configure the correct settings in the VPN configuration file for the AVM routers.
The wizard for creating the VPN config files generates something like this:
vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "IP_OF_ENTERPRISE";
        always_renew = no;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 0.0.0.0;
        remotehostname = "remote.dyndns.org";
        localid {
            ipaddr = IP_OF_ENTERPRISE;
        }
        remoteid {
            fqdn = "remote.dyndns.org";
        }
        mode = phase1_mode_aggressive;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "**********";
        cert_do_server_auth = no;
        use_nat_t = no;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.10.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 172.18.1.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-all-all/ah-none/comp-all/pfs";
        accesslist = "permit ip any 172.18.1.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
To be able to connect to an openswan/Linux server, we have to tweak some settings:
vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "IP_OF_ENTERPRISE";
        always_renew = yes; // Make sure the connection autostarts
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 0.0.0.0;
        remotehostname = "remote.dyndns.org";
        localid {
            ipaddr = IP_OF_ENTERPRISE;
        }
        remoteid {
            fqdn = "remote.dyndns.org"; // must be the same DynDNS name as remotehostname
        }
        mode = phase1_mode_idp; // Change this from aggressive to normal (main) mode
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "**********";
        cert_do_server_auth = no;
        use_nat_t = no;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.10.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 172.18.1.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-3des-sha/ah-no/comp-no/pfs"; // this is the compatible setting for openswan
        accesslist = "permit ip any 172.18.1.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
In the AVM documentation you can see the possible combinations of phase1ss and phase2ss. It is important to know that ONLY the listed combinations work, so you can't use other, non-listed combinations. (Took me a whole day to figure out.)
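As an added example (not from the post or from AVM), a small parser for the vpncfg format above plus a check for the settings the post says must be changed for an openswan peer; the sample config is constructed and uses placeholder values, and it intentionally contains the wizard defaults and a DynDNS hostname typo:

```python
import re
from typing import Any, Dict, List

# Constructed sample in the vpncfg format from the post (placeholders only);
# it carries the wizard defaults and a hostname typo that the checks should catch.
SAMPLE_CFG = """
vpncfg {
  connections {
    always_renew = no;                    // wizard default
    remotehostname = "remote.dyndns.org";
    remoteid { fqdn = "remote.dnydns.org"; }
    mode = phase1_mode_aggressive;
    phase1ss = "all/all/all";
    phase2ss = "esp-all-all/ah-none/comp-all/pfs";
  }
}
"""

# One token per match: "name {" opens a block, "}" closes it, "key = value;" is a setting.
TOKEN = re.compile(r'(\w+)\s*\{|\}|(\w+)\s*=\s*("[^"]*"|[^;]+);')

def parse_vpncfg(text: str) -> Dict[str, Any]:
    """Parse the brace-nested vpncfg format into nested dicts; values stay strings."""
    text = re.sub(r"//.*", "", text)        # drop // comments such as the ones in the post
    root: Dict[str, Any] = {}
    stack = [root]
    for m in TOKEN.finditer(text):
        if m.group(1):                      # block start
            child: Dict[str, Any] = {}
            stack[-1][m.group(1)] = child
            stack.append(child)
        elif m.group(0) == "}":             # block end
            stack.pop()
        else:                               # key = value;
            stack[-1][m.group(2)] = m.group(3).strip().strip('"')
    return root

def check_openswan_compat(cfg: Dict[str, Any]) -> List[str]:
    """Return the settings that, per the post, must change for an openswan peer."""
    conn = cfg.get("vpncfg", {}).get("connections", {})
    problems = []
    if conn.get("mode") != "phase1_mode_idp":
        problems.append("mode: use phase1_mode_idp (main mode), not aggressive mode")
    if conn.get("phase2ss") != "esp-3des-sha/ah-no/comp-no/pfs":
        problems.append("phase2ss: use esp-3des-sha/ah-no/comp-no/pfs for openswan")
    if conn.get("always_renew") != "yes":
        problems.append("always_renew: set to yes so the tunnel starts automatically")
    if conn.get("remotehostname") != conn.get("remoteid", {}).get("fqdn"):
        problems.append("remoteid.fqdn differs from remotehostname (DynDNS name typo?)")
    return problems
```

Running `check_openswan_compat(parse_vpncfg(SAMPLE_CFG))` on the sample reports all four problems; on the tweaked config from the post it returns an empty list.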
On the openswan side you have to define a connection like this:
# VPN connection for remote.dyndns.org
# (in ipsec.conf the parameters of a conn must be indented)
conn remotedyndnsorg
    right=remote.dyndns.org
    rightid=@remote.dyndns.org
    rightsubnet=172.18.1.0/24
    left=IP_OF_ENTERPRISE
    leftsubnet=192.168.10.0/24
    auth=esp
    pfs=yes
    authby=secret
    dpddelay=20
    dpdtimeout=60
    dpdaction=hold
    auto=start
    keyingtries=%forever
    keylife=45m
    rekey=yes
    ikelifetime=20m
    compress=no
And of course you have to add the PSK in ipsec.secrets.
Currently we have a problem: when the Fritz!Boxes receive a new public IP,
openswan does not always update the IP address for the connection.
This can be partially solved by upgrading to a more recent openswan version (2.3.16 or newer), which does a DNS resolve when the VPN tunnel breaks.
But sometimes it still hangs in a state where it receives IPsec packets and drops them because they do not match the old resolved IP.
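One workaround for the stale-address hang, as an added example that is not part of the post: a small check that can be run from cron on the openswan side. It re-resolves the DynDNS name of the peer, and when the address differs from the one recorded at the last check it re-reads the connection with `ipsec auto --replace` (which resolves right= again) and brings it up. The conn name and host are the ones from the post's ipsec.conf; the cache file path is an assumption.

```python
import socket
import subprocess
from pathlib import Path
from typing import Callable

# Connection name and DynDNS host are the ones from the post's ipsec.conf;
# the cache file location is an assumption.
CONN = "remotedyndnsorg"
REMOTE_HOST = "remote.dyndns.org"
CACHE = Path(f"/var/run/ipsec-peer-{CONN}.ip")

def peer_changed(resolved_ip: str, cached_ip: str) -> bool:
    """True when DNS now points elsewhere than the address the tunnel was built with."""
    return bool(resolved_ip) and resolved_ip != cached_ip

def refresh_tunnel(conn: str) -> None:
    """Re-read the conn (openswan resolves right= again on --replace) and bring it up."""
    subprocess.run(["ipsec", "auto", "--replace", conn], check=True)
    subprocess.run(["ipsec", "auto", "--up", conn], check=True)

def check_once(resolve: Callable[[str], str] = socket.gethostbyname,
               cache: Path = CACHE,
               refresh: Callable[[str], None] = refresh_tunnel) -> bool:
    """Resolve the peer, compare with the cached address, refresh on change.

    Returns True if the tunnel was refreshed. A DNS failure leaves the tunnel
    alone rather than tearing down a connection that may still be working.
    """
    try:
        current = resolve(REMOTE_HOST)
    except socket.gaierror:
        return False
    if not cache.exists():          # first run: record the address the tunnel uses now
        cache.write_text(current + "\n")
        return False
    if not peer_changed(current, cache.read_text().strip()):
        return False
    refresh(CONN)
    cache.write_text(current + "\n")
    return True

if __name__ == "__main__":
    print("tunnel refreshed" if check_once() else "peer address unchanged")
```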
Wednesday, May 5, 2010
Hyper-V and current CPUs
You have a brand new installation: a new server, MS Windows Server 2008 R2 and Hyper-V.
You see frequent blue screens (or unexpected reboots) with event log entries
like:
0x00000101 (0x0000000000000019, 0x0000000000000000, 0xfffff88001e5d180, 0x0000000000000002)
MS is aware of the problem and has a hotfix they provide on demand.
More details can be found here:
http://support.microsoft.com/?scid=kb%3Ben-us%3B975530&x=11&y=13
Looks like the Hyper-V stuff is still somewhat beta quality.
Thursday, April 29, 2010
Disable IE Enhanced Security in a Windows 2008 R2 Terminal Server
One of the IE features in server environments is the Enhanced Security Configuration setting.
For servers this setting might be OK, but for normal users on a terminal server it's just not usable.
On the "Server Manager" screen you can specify for users and administrators whether the enhanced security should be active or not.
The first thing is to turn this off for normal users.
If by chance this really has an effect on your users, be happy and enjoy it.
But if you are still reading, then probably disabling this setting for the users did not change anything.
To make it simple:
Log in as the user and run these 3 commands from the command line:
Rundll32 iesetup.dll, IEHardenLMSettings
Rundll32 iesetup.dll, IEHardenUser
Rundll32 iesetup.dll, IEHardenAdmin
This bug is only one year old, so please give MS some more time until they provide a fix for it.
(http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/c5572fc7-6e92-46f8-824d-baca246e3106)
Friday, April 23, 2010
Be (a little bit) god under Windows 7
Under Windows 7, just create a folder with the name
GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}.
Now navigate to this folder with Windows Explorer.
Software developers (even at MS) have some sense of humor :)
Friday, April 2, 2010
Connecting VDSL modem with Cat6 cable
If it's a Zyxel VDSL P-870M, then don't do it.
Instead use the supplied Ethernet cable (Cat5 UTP).
We installed such a modem, connected it to the firewall system (HP rack server) and set up PPPoE.
The PPP authentication worked, but then the modem stopped responding on the Ethernet port.
We even switched the network port on the server, swapped the cable for another Cat6 cable, connected a serial terminal to the management port, etc.
As a last try we plugged in the supplied yellow cable... and it worked.
The supplied yellow cable is a Cat5 unshielded cable with only 4 wires connected.
So probably the modem and server agreed on a gigabit connection when all 8 wires were connected, but then the modem failed miserably as soon as data flowed at gigabit speed.
On a 4-wire cable connection, the server and modem agreed on a 100 Mbit connection, and that's probably the speed the modem is able to handle.
Saturday, March 13, 2010
Access your Firefox settings from everywhere
Do you use Firefox as your web browser and use it on different computers?
Then you probably also have the problem that the history, bookmarks and saved passwords are not the same on all systems.
Since a few months there is a reliable solution to this problem:
Mozilla Weave (also available directly via the Add-On page)
It's a Firefox add-on which keeps your settings in sync between as many systems as you want.
Just install the add-on and then create a Weave account, and all your settings are synced to the Mozilla Weave server. (Don't worry, privacy is guaranteed and data is encrypted, or, if you are paranoid, you can even install your own Weave server.)
On the second system, just install the add-on, enter your credentials and then select whether you wish to merge or replace the settings from the server.
That's it. I have been using it since version 0.5, and since version 0.9 it's really stable and very useful.
Actually I sync 4 installations with Weave:
1. The computer at work
2. The laptop at home running Ubuntu
3. The same laptop at home running (once a month) Windows 7
4. The desktop at home (most of the time used by my children)
And Weave just works as it should.