Technology

IPSec – What is it??

This is a great write up by Stephen Friedl about the IPSec suite of protocols. Highly recommend reading it.

On a side note, I finally updated the Blogging software on the site. Have been getting a lot of “blogspam” from the entries on this site. It is just amazing how far the spammers go to NOT get their message :).

RRDTOOL – How to remove spikes

We use Cacti at work to graph the usage of our clients links. It is a pretty popular feature with our customers. A problem (well not really. More like a gotcha) with rrdtool is the way it stores data. Here’ a quote from the rrd tutorial
“Round robin is a technique that works with a fixed amount of data, and a pointer to the current element. Think of a circle with some dots plotted on the edge, these dots are the places where data can be stored. Draw an arrow from the center of the circle to one of the dots, this is the pointer. When the current data is read or written, the pointer moves to the next element. As we are on a circle there is no beginning nor an end, you can go on and on. After a while, all the available places will be used and the process automatically reuses old locations. This way, the database will not grow in size and therefore requires no maintenance. RRDTool works with with Round Robin Databases (RRDs).”

So rrd stores the difference in values (between the last value and current) in the database, rather than the value itself. This creates a problem when routers are rebooted. The counters on the interfaces get cleared and rrd is fooled into thinking that there is a spike in usage. This results to “spikes” in the graphs. Sometimes you see that a 128kbps link has maxed out at 98mbps!!! :). The best way to stop this from happening is to set the correct min and max values for the ds names. Coming back to cacti again. When cacti creates a new rrd database, it does not really give one the option to setup the maximum and minimum speeds of a interface. It defaults to a max of 100000000 (i.e. 100mbps). Occasionally when we have to reboot our routers, I do the following to remove the spikes

cp filename.rrd filename.rrd.backup
Any good admin knows that before you mess with a file, you make a backup :).

rrdtool info filename.rrd | more
This gives us the chance to get the ds (data sources) names

rrdtool tune filename.rrd -a ds_name:MAXIMUM_VALUE
Set the maximum of the ds to the required

rrdtool dump filename.rrd > filename.xml
Export all data in the rrd to a xml file

mv filename.rrd filename.rrd.old
Rename the rrd to make way for the new one.

rrdtool restore filename.xml filename.rrd -r
Restore the rrd from the xml file with the -r (range check) option. So any values that are higher than the new maximum value are ignored.

And the spikes are gone..

spam stats

While following this threat on slasdot, I came across this site by a system admin who tracks where the spam he fights on a daily basis originates from. This is further proof to break the myth of spamming that “Most spam originates from outside the US”. From this site, we can see that ~35% of spam originates from the US. I am not sure how the author is getting the country of origin from the IP address. I work at an ISP and know that even though all the IP addresses belong (are allocated) to us, they are all allocated to our customers (located outside the US). And we don’t SWIP them as we are required to :). So if any of our customers send out spam, for the rest of the world, it would look as if though it is originating from the US. Wonder how much of the 35% is made up of such spammers.

Server Move

I wanted to install Gallery so that I can easily share some of the “art” that I shoot :). The server I was on did not have some settings (it has php – safe_mode on) that stopped me from installing Gallery. The good people at 3-95.com , where I host this site, offered to move me to a new server that would allow me to install Gallery. So here we are on a brand new server. I will be posting some new pictures soon.

Troubleshooting episode

I was helping a friend with some E-mail problems he was having. Here is the scenario. He is getting a “Cannot authenticate to server” when using his Outlook 2000 to get mail from his Cobalt Qube server. According to him..”Everything was working fine, but the computer crashed. So I had to rebuild the machine and now mail doesn’t work”. Pretty easy right.. So I troubleshoot it in the following way

1) Check account settings in Outlook and make sure that he has the correct “username”, “password” and “server” properties. Everything checks okay. But client still cannot authenticate to the server.

2) Alright.. Lets see if the service is running on the client. Since I didn’t have access to the server, I had to walk my friend through the process. Again, required daemons are running, but cannot authenticate.

3) Now.. I am getting all excited frustrated. I run nmap on the server remotely and see that SMTP is filtered.. Hmm.. Is that a problem.

4) Finally.. I give up and make my friend change the rules on this firewall so that I can log into the server remotely. First thing I do is check the logs (/var/log/maillog) and Bingo!!! I instantly see the error
Feb 9 21:00:10 www in.qpopper[2269]: Karen at 192.168.1.102 (192.168.1.102): -ERR [AUTH] Password supplied for “Karen” is incorrect.“. My friend was using “Karen” instead of “karen” as the username.

If only I had asked my friend to meticulously check his settings 🙂 in the first place.

Moral of the story: Unix usernames are case sensitive. And never believe the user when they say that all the settings are correct :).

MySQL – Setting up initial privileges

Ever install MySQL and wondered what to do next? Well, the first thing is to secure the root user (Note: The MySQL root user is different from the OS root user). These three simple steps should deal with it.

shell> mysql -u root mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD(‘new_password’);
mysql> FLUSH PRIVILEGES;

MySQL has really good documentation on their website. It is can be accessed here.

Dlink 614+ and Dynamic DNS

I purchased a server from Dell recently. Want to use it as a test server to play with at home. I have a small LAN at home setup using a Dlink 614+ router. I forwarded some services to the server, so that I can access it remotely. Since the IP address on my cable modem changes every so often, how do I access it remotely? Dynamic DNS from dyndns.org to the rescue :).

Register for an account over here.
Create a Dynamic DNS host on Dyndns.org
Log into the 614+ router
Go to Tools –> Misc.
Enable DDNS
Use members.dyndns.org as the server address
Enter the complete hostname (ex. Samurai.kicks-ass.net)
Enter the username and password that you have registered at dyndns.org
Click on “Apply” and you are all set.

Terminal prompt – L[U]nix

While browsing through the forums at ArsTechnica, I came across this posting. One of the poster had a pretty cool prompt on his terminal login screen. Here is the command he used to get that effect

export PS1=”\n\[\e[30;1m\][\[\e[35;1m\]0\[\e[30;1m\]] \[\e[0m\]\[\e[36m\]\h\[\e[37m\]:\[\e[34;1m\]\w\[\e[30;1m\]$ \[\e[0m\e7\e[1G\e[1H\e[1K\e[30;1m[\e[33m\j\e[30;1m] [\e[32;1m\!\e[30;1m] [\e[36m\u\e[30;1m] [\e[31;1m\d\e[30;1m] [\e[35m\@\e[30;1m] [\e[0m\e[36m`uname -sr`\e[30;1m]\e8\]”

Or if you are using Redhat, you can just edit the /etc/profile file and place the above command in it. So each time you log in to the system, you get this pretty cool prompt. I keep saying that it is cool :), but don’t give any explanation. I think a picture is due here…

Terminal Prompt

For the initiated..you can come up with your own neat tricks by reading this.

DDoS attacks :: Article

Came across this article on security-protocols.com in which the author discusses DDoS (Distributed Denial of Service). I was particularly interested since we have been experiencing such attacks on our network recently. Unlike DoS (Denial of Service) attacks where the source of attack can be easily identified and blocked, it is very difficult to identify the source of DDoS attacks. The only way we can stop the attack is by blocking all traffic to the destination of the attack. And this is exactly what the attacking party wants. I don’t see a solution to this in the near future. A good point that the author mentions is that all routers should have ingress and egress filtering configured properly. This in effect allows only authorized networks to originate and terminate at a router, thereby minimizing the ability of an attacker to use a spoofed IP address.