Samantha – file server

My new server case mod

One old(ish) midi-tower uATX case. Requirement for one quiet file server. Enter a fanless Asus uATX motherboard with 5 onboard SATA 6Gb/s ports. Mix dremel cutting disc and tinsnips with midi-tower case, add a few extra holes and a few rivets. Take a good look at your nice new smaller uATX server case, with space for upto 6 3.5″ HDDs. Enjoy.

Detailed specs

  • Motherboard: Asus E35M1-M
  • RAM: 2GB DDR3 – with only a minimal Debian install this is masses
  • HDDs: 3 internal 3.5″ 1TB drives – 2 Seagate, 1 Western Digital (mostly from my desktop)
  • OS: Debian – from the unoffical netboot CD with extra firmware for network cards to get gigabit to work
  • Management: Webmin, web management for linux servers – it lets you mix working with it and the config files without problems
  • Boot drive: 4GB TDK USB drive from Tesco!
  • 90w PicoPSU – probably more than is needed, leaves room for more HDDs

Mistakes: not drilling holes for power switch mounting and 12v power input for the PicoPSU before installing anything else like motherboards which don’t like metal filings on them!

Posted in Uncategorized | Leave a comment

sipXecs – uncharted territory

sipXecs is an open source PBX server built on Freeswitch for the core of it’s SIP functionality.

To explain: SIP is the industry standard for VoIP systems, which allow you to have a telephone system (amoungst other things!) that operates over a computer network.

However, due to a long and somewhat rocky path, the documentation is slightly odd. The project currently lives at SIPfoundry, with the downloads hidden on a page with nothing in common with the rest of the site, and ISOs hidden one folder deep, (see
here). Fortunatly this is easier to get to from the other useful location, the sipXecs wiki.

But before you simply assume that SIPfoundry is the latest company to own the copyrights and trademarks, it simply isn’t this simple. SIPfoundry is actually a non-profit organsiation setup by the orginal commercial creators of sipXecs. But of course, they have been bought and sold a few times, and now are sponsored by eZune, a company formed by members of the community and some of the orginal engineers who started the project off. eZune now provides commerical support.

But enough of that. Sadly, there are parts of sipXecs which are less than ideally documented, but most of it is simply rather hard to find. Like how to set up your Windows based DNS server you happen to already have and which are intergrated into somewhat complex things like Active Directory and exchange, to play nicely with SIP and autoconfiguring phones,which honestly is rather cool. Based on netbooting protocols, it does need seveal changes to make it all work.

Fortunatly, buried under what feels like 4 million links, there is a really quite good PDF on the DNS configration! Do note, that it states it was written back in 2007. Windows DNS setup for sipXecs

Posted in howto, linux, networking, sipXecs | Leave a comment

BT Infinity modem – v3B

Mostly just a quick set of photos, nothing on the new modem BT/Kelly Communications came to install looks much different, apart from the power supply being white not black.

Posted in Uncategorized | 2 Comments

ITX Security NCX-2000P

ITX Security NCX-2000P CCTV camera information and sort of review – see the manufacturers website for their ‘spec’ sheet! www.itxsecurity.com/eng/

Why there is no documentation and no mention of this camera anywhere on the web beats me. Maybe it’s the small relatively unknown Koreon manufacturer, but it’s hard, really hard to track down. It seems to be a nice, sensible camera, espeically for transitioning from analogue to digital CCTV. It features:

  • both a composite video out (switchable between PAL and NTSC) and 10/100M Ethernet IP networking with rtp/rtsp streams in H.264 and/or MJPEG
  • a choice of 12v DC, 24v AC or Power over Ethernet
  • 2 way audio and general purpose input/output pins – obviously both need extra hardware to work
  • DC iris control
  • Day/Night mode functionality – full colour and IR capable with removable filter
  • takes standard C/CS mount lenses

So if your camera has failed, and you want to start moving from analogue CCTV to digital, it’s an ideal option as it won’t become reduant immediately on upgrading, you’ll simply be able to move it over to the new system.

Now onto the fact it has not just little, but seemingly no documentation beyond the ‘spec sheet’ ITX provide on their website. Let me open a few little details up for you.

Web browser

The spec seems to imply that you could use almost any browser with this camera. Just see their impressive list: Internet Explorer 7.0 or above, Firefox, Chrome, PDA/Smart phone. Now, while all these can admittedly, edit the settings for the camera, they cannot view the live video feed in the built in viewer. This is only possible in Internet Explorer for the simple reason that it requires a ActiveX plugin to be installed to function. Fear not however, for the data can be liberated!

RTSP streams

However, all the ActiveX plugin does is provide an in browser RTSP/RTP viewer. With the correct software, such as VLC or a number of other media players, this can be played back directly. However, revealing the address you need is far from simple! The method that was eventually successfull was using Wireshark to disect the packets themselves to find the address request by the ActiveX viewer. However, here they are for all to enjoy!

Stream Codec RTSP address
1st H.264 rtsp://192.168.0.101/live/main/
2nd MJPEG or H.264 rtsp://192.168.0.101/live/second/

RTP didn’t seem to want to play easily with VLC player, and this seems to do what I’m looking for, so no need to go any further. Hopefully this can help other to use this camera in many projects, and break free from using that manufacturers software.

Posted in Uncategorized | Leave a comment

DansGuardian and NTLM from Active Directory

Instructions on how to get DansGuardian and Squid to do auth against an Windows Server 2008 R2 Active Directory, to allow multi-group filtering options. To help with managing the server webmin is set up along side. This assumes you’re going to run this with one ethernet port to the local network, and that you have DNS servers that are stable on the network.

Install Debian

Install Debian from CD1, normal istall mode is fine. Mostly just answer the questions as normal except when you get to “tasksel”, unmark “Grahical Desktop environment” and mark “SSH server”. If it’s just a proxy, you don’t need anything else!

Once you’ve rebooted after installing Debian, log in and use “ifconfig” to find you IP address (unless you entered a static one during install), then you can complete the rest of these instructions via SSH (and copy/paste the commands in!). I also personally prefer to edit the config files via SCP so I get to use a pretty GUI text editor.

Configure network and DNS

Navigate to /etc/network/interfaces and edit the primary network interface settings to match below. Use your own IP address. The DNS nameserver should be your internal AD DNS server, probably your domain controller. It must be as an IP address.
allow-hotplug eth0
auto eth0
iface eth0 inet static
address 192.168.0.7
netmask 255.255.255.0
gateway 192.168.0.254
dns-nameservers 192.168.0.2
dns-search exampledomain.local

Then issue /etc/init.d/networking restart to change to the new IP settings. Remeber if you do this via SSH you will have to connection dropped and you’ll need to log in again.

Add Webmin repository

Webmin isn’t included in the standard Debian repository, but never fear, it’s got it own so we’ll get regular updates.

Add the following to the end of /etc/apt/sources.list:
# webmin repository
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

Now run the follwing three commands to download and install the GPG signing key used:
cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc

Update repositories and upgrade packages

Next we’ll update the repository list and then apply any updates so we’re kept secure.
apt-get update
apt-get upgrade

Install our packages!

Now onto the install itself! The following command will install everything we need: Samba, Squid, DansGuardian, Webmin and a few dependencies on the side. It asks for the debian install CD to be inserted part way in, and depending on the speed of your internet connection could take several minutes.
apt-get install dnsmasq webmin squid dansguardian samba winbind krb5-user libcompress-zlib-perl resolvconf ntp ntpdate

It will ask to specify your workgroup/domain you want the server to be in, enter your domain in caps like this: EXAMPLE and not like this EXAMPLE.LOCAL

Configure Kerberos

Next a small bit of configration to take care of:
dpkg-reconfigure krb5-config
It will ask for:

  • Default Kerberos version 5 realm: EXAMPLEDOMAIN.LOCAL
  • Add locations of default Kerberos servers to /etc/krb5.conf? No

Configure NTP with your domain

Networks run better when all the machines have the same time, so we’ll change us from getting Network Time Protcotol updates from Debians servers to just using our domain controller.

Add server domaincontroller.exampledomain.local iburst
to /etc/ntp.conf below
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool:
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst

and comment out the four Debian time server entries.

Configure Samba

Make a backup copy of /etc/samba/smb.conf before we start to edit it.

Under the section labeled “Authentication” add security = ads below the line which reads # security = user

Under the section labeled “Domains” add domain logons = no immediatly below the line ; domain logons = yes

Under the “Misc” section, find the following two lines:
; idmap uid = 10000-20000
; idmap gid = 10000-20000

and uncomment them (remove the ‘;’ from the begining of each line.)

At this point add the following three lines, just above the next section marked “Share Definitions”
winbind trusted domains only = yes
realm = EXAMPLEDOMAIN.LOCAL
winbind cache time = 3600

All done for smb.conf, so save and exit.

Prepare to join the domain

Restart samba, winbind and synchronize the time with the domain controller.
net time set -S domaincontroller
/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start

Join the domain

First reboot: this may not be needed but it seems to help. Join the machine to the domain:
kinit Administrator
net ads join -U Administrator

You’ll be asked for the password of the domain user you specify at the end of the command, once for each command. You should get:
root@proxy:~# kinit Administrator
Password for Administrator@EXAMPLEDOMAIN.LOCAL:
root@sbproxy:~# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- EXAMPLEDOMAIN
Joined 'PROXY' to realm 'exampledomain.local'

As this sometimes gives a positive result without actually doing what’s required, the following is an essential check:
wbinfo -t
This should give: checking the trust secret for domain EXAMPLEDOMAIN via RPC calls succeeded. If this step fails, you can’t procede. Rebooting a few times and starting from the begining of ‘Join the domain’ should fix it.

Final checks on having the domain auth working, try these to commands, the first of which should all the users in the domain (which does mean it can take some time!) and the second of which should list all the groups on the domain.
wbinfo -u
wbinfo -g

Configure Squid

Make a backup copy of /etc/squid/squid.conf before we start to edit it.

Add the following three lines below the block of #auth_param that are there, leave them incase you want to change something in the future.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic realm exampledomain

Add:
acl ntlm_auth proxy_auth REQUIRED
http_access allow ntlm_auth

above:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

Comment out this line (shortly after the above code):
http_access allow localhost

Squid needs access to /var/run/samba/winbindd_privileged We can easily fix this but the permissions will reset when we reboot. So Jesse Waters on ubuntuforums.org posted a script that will set the permissions on every system boot. Create /etc/init.d/winbind-ch.sh and paste the following into it. You need to set it’s permissions to 755 to allow excution. You can download a copy of this in a file from www.petespcs.co.uk/petespcs/dangerous/windbind-cd.sh
#!/bin/sh
#set -x
WINBINDD_PRIVILEGED=/var/run/samba/winbindd_privileged
chmodgrp() {
chgrp proxy $WINBINDD_PRIVILEGED || return 1
chmod g+w $WINBINDD_PRIVILEGED || return 1
}
case "$1" in
start)
chmodgrp
;;
restart|reload|force-reload)
echo "Error: argument '$1' not supported" >&2
exit 3
;;
stop)
;;
*)
echo "Usage: $0 start|stop" >&2
exit 3
;;
esac
#EOF

Following this run update-rc.d winbind-ch.sh start 21 2 3 4 5 . to finish that off.

Configure Dans Guardian

Make a backup copy of /etc/dansguardian/dansguardian.conf before we start to edit it.

First, a simple edit: comment out the line UNCONFIGURED - Please remove this line after configuration

Find the line filtergroups = 1 and change it to however many filter groups you feel you need, but be warned that the webmin interface can only handle so many.

Uncomment the following two lines:
authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
authplugin = '/etc/dansguardian/authplugins/proxy-ntlm.conf'

That’s all in that file, so close and save.

/etc/dansguardian/dansguardianf1.conf as a backup, and then make copies for each of your filter groups, so if you have 3 filter groups, you'll need 3 files called:
/etc/dansguardian/dansguardianf1.conf
/etc/dansguardian/dansguardianf2.conf
/etc/dansguardian/dansguardianf3.conf

No edits needed on them, it can all be easily done from Webmin later

Setup Webmin

Open a web browser to https://yourproxyip:10000/ and log in with root. Go to Webmin > Webmin Configuration > Webmin Modules Select "From ftp or http URL" and paste the link below into the dialog box and click Install Module.
http://downloads.sourceforge.net/project/dgwebminmodule/dgwebmin-stable/0.7/dgwebmin-0.7.1.wbm
You might want to check the SourceForge site for a newer version, see http://sourceforge.net/projects/dgwebminmodule/. You can get the address for the link above by going to download the lastest version, but when offered the download, cancel it and right click on the direct download link and select "Copy link location".

Due to Debian choosing to install programs to slightly different location to others, you need to change a few of the settings in the Dans Guardian webmin module configration. Go to Servers > DansGuardian Web Content Filter > Module config and change Full path to DG binary to /usr/sbin/dansguardian We also need to remove rc.d/ from "Command to restart DG", "Command to start DG" and "Command to stop DG".

Setup regular blocklist updates

Shallalist provides freee for non-commerical use (including education) url and domain blocklists. They update these upto every 24 hours. A simple cron job can be setup to download these, all thats needed is a simple shell script. You can download a copy from www.petespcs.co.uk/petespcs/dangerous/updatebl.sh

To create a cron job in Webmin, go to System > Scheduled Cron Jobs then click on "Create a new scheduled cron job.". The answers I recommend you enter are:

  • Execute cron job as root
  • Command /path/to/updatebl.sh
  • When to execute Times and dates selected below ..
  • Mintues Selected .. 1
  • Hours Selected .. 0
  • Days All
  • Months All
  • Weekdays Selected .. Monday, Tuesday, Wednesday, Thursday, Friday

Click create and then you'll be back at the list of cron jobs. Click on the one at the bottom of the list which will be the one you've just created, click on it to open it and click on "Run now" to make sure it works correctly and doesn't give any errors, and also to put the blacklists in place to start with.

I recommend these settings as the blacklists are updated a maximium of once over 24 hours. The script will run while no-one is likely to be around, so won't be interputed by DansGuardian restarting, but will only run on weekdays, so if it goes wrong for whatever reason - they don't include one of the catagories for example - you'll be there before anyone notices...just incase someone comes in on Saturday and finds that it's not working!

To work with these blacklists, you'll need to modify your /etc/dansguardian/lists/bannedurllist and /etc/dansguardian/lists/bannedsitelist files, otherwise DansGuardain won't start as it won't be able to find the files that are referenced. Example files are attahced, which matched the lists provided by Shalla in October 2011. For your ease they contain descriptive comments on each list, and all lists are commented out so they as they stand block nothing. Just uncomment the .Include lines that fit with what you want to block. You can find the same files at www.petespcs.co.uk/petespcs/dangerous/bannedurllist and www.petespcs.co.uk/petespcs/dangerous/bannedsitelist

This guide is based around advice from HowtoForge: How To Install And Configure Dansguardian With Multi-Group Filtering And Squid With NTLM Auth On Debian Etch

Posted in dansguardian, howto, linux, networking | 5 Comments

BT Infinity

A quick shot of the inside of the BT Openreach Infinity VDSL2+ modem/router/bridge, which comes in a box labeled Huawei Echolife HG612. See Huawei’s page for the HG612. However, it is clear we have a modified stripped down version of the device, as there are no wireless features visible either internally or externally. This also means we have no access to any configuration pages it has (as yet).

A quick note on opening this thing: there are 4 Philips/Pozidrive/crosshead screws under the outer ends of the rubber feet, you don’t actually need to pull the feet fully off to get to the screws. There’s also a really annoying clip in the middle of the ‘front’ (opposite the connectors) of the box. This is easily dealt with by opening up the back edge slightly, and sliding in a long screwdriver to give a gentle push out on the front. The top then simply lifts off. Re-assembly is easy, it simply clicks in place.

There is but one other problem with this box: namely, it regularly ends up disconnecting from the broadband line, intermittently at first, then more and more often until it can’t keep a connection at all. This happens our about 2 months for me, keeping the modem flat, sitting on it’s feet on a shelf.

The problem with this box is, unsurprisingly given how few vents are on it, heat. Take out the 4 screws from under the outer ends of the feet, and whack a big fan onto it, and it sits, even after cooking itself stupid for 2 months, happy as anything, cool as a cucumber. There are reports that if you wall mount this box in the vertical position then the vents actually work! However, I have not tried this, so cannot say. It may be enough to stop a new box cooking itself, but not to fix an already problematic box.

I’m sure that in time I will be trialling a new modem in the upright wall mount position, and if there’s still no joy I will be having a go at modding that one so an external power supply is not needed, even mounting the fan within the box, a small CPU fan should do the job after all. If you do intend to do this, it’s worth bearing in mind that offically these boxes still belong to BT Openreach, so you might not want to damage it too much.

One final picture to give hardware hackers another excuse to break into these boxes, a lovely block of headers, marked RX, NULL, VCC, GND, TX, and another row is a JTAG connection from my brief research. Hopefully this might lead to some 3rd party firmware, so we can access some stats from this and use some of it’s other features. Also interesting to note is the ‘Internet’ LED space for 2 LEDs, I assume one green and one red to indicate the state of the PPPoE connection when this box is used to handle it. BT of course uses the home hub for this, but actually you can use any PPPoE cable router or simply a computer. I personally hook mine to a m0n0wall box.

Posted in bt infinity, networking | 6 Comments