Archive for the ‘Debian’ Category

Blog Is Broken.

Wednesday, September 3rd, 2008

apt-get broke something in my theme just now. I’m on travel, so fixing it will take more time than usual, sorry…

Update 9/9/08: Fixed!

A new wave of botnet attacks

Monday, May 12th, 2008

This morning, in my inbox, this is what I saw:

That is, 37 reports that a host had tried to break in to my SSH port, and failed more than one password attempt. If I weren’t running DenyHosts, the dictionary attacks would have a lot greater chance of succeeding. As it is, I’ve seen at least 50 hosts blocked today; usually I get one every few days. Sadly, I’ve now got over sixty-five thousand hosts denied via DenyHosts, which is a sad commentary on how many cracked Windows machines are out there.

Patch and monitor those boxes, people!
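
The kind of tallying that sits behind those reports, as an added example that is not part of the original post and is not DenyHosts' own code: it counts failed SSH password attempts per source address and prints hosts.deny-style entries. The log lines, addresses, thresholds and the reset-on-successful-login rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: tally failed SSH password attempts per source address.
# The log lines below are constructed (documentation address ranges).
sample_log() {
cat <<'EOF'
May 12 06:14:02 usul sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
May 12 06:14:05 usul sshd[4103]: Failed password for root from 192.0.2.10 port 40125 ssh2
May 12 06:14:09 usul sshd[4105]: Failed password for invalid user test from 192.0.2.10 port 40130 ssh2
May 12 06:20:41 usul sshd[4120]: Failed password for alice from 198.51.100.7 port 51000 ssh2
May 12 06:20:50 usul sshd[4120]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
May 12 07:02:11 usul sshd[4200]: Failed password for invalid user oracle from 203.0.113.55 port 33211 ssh2
May 12 07:02:13 usul sshd[4202]: Failed password for invalid user oracle from 203.0.113.55 port 33215 ssh2
May 12 07:05:00 usul CRON[4210]: pam_unix(cron:session): session opened for user root
EOF
}

# failed_hosts MIN: read syslog text on stdin and print "count address" for
# every source with at least MIN failed passwords, busiest first.
failed_hosts() {
    awk -v min="$1" '
        # Match on fixed field positions only. The user name in the middle is
        # chosen by the remote side, so the address is read from the fixed
        # tail of the message: "... from <address> port <n> ssh2".
        $5 ~ /^sshd\[[0-9]+\]:$/ && $7 == "password" && $8 == "for" &&
        ($6 == "Failed" || $6 == "Accepted") &&
        $(NF-4) == "from" && $(NF-2) == "port" {
            ip = $(NF-3)
            if ($6 == "Accepted") delete fails[ip]   # a good login resets the tally
            else fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# deny_entries MIN: same input, printed as hosts.deny lines for sshd.
deny_entries() {
    failed_hosts "$1" | while read -r _count ip; do
        printf 'sshd: %s\n' "$ip"
    done
}

sample_log | deny_entries 2
```

To review a real log instead of the sample, feed it on stdin, for example `failed_hosts 5 < /var/log/auth.log`.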

Email downtime and bounces on phfactor

Sunday, April 27th, 2008

Non-geek summary: Email was down to phfactor for a few days due to a local problem. It’s back now, and I have tools to keep an eye on things.

Geeky details: I run exim4 on Debian, and had tweaked the config for dual-port (25/587) for SMTP inbound and outbound. One of the recent Debian updates borked something, such that

 -oX 25:587 -oP /var/run/exim4/exim.pid

was no longer valid, and thus exim refused to run. Oops. As a workaround, I’ve removed the port settings (meaning I have to use a different SMTP server when out and about, so this’ll get fixed later as time permits) and it’s back to running.

Having been bitten numerous times by similar problems, where one of many Debian updates will break a service, I spent some hours today researching server monitoring software beyond the Smokeping I have running already. I wanted something that could query a running service over TCP/IP and see if all was good. I came up with Monit via this post, and have it up and running now. Here’s a screenshot:


Seems pretty good, decent list of native protocols that it understands. Right now it’s passworded off, not sure if I’ll remove the login or not. Seems mostly harmless to publish, since most of the monitored stuff is only accessible from this side of the router.

Update: Password will remain, as the webpage allows you to stop/start services! What a vulnerability that is, yeesh.

Usul upgrade

Monday, March 3rd, 2008


If you’re geeky enough to read the runes in the screenshot, you’ll see that usul (the phfactor.net do-everything Debian server) is now a Pentium 4 621, 3.2 GHz dual-core, with 2GB of memory. I just upgraded from an Athlon 64 3200+, 1GB, so this is a nice boost in capability. About the only negatives are analog VGA onboard (no DVI), and 10/100 instead of gigabit. A spare 3c996 solved that, and my old monitor has analog, so we’re sorted. Do email or call if you see any oddities!

Expect some downtime here soon

Wednesday, January 9th, 2008

Gotta transfer DNS from UltraDNS (now costing $50/month!) to EveryDNS.net. Not gonna be simple.

Wish me luck…

Update: Here’s why I’m moving. My UltraDNS contract is for 10k queries/month, and we’re getting 10 times that. It’s not showing up on the page views, so I’d guess it to be spammers.

Update 1/9/08 2:30PM: Update in progress, we have to wait for Network Solutions to update the root, and also for everydns to update their databases. Expect DNS errors for a day or two, sorry.

PS Yes, I donated to EveryDNS. Karma is good.

Update 1/10/08: Done! It works! A-maze-ing.

Back up again

Sunday, January 6th, 2008

Disk upgraded, one glitch left to address but please notify me if you see anything odd.

New home sysadmin rules

Saturday, January 5th, 2008
  1. Never try to move to a new hard drive while distracted by an infant.
  2. Never assume that cp -a is as accurate a copy as, say, tar -p
  3. Or rsync
  4. Never power off the machine in frustration over the new drive, assuming that the data on the old will be unaffected. There may be connected RAID volumes that will Not Like This a Bit.
  5. Never try to migrate ~240GB of data in 30 minutes. It won’t end well.

More downtime soon, after I do a correct transfer and try again. ;)

Downtime today

Tuesday, August 28th, 2007

Yep, blog was down for some hours today. Debian testing removed PHP support from Apache 1.3. On purpose.

So, forced march to Apache 2 today, kudos to Kevin for his help. We’re back!

Clever software descriptions

Tuesday, August 7th, 2007




I was looking at network backup software today, starting with the cleverly named ‘Duplicity’, and stumbled across backupninja. Check out this description from the debian package page:

Backupninja lets you drop simple config files in /etc/backup.d to coordinate system backups. Backupninja is a master of many arts, including incremental remote filesystem backup, mysql backup, and ldap backup. By creating simple drop-in handler scripts, backupninja can learn new skills. Backupninja is a silent flower blossom death strike to lost data.

Somehow, the ‘silent flower blossom death strike’ made me laugh. This comes close to my all-time favorite, MGM, the Moaning Goat Meter:

MGM, the Moaning Goat Meter, is the ultimate sixty-ton cast iron lawn ornament for the desktops of today’s hacker set: A gorgeous, highly configurable load and status meter written entirely in Perl. Serious pink-flamingo territory. For evil geniuses only.

After all this, this is what it looks like:




I used MGM all the time at Fermilab and it’s great software, but their descriptions and FAQ page are required reading. A sample to amuse:

“Why MGM?”
Xload, procmeter3 and xosview are fine, fine pieces of software (perhaps a bit hard to read). But… dammit… at a time when geeks are cool, green jumpsuits stalk the streets and Volkswagen is hip again, they’re just too dull. Dull, dull, dull.

Evil geniuses generally have a finely honed aesthetic sense which they choose ignore whenever possible. However, evil geniuses do need something good looking, ultra sweet, way too big and above all tacky as hell to bolt onto the personal programming experience. This code is *it*.

Think of it as the SUV mentality applied to strollers. Bigger than the kid? Hell, it’s bigger than Mom pushing it. You can’t even *find* the kid.

“What about my social life?”
The software equivalent of a depleted uranium lawn gnome? Highly unlikely.

MGM was back in the days of much-less-memory, so a lot of the pages are no longer relevant. Still funny as hell, though.

More on Duplicity and/or backupninja as I try to get something scripted…

Verdammt slimserver anyway

Tuesday, July 24th, 2007

I’ve had a lot of people trying to use my wireless network of late, and I’ve been trying to close down the hatches. I’ve always used MAC filtering, so they couldn’t get on, but someone keeps trying. Given the rapid repeat, it’s certainly automated or just OS stupidity, but it annoys me.

Sidebar: The Airport Extreme can send log messages to your Unix box via the syslog mechanism. Check out ‘Base station options’/‘Logging/NTP’ and ‘Send base station logging to’.

I also set the LED light to blink for traffic, as I find that more useful than always-on.

See this page for syslog setup on Debian.

Plan of attack:

  • Switch from B/G WiFi to G only.
  • Enable encryption, WPA2 preferred.
  • Disable SSID broadcast.

    So. First problem is my version 1 Squeezebox.

    It’s been trouble before, but I don’t have the dosh to upgrade to the much-nicer v2 or v3. Its WiFi is B-only. Fortunately, I had a Linksys WRT54GS spare, and had previously set up one as a bridge.

    Since I wanted to put images in this post, here’s a pic of one borrowed from the Wikipedia page on it:

    I found a slightly better set of instructions for bridge mode on AnandTech, and managed to get it working. I found that the newer Talisman firmware worked better than the Alchemy release.

    Sidenote on firmware and Sveasoft: I am a former subscriber to Sveasoft, and have paid for a year of access. This time, subscription having expired, I downloaded the ‘Freeman’ version from this page instead, which lacks the ultra-stupid MAC-based copy protection. I am fairly certain that Sveasoft has bent or broken GPL on this, and FWIW the Freeman version is working well. Rant over.

    After you do all the setup (subnet, DHCP, client-mode wireless) there’s just one real gotcha - to get it to work, you have to enable ARP proxying on the Linksys. There’s no way to do this from the web interface, and the setting is erased if you reboot the router. So you have to

  • Enable SSH on the router.
  • Upload your SSH key via the web interface.
  • SSH in as root, and run
    echo 1 > /proc/sys/net/ipv4/conf/`route | grep default | awk '{print $NF}'`/proxy_arp
    
    Messy, eh?

    Once I had that figured out, I wanted to enable encryption. WEP is no good, so I wanted WPA or WPA2. I’m using an Airport Express which supports all of the above as my base station. Gratuitous picture:



    However, the Freeman firmware pages use different terminology than the Apple admin program, so I had to google a bit. This page and this one got me going. You have to

  • Select ‘Wireless security’
  • Select WPA2 personal.
  • Select Encryption type as ‘WPA only’
  • Only now will ‘WPA personal’ show up as an option; choose it.
  • Select ‘Pre-shared key’ above, and enter your 64 hex secret.

    Now, while it reboots, go to the Freeman firmware and select ‘WPA-TKIP’. Enter same key, reboot, do the SSH ARP voodoo above, and you’re good to go.

    (You also have to go around to all your laptops and enter the key into their setups, but that’s much easier.)

    Once I did this I hit the next problem: Slimserver is not working. I spent hours thinking it was the bridge setup, which was reasonable given the number of places you can make mistakes, but it isn’t. For some reason, the current release in debian unstable is borked, and the symptom is that the web interface never loads. You can connect to the port ok but you get no content. I erased the contents of /var/cache/slimserver/MySQL and restarted it, but got the same result.

    Oddly, the web interface was working while it rebuilt the database, but somewhere in that process it Just Stopped. No error log that I can find, no errors in /var/cache/slimserver/mysql-error-log.txt either. I’m at a loss.

    The other problem that I have is probably my error - I can’t load the Linksys web interface unless I’m cabled into it. I enabled the remote admin, but it may be subnet-related or such.

    I really wish that the ARP proxy setup was a) permanent and b) web-interface-settable. Yeesh.

    I also am a bit peeved at Slimserver. It’s the single program most likely to break on a Debian dist-upgrade.

    Ahh well, maybe with G-only and WPA it’ll cut down on the neighbors trying to associate with my base station…

    Update 8/19/07: Squeezebox got updated and appears to stay up now, so I’m reopening this one. Fixed the missing anandtech URL, sorry. I should also note that the WPA+G change did remove the slowdowns and associations — hooray! Now tackling the ARP proxy and such. Post to follow!