Rsync Bandwidth Limit
02 Aug

How do I stop Rsync using all my bandwidth?

If you use rsync to move large files, or just a large number of files, from one machine to another, either over the internet or your local network, you’ll have realised rsync uses as much bandwidth as it can get hold of, which is not always convenient.

The reason you might want to reduce rsync’s bandwidth load is to ensure it doesn’t clog up your network, making everything else unusable.

Obviously this is going to increase the total time required to transfer your files. On the face of it this might not seem ideal, but if you’re moving your nightly backup files from your web server to your backup location, time isn’t the most important factor. What you really want is for these backups to happen seamlessly in the background and not to DDoS your own site.

A normal rsync command might look something like this:

The parameter that tells rsync how much bandwidth to use is --bwlimit.

So if you want to limit rsync to 10MB a second the command would look like:

Or to limit rsync to 5MB a second the command would look like:
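As an added example (not code from the original post), here is a small backup wrapper that applies the --bwlimit idea: rsync reads --bwlimit in KiB/s, so the MB/s figures above are converted first. Hostnames and paths are placeholders, and the 1 MB = 1024 KiB conversion is an assumption.

```sh
#!/bin/sh
# Added example (not code from the original post): a nightly-backup wrapper
# that throttles rsync with --bwlimit. rsync reads --bwlimit in KiB/s, so a
# limit given in MB/s is converted first (assumption: 1 MB = 1024 KiB).
# Hostnames and paths below are placeholders.

# Convert a whole-number MB/s figure into the KiB/s value --bwlimit expects.
mb_to_kib() {
    case "$1" in
        ''|*[!0-9]*) echo "mb_to_kib: '$1' is not a whole number" >&2; return 1 ;;
    esac
    echo $(( $1 * 1024 ))
}

# Print the rsync command line for a throttled, resumable transfer.
# $1 = limit in MB/s, $2 = source, $3 = destination.
build_rsync_cmd() {
    kib=$(mb_to_kib "$1") || return 1
    # --archive keeps ownership/timestamps, --partial lets an interrupted file
    # resume, --compress reduces the bytes that count against the limit.
    echo "rsync --archive --partial --compress --bwlimit=$kib $2 $3"
}

# Run the throttled transfer; returns rsync's exit status so a cron job can
# notice a failed night rather than silently skipping it.
throttled_backup() {
    kib=$(mb_to_kib "$1") || return 1
    echo "running: $(build_rsync_cmd "$1" "$2" "$3")"
    rsync --archive --partial --compress --bwlimit="$kib" "$2" "$3"
    status=$?
    if [ "$status" -ne 0 ]; then
        echo "rsync exited with status $status" >&2
    fi
    return "$status"
}

# The two limits from the post, 10MB/s and 5MB/s, on placeholder paths:
build_rsync_cmd 10 /var/backups/ backup@backup.example.com:/srv/backups/web/
build_rsync_cmd 5  /var/backups/ backup@backup.example.com:/srv/backups/web/
# A real nightly run would be e.g.:
#   throttled_backup 5 /var/backups/ backup@backup.example.com:/srv/backups/web/
```

rsync 3.1 and later also accept a size suffix, so --bwlimit=10m expresses the same 10MB/s limit.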

Samba Full Audit Trail
19 Jul

This is a new one. I was asked today by someone to explain why files were missing from the Samba file server. Sadly, in the end, I wasn’t able to find out why, simply because there was no log. This at least isn’t a case of a system admin not keeping logs: there were thousands of them for Samba (I managed to trace that to a poorly configured log rotation setup) but not one of those logs could help me – seriously, why is it that Samba keeps so many logs except the one you’re interested in!

Unfortunately I wasn’t able to answer the question about where the missing files went, but this isn’t the first time I’ve been asked this question, so next time – and, as any good system admin knows, there is always a next time – I want to be able to know what happened.

In this post I will talk you through configuring Samba 3.6.3 to keep a full user audit trail, recording all changes made to the file system – including deletions.

In my own research I was quite impressed that Samba can actually do this already, it’s just not on by default. The trick is to use a stackable VFS module called full_audit. The system I was setting this all up on was Ubuntu 12.04.5 LTS (precise) and already had full_audit installed, so I didn’t need to worry too much about that. To check if it’s installed on your system, look for the file /usr/lib/samba/vfs/full_audit.so; if it’s there everything is installed and working – if it’s not, let me know in the comments below because I haven’t found a system which was missing it yet.

Setting up the share

I’m only interested in creating an audit trail for one of the server shares, so these settings can be assigned to just that one share’s configuration. So when all is done the final configuration in /etc/samba/smb.conf will look like this – don’t worry too much about it, it works and I’ll go through it line by line.

When you copy this into your smb.conf file, make sure not to copy the current share configuration part too.

The normal configuration section you should know already, so let’s look at the new parts:

vfs objects – Tell Samba to load the new module

full_audit:prefix – This defines how your new log will look and fully supports using Samba variables. The format I’ve chosen is:
%U = Samba username
%I = Client IP Address
%m = Client Hostname
%S = Current share name – not technically needed since I’m doing this for a single share, but probably worth keeping in case the configuration is expanded later
For now ignore nasaudit at the start; I’ll come back to it later.

full_audit:success – Which user actions to log when they succeed:
mkdir = Upload/Create new directory
pwrite = Upload/Create new file
rename = Rename a file
rmdir = Delete a directory
unlink = Delete a file

full_audit:failure – The same as full_audit:success, but for when the action failed

full_audit:facility – Which syslog facility to log to. We can use this later to direct messages out of syslog and into a more useful file.

full_audit:priority – The priority to set log messages as.

So there you have it. Next time you restart Samba it will log a whole lot more about what a user is actually doing on your file system, but currently the logs are going into /var/log/syslog, so in the next step we’ll get them out of there and into a file of their own.

Redirect the logged output

I use the rsyslog daemon rather than syslog, but the process below should work for either one.

We told Samba to output logs to the facility ‘local5’, so we can tell rsyslog to look for that, but rather than just take everything that gets sent to local5 we can use a filter and act only on messages that contain nasaudit – see, I told you I’d come back to it.

Now we know what we’re planning to do, let’s put it all together. Just add the following line, either to your /etc/rsyslog.conf file or, better still, to a new file in the /etc/rsyslog.d/ directory.

Rotating logs

The final thing we need to do is add this new logfile to the /etc/logrotate.d/samba configuration file. This way we get a nice clean audit folder; since these audit logs could be quite long on a busy server, trying to search through a single file would grow old – fast.

Open up /etc/logrotate.d/samba in your favourite editor and copy in the block below:

This will rotate the logs every day and keep 90 of them. Deciding how much to keep and how far back you will need to go is a personal thing. In my case I’ve gone with three months to start with, and it’s simple enough to scale that back.
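Once the audit log exists, the question the post opened with (who removed a file, from where) can be answered from it. The following is an added example, not part of the original post: a few awk helpers over full_audit output. It assumes the prefix above is written as nasaudit|%U|%I|%m|%S (full_audit itself separates fields with "|" and appends the operation, "ok" or "fail", and the arguments), and the log lines are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original post): reading the audit log that the
# full_audit configuration above produces, to answer "who deleted this file?".
# Each full_audit message is "<prefix>|<operation>|ok or fail|<arguments>", and
# with the assumed prefix "nasaudit|%U|%I|%m|%S" that gives the fields
#   nasaudit | user | client IP | client host | share | op | status | path [| new path]
# The log lines below are constructed sample data, not a real server's log.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jul 19 09:12:01 nas smbd_audit: nasaudit|stuart|192.168.1.20|redtop|data|unlink|ok|projects/report.docx
Jul 19 09:12:05 nas smbd_audit: nasaudit|alice|192.168.1.31|alice-pc|data|pwrite|ok|invoices/march.xls
Jul 19 09:13:40 nas smbd_audit: nasaudit|stuart|192.168.1.20|redtop|data|rename|ok|projects/old.txt|projects/new.txt
Jul 19 09:14:02 nas smbd_audit: nasaudit|bob|192.168.1.40|bob-pc|data|rmdir|fail|projects
Jul 19 09:15:10 nas smbd_audit: nasaudit|alice|192.168.1.31|alice-pc|data|unlink|ok|invoices/march.xls
Jul 19 09:16:00 nas rsyslogd: unrelated message that must be ignored
EOF

# Shared awk prologue: drop the syslog timestamp/host/ident in front of the
# prefix and skip anything that is not one of our audit records.
AUDIT_AWK='
BEGIN { FS = "|"; OFS = " " }
{ sub(/^.*smbd_audit: /, "", $1) }
$1 != "nasaudit" || NF < 8 { next }
'

# List every successful deletion: user, client IP, host, and what was removed.
audit_deletions() {
    awk "$AUDIT_AWK"'
    ($6 == "unlink" || $6 == "rmdir") && $7 == "ok" { print $2, $3, $4, $6, $8 }
    ' "$1"
}

# Show the history of one path. The path is the last argument for
# unlink/rmdir/pwrite/mkdir; a rename is reported whether the path was the
# old or the new name, so a "missing" file that was merely moved shows up too.
audit_history() {
    awk -v path="$2" "$AUDIT_AWK"'
    $8 == path || ($6 == "rename" && $9 == path) {
        print $2, $3, $6, $7, $8 ($9 != "" ? " -> " $9 : "")
    }
    ' "$1"
}

# Count operations per user (successful and failed) to spot unusual activity.
audit_per_user() {
    awk "$AUDIT_AWK"'
    { n[$2 "|" $6]++ }
    END { for (k in n) { split(k, p, "|"); print p[1], p[2], n[k] } }
    ' "$1" | sort
}

echo "== successful deletions =="; audit_deletions "$SAMPLE_LOG"
echo "== history of invoices/march.xls =="; audit_history "$SAMPLE_LOG" invoices/march.xls
echo "== operations per user =="; audit_per_user "$SAMPLE_LOG"
```

On a real server point the functions at the file your rsyslog filter writes (and, after rotation, at the dated copies in the same folder).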

Raspberry Pi Bitcoin Core 0.10.2 Installation
14 Jun

This weekend’s project is setting up a Raspberry Pi as an online Bitcoin wallet.

As you might expect, the first step has been installing Bitcoin Core. There is no Bitcoin binary available for the Raspberry Pi’s ARM processor, so I had to build it from source. Lest I forget, here is my step-by-step guide:

Requirements

  • Raspberry Pi 2
  • A 2A power supply
  • External HD
  • Raspbian OS Image Downloaded from here
  • The blockchain – Optional but could save days of waiting

Installing a Clean OS

First thing to do now we have a Raspbian install image is copy it to a new microSD card.

Being a Linux user I just copy the image from the command line using dd:

dd is a Unix command, so if you’re a Mac OS X user the same command will work for you as well. It takes a few minutes but gets the job done. For Windows users a program like Win32DiskImager can do the install for you – full instructions can be found here.

Raspi-Config / Updating

As normal with a new installation, raspi-config will run during the first boot. What we need to do here is expand the file system to take up the whole SD card – no point in empty space just sitting around looking pretty.

Once that’s done, enable the SSH server. The Pi will reboot after you exit raspi-config, so just let it do its thing.

Once the Pi is back up and running you can keep working with an attached keyboard and mouse, or fire up an SSH connection from another machine and work from there; the choice is yours.

If you do choose the SSH option make sure you start a screen session, since the commands we’re about to run could take a few hours on the Raspberry.

If you need a pointer, the quickest way to get the Raspberry’s IP address is to run ifconfig from the command line. The default username is pi and – if you didn’t already change it – the password will be raspberry, but I would highly recommend changing it as your first step; passwd will do the job.

Now that we have a running Raspberry Pi and we’ve logged into a terminal – either through the keyboard and monitor or over SSH – we’re going to quickly run an OS update:

Installing Bitcoin

Getting the dependencies

We’re going to have to build Bitcoin Core from the source code, and for that we need the build tools and dependent libraries installed:

We also need to install BerkeleyDB 4.8; since it’s not available from apt-get we’ll need to build it from source as well. This will take a while, so it’s probably best to grab a cup of coffee or something, but if you’re using a Raspberry Pi 2 you can replace the make command with make -j4 to spread the load over the extra cores.

Getting the source

Now that the system is ready we can finally start on Bitcoin. First get the source code from the GitHub repository:

Building it

Next we’ll configure it for our system and get the build started. Again this will take ages, but you can speed it up on the Raspberry Pi 2 by using make -j4 instead of just make – for reference I just used the plain make option and it was done in about 3 – 4 hours.

Up & running

… and we’re back. We now have Bitcoin Core 0.10.2 installed on our Raspberry. Before we run it for the first time we need to make sure we can download the blockchain. At present the blockchain is over 35Gb. Since we can’t feasibly store it on our microSD card we need to put it on an external hard drive.

If you’ve never plugged an external drive into a Raspberry Pi before, it’s worth pointing out the Pi doesn’t have enough power to support the drive directly. You must either get a drive that has its own power supply or plug the drive into a powered USB hub.

Once your drive is ready you have a few options for telling Bitcoin Core where to put the blockchain. Either mount the external drive at /home/pi/.bitcoin or create a symlink there. The final option is to pass the new location to bitcoin on the command line: bitcoin-qt -datadir=/path/to/harddisk/

One last thing before we fire up the Core. If you already have a copy of the blockchain, copy it to the Raspberry Pi; it will save hours or even days of waiting. However, if like me you don’t, you may run into the same problems I have.

When I started running bitcoin-qt it would crash. After Googling around, the error message relates to a lack of memory. The Raspberry Pi 2 has 1GB of RAM but it appears that isn’t always enough. Since adding more RAM isn’t a practical option I’ve resorted to running this script:

This handy little one-liner will restart bitcoin-qt every time it closes – in my case crashes – and the download will resume where it left off.

I’m not sure if this problem is specific to the Raspberry Pi or just occurs while the blockchain is downloading, but once my download has completed I’ll get a better idea and can give some more feedback.

Updated certificate authority
10 Jun

Just a quick announcement. This week I released an updated certificate authority. All my services are now signed using this new authority.

The reason for this is purely maintenance. Since I released my last authority there have been concerns about, and then active attacks against, certificates using a SHA-1 hash.

So as security changes over time I felt it was time to improve my own security, and my new certificates all make use of the more robust SHA-256 hashing algorithm.

As before, if you are not using any of the secure services offered by NxFIFTEEN – email, chat etc – there is no need for you to install this updated authority.

20 Apr

Only run the scene at night

This is a very simple Luup snippet. The Vera has a handy function .is_night() which, as you’d expect, simply returns true or false depending on whether it’s day or night.

Vera doesn’t need an attached light sensor for this, instead it uses local weather data – so if you’ve opted to keep your Vera offline this will not work.

First create your scene based on your chosen trigger and add the lights you want turned on, or whatever actions you want it to do, then under “Also, execute the following Luup code” add the following.

This works because if your Luup code returns true, which it will at night, the scene runs, and if the return value is false it won’t.

Tenvis MINI319W Review
19 Apr

My trusty Panasonic BL-C10 IP camera finally failed after years of faithful service, so I went online searching for a replacement. After some searching I came across the Tenvis Mini319W; at a budget price of about £32 it seemed like a good replacement.

Installation was very easy, but instead of trying to make a dry unboxing event into interesting reading, see the video below from the Ultimate Handyman as he installs his in his garage.

https://www.youtube.com/embed/ABRS3gVEzPg

Now here is my take on it. With a price tag of just £32 the Tenvis Mini319W camera is definitely in the lower price bracket, but I was still hoping for more.

The setup and installation was very easy. After connecting a Cat5 network cable and adding power, the camera set itself up on my network using DHCP, and from there it was a simple case of connecting to its admin page to set up the WiFi connection – a small point of note is that the camera will not connect to both WiFi and Cat5 at the same time; it took me a while to work that out.

The infrared (night vision) is really quite impressive. The view is very bright and far more impressive than I’ve seen in other cameras. But setup and night vision are about the best bits.

Once you’re into the admin screen there are few controls. You can change the brightness or contrast and flip the image, but there is no zoom. The UI is also fairly poor, loading the page to look like an iPad with the camera on display:
Web Admin

The resolution is disappointingly poor. As you can see my camera is pointed at the window, and anything happening on the other side of the glass is all but indistinguishable. You can make out people and colours but the image is so poor you can barely work out if they’re wearing a jacket or not. The best point of view is anyone standing just in front of the flowers, but even that is a blur when there’s any motion at all.

In fairness, other than the web UI, the negatives are not deal killers. It’s the field of view that is really disappointing. My camera – in the photo above – is mounted on the wall about 5 meters from the window and you can see from the image how little of the room is actually visible.

Overall I was extremely disappointed with this camera and will not be buying another one. The Ultimate Handyman’s video shows a far better UI and video quality than my experience. I’m not exactly sure why, but it’s possible I ended up with a different model than he has in his video. For my next camera I will just have to look a little harder.

Raspberry Pi Powered OpenVPN – Client Side
19 Apr

This is part two of my series on creating your own, private, VPN server at home using a Raspberry Pi. If you have followed on from my Raspberry Pi Powered OpenVPN – Server post you will have a fully working OpenVPN server. You probably also noticed it took you a good portion of your afternoon, but with bugs and hacks being found in more and more Linux software and libraries it is well worth having a server you can trust.

You’ll have noticed, though, that we’re missing a vital step before we can make use of our new server. In part three of my tutorial we created some access keys to allow our phones and laptops (from here on called clients) to access our server, but we haven’t told the clients yet.

The OpenVPN software gets all the information about where your server is, how to connect, what keys to use and what connections to create from a configuration file with a .ovpn extension. Since you need a separate OVPN file for each client we’ll use a script to do our heavy lifting.

Eric Jodoin first created this script while at the SANS institute, and with some basic template files, it can create configuration files for all our clients.

As with the Raspberry Pi Powered OpenVPN – Server tutorial, the following commands still need to be executed as root, so remember to either add sudo in front of them or make sure you still have root from the sudo -s command.

Setting the defaults

Eric’s script works by combining a default configuration file with the keys specific to each client, so we need to create that default file first.

Create a new blank file:

nano /etc/openvpn/easy-rsa/keys/Default.txt

Then copy and paste in this:


Remember to change the remote line to match your setup. Include the public IP address of your OpenVPN server and make sure the port and proto are correct. If on page four you opted to use TCP or a non-standard port, one other than 1194, you need to make sure this is correct here as well.

If you are not sure what your public IP address is you can ask Google.

Some ISPs will rotate your IP address regularly, which causes a problem when trying to access your new server. There are however many services that offer dynamic domain names (DDNS). These give you a static domain name and make sure the IP address always points to your home PC. The first thing I would do is check your router to see if it supports a DDNS provider. If it doesn’t then you can use a free service like DNS Dynamic, but you will have to set up and run ddclient on the Pi to keep your IP address updated.

As in the previous tutorials use control+x and save the new file.

Creating the script

Now we’ll create a copy of the script Eric produced, the original PDF download of his research paper can be found online.

First create a new file in nano:

nano -w /etc/openvpn/easy-rsa/keys/ovpn_gen.sh

Get a copy of the script from my gitlab server and paste it into this new file. Lastly control+x and save the new script.

By default new files created in nano are just text files; they do not have permission to execute commands. This command will give only the root user permission to read, write or execute our new file:

chmod 700 /etc/openvpn/easy-rsa/keys/ovpn_gen.sh

We can now run the script, but first make sure we are in the keys folder:


The first thing we’re asked for is the Client Name. This must be the same as we used in page three of the server side tutorial. I’ll continue using KEYNAME here, but if I was setting up the key for my Nexus 5 I would use stuart.nexus5.

If everything worked as expected you’ll see a message like this:


Now just rinse and repeat for as many clients as you have set up, but make sure to only run the command for keys you have already created. If you need a new device, go back to page three and create a new set of keys first.
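To show what such a generator does, here is an added example of my own; it is not Eric Jodoin’s script and not from the original post. It builds one self-contained KEYNAME.ovpn from Default.txt plus ca.crt, KEYNAME.crt, KEYNAME.key and ta.key in the keys folder, and assumes a ta.key HMAC file exists there and that the server uses key-direction 0.

```sh
#!/bin/sh
# Added example, not Eric Jodoin's script and not from the original post: a
# small generator that does the same job, building a single self-contained
# CLIENT.ovpn from Default.txt plus the CA, the client certificate and key,
# and the ta.key HMAC file in the easy-rsa keys folder. Only the PEM blocks are
# copied (easy-rsa writes a text dump ahead of the certificate), the output is
# readable by its owner only, and an existing .ovpn is never overwritten.
# Assumption: ta.key exists in the keys folder and the server uses key-direction 0.

KEYS_DIR=${KEYS_DIR:-/etc/openvpn/easy-rsa/keys}   # same folder the post uses

# Print just the PEM section(s) of a file, dropping any text around them.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Wrap a file's PEM content in the inline <tag> ... </tag> OpenVPN expects.
inline_section() {   # $1 = tag, $2 = file
    echo "<$1>"
    pem_only "$2"
    echo "</$1>"
}

# gen_ovpn KEYNAME [KEYS_DIR]: write KEYNAME.ovpn, print its path on success.
gen_ovpn() {
    name=$1; dir=${2:-$KEYS_DIR}; out="$dir/$name.ovpn"
    for f in Default.txt ca.crt "$name.crt" "$name.key" ta.key; do
        [ -r "$dir/$f" ] || { echo "gen_ovpn: missing $dir/$f (run build-key-pass first?)" >&2; return 1; }
    done
    [ ! -e "$out" ] || { echo "gen_ovpn: $out already exists, not overwriting" >&2; return 1; }
    # The file will carry a private key, so create it owner-readable only;
    # the subshell keeps the umask change from leaking into the caller.
    ( umask 077; {
        cat "$dir/Default.txt"
        inline_section ca       "$dir/ca.crt"
        inline_section cert     "$dir/$name.crt"
        inline_section key      "$dir/$name.key"
        inline_section tls-auth "$dir/ta.key"
        echo "key-direction 1"   # client side of the HMAC key (server uses 0)
    } > "$out" ) || return 1
    echo "$out"
}

# Self-check with constructed placeholder material (no real keys involved).
demo_gen_ovpn() {
    d=$(mktemp -d)
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote 203.0.113.10 1194' > "$d/Default.txt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: (text dump)' '-----BEGIN CERTIFICATE-----' \
        'PLACEHOLDER-CLIENT' '-----END CERTIFICATE-----' > "$d/demo.crt"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDER-KEY' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$d/demo.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER-TA' \
        '-----END OpenVPN Static key V1-----' > "$d/ta.key"
    gen_ovpn demo "$d"
}

# On the Pi, after build-key-pass: gen_ovpn stuart.nexus5
```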

Downloading the OVPN files

You now have to download your new OVPN file from the /etc/openvpn/easy-rsa/keys/ folder onto your clients. If you are on a Linux system I would use the scp command, but for Windows users WinSCP would work as well.

If you are using WinSCP you will not have permission to access /etc/openvpn/easy-rsa/keys/; this is by design and adds additional protection to your server. So you can cp the file into the pi home directory first and download it from there, but make sure to delete it once you have it on the client.

cp /etc/openvpn/easy-rsa/keys/KEYNAME.ovpn /home/pi/

and then

rm /home/pi/KEYNAME.ovpn

In part two of this tutorial we’ll take a look at setting up our client and getting OpenVPN installed and running on your Android phone or tablet.

Software Society Email problems – Resolved
27 Mar

Fan-bloody-tastic! I’ve been trying to work out why emails to the Software Society have been falling over the last few weeks and finally I’ve worked it out!

The lesson to take away from it is, never let someone on the other side of an IT support desk do anything for you that’s mission critical.

All my domains are hosted thru 123-Reg who act as my registrar, and have done for years. I’ve never had to use their support desk in the past and found the service perfect for my needs. Recently one of the servers I was using as an alternative DNS Nameserver was being shutdown so I duly made alternative arrangements and went to update my registrar only to be greeted with errors. Unfortunately I was, and still am, unable to update the registrar nameservers for any domain ending in .uk.

Not too concerned, I contacted support and asked them to update my nameservers to a.ns.nxfifteen.me.uk, b.ns…., c.ns…. and d.ns…. Within a few hours I had a response saying it had all been taken care of.

Fast forward a few weeks and emails are starting to fail. A quick check of my ISP’s nameserver shows no problem, but on a whim I check with Google’s and lo and behold the domain no longer has any DNS records!

I will leave aside the long and tedious story of how I spent hours trying to find the problem and checking the DNS server configuration files and skip right on to checking my registrar was returning the right details; as you probably guessed, it wasn’t. My friendly request to the support desk had resulted in my new nameservers being listed as ns1.nxfifteen.me.uk, ns2., ns3. and ns4., which are not A records on my domain.

Rather than going back through support to fix this (I still can’t change them using the admin panel), I’ve resorted to adding these new domain records to my DNS. This can take 24-48 hours to propagate across the net, and as of writing Google’s DNS hasn’t updated, so please be patient with me a little longer. The problem has been resolved, I’m just waiting on it to filter through.

My New Php Fitbit Library is Complete
20 Mar

Last month I announced I was working on a rewrite of my Drupal/Fitbit module to allow it to run independently of the Drupal framework. What I wanted was an application that would allow me to do everything I was doing before, even in a static HTML site – in just over a month and more than 180 commits that’s what I’ve achieved.

My new application is completely separate from the HTML site, meaning it can have its own database and run its own analysis on historical data held there (since Fitbit has an API limit, making a direct call every time you want to know how many steps you took last week is inefficient, and if the site got heavy load it could lead to not getting anything out of the API for an hour or so).

Results from my API are all delivered through a JSON return block that can then be processed using JavaScript directly within the browser. Since the JSON is delivered through my caching proxy there is very little load on the server, but as an added step each JSON block is cached within the file directory, so where there have been no changes this can be sent back instead of rerunning any database queries.

You can see the full API in action on my health section; it supports seven main sections:

As before the source code will be released as an open-source project, but before I do I still have to write an install script and some form of admin UI, because at present to get the code up and running you need to spend more time in the MySQL database than is healthy.

If you really can’t wait though, drop me a line in the comments section below or via the feedback form and I can sort out some early access for you.

Work started on a new PHP Fitbit library
16 Feb

Last year I spent a few months building my own Drupal module for Fitbit. All in all it did everything I wanted from it, pulling all my stats into a database and producing the reports and stats I wanted most.

Problem is, I am not using Drupal anymore. As I’ve talked about before, this site is pure HTML built using Node.js. So the site only needs rebuilding when I add or remove content, but since information from Fitbit is as close to real time as makes no difference, I’ve struggled to think of a way to reinstate the functionality I’d come to rely on – without rebuilding the site every couple of minutes.

In comes JavaScript. I’m in the process of rewriting the original Drupal module as a standalone PHP application. At present my goal is simply to reinstate the previous code. I already know there are new features available and Fitbit have improved some of their other APIs with more features and data sets, not to mention a host of coding bugs and better ways to do things, but it’s best to work on one thing at a time.

Once the hard work has been done I’ll work on getting the information out of the database and displaying it here again, then I’ll look at the arm-long list of issues I’m sticking in GitLab.

As before I’m planning to release the full source code on github.com, but I’d like to get the code at least functional first; if you can’t wait, of course, drop me a note in the comments below and I’ll give you access to the code now.

Raspberry Pi Powered OpenVPN – Server, Part 1
07 Feb

I mentioned in a previous post that I had a spare Raspberry Pi. It’s taken me a while to finish but I’ve managed to turn it into a portable OpenVPN server.

A VPN, or Virtual Private Network, is a way of extending your private network into the outside world, all fully encrypted. Free and in most cases unencrypted WiFi is available almost everywhere, from universities to coffee shops or hotels and even your dentist’s waiting room, but you have to be careful what you are doing on these internet access points.

Most people are unaware, but free WiFi from places like your local coffee shop or hotel is not safe. Sending confidential email or even web browsing can be subject to interception, what is commonly known as a man-in-the-middle attack. Because of the way WiFi works it’s relatively easy for someone with the right tools to get between you and the internet. So however tempting it may be, you really do not want to be logging into your bank, and even something as simple as checking your Gmail could leave your Google username and password out in the open.

The idea behind a VPN is to connect to the internet from a trusted source. Once the VPN connection has been established all your communications to or from the VPN are encrypted and hidden from prying eyes. No one else at the coffee shop will have any idea what you’re doing online. All they will see is encrypted traffic to your VPN, without being able to delve into that traffic to find out what you’re doing.

There is a multitude of online services which offer VPN access, in many cases allowing you to pick where you’d like to access the internet from, thereby bypassing geographic restrictions on services like Netflix and BBC iPlayer, but these, as in all things, have upsides and downsides depending on the service and what charges they make. Since I really resent paying for something I can do myself, I’m going to turn an inexpensive (£35) Raspberry Pi into my VPN server.

Doing it this way not only means I will save myself the ongoing payments of 3rd party VPN service, but I’ll also be able to access my home network as if I was there and still have full access to my Synology file storage.

What you’ll need

Hardware

Raspberry Pi: I’m using a model B but a B+ will work equally well.

SD Card: I would recommend an 8GB card. You shouldn’t need more if all you’re running on the Pi is OpenVPN.

Network cable: Cat5 or Cat6 depending on your network but you need something to connect the Pi to your router.

Software

OpenVPN: Which we will be installing onto your Raspberry Pi.

Some assumptions

  1. You already have installed Raspbian on your Raspberry Pi SD Card
  2. Your Raspberry Pi has a static IP address within your home network. You can either do this from the Pi itself or, like me, set up your router’s DHCP settings to issue the Raspberry Pi with a static IP
  3. SSH is enabled. We need to access the Raspberry Pi to change settings and setup the OpenVPN server. Using SSH will make this simpler and means we don’t need to fuss with a keyboard or monitor attached to the Raspberry Pi
  4. You have forwarded both the UDP & TCP port 1194 to your Raspberry Pi’s static IP. Instructions for doing this will vary from router to router but if you search Google for your specific router you’ll find instructions

So if you’re ready I’ll get started on my how to guide.

House Cleaning

First thing we’ll do is set up the Raspberry Pi, assuming you’re using a new Raspbian installation.

  1. Change your password: The default username and password for a clean Raspbian installation are pi and raspberry. Leaving this unchanged is generally a really bad idea, but not changing it on a Pi you’re connecting to the internet is begging for trouble. To change it, first login over SSH and type sudo passwd; this will change your root password, then just use passwd to change the pi user password.
  2. Update: Always a good first step after a clean install. Updating the system will make sure you’re using the latest software and libraries, and any known bugs or security flaws will have been patched. Raspbian being a version of Debian, system updates are handled by apt-get, so to update the system run sudo apt-get update; sudo apt-get upgrade from the SSH terminal window.
  3. Install OpenVPN: OpenVPN is already in the repositories so installation is as easy as running sudo apt-get install openvpn

Now that our Raspberry Pi is ready we’ll move on to installing and setting up OpenVPN on the Pi.

Raspberry Pi Powered OpenVPN – Server, Part 4
07 Feb

Time to put it all together

OpenVPN Configuration

So far we have set up a new Raspberry Pi, installed OpenVPN, generated some server keys and at least one user/device key, and created a Certificate Authority to sign them. We are still missing something though. OpenVPN doesn’t know any of this yet. We still have to tell it where to find these new files we’ve just created, what IP or port to listen for connections on, what type of connection to make and where to send the resulting traffic.

All these settings are held in OpenVPN’s configuration file, but none is installed with the OpenVPN package, so we need to create a new one. Start by creating a file on the Pi with nano /etc/openvpn/server.conf then fill it with this initial template:

I’ve marked some bits you will need to change yourself, most importantly PI_IP_ADDRESS and YOUR_DNS_IP_ADDRESS, but read through the comments to make sure everything else is right for your setup. Once you’re done, just control+x and save the file.

Port Forwarding

Now that OpenVPN knows what to do we need to tell the Pi to forward internet traffic. By default Raspbian is set up as a receiving client: internet traffic goes to or from it, but in this case we want it to forward traffic it receives on somewhere else – in this case your router.

To edit the system setting, open up the system control file with nano /etc/sysctl.conf, find the line “#net.ipv4.ip_forward=1” and uncomment it by removing the #, leaving “net.ipv4.ip_forward=1”. Once again use control+x to save the file. Lastly we have to tell the system we have changed the file. That’s done with the sysctl command; just type sysctl -p and you’re done.

Raspbian Firewall

We’re almost ready to restart the Raspberry Pi and have a functional server, but before we can there is one more thing we have to do. Raspbian comes with a built-in firewall called iptables, found on most Linux systems, which is there to protect your computer from the dangers of the internet, but we need to poke a hole through it while leaving the rest of it intact. This is done by issuing commands directly to iptables, but we want these changes to still be in place next time we reboot the Raspberry Pi, so we need to make the command something the Pi will run every time it connects to the router.

This is best done in two steps. First we’ll set up the script we want to run. Make a new file with nano /etc/iptables-openvpn.sh and type in:

Make sure you change PI_IP_ADDRESS to your Raspberry Pi’s IP address. Then hit control+x and save the file. We now need to make the file executable, but we also want to stop normal users from changing it.

The first line means only the file owner can execute the file, no one else can even read it. The second line just makes sure the owner is root.

Now we have our supporting files we need to tell the Pi to run this file, and so poke the same hole in our firewall, every time a network connection is set up. Network settings for Linux are commonly stored in the /etc/network/interfaces file, so we can start there.

nano /etc/network/interfaces

You will see a line that says “iface eth0 inet dhcp”; that simply tells Linux to ask your router for an IP address for the ethernet port. We can now hook our iptables-openvpn.sh file in here using the pre-up option, which runs a command before the interface is brought up.

…becomes…

Now, before asking for an IP address from a connected router, the Pi will run our iptables script and the firewall will be ready. Bear in mind that pre-up runs on every interface start, not just at boot, so the script is run again after every cable reconnect; if it blindly appends rules you will accumulate duplicates, so have it check whether a rule already exists before adding it. control+x to save your work.
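As an added example (not the script from the original post), here is a version of iptables-openvpn.sh that does the forwarding set-up described above but checks for each rule before adding it, so running it from pre-up on every boot does not stack duplicates. The tunnel subnet 10.8.0.0/24, the interface names tun0 and eth0 and the Pi address 192.168.1.10 are assumptions; change them to match your network.

```shell
#!/bin/sh
# Added example, not the script from the original post. It produces the NAT
# rule that lets VPN clients reach the internet through the Pi and applies it
# only if it is not already loaded, so calling it from pre-up on every boot or
# cable reconnect never stacks duplicate rules. Assumed values (override via
# the environment): the OpenVPN default tunnel subnet 10.8.0.0/24 on tun0, the
# Pi's LAN interface eth0 and a Pi address of 192.168.1.10.
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"
PI_IP_ADDRESS="${PI_IP_ADDRESS:-192.168.1.10}"

# Build one "check, then append" command for a table/chain/rule spec:
# iptables -C exits 0 only if an identical rule is already loaded.
ensure_rule_cmd() {
    printf 'iptables -t %s -C %s %s 2>/dev/null || iptables -t %s -A %s %s\n' \
        "$1" "$2" "$3" "$1" "$2" "$3"
}

# The full rule set. The SNAT rule is the "hole" the post refers to; the two
# FORWARD rules are no-ops while the FORWARD policy is ACCEPT (Raspbian's
# default) but keep the VPN working if you later tighten that policy to DROP.
rules() {
    ensure_rule_cmd nat POSTROUTING \
        "-s $VPN_NET -o $LAN_IF -j SNAT --to-source $PI_IP_ADDRESS"
    ensure_rule_cmd filter FORWARD \
        "-i $VPN_IF -o $LAN_IF -s $VPN_NET -j ACCEPT"
    ensure_rule_cmd filter FORWARD \
        "-i $LAN_IF -o $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Without --apply the script only prints what it would run, so you can read
# the rules before trusting them to pre-up.
main() {
    case "${1:---dry-run}" in
        --dry-run) rules ;;
        --apply)
            [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
            # Forwarding is the usual reason clients connect but get no internet.
            [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] ||
                echo "warning: net.ipv4.ip_forward is 0; run sysctl -p" >&2
            rules | sh -e
            ;;
        *) echo "usage: $0 [--dry-run|--apply]" >&2; return 2 ;;
    esac
}

main "$@"
```

Run it with no arguments to see the commands it would issue; the interfaces line is then pre-up /etc/iptables-openvpn.sh --apply.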

You can finally reboot your Raspberry Pi

Your Raspberry Pi is now a fully working OpenVPN server, in the next tutorial we’ll get started preparing our clients to connect to it.

Raspberry Pi Powered OpenVPN – Server, Part 3
07 Feb

Raspberry Pi Powered OpenVPN – Server, Part 3

Client Side

So we now have a working server; what we have to do now is create certificates for our users or ourselves.

If you want to you can cheat here and create one certificate per user, which they can then use everywhere, but as I talked about before, if the device is ever lost or stolen you will have to set up all your other devices with the new key. So I have created a separate certificate for each device.

Since I am not the only person potentially going to use my VPiN service, and I alone have four or five devices all needing access, I’ve gone with a naming scheme USER.DEV. So for my Nexus 5 it’d be stuart.nexus5 and my laptop is stuart.redtop (If you’d ever seen my laptop you’d understand… oh what the hell, here it is)

To create a device key just type

./build-key-pass KEYNAME

… and more prompts

  • Enter PEM pass phrase – Make this something you will remember; depending on the client you’re running you may be asked to type it every time you want to connect.
  • A challenge password? – You still have to leave this blank
  • Sign the certificate? [y/n] – The answer must be yes. You will be creating a ten year certificate. Each device needs its own, distinct Common Name (it defaults to KEYNAME); easy-rsa will refuse to sign a second certificate with a name already in its index.

We now have an RSA private key, encrypted on disk under the pass phrase you just typed. Not every client can read the key file in the form easy-rsa writes it, and for the Android and iOS apps we need a copy of the same key whose file is encrypted with Triple DES instead. Nothing about the key itself changes: Triple DES is simply another cipher, one that runs DES three times over every block of data, and here it only protects the key file at rest, not your VPN traffic. We can do this using the openssl command. All we need to do is input the old key and tell it what to produce:

openssl rsa -in keys/KEYNAME.key -des3 -out keys/KEYNAME.3des.key

OpenSSL will now prompt you for the pass phrase of the old key, which you just entered, and ask you for a new pass phrase for the 3DES copy. I just used the same password for both keys, there is no loss of security as long as it was a good password and no need for two separate passwords. Bear in mind that this legacy PEM encryption derives the file key from the pass phrase with a single pass of MD5, so a stolen key file will fall to offline guessing unless the pass phrase is genuinely strong.

And that’s it. You’ve now created your first client side key. You will have to repeat these steps for each device, but it’s simple enough: just keep changing your KEYNAME as appropriate.
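Here, as an added example that is not part of the original post, is a small script that does the 3DES conversion for every device key and then checks two things the openssl one-liner alone does not: that the new file really is encrypted, and that it still holds the same RSA key as the original (same modulus). Paths follow the easy-rsa 2.0 layout used in this series; the KEY_PASSIN/KEY_PASSOUT variables and the server name VPiN are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: re-encrypt an easy-rsa client
# key for a phone and confirm the result before it leaves the Pi. It assumes
# the easy-rsa 2.0 layout used in this series (keys/NAME.key under
# /etc/openvpn/easy-rsa) and the USER.DEV naming scheme from the text.
KEYS_DIR="${KEYS_DIR:-/etc/openvpn/easy-rsa/keys}"

# Pass phrases are prompted for interactively unless these are set. They take
# openssl's -pass syntax ("pass:secret" or "file:/path"); use them only for
# unattended runs, and never "pass:" on a shared machine's command line.
KEY_PASSIN="${KEY_PASSIN:-}"
KEY_PASSOUT="${KEY_PASSOUT:-}"

# Write a copy of a key whose file wrapper uses a different cipher. The RSA
# key inside is unchanged; -des3 matches what the post uses for Android/iOS,
# -aes256 is the better choice for any client that accepts it.
rewrap_key() {
    in=$1; out=$2; cipher=${3:--des3}
    umask 077                     # a private key must never be group/world readable
    set -- -in "$in" "$cipher" -out "$out"
    [ -n "$KEY_PASSIN" ]  && set -- "$@" -passin "$KEY_PASSIN"
    [ -n "$KEY_PASSOUT" ] && set -- "$@" -passout "$KEY_PASSOUT"
    openssl rsa "$@"
}

# True if a PEM key file is encrypted, in either the traditional header form
# (DEK-Info:) or the PKCS#8 form that newer OpenSSL releases write.
key_is_encrypted() {
    grep -qE '^(DEK-Info:|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Print the RSA modulus of a key; $2 is an optional -pass source.
modulus_of() {
    if [ -n "$2" ]; then openssl rsa -in "$1" -passin "$2" -noout -modulus
    else openssl rsa -in "$1" -noout -modulus; fi
}

# Prove the copy holds the same key as the original: identical modulus.
same_key() {
    m1=$(modulus_of "$1" "$KEY_PASSIN") || return 1
    m2=$(modulus_of "$2" "$KEY_PASSOUT") || return 1
    [ -n "$m1" ] && [ "$m1" = "$m2" ]
}

# Convert every device key that lacks a 3DES copy, skipping the CA and server
# keys, and refuse to keep a copy that is not encrypted or does not match.
rewrap_all() {
    server_name=${1:-VPiN}
    for key in "$KEYS_DIR"/*.key; do
        name=$(basename "$key" .key)
        case "$name" in ca|"$server_name"|*.3des) continue ;; esac
        out="$KEYS_DIR/$name.3des.key"
        [ -e "$out" ] && continue
        rewrap_key "$key" "$out" -des3 || return 1
        if ! key_is_encrypted "$out" || ! same_key "$key" "$out"; then
            rm -f "$out"; echo "$name: conversion check failed" >&2; return 1
        fi
        echo "$name -> $out"
    done
}
```

On OpenSSL 3 the copy is written in PKCS#8 form; add -traditional to the openssl rsa call if a client insists on the older RSA PRIVATE KEY header.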

In the final part of this tutorial we need to put everything together and tell OpenVPN about our configuration.

Raspberry Pi Powered OpenVPN – Server, Part 2
07 Feb

Raspberry Pi Powered OpenVPN – Server, Part 2

Groundwork

Keypair

I mentioned before that a VPN encrypts traffic to and from your device, in much the same way as connecting to a site over HTTPS. This is done with public-key cryptography. If any of you have ever heard me talk at Dundee Tech Talks you’ll have heard me go on at length about encryption, and public key encryption is by far the coolest method of encryption. I’ll probably talk about it more in another post but at its simplest level you have two keys: one encrypts and one decrypts, and you can make the encryption key public. OpenVPN comes with a collection of helper scripts and config files called easy-rsa which produce keys and certificates using the RSA algorithm.

The next few commands are going to be run as root. You can either stick sudo in front of all the commands I’ll list below, or to save some time just type sudo -s and become root.

Before we start setting up our certificates we must copy the default easy-rsa files into a folder that makes sense:
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa

Before we can start using easy-rsa we have to tell it where to find our new directory. So edit the vars file with nano /etc/openvpn/easy-rsa/vars, find the line ‘export EASY_RSA’ and update the value; once you’re done it should look like export EASY_RSA="/etc/openvpn/easy-rsa"

Before we leave the vars file we’ll also want to raise the key size, the export KEY_SIZE line, from 1024 to 2048. 1024-bit RSA is now below the accepted minimum and 2048 is the smallest size you should be generating, and since it is as easy as changing three digits there is no reason to settle for less. The same setting is used for the Diffie-Hellman parameters later, which is where the extra bits cost you time on a Pi.

To exit nano simply type control+x; nano will prompt you to save the file before exiting.

The Authority

Part of what gives OpenVPN, set up this way, its security is that it doesn’t rely on a username and password to authenticate users. When asked for a password most people pick a relatively simple one, or reuse a previous one, and where someone picks a genuinely strong password it is easily forgotten. Another risk to consider is where you’ll be using the VPN. Having the password stored on devices like phones and tablets, which can be lost or stolen, means having to change your password and then update every other device with the new one – a pain if you happen to be away from home.

Instead OpenVPN uses an OpenSSL key pair. Every device has its own private key, which never leaves it, and a certificate signed by our own certificate authority, which is what the server checks to authenticate each device separately. Now if a device is lost it’s as easy as revoking that device’s certificate; no other device needs changing or updating. Revocation only takes effect if the server is told to check the revocation list, with the crl-verify option, so remember that when writing the server configuration.

So we need to create a certificate authority on the Raspberry Pi to sign device certificates – which we’ll do next. The following commands still need to be executed as root, so remember to either add sudo in front of them or make sure you still have root from the sudo -s command we used when setting up the key pair.

Step 1

Move into the easy-rsa folder we created earlier: cd /etc/openvpn/easy-rsa

Step 2 – A

Run source ./vars; this will set up all the environment variables we edited before. Do this in every new shell before running any of the scripts below, or they will fall back to their built-in defaults.

Step 2 – B

As pointed out by Redrerick in the comments, after the most recent update to OpenVPN available for the Raspberry Pi, openvpn armhf 2.2.1-8+deb7u3, you now have to run ./clean-all. This clears out any keys and certificates and gives you a clean slate to start with. Run it only once, now: running it again later deletes every key and certificate you have generated, including the CA.

Step 3

./build-ca – this is where the magic happens. The Raspberry Pi is now going to hit you with a load of questions about where you are and organisation names. You can either fill them in accurately or just accept the defaults, which come from the KEY_* values in vars.

Step 4

Now you need to pick a name for your server. I started by trying to use my normal naming scheme but, turns out it’s crap, settled for VPiN – clever right?

./build-key-server VPiN

As in step 3 you are going to be hit by a series of questions.

  • Common Name – This has to be the same as your server name; if it hasn’t already defaulted to that, change it!
  • A challenge password? – You have to leave this blank
  • Sign the certificate? [y/n] – The answer must be yes; if you don’t sign the certificate then nothing else will work

You’re going to get a warning saying the certificate is valid for 3,650 days. So if you’re still using your Raspberry Pi VPN server in ten years you’ll need to come back and go through these steps again – so you’d better bookmark the page now.

Finally it’ll say “1 out of 1 certificate requests certified, commit? [y/n]”; again type ‘y’

Diffie-Hellman

Now we’re going to create what are called Diffie-Hellman parameters. Diffie-Hellman is the key exchange that lets two machines agree a shared secret over a connection that is still completely unencrypted: a third party can sit in and watch the whole ‘handshake’ conversation and still not learn the session keys that come out of it, so once the connection becomes encrypted that’s it – they’re out in the cold. The parameters themselves (a large prime and a generator) are not secret; they just have to be generated once, and generating them is slow.

Make sure you are still in the /etc/openvpn/easy-rsa directory and run

./build-dh

Now best to get a coffee or something, because this can take a while, especially if you followed the instructions and increased KEY_SIZE from 1024 to 2048, which build-dh uses as well. Since the parameters are not secret you can also generate them on a faster machine with openssl and copy the resulting dh2048.pem into the keys directory.

DoS (Denial of Service)

A DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack is where an attacker finds the IP address of a service online and sends it so many connection requests, sometimes several thousand per second, that the server cannot handle them all and eventually falls over under the load. For OpenVPN the expensive part of each connection is the TLS handshake, so that is what an attacker makes it do over and over.

OpenVPN has built-in protection against these attacks called tls-auth, which uses an HMAC (hash-based message authentication code) keyed with a pre-shared secret. Every control-channel packet must carry a valid HMAC; if it doesn’t, the server drops the packet without even starting a TLS handshake, so junk from the internet costs it almost nothing. Now, while you don’t want this secret out in the wild, losing it is not a disaster since even with the secret a device still needs a valid certificate as well. It does mean every client must carry a copy of ta.key along with its own certificate and key.

Generating the secret is as easy as typing:

openvpn --genkey --secret keys/ta.key
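Before moving on to client keys it is worth checking what the steps above actually produced. The following is an added example, not part of the original post: it reads the key size from the server certificate (so no pass phrase prompt), confirms the certificate is signed by your CA and carries the expected Common Name, measures the Diffie-Hellman prime, and makes sure ca.key and ta.key are readable by root alone. It assumes the easy-rsa 2.0 keys directory and the dh2048.pem file name that KEY_SIZE=2048 gives you.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check what Part 2
# produced before building any client keys. It assumes the easy-rsa 2.0
# layout (/etc/openvpn/easy-rsa/keys) and the server name VPiN; both can be
# overridden: audit_keys /path/to/keys SERVERNAME

# Key size recorded in a certificate's public key, e.g. 2048. Read from the
# certificate rather than the key so no pass phrase prompt is needed.
cert_bits() {
    openssl x509 -in "$1" -noout -text | grep -o '[0-9][0-9]* bit' | head -1 | cut -d' ' -f1
}

# Size of the Diffie-Hellman prime in a dh*.pem file.
dh_bits() {
    openssl dhparam -in "$1" -noout -text | grep -o '[0-9][0-9]* bit' | head -1 | cut -d' ' -f1
}

# Common Name from a certificate's subject; handles both the old
# "/C=GB/CN=x" and the newer "C = GB, CN = x" subject formats.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# True if the certificate chains to the given CA certificate.
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True if a file exists and has no group or world permission bits at all.
file_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm /077 2>/dev/null)" ]
}

# Run every check, print one PASS/FAIL line each, return the failure count.
audit_keys() {
    dir=${1:-/etc/openvpn/easy-rsa/keys}; server=${2:-VPiN}; fails=0
    check() {   # check DESCRIPTION COMMAND [ARGS...]
        desc=$1; shift
        if "$@" 2>/dev/null; then echo "PASS $desc"
        else echo "FAIL $desc"; fails=$((fails + 1)); fi
    }
    check "CA certificate signs $server.crt" cert_signed_by "$dir/ca.crt" "$dir/$server.crt"
    check "$server.crt Common Name is $server" [ "$(cert_cn "$dir/$server.crt")" = "$server" ]
    check "$server.crt key is at least 2048 bits" [ "$(cert_bits "$dir/$server.crt")" -ge 2048 ]
    check "DH parameters are at least 2048 bits" [ "$(dh_bits "$dir/dh2048.pem")" -ge 2048 ]
    check "ta.key exists and is private" file_is_private "$dir/ta.key"
    check "ca.key is private" file_is_private "$dir/ca.key"
    return "$fails"
}
```

A non-zero return from audit_keys means at least one line said FAIL; fix those before handing any certificate to a device.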

OpenVPN is finally installed on our Raspberry Pi, but it’s fairly useless unless our devices can connect to it. So next we’ll start creating some keys for our phones and laptops.

Fedora/Yum update notification in OpenBox
06 Feb

Fedora/Yum update notification in OpenBox

OpenBox is a minimalist window manager for Linux, and it’s also my manager of choice. Because of its minimal memory footprint it’s faster than Gnome or KDE, but because it’s minimal a lot of what you may have come to know and love is not enabled by default.

I will cover more about OpenBox and its configuration in future posts, but this evening I decided to check for any updates to Fedora 21 and to my surprise I found over 200 updates waiting on me. I know, I am really bad at checking for updates, but so are you, so don’t judge!

When you log into KDE or Gnome many other services and background programs are run, one of which checks for system updates and alerts you. Nothing like that runs by default when you first run OpenBox, so I created a Bash script that runs from cron. It uses the notify-send command to pop up alerts when updates are available.

Create a new file in /usr/local/bin/yum-watch and copy in:

Now make sure the file is executable with sudo chmod 700 /usr/local/bin/yum-watch. Note that mode 700 only lets the file’s owner run it, so if sudo left the file owned by root a job in your own crontab will not be able to execute it; either make yourself the owner or use mode 755. Now just add your new command to cron or run it at startup and you’ll start getting notifications if and when new updates are available.
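As an added example (not the author’s yum-watch script, which is not reproduced above), here is a version of the idea that also handles the two things that commonly bite: yum check-update uses exit status 100 to mean “updates available” and 1 to mean the check itself failed, and a cron job has no DISPLAY, so notify-send cannot find your desktop unless told where it is. The sample check-update output used by the counter is constructed, not real output.

```shell
#!/bin/sh
# Added example, not the script from the original post. It checks for pending
# updates with yum and raises a desktop notification only when there is
# something to say. Assumptions: Fedora's yum (dnf check-update uses the same
# exit codes), the desktop on DISPLAY :0, and that the job runs from your own
# crontab rather than root's, so notify-send can reach your session.

# yum check-update exits 0 when nothing is pending, 100 when updates are
# available and 1 when the check itself failed (no network, broken repo).
# Map the code to a message; $2 is the number of updates when known.
describe_status() {
    case "$1" in
        0)   echo "System is up to date" ;;
        100) echo "$2 update(s) available; run yum update" ;;
        *)   echo "Update check failed (exit status $1)" ;;
    esac
}

# Count packages in check-update output read from stdin. Package lines look
# like "name.arch version repo"; very long names are wrapped so the version
# lands on an indented continuation line, which is counted instead of the
# name-only line. Stop at the "Obsoleting Packages" trailer, which repeats
# packages and would double-count them.
count_updates() {
    awk '/^Obsoleting Packages/ { exit }
         NF >= 2 && $1 ~ /\./ { n++ }
         END { print n + 0 }'
}

# Constructed sample of yum check-update output (not captured from a real
# machine) so count_updates can be exercised without running yum.
SAMPLE_CHECK_UPDATE='Loaded plugins: langpacks

kernel.x86_64                      4.0.4-303.fc22                     updates
openssl.x86_64                     1:1.0.1k-12.fc22                   updates
a-very-long-package-name-that-wraps.noarch
                                   1.2.3-1.fc22                       updates
Obsoleting Packages
foo.noarch                         1.0-1.fc22                         updates
    bar.noarch                     0.9-1.fc22                         @installed'

# Run the check and notify. Success (0 or 100) returns 0; a failed check
# returns yum's status so a wrapper such as cronic can still mail you.
yum_watch() {
    out=$(yum -q check-update 2>&1)
    rc=$?
    [ "$rc" -eq 0 ] && return 0        # nothing pending: stay silent
    n=$(printf '%s\n' "$out" | count_updates)
    # cron jobs have no display; point notify-send at the desktop session
    # (on a per-session D-Bus you will also need DBUS_SESSION_BUS_ADDRESS).
    export DISPLAY="${DISPLAY:-:0}"
    notify-send "yum-watch" "$(describe_status "$rc" "$n")"
    [ "$rc" -eq 100 ] && return 0
    return "$rc"
}
```

Install it as /usr/local/bin/yum-watch with a final line of yum_watch, and keep the cron entry in your own crontab so the notification lands in your session.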

Time to let go. My email will be changing
06 Feb

Time to let go. My email will be changing

This weekend it’s time to go on a domain purge. Turns out all my domains are up for renewal in January and all 25 of them auto-renew, making January, already a tight month, worse.

I have a collection of 25 different domain names which I’ve gathered over the years. While the NxFifteen domains are not going anywhere there are plenty of others that can be allowed to lapse.

This post is to serve as notice. If you have any email address for me that isn’t @nxfifteen.me.uk or @anderson.eu.com it’s time to update it. Any other email address will stop working within the next 12 months.

The Dangers of Open Spots
01 Feb

The Dangers of Open Spots

All over the web you will see people telling you the internet is an unsafe place to be, but the biggest danger doesn’t come from someone sitting at home intercepting your connection to your bank or Facebook. It comes from someone sitting in the same coffee shop as you getting between you and the internet, what’s known as a ‘man-in-the-middle’ attack.

This illustration shows what a normal Internet connection should look like:

Standard Internet Connection

As you can see the green and red lines represent unchanged traffic between you and the internet.

But in a man in the middle attack it would look more like this:

Man-In-The-Middle Connection

In this case you are sending traffic to a third party, connected to the same router as you, and they are sending that on to the internet. They receive a response back and forward that on to you. This allows them to rewrite any web page or email before you see it and they can see any passwords you are sending.

Having an HTTPS connection goes a long way to protect you from this kind of attack, but it’s not perfect. A man in the middle who can intercept all your traffic can intercept your connection request, offer you a secure connection to themselves and create a separate secure connection to the remote host, reading everything in the clear in between.

This is part of the reason we use Certificate Authorities. While the man in the middle can offer you a secure connection to their fake site, they can’t fake the CA’s signature on a certificate for the real one. So if everything is working correctly your browser will throw up an error and encourage you to click away, but as users we’re trained to push past these without ever reading them or paying attention.

Another way this fails is when a certificate authority whom your browser trusts loses control of their keys. In effect a hacker can now create fraudulent certificates for any site they like and your browser will accept them quite happily, at least until the browser vendors push out an update that stops trusting that CA.

There are a number of solutions to this, each with its ups and downs. The one the industry is favouring is EV certs. These are special certificates that in most cases turn your browser’s address bar green.

It’s important to understand what an EV cert actually does. It is cryptographically no more secure than a self-signed certificate, but it carries a stronger identity check. Before any certificate authority can issue you with an EV certificate they have to perform far more checks on who you are, and that’s what you pay for. It also only helps if you notice when the green bar is missing.

A regular certificate lasting one year will separate you from between £9.99 and £175.00 of your hard-earned cash, but an EV certificate for the same twelve months would set you back between £249.99 and £1000.00.

While EV certificates are a solution, and a good one, they still rely on the website you’re visiting doing the hard work, and paying the fee. So we need to look at more practical solutions a user can apply.

One of the best, and easiest, is only accessing the internet from a trusted router. So just stop using any public wifi, easy. A slightly less extreme way would be if we could access the internet through our home router all the time, from wherever we are.

So how do we access the Internet from home when we’re in a coffee shop on the other side of the city? Like everything there are lots of solutions, but the main one would be a VPN, like OpenVPN. Like all servers you have to be running it on a machine at home at all times, just in case you want to connect to it. Leaving a desktop on for that is not cost effective and a waste of electricity, but we can use a cheaper computer like a Raspberry Pi; I’ve already posted about the running costs of a Pi but it’s usually in the region of £4.60 to £10.52 per year.

This is the solution I’ve decided to go for since it’s open source and supports all versions of Linux, Windows and even has an Android app.

In the next article I’ll start by talking you through the initial setup of the Raspberry Pi then we’ll move on to installing OpenVPN and finally getting your laptop and Android connected.

Raspberry Pi Yearly Running Cost
29 Jan

Raspberry Pi Yearly Running Cost

I don’t know about you but I run a number of Raspberry Pis in my house all doing different jobs. I’ve often heard it said how inexpensive a Pi is to run but never how inexpensive, and I wanted some real world figures.

After a little time with good old Google I came across this forum post by audigex from 2012, so I’ve used his calculations, just updated the figures.

In the same vein as audigex’s original post I’ve taken the worst case and a more average look. A Raspberry Pi draws 5W maximum in theory (5V x 1A = 5W), but it should never go higher than 700mA, which is only 3.5W.

I really had to search around but the most expensive unit price I could find at present, January 2015, was £0.24 per kWh. I won’t name and shame the company here, but believe me, if you’re paying that much you will be hard pressed not to beat it!

Worst Case
Raspberry Pi Power (Watts) 5W
Hours to use 1 kWh 200 h = 1000 / 5
Hours in year 8765.81 h
Raspberry Pi per year 43.83 kWh = 8765.81 / 200
Cost per kWh £0.24
Yearly Running Cost £10.52 = 43.83 * 0.24

For a more realistic look I downgraded the total watt usage to 3.5W as discussed above and took the average unit cost straight off the UK Gov website, The Department of Energy & Climate Change Quarterly Energy Prices published on the 18th December 2014. According to official Government statistics the average cost for a kWh unit is £0.15 (15 pence); personally I’m paying slightly less than the average but the figure is still a valid one for this analysis.

Realistic Values
Raspberry Pi Power (Watts) 3.5W
Hours to use 1 kWh 285.71 h = 1000 / 3.5
Hours in year 8765.81 h
Raspberry Pi per year 30.68 kWh = 8765.81 / 285.71
Cost per kWh £0.15
Yearly Running Cost £4.60 = 30.68 * 0.15

So based on what I freely admit is back-of-the-napkin maths, a Raspberry Pi costs between £4.60 and £10.52 per year. Obviously this may be slightly higher if you are also running a USB hub or any external storage.

I hope this is of use to someone else. If you have noticed any flaws in my calculations please let me know in the comments below.

I will be speaking at The Software Society
26 Jan

I will be speaking at The Software Society

This week I will be talking at Dundee Tech Talks about Bitcoin (which will be the subject of next month’s posts): what it is, what you can do with it and how it works.

The talk starts at 18:45 for 19:00 and is free to all.

Please be aware though, The Software Society has been let down again by another coffee shop. They have stopped opening late on Thursdays, which is fine, they have their reasons and I am thankful for their support, but it has meant a slightly mad dash to get a new venue sorted out.

The Software Society has teamed up with our local MakerSpace and arranged to use their lecture/conference suite for its talks.

Dundee MakerSpace
Suite 5
Vision Building
20 Greenmarket
DD1 4QB

Right opposite Greenmarket carpark, which is free parking after 18:00

You can find full details of the talk, as well as an updated Google Map, on The Society website

Week 1.4 – Wednesday
07 Jan

Week 1.4 – Wednesday

I have said before I want to start writing longer and more in-depth articles this year, with the goal of one a month; now I’m almost ten days into January and I’m not sure what I want this month’s focus to be. I have a lot of ideas, but just too many to tie myself down to one.

After Christmas I have another spare Raspberry Pi just waiting for a job, so I think that will be my focus in January. I’ve always wanted to set up my own OpenVPN.

A cure for Crons chronic email problem
06 Jan

A cure for Crons chronic email problem

Anyone who has set up a backup system on their Linux machine, and I hope you all have, will be well aware of the problems when running commands from crontab (https://en.wikipedia.org/wiki/Crontab). You will be inundated with emails every time cron runs, and with so many emails it’s easy to get to a point where you just stop reading them, so you never notice that Friday night when the backups stopped due to some error and from that point on never ran correctly again.

One solution most of us will be familiar with is simply to redirect all command output to /dev/null: 15 01 * * * backup_my_pc >/dev/null 2>&1. But this now means we won’t get any feedback, whether the backup ran correctly or not!

After a little time spent with Google I found a program called Cronic (http://habilis.net/cronic/). It acts as a wrapper script within the cron shell. So now instead of having 15 01 * * * backup_my_pc as your crontab command you use 15 01 * * * cronic backup_my_pc. Cronic then runs your command and captures all of its output. If the command fails, which Cronic takes to mean either a non-zero exit status or anything written to stderr, the full output is printed, so cron sends it as an email; if no error occurs all output is hidden and no email is sent. A perfect solution.

Installation

The best way to install Cronic is simply to download the shell script from the project website (http://habilis.net/cronic/cronic). Copy the download into your PATH, usually /usr/bin will be fine, and make it executable. Then just start updating your crontab rules.
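To show what Cronic does, here is an added example, not Cronic’s own code, of a wrapper with the same contract: output only when the command exits non-zero or writes to stderr, and the command’s real exit status preserved so cron, or a caller, can still act on it. The install path /usr/local/bin/quietcron is an assumption.

```shell
#!/bin/sh
# Added example, not the Cronic script itself: a minimal wrapper with the same
# contract. It runs the command with stdout and stderr captured, and replays
# both, plus the exit status, only when the command exits non-zero or wrote
# anything to stderr. A quiet, successful run prints nothing, so cron has
# nothing to mail. Assumed install path: /usr/local/bin/quietcron, used as
#   15 01 * * * /usr/local/bin/quietcron backup_my_pc

quietcron() {
    [ $# -gt 0 ] || { echo "usage: quietcron COMMAND [ARGS...]" >&2; return 2; }
    tmp=$(mktemp -d) || return 1
    # Run inside "if" so a set -e in a caller cannot abort us before we report.
    if "$@" >"$tmp/out" 2>"$tmp/err"; then rc=0; else rc=$?; fi
    if [ "$rc" -ne 0 ] || [ -s "$tmp/err" ]; then
        echo "quietcron: '$*' exited with status $rc"
        echo "--- stdout ---"; cat "$tmp/out"
        echo "--- stderr ---"; cat "$tmp/err"
    fi
    rm -rf "$tmp"
    return "$rc"      # keep the real status so cron (or a caller) can act on it
}

# Run only when invoked as the installed script, not when sourced for reuse.
case "$(basename "$0")" in
    quietcron) quietcron "$@"; exit $? ;;
esac
```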

Week 1.1 – Monday
05 Jan

Week 1.1 – Monday

It’s come again: a new year brings with it a flood of new year resolutions. It’s far from original but in 2015 I’m jumping back on the treadmill and MyFitnessPal.

I’ve been paying no attention to what I eat or do since getting back from last year’s skiing holiday, so with another skiing holiday fast approaching it’s time to decide what I want from this attempt at fitness and health.

I’ve no illusions about what state I’m starting in and no intention of becoming the owner of a six pack, but I do want to be fitter, eat better and exercise more.

Since last year failed to make a long-term change, I’m breaking this into smaller ‘bite size chunks’: over the next month my goal is to move more. I want to see my beloved Fitbit reading 10,000 steps every day. Since I average around 5,000 a day this should be a challenge.

I know I don’t have a lot of weight to lose but it still feels like a big change to make. It’s easy to eat right and exercise more over a short time like a week or a month, then once you reach your targets you soon slip back into old habits. Within a year you’re back where you started and on January 1st 2016 you’ll be rewriting your resolution post for another year. Enter the world of the yo-yo diet.

I did it in 2013, 2014 and here I am in 2015 doing it again. I want more this time. I am looking for a long-term change in my lifestyle and those are hard to make.

Resolutions – 2015
01 Jan

Resolutions – 2015

2014 has seen a lot of changes in this site. NxFIFTEEN has always been my personal site where I could write more freely about the things that interest me, even though that usually revolves around Linux, technology and health.

I love to write. I may not be great at it and my spelling leaves a lot to be desired, but I love doing it. I know few people will ever read what I write, but I like to believe my tutorials and tips are of use to someone else.

Since I started blogging, back in the early days of WordPress 1.0, I’ve always known writing short “tips” is easy and writing longer tutorials and breakdowns is harder. They require more research and testing to give a better and fuller understanding of what I’m writing about. The work aside, they are the pieces I’m proudest of and get the most out of.

In 2015 I want to commit myself to writing at least 12 in-depth articles. While that only averages one a month, it will give me the time to put in and make these pieces something I’m proud of. While I have a short list of topics I don’t want to be tied down to any of them. I want the freedom throughout the year to pick something current that I can really look at, rather than listing my twelve in January and finding by December I’ve missed something new or timely.

As always each post will be published on Twitter and Google Plus as well as my RSS feeds and JSON API