
PermitRootLogin yes IS the default value

Today I found out that my box at work was used for some IRC botnet. According to the logs, root’s password was bruteforced. But, I thought, hey, I am quite sure root is UNABLE to login via ssh (after all, it is not even in securetty).

/etc/ssh/sshd_config:  PermitRootLogin yes

Root logins are enabled by default.

Great.
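An added audit helper for the point above, not from the post: it reports the effective PermitRootLogin value of an sshd_config, treating an absent or commented-out directive as "yes", the default the post ran into (OpenSSH 7.0 and later default to prohibit-password instead). The sample config is constructed.

```shell
#!/bin/sh
# Added example: report the effective PermitRootLogin value of an sshd_config.
# sshd takes the first matching directive, keywords are case-insensitive, and
# anything after the first "Match" line belongs to a Match block, not to the
# global scope. An absent directive means the compile-time default applies
# ("yes" on the OpenSSH versions of the post's era, prohibit-password since 7.0).
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ { next }                       # comment line
        tolower($1) == "match" { exit }           # end of global scope
        tolower($1) == "permitrootlogin" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "yes (default: directive absent)" }
    ' "$1"
}

# Exit status 0 when PermitRootLogin is effectively "yes" (password logins for
# root allowed, as in the post), 1 for any other value.
root_login_enabled() {
    case "$(effective_permit_root_login "$1")" in
        yes*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Constructed sample resembling a stock file: the directive is only present as
# a comment, so the default silently applies.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
EOF
printf 'effective PermitRootLogin: %s\n' "$(effective_permit_root_login "$sample")"
if root_login_enabled "$sample"; then
    echo 'root login over SSH is ENABLED; set "PermitRootLogin no" explicitly'
fi
rm -f "$sample"
```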

Beeline Home Internet to Limit Upload Rate

On 24 April Beeline Ukraine / Home Internet introduced new rates, this time with a strange limit on the unlimited plans.

You are limited to 1Mbps upload while download may vary from 1Mbit to 10Mbit. There are no more 100Mbit plans; you can order a burst up to 100Mbps for 20₴ a day (aka “Turbo”). This is completely different from the previous rates, where upload/download shaping was symmetric and there were 25Mbps and 100Mbps plans.

During the first month I had been testing their PPTP connection in order to find out what my router can do, and I was always puzzled that I got 3Mbit download with 5Mbit upload in many directions. Not going to be puzzled anymore :)

It does look like Japanese NTT limiting upload to 30GB per day, but in their case there is no mandatory limit: violators are contacted personally and investigated case by case. In our case you are limited no matter what you do.

The funniest thing is that the first thing many of us imagine now is that… torrent ratings will fall. Not that uploading a video to YouTube (the one you made and hold the copyright to) will take much longer. It’s all about the torrents, and many of them are illegally downloaded/captured copies of software and audio-visual material. Sad but true.

OpenWRT L2TP Client

Yep, PPTP is no longer an issue since we have L2TP access node.

And Linksys WRT54GL running the stock firmware is such a dull device… no remote management, no DHCP lease info when running behind a pptp/l2tp connection, port forwarding done only for wan (not the underlying eth0.1)…

So I hacked up an ifup script for rp-l2tp to bring everything up.

Compiled ppp_synctty.o (can be selected in Kernel Modules / Network Support)

Compiled n_hdlc.o module (not in stock openwrt build):

Update: You can enable the module via make kernel_menuconfig

Index: package/kernel/modules/other.mk
===================================================================
--- package/kernel/modules/other.mk (revision 15274)
+++ package/kernel/modules/other.mk (working copy)
@@ -822,3 +822,18 @@

$(eval $(call KernelPackage,rfkill))

+define KernelPackage/hdlc
+  SUBMENU:=$(OTHER_MENU)
+  TITLE:=HDLC line discipline support
+  KCONFIG:= \
+   CONFIG_N_HDLC=m \
+   CONFIG_SERIAL_NONSTANDARD=y
+  FILES:=$(LINUX_DIR)/drivers/char/n_hdlc.$(LINUX_KMOD_SUFFIX)
+  AUTOLOAD:=$(call AutoLoad,20,hdlc)
+endef
+
+define KernelPackage/hdlc/description
+ Kernel module for HDLC line discipline support
+endef
+
+$(eval $(call KernelPackage,hdlc))
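Review bot: the AUTOLOAD entry in this hunk names the module `hdlc`, but the FILES line ships `n_hdlc.$(LINUX_KMOD_SUFFIX)`, so `$(call AutoLoad,20,hdlc)` writes a modules.d entry for a module that does not exist and the line discipline will not be loaded at boot; use `AUTOLOAD:=$(call AutoLoad,20,n_hdlc)` (the package name can stay `hdlc`). A comment next to `CONFIG_SERIAL_NONSTANDARD=y` would also help, since that symbol is what triggers the interactive kernel-config questions mentioned below and the answers belong in the default kernel .config.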

Warning – run make with V=99, since it will ask (yes, literally ask) whether to include other non-standard port support. I guess we can live with this for a one-time recompile, though for proper operation the default kernel .config should be modified.

Modified /etc/ppp/options to contain:

replacedefaultroute
defaultroute
usepeerdns
mtu 1460
default-asyncmap
nopcomp
noaccomp
noccp
novj
nobsdcomp
nodeflate
lcp-echo-interval 0
lock
noauth

persist will not work, since it is l2tpd that controls pppd, not vice versa: pppd cannot renegotiate the l2tpd link, so you will get a stuck pppd process constantly trying to reopen the pty.

and added the following config to /etc/config/network:

config interface  internet
    option proto l2tp
    option username "***@internet.beeline.ua"
    option password "***"
    option server   10.0.0.9
    option ifname   "ppp0"
    option parent   wan

Huh, interested in the parent option? See OpenWRT Ticket#1430.

Create a symlink from /etc/l2tp.conf to /tmp/l2tp.conf and enjoy the l2tp connection.

And BTW – it all runs on “Linux OpenWrt 2.4.35.4 #3 Sun Apr 19 23:31:02 EEST 2009 mips unknown” since b43 support in 2.6 is not yet stable for production use :(

Fixed banners, killed IE


Sometimes I want to do something to prevent users from using Internet Explorer. We are having constant problems with its scripting, CSS and rendering capabilities when it comes to real-world UI.

We started using an internal banner system on intranet pages the other day to catch the attention of the whole staff for important changes/releases/events. And, because the ad server may not be accessible 24/7, it was necessary to modify the page to postpone the banner display until the whole page is displayed. IE failed the job miserably, crashing in MSHTML.DLL. Feel free to use this “crashie” on your web site.

crashie.html:

<html>
    <head>
        <title>Crash IE here</title>
    </head>
    <body>
        This page will crash IE6 and IE 7
        <div id="crasher"></div>
        <script type="text/javascript">
            var crasher = document.getElementById('crasher');
            var script = document.createElement('script');
            script.type="text/javascript";
            script.src = "/crashie.js";
            crasher._preparedNode = script;
            function crashIe() {
                var crasher = document.getElementById('crasher');
                crasher.appendChild(crasher._preparedNode);
            }
            setTimeout('crashIe()', 1000);
        </script>
    </body>
</html>

crashie.js:

var crasher1 = document.getElementById("crasher");
crasher1.innerHTML = "<a href='http://myrtg.blogspot.com'>myrtg.blogspot.com</a>";

This is not yet used on this site though :) Another approach is used here: www.crashie.com, where the DOM is modified even before it is ready. If you think this code can be made more compact, keep in mind that it was aimed at solving a real-world problem and instead created one, so I left it almost unmodified. You may test it from my home webserver; please note that it may not be online 24/7 as it is hosted on my laptop.

OpenWRT PPTP Client – Part 3

Here are the first and the second parts.

Update: Since I promised the build instructions in Part 2, here they are – AccelPPTP On OpenWRT. Not in opkg form but works for me.

First of all, there’s a typo in the pptp.sh script living in /lib/network/; this is why it is not possible to use pptp configured from the LuCI web interface. I have updated the OpenWRT FAQ with the findings and created a ticket containing the patch.

OK, I rebuilt the pptp module, patched the startup scripts not to use pptpclient, and now wan is started in the proper way, i.e. dhcp on eth0.1, then udhcpc quits leaving the routes and DNS configured, and pppd is started afterwards.

Here’s the problem with this setup. It is perfect if you are not going to use the intranet resources. Beeline Internet has one “official” resource, which is at 10.1.0.3. It is not possible to access the configuration of the underlying eth0.1 device, both for routing and firewalling (via uci, of course; it can be done manually without any problems :).

So it means that I am going back to first configuring the wan interface and then pptp over that. The problem is that I cannot instruct udhcpc NOT to add a default route if there is one set in the configuration; I have to patch, patch and patch the scripts :)

Update: You may want to drop the default pptp support in OpenWRT and rely on interface “triggering” mentioned here.

OpenWRT PPTP Client – Part 2

Looks impressive:

http://www.speedtest.net/result/426526870.png

The default kernel found in Kamikaze 8.09 downloaded from the OpenWRT web site panics when the kernel accel-pptp is used. I cannot provide the output of the Oops message ’cause I have no serial connection to the router (and I don’t want to add one, since then I would need a serial-to-USB connector as well).

So I went further and used trunk (at revision 14823), built the image, flashed the router, found that it was far from dead and tried…

root@gate:~# pppd plugin /tmp/pptp.so.0.0.0 pptp_server 10.0.0.3 nodetach \
             debug user ******@internet.beeline.ua password ***

No output, but no crash. Ok, logging in for another session…

root@gate:~# ifconfig ppp0
ppp0      Link encap:Point-to-Point Protocol
          inet addr:94.27.114.118  P-t-P:94.27.127.24  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:10451 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8618 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:12413021 (11.8 MiB)  TX bytes:4034292 (3.8 MiB)

With no error messages in dmesg.

I will test this setup for an evening or two and the third part will be about how to package it the right way.

Here’s the third part.

OpenWRT PPTP Client – Part 1

We have moved to yet another apartment and decided not to use O3 (o3.kiev.ua), whose cable was already available to connect to. UA-IX up to 100Mbit is nice, but I could see the traffic from/to a whole bunch of users in the building (on the ethernet, right…), I am not the owner of the contract and cannot re-sign up w/o paying 300₴ upfront to be eligible for the 1₴ one-time fee, and it took me a trip to their office to top up the account… Haven’t yet got rid of the cable completely though.

I decided to give Beeline Internet (former Golden Telecom, former Sovam Teleport) a try and upon physical connection I returned to the configuration of my WRT54GL router.

The setup is quite easy:

/etc/config/network:

...
config 'interface' 'wan'
option 'ifname' 'eth0.1'
option 'peerdns' '1'
option 'defaultroute' '1'
option 'proto' 'dhcp'

config 'interface' 'beeline'
option 'proto' 'pptp'
option 'ifname' 'ppp0'
option 'server' 'vpn.beeline.ua'
option 'username' '*****@internet.beeline.ua'
option 'password' '*****'
option 'auto' '1'

config 'route'
option 'interface' 'wan'
option 'target' '10.0.0.0'
option 'netmask' '255.0.0.0'
# gw may be different. check what DHCP gives you on wan
option 'gateway' '10.22.12.1'
...

I was not able to make the interface start at boot via the regular network config, so I created an rc script with a simple ifup beeline and ifdown beeline in it.

You may need an additional route to the VPN server so that your default route will not create a loop. On Kamikaze 8.09 this appears not to be needed, though. The route for 10.0.0.0 is required to access internal network resources.
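An added helper for the loop caveat above, not part of the post: given an `ip route`-style table and the VPN server address, it works out which device the server would be reached through and flags the case where that is the PPTP interface itself. The server address 192.0.2.10 and the table lines are constructed; the gateway 10.22.12.1 is the one from the config above.

```shell
#!/bin/sh
# Added example: longest-prefix lookup over an "ip route"-style table in awk,
# used to detect the PPTP routing loop described above before the tunnel comes
# up. $1 = destination IPv4 address, $2 = routing table text (one route per line).
route_dev() {
    printf '%s\n' "$2" | awk -v dst="$1" '
        function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
        # prefix length when dst falls inside pfx, -1 otherwise; "default" is /0
        function plen(pfx,  p, n, bits, div) {
            if (pfx == "default") return 0
            n = split(pfx, p, "/"); bits = (n == 2) ? p[2] + 0 : 32
            if (bits == 0) return 0
            div = 2 ^ (32 - bits)
            return (int(ip2n(p[1]) / div) == int(ip2n(dst) / div)) ? bits : -1
        }
        BEGIN { best = -1 }
        NF > 0 {
            dev = ""
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            l = plen($1)
            if (l > best) { best = l; bestdev = dev }
        }
        END { print bestdev }'
}

# Exit 1 (loop) when the VPN server would be reached through the PPP interface
# the tunnel itself creates, which happens once pppd replaces the default route
# and no host route for the server exists on the wan side.
pptp_loop_check() {  # $1 = vpn server ip, $2 = ppp ifname, $3 = routing table
    dev=$(route_dev "$1" "$3")
    if [ "$dev" = "$2" ]; then
        echo "loop: $1 routed via $2; add: ip route add $1/32 via <wan gateway> dev eth0.1"
        return 1
    fi
    echo "ok: $1 routed via ${dev:-<no route>}"
}

# Constructed table as it looks after pppd has replaced the default route
# (192.0.2.10 is a placeholder for the VPN server, gateway taken from the config).
table='default dev ppp0
10.0.0.0/8 via 10.22.12.1 dev eth0.1
10.22.12.0/24 dev eth0.1'
pptp_loop_check 192.0.2.10 ppp0 "$table" || true
pptp_loop_check 10.0.0.3 ppp0 "$table"
```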

I signed up for a 5Mbit internet connection service, configured the router and got… 1 Mbit with some spikes down to 200Kbit. WTF?

WRT54GL. This unit features a CPU that is (by default) running @ 200MHz. It is possible to make it run @ 250MHz, but it does not help. The reason is how pptp handles the networking traffic: the CPU just can’t cope with the amount of work required to copy the frames to/from userspace. When the cable is hooked up to the PC I get 5Mbit. So?

The first step was to search for alternative pptp implementations for Linux. There aren’t many, since pptpclient does a perfect job of being (as the name implies) a PPTP client. An embedded device with limited CPU power and memory is not a good candidate for being a PPTP client with the current implementation, YMMV though.

But it turns out that this issue is already being addressed: the Accel-PPTP project provides a kernel-level pptp module running on top of the PPPoX architecture, a modified userspace PPTP daemon (a separate client is no longer needed) and a plugin for pppd that utilizes the kernel module. ACCEL-PPTP uses the kernel module to increase performance and decrease system usage.

The module works on kernel 2.6, so the first step was to upgrade the router to the 2.6-based OpenWRT Kamikaze 8.09. I can confirm that the Wi-Fi AP is working (fine for some period; running /sbin/wifi restarts it on the router and it works again) and PPTP is slightly faster – I could get up to 2Mbit with the 2.6 kernel. A good start, isn’t it :) ?

I was not able to find any precompiled module so I will try to make one myself and report the results here.

Here’s the second part.

First Vala Steps

Network connectivity exists, at 2Kb/s or even worse.

Still, I have plenty of time to try a new GObject-based language called Vala. Its syntax is heavily C#-based (to make developers switch from the evil managed memory hog Mono, I guess).

So I tried it. And I liked it.

Here’s my list of puzzle answers:

Properties

Vala’s properties are not entirely C#-like: you cannot write getters/setters that do their computation through the name of the property itself, because that name refers to the accessor, not to a backing field. Consider the following example:

namespace Test {
    class Property {

        public int temperature {
            get {
                return temperature;
            }
            set {
                this.temperature = value;
            }
        }

        public int run() {
            temperature = 50;
            stdout.printf("temperature: %d\n", temperature);
            return 0;
        }

        public static int main() {
            var app = new Property();
            return app.run();
        }
    }
}

It will compile fine, but when started,

Segmentation fault

This happens because the generated C code recurses without end: the getter calls itself until the stack overflows:

 static gint test_property_run (TestProperty* self) {
         g_return_val_if_fail (self != NULL, 0);
         test_property_set_temperature (self, 50);
         fprintf (stdout, "temperature: %d\n", test_property_get_temperature (self));
         return 0;
 }
 ...
 static gint test_property_get_temperature (TestProperty* self) {
         g_return_val_if_fail (self != NULL, 0);
        return test_property_get_temperature (self);
 }

HashTable

Another strange segfault I was getting in the following code:

namespace HashTableTest {
    class Application {

        public static int main(string[] args) {
            HashTable<int, int> ht =  new HashTable<int, int>(
                    int_hash,
                    int_equal
            );

            int key = 100;
            int h_value = 256;

            ht.insert(key, h_value);

            stdout.printf("Value: %d\n", ht.lookup(key));

            return 0;
        }
    }
}

Looks nice, but it will not work. If you examine the generated code, you will find that the key is passed to g_hash_table_insert through GINT_TO_POINTER(). GINT_TO_POINTER(int) is actually a #define to (gpointer)(int), with gpointer a #define for void *, so the key arrives as the pointer (void *)100 and the hash function dereferences it as *(void *)100. Not good.

The reason is that GHashTable only supports pointer-based keys and values, so you have to use a boxed GValue... In our case the key needs to be a reference type. The quick and correct solution is to modify the constructor as follows (the hash and equality functions stay the same):

HashTable<int?, Value> ht = new HashTable<int?, Value>(int_hash, int_equal);

Actually, a value type of int? should be OK too, but the resulting C code does not compile; a value type of plain int will work, but it is incorrect from a data-integrity perspective.

Intrepid Ibex

I have spent enough time with Ubuntu 8.10 release to share thoughts about it.

So first of all, “wow”.

I have been using the alpha6 version in KVM and later updated my 8.04 LTS installation to the Intrepid Ibex beta, got immediately affected by the uvesafb issue (fixed by reverting to vesafb), broken IPP/HTTP printing support and a strange Evolution folder upgrade (got a duplicate of each message present on the corporate IMAP server).

Ah, and I finally learned about _FORTIFY_SOURCE.

The only thing I can recall now is that when pulseaudio is running the sound from Adobe Flash objects gets lost (which is not that critical for me); everything else looks too good to be true.

Well, do not mount any drives during the livecd session before installation – the installer does not like this and tries to convince you that your hard drive is missing; simply umount the mounted filesystems.

If you want a widescreen usplash, adjust your framebuffer resolution by setting one of the modes listed in hwinfo --framebuffer output.

If you want support for new Atheros Wi-Fi cards w/o recompiling the driver manually each time the kernel upgrades, follow the instructions from the previous post…

Looks like everything else is great.

Ah, yes, sometimes when you switch from the X terminal to vt1-7 you get switched back to the X terminal immediately.

Ubuntu gets better and better, makes people lazier and lazier :)