Apr 15, 2014
 

The Netherlands Is Experimenting With Glow-In-The-Dark Road Markings

According to the BBC, the Netherlands has come up with a brilliant way to save money and energy on road lighting: glow-in-the-dark paint. A trial of glow-in-the-dark road markings has been unveiled on a small stretch of highway (the N329 in Oss) in the Netherlands.

The paint contains a “photo-luminising” powder that charges up in the daytime and releases a green glow at night, doing away with the need for streetlights. Once the paint has absorbed daylight it can glow for up to eight hours in the dark.

Interactive artist Daan Roosegaarde teamed up with Dutch civil engineering firm Heijmans to work on the idea.
The technology is being tested with an official launch due later this month.

[Image: glow-in-the-dark road markings. Credit: Studio Roosegaarde]

I think anything which can help improve road safety while saving energy is a must.
They are also working on temperature-sensitive paint which can show weather symbols on the road once the temperature reaches a certain level, but this is not included in the current trial.

[Image: glow-in-the-dark road markings showing weather symbols. Credit: Studio Roosegaarde]


Apr 14, 2014
 

In this blog I’ll try and explain what IPv6 is and how I set up the server to use it.

What is IPv6? IPv6 is pretty much the same as IPv4, which is what is primarily used on the internet today. The big difference is the size of the address: IPv6 addresses are 128 bits long versus 32 bits for IPv4. IPv6 also uses hex to express addresses, whereas IPv4 only uses numeric values, so you will see the digits 0-9 and the letters A-F in an IPv6 address.

Why do we need IPv6? Simply put, we are running out of IPv4 addresses. There are roughly 4.2 billion (4,294,967,296 to be precise) unique IPv4 addresses, whereas IPv6 has 340,282,366,920,938,463,463,374,607,431,768,211,456 unique addresses; I’ll let you work out how many that is.

So what do IPv6 addresses look like? An IPv6 address looks like this: 2001:0470:1f09:0d2b:0000:0000:0000:0300. IPv6 addresses can be shortened by removing the leading zeros from each group, so this address would become 2001:470:1f09:d2b::300. The :: is used to shorten IPv6 addresses further: it means that the space in between is filled with zeros, and it can only be used once in an address.

When using IPv6 the minimum allocation you are given is a /64, which gives you 18,446,744,073,709,551,616 unique IPv6 addresses; that’s way more than enough for the average person, but some places will allow you to request a /48, which gives you 1,208,925,819,614,629,174,706,176 unique IPv6 addresses. Now compare that to the single IPv4 address most people get given.

Now onto setting up the server to use IPv6. As one of my server providers doesn’t offer native IPv6 yet, I have to use a tunnel service. You can find a few different providers, but I chose the Hurricane Electric IPv6 Tunnel Broker as I had heard good things about their support and their tunnel server is located very close to my server (an average of 1-2 ms away).

So first off, sign up for an account (it’s free). Time to create our first tunnel: click on “Create Regular Tunnel” and it should automatically select the closest tunnel server to use (you can override this if need be). Now just input the IPv4 address where the tunnel will finish, e.g. 192.168.0.200 (make sure it’s the server’s public IPv4 address), then click “submit”. It will then create the tunnel and show you all the info you will need to set up on the server; at the bottom of the page there is a drop-down box where you can get the config info for different operating systems.

As I want it to connect to the tunnel server automatically after reboots, I need to manually add it to the config file (this is for CentOS 6.x).

Create or edit “/etc/sysconfig/network-scripts/ifcfg-sit1”

NAME=""
BOOTPROTO=none
IPV6TUNNELIPV4=216.66.80.26
IPV6INIT=yes
DEVICE=sit1
MTU=""
NETMASK=""
IPV6TUNNELIPV4LOCAL="192.168.0.200"
BROADCAST=""
IPV6ADDR="2001:470:1f08:d2b::2/64"
IPADDR=""
NETWORK=""
ONBOOT=yes

Obviously change “IPV6TUNNELIPV4” to the IP of the tunnel server, change “IPV6TUNNELIPV4LOCAL” to your server’s IPv4 address and change “IPV6ADDR” to the “Client IPv6 address”; you will find all the info on the details page of your tunnel.

Then I added the following to “/etc/sysconfig/network-scripts/ifcfg-eth0”

IPV6INIT=yes
IPV6ADDR=2001:470:1f09:d2b::300/64
IPV6ADDR_SECONDARIES="2001:470:1f09:d2b::220/64 2001:470:1f09:d2b::200/64"

The “IPV6ADDR” is the main IPv6 address for the network adapter and “IPV6ADDR_SECONDARIES” is used to specify any extra addresses you want to use on the same server. If, like me, you’re using Webmin/Virtualmin, it will automatically add new IPv6 addresses to “IPV6ADDR_SECONDARIES” when you create them.

UPDATE – When I set up my new server I had to edit “/etc/sysconfig/network” and add the following

IPV6_DEFAULTDEV=sit1
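As an added example that is not part of the original post, the following Python script parses the two ifcfg files and the network file shown above (rebuilt here from the post’s own values, so the file contents are constructed, not the author’s real files) and sanity-checks them before you reboot: both tunnel endpoints must be IPv4 addresses, the local endpoint must not be an RFC 1918 address (the post’s 192.168.0.200 stands in for the public address, so the check flags it), each IPV6ADDR needs a prefix length, every secondary address on eth0 must fall inside the /64 of its primary address, and the boot flags and IPV6_DEFAULTDEV must be set. Function names and the 203.0.113.10 placeholder are mine.

```python
import ipaddress

# Constructed sample files built from the values shown in the post; they are
# not copies of the author's real configuration.
IFCFG_SIT1 = """\
NAME=""
BOOTPROTO=none
IPV6TUNNELIPV4=216.66.80.26
IPV6INIT=yes
DEVICE=sit1
IPV6TUNNELIPV4LOCAL="192.168.0.200"
IPV6ADDR="2001:470:1f08:d2b::2/64"
ONBOOT=yes
"""

IFCFG_ETH0 = """\
DEVICE=eth0
ONBOOT=yes
IPV6INIT=yes
IPV6ADDR=2001:470:1f09:d2b::300/64
IPV6ADDR_SECONDARIES="2001:470:1f09:d2b::220/64 2001:470:1f09:d2b::200/64"
"""

NETWORK = """\
NETWORKING=yes
IPV6_DEFAULTDEV=sit1
"""

# A 6in4 tunnel cannot terminate on a NATed address unless something in front
# of the server forwards IP protocol 41, so the local endpoint must be public.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ifcfg(text):
    """Parse KEY=VALUE lines as used by the CentOS 6 ifcfg-* files.
    Double quotes around values are stripped; blank and comment lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def check_tunnel_config(sit1, eth0, network):
    """Return a list of human-readable problems (an empty list means the files look sane)."""
    problems = []
    for key in ("IPV6TUNNELIPV4", "IPV6TUNNELIPV4LOCAL"):
        try:
            ip = ipaddress.IPv4Address(sit1.get(key, ""))
        except ValueError:
            problems.append(f"{key} is missing or not a valid IPv4 address")
            continue
        if key == "IPV6TUNNELIPV4LOCAL" and any(ip in net for net in RFC1918):
            problems.append(f"{key} {ip} is an RFC 1918 private address; use the server's public IPv4 address")
    try:
        ipaddress.IPv6Interface(sit1.get("IPV6ADDR", ""))
    except ValueError:
        problems.append("ifcfg-sit1: IPV6ADDR is missing or malformed")
    primary = None
    try:
        primary = ipaddress.IPv6Interface(eth0.get("IPV6ADDR", ""))
    except ValueError:
        problems.append("ifcfg-eth0: IPV6ADDR is missing or malformed")
    # Every secondary address must live in the same /64 as the primary one.
    for sec in eth0.get("IPV6ADDR_SECONDARIES", "").split():
        try:
            sec_ip = ipaddress.IPv6Interface(sec).ip
        except ValueError:
            problems.append(f"ifcfg-eth0: secondary {sec} is malformed")
            continue
        if primary is not None and sec_ip not in primary.network:
            problems.append(f"ifcfg-eth0: secondary {sec} is outside {primary.network}")
    # Boot-time flags the post relies on.
    for key in ("IPV6INIT", "ONBOOT"):
        if sit1.get(key) != "yes":
            problems.append(f"ifcfg-sit1: {key} should be yes so the tunnel comes up at boot")
    if eth0.get("IPV6INIT") != "yes":
        problems.append("ifcfg-eth0: IPV6INIT should be yes")
    if network.get("IPV6_DEFAULTDEV") != sit1.get("DEVICE", "sit1"):
        problems.append("/etc/sysconfig/network: IPV6_DEFAULTDEV should name the tunnel device")
    return problems


if __name__ == "__main__":
    for p in check_tunnel_config(parse_ifcfg(IFCFG_SIT1), parse_ifcfg(IFCFG_ETH0), parse_ifcfg(NETWORK)):
        print("PROBLEM:", p)
```

Run against the post’s values it prints exactly one problem, the private local endpoint, which is the mistake the post warns about in words; on a real server you would read the three files from /etc/sysconfig instead of the constructed strings.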

You could also set up the server to act as a router and give other devices on your network IPv6 addresses, but I don’t need that here (though I have done it at home); just use Google to find the extra info you need to add for it to act as a router.

Your server should now be accessible over IPv6. Test by pinging a few different IPv6-enabled sites, and then remember to set up your firewall. Here’s a link to a quick example, IPv6 Firewall For Linux; Google also has loads of others.


Apr 13, 2014
 

As you should know by now, CentOS uses Yum to install and update packages, but sometimes you need packages that are not available as standard. One way to get these packages is to use 3rd party repositories, which is what I do.

A note on CentOS packages
“As with all packages in CentOS, the version numbers of released software will not change over the life time of a CentOS product, i.e. CentOS 5.0 contained PHP 5.1.6 and that is the point version PHP will stay at for the life time of CentOS 5. Security patches and bug fixes are back-ported into the shipped version. See here for details: Backporting Security Fixes”

You can get a list of 3rd party repositories here.
I mainly use the following extra repositories: the Remi Collet Repository, which also requires Extra Packages for Enterprise Linux (EPEL).

If you are considering using a 3rd Party Repository, then you should seriously consider how to prevent unintended ‘updates’ from these side archives from over-writing some core part of CentOS. One approach is to only enable these archives from time to time, and generally leave them disabled.

The Remi repository has a page detailing how to set up and use their repository.
Scroll down the page until you find “Enterprise Linux 6 (with EPEL)” and follow the instructions.
Here’s the quick version, but check for updates:

wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

This will install both repositories (remi and epel). The repositories are not enabled when installed (enabled=0). You need to enable them when you need them, for example
yum --enablerepo=remi install php*
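As an added example (not from the original post or from the Remi/EPEL projects), here is a small Python audit of .repo files that makes the “leave them disabled” advice checkable: it reports any repository that is enabled by default (so every plain yum update pulls from it), that has gpgcheck off or unset, or that verifies signatures without a configured key. The sample .repo text is constructed for the example and only mimics the layout of the real files under /etc/yum.repos.d; the third section is deliberately misconfigured.

```python
import configparser

# Constructed sample modelled on the layout of a .repo file. It is not a copy of
# the real remi.repo or epel.repo; the hostnames are placeholders and the third
# section shows what a risky definition looks like.
SAMPLE_REPOS = """\
[remi]
name=Remi's RPM repository for Enterprise Linux 6 - $basearch
baseurl=http://repo.example.invalid/remi/6/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi

[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
baseurl=http://repo.example.invalid/epel/6/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6

[some-mirror]
name=Constructed example of a risky definition
baseurl=http://mirror.example.invalid/el6/$basearch/
enabled=1
gpgcheck=0
"""


def audit_repos(text):
    """Return {repo_name: [finding, ...]} for each section of a .repo file.

    Findings (an empty list means nothing to report):
      enabled        - enabled=1 (or no enabled line, which yum treats as enabled),
                       so every plain 'yum update' consults this repository
      gpgcheck-off   - gpgcheck=0, package signatures are not verified
      gpgcheck-unset - no gpgcheck line, behaviour depends on yum.conf
      no-gpgkey      - gpgcheck=1 but no key configured to check against
    """
    cp = configparser.ConfigParser(interpolation=None)  # $basearch is not a config variable
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        findings = []
        if cp.get(repo, "enabled", fallback="1").strip() == "1":
            findings.append("enabled")
        gpgcheck = cp.get(repo, "gpgcheck", fallback=None)
        if gpgcheck is None:
            findings.append("gpgcheck-unset")
        elif gpgcheck.strip() != "1":
            findings.append("gpgcheck-off")
        elif not cp.get(repo, "gpgkey", fallback="").strip():
            findings.append("no-gpgkey")
        report[repo] = findings
    return report


def repos_consulted(report, enablerepo=()):
    """Names yum would use for a transaction: repos enabled in the file plus
    any passed with --enablerepo on the command line."""
    enabled = {repo for repo, findings in report.items() if "enabled" in findings}
    return sorted(enabled | set(enablerepo))


if __name__ == "__main__":
    report = audit_repos(SAMPLE_REPOS)
    for repo, findings in report.items():
        print(f"{repo:14} {', '.join(findings) or 'ok'}")
    print("plain 'yum update' would consult:", repos_consulted(report))
    print("'yum --enablerepo=remi' would consult:", repos_consulted(report, ["remi"]))
```

On a real box, point `audit_repos` at the contents of each file in /etc/yum.repos.d; anything listed as “enabled” is what a routine update can silently pull packages from, which is exactly the core-overwrite risk the note above describes.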

One last note: always test everything (preferably not on a live production machine) and ensure you have a backup when using 3rd party packages, as sometimes a simple update can have very bad side effects.


Apr 11, 2014
 

Up until now I have been manually blocking IPs that attack my server, but by the time I see them the attacks have normally finished. After the last big attack on my email server (some 35,000 attempts) I decided to find a way to automate the blocking. After a bit of research I decided to set up Fail2ban, and here’s how I did it.

As I use a 3rd party repository (EPEL) I can just use yum to install it

yum install fail2ban

Once installed I just needed to change the configuration to my liking; the config files can be found at “/etc/fail2ban”.

First I edit “/etc/fail2ban/fail2ban.conf” and ensure the “logtarget” is set correctly

logtarget = /var/log/fail2ban.log

The default behaviour of fail2ban is configured in the file “/etc/fail2ban/jail.conf”. There’s a [DEFAULT] section that applies to all other sections unless the default options are overridden in the other sections.

I explain some of the configuration here:

ignoreip: This is a space-separated list of IP addresses that cannot be blocked by fail2ban.
bantime: Time in seconds that a host is blocked if it was caught by fail2ban (600 seconds = 10 minutes).
maxretry: Max. number of failed login attempts before a host is blocked by fail2ban.
filter: Refers to the appropriate filter file in “/etc/fail2ban/filter.d”.
logpath: The log file that fail2ban checks for failed login attempts.

So I edit “/etc/fail2ban/jail.conf” and add my IP to “ignoreip”.
Then I just need to configure the jails I want to use; here’s my ssh jail

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables-multiport[name=SSH, port="ssh,4564"]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@server.com]
logpath  = /var/log/secure
maxretry = 3

Don’t forget to change the port to whatever port your ssh runs on (the port list is comma-separated with no spaces), and also set the “sender” and “dest” to your email.

I use a couple of other jails/filters, which I’ll show you how I configured, but first I’ll show you how to start it and check it’s running.

Start fail2ban

/etc/init.d/fail2ban start

Now check “/var/log/fail2ban.log” and make sure there are no errors.
You can also check that the rules are in iptables

iptables -L 

Now, as I said, I use a couple of custom filters; here’s how I did them.
Create the filter file “/etc/fail2ban/filter.d/dovecot-pop3imap.conf” and add

[Definition]
failregex = (?: dovecot: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login).*rip=(<HOST>),.*
ignoreregex =

Note: the failregex may need changing to suit your system.

Now add the following to “/etc/fail2ban/jail.conf”

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="110,143,995,993,25,465,587"]
    sendmail-whois[name=dovecot-pop3imap, dest=root, sender=fail2ban@server.com]
logpath = /var/log/maillog
maxretry = 5
findtime = 600
bantime = 3600
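To see what the filter above actually matches, and when the jail’s maxretry and findtime settings would fire, here is an added Python example (not part of the original post, and not fail2ban’s own code). It expands <HOST> roughly the way fail2ban does before compiling the failregex (the exact pattern varies between fail2ban versions), runs the dovecot failregex over a few constructed maillog lines, and replays fail2ban’s counting for the jail settings. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban substitutes <HOST> with a named group before compiling the failregex.
# This is an approximation of that expansion; the exact pattern varies by version.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the dovecot-pop3imap filter file above.
DOVECOT_FAILREGEX = (
    r"(?: dovecot: pop3-login|imap-login): "
    r"(?:Authentication failure|Aborted login \(auth failed|Aborted login).*rip=(<HOST>),.*"
)

# Constructed maillog lines (syslog format; the year is not logged, 2014 is assumed).
# Line 3 is a successful login and must not count as a failure.
SAMPLE_MAILLOG = """\
Apr 11 10:00:01 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.168.0.200
Apr 11 10:00:03 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.168.0.200
Apr 11 10:00:04 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.168.0.200
Apr 11 10:00:06 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.168.0.200
Apr 11 10:00:08 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=203.0.113.5, lip=192.168.0.200
Apr 11 10:00:09 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=198.51.100.7, lip=192.168.0.200
Apr 11 10:00:11 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.168.0.200
Apr 11 10:25:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.168.0.200
"""


def compile_failregex(pattern):
    """Expand <HOST> and compile, as fail2ban does when loading a filter."""
    return re.compile(pattern.replace("<HOST>", HOST))


def parse_syslog_time(line, year=2014):
    """Syslog timestamps ('Apr 11 10:00:01') carry no year; one is assumed."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def extract_failures(lines, regex):
    """Return [(timestamp, host), ...] for every line the failregex matches."""
    failures = []
    for line in lines:
        m = regex.search(line)
        if m:
            failures.append((parse_syslog_time(line), m.group("host")))
    return failures


def simulate_bans(lines, regex, maxretry, findtime):
    """Replay fail2ban's counting: a host is banned the moment it has maxretry
    matches within the last findtime seconds. Returns {host: ban_time}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}
    for ts, host in extract_failures(lines, regex):
        if host in banned:
            continue  # a banned host's packets are dropped, so it logs nothing new
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # forget failures older than findtime
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    rx = compile_failregex(DOVECOT_FAILREGEX)
    lines = SAMPLE_MAILLOG.splitlines()
    for ts, host in extract_failures(lines, rx):
        print(ts.time(), host)
    print("jail settings (maxretry=5, findtime=600):", simulate_bans(lines, rx, 5, 600))
    print("stricter (maxretry=2, findtime=3600):", simulate_bans(lines, rx, 2, 3600))
```

With the jail’s own settings only 203.0.113.5 is banned, on its fifth failure; 198.51.100.7 fails twice but 25 minutes apart, so it only reaches a ban if findtime is widened. On a real system, fail2ban ships `fail2ban-regex`, which runs a filter file against a log and reports the matches per line, e.g. `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-pop3imap.conf`.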

Then just restart fail2ban

/etc/init.d/fail2ban restart

You can create all sorts of custom jails/filters; just Google for other ideas.


Apr 10, 2014
 

Now that I have a basic server running I want to set up Munin so I can monitor the server. Munin is a networked resource monitoring tool that can help analyse resource trends and “what just happened to kill our performance?” problems. It is designed to be plug and play. A default installation provides a lot of graphs with almost no work.

Depending on what repositories you use (I mainly use remi and el6) you may be able to use yum to install it.

yum install munin-node munin

If not, grab the source and follow the instructions here.

Once installed you need to change a few settings to your liking; the config files are found in “/etc/munin”. Munin has a master/node architecture in which the master connects to all the nodes at regular intervals and asks them for data; this is very useful when you have more than one server.

OK, the basic settings needed to set up the master: edit “/etc/munin/munin.conf”

# The next three variables specifies where the location of the RRD
# databases, the HTML output, and the logs, severally.  They all
# must be writable by the user running munin-cron.
dbdir  /var/lib/munin  #RRD databases
htmldir  /var/www/munin  #HTML output (change to whatever your website uses)
logdir  /var/log/munin  #log files
rundir  /var/run/munin

# Where to look for the HTML templates
tmpldir  /etc/munin/templates

# a simple host tree
[localhost]
    address 127.0.0.1
    use_node_name yes

Now the basic settings for the node: edit “/etc/munin/munin-node.conf”

log_level 4
log_file /var/log/munin/munin-node.log
pid_file /var/run/munin/munin-node.pid
background 1
setseid 1

user root
group root
setsid yes

# Regexps for files to ignore
ignore_file ~$
ignore_file \.bak$
ignore_file %$
ignore_file \.dpkg-(tmp|new|old|dist)$
ignore_file \.rpm(save|new)$
ignore_file \.pod$

# A list of addresses that are allowed to connect.  This must be a
# regular expression, due to brain damage in Net::Server, which
# doesn't understand CIDR-style network notation.  You may repeat
# the allow line as many times as you'd like
allow ^127\.0\.0\.1$
allow ^192\.168\.0\.200$

# Which address to bind to;
host *
# And which port
port 4949

Now restart munin-node so it can use the changes you made
/etc/init.d/munin-node restart
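As an added example (not from the original post or from the Munin project), here is a toy reproduction in Python of the master/node exchange described above and of the allow check in munin-node.conf: a minimal node that answers the list, config and fetch commands on a localhost port, a master-side client that fetches one plugin’s values, and the allow-line regex check using the two patterns from the config above. The plugin output and the client address in the refused case are constructed; only the command names, the greeting line and the “.” reply terminator follow the real protocol, and the function names are mine.

```python
import re
import socket
import threading

# 'allow' lines from munin-node.conf are regular expressions matched against the
# connecting address; these are the two lines from the config above.
ALLOW = [r"^127\.0\.0\.1$", r"^192\.168\.0\.200$"]

# Constructed stand-ins for two plugins' 'config' and 'fetch' output.
PLUGINS = {
    "load": {"config": ["graph_title Load average", "load.label load"],
             "fetch": ["load.value 0.42"]},
    "uptime": {"config": ["graph_title Uptime", "uptime.label uptime"],
               "fetch": ["uptime.value 12.5"]},
}


def is_allowed(peer_ip, allow=ALLOW):
    """True if the peer address matches any allow regex. It is a plain search,
    which is why the ^ and $ anchors in the config matter."""
    return any(re.search(pattern, peer_ip) for pattern in allow)


def serve_node(conn, peer_ip, hostname="localhost"):
    """Minimal node side of the munin protocol: greeting, then line commands."""
    if not is_allowed(peer_ip):
        conn.close()  # the real munin-node logs the attempt and drops the connection
        return
    rf, wf = conn.makefile("r"), conn.makefile("w")
    wf.write(f"# munin node at {hostname}\n")
    wf.flush()
    while True:
        line = rf.readline()
        if not line:
            break
        parts = line.split()
        cmd = parts[0] if parts else ""
        arg = parts[1] if len(parts) > 1 else None
        if cmd == "list":
            wf.write(" ".join(PLUGINS) + "\n")
        elif cmd in ("config", "fetch"):
            body = PLUGINS.get(arg, {}).get(cmd, ["# Unknown service"])
            wf.write("\n".join(body) + "\n.\n")  # multi-line replies end with '.'
        elif cmd == "quit":
            break
        else:
            wf.write("# Unknown command. Try list, config, fetch, quit\n")
        wf.flush()
    conn.close()


def start_node(peer_ip_override=None):
    """Serve one connection on an ephemeral localhost port and return the port.
    peer_ip_override lets a test pretend the client came from another address."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, addr = srv.accept()
        srv.close()
        serve_node(conn, peer_ip_override or addr[0])

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def fetch_values(host, port, plugin):
    """Master side: read the greeting, send 'list', then 'fetch <plugin>'.
    Returns {field: value} for the plugin's data lines."""
    with socket.create_connection((host, port), timeout=5) as s:
        rf, wf = s.makefile("r"), s.makefile("w")
        greeting = rf.readline()
        if not greeting.startswith("# munin node"):
            raise ConnectionError("node closed the connection or is not munin-node")
        wf.write("list\n")
        wf.flush()
        available = rf.readline().split()
        if plugin not in available:
            raise KeyError(f"{plugin!r} not in {available}")
        wf.write(f"fetch {plugin}\n")
        wf.flush()
        values = {}
        while True:
            line = rf.readline()
            if not line or line.strip() == ".":
                break
            field, value = line.split()
            name = field[:-len(".value")] if field.endswith(".value") else field
            values[name] = float(value)
        wf.write("quit\n")
        wf.flush()
    return values


if __name__ == "__main__":
    port = start_node()
    print("load from node:", fetch_values("127.0.0.1", port, "load"))
    print("192.168.0.200 allowed:", is_allowed("192.168.0.200"))
    print("192.168.0.2001 allowed:", is_allowed("192.168.0.2001"))
```

The master talks to every node this way every five minutes from munin-cron, so anything that can reach port 4949 and passes the allow regex can read every plugin’s data; keeping the allow lines anchored (a pattern without ^ and $ would also match 192.168.0.2001) and the list short is the node-side access control.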

Now wait 10 minutes so it can generate some data, then visit the webpage to see the results. I store mine in a directory just outside the webserver directory and use “Document directory aliases” in Apache so it’s only available on my domain and not anywhere else.
So visit “http://192.168.0.200/munin/” (change to your setting) and you should see something similar to this
[Image: Munin overview page]
Now click on one of the names; I’ll pick “system”.
You should see some graphs like this (obviously yours won’t go all the way across yet)
[Image: Munin system graphs]
If you don’t see any graphs, check the log files for any errors; there should be 5 different log files.
First check “/var/log/munin/munin-node.log” and fix any errors.
Once it’s all working you now have graphs monitoring your server; there are loads of extra plugins you can add to Munin depending on what you want to monitor.
