Apr 28, 2014

This post is mainly a rant but also discusses my use of a battery backup UPS (uninterruptible power supply).

After a recent fault with the main power supply to my house, which killed my new PSU and surge protector (more on that later), I decided to purchase a battery backup UPS.

Battery Backup

I have used several APC units over the years for commercial clients so I chose them again, but this time I chose a home-user model that offers 4 battery backup and surge protected sockets along with an additional 4 surge-only protected sockets, allowing me to plug everything in.
Here’s the full spec of the device – quick spec: 700 VA/405 W.

I currently have the following plugged into the 4 battery backup sockets: main gaming PC, dual 24″ screens and the external backup HDD. In the other 4 sockets I have: powered USB hub, 8-port gigabit switch and my laptop charger, leaving 1 spare socket for a future device.
I chose this arrangement as it allows me to safely shut down the PC without any data loss or damage. The unit comes with software called PowerChute which will automatically shut down your PC when the power fails. You can set it to shut down immediately or when there are 5 minutes remaining on the battery. I chose the latter, but it doesn’t make much difference as with everything on I would only get 10-12 minutes out of the batteries anyway. I tested this by killing the power and timing it while monitoring the PowerChute software, which tells you the remaining time on the batteries.

Rant time

Now hopefully I won’t have any more dead PSUs as the PC will always be shut down safely. I say this after a fault with the main power supply to my house caused the voltage to drop to 140v instead of the normal 230/240v. The power dropped several times: the first time it killed the surge protector, and some 15 minutes later it happened again, killing my 4-month-old Corsair AX860i PSU. For those that know PSUs, this is a high-end, expensive unit retailing for around £170 at the time.

All credit to the power company as they came out within one hour of being called and hooked us up to a temporary supply while they dug up the road; we had a new permanent supply within 48 hours. Now for the downside: their customer relations/claims department took 2 weeks to get somebody out to look at the PSU and surge protector. They sent a contractor out to collect the items and have them tested. Well, I got the call today saying they had finished testing and would replace the surge protector, but the PSU is fine and would be returned to me! I’m not sure how they can say it’s fine when even the built-in self test says failed and it won’t power a PC, so I have been left with sending it back to Corsair for them to test and report what is faulty, and hope they replace it. All this is at my expense, which will be discussed with the power company’s manager once I have the report from Corsair. So that’s where I’m at after nearly 3 weeks.

I will post an update once I hear back and may even name and shame the companies depending on the final outcome.

Update

It’s taken 6 weeks but the power company has finally agreed and paid for my replacement power supply; it arrived yesterday and is now fitted.

Apr 27, 2014

Lastpass: What is it?

Lastpass is a cross-platform “Trust No One” password manager. That means no one can access your data, not even employees of Lastpass. Lastpass is free to use in desktop web browsers, but if you want access on a mobile platform you will require the premium version, which costs $12 a year.

How to Install

Download the extension for your browser from https://lastpass.com/misc_download2.php then create an account. You need to create a strong master password as this will be used to secure your data.

Once installed you will see an asterisk symbol next to the address bar. Once logged in you can access various settings along with your vault, which is where your passwords are stored. When you log in on a website you can click the asterisk symbol which should appear in the login boxes, and if you have saved any details you can select them; otherwise type in your details. A bar should then appear at the top asking if you want to save your details (say yes).

Secure passwords

Lastpass can be used to generate very secure passwords; there is an option to do this from the drop-down menu on the password field. You can set the password length, special characters and how many digits are used, and there is an option to avoid ambiguous characters so the password is easy to read if need be. I recommend a password length of at least 16 characters if the site allows it.

The passwords in your vault are synced to all your computers and mobile devices. The Lastpass vault is stored in an encrypted form that cannot be read without your master password. There are options to increase security further and I recommend the following: only allow logins from your country, disable logins from the Tor network, kill other sessions on login, keep track of login and form history, automatically log off when all browsers are closed (0 mins) and automatically log off after idle (15 mins). You will also find an option to use multifactor authentication, which requires a second form of authentication the first time you log in on a new device. There are several methods of multifactor authentication; I use Google Authenticator.
Lastpass provides a QR code that can be scanned using the Google Authenticator app.

Password audit

Lastpass can run an audit on all your passwords and report how secure everything is. It checks whether you are using the same password more than once and flags any that require strengthening. They have now added an option which reports if a site was affected by Heartbleed and whether you should change your password.

Apr 23, 2014

This site is now available over https and here’s what I did to get the certificate.

Generating a Certificate Signing Request (CSR) using OpenSSL

To generate a private key and a Certificate Signing Request (CSR) for a webserver, use the following command:

openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr

This creates two files. The file myserver.key contains a private key; do not disclose this file to anyone. Carefully protect the private key.

In particular, be sure to backup the private key, as there is no means to recover it should it be lost. The private key is used as input in the command to generate a Certificate Signing Request (CSR).

You will now be asked for the details to be entered into your CSR.

For some fields there will be a default value. If you enter ‘.’, the field will be left blank.


    Country Name (2 letter code) [AU]: GB
    State or Province Name (full name) [Some-State]: Yorks
    Locality Name (eg, city) []: York
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
    Organizational Unit Name (eg, section) []: IT
    Common Name (eg, YOUR name) []: mysubdomain.mydomain.com
    Email Address []:

Please enter the following ‘extra’ attributes to be sent with your certificate request

    A challenge password []: 
    An optional company name []:

Use the name of the web server as the Common Name (CN). If the domain name is mydomain.com, append the domain to the hostname (use the fully qualified domain name), e.g. for this site I used www.webstershome.co.uk

The fields email address, optional company name and challenge password can be left blank for a webserver certificate.

Your CSR will now have been created. Open the server.csr in a text editor and copy and paste the contents into the online enrollment form when requested.

Purchase SSL Certificate

Now go buy your certificate from your favourite supplier; I used https://www.ssls.com/ to purchase my SSL certificate from Comodo.

Install SSL Certificate

Depending on where you got your certificate, you will receive a zip file with yourDomainName.crt (your certificate) and 1 or more .crt files making up the Certificate Trust Chain, which should be put into a .pem file.

The easiest way to do that is to open a text editor (such as Notepad++) and paste the entire body of each certificate into one text file.
You need to make sure you include the beginning and end tags on each certificate. The result should look like this:


-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: Intermediate1.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your second Intermediate certificate: Intermediate2.crt)
-----END CERTIFICATE-----

There is no need to include the trusted root certificate as your browser already has it, and if you use a browser from the stone age that doesn’t have it, it won’t trust it anyway.
Note: Save the combined file as “yourDomainName_ca_bundle.pem”. The .pem file is now ready to use.

Now we can set up Apache to use it. As I use Virtualmin, I go to the Manage SSL Certificate page for my domain, open the CA Certificate page and upload “yourDomainName_ca_bundle.pem”, then go to the Update Certificate and Key page and upload “yourDomainName.crt” and the private key “myserver.key”.

If you don’t use Virtualmin you need to manually add this to the virtual host section of /etc/httpd/conf/httpd.conf:

SSLEngine on
SSLCertificateKeyFile /etc/ssl/myserver.key
SSLCertificateFile /etc/ssl/yourDomainName.crt
SSLCertificateChainFile /etc/ssl/yourDomainName_ca_bundle.pem

Testing

Now you should be running with your new certificate; go check your setup using https://www.ssllabs.com/ssltest/

You’re looking to get at least an A-, otherwise you need to fix stuff. Make sure it says your certificate is trusted and valid and that there are no chain issues.

Now it’s time to test your website for any errors. You’re looking to make sure you get the padlock symbol and no errors.
The most common error is linking to images. You need to make sure any images can be reached over https. As an example, on this site I use relative links, which means I don’t include the “http://www.webstershome.co.uk” part of the link; I just have “/image/pic1.jpg”, and that way the image works over both http and https.
The next issue is likely to be your CSS and JS files, which will need the same treatment.
If you use a CDN service you need to make sure they allow https connections as well.

Apr 15, 2014

The Netherlands Is Experimenting With Glow-In-The-Dark Road Markings

According to the BBC, the Netherlands has come up with a brilliant way to save money and energy on road lighting: glow-in-the-dark paint. A trial of glow-in-the-dark road markings has been unveiled on a small stretch of highway (N329 in Oss) in the Netherlands.

The paint contains a “photo-luminising” powder that charges up in the daytime and releases a green glow at night, doing away with the need for streetlights. Once the paint has absorbed daylight it can glow for up to eight hours in the dark.

Interactive artist Daan Roosegaarde teamed up with Dutch civil engineering firm Heijmans to work on the idea.
The technology is being tested with an official launch due later this month.

[Image: glow-in-the-dark road markings. Credit: Studio Roosegaarde]

I think anything which can help improve road safety while saving energy is a must.
They are also working on temperature-sensitive paint which can show weather symbols on the road once the temperature reaches a certain level, but this is not included in the current trial.

[Image: glow-in-the-dark road markings with weather symbols. Credit: Studio Roosegaarde]

Apr 14, 2014

In this blog I’ll try and explain what IPv6 is and how I set up the server to use it.

What is IPv6? IPv6 is pretty much the same as IPv4, which is what is primarily used on the internet today. The big difference is the size of the address. IPv6 addresses are 128 bits long vs 32 bits for IPv4. IPv6 also uses hex to express addresses whereas IPv4 only uses numeric values, so you will see numbers 0-9 and letters A-F in an IPv6 address.

Why do we need IPv6? Well, simply put, we are running out of IPv4 addresses. There are roughly 4.2 billion, or 4,294,967,296 to be precise, unique addresses for IPv4 whereas IPv6 has 340,282,366,920,938,463,463,374,607,431,768,211,456 unique addresses. I’ll let you work out how many that is.

So what do IPv6 addresses look like? IPv6 addresses look like this: 2001:0470:1f09:0d2b:0000:0000:0000:0300. IPv6 addresses can be shortened by removing the leading zeros in each group, so this address becomes 2001:470:1f09:d2b::300. The :: means that the space in between is filled with zeros, and it can only be used once in an address.
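The shortening rule described above, written out as an added example (not code from the original post). It goes slightly beyond the text by following the usual convention for which zeros become :: (the longest run of at least two zero groups, the first one on a tie); the function names are chosen for this example.

```python
import string

def _group(g):
    """Validate one colon-separated group and return its integer value."""
    if not 1 <= len(g) <= 4 or any(c not in string.hexdigits for c in g):
        raise ValueError(f"bad group {g!r}")
    return int(g, 16)

def expand(addr):
    """Write an IPv6 address as eight 4-digit groups."""
    head, sep, tail = addr.partition("::")
    if "::" in tail:
        raise ValueError(":: may appear only once")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    missing = 8 - len(left) - len(right)
    if (sep and missing < 1) or (not sep and missing != 0):
        raise ValueError("wrong number of groups")
    groups = left + ["0"] * missing + right
    return ":".join(f"{_group(g):04x}" for g in groups)

def compress(addr):
    """Shortest form: drop leading zeros, replace the longest zero run with ::."""
    groups = [f"{int(g, 16):x}" for g in expand(addr).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:      # strictly longer, so the first run wins a tie
            best_start, best_len = i, j - i
        i = max(j, i + 1)
    if best_len < 2:              # a single zero group stays written as "0"
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"

if __name__ == "__main__":
    full = "2001:0470:1f09:0d2b:0000:0000:0000:0300"  # address from the post
    print(compress(full), "<->", expand(compress(full)))
```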

When using IPv6 the minimum allocation you are given is a /64, which gives you 18,446,744,073,709,551,616 unique IPv6 addresses. That’s way more than enough for the average person, but some places will allow you to request a /48, which gives you 1,208,925,819,614,629,174,706,176 unique IPv6 addresses. Now compare that to the 1 IPv4 address most people get given.

Now onto setting up the server to use IPv6. As one of my server providers doesn’t offer native IPv6 yet I have to use a tunnel service. You can find a few different providers, but I chose Hurricane Electric IPv6 Tunnel Broker as I heard good things about their support and their tunnel server is located very close to my server (average of 1-2ms away).

So first off, sign up for an account (it’s free). Time to create our first tunnel: click on “Create Regular Tunnel” and it should automatically select the closest tunnel server to use (you can override this if need be). Now just input the IPv4 address where the tunnel will finish, i.e. 192.168.0.200 (make sure it’s the server’s public IPv4 address), then click “submit”. It will then create the tunnel and show you all the info you will need to set up on the server. At the bottom of the page there is a drop-down box where you can get the config info for different operating systems.

As I want it to connect to the tunnel server automatically after reboots, I need to manually add it to the config file (this is for CentOS 6.x).

Create or edit “/etc/sysconfig/network-scripts/ifcfg-sit1”:

NAME=""
BOOTPROTO=none
IPV6TUNNELIPV4=216.66.80.26
IPV6INIT=yes
DEVICE=sit1
MTU=""
NETMASK=""
IPV6TUNNELIPV4LOCAL="192.168.0.200"
BROADCAST=""
IPV6ADDR="2001:470:1f08:d2b::2/64"
IPADDR=""
NETWORK=""
ONBOOT=yes

Obviously change “IPV6TUNNELIPV4” to the IP of the tunnel server, change “IPV6TUNNELIPV4LOCAL” to your server’s IPv4 address and change “IPV6ADDR” to the “Client IPv6 address”. You will find all the info on the details page of your tunnel.

Then I added the following to “/etc/sysconfig/network-scripts/ifcfg-eth0”:
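A quick sanity check for the tunnel file before rebooting, as an added example that is not part of the original post. It parses the KEY=value lines and flags the mistakes the text warns about, such as a local endpoint that is not a public address; the function names are hypothetical, and the /64 expectation is an assumption taken from the listing above.

```python
import ipaddress
import shlex

def parse_ifcfg(text):
    """Parse KEY=value lines of a network-scripts file (shell-style quoting)."""
    settings = {}
    for line in text.splitlines():
        key, sep, raw = line.strip().partition("=")
        if not sep or key.startswith("#"):
            continue
        parts = shlex.split(raw)
        settings[key.strip()] = parts[0] if parts else ""
    return settings

def check_sit_tunnel(settings):
    """Return a list of problems found in an ifcfg-sit* tunnel definition."""
    problems = []
    for key in ("IPV6TUNNELIPV4", "IPV6TUNNELIPV4LOCAL"):
        try:
            addr = ipaddress.IPv4Address(settings.get(key, ""))
        except ValueError:
            problems.append(f"{key} is missing or not an IPv4 address")
            continue
        if not addr.is_global:
            problems.append(f"{key}={addr} is not a publicly routable address")
    try:
        prefixlen = ipaddress.IPv6Interface(settings.get("IPV6ADDR", "")).network.prefixlen
        if prefixlen != 64:  # assumption: tunnel endpoint is a /64, as in the listing
            problems.append(f"IPV6ADDR prefix is /{prefixlen}, expected /64")
    except ValueError:
        problems.append("IPV6ADDR is missing or not an IPv6 address with prefix")
    for key in ("IPV6INIT", "ONBOOT"):
        if settings.get(key, "").lower() != "yes":
            problems.append(f"{key} is not 'yes'")
    return problems

# Values as shown in the ifcfg-sit1 listing above (empty settings omitted).
SAMPLE = """\
IPV6TUNNELIPV4=216.66.80.26
IPV6INIT=yes
DEVICE=sit1
IPV6TUNNELIPV4LOCAL="192.168.0.200"
IPV6ADDR="2001:470:1f08:d2b::2/64"
ONBOOT=yes
"""

if __name__ == "__main__":
    for problem in check_sit_tunnel(parse_ifcfg(SAMPLE)):
        print("WARNING:", problem)
```

Run against the listing as printed, it warns about the 192.168.0.200 placeholder, which is a private address and has to be replaced with the server's public one.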

IPV6INIT=yes
IPV6ADDR=2001:470:1f09:d2b::300/64
IPV6ADDR_SECONDARIES="2001:470:1f09:d2b::220/64 2001:470:1f09:d2b::200/64"

“IPV6ADDR” is the main IPv6 address for the network adapter and “IPV6ADDR_SECONDARIES” is used to specify any extra addresses you want to use on the same server. If, like me, you’re using Webmin/Virtualmin, it will automatically add new IPv6 addresses to “IPV6ADDR_SECONDARIES” when you create them.

UPDATE – When I set up my new server I had to edit “/etc/sysconfig/network” and add the following:

IPV6_DEFAULTDEV=sit1

You could also set up the server to act as a router and give other devices on your network IPv6 addresses, but I don’t need that here (although I have done that at home). Just use Google to find the extra info you need to add for it to act as a router.

Your server should now be accessible by IPv6. Test by pinging a few different IPv6-enabled sites and then remember to set up your firewall. Here’s a link to a quick example, IPv6 Firewall For Linux; Google also has loads of others.