How to blow away a Solaris zone

You’ve been monkeying around with Solaris zones and now you want to blow away your screwed-up test zone. Here’s how you do it.

To completely delete/remove a Solaris zone there is essentially a 4-step process.

  1. Shutdown the zone
  2. Halt the zone
  3. Uninstall the zone
  4. Delete the zone configuration files

Here’s how. In this example we are removing sol2.

Find what is what
bash-3.00# zoneadm list -cv
  ID NAME             STATUS     PATH                       BRAND    IP
   0 global           running    /                          native   shared
  69 sol1             running    /zones/sol1/root           native   shared
  72 sol2             running    /zones/sol2/root           native   shared

Log into the zone and shut it down

Now halt it
bash-3.00# zoneadm -z sol2 halt

Check its status
bash-3.00# zoneadm list -cv
  ID NAME             STATUS     PATH                       BRAND    IP
   0 global           running    /                          native   shared
  69 sol1             running    /zones/sol1/root           native   shared
   - sol2             installed  /zones/sol2/root           native   shared

Now uninstall it
bash-3.00# zoneadm -z sol2 uninstall
Are you sure you want to uninstall zone sol2 (y/[n])? y

And finally delete the zone configuration
bash-3.00# zonecfg -z sol2 delete
Are you sure you want to delete zone sol2 (y/[n])? y
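The same four steps, as an added example that is not part of the original post: a small Python planner that reads the ‘zoneadm list -cv’ listing shown above and works out which of halt / uninstall / delete are still needed for a given zone, so a teardown that was interrupted half-way can be resumed without repeating steps that have already happened, and so the global zone can never be targeted by accident. The sample listings are constructed from the output above; using ‘-F’ on uninstall and delete (to skip the y/[n] prompts), the dry-run default and the ‘--force’ switch are my choices, not the post’s.

```python
"""Plan the removal of a Solaris zone from 'zoneadm list -cv' output.

Added example, not from the original post.  Given the listing and a zone
name it returns the commands still needed, in the post's order
(halt -> uninstall -> delete).  The in-zone shutdown step is left to the
zone's own 'shutdown' command, exactly as in the post.
"""
import subprocess
import sys

# Which of the post's steps are still outstanding for each zoneadm STATUS.
# Mapping built from the post's walkthrough; transitional states such as
# 'ready' or 'shutting_down' are not listed and are refused below.
REMAINING_STEPS = {
    "running": ["halt", "uninstall", "delete"],
    "installed": ["uninstall", "delete"],
    "configured": ["delete"],
}


def parse_zone_list(listing):
    """Parse 'zoneadm list -cv' output into {zone name: status}.

    Columns are 'ID NAME STATUS PATH BRAND IP'; ID is '-' for zones that
    are not running, so the name is always the second field.
    """
    zones = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[1] == "NAME":
            continue  # blank line or the header row
        zones[fields[1]] = fields[2]
    return zones


def command_for(step, zone):
    """Build the argv for one step; -F skips the interactive y/[n] prompt."""
    if step == "delete":
        return ["zonecfg", "-z", zone, "delete", "-F"]
    if step == "uninstall":
        return ["zoneadm", "-z", zone, "uninstall", "-F"]
    return ["zoneadm", "-z", zone, step]


def plan_removal(listing, zone):
    """Return the list of argv lists still needed to remove `zone`."""
    if zone == "global":
        raise ValueError("refusing to remove the global zone")
    zones = parse_zone_list(listing)
    if zone not in zones:
        return []  # nothing configured under that name: already gone
    status = zones[zone]
    if status not in REMAINING_STEPS:
        raise ValueError(f"zone {zone} is {status}; wait for that transition to finish")
    return [command_for(step, zone) for step in REMAINING_STEPS[status]]


def remove_zone(zone, dry_run=True):
    """Plan against the live system; only runs the commands when dry_run is False."""
    listing = subprocess.run(["zoneadm", "list", "-cv"], check=True,
                             capture_output=True, text=True).stdout
    for argv in plan_removal(listing, zone):
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


# Constructed from the two listings in the post: before and after 'halt'.
SAMPLE_RUNNING = """\
  ID NAME             STATUS     PATH                       BRAND    IP
   0 global           running    /                          native   shared
  69 sol1             running    /zones/sol1/root           native   shared
  72 sol2             running    /zones/sol2/root           native   shared
"""
SAMPLE_HALTED = """\
  ID NAME             STATUS     PATH                       BRAND    IP
   0 global           running    /                          native   shared
  69 sol1             running    /zones/sol1/root           native   shared
   - sol2             installed  /zones/sol2/root           native   shared
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # '--force' (hypothetical switch) actually runs the commands
        remove_zone(sys.argv[1], dry_run="--force" not in sys.argv)
    else:
        for argv in plan_removal(SAMPLE_HALTED, "sol2"):
            print(" ".join(argv))
```

Without arguments the script prints the plan for the constructed post-halt listing (uninstall, then delete); with a zone name it plans against the live ‘zoneadm list -cv’ output and prints the commands, running them only when ‘--force’ is also given.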

pam_tally & pam_tally2

There are a few minor differences between pam_tally & pam_tally2, just enough to trip you up and end up in another head scratching moment!

pam_tally seems to have fallen out of favour for RHEL 6 and CentOS 6 and later; they have switched to using pam_tally2, and this may be the case for other distros as well.

With pam_tally you can specify the option ‘reset’ within the system-auth file (see below); with pam_tally2 this option has been dropped. During testing this initially caused some confusion, as the failed login attempt counter just kept on increasing: after waiting the required 60 seconds I attempted to log in again… and I was still locked out. You will see an error such as this in /var/log/secure:

sshd[2661]: pam_tally2(sshd:account): unknown option:reset

So, after reading that, it became obvious that the ‘reset’ option had been dropped; the no_magic_root and no_reset options are also not available in pam_tally2.so.

Also note that for pam_tally you have to modify the /etc/pam.d/sshd_conf file, changing the following settings to look like this:

PermitRootLogin no (I always block root access via SSH)
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

Useful commands

  • To show failed logins for all users: faillog -a
  • To show failed logins for a user: faillog -u mrfoo, and for PAM: pam_tally2 -u mrfoo
  • Reset the failed login counter for a user: faillog -r -u mrfoo, and for PAM: pam_tally2 -r -u mrfoo

pam_tally

I know this works for CentOS 5.5 (Final).

I recommend creating a ‘test’ user to try it out.

This will lock users out for 60 seconds after 3 unsuccessful attempts, then reset the tally to 0; you can change this to suit – see ‘man pam_tally’.

To show failed logins, run ‘faillog -a’ from /var/log.

Add the line ‘auth required pam_tally.so onerr=fail deny=3 unlock_time=60’ after the line ‘auth required pam_env.so’ – the order is crucial, it doesn’t work correctly if you place it out of order. Then add the line ‘account required pam_tally.so reset’ to the account stack, as marked in the file below.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail deny=3 unlock_time=60  <===== add this line here
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_tally.so reset  <===== add this line here

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

pam_tally2

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=60  <===== add this line here
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_tally2.so  <===== add this line here, note, the 'reset' option has been dropped

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
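To catch the two mistakes described in the pam_tally and pam_tally2 sections above (the tally line placed out of order in the auth stack, and the dropped ‘reset’ / no_magic_root / no_reset options carried over to pam_tally2), here is an added example written for this page; it is not part of the original post. It is a small Python lint for a system-auth style file: it checks the ordering both configs above use (tally line after pam_env.so and before pam_unix.so), that deny=, unlock_time= and onerr=fail are present, that the module also appears in the account stack, and that no pam_tally2 line carries an option pam_tally2 rejects. The sample files are constructed from the configs above; the finding texts are mine.

```python
"""Lint the pam_tally / pam_tally2 lines in a system-auth style PAM file.

Added example, not part of the original post.  Everything checked comes
from the post: auth-stack ordering, the options used, the matching
account line, and the options pam_tally2 no longer accepts.
"""
import sys

TALLY_MODULES = ("pam_tally.so", "pam_tally2.so")
# Gone in pam_tally2: they log "unknown option" in /var/log/secure and the
# counter then never resets, which is the lock-out the post ran into.
DROPPED_IN_TALLY2 = {"reset", "no_magic_root", "no_reset"}


def parse_pam(text):
    """Return [(type, control, module, [args])] for each active line.

    Handles plain controls ('required') and bracketed ones
    ('[success=1 default=ignore]'); comments and blank lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, rest = line.split(None, 1)
        if rest.startswith("["):
            close = rest.index("]")
            control, rest = rest[:close + 1], rest[close + 1:].strip()
        else:
            control, rest = rest.split(None, 1)
        module, *args = rest.split()
        entries.append((mtype, control, module, args))
    return entries


def option_names(args):
    """'deny=3' -> 'deny'; bare flags such as 'reset' come back unchanged."""
    return {a.split("=", 1)[0] for a in args}


def lint_tally(text):
    """Return a list of findings; an empty list means the stack looks right."""
    entries = parse_pam(text)
    findings = []
    auth = [e for e in entries if e[0] == "auth"]
    tally = [(i, e) for i, e in enumerate(auth) if e[2] in TALLY_MODULES]
    if not tally:
        return ["no pam_tally/pam_tally2 line in the auth stack: failures are never counted"]
    idx, (_, control, module, args) = tally[0]
    opts = dict(a.split("=", 1) if "=" in a else (a, None) for a in args)

    if control != "required":
        findings.append(f"auth {module} should be 'required', found '{control}'")
    for needed in ("deny", "unlock_time"):
        if needed not in opts:
            findings.append(f"auth {module} lacks {needed}=")
    if opts.get("onerr") != "fail":
        findings.append(f"auth {module} lacks onerr=fail (a tally error would let the login through)")

    # The post's ordering: after pam_env.so, before pam_unix.so.  Below the
    # 'sufficient' pam_unix.so line a correct password returns before the
    # tally is consulted, so a locked-out account would still get in.
    modules = [e[2] for e in auth]
    if "pam_env.so" in modules and modules.index("pam_env.so") > idx:
        findings.append(f"auth {module} must come after pam_env.so")
    if "pam_unix.so" in modules and modules.index("pam_unix.so") < idx:
        findings.append(f"auth {module} must come before pam_unix.so")

    if not any(e[0] == "account" and e[2] == module for e in entries):
        findings.append(f"{module} missing from the account stack: counter is never reset on success")

    if module == "pam_tally2.so":
        for mtype, _, mod, margs in entries:
            bad = DROPPED_IN_TALLY2 & option_names(margs)
            if mod == module and bad:
                findings.append(f"{mtype} {module} uses {sorted(bad)}: "
                                "pam_tally2 rejects these and the counter never resets")
    return findings


# Constructed from the pam_tally2 config in the post (password stack omitted).
GOOD = """\
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=60
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_tally2.so

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
"""
# The mistake from the post: pam_tally's 'reset' left on the pam_tally2 account line.
STALE_RESET = GOOD.replace("account     required      pam_tally2.so\n",
                           "account     required      pam_tally2.so reset\n")
# Tally line moved below the 'sufficient' pam_unix.so line.
MISORDERED = GOOD.replace(
    "auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=60\n"
    "auth        sufficient    pam_unix.so nullok try_first_pass\n",
    "auth        sufficient    pam_unix.so nullok try_first_pass\n"
    "auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=60\n")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else STALE_RESET
    problems = lint_tally(text)
    print("\n".join(problems) if problems else "tally configuration looks right")
```

Run it with the path to a system-auth file to lint a real one; with no argument it lints the constructed ‘reset’ mistake and reports the dropped option. The ordering check is deliberately one-sided: it only complains when the tally line sits below pam_unix.so or above pam_env.so, which are the two positions the post says break it.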

Adding it all up

Okay, let’s check that mrfoo has no unsuccessful logins

[root@foo log]# pam_tally2 -u mrfoo
Login           Failures Latest failure     From
mrfoo            0

mrfoo screws up his password 3 times and gets locked out, which is easily checked by:

[root@foo log]# pam_tally2 -u mrfoo
Login           Failures Latest failure     From
mrfoo            3    03/26/13 10:22:28  192.168.1.50

We have a chat with mrfoo, give him a good bollocking, and tell him never to do it again… and then reset his tally

[root@foo log]# pam_tally2 -r -u mrfoo
Login           Failures Latest failure     From
mrfoo            3    03/26/13 10:22:28  192.168.1.50

Check it has reset

[root@foo log]# pam_tally2 -u mrfoo
Login           Failures Latest failure     From
mrfoo            0

Foscam FI8918W – not re-establishing wireless link after scheduled wireless stop/start

My problem.

Teenager staying up all night playing online games.

Scheduled blocking of IP/MAC addresses using DD-WRT worked fine for a while, but after a few weeks the schedule seems to go adrift, even though DD-WRT still shows the correct time and is synced over NTP. I tried this solution several times over an 18-month period, and it does this consistently.

So I configured a daily scheduled job to switch off the RF transmitter (WiFi) at 01:00hrs and turn it on again at 06:00hrs. This worked great as it turns off the WiFi while leaving the router/firewall still doing its job, and saves a bit of energy.

What I hadn’t figured on was the way the Foscam FI8908W IP camera handles this: when the WiFi comes back on the Foscam fails to reconnect, which I believe is not how it should work and is a sloppy implementation of the WiFi standards. The only way to make the camera start is to unplug and re-plug the power cord.

So, I start getting my hands dirty, and try out a few things.

First I set a static IP within the camera GUI config page, and had the aforementioned issues. I read somewhere about using a static IP assigned from the router, so I did this next: I assigned a static IP using its MAC address within the DHCP lease range (in effect, I set up a reservation for it) and turned off DHCP within the camera GUI. It worked, but I still had issues with the camera not reconnecting. As a side note, you don’t have to set static IPs outside your DHCP scope; it is neater to do so, but just saying, you don’t have to.

I can safely say that if your router can reserve an IP via MAC address, you CAN assign a static IP WITHIN your DHCP scope and the Foscam camera will play along with this.

However, all of this did not fix the camera reconnecting issue. But I have found a fix, and this is it.

Basically, the Foscam doesn’t play nicely when using AES: it works fine until you lose WiFi connectivity. So I changed it to TKIP, configured DD-WRT to use TKIP, and it now works without issue; the WiFi turns off & on at night and the camera reconnects without issue.

Previously I was using WPA2/AES for everything, and yes, I’m aware that this is a retrograde step from a security view, but there is nothing that sensitive on my home network, and TKIP will suffice for now.

So, my advice for using a Foscam FI8908W over WiFi, with a scheduled job turning the WiFi on & off, using DD-WRT is:

  • Assign the camera a static IP using a reservation on your router
  • Turn off DHCP on the camera, configure networking manually
  • Set camera to use WPA/Personal, TKIP
  • Set router to use TKIP

Coffee – Chiapas

Mexican Chiapas

I like coffee, a lot. My work colleague brought in some really nice coffee; it has a most distinct flavor, not bitter at all, subtle floral notes, you really do have to try it to appreciate it. The grind he used was fairly coarse, and it works well in a drip machine, but the best flavor is had if you use a cafetiere (French Press), as with most coffees in my opinion.

If you are in the Oklahoma City area you can get it from: http://primacafe.com/index.php?module=products&section=1&catid=9&id=15

Home media server and media streaming devices

Thought I’d share my media server/torrent/seeding setup with you all; it may be useful to somebody. It has been uber reliable for well over 30 months now, with scarcely a reboot.

I moved from the UK to the US (UK born & raised) and had no regular income, just short-term contracts, so money was tight. This influenced my decisions, and also led to a pretty green (eco-friendly) setup.

I wanted my system to have the following.

  • Inexpensive as reasonably possible without sacrificing reliability too much
  • Inexpensive to run as it will be on 24/7
  • Configuration flexibility, storage wise and router/firewall
  • Reasonably quiet

I was limited in how I could stream this data around the house as it is a rental, so installing CAT6 cabling wasn’t an option, but surprisingly the Briteview CinemaTube+WiFi worked fine most of the time, even streaming HD; the router is upstairs and the Briteview is the floor below, so that helped. Now, when I got the AppleTV, XBMC streaming over WiFi worked fine for SD but not for HD, the signal strength not being quite good enough, so along came the NETGEAR XAVB101 Powerline AV Ethernet Adapter Kit, which I got for $60. I’m fully aware of the issues you can have with these things, and the house we are in does have wiring from the 70s, but at that price it was worth a shot, and it works great! It took a few attempts to find the best electrical wall outlet, but once done, it has worked like a charm ever since. A ballpark figure of 10 Mbit/s is required for HD streaming BTW; I’m getting around 25-27 Mbit/s with the Netgear XAVB101.

My home media kit consists of the following:

  • Netgear Pre N Wireless router which I flashed to DD-WRT, which provides a lot more options over the stock firmware. I also modified the antennas; it now sports 3 rubber ducky antennas, which has increased the range
  • NETGEAR XAVB101 Powerline AV Ethernet Adapter Kit – got it on sale for $60!
  • D-Link 8 port Gb switch, low energy ‘green edition’
  • Old IBM X40 laptop, runs uTorrent + Cobian backup, with a stripped down version of XP (nLite used to strip the crap out). Using an old laptop has been great: low energy, and the battery sort of acts like a UPS. Torrents are saved to the unRAID server via a mapped drive
  • Briteview CinemaTube+Wifi dongle to stream the media ( http://www.brite-view.com/cinematube.php ) throughout the house, great little device; there are others on the market, but this one has worked very well and got good reviews
  • Apple TV (1st gen) hacked and now running XBMC/Crystalbuntu, with the addition of a hardware video decoder with 1080i
  • 2nd gen Western Digital Live
  • Secondhand APC BR900 UPS (new batteries fitted)
  • Custom built unRAID media server, not the fastest file server, poor write performance, but truly great for streaming media, nothing quite like it out there, spinning down unused disks to save power etc etc.

Regarding unRAID, the components I chose had to be inexpensive whilst being as low energy as I could reasonably afford; most of them were on ‘special’ at Newegg. I also modded a few things: I had a variable fan speed controller kicking around, along with a few case fans, which I incorporated into the unRAID server to make it as cool and quiet as I could. I also slowed down the PSU fan by fitting a couple of zener diodes in-line with the 12V fan supply.

The AMD sips electricity, unRaid hardly stresses it at all, and consequently the stock CPU fan is barely ticking over so runs quiet; the 2 additional case fans (one in front of the hard drives, the other at the rear) have been slowed down using the speed controller. The upshot of all of this is the thing is whisper quiet, not silent, but very unobtrusive and barely audible.

Once I had unRAID Plus installed and configured I ran it headless, no KVM. According to my Kill-A-Watt power meter it uses ~57 watts when in use (at least one disk spinning), not bad at all, and low energy usage was one of my goals seeing as it was going to be on 24/7; it is quite amazing how a typical 400-watt PSU’s power use adds up once you factor in 24/7/365 usage. Try using this tool and just up the number of hours and days used and it is an eye opener –
http://www.super-grow.biz/Electricity.jsp

I do run a monthly parity check (via the unMenu add-on); the disk temps float around 35C, even with a higher than normal ambient temperature here in the hot Oklahoma summers, SMART reports clean, and all of this information is relayed to me daily in reassuring emails.

I have no need for hot swap backplanes, even though I do have one (iStarUSA SATA2.0 Hot-Swap Backplane Raid Cage); I don’t trust the cheap electronics within it and, after doing a bit of research, read horror stories of components on the cage burning out and taking out all of the drives, so I like to keep it KISS. Also, drive replacement is real easy with this case; they slide in and out on rails, much like the Dell Optiplex range. I could put 9 drives in this chassis if I so desired, but I probably never will as my data growth rate is not that high and I figure I will be rolling/replacing drives before then – see my note at the end for my reasoning behind this. All in all, it suits my needs, but YMMV.

It’s used for several hours a day in my household, mainly streaming TV shows and movies, and has been running fine for well over 30 months now with barely a hiccup, once I had finalized my configuration and finished tinkering. It has been rebooted approximately 4 times since I’ve had it: to install new disks, when I moved house, to fit new batteries to the UPS, and for troubleshooting a DNS issue. Pretty impressive I think, and it just goes to show what can be achieved at bargain basement, entry level these days.

Will I change anything? Well, I’m going to upgrade the unRAID server case soon, the old one is very tatty (squished and dented in my move to the US). When feeling brave enough, I would like to ditch the laptop altogether and run a torrent client from within unRAID, and I may upgrade the firewall/router to pfsense, just for the fun of it, but to be honest, my set-up just keeps on working and I never have to touch the thing… ‘if it ain’t broke…’ keeps ringing in my ears!

unRAID BoM (Bill of Materials)
Case – Cooler Master Elite http://www.newegg.com/Product/Product.aspx?Item=N82E16811119118 – because it was what I had

Mainboard – Open Box: BIOSTAR A760G M2+ AM2+/AM2 AMD 760G Micro ATX AMD Motherboard – it was inexpensive and had low energy ratings… it also came with no I/O panel, which didn’t bother me as it would not fit in my twisted and distorted space for it! I cut out a piece of foam and stuck it in the space.

Drives – 2 x Western Digital Caviar Green WD6400AACS 640GB 7200 RPM SATA 3.0Gb/s 3.5″ Internal Hard Drive – Bare Drive – it was inexpensive, had low energy ratings, performance more than adequate for my planned unRaid usage
3 x Western Digital Caviar Green WD20EARS 2.0TB SATA 3.0Gb/s 3.5″ Internal Hard Drive -Bare Drive

Memory – 1 x Kingston 1GB 240-Pin DDR2 SDRAM DDR2 800 (PC2 6400) Desktop Memory Model KVR800D2N6/1G – inexpensive, performance more than enough

CPU – AMD Sempron 140 Sargas 2.7GHz Socket AM3 45W Single-Core Processor SDX140HBGQBOX – it was inexpensive, had low energy ratings, performance more than adequate for my usage

PSU – Rosewill Stallion Series RD400-2-SB 400W ATX V2.2 Power Supply – modified to slow the fan down

UnRaidPlus 4.7.0 + unMenu – downloaded and installed onto a Kingston USB thumb drive I had around. I didn’t need the features of the ‘Pro’ version; 6 drives will be enough for me, and as capacities increase over the years I will just keep swapping in higher-capacity models instead of more disks overall; this way you are ‘refreshing’ the RAID every few years or so. Of course, if capacity is your goal, then nothing beats having 21 disks as an option!

Windows Software

I’ve been using Windows Desktop OSs for years, starting with Windows 3.1, 95, 98, XP, Vista… etc… etc. – I was also a SysAdmin for Server 2000/2003 for quite a few years, and picked up a few things along the way.

This is not a complete guide, and I’m not going way back to early versions of Windows, so I’ll just start with apps I’ve found useful, say, from Windows XP and up, which are usually free, free for non-commercial use or just free cut-down versions of the full blown versions.

I lean towards apps that are lightweight and not too much of a resource hog. I usually try a bunch of them out, and then discard the ones I consider poorly implemented, don’t quite do what they say, behave oddly or cause system issues, all of course based on my empirical testing; not that scientific I know, but it has served me well over the years.

Some of the solutions listed below, primarily the ones you need to boot from, are Linux based tools that can equally be used on Windows.

Security – Anti Virus & Malware

I use the solutions below. Threatfire is unusual in that it can be used alongside an existing AV solution, so you can run both at the same time; this is not usually the case, for “normal” AV solutions you just stick to the one, i.e. do not install and try to use 2 AV solutions at the same time. As I said, Threatfire is a little different.

Usually near the top in AV lab tests. Here is a great resource for finding out how good the various AV solutions fare, and if you read it, it’s not a “one size fits all” thing:
http://www.av-comparatives.org/

Good for zero-day attacks and can be used alongside other existing AV software, which is unusual

Great for sniffing out pesky malware; the free version has to be run and updated manually

Disk Tools

Very easy to use tool that securely erases/wipes your hard disk, great if you are selling your PC on

Need to clone or copy a hard disk? Thought you needed Norton Ghost or Acronis TrueImage? All of which I used heavily over the years, and yes, Clonezilla doesn’t have a pretty GUI, but it has a very simple to follow text-based interface that doesn’t take rocket science to follow; if you fix/maintain PCs then this is a “must have” piece of software.

Backup

Great backup solution, used it for 4 years without a hitch, and restored from it. Some reviews say it is complicated, and it can be as it offers many advanced options (which I like) that a typical user may not be interested in, but honestly, it is not that difficult to get your head around.

OS Optimization/Installation

What nLite enables you to do is build your own version of XP (I’ve only ever used it with XP; it looks like Vista/Win7 are not supported, but vLite looks promising), so you can cut out all the crap you don’t want, have default accounts set up, IP addresses, patches & updates, services disabled and the such like. This makes for a very lightweight OS that installs very quickly, and you can even build in various drivers for storage controllers, printers etc., so no more hunting around and downloading a crap load of drivers after you have installed XP or Server 2003.

Cobian 10 backup, gmail email notifications

For 4 or so years, and with great success, I’ve been using Cobian Backup (for Windows, it’s free BTW) to back up various family PCs, but I had a few problems getting the email notifications to play with a gmail account.

I was aware that I had to use SSL/TLS and port 465, but it still did not work; the fix was to change a few settings.

Tools|Options|Mail|SSL button, then General tab, for:

  • Transport Level Security: select Implicit
  • SSL Method: select TLSv1
  • Authentication: Auto
  • Data port protection: Clear
  • SSL mode: Unassigned
  • Verify depth: 0

I left all the check boxes clear, and then email notifications worked fine.