Foscam FI8910W compared to FI8918W

I already own several Foscam FI8918Ws, so I have some experience with Foscam, I had it up and running within a few minutes, assigned a static IP using a wired ethernet connection, then set-up the wireless.

I use all of my cameras with BlueIris, running on an XP VM running on VMware ESXi, this has worked well for around 3 years, with hardly an issue. This may have an impact, seeing as I use BlueIris, I let this control all of the motion detection, sending alerts and the such like, consequently I turn just about everything off in the camera firmware, so this must present less load on the CPU.

Jan 2014 – latest firmware and webGUI firmware (I updated it)

FI8910W – the good

Much better image quality when compared to the FI8918W (comes at a price though, more on that later), you can actually discern colors with this!

IR cut filter really works, you can see much more at night with this camera, the filter does make an audible click though, if you are in a quiet area, this may alert somebody that you have a camera.

The power supply has a very long cord, which is nice.

Seems to be rock solid over wired ethernet.

The bad.

Throughout the house, I have several wireless routers, using Tomato USB and DD-WRT, every single wireless device we own has no problems working with these, we are talking multiple smartphones, tablets, XBOX360, PCs here, no issue…and you guessed it, except for the FI8910W.

I set it up where the FI8918W was located, I initially got it to connect, and then the video would drop out, the signal strength was around -62dbm. I ran a constant ping, it would ping for about 12 seconds or so, then time out for some amount of time, then connect again (watch dog probably kicking in), then drop out and stay dropped out, I tried all sorts of settings and nothing worked, dropped it down 320×240, tried a 12db antenna, all to no avail.

So, knowing that it might struggle to work on a slightly lower than normal signal I decided to relocate it, this time it was around 30ft away, line of sight, only thing between it and the WiFi router was a single glass door, I had high hopes this time, -55dbm signal (some devices in my house work well on >-70dbm), nope still didn’t work, BlueIris reports 2.5fps coming in at 250k/Bs, webGUI was slightly more responsive though, but that was about it, still no video.

Other users have gone into detail regarding the expected performance of this camera over WiFi, it seems it needs a steady 750k/Bs to work well, and from what I see, this seems to be true.

It is my opinion that the FI8910W is borderline usable over WiFi, and its radio performance is weak – if you have a wired connection then you should be good, but to work reliably over WiFi you will need a very strong signal.

I’m now using the camera over wired ethernet and it has been rock solid.

The camera did work over WiFi when it was around 15ft away from the router and in the same room, not really much use for me, and I suspect many others.

I have just received a D-Link DCS-930L, doesn’t have pan/tilt, but is good value, colors are okay, image is just ok, not very detailed but usable, and in the same location as I tried the Foscam, this is giving ~14fps and 450k/Bs.

Also, I’m suspicious of all the “Foscam support is so good” reviews I’m seeing all the time, every time a negative review pops up, you can bet your bottom dollar that a “Foscam support is so good..” review will soon follow.


GPS, Garmin 850 touchscreen goes crazy

I have a Garmin 850 GPS (with European maps installed) which has served me well for around 4 years, the only issue being that the device that mounts it to the windshield, the rubber suction cup, well, loses suction and it falls off from time to time, and for whatever reason, it does this more so in my new 2103 Sonata (angle of the windshield maybe?).

It has survived these falls without any noticeable damage, until last week that is, this time the lower left hand corner of the touchscreen was failing to work, tried turning on and off etc, all to no avail, I was resigning myself to the fact that I might have to get a new one, then it dawned on me that I could probably still get by, by using the voice recognition, but this was not ideal, I then tried a ‘pre-boot reset’ and recalibration and it is now working fine again!

This is what I did

  1. Turn the GPS off
  2. Remove battery
  3. Press and hold the touchscreen then put the battery back in
  4. The unit will power on and go into pre-boot mode. Continue holding the screen until pre-boot goes away and the progress bar appears then release the screen, this can take around 1 minute.
  5. Now the calibration will start, two intersecting lines should display on the screen along with the message: Press Dot
  6. Follow the rest of the on screen prompts to complete the screen recalibration

That’s it.


Getting Oracle Instant Client, PHP, and oci8 all working

I had one hell of a game getting all of this working together, it didn’t help that the server has been CIS hardened, anyway, here is how I got it working, and one word of advice, everything seems very version picky.

This server is essentially running some web application under Apache, the app connects to 2 Oracle databases, one being older than the other, and the cause of much trouble.

Server Build

I set selinux to permissive, once I had everything working I enabled it and troubleshooted until I got it working.

  • RHEL6.4 64-bit server install
  • CIS hardened
  • PHP 5.3.3 (cli) (built: Jul 12 2013 04:36:18)
  • Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
  • oci8 Version => 1.4.10
  • Oracle Run-time Client Library Version => 11.2.0.2.0
  • Oracle Instant Client Version => 11.2

Note: PECL shows this version when installing: "oci8 2.0.4 (devel) Extension for Oracle Database"

However, when "php -i|grep oci8" is run it shows "oci8 Version => 1.4.10"

Getting Instant Oracle Client, PHP, and oci8 working

Get php stuff

yum install php php-devel.x86_64 php-pear php-ldap

Download and install the Oracle Instant Client RPMs (you have to register at Oracle to do this)

 rpm -ivh oracle-instantclient11.2-basic-11.2.0.2.0.x86_64.rpm
 rpm -ivh oracle-instantclient11.2-devel-11.2.0.2.0.x86_64.rpm
 rpm -ivh oracle-instantclient11.2-tools-11.2.0.2.0.x86_64.rpm

I needed to configure a proxy for PECL/pear

pear config-set http_proxy http://mrfoo:foopassword@proxy.local:80/

See if you can get OCI8

 [root@foo modules]# pecl search oci8
 WARNING: channel "pecl.php.net" has updated its protocols, use "pecl channel-update pecl.php.net" to update
 Retrieving data...0%
 Matched packages, channel pecl.php.net:
 ======================================
 Package Stable/(Latest) Local
 oci8    2.0.4 (devel)         Extension for Oracle Database

If you can, download and install it

 [root@foo modules]# pecl install oci8
 WARNING: channel "pecl.php.net" has updated its protocols, use "pecl channel-update pecl.php.net" to update
 downloading oci8-1.4.10.tgz ...
 Starting to download oci8-1.4.10.tgz (169,248 bytes)
 . ................done: 169,248 bytes
 10 source files, building
 running: phpize
 Configuring for:
 PHP Api Version:         20090626
 Zend Module Api No:      20090626
 Zend Extension Api No:   220090626
 Please provide the path to the ORACLE_HOME directory. Use 'instantclient,/path/to/instant/client/lib' if you're compiling with Oracle Instant Client [autodetect] : 
 building in /var/tmp/pear-build-root3ndIn0/oci8-1.4.10
 running: /var/tmp/oci8/configure --with-oci8
 checking for grep that handles long lines and -e... /bin/ 
 ---------------------------------SNIP --------------------------------------------

If you have CIS hardened, you may get this error when running the above

shtool at '/var/tmp/oci8/build/shtool' does not exist or is not executable

So do this and try again

mount -o remount,exec /var/tmp/

It should all make and install, but you may see this warning

configuration option "php_ini" is not set to php.ini location
 You should add "extension=oci8.so" to php.ini

PHP now keeps “ini” files in /etc/php.d/, it tells you this in the php.ini file

 ;;;;;;;;;;;;;;;;;;;;;;
 ; Dynamic Extensions ;
 ;;;;;;;;;;;;;;;;;;;;;;

 ;;;;
 ; Note: packaged extension modules are now loaded via the .ini files
 ; found in the directory /etc/php.d; these are loaded by default.
 ;;;;

So create a file there named “oci8.ini” with the following

 [root@foo php.d]# vi oci8.ini

 ; Enable oci8 extension module
  extension=oci8.so

Modify the php.ini file so Dev have some logging

display_startup_errors = On 
html_errors = On
date.timezone = America/Chicago
error_reporting = E_ALL | E_STRICT
display_errors = On

Restart apache, and then check if PHP & OCI8 are happy

 php -i | grep oci8
 oci8
 oci8.connection_class => no value => no value
 oci8.default_prefetch => 100 => 100
 oci8.events => Off => Off
 oci8.max_persistent => -1 => -1
 oci8.old_oci_close_semantics => Off => Off
 oci8.persistent_timeout => -1 => -1
 oci8.ping_interval => 60 => 60
 oci8.privileged_connect => Off => Off
 oci8.statement_cache_size => 20 => 20

Looking good.

Now, with Selinux in enforcing mode, apache would start and run fine, however, database look ups using oci8 failed, I tried

setsebool -P httpd_can_network_connect on

…and it still failed, in the end I set apache (httpd) to permissive, note that overall the server is still in enforcing mode, you are just setting apache to permissive

semanage permissive -a httpd_t

Then stop/start httpd – note, reloading didn’t work, it had to be stopped and restarted, and then it all worked, now this probably isn’t the most secure way of getting apache working with selinux, but it’s a starting point.

Useful paths and commands

/usr/lib/oracle/11.2/client64/
/usr/lib64/php/modules

List selinux booleans status

 semanage boolean -l
 sestatus -b | grep httpd | grep on$

Find selinux contexts

ps -eZ|grep httpd

CentOS6.4 – X11 Forwarding session using SSH fails

From time to time I use X11 forwarding to connect to various web management interfaces on remote servers, I had just done a new install of CentOS6.4 64-bit minimal to try out Backuppc, went to run the webGUI by doing the usual

ssh -X mrfoo@foo firefox --no-remote

and got the following error…

process 5513: D-Bus library appears to be incorrectly set up; failed to read machine uuid: Failed to open "/var/lib/dbus/machine-id": No such file or directory

Easy fix I think, minimal install, no Firefox, so I install Firefox, still no joy, same error persists.

Some things seem to have changed, and they may have done this to make things a little bit more secure, but if you need X11 forwarding,  here is what I did to fix it.

In /etc/ssh/sshd_config, uncomment and set to “yes” and “10” the following and then reload ssh

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

Now you need to install xorg-x11-xauth.x86_64

[root@foo .ssh]# yum install xorg-x11-xauth.x86_64

This will not fix it yet, if you look in /var/lib/dbus you will see that the file "machine-id" is either empty or missing, to fix do:

 dbus-uuidgen --ensure

Now when you look at /var/lib/dbus/machine-id you should see an ID string there.

That’s it, it should now work.


Samba troubleshooting tips & tricks

You are having problems getting samba to be at your beck and call, and it’s not working as it should, well here are a few things to help you diagnose things – it’s assumed you have the basics already configured.

First, crank up the logging by adding the following to the smb.conf file. Cranking the log level up to 2 will log the IP numbers when a client connects, and show any authentication issues and the such like.

log file = /var/log/samba/log.%m
log level = 2 

Also, double check you have your winbind separator set correctly, for example, if you have a share defined in the smb.conf something like this

[http_log]
        comment = /var/log/httpd
        path = /var/log/httpd
        guest ok = no
        read only = yes
        force user = root
        valid users = FOO\mrfoo

Then make sure the smb.conf has this line

winbind separator = \

Sometimes it may be a “+” character, just make sure they match.

And here are other checks/tests you can do.

Also, if you are integrating Samba into Active Directory, (security = ADS) and you are having trouble getting your AD groups to work, check the syntax for your valid users line in the smb.conf, for example:

valid users = FOO\domaingroup – will not work, however, valid users = @"FOO\domaingroup" does work, the quotes are important.
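
A small lint for the two mistakes described above (a "valid users" entry that does not use the configured winbind separator, and a domain group without quotes), as an added example that is not part of the original post or of Samba. The function names and the sample smb.conf are constructed, and treating \, + and / as the candidate separators is an assumption.

```python
import re

# Constructed smb.conf: a share like the one in the post, with the separator
# set to "+" and two deliberately wrong "valid users" entries.
SAMPLE_SMB_CONF = r"""
[global]
        security = ADS
        winbind separator = +

[http_log]
        path = /var/log/httpd
        read only = yes
        valid users = FOO\mrfoo

[tomcat_log]
        path = /var/log/tomcat5
        valid users = @FOO+domaingroup, @"FOO+admins"
"""

CANDIDATE_SEPARATORS = "\\+/"  # assumption: characters used between domain and name


def parse_smb_conf(text):
    """Return {section: {parameter: value}}, skipping '#' and ';' comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # parameter names are case-insensitive; collapse repeated spaces
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def lint_valid_users(text):
    """Return (share, entry, problem) tuples for suspicious valid users entries."""
    conf = parse_smb_conf(text)
    sep = conf.get("global", {}).get("winbind separator", "\\")
    findings = []
    for share, params in conf.items():
        entries = re.findall(r'[@+&]*"[^"]*"|[^\s,]+', params.get("valid users", ""))
        for entry in entries:
            name = entry.lstrip("@+&").strip('"')
            wrong = [c for c in CANDIDATE_SEPARATORS if c != sep and c in name]
            if wrong and sep not in name:
                findings.append(
                    (share, entry, f"uses '{wrong[0]}' but winbind separator is '{sep}'"))
            if entry.startswith("@") and sep in name and '"' not in entry:
                findings.append((share, entry, "domain group is not quoted"))
    return findings


if __name__ == "__main__":
    for share, entry, problem in lint_valid_users(SAMPLE_SMB_CONF):
        print(f"[{share}] {entry}: {problem}")
```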

Test the smb.conf

[root@foo samba]# testparm -v|less

Check status

[root@foo samba]# smbstatus
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[http_log]"

Samba version 3.5.6-86.el6_1.4
PID     Username      Group         Machine                        
-------------------------------------------------------------------

Other useful commands

  • net ads info – check if it is joined
  • kinit mrfoo@FOO.LOCAL – check domain authentication, capitalization is important
  • getent passwd, or getent passwd "FOO.LOCAL\mrfoo" - check password authentication
  • net lookup dc – check it is pointing to your domain controllers
  • wbinfo -g – should pull a list of groups from the FOO domain
  • wbinfo -t – check trust relationship
  • klist – check you have a valid kerberos ticket
  • id mrfoo@FOO.LOCAL – check user account functionality

If you are using selinux and you cannot access a share, try the following:

chcon -R -t samba_share_t "/var/log/httpd/"
chcon -R -t samba_share_t "/var/log/tomcat5/"

Rolling back Samba to an older version on RHEL

I recently had the need to downgrade the version of samba that comes with RHEL6.4 64-bit, I had authentication issues within our domain environment with the newer versions, older versions of samba seem to work fine, so I needed to downgrade samba:

From
samba_x86_64-3.6.9-151.el6_4.1 to samba-3.5.6-86.el6_1.4

The first thing I tried was the yum downgrade option, but the yum plugin yum-allowdowngrade is not in the RHEL repos, never mind I’ll just erase them and start over, so

Stop samba

[root@foo samba]# service smb stop
[root@foo samba]# service winbind stop

Erase it (this also removes winbind)

[root@foo samba]# yum erase samba

Now I need to see if the repos have an older version

[root@foo samba]# yum --showduplicates list samba

This displayed several previous versions, the version I wanted was samba.x86_64-3.5.6-86.el6_1.4, so I try

[root@foo samba]# yum install samba.x86_64 3.5.6-86.el6_1.4

…and it doesn’t work, the fix is to drop the architecture part ".x86_64", and then it works

[root@foo samba]# yum install samba-3.5.6-86.el6_1.4

Okay, this is great, now I have it installed I want it to stay at this version, so we can use "yum-versionlock"

Download/install it

[root@foo samba]# yum install yum-versionlock

And now version lock samba

[root@foo samba]# yum versionlock samba

All is going great…or so I think, I now realize that I need a matching version of winbind for this older version of samba, so do

[root@foo samba]# yum --showduplicates list samba-winbind.x86_64

So let’s install it

[root@foo samba]# yum install samba-winbind-3.5.6-86.el6_1.4

And let’s version lock this as well

[root@foo samba]# yum versionlock samba-winbind.x86_64

That’s it, you’re done.

As a side note, the downgrade fixed the problem immediately, I even used the same smb.conf file I was using with the latest (and seemingly not so great) samba-3.6.9-151.el6_4.1, along with pam.conf, krb5.conf, I have 5 other servers that had the exact same issue, and even a couple of Solaris 10 servers, so I’m fairly certain it is a bug/issue within samba, if I have time I may file a bug report to RedHat.

 

 


Creating a SELinux policy for the named daemon in a chrooted BIND9 configuration

I recently configured a chrooted BIND9 slave on RHEL6.4 64-bit, with SELinux enabled, with this enabled the named daemon failed to start, easily tested by disabling SELinux, and then starting it, which would then be successful. So, I needed to create a SELinux policy for my chrooted named daemon.

First problem was finding audit2allow, with RHEL it comes bundled with the SELinux policy core python utilities, discovered by doing:

 [root@foo mrfoo]# yum provides /usr/sbin/semanage
 Loaded plugins: product-id, security, subscription-manager
 This system is receiving updates from Red Hat Subscription Management.
 rhel-6-server-cf-tools-1-rpms                                                                 
 rhel-6-server-rhev-agent-rpms                                                              
 rhel-6-server-rpms                                                                         
 rhel-6-server-rpms/primary_db                                                                
 policycoreutils-python-2.0.83-19.8.el6_0.x86_64 : SELinux policy core python utilities
 Repo        : rhel-6-server-rpms
 Matched from:
 Filename    : /usr/sbin/semanage
------------ SNIP -----------------

If you need to get it:

 [root@foo mrfoo]# yum install policycoreutils-python-2.0.83-19.30.el6.x86_64

Temporarily set SELinux to permissive mode – this will not survive reboots

 [root@foo ~]# echo 0 > /selinux/enforce

Check SELinux status

 [root@foo mrfoo]# sestatus
 SELinux status: enabled
 SELinuxfs mount: /selinux
 Current mode: permissive
 Mode from config file: enforcing
 Policy version: 24
 Policy from config file: targeted

Ok, we are good here, what we are going to do is keep the host running in permissive mode for a period of time, the errors will be captured in /var/log/audit/audit.log, we then use the information in the audit.log to build a new SELinux security policy, a sort of learning mode if you like.

Now, for my chroot named issue I had a crap load of errors logged in audit.log

 type=AVC msg=audit(1378217553.839:23401): avc: denied { write } for pid=1999 comm="named" name="named" dev=dm-1 ino=104021 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
 type=AVC msg=audit(1378217553.839:23401): avc: denied { add_name } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
 type=AVC msg=audit(1378217553.839:23401): avc: denied { create } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
 type=AVC msg=audit(1378217553.839:23401): avc: denied { write } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" dev=dm-1 ino=104060 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0

You can also use this command to search audit logs

 [root@foo audit]# ausearch -m avc -c named

So, let’s grep some of that log to create the basis for our new SELinux policy

[root@foo audit]# grep named audit.log |audit2allow -m named > named.te

Now use this to create the policy

 [root@foo audit]# grep named audit.log |audit2allow -M namedchroot
 ******************** IMPORTANT ***********************
 To make this policy package active, execute:
semodule -i namedchroot.pp

Now load and make the module active, just as it suggests

 semodule -i namedchroot.pp

Check it is loaded

 [root@foo audit]# semodule -l
 namedchroot 1.0

Reboot and then do a few checks:

  • The named daemon started without errors
  • The audit.log to see if it is clear of errors for named
  • That BIND is working, records transfer and the such like
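
To review what a module built this way will grant before loading it with semodule -i, the denials can be grouped into the allow rules they imply. This is an added example, not part of the original post and not audit2allow itself; the function names and the fifth sample record are constructed. It filters on comm and source domain because "grep named" also matches records that only mention named, and the same call with "httpd" and "httpd_t" applies to the denials logged after "semanage permissive -a httpd_t" in the oci8 post above.

```python
import re
from collections import defaultdict

# The first four records are the denials quoted in the post; the fifth is
# constructed to show a record that `grep named` matches although the named
# daemon did not cause it.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1378217553.839:23401): avc: denied { write } for pid=1999 comm="named" name="named" dev=dm-1 ino=104021 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1378217553.839:23401): avc: denied { add_name } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1378217553.839:23401): avc: denied { create } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1378217553.839:23401): avc: denied { write } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" dev=dm-1 ino=104060 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0
type=AVC msg=audit(1378217600.101:23410): avc: denied { read } for pid=2100 comm="logrotate" name="named.log" dev=dm-1 ino=104099 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:named_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)'
    r'(?:\s+tclass=(?P<tclass>\S+))?'
)


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def summarize_denials(log_text, comm, domain):
    """Group AVC denials caused by `comm` running in `domain` into allow rules.

    Returns (allow_rules, skipped); skipped lists records left out and why.
    """
    rules = defaultdict(set)
    skipped = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial
        if m["comm"] != comm or selinux_type(m["scon"]) != domain:
            skipped.append((line, "other process or domain"))
        elif m["tclass"] is None:
            skipped.append((line, "no tclass (truncated record)"))
        else:
            key = (domain, selinux_type(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    allow_rules = [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]
    return allow_rules, skipped


if __name__ == "__main__":
    allow_rules, skipped = summarize_denials(SAMPLE_AUDIT_LOG, "named", "named_t")
    print("\n".join(allow_rules))
    for line, reason in skipped:
        print(f"skipped ({reason}): {line[:60]}...")
```

Anything the summary lists that the daemon should not need is a reason to edit named.te before building the module rather than loading it as generated.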