Categories
Cell Phones Communications Networking WTF

OpenWRT Quality-of-Service module caveat: speed limit

As I still have “issues” with my DSL line being extremely slow during certain times (especially between 18:30 and 23:00), I wanted to use USB tethering from my OpenWRT router to my Android LTE phone to enjoy the massive speed I have in our area (up to 90 MBit/s downlink and 70 MBit/s uplink, according to the Ookla Speedtest.Net).

So I configured the router according to the OpenWRT wiki. The internet connection did not come up immediately, and I couldn’t find out why, so as a last resort I rebooted the router. After I switched on USB tethering again on my mobile phone (which seems to be required each time you reboot the router since the mobile phone then loses the USB tethering connection), I suddenly had a working Internet connection.

However, for some reason the Internet speeds I was seeing in Ookla’s web browser-based speed test (which is a Flash applet) were very disappointing, around the same speeds I’m used to with my DSL line (14 MBit/s downlink, about 0.8 MBit/s uplink). I thought it might be an issue with USB tethering not working well in my build of OpenWRT (still r39582), so I tried USB tethering with my Mac (using HoRNDIS). I got the full speed I expected. So back to OpenWRT…

Then suddenly I suspected what might be going on: Since I had more or less exactly the same speed as my DSL connection (with the uplink of less 1 MBit/s being dramatically slower than what I should get via LTE) I thought about what could possibly limit the speed. And then I remembered that in the “Quality of Service” (QoS) module I configured the speeds of my DSL line (at the top of the page, in the Download speed (kbit/s) and Upload speed (kbit/s) fields). Could it be that these settings actually limit your speed to these values?!

I disabled QoS, and immediately thereafter I got the full LTE speed I expected.

So, another thing learnt.

I hope this helps people who might be in a similar situation…

Categories
Security

Outlook.com breaks DKIM signatures

I’m currently implementing DKIM support for my Exim mail server, and due to this I’m sending a lot of test messages to all major freemail providers in Europe and the USA.

I noticed that Outlook.com breaks DKIM signatures since they modify one header as follows:

The original header I sent is

Content-Type: text/plain; charset=ISO-8859-1; format=flowed

while the header which I see when I fetch the received message with IMAP is the following:

Content-Type: text/plain; charset="ISO-8859-1"; format=flowed

Noe the extra “double quotes” around the charset which are not transparent to “relaxed” Header Canonicalization. This causes Thunderbird’s “DKIM Verifier” extension to fail on this message.

What’s strange is that Outlook itself succeeds internally to verify the DKIM signature, so the modification to said header probably occurs after checking the original header. See below for what the header of the received message says about authentication:

Authentication-Results: ... dkim=pass (identity alignment result is pass and alignment mode is strict) header.d=example.org;

To solve this small issue I modified Exim’s list of headers to be signed as follows. Original set is

Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID

while I now only sign the following (which I consider to be sufficient):

Subject:To:From:Date:Message-ID

Let me know if you have any comments or suggestions.

Categories
Computers Security

Insecure self-updates via plain HTTP

Yesterday I discovered by chance (since I was running the program whose name I will not disclose yet on my Mac where I’m using Little Snitch to control outgoing connections) that a program created by one of the few software giants does not use SSL to ensure the integrity of self-updates, but just uses plain HTTP so that attackers can modify downloads and thereby introduce malicious code.

Immediately I got in touch with the manufacturer of the application, and only 9 hours later they came back to me with the below response:

Right now <unnamed product> download server supports only HTTP and not HTTPS, so we don't have any immediate solution to offer. However we are keeping notes of this concern and we will address it.

Is this not simply unbelievable?!

Remember we’re not talking about someone who does this for a hobby, who may not have the money or time or even knowledge to implement SSL on their server. But we’re talking about one of the largest IT companies in the world… 🙁

I will now wait for a while, and if they haven’t fixed the issue by then I will disclose it on my blog anyway to put pressure on them… But maybe they do it intentionally in order to aid the NSA?! :-/

Categories
Computers Networking

How to properly benchmark your broadband connection

Since a while my broadband connection gets slow frequently, so I wanted to perform regular benchmarking probes and create a graph to illustrate the actual uplink and downlink speed.

Your first approach to this might be to download and upload a payload, measure the time this took, and divide the sizes of the files you downloaded and uploaded by the times it took. But this approach is seriously flawed… Why? Simple. In a usual scenario you have a router that terminates your internet connection, so eventually other LAN clients will cause traffic at the same time you’re performing your probe. This would “limit” the bandwidth you have for your probe, and thus artificially reduce the speed you calculate.

So how to do it properly? You should ask your internet gateway (your router) for the traffic it sees.

Categories
Networking Routers

Arcor bzw. Vodafone EasyBox 803A: Verwendung nur als “Modem”

Bisher habe ich an meinem Arcor- bzw. nunmehr Vodafone-ISDN/DSL-Anschluss noch separate Komponenten verwendet: Splitter, ISDN NTBA und Speed-Modem 200. Aus aktuellem Anlass (plötzlich drastische Einbrüche bei der Internet-Geschwindigkeit von normal 16 MBit/s auf teilweise nur 1-3 MBit/s) habe ich diese jedoch gegen eine Vodafone EasyBox 803A ausgetauscht, weil ich einen Defekt des Modems oder Splitters vermutet hatte.

Die EasyBox ist recht clever konstruiert, sie kann nämlich selbständig feststellen, ob sie an einem Analog-/ISDN-Anschluss betrieben wird, wo der Splitter benötigt wird (um das UK0-Signal für den NTBA abzutrennen), oder an einem reinen DSL-Anschluss (NGN), wo er nicht benötigt wird, weil dort Sprache per VoIP über DSL übertragen wird. Je nachdem wird also der Splitter und NTBA in den Signalweg eingeschliffen oder nicht. Das ist das Klickgeräusch beim Einschalten der Box! Man sollte bei Verwendung der EasyBox einen evtl. noch vorhandenen separaten Splitter aus dem Signalweg entfernen und die EasyBox direkt an die “erste” TAE-Dose (früher “Monopoldose” genannt) anschließen, um die Dämpfung (“Leitungsqualität”) zu verbessern (und damit ggf. noch ein wenig zusätzliche Geschwindigkeit aus dem DSL-Anschluss “herauszukitzeln”).

Categories
Computers Mac Security

iTunes app downloads are unsafe…

I recently bought Little Snitch because it was on sale, and just found something strange…

I launched iTunes to download an app that’s currently available for free (ok, so I am a cheapskate… ;-)), and when the actual download was about to start Little Snitch asked for confirmation to allow iTunes to connect to phobos.apple.com on port 80, meaning that the download is not protected by SSL…

IMHO this is a big security risk since it allows attackers to manipulate your download and replace the original app by another one (e. g. one that contains malicious code).

I can’t see any reason why Apple would intentionally not protect downloads by SSL — it just seems to be very bad, careless design… 🙁

What do you think?

Categories
Computers Networking

OpenWRT: Easy and secure guest WLAN access

I use OpenWRT on my TP-Link TL-WDR3500, and I have a guest WLAN defined on each of the two radios (2.4 and 5 GHz). The guest WLANs are isolated from my LAN, i. e. guest WLAN stations can’t talk to any of my own hosts (either on the WLAN, or in the LAN, i. e. hosts connected via Ethernet). Guest WLAN stations also can’t talk to each other. The actual OpenWRT configuration (apart from passwords, of course ;-)) is not a secret, I will publish an article about that soon.

For security reasons I didn’t want a static guest WLAN password, but one that changes daily, so that I don’t have to manually revoke the right to use my WLAN by changing the password all the time. So I created two tiny scripts, one that actually changes the active WLAN password every day, and one CGI script that displays the password so that I can give it to my guests.

Here’s the first one that sets the password. I run it from cron at 00:01 every day:

 #!/bin/ash
 SALT="theSalt"
 DATE=`date -I`
 PWD=`echo -n "${SALT}${DATE}" | md5sum | cut -c1-16`
 CHANGE=0

 if [ `uci get wireless.@wifi-iface[2].network`x = guestlanx ]; then
   uci set wireless.@wifi-iface[2].key=$PWD
   CHANGE=1
 fi
 if [ `uci get wireless.@wifi-iface[3].network`x = guestlan2x ]; then
   uci set wireless.@wifi-iface[3].key=$PWD
   CHANGE=1
 fi
 if [ $CHANGE -eq 1 ]; then
   uci commit wireless
   wifi
 fi

And here’s the CGI script that needs to go to /www/cgi-bin to show the current password:

#!/bin/ash
SALT="theSalt"
SSID="Guest-WLAN"
DATE=`date -I`
PWD=`echo -n "${SALT}${DATE}" | md5sum | cut -c1-16`

echo "Content-Type: text/plain"
echo ""
echo "Today's Guest Password for $SSID is $PWD"

Don’t forget to make the scripts executable by running “chmod +x <script>“.

If you find this helpful I would appreciate your feedback.

Categories
Communications Computers Networking

Windows 7 PPPoE-Protokoll schlecht implementiert?

Anläßlich eines Problems mit meinem Vodafone 16 MBit/s-DSL-Anschluss — Geschwindigkeit ging plötzlich dramatisch in die Knie, ca. 1-2 MBit/s nur noch! — habe ich testweise die PPPoE-Verbindung direkt vom Laptop unter Windows 7 über das Arcor-DSL Speed-Modem 200 zum Konzentrator bei Vodafone aufgebaut. Auf diese Weise wurde das Modem als “Schuldiger” ausgemacht: Ein baugleiches Ersatzmodem lieferte sofort über 14 MBit/s!.

Nachdem ich dann wieder das DSL-Modem mit dem TP-Link TL-WDR3500-Router (mit OpenWRT als Firmware) verkabelt hatte, stellte ich plötzlich erstaunt Folgendes fest: Die Ping-Round-Trip-Zeiten gingen von 31-32 ms (unter Windows 7 als PPPoE-Client) deutlich herunter auf 21 ms (mit OpenWRT Barrier Breaker r39582 als PPPoE-Client). Das ist insofern sehr erstaunlich, da ja nun eine 802.11an-WLAN-Strecke und der Router als zusätzliche Latenz erzeugende “Komponenten” hinzu kamen!

Ich interpretiere das so, dass die PPPoE-Implementierung unter OpenWRT der von Windows 7 deutlich überlegen ist, da sie offensichtlich “schneller” bzw. “effizienter” ist. Bevor jetzt jemand sagt “Vielleicht hast Du einen krötenlangsamen Laptop verwendet?” — nein, das ist nicht der Fall, es war ein Lenovo X220 mit einem Core i5-Prozessor mit 2.5 GHz…. Und der Laptop war dauernd “idle”… 🙂

Eure Meinung zu dieser Interpretation würde mich sehr interessieren, daher würde ich mich über Kommentare freuen.

Categories
Security

Nagios check for Avira AntiVirus definitions

I wrapped up a quick script to check whether my Avira AntiVirus definitions are current. Since it might be useful to other people I thought I’d just publish it here:

#!/bin/bash

YOUNGEST_FILE=$(ls -tr /usr/lib/AntiVir/guard/*.vdf|tail -1)

WARN=$1
CRIT=$2
WARN=$((${WARN:=3} * 86400))
CRIT=$((${CRIT:=7} * 86400))

function age() {
   local filename=$1
   local changed=`stat -c %Y "$filename"`
   local now=`date +%s`
   local elapsed

   let elapsed=now-changed
   echo $elapsed
}

FILEAGE=$(age "${YOUNGEST_FILE}")

if [ $FILEAGE -gt $CRIT ]; then
    echo "CRITICAL - Youngest file is $FILEAGE sec old"
    exit 2
elif [ $FILEAGE -gt $WARN ]; then
    echo "WARNING - Youngest file is $FILEAGE sec old"
    exit 1
else
    echo "OK - Youngest file is $FILEAGE sec old"
fi

The default (if you don’t supply any command-line parms) is to warn if the youngest of all virus definition files is older than 3 days, and a critical alert will be triggered if it is older than 7 days. If you supply only one parm it will change the number of days until a warning is triggered, and if you also supply the second parm it will also change the days for a critical alert.

I hope this is useful for someone!

Categories
Linux

How to roll your own DynDNS…

I didn’t want to rely upon services like DynDNS.org (which obviously was a smart decision since they now pretty much closed their free service) so I rolled my own…

What you need is the following:

  1. Host your domain yourself using the popular nameserver “Bind.”
  2. Host a small CGI script that will tell you your external IP (or use one of the many free services available that do the same).
  3. Run a machine within your LAN 24×7 which can detect changes of your external IP and update your hostname accordingly.

Step 1: Setup Bind for Dynamic DNS Update

to do

Step 2: CGI Script

The CGI script that needs to be deployed somewhere in the Internet to tell you your external IP is very simple and tiny and looks like this:

#!/bin/bash
echo "Content-type: text/plain"
echo ""
echo "$REMOTE_ADDR"

Step 3: External IP Probe

Here’s the script that needs to run periodically on a machine (I use Ubuntu server) within your LAN (or on your Internet gateway, although if you have the means to run stuff on your gateway you could employ a more elegant, “proper” solution):

#!/bin/bash
lockfile="/run/extip"
lockfile-check $lockfile
if [ $? -eq 0 ]; then
    echo "Locked, bailing out..."
    exit 1
fi

lockfile-create $lockfile
filename="/var/lib/extip.txt"
logfile="/var/log/extip.log"
keyfile="/root/var/lib/dyndns/Kmyhost.dyn.example.org.+163+56719.key"
cur_ip=`curl -s http://example.org/cgi-bin/myip.sh`
prev_ip=`cat $filename`
if [ $cur_ip != $prev_ip ]; then
    echo "`date --rfc-3339=seconds` IP changed, old IP: $prev_ip, new IP: $cur_ip" >>$logfile
    echo "$cur_ip" >$filename
    # Wait 5 sec to complete, force kill if nsupdate not done after 10 sec
    timeout -k 10s 5s nsupdate -k $keyfile -v<<EOF
server example.org
zone dyn.example.org.
update delete myhost.dyn.example.org. A
update add myhost.dyn.example.org. 60 A $cur_ip
send
EOF
fi
lockfile-remove $lockfile

The above script — even though it’s pretty small — is not a quick’n’dirty hack, but even employs some sanity checks:

  • It makes sure that only one instance is running at any time, and
  • it uses the timeout command from the Linux coreutils package to enforce that the nsupdate command will be terminated if it takes longer than 10 s (e. g. due to network issues).

I run the above script once a minute as follows:

# cat /etc/cron.d/extip 
* * * * * root /usr/local/bin/pubextip.sh

That’s it!

Let me know what you think. Suggestions how to improve things are, as always, very welcome!