Linux

How to roll your own DynDNS…

Post author By Ralf Bergs
Post date 2013-08-25
No Comments on How to roll your own DynDNS…

I didn’t want to rely upon services like DynDNS.org (which obviously was a smart decision since they now pretty much closed their free service) so I rolled my own…

What you need is the following:

Host your domain yourself using the popular nameserver “Bind.”
Host a small CGI script that will tell you your external IP (or use one of the many free services available that do the same).
Run a machine within your LAN 24×7 which can detect changes of your external IP and update your hostname accordingly.

Step 1: Setup Bind for Dynamic DNS Update

to do

Step 2: CGI Script

The CGI script that needs to be deployed somewhere in the Internet to tell you your external IP is very simple and tiny and looks like this:

#!/bin/bash
echo "Content-type: text/plain"
echo ""
echo "$REMOTE_ADDR"

Step 3: External IP Probe

Here’s the script that needs to run periodically on a machine (I use Ubuntu server) within your LAN (or on your Internet gateway, although if you have the means to run stuff on your gateway you could employ a more elegant, “proper” solution):

#!/bin/bash
lockfile="/run/extip"
lockfile-check $lockfile
if [ $? -eq 0 ]; then
    echo "Locked, bailing out..."
    exit 1
fi

lockfile-create $lockfile
filename="/var/lib/extip.txt"
logfile="/var/log/extip.log"
keyfile="/root/var/lib/dyndns/Kmyhost.dyn.example.org.+163+56719.key"
cur_ip=`curl -s http://example.org/cgi-bin/myip.sh`
prev_ip=`cat $filename`
if [ $cur_ip != $prev_ip ]; then
    echo "`date --rfc-3339=seconds` IP changed, old IP: $prev_ip, new IP: $cur_ip" >>$logfile
    echo "$cur_ip" >$filename
    # Wait 5 sec to complete, force kill if nsupdate not done after 10 sec
    timeout -k 10s 5s nsupdate -k $keyfile -v<<EOF
server example.org
zone dyn.example.org.
update delete myhost.dyn.example.org. A
update add myhost.dyn.example.org. 60 A $cur_ip
send
EOF
fi
lockfile-remove $lockfile

The above script — even though it’s pretty small — is not a quick’n’dirty hack, but even employs some sanity checks:

It makes sure that only one instance is running at any time, and
it uses the timeout command from the Linux coreutils package to enforce that the nsupdate command will be terminated if it takes longer than 10 s (e. g. due to network issues).

I run the above script once a minute as follows:

# cat /etc/cron.d/extip 
* * * * * root /usr/local/bin/pubextip.sh

That’s it!

Let me know what you think. Suggestions how to improve things are, as always, very welcome!

Tags dynamic DNS, DynDNS

Security

Enabling Forward Secrecy in Apache

Post author By Ralf Bergs
Post date 2013-07-27
20 Comments on Enabling Forward Secrecy in Apache

I tried to follow the instructions given in this article by Ivan Ristic, but somehow it seems not to be working, or the test at https://www.ssllabs.com/ssltest/ might be broken… 🙁

Unfortunately I can’t seem to comment on Ivan’s article (I even registered just to reply), so I created this blog post, hoping that my trackback will work…

This is what I have in Apache:

SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

According to the output of openssl ciphers this should enable the following cipher suites (filtered by only those that contain ECDHE):

ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1

As far as I can tell this should include the below cipher suites which supposedly enable forward secrecy:

    TLS_ECDHE_RSA_WITH_RC4_128_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

Unfortunately the above SSL test shows the following when running towards my Apache:

Forward Secrecy 	No

Does anyone know what that means? Is the test just broken, or am I misunderstanding anything?

Tags forward secrecy, TLS

Personal Navigation Devices

Erste Eindrücke vom Becker Ready 50 LMU

Post author By Ralf Bergs
Post date 2013-07-19
No Comments on Erste Eindrücke vom Becker Ready 50 LMU

Äußerlichkeiten

Nachdem ich zunächst das Garmin nüvi 150T LMT und dann das Blaupunkt TravelPilot 50 CE LMU getestet und für “ungeeignet” befunden hatte haben wir uns nunmehr das Becker Ready 50 LMU bestellt, da die Kundenmeinungen auf Amazon recht positiv sind und wir einige für uns wichtige positive Aussagen gefunden haben.

Das Gerät ist etwas dicker als die beiden erst genannten Navis, jedoch keineswegs als “dick” oder “klobig” zu bezeichnen. Das Design ist “gefällig” — wobei eine solche Einschätzung natürlich subjektiv ist.

Direkt nach dem Auspacken fiel mir auf, dass das Becker — anders als die beiden anderen Geräte — über einen Micro-USB-Anschluss (anstatt eines “veralteten” Mini-USB-Anschlusses) zum Laden verfügt. Das ist insofern positiv, als die überwiegende Mehrzeit der in den letzten Jahren auf den Markt gekommenen Handys über einen eben solchen Anschluss verfügen, so dass in beinahe jedem Haushalt ein entsprechendes 230 Volt-Ladegerät existieren dürfte — mitgeliefert wird lediglich ein Autoladegerät, was aus dem vorgenannten Grund kein Problem sein dürfte.

Der Saugnapfhalter für das Becker Navi ist sehr kompakt, so dass er leicht im Handschuhfach oder in Schubladen/Fächern unter dem Sitz verstaut werden kann. Anders als viele andere Halter, bei denen das Navi per “Klemmkraft” eingerastet wird, hat der Halter des Beckers einen federunterstützten Rastmechanismus. Potenziell halte ich das für haltbarer und damit für die bessere Lösung — ob das tatsächlich so ist wird sich erst noch zeigen…

Das Becker verfügt über ein sehr ausführliches “Information”-Menü, dem man sämtliche Versionsstände für das Navigationsprogramm, Karten, Sprachdateien, TMC, POI, zeitabhängige Routinginformationen, etc. entnehmen kann. Das habe ich bisher bei keinem Navi gesehen — sehr lobenswert! Ab Werk verfügt das Gerät über die Software-Version 9.6.1.215570 (SR2). Die Deutschland-Karte vom Anbieter Navteq hatte den Stand 2011.Q1, war also mehr als zwei Jahre alt. Eigentlich schon das erste Ärgernis, denn selbst wenn man das Erscheinungsdatum des Geräts von circa 5/2012 berücksichtigt war die Karte auch damals schon älter als ein Jahr. Egal, auf Grund der kostenlosen “lebenslang” verfügbaren Kartenupdates ist das kein Problem. Mitgeliefert werden übrigens Karten von 44 europäischen Ländern — für uns wäre noch USA interessant, aber diese Karte gibt es fast nirgendwo kostenlos dabei, diese muss extra erworben werden.

Tags GPS, Navi, Navigationsgeräte, Navigationssysteme, Straßennavigation

Debian

Debian 6.0 to 7.0 upgrade issues…

Post author By Ralf Bergs
Post date 2013-05-18
No Comments on Debian 6.0 to 7.0 upgrade issues…

I upgraded from Debian 6.0 (Squeeze) to Debian 7.0 (Wheezy) today. In general the upgrade was relatively painless, but as always some things went worse than they could… 🙁

My local Subversion repository is using a Berkeley DB, and the underlying BDB version went up from 4.8 to 5.1. In consequence I got an error when I wanted to check in a changed config file:

svn: DB_VERSION_MISMATCH: Database environment version mismatch
svn: bdb: Program version 5.1 doesn't match environment version 4.8

I remember that this has already been an issue with the last major Debian upgrade… Did I miss something in the release notes or package doc, or did the Debian folks miss this one?!

Anyway, here’s how to repair the above (based on instructions found here). Install packages db4.8-util and db5.1-util and execute the following commands:

# cd /path/to/repo
# db4.8_checkpoint -1
# db4.8_recover
# db4.8_archive
log.0000000024
# svnlook youngest ..
746
# db5.1_archive -d

Afterwards you can remove the two packages again.

Next thing I noticed

Tags Debian, Squeeze, subversion, svn, upgrade, Wheezy

Personal Navigation Devices

QuickGPSfix bei TomTom

Richte gerade für meinen Vater ein neues TomTom XXL Classic ein. Dabei stolpere ich über ein nettes Feature, das sich “QuickGPSfix” nennt. Was verbirgt sich dahinter? Es handelt sich um die Offline-Aktualisierung des Navis mit A-GPS-Daten.

A-GPS ist ein Verfahren, bei dem der GPS-Chip bestimmte Informationen über Satellitenstandorte, Satellitenstatus, etc. erhält. Dadurch kann der sogenannte “Fix”, also die Posititonsbestimmung, deutlich schneller durchgeführt werden als ohne diese Informationen, oft innerhalb weniger Sekunden.

Bei Handys ist dieses Verfahren seit Jahren Standard. Diese beziehen die A-GPS-Daten online aus dem Internet. Bei den meisten Navis ist dies nicht möglich (abgesehen von denen, die eine SIM-Karte zur M2M-Kommunikation enthalten). Sehr clever ist daher die Aktualisierung über ein Programm auf dem PC. Die A-GPS-Daten werden üblicherweise für einen Zeitraum von etwa sechs Tagen in die Zukunft von einem Feed-Server herunter geladen (so ist es jedenfalls bei meinem Bluetooth-GPS-Dongle). In diesem Zeitraum steht dann A-GPS-Unterstützung zur Verfügung. Danach muss das Navi wieder an den PC, sonst kann nur reines hardwarebasiertes GPS durchgeführt werden, bei dem ein Fix durchaus mal 30-60 Sekunden dauern kann.

Ubuntu

Issues in Ubuntu 13.04 after machine froze…

Post author By Ralf Bergs
Post date 2013-05-06
No Comments on Issues in Ubuntu 13.04 after machine froze…

I recently upgraded from Ubuntu 12.10 to 13.04, and everything seemed to be extremely smooth and painless.

However, a day or two later I suddenly noticed that the fan of my Ubuntu laptop (a Dell Latitude D630) was blowing like hell — the machine had stalled, I couldn’t wake up the desktop again, the screen remained black… I think the hang occurred after I had installed the first updates after upgrading to 13.04… Anyway, I had to hard-reboot the box… And this is when the trouble started… 🙁

Dunno what exactly happened, but the first thing I noticed was boot issues, something like “Cannot mount /boot; ext2: no such filesystem” or something close to that. And indeed the kernel in Ubuntu 13.04 seems to lack support for that admittedly ancient filesystem (cat /proc/filesystems). I fixed that by creating a journal on my /boot filesystem as follows (obviously if you have similar issues, you need to substitute your actual UUID in the command below), thereby migrating the filesystem to ext3:

sudo tune2fs -j UUID=b8ad9dbd-a514-46c8-86af-d2a9cafe3d0c

I also had to update /etc/fstab accordingly, of course:

UUID=b8ad9dbd-a514-46c8-86af-d2a9cafe3d0c /boot           ext3    defaults        0       2

Next thing I noticed that a couple of devices suddenly didn’t work: The touchpad, the touchpoint, my WiFi interface, etc. I quickly found out that obviously the modules required to support the devices weren’t loaded, and it was due to missing/broken modules dependencies. The following file which keeps those dependencies

/lib/modules/3.8.0-19-generic/modules.dep.bin

was truncated (size of 0 bytes).

So I removed it and recreated it by

sudo depmod -a

After I rebooted everything seemed to be fine again.

I hope that this concludes my negative experiences with 13.04, and that the laptop will runs as rock solid again as it used to be under 12.10.

Networking

OpenWRT on the TP-Link TL-WDR3500

Post author By Ralf Bergs
Post date 2013-04-30
16 Comments on OpenWRT on the TP-Link TL-WDR3500

I got myself a TP-Link TL-WDR3500 since it boasts great hardware (see below for detailed info), and at the same time is supported by OpenWRT which I easily found out by searching in the OpenWRT forums.

Here’s the direct link to the firmware image (current “unstable” or “bleeding edge” OpenWRT release “Barrier Breaker” — i. e. not current stable one, which is Attitude Adjustment — build r36486) which you can use to upgrade a device with the factory firmware still installed. (Update: The link refers to the “trunk”, i. e. the development branch, where daily builds are available.)

Installing OpenWRT using the stock firmware’s “Firmware Upgrade” function worked smoothly. Less than 5 mins. after I started the upgrade I had OpenWRT running (thanks, folks!).

Tags OpenWRT, TP-Link TL-WDR3500

Networking Routers

OpenWRT and DNS UPDATE

I’m hosting my domain myself on a dedicated root server, and I wanted my Internet router to automatically update a hostname in my own domain (in a designated dynamic zone) with my current public IP. With OpenWRT this was easily accomplished. I used these instructions as a starting point.

When trying to check whether everything was set up correctly I always got some strange error from the following command:

# ACTION=update INTERFACE=wan /sbin/hotplug-call iface

It turned out that the following statement

config_get ipaddr wan ipaddr

did not return the currently assigned IP address in my case, but just an empty response, so I got the following error message:

could not read rdata
syntax error

(For testing I hooked a spare router with a fresh OpenWRT install with the WAN port into my LAN, and configured the WAN interface to receive its IP address via DHCP from out of the LAN. In “production” the WAN interface receives its IP via PPPoE.)

Some friendly guy in the OpenWRT forum suggested I try the following instead:

. /lib/functions/network.sh
network_get_ipaddr ipaddr wan

And indeed this worked well.

Tags dynamic DNS, OpenWRT, TSIG

Security

PayPal-Sicherheitsschlüssel

Post author By Ralf Bergs
Post date 2013-04-20
19 Comments on PayPal-Sicherheitsschlüssel

Gestern wollte ich während eines Bestellvorgangs mit PayPal bezahlen als ich feststellte, dass mein PayPay-Sicherheitsschlüssel nicht mehr funktionierte. Egal wie oft ich den Knopf zur Anzeige eines Sicherheitscodes drückte, das Display blieb ohne Funktion, das Gerät war wie “tot”.

Es handelt sich bei meinem Modell noch um den ursprünglichen Schlüssel (und nicht den neuen im Kreditkartenformat), der eine gewisse Ähnlichkeit mit den ersten RSA SecurID-Tokens hat:

Das Teil war jetzt über sechs Jahre alt, daher ging ich davon aus, dass schlicht und einfach die Batterie leer war. Da ich nicht riskieren wollte dass mein Bestellvorgang wegen Inaktivität abgebrochen wurde, wollte ich den Schlüssel möglichst schnell “reparieren”.

Tags eBay, PayPal, security, Sicherheit, Two Factor Authorization

Debian

Solved: WordPress on Debian and media uploads not working

Post author By Ralf Bergs
Post date 2013-04-18
No Comments on Solved: WordPress on Debian and media uploads not working

I was struggling with a problem that I couldn’t upload media files to my blog — which I host myself on a Debian box in a multi-site configuration. When I tried to do so I got an error message saying that WordPress couldn’t write to the directory. Actually I had this very problem since 2005 when I started this blog — I never took the time to really investigate it (but used the work-around to refer to static content I manually uploaded to my web-server document directory)… 😉

Now that my wife wanted to start blogging, I finally had a good reason to fix this issue. It took me about an hour, and it was done. What I had to do was just two entries in my admin’s Settings (I might not have set up WordPress cleanly when I started it, so you might not have to manually set this) as follows:

And then I needed one Alias in my Apache configuration to redirect the URL prefix to a directory under my web-server document root:

# "Intercepts" files prefix and redirect to "local" (user's) directory
Alias /blog/files /home/rabe/var/www/bergs.biz/blog/files
# This is the prefix to the root of my blog
Alias /blog /usr/share/wordpress

That’s it! Sometimes things are so easy, and it only takes a short while to fix them… 😉

Tags media upload, multi-site, WordPress

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.