System administration

Connecting a SIP Trunk to a Remote SIP Extension

Sun, 04 Sep 2011 14:51:47 +1000

Connecting a SIP Trunk to a Remote SIP Extension

$WORK gives me a SIP extension on their Asterisk server for when I work from home.
I have an Asterisk + FreePBX box at home.
I wanted to be able to make/receive $WORK calls from home with my existing hard phones.
I didn't want to make any changes to $WORK's Asterisk server.

The SIP Extension at $WORK has the following settings:

          name: 1234
      callerid: Mick Pollard
   canreinvite: No
       context: default
      dtmfmode: rfc2833
          host: dynamic
      insecure: No
           nat: Yes
          port: 5060
       qualify: yes
        secret: 1234
          type: friend
      username: 1234

After some time researching it turns out this is not actually that hard.
The following is to be all done within FreePBX at home.

Add a SIP trunk (use the details of your SIP extension on the office asterisk server)
Add an outbound route
add an inbound route

Add a SIP Trunk

The main difference here is you should leave "USER Context" & "USER Details" blank.

Add an outbound route:

The dial rules used here should be tuned to match the extension prefixes in use at your $WORK.
We have 4 digit extensions starting with either a 12 or a 22. I have also add a special prefix of 9|.
which allows me to route a call via $WORK. This is important so that clients get $WORK's callerID and not my home number !

Add an Inbound Route (optional)

I currently have an inbound route that allows any calls to go straight to a queue but you may want to change this.
You just need to create an inbound route that will match your WORK extension.

You should now be abe to make and receive work calls on your existing phones at home.

Installing Graylog2 on Ubuntu Lucid

Sat, 25 Jun 2011 23:56:19 +1000

Installing Graylog2 via Ubuntu Packages

These packages and docs are currently beta.
The deb's are built on Ubuntu Lucid amd64 however should work on both i386 & amd64.

Please report bugs in this HOWTO or the packaging to me at aussielunix at gmail dot com.

graylog2-server

This installs graylog2-server and it's dependencies (mongodb-stable from 10gen) etc.
The graylog2-server will install all files to /opt/graylog2-server & a config file at /etc/graylog2..conf.
Be prepared as the java stuff drags in a lot of deps on a clean minimal Lucid install. (176 packages for me)

1) add public key for the 10gen mongo repository

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 7F0CEB10

2) add public key for the aussielunix (Mick Pollard) PPA

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv D77A4DCC

3) add the following four lines to /etc/apt/sources.list

# 10-gen's mongodb repos
deb http://downloads.mongodb.org/distros/ubuntu 10.4 10gen
# lunix's graylog2 debs
deb http://ppa.lunix.com.au/ubuntu/ lucid main

4) let apt see the new repositories

sudo apt-get update

5) install graylog2-server plus its deps - including java and mongodb

This will take a while - go make coffee

sudo apt-get install mongodb-stable graylog2-server

6) secure mongo - add authentication

add an admin user
add a user to mongo for collection 'graylog2'

lunix@ubuntu-dev01:~/$ mongo
use admin
db.addUser('admin', 'admin-mongo-passwd')
db.auth('admin', 'admin-mongo-passwd')
use graylog2
db.addUser('grayloguser', 'grayloguser-mongo-passwd')

7) tell graylog2-server about the mongo auth

edit /etc/graylog2.conf

mongodb_useauth = true
mongodb_user = grayloguser
mongodb_password = p4ssw0rd

8) turn mongo security on - it's off by default

edit /etc/mongodb.conf

auth = true

9) restart mongo

sudo service mongodb restart

10) start graylog2-server

sudo service graylog2-server start

Conclusion

You should now have a working graylog2-server.
You can check the process tree for a mongodb instance and a java instance and that port UDP/514 is open.
You can now modify the syslog config on the graylog2-server host to send its data to 127.0.0.1:514
Move on to graylog2-web install/configure now.

graylog2-web

This installs graylog2-web and some of it's dependencies.
The graylog2-web package will install all of it's files to /opt/graylog2-web.
All of the gem dependencies have been vendored in.
The version of rubygems is too old in the Lucid repositories so I make use of a thirdparty PPA.
This PPA is from Mackenzie Morgan - a Ubuntu Developer - https://launchpad.net/~maco.m/+archive/ruby

1) add Mackenzie's PPA

sudo apt-get install python-software-properties
sudo add-apt-repository ppa:maco.m/ruby

2) let apt see the new repositories

sudo apt-get update

3) install graylog2-web

sudo apt-get install graylog2-web

4) install budler

sudo gem install bundler

5) review/edit some rails configs:

config/mongoid.yml
confg/email.yml
config/general.yml

6) start graylog2-web as a daemon

script/rails server -eproduction -d -p3000

Conclusion

You should now have a working graylog2 server & web.

A sane Varnish version for Ubuntu Hardy

Sat, 18 Sep 2010 10:51:10 +1000

With Hardy getting a bit long in the tooth so are the versions of software.
Recently a client has tasked me to add varnish to their existing wordpress cluster.
The servers they are using are all Ubuntu Hardy and the version of Varnish in the repos is ancient (1.0.3-2)
It turns out it's not that hard to build a .deb of a more modern version of Varnish.
The following GIST shows the simple steps I used to build a Ubuntu package of Varnish 2.0.6.

Funny tech support email No.1

Fri, 30 Jul 2010 08:34:15 +1000

Funny Tech Support Email Number 1

In the late 1990's we purchased a few small ISP's and whilst auditing their old servers (terrible mess) I come across this beauty.
I thought I'd share this, plus one other, from another ISP, I found for this years System Administrator's Appreciation Day.
They both made me laugh back then and still make me laugh today. Oh how I miss the days of ISP land.

Funny tech support email No.2

Fri, 30 Jul 2010 08:34:15 +1000

Funny Tech Support Email Number 2

In the mid 2000's whilst working at an ISP the following email arrived.
It gave us all a good laugh at the time and today I share with you all for System's Administrator Appreciation Day.

Self Serve Dev Environment

Sat, 24 Jul 2010 17:12:11 +1000

Introduction

I am currently working in a web development shop. We develop and maintain a range of websites/webapps for customers.
At $WORK we have many varied customers each with their own unique Production Environments (PE from here on in).
Our $DEVs are also free to run any *nix based OS on their workstations.
One of the challeges we have had in the past is making a copy of a customer's PE easily available to our $DEVS.
This used to require lodging a task in Redmine and waiting for a Systems Admin to build you a VM on a central VM server.
This post will show how we are now using common FOSS tools to give enable to $DEVS to have VM's on their own workstations that mimick a customer's PE.

Whilst I make mention of some specific tools in this post they can be swapped out in most places for alternates however I have not tested the
alternatives yet. ie: puppet/chef, mercurial/git, centos/ubuntu.

Notes on the Challenge

needs to be simple not an obsticle - if it's slower than just getting a sysadmin to build it for you then its a fail
simplicity generally means easy to fix when something goes wrong in the wheel.
self-serve - no waiting for sysadmins
visability - everything in DVCS and Redmine (project managent software)
needed to be repeatable - $DEVs needed to easily be able to build, destroy and build again
relatively self documenting - read the kickstart or puppet manifests
I hate OS images - They're big, cumbersome and pain in my..err..storage See - Golden Image or Foil Ball?

After spending a fair amount of time on this and looking at many of the VM/cloud management solutions out there I have decided that while some are very nice and useful I do not believe they are suiteable for our situation. Most VM/cloud management tools are built around the "OS Image" and require each workstation to 'register' as a node.

Current solution

After doing the full circle of research we are now using a simple collection of existing tools.
It was all there staring me in the face all along. Libvirt, virt-install kickstart puppet, mercurial and a wiki entry. A $DEV just needs to make sure he/she has libvirt, virt-install, virt-viewer installed.
We are using KVM to provide the virtualisation layer but through the use of libvirt you should be able to use any libvirt compatible virtualisation provider.(virtual box etc)

Technologies used

a httpd server (nginx, apache etc) - to serve kickstart + yum repos/mirror
Own yum repos + centos mirror ( again ubuntu mirror etc )
puppetmasterd ( or other CF tool ie: chef etc ) with autosign turned on (we have a separate puppetmaser for the $DEVS)
some kickstart files - I use one per customer and bootstrap puppet from the %POST section
libvirtd + KVM/qemu - could be any supported virtualisation software supported by libvirt
python-virtinst + virt-viewer
dhcpd
forward and reverse dns - puppet will fail to work as expected without it ( I use powerdns-recursor for demos as it exports /etc/hosts )
redmine - we make use of Redmine's ACL's to visualize the repos for puppet and kickstart files per customer

Devs

The following is the steps needed for a $DEV to deploy a customer's PE.

Check network page and grab an available network mac to use (this is used for dhcp & dns so puppet works properly)
and the name of the customers kickstart file.
update wiki page to say that network mac is in use.
deploy a VM on their workstation. - See Libvirt tips

virt-install --connect qemu:///system --accelerate -n virt01 -m 54:52:00:37:2E:B9 -r 1024 --vcpus=1 --disk pool=lvm,bus=virtio,size=20 --vnc --os-type linux --os-variant=rhel5 --network=network:default -l http://192.168.1.250/os/CentOS/5.5/os/x86_64/ -x "ks=http://192.168.1.250/ks/project_customer1.ks"

This will take advantage of the fact that both CentOS and Ubuntu have the necessary PXE files stored in their mirrors for booting the installer.

wait approx 10 or so minutes and they have a clone of the customer's PE on their workstation ready to deploy to and hack on. see notes in conclusion below

New customers

The following is what's involved in preparing for a new customer:

A new customer has a VM/server provisioned in a DC by a hosting company.
I grab the current package list and make a kickstart file to replicate the install locally
Create a new project_customer3 in puppet and add details to bottom of the new kickstart file.
publish new kickstart file and update wiki entry

Conclusion

I have reduced the time it takes for a dev to get a copy of a customers PE down from days to minutes and its now a self serve solution.
There is still more to refine in this but it's already full of win as I now get to do more of 'stuff that matters'

It's early days for us using this new setup and I am yet to work out an easy, effective way of notifying a $DEV when puppet has finished the buildout. Suggestions welcome.

cucumber tests ?
using libnotify via Dbus ? ( suggestion made at a recent DevOps Sydney meetup )
??

openssh and X11 forwarding

Thu, 29 Jan 2009 22:17:00 +1100

Occasionally you may come across times where you need to run an X application on a remote, headless server.
Today was one of those occasions for me.
Installing xorg etc to add X to the server is a reasonable amount of work and not really a choice.
openssh has an option to tunnel X11 connections and auto setup the $DISPLAY environment variable on the remote host.
This can be done either on the fly with a switch to the ssh client or a permenant setup by changing the config file for openssh.

[lunix@godzilla ~]$ ssh -Y admin@10.20.1.254
admin@10.20.1.254's password:
Last login: Fri Jan 30 00:22:23 2009 from dynamic-20.home.lunix.com.au
/usr/bin/xauth:  creating new authority file /home/admin/.Xauthority
[admin@gateway01 ~]$ echo $DISPLAY
localhost:10.0
[admin@gateway01 ~]$

This extract of ~/.ssh/config shows how to make the X11 forwarding more permenant.

Host remotehost
ForwardX11 yes

Once this has been done and the $DISPLAY env. variable is set you should be able to fire up an application that displays its output via X.

[lunix@godzilla ~]$ wireshark

This will then fire up wireshark sending its output to X via localhost:10.0 which will tunnel it across ssh to your local screen.
Remeber this may be a bit slower than running it locally but it works.

I ran into problems this morning the first time I logged in with ssh -Y with the $DISPLAY env variable not being set.
To diagnose this I retried the ssh command with the extra options of -vv. Here is a snippet of the output.

[lunix@godzilla ~]$ ssh -vv -Y admin@10.20.1.254
admin@10.20.1.254's password:
...
debug2: x11_get_proto: /usr/bin/xauth  list :0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
..
..
debug1: Remote: No xauth program; cannot forward with spoofing.
..
Last login: Fri Jan 30 06:48:28 2009 from dynamic-20.home.lunix.com.au
[admin@gateway01 ~]$ echo $DISPLAY

[admin@gateway01 ~]$

$DISPLAY wasn't set. In my case the debug1: line mentioning a missing xauth program was the problem.
A simple yum install xorg-x11-xauth fixed this. ( centos 5 )

Hope this helps.

Usefull strace primer

Fri, 09 Jan 2009 15:09:00 +1100

I'm posting this here for both future use by myself and in the hope it's usefull to anyone else.

Have you ever racked your brain to find that bug? You know, the bug that you can't find in the source code,
but which appears with deliberate consistency when your code is compiled and run.
Hacker, meet strace.
strace is a utility that allows you to trace system calls and signals for a given command and its arguments.

Full article is over at the Redhat Magazine

Simple portscanning with bash and netcat

Wed, 31 Dec 2008 12:05:00 +1100

Today I was presented with the need to find all the machines on a network that have port 22 open.
This can easily be achieved with nmap.

sudo nmap -sS -p22 192.168.1.0/24

However the only box I had was a 'linux router' with a minimalistic linux install and no access to install extra packages.
What I ended up using was a very simple shell script with nothing more than a for loop and netcat.

    #!/bin/bash
    for h in {2..254};
    do
            nc -z 192.168.111.$h 22;
            if [ $? -eq 0 ]; then
                    echo -e "192.168.111.$h\n";
            fi
    done

The -z flag to nc ( netcat ) tells it 'no io' then I just test for the exit code it gives.
Simple.

Postfix, UCE and helo_checks

Mon, 10 Mar 2008 14:16:00 +1100

As anyone that uses email will know, UCE/junk mail is coming in thick and fast.

One quick setting in postfix ( presumably you can do this with other smtpd servers but I will only show postfix )
that cut down the amount of UCE arriving at my inbox was the postfix main.cf entry:

smtpd_recipient_restrictions =....<snip>check_helo_access hash:/etc/postfix/helo_checks

Add that entry to your main.cf file then create an ASCII (text) file called helo_check with content similiar to below.

localhost                       REJECT You are not me
123.123.123.123                 REJECT You are not me
host.example.com                REJECT You are not me

Don't forget to issue a postmap on the helo_checks file.
Any mail server helo'ing to your server now with your ip, hostname or localhost will be rejected before its even allowed to send you mail/UCE.

Mar  9 04:50:20 scrappy postfix/smtpd[28556]: connect from 122-124-139-172.dynamic.hinet.net[122.124.139.172]
Mar  9 04:50:22 scrappy postfix/smtpd[28556]: NOQUEUE: reject: RCPT from 122-124-139-172.dynamic.hinet.net[122.124.139.172]: 554 5.7.1 <123.123.123.123>:
........................Helo command rejected: You are not me; from=<hi7188s.pp5975@msa.hinet.net> to=<zz@mail2000.com.tw> proto=SMTP helo=<123.123.123.123>
Mar  9 04:50:22 scrappy postfix/smtpd[28556]: lost connection after RCPT from 122-124-139-172.dynamic.hinet.net[122.124.139.172]
Mar  9 04:50:22 scrappy postfix/smtpd[28556]: disconnect from 122-124-139-172.dynamic.hinet.net[122.124.139.172]

Whilst I have no exact figures as to how much UCE this has stopped I can say it has made a noticeable difference.