March 2004 Archives

My brother, Brian, is coming to visit this summer. That means the computer room must became a guest room. We've been toying with ways to mount the server off the floor and out of the way. I basically took a 4' deep rack mount case and hung it by it's face. Then added some rinky-dink shelves below that to hold the server equipment. Pics...

The before; using beer carton as shelf suppot.

The shelf supports sans server. Offset bolts to hit studd. 2" lag bolts.

Server two angles



Blanket hung from angel hooks to muffle noise

Network & UPS on lower shelves. Don't protrude past closet portal.

It's simple and it perfectly meets my needs. It's called wondershaper . It's a very simple CBQ (or HTB) based queueing discipline script that allows you to throttle bandwidth while alotting some simple priorities. I've used it to shape the "bulk" services hosted on my cable modem to a fraction of the modems bandwidth. I prioritize dns, pop, smtp, imap, and http as bulk classes. So now my DC games won't be spiked by a largely attached porn spam or somebody hitting my website. Since I had to reboot because of the kernel compile I installed the extra 256MB RAM I've had for a year now. Lost uptimes...

So I look at my stats page and see that 144.136.66.135 is a very busy address on my site. It's some AU ip.

[...] name = CPE-144-136-66-135.nsw.bigpond.net.au.

Interesting. I check out my archived access logs to see what this ip was browsing. I archive my logs every day for a year. So I'm looking for the access logs for the last couple of days.

jim@styx:~/jimweller.net/logs$ zcat access.log.?.gz | grep 144.136.66.135 > it
jim@styx:~/jimweller.net/logs$ head it
144.136.66.135 - - [07/Mar/2004:06:38:29 -0900] "GET http://www.jimweller.net HTTP/1.1" 200 118 "http://www.steppingstonespecialists.com/" "-"
144.136.66.135 - - [07/Mar/2004:06:38:29 -0900] "GET http://www.jimweller.net HTTP/1.1" 200 118 "http://www.youthjobsearch.com/" "-"
144.136.66.135 - - [07/Mar/2004:06:39:50 -0900] "GET http://www.jimweller.net HTTP/1.1" 200 118 "http://www.psultra.net/" "-"
144.136.66.135 - - [07/Mar/2004:06:39:59 -0900] "GET http://www.jimweller.net HTTP/1.1" 200 118 "http://www.westsidecampus.com/" "-"
144.136.66.135 - - [07/Mar/2004:06:40:15 -0900] "GET http://www.jimweller.net HTTP/1.1" 200 118 "http://www.j-people.com/" "-"
144.136.66.135 - - [07/Mar/2004:06:42:16 -0900] "GET http://www.jimweller.net HTTP/1.1" 200 118 "http://www.doscoyotesenterprises.com/" "-"
144.136.66.135 - - [07/Mar/2004:06:44:54 -0900] "GET http://www.jimweller.net HTTP/1.1" 200 118 "http://www.myjobsux.com/" "-"
144.136.66.135 - - [07/Mar/2004:06:45:01 -0900] "GET http://www.jimweller.net HTTP/1.1" 200 118 "http://www.prescotthighlandsaz.com/" "-"
144.136.66.135 - - [07/Mar/2004:06:45:34 -0900] "GET http://www.jimweller.net HTTP/1.1" 200 118 "http://www.easytigerrecords.com" "-"
144.136.66.135 - - [07/Mar/2004:06:46:42 -0900] "GET http://www.jimweller.net HTTP/1.1" 200 118 "http://www.concordmass.net/" "-"
[..snip...]

Anyway there's 4,533 of them. All going for my main page, but witout fetching images or style sheets to render them. Notice every referer (site that this supposed browser came from) is different? This is just some ahorle trying to promote websites.

See some executives will look at a report of referers and see those websites. Free marketing, plus false positives for possible business relationships ("Jack, get freeporn.com on the horn.").

To me it's spam and 4MB on my cable modem quota. That's what you get for hosting at home, knowing too much, and having too much time on your hands.

I've been running a simple Linux VPN for one of my clients even though they are an active directory domain. I'd toyed with modifying pppd to use PAM to latch onto some other authentication methods like ldap or smb. Unfortunately, the password comes already hashed. So, you can't manipulate it for any kind of comparison (except another program that will accept MSCHAP-2 hashed passwords). The solution?

5 words, Remote Authentication Dial-In User Service or RADIUS. Radius is an extensible standard for authenticating internet users. Windows 2000 server has a service built in called Internet Authentication Services or IAS. This service is used for authentication RAS users in a "normal" windows domain.

If you're reading this page, you're probably already using ppp 2.4.2b3. You've probably already found the exceptional open source PPTP server PoPToP. You've probably even patched your 2.4 or above kernel to do MPPE and MPPC on behalf of the ppp interface.

That's where I was a couple of days ago anyway. I was just using the plain old chap-secrets file with a shared password for the whole company. Not elegant, but even using PPTP sucks as it is not secure and hence not elegant.

The final piece of this puzzle is getting PPPD to authenticate off of the IAS server. Setting up the IAS server is cake. Install the service from Add/Remove Programs. Launch it from Start->Settings->ControlPanel->AdministrativeTools->InternetAuthenticationServices. Add a new client using your linux vpn server's name or ip and setting a password you're sure to remember.

Now we're back on the linux box in the ppp source folder. I'd give a warning not to use CVS as of 3/7/2004 1:31PM because they are tinkering with improving the MS CHAP code, YMMV. You need to first patch pppd to work with MS. Then, go into the pppd/plugins/radius directory and compile and install. This installs a radiusclient(ftp) package with programs and libraries and configuration files. It also installs a plugin for pppd.

Now you just need to set up pppd. Here are my config files.

/etc/pptpd.conf

speed 115200
option /etc/ppp/pptpd-options
debug
localip 192.168.1.254
remoteip 192.168.1.110-130

/etc/ppp/pptpd-options

name router
domain MYDOMAIN.COM
auth
require-mschap-v2
require-mppe-128
nomppe-40
ms-dns 192.168.1.2
ms-wins 192.168.1.2
netmask 255.255.255.0
nodefaultroute
proxyarp
lock
logfile /var/log/pptpd.log
plugin radius.so
plugin radattr.so
radius-config-file /etc/ppp/radiusclient.conf

/etc/ppp/radiusclient.conf

auth_order      radius
login_tries     10
login_timeout   1
nologin /etc/nologin
issue   /etc/radiusclient/issue
authserver      192.168.1.2:1812
acctserver      192.168.1.2:1813
servers         /etc/radiusclient/servers
dictionary      /etc/radiusclient/dictionary
login_radius    /usr/sbin/login.radius
seqfile         /var/run/radius.seq
mapfile         /etc/radiusclient/port-id-map
default_realm
radius_timeout  10
radius_retries  3

/etc/radiusclient/servers

myradiusserver.mydomain.com MyIASPassword

This allows a Win32 computer to connect to the VPN using the person's windows username and password. I've also connected with Linux and Mac OS X clients. I just got this working like this recently and still have a number of tweaks. Here are some caveats.

• Sometimes the connection doesn't work. Just let it redial. I've never had it take more than 3 tries. I'm investigating. I think it might be a timeout thing. login_timeout?
• Turn off default route in the TCP/IP advanced properties on the windows client.
• You need to add the domain to the windows client. default_realm?
• If you get 1717 error on windows client reboot. An installer probably has loose ends.
• No matter what rules you use in IAS it seems the user account must have "Dial-in" enabled.

Anyway. Cheers and happy tunneling.

I'm very pleased to announce that I'm engaged to be married to Olivia Jean Wall. I proposed on Valentine's day evening from high on flattop mountain overlooking the city lights using a diamond from my grandmother's 25th anniversary ring which I had reset in more modern (and smaller) white gold setting. The event was enchanting. She's the best gal in the whole world, and I love her.

Though, we haven't formalized a date, Livie has been bounding about town with her Mom's scoping and brainstorming. There's a general leaning toward a short outdoor ceremony some where on the Turnagain Arm followed by a rockin' block party in the cul-de-sac. Likely sometime this summer. We're both very excited.