Category Archives: Linux

Linux and Unix

Hacking and securing your Asterisk server

I spent a little while playing with sipvicious today. This is a SIP scanner that can be used for scanning SIP servers – which obviously includes Asterisk, Trixbox, Elastix, etc.

It’s not surprising that scanning for vulnerable SIP servers is on the increase – these sorts of tools are really easy to use, and with the lure of making free phone calls at your expense it’s definitely worth making sure that your PBX is secure.

Here’s what I did to scan one of my servers. The server is a Trixbox CE 2.6 server and I set up the following extensions for testing –


E-mail alerts from munin for network bandwidth usage

I’m a big fan of munin for monitoring your linux server. It’s quick and easy to install and produces some nice graphs.

I run some OpenVZ servers and wanted to get munin to alert me if there was a sudden spike in my bandwidth throughput.

There are some instructions here for setting up alerts from munin but I couldn’t get it to work for the “if_” plugin that is used to generate the bandwidth graphs.

Turns out that plugin doesn’t produce warnings as standard. Here’s a quick and easy solution that works for me (although there are some pitfalls – such as the fact that you’re setting a generic setting for all interfaces)

On the machine running ‘munin-node’ edit the file /usr/share/munin/plugins/if_ (the location may vary)

and add this line alongside the other echo statements –

echo "up.warning 1000000"

It’s in bits per second so that should set it to 1MB/s

Now on the machine running ‘munin’ (could be the same machine) edit the file /etc/munin/munin.conf and somewhere near the top add the lines –

contacts me
contact.me.command mail -s "Munin notification ${var:host}" user@example.com
contact.me.always_send warning

And that should be it. Give it 5 minutes and see if you get an alert (it might be worth setting the warning level to less than 1MB/s to test!)

dstat – another performance monitoring tool

The way I look at it, you can never have too many tools for monitoring the performance of your servers!

And it’s best to look round before you actually need them too. Run them on your system when things are ‘normal’ – that will make tracking down problems a lot easier when things start to go wrong.

A handy little tool that combines the functionality of vmstat, iostat, netstat and nfsstat is called dstat.

If you’re using CentOS this can be installed via rpmforge (click here for details on adding the rpmforge repo) by doing a

yum install dstat

then you can just run dstat (or ‘man dstat’ for some options)

Here’s an example of the output you can expect to see –

# dstat
----total-cpu-usage---- -dsk/total- -net/total- ---paging-- ---system--
usr sys idl wai hiq siq| read  writ| recv  send|  in   out | int   csw
6   1  93   0   0   0|  31k  242k|   0     0 | 0.2   0.3 |2070   113
0   0  99   1   0   0|4096B    0 |1402B  452B|   0     0 |2037    72
0   0 100   0   0   0|   0     0 |1336B  468B|   0     0 |2035    77
0   1  99   0   0   0|   0     0 |1276B  452B|   0     0 |2035    67
0   0  99   1   0   0|   0   528k|1632B  452B|   0     0 |2049    90
0   0 100   0   0   0|   0     0 |2168B  468B|   0     0 |2039    68
0   0 100   0   0   0|   0     0 |1692B  452B|   0     0 |2036    70
1   0  99   0   0   0|   0     0 |1216B  452B|   0     0 |2032    64
0   0 100   0   0   0|   0    40k|1216B  452B|   0     0 |2050    91
0   0 100   0   0   0|   0     0 |1276B  452B|   0     0 |2033    88
0   0 100   0   0   0|   0     0 |1266B  562B|   0     0 |2036    75
2   2  96   0   0   1|   0   344k|1967B 1157B|   0     0 |2061   230

Limit SMTP connections for OpenVZ VPS

I’ve started renting out some OpenVZ VPSs for a few people and wanted to make sure that they couldn’t be used to send spam. One of the easiest ways to do this is just to limit the number of outbound smtp connections allowed from the VPS using iptables.

I used the following iptables rules on the OpenVZ host node to accomplish this –

# Limit number of SMTP connections from Mail Server
iptables -A FORWARD -o eth0 -p tcp -s 77.211.239.14 --dport 25 -m limit --limit 3/minute -m state --state NEW -j ACCEPT
# iptables -A FORWARD -o eth0 -p tcp -s 77.211.239.14 --dport 25 -m state --state NEW -j LOG
iptables -A FORWARD -o eth0 -p tcp -s 77.211.239.14 --dport 25 -m state --state NEW -j DROP

The IP address is the IP address of the VPS. The optional log rule in the middle (that’s commented out) is useful when you are setting this up so you can check that packets are actually being affected by the rules.
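As an added example (not code from the original post), here is a small Python script that reads the kernel log lines written by the LOG rule above, once it is uncommented, and counts per VPS IP and per minute how many new outbound SMTP connections went past the limit. The log lines are constructed samples, and the function names and threshold are my own choices.

```python
import re
from collections import Counter

# Constructed sample kernel log lines in the format iptables' LOG target writes.
# Only the three DPT=25 lines from the VPS should be counted; the HTTPS line is noise.
SAMPLE_LOG = """\
Jun 12 10:01:02 host kernel: IN=venet0 OUT=eth0 SRC=77.211.239.14 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=45012 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 10:01:03 host kernel: IN=venet0 OUT=eth0 SRC=77.211.239.14 DST=203.0.113.26 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1235 DF PROTO=TCP SPT=45013 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 10:01:04 host kernel: IN=venet0 OUT=eth0 SRC=192.0.2.77 DST=203.0.113.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1236 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 10:01:05 host kernel: IN=venet0 OUT=eth0 SRC=77.211.239.14 DST=203.0.113.27 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1237 DF PROTO=TCP SPT=45014 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")                       # KEY=VALUE pairs in a LOG line
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}):\d{2}")   # syslog timestamp, minute resolution


def parse_line(line):
    """Return (minute, fields) for one kernel LOG line, or None if it is not one."""
    m = TS_RE.match(line)
    if not m or "kernel:" not in line:
        return None
    return m.group(1), dict(FIELD_RE.findall(line))


def count_smtp_drops(log_text):
    """Count logged new outbound SMTP (TCP/25) connections per (source IP, minute)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        minute, f = parsed
        if f.get("PROTO") == "TCP" and f.get("DPT") == "25" and "SRC" in f:
            counts[(f["SRC"], minute)] += 1
    return counts


def noisy_sources(counts, threshold):
    """Source IPs that hit the logged SMTP limit `threshold` or more times in any one minute."""
    return sorted({src for (src, _minute), n in counts.items() if n >= threshold})


if __name__ == "__main__":
    drops = count_smtp_drops(SAMPLE_LOG)
    for (src, minute), n in sorted(drops.items()):
        print(f"{minute}  {src}  {n} over-limit SMTP attempts")
    print("worth a look:", noisy_sources(drops, 3))
```

In production you would feed it the real kernel log (for example /var/log/messages) instead of the embedded sample.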

Rhapsody, Ubuntu and Firefox 3

If you’re having trouble logging in to the Rhapsody website and you are running Firefox 3 on Ubuntu (or possibly other flavours of Unix) then the following might be useful.

If, every time you try to log in to the Rhapsody website, you are asked to install the Firefox plugin, even after apparently installing it, then the plugin is not getting installed correctly.

To install the plugin manually try –

Start a shell prompt

cd ~/.mozilla/plugins/
# the URL contains an '&', so it must be quoted or the shell will background wget; -O keeps the expected file name
wget -O RhapsodyPlayerEngine_Inst_Linux.xpi 'http://forms.real.com/real/player/download.html?f=unix/rhapx/RhapsodyPlayerEngine_Inst_Linux.xpi&install=rwih'
unzip RhapsodyPlayerEngine_Inst_Linux.xpi

Then restart Firefox.

Hopefully, now you should be presented with a username/password box when you try to log in rather than the plugin install prompt.

Delicious bookmarks disappear

I really like the delicious plugin for firefox (this is being discontinued – see here for alternative – https://dgtl.link/Firefox-Addons) and have been recommending it to people for a while now.

Recently though using the plugin with firefox 3 on both Windows and Linux (Ubuntu) has been a real pain. “Favorite Tags”  and “Tag Bundles” have been disappearing and losing their settings. This has been going on for a few weeks now and the developers have been working hard on resolving the problem, which turned out to be a corruption in one of the settings files.

They have released a beta fix for this problem, which you currently have to sign up to a Yahoo group to download. Details of the problem and how to obtain the patch can be found here.

Hopefully they will release a mainstream version of this patch soon!

Encrypting traffic with a VPN

Dan Goodin has written an interesting article for theregister.co.uk about the benefits of using a personal VPN for your wireless internet traffic.

There are some downsides to running a VPN server at home. One of these is that all of your data must travel via your home PC/server and most people’s broadband connections will limit the speed that this will work at. The maximum speed of your VPN connection will be limited by the upload speed of your home broadband – which is normally quite slow. Also, dynamic IP addresses, port forwarding and NAT on your broadband router and having to leave your home PC powered on all the time could be a pain.

Another alternative could be to run OpenVPN on your own server (or vps) at a data center or, a cheaper alternative, to buy access to an OpenVPN server that has already been setup and configured.

Running OpenVPN

I’ve been playing with OpenVPN for the past couple of weeks and I’m pretty impressed. OpenVPN allows you to create a private network between 2 computers. These could be 2 servers or a client and a server. A few of the reasons for wanting to do this are –

  • bypassing your ISPs traffic shaping
  • making your traffic appear to originate from a different country
  • encrypting your laptop traffic over an insecure link – such as a coffee shop wifi connection
  • anonymous web surfing
  • bypassing a country’s web access controls

Setup and configuration of the server component can be fairly complicated depending how you want to manage the certificates and networking on there. It’s possible to install it on Linux or Windows although I’ve only tested it on Linux. Running the server on Linux you also need to configure iptables to translate your private ‘vpn’ ip address to an external ip address on the vpn server.


ffmpeg and streaming video

I’ve been interested in trying to stream some of my videos from my server rather than from YouTube. YouTube is great but the video quality is pretty poor.

I’m running CentOS 5.2 and decided to just try installing ffmpeg from rpmforge rather than compiling it. Lazy but easy!

rpmforge is a repository where you can find lots of prebuilt packages that are not part of a standard Redhat/CentOS install. You can find instructions for setting it up here.

So, with rpmforge configured, this was all I needed

# yum install ffmpeg
#

Then I looked round for a player to stream the videos (which were going to be in Flash format). Flowplayer looked pretty nice. I just wanted something simple that would have only the video and controls on the page.

After looking over the sample html pages that come with flowplayer it was easy to create a page with just the video on there. So I uploaded my videos which were in mpg format.

Running the command

# ffmpeg -i video.mpg -s 320x288 -b1200000 -ar 44100 video.flv
#

converted the video to flash format with a pretty high quality but without making the files too large. I’m sure I could probably find better settings if I played around a bit more.

And here are some examples of the end result –

http://sysadminman.net/video/takeoffsywell.html

http://sysadminman.net/video/alconbury.html

http://sysadminman.net/video/fisty_nuts.html

Just out of interest – the aircraft is a Pegasus Quantum 582 which you can see a picture of here.

I no longer own it and miss the summer evenings flying around the English countryside.

iptables for asterisk

If you’re running Asterisk on a VPS or a dedicated server then setting up your iptables firewall can be tricky.

I thought I’d post my firewall script to help get you started. I save this script as /usr/local/bin/firewall.sh and then add a line to run it from /etc/rc.local

It allows SSH’ing to the machine plus rules required for SIP connections (you will need other rules if you use IAX) plus some basic “bad stuff” filtering.

I’ve commented it so, hopefully, you’ll be able to figure out any changes you need.
