Random Ramblings
 

Below are the 20 most recent journal entries recorded in dan_kolb's LiveJournal:

Tuesday, February 19th, 2008
10:34 am
Breaking ssh
Previously, I managed to get ssh logins to work to hades by adding a keep state rule in the appropriate place in the firewall ruleset.

Yesterday, on re-reading the documentation, and thanks to avf_uk, I changed the incoming firewall rule to
pass in on $alliface proto tcp from any to any port 22 keep state queue ssh

Now it still works from newer Linux systems. However, Vista has stopped talking to it. Removing the queue ssh line allows Vista to talk again.

Any ideas would be nice :)
Sunday, February 17th, 2008
1:16 am
Fixing ssh
For some time, people have had trouble sshing to hades (my colo OpenBSD box) from Vista and newer Linux distributions. I had prodded at the problem before and didn't find a satisfactory answer; today I had another poke around, and came across this page, which gave me an idea.

When I disabled the firewall, it all started working. Which therefore implies it was something to do with pf.

My existing pf rules allowed an incoming ssh packet, but didn't keep state; it kept state when a response was sent (i.e. from the outbound packet). So the rules looked like:

pass in on $alliface proto tcp from any to any port 22
pass out on $alliface proto tcp from any port 22 to any keep state queue ssh
pass out on $alliface proto tcp from any to any port 22 keep state queue ssh
(looking closer, it appears the second line doesn't actually do anything useful. Never mind)

On changing the first line to
pass in on $alliface proto tcp from any to any port 22 keep state

sshing suddenly works. However, at the expense of incoming ssh connections not being put through the packet queuing.

So. If you're running OpenBSD (and maybe other OSes), and have trouble with sshing to it from newer Linux or Vista systems, try the above.

If anyone would care to explain why this brokenness occurs, then please do. I'm guessing something's been frobbed around with in newer kernels, which causes undesired consequences.
Friday, February 15th, 2008
12:32 am
Today....
I had curry and went to see Sweeney Todd. Excellent film, with lots of slightly cartoony blood. Well worth going to see.

In other news, for those who haven't been keeping up at the back, I recently started a new job in the Physics department, so I'll still be in Durham at least another two years.
Tuesday, November 27th, 2007
5:04 pm
Pit band
I appear to have been selected to play in the pit band for a production of Anything Goes. Reed IV part, so bari + tenor sax, clarinet and bass clarinet. Hurrah!
Friday, November 16th, 2007
8:29 pm
WTF, Esso?
Driving past the local Esso garage, I notice they've increased the price of unleaded to 102.9p/l. Fuck that! If Tesco round the corner has it for 100.9 (which is still Fucking Expensive), to Tesco I shall go. I noticed no cars on the Esso forecourt....
Friday, October 19th, 2007
11:36 pm
ssh blocking
Having a look through my server's auth logs, I noticed a rather large number of attempts from people trying to guess usernames and passwords to the server. Since 2pm on the 17th of October, there were 15,760 attempts at guessing (non-existent) usernames, and 18,278 attempts at wrongly guessing passwords. Compare this with 16 successful (deliberate) login attempts. So I thought that something ought to be done. Ideally, blocking anyone who either tries a bad username (after more than 2 goes), or fails to guess a password (after more than 5 goes). A quick Google very conveniently landed me with this page, about how to block repeated illegal or failed SSH logins with ipfw, ipf, or pf. Given I'm running OpenBSD, this was rather useful. Testing the script on that page appeared to work nicely, so I'm now running it every 5 minutes. Hopefully this should reduce the number of failures in my authlog.

And, just in case something should go wrong, and I accidentally lock myself out, I have an exemption for one machine - even if its IP gets blacklisted, then I can still get in and remove the listed address.
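One way to do the blocking described above, written here as an added example rather than the script from the linked page: scan an OpenBSD sshd authlog, count "Invalid user" and "Failed password" lines per source address, and emit pfctl commands that add offenders to a pf table. The thresholds follow the post (more than 2 bad usernames, or more than 5 bad passwords); the table name, the exempt address, the log lines and the pf.conf lines in the comment are all assumptions made for the example.

```python
"""Block repeated sshd login failures via a pf table (added example).

Assumed pf.conf lines (table name is an assumption, not the post's):
    table <sshbrute> persist
    block in quick on $alliface proto tcp from <sshbrute> to any port 22
Run from cron every 5 minutes: python3 sshblock.py /var/log/authlog | sh
"""
import re
import sys
from collections import defaultdict

TABLE = "sshbrute"
INVALID_USER_LIMIT = 2      # block after MORE than this many bad usernames
FAILED_PASSWORD_LIMIT = 5   # block after MORE than this many bad passwords
EXEMPT = {"198.51.100.7"}   # admin box that must never be blocked (assumed)

# sshd lines as OpenBSD syslog writes them to /var/log/authlog.
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+)")
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Constructed sample log, not real data: one host guessing usernames,
# one hammering root, the exempt host fat-fingering its password,
# one host under threshold, and one legitimate login.
SAMPLE_AUTHLOG = """\
Oct 17 14:01:03 hades sshd[4012]: Invalid user admin from 192.0.2.10
Oct 17 14:01:03 hades sshd[4012]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Oct 17 14:01:05 hades sshd[4013]: Invalid user test from 192.0.2.10
Oct 17 14:01:05 hades sshd[4013]: Failed password for invalid user test from 192.0.2.10 port 51240 ssh2
Oct 17 14:01:07 hades sshd[4014]: Invalid user oracle from 192.0.2.10
Oct 17 14:01:07 hades sshd[4014]: Failed password for invalid user oracle from 192.0.2.10 port 51250 ssh2
Oct 17 14:02:11 hades sshd[4020]: Failed password for root from 203.0.113.5 port 2200 ssh2
Oct 17 14:02:13 hades sshd[4020]: Failed password for root from 203.0.113.5 port 2200 ssh2
Oct 17 14:02:15 hades sshd[4020]: Failed password for root from 203.0.113.5 port 2200 ssh2
Oct 17 14:02:17 hades sshd[4021]: Failed password for root from 203.0.113.5 port 2201 ssh2
Oct 17 14:02:19 hades sshd[4021]: Failed password for root from 203.0.113.5 port 2201 ssh2
Oct 17 14:02:21 hades sshd[4021]: Failed password for root from 203.0.113.5 port 2201 ssh2
Oct 17 14:03:00 hades sshd[4030]: Failed password for dan from 198.51.100.7 port 40000 ssh2
Oct 17 14:03:02 hades sshd[4030]: Failed password for dan from 198.51.100.7 port 40000 ssh2
Oct 17 14:03:04 hades sshd[4030]: Failed password for dan from 198.51.100.7 port 40000 ssh2
Oct 17 14:03:06 hades sshd[4031]: Failed password for dan from 198.51.100.7 port 40002 ssh2
Oct 17 14:03:08 hades sshd[4031]: Failed password for dan from 198.51.100.7 port 40002 ssh2
Oct 17 14:03:10 hades sshd[4031]: Failed password for dan from 198.51.100.7 port 40002 ssh2
Oct 17 14:04:00 hades sshd[4040]: Invalid user guest from 192.0.2.99
Oct 17 14:05:00 hades sshd[4041]: Accepted publickey for dan from 198.51.100.7 port 40010 ssh2
"""


def tally(lines):
    """Return {ip: (invalid_user_count, failed_password_count)}."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        m = INVALID_RE.search(line)
        if m:
            counts[m.group(1)][0] += 1
            continue
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)][1] += 1
    return {ip: tuple(v) for ip, v in counts.items()}


def offenders(counts, exempt=EXEMPT):
    """Addresses over either threshold, minus the exempt set, sorted."""
    bad = [ip for ip, (invalid, failed) in counts.items()
           if ip not in exempt
           and (invalid > INVALID_USER_LIMIT or failed > FAILED_PASSWORD_LIMIT)]
    return sorted(bad)


def pfctl_commands(ips, table=TABLE):
    """Add each offender to the table and kill its existing states so an
    already-open brute-force session is cut off, not just new SYNs."""
    cmds = []
    for ip in ips:
        cmds.append(f"pfctl -t {table} -T add {ip}")
        cmds.append(f"pfctl -k {ip}")
    return cmds


def analyze(text):
    """Full pipeline: authlog text in, pfctl command lines out."""
    return pfctl_commands(offenders(tally(text.splitlines())))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_AUTHLOG
    print("\n".join(analyze(text)))
```

Two caveats. `pfctl -T add` is idempotent, so re-running every 5 minutes over an ever-growing log only ever adds; rotating the log, or remembering the last processed line, keeps the run cheap. The exemption here is done by never adding the address, which is weaker than what the post describes: a `pass in quick ... from <admin-host>` rule placed before the block rule lets the admin in even if the address does land in the table, because pf's `quick` stops evaluation at the first match.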

Current Mood: satisfied
Sunday, September 9th, 2007
1:59 pm
Last Night of the Proms
Went to the Last Night of the Proms yesterday, with a friend. After a few drams of whisky at the SMWS, we went down to the Albert Hall; standing in line for 20 minutes meant we got standing room at the Gallery for £5. The concert itself was very enjoyable, with the usual Last Night festivities. I'll definitely try and do it more regularly in future.
Monday, August 13th, 2007
9:49 pm
dd-wrt, part 3
Continuing on from my previous post (again). Given my WAP is currently bricked, I took a chance to get a "new" Linksys WRT54G. This one is just a plain WRT54G v5.0, but following the same instructions as for the WRT54GS v5.1 worked fine. Curiously, I needed to re-download the vxworks killer, as the ones I had from the last upgrade didn't work (they are the same files).

To connect the routers together, I decided to try following the instructions for Wireless Bridge mode, rather than WDS. Quick summary: disable the SPI firewall (Security tab), change Wireless mode to Client Bridge, match SSIDs, and then join the other wireless router's network as a client. And it works! Hurrah!

Note that I'm not running any encryption over the wireless network (it's not routable anywhere, anyway), so I've just disabled SSID broadcast.

Next task, at some point, will be to attempt to unbrick my WAP54G. But that's not a priority any more.

Current Mood: accomplished
Sunday, August 5th, 2007
1:42 pm
dd-wrt, part 2
Continuing on from my previous post, I'm trying to upgrade my WRT54GS v5.1 first.

First stage, which is loading the vxworks_prep file (follow instructions from here), worked almost without any problems. Safari, after about half a minute, popped up an error saying that an unknown response came from the router's HTTP server. However, waiting another half minute or so, and then power cycling the router, got the router coming up with a Management Mode Firmware Upgrade. However, it had lost the IP address I'd given it, and reverted to 192.168.1.1, which is the default for Linksys WRTs. So far, so good.

Stage 2: load the vxworks_killer firmware. Within a few seconds, the browser reported a success with the upgrade.

Stage 3: Power-cycle the router. Initially, it looked bricked. However, after waiting a few minutes, it started pinging. So, tftping the dd-wrt firmware up onto it worked, and a few seconds later, the SSID dd-wrt appeared in the list of wireless networks, and I was able to get to the web configuration and telnet in. So I followed the instructions to enable the full memory. And it still worked.

Trying to upgrade the WAP54G with the generic firmware, although it appeared to load the firmware on okay, the AP now appears to be bricked. Arse.

Current Mood: aggravated
Saturday, August 4th, 2007
11:01 pm
dd-wrt, part 1
Carrying on from my previous post, I'm looking into updating the firmware on my WRT54GS v5.1 and WAP54G v1.0 to dd-wrt.

According to the File Versions page on the dd-wrt wiki, I need to use the mini version to tftp after flashing via the web interface. Huh? It'd be nice if people writing documentation could do so in clear, plain, unambiguous English. It's not hard. Oh, but because I have a v5 WRT, I have to use a generic dd-wrt firmware. Which, according to the Supported Devices page, means I can only use a micro version and need the VxWorks killer. The Installation page, however, says the WRT works with the mini version. How nicely clear.

So. For the WRT54GS v5.1, I need: the VxWorks killer, and the generic v23 SP2 micro firmware. For the WAP54G, it appears I just need the generic v23 SP2 micro firmware (given lack of any other information to the contrary).

I shall attempt to flash the firmware in the morning. Hopefully the devices won't end up bricked.

Current Mood: determined
4:07 pm
Wireless fun
Today, I've mostly been trying to get a Linksys WAP54G to talk to a Linksys WRT54GS. Which is easier said than done. To be able to do this, the WAP must be configured in Wireless Repeater mode. Not Bridge, or AP Client, which only talk to other WAP54Gs. Unfortunately, the firmware on the WAP was too old to support this mode. Conveniently, Linksys provides rather easy access to update the firmware; the updating went flawlessly (other than losing the IP address I assigned to it), so I took the opportunity to update the WRT's firmware too.

Now, setting the WAP into repeater mode asks for the LAN address of the WRT. Duly entered, it didn't work. A wee bit of Googling turned up this Linksys customer help document about making them talk to each other. In it, it mentions to disregard (their emphasis) what it says on the Firmware setup screen, and enter the wireless MAC address of the WRT.

Of course, it still doesn't work. Next up is to try dd-wrt, and see if that'll manage to get things to work.

Current Mood: geeky
Monday, July 16th, 2007
11:42 pm
Stag do
Just come back from a great stag do. It involved hiring some canal boats from Bradford-on-Avon, going down to Bath and back, and visiting a few pubs along the way. Plus lots of drinking on the boats themselves. A good mix of quiet civility and drunken raucousness resulted in only one person throwing up (admittedly after a kebab and downing a beer), and one person passing out in a restaurant (for whom an ambulance was called after the rest of the party left, but was ultimately unnecessary).

I'd really quite like to do some more canal boating.
Thursday, June 21st, 2007
3:26 pm
Dear Powerpoint
Why, when I paste an image into a slide, do you feel the need to screw with the text that I have already carefully positioned on the slide? I know what I want. Stop trying to second guess me. No love, Dan
Tuesday, June 5th, 2007
12:11 pm
Dear virgintrains.co.uk
If I select the box that says "Arrive before...", that does not mean I'm looking to depart at that time. Love, Dan
Sunday, June 3rd, 2007
2:13 pm
Spamalot
I went to see Spamalot with a friend yesterday in London. In true Monty Python style, it was incredibly silly. There were a few sly (and not-so-sly) references to a few Flying Circus sketches. It was very well choreographed, too, and the singing was easy to understand.

If you haven't seen the show, go see it! It's hard to spend a more enjoyable two and a half hours.
Sunday, May 20th, 2007
11:39 pm
St. Andrews
Just come back from a mini-LBW in St. Andrews. 'twas very nice, if a little windy. As well as visiting some nice pubs, having tasty beer and good food, we did the usual tourist bits (aquarium, cathedral, castle), and, for some added interest, went off to the Secret Bunker. Pictures forthcoming in hopefully less than 6 months' time.

Due to some members of the group needing to be back in Edinburgh early-ish, we carelessly ended up at the SMWS' Vaults for a few hours. As usual, their whiskies were incredibly tasty.

Thanks to Edwin for organising the event.

Current Mood: content
11:35 pm
Updated photos
Finally got around to uploading all the photos that aren't currently on my cameras up to my website. Find at http://eco.li/photos/2007/
Tuesday, May 15th, 2007
11:04 pm
People rescued from gross stupidity...
According to this BBC article, a family had to be winched to safety from the Lindisfarne causeway. This rather smacks of complete stupidity — not only driving across an obviously flooded road, but driving across a tidal causeway when there are large signs warning not to cross when there's water present (and not checking the tide timetable). An RAF helicopter was called out for that. The money that cost would've been better spent teaching people to read.
Monday, April 30th, 2007
5:36 pm
Dear Livejournal comment spammers...
Please fuck off and die. Your shite attempts at advertising just make you look like worthless little tossers.

No love,

Dan

Current Mood: annoyed
Thursday, April 19th, 2007
12:41 am
Off to Greece
I'm off to Athens tomorrow (today?) morning to get some useful work done. Wonder what I'll forget to take with me...

Hopefully the plane back will arrive on time: if it does, I should just about get back to Durham in time for an orchestra social.

Current Mood: tired