Category Archives: Networking

Misleading statistics

Today, the BBC published a story about the future of broadband, and specifically, 1 gigabit internet.

This isn’t actually so futuristic. It’s not a home connection, but my PC at work has a 1 Gbit internet connection, via the JANET network. It’s had it for a couple of years. When it actually comes down to real-life usage, it isn’t much faster than 100 Mbit or even 10 Mbit. While the data transfer itself does indeed go a lot faster, a lot of time is spent setting up each connection.

Connecting to a server in America from my desk here in the UK takes about 170ms for the signal to get there and back. It will take a few back-and-forths before your file transfer begins. The BBC published a table with some typical values in it.

How quick is a 1GB connection?

                                    1 Gbit            2 Mbit
Download Tolstoy’s War and Peace    0.002 secs        1 sec
Download a 45-minute album          0.05 secs         26 secs
Download a 90-minute HD film        3 mins 36 secs    30 hrs
Watch 1 minute of Super HD          6 mins 40 secs    200 hrs

If, after reading that, you are expecting to use your 1 Gbit connection to download War and Peace in just 2 milliseconds, you can think again. There are several steps your computer has to do to initiate the connection. Each one is subject to the latency, and will probably take a few hundred milliseconds. That’s hundreds of times longer than it actually takes to transfer the data. Obviously the larger the file, the less significant this is. Wasting one second out of nearly 7 minutes for the Super HD video isn’t so bad.

For those who think that latency will improve with speed, think again. There may be some technological advances that shave off the odd millisecond here and there, but unfortunately there’s a pesky thing called the speed of light. The speed of electricity or light in a cable maxes out at 186,000 miles per second, and will usually be about two-thirds of that value, depending on the cable. It will take light 134 milliseconds to go round the equator once. Give or take, that’s how far it is from the UK to Australia and back, and in that time, according to the BBC, you could have downloaded War and Peace 67 times.

As of today, while my computer can send and receive data from the internet at 1 gigabit, unfortunately its hard disk is much slower. Downloading large files tops out at around 350 megabits because the hard disk just can’t handle it. Of course, better and faster hard disks will be invented in the future so this is a non-issue in the long term.

All I’m saying is – don’t believe everything you read in the news, and be aware that for most applications, 1 Gbit is not ten times faster than 100 Mbit.

That is all :)

A strange suggestion

I happened to be looking at the website of a company that offers virtual private servers earlier today. This particular company has a box on their front page with a few questions about what you need your server to do, and it recommends you a suitable server package. But I was slightly surprised at the second-to-last option:

Server sorter

All the other options are sensible, but automated online gambling? I had no idea that there was a legitimate market for such a thing, let alone that a company would risk its reputation by offering a controversial, although legal, service.

Jonathan's Blog now on new "hardware"

This blog, and my other blogs, used to run on a rather old server: two 1GHz Pentium III processors, 1GB memory and 2 x 18GB SCSI hard drives. I host with Ridgeon Network, which is owned by my friend Chris. I help him out with some networking stuff from time to time so he loaned me this spare server for personal use.

A few weeks back one of the hard drives failed. Service continued as normal but it was an acute reminder that the server was getting old.

Recently Chris bought a powerful server for use as a VMWare ESXi hypervisor, along with a large iSCSI SAN to host all the disk images, and a powerful shared MySQL database server. As he was moving lots of his servers from physical boxes to virtual machines, I decided to do likewise.

So this website, and my other sites, are now hosted on a CentOS virtual machine, with their databases on a separate CentOS database server. Given that the load average on the old P3 wasn’t very high I wasn’t expecting a noticeable improvement in performance. But how wrong I was! The site is noticeably faster to load and navigate, and in particular the WordPress management interface is miles faster.

All in all, I’m happy with the new platform. To anyone else considering replacing old servers with a virtualised infrastructure, I say go for it. You’ll save tons of electricity, take up less rack space, pave the way for later expansion (by adding more hypervisors or more disks to the SAN) and have better manageability and backupability.

Building an email server using ClearOS

I’ve had a server at home for years now, and I’ve also been a professional sysadmin for at least three years. I know my way around Linux pretty well and for some time I’ve run my own web server and also other services.

But one thing I’ve steered clear of until now is running my own email server.

I’ve always thought it would be fairly easy to set up, but much harder to make secure. I don’t want to receive tonnes of spam and I don’t want spammers using my SMTP server as an open relay. In the past I’ve read about building SMTP servers with sendmail, postfix and exim but there was all sorts of conflicting information when it came to integrating milters and so on. Different guides all seemed to give contradictory advice and require all sorts of strange configuration steps that I couldn’t understand.

But all that changed when I heard about ClearOS. In short, it’s a spin of CentOS which uses a custom web interface to configure various software “modules”, including things like web server, email server, firewall gateway, database server, and so on.

I installed it on a virtual machine and after only a few clicks I was running a mail server: an MX for receiving mail for my domains, an authenticated SMTP server for personal outgoing mail, and a secure IMAP server for storing and accessing my mail. The frontend sets up postfix and cyrus to do its dirty work.

For ultimate ease, users (just me, in this case) are authenticated using a local LDAP directory, rather than by using system accounts. All SSL certificates for IMAPS and HTTPS were added automatically. Email antivirus scanning is done by Amavis and spam filtering is done by Spamassassin.

I had a little bit of trouble setting up Horde to access webmail and a web interface for configuring sieve rules. By “trouble” I mean the default Apache virtual host declarations needed some changing around and some aliases adding. If you’re familiar with Apache this won’t be a problem.

There are some aspects of ClearOS I don’t like so much, and I would prefer to use CentOS. But now ClearOS has written out all my configs it should be trivial to move my new mail setup to a plain old CentOS installation, where I already run my websites from. I have definitely learnt a lot about how email works by simply reading and understanding the config files written by the frontend.

So if you want to build an email server but don’t know where to start – try ClearOS. It’s a great introduction to the “scary” parts of setting up an email server, like milters and certificates.

Newbie's guide for Linux Apache web servers

Today a friend (from a Windows background – still a friend?! :P ) asked me how to go about setting up a LAMP (Linux, Apache, MySQL & PHP) server. I wrote him a few notes, not only on how to configure the LAMP stack, but also on how to configure a Linux system properly from scratch, and how to do so securely. There are millions of guides out there that explain how to serve web pages with Apache, but not many of them explain the basics of setting up a secure system too.

I’ve edited these notes slightly to make them suitable for a wider audience, but in essence it’s the same stuff. Hope it’s useful!

OS installation

I recommend using CentOS. It doesn’t really matter whether you choose 32-bit (i386) or 64-bit (x86_64), but ideally use 64-bit unless there’s a reason not to.

Boot from the CD or DVD of your choice. It doesn’t matter whether you use the full DVD, or the network install CD.

Choose the text-based installer from the boot prompt by typing linux text. The text installer doesn’t install as much extra rubbish as the GUI installer.

In most cases the default options are good enough. One option you should change is to use an NTP time server. This is especially important with virtual machines, since they suffer badly from clock drift.

Choose a strong root password. You will only need it once again. After that, you won’t even need it for logging on, so there is no need to pick anything memorable. In fact, you are best off choosing a long, random string of mixed-case letters and numbers.

When it comes to choosing packages, deselect as many of the groups as possible. We will add the packages we need individually later on.

Let the installer run its course, and reboot.

Users and passwords

Upon first boot, log in as root using the password you picked before. Now create new user accounts and set passwords:

useradd yourusername
passwd yourusername

Now for setting sudo access. This is like “run as admin” on Windows. Type visudo. In the text file that opens, read down to the line that says

root    ALL=(ALL)       ALL

Duplicate it twice by pressing yyp. Go into insert mode by pressing i and change the username root to your username. When you are done, hit Esc and type :wq to save and exit. Gotta love vi commands ;)

To disable remote root login via ssh, edit the file /etc/ssh/sshd_config using your favourite editor. If you don’t already have a favourite editor, use vi.

Find the line:

#PermitRootLogin yes

and uncomment it and change the value to no:

PermitRootLogin no

Restart the ssh daemon by doing

sudo /sbin/service sshd restart

From now on you can gain root access by using the sudo command, and you won’t need to log in as root again. Log out now by typing exit and re-login as your own user. Forget the root password forever.

Installing packages

First we add a couple of third-party software repositories that have useful stuff.

sudo rpm -Uvh http://download1.rpmfusion.org/free/el/updates/testing/5/i386/rpmfusion-free-release-5-0.1.noarch.rpm http://download1.rpmfusion.org/nonfree/el/updates/testing/5/i386/rpmfusion-nonfree-release-5-0.1.noarch.rpm

Let’s get rid of the stuff we don’t want or need. There are no doubt more things that can be removed than I’ve listed here, but they can be removed later.

sudo yum remove bluez* pcsc*

Update the system so you’re sure that the latest versions of all software are installed.

sudo yum update

Now we can install the stuff we want for LAMP!

sudo yum install httpd mysql-server php php-mysql

If you want to use any PHP modules/libraries they can be installed here too, such as the commonly-used graphics library gd.

Services

Let’s start the two daemons for Apache and MySQL, and tell them to start on boot.

sudo /sbin/service httpd start
sudo /sbin/service mysqld start
sudo /sbin/chkconfig httpd on
sudo /sbin/chkconfig mysqld on

Apache in its default state will run out of the box. MySQL just needs a root password setting.

mysqladmin -u root password NEWPASSWORD

From now on it’s advisable to GRANT access to specific users on specific databases/tables. Go read about MySQL users.

Firewall

Let’s assume you want HTTP on port 80 open to the world. Open /etc/sysconfig/iptables for editing, and add this line.

-A RH-INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Save and close, and run this to make the changes live.

sudo /sbin/service iptables restart
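Two of the steps above only take effect if the new line lands in the right place: sshd uses the first active PermitRootLogin it reads, and iptables stops at the first rule that matches, so an ACCEPT written below the chain’s final REJECT never fires. This added shell example (mine, not part of the original guide) checks both against constructed sample files; on a real box you would feed it /etc/ssh/sshd_config and /etc/sysconfig/iptables, and the chain name RH-INPUT is simply the one used in the rule above.

```shell
#!/bin/sh
# Added example, not part of the original guide. Two steps depend on WHERE a
# line sits in its file: sshd uses the first active PermitRootLogin it reads,
# and iptables stops at the first matching rule. Config text below is
# constructed; real use reads /etc/ssh/sshd_config and /etc/sysconfig/iptables.

# Print the value sshd will use for KEYWORD: the first uncommented
# "Keyword value" line in the global section (scanning stops at a Match
# block), compared case-insensitively. Prints "unset" if never set there.
sshd_effective() {  # usage: sshd_effective KEYWORD < sshd_config
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0  { next }                 # comment or blank
        tolower($1) == "match" { exit }                 # conditional section
        tolower($1) == key     { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# "reachable" if RULE (an "-A CHAIN ..." line) sits above the first REJECT in
# its chain, "shadowed" if below it (it can never match), "missing" if absent.
rule_status() {     # usage: rule_status 'RULE' < iptables
    awk -v rule="$1" '
        BEGIN { split(rule, f, " "); chain = f[2] }
        $0 == rule { at = NR }
        !rej && $1 == "-A" && $2 == chain && / -j REJECT/ { rej = NR }
        END { print (!at ? "missing" : (!rej || at < rej) ? "reachable" : "shadowed") }'
}

# Insert RULE directly above its chain's first REJECT, where it takes effect.
insert_rule() {     # usage: insert_rule 'RULE' < iptables
    awk -v rule="$1" '
        BEGIN { split(rule, f, " "); chain = f[2] }
        !done && $1 == "-A" && $2 == chain && / -j REJECT/ { print rule; done = 1 }
        { print }'
}

# Constructed sshd_config: the stock "yes" left active, "no" appended at the
# bottom. The appended line is the one people believe they have applied.
SSHD_SAMPLE='Port 22
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no'

# Constructed /etc/sysconfig/iptables in the layout the Firewall step edits.
IPT_SAMPLE='*filter
:INPUT ACCEPT [0:0]
:RH-INPUT - [0:0]
-A INPUT -j RH-INPUT
-A RH-INPUT -i lo -j ACCEPT
-A RH-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
HTTP_RULE='-A RH-INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

demo_sshd()       { printf '%s\n' "$SSHD_SAMPLE" | sshd_effective PermitRootLogin; }   # yes
demo_sshd_fixed() { printf '%s\n' "$SSHD_SAMPLE" | sed 's/^PermitRootLogin yes/PermitRootLogin no/' |
                    sshd_effective PermitRootLogin; }                                  # no
demo_appended()   { printf '%s\n' "$IPT_SAMPLE" |
                    awk -v r="$HTTP_RULE" '{ print } / -j REJECT/ { print r }' |       # careless edit
                    rule_status "$HTTP_RULE"; }                                        # shadowed
demo_inserted()   { printf '%s\n' "$IPT_SAMPLE" | insert_rule "$HTTP_RULE" | rule_status "$HTTP_RULE"; } # reachable
```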

Editing configs

The main config file for Apache is at /etc/httpd/conf/httpd.conf. It doesn’t need any changes for basic operation, but if you edit it you need to restart the httpd service to pick up the changes.

If you get serious with web publishing from a LAMP platform, you will probably want to read about name-based virtual hosts.

Adding content

In its basic configuration, you should add PHP scripts, HTML pages and other content like images and stylesheets to /var/www/html/. You do not need to restart the daemon for it to pick up new content.

When debugging pages, you will probably find it handy to refer to the error log, at /var/log/httpd/error_log.

Tip: Open two SSH windows to the server – one for editing stuff, and the other for watching the log scroll by as events occur. Use Ctrl-C to break out of it. Do this:

sudo tail -f /var/log/httpd/error_log

New worst cabinet ever

A while back I wrote about the worst cabinet ever.

Maybe this one isn’t as spectacular to behold, but there is a Cisco switch under all that spaghetti. There are also two PoE power injectors for wireless access points. All this is in a wooden cupboard and it was roasting hot.

You can see that they also haven’t bothered to install a patch board – instead there are just wall sockets covering the side, and a few lying around not attached to anything.

At the back, there’s a telephone patch panel too.


Home of the Internet

While in Sicily last year, I found out where the Internet actually is. It’s halfway up a mountain in Taormina.

The Internet

Escaping usernames during RADIUS accounting

Today I encountered a problem in my FreeRADIUS setup. Usernames can be sent to my RADIUS servers as a simple username (e.g. jonathan) or with a realm prepended (e.g. DOMAIN\jonathan).

When a username with a realm gets sent to a RADIUS authentication server that is doing MSCHAP, the domain is automatically stripped and you never notice. But when it gets sent to an accounting server (clearly no MSCHAP) there is no stripping or escaping done automatically.

This caught me out.

Users were authenticating on my network successfully. DOMAIN\rachel and DOMAIN\thomas were happily authenticated against the domain controllers and gained access to the wireless. But when they started sending accounting packets, the \r and \t portions of their usernames were sent to the database unquoted, where they were interpreted as a Unix newline and a tabspace respectively.

Eeek!

I didn’t notice until I saw that MySQL had converted these \r and \t characters to the hex equivalents. Where my accounting table should have contained rachel, it actually contained DOMAIN=0Dachel.

Yikes!

I fixed this by creating a local proxy realm. At the end of my proxy.conf, I added these lines:

realm DOMAIN {
}

Obviously, with the real name of my domain substituted for DOMAIN.

Then in the preacct section of my virtual server I added the module ntdomain to populate the variable %{Stripped-User-Name} with the domain part of the username that was originally in %{User-Name}.

Now, looking at the top of whichever dialup.conf suits your database architecture, make sure the following line is uncommented:

sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"

…and that all other definitions of sql_user_name are commented.

Once you’ve done this, your accounting detail logs will contain usernames like DOMAIN\\username (with an escaped backslash) and your database table will simply have username.
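As an added shell example (mine, not from the original post or from FreeRADIUS), this mirrors the realm/username split that the ntdomain policy performs, shows why the raw DOMAIN\rachel form was hazardous once something applied C-style escapes to it, and spells out the fallback chain that the sql_user_name setting encodes. The split’s behaviour is my reading of the policy, and the usernames are constructed samples with DOMAIN as a placeholder realm.

```shell
#!/bin/sh
# Added example, not from the original post: mirrors what the ntdomain policy
# does to a realm-prefixed User-Name, shows why the raw form was hazardous for
# accounting, and expresses the fallback that the sql_user_name setting encodes.
# Sample usernames are constructed (the realm DOMAIN is a placeholder).

# Split "DOMAIN\user" as ntdomain does: the realm is everything before the
# first backslash, the stripped username everything after it. A plain
# username is left alone with an empty realm. Output is "realm<TAB>stripped".
ntdomain_split() {  # usage: ntdomain_split 'USER-NAME'
    case "$1" in
        *\\*) printf '%s\t%s\n' "${1%%\\*}" "${1#*\\}" ;;
        *)    printf '\t%s\n' "$1" ;;
    esac
}

# The dialup.conf expression %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
# has the same fallback meaning as the shell's ${a:-b}: the stripped name if
# set, otherwise the full User-Name, otherwise the literal DEFAULT.
sql_user_name() {   # usage: sql_user_name STRIPPED_USER_NAME USER_NAME
    printf '%s\n' "${1:-${2:-DEFAULT}}"
}

# What the unescaped name becomes once a layer applies C-style escapes: the
# "\r" in DOMAIN\rachel turns into a 0x0D carriage return. Hex output makes
# the control byte visible (the 0D the post found in its accounting table).
escaped_bytes() {   # usage: escaped_bytes 'USER-NAME'
    printf '%b' "$1" | od -An -tx1 | tr -s ' \n' ' ' | sed 's/^ //; s/ $//'
}

# "unsafe" if escape processing would alter the name at all, "safe" if not:
# a cheap test to run over accounting input before it reaches the database.
escape_check() {    # usage: escape_check 'USER-NAME'
    if [ "$(printf '%b' "$1")" = "$(printf '%s' "$1")" ]; then echo safe; else echo unsafe; fi
}

demo_realm()        { ntdomain_split 'DOMAIN\rachel' | cut -f1; }          # DOMAIN
demo_stripped()     { ntdomain_split 'DOMAIN\rachel' | cut -f2; }          # rachel
demo_plain()        { ntdomain_split 'jonathan' | cut -f2; }               # jonathan
demo_sql_name()     { sql_user_name "$(demo_stripped)" 'DOMAIN\rachel'; }  # rachel
demo_sql_fallback() { sql_user_name '' 'jonathan'; }                       # jonathan
demo_bytes()        { escaped_bytes 'DOMAIN\rachel'; }                     # 44 4f 4d 41 49 4e 0d 61 63 68 65 6c
demo_unsafe()       { escape_check 'DOMAIN\thomas'; }                      # unsafe
demo_safe()         { escape_check 'thomas'; }                             # safe
```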

Review: Promise SmartStor NS4300N NAS

Promise NS4300N

I decided to buy a NAS and remove the disks from my home server.

I didn’t want to spend too much money, since this was one of those non-essential projects. But equally, I didn’t want to spend too little and get something that would break and destroy all my data with it. Eventually I decided upon a Promise SmartStor NS4300N.

Features

It had all the features I wanted, including:

  • SMB/CIFS for Windows clients
  • NFS for Linux clients
  • RAID5
  • Gigabit Ethernet with Jumbo Frames

First impressions

So how did it shape up?

The build quality was relatively poor. It’s made from thin plastic and feels flimsy. The disk caddies are incredibly flimsy and flexible, and I felt nervous even handling them; but this didn’t matter because I planned to assemble it and leave it alone.

It wasn’t exactly quiet either. There is an 80mm fan for the disks and a 40mm fan for the internal PSU. The 80mm fan only spins when the disks are hot but it is very noisy when it does so. The 40mm fan is constant but not so loud. And of course there’s the sound of four hard disks, which varies depending on make and model. Overall, it’s probably quieter than a standard computer, but you wouldn’t want to sleep with it in your bedroom.

It’s not a problem for me because I’m putting it in the loft.

Setting it up

The initial setup wasn’t as straightforward as I thought it could (should?) have been, especially for beginners. But it wasn’t really much trouble to set up a RAID5 array with 4 x 500GB disks and format it, for a total of 1.4TB.

More confusing, perhaps, was the selection of different protocols and the layout for setting up users, shares and permissions.

I wanted to set up two shares, public and private, and set public to be world-readable (for my media centre) and private to be accessible only by me. If you create these accounts on the NAS, it’s simple enough to tick the boxes and set the desired permissions on Windows (SMB/CIFS) shares.

But NFS was a different kettle of fish. No user-level permissions are available on the NAS for NFS, and the only control you get is a list of allowed IP addresses. By default the NAS says it allows *.*.*.* but I found that this didn’t let anyone in. Adding real IP addresses to the list worked.

However, I found that when you have data shared both as NFS and SMB/CIFS, the permissions go out of the window and are not respected at all. An unauthenticated guest user was able to read and delete files from my private share.

Performance

Performance was far worse than I had expected.

With the NAS mounted on my PC via NFS, it would only manage 4.8MB/s sustained write rate, and 13.5MB/s sustained read rate. That’s significantly worse than the sustained 30MB/s I used to get with the same disks in the server, as a Linux software RAID array. On top of that, writing at this speed tied up my computer’s quad-core CPU 100% with IOWait.

With the NAS mounted on the same PC via SMB, it was able to write sustained at 9.2MB/s.

This is really quite poor, given that the same set of disks when connected directly into the server with SATA could write at some 35MB/s.

It depends on your usage though – if you simply want to play music and videos from the NAS then 10MB/s is fine, even for high definition. However I use mine for large backups and I don’t want to wait almost ten times longer for the backups to complete.

Summary

  • If you already have a NAS or storage server that you are happy with, don’t buy this.
  • If you want to use NFS, don’t buy this.
  • If you care about high performance, don’t buy this.
  • If you want a reasonably-priced solution for backups or sharing media between computers, buy this. I reckon it would be fine to shove in a cupboard and simply drag your movies onto it from your computer, so you could watch them on your media centre.

However, it didn’t cut the mustard with me, so I sent it back. I’ve now returned to my original system with the four disks hosted in the server. It’s fast and the permissions work fine – the downside is that I have to keep a large, noisy ATX tower case and can’t switch to an Intel Atom solution :-(

SSH tunnelling to your home network

SSH tunnelling is no big secret, and there are loads of guides out there that explain how it is done in generic terms. This guide is slightly different, as it explains how to tunnel to hosts that are not publicly addressable.

For example, if you have a Linux server as your home network gateway then you can simply open ports on it, e.g. port 80 for a web server.

If you want to access a service on a computer on your network other than your server, you will have to set up port forwarding.

But there’s another way. Today while I was at work, I needed to change something on my home network printer’s web interface. The printer has a private IP address in the range 192.168.0.0/24 and there is no port forwarding set up (why would I want to share my printer’s control panel on the internet?).

Supposing my server is called jonathangazeley.com then I can enter a command like this from my work PC:

ssh -f jonathan@jonathangazeley.com -L 2000:192.168.0.105:80 -N

This command sets up port 2000 on localhost to point to port 80 on my printer at home.

Then I open my browser at work and navigate to http://localhost:2000

Hey presto, I can now see my printer’s config page remotely. As a nice by-product, the connection is also encrypted by the ssh protocol.