Dropbear

Blog

  • SNMP Information from your DLink DSL-300 ADSL Modem

    Not many people know it, but the DLink DSL-300 ADSL modem has SNMP management capabilities. And for such a small and cheap network device, its not too bad an implementation of it. Or perhaps I’ve just seen a lot of dead-awful ones to compare objectively. Of course the displaying of the private community in the MIB, which is something the DSL-300 does, is a pretty dumb idea.

    I should point out right here that these instructions work for me. They might work for you, or you might just find some easter egg in the modems firmware that turns it into a smoke machine So do any of this stuff at your own risk.

    You will have to connect to the modem using a serial port first to find out the IP address and change either your computers or the modems IP address so they are in the same network. Note that this address is not the same as the one your provider gives. And the communities are the very hard to guess public and private for read-only and read-write respectively.

    The modem has some of the standard SNMP MIBs that anyone who’s played with SNMP will quickly recognise, such as.

    * system information
    * interface information including the ifTable
    * IP MIB – Packets in out, discards etc
    * ip routes
    * TCP MIB
    * SNMP MIB, which is statistics about the agent itself
    * SNMPv2-SMI::mib-2.17.4

    All pretty standard stuff you see in pretty much any device. All the good information is always found in the private enterprises part of the MIB, and the DSL-300 is no exception. The problem is that if you ask
    DLink about it, they will tell you nothing. The nice thing about DLink is they’re pretty consistent about annoying the hell out of their customers by denying them technical information.

    With that rant out of the way, its time to work out for myself what these values are for. I’ve got some worked out but it will take some more time to get it all clear and possibly some will never be worked out, thanks DLink!

    All OIDs start with private.enterprises.171.11 There are quite a few gaps so if you know what the missing values mean, drop me a line.

    OID Type Description
    1.1.1.0 STRING Software version eg “R1.14AU”
    1.1.2.0 STRING PROM firmware version “Ver. 1.00”
    1.1.3.0 STRING Hardware version “Rev. 1.00”
    1.1.4.0 INTEGER Management Protocols supported: 2=snmp-ip
    1.1.5.1 Table Table showing what MIBs are supported
    1.1.5.1.1.X INTEGER  – Index of Table
    1.1.5.1.2.X STRING  – Name of MIB supported eg “DSL504-MIB”, “RFC1213-MIB”
    1.1.5.1.3.X INTEGER  – Version of MIB supported
    1.1.5.1.4.X INTEGER  – Type of MIB
    30.1.1.0 INTEGER Bridge/Router: 1=PPPoA-Router, 2=PPPoA-Bridge, 3=RFC1483-Router, 4=RFC1483-Bridge
    30.1.2.0 INTEGER Config Save 1
    30.1.3.0 INTEGER System Restart 1
    30.1.4.0 INTEGER ?? 1
    30.2.1.0 INTEGER ADSL Driver Mode: 0=link down, 1=T1-413, 2=G-lite, 3=G-DMT
    30.2.2.0 INTEGER Upstream rate in kbps
    30.2.3.0 INTEGER Downstream rate in kbps
    30.2.4.0 STRING Device driver version
    30.2.5.0 INTEGER ADSL Link Status: 0=Idle, 1=Connecting, 2=Connected
    30.2.6.0 INTEGER Driver Path: 0=Fast, 1=Interleave
    30.2.7.0 INTEGER Near End FEC line error count
    30.2.8.0 INTEGER Far End FEC line error count
    30.2.9.0 INTEGER Near End CRC line error count
    30.2.10.0 INTEGER Far End CRC line error count
    30.2.11.0 INTEGER Near End HEC line error count
    30.2.12.0 INTEGER Far End HEC line error count
    30.2.13.0 INTEGER Near End LOS (Loss Of Signal) count
    30.2.14.0 INTEGER Far End LOS (Loss Of Signal) count
    30.2.15.0 INTEGER Near End LOF (Loss Of Frame) count
    30.2.16.0 INTEGER Far End LOF (Loss Of Frame) count
    30.2.17.0 INTEGER Near End line error count
    30.2.18.0 INTEGER Far End line error count
    30.2.19.0 INTEGER Near End Alarm Indication Signal: 0=no alarm, 1=alarm
    30.2.20.0 INTEGER Far End Alarm Indication Signal: 0=no alarm, 1=alarm
    30.2.21.0 INTEGER Near End Remote Defect Identification: 0=no defect, 1=defect
    30.2.22.0 INTEGER Far End Remote Defect Identification: 0=no defect, 1=defect
    30.2.23.0 INTEGER Upstream Capacity (in percent)
    30.2.24.0 INTEGER Downstream Capacity (in percent)
    30.2.25.0 INTEGER Upstream line attenuation
    30.2.26.0 INTEGER Downstream line attenuation
    30.2.27.0 INTEGER Upstream Noise Margin
    30.2.28.0 INTEGER Downstream Noise Margin
    30.2.29.0 INTEGER Upstream Output Power
    30.2.30.0 INTEGER Downstream Output Power
    30.2.31.0 INTEGER Link retrain count
    30.2.32.0 Array Carrier Load Array
    30.2.33.0 INTEGER Unable to initialize count
    30.2.34.1.1.1-96 INTEGER A 96 row table, index column. The value equals the instance.
    30.2.34.1.2.1-96 INTEGER Near End Error Second
    30.2.34.1.3.1-96 INTEGER Far End Error Second
    30.2.35.0 INTEGER Near End Error Second count for the day
    30.2.36.0 INTEGER Far End Error Second count for the day
    30.2.37.1.1.1-7 INTEGER Error Second for the day table – instance. Value = instance
    30.2.37.1.2.1-7 INTEGER Near End Error Second count for the day
    30.2.37.1.3.1-7 INTEGER Far End Error Second count for the day
    30.3.1.0 INTEGER Spanning Tree State: 0=other, 1=disabled, 2=enabled
    30.3.2.0 INTEGER VPI of bridged PVC
    30.3.3.0 INTEGER VCI of bridged PVC
    30.4.1.1.1.1 INTEGER Index of table
    30.4.1.1.2.1 IpAddress IP address of modem
    30.4.1.1.3.1 IpAddress Network mask of modem
    30.4.1.1.4.1 INTEGER Send RIP 1=RIPv1 2=RIPv2 3=Both RIP 4=None
    30.4.1.1.5.1 INTEGER Accept RIP 1=RIPv1 2=RIPv2 3=Both RIP 4=None
    30.4.1.1.6.1 INTEGER IP Forwarding: 2=None 3=All
    30.4.1.1.7.1 INTEGER DHCP Client: 1=other, 2=disabled, 3=enabled
    30.4.1.1.8.1 INTEGER NAT State: 1=other, 2=disabled, 3=enabled
    30.4.2.1.0 INTEGER Static Route Count 0
    30.4.3.1.1.1.6
     .112.117.98.108.105.99    		 Hex-STRING SNMP read-only community, 28 bytes long with 0 padding. eg fred = 66 72 65 64 00…
    30.4.3.1.1.1.7
     .112.114.105.118.97.116.101    		 Hex-S SNMP read/write community, same encoding as Read-only
    30.4.3.1.1.2.6
     .112.117.98.108.105.99    		 INTEGER ?? 1
    30.4.3.1.1.2.7
     .112.114.105.118.97.116.101    		 INTEGER ?? 2
    30.9.1.0 IpAddress IP address of TFTP server
    30.9.2.0 String Remote filename on TFTP server
    30.9.3.0 String Local filename
    30.9.4.0 INTEGER Set to 1 to make modem connect to server
    30.9.5.0 INTEGER Set to 1 to get remote file
    30.9.6.0 INTEGER TFTP status: 0=idle, 1=Wait ACK, 2=Wait Data, 3=Sent Write Request, 4=Sent Read Request, 5=Done

    Some definitions you might find useful:

    * Error Second (ES) – Any second where at least one bit error was received.

  • Anti-Nimda/Code Red Auto-Emailer

    The Nimda and Code Red worms really annoy the hell out of me. It puts about 10-15% more load on my servers and is caused by some slack half-witted fool who calls themselves a system administrator who cannot be bothered to fix their joke of an operating system…

    Now I got **that** off my chest, this script will send an email to postmaster@their_domain explaining that they should fix their computer. Note that you will quite often get a lot of bounce-backs
    because idiots who run unpatched servers are that same sort of idiots that don’t have common mailbox names as spelt out in RFC 2142.
    The script will also send one email per worm attack, so they can quite often get lots of emails, perhaps they will fix their server and stop being a nuisance of The Internet then.

    To use this you will need apache (most likely running on something that is not Windows NT), the mod_rewrite module for apache and php.

    First you need a file. I called it nimda.php and put in at /var/www/nimda.php but it can go anywhere. You will need to do some editing, you can change the message to whatever you like.

    Then edit apache configuration file to the following:

    RewriteEngine On
RewriteRule ^(.*/winnt/.*) /var/www/nimda.php?url=$1
RewriteRule ^(.*/scripts/.*) /var/www/nimda.php?url=$1
RewriteRule ^(.*/Admin.dll) /var/www/nimda.php?url=$1
Alias /default.ida /var/www/nimda.php?url=default.ida

    If that damn worm comes visiting, it should work out the domain the worm is from and email the postmaster there. Note that you will get a fair few bounced emails but I have had some success with this approach with people taking notice. I’m still getting about 100 worm visits a day per computer though 🙁

  • Linux load numbers

    Many utilities, such as top in [procps](http://procps.sf.net/) display the percentages of time the cpu is busy doing things such as userland programs, system calls or just idle. This page describes the file /proc/stat and how programs interpret the numbers they find.

    I am the [Debian](http://www.debian.org/ maintainer for procps which contains top. Often I get bug reports about those numbers that appear at the top of top (called the summary area) so hopefully it will
    help Debian users understand it too.

    ##The /proc/stat file
    The file /proc/stat file is where the cpu numbers come from. As I am typing this, my single Athlon cpu computer running Linux 2.6.15 had the first two lines of the file looking like:

    $ grep ^cpu /proc/stat
cpu  217174 10002 105629 7692822 90422 6491 22673 0
cpu0 217174 10002 105629 7692822 90422 6491 22673 0

    The first thing you can see is I have 1 cpu, as there is only the aggregate line (starting with cpu) and then one individual cpu line (showing cpu0). Each field is describing how much time the cpu is been in various states, the values are in jiffies (more about them later). From left to right, the values are:

    * Userland – running normal programs
    * Nice – running niced programs
    * System – running processes at the system level, eg the kernel
    * Idle – CPU is doing nothing (running idle task)
    * IOwait – CPU is waiting for IO to come back
    * irq – servicing a hardware interrupt
    * softirq – servicing a software interrupt
    * Steal – To do with virtual machines, this cpu is waiting for the others

    ##Jiffies
    Quite often the kernel doesn’t count time in seconds, but counts them in a unit called jiffies. There is a concept of a value called Hz or Hertz which is the number of jiffies in a second. Happily for us, we’re only
    looking at percentages, so it doesn’t really matter.

  • Debian GNU/Linux on Compaq nx6320

    Last updated: 30 December 2006

    ##General Hardware Specifications of Compaq nx6320:

    Hardware Components
    Status under Linux
    Notes
    Intel Core Duo, 2GHz Works No special procedure required during installation.
    1024×768 15″ TFT Display Works Select Generic LCD Display in Installer
    Intel Graphics Media Accelerator 950 Works Used Standard Xorg drivers
    2GB, DDR2 Works No special procedure required during installation
    100 GB SATA Hard Drive Works Requires recent kernel, eg 2.6.18 for driver
    10/100/1000 Integrated Network Card Works Installer found the Tigon driver for it fine
    24X Max Variable CD-ROM Drive Works No special procedure required during installation
    Internal Intel Wireless Networking Works Need to download specific driver, see below.
    59 WHr Lithium-Ion Battery Works No special procedure required during installation
    Intel 82801G Sound Card Works Used ALSA driver snd_hda_intel

    This laptop is operating under Kernel version 2.6.18

    ##Basic Installation of Debian:
    I used Debian Etch RC3 as I wanted to test the installer and also get Linux on a small partition of this laptop. It is only used for network testing and as a remote Xserver, so it doesn’t have much installed.

    The sarge installer won’t work, the kernel is too old and it will not find your SATA drives.

    ##Setting up additional features for Debian
    The wireless port was the trickiest part. You need to install some packages to get it going. Make sure you have contrib and non-free in your apt archives as these drivers are not in main.

    Then install ipw3945d, firmware-ipw3945 and the module. The exact name of the module depends on what kernel you have installed. I have kernel from the package linux-image-2.6.18-4-686 so the module package is ipw3945-modules-2.6.18-4-686.

    Nothing else needed to be done, no other module packages are required. It started off kinda weird but a depmod -a and reboot later I had solid link and, once I go my wireless key on, connected fine.

    ##Unresolved issues
    None really, except I have not tried out the bluetooth, modem or smartcard reader. With the exception of the modem all are found.

    ##Links
    * [Linux on Laptops](http://www.linux-on-laptops/)
    * [Intel 3945ABG Driver](http://ipw3945.sourceforge.net/)
    * [Installing Linux on nx6320](http://www.linlap.com/wiki/Hewlett-Packard+nx6320)

  • SMTP Authentication with Postfix using files or MySQL

    There are times when you need to have users authenticate their SMTP sessions. Perhaps you have roaming users and you don’t want to be an open relay, but you cannot predict where these users are. You need a way for them to say to your SMTP server “hey I belong here, let me send email”.

    One way to do is is using SMTP Authentication. The user’s username and password are sent to the SMTP server. The server then checks the pair is correct and lets the user then send mail (or not if they are incorrect). SMTP Authentication is defined in RFC 2554.

    Postfix has a method of authentication, but it is tied up with SASL. For file-based authentication you just create a special password database. However for other types you cannot simply make a LDAP or MySQL table and be done with it. You can either use SASL natively or do it the way I have implemented it here where Postfix uses SASL which uses PAM which uses MySQL; around-about way but it does work. There is some sporadic documentation about this around The Internet, but I wrote this up in the hope you find it useful and so I don’t have to remember it or relearn it all over again.

    You might also be able to adapt this method to use other sorts of PAM authentication. For example I’m pretty sure this method with a little adaption would also work for LDAP authentication. Obviously you could
    use other databases other than MySQL, its just what I was using here.

    Required Packages

    The following Debian packages are required to get this all working. I’m using Debian Sarge here but for the most part it should work for other versions and dists with some small changes. Some other packages will be needed, but will be pulled in as dependencies.

    postfix-tls 2.1.5-9
    The main postfix server with TLS and SASL support.
    libsasl2-modules 2.1.19-1.5
    Modules that provide the LOGIN,PLAIN, ANONYMOUS, OTP, CRAM-MD5, and DIGEST-MD5 (with DES support) authentication methods.
    libpam-mysql 0.4.7-1
    PAM module to query a MySQL database – only for MySQL authentication.
    metamail
    Useful for base64 encoding and decoding using mimencode.

    You have to make sure that either one or both of the authentication modules packages are installed. If you don’t and you setup Postfix to use SASL (see below) then the stupid process will be throttled. For older distributions you may need the libsasl (no 2) packages.

    Postfix and MySQL socket problem

    Postfix runs the smtpd daemon in a chrooted environment, usually something like */var/spool/postfix*. That means that as far as the smtpd process is concerned you have nothing above that point. MySQL has a socket sitting in another directory, something like */var/run/mysql/mysqld.sock*. The problem is that the socket sits in an area that smtpd believes doesn’t exist and cannot get to anyway because of the chroot.

    To get around this problem, you have 3 options:
    1. Stop smtpd from running into a chroot.
    2. Move the mysql socket into the chroot.
    3. Don’t use the mysql socket, use a TCP socket instead.

    The last two are reasonably simple, possibly the third is the best option (you can make mysqld listen only to the loopback interface). Look at the MySQL documentation about how to move sockets or make it listen on its TCP port.

    Stopping smtpd from being in a chroot

    This had me going for a long, long time. To change this, edit /etc/postfix/master.cf and change the following line:

    smtp      inet  n       -       n       -       -       smtpd

    The second ‘n’ means it is not chrooted. There may be a way of running smtpd in a chroot with the SASL and MySQL authentication but I’m not sure how.

    Postfix Changes

    The following lines are added to /etc/postfix/main.cf

    smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = myserver
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject

    SASL Files Setup

    So far the postfix server knows it has to use SASL if it gets an authentication request. The default way for SASL to work out if you are authenticated is for it to examine a Berkley DB file called /etc/sasldb2. You can add and change users using the saslpasswd2 program.

    The problem here is if you run smtpd in a chroot environment then it will not find the sasldb file. If you try to authenticate postfix will give an error “warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory”. The problem here is that you have a /etc/sasldb2 file, but postfix is looking for a /var/spool/postfix/etc/sasldb2 file.

    The two solutions for this problem are to either not run postfix in a chroot environment (see a previous section on how to stop it) or get that sasldb2 file into the correct directory. You can put it right by copying it. You will also need to make sure the user that smtpd runs as can read the file.

    Debian users can automatically get this file updated by editing /etc/init.d/postfix. Around line 43 there is a list of files that are copied from their real directories into the chroot. Change the line so it looks like:

               FILES="etc/localtime etc/services etc/resolv.conf etc/hosts 
                etc/nsswitch.conf etc/sasldb2"

    Now when postfix is restarted you have the new sasldb2 ready to go.

    If you are doing file-based authentication then you are done, drop down to the Testing section.

    MySQL SASL Setup

    For MySQL authentication, the next step is to get SASL to ask PAM to authenticate the user. There’s some confusion because the location of this file has moved around. On my system with the versions of the packages given above, it is found at /etc/postfix/sasl/smtpd.conf but it also has been found in /usr/local/lib/sasl/smtpd.conf and /usr/lib/sasl/smtp.conf. The file is real simple one-liner:

    pwcheck_method: pam

    That’s it for SASL, it will then use standard PAM as we all know and love for authenticating.

    PAM Setup

    The PAM setup is pretty standard. All you need to know is the PAM service is called smtp, so you need to create a file /etc/pam.d/smtp. SASL only uses the authentication management group.

    It might be useful to test how things are going so far. To do this, and only for testing, you can use the pam_permit module. This module permits anything you send, so its useful for testing or for some strange circumstances, but shouldn’t be used in a production environment. The file /etc/pam.d/smtp would then look like:

    auth     required   pam_permit.so

    If you are going to run it with MySQL, use a configuration similar to that shown below. The configuration is similar to a user doing the following:

    server$ mysql -u postfix -psecret postfixdb
mysql> SELECT id FROM users WHERE id='givenusername' AND password='givenpassword';

    auth     required   pam_mysql.so user=postfix passwd=secret db=postfixdb table=users usercolumn=id passwdcolumn=password crypt=0

    The table users has two columns. The first is called id and has the username, the second is password it has the unencrypted password in it. A select is made checking both username and password. If there is a single row returned, authentication is successful.

    Testing

    I use the plain authentication method for testing. To do this you need to convert the username and password into a base64 encoded string. For example, if you have username user and password pass, you would type:

    server$ printf 'useruserpass' | mimencode
dXNlcgB1c2VyAHBhc3M=

    So the string is the username and password joined together with between them. The username is needed twice. To test it, telnet to the SMTP port of your server and type the auth commands.

    server$ telnet mail.my.server 25
Trying 10.1.2.3
Connected to 10.1.2.3.
Escape character is '^]'.
220 mail.my.server ESMTP Postfix
EHLO blah
250-mail.my.server
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5
250-AUTH=LOGIN PLAIN CRAM-MD5 DIGEST-MD5
250-XVERP
250 8BITMIME
auth plain dXNlcgB1c2VyAHBhc3M=
235 Authentication successful

    I’ve used a EHLO instead of the normal HELO as this is an extended hello, so the server gives you a list of things it can do. Notice that there are two AUTH lines, this is due to the broken_sasl_auth_clients line in /etc/postfix/main.cf.

    You may have different authentication modules, it depends on what packages you have installed.

    The important thing is the server’s response to your commands is 235 Authentication successful. This means that it recognizes the username and password. If it doesn’t, it returns a 535 Error: authentication failed. If you get a failed message, check the mail logs. The logs should tell you why the authentication failed.

    Instead of using the plain authentication, you might want to use the LOGIN method. Once again mimencode is used to get the base64 encoding:

    server$ printf 'user' | mimencode
dXNlcg==
server$ printf 'pass' | mimencode
cGFzcw==

    You now have the two base64 encoded strings, to test this method is very similar to the PLAIN method.

    server$ telnet 10.1.2.3 25
Trying 10.1.2.3...
Connected to 10.1.2.3.
Escape character is '^]'.
220 my.mail.server ESMTP Postfix
EHLO blah
250-my.mail.server
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5
250-AUTH=LOGIN PLAIN CRAM-MD5 DIGEST-MD5
250-XVERP
250 8BITMIME
auth login
334 VXNlcm5hbWU6
dXNlcg==
334 UGFzc3dvcmQ6
cGFzcw==
235 Authentication successful

    You might wonder what that strange text is after the 334 numbers. Once again mimencode can help. It’s a base64 encoding of the response from the mail server.

    server$ printf 'VXNlcm5hbWU6' | mimencode -u ; echo
Username:
server$ printf 'UGFzc3dvcmQ6' | mimencode -u ; echo
Password:

    So the mail server is asking for a username and password, in base64. I don’t know why they bother to do this as it doesn’t make it that much more secure but at least you now know what it is.

    Client Configuration

    OK, so you have you server setup that can do authentication, but now you want your laptop that is running Postfix to relay all email through your server. This section describes the client setup.

    Postfix Setup

    Setting up Postfix is pretty simple. Tell Postfix to send all email to your mail server and enable SASL. The file /etc/postfix/main.cf requires the following lines:

    relayhost = mail.example.net
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_security_options =

    The configuration is telling postfix to send all email to mail.example.net, use SASL authentication and that the passwords are found in a particular file. Remember for outgoing mail Postfix uses smtp while incoming
    uses smtpd. As the client sends email the configuration lines have the “d less” smtp_ keywords.

    Client Password file

    The format of the client password file is simple, especially if you have written hash tables for Postfix before. The key is the remote server and the value is the username and password to use for that server separated by a colon.

    mail.example.net     myuser:secpasswd

  • pkghelper – Help for sysV packages

    The default package type for Solaris is definitely not the best out there, but at least you can guarantee you can install the package on any machine that has the right dependencies. The problem is making those packages for your own programs has been never easy. I hope this sets of scripts makes it a little bit easier for you.

    The scripts are heavily influenced by the Debian packaging system. If you’ve made a .deb before then a lot will look familiar to you. The documentation for the scripts is lacking but hopefully there is enough to get you started. My thanks to Joey Hess for his debhelper scripts, which this set is inspired from.

    Getting the scripts

    I have made a tarball of the scripts and some example files. pkghelper-1.0.tar.gz

    Feedback

    The scripts are very new and only been used by myself so I’m expecting a lot of people are going to find the way rocky. I’d appreciate any feedback; good or bad, about them.

    Copyright

    The scripts are copyright © 2002 by me (Craig Small) and permission is given to distribute and/or modify it under the terms of the GNU General Public License, more commonly known as the GPL. It is not essential for the purposes of the license, but is preferable if you sent any enhancements to myself at the address below. Acknowledgement of the work (or not if you prefer) will be given.