Just a note: to install KnowledgeTree CE on newer distributions, one needs to disable PHP 5.3, and this can be accomplished on CentOS 5 using:
# yum install knowledgetree --exclude="zend-server-php-5.3, mod-php-5.3-apache2-zend-server"
I’ve previously used a home router as a VPN gateway to my corporate network at AESTE. However, I’ve recently noticed that Ubuntu comes with its own PPTP client and I could use this instead while leaving the home router for devices that are not capable of connecting directly, such as a consumer NAS device at home.
I didn’t realise it but configuring it on Ubuntu was a snap. Just use the network manager and set the following settings:
VPN:
    Connection Name: Any VPN
    Gateway: ip of the PPTP server
    User Name: CHAP username
    Password: CHAP password
Advanced:
    Use Point-to-point encryption (MPPE): checked
IPV4 Settings:
    Method: Automatic VPN
    Routes:
        Use this connection only for resources on its network: checked
        Add in any necessary routes to reach your private network.
The installation of hylafax on Debian Squeeze went like a charm. I just had to plug the UM3100 modem into the usb port and follow the instructions on the official Debian wiki.
# apt-get install hylafax-server
# faxsetup
The only tricky part was with handling fax attachments. While there are problems getting PDF attachments to work, postscript attachments worked right out of the box as it is pure text.
It seems that ‘metamail’ is required to get PDF to work but this package has since been abandoned in Debian.
Since I do not expect to be getting volumes of faxes, I decided not to waste too much time in getting PDF to work. I am happy enough with just getting PS attachments instead.
If someone else manages to get PDF fax attachments to work on Debian (post etch), please feel free to add to the comments below.
I have already been using virt-io for hard-disk emulation in my guest machines under KVM. However, I have never tried virt-io networking before. Seeing that I wanted to upgrade my machines, I thought that I’d give it a try and this is where I noticed the speed bump.
Following some of the instructions at the lib-virt page, I got virt-io networking working for all my VMs. This is the result:
virt-io activated.
------------------------------------------------------------
Client connecting to x.x.x.x, TCP port 5001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[ 3] local x.x.x.x port 34610 connected with x.x.x.x port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 113 MBytes 94.4 Mbits/sec
[ 3] 10.0-20.0 sec 116 MBytes 97.3 Mbits/sec
[ 3] 20.0-30.0 sec 117 MBytes 97.8 Mbits/sec
[ 3] 30.0-40.0 sec 115 MBytes 96.8 Mbits/sec
[ 3] 40.0-50.0 sec 115 MBytes 96.4 Mbits/sec
[ 3] 50.0-60.0 sec 116 MBytes 97.7 Mbits/sec
[ 3] 60.0-70.0 sec 117 MBytes 97.9 Mbits/sec
[ 3] 70.0-80.0 sec 116 MBytes 97.6 Mbits/sec
[ 3] 80.0-90.0 sec 115 MBytes 96.3 Mbits/sec
[ 3] 90.0-100.0 sec 117 MBytes 98.0 Mbits/sec
[ 3] 0.0-100.0 sec 1.13 GBytes 97.0 Mbits/sec
virt-io deactivated.
------------------------------------------------------------
Client connecting to x.x.x.x, TCP port 5001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[ 3] local x.x.x.x port 58218 connected with x.x.x.x port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 47.6 MBytes 39.9 Mbits/sec
[ 3] 10.0-20.0 sec 49.7 MBytes 41.7 Mbits/sec
[ 3] 20.0-30.0 sec 46.5 MBytes 39.0 Mbits/sec
[ 3] 30.0-40.0 sec 50.8 MBytes 42.6 Mbits/sec
[ 3] 40.0-50.0 sec 49.5 MBytes 41.5 Mbits/sec
[ 3] 50.0-60.0 sec 47.5 MBytes 39.8 Mbits/sec
[ 3] 60.0-70.0 sec 44.9 MBytes 37.6 Mbits/sec
[ 3] 70.0-80.0 sec 46.1 MBytes 38.7 Mbits/sec
[ 3] 80.0-90.0 sec 45.2 MBytes 37.9 Mbits/sec
[ 3] 90.0-100.0 sec 46.2 MBytes 38.8 Mbits/sec
[ 3] 0.0-100.0 sec 474 MBytes 39.8 Mbits/sec
As you can see, more than a 200% increase in throughput.
What is more amazing is that this increased bandwidth is not shared directly. This means that two guest VMs running under the same host both enjoy a 100Mbps speed simultaneously, not 100Mbps shared across the two. This is a massive performance boost, especially inter-VM.
Lesson learned – ALWAYS use virt-io for all I/O operations under KVM/libvirt.
In order to improve the security of my blog, I have tried a few measures.
A while ago, I bought a YubiKey, which generates a one-time password to be used alongside the regular login. This provided two-factor authentication and it was certainly working for a while. Then, I read up more about the YubiKey and found that there might be holes in the implementation of the plugin since it is still quite a new product and relatively untested.
So, I switched to using VPN instead. I configured my web-server to reject all attempts to access the administrative pages unless the connection originated from the local server. Then, I would use SSH to create a tunnel into the server and secure my connection through SSH keys. This also required two-factor authentication and had the additional benefit that the entire connection was secured over SSH.
I added this to my lighttpd configuration.
# Deny access to wordpress admin pages
$HTTP["host"] =~ "blog.sybreon.com|tech.sybreon.com" {
    $HTTP["remoteip"] !~ "213\.229\.116\.90$" {
        $HTTP["url"] =~ "^/wp-admin/|^/server-" {
            url.access-deny = ("")
        }
    }
}
However, I had trouble accessing my blog from certain places because they blocked SSH connections.
Finally, I switched to SSL instead. I have now configured my web-server to only accept connections that present a valid security certificate over SSL. Again, this is a two-factor authentication using SSL certificates. Once again, the connection is also secured over SSL. I park my web server behind a pound reverse-proxy. So, this is the way I did it.
ListenHTTP
    Address ::
    Port 80
    ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
    xHTTP 0
    Service
        URL "^(?!/wp-admin).*"
        HeadRequire "Host:.*(blog|tech).sybreon.com"
        BackEnd
            Address ::1
            Port 8080
        End
    End
End
ListenHTTPS
    Address ::
    Port 443
    Cert "/etc/ssl/private/blog.crt"
    CAlist "/etc/ssl/private/sybreon.ca.asc"
    VerifyList "/etc/ssl/private/sybreon.ca.asc"
    Ciphers "HIGH"
    ClientCert 2 3
    Service
        HeadRequire "Host:.*(blog|tech).sybreon.com"
        BackEnd
            Address ::1
            Port 8080
        End
    End
End
What this does is reject all connections to the admin pages for my blogs if they come over regular HTTP, and only allow connections over HTTPS. However, for HTTPS connections, client certificates are required, which are signed by my own custom CA. If a client certificate is not presented, the connection will fail.
The advantage of doing it this way is that I can actually have collaborators. All I need to do is to generate new certificates for them and email the certificates to them. This process can even be automated if need be.
PS: You can try accessing the admin page over HTTP and HTTPS here, to see how this works.
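One way to automate the certificate issuance described above, as an added example that is not part of the original post. In this variant the collaborator generates the key and sends back only a CSR, so the private key never travels by email; the CA name, the file names and the collaborator name `alice` are placeholders.

```shell
#!/bin/sh
# Added example: private CA plus client-certificate issuance with openssl.
set -eu
umask 077                                   # private keys readable by owner only

write_cnf() {                               # $1 = working directory
cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Run once: the private CA. ca.crt plays the role of the file CAlist/VerifyList name.
make_ca() {                                 # $1 = dir
    write_cnf "$1"
    openssl req -x509 -config "$1/pki.cnf" -extensions v3_ca -subj "/CN=Example Blog CA" \
        -newkey rsa:2048 -nodes -days 3650 -keyout "$1/ca.key" -out "$1/ca.crt"
}

# Collaborator side (same dir here only for the demo): key stays local, CSR is sent.
make_csr() {                                # $1 = dir, $2 = collaborator name
    openssl req -new -config "$1/pki.cnf" -subj "/CN=$2" \
        -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr"
}

# CA side: sign the CSR as a time-limited certificate usable only for TLS client auth.
sign_csr() {                                # $1 = dir, $2 = name, $3 = validity in days
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -days "$3" -sha256 -extfile "$1/pki.cnf" -extensions v3_client -out "$1/$2.crt"
}

# Check before handing the certificate out: does it chain to this CA as a TLS client?
verify_client() {                           # $1 = CA cert, $2 = client cert
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
make_ca "$work"
make_csr "$work" alice
sign_csr "$work" alice 365
verify_client "$work/ca.crt" "$work/alice.crt" && echo "alice.crt verifies against ca.crt"
```

To load the result into a browser, the collaborator bundles their own key and the returned certificate with `openssl pkcs12 -export`.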
There are a number of ways to increase the hard-disk size of a VM once it is provisioned, without rebuilding the VM. The chief way of doing it is via LVM and I love it.
My setup uses KVM on the host with all disk images stored in an LVM pool. In each VM, the main hard-disk also uses LVM, which is perfect.
To increase the size of the VM, I do this:
lvextend -L+10G /dev/lvmpool0/volumename
fdisk or similar tool.
pvcreate /dev/hdaX
vgextend vgname /dev/hdaX
vgdisplay will show the amount of Free PE.
lvextend -l +XXXX /dev/vgname/lvname
resize2fs /dev/vgname/lvname