Virt-io Networking

I have already been using virt-io for hard-disk emulation in my guest machines under KVM. However, I had never tried virt-io networking before. Since I wanted to upgrade my machines anyway, I thought I'd give it a try, and this is where I noticed the speed bump.

Following some of the instructions on the libvirt page, I got virt-io networking working for all my VMs. This is the result:


------------------------------------------------------------
Client connecting to x.x.x.x, TCP port 5001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[ 3] local x.x.x.x port 34610 connected with x.x.x.x port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 113 MBytes 94.4 Mbits/sec
[ 3] 10.0-20.0 sec 116 MBytes 97.3 Mbits/sec
[ 3] 20.0-30.0 sec 117 MBytes 97.8 Mbits/sec
[ 3] 30.0-40.0 sec 115 MBytes 96.8 Mbits/sec
[ 3] 40.0-50.0 sec 115 MBytes 96.4 Mbits/sec
[ 3] 50.0-60.0 sec 116 MBytes 97.7 Mbits/sec
[ 3] 60.0-70.0 sec 117 MBytes 97.9 Mbits/sec
[ 3] 70.0-80.0 sec 116 MBytes 97.6 Mbits/sec
[ 3] 80.0-90.0 sec 115 MBytes 96.3 Mbits/sec
[ 3] 90.0-100.0 sec 117 MBytes 98.0 Mbits/sec
[ 3] 0.0-100.0 sec 1.13 GBytes 97.0 Mbits/sec
virt-io activated.


------------------------------------------------------------
Client connecting to x.x.x.x, TCP port 5001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[ 3] local x.x.x.x port 58218 connected with x.x.x.x port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 47.6 MBytes 39.9 Mbits/sec
[ 3] 10.0-20.0 sec 49.7 MBytes 41.7 Mbits/sec
[ 3] 20.0-30.0 sec 46.5 MBytes 39.0 Mbits/sec
[ 3] 30.0-40.0 sec 50.8 MBytes 42.6 Mbits/sec
[ 3] 40.0-50.0 sec 49.5 MBytes 41.5 Mbits/sec
[ 3] 50.0-60.0 sec 47.5 MBytes 39.8 Mbits/sec
[ 3] 60.0-70.0 sec 44.9 MBytes 37.6 Mbits/sec
[ 3] 70.0-80.0 sec 46.1 MBytes 38.7 Mbits/sec
[ 3] 80.0-90.0 sec 45.2 MBytes 37.9 Mbits/sec
[ 3] 90.0-100.0 sec 46.2 MBytes 38.8 Mbits/sec
[ 3] 0.0-100.0 sec 474 MBytes 39.8 Mbits/sec
virt-io deactivated.

As you can see, more than a 200% increase in throughput.

What is more impressive is that this increased bandwidth is not shared directly. This means that two guest VMs running under the same host each enjoy 100Mbps simultaneously, not 100Mbps shared between the two. This is a massive performance boost, especially for inter-VM traffic.

Lesson learned – ALWAYS use virt-io for all I/O operations under KVM/libvirt.

Securing My Blog

In order to improve the security of my blog, I have tried a few measures.

A while ago, I bought a Yubi-Key, which generates a one-time password to be used alongside the regular login. This provided two-factor authentication, and it certainly worked for a while. Then I read up more about the Yubi-Key and found that there might be holes in the implementation of the plugin, since it is still quite a new product and relatively untested.

So, I switched to using a VPN instead. I configured my web server to reject all attempts to access the administrative pages unless the connection originated from the local server. Then I would use SSH to create a tunnel into the server, securing my connection with SSH keys. This also required two-factor authentication and had the additional benefit that the entire connection was secured over SSH.

I added this to my lighttpd configuration:

# Deny access to wordpress admin pages
$HTTP["host"] =~ "blog.sybreon.com|tech.sybreon.com" {
    $HTTP["remoteip"] !~ "213\.229\.116\.90$" {
        $HTTP["url"] =~ "^/wp-admin/|^/server-" {
            url.access-deny = ("")
        }
    }
}

However, I had trouble accessing my blog from certain places because they blocked SSH connections.

Finally, I switched to SSL instead. I have now configured my web server to only accept connections that present a valid security certificate over SSL. Again, this is two-factor authentication, using SSL certificates, and once again the connection is also secured over SSL. I park my web server behind a pound reverse proxy, so this is the way I did it:

ListenHTTP
    Address ::
    Port 80
    ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
    xHTTP 0

    Service
        URL "^(?!/wp-admin).*"
        HeadRequire "Host:.*(blog|tech).sybreon.com"
        BackEnd
            Address ::1
            Port 8080
        End
    End

End

ListenHTTPS
    Address ::
    Port 443

    Cert "/etc/ssl/private/blog.crt"
    CAlist "/etc/ssl/private/sybreon.ca.asc"
    VerifyList "/etc/ssl/private/sybreon.ca.asc"
    Ciphers "HIGH"
    ClientCert 2 3

    Service
        HeadRequire "Host:.*(blog|tech).sybreon.com"
        BackEnd
            Address ::1
            Port 8080
        End
    End
End

What this does is reject all connections to my blogs' admin pages if they come over regular HTTP, allowing them only over HTTPS. For HTTPS connections, a client certificate signed by my own custom CA is required; if no client certificate is presented, the connection fails.

The advantage of doing it this way is that I can actually have collaborators. All I need to do is generate new certificates for them and email them. This process can even be automated if need be.

PS: You can try accessing the admin page over HTTP and HTTPS here, to see how this works.

Increasing VM Size

There are a number of ways to increase the hard-disk size of a VM once it is provisioned, without rebuilding the VM. The chief way of doing it is via LVM, and I love it.

My setup uses KVM on the host, with all disk images stored in an LVM pool. In each VM, the main hard disk also uses LVM, which is perfect.

To increase the size of the VM, I do this:

  1. Stop the VM.
    Just so I don't screw anything up accidentally, I stop the VM first.
  2. Extend the volume in the host.
    This increases the size of the disk on the host:
    lvextend -L+10G /dev/lvmpool0/volumename
  3. Start up the VM.
    It should reflect the new disk size. Check this using fdisk or a similar tool.
  4. Partition the empty space.
    Preferably, use a Logical partition. Remember to set the partition type to '8E' for Linux LVM.
  5. Reboot the VM.
    This ensures the partition table changes are re-read; VMs sometimes have issues with this.
  6. Create the new PV.
    Ready the new partition:
    pvcreate /dev/hdaX
  7. Extend the VG to this PV.
    This appends the PV to the existing VG instead of creating a new VG:
    vgextend vgname /dev/hdaX
  8. Find out the amount of free space.
    This is needed for the next step. vgdisplay will show the amount of Free PE.
  9. Extend the Logical Volume in this VG.
    The LV can be extended to any size, up to the maximum free space found above:
    lvextend -l +XXXX /dev/vgname/lvname
  10. Resize the File System.
    This is the final step to using the new disk:
    resize2fs /dev/vgname/lvname
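Steps 8 to 10 leave the extent count (XXXX) to be worked out by hand. The following Python helper is an added example, not from the original post: it parses vgdisplay output for the Free PE count and the PE size, clamps a requested size to what is actually free, and emits the lvextend and resize2fs commands for steps 9 and 10. The vgdisplay sample, the VG/LV names and the function names are constructed assumptions.

```python
import re

# Constructed sample of `vgdisplay vgname` output inside the guest (not a real capture).
SAMPLE_VGDISPLAY = """\
  --- Volume group ---
  VG Name               vgname
  System ID
  Format                lvm2
  VG Size               19.99 GiB
  PE Size               4.00 MiB
  Total PE              5118
  Alloc PE / Size       2558 / 9.99 GiB
  Free  PE / Size       2560 / 10.00 GiB
"""


def parse_free_pe(vgdisplay_text):
    """Return (free_pe_count, pe_size_mib) from vgdisplay output (step 8)."""
    free = re.search(r"Free\s+PE / Size\s+(\d+)", vgdisplay_text)
    size = re.search(r"PE Size\s+([\d.]+)\s+MiB", vgdisplay_text)
    if not free or not size:
        raise ValueError("could not find Free PE / PE Size in vgdisplay output")
    return int(free.group(1)), float(size.group(1))


def plan_lvextend(vgdisplay_text, vg, lv, want_gib=None):
    """Build the commands for steps 9 and 10.

    want_gib=None means use every free extent; otherwise the request is
    converted to extents and clamped to what the VG really has free, so the
    lvextend call cannot fail for asking more than is available.
    """
    free_pe, pe_mib = parse_free_pe(vgdisplay_text)
    if free_pe == 0:
        raise ValueError("no free extents in VG; did vgextend (step 7) succeed?")
    if want_gib is None:
        extents = free_pe
    else:
        wanted = int(want_gib * 1024 / pe_mib)
        extents = min(wanted, free_pe)
    dev = f"/dev/{vg}/{lv}"
    return [f"lvextend -l +{extents} {dev}", f"resize2fs {dev}"]


if __name__ == "__main__":
    for cmd in plan_lvextend(SAMPLE_VGDISPLAY, "vgname", "lvname"):
        print(cmd)
```

The script only prints the commands; run them in the guest yourself after checking they target the right volume. If you always want every free extent, lvextend also accepts -l +100%FREE, which makes the arithmetic unnecessary.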

Streamyx Modem Hack

I recently installed a new Streamyx package at my office. It came with a free Riger WL108 modem, which was quite limited. The configuration options available were appalling and the security of the device was non-existent. It was just using WEP, and it took me under 2 minutes to crack the keys.

However, what is not often documented is that the modem is capable of much more, as there is a hidden administrative function. Just log in to the modem as tmadmin:tmadmin and the system will expose all sorts of goodies.

Wireless Security
Look under Wireless – Security and you can enable WPA2; both the PSK and EAP versions are available. I set mine to PSK, as I wanted to use it as a public-access wifi for authorised personnel.

DMZ
Look under Advanced Setup – NAT – DMZ Host and you can specify a DMZ host to use. I love this option, as it will allow me to remotely log in to my office network and access certain services from anywhere in the world. This will be very useful as a VPN entry point for road-warriors.

Dynamic DNS
Look under Advanced Setup – DNS – Dynamic DNS and you can configure it to talk to any of the available dynamic DNS services. As my office network is on a dynamic IP, this will be handy for accessing my office network using a domain name instead.

There is a lot more that can be configured; many capabilities are actually built into the modem, just not enabled or accessible from the regular user access menu.

So, I was able to get a lot of advanced features working without going out to buy a new modem. I was actually contemplating that, and am glad that I will be able to save the RM100 or so instead.

Freeradius, OpenLDAP, DD-WRT

I recently had reason to set up the wireless network in my office. Since this is an office network, I decided to put it on the right path, even if I was the only one using the wireless at the moment.

I started by setting up a public WEP network. This is for the use of guests to the office and is considered part of the RED zone in my firewall settings. Then I wanted to set up a GREEN wireless zone and felt that WPA-EAP was the best way to go for an enterprise-class installation.

Since all my back-end infrastructure is Debian based, I decided to go with whatever was in the box: Freeradius and OpenLDAP. OpenLDAP was easy to set up, as I have configured many LDAP servers in the past; it was fairly straightforward. Then came the Freeradius settings.

The default installation of Freeradius actually has almost everything done. All I had to do was configure the LDAP module and voila, it works (with some minor caveats). With the default PEAP-MSCHAPv2 setup, all LDAP passwords must be stored in clear text, which kind of sucked. So I decided to go with TTLS-PAP instead, which allows the passwords to be stored in any form, including the salted-SHA1 encoding I had chosen for my LDAP.

ldap {
    server = "localhost"
    identity = ""
    password =
    basedn = ""
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    password_attribute = userPassword
    set_auth_type = no
}
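The reason TTLS-PAP tolerates hashed LDAP passwords while the default PEAP-MSCHAPv2 setup does not is worth seeing in code. The Python below is an added example, not part of the original post nor of the FreeRADIUS or OpenLDAP code: it generates and verifies OpenLDAP's {SSHA} userPassword encoding (base64 of SHA-1(password || salt) followed by the salt), then models which inner method can authenticate against such a value. The function names, the sample passwords and the simplified "cleartext means no scheme prefix" rule are assumptions; a stored NT hash would also let MSCHAPv2 work but is not modelled here.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Produce an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt).

    The salt is normally random (4 bytes here, as slappasswd does); a fixed
    salt may be passed in so results are reproducible in tests.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password (what PAP delivers inside the TTLS tunnel)
    against a stored {SSHA} value. Constant-time compare on the digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def auth_method_supported(method, stored):
    """Can the RADIUS server complete this inner method with this stored value?

    PAP: the server receives the cleartext, so it can recompute any hash.
    MSCHAPv2: the server must derive the NT hash, which it can only do from
    a cleartext password (assumption: cleartext = no '{scheme}' prefix);
    a salted SHA-1 cannot be turned back into one.
    """
    if method == "PAP":
        return True
    if method == "MSCHAPv2":
        return not stored.startswith("{")
    raise ValueError(f"unknown inner method: {method}")


if __name__ == "__main__":
    entry = ssha_hash("example-passphrase")      # constructed sample credential
    print(entry)
    print("PAP ok:", ssha_verify("example-passphrase", entry))
    print("MSCHAPv2 ok:", auth_method_supported("MSCHAPv2", entry))
```

The trade-off to keep in mind: PAP is only safe because the outer TLS tunnel carries it, so supplicants must be configured to validate the RADIUS server certificate (and ideally its CA and name); a client that skips that check will hand its cleartext password to any access point that imitates the network.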

For the DD-WRT settings, I had to configure Freeradius to accept connections from a new client with a shared secret. Then I configured DD-WRT with the same shared secret to connect to the radius server. Done.

# replace with DD-WRT IP
client 10.X.X.X {
    secret =
    shortname =
}

I have been using it for several days and I have to say that it has been pretty decent so far. I have no complaints.

Weird TLD in China

I was reading about a recent Gmail hack from China, and the article actually showed the IP used to access the account. Since I was fairly curious, I decided to take a look into the IP – 125.45.96.89 – and I was surprised by the result.

inetnum: 125.40.0.0 - 125.47.255.255
netname: UNICOM-HA
descr: China Unicom Henan province network
descr: China Unicom
country: CN
admin-c: CH1302-AP
tech-c: WW444-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-HA
mnt-routes: MAINT-CNCGROUP-RR
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20051011
changed: hm-changed@apnic.net 20051020
changed: hm-changed@apnic.net 20090507
changed: hm-changed@apnic.net 20090508
source: APNIC

Nothing surprising here, since the IP reports itself as being allocated to a Chinese ISP – China Unicom in Henan.

; <<>> DiG 9.7.0-P1 <<>> -x 125.45.96.89
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60982
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;89.96.45.125.in-addr.arpa. IN PTR

;; ANSWER SECTION:
89.96.45.125.in-addr.arpa. 85865 IN PTR hn.kd.ny.adsl.

;; Query time: 23 msec

Now, this totally caught my eye. Notice that the PTR record gives the name for that IP as hn.kd.ny.adsl – an uncommon TLD. So I checked Wikipedia for a list of available TLDs and, sure enough, the ADSL TLD does not seem to exist. If I try to ping hn.kd.ny.adsl, the address does not even resolve through the normal DNS system.

ping: unknown host hn.kd.ny.adsl

Now, this indicates to me that China is running its own root servers, which does not surprise me one bit, as it uses them to implement the Great Firewall of China. Since it does this, it is free to implement its own list of TLDs that nobody else in the rest of the world uses. This is all fine and dandy until ICANN decides to approve the use of an ADSL TLD in the future.
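The two checks done by hand above (is the PTR name's TLD real, and does the name resolve forward to the same IP) are exactly what a log-enrichment step should automate before anyone reads a reverse-DNS name as evidence. The Python below is an added example, not from the original post: it pulls the PTR target out of dig's answer section and classifies it as unknown-TLD, forward-confirmed (FCrDNS) or not forward-confirmed. The TLD set is a constructed subset standing in for IANA's root-zone list, the forward resolver is a constructed lookup table rather than a live query, and the function names are assumptions; only the PTR answer line comes from the post.

```python
import re

# Constructed dig output; the answer line is the one shown in the post.
SAMPLE_DIG = """\
;; ANSWER SECTION:
89.96.45.125.in-addr.arpa. 85865 IN PTR hn.kd.ny.adsl.
"""

# Constructed, deliberately tiny subset of real TLDs. A production check would
# load the full list from https://data.iana.org/TLD/tlds-alpha-by-domain.txt
KNOWN_TLDS = {"com", "net", "org", "cn", "my", "arpa"}

# Constructed stand-in for forward DNS (name -> A records). Names missing from
# it behave like the "ping: unknown host" result in the post.
FORWARD = {
    "host1.example.net": {"198.51.100.7"},
}


def parse_ptr(dig_text):
    """Return [(ip, ptr_name), ...] from the ANSWER SECTION of a `dig -x` run."""
    out = []
    pattern = r"^(\S+)\.in-addr\.arpa\.\s+\d+\s+IN\s+PTR\s+(\S+)\.$"
    for m in re.finditer(pattern, dig_text, re.M):
        # in-addr.arpa stores the octets reversed; flip them back.
        ip = ".".join(reversed(m.group(1).split(".")))
        out.append((ip, m.group(2)))
    return out


def assess_ptr(ip, name, known_tlds=KNOWN_TLDS, forward=FORWARD):
    """Classify a PTR target.

    unknown-tld: the name cannot exist in the public root zone, so the PTR
    says nothing about who operates the host (the post's case).
    forward-confirmed: name -> A includes the original IP (FCrDNS passes).
    not-forward-confirmed: a public name, but the owner of that name never
    pointed it at this IP, so treat it as unverified.
    """
    tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
    if tld not in known_tlds:
        return "unknown-tld"
    if ip in forward.get(name, set()):
        return "forward-confirmed"
    return "not-forward-confirmed"


def enrich(dig_text):
    """Run both checks over every PTR answer in a dig capture."""
    return [(ip, name, assess_ptr(ip, name)) for ip, name in parse_ptr(dig_text)]


if __name__ == "__main__":
    for ip, name, verdict in enrich(SAMPLE_DIG):
        print(f"{ip} -> {name}: {verdict}")
```

Anyone controlling the reverse zone for an address block can publish whatever PTR text they like, so a reverse name is attribution only after it forward-confirms; an unknown TLD, as here, should be logged as "PTR present but unverifiable" rather than as a hostname.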

With the recent WikiLeaks fiasco, people are already talking about fragmenting the Internet. This is proof that the Internet is already fragmented – we just need to take it to the next level. Zero-One-Infinity, anyone?