Increasing VM Size

There are a number of ways to increase the hard-disk size of a VM once it is provisioned, without rebuilding the VM. The chief way of doing it is via LVM and I love it.

My setup uses KVM on the host with all disk images stored in an LVM pool. In each VM, the main hard-disk also uses LVM, which is perfect.

To increase the size of the VM, I do this:

  1. Stop the VM.
    Just so I don’t screw anything up accidentally, I will stop the VM.
  2. Extend the volume in the host.
    This increases the size of the disk on the host:
    lvextend -L+10G /dev/lvmpool0/volumename
  3. Start up the VM.
    It should reflect the new disk size. Check this by using fdisk or a similar tool.
  4. Partition the empty space.
    Preferably, use a Logical partition. Remember to set the partition type to ‘8E’ for Linux LVM.
  5. Reboot the VM.
    This ensures the disk changes are read. VMs sometimes have issues with this.
  6. Create the new PV.
    Ready the new partition:
    pvcreate /dev/hdaX
  7. Extend the VG to this PV.
    This will append the PV to the existing VG instead of creating a new VG:
    vgextend vgname /dev/hdaX
  8. Find out the amount of free space.
    This is needed for the next step. vgdisplay will show the amount of Free PE.
  9. Extend the Logical Volume in this VG.
    The LV can be extended by any size, up to the maximum free space found above:
    lvextend -l +XXXX /dev/vgname/lvname
  10. Resize the File System.
    This is the final step to using the new disk:
    resize2fs /dev/vgname/lvname

Streamyx Modem Hack

I recently installed a new Streamyx package at my office. It came with a free Riger WL108 modem which was quite limited. The configuration options available were appalling and the security of the device was non-existent. It was just using WEP and it took me under 2 minutes to crack the keys.

However, what is not often documented is that the modem is capable of much more, as there is a hidden administrative function. Just log in to the modem as tmadmin:tmadmin and the system will expose all sorts of goodies.

Wireless Security
Look under Wireless – Security and we can enable WPA2, both the PSK and EAP versions are available. I set mine to PSK as I wanted to use it as a public access wifi for authorised personnel.

DMZ
Look under Advanced Setup – NAT – DMZ Host and we can specify a DMZ host to use. I love this option as it will allow me to remotely login to my office network and access certain services from anywhere in the world. This will be very useful as a VPN entry for road-warriors.

Dynamic DNS
Look under Advanced Setup – DNS – Dynamic DNS and we can configure it to talk to any of the dynamic DNS services available. As my office network is on a dynamic IP, this will be handy to access my office network using a domain name instead.

There is a lot more stuff that can be configured and a lot of capabilities are actually built into the modem, just not enabled or accessible from the regular user access menu.

So, I was able to get a lot of advanced features working without going out to buy a new modem. I was actually contemplating this and am glad that I will be able to save up the RM100 or so instead.

Freeradius, OpenLDAP, DD-WRT

I had reason to set up the wireless network in my office recently. Since this is an office network, I decided to put it on the right path, even if I was the only one using the wireless at the moment.

I started with setting up a public WEP network. This was for the use of guests to the office and is considered as part of the RED zone in my firewall settings. Then, I wanted to set up a GREEN wireless zone and felt that WPA-EAP was the best way to go for an enterprise class installation.

Since all my back-end infrastructure is Debian based, I decided to go with whatever was in the box – Freeradius and OpenLDAP. OpenLDAP was easy to set up as I have configured many LDAP servers in the past. It was fairly straightforward. Then came the Freeradius settings.

The default installation of Freeradius has actually got almost everything done. All I had to do was to configure the LDAP module and voila. It works! (with some minor caveats). With the default PEAP-MSCHAPv2 setup, all LDAP passwords must be stored in clear-text, which kind of sucked. So, I decided to go with TTLS-PAP instead, which allowed the passwords to be stored in any form, including the Salted-SHA1 encoding I had chosen for my LDAP.

ldap {
server = "localhost"
identity = ""
password =
basedn = ""
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
password_attribute = userPassword
set_auth_type = no
}

For the DD-WRT settings, I had to configure Freeradius to accept connections from a new client with a shared secret. Then, I configured DD-WRT with the shared secret to connect to the radius server. Done.

#replace with DD-WRT IP
client 10.X.X.X {
secret =
shortname =
}

I have been using it for several days and I have to say that it has been pretty decent so far. I have no complaints.

Hacking Python

I was asked to help solve a problem today, involving checking the voter registration status of a database of voters against a web-form. This is not a totally straight-forward scripting issue as the web-form contains a randomly generated key and a number of other values that need to be included in the query. So, any program written would need to have a bit of smarts.

It was designed that way, don’t ask me why.

So, I thought to myself, this would be a good opportunity to learn some Python! Honestly, I have never written any Python before and I thought that since Python was a great scripting language to hack stuff together quickly, I should try to see if I could do this in Python. To make it a little challenging, I gave myself two hours to finish it (the length of free time I had while sitting at a local pasar malam this evening).

So, I started by looking up the official Python examples on how to form a HTTP query – straightforward and easy with Python. Then, I did some text processing on the return results to grep the various random keys. Next, I followed the official examples on how to perform a HTTP post. Finally, I used the official examples on how to process a CSV file and perform the checkup under a sub-routine inside a loop.

It took me just an hour to finish the script. I think that this is more of a reflection on the ease of use of Python, rather than my skills. I have just proven to myself that it is possible for me to pick up a new language and accomplish something useful with it in under an hour. Amazing.

Anyway, the code isn’t totally pretty but it is available at github.

Gawker Passwords

After reading the news report about the Gawker password leak, I thought to myself, WTF?!! According to the BBC article, I just couldn’t believe the kind of passwords people chose to use for their accounts. Unfortunately, I see this everywhere, particularly in corporate environments. People tend to come up with passwords that depend on what keys are placed in sequence on a keyboard.

Okay, having previously worked in information systems security, I have learned some things about password security. And the biggest thing that I learned from this leak is that these people did not take suitable password protection measures.

  • A password must never be stored in the clear because it can be read if the database is dumped.
  • A password must never be encrypted because it can be read if the secret key used to encrypt it is broken along with the application.
  • A password must never be stored as a plain hash because a common password (like in this case) can be recovered by matching it against hashes calculated outside of the attack.
  • A password must always be randomly seeded and hashed so that the same password can have different hash values under different conditions.

In fact, the last method – a randomly seeded hash – is only good for now, until it is broken. This scheme should be used to protect any sort of data used for one-way authentication. There are many different ways to do a seeded hash but the concept is similar in all cases – to prevent a value from having the same hash all the time.
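
The difference between the last two points, as an added example that is not from the original post: two accounts sharing a common password have identical plain hashes, so one table of hashes calculated in advance matches both, while randomly seeded hashes differ per account and match nothing in that table. It goes one step beyond the post by using PBKDF2 (a seeded hash that is also deliberately slow); the account names, word list and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

COMMON = ["123456", "password", "qwerty"]  # constructed sample word list


def plain_hash(password):
    """Unseeded hash: the same password always gives the same value."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def precomputed_table(words):
    """Hashes calculated once, outside of any attack, keyed by hash value."""
    return {plain_hash(w): w for w in words}


def salted_hash(password, salt=None, iterations=100_000):
    """Seeded hash: a fresh random salt per account, stored next to the hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, dk


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, dk)


def recovered_by_table(db, table):
    """Accounts in a dumped {user: hex_hash} database that the table matches."""
    return {user: table[h] for user, h in db.items() if h in table}


if __name__ == "__main__":
    table = precomputed_table(COMMON)
    # Constructed accounts: both users picked the same common password.
    unsalted = {u: plain_hash("123456") for u in ("alice", "bob")}
    records = {u: salted_hash("123456") for u in ("alice", "bob")}
    salted = {u: rec[2].hex() for u, rec in records.items()}
    print("plain hashes matched:", recovered_by_table(unsalted, table))
    print("seeded hashes matched:", recovered_by_table(salted, table))
    print("login still works:", verify("123456", records["alice"]))
```
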

Can you imagine it, the most common password is “123456”??!!!

This is probably a good time to plug a simple tool that will come in very handy with online passwords – pwdhash. It comes with both a Firefox and Chrome plugin so it can be easily used in modern browsers. What it does is to seed a password with the domain name and hash it. So, even if your password is “123456”, it will be sent as a random string of characters to the website.