Scrobbling to Last.fm from D-Bus

Yesterday afternoon I noticed that my music player, Banshee, had not been scrobbling to my Last.fm for a few weeks. Last.fm seem to be in the middle of reorganising their site but that shouldn’t affect their API (at least not for scrobbling). However, it seems that it has upset Banshee so no more scrobbling for me.

Banshee has a number of deficiencies but there’s a few things about it that I really do like, so I wasn’t relishing changing to a different player. It’s also written in Mono which doesn’t look like something I could learn very quickly.

I then noticed that Banshee has some sort of D-Bus interface where it writes things about what it is doing, such as the metadata for the currently-playing track… and so a hackish idea was formed.

Here’s a thing that listens to what Banshee is saying over D-Bus and submits the relevant “now playing” and scrobble to Last.fm. The first time you run it it asks you to authorise it and then it remembers that forever.

https://github.com/grifferz/dbus-scrobbler

I’ve never looked at D-Bus before so I’m probably doing it all very wrong, but it appears to work. Look, I have scrobbles again! And after all it would not be Linux on the desktop if it didn’t require some sort of lash-up that would make Heath Robinson cry his way to the nearest Apple store to beg a Genius to install iTunes, right?

Anyway it turns out that there is a standard for this remote control and introspection of media players, called MPRIS, and quite a few of them support it. Even Spotify, apparently. So it probably wouldn’t be hard to adapt this script to scrobble from loads of different things even if they don’t have scrobbling extensions themselves.

“My IP is blocked by a repressive regime, can I have a different one?”

I asked this question on Twitter yesterday and got a wider range of responses than I expected, although from a limited number of people. So I wondered what others would think.

Say you sell virtual machines and a customer says:

My service allows journalists and others inside repressive regimes to get their stories out. My IP address is being blocked by one of these repressive regimes. Can you switch it for another one?

Would you grant that request?

Assume you have never heard of their service or anyone that uses it, have no independent verification of whether what they are saying is true, and haven’t yet looked for any.

Responses so far could roughly be grouped as:

  • 2x “Yes; it’s a reasonable request and other networks’ policies are their own business”
  • 2x “Yes; once, but check it’s not some global spam blacklisting issue”
  • 3x “Yes; but charge them for your time each time they ask for this”
  • 2x “No; you’ll end up with all your IPs blocked, which may affect other customers”
  • 1x “No; tell them to use a cloud with a constantly-changing IP address” (involves me losing the customer)

What would you do?

Scanning for open recursive DNS resolvers

A few days ago we unfortunately had some abuse reports regarding customers with DNS resolvers being abused in order to participate in a distributed denial of service attack.

Amongst other issues, DNS servers which are misconfigured to allow arbitrary hosts to do recursive queries through them can be used by attackers to launch an amplified attack on a forged source address.

I try to scan our address space reasonably often but I must admit I hadn’t done so for some time. I kicked off another scan and found one more customer with a misconfigured resolver, which has since been fixed.

After mentioning that I would do a scan I was asked how I do that.

I use a Perl script I’ve hacked together over the last couple of years. I took a few minutes to tidy it up and add a small amount of documentation (run it with --man to read that), so here it is in case anyone finds it useful:

Update: This code has now been moved to GitHub. If you have any comments, problems or improvements please do submit them as an issue and I will get to it much quicker. The gist below is now out of date so please don’t use it.

Using the default 100 concurrent queries it scans a /21 in about 80 seconds (YMMV depending upon how many hosts you have that firewall 53/UDP). That scales sort of linearly with how many you do, so using -q 200 for example will cut that down to about 40 seconds. It’s only a select loop though so it’ll use more CPU if you do that.

Two things I’ve noticed since:

  • It doesn’t handle failing to create a socket with bgsend so for example if you run up against your limit of file descriptors (commonly ~1024 on Linux) the whole thing will get stuck at 100% CPU.
  • One person reported a similar situation (bgsend fails, stuck at 100% CPU) when they allowed it to try to send to a broadcast address. I haven’t been able to replicate that one yet.
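The Perl scanner itself lives in the GitHub repository, so here is the core check it performs, written as an added example in Python (not the author’s code): send one query with RD set to a server you are responsible for and classify the reply. A server that sets RA and returns an answer for a name it is not authoritative for is the open resolver the abuse reports are about; a REFUSED reply is what a correctly locked-down server sends. The query name example.com and the sample replies in the test are constructed, and socket errors are returned rather than raised so a loop over many hosts does not wedge the way the page describes when bgsend fails.

```python
import secrets
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000      # message is a response
FLAG_RD = 0x0100      # recursion desired (set by us)
FLAG_RA = 0x0080      # recursion available (set by the server)
RCODE_MASK = 0x000F
RCODE_REFUSED = 5


def build_query(name, txid):
    """Build a minimal A/IN query for `name` with RD set, like a stub resolver would."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def classify_response(resp, txid):
    """Say what a reply tells us about the server's recursion policy.

    'open-recursive': RA set, NOERROR and at least one answer record, i.e. the
                      server resolved a foreign name on our behalf.
    'refused'       : RCODE REFUSED, the usual sign of a correctly locked-down server.
    'no-recursion'  : answered, but without RA or without any answer records.
    'malformed'     : not a DNS response to our query at all.
    """
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & FLAG_QR:
        return "malformed"
    rcode = flags & RCODE_MASK
    if flags & FLAG_RA and rcode == 0 and ancount > 0:
        return "open-recursive"
    if rcode == RCODE_REFUSED:
        return "refused"
    return "no-recursion"


def probe(server, name="example.com", timeout=2.0):
    """Ask one server (IPv4 or IPv6 literal) to resolve `name` and classify the reply.

    Socket errors come back as a result string rather than an exception, so a
    caller looping over many hosts keeps going when it hits the fd limit or a
    broadcast address it is not allowed to send to.
    """
    txid = secrets.randbelow(0x10000)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(name, txid), (server, 53))
            resp, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "no-reply"          # 53/UDP filtered, or not a DNS server
    except OSError as exc:
        return "error: %s" % exc   # e.g. EMFILE, or EACCES on a broadcast address
    return classify_response(resp, txid)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe(host))
```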

Converting an IPv6 address to its reverse zone in Perl

I’m needing to work out the IPv6 reverse zone for a given IPv6 CIDR prefix, that is, a prefix with the number of network bits on the end after a forward slash, e.g.:

  • 2001:ba8:1f1:f004::/64 → 4.0.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa
  • 4:2::/32 → 2.0.0.0.4.0.0.0.ip6.arpa
  • 2001:ba8:1f1:400::/56 → 0.0.4.0.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa

I had a quick look for a module that does it, but couldn’t find one, so I hacked this subroutine together:

Is there a more elegant way? Is there a module I can replace this with?

Must support:

  • Arbitrary prefix length
  • Use of ‘::’ anywhere legal in the address
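The subroutine itself is not reproduced here, so the following is an added Python example (not the author’s Perl) that meets the two requirements using the standard ipaddress module: it expands “::” wherever it appears and takes one label per nibble of the network part. It also goes a step beyond the text: for a prefix length that is not a multiple of 4 it returns the set of nibble-aligned zones that exactly cover the prefix. Note that a /56 has 14 network nibbles and so a 14-label zone; the 16-label form shown in the third example above is the zone of the corresponding /64.

```python
import ipaddress


def reverse_zone(prefix):
    """Return the ip6.arpa zone for an IPv6 CIDR prefix on a nibble boundary.

    '::' is expanded by the ipaddress module, and strict=False lets a prefix
    with host bits set (2001:db8::1/64) be normalised to its network first.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("%s: prefix length is not a multiple of 4, use reverse_zones()" % prefix)
    # exploded form is 8 groups of 4 hex digits; drop the colons to get 32 nibbles
    nibbles = net.network_address.exploded.replace(":", "")
    kept = nibbles[: net.prefixlen // 4]          # one label per network nibble
    return ".".join(list(reversed(kept)) + ["ip6", "arpa"])


def reverse_zones(prefix):
    """Return the nibble-aligned ip6.arpa zones that exactly cover `prefix`.

    A /64 gives one zone; a /61 gives the eight /64 zones inside it, which is
    what you would have to create or delegate for a non-aligned prefix.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    aligned = -(-net.prefixlen // 4) * 4           # round up to the next nibble boundary
    return [reverse_zone(str(sub)) for sub in net.subnets(new_prefix=aligned)]


if __name__ == "__main__":
    for p in ("2001:ba8:1f1:f004::/64", "4:2::/32", "2001:ba8:1f1:400::/56", "2001:db8::/61"):
        print(p, "->", ", ".join(reverse_zones(p)))
```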

Linux, IPv6, router advertisements and forwarding

By default, a Linux host on an IPv6 network will listen for and solicit router advertisements in order to choose an IPv6 address for itself and to set up its default route. This is referred to as stateless address autoconfiguration (SLAAC).

If you don’t want a host to automatically configure an address and route then you could disable this behaviour by writing “0” to /proc/sys/net/ipv6/conf/*/accept_ra.

Additionally, if the Linux host considers itself to be a router then it will ignore all router advertisements.

In this context, what makes the difference between router or not are the settings of the /proc/sys/net/ipv6/conf/*/forwarding files (or the net.ipv6.conf.*.forwarding sysctl). If you turn your host into a router by setting one of those to “1”, you may find that your host removes any IPv6 address and default route it learnt via SLAAC.

There is a valid argument that a router should not be autoconfiguring itself, and should have its addresses and routes configured statically. Linux has IP forwarding features for a reason though, and sometimes you want to forward packets with a Linux box while still enjoying autoconfiguration. In my case I have some hosts running virtual machines, with IPv6 prefixes routed to the virtual machines. I’d still like the hosts to learn their default route via SLAAC.

It’s taken me a long time to work out how to do this. It isn’t well-documented.

Firstly, if you have a kernel version of 2.6.37 or higher then your answer is to set accept_ra to “2”. From ip-sysctl.txt:

accept_ra – BOOLEAN

Accept Router Advertisements; autoconfigure using them.

Possible values are:

  • 0 Do not accept Router Advertisements.
  • 1 Accept Router Advertisements if forwarding is disabled.
  • 2 Overrule forwarding behaviour. Accept Router Advertisements even if forwarding is enabled.

Functional default:

  • enabled if local forwarding is disabled.
  • disabled if local forwarding is enabled.

This appears to be a type of boolean that I wasn’t previously familiar with – one that has three different values.

If you don’t have kernel version 2.6.37 though, like say, everyone running the current Debian stable (2.6.32), this will not work. Helpfully, it also doesn’t give you any sort of error when you set accept_ra to “2”. It just sets it and continues silently ignoring router advertisements.

fuuuuuuuuuuuuuuuuuuuuuu

Fortunately Bjørn Mork posted about a workaround for earlier kernels which I would likely have never discovered otherwise. You just have to disable forwarding for the interface that your router advertisements will come in on, e.g.:

# echo 0 > /proc/sys/net/ipv6/conf/eth0/forwarding

Apparently as long as /proc/sys/net/ipv6/conf/all/forwarding is still set to “1” then forwarding will still be enabled. Obviously.

Additionally there are some extremely unintuitive interactions between “default” and “all” settings you may set in /etc/sysctl.conf and pre-existing interfaces. So there is a race condition on boot between IPv6 interfaces coming up and sysctl configuration being parsed. martin f krafft posted about this, and on Debian recommends setting desired sysctls in pre-up headers of the relevant iface stanza in /etc/network/interfaces, e.g.:

iface eth0 inet6 static
    address 2001:0db8:10c0:d0c5::1
    netmask 64
# Enable forwarding
    pre-up echo 1 > /proc/sys/net/ipv6/conf/default/forwarding
    pre-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
# But disable forwarding on THIS interface so we still get RAs
    pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/forwarding
    pre-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
    pre-up echo 1 > /proc/sys/net/ipv6/conf/all/accept_ra
    pre-up echo 1 > /proc/sys/net/ipv6/conf/default/accept_ra

You will now have forwarding and SLAAC.
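Because the old kernel accepts accept_ra=2 without complaint and then ignores it, a quick audit of the live sysctls is worth having. This is an added Python example (not from the post or the kernel documentation) that reads the per-interface values under /proc/sys/net/ipv6/conf and applies the accept_ra rules quoted above, including the 2.6.37 cut-off and the per-interface forwarding workaround; it assumes, as the text does, that the interface’s own forwarding value is what decides whether the kernel treats it as a router.

```python
import platform
import re
from pathlib import Path

SYSCTL_ROOT = Path("/proc/sys/net/ipv6/conf")
ACCEPT_RA_2_SINCE = (2, 6, 37)   # first kernel where accept_ra=2 means anything


def kernel_version(release):
    """'2.6.32-5-amd64' -> (2, 6, 32); '6.1.0-18-amd64' -> (6, 1, 0)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release)
    if not m:
        raise ValueError("cannot parse kernel release %r" % release)
    return tuple(int(x) for x in m.groups())


def ra_state(accept_ra, forwarding_iface, forwarding_all, kver):
    """Apply the accept_ra rules and return (accepted, reason) for one interface."""
    if accept_ra == 0:
        return False, "accept_ra=0: router advertisements are never accepted"
    if accept_ra == 2 and kver >= ACCEPT_RA_2_SINCE:
        return True, "accept_ra=2 overrides forwarding"
    # accept_ra=1, or accept_ra=2 on a kernel that treats it as a plain boolean:
    # only honoured while this interface itself is not forwarding.
    if forwarding_iface:
        if accept_ra == 2:
            return False, ("accept_ra=2 is silently ignored before kernel %s; "
                           "set conf/<iface>/forwarding=0 instead"
                           % ".".join(map(str, ACCEPT_RA_2_SINCE)))
        return False, "accept_ra=1 but forwarding=1 on this interface: RAs ignored"
    if forwarding_all:
        return True, "forwarding=0 on this interface; conf/all/forwarding=1 keeps routing on"
    return True, "plain SLAAC host, forwarding off"


def read_sysctl(iface, name):
    return int((SYSCTL_ROOT / iface / name).read_text().strip())


def audit(iface):
    """Read the live values for one interface and report whether RAs will be honoured."""
    return ra_state(read_sysctl(iface, "accept_ra"),
                    read_sysctl(iface, "forwarding"),
                    read_sysctl("all", "forwarding"),
                    kernel_version(platform.release()))


if __name__ == "__main__":
    import sys
    for iface in sys.argv[1:] or ["eth0"]:
        ok, why = audit(iface)
        print("%s: %s (%s)" % (iface, "accepting RAs" if ok else "ignoring RAs", why))
```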

everything went better than expected

My email marketing adventure with British Telecom

The saga so far ^

I have a phone line from BT. I only use it for ADSL (which I get from Zen Internet). I gave my email address to BT because they offered to tell me useful things about my account via email. I now wish I had never done this.

I use extension addresses to identify what the email addresses are being used for. This is not a new idea and I didn’t invent it. For those who don’t know what an extension address is, it’s an email address like andy+foo@example.com. It ends up at the same place as andy@example.com. The point is that if I receive an email to andy+foo@example.com then I know that it’s either from whoever I gave that address to, or it’s from someone they gave/lost my address to. It’s handy for working out who’s sold their database to spammers, or had it stolen.

I used to prefer using “+” in the extension address just because it looks nicer to me than other popular alternatives like “-”. Unfortunately, some web developers are idiots and don’t believe that “+” is valid in an email address, so they try to help by refusing to accept the address. For that reason my email servers accept both “+” and “-” and I used to use “-” when “+” wasn’t accepted.

After I started doing that, I began to experience an even more annoying failure: web sites that accepted “+” in my email address when I signed up, but later got redeveloped by idiots who think that “+” is no longer valid. That means that I can no longer log in to those sites, and predictably customer service is not trained to deal with situations like that.

It seems that BT is an example of such a company, and I am having unbelievable difficulty finding anyone there that can understand this.

When I signed up with BT, the email address I gave them had a “+” in it. They accepted it at the time.

March 2011 ^

I start to receive marketing emails from BT for extra BT services, as well as BT group companies such as Dabs and Plusnet.

29th March 2011 ^

I receive another marketing email from BT, decide I don’t want to receive them any more, and follow the unsubscribe link. The unsubscribe page at http://bt.custhelp.com/app/contact/c/769,978 tells me that the email address (which BT is emailing me on) is invalid.

I contact BTCare on Twitter to ask them how to opt out and to opt me out on my behalf. Also sent a request via BT’s site for someone to call me back about it.

Am called back by a polite BT chap who totally failed to understand the problem, told me I was opted out (funny, I never opted in…) and advised that I sign up to a no commercial email scheme.

18th April 2011 ^

Receive more marketing email from BT. Ask BTCare on Twitter why that is. Am told that it can take a month to take effect.

18th May 2011 ^

Receive more marketing email from BT. Ask BTCare on Twitter why that is.

29th May 2011 ^

BTCare tells me on twitter that they opted out the wrong address last time. Apologises and says it may take a further month.

25th July 2011 ^

BT sends me a marketing email on behalf of Plusnet.

2nd August 2011 ^

I (somewhat exasperatedly) ask BTCare if, since they can’t opt me out of the emails, we can come to a more formal arrangement for my proofreading services of £50 per future email.

BTCare replies that “We can’t opt you out of emails for other companies” and that “no compensation is available sorry.”

I point out that Plusnet is a BT company, that the emails are sent by BT on an email address given only to BT, and contain a BT unsubscribe link which does not work.

3rd August 2011 ^

BTCare asks if the email was from BT, and advises the use of a US-based commercial email opt-out site.

4th August 2011 ^

BTCare tells me that their unsubscribe link works now and that I should try it again. I try it again. It fails the same way. I tell BTCare.

5th August 2011 ^

BTCare tells me that I need to contact Plusnet directly: “the link may be BT related but it’s separate to us and we have no control over them”

PlusNet (on Twitter and Identi.ca) disagrees with BTCare and says BT sends those emails and operates the unsubscribe facility. They give me an email address at Plusnet to forward the marketing to anyway.

I have forwarded the email there and have so far got nothing back except an out of office email bounce. Oh well, it’s not really their problem anyway.

What to do now? ^

I would quite like to send a snail mail letter to BT to complain about this cluelessness. Does anyone know the best postal address and entity within BT for that to be directed to? If nothing else perhaps I can start sending the £50 a time invoices there?

I’d also quite like to not be a BT customer after this. I’m not too aware of my choices on that front though. My DSL is currently through Zen Internet, who I’m fairly happy with. I’d like a bit faster but don’t want to become a Sky or Virgin Media customer.

I’m told I can get Zen to “take over the copper”. What does this mean? Would it cause me difficulty in switching to another ISP in future?

Finally I have a feeling that there’s some DPA consequences for failing to opt me out of marketing in 4 months of asking, and then saying that I can’t get them to opt me out of marketing from companies they have given my email address to. Worth dropping a line to ICO?

Just hit delete / block all email from BT ^

Yeah it’s not that annoying but hopefully you can agree that this run-around is ridiculous. While I remain a BT customer I would prefer not to bitbucket all email from them as they do sometimes send stuff related to the operation of my account.

On extension addresses ^

It’s a shame, but I now consider “+” as unusable in an extension address because of idiot web developers who turn sites that used to accept these completely valid addresses into sites that reject them.

Just use “-” instead. It doesn’t look as pretty but at least not even the most ill-informed developer can think that “-” is invalid. If your email address already contains “-” (perhaps because your name does?), shit, sucks to be you.

Domain name as hostname not recommended

I had an interesting support ticket yesterday.

Someone was trying to do an apt-get update via BitFolk’s apt cache and was ending up connecting to 2607:f0d0:1003:85::c40a:2942, where it was failing to update. This is not a BitFolk IPv6 address, nor is it the IPv6 address of a Debian mirror. Where was it coming from?

I’d asked the customer for the contents of a bunch of config files and output of the dig command, and while I was waiting for that I mentioned the problem on IRC, where Graham said:

<gdb> $ dig -t aaaa +short apt-cacher.com.net
<gdb> 2a00:1c10:3:634::3486:75a0
<gdb> 2607:f0d0:1003:85::c40a:2942
<grifferz> interesting
<gdb> Same for apt-cacher.bitfolk.com.net
<grifferz> so he's probably got some  search line in
           his resolv.conf
<gdb> I would ask what the search line is
<grifferz> r
<grifferz> search lines always good entertainment for
           those times when wtf moments are scarce
<gdb> Actually it's possible that the hostname is
      foo.net and there's no search line.

It seems that the enterprising folks at com.net have put in wildcard A and AAAA records which basically means that if you try to resolve *.com.net you end up at their “search portal”. That’s all web-based of course.

The customer didn’t have a search line, but the issue was that their host had a fully-qualified domain name (FQDN) along the lines of example.net.

This meant that according to default resolver settings it considered itself to be inside the domain net, and when searching for hosts (like apt-cacher.bitfolk.com) it would try to find them with .net appended first.

Massively confusing.

It can be fixed by giving the resolver libraries a hint as to which domain you are actually in, in the /etc/resolv.conf:

domain example.net
nameserver 192.168.1.2
nameserver 192.168.1.3

Having said that, it’s better not to pick your domain as the FQDN for any host and this is just one of the weird issues I have seen.

Sometimes customers order a VPS with a FQDN set to something like this, and I’ve yearned for an authoritative bit of documentation that says it’s not recommended. I asked about it on HantsLUG a while back also, and while it seems there was some agreement, it still seems to be down to preference.

I’ve never really tried to tell a prospective customer that they should pick a host within their domain (e.g. foo.example.net) instead of the domain name as the FQDN, because it always seemed like too complicated a subject to explain. Maybe I should try to find a way in future.

Mass-setting the default view mode for cacti

Recently it came to my attention that many of BitFolk’s customers were finding our Cacti install confusing. The main problem was that upon logging in they were confronted with the default graph view – the “Tree View” – and they didn’t understand where they might find the relevant graphs within this tree.

Experienced Cacti users will know that you can also click on the “List View” or “Preview View” to get a list or grid respectively of all graphs that they’re permitted to view, but most customers are not experienced Cacti users. For me personally, having permission to view some 1400 graphs I appreciate the tree view to enforce some order, but it’s not about me. Customers generally have 2-5 graphs to view.

I decided that I would set the default view for all users to be “Preview View”. Now I wasn’t going to click on every one of the hundreds of them in the web interface to set this, and I wasn’t going to send instructions to people on how to do it for themselves either. I decided to fiddle with the database directly. This turned out to be very simple, once you know how. Here’s how.

Danger, Will Robinson! ^

Firstly, don’t do this lightly. This worked with Cacti as present in Debian squeeze and I don’t believe the database schema has changed in ages, but maybe it has or maybe it will, so before you try this:

  • Take a backup of your cacti database. Just mysqldump it or whatever.
  • Check that the queries make sense. You might like to practice on just one user account before doing it on all.

Basically if you don’t understand what these queries do, don’t do them.

There are probably more elegant ways to do this, but it’s only going to be done once so I’m not going to try to optimise it.

Set “What to do when this user logs in” to “Show the default graph screen” ^

mysql> UPDATE user_auth SET login_opts=3;

Set “Which mode you want displayed when you visit ‘graph_view.php’” to “Preview View” for users who have graph settings already ^

If a user has changed their graph settings then they’ll have a row in the settings_graphs table for this particular setting already.

mysql> UPDATE settings_graphs SET value=3 WHERE name="default_view_mode";

Set “Which mode you want displayed when you visit ‘graph_view.php’” to “Preview View” for users with no graph settings ^

Most users won’t have changed their graph settings and so won’t have a row for this. We’ll need to insert one.

mysql> INSERT IGNORE INTO settings_graphs (user_id, name, value)
  SELECT id, "default_view_mode", 3 FROM user_auth;

The IGNORE is required because there will probably be some pre-existing rows from users who did have some graph settings.

You could probably combine the UPDATE and INSERT steps by using REPLACE instead.

That’s it ^

On next login, the user should be put directly at the “Preview View”. They can still change their settings to something different if they end up not liking that.

StartCom’s free SSL certificates

I’ve been wondering what the downsides are with StartCom’s free SSL certificates.

At the moment those seem to be:

  • You can only renew them for 1 year – could be tedious if you have lots of them.
  • Windows XP users need to have installed at least Service Pack 2 to have the CA. Apparently non-updated Windows XP works now! Just in time for its EOL.
  • Blackberry and other RIM devices have no support. @startssl says: “Correct RIM has no support so far (we understand that they are working on it though).”
  • Reports of no support in an iPod Touch running iOS 3.x.

Useful SSL checkers:

Some Internet history from Vint Cerf

I’ve been following a thread on NANOG about why the first versions of the Internet Protocol supported only a maximum of 256 different networks.

Back then, every organisation on the fledgling Internet got a range of IP addresses starting with a number 0-255 and used the next three numbers to number their hosts, e.g. 192.168.3.4. That’s 2^24 − 2 (16,777,214) possible host addresses. When IP address classes were introduced that was known as “class A”, and today we’d call that a /8. A pretty big range of IP addresses by today’s standards.

With the impending exhaustion of IPv4 addresses, some people are looking at these /8 networks — many of which are no longer publicly in use or are only seen to have a few reachable addresses — and asking how come these organisations were ever allowed to have such a large allocation. I never really thought about it before, but for some of the older ones the answer is that there was no choice back then. An allocation was 8 bits of network and 24 bits of hosts.

I particularly enjoyed reading a contribution on the matter from Vint Cerf, an Internet legend:

Date: Sat, 3 Apr 2010 08:17:28 -0400
From: Vint Cerf

When the Internet design work began, there were only a few fairly large networks around. ARPANET was one. The Packet Radio and Packet Satellite networks were still largely nascent. Ethernet had been implemented in one place: Xerox PARC. We had no way to know whether the Internet idea was going to work. We knew that the NCP protocol was inadequate for lossy network operation (think: PRNET and Ethernet in particular). This was a RESEARCH project. We assumed that national scale networks were expensive so there would not be too many of them. And we certainly did not think there would be many built for a proof of concept. So 8 bits seemed reasonable. Later, with local networks becoming popular, we shifted to the class A-D address structure and when class B was near exhaustion, the NSFNET team (I think specifically Hans-Werner Braun but perhaps others also) came up with CIDR and the use of masks to indicate the size of the “network” part of the 32 bit address structure. By 1990 (7 years after the operational start of the Internet and 17 years since its basic design), it seemed clear that the 32 bit space would be exhausted and the long debate about IPng that became IPv6 began. CIDR slowed the rate of consumption through more efficient allocation of network addresses but now, in 2010, we face imminent exhaustion of the 32 bit structure and must move to IPv6.

Part of the reason for not changing to a larger address space sooner had to do with the fact that there were a fairly large number of operating systems in use and every one of them would have had to be modified to run a new TCP and IP protocol. So the “hacks” seemed the more convenient alternative. There had been debates during the 1976 year about address size and proposals ranged from 32 to 128 bit to variable length address structures. No convergence appeared and, as the program manager at DARPA, I felt it necessary to simply declare a choice. At the time (1977), it seemed to me wasteful to select 128 bits and variable length address structures led to a lot of processing overhead per packet to find the various fields of the IP packet format. So I chose 32 bits.

vint

There is a reason that Vint Cerf is often called “Father of the Internet”. It’s amazing to me to think that they honestly did not know back then that this Internet thing was going to be all that popular.