May 2008 Archive

Upselling Computer Equipment (or how to cheat the public)

May 31st, 2008

A friend bought a new laptop on my recommendation but now needs it setting up with a wireless connection. She lives in a small flat, has very basic computing needs and only has the one computer currently connected to her cable modem.

I advised her just to get a cheap 802.11g router since these days even a cheap basic model is more than adequate for her needs and they can be picked up for 200-300 DKK (about $40-$60). Her laptop has the Intel® PRO/Wireless 3945ABG module built in like many laptops these days.

When I came to visit and set up the network I saw she had a Wireless G+ MIMO Modem Router and after talking to her a few thoughts sprang to mind:

  1. This router has a built in ADSL modem but she has internet through a cable modem, so she can’t even replace the cable modem with this box; instead she will have to use both. Then why sell her a router with a useless ADSL modem built in?
  2. Part of the sales pitch was of course speed, how this is G+ and runs at 108 Mbps compared to the standard 54 Mbps. Two problems here: looking at the product page it’s clear that to achieve this she’ll have to use a compatible card for her laptop. Since she doesn’t want to buy more hardware this speed is just not true.
    The other problem is that since she doesn’t have an internal network but just connects directly to the internet it doesn’t really matter how fast the wireless works just as long as it’s faster than her internet connection!
    So many people don’t get this, but even if the wireless works at a quadrillion Mbps it will only be that fast from her laptop to the router; after that it will run at 2 Mbps, the speed of her internet connection.
  3. Another selling point was range, the idea that MIMO suffers less from interference and has a greater range than standard 802.11g products. Bearing in mind that she will usually be sitting less than 10 metres from her router this seems a bit pointless.

At the end of the day it’s easy to upsell computer equipment to the general public since the whole field is full of cryptic codes and changes every 10 minutes it seems.
But that’s why you need people you can trust to sell you the right thing rather than just think about the company’s bottom line; unfortunately this service is all too rare these days.

SSH Into a Synology Disk Station Using Secure Keys

May 30th, 2008

After toying with the idea of getting a static IP address so I can connect to my Disk Station from the internet I took the plunge and ordered one.
My next thought was securing my Disk Station since I currently log in via SSH using a password and I’d rather only allow logins using a secure key to prevent brute force attacks.
The guide here is distilled from two pages (see below) and works from my Fedora 9 box to my Disk Station.

References:

  1. http://www.synology.com/enu/forum/viewtopic.php?f=36&t=5475
  2. http://fedoranews.org/dowen/sshkeys/

Enable SSH

I won’t cover enabling SSH since there are patches supplied from Synology for this purpose and the process is very simple.
I should mention that it’s a good idea to use the telnet patch to enable telnet so you don’t get locked out if something goes wrong.

Make SSH only accept login using keys

You need to login to your box via SSH and edit the file /etc/ssh/sshd_config as shown here to accept keys to log in.

#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Also change the following line to prevent passwords being used to log in.

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

While we’re here we’ll also change the default SSH port from 22 to something else to stop most attacks targeted at port 22. Uncomment the line at the top of the file and change the port number.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 99

Create the Key Pairs

On your host computer (not the Disk Station) open a terminal and run the following command; do NOT do this as root.

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/bobpeers/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa
Your public key has been saved in id_rsa.pub
The key fingerprint is:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX bobpeers@freja

The id_rsa key is your private key and should be kept on the computer you connect from. The id_rsa.pub is the public key that should sit on the server (or servers) that you wish to connect to. If you choose a passphrase you will be prompted for that on login so if you wish to use automated scripts you should not use a passphrase.

The public key needs to be copied to the Disk Station. Back in the SSH terminal:

# cd /root
mkdir .ssh
touch .ssh/authorized_keys
vi .ssh/authorized_keys

Since scp is not enabled you cannot just copy the key so we need to open the id_rsa.pub file on the host, copy the contents and paste them into the file on the Disk Station (in a terminal paste is ctrl + shift + v).

Edit the file permissions

On the Disk Station we need to secure the authorized_keys file, in the SSH terminal type:

chmod 700 .ssh
chmod 644 .ssh/authorized_keys

Reboot and login

Reboot the Disk Station (type reboot in the SSH terminal; this will of course kill your session). Next, on the host computer, log in again, but if your old login was:

$ ssh root@123.4.5.6

You should now use:

$ ssh root@123.4.5.6 -p 99

Where -p 99 is the port you used for SSH in the sshd_config file. You should now login to the Disk Station using your passphrase, if you chose one, or else you will be immediately logged in if you used an empty passphrase.
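A pre-reboot check for the steps above, as an added example that is not part of the original post or of Synology's firmware: it reads the first uncommented value of each option the guide changes and checks the write bits that sshd's StrictModes rejects. The function names and the constructed demo config are assumptions, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings this guide changes.
# sshd uses the FIRST uncommented occurrence of a keyword, and keywords are
# case-insensitive. Assumes whitespace-separated "Keyword value" lines.

# Print the effective value of keyword $2 in file $1, or default $3 if unset.
sshd_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }       # skip comments and blank lines
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Return 0 if only key logins are allowed, 1 otherwise; print each finding.
audit_sshd_config() {
    cfg=$1; rc=0
    [ "$(sshd_value "$cfg" PubkeyAuthentication yes)" = yes ] ||
        { echo "FAIL: PubkeyAuthentication is off, key login will not work"; rc=1; }
    [ "$(sshd_value "$cfg" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL: PasswordAuthentication is still enabled"; rc=1; }
    [ "$(sshd_value "$cfg" PermitEmptyPasswords no)" = no ] ||
        { echo "FAIL: PermitEmptyPasswords is enabled"; rc=1; }
    echo "INFO: sshd will listen on port $(sshd_value "$cfg" Port 22)"
    return "$rc"
}

# Return 0 if path $1 is not group- or world-writable, which sshd's
# StrictModes check requires of ~/.ssh and authorized_keys.
perms_ok() {
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) echo "FAIL: $1 is writable by group or others"; return 1 ;;
    esac
    return 0
}

# Demo on a constructed config where the "#" was left in front of the option.
demo=$(mktemp)
printf '%s\n' 'Port 99' 'PubkeyAuthentication yes' \
    '#PasswordAuthentication no' > "$demo"
audit_sshd_config "$demo" || echo "not hardened: passwords still accepted"
rm -f "$demo"
```

Run it against /etc/ssh/sshd_config before the reboot step, while the existing session or the telnet fallback is still open. Once key login works, turn telnet off again, since it carries the password in clear text.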

Mobile Broadband Options

May 28th, 2008

Friends of ours have recently bought a new laptop; it’s actually their first computer ever, as up till now they have just used ones at their workplaces (people without a computer do still exist it seems!).

They also require an internet connection but since they spend the summer living in their summerhouse they really need a mobile connection.

After a little research it seems that the mobile broadband packages being sold by the mobile phone companies are starting to become good deals these days. I looked at the 3 network and see that they offer a 7.2 Mbps unmetered option for only 299 DKK a month. Since it uses a USB dongle it’s truly mobile (plus I noticed that unofficially the USB dongle works under Linux).

The other option that sprang to mind was WiMAX, offered in Denmark by Clearwire. The problem here is that to be truly mobile they need to get the receiver box and then also buy a wireless router, and of course they also need a mains power supply. On top of that the downloads are limited to 5 GB per month plus the maximum speed offered is only 1.5 Mbps, pretty low limits by today’s standards. It seems strange that Clearwire didn’t build a wireless router into the receiver as well.

Virtualbox Without Fedora 9 Guest Additions

May 27th, 2008

Using Virtualbox 1.6 you cannot install guest additions support when using a Fedora 9 guest. Yet another consequence of using leading edge distributions that have a release candidate of Xorg. Hopefully the next update of Virtualbox will rectify this situation.

Here’s the output when you try to install the guest additions:

# ./VBoxLinuxAdditions.run
Verifying archive integrity... All good.
Uncompressing VirtualBox 1.6.0 Guest Additions for Linux
installation............................................................
........................................................................
.........................................
VirtualBox 1.6.0 Guest Additions installation
which: no dkms in (/usr/bin:/bin:/bin:/sbin:/usr/sbin)
Building the VirtualBox Guest Additions kernel module...
Building the shared folder support kernel module...
Installing the VirtualBox Guest Additions...

Detected Xorg 1.5 RCx, refusing to install the Xorg modules. We will provide
updated guest additions once Xorg 1.5.0 was released finally. Please check
the vbox-users mailing list for further announcements.
Successfully installed the VirtualBox Guest Additions.
You must restart your guest system in order to complete the installation.

New Internet Provider

May 22nd, 2008

The building I live in has decided to change the internet provider.

I should explain that I live in a block of flats where we all part own the whole building (it’s a very popular system in Denmark) and the internet and TV is provided to all flats from a central server located in the building.

I’ve been very happy with my connection, even though it’s actually shared between 218 flats, I usually get between 8-10 Mbits/s so downloading Linux iso files doesn’t take that long. A few days ago I downloaded Fedora 9 which only took around an hour or so.

However I now get to choose a package from Dansk Bredbånd (Danish link) which hopefully is as good as it looks. They use fibre that runs directly to the building which is then connected through a switch arriving through Ethernet to my flat.

The best part is that all the packages are symmetric as they have a 25 Mbits/s option (Danish link) so I get 25 Mbits/s up and down, pretty nice. On top of that the line is not shared so other users in the building do not affect my connection plus there are no download limits imposed like many providers (otherwise known as ‘traffic shaping’ in sales talk).

I’m debating about also getting a static IP address since then I can connect to my NAS device from anywhere or even login over SSH.

It gets switched over on June the 10th so I’ll post on my opinions of the service.

apt-get Through A Proxy Server

May 19th, 2008

I previously mentioned how I couldn’t get Mepis to update through a proxy server with authentication.

Well I tried this suggestion which works fine for both apt-get and synaptic package manager. Just add this entry to your /etc/apt/apt.conf file:

// Proxy with authentication, used by apt-get and Synaptic
Acquire {
  http::Proxy "http://DOMAIN\username:password@IP:port/";
};

Fedora 9 Touchpad Problem Solved

May 17th, 2008

I just tried the fix I mentioned in my previous post for the synaptics touchpad in Fedora 9 where the tap does not work.

The fix works fine but I also see there’s a new rpm package available that has the tap functionality added back (yes, if you read this comment on the bug report it seems that it was intentionally removed and is not a bug!)

Fedora 9 Post Install Problems

May 16th, 2008

Well I have to say that my Fedora 9 install didn’t go as smoothly as I hoped. It seems that Fedora 9 is a bit rough around the edges so here’s a run down of my issues so far:

  • While installing I managed to crash the Anaconda installer; this happened while I was trying to set up custom partitioning. After I let Anaconda decide the default partitions and then edited the results all worked as normal.
    I was also unable to save the crash report so no chance of logging a bug report. I have to say that this is the first time that I’ve ever managed to crash Anaconda and I’ve been using it since Fedora Core 4.
  • Anaconda is now able to resize partitions during install but it seems to be only able to do this with NTFS and ext2/3 partitions. I have a FAT32 partition that was not recognized at all, seems strange it supports NTFS but not FAT32.
  • gdmsetup is not available at all since the new login manager was introduced, this seems like a backwards step since now I have to learn how to use GDM configuration.
  • The new Add/Remove software application called PackageKit looks nice but is very slow and basic. There’s no way to queue installs so you have to install them one by one while waiting for the display to refresh the package list after each install.
    It also seems to take a long time to update the package list plus the search function only works within a package group, not globally, so if you don’t know where your package belongs it’s very hard to find.
  • I tried to set up Nautilus to use single clicks but after clicking a directory in the left pane it would not refresh the directory contents in the right pane. Setting it back to double click fixed the problem.
  • My synaptics touchpad stopped responding to taps, it seems this is a known issue with a possible fix here. I’ll try this later but still pretty bad it doesn’t work ‘out of the box’.
  • I sometimes get SELinux denial messages generated by NetworkManager. I’ve used SELinux for at least 3 releases without problems so this was a surprise. I also got more denials actually caused by running the SELinux Administration (semodule) itself, something about accessing /home/username/.xsession_error!

Hopefully these issues get ironed out soon and I’m aware that it’s a very new release but I’ve actually never had so many problems with other Fedora releases and I’ve installed every one since Fedora Core 4 within a day or two of the initial release date.

Update – the SELinux problem is a real nightmare, I run Apache and MySQL which initially worked fine but without changing anything it has suddenly stopped working due to SELinux. I’m getting a bunch of errors like this:

SELinux is preventing httpd (httpd_t) "connectto" to /var/lib/mysql/mysql.sock (unconfined_t).

Until I work this out I’ll have to set SELinux to permissive mode by running /usr/sbin/setenforce 0.

Installing Fedora 9 Tonight

May 14th, 2008

After downloading all 3.3GB of Fedora 9 last night it’s time to undo all my hard work over the last few months since Fedora 8 was released and start again with a fresh install.

Most people would think I’m nuts to do this (my girlfriend certainly does) but I get a strange pleasure out of installing a new release and wiping out the old.

I know I’ll have a few issues on the way (Apache always trips me up at some point even though I’ve got all my conf files backed up) but I’ve found that I’ve got much better at getting my system up and running again.

I’ve thought about setting my home partition on a separate partition so I can save it between installs but having tried this once it just turned into a mess so now I just recover important files from backup after the install.

Linux Proxy Problems

May 7th, 2008

There are times when the sheer wealth of Linux distros and the associated differences between each actually leaves me wanting a bit more standardization between them.

A case in point is that since trying out many distros in a virtualized environment behind a proxy server that requires authorization it seems there is no standard way of specifying proxy servers.

On top of that it seems there is no global setting that reliably affects the entire system. On an average system there are many applications requiring internet access: curl, wget, web browser, email program and software updater, to name just a few.

Getting Firefox to access a proxy server is pretty easy but it requires me to individually set the server from within the Firefox preferences. My experiences so far show a few different possibilities:

  1. A popular one that should work globally is to set environment variables, something like this

    export http_proxy="http://username:password@server.com:port/" 

    This works for some people but it only takes a search on Google to find many people for whom this has no effect.

  2. From KDE there is a proxy option in the system settings; you can either use the environment setting from above or manually enter them. I’ve tried both these with Mepis and then used the Package Updater only to find these settings seem to be totally ignored (I get a 407 proxy error).
  3. If you use YUM as a package updater you can edit /etc/yum.conf and add these lines:

    # The proxy server - proxy server:port number
    proxy=http://server.com:port/
    # The account details for yum connections
    proxy_username=username
    proxy_password=password
    

    I used this on CentOS 5 and to my amazement it actually worked.

  4. A few times I would get the error about ‘nonnumerical port 8080?’; this turned out to be because the last ‘/’ at the end of the URL is very important!
  5. Then there’s similar advice for adding http_proxy=………… to the /etc/wgetrc file, plus others for curl and many other programs.

My point here is that I just want a simple GUI to add my proxy servers and then by default all my applications requiring network access should honour these settings unless I have explicitly told the application to use its own settings.
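The apt, yum and wget settings listed above, and the apt.conf entry from the May 19th post, all keep the proxy password in clear text, in files that are normally readable by every local user. An added example, not from the original posts: a scan that lists such entries with the password masked and flags world-readable files; `scan_proxy_creds` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: find proxy passwords stored in clear text in config files.
# For each hit, print the line with the password masked and whether other
# local users can read the file. Returns 1 if any hit is world-readable.
scan_proxy_creds() {
    rc=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Match user:password@ inside a URL (apt.conf, wgetrc, profile
        # scripts) and yum.conf's separate proxy_password= key.
        hits=$(sed -n \
            -e '/^[[:space:]]*#/d' \
            -e 's|\(://[^:/@ ]*:\)[^@ ]*@|\1****@|p' \
            -e 's|^\([[:space:]]*proxy_password[[:space:]]*=\).*|\1****|p' \
            "$f")
        [ -n "$hits" ] || continue
        # Character 8 of the ls mode string is the "other" read bit.
        case "$(ls -ld "$f" | cut -c8)" in
            r) mode="world-readable"; rc=1 ;;
            *) mode="restricted" ;;
        esac
        printf '%s\n' "$hits" | while IFS= read -r line; do
            printf '%s: %s (%s)\n' "$f" "$line" "$mode"
        done
    done
    return "$rc"
}

# Demo on a constructed apt.conf (sample values, not real credentials).
demo=$(mktemp)
chmod 644 "$demo"
printf '%s\n' 'Acquire {' \
    '  http::Proxy "http://DOMAIN\username:password@192.0.2.10:8080/";' \
    '};' > "$demo"
scan_proxy_creds "$demo" || echo "password is readable by every local user"
rm -f "$demo"
```

Pass it the files you actually edited, for example /etc/apt/apt.conf, /etc/yum.conf and /etc/wgetrc.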