Christian Kildau

Currently I am a full-time IT professional working as a network architect. In my spare time I like to produce content, especially photography; a love for traveling supports this. If you want to know more about me, please see the links below for technical articles as well as content.

Quick Tip: Use MacBook Pro TouchID with sudo

I just recently got a shiny new Apple MacBook Pro 2018 including TouchID.
iTerm2/sudo won’t support TouchID out of the box. Here’s what you need to do:

sudo sed -i '' '2i\
auth sufficient pam_tid.so
' /etc/pam.d/sudo
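The sed one-liner does the job once, but it is not idempotent (a second run adds a second pam_tid.so line), and macOS updates are known to replace /etc/pam.d/sudo with the stock file, so you end up re-applying it. Here is the same edit as a small shell script, added here and not taken from the post: it takes the file path as a parameter, inserts the line only when it is missing, and rehearses on a constructed copy of the stock file before you point it at the real one with sudo.

```shell
#!/bin/sh
# Added example, not from the post: the same edit as an idempotent function
# that takes the PAM service file as a parameter, so it can be rehearsed on
# a copy and re-run after a macOS update restores the stock file without
# producing a second pam_tid.so line.
PAM_TID_LINE='auth       sufficient     pam_tid.so'

# Insert the TouchID line as line 2, i.e. right after the stock
# "# sudo: auth account password session" header and before every other
# auth line, which is the position the post's sed command uses.
enable_touchid_pam() {
    file="$1"
    if grep -q 'pam_tid.so' "$file"; then
        echo "pam_tid.so already present in $file"
        return 0
    fi
    tmp="$file.tmp.$$"
    awk -v ins="$PAM_TID_LINE" \
        '{ print } NR == 1 { print ins; inserted = 1 } END { if (!inserted) print ins }' \
        "$file" > "$tmp" || return 1
    # Overwrite in place rather than mv, so owner and mode (root, 0444 on
    # the real file) are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Number of pam_tid.so lines in FILE; anything other than 1 means the file
# was edited by hand or by a non-idempotent one-liner more than once.
count_touchid_lines() {
    grep -c 'pam_tid.so' "$1" || true
}

# Rehearsal on a constructed copy of the stock file (the real target is
# /etc/pam.d/sudo and needs sudo).
demo() {
    copy=$(mktemp) || return 1
    printf '%s\n' '# sudo: auth account password session' \
        'auth       sufficient     pam_smartcard.so' \
        'auth       required       pam_opendirectory.so' > "$copy"
    enable_touchid_pam "$copy"
    enable_touchid_pam "$copy"   # second run must be a no-op
    echo "pam_tid.so lines after two runs: $(count_touchid_lines "$copy")"
    cat "$copy"
    rm -f "$copy"
}
demo
```

Run `enable_touchid_pam /etc/pam.d/sudo` under sudo once the rehearsal output looks right; `count_touchid_lines /etc/pam.d/sudo` returning anything but 1 afterwards tells you the file has been touched more than once.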

ExaBGP 4.0 getting started

Welcome back to my little tech blog. It’s been a few years since I last posted here. 🙂

I’ve been playing around a lot with several DDoS mitigation techniques, be it in-house or as a service, and have used many BGP implementations like classic Cisco IOS, Cisco IOS-XR(v), BIRD and ExaBGP.

ExaBGP is a nice little BGP injector for things like s/dRTBH and the injection of FlowSpec rules.

As I’ve had some starting issues with ExaBGP, I thought I’d share just a very basic config to save others some time; I will probably share some more complex examples later.

I switched from 3.4 to 4.0 (tracking master) already, so this post will get you started with ExaBGP 4.0 only. 4.0 is still under heavy development and still has some issues as of the time of writing, but all in all it does what I need. The syntax might still change, though.

Examples are available at https://github.com/Exa-Networks/exabgp/wiki, but these are just snippets and I did not find them to be updated very well when syntax changes occurred.

To get ExaBGP running I just used a basic CentOS 7 installation:

git clone https://github.com/Exa-Networks/exabgp.git
git -C exabgp checkout master

My basic config looks like this (place it in ./exabgp/etc/exabgp/exabgp.conf):

# Control pipe
process announce-routes {
run /usr/bin/socat stdout pipe:/var/run/exabgp.cmd;
encoder json;
}

# IPv4 template
template INTERNET_EDGE_v4 {
local-as 64496;
peer-as 64496;
hold-time 180;
router-id 192.0.2.0;
group-updates false;
local-address 192.0.2.0;
capability {
graceful-restart 120;
}
family {
ipv4 unicast;
ipv4 flow;
}
api {
processes [ announce-routes ];
}
}

# IPv6 template
template INTERNET_EDGE_v6 {
local-as 64496;
peer-as 64496;
hold-time 180;
router-id 192.0.2.0;
group-updates false;
local-address 2001:DB8::;
capability {
graceful-restart 120;
}
family {
ipv6 unicast;
ipv6 flow;
}
api {
processes [ announce-routes ];
}
}

# Neighbours

neighbor 192.0.2.101 {
inherit INTERNET_EDGE_v4;
description "r1";
}
neighbor 192.0.2.102 {
inherit INTERNET_EDGE_v4;
description "r2";
}
neighbor 192.0.2.103 {
inherit INTERNET_EDGE_v4;
description "r3";
}

neighbor 2001:DB8::101 {
inherit INTERNET_EDGE_v6;
description "r1";
}
neighbor 2001:DB8::102 {
inherit INTERNET_EDGE_v6;
description "r2";
}
neighbor 2001:DB8::103 {
inherit INTERNET_EDGE_v6;
description "r3";
}

To get ExaBGP started just run

./exabgp/sbin/exabgp ./exabgp/etc/exabgp/exabgp.conf

or in case you want to see debug output:

sudo env exabgp.daemon.daemonize=false ./exabgp/sbin/exabgp ./exabgp/etc/exabgp/exabgp.conf
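The `process announce-routes` block above runs socat reading the named pipe /var/run/exabgp.cmd and passes every line written to it to ExaBGP's API on stdout, so mitigation is a matter of writing the right command into that pipe. The following helpers are an added example, not from the post and not part of ExaBGP: they build an RTBH announcement/withdrawal and a FlowSpec discard rule for a prefix, refuse prefixes shorter than a /24 so a typo cannot blackhole a whole /8, and write the result to the pipe. The next-hop 192.0.2.1 and community 64496:666 are constructed placeholders (use the discard address and blackhole community your routers are configured for); the command text follows the 4.x API syntax in the ExaBGP wiki, which, as the post says, may still change, so verify it against your version.

```shell
#!/bin/sh
# Added example, not part of the post or of ExaBGP itself: helpers that
# build ExaBGP API commands and write them to the control pipe the config's
# "process announce-routes" block reads through socat. Command syntax is the
# 4.x syntax from the ExaBGP wiki; verify it against the version you run.
EXABGP_PIPE="${EXABGP_PIPE:-/var/run/exabgp.cmd}"
RTBH_NEXTHOP="192.0.2.1"     # constructed: address the routers resolve to a discard route
RTBH_COMMUNITY="64496:666"   # constructed: community the routers map to blackhole
MIN_PREFIXLEN=24             # refuse anything shorter: one typo must not blackhole a /8

# valid_prefix A.B.C.D/LEN: IPv4 prefix with MIN_PREFIXLEN <= LEN <= 32.
valid_prefix() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr="${1%/*}"
    len="${1#*/}"
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$addr" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    echo "$len" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$len" -ge "$MIN_PREFIXLEN" ] && [ "$len" -le 32 ]
}

# RTBH: announce the attacked prefix with the blackhole community so the
# routers drop traffic to it; withdraw reverses it.
rtbh_announce_cmd() {
    valid_prefix "$1" || return 1
    echo "announce route $1 next-hop $RTBH_NEXTHOP community [ $RTBH_COMMUNITY ]"
}
rtbh_withdraw_cmd() {
    valid_prefix "$1" || return 1
    echo "withdraw route $1 next-hop $RTBH_NEXTHOP community [ $RTBH_COMMUNITY ]"
}

# FlowSpec: a rule that discards traffic to the destination prefix.
flow_discard_cmd() {
    valid_prefix "$1" || return 1
    echo "announce flow route { match { destination $1; } then { discard; } }"
}

# Write one command line to the pipe (assumed to exist; socat reads it).
send_exabgp() {
    if [ ! -p "$EXABGP_PIPE" ]; then
        echo "control pipe $EXABGP_PIPE missing, is exabgp running?" >&2
        return 1
    fi
    echo "$1" > "$EXABGP_PIPE"
}

# Usage: blackhole 192.0.2.77/32   /   unblackhole 192.0.2.77/32
blackhole()   { cmd=$(rtbh_announce_cmd "$1") || return 1; send_exabgp "$cmd"; }
unblackhole() { cmd=$(rtbh_withdraw_cmd "$1") || return 1; send_exabgp "$cmd"; }
```

Source the file and call `blackhole 192.0.2.77/32` while watching the debug output of the non-daemonized exabgp run above; the route should show up in the UPDATE towards r1 to r3. The prefix-length floor is the check worth keeping even if you replace the rest: an operator tool that can announce any prefix is one fat finger away from dropping your own address space.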

Thomas Mangin (the author of ExaBGP) provides great support via Google Groups, the GitHub issue tracker and Gitter, so in case you encounter any issues you will find help. There is also a FAQ.


How To disable Time Machine’s MobileBackup

Starting with Lion I noticed that Time Machine is running even when my Time Capsule is not available. I also noticed that Finder shows a different amount of used disk space than df does. My MacBook Pro’s SSD also got somewhat slow. It turned out to be Time Machine’s MobileBackup function.

If you want to disable MobileBackup and free up the abused disk space, simply run the following command and reboot.

sudo tmutil disablelocal

How to fix SSH UTF-8 issues in Mac OS X Lion

After upgrading from Snow Leopard to Lion, ssh connections to remote servers using iTerm2 have issues with non-ASCII characters.

Luckily that’s easy to fix. Simply comment out the line

SendEnv LANG LC_*

in /etc/ssh_config:

 Host *
 # SendEnv LANG LC_*
 # ForwardAgent no
 # ForwardX11 no
 ...

No other changes are needed. You could also permanently change your locale to UTF-8. Just place

export LANG=en_US.UTF-8

in your shell’s startup file.


How to activate Serial Console on Debian Squeeze

Activating a serial console, starting at the bootloader all the way up to a tty login, requires just a few steps, but it took me some time to figure out all the knobs. Here’s how to do it with Debian Squeeze:

To make configuration changes persistent in Debian you must not edit /boot/grub/grub.cfg directly, but need to edit or add the appropriate lines in /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,9600n8"
GRUB_TERMINAL=console
GRUB_SERIAL_COMMAND="serial --speed=9600 --unit=0 --word=8 --parity=no --stop=1"

Now run

update-grub

and you’ll get the bootloader and all kernel and init messages on your serial console the next time you boot.

To get a login prompt on serial you need to modify /etc/inittab to:

1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
3:23:respawn:/sbin/getty 38400 tty3
4:23:respawn:/sbin/getty 38400 tty4
5:23:respawn:/sbin/getty 38400 tty5
6:23:respawn:/sbin/getty 38400 tty6
# Serial console
s0:2345:respawn:/sbin/getty -L 9600 ttyS0 vt102

That’s it. Run

init q

to reload init and activate serial login, or simply reboot.
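The steps above as one script, added here and not from the post: it sets the three GRUB_* keys and appends the serial getty line, and does so idempotently, so running it twice does not duplicate anything. The file paths are parameters, so you can rehearse it on copies (the demo at the bottom creates constructed ones) before running it as root against /etc/default/grub and /etc/inittab, followed by update-grub and init q as described.

```shell
#!/bin/sh
# Added example (not from the post): the serial-console settings applied
# idempotently to copies of /etc/default/grub and /etc/inittab. Paths are
# parameters so the script can be rehearsed on copies; on the real files it
# must run as root, followed by update-grub and init q as in the post.
SERIAL_SPEED=9600
SERIAL_UNIT=0

# set_kv FILE KEY VALUE: replace an existing KEY=... line or append one.
# A commented-out "#KEY=" line does not count as existing and is left alone.
set_kv() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    if grep -q "^$key=" "$file"; then
        # awk instead of sed: the values contain '/' and '=' which would
        # otherwise need escaping in a sed expression
        awk -v k="$key" -v v="$value" \
            'index($0, k "=") == 1 { print k "=\"" v "\""; next } { print }' \
            "$file" > "$tmp" || return 1
    else
        { cat "$file"; printf '%s="%s"\n' "$key" "$value"; } > "$tmp" || return 1
    fi
    # write back in place to keep the file's owner and mode
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_kv FILE KEY: print the value of KEY with surrounding quotes removed.
get_kv() {
    grep "^$2=" "$1" | cut -d= -f2- | tr -d '"'
}

# Bootloader + kernel console on ttyS<unit> at <speed> 8N1.
configure_grub_serial() {
    set_kv "$1" GRUB_CMDLINE_LINUX_DEFAULT "console=tty0 console=ttyS${SERIAL_UNIT},${SERIAL_SPEED}n8" &&
    set_kv "$1" GRUB_TERMINAL console &&
    set_kv "$1" GRUB_SERIAL_COMMAND "serial --speed=${SERIAL_SPEED} --unit=${SERIAL_UNIT} --word=8 --parity=no --stop=1"
}

# Login prompt on the serial port: append the getty line unless the file
# already spawns something on that tty.
configure_inittab_serial() {
    file="$1"
    if grep -q "ttyS${SERIAL_UNIT}" "$file"; then
        return 0
    fi
    printf '# Serial console\ns%s:2345:respawn:/sbin/getty -L %s ttyS%s vt102\n' \
        "$SERIAL_UNIT" "$SERIAL_SPEED" "$SERIAL_UNIT" >> "$file"
}

# Rehearsal on constructed copies; the real files are /etc/default/grub and
# /etc/inittab.
demo() {
    grub=$(mktemp) && inittab=$(mktemp) || return 1
    printf 'GRUB_DEFAULT=0\nGRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX_DEFAULT="quiet"\nGRUB_CMDLINE_LINUX=""\n' > "$grub"
    printf '1:2345:respawn:/sbin/getty 38400 tty1\n' > "$inittab"
    configure_grub_serial "$grub" && configure_inittab_serial "$inittab"
    configure_grub_serial "$grub" && configure_inittab_serial "$inittab"   # second run: no change
    cat "$grub" "$inittab"
    rm -f "$grub" "$inittab"
}
demo
```

Note that the script keeps `console=tty0` in front of `console=ttyS0`, as in the post: the last console= entry is the one the kernel uses for /dev/console, so the order matters if you want the serial port to be the primary console.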


Intel 320 Series vs. OCZ Vertex 2 (vs. Apple)

Actually this post should be called NO OCZ NO or something like that…

I already wrote about the OCZ Vertex 2 E once or twice with somewhat mixed feelings.
Now after 6 months with the first one, and 3 months with the second one, I wouldn’t recommend buying any of these again. Well, at least not if you’re using Apple.

60Gb OCZ Vertex 2 E in my Mac Mini (6 Months old):

  • huge loss in performance (maybe due to the lack of TRIM in OSX?)
  • sometimes the mini won’t fall asleep or just wakes up again

120Gb OCZ Vertex 2 E in my MacBook Pro (10 weeks old):

  • performance is still good
  • suspend2disk doesn’t work. Known bug. OSX will crash. OCZ promised to fix it – but didn’t!
  • sleep and direct wake-up results in the SSD not being recognized for ~10 minutes!!! No booting possible!

Most of the issues with OCZ’s SSDs seem to be sleep/hibernate related and, from what I’ve heard, mostly affect Apple products, but their crappy support prevents me from buying any of their products again. They promised to release a firmware upgrade which fixes suspend2disk, but they did not. They closed the thread in their forums and don’t even respond to requests via e-mail. But hey! At least they released the OCZ Vertex 3, so you possibly get all these bugs fixed for just 180€!

All these issues and their non-responding support made me replace the Vertex with the new Intel 320 Series SSD. They might be slower according to their specs, but performance isn’t everything.

Which leads me to the next part of this post…

The Intel 320 120Gb SSD! I installed this one in my MacBook Pro last week and what shall I say? After one week everything is great. I’m not talking about pure performance. I didn’t NOTE any difference in real life performance, but just in case… here is a simple sequential performance check:

OCZ Vertex 2 E 120Gb:

homer:~ $ dd if=/dev/zero of=10000M.img bs=1024 count=10000000
10000000+0 records in
10000000+0 records out
10240000000 bytes transferred in 82.815477 secs (123648385 bytes/sec)
homer:~ $ dd if=10000M.img of=/dev/null
20000000+0 records in
20000000+0 records out
10240000000 bytes transferred in 47.731347 secs (214534068 bytes/sec)

Intel 320 Series 120Gb:

homer:~  $ dd if=/dev/zero of=10000M.img bs=1024 count=10000000
10000000+0 records in
10000000+0 records out
10240000000 bytes transferred in 108.879939 secs (94048546 bytes/sec)
homer:~ $ dd if=file.img of=/dev/null
20000000+0 records in
20000000+0 records out
10240000000 bytes transferred in 47.695655 secs (214694610 bytes/sec)

The Intel is a tad slower in pure sequential write performance, which is a bit disappointing considering it’s one generation newer than the Vertex 2. But now to the important stuff:

  • Suspend2Disk: works
  • Closing and directly opening the MBP: works
  • Support: Well… it’s Intel. I don’t expect it to be any better than OCZ’s.
  • The good feeling of reliability: works

I haven’t received any negative reports from friends about the Intel X25-M (the 320 Series predecessor) nor have I found much on the Interwebs… so I’m much happier with the Intel now…


How to Check services and restart using Monit

I have a monitoring service (Zabbix, http://www.zabbix.com) which dies every few weeks because its MySQL tables were locked for too long during a backup… Annoying! Mostly because it’s then dead unnoticed for more than just a few minutes. So, how do you monitor a monitoring service? Or simply: how do you restart any service that has just gone away, in a simple way?

I recently came across monit (http://mmonit.com/monit/). They state it’s up and running in just 15 minutes. I got it running faster:

# Daemonize and check every 2mins.
set daemon 120

# Mail settings, in case you want to receive notifications
set mailserver relay.example.org
set mail-format { from: root@host1.example.org }
set alert admin@example.org

# The first check
check process zabbix_server with pidfile /var/run/zabbix/zabbix_server.pid
start program = "/etc/init.d/zabbix-server start"
stop program = "/etc/init.d/zabbix-server stop"
group server

You can also monitor network availability, application availability, file permissions and system utilization…
I think this tool is really great for a small network, though I don’t think it would scale that well. Just give it a try.


How to OpenBSD with Huawei E1750 UMTS

Getting my OpenBSD (4.8) box to talk to a Huawei E1750 USB UMTS stick as a backup solution turned out to be not very straightforward, so in case you are in a similar situation…

Have a look at

man umsm

to see which devices are supported by OpenBSD.

The UMTS USB sticks are registered as /dev/cuaUX, where X is the number of your device. You’ll need the userland pppd to connect. Place your peer configuration in /etc/ppp/peers/o2, for example:

cuaU0
connect /etc/ppp/connect.o2
disconnect /etc/ppp/disconnect.o2
nocrtscts
xonxoff
#:0.0.0.2 because 0.0.0.1 is the alias for my DSL default gateway
:0.0.0.2
noipdefault
ipcp-accept-local
defaultroute
novj
nobsdcomp
novjccomp
nopcomp
noaccomp
noauth
nomagic
persist

You’ll also need chat scripts to connect and disconnect. Note that you’ll need to at least adjust /etc/ppp/connect.o2 to suit your provider:

#!/bin/sh
# If your SIM is PIN protected, add the line
#   at+cpin=**** OK \
# (with your PIN in place of ****) right after the "atz OK" line below.
chat -vs \
ABORT 'NO CARRIER' \
ABORT 'NO DIALTONE' \
ABORT ERROR \
ABORT 'NO ANSWER' \
ABORT BUSY '' \
at OK \
atz OK \
'AT+CGDCONT=1,"IP","pinternet.interkom.de"' OK \
'atdt*99***1#' CONNECT

And /etc/ppp/disconnect.o2 looks like:

#!/bin/sh
# \K sends a BREAK before the hang-up sequence
chat -vs \
ABORT 'NO CARRIER' \
ABORT 'NO DIALTONE' \
ABORT ERROR \
ABORT 'NO ANSWER' \
ABORT BUSY '' \
'\K' '' '+++ATH'

Now make sure ppp0 is initialized on startup:

touch /etc/hostname.ppp0
sh /etc/netstart ppp0

To connect simply run

pppd call o2

and

pkill pppd

to disconnect. Run

ifconfig ppp0

to see if your connection is up and running:

ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
priority: 0
groups: ppp egress
inet 10.150.81.109 --> 0.0.0.2 netmask 0xfffffffc

Next post will be about auto fail-over between this and my regular DSL connection.


OpenVPN over TCP is BAD

I use OpenVPN in a road-warrior setup over often slow and unreliable wireless connections. That on its own makes using interactive applications pretty hard.

But if you additionally run OpenVPN in TCP mode over these links, things get worse. The reason is that TCP acknowledges every segment to make sure all data arrives and re-transmits the segments that don’t. With OpenVPN over TCP you now have your application’s TCP session encapsulated in the VPN’s TCP session, doubling your ACKs and re-transmissions (when needed).

Now I switched the VPN’s session to UDP: if the link starts to lose packets, the VPN will lose them too, but the application’s TCP session will make sure those packets are re-transmitted. All in all everything feels much faster, at least on a crappy 3G connection.

See this link for a more detailed explanation.


How to Upgrade to Xcode4 (or uninstall Xcode3)

I recently bought Xcode 4 on the Mac App Store and thereby thought I’d upgrade. Nope. Xcode 3 is moved to ‘/Developer-old’, but kept. No big deal actually, except when your OS disk is only 60Gb. The new Xcode 4 uses almost 10Gb plus 5Gb for Xcode 3. So if you don’t need Xcode 3 anymore, just run:

sudo /Developer-old/Library/uninstall-devtools --mode=all

This removes all Xcode3 files, freeing up about 5Gb of space.