<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Jayson Broughton</title>
	<atom:link href="http://jaysonbroughton.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://jaysonbroughton.com</link>
	<description>The Ramblings of a Techie</description>
	<lastBuildDate>Mon, 03 Dec 2012 17:45:30 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>It&#8217;s been awhile</title>
		<link>http://jaysonbroughton.com/2012/12/its-been-awhile/</link>
		<comments>http://jaysonbroughton.com/2012/12/its-been-awhile/#comments</comments>
		<pubDate>Mon, 03 Dec 2012 17:45:30 +0000</pubDate>
		<dc:creator>Jayson Broughton</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://jaysonbroughton.com/?p=265</guid>
		<description><![CDATA[Yes, I&#8217;m still alive. Yes, I agree I really should update jaysonbroughton.com.  Let&#8217;s see what&#8217;s happened in nearly a year&#8217;s time. I bought a house and moved the family in there, I&#8217;ve been working on said house in almost all of my free time. By the way, who buys a house these days and actually [...]]]></description>
			<content:encoded><![CDATA[<p>Yes, I&#8217;m still alive. Yes, I agree I really should update jaysonbroughton.com.  Let&#8217;s see what&#8217;s happened in nearly a year&#8217;s time. I bought a house and moved the family in there, and I&#8217;ve been working on said house in almost all of my free time. By the way, who buys a house these days and actually gets a complete, no-need-to-repair house? Within 3 months I had a toilet on my 2nd floor destroy my ceiling on the main floor, along with having to repair all of my flooring on the main floor and gut my basement. Alas, a new homeowner&#8217;s job is never complete. So between repairing/rebuilding/remodeling a 30 year old home, I&#8217;ve still found time to put out quite a few Linux Journal articles, draw up some schematics (which I plan on putting here) for a wireless entertainment center controller (utilizing an AVR chipset), and work on some more schematics for a whole-house Android/Asterisk intercom system. It&#8217;s been a busy year at the Broughton household, but maybe next year I&#8217;ll start becoming more active here and on twitter; only time will tell.</p>
<p>&nbsp;</p>
<p><a href="http://www.linuxjournal.com/content/creating-centralized-syslog-server">Linux Journal &#8211; Creating a Centralized Syslog Server</a></p>
<p><a href="http://www.linuxjournal.com/content/getting-help-linux-part-2-info">Linux Journal &#8211; Getting Help From Linux &#8211; Part 2 Info</a></p>
<p><a href="http://www.linuxjournal.com/content/ssh-tunneling-poor-techies-vpn">SSH Tunneling &#8211; Poor Techie&#8217;s VPN</a></p>
<p><a href="http://www.linuxjournal.com/content/book-review-linux-command-line"> Book Review &#8211; The Linux Command Line</a></p>
<p><a href="http://www.linuxjournal.com/content/book-review-artists-guide-gimp-2nd-edition"> Book Review &#8211; Artist&#8217;s Guide to GIMP, 2nd Edition</a></p>
<p>There are 2 more articles in Queue (I&#8217;ll keep you in suspense, check back on LinuxJournal.com) for the blog and 1 hopefully in queue for print.</p>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://jaysonbroughton.com/2012/12/its-been-awhile/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Still Around</title>
		<link>http://jaysonbroughton.com/2011/07/still-around/</link>
		<comments>http://jaysonbroughton.com/2011/07/still-around/#comments</comments>
		<pubDate>Thu, 28 Jul 2011 04:14:50 +0000</pubDate>
		<dc:creator>Jayson Broughton</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://jaysonbroughton.com/?p=260</guid>
		<description><![CDATA[No, I have not dropped off the face of the earth, I promise. For those of you following me either on twitter (@jayson0429) or who found me some other way besides linuxjournal.com: I have been pretty busy between work, the kids, military, arduino project sketching (thanks to daddoo in #linuxjournal) and writing numerous LinuxJournal blog posts. [...]]]></description>
			<content:encoded><![CDATA[<p>No, I have not dropped off the face of the earth, I promise. For those of you following me either on twitter (@jayson0429) or who found me some other way besides linuxjournal.com: I have been pretty busy between work, the kids, military, arduino project sketching (thanks to daddoo in #linuxjournal) and writing numerous LinuxJournal blog posts. Stay tuned though, I&#8217;m working on editing the next post on centralized syslog servers, which should be up here in another week. Until then, feel free to read the various linuxjournal.com blog posts that have been keeping me occupied since then.</p>
<p><a title="Linux Journal - Internet Relay Chat" href="http://www.linuxjournal.com/content/internet-relay-chat">Linux Journal &#8211; Internet Relay Chat</a><br />
<a title="Linux Journal - Fun with Ethtool" href="http://www.linuxjournal.com/content/fun-ethtool">Linux Journal &#8211; Fun with Ethtool</a><br />
<a title="Linux Journal - Speed up your Downloads with Axel" href="http://www.linuxjournal.com/content/speed-your-downloads-axel">LinuxJournal &#8211; Speed up your downloads with Axel</a><br />
<a title="LinuxJournal - Archiving CD's to ISO from the Commandline" href="http://www.linuxjournal.com/content/archiving-cds-iso-commandline">LinuxJournal &#8211; Archiving CD&#8217;s to ISO from the Commandline</a><br />
<a title="LinuxJournal - Getting help from Linux with Man pages - Part 1" href="http://www.linuxjournal.com/content/getting-help-linux-part-1-man-pages">LinuxJournal &#8211; Getting help from Linux with Man Pages &#8211; Part 1</a></p>
<p>As you can see I have been quite busy.  But I haven&#8217;t abandoned my post here at jaysonbroughton.com.  Most of the posts here are more drawn out and in-depth.  I&#8217;m not restricted to the amount of words I can write or the topics I can write about here, which can also be a double-edged sword.  This leads to more editing and more thinking about what I want to write about.  But alas, there is one in the works, stay tuned!</p>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://jaysonbroughton.com/2011/07/still-around/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NTP Security with ACLs and symmetric key exchange</title>
		<link>http://jaysonbroughton.com/2011/05/ntp-security-with-acls-and-symmetric-key-exchange/</link>
		<comments>http://jaysonbroughton.com/2011/05/ntp-security-with-acls-and-symmetric-key-exchange/#comments</comments>
		<pubDate>Wed, 25 May 2011 17:34:00 +0000</pubDate>
		<dc:creator>Jayson Broughton</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://jaysonbroughton.com/?p=245</guid>
		<description><![CDATA[&#8220;Who controls the past controls the future: who controls the present controls the past&#8221; ~George Orwell. Well in this case, whoever controls the Network Time Protocol (NTP) server, controls the past, present and future. NTP has been around for quite a while now, its main purpose is to coordinate the time among various servers, routers [...]]]></description>
			<content:encoded><![CDATA[<p>&#8220;Who controls the past controls the future: who controls the present controls the past&#8221; ~George Orwell.  Well in this case, whoever controls the Network Time Protocol (NTP) server controls the past, present and future.  NTP has been around for quite a while now; its main purpose is to coordinate the time among the servers, routers and other networked equipment in the world.  System administrators tend to set up an NTP server, point a few clients at it and do nothing else.  Some don't even know what NTP is or how to set it up properly.  Did you know that NTP has its own built-in security measures?  From access control lists all the way up to certificate-based authentication of client/server roles.  But why should you use NTP at all, and why bother securing it?  Well, there are a few reasons for NTP.</p>
<p><strong>Convincing reasons for NTP</strong></p>
<p>1. Desktop clients sync time; after all, employees love seeing when it's time to go home.</p>
<p>2. Multiple servers sync time; keeping timestamps consistent between servers is key to troubleshooting errors and to security.</p>
<p>3. Devices (routers, switches, etc.) keep their logs in sync for troubleshooting and for a centralized syslog server.</p>
<p>4. All of the above.</p>
<p><strong>Security reasons for NTP</strong></p>
<p>1. Access control lists let an administrator control who can sync and who can't, and who can query or reconfigure the daemon.  If your NTP server is public facing this can dramatically cut down on bandwidth if it accidentally gets posted as a public time server on the internet.</p>
<p>2. Autokey is a public-key authentication scheme, usually used by universities and government entities, where outward-facing NTP servers (typically a stratum 1 server and a number of stratum 2 clients) authenticate each other with certificates.  The key words here are 'outward facing', as I will go over again shortly: Autokey binds its session keys to the IP addresses in the packets, so it does not work through NAT.</p>
<p>3. Symmetric (shared) MD5 keys let internal and external clients check a keyed MD5 digest on every packet, so a client can trust that the server is who it says it is before changing its own clock.  Note that this authenticates the packets; it does not encrypt them.</p>
<p>4. By verifying who the NTP server is, a trust relationship is built that helps guarantee the time is consistent among the servers, which matters for security and legal reasons when it comes to tracing through log files.  If, for instance, someone has modified DNS to point to a different NTP server but doesn't have access to your keys file, then your internal (or other stratum) servers will reject the bogus replies and will not take the modified time.  Thus preserving the timestamps in your log files.</p>
<p>5. An attacker who finds out your external-facing NTP server's hostname might find a way of exploiting DNS and faking a time sync in order to skew the date/time of your logs prior to attacking the network.  With authentication in place on the client side, verification of who the server is will stop such an attack.</p>
<p><strong>Security Options</strong></p>
<p>Well, I've sort of touched on the security options with NTP but I'll go over them again here in greater detail.  NTP has 4 ways of being set up in an environment, from totally insecure all the way to the government/institution security mandated by security policies and procedures.</p>
<p>1. No Security &#8211; This is the default that most people set up when they first start out with NTP.  Granted, if you're new to NTP or system administration you really don't think much about NTP security and how it can affect a business.  For most SOHO (Small Office/Home Office) setups without servers this might suffice.  For businesses with servers or critical services that are outward facing to the internet you might want to proceed to the next higher levels of security.</p>
<p>2. Access Control &#8211; access control lists allow ntpd to restrict not only who can retrieve time from it, but also who can query the daemon for status (such as OS and ntpd version) and who can control the running service.  An outward-facing ntpd server that lets anyone query its OS and ntpd version is an insecure server.  Internally, unless you fully trust your internal network, ACLs are still worthwhile, and you can restrict them down to subnets.  The ACL flags that matter most here are: nomodify (do not allow this host/subnet to modify ntpd settings at run time), noserve (do not serve time to this host/subnet), notrust (ignore all NTP packets from it that are not cryptographically authenticated), noquery (do not allow this host/subnet to query ntpd status), and ignore (drop every packet from it).  You can set all or some of these flags on each restrict entry.</p>
<p>3. Shared Secrets &#8211; This is the symmetric key authentication NTP uses to make sure a server is who it says it is.  The secret itself never crosses the wire: both sides hold the same key ID, key type and key in their keys file, and every packet carries a MAC made of the key ID plus an MD5 digest computed over the key and the packet.  If the receiver's digest differs, the packet is discarded and the time is not changed; if it matches, the client adjusts its clock.  Key IDs are 32-bit values in the packet, and ntpd's keys file can hold up to 65,534 of them, so that gives a wide range of possibilities.  Because only the key ID and a digest are sent, this works fine in a WAN/LAN situation behind NAT or on the outside of the network.</p>
<p>4. Autokey &#8211; the fourth and more hardcore approach to NTP security.  Autokey uses public key cryptography and certificates in a challenge/response protocol to authenticate servers to each other.  Its session keys are derived from the source and destination addresses in the packets, so it works only where both ends see each other's real addresses.  This would be a useful setup for two sites where a central stratum 1 server provides Autokey access to several stratum 2 servers, which then have an internal NIC that provides plain NTP access to their inside clients.  The keyword to this is: <em><strong>neither the client nor the server can be behind NAT</strong></em>; address translation breaks the protocol.</p>
<p>So now that I have explained the basics of NTP security, I&#8217;ll only be going<br />
over Access Control and Shared Secrets in this blog post. I don&#8217;t have access<br />
to multiple external IP addresses, certificate based authentication, and I just<br />
don&#8217;t see very many people outside of institutions and government agencies<br />
utilizing AutoKey.</p>
<p>Before I get started I will assume that you know how to install and start ntpd; if you don't then this really isn't the post for you.  I will lay out a simple 'default' ntp.conf file used on a server, but will not be going over what each line means.  Google is your friend on setting up NTP servers.</p>
<p>Keep in mind, the symmetric keys described here are the standard NTP authentication scheme: ntpd talking to other ntpd instances, to ntp.org's pool, and to equipment such as routers/firewalls/switches that implement NTP authentication.  Microsoft's Windows Time service (W32Time, driven from the command line with w32tm.exe) is a different story.  Domain members authenticate their time requests to a domain controller with a Microsoft-specific extension tied to the machine's domain account, so there is no way to point them at your own shared secrets on a separate NTP server.  I spent a great amount of time researching this and came to the conclusion that their solution made my head hurt.  If you want a Windows client to authenticate with a Linux NTP server using ntp.keys, search the internet for a win32 build of the reference ntpd client; there are a few of them out there.  If you just want W32Time to fetch unauthenticated time from your Linux NTP server, that is entirely possible; check the help output of w32tm.exe (w32tm /?).</p>
<p>What you&#8217;re going to need is a server, and a client.  Or in my case for testing<br />
purposes; a server and some virtual machine clients.  Make sure you have ntpd<br />
already installed on the server and ntp installed on the clients.</p>
<p><strong>NTP Setup</strong></p>
<p>On the server side, make sure you have the ntp server up and running.  A minimal setup is as follows (mileage may vary according to your distro and how you installed NTP).  All of my testing was done with a Debian server and an Ubuntu 11.04 client.  Fedora and other distributions might put the ntp files in /etc/ntp/ or another location.</p>
<pre># /etc/ntp.conf

driftfile /var/lib/ntp/ntp.drift

# I like stats
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# NTP servers - I list 3 pool servers and the local clock as fallback
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org
# Undisciplined local clock (ntpd's LOCAL refclock driver), fudged to a
# poor stratum so it only wins when every real server is unreachable
server 127.127.1.0
fudge 127.127.1.0 stratum 10

# ACL
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

restrict 127.0.0.1
restrict ::1</pre>
<p>Save the file, mark it read-only (chmod 444 /etc/ntp.conf) and make sure root owns it (chown root:root /etc/ntp.conf); ntp.conf holds no secrets, so this is about preventing accidental edits rather than hiding anything.  Restart ntpd and move on to your ntp client.</p>
<p>The reason I have the 'server 127.127.1.0' and 'fudge 127.127.1.0 stratum 10' lines in my ntp.conf is so that if for whatever reason my network fails, ntpd won't stop serving.  127.127.1.0 is not a real host but ntpd's address for its local clock driver, and the fudge line advertises that clock at stratum 10.  NTP prefers lower stratum numbers, so as long as the pool servers (stratum 2 or 3) are reachable they win, and the stratum 10 local clock is only selected when everything else has gone away.  Odds are if the network fails, the server's clock will still be accurate enough to provide time for the other clients until internet access has been restored; just keep in mind that nothing is disciplining it during the outage, and the server will advertise itself to its clients as stratum 11, which is a useful thing to alert on.</p>
<p>On the client side, make sure you have ntp and ntpdate installed on the client.<br />
Then edit the /etc/ntp.conf file.</p>
<p>Odds are on a client you don't need the statistics, so comment out the statistics and filegen lines, replace the pool servers with the IP address of your NTP server, keep the restrict lines and restart ntp.</p>
<p>For security reasons, the same file permissions apply for the client as they do<br />
for the server.  Make sure /etc/ntp.conf is marked read-only (chmod 444) and<br />
only accessible by root (chown root:root).</p>
<p>While still connected to the client, run the following command to see if your client is successfully connecting to your server before moving on to the next step.</p>
<pre>ntpdate -d servername</pre>
<p>This should output a bunch of debug information, including the stratum level of your server (in my case a stratum 3 server) and whether it would adjust your time.  If this worked, move on to the next step.  If it didn't, check your config files and /var/log/messages (or wherever your distro sends the syslog daemon facility).</p>
<p><strong>Access Control Lists</strong></p>
<p>Because NTP can be configured to broadcast date/time over a subnet, ACLs can be a good thing for both a client and a server.  For instance, if you have an NTP server that the admins haven't been keeping up with, or were unaware they had set up as a broadcast NTP server, and its time is off by hours, days or sometimes even years (01-01-1970 anyone?), broadcasting that to a bunch of clients set to receive NTP broadcasts can be catastrophic.  Another reason for ACLs is to make sure that a client or peer can only get time from the server and cannot modify its settings or pull status out of it.  The nice part is that NTP lets you set ACLs per subnet, so if your internal network has multiple subnets you can restrict clients by ACL: certain subnets can get their date/time from a given NTP server and certain ones can't.</p>
<p><em><strong>Keep in mind that ntpd applies the most specific restrict entry, not the first one</strong></em>.  Entries are kept sorted by address and mask, so a host entry beats a subnet entry, which beats <em>default</em>, regardless of where they appear in the file.  The effect is the same deny-all-then-allow pattern you use when writing firewall rules: the <em>default</em> entry denies everything and the narrower entries open up what you want.  If you're not exposing the server to the outside world there really is no need to deny all.  <em>Deny All, Allow Some</em>: if your NTP server is on the outside of the world and you don't want just anyone to have access to it, then the following ACL blocks all access and then grants restricted access back.</p>
<pre># Ignore all
restrict default ignore
restrict -6 default ignore

# Allow localhost
restrict 127.0.0.1
restrict -6 ::1

# Add some time servers: let them reply with time, but nothing else
server x.x.x.x
restrict x.x.x.x nomodify notrap nopeer noquery

server -6 x:x:x:x::
restrict -6 x:x:x:x:: nomodify notrap nopeer noquery

## Add a single client with full access
restrict 192.168.1.10

## Add an entire subnet with more restrictions
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
restrict -6 2001:838:0:1:: mask ffff:ffff:ffff:ffff:: nomodify notrap nopeer</pre>
<p><em>Basic LAN Access</em><br />
For basic LAN access I tend to just go with the following setup on my NTP server:</p>
<pre>restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery</pre>
<p><em>What do the options mean?</em><br />
If you see a -6 in restrict, that means the entry is specifically for IPv6.  If your network isn't IPv6 you usually don't need to worry about this, but it wouldn't hurt to add the line while you're making your changes, in case at some point you do decide to go to IPv6; otherwise your carefully restricted IPv4 default has a wide-open IPv6 sibling.</p>
<p>nomodify &#8211; do not allow the host to modify any ntpd settings at run time.  Without it, ntpq and ntpdc can change the running daemon's configuration remotely (subject to a control key).  Nine times out of ten this will never be necessary, as an administrator will make changes to the configuration file itself and restart ntpd.</p>
<p>noserve &#8211; do not serve time to this host/subnet.  Status queries are still answered, so one use is a management network that is allowed to monitor the server with ntpq but should not be taking time from it.</p>
<p>notrust &#8211; ignore ALL NTP packets from this host/subnet that are not cryptographically authenticated.  This means that in order to get time, both server and client must have the keys set up.  More on this in the next part.</p>
<p>nopeer &#8211; do not let this host form a symmetric peer association, i.e. become a time source for us; ordinary client requests are still served.  notrap &#8211; refuse the mode 6 control message trap service (an old remote logging facility nobody needs exposed).  kod &#8211; when a packet is denied (for example by rate limiting with the limited flag), send a kiss-o'-death packet telling the client to back off.</p>
<p>noquery &#8211; This is a very useful one.  It tells the server not to answer ntpq/ntpdc status queries (NTP modes 6 and 7) from the host or subnet.  ntpd status may give away information about the operating system and/or version of ntpd, which an attacker may use to find a vulnerability against said system, and the mode 7 monitor list replies are large enough to be abused for traffic amplification against third parties.  It does not affect ordinary time requests.  This can be a pro and a con: by disabling queries you thwart reconnaissance from the outside world, but you also stop clients from seeing synchronization information about the ntpd server, so leave queries open for your monitoring hosts only.</p>
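<p>An added example (my own illustration, not code from the original post or from ntpd) that works through the two points above: given an ntp.conf, which restrict entry actually applies to a client, and does the default entry carry the hardening flags?  It re-implements ntpd's most-specific-match lookup with Python's ipaddress module, so you can see that reordering the lines changes nothing, and it flags a <em>default</em> entry that is missing nomodify/nopeer/noquery/notrap.  The configuration text inside it is constructed for the demonstration; the addresses and subnets are made up, and hostnames in restrict lines are not handled.</p>

```python
"""Resolve which ntpd `restrict` entry applies to a client address.

ntpd keeps its restrict entries sorted by address and mask and applies the
most specific matching entry, so the order of `restrict` lines in ntp.conf
does not matter.  This is a stand-alone re-implementation of that lookup
for auditing a config file, not ntpd's own code.  SAMPLE_CONF below is
constructed for the example.
"""
import ipaddress

# Flags worth insisting on for the catch-all `default` entries.
HARDENED_DEFAULT = {"nomodify", "nopeer", "noquery", "notrap"}


def _mask_to_prefixlen(mask):
    # Count set bits of a dotted-quad or IPv6 netmask: 255.255.255.0 -> 24.
    return bin(int(ipaddress.ip_address(mask))).count("1")


def parse_restrict(conf_text):
    """Return a list of (network, flags) for every `restrict` line."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = tokens.pop(0) if tokens[0] in ("-4", "-6") else None
        if not tokens:
            continue
        target = tokens.pop(0)
        if target == "default":
            # A bare `restrict default` covers both address families.
            nets = []
            if family in (None, "-4"):
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
            if family in (None, "-6"):
                nets.append(ipaddress.ip_network("::/0"))
        else:
            try:
                addr = ipaddress.ip_address(target)
            except ValueError:
                continue  # hostnames are out of scope for this example
            prefixlen = addr.max_prefixlen  # no mask means a single host
            if tokens and tokens[0] == "mask":
                tokens.pop(0)
                prefixlen = _mask_to_prefixlen(tokens.pop(0))
            nets = [ipaddress.ip_network((str(addr), prefixlen), strict=False)]
        flags = frozenset(tokens)  # whatever is left are the restriction flags
        for net in nets:
            entries.append((net, flags))
    return entries


def effective_flags(conf_text, client_ip):
    """Flags ntpd applies to client_ip: the most specific matching entry wins.

    Returns None when no entry matches at all (no default line)."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, flags in parse_restrict(conf_text):
        if ip.version != net.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, flags)
    return None if best is None else set(best[1])


def audit_defaults(conf_text):
    """Hardening flags missing from the `default` entries, per family.

    A value of None means that family has no default entry at all; an
    empty set means the default is either fully hardened or `ignore`."""
    report = {"ipv4": None, "ipv6": None}
    for net, flags in parse_restrict(conf_text):
        if net.prefixlen != 0:
            continue
        fam = "ipv4" if net.version == 4 else "ipv6"
        report[fam] = set() if "ignore" in flags else HARDENED_DEFAULT - flags
    return report


# Constructed sample: deny everything by default, then carve out access.
SAMPLE_CONF = """
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.1.10
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
restrict -6 2001:db8:0:1:: mask ffff:ffff:ffff:ffff:: nomodify notrap nopeer
"""

if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.20", "10.0.0.5", "2001:db8:0:1::42"):
        print(ip, sorted(effective_flags(SAMPLE_CONF, ip)))
    print(audit_defaults("restrict default nomodify notrap\n"))
```

Running it shows 192.168.1.10 getting an empty flag set (full access from its host entry), 192.168.1.20 inheriting the subnet's flags, and 10.0.0.5 hitting <em>ignore</em>; feeding the same lines in reverse order gives identical answers, and the weak one-line default reports noquery and nopeer as missing.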
<p><strong>Shared Secrets &#8211; Symmetric Key Authentication</strong></p>
<p>Ah, the meat and potatoes.  Well, not really the fun part, but the complicated and mind-numbing part of NTP security.  Despite the common name 'key exchange', no key is exchanged: you put the same secret on both ends by hand, and NTP uses it to authenticate packets.  Shared secrets probably wouldn't be used in a SOHO (small office/home office) environment, but more in a WAN setup where an NTP server might be on the outside of the network, or you have more than one outside-facing NTP server communicating with each other.  By using shared secrets, the downstream (higher stratum number) NTP server can verify that the time it is receiving comes from a valid time source.  So without further ado, let's get started.</p>
<p>Like I stated earlier, this is usually set up so that NTP server #1 on the outside of the network can serve another NTP server on the inside of another network, or on the outside of a further network.  Sure, the case could be made to use symmetric keys between all of the servers on the inside of your network, and that's entirely possible.</p>
<p>There are two ways of creating an ntp.keys file: the easy way, by just typing keys into a file, and the other way, by generating random keys with ntp-keygen.  I'll go over both of them here.</p>
<p><em>Flat Text File</em> Create a new text file called ntp.keys and populate it as such:</p>
<pre># NTP Keys
1 MD5  MickeyMouse # MD5 key for this server
2 MD5  Goofy       # MD5 key for this other server
3 MD5  DonaldDuck  # MD5 key for that server</pre>
<p>Save the file and there you have it.  1 is the key ID, MD5 specifies the type, MickeyMouse is the key itself, and anything after # is a comment.  An MD5 key is 1 to 20 printable ASCII characters (no spaces or #); a value longer than 20 characters is read as hex.  Not exactly the most secure thing in the world, but it's easy and quick.  The key is the only thing standing between you and a forged time source, so anywhere but a lab use long random keys rather than cartoon characters.</p>
<p><em>Using ntp-keygen</em><br />
This is the preferred way of doing things, slightly messy but it works nonetheless.  What I tend to do is create a separate temporary directory, since a bunch of individual files get generated.</p>
<pre>mkdir ~/tempkeys
cd ~/tempkeys
ntp-keygen -M</pre>
<p>The -M option generates a keys file of random MD5 keys.  It creates a file (plus an ntpkey_md5 symlink pointing at it) named:<br />
ntpkey_MD5key_hostname.bunchofnumbers</p>
<pre>mv ntpkey_MD5key_hostname.bunchofnumbers /etc/ntp.keys
chown root:root /etc/ntp.keys &amp;&amp; chmod 600 /etc/ntp.keys</pre>
<p>*Note: Whatever you use to generate your ntp.keys, once you are done editing the file lock the permissions down.  Unlike ntp.conf this file is a secret: a world-readable (444) keys file hands every local user the ability to forge authenticated time, so make it readable by root only (0600).  If your distro runs ntpd as an unprivileged user (Debian's runs as 'ntp'), give that user group read access instead, e.g. chown root:ntp and chmod 640.</p>
<p>If your keys are generated, it&#8217;s time to modify your server to look for the<br />
keys.</p>
<p>Add the following lines to your NTP server's /etc/ntp.conf file:</p>
<pre>### Symmetric Key Authentication
enable auth
keys /etc/ntp.keys
trustedkey 1</pre>
<p>What this says is the following: enable authentication, location of the key file, and trust key #1.  If you want to trust more keys from /etc/ntp.keys then list them separated by spaces, e.g. trustedkey 1 2 3 4, and so on and so forth.  There are other options you can use with the keys as well, such as requestkey and controlkey.  Requestkey names the key that authorizes the ntpdc utility (mode 7) and controlkey the key that authorizes the ntpq utility (mode 6); a key only works for either once it is also listed in trustedkey.</p>
<p>If you're done on the server side, remember to change /etc/ntp.keys to mode 600 and /etc/ntp.conf to read-only, making sure root owns both files.  Let's continue to the client side.</p>
<p><strong>Client side symmetric key setup</strong></p>
<p>The steps for client-side symmetric key authentication are quite simple, so I'll do some step-by-steps here.</p>
<p>1. Pick a line from the server's /etc/ntp.keys file and copy that entire line.<br />
2. Create a new file /etc/ntp.keys on the client and paste the line that you copied from the server.  Save/quit the file and make it mode 600, owned by root (or readable by the ntp user only, as on the server).</p>
<p>Before you make changes to your client's ntp.conf file we can test the settings from the command line with this simple command:</p>
<pre>ntpdate -d -a 1 -k /etc/ntp.keys ip.of.ntp.server</pre>
<p>With any luck, you should see 'receive: authentication passed'.  If you didn't, make sure your NTP server is allowing UDP port 123 through the firewall; if you're both behind the firewall, check the settings in the server's /etc/ntp.conf file and that the line you copied to the client matches the server's byte for byte.</p>
<p>If all goes well it's time to edit your client's /etc/ntp.conf file.  Add the following lines:</p>
<pre>## Key Authentication
enable auth
keys /etc/ntp.keys
trustedkey 1

# Replace your server line with one that names the key
server ip.of.ntp.server key 1</pre>
<p>Once you have made your changes, save and quit your ntp.conf file and restart ntp.</p>
<p>There you have it! Symmetric Key Authentication.</p>
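<p>To make concrete what the keys file and the client/server steps above actually produce on the wire, here is an added Python example (my own illustration, not ntpd's code) covering both sections: it parses ntp.keys lines the way ntpd's documented rules describe (ASCII up to 20 characters, hex beyond that), builds a bare 48-byte NTPv4 client header, appends the key ID plus MD5(key || packet) MAC that symmetric-key mode uses, and verifies it on the receiving side, showing that the key itself never leaves either host and that a wrong key or an unlisted key ID is rejected.  It also generates random 20-character keys and writes the file mode 0600 from the start.  The key file contents and the packet are constructed for the example; extension fields are not handled and the timestamp fields are left zero.</p>

```python
"""Symmetric-key ("shared secret") authentication as NTP actually does it.

The key never crosses the wire.  Each side holds the same entry from
ntp.keys and appends a MAC to every packet: the 32-bit key ID followed by
MD5(key || packet).  The receiver looks the key ID up in its own file,
recomputes the digest and rejects the packet (and the time in it) on a
mismatch.  Added example, not ntpd's code; the key files and the packet
below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import secrets
import string
import struct

NTP_HEADER_LEN = 48   # fixed NTPv4 header; extension fields are not handled here
MAC_LEN = 4 + 16      # key ID + MD5 digest

# Printable ASCII minus '#' and whitespace, which the keys-file format cannot hold.
KEY_ALPHABET = "".join(c for c in string.printable if c not in "#" + string.whitespace)


def parse_keys_file(text):
    """Parse ntp.keys lines of the form `keyid type key [# comment]`.

    Documented ntpd rule: an MD5 key of up to 20 characters is taken
    literally as ASCII; anything longer is read as a hex string."""
    keys = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError("malformed ntp.keys line: %r" % raw)
        keyid, ktype, value = int(parts[0]), parts[1].upper(), parts[2].strip()
        if ktype not in ("MD5", "M"):
            raise ValueError("only MD5 keys are handled here: %r" % raw)
        if not 1 <= keyid <= 65534:
            raise ValueError("key ID out of range: %d" % keyid)
        keys[keyid] = value.encode("ascii") if len(value) <= 20 else bytes.fromhex(value)
    return keys


def generate_keys_file(key_ids):
    """Random 20-character MD5 keys, one per ID, in ntp.keys format."""
    lines = ["# generated MD5 keys"]
    for keyid in key_ids:
        key = "".join(secrets.choice(KEY_ALPHABET) for _ in range(20))
        lines.append("%d MD5 %s" % (keyid, key))
    return "\n".join(lines) + "\n"


def write_keys_file(path, text):
    """Create the keys file mode 0600 from the first byte; a world-readable
    ntp.keys hands every local user the ability to forge authenticated time."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return oct(os.stat(path).st_mode & 0o777)


def client_request():
    """Minimal 48-byte NTPv4 client header: LI=0, VN=4, Mode=3, poll 6,
    precision -20; root delay/dispersion, reference ID and all four
    timestamps are zero for the demonstration."""
    first = (0 << 6) | (4 << 3) | 3
    return struct.pack("!BBBb", first, 0, 6, -20) + bytes(44)


def append_mac(packet, keyid, key):
    """Append key ID and MD5(key || packet), the NTP symmetric-key MAC."""
    return packet + struct.pack("!I", keyid) + hashlib.md5(key + packet).digest()


def verify_mac(message, keys):
    """None = no MAC present (unauthenticated); True/False = MAC valid/invalid."""
    if len(message) < NTP_HEADER_LEN + MAC_LEN:
        return None
    body, mac = message[:-MAC_LEN], message[-MAC_LEN:]
    keyid = struct.unpack("!I", mac[:4])[0]
    key = keys.get(keyid)
    if key is None:
        return False  # unknown (or untrusted) key ID
    expected = hashlib.md5(key + body).digest()
    return hmac.compare_digest(expected, mac[4:])


# Constructed server-side and client-side key files; the client copied only key 1.
SERVER_KEYS = """# NTP Keys
1 MD5  MickeyMouse   # MD5 key for this server
2 MD5  Goofy         # MD5 key for this other server
3 MD5  0a0b0c0d0e0f101112131415161718191a1b1c1d   # 40 hex digits = 20-byte key
"""
CLIENT_KEYS = "1 MD5 MickeyMouse\n"

if __name__ == "__main__":
    server, client = parse_keys_file(SERVER_KEYS), parse_keys_file(CLIENT_KEYS)
    print("server accepts client request:", verify_mac(append_mac(client_request(), 1, client[1]), server))
    print("server accepts forged request:", verify_mac(append_mac(client_request(), 1, b"WrongKey"), server))
    print("client accepts reply under key 2:", verify_mac(append_mac(client_request(), 2, server[2]), client))
    print(generate_keys_file(range(1, 4)), end="")
```

Run it to watch the server accept the client's request and refuse the forged one, and the client refuse a reply signed with key 2 because that ID is not in its own file; the same check is what ntpdate -d -a 1 -k ... reports as 'authentication passed' when its recomputed digest matches.  The digest is plain MD5 over key and packet (not HMAC), which is why the key length and randomness matter.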
<p><strong>Conclusion</strong> As you can see, even something as simple as the network time protocol can be secured against attackers with the tools it already ships with: ACLs to limit who can talk to the daemon and what they can ask of it, and shared keys so clients only take time from a source that proves it holds the secret.  I didn't go into the more advanced features of Autokey, but that's left up to the reader.  Hopefully I have left you with a little more knowledge on how to secure your NTP servers against attack from internal or external influences.  And heck, maybe you even learned a thing or two about NTP that you didn't know before.</p>
]]></content:encoded>
			<wfw:commentRss>http://jaysonbroughton.com/2011/05/ntp-security-with-acls-and-symmetric-key-exchange/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Iperf &#8211; Measuring Network Performance in an Enterprise Environment</title>
		<link>http://jaysonbroughton.com/2011/04/iperf-measuring-network-performance-in-an-enterprise-environment/</link>
		<comments>http://jaysonbroughton.com/2011/04/iperf-measuring-network-performance-in-an-enterprise-environment/#comments</comments>
		<pubDate>Fri, 15 Apr 2011 18:07:15 +0000</pubDate>
		<dc:creator>Jayson Broughton</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://jaysonbroughton.com/?p=180</guid>
		<description><![CDATA[&#8220;Is the Internet slow? why is it taking so long for me to get to the file server?&#8221;, &#8220;Someone needs to reboot the internet!&#8221;. I know you have either heard or uttered those phrases in the last month or two; I know I have. But how do you measure &#8216;it is slow&#8217;? Slow network connections [...]]]></description>
			<content:encoded><![CDATA[<p>&#8220;Is the Internet slow? why is it taking so long for me to get to the file server?&#8221;, &#8220;Someone needs to reboot the internet!&#8221;. I know you have either heard or uttered those phrases in the last month or two; I know I have. But how do you measure &#8216;it is slow&#8217;? A slow network connection to one person could be screaming fast for another person, and vice versa. Well, thankfully there is a tool for that; in comes iperf. Iperf was designed by the Distributed Applications Support Team (DAST), out of the National Laboratory for Applied Network Research (NLANR); it was designed not only to measure network bandwidth, but also to optimise the network by &#8216;tuning&#8217; the TCP window size on the host operating system. This article will be focusing on the former: measuring network bandwidth. With kernel 2.6.7, automatic send/receive buffer tuning was put into place, largely negating the need for fine-tuning the network on a host.</p>
<p>But what exactly does Iperf do? Well, it&#8217;s quite simple really. Iperf utilises the client/server architecture, sending a select amount of data from an iperf client to a listening iperf server, and measuring the time that it takes to transmit/receive the data. Not only can iPerf measure the total bandwidth from client to server, but it can also measure bandwidth being sent from the server back to the client in both a &#8216;trade-off&#8217; (wait until client test runs, then run data back from server to client) or a dual test transfer of data, both sending and receiving of data at the same time. But what if you want to test multiple simultaneous connections to the server? Mimicking multiple clients connecting to a server at the same time? Iperf allows (if threading is enabled) for an iperf client to run multiple simultaneous connections with the -P flag, of which I will demonstrate later in this article. Not only can iperf measure network bandwidth, and optimising networks; but it can easily be a valuable tool for network administrators that are troubleshooting congestion and bottlenecks between various computers on the network, including wireless clients, Point-to-Point T1&#8242;s and VPN tunnels between various secured sites.</p>
<p>So where do you get such an awesome tool? Well, most modern Linux distributions carry the package in their respective package managers (be it apt-get or rpm). Not only can you run the client or server from a Linux machine, but for those of you who have a mixed-client environment, Windows binaries are available. And for those of you who are not CLI inclined, there is a full blown Java graphical utility out there as well. You can get all of these versions from sourceforge. Now before we get started: the Windows binary acts not only as a client but also as a server. For those of you who are in a mixed-OS environment, this can be beneficial in testing client access to various Windows servers. The Windows binary allows the network administrator to actually run the server as a service (just be sure that you disable the service once you have completed testing). So without further ado, let&#8217;s get started!</p>
<p>&nbsp;</p>
<p><strong>Local Host</strong><br />
Before we jump into iperf with both feet, I&#8217;ll be holding your hand for the first part of the trip. First things first, running the iperf server. The easiest way to get started is to execute: iperf -s. Root is not required: the default port, TCP 5001, is above the privileged range (ports below 1024), so any user can open it. This starts the iperf server listening on TCP port 5001. During testing it is advisable to open the port in iptables for the test network only (iptables -I INPUT -p tcp --dport 5001 -s xxx.xxx.xxx.xxx/xx -j ACCEPT, replacing xxx with your network information and INPUT with whatever chain your ruleset uses) rather than disabling iptables on the server and clients outright; a scoped rule is just as easy to remove afterwards and does not leave the hosts wide open for the duration of the test. Other server options include running as a daemon, accepting a specific number of connections before closing the application (the default is 0, accepting connections indefinitely until the application is closed), binding to a particular local address with -B so the server only answers on the interface under test, and listening on a different TCP port. There are other options as well, and some differ between the Windows server binary and the Linux one (such as the ability to write output to a file with the Windows binary); see the iperf documentation included in the source .tar.gz for more server options than are listed here.</p>
<pre><em><strong>Startup Options</strong></em>
-s --Start as Server
-D --Run as Daemon
-p --Server Port to listen on
-u --listen to UDP port 5001
</pre>
<p>&nbsp;</p>
<div id="attachment_189" class="wp-caption aligncenter" style="width: 549px"><a rel="attachment wp-att-189" href="http://jaysonbroughton.com/2011/04/iperf-measuring-network-performance-in-an-enterprise-environment/iperf-server-2/"><img class="size-full wp-image-189" title="iperf-server" src="http://jaysonbroughton.com/wp-content/uploads/2011/04/iperf-server1.jpg" alt="" width="539" height="135" /></a><p class="wp-caption-text">Iperf Start as Server</p></div>
<p style="text-align: center;">&nbsp;</p>
<p>Once you execute the iperf -s command, you should be presented with a screen as shown above. This little vital tidbit of information states the following: the server is listening on TCP port 5001, and the TCP window size is set to 85.3 KBytes by default. As you can also see in the screenshot, any test started by a client is echoed on the server side as well for statistics gathering. This is very useful when you have multiple clients running parallel tests and you want to gather the information in a central location to analyse later.</p>
<p>So, now that the server is running and listening for incoming connections, let&#8217;s start up a client connection on the same machine. In a second terminal window on the same machine (for testing purposes, and ease of use, I opted to run the client/server localhost test in a screen session), run the following command: iperf -c 127.0.0.1. If everything is working, you should get back the bandwidth of your loopback interface. In this case I also opted to use the -i flag to report at 3 second intervals instead of a single line after the 10 seconds of testing. Personally I find it nice to be able to check for any deviation in packet loss or bandwidth during the test.</p>
<p>&nbsp;</p>
<div id="attachment_192" class="wp-caption aligncenter" style="width: 492px"><a rel="attachment wp-att-192" href="http://jaysonbroughton.com/2011/04/iperf-measuring-network-performance-in-an-enterprise-environment/iperf-client-to127001/"><img class="size-full wp-image-192" title="Iperf Client to 127.0.0.1" src="http://jaysonbroughton.com/wp-content/uploads/2011/04/iperf-client-to127001.jpg" alt="" width="482" height="169" /></a><p class="wp-caption-text">Client against Localhost - 3 second updates</p></div>
<p style="text-align: center;">&nbsp;</p>
<p>From this screenshot we can see the following: the client connected to the server running on the localhost via TCP port 5001, and the TCP window size for the client was 49.5 KBytes. The [ID] column (3 here) identifies each connection, which lets you match the per-connection status reports on the server when you are running multiple parallel connections (as specified by the -P switch). The interval column is just that: the reporting interval. Because I used the -i 3 flag, this reports 3 second intervals and then a final line covering 0-10 seconds. Transfer is the amount of data transferred between the client and the server, and bandwidth is the throughput measured over that interval.</p>
<p>Now that we have proven that we can retrieve results from the Server, lets try this in a LAN environment.</p>
<p>&nbsp;</p>
<p><strong>LAN &amp; Wireless Testing</strong></p>
<p>There are many reasons why you might use iperf on a physical LAN: testing bandwidth between clients at the far end of a building and an intranet server across multiple switch hops, testing a point-to-point T1, and even testing a VPN tunnel for the bandwidth available between client and server. Not only can you check TCP throughput, you can also check UDP loss and delay. UDP is used in a lot of business applications, including but not limited to DNS, Voice-over-IP and video conference calls. If you are having network bottleneck issues, this can seriously degrade VoIP or other UDP traffic.</p>
<p>The procedure for running iperf against a client on the LAN is just like the localhost example earlier, but this time you can also use other switches to gather more in-depth data. The basic iperf -c ip.of.example.server -i 3 will give you a more realistic reading of the bandwidth between a server and a client than the loopback test did.</p>
<p>&nbsp;</p>
<div id="attachment_193" class="wp-caption aligncenter" style="width: 488px"><a rel="attachment wp-att-193" href="http://jaysonbroughton.com/2011/04/iperf-measuring-network-performance-in-an-enterprise-environment/iperf-lan-client/"><img class="size-full wp-image-193" title="Iperf Lan Client" src="http://jaysonbroughton.com/wp-content/uploads/2011/04/iperf-lan-client.jpg" alt="" width="478" height="150" /></a><p class="wp-caption-text">Client against remote Server - 3 second updates</p></div>
<p style="text-align: center;">&nbsp;</p>
<p>As you can see from these results, the amount of data transferred is smaller than over localhost, along with a more reasonable bandwidth of 94.1 Mbits/sec. If for whatever reason you would like to change the output from Mbits/sec to some other unit, the -f (--format) switch on the client changes the human-readable output of your bandwidth.</p>
<pre><strong><em>Output Options (-f, --format)</em></strong>
'b' = bits/sec     'B' = Bytes/sec
'k' = Kbits/sec    'K' = KBytes/sec
'm' = Mbits/sec    'M' = MBytes/sec
</pre>
<p>Earlier in the article, I talked about the ability to run both a dual test and a &#8216;trade-off&#8217; test. A dual test from the client to the server runs a simultaneous test of both up and down traffic, measuring the bandwidth for sending and receiving data between client and server at the same time. This gives you a &#8216;real world&#8217; example of simultaneous TCP connections; use the -d (--dualtest) option: iperf -c ip.of.example.server -d.</p>
<div id="attachment_194" class="wp-caption aligncenter" style="width: 490px"><a rel="attachment wp-att-194" href="http://jaysonbroughton.com/2011/04/iperf-measuring-network-performance-in-an-enterprise-environment/iperf-dualtest-lan/"><img class="size-full wp-image-194" title="Iperf Dual Lan Test" src="http://jaysonbroughton.com/wp-content/uploads/2011/04/iperf-dualtest-lan.jpg" alt="" width="480" height="190" /></a><p class="wp-caption-text">Client against server - Dual test</p></div>
<p style="text-align: center;">&nbsp;</p>
<p>From this example, you can see that the data sent from the server to the client was significantly less (15.3 Mbits/sec) than the data transferred from the client to the server. The other test you can run is trade-off mode, using the -r (--tradeoff) flag. This tells the server that once the client&#8217;s transfer has finished, it should open a connection back to the client and send data, so the two directions are tested one after the other rather than at the same time. An example of this result is below. From these results you can see that the data itself didn&#8217;t change much from the original test; both &#8216;up&#8217; and &#8216;down&#8217; traffic stayed within the normal bandwidth of a 100 Mbit LAN connection.</p>
<div id="attachment_195" class="wp-caption aligncenter" style="width: 492px"><a rel="attachment wp-att-195" href="http://jaysonbroughton.com/2011/04/iperf-measuring-network-performance-in-an-enterprise-environment/iperf-tradeoff-lan/"><img class="size-full wp-image-195" title="Iperf Tradeoff Lan" src="http://jaysonbroughton.com/wp-content/uploads/2011/04/iperf-tradeoff-lan.jpg" alt="" width="482" height="190" /></a><p class="wp-caption-text">Client against server - Tradeoff</p></div>
<p style="text-align: center;">&nbsp;</p>
<p>If you want to test simultaneous connections to the server from a specific client, use the -P flag followed by the number of connections to make to the server. For this to work, thread support needs to be compiled into the version of iperf that you are using. If you are using a pre-packaged binary, odds are that thread support was compiled in (both the Ubuntu and Fedora binaries have it); you can check by looking for libpthread in the output of ldd /usr/bin/iperf. If you installed from source, you need to configure with --enable-threads. I see the -P flag used more as a benchmarking utility; making multiple connections to the server at the same time is sure to display a much lower bandwidth per connection, with a [SUM] line giving the aggregate.</p>
<p>Now what about all that talk about UDP? For these tests you need to change the server options so iperf listens for UDP. But before you do, as before, make sure iptables is allowing UDP traffic through port 5001 (the same rule as above with -p udp). After that, start the iperf server again, this time with the -u flag (iperf -s -u). Upon executing, you should see a banner stating that iperf is listening on UDP port 5001. The client needs the -u flag as well (iperf -c ip.of.example.server -u); a TCP client cannot talk to a UDP server.</p>
<div id="attachment_196" class="wp-caption aligncenter" style="width: 517px"><a rel="attachment wp-att-196" href="http://jaysonbroughton.com/2011/04/iperf-measuring-network-performance-in-an-enterprise-environment/iperf-server-udp/"><img class="size-full wp-image-196" title="Iperf Server UDP" src="http://jaysonbroughton.com/wp-content/uploads/2011/04/iperf-server-udp.jpg" alt="" width="507" height="124" /></a><p class="wp-caption-text">Iperf Server UDP</p></div>
<p style="text-align: center;">&nbsp;</p>
<p>Just as before, the output on your server shows all of the connections from client to server. But while testing UDP you will come across extra columns: jitter (the variation in packet latency between the hosts, in milliseconds) and lost/total datagrams with the percentage of datagrams lost. By default iperf uses a datagram size of 1470 bytes, but for more representative testing you should set the datagram size to that of the application you are testing (-l datagramsize). Note also that a UDP client sends at a fixed offered rate, which defaults to only 1 Mbit/s; use -b (for example -b 10M) to set the rate to what the application would actually generate, otherwise the loss and jitter figures say little about the link. If you use -i for intervals, as before, you will see the intervals printed to the screen.</p>
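<p>To put the server start, the scoped firewall rule and the client tests above into one repeatable run, here is an added example (my own script, not code from the original article or from the iperf project). It drives iperf 2 in its CSV report style (-y C) so the summary lines can be checked against a throughput floor and a UDP loss ceiling instead of being read off the screen. The CSV field order, the -1 transfer id on the -P aggregate line, the constructed sample reports and the thresholds used are assumptions of the example, not figures from the article.</p>

```shell
#!/bin/sh
# Added example for this post, not part of the original article or of iperf
# itself. Runs the post's test matrix against an iperf 2 server in CSV mode
# (-y C) and judges the summary lines against a throughput floor and a UDP
# loss ceiling. Assumptions: iperf 2.x on the PATH; the -y C field order is
#   ts,local_ip,local_port,remote_ip,remote_port,id,interval,bytes,bits_per_sec
# with UDP server reports appending
#   ,jitter_ms,lost,total,pct_lost,out_of_order
# and the -P aggregate line carrying transfer id -1. Floor and ceiling values
# are local policy, not iperf defaults.

# start_server ADDRESS NETWORK : scoped firewall rules plus a daemonised
# server bound to the interface under test (remove all three when done).
# For the UDP tests start a second server the same way with -u added.
start_server() {
    iptables -I INPUT -p tcp --dport 5001 -s "$2" -j ACCEPT
    iptables -I INPUT -p udp --dport 5001 -s "$2" -j ACCEPT
    iperf -s -D -B "$1"
}

# Keep the summary line (interval starting at 0.0, printed last) for one
# transfer id, skipping the per-interval lines produced by -i.
summary_line() {
    awk -F, -v id="$1" '$6 == id && $7 ~ /^0\.0-/ { last = $0 } END { print last }'
}

# bits/sec (field 9) to Mbit/s with one decimal
mbit_of() {
    awk -F, '{ printf "%.1f\n", $9 / 1000000 }'
}

# check_tcp CSV ID FLOOR_MBIT : OK/LOW line on stdout, exit status 0/1
check_tcp() {
    csv=$1; id=$2; floor=$3
    mbit=$(printf '%s\n' "$csv" | summary_line "$id" | mbit_of)
    if awk -v m="$mbit" -v f="$floor" 'BEGIN { exit !(m + 0 >= f + 0) }'; then
        printf 'OK  id %s: %s Mbit/s (floor %s)\n' "$id" "$mbit" "$floor"
    else
        printf 'LOW id %s: %s Mbit/s (floor %s)\n' "$id" "$mbit" "$floor"
        return 1
    fi
}

# check_udp CSV ID MAX_LOSS_PCT : reads the server report (the line that
# carries the jitter/loss fields) and fails if loss exceeds the ceiling
check_udp() {
    printf '%s\n' "$1" | awk -F, -v id="$2" -v c="$3" '
        NF >= 13 && $6 == id && $7 ~ /^0\.0-/ {
            bps = $9; jitter = $10; lost = $11; total = $12; pct = $13; seen = 1
        }
        END {
            if (!seen) { print "no UDP server report for id " id; exit 1 }
            ok = (pct + 0 <= c + 0)
            printf "%s id %s: %.1f Mbit/s, jitter %s ms, lost %s/%s (%s%%)\n",
                   (ok ? "OK  " : "LOSS"), id, bps / 1000000, jitter, lost, total, pct
            exit !ok
        }'
}

# run_matrix HOST : the tests the post walks through, one CSV line per report.
# Needs a live server on HOST; only run by hand via the case at the bottom.
run_matrix() {
    host=$1
    iperf -c "$host" -y C -t 10 -i 3        # plain TCP, client -> server
    iperf -c "$host" -y C -t 10 -d          # dual test: both directions at once
    iperf -c "$host" -y C -t 10 -r          # trade-off: one direction, then the other
    iperf -c "$host" -y C -t 10 -P 4        # four parallel streams; sum line has id -1
    iperf -c "$host" -y C -t 10 -u -b 50M   # UDP at 50 Mbit/s offered; default is only 1 Mbit/s
}

# Constructed sample reports (not captured from a real run): a 10 s TCP test
# with -i 3 at 94.4 Mbit/s, then a UDP client line followed by the server
# report showing 21 of 8504 datagrams lost.
SAMPLE_TCP='20110401120000,192.168.1.10,50000,192.168.1.5,5001,3,0.0-3.0,35389440,94371840
20110401120003,192.168.1.10,50000,192.168.1.5,5001,3,3.0-6.0,35389440,94371840
20110401120006,192.168.1.10,50000,192.168.1.5,5001,3,6.0-9.0,35389440,94371840
20110401120010,192.168.1.10,50000,192.168.1.5,5001,3,0.0-10.0,117964800,94371840'
SAMPLE_UDP='20110401120020,192.168.1.10,40000,192.168.1.5,5001,3,0.0-10.0,12500880,10000704
20110401120020,192.168.1.10,40000,192.168.1.5,5001,3,0.0-10.0,12470010,9976008,0.215,21,8504,0.247,0'

# "demo" evaluates the sample above; "matrix <host>" runs the real tests.
case "${1:-}" in
    demo)   check_tcp "$SAMPLE_TCP" 3 90; check_udp "$SAMPLE_UDP" 3 1 ;;
    matrix) run_matrix "$2" ;;
esac
```

<p>The checks deliberately key off the transfer id: with -d or -r the two directions report under different ids, so each direction gets its own floor, and with -P the per-stream lines are ignored in favour of the id -1 aggregate. A UDP line that carries no jitter/loss fields is the client&#8217;s own send report and is skipped; only the server&#8217;s report says what actually arrived.</p>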
<p>And of course, last but not least: wireless testing. Remember the days when wireless was the de-facto &#8216;must have&#8217; for businesses? Everyone should go wireless: laptop users, power users, training environments. Why? Because it&#8217;s new and fancy technology without wires. Although I never could understand why a company would choose to put wireless desktops in place for power users; but to each their own. With multiple wireless clients connecting through a single wireless router/access point to a specific server comes the possibility of a bottleneck. This is where iperf really shines: with draft-N wireless rated at 600Mbps, wireless just might replace the 100Mbps wired ethernet connection. But before you go putting power users (such as people who rely heavily on databases accessed through the intranet) onto a wireless connection, you should first do some bandwidth testing.</p>
<div id="attachment_197" class="wp-caption aligncenter" style="width: 492px"><a rel="attachment wp-att-197" href="http://jaysonbroughton.com/2011/04/iperf-measuring-network-performance-in-an-enterprise-environment/iperf-wireless/"><img class="size-full wp-image-197" title="Iperf Wireless" src="http://jaysonbroughton.com/wp-content/uploads/2011/04/iperf-wireless.jpg" alt="" width="482" height="151" /></a><p class="wp-caption-text">Client Against Server - Wireless - 3 Second updates</p></div>
<p style="text-align: center;">&nbsp;</p>
<p>&nbsp;</p>
<p>Now, to set up a proper wireless environment for testing, it&#8217;s all about the placement of the server. If you are setting up an environment where wireless clients will be accessing a specific server or service on the intranet, your iperf server should be located as close as possible to the server in question. If you are just testing the bandwidth utilization of multiple wireless clients simultaneously (or in parallel) accessing the internet (or intranet resources), then your iperf server should be on the wired network closest to the access point. If you just want to test wireless client-to-client communication, you can place the iperf server on one wireless client and access it from another wireless client running in client mode. The best way to test wireless throughput is to run a client on the machines that access the intranet service and run trade-off tests to the iperf server, simulating the traffic of multiple wireless clients accessing the intranet resource. And don&#8217;t forget, if you plan on using your wireless clients for VoIP, video conferencing, or any other application that relies heavily on UDP, to test your bandwidth with the UDP option.</p>
<div id="attachment_198" class="wp-caption aligncenter" style="width: 431px"><a rel="attachment wp-att-198" href="http://jaysonbroughton.com/2011/04/iperf-measuring-network-performance-in-an-enterprise-environment/iperf-wireless-tradeoff/"><img class="size-full wp-image-198 " title="iperf-wireless-tradeoff" src="http://jaysonbroughton.com/wp-content/uploads/2011/04/iperf-wireless-tradeoff.jpg" alt="" width="421" height="167" /></a><p class="wp-caption-text">Client against Server - Wireless tradeoff</p></div>
<p style="text-align: center;">&nbsp;</p>
<div id="attachment_220" class="wp-caption aligncenter" style="width: 494px"><a rel="attachment wp-att-220" href="http://jaysonbroughton.com/2011/04/iperf-measuring-network-performance-in-an-enterprise-environment/iperf-wireless-dual-test-4/"><img class="size-full wp-image-220" title="iperf-wireless-dual-test" src="http://jaysonbroughton.com/wp-content/uploads/2011/04/iperf-wireless-dual-test3.jpg" alt="" width="484" height="189" /></a><p class="wp-caption-text">Client against server - Wireless Dual</p></div>
<p><strong>Conclusion</strong></p>
<p>So, as you can see, iperf can be a very valuable tool in the network administrator&#8217;s bag of tricks. I have barely scratched the surface of what iperf can do. There are other options available to the network administrator once you have measured the TCP and UDP bandwidth of the individual clients, including tuning the TCP connection on the individual client operating system, running multicast clients, and testing against IPv6 networks. In this article I didn&#8217;t get into TCP buffer size tuning in Linux, because the 2.6.x kernel enables both sender-side and receiver-side autotuning (2.4.x kernels have only sender-side autotuning). With other operating systems there may be some fine-tuning of the TCP buffer sizes that you can read more about if you are so inclined to take a leap on the wild side. The URLs at the end of this article will guide you through other operating system changes for TCP window sizes. And as always, there is plenty of documentation that comes with the iperf source code (about 13 pages of the iperf Users Doc) that explains even further in depth the topics that were not covered in this article.</p>
<p>&nbsp;</p>
<p><strong>URL&#8217;s:</strong><br />
<a href="http://sourceforge.net/projects/iperf/" target="_blank">http://sourceforge.net/projects/iperf/</a> &#8211; Download Iperf<br />
<a href="http://fasterdata.es.net/TCP-tuning/background.html" target="_blank">http://fasterdata.es.net/TCP-tuning/background.html</a> &#8211; TCP Tuning Guide for different operating systems</p>
]]></content:encoded>
			<wfw:commentRss>http://jaysonbroughton.com/2011/04/iperf-measuring-network-performance-in-an-enterprise-environment/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Securely Wiping Hard Drives</title>
		<link>http://jaysonbroughton.com/2011/04/securely-wiping-hard-drives/</link>
		<comments>http://jaysonbroughton.com/2011/04/securely-wiping-hard-drives/#comments</comments>
		<pubDate>Mon, 11 Apr 2011 18:32:55 +0000</pubDate>
		<dc:creator>Jayson Broughton</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://jaysonbroughton.com/?p=162</guid>
		<description><![CDATA[“Canadian hospital loses hard drive containing 3,600 patient photos”, “Hard drives sold with government data, Sensitive data including child abuse records on drives readied for secondhand market.&#8221;.    Two news reports only days apart that send shivers down my spine.  And no, they are not from last year, but last week.  I could dig through years [...]]]></description>
			<content:encoded><![CDATA[<p>“Canadian hospital loses hard drive containing 3,600 patient photos”, “Hard drives sold with government data, Sensitive data including child abuse records on drives readied for secondhand market.&#8221;. Two news reports only days apart that send shivers down my spine. And no, they are not from last year, but last week. I could dig through years of compiled data from Google News, and I’m sure plenty of you have heard horror stories in IT circles, in news reports, and maybe even from your own experiences buying used hard drives online. If you’re going to sell a drive, wipe the drive before you sell the drive. It’s as simple as that. Even if I give out a thumb drive to a buddy that I no longer need, I wipe it. Why? Am I really that paranoid? Well, maybe..maybe not. But I do store information on my drives that I really don’t want other people snooping on. I could just delete the file, and they could just try one of the undelete utilities out there to recover recently deleted files. Or I could wipe the drive with some Linux utilities in a matter of minutes and ease my paranoia.</p>
<p>This blog post came about recently when an employee was kind enough  to ask me to wipe their hard drive before they re-loaded the operating  system and gave the machine to a friend of theirs.  Granted, this was a  non-technical employee, but smart enough to know that maybe handing over  his personal home PC with all his files on it, was probably not the  brightest idea in the world.</p>
<p>While wiping the drive with a hardware solution seemed to have failed, I decided to go with what I was more familiar with&#8230;you guessed it, the Linux solution. Granted, I’m not going to get into the dull ‘drool all over your keyboard with vacant stares’ speech about how a drive works, superblocks, 1’s, 0’s, and all other ways of ruining the fun of this post. I’m simply going to outline 2 ways that I have used (and highly recommend) to securely wipe any drive that I part ways with. Keep in mind though, not only do I recommend doing this before you sell or give away a drive, but even before you chuck it into the trash bin. Nothing screams ‘ooh, free hardware, wonder if I can sell it’ to someone hauling away your trash like bright shiny metal objects in a computer department’s junk bin. Granted, if for whatever reason I cannot erase the drive, I tend to have a set of tools laying around for the purpose of removing the hard drive platter and making good use of those magnets (fridge magnets anyone?).</p>
<p>So, enough paranoid disk rambling, let’s get on with the meat and potatoes!</p>
<p>&nbsp;</p>
<p><strong>Darik’s Boot and Nuke</strong></p>
<p>I’ll admit, I had been using GNU’s shred utility for so long that I had been blind to other utilities that were out there, even utilities *gasp* that just might be even more user friendly (read: menus) than shred. This is where Darik’s Boot and Nuke (DBAN) comes into play. DBAN has been in stable release state for about 4 years now, and from recent SourceForge stats, has been recently updated as well.</p>
<p>So before I get too involved, here’s some links for DBAN:<br />
DBAN’s Website: <a href="http://www.dban.org/">http://www.dban.org/</a><br />
DBAN’s Sourceforge page: <a href="http://sourceforge.net/projects/dban/">http://sourceforge.net/projects/dban/</a></p>
<p>Download  the latest version of DBAN, burn it to a CD and lets get started shall  we?  But wait! There’s More!  *Necessary Disclaimer* This goes without  saying, Darik’s Boot and Nuke is going to..yes, you guessed it, boot and  nuke your drive.  If you have more than 1 drive in the machine, and  accidentally click the wrong button, or don’t do an interactive wipe,  you just wiped everything.  What I tend to do is have an old machine  laying around with IDE/SATA ports (more on this at the end of this blog  post), plug a drive in, fire up a live CD and wipe the drive.  This way I  know that I’m not going to lose data from a production machine by  accidentally wiping data from the wrong drive.  So, now that we have  gotten through the nitty gritty disclaimer, lets have some fun.</p>
<p>Once Darik’s Boot and Nuke boots up, you will be presented with a lovely blue screen and some options. You can press F2 to learn more about DBAN, F3 for some quick commands, F4 for a disclaimer, ENTER to start DBAN in interactive mode, and type ‘autonuke’ to just nuke everything automatically. Personally (and especially if this is your first time using DBAN) I would choose the interactive mode first. Now depending upon your RAM, the speed of your CD drive, and the alignment of the sun and moon, this might take a minute or two to load up.</p>
<p>And there we have it, the beauty that is Darik’s Boot and Nuke. So, let’s get started. The first thing to do is select the drive that you want to wipe. If you have multiple drives, use the arrow keys to move your cursor up and down, and Space to select the drive. When selected, ‘wipe’ will be displayed.</p>
<p>Once you have selected the drive, let’s select a method to wipe the drive. Type ‘M’ to bring up a list of methods. Currently DBAN has a list of 6 wipe methods, each with various security levels, passes, algorithms, etc. It’s really up to you and/or the company you work for how many passes meet your requirements. I tend to do 6 passes regardless of which method I use; is that too much? Maybe, but I like a nice even number and 6 sounded good at the time. Now that I have discovered this product, I have started to use the ‘DoD 5220.22-M’ method. Here’s a little history for you though. They call it DoD 5220.22-M, and that is actually (or was) a standard for wiping hard drives until 2007. But after 2007 the DoD realized that data might still be recoverable even after x many wipes, and the overwrite standard is no longer authorised for secure deletion of DoD drives; only degaussing is authorised, last I heard. BUT if you want to be truly paranoid about your files, you can use the Gutmann wipe: 35 passes designed to defeat recovery of overwritten data with magnetic force microscopy. Note that Gutmann’s own epilogue to the paper linked below says the full 35-pass sequence targets older MFM/RLL drive encodings, and that on modern drives a few passes of random data are as good as you can do; the extra passes cost time, not security.</p>
<p><em>*  Note: If you are interested in the Gutmann Wipe, Peter Gutmann wrote a  very good technical article on it titled “Secure Deletion of Data from  Magnetic and Solid-State Memory” located here: <a href="http://www.cs.auckland.ac.nz/%7Epgut001/pubs/secure_del.html">http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html</a></em></p>
<p>So, for this little experiment, I’ll be going with the DoD 5220.22-M standard. Navigate to DoD 5220.22-M and hit ENTER. This should take you back to your main screen; at the top left-hand corner of your screen you should see the Method change to ‘DoD 5220.22-M’. You can also change the pseudo random number generator by selecting P, verification with V, and how many rounds you want with R. I tend to leave these as default.</p>
<p>Once  you are satisfied with your Drive selection, method, random generator,  verification and rounds, hit the F10 key to get started.  Now depending  upon the size of your Disk drive, the number of Passes, your method and  just about every other factor out there, this could take as short as a  few minutes, or as long as several hours.  The one good thing about DBAN  though is that it will constantly update you with statistics in the  upper right-hand portion of your screen.</p>
<p>Once DBAN has completed, it will bring you back to a main screen and ask you to shut down your machine.</p>
<p>&nbsp;</p>
<p><strong>GNU Shred</strong></p>
<p>Ah, my personal favorite: GNU shred. Shred’s been around for a while now and I’ve used it for just about as long as it’s been around. Shred is part of the GNU coreutils package and is ‘usually’ installed with the GNU utilities. If you are doing this on your own machine, check your package manager for either a ‘shred’ or a ‘coreutils’ package. More information on GNU shred can be found here:</p>
<p><a href="http://www.gnu.org/software/coreutils/manual/html_node/shred-invocation.html">http://www.gnu.org/software/coreutils/manual/html_node/shred-invocation.html</a></p>
<p>While I’m at it I might as well introduce another one of my favorite sysadmin tools that I always keep within arm’s reach of my desk, SystemRescueCd. This CD has just about anything you can imagine loaded on it, including shred of course. I won’t go into too many details, as there are plenty of blog posts out there on SystemRescueCd (and at some point I’ll cover re-mastering SystemRescueCd to add packages). But I have used this little gem to pull data off of drives that Windows deemed ‘unrecoverable’, or couldn’t see at all. It’s as easy as booting the CD, mounting the partition, and moving the data off before the drive fails. But alas! This isn’t a post on the beautiful things that SystemRescueCd can do. If you’re interested though, you can find out about it from: <a href="http://www.sysresccd.org/Main_Page">http://www.sysresccd.org/Main_Page</a></p>
<p>So,  let’s say you have either booted up your system with SystemRescueCd,  another liveCD with Shred, or even your own system and have the drive  you want to wipe attached to your machine.  The first thing, and I will  stress this again (as pointed out earlier).  Make sure you have the  right drive!  Oi, I only say this, because I’ve wiped the wrong drive  before, yes..late night runs and not paying attention can cause  unrecoverable damage.</p>
<p>First things first, always read the man pages.</p>
<p><em>man shred</em></p>
<p>Oh,  now that was easy.  Shred doesn’t have many switches to it, and usually  I tend to only stick to a handful of switches when I shred a disk which  I will cover here shortly.</p>
<p>Now that you have become intimately familiar with shred, it’s time to make sure you have the right disk in your sights.</p>
<pre>cat /proc/partitions
</pre>
<p>This will list your current partitions. From here you should see the disk that you want to wipe; if you’re still unsure, run fdisk /dev/nameofdisk and type p to print the partition table to double check, just in case. Measure twice, cut once.</p>
<p>Once you are 100% sure that you have the right disk, let’s move on to shredding</p>
<p>Shred  doesn’t really have that many switches to it, but that’s the simplicity  of it.  I’ll briefly show you what works for me when I shred, but feel  free to tailor it to your own personal use.</p>
<pre>shred -fvz -n 6 /dev/sda
</pre>
<p>Yup, that simple.  What’s it do?  Well I’ll break it down for you.</p>
<p>-f = Change permissions to allow writing if necessary<br />
-v = Verbose. Without the -v it’s difficult to see if shred is actually doing anything or not; with -v set, you can see what % shred is at and how much is remaining<br />
-z = Add a final overwrite with zeros to hide shredding. Does that do much? Well, who’s to say; if adding a bunch of zeros hides the fact that I shredded a disk, then more power to me. It’s just a switch I’ve been used to using for a while, but for the truly paranoid, that’s the switch for you.<br />
-n 6 = Overwrite 6 times instead of the default (3).<br />
/dev/sda = The path to my disk (see above). Point shred at the whole block device, as here, rather than at individual files: the shred manual warns that it relies on the filesystem overwriting data in place, which journaling, copy-on-write, compressed and RAID filesystems do not guarantee, so file-level shredding can leave the old data behind while wiping the raw device does not.</p>
<p>And there you have it, command line shred. As I stated earlier, I’ve been using shred for years without any problems. But now that I have come across DBAN, I’ve started to use it more frequently than shred.</p>
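<p>The three things the text tells you to do by hand around that shred command (identify the disk, make sure nothing on it is mounted, and know that the wipe actually happened) can be wrapped into one script. The following is an added example of my own, not code from the original post or from GNU coreutils: it guards the same shred -fvz -n 6 invocation and, because -z leaves the device all zeros, verifies the wipe by reading the target back. It assumes a Linux system with GNU coreutils, /proc/mounts and lsblk; the pass count is a local policy choice.</p>

```shell
#!/bin/sh
# Added example for this post, not from the original article or from GNU
# coreutils. Wraps the post's `shred -fvz -n 6 /dev/sda` in the checks the
# text asks for by hand: identify the disk, refuse anything that is mounted,
# and verify the final -z zero pass by reading the target back.
# Assumptions: Linux with GNU coreutils, /proc/mounts and lsblk; the pass
# count is local policy (the post uses 6).

# Print what the kernel knows about a disk so the serial on the drive label
# can be matched against the device node before anything is written.
identify_disk() {
    lsblk -o NAME,SIZE,MODEL,SERIAL,MOUNTPOINT "$1"
    fdisk -l "$1"      # partition table without entering fdisk's prompt
}

# Exit 0 if the target, or any partition under it (/dev/sda also matches
# /dev/sda1), appears as a mounted device in the mount table.
is_mounted() {
    if [ -r /proc/mounts ]; then
        awk -v d="$1" 'index($1, d) == 1 { f = 1 } END { exit !f }' /proc/mounts
    else
        mount | awk -v d="$1" 'index($1, d) == 1 { f = 1 } END { exit !f }'
    fi
}

# Exit 0 only if every byte of the target reads back as zero. This reads the
# whole target, so on a large disk it costs about as much as one more pass.
verify_zeroed() {
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# wipe_target PATH [PASSES] : the guarded wipe. Exit 2 on a refused target,
# 1 if shred fails or the zero pass does not verify, 0 on success.
wipe_target() {
    tgt=$1; passes=${2:-3}
    if [ ! -e "$tgt" ]; then
        echo "no such target: $tgt" >&2; return 2
    fi
    if is_mounted "$tgt"; then
        echo "refusing to wipe $tgt: it (or a partition on it) is mounted" >&2; return 2
    fi
    # -f force writable, -v progress on stderr, -z final all-zeros pass
    shred -fvz -n "$passes" "$tgt" || return 1
    if verify_zeroed "$tgt"; then
        echo "$tgt: $passes random pass(es) plus zero pass done; read-back is all zeros"
    else
        echo "$tgt: zero pass did NOT verify, do not release this drive" >&2
        return 1
    fi
}

# Usage: wipe.sh /dev/sdX [passes]. Compare the serial printed by
# identify_disk with the label on the drive before letting it proceed.
# Without arguments nothing is touched.
if [ -n "${1:-}" ]; then
    identify_disk "$1"
    wipe_target "$1" "${2:-6}"
fi
```

<p>The mounted-device check is the part that would have saved the late-night wrong-drive wipe the text mentions: it matches by device prefix, so a disk with any partition still mounted is refused. The read-back check is only meaningful because of -z; without the final zero pass there is nothing predictable to compare against. It proves the overwrite reached the block device, but, as the SSD section below notes, not that the data is gone from every physical block on a drive that remaps sectors.</p>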
<p>&nbsp;</p>
<p><strong>Hardware Options</strong></p>
<p>I’m not going to waste a lot of space here talking about hardware options. But I will give you some quick pointers. Newegg.com, amazon.com, and just about anywhere else you frequent to get computer parts sells SATA/IDE-to-USB adaptors. They run pretty cheap too (usually around $20-$30 the last time I bought one). If you plan on either erasing more than one disk in a 6 month period, or you see rescuing a failing drive in your future, then I HIGHLY recommend that you make such a cheap investment in one of these devices. By using one of these SATA/IDE-to-USB adaptors, you can plug your drive in, hook it into a USB port and wipe the disk. When you’re done, disconnect the drive, connect another drive, and continue with wiping disks. What I tend to do is wipe a disk, then run a quick SMART check to see the health of the disk (more on this in a future blog post). If the disk is failing or has too many failing sectors it gets tossed. If however it’s still a good drive, I’ll put it on the shelf for future use.</p>
<p>&nbsp;</p>
<p><strong>SSD &#8211; Flash Drives</strong></p>
<p>Okay okay, I&#8217;ve had some requests from people that were previewing this post prior to publishing. What about flash drives and solid state drives, can the above techniques be used to wipe these devices? The short answer is no. The long answer can be found in the two really good documents outlined below. What CAN you do to wipe them? Well, from what I&#8217;ve read, not a whole lot really. I tend to keep only non-sensitive (read: things without my SSN, banking info, military records, etc) information unencrypted on my thumbdrives. If, however, I do have sensitive information on my portable drives (such as backups of sensitive information), I will use TrueCrypt (yes, I promise..another blog post on encrypting drives) to encrypt the entire drive prior to putting anything sensitive on it. I don&#8217;t loan out these drives, nor do I casually toss these drives out when I upgrade them. When it&#8217;s time to upgrade the drives and there are encrypted partitions on them, I tend to go the caveman route and give them a few good (okay, many good) whacks with a hammer in the garage. Once they are barely recognizable from other rubbish I toss them into the kid&#8217;s dirty diaper trash bag and out with the trash they go. If someone is willing to dig through soiled diapers, piece together various pulverized pieces of electronics, then attempt to re-create the data on the drive and find some way of getting my encryption key; then yes, they win. But by gosh I&#8217;ll make their life difficult for however long it takes to piece all that together.</p>
<p>Reliably Erasing Data From Flash-Based Solid State Drives</p>
<p><a href="http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf" target="_blank">http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf</a></p>
<p>SAFE: Fast, Verifiable Sanitization for SSDs</p>
<p><a href="http://cseweb.ucsd.edu/users/swanson/papers/TR-cs2011-0963-Safe.pdf" target="_blank">http://cseweb.ucsd.edu/users/swanson/papers/TR-cs2011-0963-Safe.pdf</a></p>
<p><strong>Conclusion</strong></p>
<p>Well, we are at the conclusion of yet another blog post.  And there you have it: how to securely wipe your hard drive prior to selling, giving away, throwing away or even storing your old drives for later use.  Out of the two solutions that I’ve demonstrated, DBAN has slowly started to grow on me.  However, if I don’t have a DBAN liveCD laying around, I know GNU binutils is installed on the machine 9 times out of 10, and shred isn’t far behind.</p>
]]></content:encoded>
			<wfw:commentRss>http://jaysonbroughton.com/2011/04/securely-wiping-hard-drives/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Wake On Lan</title>
		<link>http://jaysonbroughton.com/2011/02/wake-on-lan/</link>
		<comments>http://jaysonbroughton.com/2011/02/wake-on-lan/#comments</comments>
		<pubDate>Mon, 07 Feb 2011 21:56:24 +0000</pubDate>
		<dc:creator>Jayson Broughton</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://jaysonbroughton.com/?p=133</guid>
		<description><![CDATA[Introduction Wait, a blog post on wake-on-lan(WoL)?  Really? As old as WoL is you would think that there would be some good information out there on just how and why you should implement it.  But surprisingly it’s very sparse.  So just why WoL?  Well, it appears with all of those ‘Kill-a-Watt’ meters out there, people [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Introduction</strong></p>
<p>Wait, a blog post on wake-on-lan (WoL)?  Really?  As old as WoL is, you would think that there would be some good information out there on just how and why you should implement it.  But surprisingly it’s very sparse.  So just why WoL?  Well, it appears with all of those ‘Kill-a-Watt’ meters out there, people are really starting to focus on their electric bills both at home and at work.  What better way to clear up those large electric bills than to shut off your machine when you&#8217;re not using it, and wake it up remotely when you need to access it?  In a future blog post I’ll be talking about ACPI levels in linux and power savings by hibernation.  But for now, I’ll be focusing on WoL, how to set it up and all that fun and exciting stuff.</p>
<p>There are a few reasons why a person at home or an IT Administrator might utilize WoL.  Not only can you save on your electric bill (and in my case AC bill during the summer months), but you can also wake the computer up remotely when you need to get access to files/software, then hibernate it when you have completed your task.</p>
<p>As long as WoL has been around (mid 90’s I believe), companies are just now starting to realize the power savings of putting desktops to sleep.  There is actually open-source software being developed to wake up a machine automatically, retrieve data and shut the machine off when the connection has been severed.  You would think after over 10 years someone would have thought ‘oh! what a great idea!’  But I digress, at least there is on-going development.</p>
<p><strong>Capabilities</strong><br />
I’m not going to go into great detail of how WoL works, nor am I going to tell you it’s just magical.  I’ll settle for the in-between technical jargon.<br />
Oh but wait! It is magical! And by magical, I don&#8217;t mean fairies flying to your computer and spreading pixie dust all over (that stuff gets EVERYWHERE!).  WoL utilizes OSI layer 2 to receive a &#8216;magic packet&#8217; destined for the computer.  The Magic Packet in question is a broadcast packet containing the receiving device&#8217;s MAC address repeated 16 times, usually sent to UDP port 7 or 9.  The UDP port in question can actually be any UDP port, but it is usually standardized to 7 (echo) and/or 9 (discard).</p>
<p>Because WoL is broadcast to a device&#8217;s MAC address, the device itself is platform independent.  There is no need to have windows/linux/monkeyux installed on the device.  As a matter of fact, various custom OS devices will wake up to WoL packets (including some firewalls and routers) if the system board is set up to accept WoL packets.  And that&#8217;s about as technical as I will be getting when it comes to OSI and packets.</p>
<p>Now comes the fun part, hardware.  As I stated earlier, WoL is OS independent, which means it resides on the hardware of the device itself (whether you&#8217;re using an onboard network card or a PCI network card).  Back when I first started experimenting with WoL (late 90s) there was a cable that connected from your PCI Ethernet card to your motherboard.  If memory serves me correctly it was a red, green and black cable.  Nowadays either your Ethernet is built into the motherboard, or newer versions of PCI/BIOS have taken care of the need for a WoL cable.  But keep this in mind if you are trying to utilize WoL on an old NIC.</p>
<p>Security is another concern for devices that are set to WoL.  Because of this, WoL is inherently set to broadcast over a local subnet to find the MAC address.  There are exceptions though: you can enable UDP port 7/9 on a firewall and use a WoL client to send a broadcast to an IP address.  But here comes the &#8216;why would you?&#8217;.  First off, someone can accidentally (or purposefully) send WoL to an IP range, waking up devices that you might have on the inside of the network.  If said device has a port being forwarded through the firewall, that gives the person access to the application that was previously sleeping.  And secondly, if (like me) your computers are located in close proximity to your bedroom, do you really want to be woken up at 3am by the sound of jet turbines as a server powers up because someone accidentally sent a broadcast WoL packet to the wrong IP address?  From experience, I know that will only happen once before your other half threatens to stick that loud fan in a nice quiet place before retiring back to bed.</p>
<p>But there is some relief for you truly paranoid types.  Some network cards (re: Intel off the top of my head) have the ability to store an encrypted password on the NIC.  This requires the WoL client to send not only the 14 magic packets, but the password as well to start the machine.  I say some, because I have seen the option in WoL clients, but have yet to see a network card that supports encrypted passwords.</p>
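<p>Added example (my own code, not the blog&#8217;s and not part of etherwake or wakeonlan): the magic packet layout described above built in Python, plus a parser that checks whether a captured UDP payload (say, one tcpdump shows arriving on port 9) really is a wake-up, and whether its target is a MAC you manage.  It assumes the standard layout of 6 bytes of 0xFF followed by the MAC repeated 16 times, with an optional 4- or 6-byte SecureOn password; the sample payloads and MAC addresses are constructed.</p>

```python
"""Wake-on-LAN magic packet helpers (added example, not from the original post).

Assumed layout (the standard one): 6 bytes of 0xFF, then the target MAC
repeated 16 times (102 bytes total), optionally followed by a 4- or 6-byte
SecureOn password. All sample payloads below are constructed for the demo.
"""
import re
import socket

SYNC_STREAM = b"\xff" * 6          # every magic packet starts with this
MAC_REPEATS = 16                   # the MAC is repeated this many times
MAGIC_LEN = 6 + 6 * MAC_REPEATS    # 102 bytes before any password


def parse_mac(text):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError("bad MAC address: %r" % text)
    return bytes.fromhex(digits)


def format_mac(raw):
    """Render 6 raw bytes as lower-case colon-separated hex."""
    return ":".join("%02x" % b for b in raw)


def build_magic_packet(mac, password=b""):
    """Return the UDP payload that wakes `mac`; password is the SecureOn suffix."""
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return SYNC_STREAM + parse_mac(mac) * MAC_REPEATS + password


def parse_magic_packet(payload):
    """Return (target MAC, password) for a well-formed magic packet, else None.

    A NIC only wakes when the 6-byte sync stream is followed by its own MAC
    exactly 16 times, so a single corrupted byte is rejected here as well.
    """
    if len(payload) < MAGIC_LEN or not payload.startswith(SYNC_STREAM):
        return None
    mac = payload[6:12]
    if payload[6:MAGIC_LEN] != mac * MAC_REPEATS:
        return None
    password = payload[MAGIC_LEN:]
    if len(password) not in (0, 4, 6):
        return None
    return format_mac(mac), password


def audit_payloads(payloads, known_macs):
    """Classify captured UDP payloads (e.g. what tcpdump saw on port 9).

    Returns one (index, verdict, mac) tuple per payload so you can see which
    packets are real wake-ups and whether the target is a machine you manage
    (the 'someone sent WoL to the wrong range' case from the post).
    """
    known = {format_mac(parse_mac(m)) for m in known_macs}
    results = []
    for i, payload in enumerate(payloads):
        parsed = parse_magic_packet(payload)
        if parsed is None:
            results.append((i, "not-magic", None))
        elif parsed[0] in known:
            results.append((i, "known-target", parsed[0]))
        else:
            results.append((i, "unknown-target", parsed[0]))
    return results


def send_magic_packet(mac, broadcast="255.255.255.255", port=9, password=b""):
    """Broadcast the packet on the local subnet, like wakeonlan/etherwake do."""
    packet = build_magic_packet(mac, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(packet, (broadcast, port))
    return len(packet)


if __name__ == "__main__":
    # Constructed sample capture: a good packet, a packet with one flipped
    # byte, a plain UDP echo payload, and a wake-up for a MAC we do not own.
    good = build_magic_packet("00:11:22:33:44:55")
    damaged = bytearray(good)
    damaged[50] ^= 0x01
    samples = [good, bytes(damaged), b"hello",
               build_magic_packet("aa-bb-cc-dd-ee-ff")]
    for entry in audit_payloads(samples, ["00:11:22:33:44:55"]):
        print(entry)
```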
<p><strong>Software</strong><br />
There are some decent WoL clients out there.  I will be going over one for each operating system.  I won’t be going over too much of the details here, as the software is self explanatory.  For windows, I use the Java WoL utility from sourceforge (it’s java, thus it will work as a GUI for both linux and windows).  You can download ‘Gui Java WakeOnLan’ here: <a href="http://sourceforge.net/projects/guijavawol/">http://sourceforge.net/projects/guijavawol/</a><br />
Once you have downloaded and extracted the WoL gui, double-click on GuiWakeOnLan.jar.  This will open up a nice fancy graphical interface, allowing you to add the various WoL clients you have on the network.  On the right-hand side of the interface, click ‘Add’.  From there you can add the IP address of the client, MAC address, a label (ex: HomeComputer), and what UDP port to send the Magic Packet on.  Once the client has been added, it’s as simple as highlighting the label of the machine you want to wake up, and clicking ‘Awake’.  Tada!  Now your remote machine should be waking up.  This is a nice, simple graphical interface for waking up remote machines.<br />
If you want to run GuiWakeOnLan.jar from the commandline:</p>
<p>1. Open up a command terminal (start-&gt;run-&gt;cmd)</p>
<p>2. Navigate to the location you extracted the files to</p>
<p>3. Execute: java -jar GuiWakeOnLan.jar</p>
<p>Now for linux, there’s a commandline utility that will send your WoL magic packet.  As I use Debian for testing purposes, your mileage may vary when it comes to installing packages.</p>
<p>From debian execute:</p>
<pre>apt-get install etherwake</pre>
<p>The same application should be available in Red Hat&#8217;s repository:</p>
<pre>yum install etherwake</pre>
<p>The etherwake package contains two applications: a binary executable called ‘etherwake’, and a perl script called ‘wakeonlan’.  Now there are some subtle differences between the two.  Etherwake allows you to use a password (-p switch) to send a password along with the Magic Packets to a NIC that supports password-based WoL, and it allows you to specify another ethernet device to send the packets out of.<br />
Wakeonlan doesn’t have a switch to send a password, but it does have some other useful switches up its sleeve that etherwake doesn’t have.  Wakeonlan allows you to specify a file with a list of MAC addresses to wake up, a different UDP port, and multiple MAC addresses on the same line.<br />
To use etherwake:</p>
<pre>etherwake macaddress</pre>
<p>Etherwake has some useful switches.  Below is a short description of what you can do with etherwake switches:</p>
<pre>-b   Send the wakeup packet to the broadcast address (eg: 255.255.255.0)
-D   Increase debug level
-i   Use interface name instead of eth0.  Useful if you have 2
     ethernet addresses that point to different internal/external
     subnets.
-p   This is what I explained earlier, the use of a password.
     If a NIC allows for a password entry, you would specify
     it after the -p switch</pre>
<p>To use wakeonlan:</p>
<pre>wakeonlan macaddress</pre>
<p>Useful switches for wakeonlan:</p>
<pre>-i  broadcast ip address (eg: 192.168.2.255)
-p destination UDP port (default is 9)
-f file containing MAC addresses and source broadcast address</pre>
<p><strong>Enabling WoL</strong><br />
Now before I get too much into enabling WoL, I’ll briefly talk about ACPI levels and just what you can and cannot do when waking up a ‘sleeping’ device.  There are 2 levels that allow for WoL from a ‘sleeping’ state.<br />
ACPI S3 &#8211; commonly referred to in many operating systems as ‘sleep’ or ‘standby’.  When a computer is placed in S3, data is written and saved to RAM.  ‘Waking up’ a computer in S3 results in an average of 10-20 seconds before everything is returned to normal.  Removing power from a machine in S3 will result in all data being lost, and the computer will boot as if it was never put to sleep.<br />
ACPI S4 &#8211; commonly referred to in many operating systems as ‘hibernation’.  When a computer is placed into S4, all information that would have been kept in RAM had the machine been put to sleep is instead written to non-volatile storage, such as a hard disk file or partition.  The computer essentially saves everything to disk and ‘turns off’ in every sense of the word.  A small amount of power remains on the motherboard (thanks to the power supply), enough to keep the NIC alive so that it can wake the machine from a WoL packet.<br />
The main difference between S3 and S4 is that while a computer is in S3, information is saved to RAM, which allows the machine to ‘wake up’ quicker than in S4.  While a computer is in S4, information is saved to the hard disk.  When a machine is ‘woken up’ from S4, the information saved to the hard disk is read back into RAM in order to wake the machine up, so it may take longer for the machine to wake up in S4 vs S3.  Because information is stored on the hard drive in S4, there is a bigger saving in power vs an S3 state, where power still runs to critical components to keep information stored in RAM.  In a later blog post I will be talking about ACPI power levels and energy savings between the various power levels.  But for now, that’s your quick and dirty introduction to S3/S4.</p>
<p><strong>Enabling WoL </strong></p>
<p>In order for WoL to be of any use, it must be enabled on your machine.  WoL can be enabled in the BIOS on most motherboards that are manufactured today (if you have a built-in network card).  However, both linux and windows can also set up Wake-On-Lan through their respective operating systems as a way to &#8216;double check&#8217; that Wake-On-Lan is enabled.</p>
<p><span style="text-decoration: underline;"><em>Enabling WoL in Windows</em></span></p>
<p>I&#8217;ll use the example of Windows 7 to enable WoL once it&#8217;s been properly set in BIOS.</p>
<p>1. Start by going to control panel, clicking on &#8216;network and sharing center&#8217; and select &#8216;Change Adaptor Settings&#8217; on the left-hand side.</p>
<p>2. Right-Click on your network device and go to properties</p>
<p>3. Under the device list, there should be a &#8216;configure&#8217; button; click this and go to the &#8216;Power Management&#8217; tab</p>
<p>4. Make sure the settings for &#8216;allow this device to wake up the computer&#8217; and &#8216;Only allow a magic packet to wake up this computer&#8217; are checked, and click OK</p>
<p><span style="text-decoration: underline;"><em>Enabling WoL in linux with Ethtool</em></span></p>
<p>The beauty of Ethtool is that not only can you see what your network adapter&#8217;s speed is set to, but you can also see and set the status of WoL from the command line.  As root from the commandline, run:</p>
<pre>ifconfig</pre>
<p>This will show your available ethernet adaptors, and allow you to write down the MAC address of your device while you&#8217;re at it.</p>
<pre>ethtool ethX (where x is your ethernet adaptor #)</pre>
<p>This will show your current settings on your ethernet device; look for the letter after Wake-On:.  If the letter is <em>d</em> then WoL is disabled, if the letter is <em>g</em> then WoL is enabled.  If WoL is disabled then execute the following command to enable WoL on your device:</p>
<pre>ethtool -s ethX wol g</pre>
<p>Run <em>ethtool ethX</em> again to double check that the settings took effect.  If it shows &#8216;Wake-On: g&#8217; then we are ready to rock and roll.</p>
<p><strong>Gathering MAC Addresses</strong></p>
<p>This will be a quick and easy one.  You need the MAC address of your ethernet controller in order to &#8216;wake&#8217; it up.  From windows command line run: <em>ipconfig</em> and look for &#8216;MAC Address&#8217;.  From linux run <em>ifconfig ethX </em>to get the MAC address of your ethernet controller that you want to use for WoL.</p>
<p><strong>Testing</strong></p>
<p>Aaah, now here comes the fun part.  We are going to put everything I have gone over to the test.  Before we actually wake up a desktop, I&#8217;ll briefly go over how to put a desktop to &#8216;sleep&#8217;.</p>
<p><span style="text-decoration: underline;"><em>Putting a Windows Desktop to Sleep</em></span></p>
<p>There are 3 ways to put a windows desktop to sleep: a remote desktop session, from another windows machine with admin rights to your remote machine, or from the actual machine itself.  Two of these are pretty self-explanatory: from either a remote desktop session or the machine itself, go to Start -&gt; Shutdown -&gt; Sleep.  If, however, you want to put a windows machine to sleep remotely (let&#8217;s say from a script that you have set up to wake the machine up for windows updates, then put it back to sleep after the updates have completed), you need an application that should be in every Administrator&#8217;s bag of tricks, Microsoft&#8217;s PsTools.  You can download PsTools from here: <a href="http://download.sysinternals.com/Files/PsTools.zip">http://download.sysinternals.com/Files/PsTools.zip</a>.  Keep in mind though, this is a windows utility to shut down a windows machine, so you probably won&#8217;t be running this on your linux box.  PsTools comes with the PsShutdown utility, which will allow you to remotely hibernate a windows machine.  More information on the PsShutdown utility, including its various switches, can be found here: <a href="http://technet.microsoft.com/en-us/sysinternals/bb897541.aspx">http://technet.microsoft.com/en-us/sysinternals/bb897541.aspx</a>.  So, to put a Windows machine to sleep from a remote commandline, you would execute the following:</p>
<pre>psshutdown <em>computername</em> -u <em>username</em> -p <em>password </em>-h</pre>
<p>So if I had a computer named happy, the administrator username was sleepy and the password was sneezy, then the command would look like this: <em>psshutdown happy -u sleepy -p sneezy -h</em>.</p>
<p><span style="text-decoration: underline;"><em>Putting a Linux Desktop to sleep</em></span></p>
<p>Well, as with everything else, it&#8217;s easier in linux ;-) .  Linux comes with ACPI &amp; power management utilities that allow you to shut your machine off from the commandline.  You can either put your desktop to sleep by using your desktop GUI and clicking on sleep, or you can execute one of the 3 commands below from the CLI to put your machine to sleep:</p>
<pre>/usr/sbin/pm-hibernate

/usr/sbin/pm-suspend

/usr/sbin/pm-suspend-hybrid</pre>
<p>As previously discussed, these will either hibernate, suspend or hybrid-suspend your machine.  A hybrid suspend is something relatively new that both windows 7 and linux support.  A hybrid suspend mimics a hibernate state, but suspends instead.  This means that you get all of the power saving goodies of hibernate, but the machine wakes up quicker by suspending.</p>
<p>Now that you know the commandline utility, you can easily wrap this in a script, or execute the command securely from a remote machine via ssh.  For this blog post, I won&#8217;t be going into host-trust authentication between SSH clients (but I promise, this will be a post).  You can set up a central machine that allows host-based authentication to other machines on your network, not requiring a password.  From there you can have the central machine execute sleep commands (or anything else) from a script without having to provide a password.  But, if you want to put a linux machine to sleep remotely, then you can execute the following command (replace username and hostname with your own):</p>
<pre>ssh -l username hostname /usr/sbin/pm-suspend &amp;</pre>
<p>Tada! Remote sleeping Windows and Linux computers.  Now that they are sleeping, it&#8217;s time to wake them up.  Previously in this post I discussed the various clients, from java to commandline, that you can use to wake up the machine.  Now&#8217;s your time to try these out.  From the GUI interface that I previously discussed, enter the MAC address of the device you want to wake up and click &#8216;wake up&#8217;.  If you&#8217;re using the command line utilities, it would be either <em>etherwake MACAddress</em> or <em>wakeonlan MACAddress</em>.  If you&#8217;re following along, the machine that you previously put to sleep should now be &#8216;waking up&#8217;.  If however it failed to wake up, check the following:</p>
<p>1. Does your Ethernet Adaptor support WoL?</p>
<p>2. Did you enable WoL from BIOS?</p>
<p>3. For Windows: Did you enable WoL from Control Panel/Network Adaptors?</p>
<p>4. For linux: Did you check that WoL was enabled via the ethtool utility?</p>
<p>5. Are you on the same network as the device you are trying to wake up?</p>
<p>6. Do you have the correct MAC address of the remote machine?</p>
<p>If you said yes to all of the above, then you might need to whip out tcpdump (or wireshark, pick your poison) and sniff the line on the remote machine while you attempt to wake it up.  Set tcpdump to capture the UDP packets arriving at the server.  To test this, power on the machine that you want to &#8216;wake up&#8217; and run tcpdump on it:</p>
<pre>tcpdump -i ethX (ethernet device you want to use WoL on) udp port 9</pre>
<p>Then send a Magic Packet to the remote machine and see if it gets through (remember to temporarily disable your software firewall for the test).</p>
<p><strong>Conclusion</strong></p>
<p>And there you have it, WoL with remote machines across multiple operating systems.  This isn&#8217;t the end though, but merely the beginning in the quest for power savings.  From here, you can use the above commands in a script on a server (or router, if your router has the capability, <em>re: DD-WRT</em>) to remotely wake up a group of machines prior to a scheduled event (backups, system updates, etc.).  After your pre-determined job has completed, you can have another script put the desktops back to sleep.</p>
<p>Where to go from here?  Well, personally I would keep an eye on Apple&#8217;s Bonjour mDNSResponder and SleepServer (<a href="http://mesl.ucsd.edu/yuvraj/research/sleepserver.html">http://mesl.ucsd.edu/yuvraj/research/sleepserver.html</a>).  As of right now, Bonjour mDNSResponder is open-source software but seems to only be available for Macintoshes.  The other solution is SleepServer; as of right now it&#8217;s a proof-of-concept.  SleepServer seems to be more of a research project, but states that eventually the sleep server software will be released for linux, macintosh and windows machines.  What both of these projects will eventually accomplish is the ability to wake on demand.  When a remote client wants to retrieve information (such as file or print sharing) from a machine that is asleep, the software will wake the machine up, allowing the user to perform whatever task is necessary.  Once the person logs out of the machine (or the print job is complete) the software will put the machine back to sleep.  Eventually this will lead to machines that are only powered on to perform their necessary duties, saving on electricity for both the home and business.</p>
]]></content:encoded>
			<wfw:commentRss>http://jaysonbroughton.com/2011/02/wake-on-lan/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Beat Censorship with Tor</title>
		<link>http://jaysonbroughton.com/2011/01/beat-censorship-with-tor/</link>
		<comments>http://jaysonbroughton.com/2011/01/beat-censorship-with-tor/#comments</comments>
		<pubDate>Fri, 28 Jan 2011 05:56:13 +0000</pubDate>
		<dc:creator>Jayson Broughton</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://jaysonbroughton.com/?p=140</guid>
		<description><![CDATA[To my faithful blog readers, I interrupt my regular blog posting for something near and dear to my heart; Freedom of Speech &#38; Freedom of Assembly.  You may be thinking “Well, that’s the US” but your wrong.  Egypt falls under the United Nations Human Rights Council, which obeys the International Human Right’s law.  Of which [...]]]></description>
			<content:encoded><![CDATA[<p>To  my faithful blog readers, I interrupt my regular blog posting for  something near and dear to my heart; Freedom of Speech &amp; Freedom of  Assembly.  You may be thinking “Well, that’s the US” but your wrong.   Egypt falls under the United Nations Human Rights Council, which obeys  the International Human Right’s law.  Of which one of the said laws is  the Freedom of Expression (Egyptian Constitution, Article 19 of the  International Covenant on Civil and Political Rights).</p>
<p>What the heck is he talking about?  Has Jayson lost his mind?  Alas!  I have not.  If you are following the international news, then you know what’s going on with Egypt right now.  Egypt has severed internet, dsl, 3g, sms, etc. due to the planned protests in Egypt on Friday (today).  They feel that if they disable the ability for citizens to communicate then they will not be able to organize a protest.  Well, this is where this blog post on Tor comes in.  Some may argue that Egypt is down and there is no communication.  Somehow, somewhere, there are ways of circumventing what Egypt has done, and someone has found a way of communicating with the outside world.  In this case, becoming a tor relay can help those people in another country.</p>
<p>As I hope to get this post out soon, I will not be going too far in depth when it comes to the inner workings of Tor, nor the advanced features of it.  This will be reserved for another blog post that I have planned for the future.  Instead, I will walk you through how to install Tor in both Linux and Windows, how to enable Tor relaying, and the various plug-ins you can use to utilize Tor to your benefit.  Yes, Tor can easily be used to circumvent company firewalls, browse ‘questionable’ content online anonymously, and a host of other things.  But as with anything in life, just about anything that can be used for good can be used for evil.  You just need to find that balance.  In this case, Tor can help others in foreign countries where the Internet has been censored, be it certain websites, search terms, or anything else.</p>
<p>And here we go.  Time to step off of my soapbox and show you how to setup Tor.</p>
<p><strong>Using Tor in Linux</strong></p>
<p>First things first, Tor’s main website is located here: <a href="http://www.torproject.org/index.html.en">http://www.torproject.org/index.html.en</a><br />
They  have excellent documentation (of which I will be referencing here in  this blog) on how to setup Tor for Windows, Linux, Android, etc.  Truth  be told, I am actually a Tor convert after I read about it in a <a href="http://www.linuxjournal.com/">#LinuxJournal</a> magazine article, and quickly became a relay.</p>
<p><em>Installing Tor</em><br />
1. Download the source to a temporary directory<br />
<em>wget <a href="http://www.torproject.org/dist/torbrowser/linux/tor-browser-gnu-linux-i686-1.1.4-dev-en-US.tar.gz">http://www.torproject.org/dist/torbrowser/linux/tor-browser-gnu-linux-i686-1.1.4-dev-en-US.tar.gz</a></em><br />
2. Extract the files<br />
<em>tar zxvf tor-browser-gnu-linux-i686-1.1.4-dev-en-US.tar.gz</em><br />
3. If you&#8217;re using an X-Windows system (odds are you are), especially if you want to utilize tor for anonymous browsing, then this next step is quite easy.  CD to your newly extracted directory and run start-tor-browser<br />
<em>cd tor-browser_en-US<br />
./start-tor-browser</em><br />
4. There you have it, now you’re using Tor.  When you first start up the Tor GUI, a secure ‘firefox’ browser will come up verifying that you are now using Tor.  If you surf inside of this browser, you will be using the Tor network (try it out by going to www.whatismyip.com).  Once you close the browser window (or open a regular firefox browser) you will once again be using your regular internet connection.  It appears that the Tor bundle packaged these days has a secure Firefox browser.  I am sure with some digging around you can find a way of utilizing your current Firefox browser with the torbutton plugin.  But as I stated earlier, this is more of a quick and dirty introduction to Tor.</p>
<p>5. If for whatever reason your ISP blocks access to the Tor network, you can use a Tor Bridge (set up by volunteers that use the Tor network).  To set up a bridge connection navigate to: Settings -&gt; Network -&gt; My ISP Blocks Connections to the Tor Network.  If someone has given you a Tor Bridge address, add it in and click the +.  If however you have not been given a Tor Bridge address, click on ‘Find Tor Bridges’ at the bottom of the GUI.  This will give you a list (usually 3) of Tor Bridges that you will be using to navigate the internet.</p>
<p>Now  Tor is good for anonymous browsing, but it’s true potential is in  acting as a relay or bridge for citizens of countries where Censorship  has been setup by the host country.   If you want to act as a relay  (recommended) for the Tor networks, this can be done through the Vidalia  Graphical interface that was launched when you executed  ‘start-tor-browser’.</p>
<p><em>Utilizing Tor as a Relay</em></p>
<p>As  this is a ‘basics to Tor’ blog post, we will focus on setting up Tor  via the Vidalia GUI interface in Linux.  More advanced ways (including  setting up Tor as a daemon and Relay from the command line) can be found  on tor’s main website (www.torproject.org)</p>
<p>1. Enable port forwarding on your router &#8211; In order for people to use Tor as a relay from your machine, you need to forward 2 ports on your firewall to your local machine.  (Note: If you&#8217;re running a firewall on your local machine, remember to enable the same ports on your local machine’s firewall as well, or this isn’t going to work as well as you thought it would).</p>
<p>2. The ports that you need to forward are as follows: TCP 9001 (Relay), and TCP 9030 (Directory Port).</p>
<p>Once you have enabled Port Forwarding on your router, you need to setup Relaying and/or Bridging.</p>
<p>3. From the Vidalia interface, click ‘Setup Relay’.  From here you can either choose to be a Relay, or Relay/Bridge.  I figure if you have gone through the necessary steps to enable port forwarding, you might as well go all the way and act as a bridge.  In this case I’ll assume your conscience has decided that you would like to be a Tor Bridge.  Click on “Help Censored Users Reach the Tor Network”.<br />
a) Give a nickname to your bridge<br />
b) An email is helpful in case the Tor people need to contact you<br />
c) If you changed the default ports (9001, 9030) on your firewall, than you need to change them here.<br />
d) Check ‘Mirror Relay’ and ‘Automatically Distribute my Bridge’<br />
e) Click on the Bandwidth Limits tab and set the bandwidth that you want to limit on your Tor Network.<br />
f) Click ‘OK’</p>
<p>4.  Now give it a few minutes for your computer to check the Tor relay and  transmit the information to the Tor Networks.  To check and see if this  is working properly, click the ‘Logs’ icon on the Vidalia web interface.   This way you can follow along until the log reflects that you have  successfully connected to the Tor Network as a Bridge/Relay.</p>
<p>There you have it.  Not only anonymous browsing, but sharing your bandwidth as a Tor Relay and/or Bridge with others that are less fortunate.  When you are done using tor, click the ‘Stop Tor’ button.  It is recommended practice that you allow others to find another relay before you disconnect your Tor session.  This usually only takes a few seconds longer before Tor will exit.</p>
<p><strong>Using Tor in Windows</strong></p>
<p>If you have read the previous section on Using Tor in Linux, then this will be pretty easy for you.  Tor’s download for Windows is just as easy as it is for linux.  The application is a large bundle that contains the Tor software, Vidalia, and a custom ‘secure’ Firefox browser.  You don’t have to install anything at all.  As a matter of fact, you can put the extracted Tor files on a portable drive and carry Tor with you.</p>
<p>1. Download Tor: <a href="http://www.torproject.org/download/download-easy.html.en">http://www.torproject.org/download/download-easy.html.en</a> Go to this link and click ‘Download for Microsoft Windows’</p>
<p>2. Once you have downloaded the executable (self extracting), double-click it to extract the files.  The executable will ask you where you want to extract the files; I would recommend putting it in a place where you will actually remember (in my case, my documents folder works great).</p>
<p>3. Navigate to your extracted file path and double-click “Start Tor Browser.exe”</p>
<p>4.   Look at that! It will look just like the GUI that came with the Linux  installer.  Setting up a relay is just the same as you would in linux,  except for 1 thing.  Port 9001 in Linux, is Port 443 in Windows.  So  when you setup your Port Forwarding on your firewall, you need to enable  port 443 to point to your internal machine.</p>
<p>And  there you have it, Using Tor in Windows.  And since it’s truly  portable, you can walk around with your own personal Tor client,  including the portable secure firefox application that comes with Tor.</p>
<p><strong>Using Tor with an Android Phone</strong></p>
<p>The amazing thing about this is that when I first started using Tor there was never an application for Android. Now that I’m doing this blog post, I came across the Android application; and I’m stoked! Anonymous browsing.</p>
<p>According to Tor’s website <a href="https://docs.google.com/document/d/19byyUfGH4hphW-izkGqC9wllXfe223MF_HhAxKpSVN4/edit?hl=en">(http://www.torproject.org/docs/android.html.en)</a>, for Android 1.x devices ProxySurf is the application for surfing websites on Tor’s network, and Beem is the application to send instant messages over the network.</p>
<p>If you’re one of the lucky ones that have an Android 2.x, the same rules (applications) apply. And if you’re smart enough to root either your 1.x or 2.x Android device, Tor can be set up to transparently proxy all web traffic through Tor’s network.</p>
<p>If you want more information on using Tor, please see the following links that I have compiled for your viewing pleasure.</p>
<p>Tor’s Main Website: <a href="http://www.torproject.org/index.html.en">http://www.torproject.org/index.html.en</a><br />
Installing Tor in Linux: <a href="http://www.torproject.org/docs/tor-doc-unix.html.en">http://www.torproject.org/docs/tor-doc-unix.html.en</a><br />
Configuring your Web Browser for Tor: <a href="http://www.torproject.org/docs/tor-doc-web.html.en">http://www.torproject.org/docs/tor-doc-web.html.en</a><br />
Configure Tor as a Relay: <a href="http://www.torproject.org/docs/tor-doc-relay.html.en">http://www.torproject.org/docs/tor-doc-relay.html.en</a></p>
<p>And one of the most important links on Tor’s website, Donate to Tor. <a href="http://www.torproject.org/donate/donate.html.en">http://www.torproject.org/donate/donate.html.en</a> No, this isn’t a shameless plug for Tor. I am not associated with Tor, nor do I code anything for the Tor Project. But this is a product that thousands of people use all over the world in order to surf anonymously and beat censorship. Keep Tor running and free by donating a little something for the satisfaction that this small, free software is keeping the freedom of speech and expression alive.</p>
<p><strong>Conclusion</strong><br />
And there you have it, a quick How-To on setting up Tor for multiple operating systems. I highly recommend, if you are going to use the Tor client, that you set yourself up as a Relay or Bridge to help other people out. Without Relays or Bridges, Tor wouldn’t be what it is today: a bridge to those parts of the world where censorship outweighs the freedoms that we take for granted.</p>
<p>And now back to our regular blogpost programming. I’ll have a new post ready for your viewing pleasure on Sunday!</p>
]]></content:encoded>
			<wfw:commentRss>http://jaysonbroughton.com/2011/01/beat-censorship-with-tor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyberpower&#8217;s PowerPanel Software for Linux</title>
		<link>http://jaysonbroughton.com/2011/01/cyberpowers-powerpanel-software-for-linux/</link>
		<comments>http://jaysonbroughton.com/2011/01/cyberpowers-powerpanel-software-for-linux/#comments</comments>
		<pubDate>Sun, 16 Jan 2011 02:03:57 +0000</pubDate>
		<dc:creator>Jayson Broughton</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://jaysonbroughton.com/?p=99</guid>
		<description><![CDATA[Power failure.  One of the worst unpredictable things that could possibly happen to both home computer equipment and business servers. In the many years I have been in the IT industry I have seen what power failure can do to servers and home equipment alike.  Even worse, I have seen when people think they are [...]]]></description>
			<content:encoded><![CDATA[<p>Power  failure.  One of the worst unpredictable things that could possibly  happen to both home computer equipment and business servers. In the many  years I have been in the IT industry I have seen what power failure can  do to servers and home equipment alike.  Even worse, I have seen when  people think they are protected by plugging their machines into a UPS,  but not installing or configuring their software on the machine to  properly shutdown on power failure.</p>
<p>What’s worse?  Not having a UPS and having a computer shut down hard,  or having a UPS and not even using the software that came with the UPS  to do clean shutdowns?  They both lead to the same results when the battery in the UPS is drained; hard shutdown of the machine or machines  attached  to the UPS.  So why have a UPS if you don’t even use the  software that was designed to protect your machine on long-term power  failures?  And that’s where this blog post comes in.</p>
<p>Now the sad part of this story is that I’d had a CyberPower CP550SL UPS for a few years before I even realized that it came with a USB cable in the back. When I first bought the device, its sole purpose was to keep my networking equipment in the house up and running for as long as possible (330 Watt max UPS..lots of up time on small networking equipment). My servers were on an APC UPS at the time and I had adequate Linux based UPS software to keep these managed. As time went by, the APC went away along with a majority of the servers. Eventually I combined the server and the networking hardware onto a single UPS. This is when I realized the CyberPower UPS actually had a USB cable to monitor and control the UPS.<br />
What makes this story even better is that CyberPower has provided not only source, but Linux packages for their PowerPanel software. This blog post aims at showing you just how powerful this command line/script based software is, and how to set it up and configure it for your environment.</p>
<p><strong>Capabilities</strong></p>
<p>So  just what can this CyberPower UPS Software do?  Well, not only is it a  great piece of software, but with every piece of software there is a  negative.  Lets just focus on the happy thoughts, then I shall crush  your hopes and dreams.</p>
<p>CyberPower’s PowerPanel for Linux allows you to shut down the machine that’s attached to the UPS via USB in the event of power failure. But it doesn’t just stop there, oh no. This piece of software allows you to fine-tune your shutdown procedures. Not only can you tell the device to shut down after a certain time without power, but also based on the % of battery life remaining. If you know your server takes ~5 minutes to shut down and you have 10 minutes of battery time, you can set it to 5 minutes. Now what I like to do is drop the server with 35% remaining on the battery; this way my networking equipment stays up in case the power returns and I can send a Wake-On-LAN packet to the server. But I shall get into that later on in this article on best practices.</p>
<p>Now here comes the bad news.</p>
<p>CyberPower does have a PowerPanel utility for Windows based servers/clients that allows the software to shut down other devices on the UPS that are not connected to the USB port. That being said, CyberPower’s PowerPanel Linux software does not. It allows you to shut down the single device attached to the USB port, and that’s all she wrote. At the time of this writing, if you need to shut down multiple machines attached to a CyberPower UPS, you can check the following link out for NUT (Network UPS Tools) and see if your CyberPower UPS is supported: <a href="http://www.networkupstools.org/compat/stable.html">http://www.networkupstools.org/compat/stable.html</a> (Some CyberPower devices are supported, some are not).</p>
<p><strong>Download &amp; Install</strong></p>
<p>First off &#8211; in the past, trying to find the Linux software for CyberPower was a royal pain in the butt. Maybe it’s how the site was organized, or my lack of interest after looking for a few minutes. Either way, they seemed to have organized their site just a little better the last time I went looking for their software. The link to download their software is here:</p>
<p><a href="http://www.cyberpowersystems.com/products/management-software/ppl.html?selectedTabId=resources&amp;imageI=#tab-box">http://www.cyberpowersystems.com/products/management-software/ppl.html?selectedTabId=resources&amp;imageI=#tab-box</a></p>
<p>Unlike  some manufacturers, Cyberpower gives you download options for .deb,  .rpm and source files.  Pick the one that best suits your system and  install the package (pkg_add or rpm -i for packages, or install from  source).</p>
<p><strong>Configuration</strong></p>
<p>Once you have successfully installed the CyberPower software, you can take a look at their PDF user manual that is on the same resources link that I posted above. This document roughly outlines all of the options available to you when setting up your UPS for Linux. I will be touching upon some of these options, along with my recommended ‘guidelines’ for how I have the CyberPower UPS set up at the house.</p>
<p>Alright, so before we get carried away by all of the configuration options, I’ll show you just what you can do from the command line first. Once you have PowerPanel properly installed, and your UPS hooked up to the server, run the following command:</p>
<pre>pwrstat</pre>
<p>This will give you all of the command line options for running the PowerPanel software. To see if PowerPanel is currently talking to your UPS, run:</p>
<pre>pwrstat -status</pre>
<p>In this case, my output looks like this (yours may be different based upon the UPS you currently have, load on the UPS, etc)</p>
<p>The UPS information shows as following:</p>
<pre>Properties:
Model Name................... UPS AE485
Rating Voltage............... 120 V
Rating Power................. 260 Watt

Current UPS status:
State ....................... Normal
Power Supply by ............. Utility Power
Utility Voltage ............. 123 V
Output Voltage............... 123 V
Battery Capacity ............ 100 %
Remaining Runtime ........... 10 min.</pre>
<p>For configuration purposes, I will be focusing on the ‘Remaining Runtime’. This tells you that (in this case) there are 10 minutes of available run time without power to the UPS before the UPS is shut down. With this little tidbit of information I can set my configuration to reflect this.</p>
<p>The next command that you want to execute is <em>pwrstat -config</em>. This command will take the information from your config files (more on this later) and display it on your console. In this case, mine looks like this:</p>
<pre>Daemon Configuration:

Alarm .............................................. On

Action for Power Failure:

Delay time since Power failure ............. 60 sec.
Run script command ......................... Off
Path of script command ..................... /etc/pwrstatd-powerfail.sh
Duration of command running ................ 0 sec.
Enable shutdown system ..................... Off

Action for Battery Low:

Delay time since Battery Low ............... 5 sec.
Run script command ......................... On
Path of command ............................ /etc/pwrstatd-lowbatt.sh
Duration of command running ................ 60 sec.
Enable shutdown system ..................... On</pre>
<p>This tells me that I have set my audible alarm on (beeep beeeeeeep beeeep..that annoying noise that wakes the dead and sends shivers down IT staff’s backs the world over). It also shows that I do not have my configuration set up for Power Failure, but instead have Battery Low enabled. I chose to go with battery low instead of power failure because I can estimate the % of battery life remaining (in this case I have 10 minutes for 100%, 5 minutes for 50%, etc). This made my configuration a little easier to handle.</p>
<p>Now, you can set all of this up from the command line (see the manual PDF) or you can set it up from the configuration file itself. Personally I prefer to set it from the configuration file (/etc/pwrstatd.conf).</p>
<p>Before  I move into the configuration files, one more useful command to know is  how to shut off that blasted audible alarm when you know the power’s  out and the infernal beeping noise is about to cause you to stab the  wall with a spork, screaming something that oddly sounds like Vulcan.   So before you start carving your way out of the house with a spork, run  the following command from the command line: <em>pwrstat  -mute</em>. Blessed Silence!</p>
<p><strong>Configuration Files</strong></p>
<p>PowerPanel has 4 files that can be configured. Below is a list of the files and a brief explanation of each file:</p>
<p><em>/etc/pwrstatd.conf</em> &#8211; The main configuration file for the pwrstat daemon. This gives the daemon all the information needed on a power failure</p>
<p><em>/etc/pwrstatd-powerfail.sh</em> &#8211; The script that is executed based off of the configuration options given in pwrstatd.conf for power failures</p>
<p><em>/etc/pwrstatd-lowbatt.sh</em> &#8211; The script that is executed based off of the configuration options given in pwrstatd.conf for low battery events.</p>
<p><em>/etc/pwrstatd-email.sh</em> &#8211; Odds are you won’t have to modify this file. This is the email syntax used for sending out email that is generated by pwrstatd-powerfail.sh and pwrstatd-lowbatt.sh</p>
<p>Let’s start with the main configuration, pwrstatd.conf. Fire up your favorite text editor and take a look. I’ll go through each option and what I have set in my ‘best case’ scenario. Feel free to follow along, but if you don’t, CyberPower has done an excellent job of documenting what each option is.</p>
<pre># /etc/pwrstatd.conf

# Powerfail
## - I don't use the powerfail option so I just kept this as default
powerfail-delay = 60 

## Disables powerfail option
powerfail-active = no

## location of the script execution on powerfail
## (executed based on powerfail-delay)
powerfail-cmd-path = /etc/pwrstatd-powerfail.sh

##Execution of time in seconds for script
powerfail-duration = 0

##disables the powerfail shutdown
powerfail-shutdown = no 

#Low Battery#
##This is what I use, I know just how much battery life
## is remaining and go from there.

##delay in seconds when battery low alert kicks off
##before executing the script
lowbatt-delay = 5

##Activate the low battery script
lowbatt-active = yes

##path to lowbatt script
lowbatt-cmd-path = /etc/pwrstatd-lowbatt.sh

##I estimated a 60 second script execution
lowbatt-duration = 60

##This allows the daemon to shut the system down on battery
lowbatt-shutdown = yes

##Yes, I want to be woken out of a deep beautiful sleep
##of 1's and 0's when the power fails
enable-alarm = yes

##In Seconds - 5 Minutes for full system shutdown
shutdown-sustain = 300

##I set this to no.  I'll explain this here shortly
turn-ups-off = no

##In %, thus at 35% battery life remaining (roughly 7 minutes on my ups)
##the daemon will execute my lowbattery script and start shutting down
lowbatt-threshold  = 35

##In Seconds - Polling the UPS for status information
ups-polling-rate = 3

##Retry every 10 seconds to connect to the UPS if connection is down
ups-retry-rate = 10

##Yes, I want to run pwrstat command to check the status of my UPS
prohibit-client-access = no</pre>
<p>Before I get into the nitty gritty of pwrstatd-powerfail.sh and pwrstatd-lowbatt.sh, I figured an explanation is in order for why I set these options. First off, I went with Low Battery alerts for a reason. Not only do I have a server attached to the UPS, but I also have networking equipment (router, firewall, ATA, switch, WAP, etc). By setting low battery alerts to 35%, the server itself will shut down, thus freeing up more power for my networking devices. If at some point the power is restored and the networking equipment is up, I can send a wake-on-LAN packet to wake the server back up. If this is something you want to do, also make sure that ‘turn-ups-off’ is disabled; if you enable it, your networking equipment will be down until you power the UPS back on.</p>
<p><em>/etc/pwrstatd-powerfail.sh</em></p>
<p>This is the shell script that is executed by pwrstatd if you have enabled shutdown on power failure in pwrstatd.conf. If you have sendmail set up properly to email you (in my case I had to set up sendmail to route email through my ISP’s SMTP port), you can set this script up to send email reports.<br />
The first line (echo “Warning &#8230;. ) is what will be sent out to all connected Linux sessions (telnet, ssh, etc). From there you can change your defaults for enabling email, recipient name, address, sender address. If, like me, you have a certain way that your server (or VirtualBox headless servers) need to be shut down, this is where you put it. After ‘fi’ at the end of this script, you can either execute a bash script that you have set up previously or individual commands for shutting down services. For me, I have a few VirtualBox headless servers, and execute vbox-headless to save the machine states on the various servers, before CyberPower’s daemon starts shutting my server down.</p>
<p><em>/etc/pwrstatd-lowbatt.sh</em></p>
<p>This is pretty much the same..email information, email sent out, then how you want to shut things down. I have a separate script on my server that is executed from pwrstatd-lowbatt.sh, with a sleep command (roughly 3 minutes) between the execution of my VirtualBox headless shutdown and a shutdown -h now command to halt the server.</p>
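<p>The low-battery handler described above, written out as an added example; this is not CyberPower's shipped /etc/pwrstatd-lowbatt.sh nor the author's own script. It warns logged-in users, saves the state of every running VirtualBox VM, waits a grace period, and halts the host so a wake-on-LAN packet can bring it back later. VBoxManage being on PATH, the script running as root, the DRY_RUN variable and the two sample VM names are all assumptions added here.</p>

```shell
#!/bin/sh
# Added example in the style of /etc/pwrstatd-lowbatt.sh; it is not CyberPower's
# shipped script. Assumptions: VBoxManage is on PATH, the VMs are registered to
# the user pwrstatd runs this as (root), and DRY_RUN=1 (the default here) only
# prints the commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"
GRACE_SECONDS="${GRACE_SECONDS:-180}"   # time for savestate to finish before the halt

# Timestamped log line on stderr, so stdout stays usable for return values.
log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >&2; }

# Run a command for real, or only print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        log "DRY-RUN: $*"
    else
        "$@"
    fi
}

# Pull the VM names out of "VBoxManage list runningvms" output, which has
# one line per VM of the form:  "name" {uuid}
vm_names() {
    sed -n 's/^"\([^"]*\)" {[^}]*}$/\1/p'
}

# Names of running VMs. In dry-run mode a constructed sample listing stands in
# for VBoxManage so the script can be exercised without VirtualBox installed.
running_vms() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' '"web-vm" {11111111-2222-3333-4444-555555555555}' \
                      '"db-vm" {66666666-7777-8888-9999-000000000000}'
    else
        VBoxManage list runningvms
    fi | vm_names
}

# Save (not power off) every running VM so it resumes where it left off once
# the host is back. Prints the number of VMs handled.
save_vm_states() {
    count=0
    vms=$(running_vms)
    [ -n "$vms" ] || { echo 0; return 0; }
    while IFS= read -r vm; do
        [ -n "$vm" ] || continue
        run VBoxManage controlvm "$vm" savestate
        count=$((count + 1))
    done <<EOF
$vms
EOF
    echo "$count"
}

lowbatt_handler() {
    log "UPS battery low: saving VM states, halting host in ${GRACE_SECONDS}s"
    # Warn everyone logged in (ssh, console), as the stock script's echo does.
    run wall "Warning: UPS battery low, this host halts in ${GRACE_SECONDS} seconds"
    saved=$(save_vm_states)
    log "saved state of $saved VM(s)"
    run sleep "$GRACE_SECONDS"
    # Halt the host; a wake-on-LAN packet can bring it back once power returns.
    run shutdown -h now
}

# Act only when executed as the pwrstatd hook, not when sourced for testing.
case "${0##*/}" in
    pwrstatd-lowbatt.sh) lowbatt_handler ;;
esac
```

<p>Run it once with DRY_RUN=1 before pointing lowbatt-cmd-path at it: the dry run prints every command it would execute, and GRACE_SECONDS should be set smaller than the remaining runtime at your lowbatt-threshold, or the UPS will cut power mid-halt.</p>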
<p><em>/etc/pwrstatd-email.sh</em></p>
<p>You shouldn’t have to mess with this file. It’s called by both pwrstatd-powerfail.sh and pwrstatd-lowbatt.sh to send an email. If you use something other than the mail application, you could make changes near the bottom of this script to reflect the type of mail software you use (mailx for me).</p>
<p><strong>Conclusion</strong></p>
<p>There  you have it.  Properly setting up a UPS on power failure.  Like I said  earlier, I have my ways of doing things, and you may have your ways of  setting up your UPS for power failure.  Both are correct, as long as  you have some sort of software enabled on your UPS to properly shut down  your server/devices upon power failure.  If not, you&#8217;re at the mercy of  the computer gods whether your server comes back up without any  problems, or you end up spending the next few days trying to fsck the  drive or rebuilding a corrupt database.   As always, the choice is  yours. <img src='http://jaysonbroughton.com/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://jaysonbroughton.com/2011/01/cyberpowers-powerpanel-software-for-linux/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Asterisk and Google Voice Integration</title>
		<link>http://jaysonbroughton.com/2011/01/asterisk-and-google-voice-integration/</link>
		<comments>http://jaysonbroughton.com/2011/01/asterisk-and-google-voice-integration/#comments</comments>
		<pubDate>Sat, 01 Jan 2011 07:08:13 +0000</pubDate>
		<dc:creator>Jayson Broughton</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://jaysonbroughton.com/?p=64</guid>
		<description><![CDATA[“$68 phone bill for calls to Europe this month? Holy Crap!” As I was reading over the phone bill and trying to remain civil; I realized it was time for another phone solution. Like a lot of people here in town, we subscribe to the ‘triple-pack’ of cable features; Phone, Internet and TV. While trying [...]]]></description>
			<content:encoded><![CDATA[<p>“$68 phone bill for calls to Europe this month? Holy Crap!”  As I was reading over the phone bill and trying to remain civil, I realized it was time for another phone solution.  Like a lot of people here in town, we subscribe to the ‘triple-pack’ of cable features: Phone, Internet and TV.  While trying to justify ways of cutting household costs, this little gem landed right in my lap.  As our home phone is usually only used to call family in Europe, there had to be a better way.  I have tried to get the other half to use msn/skype over the years to make her calls, but she likes to call her mom’s cellphone, or talk on a real phone.  Well, after this phone bill, a blogpost was formed!</p>
<p>So, this is what I wanted to accomplish:</p>
<ul>
<li>Free US long distance calls (As we hardly ever use the phone unless our cellphones have died, it seems silly to actually pay $30/mo for a phone we only use to call Europe)</li>
<li>Low cost calls to Europe &#8211; As of right now, .09c/min to France landlines and .15c/min to cellphones</li>
<li>Use softphones on each computer (2 laptops, and a desktop)</li>
<li>Use our existing cordless phone with an ATA adaptor (more on that later)</li>
<li>Phone line rings, all phones ring until someone picks up on an extension</li>
<li>Voicemail sent to email</li>
</ul>
<p>Did I accomplish all of this? Yup, that and more.  2 weeks ago, the only thing I knew about Asterisk was that it was an opensource PBX.  I had never installed or configured it before, so this would be a pretty steep learning curve.  Thanks to Torrancew of #linuxjournal (irc.freenode.net) for putting up with all of my silly questions throughout that time period.</p>
<p>Now, yet another disclaimer.  I will be walking you (the reader) through all the steps necessary to get Asterisk up and running on a Debian distro, from the ground up.  As stated earlier, I am no expert in Asterisk; everything I learned, I picked up from Asterisk’s AWESOME wiki, and friends of mine.  This goes without saying: RTFM!  There are some major security steps to take if you wish to turn your Asterisk box into a full fledged VoIP server. I don’t go over these steps in this blog post, so for the love of Pete, follow the security document that comes with your Asterisk documentation.</p>
<p><strong>Google Account</strong></p>
<p>Now here’s the kicker: you need not only a gmail account, but a Google Voice account as well.  Really? Well yea, how else are you going to make and place calls with Google Voice?  Anyway, surfing the web one day, I came across a few blog posts that talked about the basics of Asterisk and Google Voice integration (I’ll post these links at the end of the blog in case you’re interested in following up).  One of the posters had a valid point.  You need a new gmail and gvoice acct.  And I will tell you why.</p>
<p>When you sign into gmail.com with your regular google acct, and you have a google voice acct tied to that email address; google voice seems to override what you have setup on asterisk, and route calls to your open gmail.com browser.  Not only will you not receive voice calls half the time, but buddies that see you online and send you messages, may get either sent to your gtalk inside of gmail, or they might end up stuck in limbo on your asterisk server.  So the best thing you can possibly do, is to create not only a new gmail account, but a new google voice account tied to your new gmail acct.</p>
<p>To stop spambots (Hey Secksy! I’m hrny fer u! wanna chat? http://givemeyourCCnumber.com) from finding you and spamming your google acct, or some strange way where they might get your gvoice # and spam it; create a hard to guess username.  For me, I took the first two characters of the names of my family, added the # month they were born in, and tied it all together for my gmail.com acct.</p>
<p>You need to do the following to get google setup for Asterisk:</p>
<p><strong>gmail.com</strong></p>
<p>1. Sign up for a gmail account (www.gmail.com)</p>
<p style="padding-left: 30px;">a) Use a unique username (see above)</p>
<p>2. Sign into your gmail account and go to settings (top right)</p>
<p>3. Select the Chat tab, and make sure under Call Phones: Enable outbound voice calling with Google Voice, is enabled.</p>
<p><strong>google voice</strong></p>
<p>1. Sign up for a google voice account (www.google.com/voice)</p>
<p>2. Setup Google Voice</p>
<p style="padding-left: 30px;">a) Top right-hand corner, go to settings-&gt;Google Voice Settings</p>
<p style="padding-left: 30px;">b) Because of privacy issues, you do need to tie a phone # into the account.  In this case, I used my existing home phone, waited for Google to call, and entered the security code that was on my screen when prompted.</p>
<p style="padding-left: 30px;">c) Now this is where it might get tricky.  Under Phones, it took a day for me to be able to select the option “Google Chat” as a forward.  If this doesn’t come up, wait a few hours and it should be an option for you.  When this does present itself, select it.  Under Edit for Google Chat, disable voicemail access, and enable all the ring schedules.</p>
<p style="padding-left: 30px;">d) Go to ‘calls’</p>
<p style="padding-left: 60px;">1) Disable Call Screening<br />
2) Enable CallerID<br />
3) Keep ‘Don’t change anything’ for Outgoing CallerID<br />
4) Make sure ‘Do not Disturb’ is NOT marked</p>
<p>And there you go, you have successfully setup google voice for our next step in the Asterisk/G-Voice post.</p>
<p><strong>Application Installation</strong><br />
Before you get too far into this; I have done all my testing using Debian’s net-install iso.  I have also done some testing by installing the appropriate applications needed for fedora as well.  It’s just easier for me to fire up a fresh net-installed debian inside of a virtualbox image these days.  So this goes without saying, some packages may or may not be valid by the time you read this blog post; adjust accordingly.</p>
<p>This will be broken into two sections; setup the environment, and setup/configure/make asterisk packages.</p>
<p><strong>Setting up the Environment</strong><br />
Before we begin, there are a few (okay, I lied; a LOT) of additional packages needed in order to install asterisk.  For testing purposes, I installed debian minimal from a net-install.  So you may already have these packages installed on your machine.</p>
<p>Necessary packages: (be sure to do an apt-get update prior to downloading packages)</p>
<pre>apt-get install openssh-server make gcc libssl0.9.8 libssl-dev
 linux-headers-2.6.26-2-686 linux-source-2.6.26 g++ libxml2
libxml2-dev ncurses-base ncurses-dev libncurses-dev subversion
</pre>
<p>Once this is complete, it’s time to move onto setting up Asterisk.</p>
<p><strong>Setup Asterisk</strong></p>
<p>1. Create a download directory to put asterisk download.  In this case, I tend to put everything into: /home/username/Downloads</p>
<p>2. Download Asterisk Sourcecode</p>
<p style="padding-left: 30px;">a) wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.8.1.1.tar.gz</p>
<p>3. Extract and compile asterisk</p>
<p style="padding-left: 30px;">a) tar zxvf asterisk-1.8.1.1.tar.gz &amp;&amp; cd asterisk-1.8.1.1</p>
<p style="padding-left: 30px;">b) ./configure</p>
<p>4. Menuselect</p>
<p style="padding-left: 30px;">a) make menuselect<br />
This is where you select the necessary modules needed to get asterisk up and running for google voice.</p>
<p>5. Select your modules</p>
<p style="padding-left: 30px;">a) I usually select mp3 (that’s up to you); it’s in the ‘development’ phase and located under addons-format_mp3</p>
<p style="padding-left: 30px;">b) Channel Drivers -&gt; chan_gtalk &amp; chan_jingle should have an asterisk (*) by them.</p>
<p>6. Hit ‘s’ to save and exit menuselect when you’re done.</p>
<p>7. Make and install asterisk</p>
<p style="padding-left: 30px;">a) make &amp;&amp; make install<br />
b) Go get some coffee, this might take some time</p>
<p>8. Make Samples &#8211; Everyone needs some samples!</p>
<p style="padding-left: 30px;">a) make samples</p>
<p>Tada! Asterisk is now installed!  Congratulations, now it’s time to get to the configuration side of things.</p>
<p><strong>Configure Asterisk</strong></p>
<p>Okay, this is where I deviate from the standard.  I’m not going to talk about all the different configuration options that you can use, nor am I going to tell you how to get asterisk to dial your coffee maker.  Instead, I will paste the different configuration files that I have had to modify to get asterisk and google voice to work successfully.  There are all sorts of things that you can get asterisk to do (after all, it’s been used by cities, counties and businesses large and small for years..thus plenty of other documentation).</p>
<p>All of your configuration files will be located in /etc/asterisk (cd /etc/asterisk)</p>
<p><em>jabber.conf</em></p>
<pre>[general]
debug=yes
autoprune=no
autoregister=yes

[gmail]
type=client
serverhost=talk.google.com
username=exampleusername@gmail.com/Talk
secret=yourpassword
port=5222
statusmessage="Asterisk Server"
timeout=100
</pre>
<p>The jabber.conf file contains the information needed for asterisk to talk to google.  In this case you need to replace: exampleusername with your gmail acct; and yourpassword with the password to your gmail acct.</p>
<p><em>gtalk.conf</em></p>
<pre>[general]
context=users
allowguests=yes
bindaddr=0.0.0.0

[guest]
disallow=all
allow=ulaw
context=users
connection=gmail
</pre>
<p>Make the necessary changes to gtalk.conf; for the context, I used ‘users’.  I did this because adding the various phones/softphones around the house into a general context made things extremely difficult to follow.  Thus I created my own context, you will see more of this in extensions.conf later.</p>
<p><em>sip.conf</em></p>
<pre>[jaysondroid]
canreinvite=no
context=users
dtmfmode=auto
host=dynamic
nat=yes
port=5060
qualify=no
type=friend
secret=123456
deny=0.0.0.0/0
permit=10.12.3.0/255.255.255.0

[home-phone]
context=users
deny=0.0.0.0/0
permit=10.12.3.0/255.255.255.0
port=5060
type=friend
secret=1234
dtmfmode=rfc2833
nat=yes
host=dynamic

[work-laptop]
type=friend
secret=123456
host=dynamic
context=users
deny=0.0.0.0/0
permit=10.12.3.0/255.255.255.0
mailbox=777@vm

[home-laptop]
type=friend
host=dynamic
secret=123456
context=users
deny=0.0.0.0/0
permit=10.12.3.0/255.255.255.0
</pre>
<p>Okay, this one deserves a little attention.  In this case I created a SIP account for my Android (jaysondroid), a SIP acct for the ATA to my cordless, and 2 SIP accounts for my laptops.  So, I’ll break down the common SIP configurations here.</p>
<p>*[home-laptop] &#8211; This is the name of the SIP account; this will be used to log into your softphone, ATA SIP adaptor, etc.  This is also what will come up when you do extension-to-extension calls (minus the brackets of course)</p>
<p>*type=friend &#8211; this allows for inbound and outbound SIP calls</p>
<p>*host=dynamic &#8211; Lets the server know that the host is configured using DHCP; if you have static clients (such as an ATA) then you would use the IP address in place of dynamic</p>
<p>*secret=123456 &#8211; The password used to authenticate your SIP client</p>
<p>*context=users &#8211; in this case, I created a separate context inside of extensions.conf called users. More on this later</p>
<p>*deny=0.0.0.0/0 &#8211; This is the default rule for every address; the permit line that follows it is what opens up the clients you actually want.  Note: you MUST have deny before permit, because Asterisk applies them in order..I swapped them by accident once during testing and boy was I confused!</p>
<p>*permit=10.12.3.0/255.255.255.0 &#8211; This says, allow clients on my local subnet (10.12.3.0) to authenticate</p>
<p>The other entries (re: my Android, and the ATA) have more SIP options to them, but for the purpose of this blog post I will only be focusing on the softphone clients; at least you can see what other options are available for Android clients and ATA adaptors.</p>
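<p>A small lint for the two sip.conf points just made (deny must precede permit, and the placeholder secrets in the listing above should not survive into a real install), as an added example; it is not part of the post and not an Asterisk tool. It assumes peers are plain [name] sections of key=value lines, and the sample peers it checks are constructed for the demonstration.</p>

```shell
#!/bin/sh
# Added example (not from the post, not an Asterisk utility): lint a sip.conf
# for peers whose permit line comes before deny (so the deny overrides it),
# peers with a permit but no deny at all, and short or all-digit secrets.
# Assumption: peers are [name] sections of key=value lines; ';' starts a comment.

check_sip_conf() {
    awk '
    # Report on the section just finished, then the caller resets state.
    function flush() {
        if (sect == "" || sect == "general") return
        if (has_permit && !has_deny)
            print sect ": permit without a deny line (deny=0.0.0.0/0 should come first)"
        if (permit_line && deny_line && permit_line < deny_line)
            print sect ": permit appears before deny; Asterisk applies them in order, so the deny wins"
        if (secret != "" && (length(secret) < 8 || secret ~ /^[0-9]+$/))
            print sect ": weak secret \"" secret "\""
    }
    /^[ \t]*\[/ {
        flush()
        sect = $0; gsub(/^[ \t]*\[|\].*$/, "", sect)
        has_deny = 0; has_permit = 0; deny_line = 0; permit_line = 0; secret = ""
        next
    }
    /^[ \t]*;/ || /^[ \t]*$/ { next }
    {
        split($0, kv, "="); key = kv[1]; gsub(/[ \t]/, "", key)
        val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "deny")        { has_deny = 1;   if (!deny_line)   deny_line = NR }
        else if (key == "permit") { has_permit = 1; if (!permit_line) permit_line = NR }
        else if (key == "secret") { secret = val }
    }
    END { flush() }
    ' "$1"
}

# Constructed sample: one peer done as the post recommends, one with the
# permit/deny order swapped and a four-digit secret.
sample_sip_conf() {
    printf '%s\n' \
        '[general]' 'context=users' '' \
        '[ok-phone]' 'type=friend' 'secret=correct-horse-battery' \
        'deny=0.0.0.0/0' 'permit=10.12.3.0/255.255.255.0' '' \
        '[bad-phone]' 'type=friend' 'secret=1234' \
        'permit=10.12.3.0/255.255.255.0' 'deny=0.0.0.0/0'
}

# Write the sample to a temp file, lint it, print the findings (one per line).
lint_sample() {
    tmp=$(mktemp) || return 1
    sample_sip_conf > "$tmp"
    check_sip_conf "$tmp"
    rm -f "$tmp"
}

# Lint a real file when given one, otherwise demonstrate on the sample.
if [ -n "$1" ] && [ -f "$1" ]; then
    check_sip_conf "$1"
fi
```

<p>Point it at /etc/asterisk/sip.conf on the box (check_sip_conf /etc/asterisk/sip.conf) after editing; an empty result means every peer has its deny before its permit and no peer is still using a four-digit secret.</p>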
<p><em>features.conf</em></p>
<pre>[general]
parkext =&gt; 700
parkpos =&gt; 701-720
context =&gt; parkedcalls
parkingtime =&gt; 180
comebacktoorigin = yes
parkedmusicclass=default
</pre>
<p>This allows you to park calls that you receive into a parking lot.  The reason I set this up is that when I get a call to the house and answer it from the computer, this feature lets me park the call and then pick it up on the house phone (or another phone, etc.).  To park a call, you dial #700.  Once you dial #700, the automated attendant tells you which extension the call is parked on (usually 701, unless you’re parking a bunch of incoming calls).  From there, you go to another phone (or softphone) and dial that extension.  I also have music playing for the people I place on hold while I park the calls (why listen to dead air? Besides, I also use the on-hold music to stream my music to my softphone around the house when I want some tunes).</p>
<p><em>voicemail.conf</em></p>
<pre>[vm]
601=&gt;1234,Jayson Broughton,jayson@localhost.localdomain,attach=no|tz=mountian|maxmsg=10
</pre>
<p>The voicemail configuration file allows you to set up voicemail per extension (or in my case, all extensions ring and voicemail goes to a central voicemail box). I appended this to the bottom of my voicemail.conf file.  In this case the extension number is 601, the password is 1234, followed by my name and my email address.  Because various people may be reading this, I won’t be getting into how to set up sendmail.cf to send email out through your ISP’s SMTP server (in my case, all outgoing SMTP mail must be re-routed through my ISP’s).  So for the sake of the example, I used localhost.localdomain.  Common sense dictates that you would use an actual email address in place of what I have here.</p>
<p>Now, to the meat and potatoes, extensions.conf.</p>
<p><em>extensions.conf</em></p>
<pre>[docs:users]
[users]
include =&gt; longdistance2
include =&gt; parkedcalls

exten=&gt;s,1,Answer()
exten=&gt;s,n,Wait(2)
exten=&gt;s,n,SendDTMF(1)
exten=&gt;s,n,Dial(SIP/work-laptop&amp;SIP/home-laptop&amp;SIP/jaysondroid&amp;SIP/home-phone,20)
exten=&gt;s,n,VoiceMail(601@vm,u)

exten=&gt;601,1,Dial(SIP/work-laptop,20)
exten=&gt;601,n,VoiceMail(601@vm,u)

exten=&gt;602,1,Dial(SIP/home-laptop,20)

exten=&gt;603,1,Dial(SIP/home-phone,60)

exten=&gt;604,1,Dial(SIP/jaysondroid,20)

exten=&gt;650,1,Answer(500)
exten=&gt;650,n,VoiceMailMain(@vm)

[longdistance2]
exten=&gt; _91NXXNXXXXXX,1,Dial(Gtalk/gmail/+${EXTEN:1}@voice.google.com)
</pre>
<p>Okay, I’m not going to get too far into extensions.conf. But what I will say is that the first 11 lines (everything up to and including exten=&gt;601,n,VoiceMail(601@vm,u)) are important.  Remember me talking about the users context? This is it.  What the first 11 lines do is the following: they include [longdistance2], which is the context that dials out through Google, and they tell Asterisk to do the following when a call is received.</p>
<p>1. The incoming call is automatically answered<br />
2. Asterisk waits 2 seconds, and then sends a DTMF 1 tone (if you dial a Google number it asks you to press 1)<br />
3. It then rings all of the extensions that are specified, for 20 seconds<br />
4. If there is no answer within 20 seconds, it sends the caller to voicemail</p>
<p>Extension 601 is slightly different from the other extensions, as it has this extra gem added to it:<br />
exten=&gt;601,n,VoiceMail(601@vm,u).  This tells Asterisk that extension 601 (the main SIP client) has voicemail attached to it, and sends the person calling to voicemail.  The other extensions are set up for the other SIP clients around the house.</p>
<p>To set up voicemail (as seen by: exten=&gt;650,1,Answer(500) &amp; exten=&gt;650,n,VoiceMailMain(@vm)), you would dial extension 650 from a SIP client, punch in the extension that you want to retrieve voicemail from (601 in this case), enter your password and follow the voice-guided prompts. <em>NOTE: Don&#8217;t do this now; this is just an example of how to set up voicemail. You need to have Asterisk up and running, and a softphone client connected, before you set up voicemail.</em></p>
<p><strong>Testing</strong><br />
Okay, I got a little ahead of myself with the setting up voicemail part, so let’s get to testing.<br />
*For Windows clients I use the X-Lite 4 softphone client (download it here: http://www.counterpath.com/x-lite-download.html).<br />
*For Linux clients I use Ekiga<br />
*For Android phones I use sipdroid.</p>
<p>Now let’s get Asterisk up and running, shall we?  The first thing you need to do is start the asterisk service:</p>
<pre>/etc/init.d/asterisk start
</pre>
<p>Now log into the Asterisk CLI interface</p>
<pre>asterisk -rvvvv
</pre>
<p>Let’s check to see if gtalk/jabber has connected</p>
<pre>jabber show connected
</pre>
<p>This should show your username with &#8211; Connected next to it.  If it doesn’t, make sure you put the necessary information into your configuration file, then reload with: jabber reload</p>
<p>Okay, now it’s time to configure your softphone of choice.  For testing purposes, I assume you have set up at least 2 extensions, so that you can test between clients; if not, you can attempt to make incoming and outgoing calls.</p>
<p>1. Setup your softphone client of choice</p>
<p style="padding-left: 30px;">a) download and install<br />
b) under account details (or wherever it is depending upon your client) enter the account name you gave in sip.conf file, and the password<br />
c) enter the asterisk server’s ip address where specified.<br />
d) connect</p>
<p>You should see information coming across your Asterisk CLI interface.  If you make any changes to your files during this time, you can either reload the configuration files from the interface, or do a core reload or core restart (core restart will require you to run asterisk -rvvvv again).</p>
<p>Once you see ‘successfully connected’ in your Asterisk CLI, try making a call to another extension (if one is set up).  Also, set up your voicemail while you have the chance (see above on voicemail setup).  Now here comes the fun part!  Try dialing outside (remember, you need to dial it as 9-1-areacode-prefix-suffix, for example 919257771234) to make an outgoing call (as outlined in [longdistance2] inside of your extensions.conf file).  Now try making an incoming call from another phone.  If you have multiple extensions set up, all extensions should ring, and you should be able to pick up on any extension that you have set up to receive the phone call.</p>
<p><strong>Conclusion</strong><br />
There you have it.  Asterisk with multiple extensions, custom voicemail, running through Google Talk.  And like I said at the beginning of this blog post, please please please read the security documents provided by Asterisk.  Also, there is so much more you can do with Asterisk; I have barely scraped the iceberg in this blog post.  Some of the things I have set up recently are: dial an extension for date/time, dial an extension for the current weather, Music on Hold using MP3s (streams my MP3s).  At the end of this post, I have provided the documentation that I used to set up Asterisk; feel free to check it out.</p>
<p>1. Voip Info (Great for configuration information) http://www.voip-info.org/wiki/view/Asterisk#Configuration<br />
2. Asterisk’s own wiki page (this is where I learned just about everything on how to get started with asterisk, along with how asterisk talks to google voice)<br />
<a href="https://wiki.asterisk.org/wiki/display/AST/Home">https://wiki.asterisk.org/wiki/display/AST/Home</a><br />
3. Patch for google voice if you did not install asterisk 1.8.1.1<br />
<a href="https://issues.asterisk.org/view.php?id=18412">https://issues.asterisk.org/view.php?id=18412</a><br />
4. What sparked my interest in google voice and asterisk, although I did modify some things but still a really good howto post:<br />
<a href="http://blog.polybeacon.com/2010/10/17/asterisk-1-8-and-google-voice/">http://blog.polybeacon.com/2010/10/17/asterisk-1-8-and-google-voice/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://jaysonbroughton.com/2011/01/asterisk-and-google-voice-integration/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Creating custom Contact Cards (vcards)</title>
		<link>http://jaysonbroughton.com/2010/12/creating-custom-contact-cards/</link>
		<comments>http://jaysonbroughton.com/2010/12/creating-custom-contact-cards/#comments</comments>
		<pubDate>Fri, 24 Dec 2010 07:53:45 +0000</pubDate>
		<dc:creator>Jayson Broughton</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://jaysonbroughton.com/?p=52</guid>
		<description><![CDATA[Intro VCard? Wow, people still use these things?  Before this post, I had heard of VCards, but my knowledge was loosely based up on my Android’s ability to ‘send vcard data’. Mixed with the fact that I knew you could export contact information from outlook in .vcf.  When I was designing a personal contact card, [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Intro</strong><br />
VCard?  Wow, people still use these things?  Before this post, I had heard of VCards, but my knowledge was loosely based upon my Android’s ability to ‘send vcard data’, mixed with the fact that I knew you could export contact information from Outlook in .vcf.  When I was designing a personal contact card, I started thinking about how I could pass off my contact information to interested parties that I met throughout the day.  This led to more of an insight into VCards and also frustrations over how various email clients FUBAR their custom VCards.  And alas! A blog post on creating VCards inside of VI was born.</p>
<p>This was my wishlist:<br />
*A VCard that could be universally read between: Outlook, Thunderbird, Evolution, and Mobile devices<br />
*The V-Card must also have an image that is not linked to a website (VCard standards allow you to link images to urls).<br />
*I  wanted to be able to share my VCard from my website, sending a link to  people that allowed them to click a hyperlink to add the vcard on their  desktop, or navigate from their phone and add the VCard to their device.</p>
<p>I was able to accomplish all of these goals, of which I will outline here in this blogpost.</p>
<p><strong>VCard Standards</strong></p>
<p>VCard  was proposed in 1995, and handed off to the Internet Mail Consortium in  1996.  VCards can contain just about anything you can imagine a contact  card would contain.  Name, phone numbers, address, notes, images, and  even Instant Messenger information.  I will admit though, like other  RFC’s and standards; I do believe VCard’s are due for an overhaul (RFC  2646 is the VCard proposed standard, last modified in 1998).</p>
<p>Because of issues I had between the various clients (Outlook, Evolution and T-Bird) not being able to read information from each other, I had to go with manually creating a VCard based off of the 3 VCard RFCs that I found online.  Below are the 3 RFC standards and their hyperlinks for more information.</p>
<p>* <a href="http://tools.ietf.org/html/rfc2425">RFC2425</a> &#8211; A MIME Content-Type for Directory Information</p>
<p>* <a href="http://tools.ietf.org/html/rfc2426">RFC2426 </a>- VCard MIME Directory Profile</p>
<p>* <a href="http://tools.ietf.org/html/rfc4770">RFC4770</a> &#8211; VCard Extensions for Instant Messaging</p>
<p>The  problems I ran into while creating VCards inside of mail applications  was quite frustrating.  I could create a Contact card in Outlook with  all the information I wanted displayed, export it as a vcard; and when  imported into Evolution, some of the information wasn’t displayed (such  as cellphone #’s).  The same thing happened with evolution, I could  create a VCard inside of Evolution and Outlook wouldn’t display the  image.</p>
<p><strong>Create your Own</strong></p>
<p>Before we get started, there are some utilities that you need to make sure you have installed on the machine.  The first is a file editor; in this case I use VIM (or VI) to do all of my vcard management.  The next is the base64 application (which can be installed on Debian by installing the coreutils package). I also used sed in a script to insert the Base64 encoding into my VCard.</p>
<p>All VCard data must start with BEGIN:VCARD and end with END:VCARD.  Remember this, and you won’t have some of the problems I did in the beginning ;-) .  So let’s start with a sample VCard and pick it apart.</p>
<pre>BEGIN:VCARD
VERSION:3.0
N;LANGUAGE=en-us:Clause;Santa
FN:Santa Clause
TITLE:Big Daddy Clause
CATEGORIES:Presents, Santa, Holiday, Christmas
TEL;CELL;VOICE: (999) 555-1212
ADR;TYPE=dom,work,postal,parcel:;;123 Candy Cane Ln;Fargo;ND;58102-1234
URL:http://www.santaslittlehelper.com
EMAIL;PREF;INTERNET:stnick@northpole.com
NOTE:You Better not Pout you Better not Cry
REV:2010-12-23
END:VCARD
</pre>
<p>Line 1: See above.  This tells whatever application reads it that this is a VCARD and that the following information pertains to the vcard itself.</p>
<p>Line 2: Version number. This needs to be set to 3.0 if you’re going to be using a newer standard of vcard (cell, websites, etc.)</p>
<p>Line 3: Object Name. In this case I also set the language encoding to English.  The name is Last;First: the parts of the name are separated by semicolons, in the following order: Family Name, Given Name, Additional Names, Honorific Prefixes, and Honorific Suffixes.  As an example, if Santa Clause was a Doctor of Veterinary medicine (someone has to take care of the reindeer) the Object name would be: Clause;Santa;D.V.M.</p>
<p>Line 4: Full Name (or Formatted name).  First &lt;space&gt; Last.</p>
<p>Line 5: Job Title</p>
<p>Line 6: Categories &#8211; Now I haven’t really seen a spot on contact cards for this, but I figured maybe in this case having categories might sort a card based on the type of business it is (Internet, technology, Christmas, holidays, etc.). Each item is separated by a comma.</p>
<p>Line 7: Telephone information.  Now this is where it can get complicated.  If you have ever looked at an address book entry (even when adding one to your phone), you will notice there is a place to put a phone number for just about every situation you can imagine.  So this is how it breaks down:<br />
TEL;CELL;VOICE: (999) 555-1212<br />
Type: Type can be a combination of parts.  Acceptable types include:<br />
home, work, msg, voice, fax, cell, video, pager, bbs, modem, car, isdn, pcs.  These can be put together.  Separation is done by parameter list (Type=msg;Type=home) or by value list (voice,home).<br />
Once the type is selected, you can mark one number as the preferred number (the device will call this number first).  So if Santa Clause had two numbers, it would look like this:<br />
TEL;WORK;VOICE,pref:(999)555-1234<br />
TEL;CELL;VOICE:(999)555-1212.</p>
<p>Line 8: Addresses.  Yet another entry that has multiple options (be it parameter or value list).  Possible entries (which can be combined) are:</p>
<p>*Dom &#8211; Domestic Delivery Address<br />
*Intl &#8211; International Delivery Address<br />
*Postal &#8211; Postal Delivery Address<br />
*Parcel &#8211; Parcel Delivery Address<br />
*Home &#8211; A person’s residence<br />
*Work &#8211; A persons Work address<br />
*Pref &#8211; Preferred Address</p>
<p>Here’s an example of two addresses for Santa Clause.</p>
<pre>
ADR;TYPE=dom,work,postal,parcel:;;123 Candy Cane Ln;Fargo;ND;58102-1234
ADR;TYPE=dom,home,postal,parcel,pref:;;567 Gum Drop Circle;Fargo;ND;58102-1234
</pre>
<p>The first address is Santa’s work address.  The second address is his home address, where he prefers that his mail goes.</p>
<p>Line 9: This is a given, a URL (Uniform Resource Locator).  In this case it’s Santa’s shop.</p>
<p>Line 10: Email Address.  Yup, another easy one to figure out; you’re starting to get the hang of this! There can be more than one email address of course, thus the PREF option in case there is more than one way to contact Santa.  The only other option is the INTERNET or x400 addressing type.  Odds are, you will stick with using INTERNET unless your business is using x400 standards.</p>
<p>Line 11: Notes. This is just a text value that goes into the note field for contact information.  Useful for little tidbits of information about the person, company, etc.</p>
<p>Line 12: REV: This is the revision date, useful for date/time stamping of different revisions to a VCard.  I use this when I update my contact card inside of VI, in case I forget when I last updated my contact information.</p>
<p>Line 13: See Line 1. Very, very important.</p>
<p>Okay, so there you have it; the basics of the VCard.  Now I didn’t go as in-depth as I possibly could have.  There are many, many more options that you can add to a VCard.  If you’re interested in other options, please check out RFC 2426 (see link above) for other stuff that you can add to your VCard.</p>
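<p>To make the line-by-line breakdown above concrete, here is a small Python parser for the card. This is an added example, not part of the original post: it checks the BEGIN:VCARD/END:VCARD envelope, splits the N and ADR component lists on unescaped semicolons, reduces both TYPE=a,b parameter lists and bare ;a;b value lists to one type list, and picks the pref entry the way a phone decides which number to dial first. It goes one step beyond the post by also unfolding continuation lines (a line starting with a space or tab continues the previous one), which is how RFC 2425/2426 wrap long lines. The sample card is constructed inline from the Santa Clause examples, with the second preferred work number, the home address and a folded NOTE added.</p>

```python
from typing import Any, Dict, List, Tuple

# Constructed sample: the Santa Clause card from the post, plus the second
# (preferred) work number, the home address, and a NOTE folded across two lines.
SAMPLE_VCARD = "\r\n".join([
    "BEGIN:VCARD",
    "VERSION:3.0",
    "N;LANGUAGE=en-us:Clause;Santa",
    "FN:Santa Clause",
    "TITLE:Big Daddy Clause",
    "CATEGORIES:Presents, Santa, Holiday, Christmas",
    "TEL;WORK;VOICE,pref:(999)555-1234",
    "TEL;CELL;VOICE: (999) 555-1212",
    "ADR;TYPE=dom,work,postal,parcel:;;123 Candy Cane Ln;Fargo;ND;58102-1234",
    "ADR;TYPE=dom,home,postal,parcel,pref:;;567 Gum Drop Circle;Fargo;ND;58102-1234",
    "URL:http://www.santaslittlehelper.com",
    "EMAIL;PREF;INTERNET:stnick@northpole.com",
    "NOTE:You Better not Pout you Better ",
    " not Cry",
    "REV:2010-12-23",
    "END:VCARD",
])


def unfold(text: str) -> List[str]:
    """Join folded lines: a line starting with space/tab continues the previous one
    (the line break and that single leading blank are removed)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [line for line in lines if line]


def split_unescaped(value: str, sep: str) -> List[str]:
    """Split on sep while honouring backslash escapes, so '\\;' stays a literal ';'."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            cur.append(value[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_content_line(line: str) -> Tuple[str, List[str], str]:
    """'TEL;CELL;VOICE: (999) 555-1212' -> ('TEL', ['cell', 'voice'], '(999) 555-1212')."""
    head, _, value = line.partition(":")
    name, *params = head.split(";")
    types: List[str] = []
    for param in params:
        key, _, val = param.partition("=")
        if val and key.upper() == "TYPE":          # parameter list: TYPE=dom,work
            types.extend(t.lower() for t in val.split(","))
        elif not val:                               # value list: ;CELL;VOICE,pref
            types.extend(t.lower() for t in param.split(","))
        # other parameters (LANGUAGE=en-us, ...) are accepted and ignored here
    return name.upper(), types, value.strip()


def parse_vcard(text: str) -> Dict[str, Any]:
    lines = unfold(text)
    if not lines or lines[0].upper() != "BEGIN:VCARD" or lines[-1].upper() != "END:VCARD":
        raise ValueError("vCard must start with BEGIN:VCARD and end with END:VCARD")
    card: Dict[str, Any] = {"tel": [], "adr": [], "email": []}
    for line in lines[1:-1]:
        name, types, value = parse_content_line(line)
        if name == "N":  # Family;Given;Additional;Prefixes;Suffixes
            fields = split_unescaped(value, ";") + [""] * 5
            card["n"] = dict(zip(("family", "given", "additional", "prefixes", "suffixes"), fields[:5]))
        elif name == "TEL":
            card["tel"].append({"types": types, "number": value, "pref": "pref" in types})
        elif name == "ADR":  # PO box;extended;street;locality;region;postcode;country
            fields = split_unescaped(value, ";") + [""] * 7
            keys = ("pobox", "extended", "street", "locality", "region", "postcode", "country")
            card["adr"].append({"types": types, "pref": "pref" in types, **dict(zip(keys, fields[:7]))})
        elif name == "EMAIL":
            card["email"].append({"types": types, "address": value, "pref": "pref" in types})
        elif name == "CATEGORIES":
            card["categories"] = [c.strip() for c in split_unescaped(value, ",")]
        else:  # VERSION, FN, TITLE, URL, NOTE, REV ... keep as plain strings
            card[name.lower()] = value
    return card


def preferred(entries: List[Dict[str, Any]]):
    """The entry flagged pref, else the first one (what a device dials or mails first)."""
    return next((e for e in entries if e["pref"]), entries[0] if entries else None)
```

<p>Line 1 and line 13 are enforced by the envelope check, so a card missing END:VCARD is rejected outright instead of being half-imported, which is the kind of failure the post describes running into.</p>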
<p>One  last thing that I would like to cover on the VCards, is inputting  images into the VCard.  Some of you might think this is silly, and it  very well might be.  But remember, if a client, friend, co-worker, etc  enters your v-card data into their smart phone; that image is going to  be displayed when they call you, or you call them.  Imagine putting the  logo of your company, or something that might get a potential client  thinking about you (In my case, it’s the linux mascot).  When they see  you calling, before they notice your name their eyes are usually drawn  to the image that is displayed on their mobile device.</p>
<p><strong>Image display in V-Cards</strong></p>
<p>Okay, now for the fun part, and the list of ingredients.<br />
*base64 application (type: which base64 to make sure it’s installed on your machine; if not, then fetch coreutils)<br />
*console access<br />
*An image that isn’t too big or too small (I would say no bigger than 1”x1”)</p>
<p>Because  of the way that Base64 and VCards work, the encoding must be on a  single line (no carriage returns).  I whipped up a script that will  input the base64 information into your VCard.  For this purpose, add the  following line into your VCard:</p>
<pre>PHOTO;TYPE=JPEG;ENCODING=BASE64:INSERTBASE64HERE</pre>
<p>This  states that the information is a photo, the image is in JPEG format  (this can also be GIF, PNG, etc) and the encoding is base64.  The  INSERTBASE64HERE is a placeholder for sed in the following script:</p>
<pre>#!/bin/bash
# Usage: ./contact-image.sh image.jpg contact-info.vcf
# Base64-encodes the image on one line and puts it in place of INSERTBASE64HERE.
if [ "$#" -ne 2 ]; then
    echo "usage: $0 image.jpg contact-info.vcf" &gt;&amp;2
    exit 1
fi
FILENAME="$1"
CONTACT="$2"
CHAR=$(base64 --wrap=0 "$FILENAME")
sed -i "s|INSERTBASE64HERE|${CHAR}|g" "$CONTACT"
</pre>
<p>In order to insert the image into your contact card, you need to do the following:<br />
1.  Copy this script to the directory that contains your contact-info.vcf  and name it whatever you want (in this case: contact-image.sh) and make  it executable: chmod a+x contact-image.sh<br />
2. Copy the JPEG image into the same directory<br />
3. Execute the script as follows: ./contact-image.sh  fileofimage.jpg contact-info.vcf</p>
<p>What this simple little script does is base64-encode your image and place it inside your VCard.  Now when you go look at your VCard, you will see the Base64 encoding in place of ‘INSERTBASE64HERE’.</p>
<p>There you have it, images inside of your VCard.</p>
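<p>For anyone who would rather not shell out to sed, here is the same step in Python, added here as an example rather than taken from the post. It does what contact-image.sh does (base64 without line wrapping, substituted for the INSERTBASE64HERE placeholder) and adds the two checks I would want before trusting the result: the placeholder must appear exactly once, so running it twice cannot double-embed or quietly do nothing, and the PHOTO value must decode back to the original bytes on a single line. The image bytes and the card text are constructed inline; the bytes are only a stand-in for a real JPEG, and embed_photo_file is the file-based wrapper that matches the script's two arguments.</p>

```python
import base64
from pathlib import Path

PLACEHOLDER = "INSERTBASE64HERE"

# Constructed stand-in for a real image: JPEG start/end markers around filler bytes.
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 2 + b"\xff\xd9"

# Constructed minimal card carrying the placeholder line from the post.
SAMPLE_VCARD = "\r\n".join([
    "BEGIN:VCARD",
    "VERSION:3.0",
    "N:Clause;Santa",
    "FN:Santa Clause",
    "PHOTO;TYPE=JPEG;ENCODING=BASE64:INSERTBASE64HERE",
    "END:VCARD",
])


def embed_photo(vcard_text: str, image: bytes) -> str:
    """Replace the placeholder with the unwrapped base64 of the image
    (the same effect as: base64 --wrap=0 image.jpg, then sed into the .vcf)."""
    if vcard_text.count(PLACEHOLDER) != 1:
        raise ValueError("expected exactly one INSERTBASE64HERE placeholder")
    encoded = base64.b64encode(image).decode("ascii")  # b64encode never inserts line breaks
    return vcard_text.replace(PLACEHOLDER, encoded)


def extract_photo(vcard_text: str) -> bytes:
    """Decode the PHOTO value back to bytes, to verify the round trip."""
    for line in vcard_text.splitlines():
        if line.upper().startswith("PHOTO;"):
            _, _, value = line.partition(":")
            return base64.b64decode(value, validate=True)
    raise ValueError("no PHOTO line found")


def photo_is_single_line(vcard_text: str) -> bool:
    """True when the PHOTO line is not followed by a folded continuation line,
    i.e. the whole encoding sits on one line as the post requires."""
    lines = vcard_text.splitlines()
    idx = next(i for i, line in enumerate(lines) if line.upper().startswith("PHOTO;"))
    return not (idx + 1 < len(lines) and lines[idx + 1][:1] in (" ", "\t"))


def embed_photo_file(image_path: str, vcf_path: str) -> int:
    """File-based equivalent of ./contact-image.sh image.jpg contact-info.vcf;
    rewrites the .vcf in place and returns the number of characters written."""
    vcf = Path(vcf_path)
    updated = embed_photo(vcf.read_text(encoding="utf-8"), Path(image_path).read_bytes())
    return vcf.write_text(updated, encoding="utf-8")


if __name__ == "__main__":
    card = embed_photo(SAMPLE_VCARD, SAMPLE_IMAGE)
    print(card.splitlines()[4][:60] + "...")
    print("round trip ok:", extract_photo(card) == SAMPLE_IMAGE, "single line:", photo_is_single_line(card))
```

<p>Keep the image small, as the post says: the base64 text is about a third larger than the file, and it all lands on one line of the card.</p>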
<p><strong>Now What?</strong><br />
Now that you have a VCard, the world is your oyster.  As an example; I have done the following with my VCard:</p>
<p>*Placed a copy inside of my address book in Evolution &#8211; This way I can attach my VCard to emails and others can add my contact information<br />
*Placed my VCard on my phone as a contact point.  From here (android) I can SMS, Bluetooth, or Email my Contact Card to people<br />
*Placed  my VCard on my Website &#8211; I let certain people know the location to my  VCard so that they can add my contact information from their cellphone,  or desktop machine<br />
*Embedded  my VCard hyperlink into a QR Code that is on my Personal Contact Card.   This way, someone can scan my card with their cellphone’s camera phone  and automatically add my contact information to their phone.</p>
<p>On  that last option, one thing that I did have to modify for this to work  was the contents of my .htaccess (or httpd.conf) file. I had to do this  in order for certain mobile devices (re: android 2.1 &amp; 2.2 so far)  to automatically download the VCard as a contact card instead of  displaying the raw VCard data on the mobile browser.  The addition that I  made to my apache configuration file was this:</p>
<pre>
&lt;Files *.vcf&gt;
Header set Content-Disposition attachment
&lt;/Files&gt;
</pre>
<p>Once  this is added and apache is reloaded, someone viewing your VCard data  from their mobile phone will be prompted to download the VCard.  Once  the VCard is downloaded and the person opens the attachment; they should  be prompted to add your contact information into their phone.</p>
<p>So there you have it; a down and dirty introduction to VCards.  By creating VCards that adhere to the RFC2426 standard, you can make your VCards viewable on a range of operating systems and devices.  Sure, you can create a VCard inside of Outlook, Evolution, Thunderbird, etc., but this way you know that your custom VCard follows the RFC2426 rules.  That, and there’s the cool factor of creating your own VCard from the command line!</p>
]]></content:encoded>
			<wfw:commentRss>http://jaysonbroughton.com/2010/12/creating-custom-contact-cards/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
