Network Configuration and Services

I have written a lot of drivel previously about the various aspects of managing network services, as I’ve tried to figure out the improvements that have been made in Linux networking over the last 30 years. I don’t read the kernel threads, don’t know what’s happening a lot of the time, and haven’t been good about being attentive to release notes, so I get behind and then have to catch up. Previous efforts to catch up have usually been in a hurry when something was busted, and weren’t comprehensive.

This time I have tried to be a bit more comprehensive, so I could settle on the set of solutions and tools I am going to use on the 20 or so different boxes where I have to set this stuff up. A few of them actually need something special, but not most of them. Still, things have to be consistent, and I need to know what I’m doing – at least better than I previously did.

Onedrive

Today I turned on onedrive on my Windows box. Actually two windows boxes, one 10 and one 11. And also, to be accurate, on the Windows 10 box I had to go to some trouble to actually reinstall onedrive which I had long ago completely removed in a fit of pique.

Most of the stuff I write in this blog is about technical stuff I have figured out, and want to record so I can read about what I did later on after I have inevitably forgotten it. This is different. This is more like a cathartic confession, hopefully with the side-effect of purging myself of an unhealthy attitude I have. My confession is that I am unfairly biased against Microsoft, and I tend to automatically reject as unworthy almost anything they create, and I do so sometimes without giving it a fair shake.

Here is the quintessential example. Onedrive is (IMHO) yet another in a long line of ideas which Microsoft rips off from Apple. E.g., in the recent past, Apple created Timemachine, whereupon Microsoft introduces Filehistory. Then Apple creates iCloud, and thereafter Microsoft introduces Onedrive. I don’t love Apple, but that is for industrial policy reasons. When it comes to innovation, though, one has to admit that Apple is constantly innovating. Apple is a visionary innovative engineering company excited by new ideas, which happens also to be excellent at marketing. Microsoft, in my opinion, is a marketing company which is seldom innovative and mostly copies (or buys) other people’s ideas.

I don’t really use iCloud very much, but mostly because I don’t do much actual work on any Macs, and because I don’t take a lot of pictures or listen to a lot of music. I have the default free amount of iCloud storage, but don’t pay for more.

But the important point is that I don’t “resent” iCloud. It doesn’t make me angry. It is there, and like most Apple engineered products it is somewhat seamless. On the other hand, I resented One Drive. I resent that it superimposes itself on Windows, and cannot be ignored. I resent that it is always whining about my not having logged in, and nagging me. I resent most of all that it actually changes the way the file explorer/file system works. Once One Drive was implemented, what I used to know about how my friends’ files were set up became wrong. So typical of Microsoft… they know best, they change things fundamentally and the user must adapt. Reminds me of the old jokes about AT&T pre-breakup. Rule 1: We are AT&T, we don’t care, we don’t have to, we are AT&T. Rule 2: Screw you, see rule 1.

But as time has gone on, I have stopped tilting at this particular windmill. Microsoft may have copied the idea from Apple, but it does make a lot of sense in some ways, like some other changes in the Microsoft experience. I have begun to use a Microsoft account for login on Windows boxes. That also, for a long time I refused to do. And I am letting the Windows boxes do their backup on Onedrive. Because — leaving aside the uber-paranoid reactions that many of us feel about all the big companies having all our data, the fact is that this is a far easier way to do backup. It is a far easier way to reinstall a new machine. All the mumbo-jumbo one used to have to do with windows license keys and licenses for other microsoft products (if one is so unfortunate and foolish to still be paying them for Office for example, which I am not) — all that stuff becomes automatic.

So, grumble, grumble… I am signing my windows boxes in with a microsoft account, and I am letting them back up on onedrive. Grumble, grumble.

Switching Mail Sending to Amazon

This is another aide-memoire about changes in mail on Tarragon.

Some weeks back a change in one of the website contact pages was made and the captcha code was inadvertently omitted. There followed a period of massive junk email directed at the owner of the site, on her Google Gmail account. Google decided to cut off tarragon’s IP address.

Although the problem is fixed, google has not relented. And this is the same kind of issue I have had in the past with microsoft. Although I have never been a source of spam, the big mail outfits are quick to ban the ip address of any small personal smtp server, and it takes a lot of effort to convince them to release the ban. I am tired of it. Despite my quixotic desire to run my own mail server as a symbolic cry against the erosion of personal services on the internet, I am tired of fighting, and I think it is time to stop.

Using IWD instead of wpa_supplicant

I always feel like I am a few years behind. Here is another example. Here at nearly the end of 2021 I have learned about IWD (iNet Wireless Daemon), which is a replacement for wpa_supplicant.

This is just to record a few facts about experiences over the last couple of days, subsequent to receiving and setting up a new frame.work laptop. I installed Arch on this laptop, and initially followed what I had previously done in the earlier post: Switching to systemd-networkd.

One of the problems described in that post is that if one follows what it says, a side-effect is the loss of any very good “graphical” way to switch a laptop from one SSID to another. I detail there how I used a downloaded package called wpa_gui to do that, but while it is a good step forward, it is a bit clunky. Maybe I’m not using it exactly right… I mean no disrespect to its authors, and am glad it exists; but I went looking for something else. And I discovered the IWD package.

When I downloaded and installed IWD, in ignorance, I managed to completely eliminate my wireless device and spent a good deal of time recovering. Following are some things I learned. But there are two different changes in my environment going on here, and while they are related I’m not claiming that one requires the other. One of the changes is the substitution of IWD for wpa_supplicant as the party responsible for interacting with wireless radios, selecting one, authenticating to it, and making it available as a device. The second change is that I have begun to use NetworkManager again, in conjunction with systemd-networkd.

IWD is a systemd service, as are wpa_supplicant, NetworkManager, and systemd-networkd, and it is possible to create a great deal of confusion when all of these bits are installed on the same system. If one desires to have more confusion, one has only to do all this on an Ubuntu system, where the presence of Canonical’s netplan software adds another order of magnitude of complexity, and additional opportunities for foot target practice.

One of the big opportunities for confusion arises when IWD renames network devices. If one has “.network” files (for steering systemd-networkd) which rely upon matches on the device names, surprise! The device names (like wlp11s0) get changed to (e.g.) wlan0 by IWD.

I probably don’t understand all this well enough to attempt to explain it, and will probably only look foolish if I try, so instead I will just detail where I ended up on two of my laptops.

I have enabled the services IWD, systemd-networkd and NetworkManager. In /etc/NetworkManager/NetworkManager.conf I have a [device] section containing the setting “wifi.backend=iwd”, which instructs NetworkManager to rely on IWD rather than wpa_supplicant and prevents NetworkManager from trying to start a wpa_supplicant. I have removed the local service file /etc/systemd/system/wpa_supplicant/wpa_supplicant@wlp11s0 (which I had described in my previous blog post), and have stopped and disabled (and even masked) the associated wpa_supplicant@wlp11s0 service as well as the plain wpa_supplicant service.

Update, March 2022: I was trying to switch some things around on a Debian 11 box, and was unable to get a wireless connection until, after reading some upstream NetworkManager material, I found a suggestion that I add iwd-config-path=auto in the [main] section of /etc/NetworkManager/NetworkManager.conf (the same file where I put in the backend spec). Until I did this it was unable to connect to anything.

In /etc/systemd/network I have a .network file, 09_<laptop>_wireless.network, containing the networkd description, same as before, except that the [Match] section now says “Name=wl*” instead of the previous “Name=wlp*” (because IWD changes the name from wlp11s0 to wlan0).
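The two fragments described above, as an added example in script form (not the blog’s own files): it writes a NetworkManager drop-in with wifi.backend=iwd and iwd-config-path=auto, and a .network unit whose [Match] uses Name=wl*. DESTDIR (a prefix for dry runs), the LAPTOP name and the DHCP=yes body are assumptions of mine.

```shell
#!/bin/sh
# Added example, not the blog's own files. DESTDIR is an assumed prefix so the
# functions can be dry-run in a scratch directory; LAPTOP is the <laptop> part.
set -eu
DESTDIR="${DESTDIR:-}"
LAPTOP="${LAPTOP:-laptop}"

# NetworkManager: IWD as Wi-Fi backend (so no wpa_supplicant gets started) plus
# the [main] key that the Debian 11 update needed. A conf.d drop-in is used here
# instead of editing NetworkManager.conf itself; NetworkManager merges both.
write_nm_conf() {
    d="$DESTDIR/etc/NetworkManager/conf.d"
    mkdir -p "$d"
    cat >"$d/iwd.conf" <<'EOF'
[main]
iwd-config-path=auto

[device]
wifi.backend=iwd
EOF
    echo "$d/iwd.conf"
}

# systemd-networkd: Name=wl* keeps matching after IWD renames wlp11s0 to wlan0.
# The [Network] body is assumed; the post only says "same as before".
write_network_unit() {
    d="$DESTDIR/etc/systemd/network"
    mkdir -p "$d"
    f="$d/09_${LAPTOP}_wireless.network"
    cat >"$f" <<'EOF'
[Match]
Name=wl*

[Network]
DHCP=yes
EOF
    echo "$f"
}

# Fails (non-zero) if any of the three keys the post relied on is missing.
check_config() {
    nm="$DESTDIR/etc/NetworkManager/conf.d/iwd.conf"
    grep -q '^wifi.backend=iwd$' "$nm" &&
    grep -q '^iwd-config-path=auto$' "$nm" &&
    grep -q '^Name=wl\*$' "$DESTDIR/etc/systemd/network/09_${LAPTOP}_wireless.network"
}

# The service changes from the post, printed rather than run (no root needed).
service_steps() {
    printf '%s\n' \
      'systemctl disable --now wpa_supplicant.service wpa_supplicant@wlp11s0.service' \
      'systemctl mask wpa_supplicant.service wpa_supplicant@wlp11s0.service' \
      'systemctl enable --now iwd.service systemd-networkd.service NetworkManager.service'
}
```

Source the script with DESTDIR pointing at a scratch directory to preview the generated files, then call the functions as root with DESTDIR unset to write them for real.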

Finally, one of these laptops is still Ubuntu, so one gets the additional joy of netplan. There, in the /etc/netplan directory, I went back to a yaml file which names the “renderer” as NetworkManager instead of systemd-networkd. My current, perhaps flawed, understanding of this setting in netplan is that when netplan runs at boot time it uses the (collected and merged) yaml files to build the files for either systemd-networkd (in /run/systemd/network/) or NetworkManager (in /run/NetworkManager/). These generated files then get combined with similar files from /lib and from /etc (the latter having greatest priority, the former least, and /run in the middle).

Going back to NetworkManager has one downside for me, the thing which drove me earlier to abandon NetworkManager in favor of systemd-networkd, and that is the specification of the IPv6 DUID to be used when soliciting an IPv6 address from DHCPv6. I can’t find information about how to stipulate the DUID to be used (for example in this nm_connection documentation). What I have done is develop better tools to figure out what NetworkManager decided to send, so I can arrange for the DHCPDv6 server to assign a static address to that DUID.

Protecting ssh

I have a dozen or so boxes, mostly little raspberry pis, out in people’s houses which let me do backups for them, and attach to their networks. I’ve documented this before in “Gateway pi”, “Memory on the Gateway Pi”, and “Timemachine on Gateway pi” for example.

Connection between these boxes and my house is with SSH, and I use openssh certificates as described in “Using openssh certificates” and “Re-signing Openssh Certificates”. However, there has always been a little nagging problem, which is that these boxes must (re-)establish their connection to me automatically upon reboot, without user intervention. This means that the private keys that accompany the certificates cannot be encrypted, for that would require human intervention.

So there is a risk. Those raspberry pis have upon them a certificate and a private key which would enable access to boxes in my house. Not completely unrestricted access, and not root access, but nevertheless.

Adding mail accounts

This is a memory aid, like a lot of these posts. Because I forget how to do things and have to figure it out again.

Adding mail accounts on virtual mailbox domains requires two things: a) make an entry in /etc/postfix/virtualmb and posthash it, and b) ensure the username exists in the users database on tarragon.

Adding mail accounts on the primary wmbuck.net domain (without creating a login account and home directory, etc.) requires a) making an entry in /etc/postfix/localrecipientsmap and posthashing it, and b) adding the username to the users database.

Detecting SSH Brute Force

It always annoys me when I see the log filling up with ssh attacks. It isn’t really a worry: these are password-guessing attacks and, since passwords aren’t permitted, they will never work.

I’ve been meaning for a long time to investigate the tools available in iptables with the “recent” module to detect them and block them. Today I finally did it.

There is a little script in /root called sshdrop, which contains the iptables rules. It is parameterized, but currently set to react to more than 2 SYNs in 20 seconds, and sends rejects with tcp-reset.

I also downloaded a little python script to inspect /proc/net/xt_recent/DEFAULT and decode it a bit, which lets me see how many attackers there are, and how recently. The script is invoked with ipt_recents -txt.

Seems to be working well.
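An added example for the rule and the decoding described above (not the /root/sshdrop script or the downloaded python tool): sshdrop_rules prints iptables recent-module rules for the stated policy, and the remaining functions decode /proc/net/xt_recent lines, here from a constructed sample so it runs offline. The list name, port, window and HZ (the kernel tick rate used to turn jiffies into seconds) are assumed parameters.

```shell
#!/bin/sh
# Added example, not the blog's /root/sshdrop script nor the downloaded decoder.
# sshdrop_rules prints recent-module rules for the stated policy; the other
# functions decode /proc/net/xt_recent lines. HZ is an assumed CONFIG_HZ value.
set -eu

SSH_PORT="${SSH_PORT:-22}"
WINDOW="${WINDOW:-20}"     # seconds
HITS="${HITS:-3}"          # --hitcount 3 means "more than 2"
LIST="${LIST:-DEFAULT}"    # xt_recent list name (/proc/net/xt_recent/DEFAULT)
HZ="${HZ:-250}"            # jiffies per second; see CONFIG_HZ in your kernel config

# Printed, not applied. --set records every SYN first; --update then rejects
# once HITS stamps fall inside WINDOW, and refreshes the stamp, so a source
# that keeps hammering stays blocked until it goes quiet for WINDOW seconds.
sshdrop_rules() {
    m="-p tcp --dport $SSH_PORT --syn -m recent --name $LIST"
    printf 'iptables -A INPUT %s --set\n' "$m"
    printf 'iptables -A INPUT %s --update --seconds %s --hitcount %s -j REJECT --reject-with tcp-reset\n' \
        "$m" "$WINDOW" "$HITS"
}

# Constructed sample in the kernel's xt_recent format:
#   src=IP ttl: N last_seen: J oldest_pkt: I J1, J2, ...   (J values are jiffies)
SAMPLE='src=198.51.100.7 ttl: 51 last_seen: 4295012345 oldest_pkt: 2 4295012000, 4295012100, 4295012345
src=203.0.113.9 ttl: 57 last_seen: 4295010000 oldest_pkt: 0 4295010000'

# One line per source (from stdin): hit count and how long before the newest
# entry it was last seen. Jiffies are not wall-clock time, so only the
# difference between entries is meaningful; it is divided by HZ to get seconds.
summarize_recent() {
    awk -v hz="$HZ" '
    { n++; src[n] = substr($1, 5); last[n] = $5; hits[n] = NF - 7
      if ($5 > newest) newest = $5 }
    END { for (i = 1; i <= n; i++)
            printf "%-15s hits=%d last_seen=%.1fs before newest\n",
                   src[i], hits[i], (newest - last[i]) / hz }'
}

# Number of sources (from stdin) that reached the blocking threshold.
count_offenders() {
    awk -v min="$HITS" 'NF - 7 >= min { c++ } END { print c + 0 }'
}

case "${1:-}" in
    rules) sshdrop_rules ;;
    live)  summarize_recent < "/proc/net/xt_recent/$LIST" ;;
    demo)  printf '%s\n' "$SAMPLE" | summarize_recent ;;
esac
```

Run it with the argument rules, demo or live (the last as root, reading the real xt_recent list).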

Headless Windows 10

The oldest physical box in the house, a 12-year-old Core2 Quad in an old case, was my Windows 10 box, nutmeg, which I don’t use very much except to test out various things under Windows. I don’t do much with Windows any more, yet it was attached to one of the three monitors on my desk, using up 1/3 of my total screen real estate; and it was generating heat and fan noise, and its presence offended me. I decided it needed to move to the basement, alongside Cinnamon and Rosemary, who are already down there in a rack, banished to the basement because they have a lot of disk drives, and so generate a lot of heat and noise.

I bought another rack mount chassis, and moved nutmeg’s innards to it. This proved annoyingly difficult because various old bits of hardware decided this was a good time to give up the ghost; I lost two old disk drives that decided to stop functioning. But eventually I got everything up and running.

The idea was that I would manage the box, on the relatively few occasions I needed to do so, just as I do both Cinnamon and Rosemary, with a VNC connection. So after it was up and running on my work table, I pulled the monitor, keyboard and mouse and rebooted. But attempting to connect with VNC failed. For the record, this was TightVNC.

I eventually found that VNC would work if and only if I had a monitor attached. Furthermore, if I had a monitor attached and established a VNC viewer to nutmeg, if I then unplugged the monitor the VNC viewer would immediately freeze. WTF?

Without making this a long story, I found that the problem could be resolved by changing an option in Settings/Accounts/Sign-in options which is down at the bottom under Privacy, and reads “Use my sign-in info to automatically finish setting up my device after an update or restart.”

So my mental model of what is going on is that if that option is set, windows is attempting to “set up my device” and I suppose the device it is trying to “set up” must be the monitor. What I don’t exactly get is why the VNC viewer should freeze when an existing monitor is removed. I suppose that removal generates some event internally, and processes attached in some way as consumers must be killed or something. Not sure. I don’t need to understand it. I have very few cycles in my advanced age and am not planning to waste any of them trying to figure out Windows.

I was very pleased that after I did this, and was able to connect via VNC, I was able to set the resolution to various values up to 4K. And after rebooting and reattaching it even retained my display resolution setting.

Attaching and backing up the iphone

I have an iPhone 11. From time to time it would be nice to be able to attach it to my network. Always a struggle.

The old Macbook Pro can only run High Sierra, and then only with some special jiggery-pokery. I can sometimes get iTunes on the Macbook to connect to the iPhone, and can usually figure out how to get data into some app using that, or to do a backup, but it is a hassle. The Windows 10 box with iTunes won’t connect to it at all, and (typical of Windows) won’t explain why. I really just want to mount it without all the fuss.

I found a guy on the net who claimed to be able to mount his iPhone on Arch, so I tried following his instructions, which basically involved installing a few libraries: usbmuxd, libplist, libimobiledevice and ifuse, the last of which I had to install from AUR. That was easy enough.

Then reboot, plug in the iPhone, and voila. It is detected.

I created a directory /ginger, and mounted it with ifuse /ginger, and Bob’s your uncle, I have access to its disk on Arch.

Then I checked on a whim whether I could do a backup. Sure enough libimobiledevice comes with idevicebackup2 which, supposedly, will do a backup of the device. Alas, it doesn’t work, complaining of a protocol mismatch, which according to the net means that the version 1.3.0-3 available on Arch is not the latest, and I need 1.3.1. The option is to download from git and compile from source.

This is low priority for me. I still can do an occasional backup on the Macbook, when I think of it, either locally or to iCloud, via iTunes. The local backup is stored in /Users/dee/Library/Application Support/MobileSync/backup and can be copied elsewhere by root. I don’t actually have much on the iPhone that needs a backup. Many people have their contacts and calendar exclusively on the phone, but I keep both my contacts and calendar in radicale on my server and connect to them from everywhere.

I may eventually do this if there comes a time the backups become important. For now I’ll just wait till a later version shows up in Arch.

Waiting for system online with systemd

I had previously used the NetworkManager utility nm-online in my startup script as described in Waiting for networks, but now that I have moved to systemd-networkd that isn’t available anymore.

There is a fair amount of stuff on the net about the systemd service called systemd-networkd-wait-online.service. And indeed, that is a useful service, if one wants other services to wait for the network to be online. But most of it seems to miss the point somehow, or at least one big point. I found various statements on the net that systemd doesn’t have the equivalent of nm-online. The only way in which that is true is if one means by it that systemd doesn’t have something as primitive. In truth what systemd has is much better, and much more powerful.
