Skip to content

“Trumpster Fire”

“Trumpster fire” – John Gruber knocks it out of the park again with my favorite phrase of the week when he compares the Republican National Convention to a “Trumpster fire” – awesomely apt description.

http://daringfireball.net/linked/2016/07/21/nba-north-carolina

http://www.urbandictionary.com/define.php?term=trumpster%20fire

Dispicable and predatory practices by corporations (Microsoft)

This is nauseating…

https://www.thurrott.com/windows/windows-10/67367/upgradegate-microsofts-upgrade-deceptions-undermining-windows-10

I was annoyed by Apple’s pushy iOS 9.3.2 upgrade pressure; but this is way beyond anything Apple has done so far…

Tagged , , ,

Wow – visualizing the massive scale of global shipping is interesting

We live in amazing times indeed where planetary shipping can be visualized like this…

Adding a MediaWiki to BananaPi

In previous post I covered how to stand up CentOS 7 on BananaPi:
http://blog.scottnolan.org/2016/03/16/bananapi-server-running-centos-7-linux/

This is how to add Apache, PHP, MariaDB and MediaWiki to a BananaPi.

Install a bunch of software:
yum -y install httpd php php-mysql php-gd php-xml mariadb-server mariadb

First, set up the database:
systemctl start mariadb
mysql_secure_installation

disable anonymous users
enforce only local root login
remove test database
reload priv tables

mysql -u root -p
CREATE USER 'wiki'@'localhost' IDENTIFIED BY 'CHANGE_MARIADB_PASSWORD';
CREATE DATABASE wikidatabase;
GRANT ALL PRIVILEGES ON wikidatabase.* TO 'wiki'@'localhost';
FLUSH PRIVILEGES;
SHOW DATABASES;
SHOW GRANTS FOR 'wiki'@'localhost';
exit
systemctl enable mariadb

I like to store the passwords in a password vault like KeePassX, 1Password, or LastPass.

Set up apache:
systemctl enable httpd
vi /etc/httpd/conf/httpd.conf

Change DocumentRoot “/var/www/html”
to DocumentRoot “/var/www”

Change change ” DirectoryIndex index.html”
to ” DirectoryIndex index.html index.html.var index.php”

echo "It Works" >> /var/www/index.html
systemctl start httpd.service

Configure firewall to allow WebService
yum -y install system-config-firewall-tui
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

Test by pointing a browser at the IP_OF_BANANAPI

Now install MediaWiki:

cd /root
wget http://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.2.tar.gz
curl -O http://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.2.tar.gz.sig
gpg --verify mediawiki-1.26.2.tar.gz.sig mediawiki-1.26.2.tar.gz
cd /var/www
tar -zxf /root/mediawiki-1.26.2.tar.gz
ln -s mediawiki-1.26.2/ mediawiki
chown -R apache:apache /var/www/mediawiki
systemctl restart httpd.service

Finish setting up your MediaWiki Server by pointing a web browser at http://IP_OF_BANANAPI/mediawiki and finish setting up the Wiki.

Enjoy your own Wiki server.

Caching BIND name server on BananaPi

I previously covered how to install CentOS 7 Linux and NTPD on BananaPi here:
http://blog.scottnolan.org/2016/03/16/bananapi-server-running-centos-7-linux/

This post is how to install BIND name server for caching DNS on BananaPi.

Install and enable the BIND software:
yum -y install bind bind-chroot
systemctl enable named.service

Go get a root hints file:
yum -y install wget
wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /var/named/named.root
cp /usr/share/doc/bind-*/sample/etc/named.rfc1912.zones /var/named/chroot/etc

Update your named.conf file:
vi /etc/named.conf

Change the string listen-on port 53 { 127.0.0.1; };
to listen-on port 53 { 127.0.0.1; IP_OF_BANANAPI; };

Change allow-query { localhost; };
to allow-query { localhost; 192.168.1.0/24; }; (only use whatever subnet you have)

Add to options block:
forward first;
forwarders {
71.252.0.12;
4.2.2.2;
208.67.222.222;
8.8.8.8;
};

Use IPs for the public caches that are fastest from your location; I use NameBench on my Mac to determine the fastest local servers.

That creates a caching name server; you can also (optionally) add local zones too if you like.

Configure firewall to allow DNS:
yum -y install system-config-firewall-tui
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
chgrp named -R /var/named
chown -v root:named /etc/named.conf
restorecon -rv /var/named
restorecon /etc/named.conf
named-checkconf /etc/named.conf
cd ; systemctl start named
cd ; systemctl restart named

Install dig/nslookup tools and verify your BIND/DNS server:
yum -y install bind-utils
nslookup www.cnn.com 127.0.0.1
nslookup google.com 127.0.0.1

Test from another computer:
nslookup google.com IP_OF_BANANAPI

Congratulations – you have a caching DNS server.

BananaPi server running CentOS 7 Linux

I enjoy tinkering with small, energy-efficient servers. My latest toy is a LeMaker BananaPi (RaspberryPi clone, but with eSATA and gigabit ethernet).

Grab a CentOS 7 for ARM image from http://mirror.centos.org/altarch/7/isos/armhfp/, mine happens to be CentOS-Userland-7-armv7hl-Minimal-1511-BananaPi.img

Stuff that onto an SD card (mine is 16GB, but this should work even smaller) using dd commands. Insert the SD card into the BananaPi, plug the server into a MicroUSB power supply and it should boot and get an initial IP address from your DHCP server if you have one. Find that IP by checking your router; or connect keyboard, mouse, and monitor to see the console of the server (optional).

Find the device name for the SD card by TYPE, NAME, SIZE
df -h or sudo diskutil list

On my Mac the device name is /dev/disk6s1
sudo diskutil umount /dev/disk6s1

For the DD command, switch to the raw device name and the whole disk (/dev/rdisk6) to go much faster.
sudo dd if=/Users/snolan/Downloads/CentOS-Userland-7-armv7hl-Minimal-1511-BananaPi.img of=/dev/rdisk6 bs=4m ; tput bel
Control-T to check progress of DD command – mine took about 20 minutes…

Pop the SD card into the BananaPi and power it on.
Check your router or DHCP server to see the new device’s IP address on the network.

SSH into the root@IP_of_server or use the console to login as root – either way initial password is “centos” which needs to be changed ASAP! Put your new root password into your password vault (I use KeePassX).

Let’s configure this little Server to use a static IP address now…

Find the device name of the active interface (eg: eth0):
nmcli dev status

cd /etc/sysconfig/network-scripts/
ls -l ifcfg*
vi ifcfg-
eth0 (switch to your interface/device name)

The ifcfg-XXX file should look like:
DEVICE="eth0"
HWADDR="your:mac:address:here:please"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO=static
IPADDR=192.168.subnet.ipaddr
NETMASK=255.255.255.0

Update the network file:
vi /etc/sysconfig/network

The network file should look like:
GATEWAY=192.168.subnet.router
HOSTNAME=fqdn_of_new_server
DNS1=ip_primary_nameserver
DNS2=ip_secondary_nameserver
SEARCHsearch_domain_of_your_network

Restart networking:
systemctl restart network.service

You will need stable system clock, I like to use GMT so arbitrary daylight saving stupidity does not impact my databases:
yum -y install ntp

Verify you can reach some public time servers:
grep "^server" /etc/ntp.conf

ntpdate -q 0.centos.pool.ntp.org
You want to see stratum values in low single digits (stratum 2 or stratum 3)…

ntpq -p
Make sure the servers you are looking at are stratum 2 or 3 (the “st” field in the tabular output)…

vi /etc/ntp.conf

Add the following line:
restrict 192.168.subnet.ip netmask 255.255.255.0 nomodify notrap

systemctl stop ntpd
systemctl enable ntpd
systemctl start ntpd

Test locally:
ntpdate -q 127.0.0.1
That should show a low single digit stratum number (3 or 4)…
date
That should show current UTC/GMT time…

Configure firewall to allow NTP
yum -y install system-config-firewall-tui
firewall-cmd --permanent --add-service=ntp
firewall-cmd --permanent --add-port=123/udp
firewall-cmd --reload

Test from another computer:
ntpdate -q 192.168.subnet.ip_of_server
That should show a low single digit stratum number (3 or 4)…

See which clients are using my NTP server
ntpdc -c monlist
yum install tcpdump
tcpdump udp port 123 -i any

DNS (Caching name server) and Apache/MariaDB/MediaWiki in another post…

Splunk Forwarder on BananaPi

I have been tinkering with a nifty little RaspberryPi clone made by Lemaker and called BananaPi (basically a RaspberryPi model B with 1 gigabyte memory, eSATA connector, and gigabit ethernet). It’s the size of a deck of playing cards in it’s clear acrylic case, and runs CentOS 7 Linux server operating system.

I have it running ntpd, named (DNS BIND), httpd, MariaDB, PHP, and MediaWiki. I’ll probably put other things on it soon. Like any server, it should be monitored; so I was delighted to find an ARM based Splunk Forwarder at https://splunkbase.splunk.com/app/1611

Now my logs and events are getting shipped to my Splunk indexer and I can monitor and graph anything that logs on the BananaPi.

Steven Levy nails it, again – why are we fighting for the right to privacy again?

Steven Levy has an excellent article about the current attempt to squash privacy and encryption by the FBI and why this all sounds so familiar, it’s because we already had this battle before, twice, in the 1990s… and both times wisdom prevailed. Will it prevail again?

https://backchannel.com/why-are-we-fighting-the-crypto-wars-again-b5310a423295

Remember the dreaded “Clipper” chip and everyone worrying about Net Nannies with the Gores at the helm? Hell, our entire electronic commerce system only works because of public key cryptography. If agencies are allowed back doors into that, then there ultimately is no way to trust electronic financial transactions at all.

Excellent reading, and thank you Apple for fighting the good fight for the rest of us.

Vegetable Garden, 2016

Having a gently warm spring weekend has encouraged me to start on the garden this year; so far I am just tilling the soil with an old garden fork and thinking about how best to prevent deer and rabbit from eating everything.

Empty garden bed, ready for fence and seeds.

Fresh tilled garden bed.

Remaining from prior years is a little Rosemary, a lot of Oregano, the heavy trimmed back Fig tree/bush, and one or two carrots. I plan to rotate the plantings and put corn, squash, peas, beans, and lettuces in the big bed (it housed tomatoes, melons, zucchini, and radishes last year) and put tomatoes, cucumbers, and zucchini in the triangular bed this year. Herbs and chili peppers stay where it is hot, tight against the garage wall.

While out clearing leaves and dead-fall from winter, I found a few treasures to share and noticed that the cherry tree has buds forming:

tiny irises

tiny irises

tiny daffodils

tiny daffodils

hyacinth I think

hyacinth I think

more hyacinth?

more hyacinth?

Tagged

Ransomware targeting Mac OS X posing as Transmission 2.90

It looks like some extortionists hijacked the transmissionbt.com website, and published for about 36-48 hours a fake version of Transmission (bitTorrent client) that claims to be v2.90 but is actually RansomWare that will encrypt your files and demand payment for decryption keys. Don’t use Transmission v2.90 and be careful out there.

http://arstechnica.com/security/2016/03/first-mac-targeting-ransomware-hits-transmission-users-researchers-say/

I guess Mac OS X has finally achieved mainstream status if the bad guys are really targeting it now. Prior fake malware has all been posing as illegal/unlicensed copies of commercial software, so far as I know this one is a first to target through freeware.