
“Trumpster Fire”

“Trumpster fire” – John Gruber knocks it out of the park again with my favorite phrase of the week when he compares the Republican National Convention to a “Trumpster fire” – awesomely apt description.

http://daringfireball.net/linked/2016/07/21/nba-north-carolina

http://www.urbandictionary.com/define.php?term=trumpster%20fire

Despicable and predatory practices by corporations (Microsoft)

This is nauseating…

https://www.thurrott.com/windows/windows-10/67367/upgradegate-microsofts-upgrade-deceptions-undermining-windows-10

I was annoyed by Apple’s pushy iOS 9.3.2 upgrade pressure; but this is way beyond anything Apple has done so far…


Wow – visualizing the massive scale of global shipping is interesting

We live in amazing times indeed where planetary shipping can be visualized like this…

Adding a MediaWiki to BananaPi

In a previous post I covered how to stand up CentOS 7 on BananaPi:
https://blog.scottnolan.org/2016/03/16/bananapi-server-running-centos-7-linux/

This is how to add Apache, PHP, MariaDB and MediaWiki to a BananaPi.

Install a bunch of software:
yum -y install httpd php php-mysql php-gd php-xml mariadb-server mariadb

First, set up the database:
systemctl start mariadb
mysql_secure_installation

disable anonymous users
enforce only local root login
remove test database
reload priv tables

mysql -u root -p
CREATE USER 'wiki'@'localhost' IDENTIFIED BY 'CHANGE_MARIADB_PASSWORD';
CREATE DATABASE wikidatabase;
GRANT ALL PRIVILEGES ON wikidatabase.* TO 'wiki'@'localhost';
FLUSH PRIVILEGES;
SHOW DATABASES;
SHOW GRANTS FOR 'wiki'@'localhost';
exit
systemctl enable mariadb

I like to store the passwords in a password vault like KeePassX, 1Password, or LastPass.

Set up apache:
systemctl enable httpd
vi /etc/httpd/conf/httpd.conf

Change DocumentRoot "/var/www/html"
to DocumentRoot "/var/www"

Change "DirectoryIndex index.html"
to "DirectoryIndex index.html index.html.var index.php"

echo "It Works" >> /var/www/index.html
systemctl start httpd.service

Configure firewall to allow WebService
yum -y install system-config-firewall-tui
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

Test by pointing a browser at the IP_OF_BANANAPI

Now install MediaWiki:

cd /root
wget http://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.2.tar.gz
curl -O http://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.2.tar.gz.sig
gpg --verify mediawiki-1.26.2.tar.gz.sig mediawiki-1.26.2.tar.gz
cd /var/www
tar -zxf /root/mediawiki-1.26.2.tar.gz
ln -s mediawiki-1.26.2/ mediawiki
chown -R apache:apache /var/www/mediawiki
systemctl restart httpd.service

Point a web browser at http://IP_OF_BANANAPI/mediawiki to finish setting up the Wiki.

Enjoy your own Wiki server.

Caching BIND name server on BananaPi

I previously covered how to install CentOS 7 Linux and NTPD on BananaPi here:
https://blog.scottnolan.org/2016/03/16/bananapi-server-running-centos-7-linux/

This post is how to install BIND name server for caching DNS on BananaPi.

Install and enable the BIND software:
yum -y install bind bind-chroot
systemctl enable named.service

Go get a root hints file:
yum -y install wget
wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /var/named/named.root
cp /usr/share/doc/bind-*/sample/etc/named.rfc1912.zones /var/named/chroot/etc

Update your named.conf file:
vi /etc/named.conf

Change the string listen-on port 53 { 127.0.0.1; };
to listen-on port 53 { 127.0.0.1; IP_OF_BANANAPI; };

Change allow-query { localhost; };
to allow-query { localhost; 192.168.1.0/24; }; (only use whatever subnet you have)

Add to options block:
forward first;
forwarders {
71.252.0.12;
4.2.2.2;
208.67.222.222;
8.8.8.8;
};

Use IPs for the public caches that are fastest from your location; I use NameBench on my Mac to determine the fastest local servers.

That creates a caching name server; you can also (optionally) add local zones too if you like.

Configure firewall to allow DNS:
yum -y install system-config-firewall-tui
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
chgrp named -R /var/named
chown -v root:named /etc/named.conf
restorecon -rv /var/named
restorecon /etc/named.conf
named-checkconf /etc/named.conf
cd ; systemctl start named
cd ; systemctl restart named

Install dig/nslookup tools and verify your BIND/DNS server:
yum -y install bind-utils
nslookup www.cnn.com 127.0.0.1
nslookup google.com 127.0.0.1

Test from another computer:
nslookup google.com IP_OF_BANANAPI

Congratulations – you have a caching DNS server.
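
The allow-query change above is what keeps this box from answering recursive queries for anyone who can reach it. The check below is an added example, not part of the original post: the function names, the sample options block and the 192.168.1.10 address are constructed, and it relies on BIND 9's documented fallback from allow-recursion to allow-query-cache to allow-query.

```shell
#!/bin/sh
# Added example: decide whether a named.conf like the one edited above
# would answer recursive queries for anyone (an open resolver).

# Hypothetical helper: print the address list of one clause.
# $1 = clause name (e.g. allow-query), $2 = path to named.conf
acl_of() {
    tr '\n' ' ' < "$2" |
        sed -n "s/.*[[:space:]]$1[[:space:]]*{\([^}]*\)}.*/\1/p"
}

# Prints "open" if the effective recursion ACL contains "any" or
# 0.0.0.0/0, otherwise "restricted". BIND 9 falls back from
# allow-recursion to allow-query-cache to allow-query; with none set
# it uses localnets and localhost, which counts as restricted here.
resolver_exposure() {
    acl=$(acl_of allow-recursion "$1")
    [ -n "$acl" ] || acl=$(acl_of allow-query-cache "$1")
    [ -n "$acl" ] || acl=$(acl_of allow-query "$1")
    case " $(printf '%s' "$acl" | tr ';' ' ') " in
        *" any "*|*" 0.0.0.0/0 "*) echo open ;;
        *) echo restricted ;;
    esac
}

# Constructed sample options block; $2 is the allow-query list to test.
write_sample_named_conf() {
    cat > "$1" <<EOF
options {
    listen-on port 53 { 127.0.0.1; 192.168.1.10; };
    allow-query { $2 };
    recursion yes;
    forward first;
    forwarders { 8.8.8.8; };
};
EOF
}

conf=$(mktemp)
write_sample_named_conf "$conf" "localhost; 192.168.1.0/24;"
echo "as configured in this post: $(resolver_exposure "$conf")"
write_sample_named_conf "$conf" "any;"
echo "with allow-query { any; }: $(resolver_exposure "$conf")"
rm -f "$conf"
```
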

BananaPi server running CentOS 7 Linux

I enjoy tinkering with small, energy-efficient servers. My latest toy is a LeMaker BananaPi (RaspberryPi clone, but with eSATA and gigabit ethernet).

Grab a CentOS 7 for ARM image from http://mirror.centos.org/altarch/7/isos/armhfp/, mine happens to be CentOS-Userland-7-armv7hl-Minimal-1511-BananaPi.img

Stuff that onto an SD card (mine is 16GB, but this should work even smaller) using dd commands. Insert the SD card into the BananaPi, plug the server into a MicroUSB power supply and it should boot and get an initial IP address from your DHCP server if you have one. Find that IP by checking your router; or connect keyboard, mouse, and monitor to see the console of the server (optional).

Find the device name for the SD card by TYPE, NAME, SIZE
df -h or sudo diskutil list

On my Mac the device name is /dev/disk6s1
sudo diskutil umount /dev/disk6s1

For the DD command, switch to the raw device name and the whole disk (/dev/rdisk6) to go much faster.
sudo dd if=/Users/snolan/Downloads/CentOS-Userland-7-armv7hl-Minimal-1511-BananaPi.img of=/dev/rdisk6 bs=4m ; tput bel
Control-T to check progress of DD command – mine took about 20 minutes…

Pop the SD card into the BananaPi and power it on.
Check your router or DHCP server to see the new device’s IP address on the network.

SSH into the root@IP_of_server or use the console to login as root – either way initial password is “centos” which needs to be changed ASAP! Put your new root password into your password vault (I use KeePassX).

Let’s configure this little Server to use a static IP address now…

Find the device name of the active interface (eg: eth0):
nmcli dev status

cd /etc/sysconfig/network-scripts/
ls -l ifcfg*
vi ifcfg-eth0 (switch to your interface/device name)

The ifcfg-XXX file should look like:
DEVICE="eth0"
HWADDR="your:mac:address:here:please"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO=static
IPADDR=192.168.subnet.ipaddr
NETMASK=255.255.255.0

Update the network file:
vi /etc/sysconfig/network

The network file should look like:
GATEWAY=192.168.subnet.router
HOSTNAME=fqdn_of_new_server
DNS1=ip_primary_nameserver
DNS2=ip_secondary_nameserver
SEARCH=search_domain_of_your_network

Restart networking:
systemctl restart network.service

You will need a stable system clock; I like to use GMT so arbitrary daylight saving stupidity does not impact my databases:
yum -y install ntp

Verify you can reach some public time servers:
grep "^server" /etc/ntp.conf

ntpdate -q 0.centos.pool.ntp.org
You want to see stratum values in low single digits (stratum 2 or stratum 3)…

ntpq -p
Make sure the servers you are looking at are stratum 2 or 3 (the “st” field in the tabular output)…

vi /etc/ntp.conf

Add the following line:
restrict 192.168.subnet.ip mask 255.255.255.0 nomodify notrap

systemctl stop ntpd
systemctl enable ntpd
systemctl start ntpd

Test locally:
ntpdate -q 127.0.0.1
That should show a low single digit stratum number (3 or 4)…
date
That should show current UTC/GMT time…

Configure firewall to allow NTP
yum -y install system-config-firewall-tui
firewall-cmd --permanent --add-service=ntp
firewall-cmd --permanent --add-port=123/udp
firewall-cmd --reload

Test from another computer:
ntpdate -q 192.168.subnet.ip_of_server
That should show a low single digit stratum number (3 or 4)…

See which clients are using my NTP server
ntpdc -c monlist
yum install tcpdump
tcpdump udp port 123 -i any
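
The restrict line added to ntp.conf above carries nomodify and notrap but not noquery, so every host in that subnet can send ntpq/ntpdc queries such as monlist to this server. The audit below is an added example, not part of the original post; the function names and the sample configuration (including the 192.168.1.0 subnet) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list ntp.conf "restrict" entries that still answer
# ntpq/ntpdc queries (monlist included) because they lack "noquery".

# Hypothetical helper: $1 = path to an ntp.conf.
# Prints one address (or "default") per entry that allows queries.
ntp_query_open() {
    awk '
        $1 == "restrict" {
            sub(/#.*/, "")                     # strip trailing comment
            i = ($2 == "-4" || $2 == "-6") ? 3 : 2
            addr = $i
            # Local queries from loopback are expected; skip them.
            if (addr == "127.0.0.1" || addr == "::1") next
            q = 1
            for (j = i + 1; j <= NF; j++)
                if ($j == "noquery" || $j == "ignore") q = 0
            if (q) print addr
        }
    ' "$1"
}

# Constructed sample resembling the configuration built in this post.
write_sample_ntp_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
server 0.centos.pool.ntp.org iburst
EOF
}

conf=$(mktemp)
write_sample_ntp_conf "$conf"
echo "Entries that can query this server (add noquery to close):"
ntp_query_open "$conf"
rm -f "$conf"
```

Time service itself is unaffected by noquery; it only stops the ntpq/ntpdc control queries from the listed addresses.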

DNS (Caching name server) and Apache/MariaDB/MediaWiki in another post…

Splunk Forwarder on BananaPi

I have been tinkering with a nifty little RaspberryPi clone made by Lemaker and called BananaPi (basically a RaspberryPi model B with 1 gigabyte memory, eSATA connector, and gigabit ethernet). It’s the size of a deck of playing cards in its clear acrylic case, and runs CentOS 7 Linux server operating system.

I have it running ntpd, named (DNS BIND), httpd, MariaDB, PHP, and MediaWiki. I’ll probably put other things on it soon. Like any server, it should be monitored; so I was delighted to find an ARM based Splunk Forwarder at https://splunkbase.splunk.com/app/1611

Now my logs and events are getting shipped to my Splunk indexer and I can monitor and graph anything that logs on the BananaPi.

Steven Levy nails it, again – why are we fighting for the right to privacy again?

Steven Levy has an excellent article about the current attempt by the FBI to squash privacy and encryption, and why this all sounds so familiar: we already had this battle before, twice, in the 1990s… and both times wisdom prevailed. Will it prevail again?

https://backchannel.com/why-are-we-fighting-the-crypto-wars-again-b5310a423295

Remember the dreaded “Clipper” chip and everyone worrying about Net Nannies with the Gores at the helm? Hell, our entire electronic commerce system only works because of public key cryptography. If agencies are allowed back doors into that, then there ultimately is no way to trust electronic financial transactions at all.

Excellent reading, and thank you Apple for fighting the good fight for the rest of us.

Vegetable Garden, 2016

Having a gently warm spring weekend has encouraged me to start on the garden this year; so far I am just tilling the soil with an old garden fork and thinking about how best to prevent deer and rabbit from eating everything.

Empty garden bed, ready for fence and seeds.

Fresh tilled garden bed.

Remaining from prior years is a little Rosemary, a lot of Oregano, the heavy trimmed back Fig tree/bush, and one or two carrots. I plan to rotate the plantings and put corn, squash, peas, beans, and lettuces in the big bed (it housed tomatoes, melons, zucchini, and radishes last year) and put tomatoes, cucumbers, and zucchini in the triangular bed this year. Herbs and chili peppers stay where it is hot, tight against the garage wall.

While out clearing leaves and dead-fall from winter, I found a few treasures to share and noticed that the cherry tree has buds forming:

tiny irises

tiny daffodils

hyacinth I think

more hyacinth?


Ransomware targeting Mac OS X posing as Transmission 2.90

It looks like some extortionists hijacked the transmissionbt.com website and, for about 36-48 hours, published a fake version of Transmission (BitTorrent client) that claims to be v2.90 but is actually RansomWare that will encrypt your files and demand payment for decryption keys. Don’t use Transmission v2.90 and be careful out there.

http://arstechnica.com/security/2016/03/first-mac-targeting-ransomware-hits-transmission-users-researchers-say/

I guess Mac OS X has finally achieved mainstream status if the bad guys are really targeting it now. Prior fake malware has all been posing as illegal/unlicensed copies of commercial software; so far as I know this one is a first to target through freeware.