Asterisk attack

August 31st, 2010

There was a lot of talk about this being the next menace after email spam. I’m not actually sure what it’s called for VoIP systems, but my Asterisk setup has started to be attacked over the last few days. Lots of entries like:

[Aug 27 19:20:30] NOTICE[18826] chan_sip.c: Registration from '"742"<sip:742@a.b.c.d>' failed for '208.109.86.187' - No matching peer found
...
[Aug 31 10:13:10] NOTICE[18826] chan_sip.c: Registration from '"1002" <sip:1002@a.b.c.d>' failed for '41.191.224.2' - Wrong password

Many such messages are logged every second, and I noticed this because the CPU load on my PC suddenly jumped up quite a bit.

For the moment I’ve routed these addresses via the interface lo0 so they won’t bother me any more, but I need to come up with a better solution.

First I’m curious whether applications like Asterisk or FreeSWITCH have any built-in anti-abuse controls to recognise bad behaviour and disable those abusers. I’m pretty sure I’ve not read about anything of the sort for Asterisk, and I’m currently reading the FreeSWITCH book I bought but haven’t come across it yet. It seems that applications like this may need to have such controls added at some point, just as sendmail, postfix and most mail servers have had to adjust to a hostile world.

The other option of course is to use a firewall or packet filter to limit the incoming traffic rate from a single IP to port 5060 (or wherever SIP connections are being accepted) so that an IP going over the limit is blocked for some time. I think iptables can do this, so I’m going to have to read about how to configure and set that up.

There are other applications designed to watch logs and use them to automatically add temporary blocks. fail2ban is one of these. I’ll also have to see if I can configure it for this task.
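As an added example (not the post’s own code, and not Asterisk or fail2ban code either), here is the kind of log watcher fail2ban would apply to this problem: it parses the chan_sip “Registration … failed” NOTICEs shown above, counts failures per source address in a sliding window (fail2ban’s maxretry/findtime idea), and produces the iptables rule a ban action would apply for anyone over the threshold. The log lines are constructed for the example in the same shape as the ones in the post; the source addresses are documentation ranges, and the year is an assumption because Asterisk’s timestamps do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the shape of the chan_sip NOTICEs quoted in the post.
# 203.0.113.10 tries five unknown extensions in two seconds (a scan);
# 198.51.100.7 gets a real extension's password wrong twice, five minutes apart.
SAMPLE_LOG = """\
[Aug 27 19:20:30] NOTICE[18826] chan_sip.c: Registration from '"742"<sip:742@a.b.c.d>' failed for '203.0.113.10' - No matching peer found
[Aug 27 19:20:30] NOTICE[18826] chan_sip.c: Registration from '"743"<sip:743@a.b.c.d>' failed for '203.0.113.10' - No matching peer found
[Aug 27 19:20:31] NOTICE[18826] chan_sip.c: Registration from '"744"<sip:744@a.b.c.d>' failed for '203.0.113.10' - No matching peer found
[Aug 27 19:20:31] NOTICE[18826] chan_sip.c: Registration from '"745"<sip:745@a.b.c.d>' failed for '203.0.113.10' - No matching peer found
[Aug 27 19:20:32] NOTICE[18826] chan_sip.c: Registration from '"746"<sip:746@a.b.c.d>' failed for '203.0.113.10' - No matching peer found
[Aug 27 19:25:00] NOTICE[18826] chan_sip.c: Registration from '"1002" <sip:1002@a.b.c.d>' failed for '198.51.100.7' - Wrong password
[Aug 27 19:30:00] NOTICE[18826] chan_sip.c: Registration from '"1002" <sip:1002@a.b.c.d>' failed for '198.51.100.7' - Wrong password
"""

NOTICE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[^']+)' - (?P<reason>.+)$"
)


def parse_notice(line, year=2010):
    """Return a dict for a failed-registration NOTICE, or None for any other line.
    Asterisk's timestamp has no year, so one is supplied (assumed to be `year`)."""
    m = NOTICE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "reason": m["reason"], "from": m["from"]}


def find_offenders(lines, maxretry=5, findtime=60, year=2010):
    """Return {ip: first moment it reached `maxretry` failures within `findtime` seconds}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    offenders = {}
    for line in lines:
        ev = parse_notice(line, year)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry and ev["ip"] not in offenders:
            offenders[ev["ip"]] = ev["ts"]
    return offenders


def failures_by_reason(lines, year=2010):
    """Count failures per Asterisk reason text (scan vs. password guessing)."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_notice(line, year)
        if ev:
            counts[ev["reason"]] += 1
    return dict(counts)


def block_rule(ip, port=5060):
    """The iptables rule a ban action would apply; returned as a string, not executed."""
    return f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(failures_by_reason(lines))
    for ip, when in find_offenders(lines).items():
        print(f"{when:%b %d %H:%M:%S} {ip} exceeded threshold -> {block_rule(ip)}")
```

With the defaults (5 failures within 60 seconds) only the scanning address is flagged; the two wrong-password attempts five minutes apart are not, which is the distinction you want before a ban action starts locking out a legitimate phone that merely has a stale password.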

So if this has happened to you how do you protect your VoIP systems from that hostile world of the Internet?

Don’t forget to monitor your nameservers

August 24th, 2010

As I mentioned in a past article I got my IPv6 connectivity working, so I started setting up various IPv6 services. One of these was to set up my name server so it also worked over IPv6.

This worked fine, but recently I lost my IPv6 connectivity and thought no more about it. I’m trying to get it working again but that hasn’t happened yet.

Over the last few days I’ve had some intermittent issues logging in to my home PC from my laptop and I couldn’t figure out why. Eventually I had a look at the DNS requests and, of course, some requests were being made to my unreachable name server. This caused network delays while the resolver timed out before trying one of the IPv4 name servers and correctly retrieving the information.

So, in conclusion: if you set yourself up with a name server for your domain and include access over IPv6, make sure you monitor it. I do run nagios at home and intend to add some extra checks so that I can see if there are problems. Even when just playing with IPv6, if you don’t have things set up properly it can affect non-IPv6 activity…

Once the unreachable IPv6 AAAA entry was removed from my name server things went back to normal.

Using LVM snapshot filesystems for development database instances

August 22nd, 2010

The Problem

Developers often need a development copy of the live production database so that they can test their code, test new functionality and make the schema changes needed for that functionality to work.

That’s normal and happens everywhere. A typical DBA task is to make a copy of the live system, sometimes to remove any confidential or sensitive information which perhaps the development database users should not be able to see, and then give them access to this development instance. The developers then “hack away”, changing their code and perhaps things in the database until they are ready to put these new changes into production when they then come along and discuss how to apply these changes into the live systems.

Once the development database has been created it soon becomes stale, so the developers often want a new up-to-date copy made to “simplify” their testing.

This is all fine until the database size begins to grow and the process of dumping and copying the data for the developers takes hours rather than minutes, and can therefore only be done on a daily or weekly basis.

I have recently been experimenting with mounting the development database instance on an LVM snapshot of the filesystem the live system is running on. This procedure does not have to be Linux specific; it should work with any OS or storage which can make a filesystem snapshot based on the contents of another filesystem.

So what does this mean in practice?

Previous Behaviour:

Situation: server1 has a live production copy of the database. We want to make a copy to server2. server2 is already prepared with a configuration which will work based on the copy of the production data.

Procedure: stop server1, copy the filesystem holding the database to server2, start server1, start server2. [The copy procedure takes hours.]

New Behaviour:

Situation: server1 has a live production copy of the database (probably via a slave), and space/memory for a second development instance to run concurrently on the same server.

Procedure: stop server1 (live instance), make an LVM snapshot of the live filesystem (the snapshot size can be much smaller than the live filesystem size), start server1 (live instance), start server1 (development instance). [The copy procedure takes just a few seconds.]

Since I do this with the live system being a slave, I also include a routine to disable replication on the snapshot filesystem by removing the appropriate files. It may also be necessary to adjust the grants on the dev-instance so that they are appropriate for the new set of db users.

To all intents and purposes, when you log in to the development instance it looks like an up-to-date copy of the live system. You can make as many changes as you like as long as the number of disk blocks changed on the snapshot does not exceed the snapshot size. At that point the snapshot filesystem becomes invalid and mysqld is unable to access it. Mysqld gets a bit upset about this, but you just kill it and rebuild the instance again if this happens – it only takes a few seconds.

This works pretty well and speeds things up for the developers: I can create a new development environment from the live system in seconds rather than hours, and the disk storage requirements also tend to drop significantly. If you do a daily refresh of this development instance it lets the developers test any schema changes that will need to be applied to the live system much more easily, as “going back to the current live state” is so easy.

So if you haven’t done something like this it might be worth giving it a go.

This is an example of the output from a script I’m currently using:

[root@myhost ~]# clone_instance -s40G -d live-instance dev-instance
Aug 22 10:57:00 myhost clone_instance[16405] Cloning live-instance to dev-instance with a snapshot volume of size 40G
Aug 22 10:57:00 myhost clone_instance[16405] /mysql/live-instance is mounted as expected
Aug 22 10:57:00 myhost clone_instance[16405] Device /dev/volgroup1/live-instance is mounted on /mysql/live-instance, having volume group: volgroup1, logical volume: live-instance
Aug 22 10:57:00 myhost clone_instance[16405] live-instance is defined in /etc/my.cnf [mysqld1]
Aug 22 10:57:00 myhost clone_instance[16405] dev-instance is defined in /etc/my.cnf [mysqld2]
Aug 22 10:57:00 myhost clone_instance[16405] Found defaults file /root/.my-live.cnf needed to shutdown live-instance
Aug 22 10:57:00 myhost clone_instance[16405] Going to viciously kill any processes using files under mount point: /mysql/dev-instance
Aug 22 10:57:02 myhost clone_instance[16405] Unmounting /mysql/dev-instance
Aug 22 10:57:02 myhost clone_instance[16405] Removing existing SNAPSHOT LV /dev/volgroup1/dev-instance
Logical volume "dev-instance" successfully removed
Aug 22 10:57:03 myhost clone_instance[16405] SNAPSHOT LV /dev/volgroup1/dev-instance removed
Aug 22 10:57:03 myhost clone_instance[16405] Shutting down live-instance [mysqld1] using mysqldmin and defaults file /root/.my-live.cnf (as 'mysqld_multi stop 1' does not seem work properly)
Aug 22 11:02:34 myhost clone_instance[16405] Creating new snapshot LV dev-instance (40G) based on /dev/volgroup1/live-instance
Logical volume "dev-instance" created
Aug 22 11:02:35 myhost clone_instance[16405] Restarting live-instance [mysqld1] using mysqld_multi start 1
Aug 22 11:02:35 myhost clone_instance[16405] Mounting SNAPSHOT LV /dev/volgroup1/dev-instance on /mysql/dev-instance
Aug 22 11:02:35 myhost clone_instance[16405] Cleaning up log files on SNAPSHOT LV
Aug 22 11:02:35 myhost clone_instance[16405] Removing replication information from SNAPSHOT LV
Aug 22 11:02:35 myhost clone_instance[16405] Found defaults file /root/.my-dev.cnf needed to access dev-instance
Aug 22 11:02:35 myhost clone_instance[16405] Starting SNAPSHOT DB instance dev-instance [mysqld2] using: 'mysqld_multi start 2'
Aug 22 11:02:35 myhost clone_instance[16405] Clone procedure complete.
[root@myhost ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
...
/dev/mapper/volgroup1-live--instance
160G  135G   26G  84% /mysql/live-instance
/dev/mapper/volgroup1-dev--instance
160G  134G   27G  84% /mysql/dev-instance
[root@myhost ~]# lvs
LV             VG        Attr   LSize   Origin         Snap%  Move Log Copy%  Convert
live-instance  volgroup1 owi-ao 160.00G
dev-instance   volgroup1 swi-ao  40.00G live-instance    2.06
[root@myhost ~]#

The longest part of the procedure is shutting down the active live slave. The rest of the time is insignificant.
The “dev experience” when using this dev-instance is just as before. The instance works, can be modified and behaves just as you would expect.
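As an added example (this is not the clone_instance script from the post, nor anything from LVM or MySQL), the procedure above can be written down as an ordered command plan that is printed in a dry run before anything is executed, together with a parser for `lvs` output so that the snapshot’s copy-on-write usage (the Snap% column shown above) can be watched before it overflows and the snapshot is invalidated, which is the failure mode the post describes. Volume group, LV names, mount points, the snapshot size and the defaults file are illustrative values taken from the post’s output; the `lvs -o` column names used are standard LVM field names; the `Swi-I-` sample row for an overflowed snapshot is constructed.

```python
import shlex
import subprocess

# Ask lvs for exactly the fields we need, pipe separated, so parsing does not
# depend on column alignment. lv_attr[0] is 's' for a usable snapshot and 'S'
# for a snapshot that has overflowed and become invalid.
LVS_CMD = ["lvs", "--noheadings", "--separator", "|",
           "-o", "lv_name,vg_name,lv_attr,origin,snap_percent"]

# Constructed output in the shape LVS_CMD produces, using the post's LV names and 2.06%.
SAMPLE_LVS = (
    "  live-instance|volgroup1|owi-ao||\n"
    "  dev-instance|volgroup1|swi-ao|live-instance|2.06\n"
)


def parse_snapshot_usage(text):
    """Map 'vg/lv' -> {origin, percent, valid} for every snapshot LV in `text`."""
    usage = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5 or not parts[0]:
            continue
        lv, vg, attr, origin, pct = parts
        if attr[:1] in ("s", "S"):
            usage[f"{vg}/{lv}"] = {
                "origin": origin,
                "percent": float(pct) if pct else None,
                "valid": attr[0] == "s",
            }
    return usage


def snapshot_state(usage, key, warn_at=80.0):
    """OK / WARN / INVALID / MISSING for the snapshot named by `key` ('vg/lv')."""
    info = usage.get(key)
    if info is None:
        return "MISSING"
    if not info["valid"]:
        return "INVALID"      # overflowed: mysqld on it will fail, rebuild the instance
    if info["percent"] is not None and info["percent"] >= warn_at:
        return "WARN"         # refresh before the developers hit the wall
    return "OK"


def clone_commands(vg="volgroup1", live_lv="live-instance", dev_lv="dev-instance",
                   snap_size="40G", dev_mount="/mysql/dev-instance",
                   live_group="1", dev_group="2",
                   live_defaults="/root/.my-live.cnf"):
    """The ordered steps of the post's procedure. Killing processes that hold the
    dev mount, cleaning logs and removing the replication files are left out here
    because their details depend on the MySQL version in use."""
    return [
        ["umount", dev_mount],                                            # fails harmlessly on first run
        ["lvremove", "-f", f"/dev/{vg}/{dev_lv}"],                        # drop the previous snapshot
        ["mysqladmin", f"--defaults-file={live_defaults}", "shutdown"],   # stop live (longest step)
        ["lvcreate", "-L", snap_size, "-s", "-n", dev_lv, f"/dev/{vg}/{live_lv}"],
        ["mysqld_multi", "start", live_group],                            # live back up within seconds
        ["mount", f"/dev/{vg}/{dev_lv}", dev_mount],
        ["mysqld_multi", "start", dev_group],                             # dev instance on the snapshot
    ]


def run_plan(commands, dry_run=True, tolerate=("umount", "lvremove")):
    """Print every command; execute them too unless dry_run (needs root and LVM)."""
    for cmd in commands:
        print(shlex.join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=cmd[0] not in tolerate)


def current_snapshot_usage():
    """Run LVS_CMD on this host and parse it (needs root and LVM)."""
    out = subprocess.run(LVS_CMD, check=True, capture_output=True, text=True).stdout
    return parse_snapshot_usage(out)


if __name__ == "__main__":
    run_plan(clone_commands(), dry_run=True)
    usage = parse_snapshot_usage(SAMPLE_LVS)
    print(snapshot_state(usage, "volgroup1/dev-instance"), usage)
```

Running `snapshot_state` from cron against `current_snapshot_usage()` gives an early warning well before the 100% mark, which is cheaper than discovering the overflow when mysqld on the dev instance starts failing.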

Review of IPv6 Network Administration

August 18th, 2010

Originally submitted at O’Reilly

This essential guide explains what works, what doesn’t, and most of all, what’s practical about IPv6–the next-generation Internet standard. A must-have for network administrators everywhere looking to fix their network’s scalability and management problems. Also covers other IPv6 ben…

A little outdated – needs updating

By Simon Mudd from Madrid, Spain on 8/18/2010
3 out of 5

Pros: Well-written, Easy to understand

Cons: Too basic

I forgot to check the date this book was published before buying it, and that was a mistake. The content was pretty good, but as it was written in 2005 a lot of what it says regarding operating system versions and the current status of software is well out of date. That’s unfortunate and could probably be easily corrected. I think the target audience is not clear; I am looking from a hobbyist’s perspective at how to set up my current home network for IPv6 and I did not really get enough information. Wifi is pretty common now, for instance, but if the wifi router you use does not support IPv6 (which is typical) then you have to make tunnels in your own IPv4 LAN to achieve connectivity between hosts.

I have many other O’Reilly titles and some of them are very good. I was hoping for more from this one especially as I had previously bought IPv6 Essentials some time back.


IPv6 Reading list

August 18th, 2010

I have just returned from holiday and, while it’s not my normal holiday reading, in some of my spare time I managed to read a couple of books on IPv6 I’d recently bought to get me up to scratch and refresh my memory on the topic.

These books are:

The first book is quite good, and while a little old it provided a good solid background for me on the subject. A lot of the information was not relevant to my interest in setting up a SOHO network, but that’s not really a problem. The background was interesting.

The second book was a bit of a mistake. I’d ordered it because it was a second edition and therefore up to date, but I hadn’t realised that it was by Microsoft. Not a problem really, but of course the focus was very much on Windows and Windows commands to achieve many things. I was surprised that Microsoft don’t support RIPng (IPv6) or OSPFv3, even if they don’t really expect many Windows administrators to actually use them. There’s also quite a lot of talk about ISATAP and Teredo tunnelling, which is not even mentioned in the Cisco book. Whether that’s because the Cisco book is not fully up to date or simply because these are rather Windows-centric tunnelling mechanisms I’m not so sure.

So in the end the two books were useful, certainly the Cisco one, and I liked the routing information in particular.

I’m curious if you can recommend other IPv6 specific books, especially those related more to Linux and perhaps setting up systems in a SOHO environment. Comments welcome.

I’m also considering setting up another router with openwrt as this seems to be a good way to get the connectivity independently of the IPv4 infrastructure I currently have. That however is still work in progress and while my IPv6 tunnel is down I can’t make much progress.

Checking IPv6 support in my existing hardware

July 24th, 2010

As part of my IPv6 setup I wanted to check what support I could expect for my current hardware. This post relates the results I got by checking on each one.

  • Linux PC – IPv6 is supported in Linux
  • MacBook – IPv6 is supported in MacOS X
  • Windows 7 NetBook – IPv6 is supported in Windows 7
  • Draytek Vigor 2820N – Draytek support in Spain confirmed there are no plans to implement IPv6 on this box, but they have one IPv6-aware router so future models should hopefully have support.
  • HP Officejet Pro L7680 Printer – this printer has a network connection. A support request on HP’s website generated an automatic message saying my printer was no longer supported. So there was no chance even to be told: no, we won’t support IPv6 on this printer, but newer ones might include IPv6 support.
  • LinkSys SPA941 IP phone – very small devices so I’m guessing this won’t happen, even though LinkSys is now part of Cisco
  • LinkSys SPA3102 PSTN connector – see above
  • LinkSys PAP2T – see above
  • Siemens C470IP
  • Thecus N5200 PRO – opened support ticket, waiting for response. This should be easy as inside this box runs Linux.
  • D-Link DES3010F managed switch – no support, but D-Link does have other managed switches which do support IPv6. This would be necessary if I wanted to do VoIP over IPv6. The current switch does not allow me to configure QoS for IPv6, which has been important for my VoIP setup. Maybe I’ll need to upgrade.

The clear result of this is that while PCs support IPv6 most consumer grade devices do not and I guess until there is a demand for this it’s unlikely to change.

It would be nice to have support for IPv6 on my devices as until that time if I want to connect to them when using IPv6 I’ll need to setup some sort of proxy arrangement. For a printer that is probably easy, but for something like NFS (which I use my Thecus for) I’m not sure that’s so easy. Also for my VoIP devices I’ll have to see if Asterisk or FreeSwitch support VoIP over IPv6 and if they do they can be configured to act as a gateway. However until I have a single IPv6 enabled VoIP device the gateway won’t be necessary.

Setup local name server to serve IPv6 addresses for my domain

July 24th, 2010

In order to use IPv6 you probably need to set things up so that your sites can be reached over IPv6. I manage my own DNS server for my domain, so I decided to make my DNS server reachable over IPv6. This did not sound too complicated.

This required 2 things:

  • Ensure that Bind 9 was configured to receive and respond to queries on this address
  • Tell my registrar about the IPv6 address of my domain

I checked my DNS software, Bind (v9), and it did not seem to be responding to DNS requests on the IPv6 address. A quick look around indicated that I had to add an extra line to the options section of named.conf:

options {
 directory "/etc/named";

 // required to listen for ipv6 queries
 listen-on-v6 { any; };
....

My registrar is gkg.net and I’ve been using them for a long time without trouble. So I went to their configuration page and saw that I could add another IP address for my name server, and here I added my IPv6 address. The software did not complain, and shortly afterwards, querying the .org name servers, I could see that my AAAA record had been added.

Those 2 changes enabled me to offer DNS resolution for my domain over IPv6.
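Two things on this page call for the same check: confirming that the listen-on-v6 change above actually makes Bind answer on the IPv6 address, and the earlier post’s conclusion that a name server advertised over IPv6 must be monitored, because when it becomes unreachable resolvers sit in timeouts before falling back to IPv4. The following is an added example (not the blog’s code and not a Bind or Nagios component): a minimal Nagios-style plugin that builds a real DNS SOA query for the zone, sends it over UDP to the server’s IPv6 address with a short timeout, and turns the reply header into OK / WARNING / CRITICAL. The server address and zone are whatever you pass on the command line; the response bytes used to exercise the parser are constructed.

```python
import os
import socket
import struct
import sys

QTYPE_SOA = 6
QCLASS_IN = 1


def build_query(zone, qtype=QTYPE_SOA, txid=0x1234):
    """Encode a single-question DNS query (RD bit set) for `zone`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in zone.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_response(data, txid):
    """Decode the 12-byte header; raise ValueError on anything that is not a
    sane reply to the query we sent."""
    if len(data) < 12:
        raise ValueError("response shorter than a DNS header")
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is not a response")
    return {
        "rcode": flags & 0x000F,
        "authoritative": bool(flags & 0x0400),
        "answers": an,
        "authority": ns,
    }


def classify(result):
    """Map a parsed header to a Nagios exit code and message."""
    if result["rcode"] != 0:
        return 2, f"CRITICAL: server returned rcode {result['rcode']}"
    if not result["authoritative"]:
        return 1, "WARNING: reply is not authoritative for the zone"
    if result["answers"] == 0:
        return 1, "WARNING: authoritative reply but no answer records"
    return 0, f"OK: authoritative reply with {result['answers']} answer record(s)"


def check_nameserver_v6(server_v6, zone, timeout=3.0):
    """Query `zone`'s SOA over UDP/IPv6 at `server_v6`. Returns (state, message),
    state following Nagios conventions: 0 OK, 1 WARNING, 2 CRITICAL."""
    txid = int.from_bytes(os.urandom(2), "big")   # random id so stray replies are rejected
    query = build_query(zone, txid=txid)
    sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server_v6, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        # This is the silent failure from the earlier post: the AAAA is published
        # but nothing answers on it, and every resolver that tries it waits.
        return 2, f"CRITICAL: no reply from [{server_v6}] within {timeout}s"
    except OSError as exc:
        return 2, f"CRITICAL: {exc}"
    finally:
        sock.close()
    try:
        return classify(parse_response(data, txid))
    except ValueError as exc:
        return 2, f"CRITICAL: malformed reply: {exc}"


if __name__ == "__main__":
    # usage: check_dns_v6.py <ipv6-address-of-nameserver> <zone>
    state, message = check_nameserver_v6(sys.argv[1], sys.argv[2])
    print(message)
    sys.exit(state)
```

Pointed at the server’s own IPv6 address it confirms the listen-on-v6 change; scheduled from Nagios with a three-second timeout it catches the unreachable-AAAA situation long before anyone notices slow logins.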

Request IPv6 Allocation

July 22nd, 2010

When I originally looked around to find out how to connect to an IPv6 network there seemed to be quite a few different options and providers.

I originally requested an allocation with Hurricane Electric but had trouble setting up the tunnel. Their web page said they could not ping my public IP address (my router) and this prevented them allowing the tunnel to be created. My ADSL router does not have any ICMP filters configured and as the public IP address is forwarded to my Linux PC I knew that did not either. I also remember when setting up my ADSL connection with Jazztel that I had some configuration issues, and this turned out to be related to the fact (from what I remember) that Jazztel block ICMP traffic to the customer’s IP address.  So with this problem I looked to see if I could find another tunnel broker.

I’m currently using ipv6tf.org and a tunnel end point that is local in Madrid, hosted it seems by Neo-Sky. The instructions for setting up the tunnel worked pretty much as expected with one minor detail. As my PC is NATed behind my ADSL router the creation of the sit tunnel requires the local address to be specified as the RFC1918 address and not my public IP address.

That is, the following was needed:

# ip tunnel add sit0 mode sit remote A.B.C.D local 192.168.E.F ttl 255

When creating the IPv6 address allocation the ipv6tf.org page sends you a confirmation with the configuration details for your hardware, but does not show this on the web page itself. So if you specify the OS / setup incorrectly, it sends you the wrong information. I’d much rather there were an additional “show me my config” page for each allocation, based on the hardware setup you specify.

The configuration script I’m currently using does not use the standard OS mechanism, so I still need to see how to adjust it to fit in with RedHat’s configuration files. That would be cleaner, and it is something I still need to do.

Created IPv6 Setup Progress page

July 22nd, 2010

The following page http://blog.wl0.org/ipv6-setup-progress/ is going to be used to show how I make progress in setting up IPv6 and the issues I come across.

Starting to play with IPv6

July 18th, 2010

Over the last few years I’ve read quite a lot about IPv6 but not really done a lot about it. The theory is easy, but when you actually try to set it up you suddenly find that most hardware does not really support it.

  • My ISP (Jazztel) have told me they don’t provide an IPv6 service.
  • My Draytek 2820n ADSL router does not support IPv6. Draytek seem to be just starting to look at this in their Vigor 2130 series, but my ADSL router is not covered.
  • My Thecus N5200 Pro NAS device does run Linux underneath so it can be configured to support IPv6. I’ve recently upgraded to firmware version 2.00.18.4 dated 2010.06.15, and have logged into the box. It seems the kernel is not built with IPv6 support. I’ve made a support ticket requesting that IPv6 support is added. Let’s see what they say.
  • None of my 4 VoIP devices (Linksys SPA3102, SPA941, PAP2T, Siemens C470IP) support IPv6, though given the extra overhead of IPv6 while you need to tunnel it performance may not be very good.
  • My D-Link DES3010F managed switch has options for managing traffic priorities based on QoS. I need this for the VoIP quality to be decent, as I’ve mentioned before. Again this only works for IPv4. So if I really wanted to do VoIP on IPv6 I’d be back to square one. Newer D-Link switches do appear to support IPv6, so maybe at some point I’ll have to consider upgrading.
  • My HP Officejet Pro L7680 printer has an ethernet adaptor but does not support IPv6. I’ll also ask HP about this.
  • My Linux box of course supports IPv6 so that is good.
  • My MacBook also supports IPv6. Again that is useful.

So for the moment I have done little more than set up an IPv6 tunnel and configure apache so that if you want to read this over IPv6 you can do so using http://blog6.wl0.org. Of course you won’t see any difference, but this name only resolves to an IPv6 address. I’ll have to check my logs to see if there are many accesses over IPv6. If you get “unable to connect” type errors it’s likely you are trying to connect from an IPv4-only host. If you really think you are using IPv6 and this does not work, please let me know.

I’ll have to see how I can bring other services up and running under IPv6 and will let you know how I get on.

So what experiences have you had setting up IPv6 at home?