tgharold.com: Tech Blog
Random technical tidbits from around the web, or things that I've figured out along the way.
Author: Thomas
Feed updated 2024-03-07

Simple usage example of jquery.inputmask by Robin Herbots
Posted 2016-02-27
We're developing an application at work where the backend system is very limited on what characters it will accept over the wire as well as issues with various fields having to be in a specific format. While we are validating everything on the backend system before we accept it, I believe that it is also useful to provide guidance to the user while they are entering data into the fields via

Ubuntu and software RAID, getting a device path that won't change from boot to boot
Posted 2015-12-30
While I love mdadm (software RAID), it's perplexing me at the moment as it keeps changing its device number under Ubuntu. When I created the array, I created it as "md100", but whenever I restart it ends up as "md127" (and could end up as something else!). Normally, this doesn't matter, but I'm doing LVM on LUKS, so I need a static (unchanging) path to the array device.
This is a (4)

Installing borgbackup under Ubuntu Gnome
Posted 2015-12-10
My favorite file-level backup tool for Linux (or OS X or Cygwin) is still borg (a.k.a. borgbackup). The features that I rely on are:
Efficiency when dealing with millions of files, borg is very fast at scanning the file system and figuring out what needs to be backed up. In the past, I've run it against an IMAP mail server file system with a few million files and about

Office365/ExQuilla dropping spaces / line breaks in messages
Posted 2015-09-28 (updated 2015-10-01)
Since mid-September, we have been hunting a problem that occurs for our Thunderbird users when they attempt to send email via the Office 365 mail server. It seems to be limited to just those using the ExQuilla plug-in, which gives access to messages/contacts on the Exchange server.
The symptoms are that in the body of the email, words will be run together without spaces between them.

Changing how Linux Mint identifies network devices
Posted 2015-09-18
I've been running Linux Mint 17.2 (mostly) happily on my old 2007 Thinkpad T61p. However, even with 8GB of RAM and a SSD, it was a bit too sluggish for my tastes. So I purchased a used T530 which is about 5-6 years newer and has an i7 CPU.
Swapping the SSD from one unit to the other was easy, and Linux Mint booted right up. But I couldn't get a network connection (wired or

Windows 7 SP1 Windows Update takes forever to search for updates
Posted 2015-09-06
One of the difficulties that I've run into while setting up the VM for Win7 on my Linux Mint laptop is that the Windows Update service will take hours/days/forever to figure out what updates are needed in a fresh Windows 7 Service Pack 1 install.
The symptoms are:
Windows Update is stuck on "Checking for updates..."
High memory usage by "svchost.exe" (2+ GB)
High CPU usage by "svchost.exe" (

Switching Linux Mint on Thinkpad T61p
Posted 2015-08-30 (updated 2015-09-01)
I've been wanting to try and switch to Linux full-time on my home desktop/laptop machines for a while, and the amount of spyware / tracking / report back in Windows 10 is pushing me to make a real effort this year. So, I'm taking my old Thinkpad T61p and putting Linux Mint 17.2 on it. My requirements were:
Full disk encryption
Virtualization for a Win7 or Win10 guest
Running as much

Installing atticmatic/borgmatic on Cygwin
Posted 2015-07-26
There's a wrapper project for Attic / Borg backup called "Atticmatic" on GitHub. It helps simplify the process of doing daily backups using attic/borg.
Packages needed on Cygwin (in addition to those needed for attic/borg):
mercurial (hg)
Creation of the SSH key (assumes that you have the 'openssh' package installed):
mkdir ~/.ssh
chmod 700 ~/.ssh
ssh-keygen.exe -t rsa -b 4096 -N ''

SSH keygen under Cygwin
Posted 2015-07-16
You will need to install the "openssh" package using the Cygwin installer before doing this.
Notes:
In the near future, OpenSSH is deprecating support for DSA keys.
Minimum supported RSA key size will be 1024 bits, but you should really do 2048 or larger.
Typical steps for creating SSH keys:
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ cd ~/.ssh
$ ssh-keygen.exe -t rsa -b 3200 -C 'Borg backup

Linux KVM shutting down all virtual guests
Posted 2015-07-11
On my current virtualization server running Linux KVM (QEMU), I want to shut down all guests so that I can unmount the file system containing the VM image files and make it larger.
#1 - See what guests are running
# virsh list
Id Name State
-----------------------------------------------

Installing borg backup (fork of Attic) on Cygwin (Windows)
Posted 2015-07-08 (updated 2015-07-16)
I've used Cygwin with rdiff-backup before to back up a Windows box to a backend Linux server over SSH, but given the success that I've had with Attic backup, I'm going to try this with the fork of Attic which is called "Borg".
Step #1 - Download and install Cygwin. The following packages need to be installed before you can install borg backup.
binutils (not sure)
gcc-g++
libuuid-devel

pfSense RRD graphs for NTP - system jitter vs clock jitter
Posted 2015-07-07
Since installing pfSense and setting up the NTP server, I've been wondering for a while what the difference is between "System Jitter" (sjit) and "Clock Jitter" (cjit) in the RRD graphs. For instance, in the following graph, we can see that the system jitter value has gone way up.
So what causes system jitter? Looking at the Status -> NTP page gives us a bit of a clue.
At least

Inexpensive and power efficient refurb PCs for firewalls
Posted 2015-06-27
This is a follow-up on my earlier post about the Lenovo M58p (Intel Core2 Duo E8400 @ 3GHz) that I'm using for my home firewall. It clocks in at 38-40W idle and 50-60W under load (which is rare).
If you go to NewEgg's site and go into the Desktop Computers category, you can find all sorts of refurbished boxes for under $150.
So what sort of CPUs are there and how do they stack up in terms

Using aliases pfSense to create rules for protocols with multiple port ranges
Posted 2015-06-22
File this one under "things I wish I had known sooner". When setting up pfSense firewall rules on an interface, you'll run into protocols which have multiple ports that are not in a contiguous range. One example of this is the common web server (HTTP) ports of 80, 443 and 8080-8081.
This leaves you with two options.
Set up multiple rules. This is the best option because you

Using badblocks to prepare an offsite USB backup drive
Posted 2015-06-20
Part of my backup strategy is to write my backups to external USB drives which are protected by LUKS encryption. However, before I will put a drive into service, I like to heavily test any mechanical drive for a few days to see whether it will hold up to the wear-and-tear of being a portable drive.
(There's little or no point in doing this on a SSD.)
Currently, my preferred method is to

pfSense rate limiting, egress filtering, opendns filtering for wifi hotspot
Posted 2015-06-20
One of the experiments that I'm running with the new network is running an open / unsecured WiFi hotspot for the neighbors.
Some of the protections that I'm using:
Uses OpenDNS servers with some categories of websites blocked. I'm using the "OpenDNS Home" service which lets me pick and choose which categories are blocked by default. In addition, the OpenDNS server will display a "

pfSense on Core2Duo E8400 refurbished PC
Posted 2015-06-14
A rough power estimate for my little SFF (small form factor) refurbished PC that I'm using for a pfSense firewall:
Intel Core2 Duo E8400 @ 3GHz
4GB RAM
120GB SSD
Dual-port Intel PCIe x4 NIC
At idle, it consumes about 38W when the CPU throttles back to 1.8GHz. That's pretty good for a PC that is not designed to be a low-power / fanless unit. Under load, that goes up to about 60-65W

pfSense Firewall CPU load estimate
Posted 2015-06-09 (updated 2015-07-11)
According to the pfSense dashboard, I have:
Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz
2 CPUs: 1 package(s) x 2 core(s)
When running a quick speed test, "top" shows about 5% system load at 60Mbps. That gives a rough upper-end of around 1200Mbps (1.2Gbps) for switching speed. At a guess, that might be closer to only 1Gbps performance under heavy traffic.
1Gbps of capacity is plenty

VLAN adventures with Netgear GS108T and TrendNet TEW-814DAP
Posted 2015-06-09 (updated 2015-06-14)
As part of setting up my new home network, I'm experimenting with VLANs. The pfSense firewall has the following user-defined VLANs on the interior port. Each of these VLANs has a separate address range (all are IPv4 with a 24-bit netmask, i.e. 192.168.10.0/24). The pfSense firewall is always the ".1" address on each network segment and routes traffic between the segments.
em0 / 12 -

Checking authorized_keys for duplicate SSH key lines
Posted 2015-06-08
After a while, unless you are using Puppet or some other tool, your ~/.ssh/authorized_keys file will end up with half a dozen or dozens of different SSH public key lines. And depending on how careful you were, some of them may be duplicates or screwed up.
One way to make sense of the madness is to look at the first N bytes of each line in the ~/.ssh/authorized_keys file and look for

Firewall build (part 3) VLAN Security
Posted 2015-05-22
Since I plan on using VLANs on the WiFi Access Points to separate guest vs friend vs trusted traffic, I need to make sure that I'm doing VLANs in a secure fashion and not leaving any large holes.
The primary recommendations from the listed sources are:
Don't use VLAN 1 (the default VLAN) for anything
Any ports that do VLAN trunking should use a dedicated VLAN ID
Do explicit tagging of the

Firewall build (part 2) hardware needed for VPN duties
Posted 2015-05-21
One thing to think about when sizing the hardware for a firewall is how much CPU power will be needed for OpenVPN (or IPSec / L2TP). OpenVPN comes with a built-in "speed" command which will benchmark your system and give you an idea of maximum possible bandwidth.
Just run "openssl speed" at the command line and look for the AES-128 and/or Blowfish results. I prefer to look at the

md5sum bash script to create check file for a directory tree
Posted 2015-05-17 (updated 2015-07-16)
Just a quick script that will run through the current directory and all descendant directories, creating a single "verify-tree.md5" file (using md5sum). If the check file already exists, then the existing one gets moved out of the way to "verify-tree.yyyymmdd-hhmmss.md5" for safekeeping.
Check files are useful whenever you have a set of files that will not (or should not) change over time.

MD5 vs SHA-1 vs SHA-256 performance
Posted 2015-05-10 (updated 2015-05-20)
I was curious this weekend about how MD5 vs SHA-1 vs SHA-256 performance stacks up. If you have the OpenSSL libraries installed, you can run a short test to calculate performance on your CPU. It gives ballpark estimates, which may or may not carry over to real-world performance on actual file data.
$ openssl speed md5 sha1 sha256
Estimates/Summary:
SHA-1 is about 55-75% the

Firewall build (part 1)
Posted 2015-04-26 (updated 2015-05-19)
Part of moving to a new place is reevaluating your network. On my current network, I have a fairly basic setup:
One WiFi Access Point (WAP) running 802.11 b/g
A Linux server acting as firewall / file share / backup storage
A few laptops
A few tablets/phones
A few other PCs
When I set this all up a few years ago I kept it very simple. The Linux server is the gateway device with