blog.sarlok.com - Coffee!


Red Balloon

Holy heck... I have a blog.

Quick rant and post, more details on life after the break.

I'm extremely impressed with Juniper's SRX300. Price, performance and features are all amazing.
Ordered up one of said SRX300's for my home lab, to replace my EOL'd SRX100B.

I can hear the Mikrotik and Ubiquiti fans jumping up and down, but no... just no. Given the choice, I'd install OpenBSD on an APU2 before trusting Ubiquiti or Mikrotik to do anything more than bridge frames, and they do even that poorly. Even then...

Related, mental note for RANCID command restriction within TACACS for Juniper/JunOS devices.
RANCID needs these, or it breaks expect:

  • 'set cli complete-on-space off'

  • 'set cli screen-length 0'

Set CLI commands are pretty tame, so you could safely get away with:

user rancid {
  service = junos-exec {
   local-user-name = your-standin-local-user
   allow-commands1 = "(show .*)"
   allow-commands2 = "(exit)|(quit)"
   allow-commands3 = "(set cli .*)"
   deny-commands = ".*"
  }
}
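Before pushing a stanza like that at a production TACACS+ server, it is worth checking that the regexes let RANCID through and nothing else. The script below is an added example, not from the blog, tac_plus or RANCID; it applies the three allow regexes and the deny regex to a constructed command list. It assumes Junos semantics, where a command matching any allow-commands regex is permitted even if it also matches deny-commands, and it anchors every regex against the whole command line.

```python
import re

# Regexes copied from the tac_plus stanza above.
ALLOW_COMMANDS = [r"(show .*)", r"(exit)|(quit)", r"(set cli .*)"]
DENY_COMMANDS = r".*"

# Commands a RANCID run needs: the two 'set cli' lines are the required ones
# from the post; the 'show' lines are a constructed sample of what it collects.
RANCID_COMMANDS = [
    "set cli complete-on-space off",
    "set cli screen-length 0",
    "show version",
    "show configuration",
    "show chassis hardware",
    "exit",
]

# Things a read-only collector account must never be able to run (constructed).
MUST_BE_DENIED = [
    "configure",
    "set interfaces ge-0/0/0 disable",
    "request system reboot",
    "start shell",
]


def authorized(command, allow=ALLOW_COMMANDS, deny=DENY_COMMANDS):
    """Return True if `command` would pass the allow/deny regex set.

    Assumption: allow-commands wins over deny-commands (Junos behaviour) and
    each regex has to match the full command line, not a substring of it.
    """
    if any(re.fullmatch(pattern, command) for pattern in allow):
        return True
    if re.fullmatch(deny, command):
        return False
    return True  # neither list matched; the local login class would decide


def audit(needed=RANCID_COMMANDS, forbidden=MUST_BE_DENIED):
    """Commands that do not behave as expected, grouped by the kind of surprise."""
    return {
        "blocked_but_needed": [c for c in needed if not authorized(c)],
        "permitted_but_dangerous": [c for c in forbidden if authorized(c)],
    }


if __name__ == "__main__":
    for kind, commands in audit().items():
        print(f"{kind}: {commands or 'none'}")
```

If either list in the audit comes back non-empty, fix the regexes before the box ever sees them; a bare `(show.*)` without the space, for instance, is the classic way these lists end up looser than intended.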

Let's see, other stuff... other stuff...
I put pi-hole on a beaglebone black to try it out. I learned many, many things. The experience was painful, and wasted many, many, many hours of my time. However, given how out of touch with Linux I am these days, I could attribute it to a lack of practice and knowledge surrounding how ruined the Linux landscape has truly become.
Honestly, my last foray was with Gentoo, before the portage tree was opened up to volunteers that immediately broke everything, which forced me to slackware.
I'll admit it, I was a Gentoo-ite, obsessed with kernel size. 714k of kernel, man! And another 6% FPS increase in glxgears! WOO! Pretty sure I got it much smaller once, but honestly now, who cares...

As for the things I learned, the highlights:

  • You can't just use ifconfig out of the box any more
  • No tcpdump in the 1.8 GB base install. This is just plain unforgivable
  • The concept of editing resolv.conf and expecting it to work is apparently dead
    • Side note so I remember: have to piss around with 'resolvconf' and resolv.conf.tail
      • Additional side note: forget about resolv.conf entirely if you updated Debian to jessie, which apparently excludes the resolvconf binary. Download the rpm on another box with working DNS to proceed
  • There is no fstat, so use 'pstat -apn' to figure out what PIDs are squatting on what sockets
  • Oh god systemd, why?!
    • Completely ignore init.d. Look at systemctl, then proceed to spit tea at the monitor, then remove hair with clenched fists.

I can't help thinking I could have just setup unbound in the first place, since I don't really care about the Pi-hole GUI.
Next steps, repeat the experiment with OpenBSD and unbound.

Juicy Wiggle

Oh yeah, I have a blog... geeze.

Been busy re-wiring the new house. Mostly done. Furnace tried to burn the house down when the blower motor blew and the breaker failed. Pictures to come in the spring I guess.

I've run into this a few times on some of our production OpenBSD boxes now, and I'm always spending too much time remembering how to fix it:

arpresolve: 10.10.10.1: route without link local address

Usually caused because:
The address in the log message was probably deleted and re-added, or moved to a different interface.

To fix:
Find, delete, and re-add all the static routes pointing at the host it's complaining about as you probably have some statics on the box for re-distribution or other dumb tricks

It seems bug-ish to me, since for all intents and purposes nothing's actually broken. It just spams your syslog a few hundred times a second (or more if your box is really busy).
Filed under the to-investigate-further-someday pile.
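Since the fix is always "find the statics pointing at that address and re-add them", here is an added Python helper (mine, not from the blog or OpenBSD) that does the finding. It pulls the complained-about address out of syslog lines shaped like the message above, then lists the static routes (flag S) in a `route -n show -inet` dump that use that address as gateway and emits the delete/add pairs. Both inputs are constructed samples, and the `route delete DEST` / `route add DEST GATEWAY` forms are an assumption to be reviewed before anything is run.

```python
import re
from collections import Counter

ARPRESOLVE_RE = re.compile(
    r"arpresolve: (?P<addr>\d{1,3}(?:\.\d{1,3}){3}): route without link local address"
)

# Constructed syslog excerpt in the shape of the message quoted above.
SYSLOG_SAMPLE = """\
Dec 17 09:20:31 fw1 /bsd: arpresolve: 10.10.10.1: route without link local address
Dec 17 09:20:31 fw1 /bsd: arpresolve: 10.10.10.1: route without link local address
Dec 17 09:20:31 fw1 sshd[1234]: Accepted publickey for ops from 10.10.10.50
Dec 17 09:20:32 fw1 /bsd: arpresolve: 10.10.10.1: route without link local address
"""

# Constructed 'route -n show -inet' output; the Destination/Gateway/Flags
# columns follow OpenBSD's layout, with 'S' marking a static route.
ROUTE_TABLE = """\
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.10.10.1         UGS        5    12345     -     8 em0
10.10.10.0/24      10.10.10.2         UCn        1        0     -     4 em0
10.10.10.1         00:11:22:33:44:55  UHLch      1        3     -     3 em0
10.10.10.2         00:aa:bb:cc:dd:ee  UHLl       0        5     -     1 em0
172.16.0.0/16      10.10.10.1         UGS        0        7     -     8 em0
192.168.50.0/24    10.10.10.1         UGS        0       42     -     8 em0
"""


def complained_addresses(syslog_text):
    """Count how often each address appears in the arpresolve complaint."""
    return Counter(m.group("addr") for m in ARPRESOLVE_RE.finditer(syslog_text))


def static_routes_via(route_text, gateway):
    """Destinations of static (flag S) routes whose gateway is `gateway`."""
    dests = []
    for line in route_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Destination":
            continue  # banner, blank, section title or column header
        dest, gw, flags = fields[:3]
        if gw == gateway and "S" in flags:
            dests.append(dest)
    return dests


def fix_commands(route_text, gateway):
    """(delete, add) route(8) command pairs that recreate each static route.

    Assumption: 'route delete DEST' and 'route add DEST GATEWAY' are the
    forms used; the output is meant to be read by a human, not piped to sh.
    """
    return [
        (f"route delete {dest}", f"route add {dest} {gateway}")
        for dest in static_routes_via(route_text, gateway)
    ]


if __name__ == "__main__":
    for addr, n in complained_addresses(SYSLOG_SAMPLE).most_common():
        print(f"{addr}: {n} arpresolve complaints")
        for delete, add in fix_commands(ROUTE_TABLE, addr):
            print(f"  {delete} && {add}")
```

Note that the ARP cache entry for the gateway itself (the `UHLch` line) is deliberately not touched; only the static routes that reference it as a next hop get cycled, which is what the fix above calls for.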

Outlines

Quick post today.
Will probably have something to say about my new house, and the options I'm looking at for a NAS / AppleTV streaming appliance eventually.
Have some pictures of my trip to the Kootenay's to post too at some point or something.

So, I keep forgetting how to do this:
How to move bridge-group 1 around on v15 Cisco Aironets, as they are a pain in the rear. You used to be able to just replace bridge-group 1 with another, but now you get:

Interface already configured within Bridge Group 1.

So that's super helpful. The good news is it can still be moved to somewhere mostly useful. However, the destination interface must be configured with dot1q native. That, of course, blows big wind. Thanks Cisco!
But hey - at least it's something, and can let the rest of your configs make sense.

To summarize the steps:

  • Add Interface.foo subinterface
  • Configure for dot1q encapsulation foo native
  • Move bridge-group 1 to the new interface.foo subinterface
  • Success!

And here it is in action, with gratuitous failure attempts for context.

ap>enable
ap#sh int desc
Interface                      Status         Protocol Description
BV1                            down           down
Do0                            admin down     down
Do1                            admin down     down
Gi0                            up             up
ap#sh bridge verbose

Total of 300 station blocks, 299 free
Codes: P - permanent, S - self

Flood ports (BG 1)           RX count    TX count
Dot11Radio0                         0           0
Dot11Radio1                         0           0
GigabitEthernet0                   95           0
ap#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ap(config)#int gi0.4
ap(config-subif)#encapsulation dot1Q 4
ap(config-subif)#bridge-group 1

Configuration of subinterfaces and main interface
within the same bridge group is not permitted
ap(config-subif)#int gi0
ap(config-if)#no bridge-group 1
%command not allowed, cannot remove bridge-group 1
ap(config-if)#bridge-group 4

Interface already configured within Bridge Group 1.

ap(config-if)#int g0.4
ap(config-subif)#encapsulation dot1Q 4 nativ
ap(config-subif)#bridge-group 1
ap(config-subif)#^C
ap#sh run int g0.4
Building configuration...

Current configuration : 151 bytes
!
interface GigabitEthernet0.4
  encapsulation dot1Q 4 native
  bridge-group 1
  bridge-group 1 spanning-disabled
  no bridge-group 1 source-learning
end

ap#sh run int g0
Building configuration...

Current configuration : 59 bytes
!
interface GigabitEthernet0
  duplex auto
  speed auto
end

ap#sh bridge verbose

Total of 300 station blocks, 299 free
Codes: P - permanent, S - self

Flood ports (BG 1)           RX count    TX count
Dot11Radio0                         0           0
Dot11Radio1                         0           0
GigabitEthernet0.4                  3           0

ap#

Недетское время

So, fluctuator has been shut-down. The 510 chassis soon to be re-purposed for greater things.

In doing so, I've merged and updated a pile of my VM's. Down to 4 from 7, which is a good start.
To that end, this is more of a token post to test that stuff is still working from all the migrations last night.

So... here's some random junk:


Me: oh god. I win moron of the week award.
Co-worker: You are the greetest!
(Inane chatter about my oversight)
Co-worker: I'm also not smarting today. Going to coffee my brain
Me: Huh...
TOKENHOSTNAME-S01#sh env all
FAN is OK
Internal POWER supply is FAULTY
RPS is NOT present

TOKENHOSTNAME-S01#sh inv
NAME: "TOKENHOSTNAME-S01", DESCR: "Cisco Catalyst c2950 switch with 24 10/100 BaseTX ports"
PID: WS-C2950-24 , VID: H0 , SN: SOMESERIALNO

TOKENHOSTNAME-S01#

Me: I may be having an off day, but that seems slightly strange.
Co-worker: Hmm, should be proactive and HAHAHAHA

Also, this looks incredibly interesting. I've had a song on my iPod by them for ages, but never realized they're basically a carnival stage-acting band type deal.
Wicked cool.

I Can See It In Your Face

Just found these 3D Futurama things. They definitely do it justice.

And now for something plausibly interesting… maybe.
Finally updated my random image thing which was long, long, long overdue. Pulls images out of an SQL index instead of cramming an array full of filenames and paths after scanning the disk. Every. Single. Time. The. Page. Was. Accessed.
It's improved load times significantly. Also put in the ubiquitous image access function while I was at it, so I can stop hard-linking to files in my random folder which break if I move things around.
Now I just need to find a way to safely import custom functions into Drupal, and I'll be set.

Moar random phpipam jargon. Stuff I had to do to make the ping scan and alive host detection in phpipam work on OpenBSD after the 1.0 release:

functions/functions-common.php assumes your php executable will be 'php'. OpenBSD's 5.3 package binary is php-5.3. Yeah, I know - I need to update from 5.3. So sue me.
Quickest fix which will break next time I update base and the package tree

sudo ln -s /path/to/php-5.3 /same/path/php

Also, the ping binary included in base needs the timeout switch and number to be tweaked.
Patch for OpenBSD base's 'ping' binary:

--- functions-network.php.orig  Fri Sep 26 23:57:57 2014
+++ functions-network.php       Sat Sep 27 00:05:41 2014
@@ -2906,8 +2906,8 @@
        }
        else {
                //set ping command based on OS type
-               if(PHP_OS == "FreeBSD" || PHP_OS == "NetBSD" || PHP_OS == "OpenBSD")    { $cmd = "$pathPing -c $count -W ".($timeout*1000)." $ip 1>/dev/null 2>&1"; }
-               elseif(PHP_OS == "Linux")                                                                                               { $cmd = "$pathPing -c $count -w $timeout
$ip 1>/dev/null 2>&1"; }
+               if(PHP_OS == "FreeBSD" || PHP_OS == "NetBSD")                           { $cmd = "$pathPing -c $count -W ".($timeout*1000)." $ip 1>/dev/null 2>&1"; }
+               elseif(PHP_OS == "Linux" || PHP_OS == "OpenBSD")                        { $cmd = "$pathPing -c $count -w $timeout $ip 1>/dev/null 2>&1"; }
                elseif(PHP_OS == "WIN32" || PHP_OS == "Windows" || PHP_OS == "WINNT")   { $cmd = "$pathPing -n $count -I ".($timeout*1000)." $ip 1>/dev/null 2>&1"; }
                else  { $cmd = "$pathPing -c $count -n $ip 1>/dev/null 2>&1"; }
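Review bot: the OpenBSD move changes the timeout unit without saying so. The old BSD branch passed `-W ".($timeout*1000)."` (milliseconds), while the new `+ elseif(PHP_OS == "Linux" || PHP_OS == "OpenBSD")` line passes bare `-w $timeout` (seconds), so a `$timeout` that was tuned for the old branch behaves very differently here; a one-line comment on the `+` line noting that `-w` takes seconds would save the next person the surprise. Separately, every branch in this block interpolates `$ip` straight into a shell string; wrapping it as `escapeshellarg($ip)` before building `$cmd` costs nothing and keeps anything other than an address from reaching the shell.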

Ride My Tempo

So. I have yet another new toy. Granted, this is my first real toy toy.
I didn't even really want it, like want want it.
Nor was I looking for it.
Was humouring the sales guy at the car dealer, who was busy trying to sell me on a Tucson, Santa Fe, or Genesis. The aforementioned three are pretty weak compared to the Volvo.
"So, I'll try the next trim-level Genesis, maybe it'll be better than the base." I says.
"Let me take a look around the used lot, while you check if there's one free to drive." I says.
"Huh... a Lancer. Nice. Wait… that's an Evolution. Wonder which salesman owns that. …No plates? Uh… Hey! What's up with this Evo?"
There you go. That's the story of how the down payment for another house became a toy, and enough debt to keep me from just up and stopping going to work suddenly. At least for a little while.
It's been a while since I've driven a standard. This one came with a racing clutch among other things, which I proceeded to stall about 5 times on the test-drive.
Since acquiring it 5+ weeks after making payment, the number of stalls has increased to a total of 21 over the span of two days, though the rate at which they occur has decreased exponentially.
Just in time for fall and winter. Smart.

Replaced an old Soekris at work a couple of weeks back. Poor old thing had 1388 days of uptime.
Alas, the replacement was necessary to turn a previously abandoned transmission site, isolated on a 3rd party's network, into a customer-ready site jerry-rigged into our AS.

Took a wee bit of fiddling, but found the right knobs to tweak to replicate some of the tricks we use on our cisco boxes to make management happen in stupid places without the hardware or budget to do it properly.
Probably easier to just use BGP for the whole deal, but our OSPF RIB is already polluted with so much garbage from all the bad ideas that were pushed into production over the years anyway. As such, it's becoming the dumping ground for bad (albeit, fun) ideas like this one.

Relevant config here for future self-reference - obviously, severely obfuscated from the production environment.
The keen observer will notice that there's no IPSEC here. Because of company policy to drive end-of-life equipment into the ground, we lack sufficient resources for shaping or ACL's, let alone crypto at our aggregators. My gif(4) and IPSEC experiments will have to wait until I have sufficient boxes, and enthusiasm to pursue this of my own accord.

The diagram:

On the Cisco:

!
interface Loopback254
  description Public tunnel termination interface
  ip address 172.20.254.254 255.255.255.255
!
interface Loopback101099
  description 1010 Fake St, Nutley. Z-end network
  ip address 10.10.99.1 255.255.255.255
!
interface Tunnel101099
  description 1010 Fake St, Nutley. Management tunnel
  ip unnumbered Loopback101099
  ip mtu 1476
  ip ospf 1 area 10.10.99.0
  tunnel source Loopback0
  tunnel destination 192.168.99.223
!
router ospf 1
  router-id 172.20.254.254
  area 10.10.99.0 stub no-summary
!
end

On the Soekris:

bsd~ grep inet /etc/hostname.vlan99
inet 10.10.99.0 255.255.255.0 NONE up

bsd~ cat /etc/hostname.gre0
192.168.99.223 172.20.254.254 netmask 255.255.255.255 link0
tunnel 192.168.99.223 172.20.254.254
inet alias 10.10.99.2 255.255.255.255
up
# Alias and static route to R01. Without these, ospfd sends hellos directly out the
# upstream interface un-encapsulated, instead of over the tunnel
!route add -host 10.10.99.1 -iface 10.10.99.2

bsd~ sudo cat /etc/ospfd.conf
router-id 10.10.99.254
area 10.10.99.0 {
        stub

        interface gre0:10.10.99.2
        interface vlan99:10.10.99.254 {
                passive
        }
}

Apart from the underlying config for a happy BSD and Cisco box (routing tables, outbound interfaces, etc…), you should wind up with something along these lines:

bsd~ ospfctl show neighbor
ID              Pri State        DeadTime Address         Iface     Uptime
172.20.254.254  1   FULL/P2P     00:00:34 10.200.6.1      gre0      31m

On paper, this looks goofy as all hell, but is a fun way to exploit the longest prefix wins rule. Plus, our IGP tables are already polluted with far, far worse garbage that won't be going away any time soon. The real world has a habit of destroying all hope one had of running an efficient, clean, easy to manage network.
One caveat is access to/from our NMS. Since the amount of impact and network noise from this cruft is limited by the stub, a static route was necessary (Augh!).
Also, now that I think about it, the 'ip unnumbered loopback' in the example is a left-over from plastering this over top of multiple tunnels to the same site. Here, it's unnecessary.
That said, learn from my tomfoolery. Just because you can, don't… just don't. Do not do this to your network.
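The whole trick hinges on the `!route add -host 10.10.99.1 -iface 10.10.99.2` line in hostname.gre0 and the longest-prefix-wins rule it leans on. The Python model below is an added example, not from the blog or OpenBSD, that walks a constructed three-entry forwarding table for the Soekris side: the /24 on vlan99, the /32 host route over gre0, and a default out an upstream interface whose name (vlan10) is assumed. It shows where a hello to R01 goes with and without the host route.

```python
import ipaddress

# Constructed forwarding table for the Soekris: the LAN prefix on vlan99, the
# /32 that the '!route add -host' line installs, and a default route out the
# upstream interface the GRE outer packets ride on ('vlan10' is an assumed name).
ROUTES = [
    ("10.10.99.0/24", "vlan99"),
    ("10.10.99.1/32", "gre0"),
    ("0.0.0.0/0", "vlan10"),
]

R01 = "10.10.99.1"          # OSPF neighbour at the far end of gre0
TUNNEL_PEER = "172.20.254.254"


def best_route(destination, routes=ROUTES):
    """Interface chosen for `destination`: longest matching prefix wins.

    Ties keep the first entry listed, which is enough for this model.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else best[1]


def without_host_route(routes=ROUTES):
    """Same table minus the /32, i.e. what you get if that line is forgotten."""
    return [r for r in routes if r[0] != "10.10.99.1/32"]


def hello_paths(routes=ROUTES):
    """Where a unicast to R01, a LAN host and the tunnel's outer peer would exit."""
    return {
        "hello_to_R01": best_route(R01, routes),
        "lan_host": best_route("10.10.99.50", routes),
        "gre_outer_packet": best_route(TUNNEL_PEER, routes),
    }


if __name__ == "__main__":
    print("with host route   :", hello_paths())
    print("without host route:", hello_paths(without_host_route()))
```

With the /32 present the hello to 10.10.99.1 leaves via gre0 while the rest of the /24 stays on vlan99; drop the /32 and the hello falls into the /24 and goes out vlan99 unencapsulated, which is exactly the failure the comment in hostname.gre0 describes. The model is for reasoning about the table only; it does not touch the kernel's routes.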

Moving right along.

I'm loving this album. Having watched the music videos, I recollect having watched them late last year as they were being released. I don't recall enjoying the songs nearly as much then as I do now.
Weird.

Long post is long. Here, have a music video.

Magic Carpet Ride

Seems I broke my search indexer yonks ago. It's been fixed, so yay.

Dusted off one of the random project ideas I mentioned some time back, and actually got around doing something useful beyond the initial proof-of-concept.
Successes so far:

  • Registered my iPad, and Galaxy S4 as SIP stations
  • Inbound call forwarding from the PSTN to all active SIP clients
  • Outbound calling from SIP clients to the PSTN

Problems to solve next:

  • Stop my iPad's IPSEC VPN from disconnecting every time it's idle for more than 2 minutes
  • Find a VPN setup or App that'll work with my useless bloody S4
  • Decipher and set-up voicemail
  • Find a SIP client that doesn't blow big wind

By far and away, the biggest headache was daisy-chaining my 2811's voice-port off an analogue port on the office's phone system. However, having succeeded, I'm able to intercom co-workers from wherever I have wifi connectivity which is worth the price of admission right there.

The good folks at Juniper are doing a good job of keeping me happy. I received the EX2200-C-12T-2G for my collection of lab hardware today. Now I'm half inclined to ditch the 1811 in front of *.sarlok.com, and shunt everything to my SRX100 to force familiarity levels beyond the casual mark.
However, now that most of my voice proof-of-concept is out of the way, the 2811 could probably replace it too…

Also, damn you iTunes. Damn you to hell… why don't you have this song?


Honey Dove

Gah. Unenthused sarlok is unenthused.
Warning: This post may have no meaning beyond providing a brief interlude to my current lapse of boredom.

I fixed a frick-load of broken URL's spread across my blog posts of old, most of which I broke myself after re-jigging the random images folder. Wound up splitting the one monster folder into several subs to cut back on disk chatter.
Hindsight, having fixed the broken links, I'm now re-thinking my choice of hard-coding paths and images, and have some idea for a permalink that should be sane enough to keep up with auto-filing image folders… maybe by the time my next post is done.

My new toy.
Spontaneous purchase was spontaneous. My old bow was already fast at ~320fps.
Splurged on some nice light 250 grain arrows to go with the new bow though.

My new other toy.
My initial observations were how amazingly well built the thing is. I thought Dell and IBM's servers were well made, but after cracking the T2000 open… It's very, very nice.
Master plan is to move *.sarlok.com to the T2000, and re-purpose fluctuator as a storage backend on account of the 8 drive-bays.
That aside, this made me chuckle seeing it for the first time post-install.
I especially love how base has fewer processes than there are cores… well, threads I guess - but still.

root@sparksmith:~ # uname -a
OpenBSD sparksmith.sarlok.com 5.6 GENERIC.MP#166 sparc64
root@sparksmith:~ # top -d1
load averages:  0.12,  0.19,  0.14    sparksmith.my.domain 19:46:57
26 processes: 24 idle, 2 on processor
CPU00 states:  0.0% user,  0.0% nice,  0.3% system,  0.8% interrupt, 98.9% idle
CPU01 states:  0.0% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.8% idle
CPU02 states:  0.1% user,  0.0% nice,  0.1% system,  0.0% interrupt, 99.8% idle
CPU03 states:  0.1% user,  0.0% nice,  0.1% system,  0.0% interrupt, 99.8% idle
CPU04 states:  0.0% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.8% idle
CPU05 states:  0.0% user,  0.0% nice,  0.1% system,  0.0% interrupt, 99.9% idle
CPU06 states:  0.0% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.8% idle
CPU07 states:  0.0% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.8% idle
CPU08 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU09 states:  0.0% user,  0.0% nice,  0.5% system,  0.0% interrupt, 99.5% idle
CPU10 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU11 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU12 states:  0.1% user,  0.0% nice,  0.0% system,  0.0% interrupt, 99.9% idle
CPU13 states:  0.0% user,  0.0% nice,  0.1% system,  0.0% interrupt, 99.8% idle
CPU14 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt, 99.9% idle
CPU15 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU16 states:  0.0% user,  0.0% nice,  0.1% system,  0.0% interrupt, 99.8% idle
CPU17 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU18 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU19 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU20 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU21 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU22 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU23 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU24 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU25 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU26 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU27 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU28 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU29 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU30 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU31 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
Memory: Real: 26M/110M act/tot Free: 31G Cache: 25M Swap: 0K/4097M

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
6537 root       2    0 4440K 4096K idle      select   11:09  0.00% sshd
15852 _smtpd     2    0 2184K 3152K sleep     kqread    0:29  0.00% smtpd
5908 _smtpd     2    0 1848K 2384K sleep     kqread    0:29  0.00% smtpd
5247 _smtpd     2    0 2216K 2624K sleep     kqread    0:29  0.00% smtpd
28491 root      10    0  712K 1472K idle      wait      0:27  0.00% man
28367 root       2    0 4240K 4088K sleep     select    0:22  0.00% sshd
25118 _pflogd    4    0 1120K  400K sleep     bpf       0:12  0.00% pflogd
16328 _spamd     4    0 1176K 1160K sleep     bpf       0:11  0.00% spamlogd
2506 root       3    0  712K 1416K idle      ttyin     0:04  0.00% getty
31521 _syslogd   2    0  960K 1152K sleep     poll      0:01  0.00% syslogd
    1 root      10    0  864K  528K sleep     wait      0:01  0.00% init
29136 root       2    0 2088K 2504K idle      kqread    0:01  0.00% smtpd
27422 root      18    0  928K  784K sleep     pause     0:00  0.00% ksh
11990 root       2    0 1536K 1736K idle      select    0:00  0.00% sshd
32385 root      18    0 1024K  776K idle      pause     0:00  0.00% ksh
17628 _smtpq     2    0 2112K 2688K sleep     kqread    0:00  0.00% smtpd
17078 _smtpd     2    0 2112K 2680K sleep     kqread    0:00  0.00% smtpd
5727 root       2    0 1168K 1424K idle      select    0:00  0.00% cron


Let's see… what else has been randomly interesting of late…
I blew half an hour chasing down some random problems with our internal mediawiki at work. I was surprised, and amused, by the cause of a phantom reset packet. Probably would have caught on sooner if I had decided to tcpdump right off the bat and seen said reset, but oh well.
Turns out, copy-pasta of a unidiff one-liner for an unprivileged user from master.passwd into the wiki page body for documentation didn't get past the ASA IPS module sitting at the edge of a number of our servers.

evIdsAlert: eventId=1379435087058567927  vendor=Cisco  severity=medium  alarmTraits=32768
  originator: 
    hostId: sensor
    appName: sensorApp
    appInstanceId: 1178
  time: Jul 04, 2014 21:34:24 UTC  offset=-420  timeZone=UTC
  signature:   description=Unix Password File Access Attempt  id=3201  version=S238  type=vulnerability  created=20010202
    subsigId: 3
    sigDetails: [ \x26=?.]/etc/master.passwd[ \x26=?]
  interfaceGroup: vs0
  vlan: 0
  participants: 
    attacker: 
      addr: 1.2.3.4  locality=OUT
      port: 29983
    target: 
      addr: 10.0.0.10  locality=OUT
      port: 80
      os:   idSource=learned  type=bsd  relevance=relevant
  actions: 
    droppedPacket: true
    deniedFlow: true
    tcpOneWayResetSent: true
  context: 
    fromAttacker:000000  3A 73 74 61 63 6B 73 69  7A 65 2D 63 75 72 3D 38  :stacksize-cur=8
000010  4D 3A 5C 0D 0A 2B 20 20  20 20 20 20 20 20 3A 6C  M:\..+        :l
000020  6F 63 61 6C 63 69 70 68  65 72 3D 62 6C 6F 77 66  ocalcipher=blowf
000030  69 73 68 2C 38 3A 5C 0D  0A 2B 20 20 20 20 20 20  ish,8:\..+   
000040  20 20 3A 74 63 3D 64 65  66 61 75 6C 74 3A 0D 0A    :tc=default:..
000050  65 2D 2D 2D 2D 2D 40 72  2D 2D 2D 2D 2D 3A 7E 20  e-----@r-----:~
000060  24 20 20 73 75 64 6F 20  64 69 66 66 20 2D 75 20  $  sudo diff -u
000070  2F 76 61 72 2F 62 61 63  6B 75 70 73 2F 6D 61 73  /var/backups/mas
000080  74 65 72 2E 70 61 73 73  77 64 2E 63 75 72 72 65  ter.passwd.curre
000090  6E 74 20 2F 65 74 63 2F  6D 61 73 74 65 72 2E 70  nt /etc/master.p
0000A0  61 73 73 77 64 0D 0A 2D  2D 2D 20 2F 76 61 72 2F  asswd..--- /var/
0000B0  62 61 63 6B 75 70 73 2F  6D 61 73 74 65 72 2E 70  backups/master.p
0000C0  61 73 73 77 64 2E 63 75  72 72 65 6E 74 20 20 53  asswd.current  S
0000D0  61 74 20 41 70 72 20 20  35 20 30 31 3A 33 30 3A  at Apr  5 01:30:
0000E0  31 34 20 32 30 31 34 0D  0A 2B 2B 2B 20 2F 65 74  14 2014..+++ /et
0000F0  63 2F 6D 61 73 74 65 72  2E 70 61 73 73 77 64 20  c/master.passwd

(output trimmed)


No music video today, and I had nothing more to say, so… Attack cat, ATTACK!

Bouncy Bouncy

Well, this has been well overdue, and yet, it still turned into a discordant mess of random junk.
I did something constructive! I draw your attention to the tag cloud widget to the right. Haven't touched that java thing in ages though.

This was fun to read, and somewhat insightful.

Vacation was relatively uneventful. Flew to Calgary and met up with Theo, and took the opportunity to get some tech into his hands. I'm not sure if I should be happy, or annoyed, that I enjoyed the two outings with him significantly more than my entire week in Ireland. I feel far less intelligent myself now having met the fellow, though it was quite humbling, and enjoyable, to see some Beaker impressions bust loose while talking about FreeBSD in the pub.
Was entirely too nervous to ask for a photo… ahwell, maybe next time.

Okay, on with the completely random noise. Things I found myself exclaiming while playing Don't Starve.
"Nooo! My bees!"
"Help! Wake up and help me you stupid pigs!"
"Get away from my berry bushes you damn gobbler!"
"AHH! What the frick is that? Going insane sucks!"
"WUAH! *trackball goes flying*"

Nothing else in particular to say, so... here's a word I'm desperately trying to be able to say without pausing to think.
 Человеконенавистничества!

And, something completely random and stupid:
co-worker: Your ARP thing might be related to S01 fa0/46 showing amber, connected to L01 fa0/1/8
me: I'm watching a tcpdump, waiting for 16:30 to roll around to see if that tells me anything more useful.
me: Not the winrar, but still equally amusing:
16:13:26.391799 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 10.10.10.2 (ff:ff:ff:ff:ff:ff) tell 10.10.10.2
16:13:26.602404 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 10.10.10.2 (ff:ff:ff:ff:ff:ff) tell 10.10.10.2
co-worker: PM3 is old and dumb
me: Heheh. Almost as good as the Axxceleras. They generate a completely whacked out source-MAC address when they ARP for themselves.
me: And by dumb, I'm sure you mean enterprise-y
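The two tcpdump lines in that exchange are the kind of thing that is easy to spot by eye once and hard to keep spotting across a busy capture. Here is an added Python filter, not from the blog, that parses tcpdump ARP request lines in the format shown (timestamp, source MAC, destination MAC, ethertype, length, then the ARP text) and flags two oddities: a station asking for its own address, and a request whose target hardware field is the broadcast address (tcpdump only prints that parenthesised MAC when the field is non-zero). The sample set is the two lines from above plus two constructed normal lines.

```python
import re

BROADCAST = "ff:ff:ff:ff:ff:ff"

ARP_REQUEST = re.compile(
    r"^(?P<ts>\S+) (?P<src_mac>[0-9a-f:]{17}) (?P<dst_mac>[0-9a-f:]{17}) 0806 \d+: "
    r"arp who-has (?P<target_ip>\S+?)(?: \((?P<target_mac>[0-9a-f:]{17})\))? "
    r"tell (?P<sender_ip>\S+)$"
)

# The two lines from the chat above, followed by a constructed ordinary
# request and a constructed reply for contrast.
SAMPLE = [
    "16:13:26.391799 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 10.10.10.2 (ff:ff:ff:ff:ff:ff) tell 10.10.10.2",
    "16:13:26.602404 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 10.10.10.2 (ff:ff:ff:ff:ff:ff) tell 10.10.10.2",
    "16:13:27.000000 00:aa:bb:cc:dd:ee ff:ff:ff:ff:ff:ff 0806 42: arp who-has 10.10.10.1 tell 10.10.10.50",
    "16:13:27.001000 00:11:22:33:44:55 00:aa:bb:cc:dd:ee 0806 60: arp reply 10.10.10.1 is-at 00:11:22:33:44:55",
]


def classify(line):
    """Parse one ARP request line; None for anything that is not a request."""
    m = ARP_REQUEST.match(line)
    if not m:
        return None
    tags = []
    if m["sender_ip"] == m["target_ip"]:
        tags.append("self-probe")  # asking who has its own address
    if m["target_mac"] == BROADCAST:
        tags.append("broadcast-target-hw")  # target hw field set to ff:ff:ff:ff:ff:ff
    return {
        "ts": m["ts"],
        "src_mac": m["src_mac"],
        "sender_ip": m["sender_ip"],
        "target_ip": m["target_ip"],
        "tags": tags,
    }


def oddities(lines):
    """Only the requests that earned at least one tag."""
    return [rec for rec in map(classify, lines) if rec and rec["tags"]]


if __name__ == "__main__":
    for rec in oddities(SAMPLE):
        print(f"{rec['ts']} {rec['src_mac']} {rec['sender_ip']} -> {rec['target_ip']}: {', '.join(rec['tags'])}")
```

A steady trickle of self-probes from one MAC is usually just old gear announcing itself, as in the chat; the same pattern from many MACs, or a self-probe whose source MAC does not belong to the device that owns the address, is the point at which it stops being amusing and becomes something to chase.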

Also, yay, and stuff.

Gone Going

'Nuff said.

2nite

I've toyed with building a dedicated SSH client box at the office off and on, in hopes that every time my Windows box crashes, or re-activates and runs automatic updates, I don't have to re-login to a hojillion boxes all over again.
My first attempt failed miserably. I just couldn't get my sessions or programs to stay open on the host box using Xming with, or without an ssh tunnel between reboots / crashes, et al.
The following attempt was far from elegant, but it was GoodEnough™, and consisted of, Xorg, fluxbox, and VNC Server. I'm sure I don't need to go into details as to what's wrong with this solution. Besides which, I was never really happy with the setup.
For version 3, I broke down and read the man-page for tmux, which, in a nutshell, is basically screen except that it doesn't suck. Go figure, the best solution's the simplest one.

I also finally built up the nerve to migrate my minecraft server. Moved it off the barebones Debian VM it was running on, to an OpenBSD VM. I'm not sure why, but I was surprised at how much better the server runs on the new host. I suppose it could have something to do with dropping 100 processes.

Haven't touched Java since my last post... the thought of building a parser and hierarchical syntax checks feels somewhat daunting.

Been using phpipam at the office since around v0.5. Updated to 0.9 shortly after it came out. The 0.9 release includes up/down/last-seen host checks. For a free, open-source tool, it's pretty epic.
That said, setting up the scanning script's not documented anywhere obvious yet that I've been able to find, and a little bit fiddly. Lest I forget what I did...

Some values you might want to change from defaults.

-----e@insight:~ $ diff -u /usr/local/src/phpipam-0.9/functions/scan/config-scan.php \
/var/apache2/htdocs/phpipam/functions/scan/config-scan.php
--- /usr/local/src/phpipam-0.9/functions/scan/config-scan.php   Thu Jan 23 19:11:50 2014
+++ /var/apache2/htdocs/phpipam/functions/scan/config-scan.php  Mon Dec 30 23:09:08 2013
@@ -8,11 +8,11 @@

//general configs
$scanMaxHosts   = 32; // maximum number of scans per once
-$scanDNSresolve = true;        // try to resolve DNS name
+$scanDNSresolve = false;       // try to resolve DNS name
$scanIPv6       = false; // not yet

//configs
-$MAX_THREADS = 256; // set max concurrent threads
+$MAX_THREADS = 128; // set max concurrent threads

// ping path
$pathPing = "/sbin/ping";
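Review bot: the diff runs source→installed, so the `+` side is the live copy and anyone applying this to a fresh tree needs to do so in that direction. Neither `+$MAX_THREADS = 128;` nor `+$scanDNSresolve = false;` records why the default was changed; the post attributes the thread cut to http children degrading under the process load, and putting that reason in the trailing comment on the line is what stops the next upgrade from quietly putting 256 back.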

-----e@insight:~ $ diff -u /usr/local/src/phpipam-0.9/functions/scripts/pingCheck.php \
/var/apache2/htdocs/phpipam/functions/scripts/pingCheck.php
--- /usr/local/src/phpipam-0.9/functions/scripts/pingCheck.php  Thu Jan 23 19:11:50 2014
+++ /var/apache2/htdocs/phpipam/functions/scripts/pingCheck.php Fri Dec 27 13:31:56 2013
@@ -11,10 +11,10 @@
*/

// config
-$email = true; //set mail with status diff to admins
+$email = false; //set mail with status diff to admins
$emailText = false; //format to send mail via text or html
//$wait = 500; //time to wait for response in ms
-$count = 1; //number of pings to send
+$count = 2; //number of pings to send

// response
$stateDiff = array(); //Array with differences, can be used to email to admins
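Review bot: with `+$email = false;` the `$stateDiff` array that the last comment says "can be used to email to admins" goes nowhere, so host up/down transitions are detected but nobody is told; if mail is unwanted, at least write `$stateDiff` to the script's output so cron keeps a record. Also note `//$wait = 500;` stays commented out, so the per-ping wait is whatever the script defaults to, and raising `$count` to 2 doubles the time spent on every unreachable host, which matters with 128 threads in flight.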

By default, no subnets are setup to scan. Poke the bit for any relevant subnets to save updating them manually.

Lucky last, run it in a sensible user's crontab. I wound up dropping the priority on this with nice, since the scads of processes I chose to let it spawn tend to cause a noticeable degradation to other http children.

#mm hh md mo wd
30  *  *  *  *  /path/to/php /path/to/phpipam/functions/scripts/pingCheck.php

And away she goes.

Take me to Heaven

Pak. Chooie. Unf.
Been internet-less at home for as near as makes no difference, a week.
Abnormal service should resume shortly.

Damn. That is one ugly mini.