Viking Geek Y'All

PFSense Part 2

Previously when I wrote about PFSense I was using a dual core Opteron system with a couple of NICs as my router. My good friend Amos started using PFSense as a result of some discussions we had that week. He didn’t like using an ancient Pentium 4 system as his router. Or perhaps it was his wife who wasn’t so sure about the giant tower in the middle of his desk. In any case he went out and picked up a couple of Thin Client computers to replace the giant tower he was using.

For an exceptionally reasonable price he picked up a pair of MaxSpeed MaxTerm 8300 units. These have an 800 MHz VIA C3 processor and 256 MB of 133 MHz SDRAM, which for a desktop computer is practically unusable. However, as a router this is still quite a bit more hardware than anything Linksys, Buffalo, or similar companies sell.

These devices consume about 12 W of power while operating and have no moving parts, which makes them completely silent, cool, and inexpensive to operate. I suspect the MaxTerm takes more power to run than a Linksys router would, but the other benefits of PFSense outweigh the small difference in power consumption.

After taking some time to tune the configuration files last night, I now have the new MaxTerm router in place and running the show in my home. This will allow me to re-task the dual core Opteron system as a FreeNAS file server for the house.

Cheers!

Customer Service Done Right

I have read several articles over the last several years claiming that customer service is dead, or at least asking whether it is. It doesn’t take reading about customer service online, however, to know that there are many examples of terrible customer service out there. Rather than complain about companies that suck at customer service, I’d like to take some time today to talk about a few companies that don’t.

First we have Buffalo Technology. When my wife and I moved to Austin, TX from Indianapolis, IN I had to move out about three months before she did. In that time she packed up the house and shipped everything to me. Unfortunately the power adapter for our second wireless router didn’t make the trip. I reached out to Buffalo via their contact form asking if it was possible to order a power adapter, and if so how much it would cost. Later that same day I had a response saying that they didn’t sell power adapters by themselves, but he would be happy to mail me one free of charge. When I provided my address he let me know that “since you’re in Austin, TX, if you like I can just have one sitting at our front desk with your name on it if you would like to drive by and pick it up.” This was well above and beyond my expectations, and it had the exact effect I think Buffalo was looking for. The next time I need to buy a router/access point/commodity NAS, I’m likely to purchase one of their products.

Second is a company called Kershaw. Kershaw makes pocket knives. They have some fairly inexpensive knives made in China, and some very high quality pocket knives made in the United States. I owned a middle of the road, made in the USA Kershaw Leek. When I experienced a handful of minor problems with the knife I messaged Kershaw’s customer service via their website at something like 2 in the morning. Not only did they send me replacement parts, no questions asked, they sent me three or four of each part I needed, shipped next day, so they arrived on Thursday. All folding knives I’ve purchased since then have been made by Kershaw.

Finally, and most recently, I had a fantastic experience with not one, but TWO companies related to the same problem. My TCX X-Cubed motorcycle boots, purchased in December, broke. Not in a way that would have prevented me from riding in them, but it was annoying nonetheless. I reached out to TCX via their customer service form online, and received a response the following morning from their office in Italy. TCX opened a trouble ticket for me, but then directed me to talk to the company I had purchased my boots from, which in my opinion was acceptable. So I reached out to the second company in this event, Revzilla, and shared the same information I had previously shared with TCX. Within ten minutes of my reaching out to Revzilla, TCX’s American partner/importer contacted me saying that “Italy had forwarded my trouble ticket to them” and wanted to know how they could help. I let them know I had followed their instructions and reached out to Revzilla. I mentioned that if I didn’t hear anything from them I would get back in touch. The American partner had high praise for Revzilla, and assured me I’d be taken care of. In the time it took me to read the response from the American partner, Revzilla had provided me an RMA number and a pre-paid UPS shipping label. I couldn’t have asked for more!

It’s now one week from when I originally contacted TCX, and I have confirmation from Revzilla that TCX has accepted my return, and I’ve been granted in-store credit for a full replacement of my boots. Sure, it’s a little annoying to be without something for about two weeks when it’s all said and done, but you know what? Both companies met or exceeded my expectations at every turn.

The moral of this story is, just because many companies suck at customer service doesn’t mean they all do. Rather than complaining about the companies that get it wrong, I’d recommend taking your dollars to the companies that get it right. Stop rewarding bad behavior, and do reward the good. One of those articles I linked at the beginning of this post says that almost universally bad customer service is our own fault for continuing to purchase products at places that get it wrong.

I can’t recommend the companies listed above any more highly! If you’re in the market for motorcycle boots do yourself a favor and shop at Revzilla, and take a long hard look at TCX. If you need a good high quality pocket knife it’s impossible to go wrong with a Kershaw. Finally all home routers really are roughly the same. Do yourself a favor and don’t overlook Buffalo just because they don’t have the same kind of flashy, high dollar marketing a company like Linksys has.

If you’ve got a killer customer service success story, please leave it below in the comments!

Cheers!

LastPass Security Tools

In my last post I mentioned LastPass while discussing how to resolve a problem I was having. In this post I want to highlight the “Security Check” feature which makes LastPass a fantastic tool for managing your passwords.

If you click the LastPass plugin Icon, and then tools, the top option is “Security Check”. This will then prompt you for your LastPass password. After which it will analyze your password vault and give you an overall score which looks something like this.

Scrolling down from the overall score will give you details on which sites, if any, share a duplicate password. It will highlight the overall strength of each password in your vault, and it provides details on how recently your passwords have been updated. I’ve made it a practice to run the Security Check about once a quarter. It’s amazing how much random junk you collect over the course of three months that can be cleaned up when you’re aware of it.

In any case, if you’ve been looking for a password management system that helps you make good decisions regarding your online security, I highly recommend taking a look at LastPass.

Cheers!

Fixing Lastpass & Firefox

Let’s start out by discussing a little bit about what LastPass is. LastPass is a hosted online password management utility. It provides a facility to generate random passwords for every site you access on the internet, as well as the ability to store text based notes. This is coupled with strong encryption, preventing LastPass from ever sending or receiving decrypted data from their servers. Also included are browser plugins for all of the major browsers, on all major platforms. This allows LastPass to detect if the site is already known from the store and auto-fill your login and password information, or to detect a new site and offer to generate a password and save it to your vault. In short, LastPass is a very valuable tool for improving your overall online security, as you can have a unique password for every site you visit. Finally, LastPass includes tools to audit your vault for duplicate or weak passwords. This allows you to go through each of the known sites, little by little, and update/replace weak or duplicate passwords.

However, LastPass isn’t without some problems. Over the last three weeks I’ve noticed the most recent version of LastPass on the most recent version of Firefox leads to the browser hanging whenever you enter a password into a site not currently tracked by LastPass. This morning I found a solution to the problem that allows you to continue to use LastPass while also preventing the browser from locking up. If you are having problems with your browser locking up whenever you’re entering a password, perform the following change. Click the LastPass icon in your browser, and select Preferences. Then click on Notifications in the left hand menu. Finally, un-select the “Click Icons in Fields” option. The interactive bits in the fields seem to be the core cause of the browser slowdown / hangs.

Let me know below if you find a larger scale underlying problem. For now this is a pretty solid workaround.

Cheers!

Hosting Improvements With Docker

In conjunction with my new Static Files Blogging I’m also working on re-designing how the hosting environment itself is set up. The model I’m currently working on in a test environment uses Docker to drop groups of sites into individual containers. Each of these containers will have its own instance of Apache running mod_php & MySQL. In front of them, running in yet another container, will be nginx. This will manage named virtual hosting for all of the sites, and will then proxy_pass out of its container and into the appropriate container for the site being requested.

This should help mitigate the biggest security concern of shared hosting: that a single compromised web application leads to a completely exploited system. Instead, only the container in which that site is running would be exploited, limiting the surface area and scope of the attack.

I need to put a little more effort into exactly how I’m going to split up the individual sites. I also need to determine the least privilege I can assign to each Docker container while still providing a rich web application environment for the users. I don’t expect to run into resource problems on the new dedicated server even though I’ll be running several distinct instances of Apache and MySQL. However, if problems arise I should be able to make adjustments pretty easily. I’ll update this again once I have more to report, including some of the implementation notes.
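As an added example (not code from the original post), here is one way to lay out the nginx-in-front, one-container-per-site model described above, including a least-privilege starting point for each site container. The network name, the Apache+mod_php+MySQL image name, the site list format and the data paths are all assumed.

```shell
#!/bin/sh
# Added example, not code from the original post: nginx edge container
# proxying named virtual hosts to per-site containers. The network name,
# image name, site list format and data paths are assumed.
set -eu

SITE_IMAGE="example/apache-php-mysql"   # assumed Apache+mod_php+MySQL image
EDGE_NET="web_edge"                     # user-defined Docker network

# Emit an nginx server block that proxies one virtual host to the
# container serving it. nginx resolves the container name through
# Docker's embedded DNS on the user-defined network, so no site
# container needs a published host port.
gen_vhost() {
    host="$1"       # public hostname, e.g. blog.example.com
    container="$2"  # name of the container running Apache for it
    cat <<EOF
server {
    listen 80;
    server_name ${host};
    location / {
        proxy_pass http://${container}:80;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
}

# Start one site container with the least privilege a typical Apache
# image needs: every capability dropped except the few used to bind
# port 80 and drop to www-data, no privilege gain via setuid binaries,
# a memory ceiling so one runaway site cannot starve the others, and
# no -p, so only nginx is reachable from outside. Tune for your image.
run_site() {
    name="$1"; datadir="$2"
    docker run -d --name "$name" --network "$EDGE_NET" \
        --cap-drop ALL \
        --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
        --cap-add NET_BIND_SERVICE \
        --security-opt no-new-privileges \
        --memory 512m \
        -v "$datadir:/var/www:rw" \
        "$SITE_IMAGE"
}

# Site list: one "hostname container_name data_dir" triple per line.
# Generate every vhost config and start the site containers first, and
# only then start the edge proxy, the one container that publishes 80.
deploy() {
    sites="$1"; confdir="$2"
    mkdir -p "$confdir"
    docker network create "$EDGE_NET" 2>/dev/null || true
    while read -r host container datadir; do
        gen_vhost "$host" "$container" > "$confdir/$host.conf"
        run_site "$container" "$datadir"
    done < "$sites"
    docker run -d --name edge_nginx --network "$EDGE_NET" \
        -p 80:80 -v "$confdir:/etc/nginx/conf.d:ro" nginx:stable
}

# Touch Docker only when asked, so the functions can be sourced and
# checked without a daemon present.
if [ "${1:-}" = "apply" ]; then
    deploy "${2:-sites.txt}" "${3:-./conf.d}"
fi
```

Run it as `sh deploy.sh apply sites.txt ./conf.d` once the site list and data directories exist.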

Cheers!

Networking With PFSense

I’ve been meaning to upgrade the network in our house since we moved in. I had intended to take care of setting things up the right way immediately after our Internet was migrated from the apartment we moved out of. Of course you know what they say.

The best-laid plans of men and mice often go awry

When I say I’ve been meaning to upgrade the network, I specifically am referring to using something a little more powerful than a Buffalo router running DD-WRT to take care of the networking. It’s not that there’s anything exactly wrong with DD-WRT, it’s just that I want and expect more from my router/firewall appliance. This week I finally acquired a new power supply for an older dual core AMD Opteron system I had lying around and installed PFSense, which is a FreeBSD-based firewall distribution. My background includes a lot of work with FreeBSD, so I’m fairly comfortable with the way they do things. PFSense allows for the easy installation of additional packages and features, which is possible on DD-WRT, but because of the hardware you’re very limited in what you can usually add.

Just getting PFSense running on a machine isn’t enough to warrant replacing a functional solution based on DD-WRT. The first big change I made is that devices wired to the router are on a different network than wireless devices. I have routing in place between the two networks so it’s a seamless separation, but it opens the door to do more things in the future. The next change I made was installing HAVP – HTTP Anti-Virus Proxy. This is configured as a transparent web proxy, which integrates with ClamAV to scan web pages and downloads for viruses before they ever reach your desktop or laptop computer. I don’t expect this to be a silver bullet that protects the two Windows computers from thoughtless browsing, but it might help a little. By default PFSense, like most home routers, functions as a DNS forwarder, but I’ve been meaning to run my own caching name server for a while. So I installed the Unbound package, which is a validating, recursive, and caching DNS resolver. Unbound also supports DNSSEC – DNS Security Extensions.

DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning [0]. It is a set of extensions to DNS which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence. Finally, I’ve wanted to install an IDS for some time. Again PFSense makes this easy by including Snort, an open source IDS.
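Installing the Unbound package is not the same as confirming it validates, so here is an added check (not from the original post) that queries the resolver and looks for the AD flag a validating resolver sets, plus the SERVFAIL it returns for a zone whose signatures do not verify. The resolver address is assumed; example.com is a signed zone and dnssec-failed.org is a public zone with deliberately broken signatures.

```shell
#!/bin/sh
# Added example, not code from the original post: check that the Unbound
# resolver on the PFSense box really validates DNSSEC instead of merely
# forwarding. The resolver address passed on the command line is assumed.
set -eu

# Succeed if the dig output on stdin carries the AD (authenticated data)
# flag, which a validating resolver sets only when the answer passed
# DNSSEC validation.
has_ad_flag() {
    grep -E '^;; flags:' | grep -Eq '(^|[[:space:]])ad([[:space:]]|;)'
}

# Succeed if the dig output on stdin reports SERVFAIL, the status a
# validating resolver returns for a zone whose signatures do not verify.
is_servfail() {
    grep -Eq '^;; ->>HEADER<<-.*status: SERVFAIL'
}

# Classify one dig result as validated, servfail or unvalidated
# (an unsigned zone, or a resolver that is not validating at all).
classify() {
    out="$1"
    if printf '%s\n' "$out" | is_servfail; then echo servfail
    elif printf '%s\n' "$out" | has_ad_flag; then echo validated
    else echo unvalidated; fi
}

# Query a name through the resolver. Passing +cd (checking disabled)
# makes the resolver hand back the data without validating it, which
# tells a broken-signature SERVFAIL apart from a plain outage.
query() {
    resolver="$1"; name="$2"; extra="${3:-}"
    dig +dnssec $extra "@$resolver" "$name" A 2>/dev/null || true
}

# Exit 0 only if a signed zone validates AND a broken zone is refused.
check_resolver() {
    resolver="$1"
    good=$(classify "$(query "$resolver" example.com)")
    bad=$(classify "$(query "$resolver" dnssec-failed.org)")
    bad_cd=$(classify "$(query "$resolver" dnssec-failed.org +cd)")
    echo "signed zone:        $good (want validated)"
    echo "broken zone:        $bad (want servfail)"
    echo "broken zone +cd:    $bad_cd (want unvalidated: data returned, unchecked)"
    [ "$good" = validated ] && [ "$bad" = servfail ]
}

# Only query when a resolver address is given, e.g. sh check.sh 192.168.1.1
if [ "${1:-}" != "" ]; then
    check_resolver "$1"
fi
```

If the signed zone comes back "unvalidated", the resolver is answering but not validating, which is the forwarder behaviour the Unbound package was meant to replace.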

I don’t expect to see any significant changes with how my network runs and operates with PFSense at the edge of my network over DD-WRT. DD-WRT is a powerful home router, able to do far more than most home users would ever demand of it. I made the move to PFSense for the following reasons:

  • I’m a giant nerd who can’t leave things alone.
  • I have a soft spot for FreeBSD and things powered by it.
  • I hate having hardware just sitting around not being used.

After I’ve been on this system for a while I’ll write a follow-up that includes some of the statistics for what Snort and HAVP helped protect us from.

Cheers!

Blogging Nirvana

In my Last Post I mentioned moving toward blogging with static HTML files. In this post I’m going to write about the tools I’m using to make my dream a reality.

First we have a utility called Octopress which is a blogging framework built around another framework named Jekyll. Jekyll is the underlying technology behind GitHub Pages which is pretty cool. Unfortunately I didn’t want to use GitHub Pages to host my sites. So an alternative had to be found. Octopress is described on their own page as follows.

“Octopress is a framework designed by Brandon Mathis for Jekyll, the blog aware static site generator powering Github Pages.”

So this blog is created using Octopress. The next part of the equation is how I publish to this blog. This requires a little extra plumbing on my part because I want to be able to write posts from any of my computers and have them publish to my web server. As a result I have my Octopress installation stored in my personal GitLab server. I’ve been using GitLab for about a year now for all of my personal software projects, to keep text notes, *nix environment files, etc., and I’ve been very happy with it. Keeping the Octopress installation in GitLab gives me a way to keep all of the computers I would use to publish content to the blog in sync, but still doesn’t get me to the level of automation I would like.

Enter Jenkins. The Jenkins-Ci website describes Jenkins as:

“Jenkins is an award-winning application that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Among those things, current Jenkins focuses on the following two jobs:

  • Building/testing software projects continuously, just like CruiseControl or DamageControl. In a nutshell, Jenkins provides an easy-to-use so-called continuous integration system, making it easier for developers to integrate changes to the project, and making it easier for users to obtain a fresh build. The automated, continuous build increases the productivity.
  • Monitoring executions of externally-run jobs, such as cron jobs and procmail jobs, even those that are run on a remote machine. For example, with cron, all you receive is regular e-mails that capture the output, and it is up to you to look at them diligently and notice when it broke. Jenkins keeps those outputs and makes it easy for you to notice when something is wrong.”

In my earlier post about my Improved Backup System you’ll see I already had Jenkins in place too.

All that was left was to hook all the pieces together. GitLab can run a post-receive hook, which fires an event any time someone pushes to the repository. On Jenkins I had to install the Gitlab Hook Plugin. Then I set GitLab’s post-receive hook URL to http://$JenkinsServer.Domain.Tld/gitlab/build_now. In your Jenkins job be sure to fill in the Source Code Management section and point it at the correct repository; this links the job to the GitLab hook. Finally we have to tell Jenkins what to do with the repository once it’s been cloned. Under Execute Shell add the following:

bundle
bundle exec rake generate
bundle exec rake deploy

That’s all there is to it.

Cheers!

What’s Old Is New Again

Not long ago most websites were generated by manually editing files with a .html extension and then uploading them to a webserver, which served these static files. Then came the rise of Web 2.0, which opened the door to dynamic HTML rendered on the fly using a programming language such as PHP, and a database such as MySQL to hold the content.

While these dynamic websites opened the door for all sorts of people to manage the content on their sites, they brought with them a host of new problems, primarily in the form of security issues and performance problems. On a small site it might be easy to put together a host that will handle the tiny amount of traffic a small site will have. However, large sites pay large sums of money to build highly scalable web application server clusters including caching and load balancing. With this complexity comes another problem: small changes can have a profound negative effect on performance.

I’ve personally been looking for an easy way to use a text editor on “any” of my computers to write a blog post. Then with a tiny amount of magic have that new post appear online. This blog is my first step toward my future nirvana.

My next stop on this journey will take me to This Post which walks through using Jenkins CI to execute the commands needed to generate, and publish the static web content. Once that’s coupled with a git post commit hook on my GitLab installation I should finally be in blogging Nirvana.

I have reached this goal by integrating my personal Gitlab server, with my Jenkins-CI installation. This now publishes my blog automatically when I commit.

Privilege Separation on Linux

I have been following a little known Linux distribution for a while now called Qubes OS. This distro is based on Fedora 18 with Xen to create strong privilege separation between different kinds of tasks. Specifically, you create numerous Dom-U virtual machines (i.e. Work, Banking, Personal, Untrusted) and then applications like Firefox executed in the “banking” domain are completely pristine and firewalled off from Firefox in the “untrusted” domain. This is a very neat idea, as Qubes also uses a few “utility” instances to tie it all together (Networking, Firewall, etc.). This also allows you to tune whether or not an application from, say, the “Work” domain can talk to applications in the “Personal” domain.

Credit: Pete Massas

The problem with Qubes OS is that it’s based on an older build of Fedora, and they have a team that’s apparently too small to keep up. There are a lot of bugs and not enough people working to squash them all. Also, Xen virtualization is heavy. The idea of Qubes is solid, but its execution is perhaps sub-optimal.

I haven’t done very much work yet, but I’m looking at whether or not I can use Docker on a modern Linux system to launch userland applications rather than daemons, then tie those applications into the host X Windows session using something like xpra. Nat Meysenburg has a good article about using xpra with unique users per application for privilege separation.

Credit: Philippe Amiot

I also have considered whether or not using a tool like Open vSwitch makes sense in this context, or if it will just make things unnecessarily complex.  More to come on this topic after I sit down with the author of http://www.therandomsecurityguy.com around a whiteboard.

Cheers!

Austin Sportbike Riders Maintenance Day at South Austin Motorcycle CoOp

On Feb. 23, 2014 I went down to the South Austin Motorcycle Co-Op for the Austin Sportbike Riders Maintenance day with the intent of replacing my front forks.

On the stand ready to go

A couple of the guys from the Austinmotorcycles Sub-Reddit offered to help me with the project, which is great! So we got the bike onto the stand and unloaded the front wheel, using the center stand and a tie-down strap to hold the rear wheel down.

Front wheel removed

We had no difficulty removing the front wheel. Things were progressing nicely.

Right up until we went to remove the brake caliper from the right fork. It appears the original owner of my Ninja 500R destroyed the caliper bolts. They were almost completely round with no surface for the wrenches to bite.

So we went to re-assemble the front end, as trying to ride it home with mangled caliper bolts didn’t sound like a good idea. The problem is my bike is also in desperate need of new brake pads, so when we went to re-install the wheel one of the pads kept falling out.

We did eventually get it, with the help of a couple extra hands, and I rode the bike home with the “Round Head” security bolts still installed.

Monday I picked up a pair of M10 (1.25) x 40mm class 10.9 bolts with 17mm heads from American Bolt here in Austin, TX, and managed to replace the top caliper bolt after a few arguments with my tools.

One Down, One to go.

I have new brake pads and stainless steel braided brake lines on order. I picked up a bottle of brake cleaner & DOT-4 brake fluid. Once the rest of the parts are in I’m going to re-attempt the fork upgrade, and will work in a brake system upgrade while I’m at it.