Wednesday, 8 December 2010

Web serving from home (Part 2)

As related in the previous post, I installed a clean version of OpenBSD on a Sun Netra T1. With all the daemons running, I decided to put it on the web --- if I could. After all, this means I have to open port 80 (http) and since we had switched to FiOS I didn't know if I could do this.

So, I logged into the router and set the security to nothing. I then realized I could put the new machine (shieldaig, named after a small coastal town in Scotland) in the DMZ. This is a more secure idea than exposing all of our machines to the wild wooly world. But, to do this meant I had to have a static address for shieldaig. That was easy enough to do ... but then I didn't have a local name! Why not? Because... in order to register the machine with the local DNS server at the router, I have to use the DHCP server. But, for once I remembered how I'd solved this problem: aliases. shieldaid has two addresses: one static, one dynamic. The static one doesn't have a name, so that's OK. Back to the router: I put the new static address in the DMZ field. I now checked that port 80 was open. It was!

So, what's the name of this machine? That's the question. Since I'd paid for kahrs.us what I needed was a DNS mapping from this name to it's IP address. I found a free DNS server --- but now the problem was how to make the DNS address point to the IP address. It took me several days of off and on tinkering to realize that the DNS server had to be all on the free DNS server. Once I did that, then the free DNS server was happy and accepted my IP address.

Now, I have to mention that FiOS has Dynamic IP unless you want to pay big bucks. It's just another layer of DHCP above our router after all... So, this means our address could change. But it appears that Verizon has set a huge timeout for the Dynamic DNS, so thus far I haven't had to reset our DNS address. Cool.

One last thing: I was trying to figure out why going to www.kahrs.us didn't work from outside. Well, turns out it gets mapped to shieldaig.kahrs.us and unless that's in the DNS entry as well, it won't work. Simple fix again.

At this point, shieldaig was now on the web. And lo and behold, immediately it was under attack. The samba server was hit constantly but since the addresses weren't local, it just failed. Then there's the constant script kiddy attacks on the sshd daemon. If it weren't so funny, I would love to trap them. I watch the logs that show constant login attempts to root (which is disabled via ssh) and then also watch as they march up the alphabet trying name after name.

I also see what's going on with web access. The machine has been found by both google and yahoo (yahoo was first). I'm wondering when random web accesses will start... thus far it's only been people who we know.

The last conundrum is why accessing www.kahrs.us fails locally but succeeds outside. I've just put this as a DNS question and decided that it doesn't really matter.

My final step was moving the machine down to the basement to live next to the router. Thus far, OpenBSD has been rock solid. And the shitehead script kiddies are deeply unsatisfied. Excellent!

Saturday, 4 December 2010

Web serving from home (Part 1)

In an earlier post, I mentioned that I was going to lose my long time web home at caip.rutgers.edu --- Since I was long gone from caip, I suppose it was about time. So, what was I going to do for a replacement? I decided maybe now was the time to take it into my own hands...

Sometime earlier I had acquired a Sun Netra T1 as a possible web machine. I had an X1 in mind, but the T1 was certainly cheap enough. It's packaged in a nice 1U box and has a very simple interface to the outside world. Two ethernet ports, a serial port and that's about it. My machine didn't have a disk but included one sled. Good thing. I happened to have a stockpile of 40 GB disks, so I installed it in the machine. Good, what next? Software, that's what. I decided to go for OpenBSD because (a) it's a BSD derivative and I know BSD from my grad skool days (b) The price is right (c) it's said to be very secure. But how do I get it onto my disk? Fortunately for me, I had torn apart a PC and had a CD-ROM available. So, I plugged it into the second IDE slot and powered the machine up. Oh yes, and connected the serial port to my lab PC.

The machine came to life easily enough but proceeded to put my in the Sun Lights Out Monitor (LOM). The LOM is yet another supervisor layer for the machine --- reminds me of the PDP-11/45 used on the PDP-10/L ... So, the problem was as soon as I told it to boot from the cdrom (in the console) then it would complain about the Fast MMU error. I'd seen this before --- a long time before but couldn't remember what it was. Google to the rescue. I found a post that claimed that this error was due to a missing password in the LOM. You've got to be kidding. But what had I to lose? I created a password and tried again. Still failed. Ah! Maybe I should logout and log back in? You guessed it. It worked. So, there I was booting from the CD-ROM and writing to the disk. I couldn't believe it.

I installed OpenBSD and it all worked. But then I changed my mind about the disk allocation. Maybe I should put most of the space for web pages? It was almost trivial to go back and re-install. After that, I had to work on the ethernet interfaces. I wanted to have two ports: one for the router and one for the local machines but decided it really didn't make much difference. So one port it was. OpenBSD comes ready to serve pages: it already has Apache on it. So, I really didn't need to install any packages. In addition, I decided to move the services served by my own machine to this server (such as BOOTP, RARP and friends). I easily moved them over.

Finally, I was looking at a reasonably nice machine. I was impressed at how fast it served pages. It seemed fairly secure. I enabled samba for the local house machines but turned it off for everyone else (this will turn out to be important). Finally, I decided it was time to remove the CD-ROM and put the lid back on. The next and final step would be to place it on the net ...

Marshall Leach

I find obituaries fascinating. There are so many interesting people that we never meet. I think it's only fair that I contribute. In this case, I never met the man. Marshall Leach died at age 70 as a full professor at Ga. Tech. He was certainly not retired and had a full teaching schedule. What's notable about Leach is that from all appearances, he was an idiosyncratic type with a great sense of humor. But what I know of him is his academic legacy. My last paper on SPICE modeling of headphones is a direct descendant of his paper on SPICE modeling in Electroacoustics. It was his paper that led me into all of Olson's papers on electroacoustic modeling and simulation. Unlike many, he published sporadically but his papers were always interesting to read. His paper on low noise electronics in Proc. of the IEEE is a clear exposition of the problems and solutions to low noise design. He received four teaching awards from the students. Clearly, he was perfect in his roles as teaching and advisor. His legacy comprises the papers he published and the many students he taught. And that's a life well lived.