Junos 10

Posted on by

Today I have been mostly installing Junos. Well actually I’ve wasted most of the day trying to get Junos 10.4 to work in Olive under VirtualBox. I understood that it required FreeBSD 7.1, so tried installing it under 7.1 and 7.4 to no avail.

In the end I cloned my Junos 9.0/FreeBSD 4.11 VM, allocated 512Mb instead of 256Mb and installed 10.4 as an upgrade, which also meant I didn’t have to bother removing checkpic.

I wasted a few rounds of installing due to using the export version, which doesn’t include SSH! Also part of the trick of getting it to work under VBox seemed to be to create a serial port as a named pipe – not sure why but that seemed to help get past the bootloader hanging, possibly as it had a TTY to allocate.

I also upgraded my 9.0 to 9.6 which has a bit of a more useful JWeb interface, and also requires 512Mb now.

All of this was to aide my development of a set of NASL scripts to do Junos security compliance auditing. It seems Tenable have worked around the UNIX-only limitation of Nessus’ ssh_cmd() function by putting in a special check for when uname -a fails – i.e. its either IOS or Junos (or unsupported). Of course in Junos shell mode, it will pass (as its FreeBSD) so you have to check that you’re in CLI mode to do the config checking.

Its only taken them four years of me asking for this, and I guess its come as a result of Nessus’s new IOS support for their own compliance plugin and local security checks for Junos patches etc.

Update: I’ve written 20 NASL plugins to do the Junos auditing now and I noticed I was hitting the SSH rate-limit setting in Junos, so my plugins were getting booted off. It was because for each plugin I was calling ssh_cmd() at least once and also a function that checks I could login with the correct level/privileges etc; so was making at least two SSH connection attempts per plugin, which soon hit the 10 connection attempts per minute limit that was configured.

So now I’ve moved all of my ssh_cmd() calls into one big include file which uses a single SSH connection to send 30 or so commands, and populates the knowledgebase with the results. The plugins then have that in their script_dependencies() and don’t use SSH at all, just a couple of calls to get_kb_item() which simplifies the code quite a lot and an entire scan can be done in 10secs!

Upgrades Galore

Posted on by

I fitted my new SSD to my fileserver yesterday as it was a rainy Sunday afternoon. Oddly enough the new 2.5″-to-3.5″ drive rails I got don’t fit in a floppy bay – well they do but the screw holes won’t line up, so I fitted it in my one remaining hard disk bay.

Anyway I was surprised how quickly I replaced the Ubuntu 9.10 setup with Debian 6.0.3 without losing any functionality. I decided to stick to Squeeze+Backports as Wheezy like on my desktop machine is way too much maintenance for a fileserver – I can’t cope with the “apt-get upgrade” fear! ;-)

Speaking of backports, to replace OpenOffice.org with LibreOffice, you need to run this and answer “yes” to the dependency questions:

apt-get -t squeeze-backports install libreoffice libreoffice-gtk

Anyway the main thing I was worrying about – the printer/scanner was truly plug’n'play – I turned it on to do some scanning and CUPS automatically configured the printer part, and SANE just worked. None of the Epkowa (iscan+pips) Epson proprietary crap required.

I encrypted the boot drive using LUKS+LVM so I only need to enter the passphrase once, that seemed a lot easier than when I installed Wheezy and did multiple partitions.

I copied across the fstab and /etc/exports and all the various disks mounted and shared over NFS to the Mac seamlessly. I literally rebuilt the fileserver in two hours! Plus now it is all encrypted I can use it as a backup desktop machine for work.

Next up was the Mac Mini, currently running Leopard 10.5.8, I decided for £21 I might as well upgrade to Lion 10.7.2 as I already have 2Gb RAM and a Core2Duo, and apparently the new version of Plex doesn’t work on 10.5

Luckily I had a Snow Leopard 10.6.8 install in a virtual machine, so I bought Lion via the App Store (basically iTunes) using that. Wow the App Store is crap – I had to sign in about 6 times, I guess they’ve not heard of sessions at Apple.

I then used these instructions to create a bootable USB disk to do a fresh install of Lion – all within VirtualBox.

I’m actually dual booting Leopard and Lion using these instructions. Shrinking the disk so I could add a partition in the free space took the longest, installation was about 25mins. I’m glad I did it actually as although Lion runs fine (except it doesn’t like etherwake) the latest Plex 0.9.5.1 is rubbish, so I’m booting Leopard and Plex 0.9.3.4 at the moment.

Hard Disk Goodness

Posted on by

I’ve been busy today fitting, backing-up and restoring a whole bunch of new hard disks. I fitted the 2x2Tb Hitachi drives, which turned out to be SATA 6Gbps 64Mb cache 7200rpm Hitachi 7K3000 drives, not 7K2000′s (3Gbps/32mb) that I expected, and they’re selling for way over twice what I paid for them! What a waste putting those in a USB2 enclosure, mind you they did come out of the enclosure pretty easily ;-)

I also fitted the hotswap dock thing, which came in handy restoring my 1Tb WDC to my 2Tb Hitachi, and backing that up to my replacement 2Tb WDC! Its a bit stiff getting the drives in, and getting them out seems even worse.

Seeing 7.5Tb capacity in Disk Usage was quite surreal! I’ve run out of SATA connectors now as one is dedicated to eSATA (with another 1Tb hanging off it!) Next I’ve got to replace the old 250Gb HDD with a new 96Gb SSD and fit the new PSU, but I’ll leave that until all the disk syncing is done.

The State Of DVB-S On Linux

Posted on by

I just wasted a few hours experimenting with DVB applications for Linux as I thought I’d like an alternative to Kaffeine that I currently use.

Guess what? None of them worked despite tuning fine using w_scan, scan or their internal scanners.

Totem and gnome-dvb-control use gnome-dvb-daemon as their backend which just coredumps almost instantly, the frontends just spawn a load of python errors whenever you click something.

The CLI favourite “vdr” just kind of sits there doing nothing instead of displaying a menu.

xawtv is just a joke these days, tvtime is not much better.

Everything seems to be focused on DVB-T (Freeview) rather than DVB-S2 (Freesat/Sky).

So I’m sticking with Kaffeine to drive my WinTV Nova-HD-S2. It works well but I’d like a console interface and a better EPG.

Another One Bytes The Dust

Posted on by

My 2Tb Western Digital Caviar Green is dying – 1305 unfixable sectors! Off to RMA land for that, when it comes back its being relogated to “backup in the cupboard” drive.

I’ve spent the last 12 hours or so trying to back up the 1.2Tb of data to other drives – luckily I still have an unused 1Tb WDC Caviar Black in the cupboard (the last RMA!) and some free space on my 1.5Tb WDC Green.

I’m replacing it with two Hitachi XL2000 external drives which I’m going to remove from their USB2 enclosure and mount the drives internally – as under the hood they are apparently Deskstar 7K2000 drives, which are 7200rpm SATA disks with 32Mb cache, and they’re not stupid 4k AFD drives like WDC’s offerings. It will invalidate the 2-year warranty, but HDD warranties are pretty pointless as you only get the same old shitty drives back again, its not like a refund.

I ended up getting one from Tesco for £57 using the £10 off £50 code TDX-KLH4, and then another one using the £10 off £75 code TDX-MNGK and buying a pack of 100 CD-R’s to make up the difference. So 4Tb of storage and some CD’s for £127 for in-store pickup is not too shabby.

I’ve also ordered a 96Gb Kingston V+100 SSD drive for the fileserver to replace its ancient 250Gb WDC Caviar Blue, for £80, plus a new PSU with a 135mm fan, and a SATA dock. Blimey the accountant will be pleased at all the expenses and VAT receipts!