Posts Tagged ‘wifi’

ClearOS 6.3: I am an Access Point and So Can You

Despite the crappy things I’ve had to say about 6.3 I’ve decided to tough it out on my new home router. Normally, where the modem and router-ap are separate pieces of equipment you can simply turn off DHCP on the old router and keep using it as an access point by plugging the switch side of it into the local network and moving its LAN IP somewhere it won’t conflict with the new router. Unfortunately, my ISP has made the “step up” to all-in-one modem-router-APs and the only way to bypass the limitations of the built-in router is to put the device in “bridged mode;” effectively turning it into a modem and sacrificing all of its other functionality. This would require either purchasing a separate, stand-alone access point or adding AP functionality to the ClearOS router to keep wifi going.

I settled on the Ralink 3090 because at about $10 it’s the cheapest 802.11n card offered on eBay at present. Unfortunately, the kernel module for this card seems to be the only Ralink module missing from those distributed with ClearOS by default – necessitating building and swapping in a new kernel.

First, it’s necessary to install the build environment:

# yum --enablerepo=clearos-developer,clearos-epel install clearos-devel

Now we’ll grab and install the kernel sources:

# wget http://mirror2-houston.clearsdn.com/clearos/community/6.3.0/dev/SRPMS/kernel-2.6.32-279.2.1.v6.src.rpm
# rpm -iv kernel-2.6.32-279.2.1.v6.src.rpm
# cd ~/rpmbuild

Now we need to install a few dependencies and patch the kernel according to the rpm spec:

# yum install xmlto asciidoc elfutils-libelf-devel binutils-devel newt-devel python-devel "perl(ExtUtils::Embed)" hmaccalc
# rpmbuild -bp --target=x86_64 SPECS/kernel.spec
# cp -a BUILD/kernel-2.6.32-279.2.1.el6/ /usr/src
# cd /usr/src
# ln -s kernel-2.6.32-279.2.1.el6/linux-2.6.32-279.2.1.v6.x86_64/ linux

We need to install ncurses-devel to run make menuconfig.

# yum install ncurses-devel
# cd /usr/src/linux
# make menuconfig

Since we’re rolling our own kernel we can’t rely on the stock initrd to get us booting. Once you’re in menuconfig be sure to compile these modules into the kernel statically:

  • Your disk controller module(s)
  • Ext4
  • Multiple devices driver support (RAID and LVM)
  • Device mapper support
  • Wired network devices (optional but I’m fond of guarantees)

Once you’ve configured your kernel and module selection compile and install them:

# make
# make modules_install
# cp arch/x86/boot/bzImage /boot/vmlinuz-new

Now modify /boot/grub/grub.conf and copy-paste the existing entry so you have two identical entries. Modify the first one to reference the new kernel’s file name and leave the second intact so if we can’t boot the new kernel we can still get back in to do more tweaking without having to break out a livecd.
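Because nothing loads modules before the root filesystem is mounted on this initrd-less kernel, it is worth checking the .config before running make. The following script is an added example, not part of the original post or of ClearOS; the CONFIG_ symbol names are the 2.6.32 x86 ones and the two sample .config fragments are constructed.

```shell
#!/bin/sh
# Verifies that the options the article says must be compiled statically
# are =y in the kernel .config (a module, =m, cannot be loaded before the
# root fs is mounted, and there is no initrd to do it). Extend
# REQUIRED_STATIC with your disk-controller and wired NIC symbols.
REQUIRED_STATIC="CONFIG_EXT4_FS CONFIG_MD CONFIG_BLK_DEV_MD CONFIG_BLK_DEV_DM"

# check_static_config <.config> [CONFIG_SYM...]
# Prints one line per symbol that is a module or unset; returns 1 if any.
check_static_config() {
    cfg="$1"; shift
    [ $# -eq 0 ] && set -- $REQUIRED_STATIC
    rc=0
    for sym in "$@"; do
        # Lines are "CONFIG_X=y", "CONFIG_X=m" or "# CONFIG_X is not set";
        # anchoring on =y/=m keeps CONFIG_MD from matching CONFIG_MD_RAID*.
        if grep -q "^${sym}=y\$" "$cfg"; then
            continue
        elif grep -q "^${sym}=m\$" "$cfg"; then
            echo "$sym built as module: not loadable before the root fs is mounted"
        else
            echo "$sym not set"
        fi
        rc=1
    done
    return $rc
}

# static_problem_count <.config>: number of problem lines for REQUIRED_STATIC
static_problem_count() {
    check_static_config "$1" | wc -l | tr -d ' '
}

# Constructed .config fragments: one the way menuconfig tends to leave
# things (ext4 and device mapper as modules, MD unset) and one corrected.
write_module_config() {
    cat > "$1" <<'EOF'
CONFIG_SATA_AHCI=y
CONFIG_E1000=y
CONFIG_EXT4_FS=m
# CONFIG_MD is not set
CONFIG_BLK_DEV_DM=m
EOF
}
write_static_config() {
    cat > "$1" <<'EOF'
CONFIG_SATA_AHCI=y
CONFIG_E1000=y
CONFIG_EXT4_FS=y
CONFIG_MD=y
CONFIG_BLK_DEV_MD=y
CONFIG_BLK_DEV_DM=y
EOF
}

# Against a real tree: check_static_config /usr/src/linux/.config CONFIG_SATA_AHCI
demo() {
    d=$(mktemp -d)
    write_module_config "$d/.config"
    echo "== as left by menuconfig =="
    check_static_config "$d/.config" || echo "fix these before running make"
    write_static_config "$d/.config"
    echo "== corrected =="
    check_static_config "$d/.config" && echo "all required options are built in"
    rm -rf "$d"
}
if [ "${1-}" = "--demo" ]; then demo; fi
```

Run with --demo to see both outcomes; pass your own symbols after the .config path to check the disk and NIC drivers for your board.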

Your wireless card will probably require external firmware to be loaded with its module. Be sure to install the firmware image to /lib/firmware so it can be found easily on bootup. For the RT3090 a .bin image is available in the linux source code zip at http://www.ralinktech.com/en/04_support/support.php?sn=501.

You may at this point reboot, and if successful you should be looking at a new interface (e.g. wlan0):

# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

eth1      no wireless extensions.

wlan0     IEEE 802.11bgn  Mode:Master  Frequency:2.462 GHz  Tx-Power=27 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

imq0      no wireless extensions.

imq1      no wireless extensions.

Now we need to install hostapd, which will take care of WPA authentication and putting your card into Master mode:

# yum install hostapd

Edit /etc/hostapd/hostapd.conf to reflect your environment:

ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel

# Some usable default settings...
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0

# Base WPA & WPA2 support with a pre-shared key
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

# DO NOT FORGET TO SET A WPA PASSPHRASE!!
wpa_passphrase=mypassword

# Most modern wireless drivers in the kernel need driver=nl80211
driver=nl80211

# Customize these for your local configuration...
interface=wlan0
hw_mode=g
channel=11
ssid=mynetwork

# Wireless N
wme_enabled=1
ieee80211n=1
ht_capab=[HT40-][SHORT-GI-40][DSSS_CCK-40]
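A quick audit of the finished hostapd.conf catches the settings that tend to survive from a template: WPA version 1, TKIP, WEP shared-key authentication and a short passphrase. This script is an added example, not part of the original post or of hostapd; the first sample config mirrors the values above, the second is a constructed hardened version, and the 16-character passphrase threshold is an assumption.

```shell
#!/bin/sh
# Audits a hostapd.conf for weak WPA settings. Only key=value lines are
# read; commented lines are ignored, and the last occurrence of a key wins.

# get_opt <file> <key>: value of the last active "key=value" line, or empty
get_opt() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# audit_hostapd_conf <file>: prints one finding per line, returns 1 if any
audit_hostapd_conf() {
    f="$1"; n=0
    wpa=$(get_opt "$f" wpa)
    # wpa is a bit mask: 1 = WPA, 2 = WPA2/RSN, 3 = both
    case "$wpa" in
        2) ;;
        1|3) echo "wpa=$wpa: WPA version 1 accepted; set wpa=2 for WPA2/RSN only"; n=$((n+1)) ;;
        *)   echo "wpa=${wpa:-unset}: no WPA at all (open or WEP network)"; n=$((n+1)) ;;
    esac
    # wpa_pairwise only matters when WPA version 1 is enabled
    case "$wpa" in 1|3)
        case "$(get_opt "$f" wpa_pairwise)" in
            *TKIP*) echo "wpa_pairwise allows TKIP; prefer CCMP"; n=$((n+1)) ;;
        esac ;;
    esac
    case "$(get_opt "$f" rsn_pairwise)" in
        *TKIP*) echo "rsn_pairwise allows TKIP; WPA2 should use CCMP only"; n=$((n+1)) ;;
    esac
    # auth_algs is a bit mask: 1 = open system, 2 = WEP shared key
    case "$(get_opt "$f" auth_algs)" in
        2|3) echo "auth_algs enables WEP shared-key authentication; use auth_algs=1"; n=$((n+1)) ;;
    esac
    psk=$(get_opt "$f" wpa_passphrase)
    if [ -z "$psk" ] && [ -z "$(get_opt "$f" wpa_psk)" ]; then
        echo "no wpa_passphrase or wpa_psk set"; n=$((n+1))
    elif [ -n "$psk" ] && [ ${#psk} -lt 16 ]; then
        # 16 is this script's threshold; hostapd itself accepts 8 to 63 chars
        echo "wpa_passphrase is ${#psk} characters; use a long random passphrase"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}

# count_hostapd_findings <file>: number of findings as a bare integer
count_hostapd_findings() {
    audit_hostapd_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample: the values from the article's hostapd.conf.
write_article_style_conf() {
    cat > "$1" <<'EOF'
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_passphrase=mypassword
driver=nl80211
interface=wlan0
hw_mode=g
channel=11
ssid=mynetwork
wme_enabled=1
ieee80211n=1
ht_capab=[HT40-][SHORT-GI-40][DSSS_CCK-40]
EOF
}

# Constructed hardened sample (the passphrase is a placeholder to replace).
write_hardened_conf() {
    cat > "$1" <<'EOF'
interface=wlan0
driver=nl80211
ssid=mynetwork
hw_mode=g
channel=11
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-to-a-long-random-phrase
EOF
}

if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d); write_article_style_conf "$d/hostapd.conf"
    audit_hostapd_conf "$d/hostapd.conf" || echo "fix these before starting hostapd"
    rm -rf "$d"
fi
```

wpa=3 with wpa_pairwise=TKIP exists only to admit legacy WPA1 clients; once every client speaks WPA2, wpa=2 with rsn_pairwise=CCMP alone is the stronger configuration. Point the script at /etc/hostapd/hostapd.conf to audit the live file.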

Now start hostapd and add it to the appropriate runlevels:

# /etc/init.d/hostapd start
# chkconfig --level 2345 hostapd on

If you want the wireless to be on the same subnet as your wired LAN you must bridge the wireless and wired interfaces using standard ifcfg config files and restart networking; webconfig will not allow you to edit a bridge interface’s IP settings so these must be included in the ifcfg file. Otherwise, assign a different subnet to the wireless device and choose the LAN role to allow routing between the two subnets. Alternatively, choose the Hot LAN role if you want to keep wireless clients from poking around on your wired network (probably a good idea!).

Be sure to enable DHCP for your bridged or wireless interface and congratulations on your new ClearOS access point.

The Telus LG Optimus One (P500h): Not The Worst Thing Ever

About a year ago I shared my nightmarish adventure on the Keybo2 with you. It’s finally dying and I’ll be moving soon so I decided it was high time for a new phone. In my time with the Keybo, Telus and Virgin began offering actual smartphones on their prepaid plans. Unfortunately, Telus is the only carrier with a true one-number-unlimited feature, which I need in order to tunnel all of my calls through a VoIP incoming/dial-out gateway for unlimited North America calling and great justice.

I was a little wary given my caged experience on the Keybo; I expected captive portals and locked-down features abound. I talked myself into it though, realizing that if I really liked it I would probably return it, drop all the VoIP buggery and get a real plan with an incumbent provider. Imagine my delight when I turned it on and:

  • Connected to my access point
  • Downloaded an SSH client from the REAL android market for FREE
  • Created a VPN and shelled into a server
  • Browsed a bunch of websites
  • Installed and ran a terminal emulator
  • Enabled built-in mobile hotspot (tethering)

At this point I knew I was in love; even though the prepaid data on Telus is crap ($10/250MB), totally unrestricted wifi makes up for that by letting one sync and cache certain apps before heading out. Kudos to Telus for embracing tethering; to tether the Keybo you have to unlock the service menu and grab your PPP credentials, then use dial-up modem emulation over Bluetooth or USB. Unfortunately, the terminal emulator doesn’t really give you any access to your phone unless you install a custom (rooted) ROM. I’m two weeks in and haven’t needed to root my phone yet, but if the urge arises expect another article. Interestingly, the NSA released SE Android yesterday but at present it looks like it must be built from source and probably won’t be very noob-friendly for a while to come.

Here are the specs, courtesy of GSMArena:

2G Network GSM 850 / 900 / 1800 / 1900
3G Network HSDPA 900 / 2100
Announced 2010, July
Status Available. Released 2010, October
Dimensions 113.5 x 59 x 13.3 mm
Weight 129 g
Type TFT capacitive touchscreen, 256K colors
Size 320 x 480 pixels, 3.2 inches (~180 ppi pixel density)
Alert types Vibration, MP3 ringtones
Loudspeaker Yes
3.5mm jack Yes
Card slot microSD, up to 32GB, 2GB included
Internal 170 MB user available, 512 MB RAM
GPRS Class 10 (4+1/3+2 slots), 32 – 48 kbps
EDGE Class 10, 236.8 kbps
Speed HSDPA 7.2 Mbps
WLAN Wi-Fi 802.11 b/g, Wi-Fi hotspot
Bluetooth Yes, v2.1 with A2DP
USB Yes, microUSB
Camera 3.15 MP, 2048×1536 pixels, autofocus; geo-tagging, face and smile detection, Beauty Shot
Video Yes, VGA@18fps
Flash No
OS Android OS, v2.2 (Froyo), upgradable to v2.3
Chipset Qualcomm MSM7227
CPU 600 MHz ARM 11
GPU Adreno 200
Sensors Accelerometer, proximity, compass
Messaging SMS (threaded view), MMS, Email, Push Email, IM
Browser HTML
Radio Stereo FM radio
GPS Yes, with A-GPS support
Java Yes, via Java MIDP emulator
Features - Social networking integration
- Google Search, Maps, Gmail
- YouTube, Google Talk
- DivX/Xvid/MP4/H.264/H.263/WMV player
- MP3/WAV/WMA/eAAC+ player
- Document viewer/editor
- Organizer
- Voice memo
- Predictive text input

Although the camera’s resolution is no improvement over the Keybo I’m thrilled to finally have automatic, mechanical focus. Now instead of snapping 50 shots to get one decent one I’m down to something like 5. My Optimus shipped with Android 2.3 and a now-defunct app called the LG App Advisor.

Now that I had become introduced to my new toy it was time to get that totally badass animated weather wallpaper HTC Sense UI users have. To do this without purchasing Beautiful Widgets we first replace the default launcher (LG’s kind of sucks anyway) with GO Launcher EX. Then download GO Weather, both available through the Android Market. GO Weather is a beautiful (literally) piece of software that provides three interfaces:

App – This sits in your app tray and has its own video theme. Opening the app provides detailed weather information and updates the weather data.
Widget – There are four different sized widgets that can be included in your launcher; depending on the skin you choose they may display different things.
Live Wallpaper – Set your launcher’s background to the GO Weather Live Wallpaper and download a video theme to get a similar effect as the App.

Next I wanted to grab a few apps that would be handy around the city. TTC Alerts  is probably the neatest, most useful app I have installed so far. When a diversion, delay or cancellation happens on Toronto’s bus, subway and light rail system I am notified by a vibration and red TTC icon in my status bar. Dragging down the status bar gives me the details. When the issue clears up and everything is moving smoothly once more the icon turns green. Essential for anyone who relies on The Rocket.

Another sweet app for TTC users is Transit Now Toronto. You can use your GPS to find the closest bus stop and plan your route. The free version of this app does not support the Alerts function but the TTC Alerts app discussed above makes this sort of moot. If you’re lazy like me you may also like the TTC Subway Efficiency Guide which helps users pick the right place to stand on platforms so they are better situated to stairs and escalators at their destination. Toronto PATH Map is a pocket-sized map of the world’s largest underground shopping complex.

Being a man of the province I also downloaded Go Mobile from Ryerson University. Go Transit is Ontario’s inter-municipal transit system, it operates a combination of diesel-electric locomotives and coach busses to interconnect the towns and cities of Southern Ontario. My biggest complaint about this app is it requires a data connection to even get to the main menu. I feel the bus and train schedules could at least be cached daily. A minor gripe is that it is impossible to plan a route end-to-end where there is a connecting bus or train.

Speaking of caching, data is going to cost a lot on a prepaid plan so anything we can grab while at home or near a hotspot is golden. Nowhere can I see this being more beneficial than with GPS navigation. The apps that came loaded on my droid (and many of the third-party apps out there) rely on a data connection and Google Maps. Fortunately, MapDroyd has you covered: you can download a pre-compiled map of a given geographical area to your SD card.

That brings me to entertainment: with all of the weather and TTC updates and bells and whistles going on in the background non-stop I expect to be chewing through my 250MB quota without even using the connection. Obviously, browsing YouTube is not going to be an option on the road. In addition to audio and video files off the PC I have found these interesting apps which will let you store their content for offline viewing:

  • The Toronto Star – News notifications, background synchronization and off-line viewing of one of Canada’s most respected news outlets.
  • TED Air – Download videos of TED talks to watch at any time. Very slick looking but also very crashy. I have had a _lot_ of problems with this one.

To track my data usage I’ve been using DroidStats because it’s one of few which track wifi in addition to 3G. DroidStats also comes with 4 different sized widgets to keep you informed of your quota usage on the launcher.

I’ve decided to keep this phone for the time being. The wifi combined with the $10 data plan and one-number-unlimited still make it more economical for me to put up with routing my calls through VoIP than ponying up for a real phone on a proper data plan. It’s a big shock for me, giving Telus a good review, but I’m so happy to finally have a cellphone that DOES things.

For $99 I have no regrets. This time.

ClearOS Installation Checklist

I’m writing this checklist as I set up a new router for the home office to remind me of the modifications I need to make to get a fresh deployment “just right” the first time. ClearOS is a CentOS-based router distribution that lets one rapidly and easily deploy and manage routers and miscellaneous network services. CentOS itself is a de-branded flavour of Red Hat Enterprise Linux. Back when ClearOS flew under the ClarkConnect label, if one wanted certain parts of the product one had to either pay for an Office or Enterprise license or use well-crafted Google queries to find the FTP credentials for the Enterprise repositories, grab the RPMs, rpm2tgz/rpm2cpio them and overlay them on the filesystem (and don’t forget to fix the permissions!) to avoid unresolvable dependencies.

Fortunately with the morph to ClearOS the Clear Foundation folks stopped charging for commodity software (i.e. web configuration modules for DMZ and Multi-WAN (load balancing/failover)) and started focusing on services you can live without. I warn against paying just for the tech support, you’re much better off in the community forum – sparse though the posts are. From my experience (last dating in 2008 mind you) their Level 1 cuts off at putting the cd in the drive and may flat out refuse to support their product if you reveal it’s being used in any setting more complex than a small office. If you’re an intermediate *nix user and you can’t figure out the problem on your own or with google chances are tech support can’t (or won’t) help you anyway; drop by the users forum.

Most of the routers I make these days are virtual machines and that goes beyond the scope of this checklist, however I plan to cover my process in a future article. The machine this checklist will be based on is an AthlonXP 2500+ 1.83GHz with 384MB DDR266 and an 8GB CompactFlash card plugged into a CF-IDE adapter, which you can get on eBay for about $1CAD. The machine has an onboard NIC and two PCI NICs as well as a wifi card so it can be turned into an access point. I like to use CF cards instead of hard drives on my physical routers because – although the cheap ones can be quite slow – you don’t have to worry about them up and dying on you for several years. The cards are worn out with repeated write cycles (though often in the high thousands) so if you choose to use them you should try to minimize the amount of data written to disk during day-to-day operation. A remote syslogd might be of great help.

We’re going to assume you’ve already downloaded and burned the installation ISO to disc. At the time of writing the current version is 5.1 SP1; the instructions below may not apply to future versions. Once you’ve booted you’ll eventually be asked if you would like to let the installer automatically partition your hard drive or if you’d like to manually configure the partitioning. It’s usually fine to let the installer do its thing, but if you’re working in confined spaces like our 8GB flash card or have plenty of RAM the oft-defaulted swap partition size of 1GB is a tad generous. Also choose to manually configure the partitioning if you would like to use software RAID. If you choose to RAID your drives use anything but level 0; there is no need which I could conceive for high performance storage on a router (almost everything needed is loaded into RAM on startup) and reliability is priority one on mission-critical systems like these.

Chances are if you want to do anything with the storage on your router you want to outsource that operation to another machine. Your router is the gatekeeper for the network and if it becomes compromised the consequences could be worse than with any single workstation. The simplest way to reduce the risk of a service being exploited is to not run it, so your router shouldn’t run anything it doesn’t need for management or to route and protect the network (firewall, IPS, IDS etc). In following with that notion keep the number of users on the system to an absolute minimum. If you’re the only person who should have access to the box you should be the only person with a user account. ClearOS allows root logins via SSH by default so you should create at least one user account for yourself in order to separate privileges.

Once you’ve completed the installation and rebooted you can connect to the management interface at https://lan-ip:81 and log in as root. You’ll be asked to fill in a number of details to complete the installation process. Once that’s completed register your router with ClearSDN. If you have not made an account with them yet you should do so at the ClearSDN portal first. I generally disable “send diagnostic reports” when I register the routers but you may be less paranoid and more helpful. Once your router has been registered go to Software Updates. You can enable or disable automatic updates. They are enabled by default and I don’t like that one bit: what if one of the repositories gets hacked? What if a new RPM breaks something critical and I’m not around to fix it?

Don’t waste your time with all the checkboxes, shell into your router and run the following:

  • yum update
    • Updates all packages currently installed
  • yum install screen
    • Screen is a handy tool for multitasking shells
  • yum install lynx
    • There’s already a version of lynx that comes as part of the ClearOS text console and you can use it by symlinking it to /usr/bin and its config file to /etc but that’s messy.
  • yum install links
    • You don’t need this if you have lynx, I just like to install them both so I can type either. Depends on my mood.
  • yum install nmap
    • nmap is an invaluable network diagnostic and analysis tool.
  • yum groupinstall "Development Tools"
    • Install this on systems where you expect to be compiling third-party software. Wherever possible use RHEL/CentOS RPMs for the corresponding version of ClearOS. You probably don’t want to install this on space-restricted systems. If you have space to kill it never hurts to be prepared.
  • yum install ncurses-devel
  • yum install kernel-devel
    • Install these on systems where you expect to be modifying the kernel, you will need the Development Tools group to compile the kernel or modules.
  • yum install net-snmp
    • Install this so you can monitor system statistics remotely. (i.e. with Cacti)
  • yum install wpa-supplicant
    • You need this if you want to run an access point, ClearOS is only configured for WEP by default and can’t be set up through the web config.

The ClearOS web config has an embedded MRTG package that graphs system vitals, but if you plan on remotely monitoring your router’s statistics (load average, network traffic, etc.) you will probably want to install net-snmp. Depending on your configuration you may need to open port 161/UDP. Here’s a very short configuration sample that you can drop into /etc/snmp/snmpd.conf:

rouser  public
rocommunity  public localhost
syslocation  "Server Room"
syscontact  your@email
com2sec local     127.0.0.1/32    public
com2sec local     192.168.0.0/24    public
group MyROGroup v1         local
group MyROGroup v2c        local
group MyROGroup usm        local
view all    included  .1  80
access MyROGroup ""      any       noauth    exact  all    none   none

Replace 192.168.0.0/24 with the subnet or IP that should have access to SNMP data. The community string public is the well-known default; pick your own, since anyone who can reach port 161 with that string can read everything the all view exposes.

ClearOS is one of the few distributions that enable syncookies by default. You probably don’t need to add these lines since syncookies override tcp_max_syn_backlog. I like to do it anyway just in case something fails on bootup. Per my previous article Defending Against the SYN Flood add these lines to /etc/rc.d/rc.firewall.local:

echo 3096 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 2 > /proc/sys/net/ipv4/tcp_syn_retries
echo 1 > /proc/sys/net/ipv4/tcp_synack_retries
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Or not. It won’t kill you either way.

ClearOS comes with a special rule that snort will use to detect local SSH brute force attempts but as we covered in my previous article Stifling Brute Force Attacks with fail2ban fail2ban is highly extensible and can perform any operation that can be executed from the command line in response to any pattern match found in a given log file.  Fail2ban is not available in the default ClearOS repositories but we can use the RHEL 5 rpm available at http://dag.wieers.com/rpm/packages/fail2ban/. After installing the packages listed above the RPM should have only one dependency: gamin-python. Install fail2ban thus:

# yum install gamin-python
# wget http://rpmforge.sw.be/redhat/el5/en/i386/rpmforge/RPMS/fail2ban-0.8.1-1.el5.rf.noarch.rpm
# rpm -iv fail2ban-0.8.1-1.el5.rf.noarch.rpm

Return to the webconfig and make sure you have installed all the components and third party applications listed that you need, like the Advanced Firewall Module which is not installed by default. Configure your firewall, DHCP and VPN(s). Back at the command line let’s clean out all the packages we just downloaded:

# yum clean all

At the command line run chkconfig --list:

acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
avahi-daemon    0:off   1:off   2:off   3:on    4:on    5:on    6:off
avahi-dnsconfd  0:off   1:off   2:off   3:off   4:off   5:off   6:off
clamd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
cpuspeed        0:off   1:on    2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:off   3:off   4:off   5:off   6:off
dansguardian-av 0:off   1:off   2:off   3:off   4:off   5:off   6:off
dnsmasq         0:off   1:off   2:on    3:on    4:on    5:on    6:off
fail2ban        0:off   1:off   2:off   3:on    4:on    5:on    6:off
firewall        0:off   1:off   2:on    3:on    4:on    5:on    6:off
freshclam       0:off   1:off   2:off   3:off   4:off   5:off   6:off
haldaemon       0:off   1:off   2:off   3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
ipsec           0:off   1:off   2:off   3:off   4:off   5:off   6:off
iscsi           0:off   1:off   2:off   3:off   4:off   5:off   6:off
iscsid          0:off   1:off   2:on    3:on    4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
l7-filter       0:off   1:off   2:off   3:off   4:off   5:off   6:off
ldap            0:off   1:off   2:off   3:on    4:on    5:on    6:off
ldapsync        0:off   1:off   2:off   3:on    4:on    5:on    6:off
lm_sensors      0:off   1:off   2:on    3:on    4:on    5:on    6:off
lvm2-monitor    0:off   1:on    2:on    3:on    4:on    5:on    6:off
mcstrans        0:off   1:off   2:off   3:off   4:off   5:off   6:off
mdmonitor       0:off   1:off   2:off   3:off   4:off   5:off   6:off
mdmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
messagebus      0:off   1:off   2:off   3:on    4:on    5:on    6:off
multipathd      0:off   1:off   2:off   3:off   4:off   5:off   6:off
mysqld          0:off   1:off   2:off   3:off   4:off   5:off   6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
netplugd        0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
nmb             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nscd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
openvpn         0:off   1:off   2:off   3:off   4:off   5:off   6:off
pptpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
rdisc           0:off   1:off   2:off   3:off   4:off   5:off   6:off
restorecond     0:off   1:off   2:on    3:on    4:on    5:on    6:off
saslauthd       0:off   1:off   2:off   3:on    4:on    5:on    6:off
smb             0:off   1:off   2:off   3:off   4:off   5:off   6:off
snmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
snmptrapd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
snort           0:off   1:off   2:off   3:off   4:off   5:off   6:off
snortsam        0:off   1:off   2:off   3:off   4:off   5:off   6:off
squid           0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
suvad           0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
system-mysqld   0:off   1:off   2:on    3:on    4:on    5:on    6:off
syswatch        0:off   1:off   2:on    3:on    4:on    5:on    6:off
vpnwatchd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
webconfig       0:off   1:off   2:on    3:on    4:on    5:on    6:off
winbind         0:off   1:off   2:off   3:off   4:off   5:off   6:off
wpa_supplicant  0:off   1:off   2:off   3:off   4:off   5:off   6:off

We want to turn off anything that starts in runlevels 2, 3, 4 or 5 that we don’t need. This will make the router boot faster and use less RAM, which is particularly important if you’re building a virtual machine. A fast power-cycle has obvious advantages for any connectivity device and one can comfortably fit a low-traffic ClearOS router into 96MB of RAM with room to breathe by disabling the right services. Based on the defaults shown here, these are some services you probably want to turn off; your mileage of course may vary:

  • avahi-daemon
  • avahi-dnsconfd
    • Zeroconf stuff. You only want it if you know what that means, and probably not even then.
  • haldaemon
    • Practically unused by anything but X
  • iscsi
  • iscsid
    • Obviously you want these if you really are using iSCSI.
  • kudzu
    • Checks for new hardware and can interrupt the boot process; it can be run from the command line anyway
  • lvm2-monitor
    • You only want this if you’re using LVM
  • messagebus
    • Same with HALD
  • netfs
    • Leave this on if you’re doing anything with NFS

Services you may want to disable include:

  • suvad
    • Talks to ClearSDN, disabling interferes with updates and ClearSDN services but it can be started on demand
  • lm_sensors
    • There’s no hardware to monitor on a xen virtual machine
  • cpuspeed
    • Ditto
  • acpid
    • Ditto

Use the following syntax to remove init scripts from these runlevels:

# chkconfig --level 2345 iscsid off

And enable anything that should be turned on:

# chkconfig --level 2345 snmpd on

Be sure not to touch any of the numerous LDAP services, ClearOS uses that internally to manage the user accounts. If you don’t know what a service does be sure to look it up before you disable it.
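Rather than reading the chkconfig table by eye, an allowlist of what the router actually needs can be diffed against it so that anything else enabled in runlevels 2 to 5 is reported along with the command to turn it off. This is an added example, not part of the original post or of ClearOS; the allowlist is a starting point based on the advice above (keep the LDAP services, suvad, the firewall and networking) and the sample listing is constructed from lines of the chkconfig output shown earlier.

```shell
#!/bin/sh
# Reports SysV services enabled in runlevels 2-5 that are not on the
# allowlist, and emits the matching chkconfig commands.

# Adjust to taste: anything enabled that is not listed here gets reported.
ROUTER_ALLOWLIST="acpid cpuspeed crond dnsmasq fail2ban firewall ldap ldapsync lm_sensors
network restorecond saslauthd snmpd sshd suvad syslog system-mysqld syswatch webconfig"

# unexpected_enabled <chkconfig-list-file> [allowlist]
# Prints one service name per line. Only SysV lines (name plus seven
# "N:on/off" columns) are parsed; the "xinetd based services" section is ignored.
unexpected_enabled() {
    allow="${2:-$ROUTER_ALLOWLIST}"
    awk -v allow=" $(echo $allow) " '
        NF >= 8 {
            on = 0
            for (i = 2; i <= NF; i++) {
                split($i, p, ":")
                if (p[1] + 0 >= 2 && p[1] + 0 <= 5 && p[2] == "on") on = 1
            }
            # surrounding spaces make the substring test match whole names only
            if (on && index(allow, " " $1 " ") == 0) print $1
        }' "$1"
}

# disable_commands <chkconfig-list-file> [allowlist]: the commands to run
disable_commands() {
    unexpected_enabled "$@" | sed 's/^/chkconfig --level 2345 /; s/$/ off/'
}

# Constructed sample: a subset of the article's chkconfig --list output.
write_sample_listing() {
    cat > "$1" <<'EOF'
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
avahi-daemon    0:off   1:off   2:off   3:on    4:on    5:on    6:off
avahi-dnsconfd  0:off   1:off   2:off   3:off   4:off   5:off   6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
dnsmasq         0:off   1:off   2:on    3:on    4:on    5:on    6:off
firewall        0:off   1:off   2:on    3:on    4:on    5:on    6:off
haldaemon       0:off   1:off   2:off   3:on    4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
ldap            0:off   1:off   2:off   3:on    4:on    5:on    6:off
lvm2-monitor    0:off   1:on    2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
EOF
}

# On a live box: chkconfig --list > /tmp/services.txt; disable_commands /tmp/services.txt
if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d); write_sample_listing "$d/services.txt"
    disable_commands "$d/services.txt"
    rm -rf "$d"
fi
```

Review the printed commands before running them; if you really use LVM, add lvm2-monitor to the allowlist rather than disabling it.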

If your router includes a wireless card that requires firmware do not forget to download it to /lib/firmware.

Updatedb indexes the files on your mounted partitions for fast searching with the locate or slocate tool. You should run it once now that you have most of the files installed. By default, cron runs updatedb every night. This causes high I/O load and can be disabled by disabling its cron script’s execute bit:

# chmod -x /etc/cron.daily/mlocate.cron

While the web config makes ClearOS what it is, I don’t like the console configuration (slow, featureless and requires two logins…) – and I really don’t like the graphical one (wtf?). These are a severe obstacle on Xen installations where it’s difficult to navigate serial-based (no ptys to alt+Fx to) xenconsole out of the bottomless ncurses pit. Rather than loop-mount the image and configure the networking and reboot the VMs and shell in I prefer to disable that rubbish altogether. Edit /etc/inittab to reflect:

# Run gettys in standard runlevels
#1:2345:respawn:/sbin/mingetty --autologin=clearconsole tty1
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2

If this router is going to be in a high traffic environment you may find that snortreport.sh progressively uses more and more resources to compile the webconfig-accessible IPS/IDS reports until it starts overlapping with itself, causing extreme load. You can delete it, move it, or remove its execute bit:

# chmod -x /usr/sbin/snortreport.sh

ClarkConnect used to come with some fairly dangerous default snort rules, particularly if your router is intended to be the firewall for a public network. Things look a lot better now, the two rules I could remember always having to comment out now come commented by default; as things run I’ll keep a list of false-positive generating rules here.

NOTE: That list can be found here: Bad Snort Rules

Snort rules take the form of lines in files located in /var/lib/suva/services/intrusion-protection/rules/ (formerly /var/lib/suva/services/snort/rules/). Disabling a rule is as simple as prefixing it with a hash mark (#) and restarting snort:

# /etc/init.d/snort restart
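When the false positive is identified by its SID in the IPS report, the comment-out can be scripted across the whole rules directory instead of hunting for the line by hand. The following is an added example, not part of the original post or of ClearOS; the rules directory, the rule text and the SIDs (in the local 1000000+ range) are constructed for the demo.

```shell
#!/bin/sh
# Comments out a Snort rule by SID across a rules directory, exactly the
# way the article describes (prefix the line with '#'), idempotently.

# active_rule_count <rules_dir>: number of uncommented lines carrying a sid:
active_rule_count() {
    cat "$1"/*.rules | grep -v '^[[:space:]]*#' | grep -c 'sid:' || true
}

# disable_snort_rule_by_sid <rules_dir> <sid>
# Prefixes every active rule line carrying "sid:<sid>;" with '#'.
# Prints the files it changed; returns 1 if no active rule had that SID.
disable_snort_rule_by_sid() {
    dir="$1"; sid="$2"; changed=0
    # Anchoring on the terminating ';' keeps sid 100 from matching sid 1000001.
    pat="sid:[[:space:]]*${sid}[[:space:]]*;"
    for f in "$dir"/*.rules; do
        # Skip files with no active (uncommented) match for this SID.
        grep -v '^[[:space:]]*#' "$f" | grep -q "$pat" || continue
        # 'b' branches past lines that are already comments; the rest that
        # match get a '#' prepended. Temp file + mv avoids GNU/BSD sed -i differences.
        sed -e '/^[[:space:]]*#/b' -e "/$pat/s/^/#/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        echo "$f"
        changed=$((changed+1))
    done
    [ "$changed" -gt 0 ]
}

# Constructed rules for the demo; the first mirrors the "long run of a's"
# false positive from the article.
write_sample_rules() {
    dir="$1"; mkdir -p "$dir"
    cat > "$dir/local.rules" <<'EOF'
# constructed demo rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DEMO long run of a's"; content:"aaaaaaaaaaaaaaaa"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"DEMO ssh to server"; flow:to_server; sid:1000002; rev:1;)
EOF
    cat > "$dir/chat.rules" <<'EOF'
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"DEMO web chat"; sid:1000003; rev:2;)
EOF
}

# On a live box: disable_snort_rule_by_sid /var/lib/suva/services/intrusion-protection/rules 1000001 \
#   && /etc/init.d/snort restart
if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d); write_sample_rules "$d/rules"
    echo "active before: $(active_rule_count "$d/rules")"
    disable_snort_rule_by_sid "$d/rules" 1000001 || echo "no active rule with that SID"
    echo "active after:  $(active_rule_count "$d/rules")"
    rm -rf "$d"
fi
```

Keep the SIDs you disable in a list (as the article does) so the same exceptions can be re-applied after a rule update overwrites the files.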

Check your Intrusion Prevention reports in the web config regularly when you first deploy your new firewall. Investigate any rule that appears multiple times to determine if your particular environment is triggering false positives. This is critical if you are protecting a public network, say a farm of web servers. One rule (that is now commented by default) would block an IP that sent or received a string of ASCII ‘a’s, like ‘aaaaaaaaaaaaaaaaaaaaaaaaaaaaa’, because a long string of ‘a’s is one signature of a certain buffer overflow attack. One day one of my users said “Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaah!” in a web-based chat room when I had a freshly deployed router out and he and everyone who saw it were swiftly blocked from the network. One can either live without IPS (I wouldn’t recommend it) or one can mitigate the downtime through careful monitoring.

You may wish to lock down SSH by following my article on key-exchange. While by default (in gateway mode) ssh is not accessible on the external addresses one should never discount the possibility of attack from within. Any machine behind your firewall that can be compromised will be in a unique position to compromise other machines if attention is not paid to internal network security. There is no such thing as a trusted network, only more trustworthy.

foxpa.ws
Made in Canada  •  There's a fox in the Gibson!  •  2010-12