Could not load host key: /etc/ssh/ssh_host_ed25519_key

Sep 29 19:19:41 wopr sshd[11801]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key

If you see this message in the log, sshd_config has a HostKey line pointing at /etc/ssh/ssh_host_ed25519_key but no key file exists at that path. sshd still starts as long as at least one other host key loads; it just silently doesn't offer ed25519.

If your OpenSSH is new enough to support ed25519 host keys (6.5 or later), ssh-keygen -A generates whichever of the default host keys are missing and leaves the existing ones untouched:

$ ssh-keygen -A
ssh-keygen: generating new host keys: ED25519
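The same check and fix as a script, added here as an example rather than taken from the original post: it lists the HostKey paths that sshd_config references but that don't exist, runs ssh-keygen -A, validates the configuration with sshd -t and prints the fingerprints of the new keys. The config path and the Debian/Ubuntu key locations are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: find the HostKey files that
# sshd_config references but that do not exist, generate them, and check the
# result before restarting sshd. Paths default to the Debian/Ubuntu layout.
set -eu

# Print every HostKey path in the config ($1) whose file is missing.
# Commented-out lines are skipped; "HostKeyAlgorithms" does not match because
# a whitespace separator is required after the keyword. Files pulled in via
# Include directives are not followed.
missing_host_keys() {
    cfg="${1:-/etc/ssh/sshd_config}"
    sed -n '/^[[:space:]]*[Hh]ost[Kk]ey[[:space:]]/{s/^[[:space:]]*[Hh]ost[Kk]ey[[:space:]]*//;s/[[:space:]]*$//;p;}' "$cfg" |
    while IFS= read -r key; do
        [ -f "$key" ] || printf '%s\n' "$key"
    done
}

# Generate missing default host keys with ssh-keygen -A (existing keys are
# left alone), validate the config with sshd -t, and print the fingerprints
# of the new keys so they can be handed to clients out of band.
regenerate_host_keys() {
    cfg="${1:-/etc/ssh/sshd_config}"
    before=$(missing_host_keys "$cfg")
    if [ -z "$before" ]; then
        echo "all configured host keys exist"
        return 0
    fi
    echo "missing host keys:"
    printf '  %s\n' $before
    ssh-keygen -A
    after=$(missing_host_keys "$cfg")
    if [ -n "$after" ]; then
        # -A only knows the default /etc/ssh/ssh_host_<type>_key paths
        echo "still missing (generate with ssh-keygen -t TYPE -f PATH -N ''):"
        printf '  %s\n' $after
        return 1
    fi
    sshd -t -f "$cfg"           # refuse to continue on a broken config
    for k in $before; do
        ssh-keygen -lf "$k"     # fingerprint of each newly generated key
    done
}

# Usage (as root): sh this_script.sh fix
if [ "${1:-}" = "fix" ]; then
    regenerate_host_keys
fi
```

Publish the printed ed25519 fingerprint to your users (or in SSHFP records) so their first ed25519 connection does not rely on trust-on-first-use.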

Enable KVM guest console access in Ubuntu using the virsh console command

Usually, my first step after setting up a new Ubuntu guest is to enable console access in order to gain shell access to the newly created VM. The steps below are for upstart-based releases such as Ubuntu 14.04.

Step 1 – Activate the serial console in the guest

nano /etc/default/grub

Change the GRUB_CMDLINE_LINUX_DEFAULT to:

GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0,38400n8 console=tty0"

Don’t forget to update Grub

update-grub

Step 2 – Create the serial console in the guest

cp /etc/init/tty1.conf /etc/init/ttyS0.conf
nano /etc/init/ttyS0.conf

Edit ttyS0.conf and replace tty1 with ttyS0 in the last line so that it reads "exec /sbin/getty -8 38400 ttyS0" (the 38400 has to match the baud rate given on the kernel command line). On systemd-based Ubuntu releases there is no /etc/init; enable the getty with systemctl enable serial-getty@ttyS0.service instead.
Reboot the VM.

Step 3 – Log in from the host

virsh console myvm

That's it: you now have console access to the VM. If virsh console reports that the domain has no console, the guest definition lacks a pty serial device (check virsh dumpxml myvm for a <serial type='pty'> element). Note that anyone who can run virsh on the host gets the same login prompt, so host access is effectively physical access to the guest.

Tip: To exit the console, hit CTRL-]. On a US keyboard layout that is the key below <BACKSPACE> and to the left of <ENTER>; on other layouts it is the same physical key, whatever it is labelled.
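Steps 1 and 2 as a script, added as an example (not the original post's code) so the same change can be applied to every new guest: it rewrites GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub and derives ttyS0.conf from tty1.conf. The file paths are the post's defaults and are parameters so the functions can be tried on copies first.

```sh
#!/bin/sh
# Added example (not from the original post): apply steps 1 and 2 from a shell
# script so the change is repeatable across guests. Paths default to the ones
# used in the post; pass other paths to try the functions on copies.
set -eu

# Step 1: make the kernel log to ttyS0 (and tty0). Replaces an existing
# GRUB_CMDLINE_LINUX_DEFAULT line or appends one if it is missing.
set_grub_console() {
    grub="${1:-/etc/default/grub}"
    line='GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0,38400n8 console=tty0"'
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$grub"; then
        # portable in-place edit (no GNU-only sed -i)
        sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|$line|" "$grub" > "$grub.tmp" &&
            mv "$grub.tmp" "$grub"
    else
        printf '%s\n' "$line" >> "$grub"
    fi
    grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$grub"
}

# Step 2: derive an upstart job for ttyS0 from the tty1 job; only the
# "exec" line changes, the start/stop conditions are kept as they are.
create_serial_getty() {
    initdir="${1:-/etc/init}"
    sed '/^exec /s/tty1/ttyS0/' "$initdir/tty1.conf" > "$initdir/ttyS0.conf"
    grep '^exec ' "$initdir/ttyS0.conf"
}

# Usage (as root inside the guest): sh this_script.sh apply
# then reboot and, on the host: virsh console <domain>
if [ "${1:-}" = "apply" ]; then
    set_grub_console
    create_serial_getty
    update-grub
fi
```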

How to install CoreOS on an OVH Kimsufi low-end dedicated server

Wouldn’t it be cool to build a bare-metal high availability cluster using CoreOS and a handful of DDoS-protected, €5/month Kimsufi servers from OVH? Here’s how to install CoreOS on a Kimsufi server.

At the time of this writing, OVH does not provide a CoreOS installation template for the Kimsufi servers. Since there is no virtual KVM console for the entry-level servers, I tried OVH's iPXE API. This would have worked were it not for the CoreOS installer, which tries to load binaries from the installation script after overwriting the very partition they live on, which always ends in a segfault. Also, the API is only available for the older Kimsufi 2G servers in OVH's V6 control panel, not for the current Kimsufi servers, for which OVH offers no API at this time. Fortunately, OVH provides a "rescue mode" that lets us boot from a USB stick that is permanently plugged into every Kimsufi server.

Native Gigabit PCI-e Network Adapter / NIC for OS X

Here’s an overview of natively supported PCI-e (64-bit) network interface controllers (NIC) for OS X. I’ve had the chance to test some of them in my current Hackintosh build.

HP NC360T PCI-Express PRO/1000

The HP NC360T dual port PCI-e network adapter works out of the box in OS X. However, since OS X 10.8.2 Apple changed something in the driver resulting in a link loss whenever the network is under considerable load. If this happens, the network can be brought back to life by deactivating/reactivating the network in OS X’s control panel. Do not buy this network card if you intend to use it in a recent OS X version.

New Hackintosh build based on GIGABYTE GA-Z97X-UD5H

A capacitor burst on my ASUS P6T Hackintosh, so I had to decide whether to buy an Apple desktop computer or build a new Hackintosh. I would have bought an (internally) expandable Mac Pro, but the current trash bin just doesn't appeal to me.

I had three goals for the new build:

  • Since kernel extension signing is mandatory in OS X Yosemite (at least in the dev previews/public beta versions), it has to be as vanilla as possible.
  • Noise-free
  • Expandability

So, without further ado, here’s the new build:

The Z97X-UD5H uses Intel's latest 9 Series chipset, which to date is not used in any Apple computer. There's a good chance Apple will use this chipset in the next iMac refresh in Q3/Q4 '14. Even though the chipset is not officially supported in OS X, it runs just fine, even without a custom DSDT/SSDT!

strongSwan 5 based IPSec VPN, Ubuntu 14.04 LTS and PSK/XAUTH

I prefer strongSwan over Openswan because it's still in active development, easier to set up and doesn't require an L2TP daemon. I prefer a simple IKEv1 setup using PSK and XAUTH over certificates. If you plan to share your VPN server with your friends, it's also a lot easier for them to set up without certificates. I haven't tried the VPN configuration below with non-Apple clients, but it works well with iOS and OS X clients. Make sure to use the Cisco IPSec VPN profile, not the L2TP over IPSec profile you need for Openswan. While strongSwan works well in KVM and Xen virtual machines, it probably won't work in OpenVZ or LXC containers, which share the host kernel. One caveat with PSK/XAUTH: the Cisco-style client negotiates IKEv1 in aggressive mode, which exposes a hash of the group PSK to anyone on the path, so a weak PSK can be cracked offline, and anyone who knows the PSK can impersonate the server. Use a long random PSK and treat the XAUTH password as the per-user secret.

LXC 1.0 Web Panel for Ubuntu 14.04

LXC is awesome! In Ubuntu 14.04 you can create and start your own container with just three commands.

apt-get install lxc debootstrap lxc-templates
lxc-create -t ubuntu -n demo
lxc-start -n demo -d

It doesn't get any easier than this. There's even a Bootstrap-based frontend available: LXC Web Panel. Since the panel drives the lxc-* commands as root, keep it bound to localhost or behind an SSH tunnel rather than exposing it directly.


Unfortunately, LXC Web Panel doesn’t work with LXC 1.0 which is part of Ubuntu 14.04. Fortunately though, there’s a fork available on GitHub which adds support for LXC 1.0:

https://github.com/claudyus/LXC-Web-Panel

I re-forked claudyus' LXC Web Panel fork and added support for Ubuntu 14.04 and a few other things. My forked fork is available at https://github.com/trick77/LXC-Web-Panel (Claudyus has already merged my changes into his repository).

By the way, the original author of LXC Web Panel said he’s currently working on a Bootstrap 3 based version for LXC 1.0 which will include a RESTful API and other new features. Make sure to follow this guy on GitHub: https://github.com/googley

DNS unblocking setup tester

This may help setting up your own DNS unblocking solution:

http://trick77.com/dns-unblocking-setup-tester/

Once everything has been set up properly, all ticks should be green like in this screenshot:


I just pushed another update to GitHub; please make sure to use a configuration generated with the latest generator version, or the tester will fail. My main motivation to create this tester was to reduce the amount of support requests I'm receiving. Let's see how well this goes :-)

Tomcat freezes while starting in Ubuntu 14.04 LTS

After upgrading one of my KVMs to Ubuntu Server 14.04 LTS, Tomcat 7 started to freeze while starting up with:
INFO: Deploying configuration descriptor /etc/tomcat7/Catalina/localhost/ROOT.xml

Only after several minutes, Tomcat generates the following message and starts accepting requests:
INFO: Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [295,490] milliseconds.
INFO: Server startup in 296882 ms

The delay comes from Tomcat's session ID generator seeding SecureRandom from /dev/random, which blocks until the kernel's entropy pool has collected enough input; a freshly booted KVM guest with no keyboard, mouse or disk noise can starve it for minutes. If you don't have a requirement for a blocking entropy source in Tomcat, switch the JVM to the non-blocking /dev/urandom. On Linux both devices are fed from the same pool, so once the system is up this is not a meaningful downgrade for session IDs; the real problem on a VM is the lack of entropy, which a virtio-rng device on the KVM host or haveged in the guest fixes for every consumer of /dev/random, not just Tomcat.

Create a file named setenv.sh in /var/lib/tomcat7/bin (CATALINA_BASE; create the bin directory if it does not exist) and make it executable:
#!/bin/sh
# file:/dev/./urandom is deliberate: the JDK special-cases the plain
# file:/dev/urandom URL and would still seed from the blocking /dev/random
export CATALINA_OPTS="-Djava.security.egd=file:/dev/./urandom"

…and restart Tomcat. Alternatively, append the same -D flag to JAVA_OPTS in /etc/default/tomcat7, which the init script already reads.

It will now start within seconds thanks to the non-blocking random source.

Supermicro NTP DDoS Vulnerability

I received a notification that one of my dedicated servers was taking part in an NTP-based DDoS reflection attack. At first I was like "No way!" since I don't use NTP on any servers. Closer inspection of the source IP address revealed that the attack was coming from my Supermicro server's built-in IPMI controller. And indeed, Supermicro is using a vulnerable NTP version on its IPMI controllers:

ntpdc -n -c monlist ipmi.mysupermicroserver.com
remote address          port local address      count m ver rstr avgint lstint
===============================================================================
186.2.161.nnn          53842 76.20.120.nn       51127 7   2    0      0      0
217.147.208.n            123 76.20.120.nn           1 4   4    0      0      7
130.60.204.nn            123 76.20.120.nn           1 4   4    0      0      8

The first row is the attack in progress: 51,127 mode 7 (ntpdc control) queries recorded from one "remote address". That address is the spoofed source, i.e. the victim receiving the amplified monlist replies; the two mode 4 rows are the BMC's own upstream time servers. Any ntpd that answers monlist at all (the amplification issue tracked as CVE-2013-5211) can be abused this way, and the BMC's NTP client was answering it on the public interface.

The quickest fix is to turn NTP sync off in the IPMI web interface, as described here. If for some reason you have a requirement for NTP on the BMC, here's how to fix the Supermicro firmware on your own (not for the faint-hearted!).

Since Supermicro has a spotty track record when it comes to IPMI controller security, it's highly recommended to define a set of jump hosts in the IP Access Control menu. Here's the gotcha: the default policy is ACCEPT, so the list only becomes an allow list once you add a final DROP rule for 0.0.0.0/0; without it, the ACCEPT entries change nothing. Obviously, a dedicated management VLAN is the preferred way, but if no VLAN is available, IP access control comes in handy. The access control list filters all traffic to the IPMI controller except from the listed IP ranges, NTP included, so the amplification stops as a side effect.

Still waiting for Supermicro to finally fix the issue in a new firmware revision though…
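An added example, not part of the original post: a small checker that runs the same ntpdc monlist query against a list of your own BMCs and reports which still answer, useful before and after turning NTP sync off or adding the DROP rule. It assumes ntpdc (from the ntp package) and coreutils timeout are installed; the host list file is a placeholder you supply.

```sh
#!/bin/sh
# Added example, not from the original post: check which of your own BMCs still
# answer the ntpdc "monlist" query that reflection attacks abuse. Run it before
# and after disabling NTP sync or adding the IP access control DROP rule.
# Needs ntpdc from the ntp package and coreutils timeout; the host list is yours.
set -eu

# Count the client rows in ntpdc monlist output read from stdin: every line
# after the "====" separator whose first field looks like an IPv4 address.
count_monlist_entries() {
    awk '/^=+$/ { body = 1; next }
         body && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n++ }
         END { print n + 0 }'
}

# Return 0 if $1 answers monlist (i.e. is usable as an amplifier), 1 if not.
# ntpdc gets a short timeout because a filtered BMC simply never replies.
monlist_exposed() {
    n=$(timeout 5 ntpdc -n -c monlist "$1" 2>/dev/null | count_monlist_entries)
    [ "$n" -gt 0 ]
}

# Check every BMC listed in $1 (one hostname or IP per line).
scan_bmcs() {
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        if monlist_exposed "$host"; then
            echo "EXPOSED  $host answers monlist"
        else
            echo "ok       $host"
        fi
    done < "$1"
}

# Usage: sh this_script.sh scan bmc-hosts.txt
if [ "${1:-}" = "scan" ]; then
    scan_bmcs "${2:?host list file}"
fi
```

An "ok" result can also mean the BMC is reachable but filtered, which is exactly the state you want after the DROP rule; the check only tells you whether monlist can be reached from where you run it.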

DNS-unblocking configuration for CBS’s iOS app

I love watching the Late Late Show with Craig Ferguson. Here’s what’s needed to watch CBS content on iPad outside the U.S. using my DNS-unblocking config generator.


    {
      "name": "cbs-akamai-ipad",
      "dest_addr": "ipad-streaming.cbs.com",
      "modes": [
        {
          "port": 80,
          "mode": "http"
        },
        {
          "port": 443,
          "mode": "https"
        }
      ],
      "catchall": true,
      "enabled": true
    }

Add this to config.json, regenerate the configuration files and make sure to upload them to the right places. As with NBC's iOS app, the video stream itself is geo-fenced, so the whole stream is proxied, which may lead to considerable bandwidth consumption on your VPS.

By the way, is it just me or does audio quality suck badly in CBS’s iOS app?

DNS-unblocking configuration for NBC’s iOS app

Today, NBC updated its mobile app for iPad and iPhone. The latest version features AirPlay support which means you can watch NBC TV shows on a large TV if you have an Apple TV connected to it. NBC offers free (ad-supported) content in its iOS app, including:

  • The Tonight Show Starring Jimmy Fallon
  • Late Night With Seth Meyers
  • About A Boy
  • Grimm
  • The Blacklist
  • The Voice
  • …and many more


In order to use the NBC app on iPad or iPhone outside the U.S., a new configuration entry is required in my non-SNI DNS-unblocking config generator’s config.json file:

    {
      "name": "nbc-ios",
      "dest_addr": "tve_nbc-vh.akamaihd.net",
      "modes": [
        {
          "port": 80,
          "mode": "http"
        },
        {
          "port": 443,
          "mode": "https"
        }
      ],
      "catchall": true,
      "enabled": true
    }

Since NBC uses a geo-fenced video stream from Akamai, the entire content stream has to be proxied through HAProxy which may – depending on your usage – lead to considerable bandwidth usage on your remote VPS server.

Fulltext search for Tiny Tiny RSS (TTRSS) with Sphinx and MySQL in Debian/Ubuntu

I haven’t found a working tutorial on setting up Sphinx fulltext search for the awesome Tiny Tiny RSS Reader (TTRSS) and MySQL in Debian/Ubuntu. So, without further ado, here it is:

apt-get install sphinxsearch

Create /etc/sphinxsearch/sphinx.conf (it holds the MySQL password in clear text, so make it readable only by root and the Sphinx service user):

source ttrss
{
	type			= mysql
	sql_host		= localhost
	sql_user		= ttrss
	# clear-text MySQL password: restrict the permissions of this file
	sql_pass		= changeme
	sql_db			= ttrss
	sql_port		= 3306
	sql_query_pre		= SET NAMES utf8

	# UNIX socket name
	# optional, default is empty (reuse client library defaults)
	# usually '/var/lib/mysql/mysql.sock' on Linux
	# usually '/tmp/mysql.sock' on FreeBSD
	#
	# sql_sock		= /var/lib/mysql/mysql.sock

	# one document per ttrss_user_entries row; int_id is the document ID
	# searchd hands back to TTRSS
	sql_query		= \
		SELECT int_id AS id, ref_id, UNIX_TIMESTAMP() AS updated, \
			ttrss_entries.title AS title, link, content, \
			ttrss_feeds.title AS feed_title, \
			marked, published, unread, \
			author, ttrss_user_entries.owner_uid \
			FROM ttrss_entries, ttrss_user_entries, ttrss_feeds \
			WHERE ref_id = ttrss_entries.id AND feed_id = ttrss_feeds.id;

	# attributes TTRSS filters on; owner_uid keeps one user's search from
	# returning another user's articles
	sql_attr_uint		= owner_uid
	sql_attr_uint		= ref_id

	sql_ranged_throttle	= 0

	sql_query_info		= \
		SELECT * FROM ttrss_entries, \
			ttrss_user_entries WHERE ref_id = id AND int_id=$id
}

# delta index: only the entries touched in the last 24 hours. Rebuild it
# often and merge it into the main index periodically.
# ttrss_entries.updated is a DATETIME column, so it must be compared against
# NOW(); UNIX_TIMESTAMP() - INTERVAL 24 HOUR is not a valid MySQL date
# expression and the comparison would never match, leaving the delta empty.
source delta : ttrss
{
	sql_query		= \
		SELECT int_id AS id, ref_id, UNIX_TIMESTAMP() AS updated, \
			ttrss_entries.title AS title, link, content, \
			ttrss_feeds.title AS feed_title, \
			marked, published, unread, \
			author, ttrss_user_entries.owner_uid \
			FROM ttrss_entries, ttrss_user_entries, ttrss_feeds \
			WHERE ref_id = ttrss_entries.id AND feed_id = ttrss_feeds.id \
			AND ttrss_entries.updated > NOW() - INTERVAL 24 HOUR;

	# document IDs whose delta copy supersedes the one in the main index
	sql_query_killlist	= \
		SELECT int_id FROM ttrss_entries, ttrss_user_entries \
			WHERE ref_id = ttrss_entries.id AND updated > NOW() - INTERVAL 24 HOUR;
}

index ttrss
{
	source			= ttrss
	path			= /var/lib/sphinxsearch/data/ttrss
	docinfo			= extern
	mlock			= 0
	morphology		= none
	min_word_len		= 1
	charset_type		= utf-8
	min_prefix_len		= 3
	prefix_fields		= title, content, feed_title, author
	enable_star		= 1
	html_strip		= 1
}

index delta : ttrss
{
	source			= delta
	path			= /var/lib/sphinxsearch/data/ttrss_delta
}

indexer
{
	mem_limit		= 32M
}

searchd
{
	# loopback only: searchd has no authentication of its own
	listen			= 127.0.0.1:9312

	log			= /var/log/sphinxsearch/searchd.log
	query_log		= /var/log/sphinxsearch/query.log
	read_timeout		= 5
	client_timeout		= 300
	max_children		= 30
	pid_file		= /var/run/sphinxsearch/searchd.pid
	max_matches		= 1000
	seamless_rotate		= 1
	preopen_indexes		= 1
	unlink_old		= 1
	mva_updates_pool	= 1M
	max_packet_size		= 8M
	max_filters		= 256
	max_filter_values	= 4096
	compat_sphinxql_magics	= 0
}

Build the indices with indexer --all, running it as the user that owns /var/lib/sphinxsearch/data so searchd can read and later rotate them (once searchd is running, reindex with --rotate instead).
Set START=yes in /etc/default/sphinxsearch and start Sphinx with service sphinxsearch start. With the listen line above, searchd is reachable from 127.0.0.1 only, which is what you want: it has no authentication of its own.

The last step is to enable Sphinx search in TTRSS:

	// *********************
	// *** Sphinx search ***
	// *********************

	define('SPHINX_ENABLED', true);
	// Enable fulltext search using Sphinx (http://www.sphinxsearch.com)
	// Please see http://tt-rss.org/wiki/SphinxSearch for more information

And that is it. Lightning-fast full-text search in TTRSS! The SPHINX_SERVER and SPHINX_INDEX defines in the same file (localhost:9312 and 'ttrss, delta' by default) have to match the listen line and the two index names above. Probably only useful if you have a lot of feeds/articles and you're keeping them for quite a while before purging them into oblivion.
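The configuration above defines a delta index but the post doesn't say how to keep it current, so here is the usual Sphinx 2.x rotation as an added example (not from the post or the TTRSS project): rebuild the delta every few minutes with --rotate and merge it into the main index nightly, rebuilding the delta afterwards so merged documents aren't counted twice. The schedule, and the assumption that indexer runs as the user owning /var/lib/sphinxsearch/data, are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post or the TTRSS project): keep the
# "delta" index fresh and fold it into the main "ttrss" index periodically.
# indexer(1) flags are standard Sphinx 2.x; the schedule is an assumption.
set -eu

# Rebuild only the delta index (last 24h of entries) and hot-swap it into the
# running searchd. Cheap; run it every few minutes.
reindex_delta() {
    indexer --rotate delta
}

# Merge the delta into the main index (--merge DST SRC applies the delta's
# kill-list to the main copy), rotate, then rebuild the delta so the documents
# just merged are not served twice. Run this nightly.
merge_delta() {
    indexer --merge ttrss delta --rotate
    indexer --rotate delta
}

# Print crontab lines implementing the above for the user that owns
# /var/lib/sphinxsearch/data (assumption: searchd runs as that user, so the
# rotated index files stay readable by it).
cron_lines() {
    cat <<'EOF'
*/5 * * * * /usr/bin/indexer --rotate delta >/dev/null 2>&1
30 3 * * *  /usr/bin/indexer --merge ttrss delta --rotate >/dev/null 2>&1 && /usr/bin/indexer --rotate delta >/dev/null 2>&1
EOF
}

# Usage: sh this_script.sh delta | merge | cron
case "${1:-}" in
    delta) reindex_delta ;;
    merge) merge_delta ;;
    cron)  cron_lines ;;
esac
```

Install the printed lines with crontab -e as the index-owning user; if searchd logs permission errors after a rotation, the cron job ran as a different user than searchd.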

Digitec Tagesaktionen (Daily Deals) RSS Feed

Completely irrelevant to y’all unless you’re living in Switzerland and you’re into tech gadgets:

http://feeds.wolke7.me/digitec/feed.xml

The feed shows the current "Tagesaktion" (daily deal) from digitec.ch as an RSS 2.0 feed, so you don't have to remember to visit digitec's site every day. I missed a pretty decent SSD deal the other day, but from now on the daily deals show up in my RSS reader Tiny Tiny RSS, which is awesome btw.
