Friday, February 25. 2011
$ ./fingerprint.sh www.torservers.net status.headstrong.de
SHA1 Fingerprint=90:14:6B:74:FC:B8:30:C8:48:06:4F:52:A6:27:C4:0A:EE:D8:C5:6E
SHA1 Fingerprint=19:46:7F:F7:C5:1C:B7:C9:03:58:88:19:46:DC:55:BA:57:49:92:96
Continue reading "Linux Shell Script to Display SHA1 Fingerprint of Remote SSL Certificates"
Friday, August 27. 2010
We run a high-bandwidth Tor exit node on a Gbit connection. Unfortunately, the NIC provided by our hoster doesn't support MSI-X, which would distribute the interrupt load across all cores. The latest Linux kernel, 2.6.35, adds a mechanism called Receive Packet Steering:
QUOTE: This patch implements software receive side packet steering (RPS). RPS distributes the load of received packet processing across multiple CPUs.
Problem statement: Protocol processing done in the NAPI context for received packets is serialized per device queue and becomes a bottleneck under high packet load. This substantially limits pps that can be achieved on a single queue NIC and provides no scaling with multiple cores. (lwn.net: Software receive packet steering)
What took us a lot of time to figure out: /proc/interrupts still shows only CPU0 handling the NIC interrupts, even with RPS enabled. That is expected, because RPS does not move the hardware interrupt; it hands the receive processing to the other CPUs as softirq work. So if you want to find out whether RPS is working, you have to look at /proc/softirqs instead (e.g. with watch -n1 cat /proc/softirqs):
                    CPU0        CPU1        CPU2        CPU3
          HI:          0           0           0           0
       TIMER:  480622794   476948579   460999919   467641124
      NET_TX:   25311134    27075847    27513332    27307975  <-----
      NET_RX: 1388399338  4191697027  1491556667   627387845  <-----
       BLOCK:    4632803           3      315726          29
BLOCK_IOPOLL:          0           0           0           0
     TASKLET:         21           4           8           2
       SCHED:  154913375   158601463    97907175   200790209
     HRTIMER:    1576760     2361409     1330088     1545921
         RCU:  421549961   407634645   405460584   415147363
In our case, we had to enable RPS explicitly by writing a CPU bitmask (f selects CPUs 0 to 3) to the receive queue's rps_cpus file:
# cat /sys/class/net/eth0/queues/rx-0/rps_cpus
00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,
00000000,00000000,00000000,00000000,00000000,00000000,00000000
# echo f > /sys/class/net/eth0/queues/rx-0/rps_cpus
# cat /sys/class/net/eth0/queues/rx-0/rps_cpus
00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,
00000000,00000000,00000000,00000000,00000000,00000000,0000000f
I have added the echo line to /etc/interfaces to set it on each boot ("up ...").
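The two steps above, computing the rps_cpus bitmask for a given number of CPUs and reading /proc/softirqs to check that NET_RX work is actually spread out, as an added shell example. This is not the post's own script; it assumes the standard Linux rps_cpus sysfs path and the /proc/softirqs layout shown above, and the function names and the sample counters are this example's own (the sample is constructed, not measured).

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes the Linux
# /sys/class/net/<if>/queues/<q>/rps_cpus file and /proc/softirqs layout.

# Print the rps_cpus bitmask selecting CPUs 0..N-1 in the kernel's
# comma-separated 32-bit-word format (4 -> "f", 40 -> "ff,ffffffff").
rps_mask_for_cpus() {
    n=$1
    out=""
    while [ "$n" -gt 0 ]; do
        if [ "$n" -ge 32 ]; then
            word=ffffffff
            n=$((n - 32))
        else
            word=$(printf '%x' $(( (1 << n) - 1 )))
            n=0
        fi
        # lower-numbered CPUs live in the rightmost word
        if [ -z "$out" ]; then out=$word; else out="$word,$out"; fi
    done
    printf '%s\n' "$out"
}

# Write the mask for all online CPUs to one receive queue (needs root).
# Not called below. Usage: apply_rps_mask eth0 rx-0
apply_rps_mask() {
    mask=$(rps_mask_for_cpus "$(nproc)")
    printf '%s\n' "$mask" > "/sys/class/net/$1/queues/$2/rps_cpus"
}

# Count CPUs whose NET_RX softirq counter is non-zero in a
# /proc/softirqs-format file. 1 means all receive work is still on one CPU.
net_rx_active_cpus() {
    awk '/^ *NET_RX:/ { c = 0; for (i = 2; i <= NF; i++) if ($i > 0) c++; print c }' "$1"
}

# Per-CPU share of NET_RX softirqs, one "CPUn xx.x%" line per CPU.
net_rx_share() {
    awk '/^ *NET_RX:/ {
        total = 0
        for (i = 2; i <= NF; i++) total += $i
        if (total > 0)
            for (i = 2; i <= NF; i++) printf "CPU%d %.1f%%\n", i - 2, 100 * $i / total
    }' "$1"
}

# Constructed sample in /proc/softirqs format (not real measurements).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
                    CPU0       CPU1       CPU2       CPU3
          HI:          0          0          0          0
      NET_TX:       1000       1200        900       1100
      NET_RX:        100        300          0        600
         RCU:      40000      41000      39000      42000
EOF

rps_mask_for_cpus 4            # f
net_rx_active_cpus "$SAMPLE"   # 3
net_rx_share "$SAMPLE"         # CPU0 10.0% ... CPU3 60.0%
```

On a live system, replace "$SAMPLE" with /proc/softirqs and run net_rx_share twice a few seconds apart; the counters are cumulative since boot, so the difference between two readings shows the current distribution better than the absolute values.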
Monday, June 14. 2010
Note to self: Don't forget to set configuration option PidFile in torrc when you run multiple instances of Tor.
Sunday, May 2. 2010
QUOTE: The UNIX-HATERS Handbook? Why? Of what earthly good could it be? Who is the audience? What a perverted idea. But then again, I have been sitting here in my living room—still wearing my coat—for over an hour now, reading the manuscript. One and one-half hours. What a strange book. But appealing. Two hours. OK, I give up: I like it. It’s a perverse book, but it has an equally perverse appeal. Who would have thought it: Unix, the hacker’s pornography.
"Dennis never found the problem with his Makefile. He's now stuck in a dead-end job where he has to wear a paper hat and maintains the sendmail configuration files for a large state university in the midwest. It's a damn shame." -- Garfinkel et al., Programming in Plato's Cave, Donald A. Norman: The UNIX Hater's Handbook (1994)
(via)
Saturday, May 1. 2010
I use Postfix as my SMTP server. By default, it includes every user's IP address and hostname in the headers of outgoing mail, even for internal users. As there is no need for the outside world to see which IP addresses I use internally, I decided to remove them from outgoing email. This does not mean they are no longer logged, and since at the moment I am the only one using my server, mails can still be traced to me. This post explains how.
Continue reading "Remove IPs from Outgoing Mail (Postfix SMTP)"
Tuesday, April 27. 2010
According to the Tor Project FAQ, a Tor relay uses less memory if it is compiled with OpenBSD's malloc and the latest OpenSSL. This helps if your resources are limited or if you run a high-bandwidth node. Here is how to do that on a Debian system.
Continue reading "Tor on Debian, self compiled for better Performance"
Friday, February 27. 2009
With the release of Debian 5.0 "Lenny" as stable, I upgraded my servers and installed its Xen 3.1.2 and kernel 2.6.26 Xen packages for my DomUs. After that, one of my DomUs kept freezing: 100% CPU and no response on the console whatsoever. I found that various people report similar problems, but no hints towards a solution.
If you experience similar freezes, downgrade your DomU to the 2.6.18 kernel from Etch: add the Etch sources to your APT configuration in both the Dom0 and the DomU, install linux-image-2.6.18-6-xen-686 (or -amd64 for 64-bit systems) and modify your Xen domain configuration to use the old kernel. Everything else can stay upgraded to Lenny.
Wednesday, May 14. 2008
Today, I set up a user specifically for SSH tunneling with PuTTY and my Debian vServer. The user can log in securely with an SSH key, but gets no shell access.
1. Generate an SSH key for the user. You can generate SSH keys with OpenSSH, but I used PuTTYgen on my Windows client:
Start PuTTYgen, select "SSH-2 DSA" at the bottom and push "Generate". If you enter a passphrase to protect your private key, you will need to enter it every time you open the tunnel connection. Save the private key and leave the window open. I called mine "tunnel.ppk".
2. On the Linux server, either add a new user or reuse an existing one. Then create ~/.ssh/ if it doesn't exist, edit ~/.ssh/authorized_keys and paste in the public key from the PuTTYgen window. To restrict the user to, well, basically no commands, prepend a forced command that does nothing but keep the connection alive:
mkdir ~/.ssh/
chmod 700 ~/.ssh/
~/.ssh/authorized_keys (chmod 600):
command="while :;do date;sleep 50;done" ssh-dss AAAAB3NzaC1yc2EAAAABJQ....
This will put the user logging in using the key into a loop that outputs the date every 50 seconds to keep the connection alive.
3. On the client, create a new connection in PuTTY and enter your server details. Go to "Connection -> Data" and put the user name into the "Auto-login username" field. Under "Connection -> SSH -> Auth", at the bottom, select the private key file you created in step 1. To set up a dynamic SOCKS tunnel, go to "Connection -> SSH -> Tunnels", enter a port number into the "Source port" field (e.g. 1080), select "Dynamic" at the bottom and press "Add". Save your profile.
4. Connect in PuTTY. You will see a window echoing the date every once in a while. You can now socksify your connections to 127.0.0.1:1080 (the port you chose in step 3).
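Step 2 above is where the restriction actually happens, so here is an added shell example (not the post's own commands) that builds the authorized_keys entry and checks the file modes the post requires. Beyond the post's bare command= option, it adds the standard OpenSSH key options no-pty, no-agent-forwarding, no-X11-forwarding and no-user-rc, which close the other channels a tunnel-only user does not need while leaving port forwarding enabled, since the SOCKS tunnel depends on it. The function names, the demo directory and the placeholder public key are this example's own.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes OpenSSH's
# authorized_keys option syntax and GNU stat (-c) as found on Debian.

# Build a restricted authorized_keys line for a tunnel-only user.
# $1: a public key line in OpenSSH format ("ssh-xxx BASE64 [comment]").
# command= forces the keep-alive loop from the post; the no-* options
# drop PTY allocation, agent and X11 forwarding and ~/.ssh/rc.
# Port forwarding is deliberately left allowed for the SOCKS tunnel.
restricted_key_entry() {
    printf 'command="while :;do date;sleep 50;done",no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc %s\n' "$1"
}

# Verify the modes the post asks for: 700 on the key directory and
# 600 on authorized_keys. sshd ignores the file under looser modes
# when StrictModes is on (the default). Prints "ok" or the problem.
check_ssh_perms() {
    dir=$1
    d=$(stat -c '%a' "$dir" 2>/dev/null) || { echo "missing $dir"; return 1; }
    f=$(stat -c '%a' "$dir/authorized_keys" 2>/dev/null) || { echo "missing authorized_keys"; return 1; }
    [ "$d" = "700" ] || { echo "dir mode $d, want 700"; return 1; }
    [ "$f" = "600" ] || { echo "file mode $f, want 600"; return 1; }
    echo ok
}

# Constructed placeholder key (not a real key) and a throwaway demo
# directory standing in for the tunnel user's ~/.ssh.
SAMPLE_KEY='ssh-dss PLACEHOLDER_PUBLIC_KEY_DATA tunnel'
DEMO=$(mktemp -d)
mkdir -m 700 "$DEMO/.ssh"
restricted_key_entry "$SAMPLE_KEY" > "$DEMO/.ssh/authorized_keys"
chmod 600 "$DEMO/.ssh/authorized_keys"

cat "$DEMO/.ssh/authorized_keys"
check_ssh_perms "$DEMO/.ssh"   # ok
```

To use it for real, run restricted_key_entry with the public key line copied from PuTTYgen and append the output to the tunnel user's ~/.ssh/authorized_keys, then run check_ssh_perms on that directory before testing the login.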