Archive for the 'Linux' Category

Ubuntu vs Debian Package Counts

Monday, August 14th, 2006

I found this amusing. Lucas Nussbaum has compared packages in Debian testing/unstable to Ubuntu Dapper/Breezy. Check out the stats. He loosely makes the claim that Debian has newer software than Ubuntu. For me the comparison doesn’t really say much, but the comments are especially funny.

Hard Drive Temperature RRD

Monday, August 14th, 2006

Berkeley doesn’t get too warm, maybe 85F at the hottest. This summer has been very warm, with temperatures in the upper 90s! I don’t have an air-conditioner, and I’m not alone in my plight; none of my neighbors have one either. I was worried that the few air conditioners I do have would melt down in my all too toasty office.

I found HDtemp, a simple program that reads the temperature of my drives and serves the information over a TCP/IP port. I made an RRD graph out of it and posted the results. I documented the scripts and such here. HDTemp integrates really well with gkrellm, which saves the time of making and posting RRDs.

Small RRD of disk temperature

Stupid SSH Hacks

Sunday, August 6th, 2006

Ever see lots of ssh requests in your auth log? Ya, me too, and I’m sick of it.

Aug 2 22:21:49 host sshd[27593]: Invalid user web from 61.189.35.74

My ssh doesn’t accept passwords; you need a valid 1028-bit private key, plus a pass phrase, to get in. So I don’t think that a brute force attack on ssh will do much. Still, I wanted to put an end to it, and I was thinking of using swatch to monitor the logs and block IPs. Then I found an interesting post on using iptables to stop brute force SSH attacks.

I added just two lines into my firewall, much easier than using some script. If you look at the post above you’ll find a more sophisticated setup.

# create a new chain and send every NEW connection to port 22 through it,
# recording the source address in the "SSH" list on the way
iptables -N SSH_Brute_Force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set --rsource -j SSH_Brute_Force
# Good IPs: whitelisted sources return to INPUT before any rate check
iptables -A SSH_Brute_Force -s 12.223.68.45 -j RETURN
iptables -A SSH_Brute_Force -s 45.68.223.12 -j RETURN
# anyone NOT seen 3 or more times in the last 60 seconds is let through
iptables -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN
# everyone else is logged and tarpitted
iptables -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt: "
iptables -A SSH_Brute_Force -p tcp -j TARPIT

-m recent matches packets and stores their source IP addresses in a list
--name SSH gives the list of IP addresses a name; otherwise DEFAULT is used
--set puts the source IP address on the list
--seconds the quiet period and the sample period
--hitcount number of hits required in the sample period to activate this rule
--rcheck checks whether the source IP address is currently on the list or not (negated here with !)
RETURN jumps back to the original chain
TARPIT keeps the connection open and lets the client time out

Together, ! --rcheck --seconds 60 --hitcount 3 means a source seen fewer than three times in the last 60 seconds RETURNs to INPUT, and only sources above that rate fall through to LOG and TARPIT. Note that TARPIT is not part of the stock netfilter tree; it needs the extra TARPIT target module (patch-o-matic at the time, xtables-addons today), so substitute DROP if your kernel lacks it.
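The same "three hits in sixty seconds" window can be applied offline to the auth log to see which sources the rule would have caught, which is handy for checking --seconds and --hitcount before changing the live firewall. The script below is an added example, not part of the original post or of iptables; the log lines are constructed samples modelled on the one above (the first address is the one from the post, the others are private or documentation addresses), and the year is an assumption since syslog lines carry none.

```python
"""Sliding-window repeat-offender detection over sshd auth-log lines.

Added example: applies the same "hitcount events within seconds" rule that
the iptables recent match enforces, but offline over log text, so you can
see which sources a --seconds 60 --hitcount 3 rule would have caught.
The log lines in SAMPLE_LOG are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches sshd "Invalid user" lines in syslog format. Syslog omits the year,
# so parse_line assumes one (2006, matching the post) when building timestamps.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample log: one fast burst, one slow trickle, one burst from a
# source we will whitelist, mirroring the RETURN rules in the firewall.
SAMPLE_LOG = """\
Aug  2 22:21:49 host sshd[27593]: Invalid user web from 61.189.35.74
Aug  2 22:21:52 host sshd[27595]: Invalid user admin from 61.189.35.74
Aug  2 22:21:58 host sshd[27597]: Invalid user test from 61.189.35.74
Aug  2 22:22:10 host sshd[27601]: Invalid user oracle from 10.0.0.9
Aug  2 22:30:00 host sshd[27640]: Invalid user guest from 10.0.0.9
Aug  2 22:40:00 host sshd[27700]: Invalid user guest from 10.0.0.9
Aug  2 22:41:00 host sshd[27710]: Invalid user bob from 192.0.2.7
Aug  2 22:41:10 host sshd[27711]: Invalid user bob from 192.0.2.7
Aug  2 22:41:20 host sshd[27712]: Invalid user bob from 192.0.2.7
""".splitlines()


def parse_line(line, year=2006):
    """Return (timestamp, source_ip, username) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padded day field ("Aug  2")
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def repeat_offenders(lines, seconds=60, hitcount=3, whitelist=()):
    """Return {ip: time_first_flagged} for sources with at least `hitcount`
    events inside any `seconds`-long window. Whitelisted addresses are skipped,
    like the RETURN rules that sit ahead of the rate check in the chain."""
    windows = defaultdict(deque)  # per-source timestamps inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        if ip in whitelist:
            continue
        q = windows[ip]
        q.append(ts)
        # Expire events older than the window, as --seconds does for --rcheck.
        while (ts - q[0]).total_seconds() > seconds:
            q.popleft()
        if len(q) >= hitcount and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in repeat_offenders(SAMPLE_LOG, whitelist={"192.0.2.7"}).items():
        print(f"{ip} would hit LOG/TARPIT at {when.time()}")
```

Run against a real /var/log/auth.log, the whitelist should hold the same addresses as the RETURN rules; the trickle from 10.0.0.9 never trips the rule, which is exactly why a slow scanner gets past a 60-second window and why the log review still matters.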

ATA over Ethernet (AoE) is Crap

Tuesday, August 1st, 2006

On July 31st an article titled iSCSI Killer was posted on Slashdot, which created quite a flurry of blog posts and activity. The Slashdot post references this linux journal article.

There has been a huge shift in storage technologies over the last year or two. It’s been very exciting, and there are a large number of very compelling vendors who offer some great products and services.

I’m not going to give a tutorial on networked storage, but ATA over Ethernet (AoE) is a lightweight, low-level network protocol which is NOT IP based. AoE can’t be routed, since it isn’t IP based, and it gets punted over to all devices on the switch. The current mainstream network-based protocol is iSCSI. iSCSI encapsulates SCSI commands in TCP. iSCSI is an IP-based protocol which may be routed.

Yes, AoE seems like a lot of fun, and yes, it is a different option than iSCSI, but I still say it’s crap. First off, I’ve seen iSCSI work in high transaction environments with updates in bursts of 1Gb in a few minutes. The clients have no problem. The 3Par server had a TOE, but it was still a lot less expensive than the EMC/Veritas cluster we had. Screw 30% performance degradation from TCP/IP overhead, ’cause iSCSI with a TOE is still cheaper than what was available in 2003/2004.

iSCSI may be routed across switches, which is a huge deal. Why? Because for most networks I build out I have a few routers and lots of switches, often a switch for every other rack, and two routers for each ingress/egress. What good is 10Tb of data if 90% of the machines in the co-lo can’t get to it!?

As for a large storage array sitting behind a single host, something that is very useful in a small business for disk-based backups, that may be easily accomplished via iSCSI. Check out this article on building an iSCSI array. The article singles out open-e as the best of breed.

From my limited research it seems that open-e is a tweaked version of Debian (my favorite) running a flash based box with an IDE controller.

Note that most of the articles list a price point of $1/Gb. Amazon’s S3 service charges $0.15 per Gb per month, and $0.20 for each Gb transferred. So you would reach $1/Gb after 6 months of S3 service, even without transferring data! Goes to show that many times it makes sense to grow your own.

Money Saving Tips on Hardware

Wednesday, July 19th, 2006

Luckily most of you aren’t buying servers or trying to stretch your hardware budget. For those of you who are, here are some tips on saving money.

Actually there is only one tip: buy as little as possible from the original manufacturer. You see, the original manufacturer, like IBM or HP, has pricing power, and they will charge you an arm and a leg for their brand name products.

Here is how you apply this rule:

  • Buy the most minimal configuration from the manufacturer
  • Use a VAR for the purchase, and buy additional items like memory and disk drives from the VAR
  • Have the VAR do the installation of the memory and disk drives

So for example, if you wanted to buy an HP-DL385, dual Opteron with 12Gb of memory and 3 72Gb drives, don’t buy it all from HP! Get an HP-DL385 with 2Gb of memory and one tiny drive. Then have the VAR purchase the additional memory and drives, install them, and ship them to you.

Shop around and find some good VARs. They are competitive, and unlike the manufacturer they don’t have pricing power.

This won’t work for all your hardware needs. Take a HP-DL585 for example. It can take up to 64Gb of memory, but only specially certified memory from HP may be used.

This is why you can get a 2-way HP-DL385 with 16Gb for $7,000, but a 2-way HP-DL585 with 64Gb will cost at least $68,000. Four times the memory, nine times the cost.

Ubuntu is taking over

Friday, June 23rd, 2006

How do I know Ubuntu is taking over?

Observation Number 1
Well, just last night I upgraded my Debian etch (aka unstable) to X11R7. Now X wouldn’t restart, so I started browsing the web using another computer. I found the answers pretty quickly, but the Ubuntu forums had so many more postings, and I have to say more useful answers.

Observation Number 2
Yesterday I was sitting down with someone from our Operations group. I noticed a familiar interface, so I asked, “Are you running Debian?”. The answer, which surprised me but shouldn’t have: “No, it’s Ubuntu”.

Observation Number 3
The Wikipedia entry for Ubuntu is about the same size as the entries for Fedora and Debian.

Oh, and here were my steps for fixing problems like “could not open default font ‘fixed’” or “/etc/X11/X not executable”:
* Remove symlinks for /etc/X11/X and /usr/bin/X
sudo /bin/rm /etc/X11/X; sudo /bin/rm /usr/bin/X
* Install xfs
sudo aptitude install xfs
* Re-install xserver-xorg
sudo aptitude reinstall xserver-xorg
* Install some fonts
sudo aptitude install xfonts-100dpi xfonts-75dpi xfonts-base
* Re-create links to X
sudo ln -s /usr/bin/Xorg /etc/X11/X
sudo ln -s /usr/bin/Xorg /usr/bin/X
* Remove old font references, deleting anything referencing /usr/X11R6/lib/X11/fonts in xorg.conf
sudo vi /etc/X11/xorg.conf
* Re-start gdm
sudo /etc/init.d/gdm restart

After the last one, X should start working again. It may flicker a few times and the screen will go black. Be patient.
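The xorg.conf edit is the one step above that is done by hand, and it is easy to delete too much or too little. As an added example (not from the post, and not a Debian or X.Org tool), the script below removes only FontPath lines that point under the old /usr/X11R6/lib/X11/fonts tree and reports what it dropped, leaving comments and the other FontPath entries (including the xfs server entry) intact. The sample configuration is constructed for the example.

```python
"""Drop stale pre-X11R7 FontPath entries from an xorg.conf.

Added example, not part of the post: makes the "delete anything referencing
/usr/X11R6/lib/X11/fonts" step repeatable and reviewable. SAMPLE_CONF is a
constructed configuration; the old tree prefix is the one named in the post.
"""
import re

OLD_FONT_TREE = "/usr/X11R6/lib/X11/fonts"

# An active FontPath line: optional indentation, the keyword, a quoted path.
# Lines starting with '#' never match, so commented-out entries are preserved.
FONTPATH_RE = re.compile(r'^\s*FontPath\s+"([^"]*)"\s*$')


def strip_old_fontpaths(conf_text, old_tree=OLD_FONT_TREE):
    """Return (cleaned_text, removed_paths).

    Only FontPath lines whose path is old_tree or lies beneath it are removed;
    every other line is kept byte for byte.
    """
    kept, removed = [], []
    for line in conf_text.splitlines(keepends=True):
        m = FONTPATH_RE.match(line)
        path = m.group(1) if m else None
        if path is not None and (path == old_tree or path.startswith(old_tree + "/")):
            removed.append(path)
        else:
            kept.append(line)
    return "".join(kept), removed


# Constructed sample: two stale entries, one commented-out stale entry,
# one X11R7 entry and the xfs font server entry from the post's setup.
SAMPLE_CONF = '''\
Section "Files"
    FontPath    "/usr/X11R6/lib/X11/fonts/misc"
    FontPath    "/usr/X11R6/lib/X11/fonts/100dpi"
    # FontPath  "/usr/X11R6/lib/X11/fonts/75dpi"
    FontPath    "/usr/share/fonts/X11/misc"
    FontPath    "unix/:7100"
EndSection
'''


if __name__ == "__main__":
    cleaned, gone = strip_old_fontpaths(SAMPLE_CONF)
    print(cleaned)
    print("removed:", gone)
```

To apply it to the real file, read /etc/X11/xorg.conf, keep a backup, and write the cleaned text back only after checking the removed list is what you expect.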

SVN and DNS caching

Monday, May 15th, 2006

My SVN repository is at home, and my home machine often changes ip addresses. No big deal, I have a script to update the DNS entries every 20 minutes.

Today I brought my laptop to work and tried to update the subversion repository. It didn’t work, because the old IP address was cached! I don’t think this is a subversion problem, but it was a pain in the butt.

I had to switch my repository to use an IP address.

# point the working copy at the same repository under a new root URL
svn switch --relocate http://old.org http://W.X.Y.Z

Now I have to remember to switch back :(