Categories
FreeBSD Linux Windows

SSH: too many authentication failures

I am not entirely certain what the cause of this error is, but it is particularly annoying when it happens on a headless system.

I think that the problem is caused by too many keys to choose from during key negotiation, or no key at all. I found this workaround:

ssh -o PubkeyAuthentication=no vince@host

Once a successful login with a password is possible, log out and copy the authentication key to the host…

ssh-copy-id -o PubkeyAuthentication=no vince@host

Then login with ssh again…

ssh vince@host

And ssh should authenticate without using a password.
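Added example, not part of the original post, which goes a little beyond it: sshd sends "Too many authentication failures" once a client has exceeded the server's MaxAuthTries (6 by default), and every key the client offers counts as one attempt, so an agent holding many keys can trip it before the right key is tried. The script counts identities in an `ssh-add -l` listing (the sample listing and its fingerprints are constructed) and emits a ~/.ssh/config stanza that pins one key with IdentitiesOnly, so the workaround above is only needed once to copy the key over. MAX_AUTH_TRIES and the host, user and key path are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. sshd reports "Too many
# authentication failures" when a client exceeds MaxAuthTries (6 by default);
# each offered key counts as one try, so a full agent can exhaust the budget.
# Assumed: POSIX sh; MAX_AUTH_TRIES mirrors the sshd default.
MAX_AUTH_TRIES=${MAX_AUTH_TRIES:-6}

# Constructed sample of `ssh-add -l` output (fingerprints are made up).
SAMPLE_AGENT_LIST='256 SHA256:a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x vince@laptop (ED25519)
3072 SHA256:b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y vince@laptop (RSA)
256 SHA256:c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z vince@work (ED25519)
4096 SHA256:d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a vince@oldbox (RSA)
256 SHA256:e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b deploy@ci (ED25519)
256 SHA256:f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c vince@nas (ECDSA)
3072 SHA256:g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d vince@router (RSA)'

# count_agent_keys: stdin = `ssh-add -l` output, stdout = number of identities
count_agent_keys() {
    grep -c '^[0-9][0-9]* SHA256:' || true   # grep -c exits 1 on zero matches but still prints 0
}

# agent_exhausts_tries COUNT: print "risk" if COUNT alone reaches MaxAuthTries, else "ok"
agent_exhausts_tries() {
    if [ "$1" -ge "$MAX_AUTH_TRIES" ]; then echo risk; else echo ok; fi
}

# ssh_config_stanza HOST USER KEYFILE: a ~/.ssh/config entry that offers only
# KEYFILE to HOST, so the key count no longer matters and password fallback
# is not required.
ssh_config_stanza() {
    printf 'Host %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1" "$2" "$3"
}

if [ "${1:-}" = demo ]; then   # sh script.sh demo
    n=$(printf '%s\n' "$SAMPLE_AGENT_LIST" | count_agent_keys)
    echo "agent keys: $n ($(agent_exhausts_tries "$n") against MaxAuthTries=$MAX_AUTH_TRIES)"
    ssh_config_stanza host vince "$HOME/.ssh/id_ed25519"   # host/user/key path are assumptions
fi
```

Run `sh script.sh demo` to see the count against a live-looking listing; to check your real agent, pipe `ssh-add -l` into count_agent_keys instead of the sample.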

Categories
FreeBSD Hardware

1024×768 FreeBSD VT Console

I use a lot of old kit in my lab. Some of these machines have very poor ACPI implementations and they often complete their boot displaying an 80×25 character console on monitors that can support much higher resolutions. I have put up with staggered ZFS listings for too long and decided to fix this problem on my FreeBSD hosts.

Modern FreeBSD uses the VT console by default. If a video graphics driver has been installed, it will display a console in a higher resolution if configured.

The configuration below was tested on FreeBSD 13.4-RELEASE-p1 and FreeBSD 14.1-RELEASE-p5 with an onboard Intel graphics adapter.

Install the graphics driver:

$ sudo pkg install drm-kmod

Run the following command to load the Intel graphics driver on boot (it writes to /etc/rc.conf, so it needs root):

$ sudo sysrc kld_list+=i915kms

Edit /boot/loader.conf adding the following lines to the file:

# VT console
hw.vga.textmode=1
hw.vga.acpi_ignore_no_vga=1
kern.vty=vt
kern.vt.fb.default_mode="1024x768"

If dmesg reports a good ACPI table, you don’t need hw.vga.acpi_ignore_no_vga=1.

If you are using a screen that cannot display 1024×768, use kern.vt.fb.default_mode="800x600" instead.

Reboot the host to confirm that the new console settings are active.
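Added example, not part of the original post: a small POSIX sh script that applies the loader.conf tunables listed above without leaving duplicate lines behind when it is run a second time (appending by hand twice leaves two kern.vt.fb.default_mode entries, and the loader silently takes the last one). LOADER_CONF can be pointed at a scratch file to preview the result; the apply branch that calls sysrc and the 1024x768 default are assumptions taken from this post.

```sh
#!/bin/sh
# Added example, not from the original post: set the loader.conf tunables the
# post lists, replacing an existing NAME= line instead of appending another.
# Assumed: POSIX sh with grep/sed/mktemp. LOADER_CONF defaults to the real file;
# override it to dry-run against a copy.
LOADER_CONF=${LOADER_CONF:-/boot/loader.conf}

escape_re() {  # make a tunable name safe inside a basic regular expression
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

set_tunable() {  # set_tunable NAME VALUE: replace an existing NAME= line or append one
    name=$1 value=$2
    tmp=$(mktemp)
    if [ -f "$LOADER_CONF" ]; then
        # drop any previous setting; grep -v exits 1 when nothing is left, which is fine
        grep -v "^$(escape_re "$name")=" "$LOADER_CONF" > "$tmp" || true
    fi
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$LOADER_CONF"
}

get_tunable() {  # get_tunable NAME: print the current value (quotes kept) or nothing
    [ -f "$LOADER_CONF" ] || return 1
    sed -n "s/^$(escape_re "$1")=//p" "$LOADER_CONF" | tail -n 1
}

configure_vt_console() {  # configure_vt_console [MODE], MODE defaults to 1024x768
    mode=${1:-1024x768}
    set_tunable hw.vga.textmode 1
    set_tunable hw.vga.acpi_ignore_no_vga 1   # drop this line on hosts whose ACPI table dmesg reports as good
    set_tunable kern.vty vt
    set_tunable kern.vt.fb.default_mode "\"$mode\""
}

if [ "${1:-}" = apply ]; then         # sh script.sh apply [MODE]  (run as root on FreeBSD)
    sysrc kld_list+=i915kms            # load the Intel KMS driver at boot, as in the post
    configure_vt_console "${2:-}"
fi
```

`LOADER_CONF=/tmp/loader.conf sh script.sh apply 800x600` shows what would be written before you touch the real file.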

Categories
FreeBSD Hardware

USB Serial Adapter on FreeBSD

To make a USB serial adapter visible to FreeBSD, add the following to /boot/loader.conf:

# USB serial adapter
ucom_load="YES"


Categories
Microsoft Windows

How to use emojis on Microsoft Windows

This is super easy: just press the ‘Windows’ key (flag) and the ‘Full Stop’ key (.) on your keyboard at the same time to pop up the emoji selector.

After all these years, I just found this feature! It was mentioned in a VSCode YouTube tutorial that I watched yesterday.

Categories
Containerisation Django Docker Python

Create a Django admin account inside a Docker container

Assuming that your Django container is already running under Docker, find out what its ‘Container ID’ is.

$ docker ps
CONTAINER ID IMAGE ...
fb3aabc8e123 django-web ...

In the above example the Container ID is fb3aabc8e123.

Now you can easily execute commands inside that container.

$ docker exec -it fb3aabc8e123 sh

The ‘-it’ options keep stdin open (-i) and allocate a pseudo-terminal (-t), which together give you an interactive terminal.

The ‘sh’ at the end of the command is the program to run, in this case the system shell. You could use ‘bash’ on a Linux machine if that’s your preference.

Now that you have a shell running in the Django container, you can run the command to create the admin user account.

# python ./manage.py createsuperuser


Categories
Containerisation Django Docker Podman Python

Django migrations inside a Docker container

The easiest way to have Django run a migration inside a Docker container is to get Docker to run a new container to perform the task.

Using ‘run’ instead of ‘exec’ works even if there is a start-up script like entrypoint.sh that prevents the container from starting until the migration has been completed (chicken-and-egg).

E.g. I have a Django app called ‘web’ defined in docker-compose.yml, and my terminal’s current working directory is the Django container folder where manage.py lives.

$ docker compose run web ./manage.py migrate

This probably works similarly with Podman, I just haven’t tried it yet to verify.
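Added example, not part of this post or the previous one on creating the admin account: a POSIX sh script that picks the container ID out of `docker ps` output by image name (the sample listing, its IDs and names are constructed), runs manage.py commands through `docker exec`, and creates the superuser non-interactively so the whole bootstrap can be scripted. It relies on Django's own DJANGO_SUPERUSER_USERNAME / DJANGO_SUPERUSER_EMAIL / DJANGO_SUPERUSER_PASSWORD variables with `--noinput`; the image name django-web and service name web are taken from the posts, and the bare `-e NAME` form of `docker exec` copying NAME from the calling environment is an assumption noted in the code.

```sh
#!/bin/sh
# Added example, not from the posts. Assumed: POSIX sh with awk; the Django
# image is named django-web and the compose service web, as in the posts.

# Constructed sample of `docker ps` output (IDs, names and ports are made up).
SAMPLE_PS='CONTAINER ID   IMAGE         COMMAND                  CREATED       STATUS       PORTS                    NAMES
fb3aabc8e123   django-web    "./entrypoint.sh"        2 hours ago   Up 2 hours   0.0.0.0:8000->8000/tcp   web
9c1d2e3f4a5b   postgres:16   "docker-entrypoint.s…"   2 hours ago   Up 2 hours   5432/tcp                 db'

# container_id IMAGE: stdin = `docker ps` output, stdout = ID of the first
# running container whose IMAGE column matches exactly (nothing if none does)
container_id() {
    awk -v img="$1" 'NR > 1 && $2 == img { print $1; exit }'
}

# manage_in_container ID ARGS...: run a manage.py command inside a running
# container (non-interactive; use `docker exec -it ID sh` for a shell, as in the post)
manage_in_container() {
    id=$1; shift
    docker exec "$id" python ./manage.py "$@"
}

# create_superuser ID USERNAME EMAIL: non-interactive createsuperuser. The
# password comes from $DJANGO_SUPERUSER_PASSWORD in the calling environment and
# is passed with a bare `-e NAME` (assumed to copy the caller's value, as
# `docker run -e` does) so it never appears on a command line or in history.
create_superuser() {
    if [ -z "${DJANGO_SUPERUSER_PASSWORD:-}" ]; then
        echo "set DJANGO_SUPERUSER_PASSWORD in the environment first" >&2
        return 1
    fi
    docker exec -e DJANGO_SUPERUSER_PASSWORD \
        -e DJANGO_SUPERUSER_USERNAME="$2" -e DJANGO_SUPERUSER_EMAIL="$3" \
        "$1" python ./manage.py createsuperuser --noinput
}

# migrate: the post's one-shot compose container; --rm removes it afterwards
# so finished migration containers do not accumulate in `docker ps -a`
migrate() {
    docker compose run --rm web ./manage.py migrate
}

if [ "${1:-}" = bootstrap ]; then   # DJANGO_SUPERUSER_PASSWORD=... sh script.sh bootstrap admin admin@example.invalid
    migrate
    id=$(docker ps | container_id django-web) || exit 1
    [ -n "$id" ] || { echo "no running django-web container" >&2; exit 1; }
    create_superuser "$id" "${2:-admin}" "${3:-admin@example.invalid}"
fi
```

Read the password in with `read -rs` or from a secrets file rather than typing it on the command line that invokes the script, otherwise it is in your shell history anyway.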

Categories
Alpine Linux FreeBSD Ubuntu

ZFS Trim

I noticed today that the FreeBSD ZFS pool that I created on my laptop SSD was not configured for TRIM. TRIM tells the SSD which previously written blocks no longer hold live data (for example after files are deleted) so that it can reclaim them. This can help maintain the performance of the SSD as it fills with data.

My pool is called zroot, so the command to check the value of the TRIM setting is:

$ zpool get autotrim zroot

The command to switch on automatic TRIM is:

$ zpool set autotrim=on zroot


Categories
Hardware

Netgear GSM7224 v1

Originally written in 2018. This post was languishing in drafts for a couple of years. I may complete it someday.

I acquired three old Netgear GSM7224 switches for my lab network some time ago and I pulled them off the shelf recently to use in a project I am currently working on. I wish I had actually checked them out fully when I first acquired them because it has cost me a week or so in time to get them usable in a reasonably secure test network. I did not anticipate the problems getting older high-end Netgear products to work securely in a network environment with up-to-date patched hosts.

Netgear GSM7224 installed in test lab

If you are trying to make use of ageing Netgear GSM7224 Gigabit Ethernet Managed Switches you may find this article useful. Some of this may even be relevant to other network equipment running similar firmware, e.g. Sun Netra.

Observations

I spent a little time getting familiar with one of the switches on my bench. I used a laptop running Ubuntu 18.04 with a USB serial adapter and a 9-pin null modem serial cable connected to the switch’s console port on the front panel. As these were second-hand switches I didn’t have knowledge of the existing admin password. Resetting the password was at the top of the task list but until then it was time to do some basic surveillance on the switch using nmap. These are my initial observations.

  • Noisy or failed fans
  • Slow start-up time
  • Old firmware. The latest 2007 version is still available for download
  • Log files are time and dated from 1 Jan 1970 at start-up
  • Awful Netgear documentation, lots of critical configuration information undocumented
  • Telnet running on tcp 23
  • No SSH v2 access
  • Unencrypted web management interface on tcp 80
  • No HTTPS for web interface
  • Mysterious tcp 4242 port listening
  • Web Management prompts for Java plugin but 2018 browsers are not able to run Java applets

Objectives

  1. Reset passwords on all switch login accounts
  2. Replace fans with new parts
  3. Document out of band command line management via the serial console
  4. Upgrade firmware to latest version
  5. Fix the time stamps in the log files
  6. Fix the Java plugin requirement
  7. Configure in-band management only from the management VLAN 1 with no internet access
  8. Enable SSH v1 safely via a bastion host running SSH v2
  9. Enable HTTPS web interface only over management VLAN
  10. Disable less secure management interfaces, telnet and unencrypted web management
  11. Enable remote syslog
  12. Enable SNMP
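Added example, not part of the original post: a POSIX sh check that reads an nmap grepable (-oG) scan of the switch and reports any open TCP port outside the set that should remain after objectives 9 and 10 are met, so the as-found observations above (telnet on 23, plain HTTP on 80, the Java port 4242) can be re-tested after each configuration change. The sample scan line is constructed (documentation-range address, space-separated fields where real nmap uses tabs), and the allowed list "22 443" (SSH and HTTPS on the management VLAN) is an assumption.

```sh
#!/bin/sh
# Added example, not from the original post. Assumed: POSIX sh with sed/tr;
# scan taken with `nmap -oG scan.txt <switch>` against your own switch.

# Constructed -oG line for the switch in its as-found state (address is a
# documentation-range placeholder; real nmap separates the fields with tabs)
SAMPLE_SCAN='# Nmap scan of the switch (constructed sample)
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 4242/open/tcp//////  Ignored State: closed (996)'

# open_ports: stdin = -oG output, stdout = open TCP port numbers, one per line
open_ports() {
    sed -n 's/^Host:.*Ports: //p' | tr ',' '\n' |
        sed -n 's|^[[:space:]]*\([0-9][0-9]*\)/open/tcp/.*|\1|p'
}

# unexpected_ports ALLOWED: stdin = port list, stdout = ports not in ALLOWED
# (ALLOWED is a space-separated list such as "22 443")
unexpected_ports() {
    allowed=" $1 "
    while read -r port; do
        case "$allowed" in
            *" $port "*) ;;          # expected management port
            *) echo "$port" ;;       # should have been disabled
        esac
    done
}

# audit_scan FILE ALLOWED: list offending ports and return 1 if any are found
audit_scan() {
    bad=$(open_ports < "$1" | unexpected_ports "$2")
    if [ -n "$bad" ]; then
        printf 'unexpected open port: %s\n' $bad
        return 1
    fi
    echo "only expected ports open"
}

if [ "${1:-}" = demo ]; then      # sh script.sh demo
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_SCAN" > "$f"
    audit_scan "$f" "22 443"      # as-found switch: reports 23, 80 and 4242
    rm -f "$f"
fi
```

Against a real switch, run the scan from a host on the management VLAN and from one outside it; the outside scan should show no open management ports at all once objective 7 is done.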

Tools and Equipment Required

  • Netgear GSM7224
  • The latest firmware for the switch. At the time of writing this was 6.2.0.14
  • Laptop or desktop computer that has a terminal emulator.
  • Oracle VirtualBox to host an old distro that has an SSH v1 client or a Windows PC with PuTTY.
  • CD-ROM or ISO image file for an old 32-bit Linux or FreeBSD distribution that was released between 2006 and 2007. This is primarily for using OpenSSL and OpenSSH from this period to fully configure the switch. I used Ubuntu 6.06 LTS x86 as this was still downloadable in 2018
  • 9-pin serial null modem cable.
  • USB to Serial adapter if your computer does not have a native serial port.
  • VT100 terminal emulation program that can connect to the switch’s console session via your serial connection. I used Minicom that was installable from the Ubuntu repos.
  • Netgear GSM7224 Administrators Guide
  • Netgear GSM7224 Command Line Reference
  • nmap or zenmap (GUI version) for testing

Optional Requirements

  • A compatible Java Plugin for a web browser that shipped with your 2006 Linux distro. If you want to try the Java applet function in the switch’s web interface
  • Wireshark if you want or need to decode further the SSH protocol between your switch and ssh clients

Replace the Noisy Fans

All three of my switches had noisy fans. Each has two 40x40x10mm 5VDC 2-pin fans inside and one in each had partially seized which was causing a lot of noise.

Opening the case was just a bit of screwdriver work to remove the rack mounting ears and then the screws holding the case together. All of the externally visible screws have to be removed to open the case. The cover slides off rearwards with a slight upward tilt. Once inside I could see the fans that need replacing.

I opted for cheap replacement fans sourced from eBay but I probably should have put more thought into that decision at the time. Within a few months the replacement fans started getting noisy.

I wish I had documented the fan replacement fully as I am going to use one of these switches again in November 2024. I originally installed brass inserts into the plastic housings of the 40mm fans to enable them to be attached with screws to the chassis. I am guessing that the inserts are M3 thread and approximately 4mm deep. I have ordered some more for another set of new fans.

Gain Console Access

I connected a 9-pin null modem serial cable that I use for console access to the switch and to a USB serial adapter plugged into my laptop.

I use Minicom as a terminal emulator to access my switch consoles. Ctrl-A in Minicom gains access to its configuration menu. The connection was configured for /dev/ttyUSB0 at 9600,n,8,1. After saving the settings the switch console login prompt appeared.

My Netgear switches were all purchased used without documentation or being reset to factory defaults. I tried logging in as admin with various popular passwords without luck. Fortunately, rebooting the switches with Minicom still connected and running reveals a boot menu. Select option 2 to access a configuration menu. From here the switch can be reset to factory defaults without needing a password.

Update Firmware

I downloaded the ‘latest’ firmware from Netgear and set up a TFTP server on my laptop to serve the new firmware image. The firmware’s README describes the process to upgrade and although it takes a while silently updating there is eventually some confirmation on screen and the job is done.

I was having problems getting the SNTP client to synchronise time with the NTP servers that I had specified. That was until I tried this configuration command, which worked…

(GSM7224) (config)# sntp client mode unicast

I also had some problems getting recent SSH clients to work. PuTTY on a Windows machine was useful as it still supports SSH v1.

Port scanning the switch revealed that tcp 4242 appears to be used by the switch’s Java client interface. As I am not using the Java client, it can be closed using:

no ip http java

More to follow…

Categories
Hardware

Upgrading the CPU on a Dell GX240 – Again!

I never expected that I would upgrade one of my elderly Dell GX240 PCs again, but today I did. I have two GX240 tower PCs. One of them has been used as a firewall for five years, the other as its fallback spare. I retired both of them a few weeks ago, replacing them with Dell PowerEdge 840 servers. Yes, they are old too, but not as old as the GX240.

I have been planning to upgrade my parents’ firewall with a PowerEdge 840 but I’m working on a project at the moment and can’t really spare one of my modified super quiet ones. I had a job lot of old CPUs arrive today and an Intel SL7EY was in the bundle. I soon realized that this was the high-end processor for the GX240 and quickly decided that perhaps a GX240 would go on for a bit longer at my parents’ house.

I stripped down both GX240s and rebuilt one using the best bits from each. I will save the other for spares and scrap them both eventually but for now the best of them gets a 2.8GHz Pentium 4 with 512KB cache. To my disappointment, a very large number of the new processor’s pins were bent. It took about an hour or so of work with a magnifying glass and craft knife to carefully straighten them enough for the socket to accept the processor. The PC was booted up with the new CPU and it was correctly recognised in the BIOS setup. A successful upgrade!

The 2.6GHz Celeron has performed really well and I’m interested to see if the additional 200 MHz and 384KB of cache that the 2.8GHz Pentium 4 has make a noticeable difference. I didn’t take any benchmarks before and after, this was just a case of making use of a surprise ‘windfall’. I’m not expecting anything as amazing as the last processor upgrade but I think it was worthwhile doing.

Categories
FreeBSD Hardware

D-Link DFE-570TX and Broadcom BCM5821

I have just acquired a used 4-port D-Link Fast Ethernet PCI board from a seller on eBay. I have been looking for one of these for my ‘new’ firewall for ages and was about to give up.

The firewall is an old crate of a Dell GX240 with PCI slots but it still has plenty of grunt to do what I need without consuming too much power. It’s one of the old Dells that I bought years ago for peanuts that has been upgraded with a 2.6GHz Celeron.

I have been experimenting with a Broadcom crypto accelerator in pfSense and I was about to give up on the GX240 and move up to a newer old machine with PCI-X slots.

The BCM5821 already delivers a 24x performance improvement on 2048-bit RSA in the 33MHz PCI bus and I am intrigued to find out how fast it will go in a 64-bit, 66MHz slot. Now that I have the D-Link, I will crack on with the original plan and save the PCI-X upgrade for later.

More to follow…