Debian Lenny – nut / UPS – Z3 Zenergy 700 VA (INFOSEC)
Published on February 23, 2011

Configuring nut for the INFOSEC Z3 Zenergy 700 USB UPS

System: GNU/Linux Debian 5 – Lenny
kernel: 2.6.26-2-486
Nut: 2.2.2-6.5

You have acquired a UPS. Unfortunately, it is only partially supported by nut (see the nut hardware compatibility list). Although the UPS has a USB port, Debian Lenny detects it poorly: Linux sees a USB-to-serial converter (Cypress USB to Serial), but its virtual serial port /dev/ttyUSB0 is never created. The port can still be used in raw mode, as we will see.

Let's check whether the USB hubs see the UPS:

# lsusb
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 002: ID 0665:5161 Cypress Semiconductor USB to Serial
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

Let's look at the USB details of this device:

# lsusb -v
Bus 001 Device 002: ID 0665:5161 Cypress Semiconductor USB to Serial
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 1.10
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 8
idVendor 0x0665 Cypress Semiconductor
idProduct 0x5161 USB to Serial
bcdDevice 0.02
iManufacturer 1 INNO TECH
iProduct 2 USB to Serial
iSerial 3 20100813
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 34
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 3 20100813
bmAttributes 0x80
(Bus Powered)
MaxPower 100mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 3 Human Interface Device
bInterfaceSubClass 0 No Subclass
bInterfaceProtocol 0 None
iInterface 4 Sample HID
HID Device Descriptor:
bLength 9
bDescriptorType 33
bcdHID 1.00
bCountryCode 0 Not supported
bNumDescriptors 1
bDescriptorType 34 Report
wDescriptorLength 27
Report Descriptors:
** UNAVAILABLE **
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0008 1x 8 bytes
bInterval 32
Device Status: 0x0000
(Bus Powered)

Unfortunately, no (virtual) serial port is created when the UPS is plugged in. A standard /dev/hidraw0 device is nevertheless created automatically, so that the system can talk to the UPS directly over raw HID.

Installing nut

Installing nut is straightforward:

# apt-get install nut

After trying the megatec_usb driver in vain (it should have been able to talk to the UPS), I had to install the nut .deb package from Debian 6 Squeeze! That package (nut_2.4.6.deb at minimum) contains the blazer_usb driver that nut needs to communicate with the device.

It is available from the networkupstools.org site: download the package from the Download / Binary packages section. A link takes you straight to the nut download page: http://packages.debian.org/squeeze/nut

Direct link: nut_2.4.3-1.1squeeze1_i386.deb

Installing the package:

# dpkg -i nut_2.4.6.deb

Configuring nut

File: /etc/nut/nut.conf

MODE=standalone
UPSD_OPTIONS=""
UPSMON_OPTIONS=""

File: /etc/nut/ups.conf

[Z3_700]
driver = blazer_usb
port = /dev/hidraw0
vendorid = 0665
productid = 5161
desc = "Server Linux Internet"

This file holds the parameters of your UPS. The name in square brackets is the name by which the system will identify the UPS.

For USB UPSes, port = auto might also work. In my case I had to specify the /dev/hidraw0 port created by the system. Ideally, a virtual serial port such as /dev/ttyS0 or /dev/ttyUSB0 would be available to talk to the UPS.

File: /etc/nut/upsd.users

[z3]
password = pass_ups
upsmon master

This is an "account" in the sense of the nut service: upsmon presents this user name and password to upsd, and the "upsmon master" line marks it as a master monitor, which is allowed to initiate the forced shutdown.

File: /etc/nut/upsmon.conf

RUN_AS_USER
MONITOR Z3_700@localhost 1 z3 pass_ups master
SHUTDOWNCMD "/sbin/shutdown -h +0"
MINSUPPLIES 1
POLLFREQ 5
POLLFREQALERT 5
HOSTSYNC 30
DEADTIME 15
POWERDOWNFLAG /etc/killpower
RBWARNTIME 43200
NOCOMMWARNTIME 300
FINALDELAY 5

This monitor configuration file reuses the UPS information from ups.conf: the MONITOR line gives the UPS name and host, the number of power supplies it feeds, and the user name, password and role defined in upsd.users.

File: /etc/nut/upssched.conf

CMDSCRIPT /upssched-cmd

Once all these files are configured, you can test driver-to-UPS communication with the command:

# /lib/nut/blazer_usb -a Z3_700 -DDD -u root

Network UPS Tools – Megatec/Q1 protocol USB driver 0.03 (2.4.3)
0.000000 debug level is '3'
0.040693 Checking device (0665/5161) (001/002)
0.077674 - VendorID: 0665
0.077760 - ProductID: 5161
0.077776 - Manufacturer: INNO TECH
0.077792 - Product: USB to Serial
0.077807 - Serial Number: *********
0.077822 - Bus: 001
0.077836 Trying to match device
0.078023 Device matches
0.078122 failed to claim USB device: could not claim interface 0: Device or resource busy
0.080628 detached kernel driver from USB device...
0.083726 Trying megatec protocol…
0.087616 send: Q1
1.089450 read: could not claim interface 0: Device or resource busy
1.089548 blazer_status: short reply
1.089570 Status read 1 failed
1.093459 send: Q1
1.151423 read: Q1
1.151487 blazer_status: short reply
1.151506 Status read 2 failed
1.155442 send: Q1
1.215440 read: Q1
1.215539 blazer_status: short reply
1.215562 Status read 3 failed
1.215581 Trying mustek protocol…
1.219435 send: QS
1.471366 read: (235.6 235.6 235.6 --- 50.1 13.6 --.- 00001001
1.471590 blazer_status: non numerical value [---]
1.471645 blazer_status: non numerical value [--.-]
1.471687 Status read in 1 tries
1.471706 Supported UPS detected with mustek protocol
1.475396 send: F
1.599348 read: #230.0 002 12.00 50.0
1.599536 Ratings read in 1 tries
1.603375 send: I
1.663341 read: I
1.663408 blazer_vendor: short reply
1.663429 Vendor information read 1 failed
1.667352 send: I

Broadcast Message from ...
(somewhere) at 0:45 ...

Communications with UPS Z3_700@localhost lost

1.727365 read: I
1.727466 blazer_vendor: short reply
1.727488 Vendor information read 2 failed
1.731350 send: I
1.791325 read: I
1.791403 blazer_vendor: short reply
1.791423 Vendor information read 3 failed
1.791440 Vendor information unavailable
1.791462 Battery runtime will not be calculated (runtimecal not set)
1.795338 send: QS
2.047274 read: (235.6 235.6 235.6 --- 50.1 13.6 --.- 00001001
2.047437 blazer_status: non numerical value [---]
2.047481 blazer_status: non numerical value [--.-]
2.047805 dstate_init: sock /var/run/nut/blazer_usb-Z3_700 open on fd 5
2.051302 send: QS
2.303228 read: (236.1 236.1 236.1 --- 50.1 13.6 --.- 00001001
2.303385 blazer_status: non numerical value [---]
2.303427 blazer_status: non numerical value [--.-]

The driver

You must reload the udev rules after each change:

$ sudo udevadm control --reload_rules
$ sudo udevadm trigger

Note: these commands are optional for USB UPSes.

Testing communication between the driver and the UPS

$ sudo upsdrvctl start

Network UPS Tools – UPS driver controller 2.4.3
Network UPS Tools – Megatec/Q1 protocol USB driver 0.03 (2.4.3)
Supported UPS detected with mustek protocol
Vendor information unavailable
Battery runtime will not be calculated (runtimecal not set)

Broadcast Message from user@Debian
(somewhere) at 23:16 ...

Communications with UPS Z3_700@localhost established

upsd and upsmon

upsd talks to the driver we have just started. The upsmon monitor talks to the upsd service. Several monitors on different machines can share the same physical UPS; each monitor sends the shutdown command to its own host.

Monitor file: /etc/nut/upsmon.conf

Server file: /etc/nut/upsd.conf

# MAXAGE 15
# LISTEN 127.0.0.1 3493

These files must be protected from being read by ordinary users, since the MONITOR line carries the upsd.users password in clear text!

$ sudo chown root:nut /etc/nut/*
$ sudo chmod 640 /etc/nut/*

Restart the nut service

$ sudo /etc/init.d/nut restart

Check your system logs to see whether everything went well.

UPS client

The upsc program lets you query your UPS.

$ upsc -L localhost

This lists the UPSes managed by the server on that host.

$ upsc z3_700

battery.voltage: 13.60
battery.voltage.nominal: 12.0
beeper.status: enabled
device.type: ups
driver.name: blazer_usb
driver.parameter.pollinterval: 2
driver.parameter.port: /dev/hidraw0
driver.parameter.productid: 5161
driver.parameter.vendorid: 0665
driver.version: 2.4.3
driver.version.internal: 0.03
input.current.nominal: 2.0
input.frequency: 50.1
input.frequency.nominal: 50
input.voltage: 227.9
input.voltage.fault: 227.9
input.voltage.nominal: 230
output.voltage: 227.9
ups.delay.shutdown: 30
ups.delay.start: 180
ups.productid: 5161
ups.status: OL
ups.type: offline / line interactive
ups.vendorid: 0665
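The driver trace earlier shows the raw Megatec replies (the "QS" status line with its "---" and "--.-" placeholders, and the "F" ratings line), and the upsc output above shows what the driver makes of them. As an added example (not part of the original post and not the blazer_usb driver's code), here is a small Python parser for those two replies that maps them onto the NUT variable names seen in upsc, treating a dashed field as "not reported" rather than a number, and rejecting the short "Q1" echo the driver retried on. The status-bit meanings follow the Megatec Q1 protocol description; the NUT status flags are a simplified rendering of what the driver does.

```python
# Status bit names, most significant (b7) first, per the Megatec Q1 protocol description
STATUS_BITS = (
    "utility_fail",      # b7: 1 = mains failed, running on battery
    "battery_low",       # b6
    "bypass_boost",      # b5: bypass / boost (or buck) active
    "ups_failed",        # b4
    "standby_type",      # b3: 1 = standby / line-interactive, 0 = online
    "test_in_progress",  # b2
    "shutdown_active",   # b1
    "beeper_on",         # b0
)


def _num(token):
    """Megatec replies use dashes ('---', '--.-') for values the UPS cannot report."""
    try:
        return float(token)
    except ValueError:
        return None


def _status_string(bits):
    """Simplified version of the driver's NUT status flags (OL/OB, LB, BYPASS, CAL, FSD)."""
    flags = ["OB" if bits["utility_fail"] else "OL"]
    if bits["battery_low"]:
        flags.append("LB")
    if bits["bypass_boost"]:
        flags.append("BYPASS")
    if bits["test_in_progress"]:
        flags.append("CAL")
    if bits["shutdown_active"]:
        flags.append("FSD")
    return " ".join(flags)


def parse_qs(reply):
    """Parse a Q1/QS status reply '(MMM.M NNN.N PPP.P QQQ RR.R S.SS TT.T b7b6b5b4b3b2b1b0'.
    Returns None for a short or malformed reply (what the driver logs as 'short reply')."""
    fields = reply.strip().split()
    if len(fields) != 8 or not fields[0].startswith("("):
        return None
    status = fields[7]
    if len(status) != 8 or set(status) - {"0", "1"}:
        return None
    bits = {name: status[i] == "1" for i, name in enumerate(STATUS_BITS)}
    return {
        "input.voltage": _num(fields[0][1:]),
        "input.voltage.fault": _num(fields[1]),
        "output.voltage": _num(fields[2]),
        "ups.load": _num(fields[3]),          # '---' on this UPS: not reported
        "input.frequency": _num(fields[4]),
        "battery.voltage": _num(fields[5]),
        "ups.temperature": _num(fields[6]),   # '--.-' on this UPS: not reported
        "ups.status": _status_string(bits),
        "beeper.status": "enabled" if bits["beeper_on"] else "disabled",
        "ups.type": "offline / line interactive" if bits["standby_type"] else "online",
    }


def parse_f(reply):
    """Parse an F ratings reply '#MMM.M QQQ SS.SS RR.R' (voltage, current, battery V, frequency)."""
    fields = reply.strip().split()
    if len(fields) != 4 or not fields[0].startswith("#"):
        return None
    return {
        "input.voltage.nominal": float(fields[0][1:]),
        "input.current.nominal": float(fields[1]),
        "battery.voltage.nominal": float(fields[2]),
        "input.frequency.nominal": float(fields[3]),
    }


def upsc_lines(variables):
    """Render the variables the way 'upsc' prints them, omitting unreported ones."""
    return ["%s: %s" % (k, v) for k, v in sorted(variables.items()) if v is not None]


if __name__ == "__main__":
    # Replies copied from the debug trace above; a real driver reads them from the device
    status = parse_qs("(235.6 235.6 235.6 --- 50.1 13.6 --.- 00001001")
    ratings = parse_f("#230.0 002 12.00 50.0")
    for line in upsc_lines({**status, **ratings}):
        print(line)
    print(parse_qs("Q1"))  # the short reply seen in the trace: None
```

Because ups.load and ups.temperature come back as None, they are simply absent from the rendered list, which is exactly why upsc shows no load or temperature for this model.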

Everything is ready for your UPS to warn the system when mains power fails.

By default, upsmon waits for the low-battery signal before triggering the machine shutdown; with this UPS that can take around twenty minutes, or even 30 minutes if it is not too heavily loaded.

Note: to shut down your UPS remotely:

$ upsdrvctl shutdown

IPv6 with a SpeedTouch 516/546 (firmware v6)

Have you just requested a nice SixXS IPv6-in-IPv4 tunnel, and it doesn't work (or only outbound)...

This is how it does work (in this example the IPv6 router is 192.168.4.4):

:expr add name=ipv6 type=serv proto=41

:firewall rule add chain=forward_host_service name=SixXS serv=ipv6 state=enabled action=accept

:nat tmpladd intf=Internet type=nat outside_addr=0.0.0.1 inside_addr=192.168.4.4 protocol=6to4

:saveall

Done!

via: blog.keesmeijs.nl » Blog Archive » IPv6 with a SpeedTouch 516/546 (firmware v6).

Password protection can limit access to your website or a specific sub-directory.

lighttpd.conf

Make sure you enable mod_access and mod_auth in your lighttpd.conf:

server.modules += ( "mod_access" )

server.modules += ( "mod_auth" )

htpasswd

# htpasswd -c ~/lighttpd/foo-auth.txt username

Running this command prompts for the user's new password and stores it, hashed, in the text file (-c creates the file; omit it when adding further users to an existing file). Combining this with a $HTTP["host"] conditional ruleset in lighttpd.conf lets us enable HTTP Basic authentication.

$HTTP["host"] =~ ".*domainroot.*" {
    $HTTP["url"] =~ "^/somesubdir/" {
        auth.backend = "htpasswd"
        auth.backend.htpasswd.userfile = "/home/you/lighttpd/foo-auth.txt"
        auth.require = ( "/somesubdir" => (
            "method" => "basic",
            "realm" => "anything",
            "require" => "valid-user"
        ))
    }
}

Plain Text

If you don't have access to htpasswd, or don't mind the password being stored unencrypted, you can simply create a plain text file containing:

username:123

"username" can be any user name you like, and "123" is the password.

The configuration is a little different for this form of authentication:

$HTTP["url"] =~ "^/somesubdir" {
    auth.backend = "plain"
    auth.backend.plain.userfile = "/home/you/lighttpd/foo-auth.txt"
    auth.require = ( "/somesubdir" => (
        "method" => "basic",
        "realm" => "whatever",
        "require" => "valid-user"
    ))
}
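To make concrete what the two userfile formats above store and how a Basic credential is checked against them, here is an added Python example (not part of the original post and not lighttpd's code). It builds a {SHA} entry of the kind lighttpd's htpasswd backend accepts, parses a userfile that may also contain plain "user:password" lines like the plain backend's, and validates an Authorization header value. In lighttpd the configured backend decides how a secret is interpreted; this example auto-detects the {SHA} prefix purely for illustration, and all function names are its own.

```python
import base64
import binascii
import hashlib
import hmac


def htpasswd_sha_line(user, password):
    """Build a userfile entry in the {SHA} form lighttpd's htpasswd backend accepts.
    Unsalted SHA-1 is better than storing the password in clear text, but the
    salted formats htpasswd offers are preferable when the tool is available."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "%s:{SHA}%s" % (user, base64.b64encode(digest).decode("ascii"))


def parse_userfile(text):
    """Parse 'user:secret' lines; a plain-backend file holds the password itself."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, secret = line.split(":", 1)
        users[user] = secret
    return users


def verify_password(stored, password):
    """Constant-time comparison against a {SHA} entry or a plain-text entry."""
    if stored.startswith("{SHA}"):
        digest = hashlib.sha1(password.encode("utf-8")).digest()
        candidate = base64.b64encode(digest)
        return hmac.compare_digest(candidate, stored[5:].encode("ascii"))
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


def basic_header(user, password):
    """Build the Authorization value a browser sends: base64 only, not encryption."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def authenticate(authorization, users):
    """Return the user name if the header is a valid Basic credential, else None."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or user not in users:
        return None
    return user if verify_password(users[user], password) else None


if __name__ == "__main__":
    # Constructed userfile: one {SHA} entry plus the plain 'username:123' example above
    userfile = htpasswd_sha_line("alice", "s3cret") + "\nusername:123\n"
    users = parse_userfile(userfile)
    print(userfile)
    print(authenticate(basic_header("alice", "s3cret"), users))  # alice
    print(authenticate(basic_header("alice", "wrong"), users))   # None
```

Since basic_header shows that the credential travels as reversible base64 on every request, the realm should only be served over HTTPS; the choice between the htpasswd and plain backends only affects what an attacker gets from a copy of the userfile, not what crosses the wire.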

via: 2skies.com :: basic http authentication with lighttpd.

Warning – if you follow these instructions fail2ban will, by default, be protecting you against other scans such as ssh attempts. This means though that if you get your IP blocked you will not be able to connect to your server from that IP. Ensure that you whitelist your IP by following the instructions at the end of the post.

Over the past few weeks we have seen a big jump in the scanning of VoIP servers. All of these scans are brute-force attempts: they first probe for valid extension numbers, then try to guess each extension's password by repeatedly submitting different passwords.

Unfortunately Asterisk has nothing built in to prevent these scans, but it is very good at logging the attempts in the Asterisk logs. This means we can use a free utility called fail2ban together with the Linux iptables firewall to block IP addresses that make repeated failed login attempts.

Fail2ban is already included in PBX-in-a-Flash but we can also use it with other Asterisk distributions.

Most of the information in this post was taken from here, so please visit for more information.

Here is a quick guide for getting fail2ban blocking Asterisk brute force scanning on a 32 bit CentOS server. You must have iptables installed already.

First we are going to install the rpmforge repository and use the fail2ban package from there -

rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

sed -i 's/enabled = 0/enabled = 1/' /etc/yum.repos.d/rpmforge.repo

yum install -y fail2ban jwhois

Now disable the rpmforge repo so that it doesn't interfere with any of the CentOS/Asterisk packages -

sed -i 's/enabled = 1/enabled = 0/' /etc/yum.repos.d/rpmforge.repo

Next we are going to create the fail2ban configuration file for Asterisk. This tells fail2ban what text to monitor the logs for -

cat >> /etc/fail2ban/filter.d/asterisk.conf <<-'EOF'
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
EOF

Next we are going to add some lines to the jail.conf file that tells fail2ban what log files to monitor and what action to take when the required text is detected. This includes sending an alert e-mail so you may want to change ‘root’ to your e-mail address. It also includes the length of time the IP address is blocked for in seconds. Here we have it set to 3 days, you may want to modify this -

cat >> /etc/fail2ban/jail.conf <<-EOF
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath = /var/log/asterisk/full
maxretry = 5
bantime = 259200
EOF

Fail2ban needs the date in the Asterisk log files written in a specific format. To do this we can add a line to the ‘General’ section of the Asterisk logger configuration file. If you already have a ‘General’ section in there you will just want to add the line manually rather than running the command below -

cat >> /etc/asterisk/logger.conf <<-EOF
[general]
dateformat=%F %T
EOF

asterisk -rx "logger reload"

Finally we want to fire up fail2ban and set it to start at boot time -

service fail2ban start

chkconfig fail2ban on

One final thing you may want to do is 'whitelist' your own IP address(es). You can do this by adding them to the ignoreip line in the jail.conf file. Here's a couple of lines to do it automatically; just change the IP address here to your own -

sed -i 's/ignoreip = /ignoreip = 123.123.123.123 /' /etc/fail2ban/jail.conf

service fail2ban restart


via: Blocking Asterisk hacking/scanning attempts with fail2ban.

Want to avoid segmentation with apc.shm_segments? If your Linux server limits the size of a shared memory block and you are forced to use apc.shm_segments instead, change the limit with (512M here; adjust as you like):

# sysctl -w kernel.shmmax=536870912

(If you want the change to persist across reboots, add the following line to /etc/sysctl.conf:

kernel.shmmax=536870912)

and update apc.ini:

apc.shm_segments="1"
apc.shm_size="512"

apc.stat is an extremely important setting for a production server, especially if many files are accessed on every request, which is quite normal in complex web applications.

Always aim to use:
apc.stat="0"
so that APC does not check whether each and every file still exists on every request you make. It also means you can update files on your server without breaking requests that arrive during that window. Whenever you want to force APC to re-read all the files, simply clear the cache or restart your server.