Servers and Networking

What to look for in a router

Dave Farquhar DD-WRT, Hardware, Servers and Networking , , , , , , , , , , , , , , ,

I revisit the topic of what to look for in a router every six or seven years. As important as it always was, I think it’s even more important today, as there are a number of underpowered routers on the market and it’s best to avoid them.

This post originated in 2010. I revised it for 2017 needs, and by the time I was done, I’m not sure much of my 2010 text was left. But that’s OK.

Read more

And we have safely arrived in the 21st century.

Dave Farquhar Servers and Networking, This weblog ,

It wasn’t the smoothest of transitions, but it went a whole lot better than it could have. I’ve moved the venerable Silicon Underground, with its nearly 1,800 posts spanning a little over a decade, to WordPress 3.0.1.

This blog’s been pretty stale for a long time. Some of that is due to the software. Some of it’s my fault. Blogging software has really advanced a lot in the last few years, and the software I’ve been using since 2004 was a bit behind the curve even then. In its defense, in 2004 nothing could do everything I wanted, and the system I chose was one of the few that required login and authentication, which I desperately needed in order to stop spam. But then registration broke, and I didn’t fix it, which meant only longtime readers could comment.

For commenting, we’re going back to username and e-mail address with optional URL, and with some spam analysis tools hopefully filtering out the spam. Users are moderated until their second comment, which will help take care of the trolls. Comments containing multiple hyperlinks automatically go to moderation. And comments will be closed after some period of time, probably 14 days. Discussions usually go downhill as time goes on.

Will I post more now that it’s easier? Probably.

Modern blogs can interact with one another; mine was always an island. Now I can trackback and pingback like everyone else, which will probably prove useful.

I’m sure I’ll be making changes for a while, but this is a big improvement.

I’d like to thank Steve D. and Rich P. (you know who you are) for their help with the migration. It only took me what, three years to go through with it? Four? And then it ended up taking about two hours of real work, if that, spread out over the course of a couple of weeks.

Misguided security

Dave Farquhar Servers and Networking

I once worked someplace whose management laid an egg when they found out that it was possible to sniff network traffic over hubs. So they replaced all the hubs in their network, at considerable expense, with switches for an extra layer of security.

That’s fine. Except…Except the back door of the building never closed right, so it was pretty easy for anyone to just waltz right into the office. Nobody ever did, that I know of. But still, that’s not good.

But that’s not the end of it. One time I saw one of the other IT guys pick the lock on the server room. With a sheet of typing paper.

Yes. He grabbed a piece of paper out of the closest wastebasket, folded it in half, then in half again, pushed it into the gap in the door, made an upward motion, and freed the catch. Then he just walked in. It was easier than remembering the combination.

They spent tens of thousands of dollars out of paranoia that some employee would bring in a sniffer and plug it into the network, but wouldn’t pay the $200 or $300 it would cost to have a contractor come in for a couple of hours to make sure the doors were secure.

One of my clients had an incident with a door in a secure room yesterday, and that reminded me of this former client’s door problems. This current client fixed the problem in about 30 minutes.

It’s been five years, but I probably could still get into that former client’s server room. The hardest part would be remembering where the doors are.

Best public DNS – finding the best for you

Dave Farquhar Servers and Networking , , , , , , , ,
Best public DNS – finding the best for you

If your Internet connection is slow, it almost always helps if you optimize your DNS. But there’s more to the best public DNS than just speed. I’ll tell you how to find the fastest DNS, but using a DNS that offers improved security gives your computer protection beyond what your antivirus and firewall provide.

Sometimes it’s enough, and it’s definitely cheaper than buying a new router. Even if you do get a new router, using fast DNS helps. Here’s how to find the best public DNS to use, to improve your speed and your security.

Read more

Barfy.

Dave Farquhar Personal, Servers and Networking, War Stories , , , , , , , , , , , , , ,

I started my professional career doing network administration at the University of Missouri. (I generally don’t count my stint selling low-quality PCs at the last surviving national consumer electronics chain towards my professional experience anymore.)

Read more

Password pain

Dave Farquhar Servers and Networking , , ,

ChannelInsider bemoaned bad password policies and practices late last week.

It’s a problem. Security (unfortunately) is my specialty, so I know it’s a problem. But it’s going to get worse before it gets better.There was an old User Friendly cartoon where a helpdesk operator spitefully changed an annoying user’s password to something like !Qoh&32;[ or something like that. Unfortunately, we’ve gotten to the point where the industry-standard password policy requires users to have passwords like that–only twice as long.

Let me tell you about one of my clients. Their policy is especially draconian. The passwords have to be at least 15 characters long and have two uppercase, two lowercase, two numbers, two special characters, and two umlauts (OK, no umlauts required), but then they add some other restrictions on top of that. These restrictions make the passwords considerably harder to remember, but they also significantly reduce the number of possible passwords (which is why I won’t disclose the restrictions–and no, I won’t disclose the name of the client either). So the end result is that the passwords look really secure, but really aren’t any more secure than the 8-character passwords they were using a few years ago that had fewer restrictions.

There are several unfortunate results to this situation. One is that it takes several days to come up with a decent password. As a result, passwords get passed around. “Does anyone have a password that works right now?” is a common question I hear. Yes, passwords get passed around. Or, slightly less worrisome, they become collaborative works. Someone hands over a slip of paper with something cryptic like 1977-22@MINal.296 written on it and wants to know why the password policy rejects it. If the first person can’t figure it out, someone else looks at it.

Personally, I think if that password had more umlauts, it would probably get through the policy. But that’s just me.

And then the password age keeps getting ratcheted down. It takes almost 30 days to memorize these stupid things. But by then, the passwords expire and the whole cycle starts over again.

Ultimately the solution is going to be ever longer and ever more complex passwords with ever-shorter lifespans. Maybe 32 characters long, with four upper, four lower, four numbers, four special characters, and four foreign language characters (stuff you have to type by hitting ALT and a four-digit keycode on the numeric keypad). I hesitate to say this, because someone’s going to think that’s a great idea and adopt it. So maybe I should patent the idea to prevent that from happening.

And the result will be ever greater resentment, more password sharing, more passwords on sticky notes attached to keyboards and monitors, and even greater willingness to exchange a password for a piece of chocolate.

Loosen the restrictions a bit, cut users a bit of slack, educate them on the importance of good passwords, and the result can only be greater security. Until then, things are only going to get worse, on all fronts.

It’s too bad Secure Channel didn’t think of all that.

Review: D-Link DSL-2640B

Dave Farquhar Hardware, Servers and Networking , , , , ,

I’ve had DSL for right around 10 years. I would have ordered it sooner, except it wasn’t available in my area any earlier than that.

Over the years I’ve owned several modems. I started out with an Alcatel, then after I moved a mile down the street I owned a couple of different Speedstream modems. Each would drop connections every so often, and each had a different (and undocumented, of course) ritual to get it back online.

The highest praise I can give to the D-Link DSL-2640B is that I haven’t discovered such a ritual yet. If the phone line and electricity are working, it finds a way to stay online.

There’s nothing especially flashy about the 2640B. It’s an unassuming black and silver box, similar in styling to modern PCs, with jacks in the back. It’s a combination modem, gateway, and switch in one package, so in my case, it replaced two boxes–my Speedstream modem, and my Linksys WRT54G. Many ISPs have been distributing all-in-one units made by companies like 2wire in recent years; the D-Link is similar to those, but a bit smaller than many of them.

Setup is trivial for someone who’s set up devices like my old Linksys. Those who’ve never done such a thing may need assistance. I can’t vouch for the quality of D-Link’s customer service because I didn’t need it. Before I plugged the unit into my phone line, I plugged a laptop into the D-Link, brought the two units over to my desktop PC where I brought up my Linksys configuration, and I checked all my settings against the Linksys. About 10 minutes later, I plugged the D-Link into my phone line, it connected to my ISP, and it’s been online ever since.

The nicest feature is its ADSL information screen. It tells me the modem speed (downstream and upstream), number of errors, and other diagnostic information. I’ve seen my speed range from 1.5 megabit to as low as 256K (upstream stays steady at 384K), but it’s never dropped. I’ll take speed fluctuations over dropped connections any day. If the quality of my phone line deteriorates any further (or maybe I should say, “when”)–I’ll be armed with some good information. Southwestern Bell/SBC/AT&T have always been able to dismiss my complaints in the past. I imagine that’ll be harder to do when I can tell them exactly how many tens of millions of downstream errors I have, versus 96 upstream errors.

Despite those connections, the modem keeps on trucking. I’m impressed.

My sole complaint is that the DynDNS client doesn’t pass my domain name to my internal network. I had to put an entry for my DynDNS name into my hosts file. This won’t be an issue for anyone who isn’t running their own web server, but it’s a little aggravating for those who do. Less aggravating than a dropped connection though.

So if you need a new DSL modem for whatever reason, I recommend the D-Link DSL-2640B. It isn’t flashy, but it works and keeps working.

Update 10 October 2010: I’ve been using this unit for about 15 months, and it’s still going strong. So I can recommend it even more strongly than when I wrote this. It’s out of warranty now, and I didn’t even notice.

Something to try when ERD Commander’s Locksmith doesn’t work

Dave Farquhar security, Servers and Networking, War Stories, Windows

So maybe you’re like me and you’re administering a system that fell off its Windows domain, and the system was built by your predecessor’s predecessor, the local administrator account was renamed, and nobody has any clue what the account name or password is.

And you try ERD Commander because it worked in the past, but not this time…Usually the Locksmith works. But in this case, it didn’t, and of course everyone wanted the server back online an hour ago. We tried everything else we could think of for about three days, including downloading some things that I was sure would get me a visit from a security officer. Nothing worked. At least when I got the visit from the security officer, he just wanted to know why there were repeated attempts to log in with certain accounts.

“I was trying to hack into my own server and it seems I’m not a very good hacker,” I said. Duh.

So I found myself standing at the server with another sysadmin, having used my last idea. “I don’t suppose you have any ideas?” I asked. “I figured if you did, you would have said so by now, but…”

He shook his head.

Finally, I had one last idea. I asked him what he set the password to when he used ERD Commander.

“Password,” he said. “To make it easy to remember.”

Aha! A light went off. This system was hardened to require stronger passwords than just an 8-character alphabetic password. I had a hunch that was what was keeping us from being able to log in using our hacked account.

So we booted off the ERD Commander CD yet again, connected to the Windows installation, located what we were pretty sure was the renamed local adminstrator account, and I reset it to the standard mixed-case special character password we use for the local admin accounts.

We held our breath, rebooted, and tried to log in.

Success. Finally.

So if ERD Commander isn’t working for you, try using a stronger password to satisfy your local system policy.

And just in case you’re wondering why a computer falls off a domain, computers have usernames and passwords just like users do. Occasionally the passwords get reset. If for some reason the domain controller thinks a member computer’s password is one thing, and the member computer thinks it’s something else, you end up with a computer that says it’s on the domain, but can’t authenticate against it. The solution is to log in with a local administrator account, then either run NTDOM.EXE from the Windows Support Tools, or remove the computer from the domain and add it back in. You can just put the computer in a workgroup, ignore the dialog box that says you have to reboot, then add it to the domain, and then reboot.

Microsoft buys and then discontinues Linux/Unix antivirus products

Dave Farquhar Servers and Networking , , , , ,

First GeCAD, now Sybari.

Microsoft has been buying smaller anti-virus firms and discontinuing their Linux and Unix product lines.

Trust, schmust. When your god is Big Business, that means Big Business can do no wrong, so when you’re the U.S. government, you let companies like Microsoft do whatever they want. The problem is that Unix antivirus products are extremely useful, especially in Microsoft shops. Unix viruses are rare, and the heterogenous nature of Unix–never knowing much about the underlying hardware, binary incompatibilities between various dialects even when running on the same hardware, and never knowing for certain which libraries are installed–creates a hostile environment for viruses anyway.

So what good is a Unix server that detects viruses that can’t survive in Unix anyway? It makes a great buffer between the hostile world and the soft and chewy Windows boxes inside corporate firewalls, that’s what.

I love to put Unix boxes in between the world and mail servers that may be running Windows. Just set it up to relay mail to your Exchange or Domino server, but have it scan the mail first. Better yet, have it running on weird hardware. A slightly elderly Macintosh or Alpha or Sun box works great. Since the Intel x86 instruction set is the most common, most buffer overflows use it. While non-x86 processors aren’t immune to buffer overflows, an overflow using x86 instructions will appear to be gibberish and it won’t run. It’s like telling me a lie in Japanese. You won’t fool me with the lie, because I don’t speak Japanese, so I won’t understand a word you’re saying.

Fortunately, there are still antivirus products for Unix and Linux out there. And once Microsoft establishes its antivirus product, it will be more difficult–I hope–for it to simply continue buying antivirus firms and discontinue their products, since now they would be buying off competitors, rather than just attempting to acquire technology that they don’t have the ability to develop internally.

And even if they do buy and discontinue everything, there’s always ClamAV.

Running Knoppix on a Proliant with a SmartArray controller

Dave Farquhar Servers and Networking ,

If you’ve ever tried to run Knoppix on a Compaq or HP Proliant with a Smart Array controller, you probably got a rude surprise.

Here’s how to make the hard drive(s) show up.Open a shell window.

Type ‘su’ (no quotes) to become root.

Type ‘insmod cciss’ — you may get a message that it’s already installed.

Type ‘cd /dev’

Type ‘MAKEDEV cciss’ (this is case-sensitive).

Now Knoppix will see your drives so you can mount them and/or edit the partitions with qtparted.