You have a problem and icanhazip.com isn’t one of them

I really enjoy operating icanhazip.com and the other domains. It’s fun to run some really busy services and find ways to reduce resource consumption and the overall cost of hosting.

My brain has a knack for optimization and improving the site is quite fun for me. So much so that I’ve decided to host all of icanhazip.com out of my own pocket starting today.

However, something seriously needs to change.

A complaint came in yesterday from someone who noticed that their machines were making quite a few requests to icanhazip.com. It turns out there was a problem with malware and the complaint implicated my site as part of the problem. One of my nodes was taken down as a precaution while I furiously worked to refute the claims within the complaint. Although the site stayed up on other nodes, it was an annoyance for some and I received a few tweets and emails about it.

Long story short, if you’re sending me or my ISP a complaint about icanhazip.com, there’s one thing you need to know: the problem is on your end, not mine. Either you have users making legitimate requests to my site or you have malware actively operating on your network.

No, it’s not time to panic.

You can actually use icanhazip.com as a tool to identify problems on your network.

For example, add rules to your intrusion detection systems (IDS) to detect requests to the site in environments where you don’t expect those requests to take place. Members of your support team might use the site regularly to test things but your Active Directory server shouldn’t start spontaneously talking to my site overnight. That’s a red flag and you can detect it easily.
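Where a full IDS rule set isn't in place, the same check can be run over DNS query logs. The following is an added example, not part of the original post: a shell function that reports clients looking up icanhazip.com that are not on an allowlist. It assumes dnsmasq-style `log-queries` lines; the function names, the allowlist file and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: report clients that look up icanhazip.com but are not on an
# allowlist of hosts expected to use it (for instance support workstations).
# Assumed log format: dnsmasq "log-queries" lines (query[TYPE] NAME from IP).

# unexpected_lookups ALLOWLIST_FILE < query.log
# Prints "client_ip lookup_count" for every client that is not allowlisted.
unexpected_lookups() {
    awk -v allow="$1" '
        BEGIN {
            # Load allowlisted client IPs, ignoring comments and blank lines.
            while ((getline line < allow) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") ok[line] = 1
            }
        }
        {
            for (i = 1; i <= NF - 3; i++) {
                if ($i !~ /^query\[/ || $(i + 2) != "from") continue
                name = tolower($(i + 1)); sub(/\.$/, "", name)
                client = $(i + 3)
                # Match the domain itself or any subdomain, but not
                # look-alikes such as "noticanhazip.com".
                if ((name == "icanhazip.com" || name ~ /\.icanhazip\.com$/) &&
                    !(client in ok))
                    hits[client]++
            }
        }
        END { for (c in hits) print c, hits[c] }
    ' | sort
}

# Constructed sample log lines (not real traffic).
sample_log() {
    cat <<'EOF'
May 11 19:40:02 dnsmasq[812]: query[A] icanhazip.com from 10.0.5.21
May 11 19:41:10 dnsmasq[812]: query[A] ipv4.icanhazip.com from 10.0.1.10
May 11 19:41:15 dnsmasq[812]: query[AAAA] icanhazip.com from 10.0.1.10
May 11 19:42:00 dnsmasq[812]: query[A] noticanhazip.com from 10.0.1.11
May 11 19:43:30 dnsmasq[812]: query[A] example.org from 10.0.1.10
EOF
}
```

Run it as `unexpected_lookups allowlist.txt < query.log`; any address it prints is a host whose lookups nobody has accounted for.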

Also, don’t report the site as malicious or hosting malware when it’s not. I’ve been accused of distributing malware and participating in attacks but then, after further investigation, it was discovered that I was only returning an IPv4 address to a valid request. That hardly warrants the blind accusations that I often receive.

I’ve taken some steps to ensure that there’s a way to contact me with any questions or concerns you might have. For example:

  • You can email abuse, postmaster, and security at icanhazip.com anytime
  • There’s an HTTP header with a link to the FAQ (which has been there for years)
  • I monitor any tweets or blog posts that are written about the site

As always, if you have questions or concerns, please reach out to me and read the FAQ. Thanks to everyone for all the support!


Keep old kernels with yum and dnf

When you upgrade packages on Red Hat, CentOS and Fedora systems, the newer package replaces the older package. That means that files managed by RPM from the old package are removed and replaced with files from the newer package.

There’s one exception here: kernel packages.

Upgrading a kernel package with yum and dnf leaves the older kernel package on the system just in case you need it again. This is handy if the new kernel introduces a bug on your system or if you need to work through a compile of a custom kernel module.

However, yum and dnf will clean up older kernels once you have more than three. The oldest kernel will be removed from the system and the newest three will remain. In some situations, you may want more than three to stay on your system.

To change the setting, simply open up /etc/yum.conf or /etc/dnf/dnf.conf in your favorite text editor. Look for this line:

installonly_limit=3

To keep five kernels, simply replace the 3 with a 5. If you’d like to keep every old kernel on the system forever, just change the 3 to a 0. A zero means you never want “installonly” packages (like kernels) to ever be removed from your system.

Automatic package updates with dnf

With Fedora 22’s release date quickly approaching, it’s time to familiarize yourself with dnf. It’s especially important since clean installs of Fedora 22 won’t have yum.

Almost all of the command line arguments are the same but automated updates are a little different. If you’re used to yum-updatesd, then you’ll want to look into dnf-automatic.

Installation

Getting the Python code and systemd unit files for automated dnf updates is a quick process:

dnf -y install dnf-automatic

Configuration

There’s only one configuration file to review and most of the defaults are quite sensible. Open up /etc/dnf/automatic.conf with your favorite text editor and review the available options. The only adjustment I made was to change the emit_via option to email instead of stdio.

You may want to change the email_to option if you want to redirect email elsewhere. In my case, I already have an email forward for the root user.

dnf Automation

If you look at the contents of the dnf-automatic package, you’ll find some Python code, configuration files, and two important systemd files:

# rpm -ql dnf-automatic | grep systemd
/usr/lib/systemd/system/dnf-automatic.service
/usr/lib/systemd/system/dnf-automatic.timer

These systemd files are what make dnf-automatic run. The service file contains the instructions so that systemd knows what to run. The timer file contains the frequency of the update checks (defaults to one day). We need to enable the timer and then start it:

systemctl enable dnf-automatic.timer
systemctl start dnf-automatic.timer

Check your work:

# systemctl list-timers '*dnf*'
NEXT                         LEFT     LAST                         PASSED    UNIT                ACTIVATES
Tue 2015-05-12 19:57:30 CDT  23h left Mon 2015-05-11 19:57:29 CDT  14min ago dnf-automatic.timer dnf-automatic.service

The output here shows that the dnf-automatic job last ran at 19:57 on May 11th and it’s set to run at the same time tomorrow, May 12th. Be sure to disable and stop your yum-updatesd service if you still have it running on your system from a previous version of Fedora.
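The two configuration edits described so far (installonly_limit in /etc/yum.conf or /etc/dnf/dnf.conf, and emit_via in /etc/dnf/automatic.conf) can be scripted so they are applied the same way on every host. This is an added example, not code from the original posts; the function names are hypothetical, and the section names [main] and [emitters] are assumed from the stock configuration files rather than stated in the posts.

```shell
#!/bin/sh
# Added example: set KEY = VALUE inside [SECTION] of an INI-style file,
# replacing an existing assignment or adding one if the key is missing.

# set_ini_option FILE SECTION KEY VALUE
set_ini_option() {
    file=$1 section=$2 key=$3 value=$4
    tmp=$(mktemp) || return 1
    awk -v sec="[$section]" -v key="$key" -v val="$value" '
        function emit() { print key " = " val; done = 1 }
        /^[ \t]*\[/ {
            # Leaving the target section without seeing the key: add it here.
            if (insec && !done) emit()
            hdr = $0; gsub(/^[ \t]+|[ \t]+$/, "", hdr)
            insec = (hdr == sec)
            if (insec) found = 1
            print; next
        }
        insec {
            line = $0; sub(/^[ \t]+/, "", line)
            n = split(line, kv, /[ \t]*=/)
            # First assignment of the key is rewritten, duplicates dropped;
            # commented-out lines such as "# key = x" are left alone.
            if (n > 1 && kv[1] == key) { if (!done) emit(); next }
        }
        { print }
        END {
            if (!found) print sec    # section missing: create it
            if (!done) emit()
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?; rm -f "$tmp"; return "$rc"
}

# Uses from the posts. Section names [main] and [emitters] are assumed from
# the stock dnf.conf and automatic.conf layouts, not from the posts.
keep_kernels() {            # keep_kernels COUNT [FILE]
    set_ini_option "${2:-/etc/dnf/dnf.conf}" main installonly_limit "$1"
}
mail_update_reports() {     # mail_update_reports [FILE]
    set_ini_option "${1:-/etc/dnf/automatic.conf}" emitters emit_via email
}
```

Run `keep_kernels 5` and `mail_update_reports` as root; both are safe to re-run because an existing assignment is rewritten in place rather than appended again.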


Tweetdeck’s Chrome notifications stopped working

Within the last few weeks, I noticed that Tweetdeck’s notifications weren’t showing up in Chrome any longer. I double-checked all of the Tweetdeck settings and notifications were indeed enabled. However, I found that Tweetdeck wasn’t allowed to send notifications when I checked in my Chrome settings.

Check your settings

To check these for yourself, hop into Chrome’s content settings. Scroll down to Notifications and click Manage Exceptions. In my case, https://tweetdeck.twitter.com was missing from the list entirely.

From here, you have two options: enable notifications for all sites (not ideal) or add an exception.

The big hammer approach

To enable notifications for all sites (good for testing, not ideal in the long term), click Allow all sites to show notifications in the Notifications section.

The right way

To enable notifications just for Tweetdeck, you may be able to add a new exception right there in the Chrome settings interface. Many users are reporting that newer versions of Chrome don’t allow for that. In that case, your fix involves editing your Chrome configuration on the command line.

Chrome preferences are in different locations depending on your OS:

  • Windows: C:\Users\<username>\AppData\Local\Google\Chrome\User Data\
  • Mac: ~/Library/Application Support/Google/Chrome/
  • Linux: ~/.config/google-chrome/

BEFORE EDITING ANYTHING, be sure you’ve quit Chrome and ensured that nothing Chrome-related is running in the background. Seriously. Don’t skip this step.

I’m on Linux, so I’ll open up .config/google-chrome/Default/Preferences in vim and make some edits. You’re looking for some lines that look like this:

"https://tweetdeck.twitter.com:443,https://tweetdeck.twitter.com:443": {
   "last_used": {
      "notifications": 1431092689.014171
   }
},

Replace those lines with this:

"https://tweetdeck.twitter.com,*": {
   "last_used": {
      "notifications": 1414673538.301078
   },
   "notifications": 1
},
"https://tweetdeck.twitter.com:443,https://tweetdeck.twitter.com:443": {
   "last_used": {
      "notifications": 1431094902.014302
   }
},

Save the file and start up Chrome once more. Head on over to Tweetdeck and you should now see the familiar Chrome toast notifications for Twitter updates!

HOWTO: Mikrotik OpenVPN server

Mikrotik firewalls have been good to me over the years and they work well for multiple purposes. Creating an OpenVPN server on the device can allow you to connect into your local network when you’re on the road or protect your traffic when you’re using untrusted networks.

Although Mikrotik’s implementation isn’t terribly robust (TCP only, client cert auth is wonky), it works quite well for most users. I’ll walk you through the process from importing certificates through testing it out with a client.
