Dnstop – monitoring of requests to the DNS server

The utility is installed in Ubuntu/Debian by the command:

sudo apt-get install dnstop

Start-up example:

dnstop -n google.com eth0

The possible startup keys are:
-4 (count IPv4 packets)
-6 (count IPv6 packets)
-Q (count requests)
-R (count answers)
-a (anonymize IP addresses)
-i ADDRESS (ignore the specified IP address)
-n NAME (count only requests for the specified name)
-l NUMBER (monitor up to the specified number of requests)
-f (filter name)

How to convert a list of IP addresses to DNS names

In Linux you can convert a list of IP addresses into DNS names, for example, with a simple script.

To do this, create an empty file with the extension .sh, make it executable and put the following content into it:

#!/bin/sh
# Reads lines of the form "<ip> <traffic>" from ip_traf.lst, resolves each IP
# to its PTR name with host(1) and writes "<name> <ip> <traffic>" to name_ip_traf.lst.
while read -r ip traf ; do
    # Take the last field of the "domain name pointer" line; fall back to "-"
    # when the address has no reverse record (host prints an error instead).
    name=$(host "$ip" | awk '/domain name pointer/{print $NF; exit}')
    printf '%s\t%s\t%s\n' "${name:--}" "$ip" "$traf"
done >name_ip_traf.lst <ip_traf.lst

Where ip_traf.lst is the file with the list of IP addresses to convert (each line holds an IP address followed by its traffic value); the result is written to name_ip_traf.lst.

You can make it executable by the command:

chmod +rwx file.sh

Run the script in the directory where it is located by the command:

./file.sh

Or run by specifying the full path:

/dir/file.sh

After starting it, wait for it to finish or interrupt it by pressing CTRL+C.

How to configure SPF records

SPF (Sender Policy Framework) allows you to specify, in a TXT DNS record of the domain, the addresses from which mail for that domain may be sent, which helps prevent e-mail spoofing.

Here is an example of adding SPF records:

v=spf1 +a +mx -all
v=spf1 ip4:192.168.1.5 ip4:192.168.7.111 +a +mx -all

Where v=spf1 is the SPF version,
ip4:ADDRESS is an IP address from which mail may be sent,
+a allows mail from the addresses listed in the domain's A records,
+mx allows mail if the sending address belongs to a host listed in the domain's MX records,
-all rejects all other messages, i.e. those that failed the check.
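The record syntax above can be checked offline with a small evaluator. This is an added example, not code from the original article: it walks the mechanisms left to right, resolves a and mx against a constructed DNS table for the hypothetical domain example.com, and returns the qualifier of the first matching mechanism; it also accepts ip4 with a CIDR prefix, which the article's examples do not use.

```python
import ipaddress

# Constructed DNS data for the hypothetical domain example.com (stands in
# for real A/MX lookups so the example runs offline).
DNS = {
    "example.com":      {"A": ["203.0.113.10"], "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["203.0.113.25"]},
}

# SPF qualifier prefixes and the result they yield when a mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def a_records(name):
    return DNS.get(name, {}).get("A", [])


def mx_addresses(name):
    """Addresses of every MX host of the domain (what the 'mx' mechanism checks)."""
    return [ip for mx in DNS.get(name, {}).get("MX", []) for ip in a_records(mx)]


def evaluate_spf(record, domain, sender_ip):
    """Evaluate a TXT record such as 'v=spf1 ip4:192.168.1.5 +a +mx -all'.
    Mechanisms are tested left to right; the qualifier of the first one that
    matches the sending address is the result, as a receiving server applies it.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                     # a bare mechanism means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":                 # single address or CIDR block
            matched = ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in a_records(arg or domain)
        elif mech == "mx":
            matched = str(ip) in mx_addresses(arg or domain)
        else:
            return "permerror"              # include/exists/ptr not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # nothing matched and no 'all' term
```

Because -all is only reached when no earlier mechanism matched, a record without an all term leaves unknown senders at neutral rather than rejecting them.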

Firmware Update BDCOM P3310

As a test I will update the firmware on a BDCOM P3310C; the firmware can be taken from here:
support.deps.ua (need registration)
ftp://ftp.romsat.ua/pub/Lan/BDCOM/
BD_3310C_10.1.0E_50633_en (I used this)

Below I will describe the procedure for updating the firmware.

Connect to the device via telnet or console cable and check the current firmware version by running the command:

show version

In my case it displayed:

BDCOM(tm) P3310C Software, Version 10.1.0E Build 37276

Switch to privileged mode and look at the contents of the device's file system:

enable
dir

Make a backup copy of the current firmware file on the TFTP server:

copy flash tftp 192.168.1.2

Source file name? Switch.bin
Destination file name? Switch_backup_37276.bin

Make a backup copy of the configuration file on the TFTP server:

copy startup-config tftp://bdcom_backup.cfg 192.168.1.2

Setting up a TFTP server is described in my other articles:
Installing and Configuring a TFTP Server in Ubuntu
Starting a TFTP server in Windows

Rename the new firmware file (the .bin you downloaded earlier) to Switch.bin and place it on the TFTP server.

Delete the active firmware file on the device, since there is not enough space to download a second one:

delete Switch.bin

Now upload the new firmware to the device:

copy tftp flash 192.168.1.2

Source file name? BD_3310C_10.1.0E_50633_en.bin
Destination file name? Switch.bin

Reboot the device so that it boots the new version:

reboot

Done, the firmware upgrade is complete.

The following MAC addresses are reserved in new firmware versions and cannot be used:

X2:XX:XX:XX:XX:XX Local Administered
X6:XX:XX:XX:XX:XX Local Administered
XA:XX:XX:XX:XX:XX Local Administered
XE:XX:XX:XX:XX:XX Local Administered

To allow them to be used, execute the command:

epon local-mac forward

Also, after the firmware update the syntax of some commands may change.
I updated remotely via telnet; the configuration was preserved, and some outdated commands in it, for example those starting with sntp, were automatically changed to ntp.

Change the default value in MySQL columns

Here is an example of setting or changing the default value of a MySQL column.
First, list the tables in the database:

SHOW TABLES;

Let’s see the structure of the table we are interested in:

DESCRIBE internet_main;

Suppose the activate column has type date with the default value 0000-00-00 and we want to make it 3000-01-01; then execute the SQL query:

ALTER TABLE internet_main ALTER activate SET DEFAULT '3000-01-01';

You can also delete the default value:

ALTER TABLE internet_main ALTER activate DROP DEFAULT;

Or return it as it was:

ALTER TABLE internet_main ALTER activate SET DEFAULT '0000-00-00';

In strict mode MySQL cannot set the value 0000-00-00, so you can temporarily disable strict mode (this SET affects only the current session):

SET sql_mode = '';

How to enable or disable Proxy ARP on Linux

Look at the status of Proxy ARP (1 – enabled, 0 – disabled):

cat /proc/sys/net/ipv4/conf/all/proxy_arp

You can look at a specific network interface (where eth0 is the name of the network interface):

cat /proc/sys/net/ipv4/conf/eth0/proxy_arp

You can enable Proxy ARP as follows:

sudo su
echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

Or so:

sudo sysctl net.ipv4.conf.all.proxy_arp=1
sudo sysctl net.ipv4.conf.eth0.proxy_arp=1
sudo sysctl -p

To turn Proxy ARP off, the commands are the same; just specify 0 instead of 1.

The above changes are reset after a system restart; to make them persistent, open the file /etc/sysctl.conf in any text editor:

sudo nano /etc/sysctl.conf

And specify:

net.ipv4.conf.all.proxy_arp=1
net.ipv4.conf.eth0.proxy_arp=1

If necessary, you can see the incoming ARP packets via tcpdump:

sudo tcpdump -n -i eth0 -e arp

Install and configure accel-ppp (IPoE) for ABillS

As a test, I'll run accel-ppp on Ubuntu Server 16.04 LTS for ABillS.

If necessary, create VLAN interfaces as described here – Adding vlan to Ubuntu for ABillS

Switch to the root user:

sudo su

Install the necessary components:

apt-get update
cd /usr/src
apt-get install make cmake libcrypto++-dev libssl-dev libpcre3 libpcre3-dev git lua5.1 liblua5.1-0-dev
apt-get install linux-headers-`uname -r`

Check the latest accel-ppp version and download it from https://sourceforge.net/projects/accel-ppp/files/
If accel-ppp will not serve a large number of clients, you can download fresh source code from git instead, but it may contain bugs.

Unpack the downloaded archive:

tar -xvf accel-ppp-1.11.2.tar.bz2

Build and install accel-ppp (VLAN_MON_DRIVER can be omitted if the server does not use VLANs):

mkdir accel-ppp-build
cd accel-ppp-build
cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DKDIR=/usr/src/linux-headers-`uname -r` -DRADIUS=TRUE -DSHAPER=TRUE -DLOG_PGSQL=FALSE -DLUA=TRUE -DBUILD_IPOE_DRIVER=TRUE -DBUILD_VLAN_MON_DRIVER=TRUE ../accel-ppp-1.11.2
make
make install

Load the module and check that it is present:

insmod /usr/src/accel-ppp-build/drivers/ipoe/driver/ipoe.ko
lsmod | grep ipoe

Let's proceed to manual configuration.
Create an autorun (init) script:

nano /etc/init.d/accel-ppp

Add the following content to it:

#!/bin/sh
# /etc/init.d/accel-ppp: set up the accel-ppp server
### BEGIN INIT INFO
# Provides:          accel-ppp
# Required-Start:    $networking
# Required-Stop:     $networking
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO

set -e

PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/sbin
ACCEL_PPTPD=$(which accel-pppd)
PIDFILE=/var/run/accel-pppd.pid
IPOE_KO=/usr/src/accel-ppp-build/drivers/ipoe/driver/ipoe.ko
. /lib/lsb/init-functions

if test -f /etc/default/accel-ppp; then
    . /etc/default/accel-ppp
fi

# Fall back to the default config path when /etc/default/accel-ppp sets nothing
if [ -z "$ACCEL_PPTPD_OPTS" ]; then
    ACCEL_PPTPD_OPTS="-c /etc/accel-ppp.conf"
fi

# Load the IPoE kernel module if it is not loaded yet
load_ipoe() {
    if ! lsmod | grep -q '^ipoe '; then
        insmod "$IPOE_KO"
    fi
}

do_start() {
    if start-stop-daemon --start --quiet --oknodo --exec "$ACCEL_PPTPD" -- -d -p "$PIDFILE" $ACCEL_PPTPD_OPTS; then
        log_end_msg 0
    else
        log_end_msg 1
    fi
}

do_stop() {
    start-stop-daemon --stop --quiet --oknodo --retry 180 --pidfile "$PIDFILE"
}

case "$1" in
  start)
        log_daemon_msg "Starting accel-ppp server" "accel-pppd"
        load_ipoe
        do_start
  ;;
  restart)
        log_daemon_msg "Restarting accel-ppp server" "accel-pppd"
        load_ipoe
        do_stop
        do_start
  ;;
  stop)
        log_daemon_msg "Stopping accel-ppp server" "accel-pppd"
        do_stop
        log_end_msg 0
  ;;
  status)
        # status_of_proc is provided by /lib/lsb/init-functions
        status_of_proc -p "$PIDFILE" "$ACCEL_PPTPD" accel-pppd && exit 0 || exit $?
  ;;
  *)
        log_success_msg "Usage: /etc/init.d/accel-ppp {start|stop|status|restart}"
        exit 1
  ;;
esac

exit 0

Let’s make it executable and add an autorun:

chmod +x /etc/init.d/accel-ppp
update-rc.d accel-ppp defaults

Create the lua file:

nano /etc/accel-ppp.lua

Add to it:

-- Use the client's MAC address (chaddr from the DHCP header) as the RADIUS username
function username(pkt)
    return pkt:hdr('chaddr')
end

Create log rotation file:

nano /etc/logrotate.d/accel-ppp

Add to it:

/var/log/accel-ppp/*.log {
      rotate 7
      daily
      size=100M
      compress
      missingok
      sharedscripts
      postrotate
              test -r /var/run/accel-pppd.pid && kill -HUP `cat /var/run/accel-pppd.pid`
      endscript
}

Open the dictionaries in the editor:

nano /usr/local/share/accel-ppp/radius/dictionary
nano /usr/local/freeradius/etc/raddb/dictionary

Add at the end:

ATTRIBUTE DHCP-Router-IP-Address 241 ipaddr
ATTRIBUTE DHCP-Mask              242 integer
ATTRIBUTE L4-Redirect      243 integer
ATTRIBUTE L4-Redirect-ipset      244 string
ATTRIBUTE DHCP-Option82          245 octets

# Limit session traffic
ATTRIBUTE Session-Octets-Limit 227 integer
# What to assume as limit - 0 in+out, 1 in, 2 out, 3 max(in,out)
ATTRIBUTE Octets-Direction 228 integer
# Connection Speed Limit
ATTRIBUTE PPPD-Upstream-Speed-Limit 230 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit 231 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-1 232 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-1 233 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-2 234 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-2 235 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-3 236 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-3 237 integer
ATTRIBUTE Acct-Interim-Interval 85 integer
ATTRIBUTE Acct-Input-Gigawords    52      integer
ATTRIBUTE Acct-Output-Gigawords   53      integer

Open the configuration file accel-ppp:

nano /etc/accel-ppp.conf

And add the following content (adjust it to your needs: change the network interface names, the NAS IP and the RADIUS secret; for each pool served in the ipoe section the gateway and mask are set, for example gw-ip-address=10.0.0.1/24, but if attr-dhcp-router-ip and attr-dhcp-mask are received from RADIUS, they take priority):

#ABillS
[modules]
log_file
radius
ipoe
ippool
shaper
sigchld
#pppd_compat

[core]
log-error=/var/log/accel-ppp/core.log
thread-count=2

[radius]
dictionary=/usr/local/share/accel-ppp/radius/dictionary
#nas-identifier=accel-ipoe
nas-ip-address=192.168.1.1
server=127.0.0.1,radsecret,auth-port=1812,acct-port=1813,req-limit=50,fail-timeout=0,max-fail=10,weight=1
dae-server=192.168.1.1:3799,radsecret
verbose=1
attr-tunnel-type=NAS-Identifier
gw-ip-address=192.168.1.1

[ipoe]
verbose=1
username=lua:username
lua-file=/etc/accel-ppp.lua
lease-time=600
max-lease-time=660
renew-time=300
attr-dhcp-client-ip=Framed-IP-Address
attr-dhcp-router-ip=DHCP-Router-IP-Address
attr-dhcp-mask=Framed-IP-Netmask
gw-ip-address=10.0.0.1/24
proxy-arp=1
shared=1
ifcfg=1
mode=L2
start=dhcpv4
interface=eth0
#agent-remote-id=accel-ppp
attr-dhcp-opt82=DHCP-Option82

#[ip-pool]
#gw-ip-address=192.168.0.1/24
#attr=Framed-Pool
#192.168.0.2-254,name=pool1

[client-ip-range]
#10.0.0.0/8

[dns]
dns1=8.8.8.8
dns2=8.8.4.4

[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
log-fail-file=/var/log/accel-ppp/auth-fail.log
copy=1
color=1
#per-user-dir=per_user
#per-session-dir=per_session
#per-session=1
level=5

[shaper]
attr=Filter-Id
#down-burst-factor=0.1
#up-burst-factor=1.0
#latency=50
#mpu=0
#mtu=0
#r2q=10
quantum=1500
#moderate-quantum=1
#high speed shaper
ifb=ifb0
cburst=1534
#up-limiter=htb
down-limiter=htb
#low speed shaper
up-limiter=police
#down-limiter=tbf
#leaf-qdisc=sfq perturb 10
#leaf-qdisc=fq_codel [limit PACKETS] [flows NUMBER] [target TIME] [interval TIME] [quantum BYTES] [[no]ecn]
#rate-multiplier=1
#fwmark=1
attr-down=PPPD-Downstream-Speed-Limit
attr-up=PPPD-Upstream-Speed-Limit
verbose=10

[pppd-compat]
#ip-up=/etc/ppp/ip-up
#ip-down=/etc/ppp/ip-down
#radattr-prefix=/var/run/radattr
verbose=1

[cli]
verbose=100
telnet=127.0.0.1:2000
tcp=127.0.0.1:2001
password=radsecret

[snmp]
master=0
agent-name=accel-ppp

[connlimit]
limit=10/min
burst=3
timeout=60

Run accel-ppp:

sudo /etc/init.d/accel-ppp restart

You can also use the quick setup script:

cd /usr/abills/misc/
./autoconf PROGRAMS=accel_ppp

Check whether accel-ppp is running:

/etc/init.d/accel-ppp status
netstat -tulpn | grep accel-ppp
netstat -tulpn | grep :67

It remains to add an access server in ABillS ("Settings" – "Access Server").
For example:

IP: 127.0.0.1
Name (a-zA-Z0-9_): NAME
Type: accel-ipoe Linux accel-ipoe
Alive (sec.): 600
Control
IP: 127.0.0.1
SSH: 2001
POD/COA: 3799
User: admin
Password (PoD,RADIUS Secret,SNMP): secretpass (also specified in /etc/accel-ppp.conf)

If you need additional actions at session start and end, uncomment pppd_compat in the configuration and write the scripts:

sudo nano /etc/ppp/ip-up
sudo nano /etc/ppp/ip-down

If you need the functions of the script shaper_start.sh, then make the file executable and add it to the autorun:

chmod +x /etc/init.d/shaper_start.sh
update-rc.d shaper_start.sh defaults
/etc/init.d/shaper_start.sh status
/etc/init.d/shaper_start.sh start

And write the parameters into the /etc/rc.conf file, for example:

abills_shaper_enable="YES"
#abills_ipn_if="ens2f1"
abills_shaper_if="ens2f1"
abills_nat_enable="172.16.11.11:192.168.2.0/24"
abills_nas_id="1"
abills_ipn_nas_id="1"
...

See also my articles:
Ip-up and ip-down scripts with ipset for Accel-ppp
How to enable or disable Proxy ARP on Linux
Accel-ppp installation

How to run MySQL server on specific IP

The most suitable solution I found for running a MySQL server on specific IP addresses is to run it on all of them and then filter the connecting clients with iptables.

For the test I used Ubuntu Server 16.04.5 LTS, which had more than 200 external (public) IPs and was highly loaded.

MySQL server was installed like this:

sudo apt-get install mysql-server mysql-client
mysql -V
mysql  Ver 14.14 Distrib 5.7.23, for Linux (x86_64) using  EditLine wrapper

The MySQL server needed to be reachable from localhost and from several addresses on the Internet.
So I started the MySQL server on all IPs by commenting out "bind-address" in the configuration:

sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
#bind-address = 127.0.0.1
#skip-networking
sudo service mysql restart

Create users for the hosts from which connections will be made; see my article for details – How to create a MySQL user and configure access rights

Then with iptables I allowed connections to port 3306 only from the necessary IPs:

/sbin/iptables -A INPUT -s 127.0.0.1 -p tcp --destination-port 3306 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.5 -p tcp --destination-port 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

The DROP rule must remain the last one, because rules are matched in order; if you later need to add another IP, delete the DROP rule, append the new ACCEPT, and then append the DROP again:

/sbin/iptables -D INPUT -p tcp --dport 3306 -j DROP
/sbin/iptables -A INPUT -s 192.168.5.33 -p tcp --destination-port 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

By the way, when I tried to specify several addresses in bind-address during the test, MySQL started only on the last one:

bind-address = 192.168.1.11
bind-address = 127.0.0.1

Alternatively, another idea: run MySQL only on 127.0.0.1 (bind-address = 127.0.0.1) and redirect an external IP to it with iptables; access can still be restricted with the rules above:

sudo sysctl -w net.ipv4.conf.all.route_localnet=1
sudo iptables -t nat -A PREROUTING -i enp0s3 -p tcp -d 192.168.1.11 --dport 3306 -j DNAT --to-destination 127.0.0.1:3306

See also my articles:
IPTables rules for MySQL
Installing and configuring a MySQL server on Ubuntu

Enable or disable Hibernate mode in Windows

I will use Windows 10 as an example; on other versions it is essentially the same.
First, open the command prompt (cmd) as administrator and see which sleep states are currently supported and whether Hibernate is among them:

powercfg -a

If supported, then to enable it, execute the command:

powercfg /h on

You can turn off Hibernation mode as follows:

powercfg /h off

To add the Hibernate option to the Start menu, open Control Panel\Hardware and Sound\Power Options, on the left select "Choose what the power buttons do", in the "System Settings" window that opens click "Change parameters that are not available now", tick "Hibernate" and click "Save Changes".

Done.

The Power Options window can also be opened with the command:

powercfg.cpl

By the way, you can also generate an energy efficiency diagnostic report:

powercfg -energy -duration 60 -output D:\energy-report.html

See also my articles:
How to schedule shutdown Windows
Turning test mode on and off in Windows 7