Terminus's FAQ - Routerboard RBxxxAH

  • How can I archive Backups automatically on RouterOS ?
  • What is the maximum transfer speed on an RB153 Board ?
  • What does a RB153 look like ?
  • Blacklist IP through phpAPI and terminate active connections

Answers

Question: How can I archive Backups automatically on RouterOS ?

Actually - you can't. Well - it doesn't really make sense to keep the backup archives on the RouterBoard hardware. If it breaks - we want to be able to restore the backups - right? So - what we need is an external system we dump the backups onto - and which takes care of archiving them.

First of all - we need to create a scheduler entry on RouterOS:

/system scheduler
add comment="Scheduler backup dump" disabled=no interval=1d name="Backup" \
    on-event="/system backup save name=daily_backup run" \
    start-time=01:01:00

This will take care of the automatic configuration backup. Next - as we don't want everyone to access the routerboard to download the backup-file - we need to add a backup group and user, and set appropriate access rights.

/user group
add name="ftp" \
    policy=ftp,!local,!telnet,!ssh,!reboot,!read,!write,!policy,!test,!winbox,!password,!web,!sniff
/user
add address=10.X.X.X/32 comment="Backup User - to gain backups of the router config" \
    disabled=no group=ftp name="backup"

Add a password for the user backup. You'll need it later on.
Make sure that the address 10.X.X.X/32 is the IP address of your Linux backup server, so that the user backup can access the routerboard through FTP only from that IP address.

On the server - you need curl installed. For this - e.g. on an Ubuntu system - issue:

~# sudo aptitude install curl
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Building tag database... Done
The following NEW packages will be automatically installed:
  libcurl3
The following NEW packages will be installed:
  curl libcurl3
0 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 357kB of archives. After unpacking 680kB will be used.
Do you want to continue? [Y/n/?] Y
Writing extended state information... Done
Get:1 http://de.archive.ubuntu.com gutsy/main libcurl3 7.16.4-2ubuntu1 [182kB]
Get:2 http://de.archive.ubuntu.com gutsy/main curl 7.16.4-2ubuntu1 [175kB]
Fetched 357kB in 0s (541kB/s)
Selecting previously deselected package libcurl3.
(Reading database ... 141553 files and directories currently installed.)
Unpacking libcurl3 (from .../libcurl3_7.16.4-2ubuntu1_i386.deb) ...
Selecting previously deselected package curl.
Unpacking curl (from .../curl_7.16.4-2ubuntu1_i386.deb) ...
Setting up libcurl3 (7.16.4-2ubuntu1) ...

Setting up curl (7.16.4-2ubuntu1) ...
Processing triggers for libc6 ...
ldconfig deferred processing now taking place
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done
Building tag database... Done

However - as it is insecure to provide scripts with passwords that can be seen inside the script or the process table - we'll use the .netrc file the curl program looks in for passwords. Create a file named .netrc in the home directory of the user who is going to perform the backups.

machine 10.X.X.X login backup password XXXXXXXX

Save the file - and make sure the mode is changed to 600 - e.g.:

~# chmod 600 .netrc
~$ ls -l .netrc 
-rw------- 1 backup backup 48 2008-03-14 16:32 .netrc

You should now be ready for a first test. As we'll be using curl - let's do it with curl.

~$ curl -n ftp://backup@10.X.X.X/daily_backup.backup -o backup.config
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  293k  100  293k    0     0  1013k      0 --:--:-- --:--:-- --:--:-- 1503k

Ok - the curl call works. All we need to do now is to write a script and add it to the crontab of the local user. For the script - you can use backuper.sh. This script has the advantage that it has some checks included - and complains in case something is not working right. So - copy that file to /usr/local/bin on your Linux server, and add the following to the user's crontab:

20 0 * * * /usr/local/bin/backuper.sh

This will execute the script every day, 20 minutes after midnight, and add the date in reverse order to the name - e.g. 20080317_RB153.backup for March 17th.

Now - it is quite useless not to include these files in your regular backups as well. But this would be out of the scope of this FAQ entry. Check the Stargate's Backup section for one possibility of handling these.

Entered by smurphy on Monday, 17 March 2008 @ 09:39:58  
Linux on Routerboards - Routerboard RBxxxAH, # Hits: 99807
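
A fetch script for the steps above, as an added example that is not the backuper.sh offered on this page: it refuses to run unless ~/.netrc is private, lets curl read the password from it, and only keeps a download that completed. ROUTER, DEST, BOARD and the function names are assumptions.

```shell
#!/bin/sh
# Added example - not the backuper.sh mentioned on this page.
# ROUTER, DEST, BOARD and the function names are assumptions.
ROUTER="${ROUTER:-10.X.X.X}"                  # placeholder address, as above
DEST="${DEST:-/var/backups/routerboard}"
BOARD="${BOARD:-RB153}"

# True only if the file exists and is accessible by its owner alone.
netrc_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1     # GNU stat, as on Ubuntu
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Date in reverse order plus board name, e.g. 20080317_RB153.backup
backup_name() {
    printf '%s_%s.backup\n' "$(date +%Y%m%d)" "$1"
}

fetch_backup() {
    if ! netrc_is_private "$HOME/.netrc"; then
        echo "refusing to run: ~/.netrc missing or not mode 600" >&2
        return 2
    fi
    mkdir -p "$DEST" || return 3
    # mktemp creates the file with mode 600; the archive holds the router
    # configuration and keeps that mode after the rename.
    tmp=$(mktemp "$DEST/.fetch.XXXXXX") || return 3
    # -n takes the password from ~/.netrc, so it never shows up in the
    # script or in the process table. Download to a temp file first so a
    # failed or empty transfer never replaces a good archive.
    if curl -n -sS --max-time 120 -o "$tmp" \
            "ftp://backup@$ROUTER/daily_backup.backup" && [ -s "$tmp" ]; then
        mv "$tmp" "$DEST/$(backup_name "$BOARD")"
    else
        rm -f "$tmp"
        echo "backup download from $ROUTER failed" >&2
        return 1
    fi
}

# Run only when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    fetch_backup
fi
```

FTP carries the password and the backup file unencrypted, so the path between the backup server and the router should be a trusted management network.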

Question: What is the maximum transfer speed on an RB153 Board ?

 
Testing showed that the maximum interface speed, when not using the built-in bridge chip, is around 10.4Mbps (megabits per second). This makes roughly 1.3MiBytes/s. The limitation is due to the CPU, which runs at 175MHz. At that transfer speed CPU utilization hits 100% - and while the CPU is at this level, not much else can be done fluently.
The graphs on the right show this very nicely. On top - WLan, after that the Ether3 interface - towards the server the 4GB download was done from - and on the bottom the CPU load in % during the file transfer. You can see very nicely that the CPU barely leaves the 100% mark.

I have noticed that through PPPoE (bridge to the ether1 device) 13.4MBits/s have been transferred. So - it seems the PCI bus also costs the RB153 board some resources.

Entered by smurphy on Friday, 14 March 2008 @ 17:17:53  
Configuration - Routerboard RBxxxAH, # Hits: 98971

Attach   WLan small  [ 11,487 bytes - image/png ]
Attach   Load small  [ 11,208 bytes - image/png ]
Attach   Ether3 small  [ 10,803 bytes - image/png ]

Question: What does a RB153 look like ?

 Check out the specs of the RouterBoard RB153.

It's actually a very neat little piece of hardware. Small, efficient, low-power. Only drawback is that the CPU is not able to power the full bandwidth the interfaces provide - thus if you really need 54MBit bandwidth - you should go over to the RB53x Series - which have the same CPU at 400MHz, able to handle the bandwidth.

  • CPU: MIPS32 4Kc, 175MHz embedded
  • Memory: 32MB SDRAM
  • Storage: 64MB onboard NAND memory chip
  • 5 x 10/100 Mbit/s fast ethernet ports with auto MDI/X
  • 3 x MiniPCI Type IIIA/IIIB slots
  • 1x 2.4/5GHz 802.11a+b+g High Power Wireless Mini-PCI Card (R52H)
  • Onboard speaker
  • Serial: One DB9 RS232C asynchronous serial port
  • LEDs: Power, 3 LED pairs for MiniPCI slots, 1 user LED
  • Power options: 11..60V power jack or IEEE802.3af power over ethernet (12V / 48V DC not for use with power over datalines)
  • Power out: One 3V DC power output header, max. power output 500mA
  • Power consumption: 3-4W without any addon cards. Max. 13W
  • Dimensions: 160mm x 160mm (6.3in x 6.3in)
  • Weight: 183g (6.5oz)
  • Operating temperature: -20°C to +70°C (-4°F to 158°F)
  • Humidity: 70% relative humidity (non-condensing)
  • OS Support: RouterOS, GNU/Linux

You can have a look at the internals of mine.

Entered by smurphy on Friday, 14 March 2008 @ 17:23:47  
Configuration - Routerboard RBxxxAH, # Hits: 98826

Attach   RB153 board  [ 23,906 bytes - image/jpeg ]

Question: Blacklist IP through phpAPI and terminate active connections

Having a self-defending (passive) web-site, I noticed that executing a script to actually close a firewall takes too long if the attack on the website is executed through parallel requests.
Even though one can limit the web server and the firewall to allow only a certain number of communication channels in, it is not enough - as firewalls tend to let already opened sessions pass. This part will require the firewall to actively terminate open connections from the offending IP address.
This is exactly what the attached script does. It uses the RouterOS phpAPI to connect to the firewall and directly lock (during the request) the remote IP out and at the same time terminate all open connections that may be coming from that IP.
This script is just an example of how to do it. Everyone can adapt it for himself.

Note: The attached script is just a prototype. On my site it has been integrated into a function and is called on demand.

Results are as follows [IP does not exist in blacklist yet]:

 > Entered IP 10.10.10.246 into blacklist 
   - Removed active connection *8D41 [10.10.10.246:62000 -> 172.168.0.2:80] 
   - Removed active connection *8D4D [10.10.10.246:62001 -> 172.168.0.2:80] 
   - Removed active connection *8D55 [10.10.10.246:3000 -> 172.168.0.2:53] 
   - Removed active connection *8D59 [10.10.10.246:61997 -> 172.168.0.2:80] 
   - Removed active connection *8D5B [10.10.10.246:61999 -> 172.168.0.2:80] 
   - Removed active connection *8D62 [10.10.10.246:61996 -> 172.168.0.2:80] 
   - Removed active connection *8D75 [10.10.10.246:61998 -> 172.168.0.2:80] 


Results are as follows [IP does exist in blacklist]:

 !!! failure: already have such entry in firewall [IP 10.10.10.246]
   - Removed active connection *8C7A [10.10.10.246:61921 -> 172.168.0.2:80] 
   - Removed active connection *8C7B [10.10.10.246:61920 -> 172.168.0.2:80] 
   - Removed active connection *8C7C [10.10.10.246:61919 -> 172.168.0.2:80] 
   - Removed active connection *8C7D [10.10.10.246:61918 -> 172.168.0.2:80] 
   - Removed active connection *8C7E [10.10.10.246:61923 -> 172.168.0.2:80] 
   - Removed active connection *8C7F [10.10.10.246:61922 -> 172.168.0.2:80]

 

Entered by admin on Friday, 22 April 2016 @ 15:47:34  
Linux on Routerboards - Routerboard RBxxxAH, # Hits: 31785

Attach   blacklist_terminate.php  [ 3,487 bytes - application/octet-stream ]
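
The same two steps (blacklist the address, then drop its tracked connections) as an added example, not the attached script: it drives the RouterOS CLI over SSH rather than the phpAPI, validates the address before it reaches the router, and never blocks an exempt host. The list name "blacklist", the exempt addresses, the SSH user and ROUTER are assumptions.

```shell
#!/bin/sh
# Added example - not the attached blacklist_terminate.php. It uses the
# RouterOS CLI over SSH instead of the phpAPI.
# Assumptions: list name, exempt addresses, SSH user and ROUTER value.
LIST="blacklist"
EXEMPT="10.10.10.1 172.168.0.2"      # constructed: hosts that must never be blocked
ROUTER="${ROUTER:-10.X.X.X}"         # placeholder

# Accept nothing but a dotted-quad IPv4 address with octets 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Print the RouterOS commands for one offender, one per line.
block_cmds() {
    valid_ipv4 "$1" || { echo "rejected: not an IPv4 address" >&2; return 1; }
    for e in $EXEMPT; do
        [ "$1" = "$e" ] && { echo "rejected: $1 is exempt" >&2; return 2; }
    done
    printf '/ip firewall address-list add list=%s address=%s\n' "$LIST" "$1"
    # "^" and the trailing ":" anchor the match on "ip:port", so blocking
    # 10.10.10.24 does not also cut connections from 10.10.10.246.
    printf '/ip firewall connection remove [find src-address~"^%s:"]\n' "$1"
}

# One SSH call per command: when the add fails because the entry already
# exists, the open connections are still removed (second result above).
apply_block() {
    cmds=$(block_cmds "$1") || return $?
    printf '%s\n' "$cmds" | while IFS= read -r c; do
        ssh -n "admin@$ROUTER" "$c" || echo "router refused: $c" >&2
    done
}
```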
 
© J. Mertin smurphy(-AT-)solsys(-DOT-)org 