Il y a quelques jours, j'ai eu une coupure d'Internet d'environ 5h... De quoi râler auprès de son opérateur ! Perturbation générale de tous les clients. Il vaut mieux que soit ainsi plutôt qu'un incident isolé, potentiellement long à résoudre. Une fois Internet reconnecté, quel plaisir de voir dans l'interface de la box une adresse IPv6 ! Après quelques soucis de configuration réseau, tous les services sont désormais joignables via cet adressage !

Qu'est-ce qu'IPv6 ?

C'est une bonne question, car en général on veut simplement que notre connexion internet fonctionne sans avoir à tripatouiller les tréfonds de la configuration réseau. IPv6 est le "successeur" d'IPv4. Il a été spécifié en 1998 et normalisé en 2017. L'objectif est de dépasser les limitations actuelles des fameuses adresses "IP" (Internet Protocol). Cette adresse est attribuée de façon statique (toujours la même) ou dynamique aux appareils qui se connectent à un réseau ethernet (dont Internet). Elle permet le routage du trafic réseau. Au quotidien, nous ne manipulons pas directement ces adresses, mais plutôt des identifiants textuels (l'adresse d'un site web) pour naviguer. Ces identifiants sont traduits automatiquement en adresses IP par les serveurs DNS (Domain Name Server). La gestion mondiale des adresses est confiée à la société américaine (à but non lucratif) IANA qui dépend de l'ICANN (américaine également). Elle est chargée d'attribuer des blocs d'adresses IP à différents registres régionaux (1 par continent), qui attribuent eux même des sous-ensembles aux registres locaux (la plupart du temps des opérateurs télécom), attribuant individuellement (à leurs clients) une ou plusieurs adresses.

Les adresses IPv4 sont constituées de 4 octets (32 bits), chaque octet ayant une valeur comprise entre 0 et 255 (exemple : 205.196.32.55). Le nombre d'adresses total est donc de ~4 milliards. Cela peut paraître énorme, mais aujourd'hui où tout le monde a un ou plusieurs appareils connectés en même temps, on arrive vite à saturation. Surtout qu'il faut également compter les adresses nécessaires pour les serveurs (web) et les objets connectés. Les adresses IPv6 sont elles composées de 8 octets (128 bits), amenant ainsi le nombre total à plus de 340 sextillions (ou 34 * 10^37). Elles ont une notation différente, utilisant l'hexadécimal en séparant les blocs de deux octets par ":" (exemple : 2003:e8:2705:ac00:15a5:4e85:fe11:47a3). Pour améliorer la lisibilité, on utilise une forme compressée où les 0 en tête sont supprimés (au niveau du second bloc e8 par exemple). On peut également fusionner tous les blocs avec des 0 consécutifs, comme sur cet exemple : 2a02:4780:12::28 qui correspond en réalité à 2a02:4780:0012:000:0000:0000:0000:0028. Malgré cette version condensée, elles restent pourtant beaucoup moins lisibles.

Alors pourquoi ne pas avoir basculé plus tôt ? Le matériel est compatible depuis de nombreuses années, néanmoins IPv6 n'est pas qu'une simple augmentation de la taille des adresses. La norme apporte également des fonctionnalités complexes à implémenter (cf la coupure réseau !). D'autant plus qu'il faut faire cohabiter les deux piles réseau sur un même système durant la phase de transition. Mais, face à la pénurie mondiale d'IPv4 et la pression des institutions, les opérateurs n'ont d'autres choix que de migrer (progressivement). D'après mes premières statistiques (1/2 mois), il y a environ 20% de connexions utilisant IPv6.

IPv6 sur une box Bouygues Telecom (sagem F@st5330b)

Par défaut, le trafic IPv6 entrant est bloqué par le routeur et ce, même si le pare-feu est désactivé. C'est une bonne mesure de protection, mais qui pourra poser problème quand on souhaite exposer des services sur le web. Voici la procédure complète pour ouvrir les ports pour un serveur GNU/Linux (on pourra également passer en politique "faible" pour tout exposer sur toutes les machines, mais cela reste dangereux) :

1. Désactiver la délégation de préfixe sur la box

2. Activer le DHCPv6 sur son interface réseau (ici eth0), il faut ajouter une ligne au fichier /etc/network/interfaces :

   iface eth0 inet6 dhcp

3. Redémarrer le serveur ou uniquement la partie réseau

   sudo service networking restart

4. Attribuer une IP statique au serveur (n'est actuellement pas pris en compte)

5. Récupérer la nouvelle adresse

   sudo dhclient -6 eth0

6. Vérifier que l'IPv6 du serveur correspond à celle de la configuration de la box

   sudo ip a

7. Ajouter des règles de pare-feu pour tous les services à exposer (utiliser la fonctionnalité "dupliquer" pour aller plus vite)

8. Configurer le serveur DNS en ajoutant une règle AAAA
9. (Optionnel) Tester les règles via ce site

Mise à jour automatique du DNS Gandi

C'est un script que j'utilise depuis 5 ans. Le voici mis à jour pour supporter IPv6. Il est disponible ici

#!/usr/bin/env python3
#-*- encoding: utf-8 -*-
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import requests
import json
import re
import socket

# Config
domain="soutade.fr"
API_KEY = "YOUR-KEY"
livedns_api = "https://dns.api.gandi.net/api/v5/"
dyndns_url = 'http://checkip.dyndns.com/'
headers = {
    'X-Api-Key': API_KEY,
}

A_RECORD_NAME="@" # Record of A type

def get_ipv6():
    s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    # DNS Google
    s.connect(('2001:4860:4860::8888', 1))
    return s.getsockname()[0]

def get_ipv4():
    response = requests.get(dyndns_url)
    if response.ok:
        pattern = re.compile('[^:]*(\d+\.\d+\.\d+\.\d+)')
        result = pattern.search(response.text, 0)
        if result == None:
            print("No IP found")
            exit(1) 
        else:
            return result.group(0).strip()
    # Bad gateway
    elif response.status_code in (502,504):
        exit(0)
    else:
        print("Connexion error")
        response.raise_for_status()
        exit(1)

def update_gandi_record(domain_records_href, target, current_ip):
    # Get recorded IP
    response = requests.get(f'{domain_records_href}/{A_RECORD_NAME}/{target}', headers=headers)

    if (response.ok):
        record = response.json()
    else:
        print("Failed to look for recorded IP")
        if response.status_code != 502: # Bad gateway
            response.raise_for_status()
        exit(1)

    print('Old IP : %s' % (record['rrset_values'][0]))

    if current_ip != record['rrset_values'][0]:
        record['rrset_values'][0] = current_ip

        # PUT new IP
        response = requests.put(f'{domain_records_href}/{A_RECORD_NAME}/{target}',
                                headers=headers, json=record)

        if (response.ok):
            print("IP updated")
        else:
            print("something went wrong")
            if response.status_code != 502: # Bad gateway
                response.raise_for_status()
            exit(1)

        return 34 # IP updated return !!
    return 0


# Get current IP
current_ip = get_ipv4()
print(f'Your Current IP is {current_ip}')

# Retrieve domains address
response = requests.get(livedns_api + "domains", headers=headers)
if (response.ok):
    domains = response.json()
else:
    if response.status_code != 502: # Bad gateway
        response.raise_for_status()
    exit(1)

domain_index = next((index for (index, d) in enumerate(domains) if d["fqdn"] == domain), None)

if domain_index == None:
    # domain not found
    print("The requested domain {domain} was not found in this gandi account")
    exit(1)

domain_records_href = domains[domain_index]["domain_records_href"]
ret = update_gandi_record(domain_records_href, 'A', current_ip)

current_ip = get_ipv6()
print(f'Your Current IP is {current_ip}')
domain_records_href = domains[domain_index]["domain_records_href"]
ret |= update_gandi_record(domain_records_href, 'AAAA', current_ip)

exit(ret)

Almost 3 years since the last news about IWLA. It does not really reflect the continuous development & maintenance of this wonderful tool. But don't worry, version 0.6 is now out ! The main change is the complete move from Python 2 to Python 3, but we may also mention :

• Users requests are no more saved (except if keep_requests is set) which allow to save a LOT of space
• A favicon is available
• Fresh synchronization with AWSTATS data
• Users need to do at least one hit per viewed page to not be marked as a robot
• Feed detector has been enhanced
• Track users plugin has been replaced by filter users which allows to define complex filters
• Users can be enlighted in all visits page
• IP can be anonymized (for public statistics)

The full ChangeLog is available here

While working on it, I realized how we can easily extend it. It's a real pleasure comparing to so big one PERL file code of AWSTATS, plus having it modular allows to implement our own rules which makes statistics really more precise. The only issue compared to AWSTATS is that IWLA is only focused on web statistics, but it has been design for it, not for everything related to log parsing !

New : A demo instance (for indefero.soutade.fr) is available here

I also decided to give up the old style branching model with master and dev. Using git and its lightweight branches, it's better to have a model with tags for stable releases and features branch for development. Code is not often updated and it makes no sense to have a master branch updated every 3 years with only one merge commit while dev is living.

I recently had look on concurrence, especially with Matomo and I was really afraid to see how users are tracked ! Everything is managed from pages viewed to cursor moves, user system information retrieval, time spent... All of this generate extra traffic and requires to execute Javascript code to obtain a lot of information about users's environment. But it's not the worst tool as it doesn't use commercial tracking (like Google Analytics) and keep data on webmaster's server and it's certified RGPD compliant. Commercial trackers are really a nightmare for consumer's privacy. Using it, webmaster can obtain really good statistics, but everything is stored on (abroad) commercial servers to create your profile ! Your profile is then sold or used to display you personalized advertising. Unfortunately, almost all websites are using them. In opposite, IWLA requires no cookies, no Javascript, no awful banner. It only parse and analyze log requests from webserver and generate a static HTML report which is the only right way to do !

My Cubox server offers a lot of services and one I specially appreciate when I'm not at home is that it contains all my music I can access through HTTP(S) interface. This is really fine for Linux clients where mplayer is installed, but it's not the case for Windows : VLC refuse to play my music (which requires login/password) and Windows player doesn't support m3u playlists, so I have to play each track individually.

I started to look for streamer software and the biggest open source one is Icecast which implement SHOUTcast standard. Like for all my online services, software must be lightweight (I don't have a lot of RAM) ! Plus I don't have any sound card plugged and don't want to spare cpu bandwidth with decoding/encoding files. This is a reason why basic HTTP(S) transfert is good : files are trasfered as is. Even if it's not clearly indicated by the documentation, icecast coupled with ezstream has all the qualities I need ! I was really suprised to find how it was easy to setup !

Here is a tutorial for basic setup (with current Debian stable distribution) :

If ezstream is available in your repository

sudo apt-get install icecast2 ezstream

If not (for an ARM target)

sudo apt-get install icecast2 libshout3 libtagc0 libxml2
wget http://ftp.de.debian.org/debian/pool/main/e/ezstream/ezstream_1.0.1-1_armhf.deb
sudo dpkg -i ezstream_1.0.1-1_armhf.deb

Now, we have to configure icecast. You must edit /etc/icecast2/icecast.xml. Update (at least) :

• Admin name/address
• Server address
• Optional : server port

Some of these values has already been configured by installer. There is a lot of avaible options not needed for basic setting. After that, restart icecast :

sudo service icecast restart

Now, add a NAT rule to redirect external port (8000 by default) to your server. Then, copy an example of ezstream configuration :

cp /usr/share/doc/ezstream/examples/ezstream-minimal.xml .

and edit it (be careful, here end tag are crafted by my editor) :

<ezstream>

  <servers>
    <server>
      <hostname>127.0.0.1</hostname>
      <port>8000</port>
      <password>XXX</password>
    </server>
  </servers>

  <streams>
    <stream>
      <mountpoint>/stream.mp3</mountpoint>
      <format>MP3</format>
    </stream>
  </streams>

  <intakes>
    <intake>
      <filename>/media/MyTrack.mp3</filename>
      <stream_once>1</stream_once>
    </intake>
  </intakes>

</ezstream>

I choose to play track only once. If not set, it will be played indefinitely. Now, we can run ezstream :

ezstream -c ezstream-minimal.xml

On Windows, we can use VLC to read this stream by opening :

http://icecast.soutade.fr:8000/stream.mp3

This is a basic setup, but we can do a lot of more complex things by autogenerating config file and auto start ezsteram from a web frontend for example.

This article you're reading is hosted on my own server. This last one runs a lot of services : web, mail, database, XMPP... and to manage it I need an SSH connection which is the more secure way to connect to a remote server. But, how I can trust this connection in an hostile environment ?

Connection protocols and key exchange has greatly evolved the last 20 years, but there are still based on a root asymmetric key pair (RSA, DSA, ECDSA...). When you connect to a server for the first time, you get a message like this :

The authenticity of host 'mint.phcomp.co.uk (78.32.209.33)' can't be established.
RSA key fingerprint is 6a:de:e0:af:56:f8:0c:04:11:5b:ef:4d:49:ad:09:23.
Are you sure you want to continue connecting (yes/no)? no

This is a human readable fingerprint of the root key used to establish a connection. Personally, I don't know my server fingerprint by heart. There is some solutions to check it :

• Manually by printing it on a paper/on your phone/on a USB key
• Register it with a DNS record, but DNS server/response can be easily spoofed
• Using a public key based connection (you need to keep it on a USB key)

The better remains having the secret (key or fingerprint) somewhere you could access it. I propose in this article an other solution you can always run in an hostile environment without any previous setup.

The idea is to create a restricted user that can only run a verification script that will check fingerprint once connection is established which avoid Man In The Middle attacks !

Setup

First, we'll have to create this user named check-user :

su
useradd --create-home --no-user-group --shell /bin/rbash check-user
cd /home/check-user

You can set a password or not. I don't do it, so I cannot open a connection from external nor internal as my server always checks for password (we can still use su/sudo command). I also set a restricted shell (rbash).

Then, we have to create a key pair

su check-user
ssh-keygen
cp .ssh/id_rsa.pub .ssh/authorized_keys

You can set or not a password for this key. Then, edit .ssh/authorized_keys and add :

command="rbash check_ssh_server.sh" ssh-rsa AAAA...

Now, downloads check_ssh_server.sh in /home/check-user and set execution permissions.

Then, go to your webserver directory were you can put some downloadable files (something like /var/www) and copy SSH the private key.

cd /var/www
cp /home/check-user/.ssh/id_rsa ssh_check
chmod a+r ssh_check

Now, you can edit and run check_ssh_client.sh from any network !

How does it works ?

The client starts by establishing an SSH connection and close it immediately in order to retrieve remote fingerprint. Then, it downloads check-user SSH private key and use it to connect to the server and send the fingerprint. The only command that can be run with this key is rbash check_ssh_server.sh which get the fingerprint and compare with the ones installed on the server side. A message is then displayed which indicates if the connection is secure or not.

Scripts

check_ssh_server.sh

#!/bin/bash

target_key=`echo $SSH_ORIGINAL_COMMAND| tr -d "\r\n"`

if [ -z "${target_key}" ] ; then
    echo "Empty key provided, abort"
    exit 0
fi

for keyfile in /etc/ssh/ssh_host_*_key.pub ; do
    a=`ssh-keygen -l -f ${keyfile}|grep "${target_key}"` # To avoid print
    if [ $? -eq 0 ] ; then
        echo "Target key found, your connection is secure !"
        exit 0
    fi
done

echo "!!! WARNING !!! Key not found, the connection may not be secure"

exit 1

check_ssh_client.sh

#!/bin/bash

KEY_TRACE="Server host key:"
SSH_CHECK_KEY="https://soutade.fr/files/ssh_check/ssh_check"
REMOTE_USER="check-user"

if [ -z "$1" ] ; then
    echo "usage : $@ <ssh server>"
    exit 0
fi

echo "Retrieve remote key for $1"
tmp_file=`mktemp`
ssh -v -o "NumberOfPasswordPrompts=0" $@ >${tmp_file} 2>&1
key=`cat ${tmp_file}|grep "${KEY_TRACE}"`
key=`echo ${key}|cut -d" " -f6`
rm -f ${tmp_file}

echo "Retrieve SSH private key from ${SSH_CHECK_KEY}"
wget -O ssh_check ${SSH_CHECK_KEY}
chmod 0400 ssh_check

echo "Check for key ${key}"
ssh -l ${REMOTE_USER} -i ssh_check $@ "${key}"
echo "Cleaning"
rm -f ssh_check

For a project, I need to run java on an ARMv7 core. I could have used my Cubox server, but I don't have enough memory to run web services & java in parallel. Fortunately, I could find a SolidRun ClearFog Base board. This board is mainly network focused and only have an old dual Cortex A9 with 1GB of memory which is quick reached by today web applications, but it should be okay with a single one (I hope).

SolidRun provides documentation & ready to use OS (Debian FreeBSD, Yocto, OpenWRT), so board start should take less than one half hour. Nevertheless, documentation is split in multiple files, and there is no step by step guide. Moreover, Debian images seems crafted (we can't read main ext4 partition). After 2 hours of fails I started to turn crazy ! Here is my step by step tutorial.

The goal is to install Debian on an 8GB SDCard

1) Get an 8GB SDCard and delete all partitions thanks to gparted (or fdisk).

2) Within gparted create an ext4 partition that starts at 4MB with 8GB length

3) Download target Debian images from SolidRun resources. You should take .tar.xz file which is a compressed tar file of root filesystem.

4) Go to SDCard main partition and extract data from Debian image (using sudo)

cd /media/soutade/UUID/
sudo tar -Jxvf ~/clearfog/sr-a38x-debian-buster-20200218.tar.xz
sync

5) Update fstab with your new SDCard UUID

sudo emacs etc/fstab

6) Download U-Boot for base-sdhc variant

7) Burn it to SDCard at address 512 (first sector). We assume SDCard is /dev/sdb (check it before applying this command)

sudo dd if=u-boot-clearfog-base-sdhc.kwb of=/dev/sdb1 seek=1 bs=512
sync

8) Configure ClearFog switches to start using SDcard (Off Off On On On)

9) Insert SDCard into the board, connect serial line USB to your computer

10) Power up the board and start serial line screen

sudo screen -L /dev/ttyUSB0 115200

11) Stop U-Boot process by hit a key

12) Setup kernel bootargs. Here we setup root filesystem read/write at startup, but it should be re mounted rw by fstab. Only root argument is mandatory

setenv bootargs root=/dev/mmcblk0p1 rw
env save
boot

The board should now start with a fresh Debian ! I suggest to connect within SSH which is more comfortable to use than serial line console. Login/password is debian:debian.

Have fun !