In the picture you can see the HV generator on the top of the board, on the lower left the Arduino standalone parts along with a MAX232 as a level converter for easy serial hookup and on the right two tubes connected in parallel, a SI-29BG (beta and gamma) and a SI-12B for added alpha sensivity. Also shown are the USB>Serial adapter and a separate USB connector to provide 5V to the board.

I have had it running for some weeks with a Russian SI-29BG hard beta and gamma tube. These are nice, very sturdy tubes to experiment with. They easily detect natural background radiation and K-40 from a bag of Potassium Chloride.As I already explained I have connected two tubes in parallel. There wasn’t that much variation in background radiation, (see below) even after heavy rainfall so I am now going to watch whether alpha sensivity makes any difference.

Also, the SI-12B is kind of useless on its own, it is not very sensitive to beta and gamma but is able to detect alpha quite well due to its mica window.

Scripting

I have also changed my scripting on both Linux and Arduino to make everything easier to test and make it fail gracefully when the counter stops functioning for some reason. It also now works in Cacti with a GAUGE type of data, not a counter. This prevents spikes when the counter is reset or temporarily disconnected or offline. The script is as follows:

#!/bin/bash
# serial gmcounter update & log script
LOGFILE=/var/log/gmcount.log

function getcounts {
# display last 5 minute counts
# check if log was updated within 6 minutes
if [ `find $LOGFILE -mmin -6` ]
then
# print last 5 minute count
tail -n 1 $LOGFILE | awk {' print $5'}
else
echo "Error - logfile too old"
fi
}

function log {
# read counts from serial and write to logfile
read LINE < /dev/ttyUSB0
echo $(date) >> $LOGFILE
echo $LINE >> $LOGFILE
}

# check arguments and display or log data
if [ "$1" = "" ]
then
echo 'Use "getcounts" to display counts or "log" to log counts'
fi

if [ "$1" = "getcounts" ]
then
getcounts
fi

if [ "$1" = "log" ]
then
log
fi

I have put everything in one script and created functions to log the counts over  the last 5 minutes or display the last logged 5 minute count. If the logfile wasn’t updated properly it will return an error, causing Cacti to not record a value and show the error in its logfile. The script is connected to SNMP as described in my original article.

The Arduino script is as follows:

unsigned long counts = 0;
unsigned long fivemcount = 0;
long timer = 0;
long fivemtimer = 0;

void setup() {
Serial.begin(9600);
Serial.println("serial gm counter v1.0 starting...");
attachInterrupt(1, counter, FALLING);

}

void loop(){

if (millis() - fivemtimer > 300000){
 fivemcount = counts;
 counts = 0;
 fivemtimer = millis();
}
 if (millis() - timer > 10000){
 Serial.print("counts, cur: ");
 Serial.print(counts);
 Serial.print(" total: ");
 if (fivemcount == 0){
 Serial.println("n/a");
 }
 else {
 Serial.println(fivemcount);
 }
 timer = millis();
 }

}

void counter()
{
 counts++;
 tone(8,5000,1);
}

Basically, it counts the pulses, outputs the last five minute count every 10 seconds using the serial port and clears the counter after 5 minutes preventing any overflows of the unsigned long value (very unlikely). It also gives a very short tone with each interrupt which results in a little clicking sound. The random clicking helps me get to sleep quicker .

BTW, the current graph can be found here.

This article will try to explain how to monitor and graph temperatures remotely using Dallas Semiconductor DS18xx sensors, SNMP and Cacti. DS18xx sensors are relatively cheap, accurate and multiple sensors can be connected to a single bus.

This guide is based on Ubuntu, so YMMV on other Linux/Unix based systems and may need modification to work properly.

Interfacing and software

To directly read out DS18xx sensors you need the following things:

- a Linux server running the software package digitemp (available on various platforms) and net-snmp

- a serial to 1-wire adapter (DS9097 or build one yourself with the following schematic)

- an installation of cacti running on a remote or local server

Setting up the hardware of the 1-wire network is outside the scope of the article. You can find lots of  guides to cabling and building interfaces on Google.

Testing and reading out sensors

When everything is connected properly you can try to read out the sensors. Make sure digitemp is installed and enter the following command  (this command assumes your first serial port is /dev/ttyS0, for USB serial adapters try /dev/ttyUSB0)

digitemp_DS9097 -w -s /dev/ttyS0

Digitemp should search (walk, hence the “-w”) the network and find sensors if they are connected:

DigiTemp v3.5.0 Copyright 1996-2007 by Brian C. Lane
GNU Public License v2.0 - http://www.digitemp.com
Turning off all DS2409 Couplers
..
Devices on the Main LAN
10A67CF501080074 : DS1820/DS18S20/DS1920 Temperature Sensor
10DF7DF5010800B7 : DS1820/DS18S20/DS1920 Temperature Sensor

In the example above two DS18xx sensors are found. If no sensors are found, check your cabling and sensors. It is also best to run as root to make sure there are no permission issues.

To make digitemp remember the sensors you have to store the settings in a configuration file. You can do a walk and configuration using the following command:

digitemp_DS9097 -i -s /dev/ttyS0

It should report the connected devices and confirm that it wrote a configuration file:

DigiTemp v3.5.0 Copyright 1996-2007 by Brian C. Lane

GNU Public License v2.0 - http://www.digitemp.com

Turning off all DS2409 Couplers

..

Searching the 1-Wire LAN

10A67CF501080074 : DS1820/DS18S20/DS1920 Temperature Sensor

10DF7DF5010800B7 : DS1820/DS18S20/DS1920 Temperature Sensor

ROM #0 : 10A67CF501080074

ROM #1 : 10DF7DF5010800B7

Wrote .digitemprc

It is best to move the configuration file to a central location, for example I use /etc/digitemp/digitemp.conf.  If you have multiple sensors you might be confused which sensor is which.  A simple way to check which sensor you are measuring is to hold it in your hand and probe the sensor indexes using the following command:

digitemp_DS9097 -t 1 -c /etc/digitemp/digitemp.conf

In this example, the sensor with index “1″ is measured. In the configuration file, the unique adresses of the sensors are listed so you can look them up or change the index of a device.

Interfacing with SNMP

To make interfacing with SNMP easy I wrote a script that reads out a sensor based on the index number and returns the temperature:

#!/bin/bash
# digitemp readout script

CONFFILE=/etc/digitemp/digitemp.conf

digitemp_DS9097 -t $1 -c $CONFFILE  | awk {' print $7'}| tail -n 1

This script takes the index as an argument and returns the temperature for that sensor, with all the other info stripped off. The awk command only prints the 7th column and that is piped to tail to only display the line the temperature was displayed on.

To couple this script to SNMP you have to add the following lines to /etc/snmpd.conf:

extend .1.3.6.1.4.1.2021.2000.1 temp0 /usr/local/bin/checktemp 0
extend .1.3.6.1.4.1.2021.2000.2 temp1 /usr/local/bin/checktemp 1

Shown here are two scripts coupled to different SNMP OIDs, both returning the script output for one of the connected sensors. Make sure the SNMP daemon has sufficient rights to access the serial port! On my Ubuntu 10.04 system I had to add the user “snmp” to the group “dialout” in the /etc/group file.

To test the scripts coupled to the SNMP OIDs, read them out using snmpwalk:

snmpwalk -v1 -c public localhost .1.3.6.1.4.1.2021.2000.2

UCD-SNMP-MIB::ucdavis.2000.2.1.0 = INTEGER: 1

UCD-SNMP-MIB::ucdavis.2000.2.2.1.2.5.116.101.109.112.49 = STRING: "/usr/local/bin/checktemp"

UCD-SNMP-MIB::ucdavis.2000.2.2.1.3.5.116.101.109.112.49 = STRING: "1"

UCD-SNMP-MIB::ucdavis.2000.2.2.1.4.5.116.101.109.112.49 = ""

UCD-SNMP-MIB::ucdavis.2000.2.2.1.5.5.116.101.109.112.49 = INTEGER: 5

UCD-SNMP-MIB::ucdavis.2000.2.2.1.6.5.116.101.109.112.49 = INTEGER: 1

UCD-SNMP-MIB::ucdavis.2000.2.2.1.7.5.116.101.109.112.49 = INTEGER: 1

UCD-SNMP-MIB::ucdavis.2000.2.2.1.20.5.116.101.109.112.49 = INTEGER: 4

UCD-SNMP-MIB::ucdavis.2000.2.2.1.21.5.116.101.109.112.49 = INTEGER: 1

UCD-SNMP-MIB::ucdavis.2000.2.3.1.1.5.116.101.109.112.49 = STRING: "24.25"

UCD-SNMP-MIB::ucdavis.2000.2.3.1.2.5.116.101.109.112.49 = STRING: "24.25"

UCD-SNMP-MIB::ucdavis.2000.2.3.1.3.5.116.101.109.112.49 = INTEGER: 1

UCD-SNMP-MIB::ucdavis.2000.2.3.1.4.5.116.101.109.112.49 = INTEGER: 0

UCD-SNMP-MIB::ucdavis.2000.2.4.1.2.5.116.101.109.112.49.1 = STRING: "24.25"

End of MIB

For some reason the output of the script is displayed multiple times. I always use the most unique OID (in this case the last OID on the output) and it seems to work all the time, no problems whatsoever. If SNMP is running and accessible by either the localhost or a remote server running cacti, you can read out the temperature from Cacti.

Graphing the output in Cacti

To graph a single temperature in Cacti is quite simple. Generate a new data source using the SNMP -  Generic OID template, fill in the OID and Cacti will poll the data every 5 minutes. To graph the data source, create a graph using the SNMP – Generic OID graph template. Under Graph Item Fields you can select the data source containing the SNMP data. Save the settings (Cacti could ask for a min and max value, enter something between -20 and 100 ) and the temperature should now be graphed. You can find additional Cacti documentation on this subject here.


Beste Camera
beste-camera.nl
NicciBoekestijn@gmail.com
94.215.165.138
Submitted on 2010/01/01 at 11:57pm
Normaal reageer ik niet op blogs, maar deze keer wil ik toch even aangeven dat het een mooie blog is!

Aangezien het hier een Nederlandse spammer betreft en een .nl domein ben ik maar even gaan neuzen op de Internets. Spam wordt over het algemeen wel redelijk aangepakt in Nederland, reden dus om het een en ander uit te zoeken.

Beste-camera.nl is geregistreerd door ene Jan van Enk met email adres folita.invest@gmail.com
Zoeken op deze info via Google leverde mij de volgende lijst met sites op:

bestetv.info
bestelaptop.info
scooterkopen.info
beste-camera.nl
binnendeur.org
vloertegels.biz
pregnant-women.org

Allemaal geregistreerd onder dezelfde naam, gehost bij Leaseweb, nul echte content,  en bijna allemaal zijn ze ondergeplamuurd met Google Ads meuk en andere referral links zoals bijv. Bol.com in het geval van de website die bij mij gespamd werd.

Nou boeien pagina’s om klikvee aan te trekken mij niet zo, maar je moet niet op mijn website gaan lopen spammen in de comments. Tijd om even wat abusemail te versturen naar de hoster en de ISP van het IP van de spammert

Update:

Door opnieuw op de gespamde standaardzin te googelen kwam ik de spammer nogmaals tegen op: http://www.ceome.nl/?p=738 met een link naar eetkamerstoelen.info, en nog een keer op http://www.shikake.nl/2009/10/28/kattenluikje-tegen-indringers/ met een link naar de al bekende beste-camera.nl.

En nog een update:

Twee nieuwe domeinen gevonden, nl:

zonneschermen.org
drugs-verslaving.com

Beide weer onder dezelfde naam geregistreerd en gehost bij Leaseweb, welke het allemaal niet zo erg vinden want na een abusemailtje blijft het doodstil.

Aangezien onze spammer op basis van Google Adsense zijn centjes verdient ga ik die ook maar eens een mailtje sturen. Stay tuned

23/02/10:

Jippie, nog een domein:

besteverzekering.net

Google Adsense en Leaseweb vinden het allemaal nog steeds best. Een dezer dagen nog maar een mailtje de deur uit denk ik…

I wanted to get access to the local network at my parents house to manage computers using remote desktop. Now it is quite simple to tunnel IP traffic over a SSH connection, but I wanted proper access to the network. I just want to open mstsc on my own computer, enter the local IP address of the computer I want to access and be able to do my stuff.

So I installed PPTPD to enable VPN access to the network. Installed it using apt-get and webmin,  setup a PPP account, configured a connection in Windows XP and connected successfully. Tried accessing the webinterface of the modem that connects to the Internet, nothing… timeout. Curious as I am when it comes to annoying problems I tried accessing the local IP addres of my server. No problem accessing the webserver running this weblog. It seemed that the connection was established properly, but traffic from the client IP address of the PPTP connection was not forwarded to the LAN.

The solution was found after some googling: PPTPD: Can’t access anything but the PPTPD server when connected

By editing /etc/sysctl.conf and removing a commenting character:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

and issuing the command:

/etc/init.d/procps restart

IPv4 forwarding is enabled permanently, and traffic from the PPTP client is properly forwarded to the rest of the network.

Thanks Internet and Google, if it weren’t for you I would have been messing around until the wee hours

(After finishing this post, I had to mess around for maybe twice the amount of time I put in solving this PPTP issue because of some problem with smileys messing up text on my weblog…)

So, I tried to open an SSH session to my router to see what was going on. For some reason the router refused the connection. Since Internet access was fine I suspected that the router was running fine and had not crashed.

I tried logging in a couple of times more and finally I got access to the router. I looked at the logs and saw that the compromised host was being blocked by the sl_def_acl extended access list. This ACL is as follows:

Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log (74691 matches)
40 permit tcp any any eq 22 log

This access list will be applied to the VTY lines 0 to 4 using the following command which does not refer to any ACL but silently creates the sl_def_acl access list:

login block-for 600 attempts 3 within 30

So, what basically happens is a malicious host attempts to login through SSH, tries 3 times in 30 seconds, and after that the ACL sl_def_acl is applied to the VTY lines. But this also blocks any host including the local network from accessing the router through SSH. So a bruteforce attack is unintentionally converted into a denial of service attack by the router itself. As long as someone tries to login and fails, you will have difficulty accessing the router from any host on any network. I don’t want that so I tried to edit the sl_def_acl access list, but due to some bug this is not possible. I had to create a new access list:

Extended IP access list block_bruteforce
10 permit ip 192.168.64.0 0.0.0.255 any
20 deny tcp any any eq telnet
30 deny tcp any any eq www
40 deny tcp any any eq 22 log

And point the router to the right ACL for blocking bruteforce attempts using:

login quiet-mode access-class block_bruteforce

Now it is still possible to access the router from my local network while some host on the Internet is trying to access it. It is also possible to permit additional hosts or networks by adding this line to the ACL:

permit ip host <host> eq 22 any

Of course, the IP of the attacking host was put in my main inbound ACL to prevent any further traffic. My router, my rules… By the way, the sl_def_acl list could not be removed from the configuration so I had to leave it. Likely this is also related to the bug.

Anyway, this is what I set up to prevent my router to be compromised, comments are always welcome.

Some months ago I got my CCNA certification, and I was surprised by the low level of knowledge and experience that was needed to pass the exams. I passed the first exam with 948 points and my second one with 825. The last exam was a lot harder, and I realised that I hadn’t studied topics like dynamic routing protocols enough. Still I passed, because of my general knowledge of networking concepts and experience with calculating subnetting.

Anyway, I decided not to continue studying more Cisco stuff right away, but to get some hands-on experience first, so I bought this device.

The Cisco 851W is a router with a 100Mbit/s Ethernet WAN port. I got an Ethernet router because I wanted to use this router at home with the existing Internet connection. In the house where I live we have an ADSL Internet connection with a subnet of 16 IP adresses. There is no need to configure port forwarding in the modem, it just assigns public IP addresses through DHCP.

It took me some days to properly configure the 851W. I discovered that having a CCNA certificate in no way means that you can configure Cisco devices all by yourself.  Configuration discussed in Cisco study material is often quite basic and focuses on interfaces, not on complete configurations.

Anyway, I found this handy Excel sheet for generating a basic configuration: Configuring the Cisco 851W or 871W: Standard IOS. Using this sheet I got a basic working configuration.

Of course this configuration needed some tweaking. I added and changed the following things:

Static NAT entries and corresponding firewall rules

ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.64.5 5597 interface FastEthernet4 5597
ip nat inside source static tcp 192.168.64.237 5001 interface FastEthernet4 5001
ip nat inside source static tcp 192.168.64.5 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.64.5 8000 interface FastEthernet4 8000
ip nat inside source static tcp 192.168.64.5 38515 interface FastEthernet4 38515
!
ip access-list extended Guest-ACL
deny   ip any 192.168.64.0 0.0.0.255
deny   tcp any any eq smtp
permit tcp any host 217.149.192.18 eq smtp
ip access-list extended Internet-inbound-ACL
permit tcp any any eq 38515
permit tcp any any eq 5597
permit tcp any any eq 5001
permit tcp any any eq 8000
permit tcp any any eq 3389
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
permit tcp host 63.208.196.95 any established
!
access-list 1 permit 192.168.64.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255

As you can see there are some ports forwarded to my own PC for various software running on it. When entering static NAT entries you have to enter corresponding firewall rules. Dynamic NAT entries seem to overrule the firewall, static entries do not work without firewall rules.

This basic Excel sheet configuration also adds a firewall rule to deny “Guest” users access to my own seperate network. They will only “see” network 192.168.60.0/24. I added another firewall rule to deny access to any SMTP server except the one from the ISP, to prevent spamming from trojans which is quite likely to happen with the current users of the wireless network. Later I will also add a firewall rule to block any incoming traffic on port 25 because nobody is likely to run a mailserver on this network except for malicious purposes. I also added a firewall rule permitting any traffic from members.dyndns.org, to make Dynamic DNS work properly (more on this later).

Separate WLANs for house and private use

dot11 ssid 35bis
vlan 20
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 *snip*
!
dot11 ssid ruthenium
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 *snip*

interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 1 mode ciphers tkip
!
encryption vlan 20 mode ciphers tkip
!
ssid 35bis
!
ssid ruthenium
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2432
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
description Guest wireless LAN – routed WLAN
encapsulation dot1Q 20
ip address 192.168.60.1 255.255.255.0
ip access-group Guest-ACL in
ip inspect MYFW out
ip nat inside
ip virtual-reassembly
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled

This part of the configuration defines two SSID’s and two Dot11Radio0 subinterfaces that are attached to respectively Vlan1 and Vlan20. You can also see the access list attached to the Guest VLAN.
One thing I discovered was that Cisco calls broadcasting a SSID “guest mode”. On most routers with a wireless interface, only one SSID can be set to guest mode. That means that my own WLAN is not visible, which is only a small annoyance.

Dynamic DNS configuration

Dynamic DNS using Dyndns.org is a little bit hard to setup, but after some googling I got it to work. Following is the configuration used for dynamic dns:

ip host members.dyndns.org 63.208.196.95
ip ddns update method myupdate
HTTP
add http://vagevuur:<snip>@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://vagevuur:<snip>@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 28 0 0 0
!

To properly setup dynamic DNS you need to add the IP address of members.dyndns.org to the host list, because most routers are not set up to lookup domain names for security reasons. This breaks the dynamic dns settings.
You also have to add a firewall rule that allows the Dyndns site to connect to the routers WAN ip address on any established port. The router does not use NAT to connect to the site, so there are no NAT entries that overrule the firewall. By entering permit tcp host 63.208.196.95 any established in an access list applied to the WAN interface the connection is allowed because the firewall notices that Dyndns connects on the port requested in the outgoing connection.

By the way, entering the add and remove lines can only be done by entering half of the command before the question mark, then pressing CTRL-V on your keyboard, entering the question mark, and then the rest of the line. Entering a ? directly will cause the IOS help to appear, which breaks the command.

Well, this concludes my post about configuring my Cisco router. The complete configuration is available for viewing on: http://chelydra.dyndns.org/static/851wcfg.txt Enjoy and have fun!