Install EPEL Repository on CentOS 7 (x64)

The simple one line command below will enable the EPEL repository on CentOS 7

rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm

Once ran you will see confirmation that it has been installed successfully, that’s it!

Notes

  • You can find out more about the EPEL repository here

Icecast PHP Stats

A previous project of mine used several live video streams served by an Icecast server at different mount points which works great, but I found there was no real solution to simply display how many viewers were actually watching the live streams.

I put together a basic PHP code that reads the Icecast XML stats file and retrieves the current overall viewers (or listeners as its officially known) of all available mount points.

Code

// get the stats xml file //
$output = file_get_contents('http://admin:[email protected]:8000/admin/stats');

// explode to make the magic happen //   
$listeners = explode('',$output);
$listeners = explode('',$listeners[1]);

// output to the world //
echo "Currently $listeners[0] people are watching the live stream!";

Once you have amended the admin password, server name and port the code above will then connect to your server and read the /admin/stats XML file. From here it will literally pick out the content shown between the <listeners></listeners> tags and that then becomes the $listeners[0] variable, simply place this wherever you want to display the amount of current viewers.

Notes

  • This code may or may not work depending on if your hosting provider allows the file_get_contents function – In my case I use my own dedicated servers and it works without issue, if you have any problems I’m sure I can sort something for you!
  • You can show the amount of sources, file connections and so on by amending the code to reflect the correct tags – A full list of tags can be seen by visiting the youricecastservername.com:8000/admin/stats page

Disable Virtualmin Two-factor Authentication

Virtualmin is constantly being developed and gaining ever useful features, and for a while now has featured two-factor authentication which is great, although what happens if you get locked out of your system? As long as you have SSH or console access then you can follow the steps below to easily get back in.

Disabling two-factor authentication for a single user

  • Get root SSH or console access
  • Edit the file /etc/webmin/miniserv.users, comment out the current line for the user then create a fresh copy above it
  • Remove any mention of “totp” and the long string of characters near the end and save, for example your file should now look like the following:
...
root:x::::::::0:0:::
#root:x::::::::0:0:totp:ZZZZZZZZZZZZZZZZ:
...
  • Restart Webmin and log back in normally

Disabling two-factor authentication entirely

  • Get root SSH or console access
  • Edit the file /etc/webmin/miniserv.conf and find the line “twofactor_provider=totp” and replace with “twofactor_provider=” and save
  • Edit the /etc/webmin/miniserv.users as mentioned above
  • Restart Webmin and log back in normally

Notes

  • I’ve had success with this on Webmin 1.760 running on CentOS 7.0

How to List the Contents of a Web Directory

Any good web host will secure the contents of website directories which don’t have an index page by not allowing the  files or folders to be listed, instead you’ll get a 403 error page saying access is forbidden. Whilst this is good in practice, sometimes you might actually need to list the contents – and its simple to enable on an Apache web server – add one line to your .htaccess file and you’re done!

How it’s done

Options +Indexes

Notes

  • If you have access you can edit your web server configuration and make it global

Add a NAS drive to your Livedrive account for free

I used to be a customer of popular cloud backup service Livedrive. The upload and download speeds were nothing to shout about and one annoyance was having to pay extra to add a NAS drive to your account, but there is a workaround!

How so?

All you need to do is add a symbolic link to your NAS drive from your computer. Think of a symbolic link as a fancy shortcut, the only difference being it masks the destination instead of taking you straight there – you’ll see what I mean when you read on.

Imagine you have a Windows computer with your NAS drive with the root of the drive already mapped to Z:, you have a folder on your NAS called MyFiles and would be able to browse to Z:\MyFiles to see whatever is stored there. Next imagine we have a folder called C:\Backup which is already uploading to your Livedrive account, using  the following command we will make C:\Backup\MyFiles lead to your NAS and in turn be included with your Livedrive backup.

mklink /d "C:\Backup\MyFiles" "Z:\MyFiles"

For me, this worked absolutely fine and I had a couple of TB uploaded without ever being caught out. I’ve since jumped ship to Amazon Drive, whilst it is more expensive per year I’ve got it running from multiple computers and the upload and download speed always tops out my connection, so I can’t complain!

Notes

  • Use the above guide at your own risk – I won’t be held liable if anything happens to your Livedrive account, files or anything else because of this!
  • This doesn’t work with Dropbox or Google Drive  – sorry
  • You only need to run the command once, after that the link will be remembered
  • To remove the link just delete it as you would any other  file or folder

Webmin 1.610 on CentOS 5.8 (x86)

The following commands can be used to install Webmin 1.610 on CentOS 5.8. Make sure you’re logged in as root and then follow the steps below.

Select a temporary directory to save the download to. We will only use the downloaded file once so it’s pointless keeping it.. free up space and put it in /tmp!

cd /tmp

Begin the download of Webmin using wget:

wget http://prdownloads.sourceforge.net/webadmin/webmin-1.610-1.noarch.rpm

Install Webmin by unpacking the archive:

rpm -Uvh webmin-1.610-1.noarch.rpm

Done! You can now login to your fresh installation of Webmin by heading to http://hostname-or-ipaddress:10000 using the root username and password.

Review of Oak Tree Dental Practice in Stourbridge

I became a patient at Oak Tree Dental Practice after my current dental practice at the time was going through some major changes and didn’t seem to be offering a good enough service. As part of a management change I was given a checkup and told I would need 6 fillings (3 existing and 3 new that needed redoing) but I couldn’t get an appointment for months, meanwhile I was still paying a monthly Denplan fee and worrying that I would eventually have no teeth and no one seemed to be taking it seriously.

I took the plunge and went to see Mr Jonathan Edward Swinscoe for a “free” checkup. I ended up paying £35 for the apparently free checkup, but he comforted me and said he could get all the fillings done in one go. I transferred my Denplan contract to him which cost £15 and the plan was to wait until the next month when the transfer was complete so the work would be done at no extra cost.

The time came for my appointment and I have to be honest I was dreading it. I had a while to think back about what Jonathan said and it just felt too good to be true, but it was too late to back out now. It didn’t help that the receptionists were too busy gosipping and dancing away to the radio, they seemed frustrated that the whole waiting room wasn’t joining in with them.

The time came where Jonathan called me in, he sat me down on a damp dentist chair that had just been cleaned and then injected, no questions about what medication I was on, no explanation of what is going to happen or anything like that, literally pain killer was injected and I was sent back out to the waiting room. He didn’t seem in a talkative mood thinking back now.

After he saw another client I was taken back into the room to the yet again damp dentist chair. The nurse was out of the room but Jonathan started drilling out my teeth by himself. He had the drill in one hand and suction tube in the other and choked me several times as he wasn’t removing the water quick enough but luckily the nurse came back and took over.

It is worth mentioning at this point that he didn’t have any gloves on and he didn’t give me any protective eyeware meaning my £200 glasses were almost destroyed.

I thought things couldn’t get any worse but at this point but then he started being incredably rough, to the point where I had to keep stopping him because of the pain and was physically shaking. Each time he stopped he would start again straight away and it soon became obvious that he was rushing drilling out the teeth out to get them all done in time, I was really worried that he would drill to far and hit a nerve but luckily that didn’t happen!

After the drilling had finished he stopped and made a sexist comment infront of his female nurse and myself, he said “Not only women have bad days you know!” so now it felt like he was having a bad day and taking it out on me? Great!

He then started putting the fillings in place, again he was rough, applying a fair amount of pressure jolting my neck around for each filling. He put his palm flat on my head which wasn’t very comfortable but at this point I just wanted to get out of there. He just didn’t seem to care, but then again he was having a bad day, so that’s okay then?

After all the fillings were done he literally scooted off to his computer and ignored me, he didn’t explain any care instructions, what had been done or anything, I literally got blanked which was rude. The nurse then asked me to move off the chair so she could wipe it down and then whisked me (still shaking) to a small table in the corridor and offered to sign me up for Denplan. I explained with a numb mouth that I had already transferred to him and then went out the reception where I was told I would need to pay and again had to explain.

I finally got to the safety of my car still shaking and it is safe to say I will never ever be setting foot back in that practice ever again and I will never ever recommend it to anyone.

To add insult to injury I have been left with really sensitive teeth and can no longer drink really hot or really cold drinks. I have also had to have the fillings adjusted by another dentist as they were poorly fitted causing “the battery effect”.

To be clear, this review is about Review of Oak Tree Dental Practice 78 Bridgnorth Road, Wollaston , Stourbridge, DY8 3PA and is not to be confused with practices of a similar name.

Encrypted AES VPN tunnel between pfSense 2.3 and Ubiquiti EdgeRouter Lite

I recently retired my Draytek 2830 following a serious security flaw I discovered (that’s another post, stay tuned!) and took the plunge with a rather impressive looking Ubiquiti EdgeRouter Lite.

The other option was a rack mountable TP-Link TL-ER6020 although the maximum NAT throughput was only 180Mbps and it only had 128MB  DDR2 memory and no clear CPU specs, also the web interface looked tired and very restricted. Pound for pound the EdgeRouter was cheaper and has a better spec of anywhere up to and over 600Mbps, 512MB DDR2 memory and Dual‑Core 500 MHz, although it wasn’t rack mountable it was a no brainer with its modern web interface, also did I mention it can process 1 million packets per second?

The EdgeRouter also appeals to my inner nerd  (you can no doubt tell) as you can program it via web interface, command line or console connection and you can remove features you don’t need to boost performance. For example, it may only have 3 gigabit ports, but you can do whatever you like with them! In my case I have it configured as 1 WAN port and the other 2 ports are linked to two seperate LAN’s. I will write a full review when I get chance, but for now just take my word that it is the best router I have ever owned.

Anyway, to business!

Home Network

As before with the Draytek guide my home network is still double NAT’d but there isn’t a speed issue anymore. I do plan to eventually run everything via the EdgeRouter but first I need to install a few additional access points (I’m thinking a couple of airGateway-LR’s hidden in roof spaces will do, powered by PoE obviously!).

In the example below the home network subnet will be 192.168.100.x
and WAN address will be 1.2.3.4

Remote Network

The remote network is the same as before too – a pfSense machine sits at x.1 and deals with traffic to the local network.

In the example below the remote subnet will be 192.168.150.x and WAN address will be 5.6.7.8

Important

  • Each local area network must be on a seperate subnet, otherwise things can quickly get messy and conflict!
  • Make sure you use a secure pre-shared key, anything above 32 characters will do nicely and under no circumstances use the example key!
  • The example details below are fake, replace them with your own details if you want this to work

Configuring pfSense

The guide below lists only the parts you need to change, if the option isn’t listed then leave it as is. Anything to do with double NATing is in red, ignore this if your router is WAN facing.

Fairly straight forward, go to VPN > IPSec > Click Add P1

  • Enter the Remote Gateway as the WAN IP address of the EdgeRouter (or the Superhub in my case) 1.2.3.4
  • Enter a brieft description in the Description box – VPN to pfSense LAN
  • Select Peer identifer as KeyID tag then enter the WAN address of EdgeRouter (192.168.100.1) else leave as Peer IP address
  • Enter your pre-shared key in the Pre-Shared Key box – testing123
  • Set the DH Group to 14
  • Press Save

That’s your Phase 1 entry configured, now for Phase 2:

Go to VPN > IPSec > Click on Show Phase 2 Entries for Home

  • Enter Remote Network as the home network subnet – 192.168.100.0/24
  • Put a brief description in the Description box – Home
  • Set PSF Key Group to 14
  • Press Save and then hit Apply Changes

Finally, we need to create a firewall rule to allow traffic to pass over the VPN:

  • Go to Firewall > Rules > IPSec and click Add
  • Change Protocol to any
  • Enter a brief description in the Description box – Allow VPN Traffic
  • Press Save any hit Apply Changes

Configuring the EdgeRouter

First of all make sure you are running the latest firmware otherwise options may be missing and this may not go smoothly! Currently (March 2017) I’m running EdgeRouter Lite v1.9.1.

Configuring the EdgeRouter is pretty straight forward, you don’t need to do anything via command line or console (unless you really want to, knock yourself out!) – Go to VPN > IPSec Site-to-Site

  • First tick the box Show advanced options to show the encryption options
  • Under Global Options leave Automatically open firewall and exclude from NAT unless you want greater control over who can connect in
  • Under Site-to-site peers enter the Peer as the home WAN address – 5.6.7.8
  • Put a brief description in the Description box – Remote
  • In local IP enter any
  • For Encryption set AES-256
  • In Pre-shared secret enter the key set previously – testing123
  • Enter the Local subnet as 192.168.100.0/24
  • Enter the Remote subnet as 192.168.150.0/24

Once everything is saved, head over to the pfSense IPSec Status page and hit connect if it hasn’t already established and  there you have it!

At this point you may be asking why did you uncheck the option to Automatically open firewall…, this is because I like to have greater control over what IP addresses are allowed access to my network.

To substitute this option I created a rule in the NAT section translating UDP port 4500 to the routers local IP address (192.168.100.1). In turn I set the Src Address Group of this rule to a list of predefined IP addresses, thus only allowing access to my networks and blocking the rest of the world.

My experience with KGUARD and the Mars Home NVR Combo Kit

I’ve had a KGUARD Mars Home NVR Kit installed at my house for just over a year now, I bought it from eBuyer and paid a little more than I should have thinking it was a great investment and should last a good few year… it has been okay but unfortunatley the NVR side of it recently gave up the ghost.

The NVR initially started complaining about hard disk errors, randomly rebooted and is now just stuck on the boot up screen. Being familiar with embedded devices it ended up looking pretty bricked but unfortunatley there’s no obvious way to reflash the firmware. After a long email conversation with Danny Wu at KGUARD support, he wished me good luck at trying to reflash the firmware and has ignored me ever since, it would be okay but never actually told me how to get the box into recovery mode despite asking a fair few times… I’ll try fix the NVR at some point and if I have any joy I’ll write another post.

It’s not so bad right, you can still use the cameras?

In the meantime I installed iSpy connect – recommended by my friend Chris at work – on my home computer and thought that if I nipped out to Maplins and bought a slightly over priced TP Link PoE switch I could simply swap cables over and have some sort of CCTV system working in no time… was I wrong! Turns out the cameras aren’t 802.3af compliant so it won’t work without a little adjustment.

I didn’t want to go buy more kit without knowing the cameras would actually work, so I got an extension lead and a 12v 2A adapter trailing out the window at 2am, after a bit of tinkering I managed to get a stream from one of the cameras – annoyingly the cameras have their own static IP addresses which are own a different subnet to my home network and on reboot the settings revert back to default… adding a second IP to my network card sorted that.

The next day I nipped back to Maplins and got some PoE splitters, I popped into B&Q as well and got some IP rated junction boxes to cram everything into. After a bit of creativity the end result is that I can now use the KGUARD cameras but I have to have a slightly ugly looking box alongside them to shelter the PoE splitter, its not too bad but I’ve taken the opportunity to upgrade to some Trendnet TV-IP310PI’s and you can really tell the difference.

IMG_20160605_121000
PoE bodge

At least you won’t need to run new network cables?

Pah – Initially I wasn’t going to run new network cables as I thought the existing KGUARD ones would be good enough, unfortuantley not. When I went to put the new cameras waterproof connector in place I discovered that the existing KGUARD network cables only had 6 cores and just felt incredibly cheap, not wanting to take risks and to make things future proof I ended up spending the best part of a day feeding new cables through roof and under floors.

KGUARD network cable
KGUARD network cable

Where’s the happy ending?

It does come eventually, along the way I’ve ate a “cheddar and ham toasty”, got Chris up a ladder, learnt how to run and terminate my own network cables and recycled the KGUARD cameras to cover blind spots that weren’t covered before – those two both with the help of Chris one Saturday – and learnt that ultimatley you are always better building your own system as once you are past the year warranty neither the retailer nor manufacturer could care less!

I was torn between iSpy or BlueIris for software – I ended up going with iSpy which is opensource but should really be classed as freemium. If you want to do anything useful (playback footage, watch remotely or recieve email alerts) you have to upgrade to a premium version which is a monthly cost – not to worry though, I’m currently working on a VB program which will allow both live and pre-recoded playback of files possible and Chris is working on an alternative mobile ap.

I can’t thank KGUARD enough for this valuable learning experience and I would strongly recommend that if you are thinking about getting a KGUARD system then look elsewhere! If I hadn’t have had such good knowledge of network and computing then I’d have ended up with one very expensive set of paper weights.

Fix TRENDnet/Hikvision Corroded PoE Connector

Following Storm Doris back in February 2017, one of my cameras at the back of my house stopped working. Part of the roof had been blown off (only a plastic cover, thankfully nothing more serious) which exposed the cable and allowed things to get a little damp. On closer inspection the 3 far pins in the connector had corroded.

I’m presuming the corrosion had been going on some time and the storm was the icing on the cake. I tried a mixture of WD40 contact cleaner followed by a strong acid based electrical cleaner and the pins had cleaned up nicely but it still wasn’t working.

I was really trying to avoid was chopping the connector off completely as after all it is over £100 worth of camera, but it happened. For speed I opted for jelly crimps (scotch locks) as these are waterproof, the alternative was either a  surface mounted punch-down box or RJ45 coupler both which would have corroded over time and eventually left me with a broken camera again.

After making sure everything was working I wrapped the jellys in a fair amount of electric tape followed by a healthy dose of vaseline.

Colour Combinations

It came as no suprise that the camera didn’t use standard 568B colours but here is the combination I used:

Key: 568B Standard Cable / TRENDnet Cable

  • Orange WhiteOrange
  • OrangeYellow
  • Green WhiteGreen
  • BlueGrey
  • Blue WhitePurple
  • GreenBlue
  • Brown WhiteBrown
  • BrownWhite

I found the colours by refering to this guide here. I did manage to get the green and green white cables mixed up, however this hasn’t affected the camera in any way that I can tell. If it does ever cause a problem I will swap the cables around at the patch panel to avoid having to tamper any further!

Update – 05/07/2022

I’ve ditched most of my TRENDnet cameras now in favour of Hikvision, although corrosion is still a common problem it turns out. Luckily the wiring colours as the same and the above works fine for Hikvision cameras too.