芳草苑

Blog

  • Sftp chroot howto

    我之前在服务器上应用 Ftp chroot,那设置起来相对简单。但 Ftp service 不是服务器预装的,通常我会装 proftpd 或 vsftpd。

    这次我想为什么不用服务器预装的 Sftp service?我有点钻了牛角尖—— Sftp 比 Ftp 好在哪?更安全?似乎这增加的安全性对我来说毫无意义。少占点硬盘空间?空余字节多着呢。总之,我想到了就想把它用起来。

    首先新建一个用户组,sftponly,只要是这个组的用户 Sftp 登录后都会被 chroot。

    
groupadd sftponly

    然后把需要 chroot 的用户都加到 sftponly 组

    
usermod -a -G sftponly user1

    如果是新用户,则在创建的时候直接参组。

    
useradd -U -G sftponly -s /sbin/nologin -d /path/to/user1_home user1

    然后要保证 /path/to/user1_home 这个目录及所有各级父目录的属主是 root,属性 755。user1 在他的 home directory 下是没有写权限的,不能由他自己创建文件或文件夹。这也容易理解,因为他被 chroot 以后,他的 home directory 看上去是系统根目录,普通用户当然不能在根目录这一级有写权限。这时需要 root 事先为 user1 创建好若干文件夹,如 /path/to/user1_home/documents、/path/to/user1_home/pictures,并将 documents、pictures 的属主指定为 user1。

    然后我按网上的指点依样画瓢,在 /etc/ssh/sshd_config 里添加了这几行:

    
Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory %h

    然后重启 sshd service

    
service sshd restart

    理论上这时 user1 已经可以在 Sftp 登录是被 chroot,限定在他的 home directory。但是 user1 怎么都登录不了,碰到的错误是:

    Connection closed by server with exitcode 1

    原来,在我的 /etc/ssh/sshd_config 里有这么一行

    
Subsystem       sftp    /usr/libexec/openssh/sftp-server

    这是服务器预装时的配置,可能不是所有的服务器都这样,但有一定的普遍性。

    这说明,Sftp 子系统是由 /usr/libexec/openssh/sftp-server 支持的。而在被 chroot 的 user1 看来,是没有 /usr/libexec/openssh/sftp-server 这个文件的。怎么办?两个办法:

    办法一:将那一行改为

    
Subsystem     sftp    internal-sftp

    办法二:在 user1 的 home directory 下建一个副本 %h/usr/libexec/openssh/sftp-server,只是简单的文件拷贝。

     

  • Diving into Daigou

    之前我说到代购不值得一做,但老婆说有空就做,反正闲着也是闲着。她的实干精神要远胜于我,就这一点我也要支持。

    代购的包装材料如果零买的话,价格很高,我就想一次购进一批包装材料来降低成本。这不,我买了 36 卷封箱大胶带,48 mm X 150 m(号称),花了 £55,free shipping。折合 £1.02 / 100m。

    Packaging tapes
    Packaging tapes

    而在 Poundland 花 £1 能买到 2 卷胶带,48mm X 30m。折合 £1.67 / 100m,这一下我节约了 38% 的成本。

    Weigh packaging tape
    Weigh packaging tape

    这胶带看上去质量还行,肉厚 25mm,只是它芯的孔径是 50mm,不常见,我备有的 tape gun 还不匹配。单卷胶带有 291 克重,我虽然很想从淘宝上买,9 元人民币可以买到一卷 48mm X 170m 的胶带,但加上运费,不见得能便宜多少。但是国内可以略等于普通胶带的价格买到定制胶带(这样的胶带大约要订 83 卷),在英国定制就很贵了,以后还是值得考虑从国内采购的。

    我还买了一堆泡沫包装膜,非常地占地,哎,为了节约成本带来这么多不便,不知是不是真捡着了便宜。

    Bubble wrap
    Bubble wrap

    我还买了一批双层瓦楞纸箱,但是强度不够,属于失败的采购。在淘宝上的纸箱,410 X 280 X 215,特硬加厚五层BC瓦,约448g,才5.20 元,好诱惑,但不现实。

    这么多包装材料,什么时候能用完呢?

  • 5V2A adapter for IAD

    前不久在淘宝上淘了一个华为 U-SYS IAD101H,准备用作 MGCP 语音网关。才 28 元人民币,运费 6 元,真的很便宜。

    Huawei U-SYS IAD101H
    Huawei U-SYS IAD101H

    卖家说明自配变压器,是 5V2A 的电源。我加钱求卖家帮我配好变压器,但卖家不帮忙。因为语音网关还未转寄到我手上,所以我也没急着寻购 5V2A 变压器。今天无意中在我家电视机柜边上翻出一个孤零零的变压器,一看正好是 5V2A。我想了半天没想出它是哪个设备元配的变压器,先拿来用了再说。

    5V2A adapter
    5V2A adapter

  • Newbie’s experience in setting up an IPPBX

    I classify myself as a newbie as I have been diving into Asterisk / FreePBX for only 3 months. I am not familiar with 95% parameters of my IPPBX, and I try to avoid touching those parameters. However I can proudly say I have gained enough experience in setting up an IPPBX for a commercial environment, and I want to share it with you.

    Before I start, I have to make it clear what my goals are, so you know if my experience suits you.

    Firstly, I do not have massive users, say less than 100. We did not use any PBX, but once we launch IPPBX, it must be working very stably.

    Secondly, users should be able to pick up the calls in the office, at home or on the move. Myself is a typical user, who answer 1/3 calls in the office, 1/3 at home, 1/3 on the move.

    Thirdly, I want to save every pence possible on this first IPPBX. There are many IPPBX with Asterisk preinstalled and probably optimised on the market, whose prices start from £150. However I think at £150 it is an entry level product and geared for a SOHO enviroment. If I hunt for a proper commercial Asterisk IPPBX, I should look for something above £300.  I am a fanatical DIYer and I believe business can take advantage of open source. Free open source allows business to do the same things other highly priced product can do, and sometimes does better. Of course the price of open source is the learning time. I spent £100 on the hardware (Bought from China directly. I evaluate it as £190 for similar hardware on the UK market), and 3 months in learning. A commercial Asterisk IPPBX with the equivalent capacity should be priced at £500 or so.

    My 3 months’ learning only saved £400 which is a loss. Nevertheless, back to the topic – my gained experience in setting up an IPPBX.

    I do not need to connect IPPBX to a physical analogue (POTS) or digital (ISDN) telephone line. If you do, and the more lines to connect, the more worthwhile to buy a commercial IPPBX with FXO or BRI ports built in. None of analogue/digital cards or ATA or ISDN gateways are cheap.

    At the time of choosing a DIY IPPBX other than a commercial IPPBX, I was quite worrying about the stability. Now I can say software stability can be achieved by a newbie like me. But to make the whole system work reliably, I have to buy a decent hardware to run it on, and most importantly, a reliable network. My current ISP is horrible and due to be switched away in next month. It wasted me a lot of time debugging – barking at the wrong tree. I would not say “horrible” if I was only using their network browsing Internet. It looks like it can not afford VOIP traffic when it comes to host an IPPBX.

    I set port forwarding on the NAT router where IPPBX is. I forwarded SIP bind port and RTP ports. I did not do everything at client side router. The SIP client should traverse a router not in my control.

    I put NAT in Settings >> Asterisk SIP Settings to “route”, which instantly solved a lot of audio silence between various devices, i.e. high end SIP phone, entry level SIP phone, and several soft SIP phones installed on several Android based mobiles. I still can not understand the exact logical behavior of “yes”, “no”, “never”, “router” for NAT choice, but to me, “router” is the best choice.

    I totally understand many people says SIP behind NAT is a nightmare. My IPPBX is behind a NAT router in the office, and if I am at home, my extension is behind another NAT router. This is the worst scenario. With FreePBX Distro and the above simple configuration, but without help of any third party modules, proxy, stun server, SER, the most difficult problem I encountered is one way audio on some devices / soft phones. It is always the caller can not hear voice from the callee, but the callee can.

    Then I find enabling stun server on SIP client does not do anything good. Actually I find enabling Rport for signaling and media helps eliminating one way audio symptom if this choice is available. If your device does not have such a choice, but you have two devices at hand, you can dial out using one of them and transfer the call to the other one. This method makes both ends callees. So tricky. Do we really to do that? No. I have better way later on.

    Missing codecs may cause audio silence, but it has nothing to do with one way audio. If a required codec is missing, both ends will be silent. I have a weird SIP trunk provider supplying 2 lines. Both lines have an external number (connecting PSTN) and an internal number (extension number on his SIP server). It turned out he enables different codecs for these 2 lines. And even on the same line, he enables different codecs for external number and internal number. It took me a long time before I realised it was a codec problem.

    Although Android mobiles are widely available, it is worth buying SIP phones for office and home.  SIP phones can stay online much more stable than any of soft SIP phones on Android mobile. It may not be a fault of soft phones. They are restricted by Android power management. The advantage of Android devices is you can choose SIP apps to install. To get the best of both worlds, the best buy is an SIP desktop phone with Android OS.

    Among SIP apps, I recommend Zoiper (most stable, and support IAX2), CSipSimple (support video calls with CSipSimple video plugin), Samsung Galaxy built in SIP client (may be best choice in power saving), in turn.

    It is time to summarise how to tackle one way audio. I mentioned IAX2. Yes, for soft phone, use it as the first choice over SIP. (Sadly as a hardware, VOIP phone with IAX protocol are not widely available.) I am using Zoiper on the move. In the office, as it in the same subnet, SIP traversing is not a problem, so any SIP phones will do the job. At home, use a SIP phone which can enable Rport, or use Zoiper.

    I tried to achieve a stable IPPBX without having to periodically reboot it, but I could not. The IPPBX runs into a hanging state every a few days. For example, all trunks / extensions are disconnected. Even “amportal restart” can not solve the problem. A daily reboot is a must. Just choose a quietest time and use crontab to reboot. My IPPBX reboots in 34 seconds, which means the uptime is 99.96%. Normally the IPPBX will not hang within a day. But I set a monitoring script anyway to monitor if all trunks / extensions lose connection, reboot the IPPBX immediately. It never happened so far.

    I also find IPPBX daily rebooting is a usual practice. I have monitored two of my SIP trunk providers are rebooting their servers daily. I am going to test it on a third one. Besides, I will be very glad to see a future version of FreePBX can run without rebooting for years as Nginx, etc.

  • SIP requires very reliable network

    我的 SIP 服务器 FreePBX 暂时还放在一个非常不可靠网络环境下,这在前文《FreePBX working with an unstable router》有提及,一有 SIP 不正常的风吹草动,我就成了惊弓之鸟。

    今天早上我在家,发现 SIP 分机又出现单向语音的症状,测了多次,十次有九次是单向语音,主要是主叫方听不到对方声音。我在服务器上看来看去看不出原因,不管三七二十一,又重启了一次,仍没解决问题。

    单向语音是 SIP 很常见的问题,在用 FreePBX 之初,我曾花大力气去解决,找到一套行之有效的办法。怎么今天又出现了老问题了?我一阵头疼。

    我家的网络宽带路由器确实不太好,但一开始我没意识到是它的原因,因为浏览网页是正常的,再说 SIP 能注册,也能接通。我排查了很久,无意中将手机 Wi-Fi 连接关闭,用 3G 连接网络,手机的 SIP 客户端立刻就能双向语音,一切正常。我这才想到是网络宽带路由器的原因,把它重启了一遍,SIP 通话就正常了。

    看来 SIP 对网络的要求非常高,而且是服务端、客户端双方的要求都很高。

  • FreePBX auto reboot

    FreePBX 上线运行近一个月,被我观测到若干次所有 peers (包括 trunks 和 extensions)都失去连接的情形,但 FreePBX web 界面里还是显示 asterisk 正常绿色。

    目前我无法判断这究竟是 FreePBX 的硬件问题,抑或是 FreePBX 的软件问题,还是参数配得不对。我也没找到什么现成的命令可以判断 asterisk 是否在正常工作。

    好羡慕一些人说 FreePBX 几年都不用重启也跑得很稳定。我也不想经常重启我的 FreePBX,但我得面对现实的商业化环境。

    现实是我们不是 24 小时工作,电话也不会 24 小时响个不停,但工作时间我们不能容忍 FreePBX 无缘无故停止响应。所以我做了两项调整:

    1. FreePBX 每天在伦敦时间 6AM 重启一次 OS,保证它有活力运行在大部分人的工作时间。
    2. 我还写了一个每分钟检测一次的小程序。如果检测到所有 peers 失去连接,就重启 OS。如果重启没有解决问题,则不再重启,这是为了不为非 FreePBX 自身的原因(比如说网络原因)陷入重启循环;当然,如果重启解决了问题,也不用重启了。

  • I almost forgot how to use Apache

    我不用 Apache 很多年,几乎忘了该怎么完整地配一台 Apache server。最近上线了一台 FreePBX,我想加强 web server 的安全系数,要修改一些默认参数。因为对 FreePBX 还不是很了解,所以不敢贸然把它的 web server 用我喜欢的 Nginx 代替,只好沿用元配的 Apache,捣腾它的 conf 文件。

    首先,我想弄个 VirtualHost,把 FreePBX admin 界面隐藏到不公开的 ServerName 上。我忘了在使用 name based virtual host 前要先使用 NameVirtualHost 先声明一下。

    
NameVirtualHost ip_address:port_number

    其次,启用了 VirtualHost 以后,VirtualHost 之外的 main DocumentRoot 就不起作用了。我在 VirtualHost 之外定义了一个 DocumentRoot 并想当然地认为它是 default server (未经任何一个 VirtualHost 定义的 server)的 DocumentRoot。事实上,VirtualHost 的 default server 是由 _default_ 显式定义,或在 _default_ 缺失的情况下,第一个 VirtualHost 就是 default server。

  • PEAR Mail.php

    我想在服务器上用 Gmail SMTP 代替 sendmail 发送邮件,并不想用 Zend_Mail,只想找一个轻量级的解决方案。

    一找就找到 Pear Mail。提示说只要用

    
pear install Mail

    然后在程序里

    
include_once "Mail.php";

    我照着做了,可是提示:

    Warning: include_once(Net/SMTP.php): failed to open stream: No such file or directory in mail/Mail/smtp.php on line 348
    PHP Warning: include_once(): Failed opening ‘Net/SMTP.php’ for inclusion (include_path=’.:/usr/lib/php’) in mail/Mail/smtp.php on line 348
    PHP Fatal error: Class ‘Net_SMTP’ not found inmail/Mail/smtp.php on line 349

    原来还需要安装一个依赖包

    
pear install Net_SMTP

  • Tips for printing on Avery Quick&Clean™ Business Cards

    Avery C32026 cover
    Avery C32026 cover

    It is my second time using Avery Quick&Clean™ DIY business cards. The first time was very smooth so I did not remember any caveats.

    This time I had printed 5 pages before I got a nice one. So I decide to write some tips for future reference.

    The paper I use is Avery C32026, 270g satin finish, the thickest I can find in store. The printer is Lexmark C544dn, a colour laser printer with auto duplex feature.

    Tip 1. Do not load paper in Tray 1. It is not suitable for thick paper like this. Load it in Manual Feeder.

    Tip2. Do not use auto duplex. If the business card design is double sided, print one side and manually feed paper again for the other side. The auto duplex roller is a small cylinder that may snap the cards away from the frame.

    Tip 3. Use the template provided by Avery and do not convert to any other format. C32026 template is a Word document. After editing, I converted it to a PDF file (I was thinking of portability). The position was changed slightly and some text was printed across the border.

  • Job for mariadb.service failed bug fixed

    Last month I set up a development server using Fedora 20. On that server I wanted to change MySQL socket file from /var/lib/mysql/mysql.sock to /dev/shm/mysql.sock. Basically I wanted to move MySQL socket file to shared memory for performance gain.

    I made the change in /etc/my.cnf, but when I tried to start mysqld, I got the error message:

    Job for mariadb.service failed. See ‘systemctl status mariadb.service’ and ‘journalctl -xn’ for details.

    That was my first time heard about mariadb. I did some background research on mariadb and the relationship between mysqld and mariadb. But that did not help to solve the problem. So I had to revert to the default MySQL socket file /var/lib/mysql/mysql.sock.

    Today I had some free minutes and recalled this unresolved issue. To my surprise, I just changed

    socket=/var/lib/mysql/mysql.sock

    to

    socket=/dev/shm/mysql.sock

    in /etc/my.cnf. And this time mysqld can start without any errors.

    What changes have I made to the system? Nothing but a yum update.

    So I assume there was a bug in mariadb (or mysqld) which is fixed by the recent release.

    Mariadb updated
    Mariadb updated