Multi Seat Linux Workstation

Current computers are fast enough to handle more than one user at a time, so I started a project to set up my workstation with two seats, one for me and one for my girlfriend.

Tasks:

  1. Two concurrent Xorg sessions, each with its own keyboard and mouse, on two monitors
  2. Separate audio for both seats
  3. Auto mounting of USB storage sticks for the secondary seat: when a USB stick is connected to a specific USB port, it is mounted in the home directory of the user logged in on the second seat.

All this has to work while still keeping root privileges strictly separated. For security reasons I don't use systemd, polkit or other tools that allow normal users to gain root privileges. (Un)mounting, shutdown, printer setup and hardware setup are root tasks; normal users must not be able to do them, because that would compromise system security.

A normal user must not be able to shut down the system or see other users' USB storage just because she is sitting in front of the local console.

Two Xorg Sessions

The workstation has two graphics cards: one Nvidia PEG card and the onboard Intel CPU graphics. I had to activate the onboard graphics in the BIOS to be able to use it on Linux. The xserver-xorg-video-intel driver on Debian Jessie was too old to support the Intel Skylake HD530 graphics, so I upgraded the package "xserver-xorg-video-intel" from jessie-backports ("aptitude -t jessie-backports install xserver-xorg-video-intel").

Then I configured the X servers. Xorg can run multiple times with some configuration tweaking. I built two simple xorg.conf files, one for the first seat:

# /etc/X11/Xorg.first-desk.conf

Section "Device"
    Identifier "Nvidia Graphics"
    Driver "nvidia"
EndSection

Section "InputClass"
    Identifier "Dell Keyboard"
    MatchVendor "DELL"
    MatchIsKeyboard "true"
    Option "Ignore" "true"
EndSection

Section "InputClass"
    Identifier "Logitech Mouse"
    MatchVendor "Logitech"
    MatchIsPointer "true"
    Option "Ignore" "true"
EndSection

And one for the second seat:

# /etc/X11/Xorg.second-desk.conf

Section "Device"
    Identifier "Intel Graphics"
    Driver "intel"
    BusID "PCI:0:2:0"
EndSection

Section "InputClass"
    Identifier "TheRest"
    Option "Ignore" "true"
EndSection

Section "InputClass"
    Identifier "Dell Keyboard"
    MatchVendor "DELL"
    MatchIsKeyboard "true"
    Option "Ignore" "false"
EndSection

Section "InputClass"
    Identifier "Logitech Mouse"
    MatchVendor "Logitech"
    MatchIsPointer "true"
    Option "Ignore" "false"
EndSection

Xorg tries to take the first graphics card. To force one X server onto the second card you need the BusID line. You can find this BusID with lspci:

# lspci
00:00.0 Host bridge: Intel Corporation Device 191f (rev 07)
00:01.0 PCI bridge: Intel Corporation Device 1901 (rev 07)
00:02.0 Display controller: Intel Corporation Device 1912 (rev 06)
00:14.0 USB controller: Intel Corporation Device a12f (rev 31)
00:16.0 Communication controller: Intel Corporation Device a13a (rev 31)
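As an added example (not part of the original post), here is a small helper that derives the BusID value for every graphics controller in lspci output. The point it demonstrates is a common stumbling block: lspci prints the slot as hexadecimal bus:device.function, while xorg.conf expects decimal PCI:bus:device:function, so the two only look identical for small numbers such as the onboard 00:02.0 above. The sample lspci text is constructed from the post's listing plus one hypothetical discrete card on bus 0x0a.

```shell
#!/bin/sh
# Added example (not from the original post): derive the Xorg "BusID" value
# for every display controller in lspci output. lspci prints the slot as
# hexadecimal bus:device.function, while xorg.conf expects decimal
# "PCI:bus:device:function", so the two agree only for small numbers.

# Convert one lspci slot ("0a:00.1") into an Xorg BusID ("PCI:10:0:1").
slot_to_busid() {
    slot=$1
    bus=$(printf '%d' "0x${slot%%:*}")
    rest=${slot#*:}
    dev=$(printf '%d' "0x${rest%%.*}")
    fn=$(printf '%d' "0x${rest#*.}")
    printf 'PCI:%d:%d:%d\n' "$bus" "$dev" "$fn"
}

# Print "BusID<TAB>description" for each VGA/Display/3D controller found in
# the lspci text given on stdin.
gpu_busids() {
    while IFS= read -r line; do
        case $line in
            *" VGA compatible controller: "*|*" Display controller: "*|*" 3D controller: "*)
                slot=${line%% *}
                printf '%s\t%s\n' "$(slot_to_busid "$slot")" "${line#* }"
                ;;
        esac
    done
}

# Constructed sample: the first three lines mirror the post's lspci output,
# the last one is a hypothetical discrete card on bus 0x0a to show the
# hex-to-decimal step.
SAMPLE_LSPCI='00:00.0 Host bridge: Intel Corporation Device 191f (rev 07)
00:01.0 PCI bridge: Intel Corporation Device 1901 (rev 07)
00:02.0 Display controller: Intel Corporation Device 1912 (rev 06)
0a:00.0 VGA compatible controller: NVIDIA Corporation GT 640 (constructed sample)'

printf '%s\n' "$SAMPLE_LSPCI" | gpu_busids
```

On a real system run `lspci | gpu_busids` as any user; the first column is what goes into the Device section's BusID line of the seat that should use that card.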

The separation of mouse and keyboard works by blacklisting ("Ignore") one keyboard and one mouse on the primary X session, and with an inverted blacklist on the secondary seat that blacklists all input devices except this one keyboard and mouse.

To start two X servers I changed the file /etc/X11/xdm/Xservers to this:

:0 local /usr/bin/X :0 vt7 -config /etc/X11/Xorg.first-desk.conf -novtswitch -nolisten tcp
:1 local /usr/bin/X :1 -sharevts -config /etc/X11/Xorg.second-desk.conf -novtswitch -nolisten tcp

"-sharevts" and "-novtswitch" were the magic settings that allowed running two Xorg instances concurrently. Without these options the X servers could only run one at a time, by switching between VT7 and VT8 (Ctrl-Alt-F7 / Ctrl-Alt-F8).

Separate Audio

The onboard sound card has an 8 channel output for surround sound. ALSA can split this multichannel output into multiple virtual sound cards with this /etc/asound.conf file:

# /etc/asound.conf

pcm_slave.fourchannels {
    pcm "hw:0"
    period_time 0
    period_size 1024
    buffer_size 8192
    channels 4
}

pcm.jack1 {
   type plug
   slave.pcm {
        type dmix
        ipc_key 2381
        ipc_perm 0666
        slave "fourchannels"
        bindings [ 0 1 ]
   }
}

pcm.jack2 {
   type plug
   slave.pcm {
        type dmix
        ipc_key 2381
        ipc_perm 0666
        slave "fourchannels"
        bindings [ 2 3 ]
   }
}

This configuration splits the front speaker output from the surround (back) speaker output. Per user you can set the default output to either jack1 or jack2 with this ~/.asoundrc file:

pcm.!default {
    type plug
    slave.pcm "jack2"
}

Currently I hard wired this configuration per user. If my girlfriend and I changed seats frequently, I would write a ".asoundrc" file during X session startup every time a user logs in on the first or second seat (DISPLAY :0 or :1).

Automounting USB Storage for Second Seat

I used udevd and a small shell script to do the job.

Udevd can start scripts on USB events:

# /etc/udev/rules.d/10-multiseat-usb.rules
#
# filter on sd* (SCSI disk) events of the block subsystem
# filter on events whose parent device tree (ATTRS) contains the second seat's USB hub, idVendor==05e3, named "USB2.0 Hub"
# for these events start: /root/user_usb_mounter
# which mounts the device for the logged in user and opens a file browser
#
KERNEL=="sd*", SUBSYSTEM=="block", ACTION=="add", ATTRS{idVendor}=="05e3", ATTRS{product}=="USB2.0 Hub", RUN+="/root/user_usb_mounter"

The script /root/user_usb_mounter looks like this:

#!/bin/bash

(
# logfile output
echo "================================"
date

if [ "$ID_FS_USAGE" != "filesystem" ]; then
    echo "ignoring udev event without FS_USAGE == filesystem"
else
    echo "new file system"

    # look which user is logged in on seat :1 (the "line" column of who is the display)
    second_user=$(who | awk '$2 == ":1" { print $1; exit }')

    if [ -z "$second_user" ]; then
        echo "No user session on :1 found, giving up"
    else
        # get the userid of the logged in user; refuse system accounts (uid <= 99)
        muid=$(id -u "$second_user" 2>/dev/null)
        if [ "0$muid" -le 99 ]; then
            echo "No userid for user $second_user on :1 found, giving up"
        else
            i=1
            # find a non-existent directory mountpoint and create it
            while [ -e "/home/$second_user/media/usb$i" ]; do
               i=$(( i + 1 ))
            done
            mp="/home/$second_user/media/usb$i"
            mkdir "$mp"
            chown "$second_user" "$mp"

            # mount the filesystem in the user's home directory, without device nodes, setuid or executables
            echo mount -o noatime,nodev,noexec,nosuid,uid="$muid",gid=100 "$DEVNAME" "$mp"
            mount -o noatime,nodev,noexec,nosuid,uid="$muid",gid=100 "$DEVNAME" "$mp" || exit

            echo "usbstick mounted to $mp"
            echo "starting xfe for $second_user"

            # Start xfe for the user and wait until xfe closes. Then unmount the usb device and inform the user.
            (    su "$second_user" -l -c "DISPLAY=:1 xfe '$mp'"
                 umount "$mp" && rmdir "$mp" && sync &&
                 su "$second_user" -l -c "DISPLAY=:1 xmessage 'USB stick is safe to remove!'" && exit
                 su "$second_user" -l -c "DISPLAY=:1 xmessage 'USB stick umount failed. DANGER!'"
            ) &
        fi
    fi
fi

) >> /tmp/udevtest.log 2>&1

This script checks whether the udev event is for a filesystem. Then it checks which user is logged in on :1 and gets her user ID. Then it mounts the USB device into that user's home directory, owned by the user and with nodev, noexec and nosuid set. Then it opens a file browser for the user and waits until it is closed. Then it unmounts the stick and informs the user. This script is not very pretty, but it is a quick and working hack.
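The part of that script that deserves the most care is the lookup chain: the mount helper runs as root, takes a username from `who`, and turns it into a path under /home and into mount options. The following added example (my code, not the post's script) pulls those lookups into functions that can be tested on their own. It reads constructed `who` and passwd-format text instead of the live system, validates the username before it is used in a path, and applies the Debian convention that regular accounts start at UID 1000 (the post's script uses 99 as its threshold). The user names, UIDs and the usbN directory layout are assumptions for the sample.

```shell
#!/bin/sh
# Added example (not the post's script): the lookups the udev mount helper
# performs, rewritten as testable functions. The udev rule runs this code as
# root, so the username taken from `who` is validated before it is ever used
# to build a path under /home, and the UID threshold rejects system accounts.

# Print the login name of the user whose session line is the given X display
# (":0", ":1"). Reads `who` output from stdin; prints nothing if no such session.
seat_user() {
    awk -v disp="$1" '$2 == disp { print $1; exit }'
}

# Accept only names a Debian adduser would create: lowercase letters, digits,
# "_" and "-", at most 32 chars, not starting with "-". Returns 0 when acceptable.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Numeric UID of a user from passwd-format text on stdin; empty if unknown.
user_uid() {
    awk -F: -v u="$1" '$1 == u { print $3; exit }'
}

# Return 0 if the uid belongs to a regular (non-system) account. Debian's
# adduser reserves everything below 1000 for system accounts.
is_regular_uid() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1000 ]
}

# First unused "$1/usbN" (N starting at 1); prints the path without creating it.
next_mountpoint() {
    i=1
    while [ -e "$1/usb$i" ]; do i=$((i + 1)); done
    printf '%s/usb%d\n' "$1" "$i"
}

# Constructed samples standing in for `who` and /etc/passwd.
SAMPLE_WHO='alice    :0           2017-11-04 09:12 (:0)
bob      :1           2017-11-04 09:40 (:1)'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash'

# Combine the checks: print "user uid" for the seat, or fail with a reason.
seat_owner() {
    u=$(printf '%s\n' "$SAMPLE_WHO" | seat_user "$1")
    [ -n "$u" ] || { echo "no session on $1" >&2; return 1; }
    valid_username "$u" || { echo "refusing suspicious user name" >&2; return 1; }
    uid=$(printf '%s\n' "$SAMPLE_PASSWD" | user_uid "$u")
    is_regular_uid "$uid" || { echo "$u is not a regular account" >&2; return 1; }
    printf '%s %s\n' "$u" "$uid"
}

seat_owner :1             # prints "bob 1001"
seat_owner :2 || true     # no session on :2, reports and fails
```

In the real helper the samples would be replaced by `who` and `getent passwd`, and the result of `next_mountpoint` would be created with mkdir and chown before mounting. One caveat on the mount line of the post's script: the uid= and gid= options are honoured by filesystems that store no ownership of their own, such as vfat; for an ext4-formatted stick mount(8) rejects them, so the helper should expect that failure path.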

Versions: Skylake Intel CPU i5-6500 in 64 bit mode on an ASUS Z170 motherboard, Debian 8 (Nov 2017), NVidia GT 640 with Nvidia drivers 375.66, Xorg Intel drivers 2:2.99.917+git20161206

Android Battery Drain Riddle!

Problem: an Android phone is losing battery very quickly. The battery settings don't show any app, the display or any other reason for the battery drain.

Discussion: I found out that the battery drain only happens when connected to WLAN. Then I recognized that it only happens when connected to my WLAN: the mobile phone never sleeps when connected to my WLAN. So I checked whether there were many broadcasts in the network, which there weren't. Then I moved the IP of my mobile phone to a Linux box and checked for unicast traffic using tcpdump. There it was!

Solution: I have an Inverto Multibox SAT>IP server in my network and had used the SAT>IP server from my mobile phone several days before. The bug in the Inverto box is (or was) that the box has a broken idle timer, which means the SAT>IP stream never stopped if it was not shut down correctly. As a result the box pushed a SAT transport stream to the mobile phone every time I was connected to WLAN, and never stopped. I rebooted and upgraded the SAT>IP box. The battery drain was gone.

Version: Inverto SAT>IP Multibox 1.17

[Screenshot of the Android battery settings: battery drain before and after the bugfix]

CPU Bug on Intel Skylake and Kabylake

I had two or three system crashes on my Linux workstation within some months after upgrading to a new motherboard and CPU. This is very unusual for me, because stability is the main objective when I build a new workstation. So I tried to find the reason.

Some weeks ago I found this bug report: https://lists.debian.org/debian-devel/2017/06/msg00308.html

Hyperthreading on Skylake and Kaby Lake CPUs is buggy!

If your processor model (listed in /proc/cpuinfo) is 78 or 94 and the stepping is 3, you are lucky, because Intel already provides a microcode update. My workstation has processor model 94, which is the Intel Core i5 6500. So I installed the Debian package intel-microcode 3.20170511.1 from jessie-backports.

Since this update I have had no system crash or hang.
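To make the /proc/cpuinfo check repeatable (for example from a cron job on every workstation), here is an added example that is not part of the original post. It parses cpuinfo text, reports model, stepping, the microcode revision the kernel sees and whether the ht flag is present, and flags the two model/stepping combinations the post names. The cpuinfo sample is constructed for an i5-6500; the microcode value in it is a placeholder, not a claim about which revision the package ships.

```shell
#!/bin/sh
# Added example (not from the original post): check /proc/cpuinfo for the
# Skylake/Kaby Lake models the post names (model 78 or 94, stepping 3) and
# report the microcode revision the kernel sees, so you can tell whether the
# intel-microcode package has taken effect after a reboot.

# Read cpuinfo text from stdin; print "model stepping microcode ht" for the
# first processor entry (missing fields print as "-").
cpu_summary() {
    awk -F': *' '
        $1 ~ /^model[ \t]*$/      { model = $2 }
        $1 ~ /^stepping[ \t]*$/   { step = $2 }
        $1 ~ /^microcode[ \t]*$/  { ucode = $2 }
        $1 ~ /^flags[ \t]*$/      { ht = ((" " $2 " ") ~ / ht /) ? "yes" : "no" }
        /^$/ && model != ""       { exit }   # first processor block is enough
        END {
            printf "%s %s %s %s\n", (model == "" ? "-" : model), (step == "" ? "-" : step),
                                    (ucode == "" ? "-" : ucode), (ht == "" ? "-" : ht)
        }'
}

# Return 0 (true) when model and stepping are one of the pairs the post lists.
affected_model() {
    { [ "$1" = 78 ] || [ "$1" = 94 ]; } && [ "$2" = 3 ]
}

# Human-readable verdict; exit status 1 means "affected, check microcode".
check_cpu() {
    summary=$(cpu_summary)
    set -- $summary
    if affected_model "$1" "$2"; then
        echo "model $1 stepping $2 is on the list (microcode $3, ht $4): make sure intel-microcode is installed"
        return 1
    fi
    echo "model $1 stepping $2 is not one of the listed models (microcode $3, ht $4)"
}

# Constructed sample for an i5-6500; the microcode value is a placeholder.
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 94
model name	: Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz
stepping	: 3
microcode	: 0xba
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx

processor	: 1
vendor_id	: GenuineIntel
cpu family	: 6
model		: 94
stepping	: 3'

printf '%s\n' "$SAMPLE_CPUINFO" | check_cpu || true
```

On a live system run `check_cpu < /proc/cpuinfo`; compare the reported microcode revision before and after installing the package and rebooting, since the new revision is only loaded at boot.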

FlexFabric 5700 Backup Config to TFTP in MGMT VPN-Instance

Problem: if you separate management from normal traffic on a switch, you will usually configure the switch via this management vpn-instance and also back up and restore config files via it. But if you use "backup startup-configuration to ...", it always tries to find the TFTP server on the normal network. Even after changing the TFTP configuration with "tftp client source interface M-GigabitEthernet 0/0/0", TFTP still does not work.

Solution: the backup command has no vpn-instance parameter, but the "tftp put" command has one. So you can use:

tftp 172.16.100.100 put startup.cfg switchbackup.cfg vpn-instance MGMT

Version: HP/HPE FlexFabric System image version: 7.1.045, Release 2422P02

NVidia Driver on Linux-4.11.1

Problem: after installing Linux kernel 4.11.1, the dkms package of the nvidia driver does not compile. You find a cryptic error message about ./Kbuild in /var/lib/dkms/nvidia-current/375.39/build/make.log

Solution: I uninstalled the Debian nvidia package and installed the newer driver from the NVidia homepage:

aptitude remove nvidia-installer-cleanup
./NVIDIA-Linux-x86_64-375.66.run

After this upgrade nvidia and Linux 4.11.1 work together again.

Versions: before the upgrade, jessie-backports nvidia-driver 375.39; after the upgrade, nvidia driver 375.66 from the NVidia homepage

Ubiquiti UniFi the Next Botnet ?

I tested a Ubiquiti access point today. The UAP-AC-Lite seems to be a very good and cheap access point.

When you take it out of the box and connect it to the network, it gets an IP address using DHCP and waits for a configuration. In this mode it sends broadcasts to find a controller and listens on port 22 (ssh) with the default login/password ubnt/ubnt.
That's not best practice, but very common for devices of this kind.

I tried two configuration modes:

    1. Mobile app based, using my Android phone:
      This app looks good and works great if you need just one SSID and no VLANs. Thumbs up, well done Ubiquiti.
      But I guess this method will not work if this is your first access point in the network, because you will end up with a chicken and egg problem.
    2. UniFi Controller based:
      UniFi runs on Windows, Mac and Linux. The Debian package is far too big, but it installs cleanly (why does this web app need 27MB of fonts?).
      With this web app you can configure everything, and it works well. But then I checked the security…

First I checked what new ports are open on my server:

tcp6 0 0 :::8443            :::* LISTEN 1373/java 
tcp6 0 0 :::6789            :::* LISTEN 1373/java 
tcp6 0 0 :::8843            :::* LISTEN 1373/java 
tcp6 0 0 :::8880            :::* LISTEN 1373/java 
tcp6 0 0 :::8080            :::* LISTEN 1373/java 
udp6 0 0 MYPUBLICIP:50880   :::* 1373/java 
udp6 0 0 :::10001           :::* 1373/java 
udp6 0 0 :::3478            :::* 1373/java 
udp6 0 0 MYINTERNALIP:58426 :::* 1373/java 

That's too much for a Linux box with a public IP interface.
The documentation tells a little bit about what these ports are used for, but some are not explained or not needed for normal operation.
I tried to strip down the open ports for security reasons, but I found no way to disable unused services or at least bind only to one IP. My minimum requirement would be to bind only to an internal interface and block the public interface.
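The listing above is the kind of output a small audit script should turn into a report, so that a new wildcard listener after an update is noticed rather than discovered by accident. The following is an added example, not from the original post: it parses `netstat -tulpn` style lines and separates sockets bound to every address from sockets bound to a specific one. The sample is constructed from the post's listing plus one hypothetical loopback-only socket ("1380/localonly") to show what is not reported.

```shell
#!/bin/sh
# Added example (not from the original post): audit `netstat -tulpn` style
# output for sockets bound to every address, which is the situation the post
# complains about. Lines are read from stdin.

# Print "proto port program" for each socket whose local address equals the
# argument. The special argument ANY matches the wildcard binds ":::port",
# "0.0.0.0:port" and "*:port".
sockets_bound_to() {
    awk -v want="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            local = $4
            port = local; sub(/.*:/, "", port)
            addr = substr(local, 1, length(local) - length(port) - 1)
            if (addr == "::" || addr == "0.0.0.0" || addr == "*") addr = "ANY"
            if (addr == want) print $1, port, $NF
        }'
}

# Convenience wrapper for the case that matters on a host with a public IP.
wildcard_listeners() {
    sockets_bound_to ANY
}

# Constructed sample: the post's listing plus one hypothetical loopback-only
# socket, which must not show up as exposed.
SAMPLE_NETSTAT='tcp6 0 0 :::8443 :::* LISTEN 1373/java
tcp6 0 0 :::6789 :::* LISTEN 1373/java
tcp6 0 0 :::8843 :::* LISTEN 1373/java
tcp6 0 0 :::8880 :::* LISTEN 1373/java
tcp6 0 0 :::8080 :::* LISTEN 1373/java
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN 1380/localonly
udp6 0 0 MYPUBLICIP:50880 :::* 1373/java
udp6 0 0 :::10001 :::* 1373/java
udp6 0 0 :::3478 :::* 1373/java
udp6 0 0 MYINTERNALIP:58426 :::* 1373/java'

echo "sockets bound to all addresses:"
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
echo "sockets bound to the public address:"
printf '%s\n' "$SAMPLE_NETSTAT" | sockets_bound_to MYPUBLICIP
```

Run it as `netstat -tulpn | wildcard_listeners` (root is needed for the program column) and keep the output under version control; a diff after the next controller update shows exactly which new ports an iptables rule set would have missed.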

But there is no way (officially: https://community.ubnt.com/t5/UniFi-Feature-Requests/Allow-Controller-to-run-on-a-Single-IP-Address/idi-p/959213 )

Sure, I could write an iptables filter list to block these ports, but that's risky. Today they use these 9 ports, but what will happen on the next update?

Then I checked what services are actually running on these ports. It's a Tomcat server!
A Java/Tomcat server that listens in all directions, IPv4 and IPv6, with no easy way to limit this access. What can possibly go wrong?

Most people will never update this controller software, and Tomcat had and will have security problems:
http://www.cvedetails.com/product/887/Apache-Tomcat.html?vendor_id=45

Hopefully Ubiquiti will provide a smaller footprint configuration tool with a few more settings than the app, and add some security settings to the controller software.
Then I would really recommend this nice piece of hardware: Vendor Link, Amazon Link

Version: UAP-AC-Lite, unifi 5.4.11-9184

Firefox Audio is Broken due to PulseAudio Dependency

Problem: Firefox 52 audio does not work without pulseaudio.

Discussion: pulseaudio is a bloated audio daemon that often fails. In the last years, whenever audio failed on Linux, the quickest solution was to uninstall pulseaudio. But the Firefox developers made the mistake of removing support for the underlying audio driver ALSA and insist on the middle layer pulseaudio.
The second problem with distribution packages of pulseaudio is that it itself depends on lots of things like dbus, systemd, consolekit, …
Which leads to the problem: you can't use Firefox on most Linux distributions when you prefer a better init system than systemd.

Solution 1: Don't use Firefox until they fix this.

Solution 2: You can compile pulseaudio without these dependencies and use it in pure user context:

Download the pulseaudio source package and configure it with:

./configure --prefix=/your/homedir/pulseaudio --disable-systemd-daemon --disable-systemd-login --disable-systemd-journal --without-caps --disable-dbus

You might need to install some -dev packages for this configure to work: libsndfile-dev, libspeex-dev, libspeexdsp-dev, ..

make
make install

And add this to your ~/.bashrc (or similar startup script):

export LD_LIBRARY_PATH=/your/homedir/pulseaudio/lib/
/your/homedir/pulseaudio/bin/pulseaudio -D

Then you can start Firefox with a local, limited and secured pulseaudio server.

With standard settings pulseaudio grabs the sound card completely and blocks audio for other ALSA software. This egoism is typical for a Lenn* Poett* tool. But it can be changed. Change the following lines in /your/homedir/pulseaudio/etc/pulse/default.pa:

#load-module module-alsa-sink
load-module module-alsa-sink device=dmix

#load-module module-detect

With these settings pulseaudio uses the normal ALSA mixing features and allows other software to use audio.

The pulseaudio developers think it's a good idea to terminate the pulseaudio server after the last client quits, and to let the next client "magically" restart the daemon. (I repeat: "let a client application start a daemon".) This reminds me of the days when we all thought inetd was a good idea. Now we know better. There is an option that prevents the pulseaudio service from dying.

Change this line in ~/pulseaudio/etc/pulse/daemon.conf:

exit-idle-time = -1

This keeps the daemon running.

Sophos UTM BGP Announces 0 Prefixes

Problem: a simple BGP upstream configuration. A small AS with one IP prefix wants to connect to its upstream using BGP. The BGP peerings are up. Sophos receives the expected routes from its upstream, but the upstream router does not receive the expected single prefix.

Discussion: an outbound filter list is set to prevent sending anything other than the local prefix x/24. Therefore an IP prefix list is configured in the web GUI and attached to the BGP neighbor settings as "filter list out". The web GUI should generate a quagga bgpd.conf from this, which should look like this:

router bgp 2222

neighbor 12.12.12.241 remote-as 1111
neighbor 12.12.12.241 prefix-list REF_BgpFilBgpfiltero_4 out

ip prefix-list REF_BgpFilBgpfiltero_4 seq 5 permit 13.13.13.0/24 le 32
ip prefix-list REF_BgpFilBgpfiltero_4 seq 10 deny 0.0.0.0/0 le 32

But looking into the actual config file in /var/sec/chroot-quagga/etc/quagga showed that the prefix list was missing. The backup config file bgpd.conf.sav showed that the correct prefix list had been there before. The only change in the meantime was that I had removed another (unused) "filter list in" in the GUI. It seems there is a bug in Sophos UTM where the web GUI removes all prefix lists from the config file when you actually want to remove only one.

Workaround: configure a new filter list and attach it to the neighbor config.
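Because the GUI can silently drop definitions, it is worth checking the generated bgpd.conf after every change instead of trusting it. The following is an added example, not from the original post: two consistency checks over quagga bgpd.conf text, one for prefix lists that a neighbor references but that are defined nowhere (the failure above), and one for neighbors that have no outbound filter at all. The sample configurations are built from the post's expected configuration and from the same text with the prefix list definitions removed.

```shell
#!/bin/sh
# Added example (not from the original post): two consistency checks for a
# quagga bgpd.conf, written to catch the failure the post describes. The
# config text is read from stdin. GOOD_CONF is the post's expected
# configuration; BROKEN_CONF is the same file with the prefix list
# definitions gone, which is what comparing against bgpd.conf.sav revealed.

# Print "NAME (neighbor direction)" for every prefix-list a neighbor refers to
# that has no "ip prefix-list NAME ..." definition. No output means consistent.
undefined_prefix_lists() {
    awk '
        ($1 == "ip" || $1 == "ipv6") && $2 == "prefix-list" { defined[$3] = 1 }
        $1 == "neighbor" && $3 == "prefix-list"            { referenced[$4] = $2 " " $5 }
        END {
            for (name in referenced)
                if (!(name in defined)) print name " (" referenced[name] ")"
        }' | sort
}

# Print every neighbor that has a remote-as but no outbound filter at all
# (prefix-list, filter-list, distribute-list or route-map "out"). Such a
# peer would be offered everything in the BGP table, not only the local prefix.
neighbors_without_outbound_filter() {
    awk '
        $1 == "neighbor" && $3 == "remote-as" { peer[$2] = 1 }
        $1 == "neighbor" && $5 == "out" &&
            ($3 == "prefix-list" || $3 == "filter-list" ||
             $3 == "distribute-list" || $3 == "route-map") { filtered[$2] = 1 }
        END { for (p in peer) if (!(p in filtered)) print p }' | sort
}

GOOD_CONF='router bgp 2222
 neighbor 12.12.12.241 remote-as 1111
 neighbor 12.12.12.241 prefix-list REF_BgpFilBgpfiltero_4 out
!
ip prefix-list REF_BgpFilBgpfiltero_4 seq 5 permit 13.13.13.0/24 le 32
ip prefix-list REF_BgpFilBgpfiltero_4 seq 10 deny 0.0.0.0/0 le 32'

BROKEN_CONF='router bgp 2222
 neighbor 12.12.12.241 remote-as 1111
 neighbor 12.12.12.241 prefix-list REF_BgpFilBgpfiltero_4 out'

# Exit status 1 if either check finds something, so this can run from cron
# against the live file in /var/sec/chroot-quagga/etc/quagga after GUI changes.
check_bgpd_conf() {
    conf=$(cat)
    bad=$(printf '%s\n' "$conf" | undefined_prefix_lists)
    open=$(printf '%s\n' "$conf" | neighbors_without_outbound_filter)
    [ -n "$bad" ]  && printf 'undefined prefix-list: %s\n' "$bad"
    [ -n "$open" ] && printf 'neighbor without outbound filter: %s\n' "$open"
    [ -z "$bad" ] && [ -z "$open" ]
}

printf '%s\n' "$GOOD_CONF" | check_bgpd_conf && echo "good config passes"
printf '%s\n' "$BROKEN_CONF" | check_bgpd_conf || echo "broken config fails as expected"
```

The second check deliberately ignores peer-group inheritance; on a Sophos box with a handful of directly configured neighbors that is enough, on a larger quagga setup the peer-group lines would need to be resolved first.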

It's very good that I could actually log into the Sophos box, because I would never have found this bug without ssh access.

Version: 9.408-4


Configure F5 TLS (SSL) Cipher String

The list of TLS ciphers changes quite rapidly: old ciphers are considered insecure, and new ciphers are added.

When you configure a virtual server on an F5 you can add an SSL client profile, which means the F5 is doing TLS towards the client. I think this naming is a bit misleading, because with an "SSL client profile" you are actually configuring a TLS server.

You have to make your own SSL client profile to add your key and certificate to the profile. You can do that at:
Local Traffic – Profiles – SSL – Client

When you switch to Advanced Configuration you can change the "Ciphers" string. This setting changes the list of allowed ciphers and their order. You might want to change this for better security or to get a higher rating at https://ssllabs.com .

The default setting is "DEFAULT". This translates to a longer string. For 12.1.1 it is:

!SSLv2:!EXPORT:DHE+AES-GCM:DHE+AES:DHE+3DES:RSA+AES-GCM:RSA+AES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:-MD5:-SSLv3:-RC4

This list translates to the following ciphers:

 ID SUITE BITS PROT METHOD CIPHER MAC KEYX
 0: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA 
 1: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA 
 2: 107 DHE-RSA-AES256-SHA256 256 TLS1.2 Native AES SHA256 EDH/RSA 
 3: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA 
 4: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA 
 5: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA 
 6: 57 DHE-RSA-AES256-SHA 256 DTLS1 Native AES SHA EDH/RSA 
 7: 103 DHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 EDH/RSA 
 8: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA 
 9: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA 
10: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA 
11: 51 DHE-RSA-AES128-SHA 128 DTLS1 Native AES SHA EDH/RSA 
12: 22 DHE-RSA-DES-CBC3-SHA 168 TLS1 Native DES SHA EDH/RSA 
13: 22 DHE-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA EDH/RSA 
14: 22 DHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA EDH/RSA 
15: 22 DHE-RSA-DES-CBC3-SHA 168 DTLS1 Native DES SHA EDH/RSA 
16: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA 
17: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA 
18: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 
19: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 
20: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 
21: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 
22: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 
23: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 
24: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 
25: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 
26: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 
27: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 
28: 10 DES-CBC3-SHA 168 TLS1 Native DES SHA RSA 
29: 10 DES-CBC3-SHA 168 TLS1.1 Native DES SHA RSA 
30: 10 DES-CBC3-SHA 168 TLS1.2 Native DES SHA RSA 
31: 10 DES-CBC3-SHA 168 DTLS1 Native DES SHA RSA 
32: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 
33: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 
34: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 
35: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 
36: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 
37: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 
38: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 
39: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 
40: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 
41: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA 
42: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1 Native DES SHA ECDHE_RSA 
43: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA ECDHE_RSA 
44: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDHE_RSA 

Example:

Currently 1024 bit Diffie-Hellman is considered insecure, so you may want to change the cipher string. You can use this to disable DHE:

!DHE:DEFAULT

You can check the resulting cipher list from the console before applying the change:

 # tmm --clientciphers '!DHE:DEFAULT'
 ID SUITE BITS PROT METHOD CIPHER MAC KEYX
 0: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA 
 1: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA 
 2: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 
 3: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 
 4: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 
 5: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 
 6: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 
 7: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 
 8: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 
 9: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 
10: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 
11: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 
12: 10 DES-CBC3-SHA 168 TLS1 Native DES SHA RSA 
13: 10 DES-CBC3-SHA 168 TLS1.1 Native DES SHA RSA 
14: 10 DES-CBC3-SHA 168 TLS1.2 Native DES SHA RSA 
15: 10 DES-CBC3-SHA 168 DTLS1 Native DES SHA RSA 
16: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 
17: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 
18: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 
19: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 
20: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 
21: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 
22: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 
23: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 
24: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 
25: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA 
26: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1 Native DES SHA ECDHE_RSA 
27: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA ECDHE_RSA 
28: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDHE_RSA

The cipher string "!DHE:DEFAULT" results in an A- grade at ssllabs. The reason for the minus is:

“The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-”

If you want to give priority to the "Forward Secrecy" ciphers and lower priority to 3DES, you can change the cipher string to

-3DES:ECDHE:!DHE:DEFAULT
 # tmm --clientciphers '-3DES:ECDHE:!DHE:DEFAULT'
 ID SUITE BITS PROT METHOD CIPHER MAC KEYX
 0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 
 1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 
 2: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 
 3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 
 4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 
 5: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 
 6: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 
 7: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 
 8: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 
 9: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA 
10: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1 Native DES SHA ECDHE_RSA 
11: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA ECDHE_RSA 
12: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDHE_RSA 
13: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA 
14: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA 
15: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 
16: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 
17: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 
18: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 
19: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 
20: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 
21: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 
22: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 
23: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 
24: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 
25: 10 DES-CBC3-SHA 168 TLS1 Native DES SHA RSA 
26: 10 DES-CBC3-SHA 168 TLS1.1 Native DES SHA RSA 
27: 10 DES-CBC3-SHA 168 TLS1.2 Native DES SHA RSA 
28: 10 DES-CBC3-SHA 168 DTLS1 Native DES SHA RSA

This string moves the ECDHE ciphers to a higher priority, and 3DES moves down. The result is "Grade A" or "A+".

But be careful: a better cipher often means worse performance. Depending on your hardware, "ECDHE-RSA-AES128-GCM-SHA256" may be 3 times slower than "AES128-GCM-SHA256".
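Reading the two `tmm --clientciphers` tables above by eye is error-prone, so here is an added example (not from the original post, and not an F5 tool) that summarises such a table: how many suites offer forward secrecy, how many do not, how many are 3DES, and at which position the first forward-secrecy suite appears, which is what decides whether a browser that follows the server's preference order ends up with one. It assumes the column layout shown in the post (ID SUITE BITS PROT METHOD CIPHER MAC KEYX) and treats key exchanges starting with ECDHE or EDH as forward secrecy. The sample table is an abridged, constructed copy of the "!DHE:DEFAULT" listing.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the table printed by
# `tmm --clientciphers` so a candidate cipher string can be judged before it
# goes into the SSL profile. The parser assumes the column layout shown in
# the post: index, ID, SUITE, BITS, PROT, METHOD, CIPHER, MAC, KEYX.

# Print "fs=<n> nofs=<n> 3des=<n> first_fs=<index|none>" for the table on stdin.
# Forward secrecy is assumed for key exchanges that start with ECDHE or EDH.
cipher_report() {
    awk '
        $1 ~ /^[0-9]+:$/ {
            idx = $1; sub(/:/, "", idx)
            keyx = $NF; cipher = $(NF-2)
            if (keyx ~ /^(ECDHE|EDH)/) { fs++; if (first == "") first = idx }
            else nofs++
            if (cipher == "DES") des++
        }
        END {
            printf "fs=%d nofs=%d 3des=%d first_fs=%s\n", fs, nofs, des, (first == "" ? "none" : first)
        }'
}

# Print each distinct suite name that offers no forward secrecy.
suites_without_fs() {
    awk '$1 ~ /^[0-9]+:$/ && $NF !~ /^(ECDHE|EDH)/ && !seen[$3]++ { print $3 }'
}

# Constructed sample, abridged from the post's "!DHE:DEFAULT" listing.
SAMPLE_TABLE=' ID SUITE BITS PROT METHOD CIPHER MAC KEYX
 0: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA
 1: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA
 2: 10 DES-CBC3-SHA 168 TLS1.2 Native DES SHA RSA
 3: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
 4: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
 5: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDHE_RSA'

printf '%s\n' "$SAMPLE_TABLE" | cipher_report
echo "suites without forward secrecy:"
printf '%s\n' "$SAMPLE_TABLE" | suites_without_fs
```

On the F5 console this becomes `tmm --clientciphers '-3DES:ECDHE:!DHE:DEFAULT' | cipher_report`; a string is in good shape for the ssllabs "Forward Secrecy" check when first_fs is 0 and nofs only covers the fallback suites at the end of the list.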

Links: https://support.f5.com/csp/article/K17370 https://ssllabs.com


Check Raid Status for Dell Raids on Linux

Linux support from Dell is still very poor. They still support only RedHat$ and SuSE$.

But there are ways to check the RAID status of a Dell server on Debian. http://hwraid.le-vert.net/ does a good job of collecting information and building Debian style packages.

Example: 

A Dell server "PowerEdge T130" with "LSI Logic / Symbios Logic MegaRAID SAS-3 3008", also called "PERC H330", running Debian 8.7.

The kernel uses the megaraid_sas driver. At http://hwraid.le-vert.net/debian/pool-jessie you can find a package called "megacli_8.07.14-1_amd64.deb".

You can check your RAID status with:

megacli -LDInfo -Lall -a0

or add this to your crontab file to receive mails when not all RAIDs are in "Optimal" state:

7 * * * *    /usr/sbin/megacli -LDInfo -Lall -a0 | grep "^State" | grep -v " Optimal$"