Category Archives: linux

Using IWD instead of wpa_supplicant

I always feel like I am a few years behind. Here is another example. Here at nearly the end of 2021 I have learned about IWD (iNet Wireless Daemon), which is a replacement for wpa_supplicant.

This is just to record a few facts about experiences over the last couple of days, subsequent to receiving and setting up a new laptop. I installed Arch on this laptop, and initially followed what I had previously done in the earlier post: Switching to systemd-networkd.

One of the problems described in that post is that if one follows what it says, a side-effect is the loss of any very good “graphical” way to switch a laptop from one SSID to another. I detail there how I used a downloaded package called wpa_gui to do that, but while it is a good step forward, it is a bit clunky. Maybe I’m not using it exactly right… I mean no disrespect to its authors, and am glad it exists; but I went looking for something else. And I discovered the IWD package.

When I downloaded and installed IWD, in ignorance, I managed to completely eliminate my wireless device and spent a good deal of time recovering. Following are some things I learned. But there are two different changes in my environment going on here, and while they are related I’m not claiming that one requires the other. One of the changes is the substitution of IWD for wpa_supplicant as the party responsible for interacting with wireless radios, selecting one, authenticating to it, and making it available as a device. The second change is that I have begun to use NetworkManager again, in conjunction with systemd-networkd.

IWD is a systemd service, as are wpa_supplicant, NetworkManager, and systemd-networkd, and it is possible to create a great deal of confusion when all of these bits are installed on the same system. If one desires to have more confusion, one has only to do all this on an Ubuntu system, where the presence of Canonical’s netplan software adds another order of magnitude of complexity, and additional opportunities for foot target practice.

One of the big opportunities for confusion arises when IWD renames network devices. If one has “.network” files (for steering systemd-networkd) which rely upon matches on the device names, surprise! The device names (like wlp11s0) get changed to (e.g.) wlan0 by IWD.

I probably don’t understand all this well enough to attempt to explain it, and will probably only look foolish if I try, so instead I will just detail where I ended up on two of my laptops.

I have enabled the services IWD, systemd-networkd and NetworkManager. In /etc/NetworkManager/NetworkManager.conf I have a [device] section containing the setting “wifi.backend=iwd” which instructs NetworkManager to rely on IWD rather than wpa_supplicant, and prevents NetworkManager from trying to start a wpa_supplicant. I have removed the local service file /etc/systemd/system/wpa_supplicant/wpa_supplicant@wlp11s0 (which I had described in my previous blog post), and have stopped and disabled (and even masked) the associated wpa_supplicant@wlp11s0 service as well as the plain wpa_supplicant service.

In /etc/systemd/network I have a .network file for 09_<laptop> containing the networkd description, same as before, except that the [Match] section now says “Name=wl*” instead of the previous “Name=wlp*” (because of IWD changing the name from wlp11s0 to wlan0).

Finally, one of these laptops is still Ubuntu, so one gets the additional joy of netplan. There, in the /etc/netplan directory, I went back to a yaml file which names the “renderer” as NetworkManager instead of systemd-networkd. My current, perhaps flawed, understanding of this setting in netplan is that when netplan runs at boot time it uses the (collected and merged) yaml files to build the files for either systemd-networkd (in /run/systemd/network/) or for NetworkManager (in /run/NetworkManager/). These generated files then get combined with similar files from /lib and from /etc (the latter having greatest priority, the former having least, and /run in the middle).

Going back to NetworkManager has one downside for me, the thing which drove me earlier to abandon NetworkManager in favor of systemd-networkd: the specification of the IPv6 DUID to be used when soliciting an IPv6 address via DHCPv6. I can’t find information about how to stipulate the DUID to be used (for example in this nm_connection documentation). What I have done is develop better tools to figure out what NetworkManager decided to send, so I can arrange for the DHCPv6 server to assign a static address to that DUID.

Protecting ssh

I have a dozen or so boxes, mostly little raspberry pis, out in people’s houses which let me do backups for them, and attach to their networks. I’ve documented this before in “Gateway pi”, “Memory on the Gateway Pi”, and “Timemachine on Gateway pi” for example.

Connection between these boxes and my house is with SSH, and I use openssh certificates as described in “Using openssh certificates” and “Re-signing Openssh Certificates”. However, there has always been a little nagging problem, which is that these boxes must (re-)establish their connection to me automatically upon reboot, without user intervention. This means that the private keys that accompany the certificates cannot be encrypted, for that would require human intervention.

So there is a risk. Those raspberry pis have upon them a certificate and a private key which would enable access to boxes in my house. Not completely unrestricted access, and not root access, but nevertheless.


Adding mail accounts

This is a memory aid, like a lot of these posts. Because I forget how to do things and have to figure it out again.

Adding mail accounts on a virtual mailbox domain requires two things: a) make an entry in /etc/postfix/virtualmb and posthash it, and b) ensure the username exists in the users database on tarragon.

Adding mail accounts on the primary domain (without creating a login account and home directory, etc.) requires a) making an entry in /etc/postfix/localrecipientsmap and posthashing it, and b) adding the username to the users database.

Detecting SSH Brute Force

It always annoys me when I see the log filling up with ssh attacks. It isn’t really a worry: these are password-guessing attempts, and since password authentication isn’t permitted they will never work.

I’ve been meaning for a long time to investigate the tools available in iptables with the “recent” module to detect them and block them. Today I finally did it.

There is a little script in /root called sshdrop, which contains the iptables rules. It is parameterized, but currently set to react to more than 2 SYNs in 20 seconds, and it sends rejects with tcp-reset.

I also downloaded a little python script to inspect /proc/net/xt_recent/DEFAULT and decode it a bit, which lets me see how many attackers there are, and how recently they were seen. The script is invoked with ipt_recents -txt.
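Here, as an added example and not the ipt_recents or sshdrop script from the post, is a decoder for that table. Each line of /proc/net/xt_recent/DEFAULT follows the kernel's xt_recent.c layout (source, TTL, last_seen, then the kept packet timestamps, all in jiffies), and the code replays the post's rule, more than 2 SYNs in 20 seconds, which is --seconds 20 --hitcount 3 in iptables terms. The sample table, the HZ of 250 and the current-jiffies value are assumptions.

```python
"""Decode /proc/net/xt_recent/<TABLE> (the iptables 'recent' match table)
and replay a --seconds/--hitcount rule against it. Added example, not the
post's ipt_recents script. Line layout follows the kernel's xt_recent.c;
timestamps are jiffies, so "now" in jiffies and HZ are needed (HZ=250 assumed).
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"src=(?P<src>\S+) ttl: (?P<ttl>\d+) last_seen: "
                     r"(?P<last>\d+) oldest_pkt: \d+(?P<stamps>.*)$")

@dataclass
class RecentEntry:
    src: str
    ttl: int
    last_seen: int   # jiffies
    stamps: list     # jiffies of the packets the kernel kept for this source

def parse_xt_recent(text):
    """Parse the table text into RecentEntry objects, skipping odd lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamps = [int(s) for s in m["stamps"].replace(",", " ").split()]
            entries.append(RecentEntry(m["src"], int(m["ttl"]),
                                       int(m["last"]), stamps))
    return entries

def hits_in_window(entry, now, seconds, hz):
    """Stamps no older than `seconds`: the test xt_recent applies per packet."""
    return sum(1 for s in entry.stamps if now - s <= seconds * hz)

def offenders(entries, now, seconds=20, hitcount=3, hz=250):
    """Sources at or over hitcount in the window (the post's >2 SYN in 20 s)."""
    return sorted(e.src for e in entries
                  if hits_in_window(e, now, seconds, hz) >= hitcount)

# Constructed sample (documentation addresses); with HZ=250, 20 s = 5000 jiffies.
SAMPLE = """\
src=203.0.113.45 ttl: 52 last_seen: 4300509950 oldest_pkt: 7 4300505200, 4300507500, 4300509950
src=198.51.100.9 ttl: 118 last_seen: 4300509000 oldest_pkt: 2 4300400000, 4300509000
src=192.0.2.17 ttl: 64 last_seen: 4300400100 oldest_pkt: 3 4300400000, 4300400050, 4300400100
"""
NOW = 4300510000   # assumed current jiffies when the table was read

if __name__ == "__main__":
    for e in parse_xt_recent(SAMPLE):
        print(f"{e.src:15} seen {(NOW - e.last_seen) / 250:6.1f}s ago")
    print("over threshold:", offenders(parse_xt_recent(SAMPLE), NOW))
```

On a live box, feed it the real file contents and the current jiffies (root can read the jiffies: line in /proc/timer_list; HZ is CONFIG_HZ in the running kernel's config).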

Seems to be working well.

Attaching and backing up the iphone

I have an iPhone 11. From time to time it would be nice to be able to attach it to my network. Always a struggle.

The old Macbook Pro can only run High Sierra, and then only with some special jiggery-pokery. I can sometimes get iTunes on the Macbook to connect to the iPhone, and can usually figure out how to get data into some app using that, or to do a backup, but it is a hassle. The Windows 10 box with iTunes won’t connect to it at all, and (typical of Windows) won’t explain why. I really just want to mount it without all the fuss.

I found a guy on the net who claimed to be able to mount his iPhone on Arch, so I tried following his instructions, which basically involved installing a few packages: usbmuxd, libplist, libimobiledevice and ifuse, the last of which I had to install from AUR. That was easy enough.

Then reboot, plug in the iPhone, and voilà. It is detected.

I created a directory /ginger, and mounted it with ifuse /ginger, and Bob’s your uncle, I have access to its disk on Arch.

Then I checked on a whim whether I could do a backup. Sure enough, libimobiledevice comes with idevicebackup2 which, supposedly, will do a backup of the device. Alas, it doesn’t work, complaining of a protocol mismatch, which according to the net means that the version 1.3.0-3 available on Arch is not the latest, and I need 1.3.1. The alternative is to download from git and compile from source.

This is low priority for me. I still can do an occasional backup on the Macbook, when I think of it, either locally or to iCloud, via iTunes. The local backup is stored in /Users/dee/Library/Application Support/MobileSync/backup and can be copied elsewhere by root. I don’t actually have much on the iPhone that needs a backup. Many people have their contacts and calendar exclusively on the phone, but I keep both my contacts and calendar in radicale on my server and connect to them from everywhere.

I may eventually do this if there comes a time the backups become important. For now I’ll just wait till a later version shows up in Arch.

Switching to systemd-networkd

Since moving to IPv6 I have had two recurrent problems: one with some conflict between systemd and the kernel over /proc/sys/net/ipv6/conf/*/accept_ra, and the second with losing the static IPv6 address assignments on some boxes. I believe the former problem to have something to do with systemd wanting to have control of the sysctl variables, such as accept_ra.

The latter problem is due to the various bits of software that want to have a say in the control of the network. In part some of this is my own fault, as I do have these various bits installed – and if they weren’t installed they could not be causing trouble.

I installed NetworkManager in some places, even when it hadn’t been installed by default, because I wanted to be able to control things with the network applet in gnome. I installed dhclient, even where it hadn’t been installed by default, because I wanted better ability to see and control the DHCPv6 leases, particularly the DUID, and NetworkManager made that difficult (and astonishingly, in some cases simply didn’t work).


IPv6 Re-implementation

This is a follow-up to the activities in IPv6 implementation, which was published on March 2nd and revised up through March 19th, as new challenges were addressed. Since March 19th a great deal of what I wrote has been revised, as I have learned a lot more.

The main issue was that there remained a number of problems with the implementation of IPv6 in my residence.

  • The biggest was the question of how to handle the delegated prefix, particularly in renumbering. I have to note that over the course of the last several months Comcast has never changed my prefix, except early on, when I forced it to do so by changing my DUID. And I don’t think it likely that my prefix would change unless some great catastrophe befalls which results in my being down for a very extended period – like 30 days; or, more likely, there is some change in my service (a change in ISP, or perhaps fiber arriving in my area).
  • The first implementation required that I make patches to the code of my router. This meant that I would have to figure out how to carry those patches forward in the event of firmware updates from Ubiquiti, the maker of the Edgerouter-X that I am using.
  • The implementation was pretty fragile, with a lot of unrelated bits in different places. In particular there was a lot of hand-waving in trying to assign and maintain a separate network for the virtual machines on one of the interior boxes.

Waiting for networks

I was revising some things in my startup scripts. I have a sort of generalized startup script in all the boxes in my constellation, which is capable of doing 8 or 10 different things that various of the boxes need to do at startup.

For example, the various gateway boxes need to open up (auto)ssh connections to my house with reverse tunnels so I can reach them. On some boxes I want them to open a vncserver so I can get a graphical environment up. On some others they may need to mount some filesystems, with smb or nfs. On some of them I want them to figure out where their router is, in case I want to open up their router in a browser. On some I need them to establish the keychain.


more spam improvements

Over the last couple of weeks I have made the following improvements in spam checking for mail handling on tarragon. Tarragon handles mail for about 20 domains, although only about a dozen have any mail to speak of.

I used to have entries in the amavis whitelist file, but this is/was a weakness: it is easy to fake sender addresses. Use of the amavis sendermaps feature is preferable, because that way one can give a spamassassin bump to a known address or domain, but the value of the bump can be small enough not to overcome other attributes of the message. So egregious spam that claims to come from my own domain will still be caught. Also, I can have sendermaps for each separate email domain, instead of a whitelist applying to everyone. The file /etc/amavis/conf.d/56-sendermaps now has all the sendermaps.


Spamassassin change

I seemed to have more spam getting through. When I look at those messages which I think should have been caught, I observe that many/most/almost all of them contain in the X-Spam-Status the value RCVD_IN_DNSWL_HI=-5. Spamassassin is giving them a whopping -5 whole points if the source IP of the message appears in the High reliability list of the DNSWL site, which according to what I read is one of those sites that maintains reputation lists, and says of the High list:

“Recommended Usage: Skip spam filtering for medium and high ranked IPs. These are trusted to send spam rarely enough that they are not worth filtering.”

There is some discussion on the net; others too seem to think they are getting a lot of spam because of this, suggesting that a site on the dnswl High list can be induced to forward spam. I know little of all of this, but I have added a rule to /etc/spamassassin/:

score RCVD_IN_DNSWL_HI 0 -0.1 0 -0.1

This changes the value from -5 to -0.1. If I set it to 0 (as I originally did) then I can’t tell in X-Spam-Status whether the rule applied or not. Now I see the rule in X-Spam-Status with a small value.
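To check that reasoning against real headers, here is an added example (not a tool from the post) that re-scores messages from the X-Spam-Status line amavis writes, with RCVD_IN_DNSWL_HI at -0.1 instead of -5, and lists the ones that were let through but would now meet the required threshold. It assumes amavis's tests=[RULE=score, ...] layout, which carries each rule's score; the header values are constructed.

```python
"""Re-score messages from their X-Spam-Status headers to see which would
have been caught with RCVD_IN_DNSWL_HI at -0.1 instead of -5, as the post's
'score' line arranges. Added example, not a tool from the post. It assumes the
amavis header layout, tests=[RULE=score, ...], which carries each rule's
score; the sample header values are constructed, not taken from real mail.
"""
import re

RULE_RE = re.compile(r"([A-Z][A-Z0-9_]*)=(-?\d+(?:\.\d+)?)")
NEW_SCORES = {"RCVD_IN_DNSWL_HI": -0.1}   # what the post's 'score' line sets

def parse_status(header):
    """Return (score, required, {rule: score}) from an X-Spam-Status value."""
    score = re.search(r"\bscore=(-?\d+(?:\.\d+)?)", header)
    required = re.search(r"\brequired=(-?\d+(?:\.\d+)?)", header)
    tests = re.search(r"\btests=\[?([^\]]*)", header)
    if not (score and required and tests):
        raise ValueError("unrecognised X-Spam-Status: %r" % header)
    rules = {n: float(v) for n, v in RULE_RE.findall(tests.group(1))}
    return float(score.group(1)), float(required.group(1)), rules

def rescore(header, overrides):
    """Total with the given rule scores swapped in -> (new_score, flagged)."""
    score, required, rules = parse_status(header)
    for rule, new_value in overrides.items():
        if rule in rules:              # rules the message did not hit are ignored
            score += new_value - rules[rule]
    return round(score, 3), score >= required

def newly_caught(headers, overrides):
    """Indexes of messages that slipped through but would be flagged now."""
    return [i for i, h in enumerate(headers)
            if parse_status(h)[0] < parse_status(h)[1] and rescore(h, overrides)[1]]

SAMPLES = [  # constructed header values in amavis form
    "No, score=1.825 tagged_above=-999 required=5 tests=[BAYES_99=3.5, "
    "BAYES_999=0.2, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, URIBL_BLACK=1.7, "
    "MISSING_MID=0.14, RDNS_NONE=1.274, T_REMOTE_IMAGE=0.01] autolearn=no",
    "No, score=-7.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, "
    "DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, "
    "HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham",
    "Yes, score=9.174 tagged_above=-999 required=5 tests=[BAYES_99=3.5, "
    "BAYES_999=0.2, URIBL_BLACK=1.7, URIBL_DBL_SPAM=2.5, RDNS_NONE=1.274] "
    "autolearn=spam",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(parse_status(h)[0], "->", rescore(h, NEW_SCORES))
    print("newly caught:", newly_caught(SAMPLES, NEW_SCORES))
```

The second sample is the point of choosing -0.1 rather than simply ignoring the list: a well-scored ham message with the same -5 entry stays well under the threshold after rescoring.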

So far this seems to have helped. Encouraged by this, I’ve added another couple of specifications to /etc/spamassassin/, to wit:

ok_languages en fr
ok_locales en fr

These should act to increase the “spaminess” score of emails in other languages and character sets. A couple of mail users are French speakers, but AFAIK nobody using tarragon for mail speaks any other language and/or receives mail in another language.