Saturday, January 31, 2009

Ubuntu one liner - Find out which packages are installed

The following one liner can be useful if you want to see which packages are installed in your Ubuntu machine. (it should work on debian also)

dpkg --get-selections | grep -v deinstall

Monday, January 26, 2009

When getting a tcp packet from USA than a local ISP is faster...

Today i decided to update our desktop linux machines to the latest and greatest Ubuntu version (8.10).
I was using it for sometime on my laptop and decided it would not break anything so it was time for an upgrade.
Since Digital-OPSiS office is in Athens, Greece,we use as a repo to pull updates etc.
I noticed that the download speed was not that great so i switched one of the machines to use the use the US mirror instead... and it took about 40% less time to download the same packages...
Doing a simple ping to the gr and us mirrors cleared things a bit more.

stelios@DIAS-Linux:~$ ping
PING ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=58 time=197 ms
64 bytes from ( icmp_seq=2 ttl=58 time=199 ms
64 bytes from ( icmp_seq=3 ttl=58 time=201 ms
64 bytes from ( icmp_seq=4 ttl=58 time=197 ms
64 bytes from ( icmp_seq=5 ttl=58 time=194 ms
64 bytes from ( icmp_seq=6 ttl=58 time=202 ms
64 bytes from ( icmp_seq=7 ttl=58 time=204 ms

--- ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 5998ms
rtt min/avg/max/mdev = 194.562/199.653/204.150/3.273 ms

stelios@DIAS-Linux:~$ ping
PING ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=54 time=90.2 ms
64 bytes from ( icmp_seq=2 ttl=54 time=89.9 ms
64 bytes from ( icmp_seq=3 ttl=54 time=90.3 ms
64 bytes from ( icmp_seq=4 ttl=54 time=89.5 ms
64 bytes from ( icmp_seq=5 ttl=54 time=89.1 ms
64 bytes from ( icmp_seq=6 ttl=54 time=88.6 ms

--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 88.453/89.106/90.142/0.816 ms

It looks like it takes 2.5 times more time to reach the local Athens uni, where the mirror is than the US mirror.
I was aware that there are capacity issues at the AIX the Greek providers are using for interconnecting but this is really ridiculous...

Friday, January 23, 2009

Doing a reverse ssh tunnel the embedded way

Having a large number of asterisk pbx installations creates some interesting problems to people who provide support for them.
One of tha major issues is how do you get access to the PBX if it is sitting behind a firewall/nat where you have little on no control and/or has a dynamic ip.
In most cases you could forward the ssh port from the vpn/router to the the asterisk machine but there are several problem that can come up with this way.
1) More and more companies have a strict "no incoming ports open" policy.
2) Having a permanent "unrestricted" access to the pbx equipment and its logs and functions,might make some companies very skeptic.
On the other having to send a tech person to a 2 hour drive to add an extension or make a minor modification to the dialplan is rather expensive and would create a real support nightmare.

After thinking about it and discussing with our clients (and their clients), we came up with the idea of a customer triggered solution that would create some form of secure "tunnel" from the Hermes e-IPBX to the suport center of the company that is providing support for the PBX.

The idea is simple.
If a tech needs to access the PBX remotely, a person in the company calls an extension, enters a password and the the pbx creates a secure tunnel to the server of the support company giving them access.
Once support has finished, the person in the company calls again the same extension shutting down the tunnel, and everything goes back to normal.
No open ports, no "unauthorized" access.

The question then came, to what type of secure tunnel we would use.
The solution had to provide a secure login and also access to web interface (port 80) of the pbx
Since Hermes e-IPBX runs on embedded devices also it had to be something small in size.
With this in mind we started investigating two options.
A PPTP vpn and a reverse ssh tunnel.

We started with the ssh option first, as almost all of the required pieces of software where in place,as Hermes e-IPBX is using dropbear as an ssh client/server.

One very little know fact about the ssh is that on top of providing secure logins to remote hosts, it can create secure tunnels between two points and forward ports between them.
Another even less known fact is that it can create reverse tunnels, where machine A which is behind a firewall/nat can be accessed by machine B without having to change anything in machine's A firewall/nat.
For this to work, machine B must have a publicly accessible ssh server.

It goes like this

Machine A initiated a reverse ssh tunnel connection to machines B ssh serv

# ssh -fNR [bind_address:]port:host:hostport] [user@]hostname

Once this is done machine B initiates a LOCAL connection to the port machine A is using as forward.

# ssh localhost -p port

As example we want to access the target node (name: localhost) from our node (name: The port we want to access is port 22 and it will be accessible from our node at port 2222.
# ssh -fNR 2222:localhost:22
After that, the you are prompted password as usual. After successful login, the command quit but it will remains in background.To access the target node, use our node to access the forwarded port (2222). So let say, if you want to ssh into the machine (because we have forwarded ssh port), we can use this command
# ssh localhost -p 2222

That is all. You now have loged in to the remote machine.

We had this example tested using our Ubuntu desktops but when we tried to implemented to the Hermes e-IPBX a few problems come up.

First, dropbear requires slightly modified commands
so the

# ssh -fNR 2222:localhost:22


# ssh -f - N -R 2222:localhost:22

Second and most important, the moment we had machine's B 22 port open (the one with the publicly accessible ssh server) we received a number of brute force ssh password guessing attacks.
Normally this would not be much of a security problem (unless of course your root password is "sex" or "god" :) but it is both annoying having to switft over large logs with failed attempts and also could work as a potential DOS attack.

The good thing about this ssh brute force attacks is that in most cases are started by "script kiddies" and the only port they scan is 22.
So if you move your ssh server to another higher port the problem pretty much disappears.
Off course as an added protection to your extra-secure-ssh-password :) it would make sense to put the machine with the ssh server on the dmz zone of your network. In the case your extra-secure-ssh-password is not so secure or a security hole is found in your ssh server.

So assuming you move the ssh server to port 3333 the command on machine A should become

# ssh -p 3333 -f - N -R 2222:localhost:22

In a following post i'll show how to merge all the above with the asterisk dialplan and create a neat support feature.

Tuesday, January 20, 2009

The Voltcraft energy Logger 3500 has arrived

The Voltcraft energy Logger 3500 has arrived today and already had the first surprise.
As a test, I connected an extension cord which had my mobile's charger, and a BT handset charger to see how its working.
I unplugged the devices one after the other to see how much the current consumed was dropping and even when i had both of them disconnected Volcraft was registering a 1W power consumption.
I though it was weird,considering that the extension cord is passive, but then i noticed that my extension cord has a switch with a light, to show when its on or off.
Switching off the cord power consumption went to 0...
Wow 1W from the lamp of the extension cord !
Although this is close to the error range of the Voltcraft,that made me wonder how many other devices are"hidden" consumers of electricity around the house or the office.

Thursday, January 15, 2009

Measuring embedded asterisk power consumption

For sometime now i wanted to look at the power consumption of embedded devices running asterisk compared to a "standard" pc (if such a thing exists) and possible extend it also to measure standard PBX's.

With a first look it looks easy enough, but as with all measurements where you want an accurate result the devil is in the details.

First problem that has to be answered is "How do you get an accurate measurement of the power consumption"

There are several low-cost "energy metering devices" ( 15-20 Euros) in the market, in some cases you can find then in supermarkets also, but the accuracy they provide is rather dubious.
From a first look most could not measure power if the power was less than 5W, which is close to what a lot of embedded boards are rated at.
Also is very close to what most PC power supplies would consume in idle mode.

There are some professional equipment out there but spending 400-2500K Euros was not an option.
So after some search and reading i found a device that looks accurate enough and won't make a big dent on the budget.

This was Voltcraft Plus Energy Logger 3500 from

According to the specs it could measure :

Operating voltage 230 V/AC
Performance measurement display 0.1 -3500 W
Performance consumption display 0.000 - 9999 kWh
Display 3-cell with 4 positions each
Tariff range 0,000 - 9,999
Accuracy 5 - 3500 W (± 1% + 1 count)
2 -5 W (± 5% + 1 count)
less than 2W (± 15% + 1 count)

So it provides a +- 5% accuracy from 2-5 W which is rather good for a device that costs 50 Euros.

The other big advantage is that it uses an SD card to store measurements and comes with a piece of software to display the data captured.

I have placed an order for it and i expect it to arrive within next week.
That would give me enough time to figure out which devices and the way to test them.

Any ideas/suggestions/criticism is welcome.

Monday, January 12, 2009

Musopen ! copyright free (public domain) music

I was looking for free (as in beer) music i could use with our HERMES e-IPBX for Music On Hold.
After some Googling i found Musopen.
Musopen is an online music library of copyright free (public domain) music.
As a footnote, If you finally decide to use it please make a donation ( i know from experience that most Open Source project need help in any form)

Sunday, January 11, 2009

World PSTN Tone Database

If you are interested in setting your sip phones or asterisk dialtone (or other tones) to be similar to the country you are in there is an online database with tone settings

It provides the frequency and cadence info plus it displays it with the format to be used by asterisk or sipura/linksys phones.

Friday, January 9, 2009

Updating the NVIDA CUDA driver in Ubuntu

I am running Ubuntu 8.04 (Hardy) 64bit on my desktop and also have the NVIDIA CUDA installed to do some "R&D" work on accelerating asterisk codecs using the NVIDIA GPU's.
Since Ubuntu does not provide a package with the CUDA drivers i had them manually installed.

All things are great till you get a new kernel update from Ubuntu...
After the kernel update the NVIDIA driver (as expected) does not load and your X server switches to a low resolution mode.
Then you need to re-install the NVIDIA CUDA drivers and it can be a bit problematic since the installer requires X server to be shut-down.

So here is what i do

First press


to switch to a terminal window, and login

then type

sudo /etc/init.d/gdm stop

That stops the X server and you can now install the drivers.

Go to the dir where the file is
(I am currently using and write

sudo ./

The installer will warn you about an allready installed driver but you can ignore it.
Then it will not find a pre-build module so it will build it on the fly.

When asked about updating your X server config, answer no, as this will probably mess-it up.

Do a reboot and the NVIDA logo (with the big BETA) should come up and you should now be in the same mode as before the kernel update.

BTW you do not need to update the NVIDIA SDK or the tools.

Sunday, January 4, 2009

Happy New Year

Happy New Year to everyone !
Let's hope that things will get better this year, although the first sings are not that good :(