Categories
Network Technologies Raspberry Pi

Making the Raspberry Pi camera look like an Axis ethernet camera

Intro
I can’t add much to this excellent guide:

http://blog.miguelgrinberg.com/post/how-to-build-and-run-mjpg-streamer-on-the-raspberry-pi

except a few customizations and suggestions.

I think we will be able to manage to make the Raspberry Pi + its camera behave like an Axis ethernet camera. This can be useful for First Robotics. But I haven’t proven it out yet, I’m just anticipating it can be done.

I will also mention there is a better way to get real-time true motion video (see the references) and there are sure a lot of ways to not even come close – I know because I tried a bunch of dead-ends before I hit on a good way to do this! I will try to share some of my failures so others can avoid things like vlc, motion, raspistill, etc.

The details
The Axis camera (I think it’s model 206) sends output via MJPG (motion JPEG). The Raspberry Pi camera can be made to do the same, with a little tweak here and there.

For instance the mjpg-streamer’s default port is 8080, but you can change it to 80, just like the Axis camera.

Instead of

$ LD_LIBRARY_PATH=/usr/local/lib mjpg_streamer -i "input_file.so -f /tmp/stream -n pic.jpg" -o "output_http.so -w /usr/local/www"

do this:

$ LD_LIBRARY_PATH=/usr/local/lib mjpg_streamer -i "input_file.so -f /run/shm -n pic.jpg" -o "output_http.so -p 80 -w /usr/local/www"

You’d better make sure you don’t have an apache server or something else listening on port 80, however.

Our enemy – lag
Although this command provides some helpful insights into the efficient running of raspistill:

$ raspistill --nopreview -w 640 -h 480 -q 5 -o /run/shm/pic.jpg -tl 100 -t 9999999 -th 0:0:0 &

it is not sufficient by itself to eliminate all lag, unfortunately. I think the -q switch is a big help, however. In my testing lag seems to be under a second. So, ok, but nothing to write home about. But it’s easy to make it worse than that….

I settled on this testing methodology to get more precise results about lag and frames per second (fps). I held my smartphone with its stopwatch app running next to the computer screen, with the Pi camera close and pointed at the phone. So in my field of view I could see the actual phone plus the phone image from the Pi on the laptop. This test was very helpful in illuminating what is going on in fact.

No matter how many fps I requested (e.g., 10 fps by setting -tl 100) the best I can do is a frame every 0.6 seconds (1.6 fps). Because of the stopwatch app I know this pretty precisely! The other interesting thing is that contrary to what I thought prior to doing this more quantitative test, the lag actually isn’t all that bad! It’s maybe 0.2 s. What made the lag seem larger is that you often get “unlucky” and your motion seems delayed because there are so few frames per second repainting the screen.

To be continued…

Other bad approaches
Supposedly, I was assured, true motion video can be achieved following this recipe. It uses a package called motion. There is no use of either raspistill or raspivid, which is probably a good thing. I have yet to try this out – I just learned about it. Apparently it also solves the lag problem, at least at a low frame rate. This turned out to be one of those dead ends for me. Yes it more-or-less works, but not in real-time and not providing smooth motion.

References
I finally achieved true motion video and documented it in great detail in this post.

Categories
Admin ntp Security

Correct way to run an ntp server

Intro
Concerns about DOS and DDOS have been heightened recently, for instance http://securityaffairs.co/wordpress/20934/cyber-crime/symantec-network-time-protocol-ntp-reflection-ddos-attacks.html. A more bare-bones, antiseptic description is here in CVE-2013-5211. Unfortunately those inventive hackers have found new ways to create headaches for us good guys. Last month saw an increase in DDOS attacks using poorly configured public ntp servers to create packet amplification. I’ve looked into it and determined how to run an ntp server without exposing your server to being an unwitting source of this type of traffic.

The details

This mostly applies to SUSE Linux (SLES), but I don’t think the other Linux distros would be all that different. In SLES you have the NTP configuration in /etc/ntp.conf. You have of course the regular lines, plus the server lines, which may look something like this:

...
server otc1.psu.edu prefer
server ntp2.usno.navy.mil
server tock.usno.navy.mil prefer
server navobs1.wustl.edu
...

You may not be able to use these exact same servers – sometimes you need to ask permission first.

Now if that’s all you had, plus the driftfile and the other blah, blah, you’re probably in trouble. Test this from another Linux server beforehand. Something like:

> ntpdc -c monlist ntp1.johnstechtalk.com

If you start seeing lines like the following you’re in trouble:

remote address          port local address      count m ver code avgint  lstint
===============================================================================
ldrj1200.drjon.drjo.ne 58372 10.192.186.15          2 7 2      0     30       0
ns.drjohnstec.com      48944 10.192.186.15          1 7 2    5d0      0      11
neus.drj.drjohnstechta   123 10.192.186.15          8 3 2    5d0      2      13
...

That’s no good because with one UDP packet a whole lot of packets can be returned, or worse, sent to a different target since in general the source IP address of the UDP query packet could be spoofed.

The solution
Of course what I’m writing here is not news. It’s just somewhat hard to understand the ntp documentation on this topic on the ntp.org web site.

In my experimentation I’ve found you should add into the ntp.conf file these lines:

restrict default kod nomodify notrap nopeer noquery
# but allow some hosts access
restrict 127.0.0.1
# our monitoring server
restrict 10.192.186.89

Then, a

> sudo service ntp restart

and your remote listing should produce something like this:

> ntpdc -c monlist ntp1.johnstechtalk.com

ntp1.johnstechtalk.com: timed out, nothing received
***Request timed out

and equally important, you can still locally query your ntp server to see that it is still syncing time:

> ntpq -p

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l    5   64  377    0.000    0.000   0.001
*gps1.tns.its.ps .GPS.            1 u  886 1024  377   28.554    3.396   6.836
+ntp2.usno.navy. .PTP.            1 u  154 1024  377   13.124   -1.422   4.658
+tock.usno.navy. .PTP.            1 u  965 1024  377   13.906   -0.058   0.910
+navobs1.wustl.e .GPS.            1 u  194 1024  377   30.817    0.274   1.927

And, equally important, your local servers using your ntp server should also continue to be able to sync time against the ntp server you have set up.
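To check a configuration before restarting ntpd, the restrict lines above can be evaluated offline. This is an added example, not code from the original post: parse_restrict and may_query are hypothetical helper names, the sketch handles only "default" and literal IPv4 entries, and it assumes the most specific matching restrict entry applies.

```python
import ipaddress

# Either flag makes ntpd ignore ntpq/ntpdc queries, monlist included.
BLOCKING = {"noquery", "ignore"}

def parse_restrict(conf_text):
    """Return [(IPv4Network, flags)] for 'default' and literal-IPv4 restrict lines."""
    rules = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words or words[0] != "restrict" or "-6" in words:
            continue  # IPv6 entries are outside this IPv4-only sketch
        args = [w for w in words[1:] if w != "-4"]
        if not args:
            continue
        addr, flags = args[0], args[1:]
        mask = "255.255.255.255"  # a bare address means a single host
        if flags[:1] == ["mask"] and len(flags) >= 2:
            mask, flags = flags[1], flags[2:]
        try:
            net = ipaddress.IPv4Network(
                "0.0.0.0/0" if addr == "default" else f"{addr}/{mask}", strict=False)
        except ValueError:
            continue  # hostname or IPv6 literal: not handled here
        rules.append((net, set(flags)))
    return rules

def may_query(rules, client_ip):
    """True if the most specific matching restrict entry lets client_ip query."""
    ip = ipaddress.IPv4Address(client_ip)
    matches = [(net.prefixlen, flags) for net, flags in rules if ip in net]
    if not matches:
        return True  # no restrict entry applies, so nothing is restricted
    return not (max(matches, key=lambda m: m[0])[1] & BLOCKING)

# Constructed inputs: server lines alone, then with the post's restrict lines.
BEFORE = """\
server ntp2.usno.navy.mil
server tock.usno.navy.mil prefer
"""
AFTER = BEFORE + """\
restrict default kod nomodify notrap nopeer noquery
# but allow some hosts access
restrict 127.0.0.1
# our monitoring server
restrict 10.192.186.89
"""

if __name__ == "__main__":
    for ip in ("203.0.113.7", "127.0.0.1", "10.192.186.89"):
        print(ip, may_query(parse_restrict(BEFORE), ip), may_query(parse_restrict(AFTER), ip))
```

With the server lines alone every address may query; with the restrict lines only the loopback address and the monitoring server may.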

Conclusion
We have shown how to prevent your ntp server from being used in a DDOS attack. Most ntp servers are probably protected by a firewall of some sort, but it still might be a good idea to lock it down in this way as a best security practice.

The official advice talks about upgrading to ntp version 4.7, but I find this impractical for a couple reasons. It is not generally available from the distro package vendors, and it is considered a development release. Hence the effort to massage the configuration of an older NTP server as I’ve documented here to make it invulnerable to this problem.

References
The IT Detective Agency: ntp server shows the wrong time after patching

Categories
Uncategorized

SANSA flying Adventure in Costa Rica

Intro
This is not a technical post but I wanted to document it here anyways. It’s good to be king!

The details
I was with my family recently in Costa Rica. I booked the flights late and paid dearly as a result. In fact the best direct flights were sold out. I ended up relying on Orbitz for a “multiple carriers” flight from Liberia to San Jose (SANSA Airlines), and then from San Jose to the US (United).

The flight to Liberia was a direct United flight, so no problems there. My phone did not work in Costa Rica so I only had sporadic Internet access at the occasional Wifi-enabled restaurant. My time-share place did not have a working Wifi, either.

We had this early flight out of Liberia Saturday so we booked a room at the Hilton airport hotel, which has all the conveniences you’d expect. So I catch up on email. There’s nothing recent from Orbitz. So I try to ensure we have boarding passes.

Imagine my horror when after finally managing to check the Orbitz record locator only one of the four passengers is listed!

Then I manage to find separate United Airlines record locators. Another of the four passengers has a unique record locator, and is booked straight through Liberia to the US. The two remaining passengers have record locators that only show the San Jose to US trip, but I can find no information whatsoever about the Liberia to San Jose leg!

I ask the Concierge to call Sansa. They are very helpful, by the way and they do that. But it’s after 5 PM and they’re closed until 8 AM tomorrow. The flight is scheduled to leave at 7:57 AM, however.

So I get back to the hotel room and tell my family “It’s a cluster mess!” And I use Skype to call Orbitz from my cell phone. After 90 minutes or so on the call they agree that although I bought tickets for four people, only one now shows up in their system with their record locator. They say it is a problem with the airline who has taken over the ticket, United, or SANSA, and that I need to straighten this out with them.

Well, we know we can’t call SANSA, so we try United. But it just happens to be when a giant blizzard had cancelled lots of flights in the previous days. First I am on hold for 45 minutes and then dropped without warning. Then I cannot get back through at all.

We make contingent plans to take a private car service to San Jose since our other flight isn’t until 2:20 PM anyways and we probably should have done it that way to begin with. Again the Hotel is helpful contacting that service and getting the price for that ($240 for four people).

Now we have to go to sleep and just wing it, like in the old days. Either SANSA will have our reservations or they won’t, and there’s nothing we can do about it either way…

Turns out the airport is sort of a sleepy place before 6 AM, when suddenly velvet barriers start going up and airline check-in agents appear. So we’re tired and nervously waiting.

Turns out…

To be continued…

Categories
Admin Network Technologies Raspberry Pi

Basic networking: creating a virtual IP in Debian Linux

Intro
A quick Internet search showed a couple top-level matches that didn’t quite work for me, so I’m documenting how I got my multiple IP assignments on one interface to stick. This was work done for my Raspberry Pi, but it should apply to any Debian Linux system.

The details
I made my file /etc/network/interfaces look as follows:

auto lo
auto eth0
auto eth0:0
 
iface lo inet loopback
# DrJ change: make IP static
# somewhat inspired by http://www.techiecorner.com/486/how-to-setup-static-ip-in-debian/ - DrJ 1/8/13
#iface eth0 inet dhcp
iface eth0 inet static
address 192.168.2.100
gateway  192.168.2.1
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
 
# virtual IP on eth0
iface eth0:0 inet static
address 10.31.42.11
netmask 255.255.255.0
network 10.31.42.0
broadcast 10.31.42.255

I think the key statements missing from some people’s examples are the lines at the top of the file:

auto lo
auto eth0
auto eth0:0

When I didn’t have those I was finding that my primary IP was defined upon reboot, but not my virtual IP, although the virtual IP could be dynamically created with a simple

sudo ifup eth0:0

Still, I wanted it to survive a reboot and adding the auto lines did the trick.
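A quick way to spot the missing-auto problem described above is to list which iface stanzas have a matching auto line. This is an added example, not code from the original post: boot_status is a hypothetical helper name and the sample file is a constructed, shortened version of the one shown above.

```python
def boot_status(interfaces_text):
    """Map each iface stanza to 'auto', 'hotplug' or 'manual' (needs an explicit ifup)."""
    started, stanzas = {}, []
    for raw in interfaces_text.splitlines():
        line = raw.strip()
        # interfaces(5) only supports whole-line comments, so test the line start.
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] in ("auto", "allow-auto"):
            # One auto line may name several interfaces.
            started.update(dict.fromkeys(words[1:], "auto"))
        elif words[0] == "allow-hotplug":
            for name in words[1:]:
                started.setdefault(name, "hotplug")
        elif words[0] == "iface" and len(words) > 1:
            stanzas.append(words[1])
    return {name: started.get(name, "manual") for name in stanzas}

# Constructed sample: the virtual IP stanza is present but has no auto line.
MISSING_AUTO = """\
auto lo
auto eth0

iface lo inet loopback
#iface eth0 inet dhcp
iface eth0 inet static
address 192.168.2.100
netmask 255.255.255.0

# virtual IP on eth0
iface eth0:0 inet static
address 10.31.42.11
netmask 255.255.255.0
"""
FIXED = "auto eth0:0\n" + MISSING_AUTO

if __name__ == "__main__":
    print(boot_status(MISSING_AUTO))
    print(boot_status(FIXED))
```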

Conclusion
A few of the pages you will find on the Internet may give incomplete information on how to configure virtual IPs in Debian Linux. The approach outlined above should work. Additional virtual IPs would just require sections like eth0:1, eth0:2, etc., modelled after what was done for eth0:0.

References
I present some basic information on one way to get started on the Pi without an external monitor (yes, it can be done) here!
If you think you like networking, you will learn a lot of useful tips in this posting which describes how to turn your Raspberry Pi into a full-blown router.

Categories
First Robotics

Trajectory and interactive plot for a large, light ball

Intro
This year’s FIRST FRC challenge involves moving around a large ball. The trajectory will not be a simple parabola as in the case for motion in a gravitational field in a vacuum, because drag will play a sizable role. I used standard equations of motion which take into account drag to offer up this interactive trajectory plotter.

Enjoy!

Trajectory and interactive plotter of a large, light ball

References
Look, the physics hasn’t changed since the challenge of a couple years ago when the motion of smaller, heavier foam balls was the challenge. Drag is drag. So I really didn’t have much to do at all but to recognize that I could liberally steal from my previous effort: Deluscious foam ball trajectory

Categories
Admin Apache Linux

Recording Host Header in the apache access log

Intro
Guess I’ve made it pretty clear in previous posts that Apache documentation is horrible in my opinion. So the only practical way to learn something is to configure by example. In this post I show how to record the Host header contained in an HTTP request in your Apache log.

The details
Why might you want to do this? Simple, if you have multiple hosts using one access log in common. For instance I have johnstechtalk.com and drjohnstechtalk.com using the same log, which I view as a convenience for myself. But now I want to know if I’m getting my money’s worth out of johnstechtalk.com, which I don’t see as the main URL, but I use it to type it into the browser location bar and get directed onto my site – fewer letters.

So I assume you know where to find the log definitions. You start with that as a base and create a custom-defined access log name. These two lines, taken from my actual config file, apache2.conf, show this:

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\"" DrJformat

Then I have my virtual server in a separate file containing a reference to that custom format:

#CustomLog ${APACHE_LOG_DIR}/../drjohns/access.log combined
CustomLog ${APACHE_LOG_DIR}/../drjohns/access.log DrJformat

The ${APACHE_LOG_DIR} is an environment variable defined in envvars in my implementation, which may be unconventional. You can replace it with a hard-wired directory name if that suits you better.

There is some confusion out there on the Internet. Host as used in this post refers as I have said to the value contained in the HTTP Host Request header. It is not the hostname of the client.

Here are some recorded accesses resulting from this format early this morning:

108.163.185.34 - - [08/Jan/2014:02:21:32 -0500] "GET /blog/2012/02/tuning-apache-as-a-redirect-engine/ HTTP/1.1" 200 11659 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36" "drjohnstechtalk.com"
5.10.83.22 - - [08/Jan/2014:02:21:56 -0500] "GET /blog/2013/03/generate-pronounceable-passwords/ HTTP/1.1" 200 8253 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)" "drjohnstechtalk.com"
220.181.108.91 - - [08/Jan/2014:02:23:41 -0500] "GET / HTTP/1.1" 301 246 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "vmanswer.com"
192.187.98.164 - - [08/Jan/2014:02:25:00 -0500] "GET /blog/2012/02/running-cgi-scripts-from-any-directory-with-apache/ HTTP/1.0" 200 32338 "http://drjohnstechtalk.com/blog/2012/02/running-cgi-scripts-from-any-directory-with-apache/" "Opera/9.80 (Windows NT 5.1; MRA 6.0 (build 5831)) Presto/2.12.388 Version/12.10" "drjohnstechtalk.com"

While most lines contain drjohnstechtalk.com, note that the next-to-last line has the host vmanswer.com, which is another domain I bought and associated with my site to try it out.
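Once the Host header is in the log, counting requests per host is a short parsing job. The following is an added example, not code from the original post: it parses lines in the DrJformat layout, tallies the Host values, and lists any value outside an expected set, which matters because the Host header is supplied by the client. The function names, the expected set and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

def q(name):
    # A double-quoted log field; Apache writes an embedded quote as \"
    return rf'"(?P<{name}>(?:[^"\\]|\\.)*)"'

# %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i" "%{Host}i"
LINE_RE = re.compile(
    rf'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] {q("request")} '
    rf'(?P<status>\d{{3}}) (?P<size>\S+) {q("referer")} {q("agent")} {q("host")}$'
)

def logged_host(line):
    """Return the normalised Host header from one DrJformat line, or None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    host = m.group("host").lower()
    return re.sub(r":\d+$", "", host).rstrip(".")  # drop :port and trailing dot

def tally(lines, expected):
    """Count requests per Host value and list the values outside `expected`."""
    counts = Counter(h for h in map(logged_host, lines) if h is not None)
    return counts, sorted(h for h in counts if h not in expected)

# Constructed sample lines (documentation IP ranges), same layout as the log above.
SAMPLE = [
    '198.51.100.7 - - [08/Jan/2014:02:21:32 -0500] "GET /blog/ HTTP/1.1" 200 11659 "-" "Mozilla/5.0" "drjohnstechtalk.com"',
    '198.51.100.8 - - [08/Jan/2014:02:22:10 -0500] "GET / HTTP/1.1" 301 246 "-" "bot \\"x\\"/1.0" "JohnsTechTalk.com:80"',
    '203.0.113.9 - - [08/Jan/2014:02:23:41 -0500] "GET / HTTP/1.1" 301 246 "-" "Mozilla/5.0" "vmanswer.com"',
    '203.0.113.5 - - [08/Jan/2014:02:24:00 -0500] "GET / HTTP/1.0" 200 512 "-" "-" "-"',
    '203.0.113.6 - - [08/Jan/2014:02:25:00 -0500] "GET / HTTP/1.1" 200 512 "-" "curl/7.0" "192.0.2.10"',
]
EXPECTED = {"drjohnstechtalk.com", "johnstechtalk.com", "vmanswer.com"}

if __name__ == "__main__":
    counts, unexpected = tally(SAMPLE, EXPECTED)
    print(dict(counts))
    print("unexpected Host values:", unexpected)
```

A "-" entry means the request carried no Host header at all, and a bare IP address usually means the client connected by address rather than by name.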

Conclusion
We have shown how to record the contents of the Host header in an Apache access log.

Related rants against apache
Creating a maintenance page with Apache web server
Turning Apache into a Redirect Factory
Running CGI Scripts from any Directory with Apache