Monday, November 10, 2025

Network Separation for IoT Servers Phone Laptop Gaming OH MY!

Let’s talk about ‘IoT’, ‘Servers’ and ‘Other’ stuff on your home network.


Keep your network components separated.  Let me say that again but re-worded.  Keep the devices on your network away from each other.


I’m not talking about VLANs here.  Yes, that’s one way to do the trick, but for a home user that can be a bit out of reach.  We’ve seen the meme where the super-tech guy doesn’t want any tech in their house because it “could be listening” and if the toaster makes an odd noise they’ll throw it out the window.  Not this guy.  I’m all about not getting out of my bed to flip the light switch that’s 8 feet away from me.  I’ll grab my phone and trigger it to turn off.  This of course comes with a security risk.





Now that you know the basis of what I’m talking about, let’s jump right into the meat and potatoes of this post.

1. Put your IoT devices onto their own access point.  Yes.  Physical access point.  VLAN hopping is real and again, VLANs can be out of reach for your mom & pop.

2. Put your servers into their own network also.  The servers are probably ok behind a router and then a VLAN/etc., but remember that we’re talking about a home setup or mom & pop’s house.  It’s not too far-fetched these days to apply the same principle of putting your servers behind their own router.

3. Put your phones/laptops/etc. onto their own access point also.

4. Put gaming devices on their own WiFi.  I have a personal preference here for putting my gaming devices on their own WiFi network.  I have no evidence to back up the “speed gains”, but it gives me a warm & fuzzy that they’re not competing with other devices as much.

How do you make this happen?  There is a cheap route and an expensive route.  They both come with trade-offs in security though.


- The cheap route:

Go to your local thrift store and find a couple of old routers.  The trade-off here is that the firmware is probably going to be way out of date and have its own potential threat vectors.  The upside is that if an IoT device is compromised, it probably doesn’t matter if the router for it has a couple of issues.  We’re separating that network completely anyway.  I’m not advocating for opening up security issues, but it might be possible to flash it with DD-WRT to get it a bit more up-to-date.  Just pull up the DD-WRT compatibility list while you’re in the store to see if the model is on it.  Another downside to this route is that the hardware could only be 10/100 Mbps.  That’s ok for your IoT network, but not so great for other stuff you may be working with.  Whatever you do, configure your router to disable the 5 GHz band if possible.  Every IoT device I’ve worked with has used 2.4 GHz.  By disabling the 5 GHz band, you’re not sending out junk wireless signal for other access points to compete with.  What about the other hardware where I want 1 Gbps or faster?  Well, the next option then.


- The less-cheap route:

Buy an off-the-shelf router or re-use what you have for your gaming and/or other devices network.  Sometimes you can even use this same router with a “DMZ” feature for your server network.  A DMZ is basically just another subnet that you’ve locked down to allow only specific access.  Fancy word, basic security.  This router will probably still get security and/or firmware updates from the vendor, so there’s a good chance it’s ok to leave as is, as long as you’re actually applying those updates.  If it’s reached end-of-life, check the HCL (hardware compatibility list) for DD-WRT because you might find you can squeak out a few more years with what you’ve got.


- The server network:

When it comes to your servers, this probably depends on the size of your home network.  I have a router/access point that I use for my server network, but I disable its WiFi.  This way I’m not sending out useless signals.  Also, nothing in my server network uses WiFi… but maybe I could experiment with this.  Another angle is that it reduces the attack surface of your server network: no wireless exploits can be used against it if you’ve disabled it.


Why do all this for your home network though?  With the increase in IoT devices and so many phones, laptops, gaming consoles, fridges, etc. making their way onto our networks, it’s better to have a secure approach to using them instead of it being a problem later if something gets compromised.  Security comes with additional steps, such as port-forwarding from the phone/laptop network into the server network, but once it’s set up you don’t really have to think about it again until a new server is set up.  A little bit of work early on makes me sleep easier at night, and if we all do something similar to this, we could greatly reduce our attack footprint.


One final note that’s not needed but potentially a good idea.  Each router could be a different brand.  That way, if a flaw is found in TP-Link, your Linksys isn’t impacted.  Again, it introduces a layer of vendor confusion, learning new setups for various devices, but it might help prevent an attack.  It could also just be a dumb idea, because one second-hand device I snagged is limited to only 16 port forwards.  Odd.


Tuesday, November 4, 2025

NConf 1.3.0 Install on Ubuntu 22.04.5 LTS

This is how I got NConf working on my Nagios server.  Components:
  • Ubuntu 22.04.5 LTS  Server (minimized install)
  • Nagios 4
  • NConf 1.3.0
  • Full package list at the bottom.
  • It'll set up Apache for HTTPS with an automatic redirect from 80 to 443
  • It will also turn on your firewall, adding rules allowing SSH/HTTP/HTTPS first
Make a backup of your Nagios server if you've already got one setup. 
Do a backup.
Perform the backup.
Backup the server!

None of this should break anything but you're introducing OLD CODE with possible SECURITY FLAWS.  If you decide you don't want that risk, you can revert to your backup.

That said, put your dang Nagios server behind a firewall/etc. if you're going to do this.  Don't come complaining to me that you got hacked because you followed this and put your Nagios server directly onto the internet with a public IP.

Also a side note.  Apparently you can automatically transfer the config to your Nagios server via SCP, or you could even do an SMB mount I suppose.  From a security perspective, you could give NConf its own server in a locked-down environment; then the only thing it can do is send those configs over to Nagios for use.  That's a whole different discussion though.

Ok, moving on...
This is a bash script tested on a fresh install of Ubuntu Server Minimized.  Nothing special.  Nothing extra installed.  etc etc etc.

##########################################

#!/bin/bash
set -e
clear
echo "=== Installing NConf on Ubuntu 22.04 ==="

# === SECURITY WARNING ===
echo -e "\033[1;31mWARNING:\033[0m NConf is old, unmaintained software."
echo -e "\033[1;31mIt may contain security vulnerabilities and should NOT be exposed to the internet.\033[0m"
echo -e "\033[1;31mUse this only in a secured, isolated environment for legacy Nagios configurations.\033[0m"
echo

read -p "Do you still want to continue the installation? (y/N): " confirm
if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
    echo -e "\033[1;33mInstallation aborted by user.\033[0m"
    exit 1
fi

echo ""
read -rp "Enter NConf database username: " NCONF_DB_USER
read -srp "Enter password for user '$NCONF_DB_USER': " NCONF_DB_PASS
echo ""
read -rp "Enter WebUI username (ex: admin): " NCONF_UI_USER
read -srp "Enter WebUI password: " NCONF_UI_PASS
echo ""

# --- Function to check and install a dependency ---
check_install() {
    pkg=$1
    if ! dpkg -s "$pkg" &>/dev/null; then
        echo "Installing missing dependency: $pkg"
        sudo apt install -y "$pkg"
    else
        echo "Dependency already installed: $pkg"
    fi
}

# --- Update and ensure dependencies ---
sudo apt update -y

for pkg in software-properties-common curl ufw unzip wget apache2 mariadb-server mariadb-client; do
    check_install "$pkg"
done

# PHP 5.6 modules
sudo add-apt-repository ppa:ondrej/php -y
sudo apt update -y
for pkg in php5.6 php5.6-cli php5.6-mysql php5.6-ldap php5.6-gd php5.6-xml php5.6-mbstring libapache2-mod-php5.6; do
    check_install "$pkg"
done

# --- Start services ---
sudo systemctl enable --now mariadb apache2

# --- MariaDB setup ---
sudo mysql_secure_installation

sudo mysql -u root <<EOF
CREATE DATABASE IF NOT EXISTS nconf CHARACTER SET utf8 COLLATE utf8_general_ci;
GRANT ALL PRIVILEGES ON nconf.* TO '${NCONF_DB_USER}'@'localhost' IDENTIFIED BY '${NCONF_DB_PASS}';
FLUSH PRIVILEGES;
EOF

# --- Fetch and verify NConf ---
cd /var/www/html
NCONF_TGZ="nconf-1.3.0-0.tgz"
NCONF_URL="https://sourceforge.net/projects/nconf/files/nconf/1.3.0-0/$NCONF_TGZ"

# /var/www/html is root-owned, so the download and extraction need sudo.
echo "Downloading NConf..."
sudo wget -q --show-progress -O "$NCONF_TGZ" "$NCONF_URL" || { echo "ERROR: Download failed!"; exit 1; }

if [[ ! -f "$NCONF_TGZ" ]]; then
    echo "ERROR: NConf tarball not found after download!"
    exit 1
fi

echo "Extracting NConf..."
sudo tar -xf "$NCONF_TGZ" || { echo "ERROR: Extraction failed!"; exit 1; }

if [[ ! -d "nconf" ]]; then
    echo "ERROR: Extraction did not create expected 'nconf' directory!"
    exit 1
fi

# Create cfg_files before the chown so it ends up owned by www-data as well;
# otherwise the web UI cannot write the generated Nagios config into it.
sudo mkdir -p /var/www/html/nconf/cfg_files
sudo chown -R www-data:www-data /var/www/html/nconf
sudo chmod -R 775 /var/www/html/nconf/{config,output,static_cfg,temp,cfg_files}

echo "NConf successfully downloaded and extracted."

# --- Apache config ---
sudo tee /etc/apache2/sites-available/nconf.conf > /dev/null <<'APACHECONF'
<VirtualHost *:80>
    ServerName nconf.local
    Redirect / https://nconf.local/
</VirtualHost>

<VirtualHost *:443>
    ServerName nconf.local
    DocumentRoot /var/www/html/nconf
    <Directory /var/www/html/nconf>
        AllowOverride All
        Options FollowSymLinks
        # Only the htpasswd user may reach the UI.  Do not add "Require all
        # granted" here: Apache 2.4 combines several Require lines in one
        # section as RequireAny, so it would let anonymous requests through.
        AuthType Basic
        AuthName "NConf Access"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/nconf-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/nconf-selfsigned.key
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    ErrorLog ${APACHE_LOG_DIR}/nconf-error.log
    CustomLog ${APACHE_LOG_DIR}/nconf-access.log combined
</VirtualHost>
APACHECONF

# --- SSL + htpasswd ---
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/nconf-selfsigned.key \
  -out /etc/ssl/certs/nconf-selfsigned.crt \
  -subj "/C=US/ST=State/L=City/O=Org/OU=IT/CN=nconf.local"

# -i reads the password from stdin so it does not show up in the process list.
printf '%s' "$NCONF_UI_PASS" | sudo htpasswd -ci /etc/apache2/.htpasswd "$NCONF_UI_USER"

# --- Perl fix for ExportNagios.pm ---
# Perl 5.24+ refuses keys() on a scalar deref ("Experimental keys on scalar is
# now forbidden"), which breaks NConf 1.3.0's service-dependency export.
# Rewrite that block to a proper hash deref; the original is kept as .bak.
sudo sed -i.bak \
  -e 's/keys(\${\$srv->\[2\]})/keys(%{$srv->[2]})/g' \
  -e 's/[%$]{\$srv->\[2\]}->/$srv->[2]->/g' \
  /var/www/html/nconf/bin/lib/NConf/ExportNagios.pm

# --- Update PHP configuration ---
# Apache loads the php5.6 module installed above, so edit that php.ini rather
# than whichever version sorts highest under /etc/php (22.04 ships php8.1).
PHP_VER=5.6
sudo sed -i 's/^short_open_tag.*/short_open_tag = On/; s/^register_globals.*/register_globals = Off/; s/^magic_quotes_gpc.*/magic_quotes_gpc = Off/' /etc/php/$PHP_VER/apache2/php.ini

# --- Enable Apache modules and restart ---
sudo a2enmod rewrite ssl headers
# Disable the stock site so plain HTTP on port 80 only serves the redirect.
sudo a2dissite 000-default.conf
sudo a2ensite nconf.conf
sudo systemctl restart apache2

# --- Firewall setup ---
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw --force enable

# --- Import NConf schema ---
mysql -u "$NCONF_DB_USER" -p"$NCONF_DB_PASS" nconf < /var/www/html/nconf/INSTALL/create_database.sql

# --- PHP autoload fix ---
sudo tee /var/www/html/nconf/include/includeAllClasses.php > /dev/null <<'EOF'
<?php
spl_autoload_register(function ($class_name) {
    $class_path = NCONFDIR.'/include/classes/class.'.$class_name.'.php';
    if (!empty($class_name) && file_exists($class_path)) {
        require_once($class_path);
        NConf_DEBUG::set("class $class_name", 'DEBUG', 'Autoload');
    }
});
?>
EOF

sudo rm -rf /var/www/html/nconf/temp/* && \
sudo mkdir -p /var/www/html/nconf/temp/test /var/www/html/nconf/temp/Default_collector && \
sudo chown -R www-data:www-data /var/www/html/nconf/temp && \
sudo chmod -R 775 /var/www/html/nconf/temp



DEPLOY_FILE="/var/www/html/nconf/config/deployment.ini"

# Backup existing file if it exists
[ -f "$DEPLOY_FILE" ] && sudo cp "$DEPLOY_FILE" "${DEPLOY_FILE}.old"

# Write the new deployment.ini
sudo tee "$DEPLOY_FILE" > /dev/null <<'EOF'
[extract config]
type        = local
source_file = "/var/www/html/nconf/output/NagiosConfig.tgz"
target_file = "/var/www/html/nconf/cfg_files/"
action      = extract
EOF



# --- Verification ---
echo -e "\n=== Verifying NConf setup ==="

echo -e "\n--- Checking MariaDB ---"
sudo systemctl is-active --quiet mariadb && echo "MariaDB is running ✔" || echo "MariaDB not running ❌"

echo -e "\n--- Testing NConf database access ---"
mysql -u "$NCONF_DB_USER" -p"$NCONF_DB_PASS" -e "SHOW TABLES;" nconf >/dev/null && echo "NConf DB accessible ✔" || echo "NConf DB access failed ❌"

echo -e "\n--- Checking Apache ---"
sudo systemctl is-active --quiet apache2 && echo "Apache is running ✔" || echo "Apache not running ❌"

echo -e "\n--- Checking PHP ---"
php -v | head -n 1

echo -e "\n--- Testing NConf web ---"
# Authenticate with the WebUI credentials; DocumentRoot is the nconf dir itself.
curl -sk -o /dev/null -w '%{http_code}' -u "$NCONF_UI_USER:$NCONF_UI_PASS" https://localhost/ | grep -q "^\(200\|302\)$" && echo "NConf web responds ✔" || echo "NConf not responding ❌"

echo -e "\n--- Checking permissions ---"
# Test as www-data, the user Apache actually writes files as.
for dir in config output static_cfg temp cfg_files; do
  sudo -u www-data test -w /var/www/html/nconf/$dir && echo "$dir writable ✔" || echo "$dir not writable ❌"
done

echo -e "\n=== Installation complete ==="
echo -e "\nAccess NConf at: https://<server-ip>/ (DocumentRoot is the nconf directory)"
echo "DBNAME = nconf"
echo "DBUSER = $NCONF_DB_USER"
echo "DBPASS = $NCONF_DB_PASS"
echo -e "\nRemember to set your Nagios binary path inside the NConf web GUI."
echo -e "\nAlso you'll need to set your nagios.cfg to point to /var/www/html/nconf/cfg_files/"

##########################################

A couple things:
1. At the end of the web UI config, you'll get "copy config file (deployment.ini) FAILED".  That's ok.  The script did it for us.
2. After config, ownership of the config output directory needs to be set per our deployment.ini:
chown www-data:www-data /var/www/html/nconf/cfg_files/
3. When you go to 'Generate Nagios config', you'll probably get:
Error: Cannot open main configuration file '/var/www/html/nconf/temp/test/Default_collector.cfg' for reading!
- To fix this, edit the Perl export module as shown (new lines, with the old ones kept in comments):
nano +1273 /var/www/html/nconf/bin/lib/NConf/ExportNagios.pm

foreach my $def_srv_deps_param (keys(%{$srv->[2]})){
# OLD --> foreach my $def_srv_deps_param (keys(${$srv->[2]})){
unless($def_srv_deps_param && $srv->[2]->{$def_srv_deps_param}) { next }
# OLD --> unless($def_srv_deps_param && ${$srv->[2]}->{$def_srv_deps_param}){next}
$fattr = $def_srv_deps_param;
# OLD --> $fval = ${$srv->[2]}->{$def_srv_deps_param};
$fval = $srv->[2]->{$def_srv_deps_param};

##########################################
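The vhost in the script above puts the NConf UI behind HTTP basic auth. One Apache 2.4 pitfall worth checking on any such vhost: several Require lines in one section are combined as RequireAny, so a stray "Require all granted" beside "Require valid-user" silently disables the password. The audit helper below is an added example, not from the original post or from NConf; the sample vhost snippets it writes are constructed, and the URL in the usage comment is assumed.

```shell
#!/usr/bin/env bash
# Added check, not part of the original post: audit an Apache 2.4 vhost file
# for a <Directory> block that combines "Require all granted" with
# "Require valid-user".  Apache 2.4 treats several Require lines in one
# section as RequireAny, so the "granted" line satisfies access on its own
# and the htpasswd prompt never fires.  Returns 0 when no block mixes them,
# 1 when one does.  Comment lines are ignored.
audit_require_block() {
    awk '
        /^[[:space:]]*#/      { next }
        /<Directory/          { granted = 0; user = 0 }
        /Require all granted/ { granted = 1 }
        /Require valid-user/  { user = 1 }
        /<\/Directory>/       { if (granted && user) bad = 1 }
        END                   { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Live check against a running server: an anonymous request to a basic-auth
# protected vhost must come back 401; anything else means the UI is reachable
# without a password.  -k because the install uses a self-signed certificate.
check_anon_access() {
    local code
    code=$(curl -sk -o /dev/null -w '%{http_code}' "$1") || return 2
    [ "$code" = "401" ]
}

# Constructed sample vhost snippets (for demonstration only) written to a
# temp dir; prints the directory so callers can point the audit at them.
write_samples() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/bad.conf" <<'EOF'
<Directory /var/www/html/nconf>
    AllowOverride All
    Require all granted
    AuthType Basic
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
EOF
    cat > "$dir/good.conf" <<'EOF'
<Directory /var/www/html/nconf>
    AllowOverride All
    AuthType Basic
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
EOF
    printf '%s\n' "$dir"
}

# Usage on the real vhost from the install script (assumed paths/URL):
#   audit_require_block /etc/apache2/sites-available/nconf.conf && echo "auth ok"
#   check_anon_access https://localhost/ && echo "anonymous access denied"
```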


Package                     Version (Ubuntu/Source)
apache2                     2.4.52-1ubuntu4.16
apache2-bin                 2.4.52-1ubuntu4.16
apache2-data                2.4.52-1ubuntu4.16
apache2-utils               2.4.52-1ubuntu4.16
curl                        7.81.0-1ubuntu1.21
libapache2-mod-php5.6       5.6.40-86+ubuntu22.04.1+deb.sury.org+1
libcurl3-gnutls             7.81.0-1ubuntu1.21
libcurl4                    7.81.0-1ubuntu1.21
libxmlsec1-openssl          1.2.33-1build2
mariadb-client              1:10.6.22-0ubuntu0.22.04.1
mariadb-client-10.6         1:10.6.22-0ubuntu0.22.04.1
mariadb-client-core-10.6    1:10.6.22-0ubuntu0.22.04.1
mariadb-server              1:10.6.22-0ubuntu0.22.04.1
mariadb-server-10.6         1:10.6.22-0ubuntu0.22.04.1
mariadb-server-core-10.6    1:10.6.22-0ubuntu0.22.04.1
needrestart                 3.5-5ubuntu2.4
openssl                     3.0.2-0ubuntu1.20
php5.6                      5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-cli                  5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-common               5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-gd                   5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-json                 5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-ldap                 5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-mbstring             5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-mysql                5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-opcache              5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-readline             5.6.40-86+ubuntu22.04.1+deb.sury.org+1
php5.6-xml                  5.6.40-86+ubuntu22.04.1+deb.sury.org+1
python3-openssl             21.0.0-1
software-properties-common  0.99.22.9
tar                         1.34+dfsg-1ubuntu0.1.22.04.2
ufw                         0.36.1-4ubuntu0.1
unzip                       6.0-26ubuntu3.2
wget                        1.21.2-2ubuntu1.1

Saturday, March 22, 2025

Raspberry Pi 2 USB Adapter Speed Test

This is a speed test of a couple USB adapters on my Raspberry Pi Model B+ V1.2 that I plan on using for an upcoming project.

TLDR here. Results in MB/s.


Drive                   Average   Test1   Test2   Test3   Test4
Mini Flash USB          4.35      3.4     4.0     4.6     5.4
Black Micro SD Adapter  7.05      7.2     6.9     7.0     7.1
White Micro SD Adapter  8.28      9.8     9.5     8.1     5.7
On-Board                18.9      18.4    18.7    19.2    19.3

  • I used dd for a basic but effective test of writing to the drives.
    dd if=/dev/zero of=/path/to/mounted/usb/dd-test.img bs=100M count=1 oflag=dsync
  • I also realize that 100M is a bit smaller than I should have tested but found very similar results with 1G and 100M was faster :)
  • The really crazy part is how much faster the adapters are going to the Micro SD card.  I really thought the regular USB drive would have been faster.
  • For a final test, I used the same Micro SD card for the O.S. in the on-board slot.  Not surprisingly it was over twice as fast.
  • The purpose of this post is so I can reference it in the future as well as make note of how I might want to group these styles of drives in the future.
  • NOTE:  I've experienced SOME sustained write issues with one of the adapters.  It was a long time ago and I was in the middle of swapping stuff around so I don't recall which had the issue.  My guess is that the chip warms up a bit and then doesn't play nice.  Just keep that in mind for deciding how you want to proceed with your setup.


  • Regular USB
This drive is the PNY 256GB Elite-X Fit USB 3.1 Flash Drive - 200MB/s



Here is the item description:
- Elite-X Fit USB 3.1 Gen 1 Flash Drive, backwards compatible with USB 2.0 (USB 3.1 Gen 1 offers identical performance as USB 3.0, but under a new name)
- Amazing performance with read speeds up to 200MB/s, ideal for large files and demanding applications
- Transfer speeds up to 30 times faster than standard PNY USB 2.0 Flash Drives
- A compact, plug-and-stay flash drive that’s ideal for adding more storage to computers, in-car stereos, game consoles, and more
- Micro-sized, long stay, low profile design can remain connected to host devices for maximum convenience. No need to insert and remove it after each use
- Compatible with most PC and Mac laptop and desktop computers, in-car stereos, game consoles, printers, TV’s, and more
 
  • Micro SD Cards
This same card is used in both of the adapters below.

SanDisk 256GB Extreme microSDXC UHS-I Memory Card with Adapter - Up to 190MB/s, C10, U3, V30, 4K, 5K, A2, Micro SD Card - SDSQXAV-256G-GN6MA



- Up to 190MB/s powered by SanDisk QuickFlow Technology (Up to 190MB/s read speeds, engineered with proprietary technology to reach speeds beyond UHS-I 104MB/s, requires compatible devices capable of reaching such speeds. Based on internal testing; performance may be lower depending upon host device interface, usage conditions and other factors. 1MB=1,000,000 bytes. SanDisk QuickFlow Technology is only available for 64GB, 128GB, 256GB, 400GB, 512GB, and 1TB capacities. 1GB=1,000,000,000 bytes and 1TB=1,000,000,000,000 bytes. Actual user storage less.)
Pair with the SanDisk Professional PRO-READER SD and microSD to achieve maximum speeds (sold separately), Compatible with microSDHC, microSDXC, microSDHC UHS-I, and microSDXC UHS-I supporting host devices
- Up to 130MB/s write speeds for fast shooting (Based on internal testing; performance may be lower depending upon host device interface, usage conditions and other factors. 1MB=1,000,000 bytes.)
- 4K and 5K UHD-ready with UHS Speed Class 3 (U3) and Video Speed Class 30 (V30) (Compatible device required. Full HD (1920x1080), 4K UHD (3840 x 2160), and 5K UHD (5120 X 2880) support may vary based upon host device, file attributes and other factors. See HD page on SanDisk site. UHS Speed Class 3 (U3) designates a performance option designed to support real-time video recording with UHS-enabled host devices. Video Speed Class 30 (V30), sustained video capture rate of 30MB/s, designates a performance option designed to support real-time video recording with UHS-enabled host devices. See the SD Association’s official website.)
- Rated A2 for faster loading and in-app performance (A2 performance is 4000 read IOPS, 2000 write IOPS. Results may vary based on host device, app type and other factors)
 
  • Black Adapter
This was advertised as a generic "Memory Card Reader Adapter High Speed USB 2.0 Reader for Micro SD SDHC SDXC Z9Y6".  

Here is the item description:
SuperSpeed USB 2.0 TF Card Reader Adapter
Quantity: 1 piece
USB 2.0 interface.
Fast transfer rates for reliable copy/download/backup.
No additional driver installation is required.
Powered by USB port, no additional power supply required.
Card Compatibility: for Micro SD SDXC/TF card
Compatible with Windows ME, 2000, XP, Vista, WIN 7 and OS with USB interface.


  • White Adapter
This is the Micro SD Card to USB Adapter, TF Card Reader with Mini Size




Here is the item description:
The Micro SD/TF card slot adopts a hidden design and is embedded in the USB plug, which can minimize the volume and protect the memory card at the same time.
Stable Work: The shell is made of aluminum alloy, which has a longer service life. The new chip and circuit design can minimize heat generation and ensure the stability and reliability of data transmission.
Portable: Ultra-light and ultra-small, the lanyard hole design can be easily connected with keychains or electronic devices, preventing loss and portability.
Scope of Application: Applicable to all USB 2.0 standard ports, providing 480Mbps read and write speed, compatible with USB 3.0 ports.
Compatible Devices: Compatible with all mainstream operating system USB port, such as TV, portable audio, notebook, computer, car system, etc.
 
  • Final thoughts
We're working with a USB 2.0 port, which has a potential max of 60MB/s.  That's much faster than the speeds I'm seeing.  In real-world testing we rarely see the max speed of a connection though.  Even if we took half the potential max of USB 2.0, we're not getting close to that.  At this point the Raspberry Pi 2 is aging hardware and we cannot expect datacenter/server-grade performance.  What this does do for me is provide a baseline that I can use to identify problem hardware.  I plan on using a few Pis for some projects and I'll have a baseline for identifying problem drives in the future.
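The dd command earlier in the post is the whole benchmark, and the point of the numbers is the baseline for spotting problem drives. The script below repeats that dd run, averages the runs the way the results table does, and compares the result against a baseline; it is an added example, not from the original post. The sample dd summary lines are constructed to match the Mini Flash USB row, and the mount point and baseline in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: repeat the post's dd write test,
# average the runs like the results table, and flag a drive that falls below
# a baseline.  Mount points and baseline values are assumptions.

# Average the "N MB/s" figures dd prints on stderr, one summary line per run.
# kB/s and GB/s are normalised to MB/s; the result is printed with 2 decimals.
avg_from_dd_lines() {
    awk '
        $NF == "MB/s" { sum += $(NF-1); n++ }
        $NF == "kB/s" { sum += $(NF-1) / 1000; n++ }
        $NF == "GB/s" { sum += $(NF-1) * 1000; n++ }
        END { if (n) printf "%.2f\n", sum / n }
    '
}

# Run the post's dd command RUNS times (default 4, matching the table) against
# a mount point and print the average write speed in MB/s.  oflag=dsync makes
# each write reach the device so the page cache does not inflate the number.
run_dd_test() {
    local mnt="$1" runs="${2:-4}" i=1
    while [ "$i" -le "$runs" ]; do
        dd if=/dev/zero of="$mnt/dd-test.img" bs=100M count=1 oflag=dsync 2>&1 | tail -n 1
        rm -f "$mnt/dd-test.img"
        i=$((i + 1))
    done | avg_from_dd_lines
}

# Compare an average against a baseline (both MB/s): returns 0 if the drive is
# at or above the baseline, 1 if below, so it can drive a problem-drive report.
meets_baseline() {
    awk -v avg="$1" -v base="$2" 'BEGIN { if (avg + 0 >= base + 0) exit 0; exit 1 }'
}

# Constructed dd summary lines matching the "Mini Flash USB" row of the table.
SAMPLE_DD_OUTPUT='104857600 bytes (105 MB, 100 MiB) copied, 30.8 s, 3.4 MB/s
104857600 bytes (105 MB, 100 MiB) copied, 26.2 s, 4.0 MB/s
104857600 bytes (105 MB, 100 MiB) copied, 22.8 s, 4.6 MB/s
104857600 bytes (105 MB, 100 MiB) copied, 19.4 s, 5.4 MB/s'

# Example use (assumed mount point and baseline):
#   avg=$(run_dd_test /mnt/usb1 4)
#   meets_baseline "$avg" 6.5 || echo "/mnt/usb1 below baseline: $avg MB/s"
```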