
Rallynet CONF soup: Setting up hostapd, dnsmasq, and nginx

The base honeypot LAN server requires only a few software packages and very little configuration. LAN means local area network and honeypot refers to it being set up to route all network inquiries to its own services with no outside connections. This post is about the basic set of services needed for an isolated network that will serve up a local website. The first thing to do is to install the packages.

apt install hostapd dnsmasq nginx

A network has an interface, the hardware that makes the connection. Configuring this is done in the /etc/network/interfaces file. Here, I use eth0, the plug-in cable connection, as the standard outside network connection. wlan0, the wifi device, is defined to stand by itself as a “static” device with a fixed address and defined network parameters. The “auto lo” entry is the loopback interface, the address the computer uses to refer to itself when it wants to use network protocols for internal communications.

auto lo
iface lo inet loopback
iface eth0 inet dhcp

allow-hotplug wlan0
iface wlan0 inet static
    # PLACEHOLDER values: the post does not give the Rallynet address, so set your own
    address 192.168.4.1
    netmask 255.255.255.0

# pre-up iptables-restore < /etc/iptables.rules

# allow-hotplug wlan1
# iface wlan1 inet manual
#     wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

The wlan1 stuff is commented out here but left so I can later experiment with the possibility of using the wifi connection to connect to two distinct networks. As it is, if I am trying to use eth0 on one net, say to get upgrades, and wlan0 as another, say the honeypot LAN, there are issues. Somebody using a cell phone might have similar problems if they have the cell network up at the same time they are connected to the Rallynet.

The “pre-up iptables” item is for adding security later. iptables is used to control what kind of network information is allowed to go from where it came from to where it wants to go.

hostapd is the service that enables other computers to talk to the Rallynet computer. It provides the network ID and handles connection security. It is a good idea to make sure the startup script /etc/init.d/hostapd knows where the configuration file is. Look for the line that defines DAEMON_CONF and modify it or add it if missing so the file contains the line

DAEMON_CONF=/etc/hostapd/hostapd.conf

For a simple hostapd configuration that has no security, you can use:
# file /etc/hostapd/hostapd.conf

The driver clause is there because hostapd needs proper hardware support and a software interface to that hardware that supports access point (the ‘ap’) protocols. The ssid is the network name that shows on the list people will see to select when they want to connect to the Rallynet. Here it is “SNU”.

dnsmasq provides information to connecting computers so they have an address on the network and know how to find things.
#file /etc/dnsmasq.conf

The address= line specifies that any time a computer looks up a domain name it will get the honeypot address. This means that anyone looking for their favorite web site will be directed to the honeypot instead. I’ve had problems with this when other networks are connected or when browsers think you’ve entered a search term rather than a domain name (e.g. “rallynet” rather than “”). no-resolv and no-hosts are in there to make sure that the Rallynet computer’s own name-resolution settings are not used for the other computers on the Rallynet. I find it works best to issue “sudo systemctl stop dnsmasq” when I am plugged in to the I’net to get updates or whatnot. This helps avoid confusion.

nginx is a modern alternative to the old standby Apache. I use it because it is supposed to have a smaller footprint and, I’d hope, reflects some lessons learned in twenty years of web servers. It is full featured and able to serve many websites with all sorts of features, so configuration can have a lot of complexities. My major problem was making sure the “;” end-of-statement markers didn’t get lost in the cut and paste operations I used to consolidate a tree of configuration files into just one. This example still includes a lot of things that explicitly restate defaults that aren’t really necessary for the Rallynet, so some pruning is still possible.

#file /etc/nginx/nginx.conf
user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
  worker_connections 768;
}

http {
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  types_hash_max_size 2048;
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
  ssl_prefer_server_ciphers on;
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;
  gzip on;
  gzip_disable "msie6";

  #include /etc/nginx/conf.d/*.conf;
  #include /etc/nginx/sites-enabled/*;

  server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /home/www-data;
    index index.html index.htm index.nginx-debian.html;
    server_name _;

    # try_files falls through to the 404 handler, which serves the home page
    location / {
      try_files $uri $uri/ =404;
    }
    error_page 404 /index.html;
  }
}


The server section is where the customizing is really needed. I put the website in the /home directory rather than in /var as was the install default. The “location” and “error_page” statements work with the dnsmasq honeypot routing so that unknown pages on out of LAN domains will all route to the Rallynet home page. 

Note the log statements in the configuration files. I uncomment them when I first start out so I can find errors. Note also that these services often have utilities that will check their configuration files to make sure they are valid. When I get everything working, I’ll comment out the log statements to avoid filling up the file system.
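As an added example (not code from the post), here is a small Python pre-check for a consolidated nginx.conf like the one above: it reports statements that lost their trailing “;”, braces left unbalanced, and deprecated protocol names in ssl_protocols. Both sample configs are constructed for the example; nginx -t remains the authoritative check.

```python
"""Pre-check for a hand-consolidated nginx.conf (added example, not from the post).

Flags the two paste errors the post describes, a lost ';' and an unbalanced
'{', plus deprecated protocol names in an ssl_protocols line. Run `nginx -t`
afterwards; this only catches the cheap mistakes before that.
"""

# Constructed sample with two deliberate faults: the events block is never
# closed and the second 'listen' line has lost its ';'.
SAMPLE_BROKEN = """\
user www-data;
worker_processes 4;
events {
  worker_connections 768;
http {
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
  server {
    listen 80 default_server;
    listen [::]:80 default_server
    root /home/www-data;
    location / {
      try_files $uri $uri/ =404;
    }
    error_page 404 /index.html;
  }
}
"""

# The same structure with the faults repaired and only TLS 1.2 offered.
SAMPLE_FIXED = """\
user www-data;
worker_processes 4;
events {
  worker_connections 768;
}
http {
  ssl_protocols TLSv1.2;
  server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /home/www-data;
    location / {
      try_files $uri $uri/ =404;
    }
    error_page 404 /index.html;
  }
}
"""

# Protocol names nginx still accepts in ssl_protocols but that should not be
# offered any more (SSLv3 after POODLE; TLS 1.0/1.1 deprecated by RFC 8996).
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def strip_comment(line):
    """Drop a trailing '# ...' comment; the sample configs quote nothing with '#'."""
    return line.split("#", 1)[0].strip()


def check_nginx_conf(text):
    """Return a list of (line_number, message); an empty list means no findings.

    Line number 0 is used for findings about the file as a whole.
    """
    findings = []
    depth = 0
    for num, raw in enumerate(text.splitlines(), start=1):
        line = strip_comment(raw)
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth < 0:
                findings.append((num, "unexpected '}' with no open block"))
                depth = 0
            continue
        if not line.endswith(";"):
            findings.append((num, "statement missing terminating ';'"))
            continue
        name, _, args = line[:-1].partition(" ")
        if name == "ssl_protocols":
            bad = sorted(set(args.split()) & DEPRECATED_TLS)
            if bad:
                findings.append((num, "deprecated protocols enabled: " + ", ".join(bad)))
    if depth > 0:
        findings.append((0, f"{depth} block(s) never closed with '}}'"))
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(label, check_nginx_conf(conf) or "clean")
```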

This CONF soup is just about as bare bones as I could get it. Now I can start adding security or other features a step at a time and keep the debugging simple.

Be sure to save the default configuration files! These are a good resource for the options available. The servers also have man pages you can reference to find out about the configuration options. Web searches are also good ways to find examples and explanations.

Rallynet: Proof of Concept guidance

The first question was what to do with this thing (the Raspberry Pi or just pi). The NOOBS (new out of box software) install process worked well and provided a multi-boot pi with Raspbian, LibreELEC, and OSMC. Nice. Worked. Made a nice media center for the RV. Now what? How about a web services host so RV rally participants could upload their pictures to share? That led to Rallynet as a honeypot LAN installed on the Raspbian system. It worked, too. Now what?

That was a successful Proof of Concept so now the question became one of how to simplify and enhance. That meant being able to run both the media center and the Rallynet at the same time. It meant being able to dispense with the need for external USB storage. It meant looking into easier methods of file sharing.

First on the list was the host operating system. This came down to the recently announced Ubuntu Mate for the pi or Raspbian. There are a lot of other options and all are available to test and try out at the Raspberry Pi Download site. I decided to stick with Raspbian as it boots fast, has an established and vigorous community supporting it, puts a focus on development and maker needs, and is more directly customized for the hardware. The proprietary graphics in the pi are better accommodated with Raspbian although effective optimization to be able to show HD video requires re-building VLC or using an independent repository to get a special build of Kodi.

The latest release of Raspbian with all the latest bells and whistles was a nice clean install and it left near 30 GB of free space on its 32 GB micro SD card. Some of my favorite utilities installed with no hassle. To get the Rallynet services and GPS dongle tools, I installed from a terminal command prompt:

sudo apt install gpsd gpsd-clients python-gps hostapd dnsmasq nginx droopy photofloat gkrellm gkrellm-leds gkrellm-cpufreq gkrelltop lm-sensors gkrelltopd vim vim-gnome

The idea is to use GPS to set date and time on the pi. That project is quite a can of worms. It turns out that GPSd is a project headed by Eric Raymond (a long time well known FOSS advocate and activist) with deep roots. Its purpose is to take the device connection and message format issues and present them as a consistent and known API to facilitate GPS based utility development. GPSd can use shared memory to communicate with NTPd for a very accurate time service. Modern GPS devices intended for items such as drones provide barometric sensors and 9 axis motion sensing, as is common in cell phones. That brings up the idea of using the device as the basis of a weather reporting service.

hostapd, dnsmasq, and nginx provide the base for Rallynet as a honeypot LAN and a post on the Rallynet CONF soup will be up shortly to show how these were set up.

droopy is a Python script providing html based service on port 8000 to upload files. That means rally participants who take pictures with their cell phones can use their phone browser to upload their pictures to the Rallynet. If it works, I won’t need to install Windows file sharing services.

photofloat is a photo gallery that uses the standard file system for its data store. It includes a Python script that will scan the photo folders to create thumbnails and JSON format descriptions in a cache for a simple web page photo gallery service. Eric Raymond has a good rundown on JSON in his story about the development of GPSd. The format came out of the programming language that started as a simple scripting capability in web browsers and is now a massive part of website presentation and web apps.

One project is to either use a Python system monitoring script that detects file system changes or a modification of droopy to call the pictures scan after an upload has occurred. That will keep the photo galleries up to date with submissions.

So now it’s on to phase II. 

Grokking Python

One of the challenges – and major benefits – to an old school programmer learning Python is to get a handle on new ways to approach and talk about old problems. Java is ‘object oriented’ but much of how it does things is not that much different from the classic procedural languages. Python is another story.

In Python, everything is an object. That means there are no primitives. All variables are pointers to objects that have a number of properties like value and type. Pointers have a long history in C and they can be a source of confusion in some circumstances if you are not careful. Those properties that are available in Python are necessary to help keep things straight.

Constants are called immutable and an immutable list (list is the name used for an array) is called a tuple. Whereas a list with values that can be changed is enclosed in brackets, a tuple is optionally enclosed in parentheses. 

There are other collections like dictionaries and sets and there is functionality that allows common actions on these collections as well as handling set of collections. This is much more interesting than just having multi-dimensional arrays and hash indexing.

The Python iterator concept takes the old idea of a counter to step through a loop to a new level. Instead of just a counter variable that steps from here to there by how-much, an iterator is an object that will return successive values and, as an object, it can be controlled by mapping or filtering to produce interesting results.

Inline functions are established by using the key word “lambda” rather than the “def” that defines the standard function. There are some implications beyond this simple distinction that need exploration.

The use of white space seems to cause a lot of dissonance. That means arguments much like C programmers get into about line indentation. I don’t know why it bugs people as white space even goes back to Fortran on punch cards. Python just expands it a bit. Enforcing white space means that a lot of punctuation to define code blocks and statements isn’t necessary in Python and that can reduce errors and improve readability.

MicroPython is an effort to get the core ideas of Python development in a microcontroller. That means a modern interpreted coding environment to compete with BASIC, Forth, and similar classic options. For Python, it means trimming down the standard library and limiting the core language somewhat. 

Python has a lot of capabilities that could be useful in GPS applications. GPS data often comes in as records that are strings of bytes that can be ASCII using standard NMEA clauses or binary using proprietary structures. Python provides the struct module’s unpack function, which will unpack these records by mapping them to a format string that indicates each binary data type and the manner in which the binary data is mapped to the various Python data types.
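As an added example (not from the post), here is how these pieces fit together for the GPS case: an NMEA sentence is verified by its XOR checksum before its fields are trusted, a generator with map() filters a feed down to valid fixes, and struct unpacks a binary record. The sample sentences and the binary layout are constructed for the example; the layout is an assumption, not any receiver’s real format.

```python
"""GPS records two ways: ASCII NMEA sentences and a binary record via struct.

Added example, not from the post. The binary layout is a constructed one
(little-endian uint32 time of week in ms, int32 latitude and longitude in
1e-7 degrees, uint8 fix type), not any real receiver's proprietary format.
"""
import struct
from functools import reduce
from operator import xor

# Constructed serial feed: a valid RMC sentence, a copy with one digit altered
# (so its checksum no longer matches), and a fragment with no checksum at all.
SAMPLE_NMEA = [
    "$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A",
    "$GPRMC,123519,A,4817.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A",
    "$GPGGA,123519,4807.038,N",
]


def nmea_checksum(payload):
    """XOR of every byte between '$' and '*', as NMEA 0183 defines it."""
    return reduce(xor, payload.encode("ascii"), 0)


def parse_nmea(sentence):
    """Return the comma-separated fields of a sentence, or None if the framing
    or checksum is wrong, so a garbled line is dropped rather than half-trusted."""
    if not sentence.startswith("$") or "*" not in sentence:
        return None
    payload, _, given = sentence[1:].partition("*")
    try:
        expected = int(given[:2], 16)
    except ValueError:
        return None
    if nmea_checksum(payload) != expected:
        return None
    return payload.split(",")


def nmea_to_degrees(value, hemisphere):
    """Convert NMEA (d)ddmm.mmmm plus N/S/E/W into signed decimal degrees."""
    whole, frac = value.split(".")
    degrees = int(whole[:-2])
    minutes = float(whole[-2:] + "." + frac)
    result = degrees + minutes / 60.0
    return -result if hemisphere in ("S", "W") else result


def valid_positions(lines):
    """Generator over (lat, lon) for each RMC sentence that passes the checksum
    and reports status 'A' (valid fix); map() plus the test in the loop does
    the work a counter-driven loop would need by hand."""
    for fields in map(parse_nmea, lines):
        if fields and fields[0] == "GPRMC" and fields[2] == "A":
            yield (nmea_to_degrees(fields[3], fields[4]),
                   nmea_to_degrees(fields[5], fields[6]))


# Constructed binary layout (an assumption for the example): '<' little-endian,
# I uint32 tow_ms, i int32 lat 1e-7 deg, i int32 lon 1e-7 deg, B uint8 fix type.
BIN_LAYOUT = struct.Struct("<IiiB")


def pack_record(tow_ms, lat_deg, lon_deg, fix_type):
    """Build one binary record; used here to construct sample input."""
    return BIN_LAYOUT.pack(tow_ms, round(lat_deg * 1e7), round(lon_deg * 1e7), fix_type)


def unpack_record(blob):
    """Unpack one record; reject a short or oversized buffer rather than misread it."""
    if len(blob) != BIN_LAYOUT.size:
        raise ValueError(f"expected {BIN_LAYOUT.size} bytes, got {len(blob)}")
    tow_ms, lat, lon, fix_type = BIN_LAYOUT.unpack(blob)
    return {"tow_ms": tow_ms, "lat": lat / 1e7, "lon": lon / 1e7, "fix": fix_type}


if __name__ == "__main__":
    for pos in valid_positions(SAMPLE_NMEA):
        print("NMEA fix:", pos)
    print("binary:", unpack_record(pack_record(123519000, 48.1173, 11.5166667, 3)))
```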

That is some of the base that everything else is built upon. What Python advocates refer to as “batteries included” is another level. If you want to do anything in software, the odds are pretty good that someone has done it before. Standard language libraries are a result. Python has a very rich set of libraries that is included with its interpreter and is available anywhere Python is. Java also has an extensive library. C, in contrast, has a small default library, but that is appropriate for its focus.

It’s all about paradigms for thinking about problems and expressing ideas. It used to be learning a new language was just about English or French or Russian. Programming languages are nowhere near as complex but can still provide a lot of insight into different ways to see things.

In the news: FCC vs innovation

There is sometimes a need to provide a governor on things to keep them from going out of control. Protecting trade secrets has a long history, and the patent idea was embedded in law to open this up a bit in a controlled way. Regulation is almost always a limiting control and it is another way to keep things from going out of control. There are two examples in the news this morning related to the struggles on this topic.

Amateur Radio exists, in part, to advance the state of the art. With SDR technologies and digital modes, the costs of radio communications experimentation have been reduced so that a larger bunch of hams can get involved. But Amateur Radio is regulated and keeping regulations up to date with the implications of technology is a nontrivial exercise. Current Rules Holding Hams Back from Adopting State-of-the-Art Technology, ARRL Says.

ARRL told the FCC in its comments that the current HF symbol rate “speed limit” reflects 1980s technology and has no place in an experimental radio service in which modern protocols could be efficiently deployed in crowded RTTY/data subbands.

“The symbol rate limit was created in order to maximize the efficient use and reuse of that crowded, shared spectrum, but the assumptions made at the time are no longer valid,” ARRL said, “and the rules now prohibit radio amateurs from utilizing state-of-the-art technology, thus precluding or substantially inhibiting any meaningful contribution to the advancement of the radio art in this area.” ARRL said earlier assumptions are no longer valid mainly because there is no correlation between the data rate and the occupied bandwidth in the rules now.

Another inhibitor is described by Michael Larabel reporting that Raspberry Pi VC4 Graphics Driver Working To Support QPU Shaders.

The latest Raspberry Pi graphics driver hacking by Eric Anholt of Broadcom has been working to support QPU shaders by this open-source driver stack. QPUs are the shader core of the graphics hardware found in the Raspberry Pi SoC, but come up short of supporting OpenCL or OpenGL compute shaders.

Eric is looking at supporting QPU shaders now though with this open-source driver stack since it can be used for accelerated video decode.

On this last, that is why I had to re-build VLC and suffer its taking over the screen the way it does in order to use it to display videos. The Tutorial: Compile VLC with HW acceleration – Jessie, RPi 2/3 worked well and produced good results. It also provided an insight into the size, scope, and complexity of modern FOSS projects that really puts my 1980’s experience in systems software development in perspective.

The default media player in Raspbian is OMXplayer and it works, but it also takes over the screen and you have to launch it from a terminal window to use keyboard commands to control it. The VLC option appears to respond to keyboard input to the display window. Additional experimentation is needed.

Tofu and the NoTo font project

Perhaps you’ve seen it? Some document on the web or PDF or a word processing document with characters that look like little boxes of tofu? That’s what happens when the called-for font, or the substitute for it, does not have a proper glyph for the character code. To a computer, all text is a string of character codes that index display instructions. Those display instructions can be a bitmap or a mathematical description that must be processed to create something to put on the display device or printer in the space allocated and within the specifications of the device.

Google didn’t realize how big a problem this was until Android and ChromeOS became popular in world wide markets.

The Noto font project (it’s a mashup of ‘NO more TOfu’) has been something of a labor of love, taking five years to reach its conclusion. But the result is an open source Noto font family which Google says includes “every symbol in the Unicode standard, covering more than 800 languages and 110,000 characters”.

“When we began, we did not realize the enormity of the challenge. It required design and technical testing in hundreds of languages, and expertise from specialists in specific scripts. In Arabic, for example, each character has four glyphs (i.e., shapes a character can take) that change depending on the text that comes after it. In Indic languages, glyphs may be reordered or even split into two depending on the surrounding text”.

Mark Wilson: Google releases open source font Noto to eliminate the tofu problem.

Fonts on computers have always been a challenge. Consider Donald Knuth’s TeX [wikipedia] released in 1978. Adobe got into the act in 1984 when it released its page description language [wikipedia] and Apple, due in part to licensing costs, came up with TrueType in 1991. But when you get into fonts, you get into typefaces and glyphs and rendering methods and pixelated display issues. That’s the software facet. Another facet gets into presentation, readability, and human factors. What Google got into was another facet, the mapping of glyphs to alphabets to language constructions. Unicode was developed to help code these things, but artwork was needed to fill in a representation of the indexed glyph.

That’s a long way from the character generator chip on my TRS-80 model 1 where I had to piggyback another bit of memory in order to get lower case in a 5×8 pixel array mapping. I can imagine what would happen if I tried to use that computer to map a modern font glyph onto its screen. I’m not sure it even had enough memory to store the code needed for the glyph description, much less the code to translate that description to a screen image. And how long would the processing take?


Infrastructure and Community and Adoption

Slashdot refers to a Fireside Chat with David Rusling and Linus Torvalds on YouTube with an interesting pull quote. It’s the infrastructure and compatibility that flavors a preference for chip architecture, not so much the RISC vs CISC or minutia of instruction set. It could be said that Windows provides a community for the x86 even though Microsoft has tried to expand its products to other architectures.

This has also been reason cited for going Python. It is often expressed as bricks (excuse me, that should be “batteries”) included and community. That, and the FOSS basis, means that a complete construction environment is available everywhere and there is a lot of help in solving problems.

That same phenomenon shows up with the Arduino and the Raspberry Pi. The ESP8266 community borrowed the Arduino IDE to leverage the community and infrastructure behind that system for its benefit. Newer SBCs often try to do the same thing by using a Linux based software environment.

Much of this depends upon your focus. Linus is building kernel function and that means he is working with chip architecture. Arduino enthusiasts are working with sensing and control so they are more concerned with microcontroller issues. Raspberry Pi is confused as its original intent was education but many have picked it up for cheap computing. The ESP8266 is for the Internet of Things stuff. 

The Raspberry Pi also illustrates where infrastructure and community are important. I figured I could run VLC instead of LibreELEC to play movies in a standard Raspbian environment. Whoops. The Raspberry Pi hardware graphics acceleration isn’t open so the community has to go through loops and hurdles to use it in apps like VLC. There are HowTo’s out there about how to compile a version of VLC to include the proprietary access to the rPi hardware but, oh, my. There is progress around these rPi issues but it takes time. I’ve even seen some argument about the GPIO capabilities and specifications as the proper specification for these pins is weak. 

The infrastructure and community issues hit all sorts of things. It is why Samba or CIFS took off as a reverse engineered effort to support Windows networking on other platforms. It’s why gpsd changed over to JSON. It’s why USB has gained popularity despite the commercial ID branding issues. I still have a serial mouse around here somewhere and remember what it used to take to get a new video system up and running properly. Things have changed and are still changing but some of the critical stuff isn’t the problem it used to be. Infrastructure and Community make a difference. 

What do I do with this rPi?

An Amazon deal, the Vilros kit was on sale a while back, so I now have a Raspberry Pi 3 B to see what all the fuss is about. First thing up was to boot NOOBS (New Out Of the Box Software) and install a basic Raspbian system, LibreElec (just enough Linux for Kodi), and another media oriented system. Easy to do from NOOBS, and you get a rescue system as well as the multiple boot options. So now what?

The LibreElec option suggested replacing the media machine in the RV and it indeed works well with a Seagate 2 TB USB powered drive storing the AV collection. The 24″ Vizio TV supports the HDMI control link so its remote can be used to control the media player, somewhat. Shutting down the rPi also shuts down the TV. Nice. So now what?

The RV provided an idea. We get together on occasion with others out in the Nevada wilds where even cell phone coverage is spotty. How about a Rally Net so folks could share pictures, event schedules, and other information? Understand that this would be an obnoxious distraction for most of the rally participants but at under 5 watts, the rPi could run on the RV battery without much of an impact for a full weekend even without any recharging. That would be a good way to learn about networks and keep the rPi busy. Here’s what’s involved.

  1. Set the rPi wifi interface so it knows its address and how it’s going to function. That is done in /etc/network/interfaces
  2. To allow others to talk to your network, install hostapd, an access point service. This controls access to your network. hostapd is normally used as a conduit between a local net and a remote I’net but we will want to set it up like a honeypot. Andy Smith has good basic honeypot instructions on his blog and we can start with that.
  3. People who want to use your network need to get an address on the network and some information about how to find things. dnsmasq is used for this. This can be configured like a honeypot to steer all web page requests to a local service.
  4. A web server is needed. Apache is the old standby for this but Nginx is an updated program better suited to the rPi.
  5. For photo galleries, PhotoFloat was used. This isn’t on Wikipedia’s page of options but it is simple and uses the file system rather than a special database.
  6. For file sharing, Samba was configured so that the album folder could be shared using standard Windows type file sharing. After pictures have been uploaded, the system operator could run a python script to update the galleries being served via the local website.
  7. For website and photo gallery repositories, a 64 GB USB stick was used. This stick was partitioned for separate www and photo drives that were mounted in /etc/fstab by reference to the partition labels.

That’s only a start! I am looking at installing MySQL and WordPress to provide a more social web environment. Since the rPi doesn’t have a real time clock, I am considering adding a GPS module for satellite time. Reyax has one intended for vehicle tracking that could also serve as the basis for a weather station with its pressure, temperature, compass, and acceleration sensors. I could also enable track logging to help create directions to the rally site, and the compass could be an aid to those who want to set up their satellite TV systems, too.

Of course, the rPi wifi is very low power with an on-board ceramic antenna. This means that its range is quite limited. If someone actually did want to access the Rally Net, they’d have to either help me set up a more potent WiFi node or park a chair close to the window where the rPi sits. Meanwhile, I’ve got a good target for seeing what an inexpensive low power computer can do.


Brain dead

Kitty Knowles says Daft drillers distraught after DIY iPhone headphone jack prank.

We’d love to think that some of these testimonials are jokers trying to get in on the act, because the reality is a sad one.

As one YouTuber writes: “The amount of people that thought that this is real is worrying for the future of the human race.”

When you lay out several hundred dollars for a gadget, is YouTube your resource for how to modify it? With power tools?

Yes, some of the geeks out there don’t think much of the Apple fans and their sense of humor can get rather cruel but really, do the Apple fans have to prove their point?

Or these geeks could be reacting to something I have noticed: when someone starts labeling you the ‘computer wizard’ did you ever stop to think they were engaged in creating interpersonal distance? Instead of engaging with the technology that enables them to do nifty things, they are disengaging and making distance from change and growth. That is perhaps as productive and useful as digging the drill out of the garage to take after your new phone.

Check the graph on dematerialization

Marian Tupy says Computers Allow Us To Accomplish More With Less, and It’s Only Getting Better — “Researchers have just developed a way to fit yet more transistors into less space, creating an even more efficient computer chip.”

Computers have come a long way since the days of ENIAC. The first computer was a $6-million-dollar giant that stretched eight feet tall and 80 feet long, weighed 30 tons and needed frequent down time to replace failing vacuum tubes. A modern smart phone, in contrast, possesses about 13 hundred times the power of ENIAC and can fit in your pocket. It also costs about 17 thousand times less.

A megabyte of computer memory cost 400 million dollars in 1957. That’s a hefty price tag, even before taking inflation into account. In 2013 dollars, that would be 2.6 billion. In 2015, a megabyte of memory cost about one cent. … since 1980 [] the cost of a gigabyte of RAM fell from over 6 million dollars to less than five dollars; a gigabyte of hard drive storage fell from over 400 thousand dollars to three cents.

[computers] also enable a process called dematerialization—they allow us to produce and accomplish more with less.

This last point is supported by a chart from Cato showing a table of 5 by 13 icons from a camera to a level that you might find on a modern cell phone.

I still wonder about spending $3,000 for a TRS 80 model 1 tricked out system compared to a $5 microcontroller loaded with FOSS Microsoft BASIC compatible firmware (the Micromite) that has specs an order of magnitude better in all dimensions (e.g. RAM, ROM, speed, word size, built in peripherals).

It is easy to compare and contrast hardware cost and capability, but it is the software side that utilizes the hardware that puts the technology on the table. That is seen in the Cato chart. It is also visible in what is replacing BASIC. The 4K or 16K Microsoft personal computer firmware has given way to Integrated Development Environments supported by massive libraries of pre-built code and support for modern ideas and paradigms in software design.

Compare the old baked in BASIC with the new MicroPython as a REPL (run, execute, print, loop) environment to play with super simple computers. If you learned programming with FORTRAN or BASIC, Python can look somewhat similar. What tells you about how things have changed is when you figure out how Python implements concepts such as aggregate data objects, control structures, and iteration through data objects. There’s some meat for dinner there.

Scientific illiteracy

A good case of illiteracy over at CNN Money: Why more people are suddenly dying on U.S. roads by Matt McFarland.

But traffic safety experts said there was no single culprit for the surge in motor vehicle deaths. Smartphone use, cheaper gas prices, climate change and a strong economy all play a role.

“It’s a very complex system,” said Ken Kolosh, the director of statistical reporting at the National Safety Council. “You can never say emphatically it’s these two or three things.”

Climate change? That’s pulling up the modern era bogey man. Another doozy is the graph showing “fatalities caused by human error crashes.” This one classes speeding and unrestrained in the same class as impaired and distracted. Going fast is not necessarily speeding but it and failure to use seat belts can indeed increase injury risk in a crash but they don’t cause crashes. Drunk driving and not paying attention to driving do increase the risk of a crash but they don’t influence the risk of injury in a crash. Drunk driving may actually decrease the risk of severe injury but that is for another examination.

For example, the NSC found a 34% increase in deaths in Georgia. The state is seeing more single vehicle crashes, lane departures, over-corrections and striking of fixed objects.

“These are characteristics of distraction, and we believe texting to be the primary [cause],” said Harris Blackwood, the director of Georgia’s highway safety office.

The U.S. experienced its warmest winter ever in 2015 – 2016. With better weather, people are more likely to spend time outside on motorcycles and bicycles. Pedestrians are also more inclined to be outside during nice weather, creating more chances to be injured.

What is the connection between the 34% increase in deaths and the ‘more single vehicle crashes’? The two measures are placed together as if there is some connection but that connection is not described or shown, just assumed.

Then there’s climate change. It looks like the problem is that people like to get out in good weather and we just can’t have that, can we?

Yes it is a “very complex system” so why such simplistic and nonsensical assumptions and assertions? Is there an agenda or two in here providing bias not visible to the illiterate and ignorant?