Planet Linux Australia


Michael Davies: Planet Linux Australia... rebooted

Wed, 2016-05-11 13:55
Recently Linux Australia needed to move its infrastructure to a different place, and so we took the opportunity to build a fresh new instance of the Planet Linux Australia blog aggregator.

It made me realise how crusty the old site had become, how many things I had planned to do which I had left undone, and how I hadn't applied simple concepts such as Infrastructure as Code which have become accepted best-practices in the time since I originally set this up.

Of course things have changed in this time.  People blog less now, so I've also taken the opportunity to remove what appear to be dead blogs from the aggregator.   If you have a blog of interest to the Linux Australia community, you can ask to be added via emailing planet at linux dot org dot au. All you need is a valid Atom or RSS feed.

The other thing is that the blog aggregator software we use hasn't seen an update since 2011. It started out as PlanetPlanet, then moved on to Venus, and so I've taken a fork to hopefully improve this some more when I find my round tuit. Fortunately I don't still need to run it under Python 2.4, which is getting a little long in the tooth.

Finally, the config for Planet Linux Australia is up on github.  Just like the venus code itself, pull requests welcome.  Share and Enjoy :-)

Matthew Oliver: Simple Squid access log reporting.

Wed, 2016-05-11 13:07

Squid is one of the biggest and most used proxies on the interwebs. Generating reports from the access logs is already a done deal: there are many commercial and OSS apps that support the squid log format. But I found myself in a situation where I wanted stats but didn’t want to install a web server on my proxy or use syslog to push my logs to a centralised server running such software, and also wasn’t in a position to go buy one of those off-the-shelf, amazing whiz-bang Squid reporting and graphing tools.

As a Linux geek I surfed the web to see what others have done. I came across a list provided by the Squid website. Following a couple of links, I came across an awk script called ‘proxy_stats.gawk’ written by Richard Huveneers.

I downloaded it and tried it out… unfortunately it didn’t work. Looking at the code, which he nicely commented, showed that he had it set up for access logs from version 1.* of squid. Now the squid access log format from squid 2.6+ hasn’t changed too much from version 1.1; all they have really done is add a “content type” entry at the end of each line.

So as a good Linux geek does, he upgrades the script, my changes include:

  • Support for squid 2.6+
  • Removed the use of deprecated switches that are no longer supported by the sort command.
  • Now that there is an actual content type “column”, let’s use it to improve the “Object type report”.
  • Add a users section, as this was an important report I required which was missing.
  • And in a further hacked version, an auto generated size of the first “name” column.

Now with the explanation out of the way, let me show you it!

For those who are new to awk, this is how I’ve been running it:

zcat <access log file> | awk -f proxy_stats.gawk > <report-filename>

NOTE: I’ve been using it for some historical analysis, so I’m running it on old rotated files, which are compressed thus the zcat.

You can pass more than one file at a time and the order doesn’t matter, as each line of an access log contains the date in epoch time:

zcat `find /var/log/squid/ -name "access.log*"` |awk -f proxy_stats.gawk

The script produces an ASCII report (see the end of this blog entry for an example), which could be generated and emailed via cron. If you want it to look nice in any email client using HTML then I suggest wrapping it in <pre> tags:

<html>
<head><title>Report Title</title></head>
<body><h1>Report title</h1>
<pre>
... Report goes here ...
</pre></body></html>

For those experienced Linux sys admins out there using cron + ‘find -mtime’ would be a very simple way of having an automated daily, weekly or even monthly report.
But like I said earlier I was working on historic data, hundreds of files in a single report, hundreds because for business reasons we have been rotating the squid logs every hour… so I did what I do best, write a quick bash script to find all the files I needed to cat into the report:

#!/bin/bash
ACCESS_LOG_DIR="/var/log/squid/access.log*"
MONTH="$1"

function getFirstLine() {
    if [ -n "`echo $1 |grep "gz$"`" ]
    then
        zcat $1 |head -n 1
    else
        head -n 1 $1
    fi
}

function getLastLine() {
    if [ -n "`echo $1 |grep "gz$"`" ]
    then
        zcat $1 |tail -n 1
    else
        tail -n 1 $1
    fi
}

for log in `ls $ACCESS_LOG_DIR`
do
    firstLine="`getFirstLine $log`"
    epochStr="`echo $firstLine |awk '{print $1}'`"
    month=`date -d @$epochStr +%m`
    if [ "$month" -eq "$MONTH" ]
    then
        echo $log
        continue
    fi

    #Check the last line
    lastLine="`getLastLine $log`"
    epochStr="`echo $lastLine |awk '{print $1}'`"
    month=`date -d @$epochStr +%m`
    if [ "$month" -eq "$MONTH" ]
    then
        echo $log
    fi
done

So there you go, thanks to the work of Richard Huveneers there is a script that I think generates a pretty good ASCII report, which can be automated or integrated easily into any Linux/Unix work flow.

If you are interested in getting hold of the most up to date version of the script you can get it from my sysadmin GitHub repo here.

As promised earlier here is an example report:

Parsed lines  : 32960
Bad lines     : 0
First request : Mon 30 Jan 2012 12:06:43 EST
Last request  : Thu 09 Feb 2012 09:05:01 EST
Number of days: 9.9

Top 10 sites by xfers           reqs   %all %xfers   %hit         MB   %all   %hit     kB/xf      kB/s
------------------------- ------------------------------- ------------------------ -------------------
                                  20   0.1% 100.0%   0.0%        0.0   0.0%   0.0%       1.7       2.5
                                   1   0.0% 100.0%   0.0%        0.0   0.0%   0.0%      48.3      77.4
                                   1   0.0% 100.0%   0.0%        0.1   0.0%   0.0%      87.1       1.4
                                   1   0.0%   0.0%      -        0.0   0.0%      -         -         -
                                   2   0.0% 100.0%   0.0%        0.1   0.0%   0.0%      49.2      47.0
                                   1   0.0% 100.0%   0.0%        0.1   0.0%   0.0%     106.4     181.0
                                 198   0.6% 100.0%   0.0%       16.9   0.9%   0.0%      87.2    3332.8
                                  11   0.0% 100.0%   0.0%        0.1   0.0%   0.0%       7.6      18.3
                                  15   0.0% 100.0%   0.0%        0.1   0.0%   0.0%       7.5      27.1
                                   8   0.0% 100.0%  25.0%        3.2   0.2%   0.3%     414.1     120.5

Top 10 sites by MB              reqs   %all %xfers   %hit         MB   %all   %hit     kB/xf      kB/s
------------------------- ------------------------------- ------------------------ -------------------
                                   2   0.0% 100.0% 100.0%        0.0   0.0% 100.0%       3.1     289.6
                                   8   0.0% 100.0% 100.0%        0.1   0.0% 100.0%       7.5     320.0
                                   1   0.0% 100.0% 100.0%        0.0   0.0% 100.0%      36.0     901.0
                                   2   0.0% 100.0% 100.0%        0.0   0.0% 100.0%       3.8     223.6
                                   2   0.0% 100.0% 100.0%        0.0   0.0% 100.0%       1.1     441.4
                                   5   0.0%  60.0% 100.0%        0.0   0.0% 100.0%       6.8    2539.3
                                   2   0.0% 100.0% 100.0%        0.0   0.0% 100.0%      15.3     886.4
                                   1   0.0% 100.0% 100.0%        0.0   0.0% 100.0%       4.7     520.2
                                   2   0.0% 100.0% 100.0%        0.0   0.0% 100.0%       7.8    2920.9
                                   9   0.0% 100.0% 100.0%        0.0   0.0% 100.0%       1.5     794.5

Top 10 neighbor report          reqs   %all %xfers   %hit         MB   %all   %hit     kB/xf      kB/s
------------------------- ------------------------------- ------------------------ -------------------
                                   4   0.0% 100.0%   0.0%        0.0   0.0%      -       0.0       0.0
                                  16   0.0% 100.0%   0.0%        0.0   0.0%      -       0.0       0.0
                                   5   0.0% 100.0%   0.0%        0.0   0.0%      -       0.0       0.0
                                   2   0.0% 100.0%   0.0%        0.0   0.0%      -       0.0       0.0
                                   2   0.0% 100.0%   0.0%        0.0   0.0%      -       0.0       0.0
                                   2   0.0% 100.0%   0.0%        0.0   0.0%      -       0.0       0.0
                                   2   0.0% 100.0%   0.0%        0.0   0.0%      -       0.0       0.0
                                   1   0.0% 100.0%   0.0%        0.0   0.0%      -       0.0       0.0
                                   1   0.0% 100.0%   0.0%        0.0   0.0%      -       0.0       0.0
                                   1   0.0% 100.0%   0.0%        0.0   0.0%      -       0.0       0.0

Local code                      reqs   %all %xfers   %hit         MB   %all   %hit     kB/xf      kB/s
------------------------- ------------------------------- ------------------------ -------------------
TCP_CLIENT_REFRESH_MISS         2160   6.6% 100.0%   0.0%        7.2   0.4%   0.0%       3.4      12.9
TCP_HIT                          256   0.8% 100.0%  83.2%       14.0   0.8% 100.0%      56.0    1289.3
TCP_IMS_HIT                      467   1.4% 100.0% 100.0%       16.9   0.9% 100.0%      37.2    1747.4
TCP_MEM_HIT                      426   1.3% 100.0% 100.0%       96.5   5.3% 100.0%     232.0    3680.9
TCP_MISS                       27745  84.2%  97.4%   0.0%     1561.7  85.7%   0.3%      59.2      18.2
TCP_REFRESH_FAIL                  16   0.0% 100.0%   0.0%        0.2   0.0%   0.0%      10.7       0.1
TCP_REFRESH_MODIFIED             477   1.4%  99.8%   0.0%       35.0   1.9%   0.0%      75.3    1399.4
TCP_REFRESH_UNMODIFIED          1413   4.3% 100.0%   0.0%       91.0   5.0%   0.0%      66.0     183.5

Status code                     reqs   %all %xfers   %hit         MB   %all   %hit     kB/xf      kB/s
------------------------- ------------------------------- ------------------------ -------------------
000                              620   1.9% 100.0%   0.0%        0.0   0.0%      -       0.0       0.0
200                            29409  89.2% 100.0%   2.9%     1709.7  93.8%   7.7%      59.5     137.1
204                              407   1.2% 100.0%   0.0%        0.2   0.0%   0.0%       0.4       1.4
206                              489   1.5% 100.0%   0.0%      112.1   6.1%   0.0%     234.7     193.0
301                               82   0.2% 100.0%   0.0%        0.1   0.0%   0.0%       0.7       1.5
302                              356   1.1% 100.0%   0.0%        0.3   0.0%   0.0%       0.8       2.7
303                                5   0.0% 100.0%   0.0%        0.0   0.0%   0.0%       0.7       1.5
304                              862   2.6% 100.0%  31.2%        0.4   0.0%  30.9%       0.4      34.2
400                                1   0.0%   0.0%      -        0.0   0.0%      -         -         -
401                                1   0.0%   0.0%      -        0.0   0.0%      -         -         -
403                               47   0.1%   0.0%      -        0.0   0.0%      -         -         -
404                              273   0.8%   0.0%      -        0.0   0.0%      -         -         -
500                                2   0.0%   0.0%      -        0.0   0.0%      -         -         -
502                               12   0.0%   0.0%      -        0.0   0.0%      -         -         -
503                               50   0.2%   0.0%      -        0.0   0.0%      -         -         -
504                              344   1.0%   0.0%      -        0.0   0.0%      -         -         -

Hierarchie code                 reqs   %all %xfers   %hit         MB   %all   %hit     kB/xf      kB/s
------------------------- ------------------------------- ------------------------ -------------------
DIRECT                         31843  96.6%  97.7%   0.0%     1691.0  92.8%   0.0%      55.7      44.3
NONE                            1117   3.4% 100.0% 100.0%      131.6   7.2% 100.0%     120.7    2488.2

Method report                   reqs   %all %xfers   %hit         MB   %all   %hit     kB/xf      kB/s
------------------------- ------------------------------- ------------------------ -------------------
CONNECT                         5485  16.6%  99.2%   0.0%      132.8   7.3%   0.0%      25.0       0.3
GET                            23190  70.4%  97.7%   4.9%     1686.3  92.5%   7.8%      76.2     183.2
HEAD                            2130   6.5%  93.7%   0.0%        0.7   0.0%   0.0%       0.3       1.1
POST                            2155   6.5%  99.4%   0.0%        2.9   0.2%   0.0%       1.4       2.0

Object type report              reqs   %all %xfers   %hit         MB   %all   %hit     kB/xf      kB/s
------------------------- ------------------------------- ------------------------ -------------------
*/*                                1   0.0% 100.0%   0.0%        0.0   0.0%   0.0%       1.6       3.2
application/cache-digest         396   1.2% 100.0%  50.0%       33.7   1.8%  50.0%      87.1    3655.1
application/gzip                   1   0.0% 100.0%   0.0%        0.1   0.0%   0.0%      61.0      30.8
application/javascript           227   0.7% 100.0%  12.3%        2.2   0.1%   7.7%       9.9      91.9
application/json                 409   1.2% 100.0%   0.0%        1.6   0.1%   0.0%       4.1       6.0
application/ocsp-response        105   0.3% 100.0%   0.0%        0.2   0.0%   0.0%       1.9       2.0
application/octet-stream         353   1.1% 100.0%   6.8%       81.4   4.5%   9.3%     236.1     406.9
application/pdf                    5   0.0% 100.0%   0.0%       13.5   0.7%   0.0%    2763.3      75.9
application/pkix-crl              96   0.3% 100.0%  13.5%        1.0   0.1%   1.7%      10.6       7.0
application/                    1146   3.5% 100.0%   0.0%        1.3   0.1%   0.0%       1.1       2.4
application/                    4733  14.4% 100.0%   0.0%       18.8   1.0%   0.0%       4.1      13.4
application/x-bzip2               19   0.1% 100.0%   0.0%       78.5   4.3%   0.0%    4232.9     225.5
application/x-gzip               316   1.0% 100.0%  59.8%      133.4   7.3%  59.3%     432.4    3398.1
application/x-javascript        1036   3.1% 100.0%   5.8%        9.8   0.5%   3.4%       9.7      52.1
application/xml                   46   0.1% 100.0%  34.8%        0.2   0.0%  35.1%       3.5     219.7
application/x-msdos-progr        187   0.6% 100.0%   0.0%       24.4   1.3%   0.0%     133.7     149.6
application/x-pkcs7-crl           83   0.3% 100.0%   7.2%        1.6   0.1%   0.4%      19.8      10.8
application/x-redhat-pack         13   0.0% 100.0%   0.0%       57.6   3.2%   0.0%    4540.7     156.7
application/x-rpm                507   1.5% 100.0%   6.3%      545.7  29.9%   1.5%    1102.2     842.8
application/x-sdlc                 1   0.0% 100.0%   0.0%        0.9   0.0%   0.0%     888.3     135.9
application/x-shockwave-f        109   0.3% 100.0%  11.9%        5.4   0.3%  44.5%      50.6     524.1
application/x-tar                  9   0.0% 100.0%   0.0%        1.5   0.1%   0.0%     165.3      36.4
application/x-www-form-ur         11   0.0% 100.0%   0.0%        0.1   0.0%   0.0%       9.9      15.4
application/x-xpinstall            2   0.0% 100.0%   0.0%        2.5   0.1%   0.0%    1300.6     174.7
application/zip                 1802   5.5% 100.0%   0.0%      104.0   5.7%   0.0%      59.1       2.5
Archive                           89   0.3% 100.0%   0.0%        0.0   0.0%      -       0.0       0.0
audio/mpeg                         2   0.0% 100.0%   0.0%        5.8   0.3%   0.0%    2958.2      49.3
binary/octet-stream                2   0.0% 100.0%   0.0%        0.0   0.0%   0.0%       5.5      14.7
font/ttf                           2   0.0% 100.0%   0.0%        0.0   0.0%   0.0%      15.5      12.5
font/woff                          1   0.0% 100.0% 100.0%        0.0   0.0% 100.0%      42.5    3539.6
Graphics                         126   0.4% 100.0%   0.0%        0.1   0.0%   0.0%       0.6       2.5
HTML                              14   0.0% 100.0%   0.0%        0.0   0.0%   0.0%       0.1       0.1
image/bmp                          1   0.0% 100.0%   0.0%        0.0   0.0%   0.0%       1.3       3.9
image/gif                       5095  15.5% 100.0%   2.4%       35.9   2.0%   0.7%       7.2       9.5
image/jpeg                      1984   6.0% 100.0%   4.3%       52.4   2.9%   0.6%      27.0      62.9
image/png                       1684   5.1% 100.0%  10.3%       28.6   1.6%   1.9%      17.4     122.2
image/                            10   0.0% 100.0%  30.0%        0.0   0.0%  12.8%       1.0       3.3
image/x-icon                      72   0.2% 100.0%  16.7%        0.2   0.0%   6.0%       3.2      15.0
multipart/bag                      6   0.0% 100.0%   0.0%        0.1   0.0%   0.0%      25.2      32.9
multipart/byteranges              93   0.3% 100.0%   0.0%       16.5   0.9%   0.0%     182.0     178.4
text/cache-manifest                1   0.0% 100.0%   0.0%        0.0   0.0%   0.0%       0.7       3.1
text/css                         470   1.4% 100.0%   7.9%        3.4   0.2%   5.8%       7.4      59.7
text/html                       2308   7.0%  70.7%   0.4%        9.6   0.5%   0.6%       6.0      14.7
text/javascript                 1243   3.8% 100.0%   2.7%       11.1   0.6%   5.2%       9.1      43.3
text/json                          1   0.0% 100.0%   0.0%        0.0   0.0%   0.0%       0.5       0.7
text/plain                      1445   4.4%  99.4%   1.5%       68.8   3.8%   5.5%      49.0      41.9
text/x-cross-domain-polic         24   0.1% 100.0%   0.0%        0.0   0.0%   0.0%       0.7       1.7
text/x-js                          2   0.0% 100.0%   0.0%        0.0   0.0%   0.0%      10.1       6.4
text/x-json                        9   0.0% 100.0%   0.0%        0.0   0.0%   0.0%       3.0       8.5
text/xml                         309   0.9% 100.0%  12.9%       12.9   0.7%  87.5%      42.8     672.3
unknown/unknown                 6230  18.9%  99.3%   0.0%      132.9   7.3%   0.0%      22.0       0.4
video/mp4                          5   0.0% 100.0%   0.0%        3.2   0.2%   0.0%     660.8      62.7
video/x-flv                      117   0.4% 100.0%   0.0%      321.6  17.6%   0.0%    2814.9     308.3
video/x-ms-asf                     2   0.0% 100.0%   0.0%        0.0   0.0%   0.0%       1.1       4.7

Ident (User) Report             reqs   %all %xfers   %hit         MB   %all   %hit     kB/xf      kB/s
------------------------- ------------------------------- ------------------------ -------------------
-                              32960 100.0%  97.8%   3.5%     1822.6 100.0%   7.2%      57.9     129.0

Weekly report                   reqs   %all %xfers   %hit         MB   %all   %hit     kB/xf      kB/s
------------------------- ------------------------------- ------------------------ -------------------
2012/01/26                     14963  45.4%  97.6%   3.6%      959.8  52.7%   1.8%      67.3     104.5
2012/02/02                     17997  54.6%  98.0%   3.4%      862.8  47.3%  13.2%      50.1     149.4

Total report                    reqs   %all %xfers   %hit         MB   %all   %hit     kB/xf      kB/s
------------------------- ------------------------------- ------------------------ -------------------
All requests                   32960 100.0%  97.8%   3.5%     1822.6 100.0%   7.2%      57.9     129.0

Produced by : Mollie's hacked access-flow 0.5
Running time: 2 seconds

Happy squid reporting!
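
The native access log layout this post relies on (epoch time first, content type last), shown as an added example that is not part of the original post or of proxy_stats.gawk: a small per-user summary in awk. The log lines are constructed, and counting any result code containing HIT as a cache hit is a simplification assumed here.

```shell
#!/bin/sh
# Constructed sample lines in Squid's native access.log format (2.6+):
# time elapsed client code/status bytes method URL ident hierarchy/peer content-type
sample_log() {
cat <<'EOF'
1328576803.123    120 10.0.0.5 TCP_MISS/200 20480 GET http://example.lan/a.rpm alice DIRECT/192.0.2.10 application/x-rpm
1328576810.456      3 10.0.0.5 TCP_MEM_HIT/200 1024 GET http://example.lan/logo.png alice NONE/- image/png
1328490403.000     45 10.0.0.9 TCP_MISS/404 512 GET http://example.lan/missing bob DIRECT/192.0.2.10 text/html
1328576900.789     10 10.0.0.5 TCP_HIT/200 2048 GET http://example.lan/site.css alice NONE/- text/css
this line is truncated
EOF
}

# user_report: read access log lines on stdin and print, sorted:
#   user <ident> <requests> <bytes> <hit percent>
#   first_epoch / last_epoch / bad_lines
user_report() {
    awk '
    # Skip anything that is not a complete native-format entry.
    NF < 10 || $1 !~ /^[0-9]+(\.[0-9]+)?$/ || $5 !~ /^[0-9]+$/ { bad++; next }
    {
        # Input order does not matter: track the epoch range as we go.
        t = $1 + 0
        if (!seen++ || t < first) first = t
        if (t > last) last = t

        split($4, code, "/")      # e.g. TCP_MISS/200
        user = $8                 # "-" when no ident/auth user was logged
        reqs[user]++
        bytes[user] += $5
        if (code[1] ~ /HIT/) hits[user]++
    }
    END {
        for (u in reqs)
            printf "user %s %d %d %.1f\n", u, reqs[u], bytes[u], 100 * hits[u] / reqs[u]
        printf "first_epoch %d\nlast_epoch %d\nbad_lines %d\n", first, last, bad
    }' | sort
}

sample_log | user_report
```

On rotated, compressed logs the same function can be fed with `zcat`, exactly as the post does for proxy_stats.gawk.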

Matthew Oliver: Use xmllint and vim to format xml documents

Wed, 2016-05-11 13:07

If you want vim to nicely format an XML file (and a xena file in this example, 2nd line) then add this to your ~/.vimrc file:
" Format *.xml and *.xena files by sending them to xmllint
au FileType xml exe ":silent 1,$!xmllint --format --recover - 2>/dev/null"
au FileType xena exe ":silent 1,$!xmllint --format --recover - 2>/dev/null"

This uses the xmllint command to format the XML file, which is useful for XML docs that aren’t formatted in the file.

Matthew Oliver: I’m now an OpenStack developer.

Wed, 2016-05-11 13:07

Hello world,

It’s been a while since I have blogged on this site, I apologise for that. My previous position was a tad proprietary, so although I worked with Linux, what I was doing needs to be sanitised before I can post about it. I have a bunch of posts in the cooker from those days still awaiting sanitation. But I have some great news… I am now an OpenStack developer.

It’s been a busy year: married, moved over to the UK to work for an amazing company that needs no introduction, Rackspace. Over there I was working with Linux in a Support/DevOps style role, but am back in Oz now with a new team at Rackspace! The Rackspace Cloud Builders. In this role I’ll be getting my development hat on and developing for upstream OpenStack again and am so excited about it.

Watch this space!!!


Matthew Oliver: chkconfig-ify an existing init script.

Wed, 2016-05-11 13:07

If you are using a 3rd party application / package installer to install a service onto a system that uses chkconfig to manage its run-levels, or are writing your own init scripts, they may be incompatible with chkconfig. That is to say, when trying to add them you get the following error:

# chkconfig <service> on
service <service> does not support chkconfig

Then it needs to be converted to support chkconfig. Don’t worry, it isn’t a rewrite, it’s just adding some meta-data to the init script.
Just edit the init script and add the following lines just below the sha-bang (#!/bin/bash or #!/bin/sh).

# chkconfig: 2345 95 05
# description:
# processname:

NOTE: The numbers on the chkconfig line mean:

That on runlevels 2,3,4 and 5, this subsystem will be activated with priority 95 (one of the lasts), and deactivated with priority 05 (one of the firsts).

The above quote comes from this post where I found this solution, so I am passing it on.

For those playing along at home, chkconfig is the Redhat/Centos/Fedora way of managing your run-levels.

Matthew Oliver: Centos 4 / RHEL 4 Bind 9.7.3-8 RPMs.

Wed, 2016-05-11 13:07

In case anyone out there in internet land happens to have a BIND DNS server still running RHEL 4 or Centos 4 and requires a version that has been backported from the Centos 6.2 source, one that has the CVE-2012-1667 fix, then you can download the RPMs I built from here.

NOTE: I’ve only just built them, so haven’t tested them yet, but thought it’ll be better to share. Also they aren’t x86_64, if you need them, let me know and I’ll build some.

Matthew Oliver: Debian 6 GNU/KFreeBSD Grub problems on VirtualBox

Wed, 2016-05-11 13:07

Debian 6 was released the other day, with this release they not only released a Linux kernel version but they now support a FreeBSD version as well!
So I decided to install it under VirtualBox and check it out…

The install process went smoothly until I got to the end when it was installing and setting up grub2. It installed ok on the MBR but got an error in the installer while trying to set it up. I jumped into the console to take a look around.

I started off trying to run the update-grub command which fails silently (checking $? shows the return code of 1). On closer inspection I noticed the command created an incomplete grub config named /boot/grub/

So all we need to do is finish off this config file. So jump back into the installer and select continue without boot loader, this will pop up a message about what you must set the root partition as when you do set up a boot loader, so take note of it.. mine was /dev/ad0s5.

OK, with that info we can finish off our config file. Firstly lets rename the incomplete one:
cp /boot/grub/ /boot/grub/grub.cfg

Now my /boot/grub/grub.cfg ended like:
### BEGIN /etc/grub.d/10_kfreebsd ###
menuentry 'Debian GNU/kFreeBSD, with kFreeBSD 8.1-1-amd64' --class debian --class gnu-kfreebsd --class gnu --class os {
insmod part_msdos
insmod ext2

set root='(hd0,1)'
search --no-floppy --fs-uuid --set dac05f8a-2746-4feb-a29d-31baea1ce751
echo 'Loading kernel of FreeBSD 8.1-1-amd64 ...'
kfreebsd /kfreebsd-8.1-1-amd64.gz

So I needed to add the following to finish it off (note that I’ll repeat that last part):
### BEGIN /etc/grub.d/10_kfreebsd ###
menuentry 'Debian GNU/kFreeBSD, with kFreeBSD 8.1-1-amd64' --class debian --class gnu-kfreebsd --class gnu --class os {
insmod part_msdos
insmod ext2
insmod ufs2

set root='(hd0,1)'
search --no-floppy --fs-uuid --set dac05f8a-2746-4feb-a29d-31baea1ce751
echo 'Loading kernel of FreeBSD 8.1-1-amd64 ...'
kfreebsd /kfreebsd-8.1-1-amd64.gz
set kFreeBSD.vfs.root.mountfrom=ufs:/dev/ad0s5
set kFreeBSD.vfs.root.mountfrom.options=rw
}

Note: My root filesystem was UFS, thus the ‘ufs:/dev/ad0s5’ in the mountfrom option.

That’s it, your Debian GNU/kFreeBSD should now boot successfully.

Matthew Oliver: NTLM Authentication in Squid using Winbind.

Wed, 2016-05-11 13:07

Some old Windows servers require authentication through the old NTLM protocol; luckily, with help from squid, samba and winbind, we can do this under Linux.

Some URLs from which much of this information was gathered are:



In order to authenticate through winbind we will be using that and samba to connect to a windows domain, so you will need to have a domain and the details for it or all this will be for naught. I’ll use some fake credentials for this post.

Required Packages
Let’s install all the required packages:

yum install squid krb5-workstation samba-common ntp samba-winbind authconfig

NTP (Network Time Protocol)
Kerberos and winbind can be a little thingy about date and time, so it’s a good idea to use NTP for your network. I’ll assume your domain controller (DC) will also be your NTP server, in which case let’s set it up.

Comment out any lines that begin with server and create only one that points to your Active Directory PDC.

# vim /etc/ntp.conf
server pdc.test.lan

Now add it to the default runlevels and start it.

chkconfig ntpd on
/etc/init.d/ntpd start

Samba, Winbind and Kerberos
We will use the authconfig package/command we installed earlier to configure Samba, Winbind and perform the join in one step, this makes things _SO_ much

NOTE: If you don’t have DNS set up then you will need to add the DC to your hosts file, and it is important to use the name the DC machine knows itself as in AD.

authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=pdc.test.lan \
--krb5realm=TEST.LAN --smbservers=pdc.test.lan --smbworkgroup=TESTLAN \
--enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=TEST.LAN \
--smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
--winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline \
--winbindjoin=administrator --disablewins --disablecache --enablelocauthorize --updateall

NOTE: Replace pdc.test.lan with the FQDN of your DC server, TESTLAN with your domain, TEST.LAN with the full name of the domain/realm, and make sure you set ‘--winbindjoin’ to a domain admin.

If that succeeds, let’s test it:

# wbinfo -u
# wbinfo -g

If you are able to enumerate your Active Directory Groups and Users, everything is working.

Next let’s test that we can authenticate with winbind:

# wbinfo -a


# wbinfo -a testuser
Enter testuser's password:
plaintext password authentication succeeded
Enter testuser's password:
challenge/response password authentication succeeded

Great, we have been added to the domain, so now we can setup squid for NTLM authentication.

SQUID Configuration
Squid comes with its own ntlm authentication binary (/usr/lib64/squid/ntlm_smb_lm_auth) which uses winbind, but as of Samba 3.x, samba bundle their own which is the recommended binary to use (according to the squid and samba projects). So the binary we use comes from the samba-winbind package we installed earlier:


Add the following configuration elements to the squid.conf to enable NTLM authentication:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on

acl ntlm proxy_auth REQUIRED
http_access allow ntlm

NOTE: The above allows anyone access as long as they authenticate themselves via NTLM; you could use further ACLs to restrict this more.

The ntlm_auth binary has other switches that might be of use, such as restricting users by group membership:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=EXAMPLE+ADGROUP

Before we are complete there is one more thing we need to do: for squid to be allowed to use winbind, the squid user (which was created when the squid package was installed) needs to be a member of the wbpriv group:

gpasswd -a squid wbpriv

NTLM authentication WILL FAIL if you have “cache_effective_group squid” set; if you do, then remove it! It overrides the effective group, so squid is no longer seen as part of the ‘wbpriv’ group, which breaks authentication!!!

Add squid to the runlevels and start it:

# chkconfig squid on
# /etc/init.d/squid start

Troubleshooting
Make sure you open the port in iptables, if squid is listening on 3128 then:

# iptables -I INPUT 1 -p tcp --dport 3128 -j ACCEPT
# /etc/init.d/iptables save

NOTE: The ‘/etc/init.d/iptables save’ command saves the current running configuration so the new rule will be applied on reboot.

Happy squid-ing.
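
One way to check a squid.conf for the pitfalls described in this post, as an added example that is not from the original post or from the Squid or Samba projects. The function names and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the post's configuration with group restriction added.
good_conf() {
cat <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=EXAMPLE+ADGROUP
auth_param ntlm children 5
auth_param ntlm keep_alive on
acl ntlm proxy_auth REQUIRED
http_access allow ntlm
http_access deny all
EOF
}

# Constructed sample: effective group overridden and the acl commented out.
bad_conf() {
cat <<'EOF'
cache_effective_user squid
cache_effective_group squid
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
# acl ntlm proxy_auth REQUIRED
http_access allow ntlm
EOF
}

# check_ntlm_conf: read a squid.conf on stdin, print one finding per line,
# return 1 if any FAIL was found.
check_ntlm_conf() {
    # Drop comments and blank lines so commented-out directives are ignored.
    conf=$(grep -Ev '^[[:space:]]*(#|$)' || true)
    rc=0

    # cache_effective_group overrides squid's groups, wbpriv included.
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*cache_effective_group[[:space:]]'; then
        echo "FAIL cache_effective_group is set (squid loses its wbpriv membership)"
        rc=1
    fi

    helper=$(printf '%s\n' "$conf" |
        grep -E '^[[:space:]]*auth_param[[:space:]]+ntlm[[:space:]]+program[[:space:]]' || true)
    case "$helper" in
        *ntlm_auth*--helper-protocol=squid-2.5-ntlmssp*)
            case "$helper" in
                *--require-membership-of=*) ;;
                *) echo "WARN helper accepts any authenticated domain user (no --require-membership-of)" ;;
            esac ;;
        *)
            echo "FAIL no ntlm_auth helper with --helper-protocol=squid-2.5-ntlmssp"
            rc=1 ;;
    esac

    # Find the proxy_auth REQUIRED acl, then make sure an allow rule uses it.
    acl=$(printf '%s\n' "$conf" |
        awk '$1 == "acl" && $3 == "proxy_auth" && $4 == "REQUIRED" { print $2; exit }')
    if [ -z "$acl" ]; then
        echo "FAIL no 'acl <name> proxy_auth REQUIRED' defined"
        rc=1
    elif ! printf '%s\n' "$conf" | awk -v a="$acl" '
            $1 == "http_access" && $2 == "allow" { for (i = 3; i <= NF; i++) if ($i == a) found = 1 }
            END { exit !found }'; then
        echo "FAIL acl $acl is never used in an http_access allow rule"
        rc=1
    fi
    return $rc
}

# squid_in_wbpriv: true when the squid user is in the wbpriv group (run on the proxy).
squid_in_wbpriv() { id -nG squid 2>/dev/null | tr ' ' '\n' | grep -qx wbpriv; }

good_conf | check_ntlm_conf && echo "good_conf: OK"
bad_conf | check_ntlm_conf || echo "bad_conf: needs fixing"
```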

Matthew Oliver: Postfix – Making sense of delays in mail

Wed, 2016-05-11 13:07

The maillog

The maillog is easy enough to follow, but once you understand what the delay and delays numbers mean, it can really help you understand what is going on!
A standard email entry in postfix looks like:

Jan 10 10:00:00 testmtr postfix/smtp[20123]: 34A1B160852B: to=, relay=mx1.example.lan[]:25, delay=0.49, delays=0.2/0/0.04/0.25, dsn=2.0.0, status=sent

Pretty straight forward: date, email identifier in the mailq (34A1B160852B), recipient, which server the email is being sent to (relay). It is the delay and delays I’d like to talk about.

Delay and Delays
If we take a look at the example email from above:

Jan 10 10:00:00 testmtr postfix/smtp[20123]: 34A1B160852B: to=, relay=mx1.example.lan[]:25, delay=0.49, delays=0.2/0/0.04/0.25, dsn=2.0.0, status=sent

The delay parameter (delay=0.49) is fairly self explanatory, it is the total amount of time this email (34A1B160852B) has been on this server. But what is the delays parameter all about?


NOTE: Numbers smaller than 0.01 seconds are truncated to 0, to reduce the noise level in the logfile.

You might have guessed it is a breakdown of the total delay, but what does each number represent?

Well from the release notes we get:

a=time before queue manager, including message transmission;
b=time in queue manager;
c=connection setup time including DNS, HELO and TLS;
d=message transmission time.

Therefore, looking at our example:

  • a (0.2): The time before getting to the queue manager, so the time it took to be transmitted onto the mail server and into postfix.
  • b (0): The time in queue manager, so this email didn’t hit the queues, so it was emailed straight away.
  • c (0.04): The time it took to set up a connection with the destination mail relay.
  • d (0.25): The time it took to transmit the email to the destination mail relay.

However, if the email is deferred, then when another attempt is made to send it:

Jan 10 10:00:00 testmtr postfix/smtp[20123]: 34A1B160852B: to=, relay=mx1.example.lan[]:25, delay=82, delays=0.25/0/0.5/81, dsn=4.4.2, status=deferred (lost connection with mx1.example.lan[] while sending end of data -- message may be sent more than once)

Jan 10 testmtr postfix/smtp[20123]: 34A1B160852B: to=, relay=mx1.example.lan[]:25, delay=1092, delays=1091/0.2/0.8/0.25, dsn=2.0.0, status=sent

This time the first entry shows how long the destination mail relay took to time out and close the connection:

Therefore: 81 seconds.

The email was deferred then about 15 minutes later (1009 seconds [delays – <total delay from last attempt> ]) another attempt is made.
This time the delay is a lot larger, as the total time this email has spent on the server is a lot longer.

delay=1092, delays=1091/0.2/0.8/0.25

What is interesting though is that the value of ‘a’ is now 1091, which means that when an email is resent, the ‘a’ value in the breakdown also includes the amount of time this email has already spent on the system (before this attempt).

So there you go, those delays values are rather interesting and can really help work out where bottlenecks lie on your system. In the above case we obviously had some problem communicating with the destination mail relay, but it worked the second time, so it isn’t a problem with our system… or so I’d like to think.
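The breakdown above can be automated. The following is an added example, not code from the original post: it parses delivery lines, reports the slowest stage per attempt, and for a retry computes the wait since the previous attempt (‘a’ minus the previous total delay) instead of treating the inflated ‘a’ as a bottleneck. The sample log is constructed from the post's timings; the second queue ID and the timestamps are made up.

```python
import re

# Stage meanings as quoted from the release notes in the post.
STAGES = {
    "a": "before queue manager, including message transmission",
    "b": "in queue manager",
    "c": "connection setup including DNS, HELO and TLS",
    "d": "message transmission",
}

LINE_RE = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>\w+): .*?"
    r"delay=(?P<delay>[\d.]+), "
    r"delays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+), "
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)

# Constructed sample: timings follow the post's examples; the second queue ID
# and the timestamps of the retried message are made up for illustration.
SAMPLE_LOG = """\
Jan 10 10:00:00 testmtr postfix/smtp[20123]: 34A1B160852B: to=, relay=mx1.example.lan[]:25, delay=0.49, delays=0.2/0/0.04/0.25, dsn=2.0.0, status=sent
Jan 10 10:01:22 testmtr postfix/smtp[20123]: 7C2D91A0F3E4: to=, relay=mx1.example.lan[]:25, delay=82, delays=0.25/0/0.5/81, dsn=4.4.2, status=deferred (lost connection with mx1.example.lan[] while sending end of data -- message may be sent more than once)
Jan 10 10:18:12 testmtr postfix/smtp[20125]: 7C2D91A0F3E4: to=, relay=mx1.example.lan[]:25, delay=1092, delays=1091/0.2/0.8/0.25, dsn=2.0.0, status=sent
"""


def parse_delivery(line):
    """Return the timing fields of one delivery log line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "qid": m["qid"],
        "status": m["status"],
        "dsn": m["dsn"],
        "delay": float(m["delay"]),
        "stages": {s: float(m[s]) for s in STAGES},
    }


def analyse(log_text):
    """Per attempt: the slowest stage, and for retries the wait since the last try."""
    previous = {}   # queue ID -> total delay logged at the previous attempt
    report = []
    for line in log_text.splitlines():
        rec = parse_delivery(line)
        if rec is None:
            continue
        stages = dict(rec["stages"])
        waited = None
        if rec["qid"] in previous:
            # On a retry 'a' also counts the time already spent on the system,
            # so report the gap between attempts and leave 'a' out of the ranking.
            waited = round(stages.pop("a") - previous[rec["qid"]], 2)
        slowest = max(stages, key=stages.get)
        previous[rec["qid"]] = rec["delay"]
        report.append((rec["qid"], rec["status"], slowest, stages[slowest], waited))
    return report


if __name__ == "__main__":
    for qid, status, stage, secs, waited in analyse(SAMPLE_LOG):
        note = "" if waited is None else f", {waited}s since previous attempt"
        print(f"{qid} {status}: slowest stage {stage} ({STAGES[stage]}) {secs}s{note}")
```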

Matthew Oliver: Identically partition disks.. the easy way!

Wed, 2016-05-11 13:07

Was just looking into a software RAID howto.. for no reason really, but kinda glad I did! When you set up software raid you want to make sure all disks are partitioned the same, right? So check this out:

3. Create partitions on /dev/sda identical to the partitions on /dev/sdb:

sfdisk -d /dev/sdb | sfdisk /dev/sda

That’s a much easier way.

Matthew Oliver: Reverse proxy using squid + Redirection

Wed, 2016-05-11 13:07

Squid – Reverse Proxy

In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as though they originated from the reverse proxy itself. While a forward proxy is usually situated between the client application (such as a web browser) and the server(s) hosting the desired resources, a reverse proxy is usually situated closer to the server(s) and will only return a configured set of resources.



Squid should already be installed, if not then install it:

yum install squid

Then we edit squid config:

vim /etc/squid/squid.conf

And we add the following to the top of the file:

http_port 80 vhost
https_port 443 cert=/etc/squid/localhost.crt key=/etc/squid/localhost.key vhost

cache_effective_user squid
cache_effective_group squid

cache_peer parent 80 0 no-query originserver login=PASS name=site1-http
cache_peer parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=site2-ssl
cache_peer_domain site1-http site1.example.lan
cache_peer_domain site2-ssl site2.anotherexample.lan

acl bad_requests urlpath_regex -i cmd.exe \/bin\/sh \/bin\/bash default\.ida?XXX insert update delete select
http_access deny bad_requests

Now I’ll walk us through the above configuration.

http_port 80 vhost
https_port 443 cert=/etc/squid/localhost.crt key=/etc/squid/localhost.key vhost

This sets the http and https ports squid is listening on. Note the cert options for https: squid can terminate https at the proxy and use an unencrypted link for the last hop if we want, which is cool if for some reason the server doesn’t support https.

cache_effective_user squid
cache_effective_group squid

Set the effective user and group for squid.. this may not be required, but doesn’t hurt.

cache_peer parent 80 0 no-query originserver name=site1-http
cache_peer parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=site2-ssl
cache_peer_domain site1-http site1.example.lan
cache_peer_domain site2-ssl site2.anotherexample.lan

This is the magic. The first two lines tell squid which peer to reverse proxy for and what port to use. Note that if you use ssl, ‘sslflags=DONT_VERIFY_PEER’ is useful, otherwise if you’re using a self-signed cert you’ll have certificate errors. It works by switching off verification of the origin server’s certificate, so squid will accept whatever certificate the peer presents.

IMPORTANT: If you want to allow http authentication (auth handled by the web server, such as htaccess) then you need to add ‘login=PASS’, otherwise squid will try to authenticate to squid rather than the http server.

The last two lines reference the first two and tell squid the domains to listen to, so if someone connects to squid looking for that domain it knows where to go/cache.

acl bad_requests urlpath_regex -i cmd.exe \/bin\/sh \/bin\/bash default\.ida?XXX insert update delete select
http_access deny bad_requests

NOTE: The acl line may display wrapped over two lines; it should be entered as one line. There should be just the ACL line and the http_access line.
These lines define a set of bad requests to which we deny access. This is to help prevent SQL injection and other hack attempts.

That’s it, after a (re)start of squid it will be reverse proxying the domains.

Redirect to SSL

We had a requirement to automatically redirect to https if someone came in on http. Squid allows redirecting in a variety of ways. You can write a redirect script and get squid to use it, but there is a simpler way, using only squid internals and acls.

Add the following to the entries added in the last section:

acl port80 myport 80
acl site1 dstdomain site1.example.lan
http_access deny port80 site1
deny_info https://site1.example.lan/ site1

acl site2 dstdomain site2.anotherexample.lan
http_access deny port80 site2
deny_info https://site2.anotherexample.lan/ site2

We create an acl for squid’s port 80 and then one for the domain we want to redirect. We then use “http_access deny” to cause squid to deny access to that domain coming in on port 80 (http). This causes a deny which is caught by the deny_info, which redirects it to https.

The order of the acls used in the http_access and the deny_info is important. Squid only remembers the last acl used by a http_access command and will look for a corresponding deny_info matched to that acl. So make sure the last acl matches the acl used in the deny_info statement!



The following is the configuration all put together now.

Reverse proxy + redirection:

http_port 80 vhost
https_port 443 cert=/etc/squid/localhost.crt key=/etc/squid/localhost.key vhost

cache_effective_user squid
cache_effective_group squid

cache_peer parent 80 0 no-query originserver login=PASS name=site1-http
cache_peer parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=site2-ssl
cache_peer_domain site1-http site1.example.lan
cache_peer_domain site2-ssl site2.anotherexample.lan

acl bad_requests urlpath_regex -i cmd.exe \/bin\/sh \/bin\/bash default\.ida?XXX insert update delete select
http_access deny bad_requests

acl port80 myport 80
acl site1 dstdomain site1.example.lan
http_access deny port80 site1
deny_info https://site1.example.lan/ site1

acl site2 dstdomain site2.anotherexample.lan
http_access deny port80 site2
deny_info https://site2.anotherexample.lan/ site2
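To check how these rules interact before deploying them, here is a simplified model of the http_access and deny_info logic described above. It is an added example, not part of the original post and not Squid's own code; it looks only at the path component of the URL and assumes the rest of squid.conf follows these lines. It shows the redirect, the effect of swapping the acl order, and that the unanchored words in bad_requests also block ordinary paths that merely contain them.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

Request = namedtuple("Request", "host port path")

# Patterns, ACL names and URLs are taken from the post's squid.conf lines.
BAD_PATTERNS = [r"cmd.exe", r"\/bin\/sh", r"\/bin\/bash", r"default\.ida?XXX",
                r"insert", r"update", r"delete", r"select"]

ACLS = {
    # urlpath_regex -i: unanchored, case-insensitive search of the URL path
    # (this model looks at the path component only).
    "bad_requests": lambda r: any(re.search(p, r.path, re.I) for p in BAD_PATTERNS),
    "port80": lambda r: r.port == 80,                        # myport 80
    "site1": lambda r: r.host == "site1.example.lan",        # dstdomain
    "site2": lambda r: r.host == "site2.anotherexample.lan",
}

# "http_access deny ..." lines in file order; every ACL on a line must match.
DENY_RULES = [["bad_requests"], ["port80", "site1"], ["port80", "site2"]]

DENY_INFO = {
    "site1": "https://site1.example.lan/",
    "site2": "https://site2.anotherexample.lan/",
}


def evaluate(url, port, deny_rules=DENY_RULES):
    """Return (action, detail) for a request arriving on the given proxy port."""
    parts = urlsplit(url)
    req = Request(parts.hostname, port, parts.path or "/")
    for rule in deny_rules:
        if all(ACLS[name](req) for name in rule):
            last_acl = rule[-1]          # deny_info is looked up by the last ACL
            if last_acl in DENY_INFO:
                return ("redirect", DENY_INFO[last_acl])
            return ("denied", last_acl)  # no deny_info: plain access-denied page
    return ("continue", None)            # left to the later http_access lines


if __name__ == "__main__":
    # Constructed requests for illustration.
    print(evaluate("http://site1.example.lan/", 80))
    print(evaluate("https://site1.example.lan/", 443))
    print(evaluate("http://site1.example.lan/", 80, [["site1", "port80"]]))
    print(evaluate("https://site2.anotherexample.lan/docs/selecting-a-plan.html", 443))
```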

Hamish Taylor: Follow up: The woeful state of communications in Australia’s capital city

Wed, 2016-05-11 13:06

In January 2011, I posted about my experiences in trying to get an internet connection provisioned at my new home.

I am now posting from our Internode naked DSL connection. To be honest, this has been working for many months, I have been slack in posting this follow up!

The Telstra guy did come back and install the line. But only after we ordered a full phone line, dial tone and all, at around $30/month. Not to mention the $299 installation fee.

After that was installed, Internode activated the ADSL. Even that took multiple calls to get the technicians back to the exchange as things went wrong.

After that was all sorted out, it was then converted to a ‘naked ADSL’ service. Effectively cancelling the dial tone service.

The rampant stupidity of the Australian communications system is truly breathtaking. And expensive. What should have been a very simple thing to get going – a naked ADSL line – proved to be extremely difficult and expensive.

But now we have Internode naked ADSL and NodePhone. Finally.

(As an interesting side note, we retained our Melbourne based phone NodePhone (VoIP) number. When the Mitchell chemical fire occurred the other day and half of Canberra was on alert, we received a call on the VoIP number, as it is registered at this address. Both mine and my wife’s mobile phones are through Optus, also registered at this address and didn’t get an SMS or call. Either the emergency alerting system or Optus messed up there. I’d be guessing the latter.)

Unfortunately, we are so far away from the exchange that we only get around 500 KB a second (half a MB a second). Back in Melbourne, close to the exchange, I was getting 2.2 MB a second, so around four times faster.

But at least we have it.

Hamish Taylor: A call to “standardised user account requirements” arms

Wed, 2016-05-11 13:06

We need to have a standard for management of user accounts.

Given the number of high profile companies that have been cracked into lately, I have been going through the process of closing accounts for services I no longer use.

Many of these accounts were established when I was more trusting and included real data. However now, unless I am legally required to, I no longer use my real name or real data.

But I have been bitterly disappointed by the inability of some companies to shut down old accounts. For example, one service told me that “At this time, we do not directly delete user accounts…”. I also couldn’t change my username. Another service emailed my credentials in plain text.

To protect the privacy and security of all users, an enforceable standard needs to be established covering management of user accounts. It needs to be applied across the board to all systems connected to the internet. I know how ridiculous this sounds, and that many sites wouldn’t use it, but high profile services should be able to support something like this.

Included in the standard should be:

  • the ability to completely delete accounts (unless there’s some kind of legislative requirement to keep, and then they should only retain the data that is absolutely necessary)
  • the ability to change all details including usernames
  • a requirement to encrypt and salt the password (that covers the credentials in plain text issue noted above)
  • determine the minimum practicable data set that you need to maintain an account and only ask for that. If there’s no need to retain particular account details, don’t collect them. For example, I’ve never been contacted by phone by any of these companies so why was I forced to enter a phone number?

This is a short list from my frustrations today. Please comment to help me flesh this out with other things that should be done on a properly supported user account management system.

And please let me know of your experiences with companies that were unable to properly protect your privacy and security.

Hamish Taylor: The woeful state of communications in Australia’s capital city

Wed, 2016-05-11 13:06

For those who may not know, I recently moved from Melbourne, Victoria to Canberra, Australian Capital Territory (ACT) and am now living in a house in the inner north-west. Of course, being a geek, I wanted to get the internet connected as soon as possible! After such a smooth transition I’d expected some problems and this is where they all cropped up.

In Melbourne I had an Internode ADSL connection and before I moved I called them up to relocate this service. This, of course, relied on getting an active Telstra line at the new house. I knew it would take a bit of time to relocate the service, so in the interim I bought a Telstra wi-fi internet device. This is actually a ZTE MF30 and supports up to 5 connections via wi-fi, so I can get both my iPhone and laptop on at the same time. Quite simply, this device is brilliant at what it does and I couldn’t be happier with it.

So, at the moment I’m online via the Telstra device, which is just as well really, as I soon encounter communication issue number 1: Optus.

It appears that Optus have a woeful network in Canberra. I have an iPhone 3GS, which I know can only use 850MHz and 2100MHz 3G networks. Optus uses 900MHz and 2100MHz for their 3G, so the iPhone will only work in Optus 2100MHz coverage. In Melbourne I never had a problem getting on the internet at good speeds.

When I looked at the Optus coverage maps for ACT and clicked on “3G Single band” (the 2100MHz network coverage), it showed the inner north-west being well covered. It really isn’t. Both from home and at work in Belconnen, I can barely get two bars of GSM phone signal. The connectivity is so bad that I can barely make phone calls and send SMSs. Occasionally, I get the “Searching…” message which tells me that it has completely lost GSM connectivity. This never happened in Melbourne, where I had 4-5 bars of signal pretty much all the time.

The 3G connection drops in and out so often that I have to be standing in exactly the right location to be able to access the internet on my iPhone. Even this afternoon in Kingston in the inner south, I wasn’t able to get onto the internet and post to Twitter. I had to use the Telstra device, which hasn’t missed a beat in any location for network connectivity, to establish a connection. This really isn’t good enough for the middle of Canberra. I am seriously considering calling Optus, lodging a complaint and trying to get out of my 2 year contract (which has another 10 months to run), so I can switch over to Telstra. I never thought I’d say this, but I actually want to use a Telstra service!!!

Communications issue number 2: TransACT. From what I can find out TransACT have a cable TV network which also has telephone and internet capabilities. When this network was established about a decade ago, it was revolutionary and competitive. Today the network has been expanded to support ADSL connections, but there is no ability to get a naked service as all connections require an active phone service. Additionally, as a quick look at some of the internet connectivity plans show, after factoring in the required phone service, it is a costly service for below average download allowances.

When I moved into the house, the process of relocating the Internode ADSL service from Melbourne to Canberra triggered a visit from a Telstra technician. However, he wasn’t able to find a physical Telstra line into the house. Being an older suburb of Canberra, this house will have a Telstra cable. Or rather will have had as apparently it is not unknown for TransACT installers to cut the Telstra cables out as “You won’t need THAT anymore!”

So now I have to pay for a new cable to be installed from the house to the “Telstra network boundary” (presumably the street or nearest light pole where it can be connected to Telstra’s infrastructure). Then we have to pay again for a new Telstra connection at a cost of $299. Considering that if the Telstra cable had been left in place, the connection cost would be $55, this is turning into quite an expensive proposition just to get a naked DSL service.

All in all I am not impressed with the state of communications in Australia’s capital city, Canberra. All I can say is please, please, please bring on the National Broadband Network (NBN)!



Hamish Taylor: In an ideal world … how to change my address

Wed, 2016-05-11 13:06

Recently I moved house.

I hate moving. Not just for the having to pack everything into boxes at one end then unpack everything at the destination (which for this move I didn’t have to do!), but mostly because I have to go through the pain that is changing my address.

It turns out that I interact with a lot of organisations, from finance institutions (banks, credit card companies, car insurance, house insurance, health insurance, etc), to official organisations (driver licencing, Medicare, electoral, organ donor register, etc), to community (Red Cross blood donor, 3RRRFM, etc) and mundane organisations (Costco, etc). And that’s just a fraction of them.

I was thinking that, rather than having to fill in what feels like a million forms and waste time that could be spent being a productive public servant or dad for my kid, why isn’t there a central contact details database that I update once? I’m sure that smarter minds than mine have considered this, but I think an opportunity exists for some organisation (government or private) to do this. In the day and age of ‘over-sharing’, are people still averse to putting their address, phone number and email details into a central database? Login security could be addressed using two-factor authentication, such as used by Google Authenticator, or sending a one-time code via SMS or email.

Many services, such as Twitter and Facebook, are set up to authorise other apps to access them. An example of this is when I used my Facebook account to sign up for Freecycle which operates as a Yahoo Group.  I ‘authorised’ Facebook to talk to Yahoo. I’ve also authorised Twicca on my Android smartphone to talk to my Twitter account.

In the same way, in this theoretical single contact details database, I could let the various companies and organisations that I interact with, access my updated contact details. Maybe they could poll this database once a week to look for updated details. I understand they’d have many different backend CRM systems so there may be some manipulation required, but nothing that’s too hard to fix with a bit of scripting.

I could also remove their access when I cease using their services. If I’m no longer banking with Bank A, then I revoke their access so they can’t find out how to contact me.

Does this sound sensible or silly? If sensible why hasn’t Google or someone done this already?

Hamish Taylor: My new laptop!

Wed, 2016-05-11 13:06

In May 2010, I posted about what I thought were some pretty underwhelming specifications for laptops.

I have bitten the bullet and upgraded to a laptop with 1366×768 display resolution anyway.

But on a 13.3 inch screen. So it actually works pretty well.

It is a system worth about $2500 that I got for around $700. And no, it didn’t fall off the back of a truck! It fell off the back of the Dell Outlet Store.


  • Dell Latitude E6320
  • Core i5-2520M
  • 4GB RAM (although as an ‘Enterprise’ system, it came with Windows 7 32-bit, so only 3.2GB is visible to Windows. Fixed that by dual-booting Ubuntu 64-bit)
  • 250GB HDD
  • Wi-fi
  • Bluetooth (which I personally think is next to useless)
  • Backlit keyboard (which I think is the BEST thing ever!)
  • 6 cell battery

It’s also mil-spec hardened (or something) which means that it’s almost child-proof!

It does 1080p video and with 4 cores (2 physical and 2 virtual ‘hyper-threading’) video editing works well. Really well.

I want to post up a full review at some stage, but it may not be soon.

Hamish Taylor: Fun with JavaScript!

Wed, 2016-05-11 13:06

Hoping someone can help me with this JavaScript problem. I’m trying to pass an array to a getElementById with the purpose of making multiple cells in the table take the class. I can get it working with one array location but not with more than one. Please help!

<!DOCTYPE html>
function changecolors(redsarray,yellowsarray,greensarray,graysarray)

var redsarray = new Array();

var yellowsarray = new Array();

var greensarray = new Array();

var graysarray = new Array();

<style type="text/css">
.red {background-color:red;}
.yellow {background-color:yellow;}
.green {background-color:green;}
.gray {background-color:gray;}
Content …
<table border="1">
<td id="r1_c1">
<td id="r1_c2">
<td id="r2_c1">
<td id="r2_c2">
<td id="r3_c1">
<td id="r3_c2">
<td id="r4_c1">
<td id="r4_c2">

<button type="button" onclick="changecolors()">Button</button>




Hamish Taylor: Back to WordPress!

Wed, 2016-05-11 13:06

I’ve given up on Blogger and returned to WordPress. I’ll update the look and feel from the defaults and try to update it a bit more often!

Hamish Taylor: Stupidity with passwords

Wed, 2016-05-11 13:06

We all know and understand how important passwords are. We all know that we should be using strong passwords.

What’s a strong password? Something that uses:

  • lower case characters
  • punctuation, such as !@#$%^&*()<>?”:{}+_
  • and should be 8 characters or longer

So, to put it mildly, it really annoys me when I come across services that don’t allow me to use strong passwords. If I possibly could, I’d boycott these services, but sometimes that’s just not possible.

For example, my internet banking is limited to a password of between 6-8 characters. WTF?! This is hardly a secure password policy!

Another financial service I use is limited to 15 characters and doesn’t allow most of the punctuation set. Why? Is it too difficult to extend your database validation rules to cover all of the character set?

Ironically, I didn’t have a problem with Posterous, Facebook or Twitter (and others) in using properly secure passwords. So, these free services give me a decent level of security, but Australian financial services companies can’t. It’s stupidity in the extreme.

Hamish Taylor: Idea from BarCamp Canberra #barcampcbr

Wed, 2016-05-11 13:06

Yesterday I went to the second half of BarCamp Canberra 2012 (I was busy in the morning and couldn’t make it).

As per usual for a BarCamp there were many great ideas being discussed. Someone (Craig?) suggested that we all go home and write blog posts about our own great ideas.  So here goes …

My idea is this: to build a website to facilitate the transfer of mobile phone credit from people who have a surplus to people who need it.

My wife and I are currently using Telstra pre-paid and every so often when it gets near the expiry date, if there’s any unused credit we transfer some (or all) of that to the other account. Telstra call this ‘CreditMe2U’ and my understanding is that it can be used on any post- or pre-paid accounts. There are a few limitations, such as a maximum of $10 per day and some limit per month.

I see the site facilitating someone posting up that they need, say $5 credit. Anyone should be able to do this for any reason. The request could be as little as just a phone number and an amount.

Someone else, who has surplus credit, would transfer them some credit from their account, and then mark that the transaction has happened. This ensures that the requester doesn’t get flooded with credit transfers and multiple people who have surplus credit don’t end up  helping just one person. The requester would also not be able to make another request for 24 hours (based on phone number).

I would be reluctant to require people to register for accounts, as I think that would kill it entirely. It should be able to be truly anonymous. I would also be really keen to see that the site is not indexed in any way (robots.txt, exclusions, etc), so that numbers can’t be linked with requests.

I’m not sure if carriers other than Telstra have this option, but it’s worth investigating.

While there would be obvious ways to ‘game’ this system, and it’s not a fully thought through idea, it could become so with some feedback. So, what do you all think?