PHP Accelerators

I was programming a site today and noticed that it seemed to be taking quite a while (5+ seconds) to generate each page.  I’ve been looking at some Apache and PHP optimization and decided that it was time to try a PHP accelerator.

I have previously installed the Zend Accelerator, but never really benchmarked it.   When I went to install it again I found that it has been incorporated into the commercial Zend Platform software.   Looking quickly at some alternatives, I settled on eAccelerator because it seems to be stable, in active development, and has decent documentation.

It didn’t take much to install.  I installed the php-devel package from yum, then ran ‘phpize’, ‘configure’, ‘make’, and ‘make install’.   Then I copied the provided eaccelerator.ini into /etc/php.d/ and restarted Apache.

Based on some really simple and quick benchmarks using ‘ab’, it looks like about a 4x performance improvement overall.   Not bad for about half an hour of installing it and making it work.

WoW account hacking, and a potential solution?

A website just posted a story about how there is “no end in sight” to the hacking of World of Warcraft accounts. The story describes hackers who install keylogging software on victims’ computers, then use it to relay the victims’ WoW username and password back to themselves. They then simply log in as that user, transfer all of the victim’s valuable in-game assets to accounts that they control, and sell everything off for cash.

An idea I had for solving this, as well as lots of other online identity theft problems, is to allow users to opt in to a login restriction based on IP address. Blizzard could ask you whether you want to restrict logins to your current IP (or, more likely, the first 22 bits or so of your IP address). Any attempt to log in from an IP outside that range would require some kind of external verification, like an automated phone call where you verify the last four digits of your credit card number.

It would take a little work on their side, but surely Blizzard ought to be able to come up with something like this. I would think that the development time up front would save them lots of money on customer service and canceled subscriptions down the line when accounts are compromised.

The solution does have a couple of potential problems. Mainly, if a hacker is able to install keylogging software on a victim’s computer, they might also be able to install a proxy server of some sort in order to use the victim’s IP address anyway. There is some evidence that such proxy programs already exist and are used for account leveling. If this type of proxy software becomes widely used, identifying hackers by IP becomes nearly impossible.

It’s important to note that this idea does not apply just to WoW. Other companies, like banks, could use a similar security measure to protect against hackers logging in as real users. The fact that nobody has done this must mean that I’m missing something. Feel free to comment and let me know how this wouldn’t work.

Don’t use mod_deflate (or mod_gzip) for MP3 files

Today I solved a problem that I’ve had for a couple of months.  A user complained that the MP3 audio embedded on their home page only played the first few seconds of the clip.   I tried it in my browser and it worked fine.  I also tried it on a couple of other machines, which worked okay, but finally came across one using Firefox 1.5 that had the same problem.

Unfortunately, I kind of forgot about this until today.  I was looking at some statistics for mod_deflate and noticed that the time I enabled it coincided with the date that the MP3 stopped working.   I configured Apache to not compress MP3 files, and now it plays fine.

I’m still not sure why it worked on some browsers and not on others, but the important thing is that it works.

Google MyMaps

Google just released a very cool update to their already useful Google Maps service.  Google MyMaps allows users to easily create customizable maps by using an intuitive web-based user interface to place points on the map and draw lines and areas.   Any of the points can then be labeled with customizable text that may include photos and video clips.  I’ve always been impressed with Google Maps, and this is a nice addition that makes it more useful in a quite different way.

One of the interesting things about Google Maps is that they have always offered an API for others to extend its functionality.   I don’t think that the MyMaps feature adds much that couldn’t have been created by somebody else using the existing APIs.

Traceroutes time out after turning on an iptables firewall

On many of the firewalls that I administer, the machine fails to respond to a traceroute. The traceroute gets all the way to the host, and then the final hop never responds. I have messed with this on and off for a while, and finally found the problem and a solution.

First, I tried to make sure that the firewall was open to receive ICMP packets. I use these commands to permit a few specific ICMP types:

## Accept ICMP Echo-Reply (0), Echo-Request (8), and Time-Exceeded (11) packets
iptables -A INPUT -s 0/0 -d 0/0 -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -p icmp --icmp-type 11 -j ACCEPT

However, just enabling those didn’t allow traceroutes to work correctly. There is also an ICMP type 30 for traceroute, but enabling that never got it working for me either.

So I had to dig a little deeper into how traceroute works. It sends a UDP packet to a port that it doesn’t expect to be open. The host should then send an ICMP ‘Unreachable’ packet back to the originating machine.

It turns out that the firewall rules I was using blocked all incoming UDP packets unless they were specifically allowed. Since the firewall dropped the probe, the machine never received the UDP packet and so never sent the ICMP reply.

Most traceroute implementations start by sending to UDP port 33441, and then increment the port number for each packet they send out. So I added this firewall rule to allow these packets through:

## Allow traceroutes, which send a packet to a UDP port in this general range
iptables -A INPUT -s 0/0 -p udp --destination-port 33441:33500 -j ACCEPT

Now those UDP packets get accepted and the machine properly replies with the ICMP packet as it should.
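To show why the ICMP-only rules were not enough and why the UDP rule fixes it, here is an added Python model of the INPUT chain described above (my illustration, not anything from the post or from iptables itself). It assumes first-match semantics with a default DROP policy for anything unmatched, which is how I read “blocked all incoming UDP”, and it assumes traceroute’s usual three probes per hop, which the post does not mention, to show how many probes the 33441:33500 range actually covers.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                      # "icmp" or "udp"
    icmp_type: Optional[int] = None
    dport: Optional[int] = None     # UDP destination port

@dataclass(frozen=True)
class Rule:
    proto: str
    target: str                     # only ACCEPT rules are modelled here
    icmp_type: Optional[int] = None
    dport_range: Optional[Tuple[int, int]] = None   # inclusive, like 33441:33500

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        if self.dport_range is not None:
            lo, hi = self.dport_range
            if pkt.dport is None or not lo <= pkt.dport <= hi:
                return False
        return True

# The three ICMP rules from the post (Echo-Reply, Echo-Request, Time-Exceeded).
ICMP_ONLY = [Rule("icmp", "ACCEPT", icmp_type=t) for t in (0, 8, 11)]
# The same chain after the UDP rule for 33441:33500 is appended.
WITH_TRACEROUTE = ICMP_ONLY + [Rule("udp", "ACCEPT", dport_range=(33441, 33500))]

def verdict(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; an unmatched packet gets the chain policy
    (DROP assumed, since the post says unlisted UDP was blocked)."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

def traceroute_probes(hops: int, per_hop: int = 3, base_port: int = 33441) -> List[Packet]:
    """UDP probes as the post describes: start at base_port, +1 per probe sent.
    Three probes per hop is the common traceroute default (assumption)."""
    return [Packet("udp", dport=base_port + i) for i in range(hops * per_hop)]

def accepted_probe_count(chain: List[Rule], hops: int) -> int:
    """How many probes of a trace with this many hops get past the firewall."""
    return sum(verdict(chain, p) == "ACCEPT" for p in traceroute_probes(hops))
```

With the ICMP-only chain every probe is dropped, so no ‘Unreachable’ is ever generated; with the UDP rule the first 60 ports pass, which at three probes per hop is 20 hops, so a longer trace needs a wider port range than 33441:33500.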

Mobile wireless data usage

I’ve seen people claiming that mobile wireless Internet is a good replacement for a home data service, especially if you have a laptop.  For some users that may be okay, but not for me.
Slashdot pointed me to a blog post that looked at the latest Terms of Service for Verizon’s service.  It says that with bandwidth usage over 5 GB per month they assume you must be doing something that violates the terms of service, and can therefore discontinue your service.  I’ve never looked at my own bandwidth usage at home, but I’m pretty sure I do significantly more than 5 GB in a month.

Also interesting in the terms of service: it says the connection is only to be used for Internet browsing, email, and intranet access.  It sounds like gaming is out, then. It also says it is not allowed to be used as a substitute or backup for private lines.  Doesn’t sound like it’s good for very much, then.