Web Programming, Linux System Administration, and Entrepreneurship in Athens Georgia


bcSpamblock Updated to Version 1.3

Thanks to jontiw for pointing out a potential problem in my bcSpamblock code. He noted that the PHP crypt() function returns the salt along with the encrypted value. My code was passing the salt to the visitor, so an attacker could potentially learn the salt value that a website was using and create valid responses.

I modified the code to strip out the salt before passing the value to the user. I also changed the data used to derive the salt, so the previously vulnerable version no longer produces the same value for a site. The WordPress plugin has been updated as well.

I was happy to see other people looking through my code and pointing this type of issue out.

Sending Yourself a File as an Attachment From the Command Line

There are many occasions where I’ll have a file on a Linux machine that I want to email myself. If it is a text file, it’s pretty easy to just pipe the file to a mail command like this:

cat /home/brandon/some-file.txt | mail -s "Here is the file" [email protected]

That works well for the simple case of a text file. However, there are often cases where it either isn’t a text file, or maybe the text file is too large. Sending the file as an attachment would be ideal, but you can’t just pipe any type of data to the mail command.

Instead, I just learned how to use ‘mutt’ to send a file as an attachment. The command is something like this:

echo "see attached file" | mutt -s "Here is the file" -a /home/brandon/some-file.bin [email protected]

Here, ‘see attached file’ is the body of the message, the -s argument ‘Here is the file’ is the subject, /home/brandon/some-file.bin is the file to attach, and [email protected] is the recipient.

This works well for quick files that you want to transfer to your PC, perhaps instead of using a file-transfer program like FTP. It can also be used in scripts. I had one customer, for example, who used this to email themselves a mysqldump of their database each night as a sort of backup.
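The mutt one-liner above, wrapped in a function with the checks a scripted job such as the nightly mysqldump backup just mentioned would want before sending. This is an added example, not code from the original post. It assumes mutt and a working MTA are installed, that ~/.my.cnf supplies the MySQL credentials, and MAX_BYTES is an arbitrary cap I chose so the message is not bounced by the receiving server.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: mutt and a working MTA
# are installed; ~/.my.cnf holds the MySQL credentials; MAX_BYTES is an arbitrary
# size cap so the mail is not rejected by the receiving server.

MAX_BYTES=${MAX_BYTES:-20000000}

# file_size FILE -> size in bytes (wc -c is portable where stat is not)
file_size() {
    wc -c < "$1" | tr -d ' '
}

# send_attachment FILE RECIPIENT [SUBJECT]
# exit status: 0 sent, 2 file missing or empty, 3 file larger than MAX_BYTES
send_attachment() {
    file=$1
    to=$2
    subject=${3:-"Here is the file"}
    if [ ! -s "$file" ]; then
        echo "refusing to send: $file is missing or empty" >&2
        return 2
    fi
    size=$(file_size "$file")
    if [ "$size" -gt "$MAX_BYTES" ]; then
        echo "refusing to send: $file is $size bytes, limit is $MAX_BYTES" >&2
        return 3
    fi
    # stdin is the message body; -a attaches the file; "--" ends the attachment
    # list so the recipient address is never mistaken for another attachment
    printf 'See attached file %s (%s bytes)\n' "$(basename "$file")" "$size" \
        | mutt -s "$subject" -a "$file" -- "$to"
}

# nightly_db_backup DBNAME RECIPIENT -> dump, compress and mail the database.
# The dump is removed afterwards whether or not the mail went out, so a failed
# send never leaves a plaintext copy of the database in /tmp.
nightly_db_backup() {
    db=$1
    to=$2
    dump=$(mktemp /tmp/"$db".XXXXXX) || return 1
    if ! mysqldump "$db" > "$dump"; then
        rm -f "$dump"
        return 1
    fi
    gzip -f "$dump"
    send_attachment "$dump.gz" "$to" "Nightly backup of $db on $(hostname)"
    rc=$?
    rm -f "$dump.gz"
    return $rc
}
```

A cron entry such as `0 3 * * * /usr/local/bin/backup-mail.sh` calling `nightly_db_backup shopdb [email protected]` reproduces the customer's setup; the exit codes let cron's own mail tell you why a night's backup did not arrive.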

Quick MRTG Install With Some Useful System Metrics

I often have a need to monitor some basic system metrics such as memory usage, free disk space, load average, and network usage. MRTG is an ideal solution because it is lightweight and can graph just about anything on a system. Many people only think of MRTG as a tool to graph network interfaces, but because it is just a way to use rrdtool it can be used for practically anything.

Getting it installed is pretty easy as well. Most distributions provide a package for it, so it is as simple as running ‘yum install mrtg’ or ‘apt-get install mrtg’. Unfortunately the basic package is pretty raw and doesn’t by default know how to obtain much useful data. Over time I’ve compiled a /etc/mrtg/ directory that does a lot of the common things that I like to monitor. Simply uncompress this file to your /etc/mrtg directory and you should have some common useful metrics. You can further customize it per-server if you’d like to monitor some additional things.
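As an added example of the kind of non-network target the /etc/mrtg bundle above provides (this script is mine, not part of that bundle), here is a memory-usage target. MRTG runs the command written in backticks in a `Target[]` line and expects four lines on its stdout: the first value (graphed as "in"), the second value ("out"), an uptime string and a name string. The target name `mem`, the path /etc/mrtg/mem.sh and the `MaxBytes` figure are assumptions for the sake of the example.

```shell
#!/bin/sh
# Added example, not from the post's /etc/mrtg bundle. Install as /etc/mrtg/mem.sh
# (assumed path) and reference it from mrtg.cfg like this ("mem" is an arbitrary
# target name; MaxBytes must be at least the total memory in kB, since MRTG
# discards samples above it):
#
#   Target[mem]: `/etc/mrtg/mem.sh`
#   MaxBytes[mem]: 4194304
#   Title[mem]: Memory usage
#   Options[mem]: gauge,nopercent,growright
#   YLegend[mem]: kBytes
#   LegendI[mem]: Used
#   LegendO[mem]: Total

# mem_values [MEMINFO_FILE] -> prints "<used_kb> <total_kb>". Used memory excludes
# buffers and page cache, which the kernel gives back under pressure, so the graph
# shows real application demand rather than "everything is full".
mem_values() {
    awk '/^MemTotal:/ { total = $2 }
         /^MemFree:/  { free = $2 }
         /^Buffers:/  { buffers = $2 }
         /^Cached:/   { cached = $2 }
         END { print total - free - buffers - cached, total }' "${1:-/proc/meminfo}"
}

# mrtg_report [MEMINFO_FILE] -> the four lines MRTG expects on stdout
mrtg_report() {
    set -- $(mem_values "$1")
    printf '%s\n%s\n' "$1" "$2"
    # third line: uptime text shown under the graph (any string is accepted)
    printf '%s\n' "$(uptime 2>/dev/null | sed 's/^.* up *//; s/,.*$//')"
    # fourth line: a name for the target
    printf '%s\n' "$(hostname)"
}

# run the report when executed as a script; skipped where /proc/meminfo is absent
[ -r "${1:-/proc/meminfo}" ] && mrtg_report "$@"
```

The same four-line contract works for any metric: swap the awk over /proc/meminfo for `df -P` output or the first field of /proc/loadavg (multiplied by 100, since MRTG only stores integers) and you have the disk and load graphs the post mentions.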

Enabling PHP Syntax Highlighting for .html Files in vim

vim has a lot of default file types and syntax dictionaries set up. It determines which syntax highlighting to apply based on a file’s extension. I have a bunch of .html files that contain PHP code and finally got frustrated enough with the incorrect highlighting to figure out how to correct it. After a bit of research and experimentation, I was able to do it by creating ~/.vim/filetype.vim with this content:

    if exists("did_load_filetypes")
      finish
    endif
    augroup filetypedetect
      au! BufRead,BufNewFile *.html     setfiletype php
    augroup END

Determining What a Server is Used For

When looking at an existing server, it is sometimes difficult to know everything that the server does. I have had many instances, when hired for a new job or when looking at a client’s server, where I have to find out everything the server is used for without knowing much about it. Often there are many more uses than it was originally designed for.

Here is a list of things that I usually check to try and identify what a server is used for:

1- Look at any processes listening on a network socket. I use ‘netstat -lnp’ to identify listening sockets and the processes using them. It’s common to see SSH, Apache, MySQL, and a mail server. Sometimes there are other things you should know about, such as FTP, a control panel (e.g. webmin on port 10000), and a variety of other processes.

2- Cron jobs. A lot of systems have automated processes that run periodically from cron. Make sure to check all of the various cron locations:

The main system crontab:

/etc/crontab

Drop location for cron jobs typically installed with packages:

/etc/cron.d/*

Periodically run jobs:

/etc/cron.*/*

(e.g. /etc/cron.daily, /etc/cron.hourly, /etc/cron.weekly, etc.)

User crontabs:

/var/spool/cron/*

3- Look at running processes. I use ‘ps auxf’ to identify any other processes that might be running.

4- Processes run at boot. On Red Hat and derivatives, use ‘chkconfig --list | grep ":on"’ to see all services that start when the machine boots.

5- Websites configured in Apache. Run ‘apachectl -t -D DUMP_VHOSTS’ to see which virtual hosts are configured in Apache.

6- Consider the server’s name and the reverse DNS of any IPs assigned to it. These may give some hints as to what the server is being used for. For example, if a server has the name ‘mail.mydomain.com’ associated with it somehow, you should probably take a closer look at the mail configuration than you might initially think to.

That should be a pretty good start toward identifying everything a particular server is used for. Please leave a comment if there is something else that I should add to the list.
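The six checks above as one read-only inventory script. This is an added example, not code from the original post; it falls back to `ss`, `systemctl` or `apache2ctl` where the tools named in the list are absent, and the optional ROOT argument to `cron_files` (my addition) lets the same cron scan run against a mounted disk image instead of the live system.

```shell
#!/bin/sh
# Added example, not from the original post: the checks from the list as a
# read-only inventory. Each step tries the tool named in the post first and
# falls back to its modern or Debian equivalent. Nothing here changes the server.

have() { command -v "$1" >/dev/null 2>&1; }

section() { printf '\n=== %s ===\n' "$1"; }

# 1. listening sockets and the processes behind them (PIDs need root)
listening_sockets() {
    if have netstat; then netstat -lnp
    elif have ss; then ss -lntup
    else echo "neither netstat nor ss found"; fi
}

# 2. every crontab-like file in the locations the post names. ROOT (default "")
# is prefixed to each path so the scan also works on a mounted image.
cron_files() {
    root=${1:-}
    ( for p in "$root/etc/crontab" "$root"/etc/cron.d/* "$root"/etc/cron.*/* \
               "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
          [ -f "$p" ] && printf '%s\n' "$p"
      done ) | sort -u
}

# 3. the process tree
process_tree() { ps auxf 2>/dev/null || ps aux; }

# 4. what starts at boot: SysV via chkconfig, else systemd units
boot_services() {
    if have chkconfig; then chkconfig --list | grep ':on'
    elif have systemctl; then systemctl list-unit-files --type=service --state=enabled
    else echo "no chkconfig or systemctl found; check /etc/rc*.d by hand"; fi
}

# 5. Apache virtual hosts
apache_vhosts() {
    if have apachectl; then apachectl -t -D DUMP_VHOSTS
    elif have apache2ctl; then apache2ctl -t -D DUMP_VHOSTS
    else echo "no apachectl found"; fi
}

# 6. hostname and the reverse DNS of every address on the box
names() {
    hostname -f 2>/dev/null || hostname
    for ip in $(hostname -I 2>/dev/null); do
        getent hosts "$ip" || echo "$ip: no PTR record"
    done
}

# inventory [ROOT] -> all six sections in the order of the post
inventory() {
    section "listening sockets"; listening_sockets
    section "cron files";        cron_files "$1"
    section "processes";         process_tree
    section "boot services";     boot_services
    section "apache vhosts";     apache_vhosts
    section "names";             names
}
```

Run `inventory > "$(hostname)-inventory.txt"` as root and keep the file with the server's documentation; diffing it against a later run is the quickest way to notice a service someone added since.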

Windows System Recovery

I rarely write about Windows errors on my blog, but I ran across a weird error on my Windows Laptop the other day that was quite annoying, and a little difficult to fix. Very quickly after the POST, I got an error that said:

“Windows could not start because the following file is missing or corrupt: C:\WINDOWS\system32\c_1252.nls”

It recommended trying to reinstall Windows using the recovery method. I didn’t have any XP CDs around, so that wasn’t really an option for me.

I had a Knoppix disc around, so I started that up, and was able to see the partition fine and even mount it.  All of my semi-important files were safe, but I copied them onto another machine just to be sure. When I tried to do a directory listing inside of the windows\system32 directory, I got an I/O error that definitely looked nasty.

After a bit of googling, I came across this page, which has an ISO you can download and boot into a Windows XP Recovery Console. Once I was finally at the recovery console, I ran ‘chkdsk /r’ and it appeared to fix a couple of problems. I reran it with ‘chkdsk /r /f’ to be sure that everything was fixed.

After a quick reboot, it started up Windows without any further issues.

GnuPG Encryption with PHP

I found PHP’s documentation on the GnuPG functions to be pretty sparse, so I thought I would share the specific steps that I went through in order to get everything working.

Prerequisites

First off, you have to install the GnuPG PHP extension through pecl. It requires the GnuPG Made Easy (gpgme) packages to build. The following shell commands install the OS packages, install the GnuPG PHP extension, then enable it and restart Apache:

# apt-get install gnupg gpgme gpgme-devel
# pecl install gnupg
# echo extension=gnupg.so > /etc/php.d/gnupg.ini
# apachectl restart

Creating GnuPG Keys

Next, you need to create a set of keys to encrypt and decrypt your data. Put the keys in a directory that the web server can read and write. I’ll use /var/www/.gnupg since that is the default home directory for many Apache installations. After running the gpg command, answer the questions as prompted; user input follows each prompt in the output shown below.

# mkdir -p /var/www/.gnupg

# gpg --homedir /var/www/.gnupg --gen-key
gpg: WARNING: unsafe permissions on homedir `/tmp/keys'

gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: keyring `/tmp/keys/secring.gpg' created
gpg: keyring `/tmp/keys/pubring.gpg' created
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 10y
Key expires at Fri Feb 23 16:35:14 2018 PST
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <[email protected]>"
Real name: Some User
Email address: [email protected]
Comment: This is a key for Some User
You selected this USER-ID:
    "Some User (This is a key for Some User) <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key. Enter your passphrase here
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /tmp/keys/trustdb.gpg: trustdb created
gpg: key 21CCC3D6 marked as ultimately trusted
public and secret key created and signed.
.... a bunch of random characters here....
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2018-02-24
pub   1024D/21CCC3D6 2008-02-27 [expires: 2018-02-24]
      Key fingerprint = FA45 1EE9 8772 70EF 1CFA  99CE 048A 6139 21CC C3D6
uid                  Some User (This is a key for Some User) <[email protected]>
sub   2048g/A83E754B 2008-02-27 [expires: 2018-02-24]

# chown -R apache:apache /var/www/.gnupg

Make note of the key fingerprint on the ‘Key fingerprint’ line near the end of the output. You’ll need it in your PHP code when referencing the key. Also, make sure that you write down your passphrase somewhere: your encrypted data will be useless if you don’t have it.

Your Application

Now you can write your PHP code that will do the encryption. Here is a sample that encrypts, then decrypts something:

<?php
$CONFIG['gnupg_home'] = '/var/www/.gnupg';
$CONFIG['gnupg_fingerprint'] = 'FA451EE9877270EF1CFA99CE048A613921CCC3D6';

$data = 'this is some confidential information';

// Point GnuPG at the keyring before creating the object so every operation
// uses the same home directory.
putenv("GNUPGHOME={$CONFIG['gnupg_home']}");
$gpg = new gnupg();
$gpg->seterrormode(GNUPG_ERROR_SILENT);
$gpg->addencryptkey($CONFIG['gnupg_fingerprint']);
$encrypted = $gpg->encrypt($data);
// With GNUPG_ERROR_SILENT a failure only shows up as a false return value,
// so check it rather than storing "false" in the database.
if ($encrypted === false) {
    die('Encryption failed: ' . $gpg->geterror());
}
echo "Encrypted text: \n<pre>$encrypted</pre>\n";

// Now you can store $encrypted somewhere.. perhaps in a MySQL text or blob field.

// Then use something like this to decrypt the data.
$passphrase = 'Your_secret_passphrase';
$gpg->adddecryptkey($CONFIG['gnupg_fingerprint'], $passphrase);
$decrypted = $gpg->decrypt($encrypted);
if ($decrypted === false) {
    die('Decryption failed: ' . $gpg->geterror());
}

echo "Decrypted text: $decrypted";
?>

It would be best to store $passphrase somewhere completely separate from your application configuration. Perhaps an admin user would be required to enter the passphrase when looking up this information. That way your passphrase is not stored in your config file or anywhere that an attacker could potentially gain access to it.

Troubleshooting

Make sure that the web server can write to the GnuPG Home directory. This obviously is not ideal, but seems to be required in the testing that I have done. I’ve been able to set ‘secring.gpg’ to be owned by root, but that does little good since the directory it is in has to be writable.

You can raise the error mode to GNUPG_ERROR_WARNING to generate PHP warnings on GnuPG errors. That might help to track down where errors are occurring.

Receive $50 to $210 in free Money

I don’t generally post about non-technical things on this blog, but these deals are too good to pass up. I just received my payments for $85 and am expecting $100 more by doing nothing more than signing up for a couple of web sites. There is no obligation required, you just need to sign up at these sites and provide them with some personal information and a bank account so that you can withdraw your money. Both sites are reputable companies.

LendingClub.com

The first free money comes from LendingClub.com. LendingClub is a peer-to-peer lending site where people can make loans to or receive loans from other people. The site gives you $25 just for signing up when you follow this link. Their referral program means that I earn $25 for referring you, and if you are married, you can refer your spouse so you each earn $25. You can then withdraw your $50 and your spouse’s $25 with nothing more required. It takes about 4 business days between signing up and confirming your bank account, and then 4 more days to get the cash in your bank account.

If you have some extra money in your bank account and feel up for it, then each of those $25 bonuses doubles to $50 when your first bank activity is transferring $1000 into your LendingClub account. You would receive an additional $25 for signing up, for you and your spouse, and the referral fee doubles to $50 when the referred person transfers in the $1000. Your $1000 can be immediately withdrawn without loaning it on the site. It ties up your $1000 for about 4 days when the money is transferred into the account, and 4 more days when you withdraw it back into your bank account.

So if you are married and take advantage of the $1000 bonus, you and your spouse can earn $150 from LendingClub for free. Instead of withdrawing it, you might actually try lending it to people on the site. If you invest your free $150 in some investments, you would receive around $4.80 per month for the next 36 months totaling $172.80.

RevolutionMoneyExchange.com

RevolutionMoneyExchange is a new site that seems to be competing directly with PayPal. The benefit over PayPal is that any transfers between members are completely free (Paypal charges 3% + $0.30). Seems like it is worth trying out and I know that PayPal needs some competition. They also give you $25 just for signing up and $10 for referring someone. So you could earn $60 free by signing up and referring your spouse.

The bonus is only available when somebody refers you, so just let me know your email address in the box below, and I’ll send you an invitation.

Quick WordPress Upgrade

WordPress has had a few security vulnerabilities recently, and I thought it best to upgrade all of my blogs. Although it is not as easy or dummy-proof as I would like, upgrading WordPress is pretty simple. The key to doing it safely is not modifying any of the core WordPress files. As long as you don’t customize those at all, upgrading is a piece of cake. I just had to do it on three blogs, and it took about a minute apiece. From a shell, just run these commands:

cd <your_wordpress_directory>
mkdir /tmp/wpbackup
cp -R * /tmp/wpbackup
wget -O /tmp/wordpress.tar.gz https://wordpress.org/latest.tar.gz
tar -xvzf /tmp/wordpress.tar.gz  -C /tmp
unalias cp
cp -R /tmp/wordpress/* .
alias cp='cp -i'

Then hit your admin page in a web browser. If the database layout changed at all, you should be prompted to update your database with a single click. Once everything is done, look at the bottom of your admin page to make sure it is the current version.
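The same upgrade as a script, with two safeguards the interactive commands lack: the downloaded tarball's SHA-1 is compared with the checksum file published beside it before anything is extracted, and wp-config.php plus wp-content/ are never overwritten, so credentials, themes, plugins and uploads survive the copy. This is an added example, not code from the original post or from WordPress; it assumes wordpress.org serves the checksum at latest.tar.gz.sha1 next to latest.tar.gz.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the SHA-1 of
# latest.tar.gz is published at https://wordpress.org/latest.tar.gz.sha1.

have() { command -v "$1" >/dev/null 2>&1; }

# sha1_of FILE -> hex digest; sha1sum on Linux, shasum elsewhere
sha1_of() {
    if have sha1sum; then sha1sum "$1"; else shasum -a 1 "$1"; fi | cut -d' ' -f1
}

# verify_sha1 FILE EXPECTED -> 0 when the digests match, 1 otherwise.
# EXPECTED may be a bare digest or a "digest  filename" line; case is ignored.
verify_sha1() {
    want=$(printf '%s' "$2" | awk '{ print tolower($1) }')
    [ "$(sha1_of "$1")" = "$want" ]
}

# overlay_release RELEASE_DIR SITE_DIR -> copy core files over the site while
# skipping wp-content/ and wp-config.php. "command cp" bypasses a cp='cp -i'
# alias, which is what the unalias/alias pair above works around by hand.
overlay_release() {
    rel=$1
    site=$2
    ( cd "$rel" && find . -type f ! -path './wp-content/*' ! -name wp-config.php ) |
    while IFS= read -r f; do
        mkdir -p "$site/$(dirname "$f")"
        command cp -f "$rel/$f" "$site/$f"
    done
}

# upgrade_wordpress SITE_DIR -> back up, download, verify, extract, overlay.
# Every failure returns before the site is touched, and the backup tarball
# stays in the work directory either way.
upgrade_wordpress() {
    site=$1
    work=$(mktemp -d) || return 1
    tar -czf "$work/site-backup-$(date +%Y%m%d).tar.gz" -C "$site" . || return 1
    wget -q -O "$work/wordpress.tar.gz" https://wordpress.org/latest.tar.gz || return 1
    wget -q -O "$work/wordpress.tar.gz.sha1" https://wordpress.org/latest.tar.gz.sha1 || return 1
    if ! verify_sha1 "$work/wordpress.tar.gz" "$(cat "$work/wordpress.tar.gz.sha1")"; then
        echo "checksum mismatch, not upgrading; backup is in $work" >&2
        return 1
    fi
    tar -xzf "$work/wordpress.tar.gz" -C "$work" || return 1
    overlay_release "$work/wordpress" "$site"
    echo "upgraded $site; backup kept in $work"
}
```

Because wp-content/ is skipped, the bundled default themes and plugins are not refreshed by this script; update those from the admin page afterwards, which is also where the database upgrade prompt appears.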


© 2025 Brandon Checketts
