Category: General (Page 20 of 25)

I attended a meeting tonight at my local Linux Users Group in Columbia Maryland.   The topic was on getting an Asterisk Voip server up and running and was presented by a couple members (John and Terry), who have both been playing with different Asterisk distrobutions.  John went the route of the full-featured trixbox, and Terry went for the minimal installation on an embedded device, showing just how flexible and customizable Asterisk is.

My work has recently agreed to migrate our phone system over to an Asterisk server, so I’m hoping to get that set up in the next week or two so that I can start playing with it.

CentOS 5 has been out for a little while now and I still haven’t had a chance to install and play with it. Today, though, I was able to make excuse to start on it. I actually created it on a virtual server though, and it’s much easier for me to just copy an existing file system over to a new virtual server than it is to create an entirely new file system. So, I started googling for ways to upgrade rather than do a fresh install.

I came across these instructions on how to upgrade an x86_64 architecture, and kindof adapted them to the i386 architecture that I was using. There was lots of trial an error to get it working, but overall it only took about two hours. I’m looking back in my history to make sure I got all of the important stuff. These instructions are based off of that. I’ll revise the instructions to get more exact the next time I try this.

Note, the CentOS5 mirror that I used can be changed for a mirror of your choice. If you are going to be doing this more than a couple times, I’d suggest setting up your own private repository so that you just download everything once. You can use this command to rsync to your local mirrors server:

/usr/bin/rsync -aqzH --delete mirror.chpc.utah.edu::CentOS/5.0/ /home/mirrors/centos/5.0

Again, adjust the mirror server to one that is close to you. You can find a good one on this list

Remove un-necessary packages

yum erase http* php* mysql* autofs glibc-kernheaders

Download and install the centos-release stuff:

wget  https://centos.sd2.mirrors.redwire.net/5.0/os/i386/CentOS/centos-release-notes-5.0.0-2.i386.rpm
wget https://centos.sd2.mirrors.redwire.net/5.0/os/i386/CentOS/centos-release-5-0.0.el5.centos.2.i386.rpm
rpm -Uvh centos-release*

Install the CentOS5 GPG Key

rpm --import https://mirrors.kernel.org/centos/RPM-GPG-KEY-CentOS-5

Create a file called ‘files’ and add this content:

rpm-libs-4.4.2-37.el5.i386.rpm
rpm-4.4.2-37.el5.i386.rpm
yum-3.0.5-1.el5.centos.2.noarch.rpm
rpm-python-4.4.2-37.el5.i386.rpm
popt-1.10.2-37.el5.i386.rpm
glibc-2.5-12.i386.rpm
glibc-common-2.5-12.i386.rpm
beecrypt-4.1.2-10.1.1.i386.rpm
glibc-headers-2.5-12.i386.rpm
glibc-devel-2.5-12.i386.rpm
binutils-2.17.50.0.6-2.el5.i386.rpm
elfutils-libelf-0.125-3.el5.i386.rpm
elfutils-0.125-3.el5.i386.rpm
elfutils-libs-0.125-3.el5.i386.rpm
beecrypt-python-4.1.2-10.1.1.i386.rpm
python-2.4.3-19.el5.i386.rpm
python-devel-2.4.3-19.el5.i386.rpm
python-elementtree-1.2.6-5.i386.rpm
python-sqlite-1.1.7-1.2.1.i386.rpm
python-urlgrabber-3.1.0-2.noarch.rpm
neon-0.25.5-5.1.i386.rpm
libxml2-2.6.26-2.1.2.i386.rpm
libxml2-python-2.6.26-2.1.2.i386.rpm
db4-4.3.29-9.fc6.i386.rpm
libselinux-1.33.4-2.el5.i386.rpm
libsepol-1.15.2-1.el5.i386.rpm
mcstrans-0.1.10-1.el5.i386.rpm
m2crypto-0.16-6.el5.1.i386.rpm
krb5-libs-1.5-17.i386.rpm
openssl-0.9.8b-8.3.el5.i386.rpm
readline-5.1-1.1.i386.rpm

Then run this to download them all:

for file in `cat files`
do
wget https://centos.sd2.mirrors.redwire.net/5.0/os/i386/CentOS/$file
done

Then install them all:

rpm -Uvh *.rpm  --nodeps

Clean up some old stuff:

rm -f /var/lib/rpm/__*
rpm --rebuilddb
yum clean all

Download and install the new kernel (This doesn’t do anything for me since I’m on a virtual server who’s kernel is controlled by the host. But it’s already running 2.6.20, so it should have any features that 2.6.18 uses)

wget https://centos.sd2.mirrors.redwire.net/5.0/os/i386/CentOS/kernel-2.6.18-8.el5.i686.rpm
wget https://centos.sd2.mirrors.redwire.net/5.0/os/i386/CentOS/kernel-headers-2.6.18-8.el5.i686.rpm
rpm -ivh kernel-* --nodeps

Now upgrade all of the packages:

yum upgrade

And re-install stuff that you removed before starting:

yum install mysql mysql-server httpd php

I read about some Google problems the other day and just experienced some of my own. Yesterday, when trying to log into my gmail account, I received an error that the service was unavailable. Its amazing how much we have come to rely on these free services. It does make me glad that I still use a thick mail client for my main email usage though.

The recent problems reinforced something that I realized about them when I was out there recently. That Google is essentially the same as most other IT companies around. They have problems just like anybody else does. Fortunately they have built things in a way that usually allows the problems to go un-noticed by users. It seems, however that with the added complexity of their applications, and with all of the new people being hired, that some of their rough edges are starting to show a little.

This is about the dumbest thing I’ve ever heard of (well not quite). I can’t believe a big company like AOL would actually do something this dumb:
https://blog.washingtonpost.com/securityfix/2007/05/aols_password_puzzler.html

Basically, for some users, (apparently those who started out as an old-school AOL think-client user) all passwords are truncated to 8 characters, made case insensitive, and had any special characters removed. Thus making ‘password123’ the same as ‘password%a93#$’.

Today I noticed an unusual program listening on one of the web servers that I managed. Upon investigating, I found out that the attacker was able to gain access through a program called cpCommerce that one of our customers had installed.

I was able to pretty quickly identify the security hole and hacked up the PHP code so that it wouldn’t work again. I then downloaded the latest release of this program and took a look at it to see if the bug had been fixed…and it hadn’t.

So, I headed over to their site to submit a bug report. Although, since it’s a security problem, I didn’t want to post all of the detail publicly so that it could be exploited further. After a little big of fighting with their forum software, I was able to send the developer all of the details, and he has since posted a patch for the program.

I’m not familiar with the program, but it doesn’t look like the patch is just a hack-job either. It looks like it was fixed correctly in a way that would possibly prevent other similar scripts in the program from having the same problem.
https://cpcommerce.cpradio.org/forums/index.php/topic,3430.0.html

The mod_proxy_balancer function included with Apache 2.2 is a great way to set up an Apache front end to a rails-based Mongrel cluster. The latest versions of many Linux distributions now include Apache 2.2 but unless you have a new server with the latest distro, it’s likely that your server is running Apache 2.0.

I usually try to avoid upgrading from Apache 2.0 to 2.2 by compiling it from source because of all of the interdependencies. You end up having to recompile so much other stuff, that it just turns out to be a mess.

Fortunately Apache 2.0 can use mod_rewrite which can be used to do some primitive random load balancing. Here is a sample configuration snippet:

<VirtualHost>
        ServerName mydomain.com
        ServerAlias www.mydomain.com

        ## The random map file of our clusters
        RewriteMap clusters rnd:/etc/httpd/conf/clusters.map
        RewriteEngine On

        ## Don't rewrite for static files
        RewriteCond %{REQUEST_FILENAME} !-f
        # Use mod_rewrite to randomly select from one of the Mongrel
        # cluster servers
        RewriteRule ^/(.*) https://${clusters:mongrel_cluster}/\ [P,L]
</VirtualHost>

The cluster.map file should contain something like this:

mongrel_cluster  localhost:3000|localhost:3001|localhost:3002

Obviously, you’ll want to substitute your server names where appropriate, and configure the correct ports for your instances in the map file

I’ve been getting tons of spam comments lately and am getting tired of deleting them. Today I had to scroll through over a hundred of them and pick out the one or two legitimate comments before deleting the rest. I already have BadBehavior installed, but its not catching any of these, which makes me think that the spam robots know how to get around it.

So, I went on a hunt to find a good another good spam prevention tool. On wordpress.org, I came across one called JSSpamBlock that had a pretty good idea. Essentially, it creates an extra textbox on the comment page. If you have JavaScript enabled, it uses JavaScript to populate that box with the answer and hide it. If a user doesn’t have JavaScript enabled, then they are instructed to copy a number into the box.

The result is a spam protection scheme that is invisible to the average user. Yet spam robots won’t know how to execute the JavaScript to bypass it.

As an added security, I modified the jsspamblock.php file to change the name of the input field. I figure that it would be easy enough to modify a spam robot to look for this particular plugin. But since I modified the input field, hopefully even attempts to do that will not leave my site vulnerable. To make the same change on your installation, just replace all instances of ‘jsspamblock_input’ with something unique to your site.

I use this quite frequently when trying to monitor network traffic to a host. This will save all of the traffic for a host to a file. The file can then be viewed with Ethereal (or some other tool)

tcpdump -n -i any -w /var/tmp/SOMEFILE -p -C 100 -W 10 -s 1500 host SOMEIP

This will make files up to 100 MB in size and keep up to 10 ‘rotations’ of it. Of course, you can use other parameters besides just the ‘host’ parameter to match whatever traffic it is that you want.