Web Programming, Linux System Administration, and Entrepreneurship in Athens Georgia

Category: Linux System Administration (Page 8 of 11)

KnitMeter.com Beta

My wife has gotten seriously into knitting in the past year and was recently wondering about how much she had knit in the past year. I was surprised that there doesn’t seem to be a website for tracking such information, so decided to make one for her (and for anybody else who might want it).

The concept is pretty simple – just enter how much you knit each day and it will add it up for you and can summarize it by project. It generates a little widget that knitters can put on their blogs to compare with others.

The site still needs a little work here and there, but is pretty functional at this point. Users are free to sign up and try it out – all for free of course. I’m looking for user input to see what still needs some work.

Installing trac with webadmin on CentOS5

I’m not overly familiar with Python applications, so it takes a little while for me to figure it out each time. I need to document it somewhere so I don’t have to reinvent the wheel every time – might as well do it here so that others can find it.

Install the rpmforge repository

wget https://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

rpm -i rpmforge-release-0.3.6-1.el5.rf.i386.rpm

Install trac from the rpmforge repo

apt-get install trac

Install ez_setup

wget https://peak.telecommunity.com/dist/ez_setup.py

python ez_setup.py

And install webadmin with easy_install

easy_install https://svn.edgewall.com/repos/trac/sandbox/webadmin/

Poor experience and uptime with rapidvps.com

I heard good things about RapidVPS from several members of my local LUG. I’d also heard good things about slicehost, but they seem to be perpetually unavailable. So when I was setting up a new development and testing server, I figured that I’d give rapidvps a try. I kind of like seeing how different companies do things, and they have a pretty decent package for $30/month.

It turns out that was a poor choice. I was unimpressed from the first day. My new RapidVPS server was a pretty vanilla install of CentOS5. Not much had been customized for their environment. The name servers in /etc/resolv.conf didn’t even work and there were a bunch of other little annoyances that just didn’t make sense. I blew it off at the time since I was able to get them resolved pretty quickly.

Their support staff was fairly responsive, but tended to skirt the direct questions that I asked.  For example, I asked specifically why the name servers were incorrect on a fresh install, and they just replied that they were fixed now.

I primarily use this machine for PHP development and testing. I spend 6-8 hours a day logged in via SSH editing files directly, so I notice pretty quickly when things go wrong. One or two times a week I noticed that the IO load gets really high and things take forever. Doing a simple directory listing was taking over 30 seconds. When I sent in a support request about that, their reply was something along the lines of: most customers use them for running LAMP websites, they generally work fine for that purpose, and the high IO wouldn’t be a problem.

On several other occasions, their network has just become incredibly slow. Replies from support indicated that one of their customers was getting attacked. Right now, my server appears to be completely down, and they just replied that the machine is ‘recovering/doing a raid rebuild’ and will be up shortly.

So, I’ve had this machine for almost two months and had all of these problems. I’d like to just ditch them and sign up for another server at RimuHosting. But I’ve spent quite a bit of time getting everything configured just right and don’t have time at the moment to move everything somewhere else.

I guess I’ll have to deal with it for another month or so, until development slows down a little bit. Then I’ll have to spend a few days migrating everything to a new service. In the meantime, I definitely won’t be recommending RapidVPS to anybody.

Google Maps knows where you are

Google Maps introduced a new feature recently that can determine your location when using their mobile version from a cell phone. If your phone has GPS available it can use that to get a pretty precise location; otherwise it can somehow determine which cell tower you are on to get you an approximate location. That is pretty powerful.

I wonder, though, how Google is able to determine which tower you are using. That has some pretty big potential privacy issues if anybody you call or send a text message to, or any website you visit from your phone, can somehow determine what tower you are on.

Mixed experiences with ScanAlert

I’ve been seeing those ‘Hacker Safe’ logos on sites for a while now. As a consumer I’ve always figured that they are kind of a joke, and that sites that display them really aren’t any more secure than any other site. I’ve recently had some experience with being able to log into a ScanAlert account and seeing what kind of things they actually do.

Overall, they do the basic kinds of things like telling you what ports are open – stuff that the system administrator should already know and that would just take a minute with nmap to find out. They also check the banners for each service to tell you what version you are running. It produces warnings if you are using software that is more than a couple of months old. You can also have it alert and send warnings to other people.

What I found the most useful though, was its attempts to look for SQL Injection and XSS vulnerabilities.   From their FAQ:

ScanAlert audits every publicly available part of the domain’s Web application. This includes all HTTP services, configuration files, and any scripts (CGI, PHP, etc.). ScanAlert submits all database query parameters for vulnerabilities such as SQL injections and cross-site scripting. Since attacks along these vectors vary, ScanAlert must test each query parameter multiple times.

The website that I was looking at had an XSS vulnerability, and the report went into detail about which request parameters were used to trigger it. That is pretty useful information to have so that you can look into those pages and get them fixed. It would take a while for me to go through every page and verify that I’m properly sanitizing user input everywhere.

However, with the site that this was scanning, I’m almost positive that there are really more XSS vulnerabilities than ScanAlert alerted me to. It basically provided a place to start looking, but is certainly not an exhaustive test. Moreover, the XSS vulnerabilities were scored only as a ‘Medium Risk’ – a 2 on a scale of 1 to 5 (1 being information disclosure like a robots.txt file, 5 being something really bad like hosting a virus or something).
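For the class of finding described above, here is an added example (not code from the original post or from ScanAlert): a request parameter echoed straight into HTML, the form that a scanner’s probe parameters expose, next to the hardened version that escapes on output. The function names are my own.

```php
<?php
// Added example, not part of the original post. Shows the reflected-XSS
// pattern a scanner reports (a query parameter written into the page as-is)
// beside the fix: escape at the point of output. Function names are mine.

// Vulnerable: the search term is interpolated into the markup unchanged, so
// the characters < > " ' in it are interpreted as HTML by the browser.
function render_search_vulnerable(string $term): string
{
    return "<p>Results for: " . $term . "</p>";
}

// Hardened: a single output-escaping helper used everywhere a value lands in
// HTML. ENT_QUOTES covers both quote styles so the helper is also safe inside
// attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from silently yielding
// an empty string; the explicit charset avoids depending on php.ini defaults.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_safe(string $term): string
{
    return "<p>Results for: " . e($term) . "</p>";
}

// Constructed input of the kind a scanner submits to each query parameter.
// On a real page this would arrive as $_GET['q'].
$probe = "<script>alert('x')</script>";

echo render_search_vulnerable($probe), "\n";   // markup passes through intact
echo render_search_safe($probe), "\n";         // markup is rendered as text

// A crude self-check of the kind you could run over your own templates: the
// escaped output must not contain a raw tag from the input.
assert(strpos(render_search_safe($probe), '<script') === false);
assert(strpos(render_search_safe($probe), '&lt;script&gt;') !== false);
```

The practical lesson from going through every page by hand is that it is easier to route all output through one helper like e() than to audit each echo individually; a scanner then serves as a check that nothing was missed rather than as the primary defence.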

I’m not sure at what point ScanAlert decides that a vulnerability is bad enough to not display their ‘Hacker Safe’ logo on a site. Evidently it is higher than a 2 though, because this site still qualified for one. So, ScanAlert is useful to system administrators and programmers to help identify threats. It’s only useful though if the website owner actually does something about them.

I had several ‘Medium Risk’ vulnerabilities due to running slightly outdated versions of Apache and PHP. Both were compiled from source and newer than what was available in the distro’s repositories, so I got them recompiled with the latest stable versions. I doubt that most sites bother to resolve these issues since it takes a significant amount of work and doesn’t affect the ability to have that all-important ‘Hacker Safe’ banner on your site.

I still have the same opinion of it as a consumer though – basically, the logo only means that the website doesn’t have some blatant vulnerability that is easily exploitable. There are so many other ways that attackers can gain access to information that having a little logo on your site doesn’t instill any confidence in me.

CentOS 5 Virtual Mail Toaster Howto

I have recently configured several CentOS virtual mail servers. It took me quite a while to figure it out the first time or two, but it has gotten significantly easier since then. Initially, I pieced information together from a half-dozen or so other howtos that were either designed for a different distro, or were outdated (or both).

So when I put together another server last night, I made careful notes when installing it and generated a howto document. It walks a user all the way from a clean CentOS 5 install, through to a functioning virtual mail server. It uses postfixadmin as a web interface for managing the domains and accounts. All domain and user information is stored in a MySQL database. Postfix is installed for the MTA, and Dovecot for the POP3/IMAP server. It doesn’t require system accounts for any of the users. All mail services are accessible over encrypted SSL/TLS protocols.

My list of essential FireFox plugins

I just got a new laptop, which is a good chance to start over with a clean system configuration. After trying to use FireFox without any of my normal plugins, I realized how much I’ve come to rely on these plugins:

ColorZilla: Adds a button to the bottom left of the status bar. When you click on it, you can then highlight anywhere on the page to get the HTML color value.

FasterFox: A couple of very handy utilities for timing page loads, and for speeding them up in general. I find myself watching the page load timer all of the time. It simply displays the amount of time that each page takes to load in the status bar. It has a few advanced options to preload links on pages and to increase the number of simultaneous HTTP requests to a server, which makes your browsing experience faster.

FireBug: Modify HTML and CSS in real time – incredibly handy for HTML development work and debugging.

Google Toolbar: My main point in using this is just to see the PageRank of each page.

MeasureIt: Adds an icon to your status bar that, when clicked, turns your cursor into a crosshair so that you can measure the size of any elements on your current web page.

no-referrer: Adds an option on the context menu for links to open the link in a new tab without passing the HTTP Referer field. I use this when on any ‘private’ pages like my awstats pages, or blog admin pages, that I don’t want to tell the world about via the HTTP referrer.

ShowIP: Adds an item to the status bar with the IP address of the server – this is very useful information to have when doing system administration tasks. It may not always be correct right after changing DNS entries, though. That is probably Firefox’s DNS caching rather than a fault of this plugin.

Web Developer: Adds all kinds of options for looking at some HTML details.  The main one I use is for looking at the HTTP Response headers.

The volatile Plesk / Apache relationship

Plesk’s integration with Apache can be quite confusing for those used to manually modifying the Apache configuration files. It isn’t safe to modify most of the files, because Plesk rewrites them whenever a configuration change is made. Here’s a quick overview of how Plesk fits in with Apache:

The main Apache configuration in /etc/httpd/conf/httpd.conf (or /etc/apache2/apache2.conf on Debian/Ubuntu systems) is left unchanged. It includes /etc/httpd/conf.d/* (or /etc/apache2/conf.d/*). Plesk creates a file in that directory where it does most of its global configuration. That file is generally used for system-wide applications like webmail, mailman, etc. This file is overwritten when certain changes are made via Plesk. It also has an “Include” line for each virtual host like this:

Include /var/www/vhosts/mydomain.com/conf/httpd.include

These files contain the VirtualHost configuration for each domain. They also are overwritten whenever certain changes are made via Plesk (and sometimes just at random, it seems). When Plesk is recreating these files, it looks for a corresponding ‘vhost.conf’ file in the same ‘conf’ directory. If it finds one, then the resulting httpd.include file Includes that vhost.conf file.

Therefore, if you want to manually make any changes to the Apache configuration for a website, you need to create a vhost.conf file for it, then re-save the domain’s configuration via plesk.

Also, if you’d like to bypass the whole plesk ordeal for a new domain, you can still create the Apache configuration manually in the original /etc/httpd/conf/httpd.conf file (or /etc/apache2/sites-available/* files).

Use ProxyPassReverseCookieDomain to maintain Tomcat sessions through mod_proxy_ajp

I had a customer today who had problems using Tomcat sessions after configuring his application to run through mod_proxy_ajp. Everything worked correctly when hitting the application directly on port 8080, but any attempts to hit the site through Apache and mod_proxy_ajp would result in the sessions not being saved, and a new session being created on every request.

The problem is that Tomcat is sending a Set-Cookie header with the Path that it knows about – which is different from what the browser is requesting.

The application is at https://www.mydomain.com/, and mod_proxy_ajp is redirecting that to https://localhost:8009/myapp/.

Here are the HTTP response headers that Tomcat is sending:

HTTP/1.1 200 OK
Date: Sun, 28 Oct 2007 01:39:44 GMT
Set-Cookie: JSESSIONID=TOMCAT_SESSION_ID_HERE; Path=/myapp
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 11234
Connection: close

You can see in the Set-Cookie header that it is setting a cookie path of /myapp. The browser receives this and will only send that cookie back on requests for paths beginning with /myapp. Fortunately Apache 2.2 includes the ProxyPassReverseCookiePath directive to rewrite the Set-Cookie headers on these responses. You can configure a virtual host like this:

<VirtualHost *:80>
    ServerName www.realdomain.com
    ProxyRequests Off
    ProxyPass / ajp://127.0.0.1:8009/myapp/
    ProxyPassReverse / ajp://127.0.0.1:8009/myapp/
    ProxyPassReverseCookiePath /myapp /
</VirtualHost>

And now the HTTP Response headers look like this:

HTTP/1.1 200 OK
Date: Sun, 28 Oct 2007 01:39:44 GMT
Set-Cookie: JSESSIONID=TOMCAT_SESSION_ID_HERE; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 11234
Connection: close

The browser now sees that the cookie is for / and will send the JSESSIONID cookie for all requests to this server.
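To make the mechanics concrete, here is an added example (my own code, not Apache’s and not from the original post) that does in PHP what ProxyPassReverseCookiePath does to the Set-Cookie value above, and that applies the browser’s cookie path-matching rule (RFC 6265 section 5.1.4) to show why the unrewritten cookie is never sent back for the application’s public URL. Function names are mine; the header values are the ones from the post.

```php
<?php
// Added example, not part of the original post. Two small functions:
//  - rewrite_cookie_path(): the rewrite "ProxyPassReverseCookiePath /myapp /"
//    performs on a Set-Cookie value;
//  - cookie_path_matches(): the browser's path-match rule, which decides
//    whether a stored cookie is attached to a request.

// Rewrite the Path attribute of a Set-Cookie value (the part after
// "Set-Cookie: ") from $from to $to. Paths equal to $from or beneath it are
// rewritten; any other cookie passes through untouched.
function rewrite_cookie_path(string $setCookie, string $from, string $to): string
{
    $parts = array_map('trim', explode(';', $setCookie));
    foreach ($parts as $i => $attr) {
        if (stripos($attr, 'Path=') !== 0) {
            continue;
        }
        $path = substr($attr, 5);
        $prefix = rtrim($from, '/') . '/';
        if ($path !== $from && strpos($path, $prefix) !== 0) {
            continue;
        }
        $rest = substr($path, strlen($from));       // "" or "/sub/dir"
        $parts[$i] = 'Path=' . ($rest === ''
            ? $to
            : rtrim($to, '/') . '/' . ltrim($rest, '/'));
    }
    return implode('; ', $parts);
}

// RFC 6265 path-match: the cookie is sent if the paths are identical, or the
// cookie-path is a prefix of the request path and either ends in "/" or the
// request path's next character is "/".
function cookie_path_matches(string $cookiePath, string $requestPath): bool
{
    if ($cookiePath === $requestPath) {
        return true;
    }
    if (strpos($requestPath, $cookiePath) !== 0) {
        return false;
    }
    return substr($cookiePath, -1) === '/'
        || $requestPath[strlen($cookiePath)] === '/';
}

// Constructed walk-through using the header value from the post.
$fromTomcat = 'JSESSIONID=TOMCAT_SESSION_ID_HERE; Path=/myapp';
$rewritten  = rewrite_cookie_path($fromTomcat, '/myapp', '/');
assert($rewritten === 'JSESSIONID=TOMCAT_SESSION_ID_HERE; Path=/');

// The browser talks to Apache at "/" and "/login", never at "/myapp", so the
// original cookie is dropped and every request starts a fresh session.
assert(cookie_path_matches('/myapp', '/') === false);
assert(cookie_path_matches('/myapp', '/login') === false);

// After the rewrite the cookie applies to the whole site.
assert(cookie_path_matches('/', '/') === true);
assert(cookie_path_matches('/', '/login') === true);

// Cookies for other applications behind the same proxy are left alone.
assert(rewrite_cookie_path('x=1; Path=/other', '/myapp', '/') === 'x=1; Path=/other');
```

The path-match function is the useful half for debugging: when a session cookie "disappears", compare the Path the server set against the path the browser actually requests, and the mismatch is usually immediate.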

Block comment spam with bcSpamBlock

A while ago I installed Paul Butler’s JSSpamBlock on my WordPress blog here. His original idea is simple and brilliant: spambots don’t (yet) execute JavaScript. In fact, they usually post directly to the form without even displaying the form first. By having a hidden input field that is populated by JavaScript, you can verify that users are hitting the page without the user even noticing. For users with JavaScript disabled (are there any of you out there?), they simply have to copy/paste a small string into a textbox for verification.

Since implementing a slightly modified version of it on this blog, I have gotten zero spam posts. Now, I wanted some way to implement the same logic on some of my own custom PHP sites to prevent spam on them as well.

While working on a way to re-implement Paul’s WordPress plugin in my own sites, I came up with something pretty clever. Instead of saving a row to a database every time that the form is displayed, you can use a little cryptography to make the client pass all of the data needed to validate the request back to you on its own. The idea is sort of a merger between the JSSpamBlock plugin and TCP SYN cookies, which use a similar method of having the client store the data for you.

Essentially, the function generates a random ID. It then encrypts the current timestamp and the random ID using PHP’s crypt() function with some cryptographic salt that is unique to each server. All three of those values (the random ID, the timestamp, and the encrypted value) are then passed to the browser. The timestamp and the encrypted value are stored in hidden <input> fields, while the random ID is displayed for the user to verify. If the user has JavaScript enabled, a few lines of JavaScript copy the random ID into another textbox and then hide that prompt, so that it is never seen by the user. If the user doesn’t have JavaScript enabled, they would have to copy/paste that random ID into the textbox themselves, similar to a captcha.

When the form is submitted, it checks to make sure that the timestamp is not too old, and then re-encrypts the passed in timestamp and random ID using the same salt value to make sure it matches the crypted value passed in from the form. If everything matches, the comment is approved, otherwise an error is displayed to the user.
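The scheme described in the last two paragraphs, as an added example written from scratch (this is not the bcSpamBlock code itself). The post keys its value with crypt() and a per-server salt; this example uses hash_hmac() with a per-server secret instead, which plays the same role without placing the salt in the value sent to the browser. Function and field names are my own, and the fixed timestamps at the bottom are constructed for the walk-through.

```php
<?php
// Added example, not the bcSpamBlock code. A stateless anti-spam form token:
// the client carries the timestamp, the random ID and a keyed value, and the
// server recomputes the keyed value on submission instead of storing a row.
// hash_hmac() stands in for the post's crypt()-with-server-salt.

// Per-server secret; in practice read from a config file outside the web root.
const SERVER_SECRET   = 'replace-with-a-long-random-per-server-secret';
const MAX_AGE_SECONDS = 3600;   // a form displayed longer ago than this is rejected

// Keyed value over timestamp and random ID. Without the secret a client cannot
// produce a matching value, so it can safely carry all three fields for us.
function spam_token(int $timestamp, string $randomId): string
{
    return hash_hmac('sha256', $timestamp . ':' . $randomId, SERVER_SECRET);
}

// Values to embed when the form is displayed.
function spam_fields(?int $now = null): array
{
    $now      = $now ?? time();
    $randomId = bin2hex(random_bytes(4));
    return ['ts' => $now, 'token' => spam_token($now, $randomId), 'id' => $randomId];
}

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Hidden timestamp and token, plus the visible prompt. A few lines of
// JavaScript on the page copy the ID into 'id_entered' and hide the prompt;
// without JavaScript the visitor types it in, like a captcha.
function spam_form_html(array $f): string
{
    return '<input type="hidden" name="ts" value="' . h((string) $f['ts']) . '">'
         . '<input type="hidden" name="token" value="' . h($f['token']) . '">'
         . '<p id="spamprompt">Type <b>' . h($f['id']) . '</b> here: '
         . '<input type="text" name="id_entered"></p>';
}

// On submission: reject stale (or future) timestamps, recompute the keyed
// value from what the client sent back, and compare in constant time.
function spam_check(array $post, ?int $now = null): bool
{
    $now = $now ?? time();
    if (!isset($post['ts'], $post['token'], $post['id_entered'])) {
        return false;
    }
    $ts = (int) $post['ts'];
    if ($ts > $now || $now - $ts > MAX_AGE_SECONDS) {
        return false;
    }
    $expected = spam_token($ts, (string) $post['id_entered']);
    return hash_equals($expected, (string) $post['token']);
}

// Walk-through with a fixed clock (constructed values, not a real submission).
$shown = spam_fields(1000000);
$good  = ['ts' => $shown['ts'], 'token' => $shown['token'], 'id_entered' => $shown['id']];
assert(spam_check($good, 1000000 + 60) === true);

// A bot posting straight to the form has no valid token for its fields...
assert(spam_check(['ts' => 1000000, 'token' => 'guess', 'id_entered' => 'x'], 1000060) === false);
// ...a wrong ID in the textbox fails the same way...
assert(spam_check(['ts' => 1000000, 'token' => $shown['token'], 'id_entered' => 'nope'], 1000060) === false);
// ...and a token scraped earlier expires once the timestamp is too old.
assert(spam_check($good, 1000000 + MAX_AGE_SECONDS + 1) === false);
```

Design note: the only server-side state is the secret and the clock, which is what makes this cheap. The trade-off, shared with the design in the post, is that a token stays valid for the whole window, so the window should be as short as a real commenter needs rather than days long.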

I wrote this up into a simple include file that can be used for any PHP application. I also implemented a quick WordPress plugin that uses the generic version. More information about it can be found on my new bcSpamBlock home page.

Update 2024-10-01:

There are much better spam blocking plugins now, so this has been discontinued.


© 2025 Brandon Checketts
