Archive for the ‘unix’ Category

Making Passwords for An Easier Life…….

Friday, September 16th, 2011

Hot on the heels of Companies Make VPN Easy For Yourselves……. comes another gem from the school of ‘kinda obvious if you think about it’!

If you use the UK pound ‘£’ symbol in any passwords, at some point it will bite you in the ass when you are on an American keyboard (especially laptop keyboards).

With so many other non-alphanumeric characters to choose from that are accepted in both UK and USA regions (ampersand, asterisk, exclamation mark, percent sign, caret), why run the risk of being unable to logon when not sat at your default location/system? (This comes from being unable to ‘su’ all bloody weekend on some Linux systems owing to my laptop being of the crappy USA keyboard variety…. and yes, I know about character map and such, but I couldn’t be bothered.)

So from now on, I will never use pound ‘£’ or hash ‘#’ in my passwords just to be on the safe side (I guess some among you would consider this a security enhancement…….I suspect you are the same people who think obfuscation through DNS is also a security measure !)

DOH !

Apache Header Byte Range DoS Exploit…….

Saturday, September 3rd, 2011

Grrrrr, looks like there’s an unpatched exploit in *all* versions of Apache web server.

It’s to do with HTTP Range headers, which allow responses to be broken into smaller chunks before sending. You can read about them here and here.

There are multiple workarounds for mitigating the issue that can be read here and here.

And as of 30th August, version 2.2.20 of Apache was released, which has mitigation built in (if the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file).
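Here is that 2.2.20 rule written out as an added example in Python (my own code, not the original post’s or Apache’s), for one Range header in the HTTP/1.1 ‘bytes=’ form: first-last, first- to the end of the file, or -N for the last N bytes. The function names are mine.

```python
def parse_byte_ranges(range_header, file_size):
    """Return a list of (first, last) byte positions, clipped to the file.

    Accepts the HTTP/1.1 forms "first-last", "first-" and "-suffix".
    Ranges that start beyond the end of the file are dropped as
    unsatisfiable; malformed specs raise ValueError so the caller can
    reject the request outright.
    """
    if not range_header.startswith("bytes="):
        raise ValueError("only byte ranges are supported")
    ranges = []
    for spec in range_header[len("bytes="):].split(","):
        first, sep, last = spec.strip().partition("-")
        if not sep or (not first and not last):
            raise ValueError("malformed range: %r" % spec)
        if not first:                          # "-N": the final N bytes
            n = min(int(last), file_size)
            if n > 0:
                ranges.append((file_size - n, file_size - 1))
            continue
        start = int(first)
        if start >= file_size:                 # unsatisfiable, skip it
            continue
        end = file_size - 1 if not last else min(int(last), file_size - 1)
        if end < start:
            raise ValueError("malformed range: %r" % spec)
        ranges.append((start, end))
    return ranges


def should_ignore_ranges(range_header, file_size):
    """The 2.2.20 rule: when the requested ranges add up to more bytes than
    the file holds, ignore the Range header and send the complete file."""
    total = sum(last - first + 1
                for first, last in parse_byte_ranges(range_header, file_size))
    return total > file_size
```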

Guess what I’m going to be doing all next week ? :-/…….

Recursive Grep For Solaris…….

Thursday, August 11th, 2011

Solaris grep doesn’t seem to have a ‘-r’ switch to perform recursive string searches (at least not on version 10 on Intel x86 anyway).

:o(

The following works as a workaround/substitution:

# search every regular file below the current directory, case-insensitively;
# /dev/null is an extra argument so grep prints file names even when xargs
# hands it only one file
find . -type f | xargs grep -i 'pattern' /dev/null

That is all……..

 

QNAP Data Recovery Hell…….

Wednesday, May 11th, 2011

It never goes easily, does it?!

Somehow, I had managed to almost fill the 1TB drives in my two-bay QNAP NAS. Owing to my being paranoid about my data, I chose to mirror a pair of 1TB drives for 1TB total storage, rather than create a 2TB spanned volume using both of them.

I was down to a couple of hundred MB of free space, so it was time to take action. I ordered a couple of shiny new Seagate 2TB drives online with the intention of going from a pair of mirrored 1TB drives to a pair of mirrored 2TB drives.

My plan was to remove one drive from the mirror set, insert one of the new 2TB drives, wait for it to rebuild, and then replace the second drive and allow a subsequent rebuild to take place. It did not go according to plan :o(

I removed one of the 1TB disks, and then to ensure the 2TB disk would stand a greater chance of working, I upgraded the firmware (dumb dumb dumb !). I then installed one of the new 2TB disks.

The NAS did indeed rebuild/re-mirror with the new drive, but it created a 1TB volume on the 2TB disk. Not entirely unexpected, but not quite what I wanted :o(

Now I needed to get all the data off of the existing NAS 1TB disk onto something else, install both the new 2TB disks, create an empty 2TB volume, mirror it, and copy the data back onto the new larger volume. I attempted to connect one of the original 1TB disks to a Windows desktop machine with a SATA converter cable/kit, and to mount the file system to copy the data off. And here’s where I hit real problems.

I could see the top level folder structure on the disk, but nothing below it ! :o( The QNAP version of EXT4 is a custom patched version that it seems can only be read by their chassis running their firmware. Fair enough, intellectual property and all that, but this was making my life a mite difficult now.

I tried putting the original drive back into the chassis and booting it to copy the files off over the network, but the new firmware update seemed not to like this: it booted OK, but the actual file server part did not kick in, and I couldn’t see the device on the LAN to map a drive to.

In the end I had to ssh to the NAS device itself and use the Samba services to run a CIFS mount to my Windows desktop. I then spent several glorious days moving the files off folder by folder till I had them all. Then I put both new 2TB disks in and did a factory reset (including downgrading the firmware as it seemed a little….buggy).

Once the device booted up and presented itself as a shiny new empty 2TB NAS, I began the unenviable task of copying all my crap back over…….several more lost days. Moral of the story for me would be:

a) don’t upgrade drivers/firmware for the sake of it
b) when dealing with a *lot* of data, *copy* and then delete, do not use move, even if a 20 stone psycho has a knife pressed to your throat

Ironically, as I write this, my 2TB volume is being eaten into at a rate of knots. I’m probably gonna have to buy a bigger NAS. Have my eye on one of these full to the brim with 3TB disks.

possibly all the storage I could need.......?

Host Multiple WordPress Instances Using a Single Hosting Account

Saturday, September 18th, 2010

Running multiple WordPress instances is easy when you have multiple databases and directories at your disposal, but often you only get one database and one hosting folder when you sign up with a web provider.

Here’s how to run multiple instances of WordPress from their own URLs out of subfolders in your personal hosting space.

First, we need to create some MySQL users for assigning permissions to the database (I have created a fictional database ‘wpdb’ here). You could also do this using a GUI-based tool like phpMyAdmin if you are more comfortable with that.

mysql> create database wpdb;
Query OK, 1 row affected (0.00 sec)

mysql> create user 'wp1'@'localhost' identified by 'wp1';
Query OK, 0 rows affected (0.00 sec)

mysql> create user 'wp2'@'localhost' identified by 'wp2';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all privileges on wpdb.* to 'wp1'@'localhost';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all privileges on wpdb.* to 'wp2'@'localhost';
Query OK, 0 rows affected (0.00 sec)

Inside my web hosting folder I created two subfolders, ‘blog-one’ and ‘blog-two’, so my hosting directory looks like this:

Next I download the latest version of WordPress from http://wordpress.org/latest.zip to my folder. Unzip the latest.zip file, it will expand the contents out into a ‘wordpress’ folder in the current directory.

Copy the contents of the ‘wordpress’ directory into the blog-one and blog-two folders.

Now go into the blog-one folder and rename ‘wp-config-sample.php’ to ‘wp-config.php’.

Edit the ‘wp-config.php’ file with your favourite editor and set the following values:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wpdb');

/** MySQL database username */
define('DB_USER', 'wp1');

/** MySQL database password */
define('DB_PASSWORD', 'wp1');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix  = 'wp_1_';

Now go into the blog-two folder and rename ‘wp-config-sample.php’ to ‘wp-config.php’.

Edit the ‘wp-config.php’ file with your favourite editor and set the following values:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wpdb');

/** MySQL database username */
define('DB_USER', 'wp2');

/** MySQL database password */
define('DB_PASSWORD', 'wp2');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix  = 'wp_two_';

What this will do is re-use the single database, but create uniquely named tables for each instance.

The URL for my normal site is http://ubuntu.lan, and here you can see the blog folders ready to use in my main folder.

I can access these WordPress instances by going to ‘http://ubuntu.lan/blog-one’ or ‘http://ubuntu.lan/blog-two’. But I don’t want my site URL to have anything to do with these blogs, so we can use URL rewriting to change them.

Create a .htaccess file with the following contents and place it into your root web hosting folder.

RewriteEngine On

RewriteCond %{HTTP_HOST} site2
RewriteCond %{REQUEST_URI} !^/blog-two
RewriteRule ^(.*)$ blog-two/$1 [L]

RewriteCond %{HTTP_HOST} site1
RewriteCond %{REQUEST_URI} !^/blog-one
RewriteRule ^(.*)$ blog-one/$1 [L]

This will allow me to use the URLs ‘http://site1’ and ‘http://site2’ to reach my blogs. site1 and site2 have the same IP address as my main site. When I type ‘http://site1’ into the browser, it goes to my web host and hits my default folder. There it finds the .htaccess file and reads it. It finds an entry matching ‘site1’, which tells it to go into the ‘blog-one’ folder for content. You can replace ‘site1’ with any host name you like, as long as its IP address points to your hosting server.

If you have edited ‘wp-config.php’ correctly, when you browse to http://site1, you should get the WordPress setup screen as shown below.

Fill in your values for site name, email contact etc. etc., the install will complete and you will be given the login details for the admin account.

You should now be able to logon to the site and it should look something like this.

Now you can repeat the steps for ‘http://site2’. If all goes well, you should have a second separate blog site like below.

And if we look at the tables in our MySQL database we see they all have wp_1_ and wp_two_ prefixes, as shown below, isolating each site in the DB.

You can repeat this multiple times to suit your needs; as long as you can point the DNS for the URL to your hosting server it should work fine.
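To see exactly what those .htaccess rules do, here is an added example in Python (my own code, not from the post or from Apache) that simulates the two rules above for a given host and request path. RewriteCond patterns are regular expressions matched unanchored, so the same function is also run with anchored patterns to show the difference.

```python
import re

# The two rule blocks from the .htaccess above, as (host pattern, folder)
# pairs in the order Apache evaluates them. The patterns are the ones the
# post uses; the anchored set below is an alternative, not from the post.
RULES_AS_WRITTEN = [("site2", "blog-two"), ("site1", "blog-one")]
RULES_ANCHORED = [(r"^site2$", "blog-two"), (r"^site1$", "blog-one")]


def route(host, request_uri, rules):
    """Return the path Apache would serve, applying the first rule whose
    conditions hold, or the original request URI if none does."""
    for host_pattern, folder in rules:
        # RewriteCond %{HTTP_HOST} <pattern>: unanchored regex search
        if not re.search(host_pattern, host):
            continue
        # RewriteCond %{REQUEST_URI} !^/<folder>: skip requests that are
        # already inside the blog folder (this is what stops a rewrite loop)
        if re.match("/" + folder, request_uri):
            continue
        # RewriteRule ^(.*)$ <folder>/$1 [L]: rewrite and stop processing
        return "/" + folder + request_uri
    return request_uri


def main():
    for host in ("site1", "site2", "ubuntu.lan", "site10.example"):
        print(host, "->", route(host, "/", RULES_AS_WRITTEN),
              "| anchored:", route(host, "/", RULES_ANCHORED))


if __name__ == "__main__":
    main()
```

With the patterns as written, a host such as site10.example also lands in blog-one, because ‘site1’ matches anywhere inside the host name; anchoring the pattern limits the rule to the exact host.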

Enjoy :o)

Remove Tilde From URL On OS X Personal Web Sites

Saturday, August 14th, 2010

I’ve recently been helping a friend with some web site stuff. Nothing too complex, just some PHP that results in some HTML and CSS.

Continually FTP’ing the files back and forth to my ISP-hosted account was becoming labour intensive, so I figured I would just use the Apache web server built into OS X on my Mac Mini.

Some notes:

The main apache config file is located at:

/etc/apache2/httpd.conf

Each user has a personal Apache config file that specifies the location of their personal web folder. This file is located at:

/etc/apache2/users/<username>.conf

Each user/logon gets a folder called ‘Sites’ in their home location (so /Users/<user>/Sites/). This folder is the root folder of your personal web folder name space.

When you access the site, the URL to use is:

http://servername/~username

If you don’t like the tilde character (~) being part of the URL, you can get around it by adding an Alias directive to the top of the user’s personal Apache config file:

/etc/apache2/users/<username>.conf

Restart Apache (either from the Preferences panel, or with ‘apachectl restart’) and you should be good to go.

So my logon on my Mac Mini is Scott. The file I need to edit is:

/etc/apache2/users/Scott.conf

And I need to add the line:

Alias /Scott "/Users/Scott/Sites/"

I also add:

Alias /scott "/Users/Scott/Sites/"

So I don’t have to worry about case sensitivity. So now instead of using:

http://mymacmini/~Scott

you should be able to use:

http://mymacmini/scott

Correct ESX NTP Time Periodically

Friday, May 14th, 2010

Just had an odd one. Every time I rebooted any one of my Windows VMs, when it came back up the clock would be out by a varying amount.

VMs on the same physical host would be out by identical amounts, but VMs on different physical hosts would be out by different amounts.

The physical VM host servers are all running ntpd, and are configured to sync to the pool.ntp.org server lists, so I thought this was all sorted; seems I was wrong.

Each physical box, even though it was syncing with NTP peers in the outside world, was experiencing varying degrees of skew on the clock. The amount was up to 20 minutes across all the physical nodes.

To correct this, I have created a cron job on each server with the following entry

0 9 * * * /usr/sbin/ntpdate -s -b -p 4 -u 0.pool.ntp.org

Now the server will correct the clock skew once each day at 9am, and hopefully now I can forget all about this :-?

Change Ubuntu Default ‘ls’ Command Alias…….

Tuesday, April 27th, 2010

Change Default Ubuntu Aliases

By default, Ubuntu (plus several others) changes the ‘ls’ command to be an alias that colour codes the output. While I’m sure this is great for many people, I don’t like it :o(

I like a black background, lime green text, directories indicated with a ‘/’ character at the end, and hidden files shown.

To change the default, you need to make the same change in a couple of places…….

Firstly, in your home directory, edit the hidden file ‘.bashrc’. Find the line that reads alias ls='ls --color=auto' and comment it out with a ‘#’ at the start.

Then add a new line (above or below, does not matter) with the following:

alias ls='ls -aF'

(in this case, ‘a’ shows all files including hidden ones, and ‘F’ indicates a directory by adding a trailing forward slash ‘/’ after the directory name)

This will change your login only. If you also want to change the root ls alias you will need to follow the same steps for the file /root/.bashrc, but you will need to either use sudo with your edit command, or su to root and then edit.

The last place you may wish to edit is the skeleton template file used for all new users. This is located at /etc/skel/.bashrc. Again, edit the file with the changes above, and all newly added users will receive a copy of the file and have their ls command alias set to your formatting (if you so wish).

Enable The ‘root’ User Account In Ubuntu…….

Friday, March 12th, 2010

I like consistency. It makes things easier, and me faster and more accurate/efficient/amazing to watch etc. etc.

As Ubuntu is the 4th Linux distro I have ever had to work with (first being OpenBSD, then FreeBSD, then Red Hat) I was getting a little annoyed that after an install ‘su’ did not work as I was previously used to.

Ubuntu chose instead to lock the root account out and force you into using the ‘sudo’ command. This means that to do anything as ‘root’ you use

sudo <command to run>

The system will then prompt you for *your* password and, if you have sufficient permissions in the sudoers file, will execute the command you provided with root level permissions.

There are of course some benefits, mainly centered around security. But there are also some drawbacks such as having to maintain the sudoers file, and command output redirection. But given that OpenBSD is considered one of the most secure Unix operating systems around and they don’t feel the need to do it this way, I like to change this behaviour immediately after the first post install reboot.

To enable the root account, logon to the system with your account and run

sudo passwd root

The system will prompt you for *your* password. It will then prompt you to enter a new password for the root account, and then to confirm it a second time. Once this is done you can just switch to the root user using the plain old ‘su’ command.

Oh, and if you’re worried about being able to log in directly over SSH as the root account, simply edit

/etc/ssh/sshd_config

and change the line

PermitRootLogin yes

to

PermitRootLogin no

This will ensure that you have to login as a normal user and su to root from remote connections.
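As an added example (my own code, not from the original post), here is a small check of which PermitRootLogin value sshd will actually use, run over a constructed sshd_config: sshd takes the first occurrence of a keyword, so a stray earlier line wins over an edit made further down, and lines inside a Match block only apply to the matching connections.

```python
import re

# Constructed sample sshd_config, not a real host's file: the keyword appears
# once commented out, once for real, and once more inside a Match block.
SAMPLE_SSHD_CONFIG = """\
# What ports, IPs and protocols we listen for
Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes

Match User backup
    PermitRootLogin yes
"""


def effective_value(config_text, keyword):
    """Return the value sshd uses for keyword in the global section.

    Comments and blank lines are skipped, keywords are case-insensitive, and
    the first occurrence wins. Everything from the first Match block on is
    conditional, so the scan stops there. Returns None when the keyword is
    not set, meaning the compiled-in default for that OpenSSH version applies.
    """
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip()
    return None


def root_ssh_login_disabled(config_text):
    """True only when PermitRootLogin is explicitly 'no' in the global section."""
    value = effective_value(config_text, "PermitRootLogin")
    return value is not None and value.lower() == "no"
```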

If you wish to revert back to the default Ubuntu behaviour, simply run (under your own logon)

sudo passwd -l root

Make Nagios Web Interface Read-Only…..

Friday, March 5th, 2010

Even though we’re not a massive company (less than 50 butts on seats) we do have quite a bit of kit in an environment that is growing ever more complex.

To help we use Nagios to monitor key systems and services and to alert us via email when issues arise (and hopefully we can correct them before the masses notice)

My boss decided he wanted to share our Nagios screens with others (well, his boss) and so I installed a workstation with two flat screens lofted up on high so they could be seen from a distance.

But I had a slight snag. We use authentication on Nagios, and the account used for viewing the web console had enough permissions to be able to execute the host commands listed on the right-hand side of the interface (shown below).

This meant that should any passer by wish to, they could click the url link to say, turn off a check that was failing (not that any of our users would do such a thing !). So I needed a way to make the web interface either not display those links or be read-only for those links, essentially prevent people from altering the configuration.

Peeking through the config files for Nagios, it seems my predecessor had the same idea at some point, but had not quite managed to pull it off. Inside the cgi.cfg file (which was located at /usr/local/nagios/etc/cgi.cfg) are the following lines


default_user_name=
authorized_for_system_information=
authorized_for_configuration_information=
authorized_for_system_commands=
authorized_for_all_services=
authorized_for_all_hosts=
authorized_for_all_service_commands=
authorized_for_all_host_commands=

The ones of interest are:

authorized_for_all_services=

authorized_for_all_hosts=

By adding a user to these two lines *only*, the URLs on the pages for running commands and viewing/modifying the config do not work and give a permissions error.

You will also need to add the name you put on those two lines to the /usr/local/nagios/etc/htpasswd file as well.

Now, even though you can still see the command URLs on the pages, you get this if you try to click them:

nagios says no

So, how far had my predecessor gotten? Well, something I take for granted that I guess he did not know: the list of names supplied should be comma separated with no space between them.
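As an added example (my own code, not from the original post or from Nagios), here is an audit of a constructed cgi.cfg that reports which names end up read-only, which still hold command or configuration rights, and which entries carry the stray spaces that stop Nagios matching them against a login name.

```python
# Constructed cgi.cfg fragment, not the post's real file: 'console' is the
# read-only screen account on the two lines the post recommends, 'nagiosadmin'
# has everything, and one line has the space-after-comma mistake.
SAMPLE_CGI_CFG = """\
default_user_name=
authorized_for_system_information=nagiosadmin
authorized_for_configuration_information=nagiosadmin
authorized_for_system_commands=nagiosadmin
authorized_for_all_services=nagiosadmin,console
authorized_for_all_hosts=nagiosadmin,console
authorized_for_all_service_commands=nagiosadmin, console
authorized_for_all_host_commands=nagiosadmin
"""

# The only two lists that grant viewing without command/config rights.
VIEW_ONLY = {"authorized_for_all_services", "authorized_for_all_hosts"}


def parse_cgi_cfg(text):
    """Map each authorized_for_* key to its names, split on commas only
    (as Nagios does), so 'nagiosadmin, console' yields ' console'."""
    grants = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.startswith("authorized_for_"):
            grants[key] = [name for name in value.split(",") if name]
    return grants


def audit(text):
    """Return (read_only_users, privileged_users, suspect_entries).

    A name is read-only when it appears only on the two VIEW_ONLY lines;
    any other authorized_for_* line grants command or configuration access.
    suspect_entries holds (key, name) pairs whose name contains surrounding
    whitespace, which Nagios will never match and therefore silently ignores.
    """
    grants = parse_cgi_cfg(text)
    everyone, privileged, suspect = set(), set(), []
    for key, names in grants.items():
        for name in names:
            if name != name.strip():
                suspect.append((key, name))
                continue
            everyone.add(name)
            if key not in VIEW_ONLY:
                privileged.add(name)
    return sorted(everyone - privileged), sorted(privileged), suspect
```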

Easy when you know how :o)