~chuck/blog

What more could you want?


Being a Linux user, I am quite accustomed to the netstat flags that I use most often (plant, or sometimes tupac). I recently acquired a MacBook Pro, and found the netstat flags quite different.

clstearns@olly:~$ netstat -ntpl
netstat: l: unknown or uninstrumented protocol
clstearns@olly:~$ netstat -ntl | wc -l
221

clstearns@eli:~$ netstat -ntl | wc -l
6

How annoying it is, having to change one’s habits.

Rather than learning the new flags, I pulled out my trusty lsof:

$ lsof -i tcp:22
COMMAND  PID      USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
ssh     8383 clstearns    3u  IPv4 0x060b0334      0t0  TCP olly.ozymo.com:56829->mail.ozymo.com:ssh (ESTABLISHED)

Using lsof, I can see in the NAME field what kind of connections I have open.

According to the lsof man page, the -i flag takes an option [i] specified as an Internet address. From the man page:

An Internet address is specified in the form (Items in square brackets are optional.):

[46][protocol][@hostname|hostaddr][:service|port]

where:

46 specifies the IP version, IPv4 or IPv6 that applies to the following address. '6' may be specified only if the UNIX dialect supports IPv6. If neither '4' nor '6' is specified, the following address applies to all IP versions.

protocol is a protocol name – TCP, UDP

hostname is an Internet host name. Unless a specific IP version is specified, open network files associated with host names of all versions will be selected.

hostaddr is a numeric Internet IPv4 address in dot form; or an IPv6 numeric address in colon form, enclosed in brackets, if the UNIX dialect supports IPv6. When an IP version is selected, only its numeric addresses may be specified.

service is an /etc/services name – e.g., smtp – or a list of them.

port is a port number, or a list of them.

At least one address component - 4, 6, protocol, hostname, hostaddr, or service - must be supplied. These addresses can get hairy, according to this example, which means TCP, ports 1 through 10, service name smtp, port 99, host name foo:

tcp@foo:1-10,smtp,99
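
An added example (not from the original post and not lsof's own code): a small Python parser for the address grammar quoted above, useful for checking what a hairy -i argument actually selects before running it. The function name parse_lsof_inet and the returned keys are hypothetical, and it accepts only the TCP and UDP protocol names the excerpt lists.

```python
import re

# Grammar from the lsof man page: [46][protocol][@hostname|hostaddr][:service|port]
_SPEC = re.compile(
    r"^(?P<ver>[46])?(?P<proto>tcp|udp)?"
    r"(?:@(?P<host>\[[0-9a-f:.]+\]|[^:@\[\]]+))?"
    r"(?::(?P<ports>[^:@]+))?$",
    re.IGNORECASE,
)
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_lsof_inet(spec):
    """Split an lsof -i address into its parts; raise ValueError if malformed."""
    m = _SPEC.match(spec)
    if not spec or m is None:  # at least one component must be supplied
        raise ValueError(f"not an lsof -i address: {spec!r}")
    ver, proto, host, ports = m.group("ver", "proto", "host", "ports")
    kind = None
    if host:
        if host.startswith("["):          # IPv6 literals are bracketed
            host, kind = host[1:-1], "ipv6"
        elif _IPV4.match(host):
            kind = "ipv4"
        else:
            kind = "name"
    # "When an IP version is selected, only its numeric addresses may be specified."
    if ver and kind in ("ipv4", "ipv6") and kind != "ipv" + ver:
        raise ValueError(f"IPv{ver} selected but host is {kind}")
    items = []
    for item in (ports.split(",") if ports else []):
        lo, dash, hi = item.partition("-")
        if lo.isdigit() and dash and hi.isdigit():
            items.append(("range", int(lo), int(hi)))
        elif item.isdigit():
            items.append(("port", int(item)))
        else:
            items.append(("service", item))  # /etc/services name, e.g. smtp
    return {"version": int(ver) if ver else None,
            "protocol": proto.lower() if proto else None,
            "host": host, "host_kind": kind, "ports": items}

if __name__ == "__main__":
    for spec in ("tcp@foo:1-10,smtp,99", "tcp:22", "6tcp@[::1]:ssh"):
        print(spec, "->", parse_lsof_inet(spec))
```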

lsof allows me to gain the information I need pertaining to my network connections, and when combined with some of the simpler options for MacOS’s netstat version (Mach-O universal binary with 3 architectures; it’s also the BSD4.2 version, whereas my Ubuntu box reports that the installed netstat command version 1.42 is from the net-tools package) it makes for a very handy tool.

Thanks to Greg and the man for the information on lsof.

/cs

doexec


Check this out:

$ doexec yes lolbutts > /dev/null &
$ ps auxww | grep lolbutts
500      28962 96.8  0.2  58908   544 pts/1    R    11:00   0:06 lolbutts

OK, so now hear this:

$ doexec /tmp/udp.pl /usr/sbin/httpd &
$ ps auxww | grep httpd
apache   27601  0.0 12.9 264324 34016 ?        S    07:44   0:08 /usr/sbin/httpd
apache   27887  0.0 12.6 265956 33264 ?        S    08:42   0:06 /usr/sbin/httpd
apache   28103  0.0 11.2 257932 29452 ?        S    09:24   0:03 /usr/sbin/httpd
apache   28108  0.0 11.8 262884 31040 ?        S    09:24   0:04 /usr/sbin/httpd
apache   28580  0.1 11.0 257296 28948 ?        S    10:56   0:01 /usr/sbin/httpd
apache   29015 90.8  0.2  58908   548 pts/1    R    11:07   0:04 /usr/sbin/httpd

Can you pick which one isn’t really Apache?

Thanks to Kale for pointing out this nifty utility.
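
An added example (not part of the original post): ps prints whatever argv[0] the process was handed, so one way to pick out the impostor is to compare argv[0] in /proc/PID/cmdline with the /proc/PID/exe link, which points at the binary the kernel actually executed. The function names, the /usr/bin/yes path and the fake /proc tree are constructed for illustration.

```python
import os
import tempfile

def argv0_mismatches(proc_root="/proc"):
    """Return (pid, exe, argv0) where argv[0] does not name the running binary."""
    hits = []
    for pid in sorted(p for p in os.listdir(proc_root) if p.isdigit()):
        base = os.path.join(proc_root, pid)
        try:
            exe = os.readlink(os.path.join(base, "exe"))  # what the kernel executed
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue  # kernel thread, exited process, or not ours to read
        claimed = argv0.lstrip("-")  # login shells appear as "-bash"
        if not claimed:
            continue
        if claimed.startswith("/"):
            mismatch = claimed != exe
        else:
            mismatch = os.path.basename(claimed) != os.path.basename(exe)
        if mismatch:
            hits.append((pid, exe, argv0))
    return hits

def build_sample_proc(root):
    """Constructed sample: a fake /proc mirroring the two doexec runs above."""
    sample = {
        "27601": ("/usr/sbin/httpd", b"/usr/sbin/httpd\0"),  # honest process
        "28962": ("/usr/bin/yes", b"lolbutts\0"),            # doexec yes lolbutts
        "29015": ("/tmp/udp.pl", b"/usr/sbin/httpd\0"),      # doexec /tmp/udp.pl ...
    }
    for pid, (exe, cmdline) in sample.items():
        os.makedirs(os.path.join(root, pid))
        os.symlink(exe, os.path.join(root, pid, "exe"))  # dangling link is fine
        with open(os.path.join(root, pid, "cmdline"), "wb") as fh:
            fh.write(cmdline)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_proc(tmp)
        for pid, exe, argv0 in argv0_mismatches(tmp):
            print(f"pid {pid}: executing {exe} but argv[0] says {argv0}")
```

On a live system, daemons that rewrite their own process title and binaries started through a symlink will also show up, so treat the output as a list to review rather than a verdict.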

/cs

I do simple DNS checks on the hosts that attempt to send mail to my server.

Wal-Mart fails:

Jan 4 23:07:18 oz postfix/smtpd[25560]: NOQUEUE: reject: RCPT from mail1.walmart.com[161.170.244.39]: 450 4.7.1 < ndc-mta1.walmart.com >: Helo command rejected: Host not found; from=< batch@ndc-fulmailapp1.walmart.com > to=< addy@ozymo.com > proto=ESMTP helo=< ndc-mta1.walmart.com >

/cs

UPDATE: I’ve been asked to provide some background on this. So here goes: My wife requested her password for her Wal-Mart online account, and didn’t receive any email. Looking at the logs, I found the above failure. I have my server configured to reject mail from servers whose hostname doesn’t map correctly via forward DNS, and thus, Wal-Mart failed. /cs

I recently rediscovered some interesting functionality in the yum application used by CentOS, Fedora, Red Hat, and others. Namely, meta-packages or “groups” that will install a set of packages geared toward a specific function.

For instance, to list installed and available groups, do as such:

# yum grouplist

This will provide a list of all installed and available meta-packages by name. To install, say, a LAMP stack on a base CentOS install, run the following:

# yum groupinstall 'Web Server' 'MySQL Database'

Happy Hacking!

/cs

In the event that you need to disable PHP’s APC, Advanced PHP Cache, module for a single domain, add the following to the Apache configuration:

<Directory /path/to/docroot>
php_admin_flag apc.enabled "0"
</Directory>

If you want to do this on the fly for developers so they can actually see their changes before the cache updates, simply throw it into a .htaccess file in the DocumentRoot.

/cs

Thanks to somerandomstuff.com for their excellent article on disabling SSLv2 ciphers in qmail.

Create this file:

# cat /var/qmail/control/tlsserverciphers
ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

Restart qmail, and done.

Happy hacking!

/cs

Here’s a little command line hack that will calculate the bandwidth for all maillogs on your Plesk server, for SMTP, and POP/IMAP send and receive:

(echo "smtp:  `(cat maillog maillog.processed && zcat maillog.processed.*) | grep bytes | grep qmail: | awk '{sum=sum+$11} END { print sum}'`" && (cat maillog maillog.processed && zcat maillog.processed.*) | grep pop3 | grep LOGOUT | awk '{print $13,$14}' | sed 's/,//g;s/....=//g' | awk '{sumrcvd=sumrcvd+$1; sumsent=sumsent+$2} END {print "rcvd: ",sumrcvd,"\n" "sent: ",sumsent}') | awk '{total=total+$2; print} END {print "total: ",total/1024/1024 "MB"}'

Run it from /usr/local/psa/var/log. It outputs something along these lines:

smtp: 397852373
rcvd: 228219
sent: 211813204
total: 581.64MB

Enjoy!
/cs

Rotating 2-sided Cube


I’ve been envious of a friend’s Visor app on her Mac for a while now, and finally decided to do something about it.


Button Implants


Yes, Google’s buttons got bigger.

/cs

Bilbo Blogger


Mostly just trying this bilbo thing out.

/cs

UPDATE: looks like it works pretty good.

So, I decided to add a little security to the mail system with SASL auth and TLS. We’ll discuss TLS configuration first because I set Postfix up to only allow TLS logins, so testing whether or not SASL is working later requires that TLS be set up, in this particular case.


My thanks to zulfikars.org for an excellent, easy-to-follow solution to the Pidgin-Yahoo problem. It worked like a champ, and I didn’t have to update to sid.

It’s also a great introduction to building packages in Debian.

/cs

UPDATE: After I implemented the above solution, I learned about Debian backports. zulfikars’s solution is excellent and informative, but backports.org’s is more user-friendly, and easier to handle for the noob.  /cs

This nearly scared the life out of me:

[chuck@thom ~]$ gpg -v
Warning: using insecure memory!
gpg: Go ahead and type your message ...

I was on a FreeBSD virtual machine, and had just installed GnuPG.  As it turns out, I rtfm’d and found the solution:

In the “BUGS” section of the gpg(1) man page:

On many systems this program should be installed as setuid(root). This is necessary to lock memory pages. Locking memory pages prevents the operating system from writing memory pages (which may contain passphrases or other sensitive material) to disk. If you get no warning message about insecure memory your operating system supports locking without being root. The program drops root privileges as soon as locked memory is allocated.

Here are the steps I took to make the gpg2 binary setuid:

$ which gpg
/usr/local/bin/gpg
$ ls -lah /usr/local/bin/gpg
lrwxr-xr-x  1 root  wheel     4B Feb  3 04:36 /usr/local/bin/gpg -> gpg2
$ chmod 4755 /usr/local/bin/gpg2
$ ls -lah /usr/local/bin/gpg2
-rwsr-xr-x  1 root  wheel   576K Feb  3 04:36 /usr/local/bin/gpg2

So, sure enough, after setting the gpg2 binary to be setuid, everything worked:

[chuck@thom ~]$ gpg -v
gpg: Go ahead and type your message ...

Now I can safely, securely use gpg on FreeBSD.

/cs

I came across an issue where a customer needed education on using Redirect in the Apache config. Particularly, the redirects were being configured through webmin (which, btw, does an amazing job of mangling the httpd.conf file!). I thought somebody may find it useful, and cleaned it up. The names or websites have been changed to protect the innocent or the not-so-innocent.

Here is the syntax that webmin placed into the Apache config on your server for various redirects:

# grep ^Redirect /etc/httpd/conf/httpd.conf
Redirect http://kubrick.fruella.com "https://secure3.paymelater.net/csr/default.asp"
Redirect http://kubrick "https://secure3.paymelater.net/csr/default.asp"
Redirect http://epay.fruella.com "https://secure3.paymelater.net/fruella/"
Redirect http://epay.fruelladev.com "https://secure3.paymelater.net/fruella/"
Redirect http://epay "https://secure3.paymelater.net/fruella/"
Redirect 301 epay "https://secure3.paymelater.net/fruella/"
RedirectPermanent epay "http://www.gooboodle.com"
RedirectPermanent e-pay "http://www.gooboodle.com"

These will not work:

Redirect http://kubrick "https://secure3.paymelater.net/csr/default.asp"
Redirect http://epay "https://secure3.paymelater.net/fruella/"
Redirect 301 epay "https://secure3.paymelater.net/fruella/"
RedirectPermanent epay "http://www.gooboodle.com"
RedirectPermanent e-pay "http://www.gooboodle.com"

The reason that these won’t work is because you aren’t giving them a URL or URI to redirect. A proper 301 redirect (which is the most common type, and probably what you need) is as such:

Redirect 301 / http://www.example.com

This will take the root of the site (“/”) and redirect it to www.example.com. So, if your site is domain.com, and you visit domain.com in a browser, you’ll be redirected to www.example.com. The URL in the browser will change, and a new request to Apache is made for www.example.com.

If you have a particular page that needs to be redirected, the syntax would be similar:

Redirect 301 /store/secure/checkout.php http://www.paymesometime.com/

… or something similar to that.

This will take requests for domain.com/store/secure/checkout.php and redirect them accordingly.

Through webmin, you want to configure these as follows:

The first case:

From: /
Status: 301
To: http://www.example.com

The second case:

From: /store/secure/checkout.php
Status: 301
To: http://www.paymesometime.com/

Alternatively, in the “From:” section, you can specify a full URL, similar to the “To:” section, but I would recommend that it is easier to read them if you differentiate the syntax.

As for the entries in your configuration, here is an outline of what’s incorrect:

Incorrect:
Redirect http://kubrick.fruella.com "https://secure3.paymelater.net/csr/default.asp"

Correction:
Redirect 301 http://kubrick.fruella.com "https://secure3.paymelater.net/csr/default.asp"

You have provided a URL to redirect from (you could substitute with “/” in this case, because it’s the base URI). You have specified a URL to redirect to. You have NOT, however, provided a status. If this rule is updated in webmin with a “Status:” of 301, then it will work.

Incorrect:
Redirect http://kubrick "https://secure3.paymelater.net/csr/default.asp"

Correction:
Redirect 301 http://kubrick.fruella.com "https://secure3.paymelater.net/csr/default.asp"

This is incorrect because there is no status and because http://kubrick is not a fully qualified domain name.

Incorrect:
Redirect 301 epay "https://secure3.paymelater.net/fruella/"

Correction:
Redirect 301 / "https://secure3.paymelater.net/fruella/"

All of the parts including From:, To:, and Status: are here, but “epay” is neither a URI (which begins with a “/” character) nor a fully qualified domain name.

Redirects will be evaluated top to bottom, so if you have more than one that matches (such as two that redirect from “/” to another URL) then only the first will be effective, and the second is unnecessary.

This should be enough to get you started with redirects in Apache.

/cs

. . . so I created myip.ozymo.com which does the same thing:

$ curl myip.ozymo.com
64.39.19.8

Sometimes it’s nice to get just the IP returned without all the fluff.

/cs