Tuesday, November 5, 2013

Debian Squeeze 6.x on HP DL360gen8 not detecting the raid controller

Debian Squeeze cannot detect the RAID controller on an HP ProLiant DL360gen8.
In expert mode, when the installer reports that it cannot detect a hard disk, open a console (Alt+F2, press Enter) and type:
# modprobe -r hpsa
# modprobe hpsa hpsa_allow_any=1
First remove the driver if it is loaded, then load it again with the hpsa_allow_any=1 parameter. Here is the result:
[    1.314375] scsi0 : hpsa
[    1.316649] hpsa 0000:02:00.0: RAID              device c0b0t0l0 added.
[    1.316654] hpsa 0000:02:00.0: Direct-Access     device c0b0t0l1 added.
[    1.316827] scsi 0:0:0:0: RAID              HP       P420i            4.66 PQ: 0 ANSI: 5
[    1.316958] scsi 0:0:0:1: Direct-Access     HP       LOGICAL VOLUME   4.66 PQ: 0 ANSI: 5
Now switch back to the installer (Alt+F1) and retry 'Detect hard disks'. You can now partition your RAID logical volume.

Friday, October 18, 2013

Importing CSV file into django model.

Let's assume that we have the following Django model:
from django.db import models

class Person(models.Model):
    PersonID = models.CharField(max_length=10)
    FirstName = models.CharField(max_length=30)
    LastName = models.CharField(max_length=30)
    Address = models.CharField(max_length=30)

and we have a CSV file with 4 fields on each row that we want to import into our Django database. Here is an example row (the delimiter is !):
1!Nikolay!Hristov!Bulgaria, Gabrovo, Test street 18 
What we need to do is write a view and attach it to a URL (for example http://localhost/import_db/). Here is the view:
from django.http import HttpResponse

def import_db(request):
    # Open the file, split each line on '!' and create one Person per row;
    # rstrip() removes the trailing newline that would otherwise end up in Address.
    with open('/path/to/filename-with-data.csv', 'r') as f:
        for line in f:
            fields = line.rstrip('\r\n').split('!')
            Person.objects.create(
                PersonID=fields[0],
                FirstName=fields[1],
                LastName=fields[2],
                Address=fields[3],
            )
    # A Django view must return a response, otherwise the request fails.
    return HttpResponse('Import finished.')
Now all we have to do is point our browser to http://localhost/import_db/ and wait for the data to be imported.
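Before the rows reach Person.objects.create(), it is worth validating them against the model's limits; the following is an added example (not from the original post) that parses the '!'-delimited lines with the csv module and rejects rows with the wrong field count, empty fields or values longer than the assumed max_length values of the Person model above. Note that the post's own sample row is rejected: its Address is 33 characters, over the field's limit of 30, and a non-strict MySQL would silently truncate it.

```python
import csv
import io

# Field limits mirroring the Person model above (assumption: same max_length values).
FIELD_LIMITS = (("PersonID", 10), ("FirstName", 30), ("LastName", 30), ("Address", 30))
DELIMITER = "!"


def parse_person_rows(text):
    """Parse '!'-delimited rows into dicts ready for Person.objects.create(**row).

    Returns (rows, errors): rows is a list of validated dicts, errors a list of
    (line_number, message) for rejected lines. Nothing is silently truncated.
    """
    rows, errors = [], []
    reader = csv.reader(io.StringIO(text), delimiter=DELIMITER)
    for lineno, fields in enumerate(reader, start=1):
        if not fields:  # blank line
            continue
        if len(fields) != len(FIELD_LIMITS):
            errors.append((lineno, "expected %d fields, got %d" % (len(FIELD_LIMITS), len(fields))))
            continue
        row, problem = {}, None
        for (name, limit), value in zip(FIELD_LIMITS, fields):
            value = value.strip()
            if not value:
                problem = "%s is empty" % name
                break
            if len(value) > limit:
                problem = "%s is %d characters, limit is %d" % (name, len(value), limit)
                break
            row[name] = value
        if problem:
            errors.append((lineno, problem))
        else:
            rows.append(row)
    return rows, errors


# Constructed sample input: line 1 is the post's own example row, line 2 is a
# row that fits every limit, line 3 has a field missing.
SAMPLE = (
    "1!Nikolay!Hristov!Bulgaria, Gabrovo, Test street 18\n"
    "2!Ivan!Petrov!Sofia, Main street 5\n"
    "3!Georgi!Ivanov\n"
)

if __name__ == "__main__":
    rows, errors = parse_person_rows(SAMPLE)
    print("valid rows:", rows)
    print("rejected:", errors)
```

In the view, iterate over the returned rows with Person.objects.create(**row) and report the errors instead of importing blindly; since the view writes to the database on a plain GET, restrict it to staff (for example with Django's staff_member_required decorator).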

Wednesday, September 18, 2013

Qmail starting error "alert: cannot start: unable to open mutex"

If you get this error message when you try to start qmail-send, most probably you are moving qmail from an old installation to a new server.

The problem comes from missing directories (and files): on most distributions they are symlinks, so when you archive the installation the real directories are not transferred.

The directory is /var/qmail/queue and, as you can see from the example below, it is just a symlink to another directory (the example is from the NetBSD qmail package):

# ls -la /var/qmail
drwxr-xr-x   2 root  wheel  512 Sep 18 15:25 .
drwxr-xr-x  26 root  wheel  512 Aug 24 22:11 ..
lrwxr-xr-x   1 root  wheel   24 Jul 16 04:36 alias -> /usr/pkg/etc/qmail/alias
lrwxr-xr-x   1 root  wheel   12 Jul 16 04:36 bin -> /usr/pkg/bin
lrwxr-xr-x   1 root  wheel   34 Jul 16 04:36 boot -> /usr/pkg/share/examples/qmail/boot
lrwxr-xr-x   1 root  wheel   26 Jul 16 04:36 control -> /usr/pkg/etc/qmail/control
lrwxr-xr-x   1 root  wheel   24 Jul 16 04:36 doc -> /usr/pkg/share/doc/qmail
lrwxr-xr-x   1 root  wheel   12 Jul 16 04:36 man -> /usr/pkg/man
lrwxr-xr-x   1 root  wheel   16 Jul 16 04:36 queue -> /var/spool/qmail
lrwxr-xr-x   1 root  wheel   24 Jul 16 04:36 users -> /usr/pkg/etc/qmail/users

So the real directory is "queue -> /var/spool/qmail"; here is the listing of its subdirectories:

# ls -la
drwxr-xr-x  11 qmailq  qmail  512 Sep 18 15:34 .
drwxr-xr-x   8 root    wheel  512 Jul 16 04:36 ..
drwx------   2 qmails  qmail  512 Sep  9 15:11 bounce
drwx------  25 qmails  qmail  512 Jan 19  2008 info
drwx------   2 qmailq  qmail  512 Sep 18 13:55 intd
drwx------  25 qmails  qmail  512 Jan 19  2008 local
drwxr-x---   2 qmailq  qmail  512 Jan 19  2008 lock
drwxr-x---  25 qmailq  qmail  512 Jan 19  2008 mess
drwx------   2 qmailq  qmail  512 Sep 18 13:55 pid
drwx------  25 qmails  qmail  512 Jan 19  2008 remote
drwxr-x---   2 qmailq  qmail  512 Sep 18 13:55 todo


Make sure to transfer this directory to the new server and also chown the directories so they have the correct owners and permissions.

The actual error is caused by the missing file sendmutex, which resides in the /var/spool/qmail/lock/ directory:

# ls -la /var/spool/qmail/lock
total 12
drwxr-x---   2 qmailq  qmail   512 Jan 19  2008 .
drwxr-xr-x  11 qmailq  qmail   512 Sep 18 15:34 ..
-rw-------   1 qmails  qmail     0 Jan 19  2008 sendmutex
-rw-r--r--   1 qmailr  qmail  1024 Sep 16 09:39 tcpto


If this file does not exist, just create it with the following commands (make sure to change the file owner as well):
# touch /var/qmail/queue/lock/sendmutex
# chown qmails:qmail /var/qmail/queue/lock/sendmutex
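As an added check (not from the original post), the following script compares a transferred queue directory against the listing above, assuming the owners and modes shown there, and creates lock/sendmutex with the same mode when it is missing; the half-transferred sample queue it runs on is constructed in a temporary directory.

```python
import grp
import os
import pwd
import stat
import tempfile

# Expected layout of the queue directory, transcribed from the listing above:
# relative path -> (owner, mode). lock/sendmutex is the file qmail-send needs.
EXPECTED = {
    "bounce": ("qmails", 0o700), "info": ("qmails", 0o700), "intd": ("qmailq", 0o700),
    "local": ("qmails", 0o700), "lock": ("qmailq", 0o750), "mess": ("qmailq", 0o750),
    "pid": ("qmailq", 0o700), "remote": ("qmails", 0o700), "todo": ("qmailq", 0o750),
    "lock/sendmutex": ("qmails", 0o600),
}
QUEUE_GROUP = "qmail"


def owner_name(st):
    """User name for a stat result, or the numeric uid if it is unknown on this host."""
    try:
        return pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        return str(st.st_uid)


def check_queue(root):
    """Compare a transferred queue (e.g. /var/spool/qmail) against EXPECTED.

    Returns {'missing': [paths], 'wrong': [(path, owner_found, mode_found)]}.
    """
    result = {"missing": [], "wrong": []}
    for rel in sorted(EXPECTED):
        owner, mode = EXPECTED[rel]
        path = os.path.join(root, rel)
        if not os.path.lexists(path):
            result["missing"].append(rel)
            continue
        st = os.stat(path)
        found = (owner_name(st), stat.S_IMODE(st.st_mode))
        if found != (owner, mode):
            result["wrong"].append((rel, found[0], found[1]))
    return result


def ensure_sendmutex(root):
    """Create lock/sendmutex (mode 0600) when missing, as the post does with
    touch + chown. Ownership is set only when running as root on a host that
    actually has the qmails user and qmail group; returns True if created."""
    path = os.path.join(root, "lock", "sendmutex")
    if os.path.exists(path):
        return False
    os.close(os.open(path, os.O_CREAT | os.O_WRONLY, 0o600))
    if os.geteuid() == 0:
        try:
            uid, gid = pwd.getpwnam("qmails").pw_uid, grp.getgrnam(QUEUE_GROUP).gr_gid
        except KeyError:
            return True  # no qmail accounts here: file created, chown left to the admin
        os.chown(path, uid, gid)
    return True


def make_demo_queue():
    """Constructed sample: a half-transferred queue with only lock/ and todo/."""
    root = tempfile.mkdtemp(prefix="qmail-queue-demo-")
    for d in ("lock", "todo"):
        os.mkdir(os.path.join(root, d), 0o750)
    return root


def demo():
    """Check the sample, create the mutex, check again; returns all three results."""
    root = make_demo_queue()
    before = check_queue(root)["missing"]
    created = ensure_sendmutex(root)
    after = check_queue(root)["missing"]
    return before, created, after


if __name__ == "__main__":
    print(demo())
```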


Saturday, September 7, 2013

TU Gabrovo, KST, problem 7, page 79

KST, Problem (page 79, problem 7):

Write a program that reads a character string and converts its letters: lowercase to uppercase and uppercase to lowercase. The functions isupper, islower, toupper and tolower from ctype.h may be used for this.

Table of identifiers

Name        Description
broiach     Integer variable used as the loop counter
buf[1024]   Buffer for the character string, 1024 bytes in size
p           Pointer needed for the strchr() function
tmp         Temporary variable of type char


Source code of the solution:

/* Author: Nikolay Hristov, 28.08.2013
 * References:
 * - NetBSD Library Functions Manual, NetBSD 4.0, December 24, 2004
 * - The C Programming Language, second edition, Brian Kernighan, Dennis Ritchie,
 *   ZeST Pres publishing, 2004 */

#include <stdio.h>
/* strchr() */
#include <string.h>
/* isupper(), islower(), toupper(), tolower() */
#include <ctype.h>

int main(void){

    int broiach;       /* loop counter */
    char buf[1024];    /* buffer for the input string */
    char *p;           /* pointer needed for the strchr() function */
    char tmp;          /* temporary char variable, passed to isupper()/islower() */

    printf("Въведете текст за конвертиране: ");
    /* read a string from standard input (stdin); fgets stores at most
     * sizeof(buf)-1 = 1023 characters plus the terminating '\0' */
    while(fgets(buf, sizeof(buf), stdin)){
        /* strchr returns a pointer to the character we are looking for.
         * We look for the newline ('\n'); if it is not found, strchr returns NULL.
         * No newline in the string means the line did not fit into buf,
         * i.e. more than 1023 characters were typed before Enter was pressed. */
        if((p = strchr(buf, '\n')) == NULL){
            printf("Въведен е прекалено дълъг низ.\n");
            return 1;
        }

        /* strchr returned a pointer to the newline inside the array;
         * overwrite it with '\0' so that the string ends there. */
        *p = '\0';

        /* print the original string */
        printf("Въведен низ    : %s\n", buf);

        /* initialise the counter */
        broiach = 0;

        /* loop over the whole string until '\0' is reached */
        while(buf[broiach]){
            /* islower/isupper work on a single character, so we walk the
             * string character by character. The cast to unsigned char keeps
             * bytes above 127 (for example UTF-8 encoded Cyrillic) from being
             * passed as negative values, which the ctype functions do not accept. */
            tmp = buf[broiach];

            /* if the character is a lowercase letter ... */
            if(islower((unsigned char)tmp)){
                /* make it an UPPERCASE LETTER. */
                buf[broiach] = (char)toupper((unsigned char)tmp);
            }

            /* if the character is an UPPERCASE LETTER ... */
            if(isupper((unsigned char)tmp)){
                /* MAKE IT A lowercase letter. */
                buf[broiach] = (char)tolower((unsigned char)tmp);
            }

            /* move on to the next character */
            broiach++;
        }

        /* print the converted text */
        printf("Конвертиран низ: %s\n", buf);
        /* wait for the next input */
        printf("Въведете текст за конвертиране: ");
    }
    return 0;
}

Monday, July 22, 2013

NetBSD 6.1 filesystem notes.

The filesystem must not be mounted:
root@farnsworth ~ # umount /disks/disk1
root@farnsworth ~ # umount /disks/disk2
root@farnsworth ~ # file -s /dev/wd1a
/dev/wd1a: Unix Fast File system [v1] (little-endian), last mounted on /disks/disk1, last written at Tue Jul 16 09:38:49 2013, clean flag 1, number of blocks 122096646, number of data blocks 121138363, number of cylinder groups 644, block size 32768, fragment size 4096, minimum percentage of free blocks 5, rotational delay 0ms, disk rotational speed 60rps, TIME optimization
root@farnsworth ~ # file -s /dev/wd2e
/dev/wd2e: Unix Fast File system [v1] (little-endian), last mounted on /disks/disk2, last written at Sat Jul 20 02:00:58 2013, clean flag 1, number of blocks 78142160, number of data blocks 77529094, number of cylinder groups 412, block size 32768, fragment size 4096, minimum percentage of free blocks 5, rotational delay 0ms, disk rotational speed 60rps, TIME optimization
root@farnsworth ~ #
You can also do it with dumpfs:
root@farnsworth ~ # dumpfs -s /dev/wd1a
file system: /dev/rwd1a
format  FFSv1
endian  little-endian
magic   11954           time    Sat Jul 20 02:21:25 2013
superblock location     8192    id      [ 51e514a9 69cdbabc ]
cylgrp  dynamic inodes  4.4BSD  sblock  FFSv2   fslevel 4
nbfree  15140244        ndir    1       nifree  30334972        nffree  18
ncg     644     size    122096646       blocks  121138363
bsize   32768   shift   15      mask    0xffff8000
fsize   4096    shift   12      mask    0xfffff000
frag    8       shift   3       fsbtodb 3
bpg     23699   fpg     189592  ipg     47104
minfree 5%      optim   time    maxcontig 2     maxbpg  8192
symlinklen 60   contigsumsize 2
maxfilesize 0x004002001005ffff
nindir  8192    inopb   256
avgfilesize 16384       avgfpdir 64
sblkno  8       cblkno  16      iblkno  24      dblkno  1496
sbsize  4096    cgsize  32768
csaddr  1496    cssize  12288
cgrotor 0       fmod    0       ronly   0       clean   0x02
wapbl version 0x1       location 2      flags 0x0
wapbl loc0 488401024    loc1 131072     loc2 512        loc3 3
flags   wapbl
fsmnt   /disks/disk1
volname         swuid   0
Differences between FFSv1 and FFSv2

From the newfs man page, -O option:
0    4.3BSD; This option is primarily used to build root file systems that can be understood by older boot ROMs.  This generates an FFSv1 file system with level 1 format.
1    FFSv1; normal Fast File System, level 4 format. Also known as `FFS', `UFS', or `UFS1'.  This is the default.
2    FFSv2; enhanced Fast File System, suited for more than 1 Terabyte capacity.  This is also known as `UFS2'.

From the fsck_ffs man page:

FFS1 level 0 = inode 4.2/4.3BSD static table
FFS1 level 1 = dynamic table
FFS1 level 2 = 32bit UID/GID, compact symlinks
FFS1 level 3 = free segment maps
FFS1 level 4 = FFS2 style superblock (allows WAPBL)
FFS2 level 5 = 64bit addresses, 64bit timestamps, birthtime, ext attributes 
FFSv2 is suitable for large disks (1 TB).

Here is an example of how to change the default percentage of disk space held back from normal users to 1%. The default is 5%, which is too much for large disks.
root@farnsworth ~ # tunefs -m 1 /dev/wd1a
tunefs: tuning /dev/rwd1a
tunefs: minimum percentage of free space changes from 5% to 1%
tunefs: should optimize for space with minfree < 5%


Monday, July 1, 2013

Lotus Domino 8.5 on Linux causing 100% CPU load.


This is a known bug: the platform statistics thread gets caught in an infinite loop. The solution is to edit your notes.ini file and disable platform statistics:

PLATFORM_STATISTICS_DISABLED=1

Restart your server and the 100% CPU load will be gone.

Thursday, June 20, 2013

Using GDM and XDMCP with remote client

How to run an Xorg session on a client machine.

On the server (IP 10.10.10.1) GDM remote connections via XDMCP are disabled by default, so we need to enable them. The configuration file is /etc/gdm/custom.conf (on RHEL/Oracle Linux) or /etc/gdm3/daemon.conf (on Debian). The example is from Oracle Linux 6.4:
# cat /etc/gdm/custom.conf
# GDM configuration storage

[daemon]

[security]

[xdmcp]

[greeter]

[chooser]

[debug]
Add these lines:
# cat /etc/gdm/custom.conf
# GDM configuration storage

[daemon]

[security]
DisallowTCP=false

[xdmcp]
Enable=true

[greeter]

[chooser]

[debug]
GDM must be restarted for this to take effect.

On the client machine start the Xorg server like this (assuming you already have X running on :0):
# X :1 -query 10.10.10.1
This brings the GDM login screen to display :1; you can now log in and work on the client machine as if you were logged in directly on the server, switching between the local and remote X sessions with Alt+Fxx.
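An added audit script (not from the original post) that reads the custom.conf settings above with Python's configparser and reports whether remote access is enabled; it assumes GDM's defaults of XDMCP disabled and DisallowTCP=true for keys that are absent, and lists the ports the enabled settings rely on so they can be compared with the firewall rules. The two sample configs are constructed to match the listings above.

```python
import configparser

# Constructed samples matching the two custom.conf listings above: the stock
# file and the one with the [security]/[xdmcp] lines added.
DEFAULT_CONF = ("# GDM configuration storage\n[daemon]\n\n[security]\n\n[xdmcp]\n\n"
                "[greeter]\n\n[chooser]\n\n[debug]\n")
REMOTE_CONF = ("# GDM configuration storage\n[daemon]\n\n[security]\nDisallowTCP=false\n\n"
               "[xdmcp]\nEnable=true\n\n[greeter]\n\n[chooser]\n\n[debug]\n")


def audit_gdm(conf_text):
    """Effective remote-access settings of a GDM custom.conf.

    Keys that are absent take GDM's defaults (assumed: XDMCP disabled and
    DisallowTCP=true), so the stock file with empty sections means 'local only'.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    xdmcp = cp.getboolean("xdmcp", "Enable", fallback=False)
    disallow_tcp = cp.getboolean("security", "DisallowTCP", fallback=True)
    return {
        "xdmcp_enabled": xdmcp,
        "tcp_listening": not disallow_tcp,
        "remote_access": xdmcp or not disallow_tcp,
    }


def audit_gdm_file(path):
    """Same check for a file on disk, e.g. /etc/gdm/custom.conf."""
    with open(path, "r") as fh:
        return audit_gdm(fh.read())


def expected_listeners(settings, displays=(0,)):
    """Ports the enabled settings rely on, to compare with firewall rules:
    UDP 177 for XDMCP, and TCP 6000+N for each X display once TCP is allowed."""
    ports = []
    if settings["xdmcp_enabled"]:
        ports.append(("udp", 177))
    if settings["tcp_listening"]:
        ports.extend(("tcp", 6000 + d) for d in displays)
    return ports


if __name__ == "__main__":
    for name, text in (("stock", DEFAULT_CONF), ("remote", REMOTE_CONF)):
        settings = audit_gdm(text)
        print(name, settings, expected_listeners(settings, displays=(0, 1)))
```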

Monday, June 3, 2013

Roundcube missing contacts after changing IP address of the server.

If you have a working installation of Roundcube and for some reason change the server's IP address, the result is missing address book entries for all users.

If in the configuration file config/main.inc.php the line:
$rcmail_config['default_host'] = '10.10.200.1';
is changed to some other IP address (for instance 192.168.10.1), the address book entries go missing.

In fact the entries are not missing: Roundcube shows only the entries for the users with the current 'default_host' IP address. This means that you have two entries for each user, with different 'default_host' fields. How to fix it?

First delete all the newly created entries with the new default_host (old: 10.10.200.1, new: 192.168.10.1):
# mysql -u roundcubeuser -proundcubepass
mysql> use roundcube
mysql> delete from users where mail_host='192.168.10.1';
Query OK, 60 rows affected (0.07 sec)
Now change all the remaining entries to the new default_host:
mysql> update users set mail_host='192.168.10.1' where mail_host='10.10.200.1';
Query OK, 105 rows affected (0.08 sec)
Rows matched: 105  Changed: 105  Warnings: 0
Now you have your address book back.
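Before running the DELETE, it pays to see what it would remove; the following added example (not from the original post) models the two Roundcube tables in an in-memory SQLite database, lists the new-host rows with the contacts hanging off each one, and then runs a data-preserving variant of the same migration that goes a step beyond the post: contacts saved under a new-host row are moved to the old-host twin, and users who first logged in after the change (no old-host row) are kept. The users.username/mail_host and contacts.user_id columns are an assumption about the Roundcube schema, and the sample rows are constructed.

```python
import sqlite3

OLD_HOST, NEW_HOST = "10.10.200.1", "192.168.10.1"

# Stand-in for the Roundcube tables (assumption: only the columns this check
# uses; the real schema has many more).
SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, mail_host TEXT);
CREATE TABLE contacts (contact_id INTEGER PRIMARY KEY, user_id INTEGER, name TEXT);
"""

# Constructed sample: alice and bob have rows under both hosts; alice's contacts
# sit on her old row, bob already saved one contact under his new row, and carol
# first logged in after the IP change, so she has a new-host row only.
USERS = [(1, "alice", OLD_HOST), (2, "bob", OLD_HOST), (3, "alice", NEW_HOST),
         (4, "bob", NEW_HOST), (5, "carol", NEW_HOST)]
CONTACTS = [(1, 1, "Alice's friend"), (2, 1, "Alice's dentist"), (3, 4, "Bob's colleague")]


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", CONTACTS)
    return conn


def new_host_rows(conn):
    """What 'delete from users where mail_host=NEW' would remove: (username,
    number of contacts on the row, 1 if an old-host twin exists else 0).
    A non-zero count or a missing twin means the blanket DELETE loses data."""
    return conn.execute("""
        SELECT n.username, COUNT(c.contact_id),
               EXISTS(SELECT 1 FROM users o WHERE o.username = n.username AND o.mail_host = ?)
        FROM users n LEFT JOIN contacts c ON c.user_id = n.user_id
        WHERE n.mail_host = ? GROUP BY n.user_id ORDER BY n.username""",
        (OLD_HOST, NEW_HOST)).fetchall()


def merge_hosts(conn):
    """Data-preserving version of the post's two statements: re-point contacts of
    new-host rows to the old-host twin, drop only twinned new-host rows, rename."""
    params = {"old": OLD_HOST, "new": NEW_HOST}
    conn.execute("""
        UPDATE contacts SET user_id = (
            SELECT o.user_id FROM users o JOIN users n ON n.username = o.username
            WHERE n.user_id = contacts.user_id AND o.mail_host = :old AND n.mail_host = :new)
        WHERE user_id IN (
            SELECT n.user_id FROM users n JOIN users o ON o.username = n.username
            WHERE n.mail_host = :new AND o.mail_host = :old)""", params)
    conn.execute("""
        DELETE FROM users WHERE mail_host = :new
          AND username IN (SELECT username FROM users WHERE mail_host = :old)""", params)
    conn.execute("UPDATE users SET mail_host = :new WHERE mail_host = :old", params)
    conn.commit()


def summary(conn):
    """(username, mail_host, contact count) for every remaining user."""
    return conn.execute("""
        SELECT u.username, u.mail_host, COUNT(c.contact_id)
        FROM users u LEFT JOIN contacts c ON c.user_id = u.user_id
        GROUP BY u.user_id ORDER BY u.username""").fetchall()


def demo():
    """Inspect the sample, migrate it, and return (rows at risk, final state)."""
    conn = open_sample_db()
    at_risk = new_host_rows(conn)
    merge_hosts(conn)
    return at_risk, summary(conn)


if __name__ == "__main__":
    at_risk, final = demo()
    print("new-host rows before:", at_risk)
    print("users after merge:", final)
```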

Wednesday, May 1, 2013

Using $DISPLAY for remote administration.

On an X server you can export your display so that applications start on one server and their interfaces show on another X server. Here is an example of how to do it.

Configuration:

On remote Linux (192.168.10.5):

# export DISPLAY="192.168.10.9:0"

On local Linux (192.168.10.9):

KDM/GDM/XDM on Debian use the option -nolisten tcp by default. You need to remove it to allow the X server to accept connections; the display manager must be restarted afterwards.

# xhost + 192.168.10.5

The next step is to start an application on the remote Linux machine; it will show on your local Linux X server.

# yast2

Wednesday, April 24, 2013

Novell Enterprise Linux Server Install and Migration Notes

Novell NetWare 5.1 to Novell Enterprise Linux (OES2) migration scenario: the idea is to add a new OES2 server to the existing NetWare 5.1 tree, add a replica of the tree, transfer the data files from the storage volumes and then remove the old NetWare 5.1 server.


Notes are for this version of Novell Linux:
# cat /etc/novell-release
Novell Open Enterprise Server 11 (x86_64)
VERSION = 11.1
PATCHLEVEL = 1

Note #1
Updates: you need your registration codes and email address so you can use online updates and install from the online repositories. YaST -> Software Management -> Configuration -> Online Update. This launches a browser and leads you to the Novell site, where you enter your registration email/codes so the server can be authenticated as a licensed one. If everything is OK, the new repositories are added automatically.

Note #2
Time on all servers in the tree must be synchronized. Use the same time server for both servers.

Note #3
If you get an error about the Secure LDAP connection with Novell NetWare 5.x, you need to generate a valid certificate for Secure LDAP on NetWare with the ConsoleOne app.

Note #4
"This user does not have the correct credentials to authenticate to the CIMOM client."
You get this error when trying to add the new server to the existing tree. This is a bug in the installation process: the Unix Config Object, which is needed to map users between eDirectory and Linux/Unix workstations/servers, is not created during installation. The solution is to remove the /etc/nam.conf file and recreate it with namconfig.

# rm -f /etc/nam.conf
# namconfig add -a cn=admin,o=company_ltd -r o=company_ltd -w ou=servers,o=company_ltd -S 192.168.20.5:389 -l 636
Enter the admin(cn=admin,o=company_ltd) password:

namconfig.getSchemaName: schema name = cn=schema
NAM Schema is extended successfully.
NAM Unique id schema is already extended.
uidNumber and gidNumber attribute indices already exist in the LDAP server
Creating the Unix Config object...done.
Creating the Unix Workstation object...done.
Adding the workstation context...done.
Stopping the service 'namcd'...done.
Stopping the service 'nscd'...done.
Starting the service 'namcd'... Done.
Starting the service 'nscd'... Done.
Configure done successfully.
Now you can use iManager to enable users for Linux (Linux User Management -> Enable Users for Linux).

Note #5
Removing the tree
# ndsconfig rm -a cn=adminuser.o=admincontext
Now start YaST and use the OES Installation and Configuration utility to add it to the existing tree.

Note #6
OES Installation and Configuration utility won't start
This is a known bug. Use the command line to start what you need:
# yast edirectory
or you can see which options you have with the command:
# yast --list
Available modules:
add-on
add-on-creator
apparmor
arkmanager
audit-laf
autofs
autoyast
backup
bootloader
ca_mgm
checkmedia
common_cert
dhcp-server
dirinstall
disk
dns-server
dsl
edirectory
fingerprint-reader
.....
You can also use yast2 (graphical interface) in the same way.

Note #7
Adding replica to the newly connected server
Open iManager in a browser, log in to the old server and then add the replica:

Partitions and Replica Management -> Replica View

Enter the tree name (.YourTreeName.) and hit OK. Now you can see your servers and replicas. Use the "Add Replica" button. If you get an error, try running 'ndsrepair' on all servers and then try again.

Note #8
You can use the miggui tool to transfer existing files/services to the new server, but if you have files with names in Cyrillic or some other encoding, created in the old days when nobody cared about encodings, this tool won't work.

Thursday, April 11, 2013

Installing ezmlm on Debian Squeeze with an existing qmail and vpopmail system.

This is a quick explanation of how to install and configure ezmlm-idx on Debian Squeeze on an existing qmail/vpopmail installation.

Since ezmlm-idx is not in an official Debian release we need to build our own deb package. First we add the experimental sources to /etc/apt/sources.list:

deb-src http://ftp.bg.debian.org/debian/ experimental main contrib non-free
Update and fetch the source:
# apt-get update
# apt-get source ezmlm-idx
Install the additional packages needed by ezmlm-idx (if you plan to use it with MySQL/PostgreSQL):
# apt-get install libmysqlclient-dev libpq-dev
There is a Debian-specific bug in this package (probably the reason ezmlm-idx is not in the official release): the path to the qmail-queue program. The path is hardcoded in the file conf-qmail as "/var/lib/qmail" and ezmlm-manage tries to launch qmail-queue from there. The solutions are either to edit the conf-qmail file and change the path to /usr/sbin, or to make a link:
# mkdir /var/lib/qmail
# ln -s /usr/sbin /var/lib/qmail/bin
Now build the package:
# cd ezmlm-idx-7.1.1
# dpkg-buildpackage -uc -rfakeroot
If everything is OK there will be three new deb packages.
# ls -la
total 2232
drwxr-xr-x  3 root root    4096 Apr  8 11:58 .
drwxr-xr-x 10 root root    4096 Apr  8 11:50 ..
drwxr-xr-x  5 root root   24576 Apr  8 11:58 ezmlm-idx-7.1.1
-rw-r--r--  1 root root  104602 Apr  8 11:58 ezmlm-idx-mysql_7.1.1-1~exp0_i386.deb
-rw-r--r--  1 root root  105098 Apr  8 11:58 ezmlm-idx-pgsql_7.1.1-1~exp0_i386.deb
-rw-r--r--  1 root root    5508 Apr  8 11:57 ezmlm-idx_7.1.1-1~exp0.diff.gz
-rw-r--r--  1 root root     837 Apr  8 11:57 ezmlm-idx_7.1.1-1~exp0.dsc
-rw-r--r--  1 root root    2447 Apr  8 11:58 ezmlm-idx_7.1.1-1~exp0_i386.changes
-rw-r--r--  1 root root 1284294 Apr  8 11:58 ezmlm-idx_7.1.1-1~exp0_i386.deb
-rw-r--r--  1 root root  718954 Apr 17  2012 ezmlm-idx_7.1.1.orig.tar.gz
Install it:
# dpkg -i ezmlm-idx_7.1.1-1~exp0_i386.deb
Selecting previously deselected package ezmlm-idx.
(Reading database ... 42574 files and directories currently installed.)
Unpacking ezmlm-idx (from ezmlm-idx_7.1.1-1~exp0_i386.deb) ...
Setting up ezmlm-idx (7.1.1-1~exp0) ...
Processing triggers for man-db ...
#
Now we can make our mailing list. If vpopmail is installed in /home/vpopmail, here is the command to create a new mailing list:

# ezmlm-make /home/vpopmail/domains/lists.example.com/testlist /home/vpopmail/domains/lists.example.com/.qmail-testlist testlist lists.example.com

Change the ownership of the newly created files and directories. Recursing from the domain directory itself also covers the .qmail-testlist dotfile; a '.*' glob must not be used here, because it matches '..' and the recursion would climb out of the directory:

# chown -R vpopmail:vchkpw /home/vpopmail/domains/lists.example.com

This creates the mailing list "testlist" on the domain lists.example.com. You can subscribe by sending mail to testlist-subscribe@lists.example.com. For more information see the ezmlm man pages or send mail to testlist-help@lists.example.com.

Friday, April 5, 2013

The dangers of the DNSSEC protocol, or how www.spamhaus.org was "taken down".

Let's start with a little history... At the end of the 90s the first attack of the DDoS (Distributed Denial of Service) type appeared, which went down in history as the smurf attack. In short: by sending ICMP packets with a spoofed source IP address (the victim's IP) to the broadcast addresses of large networks, the reply traffic towards the victim was multiplied many times over.

Attacks of this type are possible when three factors are present:
  • Use of a stateless protocol in which no feedback is expected, for example ICMP or UDP;
  • Routers along the path to the victim that allow traffic with a forged source IP address;
  • Preferably, some kind of traffic amplification, i.e. the victim receives many times more traffic than the attacker sends.

Since the ICMP smurf attack has long been easy to filter, and new routers by default do not respond to ICMP broadcast queries, this type of attack seemed to have been somewhat forgotten lately.

If we ask which protocol meets the requirements above, one of the core protocols of the Internet immediately comes to mind: DNS. DNS works over both UDP and TCP (you can read more about this in one of my articles: http://geroyblog.blogspot.com/2012/07/dns-1-resolvers-cache.html). Given that DNS cache servers exist by design, it is clear that the DNS protocol also meets the requirement for a traffic amplifier; in this case the amplifiers are the DNS cache servers.
What do I mean?
Let's make a recursive query to some DNS cache server (for example Google Public DNS, 8.8.8.8).

Query for the MX record without using TCP:
# dig mx +notcp google.com @8.8.8.8
With tcpdump running, we see that the query sent is 28 bytes and the reply received is 136 bytes.
11:26:05.900877 PPPoE  [ses 0xbb] IP 192.168.1.76.64805 > 8.8.8.8.53:  26451+ MX? google.com. (28)
11:26:05.945839 PPPoE  [ses 0xbb] IP 8.8.8.8.53 > 192.168.1.76.64805:  26451 5/0/0 MX aspmx.l.google.com. 10, MX alt2.aspmx.l.google.com. 30, MX alt1.aspmx.l.google.com. 20, MX alt3.aspmx.l.google.com. 40, MX alt4.aspmx.l.google.com. 50 (136)
Roughly 4.9x traffic amplification. If we make an ANY query, the reply grows to 546 bytes, and the amplification goes up to 19.5x.
If we replace 192.168.1.76, which is our address, with the "victim's" and send 1 megabyte of queries to Google's public DNS server, the "victim" will receive 19.5 megabytes of traffic. There is amplification, and not a small one, but overall it should not reach the effect of the ICMP smurf attack.

Not so long ago a new extension to the current DNS protocol was proposed, accepted, changed and built upon many times which, according to its creators (mainly isc.org), would solve its security problem.

Since I myself got tangled up reading the RFCs (over 20 of them: http://www.dnssec.net/rfc) that standardise DNSSEC, and my overall opinion is that it is an over-complicated protocol, I will put it briefly.
The idea of DNSSEC is that for every DNS record you have a corresponding cryptographically signed record. This would prevent DNS cache poisoning attacks, provided that the protocol is widely adopted by all operating systems, both server and client software. If we make a query for the MX record, we observe the following effect:

# dig mx +notcp +dnssec isc.org @8.8.8.8

; <<>> DiG 9.4.1-P1 <<>> mx +notcp +dnssec isc.org @8.8.8.8
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27208
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;isc.org.                       IN      MX

;; ANSWER SECTION:
isc.org.                6419    IN      MX      10 mx.pao1.isc.org.
isc.org.                6419    IN      MX      10 mx.ams1.isc.org.
isc.org.                6419    IN      RRSIG   MX 5 2 7200 20130501233249 20130401233249 50012 isc.org. v0fb7TcHcwdjN2XZqSZfogavpS7T1ODK+rau7j1hiMJML2UdSPGpqiwf xyizY5yIcObHmF926xebjOsg1WFPJy85Fdhv/r2uD+Ibzo7QQL3QbQbp FqQlgpZUQHUFU/dpmZswRoZcMlRC4AhpkbsvYic4xbFV6O4z0hpgYUQ9 jgM=

;; Query time: 48 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr  2 11:58:14 2013
;; MSG SIZE  rcvd: 251
Let's query for the ANY records of the isc.org domain:

# dig any +notcp +dnssec isc.org @8.8.8.8

; <<>> DiG 9.4.1-P1 <<>> any +notcp +dnssec isc.org @8.8.8.8
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55327
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 27, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;isc.org.                       IN      ANY

;; ANSWER SECTION:
isc.org.                5644    IN      SOA     ns-int.isc.org. hostmaster.isc.org. 2013040200 7200 3600 24796800 3600
isc.org.                5644    IN      RRSIG   SOA 5 2 7200 20130501233249 20130401233249 50012 isc.org. k/eRQT9zlZu+9HQr3WLl5ZwCAagwbD4cKkbYX7poLGzWFDWbgPC2ZN6J ZmNEQnz6dS4GYiuFX5NiEEyxHAVlpxUz6mdBM21TjHEH6OBqOsyOHMbA RMi9ijCN2coY2X28uhZ/cpcZccTPXQwEIN2PwqILVxbMq31+2bEXUZa5 DOY=
isc.org.                5644    IN      NS      sfba.sns-pb.isc.org.
isc.org.                5644    IN      NS      ams.sns-pb.isc.org.
isc.org.                5644    IN      NS      ns.isc.afilias-nst.info.
isc.org.                5644    IN      NS      ord.sns-pb.isc.org.
isc.org.                5644    IN      RRSIG   NS 5 2 7200 20130501233249 20130401233249 50012 isc.org. opQ2IchpAm1TXFiXBDxCeHwnFDBWzn41PCeoKRpLmLqSGyx867360zSc sBDXtE4Co4Z5IG7S4jUVZd8iXz0Y3CK3FZ/Yd1PD9c3T0Xwjku+HvF8j /h9LrlnFGi40i/4k1vE/5sTb+U4NEYKLowKb/gsoXRgVrgiASKRnAdsw vXg=
isc.org.                5644    IN      A       149.20.64.42
isc.org.                5644    IN      RRSIG   A 5 2 7200 20130501233249 20130401233249 50012 isc.org. Y9xN05o0BP+l2S6wTHlIPbLo8DuBVZOhZZ750IO6nS+3cHZ0XJEa3DzL 2O1gXQW8kCadF4yrLFT5XmBhfDbI94VBzBiYGvZ2vRcjPYtto4O2sxPw NQ+u6e/IcnHIIdueklz1dI8LgLn8+ZwtZ9+CUCRMhjwQtlejbxQEjLBe Gmo=
isc.org.                5644    IN      MX      10 mx.ams1.isc.org.
isc.org.                5644    IN      MX      10 mx.pao1.isc.org.
isc.org.                5644    IN      RRSIG   MX 5 2 7200 20130501233249 20130401233249 50012 isc.org. v0fb7TcHcwdjN2XZqSZfogavpS7T1ODK+rau7j1hiMJML2UdSPGpqiwf xyizY5yIcObHmF926xebjOsg1WFPJy85Fdhv/r2uD+Ibzo7QQL3QbQbp FqQlgpZUQHUFU/dpmZswRoZcMlRC4AhpkbsvYic4xbFV6O4z0hpgYUQ9 jgM=
isc.org.                5644    IN      TXT     "$Id: isc.org,v 1.1791 2013-03-27 00:02:30 ziegast Exp $"
isc.org.                5644    IN      TXT     "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
isc.org.                5644    IN      RRSIG   TXT 5 2 7200 20130501233249 20130401233249 50012 isc.org. qW2z10OjWeBpQ34YhbbluUFK5N8ELTxDXsa3dN1LI+/KEu9F/rzWh+KL ndoq2PsMeznJ6vTFVOSwm+602sIPb++cajgg1+fZAewNAWALJpEYLpYp TgIwbwZo7NoyGo1EUmMjqslFP+2uOgylIl8MHv/+XzbNivBZBNG0n4eQ Rb8=
isc.org.                5644    IN      AAAA    2001:4f8:0:2::d
isc.org.                5644    IN      RRSIG   AAAA 5 2 7200 20130501233249 20130401233249 50012 isc.org. Vj/4QQYtDNPw8oNU3H7lXSIKsQQLSOQiyTq1oYgbCPp4sWcx8RMyW64e 962azK7av5/NqE0c4WSQ2NXN/rBL17U7iwdeFkVO8ZVQSNGp7Kanah8T LCzhpNqcV0Op2PIor1JgcuNXiYLp3b5H0KpAI+Ibue3wzfsr48LYs0D2 7ik=
isc.org.                5644    IN      NAPTR   20 0 "S" "SIP+D2U" "" _sip._udp.isc.org.
isc.org.                5644    IN      RRSIG   NAPTR 5 2 7200 20130501233249 20130401233249 50012 isc.org. pXwjHqeueJk64dm4FJKz7JuwBjaa2CK3zJ4sODtnnsj7yeesTHckfnHk O+DJUVlgXf/GbxQ0tQ1y+qZXjmHKmsjp+oapsmebC9T6pZZwy3EHznQW KLDhhcnbLztyXWMS8o0cDm1uk35YhGvfhLpgMV2grfVaX0WU8VZTLLjq HBI=
isc.org.                2044    IN      NSEC    _adsp._domainkey.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF
isc.org.                2044    IN      RRSIG   NSEC 5 2 3600 20130501233249 20130401233249 50012 isc.org. fg3o/hFWeDIoFMo/pyKRGAz+LiE5f4HTJq6YvunBP/UpRenEFxZhVBxa tTn0v5ZeNq1XzLTm1JWl0yKUVmYwaHDnrH86j35iK+GnJ42UyQo0iv5r PHd6rakaPmMfq+6TK9FP1kUjJDgH/syYDRbSHbaynIBTR2zhpB8Y45xM Xa0=
isc.org.                5644    IN      DNSKEY  256 3 5 BQEAAAABwuHz9Cem0BJ0JQTO7C/a3McR6hMaufljs1dfG/inaJpYv7vH XTrAOm/MeKp+/x6eT4QLru0KoZkvZJnqTI8JyaFTw2OM/ItBfh/hL2lm Cft2O7n3MfeqYtvjPnY7dWghYW4sVfH7VVEGm958o9nfi79532Qeklxh x8pXWdeAaRU=
isc.org.                5644    IN      DNSKEY  257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd
isc.org.                5644    IN      RRSIG   DNSKEY 5 2 7200 20130501230129 20130401230129 12892 isc.org. UFxebBneKnZHasXdUtdD6LsSbso2twRVuVOLuG6sMdfkV2io52GASy/a xIHHAJTOZYHOGyfqCrEKDkTJ3V6e0i9g52B5dy8IsAZY5IaGK4OmcCWr utkqzzBofeLkWP0UqNMc7xZsi6zD4CPqqi1sxT1sb7/fimImTTBJnr44 hcES7tVDttq9Nd0/wc+sSyFo9KIkhPNQgIc/t2SZ0jGJqJOiOnUI3SkH qVAkn+a0Km1cbkqd19JxMEPc+KP1ke4InCQPD+yHS/wWsjeJ2Ajh97vp +1HzivRA9rTRr20P3HrolyVzOPvV8r4n6LXmJDOHRfAnwzq+vnWqNPlE sLO6pQ==
isc.org.                5644    IN      RRSIG   DNSKEY 5 2 7200 20130501230129 20130401230129 50012 isc.org. vxFVIb9MIY4AnMTiADKkAtFo0nwgNh4B2UTSCDF7m5q3S8iJGTlfO3EK PK0ilpinqnHXFWx+k3UiR8eRf7xMPBKONjNA8GdcAZ7XgdPgi2Ri0yOs DXApZLKgByIkc5B976UKJ5wRFR/eGs5Loqby+j6HHpeNRS0v5N2rfbUI 3kU=
isc.org.                5644    IN      SPF     "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
isc.org.                5644    IN      RRSIG   SPF 5 2 7200 20130501233249 20130401233249 50012 isc.org. ZBxS3Pg0D3apDPAbIUcRVTBkIaScqYyWt2jUkeWbSZ4FrEpY4V8ZA2VN vsw/uu5WcAnxu42xOjLqGi0tLbpbcfKu7NnzijgzJcxGaBw3iIJrK9lS htqMysY1F14hn4r3NXzfN9hWps0v7IKPAbnKQHKtcThDjF7hE7S7EbLU gy4=

;; Query time: 48 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr  2 11:54:43 2013
;; MSG SIZE  rcvd: 3064
Here we see that a 36-byte query yields a 3064-byte reply, or 85.1 times more traffic! Now, if the source IP address of the packet is replaced with the victim's and this is done from a botnet of 50,000 zombie computers, can you guess what happens?
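To see where the 28- and 36-byte query sizes come from and to reproduce the multipliers quoted above, here is an added example (not part of the original post) that computes the wire size of a DNS query from the fixed header, the encoded name and the EDNS OPT record that +dnssec adds, and reads the response size from dig's trailer; the sample dig trailer is constructed. The same calculation estimates the exposure of a resolver you operate, which is what response rate limiting and restricting recursion to your own clients address.

```python
import re

DNS_HEADER = 12     # fixed header: id, flags and the four section counts
QUESTION_TAIL = 4   # QTYPE + QCLASS that follow the encoded name
EDNS_OPT_RR = 11    # OPT pseudo-record added by +dnssec: root name + 10 fixed bytes


def encoded_name_len(qname):
    """Wire length of a domain name: a length byte per label, then the root byte."""
    labels = [label for label in qname.strip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def dns_query_size(qname, edns=False):
    """UDP payload of a query for qname, independent of the record type asked for."""
    size = DNS_HEADER + encoded_name_len(qname) + QUESTION_TAIL
    return size + EDNS_OPT_RR if edns else size


def amplification(qname, response_bytes, edns=False):
    """Bytes a resolver returns per byte of query: the multiplier measured above."""
    return response_bytes / dns_query_size(qname, edns)


MSG_SIZE_RE = re.compile(r"^;; MSG SIZE\s+rcvd:\s*(\d+)\s*$", re.M)


def response_size_from_dig(dig_output):
    """Read the response size from dig's trailer line ';; MSG SIZE  rcvd: N'."""
    match = MSG_SIZE_RE.search(dig_output)
    if match is None:
        raise ValueError("no MSG SIZE line found in dig output")
    return int(match.group(1))


# Constructed dig trailer carrying the size seen in the ANY query above.
SAMPLE_DIG_TRAILER = (";; Query time: 48 msec\n"
                      ";; SERVER: 8.8.8.8#53(8.8.8.8)\n"
                      ";; WHEN: Tue Apr  2 11:54:43 2013\n"
                      ";; MSG SIZE  rcvd: 3064\n")

if __name__ == "__main__":
    cases = (("google.com", False, 136), ("google.com", False, 546),
             ("isc.org", True, response_size_from_dig(SAMPLE_DIG_TRAILER)))
    for qname, edns, size in cases:
        print("%s: %d-byte query, %d-byte reply, x%.1f"
              % (qname, dns_query_size(qname, edns), size, amplification(qname, size, edns)))
```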

Overall, the conclusion is that the DNSSEC protocol is by design an excellent traffic amplifier. I recently checked, and it turned out that all the major domains such as .com, .net, .org, .info, etc., as well as the country-code domains (ccTLDs) such as .bg, .ru, .se, etc., are signed and support DNSSEC.
# dig any +dnssec com @8.8.8.8

; <<>> DiG 9.4.1-P1 <<>> any +dnssec com @8.8.8.8
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55969
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;com.                           IN      ANY

;; ANSWER SECTION:
com.                    899     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1364891984 1800 900 604800 86400
com.                    899     IN      RRSIG   SOA 8 1 900 20130409083944 20130402072944 23975 com. ifejuy4CNjIISV4kpWe1jjrwM03nluADb6K43W4px4UWPj0JI8bQ61oN KEs1708MkGIbH9hLehTTEwKEZ0sKj91LXUyiWzIPF/oCjWkX+IeZYCTM tAM1euj+hOiaNiPVtQBChcgaQ0CiJM+DFxrofs/uk0Xcytvxw0MoJwVp DIY=
com.                    21599   IN      NS      j.gtld-servers.net.
com.                    21599   IN      NS      g.gtld-servers.net.
com.                    21599   IN      NS      i.gtld-servers.net.
com.                    21599   IN      NS      k.gtld-servers.net.
com.                    21599   IN      NS      l.gtld-servers.net.
com.                    21599   IN      NS      d.gtld-servers.net.
com.                    21599   IN      NS      c.gtld-servers.net.
com.                    21599   IN      NS      m.gtld-servers.net.
com.                    21599   IN      NS      a.gtld-servers.net.
com.                    21599   IN      NS      h.gtld-servers.net.
com.                    21599   IN      NS      f.gtld-servers.net.
com.                    21599   IN      NS      e.gtld-servers.net.
com.                    21599   IN      NS      b.gtld-servers.net.
com.                    21599   IN      RRSIG   NS 8 1 172800 20130408041926 20130401030926 23975 com. AOYql4O2Zi6v013LUQXSo5K0VuzmfSZzb9Qk/UEAlziHoDUVDvhkceQu 8nseo8PKKJZwhmjhRde5mIuVFfTHIb6Hbv+29UnXhBVguD54I4J7lbRE BEMnJIjrJSs84W8uUgiUsZ4dKuMU0pTXcEonLIfQuUNfltuTifYOOPm+ Mk8=
com.                    21599   IN      DNSKEY  257 3 8 AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVcNcsIszxNFxsB fKNW9JYCYqpik8366LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7evWEm u/6od+2boggPoiEfGNyvNPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPN IwSUyWOZ79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrbTQ0H XvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7ASbqmZN7Z98EGU/Qh 2K/BgUe8Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HDHjRPJ2aywIpK Nnv4oPo/
com.                    21599   IN      DNSKEY  256 3 8 AQPcnY9mVa8t+3ab9SsbKjGh38DXxdCZsL0sCdUEzyj1b3nN9BFLolfM o7PyfRhOw29YvgwHq1wRB2nRWcOpuUZhgZNOxWqLoOu84KR7HtQmY1yZ uSkh9WA6mUDQT+i/7zpUVbtmZqNJm5SuQZFE0hn+N5CMxnXOLOsHJsn6 WvB1sQ==
com.                    21599   IN      RRSIG   DNSKEY 8 1 86400 20130408182533 20130401182033 30909 com. ohJvhu03H5M8PrkIcQDoozJjpokwWKKNfFqUXeU/pdvlY3X63IyJWXTZ 8qBp0lvhYWKHTpmGCCDBTC1X/DO+RXyYZAiQBeh8MVjyW4ZC8gz2/lS7 NTGRHmhCOFjsvYk6WNHy9vUqUomNuDDD9qIAS1HkYCmNGuo/2umLb+zU lsU8gcl6TyZIyepbeuTZQ4rkf+O53yJLngitaAoVCDI+hJE0OWZNAYg0 8AmJyuEZcnYlFUbuqR/SnL5FAfdo7XY9I5y5eJnWRT1YoFFcp6NTwZl8 KLlSLRhfLmIsP8mPGf3inJNnJ79MB6m6aArvo5aXWDhBM4HxbjkRZlO3 +cBu4g==
com.                    21599   IN      TYPE51  \# 5 0100000000
com.                    21599   IN      RRSIG   TYPE51 8 1 86400 20130408041926 20130401030926 23975 com. 2dfpD6RLPMGOM3HrPfvhSAPKb26oCeF0jX6Kd8xrCI3/YhiRJu80ilPA 5mQo9uduxAPHcn0E+G+Vu69PEmlTySbDgjZ6m4TA6LeCx1wEdX+6x7uc Z2ksNVqQBitZnjl+3Fb+ou2ekJjSk8mUjqbsHNtz/4u2nJ4zD1/bkDcc 0Jc=

;; Query time: 326 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr  2 12:06:02 2013
;; MSG SIZE  rcvd: 1528
This brings us to the attack against the anti-spam list spamhaus.org. Since they provided a list of spammer IP addresses distributed via DNS, this attack led to a denial of service for this anti-spam provider. The attack was carried out through numerous DNS open recursive resolvers and the DNSSEC protocol. At the same time, an increase in the spam mail circulating on the internet was observed. This means the attack was coordinated.

What are the defenses against this?
Broadly, DNS queries over UDP should be limited to 512 bytes by the routers along the path. For DNSSEC, only TCP should be used (which would slow down responses, so it is not perfect happiness). Rate-limit UDP queries to port 53 at the firewalls or in the DNS cache server software itself. Filter traffic with spoofed source IP addresses.
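The following is an added example, not code from the original post: it extracts the response size from dig's trailer to compute the amplification factor quoted above, and then applies the rate-limiting idea from the defenses list to a resolver query log, counting per source the UDP queries that produce large answers (ANY, or any query with the DNSSEC OK bit) so that sources over a threshold can be handed to a firewall rule. The query log format is an assumption modelled on BIND's query log (`client IP#port: query: name IN type flags`); the log lines, addresses and threshold are constructed, so adjust `LOG_RE` for the resolver you actually run.

```python
"""Added example, not part of the original post: measure the amplification
the post describes and flag resolver clients that send many ANY / DNSSEC (DO)
queries over UDP. The query log format is an assumption modelled on BIND's
query log; adjust LOG_RE for your resolver."""
import re
from collections import Counter

# Sizes quoted in the post: a 36-byte "isc.org ANY +dnssec" query, 3064-byte reply.
POST_QUERY_BYTES = 36

# Excerpt of the dig output shown in the post (trailer only).
DIG_TRAILER = """\
;; Query time: 48 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr  2 11:54:43 2013
;; MSG SIZE  rcvd: 3064
"""


def rcvd_size(dig_output):
    """Pull the response size out of dig's ';; MSG SIZE  rcvd:' trailer."""
    m = re.search(r";; MSG SIZE\s+rcvd:\s*(\d+)", dig_output)
    return int(m.group(1)) if m else None


def amplification(query_bytes, response_bytes):
    """Bytes received per byte sent, rounded as in the post (36 -> 3064 is 85.1)."""
    return round(response_bytes / query_bytes, 1)


# Constructed sample log (assumption: BIND-style 'client IP#port: query: name IN type flags').
# Flags: '+' recursion desired, 'E' EDNS, 'D' DNSSEC OK (DO bit), 'T' query arrived over TCP.
QUERY_LOG = """\
02-Apr-2013 11:54:43.001 client 192.0.2.10#5353: query: isc.org IN ANY +ED (198.51.100.1)
02-Apr-2013 11:54:43.002 client 192.0.2.10#5353: query: isc.org IN ANY +ED (198.51.100.1)
02-Apr-2013 11:54:43.003 client 192.0.2.10#5353: query: com IN ANY +ED (198.51.100.1)
02-Apr-2013 11:54:43.004 client 192.0.2.10#5353: query: org IN ANY +ED (198.51.100.1)
02-Apr-2013 11:54:43.005 client 192.0.2.10#5353: query: isc.org IN ANY +EDT (198.51.100.1)
02-Apr-2013 11:54:44.100 client 203.0.113.7#40211: query: www.example.com IN A + (198.51.100.1)
02-Apr-2013 11:54:44.200 client 203.0.113.7#40212: query: example.com IN DNSKEY +ED (198.51.100.1)
"""

LOG_RE = re.compile(
    r"client (?P<src>[0-9A-Fa-f.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_log(text):
    """Yield one dict per parsable log line; unrelated lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def udp_amplifier_counts(records):
    """Count, per source, the UDP queries that produce large answers: ANY or DO-flagged.
    TCP queries are ignored: a spoofed source cannot complete the TCP handshake."""
    counts = Counter()
    for r in records:
        if "T" in r["flags"]:
            continue
        if r["qtype"] == "ANY" or "D" in r["flags"]:
            counts[r["src"]] += 1
    return counts


def over_threshold(counts, limit):
    """Sources whose amplifier-query count exceeds the per-window limit."""
    return {src: n for src, n in counts.items() if n > limit}


if __name__ == "__main__":
    size = rcvd_size(DIG_TRAILER)
    print(f"isc.org ANY: {POST_QUERY_BYTES} -> {size} bytes, x{amplification(POST_QUERY_BYTES, size)}")
    suspects = over_threshold(udp_amplifier_counts(parse_query_log(QUERY_LOG)), limit=3)
    for src, n in suspects.items():
        print(f"{src}: {n} UDP ANY/DO queries in window, candidate for rate limiting")
```

In the constructed log the source 192.0.2.10 sends four ANY queries over UDP and one over TCP; only the UDP ones count, which is the same reasoning as the "use TCP for DNSSEC" advice above. A real deployment would feed the per-source counts into the resolver's own response rate limiting or a firewall rule rather than print them.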

The article is also published at: http://www.linux-bg.org/cgi-bin/y/index.pl?page=article&id=games&key=455227892

Monday, March 25, 2013

Hurricane-force wind in Gabrovo - aftermath #2

From Gradishte towards the TV tower along the path.

The TV tower - various things fallen down.

From the tower down the road.

Through the forest downhill. The road is impassable even on foot!

Tuesday, March 19, 2013

Hurricane-force wind in Gabrovo - aftermath.

Here are a few photos of the aftermath of the hurricane of 14.03.2013 in Gabrovo.

The forest above "Petkova Niva"

The "Gradishte" area

The meadow next to "Gorskoto Hanche"

Personally, I have never experienced such a thing.

Tuesday, March 12, 2013

Debian GNU/Linux mounting Novell NetWare volumes

This is an example of mounting Novell NetWare 5.1 partitions with Debian GNU/Linux (in this case unstable with kernel 3.2.0).

First we need the ncpfs package.

# apt-get install ncpfs

Then we need the ncpfs module in the kernel (it comes with the Debian kernel).

# modprobe ncpfs

Novell Context is support.gabrovo.hq
Username is niki
Server IP address is 10.1.42.24
Volume to mount is called - data

# ncpmount -o tcp -S 10.1.42.24 -A 10.1.42.24 -U niki.support.gabrovo.hq -V data /mnt/
Logging into 10.1.42.24 as NIKI.SUPPORT.GABROVO.HQ
Password:
# ls -la /mnt/
total 5
drwxr-xr-x  1 root root  512 Jan  1  1986 .
drwxr-xr-x 24 root root 4096 Mar  7 14:12 ..
dr-xr-xr-x  1 root root  512 Mar 12 13:57 MAN

# df -h
Filesystem                                              Size  Used Avail Use% Mounted on
rootfs                                                  389G   23G  362G   6% /
udev                                                     10M     0   10M   0% /dev
tmpfs                                                   596M  848K  595M   1% /run
/dev/disk/by-uuid/2e00092b-1986-4e86-9887-996ff2949e05  389G  23G  362G   6% /
tmpfs                                                   5.0M     0  5.0M   0% /run/lock
tmpfs                                                   3.4G  172K  3.4G   1% /run/shm
10.1.42.24/NIKI.SUPPORT.GABROVO.HQ                               137G 132G  4.9G  97% /mnt
The mount options and what they mean are as follows:
-o tcp - use TCP (or -o udp)
-S 10.1.42.24 - server name/IP address.
-A 10.1.42.24 - which server to ask for name addresses.
-U niki.support.gabrovo.hq - niki is the user name and support.gabrovo.hq is the context tree.
-V data - name of the volume to mount - "data".

If you did something wrong when mounting, you can clear all your connections to Novell with the following command:

# ncplogout -a

Monday, March 4, 2013

Installing skype on Debian Unstable amd64

Installing Skype on 64-bit Linux is easy, but how to do it is hard to find on the Skype site. Here is what you need to do.

In this case I will show how to install Skype on Debian GNU/Linux Unstable amd64. First download the Skype package from skype.com - Skype for Debian 7.0 (multiarch).

Install it with the following command:

# dpkg -i --force-all skype-debian_4.1.0.20-1_i386.deb

Now you have installed skype but it will not work because of missing libraries. You can see what is missing with the following command:

# ldd `which skype`
        linux-gate.so.1 =>  (0xf7793000)
        libasound.so.2 => not found
        libXv.so.1 => not found
        libXss.so.1 => not found
        librt.so.1 => /lib32/librt.so.1 (0xf776d000)
        libdl.so.2 => /lib32/libdl.so.2 (0xf7769000)
        libX11.so.6 => not found
        libXext.so.6 => not found
        libQtDBus.so.4 => not found
        libQtWebKit.so.4 => not found
        libQtXml.so.4 => not found
        libQtGui.so.4 => not found
        libQtNetwork.so.4 => not found
        libQtCore.so.4 => not found
        libpthread.so.0 => /lib32/libpthread.so.0 (0xf774e000)
        libstdc++.so.6 => not found
        libm.so.6 => /lib32/libm.so.6 (0xf7727000)
        libgcc_s.so.1 => /usr/lib32/libgcc_s.so.1 (0xf770a000)
        libc.so.6 => /lib32/libc.so.6 (0xf75a8000)
        /lib/ld-linux.so.2 (0xf7794000)

As we can see, there are missing libs, and this happens because the Skype deb package is built for the i386 arch and we have amd64.
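As an added example (not from the original post), the script below parses ldd output of the kind shown above: it lists the shared objects the loader could not find and infers from the dynamic loader name whether the binary is i386 or amd64, which is exactly the mismatch behind the "not found" lines. The sample input is the ldd output from the post; `check_binary` runs the real `ldd` and assumes it is on PATH.

```python
"""Added example (not from the original post): parse ldd output to list the
shared objects the loader cannot find and to tell which architecture the
binary was built for."""
import re
import subprocess

# The ldd output shown in the post, reused here as sample input.
SAMPLE_LDD = """\
        linux-gate.so.1 =>  (0xf7793000)
        libasound.so.2 => not found
        libXv.so.1 => not found
        libXss.so.1 => not found
        librt.so.1 => /lib32/librt.so.1 (0xf776d000)
        libdl.so.2 => /lib32/libdl.so.2 (0xf7769000)
        libX11.so.6 => not found
        libXext.so.6 => not found
        libQtDBus.so.4 => not found
        libQtWebKit.so.4 => not found
        libQtXml.so.4 => not found
        libQtGui.so.4 => not found
        libQtNetwork.so.4 => not found
        libQtCore.so.4 => not found
        libpthread.so.0 => /lib32/libpthread.so.0 (0xf774e000)
        libstdc++.so.6 => not found
        libm.so.6 => /lib32/libm.so.6 (0xf7727000)
        libgcc_s.so.1 => /usr/lib32/libgcc_s.so.1 (0xf770a000)
        libc.so.6 => /lib32/libc.so.6 (0xf75a8000)
        /lib/ld-linux.so.2 (0xf7794000)
"""

MISSING_RE = re.compile(r"^\s*(\S+)\s+=>\s+not found\s*$", re.M)


def missing_libs(ldd_output):
    """Sonames that ldd reported as 'not found', in output order."""
    return MISSING_RE.findall(ldd_output)


def binary_arch(ldd_output):
    """Guess the ELF architecture from the glibc dynamic loader ldd resolved.
    /lib/ld-linux.so.2 is the 32-bit loader, ld-linux-x86-64.so.2 the 64-bit one."""
    if "/ld-linux-x86-64.so.2" in ldd_output:
        return "amd64"
    if "/ld-linux.so.2" in ldd_output:
        return "i386"
    return "unknown"


def apt_hint(ldd_output):
    """Say which multiarch suffix the missing libraries' packages need."""
    arch = binary_arch(ldd_output)
    missing = missing_libs(ldd_output)
    if not missing:
        return "all shared libraries resolved"
    return f"{len(missing)} libraries missing; the binary is {arch}, install their packages as pkg:{arch}"


def check_binary(path):
    """Run ldd on a real file (assumes ldd is on PATH) and return its missing sonames."""
    out = subprocess.run(["ldd", path], capture_output=True, text=True, check=False).stdout
    return missing_libs(out)


if __name__ == "__main__":
    for soname in missing_libs(SAMPLE_LDD):
        print("missing:", soname)
    print(apt_hint(SAMPLE_LDD))
```

Running `check_binary("/usr/bin/skype")` after the `apt-get -f install` step below should return an empty list; anything still listed is a library the multiarch step did not pull in.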

We need to add another architecture to apt with the following command:

# dpkg --add-architecture i386
# apt-get update

Now we can install missing libs:

# apt-get -f install

This will download and install the missing i386 libs. Now you can start Skype.

Note: You can install any package for a specific architecture by adding :i386 or :amd64 after the package name: apt-get install tcpdump:i386

Friday, February 1, 2013

Replacing a disk in a 3ware 9650SE SATA-II RAID

Recently I ran into such a controller, a 3ware 9650SE, and since I had no access to its web interface I had to do the rebuild directly from the console. The commands are quite peculiar and long, and so that I don't forget them I decided to write them down here.

The drivers and the utility are downloaded from their site - http://www.3ware.com/support/. The commands are run with the command line tool tw_cli.

# tw_cli info c4

Unit  UnitType  Status         %RCmpl  %V/I/M  Stripe  Size(GB) Cache  AVrfy
------------------------------------------------------------------------------
u0    RAID-1    DEGRADED     0%      -       -       1862.63   OFF    ON    

Port   Status           Unit   Size        Blocks        Serial
---------------------------------------------------------------
p0     OK               u0     1.82 TB     3907029168 JK1181YAJ283BV     
p1     DEVICE-ERROR     u0     1.82 TB     3907029168 WD-WMAY00539006

Where c4 is controller number 4 and u0 = unit 0.

As you can see, the 2nd disk of the RAID-1 is broken.

After we replace the disk, the rebuild process should start by itself. If it doesn't, automatic rebuild is probably not enabled. This is done with the command:

# tw_cli /c4 set autorebuild=on

The current state of the controller can be seen with (the example is from after the rebuild process has finished):

# tw_cli /c4 show
Unit  UnitType  Status         %RCmpl  %V/I/M  Stripe  Size(GB)  Cache  AVrfy
------------------------------------------------------------------------------
u0    RAID-1    OK             -       -       -       1862.63   OFF     ON    

Port   Status           Unit   Size        Blocks        Serial
---------------------------------------------------------------
p0     OK               u0     1.82 TB     3907029168    JK1181YAJ283BV     
p1     OK               u0     1.82 TB     3907029168    5YD31BS0           

As you can see, the cache option is switched off automatically when the RAID is "broken". After the RAID is restored, we can turn caching back on:

# tw_cli /c4/u0 set cache=on
Setting Write Cache Policy on /c4/u0 to [on] ... Done.
 
# tw_cli /c4 show

Unit  UnitType  Status         %RCmpl  %V/I/M  Stripe  Size(GB)  Cache  AVrfy
------------------------------------------------------------------------------
u0    RAID-1    OK             -       -       -       1862.63   ON     ON    

Port   Status           Unit   Size        Blocks        Serial
---------------------------------------------------------------
p0     OK               u0     1.82 TB     3907029168    JK1181YAJ283BV     
p1     OK               u0     1.82 TB     3907029168    5YD31BS0           
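Since the tw_cli output above is the only thing that tells you the array is degraded, it is worth checking it from a script rather than by eye. The following is an added example, not code from the post or from 3ware: it parses the `tw_cli /cN show` unit and port tables and reports units that are not OK, ports with an error status, and units that are OK but still have the write cache off, which is the state the post shows right after the rebuild. The three sample outputs are the ones in the post; the parser assumes the column layout shown there.

```python
"""Added example (not from the original post or 3ware): parse `tw_cli /cN show`
output and turn it into a health report. Column layout assumed as in the post."""

# Sample outputs copied from the post: degraded array, rebuilt with cache off, fully healthy.
DEGRADED_SHOW = """\
Unit  UnitType  Status         %RCmpl  %V/I/M  Stripe  Size(GB) Cache  AVrfy
------------------------------------------------------------------------------
u0    RAID-1    DEGRADED     0%      -       -       1862.63   OFF    ON

Port   Status           Unit   Size        Blocks        Serial
---------------------------------------------------------------
p0     OK               u0     1.82 TB     3907029168 JK1181YAJ283BV
p1     DEVICE-ERROR     u0     1.82 TB     3907029168 WD-WMAY00539006
"""

REBUILT_CACHE_OFF = """\
Unit  UnitType  Status         %RCmpl  %V/I/M  Stripe  Size(GB)  Cache  AVrfy
------------------------------------------------------------------------------
u0    RAID-1    OK             -       -       -       1862.63   OFF     ON

Port   Status           Unit   Size        Blocks        Serial
---------------------------------------------------------------
p0     OK               u0     1.82 TB     3907029168    JK1181YAJ283BV
p1     OK               u0     1.82 TB     3907029168    5YD31BS0
"""

HEALTHY_SHOW = """\
Unit  UnitType  Status         %RCmpl  %V/I/M  Stripe  Size(GB)  Cache  AVrfy
------------------------------------------------------------------------------
u0    RAID-1    OK             -       -       -       1862.63   ON     ON

Port   Status           Unit   Size        Blocks        Serial
---------------------------------------------------------------
p0     OK               u0     1.82 TB     3907029168    JK1181YAJ283BV
p1     OK               u0     1.82 TB     3907029168    5YD31BS0
"""


def parse_tw_cli_show(text):
    """Split the output into its two tables. A blank line ends the current table;
    rows are whitespace-separated, so the variable column spacing does not matter."""
    units, ports, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None
            continue
        if line.startswith("Unit "):
            section = "unit"
            continue
        if line.startswith("Port "):
            section = "port"
            continue
        if line.startswith("-"):
            continue
        f = line.split()
        if section == "unit" and f[0].startswith("u"):
            # u0 RAID-1 DEGRADED 0% - - 1862.63 OFF ON -> cache and verify are the last two columns
            units.append({"unit": f[0], "type": f[1], "status": f[2], "cache": f[-2], "avrfy": f[-1]})
        elif section == "port" and f[0].startswith("p"):
            # p1 DEVICE-ERROR u0 1.82 TB 3907029168 WD-... -> serial is the last column
            ports.append({"port": f[0], "status": f[1], "unit": f[2], "serial": f[-1]})
    return {"units": units, "ports": ports}


def raid_health(text):
    """Human-readable findings; an empty list means every unit and port is OK with cache on."""
    state = parse_tw_cli_show(text)
    problems = []
    for u in state["units"]:
        if u["status"] != "OK":
            problems.append(f"{u['unit']} {u['type']} is {u['status']}")
        elif u["cache"] == "OFF":
            problems.append(f"{u['unit']} is OK but write cache is OFF (re-enable after rebuild)")
    for p in state["ports"]:
        if p["status"] != "OK":
            problems.append(f"{p['port']} (serial {p['serial']}) reports {p['status']}")
    return problems


if __name__ == "__main__":
    for label, sample in (("degraded", DEGRADED_SHOW), ("rebuilt", REBUILT_CACHE_OFF), ("healthy", HEALTHY_SHOW)):
        print(label, raid_health(sample) or "OK")
```

Fed with the live output of `tw_cli /c4 show` (for example via `subprocess.run`), `raid_health` gives a monitoring check that fires both on the DEGRADED / DEVICE-ERROR state that started this post and on the cache-left-off state that is easy to forget after the rebuild.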

That's it...

Saturday, January 12, 2013

How to debug qmail with simscan, clamav and spamassassin

How to debug qmail with simscan, clamav and spamassassin?

Qmail sends the error "451 mail server temporarily rejected message (#4.3.0)" and all messages are rejected, but there is nothing suspicious in the logs. How can this be debugged?

You need to edit your /etc/tcp.smtp and add some debug variables. Normally the file looks like this:

127.0.0.1:allow,RELAYCLIENT="",QMAILQUEUE="/usr/sbin/simscan"
:allow,QMAILQUEUE="/usr/sbin/simscan"

Modify your settings like this:

127.0.0.1:allow,RELAYCLIENT="",QMAILQUEUE="/usr/sbin/simscan"
:allow,SIMSCAN_DEBUG="2",NOP0FCHECK="1",QMAILQUEUE="/usr/sbin/simscan"

Make sure that QMAILQUEUE points to the right path of simscan.
Recompile your /etc/tcp.smtp:

# tcprules /etc/tcp.smtp.cdb /tmp/t.tmp < /etc/tcp.smtp

Now the logs are filled with the needed information and you can debug your problem. Remember to remove the debugging once the problem is solved.

Example debug output:
# tail -f /var/log/qmail/smtpd/current
@4000000050f019b9351afa74 simscan: cdb looking up
@4000000050f019b9351c2f0c simscan: cdb for  found clam=yes,spam=yes,spam_hits=4.9
@4000000050f019b93521b51c simscan: pelookup clam = yes
@4000000050f019b93521b904 simscan: pelookup spam = yes
@4000000050f019b93521c0d4 simscan: pelookup spam_hits = 4.9
@4000000050f019b93521c8a4 simscan: starting: work dir: /var/qmail/simscan/1357912495.891056.16277
@4000000050f019bb13bc6804 simscan: pelookup: called with xxxasd@safds.com
@4000000050f019bb13bc9acc simscan: pelookup: domain is safds.com
@4000000050f019bb13bc9eb4 simscan: cdb looking up safds.com
@4000000050f019bb13bcae54 simscan: pelookup: local part is gxxxx
@4000000050f019bb13bccd94 simscan: cdb looking up xxxasd@safds.com
@4000000050f019bb13bce8ec simscan: pelookup: called with gxxxx@stemo.bg
@4000000050f019bb13bcfc74 simscan: pelookup: domain is stemo.bg
@4000000050f019bb13bd005c simscan: cdb looking up stemo.bg
@4000000050f019bb13bd1bb4 simscan: cdb for stemo.bg found clam=yes,spam=yes,spam_hits=5.7
@4000000050f019bb13bd2f3c simscan: pelookup clam = yes
@4000000050f019bb13bd2f3c simscan: pelookup spam = yes
@4000000050f019bb13bd3324 simscan: pelookup spam_hits = 5.7
@4000000050f019bb13bd46ac simscan: pelookup: local part is gxxxx
@4000000050f019bb13bd46ac simscan: cdb looking up gxxxx@stemo.bg
@4000000050f019bb13c65ecc simscan: calling clamdscan
@4000000050f019c110b86b1c simscan: fatal error executing clamdscan
@4000000050f019c110ba6304 simscan: exit error code: 71
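Two things from this post lend themselves to a small script, added here as an example that is not part of the original post: checking /etc/tcp.smtp for rules that still carry SIMSCAN_DEBUG / NOP0FCHECK after the debugging session (the "remember to remove debugging" step), and pulling the fatal step and exit code out of the simscan log. The exit code 71 in the log is what qmail-smtpd reports back as the "451 mail server temporarily rejected message (#4.3.0)" reply quoted at the top of the post. The sample rules and log lines are the ones shown above; the parser assumes that rule values contain no commas.

```python
"""Added example (not from the original post): parse tcprules-style /etc/tcp.smtp
rules, flag lines that still set simscan debug variables, and extract fatal
errors with their exit codes from a multilog-stamped simscan log."""
import re

DEBUG_VARS = {"SIMSCAN_DEBUG", "NOP0FCHECK"}

# Rules as shown in the post: the normal file and the debugging variant.
NORMAL_RULES = """\
127.0.0.1:allow,RELAYCLIENT="",QMAILQUEUE="/usr/sbin/simscan"
:allow,QMAILQUEUE="/usr/sbin/simscan"
"""

DEBUG_RULES = """\
127.0.0.1:allow,RELAYCLIENT="",QMAILQUEUE="/usr/sbin/simscan"
:allow,SIMSCAN_DEBUG="2",NOP0FCHECK="1",QMAILQUEUE="/usr/sbin/simscan"
"""


def parse_tcp_smtp(text):
    """One dict per rule: line number, address prefix, action and the environment it sets.
    Assumes values contain no commas, which holds for the rules on this page."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, rest = line.partition(":")
        action, *assignments = rest.split(",")
        env = {}
        for item in assignments:
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules.append({"line": n, "prefix": prefix, "action": action, "env": env})
    return rules


def rules_with_debug(rules):
    """Line numbers of rules that still set a debug variable; these must go when debugging is done."""
    return [r["line"] for r in rules if DEBUG_VARS & set(r["env"])]


def queue_paths(rules):
    """Distinct QMAILQUEUE values, so a typo in one rule stands out."""
    return sorted({r["env"]["QMAILQUEUE"] for r in rules if "QMAILQUEUE" in r["env"]})


# Tail of the debug log shown in the post (multilog TAI64N timestamp, then the simscan message).
SIMSCAN_LOG = """\
@4000000050f019bb13c65ecc simscan: calling clamdscan
@4000000050f019c110b86b1c simscan: fatal error executing clamdscan
@4000000050f019c110ba6304 simscan: exit error code: 71
"""

LOG_RE = re.compile(r"^@[0-9a-f]+ simscan: (?P<msg>.*)$")


def simscan_failures(log_text):
    """(fatal message, exit code) pairs. Exit 71 from qmail-queue is what qmail-smtpd
    turns into '451 mail server temporarily rejected message (#4.3.0)'."""
    failures, pending = [], None
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("fatal error"):
            pending = msg
        elif msg.startswith("exit error code:") and pending is not None:
            failures.append((pending, int(msg.rsplit(":", 1)[1])))
            pending = None
    return failures


if __name__ == "__main__":
    rules = parse_tcp_smtp(DEBUG_RULES)
    print("debug still enabled on lines:", rules_with_debug(rules))
    print("QMAILQUEUE paths:", queue_paths(rules))
    print("simscan failures:", simscan_failures(SIMSCAN_LOG))
```

Pointed at the real /etc/tcp.smtp and /var/log/qmail/smtpd/current, `rules_with_debug` is the check to run before the `tcprules` rebuild so that verbose logging does not stay on in production, and `simscan_failures` gives the step that actually failed (here clamdscan) rather than the generic 451 the client sees.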

Wednesday, January 9, 2013

Joomla FTP Layer - permissions and solution

When using commercial hosting with a cPanel interface with Joomla, you can get stuck with a file permissions problem. Errors like these are common:
Warning: Failed to move file!
The problem occurs when uploading and installing modules/templates in the Joomla admin interface. There is a lot of advice out there suggesting you do "chmod 777 somedir" to resolve this problem. This is a BAD solution and should never be used. Here is an explanation of why this happens and how you can fix it without changing permissions.

When you buy hosting you get a username/password for cPanel and an FTP account, which are identical. Installing Joomla on such hosting is not a problem, but when trying to install a template/module in the Joomla admin panel you may see the above error message.

When uploading and installing files from the Joomla admin panel, the uploaded file gets a different owner than your hosting username. The uploaded file is owned by the user that started the Apache web server. On most Linux distributions it is www, www-data, http and so on. So, when uploaded by a different user, the file can't even be deleted by your account and you need to contact the hosting administrator to delete it for you. What you need to do is make Joomla upload files with your hosting username/password. This is done by enabling the FTP layer in the Joomla global configuration tab and filling it with the right data (user/pass/ftp root). This can be done during the Joomla installation process, but it is disabled by default. If you don't do this, the final step of writing configuration.php will fail and you need to save and upload it manually.

How to enable it manually: let's assume that your Joomla installation is at the address http://yousite.com/joomla. If you log in to cPanel you will see that your home directory is something like "/home/username/". The document root of the web server is /home/username/public_html and Joomla is installed in /home/username/public_html/joomla. Here is the configuration.php for the FTP layer:

public $ftp_host = '127.0.0.1'; // change ftp ip address here
public $ftp_port = '21';
public $ftp_user = 'username';
public $ftp_pass = 'password';
public $ftp_root = 'public_html/joomla/';
public $ftp_enable = '1';

This should solve the problem with the user mismatch when uploading modules/templates.
The other option is for the hosting provider to support suPHP, which is a better solution to this problem.
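The ownership mismatch described in this post can be found from a shell account before it bites. The script below is an added example, not part of the post or of Joomla: it walks a Joomla tree and lists files not owned by the hosting account (the ones the web-server user created), and, because configuration.php now holds the FTP password in clear text, it also reports that file when its mode lets group or other users read it. The paths and uids in the constructed sample are invented; `demo` runs the real scan on a temporary directory so it works offline.

```python
"""Added example (not from the original post or Joomla): report files under a
Joomla tree owned by someone other than the hosting account, and flag a
configuration.php that other users can read. Sample paths/uids are constructed."""
import os
import stat
import tempfile


def foreign_owned(entries, expected_uid):
    """entries: iterable of (path, uid). Returns the paths not owned by expected_uid."""
    return [path for path, uid in entries if uid != expected_uid]


def too_open(mode):
    """True when the mode grants read access to group or other."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def scan_tree(root, expected_uid):
    """Walk a real directory. Symlinks are not followed, so a link planted by the web-server
    user cannot make the scan wander outside the tree."""
    entries, findings = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            entries.append((path, st.st_uid))
            if name == "configuration.php" and too_open(st.st_mode):
                findings.append(f"{path}: readable by group/other (mode {oct(st.st_mode & 0o777)})")
    findings += [f"{p}: not owned by uid {expected_uid}" for p in foreign_owned(entries, expected_uid)]
    return findings


# Constructed listing: a module archive left behind by the web-server user (uid 33 is a
# common www-data uid, an assumption) next to a file owned by the hosting account (uid 1000).
SAMPLE_ENTRIES = [
    ("public_html/joomla/tmp/mod_example.zip", 33),
    ("public_html/joomla/index.php", 1000),
    ("public_html/joomla/configuration.php", 1000),
]


def demo():
    """Self-contained run: builds a temporary tree as the current user with a deliberately
    world-readable configuration.php, so exactly one finding (the mode) is expected."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "configuration.php")
        with open(cfg, "w") as f:
            f.write("<?php class JConfig { public $ftp_pass = 'PLACEHOLDER'; }\n")
        os.chmod(cfg, 0o644)
        return scan_tree(root, os.getuid())


if __name__ == "__main__":
    print("constructed listing:", foreign_owned(SAMPLE_ENTRIES, 1000))
    for finding in demo():
        print(finding)
```

Run `scan_tree("/home/username/public_html/joomla", os.getuid())` from the hosting account itself; anything it lists as foreign-owned is what the FTP layer above is meant to prevent, and a configuration.php that is group- or world-readable should get `chmod 600` (or whatever the hosting's suPHP setup requires) because the FTP credentials in it are the same ones that open the cPanel account.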

Thursday, January 3, 2013

Windows 8 settings

The new wonder Windows 8 comes to market with a bang, with an interface worthy of the coolest phone, but with very little functionality for a desktop machine.

Unlike the beta version, in the final release they removed the registry key that allowed restoring the old look with the start menu and all its Windows 7 (for example) functionality.

For this purpose people have gone to the trouble of writing a little program that brings these functionalities back. The program is free and can be downloaded from the Classic Shell project page.

The other thing that annoyed me is the new themes, which are the old ones reworked to look terrible. After enough digging through Google I managed to find a theme pack containing the old Windows classic themes from Win 7/Vista/XP. Download them from here: http://windows8themes.ms/classic-themes-for-windows-8-classic-theme-brick-spruce-and-so-on-total-17-themes/.

It is an archive of files that are extracted into the directory: C:\Windows\Resources\Ease of Access Themes\. They are then available via right click -> Personalize. I use Windows XP Classic.

Overall, Windows 8 is a big dud. I suppose at least Service Pack 2 will have to come out before it becomes usable for everyday work.