(   )
                          (    )
                           (    )
                          (    )
                            )  )
                           (  (                  /\
                            (_)                 /  \  /\
                    ________[_]________      /\/    \/  \
           /\      /\        ______    \    /   /\/\  /\/\
          /  \    //_\       \    /\    \  /\/\/    \/    \
   /\    / /\/\  //___\       \__/  \    \/
  /  \  /\/    \//_____\       \ |[]|     \
 /\/\/\/       //_______\       \|__|      \
/      \      /XXXXXXXXXX\                  \
        \    /_I_II  I__I_\__________________\
               I_I|  I__I_____[]_|_[]_____I
               I_II  I__I_____[]_|_[]_____I
               I II__I  I     XXXXXXX     I
            ~~~~~"   "~~~~~~~~~~~~~~~~~~~~~~~~

Mon, 11 Dec 2017

Unix Console Favorites

Jynx and Jandal posted on their favorite programs [0][1][2][3][4][5], and use of the Unix console in particular. I love hearing about how other people work in the console so I can try out new utilities or ways of getting things done.


posted at: 13:42 | path: / | permalink | console, linux, unix

Sun, 14 Sep 2014

Back to Slackware

It's been a while since I updated the phlog/blog. Funny how things like this tend to go in spurts, at least for me. I can write regularly for a while, then lose interest but always come back at some point.

I have an old Thinkpad I use on the rare occasions I travel, I've had Ubuntu on it but grew tired of the breakage after simple updates. The most recent was a complete loss of Network Manager. No idea what happened, but I found out while traveling when I could not attach to any wireless networks. The network-manager applet was gone, and I couldn't connect to even open APs using iwconfig manually. For some strange reason, at boot it would still connect to my home AP automatically. Probably why I never noticed until I had to connect to an outside network.

Anyway, I have very little patience for such bullshit any more, in years past I would have spent days working through a fix, this time I just installed Slackware (I actually first tried to install Trisquel from my FSF member card, but the wireless chipset in my Thinkpad requires non-free drivers). Works like a champ, with zero BS. And I don't have to worry about updates borking the system. In fact, even though 14.1 has been out almost a year, there were only about 20 or so updates (I'm not tracking current, of course). They installed flawlessly.

posted at: 15:32 | path: / | permalink | blog, linux, phlog, slackware, trisquel

Wed, 12 Mar 2014

Adventures of a Sysadmin, Fun With cPanel Edition

Oh, how I loathe cPanel. It completely takes over your Linux servers. Once installed, there is no uninstalling it, it has hooks into every part of the OS. Once infected by the cPanel virus, you must make all changes to the server configuration through cPanel, or cPanel's highly intuitive collection of command line utilities. Everything.

*~*~*~

I have a client for whom I assist in maintaining a cPanel-infected server. He has about 25 hosted accounts, and since cPanel has made it oh-so-easy for him to perform common administrative tasks himself, he felt the need to buy a shell domain just to use as a DNS zone for a handful of other domains - all on the same server (right, it doesn't make sense to me, either). In effect he's only using this dummy zone's NS records to get traffic to the server itself.

*~*~*~

So anyway, the other day he asks me to transfer one of his websites to a new server. No problem, cPanel provides a web-gui just for that! It first backs up the entire account, then, instead of just transferring it, it helpfully compresses it all and transfers the tarball to the new server. Of course, this is his biggest account, with 4GB of website. And holy fuck, this thing is the slowest compression utility I have ever seen, somehow it is gzipping at like 1MB every 20 seconds. It must be using some native perl interface to zlib. I'll let it run, why not? I've got time to kill. Two hours later...sigh, kill the web page, which is spinning aimlessly, kill the backup process. Delete the 270MB partial backup tarball (270MB in 2 hours...). Delve into the cPanel docs for that obscure command line switch not exposed to the web gui that will fix things.

Aha! --skiphomedir. Re-run backup from command line, which now takes 10 seconds. Install it on the new server, another 10 seconds. Rsync the home directory to the new server - a minute or two via a fast LAN connection. Phew.

Now my client says we MUST use the exact same DNS servers for this domain. "Problem," I say. "You're using the nameservers for this domain in six other domains. If we move the nameserver IPs, those other six sites will break. I'll just change the host records for this website to point to the new server...it will take a few seconds." This works, but I guess is not what he wants as it is far too easy. I should have intuited that moving a website meant also moving the DNS server. I change the IPs back, he buys a new domain name, I create a new dummy domain on the new server, and give its zone two NS records that point to...you guessed it, itself. Now he has to change the delegation at the registrar. And create the glue records. And this just became a whole lot harder to undo if there is a problem.

*~*~*~

Ah, cPanel's so-called easyapache. Re-compile apache and PHP, and choose all the addon modules you need. It's easy! Just don't think of using older versions of PHP. Or perhaps the older versions using deprecated functions still in use on a website you just transferred to a new server. Shit.

"Hmm, cPanel has old versions of PHP I can install, they are unsupported, but who cares! Sweet!"

Website now showing a blank page.

Apparently, enabling an old version of PHP as an addon module to easyapache helpfully ignores all other addon modules. I mean, it's old and unsupported, why would you need that pesky GD API?

*~*~*~

posted at: 16:50 | path: / | permalink | cpanel, linux, sysadmin

Mon, 10 Sep 2012

Musings on Network Security

As a sysadmin, I have always thought simplicity should be a key guideline when securing Linux or Unix servers. That sounds rather meaningless by itself, so an example is in order. Anyone who spends time looking at the log files on an internet-facing server or firewall will notice the almost constant barrage of SSH brute-force attacks. SSH is indispensable as a remote administration tool, so it is likely to be installed on every such Linux or Unix system. Some admins like to install automatic analysis and blocking tools (e.g., fail2ban), but I dislike such tools because they are just another way of "enumerating badness" [1]. So I secure SSH with a set of simple changes:

Many admins balk at only allowing SSH from static IP addresses, especially with the prevalence of 'pseudo-static' IP addresses assigned to home cable or DSL modems. But it's not as limiting as you may imagine. Cheap VPS (SDF [2], Linode or AWS) systems routinely come with static IPs, and shell services like SDF offer login servers with static IPs. Agent-forwarding [3] can help make login through intermediate hosts convenient. If you must allow login from anywhere, configure a default-drop firewall and use single-packet authorization (SPA) [4] instead.

Each of these in isolation might not be very effective against a determined attack. But taken together, they provide a very secure environment for SSH. That doesn't preclude a server being compromised through some other network-accessible application, but with these changes SSH itself is quite secure. The idea, of course, is to secure all of your internet-facing applications in similar, simple ways and if possible with a default-drop mindset. Web or Internet applications meant for public consumption are the one exception where default drop just isn't possible. Particularly in those cases, I add outbound filtering to host-based firewall rules. That way, if your shiny new WordPress install is ever compromised (when, not if), you can at least contain the damage.
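One way to express the default-drop firewall, static-IP SSH allowlist and outbound filtering described above is sketched here as an added example; it is not taken from the original post. The addresses, the resolver and the list of public ports are constructed placeholder values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): emit an iptables-restore ruleset
# for a public web server with default-drop policies, SSH limited to static
# admin IPs, and outbound filtering. Addresses are constructed documentation
# values (RFC 5737); replace them with your own.

ADMIN_IPS="192.0.2.10 198.51.100.7"   # static IPs allowed to reach SSH (assumed)
DNS_IP="203.0.113.53"                 # resolver the host may query (assumed)
PUBLIC_TCP="80 443"                   # services meant for public consumption

gen_rules() {
    echo "*filter"
    # Default drop in every direction; only what is listed below passes.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT DROP [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    # Replies belonging to connections that were already allowed.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # SSH: one rule per static source address, never a source-less rule.
    for ip in $ADMIN_IPS; do
        echo "-A INPUT -p tcp -s $ip --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Public services are the one place default drop cannot apply inbound.
    for port in $PUBLIC_TCP; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Outbound: new connections only to the named resolver, so a compromised
    # web application cannot open connections to arbitrary hosts.
    echo "-A OUTPUT -p udp -d $DNS_IP --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A OUTPUT -p tcp -d $DNS_IP --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    # Log what the outbound policy drops; these lines are worth alerting on.
    echo "-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix \"OUT-DROP: \""
    echo "COMMIT"
}

# Count SSH accept rules that lack a source address (should always be 0).
open_ssh_rules() {
    gen_rules | grep -e '--dport 22 ' | grep -c -v -e ' -s ' || true
}

# Print the ruleset only when asked: sh ruleset.sh print | iptables-restore --test
[ "${1:-}" = "print" ] && gen_rules || true
```

Package updates, NTP and any other legitimate outbound traffic need their own explicit OUTPUT rules, and IPv6 needs an equivalent ip6tables ruleset.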

Speaking of disabling PAM authentication, this quote from Patrick Volkerding, the creator of Slackware Linux, is a great example of choosing simplicity:

If you see a security problem reported which depends on PAM, you can be glad you run Slackware. I think a better name for PAM might be SCAM, for Swiss Cheese Authentication Modules, and have never felt that the small amount of convenience it provides is worth the great loss of system security. We miss out on half a dozen security problems a year by not using PAM, but you can always install it yourself if you feel that you're missing out on the fun. (No, don't do that) [5]

It is notable that even today, PAM is not used in Slackware.

posted at: 18:25 | path: / | permalink | linux, networking, pam, security, slackware, ssh, sysadmin, tips

Sun, 18 Mar 2012

WTF is Tracker and Why is it Using All of My Memory?

Recently, I updated my Debian testing XFCE desktop. Nothing unusual there, I've been using Debian for many years and after the gnome3 disaster, have pretty much settled on XFCE. This update brought in a surprise, however. My desktop with 3GB of RAM was sluggish, and 'top' showed I was using all my RAM *and* 500MB of swap. Hmmm...

    slugmax@foo:~$ ps ax -o rss,user,command | sort -nr | head -n 10
    1445784 slugmax /usr/lib/tracker/tracker-miner-fs
    ...

What. The. Fuck. I'd never heard of 'tracker-miner-fs' before, yet here it was soaking up half my RAM. I look to see where this thing is starting.

    slugmax@foo:~$ ack-grep -a tracker /etc/
    /etc/xdg/autostart/tracker-store.desktop
    24:Name[sl]=Shramba tracker
    53:Exec=/usr/lib/tracker/tracker-store
    64:X-GNOME-Bugzilla-Product=tracker

    /etc/xdg/autostart/tracker-miner-fs.desktop
    50:Exec=/usr/lib/tracker/tracker-miner-fs
    ...

So a bloated Gnome utility is being started by my XFCE session manager? Sure enough, checking the XFCE settings reveals the desktop search tool tracker has been set to autostart at login. Here are the packages installed, probably brought in as a "dependency", since I had given Gnome3 a try.

    root@foo:/etc/xdg/autostart# dpkg -l | grep tracker
    ii libtracker-client-0.8-0 metadata database, indexer and search tool - library
    ii libtracker-extract-0.12-0 tracker extractor library
    ii libtracker-miner-0.12-0 tracker data miner library
    ii libtracker-sparql-0.12-0 metadata database, indexer and search tool - library
    ii tracker metadata database, indexer and search tool
    ii tracker-extract metadata database, indexer and search tool - metadata extractors
    ii tracker-gui metadata database, indexer and search tool - GNOME frontends
    ii tracker-miner-evolution metadata database, indexer and search tool - evolution plugin
    ii tracker-miner-fs metadata database, indexer and search tool - filesystem indexer
    ii tracker-utils metadata database, indexer and search tool - commandline tools
    ...

But why was this enabled in XFCE, by default and with no warning? A bit of searching showed some other guy wondering the same thing about his KDE desktop. So lemme get this straight, a bloated Gnome desktop search utility (reminds me of the last bloated desktop search utility from Gnome, called "beagle") is being started with my XFCE desktop session? I stopped using Gnome to get away from these ridiculous, un-customizable and unusable utilities meant for the unwashed masses. GNU findutils and pdfgrep work just fine for me, thanks. Mutt lets me search my email in a myriad of ways. So next time at least ask me if I want this thing.

posted at: 20:36 | path: / | permalink | bloat, debian, desktop search, linux, memory, tracker, wtf

Wed, 06 May 2009

Linux is Boring, or Saved by the Slack

I've always thought that Linux would be less popular with hard-core geeks once it became mainstream - that the initial attraction was Linux's unpolished installation and configuration, how it let you get your "hands dirty". I started with Red Hat Linux back in 1995, and spent many long nights configuring and tweaking to get a usable system. The thrill was in the learning. I've recently found myself bored with Linux, I think mainly for the reason that there is no challenge anymore, no sense of accomplishment. Much of the user experience is now hidden beneath layers of graphical abstraction. I certainly do appreciate this, and use Ubuntu myself on my work boxen, as there are times you just have to get stuff done. But I still like to tweak and fiddle. There are also times when things go wrong, and simplicity rules.


posted at: 14:08 | path: / | permalink | linux, slackware