12.21.06

ZoneEdit Downtime Sucks

Posted in linux, web dev at 8:54 pm by Clinton

I know - emotive title, but zoneedit.com downtime does suck. Yes, I was using their “free” service, but if it doesn’t work it doesn’t matter what the price is. Not working still equals not working.

So, I have been a long time user of ZoneEdit.com, and although the web based interface is clunky (I’m sure it’s someone’s pride and joy, but I’m sorry, it really is poor) and in the past the pages only looked right in IE (it’s better these days…) BUT their reliability was good and their extra features (mail handling etc) were really good. I’ve recommended them to people many times.

Yesterday, one of the sites I host on my server wasn’t working for people. Specifically, email didn’t work. Then everything stopped. Eh? Problem? nslookup couldn’t resolve the domain. After some searching, I confirmed my suspicions with http://www.dnsstuff.com/ which gave me a lovely (exterior) view that the two nameservers were not responding at all.

Zoneedit allocates two (random?) nameservers when you add a zone. (They have many and they are well distributed, as they should ideally be.) Unfortunately (?) the two allocated to that domain happened to be 2 of the 4 that, according to their online network status report, were experiencing “issues”… aka not responding. Yes, that happens sometimes. It’s not a multi-million dollar ecommerce concern. Ok. But… it had been over 24hrs and still not working. Below is a later message when 3 were still not working.

We are currently experiencing issues with NS2.ZONEEDIT.COM, NS3.ZONEEDIT.COM and NS6.ZONEEDIT.COM. We are aware of the situation and our engineers are working diligently to get this resolved.

If reliable DNS service is critical for your site, we recommend logging into your account, clicking on “Nameservers” and purchasing a “tertiary” nameserver. 3 nameservers are exponentially more reliable than 2 nameservers.

So… I waited the day out. Like I said, not a critical site. I’m patient…

Note the advice to purchase a “tertiary” nameserver for “exponentially more reliable” service… urgh, what’s an exponential of zero? ZERO!

Today: still not working. Okay, I thought, I need some working nameservers.

I’ll login to zoneedit and remove the zone and re-add it. I’ll get new nameservers allocated to me (each of the domains I’ve added in the past have different nameservers allocated to them - just as long as ONE of them works I’m happy.) WRONG. Only the first 5 zones (domains) added are free and I’ve used that quota now. If you remove one completely, you’ve still “used” it, so there you go.

Please genie in the bottle… can I have more wishes? :~)

Anyway, I’m not that bitter except that it feels like a ploy to get people to purchase zone credits. I hope it’s not, because it would be much better to just straight up say “we want money now”. I’d consider that. But not some underhanded “oh, sorry. We are diligently working on this…. but buy a nameserver and it will be working again.” Hmm… I wonder if “paid” zones get hosted on the “down” nameservers. I suspect not, but maybe that’s not fair. What I would have liked is a new nameserver for that zone, even temporary. Oh well.

Google time… free DNS service.

I’m now trying http://www.everydns.net and it’s been fine so far. They even have a PHP API if you want to code into that. They do ask for a donation, and after I’ve tried it for a while, I’ll do that.

For some reason I prefer to give everydns.net a donation when zoneedit.com felt like they were trying to squeeze $$ out of me. Maybe I just like conspiracy theories…

11.10.06

Apache 2.2.3 Update - no authz_user Mod eh?

Posted in linux, web dev at 8:46 pm by Clinton

I recently used apt-get upgrade on my Debian server, and that included a new version of apache2 (2.2.3) and suddenly the two uses of .htaccess+htpasswd files I have were broken! (Didn’t break anything but my personal stuff, so it wasn’t the end of the world, but I still wasn’t happy). The apache error.log gave me
... access to / failed, reason: require directives present and no Authoritative handler.
hmm… I thought. :)

Google’d with the error string (how did we solve problems before Google? can’t remember…) and found this post which really helped, but unlike their direct creation of a symlink (ln -s …) I used the a2enmod command to do the trick.
a2enmod authz_user

Then called /etc/init.d/apache2 force-reload (or alternatively apache2ctl restart). I always baby-sit a Debian update, and on the few occasions there’s a problem it’s never been too bad. I’m happy this one didn’t take too long thanks to someone else posting their experience in a forum - I like the ‘net.

04.12.06

Linux Distro: Perfect Match Quiz

Posted in linux, general at 11:53 pm by Clinton

I kind of thought this would be a gimmick, but the questions are actually well thought out (and obviously including feedback from people I think), and the quiz came up with some good information and results. The act of taking the quiz makes you think about the differentiating qualities of linux distros too, which is a nice thing for an informed code monkey to have in mind.

Anyway, why not head over to the “linux distribution chooser” …
www.zegeniestudios.net/ldc/index.php

[Note: I had a slight love show/”perfect match”…”your compatibility rating is”… vision, hence the blog title. Although, knowing what that TV show is dates me… :~)]

10.17.05

sshd lockdown

Posted in linux at 1:30 pm by Clinton

Finally decided that I should lock down my hosts.allow and hosts.deny files on my Debian server to limit the script attacks I’ve been seeing in my log files. For example, here’s an excerpt from my /var/log/auth.log file, pulled out with a nice simple grep 'Illegal' /var/log/auth.log > dump.txt

Oct 17 20:05:50 ### sshd[9802]: Illegal user 1 from ::ffff:218.80.206.142
Oct 17 20:05:52 ### sshd[9804]: Illegal user 2 from ::ffff:218.80.206.142
Oct 17 20:05:56 ### sshd[9806]: Illegal user 3 from ::ffff:218.80.206.142
Oct 17 20:05:58 ### sshd[9808]: Illegal user a from ::ffff:218.80.206.142
Oct 17 20:06:01 ### sshd[9810]: Illegal user aa from ::ffff:218.80.206.142
Oct 17 20:06:07 ### sshd[9812]: Illegal user aaa from ::ffff:218.80.206.142
Oct 17 20:25:28 ### sshd[9853]: Illegal user annette from ::ffff:218.80.206.142
Oct 17 20:25:31 ### sshd[9856]: Illegal user anngret from ::ffff:218.80.206.142
Oct 17 20:25:34 ### sshd[9858]: Illegal user anni from ::ffff:218.80.206.142
Oct 17 20:25:38 ### sshd[9860]: Illegal user annica from ::ffff:218.80.206.142
Oct 17 20:25:40 ### sshd[9862]: Illegal user annick from ::ffff:218.80.206.142
Oct 17 20:25:42 ### sshd[9864]: Illegal user annie from ::ffff:218.80.206.142
Oct 17 20:25:45 ### sshd[9866]: Illegal user annigret from ::ffff:218.80.206.142
Oct 17 20:25:53 ### sshd[9869]: Illegal user annika from ::ffff:218.80.206.142
Oct 17 20:25:56 ### sshd[9871]: Illegal user annik from ::ffff:218.80.206.142
Oct 17 20:26:00 ### sshd[9873]: Illegal user annike from ::ffff:218.80.206.142
Oct 17 20:26:04 ### sshd[9875]: Illegal user annikki from ::ffff:218.80.206.142
Oct 17 20:26:06 ### sshd[9878]: Illegal user annina from ::ffff:218.80.206.142
Oct 17 20:26:09 ### sshd[9880]: Illegal user annita from ::ffff:218.80.206.142
Oct 17 20:26:12 ### sshd[9882]: Illegal user annk!athrin from ::ffff:218.80.206.142

etc…

Not happy Jan.

(Actually, I’m using the Debian package of logcheck which sends me nice reports about what’s going on. You have to set up a few rules to quiet it down when you first set it up, but it’s nice to see what has and hasn’t happened - very nice. Anybody use anything else?)

Now, I had debated using some of the nice responses people have used to counter the increase in this sort of attack. For example sshdfilter by Greg (?) updates iptables when it notes an attack in the log. There are other approaches that use Perl or Bash scripts and modify the hosts.allow and hosts.deny files - also nice.

But then I realised I was heading for overkill - keep it simple methinks.

If I really think about who and what is using my server via sshd, surely it’s better in my case to just deny everyone from accessing my server via sshd unless I specifically allow it. On the few occasions when I’m away, I can easily log in to an accepted machine and ssh across - it’s a nice simple and strong solution for now. Later… we’ll see if I need something else.

I had to look up the man pages (with “pinfo” actually, which I quite like) for “hosts_access” and “hosts_options”. I decided to use the extended “option” syntax so that I could keep all my new additions in the one “hosts.allow” file instead of splitting them across the two. It does mean I’ve actually got both the allow and the deny rules in the “allow” file, but I think that’s better. So, I added some entries like

#allow my local connections inside my firewalled lan
sshd: 192.168.: allow
#other entries i know i need ie work etc.
sshd: my.work.domain.: allow
...
#now deny everyone else who tries! :*p
sshd: ALL: deny

I’ll see how it goes for the next few days… and it’s nice to know there are other solutions out there if I need something with more smarts.
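As an added example (not part of the original post), here is a small Python script that does the two things this post walks through by hand: it counts the “Illegal user” probes per source address in auth.log-style lines, and it evaluates a hosts.allow written in the extended option syntax to show which sources the first-matching rule would admit. The log lines, addresses and the trimmed hosts.allow are constructed for the example, and only the ALL and numeric-prefix client patterns of hosts_access(5) are modelled.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample auth.log lines in the shape of the excerpt above (hostname
# is ### as in the post; the source addresses are documentation ranges).
SAMPLE_AUTH_LOG = """\
Oct 17 20:05:50 ### sshd[9802]: Illegal user 1 from ::ffff:203.0.113.7
Oct 17 20:05:52 ### sshd[9804]: Illegal user annette from ::ffff:203.0.113.7
Oct 17 20:07:01 ### sshd[9820]: Accepted publickey for clinton from 192.168.1.20 port 40022 ssh2
Oct 17 20:08:13 ### sshd[9831]: Illegal user guest from ::ffff:198.51.100.9
"""

# hosts.allow in the extended option syntax the post uses: scanned in order, first match decides.
HOSTS_ALLOW = """\
#allow my local connections inside my firewalled lan
sshd: 192.168.: allow
#now deny everyone else who tries
sshd: ALL: deny
"""

ILLEGAL_RE = re.compile(r"sshd\[\d+\]: Illegal user \S+ from (\S+)")

def illegal_users_by_source(log_text):
    """Count 'Illegal user' probes per source address."""
    counts = Counter()
    for m in ILLEGAL_RE.finditer(log_text):
        # sshd logs IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d); reduce to a.b.c.d
        ip = ipaddress.ip_address(m.group(1))
        counts[str(getattr(ip, "ipv4_mapped", None) or ip)] += 1
    return counts

def parse_hosts_allow(text):
    """Return [(daemon, client_pattern, action)], skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            daemon, client, action = (f.strip() for f in line.split(":", 2))
            rules.append((daemon, client, action.lower()))
    return rules

def client_matches(pattern, ip):
    """hosts_access(5) subset: ALL, or a numeric prefix ending in '.' such as 192.168."""
    if pattern == "ALL":
        return True
    if pattern.endswith(".") and pattern[0].isdigit():
        return ip.startswith(pattern)
    return False  # hostname patterns would need a reverse lookup; not modelled here

def tcpd_decision(rules, daemon, ip):
    """First matching rule decides; None means hosts.deny is consulted next."""
    for rule_daemon, pattern, action in rules:
        if rule_daemon in (daemon, "ALL") and client_matches(pattern, ip):
            return action
    return None
```

Running the probe counts through tcpd_decision shows the point of the rule order: the LAN prefix is admitted by the first rule, and every scanning source falls through to the final ALL: deny.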

09.21.05

Apache2 + VirtualHosts + mod_ssl

Posted in linux at 7:38 pm by Clinton

I’m running Apache2 (on Debian), for several name-based virtual hosts. For a while now I’ve been wanting some of my admin pages to be using https so that I would be happy to allow myself to use them when I’m outside the protected home LAN. (They currently use basic authentication / sessions / passwords, and that’s really safe in the big wide world now isn’t it! :~)

I am already aware that you can only run one https server (on port 443) because the SSL layer doesn’t allow the reuse of an IP/port for different identities the way HTTP 1.1 does. Fine. But I just spent ages getting one https server to run alongside my other existing virtual servers… it should be easy, right? Plenty of docs on the net, right?

Ian Miller has a nice Debian, Apache2 and SSL primer, but it “assumed” some things about “default” files that didn’t match up to my current config or woes.

The apache2-ssl-certificate script is a very nice thing for apache2 certificate setup.

Well, it is easy if you know how - and if I had had better error messages then… but that really was the problem. My incorrect configuration problems were *working* configurations - but not the way I wanted (no https!!!) My precious https:// connections were being handled by my default http virtual host - gurr!
See, there are several flexible variations of virtual host matching/setup - that was the problem. They didn’t match easily to what I wanted to do with a new port specific “virtual” host.

Resources that were some help… (perhaps I should have read more and hacked less to start with…)

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html
http://httpd.apache.org/docs/2.0/vhosts/name-based.html
http://httpd.apache.org/docs/2.0/vhosts/examples.html

So anyway, below is a quick config example that is similar to my final result, and would really have helped me. (It’s one of the apache2 doc examples modified for my virtual hosts + https case). It shows how I tell apache2 to listen on both port 80 and 443, then two examples of virtual (name-based) hosting on port 80, and the all important single (~virtual) host on port 443 that uses mod_ssl. (I’m catching all IPs with * so that a) it’s easier and b) it works for internal and external requests… but that’s another story.)

Listen 80
Listen 443

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
ServerName www.example1.com
DocumentRoot /var/www/example1-80
</VirtualHost>

<VirtualHost *:80>
ServerName www.example2.org
DocumentRoot /var/www/example2-80
</VirtualHost>

<VirtualHost *:443>
# there can be only one domainname certificate on this ip, so forget it.
# ServerName www.example.org
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
DocumentRoot /www/otherdomain-443
</VirtualHost>
...

I’m really beginning to like the way that apache2 is set up on Debian (I don’t know what is Debian specific however). You create sites in /etc/apache2/sites-available/ and if you want to enable them a2ensite myconfigfile creates a symlink into /etc/apache2/sites-enabled for you, and all the symlinks are read in by the main /etc/apache2/apache2.conf file. (I always forget ln syntax otherwise… :-). There is a matching a2dissite to remove sites from being active, and similar a2enmod/a2dismod to add and remove apache2 modules.

I also use the apache2ctl start:restart:stop script (rather than /etc/init.d/apache2 …)

Well, now that i’ve won that battle, I think I’ll probably move my admin status/ tools pages to a different port (ie 447 etc) so that I can leave the standard 443 port for typical *standard* visitors… seeing a strange port number in a url can really mess with less informed and cautious people I suspect.

I love sunrise… staying up with a … “challenge” … is my normal opportunity.

09.19.05

UPS Battery update time

Posted in linux at 1:32 pm by Clinton

That, and I didn’t think my baby would appreciate the self test beeps of complaint. :~)

So, I had to remember what the UPS brand/model was (APC Back-UPS Pro), and then did a bit of a search for suppliers/price. The final three contenders…

  • From the manufacturer’s website http://www.apc.com : $169.99 (US or AUS? +postage?? no thanks)
  • From a company in Sydney called UPS Solutions http://www.upssolutions.com: $134.02 (+postage??) Their online payment form appeared to be http not https… hmm. Better price, but No thanks.
  • Battery World. No info online, but they have a store near me.

So I wandered up to battery world with a printout of the APC battery web page, and basically said “got one of these?” - “yes, i think so. How many do you need” - “one” - “that’s good, we only have one in stock”. $49.95. Yes thanks.

I removed the old battery (you can do a “hot swap” - very cool, erugh.. hot… I had to triple check the manual to be a believer though :) and inserted the new one. Great. However, the UPS firmware still thought it had a dead battery and needed to be told to do a new self test. Bummer. I did find some docs related to doing a reset or test with the apcupsd tools, but didn’t quite figure it out. I used the MS approach and did a complete reboot. Fixed, but so much for my hot swap. It may have fixed itself at the next auto test time, but I was impatient.

Well, one final thing - I really wanted to update the battery date in the EEPROM of the UPS so my reports would be right… and if I’m still using this UPS in a few years I’ll know when it died. As I’ve mentioned before, I use Debian on my server, and I’ve been using the apcupsd package (apt-get install apcupsd == done (almost)) to monitor the power and perform auto warning, test and shutdown as needed. I also have things set up to auto reboot when the power comes on, and that was fun to set up (not) but worth it in geek points to me when I set it up.

Right - back to the date update. I used the “apctest” utility to connect and communicate with the UPS. Only, I needed to stop the monitoring daemon first so that the test util could do its thing.
/etc/init.d/apcupsd stop
Then:

> apctest

2005-09-19 17:18:44 apctest 3.10.18 (21 July 2005) debian
Checking configuration ...
Attached to driver: apcsmart
sharenet.type = DISABLE
cable.type = CUSTOM_SMART

You are using a SMART cable type, so I'm entering SMART test mode
mode.type = BKPRO
Setting up the port ...
Creating the device lock file ...
Hello, this is the apcupsd Cable Test program.
This part of apctest is for testing Smart UPSes.
Please select the function you want to perform.

1) Query the UPS for all known values
2) Perform a Battery Runtime Calibration
3) Abort Battery Calibration
4) Monitor Battery Calibration progress
5) Program EEPROM
6) Enter TTY mode communicating with UPS
7) Quit

I selected 5 to mess with the EEPROM

This is the EEPROM programming section of apctest.
Please select the function you want to perform.

 1) Print EEPROM values
 2) Change Battery date
 3) Change UPS name
 4) Change sensitivity
 5) Change alarm delay
 6) Change low battery warning delay
 7) Change wakeup delay
 8) Change shutdown delay
 9) Change low transfer voltage
10) Change high transfer voltage
11) Change battery return threshold percent
12) Change output voltage when on batteries
13) Change the self test interval
14) Set EEPROM with conf file values
15) Quit

Select function number: 2
Enter new battery date -- DD/MM/YY: 19/09/05

Attempting to update UPS battery date ...
The old UPS battery date is: 03/23/99
The new UPS battery date is: 19/09/05

Done. Well, except I needed to start the monitor again.
/etc/init.d/apcupsd start
Very happy. Now I won’t be bugged with warning emails every 5 hours because of the stuffed battery and I can spend more time on other fun things!

07.26.05

upset raid1

Posted in linux at 2:15 pm by Clinton

Setup:
2 x 80GB ATA HDD
Debian linux, 2.6.8… customised kernel (testing/stable)
Software raid1
ext3

We had 4 power drops last night. My second-hand UPS ($0) ain’t what it used to be… something must have happened. Investigation time.

Going over the logs (/var/log/messages) I saw that the server rebooted fine after the first power failure (5:35 am), and both disks were okay in the array on reboot.

At 6:07am the power fails again, the battery hasn’t charged fully - hard fail. :(

6:09am power returns. Server reboots automatically, and…

md: Autodetecting RAID arrays.
md: autorun ...
md: considering hdc1 ...
md:  adding hdc1 ...
md:  adding hda1 ...
md: created md0
md: bind
md: bind
md: running:
md: kicking non-fresh hda1 from array!
md: unbind
md: export_rdev(hda1)
raid1: raid set md0 active with 1 out of 2 mirrors
md: ... autorun DONE.

“non-fresh” eh? Whatever the hell that means… google time.

long story short.
After checking that the disk was okay with smartctl and hdparm I ended up typing
mdadm --assemble --force /dev/md0 /dev/hda1
and was told to go away because /dev/md0 was already assembled. (Oh yeah. Right.)
So then I used
mdadm -a /dev/md0 /dev/hda1
which worked! and the array started to rebuild the hda1 partition. Then
watch -n 60 cat /proc/mdstat
just to keep track of progress. ~40mins later, all sync’ed. nice.
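Added example, not from the post: a Python parser for /proc/mdstat that reports whether a mirror is running degraded (the kernel’s “active with 1 out of 2 mirrors” situation above) and how far a rebuild has got, which is what the watch loop checks by eye. The two snapshots are constructed; block counts, percentages and speeds are made up.

```python
import re

# Constructed /proc/mdstat snapshots (not from the post): one degraded mirror
# mid-rebuild after mdadm -a, one fully synced. Block counts are made up.
MDSTAT_REBUILDING = """\
Personalities : [raid1]
md0 : active raid1 hda1[2] hdc1[1]
      78123968 blocks [2/1] [_U]
      [=====>...............]  recovery = 27.4% (21406000/78123968) finish=31.7min speed=29812K/sec

unused devices: <none>
"""

MDSTAT_HEALTHY = """\
Personalities : [raid1]
md0 : active raid1 hda1[0] hdc1[1]
      78123968 blocks [2/2] [UU]

unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+) : (\w+) (raid\d+) (.+)$")
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\] \[([U_]+)\]")
PROGRESS_RE = re.compile(r"(recovery|resync|reshape|check) = ([\d.]+)%.*?finish=([\d.]+)min")

def parse_mdstat(text):
    """Return {array_name: info} for every md device in a /proc/mdstat dump."""
    arrays, current = {}, None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            name, state, level, members = m.groups()
            # member tokens look like hda1[2] or hdc1[1](S); keep the device name only
            current = arrays[name] = {"state": state, "level": level,
                                      "members": [d.split("[")[0] for d in members.split()],
                                      "degraded": None, "progress": None}
            continue
        if current is None:
            continue
        s = STATUS_RE.search(line)
        if s:  # "[2/1] [_U]": configured disks, active disks, per-slot status
            current["raid_disks"], current["active_disks"] = int(s.group(1)), int(s.group(2))
            current["degraded"] = "_" in s.group(3) or current["active_disks"] < current["raid_disks"]
        p = PROGRESS_RE.search(line)
        if p:  # (kind, percent done, estimated minutes to finish)
            current["progress"] = (p.group(1), float(p.group(2)), float(p.group(3)))
        if not line.strip():  # blank line ends this array's block
            current = None
    return arrays

def degraded_arrays(text):
    """Names of arrays running with fewer active members than configured."""
    return sorted(n for n, a in parse_mdstat(text).items() if a["degraded"])
```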