<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Ansible Automation Platform and dynamic surveys on Sebastien Wains</title>
    <link>https://blog.wains.be/2026/2026-06-26-ansible-automation-platform-dynamic-surveys/</link>
    <description>Recent content in Ansible Automation Platform and dynamic surveys on Sebastien Wains</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Fri, 26 Jun 2026 00:00:00 +0200</lastBuildDate>
    
	<atom:link href="https://blog.wains.be/2026/2026-06-26-ansible-automation-platform-dynamic-surveys/index.xml" rel="self" type="application/rss+xml" />
    
    
    
    <item>
      <title>Ansible Automation Platform and dynamic surveys</title>
      <link>https://blog.wains.be/2026/2026-06-26-ansible-automation-platform-dynamic-surveys/</link>
      <pubDate>Fri, 26 Jun 2026 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2026/2026-06-26-ansible-automation-platform-dynamic-surveys/</guid>
      <description>As some of you may know, I work for Red Hat as an automation advocate in Belgium and Luxembourg.
My work is to assist customers leveraging automation to achieve their business objectives, and Ansible Automation Platform (AAP) can be instrumental in achieving those goals.
A request I hear from many customers is the desire for dynamic or programmable &amp;ldquo;surveys&amp;rdquo; inside Automation Controller (the REST API and Web UI part of AAP).</description>
    </item>
    
    
    
    
    
    <item>
      <title>Single Sign On with PocketID for your services behind Cloudflare zero trust</title>
      <link>https://blog.wains.be/2026/2026-03-02-cloudflare-zero-trust-pocketid/</link>
      <pubDate>Mon, 02 Mar 2026 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2026/2026-03-02-cloudflare-zero-trust-pocketid/</guid>
      <description>This post is an update on my 2023 post that was using Authentik.
I&amp;rsquo;ve moved away from Authentik because I was probably using 1% of the tool.
I settled on PocketID because I expect it to be simpler to maintain.
Assumptions:
you are already exposing a simple website service.example.com through Cloudflare Zero Trust
this service is currently publicly accessible with no authentication whatsoever
you still have to install PocketID at id.</description>
    </item>
    
    
    
    <item>
      <title>Graphing Shelly temperatures into Grafana</title>
      <link>https://blog.wains.be/2023/2023-12-11-shelly-mqtt-grafana/</link>
      <pubDate>Mon, 11 Dec 2023 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2023/2023-12-11-shelly-mqtt-grafana/</guid>
      <description>I own a Shelly i4 (DC model) that keeps an eye on two door contacts (also known as reed switches), which I augmented with a Shelly Plus Addon that keeps an eye on five DS18B20 temperature sensors.
I use Homebridge so I can see the live state of doors and probes through the Homekit app on my phone.
The problem is Homekit won&amp;rsquo;t provide historical graphs. I&amp;rsquo;d like to know (for example) if temperature went below 0 degrees.</description>
    </item>
    
    
    
    <item>
      <title>Fix Error: cannot re-exec process to join the existing user namespace in Ansible Automation Platform 2</title>
      <link>https://blog.wains.be/2023/2023-01-09-ansible-automation-platform2-error/</link>
      <pubDate>Mon, 09 Jan 2023 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2023/2023-01-09-ansible-automation-platform2-error/</guid>
      <description>I have a lab environment running Ansible Automation Platform 2.3 (AAP) that I use for my customer demos.
At the end of 2022 I stopped the VM for a couple of days.
Today I started my AAP VM as usual. Everything seemed to work except when I tried to run a simple job template.
I got an error &amp;ldquo;cannot re-exec process to join the existing user namespace&amp;rdquo; in the job output.</description>
    </item>
    
    
    
    <item>
      <title>Single Sign On with Authentik for your services behind Cloudflare zero trust</title>
      <link>https://blog.wains.be/2023/2023-01-07-cloudflare-zero-trust-authentik/</link>
      <pubDate>Sat, 07 Jan 2023 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2023/2023-01-07-cloudflare-zero-trust-authentik/</guid>
      <description>Update Dec 25, 2024: steps updated for Authentik release 2024.12.1
Assumptions:
you are already exposing a simple website service.example.com through Cloudflare Zero Trust
this service is currently publicly accessible with no authentication whatsoever
Authentik is already installed (it&amp;rsquo;s really just a .env and a docker-compose.yml) and available at https://auth.example.com (behind Cloudflare too, in my case).
you want to put the service behind an OpenID connect authentication
you want any authenticated Authentik user to access the webpage
You will need to find the name of your Cloudflare team:</description>
    </item>
    
    
    
    <item>
      <title>Generate the JWT (JSON web token) for Shaarli API authentication using Python and Javascript</title>
      <link>https://blog.wains.be/2022/2022-12-18-shaarli-jwt-token/</link>
      <pubDate>Sun, 18 Dec 2022 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2022/2022-12-18-shaarli-jwt-token/</guid>
      <description>Official documentation of Shaarli only gives a PHP example, but I&amp;rsquo;m more of a Python kind of guy.
This is how to generate a JSON web token (JWT) using some Python or Javascript code.
Python
Keep in mind this uses PyJWT (pip install PyJWT) and not jwt.
Replace SHAARLI_API_SECRET accordingly:
#!/usr/bin/python3
import time
import jwt
now = int(time.time())
payload = { &amp;#34;iat&amp;#34; : now }
SHAARLI_API_SECRET = &amp;#34;your shaarli REST API Secret&amp;#34;
SHAARLI_HASH_ALGORITHM = &amp;#34;HS512&amp;#34;
token = jwt.</description>
    </item>
    
    
    
    <item>
      <title>Fix error 1010 when using Cloudflare and Python</title>
      <link>https://blog.wains.be/2022/2022-12-05-fix-error-1010-cloudflare/</link>
      <pubDate>Mon, 05 Dec 2022 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2022/2022-12-05-fix-error-1010-cloudflare/</guid>
      <description>I recently moved from running a VPS in some cloud to running a VM on my home server and exposing it behind Cloudflare tunnels.
Everything was great until I decided to host an instance of Ansible Automation Platform (AAP).
I could reach the UI and API (using Insomnia). Somehow when trying to use the Automation Controller Ansible Collection to manage my AAP, I was getting an interesting error &amp;ldquo;Failed to get token: HTTP Error 403: Forbidden&amp;rdquo; with &amp;ldquo;response: error code: 1010&amp;rdquo;.</description>
    </item>
    
    
    
    <item>
      <title>Create VLANs for your libvirt virtual machines with Ubuntu&#39;s netplan</title>
      <link>https://blog.wains.be/2022/2022-08-30-netplan-vlan-virtual-machines/</link>
      <pubDate>Tue, 30 Aug 2022 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2022/2022-08-30-netplan-vlan-virtual-machines/</guid>
      <description>I work at Red Hat but I happen to run some Ubuntu systems.
Ubuntu has netplan for network management. I have to admit I find it easier than the nmcli or nmtui of Network Manager.
In 2020, I wrote about how to configure VLAN for libvirt virtual machines.
I&amp;rsquo;ll let you go through the 2020 article. The important thing to keep in mind is how a VM can&amp;rsquo;t connect to the host in the same VLAN in this setup.</description>
    </item>
    
    
    
    <item>
      <title>Variable substitution with envsubst</title>
      <link>https://blog.wains.be/2022/2022-07-30-envsubst/</link>
      <pubDate>Sat, 30 Jul 2022 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2022/2022-07-30-envsubst/</guid>
      <description>If you need to generate configuration files quickly based on templates, you can use envsubst to help you.
On Fedora, envsubst is part of the gettext package, which is installed by default.
Let&amp;rsquo;s imagine this template:
- name: $name
  group: core
  url: &amp;#34;https://$name.wains.be/&amp;#34;
  interval: 5m
  conditions:
    - &amp;#34;[STATUS] == 200&amp;#34;
    - &amp;#34;[CERTIFICATE_EXPIRATION] &amp;gt; 48h&amp;#34;
Now export a variable:
export name=blog
Now run envsubst:
$ envsubst &amp;lt; config.yaml
- name: blog
  group: core
  url: &amp;#34;https://blog.</description>
    </item>
    
    
    
    <item>
      <title>Install StackRox on k3s</title>
      <link>https://blog.wains.be/2022/2022-04-02-stackrox-k3s/</link>
      <pubDate>Sat, 02 Apr 2022 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2022/2022-04-02-stackrox-k3s/</guid>
      <description>Tested on k3s 1.22.5.
StackRox was open sourced a couple of days ago! StackRox was acquired in February 2021 by Red Hat (my employer) and we stick to our promise to Open Source communities so we finally contributed the code back to the community.
The project is documented to install on k8s or OpenShift.
I wanted to give the StackRox project a try on my own VPS (running this very blog) but I run k3s on Ubuntu 21.</description>
    </item>
    
    
    
    <item>
      <title>Managing Thunderbolt security on Fedora</title>
      <link>https://blog.wains.be/2022/2022-02-10-thunderbolt-security-management/</link>
      <pubDate>Thu, 10 Feb 2022 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2022/2022-02-10-thunderbolt-security-management/</guid>
      <description>I have a Lenovo t14s and a Dell WD19TB Thunderbolt Dock.
The thunderbolt security level is set to user authorized in the BIOS.
You need to use boltctl to authorize devices.
If you want to authorize the docking you can use:
boltctl list # take note of the uuid of your device
boltctl authorize XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Authorizing won&amp;rsquo;t remember your docking if you unplug and replug it. You would have to authorize again.</description>
    </item>
    
    
    
    <item>
      <title>Fixing fwupdmgr&#39;s UEFI ESP partition not detected or configured on Fedora 34</title>
      <link>https://blog.wains.be/2021/2021-10-17-fedora-efi-fwupgrmgr/</link>
      <pubDate>Sun, 17 Oct 2021 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2021/2021-10-17-fedora-efi-fwupgrmgr/</guid>
      <description>Lenovo Thunderbolt docking stations are terrible
Ever since getting my new Thinkpad t14s, my Lenovo ThinkPad Thunderbolt 3 gen 1 docking (Type 40AC) started acting up on the USB side.
The USB was flapping constantly (keyboard, mouse, camera and DAC attached to a USB switch plugged into the docking). The keyboard was missing keys, the mouse was lagging every other second, etc.
As a workaround, I decided to plug my USB stuff directly into the laptop and move on with life.</description>
    </item>
    
    
    
    <item>
      <title>💻 My Linux desktop environment (2021 update)</title>
      <link>https://blog.wains.be/2021/2021-10-10-my-desktop-environment/</link>
      <pubDate>Sun, 10 Oct 2021 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2021/2021-10-10-my-desktop-environment/</guid>
      <description>Moving from i3wm to bspwm
In December 2019, I wrote about my Linux desktop environment running i3wm.
In May 2021, I changed role at Red Hat, requiring me to present and share my screen a lot more than when I was a consultant.
I started looking at how other tiling window managers were handling things and decided to give bspwm a try.
After some tests I made the move in September, because it is indeed easier to manage windows, I really liked the &amp;ldquo;client&amp;rdquo; (called bspc allowing you to &amp;ldquo;talk&amp;rdquo; to the server component) and it also felt slightly lighter.</description>
    </item>
    
    
    
    <item>
      <title>Spin up a Kubernetes cluster in a couple of minutes on Libvirt using Fedora Cloud images</title>
      <link>https://blog.wains.be/2021/2021-10-10-fedora-cloud-image-k3s/</link>
      <pubDate>Sun, 10 Oct 2021 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2021/2021-10-10-fedora-cloud-image-k3s/</guid>
      <description>There are many lightweight or light enough Kubernetes distributions out there: k0s, k3s, Microk8s, OpenShift CodeReady Containers, Microshift, etc.
Those lightweight distributions are a very inexpensive way to learn Kubernetes or OpenShift, and are a good approach to eventually embrace Enterprise Kubernetes distributions.
In this post I will show how to quickly spin up a virtual machine based on Fedora Cloud Image and install k3s on it. Using cloud images is the fastest way to provision and deprovision virtual machines, which allows you to create, play, break, destroy and respin very quickly.</description>
    </item>
    
    
    
    <item>
      <title>Enable virtual camera in OBS Studio on Fedora</title>
      <link>https://blog.wains.be/2021/2021-10-03-obs-studio-virtual-camera-fedora/</link>
      <pubDate>Sun, 03 Oct 2021 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2021/2021-10-03-obs-studio-virtual-camera-fedora/</guid>
      <description>TESTED ON FEDORA 34 AND 40. PLEASE REPORT SUCCESS OR FAILURE FOR YOUR FEDORA VERSION IN THE COMMENTS
By default on Fedora, when you install the package obs-studio you might not see the &amp;ldquo;Start virtual camera&amp;rdquo; button.
The reason is that OBS is expecting a v4l2loopback module to be loaded.
Installation
In order to do so, you will need to enable rpmfusion repositories for your version of Fedora and install the package &amp;ldquo;v4l2loopback&amp;rdquo;:</description>
    </item>
    
    
    
    <item>
      <title>FRP - an open source alternative to ngrok</title>
      <link>https://blog.wains.be/2021/2021-03-17-frp-alternative-to-ngrok/</link>
      <pubDate>Wed, 17 Mar 2021 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2021/2021-03-17-frp-alternative-to-ngrok/</guid>
      <description>If you want to expose a service from your LAN to the internet and you can&amp;rsquo;t open ports, you can use ngrok, or its open source alternative FRP.
Server
The server will be the middle man between your service and the person visiting.
Install FRP server (called frps).
I installed my instance on Docker using Ansible and the cloverzrg/frps-docker image:
---
- name: frps tunnel server side
  hosts: vps
  gather_facts: false
  become: true
  tasks:
    - name: frps
      docker_container:
        name: tunnel
        image: cloverzrg/frps-docker
        networks:
          - name: UserDefinedBridge
        purge_networks: yes
        restart_policy: &amp;#34;always&amp;#34;
        volumes:
          - /opt/docker/tunnel.</description>
    </item>
    
    
    
    <item>
      <title>Fix crackling sound in Libvirt VM with PulseAudio</title>
      <link>https://blog.wains.be/2021/2021-03-03-fix-crackling-sound-in-libvirt-withpulseaudio/</link>
      <pubDate>Wed, 03 Mar 2021 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2021/2021-03-03-fix-crackling-sound-in-libvirt-withpulseaudio/</guid>
      <description>So I run a Fedora virtual machine on a Libvirt host running in my garage.
I use SPICE and virt-viewer from my laptop in the office to connect to the VM.
Despite the cabled gigabit link, SPICE performances are not optimal.
While I can live with poor full screen video performances in SPICE, I can&amp;rsquo;t stand crackling audio.
The crackling audio was particularly bad when scrolling in a webpage in a browser or any kind of zooming on pictures.</description>
    </item>
    
    
    
    <item>
      <title>Home Assistant &#43; Conbee 2 Zigbee Gateway &#43; Xiaomi Button &#43; Zoneminder &#43; LaMetric &#43; Telegram = a smart 15 euro doorbell</title>
      <link>https://blog.wains.be/2020/2020-12-10-smart-doorbell/</link>
      <pubDate>Thu, 10 Dec 2020 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-12-10-smart-doorbell/</guid>
      <description>So you want a smart doorbell? I have wanted one for a long time.
My expectations:
as open source as possible
notifications on phone and other devices
notified when at home (obviously) but also when not at home
I want a photo of the person, I don&amp;rsquo;t need to see the face in the notification, I only want to be able to tell if that&amp;rsquo;s the postman, the UPS guy, a neighbor or someone else (I can also review Zoneminder footage anyway)
fast, definitely under one second between the press of the button and the notifications
the doorbell should be able to withstand rain
My problems:</description>
    </item>
    
    
    
    <item>
      <title>apcupsd custom script doesn&#39;t work</title>
      <link>https://blog.wains.be/2020/2020-11-12-apcupsd-script-not-running/</link>
      <pubDate>Thu, 12 Nov 2020 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-11-12-apcupsd-script-not-running/</guid>
      <description>By default on a Fedora system running SELinux in enforcing mode, custom scripts won&amp;rsquo;t be able to make any connection through curl, wget or else.
I changed /etc/apcupsd/onbattery to notify me on my Gotify instance, but it was not working when unplugging the UPS.
A quick look in journalctl gives us a pretty good hint:
Nov 12 22:04:47 yo.example.org python3[13500]: SELinux is preventing curl from name_connect access on the tcp_socket port 443.</description>
    </item>
    
    
    
    <item>
      <title>Migrating from false positives of Synology Surveillance Station to Zoneminder and very accurate motion detection and notification</title>
      <link>https://blog.wains.be/2020/2020-10-30-migrating-synology-surveillance-to-zoneminder/</link>
      <pubDate>Fri, 30 Oct 2020 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-10-30-migrating-synology-surveillance-to-zoneminder/</guid>
      <description>Motion without object detection is worthless
I replaced my old Synology DS213j with a Fedora box. I have talked about this in a previous post.
The one thing that held me for a while was Synology&amp;rsquo;s take on home security, called Surveillance Station.
It was holding me from moving to a fully open source alternative, but admittedly Surveillance Station never worked quite well with my outdoor cameras (Eminent EM6360).
I was getting one million false positives a day and just decided to turn off notifications and just record constantly, and check the recording in case of break in.</description>
    </item>
    
    
    
    <item>
      <title>Replacing Synology DS213 with a custom build running Fedora</title>
      <link>https://blog.wains.be/2020/2020-10-07-replacing-synology-with-custom-build/</link>
      <pubDate>Wed, 07 Oct 2020 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-10-07-replacing-synology-with-custom-build/</guid>
      <description>Ever since purchasing a Synology NAS, the Linux admin in me has been frustrated with the limitations and sometimes weird implementations of Synology DSM.
I decided to go back to a fully open and much more manageable system for the sysadmin that I am.
I have a small rack in the garage so I was looking for a small form factor.
Mainboard: Gigabyte B450 I AORUS PRO WIFI ITX
PSU: Be quiet!</description>
    </item>
    
    
    
    <item>
      <title>Configuring VLANs for your Libvirt virtual machines</title>
      <link>https://blog.wains.be/2020/2020-10-05-libvirt-trunk-vlan-vm/</link>
      <pubDate>Mon, 05 Oct 2020 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-10-05-libvirt-trunk-vlan-vm/</guid>
      <description>Previous title was &amp;ldquo;libvirtd with trunk port and VM in VLAN aware bridges&amp;rdquo;.
I use my small home server as a virtualization host running Fedora 32.
It has only one network interface enp8s0.
I have 3 VLANs:
10 home
20 guest
30 work
My NAS sits in VLAN 10 and I wanted to be able to run virtual machines in VLAN 20 and 30 with no tagging done inside the guests VMs.</description>
    </item>
    
    
    
    <item>
      <title>Enable virtualization for AMD Ryzen on Gigabyte mainboard</title>
      <link>https://blog.wains.be/2020/2020-09-30-enable-virtualization-amd-ryzen/</link>
      <pubDate>Wed, 30 Sep 2020 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-09-30-enable-virtualization-amd-ryzen/</guid>
      <description>In BIOS:
choose M.I.T. menu (whatever that stands for)
Advanced CPU Core Settings
SVM (whatever that stands for) Mode to Enabled
Save and exit</description>
    </item>
    
    
    
    <item>
      <title>libvirtd won&#39;t start with --listen option on Fedora</title>
      <link>https://blog.wains.be/2020/2020-09-30-fedora-libvirtd-listen/</link>
      <pubDate>Wed, 30 Sep 2020 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-09-30-fedora-libvirtd-listen/</guid>
      <description>If you have always passed the --listen option under /etc/sysconfig/libvirtd and you can&amp;rsquo;t get libvirt to listen on a recent Fedora install, read on.
Fedora has changed the way to start libvirt in listen mode.
The new way is to not touch /etc/sysconfig/libvirtd at all, and use libvirt socket services: systemctl enable libvirtd-tls.socket; systemctl start libvirtd-tls.socket.
You can keep using the &amp;ldquo;old&amp;rdquo; way by setting --listen in /etc/sysconfig/libvirtd but before running systemctl enable libvirtd.</description>
    </item>
    
    
    
    <item>
      <title>Ansible uri module doesn&#39;t necessarily urlencode variables</title>
      <link>https://blog.wains.be/2020/2020-09-23-ansible-uri-urlencode/</link>
      <pubDate>Wed, 23 Sep 2020 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-09-23-ansible-uri-urlencode/</guid>
      <description>For the longest time I have been using this bit of (kinda incorrect) Ansible code to log into IdM:
- name: Logging in to IPA and store session cookie
  uri:
    url: &amp;#34;{{ ipa_url }}/session/login_password&amp;#34;
    method: POST
    force_basic_auth: yes
    headers:
      Content-Type: &amp;#34;application/x-www-form-urlencoded&amp;#34;
    body: &amp;#39;user={{ username }}&amp;amp;password={{ password }}&amp;#39;
    status_code: 200
    validate_certs: false
  register: login
It turns out, if the password contains a percent character % (such as blah%blah), uri will fail to authenticate.</description>
    </item>
    
    
    
    <item>
      <title>Ansible Automates 2020 EMEA Talk</title>
      <link>https://blog.wains.be/2020/2020-06-10-ansible-automates-emea-2020/</link>
      <pubDate>Wed, 10 Jun 2020 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-06-10-ansible-automates-emea-2020/</guid>
      <description>For readers interested in Ansible, I gave a talk about Ansible and Red Hat Consulting at the Ansible Automates 2020 Event, with my colleagues Anton and Marc.
Ansible Automates is a full day event, and it was virtual this year, as most events.
Our talk was mostly targeted at a business audience (which might not be the dominant audience of this blog :-)).
If you&amp;rsquo;re looking for more technical content, Ansible Automates is packed with great technical sessions.</description>
    </item>
    
    
    
    <item>
      <title>Ultra wide 3440x1440 resolution on a libvirt VM</title>
      <link>https://blog.wains.be/2020/2020-06-08-ultrawide-resolution-libvirt-vm/</link>
      <pubDate>Mon, 08 Jun 2020 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-06-08-ultrawide-resolution-libvirt-vm/</guid>
      <description>I&amp;rsquo;ve been trying to add the new mode for my ultra wide monitor with resolution 3440x1440.
I was getting this error:
X Error of failed request: BadName (named color or font does not exist)
Before my wide screen, I used to configure my VM with QXL drivers.
It turns out QXL won&amp;rsquo;t accept the ultrawide resolution.
Solution
reconfigure your VM with Virtio graphical drivers
execute this script:
#!/bin/bash
DISP=Virtual-1
cvt 3440 1440
# use the values returned by cvt
xrandr --newmode $DISP &amp;#34;3440x1440&amp;#34; 419.</description>
    </item>
    
    
    
    <item>
      <title>Build a search engine for your Hugo website</title>
      <link>https://blog.wains.be/2020/2020-06-02-hugo-search-lunr/</link>
      <pubDate>Tue, 02 Jun 2020 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-06-02-hugo-search-lunr/</guid>
      <description>From Mkdocs to Hugo
I moved this blog from Mkdocs to Hugo just yesterday.
Mkdocs has a great search engine by default but no RSS.
Hugo has RSS built in but no search engine. Some themes provide the search functionality, though.
I like simple stuff and decided to go with Etch theme, which unfortunately is one of those themes with no search engine.
Hugo doesn&amp;rsquo;t have search engine
I decided to investigate my options and discovered that Lunr could help me on the task.</description>
    </item>
    
    
    
    <item>
      <title>Minimal Caddy2 reverse proxy &#43; letsencrypt for your Docker containers</title>
      <link>https://blog.wains.be/2020/2020-05-05-caddy2-reverse-proxy-letsencrypt/</link>
      <pubDate>Tue, 05 May 2020 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-05-05-caddy2-reverse-proxy-letsencrypt/</guid>
      <description>For the demonstration purpose, let&amp;rsquo;s create a container, we can use whoami:
docker run --name whoami --net userbridge containous/whoami
Create the configuration file for Caddy, for example under /opt/docker/caddy/Caddyfile:
{
    # email to use on Let&amp;#39;s Encrypt
    email youremail@example.org
    #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    #debug
}
example.org {
    file_server
}
who.example.org {
    reverse_proxy http://whoami:80
}
Create your Caddy container:
docker run -d -p 80:80 -p 443:443 \
    --name caddy \
    --net userbridge \
    -v /opt/docker/caddy/Caddyfile:/etc/caddy/Caddyfile \
    -v /opt/docker/caddy/data:/data \
    caddy
Caddy should sit in the same network as the container (here userbridge) you want to reverse proxy.</description>
    </item>
    
    
    
    <item>
      <title>Make a regexp redirect in dynamic configuration file with Traefik v2</title>
      <link>https://blog.wains.be/2020/2020-05-04-traefik2-redirect-regex-file/</link>
      <pubDate>Mon, 04 May 2020 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-05-04-traefik2-redirect-regex-file/</guid>
      <description>/etc/traefik/traefik.yml:
[...]
providers:
  file:
    directory: &amp;#34;/etc/traefik/dynamic/&amp;#34;
    watch: true
[...]
/etc/traefik/dynamic/redirect.yml:
http:
  middlewares:
    redir:
      redirectRegex:
        permanent: true
        regex: &amp;#34;http://old.wains.be/(.*)&amp;#34;
        replacement: &amp;#34;https://new.wains.be/${1}&amp;#34;
  routers:
    redir:
      rule: &amp;#34;HostRegexp(`old.wains.be`)&amp;#34;
      entrypoints:
        - http
      middlewares:
        - redir
      tls:
        certresolver: &amp;#34;letsencrypt&amp;#34;
      service: &amp;#34;ThisWillNeverBeUsedButNeedsToBeThere&amp;#34;
  services:
    ThisWillNeverBeUsedButNeedsToBeThere:
      loadBalancer:
        servers:
          - url: &amp;#34;http://127.0.0.1&amp;#34;
As you can notice, we have to declare a dummy service, otherwise the redirect will never work.
NOTE: if your old address used to be served over https, Traefik should have a valid certificate for the URL.</description>
    </item>
    
    
    
    <item>
      <title>A Telegram Chatbot for Kanboard with NodeRED</title>
      <link>https://blog.wains.be/2020/2020-03-20-telegram-chatbot-kanboard/</link>
      <pubDate>Fri, 20 Mar 2020 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-03-20-telegram-chatbot-kanboard/</guid>
      <description>Context
I&amp;rsquo;ve used a number of todo list applications over the years.
I have recently decided to use a simple kanban with three columns (todo/wip/done) as my todo list, and it works wonders.
I self-host a Kanboard instance, so I have full control over my boards.
I no longer depend on a company that could decide to shut down the service overnight (not looking at you, Microsoft [after purchasing Wunderlist]).</description>
    </item>
    
    
    
    <item>
      <title>How to fix the Synology Cloud Sync Unknown error occurs non sense</title>
      <link>https://blog.wains.be/2020/2020-03-10-fix-synology-cloud-sync-unknown-error-occurs/</link>
      <pubDate>Tue, 10 Mar 2020 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-03-10-fix-synology-cloud-sync-unknown-error-occurs/</guid>
      <description>I sync my data from my Seafile instance back to my NAS. Well, when it works.
In the most random fashion, my Synology NAS &amp;ldquo;Cloud Sync&amp;rdquo; enjoys taking a break. And up until now, it seemed impossible to get it back to sync.
You would expect that restarting the app would trigger a resync, but alas, no, it doesn&amp;rsquo;t. We&amp;rsquo;re talking about Synology here, right.
The only option was to unlink and relink stuff, which meant reconfiguring.</description>
    </item>
    
    
    
    <item>
      <title>Node-RED</title>
      <link>https://blog.wains.be/2020/2020-02-25-nodered/</link>
      <pubDate>Tue, 25 Feb 2020 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-02-25-nodered/</guid>
      <description>As per their website: Node-RED is a programming tool for wiring together hardware devices, APIs and online services in new and interesting ways.
With default install, you can wire up API, mostly.
I installed Node-RED on my VPS using their Docker image: https://hub.docker.com/r/nodered/node-red
If you want to use Ansible to deploy your Node-RED (in my case behind Traefik v2):
- name: node
  docker_container:
    name: node
    image: &amp;#39;nodered/node-red:latest&amp;#39;
    networks:
      - name: YOURBRIDGE
    purge_networks: yes
    env:
      TZ: &amp;#34;Europe/Brussels&amp;#34;
    labels:
      ansible: &amp;#34;true&amp;#34;
      traefik.</description>
    </item>
    
    
    
    <item>
      <title>Mkdocs publishing workflow</title>
      <link>https://blog.wains.be/2020/2020-02-17-mkdocs-publishing-workflow/</link>
      <pubDate>Mon, 17 Feb 2020 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-02-17-mkdocs-publishing-workflow/</guid>
      <description>I write articles on my personal computer.
Mkdocs supports Markdown, which has some great advantages:
articles are stored as plain text on disk
the content is indexed making it easy to find content with Alfred/Spotlight/grep
you can grep, sed, awk the hell out of your articles and bring corrections very quickly
can (and should!) be stored in a Git repository
This is my current publication workflow:
I edit articles locally with [Visual Studio Code] (yes, it is an open source Microsoft product, and it is very good)
I commit changes to my [GitHub]
With an Alfred workflow, I automatically connect to my VPS and do:
a &amp;ldquo;git pull&amp;rdquo; to retrieve updates
rebuild the doc (which is served as static files by the HTTP server)</description>
    </item>
    
    
    
    <item>
      <title>Monitor logs live and take actions with swatchdog</title>
      <link>https://blog.wains.be/2020/2020-01-12-swatch-log-monitor/</link>
      <pubDate>Sun, 12 Jan 2020 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2020/2020-01-12-swatch-log-monitor/</guid>
      <description>swatchdog was originally called swatch. I&amp;rsquo;ll call it swatch in this article.
So, swatch is a very simple process that can monitor a log file live, and take actions if a string is found.
It&amp;rsquo;s an ideal situation if you don&amp;rsquo;t have the resources to run a full fledged monitoring solution such as Graylog.
On Fedora, install the package:
sudo dnf install swatch
Create a configuration file .swatchrc, for example:</description>
    </item>
    
    
    
    <item>
      <title>💻 My Linux Desktop Environment</title>
      <link>https://blog.wains.be/2019/2019-12-11-my-linux-desktop-environment/</link>
      <pubDate>Wed, 11 Dec 2019 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2019/2019-12-11-my-linux-desktop-environment/</guid>
      <description>I have used Linux as a desktop environment since about 2006, mostly with Gnome or Cinnamon.
Around 2016 I got bored of the general direction that most desktop environments (&amp;ldquo;DE&amp;rdquo; for short) were taking (what I would call &amp;ldquo;Apple-ization&amp;rdquo;) and decided to tailor, hand craft, optimize and automate my Linux DE.
The aim was by no means to make it sexy, but rather to make it more efficient, distraction-free, fast, favoring keyboard usage, using as much display estate as possible.</description>
    </item>
    
    
    
    <item>
      <title>Ulauncher extension for TPLink HS110 Smart Plugs</title>
      <link>https://blog.wains.be/2019/2019-12-08-ulauncher-tplink/</link>
      <pubDate>Sun, 08 Dec 2019 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2019/2019-12-08-ulauncher-tplink/</guid>
      <description>I have ordered a TPLink HS110 Smart Plug to test how it compares to my aging Wemo plugs.
They are super straight forward, reliable and they don&amp;rsquo;t hiss like some Wemos can do.
I have created an extension for Ulauncher that lets me manage my plug.
It is available at https://ext.ulauncher.io/-/github-sebw-ulauncher-tplink-smartplug</description>
    </item>
    
    
    
    <item>
      <title>Freeipa Authentication Failure in AD Trust setup</title>
      <link>https://blog.wains.be/2019/2019-12-05-freeipa-authentication-failure-upn/</link>
      <pubDate>Thu, 05 Dec 2019 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2019/2019-12-05-freeipa-authentication-failure-upn/</guid>
      <description>Problem:
Authentication fails for AD users on a RHEL system in a Freeipa/AD trusted environment.
The following errors can be found in the logs:
Cannot find KDC for realm &amp;quot;EXAMPLE.COM&amp;quot; in /var/log/sssd/krb5_child.log
Backend is marked offline, retry later! in /var/log/sssd/sssd_$domain.log
pam_unix(sssd:auth): authentication failure in /var/log/secure
Assumptions and context:
AD domain: example.org
Freeipa domain: linux.example.org
AD User: test
userPrincipalName (UPN) for &amp;ldquo;test&amp;rdquo;: firstname.lastname@example.com &amp;lt;&amp;mdash; UPN domain example.com is different than example.org!!!
Connection to RHEL client with: ssh test@example.</description>
    </item>
    
    
    
    <item>
      <title>i3 - making Firefox full screen inside its i3 container</title>
      <link>https://blog.wains.be/2019/2019-11-13-full-screen-firefox-i3-container/</link>
      <pubDate>Wed, 13 Nov 2019 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2019/2019-11-13-full-screen-firefox-i3-container/</guid>
      <description>Problem
So if you press F11 in Firefox, by default it goes 100% full screen.
If you want to put Firefox in an i3 workspace shared with other applications and make Firefox &amp;ldquo;full screen&amp;rdquo; inside its container, as presented below:
Solution
In Firefox, in the URL bar type about:config.
Then change:
full-screen-api.ignore-widgets: true </description>
    </item>
    
    
    
    <item>
      <title>Block DNS ANY queries in Docker iptables</title>
      <link>https://blog.wains.be/2019/2019-04-17-docker-iptables-block-dns-any/</link>
      <pubDate>Wed, 17 Apr 2019 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2019/2019-04-17-docker-iptables-block-dns-any/</guid>
      <description>You can use the DOCKER-USER chain to pass any custom iptables rules you want.
In my case, I run a DNS resolver publicly and want to prevent it from being abused in DNS amplification attacks.
I use the following:
iptables -I DOCKER-USER -p udp --dport 53 -m string --hex-string &amp;#34;|0000FF0001|&amp;#34; --algo bm --from 40 -j DROP
iptables -I DOCKER-USER -p tcp --dport 53 -m string --hex-string &amp;#34;|0000FF0001|&amp;#34; --algo bm --from 52 -j DROP </description>
    </item>
    
    
    
    <item>
      <title>Record your terminal with asciinema</title>
      <link>https://blog.wains.be/2019/2019-04-17-record-terminal/</link>
      <pubDate>Wed, 17 Apr 2019 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2019/2019-04-17-record-terminal/</guid>
      <description>On Fedora you can install with: dnf install asciinema
To start recording: asciinema rec /path/to/mysession.cast
End recording: Ctrl-D or exit
Play a session: asciinema play /path/to/mysession.cast
Learn more at https://asciinema.org/</description>
    </item>
    
    
    
    <item>
      <title>Remove Docker orphans</title>
      <link>https://blog.wains.be/2019/2019-04-17-docker-remove-orphans/</link>
      <pubDate>Wed, 17 Apr 2019 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2019/2019-04-17-docker-remove-orphans/</guid>
      <description>Orphan volumes
List mountpoints that are not in use:
for j in $(for i in $(docker volume ls -qf dangling=true)
do
  docker volume inspect $i | grep &amp;#34;Mountpoint&amp;#34; | awk -F&amp;#39;:&amp;#39; &amp;#39;{print $2}&amp;#39; | awk -F&amp;#39;&amp;#34;&amp;#39; &amp;#39;{print $2}&amp;#39;
done)
do
  du -h --max-depth=1 $j
done
Now feel free to remove the folders that you consider no longer needed.
Orphan images
Removing unused images is possible directly from the Docker command:
$ docker image prune -a
WARNING!</description>
    </item>
    
    
    
    <item>
      <title>Gotify, a self-hosted push notification app</title>
      <link>https://blog.wains.be/2019/2019-03-16-gotify-self-hosted-push-notification/</link>
      <pubDate>Sat, 16 Mar 2019 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2019/2019-03-16-gotify-self-hosted-push-notification/</guid>
      <description>Project page
Source code
Gotify is:
a simple server for sending and receiving messages
self-hosted
free and open source under MIT license
a simple API
a simple GUI
written in Go
building docker images at every release
It comes with a nice Android application available on the Play Store and F-Droid, that listens for events over a websocket.
I have been using it for about 10-12 days now, without noticeable impact on battery.</description>
    </item>
    
    
    
    <item>
      <title>Simulating slow disks with Libvirt</title>
      <link>https://blog.wains.be/2019/2019-03-08-simulating-slow-disks-with-libvirt/</link>
      <pubDate>Fri, 08 Mar 2019 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2019/2019-03-08-simulating-slow-disks-with-libvirt/</guid>
      <description>I once wrote about how to simulate latency on Linux.
The article has been useful to me recently, as I was at a customer who was having all kinds of weird issues, probably caused by an unreliable network and slow performing disks.
I recreated their environment on my Libvirt lab.
You can throttle the I/O of a Libvirt disk, as documented here and here.
Example:</description>
    </item>
    
    
    
    <item>
      <title>Random 502 Bad Gateway on Docker CE</title>
      <link>https://blog.wains.be/2019/2019-02-23-random-502-docker/</link>
      <pubDate>Sat, 23 Feb 2019 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2019/2019-02-23-random-502-docker/</guid>
      <description>For a long time I was getting random 502 errors &amp;ldquo;Bad Gateway&amp;rdquo; on my Docker instance running on a small VPS.
I run my containers behind a reverse proxy, with Let&amp;rsquo;s Encrypt.
Initially I was using Nginx, then moved on to Traefik, but the problem remained.
I was thinking it was related to the number of containers (16 for 2GB of RAM), but that was a network issue according to logs (cannot connect to host).</description>
    </item>
    
    
    
    <item>
      <title>An easy Pastebin-like service with a command line client</title>
      <link>https://blog.wains.be/2019/2019-02-18-easy-pastebin/</link>
      <pubDate>Mon, 18 Feb 2019 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2019/2019-02-18-easy-pastebin/</guid>
      <description>Let me introduce you to Hastebin.
It is a simple pastebin service that you can self-host.
Server
The server bits are available at https://github.com/seejohnrun/haste-server.
I personally use this Docker container: https://hub.docker.com/r/mkodockx/docker-pastebin
Client
The awesome part is that you can paste from the command line!
You have two choices: using gem or a simple bash alias that doesn&amp;rsquo;t require you to install anything (besides curl).
Using Gem
gem install haste
Create an alias in your .</description>
    </item>
    
    
    
    <item>
      <title>Switching to ZSH</title>
      <link>https://blog.wains.be/2019/2019-02-18-zsh/</link>
      <pubDate>Mon, 18 Feb 2019 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2019/2019-02-18-zsh/</guid>
      <description>Everything has already been said and documented about ZSH.
I made the switch two days ago and only regret I didn&amp;rsquo;t switch before.
I have checked ZSH and Oh my zsh back and forth for the past two years, but never committed to it.
I was thinking it was too much trouble learning something new, for too little benefit.
Oh boy I was wrong.
First of all, it&amp;rsquo;s 99% like bash but you get power user features making you even more efficient at the CLI.</description>
    </item>
    
    
    
    <item>
      <title>Tmux basics</title>
      <link>https://blog.wains.be/2019/2019-01-13-tmux-basics/</link>
      <pubDate>Sun, 13 Jan 2019 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2019/2019-01-13-tmux-basics/</guid>
      <description>A long long time ago I wrote about screen.
While screen has been helping sharing terminals with colleagues or clients for many years, tmux is the alternative that can apparently achieve more.
You can refer to https://tmuxcheatsheet.com/ for all the useful tips.
My (very) basic usage of tmux is to split the screen when I need to work on anything else than my workstation (on which I run terminator that can split terminals).</description>
    </item>
    
    
    
    <item>
      <title>Traefik reverse proxy for containers with Lets Encrypt</title>
      <link>https://blog.wains.be/2019/2019-01-13-traefik-letsencrypt/</link>
      <pubDate>Sun, 13 Jan 2019 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2019/2019-01-13-traefik-letsencrypt/</guid>
      <description>IMPORTANT: This blog post covers Traefik version 1.
With Traefik, you can easily reverse proxy your containers, and automatically generate a Let&amp;rsquo;s Encrypt certificate for them. It&amp;rsquo;s pretty awesome. No more complicated Nginx containers coupled with another Let&amp;rsquo;s Encrypt companion!
In the following setup, the name of the container will be used for the certificate generation.
For example, if you define domain = example.org in Traefik configuration, and your container is called container01, a certificate will automatically be generated for container01.</description>
    </item>
    
    
    
    <item>
      <title>Access GTK3 application from a browser</title>
      <link>https://blog.wains.be/2018/2018-12-02-gtk3-app-browser/</link>
      <pubDate>Sun, 02 Dec 2018 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2018/2018-12-02-gtk3-app-browser/</guid>
      <description>Start broadwayd
broadwayd :5 &amp;amp;
Start a GTK3 application (for example gtk3-demo)
GDK_BACKEND=broadway BROADWAY_DISPLAY=:5 gtk3-demo
Application can now be reached from http://hostname:8085.</description>
    </item>
    
    
    
    <item>
      <title>PXE boot on Libvirt</title>
      <link>https://blog.wains.be/2018/2018-12-02-pxe-boot-libvirt/</link>
      <pubDate>Sun, 02 Dec 2018 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2018/2018-12-02-pxe-boot-libvirt/</guid>
      <description>Allow TFTP for the libvirt network:
virsh net-destroy lab
virsh net-edit lab
&amp;lt;name&amp;gt;lab&amp;lt;/name&amp;gt;
&amp;lt;uuid&amp;gt;7c0e845a-a3fa-4403-8fb4-2373dfcb416c&amp;lt;/uuid&amp;gt;
&amp;lt;forward mode=&amp;#39;nat&amp;#39;/&amp;gt;
&amp;lt;bridge name=&amp;#39;virbr1&amp;#39; stp=&amp;#39;on&amp;#39; delay=&amp;#39;0&amp;#39;/&amp;gt;
&amp;lt;mac address=&amp;#39;52:54:00:aa:5f:89&amp;#39;/&amp;gt;
&amp;lt;domain name=&amp;#39;lab&amp;#39; localOnly=&amp;#39;yes&amp;#39;/&amp;gt;
&amp;lt;ip address=&amp;#39;192.168.123.1&amp;#39; netmask=&amp;#39;255.255.255.0&amp;#39;&amp;gt;
  &amp;lt;tftp root=&amp;#39;/var/lib/tftpboot&amp;#39;/&amp;gt;
  &amp;lt;dhcp&amp;gt;
    &amp;lt;range start=&amp;#39;192.168.123.2&amp;#39; end=&amp;#39;192.168.123.254&amp;#39;/&amp;gt;
    &amp;lt;bootp file=&amp;#39;pxelinux.0&amp;#39;/&amp;gt;
  &amp;lt;/dhcp&amp;gt;
&amp;lt;/ip&amp;gt;
&amp;lt;/network&amp;gt;
Install packages:
sudo dnf install tftp vsftpd syslinux
Change VSFTPD config in /etc/vsftpd/vsftpd.conf:
anonymous_enable=yes
Create TFTP config:
cp -r /usr/share/syslinux/* /var/lib/tftpboot
mkdir /var/lib/tftpboot/pxelinux.cfg
touch /var/lib/tftpboot/pxelinux.cfg/default
Mount ISO and copy pxeboot files to TFTP and ISO to FTP:</description>
    </item>
    
    
    
    <item>
      <title>Yubikey and shift key on French or Belgian keyboards</title>
      <link>https://blog.wains.be/2018/2018-09-03-yuibkey-shift-key/</link>
      <pubDate>Mon, 03 Sep 2018 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2018/2018-09-03-yuibkey-shift-key/</guid>
      <description>For readers with Belgian or French keyboards.
If you configure your Yubikey by default with HOTP, when you touch your Yubikey, the output gives characters instead of digits (like &amp;ldquo;&amp;amp;é&amp;rdquo;&amp;rsquo;(§&amp;quot;).
You have two options:
You can press the shift key when you touch your Yubikey
You can configure the keymap, using ykpersonalize
Option 2 can be achieved with the following command, taken from the documentation:
ykpersonalize -S06050708090a0b0c0d0e0f111517181986858788898a8b8c8d8e8f9195979899a79e9fa0a1a2a3a4a5a6382b28 -y</description>
    </item>
    
    
    
    <item>
      <title>Odd upload problems behind Ubiquiti router to Scaleway VPS</title>
      <link>https://blog.wains.be/2018/2018-08-19-ubiquiti-mss-clamping/</link>
      <pubDate>Sun, 19 Aug 2018 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2018/2018-08-19-ubiquiti-mss-clamping/</guid>
      <description>I just spent a couple of hours troubleshooting what was for me an odd network connectivity issue.
I started my new job at Red Hat and received a Nokia 7 Plus smartphone, running Android 8.1.
I reinstalled all my apps and moved all my data from my Moto G5 to the Nokia from my hotel room in Amsterdam, and all seemed fine.
After coming back home from my business trip, the Nextcloud app started complaining about &amp;ldquo;SSL initialization problem&amp;rdquo;, or &amp;ldquo;connection time out&amp;rdquo; while trying to auto upload my pictures.</description>
    </item>
    
    
    
    <item>
      <title>Sync guest clock on resume under Libvirt/KVM</title>
      <link>https://blog.wains.be/2018/2018-08-12-sync-guest-clock-libvirt/</link>
      <pubDate>Sun, 12 Aug 2018 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2018/2018-08-12-sync-guest-clock-libvirt/</guid>
      <description>My host is RHEL7 running Gnome. Guest is Fedora 28 running i3 windows manager.
I use virt-manager and not virsh to manage my VM&amp;rsquo;s.
TL;DR: it doesn&amp;rsquo;t work for me, jump to Conclusion to read about my endeavour.
Edit: my host is now running Fedora 29 and the guest F29 too. The issue persists.
On the host you need:
systemctl enable libvirt-guests
systemctl start libvirt-guests
/etc/sysconfig/libvirt-guests:
SYNC_TIME=1
Restart libvirt: systemctl restart libvirtd</description>
    </item>
    
    
    
    <item>
      <title>Gogs - a lightweight alternative to Gitlab</title>
      <link>https://blog.wains.be/2018/2018-03-29-lightweight-alternative-gitlab/</link>
      <pubDate>Thu, 29 Mar 2018 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2018/2018-03-29-lightweight-alternative-gitlab/</guid>
      <description>If you need a self-hosted and lightweight Github or Gitlab alternative, I suggest you give Gogs a try.
Gogs provides Docker images here: https://hub.docker.com/r/gogs/gogs/
Start the image, put a reverse proxy in front, secure the whole thing with Let&amp;rsquo;s Encrypt, and you should be up and running in a couple of minutes.
If you&amp;rsquo;re hosting a couple of repos and a few users, you can use a sqlite backend.
You can also use Postgres or Mysql databases.</description>
    </item>
    
    
    
    <item>
      <title>Create an IP alias on Mac OS</title>
      <link>https://blog.wains.be/2017/2017-11-17-mac-ethernet-alias/</link>
      <pubDate>Fri, 17 Nov 2017 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2017/2017-11-17-mac-ethernet-alias/</guid>
      <description>Tested on High Sierra
Create an alias:
sudo ifconfig en0 alias 192.168.0.101 255.255.255.0
Remove the alias:
sudo ifconfig en0 -alias 192.168.0.101</description>
    </item>
    
    
    
    <item>
      <title>Migrating the site to Mkdocs</title>
      <link>https://blog.wains.be/2017/2017-10-30-mkdocs/</link>
      <pubDate>Mon, 30 Oct 2017 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2017/2017-10-30-mkdocs/</guid>
      <description>For the past two years, this site has been running with Wikitten, a PHP engine that renders Markdown pages to HTML.
The project was not as actively maintained as Mkdocs though, so I decided to switch.
Mkdocs is a static site generator written in Python.
You write pages in Markdown, Mkdocs builds the site and static pages are served by the HTTP server of your choice.
Mkdocs offers a built-in dev-server that lets you preview your articles as you write them.</description>
    </item>
    
    
    
    <item>
      <title>Enabling USB debug from recovery on Android 6.0.1</title>
      <link>https://blog.wains.be/2017/2017-07-24-android6-enable-usb-debug-recovery/</link>
      <pubDate>Mon, 24 Jul 2017 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2017/2017-07-24-android6-enable-usb-debug-recovery/</guid>
      <description>Tested on a Moto G 1st gen XT1032 running Cyanogen 13
Enabling USB debug allowed me to get logcat working at boot.
Android SDK tools should be installed on your computer (adb).
Boot into recovery (power + volume down on Moto G)
Plug your phone to the computer.
Run &amp;ldquo;./adb shell mount data&amp;rdquo; from your computer shell.
Run &amp;ldquo;./adb shell mount system&amp;rdquo;
./adb pull /data/property/persist.sys.usb.config /tmp
Edit it to &amp;ldquo;mtp,adb&amp;rdquo; and save.</description>
    </item>
    
    
    
    <item>
      <title>Fedora- replacing firewalld by iptables but firewalld always starts instead of iptables</title>
      <link>https://blog.wains.be/2017/2017-05-14-fedora-firewalld-always-starts/</link>
      <pubDate>Sun, 14 May 2017 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2017/2017-05-14-fedora-firewalld-always-starts/</guid>
      <description>I&amp;rsquo;ve been using iptables for more than 10 years and I don&amp;rsquo;t really like firewalld approach.
When I installed my Fedora 25 workstation, I installed a GUI-less Fedora Server edition, and installed i3wm on top of that.
One of the steps has been to disable firewalld and replace it by iptables, see doc here. The doc is outdated (for Fedora 19) but still relevant.
After every reboot, firewalld always started in favor of iptables.</description>
    </item>
    
    
    
    <item>
      <title>SaltStack talk at Jeudis du Libre</title>
      <link>https://blog.wains.be/2017/2017-04-20-saltstack-talk-jeudis-du-libre/</link>
      <pubDate>Thu, 20 Apr 2017 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2017/2017-04-20-saltstack-talk-jeudis-du-libre/</guid>
      <description>I talked about configuration management and cloud orchestration with Salt at Jeudis du libre this April 20.
The talk was divided in two parts: presentation and demo.
The slides of both presentation and demo content are available at https://github.com/sebw/saltstack-talk
Feel free to contact me if you have any question!</description>
    </item>
    
    
    
    <item>
      <title>MITM proxy howto and Android</title>
      <link>https://blog.wains.be/2017/2017-03-01-mitmproxy-howto-android/</link>
      <pubDate>Wed, 01 Mar 2017 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2017/2017-03-01-mitmproxy-howto-android/</guid>
      <description>Start mitmproxy:
./mitmproxy --host --follow
Configure your Android device to use the proxy:
go in Wi-Fi settings
list the networks
long press on the current network
specify the proxy host and port
In a browser on your Android device go to http://mitm.it (it is not an actual website, but the proxy that is displaying this page).
Install and accept the certificate to validate websites
Start apps or browse the web, you should see traffic in mitmproxy</description>
    </item>
    
    
    
    <item>
      <title>Poor performances with Spice and QXL and mouse in KVM</title>
      <link>https://blog.wains.be/2017/2017-02-23-poor-performances-spice-qxl/</link>
      <pubDate>Thu, 23 Feb 2017 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2017/2017-02-23-poor-performances-spice-qxl/</guid>
      <description>We entered the 21st century at work and got new workstations.
I decided to install Red Hat Enterprise 7 as a virtualization host, running my usual Linux Mint LMDE as guest.
I use virt-manager to connect to the guest over Spice.
It turns out, video performances were terrible. For some reason QXL drivers were not loaded on Linux Mint. It was impossible to load those drivers.
I could have bothered recompiling those drivers to see if I could fix it that way, but I didn&amp;rsquo;t have to run Mint for any specific reason.</description>
    </item>
    
    
    
    <item>
      <title>Create VM with Salt Cloud without profile files</title>
      <link>https://blog.wains.be/2017/2017-02-22-salt-cloud-without-profile/</link>
      <pubDate>Wed, 22 Feb 2017 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2017/2017-02-22-salt-cloud-without-profile/</guid>
      <description>You read everywhere (and especially here) in Salt documentation that you need a profile file to create virtual machines in one of the supported clouds.
I found this approach not to be very dynamic.
It is actually not necessary to have profiles. There is a cloud runner, with a function create, dedicated to creating virtual machines. You can pass VM specifications in a pillar.
Your orchestration state /srv/salt/states/orch_vmware/createvm.sls:
{% from &amp;quot;maps/salt.</description>
    </item>
    
    
    
    <item>
      <title>Ubiquiti Unifi WiFi access point UAP LR vs UAP AC Pro</title>
      <link>https://blog.wains.be/2017/2017-01-15-ubiquiti-access-point/</link>
      <pubDate>Sun, 15 Jan 2017 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2017/2017-01-15-ubiquiti-access-point/</guid>
      <description>My old Linksys access-point was showing signs of weakness and I decided to change for something a bit more professional.
I went (by mistake) with an Ubiquiti &amp;ldquo;UAP LR&amp;rdquo;. LR stands for &amp;ldquo;Long Range&amp;rdquo;.
In reality, Ubiquiti don&amp;rsquo;t advertise UAP access-points so much anymore. Those are limited to 2.4GHz range. The one I really needed was the &amp;ldquo;UAP AC&amp;rdquo; model (dual band 2.4GHz and 5GHz) that is almost twice the price.</description>
    </item>
    
    
    
    <item>
      <title>Downgrading packages with yum on RHEL7</title>
      <link>https://blog.wains.be/2016/2016-12-04-yum-downgrade-rhel7/</link>
      <pubDate>Sun, 04 Dec 2016 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2016/2016-12-04-yum-downgrade-rhel7/</guid>
      <description>yum history list all
yum history undo $ID --exclude=kernel*
More info: https://access.redhat.com/solutions/29617</description>
    </item>
    
    
    
    <item>
      <title>MySQL 5.6 quick and dirty replication</title>
      <link>https://blog.wains.be/2016/2016-11-04-mysql-replication/</link>
      <pubDate>Fri, 04 Nov 2016 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2016/2016-11-04-mysql-replication/</guid>
      <description>Some assumptions:
master&amp;gt; = mysql commands on master
slave&amp;gt; = mysql commands on slave
root@master = bash commands on master
root@slave = bash commands on slave
/var/lib/mysql/master01-bin.* = name of the replication logs, depending on your config
master&amp;gt; STOP MASTER
slave&amp;gt; STOP SLAVE
root@master: service mysqld stop
root@slave: service mysqld stop
Take a snapshot of servers if possible
root@master: service mysqld start
master&amp;gt; RESET MASTER (this deletes binary files under /var/lib/mysql/master01-bin.</description>
    </item>
    
    
    
    <item>
      <title>Securing Elasticsearch API with Haproxy</title>
      <link>https://blog.wains.be/2016/2016-06-18-security-elastic-api-haproxy/</link>
      <pubDate>Sat, 18 Jun 2016 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2016/2016-06-18-security-elastic-api-haproxy/</guid>
      <description>2016-06-18
Elasticsearch API is fully open by default and anyone can create (PUT method) or delete indices (DELETE method).
In a project at work, I was asked to install a fully redundant cluster, and among other things expose the API:
over HTTP with no auth for GET method for developers
over HTTPS with auth for any methods (PUT, DELETE, etc.) for Elastic admins
The Elastic cluster is orchestrated with Saltstack (I&amp;rsquo;ll publish the states later) and is made of 8 nodes, two of them act as clients (no master nor data role) and are only accessible from two HAproxy nodes (secured with iptables).</description>
    </item>
    
    
    
    <item>
      <title>Simulating latency and other network issues on Linux</title>
      <link>https://blog.wains.be/2016/2016-03-23-simulating-latency-linux/</link>
      <pubDate>Wed, 23 Mar 2016 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2016/2016-03-23-simulating-latency-linux/</guid>
      <description>If for some reason you need to simulate latency, loss, duplication or re-ordering on a Linux machine, use netem (command tc) as root
Adding a delay of 100ms on interface eth0:
tc qdisc add dev eth0 root netem delay 100ms
Changing the rule:
tc qdisc change dev eth0 root netem delay 150ms
Removing the rule is simple:
tc qdisc del dev eth0 root netem delay 100ms
Simulate a delay of 100ms with a variation of plus or minus 10ms:</description>
    </item>
    
    
    
    <item>
      <title>Fixing X11 connection rejected because of wrong authentication</title>
      <link>https://blog.wains.be/2016/2016-03-21-fixing-x11-connection-rejected-because-wrong-authentication/</link>
      <pubDate>Mon, 21 Mar 2016 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2016/2016-03-21-fixing-x11-connection-rejected-because-wrong-authentication/</guid>
      <description>You get either &amp;ldquo;X11 connection uses different authentication protocol&amp;rdquo; or &amp;ldquo;X11 connection rejected because of wrong authentication&amp;rdquo;.
The thing is, this is a very generic error message that will take you to multiple very different fixes.
Many telling you to set a variable here and change a setting there.
In my case, it was because the SSH server had a configuration under /etc/ssh/sshrc.
I found the answer here.
In my case, sshrc only had comments as I had stopped using the file, so I just removed the config file and ssh -X user@server xclock worked again.</description>
    </item>
    
    
    
    <item>
      <title>Manipulating network stream with netsed</title>
      <link>https://blog.wains.be/2016/2016-03-17-netsed-stream-editor/</link>
      <pubDate>Thu, 17 Mar 2016 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2016/2016-03-17-netsed-stream-editor/</guid>
      <description>Netsed page
Netsed is a network packet stream editor.
On a Linux gateway, let&amp;rsquo;s set a silent redirect to the port netsed will be listening on:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 1080
Then start netsed:
netsed tcp 1080 0 80 &#39;s/string%20A/string%20B/&#39;
Any &amp;ldquo;string A&amp;rdquo; in a web page will be replaced by &amp;ldquo;string B&amp;rdquo;.
In the output you would see this:
[+] Caught server -&amp;gt; client packet.</description>
    </item>
    
    
    
    <item>
      <title>Parallels- copy-paste not working from Mac to Fedora VM</title>
      <link>https://blog.wains.be/2016/2016-03-10-parallels-copy-paste-not-working-fedora/</link>
      <pubDate>Thu, 10 Mar 2016 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2016/2016-03-10-parallels-copy-paste-not-working-fedora/</guid>
      <description>This one is weird but worked for me.
You should set SELinux as permissive, reboot, and set it back to enforcing
Edit /etc/selinux/config and change to
SELINUX=permissive
Reboot
Set back to enforcing
SELINUX=enforcing
Reboot again.
Now copy-paste works for me. Let me know if it works for you :-)</description>
    </item>
    
    
    
    <item>
      <title>Hipchat notification after SVN commit</title>
      <link>https://blog.wains.be/2016/2016-03-02-hipchat-notification-after-svn-commit/</link>
      <pubDate>Wed, 02 Mar 2016 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2016/2016-03-02-hipchat-notification-after-svn-commit/</guid>
      <description>Get a channel notification token from the Hipchat control panel.
Put this script under the hooks directory of the SVN repository
REPOS=&amp;quot;$1&amp;quot;
REV=&amp;quot;$2&amp;quot;
WHO=&amp;quot;$(svnlook author -r $REV $REPOS)&amp;quot;
LOG=&amp;quot;$(svnlook log -r $REV $REPOS)&amp;quot;
MESSAGE=&amp;quot;Commit to $REPOS by $WHO ($LOG) - https://svn.example.org/blah/$REV/diff&amp;quot;
ROOM_ID=&amp;quot;123456&amp;quot;
AUTH_TOKEN=&amp;quot;token&amp;quot;
# --insecure disables TLS certificate verification for this request
curl --silent --insecure -H &amp;quot;Content-Type: application/json&amp;quot; \
  -X POST \
  -d &amp;quot;{\&amp;quot;color\&amp;quot;: \&amp;quot;green\&amp;quot;, \&amp;quot;message_format\&amp;quot;: \&amp;quot;text\&amp;quot;, \&amp;quot;message\&amp;quot;: \&amp;quot;$MESSAGE\&amp;quot; }&amp;quot; \
  https://api.hipchat.com/v2/room/$ROOM_ID/notification?auth_token=$AUTH_TOKEN
Any commit will trigger the script and you&amp;rsquo;ll receive a message looking like:</description>
    </item>
    
    
    
    <item>
      <title>Linux know the limits of one or several processes</title>
      <link>https://blog.wains.be/2016/2016-02-14-linux-limits/</link>
      <pubDate>Sun, 14 Feb 2016 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2016/2016-02-14-linux-limits/</guid>
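      <description>#!/bin/bash
# Print /proc/PID/limits for every running instance of the given process names
for process in &amp;#34;$@&amp;#34;; do
  # tr strips the padding ps puts around each PID
  process_pids=$(ps -C &amp;#34;$process&amp;#34; -o pid --no-headers | tr -d &amp;#34; &amp;#34;)
  # Test the PID list, not the process name, to detect &amp;#34;not running&amp;#34;
  if [ -z &amp;#34;$process_pids&amp;#34; ]; then
    echo &amp;#34;[no $process running]&amp;#34;
  else
    for pid in $process_pids; do
      echo &amp;#34;[$process #$pid -- limits]&amp;#34;
      cat /proc/$pid/limits
    done
  fi
done </description>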
    </item>
    
    
    
    <item>
      <title>Wemo and Netatmo workflows for Alfred</title>
      <link>https://blog.wains.be/2016/2016-02-13-wemo-netatmo-workflow-alfred/</link>
      <pubDate>Sat, 13 Feb 2016 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2016/2016-02-13-wemo-netatmo-workflow-alfred/</guid>
      <description>I just published my two first Alfred workflows on Packal.
Wemo
Wemo v0.2 lets you get the status of your Wemo switches and change their status with a simple click.
It is based on a bash script found here in the comments.
Netatmo
Netatmo v0.2 retrieves weather information from your indoor and outdoor modules.
It is based on a PHP script found a long time ago on http://maison-et-domotique.com.
Download links
Wemo v0.</description>
    </item>
    
    
    
    <item>
      <title>Malformed header from script cgi</title>
      <link>https://blog.wains.be/2016/2016-02-07-apache-cgi-bin-malformed-header/</link>
      <pubDate>Sun, 07 Feb 2016 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2016/2016-02-07-apache-cgi-bin-malformed-header/</guid>
      <description>If you want to run a bash script as a CGI and get this message:
[Sun Feb 07 19:51:59.424071 2016] [cgi:error] [pid 4265] [client x.x.x.x:50952] malformed header from script &#39;weather.sh&#39;: Bad header: Searching via name..
Make sure to put an additional echo in your script after the content type
#!/bin/bash
echo &amp;quot;Content-type: text/html&amp;quot;
echo
your-command </description>
    </item>
    
    
    
    <item>
      <title>Recovering your stolen device with Prey. Not.</title>
      <link>https://blog.wains.be/2016/2016-02-04-prey-recovering-device/</link>
      <pubDate>Thu, 04 Feb 2016 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2016/2016-02-04-prey-recovering-device/</guid>
      <description>I&amp;rsquo;ve been using Prey for a couple of years now. I track my Android phone and tablet, and my laptop.
I was in San Francisco in May 2015 and got all my belongings stolen in busy downtown. My Macbook was in one of the stolen bags. (San Francisco has a big problem with smash and grab burglary, be careful).
I immediately logged in to Prey only to discover that my Macbook was running an outdated version of the client, and that most of the recovery features were not available anymore.</description>
    </item>
    
    
    
    <item>
      <title>Undelete files with lsof</title>
      <link>https://blog.wains.be/2016/2016-01-21-undelete-files-with-lsof/</link>
      <pubDate>Thu, 21 Jan 2016 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2016/2016-01-21-undelete-files-with-lsof/</guid>
      <description>If you delete a file by mistake, there are several ways to recover it.
I&amp;rsquo;m going to explain how to recover a file that has been deleted but is still &amp;ldquo;active&amp;rdquo; on the system because it is locked by a running process.
First, let&amp;rsquo;s create a file maintained by a lock.
$ watch ps aux &amp;gt; log.txt
Interrupt the process by hitting Ctrl+Z
ps reveals the &amp;ldquo;watch&amp;rdquo; command is still being executed but in T state (T = traced or suspended process).</description>
    </item>
    
    
    
    <item>
      <title>Parsing XML with xgrep</title>
      <link>https://blog.wains.be/2016/2016-01-20-parsing-xml-with-xgrep/</link>
      <pubDate>Wed, 20 Jan 2016 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2016/2016-01-20-parsing-xml-with-xgrep/</guid>
      <description>Imagine this file.xml containing:
&amp;lt;vehicleinformation version=&amp;quot;1.1&amp;quot; timestamp=&amp;quot;1453323673&amp;quot;&amp;gt;
  &amp;lt;vehicle locationX=&amp;quot;4.336531&amp;quot; locationY=&amp;quot;50.835707&amp;quot;&amp;gt;Be.NMBS.P8401&amp;lt;/vehicle&amp;gt;
  &amp;lt;stops number=&amp;quot;9&amp;quot;&amp;gt;
    &amp;lt;stop id=&amp;quot;0&amp;quot; delay=&amp;quot;16&amp;quot; canceled=&amp;quot;0&amp;quot;&amp;gt;
      &amp;lt;station id=&amp;quot;BE.NMBS.008814001&amp;quot;&amp;gt;Brussel-Zuid / Bruxelles-Midi&amp;lt;/station&amp;gt;
      &amp;lt;time formatted=&amp;quot;2016-01-20T17:06:00&amp;quot;&amp;gt;1453305960&amp;lt;/time&amp;gt;
      &amp;lt;platform normal=&amp;quot;1&amp;quot;&amp;gt;12&amp;lt;/platform&amp;gt;
    &amp;lt;/stop&amp;gt;
    &amp;lt;stop id=&amp;quot;1&amp;quot; delay=&amp;quot;18&amp;quot; canceled=&amp;quot;0&amp;quot;&amp;gt;
      &amp;lt;station id=&amp;quot;BE.NMBS.008813003&amp;quot;&amp;gt;Bru.-Centraal / Brux.-Central&amp;lt;/station&amp;gt;
      &amp;lt;time formatted=&amp;quot;2016-01-20T17:10:00&amp;quot;&amp;gt;1453306200&amp;lt;/time&amp;gt;
      &amp;lt;platform normal=&amp;quot;1&amp;quot;&amp;gt;3&amp;lt;/platform&amp;gt;
    &amp;lt;/stop&amp;gt;
[...]
You can get the value of the delay in Brux.-Central (here 18 minutes) by specifying the XPath with the -x option, like this:
xgrep -x &amp;quot;/vehicleinformation/stops/stop[2]//@delay&amp;quot; file.xml
I use XPath Checker for Firefox to easily get the XPath.</description>
    </item>
    
    
    
    <item>
      <title>Apache rewrite rule with original URL containing parameters</title>
      <link>https://blog.wains.be/2016/2016-01-15-apache-rewrite-with-parameters/</link>
      <pubDate>Fri, 15 Jan 2016 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2016/2016-01-15-apache-rewrite-with-parameters/</guid>
      <description>So let&amp;rsquo;s say you want to redirect http://example.org?id=2392 to http://example.org?id=256
You need to use the %{QUERY_STRING} option under RewriteCond like this:
RewriteCond %{QUERY_STRING} id=2392
RewriteRule ^/index.php http://example.org/index.php?id=256 [L,R=permanent] </description>
    </item>
    
    
    
    <item>
      <title>Firefox recommended about-config configuration</title>
      <link>https://blog.wains.be/2015/2015-09-18-firefox-recommended-about-config/</link>
      <pubDate>Fri, 18 Sep 2015 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2015/2015-09-18-firefox-recommended-about-config/</guid>
      <description>The following is a recommended setup for Firefox as of September 2015 by https://www.privacytools.io/#about_config and https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH
http://kb.mozillazine.org/Network.IDN_show_punycode
network.IDN_show_punycode = true
Display the “raw”, punycode version of internationalized domain names.
privacy.trackingprotection.enabled = true
This is Mozilla’s new built in tracking protection.
geo.enabled = false
Disables geolocation.
browser.safebrowsing.phishing.enabled = false
browser.safebrowsing.malware.enabled = false
browser.safebrowsing.downloads.enabled = false
browser.safebrowsing.blockedURIs.enabled = false
Disable Google Safe Browsing malware and phishing checks. Security risk, but privacy improvement.
dom.</description>
    </item>
    
    
    
    <item>
      <title>Synology returns Illegal certificate when trying to import a valid certificate</title>
      <link>https://blog.wains.be/2015/2015-09-18-synology-illegal-certificate/</link>
      <pubDate>Fri, 18 Sep 2015 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2015/2015-09-18-synology-illegal-certificate/</guid>
      <description>This happened to me yesterday as I was trying to import a valid Global-sign wildcard certificate.
You just need to edit your private key, the certificate and the intermediate certificate and remove all the comments outside the delimiter lines.
Example of what your certificate file should look like:
-----BEGIN CERTIFICATE-----
&amp;lt;your certificate is here&amp;gt;
-----END CERTIFICATE-----
Example of a private key:
-----BEGIN RSA PRIVATE KEY-----
&amp;lt;your private key is here&amp;gt;
-----END RSA PRIVATE KEY-----
It should NOT look like this:</description>
    </item>
    
    
    
    <item>
      <title>Postfix routing emails using LDAP or regexp with different smtpd processes</title>
      <link>https://blog.wains.be/2015/2015-08-21-postfix-recipient-canonical-maps-ldap-regexp/</link>
      <pubDate>Fri, 21 Aug 2015 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2015/2015-08-21-postfix-recipient-canonical-maps-ldap-regexp/</guid>
      <description>If you want to redirect emails you can use the recipient_canonical_maps option.
This cleanup option is usually specified globally in main.cf.
If you want to treat different domains with different filtering techniques, you can do this in master.cf instead:
0.0.0.0:2525 inet n - n - - smtpd
  -o cleanup_service_name=cleanup-2525
  -o myhostname=mxrouting.ldap.example.org
  -o smtpd_banner=$myhostname
cleanup-2525 unix n - n - 0 cleanup
  -o recipient_canonical_maps=ldap:/etc/postfix/routing-ldap.example.org
0.0.0.0:2526 inet n - n - - smtpd
  -o cleanup_service_name=cleanup-2526
  -o myhostname=mxrouting.</description>
    </item>
    
    
    
    <item>
      <title>Workflow automation under Mac with Hammerspoon</title>
      <link>https://blog.wains.be/2015/2015-08-18-macosx-hammerspoon/</link>
      <pubDate>Tue, 18 Aug 2015 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2015/2015-08-18-macosx-hammerspoon/</guid>
      <description>I&amp;rsquo;m spending a lot of time at work automating processes (with Rundeck, Salt, Jenkins, Nexus, SVN, etc.).
At the personal level, I have automated most of my recurring tasks (disabling Wi-Fi automatically, silence mode at work, etc.) on Android using Automagic: http://automagic4android.com/en/
I discovered a couple of days ago Hammerspoon for Mac: http://www.hammerspoon.org/
Quoting their website:
This is a tool for powerful automation of OS X. At its core, Hammerspoon is just a bridge between the operating system and a Lua scripting engine.</description>
    </item>
    
    
    
    <item>
      <title>Migrating my website (again)</title>
      <link>https://blog.wains.be/2015/2015-08-15-markdown-wiki/</link>
      <pubDate>Sat, 15 Aug 2015 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2015/2015-08-15-markdown-wiki/</guid>
      <description>Date: 2015-08-15
In the first half of this year, I migrated this site from Wordpress to Scriptogram.
Scriptogr.am is tightly integrated to Dropbox, which means if you want to have two blogs running the same platform, you should have two Dropbox accounts.
It was my case, and I never really got it to work properly on two Dropbox accounts, let alone one. Scriptogr.am had many sync hiccups. The project felt pretty dormant actually.</description>
    </item>
    
    
    
    <item>
      <title>Switching back from Chrome/Chromium to Firefox and a global rant about Google</title>
      <link>https://blog.wains.be/2015/2015-06-18_switching-back-from-chromechromium-to-firefox-and-a-global-rant-about-google/</link>
      <pubDate>Thu, 18 Jun 2015 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2015/2015-06-18_switching-back-from-chromechromium-to-firefox-and-a-global-rant-about-google/</guid>
      <description>Originally published 2015-06-18
I have used Chrome (and Chromium, depending on the platform I&amp;rsquo;m working on, from now on I&amp;rsquo;ll refer to it as Chrome) pretty much since it went out of beta.
I started getting annoyed with the last few versions though.
It all started when I installed a random application on a Windows 7 machine as a regular user. The app contained malware that didn&amp;rsquo;t get detected by the antivirus and it installed a couple of nasty Chrome extensions in the user profile.</description>
    </item>
    
    
    
    <item>
      <title>Verify expiration date for a local x509 certificate</title>
      <link>https://blog.wains.be/2015/2015-06-18_verify_expiration_local_x509_certificate/</link>
      <pubDate>Thu, 18 Jun 2015 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2015/2015-06-18_verify_expiration_local_x509_certificate/</guid>
      <description>Date: 2015-06-18
Use this command:
openssl x509 -noout -in /etc/pki/tls/certs/client.crt -dates
Output would be:
notBefore=Feb 20 16:20:08 2015 GMT
notAfter=Feb 20 16:20:08 2016 GMT </description>
    </item>
    
    
    
    <item>
      <title>Postfix routing and rewriting of addresses based on LDAP attributes</title>
      <link>https://blog.wains.be/2015/2015-04-29-postfix-routing-and-rewriting-based-on-ldap/</link>
      <pubDate>Wed, 29 Apr 2015 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2015/2015-04-29-postfix-routing-and-rewriting-based-on-ldap/</guid>
      <description>Date: 2015-04-29
Note: This has been tested on RHEL6 and Postfix 2.6.6 from RHEL repositories and version 2.10 from postfix.org. RHEL6 version contains a nasty bug, I recommend you use Postfix.org RPMS.
We want to route emails thanks to rewriting capabilities of Postfix.
An LDAP directory will provide us with an attribute.
We will use the &amp;ldquo;mailstop&amp;rdquo; attribute here. Different values can be defined: &amp;ldquo;brussels&amp;rdquo; or &amp;ldquo;stockholm&amp;rdquo;.
An email would be relayed through this Postfix instance.</description>
    </item>
    
    
    
    <item>
      <title>Adding a disk to a Synology Hybrid RAID (SHR) (with no data protection) to make a RAID1 array</title>
      <link>https://blog.wains.be/2015/2015-04-17-synology-hybrid-raid/</link>
      <pubDate>Fri, 17 Apr 2015 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2015/2015-04-17-synology-hybrid-raid/</guid>
      <description>Date: 2015-04-17
I bought a Synology DS214j a couple of months ago.
I bought only one 2TB disk in the first place. My plan was to buy a second disk a couple of months later so I would have a RAID1 array made of two disks with different mileage and probably different life expectancy. I set it up using the recommended option: &amp;ldquo;Synology Hybrid RAID (SHR)&amp;rdquo;.
Personal opinion: I always believed that starting a RAID1 with disks from the same batch and more or less same production date is a recipe for disaster.</description>
    </item>
    
    
    
    <item>
      <title>Samba integrated to Active Directory on RHEL7</title>
      <link>https://blog.wains.be/2015/2015-02-25-samba-ad-rhel7/</link>
      <pubDate>Wed, 25 Feb 2015 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2015/2015-02-25-samba-ad-rhel7/</guid>
      <description>Date: 2015-02-25
Tested with Active Directory 2003 and RHEL 7.0
For RHEL 6.0 see here
I consider that the server is correctly set up, its hostname should be set accordingly to the Active Directory domain. It should also be synchronised with NTP. A clock drift could cause issues because of Kerberos.
I assume an AD domain &amp;ldquo;EXAMPLE&amp;rdquo; (long name: intranet.example.org)
# host -t srv _kerberos._tcp.intranet.example.org
_kerberos._tcp.intranet.example.org has SRV record 0 100 88 srv00a.</description>
    </item>
    
    
    
    <item>
      <title>Migrating from Wordpress to Scriptogr.am</title>
      <link>https://blog.wains.be/2015/2015-02-17-migration-to-scriptogram/</link>
      <pubDate>Tue, 17 Feb 2015 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2015/2015-02-17-migration-to-scriptogram/</guid>
      <description>Date: 2015-02-17
I just migrated this blog from Wordpress to Scriptogr.am.
Mainly because this blog isn&amp;rsquo;t so much active anymore, those SQL IOPS were useless for something that had become so static (I disabled the comments many years ago, tired of spam).
I missed Posterous and started looking for something similar, until I found out about Calepin.co and Scriptogr.am.
For those of you who don&amp;rsquo;t know, Scriptogr.am will fetch markdown text files from your Dropbox and turn them into a website.</description>
    </item>
    
    
    
    <item>
      <title>Android Automagic- enable or disable motion detection on Dlink webcams</title>
      <link>https://blog.wains.be/2015/2015-02-16-android-automagic-webcam/</link>
      <pubDate>Mon, 16 Feb 2015 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2015/2015-02-16-android-automagic-webcam/</guid>
      <description>Date: 2015-02-16 tags: Android, Automagic
This has been tested on DCS-930L and DCS-5020L
&amp;lt;?xml version=&#39;1.0&#39; encoding=&#39;UTF-8&#39; standalone=&#39;yes&#39; ?&amp;gt; &amp;lt;data version=&amp;quot;1.25.0&amp;quot;&amp;gt; &amp;lt;trigger type=&amp;quot;wifi_connected&amp;quot;&amp;gt; &amp;lt;useDefaultName&amp;gt;true&amp;lt;/useDefaultName&amp;gt; &amp;lt;name&amp;gt;WiFi Connected: SSID&amp;lt;/name&amp;gt; &amp;lt;enabled&amp;gt;true&amp;lt;/enabled&amp;gt; &amp;lt;all&amp;gt;false&amp;lt;/all&amp;gt; &amp;lt;ssidList&amp;gt;SSID&amp;lt;/ssidList&amp;gt; &amp;lt;/trigger&amp;gt; &amp;lt;trigger type=&amp;quot;wifi_disconnected&amp;quot;&amp;gt; &amp;lt;useDefaultName&amp;gt;true&amp;lt;/useDefaultName&amp;gt; &amp;lt;name&amp;gt;WiFi Disconnected: SSID&amp;lt;/name&amp;gt; &amp;lt;enabled&amp;gt;true&amp;lt;/enabled&amp;gt; &amp;lt;all&amp;gt;false&amp;lt;/all&amp;gt; &amp;lt;ssidList&amp;gt;SSID&amp;lt;/ssidList&amp;gt; &amp;lt;/trigger&amp;gt; &amp;lt;condition type=&amp;quot;active_network_type&amp;quot;&amp;gt; &amp;lt;useDefaultName&amp;gt;true&amp;lt;/useDefaultName&amp;gt; &amp;lt;name&amp;gt;Active Network Type: Mobile&amp;lt;/name&amp;gt; &amp;lt;none&amp;gt;false&amp;lt;/none&amp;gt; &amp;lt;mobile&amp;gt;true&amp;lt;/mobile&amp;gt; &amp;lt;wifi&amp;gt;false&amp;lt;/wifi&amp;gt; &amp;lt;wimax&amp;gt;false&amp;lt;/wimax&amp;gt; &amp;lt;bluetooth&amp;gt;false&amp;lt;/bluetooth&amp;gt; &amp;lt;ethernet&amp;gt;false&amp;lt;/ethernet&amp;gt; &amp;lt;/condition&amp;gt; &amp;lt;action type=&amp;quot;http_request&amp;quot;&amp;gt; &amp;lt;useDefaultName&amp;gt;true&amp;lt;/useDefaultName&amp;gt; &amp;lt;name&amp;gt;HTTP Request: POST https://webcam.public.url/setSystemMotion application/x-www-form-urlencoded ReplySuccessPage=motion.htm,ReplyErrorPage=motion.htm,MotionDetectionEnable=0,MotionDetectionScheduleDay=30,ConfigSystemMotion=Save store in motion&amp;lt;/name&amp;gt; &amp;lt;url&amp;gt;https://webcam.public.url/setSystemMotion&amp;lt;/url&amp;gt; &amp;lt;verifyCertificates&amp;gt;true&amp;lt;/verifyCertificates&amp;gt; 
&amp;lt;basicAuthentication&amp;gt;true&amp;lt;/basicAuthentication&amp;gt; &amp;lt;username&amp;gt;admin&amp;lt;/username&amp;gt; &amp;lt;httpMethod&amp;gt;POST&amp;lt;/httpMethod&amp;gt; &amp;lt;httpContentType&amp;gt;X_WWW_FORM_URLENCODED&amp;lt;/httpContentType&amp;gt; &amp;lt;contentType&amp;gt;text/plain&amp;lt;/contentType&amp;gt; &amp;lt;generalTextData&amp;gt;&amp;lt;/generalTextData&amp;gt; &amp;lt;formFieldList&amp;gt;ReplySuccessPage=motion.</description>
    </item>
    
    
    
    <item>
      <title>Bash- loop until a connection is successful</title>
      <link>https://blog.wains.be/2015/2015-02-16-bash-loop-connection/</link>
      <pubDate>Mon, 16 Feb 2015 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2015/2015-02-16-bash-loop-connection/</guid>
      <description>Date: 2015-02-16 Tags: linux, bash
I use Terminator as my terminal app, and use the &amp;ldquo;watch for activity&amp;rdquo; feature a lot. With the following command, I&amp;rsquo;d get notified as soon as the connection is opened.
while ! nc -vz localhost 3306 2&amp;gt; /dev/null; do sleep 1; done &amp;amp;&amp;amp; echo &amp;quot;Available!&amp;quot; </description>
    </item>
    
    
    
    <item>
      <title>Pipe tcpdump traffic into Wireshark from a remote server</title>
      <link>https://blog.wains.be/2015/2015-02-16-wireshark-tcpdump/</link>
      <pubDate>Mon, 16 Feb 2015 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2015/2015-02-16-wireshark-tcpdump/</guid>
      <description>Date: 2015-02-16 tags: Linux, Network
This command will allow you to pipe traffic generated by tcpdump on a remote machine into Wireshark running on your local machine:
ssh root@dest tcpdump -U -s0 -w - &#39;tcp port 389&#39; | wireshark -k -i - </description>
    </item>
    
    
    
    <item>
      <title>PreserveFQDN and EscapeControlCharactersOnReceive with rsyslog</title>
      <link>https://blog.wains.be/2014/2014-10-10-preservefqdn-and-escapecontrolcharactersonreceive-with-rsyslog/</link>
      <pubDate>Fri, 10 Oct 2014 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2014/2014-10-10-preservefqdn-and-escapecontrolcharactersonreceive-with-rsyslog/</guid>
      <description>categories: Linux
In legacy versions of rsyslog, if you want to use the option PreserveFQDN, you have to set the option before anything else, or it wouldn&amp;rsquo;t work.
If you are having issues sending logs from nxlog on Windows to rsyslog legacy, you might want to have a look at EscapeControlCharactersOnReceive.
http://www.rsyslog.com/doc/rsconf1_escapecontrolcharactersonreceive.html</description>
    </item>
    
    
    
    <item>
      <title>iTop CMDB 2.0.x inventory provider for Rundeck 2.2.x</title>
      <link>https://blog.wains.be/2014/2014-09-10-itop-rundeck-integration/</link>
      <pubDate>Wed, 10 Sep 2014 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2014/2014-09-10-itop-rundeck-integration/</guid>
      <description>Date: 2014-09-10 Tags: code, php
This PHP page retrieves configuration items to populate the Rundeck inventory:
&amp;lt;?php
// iTop CMDB inventory for Rundeck.
// Virtual servers have VIRT tag, physicals get PHYS tag.
$host = &amp;#34;127.0.0.1&amp;#34;;
$db = &amp;#34;itop_srv&amp;#34;;
$user = &amp;#34;root&amp;#34;;
$pwd = &amp;#34;&amp;#34;;
$connect = mysql_connect($host, $user, $pwd);
mysql_select_db($db);
$query_physical = &amp;#34;SELECT view_Server.id AS id, view_Server.name AS hostname, view_Server.description AS description, view_Server.osfamily_name AS osName, view_Server.osversion_name AS osVersion, view_Server.</description>
    </item>
    
    
    
    <item>
      <title>Bash set builtin- pipefail    </title>
      <link>https://blog.wains.be/2013/2013-12-25-bash-set-builtin-pipefail/</link>
      <pubDate>Wed, 25 Dec 2013 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-12-25-bash-set-builtin-pipefail/</guid>
      <description>author: admin
comments: false
layout: post
tags: bash, linux
By default, if you pipe commands, the exit status reported will be the one of the last command.
Example:
ls -l test.txt | mail -s &amp;quot;test&amp;quot; example@example.org
If test.txt doesn&amp;rsquo;t exist, the exit status would still be 0 because the mail command was successful.
If you want to change that behavior, you should enable the pipefail option of the set builtin:
&amp;gt; false
&amp;gt; echo $?</description>
    </item>
    
    
    
    <item>
      <title>Get notified when a change occurs on the filesystem</title>
      <link>https://blog.wains.be/2013/2013-11-14-get-notified-when-a-change-occurs-on-the-filesystem/</link>
      <pubDate>Thu, 14 Nov 2013 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-11-14-get-notified-when-a-change-occurs-on-the-filesystem/</guid>
      <description>categories: Linux
I can never seem to remember the correct command
inotifywait -e modify -m -r /home/dir </description>
    </item>
    
    
    
    <item>
      <title>Outbound Postfix with SASL Authentication against LDAP (Dovecot)</title>
      <link>https://blog.wains.be/2013/2013-11-14-outbound-postfix-with-sasl-authentication-against-ldap-dovecot/</link>
      <pubDate>Thu, 14 Nov 2013 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-11-14-outbound-postfix-with-sasl-authentication-against-ldap-dovecot/</guid>
      <description>categories: Postfix
I recently had to set up an outbound Postfix server with SASL authentication against LDAP.
I&amp;rsquo;m a huge fan of Dovecot, so I did go with it instead of Cyrus which was a pain to set up a few years back. Not sure about now.
I hadn&amp;rsquo;t done that in a while, and if you look up on this site, you&amp;rsquo;ll see I actually did SASL auth against MySQL, a couple of years ago.</description>
    </item>
    
    
    
    <item>
      <title>Bash easily consult a process limits</title>
      <link>https://blog.wains.be/2013/2013-07-25-bash-limits/</link>
      <pubDate>Thu, 25 Jul 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-07-25-bash-limits/</guid>
      <description>Date: 2013-07-25 Tags: Bash, Linux
Create this script, I&amp;rsquo;ll call it limits.sh:
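#!/bin/bash
for process in &amp;quot;$@&amp;quot;; do
  # ps prints one padded PID per line; the for loop below splits them on whitespace
  process_pids=$(ps -C &amp;quot;$process&amp;quot; -o pid --no-headers)
  # Test the PID list, not the process name, to detect that nothing is running
  if [ -z &amp;quot;$process_pids&amp;quot; ]; then
    echo &amp;quot;[no $process running]&amp;quot;
  else
    for pid in $process_pids; do
      echo &amp;quot;[$process #$pid -- limits]&amp;quot;
      cat /proc/$pid/limits
    done
  fi
done
Then: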
bash limits.sh 27193 </description>
    </item>
    
    
    
    <item>
      <title>Debian apt-get change temporary directory</title>
      <link>https://blog.wains.be/2013/2013-07-17-debian-apt-get-tempdir/</link>
      <pubDate>Wed, 17 Jul 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-07-17-debian-apt-get-tempdir/</guid>
      <description>Date: 2013-07-17 Tags: Linux, Debian
Under Debian, if /tmp is a partition and you set it as noexec, you might need to do this to avoid issues with apt-get.
Create /etc/apt/apt.conf.d/50tmp
APT { ExtractTemplates { TempDir &amp;quot;/var/tmp&amp;quot;; }; }; </description>
    </item>
    
    
    
    <item>
      <title>Debian network interface configuration</title>
      <link>https://blog.wains.be/2013/2013-07-17-debian-network/</link>
      <pubDate>Wed, 17 Jul 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-07-17-debian-network/</guid>
      <description>Tags: Linux, Debian Date: 2013-07-17
This is a reminder as I always seem to forget something.
/etc/network/interfaces:
auto eth0
iface eth0 inet static
    pre-up iptables-restore &amp;lt; /etc/iptables.conf
    address 192.168.0.0
    netmask 255.255.0.0
    network 192.168.0.0
    broadcast 192.168.255.255
    gateway 192.168.0.1 </description>
    </item>
    
    
    
    <item>
      <title>Debian tell apt-get not to install recommended packages</title>
      <link>https://blog.wains.be/2013/2013-07-17-debian-apt-getrecommended/</link>
      <pubDate>Wed, 17 Jul 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-07-17-debian-apt-getrecommended/</guid>
      <description>Date: 2013-07-17 Tags: Linux, Debian
In /etc/apt/apt.conf
APT::Install-Recommends &amp;quot;0&amp;quot;; </description>
    </item>
    
    
    
    <item>
      <title>Mac OS X change default screenshot directory</title>
      <link>https://blog.wains.be/2013/2013-07-17-macosx-screenshot-location/</link>
      <pubDate>Wed, 17 Jul 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-07-17-macosx-screenshot-location/</guid>
      <description>Date: 2013-07-17 Tags: Mac
Type this in your terminal:
defaults write com.apple.screencapture location /Full/Path/To/Folder </description>
    </item>
    
    
    
    <item>
      <title>Manipulate image metadata (EXIF, IPTC) with open source tools</title>
      <link>https://blog.wains.be/2013/2013-07-17-image-metadata/</link>
      <pubDate>Wed, 17 Jul 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-07-17-image-metadata/</guid>
      <description>Date: 2013-07-17 tags: Linux
Rename picture based on capture date:
find -name &#39;IMG*.JPG&#39; | while read PIC; do DATE=$(exiftool -p &#39;$DateTimeOriginal&#39; $PIC | sed &#39;s/[: ]//g&#39;); touch -t $(echo $DATE | sed &#39;s/\(..$\)/\.\1/&#39;) $PIC;echo &amp;quot;Date:&amp;quot; $DATE &amp;quot;- &amp;quot; $PIC; mv -i $PIC $(dirname $PIC)/`date +%Y%m%d_%T`_$DATE.jpg; done
Rename:
exiv2 -t *.jpg
exiv2 -r Description_%Y%m%d_%H%M%S *.jpg
Add copyright:
exiftool -copyright=&amp;quot;John Doe&amp;quot; *.jpg
Add EXIF comment:
exiv2 -M&amp;quot;set Exif.Photo.UserComment charset=Ascii This is a comment&amp;quot; *.</description>
    </item>
    
    
    
    <item>
      <title>My bashrc</title>
      <link>https://blog.wains.be/2013/2013-07-17-linux-bashrc/</link>
      <pubDate>Wed, 17 Jul 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-07-17-linux-bashrc/</guid>
      <description>Date: 2013-07-17 Tags: Linux
Not so much but it does the job.
shopt -s histappend
export HISTTIMEFORMAT=&#39;%F @ %T - &#39;
export HISTCONTROL=erasedups:ignorespace
export HISTIGNORE=&amp;quot;pwd:[bf]g:jobs:j:h:history:exit:reboot:restart:init *&amp;quot;
export HISTSIZE=5000
export HISTFILESIZE=5000
export VISUAL=vim </description>
    </item>
    
    
    
    <item>
      <title>My SSH client configuration</title>
      <link>https://blog.wains.be/2013/2013-07-17-ssh-client-configuration/</link>
      <pubDate>Wed, 17 Jul 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-07-17-ssh-client-configuration/</guid>
      <description>Date: 2013-07-17 Tags: ssh
This is my configuration. It fits my environment, some settings might not be right for you.
Host *
ForwardAgent yes
# I only connect to safe servers, not shared servers.
GSSAPIAuthentication no
# Because sometimes I have to deal with Windows DNS servers
AddressFamily inet
IdentityFile ~/.ssh/id_rsa
SendEnv LANG LC_*
HashKnownHosts yes
# Hash FQDN in known_hosts
GSSAPIDelegateCredentials no
EscapeChar ~
ServerAliveInterval 60
ServerAliveCountMax 60
#User root
StrictHostKeyChecking ask
# Check SSHFP record
#VerifyHostKeyDNS yes
ControlMaster auto
ControlPath ~/.</description>
    </item>
    
    
    
    <item>
      <title>Python iteration through dictionaries</title>
      <link>https://blog.wains.be/2013/2013-07-17-python-dictionaries/</link>
      <pubDate>Wed, 17 Jul 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-07-17-python-dictionaries/</guid>
      <description>Date: 2013-07-17 Tags: python
We create a dictionary called &amp;ldquo;d&amp;rdquo;:
d = {&#39;site1&#39;: {&#39;servername&#39;: &#39;test.org&#39;, &#39;serveralias&#39;: &#39;www.test.org&#39;}}
We parse it with iteritems():
for key, value in d.iteritems():
    print key
    print value[&#39;servername&#39;] </description>
    </item>
    
    
    
    <item>
      <title>Rescan SCSI bus under Linux to add a drive without rebooting</title>
      <link>https://blog.wains.be/2013/2013-07-17-linux-rescan-scsi/</link>
      <pubDate>Wed, 17 Jul 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-07-17-linux-rescan-scsi/</guid>
      <description>Date: 2013-07-17 Tags: Linux
Either:
echo &amp;quot;- - -&amp;quot; &amp;gt; /sys/class/scsi_host/host0/scan
Or (usually comes with sg3-utils):
rescan-scsi-bus.sh
If you want to hot extend a drive:
echo 1 &amp;gt; /sys/class/scsi_device/device/rescan
I discovered the extend trick here</description>
    </item>
    
    
    
    <item>
      <title>Print every X line in a file</title>
      <link>https://blog.wains.be/2013/2013-07-09-awk-print-numbered-line/</link>
      <pubDate>Tue, 09 Jul 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-07-09-awk-print-numbered-line/</guid>
      <description>Date: 2013-07-09
In this example, I&amp;rsquo;ll print lines 20, 40, 60, 80, etc. of data.txt:
awk &#39;(NR%20==0)&#39; data.txt
NF The number of fields in the current input record.
NR The total number of input records seen so far.</description>
    </item>
    
    
    
    <item>
      <title>Simple HTTP server with Python</title>
      <link>https://blog.wains.be/2013/2013-07-06-python-webserver/</link>
      <pubDate>Sat, 06 Jul 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-07-06-python-webserver/</guid>
      <description>Simply run this from the command line and it will serve the content of the current directory:
python -m SimpleHTTPServer 80
I recommend setting an alias for that and make sure that the port is always open from the internet. It makes it very easy to share stuff with friends temporarily.
Python 3
SimpleHTTPServer is gone in Python 3.
You can now use:
python3 -m http.server 8000 </description>
    </item>
    
    
    
    <item>
      <title>Evaluating Ansible</title>
      <link>https://blog.wains.be/2013/2013-07-01-evaluating-ansible/</link>
      <pubDate>Mon, 01 Jul 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-07-01-evaluating-ansible/</guid>
      <description>categories: Automation Linux
I&amp;rsquo;m currently actively working on Salt; I actually have a dozen production servers at work running critical services through it. I commit new things into the production branch every couple of days. Since Ansible seems to be all the rage (it has at least convinced a couple of fellow FOSS friends, Fabian, Serge, etc.), I decided to give it a try and compare the two solutions.
I&amp;rsquo;m detailing here how you can start working with Ansible in about 3 minutes.</description>
    </item>
    
    
    
    <item>
      <title>Tomcat 6 webapp authentication against AD</title>
      <link>https://blog.wains.be/2013/2013-06-30-tomcat-6-webapp-authentication-against-ad/</link>
      <pubDate>Sun, 30 Jun 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-06-30-tomcat-6-webapp-authentication-against-ad/</guid>
      <description>categories: Howto Security
Tested on RHEL6
Add the following in /etc/tomcat6/server.xml (before the closing Host tag) :
&amp;lt;Realm userBase=&amp;quot;ou=users,dc=intranet,dc=example,dc=org&amp;quot; referrals=&amp;quot;follow&amp;quot; connectionPassword=&amp;quot;password&amp;quot; userSubtree=&amp;quot;true&amp;quot; connectionURL=&amp;quot;ldap://intranet.example.org:389&amp;quot; roleBase=&amp;quot;ou=users,dc=intranet,dc=example,dc=org&amp;quot; className=&amp;quot;org.apache.catalina.realm.JNDIRealm&amp;quot; roleSubtree=&amp;quot;true&amp;quot; authentication=&amp;quot;simple&amp;quot; userSearch=&amp;quot;(sAMAccountName={0})&amp;quot; connectionName=&amp;quot;username&amp;quot; debug=&amp;quot;99&amp;quot; roleName=&amp;quot;cn&amp;quot; roleSearch=&amp;quot;(member={0})&amp;quot;&amp;gt;&amp;lt;/Realm&amp;gt;
Add your users to the group (role in Tomcat terms, which we&amp;rsquo;ll call &amp;ldquo;myapplication&amp;rdquo; in this example) in AD.
Now edit /etc/tomcat6/tomcat-users.xml with the users :
&amp;lt;user name=&amp;quot;user01&amp;quot; roles=&amp;quot;myapplication&amp;quot;&amp;gt;&amp;lt;/user&amp;gt;
So here we have a group &amp;ldquo;myapplication&amp;rdquo; (matching query &amp;lsquo;roleName=cn&amp;rsquo;) with member=user01</description>
    </item>
    
    
    
    <item>
      <title>VLAN trunking with Cisco Catalyst 2950 &#43; WAP4410N</title>
      <link>https://blog.wains.be/2013/2013-06-30-vlan-trunking-with-cisco-catalyst-2950-wap4410n/</link>
      <pubDate>Sun, 30 Jun 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-06-30-vlan-trunking-with-cisco-catalyst-2950-wap4410n/</guid>
      <description>Tags: Networks
VLAN 10 is WORK
VLAN 20 is HOME
VLAN 30 is GUEST
On the 2950, configure the port to the WAP4410N as trunk :
switch#conf t
switch(config)#interface fastEthernet 0/12
switch(config-if)#description WAP4410N
switch(config-if)#switchport trunk native vlan 30
switch(config-if)#switchport trunk allowed vlan 10,20,30
switch(config-if)#switchport mode trunk
By default all VLANs are allowed on a trunk. It is recommended to specify which VLANs you want on the trunk.
Native VLAN will be the VLAN of any untagged frame.</description>
    </item>
    
    
    
    <item>
      <title>Debian installation over PXE and dnsmasq</title>
      <link>https://blog.wains.be/2013/2013-06-22-debian-installation-over-pxe-and-dnsmasq/</link>
      <pubDate>Sat, 22 Jun 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-06-22-debian-installation-over-pxe-and-dnsmasq/</guid>
      <description>categories: Automation Debian/Ubuntu
The DHCP/TFTP server holds the IP 10.10.0.2
All commands as root :
mkdir -p /srv/tftp
cd /srv/tftp
wget http://ftp.nl.debian.org/debian/dists/wheezy/main/installer-amd64/current/images/netboot/netboot.tar.gz
tar xvzf netboot.tar.gz
chown dnsmasq. * -R
vim /etc/dnsmasq.conf
dhcp-range=LAN,10.10.20.1,10.10.20.254,255.255.0.0,24h
enable-tftp
tftp-root=/srv/tftp
dhcp-boot=pxelinux.0,pxeserver,10.10.0.2
/etc/init.d/dnsmasq restart</description>
    </item>
    
    
    
    <item>
      <title>Repurposing a Barracuda Spam &amp; Virus Firewall</title>
      <link>https://blog.wains.be/2013/2013-06-21-repurposing-a-barracuda-spam-virus-firewall/</link>
      <pubDate>Fri, 21 Jun 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-06-21-repurposing-a-barracuda-spam-virus-firewall/</guid>
      <description>categories: Hardware Linux
I got my hands on an out-of-warranty/subscription/whatever Barracuda unit.
This unit is a Spam &amp;amp; Firewall 400 model from 2009 or something. Basically it&amp;rsquo;s regular computer hardware in a 1U rack, with a Barracuda logo on it.
The mainboard is an MSI MS-7309, the CPU is an Athlon clocked at 2.7 GHz (VT available and enabled by default), and it has 2 GB of RAM. Storage is two 250 GB drives in a software RAID setup.</description>
    </item>
    
    
    
    <item>
      <title>mod_proxy_balancer on RHEL6</title>
      <link>https://blog.wains.be/2013/2013-06-06-mod_proxy_balancer-on-rhel6/</link>
      <pubDate>Thu, 06 Jun 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-06-06-mod_proxy_balancer-on-rhel6/</guid>
      <description>Tags: Apache, Linux, Red Hat/CentOS
Tested on RHEL 6. This is the simplest setup possible, for my own reference. I may come up with a Salt state in the future.
Reference : http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html
/etc/httpd/conf.d/balancer-manager.conf :
`
&amp;lt;Location /balancer-manager&amp;gt;
SetHandler balancer-manager
Order Deny,Allow
Deny from all
Allow from 192.168.0.0/24
&amp;lt;/Location&amp;gt;
`
/etc/httpd/conf.d/vhost.conf :
`
&amp;lt;VirtualHost *:80&amp;gt;
ServerAdmin someadmin@example.org
ServerName xyz.example.org
&amp;lt;Proxy balancer://xyz_example_org&amp;gt;
BalancerMember http://backend01.example.org:80
BalancerMember http://backend02.example.org:80
ProxyPass /balancer-manager !</description>
    </item>
    
    
    
    <item>
      <title>Salt Stack, a (serious) alternative to Puppet</title>
      <link>https://blog.wains.be/2013/2013-04-05-salt-stack-a-serious-alternative-to-puppet/</link>
      <pubDate>Fri, 05 Apr 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-04-05-salt-stack-a-serious-alternative-to-puppet/</guid>
      <description>I couldn&amp;rsquo;t write it better : see http://www.lecloud.net/post/29325359938/salt-to-the-rescue
So basically, Salt is a configuration management system (à la Puppet) and allows remote execution (à la Rundeck).
First things first, it is very easy to install. I know Puppet now offers repositories and it&amp;rsquo;s probably as easy, but Salt is just a package with a couple of dependencies. Actually to achieve the same tasks you have to have Puppet and Mcollective, which are still two distinct products.</description>
    </item>
    
    
    
    <item>
      <title>See changes made to a filesystem with inotify</title>
      <link>https://blog.wains.be/2013/2013-04-05-see-changes-made-to-a-filesystem-with-inotify/</link>
      <pubDate>Fri, 05 Apr 2013 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2013/2013-04-05-see-changes-made-to-a-filesystem-with-inotify/</guid>
      <description>categories: Linux Scripts
Install the package &amp;ldquo;inotify-tools&amp;rdquo; with your package manager (in EPEL for RHEL).
Then create and execute this script :
inotifywait -m -r --format $&#39;%T %e %w%f&#39; --timefmt &#39;%H:%M:%S&#39; --exclude ~/&#39;(\.mozilla|Documents/KeepNote)&#39; -e modify -e move -e create -e delete ~ 2&amp;gt;&amp;amp;1 | awk &#39;
/^[0-9]/ {
  sub(/&#39;&amp;quot;${HOME//\//\\/}&amp;quot;&#39;/, &amp;quot;~&amp;quot;, $0)
  split($0, a, &amp;quot; &amp;quot;)
  len = length(a[1]) + length(a[2]) + 1
  printf &amp;quot;%-20s %s\n&amp;quot;, substr($0, 0, len), substr($0, len+2)
  # flush stdout
  system(&amp;quot;&amp;quot;)
  next
}
{ print; system(&amp;quot;&amp;quot;) }
&#39; | tee -a /tmp/home_monitor
Source : http://blog.</description>
    </item>
    
    
    
    <item>
      <title>Rundeck howto and examples</title>
      <link>https://blog.wains.be/2012/2012-12-03-rundeck-howto-and-examples/</link>
      <pubDate>Mon, 03 Dec 2012 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2012/2012-12-03-rundeck-howto-and-examples/</guid>
      <description>categories: Automation Linux Tools
Quoting rundeck.org : Rundeck is an Open Source process automation and command orchestration tool with a web console.
As I understand it, it&amp;rsquo;s a fork of Control Tier : www.controltier.org
I&amp;rsquo;m usually all for the command-line, but you have to admit the devs have done a pretty good job regarding the web console. The documentation is pretty good as well. No need to install agents on your servers.</description>
    </item>
    
    
    
    <item>
      <title>ActiveMQ 5.4.x install under RHEL 5.x</title>
      <link>https://blog.wains.be/2012/2012-01-06-activemq-5-4-x-install-under-rhel-5-x/</link>
      <pubDate>Fri, 06 Jan 2012 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2012/2012-01-06-activemq-5-4-x-install-under-rhel-5-x/</guid>
      <description>categories: ActiveMQ Howto Linux
Tested with ActiveMQ 5.4.3, Red Hat Linux Enterprise 5.7 64 bits with Sun JVM 1.5
ActiveMQ 5.5.x requires JVM 1.6
The following is a simple copy and paste howto. Simply adapt the install variables and you&amp;rsquo;re good to go.
Let&amp;rsquo;s declare some variables for the install process :
AMQDIR=&amp;quot;/usr/local&amp;quot;
VERSION=&amp;quot;5.4.3&amp;quot;
Download and installation :
cd /root
wget http://apache.cu.be//activemq/apache-activemq/$VERSION/apache-activemq-$VERSION-bin.tar.gz
cp /root/apache-activemq-$VERSION-bin.tar.gz $AMQDIR
cd $AMQDIR
tar xvzf apache-activemq-$VERSION-bin.tar.gz
chown root.</description>
    </item>
    
    
    
    <item>
      <title>Two step authentication on SSH with Google Authenticator under Debian Sid</title>
      <link>https://blog.wains.be/2011/2011-10-25-two-step-authentication-on-ssh-with-google-authenticator-under-debian-sid/</link>
      <pubDate>Tue, 25 Oct 2011 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2011/2011-10-25-two-step-authentication-on-ssh-with-google-authenticator-under-debian-sid/</guid>
      <description>categories: Debian/Ubuntu Howto Security
On a Debian Sid system, install the following :
apt-get install libpam-google-authenticator
Edit /etc/ssh/sshd_config and set :
ChallengeResponseAuthentication yes
Restart the service :
service ssh restart
Now run :
google-authenticator
Scan the barcode from the Google Authenticator app on your mobile device.
Edit /etc/pam.d/sshd and add at the very beginning of the file :
auth required pam_google_authenticator.so
Now test an SSH connection. You should be prompted by a cool &amp;ldquo;Verification code :&amp;rdquo;, then by the regular password prompt.</description>
    </item>
    
    
    
    <item>
      <title>Spin down external USB drive on Debian Squeeze</title>
      <link>https://blog.wains.be/2011/2011-08-04-spin-down-external-usb-drive-on-debian-squeeze/</link>
      <pubDate>Thu, 04 Aug 2011 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2011/2011-08-04-spin-down-external-usb-drive-on-debian-squeeze/</guid>
      <description>categories: Debian/Ubuntu Linux
It seems like I have at least two options to spin down my external USB drive used for rsnapshot backups (Iomega 1TB). In the first place, I assumed it would spin down by itself by simply unmounting the volume, like on the Mac. But it doesn&amp;rsquo;t.
So I gave sdparm a try :
sdparm --command=stop /dev/backupdrive
It doesn&amp;rsquo;t work :-)
I found a working solution at http://forums.debian.net/viewtopic.php?f=7&amp;amp;t=60122</description>
    </item>
    
    
    
    <item>
      <title>Large files uploading fail with Apache &#43; PHP &#43; APC</title>
      <link>https://blog.wains.be/2011/2011-07-06-large-files-uploading-fail-with-apache-php-apc/</link>
      <pubDate>Wed, 06 Jul 2011 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2011/2011-07-06-large-files-uploading-fail-with-apache-php-apc/</guid>
      <description>categories: Apache
We had one quite interesting problem at work.
We had a Drupal site where we couldn&amp;rsquo;t upload files larger than 32 MB, while having in php.ini :
upload_max_filesize = 200 MB
post_max_size = 200M
After disabling APC, we could upload larger files.
It seems that changing the following in apc.ini
apc.rfc1867_freq=0
to
apc.rfc1867_freq=100k
fixed the problem.
Doc : http://www.php.net/manual/en/apc.configuration.php#ini.apc.rfc1867-freq
apc.rfc1867_freq string The frequency that updates should be made to the user cache entry for upload progress.</description>
    </item>
    
    
    
    <item>
      <title>Authenticate Linux Red Hat with Microsoft Active Directory</title>
      <link>https://blog.wains.be/2011/2011-04-11-authenticate-linux-red-hat-with-microsoft-active-directory/</link>
      <pubDate>Mon, 11 Apr 2011 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2011/2011-04-11-authenticate-linux-red-hat-with-microsoft-active-directory/</guid>
      <description>2011-04-11
Tested with Active Directory 2003 and RHEL 6.0
Tested with Active Directory 2012 and RHEL 7.2 (September 2016)
What we want to do :
authentication against AD using Winbind and Kerberos
allowing local and remote (SSH) authentication to members of a specific AD group (linuxadmin)
allowing members of linuxadmin to use sudo
UID/GID mapping against AD
user homedir will be created at first login using pam_mkhomedir
still possible to log in using local accounts, in case AD is unavailable
Check if resolution works:</description>
    </item>
    
    
    
    <item>
      <title>Postfix ignoring /etc/aliases under Debian ?</title>
      <link>https://blog.wains.be/2011/2011-04-05-postfix-ignoring-etcaliases-under-debian/</link>
      <pubDate>Tue, 05 Apr 2011 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2011/2011-04-05-postfix-ignoring-etcaliases-under-debian/</guid>
      <description>categories: Debian/Ubuntu Linux Postfix
So you are running Debian, you added some aliases into /etc/aliases, ran newaliases, but Postfix won&amp;rsquo;t take aliases into account despite what seems to be a correct configuration :
/etc/postfix/main.cf :
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
/etc/aliases :
account: someone@example.org
Check the myorigin parameter :
# postconf myorigin
myorigin = /etc/mailname
Now if you check the content of /etc/mailname :
# cat /etc/mailname
srv.intranet.example.com
Change that to &amp;ldquo;intranet.</description>
    </item>
    
    
    
    <item>
      <title>Importing certificates on Android (CA and client)</title>
      <link>https://blog.wains.be/2011/2011-03-13-importing-certificates-on-android-ca-and-client/</link>
      <pubDate>Sun, 13 Mar 2011 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2011/2011-03-13-importing-certificates-on-android-ca-and-client/</guid>
      <description>categories: Android
Tested on my HTC Hero running Android 2.2.1
They do not make it terribly obvious, so I believe this is worth a post.
Android will not import CA cert in the PEM format, you&amp;rsquo;ll get a &amp;ldquo;no certificate to install&amp;rdquo; message at some point.
You actually have to export a P12 certificate containing the client certificate and the CA.
Use this command : openssl pkcs12 -export -in clientcert.pem -inkey clientcert.</description>
    </item>
    
    
    
    <item>
      <title>DRBD on Red Hat Enterprise Linux 5</title>
      <link>https://blog.wains.be/2011/2011-02-16-drbd-on-red-hat-enterprise-linux-5/</link>
      <pubDate>Wed, 16 Feb 2011 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2011/2011-02-16-drbd-on-red-hat-enterprise-linux-5/</guid>
      <description>categories: High-Availability Red Hat/CentOS
This is a rough guide and really for future personal reference so I can rebuild a DRBD cluster in 3 minutes, without having to dig into DRBD docs again. Please correct me if something is wrong (I&amp;rsquo;m thinking about DRBD gurus, Arrfab coming to mind :-)).
This worked for me on RHEL5.6 64 bits and DRBD 8.2.
I&amp;rsquo;ll call the DRBD resource &amp;ldquo;DRBDCluster&amp;rdquo;
Install drbd8X and kmod-drbd8X (grab the RPMS at your favorite RPM retailer.</description>
    </item>
    
    
    
    <item>
      <title>Red Hat Cluster - VMware ESX fencing</title>
      <link>https://blog.wains.be/2011/2011-02-16-red-hat-cluster-vmware-esx-fencing/</link>
      <pubDate>Wed, 16 Feb 2011 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2011/2011-02-16-red-hat-cluster-vmware-esx-fencing/</guid>
      <description>categories: High-Availability Red Hat/CentOS
Tested on Red Hat Enterprise Linux 5.6 64 bits and VMware ESX 3.5
Edit November 2011 : Tested on RHEL6.1 and VMware ESX 4.1
If you set up a cluster, in case of failure, you&amp;rsquo;ll probably want the surviving host to be able to &amp;ldquo;fence&amp;rdquo; or &amp;ldquo;stonith&amp;rdquo; the faulty node.
Red Hat Cluster provides a collection of scripts for that purpose (for APC, ILO, DRAC, etc. and VMware).</description>
    </item>
    
    
    
    <item>
      <title>Find IP ranges from an ASN</title>
      <link>https://blog.wains.be/2010/2010-12-30-find-ip-ranges-from-an-asn/</link>
      <pubDate>Thu, 30 Dec 2010 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-12-30-find-ip-ranges-from-an-asn/</guid>
      <description>categories: Networks
$ whois 217.136.0.0 | grep origin:
origin: AS5432
$ whois -h whois.ripe.net -i origin -T route AS5432 | grep -w &amp;quot;route:&amp;quot; | awk &#39;{print $NF}&#39; |sort -n</description>
    </item>
    
    
    
    <item>
      <title>Servname not supported for ai_socktype</title>
      <link>https://blog.wains.be/2010/2010-12-21-servname-not-supported-for-ai_socktype/</link>
      <pubDate>Tue, 21 Dec 2010 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-12-21-servname-not-supported-for-ai_socktype/</guid>
      <description>categories: Linux
If you get something like :
fetchmail: getaddrinfo(&amp;quot;pop.gmail.com&amp;quot;,&amp;quot;pop3s&amp;quot;) error: Servname not supported for ai_socktype
Make sure /etc/services exists and/or is readable (644).</description>
    </item>
    
    
    
    <item>
      <title>Brother HL-2150N toner rip off. And how to fix it.</title>
      <link>https://blog.wains.be/2010/2010-12-04-brother-hl-2150n-toner-rip-off-and-how-to-fix-it/</link>
      <pubDate>Sat, 04 Dec 2010 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-12-04-brother-hl-2150n-toner-rip-off-and-how-to-fix-it/</guid>
      <description>categories: Misc
I bought a Brother HL-2150N printer a couple of months ago. It&amp;rsquo;s actually a pretty nice B/W network laser printer, tagged at an affordable price. It works out of the box on OS X and Linux. Also, I was able to get the number of printed pages in Cacti, through SNMP. Pretty cool.
I don&amp;rsquo;t print a lot, and usually nothing that requires color (flight reservations, administrative stuff, etc.</description>
    </item>
    
    
    
    <item>
      <title>Setting up Synergy between Mac OS and Linux</title>
      <link>https://blog.wains.be/2010/2010-09-02-setting-up-synergy-between-mac-os-and-linux/</link>
      <pubDate>Thu, 02 Sep 2010 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-09-02-setting-up-synergy-between-mac-os-and-linux/</guid>
      <description>categories: Apple/Mac OS Linux
This post should be OK for any kind of client/server combination. It&amp;rsquo;s just that I only had a MacBook and a Linux netbook at hand at the time of writing.
Quoting their homepage : &amp;ldquo;Synergy lets you easily share a single mouse and keyboard between multiple computers with different operating systems, without special hardware. All you need is a LAN connection. It&amp;rsquo;s intended for users with multiple computers, where each system uses its own display.</description>
    </item>
    
    
    
    <item>
      <title>Force SSH password authentication</title>
      <link>https://blog.wains.be/2010/2010-08-31-force-ssh-password-authentication/</link>
      <pubDate>Tue, 31 Aug 2010 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-08-31-force-ssh-password-authentication/</guid>
      <description>categories: SSH
If for some reason you want to disable public key authentication temporarily when SSH&amp;rsquo;ing into a machine, type :
ssh -o PubkeyAuthentication=no user@machine
You should get the prompt for the password.
This goes without saying, but ChallengeResponseAuthentication (at least on Debian) must be set to yes on the server side for this to work.
Thanks to Philip for proof-reading this post :-)</description>
    </item>
    
    
    
    <item>
      <title>Red Hat Cluster Suite monitoring with SNMP</title>
      <link>https://blog.wains.be/2010/2010-08-26-red-hat-cluster-suite-monitoring-with-snmp/</link>
      <pubDate>Thu, 26 Aug 2010 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-08-26-red-hat-cluster-suite-monitoring-with-snmp/</guid>
      <description>categories: High-Availability Red Hat/CentOS
I&amp;rsquo;ll consider your cluster is already up and running.
Install cluster-snmp (available in Red Hat Cluster repository) :
yum install cluster-snmp
Let&amp;rsquo;s see what we have in there :
# rpm -ql cluster-snmp
/usr/lib/cluster-snmp
/usr/lib/cluster-snmp/libClusterMonitorSnmp.so
/usr/share/doc/cluster-snmp-0.12.1
/usr/share/doc/cluster-snmp-0.12.1/COPYING
/usr/share/doc/cluster-snmp-0.12.1/README
/usr/share/doc/cluster-snmp-0.12.1/README.snmpd
/usr/share/doc/cluster-snmp-0.12.1/REDHAT-CLUSTER-MIB
/usr/share/doc/cluster-snmp-0.12.1/REDHAT-MIB
/usr/share/snmp/mibs/REDHAT-CLUSTER-MIB
/usr/share/snmp/mibs/REDHAT-MIB
Now on every node of the cluster, edit /etc/snmp/snmpd.conf and add this :
At the very beginning of the file : dlmod RedHatCluster /usr/lib/cluster-snmp/libClusterMonitorSnmp.</description>
    </item>
    
    
    
    <item>
      <title>Debugging Multicast</title>
      <link>https://blog.wains.be/2010/2010-08-16-debugging-multicast/</link>
      <pubDate>Mon, 16 Aug 2010 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-08-16-debugging-multicast/</guid>
      <description>categories: Networks
On the &amp;ldquo;client&amp;rdquo; side :
iperf -u -c 239.192.95.98 -p 10000 -b 1 -i 5 -T 10 -t 120
-u : use UDP
-c : run in client mode
-p : port
-b : bandwidth in bits/sec
-i : interval in seconds
-T : TTL
-t : time to transmit in seconds
On the &amp;ldquo;server&amp;rdquo; side :
iperf -s -i 1 -u -B 239.192.95.98 -p 10000
-s : run in server mode
-B : bind to multicast address</description>
    </item>
    
    
    
    <item>
      <title>Debian - purge packages marked with rc status</title>
      <link>https://blog.wains.be/2010/2010-08-04-debian-purge-packages-marked-with-rc-status/</link>
      <pubDate>Wed, 04 Aug 2010 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-08-04-debian-purge-packages-marked-with-rc-status/</guid>
      <description>categories: Debian/Ubuntu
Packages with rc status are not completely removed from the system; their configuration files are still present.
If you have a bunch of rc packages you need to purge, as root, type :
dpkg --list |grep &amp;quot;^rc&amp;quot; | cut -d &amp;quot; &amp;quot; -f 3 | xargs sudo dpkg --purge
Source : http://joysofprogramming.com/remove-packages-marked-rc/</description>
    </item>
    
    
    
    <item>
      <title>Simple HTTP server from the command line</title>
      <link>https://blog.wains.be/2010/2010-07-27-simple-http-server-from-the-command-line/</link>
      <pubDate>Tue, 27 Jul 2010 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-07-27-simple-http-server-from-the-command-line/</guid>
      <description>categories: Tools
Tested under Debian Lenny and Mac OS 10.6.3
I&amp;rsquo;ve been using this one for a year or so but failed to share it until now..
python -m SimpleHTTPServer 8000
This will start a simple HTTP server listening on port 8000. Python needed, of course.
Run that command from the folder you want to share.
By the way if William from Paris is reading this, thanks for the book :-)</description>
    </item>
    
    
    
    <item>
      <title>HTC Hero under Android 2.1 &#43; root &#43; tethering &#43; OpenVPN</title>
      <link>https://blog.wains.be/2010/2010-07-08-htc-hero-under-android-2-1-root-tethering-openvpn/</link>
      <pubDate>Thu, 08 Jul 2010 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-07-08-htc-hero-under-android-2-1-root-tethering-openvpn/</guid>
      <description>categories: Android VPN
So I finally jumped into the wonderful world of custom ROM, with my HTC Hero (unbranded German unit).
This phone was very slow and frustrating with the stock 1.5 ROM. I was planning on getting the Nexus One while being in the US in late June, but finally preferred giving the custom ROM option a try. I think I was right, this saved me a couple hundred dollars, and the phone is amazingly fast now.</description>
    </item>
    
    
    
    <item>
      <title>Several workspaces on Ubuntu Netbook Remix</title>
      <link>https://blog.wains.be/2010/2010-06-03-several-workspaces-on-ubuntu-netbook-remix/</link>
      <pubDate>Thu, 03 Jun 2010 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-06-03-several-workspaces-on-ubuntu-netbook-remix/</guid>
      <description>categories: Debian/Ubuntu
Workspaces are &amp;ldquo;disabled&amp;rdquo; by default in Ubuntu Netbook Remix (actually set to one workspace)
If you want 4 workspaces, in a terminal type : gconftool-2 -s /apps/metacity/general/num_workspaces 4 --type int
You&amp;rsquo;ll navigate in the workspaces with the usual keyboard shortcuts : ctrl + alt + left/right arrow keys And : ctrl + alt + shift + left/right to move windows from one space to another.</description>
    </item>
    
    
    
    <item>
      <title>SSH - add port forwardings on a live connection with EscapeChar</title>
      <link>https://blog.wains.be/2010/2010-04-29-ssh-add-port-forwardings-on-a-live-connection-with-escapechar/</link>
      <pubDate>Thu, 29 Apr 2010 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-04-29-ssh-add-port-forwardings-on-a-live-connection-with-escapechar/</guid>
      <description>categories: SSH
Excerpt from the man page :
The interesting part is in bold.
When a pseudo-terminal has been requested, ssh supports a number of functions through the use of an escape character. A single tilde character can be sent as ~~ or by following the tilde by a character other than those described below. The escape character must always follow a newline to be interpreted as special. The escape character can be changed in configuration files using the EscapeChar configuration directive or on the command line by the -e option.</description>
    </item>
    
    
    
    <item>
      <title>Force IP renewal on Cisco 837</title>
      <link>https://blog.wains.be/2010/2010-04-28-force-ip-renewal-on-cisco-837/</link>
      <pubDate>Wed, 28 Apr 2010 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-04-28-force-ip-renewal-on-cisco-837/</guid>
      <description>categories: Networks
Belgacom ISP forces an IP renewal for their residential ADSL customers every 36 hours for whatever stupid purpose (annoy us, sell their fixed IP option, etc.).
Here&amp;rsquo;s how I force my Cisco 837 router to renew its WAN IP every night at 01:00am :
kron occurrence RENEW_IP at 1:00 recurring
 policy-list RENEW_IP
kron policy-list RENEW_IP
 cli clear interface Dialer 1
I&amp;rsquo;m less likely to lose my SSH/VPN connections now..</description>
    </item>
    
    
    
    <item>
      <title>Udev - always the same device name for your USB drives</title>
      <link>https://blog.wains.be/2010/2010-04-10-udev-always-the-same-device-name-for-your-usb-drives/</link>
      <pubDate>Sat, 10 Apr 2010 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-04-10-udev-always-the-same-device-name-for-your-usb-drives/</guid>
      <description>categories: Linux
Tested on Debian Lenny
This is how your USB drive will get the same device name (/dev/sdXX or whatever) no matter when or which USB port you plug it in.
# udevinfo -a -p $(udevinfo -q path -n /dev/sdd1)
Where /dev/sdd1 is the partition you want to always get the same device name.
You&amp;rsquo;ll get a bunch of output, but this is the interesting part :
looking at parent device &#39;/devices/pci0000:00/0000:00:1d.</description>
    </item>
    
    
    
    <item>
      <title>Adding a new disk drive to a Linux VMware host without rebooting</title>
      <link>https://blog.wains.be/2010/2010-03-24-adding-a-new-disk-drive-to-a-vmware-host-without-rebooting/</link>
      <pubDate>Wed, 24 Mar 2010 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-03-24-adding-a-new-disk-drive-to-a-vmware-host-without-rebooting/</guid>
      <description>categories: Linux Virtualization
After adding a new drive to a VMware (and probably other virtualization systems) host, it is possible to make the Linux OS rescan the SCSI bus. The new drive would appear without the need to reboot the host.
Use the following command :
echo &amp;quot;- - -&amp;quot; &amp;gt; /sys/class/scsi_host/hostX/scan
hostX is usually host0.
If you check the output of dmesg, you should see the new drive detected. You can then proceed and partition and format your new drive.</description>
    </item>
    
    
    
    <item>
      <title>Tool of the day - etckeeper</title>
      <link>https://blog.wains.be/2010/2010-02-09-tool-of-the-day-etckeeper/</link>
      <pubDate>Tue, 09 Feb 2010 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-02-09-tool-of-the-day-etckeeper/</guid>
      <description>categories: Linux Versioning
http://joey.kitenet.net/code/etckeeper/
etckeeper is a collection of tools to let /etc be stored in a git, mercurial, darcs, or bzr repository. It hooks into apt (and other package managers including yum and pacman-g2) to automatically commit changes made to /etc during package upgrades. It tracks file metadata that revision control systems do not normally support, but that is important for /etc, such as the permissions of /etc/shadow. It&#39;s quite modular and configurable, while also being simple to use if you understand the basics of working with revision control.</description>
    </item>
    
    
    
    <item>
      <title>Asterisk Wake Up call application</title>
      <link>https://blog.wains.be/2010/2010-02-02-asterisk-wake-up-call-application/</link>
      <pubDate>Tue, 02 Feb 2010 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-02-02-asterisk-wake-up-call-application/</guid>
      <description>categories:
Asterisk VoIP If you want to be awakened by your Asterisk PBX, here&amp;rsquo;s a simple bit of code to add in your dial plan.
Basically, you would call 9253 followed by the time the phone should ring, for example if you want to wake up at 06:30am you would call 92530630 before going to bed (on your dialpad WAKE0630).
If you want to delete the 0630am alarm, call 6692530630 (on dialpad NOWAKE0630).</description>
    </item>
    
    
    
    <item>
      <title>A basic OpenLDAP server in under 15 minutes</title>
      <link>https://blog.wains.be/2010/2010-01-27-a-basic-openldap-server-in-under-15-minutes/</link>
      <pubDate>Wed, 27 Jan 2010 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-01-27-a-basic-openldap-server-in-under-15-minutes/</guid>
      <description>categories:
Debian/Ubuntu Howto LDAP Tested under Debian Lenny
This howto is basic, as in &amp;ldquo;no security involved&amp;rdquo;. I may come up with a second part to this guide about securing OpenLDAP with TLS, if I ever find the time. Meanwhile see http://www.openldap.org/doc/admin23/security.html for the security aspect of things.
In this example, I&amp;rsquo;ll create a tree following this scheme : dc=my,dc=domain,dc=tld. It&amp;rsquo;s really up to you how you organize your tree, it&amp;rsquo;s really for organizational purposes.</description>
    </item>
    
    
    
    <item>
      <title>Apache - simple authentication and LDAP authentication examples</title>
      <link>https://blog.wains.be/2010/2010-01-26-apache-simple-authentication-and-ldap-authentication-examples/</link>
      <pubDate>Tue, 26 Jan 2010 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-01-26-apache-simple-authentication-and-ldap-authentication-examples/</guid>
      <description>categories:
Apache LDAP The following are based on an OpenLDAP directory :
Simple authentication :
User credentials are stored in a file created with the htpasswd command
AuthType Basic
AuthName &amp;quot;Authentication&amp;quot;
AuthUserFile /etc/apache2/passwd-file
Require user username1 username2
If we want to allow all users in passwd-file, use : Require valid-user
LDAP user authentication :
We allow user1 and user2 found in the branch ou=People,dc=domain,dc=tld
AuthName &amp;quot;Authentication&amp;quot;
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://127.</description>
    </item>
    
    
    
    <item>
      <title>Local user authentication with FreeRADIUS </title>
      <link>https://blog.wains.be/2010/2010-01-25-local-user-authentication-with-freeradius/</link>
      <pubDate>Mon, 25 Jan 2010 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-01-25-local-user-authentication-with-freeradius/</guid>
      <description>categories:
Debian/Ubuntu Howto Networks RADIUS Wifi This one is a bit less complex than http://blog.wains.be/post/wpa2-freeradius-eap-tls/
This is actually the most basic RADIUS configuration ever, useful for quick tests. I can only recommend checking the post mentioned above if you want to do something serious.
# apt-get install freeradius
# vim /etc/freeradius/users
login Cleartext-Password := &amp;quot;password&amp;quot;
login2 Cleartext-Password := &amp;quot;password2&amp;quot;
# vim /etc/freeradius/clients.conf
client localhost {
    ipaddr = 127.0.0.1
    secret = radiuspassword
}
client router {
    ipaddr = 10.</description>
    </item>
    
    
    
    <item>
      <title>Postfix &#43; virtual users/groups/aliases stored in LDAP</title>
      <link>https://blog.wains.be/2010/2010-01-25-postfix-virtual-usersgroupsaliases-stored-in-ldap/</link>
      <pubDate>Mon, 25 Jan 2010 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-01-25-postfix-virtual-usersgroupsaliases-stored-in-ldap/</guid>
      <description>categories:
Howto LDAP Postfix This will just explain the configuration files needed for Postfix to check against the LDAP server.
We want to be able to send emails to username@domain.tld
We also want to have aliases for our users, for example : firstname.lastname@domain.tld pointing to username@domain.tld
Finally, we want groups to act as a mailing list, forwarding emails to members of the group, for example : support@domain.tld
LDAP tree
&amp;lt;code&amp;gt;dc=domain,dc=tld |-------ou=Aliases,dc=domain,dc=tld |---------------cn=support,ou=Aliases,dc=domain,dc=tld | |	cn : support |	description : alias support |	gidNumber : 50000 |	mailRoutingAddress : support@domain.</description>
    </item>
    
    
    
    <item>
      <title>Asterisk - XMPP notifications for missed calls</title>
      <link>https://blog.wains.be/2010/2010-01-20-asterisk-xmpp-notifications-for-missed-calls/</link>
      <pubDate>Wed, 20 Jan 2010 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-01-20-asterisk-xmpp-notifications-for-missed-calls/</guid>
      <description>categories:
Asterisk Howto VoIP Tested under Asterisk 1.4.21.
If someone calls and hangs up before leaving a voicemail (that means while the phone is ringing or during voicemail message), Asterisk will send a &amp;ldquo;missed call&amp;rdquo; notification by XMPP/Jabber.
/etc/asterisk/jabber.conf :
This file contains the info for Asterisk to connect to the Jabber server. When restarting Asterisk, it will connect automatically and add contacts specified under buddy fields to its contact list.</description>
    </item>
    
    
    
    <item>
      <title>Installing TRAC with Apache2 and mod-python on Debian Lenny</title>
      <link>https://blog.wains.be/2010/2010-01-20-installing-trac-with-apache2-and-mod-python-on-debian-lenny/</link>
      <pubDate>Wed, 20 Jan 2010 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-01-20-installing-trac-with-apache2-and-mod-python-on-debian-lenny/</guid>
      <description>categories:
Apache Debian/Ubuntu Howto Versioning This is based on a fresh install.
Install the necessary stuff :
# apt-get install apache2 subversion trac
libapache2-svn will enable dav and dav_fs modules.
More stuff :
# apt-get install libapache2-mod-python
Create your directories for TRAC environments (/home/trac/), projects source files (/home/dev/) and SVN repositories (/home/svn/) :
# mkdir /home/{trac,dev,svn}
Create your first project :
# mkdir /home/dev/project1
Create the SVN repository for the project :</description>
    </item>
    
    
    
    <item>
      <title>Asterisk dependencies on Debian Lenny or Squeeze ??</title>
      <link>https://blog.wains.be/2010/2010-01-15-asterisk-dependencies-on-debian-lenny-or-squeeze/</link>
      <pubDate>Fri, 15 Jan 2010 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-01-15-asterisk-dependencies-on-debian-lenny-or-squeeze/</guid>
      <description>categories:
Asterisk Debian/Ubuntu Can someone explain why build-essential is a dependency of Asterisk under Lenny or Squeeze ?
142 MB.. seriously ? Meanwhile Askozia fits on 30 MB, and that includes the OS.
# apt-get install asterisk
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
asterisk-config asterisk-sounds-main binutils build-essential bzip2 ca-certificates cpp cpp-4.3 debhelper dpkg-dev file g++ g++-4.3 gcc gcc-4.3 gettext gettext-base html2text intltool-debian libasound2 libc-client2007b libc6-dev libcap2 libcompress-raw-zlib-perl libcompress-zlib-perl libcurl3 libdigest-hmac-perl libdigest-sha1-perl libfile-remove-perl libgmp3c2 libgomp1 libgsm1 libidn11 libiksemel3 libio-compress-base-perl libio-compress-zlib-perl libio-stringy-perl libldap-2.</description>
    </item>
    
    
    
    <item>
      <title>AFP server in under 15 minutes (Debian)</title>
      <link>https://blog.wains.be/2010/2010-01-14-afp-server-in-under-15-minutes-debian/</link>
      <pubDate>Thu, 14 Jan 2010 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-01-14-afp-server-in-under-15-minutes-debian/</guid>
      <description>categories:
Apple/Mac OS Debian/Ubuntu Howto Tested under Debian Lenny 32 bits.
This howto is based on http://www.kremalicious.com/2008/06/ubuntu-as-mac-file-server-and-time-machine-volume/ Matthias&amp;rsquo; post is very comprehensive. This post is basically a raw copy-paste of commands; if you want more information, go see Matthias&amp;rsquo; post. If you find this useful, please give credit to Matthias :-)
Why AFP (Apple Filing Protocol) ?
I wanted to see if AFP was faster than SMB. A quick test showed my Macbook (running OS 10.</description>
    </item>
    
    
    
    <item>
      <title>Nagios &#43; SMS notifications with Gammu and Siemens MC35i</title>
      <link>https://blog.wains.be/2010/2010-01-05-nagios-sms-notifications-gammu-siemensmc35i/</link>
      <pubDate>Tue, 05 Jan 2010 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-01-05-nagios-sms-notifications-gammu-siemensmc35i/</guid>
      <description>categories:
High-Availability Howto What you need :
a working Nagios
a GSM modem (this has been tested with a Siemens MC35i) or a cellphone with modem capabilities supported by Linux (I don&amp;rsquo;t have that)
Gammu
Set up the modem :
Connect the GSM modem to the Nagios machine through the serial port and make sure it receives signal from the carrier (LED blinking slowly means everything is OK, if not it blinks fast)</description>
    </item>
    
    
    
    <item>
      <title>Proxmox VE - accessing COM port from the host in a VM</title>
      <link>https://blog.wains.be/2010/2010-01-05-proxmox-ve-accessing-com-port-from-the-host-in-a-vm/</link>
      <pubDate>Tue, 05 Jan 2010 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2010/2010-01-05-proxmox-ve-accessing-com-port-from-the-host-in-a-vm/</guid>
      <description>categories:
Virtualization If you want to access the COM/serial port of your host machine from a KVM virtual machine in Proxmox VE, simply do the following :
vim /etc/qemu-server/104.conf where 104 is the ID of the VM
add &amp;ldquo;args: -serial /dev/ttyS0&amp;rdquo; to the end of the file
It should look like this :
name: testVM
ide2: debian-500-i386-netinst.iso,media=cdrom
smp: 1
vlan0: rtl8139=XX:XX:XX:XX:XX:XX
bootdisk: ide0
ide0: vm-104-disk.qcow2
ostype: other
memory: 256
args: -serial /dev/ttyS0</description>
    </item>
    
    
    
    <item>
      <title>Script - renew your IP automatically through your router web interface</title>
      <link>https://blog.wains.be/2009/2009-09-24-script-renew-your-ip-automatically-through-your-router-web-interface/</link>
      <pubDate>Thu, 24 Sep 2009 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2009/2009-09-24-script-renew-your-ip-automatically-through-your-router-web-interface/</guid>
      <description>categories:
Scripts A little background :
If you are not interested in the explanation behind this, skip to the script section.
OK, I&amp;rsquo;ve been using Scarlet ISP for my DSL connection for something like 5 years. My contract mentions I get a dynamic IP. The thing is, until two days ago, as long as my DSL router remained connected, I was keeping the same IP. Scarlet didn&amp;rsquo;t mind until Belgacom ISP bought them.</description>
    </item>
    
    
    
    <item>
      <title>WPA2 &#43; FreeRADIUS &#43; EAP-TLS</title>
      <link>https://blog.wains.be/2009/2009-09-13-wpa2-freeradius-eap-tls/</link>
      <pubDate>Sun, 13 Sep 2009 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2009/2009-09-13-wpa2-freeradius-eap-tls/</guid>
      <description>categories:
Debian/Ubuntu Howto Networks RADIUS Security Wifi WPA/WPA2 Enterprise on your wired or wireless network. Tested under Debian Lenny (server side) and Mac OS X 10.6, Windows XP and Android 2.2, Ubuntu 10.10 (client side)
BUILDING AND INSTALLING FREERADIUS WITH TLS SUPPORT
This step is not needed anymore: starting from Debian Squeeze, FreeRADIUS comes with TLS support. Please do not build stuff on your production server. Build on a dedicated build machine and then install the resulting packages on the production server.</description>
    </item>
    
    
    
    <item>
      <title>Mac OS X - Time Machine backup on a Samba drive</title>
      <link>https://blog.wains.be/2009/2009-08-20-mac-os-x-time-machine-backup-on-a-samba-drive/</link>
      <pubDate>Thu, 20 Aug 2009 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2009/2009-08-20-mac-os-x-time-machine-backup-on-a-samba-drive/</guid>
      <description>categories:
Apple/Mac OS Howto Edit Jan 2010 : you can also run Time Machine backups on an AFP drive, which is faster (at least for me), see http://blog.wains.be/post/afp-server-in-under-15-minutes-debian/ for more info on installing Netatalk on your server.
Time Machine, the built-in backup utility of OS X is nice (in a &amp;ldquo;run and forget about it&amp;rdquo; way) but has a few limitations. The major problem is it will only backup your data to a physically attached drive (through USB or Firewire) by default.</description>
    </item>
    
    
    
    <item>
      <title>apache2 &#43; webdav &#43; SSL (self signed) on Debian Lenny</title>
      <link>https://blog.wains.be/2009/2009-07-17-apache2-webdav-ssl-self-signed-on-debian-lenny/</link>
      <pubDate>Fri, 17 Jul 2009 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2009/2009-07-17-apache2-webdav-ssl-self-signed-on-debian-lenny/</guid>
      <description>categories:
Apache Howto Install
Install Apache2 and SSL
apt-get install apache2 openssl ssl-cert
Enable the Apache modules we&amp;rsquo;ll be using :
a2enmod ssl
a2enmod dav_fs
a2enmod dav
Make sure you find the line &amp;ldquo;listen 443&amp;rdquo; somewhere in /etc/apache2/ports.conf
Create the SSL certificate
mkdir /etc/apache2/ssl
openssl req $@ -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem
chmod 600 /etc/apache2/ssl/apache.pem
Apache config
mkdir -p /var/www/ssl/webdav/
chown www-data. /var/www/ssl/webdav/
htpasswd -c /var/www/passwd.dav user</description>
    </item>
    
    
    
    <item>
      <title>Querying SRV records</title>
      <link>https://blog.wains.be/2009/2009-07-15-querying-srv-records/</link>
      <pubDate>Wed, 15 Jul 2009 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2009/2009-07-15-querying-srv-records/</guid>
      <description>categories:
DNS I seem to always forget how to query SRV records.. so here it goes :
# host -t SRV _ldap._tcp.example.com
_ldap._tcp.example.com has SRV record 0 100 389 ipaserver.example.com.</description>
    </item>
    
    
    
    <item>
      <title>Squid as a reverse proxy howto</title>
      <link>https://blog.wains.be/2009/2009-07-07-squid-as-a-reverse-proxy-howto/</link>
      <pubDate>Tue, 07 Jul 2009 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2009/2009-07-07-squid-as-a-reverse-proxy-howto/</guid>
      <description>categories:
Howto Linux Proxy The setup :
We run a virtualization server on a server in a datacenter (for example Proxmox VE), we only have 1 public IP available. We run web servers on 2 different virtual machines inside that VM host. We want both web servers to be accessible through the public IP on port 80.
We will use the Squid Proxy to act as a &amp;ldquo;reverse proxy&amp;rdquo; (http://en.wikipedia.org/wiki/Reverse_proxy). Squid will relay the requests to the destination depending on the hostname requested.</description>
    </item>
    
    
    
    <item>
      <title>GNBD on Debian installation howto</title>
      <link>https://blog.wains.be/2009/2009-06-30-gnbd-on-debian-installation-howto/</link>
      <pubDate>Tue, 30 Jun 2009 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2009/2009-06-30-gnbd-on-debian-installation-howto/</guid>
      <description>categories:
Debian/Ubuntu Howto Linux GNBD is some kind of alternative to iSCSI and to a (much) lower extent to sshfs or other filesharing systems (NFS, Samba, etc.).
Unlike iSCSI, there&amp;rsquo;s no authentication or such. I invite you to read the documentation to learn more about GNBD.
Server (server.example.org) :
Optional : Create a test filesystem
dd if=/dev/zero of=/home/disk bs=1M count=1000
losetup -f (find the next available loop device)
losetup /dev/loop0 /home/disk
mkfs.</description>
    </item>
    
    
    
    <item>
      <title>Google car spotted in Belgium</title>
      <link>https://blog.wains.be/2009/2009-06-19-google-car-spotted-in-belgium/</link>
      <pubDate>Fri, 19 Jun 2009 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2009/2009-06-19-google-car-spotted-in-belgium/</guid>
      <description>categories:
Misc I spotted a Google car on the E42/A15 highway while driving from Namur to Liège this morning around 9AM.
The cameras were covered.
I&amp;rsquo;m hopeful Google Street View will become available soon for us..</description>
    </item>
    
    
    
    <item>
      <title>Log SSH connections with /etc/ssh/sshrc</title>
      <link>https://blog.wains.be/2009/2009-06-05-log-ssh-connections-with-etcsshsshrc/</link>
      <pubDate>Fri, 05 Jun 2009 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2009/2009-06-05-log-ssh-connections-with-etcsshsshrc/</guid>
      <description>categories:
Linux SSH Yannick over at http://blog.uggy.org always comes up with interesting and valuable tips.
Following his latest post regarding sshrc, I made my own sshrc script.
Unlike his example, I didn&amp;rsquo;t make SSH email me whenever a connection is made. That would be overkill given the number of connections I can make on a single day. Instead I&amp;rsquo;m just logging dates and IP in a log file of its own, which I plan on keeping forever.</description>
    </item>
    
    
    
    <item>
      <title>Tool of the day - Dropbox</title>
      <link>https://blog.wains.be/2009/2009-05-27-tool-of-the-day-dropbox/</link>
      <pubDate>Wed, 27 May 2009 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2009/2009-05-27-tool-of-the-day-dropbox/</guid>
      <description>categories:
Tools I finally gave Dropbox a try and it&amp;rsquo;s awesome ! Dropbox makes syncing files across computers a breeze (Linux, Mac OS X, Windows).
I recommend you check their screencast here to get a better idea of what it does.
By default, you get 2 GB with the free account.
If you are interested in testing it, please use the link below for subscribing : https://www.getdropbox.com/referrals/NTEyMTA5NTc5
For any new user referred by me, both you and I will get an extra 250 MB on our accounts.</description>
    </item>
    
    
    
    <item>
      <title>Overscan problem connecting a MacBook unibody to Sony Bravia LCD HDTV ?</title>
      <link>https://blog.wains.be/2009/2009-05-05-overscan-problem-connecting-a-macbook-unibody-to-sony-bravia-lcd-hdtv/</link>
      <pubDate>Tue, 05 May 2009 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2009/2009-05-05-overscan-problem-connecting-a-macbook-unibody-to-sony-bravia-lcd-hdtv/</guid>
      <description>categories:
Apple/Mac OS Hardware Misc Today I connected a MacBook Unibody (13&amp;quot; and 2,4 Ghz CPU) into a 40&amp;quot; LCD HDTV (Sony Bravia KDL40L4000) using a MiniDisplay Port to DVI connector, a DVI to HDMI converter and a 5 meter long HDMI cable.
I ran into an &amp;ldquo;overscan&amp;rdquo; problem. Overscan means edges of the image are not viewable on the HDTV, which is pretty bad when you maximize a window.</description>
    </item>
    
    
    
    <item>
      <title>Howto - setting up dns2tcp</title>
      <link>https://blog.wains.be/2009/2009-04-23-howto-setting-up-dns2tcp/</link>
      <pubDate>Thu, 23 Apr 2009 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2009/2009-04-23-howto-setting-up-dns2tcp/</guid>
      <description>categories:
DNS Howto Wifi The following article has been tested on Debian Etch (server) and Debian Lenny and Mac OS X (clients).
Edit 03/2011 : dns2tcp client v0.5 won&amp;rsquo;t work with dns2tcp server v0.4.
I&amp;rsquo;m not gonna explain what dns2tcp is, just how to get it running in less than 30 minutes.
You need :
a public server, reachable from anywhere, its UDP/53 port must be free (no DNS service running) and reachable (not filtered)
a domain name or subdomain dedicated for dns2tcp
a dns2tcp client computer, your laptop usually
a &amp;ldquo;restricted&amp;rdquo; network (captive portal, firewalled network, paying hotspot) allowing DNS requests (in our examples, we&amp;rsquo;ll be using Google DNS server 8.</description>
    </item>
    
    
    
    <item>
      <title>Skipping SSH banner message</title>
      <link>https://blog.wains.be/2009/2009-03-15-skipping-ssh-banner-message/</link>
      <pubDate>Sun, 15 Mar 2009 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2009/2009-03-15-skipping-ssh-banner-message/</guid>
      <description>categories:
Linux SSH I&amp;rsquo;m talking about the banner displayed BEFORE connecting, not the MOTD
By default :
&amp;lt;code&amp;gt;$ ssh root@server *************************************************************************** NOTICE TO USERS This computer system is the private property of its owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign.</description>
    </item>
    
    
    
    <item>
      <title>Nokia E71</title>
      <link>https://blog.wains.be/2009/2009-02-23-nokia-e71/</link>
      <pubDate>Mon, 23 Feb 2009 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2009/2009-02-23-nokia-e71/</guid>
      <description>categories:
Hardware VoIP I got myself a new cell phone, the Nokia E71. In the process I&amp;rsquo;m putting my old but faithful Sony Ericsson T610 to retirement.
In order of importance, here are the reasons why I went with that particular phone :
1. Built-in GPS
My wife landed a new job so she had to give her GPS back to her old company. I went with Sygic McGuider Europe 2009.</description>
    </item>
    
    
    
    <item>
      <title>Mac OS X - login keychain locked when screensaver activates ?</title>
      <link>https://blog.wains.be/2009/2009-02-10-mac-os-x-login-keychain-locked-when-screensaver-activates/</link>
      <pubDate>Tue, 10 Feb 2009 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2009/2009-02-10-mac-os-x-login-keychain-locked-when-screensaver-activates/</guid>
      <description>categories:
Apple/Mac OS I&amp;rsquo;ve been running Mac OS X at home for the past two months.
I somewhat tightened Mac OS X security by disabling automatic logins, setting a password on the screensaver and such.. the usual steps.
Somehow I set the system in the way that whenever I log in, the keychain will be automatically unlocked in the process. I actually don&amp;rsquo;t want to type two (identical) passwords in a row.</description>
    </item>
    
    
    
    <item>
      <title>Unlocking the Belgacom Wireless/VoIP/ADSL Router aka Philips SNV6520/18</title>
      <link>https://blog.wains.be/2009/2009-01-16-unlocking-the-belgacom-wirelessvoipadsl-router-aka-philips-snv652018/</link>
      <pubDate>Fri, 16 Jan 2009 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2009/2009-01-16-unlocking-the-belgacom-wirelessvoipadsl-router-aka-philips-snv652018/</guid>
      <description>categories:
Hardware VoIP THE BORING PART :
For the impatient out there, just skip to &amp;ldquo;Mandatory warnings&amp;rdquo;.
A while back, Belgacom, the major ISP in Belgium, used to sell the router mentioned above along with their &amp;ldquo;triple-play&amp;rdquo; offer.
My dad just got a DSL connection and I got him that model on eBay. Not that I wanted that particular model or anything, I needed a wireless DSL router quick and for a reasonable price.</description>
    </item>
    
    
    
    <item>
      <title>Tool of the day - PrefixSuffix</title>
      <link>https://blog.wains.be/2008/2008-12-07-tool-of-the-day-prefixsuffix/</link>
      <pubDate>Sun, 07 Dec 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-12-07-tool-of-the-day-prefixsuffix/</guid>
      <description>categories:
Linux Tools If you want to batch rename files under Linux, check out PrefixSuffix.
I&amp;rsquo;m usually all for the CLI, but this nifty tool is quite convenient (if you have a GUI available :-) )
It is available right in the Ubuntu repositories, but not under Debian&amp;rsquo;s.
http://prefixsuffix.sourceforge.net/
(for the CLI addicts, feel free to post oneliners doing the same job (and even more))</description>
    </item>
    
    
    
    <item>
      <title>Zenity and timeout option</title>
      <link>https://blog.wains.be/2008/2008-12-07-zenity-and-timeout-option/</link>
      <pubDate>Sun, 07 Dec 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-12-07-zenity-and-timeout-option/</guid>
      <description>categories:
Bash Linux Tools Lately I installed rsnapshot on my lappy to get my files backed up on my home server during the night, in case the laptop is on.
Rsnapshot is only CLI, I still somewhat wanted to get some kind of visual notification saying the backup was starting (and ending).. just to avoid shutting down my machine while the backup process was still on, for example.
Rsnapshot allows you, through the cmd_postexec and cmd_preexec options, to run scripts before and after the backup job.</description>
    </item>
    
    
    
    <item>
      <title>ztdummy for Debian Lenny</title>
      <link>https://blog.wains.be/2008/2008-12-03-ztdummy-for-debian-lenny/</link>
      <pubDate>Wed, 03 Dec 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-12-03-ztdummy-for-debian-lenny/</guid>
      <description>categories:
Asterisk Debian/Ubuntu Linux VoIP I just compiled zaptel-modules for Debian Lenny (Kernel 2.6.26 i386) That package contains the ztdummy module.
Here&amp;rsquo;s a link to the package : http://blog.wains.be/pub/zaptel-modules-2.6.26-1-686_1.4.11~dfsg-2+2.6.26-10_i386.deb</description>
    </item>
    
    
    
    <item>
      <title>Essential audio tools</title>
      <link>https://blog.wains.be/2008/2008-11-15-essential-audio-tools/</link>
      <pubDate>Sat, 15 Nov 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-11-15-essential-audio-tools/</guid>
      <description>categories:
Linux Tools I heavily rely on the following tools to manage my music. I must be using Easytag on a daily basis really. This is definitely the best tool to manage hundreds of MP3&amp;rsquo;s. If you are like me and like to see your music properly sorted in your player, this is definitely the tool you need.
Sound Converter has been able to convert every file I submitted to it.</description>
    </item>
    
    
    
    <item>
      <title>NetworkManager and resolv.conf</title>
      <link>https://blog.wains.be/2008/2008-11-13-networkmanager-and-resolvconf/</link>
      <pubDate>Thu, 13 Nov 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-11-13-networkmanager-and-resolvconf/</guid>
      <description>categories:
Debian/Ubuntu Gnome Linux Networks VPN I&amp;rsquo;m under Debian Lenny at work.
I installed the VPNC plugin (Cisco VPN) for NetworkManager today. I usually always connect to OpenVPN tunnels with the OpenVPN plugin, which works pretty well (at least on NM 0.6.6).
After installing the VPNC plugin, I started having issues with my OpenVPN tunnels.. I was not able to resolve remote hostnames correctly.
The problem was that my resolv.conf didn&amp;rsquo;t get updated upon connection to the OpenVPN.</description>
    </item>
    
    
    
    <item>
      <title>Tool of the day - pipeview (aka pv)</title>
      <link>https://blog.wains.be/2008/2008-10-29-tool-of-the-day-pipeview-aka-pv/</link>
      <pubDate>Wed, 29 Oct 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-10-29-tool-of-the-day-pipeview-aka-pv/</guid>
      <description>categories:
Linux Tools
NAME
pv - monitor the progress of data through a pipe
SYNOPSIS
pv [OPTION] [FILE]...
pv [-h|-V]
DESCRIPTION
pv allows a user to see the progress of data through a pipeline, by giving information such as time elapsed, percentage completed (with progress bar), current throughput rate, total data transferred, and ETA.
...
Some examples :
pv file | nc -w 1 somewhere.com 3000
cat file | pv -s 12345 | nc -w 1 somewhere.</description>
    </item>
    
    
    
    <item>
      <title>Bug - NFS client under Debian Sid wont work with NFS server under Debian Etch</title>
      <link>https://blog.wains.be/2008/2008-10-17-bug-nfs-client-under-debian-sid-wont-work-with-nfs-server-under-debian-etch/</link>
      <pubDate>Fri, 17 Oct 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-10-17-bug-nfs-client-under-debian-sid-wont-work-with-nfs-server-under-debian-etch/</guid>
      <description>categories:
Debian/Ubuntu Linux NFS clients under Debian Sid (unstable) are not able to browse NFS shares running on a Debian Etch server.
It is a bug in package nfs-common in Sid : http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492970
Clients running nfs-common 1.1.3 or above will not be able to access an NFS share running on server version 1.0.10.
You&amp;rsquo;d be able to mount the share just fine, but not browse the mounted directory :</description>
    </item>
    
    
    
    <item>
      <title>Finding duplicate files</title>
      <link>https://blog.wains.be/2008/2008-09-29-finding-duplicate-files/</link>
      <pubDate>Mon, 29 Sep 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-09-29-finding-duplicate-files/</guid>
      <description>categories:
Linux Tools Under Debian :
apt-get install fdupes
Then :
fdupes -r /home/user &amp;gt; /home/user/duplicate.txt
-r : recursive
Output of the command goes in duplicate.txt
fdupes will compare the size and MD5 hash of the files to find duplicates</description>
    </item>
    
    
    
    <item>
      <title>Checking for bad blocks on your drive</title>
      <link>https://blog.wains.be/2008/2008-08-14-checking-for-bad-blocks-on-your-drive/</link>
      <pubDate>Thu, 14 Aug 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-08-14-checking-for-bad-blocks-on-your-drive/</guid>
      <description>categories:
Hardware Linux If your partition is /dev/sda1
e2fsck -cc /dev/sda1
From the man pages :
-c This option causes e2fsck to use badblocks(8) program to do a read-only scan of the device in order to find any bad blocks. If any bad blocks are found, they are added to the bad block inode to prevent them from being allocated to a file or directory. If this option is specified twice, then the bad block scan will be done using a non-destructive read-write test.</description>
    </item>
    
    
    
    <item>
      <title>📌 SSH local and remote port forwarding</title>
      <link>https://blog.wains.be/2008/2008-07-23-ssh-local-and-remote-port-forwarding/</link>
      <pubDate>Wed, 23 Jul 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-07-23-ssh-local-and-remote-port-forwarding/</guid>
      <description>I use SSH local port forwarding on a daily basis but I rarely use remote port forwarding. Today I forgot (again) about the GatewayPorts option, so I decided to write a quick reminder about SSH port forwarding.
Local port forwarding When to use? When you need to access a service on a remote server that is not exposed.
In this example the remote service runs on port tcp/80.
home$ ssh user@work.</description>
    </item>
    
    
    
    <item>
      <title>Tools of the day</title>
      <link>https://blog.wains.be/2008/2008-07-23-tools-of-the-day/</link>
      <pubDate>Wed, 23 Jul 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-07-23-tools-of-the-day/</guid>
      <description>categories:
Linux Tools stow : Stow, a software installation management utility for Linux that offers a number of advantages over the tried-and-true Red Hat and Debian package management systems. With Stow, you can organize applications available in standard tar files and keep application binaries logically arranged for easy access.
http://www.ibm.com/developerworks/linux/l-stow/ Official homepage : http://www.gnu.org/software/stow/stow.html
iperf : Iperf was developed by NLANR/DAST as a modern alternative for measuring maximum TCP and UDP bandwidth performance.</description>
    </item>
    
    
    
    <item>
      <title>OpenVPN - routing all traffic through the VPN tunnel</title>
      <link>https://blog.wains.be/2008/2008-07-18-openvpn-routing-all-traffic-through-the-vpn-tunnel/</link>
      <pubDate>Fri, 18 Jul 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-07-18-openvpn-routing-all-traffic-through-the-vpn-tunnel/</guid>
      <description>Categories:
Apache Debian/Ubuntu Howto Linux RHCE Security VPN I&amp;rsquo;m really into OpenVPN these days, see my two previous posts about it:
Setting up OpenVPN for your road warriors: http://blog.wains.be/post/a-vpn-for-remote-users-with-openvpn/
Setting up a VPN between two sites: http://blog.wains.be/post/routed-openvpn-between-two-subnets-behind-nat-gateways/
Today : how to route all traffic through the OpenVPN tunnel
On the server side:
First of all, if you want to route all your traffic through the VPN tunnel, you need to turn on IP forwarding (also called routing) and add a masquerading rule on the server (where eth0 is the device connecting you to the internet):</description>
    </item>
    
    
    
    <item>
      <title>A VPN for remote users with OpenVPN</title>
      <link>https://blog.wains.be/2008/2008-07-15-a-vpn-for-remote-users-with-openvpn/</link>
      <pubDate>Tue, 15 Jul 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-07-15-a-vpn-for-remote-users-with-openvpn/</guid>
      <description>categories:
Networks VPN This article quickly explains how to set up a VPN for your remote users based on OpenVPN in around 5 minutes. If you want detailed information about OpenVPN, certificates or other stuff, this is not the right place.
This applies to Debian Etch but will work with little difference in paths under Red Hat.
On the server
Install OpenVPN and the dependencies : # apt-get install openvpn</description>
    </item>
    
    
    
    <item>
      <title>DHCP and Dynamic DNS with BIND</title>
      <link>https://blog.wains.be/2008/2008-07-03-dhcp-and-dynamic-dns-with-bind/</link>
      <pubDate>Thu, 03 Jul 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-07-03-dhcp-and-dynamic-dns-with-bind/</guid>
      <description>categories:
Debian/Ubuntu DNS Howto Linux Networks Tested under Debian Etch
This is the network configuration of our DHCP/DNS server
Hostname : router.static.example.org
WAN interface (eth0) : 192.168.99.254 mask 255.255.255.0
LAN interface (eth1) : 172.30.200.254 mask 255.255.0.0
Default gateway : 192.168.99.1
First, we need to tell the DHCP server to only run on eth1 :
/etc/default/dhcp3-server :
INTERFACES=&amp;quot;eth1&amp;quot;
/etc/dhcp3/dhcpd.conf :
This is the DHCP server configuration.
When a computer requests network information from the DHCP server, the DHCP will update the DNS zones</description>
    </item>
    
    
    
    <item>
      <title>Routed OpenVPN between two subnets behind NAT gateways</title>
      <link>https://blog.wains.be/2008/2008-06-06-routed-openvpn-between-two-subnets-behind-nat-gateways/</link>
      <pubDate>Fri, 06 Jun 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-06-06-routed-openvpn-between-two-subnets-behind-nat-gateways/</guid>
      <description>categories:
Networks Security VPN Edit : between two or MORE subnets. Check out the exchange between Michael Antal and me in the comments. He&amp;rsquo;s been able to interconnect 3 subnets using this method and some slight tweaks in routes.
The following is the configuration needed to create a routed OpenVPN network between two remote subnets, both behind NAT gateways. On each side, the gateways will act as the VPN gateways.</description>
    </item>
    
    
    
    <item>
      <title>Debian - how to keep a mixed system</title>
      <link>https://blog.wains.be/2008/2008-06-05-debian-how-to-keep-a-mixed-system/</link>
      <pubDate>Thu, 05 Jun 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-06-05-debian-how-to-keep-a-mixed-system/</guid>
      <description>categories:
Debian/Ubuntu Linux Create or edit /etc/apt/apt.conf with this content :
APT::Default-Release &amp;quot;stable&amp;quot;;
Edit your APT source list /etc/apt/sources.list as the following (adapt to your favorite mirrors) :
&amp;lt;code&amp;gt;# unstable
deb http://ftp.debian.skynet.be/ftp/debian/ unstable main
deb-src http://ftp.debian.skynet.be/ftp/debian/ unstable main
# stable
deb http://ftp.debian.skynet.be/ftp/debian/ etch main
deb-src http://ftp.debian.skynet.be/ftp/debian/ etch main
# security updates
deb http://security.debian.org/ etch/updates main contrib
deb-src http://security.debian.org/ etch/updates main contrib&amp;lt;/code&amp;gt;
Now whenever you want to install a package in &amp;ldquo;unstable&amp;rdquo; on your &amp;ldquo;stable&amp;rdquo; system do the following :</description>
    </item>
    
    
    
    <item>
      <title>Debian - preventing a package from being updated</title>
      <link>https://blog.wains.be/2008/2008-06-05-debia-preventing-a-package-from-being-updated/</link>
      <pubDate>Thu, 05 Jun 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-06-05-debia-preventing-a-package-from-being-updated/</guid>
      <description>categories:
Debian/Ubuntu Linux Put a package on hold : echo &amp;quot;${package} hold&amp;quot; | dpkg --set-selections
Remove the hold : echo &amp;quot;${package} install&amp;quot; | dpkg --set-selections
where ${package} is the package name
Knowing the status of your packages : dpkg --get-selections</description>
    </item>
    
    
    
    <item>
      <title>Debian - store boot messages in log</title>
      <link>https://blog.wains.be/2008/2008-06-05-debian-store-boot-messages-in-log/</link>
      <pubDate>Thu, 05 Jun 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-06-05-debian-store-boot-messages-in-log/</guid>
      <description>categories:
Debian/Ubuntu Linux NSLU2 Enable bootlog in /etc/default/bootlogd :
BOOTLOGD_ENABLE=Yes
Logs go under /var/log/boot
Useful on systems with no monitor attached..</description>
    </item>
    
    
    
    <item>
      <title>Today in the mail...</title>
      <link>https://blog.wains.be/2008/2008-05-28-today-in-the-mail/</link>
      <pubDate>Wed, 28 May 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-05-28-today-in-the-mail/</guid>
      <description>After receiving a bottle of Jack Daniels from my buddy Seb in reward for helping him with several stuff&amp;hellip;
&amp;hellip;today in the mail, another reward, I received this&amp;hellip;
Network Security Hacks Second Edition by O&amp;rsquo;Reilly
Thanks to Rich Camp from Oakhurst, California!
Thanks to the community.</description>
    </item>
    
    
    
    <item>
      <title>Detaching processes from the current bash session</title>
      <link>https://blog.wains.be/2008/2008-05-24-detaching-processes-from-the-current-bash-session/</link>
      <pubDate>Sat, 24 May 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-05-24-detaching-processes-from-the-current-bash-session/</guid>
      <description>categories:
Bash Linux A bit of explanations :
$ help disown disown: disown [-h] [-ar] [jobspec ...] By default, removes each JOBSPEC argument from the table of active jobs. If the -h option is given, the job is not removed from the table, but is marked so that SIGHUP is not sent to the job if the shell receives a SIGHUP. The -a option, when JOBSPEC is not supplied, means to remove all jobs from the job table; the -r option means to remove only running jobs.</description>
    </item>
    
    
    
    <item>
      <title>Sharing your bash session using screen</title>
      <link>https://blog.wains.be/2008/2008-05-23-sharing-your-bash-session-using-screen/</link>
      <pubDate>Fri, 23 May 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-05-23-sharing-your-bash-session-using-screen/</guid>
      <description>categories:
Bash Linux In this post I was describing how one can share a bash session using a named pipe.
This is a great way if you can&amp;rsquo;t install anything on the machine. If you are able to get &amp;ldquo;screen&amp;rdquo; installed, screen provides a much easier way, which allows all connected users to interact on the shared session. The named pipe method only allowed one user to watch what the other user was doing.</description>
    </item>
    
    
    
    <item>
      <title>Finding data having more than one hardlink on the filesystem</title>
      <link>https://blog.wains.be/2008/2008-05-11-finding-data-having-more-than-one-hardlink-on-the-filesystem/</link>
      <pubDate>Sun, 11 May 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-05-11-finding-data-having-more-than-one-hardlink-on-the-filesystem/</guid>
      <description>categories:
Linux find / ! -links 1 -type f</description>
    </item>
    
    
    
    <item>
      <title>Keeping SSH connections alive behind some NAT routers</title>
      <link>https://blog.wains.be/2008/2008-04-27-keeping-ssh-connections-alive-behind-some-nat-routers/</link>
      <pubDate>Sun, 27 Apr 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-04-27-keeping-ssh-connections-alive-behind-some-nat-routers/</guid>
      <description>categories:
SSH SSH connections made from behind my Linksys WAG54G NAT gateway like to die after idling for something like 5 minutes.
The fix :
Add in /home/USER/.ssh/config
&amp;lt;code&amp;gt;Host *
    ServerAliveInterval 60
    ServerAliveCountMax 60&amp;lt;/code&amp;gt;
The SSH client will send a packet every 60 seconds in order to keep the connection alive. The second option means that after 60 keepalive packets sent, it will stop trying to keep the connection alive, and the connection will eventually die.</description>
    </item>
    
    
    
    <item>
      <title>Slimming Asterisk for the NSLU2 under Debian</title>
      <link>https://blog.wains.be/2008/2008-04-15-slimming-asterisk-for-the-nslu2-under-debian/</link>
      <pubDate>Tue, 15 Apr 2008 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-04-15-slimming-asterisk-for-the-nslu2-under-debian/</guid>
      <description>categories:
Asterisk NSLU2 VoIP A FULLY WORKING ASTERISK SIP PBX RUNNING WITH ONLY 6 MODULES LOADED ! READ ON&amp;hellip;
This howto is based on Asterisk 1.2 under Debian Etch. Please let me know through the comments if it works for you under other versions (and if it doesn&amp;rsquo;t, please provide the steps to get a working system). Thanks.
My needs :
I had to slim Asterisk down to the most minimalistic configuration possible to run on my Linksys NSLU2 (ARM cpu @ 266 MHz, RAM 32 MB).</description>
    </item>
    
    
    
    <item>
      <title>Backup your Gmail account in maildir format using fetchmail</title>
      <link>https://blog.wains.be/2008/2008-03-18-backup-your-gmail-account-in-maildir-format-using-fetchmail/</link>
      <pubDate>Tue, 18 Mar 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-03-18-backup-your-gmail-account-in-maildir-format-using-fetchmail/</guid>
      <description>categories:
Howto Linux Misc First of all, enable POP on your gmail account :
settings Forwarding and POP/IMAP Enable POP for all mail (even mail that&amp;rsquo;s already been downloaded) Then, the configuration for fetchmail and procmail :
You need to use procmail in order to be able to store the mails in maildir format (1 file per mail, mbox format is 1 big file for all emails)
/home/USER/.fetchmailrc :
poll pop.</description>
    </item>
    
    
    
    <item>
      <title>Remotely upgrade your kernel without dreading a kernel panic</title>
      <link>https://blog.wains.be/2008/2008-02-25-remotely-upgrade-your-kernel-without-dreading-a-kernel-panic/</link>
      <pubDate>Mon, 25 Feb 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-02-25-remotely-upgrade-your-kernel-without-dreading-a-kernel-panic/</guid>
      <description>categories:
Linux If you&amp;rsquo;re trying to upgrade a kernel remotely, there&amp;rsquo;s always a risk of losing access to the machine because of a kernel panic when rebooting.
In the following we will tell grub to try to boot the new kernel at least once, if it panics the machine will reboot and boot with the working kernel instead.
Edit /boot/grub/menu.lst :
Add panic=5 to the end of the kernel line for the new kernel, this means the machine will reboot 5 seconds after kernel panic upon boot.</description>
    </item>
    
    
    
    <item>
      <title>Request-Tracker 3.6 on Debian Etch &#43; Postfix &#43; Fetchmail</title>
      <link>https://blog.wains.be/2008/2008-02-23-request-tracker-36-on-debian-etch-postfix-fetchmail/</link>
      <pubDate>Sat, 23 Feb 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-02-23-request-tracker-36-on-debian-etch-postfix-fetchmail/</guid>
      <description>categories:
Howto Linux I&amp;rsquo;ll explain how to setup Request-Tracker (RT) on Debian Etch. This howto assumes you can&amp;rsquo;t install RT on the email gateway. I&amp;rsquo;ll use fetchmail to retrieve emails from the mail server and inject them into RT.
Install Postfix, fetchmail and the deps : apt-get install postfix fetchmail
Select &amp;ldquo;Internet Site&amp;rdquo; when prompted
Install MySQL Server 5 and its deps : apt-get install mysql-server-5.0
Install Request-Tracker Apache2 package, it will install the necessary dependencies : apt-get install rt3.</description>
    </item>
    
    
    
    <item>
      <title>Debian - get an email when updates are available with cron-apt</title>
      <link>https://blog.wains.be/2008/2008-02-04-debian-get-an-email-when-updates-are-available-with-cron-apt/</link>
      <pubDate>Mon, 04 Feb 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-02-04-debian-get-an-email-when-updates-are-available-with-cron-apt/</guid>
      <description>categories:
Debian/Ubuntu Linux Install cron-apt : # apt-get install cron-apt
Edit its config files : # vim /etc/cron-apt/config
You basically just need this in the config :
MAILTO=&amp;quot;user@example.com&amp;quot;
MAILON=&amp;quot;upgrade&amp;quot;
cron-apt runs every night at 4AM (see /etc/cron.d/cron-apt)
Source : http://www.debuntu.org/how-to-email-notification-upon-available-package-updates-with-cron-apt</description>
    </item>
    
    
    
    <item>
      <title>sudo password timeout</title>
      <link>https://blog.wains.be/2008/2008-01-22-sudo-password-timeout/</link>
      <pubDate>Tue, 22 Jan 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-01-22-sudo-password-timeout/</guid>
      <description>categories:
Linux By default, sudo keeps the password in &amp;ldquo;memory&amp;rdquo; for 5 minutes (at least under Ubuntu).
If you want to change that value
$ sudo visudo
Add the following line before the other &amp;ldquo;Defaults&amp;rdquo; line : Defaults timestamp_timeout=2
Or simply append &amp;ldquo;timestamp_timeout=2&amp;rdquo; to the existing Defaults line like : Defaults !lecture,tty_tickets,!fqdn,timestamp_timeout=2
This will set the timeout to 2 minutes&amp;hellip;
Set to 0 to always require the password Set to &amp;ldquo;-1&amp;rdquo;.</description>
    </item>
    
    
    
    <item>
      <title>Ubuntu 7.10 - screen doesnt lock when closing laptop lid</title>
      <link>https://blog.wains.be/2008/2008-01-22-ubuntu-710-screen-doesnt-lock-when-closing-laptop-lid/</link>
      <pubDate>Tue, 22 Jan 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-01-22-ubuntu-710-screen-doesnt-lock-when-closing-laptop-lid/</guid>
      <description>categories:
Linux This used to work in Ubuntu 7.04..
Here&amp;rsquo;s the fix until the feature works again (See bugreport 156226 in launchpad)
Open gconf-editor
Enable /apps/gnome-power-manager/lock/use_screensaver_settings
You should also enable &amp;ldquo;blank-screen&amp;rdquo; in the same section, I noticed the screen doesn&amp;rsquo;t go blank when the lid is closed without it
Solution provided by Pedro Villavicencio in the comments of the bug report (permalink)</description>
    </item>
    
    
    
    <item>
      <title>Ubuntu on Dell XPS M1330</title>
      <link>https://blog.wains.be/2008/2008-01-21-ubuntu-on-dell-xps-m1330/</link>
      <pubDate>Mon, 21 Jan 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-01-21-ubuntu-on-dell-xps-m1330/</guid>
      <description>categories:
Hardware Linux Ubuntu 7.10 Desktop Edition
Laptop specs : Dell XPS M1330 WLED screen Webcam 0.3 Mpixels Fingerprint scanner Media Card Reader Ricoh Wireless Intel iwl4965 AGN Cpu : T7500 2.2 Ghz Memory : 3 GB RAM 667 Mhz HDD : Seagate 200 GB 7200 RPM Sound : SigmaTel STAC9228
lspci : 00:00.0 Host bridge: Intel Corporation Mobile PM965/GM965/GL960 Memory Controller Hub (rev 0c) 00:01.0 PCI bridge: Intel Corporation Mobile PM965/GM965/GL960 PCI Express Root Port (rev 0c) 00:1a.</description>
    </item>
    
    
    
    <item>
      <title>Set the default editor in Debian</title>
      <link>https://blog.wains.be/2008/2008-01-18-set-the-default-editor-in-debian/</link>
      <pubDate>Fri, 18 Jan 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-01-18-set-the-default-editor-in-debian/</guid>
      <description>categories:
Debian/Ubuntu Linux I can never seem to remember that command.. always starting the command with alt.. then tab-tab-tab for autocompletion.. but nothing relevant shows up..
Here it is : sudo update-alternatives --config editor
Under Red Hat, both update-alternatives and alternatives commands work.
Or one can always manually symlink editor to vim under /etc/alternatives</description>
    </item>
    
    
    
    <item>
      <title>Changing SVN repository URL</title>
      <link>https://blog.wains.be/2008/2008-01-14-changing-svn-repository-url/</link>
      <pubDate>Mon, 14 Jan 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-01-14-changing-svn-repository-url/</guid>
      <description>categories:
Linux Versioning Not something I do on a daily basis, so here it goes :
$ svn switch --relocate file:///home/old/path/to/svn/ file:///home/new/path/to/svn/
You may also want to update the SVN repository URL in your TRAC environments&amp;hellip;
$ vim /path/to/trac-env/conf/trac.ini
Update the variable named repository_dir
When done you need to resync the environments&amp;hellip;
$ trac-admin /path/to/trac-env/ resync</description>
    </item>
    
    
    
    <item>
      <title>BIND - the $GENERATE Directive</title>
      <link>https://blog.wains.be/2008/2008-01-10-bind-the-generate-directive/</link>
      <pubDate>Thu, 10 Jan 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-01-10-bind-the-generate-directive/</guid>
      <description>categories:
DNS Linux From : http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html#id2566761
BIND Master File Extension: the $GENERATE Directive
Syntax: $GENERATE range lhs [ttl] [class] type rhs [ comment ]
$GENERATE is used to create a series of resource records that only differ from each other by an iterator. $GENERATE can be used to easily generate the sets of records required to support sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA delegation.
$ORIGIN 0.0.192.IN-ADDR.ARPA. $GENERATE 1-2 0 NS SERVER$.</description>
    </item>
    
    
    
    <item>
      <title>Installing Debian on a Linksys NSLU2</title>
      <link>https://blog.wains.be/2008/2008-01-10-installing-debian-on-a-linksys-nslu2/</link>
      <pubDate>Thu, 10 Jan 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-01-10-installing-debian-on-a-linksys-nslu2/</guid>
      <description>categories:
Debian/Ubuntu Hardware Linux NSLU2 Grab firmware : http://www.slug-firmware.net/d-dls.php
(optional) Install UpSlug2 on your computer : http://www.nslu2-linux.org/wiki/Main/UpSlug2
UpSlug2 is a tool to flash your NSLU2 from a computer on the same network.
This is required if you are reinstalling an already Debianized NSLU2, otherwise you can use the web management on a new unit.
Install Debian : http://www.cyrius.com/debian/nslu2/ In order for the install to complete as fast as possible, unselect any package group (even base).</description>
    </item>
    
    
    
    <item>
      <title>Debian Etch - disable the -- MARK -- log</title>
      <link>https://blog.wains.be/2008/2008-01-09-debian-etch-disable-the-mark-log/</link>
      <pubDate>Wed, 09 Jan 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-01-09-debian-etch-disable-the-mark-log/</guid>
      <description>categories:
Debian/Ubuntu Linux NSLU2 I installed Debian on an NSLU2.
The system is running off a USB thumb drive.
In order to maximize the lifetime of the drive, I need to limit the number of writes to it.
&amp;ndash; MARK &amp;ndash; entries in the logs are (from my understanding) pretty useless for that system, here&amp;rsquo;s how to disable them.
Edit /etc/default/syslogd
Change the SYSLOGD option to the following :
SYSLOGD=&amp;quot;-m 0&amp;quot;</description>
    </item>
    
    
    
    <item>
      <title>Exporting man pages to PDF</title>
      <link>https://blog.wains.be/2008/2008-01-05-exporting-man-pages-to-pdf/</link>
      <pubDate>Sat, 05 Jan 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-01-05-exporting-man-pages-to-pdf/</guid>
      <description>categories:
Linux man -t rsync | ps2pdf -&amp;gt; ~/Desktop/rsync.pdf
Thanks to my buddy Seb for the command :-)</description>
    </item>
    
    
    
    <item>
      <title>Data recovery with Linux- useful tools</title>
      <link>https://blog.wains.be/2008/2008-01-04-data-recovery-with-linux-useful-tools/</link>
      <pubDate>Fri, 04 Jan 2008 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2008/2008-01-04-data-recovery-with-linux-useful-tools/</guid>
      <description>Tags: Linux, Security, Tools
Today, I had to recover some data from a (badly) failed drive. The drive was coming from a laptop. I first tried to recover stuff using the Ubuntu Live CD on the laptop, but it didn&amp;rsquo;t work. Whenever I was trying to install the necessary tools in the Live CD environment, the system was hanging and throwing IO errors from the failed drive.
I attached the drive (using a 2&amp;quot;1/2 to 3&amp;quot;1/2 adapter) to my desktop machine and booted under Ubuntu.</description>
    </item>
    
    
    
    <item>
      <title>CentOS 5 - preventing brute force attacks with iptables</title>
      <link>https://blog.wains.be/2007/2007-12-30-centos-5-preventing-brute-force-attacks-with-iptables/</link>
      <pubDate>Sun, 30 Dec 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-12-30-centos-5-preventing-brute-force-attacks-with-iptables/</guid>
      <description>categories:
Iptables Linux Red Hat/CentOS Security Based on http://e18.physik.tu-muenchen.de/~tnagel/ipt_recent/
The following example is much simpler, it blocks hosts trying to connect more than 3 times to the SSH server within 60 seconds. If you need something more complex, check out the howto mentioned above.
This is my /etc/sysconfig/iptables
&amp;lt;code&amp;gt;*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIMIT_SSH - [0:0]
# accept localhost and related/established traffic
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# transfer connections made to tcp/22 to the LIMIT_SSH chain
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j LIMIT_SSH
# block anything else in the INPUT chain
-A INPUT -j DROP
# if host has made more than 3 attempts in 60 seconds, drop it
-A LIMIT_SSH -m recent --set --name SSH
-A LIMIT_SSH -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
-A LIMIT_SSH -j ACCEPT
COMMIT&amp;lt;/code&amp;gt;
Recent module homepage : http://www.</description>
    </item>
    
    
    
    <item>
      <title>CentOS 5 - sending logs to a central log server</title>
      <link>https://blog.wains.be/2007/2007-12-28-centos-5-sending-logs-to-a-central-log-server/</link>
      <pubDate>Fri, 28 Dec 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-12-28-centos-5-sending-logs-to-a-central-log-server/</guid>
      <description>categories:
Linux Red Hat/CentOS Security On the log server :
Edit /etc/sysconfig/syslog and change SYSLOGD_OPTIONS to match the following : SYSLOGD_OPTIONS=&amp;quot;-m 0 -r -s example.com&amp;quot;
-r : listen over the network, only necessary for log servers
-s : strip that value out of the logs (client.example.com would become client in the logs)
Restart the service : # service syslog restart
The server will start listening on UDP/514
Make sure you allow that port in the firewall configuration on the log server</description>
    </item>
    
    
    
    <item>
      <title>BackupPC - File--RsyncP module doesnt exist</title>
      <link>https://blog.wains.be/2007/2007-12-17-backuppc-filersyncp-module-doesnt-exist/</link>
      <pubDate>Mon, 17 Dec 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-12-17-backuppc-filersyncp-module-doesnt-exist/</guid>
      <description>categories:
Debian/Ubuntu Linux If you are trying to get BackupPC running under Debian and get the following message :
File::RsyncP module doesn&#39;t exist
Make sure you have the following package installed :
apt-get install libfile-rsyncp-perl</description>
    </item>
    
    
    
    <item>
      <title>CentOS 5 - chroot DNS with bind</title>
      <link>https://blog.wains.be/2007/2007-12-13-centos-5-chroot-dns-with-bind/</link>
      <pubDate>Thu, 13 Dec 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-12-13-centos-5-chroot-dns-with-bind/</guid>
      <description>categories:
DNS Howto Linux Red Hat/CentOS Howto for CentOS 4 here : http://blog.wains.be/post/centos-chroot-dns-with-bind/
1. Install packages :
yum install bind bind-chroot bind-libs bind-utils caching-nameserver
2. Configure RNDC :
cd /var/named/chroot/etc
rndc-confgen &amp;gt; rndc.key
chown root:named rndc.key
Edit rndc.key so it looks like this :
key &amp;quot;rndckey&amp;quot; { algorithm hmac-md5; secret &amp;quot;SGsvd1dF+mv+yU4ywCCkkg==&amp;quot;; };
You DON&amp;rsquo;T NEED anything else in the file (you must remove some option lines !)
A symlink in /etc exists and points to the rndc.</description>
    </item>
    
    
    
    <item>
      <title>Debian Etch &#43; DSPAM retraining with Web Interface</title>
      <link>https://blog.wains.be/2007/2007-12-09-debian-etch-dspam-retraining-with-web-interface/</link>
      <pubDate>Sun, 09 Dec 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-12-09-debian-etch-dspam-retraining-with-web-interface/</guid>
      <description>categories:
Debian/Ubuntu Linux Postfix A while ago, I wrote a howto explaining how to set up a Debian box with Postfix and DSPAM as anti-spam solution.
I haven&amp;rsquo;t been able to test that howto in a real world environment yet (receiving and training the system with actual spam). Somehow, it has been reported by several persons that it was working (thanks guys !).
The howto was considering a small domain where the sysadmin would take care of retraining the system.</description>
    </item>
    
    
    
    <item>
      <title>Bash tips and tricks</title>
      <link>https://blog.wains.be/2007/2007-11-26-bash-tips-and-tricks/</link>
      <pubDate>Mon, 26 Nov 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-11-26-bash-tips-and-tricks/</guid>
      <description>categories:
Bash Linux Richard posted some nice tips about bash history..
I&amp;rsquo;ll post his tips here in a shorter version
The following snippets of code must be added to your .bashrc file.
You open two terminals, when closing them, history of only one of both is saved ? This is the fix, that will merge/append histories from both terminals in the history :
shopt -s histappend
PROMPT_COMMAND=&#39;history -a&#39;
Avoiding spelling mistakes (like /ect instead of /etc) :</description>
    </item>
    
    
    
    <item>
      <title>Firefox - Gmail blank page when opening attachment ?</title>
      <link>https://blog.wains.be/2007/2007-11-24-firefox-gmail-blank-page-when-opening-attachment/</link>
      <pubDate>Sat, 24 Nov 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-11-24-firefox-gmail-blank-page-when-opening-attachment/</guid>
      <description>categories:
Firefox See : http://groups.google.com/group/Gmail-Problem-solving/browse_thread/thread/b844fef88053e780/acdb3357fe4a2729?lnk=raot
Problem :
Since the new version of Gmail, I was having issues when downloading attachments. The Gmail tab would go blank. The only way to get back to Gmail was to close the tab and open Gmail again. Reloading was not helping.
Solution :
My problem was because of the add-on &amp;ldquo;Tab Mix Plus&amp;rdquo;
Open Tab Mix Plus options Links tab Click on &amp;ldquo;edit&amp;rdquo; in regard to &amp;ldquo;Prevent blank tabs when downloading files&amp;rdquo; Remove from the list the lines /disp=attd&amp;amp;view=att/ and /view=att&amp;amp;disp=attd/ Issue is discussed here : http://tmp.</description>
    </item>
    
    
    
    <item>
      <title>Function key on your laptop not controlling sound ?</title>
      <link>https://blog.wains.be/2007/2007-11-24-function-key-on-your-laptop-not-controlling-sound/</link>
      <pubDate>Sat, 24 Nov 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-11-24-function-key-on-your-laptop-not-controlling-sound/</guid>
      <description>categories:
Hardware Linux OK, this one is dumb.
Until a few months ago, I was able to control the sound volume on my laptop using the dedicated function key (controlling the master output).
Then, all messed up.
Along with the dead function key, the master volume no longer had any effect on volume. Volume could only be controlled by the PCM switch. And the function key was controlling the master output !</description>
    </item>
    
    
    
    <item>
      <title>Linux Mint - gnome-vfs issues out of the box</title>
      <link>https://blog.wains.be/2007/2007-11-24-linux-mint-gnome-vfs-issues-out-of-the-box/</link>
      <pubDate>Sat, 24 Nov 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-11-24-linux-mint-gnome-vfs-issues-out-of-the-box/</guid>
      <description>categories:
Linux Yesterday I switched from Ubuntu to Linux Mint. I won&amp;rsquo;t discuss here the pros and cons of Mint since I first tested it yesterday and decided to install it on my laptop on the same day.
Everything is supposed to work out of the box under Mint. Except it is not true. Apparently, Mint doesn&amp;rsquo;t ship a bunch of packages that come by default under Ubuntu (particularly Evolution, tsclient, etc.</description>
    </item>
    
    
    
    <item>
      <title>Cut MP3 under Linux Ubuntu</title>
      <link>https://blog.wains.be/2007/2007-11-23-cut-mp3-under-linux-ubuntu/</link>
      <pubDate>Fri, 23 Nov 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-11-23-cut-mp3-under-linux-ubuntu/</guid>
      <description>categories:
Linux If you want to cut MP3 files under Ubuntu, install the following package from the repositories
sudo apt-get install poc-streamer
It contains a utility mp3cut
Syntax :
mp3cut [ -o outputfile ] [ -T title ] [ -A artist ] [ -N album-name ] [ -t [hh:]mm:ss[+ms]-[hh:]mm:ss[+ms] ] mp3file [[ -t &amp;hellip; ] mp3file1 &amp;hellip;]
The following example cuts a 120 minute MP3 in 2 parts where the first file will be 70 min long :</description>
    </item>
    
    
    
    <item>
      <title>Gmail IMAP under Thunderbird - problems with PDF files ?</title>
      <link>https://blog.wains.be/2007/2007-11-12-gmail-imap-under-thunderbird-problems-with-pdf-files/</link>
      <pubDate>Mon, 12 Nov 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-11-12-gmail-imap-under-thunderbird-problems-with-pdf-files/</guid>
      <description>categories:
Misc My wife had some problems today sending her resume in PDF to some companies. She used the web interface of Gmail. Some people reported they were unable to open the file.
We&amp;rsquo;ve made some tests. She tried to send an email with the PDF attachment to these recipients (carbon copy, not separate emails) :
HER Gmail address configured in Thunderbird using IMAP
MY Gmail address using the web interface
MY work address configured in Thunderbird using IMAP (courier-imap server)
I was able to open the file on my home and work addresses while she was not able to open the file in Thunderbird.</description>
    </item>
    
    
    
    <item>
      <title>Sending Ctrl-Alt-Del command to VNC client under Gnome</title>
      <link>https://blog.wains.be/2007/2007-11-08-sending-ctrl-alt-del-command-to-vnc-client-under-gnome/</link>
      <pubDate>Thu, 08 Nov 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-11-08-sending-ctrl-alt-del-command-to-vnc-client-under-gnome/</guid>
      <description>categories:
Gnome Linux The problem : you want to send the &amp;ldquo;Ctrl-Alt-Del&amp;rdquo; command to a remote VNC server to unlock a Windows session, but you are under Gnome and all it does is open a window with Gnome session options (lock session, restart, etc.)
How to unlock a Windows session : Press &amp;ldquo;Shift-Ctrl-Alt-Del&amp;rdquo;.
May seem obvious, but it took me a few minutes to figure out.
Also, vncviewer.exe runs perfectly fine using Wine, probably better than the VNC clients available under Ubuntu.</description>
    </item>
    
    
    
    <item>
      <title>Belgian eID under Ubuntu 7.10</title>
      <link>https://blog.wains.be/2007/2007-10-28-belgian-eid-under-ubuntu-710/</link>
      <pubDate>Sun, 28 Oct 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-10-28-belgian-eid-under-ubuntu-710/</guid>
      <description>categories:
Firefox Hardware Linux I had almost forgotten that I was offered an eID card reader by our Federal Public Service FINANCE, a few months ago when I went up to their offices to get some info.
I decided to give it a try tonight.
The sticker on the back of the reader says &amp;ldquo;ACR38U-SPC-FDT (FW104)&amp;rdquo;.
I first blindly tried to install some packages (beidgui to read my card info) but ran into several problems.</description>
    </item>
    
    
    
    <item>
      <title>Squid 2.6 - transparent proxy</title>
      <link>https://blog.wains.be/2007/2007-10-27-squid-26-transparent-proxy/</link>
      <pubDate>Sat, 27 Oct 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-10-27-squid-26-transparent-proxy/</guid>
      <description>categories:
Howto Linux Proxy I was explaining in this article how to enable the transparent proxy feature under Squid 2.5.
The following options required for transparent proxy are no longer available under Squid 2.6 :
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
The new option under Squid 2.6 is the much simpler :
http_port 8080 transparent
You just need to append &amp;ldquo;transparent&amp;rdquo; to the http_port option line.
If you upgrade to Squid 2.</description>
    </item>
    
    
    
    <item>
      <title>Apache - disable the HTTP TRACE method</title>
      <link>https://blog.wains.be/2007/2007-10-25-apache-disable-the-http-trace-method/</link>
      <pubDate>Thu, 25 Oct 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-10-25-apache-disable-the-http-trace-method/</guid>
      <description>categories:
Apache Marius Ducea is sharing an interesting tip about Apache. Later versions of Apache now have a variable controlling if the trace request method is enabled.
TRACE is an HTTP request method used for debugging which echoes input back to the user.
http://www.ducea.com/post/apache-tips-disable-the-http-trace-method/</description>
    </item>
    
    
    
    <item>
      <title>Bash - converting unix timestamp to date </title>
      <link>https://blog.wains.be/2007/2007-10-23-bash-converting-unix-timestamp-to-date/</link>
      <pubDate>Tue, 23 Oct 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-10-23-bash-converting-unix-timestamp-to-date/</guid>
      <description>categories:
Bash Linux Under Debian or RHEL4 and later, it can be as simple as :
$ date -d @1193144433
Tue Oct 23 15:00:33 CEST 2007
But that command doesn&amp;rsquo;t work under Red Hat EL 3, so you should use the following :
$ date --date &amp;quot;1970-01-01 1193144433 sec&amp;quot; &amp;quot;+%Y-%m-%d %T&amp;quot;
2007-10-23 15:00:33
The output is different though. You can always use the previous command under Ubuntu/RHEL4+ or the simpler :</description>
    </item>
    
    
    
    <item>
      <title>RRDWeather 0.42</title>
      <link>https://blog.wains.be/2007/2007-10-17-rrdweather-042/</link>
      <pubDate>Wed, 17 Oct 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-10-17-rrdweather-042/</guid>
      <description>categories:
RRDWeather I&amp;rsquo;ve released a new version of RRDWeather.
RRDWeather is a simple weather monitoring tool. It is a set of scripts collecting weather data from weather.com. These data go into RRDtool graphs.
It&amp;rsquo;s released under the GPL&amp;hellip; feel free to modify, improve, copy, etc, etc.
Demo : http://blog.wains.be/cgi-bin/weather.cgi?zip=BEXX0014
Project page : http://blog.wains.be/projects/rrdweather/
Download : http://blog.wains.be/projects/pub/rrdweather-0.42.tar.gz</description>
    </item>
    
    
    
    <item>
      <title>Upgrading to PHP5/MySQL5 under CentOS 4.5</title>
      <link>https://blog.wains.be/2007/2007-10-15-upgrading-to-php5mysql5-under-centos-45/</link>
      <pubDate>Mon, 15 Oct 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-10-15-upgrading-to-php5mysql5-under-centos-45/</guid>
      <description>categories:
Linux Red Hat/CentOS SQL I&amp;rsquo;m planning on moving to PHP 5 and MySQL 5 on our CentOS 4 production server.
Before doing anything on the production machine, I&amp;rsquo;m testing the process on a fresh installation of CentOS on a virtual machine&amp;hellip;
I first tried to upgrade PHP&amp;hellip; MySQL updates should be pulled out from the repository as well but it didn&amp;rsquo;t work.
&amp;lt;code&amp;gt;# yum update php --enable=centosplus Setting up Update Process Setting up repositories update 100% |=========================| 951 B 00:00 base 100% |=========================| 1.</description>
    </item>
    
    
    
    <item>
      <title>DHCP snooping on Cisco Catalyst 2950</title>
      <link>https://blog.wains.be/2007/2007-10-05-dhcp-snooping-on-cisco-catalyst-2950/</link>
      <pubDate>Fri, 05 Oct 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-10-05-dhcp-snooping-on-cisco-catalyst-2950/</guid>
      <description>categories:
Hardware Networks Security I&amp;rsquo;ll explain the few commands used to enable DHCP snooping on our Catalyst switch at work. The users aren&amp;rsquo;t really tech savvy or anything, but it is painless to configure so it is worth having it enabled.
switch1&amp;gt;enable
First, we need to know which VLAN the DHCP server belongs to, &amp;ldquo;show arp&amp;rdquo; has that info :
switch1#show arp Protocol Address Age (min) Hardware Addr Type Interface Internet 192.</description>
    </item>
    
    
    
    <item>
      <title>Howto - installing TRAC on Debian Etch</title>
      <link>https://blog.wains.be/2007/2007-10-05-howto-installing-trac-on-debian-etch/</link>
      <pubDate>Fri, 05 Oct 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-10-05-howto-installing-trac-on-debian-etch/</guid>
      <description>categories:
Apache Debian/Ubuntu Howto Versioning Howto available here : http://blog.wains.be/pub/howto/trac-debian.txt
This howto explains the steps from creating the SVN project to publishing it with TRAC.
Along with this howto, you can download a script that automates the process of creating the SVN repository and TRAC environment. This script was made according to this howto and works under Debian. YOU SHOULD FIRST GO THROUGH THE HOWTO BEFORE USING THIS SCRIPT.
http://blog.wains.be/pub/create_svntrac_project</description>
    </item>
    
    
    
    <item>
      <title>Intel Pro 1000 generating gratuitous ARP traffic</title>
      <link>https://blog.wains.be/2007/2007-10-01-intel-pro-1000-generating-gratuitous-arp-traffic/</link>
      <pubDate>Mon, 01 Oct 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-10-01-intel-pro-1000-generating-gratuitous-arp-traffic/</guid>
      <description>categories:
Networks Windows Finally, I have decided to take 5 minutes and focus on the gratuitous ARP broadcast issue I have with our Windows 2000 server (Fujitsu Siemens server).
The problem is described here : http://blog.wains.be/post/unsolvable-gratuitous-arp-from-our-windows-2000-server-with-intel-pro-1000/
I have installed Wireshark on the Windows box, had to reboot (oh !) to get it working. Thanks to Wireshark, I figured out the gratuitous ARP traffic was generated at some lower level than Windows.</description>
    </item>
    
    
    
    <item>
      <title>Tcpdump advanced filters</title>
      <link>https://blog.wains.be/2007/2007-10-01-tcpdump-advanced-filters/</link>
      <pubDate>Mon, 01 Oct 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-10-01-tcpdump-advanced-filters/</guid>
      <description>Introduction
In this article, I will explain how to use tcpdump to:
know if IP options are set
find DF packets (packets which we don&amp;rsquo;t want to be fragmented)
find fragmented packets
find datagrams with low TTL
find particular TCP flag combinations
find datagrams with particular data (here, packets with command MAIL from the SMTP protocol and GET command from HTTP)
Notes
I usually type tcpdump -n -i eth1 -s 1600 before my filter but I won&amp;rsquo;t do that throughout the article.</description>
    </item>
    
    
    
    <item>
      <title>Using lsof to get network information</title>
      <link>https://blog.wains.be/2007/2007-09-27-using-lsof-to-get-network-information/</link>
      <pubDate>Thu, 27 Sep 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-09-27-using-lsof-to-get-network-information/</guid>
      <description>categories:
Howto Linux Networks I often use netstat to get network information (&amp;ldquo;netstat -napee&amp;rdquo; producing my favorite verbose output)
You can also use lsof, whose primary use is to list open files. Ideally, you will run lsof as root to get network info from privileged ports (&amp;lt; 1024).
The syntax is : # lsof -i[46][protocol][@hostname|hostaddr][:service|port]
List any network info (as with many other commands, -n avoids name resolution, which makes lsof faster) :</description>
    </item>
    
    
    
    <item>
      <title>Howto - Postfix chrooted &#43; Debian Etch &#43; SSL/TLS &#43; SMTP AUTH SASL &#43; Quota</title>
      <link>https://blog.wains.be/2007/2007-09-12-howto-postfix-chrooted-debian-etch-ssltls-smtp-auth-sasl-quota-vda-postfix-admin-with-virtual-usersdomains-autoreply-disclaimerautosignature-procmail-dspam-clamassassinclam/</link>
      <pubDate>Wed, 12 Sep 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-09-12-howto-postfix-chrooted-debian-etch-ssltls-smtp-auth-sasl-quota-vda-postfix-admin-with-virtual-usersdomains-autoreply-disclaimerautosignature-procmail-dspam-clamassassinclam/</guid>
      <description>(VDA) + Postfix Admin with Virtual Users/Domains + Autoreply + Disclaimer/Autosignature
Procmail + DSPAM + Clamassassin/ClamAV + RBL checks + Mime checks + Dovecot IMAP(S)/POP3(S) chrooted&#39; categories:
Howto Linux Postfix I have tried to document the new email setup I&amp;rsquo;m willing to install at work.
My current setup is running under CentOS, uses SpamAssassin and courier-imap. I&amp;rsquo;m trying to make the switch to different technologies : Debian, DSPAM and Dovecot.</description>
    </item>
    
    
    
    <item>
      <title>Get your hands back on a frozen system</title>
      <link>https://blog.wains.be/2007/2007-09-09-get-your-hands-back-on-a-frozen-system/</link>
      <pubDate>Sun, 09 Sep 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-09-09-get-your-hands-back-on-a-frozen-system/</guid>
      <description>categories:
Linux FOSSwire has an interesting article explaining how to get your hands back on your linux box when it appears to be badly frozen (yes it tends to happen on alpha releases of Ubuntu).
Hold down the Alt and SysRq (Print Screen) keys.
While holding those down, type the following in order. Nothing will appear to happen until the last letter is pressed: REISUB
Watch your computer reboot magically.
The key combination consisting of Alt, SysRq and another key, controls the command issued:</description>
    </item>
    
    
    
    <item>
      <title>Bash - output classified in columns </title>
      <link>https://blog.wains.be/2007/2007-09-02-bash-output-classified-in-columns/</link>
      <pubDate>Sun, 02 Sep 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-09-02-bash-output-classified-in-columns/</guid>
      <description>categories:
Bash Linux My friend Jonathan just passed me another nice CLI tip
Sometimes, the output of some commands is not really readable :
Example : $ mount
Readability can be improved by piping &amp;ldquo;mount&amp;rdquo; into the command &amp;ldquo;column&amp;rdquo;
$ mount | column -t
There are so many little useful commands like these under Linux, I wish I knew them all. Any other similar tips are welcome !</description>
    </item>
    
    
    
    <item>
      <title>nohup</title>
      <link>https://blog.wains.be/2007/2007-08-26-nohup/</link>
      <pubDate>Sun, 26 Aug 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-08-26-nohup/</guid>
      <description>categories:
Bash Linux See http://en.wikipedia.org/wiki/Nohup
nohup is a Unix command that is used to run another command while suppressing the action of the HUP (hangup) signal, enabling the command to keep running after the user who issues the command has logged out. It is most often used to run commands in background as daemons. Output that would normally go to the terminal goes to a file called nohup.out if it has not already been redirected.</description>
    </item>
    
    
    
    <item>
      <title>Subversion integration to Nautilus</title>
      <link>https://blog.wains.be/2007/2007-08-26-subversion-integration-to-nautilus/</link>
      <pubDate>Sun, 26 Aug 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-08-26-subversion-integration-to-nautilus/</guid>
      <description>categories:
Gnome Linux Versioning
$ sudo apt-get install nautilus-script-collection-svn
$ nautilus-script-manager enable Subversion
Restart your computer (or if you are more experienced either restart Gnome (ctrl+alt+backspace) or kill nautilus)
Now, there&amp;rsquo;s a new submenu when right-clicking on a directory/file
Link : http://packages.ubuntu.com/gutsy/devel/nautilus-script-collection-svn</description>
    </item>
    
    
    
    <item>
      <title>Postfix and DSPAM - var/run/dspam/dspam.sock - No such file or directory</title>
      <link>https://blog.wains.be/2007/2007-08-23-postfix-and-dspam-varrundspamdspamsock-no-such-file-or-directory/</link>
      <pubDate>Thu, 23 Aug 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-08-23-postfix-and-dspam-varrundspamdspamsock-no-such-file-or-directory/</guid>
      <description>categories:
Linux Postfix OS : Debian Etch Postfix : 2.3.8 Dspam : 3.6.8
I was following the official dspam documentation (http://dspam.nuclearelephant.com/text/README-3.6.7.txt) to set up Postfix and DSPAM.
I had this under /etc/postfix/master.rc :
smtp inet n - n - - smtpd -v
  -o content_filter=lmtp:unix:/var/run/dspam/dspam.sock
localhost:10026 inet n - n - - smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
But Postfix would not connect to dspam socket, the logs were returning :</description>
    </item>
    
    
    
    <item>
      <title>Why I&#39;m switching from Red Hat (and friends) to Debian (and friends)</title>
      <link>https://blog.wains.be/2007/2007-08-23-why-im-switching-from-redhat-and-friends-to-debian-and-friends/</link>
      <pubDate>Thu, 23 Aug 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-08-23-why-im-switching-from-redhat-and-friends-to-debian-and-friends/</guid>
      <description>categories:
Debian/Ubuntu Linux Red Hat/CentOS Yeah, I decided I&amp;rsquo;ll be switching my servers to Debian.
It slowly started with my desktop OS, when I moved from Fedora to Ubuntu. (and CentOS before Fedora, until came the need for wireless with ipw3945 on my new laptop [was using Orinoco Gold on my old CentOS 4 laptop]).
There was a reason why I chose to try something else. First, the (french) translation under Fedora was somewhat broken back then, sometimes resulting in frenglish sentences.</description>
    </item>
    
    
    
    <item>
      <title>Compiz Fusion keeps snapping windows to the edge of screen and other windows</title>
      <link>https://blog.wains.be/2007/2007-08-21-compiz-fusion-keeps-snapping-windows-to-the-edge-of-screen-and-other-windows/</link>
      <pubDate>Tue, 21 Aug 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-08-21-compiz-fusion-keeps-snapping-windows-to-the-edge-of-screen-and-other-windows/</guid>
      <description>categories:
Linux Even though the &amp;ldquo;snapping windows&amp;rdquo; plugin is disabled, the windows keep sticking to the edge of anything around. This is a major annoyance, leading me to struggle with the windows to go where I want them to go. This is really counter-productive.
Fix :
In CompizConfig Configuration Manager, navigate to Wobbly Windows and disable Snap Inverted.</description>
    </item>
    
    
    
    <item>
      <title>Record entries in log files with logger</title>
      <link>https://blog.wains.be/2007/2007-08-20-record-entries-in-log-files-with-logger/</link>
      <pubDate>Mon, 20 Aug 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-08-20-record-entries-in-log-files-with-logger/</guid>
      <description>categories:
Linux Call me Mr. Obvious on this one, but I actually always need to check out the manpage for this&amp;hellip;
If you want to record entries in log files :
Example here in daemon.log
$ sudo logger -p daemon.warn &amp;quot;This is a test&amp;quot;
Where daemon is the facility, warn is the level
Hit Ctrl+C when done.
Result in /var/log/daemon.log : Aug 20 13:07:16 hostname user: &amp;quot;This is a test&amp;quot;</description>
    </item>
    
    
    
    <item>
      <title>ViewCVS ImportError- No module named svn (Debian)</title>
      <link>https://blog.wains.be/2007/2007-08-18-viewcvs-importerror-no-module-named-svn-debian/</link>
      <pubDate>Sat, 18 Aug 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-08-18-viewcvs-importerror-no-module-named-svn-debian/</guid>
      <description>categories:
Debian/Ubuntu Linux Versioning Even if properly configured for using Subversion repositories, you&amp;rsquo;d get this error message from ViewCVS :
An Exception Has Occurred
Python Traceback
Traceback (most recent call last):
  File &amp;quot;/var/lib/python-support/python2.4/viewcvs.py&amp;quot;, line 3235, in main
    request.run_viewcvs()
  File &amp;quot;/var/lib/python-support/python2.4/viewcvs.py&amp;quot;, line 268, in run_viewcvs
    import vclib.svn
  File &amp;quot;/var/lib/python-support/python2.4/vclib/svn/__init__.py&amp;quot;, line 27, in ?
    from svn import fs, repos, core, delta
ImportError: No module named svn
The reason for the error is a missing package : python-subversion</description>
    </item>
    
    
    
    <item>
      <title>VMWare Server - bridging over wireless not working</title>
      <link>https://blog.wains.be/2007/2007-08-18-vmware-server-bridging-over-wireless-not-working/</link>
      <pubDate>Sat, 18 Aug 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-08-18-vmware-server-bridging-over-wireless-not-working/</guid>
      <description>categories:
Wifi I was not able to get the bridging network mode working for my virtual machines under VMWare Server. Then, I figured out I was using the eth1 interface (the wireless interface), while the bridge mode was probably bound to eth0 (wired interface).
This is how to fix the issue :
$ sudo vmware-config-network.pl
Would you like to skip networking setup and keep your old settings as they are? (yes/no) [yes] no</description>
    </item>
    
    
    
    <item>
      <title>sshfs - problem when mounting a remote dir under /media</title>
      <link>https://blog.wains.be/2007/2007-08-16-sshfs-problem-when-mounting-a-remote-dir-under-media/</link>
      <pubDate>Thu, 16 Aug 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-08-16-sshfs-problem-when-mounting-a-remote-dir-under-media/</guid>
      <description>categories:
Linux sshfs : http://fuse.sourceforge.net/sshfs.html
(only tested under Ubuntu 7.04)
When trying to mount a remote directory under /media on the local filesystem, you&amp;rsquo;ll get this :
user@user:/media$ ls -l
total 8
?--------- ? ? ? ? ? remote_dir
lrwxrwxrwx 1 root root 6 2007-04-24 11:29 cdrom -&amp;gt; cdrom0
drwxr-xr-x 2 root root 4096 2007-04-24 11:29 cdrom0
Notice the question marks.. ?
No problem when mounting under, say /mnt :</description>
    </item>
    
    
    
    <item>
      <title>Courier-imap RPM for CentOS 5 (i386 &#43; x86_64)</title>
      <link>https://blog.wains.be/2007/2007-08-14-courier-imap-rpm-for-centos-5-i386/</link>
      <pubDate>Tue, 14 Aug 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-08-14-courier-imap-rpm-for-centos-5-i386/</guid>
      <description>categories:
Linux Red Hat/CentOS Someone asked for help about installing courier-imap under CentOS 5.
I made the RPMs for him and thought I would share them here.
The whole thing is packaged in a tar.gz
Courier-authlib Version:	0.59.3 (22-Apr-2007)
Courier-Imap Version:	4.1.3 (22-Apr-2007)
Download : http://blog.wains.be/pub/courier-centos5-i386-20070814.tar.gz
Packages tested and working.
x86_64
Charles has been kind enough to build the RPMs for the x86_64 architecture and share them.
Courier-authlib Version : 0.</description>
    </item>
    
    
    
    <item>
      <title>Firefox - always display the address bar</title>
      <link>https://blog.wains.be/2007/2007-08-11-firefox-always-display-the-address-bar/</link>
      <pubDate>Sat, 11 Aug 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-08-11-firefox-always-display-the-address-bar/</guid>
      <description>categories:
Firefox It is sometimes tedious when websites try to &amp;ldquo;hide&amp;rdquo; the URL in an attempt to prevent you from downloading some content.
Here&amp;rsquo;s the fix :
Type &amp;ldquo;about:config&amp;rdquo; in the address bar
Find dom.disable_window_open_feature.location
Double click to set the value to true
Link : http://mozillalinks.org/wp/2007/03/keep-firefoxs-location-bar-on-sight/</description>
    </item>
    
    
    
    <item>
      <title>How to debug SSL SMTP</title>
      <link>https://blog.wains.be/2007/2007-08-10-how-to-debug-ssl-smtp/</link>
      <pubDate>Fri, 10 Aug 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-08-10-how-to-debug-ssl-smtp/</guid>
      <description>categories:
Howto Security My friend Jonathan just told me about a nice command to debug SSL SMTP :
$ openssl s_client -connect mail.server.be:465
Example :
$ openssl s_client -connect smtp.gmail.com:465
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.</description>
    </item>
    
    
    
    <item>
      <title>last and lastb</title>
      <link>https://blog.wains.be/2007/2007-08-05-last-and-lastb/</link>
      <pubDate>Sun, 05 Aug 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-08-05-last-and-lastb/</guid>
      <description>categories:
Linux From the man pages :
Last searches back through the file /var/log/wtmp (or the file designated by the -f flag) and displays a list of all users logged in (and out) since that file was created. Names of users and tty’s can be given, in which case last will show only those entries matching the arguments. Names of ttys can be abbreviated, thus last 0 is the same as last tty0.</description>
    </item>
    
    
    
    <item>
      <title>MySQL - selecting duplicate entries</title>
      <link>https://blog.wains.be/2007/2007-08-03-mysql-selecting-duplicate-entries/</link>
      <pubDate>Fri, 03 Aug 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-08-03-mysql-selecting-duplicate-entries/</guid>
      <description>categories:
SQL This is the correct query : SELECT field from table GROUP BY field HAVING COUNT(field) &amp;gt; 1;
Here&amp;rsquo;s an example where I have two duplicate entries (test and test3).
&amp;lt;code&amp;gt;# let&#39;s see the records mysql&amp;gt; SELECT field from `table`; +-------+ | field | +-------+ | test | | test | | test2 | | test3 | | test3 | +-------+ 5 rows in set (0.00 sec) # THIS IS NOT WHAT WE WANT !</description>
    </item>
    
    
    
    <item>
      <title>Ubuntu 7.04 - my personal repository list</title>
      <link>https://blog.wains.be/2007/2007-08-02-ubuntu-704-my-personal-repository-list/</link>
      <pubDate>Thu, 02 Aug 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-08-02-ubuntu-704-my-personal-repository-list/</guid>
      <description>categories:
Linux I&amp;rsquo;ll try to keep my custom repository list here, among the usual universe and multiverse repositories :
# Canonical commercial (vmware, etc.)
deb http://archive.canonical.com/ubuntu feisty-commercial main
deb http://www.telemail.fi/mlind/ubuntu feisty fonts
deb-src http://www.telemail.fi/mlind/ubuntu feisty fonts main
deb http://dl.google.com/linux/deb/ stable non-free
deb http://download.tuxfamily.org/3v1deb feisty eyecandy
deb-src http://download.tuxfamily.org/3v1deb feisty eyecandy
deb http://archive.ubuntustudio.org/ubuntustudio feisty main
deb-src http://archive.ubuntustudio.org/ubuntustudio feisty main
deb http://download.tuxfamily.org/syzygy42 feisty avant-window-navigator
deb-src http://download.tuxfamily.org/syzygy42 feisty avant-window-navigator
deb http://repository.debuntu.org/ feisty multiverse
deb-src http://repository.</description>
    </item>
    
    
    
    <item>
      <title>Ubuntu 7.10 Alpha 3 - small fonts in Firefox</title>
      <link>https://blog.wains.be/2007/2007-08-02-ubuntu-710-alpha-3-small-fonts-in-firefox/</link>
      <pubDate>Thu, 02 Aug 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-08-02-ubuntu-710-alpha-3-small-fonts-in-firefox/</guid>
      <description>categories:
Firefox Linux Fonts are smaller in Firefox than under Gnome.
If you want to fix that small (and hopefully temporary) issue, under Firefox type in the URL bar :
&amp;ldquo;about:config&amp;rdquo;
Then in the filter box, search for &amp;ldquo;dpi&amp;rdquo;
This will filter out the value &amp;ldquo;layout.css.dpi&amp;rdquo; having a default value of &amp;ldquo;-1&amp;rdquo;
Change that value to &amp;ldquo;0&amp;rdquo; and restart Firefox, the fonts will be the same size as under Gnome.</description>
    </item>
    
    
    
    <item>
      <title>Howto - fix video playback issues when using Beryl/Compiz/Compiz Fusion</title>
      <link>https://blog.wains.be/2007/2007-07-28-howto-fix-video-playback-issues-when-using-berylcompizcompiz-fusion/</link>
      <pubDate>Sat, 28 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-28-howto-fix-video-playback-issues-when-using-berylcompizcompiz-fusion/</guid>
      <description>categories:
Linux I have used Beryl, Fusion and now run Compiz Fusion.
I have been having the following issue since I first tried Beryl but did not care much about it until today.
When I was playing a video (totem, VLC, etc..), I was getting a black screen instead of the video. The video would show up if I was moving the window around, but it would randomly become black again after a while or if I was doing anything while the video was playing.</description>
    </item>
    
    
    
    <item>
      <title>Encrypted partition using LUKS under Debian</title>
      <link>https://blog.wains.be/2007/2007-07-26-encrypted-partition-using-luks-under-debian/</link>
      <pubDate>Thu, 26 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-26-encrypted-partition-using-luks-under-debian/</guid>
      <description>categories:
Howto Linux Security Install needed packages :
# apt-get install cryptsetup
Load modules (if needed) :
# modprobe aes
LUKS on a free partition :
# cryptsetup luksFormat -c aes -h sha256 /dev/hda6
This would erase any data on the partition !
THE PARTITION SHOULD NOT BE MOUNTED, if so &amp;ldquo;umount /dev/hda6&amp;rdquo;
Formatting the newly created partition :
# cryptsetup luksOpen /dev/hda6 secure
where &amp;ldquo;secure&amp;rdquo; is the name given to the encrypted partition.</description>
    </item>
    
    
    
    <item>
      <title>Put a password on your screen session</title>
      <link>https://blog.wains.be/2007/2007-07-23-put-a-password-on-your-screen-session/</link>
      <pubDate>Mon, 23 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-23-put-a-password-on-your-screen-session/</guid>
      <description>categories:
Linux You can &amp;ldquo;protect&amp;rdquo; the access to a screen session. Don&amp;rsquo;t use your usual password, as the method used is pretty weak (standard DES)
Open a screen session :
$ screen
Inside the session press &amp;ldquo;ctrl + a&amp;rdquo; then type &amp;ldquo;:password&amp;rdquo;
If successfully set, you should see [ Password moved into copybuffer ] in the lower left corner of the terminal.
Now you can detach by pressing &amp;ldquo;ctrl + a&amp;rdquo; then type &amp;ldquo;d&amp;rdquo;
Reattach with &amp;ldquo;screen -r&amp;rdquo; from the prompt.</description>
    </item>
    
    
    
    <item>
      <title>Apache - custom 404 error page returns a 302 error code</title>
      <link>https://blog.wains.be/2007/2007-07-21-apache-custom-404-error-page-returns-a-302-error-code/</link>
      <pubDate>Sat, 21 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-21-apache-custom-404-error-page-returns-a-302-error-code/</guid>
      <description>categories:
Apache Linux First let&amp;rsquo;s look at what the docs say about setting up a custom error page : http://httpd.apache.org/docs/2.0/en/custom-error.html
If you set up your custom 404 error page pointing to a full URL like :
ErrorDocument 404 http://blog.wains.be/404/index.html
You would get an error 302 code.
$ curl -I http://blog.wains.be/mlfkgldk
HTTP/1.1 302 Found
Date: Sat, 21 Jul 2007 09:20:40 GMT
Server: Apache
Location: http://blog.wains.be/404/index.html
Connection: close
Content-Type: text/html; charset=iso-8859-1
If you want to get the real deal :</description>
    </item>
    
    
    
    <item>
      <title>SSH X11 forwarding - running graphical apps remotely</title>
      <link>https://blog.wains.be/2007/2007-07-21-ssh-x11-forwarding-running-graphical-apps-remotely/</link>
      <pubDate>Sat, 21 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-21-ssh-x11-forwarding-running-graphical-apps-remotely/</guid>
      <description>categories:
Linux SSH polishlinux.com has a great article about SSH and its powerful functions.
Original link : http://polishlinux.org/apps/ssh-tricks/#
Here&amp;rsquo;s an excerpt about X forwarding&amp;hellip;
One of the least known functions of SSH is X protocol forwarding. This enables us to run almost every X application remotely! It’s enough to connect to the remote server using the -X option:
ssh -X user1@remote_serwer &#39;application&#39;
and the display of every X application executed from now on will be forwarded to our local X server.</description>
    </item>
    
    
    
    <item>
      <title>.htaccess pcfg_openfile- unable to check htaccess file, ensure it is readable</title>
      <link>https://blog.wains.be/2007/2007-07-19-htaccess-pcfg_openfile-unable-to-check-htaccess-file-ensure-it-is-readable/</link>
      <pubDate>Thu, 19 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-19-htaccess-pcfg_openfile-unable-to-check-htaccess-file-ensure-it-is-readable/</guid>
      <description>categories:
Apache Linux I got this error message in apache error logs :
/some/path/to/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
I was trying to access an image to something like http://www.domain.be/image/picture.jpg
The error message is very misleading because the real issue was just inappropriate rights on the folder &amp;ldquo;image&amp;rdquo;. (I did not have anything involving htaccess around there).
I had the folder chmod&amp;rsquo;ed 644 for some reason.</description>
    </item>
    
    
    
    <item>
      <title>Securely surf the web from an insecure network access using SSH and SOCKS</title>
      <link>https://blog.wains.be/2007/2007-07-19-securely-surf-the-web-from-an-insecure-network-access-using-ssh-and-socks/</link>
      <pubDate>Thu, 19 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-19-securely-surf-the-web-from-an-insecure-network-access-using-ssh-and-socks/</guid>
      <description>categories:
Linux Security SSH Posted by JoshTriplett on Mon 23 Oct 2006 at 12:35 From : http://www.debian-administration.org/articles/449
SSH has numerous uses beyond just logging into a remote system. In particular, SSH allows you to forward ports from one machine to another, tunnelling traffic through the secure SSH connection. This provides a convenient means of accessing a service hosted behind a firewall, or one blocked by an outgoing firewall.
However, forwarding an individual port still requires you to change where your program connects, telling it to use a non-standard port on localhost rather than the standard port on the remote machine, and it requires a separate port forward for each machine you want to access.</description>
    </item>
    
    
    
    <item>
      <title>Wordpress - The uploaded file could not be moved to .</title>
      <link>https://blog.wains.be/2007/2007-07-19-wordpress-the-uploaded-file-could-not-be-moved-to/</link>
      <pubDate>Thu, 19 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-19-wordpress-the-uploaded-file-could-not-be-moved-to/</guid>
      <description>categories:
Security If you get this message when trying to upload a file into wordpress admin area, this may mean that :
the webserver doesn&amp;rsquo;t have the write permissions on the upload directory
safe mode is enabled on the webserver
The easiest fix is to set the value &amp;ldquo;safe_mode&amp;rdquo; to off in /etc/php.ini
YOU MAY NOT WANT TO DO THAT, THIS IS NOT SAFE
Read on..
What is safe mode ?</description>
    </item>
    
    
    
    <item>
      <title>Lock MySQL table(s) in order to make a backup</title>
      <link>https://blog.wains.be/2007/2007-07-18-lock-mysql-tables-in-order-to-make-a-backup-of-a-database/</link>
      <pubDate>Wed, 18 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-18-lock-mysql-tables-in-order-to-make-a-backup-of-a-database/</guid>
      <description>categories:
Linux SQL In order to make a backup of a database, you have to make sure it&amp;rsquo;s not modified while it is in the process of backup.
Let&amp;rsquo;s see here how to lock a single table or a full database..
Locking a table only :
root@host# mysql -p
mysql&amp;gt; CONNECT database;
mysql&amp;gt; LOCK TABLE table READ ;
Query OK, 0 rows affected (0.00 sec)
mysql&amp;gt; INSERT INTO table VALUES (&#39;1&#39;);
ERROR 1099: Table &#39;table&#39; was locked with a READ lock and can&#39;t be updated</description>
    </item>
    
    
    
    <item>
      <title>Ubuntu Studio artwork under Ubuntu classic </title>
      <link>https://blog.wains.be/2007/2007-07-16-ubuntu-studio-artwork-under-ubuntu-classic/</link>
      <pubDate>Mon, 16 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-16-ubuntu-studio-artwork-under-ubuntu-classic/</guid>
      <description>categories:
Gnome Linux Add this to /etc/apt/sources.list : deb http://archive.ubuntustudio.org/ubuntustudio feisty main
Then at the command line type : $ wget -q http://archive.ubuntustudio.org/ubuntustudio.gpg -O- | sudo apt-key add -
Then install the artwork packages :
ubuntustudio-gdm-theme
ubuntustudio-icon-theme
ubuntustudio-sounds
ubuntustudio-theme
ubuntustudio-wallpapers
Some packages are optional, of course. You may want to install others, like screensaver or splashscreen
To get an idea of what it looks like : Google is your friend :)</description>
    </item>
    
    
    
    <item>
      <title>CentOS - secure OpenLDAP traffic with SSL</title>
      <link>https://blog.wains.be/2007/2007-07-13-centos-secure-openldap-traffic-with-ssl/</link>
      <pubDate>Fri, 13 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-13-centos-secure-openldap-traffic-with-ssl/</guid>
      <description>categories:
Howto LDAP Linux Red Hat/CentOS Security I&amp;rsquo;ll consider you already have a database running. I&amp;rsquo;ll only review how to set up the SSL certificate and key and what to change in the config files.
1. SSL cert and key
# mkdir /etc/openldap/ssl &amp;amp;&amp;amp; mkdir /etc/ssl
This would create a self-signed certificate valid for 10 years.
2. Configure LDAP
Under /etc/openldap/slapd.conf (server configuration) add (somewhere between include entries and database entries) : TLSCertificateFile /etc/ssl/ldap-cert.</description>
    </item>
    
    
    
    <item>
      <title>OpenLDAP password protection, security and authentication</title>
      <link>https://blog.wains.be/2007/2007-07-13-openldap-password-protection-security-and-authentication/</link>
      <pubDate>Fri, 13 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-13-openldap-password-protection-security-and-authentication/</guid>
      <description>categories:
Howto LDAP Linux yolinux.com has a great guide about password protection, security and authentication for OpenLDAP.
Source : yolinux.com
Mirror : http://blog.wains.be/mirrors/yolinux.com/openldap-password/</description>
    </item>
    
    
    
    <item>
      <title>Faster Gnome menus</title>
      <link>https://blog.wains.be/2007/2007-07-12-faster-gnome-menus/</link>
      <pubDate>Thu, 12 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-12-faster-gnome-menus/</guid>
      <description>categories:
Gnome Linux Edit the file &amp;ldquo;.gtkrc-2.0&amp;rdquo; under your home directory :
$ cd ~
$ gedit .gtkrc-2.0
Add : gtk-menu-popup-delay = 100
100 for 100 ms
Log off and log back in.</description>
    </item>
    
    
    
    <item>
      <title>Gnome - change autohide panel behavior</title>
      <link>https://blog.wains.be/2007/2007-07-12-ubuntu-change-autohide-panel-behavior/</link>
      <pubDate>Thu, 12 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-12-ubuntu-change-autohide-panel-behavior/</guid>
      <description>categories:
Gnome Linux Tested under Ubuntu only
You can change some settings of the autohide feature of gnome panels (task bar).
For example, by default, when a panel is set to autohide, the bar does not disappear completely.
In a terminal : $ gconf-editor
Then go under the key :
/apps/panel/toplevels/top_panel_screen0
/apps/panel/toplevels/bottom_panel_screen0
The interesting keys are :
auto_hide_size : set this to 0 if you want the bar to completely disappear
hide_delay : change how fast the bar would hide
unhide_delay : same for unhide.</description>
    </item>
    
    
    
    <item>
      <title>Squid cache manager error - socket- (13) Permission denied</title>
      <link>https://blog.wains.be/2007/2007-07-12-squid-cache-manager-error-socket-13-permission-denied/</link>
      <pubDate>Thu, 12 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-12-squid-cache-manager-error-socket-13-permission-denied/</guid>
      <description>categories:
Linux Proxy Security If you get the error
socket: (13) Permission denied
while trying to connect to the cache manager of Squid using cachemgr.cgi, it probably means SElinux is enabled and is preventing cgi files from making TCP connections.
Quick and dirty fix : disabling SElinux
Edit /etc/sysconfig/selinux
Change the value SELINUX to &amp;ldquo;disabled&amp;rdquo;
Clean fix : make a rule in SElinux to allow the connection
I don&amp;rsquo;t know much about SElinux yet, so if someone feels like pointing me to the right direction or submitting something, it is welcomed :)</description>
    </item>
    
    
    
    <item>
      <title>Ubuntu - connect to your secure wireless network without authenticating against</title>
      <link>https://blog.wains.be/2007/2007-07-12-ubuntu-connect-to-your-secure-wireless-network-without-authenticating-against-keyring/</link>
      <pubDate>Thu, 12 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-12-ubuntu-connect-to-your-secure-wireless-network-without-authenticating-against-keyring/</guid>
      <description>categories:
Howto Linux Wifi From : original link
By default, if your wireless network is secured by WPA or such, you have to save the info in your keyring manager, which is protected by a password.
I personally have the same password for my Ubuntu session but also for the keyring manager.
Whenever I log in, I have to authenticate with my user and password, then Gnome tries to connect to my wireless network and prompts me to unlock the keyring.</description>
    </item>
    
    
    
    <item>
      <title>Howto install Munin on CentOS</title>
      <link>https://blog.wains.be/2007/2007-07-11-howto-install-munin-on-centos/</link>
      <pubDate>Wed, 11 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-11-howto-install-munin-on-centos/</guid>
      <description>categories:
Howto Linux Security From : http://blog.jploh.com/post/how-to-install-munin-on-centos/
Munin is a monitoring tool for servers. It uses RRDtool to log and graph data from your servers. The plugin API is very easy to grasp. Actually, I haven’t read the API documentation yet. I just looked at the output of the plugins and it looks easy to achieve. The data can be accessed through the web.
This guide will walk you through installing and configuring Munin on CentOS 4.</description>
    </item>
    
    
    
    <item>
      <title>Exporting your config from a Cisco device to a TFTP server</title>
      <link>https://blog.wains.be/2007/2007-07-09-exporting-your-config-from-a-cisco-device-to-a-tftp-server/</link>
      <pubDate>Mon, 09 Jul 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-07-09-exporting-your-config-from-a-cisco-device-to-a-tftp-server/</guid>
      <description>categories:
Hardware Linux Networks This has been tested under Ubuntu and a Cisco switch model Catalyst 2950 (IOS 12.1)
1. Set up your TFTP server
$ sudo apt-get install xinetd tftpd tftp
$ sudo vi /etc/xinetd.d/tftp
service tftp
{
protocol = udp
port = 69
socket_type = dgram
wait = yes
user = nobody
server = /usr/sbin/in.tftpd
server_args = /tftpboot
disable = no
}
$ sudo mkdir /tftpboot
$ sudo chmod 777 /tftpboot
$ sudo chown nobody /tftpboot</description>
    </item>
    
    
    
    <item>
      <title>Another rant against Linksys</title>
      <link>https://blog.wains.be/2007/2007-06-20-another-rant-against-linksys/</link>
      <pubDate>Wed, 20 Jun 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-06-20-another-rant-against-linksys/</guid>
      <description>categories:
Hardware Misc As you may have read, I had some troubles with my Linksys ADSL Wireless router a while ago.. see here for the story
At the end of this journey, I was still believing Linksys was a good company making good products. Read on.
My father in law switched from a DSL connection to cable lately. The cable company provided a cable modem (a Kathrein DCM 52i+, they have been distributing this model for years).</description>
    </item>
    
    
    
    <item>
      <title>Essential tools for Ubuntu (and others)</title>
      <link>https://blog.wains.be/2007/2007-06-20-essential-ubuntu/</link>
      <pubDate>Wed, 20 Jun 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-06-20-essential-ubuntu/</guid>
      <description>I&amp;rsquo;m going to keep a list of tools I find essential under Linux. I&amp;rsquo;m using Ubuntu as my main desktop OS for now but it should apply to any other distro under Gnome. The tools are available in the Ubuntu repositories unless otherwise stated.
Security tools :
Seahorse : encryption keys manager (SSH, GPG) http://www.gnome.org/projects/seahorse/
Truecrypt : transparent volume encryption http://www.truecrypt.org Not available from the repositories
Wipe : Secure file deletion</description>
    </item>
    
    
    
    <item>
      <title>smb_fill_super- missing data argument when trying to mount a samba share</title>
      <link>https://blog.wains.be/2007/2007-06-18-smb_fill_super-missing-data-argument-when-trying-to-mount-a-samba-share/</link>
      <pubDate>Mon, 18 Jun 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-06-18-smb_fill_super-missing-data-argument-when-trying-to-mount-a-samba-share/</guid>
      <description>categories:
Linux Under Ubuntu, it means the package &amp;ldquo;smbfs&amp;rdquo; is missing..
Install the missing package $ sudo apt-get install smbfs
Somewhat related to this article.. ?</description>
    </item>
    
    
    
    <item>
      <title>Experience with Linksys technical support and their RMA procedure</title>
      <link>https://blog.wains.be/2007/2007-06-13-experience-with-linksys-technical-support-and-their-rma-procedure/</link>
      <pubDate>Wed, 13 Jun 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-06-13-experience-with-linksys-technical-support-and-their-rma-procedure/</guid>
      <description>categories:
Hardware Misc I bought a Linksys wireless DSL gateway on Ebay in May. It was still under warranty as Linksys products are covered for 3 years. According to the seller, the unit was brand new and had never been used, as it was a unit that was sent to him from a RMA procedure. In the meantime, he had bought another router.
The exact model I got was a WAG54G-E2 (hardware version 2) with firmware 1.</description>
    </item>
    
    
    
    <item>
      <title>Blocking Internet Explorer with the Squid Web proxy</title>
      <link>https://blog.wains.be/2007/2007-06-07-blocking-internet-explorer-with-the-squid-web-proxy/</link>
      <pubDate>Thu, 07 Jun 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-06-07-blocking-internet-explorer-with-the-squid-web-proxy/</guid>
      <description>categories:
Howto Linux Proxy This is my own way of blocking Internet Explorer :
/etc/squid/squid.conf :
### We want to block IE, but some sites (grr) are only working under IE
### so we put up a list of safe URL for Internet Explorer in the following file
acl safe_url_for_IE url_regex -i &amp;quot;/etc/squid/ACL/safe_url&amp;quot;
### The ACL for the IE user-agent
acl internet_explorer browser MSIE
### The world
acl all src 0.</description>
    </item>
    
    
    
    <item>
      <title>Keeping threaded view in Thunderbird</title>
      <link>https://blog.wains.be/2007/2007-06-01-keeping-threaded-view-in-thunderbird/</link>
      <pubDate>Fri, 01 Jun 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-06-01-keeping-threaded-view-in-thunderbird/</guid>
      <description>categories:
Misc I find this useful as I&amp;rsquo;m getting used to Gmail threaded view
Users of Mozilla Thunderbird, may have noticed that if you are viewing messages in threaded view, clicking on a column name (other than the thread column) will turn off threaded view.
What if you want to keep threaded view on? Go to Tools–&amp;gt;Options–&amp;gt;Advanced–&amp;gt;General, and click on “Config Editor“. In the Config Editor, search for the preference mailnews.</description>
    </item>
    
    
    
    <item>
      <title>Temporary SpamAssassin rule against Imageshack spam</title>
      <link>https://blog.wains.be/2007/2007-05-29-temporary-spamassassin-rule-against-imageshack-spam/</link>
      <pubDate>Tue, 29 May 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-05-29-temporary-spamassassin-rule-against-imageshack-spam/</guid>
      <description>categories:
Howto This would help blocking the new imageshack spam while we are waiting for a rule to be directly integrated into SpamAssassin :
Create the new rule in a separate file : $ vi /etc/mail/spamassassin/imageshack.cf
body __IMAGESHACK_URL /.*http:\/\/img\d+\.imageshack\.us.*/
meta SPAMSHACK __IMAGESHACK_URL
describe SPAMSHACK ImageShack Spam ?
score SPAMSHACK 10.00
Run spamassassin lint mode to check if everything is fine : $ spamassassin --lint
A test file :
Received: from [200.</description>
    </item>
    
    
    
    <item>
      <title>How to enable OpenSSH on a Synology DS-101 NAS</title>
      <link>https://blog.wains.be/2007/2007-05-21-howto-enable-openssh-on-a-synology-ds-101-nas/</link>
      <pubDate>Mon, 21 May 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-05-21-howto-enable-openssh-on-a-synology-ds-101-nas/</guid>
      <description>categories:
Howto Linux I&amp;rsquo;ll explain how I enabled SSH on my Synology DS-101 box.
This guide is based on Nicolas&amp;rsquo; work : http://www.dotmana.com/index.php/?p=91
1. FIRMWARE UPGRADE
Reboot the DS-101 (this is absolutely necessary in order to achieve the next step)
Upgrade to the latest firmware available from Synology within 5 minutes after reboot. If you don&amp;rsquo;t upgrade within 5 minutes after reboot you&amp;rsquo;ll get an &amp;ldquo;error 24&amp;rdquo; message, and you&amp;rsquo;d need to reboot again.</description>
    </item>
    
    
    
    <item>
      <title>Reviewing the Synology DS-101 NAS</title>
      <link>https://blog.wains.be/2007/2007-05-21-reviewing-the-synology-ds-101-nas/</link>
      <pubDate>Mon, 21 May 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-05-21-reviewing-the-synology-ds-101-nas/</guid>
      <description>categories:
Hardware Misc NSLU2 I got my DS-101 (discontinued product) today and I&amp;rsquo;m so excited about it I want to tell the world ASAP :-D
The Synology DS-101 is a Network Attached Storage unit. By default, it allows FTP and SMB connectivity.
It is running Linux and thus is easily hackable. See : http://www.nslu2-linux.org/wiki/DS101/HomePage
Through some hacking, I was able to enable SSH. Now, I can even browse my files through SSH from Linux.</description>
    </item>
    
    
    
    <item>
      <title>LibClamAV Error- Database Directory- /var/clamav not locked</title>
      <link>https://blog.wains.be/2007/2007-05-16-libclamav-error-database-directory-varclamav-not-locked/</link>
      <pubDate>Wed, 16 May 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-05-16-libclamav-error-database-directory-varclamav-not-locked/</guid>
      <description>categories:
Linux If you get that message when using freshclam, check out the clamd sock file&amp;hellip;
Usually stored under /var/run/clamav/clamd.sock
Verify the ownership on the file, directory, and verify if the owner is similar to the user running clamd.</description>
    </item>
    
    
    
    <item>
      <title>Regex to match a valid IP address</title>
      <link>https://blog.wains.be/2007/2007-05-07-regex-to-match-a-valid-ip-address/</link>
      <pubDate>Mon, 07 May 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-05-07-regex-to-match-a-valid-ip-address/</guid>
      <description>categories:
Linux Match an IPv4 address..
\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
Test your regex rules online at http://www.regextester.com/
IPv6 rule soon ;)</description>
    </item>
    
    
    
    <item>
      <title>How to enable query caching in MySQL</title>
      <link>https://blog.wains.be/2007/2007-05-02-enable-query-cache-in-mysql/</link>
      <pubDate>Wed, 02 May 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-05-02-enable-query-cache-in-mysql/</guid>
      <description>categories:
Linux Query caching should improve MySQL performances..
Edit /etc/my.cnf :
Under the mysqld section add the following lines
[mysqld]
query-cache-type = 1
query-cache-size = 10M
Restart MySQL : # service mysqld restart
Make sure query caching is enabled :
[root@local](1008)# mysql -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9 to server version: 4.1.20
Type &#39;help;&#39; or &#39;\h&#39; for help.</description>
    </item>
    
    
    
    <item>
      <title>VMware server on Ubuntu 7.04 the easy way</title>
      <link>https://blog.wains.be/2007/2007-05-02-vmware-server-on-ubuntu-704-the-easy-way/</link>
      <pubDate>Wed, 02 May 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-05-02-vmware-server-on-ubuntu-704-the-easy-way/</guid>
      <description>categories:
Howto Linux You would find howtos here and there about installation of vmware server the manual way.
There&amp;rsquo;s a much easier way, as it is available in the commercial repository of Canonical
Add this line to /etc/apt/sources.list : deb http://archive.canonical.com/ubuntu feisty-commercial main
From synaptic, install vmware-server, it will install its dependencies along.
Obtain a serial number at http://register.vmware.com/content/registration.html
As soon as it is installed, you can access the vmware console from the Applications menu &amp;gt; System tools &amp;gt; VMware server console</description>
    </item>
    
    
    
    <item>
      <title>clamscan vs. clamdscan</title>
      <link>https://blog.wains.be/2007/2007-04-27-clamscan-vs-clamdscan/</link>
      <pubDate>Fri, 27 Apr 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-04-27-clamscan-vs-clamdscan/</guid>
      <description>categories:
Linux If you&amp;rsquo;re wondering what is best&amp;hellip;
I switched back to clamdscan at 5pm. Actually my system was using clamdscan under amavisd-new. After switching to clamassassin, it was using clamscan by default, I noticed that after a while, seeing how long it was taking for emails to be processed.
Use ./configure --enable-clamdscan when building clamassassin (see README)</description>
    </item>
    
    
    
    <item>
      <title>Postfix &#43; SpamAssassin &#43; ClamAV with procmail without amavisd-new</title>
      <link>https://blog.wains.be/2007/2007-04-26-postfix-spamassassin-clamav-with-procmail-without-amavisd-new/</link>
      <pubDate>Thu, 26 Apr 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-04-26-postfix-spamassassin-clamav-with-procmail-without-amavisd-new/</guid>
      <description>categories:
Howto Linux Postfix Security I used to use Amavisd-new on our email gateway at work. It sucks. It was a memory hog and was consuming around 400 Mb of swap. It was making it difficult to upgrade clamav, something would break anytime you upgraded. I had a very basic use of amavis, I needed to get rid of it and find a better setup.
Basically, I just wanted to pipe the mails into ClamAV then if no viruses were found, pipe them in SpamAssassin, ideally doing all that from procmail.</description>
    </item>
    
    
    
    <item>
      <title>Another review of Ubuntu 7.04</title>
      <link>https://blog.wains.be/2007/2007-04-23-another-review-of-ubuntu-704/</link>
      <pubDate>Mon, 23 Apr 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-04-23-another-review-of-ubuntu-704/</guid>
      <description>categories:
Linux I freshly installed Ubuntu 7.04 on my Toshiba laptop. I first tried to update it but I was getting some slowness issues for some unknown reason.
Let&amp;rsquo;s start with the cons :
Graphic installation anyone ? You can have all those fancy CD sleeves and a nice logo reworked at every release but that text installer would scare anyone used to GUI environments. (this comment apparently applies to the alternate version of Ubuntu, the desktop one has a graphical installer available within the live cd)</description>
    </item>
    
    
    
    <item>
      <title>Eye-candy Ubuntu 7.04</title>
      <link>https://blog.wains.be/2007/2007-04-23-eye-candy-ubuntu-704/</link>
      <pubDate>Mon, 23 Apr 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-04-23-eye-candy-ubuntu-704/</guid>
      <description>categories:
Gnome Linux My personal top 3 for a nice looking desktop.
Install Beryl from the repositories
Install subpixel font rendering : explained here
Prettify the Firefox widgets : explained here Backup of the widget package at http://blog.wains.be/pub/firefox-widgets-10.tar.bz2</description>
    </item>
    
    
    
    <item>
      <title>Installing ZoneMinder 1.22.3 under CentOS 4.4</title>
      <link>https://blog.wains.be/2007/2007-04-23-installing-zoneminder-1223-under-centos-44/</link>
      <pubDate>Mon, 23 Apr 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-04-23-installing-zoneminder-1223-under-centos-44/</guid>
      <description>categories:
Linux http://www.zoneminder.com/
ZoneMinder is intended for use in single or multi-camera video security applications, including commercial or home CCTV, theft prevention and child or family member or/ home monitoring and other care scenarios&amp;hellip;.
Disable SELinux (that&amp;rsquo;s the easy way, I know.. please provide the steps in the comment if you kept SELinux on) : Edit /etc/sysconfig/selinux
Install RPMforge repository : See http://dag.wieers.com/rpm/FAQ.php#B
Install necessary packages : # yum install mysql-server mysql php-mysql mysql-devel libjpeg-devel pcre-devel subversion ffmpeg perl-Archive-Tar perl-MIME-Lite perl-MIME-tools gcc gcc-c++</description>
    </item>
    
    
    
    <item>
      <title>Im a Red Hat Certified Engineer!</title>
      <link>https://blog.wains.be/2007/2007-04-20-im-a-redhat-certified-engineer/</link>
      <pubDate>Fri, 20 Apr 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-04-20-im-a-redhat-certified-engineer/</guid>
      <description>Dear Sebastien Wains: The results of your RHCE Certification Exam are reported below. The RHCE Certification Exam allows candidates to qualify for the Red Hat Certified Engineer (RHCE) and Red Hat Certified Technician (RHCT) certificates. Please note that the RHCE designation is understood to both include and supersede the RHCT designation. SECTION I: TROUBLESHOOTING AND SYSTEM MAINTENANCE RHCE requirements: completion of compulsory items (50 points) overall section score of 80 or higher RHCT requirements: completion of compulsory items (50 points) Compulsory Section I score: 50.</description>
    </item>
    
    
    
    <item>
      <title>Display NFS shares</title>
      <link>https://blog.wains.be/2007/2007-04-10-display-nfs-shares/</link>
      <pubDate>Tue, 10 Apr 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-04-10-display-nfs-shares/</guid>
      <description>categories:
Linux List NFS shares from a remote (or even localhost) server :
# showmount -e server</description>
    </item>
    
    
    
    <item>
      <title>VSftpd on RHEL</title>
      <link>https://blog.wains.be/2007/2007-04-10-vsftpd-on-rhel/</link>
      <pubDate>Tue, 10 Apr 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-04-10-vsftpd-on-rhel/</guid>
      <description>categories:
Linux RHCE FTP server on RHEL
RPM : vsftpd
Config : /etc/vsftpd/vsftpd.conf
By default :
anonymous users will fall in a chroot located in /var/ftp/pub. They have read access only. local users are connecting in their /home and are not chrooted In order to chroot local users use in the config : chroot_local_user=YES
Thanks to Toutim for pointing out a mistake I&amp;rsquo;ve made in this article.</description>
    </item>
    
    
    
    <item>
      <title>Set your keyboard rate and repeat delay under Linux</title>
      <link>https://blog.wains.be/2007/2007-04-03-set-your-keyboard-rate-and-repeat-delay-under-linux/</link>
      <pubDate>Tue, 03 Apr 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-04-03-set-your-keyboard-rate-and-repeat-delay-under-linux/</guid>
      <description>categories:
Linux Just found this out, didn&amp;rsquo;t know that command existed.
$ kbdrate -r30 -d0
This sets the repeat rate to 30 characters per second (which is the maximum value) and a repeat delay of 250 ms (which is the lowest possible).
You may sometimes notice your keyboard rate/repeat delay is slow after attaching it to a running system which was booted without a keyboard attached. I guess this command would help.</description>
    </item>
    
    
    
    <item>
      <title>Connecting to your Linux CentOS box using serial null-modem cable</title>
      <link>https://blog.wains.be/2007/2007-03-30-connecting-to-your-linux-centos-box-using-serial-null-modem-cable/</link>
      <pubDate>Fri, 30 Mar 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-03-30-connecting-to-your-linux-centos-box-using-serial-null-modem-cable/</guid>
      <description>categories:
Howto Linux This has been tested under CentOS 4.4.
Why would I need that ? This is useful if you set up a server that will be located in a place where there&amp;rsquo;s little chance of having a keyboard and a monitor around. It is also useful when, like me, you&amp;rsquo;re given something like 2 square meters to store your servers.
What you need : Server : At least one serial port available on the linux box and the &amp;ldquo;util-linux&amp;rdquo; package installed.</description>
    </item>
    
    
    
    <item>
      <title>Allowing Apache/mod_dosevasive to use iptables through sudoers</title>
      <link>https://blog.wains.be/2007/2007-03-29-allowing-apachemod_dosevasive-to-use-iptables-through-sudoers/</link>
      <pubDate>Thu, 29 Mar 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-03-29-allowing-apachemod_dosevasive-to-use-iptables-through-sudoers/</guid>
      <description>categories:
Apache Howto Linux Security What is mod_dosevasive ?
mod_dosevasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera.
Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:</description>
    </item>
    
    
    
    <item>
      <title>Install the latest kernel from Kernel.org under CentOS 4.4</title>
      <link>https://blog.wains.be/2007/2007-03-28-install-the-latest-kernel-from-kernelorg-under-centos-44/</link>
      <pubDate>Wed, 28 Mar 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-03-28-install-the-latest-kernel-from-kernelorg-under-centos-44/</guid>
      <description>categories:
Linux Red Hat/CentOS This was just part of an experiment on a test machine. I wanted to see if it was a pain to install the latest kernel to a CentOS 4.4 system, and see if the system was stable etc.
The following steps are based on http://howtoforge.com/kernel_compilation_centos guide.
It is probably not the best way to deal with it. And you probably don&amp;rsquo;t want to install the latest kernel on a production system.</description>
    </item>
    
    
    
    <item>
      <title>SWAP space under RHEL/CentOS</title>
      <link>https://blog.wains.be/2007/2007-03-27-swap-space-under-rhelcentos/</link>
      <pubDate>Tue, 27 Mar 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-03-27-swap-space-under-rhelcentos/</guid>
      <description>categories:
RHCE Adding a 250 MB swap file to the system
Create an empty 250M file : dd if=/dev/zero of=/swapfile bs=1024 count=256000
Create the swap on the newly created file : mkswap /swapfile
Enable the new swap file : swapon /swapfile
Edit fstab and add : /swapfile swap swap defaults 0 0
Verify that the new swap space is enabled : cat /proc/swaps ; free -m
A good idea is to have your swap partition as an LVM volume.</description>
    </item>
    
    
    
    <item>
      <title>Managing LVM on Red Hat based systems</title>
      <link>https://blog.wains.be/2007/2007-03-26-managing-lvm-on-redhat-based-systems/</link>
      <pubDate>Mon, 26 Mar 2007 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-03-26-managing-lvm-on-redhat-based-systems/</guid>
      <description>categories:
RHCE Steps :
Creation of Physical Volumes (container of volume groups) Creation of Volume Groups (container of logical volumes) Creation of Logical Volumes (&amp;ldquo;partitions&amp;rdquo;) Formatting the Logical Volumes (optional) Resizing Logical Volumes 1. Creation of Physical Volumes (PV)
pvcreate /dev/hda4 pvdisplay
It is good practice to always use &amp;ldquo;(pv|vg|lv)display&amp;rdquo; after creating a volume.
/dev/hda4 is an empty partition.. see fdisk manpages for help.
2. Creation of Volume Groups (VG)</description>
    </item>
    
    
    
    <item>
      <title>Resetting frozen Ipod</title>
      <link>https://blog.wains.be/2007/2007-03-25-resetting-frozen-ipod/</link>
      <pubDate>Sun, 25 Mar 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-03-25-resetting-frozen-ipod/</guid>
      <description>categories:
Apple/Mac OS My iPod froze the other day and I had to Google around to find how to reset the small piece of hardware.
The following page has a nice interactive panel showing how to access hidden functions of your iPod.
http://www.command-tab.com/post/hidden-ipod-commands/</description>
    </item>
    
    
    
    <item>
      <title>Unsolvable - Gratuitous ARP from our Windows 2000 server with Intel Pro 1000</title>
      <link>https://blog.wains.be/2007/2007-03-24-unsolvable-gratuitous-arp-from-our-windows-2000-server-with-intel-pro-1000/</link>
      <pubDate>Sat, 24 Mar 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-03-24-unsolvable-gratuitous-arp-from-our-windows-2000-server-with-intel-pro-1000/</guid>
      <description>categories:
Networks Windows With the accuracy of a Swiss clock, our Windows 2000 server at work sends gratuitous ARP requests every 30 seconds for some unknown reason.
It has always been doing that. I&amp;rsquo;ve tried to figure out the issue every now and then, when I had some time to kill.
The question is.. is it software or hardware related ? The strange thing is the gratuitous ARP requests are supposedly from an IP totally unknown in the network.</description>
    </item>
    
    
    
    <item>
      <title>Quota on RHEL/CentOS</title>
      <link>https://blog.wains.be/2007/2007-03-23-quota-on-rhelcentos/</link>
      <pubDate>Fri, 23 Mar 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-03-23-quota-on-rhelcentos/</guid>
      <description>categories:
RHCE Here are the steps to implementing quotas on a RedHat based system :
We will enable quotas on /home on the /dev/hda3 partition.
Create user : useradd user1 passwd user1
Edit /etc/fstab : From : /dev/hda3 /home ext3 defaults 1 2 To : /dev/hda3 /home ext3 defaults,usrquota,grpquota 1 2
Remount the disk (make sure it&amp;rsquo;s not in use) : mount -o remount /home
Check if usrquota and grpquota are enabled : mount | grep /home</description>
    </item>
    
    
    
    <item>
      <title>Resize ext3 partitions</title>
      <link>https://blog.wains.be/2007/2007-03-16-resize-ext3-partitions/</link>
      <pubDate>Fri, 16 Mar 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-03-16-resize-ext3-partitions/</guid>
      <description>categories:
Howto Linux Say we have a brand new already ext3 formatted disk on our system.. say it has a 300 GB partition and it is brand new, so not running anything on the system. DO NOT TRY RESIZING PARTITIONS ON SYSTEM DISKS UNLESS YOU KNOW WHAT YOU ARE DOING.
We are gonna copy the old 100 GB partition to the new partition.
Old : sda2 New : sdb1
dd if=/dev/sda2 of=/dev/sdb1 bs=4k</description>
    </item>
    
    
    
    <item>
      <title>CentOS &#43; RAID with mdadm</title>
      <link>https://blog.wains.be/2007/2007-03-12-centos-raid-with-mdadm/</link>
      <pubDate>Mon, 12 Mar 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-03-12-centos-raid-with-mdadm/</guid>
      <description>categories:
RHCE RHCE exam requires you to be able to create a RAID array on a running system, as well as with the installer.
I won&amp;rsquo;t explain here how to deal with the installer as it&amp;rsquo;s pretty easy.
1. create the partitions
Using fdisk or else Set the ID type to &amp;ldquo;fd&amp;rdquo; (Linux RAID autodetect)
Say we got here /dev/hda2 and /dev/hdb2
2. create the RAID array with the first drive only</description>
    </item>
    
    
    
    <item>
      <title>SpamAssassin &#43; Razor2 on CentOS/RHEL</title>
      <link>https://blog.wains.be/2007/2007-03-07-spamassassin-razor2-on-centosrhel/</link>
      <pubDate>Wed, 07 Mar 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-03-07-spamassassin-razor2-on-centosrhel/</guid>
      <description>categories:
Howto Linux Install SpamAssassin 3.1.8
Install razor-agents and perl-Razor-Agent from dag&amp;rsquo;s http://dag.wieers.com/rpm/packages/razor-agents/
Or from Razor homepage : http://razor.sourceforge.net/
Restart SpamAssassin : service spamassassin condrestart
Run a test to see if razor2 is running (should be enabled by default in v310.pre) : spamassassin -t -D razor2 &amp;lt; /usr/share/doc/spamassassin-3.1.8/sample-spam.txt
Output : [1284] dbg: razor2: razor2 is available, version 2.82 Razor-Log: Computed razorhome from env: /root/.razor Razor-Log: Found razorhome: /root/.razor Razor-Log: No /root/.</description>
    </item>
    
    
    
    <item>
      <title>Setting up http/https on CentOS</title>
      <link>https://blog.wains.be/2007/2007-03-06-setting-up-httphttps-on-centos/</link>
      <pubDate>Tue, 06 Mar 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-03-06-setting-up-httphttps-on-centos/</guid>
      <description>categories:
RHCE Packages needed : httpd + deps Package needed for https : mod_ssl
yum install httpd mod_ssl
service httpd start chkconfig httpd on
Done !
I&amp;rsquo;m not sure what they could ask about Apache at the RHCE exam.. ? Virtual domains ?</description>
    </item>
    
    
    
    <item>
      <title>SpamAssassin - Rules du jour on CentOS/RHEL 4</title>
      <link>https://blog.wains.be/2007/2007-03-06-spamassassin-rules-du-jour-on-centosrhel-4/</link>
      <pubDate>Tue, 06 Mar 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-03-06-spamassassin-rules-du-jour-on-centosrhel-4/</guid>
      <description>categories:
Howto Linux Red Hat/CentOS Download the script (functional for me as of today with SpamAssassin 3.1.8) : wget http://blog.wains.be/pub/rules_du_jour.gz -O /usr/local/bin/rules_du_jour.gz &amp;amp;&amp;amp; gzip -d /usr/local/bin/rules_du_jour.gz
I always find it difficult to download the script (site down, etc), so I put my current script online.
Set the exec bit : chmod +x /usr/local/bin/rules_du_jour
Create the config file : mkdir /etc/rulesdujour Create and edit /etc/rulesdujour/config :
TRUSTED_RULESETS=&amp;quot;SARE_ADULT SARE_STOCKS SARE_WHITELIST SARE_RANDOM SARE_EVILNUMBERS0 SARE_BML TRIPWIRE&amp;quot; SA_DIR=/etc/mail/spamassassin EMAIL_RDJ_UPDATE_ONLY= SINGLE_EMAIL_ONLY=true MAIL_ADDRESS=your@address.</description>
    </item>
    
    
    
    <item>
      <title>Linux-Anti-Theft</title>
      <link>https://blog.wains.be/2007/2007-03-05-linux-anti-theft/</link>
      <pubDate>Mon, 05 Mar 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-03-05-linux-anti-theft/</guid>
      <description>categories:
Linux-Anti-Theft I released a small utility mainly intended at my personal use.
Homepage : http://blog.wains.be/projects/linux-anti-theft/
Download : http://blog.wains.be/projects/pub/</description>
    </item>
    
    
    
    <item>
      <title>SpamAssassin &#43; DCC on CentOS/RHEL</title>
      <link>https://blog.wains.be/2007/2007-03-05-spamassassin-dcc/</link>
      <pubDate>Mon, 05 Mar 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-03-05-spamassassin-dcc/</guid>
      <description>categories:
Howto Linux Postfix I decided to give a try to DCC on our CentOS 3.8 mail gateway running Postfix.
SpamAssassin 3.1.8 was already installed.
Install package : rpm -ihv http://repo.securityteam.us/repository/redhat/el3/i386/RPMS/dcc-1.3.12-1.i386.rpm
In order to work properly, DCC needs the following iptables rule : iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 6277 -j ACCEPT
Edit /etc/dcc/dcc_conf and enable dccifd : DCCIFD_ENABLE=on
Edit /etc/mail/spamassassin/local.cf : use_dcc 1 dcc_home /etc/dcc</description>
    </item>
    
    
    
    <item>
      <title>Hide PHP version in the header (X-Powered-By)</title>
      <link>https://blog.wains.be/2007/2007-03-03-hide-php-version-in-the-header-x-powered-by/</link>
      <pubDate>Sat, 03 Mar 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-03-03-hide-php-version-in-the-header-x-powered-by/</guid>
      <description>categories:
Apache Linux Edit /etc/php.ini (under RHEL/CentOS) and set : expose_php = Off
Before : $ curl -I blog.wains.be HTTP/1.0 200 OK Date: Sat, 03 Mar 2007 14:55:17 GMT Server: Apache X-Powered-By: PHP/4.x.x X-Pingback: http://blog.wains.be/xmlrpc.php Content-Type: text/html; charset=UTF-8 X-Cache: MISS from localhost Connection: close
After : $ curl -I blog.wains.be HTTP/1.0 200 OK Date: Sat, 03 Mar 2007 15:11:36 GMT Server: Apache X-Pingback: http://blog.wains.be/xmlrpc.php Content-Type: text/html; charset=UTF-8 X-Cache: MISS from localhost Connection: close</description>
    </item>
    
    
    
    <item>
      <title>Mount NTFS disks under CentOS</title>
      <link>https://blog.wains.be/2007/2007-02-28-mount-ntfs-disks-under-centos/</link>
      <pubDate>Wed, 28 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-28-mount-ntfs-disks-under-centos/</guid>
      <description>categories:
Red Hat/CentOS Download the NTFS kernel modules from : http://www.linux-ntfs.org/content/view/135/71/
The download for the current kernel at the time is kernel-module-ntfs-2.6.9-42.0.8.EL-2.1.20-0.rr.10.0.i686.rpm
Install the RPM : rpm -ihv kernel-module-ntfs-2.6.9-42.0.8.EL-2.1.20-0.rr.10.0.i686.rpm
Load the kernel module : modprobe ntfs
Find the disk info : fdisk -l One partition should be mentioned as HPFS/NTFS
Mount the partition : mkdir /media/win mount -t ntfs /dev/hdb1 /media/win
Voilà !</description>
    </item>
    
    
    
    <item>
      <title>Setting up NFS &#43; autofs under CentOS 4</title>
      <link>https://blog.wains.be/2007/2007-02-28-setting-up-nfs-under-centos-4/</link>
      <pubDate>Wed, 28 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-28-setting-up-nfs-under-centos-4/</guid>
      <description>categories:
RHCE Packages needed : nfs-utils
Server side
Edit /etc/exports : /home *(rw,sync)
Start service and make sure it&amp;rsquo;ll start at boot service nfs start chkconfig nfs on
Client side
Check if you can reach the server : rpcinfo -p 10.0.0.254
Manually mounting the shared folder mount -t nfs 10.0.0.254:/home /home
Setting up autofs on the client side to automount the NFS share :
Package needed : autofs
Let&amp;rsquo;s say we have a user &amp;ldquo;admin&amp;rdquo;</description>
    </item>
    
    
    
    <item>
      <title>Setting up NIS under CentOS 4</title>
      <link>https://blog.wains.be/2007/2007-02-28-setting-up-nis-under-centos-4/</link>
      <pubDate>Wed, 28 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-28-setting-up-nis-under-centos-4/</guid>
      <description>categories:
RHCE Server : server.lab.local (10.0.0.254) Client : client1.lab.local (10.0.0.1)
Server side :
Packages needed : yp-tools ypbind ypserv portmap
Edit /etc/yp.conf : domain lab.local server server ypserver server
Following this scheme : domain ${domain} server ${host} ypserver ${host}
By default /etc/ypserv.conf is ok.
Edit /etc/sysconfig/network and add : NISDOMAIN=lab.local
At the prompt : # domainname lab.local
Still under the prompt : service portmap start chkconfig portmap on
Start the NIS server : service ypserv start</description>
    </item>
    
    
    
    <item>
      <title>Creating a local CentOS mirror</title>
      <link>https://blog.wains.be/2007/2007-02-26-creating-a-local-centos-mirror/</link>
      <pubDate>Mon, 26 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-26-creating-a-local-centos-mirror/</guid>
      <description>categories:
RHCE For my RHCE prep, I&amp;rsquo;m setting up a small lab of 3 machines.. one machine will act as the server.. For my ease of use, I decided to build a local mirror of the CentOS repository (base and updates).
I had downloaded the 4 ISO images of CentOS 4.4 overnight and burnt them.
Please consider the following : I&amp;rsquo;m only building a local copy of the base and updates repo for CentOS 4.</description>
    </item>
    
    
    
    <item>
      <title>RHEL package management</title>
      <link>https://blog.wains.be/2007/2007-02-21-package-management/</link>
      <pubDate>Wed, 21 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-21-package-management/</guid>
      <description>categories:
RHCE Compilation of most common commands dealing with package management.
up2date
Install up2date -i package
Show packages groups up2date --show-groups
Install a package group up2date -i @GROUP_NAME (e.g. : up2date -i @GNOME Desktop Environment)
up2date sources specified under /etc/sysconfig/rhn/sources
yum
Install yum install package
Get info yum info package
Remove yum erase package
Check if update available yum check-update
Find package providing the file yum whatprovides /some/file
Clean all yum caches yum clean all</description>
    </item>
    
    
    
    <item>
      <title>passwd- User not known to the underlying authentication module</title>
      <link>https://blog.wains.be/2007/2007-02-19-passwd-user-not-known-to-the-underlying-authentication-module/</link>
      <pubDate>Mon, 19 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-19-passwd-user-not-known-to-the-underlying-authentication-module/</guid>
      <description>categories:
Linux RHCE If you ran &amp;ldquo;pwunconv&amp;rdquo; and try to change the password of a user, you may get that error message.
passwd: User not known to the underlying authentication module
Try &amp;ldquo;pwconv&amp;rdquo; and try again.
pwconv explained here</description>
    </item>
    
    
    
    <item>
      <title>tar, gzip, bzip2</title>
      <link>https://blog.wains.be/2007/2007-02-19-tar-gzip-bzip2/</link>
      <pubDate>Mon, 19 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-19-tar-gzip-bzip2/</guid>
      <description>categories:
RHCE Overview of the most common commands when it comes to compression&amp;hellip;
Tar
Create a tar file : tar -cpf target.tar source_folder/
Create a tar.gz file : tar -cpzf target.tar.gz source_folder/
Create a tar.bz2 file : tar -cpjf target.tar.bz2 source_folder/
-c : create -p : preserve permissions -z : gzip -j : bzip -f : file -x : extract -v : verbose -t : test
Extract foo.tar : tar -xvf foo.</description>
    </item>
    
    
    
    <item>
      <title>The Linux Runlevel</title>
      <link>https://blog.wains.be/2007/2007-02-19-the-linux-runlevel/</link>
      <pubDate>Mon, 19 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-19-the-linux-runlevel/</guid>
      <description>categories:
RHCE I&amp;rsquo;m pretty sure they don&amp;rsquo;t provide the root password at the RHCE exam and ask you to deal with it :)
Runlevels : * 0 - Halt the system * 1 - Single-user mode * 2 - Multi-user mode (without NFS) * 3 - Multi-user mode * 4 - Unused * 5 - Multi-user mode, graphical login * 6 - Reboot the system
Switch runlevel while the system is running (example : switch to runlevel 5) : telinit 5</description>
    </item>
    
    
    
    <item>
      <title>Users/groups management under RHEL</title>
      <link>https://blog.wains.be/2007/2007-02-19-usersgroups-management-under-rhel/</link>
      <pubDate>Mon, 19 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-19-usersgroups-management-under-rhel/</guid>
      <description>categories:
RHCE useradd [options] account usermod [options] account userdel [-r] account (-r would delete the home directory)
Default values when creating a user stored under /etc/default/useradd # useradd defaults file GROUP=100 HOME=/home INACTIVE=-1 EXPIRE= SHELL=/bin/bash SKEL=/etc/skel
/etc/skel contains the skeleton of the files in the home directory of any newly created account
/etc/login.defs file defines the site-specific configuration for the shadow password suite.
Disable an account : passwd -l account Enable an account : passwd -u account</description>
    </item>
    
    
    
    <item>
      <title>Analyzing TCP packets</title>
      <link>https://blog.wains.be/2007/2007-02-18-analyzing-tcp-packets/</link>
      <pubDate>Sun, 18 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-18-analyzing-tcp-packets/</guid>
      <description>categories:
RHCE Reviewing the basics of TCP/IP networking.. I wasn&amp;rsquo;t able to find the command displaying a full detail of datagrams using tcpdump.. And as I tend to always forget how to get that verbose output, I&amp;rsquo;ll post it here for good.
Had to install Wireshark, as I couldn&amp;rsquo;t find how to get it under tcpdump (drop a comment if you know the answer ! :) )
Command : $ tshark -V -i eth0</description>
    </item>
    
    
    
    <item>
      <title>Environment variables</title>
      <link>https://blog.wains.be/2007/2007-02-18-environment-variables/</link>
      <pubDate>Sun, 18 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-18-environment-variables/</guid>
      <description>categories:
RHCE Displaying global variables &amp;ndash;&amp;gt; &amp;ldquo;printenv&amp;rdquo; or &amp;ldquo;env&amp;rdquo; Displaying local variables &amp;ndash;&amp;gt; &amp;ldquo;set&amp;rdquo;
Set a local variable : VARNAME=&amp;quot;value&amp;quot;
Local vars only available in the current shell.
Set a global variable : export VARNAME=&amp;quot;value&amp;quot;
Useful special bash variables : $?	Exit status of the most recently executed foreground pipeline. $$	Process ID of the shell. $!	Process ID of the most recently executed background command. $0	Expands to the name of the shell or shell script.</description>
    </item>
    
    
    
    <item>
      <title>grep, sed, awk</title>
      <link>https://blog.wains.be/2007/2007-02-18-grep-sed-awk/</link>
      <pubDate>Sun, 18 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-18-grep-sed-awk/</guid>
      <description>categories:
RHCE Let&amp;rsquo;s continue with the basics&amp;hellip; Reviewing only the really useful, and not going into the deep
If you have some useful tips, please share ! :)
Grep
grep : print lines matching a pattern (equals &amp;ldquo;grep -G&amp;rdquo; which is the default) egrep : equals grep -E (interpret extended regexp)
grep -n : line numbered grep -i : ignore case grep -c : count matches grep -v : print non-matching lines grep -r : recursivity, read all files under each directory</description>
    </item>
    
    
    
    <item>
      <title>Keep your machine synchronized using NTP</title>
      <link>https://blog.wains.be/2007/2007-02-18-keep-your-machine-synchronized-using-ntp/</link>
      <pubDate>Sun, 18 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-18-keep-your-machine-synchronized-using-ntp/</guid>
      <description>categories:
Howto Linux Security Install the package : yum install ntp
Make a backup of the default config cp /etc/ntp.conf /etc/ntp.conf.default
Minimal and pretty safe /etc/ntp.conf : server 0.europe.pool.ntp.org server 1.europe.pool.ntp.org server 2.europe.pool.ntp.org server 0.north-america.pool.ntp.org server 1.north-america.pool.ntp.org server 2.north-america.pool.ntp.org driftfile /var/lib/ntp/drift restrict default nopeer nomodify restrict 127.0.0.1
Make sure NTP daemon will start at boot : chkconfig ntpd on
Start the NTP service : service ntpd start
Verify if your server can reach the peers : # ntpq -pn remote refid st t when poll reach delay offset jitter 195.</description>
    </item>
    
    
    
    <item>
      <title>Reading documentation under RHEL</title>
      <link>https://blog.wains.be/2007/2007-02-18-reading-documentation-under-rhel/</link>
      <pubDate>Sun, 18 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-18-reading-documentation-under-rhel/</guid>
      <description>categories:
RHCE Several ways to get help quickly. Need to get used to finding the missing info as fast as possible (I&amp;rsquo;m already pretty fast usually, but need to improve if possible)..
# whatis named named (8) - Internet domain name server named-checkconf (8) - named configuration file syntax checking tool named-checkzone (8) - zone file validity checking tool named.conf [named] (5) - configuration file for named
# apropos named Opcode (3pm) - Disable named opcodes when compiling perl code XML::DOM::NamedNodeMap (3pm) - A hash table interface for XML::DOM charnames (3pm) - define character names for eN{named} string literal escapes fifo (4) - first-in first-out special file, named pipe mkfifo (1) - make FIFOs (named pipes) mkfifo (3) - make a FIFO special file (a named pipe) named (8) - Internet domain name server named-checkconf (8) - named configuration file syntax checking tool named-checkzone (8) - zone file validity checking tool named.</description>
    </item>
    
    
    
    <item>
      <title>Converting watts (W) to kilowatt-hours (kWh) and vice-versa</title>
      <link>https://blog.wains.be/2007/2007-02-17-converting-watts-w-to-kilowatt-hours-kwh-and-vice-versa/</link>
      <pubDate>Sat, 17 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-17-converting-watts-w-to-kilowatt-hours-kwh-and-vice-versa/</guid>
      <description>categories:
Misc If you draw 100 W / hour on average
100W x (8760 hours per year) / 1000 = 876 kWh
Thus : 1 kWh = 0.114155 W on average 1 W on average = 8.76 kWh
The power here costs 0.1429 € per kWh.
876 kWh * 0.1429 = €125.18
Leaving something on that draws 100 W on average costs €125 per year.</description>
    </item>
    
    
    
    <item>
      <title>Fixing scrambled terminal</title>
      <link>https://blog.wains.be/2007/2007-02-17-fixing-scrambled-terminal/</link>
      <pubDate>Sat, 17 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-17-fixing-scrambled-terminal/</guid>
      <description>categories:
Linux To fix a scrambled terminal display, as it sometimes happens, (blindly) type at the prompt :
reset
Your terminal is now back in shape.</description>
    </item>
    
    
    
    <item>
      <title>Input/output redirections and pipes</title>
      <link>https://blog.wains.be/2007/2007-02-17-inputoutput-redirections-and-pipes/</link>
      <pubDate>Sat, 17 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-17-inputoutput-redirections-and-pipes/</guid>
      <description>categories:
RHCE Today is the day I&amp;rsquo;m diving into the docs getting ready for the RHCE exam (exam on April 20) I&amp;rsquo;m adding a RHCE category to the site. I&amp;rsquo;ll put all my study notes in there.
Feel free to drop a comment if you have any useful tip or trick !
Let&amp;rsquo;s begin with the basics..
Standard input (stdin) : 0 Standard output (stdout) : 1 Error output (stderr) : 2</description>
    </item>
    
    
    
    <item>
      <title>My review of Mac OS X</title>
      <link>https://blog.wains.be/2007/2007-02-16-my-review-of-mac-os-x/</link>
      <pubDate>Fri, 16 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-16-my-review-of-mac-os-x/</guid>
      <description>categories:
Apple/Mac OS I&amp;rsquo;ll describe here my experience with Mac OS X as my main OS after 5 days (installed it on Sun 11 Feb 2007). I&amp;rsquo;ll keep this post updated with my latest discoveries.. Don&amp;rsquo;t blame me if I&amp;rsquo;m complaining about something while I&amp;rsquo;m just missing the point, drop a comment if so, I&amp;rsquo;d love to have feedback from Mac users.
Pros :
It just works, insert the DVD, install, you&amp;rsquo;re done and it takes like 15 minutes (and not the usual 39 minutes (whether you have a P3 or a Dual Core 2.</description>
    </item>
    
    
    
    <item>
      <title>Securely synchronize a folder from a remote machine with SSH</title>
      <link>https://blog.wains.be/2007/2007-02-13-securely-synchronize-a-folder-from-a-remote-machine-with-ssh/</link>
      <pubDate>Tue, 13 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-13-securely-synchronize-a-folder-from-a-remote-machine-with-ssh/</guid>
      <description>categories:
Howto Linux Security SSH rsync -vaz -e ssh user@server.domain.be:/home/user/ /home/user/
Source : user@server.domain.be:/home/user/ Target : /home/user/
-a : archive mode, preserve owner/group and permissions -v : verbose -z : compress data during transfer -e : the remote shell to use
Output : receiving file list ... done created directory /home/user ./ 28403/ BEXX0014/ 28403.xml error.xml . sent 876 bytes received 1294165 bytes 2590082.00 bytes/sec total size is 1644823 speedup is 1.</description>
    </item>
    
    
    
    <item>
      <title>Tunneling UDP through SSH</title>
      <link>https://blog.wains.be/2007/2007-02-13-tunneling-udp-requests-through-ssh/</link>
      <pubDate>Tue, 13 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-13-tunneling-udp-requests-through-ssh/</guid>
      <description>categories:
Howto Linux Security SSH Say you need to forward UDP packets between two remote networks securely. E.g : dns queries from your home machine to your dns servers at work. You should use a VPN between the networks in order to do so (see : http://blog.wains.be/post/routed-openvpn-between-two-subnets-behind-nat-gateways/)
Otherwise, you can use the following way :
1. Connect to the remote server and set up TCP forward client$ ssh -L 22222:127.0.0.1:22222 remote.</description>
    </item>
    
    
    
    <item>
      <title>Cross-monitoring 2 Linux machines in a LAN</title>
      <link>https://blog.wains.be/2007/2007-02-08-cross-monitoring-between-2-linux-machines-in-a-lan/</link>
      <pubDate>Thu, 08 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-08-cross-monitoring-between-2-linux-machines-in-a-lan/</guid>
      <description>categories:
Howto Linux Security Scenario :
You want 2 Linux machines in your network to monitor themselves. If one machine goes down, the other sends an email to the admin.
machine A has the IP 192.168.1.1 (machineA.local.domain.be) machine B has the IP 192.168.1.2 (machineB.local.domain.be)
Configuration :
Install heartbeat. CentOS/RHEL Packages available here : http://dev.centos.org/centos/4/testing/i386/RPMS/
/etc/ha.d/authkeys Machine A + B : auth 3 3 md5 thisisarandomstringofcharacters
The authkey is a shared secret between the machines, thus it has to be the same on the two machines.</description>
    </item>
    
    
    
    <item>
      <title>CentOS 4 - chroot DNS with BIND</title>
      <link>https://blog.wains.be/2007/2007-02-04-centos-chroot-dns-with-bind/</link>
      <pubDate>Sun, 04 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-04-centos-chroot-dns-with-bind/</guid>
      <description>categories:
DNS Howto Linux Red Hat/CentOS I won&amp;rsquo;t go into the details of what is DNS, or the difference between an A record and a CNAME record.. just a quick howto to set up a chrooted DNS server using Bind under CentOS in a mere 5 minutes..
Howto available for CentOS 5 : http://blog.wains.be/post/centos-5-chroot-dns-with-bind/
1. Install packages :
yum install bind bind-chroot bind-libs bind-utils
2. Configure rndc :
The rndc tool allows you to get some useful info on your DNS server (stats, status, etc.</description>
    </item>
    
    
    
    <item>
      <title>DIY - Passive network tap</title>
      <link>https://blog.wains.be/2007/2007-02-01-diy-passive-network-tap/</link>
      <pubDate>Thu, 01 Feb 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-02-01-diy-passive-network-tap/</guid>
      <description>categories:
Hardware Networks Security I made a lan tap following this great guide : http://www.ossmann.com/5-in-1.html
This is the schema : Another link : http://gd.tuwien.ac.at/infosys/security/snort/docs/tap/
I made a loopback plug too and the short cross over cable too&amp;hellip;
Here&amp;rsquo;s my kit :
Passive network tap box Straight cable Cross over cable Coupler Loop connector Passive network tap connector </description>
    </item>
    
    
    
    <item>
      <title>kernel panic - not syncing - Attempted to kill init</title>
      <link>https://blog.wains.be/2007/2007-01-31-kernel-panic-not-syncing-attempted-to-kill-init/</link>
      <pubDate>Wed, 31 Jan 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-01-31-kernel-panic-not-syncing-attempted-to-kill-init/</guid>
      <description>categories:
Howto Linux My home server hard drive started to have problems (bad sectors, noisy, etc..)
I decided it was time to reinstall CentOS before it was too late
I had some important data on the old drive, I would recover the data by just plugging it in when the new system would be installed on the new drive.
So, I installed CentOS 4.4 and partitioned the new drive pretty much like the old one.</description>
    </item>
    
    
    
    <item>
      <title>PMB - php-yaz on Redhat 4 / CentOS 4 / Fedora (FR)</title>
      <link>https://blog.wains.be/2007/2007-01-30-pmb-php-yaz-sous-redhat-4-centos-4-fedora-fr/</link>
      <pubDate>Tue, 30 Jan 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-01-30-pmb-php-yaz-sous-redhat-4-centos-4-fedora-fr/</guid>
      <description>categories:
Linux We use PMB at work (http://www.sigb.net). This software offers an interesting feature that allows contacting external PMB libraries; this feature relies on a module called &amp;ldquo;YAZ&amp;rdquo; and its web-server-side module &amp;ldquo;PHP-YAZ&amp;rdquo;.
We use a CentOS server (equivalent to Redhat Enterprise RHEL, or even Fedora Core).
The problem lay with the RPMs available on the Yaz developers&amp;rsquo; site. After installing the yaz and libyaz RPMs, it did not work, the PHP module (php-yaz.</description>
    </item>
    
    
    
    <item>
      <title>Reloading /etc/inittab</title>
      <link>https://blog.wains.be/2007/2007-01-30-reloading-etcinittab/</link>
      <pubDate>Tue, 30 Jan 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-01-30-reloading-etcinittab/</guid>
      <description>categories:
Linux After any change made to /etc/inittab (like removing useless mingetty&amp;rsquo;s), type this to restart the init process without rebooting :
init q</description>
    </item>
    
    
    
    <item>
      <title>/usr/bin/ld- cannot find -lgcrypt</title>
      <link>https://blog.wains.be/2007/2007-01-29-usrbinld-cannot-find-lgcrypt/</link>
      <pubDate>Mon, 29 Jan 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-01-29-usrbinld-cannot-find-lgcrypt/</guid>
      <description>categories:
Linux Red Hat/CentOS While trying to compile yaz, I got this error :
&amp;ldquo;/usr/bin/ld: cannot find -lgcrypt&amp;rdquo;
Simple fix :
Install this package: libgcrypt-devel
yum install libgcrypt-devel</description>
    </item>
    
    
    
    <item>
      <title>Apache - conditional http authentication</title>
      <link>https://blog.wains.be/2007/2007-01-26-apache-conditional-http-authentication/</link>
      <pubDate>Fri, 26 Jan 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-01-26-apache-conditional-http-authentication/</guid>
      <description>categories:
Apache Howto Linux Security This is what I needed to do : I have a virtual host (say sub.domain.be) running under Apache web server at work that should be accessible for everybody on the local network but as well for a bunch of people outside of it. The main concern is security, we would consider the local network as safe while anything else is not.
Thus, the condition is this :</description>
    </item>
    
    
    
    <item>
      <title>Make an ISO out of a CD</title>
      <link>https://blog.wains.be/2007/2007-01-26-make-an-iso-out-of-a-cd/</link>
      <pubDate>Fri, 26 Jan 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-01-26-make-an-iso-out-of-a-cd/</guid>
      <description>categories:
Howto Linux dd if=/dev/hda of=/home/user/cd.iso bs=2048 conv=notrunc
Where /dev/hda is your cdrom drive..
How do I find that out ? (snippet)
user@localhost:~$ mount ... /dev/sda1 on /media/win type ntfs (rw) **/dev/hda on /media/cdrom0 type iso9660 (ro,noexec,nosuid,nodev,user=user)**
The admin blogger mentioned an easier way : cat /dev/hda &amp;gt; /home/user/cd.iso
More info : http://www.linuxquestions.org/linux/answers/Applications_GUI_Multimedia/How_To_Do_Eveything_With_DD</description>
    </item>
    
    
    
    <item>
      <title>New (neat) postfix 2.3 feature - custom bounce messages</title>
      <link>https://blog.wains.be/2007/2007-01-25-new-neat-postfix-23-feature-custom-bounce-messages/</link>
      <pubDate>Thu, 25 Jan 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-01-25-new-neat-postfix-23-feature-custom-bounce-messages/</guid>
      <description>categories:
Postfix Bounce messages sent by the postfix daemon used to be hardcoded until version 2.3. This is actually great news for non-English speaking or not email-literate users.
This is an excerpt of my postfix config :
maximal_queue_lifetime = 1d
delay_warning_time = 1h
bounce_template_file = /etc/postfix/bounce.cf
It is important to know the $delay_warning_time and $maximal_queue_lifetime time values.
Let&amp;rsquo;s start by copying the default bounce template file : cp /etc/postfix/bounce.cf.default /etc/postfix/bounce.cf</description>
    </item>
    
    
    
    <item>
      <title>Some vi tips</title>
      <link>https://blog.wains.be/2007/2007-01-11-some-vi-tips/</link>
      <pubDate>Thu, 11 Jan 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-01-11-some-vi-tips/</guid>
      <description>categories:
Linux RHCE This is my personal vi reminder. Feel free to share your tips !
Search and replace a string globally in a document : :.,$s/search_string/replacement_string/g
Searching for a string : Type &amp;ldquo;/&amp;rdquo; followed by the string e.g. : /pattern
Disabling highlighted patterns : Type &amp;ldquo;:nohl&amp;rdquo; to disable highlighting
Comment out several lines at once (I like that one) : 1. Ctrl + V (visual block) 2. Select the lines you want to be commented out 3.</description>
    </item>
    
    
    
    <item>
      <title>Subversion- automating svn-keywords</title>
      <link>https://blog.wains.be/2007/2007-01-10-subversion-automating-svnkeywords/</link>
      <pubDate>Wed, 10 Jan 2007 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2007/2007-01-10-subversion-automating-svnkeywords/</guid>
      <description>categories:
Howto Linux Versioning We&amp;rsquo;ll see here how you can automate the addition of SVN keywords to your newly added or imported files in your Subversion repository.
Changes are being made on the client computer, NOT the repository. It means you need to apply the following to every computer accessing the SVN repository.
For files already in the repository, you will need to manually set the keywords this way:
svn propset svn:keywords &amp;quot;Id&amp;quot; file.</description>
    </item>
    
    
    
    <item>
      <title>Ubuntu - Side buttons with Microsoft IntelliMouse Optical</title>
      <link>https://blog.wains.be/2006/2006-12-31-side-buttons-with-intellimouse-optical/</link>
      <pubDate>Sun, 31 Dec 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-12-31-side-buttons-with-intellimouse-optical/</guid>
      <description>categories:
Howto Linux Tested working under Ubuntu 6.10 With this enabled, you can go backward and forward under Firefox (and probably other apps).
sudo gedit /etc/X11/xorg.conf and add :
Option &amp;quot;ButtonMapping&amp;quot; &amp;quot;1 2 3 6 7 4 5&amp;quot; Option &amp;quot;ZAxisMapping&amp;quot; &amp;quot;4 5&amp;quot;
sudo gedit /etc/X11/Xsession.d/63xmodmap (this is a new file) and add :
xmodmap -e &amp;quot;pointer = 1 2 3 4 5 6 7&amp;quot; BINARY=$(which imwheel) $BINARY -k -p -b &amp;quot;67&amp;quot;</description>
    </item>
    
    
    
    <item>
      <title>Install FuzzyOCR for SpamAssassin on CentOS/RHEL</title>
      <link>https://blog.wains.be/2006/2006-12-29-install-fuzzyocr-on-centos/</link>
      <pubDate>Fri, 29 Dec 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-12-29-install-fuzzyocr-on-centos/</guid>
      <description>categories:
Howto Linux Security Tested under CentOS 3.8 and CentOS 4.4, both running SpamAssassin 3.1.7 built from srpm
wget http://users.own-hero.net/~decoder/fuzzyocr/fuzzyocr-latest.tar.gz
**Ungzip : ** gzip -d fuzzyocr-latest.tar.gz
**Untar : ** tar xvf fuzzyocr-latest.tar
Packages needed and found in the CentOS repositories : yum install netpbm netpbm-progs ImageMagick libungif libungif-progs
Packages needed and found in SecurityTeamUS repository : First, you need to install that SecurityTeamUS repo : rpm -ihv http://repo.securityteam.us/repository/redhat/securityteamus-repo-latest.rpm
Then : yum install perl-Digest-MD5</description>
    </item>
    
    
    
    <item>
      <title>Install ntop on CentOS/RHEL</title>
      <link>https://blog.wains.be/2006/2006-12-21-install-ntop-on-centosrhel/</link>
      <pubDate>Thu, 21 Dec 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-12-21-install-ntop-on-centosrhel/</guid>
      <description>categories:
Howto Linux What is ntop ? : http://www.ntop.org/overview.html
Install the SecurityTeamUS repo : rpm -ihv http://repo.securityteam.us/repository/redhat/securityteamus-repo-latest.rpm
Install ntop (dependencies (gd) included on the base repo) : yum install ntop
ntop requires that you create a password for it to run, type ntop at the prompt : Thu Dec 21 19:53:54 2006 NOTE: Interface merge enabled by default Thu Dec 21 19:53:54 2006 Initializing gdbm databases Thu Dec 21 19:53:54 2006 ntop will be started as user nobody Thu Dec 21 19:53:54 2006 ntop v.</description>
    </item>
    
    
    
    <item>
      <title>CentOS/RHEL - Web Proxy &#43; Antivirus (ClamAV)</title>
      <link>https://blog.wains.be/2006/2006-12-19-centosrhelfedora-web-proxy-antivirus-clamav/</link>
      <pubDate>Tue, 19 Dec 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-12-19-centosrhelfedora-web-proxy-antivirus-clamav/</guid>
      <description>categories:
Howto Linux Proxy Red Hat/CentOS Security I&amp;rsquo;ll explain here how to setup a web proxy with antivirus capabilities.
We will use these tools : Squid + ClamAV + a patched version of DansGuardian
The clamav packages provided are now outdated, I&amp;rsquo;m going to build an updated version as soon as I can
Squid : www.squid-cache.org ClamAV : www.clamav.net DansGuardian : dansguardian.org DansGuardian Antivirus plugin : http://www.harvest.com.br/asp/afn/dg.nsf
You can download squid from the default CentOS repository.</description>
    </item>
    
    
    
    <item>
      <title>Bash shortcuts</title>
      <link>https://blog.wains.be/2006/2006-12-18-bash-shortcuts/</link>
      <pubDate>Mon, 18 Dec 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-12-18-bash-shortcuts/</guid>
      <description>categories:
Bash Linux Great memo ! Original link
25 March 2007 : New memo from http://linuxhelp.blogspot.com/2005/08/bash-shell-shortcuts.html
CTRL Key Bound
Ctrl + a - Jump to the start of the line
Ctrl + b - Move back a char
Ctrl + c - Terminate the command
Ctrl + d - Exit the current shell
Ctrl + e - Jump to the end of the line
Ctrl + f - Move forward a char
Ctrl + h - Same as backspace
Ctrl + k - Delete to EOL
Ctrl + l - Clear the screen
Ctrl + r - Search the history backwards
Ctrl + R - Search the history backwards with multi occurrence
Ctrl + t - Swap the last two characters before the cursor
Ctrl + u - Delete backward from cursor
Ctrl + w - Delete the word before the cursor
Ctrl + xx - Move between EOL and current cursor position
Ctrl + x @ - Show possible hostname completions
Ctrl + z - Suspend/ Stop the command.</description>
    </item>
    
    
    
    <item>
      <title>Squid - log Google and other search engines related queries</title>
      <link>https://blog.wains.be/2006/2006-12-18-squid-log-google-and-other-queries/</link>
      <pubDate>Mon, 18 Dec 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-12-18-squid-log-google-and-other-queries/</guid>
      <description>categories:
Linux Proxy Security By default, the queries sent to google and other search engines are not logged into Squid proxy logs. This is meant to protect the user&amp;rsquo;s privacy.
See below how to enable queries logging..
Add this to /etc/squid/squid.conf
strip_query_terms off
As a result, you&amp;rsquo;d get this in the logs : 1166463218.353 1285 192.168.1.10 TCP_MISS/200 6429 GET http://www.google.com/search?hl=en&amp;amp;q=s%C3%A9bastien+wains&amp;amp;btnG=Google+Search - DIRECT/64.233.161.104 text/html
Instead of this :
1166463218.353 1285 192.168.1.10 TCP_MISS/200 6429 GET http://www.</description>
    </item>
    
    
    
    <item>
      <title>Transparent Squid proxy</title>
      <link>https://blog.wains.be/2006/2006-12-18-transparent-squid/</link>
      <pubDate>Mon, 18 Dec 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-12-18-transparent-squid/</guid>
      <description>categories:
Howto Linux Proxy How to run squid as a transparent squid proxy :
Squid 2.5 and earlier :
Edit /etc/squid/squid.conf and add this :
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
To enable the transparent proxying, type this :
iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
&amp;ldquo;-s 192.168.1.0/24&amp;rdquo; is optional but needed if you run a webserver on the squid machine.</description>
    </item>
    
    
    
    <item>
      <title>OpenLDAP, Evolution and Microsoft Outlook HOWTO</title>
      <link>https://blog.wains.be/2006/2006-12-17-openldap-evolution-and-microsoft-outlook-howto/</link>
      <pubDate>Sun, 17 Dec 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-12-17-openldap-evolution-and-microsoft-outlook-howto/</guid>
      <description>categories:
Howto LDAP Linux Matthew Feldt was kind enough to put up a guide explaining how to set up OpenLDAP as an addressbook compatible with Evolution and Microsoft Outlook.
Please visit his page here : http://www.feldt.com/work/projects/openLDAP/
A mirror of his page is available here : http://blog.wains.be/mirrors/feldt.com/
The guide works for CentOS/RHEL 4.4.
Thanks Matthew for that very well written howto !
For your information, LDAP support in Outlook is terrible. No autocompletion available.</description>
    </item>
    
    
    
    <item>
      <title>Test and debug AUTH PLAIN authentication</title>
      <link>https://blog.wains.be/2006/2006-12-15-test-and-debug-auth-plain-authentication/</link>
      <pubDate>Fri, 15 Dec 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-12-15-test-and-debug-auth-plain-authentication/</guid>
      <description>categories:
Howto Linux Postfix Security This command will give you the string that should be passed at AUTH PLAIN
For test@domain.be, you&amp;rsquo;d type this :
perl -MMIME::Base64 -e &#39;print encode_base64(&amp;quot;\000test\@domain.be\000password&amp;quot;)&#39;
Where &amp;ldquo;test@domain.be&amp;rdquo; is your username and &amp;ldquo;password&amp;rdquo; is.. your password. Your username and password should each start with the string &amp;ldquo;\000&amp;rdquo; (a NUL byte), and the &amp;ldquo;@&amp;rdquo; is escaped so Perl does not interpolate it.
The output is : AHRlc3RAZG9tYWluLmJlAHBhc3N3b3Jk
Now, you can test the authentication..
user@host:~$ telnet mx.domain.be 25 Trying 10.0.0.1... Connected to mx.domain.be. Escape character is &#39;^]&#39;.</description>
    </item>
    
    
    
    <item>
      <title>RRDWeather 0.40 released</title>
      <link>https://blog.wains.be/2006/2006-12-13-rrdweather-040-released/</link>
      <pubDate>Wed, 13 Dec 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-12-13-rrdweather-040-released/</guid>
      <description>Download here: https://github.com/sebw/rrdweather
Project page: https://www.wains.be/projects/rrdweather/
Changelog since version 0.36
Grégory Bittan reported an issue when the web connection is down. The script would still feed the RRD databases with a value of 0, messing up the average figures.
The update script can now handle the monitoring of several cities
Lionel Porcheron made RRDweather available to the Ubuntu Community through the Universe repository
To achieve the goal of monitoring several cities from a single script, RRDWeather had to use a new directory structure in order to store database files
Better indenting
Improved bash code
Improved debugging mode
&amp;hellip; </description>
    </item>
    
    
    
    <item>
      <title>Give to the community... the community gives it back to you</title>
      <link>https://blog.wains.be/2006/2006-12-06-give-to-the-community-the-community-gives-it-back-to-you/</link>
      <pubDate>Wed, 06 Dec 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-12-06-give-to-the-community-the-community-gives-it-back-to-you/</guid>
      <description>categories:
Rewards And this is what I got today :)
This is a reward for helping a friend with Linux and some networking stuff :-D</description>
    </item>
    
    
    
    <item>
      <title>Problems with accents in Samba</title>
      <link>https://blog.wains.be/2006/2006-12-05-problems-with-accents-in-samba/</link>
      <pubDate>Tue, 05 Dec 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-12-05-problems-with-accents-in-samba/</guid>
      <description>categories:
Linux Well I had problems with accents in filenames&amp;hellip;
I tried changing the filesystem localization to French, it didn&amp;rsquo;t help. I tried changing the system locale (/etc/sysconfig/i18n under CentOS/RHEL), it didn&amp;rsquo;t help
I figured out the accents trouble was only occurring when dropping a file through smb
I then finally found out these parameters to add in your smb.conf configuration file :
dos charset = CP850
unix charset = ISO8859-1
display charset = LOCALE
It fixed the issue for me with the FS and system locale always under en_US</description>
    </item>
    
    
    
    <item>
      <title>Ubuntu / FC5 - low volume issue with Intel HDA onboard card</title>
      <link>https://blog.wains.be/2006/2006-12-04-ubuntu-fc5-low-volume-issue-with-intel-hda-onboard-card/</link>
      <pubDate>Mon, 04 Dec 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-12-04-ubuntu-fc5-low-volume-issue-with-intel-hda-onboard-card/</guid>
      <description>categories:
Linux The bug is reported here :
https://launchpad.net/distros/ubuntu/edgy/+source/alsa-driver/+bug/47755
My onboard card was recognized as &amp;ldquo;Generic 14f1 ID 5047&amp;rdquo;. root@portable:~# head -5 /proc/asound/card0/codec* Codec: Generic 14f1 ID 5047 Address: 0 Vendor Id: 0x14f15047 Subsystem Id: 0x1179ff31 Revision Id: 0x100000
The volume was low and distorted at 100 % with alsa-drivers 1.0.11
I followed this page http://www.alsa-project.org/alsa-doc/doc-php/template.php?company=Intel&amp;amp;card=ICH+southbridge+HD-audio+and+modem.&amp;amp;chip=ICH6%2C+ICH6M%2C+ICH7%2C+ESB2&amp;amp;module=hda-intel and upgraded manually to the alsa-drivers version 1.0.13
It fixed the issue.
The chip is now recognized as a &amp;ldquo;Conexant ID 5047&amp;rdquo; root@portable:/# head -5 /proc/asound/card0/codec* Codec: Conexant ID 5047 Address: 0 Vendor Id: 0x14f15047 Subsystem Id: 0x1179ff31 Revision Id: 0x100000</description>
    </item>
    
    
    
    <item>
      <title>ModSecurity 2 - Invalid command SecRuleEngine, perhaps mis-spelled or</title>
      <link>https://blog.wains.be/2006/2006-11-22-invalid-command-secruleengine-perhaps-mis-spelled-or-defined-by-a-module-not-included-in-the-server-configuration/</link>
      <pubDate>Wed, 22 Nov 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-11-22-invalid-command-secruleengine-perhaps-mis-spelled-or-defined-by-a-module-not-included-in-the-server-configuration/</guid>
      <description>defined by a module not included in the server configuration&#39;
categories:
Apache Linux Security If you try to install modsecurity2 on Apache without reading the docs, you may get this message :
&amp;ldquo;Invalid command &amp;lsquo;SecRuleEngine&amp;rsquo;, perhaps mis-spelled or defined by a module not included in the server configuration&amp;rdquo;
This is not a bug ! Just a RTFM alert ! :)
You should thoroughly follow the following procedure (as described here ) to get modsecurity running :</description>
    </item>
    
    
    
    <item>
      <title>Postfix chroot &#43; MySQL</title>
      <link>https://blog.wains.be/2006/2006-11-18-postfix-chroot-mysql/</link>
      <pubDate>Sat, 18 Nov 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-11-18-postfix-chroot-mysql/</guid>
      <description>categories:
Howto Linux Postfix Security SQL Scenario :
You run Postfix non-chrooted with a MySQL DB as backend.
The issue :
You can&amp;rsquo;t run Postfix chrooted because the MySQL sock is not located in the chroot area.
**The fix : **
Edit /etc/my.cnf and add this line under the [mysqld] section : bind-address = 127.0.0.1
Restart mysql
Make Postfix connect to MySQL using TCP instead of using sock
Change your SQL files from :
user = username
password = password
dbname = database
hosts = localhost
query = SELECT alias FROM batabase WHERE id = &#39;%s&#39;</description>
    </item>
    
    
    
    <item>
      <title>Postfix chroot &#43; SASL authentication (saslauthd)</title>
      <link>https://blog.wains.be/2006/2006-11-18-postfix-chroot-sasl-authentication-saslauthd/</link>
      <pubDate>Sat, 18 Nov 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-11-18-postfix-chroot-sasl-authentication-saslauthd/</guid>
      <description>categories:
Howto Linux Postfix Security **Scenario : **
You run Postfix non-chrooted with SMTP auth through SASL authentication (using saslauthd)
The issue :
When chrooted, Postfix needs access to saslauthd sock file, which is not in the chroot area
The fix :
We consider Postfix chroot is under /var/spool/postfix
mkdir -p /var/spool/postfix/var/run
mv /var/run/saslauthd /var/spool/postfix/var/run/
ln -s /var/spool/postfix/var/run/saslauthd /var/run
Configure Postfix to run chrooted (script available here : http://blog.wains.be/pub/postfix-chroot</description>
    </item>
    
    
    
    <item>
      <title>Postfix new MySQL syntax &gt; Postfix 2.2</title>
      <link>https://blog.wains.be/2006/2006-11-18-postfix-new-mysql-syntax-postfix-22/</link>
      <pubDate>Sat, 18 Nov 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-11-18-postfix-new-mysql-syntax-postfix-22/</guid>
      <description>categories:
Linux Postfix SQL I found out just yesterday that Postfix uses a new syntax for SQL lookups. It seems like my old syntax was still compatible with Postfix 2.2.8. I guess it will be backward compatible for a while.
For Postfix 2.2 and later :
user = someone
password = password
dbname = database
query = SELECT alias FROM alias_table WHERE alias=&#39;%s&#39;
For Postfix releases prior to 2.2 :
user = someone
password = password
dbname = database
select_field = alias
table = alias_table
where_field = alias</description>
    </item>
    
    
    
    <item>
      <title>Windows Server - dont ever change your admin password !</title>
      <link>https://blog.wains.be/2006/2006-11-17-windows-server-dont-ever-change-your-admin-password/</link>
      <pubDate>Fri, 17 Nov 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-11-17-windows-server-dont-ever-change-your-admin-password/</guid>
      <description>categories:
Windows I guess when you pick up an administrator password on a windows server machine, you&amp;rsquo;ve got to stick with it until the end of the world.
For security reasons, I changed the administrator password. It is like 16 characters long now.
After rebooting the machine :
MS SQL was not starting It had been set up in NT services to start from the administrator account (don&amp;rsquo;t ask, I didn&amp;rsquo;t set it up that way, a company did).</description>
    </item>
    
    
    
    <item>
      <title>Logwatch 7 under CentOS/RHEL</title>
      <link>https://blog.wains.be/2006/2006-11-16-logwatch-7-under-centosrhel/</link>
      <pubDate>Thu, 16 Nov 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-11-16-logwatch-7-under-centosrhel/</guid>
      <description>categories:
Linux Security I had the regular logwatch 5.2.2 running on my CentOS 3 box. For some legal reason, I keep 52 weeks worth of logs.
Logwatch started behaving weird lately.. parsing events being 1 year old, it was a random mess of yesterday&amp;rsquo;s events and last year logs.
I upgraded to Logwatch 7 (available at http://repo.securityteam.us/repository/)
It looks like it fixed the issue.</description>
    </item>
    
    
    
    <item>
      <title>CentOS/RHEL Postfix SMTP AUTH</title>
      <link>https://blog.wains.be/2006/2006-11-15-centosrhel-postfix-smtp-auth/</link>
      <pubDate>Wed, 15 Nov 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-11-15-centosrhel-postfix-smtp-auth/</guid>
      <description>**Thanks to Luca Gibelli for his document about Postfix SMTP AUTH.
It helped me a lot, this article is largely based on his work, I adapted it to match RHEL/CentOS systems.**
Scenario Your mail server hosts multiple domains.
You use a MySQL database as backend for user authentication.
Users authenticate to the POP3/IMAP server as:
username : username@example.org
password : test123
You want to allow them to authenticate with SMTP AUTH using the same credentials.</description>
    </item>
    
    
    
    <item>
      <title>Delete files above a certain size with xargs &#43; other find recipes</title>
      <link>https://blog.wains.be/2006/2006-11-14-delete-files-above-a-certain-size/</link>
      <pubDate>Tue, 14 Nov 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-11-14-delete-files-above-a-certain-size/</guid>
      <description>categories:
Bash Linux Delete files in the current directory above 500Kb :
find -size +500k | xargs rm
This may not work on files with spaces in their filename. Use the solution recommended in the comments.
Other recipes :
Change the permissions and set 750 on dirs and 0640 on files:
find -type d -exec chmod 0750 &#39;{}&#39; &#39;;&#39; find -type f -exec chmod 0640 &#39;{}&#39; &#39;;&#39;</description>
    </item>
    
    
    
    <item>
      <title>Run courier-imap 4 (couriertcpd) as non-root on CentOS/RHEL</title>
      <link>https://blog.wains.be/2006/2006-11-14-run-courier-imap-4-as-non-root-on-centosrhel/</link>
      <pubDate>Tue, 14 Nov 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-11-14-run-courier-imap-4-as-non-root-on-centosrhel/</guid>
      <description>categories:
Howto Linux Postfix Red Hat/CentOS What follows is an explanation on how I got courier-imap 4 running as non-root on my CentOS 3 system.
I run Postfix 2.2 with virtual domains/users and a mysql backend
Emails are stored here : drwxr-xr-x 5 postfix vmail 4.0K Nov 14 00:47 /var/spool/postfix/vmail/
Domain folders are stored under vmail and are owned by vmail.
Emails are delivered to maildir with user vmail.
The issue : courier-imap needs to run as user &amp;ldquo;vmail&amp;rdquo; to avoid permissions headaches.</description>
    </item>
    
    
    
    <item>
      <title>SpamAssassin - prefork- child states meaning</title>
      <link>https://blog.wains.be/2006/2006-11-14-spamassassin-prefork-child-states-meaning/</link>
      <pubDate>Tue, 14 Nov 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-11-14-spamassassin-prefork-child-states-meaning/</guid>
      <description>categories:
Linux I start SpamAssassin with 2 children and set the maximum children to 10
This is how I start SpamAssassin : spamd -d -u spamassassin --min-children=2 --max-children=10 -x -r /var/run/spamd.pid --socketowner=filter --socketgroup=filter --socketmode=664 --socketpath=/var/run/spamd.sock
spamd will send messages like this : spamd[16437]: prefork: child states: II
II means the two children are idle
There are several states :
I : idle
S : starting
K : killed (you should not get that one I guess :))
B : busy</description>
    </item>
    
    
    
    <item>
      <title>Permission denied (publickey,keyboard-interactive) when trying to ssh from</title>
      <link>https://blog.wains.be/2006/2006-11-13-permission-denied-publickeykeyboard-interactive-when-trying-to-ssh-from-terminal-while-using-keychain/</link>
      <pubDate>Mon, 13 Nov 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-11-13-permission-denied-publickeykeyboard-interactive-when-trying-to-ssh-from-terminal-while-using-keychain/</guid>
      <description>categories:
Bash Linux Security SSH &amp;ldquo;Permission denied (publickey,keyboard-interactive)&amp;rdquo;
I&amp;rsquo;m not satisfied by SSH clients under Linux (like putty and the likes), the only ssh client I really enjoy is SecureCRT under Windows, it&amp;rsquo;s a great piece of software (okay it works with wine, I have tested it, but I want to stick with the CLI under Linux).
SSH agent forwarding ?
With SecureCRT, I was able to ssh from machines to machines flawlessly&amp;hellip;</description>
    </item>
    
    
    
    <item>
      <title>Backup partition to another machine over the network (CentOS/RHEL)</title>
      <link>https://blog.wains.be/2006/2006-11-11-backup-partition-to-another-machine-over-the-network-centosrhel/</link>
      <pubDate>Sat, 11 Nov 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-11-11-backup-partition-to-another-machine-over-the-network-centosrhel/</guid>
      <description>categories:
Howto Linux Security SSH There are many ways to backup partitions between machines (CIFS, NFS, etc.)
I&amp;rsquo;ll describe what seems to be the easiest and quickest way, you don&amp;rsquo;t need to setup services like Samba or NFS here.
Machine A (source) : 192.168.0.1 /dev/hda1 / /dev/hda2 /home /dev/hda3 /tmp
Machine B (target) : 192.168.0.2
Tools needed : dd (diskdump), gzip, nc (netcat), pv (pipeview : optional)
To save your home partition, on the source machine type this : root@source# dd if=/dev/hda2 | gzip -9 | nc -l -p 9999</description>
    </item>
    
    
    
    <item>
      <title>Disable Gnome windows effects</title>
      <link>https://blog.wains.be/2006/2006-11-11-disable-gnome-windows-effects/</link>
      <pubDate>Sat, 11 Nov 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-11-11-disable-gnome-windows-effects/</guid>
      <description>categories:
Howto Linux From : http://www.g-loaded.eu/post/turning-off-window-animations-in-gnome/
In gconf-editor, turn this key on : /apps/metacity/general/reduced_resources
Thanks to the author for sharing, I never really bothered trying to disable effects but that&amp;rsquo;s good to know it&amp;rsquo;s possible :)</description>
    </item>
    
    
    
    <item>
      <title>Postfix - deliver emails to the same mailbox from several virtual domains</title>
      <link>https://blog.wains.be/2006/2006-11-10-postfix-deliver-emails-to-the-same-accounts-on-several-virtual-domains/</link>
      <pubDate>Fri, 10 Nov 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-11-10-postfix-deliver-emails-to-the-same-accounts-on-several-virtual-domains/</guid>
      <description>categories:
Howto Linux Postfix Let&amp;rsquo;s say you own several domains :
Your default domain : my-domain.be
The domain you registered to protect your trademark, copyright, brand, etc :
mydomain.be my_domain.be Let&amp;rsquo;s say all these domains point to the same MX server.
We assume your original email addresses are user.name@my-domain.be
What if people try to send to user.name@my_domain.be ?
What follows is how to setup Postfix to automatically redirect emails to the original domain without headache (no need to setup redirecting aliases on the parked domains).</description>
    </item>
    
    
    
    <item>
      <title>Subversion - svn&#43;ssh-// - No repository found</title>
      <link>https://blog.wains.be/2006/2006-11-08-subversion-svnssh-no-repository-found-2/</link>
      <pubDate>Wed, 08 Nov 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-11-08-subversion-svnssh-no-repository-found-2/</guid>
      <description>categories:
Linux Versioning You can use &amp;ldquo;svn checkout svn://hostname.tld/project/&amp;rdquo; but you can&amp;rsquo;t check out your projects using svn+ssh:// ?
Let&amp;rsquo;s clear things, svn+ssh:// doesn&amp;rsquo;t require svnserve to run on the server as a daemon or through (x)inetd to work.
svn+ssh:// is only doing some kind of scp connection to the server. That&amp;rsquo;s why you need to USE ABSOLUTE PATH WHEN USING svn+ssh
Usage :
svn only svn checkout svn://hostname.tld/project/
svn+ssh svn checkout svn+ssh://hostname.</description>
    </item>
    
    
    
    <item>
      <title>Subversion - svnserve over xinetd</title>
      <link>https://blog.wains.be/2006/2006-11-08-subversion-svnserve-over-xinetd/</link>
      <pubDate>Wed, 08 Nov 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-11-08-subversion-svnserve-over-xinetd/</guid>
      <description>categories:
Howto Linux Security Versioning If you want to run svnserve through xinetd (documentation still refers to inetd) :
Create file /etc/xinetd.d/svnserve : # default: on service svnserve { socket_type = stream protocol = tcp user = root wait = no disable = no server = /usr/bin/svnserve server_args = -i -r /path/to/svn/projects port = 3690 }
/path/to/svn/projects is the repository you want to share, if you don&amp;rsquo;t use -r, you&amp;rsquo;d need to specify the full path to the svn repository, which should be avoided.</description>
    </item>
    
    
    
    <item>
      <title>Nicer radio and check boxes for Firefox 2 under Ubuntu Linux 6.10 (edgy)</title>
      <link>https://blog.wains.be/2006/2006-11-04-nicer-radio-and-check-boxes-for-firefox-2-under-ubuntu-linux-610-edgy/</link>
      <pubDate>Sat, 04 Nov 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-11-04-nicer-radio-and-check-boxes-for-firefox-2-under-ubuntu-linux-610-edgy/</guid>
      <description>categories:
Firefox Howto Linux While I run Beryl and XGL and have an eye candy desktop, I found the radio and check boxes to be very ugly under Firefox&amp;hellip;
I packaged all you need to get nicer boxes&amp;hellip;
Before : After : Download the package : http://blog.wains.be/pub/firefox-widgets.tar.gz
Installation instructions can be found in the package
A better package is available at : http://ubuntudaily.com/post/how-to-prettify-the-firefox-widgets/</description>
    </item>
    
    
    
    <item>
      <title>Ubuntu - The NetworkManager applet could not find some required resources.</title>
      <link>https://blog.wains.be/2006/2006-10-27-ubuntu-the-networkmanager-applet-could-not-find-some-required-resources-it-cannot-continue/</link>
      <pubDate>Fri, 27 Oct 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-10-27-ubuntu-the-networkmanager-applet-could-not-find-some-required-resources-it-cannot-continue/</guid>
      <description>categories:
Howto Linux The NetworkManager applet could not find some required resources. It cannot continue.
To fix the issue, you just need to type the following line at the terminal and reboot :
sudo gtk-update-icon-cache -f /usr/share/icons/hicolor
What is gtk-update-icon-cache :
DESCRIPTION gtk-update-icon-cache creates mmap()able cache files for icon themes. It expects to be given the path to a icon theme directory containing an index.theme, e.g. /usr/share/icons/hicolor, and writes a icon-theme.</description>
    </item>
    
    
    
    <item>
      <title>BIND - undefined symbol- dns_resolver_setudpsize</title>
      <link>https://blog.wains.be/2006/2006-10-22-bind-undefined-symbol-dns_resolver_setudpsize/</link>
      <pubDate>Sun, 22 Oct 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-10-22-bind-undefined-symbol-dns_resolver_setudpsize/</guid>
      <description>categories:
DNS Linux If you get this error message under RHEL/CentOS when trying to start Named
&amp;ldquo;undefined symbol: dns_resolver_setudpsize&amp;rdquo;
&amp;ldquo;yum install bind-libs&amp;rdquo; should fix the problem</description>
    </item>
    
    
    
    <item>
      <title>Tool of the day - iptstate</title>
      <link>https://blog.wains.be/2006/2006-10-19-tool-of-the-day-iptstate/</link>
      <pubDate>Thu, 19 Oct 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-10-19-tool-of-the-day-iptstate/</guid>
      <description>categories:
Linux Security Tools iptstate provides live iptables monitoring
iptstate shows all iptables activity in a top-style display:
IPTables - State Top Version: 1.3 Sort: SrcIP s to change sorting Source Destination Proto State TTL 192.168.1.1,3834 193.40.133.134,123 udp 0:00:28 192.168.1.1,3822 216.58.31.84,123 udp 0:02:53 192.168.1.1,3828 216.52.237.153,123 udp 0:02:47 192.168.1.10,43496 192.168.1.26,22 tcp ESTABLISHED 119:59:59 192.168.1.11,57252 71.87.212.168,8080 tcp ESTABLISHED 29:43:53 192.168.1.25,57505 209.40.99.8,80 tcp ESTABLISHED 3:48:32
iptstate has a number of useful commands, such as setting the refresh interval, sorting by different columns values, resolving domain names, and a number of interactive commands to use while it&amp;rsquo;s running.</description>
    </item>
    
    
    
    <item>
      <title>A simple TCP proxy using rinetd</title>
      <link>https://blog.wains.be/2006/2006-10-18-a-simple-tcp-proxy-using-rinetd/</link>
      <pubDate>Wed, 18 Oct 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-10-18-a-simple-tcp-proxy-using-rinetd/</guid>
      <description>categories:
Howto Linux Security Rinetd redirects TCP connections from one IP address and port to another. rinetd is a single-process server which handles any number of connections to the address/port pairs specified in the file /etc/rinetd.conf. Since rinetd runs as a single process using nonblocking I/O, it is able to redirect a large number of connections without a severe impact on the machine. This makes it practical to run TCP services on machines inside an IP masquerading firewall.</description>
    </item>
    
    
    
    <item>
      <title>Apache Benchmark</title>
      <link>https://blog.wains.be/2006/2006-10-18-apache-benchmark/</link>
      <pubDate>Wed, 18 Oct 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-10-18-apache-benchmark/</guid>
      <description>categories:
Apache Linux ab is a tool for benchmarking your Apache Hypertext Transfer Protocol (HTTP) server. It is designed to give you an impression of how your current Apache installation performs. This especially shows you how many requests per second your Apache installation is capable of serving.
Included into httpd package under CentOS
http://httpd.apache.org/docs/2.0/programs/ab.html</description>
    </item>
    
    
    
    <item>
      <title>Simple Linux load balancing behind one public IP</title>
      <link>https://blog.wains.be/2006/2006-10-18-simple-load-balancing-behind-one-public-ip/</link>
      <pubDate>Wed, 18 Oct 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-10-18-simple-load-balancing-behind-one-public-ip/</guid>
      <description>categories:
Linux Security Balance would help you set up a SIMPLE load balanced cluster. It will balance equally between nodes, which could still lead to troubles, if one machine is much slower/busier than the other. It only manages 16 connections per node and 16 nodes. If you want something more powerful, take a look at IPVSADM
http://www.inlab.de/balance.html http://dag.wieers.com/packages/balance/
Example :
Machine A : Director / Load Balancer
IP : 10.1.20.254</description>
    </item>
    
    
    
    <item>
      <title>Tool of the day - watch</title>
      <link>https://blog.wains.be/2006/2006-10-18-tool-of-the-day-watch/</link>
      <pubDate>Wed, 18 Oct 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-10-18-tool-of-the-day-watch/</guid>
      <description>categories:
Linux Tools watch - execute a program periodically, showing output fullscreen
DESCRIPTION watch runs command repeatedly, displaying its output (the first screenfull). This allows you to watch the program output change over time. By default, the program is run every 2 seconds; use -n or --interval to specify a different interval.
The -d or --differences flag will highlight the differences between successive updates. The --cumulative option makes highlighting &amp;quot;sticky&amp;quot;, presenting a running display of all positions that have ever changed.</description>
    </item>
    
    
    
    <item>
      <title>BackTrack on USB drive</title>
      <link>https://blog.wains.be/2006/2006-10-16-backtrackwhax-on-usb-drive/</link>
      <pubDate>Mon, 16 Oct 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-10-16-backtrackwhax-on-usb-drive/</guid>
      <description>categories:
Howto Linux Security First off, I&amp;rsquo;d like to thank Dries who kept me updated on this issue.
Indeed, back in the BackTrack beta days, you were able to install BT on your USB drive using a tool called MySLAXCreator (http://myslax.bonsonno.org).
When BT Final was released, it was no longer possible to use MySLAXCreator to install it on the USB drive.
The whole process is described by Dries in the comments, but I&amp;rsquo;m gonna try to make it clearer here.</description>
    </item>
    
    
    
    <item>
      <title>Tool of the day, an image sniffer - driftnet</title>
      <link>https://blog.wains.be/2006/2006-10-10-tool-of-the-day-an-image-sniffer-driftnet/</link>
      <pubDate>Tue, 10 Oct 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-10-10-tool-of-the-day-an-image-sniffer-driftnet/</guid>
      <description>categories:
Security Tools http://www.ex-parrot.com/~chris/driftnet/
Inspired by EtherPEG (though, not owning an Apple Macintosh, I&amp;rsquo;ve never actually seen it in operation), Driftnet is a program which listens to network traffic and picks out images from TCP streams it observes. Fun to run on a host which sees lots of web traffic.
Do not abuse, this is for educational purpose only !</description>
    </item>
    
    
    
    <item>
      <title>tcp_wrappers ACL for your SSH server</title>
      <link>https://blog.wains.be/2006/2006-10-09-tcp_wrappers-acl-for-your-ssh-server/</link>
      <pubDate>Mon, 09 Oct 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-10-09-tcp_wrappers-acl-for-your-ssh-server/</guid>
      <description>categories:
Howto Linux Security SSH Among the many protections you can set to restrict connections to your server, there&amp;rsquo;s tcp_wrappers that turns out to be pretty useful.
Edit /etc/hosts.sshd Put into this file all the IP&amp;rsquo;s, hostnames (avoid this as much as possible) or ranges allowed to ssh into the machine
E.g : 192.168.1.1 10.0.0. 66.77. *.somedomain.be
Edit /etc/hosts.allow
Add this line at the beginning : sshd: /etc/hosts.sshd
Add this line at the end : ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s &amp;quot;Port Denial - daemon %d hostname %h IP %a&amp;quot; root; /bin/echo %a &amp;gt;&amp;gt; /var/log/port.</description>
    </item>
    
    
    
    <item>
      <title>A simple OpenVPN tunnel to your RHEL/CentOS server</title>
      <link>https://blog.wains.be/2006/2006-10-08-simple-vpn-tunnel-using-openvpn/</link>
      <pubDate>Sun, 08 Oct 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-10-08-simple-vpn-tunnel-using-openvpn/</guid>
      <description>categories:
Howto Linux Security VPN I&amp;rsquo;ll explain how I used a static key configuration to get a simple VPN tunnel to connect to my samba share at home from work.
OpenVPN GUI for Windows : Download at http://openvpn.se/download.html
I don&amp;rsquo;t know any good GUI for Linux, I simply use the CLI (install the package openvpn for your distribution)
OpenVPN 2 Server : Grab the latest version for your distribution at http://dag.</description>
    </item>
    
    
    
    <item>
      <title>Search in bash history</title>
      <link>https://blog.wains.be/2006/2006-10-08-search-in-bash-history/</link>
      <pubDate>Sun, 08 Oct 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-10-08-search-in-bash-history/</guid>
      <description>categories:
Bash Howto Linux You typed a long command earlier and don&amp;rsquo;t want to bother retyping it ?
At the prompt, press Ctrl + r You&amp;rsquo;ll be in &amp;ldquo;reverse-search-history&amp;rdquo; mode.
Type the beginning of the command, and type Ctrl + r again to browse through the history.
Sometimes I&amp;rsquo;m starting typing a command and realize I must already have that command in history. I can&amp;rsquo;t use Ctrl + r in the middle of the command and expect reverse-search-history to work.</description>
    </item>
    
    
    
    <item>
      <title>DNS resolver order</title>
      <link>https://blog.wains.be/2006/2006-10-07-dns-resolver-order/</link>
      <pubDate>Sat, 07 Oct 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-10-07-dns-resolver-order/</guid>
      <description>categories:
Linux You should edit /etc/host.conf
Edit the line &amp;ldquo;order&amp;rdquo;
order hosts,bind : will query your hosts file first, then bind order bind,hosts : will query bind, and if no result is found, query your hosts file order bind : will only query bind, pay attention to maintain localhost and 127.0.0 zones ! If not, this would lead to many troubles with many services</description>
    </item>
    
    
    
    <item>
      <title>Prohibit direct linking to your site</title>
      <link>https://blog.wains.be/2006/2006-10-05-prohibit-direct-linking-from-your-site/</link>
      <pubDate>Thu, 05 Oct 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-10-05-prohibit-direct-linking-from-your-site/</guid>
      <description>categories:
Apache Howto Linux Security Sick of people direct linking ( http://en.wikipedia.org/wiki/Direct_linking ) images from your site ?
Use this in an .htaccess file or in your Apache configuration (mod_rewrite needed)
This one would display the image owner.jpg : RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*myspace.com.*$ [NC] RewriteRule .*\.(gif|jpg|jpeg|swf|png)$ http://www.site.be/images/owner.jpg [NC]
This one would block direct linking, at all : RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*myspace.com.*$ [NC] RewriteRule .*\.(gif|png|jpg|jpeg|swf)$ - [F]</description>
    </item>
    
    
    
    <item>
      <title>Enabling remote desktop under Linux (XDMCP)</title>
      <link>https://blog.wains.be/2006/2006-10-03-enabling-remote-desktop-under-linux-xdmcp/</link>
      <pubDate>Tue, 03 Oct 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-10-03-enabling-remote-desktop-under-linux-xdmcp/</guid>
      <description>categories:
Howto Linux Under CentOS 4,
edit /etc/X11/gdm/gdm.conf
Search for the section [XDMCP] Change the line &amp;ldquo;Enable=false&amp;rdquo; to &amp;ldquo;Enable=true&amp;rdquo;
Restart X
You should now be able to remotely connect using X-Win32 or such
You may need to configure iptables to allow connections : iptables -A INPUT -p udp -m udp --dport 177 -j ACCEPT iptables -A OUTPUT -p udp -m udp -m state --state RELATED,ESTABLISHED -j ACCEPT
Pay close attention to the security risks, don&amp;rsquo;t open it wide to the internet</description>
    </item>
    
    
    
    <item>
      <title>Truecrypt on Ubuntu 6.06 kernel 2.6.15</title>
      <link>https://blog.wains.be/2006/2006-10-02-truecrypt-on-ubuntu-606-kernel-2615/</link>
      <pubDate>Mon, 02 Oct 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-10-02-truecrypt-on-ubuntu-606-kernel-2615/</guid>
      <description>categories:
Howto Linux Security You&amp;rsquo;re done !</description>
    </item>
    
    
    
    <item>
      <title>Ubuntu 6.06 (dapper) on my Toshiba L100-181</title>
      <link>https://blog.wains.be/2006/2006-09-30-ubuntu-606-dapper-on-my-toshiba-l100-181/</link>
      <pubDate>Sat, 30 Sep 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-09-30-ubuntu-606-dapper-on-my-toshiba-l100-181/</guid>
      <description>categories:
Linux Red Hat/CentOS I really needed VMware Workstation (VMW) to work on my laptop. Basically, that would be my main activity on the laptop, the underlying OS would only help in surfing the web, checking my mails and SSH&amp;rsquo;ing into servers.
I tried hard to run VMW under Fedora Core 5 but always failed with kernel issues. (see http://blog.wains.be/?p=122) I had read VMW was supporting Ubuntu 6.06 which I installed.</description>
    </item>
    
    
    
    <item>
      <title>Useful tool of the day</title>
      <link>https://blog.wains.be/2006/2006-09-30-useful-tool-of-the-day/</link>
      <pubDate>Sat, 30 Sep 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-09-30-useful-tool-of-the-day/</guid>
      <description>categories:
Linux Security Tools http://www.gentoo.org/proj/en/keychain/
keychain script makes handling RSA and DSA keys both convenient and secure. It acts as a front-end to ssh-agent, allowing you to easily have one long-running ssh-agent process per system, rather than per login session&amp;hellip;</description>
    </item>
    
    
    
    <item>
      <title>Linksys WAP54G v2 &#43; firmware HyperWAP v3.04 = WPA2</title>
      <link>https://blog.wains.be/2006/2006-09-28-linksys-wap54g-v2-firmware-hyperwap-v304-wpa2/</link>
      <pubDate>Thu, 28 Sep 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-09-28-linksys-wap54g-v2-firmware-hyperwap-v304-wpa2/</guid>
      <description>categories:
Hardware I used to run my Linksys WAP54G v2 AP with the HyperWAP 1.0 firmware (it originally came with a v2.08 firmware). It was allowing me to decrease the signal so no one could catch my signal across the street. HyperWAP 1.0 was based on Linksys 2.07 firmware which is quite old.
Linksys released a 3.04 firmware a while ago. Some people released a HyperWAP based on this firmware, adding the few options HyperWAP was already giving and WPA2 security.</description>
    </item>
    
    
    
    <item>
      <title>Minimum Password Length on Linux accounts</title>
      <link>https://blog.wains.be/2006/2006-09-28-minimum-password-length-on-linux-accounts/</link>
      <pubDate>Thu, 28 Sep 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-09-28-minimum-password-length-on-linux-accounts/</guid>
      <description>categories:
Howto Linux Red Hat/CentOS By default, the minimum password length under CentOS is set to 6 characters.
Edit /etc/login.defs
Set PASS_MIN_LEN to whatever length you want</description>
    </item>
    
    
    
    <item>
      <title>VMware Server/Workstation/Player under Ubuntu 6.06 (Dapper)</title>
      <link>https://blog.wains.be/2006/2006-09-26-vmware-serverworkstationplayer-under-ubuntu-606-dapper/</link>
      <pubDate>Tue, 26 Sep 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-09-26-vmware-serverworkstationplayer-under-ubuntu-606-dapper/</guid>
      <description>categories:
Linux I got VMware Workstation running quite easily under Ubuntu 6.06 :
sudo apt-get install linux-headers-$(uname -r) build-essential xinetd
unzip the VMW source
cd vmware-distrib
sudo ./vmware-install.pl and follow the steps
Download http://ftp.cvut.cz/vmware/vmware-any-any-update104.tar.gz
Unzip and execute runme.pl
Execute ./vmware-config.pl and follow the configuration steps
You should be able to run /usr/bin/vmware</description>
    </item>
    
    
    
    <item>
      <title>Disabling USB under Windows</title>
      <link>https://blog.wains.be/2006/2006-09-23-disabling-usb-under-windows/</link>
      <pubDate>Sat, 23 Sep 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-09-23-disabling-usb-under-windows/</guid>
      <description>categories:
Windows Use the registry files below to disable or enable USB under Windows :
Disable USB : http://blog.wains.be/pub/disable_USB.reg Enable USB : http://blog.wains.be/pub/enable_USB.reg</description>
    </item>
    
    
    
    <item>
      <title>VMware on Fedora Core 5</title>
      <link>https://blog.wains.be/2006/2006-09-21-vmware-on-fedora-core-5/</link>
      <pubDate>Thu, 21 Sep 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-09-21-vmware-on-fedora-core-5/</guid>
      <description>categories:
Linux Source : http://tredosoft.com/node/9
I wasn&amp;rsquo;t able to get VMware Workstation working under FC5 using the following guide. It was painless to get it working under Ubuntu 6.06, see here : http://blog.wains.be/?p=129
We want to install VMWare&amp;rsquo;s free VMWare Player 1.0.1 build 19317 on Fedora Core 5. As far as I can tell this guide works with other VMWare products as well (eg. VMware Workstation/ ESX / GSX / Server etc.</description>
    </item>
    
    
    
    <item>
      <title>OpenLDAP log</title>
      <link>https://blog.wains.be/2006/2006-09-18-openldap-log/</link>
      <pubDate>Mon, 18 Sep 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-09-18-openldap-log/</guid>
      <description>categories:
LDAP Linux OpenLDAP logs via syslogd LOCAL4 so to stream the log you will need to add a line like this to syslog.conf (normally /etc/syslog.conf):
local4.* /var/log/ldap.log
The above command will log all levels of local4 (OpenLDAP) output to the defined file. In many systems you need to create an empty log file before logging will be visible.
The OpenLDAP logging level is set using the following command:
loglevel number</description>
    </item>
    
    
    
    <item>
      <title>openldap not listening on port 389</title>
      <link>https://blog.wains.be/2006/2006-09-18-openldap-not-listening-on-port-389/</link>
      <pubDate>Mon, 18 Sep 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-09-18-openldap-not-listening-on-port-389/</guid>
      <description>categories:
LDAP Linux For some reason openldap stopped running and listening on port 389 after our server had a problem&amp;hellip;
The database files (BDB type) were actually corrupted&amp;hellip;
This is how to fix the issue and recover the DB :
install db4-utils (under Red Hat) cd /var/lib/ldap (or whatever directory in which the DB files are located) /etc/init.d/ldap stop run /usr/sbin/slapd_db_recover in the directory /etc/init.d/ldap start The server was up again after fixing the DB</description>
    </item>
    
    
    
    <item>
      <title>My new Toshiba Satellite L100-181</title>
      <link>https://blog.wains.be/2006/2006-08-17-my-new-toshiba-satellite-l100-181/</link>
      <pubDate>Thu, 17 Aug 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-08-17-my-new-toshiba-satellite-l100-181/</guid>
      <description>categories:
Hardware This is my new laptop
I can&amp;rsquo;t swear it is fully Linux compatible, I haven&amp;rsquo;t tested the modem yet. EDIT 24 jan 07 : Sound issue was fixed by installing the latest alsa drivers manually (I currently am under Ubuntu 6.10)
Specifications : Intel Core Duo T2300 @ 1.66 Ghz 512 MB DDR2 533 Mhz 60 Gb HDD Fujitsu 5400 RPM SATA DVD+-RW 15&amp;quot; XGA 1024x768 56K Modem / LAN Wireless Intel IPW3945 abg (WPA2 working under Ubuntu 6.</description>
    </item>
    
    
    
    <item>
      <title>Nautilus shortcut for root under users session</title>
      <link>https://blog.wains.be/2006/2006-08-15-nautilus-shortcut-for-root-under-users-session/</link>
      <pubDate>Tue, 15 Aug 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-08-15-nautilus-shortcut-for-root-under-users-session/</guid>
      <description>categories:
Linux As root, create a file called &amp;ldquo;Nautilus-root.desktop&amp;rdquo; into /usr/share/applications
[Desktop Entry] Name=File Browser (Root) Comment=Browse the filesystem with the file manager TryExec=nautilus Exec=sudo nautilus --no-desktop --browser %U Icon=file-manager Terminal=false StartupNotify=true Type=Application Categories=GNOME;Application;System;Utility;Core;X-Red-Hat-Base; OnlyShowIn=GNOME; X-GNOME-Bugzilla-Bugzilla=GNOME X-GNOME-Bugzilla-Product=nautilus X-GNOME-Bugzilla-Component=general X-Desktop-File-Install-Version=0.10
When done, killall gnome-panel
After gnome is done restarting, you&amp;rsquo;ll notice a new shortcut under Applications &amp;gt; System tools
Users need to be in the sudoers to be able to execute the file browser&amp;hellip; Howto : http://blog.</description>
    </item>
    
    
    
    <item>
      <title>Disable CPU Frequency Scaling</title>
      <link>https://blog.wains.be/2006/2006-08-14-disable-cpu-frequency-scaling/</link>
      <pubDate>Mon, 14 Aug 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-08-14-disable-cpu-frequency-scaling/</guid>
      <description>categories:
Linux Tested under Fedora Core 5 and an Intel Core Duo T2300
If you want your CPU to run at full speed (eg : while on power) :
service cpuspeed stop</description>
    </item>
    
    
    
    <item>
      <title>mount- unknown filesystem type smbfs</title>
      <link>https://blog.wains.be/2006/2006-08-12-mount-unknown-filesystem-type-smbfs/</link>
      <pubDate>Sat, 12 Aug 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-08-12-mount-unknown-filesystem-type-smbfs/</guid>
      <description>categories:
Linux While trying to mount a samba share under Fedora Core 5, I got this message : &amp;ldquo;mount: unknown filesystem type &amp;lsquo;smbfs&amp;rsquo;&amp;rdquo;
The command I was trying was &amp;ldquo;mount -t smbfs -o username=user //server/share /mnt/dir&amp;rdquo;
&amp;ldquo;smbfs&amp;rdquo; has been replaced by &amp;ldquo;cifs&amp;rdquo;
Now, you need to use : &amp;ldquo;mount -t cifs -o username=user //server/share /mnt/dir&amp;rdquo;</description>
    </item>
    
    
    
    <item>
      <title>sudo under Red Hat based systems</title>
      <link>https://blog.wains.be/2006/2006-08-11-sudo-under-redhat/</link>
      <pubDate>Fri, 11 Aug 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-08-11-sudo-under-redhat/</guid>
      <description>categories:
Linux This will allow users in the wheel group to use sudo without being prompted for the root password :
Edit /etc/sudoers Uncomment the line %wheel ALL=(ALL) NOPASSWD: ALL
Add a user to the wheel group # gpasswd -a johndoe wheel
where johndoe is the user</description>
    </item>
    
    
    
    <item>
      <title>Tool of the day - truecrypt</title>
      <link>https://blog.wains.be/2006/2006-08-11-tool-of-the-day-truecrypt/</link>
      <pubDate>Fri, 11 Aug 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-08-11-tool-of-the-day-truecrypt/</guid>
      <description>categories:
Linux Security Tools Windows http://www.truecrypt.org/
Free open-source disk encryption software for Windows XP/2000/2003 and Linux Main Features:
* Creates a virtual encrypted disk within a file and mounts it as a real disk. * Encrypts an entire hard disk partition or a device. * Encryption is automatic, real-time (on-the-fly) and transparent. * Provides two levels of plausible deniability, in case an adversary forces you to reveal the password: 1) Hidden volume (steganography – more information may be found here).</description>
    </item>
    
    
    
    <item>
      <title>Windows not booting with a nForce4 mainboard - Native Command Queuing (NCQ)</title>
      <link>https://blog.wains.be/2006/2006-08-11-windows-not-booting-with-a-nforce4-mainboard-native-command-queuing-ncq/</link>
      <pubDate>Fri, 11 Aug 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-08-11-windows-not-booting-with-a-nforce4-mainboard-native-command-queuing-ncq/</guid>
      <description>categories:
Windows I had a computer for repair lately. After several attempts to install Windows XP, it was always randomly hanging (1 out of 5 times, it would boot) while booting the system.
I had to disable Native Command Queuing (NCQ) to avoid the problem, the Maxtor hard drive or the mainboard chipset wasn&amp;rsquo;t fully compatible with NCQ.
http://en.wikipedia.org/wiki/Native_command_queueing
Where to disable NCQ under Windows XP (under an admin account) : [</description>
    </item>
    
    
    
    <item>
      <title>Building truecrypt modules</title>
      <link>https://blog.wains.be/2006/2006-08-10-building-truecrypt-modules/</link>
      <pubDate>Thu, 10 Aug 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-08-10-building-truecrypt-modules/</guid>
      <description>categories:
Howto Linux You may need to rebuild the truecrypt module anytime there is a kernel update&amp;hellip;
yum install kernel(-smp)-devel
wget http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/SRPMS/kernel-2.6.1(VERSION)_FC5.src.rpm
Optional for SMP : Edit /usr/src/redhat/SPECS/kernel-2.6.spec
%define buildsmp 1
rpmbuild -bp --target=$(arch) kernel-2.6.spec (I use i686 as arch)
when done :
cd BUILD/kernel-2.6.xx/linux-2.6.xx
cp configs/kernel-2.6.xx-$(arch)-(smp).config .config
This is a list of available config files :
[root@localhost configs]# ll
total 544
-rw-r--r-- 1 root root 61336 Aug 14 20:45 kernel-2.</description>
    </item>
    
    
    
    <item>
      <title>Apache Order Directive</title>
      <link>https://blog.wains.be/2006/2006-08-06-apache-order-directive/</link>
      <pubDate>Sun, 06 Aug 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-08-06-apache-order-directive/</guid>
      <description>categories:
Apache Howto Linux Lately, I had to work around the security of a particular host&amp;hellip; which led me to the Apache docs&amp;hellip;
Description: Controls the default access state and the order in which Allow and Deny are evaluated.
Default: Order Deny,Allow
The Order directive controls the default access state and the order in which Allow and Deny directives are evaluated. Ordering is one of
Deny,Allow The Deny directives are evaluated before the Allow directives.</description>
    </item>
    
    
    
    <item>
      <title>Share your bash session</title>
      <link>https://blog.wains.be/2006/2006-08-06-share-your-bash-session/</link>
      <pubDate>Sun, 06 Aug 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-08-06-share-your-bash-session/</guid>
      <description>categories:
Bash Howto Linux From a cool blog : Yannick&amp;rsquo;s blog
You may know &amp;ldquo;screen&amp;rdquo;, a tool that can help you put your session on hold and get back to it whenever you want. Described below is a way to share your session with someone&amp;hellip; this can come in handy while doing support or if you just want to share your session for some reason
You should follow the following steps carefully</description>
    </item>
    
    
    
    <item>
      <title>Useful tools of the day</title>
      <link>https://blog.wains.be/2006/2006-07-28-useful-tools-of-the-day/</link>
      <pubDate>Fri, 28 Jul 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-07-28-useful-tools-of-the-day/</guid>
      <description>categories:
Linux Tools screen : http://www.gnu.org/software/screen/
Screen is a full-screen window manager that multiplexes a physical terminal between several processes, typically interactive shells&amp;hellip;
mod_security : http://www.modsecurity.org/
ModSecurity is an open source intrusion detection and prevention engine for web applications (or a web application firewall)&amp;hellip;
mod_evasive : http://www.zdziarski.com/projects/mod_evasive/
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack&amp;hellip;</description>
    </item>
    
    
    
    <item>
      <title>Installing Modsecurity</title>
      <link>https://blog.wains.be/2006/2006-07-27-installing-modsecurity/</link>
      <pubDate>Thu, 27 Jul 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-07-27-installing-modsecurity/</guid>
      <description>From http://michael-and-mary.net/?q=node/1261
Modsecurity is an open source web application firewall for the Apache server that helps to keep the malicious people at bay. To install Modsecurity, first install the package: httpd-devel (yum install httpd-devel) [as root]. Next, execute the following commands (as root) to install and configure Modsecurity:
cd /root
wget http://www.modsecurity.org/download/modsecurity-apache_1.9.4.tar.gz
tar -xvzf modsecurity-apache_1.9.4.tar.gz
cd modsecurity-apache_1.9.4/apache2/
/usr/sbin/apxs -cia mod_security.c
The last line of the compilation should read: activating module &amp;lsquo;security&amp;rsquo; in /etc/httpd/conf/httpd.</description>
    </item>
    
    
    
    <item>
      <title>Screen help</title>
      <link>https://blog.wains.be/2006/2006-07-26-screen-help/</link>
      <pubDate>Wed, 26 Jul 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-07-26-screen-help/</guid>
      <description>Based on http://www.rackaid.com/resources/tips/linux-screen.cfm
A good reminder :)
At the prompt, type &amp;ldquo;screen&amp;rdquo;, then&amp;hellip;
Ctrl + A ? : help
Ctrl + A C : create a screen session
Ctrl + A N : switch to the next session
Ctrl + A P : switch to the previous session
Ctrl + A K or exit : exit session
Ctrl + A D : detach session
screen -r session : re-attach to a detached session
Ctrl + A M : look for activity within the screen session
Ctrl + A _ : look for silence within the screen session
Ctrl + A Esc : allows scrolling back in the buffer</description>
    </item>
    
    
    
    <item>
      <title>Introduction to SVN - importing a new project</title>
      <link>https://blog.wains.be/2006/2006-07-15-introduction-to-svn-importing-a-new-project/</link>
      <pubDate>Sat, 15 Jul 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-07-15-introduction-to-svn-importing-a-new-project/</guid>
      <description>This post is aimed at those (like me) who can easily forget the SVN syntax :
Create a new repository : $ svnadmin create --fs-type fsfs /home/user/svn
Suppose you have an existing project you wish to import in SVN : $ svn import /path/to/project/ file:///home/user/svn/project -m &#39;Initial import&#39;
Checking out your project : $ svn checkout file:///home/user/svn/project /home/user/dev/project
A version controlled copy of the project is now available under /home/user/dev/project/</description>
    </item>
    
    
    
    <item>
      <title>Windows annoyance - how do I check the date under Windows XP ?</title>
      <link>https://blog.wains.be/2006/2006-06-24-windows-annoyance-how-do-i-check-the-date-under-windows-xp/</link>
      <pubDate>Sat, 24 Jun 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-06-24-windows-annoyance-how-do-i-check-the-date-under-windows-xp/</guid>
      <description>For security reasons, I run my session as a limited user (Group &amp;ldquo;Users&amp;rdquo; under security settings). What if I want to check today&amp;rsquo;s date ? Double-click over the time in the lower right corner of the screen ? A window pops up saying I don&amp;rsquo;t have the rights needed to EDIT the system hour.. Hell, I just want to check today&amp;rsquo;s date buddy, not modify it !
If you are fortunate enough and leave your pointer over the hour for a few seconds, a tooltip window will appear (occurs about 1 out of 20 times for me)&amp;hellip; and if you are really fortunate, this tooltip would appear above the traybar, not under (never happened for me) !</description>
    </item>
    
    
    
    <item>
      <title>A Cups PDF color printer for your Windows clients</title>
      <link>https://blog.wains.be/2006/2006-06-22-cups-pdf-color-printer/</link>
      <pubDate>Thu, 22 Jun 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-06-22-cups-pdf-color-printer/</guid>
      <description>We suppose you already have a properly configured and running CUPS system.
Grab the RPM or SRPM from http://www.physik.uni-wuerzburg.de/~vrbehr/cups-pdf/
rpm -ihv cups-pdf-something.rpm (unless you want to go through the whole rebuild process which I won&amp;rsquo;t describe here)
service cups restart
You should see the new PDF printer under http://yourserver:631
Now let&amp;rsquo;s share the PDF printer for your Windows clients :
Edit /etc/samba/smb.conf and add this section
[printers]
path = /some/path/to/spool
browsable = yes
guest ok = no
writable = no
valid users = +print_users
printable = yes
create mask = 0770</description>
    </item>
    
    
    
    <item>
      <title>Basic security rules under Windows</title>
      <link>https://blog.wains.be/2006/2006-06-16-basic-security-rules-under-windows/</link>
      <pubDate>Fri, 16 Jun 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-06-16-basic-security-rules-under-windows/</guid>
      <description>Run your session as a &amp;ldquo;user&amp;rdquo;, don&amp;rsquo;t ever run your session as &amp;ldquo;administrator&amp;rdquo; if you don&amp;rsquo;t need it
Read your emails as plain text, HTML emails could contain bad code (and write as plain text as well, I cannot stress this more : emails were not designed for HTML !! Screw you with your incredimail and the like !!)
Run a firewall and antivirus on your workstation
Regularly try to download the test virus from eicar.</description>
    </item>
    
    
    
    <item>
      <title>Apache - remove footer signature</title>
      <link>https://blog.wains.be/2006/2006-06-15-apache-remove-footer-signature/</link>
      <pubDate>Thu, 15 Jun 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-06-15-apache-remove-footer-signature/</guid>
      <description>This will remove the signature added at the bottom of index pages :
/etc/httpd/conf/httpd.conf
ServerTokens Prod
ServerSignature Off</description>
    </item>
    
    
    
    <item>
      <title>Enable IP forwarding under RHEL/CentOS</title>
      <link>https://blog.wains.be/2006/2006-06-06-enable-ip-forward-under-rhelcentos/</link>
      <pubDate>Tue, 06 Jun 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-06-06-enable-ip-forward-under-rhelcentos/</guid>
      <description>The regular way
Edit /etc/sysctl.conf
Edit the &amp;ldquo;net.ipv4.ip_forward&amp;rdquo; line and set it to 1
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.</description>
    </item>
    
    
    
    <item>
      <title>CentOS 4.3 &#43; Postfix 2.2.9 &#43; TLS/SSL &#43; RBL blocking &#43; SpamAssassin 3.1.2 &#43; Amavisd-new &#43; SPF &#43; pop-before-smtp &#43; procmail &#43; vmail &#43; disclaimer</title>
      <link>https://blog.wains.be/2006/2006-06-04-centos-43-postfix-229-tlsssl-rbl-blocking-spamassassin-312-amavisd-new-pop-before-smtp-procmail-vmail-disclaimer/</link>
      <pubDate>Sun, 04 Jun 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-06-04-centos-43-postfix-229-tlsssl-rbl-blocking-spamassassin-312-amavisd-new-pop-before-smtp-procmail-vmail-disclaimer/</guid>
      <description>Edit 16 nov 2006 : please consider using SMTP AUTH instead of pop-before-smtp: https://blog.wains.be/2013/2013-11-14-outbound-postfix-with-sasl-authentication-against-ldap-dovecot/
This is not meant to be a step-by-step guide. This is just a review of my current config with some helpful notes; it is probably meant for already advanced Postfix users looking for tips and tricks.
WordPress may have reformatted the code in some weird way.. don&amp;rsquo;t do massive copy paste and hope it works fine straight away, please review everything carefully !</description>
    </item>
    
    
    
    <item>
      <title>Postfix &#43; virtual users/domains- kill or forward spam under SpamAssassin using procmail</title>
      <link>https://blog.wains.be/2006/2006-06-04-postfix-virtual-users-and-domains-kill-spam-under-spamassassin-using-procmail/</link>
      <pubDate>Sun, 04 Jun 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-06-04-postfix-virtual-users-and-domains-kill-spam-under-spamassassin-using-procmail/</guid>
      <description>I needed to be able to kill spam reaching a certain score on my email gateway, which only delivers to virtual users and virtual domains&amp;hellip;
When delivering locally using the &amp;ldquo;local&amp;rdquo; delivery agent, you can easily use procmail by setting &amp;ldquo;mailbox_command = /usr/bin/procmail -whatever options&amp;rdquo;.. this option doesn&amp;rsquo;t work for the &amp;ldquo;virtual&amp;rdquo; delivery agent though.. I&amp;rsquo;ll explain below how to trigger procmail when using the virtual delivery agent :)
The following configuration does this : If an email reaches the inbound interface on the email gateway, the email will get piped through the &amp;ldquo;procmail-test&amp;rdquo; filter, which will run a procmail script.</description>
    </item>
    
    
    
    <item>
      <title>Simple OpenVPN setup</title>
      <link>https://blog.wains.be/2006/2006-05-24-simple-openvpn-setup/</link>
      <pubDate>Wed, 24 May 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-05-24-simple-openvpn-setup/</guid>
      <description>This will explain how to set up a simple OpenVPN tunnel between two computers (at a time). If someone attempts to connect while another person is already connected, that person will get bounced from the VPN tunnel..
On the server-side :
yum install openvpn
edit /etc/openvpn/server.conf
dev tun
ifconfig 10.0.0.1 10.0.0.2
secret static.key
port 1194
proto udp
user nobody
group nobody
daemon
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
log /var/log/openvpn.log
verb 1
openvpn --genkey --secret /etc/openvpn/static.</description>
    </item>
    
    
    
    <item>
      <title>Postfix as the default MTA under CentOS</title>
      <link>https://blog.wains.be/2006/2006-05-23-postfix-as-the-default-mta-under-centos/</link>
      <pubDate>Tue, 23 May 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-05-23-postfix-as-the-default-mta-under-centos/</guid>
      <description>Make sure both sendmail and postfix packages are installed
Install &amp;ldquo;system-switch-mail&amp;rdquo; from the base repository
Run /usr/sbin/system-switch-mail
Set Postfix as the default MTA
You are done :)</description>
    </item>
    
    
    
    <item>
      <title>My installation of CentOS</title>
      <link>https://blog.wains.be/2006/2006-05-17-my-installation-of-centos/</link>
      <pubDate>Wed, 17 May 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-05-17-my-installation-of-centos/</guid>
      <description>Please pay attention this is my personal setup for a SERVER (running only CLI etc)
Edit /etc/sysconfig/network and add (disable zeroconf, allow routing) :
NOZEROCONF=yes
FORWARD_IPV4=yes
Disable ipv6 : echo &amp;quot;alias net-pf-10 off&amp;quot; &amp;gt;&amp;gt; /etc/modprobe.conf
&amp;ldquo;yum erase&amp;rdquo; these: acpid apmd anacron at atd bluez-bluefw bluez-hcidump bluez-libs bluez-utils cups dhclient dhcpv6_client dmraid eject finger hal htmlview irda-utils isdn4k-utils lftp mailx mgetty minicom ncurses NetworkManager nfs-utils openldap pcmcia-cs pinfo pm -e irda-utils portmap ppp procmail proftpd python-sqlite redhat-logos redhat-lsb redhat-menus rhnlib rp-pppoe rsh setools setserial setuptool sqlite system-config-securitylevel-tui up2date wireless-tools wvdial xinetd ypbind yp-tools</description>
    </item>
    
    
    
    <item>
      <title>Block MSN and other messengers on your network</title>
      <link>https://blog.wains.be/2006/2006-05-16-block-msn-and-other-messengers-on-your-network/</link>
      <pubDate>Tue, 16 May 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-05-16-block-msn-and-other-messengers-on-your-network/</guid>
      <description>1. Iptables
This is my iptables config stored under /etc/sysconfig/iptables : (eth0 = WAN interface, eth1 = LAN interface)
You&amp;rsquo;ll notice 192.168.1.16 is allowed to connect to any services
You&amp;rsquo;ll also notice that the default stance for output traffic is ACCEPT. You can of course set it to DROP and only accept what you specifically define.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Basic protections against syn floods and other stuff
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Block MSN
-I FORWARD -s 192.</description>
    </item>
    
    
    
    <item>
      <title>Linux console screensaver</title>
      <link>https://blog.wains.be/2006/2006-05-11-linux-console-screensaver/</link>
      <pubDate>Thu, 11 May 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-05-11-linux-console-screensaver/</guid>
      <description>setterm -blank nn will tell the console driver to blank the screen after nn minutes of inactivity. (With nn = 0, screensaving is turned off.)
/usr/bin/setterm -blank 0</description>
    </item>
    
    
    
    <item>
      <title>Rebuilding failed Linux software RAID</title>
      <link>https://blog.wains.be/2006/2006-05-11-rebuilding-failed-linux-software-raid/</link>
      <pubDate>Thu, 11 May 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-05-11-rebuilding-failed-linux-software-raid/</guid>
      <description>This post will explain how I have rebuilt a software RAID array after a disk failure
I recently got a notification from the SMART daemon saying this:
This email was generated by the smartd daemon running on:
host name: gateway.domain.be
DNS domain: domain.be
NIS domain: (none)
The following warning/error was logged by the smartd daemon:
Device: /dev/hdd, 131 Currently unreadable (pending) sectors
For details see host&#39;s SYSLOG (default: /var/log/messages).
You can also use the smartctl utility for further investigation.</description>
    </item>
    
    
    
    <item>
      <title>Block viruses and protect yourself from spammers by blocking port 25 under Linux &#43; iptables </title>
      <link>https://blog.wains.be/2006/2006-05-10-block-forwarding-on-port-tcp-25-under-iptables/</link>
      <pubDate>Wed, 10 May 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-05-10-block-forwarding-on-port-tcp-25-under-iptables/</guid>
      <description>Just like ISPs do!
Find viruses on your network and prevent spammers from abusing your wireless network ! With simple iptables rulesets&amp;hellip;
OK, let&amp;rsquo;s calm down, this needs a bit of explanation before proceeding.
ISPs usually block port 25 : Unlike many ISPs, mine doesn&amp;rsquo;t ! They still allow customers to send emails directly through and to any SMTP servers (tcp/25).
The goal in blocking port 25 is to block viruses from spreading around by sending emails using their own SMTP daemon.</description>
    </item>
    
    
    
    <item>
      <title>Get useful info about your hard drive</title>
      <link>https://blog.wains.be/2006/2006-05-07-get-useful-info-about-your-hard-drive/</link>
      <pubDate>Sun, 07 May 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-05-07-get-useful-info-about-your-hard-drive/</guid>
      <description>(just because I&amp;rsquo;ll forget the command again, [that&amp;rsquo;s actually the whole point of this site :)] I needed to make a post about it :))
tune2fs -l /dev/XdXX
[root@localhost](1199)# tune2fs -l /dev/hda1
tune2fs 1.35 (28-Feb-2004)
Filesystem volume name: /boot
Last mounted on:
Filesystem UUID: 1ba17048-a79d-444d-a712-a9c90aa97a04
Filesystem magic number: 0xEF53
Filesystem revision #: 1 (dynamic)
Filesystem features: has_journal ext_attr filetype needs_recovery sparse_super
Default mount options: (none)
Filesystem state: clean
Errors behavior: Continue
Filesystem OS type: Linux
Inode count: 26104
Block count: 104391
Reserved block count: 5219
Free blocks: 88910
Free inodes: 26058
First block: 1
Block size: 1024
Fragment size: 1024
Blocks per group: 8192
Fragments per group: 8192
Inodes per group: 2008
Inode blocks per group: 251
Filesystem created: Fri Nov 26 20:09:34 2004
Last mount time: Sun May 7 10:56:40 2006
Last write time: Sun May 7 10:56:40 2006
Mount count: 428
Maximum mount count: -1
Last checked: Fri Nov 26 20:09:34 2004
Check interval: 0 ()
Reserved blocks uid: 0 (user root)
Reserved blocks gid: 0 (group root)
First inode: 11
Inode size: 128
Journal inode: 8
Default directory hash: tea
Directory Hash Seed: 47a6d832-2794-4e6e-ac27-2e0d51ab1af0
Journal backup: inode blocks
Another command will display even more information (superblocks, etc.</description>
    </item>
    
    
    
    <item>
      <title>Loading additional iptables modules under CentOS 4.x</title>
      <link>https://blog.wains.be/2006/2006-05-07-load-additional-iptables-modules-under-centos-4x/</link>
      <pubDate>Sun, 07 May 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-05-07-load-additional-iptables-modules-under-centos-4x/</guid>
      <description>If you need an iptables module to be loaded every time (let&amp;rsquo;s say the conntrack module for FTP connections), you can either :
issue &amp;ldquo;modprobe ip_conntrack_ftp&amp;rdquo; at the CLI every time you need it
add &amp;ldquo;modprobe ip_conntrack_ftp&amp;rdquo; under rc.local
edit /etc/init.d/iptables and add &amp;ldquo;modprobe ip_conntrack&amp;rdquo; under the &amp;ldquo;start&amp;rdquo; argument
or the proper way : edit /etc/sysconfig/iptables-config
IPTABLES_MODULES=&amp;quot;ip_conntrack_ftp&amp;quot;
Any time you start or restart iptables, the modules will be loaded :
[root@localhost](1035)# service iptables condrestart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: nat filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_ftp [ OK ]</description>
    </item>
    
    
    
    <item>
      <title>Basic iptables configuration</title>
      <link>https://blog.wains.be/2006/2006-05-03-basic-iptables-configuration/</link>
      <pubDate>Wed, 03 May 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-05-03-basic-iptables-configuration/</guid>
      <description>Published 2006-05-03 14:17:59
This is the most basic iptables configuration for a CentOS/RHEL gateway (eth0 = WAN, eth1 = LAN)
/etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT</description>
    </item>
    
    
    
    <item>
      <title>Issues with Iptables and frox (ftp transparent proxy)</title>
      <link>https://blog.wains.be/2006/2006-05-03-issues-with-iptables-and-frox-ftp-transparent-proxy/</link>
      <pubDate>Wed, 03 May 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-05-03-issues-with-iptables-and-frox-ftp-transparent-proxy/</guid>
      <description>If you set up a transparent ftp proxy using frox (as described here : http://blog.wains.be/?p=46) with iptables along on your linux gateway, you&amp;rsquo;ll probably stumble upon some issues&amp;hellip;
Let&amp;rsquo;s say you run frox on port 2121 and redirect any request made on port 21 to frox, you should use this kind of rule :
iptables -t nat -A PREROUTING -s 10.0.0.0/24 -p tcp -m tcp --dport 21 -j REDIRECT --to-ports 2121
You should first make sure you&amp;rsquo;ve set these rules for frox :</description>
    </item>
    
    
    
    <item>
      <title>Disable su for users</title>
      <link>https://blog.wains.be/2006/2006-04-12-disable-su-for-users/</link>
      <pubDate>Wed, 12 Apr 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-04-12-disable-su-for-users/</guid>
      <description>Uncomment the following line to only allow users in the &amp;ldquo;wheel&amp;rdquo; group to be able to su :
Edit /etc/pam.d/su :
# Uncomment the following line to require a user to be in the &amp;quot;wheel&amp;quot; group.
auth required /lib/security/$ISA/pam_wheel.so use_uid</description>
    </item>
    
    
    
    <item>
      <title>Apache- force SSL using a rewrite rule</title>
      <link>https://blog.wains.be/2006/2006-04-04-apache-force-ssl-using-a-rewrite-rule/</link>
      <pubDate>Tue, 04 Apr 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-04-04-apache-force-ssl-using-a-rewrite-rule/</guid>
      <description>This rewrite rule will redirect the requests to https (SSL) :
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
The module mod_rewrite is needed.
Something like &amp;ldquo;LoadModule rewrite_module modules/mod_rewrite.so&amp;rdquo; in your apache config should enable it.</description>
    </item>
    
    
    
    <item>
      <title>CentOS 3.6 &#43; Postfix 2.2.9 &#43; TLS &#43; Virtual Users &#43; MySQL backend &#43; ...</title>
      <link>https://blog.wains.be/2006/2006-04-04-centos-36-postfix-229-tls-virtual-users-mysql-backend/</link>
      <pubDate>Tue, 04 Apr 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-04-04-centos-36-postfix-229-tls-virtual-users-mysql-backend/</guid>
      <description>This article will review my current configuration, this is an update to a previous article : CentOS + Postfix + virtual users + Squirrelmail + …
What I stopped using since the previous article :
vacation message because the script I was using had a few annoying bugs that I haven&amp;rsquo;t figured out yet.
squirrelmail replaced by roundcube webmail (still beta !!), I don&amp;rsquo;t have many webmail users so I can afford using roundcube, which still has a lot of bugs.</description>
    </item>
    
    
    
    <item>
      <title>Postfix &#43; MySQL &#43; proxymap</title>
      <link>https://blog.wains.be/2006/2006-04-04-postfix-mysql-proxymap/</link>
      <pubDate>Tue, 04 Apr 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-04-04-postfix-mysql-proxymap/</guid>
      <description>I discovered I could improve Postfix performance when using MySQL as backend
According to http://spike.porcupine.org/test/html/proxymap.8.html :
To consolidate the number of open lookup tables by sharing one open table among multiple processes. For example, making mysql connections from every Postfix daemon process results in &amp;ldquo;too many connections&amp;rdquo; errors.
Edit /etc/postfix/main.cf :
# Allow proxy for the settings using MySQL
proxy_read_maps = $virtual_alias_maps $virtual_mailbox_maps $transport_maps $virtual_uid_maps $virtual_gid_maps
# add proxy: in front of any mysql:
virtual_mailbox_base = /var/spool/postfix/vmail
virtual_minimum_uid = 1000
virtual_mailbox_maps = proxy:mysql:/etc/postfix/vmailsql/vmailbox
virtual_alias_maps = proxy:mysql:/etc/postfix/vmailsql/valias
transport_maps = proxy:mysql:/etc/postfix/vmailsql/transport
virtual_uid_maps = proxy:mysql:/etc/postfix/vmailsql/vuid
virtual_gid_maps = proxy:mysql:/etc/postfix/vmailsql/vgid
local_recipient_maps = $virtual_mailbox_maps</description>
    </item>
    
    
    
    <item>
      <title>Postfix &#43; SPF</title>
      <link>https://blog.wains.be/2006/2006-04-04-postfix-spf/</link>
      <pubDate>Tue, 04 Apr 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-04-04-postfix-spf/</guid>
      <description>Enable SPF if you believe you need it.. For your information, SPF is not widely used
You&amp;rsquo;ll need Mail::SPF::Query :
1. perl -MCPAN -e shell
2. Under CPAN : install Mail::SPF::Query
3. Quit CPAN after installation of the library
Install libspf2-1.0.4 and libspf2-devel-1.0.4 from http://www.city-fan.org/ftp/contrib/libraries/
wget http://spf.pobox.com/postfix-policyd.txt -O /etc/postfix/spf-policy.pl
chmod 755 /etc/postfix/spf-policy.pl
Edit /etc/postfix/master.cf :
spfpolicy unix - n n - - spawn
  user=nobody argv=/usr/bin/perl /etc/postfix/spf-policy.pl
Edit /etc/postfix/main.cf :
check_policy_service unix:private/spfpolicy
smtpd_recipient_restrictions =
  reject_unauth_destination
  reject_unknown_recipient_domain
  reject_unverified_recipient
  check_policy_service unix:private/spfpolicy
service postfix restart</description>
    </item>
    
    
    
    <item>
      <title>Postfix &#43; TLS</title>
      <link>https://blog.wains.be/2006/2006-04-04-postfix-tls/</link>
      <pubDate>Tue, 04 Apr 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-04-04-postfix-tls/</guid>
      <description>This document describes how to install a mail server based on postfix that is capable of TLS. I tested it on CentOS 3.6 and 4.2.
I&amp;rsquo;m not sure which packages are actually needed for Postfix using TLS.. these are the ones installed on my system :
[root@server](1013)# rpm -qa | grep -i sasl
cyrus-sasl-gssapi-2.1.15-10
cyrus-sasl-plain-2.1.15-10
cyrus-sasl-2.1.15-10
cyrus-sasl-md5-2.1.15-10
cyrus-sasl-devel-2.1.15-10
Generate your SSL key and pem (based on http://www.projektfarm.com/en/support/howto/postfix_smtp_auth_tls.html):
openssl genrsa -des3 -rand /etc/hosts -out smtpd.</description>
    </item>
    
    
    
    <item>
      <title>An OpenLDAP addressbook/directory for Thunderbird</title>
      <link>https://blog.wains.be/2006/2006-04-01-an-openldap-directory-for-thunderbird/</link>
      <pubDate>Sat, 01 Apr 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-04-01-an-openldap-directory-for-thunderbird/</guid>
      <description>This guide will help you set up an LDAP directory under RHEL 4/CentOS 4 systems, 100 % compatible with Mozilla Thunderbird 1.5. Management of the LDAP directory will be done with phpLdapAdmin.
1. Install the needed packages # yum install openldap-servers openldap-clients
2. Download the LDAP schema for Thunderbird # wget http://blog.wains.be/pub/thunderbird.schema -O /etc/openldap/schema/thunderbird.schema
3. Create the directory tree in which the database will be stored # mkdir /var/lib/ldap/local
4. Change ownership # chown ldap:ldap /var/lib/ldap/local</description>
    </item>
    
    
    
    <item>
      <title>Fix the Bind to port 22 on 0.0.0.0 failed - Address already in use error</title>
      <link>https://blog.wains.be/2006/2006-03-30-howto-fix-bind-to-port-22-on-0000-failed-address-already-in-use-error/</link>
      <pubDate>Thu, 30 Mar 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-03-30-howto-fix-bind-to-port-22-on-0000-failed-address-already-in-use-error/</guid>
      <description>The error when starting and restarting sshd :
Mar 30 23:35:11 x sshd[9151]: Server listening on :: port 22.
Mar 30 23:35:11 x sshd[9151]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Mar 30 23:38:07 x sshd[9151]: Received signal 15; terminating.
Mar 30 23:38:07 x sshd[1977]: Server listening on :: port 22.
Mar 30 23:38:07 x sshd[1977]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.</description>
    </item>
    
    
    
    <item>
      <title>How to NOT disable IPv6 on RHEL/CentOS 4</title>
      <link>https://blog.wains.be/2006/2006-03-30-how-to-not-disable-ipv6-on-rhelcentos-4/</link>
      <pubDate>Thu, 30 Mar 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-03-30-how-to-not-disable-ipv6-on-rhelcentos-4/</guid>
      <description>There&amp;rsquo;s a myth on the web surrounding the method on how to disable IPv6 under RHEL/CentOS 4
Adding &amp;ldquo;NETWORKING_IPV6=no&amp;rdquo; to /etc/sysconfig/network DOES NOT work
If you want to disable IPv6, the only true working trick is : echo &amp;quot;alias net-pf-10 off&amp;quot; &amp;gt;&amp;gt; /etc/modprobe.conf
Period</description>
    </item>
    
    
    
    <item>
      <title>courier-imap - secure pop3 and imap</title>
      <link>https://blog.wains.be/2006/2006-03-29-courier-imap-secure-pop3-and-imap/</link>
      <pubDate>Wed, 29 Mar 2006 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-03-29-courier-imap-secure-pop3-and-imap/</guid>
      <description>Generate the key : $ openssl genrsa -out imap.key 1024
Result:
Generating RSA private key, 1024 bit long modulus
..............++++++
................................................................................................++++++
e is 65537 (0x10001)
We need to generate a CSR :
$ openssl req -new -key imap.key -out imap.csr
Result : `You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN.</description>
    </item>
    
    
    
    <item>
      <title>CentOS 4.2 &#43; Orinoco Monitor/Scan</title>
      <link>https://blog.wains.be/2006/2006-03-05-centos-42-orinoco-monitorscan/</link>
      <pubDate>Sun, 05 Mar 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-03-05-centos-42-orinoco-monitorscan/</guid>
      <description>According to http://blog.wains.be/?p=25, it was quite a pain to get the orinoco drivers with scan and monitor capabilities..
Being sick at the debianess of Ubuntu, I switched my laptop to the good old and lovely CentOS 4.2.
Having the orinoco_cs drivers with monitor mode running was a question of minutes..
Grab the drivers at the usual place : http://www.projectiwear.org/~plasmahh/orinoco.html I grabbed this one : http://www.projectiwear.org/~plasmahh/orinoco-0.13e-SN-7.tar.bz2
Untar somewhere on the disk.. make a backup of the good orinoco drivers located at /lib/modules/2.</description>
    </item>
    
    
    
    <item>
      <title>dsniff working under CentOS 4.2</title>
      <link>https://blog.wains.be/2006/2006-03-05-dsniff-working-under-centos-42/</link>
      <pubDate>Sun, 05 Mar 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-03-05-dsniff-working-under-centos-42/</guid>
      <description>I&amp;rsquo;ve been able to get dsniff working under CentOS 4.2..
I just needed to find the right packages, right versions, etc
You&amp;rsquo;ll need to downgrade some package versions and it may break your system !
Ethereal will stop working after applying these packages. You&amp;rsquo;ll need to downgrade to compat-db-4.0.14-2, gnome-libs depends on compat-db-4.1.25-9 (gnome is still running fine but that&amp;rsquo;s risky) You can always compile these packages by hand : http://www.</description>
    </item>
    
    
    
    <item>
      <title>The wonders of WinXP</title>
      <link>https://blog.wains.be/2006/2006-02-28-the-wonders-of-winxp/</link>
      <pubDate>Tue, 28 Feb 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-02-28-the-wonders-of-winxp/</guid>
      <description>My sound card stopped working for some unknown reason just in the middle of a session&amp;hellip;
I tried repairing the drivers, then took the card out of the case and plugged it back in&amp;hellip;
Windows XP found out a new device.. a network card&amp;hellip;..
Then I came across this wizard&amp;hellip;
Pressed ESC, it prompted me for a reboot&amp;hellip;
Finally, the sound card is working again.. don&amp;rsquo;t ask me about that new NIC, I have no idea what it was&amp;hellip;</description>
    </item>
    
    
    
    <item>
      <title>logwatch and logrotate might create a blind spot in reporting</title>
      <link>https://blog.wains.be/2006/2006-02-27-logwatch-and-logrotate-might-create-a-blind-spot-in-reporting/</link>
      <pubDate>Mon, 27 Feb 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-02-27-logwatch-and-logrotate-might-create-a-blind-spot-in-reporting/</guid>
      <description>From : http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2005-01/0295.html
Date: Tue, 25 Jan 2005 16:21:44 +0200 (EET) To: BUGTRAQ
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello BUGTRAQ,
I&amp;rsquo;m sorry, if this is old news to you, but I couldn&amp;rsquo;t find similar cases in BUGTRAQ archives.
logwatch (www.logwatch.org) is widely recommended tool for creating nice reports of various, often security related logfiles. logwatch is included at least in recent Red Hat/Fedora linux distributions, probably others as well.</description>
    </item>
    
    
    
    <item>
      <title>Installed amavisd-new on my postfix gateway</title>
      <link>https://blog.wains.be/2006/2006-02-20-installed-amavisd-new-on-my-postfix-gateway/</link>
      <pubDate>Mon, 20 Feb 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-02-20-installed-amavisd-new-on-my-postfix-gateway/</guid>
      <description>I may have been naive but mime_checks used to catch 100 % of any virus sent to us. Until I found out it was possible to bypass the checks by using special characters like &amp;ldquo;é&amp;rdquo; and such in the filenames.. doh !
I decided to install amavisd-new along with clamav.
I&amp;rsquo;ll try to explain how I got the whole thing working, including some personal tips..
You will need several packages, usually downloadable from your regular repo</description>
    </item>
    
    
    
    <item>
      <title>MySQL issue after upgrading from Courier-Imap 3 to 4</title>
      <link>https://blog.wains.be/2006/2006-02-11-upgrading-from-courier-imap-3-to-4/</link>
      <pubDate>Sat, 11 Feb 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-02-11-upgrading-from-courier-imap-3-to-4/</guid>
      <description>Along with CentOS 4.2 came MySQL 4.1, great news ! BUT&amp;hellip;
My old Courier-Imap version was only compatible with MySQL 3.x..
I had to upgrade to Courier-imap 4. My buddy kindly compiled the packages for me and published them on his repository : http://repo.securityteam.us/repository/
A few issues then came up with my imap configuration, I noticed a few changes had been made to Courier-Imap about MySQL connectivity..
As explained here http://blog.</description>
    </item>
    
    
    
    <item>
      <title>Easily upgrade from CentOS 3.6 to 4.2</title>
      <link>https://blog.wains.be/2006/2006-02-08-easily-upgrade-from-centos-36-to-42/</link>
      <pubDate>Wed, 08 Feb 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-02-08-easily-upgrade-from-centos-36-to-42/</guid>
      <description>To counter all the rants and posts I have seen on the web about how difficult it was to upgrade from CentOS 3 to 4, this post is here to testify it was actually easy, at least for a friend and myself.
I&amp;rsquo;ve been wandering around trying to find people&amp;rsquo;s experiences with such an upgrade and all I found was complaints, failures, rants and so on. Until my friend said the night before that he had upgraded without any problem</description>
    </item>
    
    
    
    <item>
      <title>Slow FTP logins under Proftpd using Xinetd</title>
      <link>https://blog.wains.be/2006/2006-01-24-slow-logins-under-proftpd-using-xinetd/</link>
      <pubDate>Tue, 24 Jan 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-01-24-slow-logins-under-proftpd-using-xinetd/</guid>
      <description>I was able to connect from European machines to my local FTP server located in Belgium (running proftpd from xinetd) very fast but some machines in North Carolina had a very sloooow login prompt&amp;hellip;
I tried about anything from PAM to iptables, then I found out running proftpd as standalone fixed the problem. The issue was on the xinetd side.
Finally found this out when googling around :
&amp;lt;code&amp;gt;The USERID option tells xinetd to query the remote host for a username.</description>
    </item>
    
    
    
    <item>
      <title>Ban a whole country with an iptables script</title>
      <link>https://blog.wains.be/2006/2006-01-16-script-generate-iptables-rule-that-will-ban-some-country-ip-ranges-to-access-your-machines/</link>
      <pubDate>Mon, 16 Jan 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-01-16-script-generate-iptables-rule-that-will-ban-some-country-ip-ranges-to-access-your-machines/</guid>
      <description>Let&amp;rsquo;s say you want to completely ban a country from accessing your servers.. E.g. : countries that have very shallow internet laws
Note : in regards to Epe&amp;rsquo;s comment, this article has been updated with a newer script, which should be doing a better job. Please drop me a comment, I&amp;rsquo;d love to hear feedback !
This script will parse the RIPE database and generate the iptables rules automatically..
Download the script here : https://www.</description>
    </item>
    
    
    
    <item>
      <title>Failed to create cache file- maildirwatch</title>
      <link>https://blog.wains.be/2006/2006-01-16-failed-to-create-cache-file-maildirwatch/</link>
      <pubDate>Mon, 16 Jan 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-01-16-failed-to-create-cache-file-maildirwatch/</guid>
      <description>I got this error any time I was consulting my IMAP mailbox running under courier-imap :
Jan 16 17:21:24 server imapd: Failed to create cache file: maildirwatch (account@domain)
Jan 16 17:21:24 server imapd: Error: Input/output error
Jan 16 17:21:24 server imapd: Check for proper operation and configuration
Jan 16 17:21:24 server imapd: of the File Access Monitor daemon (famd).
Just add this line to /etc/xinetd.d/sgi_fam : flags = NOLIBWRAP
Should look like : service sgi_fam { type = RPC UNLISTED socket_type = stream user = root group = nobody server = /usr/bin/fam wait = yes protocol = tcp rpc_version = 2 rpc_number = 391002 bind = 127.</description>
    </item>
    
    
    
    <item>
      <title>RRDweather 0.36 is out</title>
      <link>https://blog.wains.be/2006/2006-01-16-rrdweather-035-is-out/</link>
      <pubDate>Mon, 16 Jan 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-01-16-rrdweather-035-is-out/</guid>
      <description>Version 0.36 of RRDWeather is out&amp;hellip;
Thanks to Will Davies, Thomas Tague and Florus Both for their support and feedback.
Download : http://blog.wains.be/projects/pub/
More info : http://blog.wains.be/projects/rrdweather/</description>
    </item>
    
    
    
    <item>
      <title>Script - courier-imap virtual mail accounts listing</title>
      <link>https://blog.wains.be/2006/2006-01-16-script-courier-imap-virtual-mail-accounts-listing/</link>
      <pubDate>Mon, 16 Jan 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-01-16-script-courier-imap-virtual-mail-accounts-listing/</guid>
      <description>I made this little script to get a daily report of the usage of our virtual mailboxes at work, the POP3 server is courier-imap. I don&amp;rsquo;t need to run any quota on the accounts but I just want to make sure people regularly check their mailboxes.
&amp;lt;code&amp;gt;#!/bin/sh
# Check storage used by virtual mail accounts under courier-imap
DOMAINS=&amp;quot;domain1.be domain2.be&amp;quot;
TIMESTAMP=`date +%d/%m/%Y`
echo &amp;quot;REPORT DATE : $TIMESTAMP&amp;quot;
echo &amp;quot; &amp;quot;
for domains in $DOMAINS
do
echo &amp;quot;---------------------------&amp;quot;
echo &amp;quot;$domains&amp;quot;
echo &amp;quot;====================================================&amp;quot;
echo &amp;quot;Size Accounts&amp;quot;
echo &amp;quot;---------------------------&amp;quot;
echo &amp;quot; &amp;quot;
du -h /var/spool/postfix/vmail/$domains/ --max-depth=2 -c | egrep &amp;quot;/var/spool/postfix/vmail/$domains/[a-z]/&amp;quot; | sed -re &amp;quot;s/\/var\/spool\/postfix\/vmail\/$domains\/[a-z]\///g&amp;quot; | egrep &amp;quot;[0-9]{2,3}M&amp;quot; | awk &#39;{print $1, &amp;quot; &amp;quot;,$2}&#39; | sort -r
du -h /var/spool/postfix/vmail/$domains/ --max-depth=2 -c | egrep &amp;quot;/var/spool/postfix/vmail/$domains/[a-z]/&amp;quot; | sed -re &amp;quot;s/\/var\/spool\/postfix\/vmail\/$domains\/[a-z]\///g&amp;quot; | egrep &amp;quot;[0-9]{1}.</description>
    </item>
    
    
    
    <item>
      <title>TV out on Nvidia displaying in black and white with scart &amp; S-VHS</title>
      <link>https://blog.wains.be/2006/2006-01-13-tv-out-on-nvidia-geforce-2-mx-440-display-black-and-white/</link>
      <pubDate>Fri, 13 Jan 2006 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2006/2006-01-13-tv-out-on-nvidia-geforce-2-mx-440-display-black-and-white/</guid>
      <description>I&amp;rsquo;ve been scratching my head for a while on this issue but I finally found a fix ! I tried about anything, knowing it used to work a while ago (like 2 years from now with older drivers).
My Nvidia Geforce 2 MX 440 was displaying a black and white output when using a S-VHS (or S-video) cable plugged into my scart TV
My drivers : ForceWare Release 80 Version: 81.</description>
    </item>
    
    
    
    <item>
      <title>Script - check services status easily</title>
      <link>https://blog.wains.be/2005/2005-12-14-script-easily-check-services-status-easily/</link>
      <pubDate>Wed, 14 Dec 2005 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-12-14-script-easily-check-services-status-easily/</guid>
      <description>Since arpwatch and spamassassin crashed for some unknown reasons (probably bugs) lately, I needed a tool that would monitor services status on a regular basis.
I found Nagios http://www.nagios.org/ but it was not really what I needed. Indeed, Nagios can only monitor some specific services (usually services opening a tcp port) and it offered just way too many features, thus requiring a lot of dependencies and was not the easiest piece of software to install.</description>
    </item>
    
    
    
    <item>
      <title>SpamAssassin 3.1.0 crashed - tcp timeout issue</title>
      <link>https://blog.wains.be/2005/2005-12-13-spamassassin-310-crash-tcp-timeout-issue/</link>
      <pubDate>Tue, 13 Dec 2005 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-12-13-spamassassin-310-crash-tcp-timeout-issue/</guid>
      <description>SpamAssassin 3.1.0 crashed last week. I looked up the logs and found out these errors
Dec 5 00:15:04 fedora spamd[29470]: tcp timeout at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/SpamdForkScaling.pm line 195.
Dec 5 00:15:04 fedora spamd[29470]: tcp timeout at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/SpamdForkScaling.pm line 195.
Dec 5 00:28:22 fedora spamc[8763]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
Dec 5 00:28:23 fedora spamc[8763]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused
Dec 5 00:28:24 fedora spamc[8763]: connect(AF_INET) to spamd at 127.</description>
    </item>
    
    
    
    <item>
      <title>How to set up a transparent FTP proxy using frox</title>
      <link>https://blog.wains.be/2005/2005-11-18-howto-setting-up-a-transparent-ftp-proxy-using-frox-and-proftpd/</link>
      <pubDate>Fri, 18 Nov 2005 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-11-18-howto-setting-up-a-transparent-ftp-proxy-using-frox-and-proftpd/</guid>
      <description>Running a transparent FTP proxy is an easy way to control FTP connections made by people on your network (using ACL&amp;rsquo;s). If you are already running Squid as a transparent (web) proxy, it cannot also act as a transparent FTP proxy, so you have to use another tool for FTP proxying : frox will do the job
Installation &amp;amp; compilation
Grab the latest version of Frox at http://frox.sourceforge.net/ Compile the package the usual way.</description>
    </item>
    
    
    
    <item>
      <title>HOWTO - Proftpd &#43; mysql authentication (virtual users) &#43; xinetd</title>
      <link>https://blog.wains.be/2005/2005-11-17-howto-proftpd-mysql-authentication-virtual-users-xinetd/</link>
      <pubDate>Thu, 17 Nov 2005 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-11-17-howto-proftpd-mysql-authentication-virtual-users-xinetd/</guid>
      <description>Compilation &amp;amp; installation
wget http://dag.wieers.com/packages/proftpd/proftpd-1.2.10-8.dag.src.rpm
yum install pkgconfig mysql-devel
rpm -ihv proftpd-1.2.10-8.dag.src.rpm
rpmbuild -ba --with-mysql /usr/src/redhat/SPECS/proftpd-1.2.10-dag.spec
For the lazy asses out there, this is the compiled version :
wget http://blog.wains.be/pub/proftpd-1.2.10-8_mysql.dag.i386.rpm
rpm -ihv proftpd-1.2.10-8_mysql.dag.i386.rpm
User configuration
groupadd -g 5500 ftpgroup
adduser -u 5500 -s /bin/false -d /bin/null -c &amp;quot;proftpd virtual user&amp;quot; -g ftpgroup ftpuser
Building the MySQL database
mysql -u root -p
create database proftpd_auth;
grant select, insert, update on proftpd_auth.* to proftpd@localhost identified by &#39;password&#39;;
use proftpd_auth;
CREATE TABLE ftpgroup (
  groupname varchar(16) NOT NULL default &#39;&#39;,
  gid smallint(6) NOT NULL default &#39;5500&#39;,
  members varchar(16) NOT NULL default &#39;&#39;,
  KEY groupname (groupname)
) TYPE=MyISAM COMMENT=&#39;ProFTP group table&#39;;
INSERT INTO ftpgroup VALUES (&#39;ftpgroup&#39;, 5500, &#39;ftpuser&#39;);
INSERT INTO ftpgroup VALUES (&#39;ftpgroup&#39;, 5500, &#39;ftpguest&#39;);
CREATE TABLE ftpuser (
  id int(10) unsigned NOT NULL auto_increment,
  userid varchar(32) NOT NULL default &#39;&#39;,
  passwd varchar(32) NOT NULL default &#39;&#39;,
  uid smallint(6) NOT NULL default &#39;5500&#39;,
  gid smallint(6) NOT NULL default &#39;5500&#39;,
  homedir varchar(255) NOT NULL default &#39;&#39;,
  shell varchar(16) NOT NULL default &#39;/sbin/nologin&#39;,
  count int(11) NOT NULL default &#39;0&#39;,
  accessed datetime NOT NULL default &#39;0000-00-00 00:00:00&#39;,
  modified datetime NOT NULL default &#39;0000-00-00 00:00:00&#39;,
  PRIMARY KEY (id),
  UNIQUE KEY userid (userid)
) TYPE=MyISAM COMMENT=&#39;ProFTP user table&#39;;
INSERT INTO ftpuser VALUES (1, &#39;guest&#39;, &#39;guest&#39;, 5500, 5500, &#39;/home/ftp/guest&#39;, &#39;/sbin/nologin&#39;,0,&#39;&#39;,&#39;&#39;);
exit;</description>
    </item>
    
    
    
    <item>
      <title>Get a 1024x768 VESA tty console under Ubuntu</title>
      <link>https://blog.wains.be/2005/2005-11-05-get-a-1024x768-tty-console-under-ubuntu/</link>
      <pubDate>Sat, 05 Nov 2005 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-11-05-get-a-1024x768-tty-console-under-ubuntu/</guid>
      <description>Just add &amp;ldquo;vga=792&amp;rdquo; to the end of the line &amp;ldquo;kernel&amp;rdquo; under /boot/grub/menu.lst
Example /boot/grub/menu.lst :
title Ubuntu, kernel 2.6.12-9-686
root (hd0,0)
kernel /boot/vmlinuz-2.6.12-9-686 root=/dev/hda1 ro quiet splash vga=792
initrd /boot/initrd.img-2.6.12-9-686
savedefault
boot
Just in case, make a copy of the previous settings, so you will always be able to boot again if something goes wrong
This may require packages like libdirectfb and such, I&amp;rsquo;m not too sure.. it worked with a regular install of Ubuntu on my HP laptop</description>
    </item>
    
    
    
    <item>
      <title>Ubuntu Breezy (5.10) &#43; Kismet &#43; Orinoco patched drivers for monitoring and scan modes</title>
      <link>https://blog.wains.be/2005/2005-11-05-ubuntu-breezy-510-kismet-orinoco-patched-drivers-for-monitoring-and-scan-modes/</link>
      <pubDate>Sat, 05 Nov 2005 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-11-05-ubuntu-breezy-510-kismet-orinoco-patched-drivers-for-monitoring-and-scan-modes/</guid>
      <description>I installed a fresh copy of Ubuntu Breezy on my laptop I had to recompile the orinoco drivers to get the monitoring capabilities of the card&amp;hellip;
This is the how-to :
Grab a copy of the sources here : http://www.projectiwear.org/~plasmahh/orinoco.html. You should get the version 0.13 revision 8 if you run kernel 2.6.12
Extract the files somewhere on the disk, let&amp;rsquo;s say /tmp/orinoco
Make a copy of the current orinoco and hermes modules in a safe place : mkdir /orinoco-backup cp /lib/modules/2.</description>
    </item>
    
    
    
    <item>
      <title>Kernel compilation under CentOS</title>
      <link>https://blog.wains.be/2005/2005-11-03-compiler-son-kernel-sous-centos/</link>
      <pubDate>Thu, 03 Nov 2005 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-11-03-compiler-son-kernel-sous-centos/</guid>
      <description>The package kernel-sources is needed
You need to make sure /usr/src/linux is a symlink pointing to the kernel sources directory
Example : lrwxrwxrwx 1 root root 9 Jul 2 13:57 linux -&amp;gt; linux-2.4 lrwxrwxrwx 1 root root 18 Sep 29 18:57 linux-2.4 -&amp;gt; linux-2.4.21-37.EL drwxr-xr-x 16 root root 4096 Nov 2 15:33 linux-2.4.21-37.EL
If not : cd /usr/src ln -s linux-2.4 linux
Then : cd /usr/include for link in asm linux scsi ; do mv $link $link-old ; done --&amp;gt; should avoid error when compiling the kernel ln -s /usr/src/linux/include/asm-i386 asm --&amp;gt; this link is needed for a proper compilation ln -s /usr/src/linux/include/linux linux --&amp;gt; dito ln -s /usr/src/linux/include/scsi scsi --&amp;gt; dito cd /usr/src/linux cp /usr/src/linux/configs/kernel-2.</description>
    </item>
    
    
    
    <item>
      <title>Unknown key pressed, use setkeycodes</title>
      <link>https://blog.wains.be/2005/2005-11-01-unknown-key-pressed-use-setkeycodes/</link>
      <pubDate>Tue, 01 Nov 2005 00:00:00 +0100</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-11-01-unknown-key-pressed-use-setkeycodes/</guid>
      <description>Under Ubuntu Breezy, I kept getting an error message filling up /var/log/messages whenever I pressed any arrow key :
Oct 30 10:50:27 pc1 kernel: [4323215.043000] atkbd.c: Unknown key pressed (translated set 2, code 0xaa on isa0060/serio0).
Oct 30 10:50:27 pc1 kernel: [4323215.043000] atkbd.c: Use &#39;setkeycodes e02a keycode&#39; to make it known.
Adding this line to /etc/sysctl.conf fixed the problem : setkeycodes e02a 104
(104 is for page up key as far as I know)</description>
    </item>
    
    
    
    <item>
      <title>SMB - mount_data version 1919251317 is not supported</title>
      <link>https://blog.wains.be/2005/2005-10-30-smb-mount_data-version-1919251317-is-not-supported/</link>
      <pubDate>Sun, 30 Oct 2005 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-10-30-smb-mount_data-version-1919251317-is-not-supported/</guid>
      <description>Under a fresh install of Ubuntu 5.10, I had an error when trying to mount a SMB share on my CentOS 3.5 server :
user@host:/media$ sudo mount -t smbfs //server/path /media/path -o rw,username=username,password=password
mount: wrong fs type, bad option, bad superblock on //server/path,
missing codepage or other error
In some cases useful info is found in syslog - try
dmesg | tail or so
Let&amp;rsquo;s see what the logs say :</description>
    </item>
    
    
    
    <item>
      <title>RRDWeather 0.31 is out !</title>
      <link>https://blog.wains.be/2005/2005-10-29-rrdweather-031-is-out/</link>
      <pubDate>Sat, 29 Oct 2005 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-10-29-rrdweather-031-is-out/</guid>
      <description>A new release of RRDWeather is out&amp;hellip;
Changelog :
better XML parsing
some minor changes
Download : http://blog.wains.be/projects/pub/
More info : http://blog.wains.be/projects/rrdweather/</description>
    </item>
    
    
    
    <item>
      <title>sh/bin bad interpreter- No such file or directory</title>
      <link>https://blog.wains.be/2005/2005-10-29-shbin-bad-interpreter-no-such-file-or-directory/</link>
      <pubDate>Sat, 29 Oct 2005 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-10-29-shbin-bad-interpreter-no-such-file-or-directory/</guid>
      <description>If a script you are trying to run returns :
sh/bin bad interpreter: No such file or directory
Try this :
dos2unix filename
Before dos2unix :
head -1 filename | od -c should return :
0000000 #! / b i n / s h \r \n
0000013
After dos2unix :
head -1 filename | od -c should return :
0000000 #! / b i n / s h \n
0000013
Noticed the \r character ?</description>
    </item>
    
    
    
    <item>
      <title>Install CentOS from the web</title>
      <link>https://blog.wains.be/2005/2005-10-27-install-centos-from-the-web/</link>
      <pubDate>Thu, 27 Oct 2005 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-10-27-install-centos-from-the-web/</guid>
      <description>This could work under Fedora and other RHEL flavored distributions&amp;hellip;
Download the first CD of CentOS
Edit March 31 2006 :
I found out you can avoid downloading the full first CD (See ftp://ftp.belnet.be/mirror/ftp.centos.org/4/os/i386/images/README)
This directory contains image files that can be used to create media capable of starting the CentOS-4 i386 installation process.
The boot.iso file is an ISO 9660 image of a bootable CD-ROM. It is useful in cases where the CD-ROM installation method is not desired, but the CD-ROM&amp;rsquo;s boot speed would be an advantage.</description>
    </item>
    
    
    
    <item>
      <title>Moving a folder to a new partition</title>
      <link>https://blog.wains.be/2005/2005-10-27-moving-a-folder-to-a-new-partition/</link>
      <pubDate>Thu, 27 Oct 2005 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-10-27-moving-a-folder-to-a-new-partition/</guid>
      <description>Let&amp;rsquo;s say you have enough remaining free diskspace on your harddrive, you may want to move directories like /home or /tmp to a new partition&amp;hellip;
YOU MUST BE ROOT UNDER TTY AND ANY OTHER USER MUST BE LOGGED OFF
`- fdisk -l /dev/hda &amp;ndash;&amp;gt; you&amp;rsquo;ll see the list of your current partition setup
fdisk /dev/hda &amp;ndash;&amp;gt; the drive you want to allocate the new partition press m to display the menu &amp;ndash;&amp;gt; it will show some error messages, if you have a recent computer, you can avoid the messages and press m press n to create a new partition if you already have 3 partitions (let&amp;rsquo;s say /boot, / and swap), you will need to create an extended partition it will give you the opportunity to choose from which cylinder the partition should begin, fdisk will guess the default value, just - press enter last cylinder, same as above, press enter &amp;ndash;&amp;gt; the extended partition has been created : /dev/hda4 back to the menu, press c to create a new partition select &amp;ldquo;logical partition&amp;rdquo; enter the size of the partition (+5000M for 5 Gb) &amp;ndash;&amp;gt; the logical partition has been created : /dev/hda5 back to the menu, press w to save the changes` Reboot the machine</description>
    </item>
    
    
    
    <item>
      <title>disabling IRQ 5 error when installing Red Hat/CentOS on a ASUS P4P800</title>
      <link>https://blog.wains.be/2005/2005-10-26-disabling-irq-5-error-when-installing-redhatcentos-on-a-asus-p4p800/</link>
      <pubDate>Wed, 26 Oct 2005 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-10-26-disabling-irq-5-error-when-installing-redhatcentos-on-a-asus-p4p800/</guid>
      <description>When starting the Red Hat/CentOS installer, it kept giving me an error, over and over : &amp;ldquo;disabling IRQ 5&amp;rdquo;
The installer was running very slow as well.. It seemed to me IRQ 5 was bound to the DVD drive
I had to disable the &amp;ldquo;enhanced mode&amp;rdquo; of the IDE drives under the (AMI) BIOS : Steps :
Boot the machine (no way !)
Enter the BIOS
Main menu
IDE Configuration
Onboard IDE Operate Mode
Enhanced Mode &amp;ndash;&amp;gt; Compatible Mode
Save and reboot
The Red Hat/CentOS installer was no longer giving the error after changing this setting&amp;hellip; Hope it helps.</description>
    </item>
    
    
    
    <item>
      <title>RRDWeather 0.20 is out !</title>
      <link>https://blog.wains.be/2005/2005-09-27-rrdweather-020-is-out/</link>
      <pubDate>Tue, 27 Sep 2005 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-09-27-rrdweather-020-is-out/</guid>
      <description>What is RRDWeather ?
RRDWeather is a weather monitoring tool based on RRDtool and weather.com. It regularly collects weather data from an XML file and puts them in nice graphs &amp;ldquo;a la RRDtool&amp;rdquo;.
Go to http://blog.wains.be/projects/rrdweather/ for more&amp;hellip;
Questions can be submitted here in the comments</description>
    </item>
    
    
    
    <item>
      <title>How to fix the Mail--SPF--Query error after upgrading to SpamAssassin 3.1.0</title>
      <link>https://blog.wains.be/2005/2005-09-15-how-to-fix-the-mailspfquery-error-after-upgrading-to-spamassassin-310/</link>
      <pubDate>Thu, 15 Sep 2005 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-09-15-how-to-fix-the-mailspfquery-error-after-upgrading-to-spamassassin-310/</guid>
      <description>A new version of SpamAssassin has been released lately.. Upgrade from version 3.0.4 to 3.1.0..
The upgrade led to an error : Sep 15 17:21:44 xxx spamd 13300 : Can&#39;t locate Mail/SPF/Query.pm in @INC (@INC contains: ../lib /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl) at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Plugin/SPF.pm line 272, &amp;lt;GEN101&amp;gt; line 1545.
After some research, I figured out the Perl library Mail::SPF::Query was needed. This new version of SpamAssassin apparently has SPF enabled by default now&amp;hellip;</description>
    </item>
    
    
    
    <item>
      <title>Migrate from SUS to WSUS under Windows 2000 Server</title>
      <link>https://blog.wains.be/2005/2005-09-10-migration-de-sus-vers-wsus-sur-windows-2000-serveur/</link>
      <pubDate>Sat, 10 Sep 2005 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-09-10-migration-de-sus-vers-wsus-sur-windows-2000-serveur/</guid>
      <description>SUS had been working pretty well for the last two years to deploy updates throughout a network of around 30 clients under Win2000/XP.
Given the notification of the end of support of SUS by the 6th of June, I dived into the migration to the new release, the so-called WSUS.
BE AWARE : migrate SUS during off peak hours, the server will be rebooted several times to complete the installation (critical apps, go to hell)</description>
    </item>
    
    
    
    <item>
      <title>How to fix a broken GRUB</title>
      <link>https://blog.wains.be/2005/2005-06-27-centos-faulty-hard-drive-grub-recovery/</link>
      <pubDate>Mon, 27 Jun 2005 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-06-27-centos-faulty-hard-drive-grub-recovery/</guid>
      <description>The story:
For 3 days in a row, one of our Linux CentOS servers (small squid, DNS, MRTG, apache server running on a P3 450/192 Mb) has been randomly rebooting. After the usual checkup, I came to the conclusion it wasn&amp;rsquo;t a power outage nor a UPS issue and the box hadn&amp;rsquo;t been hacked. The SMART table had critical values recorded, the hard drive was about to faint (a 1999 Maxtor unit)</description>
    </item>
    
    
    
    <item>
      <title>CentOS 3.6 &#43; Postfix 2.0.16 MySQL &#43; Courier-imap &#43; SquirrelMail &#43; vmail &#43; SpamAssassin &#43; attachments filtering &#43; RBL filtering &#43; vacation message &#43; auto disclaimer/signature</title>
      <link>https://blog.wains.be/2005/2005-06-22-centos-postfix-virtual-users/</link>
      <pubDate>Wed, 22 Jun 2005 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-06-22-centos-postfix-virtual-users/</guid>
      <description>I manage a network of around 30 computers (25 active clients win/linux, 7 servers win/linux)
I have implemented an email solution based on CentOS and Postfix to ease mail exchange internally and avoid the slowness of our ex-host.
This article is not really meant to be a howto but an overview of our current configuration. It may give you ideas or help figuring out some parameters. Some stuff may be missing as well.</description>
    </item>
    
    
    
    <item>
      <title>Hacking the Orinoco Silver into an Orinoco Gold</title>
      <link>https://blog.wains.be/2005/2005-06-17-hacking-the-orinoco-silver-into-an-orinoco-gold/</link>
      <pubDate>Fri, 17 Jun 2005 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-06-17-hacking-the-orinoco-silver-into-an-orinoco-gold/</guid>
      <description>When inserting my Orinoco card into my laptop, dmesg was telling me my card was able to do WEP 128 bits. After several failed attempts, I went with WEP 64 bits, which worked fine.
dmesg returned this :
eth1: Station identity 001f:0001:0008:0048
eth1: Looks like a Lucent/Agere firmware version 4.02
eth1: Ad-hoc demo mode supported
eth1: IEEE standard IBSS ad-hoc mode supported
eth1: WEP supported, 104-bit key
eth1: MAC address 00:02:2D:XX:XX:XX
eth1: Station name &amp;quot;HERMES I&amp;quot;
eth1: ready
eth1: index 0x01: Vcc 5.</description>
    </item>
    
    
    
    <item>
      <title>Ubuntu &#43; HP Omnibook XE3 &#43; Orinoco</title>
      <link>https://blog.wains.be/2005/2005-06-17-ubuntu-hp-omnibook-xe3-orinoco/</link>
      <pubDate>Fri, 17 Jun 2005 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-06-17-ubuntu-hp-omnibook-xe3-orinoco/</guid>
      <description>I run Ubuntu on an HP laptop recently bought on eBay.
The model is an Omnibook XE3. It has a Celeron 750 Mhz CPU and 192 Mb of RAM, a 10 Gb hard drive and a TFT 13&amp;quot; screen.
Installation of Ubuntu on this machine went pretty well, not a single issue during the installation. The whole hardware has been detected and installed without any glitch.
For wifi connectivity, I bought (from eBay as well) an Orinoco Silver card, automatically detected as using the orinoco firmware.</description>
    </item>
    
    
    
    <item>
      <title>Ubuntu &#43; Orinoco &#43; Modes Scan &amp; Monitor &#43; Kismet &#43; Wifi-Radar</title>
      <link>https://blog.wains.be/2005/2005-06-17-ubuntu-orinoco-modes-scan-monitor-kismet-wifi-radar-2/</link>
      <pubDate>Fri, 17 Jun 2005 00:00:00 +0200</pubDate>
      
      <guid>https://blog.wains.be/2005/2005-06-17-ubuntu-orinoco-modes-scan-monitor-kismet-wifi-radar-2/</guid>
      <description>Since writing this article, I switched my laptop to CentOS 4. My Orinoco experiences under CentOS are available at: http://blog.wains.be/?p=68
MONITOR MODE ONLY
I&amp;rsquo;ve been using the default Ubuntu drivers for my Orinoco card for a while. I used a patch available on the Kismet website to get monitor capabilities.
http://www.kismetwireless.net/code/orinoco-2.6.9-rfmon-dragorn-1.diff
I followed this guide to get the modules compiled :
https://wiki.ubuntu.com//OrinocoMonitorKismet2005Hoary
Kismet 2004 was working perfectly and was stable. I&amp;rsquo;d avoid Kismet 2005 for some reason, it was very unstable under Hoary.</description>
    </item>
    
    
    
    
    
    
    
    
  </channel>
</rss>
