find out if your Apache is really serving the right hosts

From time to time it happens that websites that used to be on your web servers are moved away by your clients without them notifying you. So every now and then you have to go looking for «zombie websites».

I have the following setup: there is an Apache web server that hosts a lot of websites. Each website has at least two virtual hosts, one for the main website and a second one that catches all the aliases and redirects them to the first. Each website has its own config file.

So, if I want to know whether a website is still being served by my machine, I run the following:

for host in `grep "Server\(Alias\|Name\)" _config/apache/* | awk '{ for(i=3 ; i<=NF ; i++)printf "%s\n", $i}'`; do echo -n `nslookup "$host" | grep -A1 Name | grep Address | awk '{print $2}'`; echo " $host"; done


Okay, let’s go through it step by step:


for host in `grep "Server\(Alias\|Name\)" _config/apache/*

Here we extract all lines containing ServerAlias or ServerName from all config files. The output will look like this:

_config/apache/foo.bar.conf: ServerName www.foo.bar
_config/apache/foo.bar.conf: ServerAlias foo.bar fuh.bar www.foo.bar
_config/apache/example.com.conf: ServerName www.example.com
_config/apache/yah.conf: ServerAlias    example.com

As you can see, the number of hostnames per line varies, so we have to tell awk how to deal with that.


| awk '{ for(i=3 ; i<=NF ; i++)printf "%s\n", $i}'`

Awk takes each line and reads it from the third column (columns are separated by whitespace) up to the end of the line. Each value is printed followed by a newline, so that instead of example.com fuh.bar www.foo.bar we get

example.com
fuh.bar
www.foo.bar

do echo -n

Now we print each result of the following command without a trailing newline.


`nslookup "$host" | grep -A1 Name | grep Address | awk '{print $2}'`;

Here we look up the IP address of the current host, grep for the line containing "Name" and (with -A1) print the following line as well, because that one holds the IP address we are looking for. As we only need the address, we grep the result again for "Address", which leaves the second line. We don't want the "Address" label itself, so we let awk strip it off. To make this a bit easier to understand, I will quickly show you what these commands do:

nslookup example.com
Server:         213.133.100.100
Address:        213.133.100.100#53
Non-authoritative answer:
Name:   example.com
Address: 192.0.32.10
---
nslookup example.com | grep -A1 Name
Name:   example.com
Address: 192.0.32.10
---
nslookup example.com | grep -A1 Name | grep Address
Address: 192.0.32.10
---
nslookup example.com | grep -A1 Name | grep Address | awk '{print $2}'
192.0.32.10


echo " $host"

Now we have an IP address, but we would also like to know which hostname it belongs to, so we quickly echo that as well.

Done. Afterwards we can see:

192.0.32.10 www.example.com
yetanotherhost.mil
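The same idea as the loop above, turned into a check that tells you which names no longer point at your box. This is an added example, not the post's own script: it parses the configs a little more robustly than grep|awk, resolves every name and compares the result with the addresses this machine owns. getent(1) and hostname -I are assumptions about the host's toolset.

```shell
#!/bin/sh
# Added example, not the post's own loop: pull every ServerName/ServerAlias out of
# a set of Apache config files, resolve each name and compare the result with the
# addresses this machine owns. A name that resolves elsewhere is a "zombie": we
# still serve it, but DNS no longer points at us.

# extract_hosts FILE...: one hostname per line. Unlike the grep|awk pipeline above
# this skips commented-out directives, drops trailing comments and does not care
# whether the directive is indented (grep's "file:ServerName" would break $3).
extract_hosts() {
    awk '
        /^[[:space:]]*#/ { next }                       # comment line
        $1 == "ServerName" || $1 == "ServerAlias" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break                    # trailing comment
                print $i
            }
        }' "$@"
}

# resolve HOST: IPv4 addresses of HOST, one per line (empty if it does not
# resolve). Assumes a glibc getent(1); swap in nslookup/dig if you prefer.
resolve() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# classify HOST RESOLVED_IPS LOCAL_IPS: prints "ok", "zombie" or "unresolved"
# followed by HOST, depending on whether any resolved address is one of ours.
classify() {
    host=$1; resolved=$2; local_ips=$3
    [ -n "$resolved" ] || { echo "unresolved $host"; return; }
    for ip in $resolved; do
        case " $local_ips " in *" $ip "*) echo "ok $host"; return ;; esac
    done
    echo "zombie $host"
}

# check_configs LOCAL_IPS FILE...: the whole pipeline against live DNS, e.g.
#   check_configs "$(hostname -I)" /etc/apache2/vhosts.d/*.conf   (hostname -I is Linux-only)
check_configs() {
    local_ips=$1; shift
    extract_hosts "$@" | sort -u | while read -r h; do
        classify "$h" "$(resolve "$h")" "$local_ips"
    done
}
```

Every line starting with zombie or unresolved is a vhost worth a closer look; ok lines still point at you.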
Posted in howto, Linux, Webserver

SFTP only and SSH only OpenSSH system with gentoo

There are many ways of working around the lack of security in ye olde FTP, but there is one quite handy solution: let OpenSSH handle the file transfers via SCP/SFTP.

Many solutions try to restrict access for some users. That's not what we are trying to do. In the end, we will have two running OpenSSH instances: one for SSH and the other for SFTP/SCP.

With Gentoo this is quite easy to do, but this howto should be usable with other distros as well.

Here are the steps:

1. Get OpenSSH (should already have been done at install time)

emerge openssh

2. Copy some files, make links

cp -R /etc/ssh /etc/ssh2
cp /etc/conf.d/sshd /etc/conf.d/sshd2
ln -s /etc/init.d/sshd /etc/init.d/sshd2
ln -s /usr/sbin/sshd /usr/sbin/sshd2

3a. SSH server

Now edit /etc/ssh/sshd_config and remove the line that defines the sftp Subsystem. Then decide how to keep the two servers apart: bind them to different IP addresses on the same port, to the same IP address on different ports, or both. :-) Either way, the options for this are:

Port <portnumber>
ListenAddress <ip-address>

3b. SFTP server

Now edit /etc/ssh2/sshd_config, keeping the port and IP settings of the SSH server in mind so that the two do not collide.

Subsystem       sftp    internal-sftp
# These lines must appear at the *end* of sshd_config
ChrootDirectory %h
ForceCommand internal-sftp

This forces every successful login to start the internal SFTP server, chrooted into the user's home directory.

Edit /etc/conf.d/sshd2

# /etc/conf.d/sshd: config file for /etc/init.d/sshd
# Where is your sshd_config file stored?
SSHD_CONFDIR="/etc/ssh2"
# Any random options you want to pass to sshd.
# See the sshd(8) manpage for more info.
SSHD_OPTS=""
# Pid file to use (needs to be absolute path).
SSHD_PIDFILE="/var/run/sshd2.pid"
# Path to the sshd binary (needs to be absolute path).
SSHD_BINARY="/usr/sbin/sshd2"

4. Add SFTP to the runlevels

rc-update add sshd2 default

5. Check permissions

Make sure that every directory on the path to each user's home is set to 0755 and owned by root:root. Otherwise you won't be able to log in. Let's say your home directory is /home/users/domains/e/example.com/t/testuser. Then each element of that path must be 0755 root:root. As a consequence, the user cannot create or remove files in the home directory itself; create a writable incoming-files subdirectory to get around this.

6. EXTRA: DenyHosts just for SFTP

emerge denyhosts

Edit /etc/denyhosts.conf and adapt the options to fit your needs. There is just one thing you must change:

BLOCK_SERVICE  = sshd2

If you choose to run denyhosts as a daemon, I suggest adding it to the default runlevel as well. And, of course, start it.

rc-update add denyhosts default
/etc/init.d/denyhosts start

That’s all, folks! :-)

Posted in howto, Linux, Software

rebuilding Cyrus indexes

You might know the situation: something happened, and afterwards you get error messages from Cyrus telling you that your databases have crashed. Your inbox then shows up empty although the filesystem does contain the correct files.

What happened?

Every Cyrus folder contains three files «cyrus.cache», «cyrus.header» and «cyrus.index». They tell the mail client how many mails the folder contains and which flags are set on each message: they are your per-folder message database. And that is exactly why Cyrus is so much faster than other MDAs: when a mail client connects, the server only consults these databases to serve the necessary information, and a message is loaded only when you actually read it.
So if these databases get corrupted, you won't see anything but a big emptiness, although you might have several million messages physically stored in the folder.

Here are some example error messages…

Jan 12 15:02:32 host cyrus/imap[23319]: DBERROR: dbenv->open '/var/imap/db' failed: Permission denied
Jan 12 15:02:32 host cyrus/imap[23319]: DBERROR: init() on berkeley
Jan 12 15:02:32 host cyrus/imap[23319]: DBERROR: reading /var/imap/db/skipstamp, assuming the worst: Permission denied
Jan 12 15:02:32 host cyrus/imap[23319]: executed
Jan 12 15:02:32 host cyrus/imap[23319]: IOERROR: opening /var/imap/mailboxes.db: Permission denied
Jan 12 15:02:32 host cyrus/imap[23319]: DBERROR: opening /var/imap/mailboxes.db: cyrusdb error
Jan 12 15:02:32 host cyrus/imap[23319]: Fatal error: can't read mailboxes file
Jan 12 16:00:21 host cyrus/imaps[31010]: DBERROR db4: PANIC: fatal region error detected; run recovery
Jan 12 16:00:21 host cyrus/imaps[31010]: DBERROR: critical database situation
Jan 12 16:04:32 host cyrus/lmtpunix[31504]: DBERROR: opening /var/imap/deliver.db: Permission denied
Jan 12 16:04:32 host cyrus/lmtpunix[31504]: DBERROR: opening /var/imap/deliver.db: cyrusdb error
Jan 12 16:04:32 host cyrus/lmtpunix[31504]: FATAL: lmtpd: unable to init duplicate delivery database

Yes, this is exactly my problem! What’s next?

We created a little script that runs through every user's mailbox and rebuilds the databases. The only problem is that after a successful rebuild every message is marked as unread. But that's a rather small problem, we think. :o)

Where can I get it from? I’m in a hurry!

We know you are. But before you download, please have a look at the readme or at least at the file itself to make sure the settings are correct. And don't forget to make a backup. We do not guarantee anything.

Download

Gentoo users can use our siczb portage overlay. Please have a look at this article to find out how to access the overlay.

Posted in howto, Linux, Mailserver, Software

Request Tracker 3.8.2 on gentoo

We finally managed to release a package for the (currently) recent version of Best Practical's Request Tracker (rt). We added it to our layman / portage overlay. See the following article for information on how to add it to your portage tree.

Additional Notes:

  • Several packages are still masked at the moment. We do not know what they will do to your system.
  • The additional dev-perl/Encode is an rt dependency which will probably overwrite some files originally owned by perl itself.
  • The USE flag “fastcgi” seems to be mandatory. In other words, rt won't compile if you don't set this flag.
  • As you might have realized by now, the whole thing is still under development, so please be very careful with your system. We do not guarantee anything.
Posted in allgemein, Linux, Software, Webserver

our own gentoo portage overlay

Gentoo has been, is and will be the distribution of our choice. As with every love, nothing is perfect, and neither is Gentoo. We were missing recent packages for Best Practical's Request Tracker. Therefore, we created our own Layman overlay. That's something we had been thinking about for a long time, and now there was a good opportunity to play around with it. Okay, here's what you should do in order to use the overlay:

  • edit your local layman overlay file (e.g. /usr/portage/local/layman/cache_65bd38402ac8431067b54904bd2ed2d1.xml)
  • add the following before the </layman> line:

<overlay
    contact="direktion@informations-compagnie.de"
    name="siczb"
    src="http://dev.informations-compagnie.de/svn/gentoo"
    status="unofficial"
    type="svn">
    <link>http://dev.informations-compagnie.de/svn/gentoo</link>
    <description>
        Additional packages by saechsische Informations-Compagnie zu Berlin
    </description>
</overlay>

  • do a simple layman -a siczb to add our repo to your portage tree

As usual, we do not guarantee anything. So don't blame us if your box suddenly starts burning.

Posted in Linux, Software

tomcat on port 80

You might know the situation: you'd like to run Tomcat on a privileged port, but the bloody thing just won't start. Of course, it's Java-specific. Usually a daemon binds its port as root and then drops privileges. Not with Java. Your possibilities are therefore somewhat cruel. Let us think about the options…

  1. Run it as root. That's ugly and not secure, but quick & dirty and it just works.
  2. Use jsvc. This forces you to mess up the funky startup script.
  3. Write a C program or use iptables. The C thing doesn't work (for me). iptables… mmmh…

Terrible, didn't I tell you? Well… there's another way:

Use the good old xinetd. The method is described here (search for xinetd); the essence is as follows.

If you want to set up Tomcat to handle port 80 requests on your system, you’ll need to add a xinetd configuration file for this purpose. Assuming xinetd is installed with the usual paths, you can do this by adding a file (as user root) to the /etc/xinetd.d directory. Listing 1 gives a sample configuration file for Tomcat.

Listing 1. xinetd redirect configuration

# Redirects any requests on port 80
# to port 8080 (where Tomcat is listening)
service tomcat
{
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
    port        = 80
    redirect    = localhost 8080
    disable     = no
}

After you've added the configuration file, you'll need to restart xinetd to actually activate the redirection. Keep in mind that xinetd proxies the connection, so Tomcat sees every request as coming from localhost; if you need the client's IP address in your logs or access rules, this approach will not give it to you.

cool, eh?

Posted in howto, Linux, Software, Webserver

creating apache vhosts with style

We decided on a reverse domain name structure that contains (besides the htdocs) all vhost-related information such as logs, stats and config.

The reverse structure is necessary to get a quick overview of the domains rather than the subdomains.

Additionally, we wanted a script that sets up the structure and creates the necessary files. When executed, the script takes the domain name and, if it starts with www, adds a permanent redirect from example.com to www.example.com as well. Moreover, we create an awstats config too. For this to work properly, you will need a preconfigured awstats configuration (/etc/awstats.model.conf).

Okay. This would be the structure for the host www.example.com:

/WEBROOT/com.example.www:

conf
htdocs
logs
stats

/WEBROOT/com.example.www/conf:

awstats.www.example.com.conf
vhost.conf

/WEBROOT/com.example.www/htdocs:

/WEBROOT/com.example.www/logs:

access
error

/WEBROOT/com.example.www/stats:

As setting this up can be somewhat boring, we created a little script which can be downloaded here.
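For readers who would rather see the idea in code than download the script, here is an added example of such a setup script; it is not the post's own script. It builds the reverse-domain tree shown above, writes a vhost.conf with the permanent redirect when the name starts with www., and derives an awstats config from the model file. WEBROOT and the AWSTATS_MODEL path are assumptions you can override in the environment.

```shell
#!/bin/sh
# Added example, not the script the post links to: build the reverse-domain tree
# shown above (www.example.com -> com.example.www) and write conf/vhost.conf. If
# the name starts with "www.", a second vhost redirects the bare domain to it
# permanently, as the post describes. WEBROOT and the awstats model file path are
# assumptions; override them in the environment.

# reverse_domain NAME: www.example.com -> com.example.www
reverse_domain() {
    echo "$1" | awk -F. '{ for (i = NF; i > 0; i--) printf "%s%s", $i, (i > 1 ? "." : "\n") }'
}

# vhost_conf NAME: prints the Apache config for NAME (paths follow the layout above)
vhost_conf() {
    name=$1; dir="${WEBROOT:-/WEBROOT}/$(reverse_domain "$name")"; bare=${name#www.}
    if [ "$bare" != "$name" ]; then        # only when NAME starts with www.
        cat <<EOF
<VirtualHost *:80>
    ServerName $bare
    Redirect permanent / http://$name/
</VirtualHost>
EOF
    fi
    cat <<EOF
<VirtualHost *:80>
    ServerName $name
    DocumentRoot $dir/htdocs
    ErrorLog $dir/logs/error
    CustomLog $dir/logs/access combined
</VirtualHost>
EOF
}

# make_vhost NAME: creates the directories, vhost.conf and (if the model exists)
# an awstats config with SiteDomain/LogFile filled in. Prints the vhost directory.
make_vhost() {
    name=$1; dir="${WEBROOT:-/WEBROOT}/$(reverse_domain "$name")"
    model=${AWSTATS_MODEL:-/etc/awstats.model.conf}
    mkdir -p "$dir/conf" "$dir/htdocs" "$dir/logs" "$dir/stats"
    vhost_conf "$name" > "$dir/conf/vhost.conf"
    if [ -r "$model" ]; then
        sed -e "s|^SiteDomain=.*|SiteDomain=\"$name\"|" \
            -e "s|^LogFile=.*|LogFile=\"$dir/logs/access\"|" \
            "$model" > "$dir/conf/awstats.$name.conf"
    fi
    echo "$dir"
}
```

Include the generated conf/vhost.conf files from your main Apache configuration (for example with an Include directive over WEBROOT) to activate them.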

Posted in howto, Webserver

recursive md5 hashing with Linux

The problem: you need an md5sum of a directory. Unfortunately, md5sum only accepts files as input.

The solution: Let’s use find! Okay. Here we go:

find DIRECTORY -type f -exec md5sum '{}' \; | md5sum - | awk '{print $1}'

Explanation:

-type f

just shows files

-exec

run the following command

'{}'

placeholder for each file that find found, handed over to the command

\;

tells -exec that the end of the command has been reached

| md5sum -

pipes the results of the first md5sum (one sum per file) into a second md5sum that reads from stdin

| awk '{print $1}'

Beautifies the output, as we just want the md5sum. Nothing more, nothing less.
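One caveat a practitioner will want with the one-liner: find lists files in on-disk order, so the same tree can yield different sums on different filesystems or after files were added. Here is an added example (not the post's command) that sorts the per-file list first so the result is reproducible, and that lets you swap in sha256sum where md5 is not enough.

```shell
#!/bin/sh
# Added example, not the post's one-liner: a directory checksum that is actually
# reproducible. find(1) lists entries in on-disk order, which differs between
# filesystems and can change after files are added, so the one-liner can give two
# different sums for identical trees. Sorting the per-file list (C locale, NUL
# separated) fixes that. Relative paths are part of the hashed text, so renamed
# or moved files change the sum too. md5 is fine for spotting accidental
# corruption; against a deliberate tamperer pass sha256sum as the second argument.

# dir_manifest DIR [HASHCMD]: one "<sum>  ./path" line per regular file, sorted.
# Keep it next to a backup and verify later with: (cd DIR && md5sum -c manifest)
dir_manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 "${2:-md5sum}" )
}

# dir_hash DIR [HASHCMD]: single checksum over the whole tree.
dir_hash() {
    dir_manifest "$1" "${2:-md5sum}" | "${2:-md5sum}" | awk '{ print $1 }'
}

# dir_unchanged DIR EXPECTED_HASH [HASHCMD]: succeeds if DIR still hashes to EXPECTED_HASH.
dir_unchanged() {
    [ "$(dir_hash "$1" "${3:-md5sum}")" = "$2" ]
}
```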

 

Posted in howto, Linux

Serverupdate

At some point the time has come: an update is due! Since we always strive to keep the software we use up to date, it is necessary from time to time to carry out some larger updates. Today, after 577 days of continuous operation of the server, that time has come again.

Of course we do our best to apply the updates as smoothly as possible, but with the number of business cases involved it can happen that one error or another goes unnoticed.

So should something not work as desired, please send us an e-mail and we will take care of it right away.

Posted in allgemein, Groupware, Webserver

O2 Memory Project

The hot phase is over now; in return, the whole thing can now be seen in its entirety. The reader is surely inclined to ask what this mysterious O2 Memory Project is about.

Well.

Life in our cities rushes past all of us without the everyday, which after all shapes the largest part of our perception, ever finding its way into the annals. The life of the city has so far not been documented. Jason Bruges has taken on this subject and created a cyclorama that documents precisely this life.

It consists of a walk-in cylinder that documents various British cities by taking eleven pictures every minute with the cameras on its outer wall and making them available both inside it and on the project website. Both the inside of the cylinder and the website have nice gimmicks. Inside the cylinder there are displays that show what the camera on the other side of the wall has seen. If you approach one of the screens, you travel into the past. If you stand still and turn around once, you see which pictures the other cameras have taken at this very moment. The website, in turn, lets you scroll through these photographed rings (cylinders!) on the one hand, and on the other offers the option of creating your own rings with a webcam, which can then be visible both on the website and via Facebook.

As usual, our task lay in the barely visible but essential part: we got to set up the servers. It is a failover system consisting of two Athlon 64 X2 5600+ machines, each equipped with 4GB of RAM and, of course, a gigabit connection. On them we installed a hardened Gentoo Linux and were finally able to optimize the performance of the web server and the database a little.

Links:

Images:

First the cylinder itself…

The cylinder

… a brief look inside…

Inside the cyclorama

… and finally the silhouette in which the cylinder «films» its surroundings

The surroundings

Posted in allgemein