Monday, August 24, 2009

Using the new sourceforge shell interface

Sourceforge has changed their shell access procedure again. This time it is a little complicated and unintuitive. You first need to create a (time-limited) shell with:

ssh -t username,projectname@shell.sourceforge.net create

Then you can copy files to your website using:

scp index.html username@web.sourceforge.net:/home/groups/p/pr/projectname/htdocs/

Sunday, August 23, 2009

HOWTO configure zabbix to send emails with postfix

Under Admin|Media Types configure the email option as:

SMTP server: localhost
SMTP helo: myinternetdomain.com
SMTP email: zabbix@myinternetdomain.com

Add a user with email media notifications. Having this setting alone didn't seem to be enough; I also had to add an Action. Its conditions were an "AND" of:

(A) Trigger severity >= "High"
(B) Trigger value = "PROBLEM"

With the recovery option ticked, this got me a PROBLEM email and a RECOVERY email for all triggers of severity "High" and above. Without the PROBLEM condition I didn't get the recovery message I specified: instead I got two PROBLEM emails with different trigger statuses (what the?). Others have run into the same issue.

Install postfix and set:

myhostname = myinternetdomain.com
inet_interfaces = 127.0.0.1

You now have a postfix listening only on localhost; you can test it with the 'sendmail' terminal command.

Trac error: Unsupported version control system "darcs"

I got this error after an OS upgrade:
Unsupported version control system "darcs": Can't find an appropriate component, maybe the corresponding plugin was not enabled?

To solve it I grabbed the latest darcs trac plugin:
darcs get http://darcs.arstecnica.it/trac-darcs
and installed it:
sudo python setup.py install

I then had to upgrade and resync each repository:
trac-admin /var/lib/trac/myrepo/ upgrade
trac-admin /var/lib/trac/myrepo/ resync

Thursday, August 20, 2009

What's wrong with Zabbix

I have been using Zabbix for monitoring for a while now, and have been really happy so far. Today I ran into some things that are really annoying:

  • You can't change the X-axis on any graph. It is always time. The time period can be adjusted using the little calendar app in the bottom left corner of the browser. I don't really like this approach. I'd like to also be able to specify time periods per screen, because what makes sense for one graph may not work for all the others.
  • You can't have a graph of one item (e.g. disk usage) across all hosts. Suck! I want to have a graph of OS versions on the y-axis and hostnames on the x-axis. Not possible!
  • net.tcp.listen[port] isn't supported on Linux(?) - you will need to use net.tcp.port[,port] instead.

HOWTO: Monitor puppet with zabbix and do agent command testing/troubleshooting

This turned out to be really easy, but not obvious with the GUI. The GUI shows the proc.num syntax as:
proc.num[ <,user> <,state>]
but the manual has the real story:
proc.num[ <,user> <,state> <,cmdline>]

So you can use the cmdline to monitor something like this:

ruby /usr/sbin/puppetd -w 0
with:
proc.num[ruby,,,"/usr/sbin/puppetd"]

To troubleshoot agent monitoring strings, use the command line on the box (quicker than clicking around in the GUI) like this:
zabbix_agent -t proc.num[ruby,,,"/usr/sbin/puppetd"]
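To make the four proc.num arguments concrete, here is an added example (my own re-implementation of the filter semantics, not Zabbix code): name and user are exact matches, state is run/sleep/zomb, and cmdline is a regular expression searched in the full command line. It runs against a constructed process table by default, and on Linux can be pointed at /proc. The bash wrapper entry in the sample is hypothetical and is there to show why the name argument matters: a cmdline match alone is not enough.

```python
import os
import re
from dataclasses import dataclass


@dataclass
class Proc:
    name: str     # executable name as the kernel reports it (comm): "ruby", not the script
    user: str
    state: str    # Zabbix state names: run, sleep, zomb
    cmdline: str  # full command line


# Constructed sample process table; the puppet agent line is the one from the post.
SAMPLE_PROCS = [
    Proc("ruby", "root", "sleep", "ruby /usr/sbin/puppetd -w 0"),
    Proc("ruby", "puppet", "sleep", "ruby /usr/sbin/puppetmasterd"),
    Proc("ruby", "dev", "run", "ruby /home/dev/script.rb"),
    # hypothetical wrapper: cmdline contains "puppetd" but the process name is bash
    Proc("bash", "root", "sleep", "bash /usr/local/bin/puppetd-wrapper.sh"),
]


def proc_num(procs, name="", user="", state="", cmdline=""):
    """Count processes matching proc.num[name,user,state,cmdline]; empty means 'any'."""
    pattern = re.compile(cmdline) if cmdline else None
    count = 0
    for p in procs:
        if name and p.name != name:
            continue
        if user and p.user != user:
            continue
        if state and state != "all" and p.state != state:
            continue
        if pattern and not pattern.search(p.cmdline):
            continue
        count += 1
    return count


def parse_key(key):
    """Split 'proc.num[ruby,,,"/usr/sbin/puppetd"]' into four arguments, dropping quotes.
    Commas inside the cmdline regex are not handled; quote-aware parsing is left out."""
    m = re.fullmatch(r"proc\.num(?:\[(.*)\])?", key.strip())
    if not m:
        raise ValueError(f"not a proc.num key: {key}")
    args = [a.strip().strip('"') for a in (m.group(1) or "").split(",")]
    args += [""] * (4 - len(args))
    return args[:4]


def proc_num_key(procs, key):
    """Evaluate a full item key such as the one tested with zabbix_agent -t above."""
    return proc_num(procs, *parse_key(key))


def read_proc():
    """Linux only: build the process table from /proc (comm, owner, state, cmdline)."""
    import pwd
    procs = []
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                raw = f.read()
            uid = os.stat(f"/proc/{pid}").st_uid
        except OSError:
            continue  # process exited or is not readable
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        state_char = stat[stat.rindex(")") + 2]
        state = {"R": "run", "S": "sleep", "D": "sleep", "Z": "zomb"}.get(state_char, "other")
        try:
            user = pwd.getpwuid(uid).pw_name
        except KeyError:
            user = str(uid)
        cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
        procs.append(Proc(comm, user, state, cmdline))
    return procs


if __name__ == "__main__":
    key = 'proc.num[ruby,,,"/usr/sbin/puppetd"]'
    table = read_proc() if os.path.isdir("/proc") else SAMPLE_PROCS
    print(key, "=", proc_num_key(table, key))
```

Against the sample table the post's key counts 1, while proc.num[,,,"puppetd"] counts 2 because the wrapper's command line also matches; that is the difference between "is the puppet agent running" and "is something with puppetd in its arguments running".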

Wednesday, August 5, 2009

Eliminating openldap '(uid) not indexed' errors

My ldap server logs were full of hundreds of these:
slapd[2921]: <= bdb_equality_candidates: (uid) not indexed

Basically one of these gets written every time an LDAP search is done on a non-indexed attribute. The fix is, like most things with LDAP, completely unintuitive.

Take a look at the current indexing being done by:

sudo /usr/sbin/slapcat -n 0 -l output.ldif

and grep for olcDbIndex (mine was only indexing objectClass by default).

Create an LDIF file (indexchanges.ldif) to change the indexing attribute:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: uid,uidNumber,gidNumber,memberUid,uniqueMember,objectClass,cn eq

And run it with:

sudo ldapmodify -f indexchanges.ldif -D cn=admin,cn=config -x -y /etc/ldap.secret

Note that, as I mentioned previously, ldapmodify fails if you are only listening on ldaps. Change SLAPD_SERVICES to include ldap:/// in '/etc/default/slapd', restart ldap, use ldapmodify, change back, restart ldap.

You then need to tell it to actually build those indexes (need to keep the index files owned by openldap user):

sudo /etc/init.d/slapd stop
sudo su -s /bin/bash -c slapindex openldap
sudo /etc/init.d/slapd start
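Rather than guessing which attributes to put in olcDbIndex, you can let the log tell you. The following is an added example (my own script, not part of OpenLDAP) that counts the "not indexed" warnings per attribute in syslog text and builds the ldapmodify LDIF from the result. The log lines are constructed to match the message quoted above; the mapping of equality/substring/presence warnings to the eq/sub/pres index types is the standard olcDbIndex vocabulary. Because 'replace' overwrites the whole index list, the indexes you already have (from the slapcat step) are passed in as 'existing'.

```python
import re
from collections import Counter, defaultdict

# Constructed syslog excerpt; the first line is the message from the post.
SAMPLE_LOG = """\
Aug  5 10:01:02 ldap1 slapd[2921]: <= bdb_equality_candidates: (uid) not indexed
Aug  5 10:01:02 ldap1 slapd[2921]: <= bdb_equality_candidates: (uid) not indexed
Aug  5 10:01:03 ldap1 slapd[2921]: <= bdb_equality_candidates: (memberUid) not indexed
Aug  5 10:01:04 ldap1 slapd[2921]: <= bdb_substring_candidates: (cn) not indexed
Aug  5 10:01:05 ldap1 slapd[2921]: conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

NOT_INDEXED = re.compile(
    r"<= bdb_(?P<kind>equality|substring|presence)_candidates: "
    r"\((?P<attr>[A-Za-z0-9;-]+)\) not indexed"
)

# slapd warning kind -> olcDbIndex index type that would satisfy it
KIND_TO_INDEX = {"equality": "eq", "substring": "sub", "presence": "pres"}


def unindexed_attributes(log_text):
    """Count 'not indexed' warnings per (attribute, index type) in syslog text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = NOT_INDEXED.search(line)
        if m:
            counts[(m.group("attr"), KIND_TO_INDEX[m.group("kind")])] += 1
    return counts


def index_ldif(counts, dn, existing=("objectClass eq",)):
    """Build the LDIF for ldapmodify. 'replace' drops every index not listed, so the
    current olcDbIndex values (grep them out of the slapcat output) go in 'existing'."""
    wanted = defaultdict(set)
    for spec in existing:
        attrs, types = spec.split()
        for attr in attrs.split(","):
            wanted[attr].update(types.split(","))
    for attr, itype in counts:
        wanted[attr].add(itype)
    lines = [f"dn: {dn}", "changetype: modify", "replace: olcDbIndex"]
    for attr in sorted(wanted, key=str.lower):
        lines.append(f"olcDbIndex: {attr} {','.join(sorted(wanted[attr]))}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    counts = unindexed_attributes(text)
    for (attr, itype), n in counts.most_common():
        print(f"{n:6d}  {attr} ({itype})")
    print()
    print(index_ldif(counts, "olcDatabase={1}hdb,cn=config"), end="")
```

Run it as `python index_report.py /var/log/syslog`, feed the printed LDIF to ldapmodify as above, and remember that the new entries do nothing until slapindex has been run with slapd stopped.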

MythTV and Lirc, adding pause to mplayer

I needed to add a keybinding for pausing video playback when MythTV uses mplayer, and thought I might as well record how it worked here. The global lirc config (/etc/lircd.conf) points to your remote, in my case:

include /usr/share/lirc/remotes/dvico/lircd.conf.fusionHDTV

You then configure the appropriate buttons in
/home/mymythuser/.mythtv/lircrc
The pause button is as below. Most of the entries in this file will be for 'prog=mythtv' rather than mplayer:

begin
remote = DVICO_DUAL
prog = mplayer
button = playpause
config = p
repeat = 0
delay = 0
end

Tuesday, August 4, 2009

HOWTO delete a moinmoin wiki user

The MoinMoin instructions for how to delete a user, while correct, suck. First find your wiki settings file (mine is in /etc/moin/mywiki.py). In that file find your 'data_dir', mine was pointing to '/var/local/somewiki_wiki'. The user files sit in '/var/local/somewiki_wiki/user', one for each user. Grep that directory for the name you are looking for.

Delete the appropriate user file, and also delete the cached username mapping file in ../cache/mywiki/user/name2id (this will be regenerated by django). Restart Apache.

iptables the Ubuntu way

First, get your rules right on the command line; some examples:
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT 
iptables -A INPUT -i eth+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
iptables -A INPUT -i eth+ -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Then save to a file:
iptables-save >/etc/iptables.rules

Then in your /etc/network/interfaces file in the block for your interface:
pre-up iptables-restore < /etc/iptables.rules
If you are using network manager, you might want to put a script in dispatcher.d instead of using network/interfaces.

Another alternative is installing the iptables-persistent package, which installs a service that runs iptables-save and iptables-restore against rules in these files (for IPv4 and IPv6):
/etc/iptables/rules.v4
/etc/iptables/rules.v6
You can do iptables-save to create those files, or just get the rules the way you want then let the package do it for you:
sudo dpkg-reconfigure iptables-persistent
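The dangerous moment in this setup is the first reboot: whatever is in /etc/iptables.rules gets restored before you can log in, so a saved file that forgot the ssh rule with a DROP policy locks you out. Here is an added example (my own script, not part of iptables or Ubuntu) that parses the iptables-save format and checks the saved file for the properties the rule set above has: DROP policies on INPUT and FORWARD, loopback accepted, RELATED/ESTABLISHED accepted, and an ACCEPT for the admin port whenever the policy is DROP. The three rule files are constructed samples.

```python
import shlex

# Constructed iptables-save output mirroring the rules above.
GOOD_RULES = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""

# Same file with the ssh rule left out: restoring this at boot locks out remote logins.
LOCKOUT_RULES = GOOD_RULES.replace("-A INPUT -i eth+ -p tcp -m tcp --dport 22 -j ACCEPT\n", "")

# Wide-open defaults, as after `iptables -F` with ACCEPT policies.
OPEN_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """Parse iptables-save text into {table: {"policy": {chain: policy}, "rules": [(chain, tokens)]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]   # ":INPUT DROP [0:0]"
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A ") or line.startswith("--append "):
            tokens = shlex.split(line)
            tables[table]["rules"].append((tokens[1], tokens[2:]))
    return tables


def opt(tokens, *flags):
    """Value following the first of the given option flags in a rule, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in flags:
            return tokens[i + 1]
    return None


def lint(text, admin_port="22"):
    """Return a list of findings (empty means the file has the expected shape)."""
    f = parse_rules(text).get("filter")
    if f is None:
        return ["no *filter table found"]
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if f["policy"].get(chain) != "DROP":
            findings.append(f"{chain} policy is {f['policy'].get(chain)}, expected DROP")
    accepts = [r for chain, r in f["rules"]
               if chain == "INPUT" and opt(r, "-j", "--jump") == "ACCEPT"]
    if not any(opt(r, "-i", "--in-interface") == "lo" for r in accepts):
        findings.append("INPUT has no rule accepting loopback traffic")
    if not any("ESTABLISHED" in (opt(r, "--ctstate", "--state") or "") for r in accepts):
        findings.append("INPUT has no rule accepting RELATED/ESTABLISHED connections")
    if f["policy"].get("INPUT") == "DROP" and not any(
            opt(r, "-p", "--protocol") == "tcp"
            and opt(r, "--dport", "--destination-port") == admin_port
            for r in accepts):
        findings.append(f"INPUT policy is DROP but nothing accepts tcp/{admin_port}: "
                        "restoring this at boot locks out remote ssh")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_RULES
    problems = lint(text)
    print("\n".join(problems) if problems else "OK")
    sys.exit(1 if problems else 0)
```

Run `python lint_rules.py /etc/iptables.rules` (or against /etc/iptables/rules.v4 if you went the iptables-persistent route) after every iptables-save and before rebooting; the non-zero exit makes it usable as a guard in a deploy script.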

Sunday, August 2, 2009

mdd for windows memory dumps

I have used 'dd.exe' from the Forensic Acquisition Utilities toolkit for Windows memory dumps in the past. The website now appears to be down, so I tried out mdd, an open source project. Worked a treat.

And more malware - lsass.exe

Turns out the previous post wasn't the last of it. An AV message popped up alerting me to a buffer overflow on the heap triggered by C:\windows\cursors\lsass.exe (what is a regular user supposed to do about that?). There may have been some level of rootkitting, because I couldn't see the file on the command line or with Windows Explorer; booting a Linux live CD fixed that problem. This is a location that has been associated with sasser, and this *may* have been a variant, but not a single AV picked it up at VirusTotal. It was using this key to persist:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\Cursors\\lsass.exe"

Sent to McAfee again, and a different Bangalore monkey produced another signature! Win.
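The Winlogon Shell value is easy to check for yourself: on a clean machine it is exactly "explorer.exe", so anything else appended to it is worth a look. This is an added example (my own script, not from any AV vendor) that parses a .reg export of the Winlogon keys and flags Shell values that launch anything besides explorer.exe. The sample export is constructed, with the HKLM value copied from the persistence entry above and a clean HKCU key beside it; to check a live box, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` and pass the file in.

```python
import re

# Constructed .reg export. Strings in .reg files escape backslashes as \\ and quotes as \".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\Cursors\\lsass.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')   # only REG_SZ values are of interest here


def parse_reg(text):
    """Return {key_path: {value_name: string_value}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            value = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1)] = value
    return keys


def winlogon_shell_findings(reg_text):
    """Flag Winlogon 'Shell' values that start anything other than explorer.exe.
    Shell is a comma-separated program list, so it is split on commas and whitespace;
    a path containing spaces would be reported in pieces but is still flagged."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if not key.lower().endswith("\\winlogon") or "Shell" not in values:
            continue
        shell = values["Shell"]
        entries = [e for e in re.split(r"[,\s]+", shell.strip()) if e]
        extra = [e for e in entries if e.lower() != "explorer.exe"]
        if extra or not entries:
            findings.append({"key": key, "shell": shell, "extra": extra})
    return findings


def load_reg_file(path):
    """reg export writes UTF-16 with a BOM; older exports are in the ANSI code page."""
    with open(path, "rb") as f:
        data = f.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")


if __name__ == "__main__":
    import sys
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for hit in winlogon_shell_findings(text):
        print(f"{hit['key']}\n  Shell = {hit['shell']!r}\n  extra: {hit['extra']}")
```

On the sample it reports the HKLM key with C:\WINDOWS\Cursors\lsass.exe as the extra program and says nothing about the clean HKCU key. Note that a rootkit that hides the file can also hide the registry value from a live export, which is the same reason the live CD was needed above: a check like this is only as trustworthy as the system it runs on.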