Category Archives: Computers

Linux Server management tools

I have started exploring options to manage 15-20 Linux servers running CentOS 6.  This is the list of what I’ve found.  I’d love to get some opinions, pros vs cons, evaluation procedure recommendations, etc.

Environment: 15-20 CentOS 6 (well, two 5.8 that will be going away soon) and one Oracle Linux server. Most are VMware VMs but a couple are on Hyper-V and one is a physical box.  These run a variety of applications on Apache, some on Tomcat, a few MySQL servers, and an Oracle server.

I don’t deploy new machines very often, and given my current setup they are manually installed and configured via an internal checklist.  I’d like to find a better way to manage patching, users, and configurations that can do group dependent deployment (like production vs test, web vs mysql, etc) instead of ClusterSSH which is my current “bulk management” tool.

(Not really a deployment/management tool, more a local repo management tool.)

Any relevant comments would be appreciated.

phpns and silentium uploader – two great scripts that go great together

phpns a while back, and it’s been used effectively on one of the sites I designed. However, it’s missing one feature that would make it so much more useful for me: an upload facility. I started hunting around for a decent, simple file upload script that could be incorporated into phpns, and found Silentium Uploader from After spending a couple of hours playing with it, I now have hacked Silentium into phpns. Like peanut butter and chocolate…they go great together! The download is available here: I’ve also submitted it to the phpns developers if they want to incorporate it into their next version (if there is one…)

Linux traffic shaping in Fedora Core 4

CBQ.init to do some limiting of outbound SMTP traffic. You see, I run a mailing list that has multiple large attachments that are resent to 50+ subscribers, and trying to send that out effectively kills my DSL line. When I set up the new server, I set up CBQ.init 0.7.3 using the same configuration as on the old (Fedora Core 1) machine. Today, I found out that my limiting was not working…seems that there is an error in the CBQ.init script that prevented it from running correctly. The error manifests as follows:
[root@server rc.d]# ./cbq.init compile
find: warning: you have specified the -maxdepth option after a non-option argument (, but options are not positional (-maxdepth affects tests specified before it as well as those specified after it). Please specify options before other arguments.
find: warning: you have specified the -maxdepth option after a non-option argument (, but options are not positional (-maxdepth affects tests specified before it as well as those specified after it). Please specify options before other arguments.
The error is actually a mistake in the find command syntax of two lines in the script. Here is the corrected script (those are line numbers in front).
577 ### Get a list of configured classes
578 CLASSLIST=`find $1 -maxdepth 1 \( -type f -or -type l \) -name 'cbq-*' \
579 -not -name '*~' -printf "%f\n"| sort`
580 [ -z "$CLASSLIST" ] &&
581 cbq_failure "no configuration files found in $1!"
583 ### Gather all DEVICE fields from $1/cbq-*
584 DEVFIELDS=`find $1 -maxdepth 1 \( -type f -or -type l \) -name 'cbq-*' \
585 -not -name '*~'| xargs sed -n 's/#.*//; \
586 s/[[:space:]]//g; /^DEVICE=[^,]*,[^,]*\(,[^,]*\)\?/ \
587 { s/.*=//; p; }'| sort -u`
The change is the location of the -maxdepth 1 argument: it must be immediately after the last path in the statement, and before any other options. The original looked like this:
### Get a list of configured classes
CLASSLIST=`find $1 \( -type f -or -type l \) -name 'cbq-*' \
-not -name '*~' -maxdepth 1 -printf "%f\n"| sort`
[ -z "$CLASSLIST" ] &&
cbq_failure "no configuration files found in $1!"

### Gather all DEVICE fields from $1/cbq-*
DEVFIELDS=`find $1 \( -type f -or -type l \) -name 'cbq-*' \
-not -name '*~' -maxdepth 1| xargs sed -n 's/#.*//; \
s/[[:space:]]//g; /^DEVICE=[^,]*,[^,]*\(,[^,]*\)\?/ \
{ s/.*=//; p; }'| sort -u`
After making this change, the script works as expected! I’m posting this on the off-chance that someone else might be having the same issue I did, and this will help them, too. Oh, and if anyone is interested, here is my script to limit SMTP outbound traffic on my 3Mbit/768Kbit DSL line. It’s called cbq-0256.SMTP-out:
Good luck!
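The -maxdepth placement described above, as an added example that is not part of CBQ.init or the original post: two functions that do the same class listing and DEVICE collection against a constructed config directory, showing that backups and files one level down stay out of the result. It is written portably (-o and ! in place of -or and -not, sed in place of -printf, -exec in place of xargs); all file names and DEVICE values are constructed.

```shell
#!/bin/sh
# Added example, not part of cbq.init. File names and DEVICE values are constructed.

# Names of top-level cbq-* files/symlinks in DIR, editor backups excluded.
# -maxdepth 1 comes right after the path, before any test.
list_classes() {
    find "$1" -maxdepth 1 \( -type f -o -type l \) -name 'cbq-*' \
        ! -name '*~' | sed 's|.*/||' | sort
}

# Unique DEVICE= values from the same set of files (comments and
# whitespace are stripped first, as the script's sed expression does).
device_fields() {
    find "$1" -maxdepth 1 \( -type f -o -type l \) -name 'cbq-*' \
        ! -name '*~' -exec sed -n 's/#.*//; s/[[:space:]]//g
            /^DEVICE=[^,]*,[^,]*/ { s/.*=//; p; }' {} + | sort -u
}

# Constructed config directory: two live classes, a symlink to one of
# them, a backup file and a stale copy one level down. Prints its path.
make_fixture() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/old"
    printf 'DEVICE=eth0,10Mbit,1Mbit  # outbound\nPRIO=5\n' > "$dir/cbq-0256.SMTP-out"
    printf 'DEVICE=eth1,100Mbit,10Mbit\n' > "$dir/cbq-0002.lan"
    ln -s cbq-0256.SMTP-out "$dir/cbq-0100.link"
    printf 'DEVICE=eth9,1Mbit,1Mbit\n' > "$dir/cbq-0256.SMTP-out~"
    printf 'DEVICE=eth8,1Mbit,1Mbit\n' > "$dir/old/cbq-0001.stale"
    printf '%s\n' "$dir"
}

# Stand-alone run: build the fixture, print both lists, clean up.
demo_dir=$(make_fixture)
list_classes "$demo_dir"
device_fields "$demo_dir"
rm -rf "$demo_dir"
```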

Abandoned? No, just ignored….

blown caps issue). I was unable to keep much of the filtering running because of the RAM requirements, and thus was making do with only Postfix’s RBL checks and Policyd greylisting service. Now it’s all running, and I’m much happier with the systems…. Final note, I’m now also an admin/developer for PluggedOut Blog, the blog script that runs this site. If you’re looking for an easily customizable, flexible, feature-rich blog script in PHP, check it out!

Who is really responsible?

filed a lawsuit against the MySpace social networking website. According to this article from The Register: “Myspace didn’t act quickly enough to protect users who are minors from adult predators. The plaintiffs say their daughters were solicited and abused by adults using the site.” [rant mode on]
At what point did parents stop being responsible for the care of their children, and children stop being responsible for their own actions? When did MySpace (or Facebook, or Yahoo, or any other website) take over that role in the raising of a child? I’ve talked with parents, and I’m going to be one in a few months. Parents must take an active role in their child’s development, including monitoring what they do on the computer, or who their friends are. This includes knowing the parents of their friends and how those parents raise their own children.
[rant mode off] In the Houston case, I seem to recall that the mother had blocked internet access on their home computer, or they didn’t have a computer. So, the daughter used her cell phone’s browser to go to MySpace, or a computer at a friend’s house. This goes back to being involved, both with the child and the parents of the child’s friends. MySpace cannot be responsible because someone using their free, unmonitored service lied about their age or lured an irresponsible teenager into a compromised situation. Consider MySpace and the other sites as “common carriers”: just like the phone company is not responsible for someone using the telephone to plan a robbery, or Cingular would not be responsible for someone using a cell phone to trigger a bomb, MySpace and other social networking sites cannot be victimized by someone who is willing to lie to get somewhere. If MySpace implements the new rules they are discussing, it’s simply going to generate hundreds of additional profiles; more people who will lie that they are either over age or under age to meet the people they are targeting. Short of turning into a pay service, and alienating their current major userbase (most of whom probably don’t have credit cards or paypal accounts), I don’t see any changes that will substantially alter the current situation. I really hope that the courts decide to throw out this case, with prejudice, and make those filing the lawsuit pay their own legal fees. Along with a stern lecture about parenting. Maybe that will make people think twice in this “I don’t like you I’m going to sue” society.

lessons in system configuration

I started setting up the box last week with custom-compiled versions of Postfix, Dovecot IMAP server and several other packages. Now I’m starting to configure things to closely match the existing mail server, including Samba. This makes some administrative tasks a bit easier, like updating some web pages (this basically only hosts SquirrelMail and PostfixAdmin). There’s not much web service to do, but Samba makes it easier to move logfiles to the Windows box and copy new files over without having to run FTP or wget all the time. The problems started after I copied the smb.conf file (Samba config) from the existing server to the new box. I tweaked it, fixed some server-specific settings, and set it off. First, it wouldn’t even see itself as an SMB server. Found and fixed that. Then, it appeared to be fighting with my WINS server (another Linux box) to be the master browser. Fixed that setting too. Finally was able to resolve itself by name and local IP. Now to get it to see the rest of the network (and the rest of the network to see it, as well). OK…started through the diagnostics document from Samba. Step 1…good. Step 2…good. Step 3…er…step 3….errors. Troubleshooting was going nowhere. 45 minutes later, had a thought…firewall? Iptables was running, since this box faces both the internet and my local LAN on different NICs. Turned off iptables and gee…it works! Start tweaking around with firewall rules. Seems the syntax has changed slightly between the Fedora Core 1 and Fedora Core 4 versions, so the rules from the old box don’t quite work on the new one. Found the system-config-firewall-tui utility, and set up custom rules for the right ports, and restarted both iptables then samba. Gee whiz, it works now! I can see it from the other computers, and it finds the rest of the network too! Well, that was a good waste of several hours that I’ll never get back. I guess the next step is to set up Postfix, policyd, amavisd and the new MailZu web interface for amavis.
Oh, and pray that Dovecot 1.0 final will make it out in the next two weeks before I’m ready to bring the new monster live….

More Good Reasons to Stay AWAY from Windows Vista

This article by Peter Gutmann talks a lot about the DRM risks and limitations in Windows Vista (especially if you have SPDIF or component video), but several items mentioned are important to malware fighters as well, especially regarding future reverse-engineering issues. Executive Summary:

Windows Vista includes an extensive reworking of core OS elements in order to provide content protection for so-called “premium content”, typically HD data from Blu-Ray and HD-DVD sources. Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it’s not used directly with Vista (for example hardware in a Macintosh computer or on a Linux server). This document analyses the cost involved in Vista’s content protection, and the collateral damage that this incurs throughout the computer industry.


Firefox 2 Tweaks

about:config:
browser.tabs.closeButtons = 3
browser.tabs.tabMinWidth = 10

Install Tabbrowser Preferences: tabbrowser_preferences-

Edit userChrome.css (in user profile directory):
/* Disable "List all Tabs" Button */
.tabs-alltabs-button {
display: none !important;
}
/* Disable Container box for "List all Tabs" Button */
.tabs-alltabs-box {
display: none !important;
}
/* remove new tab button */
.tabs-newbutton { display: none; }

Edit: one more tweak for download dialogs
Edit the file %programfiles%\Mozilla Firefox\components\nsHelperAppDlg.js
Find the line
// hide featured choice
edit the line below that:
this.mDialog.document.getElementById("normalBox").collapsed = true;
change “true” to “false”

ISP (dis)Services

OpLink in the last year and a half. Unfortunately, we will be moving soon (end of lease, and some problems with our house) and several of the houses we are looking at are in areas not covered by Oplink.

Right now, we live just between Houston and Katy, Texas, in the no-man’s-land of Harris County. However, we do get some “benefits” of Houston, since SBC (or “the new AT&T”) provides our phone service. Oplink runs over the SBC phone system to provide DSL service.

Unfortunately, SBC doesn’t provide phone service into the heart of Katy. That luxury is provided by Consolidated Communications. Which means my only choice for DSL service appears to be Consolidated Communications.

This wouldn’t be so bad, except… To get the same level of service that I have with Oplink, it would cost over $80 more per month. That is, I pay $65 a month right now for 1.5 Mbit/384 kbit plus a block of 6 static IP addresses. I am allowed to run servers (which is where this site, and several others, as well as email, are hosted). I have virtually unlimited bandwidth (which is nice when there are several thousands of people trying to download a malware fix file).

Consolidated requires a business account to host servers, at a cost of $59 a month, plus $20 a month for static IP addresses (I currently use three). And that only guarantees me 1 Mbit/384 kbit rates. So, for $110 a month, I can get less features than I currently have, with less customer service (I’ve had to deal with Consolidated’s attempt at customer service for some clients). I don’t even know if they have bandwidth caps; haven’t checked on that yet.

So, what about cable modem service? Well, since the only option for that seems to be RoadRunner (thanks, Time Warner….) I checked into their pricing and features. To get a single static IP address, I again have to have “business class service”, and it would cost me at least $129 a month. For a block of 5 addresses, it’s nearly $200 a month! Therefore, that becomes a non-option.

I just talked to Earthlink, who offers cable modem service in that area as well. Unfortunately, they don’t even have an OPTION for static IP addresses.

So, it looks like I’m stuck. I know, I’ve got at least a month before this becomes a real issue, and we may find a different property that we like that falls into the SBC service area. Until then, I’ll keep searching….

Back from the Storm

For those interested in the details, it’s a Biostar IDEQ 210V, an AMD Sempron 2400+ with 512MB of PC3200 DDR RAM. I recycled the CD and FD and second NIC from the old system, and using the same hard drive recovery took only minutes with the kudzu utility working quite well to reconfigure the hardware. The biggest problem was getting the net cables plugged into the right NICs (I had them backwards at first).

The old system was a Shuttle SV25, with an FV25 motherboard (the one with the bad caps). This is a known and notorious problem…as a friend of mine once said, he hopes that someone has paid dearly for the capacitor problems in the last few years…..