Zenovation's Blog » Web Server

Valid flash in XHTML (killing )

Michael — Mon, 08 Sep 2008 21:02:05 +0000

I wanted to validate my xhtml code for the new site design, and ran into the following fun errors from w3c:
Line 25, Column 15: there is no attribute "src". Line 26, Column 18: there is no attribute "wmode". Line 27, Column 17: there is no attribute "type". Line 28, Column 18: there is no attribute "width". Line 28, Column 31: there is no attribute "height". Line 28, Column 38: element "embed" undefined.

Which was caused by this tag, my Digsby chat widget:

^?View Code HTML

A little research and an article from A List Apart later, I’ve found valid input for including flash in Transitional XHTML:

^?View Code HTML

Dropping multiple tables in mysql (drop tables with wildcard)

Michael — Wed, 06 Aug 2008 17:02:03 +0000

I wanted to drop all mysql tables from a db that had a certain prefix, such as xx_.

Well this turned out to be an adventure…

The First Attempt

The first solution I found was to use sed/grep sort of logic:

^?View Code BASH

#mysqlshow -u username -p dbname xx\\_% |sed 's/[|+-]//g'|sed 's/[ ]*$/,/'>droptables.sql

(xx\\_% is how you tell it to show tables starting with xx_)

This produced a semi-useful list. But I had to manually edit out the extra commas and line feeds to get a pure list, then add “DROP TABLE ” to the beginning of the list. Then feed this into mysql as follows:

^?View Code BASH

#mysql -u username -p dbname < droptables.sql

I wasn’t real happy with that answer, naturally, so I researched more…

A Better Solution

I came across an alternative in this command:

^?View Code BASH

mysqldump -u username -p --add-drop-table --no-data dbname | grep "^DROP.*\`xx_" | mysql -u username -p dbname

(replace xx_ with the prefix you want to remove, to do all tables, try just “grep ^DROP”

You can test it first by cutting off the last “| mysql…” bit and see the output, which is useful for debugging, before you go blowing away your tables.

Starting services automatically in CentOS

Michael — Mon, 04 Aug 2008 03:24:03 +0000

Had a service in CentOS 4 server that went down every time the box rebooted. Got tired of starting it manually so I had to go find the command to start it automagically.

Surprisingly, it has nothing to do with “service”, which is how you start/stop it manually. It has the very unintuitive command “chkconfig” to make it start on boot. What a choice: chckconfig!

Oh well, here it is:

^?View Code BASH

chkconfig --add httpd
chkconfig httpd on

Checking out Virtualmin Pro on Ubuntu

Michael — Thu, 22 Nov 2007 16:14:56 +0000

I’m setting up a new hosting server for several clients. I purchased a download of Virtualmin Pro and checked it out as a total management solution. Although it supports Ubuntu Edgy (6.06.1), it does not support 7.1.

So I did what any good programmer would do… I tried it anyways. It failed. So I fixed the bug and tried it again. That one failed. So I went to the forums and got another suggestion and tried that one. It failed, burned down, fell over and sank into the swamp. So Installed 6.06.1 and the FOURTH ONE STAYED.

So don’t try virtualmin with 7.1, unless you’re glutton for punishment too…

Securing an SSH Server

Michael — Mon, 19 Nov 2007 22:24:23 +0000

I set up a new OpenSSH server on Ubuntu and had to remember how to lock down the settings again. Here is a quick guide to securing SSH against attacks.

Set up an RSA key to use instead of a password
This is an encrypted file which is used to replace your password, providing significant login security (there’s no way someone will guess one of these in the next 10,000 years).

This step assumes you are logged into the server where you will be ssh’ing to. To do this from the client, you create the keygen file as normal, but you then have to upload the id_rsa to your web server’s ~/.ssh/known_hosts (instead of copying it locally as shown below).

Here is the procedure for generating the keyfiles:

^?View Code BASH

#generate the public/private key pair
#leave the passphrase blank (or you'll have to type it constantly)
kato@zephyr:~/$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kato/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kato/.ssh/id_rsa.
Your public key has been saved in /home/kato/.ssh/id_rsa.pub.
The key fingerprint is:
0d:a6:cd:1c:53:ab:b2:1b:b5:7e:ce:15:96:35:97:f9 kato@zephyr
kato@zephyr:~/.ssh$ cd /home/kato/.ssh
kato@zephyr:~/.ssh$ ls -l
-rw------- 1 kato kato 1675 2007-11-19 16:56 id_rsa
-rw-r--r-- 1 kato kato  393 2007-11-19 16:56 id_rsa.pub
#your server might show identity and identity.pub... that's fine, use those in place of id_rsa
$ cat id_rsa.pub &amp;gt;&amp;gt; authorized_keys
$ chmod 644 authorized_keys
kato@zephyr:~/.ssh$ ls -l
-rw-r--r-- 1 kato kato  214 2007-11-19 16:04 authorized_keys
-rw------- 1 kato kato 1675 2007-11-19 16:56 id_rsa
-rw-r--r-- 1 kato kato  393 2007-11-19 16:56 id_rsa.pub
#some older servers will require you to use authorized_keys2 for ssh2 clients!

Now download the private file (the one without .pub on the end) to your client. You will want to configure your client to load this keyfile automatically. This is easy enough with putty, for other clients, check out pageant (which can intercept password requests and supply the key).
[img]putty_keyfile.jpg:Loading ssh key into putty…[img]

First decide if you will be using SSH1 or SSH2 (or both). Most likely you’ll want to stick with SSH1 (until OpenSSH is installed at PPPL, or until SSH2 is installed, etc).
Generate public/private keypair for SSH1: [b]ssh-keygen[/b]. This will generate [b]~/.ssh/identity[/b] and [b]~/.ssh/identity.pub[/b].
Do this on each machine you want to access (to/from) using ssh (only need to do this once on the PPPL unix cluster)
Take all of the identity.pub files (which contain a public key on one line) and create an [b]~/.ssh/authorized_keys[/b] file by placing the contents of each separate identity.pub file on a single line of the [b]~/.ssh/authorized_keys[/b] file (then place on all sshable hosts).
For SSH2, use [b]ssh-keygen -t {rsa,dsa}[/b] (you choose between rsa keys or dsa keys, currently I use DSA), which will generate [b]~/.ssh/id_{dsa,rsa}[/b] and [b]~/.ssh/id_{dsa,rsa}.pub[/b].
Follow instructions for SSH1 keys, but instead generate a [b]~/.ssh/authorized_keys2[/b] file using the id_{dsa,rsa}.pub files.

Specify who can log in with ssh
From the cli, type:

^?View Code BASH

groupadd sshaccess

Then add your login account:

^?View Code BASH

usermod -a -G sshaccess kato

Configure SSH
On Ubuntu and Gentoo, open [b]/etc/ssh/sshd_config[/b]. Now we will tweak several properties:

Changing the Port will shut off 98% of the attacks on your ssh server. As long as you have the skills to get through the firewall, this is your best defense. To pick a port number which won’t conflict with any other apps, check out this comprehensive list of ports. I used port 27.
Turn off PermitRootLogin
Enable PubKeyAuthentication
Do not PermitEmptyPassword
Restrict users who can log in with AllowGroups
Enable logging with SysLogFacility and LogLevel

Here is what my finished script looks like:

^?View Code PROPS

# What ports, IPs and protocols we listen for
@@Port 27
 
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
 
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
 
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
 
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
 
# Logging
SyslogFacility AUTH
LogLevel INFO
 
# Authentication:
LoginGraceTime 120
@@PermitRootLogin no
StrictModes yes
 
#RSAAuthentication yes
@@PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys
 
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
@@RhostsRSAAuthentication no
# similar for protocol version 2
@@HostbasedAuthentication no
 
# To enable empty passwords, change to yes (NOT RECOMMENDED)
@@PermitEmptyPasswords no
 
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
 
# Change to no to disable tunnelled clear text passwords
@@PasswordAuthentication no
 
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
 
# Allow client to pass locale environment variables
AcceptEnv LANG LC_
@@AllowGroups termgroup
 
Subsystem sftp /usr/lib/openssh/sftp-server
 
UsePAM yes

References
Creating RSA and DSA keys for SSH
SSH User dentities
Creating SSH Key Pairs

Configure Ubuntu Server with Static IP Address

Michael — Mon, 19 Nov 2007 21:35:48 +0000

I wanted to set up an Ubuntu server at home, but the install CD automagically sets it up using dhcp. Tsk, tsk; who wants a web server with a dynamic ip address, after all? Here is how to get it running with a static ip…

Edit /etc/network/interfaces

Adjust as needed… here is a sample config for a linksys/d-link home network:

^?View Code PROPS

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
 
# The loopback network interface
auto lo
iface lo inet loopback
 
# This is a list of hotpluggable network interfaces.
# They will be activated automatically by the hotplug subsystem.
mapping hotplug
script grep
map eth0
 
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1