Using proc to force a reboot

So we just had this little discussion on IRC and I figured I'd save it for posterity here:

[11:37:36]  to force a 'hard' reboot (if reboot is not working) - equivalent to pulling the power cable:
[11:37:44]  echo 1 > /proc/sys/kernel/sysrq; echo b > /proc/sysrq-trigger
[11:40:45]  come on dom, you know you want to try it.
[11:41:21]  heh
[11:42:29]  what's this do?  what's this do?  what's it do???
[11:43:13]  you tell us
[11:47:09]  yeah, that's awesome
[11:47:24]  it just tells BIOS to reboot
[11:47:35]  (or something like that anyhow)
[11:47:58]  so, immediate reboot in other words?
[11:47:58]  system just goes *blip* and starts posting

So there you go. Want to reboot without waiting for all those nasty processes to finish or phyiscally pressing the power button? That's your way out.

Thanks, toddz :D

- Arch

Apache and LDAP users

Requisites:

Apache 2.2
mod_authnz_ldap (and enabled with a2enmod authnz_ldap under Debian+Ubuntu)

In your httpd.conf or your htaccess file, add the following:

    # Access control for this directory
    AuthBasicProvider ldap
    AuthType Basic
    AuthName "Password Required"

    AuthLDAPURL "ldap://localhost:389/OU=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE

    AuthLDAPBindDN readonly@example.com
    AuthLDAPBindPassword plaintextpassword

    Require ldap-group CN=somegroup,OU=someou,OU=Groups,DC=example,DC=com

This example is for connecting to an MS Active Directory server. For an OpenLDAP server, you may find that you don't need the BindDN/Pass options and you need uid instead of sAMAccountName (or possibly just "ldap://localhost/DC=domain,DC=tld").

If you look at other sites online, you'll find that a lot of users say they have to fiddle the config to get it working. Some of the common things I saw were:

1. Setting "AuthzLDAPAuthoritative off"


2. Specifying at least one container under the base DN (as in my example)


3. Tweaking the GroupAttribute and GroupIsDN options


4. Using a DN for the AuthLDAPBindDN (UPN used in my example)


5. Enabling SSL or TLS


6. Multiple domain controllers (simply specify them separated by spaces in your URL)


7. Filters with "Require ldap-filter"

... As you can see there can be a lot of tweaking for specific sites. But all-in-all, the basic configuration is quite simple. If your LDAP server allows anonymous searches, you really only need the AuthLDAPURL line and it can be as simple as "ldap://localhost/DC=example,DC=com".

- Arch

Google Apps

One of the cool services that Google offers is the hosting of various services for your domain. Basically, you can brand Google with your own domain including mail, calendar, chat, docs, sites and "mobile" (I haven't used "mobile", but it includes sync services). The service is called Google Apps.

The "standard edition" is pretty much the standard services and limits you to 50 user accounts. And 50 people is quite a few for a personal domain or even a small business. Once you need more features or more accounts, its $50 / year per account. Which, truth be told, is pretty cheap since even just paying for anti-spam/anti-virus filtering is about $30 / year for pretty basic service from Symantec of whomever.

At any rate, I found it a bit confusing at first but mostly because I was setting this up in a sub-domain (dl.thenibble.org) on GoDaddy. But once I got in, it's pretty easy. You get this dashboard which shows you which services are activated and you can just click on whichever ones you want and if DNS changes are required, it will tell you and give you pretty specific instructions. But there's a lot. You have to do one just to activate the domain, add aliases for all your services (unless you want to use google.com/apps/mydomain or whatever), and then for email, there's 5 MX records and for chat there's about 10 SRV records.

But now that it's all setup, it's pretty fancy. You can create email groups, use docs, publish calendars, etc. I tried poking around a bit and really all that Google does for stuff like "sites" when you create an alias under your domain is it just redirects the user to sites.google.com/domain/whatever ... So it won't be a replacement for having a web host. But for email, it will just accept mail at your domain so it's a full email service.

And standard edition is free. Did I mention that? Yeah, it's ad-supported, but otherwise free.

Fun!
- Arch

Hardening a RHEL5 Box and the NSA

Hardening a server takes two general activities: Reducing the number of services that can be attacked and protecting any services that are still required.

There are a lot of discussions on how to do this for various operating systems including RedHat Linux. RedHat's Deployement Guide is a good resource.

The NSA also has documents on securing your operating system. However, they're a little hard to get. I tried searching for RHEL5 on their site and had some difficulty access the documents in the search results:



Now it's a little hard to access the documents on the NSA's E drive, but I was able to eventually find them by getting in another way ;) ;) ... Okay, I didn't breakin to the NSA to get on their E drive, I found the page that actually good links: NSA/CSS Operating Systems.

There's a longer document (about 170 pages) and also a short reference (2 pages) which gives lots of good things to secure.

There are a lot of other good resources Online as well, so I won't ramble further. Just turn off anything you don't need, update what you do need frequently, and secure your system with a firewall, and other security tools (PortSentry, fail2ban, DenyHosts, anti-virus software, rootkit detection, etc, etc, etc).

- Arch

Virtual Host Debugging

I just came across this obscure feature of apache2ctl / httpd:

# apache2ctl -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  webmail.nibble.bz (/etc/apache2/sites-enabled/webmail.nibble.bz:3)
*:80                   is a NameVirtualHost
         default server alia.dl.nibble.bz (/etc/apache2/sites-enabled/000-default:2)
         port 80 namevhost alia.dl.nibble.bz (/etc/apache2/sites-enabled/000-default:2)
         port 80 namevhost blog.nibble.bz (/etc/apache2/sites-enabled/blog.nibble.bz:3)
         port 80 namevhost www.nibble.bz (/etc/apache2/sites-enabled/blog.nibble.bz:17)
         port 80 namevhost forums.thenibble.org (/etc/apache2/sites-enabled/forums.thenibble.org:2)
         port 80 namevhost lists.thenibble.org (/etc/apache2/sites-enabled/lists.thenibble.org:10)
         port 80 namevhost siona.nibble.bz (/etc/apache2/sites-enabled/siona.nibble.bz:1)
         port 80 namevhost uro.mine.nu (/etc/apache2/sites-enabled/uro.mine.nu:2)
         port 80 namevhost webmail.nibble.bz (/etc/apache2/sites-enabled/webmail.nibble.bz:51)
         port 80 namevhost www.thenibble.org (/etc/apache2/sites-enabled/www.thenibble.org:3)
         port 80 namevhost thenibble.org (/etc/apache2/sites-enabled/www.thenibble.org:15)
Syntax OK

"man apache2ctl" doesn't give the switch parameters but merely alludes to the presence of them:

SYNOPSIS
When acting in pass-through mode, apachectl can take all the arguments available for the httpd binary.

apachectl [ httpd-argument ]

And on my system (Ubuntu 8.04), "man httpd" doesn't report diddly. It is in a manpage *somewhere* so I found it Online:

http://www.manpagez.com/man/8/httpd/

And what it says is:

-S Show the settings as parsed from the config file (currently only
shows the virtualhost settings).

So there you go. Hidden away in the documentation "somewhere" is possibly the most useful virtual host diagnostic tool.

- Arch

Retiring the old hand-made blog

On the weekend I finally decided to shutdown my old blog (it was under http://dl.nibble.bz/~archangel). I'd started in in early 2003 and sortof just build my own code. Needless to say, it was very simple with basic "categories" features for links and I built my own archives system, syndication, everything. Well, WordPress also started in 2003 and it now has all these features and they work better and are richer. And their code is maintained.

Moving to WordPress is certainly simple. It imports blogs from many different formats including RSS 2.0 which is a widely accepted standard for blog syndication. Since I'd already built a feed for my blog, but in Atom, I simply had to covert my code to generate RSS 2.0 and then have it pit out all my posts (about 200) into a single RSS 2.0 file.

For the switch to RSS 2.0, I just pulled an RSS 2.0 feed from WordPress. I then used the old copy & paste coding to make a syndication script which produced similar output. Then I debugged by running my output through the W3C Feed Validation Service.

Once my RSS 2.0 was validating, I made the script spit out the full content for all my posts rather than the usual 20, went into WP and just imported it and it took them all just fine.

And now, here we are!

- Arch

Renaming Wordpress Blogs

Under Debian (Ubuntu), there's a helper script which does a lot of the work for adding a new blog. You need to create a hostname, add it as an alias in your apache config, and a database. Then use this helper script to setup the database and config:

/usr/share/doc/wordpress/examples/setup-mysql

Now if you want rename your blog say from "inaction.example.com" to "takeaction.example.com", it's pretty simple.

1. Create the new hostname in DNS,


2. Add it as an alias to your apache config,
<

3. Create a soft-link to the current config using the new name,


4. Edit the settings for your blog and give the new URL.

Edit: You can easily change the settings (from the last step) in the the db. If something goes terribly wrong, just poke around in there and update anything with the wrong URL.

- Arch