Installing uglify-js and node on Ubuntu 12.10

The e-Classifieds ® Corporate edition uses lots of JavaScript code, so to help speed things up we compress the code. Previously this has been done using JavaScript::Minifier::XS from CPAN, but all the cool kids are using UglifyJS. So I thought I would see how it compared.

AIDE constantly reporting prelink errors

We added a couple of new boxes running CentOS 6 here at Hagen Hosting. They generally work really nicely, but I’ve been having this ongoing fight with AIDE and prelink.

Prelink seems like a good idea because it reduces the chance of an exploit working, but the honest truth is that it is annoying, and potentially troublesome in terms of legal issues and security. Moreover, from what I read, prelink doesn’t add much extra security.

I find it particularly annoying when prelink runs each week and I’m confronted with the output from AIDE saying a bunch of files have changed. It would take hours to compare them all to see if they had changed because of an intrusion, so I have to assume that they have changed because of prelink, because they are listed in the prelink logs and the timestamps match. But, you know, it just doesn’t feel secure.

Moreover, prelink has become very annoying because, for some reason that I have yet to work out, each night it keeps prelinking the same set of files. A few are compiled-from-source programs (like Apache), but some are standard libs.

To get it to stop I had to run prelink on those files manually and keep re-running it until it stopped saying that some of the files needed prelinking.

However, after a valiant attempt I’ve realised that prelink is just causing too many headaches and so I took the ultimate step — to disable it.

To disable prelink, edit

/etc/sysconfig/prelink.conf

/etc/sysconfig/prelink

and change

PRELINKING=yes

to

PRELINKING=no

Sometime in the next few days it will run prelink -ua to undo the prelinking on all files; then I’ll be done with it and the only changes to the system will be updates (or bad stuff :-)

Edit: 2014-05-22T13:25:56+00:00

I just had this error message coming up on a box after updating a library. Prelinking is disabled, but I would still get this same error message from AIDE.

Running

prelink -ua

did not stop the error messages, because running this command checks the value of PRELINKING and so it doesn’t run – at least I think so. The error occurs because AIDE detects that the library has changed and so runs prelink directly on those files:

4574 [pid 12916] execve("/usr/sbin/prelink", ["/usr/sbin/prelink", "--verify", "/usr/local/apache2/modules/libph"...], [/* 44 vars */]) = 0

Since I have PRELINKING=no defined but was still getting this error message, it would appear that if you specify a filename to prelink then it runs as it normally would, regardless of this global setting. It makes sense, I suppose.

The answer therefore was to use this knowledge that prelink still works on specific files, but not globally, and “un-prelink” the library in question. In other words, run:

prelink -ua <file>

Doing this caused AIDE to no longer run prelink.
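The post above assumes that files AIDE flags after a prelink run changed because of prelink. Since AIDE itself calls prelink --verify on such files (the strace line above), the same mechanism can answer the question instead of leaving it to assumption. The following triage helper is an added example, not code from the post, AIDE or prelink. It assumes an AIDE report with "changed: /path" lines, that prelink -y (the long form is --verify) writes the un-prelinked contents of a binary to stdout, and that rpm -V is available for packaged files; the baseline file format and the function names are this example's own.

```sh
#!/bin/sh
# Constructed triage helper: classify files AIDE reported as changed into
# "explained by prelink" and "investigate". Not code from the post.
# Assumptions: AIDE report lines look like "changed: /path"; prelink -y prints
# the un-prelinked file to stdout; rpm -Vf verifies the owning package.

# Extract the paths AIDE flagged as changed from a saved report.
aide_changed_files() {
    sed -n 's/^changed: //p' "$1"
}

# Look up the hash recorded for a file in a baseline of the form
# "<sha256>  <path>" (the same layout sha256sum prints).
baseline_hash() {
    awk -v f="$2" '$2 == f { print $1 }' "$1"
}

# Hash a binary as it looks with prelink's modifications undone, so the
# result is stable across prelink runs.
unprelinked_hash() {
    prelink -y "$1" | sha256sum | cut -d' ' -f1
}

# Packaged files: rpm -V undoes prelinking itself (it calls prelink -y through
# the prelink rpm macro) before comparing with the package database, so a
# clean verification prints nothing and exits 0.
check_packaged() {
    rpm -Vf "$1"
}

# Locally built files (e.g. Apache under /usr/local) are unknown to rpm, so
# compare the un-prelinked hash with a baseline recorded at install time.
check_local() {
    expected=$(baseline_hash "$2" "$1")
    [ -n "$expected" ] && [ "$(unprelinked_hash "$1")" = "$expected" ]
}

# Walk an AIDE report and print one verdict per changed file.
triage_report() {
    report=$1; baseline=$2
    aide_changed_files "$report" | while read -r f; do
        if rpm -qf "$f" >/dev/null 2>&1; then
            if check_packaged "$f"; then echo "OK (rpm -V)   $f"; else echo "INVESTIGATE   $f"; fi
        elif check_local "$f" "$baseline"; then
            echo "OK (baseline) $f"
        else
            echo "INVESTIGATE   $f"
        fi
    done
}

# Usage: ./triage.sh aide-report.txt /var/lib/local-baseline.sha256
if [ $# -ge 2 ]; then
    triage_report "$1" "$2"
fi
```

The baseline for locally built binaries is built once, right after installing them, with the same hash function (for f in /usr/local/apache2/modules/*.so; do echo "$(unprelinked_hash "$f")  $f"; done > /var/lib/local-baseline.sha256), so it matches whether or not prelink has already touched the files. A file that ends up as INVESTIGATE has changed in a way prelink cannot account for, which is exactly the case the weekly AIDE report was hiding.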

aide.conf syntax errors contain junk line information

The latest servers that we added to run our e-Classifieds ® platform use CentOS 6. I definitely like the boxes, but prelink and AIDE have been a pain.

After trying to stop AIDE checking some folders I started getting this report:

271:syntax error: <junk>
271:Error while reading configuration: <junk>

It turns out that this really was a syntax error, and it really was on line 271, because rather daftly I had been thinking in terms of RegExps and added the line as

!^/usr/local/....

The ^ generates the syntax error. But apparently AIDE has a free/malloc/pointer bug in this error message, as it prints random junk after the error message. Initially this made me think that the error being reported was that the aide.conf file contained those characters and I couldn’t see them, and therefore oooh, filesystem/disk corruption… I was relieved to find that it was a bug in AIDE’s error message.

I moved my Blog to perladmin.oreally.co.uk

I moved my blog to WordPress hosted on my own box. It can now be accessed via the URL http://perladmin.oreally.co.uk/

As for why? Well, I’ve played with WordPress on and off for a while, but I never really liked the previous versions that much and had given up several revisions ago. I decided to try looking at it again this time around and really preferred the interface. I’m still not at all convinced about much of the rest of it, particularly it being written in PHP, since I have issues with that on several levels, but it is what it is. I decided to try it online via this site with wordpress.com.

Interestingly enough, Google must love this place because for certain searches the site is coming up in first place. Which is surprising, if not troubling, since it’s a new site and if I can do it, any spammer can. I’ve even had people start stealing the content already, and there’s barely anything here…

But what I didn’t like is that I couldn’t customize it the way I wanted to. My PHP is limited but I know enough to hack on the code a little and wanted to try doing that on WP 2.6.2 as I have on earlier versions. I also wanted to try a different theme than the half dozen offered, and even something as simple as changing the CSS couldn’t be done without a paid update. This seemed a little much to ask for something so relatively simple, so I decided to move it off to my own box.

I’m not sure how well it will work since my box is about 10 years old, but hopefully it will be upgraded soon, and I have other options if needed :-)

So come on over to the new site, see if you like it:

http://perladmin.oreally.co.uk/

Colin.

Why does IPTables not log when it is started/stopped?

I have to say that it is very strange that iptables doesn’t log when it is started, stopped, restarted or even when a rule is added. Given how big a part iptables plays in the security scene, you’d think that by default it would send a notice to syslog, probably at daemon.notice level, when it is stopped and started. After all, this is one fairly important tool. Not the only one (hopefully), but usually a pretty important one, and in many cases it really is the only thing between a server and the bad guys (yes, I know that it shouldn’t be the only thing…).

I mention this because I just came back from lunch to find my SSH connection wouldn’t respond to input. This has happened occasionally, but as far as I’ve been able to tell (by piecing together information afterwards), it has invariably been because iptables was restarted.

Now me, I just add the new rule to the firewall and, if it works and I want to keep it, add it to the config file separately. I don’t believe in restarting iptables, because if you f*ck up the new rule and restart the firewall you’re not only screwed then, but also if you reboot the server. For a remote connection that’s bad news. At least if you screw up the rule you know that you did the moment you add it to the firewall, so if it comes to remotely rebooting the box you know it will come back up without a problem. And yes, I did do that once. It was a case of

“I’ll just update the firewall rules before I leave this morni… oh er.. oh, what did I type? Sh*t!”.

But my colleague believes that you should add it to the config file and restart, because that way you’re only entering it once. Which is nice, and does indeed have its merits because there’s less chance of a typo, getting the order wrong, etc., but it also means you need to stop and restart iptables. Aside from the risk of locking yourself out of the server, to me that’s a royal pain. You lose any temporary rules, and worst of all you lose the connection tracking. Which means my nice and quiet SSH session, which was working before lunch and has my open Vim session in it … is now not working, because its state is not new or established or related, and thus not a valid connection state as far as iptables is concerned, and thus the packets are blocked and the connection gets dropped. *grr*

More irritatingly, though, I can’t *know* that that’s what happened, because iptables doesn’t log when it stopped or started. Which is pretty crazy really if you think about the fact that every daemon under the sun logs that kind of information. It never occurred to me before, but it’s true, at least on my box.

Incidentally, if you’re looking to fiddle with the firewall remotely, a few good tricks are:

  1. Add a rule to allow your SSH connection through as the first rule, e.g.

       iptables -I INPUT 1 -p tcp --dport 22 -s <your ip> -j ACCEPT

  2. Use a sleep; undo system. This works for both the command line and restarting iptables. For example:

    1. Add a rule on the command line, knowing the rule number you’ll give it, and then set it to undo a moment later:

         iptables -I INPUT 23 <what you want to happen>; \
         sleep 10; \
         iptables -D INPUT 23

    2. Restart iptables, then stop it again if it doesn’t work:

         /etc/init.d/iptables restart; sleep 10; /etc/init.d/iptables stop

The second tip uses a chain of commands which do whatever might go wrong, sleep, and then undo it. The reason this works is that the shell executes a command and then moves on to the next command in the list. So if you submit the commands like this, where you must include the semicolons between the commands (don’t forget the \’s in the first case, or just ignore them and don’t hit return), then the shell will execute them one after another like this: do “fiddle with firewall command”, sleep, and do “undo fiddle command”. In the event that you don’t do anything, the firewall will be restarted and then ten seconds later, stopped. This is good because in the event that you f*ck up the firewall rules and can’t type, 10s later you’ll be able to type again because the firewall has been taken down again.

But the best part of this trick is that in the event that you can type, you do … you wait a second or so, and then type Ctrl-C to interrupt the currently running command. This will be the sleep command, so you’ll interrupt that and interrupt the list of commands to execute, so your last command, the “undo” command, is never run. So if you can’t get into the box it unsets its firewall. If you can get in then you kill the sleep command before it finishes, thus the “undo” is never executed.

As a tip, if you’re not sure when to hit Ctrl-C, add a command echo “Sleeping” into the list just before the sleep command. If you don’t see that then the firewall was messed up. If you do see it then your changes worked, and you can kill the rest of the commands with Ctrl-C.
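The sleep; undo chain above, including the “Sleeping” echo tip, written up as a reusable shell function. This is an added example and not code from the post; the function name, the exit codes and the sample rule in the usage comment are this example’s own choices. The one difference from typing the chain by hand is a trap on SIGINT: Ctrl-C still kills the sleep, but instead of killing the shell it sets a flag, so the function can report whether the change was kept or rolled back.

```sh
#!/bin/sh
# Constructed example of the sleep-and-undo trick, not code from the post.
# Apply a change, announce the grace period, then undo the change unless the
# operator presses Ctrl-C while the sleep is running.
# Returns 0 if the change was kept, 2 if it was rolled back, 1 if the
# apply command itself failed (nothing to undo in that case).
apply_with_rollback() {
    apply_cmd=$1; undo_cmd=$2; grace=${3:-10}
    keep=0

    # Ctrl-C sends SIGINT to both the sleep and this shell: the sleep dies,
    # and this trap runs instead of the shell exiting.
    trap 'keep=1' INT

    if ! sh -c "$apply_cmd"; then
        trap - INT
        echo "apply failed, nothing to undo: $apply_cmd" >&2
        return 1
    fi

    # The post's tip: if you can read this line, your session survived the
    # change and it is safe to press Ctrl-C to keep it.
    echo "Sleeping ${grace}s - press Ctrl-C now to KEEP the change"
    sleep "$grace"
    trap - INT

    if [ "$keep" -eq 1 ]; then
        echo "kept: $apply_cmd"
        return 0
    fi

    sh -c "$undo_cmd"
    echo "rolled back with: $undo_cmd"
    return 2
}

# Usage, typed in the SSH session you are worried about losing. The rule in
# the first line is a constructed placeholder; the second mirrors the post's
# restart-then-stop case.
#   apply_with_rollback 'iptables -I INPUT 23 -p tcp --dport 8080 -j ACCEPT' 'iptables -D INPUT 23' 10
#   apply_with_rollback '/etc/init.d/iptables restart' '/etc/init.d/iptables stop' 10
if [ $# -ge 2 ]; then
    apply_with_rollback "$@"
fi
```

Because the undo step for the restart case is “stop the firewall”, a timeout leaves the box unfiltered until you get back in and fix the rules, which is the same trade the hand-typed chain makes; the exit code lets a wrapper script log which way it went.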

Colin.

Virtualbox 2.0 is out

For those who have never used it, Virtualbox is Virtual Machine software from Sun Microsystems, who bought the previous owners, innotek GmbH. While my experience with VM software is not extensive, I’ve used a few programs on a Windows host and I’m pretty impressed with Virtualbox. VMWare was, by comparison, much much slower, although this may have changed in more recent editions. I also hated how tightly into the OS VMWare wove itself. Uninstalling it has broken several computers of mine and resulted in days of trying to unbreak its grip on my network adapter (trying to remove the virtual adapters from the MAC bridge when VMWare was no longer installed). In comparison to VB, MS Virtual PC appears to be lacking features – or at least an interface – and plainly has no design to support anything but Windows, with boot options of “Windows 95, 98, NT, 2000, XP, Vista and OTHER”. It isn’t surprising, given that they sell Windows, but I can’t help but wonder how effective it can really be for non-Windows, which at the moment is my thing since I’m running Windows as the host OS.

Virtualbox gives a nice range of features and appears pretty fast. 2.0 is no exception, appearing mostly to fix a few gotchas which never bit me. My only complaint about it is that aperiodically I’ve found that the clipboard will break. This is with Windows as a host OS and CentOS and Fedora 8 as guest OSs. You’ll be typing along and suddenly the clipboard won’t work, in Windows or in the guest OS, and you end up needing to restart the Vbox to clear it.

I’ve yet to see any information explaining what is happening, but what I suspect is that an event is being lost on the client end and this ties up the entire clipboard because Windows doesn’t get the acknowledgement that the event was processed. I did once see an error message from the X server about it dropping events, so this seems to be a reasonable guess.

My solution to this has been to work around it: instead of using X directly on the console of the Vbox, I connect to it via NoMachine’s NX client. This not only gives me the equivalent of “screen” under X, with the ability to disconnect and reconnect later, but I’ve never had the clipboard cross-over screw up. Which is really handy.

So if you haven’t already tried it but you’d like to, or you’d like to try VMs and don’t know where to start, or you’re looking to try Linux but are too addicted to your Windows apps to be logged out of your computer, Virtualbox will be great for you.

As for choice in Linuxes, well, I’ve gone with Fedora 8 and CentOS 5.2. Personally I’ve been concerned about the direction of Fedora, especially with its “pump a new version out every few months” attitude (as opposed to putting out something decent). I did try Fedora 9 from the live CD and it sucked, especially when compared to F8. F8 has, so far, been a pinnacle of Fedora for me. By comparison CentOS 5.2 appears to have a very strong stable base, and is every bit as usable for a desktop OS as a server OS. As a quick comparison, when running under Virtualbox in order to be able to have a graphical resolution which matches my Windows box (which is only 1280px by 1024px, so nothing to write home about), Fedora 8 requires you to allocate 32MB of memory for graphics, but CentOS 5.2 requires only 16MB. I think it says something about F8.

Colin.