Monthly Archives: April 2011

Getting default site in Apache2 to display a 404

To make Apache return a 404 for requests that don't match any of your named virtual hosts, rather than serving the alphabetically first virtualhost (alphabetical by file name if you have one file per virtualhost; otherwise whatever's at the top of your single virtualhost file), add a catch-all virtualhost that Apache loads before the others:

# Must be the first virtualhost Apache loads for *:80 (e.g. 000-default),
# because the first one listed becomes the default for unmatched requests.
<VirtualHost *:80>
    # Redirect matches by URL-path prefix, not regex, so "/" catches every request.
    Redirect 404 /
</VirtualHost>

I’m getting some errors when trying to do the same with SSL sites; I’m out of time now but will try to sort it out another day.

hosts.deny not working?

Similar to the previous post: this was the method I tried first to block some spammy IP addresses connecting to Apache (they were not spammy enough for me to worry about the resource-usage difference between hosts.deny and iptables, although ufw/iptables is the better choice), and it didn’t work.

I found an awesome forum post describing why, which I’d like to save for future reference:

Files hosts.allow and hosts.deny work through a daemon (a program running in the background) called inetd. (On some systems, xinetd is used.) Other files used by inetd are /etc/services and /etc/inetd.conf. The purpose of inetd is to listen on various ports; when it accepts a connection on one of these ports, it fires up the appropriate service.

You can set up your system so that one of the services that inetd passes off connections to is a web server. For the purpose of efficiency, though, most systems do not have their web servers set up that way; they listen directly to the appropriate ports (usually port 80 at least).

If your web server is configured so that it listens directly to the appropriate ports, then inetd is not offering the protection you request in file hosts.deny. There’s nothing wrong with this; you just have to configure your web server (Apache, in your case?) to provide the appropriate protection.

Ref: http://www.linuxquestions.org/questions/linux-security-4/hosts-deny-not-working-ubuntu-6-06-a-537239/

Rules in UFW not working?

Check the order. I stupidly assumed the last rule would match, as that’s the most recent one you’ve added… but nope! The first matching rule wins, so if you’ve added a rule to allow incoming connections on port 80 and then try to block an IP address that’s spamming you with bad requests, the block won’t work unless you use an extra parameter to push the new rule above the others (one I’d not heard of before, despite having read a few posts on setting up and using UFW; it’s right at the end of the list of parameters on the UFW online man page).

UFW also won’t add a rule if an identical rule already exists, even if you’re trying to insert it above the existing one (i.e. give it a higher priority).

So, list the existing rules with numbers:

ufw status numbered

Delete any rules you want to move up (eg, rule number 8):

ufw delete 8

Add a rule in a particular place (eg, at the very top of the rules):

ufw insert 1 deny from bad.spammy.ip.address
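As an added example (not from the original post), here is a small POSIX shell script that turns the three steps above into one: it parses the output of `ufw status numbered` for an address, emits a delete for any existing rule that mentions it (since UFW refuses duplicates), and then the insert at position 1 where it is matched first. The status text and the address 203.0.113.7 are constructed sample data, and the script prints the commands rather than running them.

```sh
#!/bin/sh
# Added example, not from the original post: given the text of
# "ufw status numbered", find the existing rules that mention an address
# and emit the commands that delete them and re-insert the deny at
# position 1. The status text and address below are constructed samples.

# Print the rule numbers whose line mentions $1, highest number first, so
# that deleting them in that order does not renumber the ones still to go.
# Reads the "ufw status numbered" text on stdin; -w avoids matching
# 203.0.113.70 when looking for 203.0.113.7.
rule_numbers_for() {
    grep -Fw -- "$1" | sed -n 's/^\[ *\([0-9][0-9]*\)\].*/\1/p' | sort -rn
}

# Emit (do not run) the ufw commands that put a deny for $1 at the top.
# $2 is the text of "ufw status numbered". Review the output, then pipe
# it to "sudo sh" if it looks right.
block_first_commands() {
    addr=$1
    status=$2
    printf '%s\n' "$status" | rule_numbers_for "$addr" | while read -r n; do
        printf 'ufw --force delete %s\n' "$n"   # --force skips the y/n prompt
    done
    printf 'ufw insert 1 deny from %s\n' "$addr"
}

# Constructed sample: the deny for 203.0.113.7 sits below "allow 80/tcp",
# so it never fires for web requests, which is the situation in the post.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80/tcp                     ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] Anywhere                   DENY IN     203.0.113.7
[ 4] 443/tcp                    ALLOW IN    Anywhere'

block_first_commands 203.0.113.7 "$SAMPLE_STATUS"
```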


Setting a umask for chrooted sftp users

It took at least an hour of Googling to find this solution, so I’m posting it here for reference and hopefully it could help others.

If you’re not using a chroot jail, you can follow this: http://jeff.robbins.ws/articles/setting-the-umask-for-sftp-transactions

That method sets the umask on the Subsystem line in sshd_config; however, it doesn’t work for chrooted users, because the umask gets set, the ssh session starts, and the chroot then resets the umask (this is how I understand it, anyway).

So if you’re using chroot for users, you probably have something similar to this in your sshd_config:

Subsystem sftp internal-sftp

UsePAM yes

Match User username
    ChrootDirectory /path/to/directory
    ForceCommand internal-sftp

You should then edit the file /etc/pam.d/sshd and add the following:

session optional pam_umask.so umask=0002

And in /etc/profile, if it’s not already there (it was for me on Ubuntu 10.10), add the following at the bottom:

umask 022

And that’s it. internal-sftp does not execute any shell, so it takes no notice of profile/login/rc files etc.; however, PAM is still used (UsePAM yes), so the umask configured there is applied instead (unless, of course, you’ve turned PAM off).

Ref: http://ubuntuforums.org/archive/index.php/t-1107974.html

RSA authentication with chrooted sFTP – authorized_keys location

There’s something slightly annoying about the default location of the authorized_keys file when you’re working with chrooted sFTP.

The user’s home directory is relative to the chroot jail; however, the default authorized_keys location (%h/.ssh/authorized_keys) is resolved relative to the root of the server, even though the path is written as %h rather than /%h. (To be clear, %h = home directory.)

So, for example, you have the following setup:

username = sftp
chroot jail = /home/sftp/jail/
home directory = /upload
(therefore actual directory = /home/sftp/jail/upload)

(I use a folder called upload as the home directory because the root of the chroot jail cannot be writable, as it has to be owned by root. If you create an additional directory owned by user sftp and direct users into it by default when they log in, they can read and write to that directory without having to change directory to do anything.)

In this setup, using the default ssh authorized_keys file location, you need to create a new directory /upload in the root of your server just to store the authorized_keys file of this user…not a great solution.

So what to do?  Change the default location of the authorized keys file; I’ve done the following:

/usr/local/share/keys/sftp/.ssh/authorized_keys (create additional directories for each user that needs to use sFTP OR SSH)

And then in /etc/ssh/sshd_config, point the AuthorizedKeysFile directive at the new location (%u is the username):

AuthorizedKeysFile /usr/local/share/keys/%u/.ssh/authorized_keys

Obviously move the authorized_keys from the default location of /home/sftp/.ssh/authorized_keys to this new location, and make sure your user (sftp in this case) is the owner of the file.  Do this for all users of sftp or ssh.

Restart ssh and you’re done.

Using an OEM licence with a retail copy of Microsoft XP

The only OS I’ve done this with is XP Home; Microsoft has tools for Vista and Windows 7 too, so it could possibly work for them as well.

Also, I was on the phone to a guy in Microsoft at the time; I assume anyone could do this, but there’s a slight chance that he did something to allow my key to convert.

In any case, the instructions are very simple:

1) Go to this page: http://windows.microsoft.com/en-US/windows/help/genuine/product-key and choose Windows XP tab at the top

2) Click on the link for the Windows Product Key Update Tool, and run it

3) Follow the installer; it should tell you it’s been successful when completed, and it wants a restart

The Microsoft page says that after updating the key you are required to activate Windows XP; I didn’t need to do this, so I’m not sure how accurate that is.


If anyone has tried the Windows Vista and Windows 7 versions, let me know how it went. Those versions say explicitly that they’re for using, for example, a Windows 7 Home licence with an installation of Windows 7 Ultimate, whereas the XP version doesn’t really say what it’s for, so I’m not sure whether they have the same magical retail <> OEM conversion abilities. Talking of which, I’m pretty sure this didn’t actually convert my licence to a retail copy; it just forced my retail installation to accept my OEM key.

mp4 files not streaming over HTTP?

Probably because the metadata is in the wrong place (ie, not at the beginning of the file).

I downloaded two programs to move the metadata, MetaData Mover (http://rndware.info/products/metadata-mover.html) and MP4 Fast Start (http://www.datagoround.com/lab/), both of which killed my mp4 files, leaving each at 67kb. Perhaps my mp4 files were encoded in a strange way? They’re recorded using a fairly standard video camera.

In any case, after a long time of searching for the solution, turns out I only needed to do the following:

apt-get install mpeg4ip
mp4creator -optimize myfile.mp4

In my case I have a client that needs to be able to upload streaming videos to her WordPress site; she now just needs to upload the video files directly from her video camera, click a little button I’ve put on the WordPress site to search for unoptimized files and optimize them.  Excellent.
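The "search for unoptimized files" step above needs a way to tell whether a file already has its index first. The following POSIX shell script, added here and not part of the original post, walks an MP4's top-level atoms to decide that; it needs only dd, od and wc, and the two sample files it builds are constructed, empty-payload stand-ins for a camera file and an optimized one.

```sh
#!/bin/sh
# Added example, not from the original post: decide whether an MP4 needs
# "fast start" optimisation by walking its top-level atoms. Each atom
# starts with a 4-byte big-endian size and a 4-byte type; progressive
# playback over HTTP needs moov (the index) before mdat (the media data),
# which is the rearrangement mp4creator -optimize performs.

# Hex string of $2 bytes read at offset $1 of file $3.
hex_at() {
    dd if="$3" bs=1 skip="$1" count="$2" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Prints fast-start (exit 0), needs-optimize (exit 1) or unknown (exit 2).
mp4_start_order() {
    f=$1
    total=$(wc -c < "$f" | tr -d ' ')
    off=0
    while [ "$off" -lt "$total" ]; do
        hdr=$(hex_at "$off" 8 "$f")
        [ ${#hdr} -eq 16 ] || break              # truncated header
        size=$((0x$(printf '%s' "$hdr" | cut -c1-8)))
        atom=$(dd if="$f" bs=1 skip=$((off + 4)) count=4 2>/dev/null)
        case $atom in
            moov) echo fast-start; return 0 ;;
            mdat) echo needs-optimize; return 1 ;;
        esac
        [ "$size" -ne 0 ] || break               # size 0: atom runs to EOF
        if [ "$size" -eq 1 ]; then               # size 1: 64-bit size follows
            size=$((0x$(hex_at $((off + 8)) 8 "$f")))
        fi
        [ "$size" -ge 8 ] || break               # corrupt header
        off=$((off + size))
    done
    echo unknown; return 2
}

# Constructed samples: ftyp, then either mdat before moov (as a camera
# writes it) or moov before mdat (after optimisation). Payloads are tiny.
make_camera_sample() {
    printf '\000\000\000\020ftypisom\000\000\002\000\000\000\000\014mdatabcd\000\000\000\010moov' > "$1"
}
make_optimized_sample() {
    printf '\000\000\000\020ftypisom\000\000\002\000\000\000\000\010moov\000\000\000\014mdatabcd' > "$1"
}

tmp=$(mktemp)
make_camera_sample "$tmp"
echo "camera file: $(mp4_start_order "$tmp")"
rm -f "$tmp"
```

Files that report needs-optimize are the ones to hand to mp4creator -optimize.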

Iterate through find results in bash

find [insert parameters here] | while IFS= read -r line
do
    [insert stuff to do here]    # $line holds one path per iteration; quote it as "$line"
done

You can use the variable $line here for the path to each file that ‘find’ finds, and you can use `(basename $line)` to get the filename only (removing the path). For some reason, I couldn’t do, e.g., NAME=`(basename $line)` or NAME=$(basename $line). (Well, I could; it worked, but at the end of the script it gave me a ‘basename: missing operand’ error.) If anyone could enlighten me…
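The loop above, as an added example that is not part of the original post, in a form that copes with spaces in file names and keeps a result after the loop finishes. One common source of a "basename: missing operand" after the loop is that a piped while loop runs in a subshell, so the second function shows a loop that avoids that; the sample files are constructed in a temporary directory.

```sh
#!/bin/sh
# Added example, not from the original post: loop over find output safely
# and keep what the loop computed once it has finished. It assumes only
# find and basename; the files it walks are created below as sample input.

# Print the base name of every regular file under $1, one per line.
# IFS= and -r stop read from trimming spaces or eating backslashes, and
# quoting "$path" keeps names containing spaces from being word-split.
list_basenames() {
    find "$1" -type f | while IFS= read -r path; do
        basename "$path"
    done
}

# Count the regular files under $1. The piped loop above runs in a
# subshell, so a counter bumped inside it (or $path itself) is empty once
# the loop ends; a "basename $path" placed after "done" then reports
# "basename: missing operand". Reading from a here-document instead keeps
# the loop in the current shell, so $n survives it.
count_files() {
    n=0
    while IFS= read -r path; do
        if [ -n "$path" ]; then n=$((n + 1)); fi
    done <<EOF
$(find "$1" -type f)
EOF
    echo "$n"
}

# Constructed sample tree with a space in a directory and a file name.
make_sample_tree() {
    mkdir -p "$1/sub dir"
    : > "$1/a.mp4"
    : > "$1/sub dir/b c.mp4"
    : > "$1/sub dir/d.txt"
}

demo=$(mktemp -d)
make_sample_tree "$demo"
list_basenames "$demo"
echo "files: $(count_files "$demo")"
rm -rf "$demo"
```

Names containing a newline are the one case this cannot handle; for those, use find -print0 with bash's read -d ''.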

Custom WP plugin ‘Do not have sufficient permissions’ when accessing options page

If you’re using, for example, this tutorial from NetTuts: http://net.tutsplus.com/tutorials/wordpress/creating-a-custom-wordpress-plugin-from-scratch/

Beware this bit of code:

add_action('admin_menu', 'oscimp_admin_actions'); // hooked up as in the tutorial

function oscimp_admin_actions() {
    // Arguments: page title, menu title, capability (1 is a deprecated user level),
    // menu slug (the page's URI; the spaces and capitals here are the problem), callback.
    add_options_page("OSCommerce Product Display", "OSCommerce Product Display", 1, "OSCommerce Product Display", "oscimp_admin");
}

The fourth argument is the slug used in the page’s URI; WordPress strips the spaces automatically, but the case remains, so if you’re on a case-sensitive web server you’ll get permissions errors when trying to access the page.

Change it to something like ‘oscommerce_product_display’ and you should be fine.