sandip's blog

IP range to CIDR conversion

I've often had to convert IP range with netmask to a CIDR notation. Below is a quick perl script to help with the conversion:

#!/usr/bin/perl -w
# range2cidr.pl

use Net::CIDR;
use Net::CIDR ':all';

if (@ARGV == 0) {
  die "Usage Example: $0 192.168.0.0-192.168.255.255 \n";
}

print join("\n", Net::CIDR::range2cidr("$ARGV[0]")) . "\n";

Track files uploaded via pure-ftpd

Recently, I've had more than one occurrence of files being messed up due to bad uploads from users on a cpanel server running pure-ftpd.

Here is a simple one liner to get a report of uploads:

/bin/grep pure-ftpd /var/log/messages| grep upload | grep -v <trusted ip address>

"trusted ip address" would possibly be your own.

I put the above on a daily cron and keep an eye out for user uploads.

apache internal dummy connection

I've noticed these in httpd access log starting with Apache2.2:

::1 - - [09/May/2008:14:53:29 -0400] "GET / HTTP/1.0" 200 5043 "-" "Apache (internal dummy connection)"

The apache server occasionally hits localhost to signal its children. See the apache wiki for more info.

"When Apache HTTP Server manages its child processes, it needs a way to wake up processes that are listening for new connections. To do this, it sends a simple HTTP request back to itself...
These requests are perfectly normal and you do not, in general, need to worry about them. They can simply be ignored."

Unfortunately, the homepage I host is a dynamic one and this becomes very costly during busy times. I see a large number of those internal dummy connection requests during an apache graceful restart (SIGUSR1) and at the same time the cpu load on the Apache2.2 server maxes out at nearly 100%. I do not see this cpu load during a graceful restart on apache 2.0 httpd servers.

With the below mod_rewrite rule in place I was able to reduce the load by pointing http request coming from HTTP_USER_AGENT, "internal dummy request" to an empty static html page.

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^.*internal\ dummy\ connection.*$ [NC]
RewriteRule ^/$ /blank.html [L]

Also, removed logging of such requests via:

SetEnvIf Remote_Addr "::1" dontlog
CustomLog /var/log/httpd/access.log combined env=!dontlog

apcupsd rpm rebuild on CentOS-5

Apcupsd is a daemon for controlling APC UPSes. It can be used for power mangement and controlling most of APC's UPS models on Unix and Windows machines. Apcupsd works with most of APC's Smart-UPS models as well as most simple signalling models such a Back-UPS, and BackUPS-Office. During a power failure, apcupsd will inform the users about the power failure and that a shutdown may occur. If power is not restored, a system shutdown will follow when the battery is exhausted, a timeout (seconds) expires, or runtime expires based on internal APC calculations determined by power consumption rates.

I kept getting failure when rebuilding from source rpm and was able to resolve once the package latex2html was installed. Although, it did not come up with any dependency failure when trying to build the package.

The required packages I had to install were: gd-devel, tetex, tetex-latex, glibc-devel, ghostscript, latex2html.

Check service linked to libwrap / tcpwrapper

In order to use hosts_access (hosts.allow/hosts.deny), a service would need to be compiled in with tcpwrapper (tcpd) support and can be checked easily with the below commands.

hosts_access is great as an alternative to iptables and firewall, specifically if you are hosted on a VPS with limited resources for iptables rules.

# ldd `which sshd` | grep -i libwrap

or

# strings `which sshd` | grep -i libwrap

Both the commands should echo out libwrap.so.0 which would mean hosts_access can be used for service sshd.

Make sure you are able to connect to ssh, add your IP to "/etc/hosts.allow". In the below case I am using the full range of my local intranet (LAN).

# Allow localhost
ALL: 127.
# Allow LAN
sshd: 192.168.

Now to block ssh access to others, simply add the below lines to "/etc/hosts.deny".

# Block everyone else from SSH
sshd: ALL

Note: hosts.allow takes precedence over hosts.deny.

Issues with receiving mail on Plesk server

I was not receiving mails from a particular email address. The MX records checked out fine. The mail server was not in any of the DNSBL list I was subscribed to. There was nothing in the logs that mentioned that there was any emails coming in from the user. However, it did have a lot of relaylocks for the mail servers IP address.

Digging in some more, I found a similar issue discussed at theplanet forum where the issue was caused due to conflict of timeouts and auth packets being dropped instead by the sender mail server, so I adjusted qmail timeout which seemed to push the conversation between the MTAs forward and the emails are now being accepted.

I changed the default timeout from 30 seconds to 15 seconds by editing the /etc/inetd and adding -t15 as below.

smtp stream tcp nowait.1000 root /var/qmail/bin/tcp-env tcp-env -t15 /usr/sbin/rblsmtpd  -r bl.spamcop.net -r zen.spamhaus.org /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
smtps stream tcp nowait.1000 root /var/qmail/bin/tcp-env tcp-env -t15 /usr/sbin/rblsmtpd  -r bl.spamcop.net -r zen.spamhaus.org /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

Incremental snapshot backups via rsync and ssh

In follow-up to the previous post, I am compiling this as a separate post as this solution is been running very stable for a while with quite a few updates and changes...

I will be setting up a back-up of a remote web-host via rsync over ssh and creating the snapshot style backup on the local machine.

The backups are done incremental, only the files that have changed are backed up so there is very less bandwidth used during the backup and also does not cause any load on the server.

These are sliced backups, meaning that you get a full backup of the last 4 days, and the last 4 weeks. So data can be restored for upto a month of back date.

Below is an example listing of backups you would see.

Mar 11 - daily.0
Mar 10 - daily.1
Mar 9 - daily.2
Mar 8 - daily.3
Mar 5 - weekly.0
Feb 27 - weekly.1
Feb 20 - weekly.2
Feb 13 - weekly.3

Each of those is a full snapshot for the particular day/week. The files are all hard-linked and would only require 2 to 3 times the space used on the server. The backups should consist of web, database, email and some of the important server configuration files.

Tuning TCP - sysctl.conf

Recent versions of Linux (version 2.6.17 and later) have full autotuning with 4 MB maximum buffer sizes. Except in some rare cases, manual tuning is unlikely to substantially improve the performance of these kernels over most network paths, and is not generally recommended

Since autotuning and large default buffer sizes were released progressively over a succession of different kernel versions, it is best to inspect and only adjust the tuning as needed. When you upgrade kernels, you may want to consider removing any local tuning.

Patching gpans' ensim squirrelmail

Here's is how I updated gpans' squirrelmail package with the current version (1.4.13).

# cd /usr/share
# wget 'http://superb-west.dl.sourceforge.net/sourceforge/squirrelmail/squirrelmail-1.4.13.tar.gz'
# tar -xvzf squirrelmail-1.4.13.tar.gz
# rm squirrelmail-1.4.13.tar.gz
# rm squirrelmail-1.4.13/config/config.php
# rm squirrelmail-1.4.13/config/config_local.php
# ln -s /etc/squirrelmail/config.php squirrelmail-1.4.13/config/config.php
# ln -s /etc/squirrelmail/config_local.php squirrelmail-1.4.13/config/config_local.php

Then changed the below files to include the Ensim virtualization hack (See attached diff patch):

squirrelmail-1.4.13/functions/prefs.php
squirrelmail-1.4.13/functions/global.php
squirrelmail-1.4.13/src/redirect.php
squirrelmail-1.4.13/src/login.php

Finally, I moved the old squirrelmail folder and symlinked to the new one.

# mv squirrelmail squirrelmail-1.4.8-1.1.ensim.ct
# ln -s squirrelmail-1.4.13 squirrelmail

Kernel compile from source

1) cd /usr/src
2) unlink linux
3) rm -rfv linux-oldversion
4) wget http://kernel.org/pub/linux/kernel/v2.6/li...version.tar.bz2 (see www.kernel.org)
5) tar -jxvf linux-newversion.tar.bz2
6) ln -s linux-newversion linux
7) cd linux
8) make mrproper
9) make oldconfig (you may have to select new options available that wasn't on the old kernel. Generally, you're safe to just keep presseing enter for it to select the default for those new options.)
10) make menuconfig (ONLY if you want to edit kernel configuration)
11) make (go make some coffee)
12) make modules_install

Syndicate content
Comment