Moved
•February 25, 2010
I’ve moved my blog to the hosted WordPress platform, wordpress.com. This saves me the pain of applying the frequent upgrades myself. That is all.
Munin: system monitoring tool
•September 16, 2009
Munin is a simple-to-use, client-server system monitoring tool. Data is presented as RRDtool-driven graphs on a web page. Installation on Debian is just a matter of installing the munin, munin-node and munin-plugins-extra packages. Additional plugins are enabled by creating symlinks in /etc/munin/plugins/ from /usr/share/munin/plugins/* and then restarting munin. By default, graphs are created under /var/www/munin/, so they are accessible in your browser assuming a web server, such as Apache, is installed.
If you can’t find a plugin you need, try MuninExchange or if you have some scripting experience (any language will do) you can write your own plugin.
Adobe Air apps crashing with KDE
•June 6, 2009
For some reason Adobe Air apps do not like KDE’s desktop effects. When these effects are enabled with the default settings, Air apps such as Tweetdeck and Twhirl have a fit when they try to restore from the system tray and cause the system to become unresponsive.
After a bit of googling, I found a workaround in KDE’s bug tracker. It seems the problem is related to KDE’s feature that keeps thumbnails of running applications. Anyway, the workaround is to completely disable this feature by setting System Settings -> Desktop -> Advanced -> Keep window thumbnails to “never”.
Poor security on Asus Eee
•April 13, 2009
I joined the notebook community at Christmas last year when I unwrapped my Asus 901 (Linux variant). It runs a custom build of Xandros, which is itself a fork of Debian. Asus provide software updates using their own repository, which Eees are pre-configured to use exclusively. This means upstream software updates, including security patches from Debian and Xandros, have to be merged into their repository by Asus in order for Eee customers to benefit and run secure systems. That’s how it should work…
Facebook & PHP
•April 12, 2009
Most people know Facebook for their contribution to the social networking phenomenon, along with the likes of MySpace, etc. Their rapid and massive increase in popularity has brought interesting technical challenges, and today Facebook are one of the biggest PHP users in the world. In this detailed presentation, Aditya Agarwal, Director of Engineering at Facebook, talks about their software stack and how they use PHP and 25TB worth of Memcached storage to serve their 200 million users.
If this stuff interests you, also check out their engineering blog.
Tuning PHP
•January 26, 2009
Despite being introduced in PHP 5.1.0, which was released in late 2005, there is a pair of less well known php.ini directives that can have a noticeable effect on performance, especially for developers who work with spaghetti code. These options control how PHP files are cached internally by PHP when using, for example, the include/require constructs (not functions!). These options are:
realpath_cache_size
Determines the size of the realpath cache to be used by PHP. This value should be increased on systems where PHP opens many files, to reflect the quantity of the file operations performed.
realpath_cache_ttl
Duration of time (in seconds) for which to cache realpath information for a given file or directory. For systems with rarely changing files, consider increasing the value.
So why should people care about these options? Well, every time a file is loaded using a relative path, PHP first has to look up where that file exists on the filesystem. Once cached, further includes will be far cheaper; however, with the small default cache size, entries will quickly churn when you consider that PHP frameworks such as Zend Framework contain well over a thousand files.
So what should it be set to? Well, that largely depends on your personal situation; those with extreme symptoms of spaghetti-code-itous with vast numbers of library files should use higher values. Personally, on my modest Zend Framework installation I find a cache size of 128KB works well. As for the time to live (ttl) value, this defaults to 2 minutes and should be tweaked on a per-case basis depending on how frequently the application is updated.
Block brute force attacks with iptables
•December 15, 2008
The iptables recent module can be used to,
track seen IP addresses and be able to match against them using some criteria.
This enables admins to identify and block brute force attack traffic. The following config will only allow 4 connections to port 22 within a 60 second time frame from a given IP address. Subsequent connections will be logged and dropped. The disadvantage of this approach is that iptables cannot distinguish between successful and unsuccessful connections. This means that you can potentially lock yourself out of your server! To help overcome this problem, a whitelist of admin IP addresses is added.
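The rate limit described above, as an added example (this is not the original post's config, which is not reproduced on this page): a shell function that prints an iptables-restore ruleset and refuses to build one without an admin whitelist. The chain name SSH_LIMIT, the list name ssh_seen, the log prefix, the log rate cap and the 203.0.113.10 admin address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset; it applies nothing itself.
MAX_CONN=4        # new SSH connections allowed per source address ...
WINDOW=60         # ... within this many seconds
LIST=ssh_seen     # assumed name for the recent-module address list

# Succeeds only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }'
}

# Usage: build_ssh_ratelimit ADMIN_IP [ADMIN_IP ...]
build_ssh_ratelimit() {
    # The recent module counts successful logins as well as failed ones, so
    # refuse to build a ruleset that has no admin whitelist.
    if [ "$#" -eq 0 ]; then
        echo "error: at least one admin address is required" >&2
        return 1
    fi
    for ip in "$@"; do
        if ! valid_ipv4 "$ip"; then
            echo "error: not an IPv4 address: $ip" >&2
            return 1
        fi
    done

    new="-p tcp --dport 22 -m conntrack --ctstate NEW"
    echo "*filter"
    echo ":SSH_LIMIT - [0:0]"
    # Over-limit connections are logged (log rate capped), then dropped.
    echo "-A SSH_LIMIT -m limit --limit 6/min -j LOG --log-prefix \"ssh-ratelimit: \""
    echo "-A SSH_LIMIT -j DROP"
    # Whitelisted admins are accepted before the counter ever sees them.
    for ip in "$@"; do
        echo "-A INPUT -s $ip/32 $new -j ACCEPT"
    done
    # Record each remaining new connection, then divert the source once it
    # reaches MAX_CONN + 1 hits inside WINDOW seconds.
    echo "-A INPUT $new -m recent --name $LIST --set"
    echo "-A INPUT $new -m recent --name $LIST --update --seconds $WINDOW --hitcount $((MAX_CONN + 1)) -j SSH_LIMIT"
    echo "-A INPUT $new -j ACCEPT"
    echo "COMMIT"
}

# Demo run with a constructed documentation address (RFC 5737).
build_ssh_ratelimit 203.0.113.10
```

Review the printed rules, then load them as root with `iptables-restore --noflush` so existing rules are kept. Because `--update` refreshes the entry on every over-limit attempt, a source that keeps retrying stays blocked until its attempts inside the window fall back under the limit.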
Ubuntu key mapping with Intrepid Ibex
•November 10, 2008
Xubuntu Intrepid Ibex has done away with the traditional hacking of the X11 config file for monitor, mouse, keyboard and other I/O device setup. This latest release uses HAL to automatically configure itself with ‘reasonable defaults’. For me however, these defaults don’t play nicely with my IBM Thinkpad and Apple keyboard combination.
To emulate the standard wheel functionality I made the following changes,
$ cat /etc/hal/fdi/policy/mouse-wheel.fdi
<match key="info.product" string="TPPS/2 IBM TrackPoint">
  <merge key="input.x11_options.EmulateWheel" type="string">true</merge>
  <merge key="input.x11_options.EmulateWheelButton" type="string">2</merge>
  <merge key="input.x11_options.XAxisMapping" type="string">6 7</merge>
  <merge key="input.x11_options.YAxisMapping" type="string">4 5</merge>
  <merge key="input.x11_options.ZAxisMapping" type="string">4 5</merge>
  <merge key="input.x11_options.Emulate3Buttons" type="string">true</merge>
</match>
To turn off the brightness, volume, eject, etc. keys by default on Mac keyboards, add this line to /etc/modprobe.d/options:
options hid pb_fnmode=2
Free memory upgrade
•May 24, 2008
My hosting company’s recent upgrade from Virtuozzo Power Panel to HyperVM resulted in a change to how RAM usage is calculated (and therefore restricted). Despite top telling me I was only using ~80% of my RAM, after the upgrade I started receiving frequent emails from cron informing me that processes were running out of memory, and I even had problems opening SSH connections to the server.
Predictable random number generator in Debian’s OpenSSL package
•May 15, 2008
Since the Debian security advisory was published there has been plenty of discussion about who is to blame and how such a bug has gone unnoticed since September 2006. While they are important discussions that need to be had, I’ll focus on how to protect your Debian based PCs, laptops, servers, etc. First things first, upgrade OpenSSH and the relevant packages.
$ sudo apt-get update
$ sudo apt-get upgrade
Where you have OpenSSH installed, the host keys must be regenerated.
$ sudo rm /etc/ssh/ssh_host_*
$ sudo dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Restarting OpenBSD Secure Shell server: sshd.
SSHing onto the server will display a warning because the host key stored in the client’s known_hosts file does not match what the server now presents. Just delete the referenced line from known_hosts.
$ ssh server
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
If you use public key authentication you’ll need to regenerate those keys, remembering to remove the old entry from authorized_keys on the server. The same goes for SSL certs used by web servers.

