ArghWebWorks

can DIAF.

That is all.

Oy. Permissions. Permissions in a Linux / Unix environment can be a headache; and who knows what all those little numbers and letters mean?

I do, and you will too.

Of course, every book in the world will tell you that there are three sets of permissions; user, group and world. So something that’s rw-r–r– is writable only by the user but readable by everyone. There’s read, write and executable settings for each one, and they’re marked by “bits”. You know that computers think in binary, and in binary there are only zeroes and ones. Here’s what we’re interested in for the next few minutes.

Decimal 0 = Binary 000
Decimal 1 = Binary 001
Decimal 2 = Binary 010
Decimal 4 = Binary 100

If you look those over, you’ll see there’s only one way to get each of the numbers from 0 to 7 using only one of a number ( ie, you can’t replace a 4 with 2 2s ). A seven has to be a four, a two and a one. No other options. So when you’re saying “change the ownership of somefile to 755″ what you mean is you want the ownership to be read:ON, write:ON, execute:ON for the owner, and read:ON write:OFF execute:ON for everyone else.

If you’re ssh’d into your server and you run an “ls -la somefile” you’ll see something that looks like

-rw-r--r--

which translates to

011000100

or, taking off the first one ( because it’s special and I won’t talk about it here),

110 100 100

If you treat those each as binary numbers and translate them to decimal, you’ll have 644.

What’s this mean?
Basically, 4 is read permissions only. 2 is write permissions only but you can add them together and get 6 which is read and write permissions. There’s only one way to get a six; a four and a two ( you can’t have two threes or three twos ). When you add “executable” to the mix, you’ll see that you can add executable to any of these numbers and get 5 ( read and execute, don’t write ), 3 ( write and execute, don’t read ( weird ) ), 7 ( read, write and execute ).

Note that it doesn’t really make sense to “execute” a directory. The “executable bit” for directories translates to “traversable.” Or, in english, a user can go through the directory without needing read permissions. For instance, to use a contrived example, you could have a /var/logs/user/ directory and just give the users permission to see their own directory; the logs directory could not be readable or writable but be traversable; they could go through it. But if they did a “ls -la /var/logs”, they’d get back an error.

I’ll be honest, I do a lot of command line work. Of course you know by now that Telnet, the granddaddy of connecting-to-command-line programs isn’t very secure, so reasonable people ( and even a few unreasonable ones ) have turned to an encrypted protocol called SSH for their command line needs.

I ssh to the servers my sites are on in order to look at server statistics. I can’t stand automatically generated passwords with numbers, letters, capital letters, punctuation and more than thirty-five characters. They’re irritating, though pretty secure, I’ll admit. So here’s what to do in order to connect more automatically with your server.

First, make sure you have SSH access. With Site 5, it took me an email. With Hostgator, it took an email and a scanned copy of my driver’s license. No big deal, really. Ok, now you’ve got access to the server, what next?

I like a SSH client named Putty. Don’t use this in countries that outlaw encryption, for gods’ sake! Download Putty and PuttyGen ( you’ll need this in a couple of minutes). You can save them to your desktop, or to a thumbdrive, or whatever. Save the files.

Then run PuttyGen by double clicking on the icon. You want to create a SSH RSA 2 key. Click “generate.” You’ll need to “create some randomness” by moving the cursor around the blank area. Nothing fancy, just move the mouse. Click “save public key” to save the public key. You’ll want to come up with some identifying name for it; let’s use myserver.pub. And then you’ll need to save the private key. Click “Save Private Key” and it’ll ask you for a passphrase. A passphrase is a good idea, but if your computer is in your house and nobody else uses it, et cetera, you may not need one. Use your judgement. If you’re doing this on a laptop or a thumbdrive, you’ll want to use a passphrase. It’s just like a password. Enter “myserver.ppk as the name of the key and click OK to continue.

Hopefully this is the only time you’ll need your password for your account at your host. Click on the putty.exe file and run it. Type the name of your host ( possibly www.domainname.com, however you’d normally connect ) into the host box and make sure “ssh” is selected for connection type. Connect, and type in your password. You’re logged in now! Yay! See if there’s already a .ssh directory there with the command “ls .ssh”. If it’s not there, create the .ssh directory with the command “mkdir .ssh.” Chmod it to usable only by you: “chmod 700 .ssh”.

Enter the .ssh directory ( cd .ssh ) and look for a file named “authorized_keys.” If it’s not there, don’t worry, we’ll create it. Go back to where you saved your public key ( above, with the PuttyGen software. The public key is the one named “myserver.pub.” Open it up with a text editor like notepad. It should look something like this:

ssh-rsa AAB3NzD+rXhGEB9Bt6kEotYi/+gvcGKrRpeNIIekJvnCj4jAsmu9eQHgwxJq1rsTqo0iJAw0B6w0LPn+0omkorYcqA89OK/gsI1VuFuS+WV4oFCXbRBqJJkdkxz972uOqj/rn7re/zn3oKzsPhqUKCtdjz/c7S/zAX5DLT/DDhWkzS4QzrlZYWI0H8ruKh7ZcmOd7texXFkFFRYca7djvsFIbLQ//KVMAZ2l78r53SSvnNd2GoF3n9yvQsslze0t7Dh9t1i4Hni53rc990jpw==

with a comment at the right end of it ( leave the comment there ). Copy that entire thing. Go back to the Putty window and type “cat >> authorized_keys” and hit return. The cursor will drop to the next line. Paste in your public key, hit enter, and then hit “Ctrl-D” and enter, and your authorized keys file will be complete. You’ll want to “chmod 600 authorized_keys” to make sure that only you can read it. Or write it. Make sure the file is only one line long; the ssh key shouldn’t be broken into separate lines.

Ok, exit from your putty program. Close it up and restart it. Enter your server’s host name again in the box, and ensure it’s set for SSH. On the left hand window pane, go to “connection” and then to “rlogin.” Enter your username. Then go down a little more in the left window and hit “SSH” and then “Auth.” Use the myserver.ppk private key for authentication. It’s just like every other file- browse box. Make sure you go back to the left hand pane, back up to “Session” and save it. You’ll need to enter a name in the “name” box and then press “save.”

To use it, double click on the saved name in the little window. If everything went according to plan, Putty will read the private key (you’ll need your passphrase here if you used one ), generate the public key, and then use that to authenticate with the server, and then log you in.

Note to self:don’t do “yum -y remove coreutils.”

It seemed like a good idea at the time. I installed CentOS 5 on a new computer with a big hard drive, intended solely for network storage over NFS. So I figured I’d remove all the unneeded packages. I ran “yum list | grep installed” to get a list of all the installed packages, and then made a long list of packages to remove.

When it got to the “doing it” part, it started throwing out this error…

/etc/rc.d/init.d/nfs: line 125: rm: command not found
/etc/init.d/functions: line 303: rm: command not found

/etc/rc.d/init.d/rpcidmapd: line 68: rm: command not found
/etc/rc.d/init.d/nfslock: line 29: uname: command not found

Well, what happened?

When I ran my “yum remove” line to remove the 25 or so packages, I included the -y flag, which assumes “yes” for everything. I scrolled up and it was removing some packages that required some of the packages that I was deleting. So, for instance, it was removing python. Nevermind that yum requires python. It was going. It was also removing coreutils, which is where uname and rm went. When I realized what it was doing, I aborted it.

My terminal is already fubar though.

scp still works, however, so I’m copying the /usr/ and the /lib/ and the /bin/ directories from another system with the same release and the same processor type, and I hope that when I do a “yum install” to replace all the packages that were removed that I’ll be back to normal in relatively no time. I don’t really feel like driving back down to the colocation again; it’s been twice already today.

Edit:
Nope, it’s broken. Off to the colo again. Don’t feel right about charging the client for my enthusiasm so it’ll be just me.

This script ( see that download link far to the right of “An MRTG script to allow graphing of concurrent calls in asterisk” ? ) is good, but I think it could be somewhat better.

That’s because in the version of asterisk we have on our system, the Manager interface outputs the channel in upper case not lower case: SIP not sip. So we had it configured for “sip” and it wasn’t returning anything. I changed it to “SIP” and it’s working again, but a case-insensitive flag would help me

Sometimes I wish that Panda Antivirus worked on a linux server. We had a server go rampant this morning, ramping its load from 0.25 to 299 ( and higher ) and the network traffic flipped a lid. When I finally got logged back into it, I discovered a file in a world-writable directory that was a user space ftp daemon( indiftpd ). It was, of course, running and listening to port 1940. Someone had put about 16GB of info on our server and it was being downloaded all over the net.

This server’s under suspicion now; I’ve removed the files and the daemon and I’ve fixed the world-writable directories. And then I went and made a mrtg page with just the network traffic information on it for each of the servers I maintain.

I’m giving serious thought to implementing iptables on all of these servers, though, and not merely the firewall. It’d be nice to know that it’s just me and a select group of freedomfighters who can connect to port 22 ( sshd ).

Here are two steps to using ssh to secure your server.

First, I assume you use ssh to connect to the server, and use a public/private key pair to help with security. In your .ssh/authorized_keys file, in front of the public key entry for the one you use, put “from=’(address)’ . So your line looks like this:

from=”209.31.6?.*,192.168.?.*” ssh-rsa (redacted).

What this’ll do is restrict the use of your key to your ip address ( as you can see from the example, you can use wildcards ).

Additionally, if you have a portable drive, like a usb keyfob, you can create a secondary key ( with a passphrase ) and add that as well; put the private key file ( not the .pub one ) on the drive. Add the shared public key to the authorized key file.

If you’re using linux’s ssh to connect, use the -i switch to specify the identity file ( the alternative key file ) like this:

ssh -i id_alternate user@server

It’ll prompt you for the passphrase.

I found this interesting tool that should help with search engine optimization.

While I’ve been around the internet a few times ( I’ve been here since 1993 ), I tend to think that SEO is easy. Using a tool like this does the quick tests for me and determines how well I’m doing. It gives good reminders for things like alt tags, description tags and the page title, and how well they match to the page.

Learned a lot about cacti today.

First, had a problem where I couldn’t get anything to go into the $argv variables in php. Even in a dummy “print_r($argv)” script. Nothing. var_dump claimed that the $argv array was null. I finally gave up and forced it to use the right php.ini file with the -c (path to php.ini) flags.

Second, had a problem where the mysql version didn’t support the global use of “show status” — so I had to make the adjustment to the mysql_stats file listed here… http://forums.cacti.net/about6108-0-asc-105.html

Third, had to remove the texts in “unit grid value” and recreate all my graphs. http://forums.cacti.net/about12327-0-asc-15.html

Fourth, and I was starting to feel kind of old-hat at this; some of the servers I was configuring were deduced by cacti to be “down” — and it refused to make graphs for me. I had to remove the snmp community string and cacti figured out not to check that for those servers (those servers didn’t have snmp running ).