Stupid “Yum” tricks.

Posted on January 25th, 2008 in system admin by Russ

Note to self: don’t do “yum -y remove coreutils.”

It seemed like a good idea at the time. I installed CentOS 5 on a new computer with a big hard drive, intended solely for network storage over NFS. So I figured I’d remove all the unneeded packages. I ran “yum list | grep installed” to get a list of all the installed packages, and then made a long list of packages to remove.

When it got to the “doing it” part, it started throwing out this error…

/etc/rc.d/init.d/nfs: line 125: rm: command not found
/etc/init.d/functions: line 303: rm: command not found

/etc/rc.d/init.d/rpcidmapd: line 68: rm: command not found
/etc/rc.d/init.d/nfslock: line 29: uname: command not found

Well, what happened?

When I ran my “yum remove” line to remove the 25 or so packages, I included the -y flag, which assumes “yes” for everything. I scrolled up and it was removing some packages that required some of the packages that I was deleting. So, for instance, it was removing python. Never mind that yum requires python. It was going. It was also removing coreutils, which is where uname and rm went. When I realized what it was doing, I aborted it.

My terminal is already fubar though.

scp still works, however, so I’m copying the /usr/ and the /lib/ and the /bin/ directories from another system with the same release and the same processor type, and I hope that when I do a “yum install” to replace all the packages that were removed that I’ll be back to normal in relatively no time. I don’t really feel like driving back down to the colocation again; it’s been twice already today.

Edit:
Nope, it’s broken. Off to the colo again. Don’t feel right about charging the client for my enthusiasm so it’ll be just me.
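The check that would have caught the mistake in the post above, as an added example (this is not code from the original post): let yum print the transaction it intends to run, decline it at the prompt, and scan the plan for packages the box cannot live without before ever adding -y. The sample plan embedded here is constructed to look like yum's "Dependencies Resolved" summary on CentOS 5; the package versions in it are made up, and feeding `n` to yum on stdin to decline the prompt is my assumption about how to capture the plan non-interactively.

```shell
#!/bin/sh
# Added example, not code from the original post. A pre-flight check for a
# yum removal: run "yum remove PKGS" WITHOUT -y, answer N at the prompt, and
# pass the captured plan through flag_protected_removals. The SAMPLE_PLAN
# below is constructed to mimic yum's transaction summary; versions are fake.
set -f   # package lines are word-split below; stop '*' in them from globbing

# Packages that must never show up in a removal plan on a host you still
# intend to log in to. Extend to taste (rpm, yum and python are what yum
# itself needs; coreutils is where rm and uname live; sshd is your way in).
PROTECTED="yum rpm python coreutils glibc bash openssh-server"

# flag_protected_removals < PLAN
# Reads a yum transaction summary on stdin. Package lines sit under the
# "Removing:" and "Removing for dependencies:" headings and are indented by
# one space; any unindented line (including a blank one) ends the section.
# Prints the protected packages found, one per line, and returns 1 if there
# were any, 0 otherwise.
flag_protected_removals() {
    in_section=0
    hits=""
    while IFS= read -r line; do
        case $line in
            "Removing:"*|"Removing for dependencies:"*) in_section=1; continue ;;
            " "*) ;;                     # indented: a package line, if in section
            *) in_section=0; continue ;;
        esac
        [ "$in_section" -eq 1 ] || continue
        set -- $line                     # first field is the package name
        for p in $PROTECTED; do
            if [ "$1" = "$p" ]; then
                hits="${hits:+$hits }$1"
            fi
        done
    done
    [ -n "$hits" ] || return 0
    printf '%s\n' $hits
    return 1
}

# Constructed sample: what the plan looks like when coreutils was typed into
# the removal list and yum pulls python and itself along as dependencies.
SAMPLE_PLAN='Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Removing:
 coreutils               x86_64     5.97-14.el5      installed         10 M
 wireless-tools          x86_64     28-2.el5         installed        170 k
Removing for dependencies:
 python                  x86_64     2.4.3-24.el5     installed         16 M
 yum                     noarch     3.2.8-9.el5      installed        2.9 M

Transaction Summary
=============================================================================
Remove       4 Package(s)

Is this ok [y/N]: '

# Real run (assumption: yum reads the y/N answer from stdin):
#   echo n | yum remove $PKGS | tee /root/remove-plan.txt | flag_protected_removals
# Demonstration on the constructed plan:
if printf '%s\n' "$SAMPLE_PLAN" | flag_protected_removals; then
    echo "plan looks safe"
else
    echo "ABORT: the plan removes the protected packages listed above"
fi
```

The function only trusts the indentation yum uses for package rows, so it does not care how wide the columns are or which repository column appears; if a future yum changes the section headings, the case statement is the one place to update.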

Asterisk-mrtg.pl

Posted on January 20th, 2008 in system admin by Russ

This script ( see that download link far to the right of “An MRTG script to allow graphing of concurrent calls in asterisk” ? ) is good, but I think it could be somewhat better.

That’s because in the version of asterisk we have on our system, the Manager interface outputs the channel in upper case not lower case: SIP not sip. So we had it configured for “sip” and it wasn’t returning anything. I changed it to “SIP” and it’s working again, but a case-insensitive flag would help me :)

Script Haxxors!

Posted on January 19th, 2008 in Uncategorized by Russ

Sometimes I wish that Panda Antivirus worked on a linux server. We had a server go rampant this morning, ramping its load from 0.25 to 299 ( and higher ), and the network traffic flipped its lid. When I finally got logged back into it, I discovered a file in a world-writable directory that was a user-space ftp daemon ( indiftpd ). It was, of course, running and listening on port 1940. Someone had put about 16GB of info on our server and it was being downloaded all over the net.

This server’s under suspicion now; I’ve removed the files and the daemon and I’ve fixed the world-writable directories. And then I went and made an mrtg page with just the network traffic information on it for each of the servers I maintain.

I’m giving serious thought to implementing iptables on all of these servers, though, and not merely the firewall. It’d be nice to know that it’s just me and a select group of freedomfighters who can connect to port 22 ( sshd ).
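The two checks a sysadmin would want to script after an incident like the one in this post, as an added example (not code from the original post): find directories anyone can write into, and list what is listening on the network. The directory names used in the comments and the port number 1940 come from the post; everything else is generic.

```shell
#!/bin/sh
# Added example, not code from the original post. Finds and fixes directories
# that anyone can drop a binary into, and lists listening daemons so an
# unexpected port like 1940 stands out.

# world_writable_dirs ROOT
# Prints every directory under ROOT, staying on one filesystem, that is
# world-writable (o+w) and lacks the sticky bit. Sticky world-writable
# directories such as /tmp are tolerated: anyone can create files there, but
# only the owner can delete or rename them.
world_writable_dirs() {
    find "$1" -xdev -type d -perm -002 ! -perm -1000 2>/dev/null
}

# fix_world_writable_dirs ROOT [apply]
# Dry run by default: prints the chmod it would run for each offending
# directory. Pass "apply" as the second argument to remove other-write.
fix_world_writable_dirs() {
    root=$1
    mode=${2:-dryrun}
    world_writable_dirs "$root" | while IFS= read -r d; do
        if [ "$mode" = apply ]; then
            chmod o-w "$d" && echo "fixed: $d"
        else
            echo "would run: chmod o-w $d"
        fi
    done
}

# listening_daemons
# Listening TCP and UDP sockets with the owning PID and program name (needs
# root to see other users' processes). A line like 0.0.0.0:1940 next to a
# program you did not install is what to go looking for.
listening_daemons() {
    netstat -tulnp 2>/dev/null
}

# Typical use on a suspect host:
#   world_writable_dirs /            # review the list first
#   fix_world_writable_dirs / apply  # then take other-write away
#   listening_daemons
```

Run the dry run first and read it: some software legitimately needs a world-writable spool directory, and the right fix there is usually to add the sticky bit (chmod +t) rather than to remove write access.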

Two steps to securing your server

Posted on January 2nd, 2008 in system admin by Russ

Here are two steps that make ssh access to your server harder to abuse.

First, I assume you use ssh to connect to the server, and authenticate with a public/private key pair rather than a password. In your .ssh/authorized_keys file on the server, in front of the public key entry for the key you use, put from="(pattern-list)", where the pattern list names the addresses you connect from. So your line looks like this:

from="209.31.6?.*,192.168.?.*" ssh-rsa (redacted)

What this does is restrict the use of that key to connections coming from an address that matches the pattern list ( as you can see from the example, you can use wildcards: * matches any run of characters and ? matches exactly one, so 192.168.?.* covers 192.168.0.x through 192.168.9.x but not 192.168.10.x ). sshd matches the patterns against the client’s IP address and also its canonical hostname, and a key presented from anywhere else is simply refused, so keep a second session open while you test the line or you can lock yourself out. This is on top of the key itself, not a replacement for it.

Additionally, if you have a portable drive, like a usb keyfob, you can create a secondary key pair with ssh-keygen ( give it a passphrase ) and add that as well: put the private key file ( not the .pub one ) on the drive, readable only by you, and append the contents of the matching .pub file to the authorized_keys file on the server, with its own from= entry if you like.

If you’re using OpenSSH on Linux to connect, use the -i switch to specify the identity file ( the private key on the drive ) like this:

ssh -i id_alternate user@server

It’ll prompt you for the passphrase.
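Both steps worked through in code, as an added example that is not part of the original post. The address patterns are the ones from the post; the key material, the user name and the mount point /media/keyfob are assumptions. The first function reimplements how sshd evaluates a from= pattern list so you can test a pattern against an address before trusting it (sshd also matches the client's canonical hostname, which this helper does not look up).

```shell
#!/bin/sh
# Added example, not code from the original post. Exercises both steps:
# the from= restriction on an authorized_keys line, and a passphrase-protected
# secondary key kept on a removable drive. Addresses, key text and the mount
# point /media/keyfob are made up for illustration.
set -f   # no pathname globbing: the from= patterns contain '*' and '?'

# addr_matches_from PATTERN_LIST ADDRESS
# Mirrors sshd's from="..." rules: a comma-separated list of shell-style
# patterns ('*' any run of characters, '?' exactly one); a pattern prefixed
# with '!' denies outright; otherwise at least one pattern must match.
# Returns 0 (allowed) or 1 (denied).
addr_matches_from() {
    list=$1
    addr=$2
    allowed=1
    saved_ifs=$IFS
    IFS=,
    for pat in $list; do
        case $pat in
            '!'*)
                neg=${pat#!}
                case $addr in
                    $neg) IFS=$saved_ifs; return 1 ;;   # negated match: refuse
                esac
                ;;
            *)
                case $addr in
                    $pat) allowed=0 ;;                  # positive match: allow
                esac
                ;;
        esac
    done
    IFS=$saved_ifs
    return $allowed
}

# authorized_keys_line PATTERN_LIST PUBKEY_LINE
# Builds the line to paste into ~/.ssh/authorized_keys: the from= option,
# a space, then the public key exactly as it appears in the .pub file.
authorized_keys_line() {
    printf 'from="%s" %s\n' "$1" "$2"
}

# provision_portable_key MOUNTPOINT PATTERN_LIST
# The second step as commands (not run here; needs ssh-keygen and the drive):
# generate the secondary key pair directly on the drive, get prompted for a
# passphrase, lock down the private half, and print the authorized_keys line
# for the public half. Later: ssh -i MOUNTPOINT/id_alternate user@server
provision_portable_key() {
    mount=$1
    ssh-keygen -t rsa -b 4096 -f "$mount/id_alternate" -C "portable key" || return 1
    chmod 600 "$mount/id_alternate"
    authorized_keys_line "$2" "$(cat "$mount/id_alternate.pub")"
}

# Demonstration with the post's patterns. Note 192.168.10.5: "192.168.?.*"
# rejects it, because '?' matches exactly one character.
for a in 209.31.63.10 192.168.1.5 192.168.10.5 10.0.0.1; do
    if addr_matches_from '209.31.6?.*,192.168.?.*' "$a"; then
        echo "$a: allowed"
    else
        echo "$a: denied"
    fi
done
```

If the third octet of your LAN is ever two digits, write the pattern as 192.168.* (or list the subnets explicitly) rather than relying on ?, and test the list with the matcher before you put it on the server.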