Timing Page Loads

Posted on April 3rd, 2008 in Webmastering, system admin, system administration by Russ

Every morning, I had a client calling me and asking “Is our server abnormally unresponsive?” They were browsing their website and it seemed to them that the pages were taking longer than usual to render. Once I figured out why they were asking and what they were measuring with, I realized I could graph this amount of time; the important thing was figuring out how to get this information.

Here’s what I came up with: I was already running mrtg-rrd to do much of their graphing, so I wanted to create an MRTG Target line to correspond to “how long does our page take to render.” I wrote a script to run “/path/to/wget --delete-after -pq (page) -O /tmp/garbage” and display the amount of time it took. I wrote it in PHP because it was easiest.

<?php
// The page to time is passed on the command line; the fallback URL is a placeholder.
$site = isset($argv[1]) ? $argv[1] : 'http://www.example.com/';
// wget -p fetches the page plus the images, CSS and scripts it needs;
// --delete-after throws the download away once it is complete.
$wget = "/usr/bin/wget -pq --delete-after -O /tmp/garbage";
$toget = escapeshellarg($site);
$start = microtime(true);
exec("$wget $toget", $out, $e);
$end = microtime(true);
$dur = round($end - $start, 3);
print "$dur\n";

The problem with this is that I was running it on their gateway; their gateway is also the monitor and grapher. It was taking less than a second to render the page ( because of local network speeds ). Instead, I wanted it to more closely correspond to what the client would be seeing. Their development server is at their office; so I put the script there and wrote the MRTG target to point at a local ( on the gateway ) script that got the value from the development server, printed it twice, printed the date and the name of the site. It looks like this:

<?php
$user = 'foo';
$password = 'bar';
$sitename = 'example.com';
// Ask the copy of the timing script on the development server for its number.
// Note: credentials on a command line are visible to other local users via ps.
exec("/usr/bin/lynx -auth=" . escapeshellarg("$user:$password") . " --dump http://developmentserver.com/scriptname.php", $out, $e);
// Skip any leading blank or non-numeric lines of output and take the first number.
$time = 0;
while (($time == 0) && (count($out) > 0)) {
    $time = (float) array_shift($out);
}
// MRTG expects two values, then an uptime/date line, then a name.
print "$time\n";
print "$time\n";
print date("r\n");
print "$sitename\n";

A couple of important caveats. The day after I started running this ( it averages around 4.6 seconds, btw, much too long imho ), the displayed time doubled. It could have been a change to the page we’re looking for, but it turned out to be a DNS issue on the development server. So DNS is important. This doesn’t take into account the amount of time a browser takes to render a page; it’s just the time to download all the pieces. So processor intensive stuff, like super heavy javascript or super heavy tables, won’t show up here. However, if you keep in mind what the value is, how long to resolve and download all the pieces of a web page, this is a useful metric.
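The same measurement as an added Python example (not the author’s PHP scripts): it times DNS resolution separately from the download, so the DNS problem described above shows up as its own number, and it emits the four lines an MRTG external target reads. It fetches only the one URL, not the page’s prerequisites the way wget -p does; the command-line argument, the injectable resolver/opener and the placeholder www.example.com are assumptions.

```python
import socket
import sys
import time
import urllib.request
from urllib.parse import urlparse


def time_dns(host, resolver=socket.getaddrinfo):
    """Seconds spent resolving host; a slow or broken resolver shows up here, not in the download."""
    start = time.monotonic()
    resolver(host, None)
    return time.monotonic() - start


def time_download(url, opener=urllib.request.urlopen, timeout=30):
    """Seconds to pull the whole response body; no rendering, like the wget run in the post."""
    start = time.monotonic()
    with opener(url, timeout=timeout) as resp:
        while resp.read(65536):
            pass
    return time.monotonic() - start


def measure(url, resolver=socket.getaddrinfo, opener=urllib.request.urlopen):
    """Return (dns_seconds, download_seconds); resolver and opener are injectable for testing."""
    host = urlparse(url).hostname
    if host is None:
        raise ValueError("URL has no host: %r" % url)
    return time_dns(host, resolver), time_download(url, opener)


def mrtg_lines(in_value, out_value, sitename, now=None):
    """The four lines an MRTG external target expects: value in, value out, date, name."""
    stamp = time.strftime("%a, %d %b %Y %H:%M:%S %z", now or time.localtime())
    return ["%.3f" % in_value, "%.3f" % out_value, stamp, sitename]


if __name__ == "__main__":
    # Placeholder default; pass the real page URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.example.com/"
    dns, download = measure(target)
    # MRTG carries two numbers per target: here DNS time and download time,
    # so a resolver problem is visible as its own line on the graph.
    print("\n".join(mrtg_lines(dns, download, urlparse(target).hostname)))
```

Reporting DNS and download as the two MRTG values (instead of the same value twice) is the design choice here; with the post’s scripts the doubled number could not be told apart from a slow page.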

How To Configure An Automated Login

Posted on February 6th, 2008 in system admin by Russ

I’ll be honest, I do a lot of command line work. Of course you know by now that Telnet, the granddaddy of connecting-to-command-line programs isn’t very secure, so reasonable people ( and even a few unreasonable ones ) have turned to an encrypted protocol called SSH for their command line needs.

I ssh to the servers my sites are on in order to look at server statistics. I can’t stand automatically generated passwords with numbers, letters, capital letters, punctuation and more than thirty-five characters. They’re irritating, though pretty secure, I’ll admit. So here’s what to do in order to connect more automatically with your server.

First, make sure you have SSH access. With Site 5, it took me an email. With Hostgator, it took an email and a scanned copy of my driver’s license. No big deal, really. Ok, now you’ve got access to the server, what next?

I like an SSH client named Putty. Don’t use this in countries that outlaw encryption, for gods’ sake! Download Putty and PuttyGen ( you’ll need this in a couple of minutes ). You can save them to your desktop, or to a thumbdrive, or whatever. Save the files.

Then run PuttyGen by double clicking on the icon. You want to create an SSH-2 RSA key. Click “generate.” You’ll need to “create some randomness” by moving the cursor around the blank area. Nothing fancy, just move the mouse. Click “save public key” to save the public key. You’ll want to come up with some identifying name for it; let’s use myserver.pub. And then you’ll need to save the private key. Click “Save Private Key” and it’ll ask you for a passphrase. A passphrase is a good idea, but if your computer is in your house and nobody else uses it, et cetera, you may not need one. Use your judgement. If you’re doing this on a laptop or a thumbdrive, you’ll want to use a passphrase. It’s just like a password. Enter “myserver.ppk” as the name of the key and click OK to continue.

Hopefully this is the only time you’ll need your password for your account at your host. Click on the putty.exe file and run it. Type the name of your host ( possibly www.domainname.com, however you’d normally connect ) into the host box and make sure “ssh” is selected for connection type. Connect, and type in your password. You’re logged in now! Yay! See if there’s already a .ssh directory there with the command “ls .ssh”. If it’s not there, create the .ssh directory with the command “mkdir .ssh”. Chmod it so it’s usable only by you: “chmod 700 .ssh”.

Enter the .ssh directory ( cd .ssh ) and look for a file named “authorized_keys.” If it’s not there, don’t worry, we’ll create it. Go back to where you saved your public key ( above, with the PuttyGen software ). The public key is the one named “myserver.pub.” Open it up with a text editor like notepad. It should look something like this:

ssh-rsa AAB3NzD+rXhGEB9Bt6kEotYi/+gvcGKrRpeNIIekJvnCj4jAsmu9eQHgwxJq1rsTqo0iJAw0B6w0LPn+0omkorYcqA89OK/gsI1VuFuS+WV4oFCXbRBqJJkdkxz972uOqj/rn7re/zn3oKzsPhqUKCtdjz/c7S/zAX5DLT/DDhWkzS4QzrlZYWI0H8ruKh7ZcmOd7texXFkFFRYca7djvsFIbLQ//KVMAZ2l78r53SSvnNd2GoF3n9yvQsslze0t7Dh9t1i4Hni53rc990jpw==

with a comment at the right end of it ( leave the comment there ). Copy that entire thing. Go back to the Putty window and type “cat >> authorized_keys” and hit return. The cursor will drop to the next line. Paste in your public key, hit enter, and then hit “Ctrl-D” and enter, and your authorized keys file will be complete. You’ll want to “chmod 600 authorized_keys” to make sure that only you can read it. Or write it. Make sure the file is only one line long; the ssh key shouldn’t be broken into separate lines.

Ok, exit from your putty program. Close it up and restart it. Enter your server’s host name again in the box, and ensure it’s set for SSH. On the left hand window pane, go to “connection” and then to “rlogin.” Enter your username. Then go down a little more in the left window and hit “SSH” and then “Auth.” Use the myserver.ppk private key for authentication. It’s just like every other file-browse box. Make sure you go back to the left hand pane, back up to “Session” and save it. You’ll need to enter a name in the “name” box and then press “save.”

To use it, double click on the saved name in the little window. If everything went according to plan, Putty will read the private key (you’ll need your passphrase here if you used one ), generate the public key, and then use that to authenticate with the server, and then log you in.

Stupid “Yum” tricks.

Posted on January 25th, 2008 in system admin by Russ

Note to self: don’t do “yum -y remove coreutils.”

It seemed like a good idea at the time. I installed CentOS 5 on a new computer with a big hard drive, intended solely for network storage over NFS. So I figured I’d remove all the unneeded packages. I ran “yum list | grep installed” to get a list of all the installed packages, and then made a long list of packages to remove.

When it got to the “doing it” part, it started throwing out this error…

/etc/rc.d/init.d/nfs: line 125: rm: command not found
/etc/init.d/functions: line 303: rm: command not found

/etc/rc.d/init.d/rpcidmapd: line 68: rm: command not found
/etc/rc.d/init.d/nfslock: line 29: uname: command not found

Well, what happened?

When I ran my “yum remove” line to remove the 25 or so packages, I included the -y flag, which assumes “yes” for everything. I scrolled up and it was removing some packages that required some of the packages that I was deleting. So, for instance, it was removing python. Nevermind that yum requires python. It was going. It was also removing coreutils, which is where uname and rm went. When I realized what it was doing, I aborted it.

My terminal is already fubar though.

scp still works, however, so I’m copying the /usr/ and the /lib/ and the /bin/ directories from another system with the same release and the same processor type, and I hope that when I do a “yum install” to replace all the packages that were removed that I’ll be back to normal in relatively no time. I don’t really feel like driving back down to the colocation again; it’s been twice already today.

Edit:
Nope, it’s broken. Off to the colo again. Don’t feel right about charging the client for my enthusiasm so it’ll be just me.

Asterisk-mrtg.pl

Posted on January 20th, 2008 in system admin by Russ

This script ( see that download link far to the right of “An MRTG script to allow graphing of concurrent calls in asterisk” ? ) is good, but I think it could be somewhat better.

That’s because in the version of asterisk we have on our system, the Manager interface outputs the channel in upper case not lower case: SIP not sip. So we had it configured for “sip” and it wasn’t returning anything. I changed it to “SIP” and it’s working again, but a case-insensitive flag would help me :)

Two steps to securing your server

Posted on January 2nd, 2008 in system admin by Russ

Here are two steps to using ssh to secure your server.

First, I assume you use ssh to connect to the server, and use a public/private key pair to help with security. In your .ssh/authorized_keys file, in front of the public key entry for the one you use, put from="(address)". So your line looks like this:

from="209.31.6?.*,192.168.?.*" ssh-rsa (redacted).

What this’ll do is restrict the use of your key to your IP address ( as you can see from the example, you can use wildcards ).
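An added Python example (not the author’s code) that covers two checks from these posts: the “authorized_keys must be one line per key” rule from the Putty walkthrough, and the from= restriction just described. It parses an authorized_keys line the way sshd does (options up to the first unquoted space, key type, base64 blob whose wire format repeats the key type, comment), rejects the multi-line “---- BEGIN SSH2 PUBLIC KEY ----” file that PuTTYgen’s “save public key” writes, and evaluates a from= pattern list against a client address with sshd’s rules: “*” and “?” wildcards, and a matching “!” pattern that denies outright. Try your pattern against your own address with host_allowed before you save the file, so you do not lock yourself out. The sample key blob is constructed and is not a real key.

```python
import base64
import re
import struct

# Key types sshd accepts in authorized_keys (the posts use ssh-rsa).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed sample: a syntactically valid ssh-rsa blob (type string + exponent 3), not a real key.
_SAMPLE_BLOB = struct.pack(">I", 7) + b"ssh-rsa" + b"\x00\x00\x00\x01\x03"
SAMPLE_LINE = 'from="209.31.6?.*,192.168.?.*" ssh-rsa %s russ@example' % base64.b64encode(_SAMPLE_BLOB).decode()


def _split_options(line):
    """Options end at the first whitespace that is not inside double quotes."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_authorized_key(line):
    """Parse one authorized_keys line into options, key type, decoded blob and comment."""
    line = line.strip()
    if not line:
        raise ValueError("empty line")
    if line.startswith("----"):
        raise ValueError("RFC 4716 format (PuTTYgen 'Save public key'); paste the one-line ssh-rsa form")
    options, rest = ("", line) if line.split()[0] in KEY_TYPES else _split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not a complete single-line public key: %r" % line[:40])
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    # SSH wire format: the blob begins with a length-prefixed copy of the key type.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key blob does not match key type %s" % key_type)
    return {"options": options, "type": key_type, "blob": blob,
            "comment": parts[2] if len(parts) == 3 else ""}


def load_authorized_keys(text):
    """Every non-blank, non-comment line must be a complete key; a key wrapped onto two lines fails here."""
    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            keys.append(parse_authorized_key(line))
        except ValueError as exc:
            raise ValueError("line %d: %s" % (lineno, exc))
    return keys


def from_patterns(options):
    """The pattern list inside from="...", or None when the key is unrestricted."""
    m = re.search(r'from="([^"]*)"', options)
    return m.group(1).split(",") if m else None


def _match(pattern, value):
    """sshd wildcards: '*' matches any run of characters, '?' exactly one; the rest is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def host_allowed(patterns, address):
    """sshd's rule: a matching '!' pattern denies immediately; otherwise some positive pattern must match."""
    if patterns is None:
        return True
    positive = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if _match(pattern[1:], address):
                return False
        elif _match(pattern, address):
            positive = True
    return positive
```

sshd matches from= patterns against the client’s IP address and, when reverse DNS is enabled, its canonical hostname too; the checker above only takes the address you hand it, so test with the address the server actually sees you coming from.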

Additionally, if you have a portable drive, like a usb keyfob, you can create a secondary key ( with a passphrase ) and add that as well; put the private key file ( not the .pub one ) on the drive. Add the shared public key to the authorized key file.

If you’re using linux’s ssh to connect, use the -i switch to specify the identity file ( the alternative key file ) like this:

ssh -i id_alternate user@server

It’ll prompt you for the passphrase.

The Thorns of Cacti

Posted on December 12th, 2007 in system admin by Russ

Learned a lot about cacti today.

First, had a problem where I couldn’t get anything to go into the $argv variables in php. Even in a dummy “print_r($argv)” script. Nothing. var_dump claimed that the $argv array was null. I finally gave up and forced it to use the right php.ini file with the -c (path to php.ini) flag.

Second, had a problem where the mysql version didn’t support the global use of “show status” — so I had to make the adjustment to the mysql_stats file listed here… http://forums.cacti.net/about6108-0-asc-105.html

Third, had to remove the texts in “unit grid value” and recreate all my graphs. http://forums.cacti.net/about12327-0-asc-15.html

Fourth, and I was starting to feel kind of old-hat at this; some of the servers I was configuring were deduced by cacti to be “down” — and it refused to make graphs for me. I had to remove the snmp community string and cacti figured out not to check that for those servers (those servers didn’t have snmp running ).

You get what you pay for

Posted on August 22nd, 2007 in system admin by Russ

I’ve learned something very important in a project I’ve been working on this week. You get what you pay for. Never again will I purchase a hosting package at 1and1.com. Between problems transferring my domain, to problems importing a database, even to problems setting up a database: how can it take three hours to create a freaking database? I’m talking “create database” here!

Snort Alerts via RSS

Posted on May 19th, 2007 in system admin by Russ

IMified is getting the means to watch an RSS feed, and I myself rely on lots of RSS feeds throughout my day. I wanted to cobble together a Snort->RSS feed tool, and couldn’t find one. So I wrote a Perl script, but my perl-fu isn’t what I’d like it to be. Feel free to comment on this terrible script. It does, however, validate and work.
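An added Python example of the Snort-to-RSS idea (the author’s Perl script is not reproduced here): a parser for Snort’s alert_fast line layout and an RSS 2.0 builder that gives each alert a stable guid so a feed reader does not show the same alert twice. The sample alert lines are constructed, and the feed title and link are placeholders.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Snort's alert_fast layout: date-time, [**], [gid:sid:rev] message [**],
# optional classification, priority, {proto} src -> dst.  Ports are absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<stamp>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample alerts (not real traffic); sids are in the local 1000000+ range.
SAMPLE_ALERTS = """\
05/19-08:12:03.112233  [**] [1:1000001:1] CONSTRUCTED test rule [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1
05/19-08:12:09.500000  [**] [1:1000002:2] CONSTRUCTED rule with <angle> brackets [**] [Priority: 2] {TCP} 10.0.0.7:51515 -> 10.0.0.1:22
this line is not an alert and is skipped
"""


def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None when it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    fields["cls"] = fields["cls"] or ""
    return fields


def parse_alerts(text):
    """Parse a whole alert file, silently skipping lines that do not match."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def build_rss(alerts, title="Snort alerts", link="http://localhost/snort", max_items=50):
    """Render the newest alerts (last in the file, first in the feed) as an RSS 2.0 document string."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = title
    ET.SubElement(channel, "link").text = link
    ET.SubElement(channel, "description").text = "Alerts parsed from Snort's alert_fast output"
    for a in reversed(alerts[-max_items:]):
        item = ET.SubElement(channel, "item")
        # ElementTree escapes <, > and & in the message, so rule text cannot break the XML.
        ET.SubElement(item, "title").text = "[%s] %s" % (a["prio"], a["msg"])
        ET.SubElement(item, "description").text = "%s %s -> %s (sid %s:%s:%s, %s)" % (
            a["proto"], a["src"], a["dst"], a["gid"], a["sid"], a["rev"], a["cls"] or "unclassified")
        # A stable guid per alert keeps readers from presenting the same alert again on every poll.
        ET.SubElement(item, "guid", isPermaLink="false").text = hashlib.sha1(
            ("%s|%s|%s|%s" % (a["stamp"], a["sid"], a["src"], a["dst"])).encode()).hexdigest()
    return ET.tostring(rss, encoding="unicode")


if __name__ == "__main__":
    print(build_rss(parse_alerts(SAMPLE_ALERTS)))
```

alert_fast timestamps carry no year unless Snort is started with the option that adds it, so the guid above combines the timestamp with sid, source and destination rather than relying on the timestamp alone.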

Encryption

Posted on May 16th, 2007 in system admin by Russ

I used to work for a self-proclaimed genius. One thing he drilled into my head, however, was that “one random pass is good enough,” because you couldn’t really get more random. And as a corollary, he only believed that we needed to encrypt things once; you take a document, or a password, or whatever, and encrypt it, and it’s essentially unbreakable.

I’ve been taught differently now. Basically it’s true that undoing encryption hasn’t gotten much easier, but it might be difficult to survive a dictionary attack where they use the same encryption on your password that you used; the goal is not to find out what your password is, but rather to get past the password. So this author recommends encrypting the password ten times. What that would do is essentially multiply-by-ten the time it would take to build the password list. ( They also recommend several other steps; I recommend you read their article). And it also multiplies by ten the number of keys the cracker has to try; one for each level of encryption.
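The “encrypt the password ten times” recommendation as an added Python example (not from this post or the article it refers to): a chained hash whose round count is stored next to the salt, so every dictionary guess costs the attacker the same ten rounds, plus PBKDF2-HMAC-SHA256 as the standardised form of the same construction. The function and record-field names are assumptions.

```python
import hashlib
import hmac
import os


def stretch(password, salt, rounds):
    """Hash the salted password 'rounds' times, feeding each digest into the next.

    Anyone running a word list through the same function pays for every round on
    every guess, which is what the post means by multiplying the time by ten.
    """
    if rounds < 1:
        raise ValueError("rounds must be at least 1")
    digest = password
    for _ in range(rounds):
        digest = hashlib.sha256(salt + digest).digest()
    return digest


def pbkdf2(password, salt, rounds, length=32):
    """The same idea in its standard form: PBKDF2 with HMAC-SHA256 (RFC 2898)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, rounds, length)


def make_record(password, rounds=10, salt=None):
    """Store the salt and round count beside the hash so the count can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt, "rounds": rounds, "hash": stretch(password, salt, rounds)}


def verify(password, record):
    """Recompute with the stored salt and rounds; constant-time compare so the check leaks nothing."""
    candidate = stretch(password, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])
```

Keeping the round count in the record is what lets you move from ten rounds to a much larger number later without invalidating existing passwords until each user next logs in.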