look out honey 'cause I'm using technology


HOWTO monitor your servers via Twitter

Alert: your server has failed!

The other day I got inspired to write a script that would allow me to monitor my servers via Twitter. The idea of having a column in Tweetdeck set aside to inform me of my servers' statuses sounded cool, plus it's quicker than checking email. I know sending tweets from the command line had been done before, but after seeing briealeida's post titled Tweeting Cron Jobs I really got inspired. While hers was written in Perl, I didn't want to go that route since I had a few self-imposed restrictions I wanted to stick to. One, I only wanted to use standard shell commands, the ones you get by default in Linux, so you would have absolutely no dependencies to install for this to work. Two, I wanted to see how much info I could stuff into a 140-character tweet and still have it make sense. While I'm still working on adding more info, the current state of the script gives me a quick snapshot of seven specific metrics on a selected server, which I'm quite happy with. To try it yourself only takes a few minutes.
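As an added example (this is not the post's script), here is the gathering-and-packing half of such a tool written with nothing but /proc, coreutils and awk. The metric layout, the 137+"..." truncation rule and the `--run` flag are my choices; the fields are one of many ways to fit seven numbers into 140 characters. Posting the line is deliberately left out: the Basic-Auth API that 2009-era scripts used with curl no longer exists, so use whatever client your account needs.

```shell
#!/bin/sh
# Added example, not the post's script: gather a handful of host metrics with
# tools found on any Linux box and pack them into a status line that fits
# the 140-character limit Twitter had at the time.

# Build the status line from already-collected values, so the layout can be
# checked with fixed inputs. Args: host load1 mem% disk% updays procs users
compose_status() {
  printf '%s up%sd ld:%s mem:%s%% /:%s%% pr:%s usr:%s' \
    "$1" "$5" "$2" "$3" "$4" "$6" "$7"
}

# Cut to 140 characters, marking the cut with "..." so a truncated tweet is
# never mistaken for a complete one (137 characters + 3 dots = 140).
fit_140() {
  s=$1
  if [ "${#s}" -gt 140 ]; then
    printf '%s...' "$(printf '%s' "$s" | cut -c1-137)"
  else
    printf '%s' "$s"
  fi
}

# Collect the live values from /proc and coreutils only (no extra packages).
# MemAvailable needs a 3.14+ kernel; on older boxes substitute MemFree.
collect_status() {
  host=$(hostname)
  load=$(cut -d' ' -f1 /proc/loadavg)
  mem=$(awk '/^MemTotal/{t=$2} /^MemAvailable/{a=$2} END{printf "%d", (t-a)*100/t}' /proc/meminfo)
  disk=$(df -P / | awk 'NR==2{sub("%","",$5); print $5}')
  updays=$(awk '{printf "%d", $1/86400}' /proc/uptime)
  procs=$(ls -d /proc/[0-9]* | wc -l | tr -d ' ')
  users=$(who 2>/dev/null | wc -l | tr -d ' ')
  fit_140 "$(compose_status "$host" "$load" "$mem" "$disk" "$updays" "$procs" "$users")"
}

# Run with --run to print the line; without it the file only defines
# functions, so it can be sourced from a cron wrapper.
if [ "${1-}" = "--run" ]; then
  collect_status
  echo
fi
```

Run it with `sh status.sh --run`. One thing the post glosses over: if the account is public you are broadcasting hostnames, uptime and disk pressure to anyone who looks, which is useful reconnaissance. Use a protected account, and keep real hostnames out of the line if you can.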


HOWTO use monit to monitor sites and alert users

Ok, I've used the process management software monit since at least 2004, and it is simply an indispensable tool in my sysadmin toolkit. Basically it watches a process, say Apache, and restarts it if it dies. But wait, that's not all, it does tons of other things. Want it to watch it and restart it at a certain time? Sure. How about if it uses 50% of system memory for 5 cycles (cycles are checks, 120 seconds by default)? Yep, it'll take care of that. How about watching a file and stopping a service and/or issuing an alert by email or web if the file's UID, permissions, or whatever has changed? No problem. Disk usage greater than 90% on one partition and you want an email to go out to the admin? Easy. Seriously, once you start using monit you'll be amazed at what you can cover; it's truly one of the best tools I've ever used, and of course it's GPL'd open source.

So, this week we had an issue where some of our sites were down, and the monitor that watches them was internal to our network and relied on some of the same resources, which is less than ideal. I have a remote server running at one of our partner's sites, so it's the perfect candidate to watch our sites from a 'real world' view.
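As an added example (not from the post or from the monit project), here is a small shell script that writes the monit stanzas for watching public sites from an outside host, the arrangement described above. The hostnames, the alert address and the 10-second timeout are placeholders of mine; the stanza syntax is monit 5.x's `check host` test, which probes the site over HTTPS and plain HTTP from wherever monit runs, so it does not depend on the resources it is watching.

```shell
#!/bin/sh
# Added example (not monit's own config or the post's): emit monit "check host"
# stanzas that watch public sites from an outside box, so the monitor does
# not share the resources it is monitoring. Assumes monit 5.x syntax.

# Header: daemon interval, logging and where alerts go.
# The mail server and recipient are placeholders.
gen_header() {
  cat <<'EOF'
set daemon 120
set logfile syslog
set mailserver localhost
set alert ops@example.org

EOF
}

# One stanza per site. "3 times within 5 cycles" stops a single slow
# response from paging anyone (a cycle is one check interval, 120s above);
# "with timeout 10 seconds" bounds each probe.
gen_site_checks() {
  for site in "$@"; do
    cat <<EOF
check host $site with address $site
    if failed port 443 protocol https
        request "/"
        with timeout 10 seconds
        3 times within 5 cycles
    then alert
    if failed port 80 protocol http
        request "/"
        with timeout 10 seconds
        3 times within 5 cycles
    then alert

EOF
  done
}

gen_monitrc() {
  gen_header
  gen_site_checks "$@"
}

# Count stanzas in a generated config (handy for a quick self-check).
count_checks() {
  printf '%s\n' "$1" | grep -c '^check host '
}

# Usage: sh gen-sites.sh www.example.org api.example.org > sites.conf
if [ $# -gt 0 ]; then
  gen_monitrc "$@"
fi
```

Drop the output into monit's include directory (on Debian, /etc/monit/conf.d/), run `monit -t` to syntax-check it and `monit reload` to pick it up. Remember that this host is now the one that must stay reachable: if it shares a network path or DNS with the sites it watches, you are back to the problem the post describes.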


HOWTO run Chromium OS on a Dell Mini 9 with wifi

UPDATE: I'm now running the latest build of Hexxeh's Chrome OS named Flow, and everything just works out of the box. The release is much improved, and it's getting very close to being the perfect day-to-day netbook OS as far as I'm concerned. Great work!

While I still really dig my Dell Mini 9, even with 2GB of RAM it feels kinda sluggish when I have my normal 50 tabs open, and I've always known someone could do better (since I'm too lazy to recompile a kernel for it like I would have in the past). With all the focus on netbooks it was bound to be addressed, and while Android looks promising, it's currently still more of a phone OS than something you'd be able to use on your netbook. I've run it off a USB drive on the Mini 9 just to check it out; it was cool, but again, not really usable enough for a 'top, though maybe that's not the target. Another I want to check is Moblin, Intel's effort using Ubuntu as a base, but I haven't seen a Mini 9 HOWTO for that (maybe I'll have to write my own...). So, enter Google Chrome OS, Google's idea of how to not only address this problem, but perhaps lay out how we will use these computers in the future. It's always funny when I start talking about cloud and thin clients, it takes me back to dumb terminals talking to mainframes, but I digress. The point is, thanks to great posts at jasongriffey.net and Lifehacker, it's really easy to install Google's Chrome OS on a Dell Mini 9; the only thing I really have to add is that you have to use ChromeOS Zero from the hexxeh.net site. After all, this is an open source project, so folks are going to make changes/fix things and share with everyone. Looking at the site, they had a new release yesterday (gotta love it!). The last time I tried a build the wifi on my Mini just worked, so it looks like those problems are a thing of the past.


HOWTO defend databases from SQL attacks with GreenSQL

UPDATE: as if to underscore the importance of this tool and approach, yesterday a story hit about a SQL injection attack infecting over 132,000 systems in short order. Net-Security have the full details on this attack, including how it probes the host via JavaScript to check for known vulnerabilities, how it exploits them, and how it ultimately downloads a back-door trojan to get the game going. It's really amazing to see how complicated and professional these things have gotten, and it just adds to the reasoning that we have to step up to the plate and learn how to better defend against them.

I've been privy to some log dumps showing real, and successful, SQL attacks on some MSSQL servers before, and they weren't pretty. Of course a SQL injection attack has little to do with the database (well, as long as it's still SQL based at least (nod to CouchDB and MongoDB)) and more with the code that calls it, and how that code deals with sanitizing inputs. For this reason MySQL is just as vulnerable; after all, bad code is bad code. While a client of mine opted for a firewall 'module' they had to buy an additional licence for, which set them back many thousands of dollars, I knew there had to be cheaper/better ways to address this kind of vulnerability. One way of course is to fix the code, but with legacy sites that no one has touched for years this may be impractical (I didn't say this, I only heard it), and the other idea is to proxy the SQL and 'clean' it before it hits the database. The advantage of this approach is that it protects against known attacks as well as unknown attacks, since it limits so much of what an attack is allowed to accomplish when trying to get its foot in the door. Keep in mind that it is a mitigation layer, not a fix: the proxy only sees the query the application finally sends, so an injection that produces SQL shaped like the application's normal queries will pass, and parameterized queries in the application remain the real cure. This approach is what the folks over at GreenSQL have done, and it's very impressive. They sum things up nice and sweet with, "GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy for SQL commands and has built in support for MySQL & PostgreSQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). GreenSQL is distributed under the GPL license."


HOWTO build your own open source Dropbox clone

UPDATE: Thanks to everyone who has contributed to this, and the Reddit thread, as it has provided some great ideas building off of my concept. I'm starting to rethink how we could have version control on top of things, and I'll update things when I have more to share. Also, does anyone have iFolder (thanks for the proper link, salubrium) working? It looks like you need SUSE Linux, which I don't have access to, plus I know most Novell projects need a *ton* of Mono dependencies installed to have any of their stuff working, at least on the server side; but it sounds like they have Mac, Linux and Windows clients, which is encouraging. While for my needs something a bit more 'close to the bone' (as below) might be better for the server side, having it be interoperable with something like iFolder could provide a lot more functionality for others.

First off, if you haven't tried Dropbox, you should check it out; it syncs all of your computers via the Dropbox servers, their basic free service gives you 2GB of space and it works cross-platform (Windows, Mac, Linux). I use it daily at home and work, and just having a live backup of my main data for my work workstation, my home netbook, and any other computer I need to log in to is a huge win. Plus, I have various 'shared' folders that distribute certain data to certain users that I've granted access to; this means work details can be updated and automatically distributed to the folks I want to review/use the data. I recommend everyone try it out and see how useful it is; it's turned into a game changer for me. So a few months ago they made headlines on supporting Linux as they released the client as open source. While this got hopes up for many, it was only the client that was open source; the server is still proprietary. While slightly disappointing, this is fine, they're a company trying to make money. I don't fault them for this, it's just that a free, portable service like that would be a killer app.


File system full, but why?

UPDATE: posted my workaround code below, good feedback already from Ryan (djatoka dev) and I'll be testing the proper fix on the server soon.

I've got a server that keeps filling up its disk space and failing to serve images once it hits the file system full error. First of all let me say, I don't blame it in the least; if the admin (aka me) doesn't give the server enough disk space to do its job, I say, let me have it. But after I'd set the suspect daemon to use a *reasonable* amount of space I stopped thinking of it as the culprit, so when this issue arose again I looked elsewhere for the cause. Fast forward to today: the server's file system filled up again and refused to serve any more data. Again, I totally understand where the server is coming from; if it doesn't have enough disk space to do its job, it shouldn't have to apologize to anyone, it's all on the admin (again, aka me). But what was going on?


Four free Linux eBooks

While looking for something else (which is mainly when I find *other* interesting things) I found an article which included links for four free Linux eBooks. This is a great resource for anyone with some Linux experience, as well as for others who may be looking to get started with tux. I would have loved to have this when I started, but that was before the Internet was available to most people. So, if you're new to Linux, or want to get started (I used Red Hat Unleashed in 1996, here it is online!), here are some great downloads to learn from:


Resolving LSIDs with URL resolvers and CouchDB

Recently I've been looking at ways to solve some of biodiversity's long-standing issues with LSIDs, which are, "Life Science Identifiers are a way to name and locate pieces of information on the web. Essentially, an LSID is a unique identifier for some data, and the LSID protocol specifies a standard way to locate the data (as well as a standard way of describing that data). They are a little like DOIs used by many publishers." I posted my thoughts to the TDWG discussion mailing list on the topic, and am reprinting it here to allow for further community commentary; Code4lib, I'm looking at you. While much of it is theoretical, it is doable, and if it covers all that needs to be addressed, would be a cool, sustainable way forward for link resolvers for all kinds of usage.

I'm with Tim on this one, and taking one of Rod's other posts ("LSIDs, disaster or opportunity") a bit further, I think coming up with a simple, extensible URL resolver would give us many benefits and allow LSIDs with extra, added information around them for all to use. Looking at his example, a URL would get permanent tracking that would also post referrers, location and traffic. A summary of the link could even be a page in itself, a cached version, a screenshot, or just a scrape of the code (pulling out the HTML tags) for future reference in case the real link goes down. We could use the ability to create a customizable prefix (ie- http://someresolvr.com/bhl/SDFoijF) to somewhat follow DOI conventions, but could even save old DOIs or handles for historical purposes in a field attached to the new URL, or for reuse, making the new URL resolve to a current DOI with a simple suffix at the end of the new URL (ie- http://someresolvr.com/bhl/SDFoijF/DOI). In the same way we could use user input and data pulled about the URL semantically to generate RDFa (by using pyRdfa), then expose that for all newly created URLs, and come up with a standard to make it predictable (ie- http://someresolvr.com/bhl/SDFoijF/RDF). The example at bit.ly shows the use of Open Calais to get more background information on the original link, but it could also be pointed to other services we provide/use in biodiversity to provide a snapshot across the board of more context/content. Users of the service could log in to examine/add/edit the data by hand if desired, so they would still retain ultimate control over how their record is presented. Thus, from a simple URL, we could build a complete summary that would build on what we're given while sharing it all back out.

Then the architecture (aka, the fun part) would be simple and distributed. A webserver able to process PHP, running the database CouchDB, would be all that is needed to run the resolver. CouchDB is schema-less, so the way it handles replication is very simple; it is built to be distributed, only handing out the bits that have changed during replication, and to scale in this manner. Having a batch of main servers behind a URL in a pooled setup (think of a simplified/smaller version of the pool of Unix networked time servers) would allow a round-robin DNS or a ucarp setup ("ucarp allows a couple of hosts to share common virtual IP addresses in order to provide automatic failover"), so if one main server went down another would automatically take over, without the user needing to change the URL. Plus, if we wanted to, to battle heavy usage of the main servers we could use the idea of Primary and Secondary servers as outlined in the pool.ntp.org model, so an institution with heavy usage could become a Secondary host and run their own resolver simply, with almost no maintenance. They would just need the PHP files, which would be a versioned project, and then have a cron task to replicate the database from a pool of the main servers. The institution's resolver could be customized to appear as their own (ie- http://someresolvr.bhl.org/bhl/SDFoijF) and for simplicity could be read-only. This way a link like http://someresolvr.com/bhl/SDFoijF could be resolvable against any institution's server, like http://someresolvr.bhl.org/bhl/SDFoijF or http://someresolvr.ebio.org/bhl/SDFoijF, as all of the databases would be the same, although maybe a day behind, depending on the replication schedule.
New entries would only be entered on a main server, or in 'the pool' (ie- http://pool.someresolvr.com/), then those changes would be in the database to be handed out to all on the next replication (I won't add my P2P ideas in this email; it may not be needed for the deltas that would need to be transferred daily or weekly). Add to all of this that CouchDB is designed as "...a distributed, fault-tolerant and schema-free document-oriented database", which would fit into what we want to do: build a store of documents (data) about a URL that we can serve, while being a permanent, sustainable resolver to the original document. If the service ever died, it could be resurrected from anyone's copy of the database (think LOCKSS (Lots of Copies Keep Stuff Safe)), so that no data (original or accumulated) would be lost. The data could be exported from the database in XML, and then migrated from that to a desired platform.

I have not been dealing with LSIDs as long as most on this list so I expect I’m glossing over (or missing) some of the concepts, so please let me know what I am lacking. This is a needed service, and is a project I’d like to be involved in building.


HOWTO: serve jpeg2000 images with a scalable infrastructure

At the Biodiversity Heritage Library, we have replaced a proprietary JPEG 2000 image server that was straining under the load with a new, open source JPEG 2000 server, djatoka. Chris Freeland and Chris Moyers cover the background in far more detail on the BHL Blog, so here I'll cover my rationale and the decisions I made to provide a scalable, stable infrastructure that serves the images as efficiently as possible.

When I started sketching out how I wanted to run djatoka, I knew I wanted it to provide security, caching for performance and scalability, and fault tolerance. Our server runs Tomcat, which I didn't want to be public facing. Because of this I proxy Tomcat requests through Apache with mod_proxy_ajp, the successor to the old mod_jk. If you do the same, make sure Tomcat's AJP connector in server.xml only listens on localhost (address="127.0.0.1"), since the AJP protocol itself has no authentication and must never be reachable from outside the box. Initially I was using nginx in place of Apache, but after reading about all the functionality and performance improvements mod_proxy_ajp offered, it was a no-brainer; this is how to present Tomcat in a production environment.


Black Hat and Defcon: all the drama you’ve been craving

Dan Kaminsky - Security researcher with IOActive

This is great, Defcon 16 is a mere few days away, but already the drama has started! Of course there's the excitement about security guru/celebrity Dan Kaminsky discovering the DNS flaw a few months back, the details of which will be revealed this week (the wait was so that folks wouldn't be able to reverse-engineer the patches and exploit the vulnerability, ahead of time at least), but now there's a renege by Apple that's sure to ruffle a few feathers, as well as highlight how they weren't the most forthcoming with their DNS fix (which hasn't hit yet even though all other vendors have released patches). In an interview, Kaminsky talks about the 'bug' he found in DNS: "We got lucky in this particular bug, because it's a design flaw," Kaminsky said in an interview. "It shows up in everyone's network, but the fix is a design fix that doesn't point directly at what we're improving." After peer review it was deemed this was indeed a huge deal, and even the original developer of BIND (the DNS software in question) urged everyone to patch. "It took a couple of hours to find the bug," said Kaminsky, "and a couple of months to fix it." Kaminsky said he stumbled across the hole in the so-called DNS system for steering people to the websites they are seeking "by complete and total accident." Smaller DNS flaws have been used before to "poison" the servers that send people to the numerical address of the website name they enter. [...] "This is about the integrity of the Web, this is about the integrity of e-mail," Kaminsky said. "It's more, but I can't talk about how much more." So learning more about that exploit will be very interesting, and should lead to more people investigating and deploying DNSSEC, a DNS extension built with security in mind from the ground up. So there's that, but now there's something even more fun, because it deals with a company's lack of openness in regards to their security methods. A talk at Black Hat yesterday was scrubbed at the last minute by folks over in marketing at Apple.
It seems that they blocked the scheduled presentation that was "...to give an inside look at the ultra-secretive company's security response team. 'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat organizer told IDG News." This is unfortunate for Apple, who are reeling after a week of beatings in the 'blogosphere' over their handling, or non-handling, of their update for the DNS flaw we mentioned above! "Apple's policy of saying next to nothing about how it goes about protecting its users from escalating threats is, to say the least, unfortunate. Just last week, the company said it had patched its software from a serious flaw in the net's address lookup system. Three days after two separate researchers warned Mac clients are still vulnerable to the flaw, Apple hasn't uttered a word, an omission that generates confusion and doubt in those who depend on the vendor." Come on Apple, you preach about how you're 'Open Source', but then continue along the path of the old school hide-and-seek ways. Hell, people are already pointing out how their methods are less open than Microsoft's in releasing information about security. What are they so afraid of? Ah, but we'll learn more come Thursday; I'll be in Vegas for my third Defcon and can't wait. Watch for updates here, or more timely ones over at our Twitter profile.


HOWTO: automatically reconfigure Xorg in Debian

If you're like me, you've messed up your xorg.conf before and wanted to start over with the default that dpkg-reconfigure can set it to. I'm posting this here because I've needed it multiple times in the past and have tired of looking it up! To automatically reconfigure Xorg in Debian or Ubuntu, issue the following:

sudo dpkg-reconfigure -phigh xserver-xorg

Then log out and back in, or restart X via Ctrl-Alt-Backspace (newer Xorg releases ship with that key combination disabled, so restarting your display manager may be needed instead). As one who tweaks things a bit more than he should, this has saved me a few times now. Props go to a poster on this page.


HOWTO: Configure nginx for Debian / Ubuntu

UPDATE: I'm reworking my config, blending in the security ideas found on calomel.org; they've really thought things through on this, and it should make for a very secure environment.

I'm always trying new software, and with the webserver I've moved from Apache 1.3 to 2.0 to 2.2, and then later I moved everything over to Lighttpd, which I've liked, save for some memory issues that popped up. Now, enter a web server named nginx (engine x), written by a Russian hacker. It's already proved its mettle by running some of the largest Russian sites for years now. It has the speed of Lighttpd, but with none of that memory weirdness, plus it uses a fraction of the CPU, so scaling should be smooth for highly visited sites. It also does cool things like load balancing, reverse proxying, IMAP and POP proxying, etc, so I can see it being used in a variety of ways on a network. It took me some time to understand how to configure it, which was a case of me just making it harder than it really is, so I wanted to post it here. Look for updates as we go along, but this is currently backing a production site I manage.

user                www-data www-data;
worker_processes    5;
pid                 /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include         /etc/nginx/mime.types;
    default_type    application/octet-stream;

    log_format main '$remote_addr $host $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
                    '"$request_time" "$gzip_ratio"';
    access_log      /var/log/nginx/access.log  main;
    error_log       /var/log/nginx/error.log;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         off;
    keepalive_timeout   65;

    gzip                on;
    gzip_http_version   1.1;
    gzip_vary           on;
    gzip_comp_level     6;
    gzip_buffers        16 8k;
    #gzip_proxied       expired no-cache no-store private auth;
    gzip_proxied        any;
    gzip_min_length     1000;
    # text/html is always compressed once gzip is on; listing it here again
    # only makes nginx warn about a duplicate MIME type.
    gzip_types          text/plain text/css application/json application/x-javascript
                        text/xml application/xml application/xml+rss text/javascript;

    server {
        listen               80;
        client_max_body_size 50M;
        server_name          server.domain.com;
        root                 /var/www;
        index                index.html index.php;
        access_log           /var/log/nginx/access.log  main;

        error_page 500 502 503 504 /500.html;
        location = /500.html {
            root /var/www;
        }

        # The dot before the extension must be escaped; an unescaped "."
        # matches any character.
        location ~* ^.+\.(jpg|jpeg|gif)$ {
            root    /var/www;
            expires 30d;
        }

        location ~ \.php$ {
            # Only hand real files to PHP. Without this, a request such as
            # /uploads/avatar.jpg/x.php still matches this location, and with
            # PHP's default cgi.fix_pathinfo=1 the uploaded .jpg is executed
            # as PHP.
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
            fastcgi_pass  127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /var/www$fastcgi_script_name;
            fastcgi_param QUERY_STRING    $query_string;
            fastcgi_param REQUEST_METHOD  $request_method;
            fastcgi_param CONTENT_TYPE    $content_type;
            fastcgi_param CONTENT_LENGTH  $content_length;
        }
    }
}

HOWTO: log the user’s IP, not the proxy’s, in Lighttpd access log

When you run a webserver behind a reverse proxy or HTTP accelerator like Squid or Varnish, the webserver access logs will show the IP of the proxy (generally 127.0.0.1) instead of the end user's IP. This not only breaks any kind of tracking or reporting you want to run against your webserver logs, it also takes away a datapoint I've had use for in general server admin tasks. This server runs Varnish in front of Lighttpd, and Varnish passes the end user's IP along in the X-Forwarded-For header, so it's just a matter of making Lighttpd (lighty) log that header instead of the default remote-address field. One caveat: lighty logs whatever the header contains, and the header is built by whoever talks to Varnish, so the logged value is only trustworthy if clients cannot reach lighty directly and you read the address Varnish appended (the last one in the list) rather than anything the client itself sent. Once we know that, the configuration is simple; in lighttpd.conf, enter this:

accesslog.format = "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""

For the definition of these variables, and plenty more, hit Lighty’s wiki. Props to the poster on the Varnish mailing list for bringing this up and reminding me to fix it! I’ve sent this link to the list so now it’s out there.
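Because X-Forwarded-For is just a header, anyone who can send a request can put whatever they like in it, and a proxy chain appends to it rather than replacing it. As an added example (not from the post, lighttpd or Varnish), here is a shell function that extracts the client address the way a log-processing script should: it trusts the header only when the request arrived from a known proxy, then walks the list from the right and stops at the first address that is not one of your proxies. The header values and addresses below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: pick the real client address out of an X-Forwarded-For
# chain, trusting only hops that are known proxies (e.g. the local Varnish).
#
# Args: "$1" the header value, e.g. "203.0.113.9, 10.0.0.5"
#       "$2" space-separated list of trusted proxy addresses
#       "$3" the peer address the webserver actually saw (its REMOTE_ADDR)
# Prints one address. Rules:
#   - if the peer is not a trusted proxy, the header is attacker-controlled:
#     ignore it and report the peer itself;
#   - otherwise walk the chain from the right (the end proxies append to) and
#     report the first hop that is not a trusted proxy; anything further left
#     was supplied by an untrusted party and may be forged;
#   - if every hop is trusted, or the header is empty, fall back to the peer.
client_ip_from_xff() {
  xff=$1
  trusted=$2
  remote=$3
  printf '%s\n' "$xff" | awk -v t="$trusted" -v r="$remote" '
    BEGIN { n = split(t, a, " "); for (i = 1; i <= n; i++) trust[a[i]] = 1 }
    {
      if (!(r in trust)) { print r; exit }
      c = split($0, hops, ",")
      for (i = c; i >= 1; i--) {
        ip = hops[i]
        gsub(/^[ \t]+|[ \t]+$/, "", ip)
        if (ip != "" && !(ip in trust)) { print ip; exit }
      }
      print r
    }'
}

# Demonstration with constructed inputs; Varnish on 127.0.0.1 is the only
# trusted proxy, and the client tried to plant 1.2.3.4 in the header.
if [ "${1-}" = "--demo" ]; then
  client_ip_from_xff "1.2.3.4, 203.0.113.9" "127.0.0.1" "127.0.0.1"  # 203.0.113.9
  client_ip_from_xff "1.2.3.4" "127.0.0.1" "198.51.100.7"            # 198.51.100.7
fi
```

For the server itself, lighty's mod_extforward does the same job: with `extforward.forwarder = ("127.0.0.1" => "trust")` it only rewrites the remote address for requests that arrived from a listed proxy, so the stock `%h` in accesslog.format is correct without logging the raw header at all.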


PayPal: Open Source Essential to Success

PayPal has used Open Source and Linux exclusively. In an op-ed piece, Matthew Mengerink from PayPal gives his four reasons why Open Source is Essential to Success. "PayPal transacts more than US$1,500 every second of every day, with millions of people around the world relying on the robustness of its system. It comes as a surprise to many people that PayPal runs such a large financial services company on an open source platform, but that's precisely how we're able to deal with the two competing demands our business model places on us: security and innovation. The economic, operational, development and security advantages of open source and Linux put us in the perfect position to both grow and innovate in a safe and secure manner. Here are four reasons why we love our open source system — and four tips for you if you're thinking of making the switch.


Buying a Linux laptop in 2007

It's time for a new laptop. As I've detailed, I've ripped apart, inserted coins into and duct-taped the old iBook back together again enough times, and it's no longer viable. It'll work fine on a flat surface, but if you try to use it as a laptop the minor flexing must loosen the video chip, because you quickly find your video locked, with a hard reboot the only fix. The wildcards were me as a buyer, since I'm hardly ordinary in expecting that any laptop or desktop I buy will only ever run Linux, and the recent announcements by HP, IBM/Lenovo and Dell about their Linux support (some even pre-installed), which meant I knew I'd finally have choices to consider. In the end I came up with a pretty current system that Debian or Ubuntu will be 100% compatible with, and that I'll be proud to call home. The detailed specs:

Intel Core 2 Duo T5470, 1.6GHz, 800Mhz FSB, 2M L2 Cache
15.4 inch Wide Screen XGA LCD display
1GB, DDR2, 667MHz 2 DIMM
128MB NVIDIA GeForce 8400M GS
120G 5400RPM SATA Hard Drive
Integrated 10/100 Network Card and Modem
8X DVD+/-RW with double-layer DVD+R write capability
Integrated High Definition Audio 2.0
Intel 3945 WLAN (802.11a/g) Mini Card
Integrated 2.0 mega pixel webcam
Integrated Bluetooth
85 WHr 9-cell Lithium Ion Primary Battery

This is more system than I originally spec'd out, but the price was right, so I'm very happy. Before I reveal which brand I picked, I'll tell the interesting story of how I ended up with the 'top I did, and how things compare for laptop Linux options these days; it's an interesting ride.



Software support must evolve with Open Source

As an IT contractor I enjoy giving my opinion when asked, and sometimes even when I'm not asked; I have the confidence to be open and honest with everyone and want them to know that. Because of this I've been getting to do things I otherwise would not have, since they would not have known I was interested or experienced in such things. One of the things I was hired for was to set up Apache on Linux to work with their web instances. It's been fun, and while I've used Apache for over 10 years, there are always new things to learn. Recently they asked for my opinion on 'support' options for Apache. Keep in mind, they already have support for the hardware and support for the Linux distribution, yet they still think they need another support channel for Apache. To me this is a big waste of money, and I have somewhat made my case to them. While I understand their position that this support is a way to cover themselves if Apache 'breaks', the fact that this software is Open Source has to change the way they have traditionally considered support.


Dell’s Linux support numbers

I've read a few posts online that review Dell's Linux support, and most complain that they have to call the 'regular' number first, only to get the "What version of Windows are you running?" support. After being redirected to the correct number for Linux support, they get excellent support. So, to try and help propagate the Linux support numbers, I present them here. Dell's Linux support number for hardware is 866-622-1947, and for software it's 866-982-8688. Additionally, the online Linux Community Support forum will likely solve most problems for you even before you're done dialing.


Tux on a Visa

Classic, nice to have this back as an option; you can now get Tux on a Visa card from linuxfund.org. If I wasn't completely enamored with my 'Working Assets' card I'd grab one of these. Who knows, maybe sometime down the road I'll get one; it's for great causes of course: "Each time a cardholder uses their card, a donation is made to The Linux Fund by the card issuer, U.S. Bank. These donations add up to tens of thousands of dollars per year which The Linux Fund then gives out in grants. The Linux Fund has donated to new ideas and teams who maintain things like Debian". Would be really funny to see Puffy from OpenBSD on a credit card... but I'm not sure if I'd want to use that one!


Defcon15

Oh yeah, I'm going to Defcon again this year, just found out this Friday for sure. It's August 3rd to 5th, in Las Vegas, and this year it's all paid for by my new consulting group; what a great thing. I argued that I would learn so much more there than in any class, for a fraction of the cost; and I will. More on this later.


HOWTO: failed to set xfermode [SOLVED]

UPDATE: thanks to a comment below from Ted, we now have a solution to have this option persist across kernel updates. In grub, "...at the end of this new menu item add it as an argument to the line:

defoptions=quiet splash irqpoll

I knew there had to be a way, thanks for the post Ted!

There's a known bug in Ubuntu 7.04 (Feisty) with some ATA detection routine that causes the system to take over 2 minutes to boot. Since this has happened to me more than once I'm documenting it here for me, and for other desperate souls who may find their way here. If your system is very slow to boot, and you see error messages in your dmesg (`dmesg | grep ata`) such as these:

[ 34.122465] ata1.00: qc timeout (cmd 0xef)
[ 34.122519] ata1.00: failed to set xfermode (err_mask=0x4)
[ 34.122565] ata1: failed to recover some devices, retrying in 5 secs
[ 46.260055] ata1: port is slow to respond, please be patient (Status 0x90)
[ 69.218482] ata1: port failed to respond (30 secs, Status 0x90)

You just need to add `irqpoll` to your grub kernel line. So in /boot/grub/menu.lst I added irqpoll to the kernel line:

kernel /boot/vmlinuz-2.6.20-15-generic root=UUID=48c5a348-eb39-4171-8531-671a49fdb75b ro quiet splash irqpoll

and it fixes the issue. Probably a workaround, but since this resets every time you install a new kernel you'll realize when it's broken and when it's fixed. (The reset happens because Ubuntu's grub-legacy regenerates the kernel entries in menu.lst with update-grub on every kernel install; the `# defoptions=` line that update-grub reads is where the change sticks, as in the update above.) Oh, and my system boots in 21 seconds now... is it geeky that I know that, and that I tweaked the system to make it boot faster than the 27 seconds it was booting in? I guess we'll never know! ;)


HOWTO: Jimmac mouse cursors on XP

So the only thing I don’t love about my new job is the same old thing; you have to run Windows XP on the desktop. Yeah, I’ll give it a bit more time before I really start pushing to run Linux on the desktop, so until then it’s my ongoing struggle to get XP to work the way I want it to (ie- more like Linux). One simple way is to install the excellent Jimmac mouse cursor theme that’s the default for the majority of Linux distributions. Jakub Steiner (aka Jimmac) is the famous designer of this set, and with a 3rd party app called CursorXP, it’s a snap to get them into XP. First grab the Jimmac theme created to work with CursorXP, then download and install CursorXP and get into its config menu, which is a new tab under Settings > Mouse. From the drop down list choose <Browse>, point it to the theme and you’re done. You wouldn’t think a change of mouse cursors would change the feel of a system so much, but these do; I feel more at home. Even if you’ve never used Linux you’ll still love this cursor set, try it, it’s all free.


The best companies to work for

It’s rewarding when you work at a company that seems universally recognized as a great place to work. I’ve only found this out recently, since my current employer, Edward Jones, always makes the ‘best of’ lists. Today it was ranked on Computerworld’s list of 100 Best Places to Work in IT at number 52. Meanwhile Jones has been on Fortune’s 100 Best Companies To Work For for years, and they’re currently ranked at 29. That’s awesome, it really says something about the company if internal and external forces are agreeing on things. I’m happy since I get to play in Linux while avoiding the stress of support. /me ahhh…


Making the case for Google Linux

There’s been plenty of talk of late about Google getting more behind Linux, but theories abound as to what role they would play. Some of this may be answered soon, judging by some back room dealings going on over there in conjunction with The Linux Foundation, the group that “offers programs to promote standardization and technical collaboration” for Linux, as well as sponsoring Linus Torvalds so he can continue to work fulltime on the Linux kernel. First we heard from Google’s Chris DiBona about how Linux graphic drivers provided by nVidia and ATI should be open source. (why would they bring this up?) Then, last week, Google sponsored the first-ever Linux Foundation Collaboration Summit.

(more…)


Apache server lockdown challenge

One of my favorite things about being a Linux admin is the ability to specify how things are going to be executed on the servers. I’ve been running the Apache web server for over 10 years now (1997), so setting up a new environment is no big deal, but I wanted to take it farther and cut as much out of a base install as possible, while still having it do what I need. I started with a Google search and a blank file for my httpd.conf, and went from there. Some background, since this is a work project I have a few restraints. First, we’re running on Red Hat Enterprise Server 4 with some pretty beefy hardware. Also, currently we ARE NOT building from source (something I usually do on my own Apache instances) since we’re still working out support options, which limits what we can do down to the almighty httpd.conf. I’ve trimmed down my conf at home, but since we have a smaller and more specific set of tasks for Apache here, I wanted to trim it down to the bone. So far I’ve gone through the Apache Security site, where I found their chapter on Installation and configuration especially helpful. I followed their suggestion of starting httpd.conf as a blank file. Later I ran my newly created conf through an Apache 2.0 Hardening Guide, and even combed through the Apache HTTP Server Module guide to be sure I wasn’t using anything extraneous. Now I’m being a bit idealistic with this config I know, but again, it’s for a specific purpose, and I don’t need to worry about many other factors that would cloud the waters as far as providing more options. I’ve taken out any specific modules that need to be loaded as part of my work so as not to confuse things, but I’ve left in our token variables (those that start with a T_) that get substituted just before install, so the question is, is there anything else I could cut back on? Also, is there anything missing that could lock things down further that doesn’t need to be installed separately? (ie- I’m not going to be installing mod_security…yet, but I’d like to). Read on to see my current ‘locked down’ config, all suggestions and (constructive?) criticisms appreciated.

(more…)
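When you build httpd.conf up from a blank file, the two questions the post asks (what else can go, and what is still missing) are easy to answer with a quick audit. The script below is an added example of my own, not the post’s config and not anything shipped with Apache: it strips comments, counts the LoadModule lines that remain (each one is a module you have to justify keeping), and reports which of three common hardening directives from the Apache 2.0 hardening guides are absent or set to a weak value. The two sample configs are constructed for the demo; the T_ token comment mirrors the post’s convention only. TraceEnable is assumed available, which holds for Apache 2.0.55 and later, so check your exact 2.0 build before relying on it.

```shell
#!/bin/sh
# Added example (not the post's own httpd.conf): audit an Apache 2.0 config
# read from stdin. Usage on a real box:
#   count_loaded_modules < /etc/httpd/conf/httpd.conf
#   missing_hardening    < /etc/httpd/conf/httpd.conf

# Drop comment text, trailing whitespace and blank lines.
strip_comments() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' | grep -v '^$'
}

# Count LoadModule directives; every one that stays needs a reason.
count_loaded_modules() {
    strip_comments | grep -c -i '^[[:space:]]*LoadModule' || true
}

# Print "Directive Value" for each recommended setting that is missing or
# set to something other than the recommended value (case-insensitive).
#   ServerTokens Prod    - stop advertising version and module list
#   ServerSignature Off  - no version footer on error pages
#   TraceEnable Off      - disable HTTP TRACE (Apache 2.0.55+; assumption)
missing_hardening() {
    conf=$(strip_comments)
    printf '%s\n' \
        'ServerTokens|Prod' \
        'ServerSignature|Off' \
        'TraceEnable|Off' \
    | while IFS='|' read -r directive value; do
        if ! printf '%s\n' "$conf" \
            | grep -q -i -E "^[[:space:]]*${directive}[[:space:]]+${value}([[:space:]]|$)"; then
            echo "$directive $value"
        fi
    done
}

# Constructed sample configs (not the post's real httpd.conf).
LOOSE_CONF='ServerTokens Full
ServerSignature On
LoadModule php5_module modules/libphp5.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
DocumentRoot /var/www/html'

TIGHT_CONF='# T_SERVERNAME is substituted just before install (placeholder)
ServerTokens Prod
ServerSignature Off
TraceEnable Off
LoadModule log_config_module modules/mod_log_config.so
<Directory />
    Options None
    AllowOverride None
</Directory>'

# Demo wrappers that return the audit results for each sample.
loose_missing() { printf '%s\n' "$LOOSE_CONF" | missing_hardening | wc -l | tr -d ' '; }
tight_missing() { printf '%s\n' "$TIGHT_CONF" | missing_hardening | wc -l | tr -d ' '; }
loose_modules() { printf '%s\n' "$LOOSE_CONF" | count_loaded_modules; }
tight_modules() { printf '%s\n' "$TIGHT_CONF" | count_loaded_modules; }

echo "loose config: $(loose_modules) modules loaded, $(loose_missing) hardening directives missing"
echo "tight config: $(tight_modules) modules loaded, $(tight_missing) hardening directives missing"
```

The directive table is deliberately short; add rows in the same `Directive|Value` form for whatever your hardening guide of choice recommends (for instance `Options` lines without `Indexes`), and run the script after each trim of httpd.conf to confirm nothing regressed.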