Archive for the “Linux” Category

Part 1, what is varnish?

The Varnish cache project is one you really need to get familiar with if you manage any high-volume websites. It can mean the difference between a self-destructing web app that buckles under its own load and an apparently seamless one serving thousands of concurrent connections with relative ease.

How does it work?

Varnish acts as a reverse proxy: when a user sends a GET request, Varnish looks in its internal cache for a stored copy of the response. If it cannot find one it passes the request to the "back end" (in this case an Apache server) and then caches the response for subsequent requests.

Now you may ask yourself why you need this. It boils down to what you are trying to achieve with your web application. If your application is heavily reliant on dynamic content and regularly gets some 400 concurrent users, for example, let's assume the following:

  1. 400 concurrent unique users
  2. Average page render time is 0.85s

The Math

Based on this, if you were to place Varnish in front of your application with a 60-second TTL (time to live, the length of time Varnish will hold an object in cache):

  1. Varnish TTL 60 seconds
  2. 400 / 0.85 = 470.59 requests/second
  3. 470.59 x 60 = 28,235.29 requests/minute
  4. Factor of reduction to the "back end" for one cached page: x28,235.29

So in the example above, simply by caching a page for as little as 60 seconds, the back-end requests per minute for that page drop from 28,235.29 to 1. Even reducing the cache time to 10 seconds in this example (6 back-end requests per minute) would give a x4,705.88 reduction. This assumes the page is actually cacheable: by default Varnish will not cache responses that set cookies or vary per user, which is why raising the hit rate gets its own section in a later part.

How is this reduction a good thing? Time on CPU, for one. Varnish, when configured correctly, is very fast, and even with an out-of-the-box configuration it is still going to be much faster than your dynamic web application.

Summary

So here ends a brief introduction to Varnish and why you really want to start using it. In the following parts we will cover:

  • Configuration overview
    • brief overview of each sub section based on the 2.1 syntax
    • Advanced configuration
      • Load balancing
      • Failover handling
      • Raising cache hitrate
      • Pros and cons of each setup
      • Benchmarks


Comments 3 Comments »

This is one of those things I find my jaw dropping at, whilst kicking myself for not knowing about it sooner.
It's true: as much as I live in the CLI and SSH to do my job, I sometimes find I require a VNC connection (e.g. for the plethora of system-config-* tools in RH).

Now, however, there is an alternative (so long as your client machine has an X11 server installed and the server's sshd_config has X11Forwarding enabled):

ssh -X -l <user> <server ip>

That's it, simple as that. Now use a CLI command to launch your normal GUI tool (which must be installed on the server), e.g.

kate ~/.bashrc

And the window will appear on the machine you are working from. Don't think the GUI is running on your machine, it's not!

Your machine is now acting as a thin client simply interacting over SSH, with the GUI tool running on the server itself and its display forwarded back to you.

Only do this to servers you trust: the forwarded application talks to your local X server, and under trusted forwarding (-Y, or -X on clients where ForwardX11Trusted defaults to yes) it can snoop on keystrokes and windows belonging to your other X clients.

And there is where the awesomeness lies, especially if like me you run OS X whilst managing *nix servers.

*grin*


Comments No Comments »

Namely a bug to do with iptables rate limiting,

iptables -I INPUT 2 -p tcp --dport http -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j LOG --log-level=7

works!

iptables -I INPUT 2 -p tcp --dport http -m state --state NEW -m recent --update --seconds 60 --hitcount 60 -j LOG --log-level=7
iptables: Unknown error 18446744073709551615

-j REJECT also produces the same.

Simply increasing the "hitcount" causes this error; the only workaround I have come up with is decreasing the --seconds arg to yield more hits/sec. Still bloody annoying!


Comments 2 Comments »

ESP Ghostscript 815.02: Unrecoverable error, exit code 255

I got this issue today on CentOS 5.4 x64 while investigating images not being scaled when processing a specific PDF. The solution, unfortunately, is to build Ghostscript and ImageMagick from the latest sources.

wget http://ghostscript.com/releases/ghostscript-8.71.tar.gz
wget http://image_magick.veidrodis.com/image_magick/ImageMagick-6.6.3-0.tar.gz

Unpack, configure, make && make install. Both tarballs arrive over plain HTTP, so compare them against the checksums published by each project before you build them, and confirm afterwards with gs --version and convert -version that the new binaries are the ones on your PATH.

To fix compatibility with PEAR imagick:

ln -s /usr/local/lib/libMagickCore.so /usr/lib64/libMagick.so.10
ln -s /usr/local/lib/libMagickWand.so /usr/lib64/libWand.so.10
ln -s /usr/local/bin/gs /usr/bin/gs

The soname suffix (.so.10 here) has to match whatever the imagick extension was linked against; if it still fails to load, run ldd on the extension's .so to see which names it is looking for.


Comments No Comments »

Most of the time when I review our log watches each morning I become enraged at the number of automated attacks, but every so often I find one that frankly intrigues me.

Today is just such an occasion: I have had multiple brute-force login attempts, and the ingenious part is that this attack has been designed to bypass tools such as fail2ban, BlockHosts etc. This is how:

  1. Attack is launched from
  2. has PTR set for
  3. Failed login attempts record due to reverse lookup
  4. There is no A record, attacker maintains their own nameservers for the
  5. fail2ban notes failed logins, attempts to resolve to an IP but fails, due to missing A record
  6. Attacker can continue brute force attempts unhindered by being banned

I am still reading into how to counter this and will update this post as I figure out how to work around it; it's a very sneaky and frankly quite clever method of working around most automated blacklisting/banning tools.

Update 1:
One method I am trialling is the LOG target of iptables, in an attempt to match login failure times against the iptables log. I'll post back with results.

iptables -A INPUT -p tcp --dport ftp -j LOG

Outputs

Jul 23 11:45:57 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecting ip> DST=<server ip> LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=47423 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 23 11:45:57 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecting ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=45370 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:45:57 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecting ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=46896 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:46:01 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecting ip> DST=<server ip> LEN=63 TOS=0x00 PREC=0x00 TTL=55 ID=38502 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul 23 11:46:02 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecting ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=32551 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:46:02 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecting ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=59735 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:46:04 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecting ip> DST=<server ip> LEN=66 TOS=0x00 PREC=0x00 TTL=55 ID=23116 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul 23 11:46:07 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecting ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=40246 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0

Update 2: Defeating the hack

Now granted, this would be a lot worse had the attacking IP been dynamic; fortunately in this case it's not.

grep kernel /var/log/messages | awk '{print $9}' | sed 's/SRC=//' | sort | uniq -c | sort -rn

    390 173.XXX.XXX.XXX
      4 195.XXX.XXX.XXX

(Field 9 is the SRC= field in the log layout above. The sort before uniq matters: uniq -c only collapses adjacent duplicates, so without it a source whose packets are interleaved with another's would be counted in several fragments.)

IPs have been masked to prevent anyone complaining or threatening legal action (again) for inferring you should block their IP / network range ... and me firing off the obligatory "Well, if you policed your own network I wouldn't have to post this, now would I" email.

Maybe I am just being cynical in my "old" age ...

Anyhow, as you may have guessed, I'm black-holing the IP with the 390 connection entries.
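To make that one-liner reusable, here is an added shell example that is not the original post's command: it pulls the source address out of each LOG line with sed rather than relying on it being field 9 (which shifts if you add a --log-prefix or the hostname format changes), counts only packets with just SYN set so each connection attempt is counted once instead of once per packet, and lists the sources over a threshold. It runs over constructed sample lines in the same layout as the output above; the addresses are documentation ranges, and the threshold is whatever suits your logs.

```bash
#!/bin/bash
# Added example (not from the original post): count TCP connection attempts
# per source address in iptables LOG output and list sources over a threshold.

# Constructed sample lines in the layout the LOG target produced above.
SAMPLE_LOG='Jul 23 11:45:57 132 kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=47423 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 23 11:45:57 132 kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=45370 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:46:10 132 kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=47424 DF PROTO=TCP SPT=3866 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 23 11:46:20 132 kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=47425 DF PROTO=TCP SPT=3867 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 23 11:47:01 132 kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=1001 DF PROTO=TCP SPT=51000 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0'

# syn_counts: read LOG lines on stdin and print "count ip" for packets to the
# FTP port that carry only the SYN flag, most frequent first. The LOG target
# prints flags in a fixed order, so anything with ACK set reads "ACK SYN" or
# "ACK ..." and is skipped; each connection attempt is therefore counted once.
syn_counts() {
    grep -E 'kernel: .* DPT=21 .* RES=0x[0-9a-fA-F]+ SYN URGP=' \
        | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# offenders THRESHOLD: sources with more than THRESHOLD connection attempts,
# i.e. the addresses you would black-hole.
offenders() {
    syn_counts | awk -v t="$1" '$1 > t {print $2}'
}

# Stand-alone run over the constructed sample; on a live box use
#   grep kernel /var/log/messages | offenders 50
printf '%s\n' "$SAMPLE_LOG" | syn_counts
```

Adding `--log-prefix "ftp: "` to the LOG rule lets you replace the `grep kernel` with a grep on that prefix, so unrelated kernel messages never enter the count.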

Thanks

Being as I spoke to a load of people during the course of this, I really cannot remember who contributed what to this solution, so I'll just have to thank you all; let me know if you want a crediting link.


Comments 1 Comment »

This is something I have wanted to get working for some time now, and thanks to James P for passing me a note that as of OpenSSH 4.4 you can in fact add command-line args to the Subsystem configuration, which, combined with the (I assume new) logging functionality of sftp-server, allows you to finally log what is occurring during an SFTP session.

Note: Requires OpenSSH >= 4.4

Replace the Subsystem line in your /etc/ssh/sshd_config with

Subsystem   sftp    /usr/libexec/openssh/sftp-server -f LOCAL5 -l INFO

(-f selects the syslog facility and -l the level; INFO records the operations sftp-server performs on the client's behalf, such as opens, renames and removals, and the DEBUG levels add protocol detail.)

Add the following to /etc/syslog.conf (or /etc/rsyslog.conf on systems running rsyslog):

#sftp logging
local5.*                        /var/log/sftpd.log

Restart the sshd and syslog services, try an SFTP upload and review the logs at /var/log/sftpd.log.

Note: if the accounts are confined with ChrootDirectory (OpenSSH 4.9 and later), sftp-server cannot reach /dev/log from inside the chroot and nothing will be logged unless you provide a syslog socket there (rsyslog's $AddUnixListenSocket directive, for example).


Comments 1 Comment »

Ever wanted / needed httpd or another service to run with a raised scheduling priority?

Well, you have a couple of options: add lines to the /etc/init.d script to change the nice level on startup, or, if you only need to do this temporarily without restarting the service but need every process to have a raised priority, use a bash script:

#!/bin/bash
# Raise the priority of every running httpd process.
# Nice values run from -20 (highest priority) to 19 (lowest), so a raised
# priority is a negative value, and setting one requires root.
PIDS=$(ps aux | grep httpd | grep -v 'grep' | awk '{print $2}')
for PID in $PIDS
do
        renice -n -5 -p "$PID"
done

Nice values run from -20 (highest priority) to 19 (lowest); a positive value such as 20 lowers priority rather than raising it, and only root may set a negative one. Depending on your requirements you can use this script in a cron job to raise/lower priorities; change httpd for whatever service you want to adjust.

Ever needed to check whether files are being accessed / written to?

For this one you're going to need the inotify-tools package, specifically the inotifywait binary.

inotifywait -m --timefmt "[%a %b %d %H:%M:%S %Y]" --format "%T [%e] %f" -r /folder/to/watch

An example use is to ensure that caching is working correctly and that cache files are being served in place of processing PHP files: simply change "/folder/to/watch" to your cache folder and refresh a few pages.

All being well you’ll get an output similar to the following:

(root@132 BUZZ1) # /usr/local/bin/inotifywait -m --timefmt "[%a %b %d %H:%M:%S %Y]" --format "%T [%e] %f" -r /path/to/saiweb/wp-content/cache/supercache/*
Setting up watches.  Beware: since -r was given, this may take a while!
Watches established.
[Thu Jul 15 20:59:37 2010] [OPEN] index.html
[Thu Jul 15 20:59:37 2010] [CLOSE_NOWRITE,CLOSE] index.html
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR]
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR] security
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR]
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR] vsftpd-chrooting-without-the-headache-allowing-shared-directories
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR]
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR] vsftpd-chrooting-without-the-headache-allowing-shared-directories
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR]
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR] the-zen-of-secured-shared-hosting-part-1
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR]
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR] the-zen-of-secured-shared-hosting-part-1
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR]
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR] php-security-considerations
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR]
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR] php-security-considerations
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR]
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR] antivirus-xp-2008-removal
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR]
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR] antivirus-xp-2008-removal
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR]
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR] suphplookupexception
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR]
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR] suphplookupexception
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR]
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR] honeypotting-for-viruses-statement-of-fees-200809
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR]
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR] honeypotting-for-viruses-statement-of-fees-200809
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR]
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR] security
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR]

As can be seen, the rewrite rules are directing users to the cached files/folders; in the example above I have used my wp-supercache folder.

Ever needed to quickly get the memory usage of all threads for a service?

You have two options for this: a single line,

ps -Ao rsz,comm,pid | grep <process name>

or a bash function you can place in your ~/.bashrc

# appmem NAME: list resident size (KB), command and PID of every process
# whose listing matches NAME. Because -o comm shows only the command name,
# the grep process itself never matches its own pattern.
function appmem(){
    if [ -z "$1" ]; then
        echo "appmem <string to filter>"
        echo "i.e. appmem httpd";
    else
        ps -Ao rsz,comm,pid | grep "$1"
    fi
}

You can then call this (after logging back in again, or sourcing ~/.bashrc, to load the function) using

appmem <filter>

Replacing <filter> with httpd, for instance, will give you output similar to the following:

 8032 httpd            6207
33080 httpd           13828
 8552 httpd           14095
28952 httpd           14102
 8540 httpd           14103
30848 httpd           16741
31296 httpd           16832
30452 httpd           18439
31044 httpd           19996
30968 httpd           23287
30356 httpd           23300
25636 httpd           24553
29712 httpd           24771
25588 httpd           24777
31632 httpd           24778
25608 httpd           24796
29716 httpd           24812
28152 httpd           24813
31684 httpd           31291

This shows resident memory in kilobytes, command and process id; you can see here that each httpd worker is sitting at roughly 30 MB (due to my optimizations, I highly recommend you read parts 1-3).
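What you usually want from that listing is the total, which the grep leaves you to add up by hand. The function below is an added example, not part of the original post: it reads `ps -Ao rsz,comm,pid` output on stdin, matches the comm field exactly (so httpd does not also pick up something like httpd-prefork, and the filter can never match itself), and prints the process count plus total and average RSS in kilobytes. The sample lines are constructed in the same layout as the listing above.

```bash
#!/bin/bash
# Added example (not from the original post): summarise resident memory for
# every process with a given command name, from `ps -Ao rsz,comm,pid` output.

# Constructed sample in the `ps -Ao rsz,comm,pid` layout.
SAMPLE_PS=' 8032 httpd            6207
33080 httpd           13828
 8552 httpd           14095
 1200 sshd             1001
 1900 mysqld           2002'

# ps_rss_summary NAME: read ps lines on stdin and print "count total_kb avg_kb"
# for processes whose comm field equals NAME exactly. Prints "0 0 0" when
# nothing matches so callers can still parse the result.
ps_rss_summary() {
    awk -v name="$1" '
        $2 == name { n++; total += $1 }
        END {
            if (n == 0) { print "0 0 0" }
            else { printf "%d %d %d\n", n, total, total / n }
        }'
}

# Live usage:  ps -Ao rsz,comm,pid | ps_rss_summary httpd
printf '%s\n' "$SAMPLE_PS" | ps_rss_summary httpd
```

Multiply the average by the MaxClients you have configured in httpd.conf and you have a quick sanity check that the box cannot be pushed into swap by a full complement of workers.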

Dump mysql data and compress on the fly

mysqldump -h <host> -u <user> -p <dbname> | bzip2 -c7 > /path/to/dump.sql.bz2

Self-explanatory, that one: it pipes the output from mysqldump through bzip2 (which compresses better than gzip, at the cost of more CPU time) and writes it to a file. If you _really_ need a gzipped file, just replace bzip2 with gzip in the line above. The -p with no attached value makes mysqldump prompt for the password rather than exposing it on the command line, which is what you want.

Ever needed a selection of passwords generated?

For this one you can use secpwgen:

# Generate 11 candidate passwords (numbered 0 to 10) with secpwgen, keeping
# only the password field from each run. Pick another function name if you
# have the pwgen package installed, so this does not shadow its binary.
function pwgen(){
        for (( i=0; i<=10; i++ )); do
                pw=$(secpwgen -Aadhs 10 2>&1 | grep ENTROPY | awk '{print $1}')
                echo "$i: $pw"
        done
}

Plant this in your ~/.bashrc for a callable function that will generate a selection of 11 secure passwords (numbered 0 to 10); handy when you're fed up of 1337-ifying everything.

example output:

0: 4>&B.\2R+--
1: )`WREEGZP{
2: ^)3"=F==|?0
3: ?1/|;;GF-2
4: [..///_([=AZ
5: }^%RC~U8//L
6: \//VNTQ[)->
7: @HE5@3)A%?
8: )|1C[BSIT*
9: C[//X^W<$G1
10: EOQ#Y%NI>-

Modify the “-Aadhs” args to your taste.

This concludes Volume 1 and a very long post; please contribute your one-liners / helper scripts via the comments.

Cheers

buzz


Comments 2 Comments »

I've no idea to this day why my bash script would not work with a CSV export from MySQL by simply using mysql -e "SQL COMMAND HERE".

So I had to come up with a workaround quickly.

This led to using expect. Scripting in this manner can be used for numerous purposes; I am currently in the process of writing a few test scripts using Tcl and this package for POP, IMAP and SMTP testing.

#!/usr/bin/expect -f
# Drive an interactive mysql session to export a table to a CSV file.
# The password is stored in this file, so keep it readable by you alone
# (chmod 600) and do not commit it anywhere shared.
set DB "<database>"
set USER "<user>"
set PASS "<password>"
set TABLE "<table>"

spawn mysql -u $USER -p $DB
match_max 100000
expect -exact "assword: "
send -- "$PASS\r"

# Without FIELDS TERMINATED BY the output would be tab-separated, not CSV.
set SQL "SELECT * INTO OUTFILE '/tmp/csvfile.csv' FIELDS TERMINATED BY ',' FROM $TABLE"

expect -exact "mysql> "
send -- "$SQL;\r"
expect -exact "mysql> "
send -- "exit\r"
expect eof

Pretty simple really once you have the hang of it: you tell it what to expect and what to reply with. There are more advanced methods going on from here, including conditional sends based on the response.

I’ll be covering those soon.


Comments No Comments »

Strangely, I've had some people reporting issues with being prompted for a username and password when accessing files on svn.saiweb.co.uk.

It would appear that in mod_dav_svn-1.4.2-4.el5_3.1 this directive: AuthzSVNNoAuthWhenAnonymousAllowed

now defaults to Off. Well, that was a p.i.t.a. trying to track down, having never seen that directive in ANY of the documentation ...

Anyway, pass this on to others facing the same issue.


Comments 2 Comments »

The default install of vi is very basic, and as I spend a lot of my time in there I find syntax highlighting invaluable; to get it, however, you will need the vim-enhanced package.

So run the following to install the package, enable highlighting and set up an alias for vi (the last line applies the alias to the current shell without logging back in):

yum install vim-enhanced
echo "alias vi='/usr/bin/vim'" >> ~/.bashrc
echo "syntax on" >> ~/.vimrc
alias vi='/usr/bin/vim'

And you're done.


Comments No Comments »