I’ve recently migrated my server(s) to a new VPS, one which offers BSD as a hosting option. I have long been a fan of FreeBSD on my servers, so this was a deal I couldn’t pass up. I did, however, run into one fairly difficult problem based on my combination of FreeBSD and lighttpd web server. I felt it was important to blog about it so that “teh internets” could share the wisdom and, hopefully, others could solve this same issue quickly.
Problem
The web server seemed to work great. It was handling traffic efficiently. Logs were going where they were expected. Rewrites were working. All the main things that I would expect to test were working just fine. And then I uploaded a file. Hard lock. Panic. Do not pass go. Do not collect $200. This was bad. I was even able to reproduce it. Anytime I would upload a file to the server (in my case via WordPress upload form), the server would hard-lock and I’d have to manually bring it back up.
I needed to mount an .iso file this morning, which I’ve done dozens of times in Linux, and I realized the command I’d normally use in Linux does not work. For example:
Linux
    mount -o loop image.iso /mnt
This works fine in Linux and lets you “mount” the .iso file as if it were burned and in the drive. This does not work on FreeBSD. You get an error like:
    mount: image.iso mount option is unknown: Invalid argument
FreeBSD
The solution (the only one I’ve found so far) is to use a much more in-depth command like:
    mount_cd9660 -o ro /dev/$(mdconfig -a -t vnode -f /path/to/file.iso) /mount-point
Hopefully this little note helps someone else have less trouble than I did in mounting .iso images in FreeBSD.
I read an article today regarding an alleged Facebook-based virus from the “Fan Check” application. I will admit I’ve been sucked into the Facebook, but in my defense I primarily stick to just a few applications. Reading about this makes me glad that I’m running Chromium browser on Linux. I think, between the two of those, my chances of becoming infected are pretty slim. The chances of becoming infected with any kind of virus are pretty limited by using Linux in the first place, but that is pretty obvious. What I found interesting about this article and the related “infection” is that, so far, there haven’t been any proven cases of the Facebook application actually directly infecting anyone. The infection is caused by third-party websites provided through search engine results, and then by way of social engineering. Whether from the Facebook application or the third-party websites, this infection does not rely on browser vulnerabilities or outdated software.
I find that I run into this problem every time I reinstall Arch, so I figured it was time to document those pesky missing pieces. Considering Arch Linux is more of a “do-it-yourself” distribution, there are more pieces to the puzzle than you might find in Ubuntu or similar. In this short article I’ll outline everything required to play back DVDs on Arch Linux.
Required Packages
As is the problem with any major Linux distribution, DVD playback can’t be enabled by default for “potential patent issues”. The required packages have to be installed manually. This is done using the command:
    sudo pacman -S libdvdcss libdvdread
Required Groups
In order to have the required access to the audio, video and optical devices, the user needs to be in the required groups. You can ensure your user is in the required groups for DVD playback with the command:
    sudo gpasswd -a username audio,video,optical
I’ve been spending a lot of time lately researching FreeBSD security solutions. Topics such as pf (packet filter), system hardening, etc. One of the tips that I thought I’d share here is a method of configuring your system to use blowfish encryption for passwords as opposed to the default MD5. If you are on a system that has a lot of users it might be prudent to update the encryption type to make your stored passphrase safer.
Configure /etc/login.conf
The password format is stored within the /etc/login.conf file. The default value is “md5”. To update your configuration to use blowfish instead, make the following change to your file:
    - :passwd_format=md5:\
    + :passwd_format=blf:\
After you’ve made this change you’ll need to rehash the login database, which is done using the cap_mkdb command:
    cap_mkdb /etc/login.conf
At this point any newly assigned passwords will be created using blowfish instead of MD5.
I’m looking for some good pf (packet-filter) documentation if anyone has anything to suggest. I’ve added a second FreeBSD machine to my public-facing network, and may be adding a third soon. I want to make sure that my firewall is set up properly but I’m not very familiar with pf. Can anyone suggest a book, online document, etc. that has good examples for setting up pf?
A friend of mine shot me this article today (What’s cooking for FreeBSD 8?), which is a pretty detailed outline of the things coming up for FreeBSD 8. I have to say, some of the things have got me excited! Some of the highlights that I want to see:
* Parallel Ports Build (announcement)
* Jails v2 (commit message)
* Xen Dom-U support (wiki page)
There is actually quite a bit more, but those are the immediate ones that look like they’d noticeably affect me. I’d really love to have FreeBSD set up on a VPS via Xen, with Jails for each of my services. Currently I have that setup at home (jails), but it’s on old hardware that takes forever to compile. Parallel Ports Build would sure be a nice improvement, assuming the hardware can handle it (which my current hardware cannot). To any of you other FreeBSD users out there, what are you excited for in the list and why?
I don’t know how many times I have had to look up this information in the past. In hopes of learning-through-writing I’ve decided to publish these methods of recovering or resetting the MySQL root password.
Set Initial Password
If you’ve just installed MySQL and have never set the root password, a password is not yet needed. Until one is defined you should be able to access your database(s) without the password. To set a password for the first time you can use:
    mysqladmin -u root password NEWPASSWORD
Update Root Password
If you want to update or change the existing root password you can use:
    mysqladmin -u root -p'oldpassword' password newpass
You should note that this will require that you know the current password.
Recover Lost Password
If you have completely lost the MySQL root password and need to reset it, you can. This will require short downtime on your database(s).
Not long ago we rebuilt a number of servers within our production environment at work, migrating from FreeBSD to CentOS. One of the requirements in this migration was that we needed a server that would act as an SSH-only Jail on the new platform. This meant I needed to set up a system where users could SSH into a machine but the only thing they could do on that machine was SSH back out again. We used this as our “bounce” machine. Users would have outside access to their Desktops or other machines only by way of this secured SSH-only machine. The solution I found was a tool called “JailKit”, which allows you to create chroot jails in a very simple way. Below I’ll outline the requirements for installing JailKit and using it to create an SSH chrooted “Jail”.
Step 1: Install JailKit
I was unable to find an up to date package for JailKit on CentOS, so I did the following to install from source:
Today I have finally found some time to catch up on my blogging. I’ve got a whole slew of backlogged information that I want to post, so hopefully my fingers (and my brain!) can keep up long enough to get it all published. The topic I wanted to start with today is mrepo: RPM Repository Mirroring made easy. Mrepo is a tool developed by Dag Wieers of rpmforge fame. If you’ve ever run an RPM based distribution (Red Hat, Fedora, CentOS, etc) you’ve very likely heard of Dag Wieers. He keeps the package machine running and provides those packages not otherwise available in the core repositories. I read that he developed this tool to help streamline the creation and deployment of RPM mirrors and network install servers, which he so often needed in dealing with clients. I used this exact setup to create and maintain an internal repository for our company which supplies network-based installation capabilities for Red Hat Enterprise 3, 4 and 5, CentOS 3, 4 and 5, Fedora 10 and 11, and openSUSE.