Thursday, January 20, 2011

SSH sometimes screws up connection when terminal overflows?

I've got a problem with SSH on a Debian Lenny based server (it's a vHost within a Xen environment, booted on a Xen kernel). I hope someone can help me with this.

The SSH connection seems somehow getting screwed up frequently when the terminal overflows (new lines beyond the bottom of the terminal, usually forcing it to scroll). The connection gets lost but not regularly disconnected. It nearly always happens when I do the following:

  • an existing SSH connection gets disconnected (regularly)
  • I order putty to reestablish the connection
  • login-prompt appears at the very bottom of the putty terminal window
  • I enter my login-name, press the enter key
  • I'm asked for the password, I enter it, press the enter key and BOOM! Nothing more happens. I have to reconnect again.

So it is reproducable.

I'm not totally sure if the connection crashes before or after I enter the password.

Furthermore it also happens when there is much text to be displayed (for example when I compile something or do an ls -l on a directory with many entries).

Using 'screen', however, helps to reduces the frequency of occurence but doesn't solve the problem completely.

It's occurence is independent from which terminal software I use. I mostly use putty but it also happens with other clients.

I certainly hope somebody can help me solving this problem.

Thanks in advance!

//edit: I've just made a Wireshark trace of the ssh connection and there is nothing, I repeat, nothing different between the working and the failing connection (at least aside from frame numbers, ports and times that obviously can't be equal). This leads me to the assumption that the error has to happen on the server's side.

From serverfault SeveQ

  • From your initial descriptions, it appears that some special character communication is being escaped to do something to the SSH shell itself.
    These are some things you can try,

    1. Keep a wireshark track to check if the SSH connection actually shows a TCP-FIN sequence when you get a stall (check how this happens in the wireshark view when you exit a normal connection for a reference).
      • if the FIN sequence is not seen the SSH has stalled in some way (not closed)
    2. When you are stalled try the key sequence Ctrl+Q

    You can also try to eliminate specific end-point behavior with these things if any of them can be done in your setup,

    1. Try to reproduce from another client machine and the same server
    2. Try to reproduce with the same client machine on a different server
    3. Try to run the client with '-v -v -v' debug logging options
    4. Try to run the server with '-d -d -d' debug logging options (look at /var/log/syslog or /var/log/auth.log for the server debug messages
    5. When you get a reproduction with screen does it continue to stall when you attempt a disconnect and reconnect: "-D -R" on the screen?
    SeveQ : I have tried starting the ssh server with the triple -d. It logged everything on the console. So here is what I got... first the connection that worked: http://pastebin.com/bWZabYaG and the connection that got lost while logging in (where the login prompt was at the very bottom of the terminal): http://pastebin.com/rA5fziZ6
    Marco Ramos : +1 for the excellent and detailed answer. I'd also recommend a strace to trace system calls.
    From nik

  • Sounds like your connection gets dropped when you start to reach the maximum packet size for the TCP connection. With SSH, normally transfers are of fairly small data and you remain well below MTU.

    Is there a firewall inbetween which is dropping all ICMP packets? Is there a router numbered in RFC1918 address space?

    As a crude hack, if you run, as root, on the server:

    ifconfig eth0 mtu 1420

    does that alleviate the problem? If so, Path MTU Discovery is broken (misconfigured firewall somewhere) and you have a link in the way which has a lower MTU than the links local to each end-point. You haven't solved the problem, you've hacked around it by lowering the MTU at the server side.

    From Phil P
Posted by Mu Cat at 6:57 AM 0 comments

Trying Apache 2 with SSL, I'm getting an "Invalid command '-----BEGIN', on my .CRT

I went through this tutorial http://www.vanemery.com/Linux/Apache/apache-SSL.html setting up my SSL on Apache2. But when I attempt to start my server I get this error:

Syntax error on line 1 of /etc/apache2/conf.d/ssl.crt/foo-server.crt: Invalid command '-----BEGIN', perhaps misspelled or defined by a module not included in the server configuration

What does it seem like I'm missing in my Apache setup? How can I check?

Aay help is greatly appreciated!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

below is my vhost file:

<IfModule mod_ssl.c>

  <VirtualHost *:443>
    ServerName  foo.ca
    ServerAlias www.foo.ca

    RailsEnv development

    DocumentRoot /home/dan/rails/foo/public

    SSLEngine On
    SSLCipherSuite HIGH:MEDIUM
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/apache2/conf.d/ssl.crt/foo-server.crt
    SSLCertificateKeyFile /etc/apache2/conf.d/ssl.key/foo-server.key
    SSLCertificateChainFile /etc/apache2/conf.d/ssl.crt/foo-ca.crt
    SSLCertificateFile /etc/apache2/conf.d/ssl.crt/foo-ca.crt

    <Directory "/home/dan/rails/foo/public">
      Order allow,deny
      Allow from all
    </Directory>

  </VirtualHost>

</IfModule>
From serverfault $pageUsers[$entry.posts[0].author].name

  • Check your include directive. It appears httpd is trying to run your certificate file as if it was a configuration file. So the "---begin RSA key" at the start of certificate file is getting handled like an (invalid) command. In your main httpd.conf file, I'm betting your include is something like this: Include conf.d/ssl.crt/* when it should be more like this: Include conf.d/ssl.crt/*.conf or Include conf.d/*.conf

    Include is used to pull in all the additional configuration files for other httpd modules. One of which is ssl.conf. However, you don't want those keys to be treated like config files, else you get the error you're seeing.

    From Christopher Karel
Posted by Mu Cat at 6:57 AM 0 comments

Torrent caching

Hi friends!

I am looking for torrent caching software (like SQUID for http). Do you know any?

From serverfault TiFFolk

  • PeerApp can do that but probably doesn't suit the scale you are looking at.

    How many torrent users and what bandwidth/volume do you want to apply the cache to? What platform do you want to run it on? Do you need to handle a specific torrent app/protocol, and be able to cache SSL torrent downloads?

    From William

  • The mechanisms for doing this are now built into the bittorrent protocol: http://en.wikipedia.org/wiki/Cache_Discovery_Protocol

    However as mentioned in the article, to date no specs have been released to allow support.

    From Chris Thorpe
Posted by Mu Cat at 6:57 AM 0 comments

Will a wildcard CNAME take precedence over a named CNAME record ?

Hi Guys,

Generally wondering whether its possible to have both a CNAME entry with a " * " to domain and a seperate subdomain mapping i.e. like

*              | CNAME | domain.com
bla.domain.com | CNAME | some.example.com

Is this possible or does the * overwrite the "bla.domain.com" and therefore when you enter "bla.domain.com" you go to "domain.com" ?

From serverfault $pageUsers[$entry.posts[0].author].name

  • In BIND, the wildcard matches when another record does not exist. See http://en.wikipedia.org/wiki/Wildcard_DNS_record.

    BrianEss : Not just BIND, any RFC 1912 DNS server will do this.
    Alnitak : RFC1912 is telling _operators_ how not to do wildcards. RFC 1035 is the one that _servers_ comply with.
    From Warner

  • A more specific entry always overrides a wildcard, not the other way around.

    For chapter and verse, see §4.3.3 of RFC 1034.

    From Alnitak
Posted by Mu Cat at 6:57 AM 0 comments

PostgreSQL user permissions

I have a PostgreSQL database on a Debian box and i've (from the shell):

su postgres
createdb dnls
createuser dnls -P
Enter password for new user: somepass [enter]
Enter it again: somepass [enter]
Shall the new user be allowed to create databases? (y/n) n [enter]
Shall the new user be allowed to create more new users? (y/n) n [enter]

After that i added the user/pass/dbname in my Django app settings.py and then i did a manage.py syncdb and django created the tables for my models.

How come the dnls user has read/write permissions to dnls database?
I did not gived him any permissions anywhere.
Does he has access just because the database has the same name as him? This doesn't look secure.

From serverfault daniels

  • Your new user didn't automatically get read/write permission to your database just because his name is the same as the database. You will find that info if you consult the createdb and createuser man pages.

    What IS going on is that even though that user is not the owner, he has rights to read/write to all databases that aren't specifically restricted. This is controlled by the template that is used during the database creation. If you don't like that behavior, you can create your own template and in the future use the template during database creation.

    daniels : So this is happening only because i created the users using 'createuser'? If i would've created him using SQL (psql, and create user dnls...) then he wouldn't had access until i explicitly given him?
    Magnus Hagander : No, it's because the default permissions on the PUBLIC schema is that anybody can create objects in it (as the answer says, you can change this by changing the template - or you can change it directly in your target database). Once that is done, the user becomes the owner of those objects, and thus have permissions. It doesn't matter which way you create your user - "createuser" just calls the same SQL command you'd call manually.
    From Josh Budde
Posted by Mu Cat at 6:57 AM 0 comments

Toshiba eStudio 281c turn off snmp in driver.

I have a customer with an eStudio 281c colour copier/printer and I'm having an issue with terminal services.

Basically, the driver has the ability to query the printer for its configuration over snmp. I've set it to manual rather than auto so it's effectively switched off. Trouble is, when logging into terminal services it's still trying to communicate with the printer. This is an issue because when it fails it then defaults to being a different printer model with a different tray configuration. Users can still print but the settings are wrong.

Any ideas?

From serverfault Matt

  • getting exactly the same problem with the 3520C model...

    Dennis Williamson : This should have been posted as a comment instead of an answer.
    From jimmy
Posted by Mu Cat at 6:57 AM 0 comments

Linux IPTables / routing issue

Hi all,

EDIT 1/3/10 22:00 GMT - rewrote some of it after further investigation

It has been a while since I looked at IPtables and I seem to be worse than before as I can not seem to get my webserver online. Below is my firewall rules on the gateway server that is running the dhcp server accessing the net. The webserver is inside my network on a static IP (192.168.0.98, default port).

When I use Nmap or GRC.com I see that port 80 is open on the gateway server but when I browse to it, (via public URL. http://www.houseofhawkins.com) it always fails with a connection error, (nmap cannot connect and figure out what the web server is either).

I can nmap the webserver and browse to it just fine via same IP inside my network. I believe it is my IPTable rules that are not letting it through.

Internally I can route all my requests. Each machine can browse to the website and traffic works just fine. I can MSTSC / ssh to all the webservers internally and they inturn can connect to the web.

IPTABLE:

*EDIT - Added new firewall rules 2/3/10 *

#!/bin/sh

iptables="/sbin/iptables"
modprobe="/sbin/modprobe"
depmod="/sbin/depmod"

EXTIF="eth2"
INTIF="eth1"

load () {

  $depmod -a

  $modprobe ip_tables
  $modprobe ip_conntrack
  $modprobe ip_conntrack_ftp
  $modprobe ip_conntrack_irc
  $modprobe iptable_nat
  $modprobe ip_nat_ftp

echo "enable forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "enable dynamic addr"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# start firewall

  # default policies
  $iptables -P INPUT DROP
  $iptables -F INPUT
  $iptables -P OUTPUT DROP
  $iptables -F OUTPUT
  $iptables -P FORWARD DROP
  $iptables -F FORWARD
  $iptables -t nat -F

#echo "   Opening loopback interface for socket based services."
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

#echo "   Allow all connections OUT and only existing and related ones IN"
$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o $EXTIF -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$iptables -A FORWARD -j LOG  --log-level 7 --log-prefix "Dropped by firewall: "

$iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
$iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "

#echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A OUTPUT -o $INTIF -j ACCEPT

#echo "   Allowing packets with ICMP data (i.e. ping)."
$iptables -A INPUT -p icmp -j ACCEPT
$iptables -A OUTPUT -p icmp -j ACCEPT

$iptables -A INPUT -p udp -i $INTIF --dport 67 -m state --state NEW -j ACCEPT

#echo "   Port 137 is for NetBIOS."
$iptables -A INPUT -i $INTIF -p udp --dport 137 -j ACCEPT
$iptables -A OUTPUT -o $INTIF -p udp --dport 137 -j ACCEPT

#echo "   Opening port 53 for DNS queries."
$iptables -A INPUT -p udp -i $EXTIF --sport 53 -j ACCEPT

#echo "   opening Apache webserver"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 80 -j DNAT --to 192.168.0.96:80
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.0.96 --dport 80 -j ACCEPT

}

flush () {

   echo "flushing rules..." $iptables -P FORWARD ACCEPT
   $iptables -F INPUT
   $iptables -P INPUT ACCEPT
   echo "rules flushed"

}

case "$1" in

   start|restart)
     flush
     load
     ;;
   stop)
     flush
     ;;
*)
    echo "usage: start|stop|restart."
    ;;

esac
exit 0

route info:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
5e0412a6.bb.sky *               255.255.255.255 UH    0      0        0 eth2
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         5e0412a6.bb.sky 0.0.0.0         UG    100    0        0 eth2

ifconfig:

eth1      Link encap:Ethernet  HWaddr 00:22:b0:cf:4a:1c
      inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
      inet6 addr: fe80::222:b0ff:fecf:4a1c/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:79023 errors:0 dropped:0 overruns:0 frame:0
      TX packets:57786 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:11580918 (11.5 MB)  TX bytes:22872030 (22.8 MB)
      Interrupt:17 Base address:0x2b00

eth2      Link encap:Ethernet  HWaddr 00:0c:f1:7c:45:5b
      inet addr:94.4.18.166  Bcast:94.4.18.166  Mask:255.255.255.255
      inet6 addr: fe80::20c:f1ff:fe7c:455b/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:57038 errors:0 dropped:0 overruns:0 frame:0
      TX packets:34532 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:21631721 (21.6 MB)  TX bytes:7685444 (7.6 MB)

lo        Link encap:Local Loopback
      inet addr:127.0.0.1  Mask:255.0.0.0
      inet6 addr: ::1/128 Scope:Host
      UP LOOPBACK RUNNING  MTU:16436  Metric:1
      RX packets:16 errors:0 dropped:0 overruns:0 frame:0
      TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:1517 (1.5 KB)  TX bytes:1517 (1.5 KB)

EDIT

OK so as requested I will try and expand on my infrastructure:

I previously had it setup with a Sky broadband modem router that did the DHCP and I used its web interface to port forward the web across to the web server. The network looked something like this:

Layout Graphic

I have now replaced the sky modem with a dlink modem which gives the IP to the gateway server that now does the DHCP. It looks like:

Layout Graphic

The internet connection is a standard broadband connection with a dynamic IP, (use zoneedit.com to keep it updated).

I have tried it on each of the webservers(one Ubuntu Apache server and one WS2008 IIS7).

I think there must also be an issue with my IPTable rules as it can route to my win7 box which has the default IIS7 page and that would not display when I forwarded all port 80 to it.

I would be really grateful for any and all help with this.

Thanks

Jon

From serverfault Jon

  • Please describe in detail how all your servers are physically connected including ethernet cable routing and any switch configuration.

    You may have issues using network address translation via your gateway, as it's daisy-chained to a router. What sort of router? What sort of Internet connection? Can you connect your gateway directly to the Internet? It should be the primary router.

    Regardless, we should be able to isolate the cause of the communication issue with your gateway and Web server.

    Do you have any firewall rules on your Web server? Please verify and be certain.

    What does the routing table and interface list look like on your Web server?

    Enable logging for easier debugging:

    $iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
$iptables -A OUTPUT -j LOG -log-level 7 --log-prefix "Dropped by firewall: "


    Edit 1

    Thanks for the update and diagrams. Good stuff. I'm not certain that I understand the difference in performance between the IIS and Apache server. Can both be contacted via the gateway on port 80?

    Have you added the logging statements? That will help.

    I will review everything in detail again later this evening.

    Edit 2

    Oh, it sounds like the DNAT doesn't work. Previously, it read like you were having trouble communicating internally between your gateway and your Web servers as well.

    Try replacing:

    $iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 80 -j DNAT --to 192.168.0.98:80 $iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.0.98 --dport 80 -j ACCEPT

    With:

    $iptables -A PREROUTING -t nat -p tcp -d 94.4.18.166 --dport 80 -j DNAT --to-destination 192.168.0.98:80

    Edit 3

    Script it. For example:

    EXTIP=`/sbin/ifconfig $EXTINT | grep 'inet addr' |awk '{print $2}' | sed 's/addr://g'`
$iptables -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 -j DNAT --to-destination 192.168.0.98:80`

    Any additional logic can be added based on whatever desired performance.

    Jon : added logging and pics / description of network.
    Jon : Hi Warner, added the two log statements in. Not sure where it records the logging in the system. couldn't find anything saying "Dropped by firewall:" Thanks for the help, very grateful. Have updated my post with new info.
    Jon : Hi Warner, I am worried that this solution may work at the moment but I have a dynamic public IP and when that changed the firewalls would break again.
    Jon : oh that's clever!!!! (will look at that tonight). I think I might have found something out, (at work atm), but it would seem the site is working from outside my home network, but no one is home to test if it is working side network. I am guessing that there is something happening from inside my network that is stopping the routing working correctly, but from the outside world it works fine. Will have to check and confirm this tonight.
    Warner : It wasn't last night but is now. I suspect you changed the rules?
    Jon : I will have to double check and repost the new rule set. I was working through a number of sites checking what may have wrong. Thanks for all the help, very grateful. :)
    Warner : You're welcome! Just don't forget to rate/accept, please.
    Jon : OK, updated firewall rules. Thought I would install gnome desktop on server just to see what the browser can do from there and it can see the internal webserver.
    From Warner
Posted by Mu Cat at 6:57 AM 0 comments

OS X Server not showing in Windows Vista Shared

I have OS X Server installed. I am using Window Vista on a PC. But on my network I can't see the OS X server. But I can see other Mac computers in shared but not OS X server.

I am able to ping the IP.

What should I do?

From serverfault Master

  • On the OS X server you should disable the builtin Firewall (if you have it enabled) and enable the Windows file sharing service in Server Admin.

    Master : There is no problem with OSX as all other computer on netwrok can see it
    Master : even ubutntu can see the server but not windows vista
    From Josh Budde
Posted by Mu Cat at 6:57 AM 0 comments

Are there any hosting plans that allow multiple sites to be hosted out of the same account?

I have a couple of sites which I would like to host out of the same account and each should be accessible by their unique domain name (not out of a sub directory or sub-domain) instead of paying individually for several hosts. Are there any companies out there that allows this (or is this not possible on a technical level?). I am not looking for a dedicated but a shared host.

Thanks.

From serverfault $pageUsers[$entry.posts[0].author].name

  • You could buy a reseller account and create sub-accounts for each domain. There is also the possibility of just using a regular shared hosting account with cPanel as long as the plan offered by the host supports "add-on" domains, in which case they will all sit in your public_html in their own directory.

    Chris S : Many hosts will let you share your capacity/transfer among several domains and VirtualHost each in it's own directory as gekkz points out. Just find a hosting provider you like and give them a call (they don't bite, just make the call).
    From gekkz

  • We do exactly that using a shared hosting account at PerformanceHosting. We're currently running 6 domains under the one account.

    From John Gardeniers

  • I don't like to promote these guys any more since they were bought out and their service went to hell, but I used www.dotable.com for years and years, and they have multi-domain accounts which permit this.

    From Farseeker

  • Most web hosting company offer such plan. Having multiple sites sometimes mean you may need more support than usual. I suggest you look for quality support above everything, features and price comes next.

    From Embreau
Posted by Mu Cat at 6:57 AM 0 comments

Downloading file with different unique name

How to download file with different unique name each time

wget -O image.jpg "http://localhost/cgi-bin/nph-zms?mode=single&monitor=1"

Using wget's -O option overwrites file each time. What I want is: image-1.jpg, image-2.jpg, image-3.jpg etc. each time wget is run from cron.

From serverfault 
  • wget -O image-`date +%H`.jpg "http://localhost/cgi-bin/nph-zms?mode=single&monitor=1"

    If you are doing an hourly check. From looking at the URL you appear to be grabbing it from a webcam.

    Your images should be labeled as:

    • image-01
    • image-02
    • [...]
    • image-14
    • image-15
    • [...]
    : Thanks, exactly what I need.
    freedom_is_chaos : Just realize that unless you throw another option to make like the day or something that it will overwrite the images daily.
    From freedom_is_chaos 
  • ser=$(</var/local/image.ser); echo $((++ser)) > /var/local/image.ser; wget -O image-${ser}.jpg "http://localhost/cgi-bin/nph-zms?mode=single&monitor=1"
    From Dennis Williamson
Posted by Mu Cat at 6:57 AM 0 comments

can't backup to a NAS drive as offline schedule task

I have seen this problem issue discussed in several forums including this one, but could not find a solution. On MS server 2003 I configured a Backup task, the target backup is on a NAS disc (Seagate BlackArmor NAS 110). The backup task is working well as a scheduled task or by a direct command, when I am logged on. It is not working when the user is offline (in this case - Administrator).

I already tried the following actions: 1) addressing to the target as network drive (Y:location..), 2)Using UNC instead, 3) making the drive a domain member (the NAS admin S/W allows to define itself as a domain member) The result log message for 1 and 2 is: "The operation was not performed because the specified media cannot be found." The result log message for 3 is empty file. The schedule task "RUN" command is: C:\WINDOWS\system32\ntbackup.exe backup "@C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\de-board.bks" /a /d "Set created 2/14/2010 at 5:10 PM" /v:yes /r:no /rs:no /hc:off /m incremental /j "de-board" /l:s /f "\10.0.0.8\public\Backups\IBMServer\de-board.bkf" 10.0.0.8 is the static IP of the NAS. "Run only if logged on" is NOT marked. Password of the administrator user is set.

It is obvious that there is no access to the NAS when the user is logged-out. Do you have any idea how can I solve it?

Thanks

From serverfault $pageUsers[$entry.posts[0].author].name

  • Have you tried using a service account rather than a user account.

    From technet:

    A service account is often described as any account that does not correspond to an actual person. These are often built-in accounts that services use to access resources they need to perform their activities.

    http://technet.microsoft.com/en-us/library/cc875826.aspx

    From fergNab
Posted by Mu Cat at 6:57 AM 0 comments

What's the equivalent of <Location> in .htaccess?

Hi,

I'm setting up Trac, and want to password protect the login page, as suggested here. I'm on a shared hosting setup, so I can't modify the httpd.conf, I have to use .htacces. How do I restrict just the login page without restricting other pages? The Trac docs suggest:

<Location "/trac/login">
  AuthType Basic
  AuthName "Trac"
  AuthUserFile /somewhere/trac.htpasswd
  Require valid-user
</Location>

But the Location tag is only for httpd.conf, it doesn't work in .htaccess. How can I get the same effect? There's no "login" directory to put a .htaccess file into, it needs to go into the main trac directory.

From serverfault Martin C. Martin

  • This is just a guess, but can you place that in a .htaccess file, minus the <Location> and </Location> tags, inside the /trac/login directory?

    Also, be sure to have your htpasswd file outside the document root (commonly public_html) otherwise it can be downloaded and cracked.

    From mlambie

  • It turns out, dreamhost has a page on this very problem. Short answer: there's no good way to do it through apache configuration, so use the TracAccountManager plugin instead.

    From Martin C. Martin
Posted by Mu Cat at 6:57 AM 0 comments

How can I monitor whether my HDDs are in standby?

How can I monitor if/when and for how long my hard drives go into standby?

I've a Windows Server with a RAID5 (software) for data and another regular disk on which the OS is installed. I want to make sure that the RAID goes into standby when no data is read (i.e. no background task I'm currently unaware of accesses the drives and disrupts their standby).

Ideally, I'd like to see some sort of graph that has the last couple of hours on the x-axis and the disk state (busy, idle, standby) on the y-axis.

Is there a tool that does that or do I need to code it myself? If so, can I access this information via a command line tool or do I need to dig into the depths of the Windows API?

Edit: It would of course be completely awesome if such a tool could log which process interrupted the standby.

From serverfault n3rd

  • If you're looking to just be able to look at a window and see if the disks are being accessed, the Resource Monitor (accessible through the task manager) will let you look at what processes are reading/writing what files (and from there you can see what partition the files are on). If you want it logged, I believe this should be doable through creating a log in the Reliability and Performance Monitor, though apart from pointing you in that direction I can't give a step by step process.

    From Solipsism

  • You can use the windows port of hdparm to view/modify the power state of individual drives. ( hdparm -C ) - the Cygwin package works fine for me. Note that it doesn't make any sense to ask if your RAID is in standby (as it's in software), only the component disks.

    You may have better luck with a vendor-specific drive tool.

    As far as pretty pictures go, the Performance Monitor -> LogicalDisk provider is pretty flexible.

    As far as tracing the program that caused a disk access, you could use something like diskmon.

    If you could get all of these integrated in one place, I think that would be a pretty cool tool.

    From quadruplebucky
Posted by Mu Cat at 6:57 AM 0 comments

Is there a PC software to manage a dedicated server

Hi..

I have a dedicated server running "debian GNU/linux" and i want a cpanel like which is a pc software based, so i can manage the server without a browser.

Maybe some software use SSH to process the queries or something like that.

i should be able to manage pop3 emails and mysql databases and so on....

Thanks

From serverfault Tom

  • What's the point of using SSH queries? Security? Then use SSL on your web connections. Any other program is just mimicking a web server-client model, and introducing more points of security holes onto the server.

    Use already good code that works, use it securely and intelligently.

    Otherwise, learn the commands yourself and use ssh via putty remotely.

    John Gardeniers : +1 for "learn the commands".
    From freedom_is_chaos
Posted by Mu Cat at 6:57 AM 0 comments

Cisco PIX Port Fort Forwarding

I have the pix running on this network range

192.100.10.0 255.255.255.0

And my server which is on the network

192.200.10.0 255.255.255.0

And my servers IP: 192.200.10.11

I added these commands into the conf of the PIX

static (inside,outside) tcp interface 80 192.200.10.11 80 netmask 255.255.255.255
access-list outside-inbound permit tcp any host xx.xx.xx.20 eq 80

Where the xx.xx.xx.20 is my Pix's External IP

I cant seem to access the port from the outside. What am i doing Wrong?

From serverfault Shahmir Javaid

  • I think 'interface' needs to be replaced with the external IP.

    Shahmir Javaid : That dont work for me it moans about the external interface being the same as the outside interface of the PIX
    From Chris Thorpe
Posted by Mu Cat at 6:57 AM 0 comments

PHP FastCGI HTTP Error 500 on Windows 7

I've just installed PHP (5.3.1) and MySQL (5.1.44) on my development machine. Then I used the Web Platform Installer to install a copy of Joomla and Drupal.

However, when I tried to browse either site application, I get a HTTP Error 500:

Module  FastCgiModule
Notification    ExecuteRequestHandler
Handler PHP_via_FastCGI
Error Code  0x00000000
Requested URL   http://localhost:808/drupal/index.php
Physical Path   D:\Projects\drupal\index.php
Logon Method    Anonymous
Logon User  Anonymous

PHPInfo.php reports that FastCGI is configured (not sure if that is significant). Sure the fact that PHPInfo.php reports anything is perhaps an indication that PHP itself is working...?

I'm struggling to know where to look for a solution... Each application appears to be configure similarly to my other [ASP/ASP.NET] applications.

From serverfault CJM

  • Do you have custom error pages enabled?

    If so, IIS will replace the error output that PHP gives you with a custom error page. Try disabling that, et voila, there is your debug output.

    Probably a script error.

    CJM : No, custom error pages are not enabled. While it could be a script error, it would be a little surprising given that both Drupal and Joomla are similarly affected, and given that they were default installations from the Web Platform Installer (i.e. meant to be easy installs).
    From Matthias Vance
Posted by Mu Cat at 6:57 AM 0 comments

virtual machine to another computer?

i am using windows xp as a virtual machine installed on windows 7. my laptop(computer A) is connected to another computer(B) through a lan cable. what configuration should i make (what settings should i put on vmware, default gateway...) in order to successfully ping from machine B to the XP virtual machine on laptop A.

so in other words i want to connect my virtual machine to another computer.

From serverfault $pageUsers[$entry.posts[0].author].name

  • Simply configure the network adapter on VMWare to bind on your physical network adapter.

    Earlz : Yup, I'm not sure about VMWare, but in Virtual Box this is called "Bridge Mode"
    From Paulo Santos
Posted by Mu Cat at 6:57 AM 0 comments

Openvpn for client/server in same subnet

Apologies in advance of lack of clickable links, I am a new user and limited to 1 hyperlink (actually, I can't even get 1 to work, links are at the bottom)

I'm trying to openvpn into an office network (192.168.1.0/24) from a client sitting on a network with the same subnet (also 192.168.1.0/24). It is a linux (ubuntu 9.10) server and windows client.

I followed this ubuntu openvpn community documentation guide (REF 1) and from what I can tell the base connection works fine. Of course I get a bunch of error/warnings about ip address collisions.

I was then trying to follow this guide on 'Dirty NAT tricks to get a VPN to work with clients also numbered in the private address space' (REF 2) but have not been successful. While I have a theoretical understanding of routing/masquerading I have relatively little practical experience and am unsure what is wrong.

Thus far, I have gotten to the point where the client connects to the server and is assigned an IP 10.22.8.10. However I am unable to ping the server ip 10.22.8.1 like the documentation suggests I should be able to.

The server config is basically identical to (REF1) with the modifications from (REF2), i.e. setting the 'server-bridge 10.22.8.1 255.255.255.0 10.22.8.10 10.22.8.120' and 'push "route 10.22.0.0 255.255.0.0 10.22.8.1"'. In addition I add the tap interface configuration commands to up.sh.

The client config remains the same as (REF1).

Server 'ifconfig tap0' (edit: sorry if this looks screwy. In the preview pane of editing this post it looks fine)

tap0 Link encap:Ethernet HWaddr ee:ee:a8:04:8a:fc inet addr:10.22.8.1 Bcast:0.0.0.0 Mask:255.255.255.0 inet6 addr: fe80::ecee:a8ff:fe04:8afc/64 Scope:Link UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1 RX packets:610 errors:0 dropped:0 overruns:0 frame:0 TX packets:4533 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:111341 (111.3 KB) TX bytes:650830 (650.8 KB)

The client log on connection:

  Mon Mar 01 00:30:13 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009  
    Mon Mar 01 00:30:13 2010 WARNING: No server certificate verification method has been enabled.  See URL-REDACTED for more info.
    Mon Mar 01 00:30:13 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mon Mar 01 00:30:13 2010 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
    Mon Mar 01 00:30:13 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 00:30:13 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 00:30:13 2010 LZO compression initialized
    Mon Mar 01 00:30:13 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Mon Mar 01 00:30:13 2010 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Mon Mar 01 00:30:13 2010 Local Options hash (VER=V4): '13a273ba'
    Mon Mar 01 00:30:13 2010 Expected Remote Options hash (VER=V4): '360696c5'
    Mon Mar 01 00:30:13 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Mon Mar 01 00:30:13 2010 UDPv4 link local: [undef]
    Mon Mar 01 00:30:13 2010 UDPv4 link remote: REDACTED:1194
    Mon Mar 01 00:30:13 2010 TLS: Initial packet from REDACTED:1194, sid=11055cf2 cc0d1ea0
    Mon Mar 01 00:30:14 2010 VERIFY OK: depth=1, REDACTED
    Mon Mar 01 00:30:14 2010 VERIFY OK: depth=0, REDACTED
    Mon Mar 01 00:30:14 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Mar 01 00:30:14 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 00:30:14 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Mar 01 00:30:14 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 00:30:14 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Mon Mar 01 00:30:14 2010 [server] Peer Connection Initiated with REDACTED:1194
    Mon Mar 01 00:30:17 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Mon Mar 01 00:30:17 2010 PUSH: Received control message: 'PUSH_REPLY,route 10.22.0.0 255.255.0.0 10.22.8.1,route-gateway 10.22.8.1,ping 10,ping-restart 120,ifconfig 10.22.8.10 255.255.255.0'
    Mon Mar 01 00:30:17 2010 OPTIONS IMPORT: timers and/or timeouts modified
    Mon Mar 01 00:30:17 2010 OPTIONS IMPORT: --ifconfig/up options modified
    Mon Mar 01 00:30:17 2010 OPTIONS IMPORT: route options modified
    Mon Mar 01 00:30:17 2010 OPTIONS IMPORT: route-related options modified
    Mon Mar 01 00:30:17 2010 ROUTE default_gateway=192.168.1.254
    Mon Mar 01 00:30:17 2010 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{7464875E-98E9-46AF-8F86-69FF32FFB722}.tap
    Mon Mar 01 00:30:17 2010 TAP-Win32 Driver Version 9.6 
    Mon Mar 01 00:30:17 2010 TAP-Win32 MTU=1500
    Mon Mar 01 00:30:17 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.22.8.10/255.255.255.0 on interface {7464875E-98E9-46AF-8F86-69FF32FFB722} [DHCP-serv: 10.22.8.0, lease-time: 31536000]
    Mon Mar 01 00:30:17 2010 Successful ARP Flush on interface [33] {7464875E-98E9-46AF-8F86-69FF32FFB722}
    Mon Mar 01 00:30:22 2010 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
    Mon Mar 01 00:30:22 2010 C:\WINDOWS\system32\route.exe ADD 10.22.0.0 MASK 255.255.0.0 10.22.8.1
    Mon Mar 01 00:30:22 2010 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Mon Mar 01 00:30:22 2010 Route addition via IPAPI succeeded [adaptive]
    Mon Mar 01 00:30:22 2010 Initialization Sequence Completed
    Mon Mar 01 01:30:14 2010 TLS: soft reset sec=0 bytes=648728/0 pkts=3922/0
    Mon Mar 01 01:30:14 2010 VERIFY OK: depth=1, REDACTED
    Mon Mar 01 01:30:14 2010 VERIFY OK: depth=0, REDACTED
    Mon Mar 01 01:30:15 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Mar 01 01:30:15 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 01:30:15 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Mar 01 01:30:15 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar 01 01:30:15 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

The client route seems to be pushed ok (route print):

  Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.23     25
        10.22.0.0      255.255.0.0        10.22.8.1       10.22.8.10     30
        10.22.8.0    255.255.255.0         On-link        10.22.8.10    286
       10.22.8.10  255.255.255.255         On-link        10.22.8.10    286
      10.22.8.255  255.255.255.255         On-link        10.22.8.10    286
    ...

However when I try to get to 10.22.8.1 it still seems to want to hop out of my local internet connection:

  C:\Windows\system32>tracert 10.22.8.1
    Tracing route to 10.22.8.1 over a maximum of 30 hops
      1     1 ms     1 ms     1 ms  home.gateway [192.168.1.254]
      2  nexthop.qld.iinet.net.au [203.55.228.88]  reports: Destination net unreachable.

Can anybody advise me as to what I'm doing wrong (or alternatively, if there is an easy, more tenable way of doing what I want - note that as per solution #1 in ref.2, renaming either subnet is not possible)

ref.1 https //help.ubuntu.com/community/OpenVPN

ref.2 http //nimlabs.org/~nim/dirtynat.html

From serverfault fostandy

  • What you need to do, is to remove the default route and add a route specific only to your VPN server and mark it available through your local router.

    So, you should have 3 routes:

    vpn.example.com   255.255.255.255 gw 192.168.1.254
192.168.1.0       255.255.255.0   gw 10.22.8.1
0.0.0.0           0.0.0.0         gw 10.22.8.1
    From Hubert Kario
Posted by Mu Cat at 6:57 AM 0 comments

How to install windows on a server with no CD or DVD drive

Hello, I've found a few posts on this site, however my situation is different.

I have a new Dell server with no OS installed. And I would like to install Windows 2008 Web Edition.

I have a few USB ports and Ethernet. No CD or DVD drives.

Is this article the best & only way to proceed? Installing Windows 2008 via USB thumbdrive

Or should I just get a external hardrive and hook it up to a usb. Once the OS is installed I'll never need a DVD drive again - so that's idea is a waste of money.

From serverfault

  • Why not just connect a USB CD\DVD drive and install from there?

    mh : That's what I'd do. Chances are you're going to need that external drive again sometime, and it's not like they're hideously expensive anyway.
    John Gardeniers : This should be on every admin's "must have" list.
    From joeqwerty

  • I installed windows 7 via a bootable thumbdrive...really easy to do, and I assume windows 2008 would be about the same effort. It is not something that you need to do everyday for this server, so you really don't need the "best way", just anyway that works.

    From EJB

  • use unattended (http://unattended.sourceforge.net/) or RIS from Microsoft. We install all systems (windows/linux) from pxe and you know that they are all installed the way you wanted them to.

    Sure, it costs you more to do it the first times, but these is one of the things that when you implement then you say to yoursel: why didn't we do this before?

    From natxo asenjo
Posted by Mu Cat at 6:57 AM 0 comments

What is a a good serial-to-USB adapter?

Serial ports on devices are still used for many things, especially on network devices. However, most modern laptops no longer have serial (aka "COM") ports.

So what I'm curious about is: what is a good adapter, or chipset used in adapters, that people use?

Ideally it would simply be plug into a machine and Just Work(tm) without having to install any drivers. This way anyone on a sysadmin team could simply grab it and use it without having to find the software CD or going online to find drivers. Also, I guess it should Just Work(tm) on Windows XP & 7, Mac OS X (10.5?, 10.6), and preferably Linux (2.6+) as well.

From the serial end of things, connecting a light-blue Cisco cable to it should make things run for any RJ-45-type serial console found on a good portion of equipment nowadays. (Generally assuming 9600 8N1.)

Thanks for any info.

From serverfault $pageUsers[$entry.posts[0].author].name
Posted by Mu Cat at 6:57 AM 0 comments

What should I do if a package has not installation candidates?

I am trying to install php5-sqlite3. In the command line I type:

sudo apt-get install php5-sqlite3

As I result I get:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package php5-sqlite3 is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package php5-sqlite3 has no installation candidate

What is happening here and how I can solve this problem?

From serverfault Roman

  • I think you want php5-sqlite.

    Roman : Thank you. It worked. I was able to install php5-sqlite and after that I was able to use sqlite from PHP without any additional changes.
    From alex

  • You could have found the package you were searching for by using:

    $ sudo apt-cache search php sqlite

    More information on the search command from the apt-cache man page:

    search regex [ regex ... ]

    search performs a full text search on all available package lists for the regex pattern given. It searches the package names and the descriptions for an occurrence of the regular expression and prints out the package name and the short description. If --full is given then output identical to show is produced for each matched package, and if --names-only is given then the long description is not searched, only the package name is.

    Separate arguments can be used to specify multiple search patterns that are anded together.

    From mrucci
Posted by Mu Cat at 6:57 AM 0 comments

Elastic IPs in Amazon EC2

When I use Elastic IPs in I can't use SSH. When I try to login, following message is show

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
From serverfault saturngod
Posted by Mu Cat at 6:57 AM 0 comments
Subscribe to: Posts (Atom)