HTTP Compression on Redhat / CentOS / Fedora

I was doing some testing on my server the other day, and realised that HTTP compression within Apache (httpd) was not enabled by default. Further digging showed me that mod_deflate was what I needed, and in fact it was installed by default on my CentOS box.

How to enable mod_deflate on CentOS: create /etc/httpd/conf.d/deflate.conf with the following contents

    # Insert filter
    SetOutputFilter DEFLATE

    # Netscape 4.x has some problems...
    BrowserMatch ^Mozilla/4 gzip-only-text/html

    # Netscape 4.06-4.08 have some more problems
    BrowserMatch ^Mozilla/4\.0[678] no-gzip

    # MSIE masquerades as Netscape, but it is fine
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

    # Don't compress images
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary

    # Don't compress already compressed stuff!
    SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary

    # Make sure proxies don't deliver the wrong content (needs mod_headers)
    Header append Vary User-Agent env=!dont-vary

    # Log stuff! (uncomment these to record the compression ratio per request)
    #DeflateFilterNote Input input_info
    #DeflateFilterNote Output output_info
    #DeflateFilterNote Ratio ratio_info
    #LogFormat '"%r" %{output_info}n/%{input_info}n (%{ratio_info}n%%)' deflate
    #CustomLog /var/log/httpd/deflate_log deflate

Restart httpd (/etc/init.d/httpd restart) and you're done :-)

References:

Extra Packages for Enterprise Linux… CentOS !

Why has it taken me so long to spot this? It looks like this draft was written on the 13th May; if I hadn't been just about to download FC7 I'd have missed it!

EPEL – Fedora Project Wiki
EPEL is a volunteer-based community effort from the Fedora project to create a repository of high-quality add-on packages that complement the Fedora-based Red Hat Enterprise Linux (RHEL) and its compatible spinoffs like CentOS or Scientific Linux.

About time, and thank you Red Hat/Fedora. Want Fedora extra packages in CentOS? Then install this epel-release .rpm. Frickin' sweet! :cool:

DenyHosts – Protecting against SSH Brute Force Attacks

If you look after a remote Linux box, the chances are you use SSH; in order to connect to it you may even have to leave port 22 open to the whole Internet!

There are some basic security steps you can take to protect SSH, such as blocking the root user from logging in and forcing users to use STRONG authentication.

Even after you've done all you can, logwatch will report that people are still wasting your time and resources trying to break in! This is where DenyHosts steps in: it's a small script (daemon) that keeps an eye on your SSH log file, and if it spots someone trying to brute-force your SSH accounts it adds them to hosts.deny (which acts like a firewall for some applications) and stops them from being able to connect.

I'm using Red Hat, so a pre-built rpm is available; if you already have DAG set up, you can use...

yum install denyhosts

I then had to run through the following steps (as root).

mkdir /usr/share/denyhosts
mkdir /usr/share/denyhosts/data/
echo '127.0.0.1' > /usr/share/denyhosts/data/allowed-hosts
cd /usr/share/denyhosts
cp /usr/share/doc/denyhosts-2.6/denyhosts.cfg-dist ./denyhosts.cfg
cp /usr/share/doc/denyhosts-2.6/daemon-control-dist ./daemon-control
chmod 700 /usr/share/denyhosts/daemon-control
ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
ln -s /usr/share/denyhosts/denyhosts.cfg /etc/denyhosts.cfg
/sbin/chkconfig denyhosts on

Once you've charged through that marathon, in /etc/denyhosts.cfg you may want to take a look at (and change) the following settings (variables):

PURGE_DENY =
ADMIN_EMAIL =
SMTP_FROM = DenyHosts <nobody@localhost>

Finally, once you're happy, start the DenyHosts service

/etc/init.d/denyhosts start

Now your logwatch report will show how many tries they had, and then Denied!

Refused incoming connections: 1.2.3.4  (some.name.com ): 2 Time(s)

Of course one option commonly suggested is to change the SSH port number from 22 to something else; whereas this will reduce the amount of attacks on the service, it does absolutely nothing to protect it. Of course you could do both; it's all a matter of choice :)
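To show what the DenyHosts daemon described above is actually doing, here is an added example (my own code, not DenyHosts itself) that runs the same logic once over a few constructed sshd log lines: count failed logins per source address, skip anything in the allowed-hosts list, and format hosts.deny entries for the rest. The threshold, the sample addresses and the regex are my assumptions for illustration.

```python
import re
from collections import Counter

# Pattern for the sshd failure lines a DenyHosts-style watcher keys on.
# Only "Failed password" lines are counted: the separate "Invalid user" line
# sshd emits for the same attempt would otherwise double-count it.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)"
)

# Constructed sample of /var/log/secure lines (documentation-range addresses,
# not real hosts).
SAMPLE_LOG = """\
May 13 04:12:01 box sshd[2345]: Accepted publickey for nick from 127.0.0.1 port 40001 ssh2
May 13 04:12:05 box sshd[2350]: Failed password for root from 192.0.2.10 port 51234 ssh2
May 13 04:12:06 box sshd[2350]: Failed password for root from 192.0.2.10 port 51234 ssh2
May 13 04:12:07 box sshd[2352]: Invalid user admin from 192.0.2.10
May 13 04:12:07 box sshd[2352]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
May 13 04:12:09 box sshd[2355]: Failed password for invalid user test from 192.0.2.10 port 51241 ssh2
May 13 04:12:11 box sshd[2357]: Failed password for root from 192.0.2.10 port 51242 ssh2
May 13 04:13:00 box sshd[2360]: Failed password for nick from 198.51.100.7 port 60010 ssh2
May 13 04:13:02 box sshd[2360]: Failed password for nick from 198.51.100.7 port 60010 ssh2
May 13 04:14:00 box sshd[2365]: Failed password for nick from 127.0.0.1 port 40002 ssh2
May 13 04:14:01 box sshd[2365]: Failed password for nick from 127.0.0.1 port 40002 ssh2
May 13 04:14:02 box sshd[2365]: Failed password for nick from 127.0.0.1 port 40002 ssh2
""".splitlines()


def count_failures(log_lines):
    """Return a Counter of failed-login attempts per source address."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def hosts_to_deny(log_lines, threshold=3, allowed_hosts=("127.0.0.1",)):
    """Addresses at or above the threshold, minus the allowed-hosts list
    (the equivalent of the data/allowed-hosts file created in the post)."""
    counts = count_failures(log_lines)
    return sorted(
        host for host, n in counts.items()
        if n >= threshold and host not in allowed_hosts
    )


def hosts_deny_lines(hosts, service="sshd"):
    """Format tcp_wrappers entries the way they end up in /etc/hosts.deny."""
    return ["%s: %s" % (service, host) for host in hosts]


if __name__ == "__main__":
    for entry in hosts_deny_lines(hosts_to_deny(SAMPLE_LOG)):
        print(entry)
```

Run stand-alone it prints one line, `sshd: 192.0.2.10`; the localhost failures are ignored because 127.0.0.1 is allowed, and 198.51.100.7 stays under the threshold.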

Service Recovery Scripts & Error Page Tips.

A couple of weeks ago, I was proper ill with flu; the problem with looking after your own server is that only you can fix it. It's all well and good having monitoring systems (Nagios) telling you about faults, but if you can't read or see the alerts the fault won't get resolved.

During the time I was ill, for an unknown reason the MySQL process on my server died, and as such my website (and others I look after) were down for 8 hours. The fix was simple: one command to restart the service, and normal service was resumed (excuse the pun).

This led me to the conclusion that there must be a way to get the server to fix itself; after all, why do a job when you can get a computer to do it for you! Fortunately I had a light-bulb moment and realised that I could use the init scripts that are provided by Red Hat. The code below will restart Apache (httpd) and MySQL on a Red Hat based system in the event that the service was not stopped cleanly. (In fact this config has only been tested on CentOS; your mileage may vary on anything else.)

#!/bin/bash

# status() is taken from the Red Hat default scripts - /etc/rc.d/init.d/functions -
# with a restart added on the "dead but ..." branches

# Set up a default search path.
PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin"
export PATH

status() {
        local base=${1##*/}
        local pid

        # Test syntax.
        if [ "$#" = 0 ] ; then
                echo $"Usage: status {program}"
                return 1
        fi

        # First try "pidof"
        pid=`pidof -o $$ -o $PPID -o %PPID -x $1 ||
             pidof -o $$ -o $PPID -o %PPID -x ${base}`
        if [ -n "$pid" ]; then
# Uncomment this if you want OK messages
#               echo $"${base} (pid $pid) is running..."
                return 0
        fi

        # Next try "/var/run/*.pid" files
        if [ -f /var/run/${base}.pid ] ; then
                read pid < /var/run/${base}.pid
                if [ -n "$pid" ]; then
                        echo $"${base} dead but pid file exists"
                        /etc/init.d/${base} restart
                        return 1
                fi
        fi
        # See if /var/lock/subsys/${base} exists
        if [ -f /var/lock/subsys/${base} ]; then
                echo $"${base} dead but subsys locked"
                /etc/init.d/${base} restart
                return 2
        fi
        echo $"${base} is stopped"
        return 3
}

# found in /etc/init.d/httpd
httpd=${HTTPD-/usr/sbin/httpd}

status mysqld
status $httpd

If you save this as /etc/cron.hourly/auto_recovery.sh, then do chmod +x /etc/cron.hourly/auto_recovery.sh, then, assuming you've not changed the default cron setup, every hour MySQL and httpd will be checked; if they have died they'll be restarted and root will get an e-mail about what happened.

Cool eh !

A final finishing touch: I wanted to change the default “Database Down” error messages on my two most popular applications.

  • Melvin Rivera has written a tutorial on how to customise the WordPress error page; note that it involves editing a file outside of wp-content, which means you'll have to re-do this "hack" every time you upgrade WordPress.
  • phpBB: setting a custom error page on that is really easy. First create a PHP page displaying your message. Then at the bottom of /path/to/phpbb-install/includes/db.php you'll see

    // Make the database connection.
    $db = new sql_db($dbhost, $dbuser, $dbpasswd, $dbname, false);
    if(!$db->db_connect_id)
    {
        message_die(CRITICAL_ERROR, "Could not connect to the database");
    }

    change it to

    // Make the database connection.
    $db = new sql_db($dbhost, $dbuser, $dbpasswd, $dbname, false);
    if(!$db->db_connect_id)
    {
        // Show the custom page instead of phpBB's own critical error
        include("/path/to/my-custom-error-page.php");
        die();
    }

Now if your database dies, for the time it's down (before cron fixes it) WordPress and phpBB sites will get a much prettier error message. Obviously there's no solution for Apache, as there's nothing to serve the pages, but hopefully this kind of thing doesn't happen too often :D

SNMP v3 on Redhat Linux

I think it's safe to say that if you can't get something to work then either the manual is rubbish or the user is stupid; with setting up SNMP v3 on Linux, the user is me, so the fault probably lies there.

SNMPv3 moves away from the community-string idea of the older versions to a username and password combo. The correct tool for creating users is snmpusm, but no matter how many times I read the man page I can't work it out. I get that you copy a user from the initial user, but how do you create the initial user? If I try on my box I just get an "snmp timeout" error.

I found a workaround for my stupidity: on Red Hat based boxes (RHEL, CentOS, WBEL, Fedora) there is a development package to do the job, so to get the SNMP v3 encrypted goodness going, run

yum install net-snmp-utils net-snmp-devel

Yum will pick up the dependencies you need. Now, as root, run (make sure snmpd is stopped first)

/usr/bin/net-snmp-config --create-snmpv3-user -a PASSWORD MYUSERNAME

You'll get the following output...

adding the following line to /var/net-snmp/snmpd.conf:
   createUser MYUSERNAME MD5 "PASSWORD" DES
adding the following line to /usr/share/snmp/snmpd.conf:
   rwuser MYUSERNAME

Before testing, make sure that UDP 161 is permitted through iptables, and start snmpd again

/etc/init.d/snmpd start

Now, from another box, you can test; snmpwalk is the command. If it works your screen will fill up with loads of interesting SNMP stuff; if it fails you'll get an error. A timeout usually means UDP 161 is blocked or the boxes can't reach each other, and you'll get authentication failure messages if there is a problem with your SNMP accounts.

snmpwalk -v 3 -l authPriv -a md5 -A PASSWORD -x des -X PASSWORD -u MYUSERNAME IP.ADD.RE.SS

Good luck!

FC 6 Is out !

…and their server is down…..

Fedora Project
We are working hard to bring fedora.redhat.com back up to its fully operational state.

DOH !

Oh well I haven’t got time to install it now anyway, I’ll wait for the “Zod” frenzy to finish I think ;)

Yum Fun !

This has been on my to-do list for a while... I have finally converted my little repository of rpms into a proper yum repo!

The old xfce repo has been merged into a new Whitebox repo, which in fact can be used for CentOS, WBEL or Red Hat Enterprise Linux (RHEL).

A new Fedora repo exists as well; those with a keen eye will see new rpm sections for FC5 x86_64 (my new PC!).

All packages will be signed with my gpg key, and config files can be found here:

  • linickx-fedora.repo
    [LINICKX]
    name=LINICKX Fedora Yum Repo
    baseurl=http://www.linickx.com/files/rpm/fedora/$releasever/$basearch/
    gpgkey=http://www.linickx.com/files/GPG-KEY-NICK
    gpgcheck=1

  • linickx-whitebox.repo
    [LINICKX]
    name=LINICKX WBEL Yum Repo
    baseurl=http://www.linickx.com/files/rpm/whitebox/$releasever/$basearch/
    gpgkey=http://www.linickx.com/files/GPG-KEY-NICK
    gpgcheck=1

Copy the .repo files into your /etc/yum.repos.d dir and you should be away! Let me know if you have any problems :cool:

Firefox i386 on x86_64 rpm – ( Fedora Core 5 )

There are loads of posts on this and they all miss out a couple of pieces of information.

How?
Well, I downloaded the latest Firefox from Fedora's update page, then I ran (as root):

rpm -ev firefox

then from the directory I downloaded firefox to:

rpm -ivh --nodeps firefox-VERSION.i386.rpm

What happens next?
The first time I ran it, I got a pop-up complaining about an install.rdf; I ignored this, and Firefox loaded fine, but without any of the extensions in my profile. I then closed Firefox, and the second time it ran my extensions loaded :-) ... Finally I noticed that the Beagle index extension wasn't loaded, so within Firefox I did a File > Open on

/usr/lib64/beagle/beagle.xpi

and that seemed to do the job. Bring on the Java and Flash plug-in goodness!

Feed is not a registered protocol – Firefox , gnome and Fedora Core

I’ve put up with this error message for some time now:

Feed: is not a registered protocol

I run Firefox on GNOME on Fedora Core on my laptop. No matter how much googling I did, I could not work out which part of the puzzle was at fault.

Well, today I sussed it: if I visit feed:myfeed the feed opens in Google Reader :cool:

So what have I done?
Well, it turns out that GNOME was at fault :( Basically Firefox passes the feed: protocol back to the OS (which GNOME handles), so what you need to do is tell GNOME what to do with feed:. On my laptop there are two directories of interest:

  • /home/nick/.gconf/desktop/gnome/url-handlers
  • /etc/gconf/gconf.xml.defaults/schemas/desktop/gnome/url-handlers

What I did was go into each of these and copy the http directory as feed.
This will cause the feed protocol to be opened with your web browser (you may need to log out and in each time you change these files or directories). In my case this is Firefox, and Firefox doesn't know what to do with the links. So, to send the feed protocol elsewhere, I edited /etc/gconf/gconf.xml.defaults/schemas/desktop/gnome/url-handlers/feed/%gconf.xml so that the command run was "feed %s" (rather than "firefox %s"), and then created a bash script called feed (and placed it in my $PATH).

#!/bin/bash
# Strip the "feed:" scheme, leaving just the feed URL
FEED=${1#*:}
# Quoted so the literal "*" in Google Reader's preview URL is not expanded by the shell
firefox "http://www.google.com/reader/preview/*/feed/$FEED"

Now when I click feed:myfeed it previews the feed in Google :D

FC3 X11 On a Sony PCG-C1F

So I’ve been clearing out some stuff and I found another thing of use.

When I had a Sony Vaio, I remember the most annoying thing to get working was X11, specifically finding the right Fedora Core xorg.conf. I've uploaded my working xorg.conf here; now if you're a real newbie and need some steps, read on, else you're probably done ;)

Firstly, if you boot the PCG-C1F from the CD-ROM and just hit enter at the install prompt, anaconda will try to start X, and when it does it can't set the resolution right. So the best thing to do is install in text mode. Text mode is started at the install prompt with:

linux text

The install should go fine. Upon the first reboot, Fedora will try to load X (assuming you've installed it), and you won't be able to go any further as you need to select "I agree" on the user agreement, but the button is off the screen :'(

To go further you're probably going to need a USB disk: copy my xorg.conf onto the disk, and boot the Vaio from the Fedora Core install CD with your USB disk plugged in (if the disk isn't plugged in, the drivers won't be loaded), but this time from the install prompt go into rescue mode...

linux rescue

Copy the xorg.conf from the USB disk to /etc/X11 and reboot.

X11 will boot up and now you can accept the user agreement; you'll hit next, next, next and find on your second reboot that X is broken again :mad:

This time hold down Ctrl and Alt at the same time and hit F2 and you'll get a shell prompt; log in as root, mount your USB disk and overwrite /etc/X11/xorg.conf again, final reboot, and all is good :D

Here's a screenshot to prove I got it working! :cool:

Sony Vaio PCG-C1F

B4 I forget – SSL XMMS

A while ago I put some effort into getting SSL support working with XMMS on Fedora Core 3; unfortunately I didn't get very far :(

Ages ago Dustin Kirkland was kind enough to help me out (he wrote an SSL patch for XMMS), but I never got a chance to finish. Since this message has been flagged for follow-up for soooooo long now, I thought it only fair to share what Dustin sent me; when (and if) I get this finished I'll publish an rpm :cool: Good luck!

———- message ———-
From: Dustin kirkland
Date: May 27, 2005 1:15 PM
Subject: Re: [Bug 1579] – Https / SSL support for streaming mp3 and ogg
To: “bugzilla-daemon@bugs.xmms.org”

Nick-

I, too, am running Fedora Core 3 and I also cannot build the version
straight out of CVS. I’ve tried a handful of different back- and
forward-level auto* tools and I still get problems with some of the
macros.

You can try this, though, as it did work on my FC3 system:

> cd /tmp
> wget http://www.xmms.org/files/1.2.x/xmms-1.2.10.tar.gz
> tar zxvf xmms-1.2.10.tar.gz
> cd xmms-1.2.10
> wget http://bugs.xmms.org/attachment.cgi?id=320&action=view
> patch -p1 < attachment.cgi\?id\=320

At this point, I have 1 minor hunk that fails. It's like 4 lines that
you can manually plop in. Take a look at Input/mpg123/mpg123.c.rej
and at the lines that start with + into Input/mpg123/mpg123.c. I
replaced line 927 with:

#ifdef HTTP_SSL
    if (strncasecmp(filename, "http://", 7) &&
        strncasecmp(filename, "https://", 8))
#else
    if (strncasecmp(filename, "http://", 7))
#endif

> ./configure
> make
> make install

Hope that takes care of you. If anyone else figures out how to
extract from CVS and compile XMMS on FC3, I’m all ears. I asked this
question earlier on the mailing list and didn’t find a silver bullet:

http://lists.xmms.org/pipermail/xmms-devel/2005-January/002965.html

———- end of message ———-

Thanks again, Dustin.

Downloader for X… for FC3

OK, so it's been a while since I've needed to rebuild an rpm; I guess it just goes to show what a good job those repo boys are doing!

Well, I've just noticed Solaris 10 is available and I needed a download manager. Normally the built-in download manager in Firefox will do, but today I wanted to be able to control the speed at which I downloaded ;) ... et voilà d4x; an rpm hasn't been built since FC2, so I built one.

Here’s a screen shot to keep you interested !

Download d4x