Walking in Light With Christ - hip0's personal blog on System Administration, Free Software, Computer Security and Religion

Recently, I had a task to install FuzzyOCR on Debian Lenny in order to reduce the amount of the "image spam" delivered to the end users.Since there is no official install tutorial for debian users I decided to create this one with the hope it might be useful for others.
Here are few lines that explain what is FuzzyOCR;

FuzzyOcr is a plugin for SpamAssassin which is aimed at unsolicited bulk mail (also known as "Spam") containing images as the main content carrier. Using different methods, it analyzes the content and properties of images to distinguish between normal mails (Ham) and spam mails. The methods mainly are:

Now I won't get into details anymore and I'll get you to the concrete packages and configurations I've done in order to have the software up and running.

1. Install required debian packages

debian-server# apt-get install netpbm gocr giftext giflib-tools libungif-bin \
libpng3 libungif libungif-bin libungif4g gifsicle ocrad \
libstring-approx-perl libmldbm-perl libmldbm-sync-perl \
liblog-agent-perl libpng12-dev libtiff4-dev libsvga1-dev libx11-dev


2. Download latest version of FuzzyOCR


debian-server# http://users.own-hero.net/~decoder/fuzzyocr/fuzzyocr-3.6.0.tar.gz


3. Copy some FuzzyOCR configuration and installation files in /etc/mail/spamassassin/

debian-server# cp -rpf FuzzyOcr.scansets /etc/mail/spamassassin/
debian-server# cp -rpf FuzzyOcr.preps /etc/mail/spamassassin/
debian-server# cp -rpf FuzzyOcr.pm /etc/mail/spamassassin/
debian-server# cp -rpf FuzzyOcr/ /etc/mail/spamassassin/
debian-server# cp -rpf FuzzyOcr.cf /etc/mail/spamassassin


4. Create some log files and files in order to use FuzzyOCR with a hashing database.

debian-server# touch /var/log/qmail/FuzzyOcr.log
debian-server# chown vpopmail:vchkpw /var/log/qmail/FuzzyOcr.log
debian-server# touch /etc/mail/spamassassin/FuzzyOcr.db
debian-server# chown vpopmail:vchkpw /etc/mail/spamassassin/FuzzyOcr.db
debian-server# touch /etc/mail/spamassassin/FuzzyOcr.safe.db
debian-server# chown vpopmail:vchkpw /etc/mail/spamassassin/FuzzyOcr.safe.db

5. Edit FuzzyOcr configuration files.

debian-server# vim /etc/mail/spamassassin/FuzzyOcr.cf


You need to put there the following directives:

focr_enable_image_hashing 2
focr_db_hash /etc/mail/spamassassin/FuzzyOcr.db
focr_db_safe /etc/mail/spamassassin/FuzzyOcr.safe.db
focr_db_max_days 15


Now there are few more things that need to be done before we have a complete install, e.g. we need to compile netpbm from source, because three of the binary executables required by FuzzyOcr are for some reason not bundled with debian lenny netpbm package. So;
So first we download and untar the latest version of netpbm:

debian-server# links "http://downloads.sourceforge.net/project/netpbm/super_stable/10.35.73/netpbm-10.35.73.tgz?use_mirror=sunet"
debian-server# tar -zxvvf netpbm-10.35.73.gz


We need to have the following "hack" in order to have the source compile properly:

debian-server# mkdir /usr/X11R6/lib
debian-server# ln -sf /usr/lib/libX11.so /usr/X11R6/lib/libX11.so


Next we compile the source of netbpm and install it:


debian-server# cd netpbm-10.35.73
debian-server# make && make install


If it happens that your build fails during the "make", then you must use the apt-file program to determine which debian package contains the missing header files because of which the build has failed
We proceed next, with the installation of tesseract . Tesseract is 1 of the best OCR open source engine available nowadays
Therefore we now download and install it:

debian-server# wget http://tesseract-ocr.googlecode.com/files/tesseract-2.04.tar.gz
debian-server# tar -zxvvf tesseract-2.04.tar.gz
debian-server# cd tesseract-2.04
debian-server# ./configure && make && make install


In order to load FuzzyOcr in spamassassin we have to restart Spamassassin:

debian-server# /etc/init.d/spamassassin restart


Note: If you are have spamassassin running via djb daemontools restart spamassassin via the svc command:

Last thing we do is the check out if FuzzyOcr is correctly loaded and checking against image spam when new messages arrives, so here is how:

Change back to your FuzzyOcr-3.6.0/ directory:

debian-server# cd FuzzyOcr-3.6.0/
debian-server# cd samples
debian-server# spamassassin --debug FuzzyOcr < ocr-animated.eml >/dev/null


Check out the lines related to FuzzyOcr, you should have some lines in the output reporting FuzzyOcr has found a spam in the ocr-animated.eml file.
Another possible approach to test what is happening in spamassassin is to use:


debian-server# spamassassin -D


The above command will provide you with information about spamassassin in real time.
This article is pretty much in a beta stage, I'll be glad of any feedback on it so I can advance it!
Thanks for reading!

1. Install apache2 on your Debian Lenny

server# apt-get install apache2


2. Install openssl and it's corequirements

server# apt-get install openssl ssl-cert


In case if you need php support as well on your Lenny:
server# apt-get install libapache2-mod-php5


3. Generate Self Signed SSL certificate

server# openssl req $@ -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem

You might consider changing the /etc/apache2/apache.pem to whatever you like your ssl certificate file to be called.
Now you must ensure yourself that the newly generated ssl certificate has proper permissions issue the command.

server# chmod 600 /etc/apache2/apache.pem
The default behaviour of the Apache server is to server unencrypted HTTP traffic on port 80, however in our case we need to enable SSL connections and therefore configure apache to serve and listen for traffic on port 443.

Therefore, we need to have Listen 443 in our /etc/apache2/ports.conf another thing we should do is to enable the ssl module with command:

server# a2enmod ssl


That should be it, now we have to restart the Apache webserver:

server# /etc/init.d/apache2 restart


To enable SSL on virtualhosts it's required to change NameVirtualHost * in /etc/apache2/sites-available/default file
to:
NameVirtualHost *:80
NameVirtualHost *:443


To use SSL encryption on a specific Virtualhost, all you need to do is:
include:

SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem


Two days ago, I watched Grave of the Fireflies , a Japanese movie from 1988 which has taken the hearts and minds of dozen of people throughout the years. Yes I have to admit the movie is really increadinble in a sense it deals with Human personages, philosophy, love, hate. It's a good example why we humans should keep peace on earth and not start wars. The whole story is about a boy and a girl (a brother and sister), who live in Japan in the climax of the Second World War. Both the children are under the full legal age and face the "nightmares" and the terrible consequences of the war. Their mother dies and they have to go to live to some relatives (their aunts). However the war tragedy goes on, the bombing doesn't drop. The two children have to leave their aunt, cause she is unwilling to take care for them anymore, since they are not working and not bringing money / food in the house. They leave and find a sort of a tomb where start living on they own. Now the older brother has to provide his little sis with food, nomatter how. He uses all kind of tricks, cheats, thefts etc. to find the needed food to sustain his sister's life. Though the unhuman efforts to keep her alive, his sister gets a disease because of lack of nourishment and dies near the end of the movie. Though she dies, I won't call the movie a tragedy. Yes it's a sad movie but it's also really beautiful and touching. I could classify it amongst my movie list of spiritual movies that are, "a must see" ones.

Below are some valuable advices on Wireless Access Point initial install and configuration to better off your Wireless connection. It's worthy to note that the 2.4 GHz Wi-Fi signal range is divided into a number of smaller bands or "channels," similar to television channels. I decided to run my wireless on channel 12 since this there was no other wireless routers operating on that frequency, though most routers are preconfigured to spread it's signal on channel 6. There is a difference in channels available for setup for 802.11b and 802.11g wireless networks in the United States and the European Union. In the USA the wireless channels available are from (1 to 11) whether in the EU it's in the range of (1-13). Each of the Wireless channels run on a different frequency. The lower the number of the channel is the lowest the radiating frequence band on which data is transmitted . Subsequently, increasing the channel increases the frequency slightly. Therefore the higher the channel you select on your AP the lesser the overlap with other devices running on the same channel and thus the lesser the possibility to overlap and interference. It's quite likely that you experience problems, if you use the default wireless channel which is 6. If that's the case it's recommended to use either channel 1 or channel 11. In case of interference, i.e. overlap with other wireless networks, cellphones etc., there are 2 possible ways to approach the situation. In case of smaller interference, any change in channel on which there is no wireless device running could fix it up. The second way is to cho ose a wireless channel for your router in between 1,6 or 11 in (The USA) or 1,7,13 in Europe. Up to 3 networks can run on the same space with m inimum interference, therefore it would be a wise idea to check the list of wireless routers in your and check if there are others running on t he same frequency. As I mentioned in the beginning of the post I initially started running my wireless on channel 12, however after I discovered it is recommended to run your wireless router either on channel 1 7 or 13 in Europe I switched my D-Link DI-524 wireless router to transmit it's signal on Channel 13. I should testify that after changing the wireless channel, there was quite an improvement in my wireless connection. For instance before I change to Channel 13 (when my wireless internet was still streamed on channel 12) my wireless had constantly issues with disconnects because of low wireless signal. Back then My wireless located phisically in like 35 meters away set in another room, I can see my wireless router hardly connected on like 35%, changing to channel 13 enhanced my connection to the current 60% wireless router availability. It's also an interesting fact that Opened Wireless networks had better network thoroughput, so if you're living in a house with a neighbors a bit distant from your place then you might consider it as a good idea to completely wipe out Wireless Router security encryption and abandon the use of WEP or WPA network encryption. In case if all of the above is not working for you, you might consider take a close look at your Wireless Wireless LAN pc card and see if there are no any kind of bumps there. Another really interesting fact to know is that many people here in Bulgaria tend to configure there Wireless Access Points on channels either 1,6 or 11 which is quite inadequate considering that we're in the EU and we should use a wireless channel between 1, 7 or 13 as prescribed for EU citizens. Another thing not to forget is to place your wireless in a good way and prevent it from interferences with other computer equipment. For example keep the router at least few meters away from PC equipment, printers, scanners, cellphones, microwaves. Also try to put your wireless router on some kind of central place in your home, if you want to have the wireless signal all around your place. At my place I have a microwave in the Kitchen which is sometimes an obstacle for the Wireless signal to flow properly to my notebook, fortunately this kind of interference happens rare (only when the Microwove is used to warm-up food etc.).Upgrading 802.11b wireless card / router to a better one as 802.11g is a wise idea too. 802.11g are said to be like 5 times faster than 802.11b. You can expect 802.11b wireless network to transfer maximum between 2-5 Mbp/s whether 802.11g is claimed to transfer at approximately (12 to 23 Mbp/s). If even though the above prescriptions there is no wireless signal at some remote place at your home, you might consider adding a wireless repeater or change the AP router antenna. By default wireless Routers are designed to be omni-directional (in other terms they broadcast the wireless signal all around the place. Thus is quite unhandy if you intend to use your Wireless net only in certain room or location at your place. If that's the case for you, you might consider upgrading to a hi-gain antenna that will focus the wireless signal to an exact direction. Let me close this article with a small diagram taken from the net which illustrates a good router placement that will enable you to have a wwireless connection all over your place.

I enjoyed watching this two movies. Both are claimed to be movie classics and truly they're. Okay let me give you a short review about this classics.

1. Rear Window is a movie of Alfred Hitchcock. The movie is a story about a guy with a broken leg who is boredto death and as an escape of his boredom starts "spying" on his neighbours through the Window. The guy is an ordinary person with an extraordinary girlfriend and another old lady who is is responsible for his rehabilitation procedures. By accident the guy catch a sight of one of his neighbors acting really weird, putting a saw and a knife in his brief case. The guy used to went out of his home every evening at a certain time. His wife is missing for a couple of days. The guy starts, like an anonymous investigation on the case ... won't tell you more, if interested in the scenario just check out the movie.

2. The second one Chinatown , though a great movie was a rather odd movie. It's closing is far from the normal movie's "good guys win" plot. So let me tell you a few words about the movie. The story progresses around a private investigator who was hired by a woman to perform surveilance on her Husband as she has her doubts he is cheating on her. After a short follow-up the investigator recognizes that the woman's suspicion claimed to be true. The guy has been into an illegitimate affair with a woman. A picture of the love affair appears in the Los Angeles local newspapers and a big scandal arouses. Sooner the investigator is puzzled when he realized that the woman that hired him is actually not the guy's wife. Soon after the public outbreak the guy involved in the affair is find dead near one of the cannals, and it looked like an accident. However this is far from the truth, the investigator suspects the guy is murdered and finds that things the trace about the murder leads to a big conspiracy by a major business person who tries to manipulate the Los Angeles water supply. The movie turns a couple of unexpected turn arounds in the mean time. The killed person's wife happened to have a sister and be a mother of her sister (in other words her father raped her as a child and she bore a child ...). The movie is a mix of psychological drama and a mystery. Just check it out to see it's unexpected ending. Have a nice watching time.

Before we start it might be a good idea to check out apache-mpm-itk's official homepage to get a general idea of what apache mpm-itk is.
So please visit Apache2-mpm-itk's homepage here
Now let's continue with the installation;


1. Install Apache2-mpm-itk

# apt-get install apache2-mpm-itk


2. Configure Apache2-mpm-itk
In order to configure Apache-MPM-ITK we have to do it for each of the configured VirtualHosts, e.g. no global options are required.
There is only one configuration Directive that has to be included in each and every Virtualhost configured in your Apache.
This is the AssignUserId and takes two parameter, (user name and group name), this are the user name and group name that the files on the specified virtualhosts will be executed as.

3. Here is an example on how to configure it for the default Apache virtualhost and the "example" user and group id.
AssignUserId web1_admin web1
\

So for instance edit vim /etc/apache2/sites-available/default and place there;

AssignUserId web1_admin web1


4. Last step is to restart Apache for the new VirtualHost configuration to be preloaded.

# /etc/init.d/apache2 restart

The End :)

My daily duties as a sys admin today included installation and configuration of SuPHP .
SuPHP is an apache dynamic module for executing PHP scripts with the permissions of their owners. It consists basicly of two parts Apache module (mod_suphp) and a setuid root binary (suphp). The suphp module is invoked by the mod_suphp module and instructs Apache to change the user id (uid) of the process executing the PHP script.
SuPHP is not a standard Apache module so it's not 100% tested. Therefore from security point of view it's better not to use SuPHP.
So beware use it at your own risk! You better know what you're doing if you're installing this piece of soft.

The official SuPHP documentation is rather I would say archaic and it's completely out of date. Though according to the official documentation it's noted that suphp module won't work with Apache 2.2.x, it actually works perfectly fine.
I've checked and I couldn't find any tutorials on installing suphp on Debian Lenny therefore I decided to write this tutorial to shed some light on it.
So enough talk let's approach to the installation and configuration of suphp;

1. Install the module itself from the debian package

debian-server# apt-get install libapache2-mod-suphp

Debian will enable the mod_suphp automatically after installation, though this kind of behaviour is pretty stupid, since it won't disable mod_php5 which is enabled by default.

2 Therefore we need to disable mod_php5 from executing to enable suphp.

debian-server# a2dismod php5


3. Enable suphp globally for the Apache
Edit /etc/apache2/apache2.conf and put in the end of the configuration file

# Enable SuPHP
suPHP_Engine on
suPHP_AddHandler application/x-httpd-php


In my case I'm not using Debian's default DocumentRoot website location for both my Apache and my VirtualHosts, therefore I need also to configure
suphp.conf

4. Edit /etc/suphp/suphp.conf and change;

;Path all scripts have to be in
docroot=/var/www/

to let's say:
;Path all scripts have to be in
docroot=/home/


5. Restart your Apache server

debian-server# /etc/init.d/apache2 restart


Now test if mod_suphp is working on your Apache. We will test it through a tiny php script;
Paste the script to let's say suphp.php




Now if suphp is working you'll see something like:
uid=1002(myuser) gid=1002(myuser) groups=1002(myuser)
instead of the default;
uid=33(www-data) gid=33(www-data) groups=32(www-data)

Now there are a few more drawbacks with SuPHP which I feel obliged to discuss.
On the first place suphp will excecute through php5-cgi and therefore the script execution
should be considered a way slower comparing to the default mod_php5.
I cannot precisely tell how much slower would be php script execution compared to mod_php5 but I
pressume at least 10 to 20% of the usual performance will be gone.
One of the possible ways to speed-up php execution in that case is to use mod_fastcgi.

I'm gonna do a fast walk through on installing and enabling mod_qos on Debian, original article is available in Bulgarian on mpetrov's blog .
So let's go...
1. Install required development files and tools to be able to proper compile:

debian-server# apt-get install apache2-threaded-dev gcc


2. Download the mod_qos latest archive from sourceforge

debian-server# cd /usr/local/src debian-server# wget http://freefr.dl.sourceforge.net/project/mod-qos/mod-qos/9.7/mod_qos-9.8.tar.gz


3. Unarchive (Untar) the mod_qos archive and compile the module

debian-server# tar zxvf mod_qos-9.8.tar.gz
debian-server# cd mod_qos-9.8/apache2/
debian-server# apxs2 -i -c mod_qos.c


You can see from the compile output module is installed to; usr/lib/apache2/modules

4. Now let us create mod_qos configuration files

debian-server# cd /etc/apache2/mods-available/
debian-server# echo "LoadModule qos_module /usr/lib/apache2/modules/mod_qos.so" > qos.load


debian-server# vim /etc/apache2/mods-available/qos.conf

## QoS module Settings

IfModule mod_qos.c

# handles connections from up to 100000 different IPs

QS_ClientEntries 100000

# will allow only 50 connections per IP

QS_SrvMaxConnPerIP 50

# maximum number of active TCP connections is limited to 256

MaxClients              256

# disables keep-alive when 70% of the TCP connections are occupied:

QS_SrvMaxConnClose      180

# minimum request/response speed (deny slow clients blocking the server,

# ie. slowloris keeping connections open without requesting anything):

QS_SrvMinDataRate       150 1200

# and limit request header and body (carefull, that limits uploads and post requests too):

# LimitRequestFields      30

# QS_LimitRequestBody     102400

/IfModule

5. All left is to load the mod_qos module into Apache and restart the webserver

debian-server# a2enmod qos
debian-server# /etc/init.d/apache2 restart


Congratulations, Now slowloris and many other Apache DoS techniques won't bother you anymore!

I'm building a new subversion repository, after installing it and configuring
it to be accessed via https:// I stumbled upon the error;
Could not open the requested SVN filesystem when accessing one of
the SVN repositories. The problem was caused by incorrect permissions of
the repository, some of the files in the repository had permissions of the system user with which the files were imported.
simply changing the permissions with to make them readable for apache
fixed the issue.