Archive for February, 2010

Install Apache2 with SSL support on Debian Lenny Linux / (Quick way to generate Self Signed SSL certificate)

Thursday, February 25th, 2010

1. Install apache2 on your Debian Lenny

server# apt-get install apache2

2. Install openssl and its prerequisites

server# apt-get install openssl ssl-cert

If you also need PHP support on your Lenny:
server# apt-get install libapache2-mod-php5

3. Generate Self Signed SSL certificate

server# openssl req -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem
This writes both the certificate and its private key (left unencrypted by -nodes) into /etc/apache2/apache.pem; you may change that path to whatever you like your SSL certificate file to be called.
Now make sure that the newly generated file has proper permissions, since it contains the private key. Issue the command:

server# chmod 600 /etc/apache2/apache.pem

The default behaviour of the Apache server is to serve unencrypted HTTP traffic on port 80; in our case we need to enable SSL connections and therefore configure Apache to listen for and serve traffic on port 443 as well.

Therefore we need to have Listen 443 in our /etc/apache2/ports.conf. Another thing we should do is enable the ssl module with the command:

server# a2enmod ssl

That should be it; now we have to restart the Apache webserver:

server# /etc/init.d/apache2 restart

To enable SSL on virtual hosts it's required to change NameVirtualHost * in the /etc/apache2/sites-available/default file to:
NameVirtualHost *:80
NameVirtualHost *:443

To use SSL encryption on a specific VirtualHost, all you need to do is include the following in its <VirtualHost *:443> block:

SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem
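As an added example (not code from the original post), here is a POSIX shell script that does the certificate step with the private key in its own file and then audits an apache2 configuration tree for the three things this post asks for: Listen 443, the ssl module enabled, and private-key material that is mode 600. The tree layout mirrors Debian's /etc/apache2; the function names, the fixture contents and the use of GNU stat -c are assumptions of the demo, not part of the post.

```shell
#!/bin/sh
# Added example, not code from the original post: generate a self-signed
# certificate with the private key in its OWN file, and audit an apache2
# configuration tree for the settings the post describes. The tree layout
# (ports.conf, mods-enabled/ssl.load, sites-enabled/*) mirrors Debian's
# /etc/apache2; the fixture contents below are constructed for the demo.
set -eu

# Key + certificate, 365 days, no passphrase (-nodes). The umask makes the key
# owner-readable only from the moment it is written; the cert may be 644.
make_selfsigned_cert() {   # args: outdir common_name
    mkdir -p "$1"
    ( umask 077; openssl req -new -x509 -newkey rsa:2048 -days 365 -nodes \
        -subj "/CN=$2" -keyout "$1/apache.key" -out "$1/apache.crt" 2>/dev/null )
    chmod 600 "$1/apache.key"; chmod 644 "$1/apache.crt"
}

# Print one finding per line; return 1 if anything is wrong, 0 when the tree
# has Listen 443, the ssl module enabled, and every SSLEngine-on site names
# existing cert/key files whose private keys are mode 600 (GNU stat assumed).
audit_apache_tls() {   # arg: etc_dir
    etc=$1; rc=0
    grep -Eq '^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|$)' "$etc/ports.conf" 2>/dev/null \
        || { echo "MISSING: 'Listen 443' in ports.conf"; rc=1; }
    [ -e "$etc/mods-enabled/ssl.load" ] \
        || { echo "MISSING: ssl module not enabled (a2enmod ssl)"; rc=1; }
    for site in "$etc"/sites-enabled/*; do
        [ -f "$site" ] || continue
        grep -Eqi '^[[:space:]]*SSLEngine[[:space:]]+on' "$site" || continue
        files=$(awk 'tolower($1) ~ /^sslcertificate(key)?file$/ { print $2 }' "$site")
        [ -n "$files" ] || { echo "MISSING: $site: SSLEngine on but no SSLCertificateFile"; rc=1; }
        for f in $files; do
            if [ ! -f "$f" ]; then
                echo "MISSING: $site: $f does not exist"; rc=1
            elif grep -q 'PRIVATE KEY' "$f" && [ "$(stat -c %a "$f")" != 600 ]; then
                echo "WEAK: $f holds a private key but is mode $(stat -c %a "$f"), expected 600"; rc=1
            fi
        done
    done
    return $rc
}

# Constructed fixture: a tree with exactly the weaknesses the post tells you to fix.
build_fixture() {   # arg: dir
    mkdir -p "$1/mods-enabled" "$1/sites-enabled" "$1/ssl"
    echo "Listen 80" > "$1/ports.conf"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed, not a real key' \
        '-----END PRIVATE KEY-----' > "$1/ssl/apache.pem"
    chmod 644 "$1/ssl/apache.pem"             # world-readable private key
    cat > "$1/sites-enabled/default-ssl" <<EOF
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile $1/ssl/apache.pem
</VirtualHost>
EOF
}

# The post's three fixes: Listen 443, a2enmod ssl, chmod 600.
fix_fixture() {   # arg: dir
    echo "Listen 443" >> "$1/ports.conf"
    : > "$1/mods-enabled/ssl.load"     # a2enmod ssl creates this symlink
    chmod 600 "$1/ssl/apache.pem"
}

# Demo run against a throw-away tree.
demo=$(mktemp -d)
build_fixture "$demo"
echo "--- before:"; audit_apache_tls "$demo" || true
fix_fixture "$demo"
echo "--- after:";  audit_apache_tls "$demo" && echo "OK: TLS setup complete"
command -v openssl >/dev/null 2>&1 && make_selfsigned_cert "$demo/gen" www.example.com && ls -l "$demo/gen"
rm -rf "$demo"
```

On a real server the call is audit_apache_tls /etc/apache2 as root; the fixture functions only exist to show a failing and a passing tree. Keeping key and certificate in separate files lets the certificate stay world-readable while only the key is locked down, which is why the audit looks for a PRIVATE KEY block rather than assuming every .pem must be 600.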

A touching movie (Grave of the Fireflies)

Thursday, February 25th, 2010

Grave of the Fireflies movie logo

Two days ago, I watched Grave of the Fireflies, a Japanese movie from 1988 which has taken the hearts and minds of dozens of people throughout the years. Yes, I have to admit the movie is really incredible in the sense that it deals with human characters, philosophy, love, hate. It's a good example of why we humans should keep peace on earth and not start wars. The whole story is about a boy and a girl (a brother and sister), who live in Japan at the climax of the Second World War. Both children are under the full legal age and face the “nightmares” and the terrible consequences of the war. Their mother dies and they have to go to live with some relatives (their aunt). However, the war tragedy goes on and the bombing doesn't stop. The two children have to leave their aunt, because she is unwilling to take care of them anymore, since they are not working and not bringing money / food into the house. They leave and find a sort of a tomb where they start living on their own. Now the older brother has to provide his little sis with food, no matter how. He uses all kinds of tricks, cheats, thefts etc. to find the food needed to sustain his sister's life. Despite his inhuman efforts to keep her alive, his sister gets sick from lack of nourishment and dies near the end of the movie. Though she dies, I won't call the movie a tragedy. Yes, it's a sad movie, but it's also really beautiful and touching. I could classify it amongst my list of spiritual movies that are “a must see”.

The real Apple PC

Tuesday, February 23rd, 2010

A Real Apple PC

Selecting Best Wireless channel / Choosing Best Wi-FI channel for Wireless Routers or (How to improve Wireless Network performance)

Monday, February 22nd, 2010

Wireless AP
Below are some valuable pieces of advice on the initial installation and configuration of a Wireless Access Point that should improve your wireless connection. It's worth noting that the 2.4 GHz Wi-Fi signal range is divided into a number of smaller bands or “channels,” similar to television channels. I decided to run my wireless on channel 12, since there were no other wireless routers operating on that frequency, though most routers are preconfigured to spread their signal on channel 6.

There is a difference in the channels available for 802.11b and 802.11g wireless networks in the United States and the European Union. In the USA the available wireless channels are 1 to 11, whereas in the EU they are in the range 1 to 13. Each of the wireless channels runs on a different frequency.

The lower the channel number, the lower the frequency band on which data is transmitted; increasing the channel number increases the frequency slightly. Therefore, the higher the channel you select on your AP, the less it overlaps with other devices running on the same channel, and the lower the chance of overlap and interference.
It's quite likely that you will experience problems if you use the default wireless channel, which is 6.
If that's the case, it's recommended to use either channel 1 or channel 11. In case of interference, i.e. overlap with other wireless networks, cellphones etc., there are two possible ways to approach the situation. For minor interference, any change to a channel on which no other wireless device is running could fix it. The second way is to choose a wireless channel for your router from among 1, 6 or 11 (in the USA) or 1, 7 or 13 (in Europe).
Up to 3 networks can run in the same space with minimal interference, so it is a wise idea to check the list of wireless networks around you and see whether others are running on the same frequency.
As I mentioned at the beginning of the post, I initially ran my wireless on channel 12; however, after I discovered that it is recommended to run your wireless router on channel 1, 7 or 13 in Europe, I switched my D-Link DI-524 wireless router to transmit its signal on channel 13.
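The arithmetic behind the “1, 6, 11” and “1, 7, 13” advice, as an added example that is not part of the original post: in the 2.4 GHz band channel n (1 to 13) is centred at 2407 + 5n MHz and channel 14 at 2484 MHz, so neighbouring channels are only 5 MHz apart, while a single 802.11b/g transmission occupies roughly 22 MHz. The 22 MHz width is an assumption of this demo; the function names are mine. The script goes slightly beyond the post by listing, for any channel, which other channels collide with it.

```shell
#!/bin/sh
# Added example, not part of the original post: the arithmetic behind the
# "1, 6, 11" / "1, 7, 13" advice. In the 2.4 GHz band channel n (1..13) is
# centred at 2407 + 5n MHz and channel 14 at 2484 MHz; an 802.11b/g signal
# occupies roughly 22 MHz around its centre (the width used here is an
# assumption for the demo), so two channels interfere unless their centres
# are at least 22 MHz, i.e. 5 channel numbers, apart.
set -eu

WIDTH_MHZ=22

channel_center_mhz() {   # arg: channel 1..14 -> centre frequency in MHz
    case $1 in
        14) echo 2484 ;;
        *)  echo $((2407 + 5 * $1)) ;;
    esac
}

# True (exit 0) when the spectra of the two channels overlap.
channels_overlap() {   # args: channel_a channel_b
    fa=$(channel_center_mhz "$1"); fb=$(channel_center_mhz "$2")
    diff=$((fa - fb)); [ "$diff" -ge 0 ] || diff=$((-diff))
    [ "$diff" -lt "$WIDTH_MHZ" ]
}

# Channels 1..13 other than $1 whose signals overlap with it.
overlapping_channels() {   # arg: channel
    out=""
    for c in 1 2 3 4 5 6 7 8 9 10 11 12 13; do
        [ "$c" -ne "$1" ] || continue
        if channels_overlap "$1" "$c"; then out="$out $c"; fi
    done
    echo "${out# }"
}

# True when no two channels in the plan overlap, e.g. "1 6 11" or "1 7 13".
plan_is_clean() {   # arg: space-separated channel list
    for a in $1; do
        for b in $1; do
            [ "$a" -lt "$b" ] || continue
            if channels_overlap "$a" "$b"; then return 1; fi
        done
    done
    return 0
}

# Demo: what each channel collides with, and which plans are clean.
for ch in 1 6 7 11 12 13; do
    printf 'channel %2d (%d MHz) overlaps with: %s\n' "$ch" \
        "$(channel_center_mhz "$ch")" "$(overlapping_channels "$ch")"
done
for plan in "1 6 11" "1 7 13" "1 5 9" "12 13"; do
    if plan_is_clean "$plan"; then echo "plan [$plan]: no overlap"; else echo "plan [$plan]: OVERLAPS"; fi
done
```

Channel 12 and channel 13 are 5 MHz apart and therefore overlap almost completely, which is why moving from 12 to 13 on its own does not buy separation from a neighbour on 12; the three-channel plans are clean because their centres are at least 25 MHz apart.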

I can confirm that after changing the wireless channel there was quite an improvement in my wireless connection. For instance, before I changed to channel 13 (when my wireless was still on channel 12), my wireless link constantly had issues with disconnects because of the low signal.

Back then, with my wireless router located some 35 meters away in another room, my notebook could barely hold the connection at around 35% signal; changing to channel 13 improved it to the current 60% router availability.

It's also an interesting fact that open (unencrypted) wireless networks had better network throughput, so if you're living in a house with neighbours a bit distant from your place, you might consider it a good idea to completely remove the wireless router's security encryption and abandon the use of WEP or WPA network encryption.

If none of the above works for you, take a close look at your wireless LAN PC card and check that it has no bumps or other damage. Another interesting fact is that many people here in Bulgaria tend to configure their Wireless Access Points on channel 1, 6 or 11, which is quite inadequate considering that we're in the EU and should use channel 1, 7 or 13, as prescribed for EU citizens.

Another thing not to forget is to place your wireless router well and keep it away from interference from other computer equipment. For example, keep the router at least a few meters away from PC equipment, printers, scanners, cellphones and microwaves. Also try to put your wireless router in some kind of central place in your home if you want to have the wireless signal all around your place.

At my place I have a microwave in the kitchen which is sometimes an obstacle for the wireless signal to flow properly to my notebook; fortunately this kind of interference happens rarely (only when the microwave is used to warm up food etc.). Upgrading an 802.11b wireless card / router to a better one such as 802.11g is a wise idea too: 802.11g is said to be about 5 times faster than 802.11b.

You can expect an 802.11b wireless network to transfer at most between 2 and 5 Mbps, whereas 802.11g is claimed to transfer at approximately 12 to 23 Mbps. If, despite all of the above, there is still no wireless signal in some remote place in your home, you might consider adding a wireless repeater or changing the AP router's antenna.

By default wireless routers are designed to be omni-directional (in other terms, they broadcast the wireless signal all around the place). This is quite impractical if you intend to use your wireless network only in a certain room or location. If that's the case for you, you might consider upgrading to a high-gain antenna that will focus the wireless signal in an exact direction. Let me close this article with a small diagram taken from the net which illustrates a good router placement that will give you a wireless connection all over your place.

improve wireless router placement diagram

Rear Window (1954) & Chinatown 1974

Sunday, February 21st, 2010

I enjoyed watching these two movies. Both are claimed to be movie classics, and they truly are. Okay, let me give you a short review of these classics.

1. Rear Window is a movie by Alfred Hitchcock. The movie is the story of a guy with a broken leg who is bored to death and, as an escape from his boredom, starts “spying” on his neighbours through the window. The guy is an ordinary person with an extraordinary girlfriend and an old lady who is responsible for his rehabilitation procedures. By accident the guy catches sight of one of his neighbors acting really weird, putting a saw and a knife in his briefcase. The neighbor used to go out of his home every evening at a certain time, and his wife has been missing for a couple of days. The guy starts a kind of anonymous investigation into the case … I won't tell you more; if you're interested in the plot just check out the movie.

2. The second one, Chinatown, though a great movie, was a rather odd one. Its ending is far from the normal “good guys win” plot. So let me tell you a few words about the movie. The story revolves around a private investigator who is hired by a woman to perform surveillance on her husband, as she suspects he is cheating on her. After a short tail, the investigator finds that the woman's suspicion appears to be true: the guy has been in an illegitimate affair with a woman. A picture of the love affair appears in the Los Angeles local newspapers and a big scandal arises. Soon the investigator is puzzled when he realizes that the woman who hired him is actually not the guy's wife. Soon after the public outbreak, the guy involved in the affair is found dead near one of the canals, and it looks like an accident. However, this is far from the truth; the investigator suspects the guy was murdered and finds that the trail of the murder leads to a big conspiracy by a major businessman who is trying to manipulate the Los Angeles water supply. The movie takes a couple of unexpected turns in the meantime. The dead man's wife turns out to have a sister and to be the mother of her sister (in other words, her father raped her as a child and she bore a child …). The movie is a mix of psychological drama and mystery. Just check it out to see its unexpected ending. Have a nice time watching.

Running VirtualHosts under separate user ids (uid) and group ids (gid) on Debian Lenny (Apache 2.2.x) – A substitute alternative to suphp with Apache MPM-itk

Friday, February 19th, 2010

Before we start, it might be a good idea to check out apache-mpm-itk's official homepage to get a general idea of what apache-mpm-itk is.
So please visit Apache2-mpm-itk's homepage here.
Now let's continue with the installation:

1. Install Apache2-mpm-itk

# apt-get install apache2-mpm-itk

2. Configure Apache2-mpm-itk
In order to configure Apache-MPM-ITK we have to do it for each of the configured VirtualHosts, i.e. no global options are required.
There is only one configuration directive that has to be included in each and every VirtualHost configured in your Apache.
This is AssignUserId; it takes two parameters (a user name and a group name), which are the user and group that the files on the specified VirtualHost will be executed as.

3. Here is an example of how to configure it for the default Apache VirtualHost with an example user (web1_admin) and group (web1):

<IfModule mpm_itk_module>
AssignUserId web1_admin web1
</IfModule>

So for instance, edit /etc/apache2/sites-available/default (vim /etc/apache2/sites-available/default) and place the block above inside its <VirtualHost> section.

4. The last step is to restart Apache for the new VirtualHost configuration to be loaded.

# /etc/init.d/apache2 restart
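One check worth running before that restart, as an added example that is not part of the original post or of the mpm-itk project: list the AssignUserId of every <VirtualHost> block and flag the two mistakes that quietly defeat per-site isolation, a block with no directive at all (it keeps running as the global Apache user) and one user assigned to several sites (those sites can read each other's files). The directory layout mirrors Debian's /etc/apache2; the function names and the site files written by build_fixture are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post or of the mpm-itk project:
# list the AssignUserId of every <VirtualHost> in an apache2 tree and flag
# the two mistakes that defeat per-site isolation: a block without the
# directive (it then runs as the global Apache user) and one uid shared by
# several sites. The directory layout mirrors Debian's /etc/apache2; the site
# files written by build_fixture are constructed for the demo.
set -eu

# One "file|address|user" line per <VirtualHost> block; user is "-" if unset.
itk_vhost_users() {   # arg: etc_dir
    for f in "$1"/sites-enabled/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            tolower($1) == "<virtualhost"          { inb = 1; addr = $2; sub(/>$/, "", addr); user = "-"; next }
            inb && tolower($1) == "assignuserid"   { user = $2 }
            inb && tolower($1) == "</virtualhost>" { print file "|" addr "|" user; inb = 0 }
        ' "$f"
    done
}

# Print findings; return 1 when any site lacks AssignUserId or shares a user.
audit_itk_vhosts() {   # arg: etc_dir
    rc=0
    list=$(itk_vhost_users "$1")
    while IFS='|' read -r file addr user; do
        [ -n "$file" ] || continue
        if [ "$user" = "-" ]; then
            echo "MISSING: $file <VirtualHost $addr> has no AssignUserId (runs as the global Apache user)"; rc=1
        fi
    done <<EOF
$list
EOF
    shared=$(printf '%s\n' "$list" | awk -F'|' '$3 != "-" { n[$3]++ } END { for (u in n) if (n[u] > 1) print u }')
    for u in $shared; do
        echo "SHARED: user $u is assigned to more than one site, so those sites can read each other's files"; rc=1
    done
    return $rc
}

# Constructed fixture: three sites, one forgotten, two sharing a user.
build_fixture() {   # arg: etc_dir
    mkdir -p "$1/sites-enabled"
    for site in web1 web2 web3; do
        case $site in
            web1) uid_line="AssignUserId web1_admin web1" ;;
            web2) uid_line="" ;;                               # forgotten
            web3) uid_line="AssignUserId web1_admin web1" ;;   # reused
        esac
        cat > "$1/sites-enabled/$site" <<EOF
<VirtualHost *:80>
    ServerName $site.example.com
    DocumentRoot /home/$site/public_html
    <IfModule mpm_itk_module>
        $uid_line
    </IfModule>
</VirtualHost>
EOF
    done
}

# Demo on a throw-away tree.
demo=$(mktemp -d)
build_fixture "$demo"
itk_vhost_users "$demo"
audit_itk_vhosts "$demo" || echo "(fix the findings above, then restart apache2)"
rm -rf "$demo"
```

Against a real server the call is audit_itk_vhosts /etc/apache2; the parser only looks at sites-enabled, so a block living in apache2.conf or conf.d would need to be added to the glob.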

The End 🙂

Installing SuPHP on Debian Lenny 5.04 with Apache 2.2.9

Thursday, February 18th, 2010

My daily duties as a sys admin today included the installation and configuration of SuPHP.
SuPHP is an Apache dynamic module for executing PHP scripts with the permissions of their owners. It consists basically of two parts: an Apache module (mod_suphp) and a setuid root binary (suphp). The suphp binary is invoked by mod_suphp and takes care of changing the user id (uid) of the process executing the PHP script.
SuPHP is not a standard Apache module, so it's not 100% tested. Therefore, from a security point of view, it's better not to use SuPHP.
So beware, use it at your own risk! You had better know what you're doing if you're installing this piece of software.

The official SuPHP documentation is rather archaic, I would say, and completely out of date. Although the official documentation notes that the suphp module won't work with Apache 2.2.x, it actually works perfectly fine.
I've checked and couldn't find any tutorials on installing suphp on Debian Lenny, therefore I decided to write this tutorial to shed some light on it.
So enough talk, let's proceed to the installation and configuration of suphp:

1. Install the module itself from the debian package

debian-server# apt-get install libapache2-mod-suphp

Debian will enable mod_suphp automatically after installation, though this kind of behaviour is pretty stupid, since it won't disable mod_php5, which is enabled by default.

2. Therefore we need to disable mod_php5 so that suphp takes over PHP execution.

debian-server# a2dismod php5

3. Enable suphp globally for the Apache
Edit /etc/apache2/apache2.conf and put in the end of the configuration file

# Enable SuPHP
suPHP_Engine on
suPHP_AddHandler application/x-httpd-php .php

In my case I'm not using Debian's default DocumentRoot website location for my Apache or my VirtualHosts, therefore I also need to configure suphp.conf.

4. Edit /etc/suphp/suphp.conf and change;

;Path all scripts have to be in
docroot=/var/www/

to let’s say:
;Path all scripts have to be in
docroot=/home/

5. Restart your Apache server

debian-server# /etc/init.d/apache2 restart

Now test whether mod_suphp is working on your Apache. We will test it with a tiny PHP script;
paste the script into a file inside your DocumentRoot, let's say suphp.php (the full <?php tag is used because short tags may be disabled):

<?php system("id"); ?>

Now if suphp is working you’ll see something like:
uid=1002(myuser) gid=1002(myuser) groups=1002(myuser)
instead of the default;
uid=33(www-data) gid=33(www-data) groups=32(www-data)
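Since suphp's whole purpose is to bound what a hijacked script can do, the settings in /etc/suphp/suphp.conf deserve the same attention as docroot. The following is an added example, not part of the original post or of the suPHP project: a small shell audit of the keys that matter (docroot, the allow_*_writeable switches, min_uid/min_gid, check_vhost_docroot, errors_to_browser). The key names are real suphp.conf keys; the thresholds (100, Debian's default) and both sample files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post or of the suPHP project: a
# quick audit of /etc/suphp/suphp.conf for the settings that bound what a
# compromised PHP script can do. The keys are real suphp.conf keys; the
# thresholds (min_uid/min_gid >= 100, the Debian defaults) and both sample
# files below are assumptions constructed for the demo.
set -eu

# Value of key $2 in INI-style file $1 ("" when absent); surrounding quotes
# are stripped since some distributions write docroot="/var/www/".
suphp_get() {   # args: file key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# Print findings; return 1 if any.
audit_suphp_conf() {   # arg: file
    rc=0
    docroot=$(suphp_get "$1" docroot)
    case "$docroot" in
        ""|/|//) echo "WEAK: docroot='$docroot' allows PHP to run from any directory, e.g. /tmp"; rc=1 ;;
    esac
    for key in allow_file_others_writeable allow_directory_others_writeable \
               allow_file_group_writeable allow_directory_group_writeable; do
        if [ "$(suphp_get "$1" "$key")" = "true" ]; then
            echo "WEAK: $key=true (scripts writable by group/others are still executed)"; rc=1
        fi
    done
    for key in min_uid min_gid; do
        v=$(suphp_get "$1" "$key")
        if [ "${v:-0}" -lt 100 ]; then
            echo "WEAK: $key=${v:-unset} lets scripts run as system accounts (expected >= 100)"; rc=1
        fi
    done
    if [ "$(suphp_get "$1" check_vhost_docroot)" != "true" ]; then
        echo "WEAK: check_vhost_docroot is not true (scripts outside the vhost's DocumentRoot are allowed)"; rc=1
    fi
    if [ "$(suphp_get "$1" errors_to_browser)" = "true" ]; then
        echo "INFO: errors_to_browser=true shows internal paths to visitors"; rc=1
    fi
    return $rc
}

# Constructed samples: a loosened file and a hardened one.
write_weak_conf() {   # arg: file
    cat > "$1" <<'EOF'
[global]
logfile=/var/log/suphp/suphp.log
loglevel=info
webserver_user=www-data
docroot=/
allow_file_group_writeable=true
allow_file_others_writeable=true
allow_directory_group_writeable=true
allow_directory_others_writeable=true
check_vhost_docroot=false
errors_to_browser=true
umask=0022
min_uid=0
min_gid=0
EOF
}
write_hardened_conf() {   # arg: file
    cat > "$1" <<'EOF'
[global]
logfile=/var/log/suphp/suphp.log
loglevel=info
webserver_user=www-data
docroot=/home/
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
check_vhost_docroot=true
errors_to_browser=false
umask=0077
min_uid=100
min_gid=100
EOF
}

# Demo.
tmp=$(mktemp -d)
write_weak_conf "$tmp/weak.conf"; write_hardened_conf "$tmp/ok.conf"
echo "--- weak:";     audit_suphp_conf "$tmp/weak.conf" || true
echo "--- hardened:"; audit_suphp_conf "$tmp/ok.conf" && echo "no findings"
rm -rf "$tmp"
```

The docroot change in step 4 is what makes this audit relevant: widening it from /var/www/ to /home/ is fine, widening it to / would let suphp execute a script dropped anywhere on the filesystem as its owner.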

Now there are a few more drawbacks of SuPHP which I feel obliged to discuss.
In the first place, suphp executes through php5-cgi, and therefore script execution should be considered a way slower compared to the default mod_php5.
I cannot tell precisely how much slower PHP script execution would be compared to mod_php5, but I presume at least 10 to 20% of the usual performance will be gone.
One of the possible ways to speed up PHP execution in that case is to use mod_fastcgi.

Quick way to install mod_qos on Debian Lenny to protect from Slowloris

Thursday, February 18th, 2010

I'm going to do a quick walkthrough of installing and enabling mod_qos on Debian; the original article is available in Bulgarian on mpetrov's blog.
So let's go…
1. Install the required development files and tools to be able to compile properly:

debian-server# apt-get install apache2-threaded-dev gcc

2. Download the mod_qos latest archive from sourceforge

debian-server# cd /usr/local/src
debian-server# wget http://freefr.dl.sourceforge.net/project/mod-qos/mod-qos/9.7/mod_qos-9.8.tar.gz

3. Unarchive (Untar) the mod_qos archive and compile the module

debian-server# tar zxvf mod_qos-9.8.tar.gz
debian-server# cd mod_qos-9.8/apache2/
debian-server# apxs2 -i -c mod_qos.c

You can see from the compile output that the module is installed to /usr/lib/apache2/modules

4. Now let us create mod_qos configuration files

debian-server# cd /etc/apache2/mods-available/
debian-server# echo "LoadModule qos_module /usr/lib/apache2/modules/mod_qos.so" > qos.load

debian-server# vim /etc/apache2/mods-available/qos.conf

## QoS module Settings
<IfModule mod_qos.c>
# handles connections from up to 100000 different IPs
QS_ClientEntries 100000
# will allow only 50 connections per IP
QS_SrvMaxConnPerIP 50
# maximum number of active TCP connections is limited to 256
MaxClients 256
# disables keep-alive when 70% of the TCP connections are occupied:
QS_SrvMaxConnClose 180
# minimum request/response speed (deny slow clients blocking the server,
# ie. slowloris keeping connections open without requesting anything):
QS_SrvMinDataRate 150 1200
# and limit request header and body (careful, that limits uploads and POST requests too):
# LimitRequestFields 30
# QS_LimitRequestBody 102400
</IfModule>

5. All that's left is to load the mod_qos module into Apache and restart the webserver

debian-server# a2enmod qos
debian-server# /etc/init.d/apache2 restart

Congratulations, now Slowloris and many other Apache DoS techniques won't bother you anymore!
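Two things are easy to get wrong in that qos.conf, and a small script catches both; this is an added example, not part of the original post or of the mod_qos project. First, the thresholds only make sense relative to each other (QS_SrvMaxConnClose must stay below MaxClients or keep-alive is never disabled, and a per-IP limit above the close threshold lets one client push the server over it alone). Second, MaxClients is a core MPM directive; inside <IfModule mod_qos.c> it silently stops applying if the module ever fails to load. The directive names are mod_qos's own; the 70% rule follows the comment in the config above; the function names and file paths are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post or of the mod_qos project:
# derive the qos.conf thresholds from MaxClients instead of typing them, and
# sanity-check a qos.conf before restarting Apache. The directive names are
# mod_qos's own; the 70 % close threshold follows the comment in the post's
# config; the file paths are assumptions for the demo.
set -eu

# Integer percentage: qos_pct 256 70 -> 179.
qos_pct() { echo $(( $1 * $2 / 100 )); }

# Emit a config for the given MaxClients / per-IP limit on stdout. MaxClients
# is a core MPM directive, so it is placed OUTSIDE <IfModule mod_qos.c>: a
# directive inside that block is silently dropped if the module fails to load.
render_qos_conf() {   # args: max_clients per_ip
    cat <<EOF
MaxClients $1
<IfModule mod_qos.c>
    QS_ClientEntries 100000
    QS_SrvMaxConnPerIP $2
    QS_SrvMaxConnClose $(qos_pct "$1" 70)
    QS_SrvMinDataRate 150 1200
</IfModule>
EOF
}

# First value of directive $2 in $1 (case-insensitive), "" when absent.
conf_get() { awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"; }

# Print findings; return 1 if any.
check_qos_conf() {   # arg: file
    rc=0
    max=$(conf_get "$1" MaxClients); close=$(conf_get "$1" QS_SrvMaxConnClose)
    perip=$(conf_get "$1" QS_SrvMaxConnPerIP); rate=$(conf_get "$1" QS_SrvMinDataRate)
    if [ -z "$rate" ]; then
        echo "MISSING: QS_SrvMinDataRate (no slow-client / Slowloris protection)"; rc=1
    fi
    if [ -n "$max" ] && [ -n "$close" ] && [ "$close" -ge "$max" ]; then
        echo "BAD: QS_SrvMaxConnClose $close >= MaxClients $max, keep-alive is never disabled"; rc=1
    fi
    if [ -n "$perip" ] && [ -n "$close" ] && [ "$perip" -gt "$close" ]; then
        echo "WARN: a single IP may open $perip connections, above the close threshold $close"; rc=1
    fi
    if awk 'tolower($1) == "<ifmodule" { inb = 1 }
            inb && tolower($1) == "maxclients" { found = 1 }
            tolower($1) == "</ifmodule>" { inb = 0 }
            END { exit !found }' "$1"; then
        echo "WARN: MaxClients sits inside <IfModule>, so it only applies when mod_qos loads"; rc=1
    fi
    return $rc
}

# The block exactly as the post has it: MaxClients inside the IfModule.
write_post_conf() {   # arg: file
    cat > "$1" <<'EOF'
<IfModule mod_qos.c>
    QS_ClientEntries 100000
    QS_SrvMaxConnPerIP 50
    MaxClients 256
    QS_SrvMaxConnClose 180
    QS_SrvMinDataRate 150 1200
</IfModule>
EOF
}

# Demo: the generated config passes, the post's literal one gets the warning.
tmp=$(mktemp -d)
render_qos_conf 256 50 > "$tmp/qos.conf"
cat "$tmp/qos.conf"
check_qos_conf "$tmp/qos.conf" && echo "generated qos.conf: OK"
write_post_conf "$tmp/post.conf"
check_qos_conf "$tmp/post.conf" || true
rm -rf "$tmp"
```

After editing, apache2ctl configtest is still the final word on syntax; this check only covers the relationships between values that Apache itself will not complain about.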

(Could not open the requested SVN filesystem) cause and solution

Thursday, February 18th, 2010

I'm building a new Subversion repository; after installing it and configuring it to be accessed via https://, I stumbled upon the error
“Could not open the requested SVN filesystem” when accessing one of the SVN repositories. The problem was caused by incorrect permissions on the repository: some of the files in the repository had the permissions of the system user with which the files were imported.
Simply changing the permissions to make them readable for Apache fixed the issue.
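A quick way to find such files before Apache trips over them, as an added example that is not part of the original post: list every file and directory under the repository that a given account cannot read. Only owner/group/mode bits are considered (no ACLs), the account is passed numerically so the check works without the name existing locally (www-data is uid and gid 33 on Debian), and the repository tree in the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: list the files and
# directories under a repository that a given account cannot read, which is
# what produced the "Could not open the requested SVN filesystem" error.
# Only owner/group/mode bits are considered (no ACLs); the account is given
# numerically so the check works on any system (www-data is 33 on Debian).
set -eu

# A path is readable by uid/gid U/G when (owner==U and u+r) or
# (group==G and g+r) or o+r; directories additionally need x to be entered.
find_unreadable_by() {   # args: uid gid path
    find "$3" -type f ! \( -user "$1" -perm -400 \) ! \( -group "$2" -perm -040 \) ! -perm -004
    find "$3" -type d ! \( -user "$1" -perm -500 \) ! \( -group "$2" -perm -050 \) ! -perm -005
}

# Demo on a constructed tree: one file deliberately left private.
repo=$(mktemp -d); chmod 755 "$repo"
mkdir -p "$repo/db/revs"; chmod 755 "$repo/db" "$repo/db/revs"
echo constructed > "$repo/db/revs/0";  chmod 644 "$repo/db/revs/0"
echo constructed > "$repo/db/current"; chmod 600 "$repo/db/current"   # the culprit
echo "Not readable by uid/gid 33 (www-data on Debian):"
find_unreadable_by 33 33 "$repo"
rm -rf "$repo"
```

Note that readability is enough for the error in this post but not for commits through Apache, which additionally need the repository writable by the server account.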

Solution to a problem with VirtualHosts on Debian Lenny (Default Virtualhost opening by default overwritting the rest of the configured VirtualHosts)

Wednesday, February 17th, 2010

Configuring some VirtualHosts on a Debian server I administer has led me to a really shitty problem. The problem itself consisted in that no matter which of the configured VirtualHosts on the server I tried to access, the default one (or the first one listed among the VirtualHosts) got served. Believe me, such Apache behaviour is a real pain in the ass! I went through the VirtualHost configurations many times without finding any fault in them; everything seemed perfectly fine there. I started doubting something might prevent the VirtualHosts from being served by the webserver. Therefore, to check if the VirtualHost configurations were properly loaded, I used the following command:

debian-server:~# /usr/sbin/apache2ctl -S

Guess what, all was perfectly fine there as well. The command returned my webserver's configured VirtualHosts as enabled (linked) in /etc/apache2/sites-enabled. I took some time to ask in the irc.freenode.net #debian channel whether somebody had encountered the same weirdness, but unfortunately nobody could help there. I thought the problem over and over and started experimenting with various things in the configurations until I found the problem.

The issue with non-working VirtualHosts in Debian Lenny was caused by a wrong NameVirtualHost *:80 directive.
It's really odd, because enabling the directive as NameVirtualHost *:80 would report a warning just as if there were more than one NameVirtualHost directive in the configuration, while on the other hand completely removing it wouldn't report any warnings during Apache start/restart, but at the same time the VirtualHosts would still not work.

So to fix the whole mess with VirtualHosts not working, I had to modify my /etc/apache2/sites-enabled/000-default as follows:

NameVirtualHost *:80 changes to NameVirtualHost *

The rest of the VirtualHost stays the same.
This simple thing eradicated the f*cking issue which tortured me
for almost 3 hours! ghhh
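The symptom above has a mechanical cause that a script can check, as an added example that is not part of the original post: in Apache 2.2 the NameVirtualHost address must match the <VirtualHost ...> address string exactly (* and *:80 are different strings), and when several blocks share an address that has no matching NameVirtualHost, Apache treats them as one IP-based host and only the first block is ever served. The check below reports that situation and the converse (a NameVirtualHost nobody uses); the function names and the site files in build_fixture are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: a check for the exact
# mismatch described above. In Apache 2.2 a NameVirtualHost address must
# match the <VirtualHost ...> address string exactly ("*" and "*:80" are
# different); when several blocks share an address that has no matching
# NameVirtualHost, Apache treats them as one IP-based host and only the
# first block is ever served. The site files below are constructed.
set -eu

# Print findings across the given config files; return 1 if any.
audit_namevhost() {   # args: config files...
    awk '
        tolower($1) == "namevirtualhost" { nvh[$2] = 1 }
        tolower($1) == "<virtualhost"    { a = $2; sub(/>$/, "", a); vh[a]++ }
        END {
            for (a in vh) if (vh[a] > 1 && !(a in nvh)) {
                printf "BAD: %d <VirtualHost %s> blocks but no \"NameVirtualHost %s\": only the first is served\n", vh[a], a, a
                bad = 1
            }
            for (a in nvh) if (!(a in vh)) {
                printf "WARN: NameVirtualHost %s matches no <VirtualHost %s>\n", a, a
                bad = 1
            }
            exit bad
        }' "$@"
}

# Constructed fixture reproducing the post: NameVirtualHost *:80 in
# 000-default while every block is written as <VirtualHost *>.
build_fixture() {   # arg: dir
    mkdir -p "$1/sites-enabled"
    printf 'NameVirtualHost *:80\n<VirtualHost *>\n    ServerName default.example.com\n</VirtualHost>\n' \
        > "$1/sites-enabled/000-default"
    printf '<VirtualHost *>\n    ServerName site2.example.com\n</VirtualHost>\n' > "$1/sites-enabled/site2"
}

# The post's fix: make the NameVirtualHost address match the blocks.
apply_fix() {   # arg: dir
    f="$1/sites-enabled/000-default"
    sed 's/^NameVirtualHost \*:80$/NameVirtualHost */' "$f" > "$f.new" && mv "$f.new" "$f"
}

# Demo.
d=$(mktemp -d)
build_fixture "$d"
echo "--- before (symptom: every name opens the default site):"
audit_namevhost "$d"/sites-enabled/* || true
apply_fix "$d"
echo "--- after:"
audit_namevhost "$d"/sites-enabled/* && echo "OK: NameVirtualHost matches the VirtualHost blocks"
rm -rf "$d"
```

Changing the blocks to <VirtualHost *:80> instead of the directive to NameVirtualHost * passes the same check; either way the two strings have to agree, which is also what apache2ctl -S is silently assuming when it lists the hosts.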