Archive for March, 2010

Problem with OpenOffice after upgrade on Debian Sid Testing/Unstable – (openoffice.org: Component manager is not available.)

Wednesday, March 17th, 2010

A few days ago I did an upgrade using apt-get which upgraded my openoffice to 3.2.04 on my Desktop machine (a notebook running Debian Sid – Testing/Unstable). Since then I haven’t started openoffice; however, today an ex-college colleague of mine (Burcu) dropped by my home so I could give her some help with a project. In that relation I had to open a .doc file. I launched my oowriter in an attempt to open the document, without success: a stupid error popped up saying something is wrong with some kind of Openoffice registry and, most importantly, claiming the following error:

openoffice.org: Component manager is not available.

The first thing I tried in order to resolve the issue was simply moving my ~/.openoffice.org/ and ~/.openoffice.org2/ directories to ~/.openoffice.org-bak/ and ~/.openoffice.org2-bak/ respectively:

hipo@noah:~$ mv ~/.openoffice.org/ ~/.openoffice.org-bak/
hipo@noah:~$ mv ~/.openoffice.org2/ ~/.openoffice.org2-bak/

Regrettably I realized that this approach failed when I launched oowriter to regenerate its working directories.

Therefore I executed another strategy 🙂 to fix the issue: completely reinstalling openoffice with apt:

hipo@noah:~# apt-get install --reinstall openoffice.org-core

After a while, all is back to normal with my Openoffice :) Though it’s a real loss of time applying such dumb workarounds; I always hated linux as a desktop platform just because of misbehaviour like that.

A few helpful Bind DNS server configuration options

Wednesday, March 17th, 2010

It’s quite useful in bind to have the following configuration options in either the named.conf options {} configuration block or (if on Debian Linux) in named.conf.options.
Edit the respective file, find the options {} directive and set the following within the options {} block:


zone-statistics yes;
notify yes;
transfer-format many-answers;

Here I have to clarify that the zone-statistics directive instructs the server to collect statistical data about all zones; these statistics can later be accessed via the rndc stats command.

transfer-format many-answers is actually the default since bind 9, so you might even like to skip that one if on bind version 9 or later.
notify yes; – will instruct the nameserver to notify a configured secondary name server when a zone file changes, so that the change is replicated to it.

Another really vital thing in my view is to enable Bind DNS server logging into file.

In order to do that put in named.conf:

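logging {
    // custom channel writing to a file, with a timestamp on every line
    channel _default_log {
        file "/var/log/named/named.log";
        severity debug;
        print-time yes;
    };
    // send the default category to that channel
    category default {
        _default_log;
    };
};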

Note that the log file has to be created, with proper permissions, at the location specified in the above configuration, in this case /var/log/named/named.log:


debian-server# mkdir -p /var/log/named
debian-server# touch /var/log/named/named.log
debian-server# chown -R bind:bind /var/log/named/

In this case I change the directory and file to be owned by the bind user and group; on other Linux distributions the user could be different, for example on Redhat the user is usually named.
To find the correct user, check which user the Bind server is running as, using a simple:

debian-server# ps axu|grep -i bind
or
# ps axu|grep -i named

3 Major incorrect beliefs about Global DNS (root DNS) servers

Tuesday, March 16th, 2010

Until today, since I started getting into the depth of DNS some years ago, I always thought that there are 13 major super-computers used as Global DNS servers which were responsible for caching all the domain names on the IPv4 and IPv6 internet, and that’s all I knew about this matter.
Today I had to review my knowledge on the subject of the DNS protocol, BIND server etc. in order to be able to fix an issue with a newly configured BIND dns server. In relation to that I read a bunch of interesting articles online discussing matters concerning root DNS servers.
Here are two major articles worth reading:

1. DNS Root Name Servers Explained for Non-Experts – by Daniel Karrenberg
2. DNS Root servers in the World

This blows away the myth about 13 major super-servers running on top of backbones to serve DNS requests online. By the way, it’s an interesting fact that I learned that myth from some O’Reilly books that were explaining the Redhat Linux distribution a long time ago.
It could be that a long time ago this was true, but not anymore!

As of today’s date: Tue Mar 16 17:19:02 EET 2010, there are 425 DNS root servers, which are the Internet’s backbone today.

Interestingly enough, the full list of the root servers is available via isoc.org’s website, along with much more information on how root DNS servers work, how the DNS is served on the Internet, as well as the RFCs which explain the proper way to implement a DNS server.

A copy of the zonefile containing all the root DNS servers can be obtained via isoc’s website.

Another wrong idea about Global DNS servers that I kept with me over the years is that most of the root servers are geographically located in USA.

Good evidence against this delusion is the root-servers.org website, which contains a wonderful Google map with pinpointed geographical locations of all root servers. Along with this there is plenty of extensive information on root DNS servers.

Another misbelief when talking about DNS servers is that the A-root server is the main DNS server in the Global DNS cluster.

Another good reading location concerning DNS Root servers is The DNS Root Name Server FAQ .

What causes the “nRRPResponseCode 531” error, A fix to the nasty “nRRPResponseCode 531” error during domain name DNS change

Tuesday, March 16th, 2010

For two days now, I’ve been trying to set a custom DNS server for a (.net) domain purchased from gigaspark.com. Every time I try to change the nameservers for the (.net) domain an irritating error pops up; the error reads “nRRPResponseCode 531” and I cannot set my custom configured Bind DNS server for the (.net) domain. I believe the same problem also happens with (.com) domains.

In this relation, I tried googling, searching and searching for what might be the stupid cause of the “nRRPResponseCode 531” error that prevents me from setting my custom configured Bind domain name servers for mydomain.net. I also contacted the support team from gigaspark multiple times until I found out what the cause of the trouble is.
In short, the “nRRPResponseCode 531” is an error that indicates your .net or .com domain is not figuring in VeriSign’s GRS domain database.
The Verisign GRS domain database contains a list of DNS servers that are correctly configured and trustworthy enough. I’ve seen many people online suffering from the same terrible error, who pointed out that the error is caused by misconfigurations in the Bind DNS server or the zone file for the problematic domain name. Though I’ve looked multiple times to possibly track the problem in both my main named.conf and the rest of bind’s configuration files, as well as in the domain name I had registered (mydomain.net), there was nothing misconfigured or unusual.
I have to admit, this problem is really odd, because I was able to successfully set the same custom configured Bind DNS server for mydomain.info and mydomain.biz, yet whenever trying to set the same Bind DNS for mydomain.net I came across the shitty nRRPResponseCode 531.
Thanks to the kind help of Gigaspark’s tech support together with some google posts on the matter, I figured out Gigaspark are using ENOM – a major domain name registrar offering easy ways for end domain providers to become their resellers.
It seems ENOM’s policy forces you as a domain name customer to register your full DNS host name, let’s say (ns1.mydns.com), in Verisign’s GRS domain database; otherwise they refuse you the right to set your ns1.mydns.com for your domain, because if the DNS host name is not figuring in that database it’s not trustworthy!
I believe many people would agree with me this is a real shit! You pay for your domain and you should have the full rights over it.
I mean you should be allowed to set whatever DNS domain name, even if it’s not an existing one, and they shouldn’t bother you with stupid DNS domain name registrations in stupid Verisign GRS databases and so on!
Now you probably wonder what the required steps are to register the domain in that Verisign GRS database in order to be able to set your ns1.mydomain.com as a default DNS server for your mydomainname.com.
Well, you have to contact your domain registrar, let’s say gigaspark.com.
You log in to your account on tucowsdomains for your domain mydomain.com … then you find something similar to: “register a nameserver” among the overall menu options.
Then you have to register your nameserver ns1.mydomain.com. Then you wait between 24 and 48h, and to test if your NS has properly entered the Verisign GRS database you have to visit the Verisign GRS Whois.
Hopefully the guys from Verisign GRS will approve your DNS host to enter their database, and then at last you might be able to set your DNS host as a preferred DNS for your (.net) / (.com?) domain name.
So go back to gigaspark’s slovenian interface and try changing the DNSes once again! If you’re lucky, with God’s help (for sure), you will at last be successful in setting your BIND name server as a primary DNS.

Disable DNS recursion and AXFR requests in BIND on Debian Linux and FreeBSD / How to test a nameserver if AXFR requests are allowed with dig command

Monday, March 15th, 2010

I am playing with bind on a newly configured server and therefore doing my best to configure the nameserver in a good manner. In that line of thought I remembered the good old “recursion”, which could pose a security hole in your DNS systems. I won’t go on about how bad it is for a BIND domain resolver to have domain recursion switched on; there is plenty of information you can read further online. Anyway, here is a brief overview of recursion:
Recursive DNS is essentially the opposite of Custom DNS. Custom DNS is an authoritative DNS service that allows others to find your domain, and Recursive DNS allows you to resolve other people’s domains.

So considering the above definition, if you decide to leave the default behaviour of the Bind nameserver (which by the way is also the default behaviour of many other DNS servers including Microsoft DNS), this would mean that your DNS will be left open for the whole world to resolve any domain name requested by end users. In other words somebody out there might decide to use your nameserver to resolve all internet domains, like: google.com, yahoo.co.uk etc.

It is wise to enable recursion only for localhost on your bind name server. To achieve that on Debian, open /etc/bind/named.conf.options and insert the following right before the options { line:

acl recurseallow { 1.2.3.4; 127.0.0.1; };

Also include the following lines in the options {} block:

allow-recursion { recurseallow; };
recursion yes;

On FreeBSD you need to include the same in /var/named/etc/namedb/named.conf by default or any other location if you have some specific named.conf file location.

Another truly vital thing to include in /etc/bind/named.conf.options on Debian Lenny, inside options {}, is:

allow-transfer { none; };

Including this in the options {} configuration block completely disables AXFR transfer requests on your nameserver. (auth-nxdomain no; does not do this: it only controls whether the AA bit is set on NXDOMAIN answers.) If you run secondary nameservers, list their addresses in place of none. On FreeBSD the procedure is absolutely analogous: just open /var/named/etc/namedb/named.conf and include allow-transfer { none; }; in the options configuration block.

To stress the importance of disabling AXFR: if you don’t disable it, and it is enabled by default in many nameservers out there, you risk that a malicious person could list the whole zone file of each and every domain configured in the DNS server, and consequently learn a lot about the DNS topology of your network etc.
So to complete the article I’m gonna give an example of how the dig command can be used to check whether a certain DNS server has AXFR requests enabled (i.e. whether it’s vulnerable to this type of DNS information leak).

dig @somenameserver.net somedomainname.net axfr

In the above example:
somenameserver.net = a random name server hosting a specific DNS domain
somedomainname.net = the DNS domain name (a.k.a. zone file) hosted on somenameserver.net

If everything is configured properly on the nameserver you’re running the axfr test against, you should see something like:

; <<>> DiG 9.6.1-P1 <<>> @somenameserver.net somedomainname.net axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
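
The two checks from this post as an added shell example (not part of the original post): audit_named_options flags an options block with no allow-transfer statement, or with recursion yes and no allow-recursion ACL, and axfr_verdict classifies saved dig axfr output from your own server. The function names, finding labels and sample inputs are constructed for illustration, and the audit assumes BIND 9, where allow-transfer is the option that limits AXFR.

```shell
#!/bin/sh
# Added example; function names, labels and sample inputs are constructed.
# Print findings for named.conf text read from stdin ("ok" if none).
# Only '#' and '//' comments are stripped; /* ... */ blocks are not handled.
audit_named_options() {
    conf=$(sed -e 's:#.*$::' -e 's://.*$::')
    findings=""
    # Assumption: BIND 9, where allow-transfer limits who may request AXFR.
    if ! printf '%s\n' "$conf" | grep -Eq 'allow-transfer[[:space:]]*\{'; then
        findings="$findings no-allow-transfer"
    fi
    # recursion yes with no allow-recursion ACL: this file does not restrict it.
    if printf '%s\n' "$conf" | grep -Eq '(^|[[:space:];{])recursion[[:space:]]+yes' &&
       ! printf '%s\n' "$conf" | grep -Eq 'allow-recursion[[:space:]]*\{'; then
        findings="$findings recursion-without-acl"
    fi
    echo ${findings:-ok}   # unquoted on purpose: trims the leading space
}

# Classify `dig @server zone axfr` output read from stdin. A completed transfer
# starts and ends with the zone's SOA record, so two SOA lines mean a leak.
axfr_verdict() {
    out=$(cat)
    soa=$(printf '%s\n' "$out" |
          awk '!/^;/ && $3 == "IN" && $4 == "SOA" { n++ } END { print n + 0 }')
    if [ "$soa" -ge 2 ]; then echo leaked
    elif printf '%s\n' "$out" | grep -q 'Transfer failed'; then echo refused
    else echo inconclusive
    fi
}

# Constructed sample inputs.
weak_conf() { cat <<'EOF'
options {
    recursion yes;
    // allow-transfer { none; };  (commented out, so it does not count)
    auth-nxdomain no;
};
EOF
}
hardened_conf() { cat <<'EOF'
acl recurseallow { 1.2.3.4; 127.0.0.1; };
options {
    allow-recursion { recurseallow; };
    recursion yes;
    allow-transfer { none; };
};
EOF
}
refused_dig() { cat <<'EOF'
; <<>> DiG 9.6.1-P1 <<>> @somenameserver.net somedomainname.net axfr
; Transfer failed.
EOF
}
leaked_dig() { cat <<'EOF'
somedomainname.net. 3600 IN SOA ns1.somedomainname.net. hostmaster.somedomainname.net. 1 3600 900 604800 3600
intranet.somedomainname.net. 3600 IN A 192.0.2.10
somedomainname.net. 3600 IN SOA ns1.somedomainname.net. hostmaster.somedomainname.net. 1 3600 900 604800 3600
EOF
}
echo "weak config:     $(weak_conf | audit_named_options)"
echo "hardened config: $(hardened_conf | audit_named_options)"
echo "refused output:  $(refused_dig | axfr_verdict)"
echo "leaked output:   $(leaked_dig | axfr_verdict)"
```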

Howto check and isolate problems with DNS servers and Domain records

Monday, March 15th, 2010

There are two handy websites online which help quite extensively in tracking problems with domain name records and DNS inconsistencies.
I used them today to learn more about a problem with a non-resolving DNS, though it already has a record in a properly configured Bind nameserver possessing a proper PTR record. Here are three handy online DNS checkers:
1. Squish.Net/DNSCheck – contains tons of useful debugging information related to the possible problem

2. DNSCheck.iis.se – provides less information, though still really handy

3. TheDNSReport – provides good and extensive info on problems

Some more handy information related to DNS can be obtained via R. Scott’s DNS Oversimplified

Add DCC (Distributed Checksum Clearing Houses), Pyzor and Razor checks in Spamassassin on Debian Lenny / Howto improve spamassassin anti spam protection on Debian GNU / Linux

Sunday, March 14th, 2010

In accordance with a recent qmail install, here are a few things to install in order to improve the native spamassassin anti-spam mail server protection capabilities.
1. Install Pyzor and Razor

debian-server# apt-get install pyzor razor

2. Edit /etc/mail/spamassassin/local.cf and put the following lines in it:

use_razor2 1
razor_config /etc/razor/razor-agent.conf
razor_timeout 8
use_pyzor 1
pyzor_path /usr/bin/pyzor
add_header all Pyzor _PYZOR_
clear_report_template

3. Edit /etc/mail/spamassassin/v310.pre and make sure the following lines are included and uncommented:
loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop

4. Now we modify /etc/mail/spamassassin/local.cf once more to enable Bayesian Filtering, so include in the conf the following:
use_bayes 1
bayes_file_mode 0700
bayes_path /var/spamd/.spamassassin/bayes
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam 0.1
bayes_auto_learn_threshold_spam 8.0
use_auto_whitelist 1

In my case I use the /var/spamd/.spamassassin directory for the bayesian filter files; you might desire to have it in a different location, but if you want to use the same directory as me, make the appropriate directories and files as shown below:

debian-server# mkdir -p /var/spamd/.spamassassin/
debian-server# touch /var/spamd/.spamassassin/bayes_{seen,toks} /var/spamd/.spamassassin/bayes
debian-server# chown -R vpopmail:vchkpw /var/spamd/

Note that in the above example I’m using vpopmail:vchkpw because my spamassassin is running under the vpopmail:vchkpw user and group; if you’re using a different uid and gid, please change the commands accordingly.

5. Next we need to download and install the required DCC (Distributed Checksum Clearing Houses) binaries. Regrettably no debian package is available, so we will compile and install it from source:

debian-server# wget http://www.rhyolite.com/dcc/source/dcc.tar.Z
debian-server# tar -zxvf dcc.tar.Z
debian-server# cd dcc-1.3.120/
debian-server# ./configure && make && make install
debian-server# cdcc info > /var/dcc/map.txt
debian-server# chmod 0600 /var/dcc/map.txt
debian-server# rm /var/dcc/map
debian-server# cdcc "new map; load /var/dcc/map.txt"
debian-server# cdcc "delete 127.0.0.1"

6. Again we have to edit /etc/mail/spamassassin/local.cf and include in it:

use_dcc 1
dcc_timeout 8
dcc_home /var/spamd/
dcc_path /usr/local/bin/dccproc
add_header all DCC _DCCB_: _DCCR_

7. Last, I include a few configuration options I find handy. They are not required to have pyzor, razor and DCC properly configured, so it’s completely up to you to decide if you want them or not:
rewrite_subject 1
subject_tag [SPAM found in message]
dns_available yes
ok_locales all
add_header spam Flag _YESNOCAPS_
report_safe 1

Herein I also include a link to my whole local.cf spamassassin configuration file in a hope that it’s easier to check the above directives directly in the conf.

Nanoblogger Yahoo Search Field Plugin (yahoo.sh) download / install and how to properly escape code in nanoblogger

Saturday, March 13th, 2010

For some time I’ve been trying to set up a Yahoo Search Field on my nanoblogger without success. I also have difficulties every now and then with escaping source code whenever I decide to drop it in my nanoblogger. Knowing that the official nanoblogger page has the yahoo search next to the google search up and running, and considering the fact I couldn’t find any tutorial or instructions online, either on nanoblogger’s official webpage or on the rest of the searchable internet, I decided to mail Nanoblogger’s author to ask him if he could help me set up this Yahoo Search Field Plugin, as well as ask him what I can do to have proper code escaping without breaking the blog. I explained that I had tried a bunch of things without success etc. Below you’ll find my correspondence with Kevin Wood (Nanoblogger’s Author):

Date: Mon, 22 Feb 2010 17:09:58 +0200
From: "G. Georgiev" myemail@gmail.com
User-Agent: Mozilla-Thunderbird 2.0.0.22 (X11/20091109)
To: n1xt3r@fastmail.fm
Subject: 2 questions concerning nanoblogger
Hi man,
First Thanks for the wonderful soft.
I have two questions.
1. Where can I get yahoo.sh script which is
used on http://nanoblogger.sourceforge.net
2. Whenever I try to post code that needs to be escaped let's say apache
directives an error occurs,
during generation of the blog and I cannot
seem to get the post online
How can I get through that?

Thanks in advance.

Kindest Regards
Georgi

Date: Sat, 27 Feb 2010 20:46:34 -0500
From: Kevin Wood kevinw@fastmail.fm
To: "G. Georgiev" myemail@gmail.com
Subject: Re: 2 questions concerning nanoblogger
User-Agent: Mutt/1.5.20 (2009-06-14)

Hi Georgi,
Attached is my yahoo.sh plugin. Just drop it in your plugins directory
and add $NB_Yahoo to your main_index.htm template. In order to work, it
expects that you have BLOG_FEED_URL set in blog.conf.

You should use the markdown.sh plugin to post escaped HTML code. When
editing your entry you can add markdown to the FORMAT field. Oh, the
markdown plugin requires that you have Markdown installed on your
system and you may have to tweak MARKDOWN_CMD and MARKDOWN_OPTS in your
blog.conf before it will work. Good luck!

>From http://daringfireball.net/projects/markdown/basics

Kevin

Now here is the yahoo.sh nanoblogger yahoo search plugin that Kevin sent me.
After putting it in my nanoblogger plugins directory and enabling BLOG_FEED_URL, now all works like a charm.

Reset Windows (NT, 2000, XP, Vista and Windows 7) password / Reset Windows Forgotten Password / Reset Windows Administrator password

Friday, March 12th, 2010

Recently I was in the Pomorie’s Monastery – St. George .
One layman left his notebook (maybe as a donation) to the monks. However the notebook was protected by both: fingerprint check, as well as administrator password and therefore the notebook was completely unusable and was thrown away with many other unused belongings.
When the abbot of the monastery found out I’m adept with computers, he asked if I can fix up the notebook and somehow remove the password, or reinstall the machine to make it usable.
So here I decided to blog what I undertook to reset the windows password with the hope somebody else could benefit from that as well.

1. Go to Offline NT Password & Registry Editor, Bootdisk / CD website

2. Download the bootable CD image zip archive of Offline NT Password & Registry Editor and burn the iso to a CD using K3b (on Linux), Nero or CDBurnerXP (on Windows).

3. Follow the step by step walkthrough manual (here) to either change Some Windows user password or completely reset administrator or any other user password.

Following the walkthrough literally proved to be quite successful for me and I was able to properly reset the administrator password!
So Hooray it works again! The monks can now benefit of the cute Toshiba satellite machine.

Ubunchu – The world’s first? romantic school comedy (A Linux Related Manga Magazine)

Thursday, March 11th, 2010

Ubunchu a Linux Manga Fun Magazine

I came across a nice Linux-related magazine called Ubunchu. It’s a short story about a few kids who are members of a pc geek club. The 3 kids start installing ubuntu and get into the ordinary quarrels on the topic of “which linux distribution is better?” and whether Linux is already desktop ready. Download and read the mirrored copy of Ubunchu Magazine here