March 2010 Archives
Wed Mar 31 16:37:42 EEST 2010
Howto resolve issues with "Call to undefined function xslt_create()" and my QmailAlizer bitter experience / IsoqLog a good alternative to QmailAlizer
Today I set out to install some software that would report statistics for Qmail in a web interface.
In other words, I wanted web-based qmail statistics reporting the e-mails sent and received per domain name, taken from vpopmail.
Some time ago I used a project called qmailalizer. I modified it a bit back then, because its whole interface was in German and the installation was hell, so I added a little install.sh script that simplifies installing qmailalizer.
So I decided to install and test the software on a Debian 2.6.26-2-amd64 (64-bit) platform. The build failed, of course, so I had to install some packages providing the header files required by the qmailalizer source code. These are:
debian:~# apt-get install libgd2-xpm-dev libxml2-dev libxslt1-dev \
php5-xsl sablotron libsablot0
Hopefully the build won't fail after that, but once you install the software you're about to face another unsavoury error, caused by the old PHP code, which was written for PHP4, while these days most of us run PHP5 on our Debians. So whenever I tried to access qmailalizer I received the ugly PHP error:
Call to undefined function xslt_create()
To fix that error I used code from a nice article by Alexandre Alapetite titled XSL transition from PHP4 xslt to PHP5 xsl. All that is necessary to weed out the error is:
Copy and paste the following code:
if ((PHP_VERSION >= '5') && extension_loaded('xsl'))
    require_once('xslt-php4-to-php5.php');
inside the PHP file that breaks with the error "Call to undefined function xslt_create()".
Then download xslt-php4-to-php5.php and save it, with a .php extension, where require_once can find it (e.g. in the same directory as the script that includes it).
That's it, the "Call to undefined function xslt_create()" error shouldn't bug you any more.
Now back to qmailalizer: although I was able to compile it successfully, I couldn't make the qmailalizer binary work. Whenever I execute it, it crashes with a segmentation fault like this:
debian:~# qmailalizer
Qmailalizer version 0.32, Copyright (C) 2001 Wolfgang Pichler
I/O warning : failed to load external entity "/var/www/qmailalizer/results.xml"
Parsing file ....
Parsing file: @400000004bb33dfc09e78f84.s
Segmentation fault
I tried to debug what exactly produces the segmentation fault using strace. All I could find out was that it has something to do with /etc/localtime.
A bit of googling revealed that Debian has had an issue with the rrdtool binary package compiled for 64-bit architectures, dating back to 2007.
The exact thread concerning rrdtool on 64-bit architectures can be read here.
This bug report advises recompiling rrdtool from the Debian source package with a change to CFLAGS in debian/rules, as follows:
Change CFLAGS in debian/rules from
CFLAGS := -O2
to
CFLAGS := -g3 -ggdb3
I experimented with changing the CFLAGS compile-time options in the qmailalizer source, but that didn't do any good.
I've decided to drop qmailalizer for the moment and use its substitute, isoqlog. The main motive for dropping qmailalizer, though I really like this piece of archaic software, is that it has not been supported since 2004.
Luckily isoqlog is a supported piece of software and is capable of producing most, if not all, of the reports qmailalizer produces.
So in case you're looking for a good alternative to QmailAlizer, you should definitely check out isoqlog.
Another possibility for calculating and reporting from your qmail logfiles is awstats; I found the article Calculate Statistics From your Qmail logfiles an interesting read and a good learning point.
Hope it's going to be helpful for you too. Maybe I'll try a bit more to fix up the broken qmailalizer, but it depends on whether I have enough time.
If I eventually succeed in fixing it, I'll share the working copy of qmailalizer with the world.
Tue Mar 30 09:28:23 EEST 2010
Howto resolve issues with gmplayer errors "[AO_ALSA] Unable to find simple control 'PCM',0"
It's really easy to solve: all you need to do is open gmplayer, go to Preferences -> Audio and tick Enable Software Mixer. That's it, you shouldn't experience the problem any longer :)
Mon Mar 29 18:21:16 EEST 2010
Few MySQL helpful commands in MySQL maintenance (MySQL rename Table, Empty MySQL Table Contents / Null Table records, Get info about variables in a Table, Change record in existing MySQL table, Get MySQL table privileges info, Some basic commands for MySQL issues debugging)
These days I'm playing with MySQL, trying out stuff. I decided it could be helpful to somebody to share a few things I learned.
So there we go:
1. To rename an existing MySQL table
RENAME TABLE old_table_name TO new_table_name;
2. To completely wipe out the contents of an existing MySQL table
TRUNCATE TABLE table_name;
table_name = the table whose rows you want to remove. Note that TRUNCATE TABLE is DDL, not DML: it cannot be rolled back, it resets any AUTO_INCREMENT counter, and it requires the DROP privilege rather than DELETE.
3. To rename a column in MySQL
ALTER TABLE your_table_name CHANGE current_column_name new_column_name VARCHAR(100);
Note that when renaming a column with CHANGE you must always restate the column's complete definition, e.g. VARCHAR(100), or whatever the column's type actually is: the definition you give replaces the old one, so check it with DESCRIBE first.
4. To get information about a table, e.g. its columns and their types
DESCRIBE table_name;
5. To change a value in a column to another one, based on the value of another column
UPDATE table_name SET column_name='Lecturer' WHERE other_column_name='some_value';
Here:
column_name = the column you are changing
other_column_name = the other column you search for a certain some_value in
6. To get thorough information about a MySQL table, its columns and the privileges on them
SHOW FULL COLUMNS FROM table_name;
Here table_name should be your table name.
7. To get information about the privileges of a MySQL user
SHOW GRANTS FOR your_user@host;
8. To create a new user and grant certain privileges on a database
GRANT CREATE,INSERT,DELETE,UPDATE,SELECT ON database_name.* TO username@localhost;
SET PASSWORD FOR username@localhost = PASSWORD('mysecretpassword');
Where:
database_name = your desired database
username = your user of choice
CREATE,INSERT,DELETE,UPDATE,SELECT = the privileges you want to grant on database_name to username
In case you want to grant every privilege on the database to the user, use the following:
GRANT ALL ON database_name.* TO username IDENTIFIED BY 'mysecretpassword' WITH GRANT OPTION;
Two things to be aware of here: without an @host part MySQL treats the account as username@'%', i.e. it may connect from any host, not just localhost; and WITH GRANT OPTION lets that account hand its privileges on to other accounts. Restrict the host and drop WITH GRANT OPTION unless the application really needs them.
9. A few other commands that are really helpful on a daily basis when you're responsible for a MySQL server are:
SHOW WARNINGS;
which is always helpful when debugging a statement that did not do what you expected in MySQL.
And:
SHOW STATUS;
SHOW PROCESSLIST;
These two show the values of various key server status variables and the currently connected threads with the queries they are running, and can be a precious debugging tool.
Fri Mar 26 16:47:19 EET 2010
Auto insert password for a Trusted SSL Certificate / Automatically enter password for an SSL Certificate during Apache startup on Debian Lenny
I've recently installed a trusted SSL certificate, protected with a passphrase for better security, on an Apache server running on Debian.
Now every time I restart Apache it's pretty annoying, and impractical too, to enter the passphrase assigned to the SSL certificate.
It's also dangerous, because if Apache crashes and something tries to restart it, it might not start up again: it sits waiting for the passphrase.
Another unpleasant scenario: one of the PHP developers changes something minor in a VirtualHost and restarts Apache for the new configuration to take effect; again Apache won't come up and chaos ensues.
So I decided to configure Apache to fill in the passphrase automatically each time it is started or restarted. To do that I consulted some online resources and ended up redirected by a blog post to the mod_ssl ssl_reference web page.
There is plenty of stuff in that document, however in my case all I needed was one directive in /etc/apache2/mods-available/ssl.conf:
SSLPassPhraseDialog exec:/etc/apache2/mods-available/passphrase
The above directive must replace:
SSLPassPhraseDialog builtin
The last step is to prepare /etc/apache2/mods-available/passphrase.
Make sure the file has the following content:
#!/bin/sh
echo "yoursecretpassword"
Replace yoursecretpassword above with your configured passphrase.
Also make sure /etc/apache2/mods-available/passphrase has proper permissions set. In my case I set the following permissions on the file:
debian:~# chown www-data:www-data /etc/apache2/mods-available/passphrase
debian:~# chmod 700 /etc/apache2/mods-available/passphrase
That should be it. Restart Apache and make sure it loads properly without any SSL passphrase prompts.
However, bear in mind that having Apache load the passphrase automatically at start-up is much less secure than typing it in every time you restart Apache. A passphrase stored in a file on the same host is only as safe as that file.
For instance, if an attacker breaks into your server, he might be able to steal your SSL certificate's private key as well as the passphrase file that unlocks it, which defeats the purpose of encrypting the key in the first place.
And surely this is something you don't want. Anyway, flexibility has a price, and if you decide to go the way described, note the risk first.
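Given that risk, here is an added example (not the post's own script) of a stricter exec dialog helper. mod_ssl runs the program as root during start-up, before Apache drops to www-data, and calls it with two arguments, "servername:port" and the key type ("RSA" or "DSA" on Apache 2.2), so the helper and its data can be root-owned, mode 0700/0400; owning them as www-data, as done above, only makes them readable to a compromised web application. The script below reads the passphrase for the requested vhost from a per-vhost file and refuses to answer if that file's ownership or mode is wrong. The directory layout /etc/apache2/ssl/passphrases/<servername:port>.<keytype> is an assumption of this example, not something from the page.

```shell
#!/bin/sh
# Added example (not the script from the post above): a stricter
# SSLPassPhraseDialog helper. mod_ssl runs this program as root during
# start-up and passes two arguments: "servername:port" and the key type.
# Instead of echoing a hard-coded string, it reads the passphrase for that
# vhost from a file and refuses to answer if the file could be read by
# anyone but its owner.
# Assumed layout (not from the original page):
#   /etc/apache2/ssl/passphrases/<servername:port>.<keytype>, mode 0400 root:root

PASS_DIR="${PASS_DIR:-/etc/apache2/ssl/passphrases}"

# read_passphrase SERVERNAME:PORT KEYTYPE
# Prints the passphrase on stdout; returns 1 (printing nothing on stdout) when
# an argument is malformed, the file is missing, or its permissions are loose.
read_passphrase() {
    vhost=$1
    keytype=$2
    # Allow only characters a servername:port or key type can contain, so a
    # hostile argument cannot escape PASS_DIR with "../".
    case $vhost in
        ''|*[!A-Za-z0-9._:-]*) echo "passphrase: bad vhost argument" >&2; return 1 ;;
    esac
    case $keytype in
        ''|*[!A-Za-z0-9]*) echo "passphrase: bad key type argument" >&2; return 1 ;;
    esac
    file="$PASS_DIR/$vhost.$keytype"
    [ -f "$file" ] || { echo "passphrase: no file for $vhost ($keytype)" >&2; return 1; }

    # The file must be owned by the invoking user (root, when mod_ssl calls us)
    # and be readable by that user only: mode 0400 or 0600.
    owner=$(stat -c '%u' "$file")
    mode=$(stat -c '%a' "$file")
    [ "$owner" = "$(id -u)" ] || { echo "passphrase: $file not owned by uid $(id -u)" >&2; return 1; }
    case $mode in
        400|600) ;;
        *) echo "passphrase: $file is mode $mode, expected 0400 or 0600" >&2; return 1 ;;
    esac
    # mod_ssl reads the first line of our output as the passphrase.
    head -n 1 "$file"
}

# mod_ssl invokes the script with exactly two arguments; do nothing otherwise.
if [ $# -eq 2 ]; then
    read_passphrase "$1" "$2"
fi
```

Install it as /etc/apache2/mods-available/passphrase owned by root with mode 0700, point SSLPassPhraseDialog exec: at it as above, and try it by hand (`./passphrase www.domain.com:443 RSA`) before restarting Apache; a refusal is printed on stderr, so Apache's start-up log tells you which file to fix.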
Fri Mar 26 14:43:39 EET 2010
Fix to "Init: Private key not found" whenever trying to configure Apache to run with a Trusted SSL Certificate issued from RapidSSL
Yesterday I had to fight for a while before I could properly install a trusted SSL certificate issued by RapidSSL.
The problem persisted for a couple of hours before I realized it was caused by me.
So here is the error I encountered in my Apache error.log:
[Thu Mar 25 09:29:41 2010] [error] Init: Private key not found
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
It took me a couple of hours of futile attempts to fix the error.
Anyway, I'll try to explain in a few words some of the things I tried, mostly following suggestions from web forums and other blogs which claimed they were the cornerstone that drove Apache off track.
1. I checked whether the .pem certificate files are readable by all users, including www-data (since I'm running Apache on Debian).
It's best if your .pem file permissions are set like:
-rw-r--r-- 1 www-data www-data 3158 2010-03-25 11:07 /etc/apache2/ssl/www.domain.com.pem
(A caution here: a .pem that also contains the private key should not be world-readable. Apache reads the key while still running as root at start-up, so 0600 owned by root is enough and keeps the key out of reach of the www-data user and anything running as it.)
2. I tried pointing Apache at the .crt and the .key file separately, via the directives shown below:
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key
3. I tried modifying /etc/apache2/mods-enabled/ssl.conf
There I attempted to change:
SSLProtocol all -SSLv2
to
SSLProtocol all
This attempt wasn't helpful either (and the -SSLv2 exclusion should stay in place anyway: the protocol setting has nothing to do with loading the key, and SSLv2 is broken).
4. I tried removing the encryption from the RSA private key (while preserving the original file):
debian:~# cp -rpf /etc/apache2/ssl/www.domain.com.key /etc/apache2/ssl/www.domain.com.key.orig
debian:~# /usr/bin/openssl rsa -in /etc/apache2/ssl/www.domain.com.key.orig -out /etc/apache2/ssl/www.domain.com.key
So decrypting the RSA private key from its DES3 encryption and handing it to Apache didn't change anything: whenever I restarted Apache it refused to run again, though I was no longer asked for a passphrase after the above.
Since all of the above failed, I also tried checking whether the .csr, .crt and .key files were broken or mismatched:
debian:~# /usr/bin/openssl x509 -noout -modulus -in /etc/apache2/ssl/www.domain.com.crt
debian:~# /usr/bin/openssl rsa -noout -modulus -in /etc/apache2/ssl/www.domain.com.key
debian:~# /usr/bin/openssl req -noout -modulus -in /etc/apache2/ssl/www.domain.com.csr
I compared the Modulus output of the above commands.
If everything is okay with your .key, .csr and .crt files, the Modulus printed by all three commands must be identical: the CSR, and the certificate the CA issues from it, carry the public key that belongs to that private key, and the modulus is the part of the key the three files share.
This proved there was no match between the modulus of www.domain.com.crt and that of www.domain.com.key.
This gave me the idea that something was probably wrong with www.domain.com.key, and that it was not the same file I had used to generate the .csr (Certificate Signing Request).
I checked and realized that all the time I had been using a .key file from my notebook's desktop, and the file on my notebook's desktop was not the original file from the server.
So I immediately ssh-ed to the server and replaced the wrong .key I had stored in /etc/apache2/ssl/www.domain.com.pem with the correct one.
After restarting the webserver, everything worked like a charm! Praise God :)
This experience is another good example of how the simplest human mistakes create the biggest problems, which are also the hardest to track down.
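As an added example (not from the post), here is the modulus comparison above wrapped as a pre-flight check to run before every Apache restart, so a wrong .key is caught before Apache refuses to start. It also checks for the condition behind mod_ssl's "RSA server certificate is a CA certificate" warning, i.e. a CA certificate handed to SSLCertificateFile instead of the server certificate. It assumes the openssl command-line tool is installed; KEY_PASSIN is an assumed environment variable carrying an openssl -passin source (env:VAR or file:/path) for an encrypted key, and when it is unset an empty passphrase is tried so the script never blocks on a prompt.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight consistency check
# for an Apache mod_ssl certificate, key and (optionally) CSR.
# Assumes: openssl in PATH; KEY_PASSIN (optional) is an openssl -passin source.

cert_modulus() { openssl x509 -noout -modulus -in "$1" 2>/dev/null; }
csr_modulus()  { openssl req  -noout -modulus -in "$1" 2>/dev/null; }
key_modulus()  { openssl rsa  -noout -modulus -in "$1" -passin "${KEY_PASSIN:-pass:}" 2>/dev/null; }

# cert_is_ca CRT -> 0 when the certificate carries basicConstraints CA:TRUE,
# which is what mod_ssl complains about when a CA cert is used as server cert.
cert_is_ca() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'CA:TRUE'
}

# ssl_pair_check CRT KEY [CSR]
# Returns 0 when certificate, key and (if given) CSR share one RSA modulus and
# the certificate is a server certificate; prints the reason on stderr otherwise.
ssl_pair_check() {
    crt=$1; key=$2; csr=$3
    crt_m=$(cert_modulus "$crt") || { echo "FAIL: cannot parse certificate $crt" >&2; return 1; }
    # A file that is not a private key at all (the stray file in the post
    # above) fails here with the same asn1 "bad tag" errors Apache logged.
    key_m=$(key_modulus "$key") || { echo "FAIL: cannot parse private key $key (wrong file, format or passphrase?)" >&2; return 1; }
    [ -n "$crt_m" ] && [ -n "$key_m" ] || { echo "FAIL: empty modulus (not an RSA certificate/key?)" >&2; return 1; }
    if [ "$crt_m" != "$key_m" ]; then
        echo "FAIL: $crt and $key do not match; this key is not the one the CSR was generated from" >&2
        return 1
    fi
    if [ -n "$csr" ]; then
        csr_m=$(csr_modulus "$csr") || { echo "FAIL: cannot parse CSR $csr" >&2; return 1; }
        [ "$csr_m" = "$key_m" ] || { echo "FAIL: $csr was generated from a different key" >&2; return 1; }
    fi
    if cert_is_ca "$crt"; then
        echo "FAIL: $crt is a CA certificate, not a server certificate (check which file the CA sent you)" >&2
        return 1
    fi
    echo "OK: certificate, key${csr:+ and CSR} share the same RSA modulus"
}
```

Typical use is `ssl_pair_check /etc/apache2/ssl/www.domain.com.crt /etc/apache2/ssl/www.domain.com.key /etc/apache2/ssl/www.domain.com.csr && apache2ctl graceful`, with KEY_PASSIN=env:KEY_PASS exported when the key is still encrypted.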
Thu Mar 25 20:42:28 EET 2010
Howto install GeoTrust RapidSSL certificate on Debian Lenny 5.0
I faced the task of generating official validated SSL certificates in my daily duties as a System Administrator at cadiaholding.com. Though generating a self-signed SSL certificate is a comparatively easy task, it was a pain in the ass setting up Apache version 2.2.9-10+lenny6 to correctly serve pages over https:// with openssl version 0.9.8g-15+lenny6. I'll try to go through the whole process of generating the certificate in order to help other Debian users out there face fewer setbacks in such a simple task as installing a trusted SSL certificate issued (bought) from RapidSSL. Even though this article mostly deals with an SSL certificate issued by RapidSSL, it should be no problem to apply the same methodology to Verisign or other GeoTrust-issued Secure Socket Layer certificates.
To obtain the validated certificate I used Enom, which is a wholesaler of domain names, SSL certificates, e-mail and hosting.
On Enom's website, after logging in, there are two major things you have to fill in through the web interface in order to have your trusted SSL certificate issued.
1. Paste a CSR into a form. The CSR is usually generated on the Linux server using openssl.
To produce the CSR file required by Enom, use the following commands:
a. First we generate a DES3-encrypted RSA key, which we then use to generate the CSR file required by Enom:
debian:~# /usr/bin/openssl genrsa -des3 -out www.domain.com.key 2048
Enter pass phrase for www.domain.com.key:
You'll be asked for a passphrase, which will later have to be entered every time Apache starts or restarts, so make sure you pick something you either remember or keep stored in a file.
Also change www.domain.com.key to match your domain name.
Now that we have a properly generated DES3-encrypted RSA key, we need to generate the CSR file with the openssl command-line frontend. Here is how:
debian:~# /usr/bin/openssl req -new -key /home/hipo/www.domain.com.key -out /home/hipo/www.domain.com.csr
Again, change the paths and file names in the above example as you wish.
The end user then has to answer a number of questions related to the Certificate Signing Request.
Here is what the prompts look like after executing the above command:
Enter pass phrase for /home/hipo/www.domain.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note that you'll have to fill in the passphrase previously entered when generating the www.domain.com.key file. Despite the prompt's hint, the Common Name must be the fully qualified host name the certificate is for (here www.domain.com), not a person's name, otherwise browsers will reject the certificate for that site. The challenge password can be left blank; commercial CAs generally ignore it.
In case you'd like to read more thoroughly on how to create a Certificate Signing Request (CSR), as we have called it several times, you can read About Certificate Signing Request (CSR) Generation Instructions - Apache SSL in more depth here.
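As an added example, not part of the original article, here are steps 1a and 1b done non-interactively, so they can sit in a script and the passphrase never appears on the command line, where ps would show it to other users. The function reads the passphrase from the environment variable KEY_PASS (an assumption of this example), encrypts the key with AES-256 rather than the older DES3 used above, writes the key with a restrictive umask, generates the CSR with -subj instead of the interactive prompts, and then verifies the CSR's signature and Common Name before you paste it into Enom's form. The subject values (C=BG, O=Example Ltd) are example values, not from the page.

```shell
#!/bin/sh
# Added example, not part of the original article: key + CSR generation for
# a CA order, non-interactively and with the passphrase kept off the command
# line. Assumptions (not from the page): passphrase in $KEY_PASS, AES-256
# instead of DES3, example subject fields.

# make_key_and_csr FQDN OUTDIR [ORG] [COUNTRY]
# Writes OUTDIR/FQDN.key (encrypted, mode 0600) and OUTDIR/FQDN.csr, verifies
# the CSR's self-signature and Common Name, and prints the CSR path.
# Returns 1 on any failure.
make_key_and_csr() {
    fqdn=$1; outdir=$2; org=${3:-Example Ltd}; country=${4:-BG}
    key="$outdir/$fqdn.key"; csr="$outdir/$fqdn.csr"
    [ -n "$KEY_PASS" ] || { echo "KEY_PASS is not set" >&2; return 1; }
    [ "${#KEY_PASS}" -ge 12 ] || { echo "KEY_PASS is shorter than 12 characters" >&2; return 1; }
    if [ -e "$key" ]; then
        echo "refusing to overwrite existing key $key" >&2; return 1
    fi
    mkdir -p "$outdir" || return 1
    # umask 077 so the key file is never readable by others, not even briefly.
    # env:KEY_PASS makes openssl read the passphrase from the environment.
    (umask 077 && openssl genrsa -aes256 -passout env:KEY_PASS -out "$key" 2048 2>/dev/null) || return 1
    # The Common Name must be the exact host name clients will type in the
    # browser. No challenge password is set: CAs do not use it.
    openssl req -new -key "$key" -passin env:KEY_PASS \
        -subj "/C=$country/O=$org/CN=$fqdn" -out "$csr" 2>/dev/null || return 1
    # Confirm the CSR is self-consistent and carries the CN we asked for,
    # before pasting it into the CA's web form.
    openssl req -noout -verify -in "$csr" >/dev/null 2>&1 || return 1
    openssl req -noout -subject -in "$csr" 2>/dev/null | grep -q "CN *= *$fqdn" || return 1
    echo "$csr"
}
```

Typical use: `export KEY_PASS='...'; make_key_and_csr www.domain.com /etc/apache2/ssl` and then paste the printed .csr file into the CA's form; the same KEY_PASS is what Apache (or an exec passphrase helper) must supply later when loading the key.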
2. Hopefully, following the above instructions, you'll now have a file named www.domain.com.csr. Just open it and copy and paste its content into the CSR * webform on Enom's website.
3. Next, select your webserver type on Enom's website: in our case we have to select Apache + ApacheSSL.
4. What follows is filling in your company's contact information. This is also required for proper certificate generation, so think twice before you fill in this data: it can't be changed later without issuing a brand new SSL certificate.
Apart from the three major requirements above, Enom has a few more radio buttons for selections according to your personal preferences, but I won't take time to dig into those and will leave them to you.
After all the above is filled in you'll have to submit your certificate details and choose an e-mail address, to which within a minute you will receive a RapidSSL Certificate Request Confirmation.
Following a link from the e-mail will show you some basic information about the certificate about to be generated. That's your final chance to cancel the certificate being issued.
If you're absolutely sure the information about to go into the certificate is correct, follow the link and approve the certificate.
You'll be informed that you'll receive your certificate either through the certifier's website (e.g. Enom's website) or via another e-mail.
I thought it more probable I'd receive it via e-mail, but anyway I was wrong. More than 4 hours have passed since the certificate was issued and became available via Enom's interface, but I haven't received anything by mail.
Therefore my friendly advice is to check for your brand new shiny trusted certificate on Enom's website. I had mine ready about 10 minutes after the CSR was submitted.
Assuming that you've successfully obtained the trusted SSL certificate from RapidSSL, what follows is setting up the certificate.
Initially I tried using the documentation from RapidSSL's website called Installing your SSL Certificate / Web Server Certificate / Secure Server Certificate from RapidSSL.com.
I tried to configure one of my VirtualHosts as shown in their example, inserting a few directives within the VirtualHost in my /etc/apache2/sites-available/www.domain.com file, something like the ones shown below.
After applying the above configuration and restarting Apache, it failed to start. The error I had in my Apache error.log might be helpful to somebody out there; error.log read the following:
[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
After some 30 minutes or an hour of googling the error, I came to the conclusion that it was caused because Apache is supposed to work with .pem files instead of the classical .crt and .key files normally used on most other Unix operating systems.
It took me a bit more reading on the internet to find out that the .pem files so widely adopted in Debian simply contain both the www.domain.com.key and the www.domain.com.crt pasted one after the other; I also observed this in the default Apache self-signed certificate that I believe comes with Debian, /etc/apache2/ssl/apache.pem.
So I concatenated the contents of my www.domain.com.key and www.domain.com.crt into one file:
/etc/apache2/ssl/www.domain.com.pem
Since this .pem now holds the private key, keep it readable by root only (mode 0600).
Also the following configuration had to go into your /etc/apache2/sites-enabled/www.domain.com:
The last thing left is to restart Apache;
Apache will prompt you for the passphrase you entered during the www.domain.com.key generation. Type it in and, with a bit of luck and hopefully with God's help, you'll have a trusted certificate on your webserver.
The last step is to check that the certificate is OK by accessing your domain at https://www.domain.com.
Well, this is the end of the article, hope you enjoyed it. If you did, please leave your comments; any corrections are also welcome :)
In generating the Validated certficate I used enom which is a domain name, ssl certificates, email and hosting company whole-saler.
Fron emon's website after logging in and using the web interface, there are two major things required to fill in in order to issue your Trusted SSL certificate.
1. Fill in in a form a CSR file, this is usually generated on the Linux server using the openssl.
To issue the CSR file required by Enom use the following commands:
a. First we generate an DES3 RSA encrypted key which we will use next to generate the opeensl CSR file required by ENOM.
debian:~# /usr/bin/openssl genrsa -des3 -out
www.domain.com.key 2048
Enter pass phrase for www.domain.com.key:
You'll be required to fill in a pass-phrase that will be later be required to fill in before Apache servers starts or restarts, so make sure you fill something you either remember or you keep the password stored in a file.
You have to change also the www.domain.com.key in accordance with your domain name.
Now as we already have a proper generated DES3 RSA key afterwards it's necessery to generate the CSR file with the openssl command line frontend.
So here is how:
debian:~# /usr/bin/openssl req -new -key
/home/hipo/www.domain.com.key -out
/home/hipo/www.domain.com.csr
Again in the above example change all the paths and file names as you wish.
It's necessery that the end user fill in a number of questions related to the Certificate Signing Request.
Herein I'll list what kind of prompts will emerge after executing the above command:
Enter pass phrase for /home/hipo/www.domain.com.key:
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note that you'll have to fill in the pass phrase previously entered during the generation of the www.domain.com.key file.
If you'd like to read more thoroughly on the subject of how to create a Certificate Signing Request (CSR), as we have called it multiple times, you can read About Certificate Signing Request (CSR) Generation Instructions - Apache SSL in more depth here.
2. Hopefully, following the above instructions, you'll now have a file named www.domain.com.csr. Just open www.domain.com.csr and copy-paste its content into the CSR webform on the ENOM website.
3. Further on, select your web server type on Enom's website: in our case we have to select Apache + ApacheSSL.
4. What follows next is filling in your company contact information. This is also required for proper certificate generation; think twice before you fill in this data, as it can't be changed later on without issuing a brand new SSL certificate.
Apart from the 3 major requirements above, Enom's form has a few more radio buttons for making selections according to your personal preferences; however, I won't take time to dig into that and will leave it to you.
After all the above is fulfilled you'll have to submit your certificate details and choose an email address at which you will receive, within a minute, a RapidSSL Certificate Request Confirmation.
Following the link from the email will show you some basic information about the certificate about to be generated. That's your final chance to cancel the Trusted Certificate being issued.
If you're absolutely sure the information about to enter the certificate is correct, follow the link and approve the certificate.
You'll be informed that you'll receive your certificate either through the certifier's website (e.g. Enom's website) or via another email.
I thought it more probable that I'd receive it via email, but I was wrong. More than 4 hours have passed since the certificate was issued and became available via Enom's interface, but I haven't received anything in my mail.
Therefore my friendly advice is to check for your brand new shiny Trusted Certificate on Enom's website. I had mine ready about 10 minutes after the CSR was submitted.
Assuming that you've successfully obtained the SSL Trusted Certificate from RapidSSL, what follows is setting up the certificate.
Initially I tried using the documentation from the RapidSSL website called Installing your SSL Certificate / Web Server Certificate / Secure Server Certificate from RapidSSL.com.
I tried to configure one of my VirtualHosts as shown in their example, inserting into my /etc/apache/sites-available/www.domain.com file a few directives within the VirtualHost, something like the ones shown below:
SSLEngine on
# www.domain.com.crt contains the Trusted SSL certificate generated and obtained by you from RapidSSL
SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
# www.domain.com.key contains the key used to generate the CSR file, as described earlier in this post
SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key
After trying the above configuration and restarting apache with:
/etc/init.d/apache2 restart
Apache failed to start. The error I had in my Apache error.log might be helpful to somebody out there; the error.log read the following:
[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
After some 30 minutes or an hour of googling the error, I came to the conclusion that it is caused because Apache is supposed to work with .PEM files instead of the classical .CRT and .KEY files normally used on most other Unix operating systems.
It took me a bit more reading on the internet to find out that the .pem files so widely adopted in Debian simply contain both the www.domain.com.key file and the www.domain.com.crt certificate pasted one after another; I also observed this from the default Apache self-signed certificate that I believe comes with Debian, /etc/apache2/ssl/apache.pem.
So I copied the content of both www.domain.com.key and www.domain.com.crt and stored it in one file:
/etc/apache2/ssl/www.domain.com.pem
Also the following configuration:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/www.domain.com.pem
had to go into
/etc/apache2/sites-enabled/www.domain.com
The last thing that's left is to restart your Apache:
/etc/init.d/apache2 restart
Apache will prompt you for the certificate password you entered during the www.domain.com.key generation. Type your password and, with a bit of luck and hopefully God's help, you'll have a Trusted Certificate on your web server.
The last step is to check that the certificate is okay by accessing your domain at https://www.domain.com.
Well, this is the end of the article, hope you enjoyed it. If you did, please leave your comments; any corrections are also welcome :)
Tue Mar 23 15:27:28 EET 2010
Howto import a UTF8 textbook (book) in MySQL table / A simple step by step guide through on howto import books in MySQL
I was looking forward to importing a textbook I own into MySQL in order to be able later to easily manipulate the text with MySQL queries. After some time spent trying hard, here are the steps I took to import the textbook:
1. First we create the necessary database and set its default charset to UTF8:
freebsd$ mysql -u root -p
# create database textbook in mysql and change it to your likings
mysql> CREATE DATABASE textbook DEFAULT CHARACTER SET utf8;
mysql> USE textbook;
mysql> SET NAMES utf8;
2. Then we CREATE the necessary table into which we will import the textbook:
Below we create the table "textbook" with one column "sentence"
mysql> CREATE TABLE textbook (sentence VARCHAR(5000));
3. Now we import the book:
mysql> LOAD DATA INFILE '/path/to/file/textbook.txt' INTO TABLE textbook;
4. Last, it might be a good idea to add an extra numbered column to be able to track the lines of the textbook, as below:
mysql> ALTER TABLE textbook ADD COLUMN id INT NOT NULL AUTO_INCREMENT FIRST, ADD PRIMARY KEY (id);
In my case the book was in Cyrillic and after I'd taken the above steps I didn't have any problems with Cyrillic letters in the table.
Of course the above method is a bit dumb, since it's not flexible enough and doesn't track the textbook parts or titles; however, it's still a good example of how to store text data in a MySQL table and could help somebody further in their journey of learning MySQL, and next to that serve some simple daily SQL tasks.
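An added example, not from the original post: a shell pre-flight for the textbook file before step 3, validating that it is clean UTF-8 and emitting the LOAD DATA statement with the character set and line terminator stated explicitly instead of inherited from SET NAMES. Paths and the table name are assumed.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight checks for the
# textbook file before LOAD DATA INFILE, plus generation of the LOAD DATA
# statement with the character set and line terminator spelled out instead of
# inherited from SET NAMES.  Paths and the table name are placeholders.
#
# LOAD DATA INFILE reads the file on the *server*, so the MySQL account needs
# the FILE privilege and the path must sit under secure_file_priv; prefer that
# over LOAD DATA LOCAL INFILE, which lets the server pull arbitrary files from
# the client machine.

# Return 0 if $1 is entirely valid UTF-8.  iconv stops with an error at the
# first illegal byte sequence, which is exactly the signal we want.
is_valid_utf8() {
    iconv -f UTF-8 -t UTF-8 "$1" >/dev/null 2>&1
}

# Return 0 if $1 uses CR LF line endings (a book saved on Windows).  LOAD DATA
# splits rows on "\n" by default, which would leave a stray "\r" at the end
# of every stored sentence.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Print the LOAD DATA statement for file $1 into table $2 (default: textbook),
# or print a diagnostic and return 1 when the file is not clean UTF-8.
textbook_to_load_statement() {
    file=$1; table=${2:-textbook}
    if ! is_valid_utf8 "$file"; then
        echo "$file: contains bytes that are not valid UTF-8; fix with iconv first" >&2
        return 1
    fi
    if has_crlf "$file"; then eol='\r\n'; else eol='\n'; fi
    printf "LOAD DATA INFILE '%s' INTO TABLE %s CHARACTER SET utf8 LINES TERMINATED BY '%s' (sentence);\n" \
        "$file" "$table" "$eol"
}

# Usage: textbook_to_load_statement /path/to/file/textbook.txt | mysql -u root -p textbook
```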
Mon Mar 22 22:51:41 EET 2010
Fix weird problem with Apache default encoding (AddDefaultCharset) not taking effect on FreeBSD with Apache version (2.0.63)
I encountered a weird problem a couple of minutes ago. I tried to put some text files written in UTF-8, which contain Cyrillic in the file names as well as in the file content, in my Apache directory listing. Trying that produced a lot of "alien symbols" for both file names and file content.
I have to admit that wasn't exactly what I expected. I checked my /usr/local/etc/apache/httpd.conf just to find out I already have:
AddDefaultCharset utf-8
within the configuration. I thought that somehow Apache could have difficulties applying that rule for the custom VirtualHost and therefore gave the directive a try locally in the VirtualHost. Grievously, that didn't produce any positive result. That's why I decided to check if somebody has experienced the same weird behavior, and I stumbled on this wonderful blog post.
In short, on the plug and pray blog ... Wait a moment, plug and pray? Yes, you read that correctly, it's plug and pray :). On that blog it's explained that newer versions of Apache (2.2.4, the version the blogger talks about, as well as the latest Apache release) have an issue with AddDefaultCharset not working anymore. Fortunately the issue with AddDefaultCharset not taking effect in Apache is easily solved. All that needs to be done is including:
IndexOptions Charset=UTF-8
within the Apache conf file. In my case on FreeBSD I had to include that in /usr/local/etc/apache2/httpd.conf, after which all worked perfectly fine and I can see all my Cyrillic symbols showing anew.
Mon Mar 22 17:45:20 EET 2010
Change mc (midnight commander) editor to mcedit / How to make mcedit default editor for mc once again / Change Debian Default editor the correct way
I'm considering using mc (midnight commander) to review some dozens of source files in PHP/CSS and Java. However, currently on my Debian Lenny I have configured vim to be the default editor in the system. The way I've set up my vim to be the default editor is not really canonical; I mean I did it through the $EDITOR variable in my /root/.bashrc and my ~/.bashrc file. In other words I have:
export VISUAL='vim'
export EDITOR='vim'
in my .bashrc files.
Though the correct way to do that is actually either by:
hipo@noah:~# update-alternatives --config editor
or by linking /etc/alternatives/editor to your vim, for instance:
hipo@noah:~# rm -f /etc/alternatives/editor
hipo@noah:~# ln -sf /usr/bin/vim /etc/alternatives/editor
As a result of my non-canonical way of doing things on Debian, whenever I tried opening files with midnight commander (mc), files ended up opening with vim.
I have to note that really sux a lot, and therefore I hurried to change mc's behaviour back to normal.
Here is how:
While in mc press F9 and go to the Options menu, then navigate to Configuration.
Now tick the text reading: Use internal edit
Afterwards it might also be a good idea to select Save Setup from the Options menu in order to save the changed settings for future use.
Thu Mar 18 17:11:38 EET 2010
Mount Athos Sideview
This wonderful picture of Mount Athos - Holy Mountain (a monk republic situated in Northern Greece) was taken by my kind-hearted girlfriend Dorothy (Angellyca / GrimminaGroll), during her trip to Kabala and some other tourist destinations in Greece, while on a boat crossing near Mount Athos. I hope she won't be very angry with me that I post her picture, but I felt obliged to do so!
So Thank you Dear Dorothy, and please don't be mad at me :)
Wed Mar 17 20:41:24 EET 2010
Problem with OpenOffice after upgrade on Debian Sid Testing/Unstable - (openoffice.org: Component manager is not available.)
A few days ago I did an upgrade using apt-get which upgraded my OpenOffice to 3.2.04 on my desktop machine (a notebook running Debian Sid - Testing/Unstable). Since then I hadn't started OpenOffice; however, today an ex-college colleague of mine (Burcu) dropped by home so I could give her some help with a project. In that relation I had to open a .doc file. I launched my oowriter in an attempt to open the document, without success: a stupid error popped up saying something is wrong with some kind of OpenOffice registry and, most importantly, claiming the following error:
openoffice.org: Component manager is not available.
The first thing I tried in order to resolve the issue was simply moving my ~/.openoffice.org/ and ~/.openoffice.org2/ directories to ~/.openoffice.org-bak/ and ~/.openoffice.org2-bak/ respectively:
hipo@noah:~$ mv ~/.openoffice.org/ ~/.openoffice.org-bak/
hipo@noah:~$ mv ~/.openoffice.org2/ ~/.openoffice.org2-bak/
Regrettably I realized this approach failed when I launched oowriter to regenerate its working directories.
Therefore I executed another strategy to fix the issue: completely reinstalling OpenOffice with apt:
hipo@noah:~# apt-get install --reinstall openoffice.org-core
After a while, all is now back to normal with my OpenOffice. Though it's a real loss of time applying such dumb workarounds; I always hated Linux as a desktop platform just because of misbehaviours like that.
Wed Mar 17 20:10:04 EET 2010
A few helpful Bind DNS server configuration options
It's quite useful in BIND to have the following configuration options in either the named.conf options {} configuration block or (in the case of Debian Linux) in named.conf.options.
Please edit your required file respectively, find the options {} directive and set within the options {} block the following:
zone-statistics yes;
notify yes;
transfer-format many-answers;
Here I have to clarify that the zone-statistics directive instructs the server to collect statistical data about all zone files; these statistics can later be accessed via the rndc stats command.
transfer-format many-answers is actually the default since BIND 9, and you might even like to skip that one if on BIND version 9 or later.
notify yes; - will instruct the nameserver to replicate changes in zone files to a configured secondary name server.
Another really vital thing in my view is to enable Bind DNS server logging into file.
In order to do that put in named.conf:
logging {
    channel _default_log {
        file "/var/log/named/named.log";
        severity debug;
        print-time yes;
    };
    category default { _default_log; };
};
Note that it's required to create the log file with proper permissions in the location specified in the above configuration, in this case /var/log/named/named.log:
debian-server# mkdir -p /var/log/named
debian-server# touch /var/log/named/named.log
debian-server# chown -R bind:bind /var/log/named/
In this case I change the directory and file to be owned by the bind user and group; however, on a different Linux distribution such as Red Hat the user could be different, e.g. on Red Hat the user is usually named.
To find the correct user and permissions, check the user with which the BIND server is running using a simple:
debian-server# ps axu|grep -i bind
or
# ps axu|grep -i named
Tue Mar 16 17:31:07 EET 2010
3 Major incorrect beliefs about Global DNS (root DNS) servers
Until today, since I started getting into the depths of DNS some years ago, I always thought that there were 13 major super-computers used as Global DNS servers which were responsible for caching all the domain names on the IPv4 and IPv6 internet, and that's all I knew about this matter.
Today I had to review my knowledge on the subject of the DNS protocol, BIND server etc. in order to be able to fix an issue with a newly configured BIND DNS server. In relation to that I read a bunch of interesting articles online discussing matters concerning root DNS servers.
Here are two major articles worthy to read:
1. DNS Root Name Servers Explained for Non-Experts - by Daniel Karrenberg
2. DNS Root servers in the World
This blows off the myth about 13 major super-servers running on top of backbones to serve DNS requests online. By the way, it's an interesting fact that I learned that myth from some O'Reilly books that were explaining the Red Hat Linux distribution a long time ago.
It could be that a long time ago this was true, but not anymore!
As of today's date, Tue Mar 16 17:19:02 EET 2010, there are 425 DNS root servers which are the Internet's backbone today.
Interestingly enough, the full list of the root servers is available via isoc.org's website along with much more information on the subject of how root DNSes work, how DNS is served on the Internet, as well as the RFCs which explain the proper way to implement a DNS server.
A copy of the zone file containing all the root DNSes can be obtained via isoc's website.
Another wrong idea about Global DNS servers that I kept with me over the years is that most of the root servers are geographically located in the USA.
Good proof that this is a delusion is the root-servers.org website, which contains a wonderful Google map with pinpointed geographical locations of all root servers. Along with this there is plenty of extensive information on root DNS servers.
Another misbelief when talking about DNS servers is that the A-root server is the main DNS server in the Global DNS cluster.
Another good reading location concerning DNS Root servers is The DNS Root Name Server FAQ .
Tue Mar 16 12:46:30 EET 2010
What causes the "nRRPResponseCode 531" error, A fix to the nasty "nRRPResponseCode 531" error during domain name DNS change
For two days now, I've been trying to set a custom DNS server for a (.net) domain purchased from gigaspark.com. Every time I try to change the nameservers for the (.net) domain an irritating error pops up; the error reads "nRRPResponseCode 531" and I cannot set my custom configured BIND DNS server for the (.net) domain. I believe the same problem happens also with (.com) domains.
In this relation, I tried googling online, searching and searching for what might be the stupid cause of the "nRRPResponseCode 531" error that prevents me from setting my custom configured BIND domain name servers for mydomain.net. I also contacted the support team from gigaspark multiple times until I found out what the cause of the trouble is.
In short, "nRRPResponseCode 531" is an error that indicates your .net or .com domain is not figuring in VeriSign's GRS domain database.
The Verisign GRS domain database contains a list of DNS servers that are correctly configured and trustworthy enough. I've seen many people online suffering from the same terrible error who pointed out that the error is caused by misconfigurations in the BIND DNS server or the zone file for the problematic domain name; though I looked multiple times to try to track the problem in both my main named.conf and the rest of BIND's configuration files, as well as in the domain name I had registered, mydomain.net, there was nothing misconfigured or unusual.
I have to admit this problem is really odd, because I was able to successfully set the same custom configured BIND DNS server for mydomain.info and mydomain.biz, yet whenever trying to set the same BIND DNS for mydomain.net I came across the shitty nRRPResponseCode 531.
Thanks to the kind help of Gigaspark's tech support, together with some Google posts on the matter, I figured out Gigaspark are using ENOM - a major domain name registrar offering easy ways for end domain providers to become their resellers.
It seems ENOM's policy forces you as a domain name customer to register your full DNS domain name, let's say (ns1.mydns.com), in Verisign's GRS domain database; otherwise they refuse you the right to set ns1.mydns.com for your domain yourself, because if the DNS domain name is not figuring in that database it's not trustworthy!
I believe many people would agree with me that this is a real shit! You pay for your domain and you should have full rights over it.
I mean you should be allowed to set whatever DNS domain name, even if it's not an existing one, and they shouldn't bother you with stupid DNS domain name registrations in stupid Verisign GRS databases and so on!
Now you probably wonder what steps are required to be able to register the domain in that Verisign GRS database in order to be able to set your ns1.mydomain.com as a default DNS server for your mydomainname.com.
Well, you have to contact your domain registrar, let's say tucows.com.
You log in to your account on tucowsdomains for your domain mydomain.com ... then you find something similar to "register a nameserver" among the overall menu options.
Then you have to register your nameserver ns1.mydomain.com. Then you wait between 24 and 48h, and then to test if your NS has already properly entered the Verisign GRS database you have to visit Verisign GRS Whois.
Hopefully the guys from Verisign GRS will approve your DNS host to enter their database and then at last you might be able to set your DNS host as the preferred DNS for your (.net) / (.com?) domain name.
So go back to gigaspark's Slovenian interface and try changing the DNSes once again! If you're lucky, with God's help (for sure), you will at last be successful in setting your BIND name server as a primary DNS.
Mon Mar 15 17:29:46 EET 2010
Disable DNS recursion and AXFR requests in BIND on Debian Linux and FreeBSD / How to test a nameserver if AXFR requests are allowed with dig command
I am playing with BIND on a newly configured server and therefore doing my best to configure the nameserver in a good manner. In that train of thought I remembered the good old "recursion", which could pose a security hole in your DNS systems. I won't babble on about how bad it is for a BIND domain resolver to have domain recursion switched on; there is plenty of information you can read further online. Anyway, here is a brief overview of recursion:
Recursive DNS is essentially the opposite of authoritative (what some hosting providers call "Custom") DNS: an authoritative DNS service allows others to find your domain, while recursive DNS lets you resolve other people's domains.
So considering the above definition, if you leave recursion unrestricted on your Bind nameserver (older BIND releases before 9.4 and many other DNS servers, including Microsoft DNS, answer recursive queries from anyone by default; BIND 9.4 and later limit recursion to localnets and localhost unless told otherwise, but it is still worth setting explicitly), your DNS server is open for the whole world to use as a resolver for any domain name. In other words somebody out there might decide to use your nameserver to resolve all internet domains, like google.com, yahoo.co.uk etc., and an open resolver is also a convenient reflector for DNS amplification attacks against third parties.
It is wise to enable recursion only for localhost (and any other hosts you trust) on your Bind nameserver. To achieve that on Debian, open /etc/bind/named.conf.options and insert, right before the options { block, an acl listing the addresses that may recurse (1.2.3.4 below is a placeholder for a trusted client):
acl recurseallow { 1.2.3.4; 127.0.0.1; };
Also include the following lines inside the options {} block:
allow-recursion { recurseallow; };
recursion yes;
On FreeBSD you need to add the same to /var/named/etc/namedb/named.conf, or to whatever named.conf location your setup uses.
Another truly vital thing to include in the options {} block of /etc/bind/named.conf.options on Debian Lenny is a restriction on zone transfers:
allow-transfer { none; };
Use an acl listing your secondary nameservers instead of none if you have secondaries that must pull the zones. Including this in the options {} block disables AXFR transfer requests for every zone on the nameserver unless a zone {} block overrides it. Note that auth-nxdomain no;, which Debian's default named.conf.options already contains, has nothing to do with zone transfers: it only controls whether the AA bit is set on NXDOMAIN answers. On FreeBSD the procedure is absolutely analogous; just open /var/named/etc/namedb/named.conf and include the allow-transfer line in the options configuration block.
To stress the importance of disabling AXFR: if you don't disable it (and it is enabled by default in many nameservers out there, BIND included, whose default allow-transfer is any), you risk that a malicious person could list the whole zone file of each and every domain configured on the DNS server, and consequently learn a lot about the DNS topology of your network, internal hostnames, mail and management hosts etc.
So to complete the article, here is how the dig command can be used to check whether a given DNS server answers AXFR requests (i.e. whether it is vulnerable to this type of DNS information leak):
dig @somenameserver.net somedomainname.net axfr
In the above example somenameserver.net is a nameserver hosting a specific DNS domain, and somedomainname.net is the DNS domain name (a.k.a. the zone) hosted on somenameserver.net.
If the nameserver you are running the AXFR test against is configured properly, you should see something like:
; <<>> DiG 9.6.1-P1 <<>> @somenameserver.net somedomainname.net axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
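The dig test above checks a server from the outside; the following is an added example (not configuration or code from the original post) that checks the same two things from the inside, by auditing a BIND options block for a missing or permissive allow-recursion and allow-transfer. WEAK_OPTIONS and HARDENED_OPTIONS are constructed sample blocks, and the addresses 1.2.3.4 (a trusted client) and 5.6.7.8 (a secondary nameserver) are placeholders.

```shell
#!/bin/sh
# Added example, not configuration from the original post: audit a BIND options
# block for open recursion and unrestricted zone transfers.
# WEAK_OPTIONS and HARDENED_OPTIONS are constructed samples; 1.2.3.4 (trusted
# client) and 5.6.7.8 (secondary nameserver) are placeholder addresses.

WEAK_OPTIONS='options {
    directory "/var/cache/bind";
    auth-nxdomain no;
};'

HARDENED_OPTIONS='acl recurseallow { 127.0.0.1; 1.2.3.4; };
acl secondaries  { 5.6.7.8; };
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { recurseallow; };   // only these clients may recurse
    allow-transfer { secondaries; };     // AXFR only to our secondaries; use { none; } if there are none
    auth-nxdomain no;                    // unrelated to AXFR: AA bit on NXDOMAIN answers
};'

# Return 0 if directive $1 appears (outside // comments) in config text $2.
has_directive() {
    printf '%s\n' "$2" | sed 's#//.*##' | grep -q "^[[:space:]]*$1[[:space:]]*{"
}

# Return 0 if directive $1 in config text $2 is set to { any; }.
directive_is_any() {
    printf '%s\n' "$2" | sed 's#//.*##' | grep -q "^[[:space:]]*$1[[:space:]]*{[[:space:]]*any[[:space:]]*;"
}

# Print one FINDING line per problem; return 0 only when the block is clean.
audit_named_options() {
    rc=0
    if ! has_directive allow-recursion "$1"; then
        echo "FINDING: no explicit allow-recursion; relying on the server default (any on BIND before 9.4 and on many other servers)"
        rc=1
    elif directive_is_any allow-recursion "$1"; then
        echo "FINDING: allow-recursion { any; } makes this an open resolver"
        rc=1
    fi
    if ! has_directive allow-transfer "$1"; then
        echo "FINDING: no allow-transfer, AXFR is answered for anyone (BIND default is any)"
        rc=1
    elif directive_is_any allow-transfer "$1"; then
        echo "FINDING: allow-transfer { any; } lets anyone dump every zone"
        rc=1
    fi
    return $rc
}

audit_named_options "$WEAK_OPTIONS"     || echo "weak options block: not clean"
audit_named_options "$HARDENED_OPTIONS" && echo "hardened options block: clean"
```

To run it against a live server, pass the file contents instead of the samples, e.g. audit_named_options "$(cat /etc/bind/named.conf.options)", and keep in mind that a per-zone allow-transfer inside a zone {} block overrides the global one, so zone blocks deserve the same look.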
Mon Mar 15 13:31:57 EET 2010
Howto check and isolate problems with DNS servers and Domain records
There are a few handy websites online which help quite extensively in tracking down problems with domain name records and DNS inconsistencies.
I used them today to learn more about a non-resolving domain which already had a record in a properly configured Bind nameserver, with a proper PTR record. Here are three handy online DNS checkers:
1. Squish.Net/DNSCheck - contains tons of useful debugging information related to the possible problem
2. DNSCheck.iis.se - provides less information, though still really handy
3. TheDNSReport - provides good and extensive info on problems
Some more handy information related to DNS can be obtained via R. Scott's DNS Oversimplified
Sun Mar 14 17:11:21 EET 2010
Add DCC (Distributed Checksum Clearing Houses), Pyzor and Razon checks in Spamassassin on Debian Lenny / Howto improve spamassassin anti spam protection on Debian GNU / Linux
Following a recent qmail install, here are a few things to install in order to improve the native anti-spam protection that spamassassin gives a mail server.
1. Install Pyzor and Razor
debian-server# apt-get install pyzor razor
2. Edit /etc/mail/spamassassin/local.cf and put the following lines in it:
use_razor2 1
razor_config /etc/razor/razor-agent.conf
razor_timeout 8
use_pyzor 1
pyzor_path /usr/bin/pyzor
add_header all Pyzor _PYZOR_
clear_report_template
3. Edit /etc/mail/spamassassin/v310.pre and make sure the following lines are included and uncommented:
loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
4. Now we modify /etc/mail/spamassassin/local.cf once more to enable Bayesian Filtering, so include in the conf the following:
use_bayes 1
bayes_file_mode 0700
bayes_path /var/spamd/.spamassassin/bayes
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam 0.1
bayes_auto_learn_threshold_spam 8.0
use_auto_whitelist 1
In my case I use the /var/spamd/.spamassassin directory for the Bayesian filter files; you might prefer a different location, but if you want to use the same directory as me, create the directories and files as shown below:
debian-server# mkdir -p /var/spamd/.spamassassin/
debian-server# touch /var/spamd/.spamassassin/bayes_{seen,toks} /var/spamd/.spamassassin/bayes
debian-server# chown -R vpopmail:vchkpw /var/spamd/
Note that in the above example I use the user and group vpopmail:vchkpw because my spamassassin runs under that uid and gid; if yours runs under a different uid and gid, change the commands accordingly (the bayes_* files must be readable and writable by the user spamd runs as, otherwise Bayes cannot open its databases and the BAYES_* rules never fire).
5. Next we need to download and install the required DCC (Distributed Checksum Clearinghouses) binaries. Regrettably no Debian package is available, so we compile and install it from source (the directory name carries the version the tarball contained at the time of writing, 1.3.120; adjust it to whatever you download):
debian-server# wget http://www.rhyolite.com/dcc/source/dcc.tar.Z
debian-server# tar -zxvf dcc.tar.Z
debian-server# cd dcc-1.3.120/
debian-server# ./configure && make && make install
debian-server# cdcc info > /var/dcc/map.txt
debian-server# chmod 0600 /var/dcc/map.txt
debian-server# rm /var/dcc/map
debian-server# cdcc "new map; load /var/dcc/map.txt"
debian-server# cdcc "delete 127.0.0.1"
The last four cdcc commands rebuild the server map without the localhost entry, so that dccproc queries the public DCC servers instead of a local dccd you are not running.
6. Again we have to edit /etc/mail/spamassassin/local.cf and include in it:
use_dcc 1
dcc_timeout 8
dcc_home /var/spamd/
dcc_path /usr/local/bin/dccproc
add_header all DCC _DCCB_: _DCCR_
7. Last, I include a few configuration options I find handy. These are not required for Pyzor, Razor and DCC to work, so it's entirely up to you whether you want them. Note that rewrite_subject and subject_tag are SpamAssassin 2.x directives that no longer exist in 3.x (the version shipped with Lenny); the 3.x way to tag the subject is a single rewrite_header Subject line:
rewrite_header Subject [SPAM found in message]
dns_available yes
ok_locales all
add_header spam Flag _YESNOCAPS_
report_safe 1
Herein I also include a link to my whole local.cf spamassassin configuration file, in the hope that it's easier to check the above directives directly in the conf.
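A mistake that is easy to make with the steps above is to set use_dcc, use_pyzor or use_razor2 in local.cf while the matching loadplugin line in v310.pre stays commented out; SpamAssassin then logs "config: failed to parse line" for the switch and the check silently never runs. The following is an added example (not code from the original post) that lints for exactly that. LOCAL_CF, GOOD_PRE and BROKEN_PRE are constructed samples built from the directives above, with the Razor2 loadplugin line deliberately commented out in BROKEN_PRE.

```shell
#!/bin/sh
# Added example, not code from the original post: lint a spamassassin local.cf
# against the .pre file for use_* switches whose plugin is not loaded.
# LOCAL_CF, GOOD_PRE and BROKEN_PRE are constructed samples; BROKEN_PRE has the
# Razor2 loadplugin line commented out on purpose.

LOCAL_CF='use_razor2 1
razor_config /etc/razor/razor-agent.conf
use_pyzor 1
pyzor_path /usr/bin/pyzor
use_dcc 1
dcc_path /usr/local/bin/dccproc'

GOOD_PRE='loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2'

BROKEN_PRE='loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
#loadplugin Mail::SpamAssassin::Plugin::Razor2'

# Map a use_* switch to the plugin that defines it; fail for other switches.
plugin_for() {
    case "$1" in
        use_dcc)    echo Mail::SpamAssassin::Plugin::DCC ;;
        use_pyzor)  echo Mail::SpamAssassin::Plugin::Pyzor ;;
        use_razor2) echo Mail::SpamAssassin::Plugin::Razor2 ;;
        *)          return 1 ;;
    esac
}

# Succeed if .pre text $2 has an uncommented loadplugin line for plugin $1.
plugin_loaded() {
    printf '%s\n' "$2" | grep -E "^[[:space:]]*loadplugin[[:space:]]+$1([[:space:]]|\$)" >/dev/null
}

# Arguments: local.cf text, .pre text. Print one FINDING per enabled network
# check whose plugin is not loaded; return the number of findings.
lint_sa_config() {
    findings=0
    for sw in $(printf '%s\n' "$1" | sed -n -E 's/^[[:space:]]*(use_[a-z0-9]+)[[:space:]]+1[[:space:]]*$/\1/p'); do
        plugin=$(plugin_for "$sw") || continue
        if ! plugin_loaded "$plugin" "$2"; then
            echo "FINDING: $sw 1 is set but $plugin is not loaded in any .pre file"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Print a FINDING for each dcc_path/pyzor_path in local.cf text $1 that is not
# an executable file on this machine.
check_helper_paths() {
    printf '%s\n' "$1" | sed -n -E 's/^[[:space:]]*(dcc_path|pyzor_path)[[:space:]]+//p' |
    while read -r p; do
        [ -x "$p" ] || echo "FINDING: helper $p is missing or not executable"
    done
}

lint_sa_config "$LOCAL_CF" "$GOOD_PRE"   && echo "good .pre: no findings"
lint_sa_config "$LOCAL_CF" "$BROKEN_PRE" || echo "broken .pre: $? finding(s)"
check_helper_paths "$LOCAL_CF"
```

On the real server, feed it the files rather than the samples: lint_sa_config "$(cat /etc/mail/spamassassin/local.cf)" "$(cat /etc/mail/spamassassin/*.pre)". SpamAssassin's own spamassassin --lint reports the same unparsed lines, but does not tell you which plugin you forgot.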
Sat Mar 13 13:04:33 EET 2010
Nanoblogger Yahoo Search Field Plugin (yahoo.sh) download / install and how to properly escape code in nanoblogger
For some time I've been trying to set up a Yahoo Search Field on my nanoblogger without success. I also have difficulties every now and then with escaping source code whenever I decide to drop it into my nanoblogger. Knowing that the official nanoblogger page has the Yahoo search up and running next to the Google search, and considering that I couldn't find any tutorial or instructions either on nanoblogger's official webpage or anywhere else on the searchable internet, I decided to mail nanoblogger's author to ask if he could help me set up this Yahoo Search Field plugin, and what I can do to escape code properly without breaking the blog. I explained that I had already tried a bunch of things without success. Below you'll find my correspondence with Kevin Wood (nanoblogger's author):
Date: Mon, 22 Feb 2010 17:09:58 +0200
From: "G. Georgiev" myemail@gmail.com
User-Agent: Mozilla-Thunderbird 2.0.0.22 (X11/20091109)
To: n1xt3r@fastmail.fm
Subject: 2 questions concerning nanoblogger
Hi man,
First Thanks for the wonderful soft.
I have two questions.
1. Where can I get the yahoo.sh script which is used on http://nanoblogger.sourceforge.net ?
2. Whenever I try to post code that needs to be escaped, let's say apache directives, an error occurs during generation of the blog and I cannot seem to get the post online.
How can I get through that?
Thanks in advance.
Kindest Regards
Georgi
Date: Sat, 27 Feb 2010 20:46:34 -0500
From: Kevin Wood kevinw@fastmail.fm
To: "G. Georgiev" myemail@gmail.com
Subject: Re: 2 questions concerning nanoblogger
User-Agent: Mutt/1.5.20 (2009-06-14)
Hi Georgi,
Attached is my yahoo.sh plugin. Just drop it in your plugins directory and add $NB_Yahoo to your main_index.htm template. In order to work, it expects that you have BLOG_FEED_URL set in blog.conf.
You should use the markdown.sh plugin to post escaped HTML code. When editing your entry you can add markdown to the FORMAT field. Oh, the markdown plugin requires that you have Markdown installed on your system and you may have to tweak MARKDOWN_CMD and MARKDOWN_OPTS in your blog.conf before it will work. Good luck!
From http://daringfireball.net/projects/markdown/basics
Kevin
Now here is the yahoo.sh nanoblogger yahoo search plugin that Kevin sent me.
After putting it in my nanoblogger plugins directory and enabling BLOG_FEED_URL, now all works like a charm.
Fri Mar 12 17:33:49 EET 2010
Reset Windows (NT, 2000, XP, Vista and Windows 7) password / Reset Windows Forgotten Password / Reset Windows Administrator password
Recently I was in Pomorie's Monastery, St. George.
One layman left his notebook (maybe as a donation) to the monks. However the notebook was protected by both: fingerprint check, as well as administrator password and therefore the notebook was completely unusable and was thrown away with many other unused belongings.
When the abbot of the monastery found out I'm adept with computers, he asked if I can fix up the notebook and somehow remove the password, or reinstall the machine to make it usable.
So here I decided to blog what I undertook to reset the windows password with the hope somebody else could benefit from that as well.
1. Go to Offline NT Password & Registry Editor, Bootdisk / CD website
2. Download the bootable CD image zip archive of Offline NT Password & Registry Editor and burn the ISO to a CD using K3b (on Linux) or Nero or CDBurnerXP (on Windows).
3. Follow the step by step walkthrough manual (here) to either change some Windows user's password or completely reset the administrator's or any other user's password.
Following the walkthrough literally proved quite successful for me and I was able to reset the administrator password properly!
So Hooray it works again! The monks can now benefit of the cute Toshiba satellite machine.
Thu Mar 11 13:48:48 EET 2010
Ubunchu - The world's first? romantic school comedy (A Linux Related Manga Magazine)
I came across a nice Linux-related manga called Ubunchu. It's a short story about a few kids who are members of a PC geek club. The three kids start installing Ubuntu and get into the usual quarrels about which Linux distribution is better and whether Linux is ready for the desktop yet. Download and read the mirrored copies of all Ubunchu comics so far below:
Ubunchu Linux Comics Magazine - Vol. 1
Ubunchu Linux Comics Magazine - Vol. 2
Ubunchu Linux Comics Magazine - Vol. 3
Ubunchu Linux Comics Magazine - Vol. 4
Ubunchu Linux Comics Magazine - Vol. 5
Thu Mar 4 23:35:26 EET 2010
Howto install FuzzyOcr on Debian 5.0 (Lenny) / FuzzyOCR install tutorial on Debian Linux
Recently, I had the task of installing FuzzyOCR on Debian Lenny in order to reduce the amount of "image spam" delivered to end users. Since there is no official install tutorial for Debian users, I decided to write this one in the hope that it might be useful for others.
Here are a few lines explaining what FuzzyOCR is:
FuzzyOcr is a plugin for SpamAssassin which is aimed at unsolicited bulk mail (also known as "spam") containing images as the main content carrier. Using different methods, it analyzes the content and properties of images to distinguish between normal mails (ham) and spam mails. The methods mainly are:
Now I won't get into details anymore and I'll get you to the concrete packages and configurations I've done in order to have the software up and running.
1. Install required debian packages
debian-server# apt-get install netpbm gocr giftext giflib-tools libungif-bin \
  libpng3 libungif4g gifsicle ocrad \
  libstring-approx-perl libmldbm-perl libmldbm-sync-perl \
  liblog-agent-perl libpng12-dev libtiff4-dev libsvga1-dev libx11-dev
2. Download latest version of FuzzyOCR
debian-server# wget http://users.own-hero.net/~decoder/fuzzyocr/fuzzyocr-3.6.0.tar.gz
debian-server# tar -zxvf fuzzyocr-3.6.0.tar.gz
debian-server# cd FuzzyOcr-3.6.0/
3. Copy the FuzzyOCR configuration and plugin files from the extracted source directory into /etc/mail/spamassassin/
debian-server# cp -rpf FuzzyOcr.scansets /etc/mail/spamassassin/
debian-server# cp -rpf FuzzyOcr.preps /etc/mail/spamassassin/
debian-server# cp -rpf FuzzyOcr.pm /etc/mail/spamassassin/
debian-server# cp -rpf FuzzyOcr/ /etc/mail/spamassassin/
debian-server# cp -rpf FuzzyOcr.cf /etc/mail/spamassassin
4. Create some log files and files in order to use FuzzyOCR with a hashing database.
debian-server# touch /var/log/qmail/FuzzyOcr.log
debian-server# chown vpopmail:vchkpw /var/log/qmail/FuzzyOcr.log
debian-server# touch /etc/mail/spamassassin/FuzzyOcr.db
debian-server# chown vpopmail:vchkpw /etc/mail/spamassassin/FuzzyOcr.db
debian-server# touch /etc/mail/spamassassin/FuzzyOcr.safe.db
debian-server# chown vpopmail:vchkpw /etc/mail/spamassassin/FuzzyOcr.safe.db
5. Edit FuzzyOcr configuration files.
debian-server# vim /etc/mail/spamassassin/FuzzyOcr.cf
You need to put the following directives in there:
focr_enable_image_hashing 2
focr_db_hash /etc/mail/spamassassin/FuzzyOcr.db
focr_db_safe /etc/mail/spamassassin/FuzzyOcr.safe.db
focr_db_max_days 15
Now there are a few more things that need to be done before we have a complete install, i.e. we need to compile netpbm from source, because three of the binary executables required by FuzzyOcr are for some reason not bundled with the Debian Lenny netpbm package.
So first we download and untar the latest version of netpbm (the ?use_mirror= part of the URL is only a SourceForge mirror selector, so give wget an explicit output file name):
debian-server# wget -O netpbm-10.35.73.tgz "http://downloads.sourceforge.net/project/netpbm/super_stable/10.35.73/netpbm-10.35.73.tgz?use_mirror=sunet"
debian-server# tar -zxvf netpbm-10.35.73.tgz
We need to have the following "hack" in order to have the source compile properly:
debian-server# mkdir -p /usr/X11R6/lib
debian-server# ln -sf /usr/lib/libX11.so /usr/X11R6/lib/libX11.so
Next we configure, compile and install netpbm. The netpbm tree does not follow the usual autotools flow: its configure script is interactive (the defaults are fine here), and its documented install route is make package followed by the installnetpbm script, which asks where the binaries should go. Make sure the directory you choose for the binaries is on the PATH of the user spamassassin runs as, otherwise FuzzyOcr will not find them:
debian-server# cd netpbm-10.35.73
debian-server# ./configure
debian-server# make
debian-server# make package pkgdir=/tmp/netpbm
debian-server# ./installnetpbm
If it happens that your build fails during the make, use the apt-file program to determine which Debian package contains the missing header file that caused the failure (apt-get install apt-file; apt-file update; apt-file search name-of-header.h).
Next we proceed with the installation of tesseract. Tesseract is one of the best open source OCR engines available nowadays, so we download and install it:
debian-server# wget http://tesseract-ocr.googlecode.com/files/tesseract-2.04.tar.gz
debian-server# tar -zxvf tesseract-2.04.tar.gz
debian-server# cd tesseract-2.04
debian-server# ./configure && make && make install
In order to load FuzzyOcr into spamassassin we have to restart spamassassin:
debian-server# /etc/init.d/spamassassin restart
Note: if you have spamassassin running under djb daemontools, restart it with the svc command instead, e.g. svc -t /service/spamd (adjust the service directory to your setup).
The last thing we do is check whether FuzzyOcr is correctly loaded and checking against image spam when new messages arrive, so here is how:
Change back to your FuzzyOcr-3.6.0/ directory and run spamassassin over one of the bundled samples:
debian-server# cd FuzzyOcr-3.6.0/
debian-server# cd samples
debian-server# spamassassin --debug FuzzyOcr < ocr-animated.eml >/dev/null
Check the lines related to FuzzyOcr; you should have some lines in the output reporting that FuzzyOcr has found spam in the ocr-animated.eml file.
Another possible approach to test what is happening in spamassassin is to use:
debian-server# spamassassin -D
The above command will provide you with information about spamassassin in real time.
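Reading the --debug stream by eye works once, but for a repeatable check it is easier to ask SpamAssassin's own X-Spam-Status header which rules hit. The following is an added example (not code from the original post or from FuzzyOcr) that does this. The check is generic: it is used here for FUZZY_OCR, the rule FuzzyOcr.cf defines, and it works just as well for the DCC_CHECK, PYZOR_CHECK and RAZOR2_CHECK tests from the spamassassin post above. SAMPLE_HEADERS is a constructed header block, folded the way SpamAssassin writes it; the live run at the end assumes you are in the FuzzyOcr-3.6.0/samples directory and that spamassassin is installed.

```shell
#!/bin/sh
# Added example, not code from the original post: report which SpamAssassin
# rules fired for a message by parsing its X-Spam-Status header.
# SAMPLE_HEADERS is a constructed header block with a folded continuation line
# (leading whitespace), exactly how SpamAssassin emits long tests= lists.

SAMPLE_HEADERS='X-Spam-Flag: YES
X-Spam-Status: Yes, score=12.3 required=5.0 tests=DCC_CHECK,FUZZY_OCR,
	HTML_IMAGE_ONLY_20,HTML_MESSAGE autolearn=spam version=3.2.5
X-Spam-Level: ************'

# Join folded continuation lines so that each header occupies one line.
unfold_headers() {
    sed -e :a -e '$!N; s/\n[[:space:]][[:space:]]*/ /; ta' -e 'P;D'
}

# Print the score= value from the (unfolded) X-Spam-Status header on stdin.
spam_score() {
    sed -n 's/^X-Spam-Status: .*score=\([0-9.-]*\).*/\1/p' | head -n 1
}

# Succeed if rule $1 is in the tests= list of the unfolded headers on stdin.
# Spaces after commas are dropped first, since unfolding leaves one behind.
rule_fired() {
    sed 's/, */,/g' | grep -E "^X-Spam-Status:.*tests=([^ ]*,)?$1(,| |\$)" >/dev/null
}

# Arguments: a space-separated rule list, a header block (folded or not).
# Print fired/not fired per rule plus the score; return the number not fired.
rules_fired() {
    hdrs=$(printf '%s\n' "$2" | unfold_headers)
    missing=0
    for r in $1; do
        if printf '%s\n' "$hdrs" | rule_fired "$r"; then
            echo "$r: fired"
        else
            echo "$r: not fired"
            missing=$((missing + 1))
        fi
    done
    echo "score: $(printf '%s\n' "$hdrs" | spam_score)"
    return $missing
}

# Offline demonstration on the constructed header.
rules_fired "FUZZY_OCR DCC_CHECK PYZOR_CHECK RAZOR2_CHECK" "$SAMPLE_HEADERS" \
    || echo "$? rule(s) did not fire"

# Live run on the bundled sample, only if spamassassin is installed and the
# file is in the current directory (FuzzyOcr-3.6.0/samples). The debug output
# goes to a log file; only the header block (up to the first blank line) of
# the rewritten message is handed to rules_fired.
if command -v spamassassin >/dev/null 2>&1 && [ -f ocr-animated.eml ]; then
    spamassassin -D FuzzyOcr < ocr-animated.eml 2>/tmp/focr-debug.log \
        | sed '/^$/q' | rules_fired FUZZY_OCR "$(cat)"
fi
```

If FUZZY_OCR reports "not fired" on the sample while /tmp/focr-debug.log shows FuzzyOcr lines, the plugin loaded but one of its helper binaries (the netpbm tools or tesseract) is missing from the PATH of the user running spamassassin; if there are no FuzzyOcr lines at all, the .cf and .pm files were not picked up from /etc/mail/spamassassin.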
This article is pretty much in a beta stage, I'll be glad of any feedback on it so I can advance it!
Thanks for reading!