March 2010 Archives

Wed Mar 31 16:37:42 EEST 2010

Howto resolve issues with "Call to undefined function xslt_create()" and my QmailAlizer bitter experience / IsoqLog a good alternative to QmailAlizer

Today I decided to install some software that would report statistics for Qmail in a web interface.
In other words, I wanted web-based qmail statistics reporting the sent and received emails per domain name from Vpopmail.
Some time ago I used a project called qmailalizer. I modified it a bit back then because its whole interface was in German and the install was hell, so I added a little install.sh script that simplifies the installation of qmailalizer.
Therefore I decided to install and test the software on a Debian 2.6.26-2-amd64 (64 bit) platform. The build failed of course, so I needed to install some packages containing the header files required by the qmailalizer source code. These are:

debian:~# apt-get install libgd2-xpm-dev libxml2-dev libxslt1-dev php5-xsl \
sablotron libsablot0


Hopefully your build won't fail afterwards, but once you install the software you're about to face another unsavoury error, caused by the old PHP code, which was written to run on top of PHP4, while these days most of us use PHP5 on our Debians. So whenever I tried to access qmailalizer I received the ugly PHP error:

Call to undefined function xslt_create()

In order to fix that error I used code from a nice article by Alexandre Alapetite titled XSL transition from PHP4 xslt to PHP5 xsl. All that is necessary to weed out the error is:

Copy and paste the following code:

if ((PHP_VERSION>='5')&&extension_loaded('xsl'))
require_once('xslt-php4-to-php5.php');


inside the php that breaks with the error "Call to undefined function xslt_create()"

And then download xslt-php4-to-php5.php and save the file with a php extension.
That's it, now your "Call to undefined function xslt_create()" shouldn't bug you any more.

Now back to qmailalizer. Though I was able to successfully compile qmailalizer, I couldn't make the qmailalizer binary work. Whenever I execute the qmailalizer binary it crashes with a Segmentation fault like this:

debian:~# qmailalizer
Qmailalizer version 0.32, Copyright (C) 2001 Wolfgang Pichler
I/O warning : failed to load external entity "/var/www/qmailalizer/results.xml"
Parsing file ....
Parsing file: @400000004bb33dfc09e78f84.s
Segmentation fault


I tried to debug what exactly produces the segmentation fault in qmailalizer using strace. All I could find out was that it has something to do with /etc/localtime.
A bit of googling revealed that Debian has an issue with the rrdtool binary package compiled for 64 bit architectures that dates back to 2007.
The exact thread concerning rrdtool and a 64 bit architecture can be read here.
This bug report advises recompiling rrdtool with a change to CFLAGS in debian/rules from the Debian rrdtool source package, where the change should be as follows:

Change CFLAGS in debian/rules from
CFLAGS := -O2
to
CFLAGS := -g3 -ggdb3


I experimented with changing the CFLAGS compile-time options in the source of qmailalizer but that didn't do any good.

I've decided to drop qmailalizer for the moment and use its substitute called isoqlog. The main motive to drop qmailalizer, though I really like this piece of archaic software, is that it has not been supported since 2004.
Luckily isoqlog is a supported piece of software and is capable of producing most of the reports produced by qmailalizer, if not all of them.
So in case you're looking for good alternatives to QmailAlizer you should definitely check isoqlog.
Another possibility to calculate and report from your qmail logfiles is awstats. I've found the following article called Calculate Statistics From your Qmail logfiles an interesting read and a good learning point.
Hope it's gonna be helpful for you too. Maybe I'm gonna try a bit more to fix up the broken isoqlog but it depends if I'll have enough time.
If I eventually succeed and fix it, I'll share the working copy of qmailalizer with the world.

Posted by hip0 | Permanent link

Tue Mar 30 09:28:23 EEST 2010

Howto resolve issues with gmplayer errors "[AO_ALSA] Unable to find simple control 'PCM',0"

It's really easy to solve: all you need to do is open gmplayer,
go to gmplayer's Preferences -> Audio and tick
Enable Software Mixer. That's it, you shouldn't experience the problem any longer :)

Posted by hip0 | Permanent link

Mon Mar 29 18:21:16 EEST 2010

Few MySQL helpful commands in MySQL maintenance (MySQL rename Table, Empty MySQL Table Contents / Null Table records, Get info about variables in a Table, Change record in existing MySQL table, Get MySQL table privileges info, Some basic commands for MySQL issues debugging)

These days I'm playing with MySQL, trying out stuff. I decided it could be helpful to somebody to share a few things I learned.
So there we go:
1. To rename an existing MySQL table

RENAME TABLE old_table_name to new_table_name;


2. To completely wipe out the content of an existing Table in MySQL

TRUNCATE TABLE table_name;


table_name = your table name to truncate

3. To RENAME column name in MySQL to another one

ALTER TABLE your_table_name CHANGE current_column_name new_column_name VARCHAR(100);


Note that in the above example to rename column in MySQL you should always specify the new column variable type e.g. VARCHAR(100)
or anything else you like.

4. To get information about a table e.g. variables and their type in a MySQL table

DESCRIBE table_name;


5. To change some Value in a Column to another one based on another value

UPDATE table_name SET column_name='Lecturer' WHERE other_column_name='some_value';


Here:
column_name = is your column name
other_column_name = is some other column_name which you're going to search in for a certain some_value content

6. To get thorough information about a MySQL table, its variables and the privileges

SHOW FULL COLUMNS from Table;


Here Table should be your table name.

7. To get information about privileges of some mysql user

SHOW GRANTS FOR your_user@host;


8. To create new user and grant certain privileges to some Database

grant CREATE,INSERT,DELETE,UPDATE,SELECT on database_name.* to username@localhost;
set password for username@localhost = password('mysecretpassword');

Where:
database_name = is your desired database
username = is your user of choice
CREATE,INSERT,DELETE,UPDATE,SELECT = is your preferred privileges to the database_name for the selected username

In case you want to grant all possible user privileges that could be assigned to a table use the following code:

GRANT ALL ON database_name.* TO username identified by 'mysecretpassword' with grant option;


9. Another few really helpful commands on a daily basis whenever you're responsible for a MySQL server are:

SHOW warnings;


Which is always helpful in debugging in MySQL.

And:

SHOW status;


SHOW processlist;


Those two will inform you about the status of various key variables and could also be a precious debugging tool.


Posted by hip0 | Permanent link

Fri Mar 26 16:47:19 EET 2010

Auto insert password for a Trusted SSL Certificate / Automatically enter password for an SSL Certificate during Apache startup on Debian Lenny

I've recently installed a Trusted certificate, which I had previously protected with a pass-phrase, on an Apache server running on top of Debian in order to have better security.
Now every time I restart Apache it's pretty annoying and impractical at the same time to enter the passphrase assigned to the SSL certificate.
It's also dangerous, because if Apache crashes and tries to resurrect itself by restarting, it might not start up again.
Another unpleasant possible scenario is if, for example, one of the PHP developers changes something minor in some VirtualHost and afterwards restarts Apache for the new configuration to take effect; again Apache won't come up and chaos would emerge.
So I decided to configure my Apache so that it auto-fills the passphrase each time it's started or restarted. To do that I consulted some online resources and ended up redirected by a blog post to the mod_ssl ssl_reference web page.
There is plenty of stuff in that document, however in my case all I needed was one directive in /etc/apache2/mods-available/ssl.conf :

SSLPassPhraseDialog exec:/etc/apache2/mods-available/passphrase


The above code must replace:

SSLPassPhraseDialog builtin


Now last step is to prepare the /etc/apache2/mods-available/passphrase .
Make sure the file has the following content:

#!/bin/sh
echo "yoursecretpassword"


Replace yoursecretpassword above with your configured passphrase.
Also please make sure /etc/apache2/mods-available/passphrase has properly set permissions. In my case I've set the following permissions for the file:

debian:~# chown www-data:www-data /etc/apache2/mods-available/passphrase
debian:~# chmod 700 /etc/apache2/mods-available/passphrase


That should be it. Restart Apache and make sure Apache loads properly without any SSL passphrase prompts.
However, keep in mind that having the passphrase supplied automatically when Apache starts is much more insecure than typing it in every time you restart Apache, because the passphrase now sits in a file.
For instance, if a hacker breaks into your server he might be able to steal your SSL certificate as well as the passphrase file.
And surely this is something you don't want. Anyway, flexibility has a price, and if you decide to go the way described, please note the risk first.
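
An added example (not from the original post) that audits ownership and mode of the passphrase helper and of every key-bearing file an Apache SSL config points at; it goes beyond the passphrase script by also covering SSLCertificateKeyFile and .pem bundles. It assumes GNU stat and that these files should belong to uid 0, since mod_ssl runs the helper and reads the keys at startup, before the worker processes switch to www-data; the demo paths and file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the files that hold TLS
# secrets for Apache: the passphrase helper and any file with a private key.
# Assumption: secrets should be owned by uid 0 (root) with no group/other bits.

# Print paths of secret-bearing files referenced by the Apache config CONF.
# (Sketch: paths containing whitespace are not handled.)
secret_paths() {
    awk '
        tolower($1) == "sslcertificatekeyfile" { print "key:" $2 }
        tolower($1) == "sslpassphrasedialog" && $2 ~ /^exec:/ { print "key:" substr($2, 6) }
        tolower($1) == "sslcertificatefile" { print "crt:" $2 }
    ' "$1" | while IFS= read -r entry; do
        path=${entry#*:}
        case $entry in
            key:*) printf '%s\n' "$path" ;;
            crt:*) # a .pem bundle (key and certificate in one file) counts too
                   if grep -q 'PRIVATE KEY-----' "$path" 2>/dev/null; then
                       printf '%s\n' "$path"
                   fi ;;
        esac
    done
}

# Succeed when FILE is owned by WANT_UID and grants nothing to group or others.
# Prints one finding per problem.
audit_secret() {
    file=$1 want_uid=$2 rc=0
    info=$(stat -c '%u %a' "$file" 2>/dev/null) || { echo "$file: cannot stat"; return 2; }
    uid=${info% *} mode=${info#* }
    if [ "$uid" != "$want_uid" ]; then
        echo "$file: owned by uid $uid, expected uid $want_uid"; rc=1
    fi
    case $mode in
        *00|0) ;;                                   # 700, 600, 400 ...
        *) echo "$file: mode $mode lets group/others in"; rc=1 ;;
    esac
    return $rc
}

# Audit every secret-bearing file referenced by CONF; non-zero on any finding.
audit_conf() {
    conf=$1 owner_uid=${2:-0} bad=0
    for f in $(secret_paths "$conf"); do
        audit_secret "$f" "$owner_uid" || bad=1
    done
    return $bad
}

# --- demo on constructed files (placeholders, not real key material) ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
printf '#!/bin/sh\necho "constructed-passphrase"\n' > "$DEMO/passphrase"
chmod 700 "$DEMO/passphrase"
cat > "$DEMO/www.domain.com.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
EOF
chmod 644 "$DEMO/www.domain.com.pem"      # world-readable bundle
cat > "$DEMO/ssl.conf" <<EOF
SSLEngine on
SSLPassPhraseDialog exec:$DEMO/passphrase
SSLCertificateFile $DEMO/www.domain.com.pem
EOF

# The sample files belong to whoever runs the demo; on a server pass 0 (root).
audit_conf "$DEMO/ssl.conf" "$(id -u)" || echo "=> tighten the files listed above"
chmod 600 "$DEMO/www.domain.com.pem"
audit_conf "$DEMO/ssl.conf" "$(id -u)" && echo "=> clean after chmod 600"
```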

Posted by hip0 | Permanent link

Fri Mar 26 14:43:39 EET 2010

Fix to "Init: Private key not found" whenever trying to configure Apache to run with a Trusted SSL Certificate issued from RapidSSL

Yesterday I had to fight for a while before I could properly install a Trusted SSL certificate issued by RapidSSL.
The problem persisted for a couple of hours before I realized it was caused by myself.
So here is the error I encountered in my Apache error.log.


[Thu Mar 25 09:29:41 2010] [error] Init: Private key not found
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib


It took me a couple of hours of futile attempts to fix the error.
Anyway, I'll try to explain in a few words some of the things I tried, mostly following suggestions from web forums and other blogs that claimed to have found the cornerstone that drove Apache off the track.

1. I checked if the .PEM certificate files are readable by all users including www-data (since I'm running Apache on Debian).

It's best if your .pem file permissions are set like:

-rw-r--r-- 1 www-data www-data 3158 2010-03-25 11:07 /etc/apache2/ssl/www.domain.com.pem

2. I tried to hand out the .CRT file and the .KEY file from Apache directives as shown below:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key


3. I tried modifying /etc/apache2/mods-enabled/ssl.conf

There I attempted to change:

SSLProtocol all -SSLv2
to
SSLProtocol all

This attempt wasn't helpful either.

4. I tried Removing the encryption from the RSA private key (while preserving the original file)

debian:~# cp -rpf /etc/apache2/ssl/www.domain.com.key /etc/apache2/ssl/www.domain.com.key.orig
debian:~# /usr/bin/openssl rsa -in /etc/apache2/ssl/www.domain.com.key.orig -out /etc/apache2/ssl/www.domain.com.key


So decrypting the RSA private key from its DES3 encryption and passing it to the Apache webserver didn't change anything.
Whenever I restarted Apache it refused to run once again, though I was not asked for a passphrase after trying the above code.

Since all of the above failed I also tried checking if the .csr, the .crt and .key files aren't broken or something.

debian:~# /usr/bin/openssl x509 -noout -modulus -in /etc/apache2/ssl/www.domain.com.crt
debian:~# /usr/bin/openssl rsa -noout -modulus -in /etc/apache2/ssl/www.domain.com.key
debian:~# /usr/bin/openssl req -noout -modulus -in /etc/apache2/ssl/www.domain.com.csr


I checked the output from the above commands and compared the output for Modulus.
If everything is okay with your .key, .csr and .crt files then the result for Modulus from the above commands should be equal.
This proved there is no match in the modulus between the www.domain.com.crt and the www.domain.com.key.
This gave me the idea that probably something is wrong with the www.domain.com.key and it's not the same file I used to generate the .csr (Certificate Signing Request) file.
I checked and realized that all the time I was using a .key file from my notebook Desktop, and the file from my notebook Desktop is not the original file from the server.
So I immediately jumped to the server via ssh and replaced the inappropriate .key file I had stored in /etc/apache2/ssl/www.domain.com.pem with the correct one.

Now after restarting the webserver, all worked like a charm! Praise God :)
This experience is another good example that the simplest human mistakes create the biggest problems, which are also the hardest to track.
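
The modulus comparison described above as a script, an added example that is not part of the original post: it hashes the modulus of the key, the CSR and the certificate and reports whether they belong together, treating an unreadable file as an error rather than a match. The file names and the CN are constructed sample values, and unencrypted RSA keys are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: check that a private key, a CSR
# and a certificate carry the same RSA modulus before pointing Apache at them.

# Print a SHA-256 digest of the RSA modulus in FILE. KIND is key, csr or crt.
# Returns 1 when openssl cannot parse the file, so that two broken files
# never compare as "equal". (An encrypted key would need its passphrase.)
modulus_digest() {
    case $1 in
        key) mod=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) ;;
        csr) mod=$(openssl req  -noout -modulus -in "$2" 2>/dev/null) ;;
        crt) mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) ;;
        *)   return 2 ;;
    esac || return 1
    [ -n "$mod" ] || return 1
    printf '%s\n' "$mod" | openssl sha256 | awk '{print $NF}'
}

# same_keypair KEY CSR CRT
# 0 = all three share one modulus, 1 = mismatch, 2 = a file could not be read.
same_keypair() {
    k=$(modulus_digest key "$1") || { echo "unreadable key: $1" >&2; return 2; }
    r=$(modulus_digest csr "$2") || { echo "unreadable CSR: $2" >&2; return 2; }
    c=$(modulus_digest crt "$3") || { echo "unreadable certificate: $3" >&2; return 2; }
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Build constructed sample material in DIR: server.key/.csr/.crt belong
# together, notebook.key is an unrelated key (the mix-up from the post).
make_samples() {
    dir=$1
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
    openssl genrsa -out "$dir/notebook.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/server.key" -subj "/CN=www.domain.com" \
        -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" 2>/dev/null
}

# --- demo ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_samples "$WORK"

if same_keypair "$WORK/server.key" "$WORK/server.csr" "$WORK/server.crt"; then
    echo "server.key matches the CSR and the certificate"
fi
if ! same_keypair "$WORK/notebook.key" "$WORK/server.csr" "$WORK/server.crt"; then
    echo "notebook.key does NOT match: wrong key file"
fi
```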

Posted by hip0 | Permanent link

Thu Mar 25 20:42:28 EET 2010

Howto install GeoTrust RapidSSL certificate on Debian Lenny 5.0

I faced the task of generating official Validated SSL Certificates in my daily duties as a System Administrator at cadiaholding.com . Though generating a self-signed SSL certificate is a comparatively easy task, it was a pain in the ass setting up Apache version 2.2.9-10+lenny6 to correctly serve pages through the https:// protocol over openssl version 0.9.8g-15+lenny6. I'll try to go through the whole process of generating the certificate in order to help other Debian users out there face fewer setbacks in such a simple task as installing a Trusted SSL Certificate issued (bought) by RapidSSL. Even though this article mostly deals with an SSL certificate issued by RapidSSL, it should not be a problem to apply this methodology with Verisign or some of the other Geotrust issued Secure Socket Layer certificates.
In generating the Validated certificate I used enom, which is a domain name, SSL certificate, email and hosting wholesaler.
On enom's website, after logging in and using the web interface, there are two major things you are required to fill in in order to issue your Trusted SSL certificate.

1. Fill in a CSR file in a form; this is usually generated on the Linux server using openssl.
To issue the CSR file required by Enom use the following commands:

a. First we generate a DES3-encrypted RSA key, which we will use next to generate the openssl CSR file required by Enom.
debian:~# /usr/bin/openssl genrsa -des3 -out www.domain.com.key 2048
Enter pass phrase for www.domain.com.key:


You'll be required to enter a pass-phrase that will later be required before the Apache server starts or restarts, so make sure you enter something you either remember or keep stored in a file.
You also have to change www.domain.com.key in accordance with your domain name.
Now that we have a properly generated DES3 RSA key, it's necessary to generate the CSR file with the openssl command line frontend.
So here is how:

debian:~# /usr/bin/openssl req -new -key /home/hipo/www.domain.com.key -out /home/hipo/www.domain.com.csr


Again, in the above example change all the paths and file names as you wish.
You will need to answer a number of questions related to the Certificate Signing Request.
Here I'll list what kind of prompts will appear after executing the above command:

Enter pass phrase for /home/hipo/www.domain.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


Note that you'll have to fill in the pass phrase previously entered during the generation of the www.domain.com.key file.
In case you'd like to read more thoroughly on the subject of how to create a Certificate Signing Request (CSR), you can read About Certificate Signing Request (CSR) Generation Instructions - Apache SSL.



2. Hopefully, following the above instructions you'll now have a file named www.domain.csr. Just open the www.domain.csr and copy and paste its content into the ENOM website CSR * webform.

3. Further on, select your Webserver type on Enom's website: in our case we have to select Apache + ApacheSSL

4. What follows next is filling in your company contact information. This is also required for proper certificate generation. Think twice before you fill in this data; note that it can't be changed later on without issuing a brand new SSL certificate.

Apart from the 3 major requirements above to fill in on Enom, there are a few more radio buttons for making some selections according to your personal preferences; however I won't take time to dig into that and I'll leave this to you.
After all the above is fulfilled you'll have to submit your certificate details and choose an email address at which you will receive, within a minute, a RapidSSL Certificate Request Confirmation.
Following a link from the email will show you some basic information about the certificate about to be generated. That's your final chance to cancel the issued Trusted Certificate.
If you're absolutely sure the information about to enter the certificate is correct, then you'll have to follow a link and approve the certificate.

You'll be informed that you'll receive your certificate either through the Certifier website (e.g. Enom's website) or via another email.
I thought it more probable that I would receive it via email, but I was wrong. More than 4 hours have passed since the certificate was issued and became available via Enom's interface, but I haven't received anything in my mail.
Therefore my friendly advice is to check for your brand new shiny Trusted Certificate on Enom's website. I had mine ready in about 10 minutes after the CSR was issued.

Assuming that you've successfully obtained the SSL Trusted certificate from RapidSSL, what follows is setting up the certificate.
Initially I tried using documentation from the RapidSSL website called Installing your SSL Certificate / Web Server Certificate / Secure Server Certificate from RapidSSL.com
I tried to configure one of my VirtualHosts as shown in their example, inserting in my /etc/apache/sites-available/www.domain.com file a few directives within the VirtualHost, something like the ones shown below:

SSLEngine on
# www.domain.com.crt contains the Trusted SSL certificate generated and obtained by you from RapidSSL
SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
# www.domain.com.key is the key file used to generate the CSR file as described earlier in this post
SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key


After trying the above configuration and restarting apache with:

/etc/init.d/apache2 restart


Apache failed to start. The error I had in my Apache error.log might be helpful to somebody out there.
The error.log read the following:

[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

After some 30 minutes or an hour of Googling on the error I came to the conclusion that the error is caused, because Apache is supposed to work with .PEM files instead of the classical .CRT and .KEY files as normally approached in most of the other Unix operating systems.

It took me a bit more reading on the internet to find out that the .pem files so widely adopted in Debian simply contain both the www.domain.com.key file and the www.domain.com.crt file pasted one after another; I also observed this in the default Apache self-signed certificate that I believe comes with Debian, /etc/apache2/ssl/apache.pem .
So I copied the content of both my www.domain.com.key and www.domain.com.crt and stored it in one file:
/etc/apache2/ssl/www.domain.com.pem

Also the following configuration:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/www.domain.com.pem

had to go in your
/etc/apache2/sites-enabled/www.domain.com

Last thing that's left is to restart your Apache;

/etc/init.d/apache2 restart

Apache will prompt you for your certificate password entered by you during the www.domain.com.key generation. Type your password and with a bit of luck and hopefully with God's help you'll be having a Trusted Certificate on your webserver.

Last step is to check if the certificate is okay by accessing your domain https://www.domain.com.

Well, this is the end of the article, hope you enjoy. If you do, please leave your comments; any corrections are also welcome :)

Posted by hip0 | Permanent link

Tue Mar 23 15:27:28 EET 2010

Howto import a UTF8 textbook (book) in MySQL table / A simple step by step guide through on howto import books in MySQL

I was looking to import a textbook I own into MySQL in order to be able to easily manipulate the text later with MySQL queries. After some time spent trying hard, here are the steps I took to import the textbook:

1. First we create the necessary database and set the default charset to UTF8:

freebsd$ mysql -u root -p
# create database textbook in mysql and change it to your likings
mysql$ CREATE database textbook;
mysql$ use textbook;
mysql$ SET NAMES UTF8;


2. Then we create the necessary table into which we will import the textbook:
Below we create the table "textbook" with one column "sentence"

mysql$ CREATE table textbook (sentence varchar(5000));


3. Now we import the book:

mysql$ LOAD DATA INFILE '/path/to/file/textbook.txt' INTO TABLE textbook;


4. Last it might be a good idea to add some extra numbered column to be able to track the lines of the textbook as below:

mysql$ ALTER table textbook ADD COLUMN ID INT NOT NULL auto_increment FIRST, ADD PRIMARY KEY(ID);


In my case the book was in Cyrillic and after I had taken the above steps I didn't have any problems with Cyrillic letters in the table.
Of course the above method is a bit dumb since it's not flexible enough and doesn't track the textbook parts or titles; however, it's still a good example of how to store text data in a MySQL table and could help somebody further in his journey of learning MySQL, and besides that serve for some simple daily SQL tasks.

Posted by hip0 | Permanent link

Mon Mar 22 22:51:41 EET 2010

Fix weird problem with Apache default encoding (AddDefaultCharset) not taking effect on FreeBSD with Apache version (2.0.63)

I encountered a weird problem a couple of minutes ago. I tried to put some text files written in UTF-8, which contain Cyrillic in the file names as well as in the file content, in my Apache directory listing. Trying that produced a lot of "alien symbols" for both file names and file content.
I have to admit that wasn't exactly what I expected. I checked my /usr/local/etc/apache/httpd.conf just to find out I already have the:

AddDefaultCharset utf-8


within the configuration. I thought that somehow Apache could have difficulties applying that rule for the custom VirtualHost and therefore gave the directive a try locally in the VirtualHost. Grievously, that didn't produce any positive result. That's why I decided to check if somebody has experienced the same weird behavior and I stumbled on this wonderful blog post.
In short, on the plug and pray's blog ... Wait a moment, plug and pray? Yes, you read that correctly, it's plug and pray :), on that blog it's explained that newer versions of Apache (2.2.4, as this is the version the blogger talks about, as well as the latest Apache release) have an issue with AddDefaultCharset not working anymore. Fortunately the issue with AddDefaultCharset no longer taking effect in Apache is easily solved. All that needs to be done is including the:

IndexOptions Charset=UTF-8


within the Apache conf file. In my case on FreeBSD I had to include that in /usr/local/etc/apache2/httpd.conf, after which all worked perfectly fine and I could see all my Cyrillic symbols showing anew.

Posted by hip0 | Permanent link

Mon Mar 22 17:45:20 EET 2010

Change mc (midnight commander) editor to mcedit / How to make mcedit default editor for mc once again / Change Debian Default editor the correct way

I'm considering using mc (midnight commander) to review some dozens of source files in php/css and Java. However, currently on my Debian Lenny I have configured vim to be the default editor in the system. The way I've set up vim to be the default editor is not really canonical; I mean I did it through the $EDITOR variable in my /root/.bashrc and my ~/.bashrc file. In other words I have:

export VISUAL='vim'
export EDITOR='vim'

in my .bashrc files.
Though the correct way to do that is actually either by:

hipo@noah:~# update-alternatives --config editor


or by linking /etc/alternatives/editor to your vim, for instance:

hipo@noah:~# rm -f /etc/alternatives/editor
hipo@noah:~# ln -sf /usr/bin/vim /etc/alternatives/editor


As a result of my non-canonical way of doing things on Debian, whenever I tried opening files with midnight commander (mc), files ended up opening with vim.
I have to note that really sux a lot and therefore I hurried up to change mc's behaviour back to normal.
Here is how:

While in mc press F9 and go to the Options menu, then navigate to Configuration
Now tick on the text reading: use internal edIt
afterwards it might be also a good idea to select Save Setup from the Options in order to save changed settings for future use.

Posted by hip0 | Permanent link

Thu Mar 18 17:11:38 EET 2010

Mount Athos Sideview

Mount Athos

This wonderful picture of Mount Athos - Holy Mountain (A monk republic situated in Northern Greece) was taken by my kind-hearted girlfriend Dorothy (Angellyca / GrimminaGroll), during her trip to Kabala and some other tourist destinations in Greece, while on a boat crossing near Mount Athos. I hope she won't be very angry with me that I post her picture, but I felt obliged to do so!

So Thank you Dear Dorothy, and please don't be mad at me :)


Posted by hip0 | Permanent link

Wed Mar 17 20:41:24 EET 2010

Problem with OpenOffice after upgrade on Debian Sid Testing/Unstable - (openoffice.org: Component manager is not available.)

A few days ago I did an upgrade using apt-get which upgraded my openoffice to 3.2.04 on my Desktop machine (a notebook running Debian Sid - Testing/Unstable). Since then I hadn't started openoffice; however today an ex-college colleague of mine (Burcu) dropped by my home for some help with a project. In that connection I had to open a .doc file. I launched my oowriter in an attempt to open the document, without success: a stupid error popped up saying something is wrong with some kind of OpenOffice registry and, most importantly, claiming the following error:

openoffice.org: Component manager is not available.


First thing I tried in order to resolve the issue was simply moving my ~/.openoffice.org/ and ~/.openoffice.org2/ directories to ~/.openoffice.org-bak/ and ~/.openoffice.org2-bak/ respectively:

hipo@noah:~$ mv ~/.openoffice.org/ ~/.openoffice.org-bak/
hipo@noah:~$ mv ~/.openoffice.org2/ ~/.openoffice.org2-bak/


Regrettably I realized this approach failed when I launched oowriter to regenerate its working directories.

Therefore I executed another strategy :) to fix the issue, completely reinstalling openoffice with apt:

hipo@noah:~# apt-get install --reinstall openoffice.org-core


After a while, all is back to normal with my OpenOffice :) Though it's a real loss of time applying such dumb workarounds, I always hated Linux as a desktop platform just because of misbehaviour like that.

Posted by hip0 | Permanent link

Wed Mar 17 20:10:04 EET 2010

A few helpful Bind DNS server configuration options

It's quite useful in bind to have the following configuration options in either the named.conf options {} configuration block or (if on Debian Linux) in named.conf.options.
Please edit the respective file, find the options {} directive and set the following within the options {} block:

zone-statistics yes;
notify yes;
transfer-format many-answers;


Here I have to clarify that the zone-statistics directive instructs the server to collect statistical data about all zone files; these statistics can later be accessed via the
rndc stats command.

transfer-format many-answers is actually the default since bind 9 and you might even like to skip that one if on bind version 9 or later.
notify yes; - will instruct the nameserver to replicate changes in zone files to a configured secondary name server.

Another really vital thing in my view is to enable Bind DNS server logging to a file.

In order to do that put in named.conf:
logging {
    channel _default_log {
        file "/var/log/named/named.log";
        severity debug;
        print-time yes;
    };
    category default {
        _default_log;
    };
};


Note that it's required to create the log file with proper permissions in the location specified in the above configuration, in this case /var/log/named/named.log :

debian-server# mkdir -p /var/log/named
debian-server# touch /var/log/named/named.log
debian-server# chown -R bind:bind /var/log/named/


In this case I changed the directory and file to be owned by the bind user and group; however, on a different Linux distribution such as Redhat the user could be different, e.g. on Redhat the user is usually named.
To find the correct user, check the user under which the Bind server is running using a simple:
debian-server# ps axu|grep -i bind
or
# ps axu|grep -i named



Posted by hip0 | Permanent link

Tue Mar 16 17:31:07 EET 2010

3 Major incorrect beliefs about Global DNS (root DNS) servers

Until today, since I started getting into the depths of DNS some years ago, I always thought that there are 13 major super-computers used as Global DNS servers which were responsible for caching all the domain names on the IPv4 and IPv6 internet, and that's all I knew about this matter.
Today I had to review my knowledge on the subject of the DNS protocol, BIND server etc. in order to be able to fix an issue with a newly configured BIND DNS server. In relation to that I read a bunch of interesting articles online discussing matters concerning root DNS servers.
Here are two major articles worth reading:

1. DNS Root Name Servers Explained for Non-Experts - by Daniel Karrenberg
2. DNS Root servers in the World

This blows away the myth about 13 major super-servers running on top of backbones to serve DNS requests online. By the way, it's an interesting fact that I learned that myth from some O'Reilly books that were explaining the Redhat Linux distribution a long time ago.
It could be that a long time ago this was true, but not anymore!

As of today's date: Tue Mar 16 17:19:02 EET 2010, there are 425 DNS root servers which are an Internet's bone today.

Interestingly enough full list of the root servers is available via isoc.org's website along with many more information on the subject of how root DNSes works, how the DNS is served on the Internet as well as the RFC which explain the proper way to implement a DNS server.

A copy of the zonefile containing in it all the root DNSes can be obtained via isoc's website

Another wrong idea about Global DNS servers that I kept with me over the years is that most of the root servers are geographically located in USA.

A good proof to this delusion is root-servers.org website which contains a wonderful Google map with pinpointed geographical locations of all root servers .Along with this there is a plenty of extensive information on root DNS servers.

Another misbelief when talking about DNS servers is that the A-root server is the main DNS server in the Global DNS cluster.

Another good reading location concerning DNS Root servers is The DNS Root Name Server FAQ .


Posted by hip0 | Permanent link

Tue Mar 16 12:46:30 EET 2010

What causes the "nRRPResponseCode 531" error, A fix to the nasty "nRRPResponseCode 531" error during domain name DNS change

For two days now, I have been trying to set a custom DNS server for a (.net) domain purchased from gigaspark.com . Every time I try to change the nameservers for the (.net) domain an irritating error pops up; the error reads "nRRPResponseCode 531" and I cannot set my custom configured Bind DNS server for the (.net) domain. I believe the same problem also happens with (.com) domains.

In this relation, I tried googling, searching and searching for what might be the stupid cause of the "nRRPResponseCode 531" error that prevents me from setting my custom configured Bind domain name servers for mydomain.net . I also contacted the support team from gigaspark multiple times until I found out what the cause of the trouble is.
In short, "nRRPResponseCode 531" is an error that indicates your .net or .com domain is not listed in VeriSign's GRS domain database .
The Verisign GRS domain database contains a list of DNS servers that are correctly configured and trustworthy enough. I've seen many people online suffering from the same terrible error,
who pointed out that the error is caused by misconfigurations in the Bind DNS server or the zone file for the problematic domain name. Though I looked multiple times to possibly track the problem in both my main named.conf and the rest of bind's configuration files, as well as in the domain name I had registered, mydomain.net , there was nothing misconfigured or unusual.
I have to admit, this problem is really odd, because I was able to successfully set the same custom configured Bind DNS server for mydomain.info and mydomain.biz , yet whenever trying to set the same Bind DNS for mydomain.net I came across the shitty nRRPResponseCode 531 .
Thanks to the kind help of Gigaspark's tech support together with some google posts on the matter, I figured out Gigaspark are using ENOM - a major domain name registrar offering easy ways for end domain providers to become their resellers.
It seems ENOM's policy forces you as a domain name customer to register your full DNS domain name, let's say (ns1.mydns.com), in Verisign's GRS domain database; otherwise they refuse you the right to set your ns1.mydns.com for your domain yourself, because if the DNS domain name is not listed in that database it's not trustworthy!
I believe many people would agree with me this is a real shit! You pay for your domain and you should have the full rights over it.
I mean you should be allowed to set whatever DNS domain name, even if it's not an existing one, and they shouldn't bother you with stupid DNS domain name registrations in stupid Verisign GRS databases and so on!
Now you probably wonder what the required steps are to register the domain in that Verisign GRS database, in order to be able to set your ns1.mydomain.com as a default DNS server for your mydomainname.com .
Well, you have to contact your domain registrar, let's say tucows.com .
You log in to your account on tucowsdomains for your domain mydomain.com ... then you find something similar to "register a nameserver" among the overall menu options.
Then you have to register your nameserver ns1.mydomain.com. Then you wait between 24 and 48h, and then, to test whether your NS has properly entered the Verisign GRS database, you have to visit Verisign GRS Whois .
Hopefully the guys from Verisign GRS will approve your DNS host to enter their database, and then at last you might be able to set your DNS host as a preferred DNS for your (.net) / (.com?) domain name.
So go back to gigaspark's slovenian interface and try changing the DNSes once again! If you're lucky, with God's help (for sure), you will at last be successful in setting your BIND name server as a primary DNS.

Posted by hip0 | Permanent link

Mon Mar 15 17:29:46 EET 2010

Disable DNS recursion and AXFR requests in BIND on Debian Linux and FreeBSD / How to test a nameserver if AXFR requests are allowed with dig command

I am playing with bind on a newly configured server and am therefore doing my best to configure the nameserver in a good manner. In that line of thought I remembered the good old "recursion", which could pose a security hole in your DNS systems. I won't babble on about how bad it is for a BIND domain resolver to have domain recursion switched on; there is plenty of information you can read further online. Anyway, here is a brief overview of recursion:
Recursive DNS is essentially the opposite of Custom DNS. Custom DNS is an authoritative DNS service that allows others to find your domain, and Recursive DNS allows you to resolve other people's domains.

So, considering the above definition, if you decide to leave the default behaviour of the Bind nameserver (which, by the way, is also the default behaviour of many other DNS servers, including Microsoft DNS), your DNS will be left open for the whole world, serving resolve requests for any domain name requested by end users. In other words, somebody out there might decide to use your nameserver to resolve all internet domains, like google.com, yahoo.co.uk etc.

It is wise to enable recursion only for localhost on your bind name server. To achieve that on Debian, open /etc/bind/named.conf.options and insert the following right before the options { line:

acl recurseallow { 1.2.3.4; 127.0.0.1; };


Also in the options {} include the following lines:

allow-recursion { recurseallow; }; recursion yes;

On FreeBSD you need to include the same in /var/named/etc/namedb/named.conf (the default), or in another location if you have a specific named.conf file location.

Another truly vital thing to include in /etc/bind/named.conf.options on Debian Lenny inside options {} is:

auth-nxdomain no;


Including this in the options {} configuration block would completely disable AXFR transfer requests on your nameserver. On FreeBSD the procedure is absolutely analogous: just open /var/named/etc/namedb/named.conf and include the auth-nxdomain no; in the options configuration block.
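As an added example (not part of the original post or of BIND), the shell function below audits an options file for the recursion and zone-transfer controls discussed here. In BIND 9 the option that decides which hosts may request a zone transfer is allow-transfer, so that is what the audit looks for alongside allow-recursion; the function names, finding labels and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a BIND options file (read on stdin) for the recursion
# and zone-transfer access controls. All sample configs are constructed.

# Drop //, # and one-line /* */ comments so a commented-out directive is not
# counted as active. Multi-line /* */ comments are not handled.
strip_comments() {
    sed -e 's:/\*.*\*/::g' -e 's://.*$::' -e 's:#.*$::'
}

# Succeeds if extended regex $2 matches at a statement boundary in text $1.
has_stmt() {
    printf '%s\n' "$1" | grep -Eq "(^|[[:space:];{}])$2"
}

# Prints "ok", or the findings separated by spaces:
#   recursion-unrestricted  neither "recursion no;" nor allow-recursion {...}
#   transfer-unset          no allow-transfer {...}; named's default applies
#   transfer-any            allow-transfer { any; }
# Only the text given is checked; per-zone allow-transfer overrides are not.
audit_named_options() {
    conf=$(strip_comments)
    out=""
    if ! has_stmt "$conf" 'recursion[[:space:]]+no[[:space:]]*;' &&
       ! has_stmt "$conf" 'allow-recursion[[:space:]]*\{'; then
        out="$out recursion-unrestricted"
    fi
    if ! has_stmt "$conf" 'allow-transfer[[:space:]]*\{'; then
        out="$out transfer-unset"
    elif has_stmt "$conf" 'allow-transfer[[:space:]]*\{[[:space:]]*any[[:space:]]*;'; then
        out="$out transfer-any"
    fi
    out=${out# }
    echo "${out:-ok}"
}

# Constructed sample: the options this post adds, and nothing else.
sample_post_options() {
cat <<'EOF'
acl recurseallow { 1.2.3.4; 127.0.0.1; };
options {
    allow-recursion { recurseallow; }; recursion yes;
    auth-nxdomain no;
};
EOF
}

# Constructed sample: same file with an explicit transfer ACL. Use the
# secondaries' addresses instead of "none" if the zone has slave servers.
sample_hardened_options() {
cat <<'EOF'
acl recurseallow { 1.2.3.4; 127.0.0.1; };
options {
    allow-recursion { recurseallow; }; recursion yes;
    allow-transfer { none; };
    auth-nxdomain no;
};
EOF
}

# Constructed sample: both controls present only as comments.
sample_commented_options() {
cat <<'EOF'
options {
    // allow-transfer { none; };
    # allow-recursion { 127.0.0.1; };
};
EOF
}

for s in sample_post_options sample_hardened_options sample_commented_options; do
    printf '%-26s %s\n' "$s" "$("$s" | audit_named_options)"
done
```

Run it against a real file with `audit_named_options < /etc/bind/named.conf.options`.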

To stress the importance of disabling AXFR, it's important to know that if you don't disable AXFR, which is enabled by default in many nameservers out there, you're risking that a malicious person could list the whole zone file for each and every one of the domains configured in the DNS server, and consequently the attacker can learn a lot about the DNS topology of your network etc.
So to complete the article, I'm going to give an example of how the dig command can be used to check whether a certain DNS server has AXFR requests enabled (i.e. whether it's vulnerable to this type of DNS information leak).

dig @somenameserver.net somedomainname.net axfr


In the above example, somenameserver.net is a random name server hosting a specific DNS domain, and
somedomainname.net is the DNS domain name (a.k.a. zone file) hosted on somenameserver.net

If everything is configured properly on the nameserver you're running the AXFR test against, you should see something like:

; <<>> DiG 9.6.1-P1 <<>> @somenameserver.net somedomainname.net axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
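To check saved dig output without reading it by eye, the following added example (not from the original post) classifies an AXFR attempt and, going one step beyond the post's test, reads the ra flag of an ordinary query to tell whether the server offered recursion. The function names and all sample output other than the failure quoted above are constructed.

```shell
# Added example: classify saved dig output. Sample output is constructed.

# Reads `dig @server zone axfr` output on stdin. Prints:
#   refused   "; Transfer failed." and no records returned
#   open N    N resource records came back (the zone was handed over)
#   unknown   neither, for example a timeout
classify_axfr() {
    awk '
        /^; Transfer failed/ { failed = 1 }
        /^[^;]/ && NF >= 5 && $3 == "IN" { rr++ }
        END {
            if (rr > 0)      print "open " rr
            else if (failed) print "refused"
            else             print "unknown"
        }'
}

# Reads ordinary `dig @server name A` output on stdin and inspects the header
# flags: "ra" (recursion available) means the server offered to recurse.
classify_recursion() {
    awk '
        /^;; flags:/ {
            seen = 1
            sub(/^;; flags:/, ""); sub(/;.*/, "")
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ra") ra = 1
        }
        END {
            if (!seen)   print "unknown"
            else if (ra) print "recursion-offered"
            else         print "recursion-refused"
        }'
}

sample_axfr_refused() {       # the failure output quoted in the post
cat <<'EOF'
; <<>> DiG 9.6.1-P1 <<>> @somenameserver.net somedomainname.net axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
EOF
}

sample_axfr_open() {          # constructed: a server that hands the zone over
cat <<'EOF'
; <<>> DiG 9.6.1-P1 <<>> @ns1.example.net example.net axfr
example.net.          3600 IN SOA ns1.example.net. hostmaster.example.net. 2010031501 7200 3600 1209600 3600
example.net.          3600 IN NS  ns1.example.net.
intranet.example.net. 3600 IN A   192.0.2.10
example.net.          3600 IN SOA ns1.example.net. hostmaster.example.net. 2010031501 7200 3600 1209600 3600
;; XFR size: 4 records (messages 1, bytes 180)
EOF
}

sample_recursion_refused() {  # constructed
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
EOF
}

sample_recursion_offered() {  # constructed
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
EOF
}

sample_axfr_open | classify_axfr
sample_recursion_offered | classify_recursion
```

Against your own server, pipe live output in, for example `dig @somenameserver.net somedomainname.net axfr | classify_axfr`.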


Posted by hip0 | Permanent link

Mon Mar 15 13:31:57 EET 2010

Howto check and isolate problems with DNS servers and Domain records

There are two handy websites online which help quite extensively in tracking problems with domain name records and DNS inconsistencies.
I used them today to learn more about a problem with a non-resolving DNS name, though it already has a record in a properly configured Bind nameserver with a proper PTR record. Here are three handy online DNS checkers:
1. Squish.Net/DNSCheck - contains Tons of useful debugging information related to the possible problem

2. DNSCheck.iis.se - provides with less information, though still really handy

Some more handy information related to DNS can be obtained via R. Scott's DNS Oversimplified

3. TheDNSReport - provides good and extensive info on problems


Posted by hip0 | Permanent link

Sun Mar 14 17:11:21 EET 2010

Add DCC (Distributed Checksum Clearing Houses), Pyzor and Razor checks in Spamassassin on Debian Lenny / Howto improve spamassassin anti spam protection on Debian GNU / Linux

In connection with a recent qmail install, here are a few things to install in order to improve the native spamassassin anti-spam mail server protection capabilities.
1. Install Pyzor and Razor

debian-server# apt-get install pyzor razor

2. Edit /etc/mail/spamassassin/local.cf and put the following lines in it:

use_razor2 1
razor_config /etc/razor/razor-agent.conf
razor_timeout 8
use_pyzor 1
pyzor_path /usr/bin/pyzor
add_header all Pyzor _PYZOR_
clear_report_template


3. Edit /etc/mail/spamassassin/v310.pre and make sure the following lines are included and uncommented:

loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop


4. Now we modify /etc/mail/spamassassin/local.cf once more to enable Bayesian Filtering, so include the following in the conf:

use_bayes 1
bayes_file_mode 0700
bayes_path /var/spamd/.spamassassin/bayes
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam 0.1
bayes_auto_learn_threshold_spam 8.0
use_auto_whitelist 1


In my case I use the /var/spamd/.spamassassin directory for the bayesian filter files. You might want to have it in a different location; however, if you want to use the same directory as me, create the appropriate directories and files as shown below:

debian-server# mkdir -p /var/spamd/.spamassassin/
debian-server# touch /var/spamd/.spamassassin/bayes_{seen,toks} /var/spamd/.spamassassin/bayes
debian-server# chown -R vpopmail:vchkpw /var/spamd/


Note that in the above example I'm using vpopmail:vchkpw because my spamassassin is running under the vpopmail:vchkpw user and group; if you're using a different uid and gid, please change the commands accordingly.

5. Next we need to download and install the required DCC (Distributed Checksum Clearing Houses) binaries. Regrettably no debian package is available, so we will compile and install it from source:

debian-server# wget http://www.rhyolite.com/dcc/source/dcc.tar.Z
debian-server# tar -zxvf dcc.tar.Z
debian-server# cd dcc-1.3.120/
debian-server# ./configure && make && make install
debian-server# cdcc info > /var/dcc/map.txt
debian-server# chmod 0600 /var/dcc/map.txt
debian-server# rm /var/dcc/map
debian-server# cdcc "new map; load /var/dcc/map.txt"
debian-server# cdcc "delete 127.0.0.1"


6. Again we have to edit /etc/mail/spamassassin/local.cf and include in it:

use_dcc 1
dcc_timeout 8
dcc_home /var/spamd/
dcc_path /usr/local/bin/dccproc
add_header all DCC _DCCB_: _DCCR_


7. Last, I include a few configuration options I find handy. These are not required to have Pyzor, Razor and DCC properly configured, so it's completely up to you to decide if you want them or not:

rewrite_subject 1
subject_tag [SPAM found in message]
dns_available yes
ok_locales all
add_header spam Flag _YESNOCAPS_
report_safe 1


Herein I also include a link to my whole local.cf spamassassin configuration file, in the hope that it's easier to check the above directives directly in the conf.


Posted by hip0 | Permanent link

Sat Mar 13 13:04:33 EET 2010

Nanoblogger Yahoo Search Field Plugin (yahoo.sh) download / install and how to properly escape code in nanoblogger

For some time I have been trying to set up the Yahoo Search Field on my nanoblogger without success. I also have difficulties every now and then with escaping source code whenever I decide to drop it in my nanoblogger. Knowing that the official nanoblogger page has the yahoo search next to the google search up and running, and considering the fact that I couldn't find any tutorial or instructions online, either on nanoblogger's official webpage or on the rest of the searchable internet, I decided to mail Nanoblogger's author to ask him if he could help me set up this Yahoo Search Field Plugin, as well as ask him what I can do to have proper code escaping without breaking the blog. I explained that I had tried a bunch of things without success etc. Below you'll find my correspondence with Kevin Wood (Nanoblogger's Author):

Date: Mon, 22 Feb 2010 17:09:58 +0200
From: "G. Georgiev" myemail@gmail.com
User-Agent: Mozilla-Thunderbird 2.0.0.22 (X11/20091109)
To: n1xt3r@fastmail.fm
Subject: 2 questions concerning nanoblogger
Hi man,
First Thanks for the wonderful soft.
I have two questions.
1. Where can I get yahoo.sh script which is
used on http://nanoblogger.sourceforge.net
2. Whenever I try to post code that needs to be escaped let's say apache
directives an error occurs,
during generation of the blog and I cannot
seem to get the post online
How can I get through that?

Thanks in advance.

Kindest Regards
Georgi


Date: Sat, 27 Feb 2010 20:46:34 -0500
From: Kevin Wood kevinw@fastmail.fm
To: "G. Georgiev" myemail@gmail.com
Subject: Re: 2 questions concerning nanoblogger
User-Agent: Mutt/1.5.20 (2009-06-14)

Hi Georgi,
Attached is my yahoo.sh plugin. Just drop it in your plugins directory
and add $NB_Yahoo to your main_index.htm template. In order to work, it
expects that you have BLOG_FEED_URL set in blog.conf.

You should use the markdown.sh plugin to post escaped HTML code. When
editing your entry you can add markdown to the FORMAT field. Oh, the
markdown plugin requires that you have Markdown installed on your
system and you may have to tweak MARKDOWN_CMD and MARKDOWN_OPTS in your
blog.conf before it will work. Good luck!

>From http://daringfireball.net/projects/markdown/basics


Kevin


Now here is the yahoo.sh nanoblogger yahoo search plugin that Kevin sent me.
After putting it in my nanoblogger plugins directory and enabling BLOG_FEED_URL, now all works like a charm.

Posted by hip0 | Permanent link

Fri Mar 12 17:33:49 EET 2010

Reset Windows (NT, 2000, XP, Vista and Windows 7) password / Reset Windows Forgotten Password / Reset Windows Administrator password

Recently I was in the Pomorie's Monastery - St. George .
One layman left his notebook (maybe as a donation) to the monks. However the notebook was protected by both: fingerprint check, as well as administrator password and therefore the notebook was completely unusable and was thrown away with many other unused belongings.
When the abbot of the monastery found out I'm adept with computers, he asked if I can fix up the notebook and somehow remove the password, or reinstall the machine to make it usable.
So here I decided to blog what I undertook to reset the windows password with the hope somebody else could benefit from that as well.

1. Go to Offline NT Password & Registry Editor, Bootdisk / CD website

2. Download the bootable CD image zip archive of Offline NT Password & Registry Editor and burn the iso to a CD using K3b (on Linux), Nero or CDBurnerXP (on Windows).

3. Follow the step by step walkthrough manual (here) to either change some Windows user's password or completely reset the administrator or any other user password.

Following the walkthrough literally proved to be quite successful for me and I was able to properly reset the administrator password!
So Hooray, it works again! The monks can now benefit from the cute Toshiba satellite machine.

Posted by hip0 | Permanent link

Thu Mar 11 13:48:48 EET 2010

Ubunchu - The world's first? romantic school comedy (A Linux Related Manga Magazine)


Ubunchu a Linux Manga Fun Magazine

I came across a nice Linux related magazine called Ubunchu. It's a short story about a few kids who are members of a pc geek club. The 3 kids start installing ubuntu and get into the ordinary quarrels on the topic of "which linux distribution is better?" and whether Linux is already desktop ready. Download and read the mirrored copies of all Ubunchu comics so far below:
Ubunchu Linux Comics Magazine - Vol. 1
Ubunchu Linux Comics Magazine - Vol. 2
Ubunchu Linux Comics Magazine - Vol. 3
Ubunchu Linux Comics Magazine - Vol. 4
Ubunchu Linux Comics Magazine - Vol. 5


Posted by hip0 | Permanent link

Thu Mar 4 23:35:26 EET 2010

Howto install FuzzyOcr on Debian 5.0 (Lenny) / FuzzyOCR install tutorial on Debian Linux


Recently, I had a task to install FuzzyOCR on Debian Lenny in order to reduce the amount of "image spam" delivered to the end users. Since there is no official install tutorial for debian users, I decided to create this one with the hope it might be useful for others.
Here are a few lines that explain what FuzzyOCR is:

FuzzyOcr is a plugin for SpamAssassin which is aimed at unsolicited bulk mail (also known as "Spam") containing images as the main content carrier. Using different methods, it analyzes the content and properties of images to distinguish between normal mails (Ham) and spam mails. The methods mainly are:

Now I won't get into details anymore and I'll get you to the concrete packages and configurations I've done in order to have the software up and running.

1. Install required debian packages

debian-server# apt-get install netpbm gocr giftext giflib-tools libungif-bin \
libpng3 libungif4g gifsicle ocrad \
libstring-approx-perl libmldbm-perl libmldbm-sync-perl \
liblog-agent-perl libpng12-dev libtiff4-dev libsvga1-dev libx11-dev


2. Download latest version of FuzzyOCR


debian-server# wget http://users.own-hero.net/~decoder/fuzzyocr/fuzzyocr-3.6.0.tar.gz
debian-server# tar -zxvf fuzzyocr-3.6.0.tar.gz && cd FuzzyOcr-3.6.0/


3. Copy some FuzzyOCR configuration and installation files in /etc/mail/spamassassin/

debian-server# cp -rpf FuzzyOcr.scansets /etc/mail/spamassassin/
debian-server# cp -rpf FuzzyOcr.preps /etc/mail/spamassassin/
debian-server# cp -rpf FuzzyOcr.pm /etc/mail/spamassassin/
debian-server# cp -rpf FuzzyOcr/ /etc/mail/spamassassin/
debian-server# cp -rpf FuzzyOcr.cf /etc/mail/spamassassin


4. Create some log files and files in order to use FuzzyOCR with a hashing database.

debian-server# touch /var/log/qmail/FuzzyOcr.log
debian-server# chown vpopmail:vchkpw /var/log/qmail/FuzzyOcr.log
debian-server# touch /etc/mail/spamassassin/FuzzyOcr.db
debian-server# chown vpopmail:vchkpw /etc/mail/spamassassin/FuzzyOcr.db
debian-server# touch /etc/mail/spamassassin/FuzzyOcr.safe.db
debian-server# chown vpopmail:vchkpw /etc/mail/spamassassin/FuzzyOcr.safe.db

5. Edit FuzzyOcr configuration files.

debian-server# vim /etc/mail/spamassassin/FuzzyOcr.cf


You need to put there the following directives:

focr_enable_image_hashing 2
focr_db_hash /etc/mail/spamassassin/FuzzyOcr.db
focr_db_safe /etc/mail/spamassassin/FuzzyOcr.safe.db
focr_db_max_days 15


Now there are a few more things that need to be done before we have a complete install, e.g. we need to compile netpbm from source, because three of the binary executables required by FuzzyOcr are for some reason not bundled with the debian lenny netpbm package.
So first we download and untar the latest version of netpbm:

debian-server# links "http://downloads.sourceforge.net/project/netpbm/super_stable/10.35.73/netpbm-10.35.73.tgz?use_mirror=sunet"
debian-server# tar -zxvvf netpbm-10.35.73.tgz


We need the following "hack" in order to have the source compile properly:

debian-server# mkdir -p /usr/X11R6/lib
debian-server# ln -sf /usr/lib/libX11.so /usr/X11R6/lib/libX11.so


Next we compile the source of netpbm and install it:


debian-server# cd netpbm-10.35.73
debian-server# make && make install


If your build fails during the "make", use the apt-file program to determine which debian package contains the missing header files that caused the build to fail.
We proceed next with the installation of tesseract . Tesseract is one of the best open source OCR engines available nowadays.
Therefore we now download and install it:

debian-server# wget http://tesseract-ocr.googlecode.com/files/tesseract-2.04.tar.gz
debian-server# tar -zxvvf tesseract-2.04.tar.gz
debian-server# cd tesseract-2.04
debian-server# ./configure && make && make install


In order to load FuzzyOcr in spamassassin we have to restart Spamassassin:

debian-server# /etc/init.d/spamassassin restart


Note: If you have spamassassin running via djb daemontools, restart spamassassin via the svc command:

The last thing we do is check whether FuzzyOcr is correctly loaded and is checking for image spam when new messages arrive, so here is how:

Change back to your FuzzyOcr-3.6.0/ directory:

debian-server# cd FuzzyOcr-3.6.0/
debian-server# cd samples
debian-server# spamassassin --debug FuzzyOcr < ocr-animated.eml >/dev/null


Check the lines related to FuzzyOcr; you should have some lines in the output reporting that FuzzyOcr has found spam in the ocr-animated.eml file.
Another possible approach to test what is happening in spamassassin is to use:


debian-server# spamassassin -D


The above command will provide you with information about spamassassin in real time.
This article is pretty much in a beta stage; I'll be glad for any feedback on it so I can improve it!
Thanks for reading!

Posted by hip0 | Permanent link