Posts Tagged ‘enable’

How to enable HaProxy logging to a separate log /var/log/haproxy.log / prevent HAProxy duplicate messages to appear in /var/log/messages

Wednesday, February 19th, 2020

haproxy-logging-basics-how-to-log-to-separate-file-prevent-duplicate-messages-haproxy-haproxy-weblogo-squares
haproxy  logging can be managed in different form the most straight forward way is to directly use /dev/log either you can configure it to use some log management service as syslog or rsyslogd for that.

If you don't use rsyslog yet to install it: 

# apt install -y rsyslog

Then to activate logging via rsyslogd we can should add either to /etc/rsyslogd.conf or create a separte file and include it via /etc/rsyslogd.conf with following content:
 

Enable haproxy logging from rsyslogd


Log haproxy messages to separate log file you can use some of the usual syslog local0 to local7 locally used descriptors inside the conf (be aware that if you try to use some wrong value like local8, local9 as a logging facility you will get with empty haproxy.log, even though the permissions of /var/log/haproxy.log are readable and owned by haproxy user.

When logging to a local Syslog service, writing to a UNIX socket can be faster than targeting the TCP loopback address. Generally, on Linux systems, a UNIX socket listening for Syslog messages is available at /dev/log because this is where the syslog() function of the GNU C library is sending messages by default. To address UNIX socket in haproxy.cfg use:

log /dev/log local2 


If you want to log into separate log each of multiple running haproxy instances with different haproxy*.cfg add to /etc/rsyslog.conf lines like:

local2.* -/var/log/haproxylog2.log
local3.* -/var/log/haproxylog3.log


One important note to make here is since rsyslogd is used for haproxy logging you need to have enabled in rsyslogd imudp and have a UDP port listener on the machine.

E.g. somewhere in rsyslog.conf or via rsyslog include file from /etc/rsyslog.d/*.conf needs to have defined following lines:

$ModLoad imudp
$UDPServerRun 514


I prefer to use external /etc/rsyslog.d/20-haproxy.conf include file that is loaded and enabled rsyslogd via /etc/rsyslog.conf:

# vim /etc/rsyslog.d/20-haproxy.conf

$ModLoad imudp
$UDPServerRun 514​
local2.* -/var/log/haproxy2.log


It is also possible to produce different haproxy log output based on the severiy to differentiate between important and less important messages, to do so you'll need to rsyslog.conf something like:
 

# Creating separate log files based on the severity
local0.* /var/log/haproxy-traffic.log
local0.notice /var/log/haproxy-admin.log

 

Prevent Haproxy duplicate messages to appear in /var/log/messages

If you use local2 and some default rsyslog configuration then you will end up with the messages coming from haproxy towards local2 facility producing doubled simultaneous records to both your pre-defined /var/log/haproxy.log and /var/log/messages on Proxy servers that receive few thousands of simultanous connections per second.
This is a problem since doubling the log will produce too much data and on systems with smaller /var/ partition you will quickly run out of space + this haproxy requests logging to /var/log/messages makes the file quite unreadable for normal system events which are so important to track clearly what is happening on the server daily.

To prevent the haproxy duplicate messages you need to define somewhere in rsyslogd usually /etc/rsyslog.conf local2.none near line of facilities configured to log to file:

*.info;mail.none;authpriv.none;cron.none;local2.none     /var/log/messages

This configuration should work but is more rarely used as most people prefer to have haproxy log being written not directly to /dev/log which is used by other services such as syslogd / rsyslogd.

To use /dev/log to output logs from haproxy configuration in global section use config like:
 

global
        log /dev/log local2 debug
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

The log global directive basically says, use the log line that was set in the global section for whole config till end of file. Putting a log global directive into the defaults section is equivalent to putting it into all of the subsequent proxy sections.

Using global logging rules is the most common HAProxy setup, but you can put them directly into a frontend section instead. It can be useful to have a different logging configuration as a one-off. For example, you might want to point to a different target Syslog server, use a different logging facility, or capture different severity levels depending on the use case of the backend application. 

Insetad of using /dev/log interface that is on many distributions heavily used by systemd to store / manage and distribute logs,  many haproxy server sysadmins nowdays prefer to use rsyslogd as a default logging facility that will manage haproxy logs.
Admins prefer to use some kind of mediator service to manage log writting such as rsyslogd or syslog, the reason behind might vary but perhaps most important reason is  by using rsyslogd it is possible to write logs simultaneously locally on disk and also forward logs  to a remote Logging server  running rsyslogd service.

Logging is defined in /etc/haproxy/haproxy.cfg or the respective configuration through global section but could be also configured to do a separate logging based on each of the defined Frontend Backends or default section. 
A sample exceprt from this section looks something like:

#———————————————————————
# Global settings
#———————————————————————
global
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#———————————————————————
defaults
    mode                    tcp
    log                     global
    option                  tcplog
    #option                  dontlognull
    #option http-server-close
    #option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 7
    #timeout http-request    10s
    timeout queue           10m
    timeout connect         30s
    timeout client          20m
    timeout server          10m
    #timeout http-keep-alive 10s
    timeout check           30s
    maxconn                 3000

 

 

# HAProxy Monitoring Config
#———————————————————————
listen stats 192.168.0.5:8080                #Haproxy Monitoring run on port 8080
    mode http
    option httplog
    option http-server-close
    stats enable
    stats show-legends
    stats refresh 5s
    stats uri /stats                            #URL for HAProxy monitoring
    stats realm Haproxy\ Statistics
    stats auth hproxyauser:Password___          #User and Password for login to the monitoring dashboard

 

#———————————————————————
# frontend which proxys to the backends
#———————————————————————
frontend ft_DKV_PROD_WLPFO
    mode tcp
    bind 192.168.233.5:30000-31050
    option tcplog
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
    default_backend Default_Bakend_Name


#———————————————————————
# round robin balancing between the various backends
#———————————————————————
backend bk_DKV_PROD_WLPFO
    mode tcp
    # (0) Load Balancing Method.
    balance source
    # (4) Peer Sync: a sticky session is a session maintained by persistence
    stick-table type ip size 1m peers hapeers expire 60m
    stick on src
    # (5) Server List
    # (5.1) Backend
    server Backend_Server1 10.10.10.1 check port 18088
    server Backend_Server2 10.10.10.2 check port 18088 backup


The log directive in above config instructs HAProxy to send logs to the Syslog server listening at 127.0.0.1:514. Messages are sent with facility local2, which is one of the standard, user-defined Syslog facilities. It’s also the facility that our rsyslog configuration is expecting. You can add more than one log statement to send output to multiple Syslog servers.

Once rsyslog and haproxy logging is configured as a minumum you need to restart rsyslog (assuming that haproxy config is already properly loaded):

# systemctl restart rsyslogd.service

To make sure rsyslog reloaded successfully:

systemctl status rsyslogd.service


Restarting HAproxy

If the rsyslogd logging to 127.0.0.1 port 514 was recently added a HAProxy restart should also be run, you can do it with:
 

# /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -D -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)


Or to restart use systemctl script (if haproxy is not used in a cluster with corosync / heartbeat).

# systemctl restart haproxy.service

You can control how much information is logged by adding a Syslog level by

    log         127.0.0.1 local2 info


The accepted values are the standard syslog security level severity:

Value Severity Keyword Deprecated keywords Description Condition
0 Emergency emerg panic System is unusable A panic condition.
1 Alert alert   Action must be taken immediately A condition that should be corrected immediately, such as a corrupted system database.
2 Critical crit   Critical conditions Hard device errors.
3 Error err error Error conditions  
4 Warning warning warn Warning conditions  
5 Notice notice   Normal but significant conditions Conditions that are not error conditions, but that may require special handling.
6 Informational info   Informational messages  
7 Debug debug   Debug-level messages Messages that contain information normally of use only when debugging a program.

 

Logging only errors / timeouts / retries and errors is done with option:

Note that if the rsyslog is configured to listen on different port for some weird reason you should not forget to set the proper listen port, e.g.:
 

  log         127.0.0.1:514 local2 info

option dontlog-normal

in defaults or frontend section.

You most likely want to enable this only during certain times, such as when performing benchmarking tests.

(or log-format-sd for structured-data syslog) directive in your defaults or frontend
 

Haproxy Logging shortly explained


The type of logging you’ll see is determined by the proxy mode that you set within HAProxy. HAProxy can operate either as a Layer 4 (TCP) proxy or as Layer 7 (HTTP) proxy. TCP mode is the default. In this mode, a full-duplex connection is established between clients and servers, and no layer 7 examination will be performed. When in TCP mode, which is set by adding mode tcp, you should also add option tcplog. With this option, the log format defaults to a structure that provides useful information like Layer 4 connection details, timers, byte count and so on.

Below is example of configured logging with some explanations:

Log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"

haproxy-logged-fields-explained
Example of Log-Format configuration as shown above outputted of haproxy config:

Log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"

haproxy_http_log_format-explained1

To understand meaning of this abbreviations you'll have to closely read  haproxy-log-format.txt. More in depth info is to be found in HTTP Log format documentation


haproxy_logging-explained

Logging HTTP request headers

HTTP request header can be logged via:
 

 http-request capture

frontend website
    bind :80
    http-request capture req.hdr(Host) len 10
    http-request capture req.hdr(User-Agent) len 100
    default_backend webservers


The log will show headers between curly braces and separated by pipe symbols. Here you can see the Host and User-Agent headers for a request:

192.168.150.1:57190 [20/Dec/2018:22:20:00.899] website~ webservers/server1 0/0/1/0/1 200 462 – – —- 1/1/0/0/0 0/0 {mywebsite.com|Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/71.0.3578.80 } "GET / HTTP/1.1"

 

Haproxy Stats Monitoring Web interface


Haproxy is having a simplistic stats interface which if enabled produces some general useful information like in above screenshot, through which
you can get a very basic in browser statistics and track potential issues with the proxied traffic for all configured backends / frontends incoming outgoing
network packets configured nodes
 experienced downtimes etc.

haproxy-statistics-report-picture

The basic configuration to make the stats interface accessible would be like pointed in above config for example to enable network listener on address
 

https://192.168.0.5:8080/stats


with hproxyuser / password config would be:

# HAProxy Monitoring Config
#———————————————————————
listen stats 192.168.0.5:8080                #Haproxy Monitoring run on port 8080
    mode http
    option httplog
    option http-server-close
    stats enable
    stats show-legends
    stats refresh 5s
    stats uri /stats                            #URL for HAProxy monitoring
    stats realm Haproxy\ Statistics
    stats auth hproxyauser:Password___          #User and Password for login to the monitoring dashboard

 

 

Sessions states and disconnect errors on new application setup

Both TCP and HTTP logs include a termination state code that tells you the way in which the TCP or HTTP session ended. It’s a two-character code. The first character reports the first event that caused the session to terminate, while the second reports the TCP or HTTP session state when it was closed.

Here are some essential termination codes to track in for in the log:
 

Here are some termination code examples most commonly to see on TCP connection establishment errors:

Two-character code    Meaning
—    Normal termination on both sides.
cD    The client did not send nor acknowledge any data and eventually timeout client expired.
SC    The server explicitly refused the TCP connection.
PC    The proxy refused to establish a connection to the server because the process’ socket limit was reached while attempting to connect.


To get all non-properly exited codes the easiest way is to just grep for anything that is different from a termination code –, like that:

tail -f /var/log/haproxy.log | grep -v ' — '


This should output in real time every TCP connection that is exiting improperly.

There’s a wide variety of reasons a connection may have been closed. Detailed information about all possible termination codes can be found in the HAProxy documentation.
To get better understanding a very useful reading to haproxy Debug errors with  is in haproxy-logging.txt in that small file are collected all the cryptic error messages codes you might find in your logs when you're first time configuring the Haproxy frontend / backend and the backend application behind.

Another useful analyze tool which can be used to analyze Layer 7 HTTP traffic is halog for more on it just google around.

Rsync copy files with root privileges between servers with root superuser account disabled

Tuesday, December 3rd, 2019

 

rsync-copy-files-between-two-servers-with-root-privileges-with-root-superuser-account-disabled

Sometimes on servers that follow high security standards in companies following PCI Security (Payment Card Data Security) standards it is necessery to have a very weird configurations on servers,to be able to do trivial things such as syncing files between servers with root privileges in a weird manners.This is the case for example if due to security policies you have disabled root user logins via ssh server and you still need to synchronize files in directories such as lets say /etc , /usr/local/etc/ /var/ with root:root user and group belongings.

Disabling root user logins in sshd is controlled by a variable in /etc/ssh/sshd_config that on most default Linux OS
installations is switched on, e.g. 

grep -i permitrootlogin /etc/ssh/sshd_config
PermitRootLogin yes


Many corporations use Vulnerability Scanners such as Qualys are always having in their list of remote server scan for SSH Port 22 to turn have the PermitRootLogin stopped with:

 

PermitRootLogin no


In this article, I'll explain a scenario where we have synchronization between 2 or more servers Server A / Server B, whatever number of servers that have already turned off this value, but still need to
synchronize traditionally owned and allowed to write directories only by root superuser, here is 4 easy steps to acheive it.

 

1. Add rsyncuser to Source Server (Server A) and Destination (Server B)


a. Execute on Src Host:

 

groupadd rsyncuser
useradd -g 1000 -c 'Rsync user to sync files as root src_host' -d /home/rsyncuser -m rsyncuser

 

b. Execute on Dst Host:

 

groupadd rsyncuser
useradd -g 1000 -c 'Rsync user to sync files dst_host' -d /home/rsyncuser -m rsyncuser

 

2. Generate RSA SSH Key pair to be used for passwordless authentication


a. On Src Host
 

su – rsyncuser

ssh-keygen -t rsa -b 4096

 

b. Check .ssh/ generated key pairs and make sure the directory content look like.

 

[rsyncuser@src-host .ssh]$ cd ~/.ssh/;  ls -1

id_rsa
id_rsa.pub
known_hosts


 

3. Copy id_rsa.pub to Destination host server under authorized_keys

 

scp ~/.ssh/id_rsa.pub  rsyncuser@dst-host:~/.ssh/authorized_keys

 

Next fix permissions of authorized_keys file for rsyncuser as anyone who have access to that file (that exists as a user account) on the system
could steal the key and use it to run rsync commands and overwrite remotely files, like overwrite /etc/passwd /etc/shadow files with his custom crafted credentials
and hence hack you 🙂
 

Hence, On Destionation Host Server B fix permissions with:
 

su – rsyncuser; chmod 0600 ~/.ssh/authorized_keys
[rsyncuser@dst-host ~]$

 

For improved security here to restrict rsyncuser to be able to run only specific command such as very specific script instead of being able to run any command it is good to use little known command= option
once creating the authorized_keys

 

4. Test ssh passwordless authentication works correctly


For that Run as a normal ssh from rsyncuser

On Src Host

 

[rsyncuser@src-host ~]$ ssh rsyncuser@dst-host


Perhaps here is time that for those who, think enabling a passwordless authentication is not enough secure and prefer to authorize rsyncuser via a password red from a secured file take a look in my prior article how to login to remote server with password provided from command line as a script argument / Running same commands on many servers 

5. Enable rsync in sudoers to be able to execute as root superuser (copy files as root)

 


For this step you will need to have sudo package installed on the Linux server.

Then, Execute once logged in as root on Destionation Server (Server B)

 

[root@dst-host ~]# grep 'rsyncuser ALL' /etc/sudoers|wc -l || echo ‘rsyncuser ALL=NOPASSWD:/usr/bin/rsync’ >> /etc/sudoers
 

 

Note that using rsync with a ALL=NOPASSWD in /etc/sudoers could pose a high security risk for the system as anyone authorized to run as rsyncuser is able to overwrite and
respectivle nullify important files on Destionation Host Server B and hence easily mess the system, even shell script bugs could produce a mess, thus perhaps a better solution to the problem
to copy files with root privileges with the root account disabled is to rsync as normal user somewhere on Dst_host and use some kind of additional script running on Dst_host via lets say cron job and
will copy gently files on selective basis.

Perhaps, even a better solution would be if instead of granting ALL=NOPASSWD:/usr/bin/rsync in /etc/sudoers is to do ALL=NOPASSWD:/usr/local/bin/some_copy_script.sh
that will get triggered, once the files are copied with a regular rsyncuser acct.

 

6. Test rsync passwordless authentication copy with superuser works


Do some simple copy, lets say copy files on Encrypted tunnel configurations located under some directory in /etc/stunnel on Server A to /etc/stunnel on Server B

The general command to test is like so:
 

rsync -aPz -e 'ssh' '–rsync-path=sudo rsync' /var/log rsyncuser@$dst_host:/root/tmp/


This will copy /var/log files to /root/tmp, you will get a success messages for the copy and the files will be at destination folder if succesful.

 

On Src_Host run:

 

[rsyncuser@src-host ~]$ dst=FQDN-DST-HOST; user=rsyncuser; src_dir=/etc/stunnel; dst_dir=/root/tmp;  rsync -aP -e 'ssh' '–rsync-path=sudo rsync' $src_dir  $rsyncuser@$dst:$dst_dir;

 

7. Copying files with root credentials via script


The simlest file to use to copy a bunch of predefined files  is best to be handled by some shell script, the most simple version of it, could look something like this.
 

#!/bin/bash
# On server1 use something like this
# On server2 dst server
# add in /etc/sudoers
# rsyncuser ALL=NOPASSWD:/usr/bin/rsync

user='rsyncuser';

dst_dir="/root/tmp";
dst_host='$dst_host';
src[1]="/etc/hosts.deny";
src[2]="/etc/sysctl.conf";
src[3]="/etc/samhainrc";
src[4]="/etc/pki/tls/";
src[5]="/usr/local/bin/";

 

for i in $(echo ${src[@]}); do
rsync -aPvz –delete –dry-run -e 'ssh' '–rsync-path=sudo rsync' "$i" $rsyncuser@$dst_host:$dst_dir"$i";
done


In above script as you can see, we define a bunch of files that will be copied in bash array and then run a loop to take each of them and copy to testination dir.
A very sample version of the script rsync_with_superuser-while-root_account_prohibited.sh 
 

Conclusion


Lets do short overview on what we have done here. First Created rsyncuser on SRC Server A and DST Server B, set up the key pair on both copied the keys to make passwordless login possible,
set-up rsync to be able to write as root on Dst_Host / testing all the setup and pinpointing a small script that can be used as a backbone to develop something more complex
to sync backups or keep system configurations identicatial – for example if you have doubts that some user might by mistake change a config etc.
In short it was pointed the security downsides of using rsync NOPASSWD via /etc/sudoers and few ideas given that could be used to work on if you target even higher
PCI standards.

 

How to activate (enable) telnet client on Windows XP and Windows 7

Thursday, November 22nd, 2012

1. Enable / Disable Telnet Client command on Windows XP

By default telnet is enabled on Windows XP. However on some messed up Windows installations, cause of viruses or some custom users changes the PATH variable set for command prompt to C:\WINDOWS\system32\
is missing and therefore typing in telnet in cmd.exe fails to find the command. Thus it is good idea before trying to enable telnet with dism command to try running in Command Prompt

C:\WINDOWS\system32\telnet.exe,

 If the command is not found  by giving it full path, then you can read down the article how to enable it.
Launch command prompt cmd.exe and type:

dism /online /Enable-Feature /FeatureName:TelnetClient

dism command enable disable telnet client command on windows 7 and windows 2008 servers Launching again:

dism /online /Enable-Feature /FeatureName:TelnetClient

Disables telnet, whether it is enabled on system, on some systems XP admins might want to do this for increasing system security 

2. Enabling Telnet client using XP Graphical interface

Start (button) -> Control Panel -> Add / Remove Programs-> (Click on Turn Windows features on and Off )

3. Turn on Windows Telnet Client on Win 7  using Graphical Environment

Probably out of security, concerns within Microsoft took a wise decision to make Telnet Client disabled by default on Windows 7. Thus just trying to run it via cmd.exe users one gets 'telnet is not recognized as internal or external command, operable program or batch file'

Telnet not recognized as internal or external command message on Windows 7

Start (button) -> Control Panel -> Program and Features -> (Click on Turn Windows features on and Off )

turning on-telnet client control panel turn windows features on and off screenshot

You will get a dialog listing a number of things you can turn on you need to set tick on
Telnet Client

windows 7 windows features on and off enable telnet tickset

 Then a pop-up User Account Control will require you to enter administrator user password (if not already logged in as administrator).

Please wait while Windows makes changes to features, installing telnet client post dialog window

Further on launch cmd.exe and type telnet

Start (menu) -> Start Search -> cmd.exe
or pressing Windows Button + R and type in cmd.exe and type telnet

4. Turn on ( Install ) Win 7 Telnet Client from command line:

Launch command prompt (cmd.exe) and type in:

C:\Windows> pkgmgr /iu:"TelnetClient"

Installing using pkgmgr /ui: "TelnetClient" should be able to install telnet also on Windows 2008, Windows 2008 R2 Servers and Windows Vista

Happy telnet-ing 🙂

Enable write “write” command between logged in users on Debian GNU / Linux

Tuesday, October 9th, 2012

efault Debian GNU / Linux install does not permit messaging between ssh logged in users. Messages are disabled like this for security reasons as if they are on by default it is quite easy to flood one’s terminal with messages using a little loop like for instance:


while [ 1 ]; do
echo "You're flooded" | mesg username
done

Hence smartly, all users between write is switched off, i.e. mesg n

For those unfamiliar with mesg I suggest you check man mesg – which is one of the shortest UNIX manual written 🙂

Mesg head manual description is:


mesg - control write access to your terminal

Options mesg can accept are either yes or no ( y / n ).
To check on current logged in user if write username messaging is turned on, on any logged in user shell use:


# mesg
mesg is n

While mesg is set to no by default, if you try to message a random logged in system user you will get a message like:


$ write testuser
write: write: you have write permission turned off.

It is actually, quite handy to have messages switched on especially if you have a Linux host with user accounts which are friends of yours and
it is not very likely mesg is used for bad.

To change the default mesg n to mesg y you need to edit /etc/bash.bashscr (in case if all users are configured to use bash) or even better to set mesg y for all existing users add a new line on top or at the end of /etc/profile file:


echo 'mesg y' >> /etc/profile

On next login via ssh or physical tty, messaging will be on. To check re-login and type:


$ mesg
is y

One note to make here, is even though if you set messaging to yes for all users via /etc/profile, still for some reason the root user m
essaging keeps set to NO.


$ mesg
is y

One note to make here, is even though if you set messaging to yes for all users via /etc/profile, still for some reason the root user m
essaging keeps set to NO.


root@debian:~# mesg
is n

I have no clue, like this happens, but if you need to enable mesg to root as well add mesg y to /root/.bashrc

Well that’s all, I hope this helps someone 🙂 Cheers.

How to enable cron log separately in cron.log in Debian GNU / Linux

Thursday, October 4th, 2012

Default logging mechanism in and rest of its forks Ubuntu, Xubuntu whatever is done that there is no separate logging for cron daemon (/usr/sbin/cron). Instead all output messages from cron service gets logged in /var/log/auth.log

I don’t like this and since I ever remember using Linux I always liked it whether cron logs its activities in /var/log/cron.log.

Hence on each and every new Desktop or Server install, one of my first things is to set crond log msg separately in /var/log/cron.log.

In older Debians syslog, was used whether in Debian Squeeze, (Wheezy) and onwards releases rsyslog is used.

On hosts depending on syslogd or rsyslogd to manage logs, to enable cron.log just uncomment in either /etc/syslog.conf or /etc/rsyslog.conf:


# cron.* /var/log/cron.log


cron.* /var/log/cron.log

Create cron.log


linux:~# touch /var/log/cron.log

And restart syslogd / rsyslogd and cron


linux:~# /etc/init.d/rsyslogd restart
Stopping enhanced syslogd: rsyslogd.
Starting enhanced syslogd: rsyslogd.
linux:~# /etc/init.d/cron restart
Restarting periodic command scheduler: cron.
....

Check cron.log to see it logs fine:


linux:~# tail -n 5 /var/log/cron.log
Oct 4 16:31:27 pcfreak /usr/sbin/cron[32413]: (CRON) STARTUP (fork ok)
Oct 4 16:31:27 pcfreak /usr/sbin/cron[32413]: (CRON) INFO
(Skipping @reboot jobs -- not system startup)
Oct 4 16:32:35 pcfreak /usr/sbin/cron[32468]: (CRON) INFO
(pidfile fd = 3)
Oct 4 16:32:35 pcfreak /usr/sbin/cron[32469]: (CRON) STARTUP
(fork ok)
Oct 4 16:32:35 pcfreak /usr/sbin/cron[32469]: (CRON) INFO
(Skipping @reboot jobs -- not system startup)

How to enable UserDir /home/*/public_html on Debian GNU / Linux 6.0.5 (Squeeze)

Saturday, September 22nd, 2012

Enabling mod userdir on Apache server in Debian GNU Linux Squeeze

By default UserDir module is not enabled on Debian. The original documentation related to UserDir is found on Apache’s main website here
On Debain by default the module userdir is installed in directory /usr/lib/apache2/modules/, e.g.:


debian:~# ls -al /usr/lib/apache2/modules/*userdir*
-rw-r--r-- 1 root root 9696 Apr 1 09:40 /usr/lib/apache2/modules/mod_userdir.so

It is installed as external module (not compiled in Apache) – btw something interesting for many might be to see which modules are copmiled as static modules default in Apache by issuing:


debian:~# /usr/sbin/apache2 -l
Compiled in modules:
core.c
mod_log_config.c
mod_logio.c
prefork.c
http_core.c
mod_so.c

In Debian Apache is configured to use Debian’s standard directory locations and use Debian’s config, structure and how to generally manage it, hence in order to add (load) mod_userdir to Apache it is necessery to exec a2enmod perl script:


debian:~# a2enmod userdir
Enabling module userdir.
Run '/etc/init.d/apache2 restart' to activate new configuration!

Another way, which I personally prefer is to create directly symlinks loading the module:


debian:~# ln -sf /etc/apache2/mods-available/userdir.load /etc/apache2/mods-enabled/userdir.load
debian:~# ln -sf /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-enabled/userdir.conf

Next restart Apache server to load the it as suggested by a2enmod:


debian:~# /etc/init.d/apache2 restart
Restarting web server: apache2 ... waiting .

If you want to Allow /home/*users* to be able to use .htaccess, php or simply install CMS systems or alike it is good idea to also change default AllowOverride settings for public_html for that edit /etc/apache2/mods-enabled/userdir.conf and change:



AllowOverride FileInfo AuthConfig Limit Indexes
....

to:



# AllowOverride FileInfo AuthConfig Limit Indexes
AllowOverride all
...

If you do so don’t forget to once again restart apache with /etc/init.d/apache2 restart.

One more thing is to enable PHP for /home/*/public_html, to do so edit /etc/apache2/mods-enabled/php5.conf and comment out:




php_admin_value engine Off




#
#
# php_admin_value engine Off
#

#

#

Thanks to Activating userdir on Debian server blog for pointing out how to enable php for userdirs 🙂

Another alternative way to enable userdirs is to directly create symlinks for each user public_html directory but I guess this is not a best practice, anyways if you prefer to use this instead of using mod_userdir do it with:


ln -sf '/var/www/~username' /home/username/public_html
ln -sf '/var/www/~username1' /home/username1/public_html
...

If you prefer to do symbolic links to public_html for all user homes, you can do it directly in a quick for bash loop by issuing:


for i in /home/*; do
f=$(echo $i | sed -e "s#/home/##g");
ln -sf "/var/www/~$f" /home/"$f"/public_html;
done

How to enable directory listing in apache

Friday, January 15th, 2010

I created a new domain for pc-freak’s exploit collection
I faced a small issue in creating the new VirtualHost to have a proper directory
listing, cause by default directory listing on my FreeBSD running Apache 2.0.63
is disabled.
It’s quite a common problem I’ve faced over the years of administration of
Apache Servers, everyting I had to enable directory listing for some domain
I had to check in Google again and again. I have to admit this is pretty boring.
Thus I decided to post the solution on my blog just in case if I have to enable
directory listing in the future. Here is the exact configuration directives:
ServerAdmin someemail@somehost.com DocumentRoot /util/exploitworld/ ServerName someservername.com AddDefaultCharset Off Options Indexes FollowSymLinks ExecCGI AllowOverride All Order allow,deny Allow from allThat’s it directory listing for someservername.com is already enabled. Cheers 🙂

Enable festival Linux (text-to-speech-system) to read/speak PDF and DOC files (Speech PDF and DOC in Festival Script)

Sunday, September 20th, 2009

Today I wondered if festival supports reading of PDF files on Linux? The answer due to my short research was NO!.

Well though I couldn’t find official program to speak PDFs for me it’s not such a big deal since it’s not so hard to convert PDF files into plain text files in Linux with pdftotext command. 

pdftotext is part of the poppler-utils which is a nice package which alsocontains pdfimages – enabling you to extract images from pdfs,
pdftohtml – pdf to html converter and
pdffonts – pdf font analyzier. The normal way to read PDF files via festival is: First use pdftotext to convert your PDF to text file

$ pdftotext filename.pdf outputfile.txt

and then to make computer speak it over festival default configured synthesizer:

$ cat outfile.txt | festival –tts
For convenience I’ve created a small shell script I calledfestival-read-pdf.sh which does this directly.

Please download the festival-read-pdf.sh shell script here Furthermore I wondered how to make the Microsoft Office .doc files to be played throughfestival. On that account It was required something to convert again the .doc file extension to plain text. I came across antiword which I’ve blogged about in my previous post. Thus to carry it via festival you need to: antiword filename.doc | festival –tts I’ve fastly scripted it for some convenience. Download the festival-doc-read.sh script here I’ve also created a third bash script which enables you to select either to play DOC or PDF file in Festival.
Here is a link to the festival’s festival-read-doc-en-pdf.sh PDF, DOC speaker script .
Talking about festival it might be interesting to mention fala – A simple text reader.If you’re a Debian user you’ll be glad to know there is already a package containg fala. Well I hope you’ll find the PDF, DOC festival speech scripts useful. Enjoy

END—–