November 3, 2013
I just had the problem that I was not able to resume a suspended KVM guest. It happened when I powered my KVM server down to add a new hard disk. The server did not power the guests down but suspended them instead (libvirt's managed save). I only realized this when the guest offered no “Run” option, just “Restore”.
When I tried to “Restore” it I got the following:
The problem was that I had removed a USB device that was mapped into the guest some time ago, and on restore libvirt checked for it and failed. The solution was to delete the corrupted managed-save image so the machine could boot fresh again. Naturally the suspended session was lost, which from the guest's point of view is the same as an unclean power-off at the moment of the save, so expect a filesystem check on its next boot; in my case that was acceptable.
[root@kvmserver ~]# virsh managedsave-remove <NameOfGuest>
Removed managedsave image for domain servicesint
Maybe there is a graphical way to do it, but I didn't look further as this worked.
September 28, 2013
I just had to find out the external IP address (as seen from the Internet) of a Linux server which is behind a NAT router. The usual way, opening a site like WhatsMyIP in a browser, didn't work as I was only connected to the server via SSH. But the solution is quite easy thanks to the guys from ipecho; just type:
wget http://ipecho.net/plain -O - -q ; echo
That's so easy! And even faster than using a browser in the first place. Keep in mind that the reply comes over plain HTTP from a third party, so validate it before you feed it into anything else (a firewall rule, a DNS update).
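The same lookup wrapped so that a script can safely use the result, as an added example that is not part of the original post: the reply is only accepted if it parses as a dotted-quad IPv4 address, and it assumes ipecho.net answers the same over https as over the http URL above.

```shell
#!/bin/sh
# Fetch the public address from a shell and refuse to use anything that is
# not a plain IPv4 address.  Added example, not from the original post; it
# assumes https://ipecho.net/plain returns the same bare address as http.

# is_ipv4 ADDR: succeed only for a dotted quad with four octets of 0-255
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, bad chars, stray dots
    esac
    n=0
    saved_ifs=$IFS
    IFS=.
    for octet in $1; do
        n=$((n + 1))
        if [ ${#octet} -gt 3 ] || [ "$octet" -gt 255 ]; then
            IFS=$saved_ifs
            return 1
        fi
    done
    IFS=$saved_ifs
    [ "$n" -eq 4 ]
}

# external_ip: print the address, or fail loudly if the service answered with
# something else (a captive portal, an error page, an injected redirect ...)
external_ip() {
    reply=$(wget -q -T 10 -t 1 -O - https://ipecho.net/plain) || return 1
    if ! is_ipv4 "$reply"; then
        printf 'unexpected reply from ipecho.net: %s\n' "$reply" >&2
        return 1
    fi
    printf '%s\n' "$reply"
}
```

Call `external_ip` and check its exit status; a non-zero status means the network answered, but not with an address you should trust.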
September 15, 2013
I've just upgraded my PHP install from 5.3.25 to 5.4.19 and ran into the problem that some PHP programs on my server stopped working. The first I found to have a problem was Tiny Tiny RSS, which I use myself. I was not able to log in to it anymore, and in the log file I found the following:
[Sun Sep 15 11:00:31 2013] [warn] [client xxx.xxx.xxx.xxx] mod_fcgid: stderr: PHP Warning: Unknown: Failed to write session data (user). Please verify that the current setting of session.save_path is correct (/var/xxxxxx/sessions/) in Unknown on line 0, referer: https://xxxxxxxx/
After a long search I found out that it worked again if I disabled suhosin (a module that hardens PHP) by editing
/etc/php.d/suhosin.ini and putting a ; in front of
But this is not a secure way to handle it, so I searched further and found a pull request on GitHub which solves the problem. You need to patch and compile the module yourself, but technically it is fixed.
September 1, 2013
A friend asked me how he can access his Nexus 7 device via USB on his Ubuntu 12.04 notebook. With Android versions below 4.0 that was simple, as the device registered as a mass-storage device. The problem now is that stock Ubuntu 12.04 does not support MTP via GVFS (the virtual filesystem of the GNOME desktop). Newer Ubuntu versions, e.g. 13.04, already ship a GVFS version that supports MTP, but these are not LTS versions of Ubuntu, which I recommend for the average user. It is, however, quite easy to install a newer version of GVFS on Ubuntu 12.04 (and 12.10) that does support it.
First you need to start a terminal. For this click on the Dash home icon (1), then type “terminal” (2) and you'll see the terminal icon; click on it (3).
Now copy and paste the following into the terminal (the PC needs to be connected to the Internet while going through these steps). Note that adding a PPA means that packages built by its maintainer are installed with root privileges and will take precedence over Ubuntu's own versions on every future upgrade, so only do this for a PPA whose maintainer you trust:
sudo add-apt-repository ppa:langdalepl/gvfs-mtp
Enter your user password and then you'll be shown the following text:
You are about to add the following PPA to your system:
These builds of gvfs have my native mtp backend backported from gvfs master. Use this to easily access MTP based devices with Nautilus.
More info: https://launchpad.net/~langdalepl/+archive/gvfs-mtp
Press [ENTER] to continue or ctrl-c to cancel adding it
Hit the Enter key. After this is done you need to type the following command, which updates the package list:
sudo apt-get update
After this was successful you need to upgrade the installed packages with:
sudo apt-get upgrade
It should show something like this:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
gvfs gvfs:i386 gvfs-backends gvfs-bin gvfs-common gvfs-daemons gvfs-fuse gvfs-libs gvfs-libs:i386 libmtp-common libmtp-runtime libmtp9
12 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,193 kB of archives.
After this operation, 4,157 kB of additional disk space will be used.
Do you want to continue [Y/n]?
Just press Enter here (Y is the default selection) to install the packages.
Now you just need to restart your PC. After login, connect your Android device to the PC and the file manager Nautilus will open with your USB device.
August 26, 2013
I needed to move to a new mail server as the old one got too old. I had one problem: I didn't know the old passwords of the virtual courier-imap users, and the new system didn't use the same hashing. It was fine to use new passwords on the new server, but I needed to sync most of the mail before I disabled the old mail server, as some users had really big mailboxes which would take too long to sync at switch-over time. So I needed a way to access the mail without knowing or resetting the old passwords. This post describes how I did the migration:
- I created a new user called “migrate” on the old mail server, then removed its mail directory, in my case:
rm -rf /var/mail/domains/penz.name/migrate
And then I created a symlink to the Maildir of the user whose mail I wanted to migrate:
ln -s /var/mail/domains/penz.name/robert/ /var/mail/domains/penz.name/migrate
Now I was able to log in to that account with the “migrate” user and password. Be aware that while such a symlink exists the “migrate” password grants full read and write access to that user's mail, so give it a strong password and delete the account once the migration is finished.
- For the migration I used the de-facto standard imapsync. I ran it for the first user to check that it worked correctly (and also checked the mail on the new server and so on).
- Then I wrote a small script which created the symlink, started imapsync, removed the symlink, created the next symlink, and so on, with some error handling.
- All of the above was done without the users noticing. Most mail was now migrated, except changes to the old mailboxes after imapsync had done its job.
- I sent a mail to the users telling them about the move to the new server, providing the exact date of the change and their new login data, and that it could take some hours until all of their mail was migrated.
- On the given date I changed the DNS entries to the new server, stopped the SMTP/webmail services on the old server and made sure the IMAP service was only reachable by the imapsync script (with iptables: only from localhost and only for the uid the script ran as, via the owner match). Users who had already reached the new mail server (via webmail or IMAP) got most of their mail; the others couldn't connect until their DNS server had picked up the change. (It was done on a weekend.)
- New mail from other SMTP servers was deferred or already delivered to the new server.
- After I had made sure the old mailboxes couldn't be changed anymore, I started the script again to sync the differences to the new server. This was now really fast as imapsync only needed to transfer a few mails.
- After the script was through I could switch the old server off.
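The symlink-and-imapsync loop from the steps above, as an added example (not the script from the post). The hostnames, the password files and the user@domain login form are assumptions about the setup; the Maildir layout is the one shown above.

```shell
#!/bin/sh
# Migrate every mailbox by pointing the throw-away "migrate" account's
# Maildir at one user after another and running imapsync against it.
# Added example of the loop described in the post, not the author's script;
# hostnames, password files and the "user@domain" login form are assumptions.
set -u

MAILBASE=${MAILBASE:-/var/mail/domains/penz.name}   # Maildir parent, as in the post
MIGRATE=${MIGRATE:-migrate}                          # throw-away account on the old server
DOMAIN=${DOMAIN:-penz.name}
OLDHOST=${OLDHOST:-oldmail.penz.name}                # assumed
NEWHOST=${NEWHOST:-newmail.penz.name}                # assumed
OLDPASS=${OLDPASS:-/root/migrate.pass}               # assumed: mode 0600, password of "migrate"
NEWPASSDIR=${NEWPASSDIR:-/root/newpass}              # assumed: one 0600 file per user, new password

# point_at USER: make $MAILBASE/$MIGRATE a symlink to USER's Maildir
point_at() {
    src=$MAILBASE/$1
    link=$MAILBASE/$MIGRATE
    [ -d "$src" ] || { echo "no Maildir for $1 at $src" >&2; return 1; }
    # refuse to clobber anything that is not a leftover symlink of ours
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "$link exists and is not a symlink, refusing" >&2
        return 1
    fi
    rm -f "$link" && ln -s "$src" "$link"
}

# migrate_user USER: sync one mailbox and always remove the symlink afterwards,
# so "migrate" never keeps access to a user's mail longer than the sync runs
migrate_user() {
    point_at "$1" || return 1
    imapsync --host1 "$OLDHOST" --user1 "$MIGRATE@$DOMAIN" --passfile1 "$OLDPASS" \
             --host2 "$NEWHOST" --user2 "$1@$DOMAIN"       --passfile2 "$NEWPASSDIR/$1" \
             --syncinternaldates --nolog
    rc=$?
    rm -f "$MAILBASE/$MIGRATE"
    [ "$rc" -eq 0 ] || echo "imapsync for $1 failed with status $rc" >&2
    return "$rc"
}

# migrate_all < userlist: one user per line; keeps going after a failure and
# returns the number of users that did not sync
migrate_all() {
    failed=0
    while read -r user; do
        [ -n "$user" ] || continue
        migrate_user "$user" || failed=$((failed + 1))
    done
    echo "users that failed to sync: $failed" >&2
    return "$failed"
}
```

Run it on the old server as `migrate_all < users.txt`, once before the announcement and again after the old mailboxes have been frozen; the second run only transfers the delta. Because the symlink is removed even when imapsync fails, a user's mail is never left exposed through the “migrate” account between runs.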
I hope these steps help others. If you have another or better way to migrate, tell me about it in the comments. Thx.
May 27, 2013
I know now that this script has been there for years, but I only found it some months ago when I installed MySQL on CentOS and it told me to use it. I checked, and it is also present on an old Ubuntu 8.04 LTS (released 5 years ago). The script is called:
Here are the questions it asks you:
Change the root password? [Y/n]
Remove anonymous users? [Y/n]
Disallow root login remotely? [Y/n]
Remove test database and access to it? [Y/n]
Reload privilege tables now? [Y/n]
You really should run this program, as it makes the basic securing of MySQL really easy.
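For the cases where you cannot answer prompts (kickstart, configuration management, a dozen servers at once), here is the SQL behind questions 2 to 5, wrapped in a small shell helper. This is an added example and not the distribution's script; it targets the MySQL 5.x privilege tables of that era and leaves the root password change (question 1) to SET PASSWORD or to the interactive run.

```shell
#!/bin/sh
# The SQL behind the prompts above, for running the same hardening
# non-interactively.  Added example, not the distribution's script; it
# targets the MySQL 5.x privilege tables and leaves the root password change
# to "SET PASSWORD" or the interactive run.
set -u

# secure_sql [keep-remote-root]: print the statements that answer "Y" to
# questions 2 to 5; pass keep-remote-root to answer "n" to question 3
secure_sql() {
    # anonymous accounts let anybody on the host log in without a password
    printf '%s\n' "DELETE FROM mysql.user WHERE User='';"
    if [ "${1:-}" != keep-remote-root ]; then
        # root stays usable only over the local socket and loopback
        printf '%s\n' "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');"
    fi
    # the test database plus the mysql.db wildcard rows that grant everyone
    # access to databases named test and test_*
    printf '%s\n' "DROP DATABASE IF EXISTS test;"
    printf '%s\n' "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';"
    printf '%s\n' "FLUSH PRIVILEGES;"
}

# secure_mysql [keep-remote-root]: run the statements as root over the local
# socket; mysql prompts for the root password
secure_mysql() {
    secure_sql "$@" | mysql -u root -p
}
```

`secure_sql` alone prints the statements, so you can review them before `secure_mysql` applies them; the `Db='test\_%'` row is the literal wildcard entry the default privilege tables ship with, which is why it is matched with `=` rather than `LIKE`.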
May 20, 2013
As Google is discontinuing Google Reader I needed to look for alternatives, and after some looking I went for Tiny Tiny RSS, which I can run on one of my web servers. At least that was the theory. The problem I faced was that Tiny Tiny RSS seems to have trouble with a halfway secure PHP setup, so I needed to make some changes to get it working. I didn't find much documentation on this topic, and it seems the Tiny Tiny RSS developers are not really security-minded, so here is what I did.
1. open_basedir is not supported
I did as described in the install notes and went to the http://your.site.com/tt-rss/install/ URL to use the installer to configure my Tiny Tiny RSS, but I was prompted with this error message:
PHP configuration option open_basedir is not supported. Please disable this in PHP settings file (php.ini).
I searched the Internet, and it seems that some obscure errors can occur if you use open_basedir. To me it looks more like: I (the developer) don't have the problem, the user has it and has open_basedir enabled, so that must be the cause. Anyway, open_basedir is an important security measure for PHP hosting; don't ever disable it, especially if you have more than one vhost. I have been running with open_basedir enabled for two weeks now without any obscure errors (or any errors at all). At the time of writing I was running PHP 5.3.23 and 5.3.25 on this server.
After these preliminary words, how did I get rid of this error message? Simple: I just commented out the raising of the exception. For this, open install/index.php in a text editor, search for the line containing “option open_basedir is not supported” and comment it out like this:
And you need to do the same in the
2. passthru disabled
I wanted to run the ./update.php --daemon command from the command line but got the following error message:
PHP Warning: passthru() has been disabled for security reasons in /var/www/xxxx/html/update.php on line 150
This is because a securely configured default php.ini has the following set:
disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source
I re-enable disabled functions per vhost, so I don't end up with the least common denominator for security. In this case I needed to make sure that the update.php called via the command line uses a custom-made php.ini. I therefore created this bash script.
In this directory a special php.ini is located which has
3. undefined function posix_getpid
I wanted to use the
update_daemon2.php script as it is recommended but I got following error message:
[09:48:30] [MASTER] installing shutdown handlers
PHP Fatal error: Call to undefined function posix_getpid() in /var/www/xxxx/html/update_daemon2.php on line 223
PHP Fatal error: Call to undefined function posix_getpid() in /var/www/xxxx/html/update_daemon2.php on line 236
PHP Fatal error: Call to undefined function posix_getpid() in /var/www/xxxx/html/update_daemon2.php on line 99
The solution on CentOS/RHEL/SL is easy: just install the POSIX package for PHP:
yum install php-posix
I hope this post helps others who move to Tiny Tiny RSS and still want a reasonably secure PHP setup.
May 12, 2013
I was again searching for the directories or files on one of my servers which were filling up the hard disk. Normally I used du -hs * starting at / and working my way down the directory tree, but not this time. I went looking for a command line program which makes that easier, and I found it: welcome NCurses Disk Usage.
On CentOS/RHEL/SL you need the EPEL repository and then just type yum install ncdu. On Ubuntu just type sudo apt-get install ncdu.
If you use it via SSH it is recommended to use the option -q, which according to the manual does the following:
-q Quiet mode. While calculating disk space, ncdu will update the screen .10 times a second by default, this will be decreased to once every 2 seconds in quiet mode. Use this feature to save bandwidth over remote connections.
And as I normally know which partition I want to look at (df -h tells me which filesystem is getting full), I use the following option too:
-x Only count files and directories on the same filesystem as the specified dir.
which leads to this output after starting it:
February 26, 2013
With SSL-protected resources it is easy to find a command line to retrieve the certificate; the following is documented in many places:
openssl s_client -connect www.google.com:443
But if you use this against a STARTTLS server, be it SMTP or FTP, you'll get the following, because the server greets you in cleartext while s_client is waiting for a TLS ServerHello:
527654:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:607:
The solution is quite easy (if you know it): tell s_client to speak the cleartext protocol first and upgrade to TLS with STARTTLS, using the following command lines:
openssl s_client -connect ftp.xxxx.at:21 -starttls ftp
openssl s_client -connect smtp.xxxx.at:25 -starttls smtp
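The two invocations above generalized into a small helper, as an added example that is not from the original post: it picks the -starttls protocol from the port, adds -servername so that a server hosting several names returns the certificate for the name you asked for (SNI), and prints subject, issuer and validity instead of the raw handshake. The port-to-protocol table is an assumption about the usual service layout.

```shell
#!/bin/sh
# Dump the certificate of a TLS or STARTTLS service and show who issued it and
# when it expires.  Added example, not from the original post; the port to
# STARTTLS mapping covers the protocols openssl s_client has long supported
# and assumes the services sit on their standard ports.

# starttls_for_port PORT: print the s_client -starttls protocol for a cleartext
# port that upgrades to TLS, nothing for ports that speak TLS from the start
starttls_for_port() {
    case "$1" in
        21)      echo ftp ;;
        25|587)  echo smtp ;;
        110)     echo pop3 ;;
        143)     echo imap ;;
        5222)    echo xmpp ;;
        *)       ;;              # 443, 465, 993, 995, ... are TLS immediately
    esac
}

# show_cert HOST PORT: print subject, issuer and validity dates of the server certificate
show_cert() {
    [ $# -eq 2 ] || { echo "usage: show_cert HOST PORT" >&2; return 2; }
    host=$1
    port=$2
    proto=$(starttls_for_port "$port")
    # -servername sends SNI; without it a virtual-hosting server may hand you
    # its default certificate instead of the one for $host
    set -- -connect "$host:$port" -servername "$host"
    [ -n "$proto" ] && set -- "$@" -starttls "$proto"
    openssl s_client "$@" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}
```

`show_cert smtp.xxxx.at 25` is then the same as the second command above, plus the x509 summary; for a certificate check in monitoring, pipe the `notAfter=` line into your expiry comparison of choice.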
February 24, 2013
A friend of mine got a new root server and asked me to help him set it up. Of course I helped, and as he got a free IPv6 subnet I thought let's configure it. He is running Proxmox as his host system, which is based on Debian, so this guide also applies to Debian systems with OpenVZ installed.
- If you want to use IPv6 on the host system, you need to add at least the following to
iface vmbr0 inet6 static
up ip -6 route add default via 2001:xxxxx:beef::1 dev vmbr0
down ip -6 route del default via 2001:xxxxx:beef::1 dev vmbr0
(Use eth0 instead of vmbr0 if you're not using Proxmox but only OpenVZ on Debian.) The stanza also needs the host's own IPv6 address and prefix length to be complete.
- The ISP where my friend's server is located uses a default gateway which is not inside his IPv6 subnet, so you need to add a host route to the gateway first. This is done with the following 2 lines:
up ip -6 route add 2001:4ba0:fff7:1:beef::1 dev vmbr0
down ip -6 route del 2001:4ba0:fff7:1:beef::1 dev vmbr0
- Restart the networking with:
- Test it with the following:
ping6 2001:4860:4860::8888 (Google's IPv6 DNS server)
- Add the following to /etc/sysctl.conf and make sure it is not defined twice:
# IPv6 Packet Forwarding and Proxy NDP
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.proxy_ndp = 1
net.ipv6.conf.all.proxy_ndp = 1
Run sysctl -p to activate it at once (so no reboot is required).
- Go to /etc/vz/vz.conf and make sure the following is in there:
- You currently can't add an IPv6 address through the Proxmox web GUI, so you need to use the CLI (replace the address with one from your IPv6 range):
vzctl set <VEID> --ipadd 2001:xxx:xxx::xxx --save
- Restart the VE and try the ping from the test step above inside the VE. (PS: it can take up to 5 pings before you get the first response, while neighbour discovery completes.)
More is not needed; it's quite easy!
PS: don't forget to add an IPv6 DNS server if it is an IPv6-only VE. This can currently not be done via the Proxmox web GUI.
PPS: iptables does not filter IPv6; you need ip6tables for that. Don't think you're secure just because you didn't open anything with iptables: with forwarding and proxy NDP enabled as above, every IPv6 address you assign to a VE is reachable from the Internet until ip6tables rules say otherwise.
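A starting ruleset for exactly that, as an added example that is not from the original post: it drops everything unsolicited on the host, lets only the listed TCP ports be forwarded into the VE prefix, and keeps ICMPv6 open, since neighbour discovery and router advertisements run over ICMPv6 and blocking them breaks IPv6 entirely. The prefix, the port list and the use of the conntrack match are assumptions about the host.

```shell
#!/bin/sh
# Minimal ip6tables policy for a host that forwards IPv6 to its VEs: protect
# the host itself and only forward the ports you choose into the VE prefix.
# Added example, not from the original post; PREFIX and the port list are
# parameters, the prefix used in the test is the IPv6 documentation range.
set -u

# ip6_rules PREFIX PORT...: print an ip6tables-restore file that allows SSH to
# the host, everything outbound from PREFIX and the given TCP ports into PREFIX
ip6_rules() {
    [ $# -ge 1 ] || { echo "usage: ip6_rules PREFIX [PORT...]" >&2; return 2; }
    prefix=$1
    shift
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmpv6 -j ACCEPT
-A FORWARD -s $prefix -j ACCEPT
EOF
    # one ACCEPT per published service, everything else into the VEs is dropped
    for port in "$@"; do
        printf '%s -d %s -p tcp --dport %s -j ACCEPT\n' '-A FORWARD' "$prefix" "$port"
    done
    echo COMMIT
}

# apply_ip6_rules PREFIX PORT...: load the whole policy atomically
apply_ip6_rules() {
    ip6_rules "$@" | ip6tables-restore
}
```

Review the output of `ip6_rules 2001:db8:1::/64 80 443` first, then `apply_ip6_rules` with the same arguments; on Debian the iptables-persistent package reloads a saved copy from /etc/iptables/rules.v6 at boot, otherwise hook the restore into if-pre-up.d so the VEs are never up without the policy.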