Tuesday, January 16, 2007

Configure an apache web server to redirect http connections to https

It is easy to configure an Apache web server to enable SSL access, but sometimes people try to access the server without using SSL.

If you have not configured any virtual host with the same host name as your SSL one, they will reach the first virtual host that Apache finds on port 80 (the non-SSL port).

To prevent this kind of access, you can configure a non-SSL virtual host with the SSL host name and, inside it, redirect the requests to the SSL one. That will prevent your users from reaching the wrong server and will give you the peace of mind of knowing that all the communication with your SSL-enabled server is *really* encrypted.

The easiest way to do it is using the mod_rewrite engine with the following lines at the beginning of your SSL virtual host config file:


<VirtualHost *:80>
    DocumentRoot /var/www
    ServerName <full_qualified_hostname>
    <Location />
        RewriteEngine on
        # Only rewrite requests that did not arrive over SSL
        RewriteCond %{HTTPS} !=on
        # An absolute https:// target for an http request forces an external
        # redirect to the same host and path (the query string is kept)
        RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
    </Location>
</VirtualHost>


Now all the http connections to your SSL server will be redirected to the SSL connection.
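As an added check (not part of the original post), here is a small shell script that confirms the port-80 virtual host really redirects, and does so to the same host and path rather than to a fixed page or back to plain http. The host www.example.com and the three captured responses are constructed. Because the target is an absolute https:// URL for an http request, mod_rewrite issues an external redirect (302 unless you add R=301), and it keeps the original query string because the substitution contains no "?".

```shell
#!/bin/sh
# Added example, not from the original post: verify that the port-80 virtual
# host answers with a redirect to the same host and path over https.
# www.example.com and the sample responses below are constructed.

# check_https_redirect RESPONSE HOST PATH
# Returns 0 when RESPONSE is a 3xx whose Location is exactly https://HOST/PATH
check_https_redirect() {
    response=$1; host=$2; path=$3
    status=$(printf '%s\n' "$response" | tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
    case $status in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    location=$(printf '%s\n' "$response" | tr -d '\r' | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    [ "$location" = "https://$host$path" ]
}

# check_live_redirect HOST [PATH]: the same check against a running server
# (needs curl; not exercised by the offline samples below)
check_live_redirect() {
    host=$1; path=${2:-/}
    check_https_redirect "$(curl -sI "http://$host$path")" "$host" "$path"
}

# Constructed: what the rewrite rule in the post produces for GET /secure/login?x=1.
# The query string survives because the substitution contains no "?".
GOOD_RESPONSE='HTTP/1.1 302 Found
Location: https://www.example.com/secure/login?x=1
Content-Length: 0'

# Constructed: a 200 means the page was served in clear text, the situation the post fixes
CLEARTEXT_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html'

# Constructed: a redirect to a fixed target that loses the requested path
LOSSY_RESPONSE='HTTP/1.1 302 Found
Location: https://www.example.com/'
```

Run check_live_redirect against your own host name with a few real paths after enabling the virtual host; a clear-text 200 or a Location that drops the path means some request is still being served without SSL.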

Good luck.

Monday, December 18, 2006

Bind9: Unable to stop / restart

Today I found that I was not able to stop or restart the bind daemon, getting the error: rndc: connection to remote host closed

After googling for a few minutes I found that the problem is about the public key system used for the communication between the program that manages the daemon (rndc) and the daemon itself (named). How to solve it? That's what I'll explain in this post:

1. Generate a new pair of public/private keys:


To do it, you need to execute the following command:

root@:/etc/bind# dnssec-keygen -a hmac-md5 -b 256 -n HOST
K.+175+31628

Replace the host name placeholder with the name of the host you are configuring. That will generate two files, K.+175+31628.key and K.+175+31628.private.

2. Create a new config file for rndc:



Now we'll create the config file for rndc, but first we need to read the private key that we created in the previous step:

root@:/etc/bind# cat /etc/bind/K.+175+31628.private

You will get the following content:

Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: vqwertysx8jccnXb/B/rCjevk9inRtou9nS36NxxbxII=

Now we create a file called rndc.conf in the /etc/bind directory, writing the following:

key {
algorithm hmac-md5;
secret "vqwertysx8jccnXb/B/rCjevk9inRtou9nS36NxxbxII=";
};

server localhost {
key ;
};

options {
default-server localhost;
default-key "";
};

Take care that the secret line contains the Key line found in the private key file. Also note that you have to replace the placeholder with the name of your host ;-)

3. Edit the named config file:


The last step is to edit the named.conf file, adding the following lines:

key {
algorithm hmac-md5;
secret "vqwertysx8jccnXb/B/rCjevk9inRtou9nS36NxxbxII=";
};

server 127.0.0.1 {
keys { ;};
};

controls {
inet 127.0.0.1 allow { localhost; } keys { ; };
};

Again, take care to replace the key with your own key and the placeholder with your own host name.

4. Testing the new config:


Now it's time to test our work. To do it I recommend running tail -f on named.log, located in /var/log, to detect any error, or on the syslog if you don't have an exclusive log file for the bind daemon.

To stop and start the daemon the first time (assuming that you were not able to do it before the changes made in this tip), you'll have to kill -9 the daemon, and then execute:

root@# /etc/init.d/bind9 start

Now your daemon can be managed by you again, executing:

root@# /etc/init.d/bind9 stop or
root@# /etc/init.d/bind9 restart

without any annoying messages.
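The three files above must carry the same secret under the same key name; that agreement is what the steps restore. As an added example, not the post's own configuration, here is a shell script that writes rndc.conf and a named.conf include from one generated secret, plus a check that the two files still agree. The key name "rndc-key", the file name rndc-key.conf and the output directory are assumptions; it uses hmac-sha256, the current rndc-confgen default, where the post uses hmac-md5.

```shell
#!/bin/sh
# Added example, not the post's own configuration: build rndc.conf and a named.conf
# include from a single generated secret, then verify the two still agree.
# Key name "rndc-key", file name rndc-key.conf and the output directory are assumptions.

# Generate a 256-bit secret in base64, the same shape as the Key: line in the post.
# Assumes /dev/urandom and the base64 utility are available.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_rndc_files DIR KEYNAME SECRET [ALGORITHM]
write_rndc_files() {
    dir=$1; name=$2; secret=$3; alg=${4:-hmac-sha256}

    # Client side: what rndc reads (default-key makes a server stanza unnecessary)
    cat > "$dir/rndc.conf" <<EOF
key "$name" {
    algorithm $alg;
    secret "$secret";
};

options {
    default-server 127.0.0.1;
    default-key "$name";
};
EOF

    # Server side: include this file from named.conf. The controls channel accepts
    # rndc only from loopback and only when signed with this key.
    cat > "$dir/rndc-key.conf" <<EOF
key "$name" {
    algorithm $alg;
    secret "$secret";
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "$name"; };
};
EOF

    # Whoever reads the secret can stop or reconfigure named: keep both files private
    chmod 600 "$dir/rndc.conf" "$dir/rndc-key.conf"
}

# extract_secret FILE: prints the first secret "..." value in FILE
extract_secret() {
    sed -n 's/^[[:space:]]*secret "\([^"]*\)";/\1/p' "$1" | head -n 1
}

# keys_match DIR: 0 when rndc.conf and rndc-key.conf carry the same non-empty secret,
# the condition the post restores to get rid of "connection to remote host closed"
keys_match() {
    a=$(extract_secret "$1/rndc.conf")
    b=$(extract_secret "$1/rndc-key.conf")
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Write the files into /etc/bind, add include "/etc/bind/rndc-key.conf"; to named.conf and restart named once; from then on rndc reload and rndc stop work with the new key. On current BIND 9 releases rndc-confgen -a performs the same generation step for you.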

If you have any other problem, let me know.

Good luck.

Monday, September 04, 2006

Disable preview of video files in Explorer

Advances in technology are good, but so often they give you a lot of problems too. That's the case with Microsoft's advances.

When you reach a folder with avi, mpeg, wmv or any other video format available under the Redmond platform, Explorer tries to open it to show you the first frame on the left of the screen. That's quite useless, because so often the first frame of a movie is a blank screen or the logo of the movie studio. The problem arises when you try to delete the file, or do anything with it, and Windows gives you an error saying the file is busy and cannot be deleted, because Explorer has opened it to show you the preview.

In these cases I recommend disabling Explorer's preview option for media files. That will give you a lot of speed browsing folders with video, and the problems managing those files will disappear. To do it you only have to open a command line window (Start -> Run -> cmd) and on the black screen write the following:

regsvr32 /u shmedia.dll

Now the preview of media files is disabled.

Monday, August 28, 2006

Different ways to start a Linux that doesn't boot

Linux is a tough operating system, with strong security, a stable kernel (the operating system core) and a lot of flexibility, but that can be your worst nightmare if you type the wrong commands: it's easy to destroy a Linux system if you ask it to.

One of the most typical situations is to have a Linux system that doesn't boot. That is a simple problem, but you may feel naked, because you are not able to type anything into your Linux, because it doesn't start!!

The most typical non-boot situations I have found are:

  1. The owner of the installation forgot the root password

  2. The new and incredible Linux kernel you recently installed gives you a kernel panic

  3. LILO hangs in the boot process and the kernel doesn't start

  4. You have installed a new Linux and it doesn't start up


There are many causes for each of the problems listed above, but it's clear that in all those situations the first problem we have is that we cannot access a shell, so we cannot type the commands needed to solve the problem. In this page I'll try to solve the most usual problems, but feel free to write a comment if you cannot solve your problem with these tips, so I can help you and complete the page.

So, the first thing we have to do is to access our crashed Linux. There are a few ways, depending on the nature of the problem:

1. Reset the root password


The simplest problem is not remembering the root password. To solve it we have to start the boot process, pressing the SHIFT key when LILO shows up on the screen. A prompt will appear. If we press the TAB key we'll see the available kernels. We'll choose the first one, usually called linux, so we'll type the following command at the LILO prompt:

LILO: linux init=/bin/sh

What we are saying is that Linux has to run the shell as the first step of the boot process, so we'll get into the operating system without entering any password. Now we have to execute another command, because during the boot process the root partition is mounted read-only, so we need to remount it read-write to reset the password:

# mount -o rw,remount /

Now we can execute the passwd command without parameters to reset the root password.

2. The kernel gives you a kernel panic


To solve that problem we need another kernel to boot the operating system. Under Debian, when installing the new kernel with the dpkg tool, the system keeps the previous kernel as an old kernel.
When you see the LILO word during the startup process, you can press the SHIFT key to enter a boot command. The TAB key gives us the list of kernels, and typing the name of another kernel in place of linux will boot a previous kernel. Now we'll be able to uninstall the new kernel.

3. LILO hangs in the boot process and the kernel doesn't start


That problem can be solved with a live CD or the install CDs of your distribution. Under Debian you can use the first or the fifth CD (or the DVD of the distribution) to start a Debian install. At the first screen of the install process press CTRL+F2 to switch to a shell. The following commands mount the root filesystem and run lilo to reinstall it:

# mount /dev/hda1 /mnt
# chroot /mnt
# lilo
# exit

It's clear that you have to replace hda1 with your root partition. The root partition is usually hda1 on a Linux-only disk or hda2 on a dual-boot Windows and Linux disk.
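As an added example (not from the original post), here is a script for problem 3 that checks the partition you mounted really is a LILO-managed root before chrooting into it, and bind-mounts the rescue system's /dev and /proc first, since lilo opens the boot device by name and a udev-managed on-disk /dev is mostly empty. The mount point /mnt and the lilo.conf used in the tests are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: reinstall LILO from a rescue or install
# CD, after checking that the mounted partition really is a LILO-managed root.
# The mount point /mnt is an assumption; pass your root partition as the argument.

# looks_like_lilo_root DIR: 0 when DIR holds /etc/lilo.conf and /sbin/lilo
looks_like_lilo_root() {
    [ -f "$1/etc/lilo.conf" ] && [ -x "$1/sbin/lilo" ]
}

# boot_device_from_conf FILE: prints the "boot=" device lilo will write to, if set
boot_device_from_conf() {
    sed -n 's/^[[:space:]]*boot[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# reinstall_lilo PARTITION [MOUNTPOINT]: mount, validate, chroot, run lilo, clean up
reinstall_lilo() {
    part=$1; mnt=${2:-/mnt}
    mount "$part" "$mnt" || return 1
    if ! looks_like_lilo_root "$mnt"; then
        echo "$part does not look like a LILO-managed root partition" >&2
        umount "$mnt"
        return 1
    fi
    echo "lilo.conf says boot=$(boot_device_from_conf "$mnt/etc/lilo.conf")" >&2
    # lilo opens the boot device by name, so the chroot needs the rescue
    # system's /dev (and /proc) rather than the mostly empty ones on disk
    mount --bind /dev "$mnt/dev"
    mount --bind /proc "$mnt/proc"
    chroot "$mnt" /sbin/lilo
    rc=$?
    umount "$mnt/proc" "$mnt/dev" "$mnt"
    return $rc
}

# Usage from the install CD shell: sh reinstall_lilo.sh /dev/hda1
if [ -n "${1:-}" ]; then
    reinstall_lilo "$1" "${2:-}"
fi
```

If the validation fails, try the other partitions of the disk before assuming LILO is broken: a wrong guess at the root partition is the usual reason the chroot step in the post does nothing useful.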

4. You have installed a new Linux and it doesn't start up


The last step when you install an operating system is to make the disk bootable. If there is a problem during this step, or you cancel it, the operating system is correctly installed but the computer doesn't know that the installation was done.

To tell the computer that all is right and it can start our new operating system, we can start the installation process again and execute the same steps as for problem number 3 (LILO hangs) in this page.

Friday, August 25, 2006

Are your servers cool enough?

During a SAP R/3 implementation a few years ago in our company, with a startup of more than 10 modules and an Add-On (IS-U/CCS), can you guess what our worst problem during the startup was? The temperature!

A month prior to the startup, at the beginning of June, we received the hardware to install the productive system. The development had gone very well, on schedule, and the startup day, August 1, seemed to be a comfortable date to start, just when people start their holidays in Spain.

The problem arose when we started the new productive cluster systems and the SAN array. The temperature of the datacenter kept increasing until July 20, when the productive system stopped itself because of overtemperature.

That mistake, which was solved by buying a portable air conditioning system until the datacenter was upgraded with more cooling power, was a serious problem for a project with more than 60 people involved and six months of work.

That's something that will never happen to me again. The new datacenter has enough cooling power to maintain up to double our current servers, and has multiple independent systems, but that will not be enough if you are not aware of the temperature in the datacenter, because the cooling systems can fail or can be powered off by the cleaning lady ;-)

Now I have multiple hardware thermometers with TCP/IP, SNMP and web server enabled, which can be found at W&T. That system has multiple temperature sensors, so you can keep an eye on multiple critical points of temperature. Connect the system to an SNMP agent and you have an online temperature monitor that can alert you of temperature rises.

About Secunia

As a system administrator, I have found a very useful companion in Secunia, a company that receives information about security vulnerabilities from major hardware and software vendors, classifies the advisories and sends you, in a tagged way, only the advisories you are interested in.

It's a way to increase the security of a company, or at least to know how you are dealing with security in your company, helping you manage the balance between security and time.

I have been a customer for half a year and I'm very glad of the service. I recommend it to any sysadmin that has not enough time to take care of Bugtraq lists and support web pages, or any CIO concerned about the security of his IT infrastructure.

Oracle ORA 221 Error

Recently I found an ORA-00221 on one of my customers' systems. The problem arose when a SCSI controller failed, resulting in an I/O error writing one of the control files.

The problem is serious, because the database stops and is not able to start again, but don't panic, the solution is quite easy.

Control files are read during instance start. You will see the error, as ORA 221 or ORA-00221, in the alert log, and the database is left unmounted.

To solve the problem, stop the instance and then, looking at the alert log and locating the entry about the 221 error, find the corrupted control file. Then rename the corrupted file (I have learned in all my years as a system administrator that you should never delete a file: rename it and delete it a few weeks later, when you are sure you'll not need it any more), and finally copy one of the other control files to the name of the first one.

Now, if you restart the database all should be fine.
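As an added example, not from the original post, here is a shell script that pulls the failing control file name out of the alert log and swaps it out the way described above, renaming rather than deleting. The alert log excerpt is constructed, and it assumes the ORA-00221 entry is followed by an ORA-00202 line naming the file; the paths under /u01/oradata/PROD are invented. The instance must be shut down before it runs.

```shell
#!/bin/sh
# Added example, not from the original post: locate the control file named in the
# alert log and replace it with a healthy copy, keeping the damaged one under a new name.
# Paths and log lines are constructed; the instance must be shut down first.

# Constructed alert log excerpt (assumes ORA-00202 names the failing file)
SAMPLE_ALERT_LOG="ORA-00221: error on write to control file
ORA-00206: error in writing (block 3, # blocks 1) of control file
ORA-00202: control file: '/u01/oradata/PROD/control02.ctl'"

# corrupt_controlfile_from_log: reads alert log text on stdin and prints the first
# control file path reported by an ORA-00202 line
corrupt_controlfile_from_log() {
    sed -n "s/^ORA-00202: control file: '\([^']*\)'.*/\1/p" | head -n 1
}

# replace_controlfile BAD GOOD: rename BAD with a dated .corrupt suffix, then copy
# GOOD over its original name so the CONTROL_FILES parameter needs no change
replace_controlfile() {
    bad=$1; good=$2
    [ -f "$good" ] || { echo "healthy control file $good not found" >&2; return 1; }
    [ "$bad" != "$good" ] || { echo "refusing to overwrite $good with itself" >&2; return 1; }
    backup="$bad.corrupt.$(date +%Y%m%d)"
    [ ! -e "$backup" ] || { echo "$backup already exists" >&2; return 1; }
    mv "$bad" "$backup" || return 1
    cp "$good" "$bad"
}

# Usage: sh fix_controlfile.sh /path/to/alert_SID.log /path/to/healthy_control.ctl
if [ $# -eq 2 ]; then
    bad=$(corrupt_controlfile_from_log < "$1")
    [ -n "$bad" ] || { echo "no ORA-00202 line found in $1" >&2; exit 1; }
    replace_controlfile "$bad" "$2"
fi
```

The dated backup name is what lets you follow the rename-first rule from the post: the damaged copy stays on disk for a few weeks and is removed only once the database has been running cleanly.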

Monday, June 19, 2006

Problems with sudo and remote connections by ssh

SSH is a great tool that gives you security on your terminal sessions. As an improvement, it also provides a way to redirect your X-Windows session through it, giving you a way to run any graphical application from a local machine.

To work this way under Windows I use the X-Win32 program, which gives you a way to connect to an X-Windows server and, in the latest versions, provides an SSH client (PuTTY) that lets you connect using SSH as described above.

The way SSH tunnels the connection is by creating a virtual display that redirects the information of the graphical session through the established ssh connection to the client host. That is easy to see if you take a look at the DISPLAY environment variable.

The problem comes when you have opened a remote xterm and then change user with commands like sudo or su. Those applications erase all the environment variables, including DISPLAY.

The workaround is to create a script that passes that information to a new shell. In the following lines I'll detail that script, which I called sudox.

-------------8<--------------------------------------
#!/bin/sh
#
# sudox by jllaurado
#
# Shell to run as the new user (change it to your preferred one)
SHELL=/bin/bash

# $DISPLAY and $HOME are expanded here, before sudo runs, so they still belong
# to the invoking user; the new shell then exports them so that X clients
# started from it reach the SSH-forwarded display.
sudo $SHELL -i -l -c "DISPLAY='$DISPLAY'; XAUTHORITY='$HOME/.Xauthority'; export DISPLAY XAUTHORITY; exec $SHELL"
-------------8<--------------------------------------

As you can see, the script executes a bash shell (you can change the shell to your preferred one) and then exports the DISPLAY and XAUTHORITY environment variables.
The first, as explained before, points to the virtual SSH X-Windows display, and the second points to the cookie X-Windows uses to control who is allowed to access your display. That is important, because this script will only work if you change to the user root, because root has access to the .Xauthority file of any user.

Another way to do this is copying the .Xauthority file from the user that executes the sudox script to the home of the new user, but that way of solving the problem also gives the new user access to your session even after you leave that shell (you'll have to delete it afterwards).

Wednesday, May 03, 2006

New Firefox release

The Mozilla Foundation has published a new release of their successful web browser Mozilla Firefox. This release (1.5.0.3) is published to solve a vulnerability categorized as Highly critical by Secunia in its advisory.

You can download it from Mozilla and it's available in multiple languages.

Firefox is a browser based on the source code of the Mozilla web browser, and before that Netscape Navigator, that is eating market share from Internet Explorer every month. Looking for a few statistics I have found a browser market share from W3Schools giving 25% of the market to Firefox, and the worst I have found gives a market share of 10.68% to Firefox and rising.

Anyway, it's clear that Firefox is the direct competitor of Internet Explorer; you only have to look at the new design of IExplorer 7 to see how Microsoft is learning from the open source guys ;-)