Aug 232011
 

Installing mwforum on Debian Lenny 5.0 and 6.0

There are many perl packages required by MWForum, Im not totally sure if all of them are required, but here is the list of packages that will get MWForum fully working with Image Uploading, Image resizing, attaching image, Avatar, text quote and email support.

Install required debian packages with aptitude:

# aptitude install libgd-gd2-perl libgd2-xpm imagemagick libimage-base-bundle-perl libimage-magick-perl libimage-info-perl libimage-exif-perl libimage-base-perl libimage-imlib2-perl libimage-size-perl libgeo-ip-perl libgeo-ipfree-perl libemail-mime-perl libmail-sendmail-perl libmail-rfc822-address-perl libmail-sender-perl libmail-perl libnet-cidr-lite-perl libtext-reform-perl libtext-quoted-perl mysql-server libdbd-mysql-perl libdbi-perl libcompress-zlib-perl libwww-perl liburi-perl libxml-perl libxml-regexp-perl libxml-sax-expat-perl libxml-sax-perl libxml-xslt-perl perl-modules perlmagick libtext-iconv-perl libsocket6-perl  libtimedate-perl libnet-daemon-perl libmailtools-perl libhtml-clean-perl libhtml-format-perl libhtml-parser-perl libhtml-tree-perl libcflow-perl libdata-flow-perl apache2-mpm-prefork libapache2-mod-perl2 libapache2-mod-apreq2 libapreq2 libapache2-request-perl -V

Now check latest version for download from http://www.mwforum.org/forum/topic_show.pl?tid=4222
In this setup I will put mwforum in /var/www/mwforum/htdocs/ (gentoo style folder)

Download MWforum and extract

# mkdir -p /var/www/mwforum/
# cd /var/www/mwforum/
# wget http://www.mwforum.org/dl/stable/mwforum-2.24.1.tar.gz
# tar xpf mwforum-2.24.1.tar.gz
# mkdir htdocs
# cp -a mwforum-2.24.1/script/* htdocs/
# cp -a mwforum-2.24.1/data/* htdocs/

Setup Configuration files

# cd ./htdocs
# mv MwfConfigGlobalDefault.pm MwfConfigGlobal.pm
# mv MwfConfigDefault.pm MwfConfig.pm

Edit config file with your mysql username/password, site name and url.

# vi MwfConfig.pm

Inside Mysql shell create database and username/password for mwforum:

mysql> CREATE DATABASE mwforum CHARSET=utf8;
Query OK, 1 row affected (0.30 sec)

mysql> GRANT ALL ON mwforum.* TO mwforum@localhost IDENTIFIED BY 'sk8hg4I2mxW';
Query OK, 0 rows affected (0.60 sec)

mysql> flush privileges;

Install MWForum database:

# perl install.pl

Activate Apache modules:

# a2enmod perl
# a2enmod apreq 
# a2enmod headers

Add the apache Virtualhost config file:

# vi /etc/apache2/sites-availables/mwforum
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
<VirtualHost *:80>
    ServerName myforum.com
    ServerAlias www.myforum.com
    ServerAdmin webmaster@myforum.com
    DocumentRoot /var/www/mwforum/htdocs
    DirectoryIndex forum_show.pl
    #XSendFile on
    #XSendFileAllowAbove on
    ScriptAlias /cgi-bin/ "/var/www/mwforum/htdocs/"
    <Directory "/var/www/mwforum/htdocs">
        Options +ExecCGI FollowSymLinks -Indexes
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    RewriteEngine On
    # Uncomment to force redirect to https, but you need to create https vhost
    # RewriteCond %{HTTPS} off
    # RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

Add PerlSwitches:

# vi /etc/apache2/conf.d/mwforum 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
PerlSwitches -I/var/www/mwforum/htdocs
<Directory /var/www/mwforum/htdocs/>
    DirectoryIndex forum.pl
    Options -Indexes
    <Files "*.pl">
        Options +ExecCGI
        SetHandler perl-script
        PerlResponseHandler ModPerl::Registry
        PerlOptions -SetupEnv -ParseHeaders
    </Files>
    <Files "*.pm">
        Deny from all
    </Files>
</Directory>

Now activate mwforum and check for configurations

# a2ensite mwforum
# apache2ctl configtest
Syntax OK

If syntax OK, then restart

# /etc/init.d/apache2 restart

Security and Cleanup:

# rm install.pl upgrade.pl
# cat ./mwforum-2.24.1/example/script.htaccess >> htdocs/.htacess
# cat ./mwforum-2.24.1/example/attach.htaccess >> htdocs/.htacess

 Posted by at 11:25 am
Jan 252011
 

Strongly typed Languages and Security. From Schneier on Security.
A Great comment I believe it’s worth sharing. Source http://www.schneier.com/blog/archives/2010/10/firesheep.html#c478900


I can’t agree more that the average quality of programmers (and therefore reusable components) is miserable. Code reuse can be very messy and anyone serious about quality is forced to reinvent the wheel over and over.

Of course I also agree that not all standards are good, as I don’t consider the web’s standards good.

However, there are fake high level languages and real high level languages. You cannot really build a complex system in a low level language, and even if you did, it would be full of abstractions, effectively making it a high level language via design patterns.

Look at PHP, it’s a horrible mess, a big ball of crap thrown together to make a “framework” to “ease” web development. The developers don’t have a clue what they’re doing and there are lots of new vulns in it every month at both the high and low levels. The builtin functions are completely inconsistent, some things return magic values and some things raise exceptions. PHP just takes random features from other languages and piles them together in an incoherent way. PHP is weakly typed (which is _always_ useless and causes more bugs). PHP is configurable, different libraries depend on different configurations of it. PHP has a garbage optional security model thing called safe-mode, which doesn’t work as it’s just more crap incoherently thrown together.

Now look at a real high level language, like Haskell, everything is immutable, which immediately mitigates one of the big class of bugs. Lazy evaluation means everything is more efficient most of the time (most problems are best solved lazily), but can be turned off when needed. The type system tells you all the information you’d ever want to know about the architecture of a given program, as well as catches _lots_ of bugs up front. Functions can easily be reasoned about due to type safety and immutability. This is a language that was actually thought out, unlike PHP.

Also, there are capability-secure languages/OSs, such as E (language), where security is orthogonal and forces the principle of least authority upon the entire architecture from the ground up. They have already been proven easy to use (obviously, much easier to use than any *nix crap because they have strong typing and aren’t C) and exponentially more secure. E is basically reifies one of the things computing is meant to have but doesn’t currently: you can run any code without caring if it’s evil or crappy. Sort of like the web but not completely flawed/unusable/insecure. The capability model also stop programs from dumping random garbage all over your OS, which is what happens on *nix and Windows.

Did I mention POLA is important? Why one would ever want to run random code off the internet with full privileges is beyond me. Java has an actual _half_ decent security/object model BTW, but it was ruined by pragmatism, and now everyone just signs their applets and the users can’t run them unless they modify their JVM or allow the code to run with full privileges.

Heck, even QNX is vastly superior to *nix just because they took a few old academic ideas into practice.

But what I really want to get down to is that strong typing is mandatory. (Strong typing in the data sense as well as language).

What I mean by strong typing in the data level is that you don’t take a bunch of random text and try to interpret it. You don’t take a bunch of machine words off the stack/heap and try to interpret them. Data must be organized mechanically, never trust the human.

Stack smashing happens because of lack of strong typing; array’s don’t really exist, you just get pointers to memory and are free to do anything with them, integers don’t exist either, you just have machine words. Actually nothing exists because C is just one crappy abstraction with a ton of undefined behavior. Strongly typed arrays cannot be violated, nor can ints etc. C is another example of this nonsense re-usability notion, to make it “fast”, _as well_ as portable, it has to have tons of undefined behavior. A secure system would have a high level language and the underlying low level components would be written in a way specialized to that architecture, in which case you can get performance as well as **no** undefined behavior.

XSS is because of lack of strong typing, you are just taking a bunch of text and blindly treating it as code or crap to inject into some text that is meant to be code. This is about as unreliable as it gets. Strongly typed declarative data structures prevent this.

SQL Injection? Ditto. But has been solved by A) ORMs that aren’t vulnerable B) Object databases (which are on par and sometimes better than RDBMS with respect to performance, BTW) C) HaskellDB ;)

HTTP injection? Well this doesn’t happen as much because one typically uses a safe API to build the HTTP request as opposed to editing it and parameterizing it by hand. This is analogous to using a safe API to manipulate a binary data structure (that is strongly typed). Hey? Binary is compact and efficient, then why do we have text protocols and formats? Oh yeah, someone thought it would be a good idea to have plaintext stuff because maybe we would be able to edit it by hand or something. BS. Do they expect us to edit 20MB XML documents by hand? You should be using a graph editor that provides a set of idiomatic transforms and queries (does this exist for XML? it should.). The only time you can edit _any_ plaintext document by hand is when it’s tiny, except this still doesn’t work because you don’t know what character set encoding to use… XML sucks, it’s not a cyclic graph so you have to retype things instead of just putting a reference to them, or invent an ad-hoc way of doing this for your schema. This is clearly propagated by the “simple” design of plaintext XML, if it were binary, they probably would have just made a real cyclic graph. This stuff also reminds me of another major issue with *nix, everything is a file (which is nonsense, everything should be an object, or maybe there is something better? I dunno, but objects are already superior to files in every way. Want streams? read: lazy evaluation), which for some reason, means everything is text with an arbitrary grammar, so you have to write a ton of regular expressions to get anything done in *nix. Ooh and you have magic numbers as return values from programs. Except these both break all the time as new versions of the programs come out. And they are a bitch to fix because they aren’t objects; you have to rewrite the parsers (text) instead of using the new fields (objects). Even the input to any *nix program is braindead and violates strong typing principles so they can’t be used without causing new vulnerabilities. Even if you escape the input to make it safe for bash or whatever shell you are using, the data within that parameter might still need to be further escaped because it’s passed as an SQL string or some other weakly typed system. I don’t know why “command line” mantra even exists anymore (now that we don’t use ancient terminal things anymore, well some people do, but not me at least), every program that has an interactive bash shell thing is different and crappy and has no multiline input and a lot of them overwrite your input as you’re typing it with output. Command line apps shouldn’t exist, there should just be objects that you invoke methods on with a _real_ (bash isn’t a real language) statically strongly typed language and get back some other objects. Static typing allows *rich* auto-completion for free. The shell can infer the variables in the local namespace that match the input parameter you are on, and then suggest them all. And the shell should actually be a decent thing, not a stupid pair of I/O streams. *nix terminal things suck **hard**. If you copy and paste some text from a web page, it might contain malicious code followed by a newline (a page can make you copy something other than what is displayed and highlighted on it), and you get owned. Oooh, oooh, X11 is also broken, it doesn’t let non-you users display to a constricted area on it, so you have to run random crap programs off the internet as you, and they get to steal all your non-root stuff (the stuff that *actually* matters). But they get root by ptracing your bash shell and escalating to root the next time you sudo or su. The Qubes OS tries to fix some of this stuff, but fails miserably, because it’s not even as good as or better than the Object Capability Model, which was invented decades ago, but I guess this is because they want compatibility with current software, which means they have to diminish security. Maybe they would be better off joining Tunes.

Computing sucks hard for many other reasons, but I’m getting tired of writing for now and am hungry.

What does this all have to do with firesheep? Dunno, but it’s not surprising what firesheep can do, and it’s about time someone is stepping up and trying to expose more loudly one of the many critical flaws that have been being used for malicious purposes for the past decades. I predict the next movement is for someone to write a nice metamorphic virus and take over hundreds of millions of boxes on the internet and all those crappy embedded devices. (It’s not that hard to pull off.)

Anyone interested in creating a secure computing paradigm and ditch all this other nonsense? Call me.

 Posted by at 10:02 pm
Jan 012011
 

I had to setup AFP (netatalkd) on a centos 5.5 machine. Many tutorials had something missing. so I took the best of each and put here.

You will need gcc and some packages/libs for building berk-db and netatalkd, like “patch” and “make”

  yum install openssl.x86_64 libssl-dev gcc automake autoconf GSSAPI libgssapi-devel libgssapi  libgssapi-devel krb5-devel pam-devel shadow-devel openssl-devel cracklib wget

1. Download the latest berkeley-db 4.8 (5.0 and 5.1 did not work for me), compile and install

wget http://download.oracle.com/berkeley-db/db-4.8.30.tar.gz
tar xpf db-4.8.30.tar.gz
cd db-4.8.30/build_unix/
../dist/configure
make
make install

2. Download latest netatalkd, compile, install and copy config files to /etc/atalk
AFP works fine with the default configuration files.

wget "http://downloads.sourceforge.net/project/netatalk/netatalk/2.1.5/netatalk-2.1.5.tar.bz2?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fnetatalk%2F&ts=1293643408&use_mirror=biznetnetworks"
tar xpf netatalk-2.1.5.tar.bz2
cd netatalk-2.1.5

./configure --enable-redhat --enable-pgp-uam --enable-krb4-uam --enable-krbV-uam --with-bdb=/usr/local/BerkeleyDB.4.8/
make
make install
mkdir -p /etc/atalk/
cp -a config/*.conf /etc/atalk/
chkconfig netatalk on
service netatalk start

Extra:

When you mount this filesystem on mac, all files and directory permissions will be reset to 755, which is really annoying, specially if you use git. Git will show all the file permission changes to 755 instead of 644 for files.

so, to solve the problem edit the file /etc/atalk/AppleVolumes.default and update the last line on the file

  vi /etc/atalk/AppleVolumes.default
  # change from
    :DEFAULT: options:upriv,usedots
  # to
    :DEFAULT: options:upriv,usedots dperm:0755 fperm:0644

Resources:

 Posted by at 4:18 pm
Nov 192010
 

This is a monit recipe for a rails app with 4 Unicorn threads using SOCKET. The app averages a total memory usage of 600 MB.
If it goes over 800 MB send email alert only.
If over 860 MB, reload the app.
Also if it’s using too much CPU, alert by email.

I use unicorn_rails on socket mode with nginx, and preload_app = true.

check process myapp_unicorn 
  with pidfile /var/www/apps/my_app.com/shared/pids/unicorn.pid
group unicorn
if totalmem > 800 MB for 2 cycles 
  then alert
if totalmem > 860 MB for 2 cycles 
  then exec "kill -HUP `cat /var/www/apps/my_app.com/shared/pids/unicorn.pid`"
if cpu > 40% for 2 cycles then alert
if cpu > 20% for 4 cycles then alert
if failed 
  unixsocket /var/www/apps/my_app.com/shared/pids/unicorn.sock 
  then alert

note: the HUP signal will reload the children processes without reloading code changes. This is fast and desirable.

Resources:
http://unicorn.bogomips.org/SIGNALS.html
http://mmonit.com/monit/documentation/monit.html

 Posted by at 7:18 pm  Tagged with:
Jul 092010
 

Now a days there are so many good and cheap OpenVZ VPS providers out there.
Just have a look at this blog and you will see what I mean. [http://www.lowendbox.com/tag/openvz/]

The way OpenVZ virtual machines offers RAM resource is quite different from XEN.
You get Dedicated Ram (guaranteed ram) and Burstable Ram.

Burstable Ram is good when your server has sporadic load spikes, such as blogs and news sites.
Ideally you should not rely on burstable ram, it depends on the Host System. if the host system starts get low on free ram, you will lose that memory and the kernel will kill your processes to recover the ram.

Best is to keep below 90% of your Dedicated ram.

So, here I have an script that will monitor your memory limits. Also check for errors on your openVZ.
it’s perfect for an hourly cron job. It will print output on warnings and errors only.
Will suppress output if your openVZ container is behaving well. :)

for example, put on /etc/cron.hourly/

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
#!/usr/bin/env ruby
#
# Program to check for failed count on OpenVZ systems
#   Failed counts indicate over commit on memory. 
#   it should always be zero.
 
 
@file = `cat /proc/user_beancounters`.split("\n")
 
# Delete the first 3 lines, which are irrelevant to us.
@file.delete_at(0)
@file.delete_at(0)
@file.delete_at(0)
 
@failcnt = []
 
@file.each do |t|
  tmp = t.split
  unless tmp.last == "0"
    @failcnt << tmp
  end
end
 
# Check that 'held' is less than 'barrier' 
#   held = current count
#   barrier = soft limit
# only checking for:
#   privvmpages @file[1] 
#   oomguarpages @file[7] 
# 
# oomguarpages : 
#   The out-of-memory guarantee, in pages. 
#   Any VE process will not be killed even in case of heavy 
#   memory shortage if the current memory consumption 
#   (including both physical memory and swap) 
#   does not reach the oomguarpages barrier.
#
# privvmpages: 
#  The size of private (or potentially private) memory allocated by an application. 
#  The memory that is always shared among different applications 
#  is not included in this resource parameter.
# 
# Sources: 
#  - http://wiki.openvz.org/UBC_secondary_parameters
#  - http://wiki.vpslink.com/Meaning_of_the_/proc/user_beancounters_Values
 
privvmpages = @file[1].split
privvmpages_current = privvmpages[1].to_i
privvmpages_limit = privvmpages[3].to_i
if privvmpages_current > privvmpages_limit
  puts "WARNING: #{privvmpages[0]} has passed the limit: #{privvmpages_current}/#{privvmpages_limit}"
  puts "WARNING: Server may crash or reboot"
end
# Also check it we are getting close to 70% of usage
privvmpages_pc = ((privvmpages_current.to_f/privvmpages_limit)*100).ceil
if privvmpages_pc > 70
  puts "WARNING: #{privvmpages[0]} is high: #{privvmpages_pc}% of limit"
end
 
oomguarpages = @file[7].split
oomguarpages_current = oomguarpages[1].to_i
oomguarpages_limit = oomguarpages[3].to_i
if oomguarpages_current > oomguarpages_limit
  puts "WARNING: #{oomguarpages[0]} has passed the limit: #{oomguarpages_current}/#{oomguarpages_limit}"
  puts "WARNING: Some Processes may be killed"
end
# Also check it we are getting close to 85% of usage
oomguarpages_pc = ((oomguarpages_current.to_f/oomguarpages_limit)*100).ceil
if oomguarpages_pc > 85
  puts "WARNING: #{oomguarpages[0]} is high: #{oomguarpages_pc}% of limit"
end
 
unless @failcnt.empty?
  puts "=================================="
  puts "Found Memory problems with OpenVZ:"
  puts "=================================="
  @failcnt.each do |t|
    puts "#{t.join(' - ')}"
    puts "=================================="
  end
end

 Posted by at 9:37 pm

Switch to our mobile site