Swappiness and responsiveness on Linux desktops

Doing a lot of DB import/export/migration tasks on my Linux notebook on large DB tables, I’ve seen slow responsiveness from the system. After a small investigation I saw that my OS was swapping out too much, causing performance degradation and making my system unusable.

By default the Linux kernel is configured for server environments. One important parameter that should be considered when using Linux as a desktop is vm.swappiness; by default its value is 60.

That’s fine for a server, as it swaps memory out to disk aggressively to free it for active processes, but on desktops this value is too high; the recommended value is 10, to allow the system to be more responsive.

[root@silver ~]# tail -2 /etc/sysctl.conf
# desktop settings
vm.swappiness = 10

More details:
Ubuntu Swap Faq
Optimizing Desktop Performance, Part I
Optimizing Desktop Performance, Part II
Optimizing Desktop Performance, Part III

Configure DenyHosts to ignore local networks

I will not talk about how important it is to secure your SSH server. One of the tools that helps us secure an SSH server is DenyHosts. From the DenyHosts home page:

DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

Accidentally sending a wrong password to the server will get your access blocked. You can avoid this by using public key authentication, or, when that’s not possible, you can configure DenyHosts to ignore IP addresses from your network:

How can I prevent a legitimate IP address from being blocked by DenyHosts?

Since it is quite possible for a user to mistype their password repeatedly it may be desirable to have DenyHosts prevent specific IP addresses from being added to /etc/hosts.deny. To address this issue, create a file named allowed-hosts in the WORK_DIR. Simply add an IP address, one per line. Any IP address that appears in this file will not be blocked.
[...]

I prefer the TCP wrappers way: I’ll just bypass DenyHosts for local networks.

Configure DenyHosts to write blocked IPs to /etc/denyhosts/blocked:

# /etc/denyhosts/denyhosts.cfg
HOSTS_DENY = /etc/denyhosts/blocked
BLOCK_SERVICE  =

Allow SSH connections from hosts listed in /etc/denyhosts/ignored, and then, as the last rule, allow SSH access to everyone unless listed in /etc/denyhosts/blocked:

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
 
# ssh access
sshd: /etc/denyhosts/ignored : allow
sshd: ALL EXCEPT /etc/denyhosts/blocked

Add IPs/networks to ignore:

# /etc/denyhosts/ignored
# hosts allowed to connect bypassing DenyHosts
192.168.10.0/255.255.255.0

More on the file format:

man hosts.allow
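As an added example (not part of the original post or of DenyHosts), the following Python models how TCP wrappers evaluates the two hosts.allow rules above together with hosts.deny, using constructed ignored/blocked files in the post’s layout. It shows the caveat that matters for this setup: an address listed in /etc/denyhosts/blocked matches no hosts.allow rule, so it is refused only if /etc/hosts.deny also carries a catch-all such as `sshd: ALL` (assumed here); with an empty hosts.deny, hosts_access(5) grants access by default.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample files in the layout the post uses (not real hosts).
IGNORED = """# hosts allowed to connect bypassing DenyHosts
192.168.10.0/255.255.255.0
"""
# DenyHosts writes bare IPs here, one per line, because BLOCK_SERVICE is empty.
BLOCKED = """192.168.10.77
203.0.113.5
"""
# Assumed client part of a 'sshd: ALL' catch-all line in /etc/hosts.deny.
HOSTS_DENY_CLIENTS = "ALL\n"


def parse_patterns(text: str) -> List[str]:
    """Return the non-empty, non-comment client patterns of a list file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def matches(pattern: str, ip: str) -> bool:
    """Match one hosts_access(5) client pattern against a dotted IPv4 address:
    ALL, an exact address, a trailing-dot prefix such as '192.168.', or
    'net/mask' with a dotted netmask (a /prefixlen is accepted here too)."""
    addr = ipaddress.IPv4Address(ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        return addr in ipaddress.IPv4Network(pattern, strict=False)
    return addr == ipaddress.IPv4Address(pattern)


def sshd_access(ip: str, hosts_deny_clients: str = HOSTS_DENY_CLIENTS) -> Tuple[bool, str]:
    """Walk the hosts_access(5) order for an sshd connection, first match wins:
    hosts.allow rule 1 (ignored list), hosts.allow rule 2 (ALL EXCEPT blocked),
    then hosts.deny, then the implicit default of granting access."""
    if any(matches(p, ip) for p in parse_patterns(IGNORED)):
        return True, "hosts.allow: ignored list"
    if not any(matches(p, ip) for p in parse_patterns(BLOCKED)):
        return True, "hosts.allow: ALL EXCEPT blocked"
    # A blocked address matched no hosts.allow rule, so hosts.deny decides.
    if any(matches(p, ip) for p in parse_patterns(hosts_deny_clients)):
        return False, "hosts.deny"
    return True, "default grant (no rule matched)"
```

A local address that DenyHosts has already written to the blocked file is still admitted, because the ignored rule is evaluated first.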

Rename command

rename is a handy command from the util-linux package for when you need to rename multiple files. From the manual:

NAME
       rename - Rename files
SYNOPSIS
       rename from to file...
DESCRIPTION
       rename will rename the specified files
       by replacing the first occurrence of
       from in their name by to.
...

Example usage:

[vitalie@silver london]$ ls -1
DSC00967.JPG
DSC00968.JPG
DSC00969.JPG
DSC00970.JPG
DSC00971.JPG
[vitalie@silver london]$ rename DSC00 london_ *.JPG
[vitalie@silver london]$ ls -1
london_967.JPG
london_968.JPG
london_969.JPG
london_970.JPG
london_971.JPG

Bind restricting recursion

If your DNS server answers recursive queries from anyone, it can be abused by malicious users. Recursion should be restricted to IP addresses from your local networks.

To accomplish this, edit your /etc/named.conf and specify in the “options” section which ACLs are allowed to run recursive queries, using the allow-recursion option:

# /etc/named.conf
acl localnets { 127.0.0.1; 192.168.0.0/24; };
 
options {
...
allow-recursion { localnets; };
...
};

Then restart the BIND server:

[root@red ~]# /etc/init.d/named restart
Stopping named: .                     [  OK  ]
Starting named:                       [  OK  ]

In Plesk it can be done from the Control Panel:
Server->DNS Settings->DNS Preferences->Allow recursion
and choose localhost or localnets.

How to disable IPv6 in RHEL, Fedora, CentOS

Open your /etc/modprobe.conf file and append:

# Turn off IPv6
alias net-pf-10 off
alias ipv6 off

Then restart your server.

Lame servers messages

A lame server is one that an NS record for a domain points to but which is not authoritative for that domain.

To keep your logs (/var/log/messages) clean of lame server messages such as these:

[...]
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 19:43:25 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 19:43:25 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
[...]

Edit your /etc/named.conf and add:

logging {
  category lame-servers { null; };
};

Then restart the BIND daemon.
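Before silencing the category for good, it is worth knowing which servers and zones produce the noise. As an added example (not part of the original post), this Python counts lame-server reports per (server, zone) over constructed log lines in the format shown above; an unrelated sshd line is included to show that it is skipped.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample lines in the format quoted above (example names and IPs).
SAMPLE_LOG = """\
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 19:43:25 srv named[99]: lame server resolving 'www.example.net' (in 'example.net'?): 198.51.100.7#53
Nov 16 19:43:26 srv sshd[1200]: Accepted publickey for vitalie from 192.168.10.5 port 50122 ssh2
Nov 16 19:43:25 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
"""

# One BIND "lame server resolving" line: the queried name, the zone it was
# asked about, and address#port of the server that was not authoritative.
LAME_RE = re.compile(
    r"named\[\d+\]: lame server resolving '(?P<name>[^']+)' "
    r"\(in '(?P<zone>[^']+)'\?\): (?P<server>[\d.]+)#(?P<port>\d+)"
)


def lame_server_counts(log_text: str) -> Dict[Tuple[str, str], int]:
    """Count lame-server reports per (server IP, zone); other lines are skipped."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LAME_RE.search(line)
        if m:
            counts[(m.group("server"), m.group("zone"))] += 1
    return dict(counts)


def top_lame_servers(log_text: str) -> List[Tuple[str, str, int]]:
    """Return (server, zone, count) tuples, noisiest first, for a quick review."""
    counts = lame_server_counts(log_text)
    return sorted(((s, z, n) for (s, z), n in counts.items()),
                  key=lambda t: (-t[2], t[0], t[1]))


if __name__ == "__main__":
    for server, zone, n in top_lame_servers(SAMPLE_LOG):
        print(f"{n:5d}  {server}  zone {zone}")
```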

Nagios check_mailq: is not executable by uid 0

If you receive this error, your plugin needs patching:

ERROR:  is not executable by (uid 0:gid(0 10 6 4 3 2 1 0))

The patch:

--- /usr/lib/nagios/plugins/check_mailq 2007-04-20 23:14:48.000000000 +0300
+++ check_mailq 2007-06-04 11:53:06.000000000 +0300
@@ -40,7 +40,7 @@
 sub print_usage ();
 sub process_arguments ();
 
-$ENV{'PATH'}='';
+$ENV{'PATH'}='/bin:/usr/bin';
 $ENV{'BASH_ENV'}='';
 $ENV{'ENV'}='';
 $PROGNAME = "check_mailq";
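Review bot: the `-$ENV{'PATH'}='';` / `+$ENV{'PATH'}='/bin:/usr/bin';` change carries no comment saying why the plugin now needs a non-empty PATH; the error quoted above shows an empty program name before "is not executable", which is what the second hunk's `$utils::PATH_TO_QMAIL_QSTAT` assignment fills in, so this line is not obviously part of that fix. Either add a comment naming the child command that is looked up through PATH, or drop this hunk; if it stays, keep it to these two root-owned absolute directories as written.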
@@ -49,6 +49,9 @@
 $msg_p = 0 ;
 $state = $ERRORS{'UNKNOWN'};
 
+# 
+$utils::PATH_TO_QMAIL_QSTAT = "/var/qmail/bin/qmail-qstat";
+
 Getopt::Long::Configure('bundling');
 $status = process_arguments();
 if ($status){
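Review bot: the added `+# ` line is an empty comment; either describe the assignment below it (for example that the shared utils module on this system leaves the qmail-qstat path undefined, which is why the error shows an empty program name) or remove it. Hardcoding `$utils::PATH_TO_QMAIL_QSTAT = "/var/qmail/bin/qmail-qstat";` inside check_mailq also diverges from the `$utils::` namespace it uses, which points at the shared utils module as the usual home for this value; setting it there would survive a plugin upgrade that overwrites check_mailq.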
@@ -63,7 +66,6 @@
 alarm($opt_t);
 
 # switch based on MTA
-
 if ($mailq eq "sendmail") {
 
        ## open mailq
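Review bot: this hunk only deletes a blank line after `# switch based on MTA`; it is whitespace noise unrelated to the fix and should be dropped so the patch stays minimal and re-applies cleanly on other versions of the plugin.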

Flash player for Firefox on linux x86_64

If you are working on an x86_64 system, don’t even try the 64-bit build of Firefox; just install the 32-bit version and enjoy all of Firefox’s plugins (Flash, Java, …). Don’t waste your time.

Adobe hasn’t released a 64-bit Flash plugin for Linux yet; although there are various workarounds to make 32-bit plugins work on the x86_64 platform, they are still buggy.

If you try nspluginwrapper you’ll end up with Firefox eating 1GB of RAM after opening a few Flash sites, because it leaks memory.

Let’s install Firefox with the Flash plugin: first remove the x86_64 version of Firefox, then install the i386 version:

[root@silver ~]# yum remove firefox.x86_64
[...]
[root@silver ~]# yum install firefox.i386
[...]

Then download the RPM for Linux from Adobe:
http://www.adobe.com/shockwave/download/alternates/

[root@silver ~]# rpm -ivh flash-plugin-9.0.124.0-release.i386.rpm
[...]

Now you are ready to use your favorite browser on Linux x86_64 with Flash Player.

Update:

An alpha refresh of 64-bit Adobe Flash Player 10 for Linux operating systems was released on 12/16/2008.

Download it from here:
http://labs.adobe.com/downloads/flashplayer10.html

TCP: drop open request from …

If you are seeing a lot of “TCP: drop open request from A.B.C.D” messages and you don’t expect real load on the server, you’ll need to enable SYN cookies. Edit your /etc/sysctl.conf and append the following lines:

# enable syncookies
net.ipv4.tcp_syncookies = 1

Then restart the network service, which re-applies the sysctl settings:

[root@centurion ~]# /etc/init.d/network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Setting network parameters:                                [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                [  OK  ]

pleskbackup – Unable to parse options

If you are trying to back up your server to an FTP location, don’t forget to specify the destination file on the remote server, or you’ll receive this error:

[root@apollo ~]# export FTP_PASSWORD="secret"
[root@apollo ~]# /usr/local/psa/bin/pleskbackup --no-gzip all --skip-logs ftp://backup:@backup.example.com/
Unable to parse options: Bad FTP file format at /usr/local/psa/bin/pleskbackup line 287.