2006/12/30

Firefox settings to change

In Firefox 2, type "about:config" in the location bar, and press enter. You'll get some settings. Here are the ones I change:

Old   New    Setting - effect
3     1      browser.cache.check_doc_frequency - check page every load
true  false  browser.cache.disk.enable - don't cache to disk
140   140    browser.tabs.tabClipWidth - don't show close button on tabs narrower than this
100   30     browser.tabs.tabMinWidth - let tabs become this narrow
1     3      browser.startup.page - restore your previous browsing session

2006/12/29

MS SQL Tips

Here are some MS SQL Tips, Tricks, Recipes, etc.:

• Find out who's using what databases:
  1. Open SQL Query Analyzer.
  2. Type "exec sp_who" into the Query window.
  3. Click "Execute Query" or press F5.
• From cryptosid at experts-exchange:
  Before using DBCC REBUILD_LOG, better check this article and read it through:
  http://www.sqlmag.com/Articles/Index.cfm?ArticleID=9011
  A safe alternative would be: back up the consistent database, and RESTORE the database with the MOVE option, using which you can move the database files to whichever drive you want...
• Get information on a DB's logfile:
  1. Open Query Analyzer.
  2. Type this in the query window, then click Execute Query:
     use db_name
     dbcc LOGINFO
• Detach and re-attach a database:
  1. Confirm that nothing has the DB open: open QA and run "exec sp_who".
  2. If nobody is using the DB, detach it with the QA command "EXEC sp_detach_db 'db_name'", or right-click the DB in Enterprise Manager and select "Detach database".
  3. Re-attach the DB with the QA command "EXEC sp_attach_db 'db_name', 'x:\full\path\to\db\file\db_filename.MDF'", or right-click Databases in Enterprise Manager and select "Attach database".
• How to set up SQL Mail:
  http://support.microsoft.com/?id=263556
• Safely delete a transaction log:
  1. Make sure nobody's using the database, as above under "Detach...".
  2. Back up the database.
  3. Make sure nobody's using the database, still.
  4. Detach the database, as above.
  5. Rename the log file (the .LDF file).
  6. Re-attach the database, as above.
  7. The logfile should be automatically re-created.
• From rsrm at experts-exchange, http://www.experts-exchange.com/Databases/Microsoft_SQL_Server/Q_20823435.html
  Comment from rsrsm, Date: 12/11/2003 07:29PM PST

  If the log file is deleted for the database and SQL server is not able to locate it..you can rebuild the log. try the following steps (But if the log file is not deleted then you can ignore this comment):

  REBUILD LOG and recover a suspect database:

  1. Back up the .mdf/.ndf and .ldf files.

  2. Change the database context to Master and allow updates to system tables:
     Use Master
     Go
     sp_configure 'allow updates', 1
     reconfigure with override
     Go

  3. Set the database in Emergency (bypass recovery) mode:
     select * from sysdatabases where name = ''
     -- note the value of the status column for later use
     begin tran
     update sysdatabases set status = 32768 where name = ''
     -- Verify one row is updated before committing
     commit tran
     If you run DBCC REBUILD_LOG without setting the database in Emergency mode, the command does not work. You do not receive an error, but the log is not rebuilt either.

  4. Stop and restart SQL server. If you run DBCC REBUILD_LOG without recycling the server, the following message displays:
     Server: Msg 5023, Level 16, State 2, Line 1
     Database must be put in bypass recovery mode to rebuild the log.
     DBCC execution completed. If DBCC printed error messages, contact your system administrator.

  5. The syntax for DBCC REBUILD_LOG is as follows:
     DBCC REBUILD_LOG('','')
     where is the name of the database and is the physical path to the new log file, not a logical file name. If you do not specify the full path, the new log is created in the Windows NT system root directory (by default, this is the Winnt\System32 directory). If the file is placed in the Winnt\System32 folder, you can move it to a different folder by running the following commands from the SQL Query Analyzer:
     sp_detach_db ''
     Go
     Move the log file over from the Winnt\System32 folder to the preferred folder.
     sp_attach_db '', '', ''
     Go
     If a log file with the same name as specified in DBCC REBUILD_LOG already exists in that directory, then the following message occurs:
     Server: Msg 5025, Level 16, State 1, Line 1
     The file 'C:\MSSQL7\Data\' already exists. It should be renamed or deleted so that a new log file can be created.
     DBCC execution completed. If DBCC printed error messages, contact your system administrator.
     You will need to specify a different filename or rename or delete the existing one. Rebuild the log with this code:
     DBCC TRACEON (3604)
     DBCC REBUILD_LOG('','')
     Go
     If the command is successful, the following message appears:
     Warning: The log for database '' has been rebuilt. Transactional consistency has been lost. DBCC CHECKDB should be run to validate physical consistency. Database options will have to be reset, and extra log files may need to be deleted.
     After the log is successfully rebuilt, the database is placed in DBO Use Only mode. That is, the status of the database is 2048 irrespective of what the status was previously. You must reset the status using sp_dboption or through the SEM.

  6. Set the database in single-user mode and run DBCC CHECKDB to validate physical consistency:
     sp_dboption '', 'single user', 'true'
     DBCC CHECKDB('')
     Go
     begin tran
     update sysdatabases set status = where name = ''
     -- verify one row is updated before committing
     commit tran
     Go

  7. Turn off the updates to system tables by using:
     sp_configure 'allow updates', 0
     reconfigure with override
     Go

  WARNING: After verifying the consistency of the database by running DBCC CHECKDB, and fixing any errors, please make sure to check the database for logical consistency as well. Because a new log has been built, the transactions in the old log are lost, hence you must also verify the logical consistency of the data as well.

2006/12/18

bash shortcuts

from http://www.howtogeek.com/howto/ubuntu/keyboard-shortcuts-for-bash-command-shell-for-ubuntu-debian-suse-redhat-linux-etc/

Ctrl + A : Go to the beginning of the line you are currently typing on
Ctrl + E : Go to the end of the line you are currently typing on
Ctrl + L : Clears the Screen, similar to the clear command
Ctrl + U : Clears the line before the cursor position. If you are at the end of the line, clears the entire line.
Ctrl + H : Same as backspace
Ctrl + R : Lets you search through previously used commands
Ctrl + C : Kill whatever you are running
Ctrl + D : Exit the current shell
Ctrl + Z : Puts whatever you are running into a suspended background process. fg restores it.
Ctrl + W : Delete the word before the cursor
Ctrl + K : Clear the line after the cursor
Ctrl + T : Swap the last two characters before the cursor
Esc + T : Swap the last two words before the cursor
Alt + F : Move cursor forward one word on the current line
Alt + B : Move cursor backward one word on the current line
Tab : Auto-complete files and folder names

2006/12/15

SCSI Tape status codes in Linux

Status Bit   Description
BOT          The tape is positioned at the beginning of the first file.
EOT          A tape operation has reached the physical End Of Tape.
EOF          The tape is positioned just after a filemark.
WR_PROT      The tape (or drive) is write-protected. For some drives this can also mean that the drive does not support writing on the current medium type.
ONLINE       The drive has a tape in place and ready for operation.
DR_OPEN      Door is open. Depending on the type of drive, this usually means that the drive does not have a tape in place.
IM_REP_EN    Immediate report mode. This bit is set if there are no guarantees that the data has been physically written to the tape when the write call returns. It is set to zero only when the driver does not buffer data and the drive is set not to buffer data.
SM           The tape is currently positioned at a setmark. DDS specific.
EOD          The tape is positioned at the end of recorded data. DDS specific.
D_6250
D_1600
D_800        This "generic" status information reports the current density setting for 9-track 1/2 inch tape drives only.

2006/12/13

Linux kernel debugging first steps on i386

(from the SGI XFS mailing list) If you have compiled in kdb and you get an oops (at least in 2.4 series kernels): next time it hangs, enter these kdb commands and capture the output on the serial console.

set LINES 10000
set BTAPROMPT 0
md1c320 system_utsname
id %eip-0x40
cpu
ps
dmesg 200
bt
bta

2006/12/01

Hide OS and Apache version number

By default (at least on RHEL 4, CentOS 4.x, and related distros), Apache web server will give the version number of Apache, as well as your OS. This will make it easier for an attacker to guess what vulnerabilities your web server (or host OS) may have. This information can be hidden by changing these two lines in /etc/httpd/conf/httpd.conf:
ServerTokens ProductOnly
ServerSignature Off
Note that this won't actually fix any vulnerabilities, but it will make an attacker have to either guess or scan to determine what vulnerabilities you may have.

An even better idea is to front your apache with modsecurity (perhaps even on a separate (virtual) server), and have modsecurity tell everyone that your apache web server is really an IIS server.

To hide the Apache PHP version number, add/change this line in /etc/php.ini:
expose_php = Off
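As an added example (not part of the original post), a small POSIX shell audit for the leaks described above: it flags version and OS information in a response header block and checks an httpd.conf for the two directives. The sample headers, the temporary conf file and the function names are constructed for the demo.

```shell
# Added example, not from the original post. Sample data is constructed.
# Read a response header block from stdin; return 0 if it leaks nothing.
check_headers() {
    hdrs=$(cat); leaks=0
    # "Server: Apache/2.0.52 (CentOS)" gives away the version ...
    if printf '%s\n' "$hdrs" | grep -iq '^Server:.*[0-9][0-9]*\.[0-9]'; then
        echo "LEAK: Server header carries a version number"; leaks=1
    fi
    # ... and the parenthesised part gives away the OS/distro
    if printf '%s\n' "$hdrs" | grep -iq '^Server:.*('; then
        echo "LEAK: Server header carries the OS name"; leaks=1
    fi
    # X-Powered-By comes from expose_php = On in php.ini
    if printf '%s\n' "$hdrs" | grep -iq '^X-Powered-By:.*PHP'; then
        echo "LEAK: X-Powered-By exposes PHP (set expose_php = Off)"; leaks=1
    fi
    return $leaks
}
# Last value of an httpd.conf directive, lower-cased ("" if absent)
directive() {   # $1 conf file, $2 directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p" "$1" |
        tail -n 1 | tr 'A-Z' 'a-z'
}
# Return 0 if ServerTokens is Prod/ProductOnly and ServerSignature is
# explicitly Off (an absent ServerTokens means Apache's default, Full).
check_httpd_conf() {
    ok=0
    case "$(directive "$1" ServerTokens)" in
        prod|productonly) ;;
        *) echo "FIX: ServerTokens ProductOnly"; ok=1 ;;
    esac
    case "$(directive "$1" ServerSignature)" in
        off) ;;
        *) echo "FIX: ServerSignature Off"; ok=1 ;;
    esac
    return $ok
}
# Constructed sample: what a stock CentOS 4 Apache with PHP answers
SAMPLE='HTTP/1.1 200 OK
Server: Apache/2.0.52 (CentOS)
X-Powered-By: PHP/4.3.9'
printf '%s\n' "$SAMPLE" | check_headers || echo "-> edit httpd.conf and php.ini"
conf=$(mktemp); printf 'ServerTokens OS\nServerSignature On\n' > "$conf"
check_httpd_conf "$conf" || true
rm -f "$conf"
```

To audit a live host, feed it the output of `curl -sI http://yourhost/` and point check_httpd_conf at /etc/httpd/conf/httpd.conf.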

2006/11/27

Broadcasts on UDP port 41224

In case it helps someone else:

I was seeing broadcasts (dst: 255.255.255.255) about every 30 seconds (top and middle of the minute) to UDP port 41224 from a Windows box. A process named "java" was sending to UDP port 41224, and a different "java" thread was listening on UDP port 41224.

The UDP payload only included the text, "KEY:ABCDXYZ"....

It turns out it's an e-trade streaming quote applet; it runs in an IE window but uses the Java plugin (process name 'java.exe'). Apparently it's pay-ware, and it regularly sends out its key and listens for other applets with the same key, ostensibly to ensure that someone isn't running the same license on multiple computers.

2006/11/17

Quickly create or request ssl certificate for Apache

#Create different directories for the different data (this is the path for RedHat derivatives)
cd /etc/httpd/conf
mkdir ssl.csr ssl.key ssl.crt
chmod 700 ssl.*

Self-Signed Certificate

# Create the cert request. Common Name (CN) should be the FQDN, e.g., myhost.foo.com
# 2048 bits is probably adequate these days. Expiration more than 5 years makes little sense.
# PEM passphrase is what the server process (or user) will have to type to use the cert; it
# can be bypassed if you want with the key file in the next step.  EDIT: current versions
# of openssl that ship with CentOS/RHEL do not let you bypass the PEM
# passphrase. Give it one, then create the key file if you want to eliminate the need for it.
openssl req -newkey rsa:2048 > ssl.csr/myhost.foo.com.csr

# create the key file, myhost.foo.com.key (careful! this makes it so that e.g. httpd will
# not prompt for the key on startup, but so that the cert is easily
# read if the host is compromised.)
openssl rsa -in privkey.pem -out ssl.key/myhost.foo.com.key

# self-sign/create the cert, myhost.foo.com.crt
openssl x509 -in ssl.csr/myhost.foo.com.csr -out ssl.crt/myhost.foo.com.crt -req -signkey ssl.key/myhost.foo.com.key

Externally signed certificate request
openssl req -newkey rsa:1024 -keyout ssl.key/myhost.foo.com.key -out ssl.csr/myhost.foo.com.csr

Mail the myhost.foo.com.csr file to your SSL provider.
Make the key unencrypted if you want:
openssl rsa -in ssl.key/myhost.foo.com.key -out ssl.key/myhost.foo.com.key.unenc
...and reference the unenc file in your ssl host config file. This will prevent having to enter the encryption key passphrase every time the httpd is restarted, but it will mean your key could be compromised if the box is compromised.
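The same self-signed flow as above, done non-interactively and followed by the checks worth running before pointing httpd at the files: that the certificate really was signed with this key and that the key file is owner-only. This is an added example, not the original post's commands; it assumes openssl is on PATH and takes the target directory and hostname (e.g. myhost.foo.com) as parameters.

```shell
# Added example, not from the original post. Directory and host are parameters.
set -u

# Unencrypted 2048-bit key, CSR and self-signed cert for HOST under DIR
make_self_signed() {   # $1 dir, $2 FQDN
    dir=$1; host=$2
    mkdir -p "$dir/ssl.key" "$dir/ssl.csr" "$dir/ssl.crt"
    chmod 700 "$dir/ssl.key" "$dir/ssl.csr" "$dir/ssl.crt"
    # -nodes: no PEM passphrase (same tradeoff as the "openssl rsa" step above);
    # -subj: supply the Common Name without the interactive prompts
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/ssl.key/$host.key" -out "$dir/ssl.csr/$host.csr" 2>/dev/null || return 1
    chmod 600 "$dir/ssl.key/$host.key"
    # self-sign for one year (the post: more than 5 years makes little sense)
    openssl x509 -req -days 365 -in "$dir/ssl.csr/$host.csr" \
        -signkey "$dir/ssl.key/$host.key" -out "$dir/ssl.crt/$host.crt" 2>/dev/null
}

# Return 0 only if the cert's modulus matches the key (i.e. they belong
# together) and the key file is mode 600, readable by its owner only.
verify_pair() {   # $1 key file, $2 cert file
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || { echo "key/cert mismatch"; return 1; }
    perms=$(ls -l "$1" | cut -c2-10)
    [ "$perms" = "rw-------" ] || { echo "$1 is not mode 600 ($perms)"; return 1; }
    echo "ok: $2 matches $1 and the key is owner-only"
}

# Print the cert's CN so it can be compared against the FQDN httpd will serve
cert_cn() {   # $1 cert file
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}
```

Typical use: `make_self_signed /etc/httpd/conf myhost.foo.com && verify_pair /etc/httpd/conf/ssl.key/myhost.foo.com.key /etc/httpd/conf/ssl.crt/myhost.foo.com.crt`.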

Linux password policies

Password expiration (when password is changed or account is created):

Edit login.defs. The relevant parameters are:
PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN

Complexity:
From http://www.puschitz.com/SecuringLinux.shtml#EnforcingStrongerPasswords and http://kbase.redhat.com/faq/FAQ_80_6045.shtm:

Create backup then list contents of the tar file:

# tar -cvf backup.tar /etc/pam.d/system-auth /lib/security/*
# tar -tf backup.tar

Open file /etc/pam.d/system-auth file with an editor such as vi. Inside the /etc/pam.d/system-auth file you will find line:

password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=

To require a password of at least 8 characters, including at least one lower-case, one upper-case, one numeric, and one other character, replace that line with:

password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
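An added example (not from the original post) that audits both settings described above: the aging values in login.defs and the pam_cracklib options in system-auth. It generalises the post's "one of each class" rule to any negative credit value; the file paths are parameters and the sample files at the bottom are constructed.

```shell
# Added example, not from the original post. Sample files are constructed.
# Print the last value given for KEY in a login.defs-style file (comments skipped)
defs_value() {   # $1 file, $2 key
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Return 0 if PASS_MAX_DAYS <= $2, PASS_MIN_DAYS >= 1 and PASS_MIN_LEN >= $3
check_login_defs() {   # $1 file, $2 max age in days, $3 minimum length
    rc=0
    v=$(defs_value "$1" PASS_MAX_DAYS)
    [ -n "$v" ] && [ "$v" -le "$2" ] || { echo "PASS_MAX_DAYS=${v:-unset}, want <= $2"; rc=1; }
    v=$(defs_value "$1" PASS_MIN_DAYS)
    [ -n "$v" ] && [ "$v" -ge 1 ] || { echo "PASS_MIN_DAYS=${v:-unset}, want >= 1"; rc=1; }
    v=$(defs_value "$1" PASS_MIN_LEN)
    [ -n "$v" ] && [ "$v" -ge "$3" ] || { echo "PASS_MIN_LEN=${v:-unset}, want >= $3"; rc=1; }
    return $rc
}

# Return 0 if the pam_cracklib line requires minlen>=8 and one character from
# each class. A negative credit (-N) means "at least N required"; a positive
# one is only a bonus toward minlen, so "lcredit=1" would enforce nothing.
check_cracklib() {   # $1 system-auth file
    line=$(grep '^password.*pam_cracklib.so' "$1" | tail -n 1)
    [ -n "$line" ] || { echo "no pam_cracklib line found"; return 1; }
    rc=0
    for opt in minlen lcredit ucredit dcredit ocredit; do
        val=$(printf '%s\n' "$line" | sed -n "s/.*[[:space:]]$opt=\([-0-9]*\).*/\1/p")
        if [ "$opt" = minlen ]; then
            [ -n "$val" ] && [ "$val" -ge 8 ] || { echo "$opt=${val:-unset}, want >= 8"; rc=1; }
        else
            [ -n "$val" ] && [ "$val" -le -1 ] || { echo "$opt=${val:-unset}, want -1"; rc=1; }
        fi
    done
    return $rc
}

# Constructed samples: the stock pam line from the post and lax aging values
t=$(mktemp -d)
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_MIN_LEN\t5\n' > "$t/login.defs"
printf 'password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=\n' > "$t/system-auth"
check_login_defs "$t/login.defs" 90 8 || echo "-> tighten login.defs"
check_cracklib "$t/system-auth" || echo "-> add minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1"
rm -rf "$t"
```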

reset perl CPAN configuration

# run cpan shell
cpan

# reset config options
cpan> o conf init

Getting started - MySQL on CentOS

yum install mysql-server.x86_64
# ( or .i386, etc)

mysql_install_db

/usr/bin/mysqld_safe &

# (please don't use "password" -- duh!)
/usr/bin/mysqladmin -u root password "password"

# start mysql client
mysql -u root -p

# give remote access to root if root is accessing mysql from hostname.foo.com (think before you do this -- you probably don't want to leave it like this):
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'hostname.foo.com'
mysql> IDENTIFIED BY 'password' WITH GRANT OPTION;

# give root access to root from localhost, e.g., for accessing mysqld locally over a tcp socket.
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY
mysql> 'password' WITH GRANT OPTION;

# give root access to root from anywhere -- why on earth would you want to do this???!!
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY
mysql> 'password' WITH GRANT OPTION;

# give reload+process access to all databases for admin@localhost
mysql> GRANT RELOAD,PROCESS ON *.* TO 'admin'@'localhost';

# give usage access to all databases for dummy@localhost:
mysql> GRANT USAGE ON *.* TO 'dummy'@'localhost';

# now, stop mysqld from running in "safe" mode
service mysqld stop
service mysqld start

2006/11/13

Open Source CMS Comparison

One of my clients has a static web site. When they need content or layout changes, they tell me and then I edit the html. Very painful, for them and for me (that's not how I like to earn my keep).

I'm preparing a comparison of various free (and open source) Content Management Systems. The spreadsheet comparison is here:

Open Source CMS Comparison

2006/11/08

TIP: grub+RAID1 /boot

Adapted from http://gentoo-wiki.com/HOWTO_Gentoo_Install_on_Software_RAID :

If you are using a RAID 1 mirror disk system, you will want to install grub on all the disks in the system, so that when one disk fails, you are still able to boot. The grub find command lists the disks, e.g.

grub> find /boot/grub/stage1
(hd0,0)
(hd1,0)
grub>

Now, if your disks are /dev/sda and /dev/sdb, and /boot is its own partition at /dev/sd(a-?)1 , do the following:
device (hd0) /dev/sda
root (hd0,0)
setup (hd0)

This will install grub into the /dev/sda MBR, and

device (hd0) /dev/sdb
root (hd0,0)
setup (hd0)

...will install grub onto the /dev/sdb MBR. The device command tells grub to assume the drive is (hd0), i.e. the first disk in the system, when it is not necessarily the case. If your first disk fails, however, your second disk will then be the first disk in the system, and so the MBR will be correct.
...repeat for all physical disks that have a mirror of /boot.

The grub.conf does change from the normal install. The difference is in the specified root drive, it is now a RAID drive and no longer a physical drive.

2006/11/02

Good tutorial on manual linux tape backups

http://ploug.eu.org/doc/l-bu-a4.pdf

2006/09/02

My kitty needs a home

Well, my kitty cat, "Katie", needs a new home. She has been good to/for me. I adopted her about two years ago; she was about a year old at the time. She's a good kitty, and very affectionate; but I can't give her a home any more.

She is spayed (of course!), has a clean bill of health and just recently got her booster shots. She's declawed in front (that's how I got her). She tolerates our dog well enough, and is good with older children.

If you or anyone you know can provide her a good home, please call/email me and you can meet her: 577-5854. Of course, I'll pass along her brush, carrier, kitty box, and some food and litter.

2006/07/25

First Post

Well,

I've always felt I should document my history. I received counsel once to "document [my] genealogy", and I think personal history is part of that. Perhaps having it online will make documenting the more public aspect of my life and experiences a little more do-able.

This is just my first post. They'll (probably) get better over time.

Cheers.