sysadmin

Report on (successfully) installing Samsung SCX-2160 printer/scanner on Debian Lenny

The summary is that the printer is indeed mostly working, but requires a bit
of hacking.

Splix driver

I first tried using the Splix printer driver as it looked a bit cleaner than
the foo2qpdl recommended by the Open Printing Database.

The printer requires the libjbig library that is not available on Debian due
to unclear licensing. However, Markus Kuhn distributes the jbig-kit package
that can be compiled easily. The only strange annoyance is that its makefile
has no install target, so I just copied the library and its header files to
/usr/lib and /usr/include. After that, Splix compiled flawlessly, and after
running make install and restarting cups, the printer was available for
configuration in the cups web interface.

Samsung unified driver

The printer has a USB interface for scanning on a USB key, but I decided to
install the Samsung unified driver, anyway. It is now intelligent enough to
suggest adding existing users to the lp groups and after that, xsane is able
to scan under non-root users.

The official printer driver does not print well (see image), all text appears bold and
blurred, but I use the Splix driver and am very satisfied with the results.

A first-hand account of a DDOS attack mitigation

A few days ago, I lived through a DDOS attack at one of the sites I run. It started with the general unavailability of Apache, although the system was idle and the ssh access functioned perfectly. As I already had some experience with DDOS attacks, I immediately looked at the network connections using netstat and saw over 300 IPs sending SYN_REC packets en masse. The attack was much more powerful than any I had ever experienced.

~# netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'| sort |uniq |wc -l
310

I immediately started the APF firewall with RAB enabled and a script to block the offending IPs in iptables, as I had these at hand from the previous DDOS attack:

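BEGIN {
 # count connections per remote address (netstat column 5, port stripped)
 pipe = "netstat -n|gawk '{print $5}'|gawk 'BEGIN{FS=\":\"}{print $1}'|sort|uniq -c |sort -n"
 while (( pipe| getline) > 0 )  {
   # $1 = connection count, $2 = remote address; only dotted-quad IPv4
   # addresses are passed to iptables (skips headers and unix-socket rows)
   if ($1 > 29 && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
     command="/sbin/iptables -I INPUT -s " $2 " -j DROP"
     date="date"
     result=""
     command | getline result
     close(command)
     date | getline dateresult
     # close so that "date" is run again for the next entry
     close(date)
     print dateresult " - command: " command ", result: " result >>"/var/log/firewall.log"
     }
   }
   close(pipe)
}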

After a few hours it became clear that the IPs were rotating too often and that the size of the botnet was well over 10,000, so I was left with a choice of either dying under the DDOS or dying from the performance hit of the large pool of IP addresses in iptables. The SYN_REC part was being filtered easily by syncookies; APF activated them on launch. The real problem was the HTTP flood.
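
The cost of one iptables rule per address, described above, can be avoided by keeping all offenders in a single hash set that one rule matches. The following is an added example, not the author's script: it assumes the ipset tool is installed, the set name flooders is made up for the example, and the netstat sample is constructed.

```shell
#!/bin/sh
# Added example, not the author's script. Assumes ipset is installed;
# the set name "flooders" is made up for this example.

# Read `netstat -n` output on stdin; print every IPv4 peer that holds at
# least $1 TCP connections (default 30, the cut-off used in the post).
flooders() {
    awk -v min="${1:-30}" '
        $1 ~ /^tcp/ && NF >= 6 {            # TCP rows only, skips headers/unix
            ip = $5
            sub(/:[0-9]+$/, "", ip)         # strip the port
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                n[ip]++                     # anything not IPv4 is ignored
        }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' | sort
}

# Emit `ipset restore` input: one hash:ip set holding all offenders.
ipset_restore_input() {
    echo "create flooders hash:ip"
    flooders "$1" | sed 's/^/add flooders /'
}

# Constructed sample of `netstat -n` output.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:40112       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40113       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40114       SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.7:51000      ESTABLISHED
tcp6       0      0 ::1:80                  ::1:50022               ESTABLISHED
unix  3      [ ]         STREAM     CONNECTED     12345
EOF
}

# Demo with a threshold of 3. On a live host (as root):
#   netstat -n | ipset_restore_input | ipset -exist restore
#   iptables -I INPUT -m set --match-set flooders src -j DROP   # once
sample_netstat | ipset_restore_input 3
```

This only removes the per-rule lookup cost in the firewall; it does nothing about the HTTP flood itself.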

Bye-bye, Yahoo!

I am probably the last webmaster in the world to ban Yahoo! Slurp from indexing my sites. Now, I am resolved. Bye-bye, Yahoo! You were just behaving too badly.

iptables -A INPUT -s 66.196.64.0/18 -j DROP
iptables -A INPUT -s 68.142.192.0/18 -j DROP
iptables -A INPUT -s 72.30.0.0/16 -j DROP
iptables -A INPUT -s 74.6.0.0/16 -j DROP

How to expose a web application through Apache

I did this a few times in my life, and every time it was painful to reconstruct the necessary toolset and configuration options. So, here it goes. First, enable the proxy support.

~# a2enmod proxy # utility functions
~# a2enmod proxy_http # http forwarding
~# a2enmod proxy_html # html rewriting
~# a2enmod headers # http headers rewriting

Then, assuming that your web application runs on port 3031 on the same host as Apache, and you want to make it available at the /demo url in Apache, write the following in the Apache config:

<IfModule mod_proxy.c>
  <IfModule mod_proxy_http.c>
    <IfModule mod_proxy_html.c>
      <IfModule mod_headers.c>
        # reverse proxy only; ProxyRequests On would turn Apache into an open forward proxy
        ProxyRequests Off
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>

        ProxyPass  /demo http://localhost:3301
        ProxyPassReverse /demo http://localhost:3301
        <Location "/demo">
            # ask the localhost to return the uncompressed HTML
            RequestHeader   unset   Accept-Encoding
            # Filter Responses through mod_proxy_html
            SetOutputFilter proxy-html
            # convert URLs in CSS and JavaScript as well
            ProxyHTMLExtended On
            # convert URLs in a.hrefs
            ProxyHTMLURLMap ^/ /demo/ R 
            # convert URLs in CSS and JS
            ProxyHTMLURLMap "'/" "'/demo/" 
            # convert URLs in CSS and JS
            ProxyHTMLURLMap "\"/" "\"/demo/" 
        </Location>
      </IfModule>
    </IfModule>
  </IfModule>
</IfModule>

Tutorial on NetBSD 4.0 i386 setup in kvm.

Create a 10G disk image:

qemu-img create -f qcow2 netbsd-4.0-i386.qcow2 10G

Avoid the hang on boot by passing --no-acpi, and the default network card's timeout by trying out a different card, e.g. -net nic,model=ne2k_pci:

kvm -hda netbsd-4.0-i386.qcow2 -cdrom i386cd-4.0.iso --no-acpi -net user -net nic,model=ne2k_pci

Walk through the installer.

Install additional packages with pkg_add:

export PKG_PATH=ftp://ftp.netbsd.org/pub/NetBSD/packages/4.0/i386
pkg_add vim ctwm firefox wget

Include them in path:

echo 'PATH=$PATH:/usr/pkg/bin' >>/etc/profile
. /etc/profile

Install the latest stable pkgsrc:

wget ftp://ftp.netbsd.org/pub/pkgsrc/pkgsrc-2008Q1/pkgsrc-2008Q1.tar.gz
tar xzf pkgsrc-2008Q1.tar.gz -C /usr

Make sure that pkgsrc fetches binary packages for dependencies, when possible:

echo ".ifdef BSD_PKG_MK
BINPKG_SITES=ftp://ftp.NetBSD.org/pub/NetBSD/packages/4.0/i386
BINPKG_SITES+=/usr/pkgsrc/packages/All
.endif" > /etc/mk.conf

Configure pkg_online to be able to search for packages:

cd /usr/pkgsrc
cvs -d:pserver:anonymous@pkgsrc-wip.cvs.sourceforge.net:/cvsroot/pkgsrc-wip login
cvs -z3 -d:pserver:anonymous@pkgsrc-wip.cvs.sourceforge.net:/cvsroot/pkgsrc-wip checkout -P wip
cd /usr/pkgsrc/wip/pkg_online
unset PKG_PATH
make package DEPENDS_TARGET=bin-install

Search for additional packages:

pkg_online_find :s:pptp

P.S. Thanks to Aleksey Cheusov <vle@gmx.net> for implementing and making available pkg_online.

The best photos from Photosight on the desktop, take 2

Well, here is one more take. On January 8, Photosight changed the structure of its site and broke the photosight wallpaper for Windows that so many had come to love, as well as the scripts for automatically setting the "photo of the day" as the desktop background that users of other OSes relied on.

Then again, nothing can save you from a stubborn IT guy. Here is a new script for the Gnome desktop, for everyone to use:

cd /tmp
ID=`wget -q -O - http://www.photosight.ru/wallpaper/week.wp` && \
wget -q -N  http://img-`date '+%Y-%m'`.photosight.ru/`date '+%d'`/$ID.jpg && \
gconftool-2 -t str --set /desktop/gnome/background/picture_filename /tmp/$ID.jpg && \
gconftool-2 -t str --set /desktop/gnome/background/picture_options "centered"

And here is a version for KDE, based on a comment:

cd /tmp
ID=`wget -q -O - http://www.photosight.ru/wallpaper/week.wp` && \
wget -q -N  http://img-`date '+%Y-%m'`.photosight.ru/`date '+%d'`/$ID.jpg && \
dcop kdesktop KBackgroundIface setWallpaper /tmp/$ID.jpg 4

Controlling the size of the $PWD in bash, version 2

Er... after reading the insightful comments at debian-administration.org, I figured out a much shorter version which is also easier to understand. Tested on GNU bash, version 3.1.17(1)-release (i486-pc-linux-gnu).

function truncate_pwd
{
    newPWD="${PWD/#$HOME/~}"
    local pwdmaxlen=$((${COLUMNS:-80}/4))
    if [ ${#newPWD} -gt $pwdmaxlen ]
    then
        newPWD=".+${newPWD: -$pwdmaxlen}"
    fi
}

PROMPT_COMMAND=truncate_pwd
PS1="${ttyname}@\h:\${newPWD}\\$ "
