Upgraded server kernel to 2.6.11-hardened-r15. Upgraded a few system utilities. No casualties have appeared.
So I’ve been setting up Webalizer and I got it all working with my virtual hosts, and was looking through the results and noticed that biz.mindstab.net was getting a lot of referrals from places like www.halfpricebooks.ca. I was confused, so I went to the site. And it was my site. So…
haplo@nika ~/src/apps/ww2d $ dig www.halfpricebooks.ca

; <<>> DiG 9.3.1 <<>> www.halfpricebooks.ca
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4044
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.halfpricebooks.ca.         IN      A

;; ANSWER SECTION:
www.halfpricebooks.ca.  43200   IN      A       220.127.116.11

;; AUTHORITY SECTION:
halfpricebooks.ca.      86400   IN      NS      ns2.netnation.com.
halfpricebooks.ca.      86400   IN      NS      ns1.netnation.com.

;; ADDITIONAL SECTION:
ns1.netnation.com.      64772   IN      A       18.104.22.168
ns2.netnation.com.      66831   IN      A       22.214.171.124

;; Query time: 115 msec
;; SERVER: 126.96.36.199#53(188.8.131.52)
;; WHEN: Fri Sep 30 23:01:03 2005
;; MSG SIZE  rcvd: 136

That’s right. Their domain now resolves to me. And we can thank our colocation company in common, Netnation, for this. And according to my logs it’s been going on at least this whole month. I also have bclotto.ca and www.zyrtec.ca.
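The check a practitioner would want after a surprise like this is a script that takes the referrer hostnames the access log (and hence Webalizer) reports, drops the ones you actually own, and resolves the rest to see which of them point at your address. The following is an added example, not code from the original post: the Apache combined-format log lines are constructed samples, OUR_ADDRS is the A record the dig output above returned, OUR_NAMES is an assumption based on the post, and the resolver is injectable so the check runs offline against a constructed table (the real resolver is socket.gethostbyname).

```python
"""Find foreign hostnames whose DNS points at this server.

Added example, not code from the original post.  Hostnames are pulled
from the Referer field of Apache combined-format access-log lines, names
we own are discarded, and the rest are resolved; a foreign name that
resolves to one of our addresses is a domain someone else's DNS has
pointed at this box, like halfpricebooks.ca above.
"""
import re
import socket
from urllib.parse import urlsplit

OUR_ADDRS = {"220.127.116.11"}                    # assumption: the A record dig returned above
OUR_NAMES = {"mindstab.net", "biz.mindstab.net"}  # assumption: the names this server really serves

# Constructed sample log lines in Apache "combined" LogFormat.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Sep/2005:22:58:11 -0700] "GET / HTTP/1.1" 200 512 "http://www.halfpricebooks.ca/" "Mozilla/4.0"
10.0.0.6 - - [30/Sep/2005:22:59:40 -0700] "GET /about HTTP/1.1" 200 1024 "http://biz.mindstab.net/" "Mozilla/4.0"
10.0.0.7 - - [30/Sep/2005:23:00:02 -0700] "GET /x HTTP/1.1" 404 200 "-" "curl/7.x"
10.0.0.8 - - [30/Sep/2005:23:00:30 -0700] "GET / HTTP/1.1" 200 512 "http://www.example.org/page" "Mozilla/4.0"
"""

# Constructed offline answers standing in for real DNS.
FAKE_DNS = {"www.halfpricebooks.ca": "220.127.116.11", "www.example.org": "203.0.113.9"}


def offline_resolve(host):
    """Resolver stand-in: answers from FAKE_DNS and raises gaierror on NXDOMAIN, like gethostbyname."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror("constructed NXDOMAIN for " + host)


COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)


def referrer_hosts(log_text):
    """Lower-cased hostnames seen in the Referer field; '-' and malformed lines are skipped."""
    hosts = set()
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m or m.group("referer") == "-":
            continue
        host = urlsplit(m.group("referer")).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def foreign_names_pointing_at_us(log_text, resolve=socket.gethostbyname,
                                 our_addrs=OUR_ADDRS, our_names=OUR_NAMES):
    """Map each foreign referrer hostname that resolves to one of our addresses to that address.

    Names that do not resolve (NXDOMAIN, timeout) are ignored: they cannot be pointed at us.
    """
    hits = {}
    for host in sorted(referrer_hosts(log_text) - our_names):
        try:
            addr = resolve(host)
        except OSError:  # socket.gaierror subclasses OSError
            continue
        if addr in our_addrs:
            hits[host] = addr
    return hits


if __name__ == "__main__":
    for host, addr in foreign_names_pointing_at_us(SAMPLE_LOG, resolve=offline_resolve).items():
        print(f"{host} resolves to {addr}, which is one of our addresses")
```

Run it with the default resolver against a real access log to get live answers. The reason biz.mindstab.net was the vhost collecting these hits is worth noting: with name-based virtual hosting, Apache sends any request whose Host header matches no ServerName or ServerAlias to the first VirtualHost defined for that address, so a stranger's domain pointed at the server gets served whatever site happens to be listed first. Making that first vhost a dedicated catch-all that returns an error keeps the real sites from being served under names you do not control.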
I upgraded Apache using Gentoo’s new ebuilds, which have MPM support. I selected the somewhat experimental MPM peruser because it’s a good solution for security: each vhost can have its own user/group settings. The Gentoo ebuild even has a patch that the core peruser patch doesn’t have, which allows it to not crash during CGI operations on Apache 2.0.54. Very nice. Anyways, due to the way peruser works, it doesn’t work with mod_ssl. So, as recommended, I’ve dropped Pound in in front of port 443. Pound is a reverse proxy which, among other things, can do HTTPS. So everything seems to be coming back into place. I also upgraded PHP, WordPress, MediaWiki, and Gallery.
A note to myself for the future as much as anyone. The ident protocol sucks. It’s old, insecure, and no one uses it, and yet all server programs seem to check with it, which blows with firewalls because it usually times out, slowing everything down. Anyways, for proftpd:
Well, with the news that Hotmail will soon be enforcing SPF, I decided to get around to working around the Telus firewall that blocks all outgoing SMTP traffic except to their spamhole. So I used iptables to route port 8025 to 25. So far so good. I got SMTP auth working, but qmail only accepts it if you are using SSL. OK. Well, everything is in place, let’s give it a test. Unfortunately it seems to take 5 minutes for each message to be sent with Evolution. I’ve tried a few things (turned off any qmail and tcpserver reverse lookups) but nothing seems to work. Then I added SPF info to my DNS configs. So I have slow outgoing, but it’s SPF certified. I blame the Telus firewall somehow. I need to get my hands on a Rogers internet connection.
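Publishing an SPF record is only half the job; the other half is checking that the record you wrote actually passes the addresses you send from and fails everything else, in the order you wrote the mechanisms, because the first matching mechanism wins. The evaluator below is an added example and not part of the original post or of qmail: it implements the ip4, ip6, a, mx, include and all mechanisms of RFC 7208 with the four qualifiers, and anything else (ptr, exists, macros, redirect=, exp=) deliberately returns permerror rather than guessing. DNS goes through an injectable lookup so it runs offline against a constructed zone; the record, hostnames and addresses in that zone are assumptions for illustration, not mindstab.net’s real zone.

```python
"""Minimal SPF (RFC 7208) evaluator with an injectable DNS lookup.

Added example, not the post's code.  check_spf() returns one of
pass / fail / softfail / neutral / none / permerror for a sender IP
claiming to send as a domain, walking the record left to right and
stopping at the first matching mechanism, as a receiver would.
"""
import ipaddress

# Constructed zone used in place of real DNS: (name, rrtype) -> list of rdata.
# MX rdata is kept as bare hostnames (preferences dropped) to keep the sample small.
ZONE = {
    ("mindstab.net", "TXT"): ["v=spf1 a mx ip4:220.127.116.11 include:_spf.example.net -all"],
    ("mindstab.net", "A"): ["220.127.116.11"],
    ("mindstab.net", "MX"): ["mail.mindstab.net"],
    ("mail.mindstab.net", "A"): ["220.127.116.11"],
    ("_spf.example.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
}


def zone_lookup(name, rrtype):
    """DNS stand-in: answer from the constructed ZONE; empty list means no such records."""
    return ZONE.get((name.lower(), rrtype), [])


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _host_matches(ip, name, dns):
    """True if `name` has an A (or AAAA, for IPv6 senders) record equal to ip."""
    rrtype = "A" if ip.version == 4 else "AAAA"
    return any(ip == ipaddress.ip_address(rdata) for rdata in dns(name, rrtype))


def check_spf(sender_ip, domain, dns=zone_lookup, depth=0):
    """Evaluate the SPF record of `domain` for `sender_ip`."""
    if depth > 10:                      # RFC 7208 limits DNS-querying terms; includes recurse
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in dns(domain, "TXT") if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:                # more than one SPF record is a permanent error
        return "permerror"
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # ip_network.__contains__ is False for a version mismatch, so ip4 never matches IPv6.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "a":
            matched = _host_matches(ip, arg or domain, dns)
        elif name == "mx":
            matched = any(_host_matches(ip, mx, dns) for mx in dns(arg or domain, "MX"))
        elif name == "include":
            sub = check_spf(sender_ip, arg, dns, depth + 1)
            if sub in ("permerror", "none"):   # RFC 7208 4.5.6: a missing included record is an error
                return "permerror"
            matched = sub == "pass"           # include only matches on pass
        else:
            return "permerror"                # ptr, exists, macros and modifiers are not implemented
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                          # record exhausted without a match


if __name__ == "__main__":
    for ip in ("220.127.116.11", "198.51.100.7", "203.0.113.4", "2001:db8::1"):
        print(ip, "->", check_spf(ip, "mindstab.net"))
```

Two things the walk-through makes visible that the zone file does not: an address is accepted by the first mechanism that covers it, so listing `a mx` before `ip4:` is harmless but a `~all` placed before a later `ip4:` would silently shadow it; and `include:` counts only a pass from the other domain, so a softfail inside the included record never passes the outer check.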
Frost is officially offline for the first time since September 2002. A good long run (2.5 years). I dropped Janus in tonight as the replacement (133 MHz/80 MB to 166 MHz/128 MB). Which probably doesn’t mean too much to any of you, since the whole site and such has been moved to kvasir already; however, frost was still providing limited public services in the form of a secondary DNS for mindstab.net. And my personal firewall. That is all at an end tonight though. Janus has assumed all the responsibilities and seems to be working well so far. I’ll play around with frost in the next little while to see if I can resurrect it as a menial spare firewall, but in the last month since the last power failure frost’s been painfully slow, and I’m blaming its hard drive (and hopefully that’s all):

root@frost ~ # hdparm -tT /dev/hda

/dev/hda:
 Timing buffer-cache reads:    8 MB in  2.74 seconds =   2.92 MB/sec
 Timing buffered disk reads:   4 MB in  4.81 seconds = 851.56 kB/sec
OK. So I’ve almost learned my lesson. No messing around whatsoever with the “production” server. I’ve been playing with Apache, which is why things have been a bit off the last few days. Plus some odd bugs. I guess that’s what I get for some of the neat patches in the unstable version. mpm_peruser is the future. It allows each vhost to run with a different user, group and chroot. However, right now it also seems to do things for me like make Apache segfault whenever anyone connects with a POST form :(. So I’ll wait. So yeah. Things seem to be coming back into shape.
In more interesting news, I grabbed a little notebook (paper kind) to carry around and jot notes in on projects in an effort to motivate me to work on stuff. So I’ve already thought of some profiling tests I want to run before I start vm2. Whee. And I’m trying to install Win XP in qemu so I can play StarCraft without rebooting. Wish me luck. I’ll be home permanently Thursday (house sitting now), so that should speed things up (and is why you’ve heard precious little from me this month).
So I’m house sitting with less than optimal net connections: a shared Mac with Mac OS 9. So I’ve just been ignoring it. Then I get a call saying the site is down. Boo. So I check it out. Down. Google and get Mac SSH and SSH to frost. Kvasir is unresponsive to pings. Big boo. Call Netnation (my colo facility) and ask when I can come in to look at my server because it seems to have crashed, or something. And lo and behold, it turns out they had a massive power surge on the weekend. Shortly thereafter they turn my server on manually. And here we are, back online. I’m not stunningly comforted by the fact that this was the first in 8 years. I’ve only been with them like a month and a half. Power doesn’t seem to like me. Anyways, everything seems to be OK so far.
Well, I got QmailAdmin working so that users can now change email passwords from an online interface. This is good(tm). I am pleased. Next up, the other half: getting a system in place so that users can change their FTP password. That might be a little harder with my current vsftpd setup. More research is required.