‘./NS/IN’ denied?
The world of server maintenance has drawn me in yet again. It seems as though my server has been rebooting itself for no apparent reason.
While trying to track this down I noticed something odd in /var/log/syslog. There was a DNS request from a single IP address arriving every second or so.
Mar 2 20:09:27 neaz named[4701]: client 62.109.4.89#32136: query (cache) ‘./NS/IN’ denied
Mar 2 20:09:28 neaz named[4701]: client 62.109.4.89#50634: query (cache) ‘./NS/IN’ denied
Mar 2 20:09:30 neaz named[4701]: client 62.109.4.89#14324: query (cache) ‘./NS/IN’ denied
Mar 2 20:09:32 neaz named[4701]: client 62.109.4.89#19968: query (cache) ‘./NS/IN’ denied
Mar 2 20:09:33 neaz named[4701]: client 62.109.4.89#35100: query (cache) ‘./NS/IN’ denied
Mar 2 20:09:34 neaz named[4701]: client 62.109.4.89#18747: query (cache) ‘./NS/IN’ denied
It seems that this is a possible DDoS. Roughly speaking, someone is sending small DNS queries to my machine and it replies to whatever source IP address the packet claims. The problem is that the IP address my server is responding to *may not be the one actually asking*: the source address is spoofed, so the replies land on the real victim. A query for the root NS records is tiny while a full answer is much larger, so a server that answered it would amplify the attacker's traffic. Here named refuses the query (the client is not allowed to read the cache), but it still sends a REFUSED response to the spoofed address for every packet it receives.
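To spot this pattern without eyeballing syslog, here is an added Python example (not code from the original post) that parses the named "query (cache) ... denied" lines quoted above and flags any client that sends a burst of them. The log lines in the block are constructed to match the format shown in the post, and the threshold of 5 queries within 60 seconds is an assumption for illustration.

```python
"""Flag bursts of BIND 'query (cache) ... denied' events per client IP.

Added example, not code from the original post. SAMPLE_LOG is constructed
to match the named log format quoted in the post; the thresholds in
flag_clients() are assumptions chosen for illustration.
"""
import re
from collections import Counter
from datetime import datetime

# Matches lines like:
#   Mar 2 20:09:27 neaz named[4701]: client 62.109.4.89#32136: query (cache) './NS/IN' denied
# Both straight and curly quotes are accepted because the post renders them curly.
DENIED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) "
    r"[‘'](?P<q>[^’']+)[’'] denied$"
)

# Constructed sample: six queries from one address in seven seconds, one
# stray query from another address, and an unrelated sshd line.
SAMPLE_LOG = """\
Mar 2 20:09:27 neaz named[4701]: client 62.109.4.89#32136: query (cache) './NS/IN' denied
Mar 2 20:09:28 neaz named[4701]: client 62.109.4.89#50634: query (cache) './NS/IN' denied
Mar 2 20:09:29 neaz named[4701]: client 192.0.2.7#5353: query (cache) './NS/IN' denied
Mar 2 20:09:30 neaz named[4701]: client 62.109.4.89#14324: query (cache) './NS/IN' denied
Mar 2 20:09:32 neaz named[4701]: client 62.109.4.89#19968: query (cache) './NS/IN' denied
Mar 2 20:09:33 neaz named[4701]: client 62.109.4.89#35100: query (cache) './NS/IN' denied
Mar 2 20:09:34 neaz named[4701]: client 62.109.4.89#18747: query (cache) './NS/IN' denied
Mar 2 20:09:35 neaz sshd[812]: Accepted publickey for brad from 198.51.100.4 port 40122
""".splitlines()


def parse_denied(lines):
    """Yield (timestamp, client_ip, query) for every denied-query line."""
    for line in lines:
        m = DENIED_RE.match(line.strip())
        if m:
            # syslog timestamps carry no year; strptime fills in 1900, which is
            # fine because only differences between timestamps are used.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["ip"], m["q"]


def flag_clients(lines, min_count=5, max_window_s=60):
    """Return {ip: (count, queries_per_second)} for clients that produced at
    least min_count denied queries with first and last event no more than
    max_window_s seconds apart."""
    counts, first, last = Counter(), {}, {}
    for ts, ip, _query in parse_denied(lines):
        counts[ip] += 1
        first.setdefault(ip, ts)
        last[ip] = ts
    flagged = {}
    for ip, n in counts.items():
        span = (last[ip] - first[ip]).total_seconds()
        if n >= min_count and span <= max_window_s:
            rate = n / span if span else float(n)
            flagged[ip] = (n, round(rate, 2))
    return flagged


if __name__ == "__main__":
    for ip, (n, rate) in flag_clients(SAMPLE_LOG).items():
        # Because the source address is spoofed, the flagged IP is more likely
        # the victim than the attacker; treat it as a lead, not a blocklist entry.
        print(f"{ip}: {n} denied queries, {rate}/s")
```

Run against the real file with `flag_clients(open("/var/log/syslog"))`; the function only keeps per-IP counters, so it handles a large log without loading it into memory.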
So to solve this problem I initially just banned the IP address from connecting.
sudo iptables -I INPUT -s 62.109.4.89 -j DROP
This seems to have stopped the DNS problem - but it has a nasty side effect - this IP address can't actually connect to my server for anything (mail, web, etc). Not necessarily a big deal, although since the source address is spoofed, 62.109.4.89 is probably the victim rather than the attacker. What is a big deal is that the next round can spoof someone else's IP address. I'd then have to run the iptables command again, and again, and again.
Now the good thing is that Tom Hayward’s seen this problem and has a slightly better solution.
sudo iptables -I INPUT -p udp --dport 53 -m length --length 45 -j DROP
He's gone to the trouble of sniffing the length of the packet and applying that to the iptables rule. This rule basically stops all UDP traffic on port 53 (DNS) that's 45 bytes long from being processed by the server. The 45 bytes is the total IP packet length, which is what `-m length` measures: a 20-byte IPv4 header, an 8-byte UDP header and the 17-byte DNS query (12-byte header, the 1-byte root name, 2-byte type, 2-byte class). The rule is a precise fit for this particular flood, which is also its weakness: any legitimate 45-byte query is dropped too, and a query for a different name, or one carrying an EDNS OPT record, is a different size and sails straight past it.
You can test this out if you have a shell open. If your version of dig adds an EDNS OPT record by default, the query comes out at 56 bytes rather than 45 and won't match the rule, so add +noedns to send the plain form.
dig . NS @localhost
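To see exactly where the 45 comes from, here is an added Python example (not from the original post or from Tom Hayward) that builds the DNS query `dig . NS` puts on the wire and adds the IPv4 and UDP headers that `iptables -m length` counts. It also shows the two ways a query slips under the rule: an EDNS0 OPT record, and any name other than the root. The transaction ID and the 4096-byte EDNS buffer size are arbitrary choices for the example.

```python
"""Compute the on-the-wire size of a DNS query as iptables -m length sees it.

Added example, not code from the original post. The 0x1234 transaction ID
and the 4096 EDNS payload size are arbitrary values chosen for illustration.
"""
import struct

IP_HDR = 20      # IPv4 header without options
UDP_HDR = 8      # UDP header
QTYPE_NS = 2
QTYPE_A = 1
QCLASS_IN = 1
OPT_TYPE = 41    # EDNS0 OPT pseudo-RR


def encode_name(name):
    """DNS wire encoding of a name: length-prefixed labels, then a zero byte.
    The root '.' is just the single terminating zero byte."""
    name = name.rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_NS, edns=False, txid=0x1234):
    """Minimal DNS query: 12-byte header, one question, optional OPT RR."""
    arcount = 1 if edns else 0
    # id, flags (RD set), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    msg = header + question
    if edns:
        # OPT RR: root name, type 41, class = UDP payload size, TTL 0, no rdata
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
    return msg


def ip_packet_length(dns_msg):
    """Total IPv4 packet length, the quantity iptables -m length matches on."""
    return IP_HDR + UDP_HDR + len(dns_msg)


def matches_length_rule(dns_msg, rule_length=45):
    """True if '-p udp --dport 53 -m length --length 45' would drop this query."""
    return ip_packet_length(dns_msg) == rule_length


if __name__ == "__main__":
    for label, msg in [
        (". NS (dig +noedns)", build_query(".")),
        (". NS with EDNS OPT", build_query(".", edns=True)),
        ("example.com NS", build_query("example.com")),
        ("example.com A", build_query("example.com", QTYPE_A)),
    ]:
        print(f"{label:22s} dns={len(msg):2d} ip={ip_packet_length(msg):2d} "
              f"dropped={matches_length_rule(msg)}")
```

The root query is the only one of the four that the rule touches; an attacker who switches to any other name, or a resolver that speaks EDNS, needs a different defence (restricting who may query the cache in named.conf, and rate limiting).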
Or you can head over to the SANS Internet Storm Center who’ve been monitoring this problem and use their webtool
Lastly, make sure you save any changes to your iptables or they’ll disappear on a reboot. (thanks DA)
sudo sh -c 'iptables-save > /etc/iptables.rules'
sudo sh -c 'printf "%s\n" "#!/bin/sh" "iptables-restore < /etc/iptables.rules" > /etc/network/if-up.d/iptables'
sudo chmod +x /etc/network/if-up.d/iptables
Wordpress 2.6 to 2.7.1 Upgrade
This post is short and sweet - just like the wordpress upgrade I just did. I went through the “hassle” of doing the svn checkout during my last upgrade (to 2.6) which if I recall correctly wasn’t too difficult - just a little time consuming. Well it just paid off. I ran the upgrade in two minutes. I SSH’d into the server. Went to the wordpress root and ran svn sw http://svn.automattic.com/wordpress/tags/2.7.1/.
The site stayed up and running and I only had to click on one button in the admin to upgrade the database. Thank you wordpress - you guys rock!
Oh, and just for reference - here’s the svn upgrade url.
Evils of Calorie Counting
Steve’s post about his Raw Food Diet has me thinking again about how having an unhealthy diet affects me physically and mentally. It seems that over the years (decades?!?) my diet has devolved into little more than fast food & junk food.
In 2002, I had experienced a significant weight gain (due to stress & overeating) and came across The Hackers Diet by John Walker, which was revolutionary for me. I had heard of calorie-counting, though it was typically phrased as “portion control”, and THD introduced me to what calories actually are and gave me a format/formula to follow.
Being a lazy programmer, the Taking the easy way out section was quite appealing; buy pre-packaged food with the calories labeled right on the package. It made counting calories easy. And it was easy for breakfast and lunch. Dinner was a bit more difficult since it wasn’t just for myself, but I managed to struggle through it “guessing” the calories I was consuming. I had faith in the feedback loop that I had setup (i.e. daily weigh-ins with weekly adjustments).
I was quite happy calorie counting this way and initially lost 10 pounds in about a month.
Problems started to arise slightly after this though. I found that while I was losing weight, I was also not feeling very well physically or mentally. I was eating a very unbalanced diet, probably close to 80-90% carbs. I started to get colds that would not go away. My mind would be "fuzzy" for most of the day. My emotions started to become very chaotic. I would get "sugar highs" shortly after eating followed by crashes.
This is when the real problems started. I was now addicted to carbs, namely mashed potatoes, spaghetti/noodles, and soda pop. I started to crave calorie rich foods and found I was eating more and more fried and/or fast food. It was at this point that I noticed that my feedback loop was broken (I began to gain weight), and that mixed with a negative emotional cycle pushed me to accelerate my weight gain even further.
I gained over 35 lbs before I was finally able to slow down and stabilize things. I began to cut out fast food, junk food & fried food. I still ate a carb rich diet, but at least that weight gain had stopped.
It’s been 5 years and my weight has been stable. I still crave carbs, but I try to have “good carbs” from fruit instead of from soda pop. Fast food is rare. Meals are a little more balanced. The feedback loop is still in place, I still do daily weigh-ins. I still watch (not count) the calories.
I still want to lose weight (50 lbs if I can) and think that I might experiment with some form of vegetarian diet for a few months, probably by replacing a meal a week with a vegetarian one. Of course, this means I'll have to brush up on the meal planning skills and quite possibly the culinary ones as well.
I’ve learned a lot about myself since the last time I’ve tried to tackle my weight and know that I’ll need more than just a calorie feedback loop to succeed.
Here’s to figuring out what else I’ll need!
Cheers,
Brad
Good People
I spend a lot of time trying to surround myself with good people. It's hard to define exactly what makes a person "good" in my books, but honesty, integrity, and a fundamental belief in win-win are definitely high up on the list.
Why am I writing this? I’ve been trying out a new online resume service and it seems that the site was down for a bit (at least for me). I noticed this as I was in the process of sending out an application and wanted to attach a copy of my resume.
I sent an email out to their technical contact and gave them a heads-up and some (probably not so helpful) diagnostic info.
I ended up getting a response from someone there, who absolutely made my day. I was just looking to be able to download my resume, i.e. get the service back up and running, and it turns out that through corresponding with him, he showed he was a “win-win” person and has unexpectedly helped me out with my job hunt.
Here’s a big thanks to you.
Cheers,
Brad
Lunar Eclipse
Wow. The eclipse last night was something awesome. Not only was this the first lunar eclipse I've borne witness to - I was able to see it through three different telescopes.
Now, I missed the first part of the eclipse - the viewing area was on the far side of the city - but the important part where the moon actually passes into the earth's shadow I was able to see and catch on film. This is not a professional photo - it's my old 2 megapixel camera literally held up to the eyepiece. This is however the best one I got and illustrates the three "phases" of the moon during an eclipse (normal, penumbra & umbra).
As the moon goes through the earth's shadow it starts to darken as it passes through the penumbra and eventually turns a rusty red when it's fully into the umbra.
Are you Galileo?
I’ve been hanging out with a new buddy of mine and he mentioned that he’s built his own telescope. What?!? I had no idea that people still built their own telescopes - I thought it was just Galileo (yes I’m being facetious).
We chatted for quite some time about this (I’m a sci-fi nut so it’s not too far of a stretch to find common ground).
Apparently Calgary gets to witness a total lunar eclipse on the 27th. I’m going to try to bear witness to the entire thing since I’ve never had the opportunity before. And lucky enough I will get to see it through a homemade telescope to boot!
The eclipse is scheduled to start at 7:14pm (MST) and the moon is fully eclipsed by 8:23pm. It starts coming out of the total eclipse at 9:44pm, nearly an hour and a half later! The eclipse finally ends at 10:53pm.
Should be an interesting event to watch.
Don’t Blame Sendmail…
I’ve been having a hell of a time trying to figure out why I can receive some email and not others from my mail server. I noticed a week ago that emails were not getting through from certain domains and it was starting to drive me crazy not being able to figure it out. I’ve had a few problems with my server as of late, this being one of them. My company ended up moving offices on the 1st, so I initially wanted to blame my ISP (who wouldn’t?!?).
After spending quite a bit of time Googling and reading sendmail man pages I had finally learned enough to debug this. How many of you out there know that you can telnet to port 25 and send commands directly to the mail server? In the course of debugging I had figured out that I could receive connections on port 25 and the standard “handshaking” would happen (EHLO, etc…), but for some connections, it would get stuck on the DATA portion.
I finally ended up posting on comp.mail.sendmail. For some odd reason I needed to drop the MTU on my server from 1500 to 576 bytes.
To change the MTU, all you need to do is ifconfig eth0 mtu 576. Note that this setting is not persistent: it is lost on reboot unless you also put it in the interface configuration.
http://www.sendmail.org/faq/section3.html#3.10
http://www.sendmail.org/tips/pathmtu.html
Friend for Budda?
I have a cat. No I’m not a cat lover, but somehow I ended up with a cat.
A good friend of mine early last year was having a bit of a problem. You see, he and his wife are wonderful people and have over the course of years accumulated, oh, 9 cats. A mess, on most days. What's a bigger mess? Well, when one of the cats gets sick. How long does it take for 9 cats to get sick? Not long at all.
They shortly ran out of room to quarantine, and I opened my door to one of their cats, a 7lb runt named Budda. She’s a lovely tabby, about 2/3 the size of a normal cat and was very sheepish. I saw her maybe once a week over the course of a month.
The day came when finally Budda could head “home”, but I - uh - ended up suggesting that she stay. She’d become a little more accustomed to me (and me to her).
Fast-forward a year and a half, I’m glad I kept her. She’s a weird cat, who’s slowly been coming out of her shell - she was at one point a stray so she’s a *lot* shy. I showed her “outdoors” this summer. She would constantly sit by the patio door when the weather was nice (and occasionally meow to let me know she was there). Of course, the slightest noise or movement would have her scurrying back inside in a flash.
My cat friends called me the other night and told me that a good friend of theirs had decided that she was going to be giving up her cat. The question was posed as to whether Budda would like a playmate? Of course, the *real* question is - do I want another cat? This decision has been bothering me for a few days & nights and I just can’t decide - on one hand Budda would have a buddy to run around with, and going from one to two cats isn’t as big of a jump for me as going from none to one was. On the other hand, it’s been a bit of a rollercoaster ride for me as of late - I have so many other challenges in my life right now I doubt I’d keep my sanity if a second cat comes into the picture and it turns out to be a hellion.
What are your thoughts?
Tags: budda
Single Sign on with Tomcat
I’ve been asked by a client to take a look at integrating two of their applications to use single signon. They currently have a “members” area which contains secure webpages for individual clients to see. Typically, each client has their own secure area that no one else can access. This is implemented using BasicAuth in an .htaccess file.
The web application is a Java based (Struts) content management system which uses tomcat’s j_security_check for authentication.
The way that I've tried to integrate these two is to convert the apache security over to tomcat. This was easy to do. I just basically created a new context and moved the content into the appropriate directory. The only thing I needed to do was create the WEB-INF/web.xml directory/file. I needed to tweak the web.xml to restrict files the way I wanted it to. Basically, if someone goes to http://www.example.com/members/ they are forced to log in (Basic authentication for now, which only protects the credentials if the pages are served over HTTPS, since Basic sends them base64-encoded rather than encrypted). There's an index.jsp file that checks the user name and redirects the client to http://www.example.com/members/"username"/.
Integrating the two webapps was also fairly easy. I needed to take the Realm out of each of the contexts and move it into the Host portion of the server.xml file. Basically, this forces all of the contexts in the host to use the same authentication module, so a login in one can be recognised in the others (each webapp still keeps its own session; what gets shared is the authenticated identity). The only other thing was to add this…
<Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="0"/>
…inside of the host portion as well.
There’s a whole lot more that can be done, but this is great for a start since it only took a few hours to figure out and fix any problems I encountered.
Calgary Stampede
I went to see the chuckwagon races at the Calgary Stampede yesterday. What a blast. It had been a long time since I’ve been to a wagon race - I’m embarrassed to say close to 20 years. Joe Carbury is legendary, you just won’t find too many announcers being able to draw you into a race like he can. Now I don’t really follow the sport, so it’s interesting to note that some of these guys - probably most of them - are professionals. It’s amazing that guys can make a living off of riding a wagon in a circle.
As for the rest of the day, there’s the Grandstand Show right after the chucks followed by fireworks later on. Of course, there’s tonnes of other things too - casino, amusement park & rides, lots of well known musicians play for free on the grounds, a petting zoo for the kids (and adults), and the best part the beer gardens
If you’re ever in Calgary during Stampede time, get in the spirit & grab a cowboy hat and some boots - I have no doubt in my mind that you’ll love every minute of it.
