Category Archives: In English

Traffic shaper

I’ve been promoting Firehol to those who need a good firewall. Firehol is actually not a firewall by itself; it is a firewall scripting language that is very easy to use, even for newbies. Underneath, it uses Linux’s iptables to build the firewall.
I recommend Firehol to others because it is really easy to script (and I mean it), which minimizes the chance of human error, yet it still lets us build a complex firewall should there be a need to do so. And because everything is configured in a single file (/etc/firehol.conf), I can easily manage the firewalls of servers all over the world over an SSH connection.

But I have yet to find a good traffic shaper to accompany it. A client, for whom I installed Firehol as part of my consulting work, has asked me for a way to control the bandwidth utilization of her Internet connection. So far, I have not found anything suitable.
Some traffic shapers require their own firewall, some need a dedicated server, others are just plain cumbersome to manage, and so on.

Luckily, today I read on Firehol’s mailing list about [ CTshaper ].
It was based on Wondershaper, but has since been developed extensively and no longer resembles it. What is special about CTshaper is that it is similar to Firehol in terms of ease of use, and it works with an existing Firehol setup. It couldn’t be easier: just include “extras/shaper.conf” at the top of Firehol’s config file, and that’s it. I like how simple this is.

Hopefully you’ll find it useful too.

Linux diagnostic software

One of the servers under my supervision started to experience problems a few weeks ago. It has had several kernel Oops-es (the equivalent of Windows’ BSOD, I think), but sometimes it just crashed hard, with no message whatsoever in the log files. This had me baffled for a while; at first I thought Fedora needed to be upgraded to the latest version. But then it became clear that even after applying the latest updates, it was still experiencing problems.

Somebody pointed out that memory should be the prime suspect in this case. So I ran memtest86, and true enough, it found hundreds of bad bits in the first 512MB.
Unfortunately, it is NOT possible to print out the error messages from memtest86, which will cause problems for me when I try to return the memory module to the supplier. So I started to look around.
(note to self: recheck that these errors are not caused by wrong memory timing in BIOS)

Thankfully there’s memtester. I’ll probably give it a try tomorrow.

Along the way, I found several other relevant links:

[ An excellent guide on troubleshooting hardware problems on Linux ]
[ List of many diagnostic tools on Linux ]
[ Comprehensive list of tools and procedures for testing hardware on Linux ]

Hope you’ll find it useful.

phpMailman

Last year I spent about 2 weeks working on [ phpMailman ].
Unfortunately, I had to abandon it because I was assigned to other projects.

It was one of the most interesting projects, and potentially one of the most useful, that I have worked on. And it seems that quite a lot of others agree: I still get emails asking about it.

In short, phpMailman is mailing list (milis) software: a set of PHP scripts that use a MySQL database to store their data.
It requires very little to run (most web hosting packages will suffice) and is easy to set up. These are two things that I found lacking in other mailing list software.

I apologize that I am still not able to continue my work on it. Meanwhile, I have updated the page with more useful information and a link to the latest version. I hope someone will find it useful.

[ homepage of phpMailman ]

suPHP

suPHP is an Apache module that forces PHP scripts to be executed with the permissions of their owner. Instead of running PHP inside the Apache process, it invokes a small setuid root helper (the suphp binary) which switches to the UID and GID of the script’s owner and only then starts the PHP CGI interpreter on the script.

What does that mean ?

It means that if a script contains a vulnerability and gets exploited, the intruder ends up with that particular user’s permissions and nothing more: the other accounts on the same server are not exposed through it. This limits the blast radius between customers on a shared host; it does not protect the compromised account itself, and it only helps if the other users’ directories are not world-readable in the first place.

This module is not supposed to be used together with mod_php. And anyway, if you are using mod_php, any exploited PHP script gives the intruder access to everything that Apache itself can read or write, since mod_php executes every script as Apache’s user. The price of suPHP is performance: PHP runs as a CGI program, so every request starts a fresh interpreter, which is noticeably slower than mod_php.

Needless to say, suPHP would be of high interest to web hosters, along with mod_security.
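As an added illustration (written for this page, not taken from the original post or from suPHP’s own documentation), here is what such a setup looks like: an Apache virtual host that hands .php files to suPHP instead of mod_php, followed by the /etc/suphp.conf settings that make the “runs as its owner” promise hold. The user alice, the paths and the UID/GID thresholds are assumptions for the example; the directive and option names are suPHP’s.

```apache
# Apache side: an example virtual host that hands .php files to suPHP.
# Do not load mod_php alongside it; if both are present, mod_php may take
# the .php handler and run scripts as the Apache user after all.
<VirtualHost *:80>
    ServerName alice.example
    DocumentRoot /var/www/alice/public

    <IfModule mod_suphp.c>
        AddHandler x-httpd-php .php
        suPHP_AddHandler x-httpd-php
        suPHP_Engine on
        # Only available when suPHP was built in "force" or "paranoid" mode:
        # force runs every script here as alice, paranoid runs it as the file
        # owner and refuses if the owner is not alice. Omit in "owner" mode.
        suPHP_UserGroup alice alice
        # Optional: directory holding a per-site php.ini (assumed path).
        suPHP_ConfigPath /var/www/alice/etc
    </IfModule>

    <Directory /var/www/alice/public>
        # No CGI, SSI or listings here: suPHP is the only way code should run.
        Options -ExecCGI -Includes -Indexes
    </Directory>
</VirtualHost>

# suPHP side, /etc/suphp.conf (INI syntax; ';' starts a comment there).
[global]
logfile=/var/log/suphp/suphp.log
loglevel=warn
webserver_user=www-data
docroot=/var/www
; Never execute a script, or descend a directory, that another user could
; have modified: that would let one customer plant code that runs as another.
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
; Never switch to root or a system account, whatever the file owner says.
min_uid=1000
min_gid=1000
; The script must live below the DocumentRoot of the vhost that served it.
check_vhost_docroot=true
; Interpreter error text stays in the log, not in the HTTP response.
errors_to_browser=false
umask=0077
env_path=/bin:/usr/bin

[handlers]
x-httpd-php="php:/usr/bin/php-cgi"
```

To check that it took effect, a throwaway script that prints get_current_user() and posix_geteuid() should report the site owner’s name and UID; if it shows www-data (or whatever Apache runs as), mod_php is still serving the file. The writeable checks are the part worth keeping strict: suPHP refuses to run a script that is group- or world-writeable precisely because such a file could have been altered by a neighbouring account.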

mod_security

mod_security is an Apache module designed to do what a conventional firewall cannot: inspect HTTP requests and block application-level attacks. In today’s terms it is a web application firewall.

A conventional firewall blocks attacks at the packet level, and on almost every network it has to leave port 80 open so that the web server behind it can be reached. Conventional firewalls have become very good at their job, so criminals have found that it can be much easier to breach your network through that open port instead: the web server and the applications on it are reachable by design, and an attack carried inside a well-formed HTTP request passes straight through a packet filter.

This is where mod_security comes to your assistance.

It is able to do quite a lot. For example, it can filter user requests based on your own rules, in both GET parameters and POST bodies, protecting you from SQL injection, XSS, directory traversal and other attacks.
Those are already quite powerful, but there is more. It also makes it easy to run Apache chroot-ed, to invoke a virus scanner on uploaded files, to limit admin access by IP address, to detect intrusions, to stop information leaks (such as interpreter error messages in responses), and even to stop the famous FormMail from being abused to send spam. Your creativity is pretty much the limit. One caveat: its filters are pattern matches, so they catch only what the rules describe, and an overly broad pattern will block legitimate requests; new rules are best run in log-only mode against real traffic before they are set to deny.

I can’t praise this thing enough. If you haven’t installed it, I recommend you do, ASAP.
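As an added example (written for this page, not copied from the mod_security documentation or from the original post), here is a configuration that does each of the things listed above, in the mod_security 1.x directive syntax of the period; ModSecurity 2.x and later replaced SecFilter* with SecRule, but the ideas carry over. The log paths, the operator address 192.0.2.10, the recipient domain example.com, the FormMail path and the scanner script name are assumptions.

```apache
<IfModule mod_security.c>
    SecFilterEngine On
    # Inspect request bodies too; without this, POSTed payloads pass unseen.
    SecFilterScanPOST On
    # Reject requests whose URL encoding is malformed or whose bytes fall
    # outside printable ASCII. Widen the range (e.g. 1 255) on sites that
    # legitimately accept non-ASCII text, or it will block real users.
    SecFilterCheckURLEncoding On
    SecFilterForceByteRange 32 126
    # What a match does by default: log it and answer 403.
    # Use "log,pass" instead while tuning new rules against real traffic.
    SecFilterDefaultAction "deny,log,status:403"
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # SQL injection: statement fragments in any GET or POST parameter.
    # A plain SecFilter matches anywhere in the request, so a pattern like
    # "select.+from" will also trip on ordinary prose in a comment form.
    SecFilter "union[[:space:]]+select"
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "drop[[:space:]]+table"
    # Cross-site scripting: script tags and javascript: URLs.
    SecFilter "<[[:space:]]*script"
    SecFilter "javascript:"
    # Directory traversal.
    SecFilter "\.\./"

    # Information leak: scan responses and refuse to send PHP fatal errors
    # (response scanning is a 1.9 feature).
    SecFilterScanOutput On
    SecFilterSelective OUTPUT "Fatal error:" deny,status:500

    # Admin area: reachable only from the operator's address.
    <Location /admin/>
        SecFilterSelective REMOTE_ADDR "!^192\.0\.2\.10$"
    </Location>

    # FormMail: accept only recipients in our own domain. The spam abuse
    # worked by pointing the recipient parameter at arbitrary addresses.
    <Location /cgi-bin/FormMail.pl>
        SecFilterSelective ARG_recipient "!@example\.com$"
    </Location>

    # Uploaded files: store each upload and pass its path to an external
    # scanner, which must print 1 on its first line to approve the file.
    SecUploadDir /var/spool/modsec-upload
    SecUploadApproveScript /usr/local/bin/modsec-clamscan.sh

    # Chroot: once started, Apache is confined below this directory.
    # Everything it touches at run time (logs, PHP and its libraries,
    # the upload directory above) must exist inside it.
    SecChrootDir /chroot/apache
</IfModule>
```

The same SQL injection check in the later ModSecurity 2.x syntax reads `SecRule ARGS "@rx union\s+select" "id:1001,phase:2,deny,status:403,log"`, with the rule applied to the named collection ARGS rather than to the whole request. Whatever the version, keep the audit log on and watch it after every rule change: a denied legitimate request shows up there long before the user complains.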

Further readings:
# Excellent introduction to mod_security
# chroot-ing Apache with mod_security
# ApacheSecurity.net – the website for Ivan Ristić’s (yet to be released) book, which already contains a few security tools that may be of interest to you
# HOWTO: installing mod_security on Debian stable