How-To
How To disable Time Machine’s MobileBackup
Starting with Lion I noticed that Time Machine is running even when my Time Capsule is not available. I also noticed that Finder shows a different amount of used disk space than df. My MacBook Pro’s SSD also got somewhat slow. Turned out it’s Time Machine’s MobileBackup function.
If you want to disable MobileBackup and free up the abused disk space, simply run the following command and reboot.
sudo tmutil disablelocal
How to fix SSH UTF-8 issues in Mac OS X Lion
After upgrading from Snow Leopard to Lion, ssh connections to remote servers using iTerm2 have issues with non-ASCII characters.
Luckily that’s easy to fix. Simply comment out SendEnv LANG LC_* in /etc/ssh_config.
Host *
#   SendEnv LANG LC_*
#   ForwardAgent no
#   ForwardX11 no
...
No other changes are needed. You could also permanently change your locale to UTF-8.
Just place export LANG=en_US.UTF-8 in your shell’s source file.
A few WordPress security tips
A month or so ago my website got attacked a couple of times using DDoS and application specific attacks. I don’t want to accuse anyone, but this happened at exactly the same time my travel report about Prague suddenly got a lot of attention. Just sayin’…
Nothing happened, no one could break in using any exploits or brute force and the website didn’t even go down.
So as a guy with a few years of experience with Apache, Unix and at least a little bit of experience with WordPress, I thought I’d share the things I do to secure my blog. No, I am not a big fan of security through obscurity.
I run this website on my own server, not all of this might be possible if you’re on a shared hosting!
- non admin username
- get ssl (for wp-admin)
- require ssl for wp-admin in wp-config.php (add to end of file)
define('FORCE_SSL_ADMIN', true);
- restrict access to wp-admin using htpasswd on ssl vhost
AuthType Basic
AuthName "Unixhosts.org"
AuthBasicProvider file
AuthUserFile /etc/apache2/htpasswd
Require valid-user
- enforce ssl for wp-admin and also htaccess authentication on default vhost
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.chrisk.de"
ErrorDocument 403 https://www.chrisk.de/blog/wp-admin/
- ‘chown’ everything to root:root with only read access for the webserver
- and as always: use as few plugins as possible
There is one plugin you might want to use if you’re on a shared SSL: WordPress HTTPS. It helps redirecting you to the correct folders on your shared SSL, though it was still kind of buggy.
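The “read access only for the webserver” step above is the one that keeps a compromised PHP process from rewriting your own code. As an added example (not code from the original post), here is a small POSIX shell script that lists every entry under a WordPress tree that the web server’s group or anybody else could write to, and strips those bits. The chown to root:root itself needs root and is left to the operator; the directory layout built in demo() is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit and fix write permissions
# below a WordPress document root. The tree in demo() is constructed.

# find_writable DIR: print every file or directory under DIR that is group-
# or world-writable. Such entries let a compromised web server process
# replace PHP code or drop a web shell next to it.
find_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print | sort
}

# harden_tree DIR: remove the write bits for group and others below DIR.
# If the site accepts uploads, wp-content/uploads is the usual exception and
# should be handled separately (a dedicated group, not world-writable).
harden_tree() {
    find "$1" -exec chmod go-w {} +
}

# demo: build a constructed tree, count writable entries before and after.
demo() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    printf '<?php\n' > "$root/wp-config.php"
    chmod 666 "$root/wp-config.php"          # world-writable config: bad
    chmod 777 "$root/wp-content/uploads"     # world-writable directory: bad
    before=$(( $(find_writable "$root" | wc -l) ))
    harden_tree "$root"
    after=$(( $(find_writable "$root" | wc -l) ))
    rm -rf "$root"
    echo "$before $after"
}
```

Run find_writable against the real document root first; on a freshly hardened tree it should print nothing, and anything it does print after a plugin update is worth a look.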
How to Check services and restart using Monit
I have a monitoring service (Zabbix) which dies every few weeks, because its MySQL tables were locked for too long during a backup… Annoying, mostly because it’s then dead unnoticed for more than just a few minutes. So, how do you monitor a monitoring service?
Or simply… How do you restart any service that has just gone away in a simple way?
I recently came across monit. They state it’s up and running in just 15min. I got it faster.
# Daemonize and check every 2mins.
set daemon 120
# Mail settings, in case you want to receive notifications
set mailserver relay.example.org
set mail-format { from: root@host1.example.org }
set alert admin@example.org
# The first check
check process zabbix_server with pidfile /var/run/zabbix/zabbix_server.pid
start program = "/etc/init.d/zabbix-server start"
stop program = "/etc/init.d/zabbix-server stop"
group server
You can also monitor network availability, application availability, file permissions and system utilization…
I think this tool is really great for a small network, though I don’t think it would scale that well. Just give it a try.
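To show what the check process ... with pidfile stanza above actually does, here is an added example (not code from the original post, and not monit’s own code): the same check as two POSIX shell functions, so the logic can be tried without installing monit. The pidfile path and start command the caller passes in are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the core of a pidfile-based
# process check as plain shell. Paths and start commands are constructed.

# process_alive PIDFILE: succeed if the pidfile names a process we can signal.
# Fails for a missing or empty file, a stale pid that no longer exists, or a
# pid owned by another user (kill -0 then fails with EPERM). Anything but
# "ours and running" is treated as down.
process_alive() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# ensure_running PIDFILE START_CMD: start the service when it is not alive.
# Prints "alive" or "restarted" so a cron wrapper can log what happened;
# returns non-zero if START_CMD fails.
ensure_running() {
    if process_alive "$1"; then
        echo alive
    else
        sh -c "$2" || return 1
        echo restarted
    fi
}
```

A stale pidfile whose pid has since been reused by an unrelated process is the classic false “alive”; monit’s extra checks (ports, protocol tests) exist for exactly that reason, so for anything important pair the pid check with an application-level one.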
How to DSL and UMTS Failover on OpenBSD
OpenBSD. Is. Awesome. pf, carp, pfsync, ifstated, openbgp, openospfd… awesome.
Here is my ifstated.conf to fail-over between DSL and UMTS connections. Note that this only really works with OpenBSD >=4.9, because earlier versions seem to have issues where set-state is executed before init finished, which causes UMTS to start on every 24h disconnect of the DSL line.
init-state auto
# pppoe0 is my DSL connection
pppoe0_up = "pppoe0.link.up"
# figure out which state to start with
state auto {
if $pppoe0_up {
set-state dsl_up
}
if !$pppoe0_up {
set-state dsl_down
}
}
# DSL is up. Don't do anything until it fails.
state dsl_up {
init {
run "/sbin/ifconfig | mail -s 'DSL up' root"
}
if !$pppoe0_up {
set-state dsl_down
}
}
# DSL is down. Wait a few seconds (24h disconnect).
# Then go ahead and start UMTS, but only if DSL isn't back up!
state dsl_down {
init {
run "/bin/sleep 30; /sbin/ifconfig | mail -s 'DSL down' root"
}
if $pppoe0_up {
set-state dsl_up
}
if !$pppoe0_up {
set-state umts_start
}
}
# Start pppd and bring UMTS up while pppoe0 is still down
state umts_start {
init {
run "/usr/sbin/pppd call o2"
run "sleep 30; /sbin/ifconfig | mail -s 'Starting UMTS' root"
}
if $pppoe0_up {
set-state umts_stop
}
}
# If pppoe0 is back up, kill pppd and switch back to dsl_up
state umts_stop {
init {
run "/usr/bin/pkill pppd"
run "/sbin/ifconfig | mail -s 'Stopping UMTS' root"
}
set-state dsl_up
}
How to OpenBSD with Huawei E1750 UMTS
Getting my OpenBSD (4.8) box to talk to a Huawei E1750 USB UMTS stick as a backup solution turned out to be not very straightforward, so in case you are in a similar situation…
Have a look at man umsm to see which devices are supported by OpenBSD.
The UMTS (USB)-Sticks are registered as /dev/cuaUX, where X is the number of your device… You’ll need userland pppd to connect. Place your peer configuration in /etc/ppp/peers/o2 for example:
cuaU0
connect /etc/ppp/connect.o2
disconnect /etc/ppp/disconnect.o2
nocrtscts
xonxoff
# :0.0.0.2 because 0.0.0.1 is the alias for my DSL default gateway
:0.0.0.2
noipdefault
ipcp-accept-local
defaultroute
novj
nobsdcomp
novjccomp
nopcomp
noaccomp
noauth
nomagic
persist
You’ll also need Chat scripts to connect and disconnect the connection. Note that you’ll need to at least adjust /etc/ppp/connect.o2 to suit your provider:
#!/bin/sh
# If your SIM is PIN protected, insert the line
#     at+cpin=**** OK \
# after "atz OK \" below, replacing **** with your PIN.
# (A comment line cannot sit inside the backslash-continued command itself,
# it would end the chat invocation early.)
chat -vs \
    ABORT 'NO CARRIER' \
    ABORT 'NO DIALTONE' \
    ABORT ERROR \
    ABORT 'NO ANSWER' \
    ABORT BUSY '' \
    at OK \
    atz OK \
    'AT+CGDCONT=1,"IP","pinternet.interkom.de"' OK \
    'atdt*99***1#' CONNECT
And /etc/ppp/disconnect.o2 looks like:
#!/bin/sh
chat -vs \
    ABORT 'NO CARRIER' \
    ABORT 'NO DIALTONE' \
    ABORT ERROR \
    ABORT 'NO ANSWER' \
    ABORT BUSY '' \
    '\K' '' '+++ATH'
Now make sure ppp0 is initialized on startup…
touch /etc/hostname.ppp0
sh /etc/netstart ppp0
… and to connect simply run pppd call o2 and pkill pppd to disconnect. Run ifconfig ppp0 to see if your connection is up and running:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
priority: 0
groups: ppp egress
inet 10.150.81.109 --> 0.0.0.2 netmask 0xfffffffc
Next post will be about auto fail-over between this and my regular DSL connection.
How to PXE boot GRML and OpenBSD without NFS (like boot.kernel.org)
I was looking for a way to install/rescue a couple of embedded devices in different (remote) locations. PXE booting a Linux system comes to mind, but that usually requires NFS, which is a pain in the ass when it comes to firewalls…
Most Linux based LiveCDs use Busybox and Squashfs for booting… Busybox has wget built in, so it’s possible to skip the NFS part, use wget and HTTP and load the squashfs to RAM. One still has to get TFTP through firewalls, since it is needed to load the kernel and Busybox, but OpenBSD for example has tftp-proxy built-in… So you need:
- DHCP to supply PXE options
- TFTP to serve the base system(s)
- PXELINUX as a kind of bootloader
- HTTPd to serve the rest of the system(s)
I want to have my favorite LiveCD GRML handy for rescue and Linux install purposes and OpenBSD of course
Let’s start with the Server you want to use to boot from:
Install tftpd-hpa, syslinux and a httpd, start tftpd-hpa with the ‘secure’ flag and place a copy of pxelinux.0 (usually in /usr/lib/syslinux/) in your $tftproot.
For GRML you’ll need to place linux26 and minirt.gz from the grml_netboot_package in your $tftproot. You’ll also need grml.squashfs from either grml-small, grml-medium or grml. I’d suggest grml-small as it needs to fit in your RAM. Place it in your $httproot.
Now configure (ISC) DHCPd to supply PXE information:
next-server 10.1.32.1;
filename "/pxelinux.0";
Create a file called ‘default’ in a folder pxelinux.cfg in your $tftproot:
label GRML
  kernel linux26
  append initrd=minirt.gz fetch=http://<serverip>/grml.squashfs boot=live
Most PXE loaders will try to find a file named after their IP address written in hex, then remove one character after another and fall back to ‘default’ if nothing matches. So symlink the appropriate files if you want to speed things up. ‘fetch’ tells GRML’s busybox to load its system files from the URL given.
To also serve the OpenBSD installer you need to download pxeboot and place it as pxeboot.0 in your $tftproot. You also need bsd.rd from any Release/Snapshot you want to serve. Call them whatever you want and also place them in your $tftproot. To serve pxeboot.0 (The OpenBSD Bootloader btw) add these two lines to ‘default’ in pxelinux.cfg:
label OpenBSD
  kernel pxeboot.0
You’re done. Try booting your system from PXE. You’ll get a ‘boot>’ prompt. Select your system by typing whatever you supplied as ‘label’ in your ‘default’ config, e.g. GRML or OpenBSD. In case of OpenBSD you’ll then need to supply bsd.rd to boot, or whatever you renamed that file to…
If you encounter any problems, grep the logs, use ‘tcpdump’ and have a look at the SYSLINUX Wiki…
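The hex-named lookup described above is easy to get wrong by hand, so here is an added example (not code from the original post or from SYSLINUX) that computes the names a PXELINUX client asks for under pxelinux.cfg/ and creates the per-host or per-subnet symlink. The addresses, directory and link target used are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: which pxelinux.cfg/ names a
# client with a given IPv4 address requests, and a helper to create the
# matching symlink. Addresses and targets are constructed.

# pxelinux_hex IP: the address as eight upper-case hex digits
# (10.1.32.5 -> 0A012005).
pxelinux_hex() {
    echo "$1" | tr '.' ' ' | {
        read -r a b c d
        printf '%02X%02X%02X%02X\n' "$a" "$b" "$c" "$d"
    }
}

# pxelinux_candidates IP: the names tried, one per line, in request order:
# the full hex address, then each shorter prefix, then "default".
pxelinux_candidates() {
    h=$(pxelinux_hex "$1")
    while [ -n "$h" ]; do
        echo "$h"
        h=${h%?}          # drop the last hex digit
    done
    echo default
}

# link_prefix CFGDIR IP DIGITS TARGET: symlink the DIGITS-long prefix of the
# hex name to TARGET inside CFGDIR and print the name created. 8 digits pin
# one host, 6 cover its /24, 4 its /16; the loader stops at the first name
# that exists, so a longer prefix always wins over a shorter one.
link_prefix() {
    name=$(pxelinux_hex "$2" | cut -c1-"$3")
    ln -sf "$4" "$1/$name"
    echo "$name"
}
```

With the DHCP snippet above, link_prefix "$tftproot/pxelinux.cfg" 10.1.32.5 6 grml would make every host in 10.1.32.0/24 read the “grml” config instead of walking down to ‘default’.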
How to Create your own ‘DynDNS’ Service
First off: This is not DynDNS as you might know it from dyndns.org. You can’t use clients like ddclient. I’m using DNSSEC and ‘nsupdate’. You’ll need to be familiar with Bind and some shell scripting… Also I only got this working on *nix and I don’t have any intention to try it on Windows.
Let’s start with what you have to do on your client:
$ dnssec-keygen -a HMAC-MD5 -b 512 -n USER -r /dev/urandom host1.dyn.example.org
Now copy Khost1.dyn.example.org.+157+39064.key (your pubkey) to your server’s configdir (in case of Debian: /etc/bind) and define it as follows:
key host1.dyn.example.org. {
algorithm HMAC-MD5;
secret "<put key from Khost1.dyn.example.org.+157+39064.private here>";
};
zone "dyn.example.org" {
type master;
file "master/dyn.example.org";
allow-update { key host1.dyn.example.org.; };
};
This allows everyone with the Khost1.dyn.example.org.+157+39064.private key to update zone ‘dyn.example.org’. Feel free to find out how to do privilege separation on your own.
Back to your client: Since we can’t use ddclient or similar clients, I wrote my own small script:
#!/bin/sh
# Record the current pppoe0 address and push it to the DNS server with
# nsupdate whenever it differs from the address seen on the previous run.
dir=$(dirname "$0")
old_ip=$(cat "$dir/ip_cur.txt" 2>/dev/null)
new_ip=$(ifconfig pppoe0 | grep -E 'inet.[0-9]' | \
    grep -v '127.0.0.1' | awk '{ print $2 }')
if [ -z "$new_ip" ]; then
    echo "pppoe0 has no address" >&2
    exit 1
fi
if [ "$old_ip" != "$new_ip" ]; then
    echo "$new_ip" >> "$dir/ip_log.txt"
    # nsupdate reads its instructions from a file; printf is used because
    # echo does not interpret \n portably.
    printf 'server <yourserver>\nzone dyn.example.org\nupdate delete host1.dyn.example.org. A\nupdate add host1.dyn.example.org. 60 A %s\nsend\n' \
        "$new_ip" > "$dir/ip_nsupdate_instructions.txt"
    nsupdate -k "$dir/Khost1.dyn.example.org.+157+39064.private" \
        "$dir/ip_nsupdate_instructions.txt" || exit 1
    echo "$new_ip" > "$dir/ip_cur.txt"
fi
My script gets the current IP address of pppoe0, compares it to the one from its previous run and executes ‘nsupdate’ if they mismatch. ‘nsupdate’ doesn’t accept its configuration from stdin, that’s why I needed to write the instructions to a temporary file… If ‘nsupdate’ fails (due to connection issues or something like that) my script exits. If the update was successful it writes the current IP into ip_cur.txt, so the script only executes ‘nsupdate’ on IP address change and not every time you run it. Add my script to crontab to run it once a minute or so…
* * * * * ip_update.sh
How to Set up a ‘hidden primary’ DNS
I just had to guide a friend of mine through the setup of a ‘hidden primary’ or ‘hidden master’ via mail, so I thought I’d also post a quick summary here to keep my blog alive ;P
First off: A ‘hidden primary’ setup uses one server for all zone-file changes that isn’t listed anywhere and doesn’t get any queries from clients, and two or more ‘slaves’ that do the actual work. Have a look at this example zone-file:
$ORIGIN unixhosts.org.
unixhosts.org. IN SOA amy.unixhosts.org. hostmaster.unixhosts.org. (
201102111 ; serial
3h ; refresh
1m ; retry
1w ; expire
1m) ; minimum
IN NS ns.inwx.de.
IN NS ns2.inwx.de.
IN NS ns3.inwx.de.
The host amy.unixhosts.org is my ‘hidden primary’. As you can see, it’s not listed as NS, so it won’t get queries from actual client resolvers. ns[2,3].inwx.de are my name-servers for this zone, configured as slaves.
The ‘hidden primary’ config looks like:
zone "unixhosts.org" {
type master;
file "master/unixhosts.org";
allow-transfer { unixhosts; inwx; };
also-notify { 10.0.1.1; 10.0.2.1; 10.0.3.1; };
};
Whereas a ‘slave’ config looks like:
zone "unixhosts.org" {
type slave;
file "slave/unixhosts.org";
masters { 10.0.0.1; };
allow-transfer { clients; };
};
If your Infrastructure isn’t large enough to take responsibility for 3 public DNS servers, you might want to have a look at InterNetworX. I’m running their servers as ‘slaves’ for a few months now. Their support team is great and I haven’t had any issue within years!
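Since all zone-file changes happen on the hidden primary, the one thing that silently breaks this setup is forgetting to bump the SOA serial: the slaves only pull a new copy when the serial has increased, so an edit without a bump never reaches the public servers. As an added example (not code from the original post) here is a POSIX shell helper that computes the next serial in the common YYYYMMDDnn convention and rewrites the “; serial” line in place; the zone fragment used in the usage is a constructed copy of the layout above.

```shell
#!/bin/sh
# Added example, not from the original post: bump the SOA serial of a zone
# file before editing it on the hidden primary. The zone fragment this is
# tried on is constructed in the layout of the post's example.

# next_serial CURRENT [YYYYMMDD]: the next serial. Same day: nn+1. New day:
# YYYYMMDD00. A serial already above today's range, or one in a different
# scheme that sorts above it, is simply incremented so it keeps increasing,
# which is all the slaves require.
next_serial() {
    cur=$1
    today=${2:-$(date +%Y%m%d)}
    case $cur in
        "$today"[0-9][0-9]) echo $((cur + 1)) ;;
        *)
            if [ "$cur" -lt "${today}00" ]; then
                echo "${today}00"
            else
                echo $((cur + 1))
            fi ;;
    esac
}

# bump_serial FILE [YYYYMMDD]: replace the number on the first "; serial"
# line of FILE in place and print the new value.
bump_serial() {
    f=$1
    cur=$(awk '/; serial/ { print $1; exit }' "$f")
    new=$(next_serial "$cur" "$2")
    awk -v n="$new" '/; serial/ && !done { sub(/[0-9]+/, n); done = 1 } { print }' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    echo "$new"
}
```

A serial like the 201102111 in the zone above, which does not fit the ten-digit convention, sorts below today’s YYYYMMDD00 and is moved onto it by the first bump; after that the serial only ever goes up. Run bump_serial, make the edit, then rndc reload and check the slaves’ SOA with dig to confirm they picked it up.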
How to Fix “The file server has closed down” issues in Mac OS and netatalk
Netatalk versions older than 2.1.3 had some issues with the TCP/IP Stack on Linux which resulted in errors like
Luckily they seem to have fixed this in 2.1.3 as the ChangeLog states: fix a serious error in networking IO code.
So the solution is as easy as upgrading. I am running Ubuntu, but two months after netatalk-2.1.3 has been released, they don’t even have it in unstable. Lucky Gentoo users you! I needed to fix this very quickly as it started to disrupt my workflow. Sadly I currently don’t have the time to dig into the packaging system of Debian or Ubuntu, so I looked up Debian’s configure options and just compiled from source:
cp -a /etc/netatalk/ ~
aptitude purge netatalk
apt-get build-dep netatalk
# -O is needed: without it wget saves the file as "download" and the tar step fails
wget -O netatalk-2.1.3.tar.bz2 http://sourceforge.net/projects/netatalk/files/netatalk/2.1.3/netatalk-2.1.3.tar.bz2/download
tar xjvf netatalk-2.1.3.tar.bz2
cd netatalk-2.1.3
./configure --with-shadow --enable-fhs --enable-tcp-wrappers --enable-timelord --enable-overwrite --with-pkgconfdir=/etc/netatalk --enable-krb4-uam --enable-krbV-uam --with-cnid-dbd-txn --with-libgcrypt-dir --with-cracklib=/var/cache/cracklib/cracklib_dict --enable-debian --disable-srvloc --enable-zeroconf --with-ssl-dir --enable-pgp-uam --prefix=/usr/local/netatalk/
make
sudo make install
mv ~/netatalk /etc/
/etc/init.d/netatalk start
This saves a copy of your running netatalk configuration to your home directory, removes netatalk, downloads all necessary libraries to build netatalk, downloads netatalk from SourceForge, extracts it, configures it, builds it, installs it, restores the configuration and starts it as usual.
I am running netatalk 2.1.3 for a week now and the error seems to be gone.
If you know how to easily create a Debian package, feel free to post in the comments.
Hi, my name is Chris. I am a wannabe photog, traveler & geek that lives in Hesse, Germany. 