Chris’ Blog

After my recent break in I have looked into ways of protecting SSH and my server resources. I employ fail2ban on my main server, it has the resources to run such a programme - my Linksys NSLU2’s however do not. The solution is to use iptables to limit the number of connections any host can make in a given time frame. I wrote up a quick how to on this over at my wiki. Enjoy.

I have made the decision to disable Akismet, after reading some hype about the new Wordpress 2.3’s plugin version check API, which turned out to be negative but reveals something interesting with regards to Akismet. The following code is taken from the official Akismet plugin for Wordpres.

        $ignore = array( 'HTTP_COOKIE' );

        foreach ( $_SERVER as $key => $value )
                if ( !in_array( $key, $ignore ) )
                        $comment["$key"] = $value;

        $query_string = '';
        foreach ( $comment as $key => $data )
                $query_string .= $key . '=' . urlencode( stripslashes($data) ) . '&';

        $response = akismet_http_post($query_string, $akismet_api_host, '/1.1/comment-check', $akismet_api_port);

The bit that worries me is the use of $_SERVER, the only item from this array not sent is HTTP_COOKIE, fair enough. But why do you need to know the full paths to the files on my server and other server environment variables Akismet? I do not have a problem with sending data to Akismet, just not this data!

Source

My laptop and desktop are not always connected to the same network as my server and when this is the case its most likely I do not have control of the network or want the information passed over the internet in plain text. So this is my answer to remote munin nodes, using the remote forwarding feature of SSH.

1. Install Munin Node:

   $ sudo aptitude install munin-node

2. Create the upstart event file:

   $ sudo -e /etc/event.d/munin-tunnel

   Write in the following text:

   start on runlevel 2
   start on runlevel 3
   
   stop on runlevel 0
   stop on runlevel 1
   stop on runlevel 4
   stop on runlevel 5
   stop on runlevel 6
   
   exec sudo -u munin ssh -N munin-reporter@munin-server.example.com
   respawn

3. Generate a SSH key for munin:

   You do not want to set a password on the SSH key

   $ sudo sudo -H -u munin /bin/bash
   $ mkdir /var/lib/munin/.ssh/
   $ cd /var/lib/munin/.ssh
   $ ssh-keygen -b 1024 -C munin@`hostname -f` -t rsa
   $ exit

4. Edit the SSH configuration for the munin user:

   $ sudo -e /var/lib/munin/.ssh/config
   $ sudo chown munin:munin /var/lib/munin/.ssh/config

   Insert:

   Host munin-server.example.com
   RemoteForward some-port-number localhost:4949

5. Now you need to do some leg work on your server first create a user so that the SSH tunnel can be created, I used munin-reporter. Then you need to copy the munin users public key on your client into the ~munin-reporter/.ssh/authorized_keys file on your munin server. I will leave this as a user task, set up how you like on your server. I would recommend prepending the munin public key with the following in the authorized_keys file to restrict what the user can do.

   no-pty,no-X11-forwarding,no-agent-forwarding

6. Again, on your server, we need to tell munin where to get the data about the remote host from, using the snippet below:

   sudo nano /etc/munin/munin.conf

   [node.example.com]
   address 127.0.0.1
   port some-port-number
   use_node_name yes
   

7. Next we need to test the connection and verify the host signature so, that it doesn’t need to be done again.

   $ sudo sudo -u munin ssh munin-reporter@munin-server.example.com -v

   Check for any errors etc. if you spot a problem retrace your steps.

8. All that is left is to start the upstart event and wait for some pretty graphs

   sudo start munin-tunnel

Another release of Wordpress another potentially PITA upgrade to complete, but it isn’t thanks too patch. I quickly ran a diff of the Subversion repository like so:

$ svn diff http://svn.automattic.com/wordpress/tags/2.1.2 http://svn.automattic.com/wordpress/tags/2.1.3

Piped it to a file and applied it to Wordpress using patch, no drama no mess no effort. Just the way I like it

I have upgraded the version of Wordpres my blog runs, for me this is a pain in the ass due to custom modifications. So, this time I decided to use their subversion repository to create a patch and use that, guess what it worked first time.

To patch:

$ patch -i ./wordpress-2.1_2.1.2.diff -d /path/to/wordpress -p0

I struggled a little to find out how to get the SSH fingerprint of an SSH key earlier so, I thought I would preserve how for ever more. The snippet below will return the SSH fingerprint for the machines public RSA key (under Debian derived distributions at least.)

$ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
2048 d6:59:bc:0b:18:ba:17:15:41:fc:d0:2a:60:f4:7e:e8 /etc/ssh/ssh_host_rsa_key.pub

I am in the process of writing a guide detailing how it is possible to install Ubuntu 7.04 (yet to be released) on to a hard disc for a laptop or another computer without the use of any CDs or temporary partitions to hold to root partition while you encrypt what will be the root partition which most other guides demonstrate, this is fine if you want to keep the partition say for /home or something but my laptops hard drive is not big enough for that sort of segregation. I use debootstrap to install Ubuntu on the laptop hard disc mounted on another Ubuntu machine. My method has huge advantages, you don’t need to burn any CDs, its far quicker because it is more direct.

I will be tidying this up and possibly turning it into a automated script. I must admit this has not been easy no one guide has got it going it has taken multiple HOWTOs to inch every step of the way, but now I have it done I am happy, the gotchas were rather frustrating at time due to the difficulty of easily debugging the initial ram image when the machine is booting.

It always amazes me what nice features can be found in about:config, such as sending DNS requests to a SOCK’s proxy.