Weblogs for simonw

Posted by simonw on Tue 30 Jun 2009 at 15:27
Tags: none.
The default timeout in rsync is 0, meaning never time out.

For years this has never caused me any issues, however I recently found a box with 8 days' worth of backup scripts all running at once. It seems the receiving server was in a mess, logging kernel messages about CPUs being stuck; as a result the rsync was never finishing, and never timing out.

So note for self, always set a timeout for rsync (and always remember the delete option as well)!

 

Posted by simonw on Fri 26 Jun 2009 at 01:34
Tags: none.
Decided to write a couple of short scripts that make Debian truetype fonts available as a zip file, so that I can install them on any website that needs some custom fonts without any fuss.

http://simonwaters.technocool.net/fonts.htm

Demo page

 

Posted by simonw on Wed 24 Jun 2009 at 20:24
Tags: none.
Netcraft just published an article bemoaning the slow response of registrars in dealing with fraudulent websites but it omits a key point.

The DNS architecture is flawed in regard of the hierarchy. There is no way to tell when a domain is deleted or expired what domains are hosted on name servers in that domain. One can only tell what domains aren't hosted on name servers in that domain.

Now most domains don't have name servers, so most of the time suspending a domain name has no such effect, but some domains do, and suspending it will stop any domains which have name servers in that domain from working.

Suspending domains is thus like lopping branches of a tree, a tree whose branches are all the same thickness so provide no clue to how much tree is on the end of it. Most of the branches you prune turn out to be twigs, but every so often you'll lop off a big chunk of tree by accident.

We use nameservers in two domains to prevent such a single point of failure, but many domains don't do this including "." "com." "net." "co.uk." "microsoft.com." oh and "netcraft.com.". And I've seen enough plugs pulled on sites causing collateral damage to know this will eventually happen if registrars get too keen at dropping domain names without detailed investigation.

http://news.netcraft.com/archives/2009/06/22/faster_actions_needed_against_phishing_domains.html
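
The collateral damage described in this post can be computed when delegation data is available. The following is an added example, not part of the original post: it assumes a combined view of delegations that, as the post points out, no single registrar actually has, and the zone names and the `zone_of` and `collateral` helpers are constructed for illustration.

```python
# Added example: which zones lose every name server if one domain is suspended.
# Constructed sample data (zone -> name server host names); not real delegations.
DELEGATIONS = {
    "hosting.example": ["ns1.hosting.example", "ns2.hosting.example"],
    "shop.example": ["ns1.hosting.example", "ns2.hosting.example"],
    "cdn.example": ["ns1.shop.example"],
    "blog.example": ["ns1.hosting.example", "ns1.backup.example"],
    "backup.example": ["ns1.backup.example", "ns1.hosting.example"],
    "phish.example": ["ns1.phish.example"],
    "victim.example": ["ns1.phish.example"],
}


def zone_of(host, zones):
    """Return the longest known zone containing host, or None if unknown."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def collateral(suspended, delegations):
    """Zones other than `suspended` left with no working name server."""
    dead = {suspended}
    changed = True
    while changed:  # repeat until no further zone dies (transitive dependencies)
        changed = False
        for zone, servers in delegations.items():
            if zone in dead:
                continue
            # A zone dies only when every one of its name servers sits in a dead zone.
            # Name servers in zones we know nothing about are assumed to keep working.
            if servers and all(zone_of(ns, delegations) in dead for ns in servers):
                dead.add(zone)
                changed = True
    return dead - {suspended}


if __name__ == "__main__":
    for domain in ("phish.example", "hosting.example", "blog.example"):
        hit = sorted(collateral(domain, DELEGATIONS))
        print(domain, "->", hit or "nothing else")
```

Zones with name servers in two domains (`blog.example`, `backup.example`) survive the suspension of either one, which is the arrangement the post recommends.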

 

Posted by simonw on Tue 23 Jun 2009 at 14:40
Tags: none.
Messed up hosts.allow on a rackforce virtual server, locking all SSH users out.

Ticket was acknowledged by a human (who clearly understands hosts.allow syntax) 4 minutes after entering it through support interface, and the issue fixed, my confirmation of that fix acknowledged, and closed 7 minutes later, making a total of 11 minutes from opening to closing the support request.

Okay this is a premium support service, a simple problem, and I did ask in their normal working day, but still impressed by turn around. As it happens this wasn't an urgent issue, but it adds confidence to our use of them as a provider.

 

Posted by simonw on Mon 22 Jun 2009 at 09:55
Tags: none.
My computer should know that /var/log/squid/access.log.9.gz is less important than /var/spool/squid and /var/log/squid/access.log.8.gz.

Thus when disk space is tight rather than failing, it should free low priority files (obviously with a limit beyond which it has to fail - so I don't lose my data - but so it can lose transient files of no permanent interest). Windows already does this for files in the Trash can (allegedly).

Similarly my database is more important than the contents of /usr/share/doc.

I appreciate these priorities would have to be configurable, because some folks have a legal obligation to keep old email log files for example. So how priorities are assigned is difficult, on the other hand this is about what it should do, not how to do it. I suspect defaults that mean cache files are a low priority, and that old log files are less important than new ones.

Sure disk space is cheap - but cache files and log files are a common pattern. I want to cache/log as much as possible but without undue pain.

 

Posted by simonw on Wed 17 Jun 2009 at 21:40
Tags: none.
I saw a comment that firefox 3.5 will support @font-face, allowing downloadable fonts.

However dreams of a nice universal font downloaded on demand are stomped on by IE only supporting some Microsoft proprietary embeddable font designed to prevent people sharing font files (even those they are allowed to).

Finding a succinct source with accurate data on browser support for this was hard, a bug report on the Microsoft web site was the best I found.

Wikipedia has two articles, both of them pretty useless.

Obligatory Test page:

http://simonwaters.technocool.net/test/fonts.html

Soon everyone will have a browser that supports downloadable fonts, just you have to do more work to make it work in IE - alternatively they could just "get Firefox". So the above test page should display in an almost unreadable script font everywhere but IE. If it doesn't show as a handwriting font - get a better browser.

 

Posted by simonw on Tue 16 Jun 2009 at 13:09
Tags: none.
Discovered Google indexing content for a secure server using a weird domain name.

On inspection Google is indexing content using the domain name supplied, and ignoring the certificate (and the certificate mismatch).

So it seems if you want the secure content of www.example.com indexed only under www.example.com, you need to add:

RewriteEngine On
# Redirect any request whose Host header is not exactly www.example.com
RewriteCond %{HTTP_HOST} !^www\.example\.com(:443)?$ [NC]
RewriteRule ^/(.*) https://www.example.com/$1 [L,R]

Since otherwise someone could create duplicate content in Google merely by pointing an A record at you and creating a link for Google to follow.

Surely there is a better way of doing this in Apache?

 

Posted by simonw on Fri 12 Jun 2009 at 10:17
Tags: none.

Google Page Speed - a Firefox plugin that extends Firefox is cool.

However top recommendation for Javascript on one of our sites....

Minify JavaScript
There is 44kB worth of JavaScript. Minifying could save 6.3kB (14.3% reduction).

    * Minifying https://ssl.google-analytics.com/urchin.js could save 3.7kB (16.7% reduction). See minified version.

 

Posted by simonw on Fri 5 Jun 2009 at 18:25
Having dealt with JSRedir-R, some bunch of script kiddies found a bit of one of our webservers that shouldn't have been running PHP, but was. My fault no doubt.

Just cleaning up, but would be easier if they hadn't run a defacement script over many many gigabytes of stuff that only looks like web pages.

As far as I can tell they defaced 1 website, put 10 defacement files in the wrong place, and defaced thousands and thousands of directories that aren't visible to anyone but me (and my boss if he cared to look).

Annoyingly the one website defaced was one I'd changed to be owned by "www-data" having advised this may have adverse security implications. Guess it did - hohum.

On the upside did find one script kiddie toolkit stashed away, which had been uploaded for safe keeping to one of our web hosting accounts.

Now have to take lots of tedious precautions, for people who probably don't know a c-shell from a sea shell.

 

Posted by simonw on Thu 4 Jun 2009 at 08:37
Tags: none.
One of the sites I work on for fun got hit with this.

Injection of Javascript malware between "/head" and "body" tag, that is obfuscated, the usual replacing "exec" with "alert" shows it is sending folk to gumblar.cn for the rest of the abuse to follow.

The files are owned by the user who should own them, no write permission from www-data. No Apache requests that match the exploit date/time.

So looks like the exploit was done using FTP, or on the end user's PC before uploading. Seems I don't have sufficient logging on FTP to establish this for sure. My guess is compromise of the FTP password, or infection on the PC that usually edits the files (someone else's).

Some folk report a trojan that steals the users' FTP passwords, but I can't find a convincing explanation. Does anyone here know for sure?
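
A script tag sitting between the closing head tag and the opening body tag, as described in this post, is easy to search for during clean-up. The following is an added example, not part of the original post: the `injected_gap` and `scan_tree` names, the file patterns and the sample pages are constructed for illustration, and the modification times it reports are meant for comparison with FTP and Apache logs.

```python
import re
from pathlib import Path

# Text between </head> and <body ...>; valid pages have only whitespace there.
GAP = re.compile(r"</head\s*>(.*?)<body\b", re.IGNORECASE | re.DOTALL)
SCRIPT = re.compile(r"<script\b", re.IGNORECASE)

# Constructed samples: scripts in head and body are normal, one in the gap is not.
CLEAN = ("<html><head><script src='/site.js'></script></head>\n"
         "<body><script>init()</script></body></html>")
INFECTED = ("<html><head><title>t</title></head>"
            "<script>/* constructed placeholder payload */</script>\n"
            "<body>hi</body></html>")


def injected_gap(html):
    """Return the head/body gap text if it holds a script tag, else None."""
    match = GAP.search(html)
    if match and SCRIPT.search(match.group(1)):
        return match.group(1).strip()
    return None


def scan_tree(root, patterns=("*.html", "*.htm", "*.php")):
    """Return [(path, mtime)] for affected files under root, oldest change first."""
    hits = []
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            if not path.is_file():
                continue
            text = path.read_text(encoding="utf-8", errors="replace")
            if injected_gap(text):
                hits.append((str(path), path.stat().st_mtime))
    return sorted(hits, key=lambda hit: hit[1])


if __name__ == "__main__":
    import sys
    import time
    for name, mtime in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime)), name)
```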

 
