sysadmin

Sequel Pro’s SQL Inserts

Published by Anonymous (not verified) on Wed, 11/04/2018 - 8:24pm in

Tags 

sysadmin

Another tool I’ve been becoming more familiar with for sites that don’t have phpMyAdmin to access the MySQL databases is Sequel Pro. It’s an open source application for managing SQL databases on the Mac. I have come to appreciate it in newfound ways after the UNLV migration; it is to database management what Transmit has been to moving around files via FTP. Anyway, one thing I discovered it can do is copy the structure of a database table, such as wp_users:

And then insert it as SQL code in something like phpMyAdmin:

Sequel Pro does all SQL query structuring for me, which is awesome. Was a nice little bonus to discover, and another trick for the toolbox.

 

Digital Ocean’s One-Click Apps vs. Cloudron

Published by Anonymous (not verified) on Wed, 24/01/2018 - 9:44pm in

Tags 

sysadmin

Digital Ocean has been en fuego as of late. They announced a whole bunch of new droplet plans, and the price-point for all of them has gone down. This is very good news for Reclaim Hosting because it gives us some breathing room with our infrastructure costs allowing us to continue to keep costs low.  We have been slowly moving most of our infrastructure from Linode and ReliableSite to Digital Ocean, and we could not be happier. They are constantly improving their offerings, and being in a virtual environment where we can increase storage or scale CPU instantaneously makes our life (and our clients’) a lot easier.

One-click Apps at Digital Ocean


In addition to new plans and pricing, I noticed they were featuring one-click apps as well (though not sure how new this is), and I took a peek to see what they offered. It was interesting to see that some of the applications they featured, namely Discourse (the forum software) and Ghost (the blogging app), were apps Reclaim was offering beyond our shared hosting cPanel-based LAMP stack. Given we’ve been exploring a one-click option with Cloudron (I recently blogged about setting up Ghost using Cloudron) I wanted to compare Digital Ocean’s idea of one-click to Cloudron’s. Long story short, there is no comparison.

Here is Digital Ocean’s command line interface for setting up Ghost:


Command line interface during Ghost setup on Digital Ocean’s one-click apps

Here is Cloudron’s:


One-click install of Ghost on Cloudron

Digital Ocean is amazing at what they do, but their idea of one-click installs still assumes a sysadmin level of knowledge, which, to be fair, makes sense given they are a service designed for sysadmins. When I tried the Ghost app it was, indeed, installed on a droplet in seconds, but the actual configuration to set up required a full-blown tutorial for command line editing the setup. In addition to the domain pointing, this was setting up SSL and Nginx, granted that simply meant typing “yes” or “no” and clicking enter, but even when you did the setup was not guaranteed.

After following the tutorial to the letter I still got the Nginx 502 bad gateway error, which means I was stuck.


Ghost 502 Bad Gateway Nginx Error

I could have tried to troubleshoot the 502 error, but at this point it was just a test and from my experience it was far from one-click.


Discourse example

I then tried Discourse, and this was definitely easier than Ghost. It still required a tutorial, but that was primarily focused on setting up an SMTP account through Mailgun so the application could send email. After that, the setup was simple, but again the one-click setup process on Digital Ocean assumes an understanding of API-driven transactional email services like Mailgun or Sparkpost. Cloudron does not have a Discourse installer, so no real comparison there, but if it could manage the SMTP email setup in the background, I imagine it would be just as simple as their Ghost installer.

I’m glad I explored Digital Ocean’s one-click application offerings because it confirms for me the potential power of tools like Cloudron that truly make it simple to install applications. Our community by and large will not be folks with sysadmin level knowledge, so integrating a solution that is truly one-click, avoiding DNS and command line editing,  would be essential. 

Upton Sinclair would have Laughed

Published by Anonymous (not verified) on Tue, 23/01/2018 - 8:01pm in

Tags 

Fun, sysadmin, spam

I follow the Bitninja blog because we use this service as an external firewall at Reclaim Hosting, and they are pretty awesome. We run it on all of our shared hosting servers, and many of our bigger schools, and it often can identify and prevent problems before they even reach our servers—it’s beautiful.

Anyway, the other day they shared a story about a recent attack that was trying to take advantage of a vulnerability on a contact form to send spam. Pretty common type of attack, but what was different about this one was while its message was targeted at a Chinese audience pushing a finance product, in order to get past automated spam checkers they needed to include English (a whitelisted language) in the message—so they appended passages from Upton Sinclair’s 1906 classic The Jungle to every message. In fact, you could actually read the book from beginning to end if you followed the spam messages chronologically—which is how the system analyst watching the attack picked it up.

Date: 2018-01-18 08:52:52
Victim domain: www.######.hu
Attacker ip: 117.70.173.46
Url: [www.#####.hu/de/kontact]
Remote connection [117.70.173.46:51668]
Agent: [Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)]
Post data: [Array
(
[jform[contact_name]] => ???
[jform[contact_email]] => ###635271@qq.com
[jform[contact_subject]] => [Shared Post] Glory In The Mountains of WV?? ###635271@qq.com
[jform[contact_message]] => ????28???????????????????????www.601204.com/?
??????????????“?”????“???”????155555??1??????????1.0%?????30??????
??????“????”???10??18?????50???28?.
------------------------------------------
o’me wouldn’t be let hear’em.Not but what I did hear,as how could I help it?There’ll be no good come of it.Who’s to be axed to the wake,I’d like to
[jform[contact_email_copy]] => 1
[option] => com_contact
[task] => contact.submit
[return] =>
[id] => 1:mast-shake-shingle-information
[] => 1
)
]
Date: 2018-01-18 08:51:47
Victim domain: www.#####.hu
Attacker ip: 60.174.17.29
Url: [www.#####.hu/de/kontact]
Remote connection [60.174.17.29:59218]
Agent: [Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)]
Post data: [Array
(
[jform[contact_name]] => ???
[jform[contact_email]] => ###80474@qq.com
[jform[contact_subject]] => ACT - Campanha Trabalho em Espa?os Confinados??? ###80474@qq.com
[jform[contact_message]] => ?????????????28?www.601641.com/?
??????????“?”????????????1??????30?????????????+V??love9191love ??????.
------------------------------------------
boys annoyed me.Finally Dan said musingly:“Some gentlemen don’t know how to put on kid gloves at all,but some do.”And the doctor said(to the moon,I
[jform[contact_email_copy]] => 1
[option] => com_contact
[task] => contact.submit
[return] =>
[id] => 1:mast-shake-shingle-information
[] => 1
)
]
Date: 2018-01-18 08:51:16
Victim domain: www.#####.hu
Attacker ip: 60.174.17.29
Url: [www.#####.hu/de/kontact]
Remote connection [60.174.17.29:58943]
Agent: [Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)]
Post data: [Array
(
[jform[contact_name]] => ???
[jform[contact_email]] => ###3579@qq.com
[jform[contact_subject]] => ACT - Campanha Trabalho em Espa?os Confinados??? ###3579@qq.com
[jform[contact_message]] => ?????????????28?www.601641.com/?
??????????“?”????????????1??????30?????????????+V??love9191love ??????.
------------------------------------------
still that sound of lonely weeping came from over the hill.Listening,but looking at those wild,mourning eyes that never moved from him,he lay.Once he
[jform[contact_email_copy]] => 1
[option] => com_contact
[task] => contact.submit
[return] =>
[id] => 1:mast-shake-shingle-information
[] => 1
)
]

Crazy on so many levels. I wonder if this ostensibly Chinese spam attacker was cognizant of all the levels. First the “whitelisting” of the email by including the dominant language of the web, and the strange twist of advertising finance products to the “communist” Chinese consumer—it’s like flash fiction about geopolitical change over the last 25 years written into a server log. But then, the kicker, using Upton Sinclair’s muckraking novel about regulating the meat packing industry as the trojan horse for sending spam. The irony is too brilliant not to think this attacker was having a laugh. 
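One way to detect the padding pattern visible in the log above, added here as an example and not part of the original post or of Bitninja's tooling: it flags contact-form submissions in which a dashed separator divides a mostly non-English body from an English prose tail. The sample log is constructed, and the function names and the 0.5/0.8 thresholds are assumptions.

```python
import re

# Constructed sample shaped like the log excerpt (documentation IPs, example.com);
# "?" stands for characters lost to encoding, as in the original dump.
SAMPLE_LOG = """\
Date: 2018-01-18 08:52:52
Attacker ip: 192.0.2.10
Post data: [Array
(
[jform[contact_message]] => ????28??????????www.example.com/?
??????????1.0%?????30??????
------------------------------------------
boys annoyed me.Finally Dan said musingly:Some gentlemen do not know how to
[jform[contact_email_copy]] => 1
)
]
Date: 2018-01-18 09:10:03
Attacker ip: 198.51.100.7
[jform[contact_message]] => Hello, could you send me your opening hours?
[task] => contact.submit
"""

SEPARATOR = re.compile(r"^-{10,}\s*$", re.M)

def parse_records(log):
    """Split the dump on 'Date:' lines; return (ip, contact_message) pairs."""
    out = []
    for chunk in re.split(r"(?m)^(?=Date: )", log):
        ip = re.search(r"^Attacker ip: (\S+)", chunk, re.M)
        # The message runs until the next line that opens a field or closes the array.
        msg = re.search(r"^\[jform\[contact_message\]\] => (.*?)^[\[)]", chunk, re.M | re.S)
        if ip and msg:
            out.append((ip.group(1), msg.group(1)))
    return out

def english_ratio(text):
    """Share of non-whitespace characters that are ASCII letters."""
    chars = [c for c in text if not c.isspace()]
    return sum(c.isascii() and c.isalpha() for c in chars) / max(len(chars), 1)

def is_padded(message):
    """True when a dashed separator splits a low-English head from an English tail."""
    parts = SEPARATOR.split(message, maxsplit=1)
    return (len(parts) == 2 and english_ratio(parts[0]) < 0.5
            and english_ratio(parts[1]) > 0.8)

def flag_padded(log):
    return [ip for ip, msg in parse_records(log) if is_padded(msg)]
```

Scoring the two halves separately is what catches this campaign: a filter that measures the language of the whole message sees enough English to pass it.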

Users and groups in Debian: getting it right

Published by Matthew Davidson on Thu, 19/10/2017 - 1:15pm in

So ideally when I set up a new computer, I want all the users I trust — including, by necessity and regrettably, myself — to be in the staff group, and all the files they create to be by default writable by anyone in that group. This ought to be easy, and in fact now is, but has changed repeatedly over the decades I've been using Debian GNU/Linux, so I can never remember how it's done, hence this note.

You will need to do all this as root, and to be on the safe side, make sure any user(s) you want to put into the staff group are not currently logged in, as files and directories in the affected home directories will be reassigned to the group, which (I guess) won't work for any currently opened by a running process.

If you enable the pam_umask PAM module, you will only need to configure group-writability once, and it will work regardless of whether you're logging in locally, SSHing, or whatever. As root, edit /etc/pam.d/common-session to include this line:

session optional        pam_umask.so

Then edit the umask line in /etc/login.defs like so:

UMASK 002

If yours isn't a fresh Debian install, the umask setting may already have been overridden in one or more of:

  • /etc/profile
  • /etc/bash.bashrc
  • ~/.profile
  • ~/.bashrc

If so, delete or comment out where necessary. (Source)

Adding a user to the staff group is:

usermod -a -G staff myusername

Making staff the user's primary group — the one which by default newly created files and directories are owned by — is just:

usermod -g staff myusername

Too easy.
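A check for the configuration described above, added here as an example and not the author's own code: it reports whether pam_umask is enabled, what UMASK /etc/login.defs sets, and which shell startup files still override it, and shows the modes that umask produces. The file contents are constructed and the function names are assumptions.

```python
import re

# Constructed file contents; on a real host, read the same paths from disk
# (supply each user's ~/.profile and ~/.bashrc under those keys).
SAMPLE_FILES = {
    "/etc/pam.d/common-session": "session required pam_unix.so\nsession optional        pam_umask.so\n",
    "/etc/login.defs": "# UMASK 022\nUMASK\t\t002\n",
    "/etc/profile": "PATH=/usr/bin\numask 022\n",
    "/etc/bash.bashrc": "# umask 022\n",
}
RC_FILES = ("/etc/profile", "/etc/bash.bashrc", "~/.profile", "~/.bashrc")

def active_lines(text):
    """Yield (line number, text) for lines that are not blank or commented out."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if line:
            yield n, line

def default_modes(umask):
    """Octal modes that new files and directories get under this umask."""
    mask = int(umask, 8)
    return format(0o666 & ~mask, "o"), format(0o777 & ~mask, "o")

def audit_umask(files, want="002"):
    """Return a list of findings; an empty list means the setup matches."""
    findings = []
    pam = active_lines(files.get("/etc/pam.d/common-session", ""))
    if not any(re.match(r"session\s+(\[.*?\]|\S+)\s+pam_umask\.so\b", l) for _, l in pam):
        findings.append("pam_umask.so is not enabled in /etc/pam.d/common-session")
    defs = [l.split()[1] for _, l in active_lines(files.get("/etc/login.defs", ""))
            if re.match(r"UMASK\s+[0-7]+$", l)]
    if not defs or int(defs[-1], 8) != int(want, 8):
        findings.append(f"/etc/login.defs UMASK is {defs[-1] if defs else 'unset'}, not {want}")
    for path in RC_FILES:
        for n, l in active_lines(files.get(path, "")):
            m = re.match(r"umask\s+(\S+)", l)
            if m:
                findings.append(f"{path}:{n} overrides umask with {m.group(1)}")
    return findings
```

With umask 002, `default_modes` gives 664 for files and 775 for directories, so every member of the user's primary group can modify what that user creates.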

Saturday, 7 October 2017 - 6:42pm

Published by Matthew Davidson on Sat, 07/10/2017 - 6:42pm in

I should never reboot my computer.

I am so out of touch that I didn't realise that a new version of Debian came out in June. "Splendid!", I thought. So:

# apt-get update
# apt-get dist-upgrade

… then off for a walk while two gigabytes downloaded (really must get rid of all those first-person shooters that are anyway far too violent for a gentleman of my advanced years).

Get through the upgrade, reboot the computer, and my USB WiFi dongle doesn't work. Here's how to diagnose/fix:

# lsusb
Bus 002 Device 002: ID 8087:8000 Intel Corp. 
[…]
Bus 003 Device 003: ID 045e:00cb Microsoft Corp. Basic Optical Mouse v2.0
Bus 003 Device 002: ID 413c:2003 Dell Computer Corp. Keyboard
Bus 003 Device 007: ID 0bda:8178 Realtek Semiconductor Corp. RTL8192CU 802.11n WLAN Adapter
[…]

Yes, I use a Microsoft mouse. Microsoft branded peripherals have generally been pretty darn good. I think this mouse is at least ten years old, and it's as good as the day I bought it. So now I know the WiFi chipset. I go to the Debian Wiki WiFi page, and find that I need the rtl8192cu driver, which is in the (non-free) firmware-realtek package, which is of course already installed because the blasted thing used to work. So now it's just a matter of:

# modprobe rtl8192cu

…and we're back in business. For good measure, I added rtl8192cu to the /etc/modules file, so that maybe I'll survive the next reboot unscathed. Not that I will be rebooting any time soon.

Note to self

Published by Matthew Davidson on Mon, 08/02/2016 - 3:05pm in

I forget this every time I go to upgrade Drupal, because it's so simple, and spend an hour trying to make absolutely sure I have it right and haven't missed anything. So assuming you're deploying Drupal with git (with the contents of sites/ untracked, presumably), all you have to do is:

git fetch
git rebase origin/7.x
drush @sites updb

Optionally, you can do a git hard reset to the latest tagged release.