Archive for April, 2010

yum install and weird architecture behaviour

Friday, April 23rd, 2010

I was just trying to accomplish what you would think was a relatively easy task – installing the PHP-GD package from the Atomic Rocket Turtle repository for 64bit CentOS 5 and ran into a slightly cryptic problem.

Running yum install php-gd simply produced a dependancy error

php-gd-5.2.13-1.el5.art.i386 from atomic has depsolving problems
–> Missing Dependency: libt1.so.5 is needed by package php-gd-5.2.13-1.el5.art.i386 (atomic)
Error: Missing Dependency: libt1.so.5 is needed by package php-gd-5.2.13-1.el5.art.i386 (atomic)
You could try using –skip-broken to work around the problem
You could try running: package-cleanup –problems
package-cleanup –dupes
rpm -Va –nofiles –nodigest
The program package-cleanup is found in the yum-utils package.

A quick check that I’m using an up to date mirror along with a yum clean all to make sure nothing weird is happening leaves me back where I started, but a bit of digging later reveals that this is an interesting problem with yum on 64bit systems where it is trying to install the 32bit package and looking for 32bit dependancies. Forcing the install to be 64bit with yum install php-gd.x86_64 works first time 🙂

iPhone OS 4 beta 2

Wednesday, April 21st, 2010

Worms still doesn’t work on iPhone OS 4 beta 2 with a completely erased and reset phone! I may have to actually spend my days being productive instead…

WHMCS’ HyperVM module and the importance of the product type

Tuesday, April 20th, 2010

If you’re integrating WHMCS with HyperVM using the built in module, then there’s one thing that you need to be careful of and that’s which “product type” you set for your products/services – despite one of them being called “VPS/Dedicated servers” you actually need to use the “other” group or the HyperVM module simply won’t work.

If you are having problems with module operations such as create and suspend as well as the “login to control panel” link in the admin area then it is likely that you are running into this problem. Another symptom is that every time you view a HyperVM based product/service in the client or admin area then the server entry against that particular client’s service gets unset in the database (the ID used for the link gets set to 0)
In addition to changing the product type for all of the HyperVM based products/services to “other”, you will need to run an update on the MySQL database to set the server column in the tblhosting table back to the right ID for the HyperVM server in the tblservers table. A couple of quick bits of SQL to do this are:

update tblhosting set server=(select id from tblservers where type=’hypervm’ limit 1) where packageid in (select id from tblproducts where servertype = ‘hypervm’);
update tblproducts set type=’other’ where servertype=’hypervm’;

If you have more than one HyperVM server configured in WHMCS then you will need to modify this SQL slightly.

Spellchecker in iPhone OS4

Saturday, April 17th, 2010

iPhone OS4 has a spellchecking feature! 😀 This is going to be a lifesaver for me!

Any word you misspell is underlined with a red squiggly line, just like in the full blown OS X. A quick tap on a misspelt word pops up a menu in the same style used for the select/cut/copy/paste options with various suggestions from the dictionary.

MySQL system tables and blank entries in the Host column

Thursday, April 15th, 2010

I discovered some interesting behaviour under MySQL 4.1 recently (I know it’s old, but it’s not within my power to upgrade it) whereby empty entries in the Host column of the users table under the mysql system database were causing all remote (i.e. TCP and not socket) connections to be refused with a message saying “Host ‘1.2.3.4’ is not allowed to connect to this MySQL server” without even asking for login credentials.
Telneting to the server’s IP address on port 3306 received the same message straight away and then disconnected the session.

The solution to this was simple, but somewhat obscure – update the Host column in the user table of the mysql system database so that any blank records are changed to “localhost” (secure) or ‘%’ (safer) and then run “flush privileges”.
I have no idea how the blank records got in there in the first place, but I couldn’t find any reference to this being the cause of such behaviour anywhere on the MySQL site. Everywhere seems to suggest that this message indicated that you need to grant privileges to the user for them to be able to connect remotely – which would be true, if I was getting as far as supplying login credentials!

Zimbra anti-spam improvements

Sunday, April 11th, 2010

The built in Zimbra anti-spam system is quite a neat bundle of Amavisd-new, SpamAssassin and ClamAV with some fancy automated ham/spam training based on messages being moved in and out of a “Junk” mailbox under each user’s account, but it lacks a few nice to have extra features. Luckily, it’s quite easy to enhance the Zimbra Amavisd and SpamAssassin with a new plugins such as DCC, Pyzor and Razor as well as enabling SPF record checking and turning on DSPAM.

Zimbra includes DSPAM as well, but doesn’t use it by default. You can change this quite simply by updating the Zimbra LDAP configuration with the following:

zmlocalconfig -e amavis_dspam_enabled=true

I’d recommend upgrading to 6.0.5 if you are going to use DSPAM as there are annoying bugs in earlier versions such as needing to chown the DSPAM folder as zmfixperms used to set the permissions incorrectly. There is also an updated version of DSPAM in Zimbra 6.0.5.
The beauty of DSPAM with Zimbra is that the zmtrainsa utility run nightly on the spam/ham mailboxes also trains DSPAM from the same messages.

Now I’m presuming that you don’t already have the RPMforge (formerly Dag Wieers) and Atomic Rocket Turtle yum repositories installed on your Zimbra server and that you’re using CentOS/Red Hat like I am. We will install these two repositories but restrict them to only provide the packages that we are interested in so that they don’t clash with each other or the base vendor repositories.

wget -q -O – http://www.atomicorp.com/installers/atomic.sh | sh
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm
rpm -Uvh rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm

Now you need to edit /etc/yum.repos.d/rpmforge.repo to add the line includepkgs=perl-Error perl-NetAddr-IP perl-version perl-Mail-SPF as well as /etc/yum.repos.d/atomic.repo to have includepkgs=dcc pyzor razor-agents under the [atomic] section
Now the packages we need are available through a normal yum install:

yum install dcc pyzor razor-agents perl-Mail-SPF

Now we just need to create a custom SpamAssassin configuration file to tweak the settings for the plugins that we just installed. To do this, go to /opt/zimbra/conf/spamassassin/ and create a new .cf file with the following:

loadplugin Mail::SpamAssassin::Plugin::DCC

score SPF_FAIL 10.000
score SPF_HELO_FAIL 10.000
score DCC_CHECK 4.000
score RAZOR2_CHECK 2.500
score PYZOR_CHECK 2.500

The Zimbra SpamAssassin configurations already load the Pyzor and Razor plugins if present, but don’t load DCC by default (even if it is present) as it isn’t open source. Rather than edit files that Zimbra will then reset on an upgrade, we create a new .cf file that does this as well as settings the scores given by DCC, Pyzor, Razor and SPF. You might want to tweak these depending on how much you trust each service/test or you might want to skip these lines altogether and leave the scores set as the SpamAssassin defaults.
Remember to chown the file to zimbra:zimbra and chmod it to 0444 to be in line with the other SpamAssassin .cf configuration files.

The last thing that you need to do is restart the Zimbra MTA and Amavisd-new so that it loads the new configuration.

su – zimbra
zmantispamctl reload

If you want to test your new SpamAssassin setup then run the following (test and Debug mode) on the GTUBE sample provided by SpamAssassin

wget http://spamassassin.apache.org/gtube/gtube.txt
/opt/zimbra/zimbramon/bin/spamassassin -D -t < gtube.txt

Like the EICAR signiture for anti-virus scanners, GTUBE is a signature for anti-spam systems that will always show as spam so you can easily test your anti-spam setup. Among others, you should see RAZOR2_CHECK, PYZOR_CHECK and DCC_CHECK flagged with their appropriate scores if everything is working properly.
You will need to test DSPAM in the same way as you would with SpamAssassin’s bayesian filtering as well as checking SPF failures manually by sending a message from a server not designated in the SPF records.

iPhone OS 4.0

Friday, April 9th, 2010

I’ve been playing with iPhone OS 4.0 on my iPhone 3GS since it became available to developers after the press conference yesterday and so far impressions are good – it has broken the Worms app which won’t even launch any more 🙁 but everything else seems to be fine.

Multitasking pause/resume of apps seems to work quite well and is a welcome improvement, it will be interesting to see what happens once developers start to take advantage of the new APIs.

The folders/groups/stacks of apps is a great addition for those a little bit OCD who like to keep the apps on their phone organised. It’s already cut the number of screens on my phone from six to two (which could technically even fit on one!) which makes navigating between apps a lot easier.

There’s an interesting addition I’ve noticed where you can now set “complex” unlock passcodes which allows longer, alphanumeric strings to be used.

Sharing one keyboard and mouse between several Macs

Thursday, April 8th, 2010

If you have multiple computers, each with it’s own monitor then it can get really confusing having multiple keyboards and mice in front of you, not to mention somewhat disrupting to your workflow every time you have to change between them and reposition your hands appropriately.

Having a KVM switch can help with this, but only lets you use a single monitor at once.
There is a great bit of software for Windows and Linux called Synergy2 that lets you share the keyboard and mouse from one computer between multiple machines. Synergy does have a Mac OS X port, but in the author’s own words it is “incomplete”.

Fortunately, there is a great bit of donation-ware software for Mac OS X called “Teleport”. This essentially does the same thing as Synergy, but in a nice easy to use Mac preference pane with full zeroconf auto-discovery of other Teleport equipped Macs, certificates for authentication and the option of encryption. It can also synchronise the clipboard between two Macs.
Take a look at http://abyssoft.com/software/teleport/ to download it, and if you like it as much as me then I would encourage you to donate.

Detecting brute force attacks on Zimbra with zmauditswatch

Wednesday, April 7th, 2010

Zimbra 5.0.11 introduced the zmauditswatch script which notifies a specific e-mail address of a potential brute force attack if certain conditions are met. This is disabled by default and the documentation to enable it isn’t particularly clear, so here is a quick run through:

zmlocalconfig -e zimbra_swatch_notice_user=admin@domain.com
zmlocalconfig -e zimbra_swatch_ipacct_threshold=10
zmlocalconfig -e zimbra_swatch_acct_threshold=15
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60
zmlocalconfig -e zimbra_swatch_threshold_seconds=60
touch /opt/zimbra/conf/auditswatchrc
touch /opt/zimbra/conf/auditswatchrc.in
zmauditswatchctl start

Obviously use a relevant IP address and tweak the various thresholds appropriately to better suit your environment.

Nominet Automaton bulk modify

Friday, April 2nd, 2010

The bulk modify feature of the Nominet Automaton can be a real time saver when you need to update a load of domains in one go.
For example, I just used it to add a tertiary name server to a load of domains under the FREETHOUGHT tag. To make sure that I only updated domains using the Freethought nameservers, I put a filter on the bulk update:

operation: bulk
filter: ‘primary.freethought-dns.co.uk’ in nservers
update: nservers = [ ‘primary.freethought-dns.co.uk’, ‘secondary.freethought-dns.co.uk’, ‘tertiary.freethought-dns.co.uk’ ]

Nominet have some quite useful documentation along with several examples of the various update commands and filters available to control each of the different Automaton fields available on their web-site at http://www.nominet.org.uk/registrars/systems/auto/bulkmodify/