CodeSnippets: jason

Using HTTP conditions and url.access-deny to have Lighttpd block some user agents and referers

to lighttpd http conditionals url.access-deny blocks security by jason on May 26, 2005

# deny access for Indy Library a Tester
$HTTP["useragent"] =~ "Indy" { url.access-deny = ( "" ) }
 
# deny access for a hydrocodone containing refer 
$HTTP["referer"] =~ "hydrocodone" { url.access-deny = ( "" ) }

Lighttpd proxy with Tracd specific example

to lighttpd trac tracd proxy vhost by jason on May 26, 2005

$HTTP["host"] == "trac.textdrive.com" #the == is to exactly match
{
proxy.server = (
"" => (                               #this is for the root, can be a .extension in other uses
"trac" => (                           #just a name, your choice
"host" => "70.84.29.150", 
"port" => 9000 
           )
       )
                )
}

Upgrading a kernel

to freebsd kernel installation cvsup stable by jason on May 26, 2005

Install CVSup

cd /usr/ports/net/cvsup-without-gui
make install distclean

Make and populate the CVSup config file

touch /root/cvsup-stable-src.sup
echo '*default host=cvsup14.us.FreeBSD.org' >> /root/cvsup-stable-src.sup
echo '*default base=/var/db' >> /root/cvsup-stable-src.sup
echo '*default prefix=/usr' >> /root/cvsup-stable-src.sup
echo '*default release=cvs tag=RELENG_5' >> /root/cvsup-stable-src.sup
echo '*default delete use-rel-suffix compress' >> /root/cvsup-stable-src.sup
echo ' src-all' >> /root/cvsup-stable-src.sup

Update the /usr/src/ tree

cvsup /root/cvsup-stable-src.sup

Get rid of any old "worlds" and make a new one

rm -rf /usr/obj/usr
cd /usr/src/
make buildworld

Make changes to /usr/src/sys/i386/conf/GENERIC and name it was what you want.

Build the kernel, install the kernel, verify it and dot.old in /boot/, run mergemaster, and install the new world.

make buildkernel KERNCONF=GENERIC
make installkernel KERNCONF=GENERIC
mergemaster -p
make installworld
mergemaster
ls -l /boot/
shutdown -r now

Note, we often run in a securelevel of 1 and have immutable binaries in the system folders. You'll need to edit rc.conf.

nano /etc/rc.conf

kern_securelevel_enable="NO"
kern_securelevel="1"

Reboot

shutdown -r now

Then make things mutable

chflags noschg /bin/*
chflags noschg /sbin/*
chflags noschg /bin
chflags noschg /sbin
chflags noschg /usr/bin/*
chflags noschg /usr/sbin/*
chflags noschg /usr/bin
chflags noschg /usr/sbin

How to setup NTP on BSD

to ntpdate ntpd ntp.conf time date by jason on May 26, 2005 1 Comments

echo xntpd_enable=\"YES\" >> /etc/rc.conf
echo xntpd_program=\"/usr/sbin/ntpd\" >> /etc/rc.conf
echo xntpd_flags=\"-p /var/run/ntpd.pid\" >> /etc/rc.conf
ntpdate time.nist.gov
ntpdate time.nist.gov
mkdir /etc/ntp
touch /etc/ntp/drift

touch /etc/ntp.conf
echo server time.nist.gov >> /etc/ntp.conf
echo driftfile /etc/ntp/drift  >> /etc/ntp.conf
/etc/rc.d/ntpd start

Using pw to add a group and user in FreeBSD

to sysadmin pw groupadd useradd passwd freebsd by jason on May 26, 2005

Using "textdrive" as an example

pw groupadd textdrive
pw useradd textdrive -m -c "Main Textdrive account" -d /home/textdrive -s /bin/tcsh -G textdrive -k /usr/share/skel/

Then set the password:

passwd textdrive

Locking your Rails app to specific gem versions

to rails gems environments version locking by jason on May 26, 2005

To lock in a gem, you can modify your environments files, like how

config/environments.rb

has

# Require Rails gems.
require 'rubygems'
require_gem 'activerecord'
require_gem 'actionpack'
require_gem 'actionmailer'
require_gem 'rails'

Change it to the versions you are using, like

# Require Rails gems.
require 'rubygems'
require_gem 'activerecord', '<= 1.30'
require_gem 'actionpack', '<= 1.1.0'
require_gem 'actionmailer', '<= 0.5.0'
require_gem 'rails', '<= 0.9.1'

SSH tunneling for MySQL

to mysql ssh tunneling remote by jason on May 26, 2005

No forking in background and verbose

ssh -2 -v -c blowfish -C -N user@servername.textdrive.com -L 3370/127.0.0.1/3306

Forking in background

ssh -2 -f -c blowfish -C -N user@servername.textdrive.com -L 3370/127.0.0.1/3306

Mod_security audit_log analysis

to mod_security log analysis by jason on May 26, 2005

egrep 'Host:'  audit_log | sort | uniq -c | sort -rn | sed "s/mod_security-message\: Access denied with code 412\. //g" >

egrep 'mod_security-message'  audit_log | sort | uniq -c | sort -rn  | mod_security-message-sort.txt

egrep "^HTTP/" audit_log | sed  "s/HTTP\/[01].[019] //g" | sort | uniq > HTTPcodes-audit.txt

Check out what's being used in the access_log headers

cat httpd-access.log | awk '{print $7}' | sort |  uniq -c | sort -rn | less

View processes, grep out by user and then kill all their PIDs

to awk ps sysadmin grep kill by jason on May 26, 2005

ps axu | grep user | kill -9 `awk �{print $2}�`

Sort a list of processes by users into more

to ps sort more processmanagement sysadmin by jason on May 26, 2005

ps axu | sort -rn | more

CodeSnippets > jason

jason's Tags

Never been to CodeSnippets before?

About this user

On This Page:

Using HTTP conditions and url.access-deny to have Lighttpd block some user agents and referers

Lighttpd proxy with Tracd specific example

Upgrading a kernel

How to setup NTP on BSD

Using pw to add a group and user in FreeBSD

Locking your Rails app to specific gem versions

SSH tunneling for MySQL

Mod_security audit_log analysis

View processes, grep out by user and then kill all their PIDs

Sort a list of processes by users into more

On This Page:

Joyent

CodeSnippets > jason

jason's Tags

Never been to CodeSnippets before?

About this user

On This Page:

On This Page: