Thursday, December 08, 2005
A Ruby in one hand is worth more than a thousand Perls
My first encounter with the Ruby programming language was when I took Programming Languages my sophomore year in college. This was about three years ago. Then, Ruby was listed as one of about a dozen languages we could choose from to present on for extra credit. I must say, I wish I had kept up with what I was reading back then about Ruby, because now I am so excited about Ruby on Rails (RoR) that I am revisiting Ruby.
Before RoR, I used PHP PEAR and loved it! Back then I thought PEAR was the greatest thing to hit the web for developing database backends. I even used it to build my senior project before graduating in 2005. I was in for a big surprise when I tried RoR. I wish I had known about Rails then.
Like most people I was a little skeptical about using Rails. I finally decided to purchase the book "Agile Web Development with Rails", by Dave Thomas and David Heinemeier Hansson, and after reading it and a Rails article on www.OnLamp.com I was convinced that Ruby with Rails will be the next killer app when it comes to developing database-backed sites.
With Rails I was able to develop a database app in a matter of minutes with hardly any work. The Rails framework is an excellent one indeed. I still have a lot to learn, so back to the books for me.
Who needs Exceed Anymore?
Exceed has officially been ditched!
Friday, November 18, 2005
Who needs Microsoft Office anymore when there is OpenOffice?
I am almost tempted to uninstall Microsoft Office, but I will wait a few months to make sure I do not have any incompatibility issues with Office documents. The feature I like best about OpenOffice is the ability to export to PDF right out of the box! It exported just about all my MS Office documents to PDF with ease. This, my friend, is impressive. I am just waiting for the ability to edit the PDFs I open as well.
Monday, November 07, 2005
Installing Apache2 in FreeBSD
$> cd /usr/ports/www/apache2
$> make -DWITH_EXPERIMENTAL_MODULES -DWITH_LDAP_MODULES -DWITH_MISC_MODULES -DWITH_PROXY_MODULES -DWITH_SSL_MODULES -DWITH_SUEXEC_MODULES -DWITH_THREADS_MODULES install clean
...
mod_mem_cache.c: In function `remove_entity':
mod_mem_cache.c:556: error: structure has no member named `lock'
mod_mem_cache.c:557: error: structure has no member named `lock'
mod_mem_cache.c:571: error: structure has no member named `lock'
mod_mem_cache.c:572: error: structure has no member named `lock'
mod_mem_cache.c: In function `remove_url':
mod_mem_cache.c:644: error: structure has no member named `lock'
mod_mem_cache.c:645: error: structure has no member named `lock'
mod_mem_cache.c:654: error: structure has no member named `lock'
mod_mem_cache.c:655: error: structure has no member named `lock'
mod_mem_cache.c: In function `store_body':
mod_mem_cache.c:928: error: structure has no member named `lock'
mod_mem_cache.c:929: error: structure has no member named `lock'
mod_mem_cache.c:964: error: structure has no member named `lock'
mod_mem_cache.c:965: error: structure has no member named `lock'
mod_mem_cache.c: In function `mem_cache_post_config':
mod_mem_cache.c:1034: error: structure has no member named `lock'
mod_mem_cache.c:1034: error: `APR_THREAD_MUTEX_DEFAULT' undeclared (first use in this function)
mod_mem_cache.c:1034: error: (Each undeclared identifier is reported only once
mod_mem_cache.c:1034: error: for each function it appears in.)
...
Stop in /usr/ports/www/apache2/work/httpd-2.0.55/modules/experimental.
*** Error code 1
...
From the error I could deduce that the problem was in the experimental modules. Since I did not need them, I just removed that option from the make options.
$> make -DWITH_LDAP_MODULES -DWITH_MISC_MODULES -DWITH_PROXY_MODULES -DWITH_SSL_MODULES -DWITH_SUEXEC_MODULES -DWITH_THREADS_MODULES install clean
After removing the flag "-DWITH_EXPERIMENTAL_MODULES", old object files needed to be removed as well before make could succeed.
$> make clean
===> Cleaning for libiconv-1.9.2_1
===> Cleaning for autoconf-2.59_2
===> Cleaning for gettext-0.14.5
===> Cleaning for gmake-3.80_2
===> Cleaning for libtool-1.5.20
...
$> make -DWITH_LDAP_MODULES -DWITH_MISC_MODULES -DWITH_PROXY_MODULES -DWITH_SSL_MODULES -DWITH_SUEXEC_MODULES -DWITH_THREADS_MODULES install clean
...
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/opt/etc/rc.d/apache2.sh
/opt/etc/rc.d/000.apache2libs.sh
...
===> Cleaning for autoconf-2.59_2
===> Cleaning for gettext-0.14.5
===> Cleaning for gmake-3.80_2
===> Cleaning for libtool-1.5.20
...
Well, that did the trick, so I can now work on configuring the config files.
Sunday, November 06, 2005
Upgrading to FreeBSD 6.0-Stable
I recently upgraded my FreeBSD server at home to 6.0-STABLE after sticking with 5.3 for some time.
The upgrade was pretty simple.
Edit: /usr/sup/stable-supfile
Changed:
*default release=cvs tag=RELENG_5 to *default release=cvs tag=RELENG_6
$> cd /usr/src
$> make update
--------------------------------------------------------------
>>> Running /usr/local/bin/cvsup
--------------------------------------------------------------
Parsing supfile "/usr/sup/stable-supfile"
Connecting to cvsup11.FreeBSD.org
Connected to cvsup11.FreeBSD.org
Server software version: SNAP_16_1h
Negotiating file attribute support
Exchanging collection information
Establishing multiplexed-mode data connection
Running
...
I then read over /usr/src/UPDATING (... from 5.x-stable or higher to 6.x-stable.) to make sure there was nothing critical which had to be done before upgrading.
$> make buildworld
$> make kernel
Note that I did not specify KERNCONF. This is because I have this variable defined in make.conf along with others. It is highly recommended to reboot into single-user mode at this point, but I chose not to. After make kernel, I proceeded with:
$> mergemaster -p
$> make installworld
$> mergemaster -i
before rebooting the machine. After "make installworld" and "mergemaster -i" it is essential that the machine be rebooted, otherwise the system will become unstable very quickly. I was relieved to see the following when the machine started:
Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 6.0-STABLE #0: Sat Nov 5 12:54:51 EST 2005
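The tag switch and the build sequence above, as an added example that is not part of the original post: one function rewrites the cvsup tag line in the supfile (and refuses to touch a file that has no such line), and one runs the upgrade steps in the order the post uses, stopping at the first failure instead of continuing with a half-built world. The supfile path, /usr/src and KERNCONF living in /etc/make.conf are assumptions taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: switch the cvsup tag in a
# stable-supfile and run the source-upgrade steps in order, stopping at the
# first failure. Assumes KERNCONF is set in /etc/make.conf as the post says.

# current_cvsup_tag FILE: print the tag on the "*default release=cvs tag=" line.
current_cvsup_tag() {
    sed -n 's/^\*default release=cvs tag=\([^[:space:]]*\).*/\1/p' "$1"
}

# set_cvsup_tag FILE TAG: rewrite that line to use TAG (e.g. RELENG_6).
# Fails and leaves the file untouched if the line is not present.
set_cvsup_tag() {
    supfile=$1; tag=$2
    grep -q '^\*default release=cvs tag=' "$supfile" || return 1
    sed "s/^\(\*default release=cvs tag=\)[^[:space:]]*/\1$tag/" "$supfile" > "$supfile.new" \
        && mv "$supfile.new" "$supfile"
}

# upgrade_world [SRCDIR]: the steps from the post, each gated on the previous
# one. Not exercised by the test; it rebuilds the system and expects root.
upgrade_world() {
    src=${1:-/usr/src}
    cd "$src" || return 1
    echo ">>> Read $src/UPDATING before continuing"
    for step in "make update" "make buildworld" "make kernel" \
                "mergemaster -p" "make installworld" "mergemaster -i"; do
        echo ">>> $step"
        $step || { echo "*** '$step' failed; stopping here" >&2; return 1; }
    done
    echo ">>> Done. Reboot now so the running kernel matches the installed world"
}
```

Running the steps through one loop matters because the ordering is the safety property: installworld on top of a kernel that did not build, or a reboot skipped after installworld, is exactly what leaves the box unstable.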
Thursday, July 21, 2005
Using Portsnap
$> portsnap fetch
Fetching snapshot tag... done.
Fetching snapshot metadata... done.
Updating from Fri Jul 22 00:57:39 UTC 2005 to Fri Jul 22 02:22:01 UTC 2005.
Fetching 4 metadata patches... done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 4 patches... done.
...
Fetching 0 new ports or files... done.
$> portsnap extract
/usr/ports/x11/xtermset/
/usr/ports/x11/xtestpicture/
/usr/ports/x11/xtoolwait/
/usr/ports/x11/xtrlock/
/usr/ports/x11/xtset/
/usr/ports/x11/xvattr/
/usr/ports/x11/xvkbd/
/usr/ports/x11/xwatchwin/
/usr/ports/x11/xwit/
/usr/ports/x11/xxkb/
/usr/ports/x11/xzoom/
/usr/ports/x11/yalias/
/usr/ports/x11/yelp/
/usr/ports/x11/zenity/
Building new INDEX files... done.
$> portsnap update
Removing old files and directories... done.
Extracting new files:
/usr/ports/editors/abiword-devel/
/usr/ports/editors/abiword/
/usr/ports/irc/p5-POE-Component-IRC/
/usr/ports/www/chtml/
Building new INDEX files... done.
The fetch command fetches and stores a compressed snapshot of the ports tree, which is usually around 35MB in size. The compressed snapshot is stored in /usr/local/portsnap for later extraction using the 'extract' command. The extract command does exactly what it says: it extracts the contents of the compressed tree into /usr/ports/. Since this was my first time using portsnap and converting from cvsup, I had to extract the compressed snapshot before I could use the update command to update my ports. Update is pretty fast compared to cvsup.
Now I just needed to see which ports were outdated:
$> pkg_version -L =
...
glib <
gnomekeyring <
iwi-firmware ?
k3b <
libidn <
mozilla <
...
There were about 20 ports which needed to be upgraded. Before I issued the portupgrade command I needed to check for stale dependencies and make sure my ports had no broken parts.
$> pkgdb -F
---> Checking the package registry database
Stale origin: 'sysutils/iwi-firmware': perhaps moved or obsoleted.
[Updating the portsdb
.........7000.........8000.........9000.........10000.........11000.........12000
.........13000.. ..... done]
Skip this for now? [yes] yes
The -F option lets you interactively fix the registry database if there appears to be a problem with a particular port. When I ran pkgdb one package was detected to have a stale origin, but I know this is no error as I manually installed iwi-firmware to make my ThinkPad's wireless BG card work correctly. iwi-firmware, as of FreeBSD 5.4-RELEASE, was not included in the ports tree, but I assume that will change soon. I can now safely upgrade the installed packages which need updating with portupgrade.
When I use portupgrade I like to first fetch all the required packages before compiling. I do a recursive fetch for all the ports which will be needed for the compile:
$> portupgrade -arF
$> portupgrade -ar
The -F option causes portupgrade to only fetch the distfiles and store them in /usr/ports/distfiles for later compilation. -a acts on all installed packages and -r also acts on the packages that depend on them (-R would instead pull in the packages they require).
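The filtering step between pkg_version and portupgrade, as an added example that is not part of the original post: it reads the `pkg_version -L =` output shown above and hands portupgrade only the packages the ports tree knows to be older, so a hand-installed package with no origin in the tree (the iwi-firmware case) is reported instead of being "upgraded" over. The sample input lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: choose the packages for
# portupgrade from `pkg_version -L =` output instead of upgrading blindly.

# outdated_ports: read pkg_version output on stdin and print the names whose
# installed version is older than the tree ("<"). Packages whose origin is
# not in the tree ("?", e.g. a hand-installed iwi-firmware) or that are newer
# than the tree (">") are reported on stderr and left alone.
outdated_ports() {
    awk '
        $2 == "<" { print $1; next }
        $2 == "?" { print "skipping " $1 ": origin not in ports tree" > "/dev/stderr"; next }
        $2 == ">" { print "skipping " $1 ": newer than ports tree" > "/dev/stderr" }
    '
}

# upgrade_outdated: fetch every distfile first (-F), then build; -r also acts
# on the packages that depend on the ones being upgraded. Not exercised by
# the test; it needs the ports tree and root.
upgrade_outdated() {
    pkgs=$(pkg_version -L = | outdated_ports) || return 1
    [ -n "$pkgs" ] || { echo "nothing to upgrade"; return 0; }
    # word splitting of $pkgs into separate arguments is intended
    portupgrade -rF $pkgs && portupgrade -r $pkgs
}
```

Anything printed on stderr by outdated_ports deserves a look before the build starts: a "?" entry is either a package that was never in the tree or one whose origin moved, and `pkgdb -F` is the place to resolve the second case.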
Saturday, May 28, 2005
Power a wireless mouse with RFID?
A4 Tech has created the world's first battery-free mouse, which uses A4 Tech's Innovative Radio Frequency Identification Technology. The mouse, in order for it to work, must be accompanied by its trusty friend, the mouse pad. "The Mouse Pad transfers instant and constant power to the mouse as a replacement for batteries." Even though the mouse is wireless, the mouse pad is not. The mouse pad has a cord that must be connected to the computer's USB port for the mouse to work. So, where the mouse pad goes the mouse must follow obediently. Hence the wireless mouse is limited only by the length of the cord which connects the mouse pad to the computer.
Saturday, April 23, 2005
OPNET IT Guru: Quality of Service
OPNET is a network simulation tool with many capabilities. It can simulate several different types of networks in their entirety and predict the outcome of events such as QoS behaviour and other network performance measures.
Quality of Service (QoS) gives routers the ability to classify packets into different queues based on their priority level.
For this lab two FTP applications are to be created, each running on its own client workstation with a different priority, one higher and one lower. The Type of Service (ToS) for the first application is Best Effort, which has the lowest priority level. The second application has its ToS set to Excellent Effort; although Excellent Effort is not the highest priority it is certainly higher than Best Effort. In addition to the two clients, two routers are set up. One is just a regular router and the other is denoted as the QoS router. The two routers are connected to each other via a PPP_DS1 link, while the QoS router is connected to an FTP server via a PPP_DS3 link. The DS1 link runs at 1.5 Mbps (24 DS0s of 64 Kbps each) and the DS3 link at 44.7 Mbps (672 DS0s). DS stands for Digital Signal level. Both routers are configured with the same QoS scheme, Priority Queuing. Packets originating from the two applications have the ToS field in their IP header checked to determine which gets the higher priority.
With the FIFO QoS scheme the higher priority application always took precedence. It waited in the queue buffer much less than the lower priority packets. Jitter was hardly ever experienced. And the length of time spent waiting in the queue was pretty much zero, because as long as there are packets waiting in the high priority queue, packets in the low priority queue are never sent out.
:::snip:::
Due to time constraints I have to finish this lab before it is due within the next few days. Coincidentally, while working on this lab my professor stepped into the advanced lab and found me working on it. To his surprise I was the only one who did not have trouble with this lab. He himself had problems getting it to function as the tutorial stated.
Friday, April 22, 2005
Random Quote
Thursday, April 21, 2005
"The TCP Three-Way Handshake gone stale"
When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN ACK before the connection is established. This is referred to as the "TCP three-way handshake."
While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK.
The TCP SYN attack exploits this design by having an attacking source host generate TCP SYN packets with random source addresses toward a victim host. The victim destination host sends a SYN ACK back to the random source address and adds an entry to the connection queue. Since the SYN ACK is destined for an incorrect or non-existent host, the last part of the "three-way handshake" is never completed and the entry remains in the connection queue until a timer expires, typically for about one minute. By generating phony TCP SYN packets from random IP addresses at a rapid rate, it is possible to fill up the connection queue and deny TCP services (such as e-mail, file transfer, or WWW) to legitimate users.
IP Spoofing has its good uses
One of the good uses for spoofing is to reduce the bandwidth required on a network by having devices such as bridges or routers answer for remote devices. This is done to fool (spoof) a LAN device into thinking a remote host is still connected to the network when in actuality this host may be disconnected from it. This saves bandwidth because no packet is ever sent out over the WAN. ["Network Spoofing" by Jeffrey Fritz, BYTE, December 1994, pages 221 - 224].
This is good to know because IP spoofing always has negative connotations associated with it.
Tuesday, April 05, 2005
Change many extensions all at once!
$> ls
Person.sql lds_Author.sql lds_Patron.sql lds_WrittenBy.sql
lds_AllTables.sql lds_Book.ddl lds_Transaction.sql
To change all these file extensions from .sql to .ddl I had to do:
$> foreach file (*.sql)
foreach? echo "Moving $file to $file:r.ddl"
foreach? mv $file $file:r.ddl
foreach? end
Moving Person.sql to Person.sql.ddl
Moving lds_AllTables.sql to lds_AllTables.sql.ddl
Moving lds_Author.sql to lds_Author.sql.ddl
Moving lds_Book.sql to lds_Book.sql.ddl
Moving lds_Patron.sql to lds_Patron.sql.ddl
Moving lds_Transaction.sql to lds_Transaction.sql.ddl
Moving lds_WrittenBy.sql to lds_WrittenBy.sql.ddl
$> ls
Person.ddl lds_Author.ddl lds_Patron.ddl lds_WrittenBy.ddl
lds_AllTables.ddl lds_Book.ddl lds_Transaction.ddl
(The echoed messages say Person.sql.ddl while the files ended up as Person.ddl: the :r modifier was not applied inside the double-quoted echo string, but it was on the unquoted mv argument, as the final ls shows.)
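The same bulk rename for the Bourne shell, as an added example that is not part of the original post and generalised to any pair of extensions. Unlike the csh loop above it refuses to overwrite a target that already exists (the listing above had an lds_Book.ddl before the loop ran, which a bare mv would have clobbered) and has a dry-run mode that only prints the plan. The file names in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: rename DIR/*.OLD to DIR/*.NEW
# in POSIX sh, never overwriting an existing file.

# rename_ext DIR OLD NEW [-n]: with -n only print what would be moved.
# Returns 1 if any file was skipped or failed to move, 0 otherwise.
rename_ext() {
    dir=$1; old=$2; new=$3; dry=${4:-}
    status=0
    for f in "$dir"/*."$old"; do
        [ -e "$f" ] || continue              # no match: the glob stays literal
        t="${f%.$old}.$new"                  # strip .OLD, append .NEW
        if [ -e "$t" ]; then
            echo "skipping $f: $t already exists" >&2
            status=1
            continue
        fi
        echo "Moving $f to $t"
        if [ "$dry" != "-n" ]; then
            mv -- "$f" "$t" || status=1
        fi
    done
    return $status
}
```

The `--` before the file names keeps a file whose name begins with a dash from being read as an option by mv, and the `[ -e "$f" ]` test is what stops the loop from trying to rename the literal string `*.sql` when the directory has no matching file.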
Saturday, April 02, 2005
"I just saved a bunch of money on my car insurance by switching to Gecko"
Mail: Forward and leave a local copy using .forward
A Google search for this solution (forwarding mail while keeping a local copy) led me to this article on the University of South Wales Computer Science web site.
Basically all you have to do, in addition to adding a forward address to the .forward file, is to prepend your local username before the forward address, separating any further addresses with commas. The sendmail convention is to write that local name with a leading backslash (\winful): the backslash tells sendmail to deliver that copy directly rather than expand the same .forward file again. For instance, since my username is winful and the address I forward to is winful@gmail.com, my .forward file looks like the following:
winful,winful@gmail.com
It is as simple as that!
Monday, March 28, 2005
Update to my FreeBSD Checklist
Partition Setup:
================
/ <400MB>
/var <400MB>
/tmp <400MB>
/usr
/storage
FreeBSD Security Checklist, taken from www.sddi.net
Installation
[ ] separate slices for /
/usr/home(G), /var(MB), /storage(G) using the ufs2 fs
[ ] no inetd.conf, or nfs since port_map is not being used.
[ ] no ntp, since rdate is being used
[ ] add /sysutils/rdate-1.0 & /security/chkrootkit-0.36
[ ] add non-privileged user account in wheel group
Users
[ ] vipw and remove toor user, rename Charlie&, change shells
[ ] in /etc/group, add a group for ssh users, e.g. sshusers:*:1001:{nonprivuser}
(1001 is an example; use any unused GID, not 0, which is wheel)
Together with AllowGroups sshusers below this limits ssh logins to
members of that group; root is kept out by PermitRootLogin no as well
motd
[ ] cp /etc/motd /etc/motd.old
[ ] rm /etc/motd
[ ] touch /etc/motd
[ ] vi /etc/motd and create
What ever message you want to see when you or others users
login to the box.
[ ] cp /etc/motd /etc/issue
/etc/ssh/sshd_config
[ ] port 22
I change my port to 2222 to prevent default scans from
triggering alerts to port 22.
[ ] Protocol 2
[ ] #HostKey /etc/ssh/ssh_host_key
The protocol 1 host key; not needed once only protocol 2 is offered
[ ] PermitRootLogin no
[ ] MaxStartups 5:50:10
Limits concurrent unauthenticated connections, not bad logins: once 5
are pending, drop 50% of new ones, rising to 100% at 10
[ ] X11Forwarding no
Disabling X11 forwarding does not prevent users from forwarding X11
traffic, as users can always install their own forwarders.
[ ] PrintLastLog yes
[ ] SyslogFacility auth
Sends log information to the auth facility, which FreeBSD's default
syslog.conf writes to /var/log/auth.log
[ ] LogLevel VERBOSE
[ ] PasswordAuthentication no
[ ] Banner /etc/issue
[ ] AllowGroups sshusers
/etc/ssh/ssh_config
[ ] ForwardAgent no
[ ] ForwardX11 no
[ ] PasswordAuthentication no
[ ] CheckHostIP yes
This allows ssh to detect if a host key changed due to DNS
spoofing.
[ ] Protocol 2
DSA Key Generation (as opposed to password login)
[ ] su - {nonprivuser} as root
[ ] ssh-keygen -t dsa
[ ] accept default ~/.ssh/id_dsa
[ ] enter a passphrase twice
[ ] cd .ssh
[ ] cat id_dsa.pub >> authorized_keys
Append rather than overwrite so existing keys survive; authorized_keys2
is the old name for the same file and still read for compatibility
[ ] copy the private key (id_dsa) to floppy, and confirm
[ ] delete the private key from the server; only id_dsa.pub and
authorized_keys stay
rc.conf
[ ] inetd_enable="NO"
[ ] syslogd_enable="YES"
[ ] syslogd_flags="-ss"
This disables port 514 to prevent logging to and from the
server.
[ ] icmp_drop_redirect="YES"
Ignore ICMP redirects, which could be used to reroute our traffic
(this has nothing to do with pings)
[ ] icmp_log_redirect="YES"
[ ] clear_tmp_enable="YES"
Empty /tmp on boot
[ ] portmap_enable="NO"
If not running nfs
[ ] icmp_bmcastecho="NO"
Prevent springboarding & smurf attacks
[ ] fsck_y_enable="YES"
Run fsck -y if the initial preen of the filesystems fails.
-y assumes yes to all questions, so it may discard data to get the
box booting unattended.
[ ] update_motd="NO"
We do not want to overwrite the message of the day on boot
[ ] tcp_drop_synfin="YES"
Drop TCP packets with both SYN and FIN set, a combination used by
OS fingerprinting scans. Needs TCP_DROP_SYNFIN in the kernel (see
below) and breaks T/TCP (RFC 1644).
[ ] log_in_vain="YES"
Log all attempts to access the box by a closed port.
[ ] sshd_enable="YES"
Run our sshd daemon on boot.
login.conf & auth.conf
[ ] vi /etc/login.conf
[ ] :passwd_format=blf: Change the password hash from MD5 to the
Blowfish-based bcrypt scheme, which is deliberately expensive to
compute and so much slower to brute-force.
[ ] :passwordtime=52d: Renew passwords every 52nd day
[ ] mixpasswordcase=true:
[ ] :minpasswordlen=9:
[ ] :idletime=32: This can be annoying!
[ ] cap_mkdb /etc/login.conf
[ ] confirm with vipw that the password field starts with $2a$ for blowfish
[ ] confirm shells for users
[ ] vi /etc/auth.conf
[ ] crypt_default=blf
This makes blowfish the default algorithm for all new users
added
sysctl.conf
[ ] vi /etc/sysctl.conf
[ ] kern.ipc.shmmax=67108864
[ ] kern.ipc.shmall=32768
To further optimise performance: to enhance the shared memory X11
interface, it is recommended that the values of some sysctl(8)
variables be increased
[ ] net.inet.tcp.blackhole=2
Do not answer segments arriving on closed TCP ports with a RST
(1 would only silence SYNs); the port looks filtered rather than
closed to a scanner
[ ] net.inet.udp.blackhole=1
Do not answer closed UDP ports with ICMP port unreachable
[ ] kern.ps_showallprocs=0
Disallow normal users from viewing other users' processes
[ ] vfs.usermount=1
Allows normal users to mount filesystems. This exposes the kernel's
filesystem code to whatever media they insert, so leave it at 0
unless it is needed
[ ] hw.ata.atapi_dma=1
Enables DMA access for ATAPI devices.
[ ] net.inet.ip.forwarding=1
Enable IP forwarding. Only for a box that routes between networks;
a single-homed server should leave this at 0
[ ] net.inet.ip.check_interface=1
This verifies that an incoming packet arrives on an interface
that has an address matching the packet's destination address
[ ] net.inet.tcp.recvspace=65535
To enable high performance data transfers. This is good when
transferring files.
[ ] net.inet.tcp.sendspace=65535
Same as recvspace, for the sending side
[ ] kern.ipc.shm_allow_removed=1
For vmware
fstab
[ ] vi /etc/fstab
[ ] /tmp to rw,noexec
[ ] /usr/home to rw,nosuid,noexec
noexec here also stops users running their own binaries; if that is
too restrictive, nosuid,nodev is the usual minimum
[ ] /floppy to rw,noauto,noexec,nosuid,nodev,noatime
[ ] /cdrom to ro,noauto
cvsup
[ ] vi /etc/make.conf
...
crontab
[ ] chmod 600 /etc/crontab
[ ] touch /var/cron/allow and add users who can change cron jobs
[ ] chmod 600 /var/cron/deny
[ ] vi /var/cron/deny and add users to disallow
[ ] add 0 2 * * * root /usr/libexec/locate.updatedb
[ ] add 0 2 * * * root /usr/local/sbin/rdate {ntpserver}
[ ] add 1 3 * * * root /usr/local/sbin/chkrootkit
Kernel Changes /usr/src/sys/i386/conf/{kernelname}
[ ] #device bpf (pseudo-device bpf on 4.x)
Removing bpf stops packet capture altogether: the tcpdump check
below and any DHCP client need it, so keep it on a box that must
capture traffic
[ ] options SC_NO_HISTORY
No console scrollback buffer
[ ] options SC_DISABLE_REBOOT
Disable Ctrl-Alt-Del on the console
[ ] options SC_DISABLE_DDBKEY
Disable the kernel debugger hot key on the console
[ ] options TCP_DROP_SYNFIN
Required for tcp_drop_synfin="YES" in rc.conf to have any effect
[ ] options RANDOM_IP_ID
Randomise the IP ID field; on newer kernels this is the
net.inet.ip.random_id sysctl rather than a build option
[ ] options ICMP_BANDLIM
Rate-limit ICMP error responses, which port scans and SYN floods
provoke in bulk; on newer kernels this is built in and tuned via
net.inet.icmp.icmplim
[ ] confirm settings in /usr/src/sys/i386/conf/NOTES (make LINT
generates LINT from it)
[ ] rebuild kernel and reboot
making world
[ ]
... Dave, do your magic
File Permissions
[ ] chmod 700 /root
[ ] chmod 600 /etc/syslog.conf
[ ] chmod 600 /etc/rc.conf
[ ] chmod 600 /etc/newsyslog.conf
[ ] chmod 600 /etc/hosts.allow
[ ] chmod 600 on /etc/login.conf
[ ] chmod 700 /usr/home/*
Network Time Protocol
[ ] restrict default ignore
TCP Wrappers
vi /etc/hosts.allow
The first matching line wins, so the allow lines must come before
the deny line for the same service
[ ] sshd : localhost : allow
[ ] sshd : x.x.x.x, x.x.x.x : allow
[ ] sshd : ALL : deny
[ ] ftpd : ALL : deny and so on for unused services
Console Access
[ ] vi /etc/ttys
[ ] first line: console none unknown off insecure
An insecure console makes init ask for the root password before
handing out a single-user shell
[ ] insecure for each tty
Root cannot log in directly on an insecure tty; use su from a wheel
account instead
Bash Shell
[ ] vi /usr/share/skel/.bash_logout
[ ] clear
chflags
[ ] list files to sappnd & schg
schg makes a file immutable and sappnd append-only (useful for logs);
with kern.securelevel raised above 0 even root cannot clear these
flags without dropping to single-user mode
Clean-up
[ ] sockstat -4
Confirm that only the services you expect are listening
[ ] tcpdump -xX
Watch for traffic the box should not be seeing or sending
======================================================================
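An audit of the sshd_config items in the checklist, as an added example that is not part of the checklist or its source. Two sshd_config rules that are easy to get wrong are built into it: the first uncommented occurrence of a keyword wins (a later "PermitRootLogin yes" does not override an earlier "no", and the other way round), and keywords are case-insensitive. Lines after a Match block are conditional and are not considered. The wanted values and the group name sshusers are the checklist's; the sshd_config in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the checklist: report where an sshd_config
# deviates from the values the checklist asks for.

# sshd_effective FILE KEYWORD: print the value sshd would use for KEYWORD,
# i.e. the first uncommented occurrence before any Match block, matched
# case-insensitively. Prints nothing if the keyword is not set.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }        # comments and blank lines
        tolower($1) == "match"      { exit }        # conditional section starts
        tolower($1) == key          { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one line per deviation from the checklist and
# return the number of deviations (0 means the file matches).
audit_sshd_config() {
    f=$1; bad=0
    for pair in "Protocol=2" "PermitRootLogin=no" "PasswordAuthentication=no" \
                "X11Forwarding=no" "LogLevel=VERBOSE" "SyslogFacility=AUTH" \
                "AllowGroups=sshusers"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$f" "$key")
        if [ -z "$got" ]; then
            # an unset keyword is a finding: sshd's compiled-in default applies
            echo "MISSING  $key: not set, sshd default applies (checklist: $want)"
            bad=$((bad + 1))
        elif [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ]; then
            echo "MISMATCH $key is '$got' (checklist: $want)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` after editing and again after every upgrade that touches the file; a "Protocol 2,1" left in by a package default shows up as a mismatch rather than passing because it contains a 2.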
Tuesday, March 22, 2005
Create a bootable WinXP cd from the contents of your /i386 directory
Sunday, March 06, 2005
ThinkPads with IPS Technology
X-Bit's Guide has great details on IPS and other LCD technologies. According to X-Bit's guide, the IPS technology was originally developed by Hitachi in 1996 and has since been improved by companies such as NEC, IBM, Samsung and others. IBM's improvement on IPS is better known as Dual Domain IPS (DD-IPS) and they do not share this technology with just anyone.
Friday, March 04, 2005
Come to Papa
Tuesday, February 08, 2005
Remote backup with ease... I mean SSH
( cd SOURCEDIR && tar cvf - . | gzip -1 -) | ssh target_address "(cd DESTDIR && cat - > remotefile.tgz )"
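The same backup pipeline, as an added example that is not part of the original post, with one thing the one-liner lacks: a check that the bytes stored on the far side are the bytes that left. The transport command is a parameter so the function can be exercised locally with `sh -c`; with no third argument it uses ssh to $REMOTE, which is assumed to hold user@host. The source directory in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: tar-over-ssh backup whose result
# is verified with cksum on both ends. Not the original one-liner.

# backup_dir SRCDIR DEST [TRANSPORT]: stream SRCDIR as a gzip'd tar through
# TRANSPORT into the file DEST on the far side, then compare the cksum
# (CRC and byte count) of what was sent with what was stored.
# The spool file costs as much local disk as the archive itself.
backup_dir() {
    src=$1; dest=$2; transport=${3:-"ssh $REMOTE"}
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    spool=$(mktemp "${TMPDIR:-/tmp}/backup.XXXXXX") || return 1
    # tee keeps an exact copy of the stream for checksumming; tar's -v is
    # dropped so the file list does not go to the terminal or the ssh session
    if ! ( cd "$src" && tar cf - . ) | gzip -1 | tee "$spool" | $transport "cat > '$dest'"; then
        echo "transfer failed" >&2; rm -f "$spool"; return 1
    fi
    # a tar error inside the pipeline is invisible without pipefail, so make
    # sure the archive at least unpacks before trusting the checksum
    if ! gzip -dc "$spool" | tar tf - > /dev/null; then
        echo "archive is not readable" >&2; rm -f "$spool"; return 1
    fi
    sent=$(cksum < "$spool" | awk '{ print $1, $2 }')
    stored=$($transport "cksum < '$dest'" | awk '{ print $1, $2 }')
    rm -f "$spool"
    if [ -z "$sent" ] || [ "$sent" != "$stored" ]; then
        echo "checksum mismatch: sent [$sent] stored [$stored]" >&2
        return 1
    fi
    echo "ok: $dest cksum $sent"
}
```

cksum is used rather than a sha utility because its name and output format are the same on FreeBSD and Linux; it detects truncation and corruption in transit, not tampering, which is what a backup verification needs. Call it as `REMOTE=user@host backup_dir /home/winful /backup/home.tgz`.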