Sysadmins be welcome!
Sysadmins of the North is just another technical blog, like so many others out there. Most posts are written in English, some in Dutch. For the most part, I write as it comes; posts may seem incoherently written sometimes (my apologies). Here on Saotn.org you’ll find all kinds of computer, server, web, sysadmin, database and security related stuff. Browse the latest posts per category here, search for posts, or make a selection from the categories menu.
Delete all MAILER-DAEMON emails in the Postfix queue if they match a sender or recipient email address condition. When a large scale spam run was sent through your mail servers, you need to clean up and remove those spam messages. Doing so guarantees that normal, valid email messages are sent quickly and that the spam messages never leave your queue. In Postfix, there are various similar commands to delete messages from the Postfix mail queue, based on the Message-ID and/or email address…
Malware Must Die! has done a great and extensive write-up on the subject of hacked and abused FTP sites (accounts). This topic fits well within my daily routine of investigating and closing down hacked websites, for which I have to use various techniques to find those hacked sites. As you might know, website security is one of the major themes of this site.
Test MySQL database connectivity with ASP.NET, PHP, ASP
Whenever you need to test MySQL database connectivity from a website or server, it’s handy to have various test scripts nearby, whether it is because you are setting up a new website or because you have just installed a new server and are running your tests. Nowadays, many websites depend on a MySQL or MariaDB database because CMS systems like WordPress, Joomla and Drupal are so popular, and Umbraco too. You want your webserver to connect to MySQL fast and properly
How to hide file extensions, such as .php or .asp, with URL Rewrite.
Sometimes it’s important to hide the file extension of scripts you use. Security by obscurity might be one of those reasons, if you don’t want others to know what script language you are using. Or you just want to hide the file extension for no apparent reason.
Test StartTLS connections and SMTP-AUTH from the Linux and Windows command line
While investigating SMTP authentication issues over a Transport Layer Security (TLS) encrypted connection, it’s always handy if you are able to test the SMTP authentication and StartTLS connection from the command line. SMTP Authentication, often abbreviated SMTP AUTH, is an extension of the Simple Mail Transfer Protocol whereby an SMTP client may log in using an authentication mechanism chosen among those supported by the SMTP server.
On StrongLoop we find an interesting article on scaling Node.js with proxies and clusters:
Node apps essentially run single-threaded, even though file and network events could leverage multiple threads. This architecture thereby binds the performance of each application instance/process to the one logical CPU core that its thread is attached to. To a J2EE architect like me, this highlights immaturity in Node as an enterprise ready technology. Application servers like JBoss or Weblogic already solved this 10 years back using server core multi-threading and parallelism. Little did I realize that context switching between threads ate up my memory and I still had a blocking IO problem.
In a way, discovering the lack of threading prepares the Node developer to write scalable asynchronous code and use libraries like web-sockets from the get-go rather than worry about scalability later in the application life cycle. But this code optimization is still capped to the scaling limits of a single CPU core. So, how is production scaling achieved in the Node world today?
Brandon Cannady – the CTO of Modulus, a Node.js application hosting platform – wrote an absolute beginner’s guide to Node.js.
There’s no shortage of Node.js tutorials out there, but most of them cover specific use cases or topics that only apply when you’ve already got Node up and running. I see comments every once in a while that sound something like, “I’ve downloaded Node, now what?” This tutorial answers that question and explains how to get started from the very beginning.
What is Node.js?
A lot of the confusion for newcomers to Node is misunderstanding exactly what it is. The description on nodejs.org definitely doesn’t help.
Read on at An Absolute Beginner’s Guide To Node.js
Saotn.org uses IIS Outbound Rewrite Rules to offload content to a different server and/or host name. This should improve website performance. Just recently I noticed these Outbound Rules conflicted with compressed (gzip) content. I started noticing HTTP 500 errors with the error message:
Outbound rewrite rules cannot be applied when the content of the HTTP response is encoded ("gzip").
This is how I resolved this error.
Gary Pendergast writes on Make WordPress Core:
In WordPress 3.9, we added an extra layer to WPDB, causing it to switch to using the mysqli PHP library, when using PHP 5.5 or higher.
For plugin developers, this means that you absolutely shouldn’t be using PHP’s mysql_*() functions any more – you can use the equivalent WPDB functions instead.
This evening, after tweeting about preventing cross site scripting vulnerabilities, I received a reply from Olivier Beg. His reply to my tweet contained an image, as you can see below. He alerted me that Saotn.org was vulnerable to a DOM based XSS vulnerability, hidden in prettyPhoto used by my WordPress theme. Whoops!
So, I had work to do! But, what is prettyPhoto and what exactly is a DOM based XSS?
Maximiliano Curia posted a call for help from the KDE team to the debian-devel mailing list:
For quite a while now the KDE team has been severely understaffed. We maintain a lot of packages, with many different kinds of bugs, but we don’t have enough people to do all the work that needs to be done. We have tools that help us automate the update to new upstream releases, but that’s just the tip of the iceberg of our work and so we are writing to invite more people to get involved in the team and help us get KDE software in Debian into better shape.
Some of the tasks that we need help with are:
Read the entire post at lists.debian.org:
Subject: Call for help from KDE Team.
Optimize WordPress wp_options table
This probably isn’t a big issue, but today I noticed a slow MySQL query coming from a WordPress database (the WordPress wp_options table). This made me decide to investigate and optimize the WordPress wp_options table “autoload” feature. The autoload feature loads and caches all autoloaded options, if available, or else all options. The default is to autoload, and over time, as the wp_options table grows, this drains performance.
Time for Windows Update; Patch also available for Windows XP!
Microsoft released a fix for the recently discovered remote code execution vulnerability in Internet Explorer. This remote code execution vulnerability affects all Internet Explorer versions from IE 6 through IE 11. The security update is also known as KB2964358 and Microsoft also published Security Bulletin MS14-021.
It surprised me the update was marked as Important in Windows Update, not critical.
Automate WordPress customization and plugin installation
WordPress has a little drop-in plugin option available in the form of /wp-content/install.php. This install.php file is not present by default, but when created it can be used to install plugins without wp-admin access. This is neat for automatic or unattended WordPress installations, customizations and so on.
Contact Form 7 is a WordPress plugin which provides a simple but flexible contact form. On IIS webservers it has one HUGE disadvantage: temporary captcha files that are created and placed in wp-content/uploads/wpcf7_captcha are not automatically removed. The files are made read only. In a short amount of time, the number of temporary captcha files created by Contact Form 7 grows to enormous numbers, slowing down your website.
Here is how to remove Contact Form 7 temporary captcha files on IIS.
MySQL string comparison functions for MD5 and SHA1 hashes; how to calculate MD5 and SHA1 hashes in MySQL and compare strings with MySQL.
Some web scripting languages like classic ASP don’t have native string hashing functions – like MD5 or SHA1. This makes it quite difficult to hash or encrypt user supplied input, and to perform string comparison to compare hashes. Let’s make MySQL do the string comparison and hash calculations for us!
Chmod.php, change file attributes with PHP, to make files read only or normally accessible on Windows/IIS servers.
Sometimes you need chmod to make files read only on your website, or to make them normally accessible again in case they already are read only. For instance, Drupal’s settings.php configuration file and WordPress Contact Form 7 temporary captcha files are examples of read-only files.
It is important to validate the MIME type of files, especially the MIME types of files which are uploaded through an upload form on your website. With PHP, the best way to validate the MIME type is with the PHP extension Fileinfo. Any other method might not be as good or as secure, and unfortunately those other methods are still widely used.
Prepare your Umbraco website for high performance web garden, web farm and load balancing environments: store your sessions out-of-process (OutProc), as opposed to the default in-process (InProc) sessions, where session state is kept inside the worker process.
$mysqli->multi_query($query) to optimize all database tables in a single statement. This boosts MySQL and PHP performance.
The PHP MySQLi extension supports multiple queries which are concatenated by a semicolon. We can use this to optimize all MySQL tables in one single multi_query() statement.
Add custom headers to System.Net.Mail
When sending an email using the MailMessage class (System.Net.Mail namespace) in an ASP.NET website, certain email headers like Message-ID are not always set.
If a Message-ID header is missing, email might be blocked by the recipient’s SMTP server. Therefore it is necessary to set such headers…
The following PHP fix goes for nearly all PHP Call-time pass-by-reference errors:
The WordPress plugin In Over Your Archives is a plugin to display your archive page in a nice way, just like on inoveryourhead.net. The plugin hasn’t been updated in quite some time and breaks with PHP version 5.4:
If you run a WordPress blog where you display (parts of) source code, syntax highlighting is a must! It prettifies the code, which makes it easier to read, and it distinguishes code from text. However, most syntax highlighting is made available through plugins, and we all know too many plugins bring a lot of overhead to your blog.
Too many plugins and too much overhead result in a slower blog. We don’t want a slow blog, so here is how to fix that.
Information about HeartBleed and IIS
Via Erez’s IIS Blog:
The Heartbleed vulnerability in OpenSSL (CVE-2014-0160) has received a significant amount of attention recently. While the discovered issue is specific to OpenSSL, many customers are wondering whether this affects Microsoft’s offerings, specifically Windows and IIS. Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability. Windows’ implementation of SSL/TLS was also not impacted.
We also want to assure our customers that default configurations of Windows do not include OpenSSL, and are not impacted by this vulnerability. Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.