AdvisorBits

I was very jazzed when I realized that I could answer my friend's question with a GNU (GNU's Not Unix see: http://www.gnu.org) answer. What is so utterly cool about this factoid is that he uses an Apple. OS X is a BSD dirivative, which gives it most of the tools that make *nix such a powerful platform. And oh yea, this trick works on Windows too! I am so happy to see a single simple program that will work on all the PC platforms I know anything about. That's real platform independence and it is good for users.

The question was, "How do I mirror a web site easily, if I do not have FTP access to the files?" The answer is really quite simple.

So I finally got around to an install of RH9. There was a glitch at the end of the first disk and the install died. When I rebooted, I had enough of an install complete that it booted and most services started. I had half a mind to see what would happen if I launched KDE.

Fortunately it was the half that doesn't stay focused on one thing for long, and I rebooted to the installation.

The install started again, but once I made all the basic selections (keyboard, mouse, time zone, etc) and the package selection (um, just upgrade whatever you recognize and leave the rest alone) I was able to upgrade the only redhat installation left on my hard disk, the one that just failed.

And it worked. The install skipped to where it died, installed the rest of the RPMS and everything came back fine.

Except Apache. Sometime between 7.2 and 9 RedHat updated the world's most popular web server from 1.3.27 to 2.0.40 and that played hell with the mod_perl application I am working on here. I got Apache upgraded and running and then it turns out my handler needs upgrading too.

For most users this shouldn't present as much of and issue as I think relatively few people write thier own mod_perl handlers. And those that do are probably more aware of these kinds of changes than I was.

I need a compiler to install some perl modules. (???) So I start...

[root@NewShoebox i386]# rpm -Uvh gcc-3.2.2-5.i386.rpm
error: Failed dependencies:
binutils >= 2.12.90.0.7-1 is needed by gcc-3.2.2-5
cpp = 3.2.2-5 is needed by gcc-3.2.2-5
glibc-devel >= 2.2.90-12 is needed by gcc-3.2.2-5
[root@NewShoebox i386]# rpm -Uvh glibc-devel-2.3.2-27.9.7.i386.rpm
error: Failed dependencies:
kernel-headers is needed by glibc-devel-2.3.2-27.9.7
kernel-headers >= 2.2.1 is needed by glibc-devel-2.3.2-27.9.7
[root@NewShoebox i386]# rpm -Uvh kernel-source-2.4.20-31.9.progeny.5.i386.rpm
error: Failed dependencies:
gcc >= 2.96-98 is needed by kernel-source-2.4.20-31.9.progeny.5
[root@NewShoebox i386]#

Now what?
There's no "kernel-headers" package anymore with RH9, the kernel headers for building the kernel come with the kernel-source package. But I can't install that without gcc. Actually forcing the issue won't fix my problem, because glibc-devel doesn't understand the kernel headers are installed if one forces the issue with the kernel source package. rpm -Uvh --no-deps kernel-source...

Doesn't do it.

The answer is glibc-kernheaders package. (Of course, why didn't I think of that?) Everything will work neatly.

I am a little embarrassed to report I discovered this via the RedHat Install/Upgrade program on the original media... I conveniently used this method to install the packages I really missed, and which program being smarter than I am, knew about the kernheaders thing.

SANS Institute Free Webcast: Honeypots

Today I listened to this live webcast by Lance Spitzner, founder of the Honeynet Project. I've read a lot of Lance's stuff before so it was kind of exciting to hear him speak, in a really geeky sort of way.

You'll have to register to hear the webcast, registration is free. Spitzner has an interesting background, and I'm always interested to hear the military style tactical assessments of IT security incidents. According to his bio at http://www.spitzner.net/ he sounds a little like me, now...

"Lance Spitzner enjoys learning by blowing up his Unix systems at home. Before this, he was in the Army where he blew up things of a different nature."

(I was never in the Army but my Dad was, so I think I understand what he means there too. Artillery.)

I was pleased when I knew what they were talking about when they discussed tarpits. Its also really great to hear him talk about honeypots and honeynets because he's such a passionate advocate of the technology. I won't bother you with the details of what a honeypot is, this post isn't really about that.

If you're technically inclined and want to know, the webcast is archived and well worth about an hour's listening to get a thorough introduction to the technology and some Open Source implementations.

If you're not technically inclined, imagine a computer on the network that is designed to catch unauthorized users, sort of like when Winnie the Pooh gets his head stuck in a HONEY POT.

In my last post I mentioned a webcast about honeynets and honeypots by Lance Spitzner. Last week he posted a short report titled "Know Your Enemy: Trend Analysis" which is an analysis of data collected by the Honey Net Project. (It is one answer to the question, "what does one do with a Honeypot?")

http://www.honeynet.org/papers/trends/life-linux.pdf

The report says that some unpatched Linux machines remained on the Internet uncompromised for up to three months. This is considerably longer than I would have predicted.

I have been looking for a new Linux distrubution ever since I figured out that "Enterprise" is corporate speak for "Give me all your money". (See Understanding RedHat's Strategy.) My primary business applcation only supports a few different Linux distros, so my choices are limited. The other day I was abruptly made aware of another contender I had better take seriously, Trustix.

I have to take this distribution seriously because the company that owns Trustix just bought the company that makes my business application. http://www.comodogroup.com/news/press_releases/24_01_05.html

The ncurses based install was pretty easy. It allowed me to set everything up on raid partions. There was an option for minimal install which was pretty darn minimal. (This is a good thing by me.)

The installation did not leave any services listening on network interfaces. This is great because it saves me the time of shutting down all the ones I don't need. This install was so locked down, I had to turn on sshd to get to the box from my desk. I am very impressed by this.

And thank goodness, there wasn't one silly question about X Windows. As they say in the literature, Trustix is built for servers.

I did have a hard time finding out what the difference between the free version (www.trustix.org) and the commercial version (www.trustix.com) is. I will write a future article on the specific technical differences. I have installed the free version at my office, but have also purchased and downloaded the commercial version for deploying on a new server.

For now it appears the free version will continue to be supported for 2.5 years from its realease earlier this month. They are both made by the same people. Given my first impressions and the fact that I can get an entry level commercial license for about $150 per year, it seems like a good value. Trustix.com does more expensive licensing options available with addtional support and services for those who want that.

I hope it holds up to its first impression.

I have recently installed both TSL 2.2 (Sunchild) and TSEL (release 2) so I am no expert, but there don't seem to be a lot of big differences, except for the no fee license distribution has a far spiffier release code name.

Sunchild. I just have to like something at least a little if it is called Sunchild. Not sure why, just but it just seems a happy name.

Both distributions use RPM packages to manage software, and the patch level revisions are a little higher (more recent) in the TSL (Sunchild) distribution. Those Debian users who are used to and like apt and friends will like the way swup, the Trustix SoftWare UPdater, handles RPM dependancies automatically.

RedHat users like myself will like some of the built in search and testing features of swup. It automatically gets and installs all the required RPMs to satisfy any package you ask to install. (I get so tired of RPM error messages.) Once you've used swup to put together your Trustix server, systems admins can easily keep either Trustix disro fully up-to-date with a simple swup --upgrade

I haven't found all of the support resources yet. It appears, from this early vantage, that this distribution like some others I have used has that "Unix is user friendly, its just choosy about it friends" attitude. There is a mailing list for TSL, and some largely unused forums for the TSEL distro. (Why does everyone seem to want to use those ucky forums to support their products? What is wrong with mailing lists?) Otherwise you call England for phone support on a pay per minute basis I think.

As a RedHat guy for many years, I am pretty familiar with the layout so support in that sense isn't a big issue for me. I know where chkconfig is and what service does. Converts from other Linuxes converts may need more support. I bought the entry level commercial license to TSEL and I was a bit dissapointed in the support that comes with that. If I had shelled out more bucks, there were other support options.

The main thing I need is committment to provide updates on a timely basis to patch against emergent issues.

Also from my RedHat administrator perspective, Trustix installs a lot (REALLY!) less cruft. This is important to businesses. We spend time every day updating out networks and computers. Time is money, and I don't want to pay for updating software I don't use, or worse yet for software I don't use, but can't uninstall because of some obscure interdepedancies that I can't resolve.

There are no regular network services setup to listen on the network by default. The base install doesn't start sshd, or put it into any init scripts. I had several extra trips up and down the stairs to the basement before I remembered to set sshd to start on boot.

One thing I wish they had also borrowed from RedHat is to include iptables in the base install. It's not, and this may be the reason it doesn't restart with the network. Both of these firewall features seem to me like perhaps they should be included in a secure distribution.

Finally for those of you who care about these things, a few version numbers:

• Kernel 2.4.28
• GCC 3.3.3
• OpenSSH 3.8.0p1
• Apache 2.0.52
• MySQL 4.0.21
• Postfix 2.0.18
• Bind 9.2.3

Only the kernel, postifx and OpenSSH are installed as a part of the base install.

Other related AdvisorBits entries:

Our memories of Picasso
Trustix gives a good first impression

Debian released Sarge as "stable" yesterday, June 6th. This is good news for fans of free Linux distributions, its been three years in the making and some of us have wandered off to other distros while we were waiting. I hope PSoft jumps on the bandwagon to support this distro. I like the idea that Trustix would have competition, and I would have a choice between a couple of distros I feel an affinity for. I don't count RedHat because of previous disappointments, this leaves out CentOS and [shudder] Fedora Core too.

http://www.debian.org/releases/stable/
http://www.debian.org/News/2005/20050606
(Credit to goes to LadyLinux for pointing this out.)

In related news a whole bunch of "really smart people" have figured out that Windows actually costs less than Linux. I notice that the really smart people in this case all seem to be paid by Microsoft, and I wonder if it is a coincidence.

I read another important bit of history the other day. I have written before of the Open Source movement, and a variety of open source tools. Many of these tools I have mentioned, such as GIMP and GRUB are part of the GNU project, primarily sponsored by the Free Software Foundation. It would be fair to call theses tools "Free Software" as much as it would be to classify them as "Open Source".

The other day, I read a biography of RMS by Sam Williams entitled Free as in Freedom: Richard Stallman's Crusade for Free Software. This book is available through the publisher O'Reilly, and also released under the GNU Free Documentation License.

I thought the book was interesting for two reasons. It brought some of the distinctions between the advocacy of RMS leader of the Free Software movement, and that of Eric Raymond, who has become one of the leading advocates of the term "Open Source" in place of "Free Software". To put it in a nutshell, which is arguably where both of these heroes of mine belong, RMS demands source code for political reasons, while ESR demands the same in the name of improving the quality. I think that is in essence a business argument.

A lot of times in this space, you'll find me rambling on about Linux servers and other cool open source stuff that I use. I like typing commands and geeky stuff like that, but I know most people don't. This post is a pointer for the average user who interacts with a desktop computer and is more comfortable in a graphical (point and click) environment.

Ubuntu is free (available without cost also) distribution of GNU/Linux with the GNOME desktop environment tightly integrated. According to the project home page:

"Ubuntu" is an ancient African word, meaning "humanity to others". Ubuntu also means "I am what I am because of who we all are". The Ubuntu Linux distribution brings the spirit of Ubuntu to the software world.

If you look very closely, you'll notice I've updated the name of the GNU/Linux category. This came about after I recently went with my friend Eric Sundwall to see Richard Stallman speak about Free Software at Williams College. Actually that was a couple of weeks ago, but the very cool SBS Diva got the meaning of free all wrong in her funny diatribe about the "Religious Wars", and the whole thing stuck me as cosmically comic.

Stallman is actually a bit of a religious figure, as well as being an critical contributor to the tools so many of us (RMS would have us call it GNU/Linux) call simply Linux. And to carry the whole metaphor a bit further, one might bring up the question of whether Stallman is the last of the Cathedral Builders. Levy called him the last Hacker, but as Raymond more specifically describes his historical role in the The Cathedral and the Bazaar:

Indeed, for more than a decade after its founding RMS's Free Software Foundation would largely define the public ideology of the hacker culture, and Stallman himself would be the only credible claimant to leadership of the tribe.

So, when we speak of Free Software we are talking about about ideology, and the word free refers to Freedom, not cost. Stallman defines the four requirements for software to meet the definition of Free Software:

• The freedom to run the program, for any purpose (freedom 0).
• The freedom to study how the program works, and adapt it to your needs (freedom 1). Access to the source code is a precondition for this.
• The freedom to redistribute copies so you can help your neighbor (freedom 2).
• The freedom to improve the program, and release your improvements to the public, so that the whole community benefits (freedom 3). Access to the source code is a precondition for this.

While they may sound a bit idealistic, those freedoms actually grant me much more as a business owner than some more popular and widely deployed software which I cannot look at the code in order to know what it does. As a consultant, I am specifically in the business of helping my neighbor, so freedom 2 is significant to me. Make no mistake, Free Software like the Apache web server does exist and it does play a big part in today's Internetworked world.

I recently decided to install a new operating system on a server that has been running for about 2 years. I have had a few problems with bad discs; but I put that down to a bad shipment, because some from the same batch failed in another location too. They have all been replaced for about a year now.

When I tried to install, I got an error and was unable to complete the installation. The screen was a little garbled, but I saw words (signal 11) which subsequently lead me to believe this was a memory error. I fiddled around a bit, and on the 4th try I was able to get a basic operating system installed and running. And so I went off to find a program to check the memory for me.

What I found was Memtest86+ a "Stand-alone Memory Diagnostic" developed by Chris Brady, released under the GNU public license. Since it is a stand alone program, it doesn't run under Linux or Windows, or DOS. (Although the release notes mention the bootstrap does come from a Linux Kernel) You boot your computer to the program and it runs patterns through all your memory repetitively to look for errors. It will keep running forever, but the web site indicates one pass through all the tests should catch most errors.

There are instructions on how to make a boot disk under Windows and Linux, although under Linux, this wasn't necessary for me, I added the image to grub and rebooted. So far, it has made one successful pass, but I think I will let it run through a few more times just to be sure.

One thing that is key to make a web services business successful is to have the service up all the time. For almost as many years as I have run my web hosting business, I have relied on Big Sister to monitor my network performance and some specific metrics and to notify me of problems when they arise. I recently switched to the Trustix Linux Sunchild distribution, and I had problems getting Big Sister setup there. On top of Trustix, I run hosting management software called H-Shpere which has some components with which I am not as familiar as I would like.

As I worked through the installation, I ran into and solved a couple of different problems which mostly related to the constraints I mentioned above. In the rest of this post I will provide a series of instructions that a systems administrator can use as a starting point to setup Big Sister, more or less out-of-the-box, to monitor their own cluster of H-Sphere servers. Once you have finished these instructions, you will still want to learn much more about monitoring so you can adjust and refine the scenario described here to meet your own needs.

Big Sister Screen monitor home

To verify the information for this post, I did another install on a fresh Trustix "server", which was setup using the "minimal" option. If you are interested, I was able to make it run on a Pentium or Pentium 2 with 64MB of RAM. Maybe if you monitor a whole bunch of servers then you will need to get a bigger display server; I'm not there yet.

Thanks

Thanks to Thomas Aeby for writing Big Sister and also to Joerg Fritsch for managing the Big Sister documentation project which had some bits which were helpful in completing my setup and this post.

Fine Print

You should understand the steps I describe before wildly following my instructions because if some of your training wheels fall off in the process, I assume no responsibility for any slips or falls you may take. (On the other hand, if you impress your boss, you can take the credit too!)

I am working on a couple of small new things right now, but the one that actually interests me the the most at the moment is the conversion of a couple friends to Linux from Windows. This started with my wife's Windows computer going belly-up, and all I had was an old Dell with Ubuntu on it that I was playing around with.

I gave it to her to use, and she didn't complain. So I left it there. She uses Open Office Writer and Calc with no problem. She used Firefox on Windows, so that's no big deal. She barely notices the lack of an Exchange server now that she has migrated from Outlook to Evolution .

And believe me, I feel pretty silly now that I have my own private Exchange server. (At least she still uses the Windows file services there, and the HP network printer was no problem either.)

Now I am working with my friend Brenda long distance to get her computer in VA up and running, and connected to DirectWay, Hughes Net's residential offering. I'll let you know how that works out.

Christian Seifert has investigated a series of on-going attempts to login to Unix servers on the Internet, and he has publish the report entitled Analyzing malicious SSH login attempts at Security Focus.

This caught my eye because I have recently seen evidence of this that I do not ordinarily see. Not only that but since I was on vacation, the person keeping an eye on things saw it too. There is nothing earth shattering about the techniques described in the report, but the analysis and narrative of the investigation was very interesting to me as a systems administrator.

I mentioned my friend Brenda, a fairly courageous computer user to begin with, was getting started with Ubuntu. In about 45 minutes on the phone one Saturday, we installed the operating system on a clean hard drive we had purchased for her the last time I visited.

She doesn't have the nice easy HughesNet device with an Ethernet interface yet, so she ran into problems setting up networking. We expect them to ship the new device any day now, she seems pretty excited.

I am not planning to do anything until I get the Hughes modem......I don't want to mess up the ubuntu! At some point I will go ahead and explore the dialup connection but right now I'll just keep everything just as it is.

John, this looks like it is going to have or can add everything I need...

The other day William Favorite posted a great description of what a SAN or Storage Area Network is. He posted this to the Albany NY Capital District Linux Users Group (CDLUG) mailing list.

If you get a chance to visit Favorite's web site, be sure to check out his beautiful collection of historical maps shown with their modern Google maps counterparts.

Mom told me, “If you can't say something nice don't say anything at all.” Well, that about sums up January this year.

HOW TO: “Orton Imagery” translated for GIMP

To get February off on the right foot, I thought I would show you a new photomanipulation technique, and give instructions for achieving the technique with the GIMP. This technique is named after a Canadian photographer named Michael Orton. I have just become aware of his work and I like it a lot. Some of his work with long exposures is very nice, and it reminds me of a couple of mine. (His timed exposures are of water and such, and mine of dogs, but never-the-less...)

I found out about Michael Orton from an article by Darwin Wiggett on Nature Photographers on-line magazine. It is instructions for Photoshop in that article that I am translating to GIMP.

I have never really used Flash for anything. My attitudes and knowledge of it all stem from experiences gained around 2000. When I read Dan Webb's post about how he was going to start to learn more about the newer versions of Flash, I had a kind of smart-aleck response: Ya sure, if it runs under X Windows on Linux.

But Dan has a lot of comments on this post.

The comments point out that these things are never as black and white as that. Theres a lot more to this subject that I don't know about and his commenters provided even more links to read. They definitely add to the value of Dan's content.

I regularly encourage new bloggers to encourage comments, and respond to comments. I encourage readers to make comments where they feel they can add to the discussion.

Pandora's box is open.

Bridges have been burned.

Things will never be the same.

Its the first day of the rest of our lives.

Insert silly metaphor here.

Anil Dash said

As of today, and forever forward, Movable Type is open source. This means you can freely modify, redistribute, and use Movable Type for any purpose you choose.

Sure enough there's a GNU license in the Nightly Build.

And I am very pleased.

Tim (we didn't write the book on MT, just the manual) Appnel wrote to the MTOS mailing list, ostensibly addressing reasons for using CPAN modules in place of MT code that replicates pre-existing CPAN mods. He made a technical point, but I think this point is so much more important, I have quoted it. I removed the parts where he was being diplomatic and stating that this is his opinion.

He's right, so he needn't be self-deprecating.

Another [reason to use CPAN mods in certain instances] is in better embracing open source. [...] Releasing MT under the GPL is a good first step, but there is still a certain level of mistrust (I'm not suggesting that its founded or not) nor are open source developers knock[ing] down the MTOS doors to contribute. Drawing in developers from other communities with some of the tools they are already familiar with and using would [...] contribute to generating more interest and breaking done the walls that [...] surround MT.

Conversely taking parts of MT that don't exist in the Perl/CPAN world (the template engine, registry, Promise, FileMgr ) and breaking them off as their own standalone library would have a similar effect [...] . Developers are more likely to write MT like apps that borrow from how it works indirectly learning about MT and perhaps contributing back to its development. Doing both of these clearly demonstrate that Six Apart is serious about MT as open source software and that there is something to gain by contributing.