Fail2ban Configuration for NGINX anomalies

Fail2ban is a really cool log analyzer (mostly) that can block IPs using several different methods (iptables, ipfw, ip route blackhole, etc.). The problem is that you have to define filters (regexes, in fact) that will trigger the ban for each service, because each one has a different way of reporting anomalies. There are not many examples on the official wiki, and on other websites I couldn’t find anything about nginx filters. Even worse, several websites report that you can use the filters defined for Apache2, which is false: they will NOT work, because the logs are very different.

For example, here is a trace for a request for a nonexistent resource:

2011/12/29 16:13:33 [error] 3212#0: *241787 open() "/opt/foo/default/admin/phpmyadmin/index.php" failed (2: No such file or directory), client: 58.19.239.205, server: , request: "GET //admin/phpmyadmin/index.php HTTP/1.1", host: "88.191.135.71"

So, to detect such a hacking attempt and block it, create a file named nginx-noscript.conf containing:

[Definition]
failregex = open\(\) "/\S*(\.php|\.asp|\.exe|\.pl)\S*" failed.*client: <HOST>,.*
ignoreregex =

Then reference it from an entry in /etc/fail2ban/jail.conf:

[nginx]
enabled = true
port = http,https
filter = nginx-noscript
logpath = /var/log/nginx*/*error.log
maxretry = 6

Here, if there are more than 6 occurrences of a failed 404 request in less than 600 seconds (the default value, modifiable with the ‘findtime’ variable), the IP will be added to the ban list.
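
Before enabling the jail, it helps to check what the filter actually matches. The following is an added example, not part of the original post or of Fail2ban: it runs the failregex above over constructed log lines and reports, per client, the peak number of matches inside one findtime window, the figure to compare with maxretry. The `<HOST>` tag is replaced by a simplified IPv4 group, and the function names and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# failregex copied from nginx-noscript.conf. <HOST> is swapped for a plain
# IPv4 group (assumption: fail2ban's own <HOST> expansion accepts more forms).
FAILREGEX = r'open\(\) "/\S*(\.php|\.asp|\.exe|\.pl)\S*" failed.*client: <HOST>,.*'
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))

def parse(line):
    """Return (timestamp, client IP) when the filter matches, else None."""
    m = PATTERN.search(line)
    if m is None:
        return None
    return datetime.strptime(line[:19], "%Y/%m/%d %H:%M:%S"), m.group("host")

def peak_failures(lines, findtime=600):
    """Per client, the most matches seen inside any findtime-second window."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed:
            hits[parsed[1]].append(parsed[0])
    peaks = {}
    for host, stamps in hits.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > findtime:
                start += 1
            best = max(best, end - start + 1)
        peaks[host] = best
    return peaks

def sample_log():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    nginx = ('2011/12/29 16:{:02d}:33 [error] 3212#0: *241787 open() "/opt/foo/default{}" '
             'failed (2: No such file or directory), client: {}, server: , '
             'request: "GET {} HTTP/1.1", host: "192.0.2.1"')
    lines = [nginx.format(m, "/admin/phpmyadmin/index.php", "198.51.100.7",
                          "/admin/phpmyadmin/index.php") for m in range(13, 20)]
    lines += [nginx.format(m, "/cgi-bin/test.pl", "203.0.113.5", "/cgi-bin/test.pl")
              for m in (10, 40)]
    lines.append(nginx.format(15, "/favicon.ico", "203.0.113.9", "/favicon.ico"))
    # Apache 2.2-style error line: a different layout, so the nginx filter ignores it
    lines.append("[Thu Dec 29 16:13:33 2011] [error] [client 203.0.113.9] "
                 "File does not exist: /var/www/admin/phpmyadmin/index.php")
    return lines

if __name__ == "__main__":
    for host, peak in sorted(peak_failures(sample_log()).items()):
        print(host, peak)
```

On a live system, the fail2ban-regex tool shipped with Fail2ban performs the same kind of check against the real log file and filter.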

New version of chess PGN to TeX to PDF converter

OK, I’m shameful. After fighting with Scid’s exporter, and then correcting bugs in pgn2ltx’s source, I finally decided to take a look at that PGN file format. And guess what? It’s already composed of FEN notation. And guess what? That super-über cool new skaknew module for LaTeX gets its input as FEN!!

Updated mate-in-one document, now includes chess coordinates

After a request to have coordinates on the board, to be able to write answers (a really nice idea, especially now that Ido is beginning to write), I noticed I couldn’t do it so easily, because the LaTeX module (chess12) didn’t support that. What a disappointment!

And the only way I had for converting from PGN to TeX was through Scid (still cool, still being developed), which only supports exports to TeX with the chess12 module. Fortunately, Dirk Baechle wrote a tool, pgn2ltx, to convert directly from PGN format to TeX. That tool, written in C++, hasn’t been updated since 2003, so after a small patch to the source, it worked!

And the best part is that it generates TeX files for the skak module, the best alternative to the old, dead chess12 module.

Auto-provisioning with Asterisk and ST2030 Technicolor/Thomson phones

An introduction to the ST2030

The ST2030 is one of the few SIP phones distributed by Thomson (now renamed Technicolor). In fact there are only 2 models: the ST2020, and the ST2030, and also a new one, the TB30, which is the successor to the ST2030. The ST2030 is supposed to have an End-of-Life set to the end of this year (2010), but I read that its EOL has been extended to the end of 2012.
In my personal experience, I think the ST2030 has the best price/features/quality ratio. It has features like:

  • PoE (Power over Ethernet).
  • Headphone plug with a button on the phone to pickup with the headphone (or if you have a compatible headphone, pickup directly with a button on the headphone).
  • XML based Directory support, that you can interface with a remote HTTP server.
  • 4 different lines/profiles (but not at the same time).
  • BLF (Busy Lamp Fields) to monitor the status of other people’s phones (whether they are using their phone, with even the possibility to intercept a call).
  • Full compatibility with Asterisk (tested on Asterisk 1.6+ and 1.8+).
  • Auto-provisioning with support for TFTP but also for HTTP/HTTPS, which simplifies quite a lot the provisioning configuration.

In this document, we’ll see the auto-provisioning process through DHCP+HTTP.

How to make the simplest unittests in Python

Testing your code is nearly a requirement (even more so in Ruby). Unittests are now the most vital elements for evaluating the quality/viability of a project.
I was a little jealous of Ruby where you don’t have so much to write to implement unittests. Here is a simple example:

require "mymodule"
require "test/unit"
 
class TestMyModule < Test::Unit::TestCase
 
  def test_simple
    assert_equal(1, 1)
  end
end

Now, using Nose, you can get even shorter code. If you do standard Python projects, you’ll use a setup.py file. To use nose, you do not even need to specify the path where to find the tests, just add two lines (tests_require and test_suite) to call nosetests:

from setuptools import setup, find_packages
import sys, os
import mymodule
 
version = mymodule.__version__
 
setup(name='myproject',
      version=version,
      description="Module to display blah blah blah.",
      long_description=""" """,
      classifiers=[], # Get strings from http://pypi.python.org/pypi?%3Aaction=list_classifiers
      keywords='mymodule foobar',
      author='Luc Stepniewski',
      author_email='[email protected]',
      url='',
      license='GPL',
      packages=find_packages(exclude=['ez_setup', 'examples', 'tests']),
      include_package_data=True,
      tests_require='nose',
      test_suite='nose.collector',
      zip_safe=False,
      install_requires=[
          # -*- Extra requirements: -*-
          'simplejson',
      ],
      entry_points="""
      # -*- Entry points: -*-
      [console_scripts]
      mymodule = mymodule.mainmodule:main
      """,
      )

Now, to add tests, you just have to create a directory named tests (in the root of your project, where your setup.py resides), and then add Python file(s) to it. No need to add an __init__.py to set the directory as a module. Now just add simple Python files, like my-tests.py:

import mymodule
 
class TestAstInfoCli(object):
    def setup(self):
        pass
 
    def teardown(self):
        pass
 
    def test_annuaire_inverse(self):
        assert 1 == 1

As you can see, no need to import anything for doing unittests, not even the standard python unittest module! That’s better than ruby! The downside of this is that nose is an ‘external’ package, so you’ll have to install it first (or set it as a dependency in your setup.py file, as shown above).

If you don’t use a setup.py, you can call nose directly from the command line, with ‘nosetests’.

Now, let’s find an equivalent to the really cool rspec ruby module!

Default behaviour in implementation of STOMP protocol in RabbitMQ with python

Why STOMP?

Why STOMP, and not AMQP directly, as I’m using RabbitMQ? No real reason, other than the fact that there are fewer dependencies on a STOMP client, as it’s just a socket with text sent.

Implementations

There are several implementations of the STOMP protocol for Python. The module I chose is python-stomp (version 0.2.9), from Benjamin W. Smith. It’s simple and easy to understand.

Simple Code Examples

sto_send.py:

from stompy.simple import Client
 
stomp = Client(host='rabbitmq2')
stomp.connect(username='guest',password='noneofyourbusiness')
stomp.put('Thomas est une b*te à Tetris...', destination='/queue/jeuvideo')
stomp.disconnect()

sto_receive.py:

from stompy.simple import Client
 
stomp = Client(host='rabbitmq2')
stomp.connect(username='guest',password='noneofyourbusiness')
stomp.subscribe('/queue/jeuvideo')
message = stomp.get()
 
print(message.body)
 
#stomp.ack(message)
stomp.unsubscribe('/queue/jeuvideo')
stomp.disconnect()

Everything is working fine: when launching sto_receive.py, I receive the message. But when I launched several receivers, I noticed that ONLY ONE program received the message! After some research, I found the answer: as documented in the RabbitMQ wiki, the default exchange is ‘direct’:

[...]when messages leave a queue for a consumer, they are not duplicated. One message, sitting on a queue, is delivered to only one of the available consumers. [...] If there are multiple clients, all SUBSCRIBEing to the same queue, then there will be multiple consumers all on the same queue, leading to round-robin delivery to those clients.

There is an explanation on how to change the behaviour, by changing the exchange type and some particular bits (like the id). I even found an example of modification for use in the equivalent STOMP Ruby module.

Here are the modifications. The good news is that there is no need to patch the stompy module, as the author provided the possibility to pass arbitrary parameters to the headers by the use of the ‘conf’ variable.

The important points are:

  • You need to define an exchange of type amq.topic
  • You need to set an id, which is different for each client
  • As you’re using topics, you’ll have to specify a routing_key

sto_receive.py:

from stompy.simple import Client
import uuid
 
unique_id = uuid.uuid4()
 
stomp = Client(host='rabbitmq2')
stomp.connect(username='guest',password='nonononono')
 
stomp.subscribe('',
                conf={'exchange': 'amq.topic',
                      'routing_key':'x.#',
                      'id': unique_id,
                      })
 
# Wait for a message to appear
while 1:
    message = stomp.get()
    print(message.body)
 
#stomp.ack(message)
stomp.unsubscribe('',conf={'id': unique_id})
stomp.disconnect()

sto_send.py:

from stompy.simple import Client
 
 
 
stomp = Client(host='rabbitmq2')
stomp.connect(username='guest',password='nonononono')
 
 
for i in range(10000):
    stomp.put('Thomas est une b*te au Tetris...', destination='x.y',
              conf={'exchange':'amq.topic',
                    #  'routing_key':'x.y'
                    })
 
stomp.disconnect()
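
The difference between the two setups can be seen without a broker. The following is an added example, not code from the original post, from stompy or from RabbitMQ: an in-memory model in which three consumers share one queue (round-robin delivery) and three subscribers each bind with their own id to the topic exchange using the 'x.#' binding from above. The class and function names are assumptions, and the topic matcher covers the general AMQP rule ('*' is one word, '#' is zero or more), which goes beyond the single binding used in the post.

```python
def topic_matches(binding, routing_key):
    """AMQP topic rule: '*' matches one word, '#' matches zero or more words."""
    def walk(b, k):
        if not b:
            return not k
        if b[0] == "#":
            return any(walk(b[1:], k[i:]) for i in range(len(k) + 1))
        return bool(k) and b[0] in ("*", k[0]) and walk(b[1:], k[1:])
    return walk(binding.split("."), routing_key.split("."))

class ModelBroker:
    """In-memory stand-in for the broker; it only models who receives what."""
    def __init__(self):
        self.queue_consumers = {}   # queue name -> inboxes sharing that queue
        self.next_consumer = {}     # queue name -> round-robin position
        self.topic_bindings = {}    # subscription id -> (binding, private inbox)

    def subscribe_queue(self, queue):
        inbox = []
        self.queue_consumers.setdefault(queue, []).append(inbox)
        return inbox

    def subscribe_topic(self, sub_id, binding):
        inbox = []
        self.topic_bindings[sub_id] = (binding, inbox)
        return inbox

    def send_queue(self, queue, body):
        consumers = self.queue_consumers[queue]
        turn = self.next_consumer.get(queue, 0)
        consumers[turn % len(consumers)].append(body)   # one consumer only
        self.next_consumer[queue] = turn + 1

    def send_topic(self, routing_key, body):
        for binding, inbox in self.topic_bindings.values():
            if topic_matches(binding, routing_key):
                inbox.append(body)                      # every matching subscriber

def demo():
    """Send 6 messages both ways; return messages received per consumer."""
    broker = ModelBroker()
    shared = [broker.subscribe_queue("/queue/jeuvideo") for _ in range(3)]
    private = [broker.subscribe_topic("client-%d" % n, "x.#") for n in range(3)]
    for n in range(6):
        broker.send_queue("/queue/jeuvideo", "msg %d" % n)
        broker.send_topic("x.y", "msg %d" % n)
    return [len(i) for i in shared], [len(i) for i in private]

if __name__ == "__main__":
    print(demo())
```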

Puppet: Files found in modules without specifying ‘modules’ in file path will be deprecated in the next major release

DEPRECATION NOTICE: Files found in modules without specifying ‘modules’ in file path will be deprecated in the next major release.

If you get this warning in your puppet logs, you should take action (only if you don’t have any Puppet agent with a version <= 0.24) and modify all your references to file resources.
For example, if you have a module named 'ssh', normally, up to puppet 0.25, you would reference a file in it as:

source => ["puppet:///ssh/authorized_keys",]

But now, you need to insert a ‘modules’ identifier in between, like this:

source => ["puppet:///modules/ssh/authorized_keys",]

Just a small note: It seems that the templates do not need any modification.

Where do I find pngout for Linux?

I just found a nice comparison chart of different compression programs for PNG images (optimizations). It seems that PNGout is the best of the best :-) On the author’s website, there’s only a Windows version. The link to the Linux version gets redirected to a gtagaming website?!
After asking the great oracle Google where I could find a version for Linux, he replied that I could find it on JonoF’s website.

New chess website for Chess education/promotion

BNP Paribas, in association with the FIDE, created a new, nicely done website (in French only). The goal of this website is to show the usefulness of chess to parents, teachers and schools. Children will also be happy to consult this website: there are cool games, and even a quiz where one can win a sort of printable “diploma”. A really nice initiative.

Asterisk: DAHDI module not working when using Xen

If you want to use any Asterisk module that needs a timer, like MeetMe, you have to use a module named dahdi (previously named zaptel). DAHDI has one module for each Digium supported card (B410P), and a dummy module (named dahdi_dummy) if you don’t have a hardware card, like me.

The problem appears when you run your Asterisk in a Xen environment. Xen does not allow the use of the RTC, so when using DAHDI/MeetMe, you get the following in your logs:

res_timing_dahdi.c: Asterisk has detected a problem with your DAHDI configuration and will shutdown for your protection.

So get the sources, and let’s patch it!

svn co http://svn.digium.com/svn/dahdi/linux-complete/trunk DAHDI

In dahdi_dummy.c, you’ll have to comment out the two USE_RTC defines, as you can’t use the RTC in Xen:

# diff -u dahdi_dummy.c.ori dahdi_dummy.c
--- dahdi_dummy.c.ori	2009-03-23 09:50:36.000000000 +0000
+++ dahdi_dummy.c	2009-03-23 08:55:38.000000000 +0000
@@ -59,11 +59,11 @@
 #if defined(CONFIG_HIGH_RES_TIMERS) && LINUX_VERSION_CODE >= VERSION_CODE(2,6,22)
 #define USE_HIGHRESTIMER
 #else
-#define USE_RTC
+//#define USE_RTC
 #endif
 #else
 #if 0
-#define USE_RTC
+//#define USE_RTC
 #endif
 #endif
 #endif
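
Review bot: The second change, to the `#define USE_RTC` inside `#if 0`, has no effect because that block is never compiled, so it can be dropped from the patch. The first change leaves the `#else` branch of the `CONFIG_HIGH_RES_TIMERS` / `VERSION_CODE(2,6,22)` check empty, so a kernel that fails that check ends up with neither USE_HIGHRESTIMER nor USE_RTC defined; what the module falls back to in that case is not visible in this hunk and should be stated alongside the patch. Rather than disabling the define with a `//` comment, consider guarding it with a build-time option so non-Xen builds keep the RTC path, and remove the line outright instead of leaving a commented-out define.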

Then compile the module, as usual, with:

/etc/init.d/dahdi stop
make all
make install
make config

Verify that your module has been correctly installed:

ls -al ./2.6.24-19-xen/dahdi/dahdi_dummy.ko

Comment out all the defined modules in the /etc/dahdi/modules file.

/etc/init.d/dahdi start
# dmesg
[1007539.576458] dahdi: Telephony Interface Registered on major 196
[1007539.576468] dahdi: Version: SVN-trunk-r6201M
[1007540.642839] dahdi: Registered tone zone 2 (France)