Posts by Lior Gradstein
Fail2ban Configuration for NGINX anomalies
Fail2ban is a really cool log analyzer (mostly) that can block IPs using several different methods (iptables, ipfw, ip route blackhole, etc.). The problem is that you have to define filters (regexes, in fact) that trigger the ban for each service, because each one reports anomalies in a different way. The official wiki does not give many examples. On other websites I couldn’t find anything about nginx filters. Even worse, several websites report that you can use the filters defined for Apache2, which is false: they will NOT work, because the logs are very different.
For example, here is a trace for a request for a nonexistent resource:
2011/12/29 16:13:33 [error] 3212#0: *241787 open() "/opt/foo/default/admin/phpmyadmin/index.php" failed (2: No such file or directory), client: 58.19.239.205, server: , request: "GET //admin/phpmyadmin/index.php HTTP/1.1", host: "88.191.135.71"
So, to detect such a hacking attempt and block it, create a file named nginx-noscript.conf, and put:
    [Definition]
    failregex = open\(\) "/\S*(\.php|\.asp|\.exe|\.pl)\S*" failed.*client: <HOST>,.*
    ignoreregex =
Then, add its definition in an entry in the /etc/fail2ban/jail.conf:
    [nginx]
    enabled = true
    port = http,https
    filter = nginx-noscript
    logpath = /var/log/nginx*/*error.log
    maxretry = 6
Here, if there are more than 6 occurrences of a failed 404 request in less than 600 seconds (the default value, modifiable with the ‘findtime’ variable), the IP will be added to the ban list.
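To see what this filter and jail catch before enabling them, the following added example (not part of the original post) replays error-log lines through the same failregex with a sliding findtime window. The names match_host, banned_hosts, log_line and SAMPLE are hypothetical, the IPv4-only group is a simplified stand-in for fail2ban's own <HOST> expansion, and the sample lines are constructed with documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex copied from nginx-noscript.conf above. fail2ban expands <HOST>
# itself; the IPv4-only group below is a simplified stand-in (assumption).
FAILREGEX = r'open\(\) "/\S*(\.php|\.asp|\.exe|\.pl)\S*" failed.*client: <HOST>,.*'
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
MAXRETRY, FINDTIME = 6, timedelta(seconds=600)  # values from the [nginx] jail

def match_host(line):
    """Return the client address if the line matches the filter, else None."""
    m = PATTERN.search(line)
    return m.group("host") if m else None

def banned_hosts(lines):
    """Replay error-log lines; return hosts reaching MAXRETRY within FINDTIME."""
    recent, banned = defaultdict(deque), set()
    for line in lines:
        host = match_host(line)
        if host is None:
            continue
        ts = datetime.strptime(line[:19], "%Y/%m/%d %H:%M:%S")
        hits = recent[host]
        hits.append(ts)
        while ts - hits[0] > FINDTIME:   # drop hits older than the window
            hits.popleft()
        if len(hits) >= MAXRETRY:        # ban once the count reaches maxretry
            banned.add(host)
    return banned

def log_line(ts, path, client):
    """Build a constructed line in the nginx error-log format quoted above."""
    return (f'{ts} [error] 3212#0: *1 open() "/opt/foo/default{path}" failed '
            f'(2: No such file or directory), client: {client}, server: , '
            f'request: "GET {path} HTTP/1.1", host: "example.test"')

SAMPLE = (  # constructed traffic, documentation addresses only
    # 7 probes in 7 seconds: banned
    [log_line(f"2011/12/29 16:13:3{i}", "/admin/phpmyadmin/index.php", "203.0.113.7") for i in range(7)]
    # same kind of probe every 3 minutes: never 6 hits inside 600 s
    + [log_line(f"2011/12/29 17:{3 * i:02d}:00", "/setup.php", "198.51.100.9") for i in range(7)]
    # missing image: does not match the filter at all
    + [log_line(f"2011/12/29 18:00:0{i}", "/favicon.ico", "192.0.2.10") for i in range(7)]
    # false positive: ".pl" also matches inside "jquery.placeholder.js"
    + [log_line(f"2011/12/29 19:00:0{i}", "/js/jquery.placeholder.js", "192.0.2.44") for i in range(7)]
)

print(sorted(banned_hosts(SAMPLE)))
```

The last sample group shows that `\.pl` followed by `\S*` also matches file names such as jquery.placeholder.js, so a legitimate client requesting a missing static file can be counted; check your own 404s against the filter before enabling the jail.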
New version of chess PGN to TeX to PDF converter
OK, I’m shameful. After fighting with Scid’s exporter, and then correcting bugs in pgn2ltx’s source, I finally decided to take a look at that PGN file format. And guess what? It’s already composed of FEN notation. And guess what? That super-über cool new skaknew module for LaTeX gets its input as FEN!!
Updated mate-in-one document, now includes chess coordinates
After a request to have coordinates on the board, to be able to write answers (a really nice idea, especially that Ido begins writing), I noticed I couldn’t do it so easily, because the LaTeX module (chess12) didn’t support that. What a disappointment!
And the only way I had for converting from PGN to TeX was through Scid (still cool, still being developed), but supporting only exports to TeX with chess12 module. Fortunately, Dirk Baechle wrote a tool to convert directly from PGN format to TeX, using his tool pgn2ltx. That tool, written in C++ hasn’t been updated since 2003, so after a small patch to the source, it worked!
And the best part, is that it generates TeX files for the skak module, the best alternative to the old, dead chess12 module.
Auto-provisioning with Asterisk and ST2030 Technicolor/Thomson phones
An introduction to the ST2030
The ST2030 is one of the few SIP phones distributed by Thomson (now renamed Technicolor). In fact there are only 2 models: the ST2020 and the ST2030, plus a new one, the TB30, which is the successor to the ST2030. The ST2030 is supposed to have an End-of-Life set to the end of this year (2010), but I read that its EOL has been extended to the end of 2012.
In my personal experience, I think the ST2030 has the best price/features/quality ratio. It has features like:
- PoE (Power over Ethernet).
- Headphone plug with a button on the phone to pick up with the headphone (or, if you have a compatible headphone, pick up directly with a button on the headphone).
- XML-based Directory support that you can interface with a remote HTTP server.
- 4 different lines/profiles (but not at the same time).
- BLF (Busy Lamp Fields) to monitor the status of other phones (whether they are in use, with even the possibility of intercepting a call).
- Full compatibility with Asterisk (tested on Asterisk 1.6+ and 1.8+).
- Auto-provisioning with support for TFTP but also for HTTP/HTTPS, which simplifies the provisioning configuration quite a lot.
In this document, we’ll see the auto-provisioning process through DHCP+HTTP.
How to make the simplest unittests in Python
Testing your code is nearly a requirement (even more so in Ruby). Unittests are now the most vital elements for evaluating the quality/viability of a project.
I was a little jealous of Ruby where you don’t have so much to write to implement unittests. Here is a simple example:
    require "mymodule"
    require "test/unit"

    class TestMyModule < Test::Unit::TestCase
      def test_simple
        assert_equal(1, 1)
      end
    end
Now, using Nose, you can get even shorter code. If you do standard Python projects, you’ll use a setup.py file. To use nose, you do not even need to specify the path where to find the tests, just add two lines (tests_require and test_suite) to call nosetests:
    from setuptools import setup, find_packages
    import sys, os
    import mymodule

    version = mymodule.__version__

    setup(name='myproject',
          version=version,
          description="Module to display blah blah blah.",
          long_description=""" """,
          classifiers=[], # Get strings from http://pypi.python.org/pypi?%3Aaction=list_classifiers
          keywords='mymodule foobar',
          author='Luc Stepniewski',
          author_email='[email protected]',
          url='',
          license='GPL',
          packages=find_packages(exclude=['ez_setup', 'examples', 'tests']),
          include_package_data=True,
          tests_require='nose',
          test_suite='nose.collector',
          zip_safe=False,
          install_requires=[
              # -*- Extra requirements: -*-
              'simplejson',
          ],
          entry_points="""
          # -*- Entry points: -*-
          [console_scripts]
          mymodule = mymodule.mainmodule:main
          """,
          )
Now, to add tests, you just have to create a directory named tests (in the root of your project, where your setup.py resides), and then add Python file(s). No need to add an __init__.py to set the directory as a module. Now just add simple Python files, like my-tests.py:
    import mymodule

    class TestAstInfoCli(object):
        def setup(self):
            pass

        def teardown(self):
            pass

        def test_annuaire_inverse(self):
            assert 1 == 1
As you can see, no need to import anything for doing unittests, not even the standard Python unittest module! That’s better than Ruby! The downside of this is that nose is an ‘external’ package, so you’ll have to install it first (or set it as a dependency in your setup.py file, as shown above).
If you don’t use a setup.py, you can call nose directly from the command line, with ‘nosetests’.
Now, let’s find an equivalent to the really cool rspec ruby module!
Asterisk: DAHDI module not working when using Xen
If you want to use any Asterisk module that needs a timer, like MeetMe, you have to use a module named dahdi (previously named zaptel). DAHDI has one module for each Digium supported card (B410P), and a dummy module (named dahdi_dummy) if you don’t have a hardware card, like me.
The problem appears when you have your Asterisk in a Xen environment. Xen does not allow the use of the RTC, so when using DAHDI/MeetMe, you get the following in your logs:
res_timing_dahdi.c: Asterisk has detected a problem with your DAHDI configuration and will shutdown for your protection.
So get the sources, and let’s patch it!
svn co http://svn.digium.com/svn/dahdi/linux-complete/trunk DAHDI
In dahdi_dummy.c, you’ll have to comment out the two USE_RTC defines, since you can’t use the RTC under Xen:
# diff -u dahdi_dummy.c.ori dahdi_dummy.c --- dahdi_dummy.c.ori 2009-03-23 09:50:36.000000000 +0000 +++ dahdi_dummy.c 2009-03-23 08:55:38.000000000 +0000 @@ -59,11 +59,11 @@ #if defined(CONFIG_HIGH_RES_TIMERS) && LINUX_VERSION_CODE >= VERSION_CODE(2,6,22) #define USE_HIGHRESTIMER #else -#define USE_RTC +//#define USE_RTC #endif #else #if 0 -#define USE_RTC +//#define USE_RTC #endif #endif #endif
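Review bot: the second `-#define USE_RTC` sits inside an `#if 0` block, so it was never compiled and commenting it out changes nothing; only the first change, in the `#else` branch of the `CONFIG_HIGH_RES_TIMERS` check, has any effect. Rather than disabling the define with `//` for every build, consider guarding it with a build-time option so that non-Xen kernels older than 2.6.22 or without high-resolution timers keep the RTC path. It would also help to add a comment stating which timing source the module falls back to when neither USE_HIGHRESTIMER nor USE_RTC is defined, since the hunk does not show it.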
Then compile the module, as usual, with:
    /etc/init.d/dahdi stop
    make all
    make install
    make config
Verify that your module has been correctly installed:
ls -al ./2.6.24-19-xen/dahdi/dahdi_dummy.ko
Comment out all the defined modules in the /etc/dahdi/modules file.
    /etc/init.d/dahdi start
    # dmesg
    [1007539.576458] dahdi: Telephony Interface Registered on major 196
    [1007539.576468] dahdi: Version: SVN-trunk-r6201M
    [1007540.642839] dahdi: Registered tone zone 2 (France)
Django: How to find the url/path you’re into, in a template loaded by a generic view
In a Django project, I have a template that is used by two urls, which is quite common (generic views, using ‘create_object’ and ‘update_object’). The problem is that I had to add a supplementary menu just when the template is loaded from the ‘update’ generic view, and not from the ‘create’ generic view.
Telling the two URL calls apart at the template level is a problem because it’s managed by generic views, so the same template is used.
Anyways, there are several possibilities:
In urls.py, use the ‘template_name’ variable, where you can specify a specific template for this url(), instead of using the default <model>_form.html.
What I don’t like in this situation, is that I will have two nearly similar templates, just for an added menu. Not cool. Another problem is that I use a loop to create all my urls. So if I add a special template, I’ll add it to ALL my models :-(.
Another solution is to find a way to use a variable in the template that would be different depending on whether the template has been loaded by update_object or create_object.
In our urlpatterns in urls.py, we can use the ‘extra_context’ variable (it takes a dictionary as parameter). It is correctly managed, even when using generic views. So, you’ll have:
    url(r'foo/ajouter/$',
        'django.views.generic.create_update.create_object',
        dict(form_class=modelForm, extra_context={'usage': 'create'}),
        name='foo_create'),
    url(r'foo/%s/(?P<object_id>\d+)/modifier/$',
        'django.views.generic.create_update.update_object',
        dict(form_class=modelForm, extra_context={'usage': 'modify'}),
        name='foo_update'),
We can also use, in urls.py, the ‘context_processors’ variable. For more information about the context processors, have a look at this tutorial. The goal is to add ‘django.core.context_processors.request’, like this:
    from django.core.context_processors import request
and in the url(), add context_processors:
    url(r'foo/ajouter/$',
        'django.views.generic.create_update.create_object',
        dict(form_class=modelForm, context_processors=[request]),
        name='foo_create'),
The last possibility is a more global solution. It’s like the context_processors usage above, but added into every template automatically.
To do this, you’ll have to edit the list of Template Processors in your settings.py file. That list is run each time a template is loaded, and allows one to add any variable to the template automatically. By default (on Django 1.0.x) this list is commented out, so the default list applies:
("django.core.context_processors.auth", "django.core.context_processors.debug", "django.core.context_processors.i18n", "django.core.context_processors.media")
You’ll have to uncomment it, and add ‘django.core.context_processors.request’. By doing this, you get the variable ‘request.path’ available in your template.
Finally, you’ll be able to test your variable with {% ifequal %} and display your conditional elements.
calcubetimer moved to Google Code
Calcubetimer’s website doesn’t seem to work anymore :-( Fortunately, gnehzr has moved the code to Google Code.
Asterisk cirpack problem with Free and freephonie.net
If you configured your Asterisk/FreeSWITCH server to talk to freephonie.net (the VoIP service of the French ISP Free), you’ll see the following warning message in the logs:
[Feb 12 09:29:06] WARNING[9228]: chan_sip.c:6624 determine_firstline_parts: Bad request protocol Packet
This is not really a problem, but an annoyance, as it fills up your logs. This is a known problem for more than years, but has never been corrected (neither by Asterisk nor by Cirpack devs). The usual correction was to add the following line to your startup scripts (/etc/rc.local on Debian for example):
iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "Cirpack KeepAlive Packet" -j DROP
But the syntax has changed in iptables, and you’ll get the error:
iptables v1.3.6: STRING match: You must specify `--algo'
So just add one of the 2 available algorithms (bm or kmp):
iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "Cirpack KeepAlive Packet" --algo bm -j DROP








