Mail log IP address count

The following monster parses the mail log and reports each unique IP address that appears in a "connect from unknown" line, along with a count of those connections.

cat /var/log/mail.log | \
  grep ' connect from unknown' | \
  awk '{ print $8 }' | \
  sort | \
  sed -n 's/.*\[\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)\].*/\1/p' | \
  awk '{count[$1]++} END {for (word in count) print count[word], word}' | \
  sort -n
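The same count as a single awk pass, given here as an added example that is not part of the original post. It goes a little further than the pipeline above by also counting IPv6 clients, which the IPv4-only sed pattern drops. The function names and sample lines are constructed, and a Postfix-style "connect from unknown[address]" log format is assumed.

```bash
# Added example (not from the original post).
# Reads mail log lines on stdin and prints "<count> <address>" for every client
# logged as "connect from unknown[...]", lowest count first.
count_unknown_hosts() {
  awk '
    / connect from unknown\[/ {
      # Take whatever sits between "unknown[" and the next "]", so IPv6
      # clients are counted as well as IPv4 ones.
      if (match($0, /unknown\[[^]]+\]/)) {
        addr = substr($0, RSTART + 8, RLENGTH - 9)
        count[addr]++
      }
    }
    END { for (a in count) print count[a], a }
  ' | sort -k1,1n -k2,2
}

# Constructed sample lines using documentation addresses (not a real log).
sample_mail_log() {
  cat <<'EOF'
Feb  4 09:16:15 sixsigma postfix/smtpd[3401]: connect from unknown[192.0.2.10]
Feb  4 09:16:17 sixsigma postfix/smtpd[3401]: disconnect from unknown[192.0.2.10]
Feb  4 09:17:02 sixsigma postfix/smtpd[3402]: connect from unknown[2001:db8::25]
Feb  4 09:18:40 sixsigma postfix/smtpd[3403]: connect from unknown[192.0.2.10]
Feb  4 09:19:11 sixsigma postfix/smtpd[3404]: connect from mail.example.org[203.0.113.5]
Feb  4 09:20:05 sixsigma postfix/smtpd[3405]: connect from unknown[198.51.100.7]
Feb  4 09:21:30 sixsigma postfix/smtpd[3406]: connect from unknown[2001:db8::25]
Feb  4 09:22:48 sixsigma postfix/smtpd[3407]: connect from unknown[192.0.2.10]
EOF
}

sample_mail_log | count_unknown_hosts
```

Against a real log, run it as `count_unknown_hosts < /var/log/mail.log`.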

Remove Boot Text On The Raspberry Pi For Noobs

Today I read Remove Boot Text On The Raspberry Pi For Noobs:

vim /boot/cmdline.txt

You will see a single line with all the boot options. Scroll along and change the following, making sure not to add any line breaks:

  • Replace console=tty1 with console=tty3 to redirect boot messages to the third console.
  • Add loglevel=3 to disable non-critical kernel log messages.
  • Add logo.nologo to the end of the line to stop the Raspberry Pi logos from displaying.

vim /boot/config.txt

  • Add disable_splash=1 at the end of the file.
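The edits listed above as a repeatable script, added here as an example that is not from the original post. The function names and the sample command line are made up, and replacing an existing loglevel= option rather than keeping it is an assumption.

```bash
# Added example (not from the original post).

# Rewrite a kernel command line read on stdin; the result is always one line.
quiet_cmdline() {
  awk '
    {
      for (i = 1; i <= NF; i++) {
        t = $i
        if (t == "console=tty1") t = "console=tty3"
        # Drop options that are re-added below, so a second run changes nothing.
        if (t ~ /^loglevel=/ || t == "logo.nologo") continue
        out = (out == "" ? t : out " " t)
      }
    }
    END { print (out == "" ? "" : out " ") "loglevel=3 logo.nologo" }
  '
}

# Append disable_splash=1 to the given config file unless it is already set.
ensure_disable_splash() {
  grep -qx 'disable_splash=1' "$1" && return 0
  # Make sure the file ends in a newline before appending.
  [ -z "$(tail -c1 "$1")" ] || printf '\n' >> "$1"
  printf 'disable_splash=1\n' >> "$1"
}

# Constructed sample of a cmdline.txt line.
sample_cmdline() {
  printf '%s\n' 'dwc_otg.lpm_enable=0 console=ttyAMA0,115200 console=tty1 root=/dev/mmcblk0p2 rootfstype=ext4 rootwait'
}

sample_cmdline | quiet_cmdline
```

Write the result of `quiet_cmdline < /boot/cmdline.txt` to a separate file and check it before copying it over the original.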

KCachegrind doesn’t open cachegrind profiler log file

So I had an issue with KCachegrind where I would open a cachegrind profile file and “nothing happened”. The status bar said the file had loaded, but the user interface widgets were all empty. Turns out clicking Settings -> Sidebars -> Function Profile loaded the part of the UI I needed to get started… everything is easy when you know how!

HTTPS+SSLVerifyClient require in <Directory>+big POST = Apache error

I was configuring MediaWiki to allow uploads and was getting an error in the browser about the POST data being too large (“does not allow request data with POST requests, or the amount of data provided in the request exceeds the capacity limit.”). I had a look in the Apache error log and found:

[Thu Feb 23 16:12:45 2012] [error] [client 60.240.67.126] request body exceeds maximum size (131072) for SSL buffer, referer: https://www.jj5.net/morpheus/Special:Upload
[Thu Feb 23 16:12:45 2012] [error] [client 60.240.67.126] could not buffer message body to allow SSL renegotiation to proceed, referer: https://www.jj5.net/morpheus/Special:Upload

So I did some research. I found this document, File upload size, which suggested editing /etc/php5/apache2/php.ini, which I did:

upload_max_filesize = 20M
post_max_size = 80M

That didn’t fix the problem though. I found Request entity too large which suggested checking my setting for LimitRequestBody, but that wasn’t the problem either.

Eventually I found Bug 491763 – HTTPS+SSLVerifyClient require in <Directory>+big POST = Apache error, which suggested I needed to apply the SSLRenegBufferSize directive, which I did like this:

  <Location /morpheus>
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLRenegBufferSize 20971520
  </Location>

And then after restarting Apache the problem was solved.

Resolved: warning: request to update table btree:/var/run/smtp_tls_session_cache in non-postfix directory /var/run

There were a few warnings popping up in my /var/log/mail.warn log for Postfix, like this:

Feb  4 09:16:15 sixsigma postfix/tlsmgr[3394]: warning: request to update table btree:/var/run/smtpd_tls_session_cache in non-postfix directory /var/run
Feb  4 09:16:15 sixsigma postfix/tlsmgr[3394]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix
Feb  4 09:16:15 sixsigma postfix/tlsmgr[3394]: warning: request to update table btree:/var/run/smtp_tls_session_cache in non-postfix directory /var/run
Feb  4 09:16:15 sixsigma postfix/tlsmgr[3394]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix

I fixed the problem by reconfiguring /etc/postfix/main.cf and changing this:

smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache

To this:

smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache

Configure fail2ban to use route instead of iptables to block connections

Today I read about how to configure fail2ban to use route instead of iptables to block connections. I’m not planning to switch to the route command just yet, because I think when fail2ban uses iptables it only bans an IP address from accessing a particular port (or set of ports). Although maybe I don’t care about that and just banning the whole host altogether would be OK.

The reason I’ve been looking into fail2ban is that I have a heap of errors in my logs from fail2ban trying to use iptables and failing, e.g.:

 2012-02-04 00:23:02,939 fail2ban.actions.action: ERROR  iptables -D fail2ban-ssh -s 125.211.221.117 -j DROP returned 100
 2012-02-04 00:59:12,456 fail2ban.actions.action: ERROR  iptables -I fail2ban-ssh 1 -s 50.30.33.90 -j DROP returned 100
 2012-02-04 01:59:12,930 fail2ban.actions.action: ERROR  iptables -D fail2ban-ssh -s 50.30.33.90 -j DROP returned 100
 2012-02-04 08:35:13,252 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
 2012-02-04 08:35:36,688 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh-ddos
 2012-02-04 08:35:36,695 fail2ban.actions.action: ERROR  iptables -N fail2ban-apache-overflows
 2012-02-04 08:35:36,703 fail2ban.actions.action: ERROR  iptables -N fail2ban-postfix
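
A way to triage errors like these, added here as an example that is not part of the original post: it counts the failing iptables actions by type and lists the bans whose DROP rule was never inserted, since those addresses were not actually blocked. The function names are made up and the log lines are constructed in the format shown above.

```bash
# Added example (not from the original post).

# Count failing iptables actions by what fail2ban was trying to do.
iptables_error_summary() {
  awk '
    /fail2ban\.actions\.action: ERROR/ && / iptables / {
      op = "other"
      for (i = 1; i <= NF; i++) {
        if ($i == "-N") op = "create-chain"
        else if ($i == "-I") op = "ban"
        else if ($i == "-D") op = "unban-or-cleanup"
      }
      n[op]++
    }
    END { for (k in n) print k, n[k] }
  ' | sort
}

# Print "<chain> <address>" for every ban whose DROP rule was not inserted.
unapplied_bans() {
  awk '
    /fail2ban\.actions\.action: ERROR/ && / iptables -I / {
      chain = ""; addr = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-I") chain = $(i + 1)
        if ($i == "-s") addr = $(i + 1)
      }
      if (chain != "" && addr != "") print chain, addr
    }
  ' | sort -u
}

# Constructed log lines using documentation addresses (not a real log).
sample_fail2ban_log() {
  cat <<'EOF'
2012-02-04 00:59:12,456 fail2ban.actions.action: ERROR  iptables -I fail2ban-ssh 1 -s 192.0.2.44 -j DROP returned 100
2012-02-04 01:59:12,930 fail2ban.actions.action: ERROR  iptables -D fail2ban-ssh -s 192.0.2.44 -j DROP returned 100
2012-02-04 02:10:03,101 fail2ban.actions.action: ERROR  iptables -I fail2ban-postfix 1 -s 198.51.100.9 -j DROP returned 100
2012-02-04 08:35:36,688 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh-ddos
2012-02-04 08:35:40,002 fail2ban.actions: WARNING [ssh] Ban 203.0.113.80
EOF
}

sample_fail2ban_log | iptables_error_summary
sample_fail2ban_log | unapplied_bans
```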

Watching the web-logs on all of my servers in real time

I have a computer sitting on my desk that is always on (it’s my file server) and it has a monitor attached which is almost never in use (I ssh to that server if I want to do things so it’s hardly ever logged in).

I thought it would be cool if on that monitor the web-logs from all of the systems I manage were shown so I could keep an eye on things and maybe learn a thing or two about my web-sites and how people are using them.

So the first thing I did was write a script to grab any given web log:

root@orac:~# cat /root/get-web-log.sh
#!/bin/bash
# Usage: get-web-log.sh <ssh-host> <apache-log-file> <output-name>
# Follows a remote Apache log over ssh, appends every line to /var/log/web.log,
# and writes the lines not matching the crawler patterns to /var/log/web/<output-name>.
echo "Starting download of $3..."
while : ; do
  su -c "ssh $1 tail -f /var/log/apache2/$2 < /dev/null" jj5 \
    | tee -a /var/log/web.log \
    | grep --line-buffered -v "Mozilla.5.0 .compatible. Googlebot.2.1. .http...www.google.com.bot.html." \
    | grep --line-buffered -v "Baiduspider...http...www.baidu.com.search.spider.htm." \
    | grep --line-buffered -v "Mozilla.5.0 .compatible. Baiduspider.2.0. .http...www.baidu.com.search.spider.html." \
    | grep --line-buffered -v "Mozilla.5.0 .compatible. Exabot.3.0. .http...www.exabot.com.go.robot." \
    | grep --line-buffered -v "Mozilla.5.0 .compatible. YandexBot.3.0. .http...yandex.com.bots." \
    > "/var/log/web/$3"
  # The ssh session ended; wait a minute and reconnect.
  sleep 60
  echo; echo; echo "Restarting download of $3..."; echo; echo
done

Then I wrote a series of scripts which call the get-web-log.sh script for specific web-sites on specific servers, e.g.:

root@orac:~# cat /root/web-log/get-jsphp.co
#!/bin/bash
/root/get-web-log.sh honesty www.jsphp.co-access.log jsphp.co
exit

Then I wrote a main script, rather unoriginally called info.sh, that kicks off the web logs downloads and then monitors their progress as they come through:

root@orac:~# cat /root/info.sh
#!/bin/bash

# disable the screensaver
setterm -blank 0 -powersave off -powerdown 0

# start downloading the web-logs
cd /root/web-log
./get-jsphp.co &
sleep 1
#...all the other downloaders, one for each site

# watch the web-logs
cd /var/log/web
tail -f *

# stop downloading the web-logs
kill %1
#...all the other kills, one for each downloader

exit

Then I edited /etc/init/tty1.conf so that on tty1, instead of having a login console, I automatically ran my info.sh script:

root@orac:~# cat /etc/init/tty1.conf
# tty1 - getty
#
# This service maintains a getty on tty1 from the point the system is
# started until it is shut down again.

start on stopped rc RUNLEVEL=[2345]
stop on runlevel [!2345]

respawn
#exec /sbin/getty -8 38400 tty1
exec /root/info.sh < /dev/tty1 > /dev/tty1 2>&1

And that was it. The only trick was that I needed to disable the screen saver (as shown in the info.sh script) so that the screen didn’t constantly blank.

And now I can watch the web activity on all of my sites in real time.