Syslog kills Postfix performance

Last night, some script kiddie decided it would be fun to overload one of my servers by brute-forcing the FTP service. With the FTP server taking 90% of the CPU, the whole server became slow. The Postfix mail server in particular experienced a huge delay.

Anyway, I just firewalled out the scriptkiddie and Postfix could start processing the queue. But for some reason, it delivered no more than 5-10 mails a second. That would mean that processing the queue of 18.000 mails would take 30-60 minutes.

I had tried before to figure out why Postfix was so slow, without any luck. The well-known tuning pages didn't help me at all. Today, I opened up /usr/bin/top and saw that the system was doing a lot of I/O. I accidentally found out why: I like to have syslog write *.* to /var/log/allmessages.

This simple rule caused so much extra I/O, that postfix was slowed down 90%. After disabling "allmessages" performance went up, and the queue was processed within minutes. Makes me wonder what happens if I...

  • disable logging altogether, which is a bad idea as you can no longer spot abuse
  • find a way to enable write-cache - the default syslog of CentOS 5 does not support this AFAIK
  • write logs to another device

Interesting...

© GeekLabInfo Syslog kills Postfix performance is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info


My little SEO project (part 2)

Last week I built a site for the rental of Sinterklaas, a figure in Dutch holiday tradition.

I set up a WordPress blog with Woothemes Inspire. I used a few plugins to do SEO and to speed up the site:
Contact Form 7
Google Analyticator
Google XML Sitemaps
My Page Order
W3 Total Cache
WordPress SEO (yoast)
WP to Twitter
Yoast Breadcrumbs

Within 24 hours, we made it to the first page for relevant keywords. I got a first response in about 20 hours from launch. Then the ranking dropped. Anyway, I'm still pretty impressed.


My little SEO project

Last week I built a site for my motorcycle driving instructor, partly for him, partly for myself to see what I can do with SEO.

I set up a WordPress blog with Woothemes Inspire. I used a few plugins to do SEO and to speed up the site:
Contact Form 7
Google Analyticator
Google XML Sitemaps
My Page Order
W3 Total Cache
WordPress SEO (yoast)
WP to Twitter
Yoast Breadcrumbs

Within 24 hours, we made it to the first page for relevant keywords. I got a first response in about 20 hours from launch. Then the ranking dropped. Anyway, I'm still pretty impressed.


Simple dual uplink configuration

Last week I switched from ADSL to EuroDOCSIS cable. I couldn't just shut down the DSL connection as several services were still connecting to that IP. So I made my home router (Fedora 15) kind of multihomed.

Configuration

I haven't even taken the time to separate the ADSL and cable modems; I just hooked them up to the same network interface. Of course, they each got their own IP range.

ADSL modem: 192.168.2.254/24
Cable modem: 192.168.1.1/24

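Step 1: Add IP
# The /24 prefix makes the cable modem at 192.168.1.1 reachable on-link
ip addr add 192.168.1.2/24 dev eth0

Step 2: Routing
By default we send all outgoing packets to the default gateway at 192.168.2.254. Only packets that are answers to incoming packets on the 192.168.1.x network must be routed back via 192.168.1.1.
# Traffic sourced from the cable range uses its own routing table
ip rule add from 192.168.1.0/24 lookup 1001
# iproute2 uses "via" for the next hop ("gw" is route(8) syntax)
ip route add default via 192.168.1.1 table 1001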

That's all. Of course, the above setup only takes care of answering incoming packets. If you want to load-balance or have a fail-over setup, I suggest you read the Linux Advanced Routing & Traffic Control HOWTO.


Backup your website over FTP

One of my customers is hosted at a crappy hosting provider, which I do not trust at all. In fact, I have seen changes that I made to the website being reverted a couple of days later.

To never lose any data on the FTP, I wrote a script to make backups of the FTP, while not wasting too much bandwidth or disk space. I based this script on the principle that rsnapshot uses: hardlinks and rotation.

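#!/bin/bash
# Run this from the directory that holds the numbered snapshots (here /backups).

# Drop the oldest snapshot, then shift 99 -> 100, 98 -> 99, ..., 2 -> 3.
rm -rf 100
for i in $(seq 99 -1 2); do
        if [ -d "$i" ]; then
                echo mv "$i" "$((i+1))"
                mv "$i" "$((i+1))"
        fi
done
# Hardlink the newest snapshot so unchanged files take no extra disk space.
if [ -d 1 ]; then
        echo cp -al 1 2
        cp -al 1 2
fi

HOST="type-hostname-here.com"
USER="type-username-here"
PASS="type-password-here"
LCD="/backups/1"
RCD="/remote/path/httpdocs"

mkdir -p "$LCD"
# ftp:ssl-force needs an explicit value: "set" without one resets the
# variable to its default, which does not require TLS for the login.
lftp -c "set ftp:list-options -a;
set ftp:ssl-force true;
open ftp://$USER:$PASS@$HOST;
lcd $LCD;
cd $RCD;
mirror --verbose \
       --delete \
       --exclude-glob __old \
       --exclude-glob phpmyadmin"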

In this example the directory __old is not copied, nor is phpmyadmin. What it does is move the directory 99 to 100, then 98 to 99, 97 to 98 and so on until 2 is moved to 3. It then hardlinks the directory 1 to 2. This way, a 100 MB file that is not modified can exist in all 100 directories while only using one single block of 100 MB of disk space.

Finally, the script uses lftp to download all modified files from the remote ftp server. Luckily, lftp doesn't just open a local file to modify its contents: instead remotely modified files are first unlinked locally, then re-downloaded. This way, lftp does not interfere with the hardlink system.
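To see why the unlink-before-download behaviour matters for the integrity of older snapshots, the following added example (not part of the original post) rebuilds the rotation on constructed files in a temporary directory and compares replacing a file with overwriting it in place. The function names and the five-snapshot limit are assumptions made for the demonstration.

```bash
#!/bin/bash
# Added example with constructed files; function names are hypothetical.

# Drop the oldest snapshot, shift N -> N+1, then hardlink snapshot 1 to 2.
rotate_snapshots() {
    local base=$1 max=$2 i
    rm -rf "${base:?}/$max"
    i=$((max - 1))
    while [ "$i" -ge 2 ]; do
        if [ -d "$base/$i" ]; then mv "$base/$i" "$base/$((i + 1))"; fi
        i=$((i - 1))
    done
    if [ -d "$base/1" ]; then cp -al "$base/1" "$base/2"; fi
}

# Unlink first, then write a new file: the behaviour the post attributes to lftp.
update_by_replace() { rm -f "$1"; printf '%s\n' "$2" > "$1"; }

# Overwrite through the existing inode: what a tool that opens the file for writing does.
update_in_place() { printf '%s\n' "$2" > "$1"; }

demo() {
    local base shared=no kept clobbered oldest
    base=$(mktemp -d)
    mkdir "$base/1"
    echo "v1" > "$base/1/index.php"
    echo "static" > "$base/1/logo.png"

    rotate_snapshots "$base" 5
    # An unchanged file is a single inode shared by both snapshots.
    if [ "$base/1/logo.png" -ef "$base/2/logo.png" ]; then shared=yes; fi

    update_by_replace "$base/1/index.php" "v2"
    kept=$(cat "$base/2/index.php")        # snapshot 2 still holds the old version

    rotate_snapshots "$base" 5
    update_in_place "$base/1/index.php" "v3"
    clobbered=$(cat "$base/2/index.php")   # snapshot 2 was silently rewritten
    oldest=$(cat "$base/3/index.php")      # snapshot 3 predates the link, so it is intact

    rm -rf "$base"
    echo "$shared $kept $clobbered $oldest"
}

demo
```

The third field shows the failure mode: an in-place write changes every snapshot that shares the inode, so anything other than lftp that edits files under /backups/1 rewrites backup history.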

Database backup

This method does NOT back up your database. Don't forget to back up your database!


Install mod_auth_ntlm_winbind on CentOS 6.0

Step 1. Install ntp and synchronize clocks

We'll be using winbind, kerberos and ntlm to authenticate the user. This requires the clocks of the AD server and the proxy server to be synchronized.

yum -y install ntp
sed -i "s/^server /#server /g" /etc/ntp.conf
echo "server YOURSERVERNAME" >> /etc/ntp.conf
ntpdate YOURSERVERNAME #synchronize right now
service ntpd start #and keep in sync
chkconfig ntpd on #after reboot as well

Step 2. Update system and install required software

yum update
yum install mc vim httpd php svn httpd-devel make autoconf gcc ntp krb5-workstation \
samba-common authconfig samba-winbind

Step 3. Connect to active directory

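Please note that MYCOMPANY.local and mycompany.local may be treated as different domains because of the upper/lowercase difference. Also note that --enablemd5 --passalgo=md5 makes MD5 the hash for local passwords; CentOS 6 defaults to SHA-512, and replacing both options with --passalgo=sha512 keeps that default.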
ADSERVER=sbs.MYCOMPANY.local
DOMAIN=MYCOMPANY.local
WORKGROUP=MYCOMPANY
authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=$ADSERVER \
--krb5realm=$DOMAIN --smbservers=$ADSERVER --smbworkgroup=$WORKGROUP \
--enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=$DOMAIN \
--smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
--winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline \
--winbindjoin=Administrator --disablewins --disablecache --enablelocauthorize --updateall
service winbind start ; chkconfig winbind on
setsebool -P allow_httpd_mod_auth_ntlm_winbind on

Now check your winbind connection using the following commands:
wbinfo -u
wbinfo -g

The socket /var/lib/samba/winbindd_privileged/pipe should be writable by the webserver. To allow that access, I add user apache to the group wbpriv (-a appends, so any existing supplementary groups are kept): usermod -a -G wbpriv apache

Step 4. Download and compile mod_auth_ntlm_winbind

svn co svn://svnanon.samba.org/lorikeet/trunk/mod_auth_ntlm_winbind mod_auth_ntlm_winbind
cd mod_auth_ntlm_winbind/
autoconf
./configure
apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c

Step 5. Configure it

In /etc/httpd/conf.d/mod_auth_ntlm_winbind.conf I put the following configuration (the directory path is a placeholder; use the directory you want to protect):
LoadModule auth_ntlm_winbind_module /usr/lib64/httpd/modules/mod_auth_ntlm_winbind.so

<Directory "/path/to/protected/directory">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "NTLM Authentication"
AuthType NTLM
Require valid-user
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
</Directory>

In /etc/httpd/conf/httpd.conf, change KeepAlive Off to KeepAlive On. Preferably, also set MaxKeepAliveRequests and KeepAliveTimeout to a high value. On my intranet server, they're set to 1000 requests and 600 seconds.

Step 6. Change your firewall to enable incoming HTTP

iptables -I INPUT -p tcp --dport 80 -j ACCEPT
service iptables save

Step 7. Go!

Run service httpd restart, make httpd start on reboot using chkconfig httpd on and test your configuration.


Android: Calendar items set to tentative

Yay, I got myself a Samsung Galaxy SII. Great phone running Android!

There's just one thing that annoys the shit out of me: When I create a new agenda item in my Google agenda, it shows up in my Thunderbird as "tentative". These items will have a lower opacity, which makes the agenda harder to read.

I've googled around and found a lot of complaints about this problem, but there's no solution to make appointments confirmed right away. And I'm definitely not opening all items in Thunderbird to confirm them by hand.

There's a simple solution to this problem: I made Thunderbird render the agenda differently. Using the file userChrome.css, I set opacity to 100%. (If you don't know what userChrome.css is, read this page at mozilla.org.) The actual CSS is:
calendar-event-box[invitation-status="TENTATIVE"],
calendar-editable-item[invitation-status="TENTATIVE"],
calendar-month-day-box-item[invitation-status="TENTATIVE"],
calendar-event-box[status="TENTATIVE"],
calendar-editable-item[status="TENTATIVE"],
calendar-month-day-box-item[status="TENTATIVE"]
{
opacity: 1 !important;
}

Restart Thunderbird and you're done.

This "solution" does not set any appointments to "confirmed". It just renders tentative appointments the same as confirmed items, so that you don't see the difference anymore.
