Creating your Own “Access Groups” In Linux

Posted by Nessa | Posted in Uncategorized | Posted on 22-05-2007


We started cracking down a bit on system binaries being executable by end users on our shared hosting servers, which consisted of chmod-ing things like ‘wget’ to 700 so only root users have access. If you’re on a shared host, it’s likely that you’ve encountered this kind of restriction before, and if you’re a server admin you probably know why this is necessary.

A typical scenario I’ve seen in many cases is some user’s crappity software gets exploited and executes the ‘wget’ command to download hacks and warez onto the server. I’ve also seen typical Linux functions be abused by hack processes because the access was not being controlled — it’s only safe to say that certain system binaries should be restricted to only trusted users. Programs that I find particularly pervious to hacks are those like wget, lynx, scp, sh, and exec.

The issue with this (and the point of this article) is that if you suddenly disable these functions you’ll probably find yourself with a dozen complaints from your users who were using them. I’m all about fairness, so I’m not about to tell someone to rewrite their scripts because of a server-side change. Instead, I created a group on the server and added those users to be able to have access to what they needed, and chgrp-ed the binaries to that group.

I’ll use the wget example first. Say you have ‘user1‘ and ‘user2‘ that both need to be able to use wget, which is currently set to root:root 700. You’ll need to first create a file called ‘addtogroup.sh’ and insert this script:

#!/bin/bash
# Add one or more users to an existing supplementary group, keeping their current groups.
if [ $# -ge 2 ]; then
    if [ "$UID" -eq 0 ]; then
        # Match the whole group name, not just a prefix of it
        if grep -q "^$1:" /etc/group; then
            GROUPNAME=$1
            shift
            while [ $# -gt 0 ]; do
                CURRENT=$1
                # usermod -G replaces the list, so pass the existing groups plus the new one
                EXISTING=$(id -Gn "$CURRENT" | sed 's/ /,/g')
                usermod -G "$EXISTING,$GROUPNAME" "$CURRENT"
                shift
            done
        else
            echo "the group $1 does not exist."
        fi
    else
        echo "you must be ROOT to run this script."
    fi
else
    echo "usage: $0 grp usr1 [usr2 ... usrN]"
fi

I know, I know, you’re probably asking why I don’t use useradd +G or something like that. I tried, but in this case those commands are not appropriate. Anyways, go ahead and create your group:

root@vps [~]# groupadd wgetters

Now, simply run the script and add your users to that group:

root@vps[~]# sh addtogroup.sh wgetters user1 user2

Run id user1 to make sure that user was added to the group — you should see something like this:

uid=32010(user1) gid=32012(user1) groups=32012(user1),32014(wgetters)

Now if you chown the wget binary to root:wgetters and chmod it to 750, then only root and the users in that group can use wget, and their primary group is unaffected. Users who are already logged in pick up the new group at their next login.
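To confirm the lockdown took effect, the check below compares a binary's owner, group and mode against what you intended and flags anything still accessible to "other". This is an added example, not part of the original post; audit_binary is a hypothetical helper name and it assumes GNU stat (stat -c) on Linux.

```shell
#!/bin/bash
# Added example: verify that a restricted binary has the intended
# owner, group and mode. audit_binary is a hypothetical helper name.
# Assumes GNU coreutils stat (stat -c).

# usage: audit_binary <path> <owner> <group> <octal-mode>
# Prints "OK <path>" and returns 0, or prints each mismatch and returns 1.
# The body runs in a subshell so its variables do not leak to the caller.
audit_binary() (
    path=$1 want_owner=$2 want_group=$3 want_mode=$4
    rc=0

    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        exit 1
    fi

    # -L follows symlinks so we audit the real file, not the link
    owner=$(stat -L -c '%U' "$path")
    group=$(stat -L -c '%G' "$path")
    mode=$(stat -L -c '%a' "$path")

    [ "$owner" = "$want_owner" ] || { echo "OWNER $path: $owner (want $want_owner)"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "GROUP $path: $group (want $want_group)"; rc=1; }
    [ "$mode" = "$want_mode" ]   || { echo "MODE $path: $mode (want $want_mode)"; rc=1; }

    # A non-zero last octal digit means "other" still has some access,
    # which defeats the group restriction
    case "$mode" in
        *[1-7]) echo "WORLD $path: mode $mode grants access to everyone"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK $path"
    exit "$rc"
)

# Example run as root on the server (paths are typical, adjust to yours):
#   for b in /usr/bin/wget /usr/bin/lynx /usr/bin/scp; do
#       audit_binary "$b" root wgetters 750
#   done
#   getent group wgetters    # lists who is in the access group
```

Running it from cron after package updates is worthwhile, since reinstalling a package usually resets the file's ownership and mode.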

It wouldn’t hurt mentioning that wget is often unnecessary, as many scripts can be run other ways:

php -q scriptname.php

perl scriptname.cgi

python scriptname.py

lynx http://website.com/somefile.php (assuming that you have lynx enabled)

My Pineapple!

Posted by Nessa | Posted in Uncategorized | Posted on 20-05-2007


My Good Luck Pineapple broke today and I’m very upset….it’s the very first pineapple I bought when I moved out of my parents’ house three years ago, and it’s been in my freezer ever since.  Man, the last time I was this upset was when I bought Capone a fish named Charlie…and then he ate it.

VirtualHost Hacking with Wildcard DNS

Posted by Nessa | Posted in Uncategorized | Posted on 19-05-2007


A recent topic in the webhosting business is wildcard DNS.  Setting up a wildcard record will allow you to essentially have infinite subdomains all pointing to the same place. You can try this on my site if you’d like by typing in any random subdomain (like lkjairl.v-nessa.net) and then see it point back to my primary, unless it’s one that I’ve actually created.  Now if you combine this ‘technology’ with the power of .htaccess rewrites, then congratulations.  You’ve just cheated your host and obtained unlimited subdomains.

The first thing you would need to do is have a wildcard DNS record set up.  If you have access to your own zone files, that’s great, otherwise you’ll need to ask your host to set it up for you.  Fair warning though, your hosting company is not stupid (unless it’s Dreamhost) so don’t be surprised if they decline your request.  To set up the DNS zone you simply need to add an A record “*” like so:

* 14400 IN A 205.134.252.71

*Note: Some argue that you need to use the full  *.domain.com. as the first field…this is actually not required at all, nor recommended!

Depending on your platform, you’ll likely find your domain’s zone file in /var/named/domain.com.db unless you have this feature in your host’s control panel.  Once you’ve added the record simply reload named/BIND with the /etc/init.d/named reload command if needed.   If you’re using an interface it will probably do this for you automatically.

Now you need to add a ServerAlias line to your httpd.conf for the wildcard, if your host does not already have Apache configured this way.  Inside the <virtualhost> tags for your domain, add this line:

ServerAlias *.domain.com

Then restart Apache as usual (/etc/init.d/httpd restart) and test a random subdomain to see if it’s working.

So now you will notice that any non-distinguished subdomain shares the same document root as your primary. That’s great and all but it really serves no purpose, so that is where mod_rewrite comes in.  You can add and modify the following code in your .htaccess to have Apache direct these subdomains to where they need to go:


RewriteEngine On
RewriteRule ^\.htaccess$ - [F]
RewriteCond %{HTTP_HOST} !^www\.example\.com?$
RewriteCond %{HTTP_HOST} ^([^.]+)\.example\.com?$
RewriteRule ^$ /folder/page.html [L]

Using your imagination you can write your own script that can create subdomains and the appropriate .htaccess entries on-demand (assuming that this is not blocked by mod_security).  The end result is seemingly unlimited subdomains on your account!  Also, the changes are usually immediate and do not require propagation.


Domain Names that Make you Giggle

Posted by Nessa | Posted in Uncategorized | Posted on 19-05-2007


It’s been almost a year since I stumbled upon this article that outlines the top 10 URL flops on the internet.  If you haven’t been there, check it out dammit.

WordPress 2.2 “Released”

Posted by Nessa | Posted in Uncategorized | Posted on 15-05-2007


And I use the word “released” very loosely. Yes, I just upgraded my blog to use WordPress 2.2 after this guy made it sound delicious. No, I don’t regret it, but I do think it would be best to wait for a bugfix. I shall start with the positives:

- It’s optimized a bit more to help your site load faster. This may or may not be noticeable to you, but it probably is to your webhost

- It’s harder to break your site by enabling a botched plugin. I tried to enable Staticized-Reloaded and I got what I interpret as the “WordPress Screen of Death”:

[Image: WordPress Plugin Error]

This is also a shame because this happens to be one bad-ass plugin.

Now for the bad, which outweighs the good:

- Don’t be surprised if your plugin database disappears. For some odd reason, WordPress could only find it after I created a new plugins folder and copied over my plugin files again….and yes, I had to re-enable all 30 of them.

- WP-Cache no longer works (at the time of this writing), and you’ll find that enabling it will cause some strange behavior on your blog. Oddly enough it also caused my plugin database to be erased yet again.

- TinyMCE (the WYSIWYG editor) malfunctions, esp. in Firefox when trying to use certain functions.

- You may need to tweak your theme a bit. I had to make several code modifications to my sidebar and header files.

- Your boobs might shrink in size. Oops, wait…that’s what happens when you stop taking birth control.

Anywho, those of you who are thinking of upgrading, be prepared to spend a few minutes messing with your site and testing your plugins and such. It may be a good idea to wait for a bugfix, which by WordPress history will probably be out within the next few days.

Make Apache Faster

Posted by Nessa | Posted in Uncategorized | Posted on 09-05-2007


Apparently someone thinks that my website is too slow in its load time. I never really thought it was that bad, but his little handy dandy Firefox plugin claims that it takes my site approximately 6-7 seconds to load initially, which kinda sucks. I know that I’ve written some stuff on optimizing php performance and I tell customers on a daily basis how to keep their sites from bogging down our servers, but I never really cared to optimize my own site because I have a v-dedicated server. So anyways, I’ve made a few modifications to both my site and the server environment to help speed things up a bit.

You might want to read my article on Optimizing PHP as well.

Enable Compression with Apache

If you are running on Apache 2, mod_deflate should already be installed on your system — all you have to do is enable it. I recently downgraded my server back to Apache 1.3.37 (mainly because of cPanel) so I’m using the mod_gzip alternative. Basically, mod_gzip compresses the contents of your site server-side and then passes the file onto your compression-enabled browser to decompress the file. The overhead on the server may be slightly higher during heavier traffic times, but you’ll find yourself saving bandwidth and load time since the server is passing less data between it and your clients.

To install mod_gzip on Apache:

wget http://easynews.dl.sourceforge.net/sourceforge/mod-gzip/mod_gzip-1.3.26.1a.tgz
tar -zxvf mod_gzip-1.3.26.1a.tgz
cd mod_gzip-1.3.26.1a

If you’re on a cPanel system, you’ll need to modify the path to apxs:

pico Makefile

Change APXS?=/usr/local/sbin/apxs to APXS?=/usr/local/apache/bin/apxs

Then just do the normal make && make install

Now enable the dynamic modules in the Apache config:

pico /usr/local/apache/conf/httpd.conf

Uncomment these lines:

#LoadModule gzip_module libexec/mod_gzip.so
#AddModule mod_gzip.c


Now all you need to do is restart Apache as normal. To see if compression is working on your site, just hop on over to this page and run the test.

Change The KeepAliveTimeout

By default your Apache configuration will probably keep connections alive for up to 15 seconds before they die off. For busier sites this can be a little too long. I suggest setting this to 3 or 5 seconds in your httpd.conf.

Adjust the PHP Output Handler

Your PHP scripts are constantly recompiling themselves every time a page is loaded. If your site is heavily reliant on PHP, you may find it beneficial to have PHP send its output to a compression function in your php.ini:

output_handler = ob_gzhandler


Check Your resolv.conf

It’s obvious that your settings are fine if your site and email are working, but your resolver may not be set to do the fastest lookups. If you have a caching or local nameserver, you will want that listed first in /etc/resolv.conf. I’ve seen a drastic decrease in performance on some customer VPS’s because the servers were doing DNS lookups through external nameservers. I have dedicated nameservers, so my resolv.conf looks like this:

search v-nessa.net
nameserver 205.134.252.71
nameserver 4.2.2.1
nameserver 4.2.2.3

Optimize!

One of the major changes I made on my site was to the image and page sizes… I did a lot of code and image compression to decrease the amount of time it takes to load my site. A majority of this consisted of simply saving my images in .gif or .png formats and removing plugins and includes that were not needed.

WordPress Plugins That You *Might* Want to Avoid

Posted by Nessa | Posted in Uncategorized | Posted on 07-05-2007


If you haven’t noticed that my site’s been down for the last hour, it’s because I activated this mailing plugin that completely messed up my whole site to the point where I couldn’t even log in to deactivate it. It eventually came to me that if I move the plugin file it would de-activate automatically and poof, my website came right up. I guess my boss was right when he said I tend to be over-technical and miss the easy things.

Anywho, I’ve messed around with a lot of plugins and I’ve composed a tiny list of ones that you would probably be better off not installing. Some of these result in what Dan would call “the Internet version of ‘the clap’”

On the reverse, if you want to see the plugins that I recommend, you can view my post on the 13 Sexiest WordPress Plugins.

PHP Browser-Based Website Crawler

Posted by Nessa | Posted in Uncategorized | Posted on 07-05-2007


I figured out a way to create a php website crawler that can be run via web browser instead of command line. You can use this to harvest links from a website for use in a database or search engine…or to see how easily a spider or bot can creep your site. Try it here!

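<html>
<head><title>PHP Website Crawler</title></head>
<body>
<font face="verdana" color="#66ccff">
<form id="crawl" method="post" action="">

<label>URL:
<input name="url" type="text" id="url" value="http://website.com" size="70" maxlength="255" />
</label>
<br />
<br />
<label>
<input type="submit" name="Submit" value="Crawl!" />
</label>
<br />
</form>
<?php
if (isset($_POST['url'])) {
    $url = $_POST['url'];
    // Only fetch http(s) URLs so the form cannot be used to read local files.
    // The server still connects to whatever host is given, internal ones included.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        die('Only http and https URLs are accepted.');
    }
    $f = @fopen($url, "r");
    if ($f === false) {
        die('Could not open that URL.');
    }
    // Read one line at a time and pull the href out of every anchor tag
    while (($buf = fgets($f, 4096)) !== false) {
        preg_match_all("/<\s*a\s+[^>]*href\s*=\s*[\"']?([^\"' >]+)[\"' >]/isU", $buf, $words);
        foreach ($words[1] as $link) {
            $cur_word = strtolower($link);
            // Escape before printing: the link text comes from the crawled page
            print htmlspecialchars($cur_word, ENT_QUOTES) . "<br>";
        }
    }
    fclose($f);
}
?>
</font>
</body>
</html>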

Fake a 404 to Block an Entire ISP

Posted by Nessa | Posted in Uncategorized | Posted on 06-05-2007


I’ve been getting a sudden influx of traffic so I decided to take a look at my referrer stats, and even though there wasn’t anything blatantly obvious out there, I did notice some strange injection-like URL strings coming from a certain ISP. I figured the best way to block them without having to figure out and set an IP range to block is to just fake the existence of my whole website. Here’s how you can force users from an entire [unwanted] ISP to a 404 page…you’d want to put this in a page that is consistently loaded with your site. If you’re a WordPress user, the best spot would be your header.php.

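<?php
// Reverse-resolve the client IP. This costs a DNS lookup on every request, and the
// PTR record is set by whoever owns the IP, so this is a nuisance filter, not access control.
// Must run before any output is sent, or the 404 status header cannot be set.
$host = gethostbyaddr($_SERVER['REMOTE_ADDR']);
if (is_string($host) && stristr($host, "anyisp.com")) {
header("HTTP/1.1 404 Not Found");
print "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL / was not found on this server.<P>
<P>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.
<HR>
<ADDRESS>Apache/1.3.37 Server at www.v-nessa.net Port 80</ADDRESS>
</BODY></HTML>";
exit;
}
?>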

Ruby Isn’t Too Bad

Posted by Nessa | Posted in Uncategorized | Posted on 02-05-2007


I haven’t really had a whole lot of time to play around with Ruby, but I managed to write a little script that I call boobs.rb.  It was my attempt to take advantage of Ruby’s ability to define your own functions. Maybe if I’m lucky I would be able to actually define my own bra size too.

#!/usr/bin/ruby


def sayBoobs(name)
result = "Hey, " + name + " wears a size DD. \n "
return result
end


puts sayBoobs("Nessa")

This puts out something that looks like this: