Sometimes I think (yes, I do that!) that maybe Null is right to wonder whether we should have children. Or at least he has lost the plot.
Vinegar.
I was bitten by this lately, so I post it here as a hint (it may bite you too):
You use apt on your Debian/Sarge to install apache2, mysql, php4 and of course you also install php4-mysql. One should expect that after:
apt-get install php4-mysql
you can connect immediately from your php script to a MySQL database. Calling simply phpinfo() will prove you wrong because of a minor detail: You must add the following line
extension=mysql.so
to /etc/php4/apache2/php.ini and then issue an apache2ctl graceful.
Now you are OK.
From a Lebanese Christian friend:
:
i am in the north, so we don't have a lot of pressure
things are much better than in the south!!
:
People who try to defend their land are “terrorists”
i hope that later we can say much about these issues
now we want the war to stop because each day we have massacres..
:
RFCI publishes a number of useful lists that can be used to effectively filter incoming email. One of the most useful is bogusmx.rfc-ignorant.org, which essentially is a DNSBL that contains domain names with bogus MX servers (like localhost, 0.0.0.0 and so on):
“If any publicly listed MX record for domain contains a hostname which points to bogus IP address space, such as those documented in RFC 3330, or if the domain contains an MX RR that points to an IP address, in violation of RFC 1035 or if the domain has MX RRs which point to hostnames which themselves do not have an associated A record (including MXs which return an NXDOMAIN, or which are CNAMEs)”.
If you are a sendmail user, the trouble with bogusmx.rfc-ignorant.org is that you cannot use it with FEATURE(dnsbl), so you may need to write your own sendmail ruleset. Like this:
LOCAL_CONFIG
# Normally these should not be defined, since Kdnsbl does exactly what
# Kbmx_check does, and Kmacro does what Kbmx_macro does.
Kbmx_check dns -R A -a.FOUND -T.TMP
Kbmx_macro macro
LOCAL_RULESETS
SLocal_check_mail
# Reduce the envelope sender to its domain part
R$*	$: $>canonify $1
R$* < @ $+ . > $*	$1 < @ $2 > $3
R$* < @ $+ > $*	$: $2
# Remember the domain in ${Bmx}
R$*	$: $(bmx_macro {Bmx} $@ $1 $) $1
# A listed domain returns an A record, so .FOUND is appended
R$*	$: $(bmx_check $&{Bmx}.bogusmx.rfc-ignorant.org. $: $1.NOTFOUND $)
R$* . FOUND	$#error $@ 5.7.1 $: Mail from $&{Bmx} refused. It is listed in bogusmx.rfc-ignorant.org.
You can grab the above sendmail code fragment from here. Always be careful if copy-pasting because sendmail uses tabs and not spaces to distinguish between LHS and RHS.
An alternative on how to use domain based blacklist zones is shown by RFCI here (and also has pointers for mail servers other than sendmail).
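The listing criteria quoted above, written out as a check over a domain's MX data. This is an added example, not RFCI's or the original post's code: `bogus_mx_reasons` and the `ZONE` dictionary are hypothetical names, the DNS data is constructed, and the address list is only a subset of RFC 3330.

```python
import ipaddress

# Subset of the special-use IPv4 blocks from RFC 3330 (assumption: not the full list).
BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]

def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def bogus_mx_reasons(domain, zone):
    """List why `domain` meets the quoted criteria; an empty list means it does not.

    `zone` stands in for DNS: {name: {"MX": [...], "A": [...], "CNAME": target}}.
    """
    reasons = []
    for mx in zone.get(domain, {}).get("MX", []):
        host = mx.rstrip(".").lower()
        rec = zone.get(host)
        if is_ip_literal(host):
            reasons.append((host, "MX points to an IP address"))
        elif rec is None:
            reasons.append((host, "MX target does not resolve (NXDOMAIN)"))
        elif "CNAME" in rec:
            reasons.append((host, "MX target is a CNAME"))
        elif not rec.get("A"):
            reasons.append((host, "MX target has no A record"))
        else:
            for addr in rec["A"]:
                if any(ipaddress.ip_address(addr) in net for net in BOGUS_NETS):
                    reasons.append((host, f"A record {addr} is bogus address space"))
    return reasons

# Constructed sample data, not real DNS answers.
ZONE = {
    "good.example": {"MX": ["mail.good.example."]},
    "mail.good.example": {"A": ["203.0.113.25"]},
    "loop.example": {"MX": ["localhost."]},
    "localhost": {"A": ["127.0.0.1"]},
    "literal.example": {"MX": ["192.0.2.10"]},
    "alias.example": {"MX": ["mx.alias.example.", "gone.alias.example."]},
    "mx.alias.example": {"CNAME": "mail.good.example."},
}
```

Calling `bogus_mx_reasons("loop.example", ZONE)` reports the localhost MX, while `good.example` yields an empty list.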
Today, when everyone is saying goodbye to Boban Janković, I will salute you.
You must have been the third person I met at the school. We became friends right away, even though we did not go out together. After all, the word friend is a difficult one (and it is not always tied to having fun). For ten years we were in neighbouring labs (and at the same time we worked together either at the NOC or at TEE). There was never a time when you left something unfinished, so why did you leave?
The last time I saw you was at my wedding. The last time we talked was on your name day. Now all that is left is the SMS you sent me a week ago.
Sorry I did not come to see you.
Goodbye, my friend Dimitris.
Actually my previous post, together with me using virbl.dnsbl.bit.nl made me think how one can share such data between many email servers under the same administrative domain. Well the answer is fairly easy:
Publish them using rbldnsd. Rbldnsd reads text files, so all you have to do is dump the B-Tree data to a text file of type ip4tset (read rbldnsd(8)):
makemap -u btree /var/cache/local/virbl/virbl.db | awk '{print $1}'
Then instruct sendmail / postfix / whatever email server you are using to use the zone you publish with rbldnsd as a DNSBL.
At this time we have a rate of blocking ~3500 connections daily from infected machines with no complaints by any user (ours or remote).
You may use virbl.tee.gr at your own risk. Machines are listed in and delisted from it automatically. Any machine that gets listed is delisted within an hour. Sending viral email to our mail servers results in relisting it. Its governing policy is described at http://www.postmaster.tee.gr/ in Greek.
An interesting observation I have made is that (infected) machines that target one set of mail servers do not necessarily target another set (eg. your servers) within the hour. So instead of using virbl.tee.gr (if you find it a good idea) it might suit you better to implement a similar scheme for your servers.
OK so you use MIMEDefang together with ClamAV[*] to check incoming messages for viral content. But given the fact that an infected machine will bomb you with many many messages, why should you check every message sent for a given time window? This is what I came up with:
The default mimedefang-filter(5) has the following check which discards viral messages:
if ($FoundVirus) {
    md_graphdefang_log('virus', $VirusName, $RelayAddr);
    md_syslog('warning', "Discarding because of virus $VirusName");
    return action_discard();
}
Changing it to:
if ($FoundVirus) {
    # OK log $RelayAddr
    # If you are on a Debian-like system you have to put
    # use DB_File in /etc/mail/mimedefang.pl.conf
    # otherwise you have to put it somewhere in mimedefang-filter
    my %vbl;
    my $now;
    tie %vbl, 'DB_File', "/var/cache/local/virbl/virbl.db", O_CREAT|O_RDWR, 0644, $DB_BTREE or die;
    $now = time;
    $vbl{$RelayAddr} = $now;
    untie %vbl;
    md_graphdefang_log('virus', $VirusName, $RelayAddr);
    md_syslog('warning', "Discarding because of virus $VirusName");
    return action_discard();
}
logs $RelayAddr (the IP address of the infected machine) together with a timestamp in a BerkeleyDB B-Tree. In our example this is /var/cache/local/virbl/virbl.db. You have to make this file writeable by the user that runs MIMEDefang on your system. And now using the following sendmail.mc code one can block this IP address prior to inspecting the message content:
LOCAL_CONFIG
# .db is appended by sendmail automagically
Kvirbl btree -a.FOUND /var/cache/local/virbl/virbl
LOCAL_RULESETS
# Always remember: In sendmail the LHS and the RHS of the sendmail.mc/.cf is
# separated with tabs and not spaces. So do not copy-paste this fragment,
# type it.
SLocal_check_relay
R$*	$: $&{client_addr}
R$*	$: $(virbl $1 $: $1.NOTFOUND $)
R$* . FOUND	$#error $@ 5.7.1 $: You have sent us mail containing a virus and are blocked from our systems for an hour.
So now you need an expiration process. How long shall these IP addresses remain in your database? I keep them for one hour. It seems to be a reasonable default. A simple expiry script is the following perl snippet:
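#!/usr/bin/perl
# Arguments: path to the B-Tree file, maximum entry age in seconds
use strict;
use warnings;
use DB_File;

my $db = shift or die "usage: $0 dbfile seconds\n";
my $threshold = shift or die "usage: $0 dbfile seconds\n";
my %d;
# Open read-write: expired entries are deleted below
tie %d, 'DB_File', $db, O_RDWR, 0644, $DB_BTREE or die "Cannot open $db: $!\n";
my $now = time;
foreach my $i (keys %d) {
    my $diff = $now - $d{$i};
    if ($diff > $threshold) {
        delete $d{$i};
    }
}
untie %d;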
You can run this script from cron every ten minutes or so. I’ve written my expiry program in C and run it every two minutes. If you also want to do this, you have to remember that the perl snippet on mimedefang-filter that logs $RelayAddr and the timestamp stores the timestamp as a string and not as an integer.
[*] There exist many HOWTOs on how to set up MIMEDefang to work with ClamAV. Just use Google.
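The expiry step above (including the note that timestamps are stored as strings) and the ip4tset dump from the rbldnsd post, combined in one added example that is not code from the original posts. A plain dict stands in for the BerkeleyDB file; the function names, the 127.0.0.2 return value and the TXT text are assumptions, and the leading `:A:TXT` default line follows my reading of rbldnsd(8).

```python
import ipaddress

def expire(db, now, threshold=3600):
    """Delete entries older than `threshold` seconds; return the removed keys.

    `db` maps relay IP -> timestamp, both as bytes, the way the Perl filter's
    `$vbl{$RelayAddr} = time` stores them: the value is a decimal string
    such as b"1153730000", not a binary integer.
    """
    removed = []
    for key in list(db):                 # copy the keys: we delete while looping
        try:
            listed_at = int(db[key].decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            listed_at = 0                # unparsable value: expire it, never block forever
        if now - listed_at > threshold:
            del db[key]
            removed.append(key)
    return removed

def to_ip4tset(db, a="127.0.0.2", txt="Sent viral mail within the last hour"):
    """Render the surviving keys as an rbldnsd ip4tset dataset, one IP per line."""
    lines = [f":{a}:{txt}"]              # default A and TXT for every entry
    for key in sorted(db):
        try:
            ip = ipaddress.IPv4Address(key.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            continue                     # ip4tset holds single IPv4 addresses only
        lines.append(str(ip))
    return "\n".join(lines) + "\n"

def dnsbl_qname(ip, zone):
    """Name a mail server looks up to test `ip` against the published zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

# Constructed sample entries, not real listings.
SAMPLE_DB = {
    b"192.0.2.10": b"1000",       # listed long ago
    b"192.0.2.77": b"4000",       # listed recently
    b"203.0.113.5": b"garbage",   # corrupt timestamp
}
```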