
Thursday, February 28, 2013

How To : Apache and Self Signed Certificates

Whether it is on your desktop or server installation of Ubuntu, there will come a time that you may need to work with Apache and certificates. We will go into full certificates from Certificate Authorities (like Verisign or Entrust) as well as exploring some of the ‘Open Source’ Certificate Authorities (read: free) in a later article. Today we are discussing how to prepare Apache to answer HTTPS requests in the VHOSTS as well as installing and configuring the pieces. Finally, we will install a self signed certificate and access our system over HTTPS to verify it all works.

Assembling All the Pieces
The first thing we need to do (assuming that Apache 2 is already installed) is to make sure we have all the pieces. Let’s install the SSL package and module we need:
sudo apt-get install openssl
This will install the parts needed to generate our certificate and the module that apache needs to enable SSL support (NOTE: Apache 2 must be installed prior to running this command in order for the module to be installed in the proper location). Once that is installed, apache needs to be told to enable the module:
sudo a2enmod ssl
If this is the first time you have used apache’s shortcut scripts, you may not be familiar with the most common ones – you will want to be familiar with the following scripts when using apache in any Debian based distribution (including Ubuntu):
  • a2enmod: Shortcut for ‘Available To Enabled Module’, takes an installed module and creates a link from ‘/etc/apache2/mods-available’ to ‘/etc/apache2/mods-enabled’ so that when apache is restarted, the module will be enabled in the live configuration
  • a2dismod: Shortcut for ‘Available to Disabled Module’, removes the link from ‘/etc/apache2/mods-enabled’ created when the module was enabled (see above), the module will then be disabled after apache is restarted
  • a2ensite: Shortcut for ‘Available to Enabled Site’, takes an installed site (vhost) and creates a link from ‘/etc/apache2/sites-available’ to ‘/etc/apache2/sites-enabled’ so that when apache is restarted, the site will be enabled in the live configuration
  • a2dissite: Shortcut for ‘Available to Disabled Site’, removes the link from ‘/etc/apache2/sites-enabled’ created when the site was enabled (see above), the site will then be disabled after apache is restarted
Generating the Certificate
Our module is installed and active (at least the next time we restart apache), so now we need to generate a certificate and then note their locations (we will place our resulting certificate files and keys in the most ‘standard’ locations, but they can be changed to whatever is appropriate in your circumstance as long as you note where they are during our vhost setup later). First, we need to generate the ‘Certificate Request’ file:
Creating Our Certificate Request
As you can see, you will be asked for a number of pieces of information. During the generation and installation of a ‘Self Signed’ certificate, like the one we are installing, this information is unimportant. However, in our next article on the topic, it will be important, since some of these items will generate the key embedded in your certificate, and that is used by the Certificate Authority who issues the final certificate to validate your identity and secure your site. At this point, as you can see I did, you can put in almost anything you want.
A couple more things to complete the creation of our certificate and move the files into place. See the following screen shot:
Creating Our Certificate and Moving Files
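The two screenshots above carry the openssl commands and the move into /etc/ssl. As an added example that is not from the original post, the script below does the same three steps (private key, certificate request, self-signed certificate) as shell functions and adds the checks worth doing before restarting Apache: that the certificate really belongs to the key (a mismatch makes apache2 refuse to start), that it is self-signed and not yet expired, and its SHA-256 fingerprint, which you can compare against the one the browser shows in its warning so you know you are looking at your own certificate and not someone else's. The output directory, the subject fields other than CN, the 2048-bit key size and the 365-day lifetime are assumptions; the install paths are the ones the vhost later in the post expects.

```shell
#!/bin/sh
# Added example (not from the original post): build a self-signed certificate
# the same way the screenshots do (key -> request -> signed cert) and verify it.
# Assumes the openssl command-line tool is installed.
set -eu

# make_self_signed OUTDIR COMMON_NAME DAYS
# Writes server.key, server.csr and server.crt into OUTDIR (assumed layout).
make_self_signed() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    # 1. private key without a passphrase, so apache2 can start unattended;
    #    keep it readable by the owner only
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"
    # 2. certificate request; for a self-signed cert only CN matters and it
    #    should be the hostname the browser will use (the rest is filler)
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=XX/ST=Example/L=Example/O=Example/CN=$cn"
    # 3. sign the request with its own key -> self-signed certificate
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# cert_matches_key CERT KEY
# Succeeds only if the public key inside CERT equals the public key derived
# from KEY; apache2 refuses to start when SSLCertificateFile and
# SSLCertificateKeyFile do not belong together.
cert_matches_key() {
    a=$(openssl x509 -noout -pubkey -in "$1")
    b=$(openssl pkey -pubout -in "$2")
    [ "$a" = "$b" ]
}

# cert_is_self_signed CERT
# A self-signed certificate has identical issuer and subject.
cert_is_self_signed() {
    s=$(openssl x509 -noout -subject -in "$1" | sed 's/^[a-zA-Z]*=//')
    i=$(openssl x509 -noout -issuer  -in "$1" | sed 's/^[a-zA-Z]*=//')
    [ "$s" = "$i" ]
}

# cert_fingerprint CERT
# Prints the SHA-256 fingerprint (AB:CD:...) to compare with the browser warning.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# install_cert OUTDIR
# Copies the files to the paths used in the vhost (run as root; /etc/ssl/private
# is not world-readable on Ubuntu, and the key must stay that way).
install_cert() {
    install -m 0644 "$1/server.crt" /etc/ssl/certs/server.crt
    install -m 0600 "$1/server.key" /etc/ssl/private/server.key
}

# Usage: sh make-cert.sh OUTDIR HOSTNAME DAYS   e.g.  sh make-cert.sh ./certs localhost 365
# then, as root:  install_cert ./certs
if [ "$#" -eq 3 ]; then
    make_self_signed "$1" "$2" "$3"
    cert_matches_key "$1/server.crt" "$1/server.key" && echo "key and certificate match"
    cert_is_self_signed "$1/server.crt" && echo "certificate is self-signed"
    echo "SHA-256 fingerprint: $(cert_fingerprint "$1/server.crt")"
fi
```

Run it once to produce the files, install them with install_cert, restart apache2 and compare the printed fingerprint with the one in the browser's certificate details: a matching fingerprint is the only thing that distinguishes your own self-signed certificate from any other certificate a middlebox could present, since the browser trusts neither.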
Informing Our Web Server
A couple more steps and we are ready to test. We need to grab a vhost for apache to use for SSL requests and then we need to make some changes to it in order to use our key and certificate file. The easiest way to do this is to copy the following:
sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/my-ssl
Then edit the ‘my-ssl’ file and be sure to add the following (comment out or remove existing entries if they are different from this):
SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
NOTE: change the path for the certificate and/or key if you saved or named them something else in our earlier steps.
Finally, we need to restart apache so that the new virtual host is picked up:
sudo service apache2 restart
You can then go to your browser and enter ‘https://localhost’ to see your new certificate in action. You WILL get a browser security warning since this is a SELF SIGNED certificate and not issued by a Certificate Authority. This is normal and in our next article, we will cover installing a CA signed certificate which will fix that.

Monday, February 25, 2013

Mitigate or Stop the Effects of DDoS Attacks



Load Balancing.
For network providers, there are a number of techniques used to mitigate the effects of a DDoS attack.  Providers can increase bandwidth on critical connections to prevent them from going down in the event of an attack.  Replicating servers can help provide additional failsafe protection in the event some go down during a DDoS attack.  Balancing the load to each server in a multiple-server architecture can improve both normal performance as well as mitigate the effect of a DDoS attack.

Throttling.
One proposed method to prevent servers from going down is to use Max-min Fair server-centric router throttles. This method sets up the routers in front of a server with logic that adjusts (throttles) incoming traffic to levels that are safe for the server to process, which prevents flood damage to the server. Additionally, this method can be extended to throttle DDoS attack traffic rather than legitimate user traffic, for better results. The method is still in the experimental stage; however, techniques similar to throttling are being implemented by network operators. The difficulty with implementing throttling is that it is still hard to distinguish legitimate traffic from malicious traffic: in the process of throttling, legitimate traffic may sometimes be dropped or delayed, and malicious traffic may be allowed to pass to the servers.

Drop Requests.
Another method is to simply drop requests when the load increases.  This can be done by the router or the server.  Alternatively, the requester may be induced to drop the request by making the requester system solve a hard puzzle that takes a lot of compute power or memory space, before continuing with the request.  This causes the users of zombie systems to detect performance degradation, and could possibly stop their participation in sending DDoS attack traffic.

Monday, February 18, 2013

Benefits of Software-Defined Networking

There has been a lot of talk about how software-defined networking (SDN) will change the face of networking, including reasons for adoption and the unique opportunity it gives the channel to expand its business and improve customer retention.

1. Operational Savings: SDNs lower operating expenses. Network services can be packaged for application owners, freeing up the networking team.
2. Flexibility: SDNs create flexibility in how the network can be used and operated. Resellers can write their own network services using standard development tools.
3. Improved Uptime: By eliminating manual intervention, SDNs enable resellers to reduce configuration and deployment errors that can impact the network.
4. Better Management: Managed Service Providers (MSPs) can use a single viewpoint and toolset to manage virtual networking, computing and storage resources.
5. Planning: Better visibility into network, computing, and storage resources means resellers can also plan IT strategies more effectively for their customers.
6. Infrastructure Savings: Separating route/switching intelligence from packet forwarding reduces hardware prices as routers and switches must compete on price-performance features.

Wednesday, February 6, 2013

Android is the new Windows CE



My conclusion is that while iPhone and Windows Phone are revolutionary smart phones, Android is the closest thing I have ever seen to an evolution of Windows CE. Android is the next generation Windows CE.

It has a freakin' Desktop!

Do you have any doubt that Android *is* Windows CE? It has a desktop! A place you drag icons and create shortcuts to apps. Really. It makes the entire experience one order of magnitude more complex than iOS/WP, where the apps are just there (side note: Windows Phone has tiles that can be thought of as shortcuts to apps, but they actually have additional value, contrary to Android plain shortcuts).

Poor Design

The most obvious thing people will feel when using an Android is the poor design. I'm not talking about the UX or interaction design -- which I'll comment on later -- I'm talking about icons that could have been designed by me! And I suck at it. The "Browser" icon on Android looks like it was found in a free icon collection from 1997. On the other hand, you might say that Android designers were explicitly going after a vintage look, but that isn't true either. There are at least 3 or 4 different styles for the icons from the get go. Some are flat, some are 3D, some are B&W, some have shadows, etc. Both iPhone and Windows Phone are very consistent in their app and button icons.

"I'm Google, I'm Google, I'm Google"

I tend to think of companies which over-emphasize their own brand or features with no value to users as having a low self-esteem issue. Android suffers the problem of over-emphasizing Google's technology, but I don't think they have low self-esteem. I think they have the opposite: too much confidence, and they've been drinking too much of their own Kool-aid.

Android comes with Google Earth in addition to Google Maps and a "Navigation" app. Why? It comes with a "Gmail" app in addition to an Email app -- I don't know how many people are like me, but the first thing I did was set up my email (which is GMail), but I clicked on the email app. When it asked for POP/IMAP and SMTP Server I knew I'd done something wrong. Wait, I knew that Google had screwed up the UX somewhere.

It has a "Google" app. Now, if you are not an Android user and you have never clicked on it, can you guess what it does? It takes you to Google.com. Why?! There is a huge bar taking 10% of the screen on top that does exactly the same thing. It has a "Messaging" app and a "Messenger" app. And then, there is the "app store"…

Where are the apps?

Not only do I have a low attention span, I'm very busy and pragmatic. I don't like to spend one hour exploring things. I'm totally task oriented. I want to install the Facebook App. I have 3 minutes to get it done. Go! Well, where the heck is the app store on this thing? It took me a while to find out that "Play Store" is the app store. The reason I didn't click on it was because it was next to "Play Books", "Play Magazines", "Play Movies", "Play Music", "Play Store". If you read it like this, you think of "Play Store" as "Game Store", not "App Store". The Android UX team are thinking as engineers, not as users. I know that very well because I worked at Microsoft and we suffered from the same problem. Naming and branding features is what we did day-in day-out, and once a feature is elevated to product status (by having a name), you have to treat it like a product. Turns out the line between software and content was blurred a long time ago and there is no reason to distinguish them. Is Yelp software or content? Is the NYT App software or content? Yes, the iOS App Store suffers from a similar issue.

Loved It

First of all, I really like the concept of swipe to "archive" / "dismiss" items that is used in many places and many apps. It's very fast and intuitive. On the iPhone you have to swipe and then press "archive" to archive an email. On Android that's a single motion, with an option to undo. Same thing for notifications on Android. I loved the Tethering feature. That alone might be worth using the phone if you care to not pay the Carrier tax for tethering. I also liked some of the geekier features, like network usage per day and per app, and ability to set alerts if you are getting close to your monthly data transfer limit.

Random rants


  • PIN number of variable length -- which means I have to click "enter". Since I have a yet-to-be-named psychological condition that requires me to check email every 3 minutes while I'm awake, every time I pull the phone out of my pocket I have to press 5 buttons instead of 4. Yeah, nitpicky, but it bothered me enough to write it here.
  • There is a "downloads" app. It's noise. No value.
  • Photo Album is called "Gallery" -- that's not how people name their personal pictures.
  • The GMail app crashed several times. 
  • The GMail app also had poor indication of when it last synced, or of whether things were working or not during a sync. It felt like sometimes it failed to sync but gave no indication of it. Also, when I forced a sync the animation stopped and it seemed there was no email, and 10 seconds later (after I left the app) the email notification icon would pop up. It was like the app fetched the email but spent 10 seconds rendering it -- or preparing to tell me it was there.
  • "News & Weather" should have been two apps and the weather part is bad because I'm always checking the weather of multiple cities, particularly when I'm days or weeks from a trip, and it only supported one city.
  • Search for "Yelp" on the "Play Store" and the first result is "Yelp Lookup for Thrutu by David Drysdale" (doesn't feel like the official Yelp app). Second result is "Maps by Google, Inc" with a special "Editors' Choice". I thought there was no Yelp app for Android until I went to yelp.com and it prompted me to install the Yelp App. Strange. Very strange. NOTE: Turns out that because I've got a SIM Card from Brazil, Google automatically assumed I wanted the "Play Store" from Brazil. That's probably a fringe issue since not many people will face it.
  • Why is the web browsing app called "Browser" and not "Chrome"?
  • Google's own Google Reader sucks in their Browser app. Every time you click "Next Item" on Google Reader the Browser navigation bar appears for 3-5 seconds, covering the next "Next Item" button and making quickly scanning blog posts very annoying.


Android is successful and it will continue to grow

There is a big difference between great products and great businesses. We all want to believe that great products inevitably lead to great business, but that's not true. Great value generation is what creates great businesses, and Android does it. It delivers incredible value to carriers, which allows them to customize and sell smart phones at a much cheaper price than iOS or Windows Phone devices, which means value to a huge segment of consumers. It has the technology horse power to be configured in many interesting ways (just like Windows CE had) and, above all, it has no competitor for what it's doing. People who want incredible control and power have no choice of smart phone but Android.

For me, Android doesn't work because I'm way too much focused on getting things done fast. I don't want to have 100% of features I need at the cost of making 90% of my most used features slower or harder to use.

Adopted from: http://blog.calbucci.com/2013/02/android-is-new-windows-ce.html

Monday, February 4, 2013

New Linux Monitoring Tools : Glances

Glances is free software (licensed under the LGPL) for monitoring your GNU/Linux or BSD operating system from a text interface. Glances uses the libstatgrab library to retrieve information from your system and is developed in Python.
So, another top/htop clone?
Yes and no. A unique thing about Glances that I immediately noticed is that you can configure thresholds in its configuration file and see the status of your system resources with colors that indicate whether everything is fine or not, at a glance.



Installation

Glances is available for some distributions: Debian (SID), Arch, Fedora, Red Hat and FreeBSD, but not for Ubuntu or Mint (as far as I have found, at least), so to install the latest version (1.6 at the moment) my suggestion is to use PyPI, the official Python package index, through pip. First install pip and the build dependencies:
$ sudo apt-get update
$ sudo apt-get install python-pip build-essential python-dev
Then install the latest Glances version:
$ sudo pip install Glances
 
Downloading/unpacking Glances
  Downloading glances-1.6.tar.gz (674Kb): 674Kb downloaded
  Running setup.py egg_info for package Glances
 
Downloading/unpacking psutil>=0.4.1 (from Glances)
  Downloading psutil-0.6.1.tar.gz (138Kb): 138Kb downloaded
  Running setup.py egg_info for package psutil
 
Installing collected packages: Glances, psutil
  Running setup.py install for Glances
 
    Installing glances script to /usr/local/bin
  Running setup.py install for psutil
    building '_psutil_linux' extension
    gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c psutil/_psutil_linux.c -o build/temp.linux-x86_64-2.7/psutil/_psutil_linux.o
    gcc -pthread -shared -Wl,-O1 -Wl,-Bsymbolic-functions -Wl,-Bsymbolic-functions -Wl,-z,relro build/temp.linux-x86_64-2.7/psutil/_psutil_linux.o -o build/lib.linux-x86_64-2.7/_psutil_linux.so
    building '_psutil_posix' extension
    gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c psutil/_psutil_posix.c -o build/temp.linux-x86_64-2.7/psutil/_psutil_posix.o
    gcc -pthread -shared -Wl,-O1 -Wl,-Bsymbolic-functions -Wl,-Bsymbolic-functions -Wl,-z,relro build/temp.linux-x86_64-2.7/psutil/_psutil_posix.o -o build/lib.linux-x86_64-2.7/_psutil_posix.so
 
Successfully installed Glances psutil
Cleaning up...
Now you can test it by typing the following in a terminal; you should see output similar to this:
glances
In Glances you’ll see a lot of information about the resources of your system: CPU, Load, Memory, Swap, Network, Disk I/O and Processes, all on one page. By default the color code means:
  • GREEN : the statistic is “OK”
  • BLUE : the statistic is “CAREFUL” (to watch)
  • VIOLET : the statistic is “WARNING” (alert)
  • RED : the statistic is “CRITICAL” (critical)
When Glances is running, you can press some special keys to give commands to it:
  • a: Sort processes automatically, which means:
      • if CPU IoWait > 60%, sort by process “IO read and write”
      • if CPU > 70%, sort by process “CPU consumption”
      • if MEM > 70%, sort by process “memory size”
  • c: Sort processes by CPU%
  • m: Sort processes by MEM%
  • p: Sort processes by name
  • i: Sort processes by IO Rate
  • d: Show/hide disk I/O stats
  • f: Show/hide file system stats
  • n: Show/hide network stats
  • s: Show/hide sensors stats
  • b: Bit/s or Byte/s for network IO
  • w: Delete warning logs
  • x: Delete warning and critical logs
  • 1: Global CPU or Per Core stats
  • h: Show/hide this help message
  • q: Quit (Esc and Ctrl-C also work)
  • l: Show/hide log messages

Configuration file

You can set your thresholds in Glances configuration file, on GNU/Linux, the default configuration file is located in /etc/glances/glances.conf.
Note that if you have installed the package via PyPI you won’t have that directory or the file, so you can start by downloading the file https://gist.github.com/4647457; this is a good template that you can modify to put in your own values.
As you can see in the file, a section is defined for each statistic (CPU, LOAD, MEM, …) with three kinds of limits: Careful (to monitor), Warning (to treat) and Critical (to be treated in an emergency).
The Limits used are available in the help window in the form of a table.


Client/server mode

Another interesting feature of this monitoring tool is that you can start it in server mode just by typing glances -s; this will give an output like Glances server is running on 0.0.0.0:61209, and you can then connect to it from another computer using glances -c @server, where @server is the IP address or hostname of the server.
Glances uses an XML-RPC server and can be used by other client software.
In server mode, you can set the bind address (-B ADDRESS) and the listening TCP port (-p PORT); the default bind address is 0.0.0.0 (Glances will listen on all network interfaces) and the default TCP port is 61209.
In client mode, you can set the TCP port of the server (-p port).
In client/server mode, limits are set by the server side.
Version 1.6 introduces an optional password for accessing the server (-P password); if it is set on the server, it must also be supplied on the client.

Conclusions

Glances is a really interesting project. It adds the concept of thresholds to top-like tools, which can be useful when you manage a large number of servers and want to set up different views (perhaps it is normal for your DB server to use 95% of the CPU, but it’s not fine if the web server does so). It also adds the concept of client/server mode, which opens new opportunities such as having a central point that collects all the information from your servers, or building a web frontend that parses this data and puts it in some nice web pages.