Archive for the 'Configurations' Category

When you generate a key pair in SecureCRT, it writes the public key in this format:

---- BEGIN SSH2 PUBLIC KEY ----
Subject: dave
Comment: "something"
ModBitSize: 1024
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDQNXZosE8eAu6t9dsznpimQAXdaqkSmgKAgZ4+
gP9tW/j+wKtsEOBGasp4/AQu89Avscku+zp6lEuy9PCtBt03IdaQwls9GBl67EUzrKM
3NLNscuCt/LAsdjHfjvBL4q0Oh+MsHu0c6G6ltICqYmvAHYNAYBoPJv+0RMvxPdoNQ==
---- END SSH2 PUBLIC KEY ----

This key is fine, but if you run a Linux server such as CentOS, Red Hat, Fedora, or any of the many others that use OpenSSH for their sshd, this key does not work as-is in ~/.ssh/authorized_keys. To convert it to the single line OpenSSH requires, first upload it to the server, either by pasting it into your text editor of choice or by uploading the file directly.

Then run the following command to add this key file to your authorized keys:

ssh-keygen -i -f /tmp/identity2.pub >> ~/.ssh/authorized_keys

You can then log in using your private key.

Here is the switch we are using:

-i Convert IETF SECSH to OpenSSH key file.
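As an added example (not from the original post), here is a small Python converter that performs the same transformation as ssh-keygen -i on the SECSH (RFC 4716) format shown above: it strips the BEGIN/END lines and the headers, joins the wrapped base64, and emits the one-line "type base64" form that authorized_keys expects, keeping the Comment header as the trailing comment field. The demo key is constructed only to exercise the container format; its modulus is a made-up number, not a real key.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n):
    """SSH mpint: big-endian magnitude, with a leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def make_rfc4716(blob, headers):
    """Write a SECSH (RFC 4716) public key file: headers, then base64 wrapped at 70 columns."""
    b64 = base64.b64encode(blob).decode("ascii")
    lines = [BEGIN] + [f"{k}: {v}" for k, v in headers.items()]
    lines += [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(lines + [END]) + "\n"

def secsh_to_openssh(text):
    """Convert an RFC 4716 key to the one-line authorized_keys form (what ssh-keygen -i does)."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key")
    body, comment, i = lines[1:-1], "", 0
    # Header lines contain a colon (base64 never does); a trailing backslash continues a header
    while i < len(body) and ":" in body[i]:
        hdr = body[i]
        while hdr.endswith("\\") and i + 1 < len(body):
            i += 1
            hdr = hdr[:-1] + body[i]
        name, _, value = hdr.partition(":")
        if name.strip().lower() == "comment":
            comment = value.strip().strip('"')
        i += 1
    blob = base64.b64decode("".join(body[i:]), validate=True)
    # The key type is the first SSH string inside the blob and must lead the OpenSSH line
    (tlen,) = struct.unpack(">I", blob[:4])
    keytype = blob[4:4 + tlen].decode("ascii")
    line = f"{keytype} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line

# Constructed demo key: the modulus is a made-up number, not a real key pair;
# only the container format is being exercised here
DEMO_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xC0FFEE1234567890ABCDEF)
DEMO_FILE = make_rfc4716(DEMO_BLOB, {"Subject": "dave", "Comment": '"something"'})
DEMO_OPENSSH = secsh_to_openssh(DEMO_FILE)

if __name__ == "__main__":
    print(DEMO_FILE)
    print(DEMO_OPENSSH)
```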


Awesome article on using vi/vim:

Do whatever you want. Don’t learn it if you feel it’s too much effort just for nothing. Learn emacs instead. Or stay in your IDE using a lousy editor. Whatever. But in any case, don’t ever claim again that those ‘vi guys are nutheads’ - I hope that I have succeeded in showing you why they (we) stick to it, and you should at least be able to understand its power, even if you prefer to stay away from it.


I first used vi around 1996 and it is still my preferred text editor for working with configuration files or even light coding. It sort of defies logic, but I, like Unix geeks around the world, feel compelled to keep using it. This article is a great write-up advocating a great text editor.

If you use a Windows SSH terminal client, or even Mac OS X's Terminal.app, the Page Up and Page Down keys may not behave the way you want. For example, in SecureCRT, PageUp will page up through your scrollback buffer and PageDown will page down through it, rather than sending the keystroke to the remote program.

You'll need to remap these keys to send the correct escape sequence to the remote terminal. Change each from the default system function to "send string" and use the following strings:

PageUp = \033[5~
PageDown = \033[6~

\033 is the octal code for the escape character (ESC); it is used because in some programs you can't type the actual Escape key.

Here are some other codes as well in case you need to remap keys.

Pause = \032
Macro = \003 # Break (Shift-Pause)
Home = \033[1~
Insert = \033[2~
Remove = \033[3~ # Delete
End = \033[4~

In SecureCRT the area to remap your keys is Tools -> Keymap Editor.

This is especially handy if you use command line IRC clients such as Irssi or BitchX.

Developing web apps cross-platform can be a pain sometimes, as the drivers used in Windows are typically not available (by default, anyway) in Linux. For example, if you are using Perl-based software in Linux, and you need to connect to a Windows database (for example, MSDE 2000 or SQL Server)

There are two essential pieces of open source software you will need. The first is unixODBC [http://www.unixodbc.org], which provides the ODBC driver manager that creates the ODBC connection. Second, you need a driver that can talk to your Windows data source; that driver is provided by FreeTDS [http://www.freetds.org].

After installing this software according to their respective websites, if you are using Perl you also need to install the module "DBD::ODBC":

perl -MCPAN -e 'install DBD::ODBC'

You can now set up data sources in your configuration files. In my case, this is /usr/local/etc/odbc.ini, but you can find where your installation keeps its configuration files using the command
odbcinst -j
In addition to setting up your connection here, you can create a “DSN-less” connection using a connection string. Depending on how your system is set up, you may need to supply the connection password in your connection string anyway.

I'm not going to go over the database connection code; for instructions on using the unixODBC software, see their website:

The software I am using as a particular example is Lyris Technologies ListManager. You can synchronize your mailing lists with your database. Depending on your database software your needs will change, so you will need to talk to your software provider for specific information. The information I am providing below is for iMIS software from Advanced Solutions International (ASI).

For the connection string in ListManager, you will use the following syntax:
DRIVER=FreeTDS;SERVER=10.0.0.X;UID=dbusername;PWD=dbpassword;DATABASE=dbname;TDS_Version=8.0;Port=1433;

dbusername = database username, must have dbreader access to your database
dbpassword = password to match username
dbname = actual database name

Make sure your SERVER IP is correct, and the port for MSDE 2000 is 1433 by default. (As a gotcha, make sure any firewall installed allows connections between your servers and ports).

This allows your Linux server to connect to your Windows server running the database.

Additionally, you'll need to provide the query string. I've found that ListManager is not very tolerant of SQL syntax; for example, it does not accept JOINs, so you need an alternative way of joining tables. Refer to the ListManager documentation to see which variables you can pull into its database.

Below is the SQL statement for 2 different mailing lists.

Selecting a particular Committee or Section:
SELECT Name.EMAIL AS EmailAddr_, Name.FULL_NAME AS FullName_, Name.ID AS Additional_, 'H' AS MailFormat_
FROM Name, Activity, Product
WHERE Activity.ID = Name.ID AND Activity.PRODUCT_CODE = Product.PRODUCT_CODE AND Product.PRODUCT_MINOR ='TEC'

In this case, ‘TEC’ is the code used in iMIS for the committee. You use the WHERE clause to specify joins. I do not think this is the best way, but it works in this case.

To select all Active Members:
SELECT Name.EMAIL as EmailAddr_, Name.FULL_NAME as FullName_, Name.ID as Additional_, 'H' AS MailFormat_
FROM Name
WHERE ((Name.MEMBER_TYPE)='REG' Or (Name.MEMBER_TYPE)='AFF' Or (Name.MEMBER_TYPE)='HON' Or (Name.MEMBER_TYPE)='SEN') AND ((Name.STATUS)='A')

As you can see, it is not exactly simple but it is easy enough to do once you have the right software. Once your software is talking to your databases, it makes things a lot easier!

Well, I got a lesson in properly configuring your e-mail server's error replies. Since setting up Postfix as an anti-spam and anti-virus gateway for my Exchange system (see my article Postfix as proxy to exchange server), I had left the option
soft_bounce = yes
enabled in my Postfix configuration.

This worked fine for months. However, I was then "joe jobbed", which means that a spammer used my domain name as the "from" or "reply-to" address on their e-mails. This causes a flood of bounce messages from other mail servers, with messages such as "no such user", "this account has been deleted", and so on. These e-mails are completely valid and authentic responses from e-mail servers.

Now, it is my personal opinion that mail servers should reject mail to users who are not real during the SMTP session, not generate more messages and bandwidth sending out a rejection response afterwards. But I understand why some e-mail providers wish to keep this option on, and I think Exchange has it on by default. So trying to change people's minds is not going to work; we need to deal with these rejection messages responsibly.

Here is where my server configuration showed its flaws. These are the official definitions of the 450 and 550 reply codes:

450 Requested mail action not taken: mailbox unavailable (e.g., mailbox busy)
550 Requested action not taken: mailbox unavailable (e.g., mailbox not found, no access, or command rejected for policy reasons)

The difference between the two reply codes is not really apparent at first glance. However, 4xx replies tell the remote server that the error is temporary and it should try again later; how much later depends on each server's settings. 5xx replies tell the remote server that the failure is permanent and it should not try again.

In the case of a joe job, you have thousands of servers responding to your server that addresses can't be found (or with any other error). When each of those servers "retries" its connection every 10 minutes or so, your server quickly finds itself rejecting a whole lot of messages.

Fortunately, the fix is easy. Fix your server to respond with a 550 instead of 450. Look at the change in the graph below - almost immediately after I switched to the 550 message:

[Graph: SMTP 450 vs 550 rejection rate]

You can see the benefits of keeping the 550 message. In postfix, the change is simple, change the soft_bounce line to:

soft_bounce = no

You can also customize your rejection codes for particular errors as below.

unknown_local_recipient_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

For more codes: Postconf manual
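As an added example, not from the original post, here is a Python tally over constructed Postfix smtpd reject lines that shows the retry effect described above: it counts rejections per reply code and lists the clients that keep coming back for the same recipient after a 4xx reply, which is what switching to 550 stops.

```python
import re
from collections import Counter

# Constructed sample lines in the Postfix smtpd reject log format (not taken from the original post);
# the client getting 450 comes back every ten minutes, the client getting 550 stops after one attempt
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 450 4.1.1 <joe@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<joe@example.org> proto=ESMTP helo=<mail.example.net>
Mar  3 10:10:02 mx postfix/smtpd[1202]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 450 4.1.1 <joe@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<joe@example.org> proto=ESMTP helo=<mail.example.net>
Mar  3 10:20:03 mx postfix/smtpd[1203]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 450 4.1.1 <joe@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<joe@example.org> proto=ESMTP helo=<mail.example.net>
Mar  3 10:05:00 mx postfix/smtpd[1204]: NOQUEUE: reject: RCPT from relay.example.com[198.51.100.7]: 550 5.1.1 <zed@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<zed@example.org> proto=ESMTP helo=<relay.example.com>
"""

# client[ip], the three-digit reply code, and the rejected recipient
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<client>\S+): (?P<code>[45]\d\d) \S+ <(?P<rcpt>[^>]*)>"
)

def parse_rejects(log_text):
    """Yield (client, code, recipient) for every smtpd rejection line."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.group("client"), m.group("code"), m.group("rcpt")

def rejects_by_code(log_text):
    """Count rejections per reply code, e.g. {'450': 3, '550': 1}."""
    return Counter(code for _, code, _ in parse_rejects(log_text))

def retry_storms(log_text, min_attempts=2):
    """Clients that keep retrying the same recipient after a 4xx reply.

    Each entry is (client, recipient, attempts); with a 550 reply the remote
    server would have given up after the first attempt.
    """
    attempts = Counter((c, r) for c, code, r in parse_rejects(log_text) if code.startswith("4"))
    return sorted((c, r, n) for (c, r), n in attempts.items() if n >= min_attempts)

if __name__ == "__main__":
    print(rejects_by_code(SAMPLE_LOG))
    for client, rcpt, n in retry_storms(SAMPLE_LOG):
        print(f"{client} retried <{rcpt}> {n} times")
```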

If you try to make or install a program and you receive an error like this:

make[2]: cc: Command not found

Then that means you don't have a C/C++ compiler installed!

If you are using CentOS or another yum-based distro, type:

yum install gcc-c++

That will install the needed RPMs for you.

If your Mozilla Thunderbird is slow to open the inbox, or any other folder for that matter, there are two things that you can do to try to fix this problem.

Step #1: The first thing is to try to compact the folder. This should help if you have a large inbox. If you can’t even get to this step, or if it is just too slow, try step #2.

Step #2: The .msf "index" file is corrupted. If this file gets corrupted, you may see slow initial loading of your inbox, messages that will not open, messages you cannot delete, and so on. You may also see a message in the status bar when you open Thunderbird that says something about rebuilding the index. The solution is to first close Thunderbird, then delete the inbox.msf file. For a different folder, you will see a "folder name.msf" file corresponding to that folder. This file is located in your profile directory. For me this was: "C:\Documents and Settings\Dave\Application Data\Thunderbird\Profiles\default\svxnp81c.slt\Mail\systembash.com"
But this varies because of the random profile string and your account profile name.
Delete this file. Make sure you leave the real inbox file alone - this is a file that is named “inbox” (or your folder name) without a file extension.

Re-open Thunderbird - the index will automatically be rebuilt and you should now have normal access to your inbox!

Problem: Checking the apache server status with the command “apachectl status”, “service httpd fullstatus” or by viewing http://server/server-status I get the message: “The requested URL /server-status was not found on this server” or your alternative 404 page not found error.

Answer: Assuming you have the module loaded and set up per the mod_status documentation, this is most likely a VirtualHost problem.

If you use the NameVirtualHost *:80 directive (or any *:port) to run multiple name-based virtual hosts, this configuration does not expose server-status on any of the publicly accessible addresses. The first VirtualHost matching the directive is treated as the default virtual host, so any request that matches no other name in that NameVirtualHost space (in this example, anything arriving on port 80 on any IP address) is served by that host, and hence you get a 404 Not Found error. Furthermore, you cannot place the server-status configuration inside a VirtualHost directive to have it served under a full domain name.

Solution: There are two basic ways to solve this. The first is to make the server listen on an alternative port (such as port 8080). Adding "Listen 8080" to the configuration will allow you to access the server status from http://yourip:8080/server-status.

The second will allow the command 'apachectl status' or 'service httpd fullstatus' to work properly, but it will not allow external access. If you switch each * to the actual IP address to serve from, then accessing from localhost (127.0.0.1) will work. So, you would need to change:
NameVirtualHost *:80
<VirtualHost *:80>

to
NameVirtualHost 10.0.0.3:80
<VirtualHost 10.0.0.3:80>

And then restart your server.

By the way, unless you need it, make sure to turn ExtendedStatus Off. This directive collects a lot of data about site visitors and can slow down a busy server.


I recently had a problem where my SpamAssassin install started thinking that a lot of spam messages were really ham (non-spam). Since these were getting BAYES_00 scores of -2.5, they were almost all getting through my spam filter. These particular messages were all about stock quotes and were pretty obviously spam just from the text of the messages. Somehow my SpamAssassin install thought they were not spam because the Bayesian filter was classifying them as ham, and since they kept getting through, the Bayesian filter kept learning them as ham.

In order to break this vicious cycle, you just need to clear out the bayesian tokens. It’s very easy to do. As root user, type:
sa-learn --clear
This starts you fresh. By default, SpamAssassin won't use the Bayes filter until it has learned 200 spam and ham messages, so until you reach that level it will continue to classify based on the other SpamAssassin detection rules.

Ideally, I would have sa-learn train using these spam messages. But since I use Outlook, and there is no “easy” way to have it interface with sa-learn, I find it easier to clean out the bayes tokens every once in a while. SpamAssassin Coach is a plugin for outlook which should connect to your spamd server and “learn” a message as ham or spam. But in practice, it did not work for me. It looks like the project has a lot of potential.

For more information on how Bayesian filtering works, check out this wikipedia article.


This one is neat - you can control those APC PDU Power Poles over the network via SNMP. This works for the APC Switched Rack Unit PDU, but it may work for others.

I use this on a PDU with Network Management Card AOS version v2.6.4 and Rack PDU APP v2.6.5, so of course this is not guaranteed for any other versions.

First, set up the PDU on the network. Then, you need to configure the SNMP write string. You do this by navigating the menu (default username password is apc/apc):
Control Console->Network->SNMP

Change one of the strings to Write+ and preferably change it from public/private to your own string. You can also restrict access to certain hosts for extra security. I always keep the APC PDUs on a private network since the APC telnet/web interface is so insecure.

Once that is set up, your PDU is ready to accept SNMP commands from your script of choice. I use PHP, so my examples use PHP code.

The APC MIB object (OID) which controls the status of the power ports is .1.3.6.1.4.1.318.1.1.12.3.3.1.1.4. followed by the number of the power port you wish to control.

I created a function that controls the port, it is as follows:

In config.php:
// translates APC IDs into their IP addresses
$apcids = array(
    "APC01" => "10.0.1.2",
    "APC02" => "10.0.1.6",
    "APC03" => "10.0.1.10",
    "APC04" => "10.0.1.14",
    "APC05" => "10.0.1.18",
    "APC06" => "10.0.1.22",
);

// This APC OID is incomplete - the outlet number of the PDU must be appended at the end
$apcportcontrolmib = ".1.3.6.1.4.1.318.1.1.12.3.3.1.1.4.";

// This is your SNMP Write+ string
$apcsnmp = "rwstring";

In functions.php:
//
// string function displayPowerStatus
// $apcid = ID of the APC unit as defined in config.php
// $apcport = Port of the outlet on the APC Switch
// returns STRING On, Off, Rebooting, or Error
function displayPowerStatus($apcid, $apcport) {
    include('config.php');
    $ip = $apcids[$apcid];
    $mib = $apcportcontrolmib.$apcport;
    // snmpget returns e.g. "INTEGER: 1"; trim() strips the prefix characters, leaving the number
    // (a failed query returns false, which trims to "" and falls through to "Error")
    $a = trim(snmpget($ip, $apcsnmp, $mib, 20000), "INTEGER: ");
    switch ($a) {
        case 1:
            return "On";
        case 2:
            return "Off";
        case 3:
            return "Rebooting";
        default:
            return "Error";
    }
}

// bool function manageAPCPort
// $apcid = ID of the APC unit as defined in config.php
// $apcport = Port of the outlet on the APC Switch
// $apcpass = APC Pass (SNMP Community String)
// $action {
//     immediateOn (1),
//     immediateOff (2),
//     immediateReboot (3),
//     delayedOn (4),
//     delayedOff (5),
//     delayedReboot (6),
//     cancelPendingCommand (7)
// }
// returns TRUE or FALSE
function manageAPCPort($apcid, $apcport, $apcpass, $action) {
    include('config.php');
    $ip = $apcids[$apcid];
    $mib = $apcportcontrolmib.$apcport;
    // 'i' is the SNMP value type (INTEGER) and must be passed as a quoted string
    $VERIFY = snmpset($ip, $apcpass, $mib, 'i', $action);
    return $VERIFY;
}

Note that this code requires the PHP snmpset and snmpget functions, which are not compiled into PHP by default. If you receive an error about the snmpset or snmpget function not being found, this is why.

Welcome to systemBash, a technology and system administration blog by David Drager. If you enjoy this sort of content, you can subscribe to the RSS feed using the link to the right.