Setting up PostgreSQL on FreeBSD

by kkikta 29. January 2008 02:15
I know a lot of people prefer the LAMP (Linux, Apache, MySQL, PHP) stack, but I like PostgreSQL. The main reason I prefer PostgreSQL to MySQL (recently purchased by Sun) is that I come from a SQL Server/Oracle background and feel that PostgreSQL has a better implementation of the SQL (Structured Query Language) standard. That being said, I am also a .NET/CF programmer, so I prefer Mono/Tomcat when I host web-based applications on non-Windows systems. So anyway, when I got my new dual-Opteron server I wanted to load PostgreSQL on it, but it's more complicated than just running a make install from ports in FreeBSD.

First, since I like to separate application data from the operating system, I generally set up a separate partition for my apps to store data on. In this case I have an 18GB partition labeled /data on which I will store the database files. Unfortunately this box is a 1U server and only has space for two drives (RAID-1), so I didn't have the option to put the database data on its own drives, which I have found is helpful on Windows systems.

Next I ran make install from the postgresqlxx-server port directory with the optimized build and 64-bit date support options. When the install completed I was notified that, to support more connections, I should rebuild my kernel with some options to increase the shared memory and semaphore limits:
  options         SYSVSHM
  options         SYSVSEM
  options         SYSVMSG
  options         SHMMAXPGS=65536
  options         SEMMNI=40
  options         SEMMNS=240
  options         SEMUME=40
  options         SEMMNU=120
I generally use a slightly modified GENERIC kernel. I used to modify it heavily but found that the performance gain was rather small, so the first three options were already in the kernel. After I added the bottom five options I ran buildkernel and installkernel, which is covered in my previous post, and rebooted the server.

After the server restarted I logged back in and proceeded to edit the rc.conf file in /etc to add the following lines:
postgresql_enable="YES"
postgresql_data="/data/pgsql"
The first line tells the operating system to start PostgreSQL when the server boots; the second tells PostgreSQL to use the /data/pgsql directory to store database data. At this point I thought all I needed to do to be up and running was run /usr/local/etc/rc.d/postgresql initdb and /usr/local/etc/rc.d/postgresql start. Well, I was almost correct: I forgot that the pgsql user did not have write access to the /data partition. So I created the directory /data/pgsql using mkdir and then gave the pgsql user ownership of it using chown -R pgsql:pgsql /data/pgsql. Next I re-ran the initdb command, which executed successfully. Last, I decided it would be a good idea to restart the server to make sure everything came up correctly, which it did.
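A pre-flight check for the data directory problem described above, added here as an example (it is not part of the original post): it verifies what initdb will insist on before you run it. It assumes the pgsql user name from the post and that the owner is the third column of ls -ld, as on FreeBSD and Linux.

```shell
#!/bin/sh
# Added example, not from the post: make sure the PostgreSQL data directory
# is in the state "rc.d/postgresql initdb" needs before running it, so the
# "pgsql cannot write to /data" problem is caught up front.
# Assumptions: the owner is column 3 of "ls -ld" (true on FreeBSD and Linux),
# and initdb wants an empty directory that the server user owns, mode 0700.

# pgdata_check DIR USER: return 0 if DIR exists, is owned by USER, has no
# group/other access and is empty; otherwise print the first problem, return 1.
pgdata_check() {
    dir=$1; user=$2
    [ -d "$dir" ] || { echo "$dir: does not exist"; return 1; }
    owner=$(ls -ld "$dir" | awk '{print $3}')
    [ "$owner" = "$user" ] || { echo "$dir: owned by $owner, not $user"; return 1; }
    perms=$(ls -ld "$dir" | cut -c5-10)        # group and other permission bits
    [ "$perms" = "------" ] || { echo "$dir: group/other access ($perms)"; return 1; }
    [ -z "$(ls -A "$dir")" ] || { echo "$dir: not empty"; return 1; }
    return 0
}

# pgdata_prepare DIR USER: the post's mkdir + chown steps plus chmod 0700,
# followed by the check. Run as root on the real box, e.g.
#   pgdata_prepare /data/pgsql pgsql && /usr/local/etc/rc.d/postgresql initdb
pgdata_prepare() {
    mkdir -p "$1" && chown "$2" "$1" && chmod 700 "$1" && pgdata_check "$1" "$2"
}
```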

Now all I need to do is start the joyous task of migrating databases, normally not a big deal, but I have one that's rather large and will require me to schedule an outage. Undoubtedly this will mean I will have to do it at some awful hour in the morning, most likely on a weekend. Yay me.

Tags:

FreeBSD | PostgreSQL

Enable automatic defence against SSH attacks on FreeBSD using PF

by kkikta 25. January 2008 06:52
For a long time I used to see reports of brute-force SSH attacks against my FreeBSD machines in my mailbox every morning. Finally I got fed up, not that they were even getting close to getting in, but I was just tired of getting these huge reports. So I decided it was time to do something about it. First let me say I run PF (the BSD Packet Filter) on all my FreeBSD machines. It's quite easy to set up, so I will start there.
  1. Rebuild your kernel to enable ALTQ; being able to throttle bandwidth is pretty cool (optional)
    1. Create a folder in /root called kernels
      [root@test] [/usr/src/sys/i386/conf]# mkdir /root/kernels
    2. Make a copy of the GENERIC kernel profile and place it in the /root/kernels directory. Keep in mind that if you're running, say, AMD64 this directory will be slightly different.
      [root@test] [/usr/src/sys/i386/conf]# cp GENERIC /root/kernels/
    3. Rename the file to something else like GENERIC-PF
      [root@test] [/usr/src/sys/i386/conf]# mv /root/kernels/GENERIC /root/kernels/GENERIC-PF
    4. Link the new kernel file into the directory where your kernel configuration files exist.
      [root@test] [/usr/src/sys/i386/conf]# ln -s /root/kernels/GENERIC-PF
    5. Open the file in your favorite editor (vi for me)
      [root@test] [/usr/src/sys/i386/conf]# vi GENERIC-PF
      You may want to change the ident so that it reflects the changes you make to the kernel as well.
      ident         GENERIC-PF
      and add the following lines below the last line that starts with options and above the first line that begins with device.
      options         ALTQ
      options ALTQ_CBQ # Class Based Queueing (CBQ)
      options ALTQ_RED # Random Early Detection (RED)
      options ALTQ_RIO # RED In/Out
      options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
      options ALTQ_PRIQ # Priority Queuing (PRIQ)
      options ALTQ_NOPCC # Required for SMP build
    6. Rebuild your kernel

      [root@test] [/usr/src/sys/i386/conf]# cd ../../../
      [root@test] [/usr/src]# make buildkernel KERNCONF=GENERIC-PF

    7. If everything goes right install your new kernel
      [root@test] [/usr/src]# make installkernel KERNCONF=GENERIC-PF
    8. Reboot
  2. Enable PF in your /etc/rc.conf by adding the following lines to the end of the file
    pf_enable="YES"
    pflog_enable="YES"
    
  3. Edit your /etc/pf.conf to set up some basic rules. Before doing this you should know what kind of network card you have; you can find this info by running the command ifconfig. In the box I have at the house I have a VIA NIC, so the driver is vr0.
    1. Edit the entry ext_if="eth0" to contain your NIC driver: ext_if="vr0". If you're going to do other filtering you will want to set ext_addr to your external IP address.
    2. Let pf know your loopback interface is safe by telling it to skip filtering
      set skip on lo0
    3. It's also not a bad idea to normalize malformed incoming packets; this can be done by adding the line
      scrub in on $ext_if all
    4. Set up rules to block everything you don't explicitly want to allow and pass the good stuff
      block in log on $ext_if all
      block out log on $ext_if all
      pass  out on $ext_if inet proto tcp all flags S/SA keep state
      pass  out on $ext_if inet proto udp all keep state
      pass  out on $ext_if inet proto icmp all keep state
    5. Enable ssh through the firewall
      pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
    6. Next you will probably want to set up your basic rules if you are using any services such as HTTP or FTP.
    7. Add the table used to stop those script kiddies in their tracks.
      # sshd attacks
      table <ssh-violations> persist file "/etc/ssh-violations"
      block drop in from <ssh-violations> to any
  4. You should end up with something that looks similar to this.
    ext_if="vr0"
    ext_addr="10.11.12.13"
    
    set skip on lo0
    scrub in on $ext_if all
    
    block in  log on $ext_if all
    block out log on $ext_if all
    
    pass  out on $ext_if inet proto tcp all flags S/SA keep state
    pass  out on $ext_if inet proto udp all keep state
    pass  out on $ext_if inet proto icmp all keep state
    
    #ssh
    pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
    
    #http
    pass  in  on $ext_if proto tcp from any to any port 80 flags S/SA keep state
    
    # sshd attacks
    table <ssh-violations> persist file "/etc/ssh-violations"
    block drop in from <ssh-violations> to any
    
    antispoof for $ext_if

  5. Next create a blank ssh-violations file.
    [root@test] [/etc]# touch ssh-violations
  6. Enable PF
    [root@test] [/etc]# rc.d/pf start
  7. Now that you have PF up and running comes the good part: open up your favorite editor, create a file in the /root directory named sshd-fwscan.sh and paste the following.
    #!/bin/sh
    # Rebuild the <ssh-violations> pf table from what sshd logged in auth.log
    COMMAND="/sbin/pfctl"
    LOG="/var/log/auth.log"
    $COMMAND -t ssh-violations -T flush
    # "Illegal user ... from <ip>" and "Invalid user ... from <ip>": the address
    # is the 10th field. sort first so uniq -d catches repeats that are not adjacent.
    for ips in `grep sshd "$LOG" | grep -E "Illegal|Invalid" | awk '{print $10}' | sort | uniq -d` ; do
        $COMMAND -t ssh-violations -T add "$ips"
    done
    # "Failed password for <user> from <ip> port <n> ssh2": the address is the
    # 4th field from the end. Block any address with more than 5 failures that
    # is not already in the table (check the table itself, not the rule set).
    grep sshd "$LOG" | grep "Failed" | rev | cut -d' ' -f 4 | rev | sort | uniq -c | \
    ( while read num ips; do
        if [ "$num" -gt 5 ]; then
            if ! $COMMAND -t ssh-violations -T show | grep -qwF "$ips" ; then
                $COMMAND -t ssh-violations -T add "$ips"
            fi
        fi
    done
    )

  8. Change the permissions on that file to +x
    [root@test] [/root]# chmod +x sshd-fwscan.sh
  9. Set up a crontab entry so that the file is run, say, every 2 minutes.
    */2 * * * *     /root/sshd-fwscan.sh > /dev/null 2>&1

At this point, if you have done everything correctly, it should be really hard for them to successfully brute-force SSH since they only have 120 seconds to figure out your password before they get dropped like a bad habit by the firewall.
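The log parsing step of sshd-fwscan.sh, as an added example that is not the post's script: one awk pass keys on the word "from", so the address is found the same way for all three sshd messages instead of by a per-message field position. It assumes the FreeBSD syslog line layout shown in the constructed sample log below; the pfctl feed at the end is the same table the post uses.

```shell
#!/bin/sh
# Added example, not the post's sshd-fwscan.sh: extract the addresses behind
# repeated sshd failures with one awk pass that keys on the word "from", so the
# field position does not have to be guessed per message type ($10 for
# "Invalid user", 4th-from-last for "Failed password"). Assumes the FreeBSD
# syslog line layout shown in the constructed sample below.

# ssh_offenders LOG THRESHOLD: print, sorted, every source address that appears
# in more than THRESHOLD "Illegal user", "Invalid user" or "Failed password"
# lines of LOG. Successful logins are never counted.
ssh_offenders() {
    awk -v max="${2:-5}" '
        /sshd\[[0-9]+\]:/ && (/Illegal user/ || /Invalid user/ || /Failed password/) {
            for (i = 1; i < NF; i++)            # address is the word after "from"
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) if (count[ip] > max) print ip }
    ' "$1" | sort
}

# Constructed sample log (documentation addresses): 203.0.113.5 shows up in 6
# failure lines, 198.51.100.7 in 2, 192.0.2.10 logs in with a key. Prints the file name.
sample_log() {
    f=$(mktemp "${TMPDIR:-/tmp}/authlog.XXXXXX") || return 1
    cat > "$f" <<'EOF'
Jan 25 06:40:01 test sshd[1201]: Invalid user admin from 203.0.113.5
Jan 25 06:40:01 test sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4455 ssh2
Jan 25 06:40:04 test sshd[1203]: Failed password for root from 203.0.113.5 port 4456 ssh2
Jan 25 06:40:07 test sshd[1205]: Failed password for root from 203.0.113.5 port 4457 ssh2
Jan 25 06:40:10 test sshd[1207]: Failed password for root from 203.0.113.5 port 4458 ssh2
Jan 25 06:40:13 test sshd[1209]: Failed password for root from 203.0.113.5 port 4459 ssh2
Jan 25 06:40:20 test sshd[1211]: Failed password for kkikta from 198.51.100.7 port 5001 ssh2
Jan 25 06:40:25 test sshd[1213]: Failed password for kkikta from 198.51.100.7 port 5002 ssh2
Jan 25 06:41:00 test sshd[1215]: Accepted publickey for kkikta from 192.0.2.10 port 5100 ssh2
EOF
    echo "$f"
}

# Demo on the sample; on a real box feed the pf table instead, e.g.
#   ssh_offenders /var/log/auth.log 5 | while read ip; do pfctl -t ssh-violations -T add "$ip"; done
f=$(sample_log) && ssh_offenders "$f" 5 && rm -f "$f"   # prints 203.0.113.5
```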

Tags:

FreeBSD

HTML textbox editors for .NET

by kkikta 24. January 2008 06:04
Rarely do you find "free" software that does not require either several steps to set up or custom tweaks to get working the way you want. For the past couple of months I have been playing with FCKeditor, which is nice, don't get me wrong, but it's not the easiest to set up for some people (hence why I have had to do it for a few people). Once it's working it's great and couldn't be easier. That being said, I have now found a tool that I believe is even better since it requires almost no setup at all. That tool is FreeTextBox. Now, I haven't tested any of the advanced features, but I have to say I do like that everything is contained in the library (images, JavaScript, etc.). It makes using this component a breeze. I am definitely going to see what it will take to get OpenFlashChart.NET to have similar functionality; I know it's not difficult, but I just haven't done it before.

Tags:

.NET

C# Implementation of phk's md5crypt used for passwords in FreeBSD

by kkikta 23. January 2008 06:13

I wrote this a while ago with the intention of releasing it but never could figure out where it would fit best. Anyway, it's a .NET implementation of Poul-Henning Kamp's md5crypt routine for generating passwords. I personally am using it for creating passwords in a PostgreSQL database that is being used by a FreeBSD mail server. It's pretty easy to use and pretty safe too; word on the street is this is the same routine that Cisco uses to encrypt passwords on routers, and obviously it's still used to create passwords in FreeBSD.

Koolwired.Cryptography.zip (4.82 kb)

Since it's a static method on a static class there is no need to create an instance of the class; just call it like this:

string newpass = Koolwired.Cryptography.md5crypt.crypt("password");

The example above creates a new encrypted password; this can also be used to verify existing passwords once you know the "salt/magic". The format for this type of password is $[magic]$[salt]$[encrypted password], so it's pretty easy to separate. If you didn't know, one of the benefits of salt is that two users could have the exact same password but the encrypted passwords would be different because they most likely do not have the same salt string.

string verify = Koolwired.Cryptography.md5crypt.crypt("password", "$1$salt");
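The verification flow just described, as an added example that is neither from the post nor the Koolwired library: it splits a stored string into the "$1$salt" prefix and re-runs the same md5crypt routine on a candidate password. It assumes the openssl command-line tool is present; its "passwd -1" implements md5crypt and stands in for the C# crypt() call.

```shell
#!/bin/sh
# Added example, not from the post and not the Koolwired library: split a
# stored "$1$salt$hash" string into the "salt/magic" prefix the post says you
# need, and verify a candidate password against it. Uses "openssl passwd -1",
# which implements the same md5crypt routine, in place of the C# crypt() call.

# md5crypt_prefix HASH: print "$1$salt" from "$1$salt$hash"; non-zero status
# (and a message on stderr) if HASH is not in md5crypt format.
md5crypt_prefix() {
    case $1 in
        '$1$'*'$'*) ;;
        *) echo "not an md5crypt string: $1" >&2; return 1 ;;
    esac
    rest=${1#\$1\$}                       # strip the magic
    printf '$1$%s\n' "${rest%%\$*}"       # salt runs up to the next '$' (8 chars max)
}

# md5crypt_verify PASSWORD HASH: 0 if crypt(PASSWORD, prefix) reproduces HASH,
# 1 otherwise. Same comparison as running the post's
#   md5crypt.crypt("password", "$1$salt")
# and checking the result against the stored string.
md5crypt_verify() {
    prefix=$(md5crypt_prefix "$2") || return 1
    [ "$(openssl passwd -1 -salt "${prefix#\$1\$}" "$1")" = "$2" ]
}

# Usage: md5crypt_verify 'candidate' '$1$salt$hash' && echo ok
```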



Tags:

.NET

Dynamic rebuild of resultset in cold fusion with filtering.

by kkikta 23. January 2008 04:31

So earlier today I was asked to update a site I do maintenance on to filter out products from displaying more than once per page. Normally this is no problem because I would just do it in the query using a GROUP BY or a subquery if I had to. In this particular case doing it in the query would have required substantial rework of a query that is already quite complex. Basically, products can exist in many categories and this is a report that is grouped by category. The client decided they did not want to see a product more than once per page regardless of whether it existed in more than one category. So I started to look at what it would take to write something in ColdFusion. After looking online for a few minutes I noticed that I could not find a simple function that would suit my needs and prevent me from having to do something like this in the future. So I opened up CFEclipse (I am totally spoiled on Visual Studio now; if I had to do CF more often I think I would go back and get HomeSite 5.5+ again) and began to write a simple function. I decided the function should be able to dynamically rebuild the query results regardless of the column names and filter out duplicate values on a particular column.

First I realized I needed an easy way to find out if a value already existed in an array. Unfortunately ColdFusion lacks an IndexOf method for searching arrays, so that would be step 1.

<cffunction name="IndexOf">
    <cfargument name="arr" type="Array">
    <cfargument name="val" type="String">
    <cfif ArrayLen(arr) gt 0>
        <cfloop from="1" to="#ArrayLen(arr)#" index="i">
            <cfif arr[i] is val>
                <cfreturn i>
            </cfif>
        </cfloop>
    </cfif>
    <cfreturn 0>
</cffunction>

I created another function that would dynamically recreate the recordset but filter on a column named productid.

<cffunction name="UniqueQuery">
    <cfargument name="query" type="query">
    <cfset columns = query.ColumnList>
    <cfset myQuery = QueryNew(columns)>
    <cfset items = ArrayNew(1)>
    <cfloop query="query">
        <cfif IndexOf(items, productid) is 0>
            <cfset temp = ArrayAppend(items, productid)>
            <cfset newRow = QueryAddRow(myQuery)>
            <cfloop list="#columns#" index="i">
                <cfset temp = QuerySetCell(myQuery, i, evaluate(i), myquery.recordcount)>
            </cfloop>
        </cfif>
    </cfloop>
    <cfreturn myQuery>
</cffunction>

Now this is all well and good and works for what I want, but with a little tweaking it could be better and more portable.

<cffunction name="UniqueQuery">
    <cfargument name="query" type="query">
    <cfargument name="filter" type="string">
    <cfset columns = query.ColumnList>
    <cfset myQuery = QueryNew(columns)>
    <cfset items = ArrayNew(1)>
    <cfloop query="query">
        <!--- evaluate(filter) reads the named column from the current row --->
        <cfif IndexOf(items, evaluate(filter)) is 0>
            <cfset temp = ArrayAppend(items, evaluate(filter))>
            <cfset newRow = QueryAddRow(myQuery)>
            <cfloop list="#columns#" index="i">
                <cfset temp = QuerySetCell(myQuery, i, evaluate(i), myquery.recordcount)>
            </cfloop>
        </cfif>
    </cfloop>
    <cfreturn myQuery>
</cffunction>

Keep in mind that only the first two snippets have been tested, but I don't see why the third would not work. I know this isn't hard or really that complicated, but maybe this will help someone out so they don't have to start from scratch.

Tags:

ColdFusion

So finally this domain has purpose

by kkikta 22. January 2008 03:59

I've owned this domain for a while now and never really had a use for it, but I guess now is as good a time as any. Originally I wanted to do some kind of code sharing, but there are so many services out there that already do it. I use a couple of them, including SourceForge and CodePlex. Anyway, this is my feeble attempt at doing something useful.

A little background info on me: I am a C# .NET developer these days, but that was not always the case. In the past I did ColdFusion and ASP. Before that I was, at the time, a real guru in JavaScript and HTML back when that was king. I am also a self-proclaimed database guru; most of my current projects use PostgreSQL, but I'm no stranger to SQL Server or Oracle. In addition to all this I sometimes act as system administrator for Windows, Unix-like operating systems and on occasion even OS X, although my preference is FreeBSD.

Lately I have noticed that I have no real record of many of the problems and solutions I have encountered, so this will be my attempt at cataloging those. Most of the posts here will most likely be in reference to things I am doing with C# and FreeBSD, but don't be surprised to see some ColdFusion or JavaScript pop up every now and again.

Tags:

General
