Robert de Bock

Ssh through a proxy from your Apple Mac OS X

For Linux using Corkscrew and for Windows using PuTTY it is possible to punch through proxies to connect to a remote SSH server. Let's do the exact same thing from an Apple, using Mac OS X.

You will need to download Corkscrew. Open a Terminal to type some of these commands:

$ cd Downloads
$ tar -xvzf corkscrew-x.y.tar.gz
$ cd corkscrew-x.y
$ ./configure --host=apple
$ make
$ cp corkscrew $HOME/.ssh/

If that does not work, try downloading my compiled version (right click, download linked file); maybe that works on your Mac.

Now you need to tell your ssh client (also on your Apple) to use corkscrew. In that same terminal, either use vi(1) or simply copy, change and paste these commands to suit your situation:

echo "Host machine-on-the-outside-network.example.com" >> $HOME/.ssh/config
echo "ProxyCommand $HOME/.ssh/corkscrew proxy.on-the-inside-network.example.com 8080 %h %p" >> $HOME/.ssh/config

Replace machine-on-the-outside-network.example.com by the machine that you want to reach, usually a server or your home computer running an ssh daemon. Replace proxy.on-the-inside-network.example.com by the name of the proxy server you are using. You can find this in the Network preferences, under Advanced, at Proxies. Replace 8080 by the port your proxy is listening on, usually 8080 or 3128.

You are now done. In that terminal that is or was open, type:

$ ssh machine-on-the-outside-network.example.com

and you should be done!

Best new features in OpenBSD 4.3

In May 2008, OpenBSD 4.3 will be released. Check the new features of OpenBSD 4.3 for a full list. These are the features that I like best:

  • New tools: snmpd(8), implementing the Simple Network Management Protocol.
  • New functionality: The periodic security(8) reports now include package changes.
  • Assorted improvements and code cleanup: The disklabel(8) -E mode does not allow manual editing of the 'c' partition, which is always set to cover the entire disk.
  • OpenSSH 4.8: Added chroot(2) support for sshd(8), controlled by a new option "ChrootDirectory".
  • Some highlights: Gnome 2.20.3.

The OpenBSD team has been working hard for (at least) the last half year! Thanks!

Check your password for strength

Here is a very cool website to check how strong the password you are typing is. It is surprising how different passwords give different scores.

I would like to integrate a tool like this in applications like Drupal.

Using corkscrew and an HTTP proxy to ssh anywhere through firewalls

Because the article "Using Putty and an HTTP proxy to ssh anywhere through firewalls" was well read, here is the same trick, but for Linux/UNIX/*BSD.

Imagine you are using a Linux/UNIX/*BSD system and you can't use ssh to go outside of your company's network. Here is a trick to ssh through the proxy.

Just to be sure, here is the list of requirements:

  • A Linux/UNIX/*BSD workstation that has OpenSSH installed.
  • A (company) proxy that enables you to surf the web.
  • Not being able to use ssh to connect to machines on the internet. If you are able to ssh from your workstation directly to the destination, skip this article, you will not benefit from it.
  • A program called corkscrew. You can download it and compile it. You do not need to install it in /usr/local/bin, but for this example we did. A location in your home directory will be sufficient.
  • A Linux/UNIX machine to be used as an ssh server. I will use the host "machine-on-the-outside-network.example.com" in this example.

So, you got them all? Let's go then.

Finding out what proxy you are using

If you are lucky you can just open the preferences of your web browser and see what proxy (and port, usually 3128 or 8080; 80 could also be used) you are using.
If you are using a PAC file and can't figure out what proxy you are using, follow these steps:

  1. Open a website in your browser. Any website will do, but the best website will work better. ;-)
  2. Open a terminal.
  3. Run netstat -an. You will see many entries; try looking (grep) for port 3128, 8080 or 80. Most proxies use one of these ports.
  4. Take a note of the host that is the proxy. You will need this when configuring ssh. In my example, the proxy name will be "proxy.on-the-inside-network.example.com", listening on port 3128.

Configuring OpenSSH to use that proxy

OpenSSH reads an optional configuration file when starting the client. You can set options for all sessions or for specific hosts in ~/.ssh/config.
My configuration looks like this:

Host machine-on-the-outside-network.example.com
ProxyCommand /usr/local/bin/corkscrew proxy.on-the-inside-network.example.com 3128 %h %p

Now start the connection to see if it works:

$ ssh machine-on-the-outside-network.example.com

Hopefully this will work for you; you might get more information if you add the -v switch to the ssh command.
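The two ~/.ssh/config recipes above (the Mac one with echo >> and this one) append a Host block every time they are run, so a second run leaves duplicate entries. The function below, an added example and not part of the original posts, writes the block only when it is missing and keeps the file private; the host names, port and corkscrew path are the placeholders from the articles.

```shell
#!/bin/sh
# Added example (not from the original posts): idempotently add a ProxyCommand
# entry for one host to an ssh config file. A bare "echo >> ~/.ssh/config"
# appends a second copy on every run; this checks first.

add_proxy_host() {
    # $1 = ssh config file, $2 = destination host, $3 = proxy host,
    # $4 = proxy port, $5 = path to the corkscrew binary
    cfg=$1; dest=$2; proxy=$3; port=$4; corkscrew=$5
    if [ -f "$cfg" ] && grep -q "^Host $dest\$" "$cfg"; then
        return 1   # already configured, leave the file alone
    fi
    {
        printf 'Host %s\n' "$dest"
        # %%h and %%p are literal %h and %p for printf; ssh expands them
        # to the destination host and port when it runs the ProxyCommand.
        printf '    ProxyCommand %s %s %s %%h %%p\n' "$corkscrew" "$proxy" "$port"
    } >> "$cfg"
    chmod 600 "$cfg"   # the config may also carry IdentityFile lines; keep it private
    return 0
}

# How many "Host <name>" blocks a config file holds for a given name.
count_host_blocks() {
    grep -c "^Host $2\$" "$1"
}

# Usage (placeholders from the articles):
# add_proxy_host "$HOME/.ssh/config" machine-on-the-outside-network.example.com \
#     proxy.on-the-inside-network.example.com 3128 "$HOME/.ssh/corkscrew"
```

Afterwards, ssh -G machine-on-the-outside-network.example.com prints the effective options (OpenSSH 6.8 or later), so you can confirm which ProxyCommand will actually run; the proxy only sees a CONNECT to the host and port, the SSH session itself stays end-to-end encrypted, so verify the host key fingerprint on the first connection as usual.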

Making a shell function debug

When you are writing a shell script, you can set the shell script to debug, like this:

#!/bin/sh -x

But when you are using functions, the debugging is disabled for the functions. When you set -x inside the function, that function will also be debugged, like this:

#!/bin/sh

# Hyphens are not portable in sh function names, so use an underscore.
whatever_function () {
    set -x
    echo "Hello World!"
}

whatever_function

What is this standard out, standard in and standard error?

For people new to shell scripting, here is a little help on the "channels" stdout (standard out, 1), stderr (standard error, 2) and stdin (standard in, 0).

When you launch a command like ls, it writes the list of files to /dev/stdout (a.k.a. channel 1 or standard out).

When a command has an error to report, it writes it to /dev/stderr (a.k.a. channel 2 or standard error).

Normally both stdout and stderr are displayed on your screen, so you do not notice these channels. Let's do an experiment to demonstrate the different channels.

$ ls
myfile
yourfile
$ ls myfile nofile
myfile
ls: nofile: No such file or directory
$ ls myfile nofile > /dev/null
ls: nofile: No such file or directory
$ ls myfile nofile 2> /dev/null
myfile
$ ls myfile nofile > /dev/null 2>&1
$

So what just happened?

  1. ls: this just lists the files; no arguments are given, just the command ls.
  2. ls myfile nofile: this command has two arguments; myfile exists, nofile does not. ls reports one file and one error.
  3. ls myfile nofile > /dev/null: here standard out is redirected to /dev/null, the bit bucket/trash bin. Only the error is shown, because it is not sent over standard out.
  4. ls myfile nofile 2> /dev/null: here standard out is displayed, but standard error (2) is thrown away by sending it to /dev/null.
  5. ls myfile nofile > /dev/null 2>&1: you will see this syntax appended to commands when you want to disregard everything a command produces, both standard out and standard error. What it literally means: "Send standard out to /dev/null. Send standard error to where standard out is going."
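The fifth form only works in that order. Redirections are applied left to right, so "2>&1 >/dev/null" sends stderr to wherever stdout pointed before stdout itself is thrown away. This added example (not from the original post) uses a small helper instead of ls so the difference can be seen without needing files on disk:

```shell
#!/bin/sh
# Added example (not from the original post): a helper that writes one line
# to each channel, followed by the redirection variants from the article and
# the one where the order of the redirections matters.

both() {
    echo "to stdout"        # channel 1
    echo "to stderr" >&2    # channel 2: >&2 means "send this to fd 2"
}

# Drop the error channel, keep the output (like "ls ... 2> /dev/null").
only_stdout() { both 2>/dev/null; }

# Order matters: first "2>&1" copies stderr onto the CURRENT stdout (the
# terminal, or whatever captures the output), THEN ">/dev/null" moves stdout
# away. Net effect: you see the errors and lose the output.
only_stderr() { both 2>&1 >/dev/null; }

# The article's form: stdout to the bit bucket, then stderr to where stdout
# now goes, so nothing at all comes out.
nothing_at_all() { both >/dev/null 2>&1; }

# Swap the two channels using a temporary descriptor 3, then close it.
swap_channels() { both 3>&1 1>&2 2>&3 3>&-; }
```

Command substitution captures only stdout, so $(only_stderr) really does return "to stderr", which is exactly why "2>&1 >/dev/null" surprises people.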

Telnet trick on shell command prompt

Here is a simple telnet trick to check if a port is open and responding as expected. Be aware that the check described here is a bit simplistic, but it does demonstrate what telnet can do from the shell.

$ smtpserver="smtp"
$ smtpport="25"
$ ( echo open $smtpserver $smtpport ; sleep 1 ; echo quit ) | telnet 2>&1 | grep 220 > /dev/null 2>&1
$ echo $?

This will print "0" when everything is correct, and 1 when grep did not find a line containing 220.

If social networks were companies

Imagine that the rules of a social network applied to corporate enterprises; these strange situations would arise:

  • The boss and your manager would be chosen by you and your colleagues.
  • Your manager or boss would be extremely popular today, but would be so yesterday tomorrow.
  • Just like StumbleUpon traffic, it would be extremely busy with visitors this week, while next week could be so quiet.
  • Your boss would be well connected on LinkedIn, have loads of friends on Facebook and would own a huge area in MySpace.
  • You would spend hours trying to gain friends and fans in order to become boss tomorrow.
  • Bosses over 40 would be thrown out tomorrow, colleagues of 19 or younger would determine the long term strategy.
  • Being in the coffee corner for more than an hour would actually help your career.

Wow, that would actually be a very positive thing!

Sustaining busy times with Apache

When administering an Apache web server, you will encounter moments when one of your clients (or, hopefully, you) publishes something that causes a rush of visitors to your web server. How do you manage that peak? Here are some tricks that you could use:

1. Limit the available slots

Apache has many performance-related configuration options. When you run a small server, the default configuration of Apache might cause requests to be answered very slowly.
Apache runs on a desktop-comparable machine for my website, so I have altered these settings. The impact of this change was huge! Where the default settings caused extremely high (100+) loads and extremely slow requests, the web server now runs healthily.

StartServers         16
MinSpareServers      8
MaxSpareServers      32
ServerLimit          32
MaxClients           32
MaxRequestsPerChild  4000

At first this might scare you off, allowing fewer connections, but you have to realize that a small server can't cope with 100+ simultaneous connections. Limiting the number of connections will speed things up for the connected clients. Clients that visit your web server during busy times will have to wait a few seconds before being served.

2. Check the /server-status page

Configure Apache to allow you to see the status pages. This will help you identify what is using all the resources.

ExtendedStatus On
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>

Then run apachectl status or lynx http://localhost/server-status for extended information. ONLamp's website explains what these values mean.

3. Move services to different machines

When you are in deep shit, move services like the database, email, domain name resolution, etc. to a different machine. This will help you spread the load and will also help you identify where exactly the problem is.

4. Optimize code

After figuring out which virtual host eats all the CPU cycles or available memory, check the (PHP) code. If you are not comfortable with it, let the user (and owner) do this; he/she is responsible for his/her code.
This is the most difficult step to take and is in a gray area: it's not system administration, but it sure comes close.

Coping with visitors statistics in Drupal

Drupal users might agree: Drupal does not provide sufficient statistics to get a good overview of what their visitors are doing. Here are some ways to get the most out of your statistics using Drupal.

Enable the Statistics module. It comes with Drupal and the only thing it does is keep counters of how often nodes are read. Other information is stored, but it is so difficult to find that I consider it useless.

Use Google Analytics

There is a Drupal Google Analytics module that you can install. Besides that, you also need a Google Analytics account.
Installation is simple: enable the module, get yourself a Google Analytics account and copy the tracking code into Drupal. That code looks something like this: UA-1234567-1

Use SQL to extract some statistics

Write your own code to see what stories are popular. I use this code, but you might need to adapt it a little:

<table>
<tr><td><b>Article</b></td><td><b>Views today</b></td><td><b>Total views</b></td><td><b>Author</b></td></tr>
<?php
// Top three stories/book pages by total view count, joined with their author.
$result = mysql_query(
  "SELECT node.nid, node.title, node_counter.daycount, node_counter.totalcount, users.name
   FROM node, node_counter, users
   WHERE node.nid = node_counter.nid AND users.uid = node.uid
     AND (node.type = 'story' OR node.type = 'book')
   ORDER BY node_counter.totalcount DESC LIMIT 3;");
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
  // Escape the title and author name before echoing them into HTML;
  // the counters and nid are numeric.
  $nid    = (int) $row[0];
  $title  = htmlspecialchars($row[1]);
  $author = htmlspecialchars($row[4]);
  echo "<tr><td><a href=\"/node/$nid\">$title</a></td>"
     . "<td><a href=\"/node/$nid/track\">$row[2]</a></td>"
     . "<td>$row[3]</td><td>$author</td></tr>";
}
?>
</table>
