Thursday, July 26, 2012
Speeding up SSH logon
A firewall blocks port 53 for my servers, so sshd tries to reverse-resolve my address every time I attempt to log in.
The timeout is frustrating, so I read the man page [1] and found this configuration directive:
UseDNS Specifies whether sshd(8) should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is ''yes''.
I set it to 'no' and restarted the service, and it worked like a charm :D
Note:
When working on OpenBSD, be sure to be logged in on the console by another method (like physical console access or serial), because restarting the ssh service on OpenBSD closes all remote sessions.
[1] http://linux.die.net/man/5/sshd_config
--
= ^ . ^ =
Tuesday, June 19, 2012
Kill annoying processes that match a pattern
So, there was a bunch of annoying processes named with a pattern and I wanted to kill all of them.
Here is the script (I know this can be done in a much cleaner way in awk, but I like this way)
#!/bin/sh
# Kill every process whose `ps ax` line matches the extended regex in P
P="master(-worker)?"
PS=/bin/ps
SED=/bin/sed
KILL=/bin/kill
GREP=/bin/grep
CUT=/usr/bin/cut
# List the matching lines, drop the grep that carries the pattern itself,
# strip leading blanks, take the first column and keep only numeric PIDs
PIDS=$($PS ax | $GREP -E "$P" | $GREP -v grep | $SED -e 's/^\ \+//g' | $CUT -d ' ' -f 1 | $GREP -E '^[[:digit:]]+')
# kill(1) fails with a usage error on an empty list, so check first
[ -n "$PIDS" ] && $KILL $PIDS
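As an added example (not the post's script), here is the same idea with the two weak spots handled: the search tools themselves show up in `ps ax` with the pattern on their command line (the reason the post needs `grep -v grep`), and an unanchored pattern like master(-worker)? also matches anything containing "master", such as a constructed "puppetmaster" process. The sample `ps` output, the pattern and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the post's script: pick the PIDs whose command line
# matches an extended regex out of `ps ax` output, skip grep/awk/ps instances
# (they carry the pattern on their own command line) and refuse to run kill
# with an empty list. Pattern and sample output are constructed.

# Constructed `ps ax` output for offline use; real input: ps ax | match_pids RE
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 /sbin/init
 2345 ?        S      0:00 master-worker --id 1
 2346 ?        S      0:00 master
 2347 ?        S      0:00 puppetmaster --no-daemonize
 2350 pts/0    S+     0:00 grep -E master(-worker)?
 2351 pts/0    S+     0:00 awk -v re=master(-worker)?'

# match_pids RE: print the PID of every process whose command (field 5 onward)
# matches RE, except the search tools that carry RE as an argument.
match_pids() {
    awk -v re="$1" '
        NR > 1 {                               # skip the header line
            if ($5 ~ /^(grep|awk|ps)$/) next   # the search tools themselves
            cmd = $5
            for (i = 6; i <= NF; i++) cmd = cmd " " $i
            if (cmd ~ re) print $1
        }'
}

# kill_matching RE [SIGNAL]: send SIGNAL (default TERM) to every match;
# with DRY_RUN=1 only list what would be signalled.
kill_matching() {
    pids=$(ps ax | match_pids "$1")
    if [ -z "$pids" ]; then
        echo "no process matches '$1'" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would send SIG%s to: %s\n' "${2:-TERM}" "$pids"
        return 0
    fi
    # word splitting of $pids into one argument per PID is intended
    kill -s "${2:-TERM}" $pids
}

# Offline demonstration on the constructed sample: the post's pattern also
# catches puppetmaster, the anchored one does not.
printf '%s\n' "$SAMPLE_PS" | match_pids 'master(-worker)?'
printf '%s\n' "$SAMPLE_PS" | match_pids '^master(-worker)?( |$)'
```

Run `DRY_RUN=1 kill_matching '^master(-worker)?( |$)'` first to see which PIDs would be signalled, then without DRY_RUN to actually send the signal.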
--
= ^ . ^ =
Tuesday, May 29, 2012
VirtualBox serial console on Mac OS X
I normally access a VirtualBox VM serial console through minicom in GNU/Linux, but for some reason it didn't work on Mac OS X, so I researched how to access the serial console there.
VirtualBox (and VMware, from what I saw on the pages [1]) maps the serial device of the virtual machine to a "Named Pipe" (actually a UNIX domain socket), which can be accessed using netcat or minicom. I tried the nc -U variant as stated in the page but had no luck making it work, because the MacPorts version of netcat does *not* support attaching to UNIX domain sockets [2].
The screen man page [3] describes how to attach to an existing tty device, but the file is a named pipe, so the program cannot do its magic with it. There were some pages describing how to use socat [4] to map a UNIX domain socket to a tty device (actually a PTY) [5] [6] [7]. I also found a couple of VMware forum posts with useful links [8] [9].
Thanks to this I can happily run the following two commands to attach to the serial console
% socat -d -d ./Thesis.ttyS0 PTY
2012/05/29 01:08:00 socat[29713] N opening connection to LEN=16 AF=1 "./Thesis.ttyS0"
2012/05/29 01:08:00 socat[29713] N successfully connected from local address LEN=16 AF=1 ""
2012/05/29 01:08:00 socat[29713] N successfully connected via
2012/05/29 01:08:00 socat[29713] N PTY is /dev/ttys007
2012/05/29 01:08:00 socat[29713] N starting data transfer loop with FDs [3,3] and [4,4]
In this case the desired PTY is /dev/ttys007, and then in another terminal window
% screen /dev/ttys007
I wanted to do this as painless (automated) as possible, but there were a few problems:
- The PTY device allocated on Mac OS X depends on the number of terminals currently in use, so it is a variable device name.
- I have to run two commands in order to get the PTY and attach to it (socat, then screen).
- Simple shell magic can't work because socat outputs the messages to stderr.
The steps needed are:
- Map the UNIX domain socket to a PTY
- Somehow, get the PTY name (the tricky part)
- Once the name is known, attach to the PTY
Map the socket to a PTY
Same as above; the messages are still output to stderr:
socat -d -d ./Thesis.ttyS0 PTY
Get the PTY name
The device name is printed to stderr, so simply doing a 2>&1 and piping it through a sed or awk instance should do the trick. NO!!! For some reason (still unknown to me) sed and grep got stuck and, even if they got the appropriate input, they didn't send anything to the screen.
I managed to solve the problem by redirecting the socat output to a file (which might also be a FIFO if you are interested), then pointing grep at it to get the desired line and piping that output to sed to clean the text and get the desired PTY name.
Making it work altogether
Since the device is dynamically allocated and the socat output may vary, this kind of magic can be done. Yes, it might also be done with a sed [10] or awk script [11], but it was 2 or 3 AM and I just made it work.
screen `socat -d -d ./Thesis.ttyS0 PTY 2>&1 | tee /tmp/x &>/dev/null & grep '.*N\ PTY\ is\ ' /tmp/x | sed -e 's/.*N\ PTY\ is\ //g'`
So the above line does the following:
- Map the socket. Two choices here; I chose the first one because it was faster, but YMMV.
  - Use 2>&1 | tee /tmp/x &>/dev/null to redirect the output to a file and optionally to the terminal (I did it for debugging but wasn't interested in keeping it):
    socat -d -d ./Thesis.ttyS0 PTY 2>&1 | tee /tmp/x &>/dev/null & grep '.*N\ PTY\ is\ ' /tmp/x | sed -e 's/.*N\ PTY\ is\ //g'
  - Use &> /tmp/x & sleep 1 to give socat time to write the file, then read it to get the device name:
    socat -d -d ./Thesis.ttyS0 PTY &> /tmp/x & sleep 1 ; grep '.*N\ PTY\ is\ ' /tmp/x | sed -e 's/.*N\ PTY\ is\ //g'
- Attach to the screen, putting all the above in backquotes so it executes first:
    screen `socat -d -d ./Thesis.ttyS0 PTY 2>&1 | tee /tmp/x &>/dev/null & grep '.*N\ PTY\ is\ ' /tmp/x | sed -e 's/.*N\ PTY\ is\ //g'`
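The one-liners above race socat: grep reads /tmp/x right after socat is backgrounded, which is why the second variant needs sleep 1. As an added example (not the post's code), here is the same three-step procedure written so that the script waits for socat's "PTY is" notice before attaching, and fails with a message instead of handing screen an empty device name. The socket path, the log file location, the function names and the sample log lines are assumptions or constructed for this example.

```shell
#!/bin/sh
# Added example (not the post's one-liner): map the VirtualBox serial socket
# to a PTY with socat, wait until socat reports the PTY name instead of racing
# it with `sleep 1`, then attach with screen. Socket path, log location and
# the sample log lines are assumptions/constructed.

# pty_from_log LOGFILE: extract the device from socat's "-d -d" notice, e.g.
#   2012/05/29 01:08:00 socat[29713] N PTY is /dev/ttys007
pty_from_log() {
    sed -n 's/.* N PTY is \(\/dev\/[^ ]*\).*/\1/p' "$1" | head -n 1
}

# wait_for_pty LOGFILE SECONDS: poll the log until the PTY line shows up;
# return 1 if socat has not reported within the timeout.
wait_for_pty() {
    i=0
    while [ "$i" -lt "$2" ]; do
        pty=$(pty_from_log "$1")
        if [ -n "$pty" ]; then
            printf '%s\n' "$pty"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# attach_serial SOCKET: run socat in the background with its notices in a log,
# attach screen to the PTY it reports, and clean up when screen exits.
attach_serial() {
    log="${TMPDIR:-/tmp}/socat-serial.$$.log"
    socat -d -d "$1" PTY 2>"$log" &
    socat_pid=$!
    if ! pty=$(wait_for_pty "$log" 5); then
        echo "socat did not report a PTY within 5s, see $log" >&2
        kill "$socat_pid" 2>/dev/null
        return 1
    fi
    screen "$pty"
    kill "$socat_pid" 2>/dev/null
    rm -f "$log"
}

# demo_parse: offline check of the parser against constructed log lines
# (copied from the post's socat output).
demo_parse() {
    tmp=$(mktemp)
    printf '%s\n' \
        '2012/05/29 01:08:00 socat[29713] N opening connection to LEN=16 AF=1 "./Thesis.ttyS0"' \
        '2012/05/29 01:08:00 socat[29713] N PTY is /dev/ttys007' > "$tmp"
    pty_from_log "$tmp"
    rm -f "$tmp"
}

demo_parse

# Only attach when a socket path is given, e.g. ./serial-attach.sh ./Thesis.ttyS0;
# without arguments the script just runs the offline demonstration.
[ $# -gt 0 ] && attach_serial "$1"
```

Keeping socat's output in a per-run log file under $TMPDIR (rather than a shared /tmp/x) also avoids one user's script reading another user's stale device name.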
--
= ^ . ^ =
[1] http://wiki.networksecuritytoolkit.org/nstwiki/index.php/Console_Output_and_Serial_Terminals
[2] http://fixunix.com/slackware/537945-nc-does-not-support-unix-domain-socket.html
[3] http://linux.die.net/man/1/screen
[4] http://www.dest-unreach.org/socat/
[5] http://www.linuxsmiths.com/blog/?p=312
[6] http://blackmagic02881.wordpress.com/2007/02/05/linux-serial-console-how-to-with-vmware-server/
[7] http://thewayeye.net/2009/december/4/connecting-virtual-machines-serial-console-os-x-and-vmware-fusion
[8] http://communities.vmware.com/thread/33528
[9] http://communities.vmware.com/thread/28508
[10] http://linux.die.net/man/1/sed
[11] http://linux.die.net/man/1/awk
Update: I ported the script to make it work with Linux, check out the new post for details and also the @Github gist.
Wednesday, March 14, 2012
show my ip address
#!/bin/sh
IP=/bin/ip
SED=/bin/sed
CUT=/usr/bin/cut
IF=en0                      # default interface, override with the first argument
if [ -n "${1}" ]
then
    IF=${1}
fi
# Select the first "inet" line instead of assuming it is line 3 of the output,
# collapse runs of blanks, drop the /prefix and everything after it, then take
# the address (field 3, because the line starts with a blank)
$IP addr show dev "$IF" | $SED -n '/inet /{p;q;}' | $SED -e 's/\ \+/\ /g' -e 's/\/.*$//g' | $CUT -d ' ' -f 3
--
= ^ . ^ =
Monday, March 5, 2012
IPv4 and IPv6 SOCKS proxy
$ cat Makefile
XTERM=/usr/bin/xterm
SSH=/usr/bin/ssh
GEOMETRY=169x39-0-0
IPv6_LOCALHOST=::1
PROXY_PORT=1080
SSH_PORT?=22
IPv4_PROXY=127.128.129.130
IPv6_PROXY=${IPv6_LOCALHOST}
IPv4_REMOTE?=127.126.125.124
IPv6_REMOTE=${IPv6_LOCALHOST}
IPv4_BIND=127.127.127.127
IPv6_BIND=${IPv6_LOCALHOST}
proxy:
	${XTERM} -geometry ${GEOMETRY} -iconic -T "IPv4 proxy" \
	-e ${SSH} -v -x -n -N -b ${IPv4_BIND} -p ${SSH_PORT} \
	-D ${IPv4_PROXY}:${PROXY_PORT} ${IPv4_REMOTE} &
	${XTERM} -geometry ${GEOMETRY} -iconic -T "IPv6 proxy" \
	-e ${SSH} -v -x -n -N -b ${IPv6_BIND} -p ${SSH_PORT} \
	-D [${IPv6_PROXY}]:${PROXY_PORT} ${IPv6_REMOTE} &
$ make proxy
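The Makefile binds each SOCKS listener to a specific address with -D address:port (and the SSH connection's source address with -b), so the proxy is only reachable locally. As an added example (not part of the post), here is a check that the listeners really ended up on those addresses and not on the wildcard, by parsing `ss -ltnp` output on Linux. The sample output below is constructed with the Makefile's addresses plus one deliberately wildcard-bound listener; the function names are mine.

```shell
#!/bin/sh
# Added example (not the post's Makefile): list the `ssh -D` SOCKS listeners
# on a port from `ss -ltnp` output and flag those bound to a wildcard address,
# which would expose the proxy to other hosts. Sample output is constructed;
# real input: ss -ltnp | socks_listeners 1080

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port    Peer Address:Port Process
LISTEN 0      128    127.128.129.130:1080  0.0.0.0:*         users:(("ssh",pid=4242,fd=5))
LISTEN 0      128    [::1]:1080            [::]:*            users:(("ssh",pid=4243,fd=5))
LISTEN 0      128    0.0.0.0:1080          0.0.0.0:*         users:(("ssh",pid=4244,fd=5))
LISTEN 0      128    0.0.0.0:22            0.0.0.0:*         users:(("sshd",pid=1,fd=3))'

# socks_listeners PORT: print "pid local_address" for every listening socket
# on PORT that belongs to an ssh client process (sshd lines do not match).
socks_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" && $4 ~ (":" port "$") && $NF ~ /"ssh"/ {
            addr = $4; sub(/:[0-9]+$/, "", addr)
            pid = $NF; sub(/.*pid=/, "", pid); sub(/,.*/, "", pid)
            print pid, addr
        }'
}

# exposed_socks PORT: the subset of socks_listeners bound to a wildcard
# address, i.e. reachable from outside the host.
exposed_socks() {
    socks_listeners "$1" | awk '$2 == "0.0.0.0" || $2 == "[::]" || $2 == "*"'
}

# Offline demonstration on the constructed sample
printf '%s\n' "$SAMPLE_SS" | socks_listeners 1080
echo "exposed:"
printf '%s\n' "$SAMPLE_SS" | exposed_socks 1080
```

`ss -p` only shows process names for sockets you own or when run as root, so run the check as the user that started `make proxy` (or with sudo); without the process column no line matches and the check reports nothing.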
--
= ^ . ^ =
Wednesday, February 1, 2012
Keep the robots out
Keep the robots out of your website
% cat $DocumentRoot/robots.txt
User-agent: *
Disallow: /
--
= ^ . ^ =
Thursday, January 19, 2012
Apache httpd identification strings
The problem...
$ curl --verbose --user-agent "= ^ . ^ =" "http://localhost:80/info.php" > /dev/null
* About to connect() to localhost port 80 (#0)
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /info.php HTTP/1.1
> User-Agent: = ^ . ^ =
> Host: localhost
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 19 Jan 2012 23:59:59 GMT
< Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze3 with Suhosin-Patch mod_ssl/2.2.16 OpenSSL/0.9.8o
< X-Powered-By: PHP/5.3.3-7+squeeze3
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html
<
{ [data not shown]
* Connection #0 to host localhost left intact
* Closing connection #0
The solution...
/etc/apache2/conf.d/security
- ServerTokens Prod
- ServerSignature Off
/etc/php5/apache2/php.ini
- expose_php = Off
/etc/init.d/apache2 restart
$ curl --verbose --user-agent "= ^ . ^ =" "http://localhost:80/info.php" > /dev/null
* About to connect() to localhost port 80 (#0)
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /info.php HTTP/1.1
> User-Agent: = ^ . ^ =
> Host: localhost
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 20 Jan 2012 00:00:00 GMT
< Server: Apache
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html
<
{ [data not shown]
* Connection #0 to host localhost left intact
* Closing connection #0
# rm -v /var/www/info.php
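As an added example (not from the post), here is a small check that reads raw response headers and flags the two leaks fixed above (a Server header carrying version numbers and an X-Powered-By header), so the change can be verified after each restart. The two header samples are copied from the post's curl output; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the post): flag response headers that disclose
# software versions, to verify ServerTokens/ServerSignature/expose_php after a
# restart. Real input: curl -sI http://localhost/ | leaky_headers
# The two samples are copied from the post's curl output.

BEFORE_HEADERS='HTTP/1.1 200 OK
Date: Thu, 19 Jan 2012 23:59:59 GMT
Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze3 with Suhosin-Patch mod_ssl/2.2.16 OpenSSL/0.9.8o
X-Powered-By: PHP/5.3.3-7+squeeze3
Vary: Accept-Encoding
Content-Type: text/html'

AFTER_HEADERS='HTTP/1.1 200 OK
Date: Thu, 20 Jan 2012 00:00:00 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html'

# leaky_headers: read raw response headers on stdin, print one line per leak,
# exit 1 if any leak was found (so it can gate a deployment check).
leaky_headers() {
    tr -d '\r' | awk '
        # split on the first ": " only; header values may contain colons
        index($0, ": ") {
            name = tolower(substr($0, 1, index($0, ": ") - 1))
            value = substr($0, index($0, ": ") + 2)
            if (name == "x-powered-by") { print "X-Powered-By present: " value; leaks++ }
            else if (name == "server" && value ~ /\/[0-9]/) { print "Server reveals versions: " value; leaks++ }
        }
        END { exit leaks ? 1 : 0 }'
}

# leak_count SAMPLE: number of leaking headers in a sample, for quick reporting
leak_count() {
    printf '%s\n' "$1" | leaky_headers | wc -l | tr -d ' '
}

# Offline demonstration on the two samples
echo "before: $(leak_count "$BEFORE_HEADERS") leak(s)"
echo "after:  $(leak_count "$AFTER_HEADERS") leak(s)"
```

Because `leaky_headers` exits non-zero on a leak, `curl -sI http://localhost/ | leaky_headers || echo FAIL` works as a one-line post-deployment check.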
--
= ^ . ^ =
Thursday, December 1, 2011
Monitoring my network traffic
Today I wrote this simple script to monitor my network traffic. I release this script under GPLv3
Enjoy
#!/bin/sh
# monitor-traffic.sh - Monitor network traffic excluding common requests
# Andres Hernandez - Tonejito
TCPDUMP=/usr/sbin/tcpdump
IP=/sbin/ip
DEV="${1:-en1}"                     # interface to watch, override with $1
# First IPv4 address of the interface, without the prefix length
ADDR=$($IP addr show dev "$DEV" | awk '/inet / { sub(/\/.*/, "", $2); print $2; exit }')
[ -n "$ADDR" ] || { echo "no IPv4 address on $DEV" >&2; exit 1; }
# Show traffic to/from our address except DHCP, HTTP(S), MSN, XMPP and mail
$TCPDUMP -ni "$DEV" "host $ADDR and not (port 67 or port 68 or port 80 or port 443 or port 1863 or port 5222 or port 587 or port 993 or port 995)"
--
= ^ . ^ =
Sunday, September 18, 2011
ssh write failed: broken pipe
I hate it when this kind of thing happens, so I surfed the net looking for an answer [1]. The cause of the problem was inactivity in the ssh session, so a keep-alive must be implemented somewhere.
It turned out that the manpages of ssh_config and sshd_config list a couple of keep-alive settings:
/etc/ssh/ssh_config
ServerAliveInterval 30
TCPKeepAlive yes
/etc/ssh/sshd_config
ClientAliveInterval 30
TCPKeepAlive yes
ServerAliveInterval and ClientAliveInterval are SSH protocol-level settings (the keep-alive travels inside the encrypted session), while TCPKeepAlive is a TCP connection-level setting.
[1] https://bbs.archlinux.org/viewtopic.php?id=97003
[2] LIDSOL website
init 0 ;
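Both this post and the UseDNS post above end with editing sshd_config, and sshd reads that file with two rules worth remembering: keywords are case-insensitive, and for each keyword the first value wins (later duplicates are ignored), with Match blocks applying only to the sessions they match. As an added example (not from either post), here is a small reader that returns the effective global value of a directive under those rules, used to report UseDNS, ClientAliveInterval and TCPKeepAlive. The defaults passed in follow the man page quoted above (UseDNS yes, ClientAliveInterval 0, TCPKeepAlive yes); the sample config and the function names are constructed. One caveat on UseDNS no from the sshd_config man page: with lookups disabled, only addresses, not host names, can be used in authorized_keys from= options and in Match Host patterns.

```shell
#!/bin/sh
# Added example (not from the posts): read the effective global value of an
# sshd_config directive the way sshd does outside Match blocks, i.e.
# case-insensitive keyword, first occurrence wins, comments ignored.
# The sample config below is constructed; a real file is /etc/ssh/sshd_config.

SAMPLE_SSHD_CONFIG='# sshd_config sample (constructed)
Port 22
#UseDNS yes
UseDNS no
ClientAliveInterval 30
TCPKeepAlive yes
UseDNS yes            # ignored by sshd: the first value wins
Match User backup
    ClientAliveInterval 5'

# sshd_option FILE KEYWORD DEFAULT: print the value of KEYWORD before any
# Match block, or DEFAULT when the keyword is absent from the global section.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        tolower($1) == "match" { exit }      # per-Match values are not global
        /^[ \t]*#/ || NF < 2 { next }        # comments and blank lines
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# ssh_keepalive_report FILE: "keyword value" lines for the directives the two
# posts touch, with defaults as documented in the man page quoted above.
ssh_keepalive_report() {
    for kw in UseDNS ClientAliveInterval TCPKeepAlive; do
        case $kw in
            UseDNS) d=yes ;;
            ClientAliveInterval) d=0 ;;      # 0 = no protocol keep-alive
            TCPKeepAlive) d=yes ;;
        esac
        printf '%s %s\n' "$kw" "$(sshd_option "$1" "$kw" "$d")"
    done
}

# demo_report: run the report against the constructed sample
demo_report() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$tmp"
    ssh_keepalive_report "$tmp"
    rm -f "$tmp"
}

demo_report
```

To check a real server, run `ssh_keepalive_report /etc/ssh/sshd_config` as a user allowed to read the file; on OpenSSH releases that support it, `sshd -T` prints the same effective values straight from the daemon, which is the better source when Include files are in use.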