Category Archives: Technical

CentOS / CloudLinux 6 locale issue

When you use Terminal to ssh into a freshly installed CentOS / CloudLinux 6 box, you may encounter this warning:

-bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory

There are a few solutions out there, but the best and simplest is this:

echo 'LC_CTYPE="en_US.UTF-8"' >> /etc/sysconfig/i18n

Done.

References:
http://serverfault.com/questions/320971/centos-6-and-locale-error

Dynamic DNS + tunnelbroker MikroTik script for HE.net (Hurricane Electric)

Note: Tested on MikroTik 6.2

/system script
add name=he-dns policy=ftp,read,write,policy,test,winbox,api source="# Update Hurricane Electric DDNS IPv4 address\r\
\n\r\
\n# make sure previousip is initialized with a value (0.0.0.0) before the script is first run\r\
\n# note: he-dns and he-tunnelbroker both use this same global; if both are scheduled, give each its own\r\
\n:global previousip\r\
\n\r\
\n:local ddnshost \"DYNAMIC_HOSTNAME\"\r\
\n:local key \"KEY\"\r\
\n:local updatehost \"dyn.dns.he.net\"\r\
\n:local WANinterface \"WAN_INTERFACE_NAME\"\r\
\n:local outputfile \"he-dns.txt\"\r\
\n\r\
\n# Internal processing below...\r\
\n# ----------------------------------\r\
\n:local currentip\r\
\n\r\
\n# Get WAN interface IP address (strip the /prefix length)\r\
\n:set currentip [/ip address get [/ip address find interface=\$WANinterface] address]\r\
\n:set currentip [:pick [:tostr \$currentip] 0 [:find [:tostr \$currentip] \"/\"]]\r\
\n:log info (\"previous ip = \".\$previousip.\", current ip = \".\$currentip)\r\
\n\r\
\n:if ([:len \$currentip] = 0) do={\r\
\n :log error (\"Could not get IP for interface \" . \$WANinterface)\r\
\n :error (\"Could not get IP for interface \" . \$WANinterface)\r\
\n}\r\
\n\r\
\n:if (\$currentip != \$previousip) do={\r\
\n :log info (\"Updating DDNS IPv4 address\" . \" Client IPv4 address to new IP \" . \$currentip . \"...\")\r\
\n\r\
\n /tool fetch mode=http user=\$ddnshost password=\$key url=\"http://\$updatehost/nic/update\\\?hostname=\$ddnshost&myip=\$currentip\" \\\r\
\ndst-path=\$outputfile\r\
\n\r\
\n :log info ([/file get \$outputfile contents])\r\
\n /file remove \$outputfile\r\
\n :set previousip \$currentip\r\
\n} else={\r\
\n :log info (\"IP has not changed, no update necessary\")\r\
\n}"
add name=he-tunnelbroker policy=ftp,read,write,policy,test,winbox,api source="# Update Hurricane Electric tunnelbroker IPv4 address\r\
\n\r\
\n# make sure previousip is initialized with a value (0.0.0.0) before the script is first run\r\
\n# note: he-dns and he-tunnelbroker both use this same global; if both are scheduled, give each its own\r\
\n:global previousip\r\
\n\r\
\n:local tunnelid \"TUNNEL_ID\"\r\
\n:local tunnelinterface \"TUN_INTERFACE_NAME\"\r\
\n:local user \"USERNAME_TUNNELBROKER\"\r\
\n:local pass \"PASSWORD_TUNNELBROKER\"\r\
\n:local updatehost \"ipv4.tunnelbroker.net\"\r\
\n:local WANinterface \"WAN_INTERFACE_NAME\"\r\
\n:local outputfile \"he-tunnelbroker.txt\"\r\
\n\r\
\n# Internal processing below...\r\
\n# ----------------------------------\r\
\n:local currentip\r\
\n\r\
\n# Get WAN interface IP address (strip the /prefix length)\r\
\n:set currentip [/ip address get [/ip address find interface=\$WANinterface] address]\r\
\n:set currentip [:pick [:tostr \$currentip] 0 [:find [:tostr \$currentip] \"/\"]]\r\
\n:log info (\"previous ip = \".\$previousip.\", current ip = \".\$currentip)\r\
\n\r\
\n:if ([:len \$currentip] = 0) do={\r\
\n :log error (\"Could not get IP for interface \" . \$WANinterface)\r\
\n :error (\"Could not get IP for interface \" . \$WANinterface)\r\
\n}\r\
\n\r\
\n:if (\$currentip != \$previousip) do={\r\
\n :log info (\"Updating tunnelbroker client IPv4 address to new IP \" . \$currentip . \"...\")\r\
\n\r\
\n /tool fetch mode=https user=\$user password=\$pass url=\"https://\$updatehost/nic/update\\\?hostname=\$tunnelid&myip=\$currentip\" \\\r\
\ndst-path=\$outputfile\r\
\n\r\
\n # Point the local end of the 6to4 tunnel at the new WAN address\r\
\n /interface 6to4 set \$tunnelinterface local-address=\$currentip\r\
\n\r\
\n :log info ([/file get \$outputfile contents])\r\
\n /file remove \$outputfile\r\
\n :set previousip \$currentip\r\
\n} else={\r\
\n :log info (\"IP has not changed, no update necessary\")\r\
\n}"

Initialize previousip with the following command in the Terminal:

:global previousip "0.0.0.0"

Recipient MX-based dnslookup routing for cPanel’s Exim

I host a few websites and mailboxes for friends and relatives on my cPanel server. I need to make sure their mail does not end up in the Spam/Junk folder when they write to addresses hosted at Google/Yahoo/Hotmail (a common problem for small web hosting companies). I could simply forward every remote delivery through an ESP's smarthost, but that would be too costly for me, since ESPs charge by the number of emails relayed. Getting certified by ReturnPath is also expensive and takes time. I only need deliveries to the major providers to be relayed, so I needed recipient-MX-based routing in Exim. It doesn't look proper, but it works great! I'm sure many small cPanel hosts face the same problem.

authenticators:

esp_relay_login:
  driver = plaintext
  public_name = LOGIN
  client_send = : ${extract{user}{${lookup{${lookup{$sender_address_domain}lsearch*{/etc/mail_relay_mapping}{$value}}}lsearch{/etc/mail_relay_secret}{$value}}}} : ${extract{pass}{${lookup{${lookup{$sender_address_domain}lsearch*{/etc/mail_relay_mapping}{$value}}}lsearch{/etc/mail_relay_secret}{$value}}}}

routers:

smarthost_dkim:
  driver = dnslookup
  domains = !+local_domains : ! /etc/mail_domain_excluded_from_using_relay
  require_files = "+/var/cpanel/domain_keys/private/${sender_address_domain}"
  transport = remote_smtp_smart_dkim
  ignore_target_hosts = ! /etc/mail_ips_of_domains_to_be_relayed
  senders = ! /etc/mail_exclude_from_relay

smarthost_regular:
  driver = dnslookup
  domains = !+local_domains : ! /etc/mail_domain_excluded_from_using_relay
  transport = remote_smtp_smart_regular
  ignore_target_hosts = ! /etc/mail_ips_of_domains_to_be_relayed
  senders = ! /etc/mail_exclude_from_relay

transports:

remote_smtp_smart_dkim:
  driver = smtp
  hosts_require_tls = *
  interface = ${if exists {/etc/mailips}{${lookup{$original_domain}lsearch{/etc/mailips}{$value}{${lookup{$sender_address_domain}lsearch{/etc/mailips}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{/etc/mailips}{$value}{}}}}}}}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$original_domain}lsearch{/etc/mailhelo}{$value}{${lookup{$sender_address_domain}lsearch{/etc/mailhelo}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}}}}}{$primary_hostname}}
  dkim_domain = $sender_address_domain
  dkim_selector = default
  dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
  dkim_canon = relaxed
  hosts_require_auth = *
  hosts = ${lookup{$sender_address_domain}lsearch*{/etc/mail_relay_mapping}{$value}}::587
  hosts_override = yes

remote_smtp_smart_regular:
  driver = smtp
  hosts_require_tls = *
  interface = ${if exists {/etc/mailips}{${lookup{$original_domain}lsearch{/etc/mailips}{$value}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{/etc/mailips}{$value}{}}}}}}}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$original_domain}lsearch{/etc/mailhelo}{$value}{${lookup{$sender_address_domain}lsearch{/etc/mailhelo}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}}}}}{$primary_hostname}}
  hosts_require_auth = *
  hosts = ${lookup{$sender_address_domain}lsearch*{/etc/mail_relay_mapping}{$value}}::587
  hosts_override = yes

Files needed:

/etc/mail_domain_excluded_from_using_relay: (recipient domains whose mail is never relayed via a smarthost)
abc.com
cde.com

/etc/mail_exclude_from_relay: (sender domains whose mail is excluded from relaying via a smarthost; these should be your customers' domains hosted on your server)
def.com
ghi.com
jkl.com
mno.com

/etc/mail_ips_of_domains_to_be_relayed: (MX IP ranges of the domains Exim will relay via a smarthost)
#Google
74.125.0.0/16
173.194.0.0/16
#Hotmail
65.52.0.0/14
#Yahoo APAC
106.10.128.0/18
#Yahoo EU
188.125.64.0/21
#Yahoo US
68.180.128.0/17
98.136.0.0/14
66.196.64.0/18
63.250.192.0/19

/etc/mail_relay_secret: (credentials for the smarthosts; list every smarthost you use in /etc/mail_relay_mapping below)
smtp.example.com: user=postusername pass=password
smtp.example.net: user=postuser pass=pass123
smtp.example.org: user=boo pass=hoo

/etc/mail_relay_mapping: (sender domains explicitly mapped to a particular smarthost; the last entry, *, is the default smarthost)
ghi.com: smtp.example.org
def.com: smtp.example.net
jkl.com: smtp.example.org
*: smtp.example.com

Thus if mno.com sends an email to Gmail/Hotmail/Yahoo, it will be relayed via smtp.example.com.
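To see how these pieces combine into one routing decision, here is an added Python model (not part of the original post, and not Exim code) that evaluates the domains, ignore_target_hosts, require_files and lsearch* mapping rules against constructed copies of the files above; the senders exclusion is left out, and the MX addresses are sample values taken from the post's own log lines.

```python
import ipaddress

# Constructed copies of the lookup files from the post (sample values, not real data).
RELAY_NETS_FILE = """#Google
74.125.0.0/16
173.194.0.0/16
#Hotmail
65.52.0.0/14
"""                                      # /etc/mail_ips_of_domains_to_be_relayed
RELAY_MAPPING_FILE = """ghi.com: smtp.example.org
def.com: smtp.example.net
*: smtp.example.com
"""                                      # /etc/mail_relay_mapping
EXCLUDED_RCPT_DOMAINS = {"abc.com", "cde.com"}  # /etc/mail_domain_excluded_from_using_relay


def parse_networks(text):
    """Networks listed in the relay-IP file; '#' comment lines are skipped."""
    return [ipaddress.ip_network(line.strip()) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def lsearch_star(text, key):
    """Mimic Exim's lsearch*: an exact key wins, otherwise the '*' default, else None."""
    table = {}
    for line in text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            table[k.strip()] = v.strip()
    return table.get(key, table.get("*"))


def route(sender_domain, rcpt_domain, mx_ips, dkim_key_present):
    """Decide how the two smarthost routers handle one message.

    Returns (router, transport, smarthost), or None when both routers decline and
    Exim falls through to its normal lookuphost / dkim_lookuphost routers.
    """
    # domains = !+local_domains : ! /etc/mail_domain_excluded_from_using_relay
    if rcpt_domain in EXCLUDED_RCPT_DOMAINS:
        return None
    # ignore_target_hosts = ! <file>: every MX address that is NOT inside one of the
    # listed networks is discarded; if nothing is left, the dnslookup router declines.
    nets = parse_networks(RELAY_NETS_FILE)
    kept = [ip for ip in mx_ips if any(ipaddress.ip_address(ip) in n for n in nets)]
    if not kept:
        return None
    smarthost = lsearch_star(RELAY_MAPPING_FILE, sender_domain)
    # require_files on smarthost_dkim: the per-domain DKIM key must exist, otherwise
    # that router is skipped and smarthost_regular picks the message up instead.
    if dkim_key_present:
        return ("smarthost_dkim", "remote_smtp_smart_dkim", smarthost)
    return ("smarthost_regular", "remote_smtp_smart_regular", smarthost)


if __name__ == "__main__":
    print(route("mno.com", "gmail.com", ["173.194.79.26"], False))
    print(route("ghi.com", "hotmail.com", ["65.55.92.152"], True))
    print(route("def.com", "example.net", ["192.0.2.10"], True))
```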

How do you check that it works? Send a test email to one of the target domains, such as Yahoo, and watch Exim's log. For domains that should be relayed, the log line should show the remote_smtp_smart_regular or remote_smtp_smart_dkim transport (T=):

1VFjpE-0002oA-Tb => xxxxx@yahoo.com R=smarthost_regular T=remote_smtp_smart_regular H=smtp.example.com [123.123.123.123] X=TLSv1:DHE-RSA-AES256-SHA:256
1VFjFr-0007hX-QJ => xxxxx@gmail.com R=smarthost_dkim T=remote_smtp_smart_dkim H=smtp.example.org [124.124.124.124] X=TLSv1:DHE-RSA-AES256-SHA:256

The normal route shows the remote_smtp or dkim_remote_smtp transport instead:

1VDN3n-00088z-46 => yyyyy@gmail.com R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [173.194.79.26] X=TLSv1:RC4-SHA:128
1VDWNC-0002Zo-OB => zzzzzz@hotmail.com R=dkim_lookuphost T=dkim_remote_smtp H=mx2.hotmail.com [65.55.92.152]

Thanks to Chris Siebenmann!

References:
http://www.gossamer-threads.com/lists/exim/users/97299
http://www.tgunkel.de/docs/exim_smarthosts.en

Noteworthy links:
http://serverfault.com/questions/347285/exim-redirect-to-smart-host-based-on-mx-record
http://www.gossamer-threads.com/lists/exim/users/97056

Facebook Page fan photos

In case you wonder why the "Add Photos" link on your Facebook Page is no longer working as expected (it sends you back to your Facebook Home), I believe it is because they have changed the way fan photos work on Facebook Pages (without informing users).

As usual, Facebook developers are changing and implementing things quickly without updating the help information that would guide users through these changes. These days bugs are easily spotted on Facebook. Having bugs at their current size is understandable, but implementing changes before/without communicating them to users is a very stupid move. Not to mention they never reply to (real) bug reports.

Two weeks ago, for 1 day, no one could write a comment to wall posts of the Facebook Pages.  Only comments for photos were normal.  I think I’m starting to hate Facebook, plus the fact that they have removed Profile’s boxes and tabs.  Someone should really make a good copy of Facebook when it had all the cool features.

These past 3 days I have waited for a reply from Facebook to fix or at least address fan’s “Add Photos” link issue, but I got nothing.  I need this feature to work ASAP for my marketing team, so I looked around and found a discussion link on Facebook.  Basically these people complain about the same thing, apparently this feature has been buggy since last year.

Abbey Butler's post on page 7 of the thread is the answer. Thanks, Abbey! :)

Areca RAID cards and WDC desktop-class HDDs (non-RE)

First of all, avoid any green drives (including WDC RE-GP drives) at all cost for RAID setups.

I have Areca's ARC-1210 and ARC-1220 RAID cards installed in my Tyan servers (with S5397 and S5211 motherboards). Some of these servers use WDC GP drives (my vendor ordered them); despite having TLER enabled, the drives drop out of the RAID sets within days or weeks. Enabling TLER does help, but don't count on it too much. This is caused by the IntelliPower feature that limits the drive's RPM to 5400. RAID drives are supposed to be fast, and GP drives are slow.

A few weeks ago I tried a pair of WDC WD2500AAJS-22VTA0 drives to run Windows Server 2003 R2 Standard Edition. The installation went well, but after a few days of uptime the server rebooted itself after showing this error message:

The instruction at "0x76946203" referenced memory at "0x76946203". The required data was not placed into memory because of an I/O error status of "0xc000000e". Click on OK to terminate the program.

Prior to this error message, it showed a yellow popup (like the low disk space popup) in the systray, but I couldn't get a screenshot as it disappeared really fast. It stated (IIRC) that files were missing/corrupted in the RECYCLER folder.

I tried disabling the write cache on the RAID card and in Windows, but no luck. I tried enabling TLER (it wasn't on before), also no luck. Finally I consulted Google and found out that disabling NCQ helps on some hard drives. I disabled NCQ and rebooted the server, and so far it has been up for almost a month. Before this, it couldn't even reach a week of uptime.

Now I use WDC RE3 drives (WD5002ABYS) to replace the GP drives. The temperature of the RE3 drives is much lower (8-10C lower) than that of the desktop drives, despite there being less cooling in the room.

Hopefully this post can help others to avoid the issues I encountered.

Issues with NTP

If you wonder why your VPS's ntpd, specifically in an OpenVZ VE, is stuck at stratum 16 or stratum 0 while ntpq -p shows nothing abnormal (use ntpq -c rv to check the state; it says state=3 when abnormal), try executing ntpdate manually. If it says "ntpdate: step-systime: Operation not permitted", then you need to reconfigure your OpenVZ VE, or ask your host to do it for you: vzctl set 123 --capability sys_time:on --save

If everything else is fine but the message "ntpdate: no server suitable for synchronization found" keeps coming up, your ISP could be blocking UDP port 123. Use ntpdate -u to verify; this option should get around the firewall.

References:
http://blog.haite.ch/2009/05/22/1242984900000.html

iptables mangle and NAT notes, etc.

PREROUTING in nat table: DNAT, REDIRECT
POSTROUTING in nat table: SNAT/MASQUERADE

PREROUTING in mangle table: alter routing (e.g. source-based routing)
FORWARD in mangle table: traffic shaping for tc (flowid)

In MikroTik RouterOS, /ip firewall nat:
srcnat chain = PREROUTING
dstnat chain = POSTROUTING

/ip firewall mangle:
prerouting chain = global-in
forward chain = global-out (supports traffic shaping of NAT'd traffic, higher load on the router)

Update: I used to think that global-in literally means global input, while global-out literally means global output. Apparently I was mistaken. The parent queues MUST be matched to the right parent, either global-in, global-out, global-total, or one of the network interfaces, depending on the mangle rules. The top-most queue parent (global-in, global-out, global-total) doesn't decide whether it's up/down. The mangle rules do the direction decision trick, i.e. whether a packet is incoming/download or outgoing/upload. This makes perfect sense now! (doh) I kept wondering why half of my queues (download queues whose top-most parent was global-in) weren't working, when all my mangle rules were in the forward chain. Obviously they wouldn't, because global-in marks both directions in the prerouting chain.

Update 2: In mangle, put the download rules first, then the upload rules. For global-in: connection mark in prerouting, packet mark in prerouting. For global-out: connection mark in forward, packet mark in postrouting.

This didn’t make sense until I read the URL listed below under References.  Silly me!  Assumption is the root of most, if not all, problems indeed.

References:
http://wiki.ispadmin.eu/index.php/Documentation/Mikrotik_guide#.22Global-in.22_vs._.22global-out.22_setup

MikroTik simple script to update ZoneEdit Dynamic DNS

I have a MikroTik router (RouterOS v4.x) with an ADSL connection at work; unfortunately it comes with a dynamic public IP address. I need to connect to my office workstation, or simply to the MikroTik router, from home or elsewhere, so I need to know its latest IP address at all times. I decided to use ZoneEdit's Dynamic DNS service.

Add a new script to the MikroTik router (replace dyndns.example.com, ZEUser and ZEPass with your own hostname and ZoneEdit credentials):

  • /system script add name=zoneedit-dyndns source="/tool fetch url=\"http://dynamic.zoneedit.com/auth/dynamic.html\?host=dyndns.example.com&dnsto=127.0.0.1\" user=ZEUser password=ZEPass keep-result=no\r\n/delay 30\r\n/tool fetch url=\"http://dynamic.zoneedit.com/auth/dynamic.html\?host=dyndns.example.com\" user=ZEUser password=ZEPass keep-result=no" policy=read

Test the script by running it manually:

  • /system script run zoneedit-dyndns

If it shows two lines of "status: finished", the script works properly.

Schedule the script to run regularly (in this case, every 10 minutes):

  • /system scheduler add name="zoneedit-dyndns" interval=10m on-event="/system script run zoneedit-dyndns" policy=read,test

Why does it require two "fetch" commands to update? I think there is a bug in ZoneEdit's Dynamic DNS updater, so it needs to be forced: the new dynamic DNS entry has to differ significantly from the previous one before the ZoneEdit backend really updates it, hence the first update to 127.0.0.1 followed by the real one.

Thanks, ZoneEdit!

BIS-capable SSH client for BlackBerry

If you need an SSH client for BlackBerry, you can use MidpSSH. However, this client doesn’t allow you to use your BIS subscription. Luckily someone has modified MidpSSH to work over BIS.

Once you have installed the modified MidpSSH, there is a very good chance that your mobile operator blocks outgoing TCP port 22 on your BIS plan. You need to reconfigure your SSH server to listen on another port (port 2222 works for me).

In case you wonder how to specify the custom port (since there is no specific port field), specify the port in the Host field, e.g. 127.0.0.1:2222.

Hope this helps!

VPS (HyperVM) initial setup

I just purchased a VPS account from a local VPS provider (using HyperVM). The first thing I did was rebuild the VPS, because it has LXAdmin installed by default. I want a lightweight VPS with everything minimal.

I was excited to see some minimal OS templates in the web Control Panel. I have a Debian 4.0 UK VPS. This time I chose Ubuntu 6.06, because there are lots of Ubuntu repository mirrors in Indonesia. :)

Once I rebuilt the VPS with the Ubuntu template, I could not ssh into it right away. sshd fails to start because udev is installed, and we need to remove it. Quickly remove udev by typing the following in the Command Center: apt-get -y remove udev

Once it’s removed, reboot the VPS. Voila! You should be able to login using SSH now. :)

No need to do mknod /dev/random c 1 8, mknod /dev/urandom c 1 9, /sbin/MAKEDEV tty, /sbin/MAKEDEV ttyp, nor /sbin/MAKEDEV pts.

References:
http://prajizworld.com/?p=5