Clamav/Freshclam update fails!

Problem: I got the following error message in the freshclam.log file on several servers with ClamAV installed.

ERROR: getpatch: Can't download daily-16682.cdiff from database.clamav.net

Due to this bug the virus database wasn’t updated for days!

It seems to be a bug in ClamAV with daily-16682.cdiff (the daily.cvd increment). Normally that would be solved automatically by downloading daily.cvd (non-incremental), but this also fails with:

ERROR: Can't download daily.cvd from database.clamav.net

Solution/Workaround: remove /var/lib/clamav/daily.cvd and rerun freshclam.

Linux on HP servers

Problem: You want to check the hardware health status of your Debian server running on HP ProLiant hardware.

After spending some time on the HP.com homepage, I got really angry. HP does a really bad job on their support homepage. If you search for DL360 G5 you see a list of operating systems. The list of Debian OSs ends with 5.0. There you find an outdated, bloated ISO image with lots of stuff. It looks as if HP never used Linux on their machines and knows nothing about how Linux admins do their work (CLI! CLI! CLI!).

But then, I found out…

Solution: HP provides a (hard to find) Debian repository of system administration tools. Add the following line to your “/etc/apt/sources.list”:
   deb http://downloads.linux.hp.com/SDR/downloads/MCP squeeze/current non-free

Then you can do:
   # aptitude update
   # aptitude install hp-health

   # hpasmcli
   hpasmcli> show iml      # message list
   hpasmcli> show fan      # fan status
… etc.

Versions: tested on Debian Squeeze 6.0 and HP tools Version 9.25

CDP / LLDP Fun

Problem: You want to know which switch and which port your Linux machine is connected to.

Solution: If the switch speaks CDP (all Cisco switches do), it announces a lot of information about itself. tcpdump can capture and display this information.

# tcpdump -i eth0 -n -v -s 1500 -c 1 'ether[20:2] == 8192' 
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
16:47:43.099633 CDPv2, ttl: 180s, checksum: 692 (unverified), length 438
         Device-ID (0x01), length: 4 bytes: 'SW10'
         Platform (0x06), length: 20 bytes: 'cisco WS-C3750G-48TS'
         Address (0x02), length: 13 bytes: IPv4 (1) XXX.XXX.XXX.10
         Port-ID (0x03), length: 21 bytes: 'GigabitEthernet3/0/25'
         Capability (0x04), length: 4 bytes: (0x00000029): Router, L2 Switch, IGMP snooping
         Protocol-Hello option (0x08), length: 32 bytes: 
         VTP Management Domain (0x09), length: 7 bytes: 'XXX'
         Native VLAN ID (0x0a), length: 2 bytes: 1
         Duplex (0x0b), length: 1 byte: full
         Management Addresses (0x16), length: 13 bytes: IPv4 (1) XXX.XXX.XXX.10

I highlighted the most relevant information in bold.

CDP is quite old and on the way out. LLDP is the new standard with similar content:

# tcpdump -i eth0 -n -v -s 1500 -c 1 ether proto 0x88cc
tcpdump: listening on eth0
09:48:18.267131 LLDP, length 83
Chassis ID TLV (1), length 7
Subtype MAC address (4): XX:XX:XX:XX:XX:XX
Port ID TLV (2), length 7
Subtype Local (7): Port 4
Time to Live TLV (3), length 2: TTL 120s
Port Description TLV (4), length 6: Port 4
System Name TLV (5), length 4: UBNT
System Description TLV (6), length 37
USW-8P-150, 4.3.20.11298, Linux 3.6.5
System Capabilities TLV (7), length 4
System Capabilities [Bridge] (0x0004)
Enabled Capabilities [Bridge] (0x0004)
End TLV (0), length 0


Sample output from a Ubiquiti switch.
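
The TLV layout that tcpdump decodes in the LLDP capture above can also be parsed directly, for example to record switch and port per host in an inventory. This is an added example, not part of the original post: the frame is constructed to mirror the output above with a placeholder MAC address, and the names tlv, parse_lldp and SAMPLE are made up for the illustration.

```python
import struct

def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one LLDP TLV: 7-bit type, 9-bit length, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

# Constructed LLDPDU mirroring the tcpdump output above; the MAC is a placeholder.
SAMPLE = b"".join([
    tlv(1, b"\x04" + bytes.fromhex("020000000001")),   # Chassis ID, subtype MAC (4)
    tlv(2, b"\x07Port 4"),                              # Port ID, subtype Local (7)
    tlv(3, struct.pack("!H", 120)),                     # Time to Live, 120s
    tlv(4, b"Port 4"),                                  # Port Description
    tlv(5, b"UBNT"),                                    # System Name
    tlv(6, b"USW-8P-150, 4.3.20.11298, Linux 3.6.5"),   # System Description
    tlv(7, struct.pack("!HH", 0x0004, 0x0004)),         # Capabilities: Bridge / Bridge
    tlv(0, b""),                                        # End TLV
])

TEXT_TLVS = {4: "port_description", 5: "system_name", 6: "system_description"}

def parse_lldp(payload: bytes) -> dict:
    """Return the neighbour fields from an LLDPDU (Ethernet payload of 0x88cc)."""
    info, off = {}, 0
    while off + 2 <= len(payload):
        (hdr,) = struct.unpack_from("!H", payload, off)
        t, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(payload):
            # Never trust the length field: a truncated or malformed frame stops here.
            raise ValueError(f"TLV type {t} runs past the end of the frame")
        v = payload[off:off + length]
        off += length
        if t == 0:                                   # End TLV closes the LLDPDU
            return info
        if t in (1, 2) and length >= 2:              # subtype byte + identifier
            key = "chassis_id" if t == 1 else "port_id"
            is_mac = v[0] == (4 if t == 1 else 3) and length == 7
            info[key] = v[1:].hex(":") if is_mac else v[1:].decode(errors="replace")
        elif t == 3 and length >= 2:
            info["ttl"] = struct.unpack("!H", v[:2])[0]
        elif t in TEXT_TLVS:
            info[TEXT_TLVS[t]] = v.decode(errors="replace")
    raise ValueError("LLDPDU ended without an End TLV")

if __name__ == "__main__":
    for key, value in parse_lldp(SAMPLE).items():
        print(f"{key}: {value}")
```
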

ejabberd on debian with pam

Problem: After updating from Debian lenny (5) to squeeze (6), ejabberd authentication (PAM) stopped working.

Solution: ejabberd uses an external program called epam to authenticate. But this program had no permission to use PAM. I had to type these commands:
chown root:ejabberd /usr/lib/ejabberd/priv/bin/epam
chmod 4750 /usr/lib/ejabberd/priv/bin/epam
killall epam

ejabberd 2.1.5-3+squeeze1

Apache Authentication by IP and Password at the Same Time

If you want to restrict access to a directory on your Apache web server so that users from a fixed IP range get in without a password and the rest of the world has to authenticate with a password, the httpd.conf section can look like this for Apache 2.2:

<Directory "/var/www/htdocs/protected">
  AuthType Basic
  AuthName "Protected Area"
  AuthUserFile /etc/apache/passwd
  Require valid-user

  Order deny,allow
  Allow from 80.80.80.0/24
  Deny from all

  Satisfy any
</Directory>

For Apache 2.4 the syntax has changed to:

<Directory "/var/www/htdocs/protected">
  AuthType Basic
  AuthName "Protected Area"
  AuthUserFile /etc/apache/passwd
  
  <RequireAny>
     Require valid-user
     Require ip 80.80.80.0/24
  </RequireAny>
</Directory>

Multiple Routing Tables with IPTables

Challenge: You have a Linux-based firewall that should forward all internal and external traffic of its connected clients through a VPN tunnel, while the traffic from the firewall itself should not go through the tunnel (e.g. the tunnel connection packets).

Solution: There are probably lots of howtos for this. Here is my very simple and quick (3 lines) solution.

Mark all packets that should go through the tunnel:
> iptables -t mangle -A PREROUTING -s 192.168.2.0/24 ! -d 192.168.2.0/24 -i eth1 -j MARK --set-mark 3

Set up a second routing table:
> ip route add table 3 default dev tun0

Add a rule to use routing-table 3 for packets marked with 3:
> ip rule add fwmark 3 table 3

192.168.2.0/24: client IPs
tun0: device of the vpn tunnel

One Mouse and Keyboard for Two Computers

I just read that Microsoft announced a “new” software to control two Windows PCs with one keyboard and mouse. It might be new to Microsoft, but software for this has existed since about 1998.

When I had both Linux and Windows on my desktop some years ago I used x2vnc for this.

Read on: http://fredrik.hubbe.net/x2vnc.html