The following monster will parse the mail log and report on unique host connections along with a count.
cat /var/log/mail.log | \
grep ' connect from unknown' | \
awk '{ print $8 }' | \
sort | \
sed -n 's/.*\[\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)\].*/\1/p' | \
awk '{count[$1]++} END {for (word in count) print count[word], word}' | \
sort -n
Today I read Remove Boot Text On The Raspberry Pi For Noobs:
vim /boot/cmdline.txt
You will see a single line with all the boot options. Scroll along and change the following making sure not to add any linebreaks:
vim /boot/config.txt
So I had an issue with KCachegrind where I would open a cachegrind profile file and “nothing happened”. The status bar said the file had loaded, but the user interface widgets were all empty. Turns out clicking Settings -> Sidebars -> Function Profile loaded the part of the UI I needed to get started… everything is easy when you know how!
If you send non-printable characters to your TTY you might corrupt it, and that’s no fun.
So before you print log files which might contain dodgy data to a console clean it by piping it through tr like this:
tr -c '\11\12\15\40-\176' '?'
Today I ran the following command to see how many people accessed the ProgClub wiki over the previous 5 hours:
jj5@charity:/var/log/apache2$ grep "GET /wiki/" access.log |
grep "13/Jul/2013:0" | grep -Eo '^([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq | wc
I was configuring MediaWiki to allow uploads and was getting an error in the browser about the POST data being too large (“does not allow request data with POST requests, or the amount of data provided in the request exceeds the capacity limit.”). I had a look in the Apache error log and found:
[Thu Feb 23 16:12:45 2012] [error] [client 60.240.67.126] request body exceeds m aximum size (131072) for SSL buffer, referer: https://www.jj5.net/morpheus/Speci al:Upload [Thu Feb 23 16:12:45 2012] [error] [client 60.240.67.126] could not buffer messa ge body to allow SSL renegotiation to proceed, referer: https://www.jj5.net/morp heus/Special:Upload
So I did some research. I found this document, File upload size which suggested editing /etc/php5/apache2/php.ini which I did:
upload_max_filesize = 20M post_max_size = 80M
That didn’t fix the problem though. I found Request entity too large which suggested checking my setting for LimitRequestBody, but that wasn’t the problem either.
Eventually I found Bug 491763 – HTTPS+SSLVerifyClient require in <Directory>+big POST = Apache error which suggested I needed to apply the SSLRenegBufferSize directive which I did like this:
<Location /morpheus>
SSLVerifyClient require
SSLVerifyDepth 1
SSLRenegBufferSize 20971520
</Location>
And then after restarting Apache the problem was solved.
There were a few warning popping up in my /var/log/mail.warn log for Postfix, like this:
Feb 4 09:16:15 sixsigma postfix/tlsmgr[3394]: warning: request to update table btree:/var/run/smtpd_tls_session_cache in non-postfix directory /var/run Feb 4 09:16:15 sixsigma postfix/tlsmgr[3394]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix Feb 4 09:16:15 sixsigma postfix/tlsmgr[3394]: warning: request to update table btree:/var/run/smtp_tls_session_cache in non-postfix directory /var/run Feb 4 09:16:15 sixsigma postfix/tlsmgr[3394]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfixI fixed the problem by reconfiguring /etc/postfix/main.cf and changing this:smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cacheTo this:
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
Today I read about how to configure fail2ban to use route instead of iptables to block connections. I’m not planning to switch to the route command just yet, because I think when fail2ban uses IP tables it only bans an IP address from accessing a particular port (or set of ports). Although maybe I don’t care about that and just banning the whole host altogether would be OK.
The reason I’ve been looking in to fail2ban is that I have a heap of errors in my logs from fail2ban trying to use iptables and failing, e.g.:
2012-02-04 00:23:02,939 fail2ban.actions.action: ERROR iptables -D fail2ban-ssh -s 125.211.221.117 -j DROP returned 100 2012-02-04 00:59:12,456 fail2ban.actions.action: ERROR iptables -I fail2ban-ssh 1 -s 50.30.33.90 -j DROP returned 100 2012-02-04 01:59:12,930 fail2ban.actions.action: ERROR iptables -D fail2ban-ssh -s 50.30.33.90 -j DROP returned 100 2012-02-04 08:35:13,252 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh 2012-02-04 08:35:36,688 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh-ddos 2012-02-04 08:35:36,695 fail2ban.actions.action: ERROR iptables -N fail2ban-apache-overflows 2012-02-04 08:35:36,703 fail2ban.actions.action: ERROR iptables -N fail2ban-postfix
I have a computer sitting on my desk that is always on (it’s my file server) and it has a monitor attached which is almost never in use (I ssh to that server if I want to do things so it’s hardly ever logged in).
I thought it would be cool if on that monitor the web-logs from all of the systems I manage were shown so I could keep an eye on things and maybe learn a thing or two about my web-sites and how people are using them.
So the first thing I did was write a script to grab any given web log:
root@orac:~# cat /root/get-web-log.sh
#!/bin/bash
echo Starting download of $3...
while : ; do
su -c "ssh $1 tail -f /var/log/apache2/$2 < /dev/null" jj5 \
| tee -a /var/log/web.log \
| grep --line-buffered -v "Mozilla.5.0 .compatible. Googlebot.2.1. .http...www.google.com.bot.html." \
| grep --line-buffered -v "Baiduspider...http...www.baidu.com.search.spider.htm." \
| grep --line-buffered -v "Mozilla.5.0 .compatible. Baiduspider.2.0. .http...www.baidu.com.search.spider.html." \
| grep --line-buffered -v "Mozilla.5.0 .compatible. Exabot.3.0. .http...www.exabot.com.go.robot." \
| grep --line-buffered -v "Mozilla.5.0 .compatible. YandexBot.3.0. .http...yandex.com.bots." \
> /var/log/web/$3
sleep 60
echo; echo; echo Restarting download of $3...; echo; echo;
done
Then I wrote a series of scripts which call the get-web-log.sh script for specific web-sites on specific servers, e.g.:
root@orac:~# cat /root/web-log/get-jsphp.co #!/bin/bash /root/get-web-log.sh honesty www.jsphp.co-access.log jsphp.co exit
Then I wrote a main script, rather unoriginally called info.sh, that kicks off the web logs downloads and then monitors their progress as they come through:
root@orac:~# cat /root/info.sh #!/bin/bash # disable the screensaver setterm -blank 0 -powersave off -powerdown 0 # start downloading the web-logs cd /root/web-log ./get-jsphp.co & sleep 1 #...all the other downloaders, one for each site # watch the web-logs cd /var/log/web tail -f * # stop downloading the web-logs kill %1 #...all the other kills, one for each downloader exit
Then I edited /etc/init/tty1.conf so that on tty1, instead of having a login console, I automatically ran my info.sh script:
root@orac:~# cat /etc/init/tty1.conf # tty1 - getty # # This service maintains a getty on tty1 from the point the system is # started until it is shut down again. start on stopped rc RUNLEVEL=[2345] stop on runlevel [!2345] respawn #exec /sbin/getty -8 38400 tty1 exec /root/info.sh < /dev/tty1 > /dev/tty1 2>&1
And that was it. The only trick was that I needed to disable the screen saver (as shown in the info.sh script) so that the screen didn’t constantly blank.
And now I can watch the web activity on all of my sites in real time.