High server load

During the last few days, I experienced a high load on my server (sometimes up to 15). Each time it happens, I observed that apache was unable to serve pages. Restarting it regularly seemed to fix the problem.

Yesterday, I started to investigate the problem. Actually it was "referer spam". The stats of my blog are generated with webdruid and are available on http://blog.aurel32.net/stats/ . Some spammers tried to increase their website's page rank by submitting spoofed referers. It seems that they use zombie hosts, as the requests come from many IPs. The bad thing is that the hosts don't close the TCP connections, causing a lot of apache processes to be unable to serve pages. It's like a DoS, though this was not the aim.

A search on Google gave me a way to stop that. I added the following lines to /etc/wordpress/htaccess:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://www.spammersite1.com [OR]
RewriteCond %{HTTP_REFERER} ^http://www.spammersite2.com
RewriteRule .* - [F,L]

The load started to go down. Good! I also added a robots.txt, so that the stats pages are not indexed anymore by the search engines (note to the wordpress maintainer: it would be nice to have a /etc/wordpress/robots.txt).

After a day, I grepped the apache logs to find all the zombies' IPs, and I blacklisted all of them on my firewall with iptables, i.e. 217 IPs!
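The log grep from the last step can be automated. The script below is an added example and not the post's own code: it parses constructed Apache combined-format log lines, flags referer hosts that arrive from many distinct client IPs (the zombie signature described above), and prints both the IP list for the firewall and RewriteCond lines in the form used in the post. The threshold `min_ips` and the sample log are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format (assumed); fields: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two spam referers each sent from three zombies, one real referer, one empty one, one garbage line.
SAMPLE_LOG = [
    '203.0.113.1 - - [05/Jan/2005:10:00:01 +0100] "GET /stats/ HTTP/1.1" 200 4312 "http://www.spammersite1.com/" "Mozilla/4.0"',
    '203.0.113.2 - - [05/Jan/2005:10:00:02 +0100] "GET /stats/ HTTP/1.1" 200 4312 "http://www.spammersite1.com/x" "Mozilla/4.0"',
    '203.0.113.3 - - [05/Jan/2005:10:00:03 +0100] "GET /stats/ HTTP/1.1" 200 4312 "http://www.spammersite1.com/" "Mozilla/4.0"',
    '203.0.113.3 - - [05/Jan/2005:10:00:04 +0100] "GET /stats/ HTTP/1.1" 200 4312 "http://www.spammersite2.com/" "Mozilla/4.0"',
    '203.0.113.4 - - [05/Jan/2005:10:00:05 +0100] "GET /stats/ HTTP/1.1" 200 4312 "http://www.spammersite2.com/" "Mozilla/4.0"',
    '203.0.113.5 - - [05/Jan/2005:10:00:06 +0100] "GET /stats/ HTTP/1.1" 200 4312 "http://www.spammersite2.com/" "Mozilla/4.0"',
    '198.51.100.7 - - [05/Jan/2005:10:00:07 +0100] "GET /stats/ HTTP/1.1" 200 4312 "http://www.google.com/search?q=x" "Mozilla/5.0"',
    '198.51.100.8 - - [05/Jan/2005:10:00:08 +0100] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    'this line is not a valid log entry',
]

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def referer_hosts(lines, min_ips=3):
    """Map referer host -> set of client IPs, keeping only hosts seen from >= min_ips distinct IPs."""
    ips_by_host = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["referer"] in ("-", ""):
            continue
        host = urlsplit(rec["referer"]).hostname
        if host:
            ips_by_host[host].add(rec["ip"])
    return {h: ips for h, ips in ips_by_host.items() if len(ips) >= min_ips}

def zombie_ips(suspects):
    """Sorted union of the client IPs that sent a flagged referer (the firewall blacklist)."""
    return sorted(set().union(*suspects.values())) if suspects else []

def rewrite_rules(suspects):
    """Build the .htaccess block in the same shape as the post, with dots escaped for the regex."""
    hosts = sorted(suspects)
    out = ["RewriteEngine On"]
    for i, h in enumerate(hosts):
        flag = " [OR]" if i < len(hosts) - 1 else ""
        out.append(f"RewriteCond %{{HTTP_REFERER}} ^http://{re.escape(h)}{flag}")
    out.append("RewriteRule .* - [F,L]")
    return out

if __name__ == "__main__":
    found = referer_hosts(SAMPLE_LOG)
    print("\n".join(zombie_ips(found)))
    print("\n".join(rewrite_rules(found)))
```

With a real log, replace `SAMPLE_LOG` by `open("/var/log/apache/access.log")` and tune `min_ips` so that a referer from a single legitimate visitor is never flagged.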

This event reminds me that my server doesn't have enough RAM and that I should add some more.

Do some kind of greylisting on Debian bugs?

Over the last few months, it seems that the number of silly bugs is increasing. Of course, in most of the cases, the severity of such silly bugs is set to critical. I won't list all those silly bugs (it would take too long :) ), but I'll take two examples, which are very recent as they occurred today and yesterday.

The first one is the bug #289666 titled "sane only work as root on 2.6.10 (2.6.*)". The bug reporter explains that the module scanner.o has been removed from the kernel and thus he, and all other users, should use the root account to scan a document. He thinks it is a critical security bug. I don't know why Julien Blache wrote a README to explain how to be able to scan as a user! The command is very simple: adduser user scanner.

The second annoying bug was filed today on OpenOffice.org. It is bug #289800 and is titled "openoffice.org: please enable autosave per default". Basically, the user was writing a text on OpenOffice.org, and his machine crashed. As he hadn't saved the document, and as autosave was not enabled, he lost it. Surely not a critical bug. Maybe the user should learn to click on the save icon instead of sending bug reports!

Maybe we should do something to avoid these annoying bugs. A kind of greylisting, which first sends back an email to the bug reporters (asking them if they have read the documentation, if they have verified that the bug has not already been reported, if they are using the latest version) and then waits for a key contained in the email to be returned to validate the bug. This could also avoid people using invalid email addresses.

Yes, such a system looks like a bit silly... just as some of the bug reporters.

Back on the Internet

My ADSL line was opened yesterday, so I am back on the Internet! Actually during the last two months, I still had an Internet connection, but only through a 56k modem, not really usable for maintaining Debian packages or for doing an "apt-get upgrade" on my machines (and a bit costly).

I have been in my apartment for a month, and it took two weeks to get the invoice of my telephone line, one more week to get the ADSL line and one more week to get my modem from the post.

The connection is an ADSL2+ connection, so there is enough upload rate to be able to host websites. I moved all my websites to my home server, and I am just waiting for the activation of the reverse DNS to be able to host an SMTP server.

US presidential elections

John Kerry has just called George Bush to congratulate him. Like most European people I am disappointed by the result of the elections.

But maybe the question is why US elections are so important for European people. Maybe Europe is not united enough to be an alternative to the US power...

My new apartment

Yesterday I moved to my new apartment. Moving was not really easy as it was raining cats and dogs. The apartment now looks a bit empty, as I currently only have a camping mattress, a sleeping bag, a few clothes, without forgetting my computers... I need to buy a mattress, a fridge, solid plates, etc.

In the next few days, I'll have to open a telephone line, with an ADSL connection. I hope it won't take too much time, as it's not very easy to only have Internet access at work. That's why I am not so active in Debian for now, though I am still reading my mails and uploading packages.

Switching to kernel 2.6 (part 2)

Yesterday I switched all of my machines but one to kernel 2.6. The last one to migrate is a SparcStation 4. It is a little bit complicated as the BIOS refuses to recognize my hard drive since I changed it from a 2.1GB one to a 9.1GB one. After an afternoon of tests, I decided to boot this workstation via the network, as the Linux kernel recognizes it.

Using a 2.4 kernel was very easy, you just have to convert the Debian kernel to a.out format using zcat and elftoaout. For a 2.6 kernel, it is a little more complicated as Debian ships them with an initrd image. After a few minutes searching Google, I found the solution:

zcat /boot/vmlinuz > vmlinux
elftoaout -o netboot.img vmlinux
piggyback netboot.img /boot/System.map /boot/initrd.img

It seems to work well, however the image is 271,654,944 bytes long. I still don't understand why.

My firewall

In my latest post (Switching to kernel 2.6), I spoke quickly about my firewall. In the comments, I was asked for information about it. So I decided to write a new post.

My firewall is based on a micro-ATX PIII mainboard with an Intel Celeron 600. I know that it is too much for my use (the load is almost always 0), however I already had the mainboard. This processor is one of the slowest processors that the mainboard accepts (the lowest speed is 500 MHz). Anyway that kind of processor is a good choice for such a computer, as it is one of the first processors using a 0.18µm technology, thus it doesn't need a lot of power (for an x86). Using an Aqua 690 heatsink it can run without a fan.

This mainboard has an integrated Ethernet adapter, and 3 PCI ports. I chose to use them to plug in three Ethernet adapters, that is to say a total of four. Currently three of them are set up as a bridge, but I can later un-bridge one or more ports if I need. It could be useful to plug in a WiFi access point, or to create a DMZ for my servers (just for the fun as I am the only user of my LAN).

Instead of using a hard drive, which makes noise and heat, I chose to use a 256MB Compact Flash card. I made a CF/IDE adapter using the article published in Elektor (April 2002 for the French edition). It is now possible to find such an adapter in some webshops.

I packed all that stuff in a metal box, with a 120W Shuttle Power Supply. The longest part was to machine the metal, with a drilling machine and a file in my case.

On the software side, this firewall is running Debian, with two scripts of my own using iptables: one for IPv4 and one for IPv6. 256 MB is enough for that and some useful packages (ADSL modem drivers, radvd, ping, traceroute, tcpdump, ethstatus, lm-sensors, snmpd, ntp, logcheck, etc.).

Below is a photo of the inside (sorry for the poor quality, I took it with my webcam as I still don't have a digital still camera):

Inside my firewall

You can see a fan grille on the front, however there is no fan behind it. I removed it as it was making noise, and was not really necessary. Concerning the processor's fan, I control it using lm-sensors, and it is almost always off, resulting in a very silent firewall.

I used the same box for my servers, however they are using a hard drive. It is possible to put up to two hard drives (useful for RAID1) in such a box, if you are using low profile RAM.

Switching to kernel 2.6

I decided to switch all my machines to kernel 2.6. I now consider the kernel 2.6 stable enough, at least for the use of my machines. Except for my workstation on which I like to add some patches, I am using Debian kernels for my other machines. Moreover some of them are very slow (a parisc@60 MHz and a sparc@110 MHz), and building a kernel on such machines takes a very long time.

I started with my backup server, it was very easy, apt-get install and voilà!

Then I switched my firewall. It was not as easy as for my backup server, as I only have a 256 MB disk (actually a compact flash card). Because of its size, it was not possible to have two kernels at the same time on the disk. I decided to remove the old 2.4 kernel (/boot and /lib/modules), to install the new 2.6 kernel. Then I typed reboot, and started to pray. As I have neither a display nor a keyboard on that machine, I started to look both at the hard disk's LED and at a console on my workstation on which I started ping fourier. After some time (I don't know exactly how much, in such situations seconds are like minutes), there was some echo reply. Wonderful!

After such successes, I decided to continue and to switch my hppa machine. Again apt-get, then a quick look at palo's documentation to know how to specify an initrd image, and then reboot. After a lot of time, it was still not possible to ping the machine. Shit! PALO has the possibility to specify an alternate kernel in case of a problem, however in that case it seems it has failed... or the boot was maybe successful. Half an hour later, after I plugged in a screen, a keyboard and a null-modem serial cable, I understood the problem: the module for the network card was not loaded (whereas it was directly built into the 2.4 kernel). And hotplug doesn't load it as it is not on a PCI bus. I took my keyboard and started to write my login. Nothing. The keyboard's module was also not loaded. I switched back to the 2.4 kernel, I put a lot of modules into /etc/modules (network card, keyboard, mouse, sound card, parallel port, serial port, etc.). And it worked!

Moral: Don't change your kernel when you only have very little time to do that. It always takes a lot longer than expected.

Finding a flat

On Monday, I received a phone call to tell me that I am accepted at the Centre de Recherche Astronomique de Lyon to do a PhD. I will begin it on the 1st of October.

I am currently living at my parents' house, which is located in Toulouse, so I have to find a flat very quickly. I'll take the train to Lyon tomorrow, and I hope my search will be successful.

Fixing gcc-m68hc1x

Today, I spent all the day fixing gcc-m68hc1x. It is gcc built for cross-compiling to 68HC11 and 68HC12 microcontrollers. There was a strange bug: an ICE on 64-bit hosts. Actually the bug had been there for a long time, but I had decided that the version currently in testing would be enough. However, yesterday a bug was filed as a package needed to build it was not available anymore in testing.

So I started to try to debug it. It was the first time I was looking at gcc's sources. Wow! I didn't know where to start to find the bug. I asked on IRC on #gcc, but people were not encouraging me: "aurel32, that bug is not easy to tackle for newbies". I first reduced the file causing the ICE to a single line in a function, I added a lot of printf in gcc's sources, and then tried to compile the same testcase both on a 32-bit host and a 64-bit host. At the end of the day I found some differences, and with that, the bug!

As the ICE was triggered by the build of libgcc2, gcc-m68hc1x was unbuildable on 64-bit hosts. Now that this bug is fixed, it means one RC bug less.

And in short for any people writing code: please don't assume that a 64-bit number needs two int to be represented!