Why Use a Passphrase, Reprisal

I read a rebuttal or two to my previous post, where I mentioned that using a passphrase protects your private key, if someone gains access to your account. Their main argument was that if your system gets hacked, then the bad guy has complete access to your machine and you’re screwed anyways. True, if someone gets root on your machine, the game is pretty much over. As root, they can do really nasty things like steal ssh-agent identities and install key loggers to snoop your passphrase.

The problem is that root exploits are not the only way to get hacked. What if a bug in a web browser’s Javascript exposes local filesystem access? A nasty web page could read your private key file (~/.ssh/id_rsa), and post it to a website, for example. Or what if you accidentally left your laptop unattended (and unlocked) for a few minutes at the coffee shop? Someone could grab the private key file and stick it on a USB drive. If the attacker was even half way smart, they’d grab ~/.ssh/known_hosts along with your key, since that contains host names you’ve connected to.

Without a passphrase, your private key is completely usable to the bad guy. Using a passphrase encrypts your private key, so that they would have to crack your passphrase to get access to it. In summary, an empty passprhase on your private key is a bad idea. It’s just asking for trouble.

The Über-server

Okay, back to the topic at hand: ssh-agent on Leopard. One of the benefits of SSHKeychain (or one of the other ssh-agent apps for OS X) is that it starts ssh-agent at login time. It also sets the SSH_AUTH_SOCK environment variable (which points to a Unix domain socket) to be accessible by all apps (usually by modifying ~/.MacOSX/environment.plist). Leopard gives you the equivalent of this, out of the box. Open up a terminal and see:

% echo $SSH_AUTH_SOCK
/tmp/launch-nZRFjA/Listeners
While this environment variable is automatically set for all processes, this is a little deceiving. ssh-agent does not actually get started when you log in. Go ahead and see for you self, by running this command right after you login:

% ps xa | grep ssh-agent | grep -v grep
You should get nothing back. It turns out that ssh-agent gets started on demand, the first time something tries to connect to the socket:

ps xa | grep ssh-agent | grep -v grep ssh-add -l
The agent has no identities.
% ps xa | grep ssh-agent | grep -v grep
10877 ?? S 0:00.02 /usr/bin/ssh-agent -l
The ssh-add -l tried to connect to the socket, and thus caused ssh-agent to launch. Pretty nifty.

But how can the SSH_AUTH_SOCK be valid without ssh-agent? The magic sauce is launchd. launchd was introduced in Mac OS X 10.4 as a replacement for many traditional Unix daemons such as cron, xinetd, and init. Since (x)inetd is known as a super-server, and launchd replaces xinted plus a few other daemons, I like calling launchd an über-server. In this context, launchd creates the Unix domain socket and listens for connections, on behalf of ssh-agent. When something connects, it automatically launches ssh-agent. Since launchd is always running, it can listen for connections right after you login.

For the curious, this is done with the new SecureSocketWithKey plist key for launchd. From launchd.plist(5):

This optional key is a variant of SockPathName. Instead of binding to a known path, a securely generated socket is created and the path is assigned to the environment variable that is inherited by all jobs spawned by launchd.

Rock! The launchd plist file for ssh-agent is at:

/System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
The benefit of this lazy launching is that ssh-agent is only run if you use ssh. If you never use ssh, the agent never gets launched, and you don’t waste any resources running it.

Keychain Integration

But the awesomeness doesn’t stop there. If you have an SSH key and try to connect to a server, you’ll get this nifty dialog box asking for your passphrase:

The first benefit of this dialog box is that it uses a secure text field for your passphrase. This field is not copiable and not snoopable via universal access or low-level keyboard routines. The real benefit, though, is the second checkbox: “Remember password in my keychain.” While it does store the passphrase in your keychain, it actually does more than that. It also adds the identity to your ssh-agent for you:

ssh-add -l

The agent has no identities. ssh dave@example.com
... Type passphrase and check "Remember in my keychain" ...
example.com> exit
Connection to example.com closed.
% ssh-add -l
2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx /Users/dave/.ssh/id_rsa (RSA)
By adding your identity to the agent, you can now log right back into the same machine, without typing any passphrase. However, ssh does not prompt for you passphrase because it gets it from the agent, not your keychain. Remove your identity from the agent, and try again:

ssh-add -D

All identities removed. ssh dave@example.com
You’ll get that same GUI dialog box again. But it stores your passphrase in your keychain, right? Then why is it asking for your passphrase if it’s in your keychain? And, why would it store the passphrase in your keychain if it’s not going to actually use it? I know I was scratching my head at this point. Well, it does use the keychain, just not how you may think.

It turns at that when ssh-agent is started, it automatically adds all identities that have passphrases stored your keychain. So the normal workflow, where identities are not removed from the agent, just works. Since the GUI dialog box added your identity to the agent when it added the passphrase to your keychain, you don’t need enter your passphrase again for the rest of that login session. For all future sessions, the identity is automatically added when ssh-agent starts. And remember from above, that ssh-agent starts on demand, only when needed. Thus, you only enter your passphrase once, and from then on it grabs it from the keychain.

Manually Adding Identities

If you do want to remove your identities, you can manually add all the identities from the keychain with the Apple-specific -k option on ssh-add. From ssh-add(1):

Add identities to the agent using any passphrases stored in your keychain.

Sweet! Let’s try it out:

ssh-add -D

All identities removed. ssh-add -l
The agent has no identities.
ssh-add -k

Added keychain identities. ssh-add -l
2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx /Users/dave/.ssh/id_rsa (RSA)
Beware, the passphrase dialog box is not a GUI version of SSH_ASKPASS, though. Try adding identities without consulting the keychain, and you’ll still get prompted in the terminal:

ssh-add -D

All identities removed. ssh-add
Enter passphrase for /Users/dave/.ssh/id_rsa:
And that covers it. I’m a little too paranoid to use this default behavior, though, as I don’t want my passphrase to be stored in my login keychain. Thus, I’ve written a follow-up article that discusses possible ways to beef up security of your passphrase

# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n

1 CLOSE_WAIT 1 established)
1 Foreign
3 FIN_WAIT1
3 LAST_ACK
13 ESTABLISHED
17 LISTEN
154 FIN_WAIT2
327 TIME_WAIT

# netstat -nat |grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n

2 LAST_ACK 2 LISTEN
4 FIN_WAIT1
14 ESTABLISHED
91 TIME_WAIT
130 FIN_WAIT2

# netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n

15 CLOSE_WAIT 37 LAST_ACK
64 FIN_WAIT_1
65 FIN_WAIT_2
1251 TIME_WAIT
3597 SYN_SENT
5124 ESTABLISHED

# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq

# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq | wc -l

449

# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n

1 10.0.77.52 2 10.1.11.3
4 12.109.42.21
6 12.191.136.3
.....
...
....
13 202.155.209.202
18 208.67.222.222
28 0.0.0.0
233 127.0.0.1

You can use tcptrack command to display the status of TCP connections that it sees on a given network interface. tcptrack monitors their state and displays information such as state, source/destination addresses and bandwidth usage in a sorted, updated list very much like the top command.
Display Summary Statistics for Each Protocol

# netstat -s | less # netstat -t -s | less
# netstat -u -s | less
# netstat -w -s | less
# netstat -s

88354557 total packets received 0 forwarded
0 incoming packets discarded
88104061 incoming packets delivered
96037391 requests sent out
13 outgoing packets dropped
66 fragments dropped after timeout
295 reassemblies required
106 packets reassembled ok
66 packet reassembles failed
34 fragments failed

18108 ICMP messages received 58 input ICMP message failed.
ICMP input histogram:
destination unreachable: 7173
timeout in transit: 472
redirects: 353
echo requests: 10096
28977 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 18881
echo replies: 10096

1202226 active connections openings 2706802 passive connection openings
7394 failed connection attempts
47018 connection resets received
23 connections established
87975383 segments received
95235730 segments send out
681174 segments retransmited
2044 bad segments received.
80805 resets sent

92689 packets received 14611 packets to unknown port received.
0 packet receive errors
96755 packets sent

48452 invalid SYN cookies received 7357 resets received for embryonic SYN_RECV sockets
43 ICMP packets dropped because they were out-of-window
5 ICMP packets dropped because socket was locked
2672073 TCP sockets finished time wait in fast timer
441 time wait sockets recycled by time stamp
368562 delayed acks sent
430 delayed acks further delayed because of locked socket
Quick ack mode was activated 36127 times
32318597 packets directly queued to recvmsg prequeue.
741479256 packets directly received from backlog
1502338990 packets directly received from prequeue
18343750 packets header predicted
10220683 packets header predicted and directly queued to user
17516622 acknowledgments not containing data received
36549771 predicted acknowledgments
102672 times recovered from packet loss due to fast retransmit
Detected reordering 1596 times using reno fast retransmit
Detected reordering 1 times using time stamp
8 congestion windows fully recovered
32 congestion windows partially recovered using Hoe heuristic
19 congestion windows recovered after partial ack
0 TCP data loss events
39951 timeouts after reno fast retransmit
29653 timeouts in loss state
197005 fast retransmits
186937 retransmits in slow start
131433 other TCP timeouts
TCPRenoRecoveryFail: 20217
147 times receiver scheduled too late for direct processing
29010 connections reset due to unexpected data
365 connections reset due to early user close
6979 connections aborted due to timeout

# netstat --interfaces=eth0

Kernel Interface table Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 2040929 0 0 0 3850539 0 0 0 BMRU

LSOF provides verbose output and is useful in tracking down all sorts of information. For example, it allows you to see what program is operating on an open port, which daemons have established connections, and what ports are open on your server.

While similar in many ways to utilities like netstat and fuser, LSOF has many unique options that let you find specific information on ports, users, processes, and files.

Getting and installing LSOF

On many Linux systems, LSOF will be installed by default. Try running lsof -v to see whether the program exists on your system. If it doesn't, you will need to download one of the many packages available and install it yourself. Source and binary versions are available here, while distribution-specific packages are available from locations such as Rpmfind.net and are included in databases for apt-get, up2date, and urpmi.

If you are installing from source, download the tarball and perform these commands:

tar xpfz lsof_4.64.tar.gz
cd lsof_4.64
tar xpf lsof_4.64_src.tar
cd lsof_4.64_src
./Configure linux make

During the configuration, you have the option of running an inventory to verify that all the files necessary for compilation are present. You will be asked if you want to customise the installation. This shouldn't be necessary on most Linux platforms, so answering no is fine. If you encounter any problems running LSOF later, you may want to come back and try some customisation. Customisation may also be needed if you upgrade or modify your kernel.

After running make, the executable lsof should appear in the directory. There is no default make install rule, so you can create your own or just copy lsof to your directory of choice. Keep in mind that you may need to modify its permissions to be setuid-root if you want regular users to be able to see all open files. Not that this is necessarily recommended, but it's good to remember, since the output generated when LSOF is run as root will be different from the output generated when it's run by a normal user account.

Looking at network connections

As its name indicates, LSOF deals with open files on a Linux system. An open file can be a regular file, a directory, a library, a stream, or a network socket. You can take advantage of various LSOF options, depending on what you're looking for.

Running lsof by itself will output all open files corresponding to every active process on the box. This can be quite lengthy, so it's best to know what you are looking for in advance. You can get a quick rundown of the options with lsof -h, and the man page goes into much further detail. Let's take a look at some common switches and what they will show us.

lsof -i

The lsof -i command lists all open files associated with Internet connections. It is similar in format to netstat -a -p and will look something like Listing A.

By default, LSOF lists detailed information about each connection. In Listing A, we see the command or program involved, the process ID (PID), the user running the command, the file descriptor (FD), the type of connection, the device number, the Internet protocol, and the name of the file or Internet address. The -i option can be useful when you're attempting to secure your Linux box. You can quickly determine what ports are open and listening for incoming connections. LSOF will also associate them with a program name. Thus, you can quickly identify unnecessary security risks and shut them down.

Ports that are awaiting connections have the keyword LISTEN appended to them. These are ports that are open and accepting connections. Note that LSOF will not distinguish between ports that are completely open and ones that have filters applied. The keyword ESTABLISHED indicates that a connection on the given port has been made. In Listing A, there is an SSH session from labrat.remote.net to test.com. You can see multiple processes associated with the sshd daemon. The main daemon, PID 597, handles incoming requests and forks itself as needed. PID 8545 was spawned by sshd and is responsible for the 8547 process. The only noticeable difference between 8545 and 8547, besides the PID, is in the user field. Notice that lhutz is the user who has remotely logged in to this box. This is useful information that goes beyond merely presenting network connections.

You can narrow your search by specifying a particular port, service, or host name using techniques such as:

lsof -i :587
lsof -i :smtp
lsof -i @labrat.remote.net

LSOF will then output all matching connections. The above examples will list connections listening or established on port 587, list connections associated with the well-known service SMTP, and list connections coming from or going to the host labrat.remote.net, respectively. These techniques are handy if you know what you are looking for in advance. You can watch and see whether inbound SMTP connections are taking too long, possibly causing timeouts. You can verify that the service is in fact running and what port it is listening on. And you can see if anyone from a certain device is connected to your system, whether it is via SSH, Telnet, FTP, or just about any other way possible.

lsof -p 409

LSOF will also accept a PID and output all open files it is using. In this particular instance, we performed an lsof -I to determine what PID number NameD (BIND DNS service) was operating under. Once we discovered it was 409, we issued the command lsof -p 409. The output is shown in Listing B.

You'll notice the different FDs, or file descriptors, right away. The cwd variable represents the current working directory of the process; txt defines the program text, which is the executable itself; mem is a file held in memory, in this case a library; the 4 and 21 represent files in use by this particular process; and the u designator defines them as having both read and write access. These all help you determine whether something physically exists on the system, is being used by the process, or is being held in memory.

lsof +d

The command lsof +d /var/log/apache/ is similar to fuser. It basically associates open files with their processes. In this case, we are looking at all regular files in the /var/log/apache/ directory. The output would look something like Listing C. In this example, Apache is keeping track of two sets of log files, an access and an error log for two domains. As you can see, there are some differences between regular files and Internet connections. For one thing, the TYPE is now REG, indicating a regular file. Also, a SIZE variable is present, which indicates the actual size in bits the file takes up. Notice too that the DEV variable indicates they all use the same device, in this example, a single hard drive. The +d flag that was issued with LSOF tells the command not to leave the top-level directory, while +D would perform a recursive check on all subdirectories.

lsof -F <...>

The -F switch provides an excellent way to format LSOF output. This built-in feature allows you to pipe information directly into external programs, such as a Perl script, a C program, or even a monitoring program like MRTG. You do this by specifying which fields you would like printed. For example, lsof -F pcfn would print the process ID, the command name, the file descriptor, and the filename. Many options are available, and this can save you time in working with the raw data yourself.

We've covered just a few of the options LSOF provides, but the man page covers the full spectrum of LSOF capabilities. Some LSOF commands may be processor intensive, due to the sheer number of processes on a system, so be as selective as possible when running commands.

Summary

LSOF is an excellent utility for managing and tracking network connections on your Linux system. Although a number of utilities can perform similar functions, none is quite as robust as LSOF. With LSOF, you can list open ports, identify connections currently being made to your system, and determine what resources a process is using. Not only that, but you can also determine what processes a particular user has and find detailed information about file and directory usage.

First thing's first: In your Plesk control panel, make sure that you have your server updated with Ruby On Rails is installed. To do so, go to Server > Updater and enable "Ruby on Rails Support."

After this, go to your domain, and enable FastCGI, which will allow your site to use RoR.

Change to your httpdocs directory:

Code:

cd /var/www/vhosts/{domainname.com}/httpdocs

Create a basic rails application. To do so, use this command:

Code:

rails {railsapp}

Remember to replace {railsapp} with the name of your application.

Change the file ownership to the domains user/group:

Code:

chown {user}:{group} {railsapp}

Change the permissions on the sessions directory:

Code:

chmod 777 {railsapp}/tmp/sessions

Note: Someone let me know if this is a bad idea ... I don't think it is, but I'm not sure. My system had problems writing to the sessions folder unless I chmod'd 777.

Change directory to your new application and edit your .htaccess file in the public/ directory:

Code:

nano {railsapp}/public/.htaccess

On line 2, change:
Code:

AddHandler fastcgi-script .fcgi

To:
Code:

AddHandler fcgid-script .fcgi

On line 32, change:
Code:

RewriteRule ^(.*)$ dispatch.cgi [QSA,L]

To:
Code:

RewriteRule ^(.*)$ dispatch.fcgi [QSA,L]

Test your installation. Go to http://www.{domainname.com}/{railsapp}/public/

You should see the standard "Welcome Aboard" Rails index page.

https://sourceforge.net/project/sho...lease_id=137934

You can find there as RPM as well as source RPM packages. So instructions are simple:

Create an empty directory to restore the back up file:

1. mkdir recover
2. cd recover

Create ungzipped copy of the backup in the current directory.
# gunzip < /PATH_TO_BACKUP/BACKUP_FILE > domain-backup.mime

Run munpack to extract content of directories from the backup file
# munpack domain-backup.mime
# ls -al

Untar the needed directory. For example if you need to restore httpdocs:

#mkdir httpdocs/
# tar xvf DOMAIN.TLD.httpdocs -C httpdocs/

In destination directory - httpdocs you should get all files.

1. There is a button in the middle of the page labelled 'Browse'. Click
'Browse' and navigate to the location of the saved site certificate you
received from Starfield. Selecting it, then select 'Send File', this will
upload and install the certificate against the corresponding Private Key.
2. The certificate name will now appear in the list of certificates at the
bottom of the page.
3. Click on the name of the Certificate from the list.
4. The box on the page labelled 'CA Certificate'. You will need to paste
both the Starfield intermediate certificate and ValiCert root certificates
from the .zip file you have received into this box.

They must be pasted this in order, the Starfield intermediate
certificate first, followed by the ValiCert root certificate, the result will
look similar to the example below (Please note: no blank line between
then end of one certificate and the start of the next):

-----BEGIN CERTIFICATE-----
MIIEQTCCA6qgAwIBAgICAQQwDQYJKoZIhvcNAQEFBQAwgbsxJD
AiBgNVBAcTG1Zh
bGlDZXJ0IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVm
FsaUNlcnQsIElu
Yy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IF
ZhbGlkYXRpb24g
QXV0aG9yaXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZX
J0LmNvbS8xIDAe
BgkqhkiG9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTA0MD
ExNDIxMDUyMVoX
DTI0MDEwOTIxMDUyMVowgewxCzAJBgNVBAYTAlVTMRAwDgYDVQ
QIEwdBcml6b25h
MRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZm
llbGQgVGVjaG5v
bG9naWVzLCBJbmMuMTAwLgYDVQQLEydodHRwOi8vd3d3LnN0YX
JmaWVsZHRlY2gu
Y29tL3JlcG9zaXRvcnkxMTAvBgNVBAMTKFN0YXJmaWVsZCBTZW
N1cmUgQ2VydGlm
aWNhdGlvbiBBdXRob3JpdHkxKjAoBgkqhkiG9w0BCQEWG3ByYW
N0aWNlc0BzdGFy
ZmllbGR0ZWNoLmNvbTCBnTANBgkqhkiG9w0BAQEFAAOBiwAwgY
cCgYEA2xFDa9zR
aXhZSehudBQIdBFsfrcqqCLYQjx6z59QskaupmcaIyK+D7M0+6
yskKpbKMJw9raK
gCrgm5xS4JGocqAW4cROfREJs5651POyUMRtSAi9vCqXDG2jim
o8ms9KNNwe3upa
JsChooKpSvuGIhKQOrKC1JKRn6lFn8Ok2/sCAQOjggEhMIIBHTAMBgNVHRMEBTAD
AQH/ MAsGA1UdDwQEAwIBBjBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi
8vY2VydGlm
aWNhdGVzLnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkvcm
9vdC5jcmwwTwYD
VR0gBEgwRjBEBgtghkgBhvhFAQcXAzA1MDMGCCsGAQUFBwIBFi
dodHRwOi8vd3d3
LnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkwOQYIKwYBBQ
UHAQEELTArMCkG
CCsGAQUFBzABhh1odHRwOi8vb2NzcC5zdGFyZmllbGR0ZWNoLm
NvbTAdBgNVHQ4E
FgQUrFXet+oT6/ yYaOJTYB7xJT6M7ucwCQYDVR0jBAIwADANBgkqhkiG9w0BAQUFAAOBgQB+HJi+rQONJYXufJCIIiv+J/RCsux/tfxyaAWkfZHvKNF9IDk7eQg3aBhS
1Y8D0olPHhHR6aV0S/xfZ2WEcYR4WbfWydfXkzXmE6uUPI6TQImMwNfy5wdS0XCP
mIzroG3RNlOQoI8WMB7ew79/RqWVKvnI3jvbd/TyMrEzYaIwNQ==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIC5zCCAlACAQEwDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBA
cTG1ZhbGlDZXJ0
IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcn
QsIEluYy4xNTAz
BgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYX
Rpb24gQXV0aG9y
aXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS
8xIDAeBgkqhkiG
9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTk5MDYyNjAwMT
k1NFoXDTE5MDYy
NjAwMTk1NFowgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0IFZhbGlkYX
Rpb24gTmV0d29y
azEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAzBgNVBAsTLF
ZhbGlDZXJ0IENs
YXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9yaXR5MSEwHw
YDVQQDExhodHRw
Oi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG9w0BCQEWEW
luZm9AdmFsaWNl
cnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOOn
HK5avIWZJV16vY
dA757tn2VUdZZUcOBVXc65g2PFxTXdMwzzjsvUGJ7SVCCSRrCl
6zfN1SLUzm1NZ9
WlmpZdRJEy0kTRxQb7XBhVQ7/nHk01xC+YDgkRoKWzk2Z/M/VXwbP7RfZHM047QS
v4dk+NoS/ zcnwbNDu+97bi5p9wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBADt
/UG9v
UJSZSWI4OB9L+KXIPqeCgfYrx+jFzug6EILLGACOTb2oWH+heQ
C1u+mNr0HZDzTu
IYEZoDJJKPTEjlbVUjP9UNV+mWwD5MlM/Mtsq2azSiGM5bUMMj4QssxsodyamEwC
W/POuZ6lcg5Ktz885hZo+L7tdEy8W9ViH0Pd
-----END CERTIFICATE-----

5. Click the 'Send Text' button.
6. Now click 'Up Level' from the top right of the screen and choose
'Setup'.
7. At the top of the page, change the 'SSL Certificate' drop-down
menu to the certificate you have just installed.
8. Click the 'Server' item from the left hand menu.
9. Click on the 'Service Management' menu item.
10. You now need to Stop and Start the Apache process.

NOTE: Restarting Apache will NOT work. You must stop the service, then
start it again to complete the installation

Good luck!

Mac users have become quite familiar with using Sleep mode. In Sleep mode, Macs go into a very low-power mode, while saving the current session for later use. Putting a Mac to sleep will continue to power RAM in sleep mode, so that whatever was in RAM when the computer went to sleep will still be there when the computer wakes. Sleep mode is almost instantaneous, consumes very low power, and as a PowerBook owner its indispensable to me. Still though, it requires a power-source (however low) and there are times when laptop batteries are completely depleted or a user wants to completely power-off their Mac.

Similar to Sleep, Windows “Hibernates,” while Linux “Software Suspends”. They are not as fast as Sleep mode, but they take it a step further by not using any power. When Hibernating, a PC quickly saves the current session to the hard drive, shuts-down, and completely powers-off the computer. Upon powering-on, the user is quickly returns to the previous session.

Safe Sleep

Up until recently, Mac users didn’t have a similar Sleep mode which required no power. When Apple announced new PowerBooks in October 2005, it also introduced Safe Sleep to Mac OS X, an extention to Sleep mode that allows for hibernation without power.

According to an Apple article:

Safe Sleep ensures that data stored in main memory will not be lost should the system shut down due to a loss of power during sleep mode. Prior to your system entering sleep, Safe Sleep automatically saves the contents of main memory […] to the hard drive. In the event the battery becomes completely depleted while the system is asleep, the computer will shut down. But when a power adapter is connected or a freshly charged battery is installed, the PowerBook can be restarted and it will automatically return to the desktop state that existed prior to entering sleep.

When restarting a PowerBook from Safe Sleep, a progress bar indicates that the PowerBook is waking from Safe Sleep. The screen is also in gray-scale and slightly blured.

How to Enable Safe Sleep

Safe Sleep is so-far only officially available on the new PowerBooks. But Safe Sleep is very much software based , not hardware based. With Apple’s release of mac OS 10.4.3, Safe Sleep can be enabled on many Macs thanks to an excellent hack. To do so first insure Mac OS X, is up-to-date to with version 10.4.3 (or above). If not, run Software Update.

Reportedly working laptops include (but not necessarily limited to) iBook G4s, Aluminum PowerBook G4s. You may also try Safe Sleep on desktops. For a much more technical look into enabling it, visit the source information on the hack.

Warning: Enabling Safe Sleep is essentially a hack. It is very likely to work on recent Macs, but enabling Safe Sleep may cause your Mac to explode, implode, melt, freeze, have a heart-attack, or develop an inguinal hernia.

1. Apply Safe Sleep Property

To summarize, new PowerBooks have the “has-safe-sleep” property. To apply this property to your Mac, something needs to be run in Open Firmware at boot. In the Terminal enter the folling, hitting return at the end of each line:

sudo nvram nvramrc='" /" select-dev
" msh" encode-string " has-safe-sleep" property
unselect
@'@

sudo nvram "use-nvramrc?"=true

In a Terminal shell it should look as follow:

Last login: Fri Nov 11 11:11:11 on ttyp1
Welcome to Darwin!
computer:~ User$ sudo nvram nvramrc='" /" select-dev
> " msh" encode-string " has-safe-sleep" property
> unselect
> '
computer:~ User$ sudo nvram "use-nvramrc?"=true

The Mac must be restarted to set the changes.

2. Allow Hibernate Mode

To continue, you must have at least as much free disk space as physical memory , plus 750MB. To enable Sleep Safe, in the Terminal enter:

sudo pmset -a hibernatemode 3

If you have secure virtual memory enabled, use 7 rather than 3 to disable encrypted hibernation. Encrypted hibernation does not work. Do not set it to 7 if you do not have secure virtual memory.

This should create the file /var/vm/sleepimage.

When your Mac is set to sleep, it will now enter regular Sleep mode (consuming minimal power) first. If you prefer to enter Safe Sleep mode directly (note: it takes a few seconds more to sleep and wake-up) then instead enter:

sudo pmset -a hibernatemode 1

Use 5 with secure virtual memory.

To disable Safe Sleep:

sudo pmset -a hibernatemode 0

The Mac does not need to be restarted to set the changes to hibernate mode.

3. Verify Sleeping

Put the Mac to sleep and wait for the light to start pulsing. Wait a few more seconds. Wake it normally (by hitting the space bar for example).

Open Console and view system.log, or simply open the file /var/log/system.log. Look for a line indicating that the process worked. It is similar to:

Nov 11 12:15:33 computername kernel[0]: System SafeSleep

4. Verify Safe Sleep

Now attempt to actually Safe Sleep for real. Put the Mac to Sleep, and wait for the light to start pulsing. Remove the power-source plug and the battery. Wait for the light to stop pulsing and turn off, which may take a a couple of minutes. Your Mac should now be in Safe Sleep mode. Plug the power back in and add the battery. Start-up. It should show the previous saved desktop (blurred and in grayscale) along with a progress bar as pictured above. The system should be back to the way you left it.

Troubleshooting

You may have problems with a bad hibernate images, which may repeatedly kernel panic. Try restarting which will start the image again. It may work. It may not, and repeatedly fail. This can happen if you don’t set hibernatemode properly with secure virtual memory (try alternating between 1+5 or 3+7). If a bad hibernate image keeps booting then crashing reboot the mac holding down Command-Option-O-F to get in to Open Firmware. Type:

setenv boot-image
Hit return, then enter:

boot

Disable Safe Sleep

To disable Safe Sleep enter in the Terminal:

sudo pmset -a hibernatemode 0

No need to restart.

For a more full undo, disable all nvramrc variables:

sudo nvram "use-nvramrc?"=false
Enter password, then restart.

Conclusion

Now that Safe Sleep is working for me, I have set my PowerBook to use Safe Sleep, instead of just regular Sleep mode that consumes power. It take about 15 seconds to enter Safe Sleep, and about 40 seconds to wake-up from it. That is way longer than the 2 seconds it takes for regular Sleep and wake-up.

Safe Sleep seems very promising though and it will be interesting to see if Apple supports it with older laptops.

Enable Directory Browsing

Options +Indexes
## block a few types of files from showing
IndexIgnore *.wmv *.mp4 *.avi
Disable Directory Browsing

Options All -Indexes
Customize Error Messages

ErrorDocument 403 /forbidden.html
ErrorDocument 404 /notfound.html
ErrorDocument 500 /servererror.html
Get SSI working with HTML/SHTML

AddType text/html .html
AddType text/html .shtml
AddHandler server-parsed .html
AddHandler server-parsed .shtml
# AddHandler server-parsed .htm
Change Default Page (order is followed!)

DirectoryIndex myhome.htm index.htm index.php
Block Users from accessing the site

order deny,allow
deny from 202.54.122.33
deny from 8.70.44.53
deny from .spammers.com
allow from all

Allow only LAN users

order deny,allow
deny from all
allow from 192.168.0.0/24
Redirect Visitors to New Page/Directory

Redirect oldpage.html http://www.domainname.com/newpage.html
Redirect /olddir http://www.domainname.com/newdir/
Block site from specific referrers

RewriteEngine on
RewriteCond site-to-block\.com [NC]

RewriteCond {HTTP_REFERER} site-to-block-2\.com [NC]
RewriteRule .* - [F]
Block Hot Linking/Bandwidth hogging

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]
Want to show a “Stealing is Bad” message too?

Add this below the Hot Link Blocking code:

RewriteRule \.(gif|jpg)$ http://www.mydomain.com/dontsteal.gif [R,L]
Stop .htaccess (or any other file) from being viewed

order allow,deny
deny from all

Avoid the 500 Error

1. Avoid 500 error by passing charset
   AddDefaultCharset utf-8
   Grant CGI Access in a directory

Options +ExecCGI
AddHandler cgi-script cgi pl
# To enable all scripts in a directory use the following
# SetHandler cgi-script
Save Bandwidth

1. Only if you use PHP
   
   php_value zlib.output_compression 16386
   
   Password Protecting Directories

Use the .htaccess Password Generator and follow the brief instructions!

The CheckSpelling Directive

From Jens Meiert: CheckSpelling corrects simple spelling errors (for example, if someone forgets a letter or if any character is just wrong). Just add CheckSpelling On to your htaccess file.

The ContentDigest Directive

As the Apache core features documentation says: “This directive enables the generation of Content-MD5 headers as defined in RFC1864 respectively RFC2068. The Content-MD5 header provides an end-to-end message integrity check (MIC) of the entity-body. A proxy or client may check this header for detecting accidental modification of the entity-body in transit.

Note that this can cause performance problems on your server since the message digest is computed on every request (the values are not cached). Content-MD5 is only sent for documents served by the core, and not by any module. For example, SSI documents, output from CGI scripts, and byte range responses do not have this header.”

To turn this on, just add ContentDigest On.

This plugin allows you to define search and replace parameters for
elements you produce from Movable Type templates.

Tags made available through this plugin:

- a utility tag to add a Perl regular expression that
can be used in conjunction with the global 'regex' post processor
attribute.

- a tag for including/excluding content compared with
either a constant value or a regular expression pattern.

- Container tag for processing any portion of a template.

- Returns matches from the contained text.

These attributes are allowed:

* name
If given, the regular expression can be individually referenced
by name.

* no_html
If specified for a replacement regular expression, it will ignore
any tags

Perl regular expressions are incredibly powerful constructs that can
be used to manipulate text in a variety of ways.

Here's an example (place at the top of your template):

s|:-D||g

The above will replace all occurrances of :-D with a tag that
displays a smiley.gif instead.

In order to activate the search and replace for any given <$MT$>
variable, use the global "regex" modifier:

<$MTEntryBody regex="1"$>

This will 'turn on' the regex operation for that output.

Sometimes you might want to selectively pick and choose from various
regular expression patterns. To do that, name the expressions like
this:

s/Brad/Perl Nut/gi
s|google\(([^\)]+)\)|$1|g

Note: "patt2" shown above gives you the ability to write like this
in your blog entry:

google(some text)

That produces a "Google This" link right in your entry. This kind of
thing is what makes this plugin so useful!

Now, with your <$MT$> vars, you can specify things like this:

<$MTEntryTitle regex="patt1"$> (only applies patt1 to this part)
<$MTEntryBody regex="patt2"$> (only applies patt2 to this part)
<$MTEntryBody regex="1"$> (applies all regex patterns)
<$MTEntryBody regex="patt1 patt2"$> (applies both patt1 and patt2)

You can also specify an inline regex like this:

<$MTEntryBody regex="s/this/that/g"$>

You can only specify a single regular expression using that technique.
Also, you cannot currently use the letter '$' inside an inline
expression due to a parsing limitation in the current (2.21) version
of Movable Type. In order to use '$' in your expressions, create a
named expression using the MTRegexDefine tag.

This tag allows you to output content based on whether it matches
a value or regular expression.

These attributes are allowed:

* var
If specified, var is evaluated as a Movable Type variable.
The result is used to compare against the constant 'val'
attribute value or the regular expression provided with
the 'pattern' attribute value.

If unspecified, the tag will use the contained data as the
value to compare against the constant/pattern.

* expr
An alternative to 'var' that allows for any Movable Type
expression (use [ and ] instead of < and > for the tag
delimiters).

* value
If specified, value is a string constant to compare with.

* pattern
If specified, pattern defines a named regular expression
or a matching pattern to compare against.

Usage examples:

.. other tags/values here-- outputs data only if content includes the
string 'something' somewhere inside ..

--

.. output entry data (only outputs data authored by Brad, Ben and
Mena ..

--

WOW! We've reached 1,000 blog entries!

--

m/something/

.. other tags/values-- outputs data only if content includes
a match for the named regular expression 'somematch' ..

This tag allows you to process a block with previously defined regex
patterns, or an individual regex pattern.

These attributes are allowed:

* pattern
Can either be a matching regex which will select named regex
patterns that are selected using that pattern, or a replacement
regex pattern which will be applied by itself.

* no_html
Forces the regex operations to exclude any tags.A

Please note: Perl regular expressions are very powerful, but if you're
not familiar with them already, it will take some time to learn how to
use them. The links provided below are very helpful. Also, be patient
as you are creating them-- if they aren't working, don't assume that
this plugin is at fault-- more than likely, it is an improperly
constructed expression.

This tag allows you to search the block contained by the Grep tag.
Lines that match the given pattern(s) are taken and joined together
using the 'glue' attribute given (or the newline character if no glue
attribute is specified).

These attributes are allowed:

* pattern
Can either be a matching regex which would be used for matching
the text block or a space-delimited list of named patterns (specified
previously using the RegexDefine tag).

* glue
Text to be used to piece the matches together.

* default
Text to be returned in case no matches are found.

FOR MORE INFORMATION

Documenting Perl regular expressions goes way beyond the scope of this
readme.txt file. For a tutorial on using Perl regular expressions
visit this page:

http://www.perldoc.com/perl5.6.1/pod/perlretut.html

And for advanced documentation, look here:

http://www.perldoc.com/perl5.6.1/pod/perlre.html

Hi, folks! It seems a few of y’all might be interested in hearing how to get Ruby on Rails set up on a Plesk server. I did it last month, and it wasn’t terribly difficult, so I thought I’d write a quick guide to the process.
But first, two quick caveats:
1. I did this on a server running PSA 7.5.2 on Red Hat Enterprise Linux 3. The process is probably the same for other Red Hat/Fedora versions, but it might be a bit different on other distros or FreeBSD.
2. I’m assuming that you are comfortable with compiling and installing software from source. If that’s not something you’re familiar with, there is great little howto here that can help you get started.

Step one: Install Ruby

You need Ruby 1.8.2 or later to run rails. If your OS vendor supplies a packaged version for you, use that. Otherwise, you’ll need to download the latest source from ruby-lang.org) and compile it yourself. I didn’t do anything unusual on my ruby installation; just ./configure, make, and make install.

Step two: Install the FCGI Development Kit

There are three pieces of FastCGI software that must be installed on your server to run rails applications: The FastCGI development kit, the mod_fastcgi Apache module, and the Ruby FastCGI bindings. We’ll do the first one now. You can download it from fastcgi.com. This one is just like the Ruby installation: ./configure, make, and make install.

Step three: Install mod_fastcgi

Mod_fastcgi doesn’t have an automated installation process, so this one is a bit more complicated:
1. Download the source code from fastcgi.com and extract it into /usr/local/src.
2. cd mod_fastcgi-2.4.2
3. cp Makefile.AP2 Makefile (this is required since we’re using apache 2.x, not 1.3)
4. Open Makefile in your favorite editor. Change the line that says top_dir = /usr/local/apache2 to top_dir = /usr/lib/httpd
5. make
6. make install

Step four: Install RubyGems

RubyGems is the ruby package manager (If you’re familiar with Perl’s CPAN module, RubyGems is basically the same idea). It can be downloaded from rubyforge.
RubyGems doesn’t use GNU autoconf or automake, so the installation command is a bit different: instead of ./configure, make, and make install, you just do ruby setup.rb all.

Step five: Install Rails, Ruby-FCGI and Ruby-MySQL

Once you have Ruby and RubyGems installed, getting rails is easy: just gem install rails. It will ask you whether it should install some dependencies; say “y” to all of them. When that’s done, gem install fcgi to get the Ruby FastCGI bindings, and gem install mysql to get the Ruby MySQL bindings.

Step six: Configure Apache

To make Apache use the FastCGI module, copy this into /etc/httpd/conf.d/fastcgi.conf:
LoadModule fastcgi_module modules/mod_fastcgi.so
FastCgiWrapper on
FastCgiConfig -idle-timeout 900
Restart apache, and you’re done!

Wait—two more quick notes!

1. This guide only covers server-wide configuration; there are a few tricks to setting up individual rails apps in Plesk as well. If an article about setting up an individual rails app would be helpful to you, drop me a line and I’ll see what I can do. (Update: The follow-up article is available here)

2. This guide is only based on my own experience. If you use it, and find ways that it could be better or more complete, leave a response, and by all means, I’ll do my best to fix it.