June 23, 2006
iPod Nano and the folder with an exclamation point
So I received a new iPod Nano the other day and from the moment I first plugged it in it wasn't working properly. When starting up I'd get the familiar folder with an exclamation point along with the URL to Apple's iPod support. It would then power down. Starting it back up had the same effect. If I plugged it in, it would remain on and the computer would detect it and I could load music onto it, but it was useless as I couldn't unplug it, nor could I access the menus while it was plugged in. The battery meter and iPod diagnostics showed the battery was indeed fully charged. After following the 5 R's Apple suggests for repairing iPod problems several times, I ultimately ended up allowing the iPod to discharge fully to the point where it would not even start up. I then plugged it back in, where it would start up, give me the same error as before, be detected by the computer, and then shut off, possibly due to lack of battery. Leaving it connected for a few minutes eventually charged the battery to the point where it would not keep resetting. I then ran a Restore again using the updater utility as I'd done a number of times before, but this time the utility worked and repaired my iPod properly. So if you've run into this situation, try discharging your iPod fully and then see if repairing it works.
To fully discharge the iPod I needed a way for it to stay on. In the diagnostics menu I found a FlashScan option which worked nicely because it kept the backlight on and also constantly showed the remaining battery charge. There are plenty of articles explaining how to get into diagnostics mode, but briefly stated, you hold the action button and the previous song button at the same time while resetting.
September 15, 2005
Name-based SSL virtual hosts ... it's possible
So I always thought it was not possible to do name-based virtual hosts with SSL. I thought that no matter what you were forced to either place each different SSL site on its own port or its own IP. Apparently this is not true... at least with Apache. I don't know about other web servers.
First, some conditions. This only works well if your sites are all subdomains of a single domain, for example site1.foo.com and site2.foo.com. What you first need is an SSL certificate for "*.foo.com". This allows you to use the same certificate for each of your SSL sites that ends in foo.com.
Next, all you have to do is configure Apache to use name-based virtual hosting on the SSL port the same way you'd configure it for a non-SSL port (i.e. set up separate NameVirtualHost and VirtualHost directives for the SSL port). For each SSL virtual host the SSL info must be the same. Since SSL itself has no concept of name-based virtual hosts, the SSL negotiation for each virtual host will be identical and only a single certificate can be presented across all the virtual hosts on a particular IP and port. This is why we want to make sure the certificate will work for all the subdomains of our site. This way the visitor doesn't get a warning that the name of the site doesn't match the certificate when he visits a subdomain other than the one the certificate was originally intended for. Once the SSL negotiation has taken place, Apache apparently processes the underlying HTTP request like any other, which means we can treat the virtual hosts just like we would non-SSL virtual hosts.
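Because every vhost on the IP:port pair is served with the same certificate, the practical check is whether that certificate's name actually covers each ServerName. The following is an added example (not from the post or from Apache): it applies the usual browser wildcard rule, where "*" stands for exactly one leftmost label, so "*.foo.com" covers site1.foo.com but neither the bare foo.com nor deep.site1.foo.com, and lists the vhosts that would still produce a name-mismatch warning.

```python
def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate name (CN or SAN dNSName, possibly a wildcard
    such as '*.foo.com') covers hostname.

    Wildcard rule used by browsers: '*' replaces exactly one leftmost label,
    so '*.foo.com' covers 'site1.foo.com' but not 'foo.com' and not
    'a.site1.foo.com'.  Comparison is case-insensitive.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]                      # '.foo.com'
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]      # what '*' would have to cover
    return bool(first_label) and "." not in first_label


def vhosts_not_covered(cert_names, vhost_names):
    """ServerNames that no name on the shared certificate covers; a visitor
    to any of these gets the 'name does not match certificate' warning."""
    return [v for v in vhost_names
            if not any(cert_name_matches(c, v) for c in cert_names)]


# Constructed sample: one wildcard certificate shared by all SSL vhosts on
# the same IP and port, as the post describes.
CERT_NAMES = ["*.foo.com"]
VHOSTS = ["site1.foo.com", "site2.foo.com", "foo.com",
          "deep.site1.foo.com", "site1.bar.com"]

if __name__ == "__main__":
    print("vhosts not covered:", vhosts_not_covered(CERT_NAMES, VHOSTS))
```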
September 2, 2005
Configuring Asterisk to connect to Gizmo including Call Out functionality
For initial Asterisk-Gizmo configuration, go here.
That documentation will get you far enough to use Asterisk to make calls to other Gizmo users. What I wanted to do, however, was use Gizmo's "Call Out" feature to make calls through Asterisk to the PSTN. I was unable to find any documentation on setting up Asterisk to make PSTN calls through Gizmo, so I decided to figure it out myself. With the help of Ethereal and Gizmo's client I was able to determine the format of the SIP request Gizmo's servers were expecting. One of the key parts I was missing, which caused problems authenticating with Gizmo, was the "fromdomain". Apparently they're expecting the From domain in the SIP request to be proxy01.sipphone.com. By default it was using the IP address of my Asterisk server.
Here's a snippet from my sip.conf showing how I configured Asterisk. Make sure to substitute your Gizmo phone number and password where applicable:
[to_gizmo]
type=friend
host=proxy01.sipphone.com
username=17470000000
fromuser=17470000000
fromdomain=proxy01.sipphone.com
secret=YOURPASSWORD
canreinvite=no
reinvite=no
nat=yes
Thank you, Gizmo, for offering a product based on open standards. The ability for me to use Asterisk to connect to your network is the reason I buy Call Out minutes from you.
July 28, 2005
Getting root access on Fastora NAS-T4
The Fastora NAS-T4 is a rather inexpensive RAID array which runs FreeBSD. I purchased one of these so I could have a large amount of NAS storage available for all my machines to back up to. One complaint I had was that I wanted shell access so I could make any config changes I want to it. The product allows root ssh access, but loads into their custom shell which only lets you perform a few restricted things.
The information that follows can be used to potentially render your NAS-T4 inoperable. If you do this don't expect Fastora to help you. They lock you out of root for a reason.
Fortunately the designers of this custom shell don't know enough about validating user input. The ping utility they're nice enough to provide can be used to execute arbitrary commands on the NAS-T4 as root, since it just hands off whatever you type to the shell as an argument to ping. So when prompted for an IP address, a simple IP of "192.168.0.1 ; cat /etc/passwd" is nice enough to show us /etc/passwd, albeit nearly unreadable because of their GUI's screen formatting. No matter, though, because something as simple as "192.168.0.1 ; cp -R /etc /volume1/public1" will copy the entire /etc folder over to the default shared directory that it should have created when you set up the NAS-T4. From there you're free to browse all the files in /etc to your heart's content.
Now for some useful tricks. If you ever try to ssh in using a non-root account you've created, you get a Login Denied error. To fix this, just ping "192.168.0.1 ; rm /var/run/nologin". Now your non-root accounts will log in and get a shell. Nice.
Of course, the real goal is root, so let's do that. The quickest way is a simple ping to "192.168.0.1 ; mv /root/bin/uishell /root/bin/uishell.old ; ln -s /bin/sh /root/bin/uishell". Now try to ssh in as root and you're greeted with a beautiful sight:
 _____________________________________________________________
|                                                             |
|                  Welcome to Synology Filer!                 |
|_____________________________________________________________|
root> id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 99(users)
root>
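The defect above is plain command injection: whatever the user types is spliced into a shell command line, so a ";" ends the ping command and starts another. The hardened shape, as an added example that is not the NAS-T4's own code, assumes a Python wrapper around ping: it accepts only a value that parses as an IP address and passes it to ping as a single argv element, so no shell ever sees the input.

```python
import ipaddress
import subprocess
from typing import List, Optional

# The vulnerable pattern described in the post, for contrast (never do this):
#     os.system("ping " + user_input)
# Everything after a ';' in user_input runs as a separate command.


def ping_target(user_input: str) -> Optional[str]:
    """Accept only a literal IPv4/IPv6 address and return it normalised;
    return None for anything else.  '192.168.0.1 ; cat /etc/passwd' is not
    an address, so it is rejected before any command is built."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        return None


def build_ping_argv(user_input: str) -> Optional[List[str]]:
    """argv for ping, or None when the input failed validation."""
    target = ping_target(user_input)
    if target is None:
        return None
    return ["ping", "-c", "3", target]


def run_ping(user_input: str) -> int:
    """Run ping for a validated address; returns the process exit status,
    or 1 without running anything when the address is invalid."""
    argv = build_ping_argv(user_input)
    if argv is None:
        print("invalid address")
        return 1
    # shell=False (the default) hands argv straight to execve, so even a
    # value containing ';' would reach ping as one literal argument.
    return subprocess.run(argv).returncode


if __name__ == "__main__":
    # Constructed inputs: one valid address, one injection attempt.
    for candidate in ["192.168.0.1", "192.168.0.1 ; id"]:
        print(repr(candidate), "->", build_ping_argv(candidate))
```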
June 16, 2005
iptables (netfilter) and passive mode FTP
I'm running iptables/netfilter on one of my RHEL servers and just recently decided to add FTP access. I'm using the stock rules that come with RHEL with a few custom rules where necessary. By default it does perform stateful inspection, taking advantage of the ip_conntrack module. The following rules exist in the table:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
With connection tracking you'd think that's sufficient. When the PASV command is sent, netfilter should keep track of the relevant information and allow the subsequent passive FTP data connection... but it doesn't. Apparently you need to make sure that the ip_conntrack_ftp module is loaded as well; that helper is what reads the control channel and registers the announced data connection as RELATED. You can load it for testing using "/sbin/modprobe ip_conntrack_ftp", but to have iptables load it automatically just add the following to /etc/sysconfig/iptables-config:
IPTABLES_MODULES="ip_conntrack_ftp"
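Why the helper is required: the passive-mode data port is announced only inside the control channel's "227" reply, which plain TCP state tracking never inspects. The following added example (not from the post or from netfilter) parses that reply the way the FTP helper does and describes the RELATED flow the firewall should then expect; it also declines an announced address that is not the server itself, mirroring the helper's default (its loose=0 setting), which is how the helper avoids opening holes for third-party addresses from a forged or NAT-mangled reply.

```python
import re

# 227 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) announced in a PASV reply, or None if the line is
    not a well-formed 227 reply.  The data port is p1*256 + p2.  This is
    the work ip_conntrack_ftp does by reading the control channel."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def expected_data_flow(server_ip, client_ip, reply):
    """Describe the RELATED data connection the firewall should accept:
    client -> announced ip:port.  If the announced address is not the
    server the control channel is talking to, return None; this mirrors
    the helper's default (loose=0) refusal to expect a third-party
    address."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != server_ip:
        return None
    return {"src": client_ip, "dst": ip, "dport": port, "state": "RELATED"}


# Constructed control-channel lines (not a real capture).
SERVER, CLIENT = "192.168.1.10", "10.0.0.2"
SAMPLE_REPLIES = [
    "220 FTP server ready",
    "227 Entering Passive Mode (192,168,1,10,195,80)",
    "227 Entering Passive Mode (203,0,113,9,4,1)",
]

if __name__ == "__main__":
    for line in SAMPLE_REPLIES:
        print(line, "->", expected_data_flow(SERVER, CLIENT, line))
```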
June 15, 2005
Making mysql output more readable
When using the mysql CLI to perform queries on tables with many attributes the resulting output is often unreadable because of all the line wrapping. Here's a tip. Instead of terminating the query with a semicolon, terminate it with \G (case-sensitive). This will display your results vertically, which is often MUCH more readable when dealing with results with many attributes. In my specific instance I was trying to display the replication status on a slave. By using "show slave status\G" instead of "show slave status;" the output was much easier to read.
June 14, 2005
2005 Prius check engine light
I posted the previous entry in preparation for this one. While driving home from work last week my "check engine" light came on. I brought my car in to Cherry Hill Toyota, as the manual said to bring the car in in response to this light. Beforehand I was hoping to extract the error codes by placing the car into diagnostic mode, but apparently the diagnostic mode doesn't give you access to the OBDII error codes, which are what you really need. Toyota told me that the particular error they extracted is due to the emissions test failing. One common source of automobile emissions is a loose or nonexistent gas cap which causes gasoline to evaporate. As part of being a PZEV (Partial Zero Emissions Vehicle) it tests any emissions coming from the gas cap area. Apparently when it detects the cap is loose and gasoline vapor is escaping it triggers the "check engine" light. For something so obvious and easily resolved Toyota really should have had it trigger a message on the multi-function display screen, but alas they didn't. So the Toyota tech tightened the gas cap and cleared the error from the computer. PLEASE NOTE: Just tightening the gas cap DOES NOT cause the "check engine" light to go out. According to Toyota the light won't go out until the computer performs another emissions test. According to Paul Schreiber at http://paulschreiber.com/blog/2005/05/10/my-prius-check-engine-light you "have to drive the car for at least 20 minutes 2-4 times for the car to believe the gas cap really is fixed."
2005 Prius diagnostic mode
The Toyota Prius never ceases to amaze me with all the things you can do using some arcane techniques. To enter diagnostic mode, first place the car in IG-ON mode by pressing the power button twice without pressing the brake. You can also do this while the car is running. Next hold in the Info button while switching the headlights from Off to Parking and back 3 times. Then release the Info button. The display should now enter diagnostic mode.
May 16, 2005
Updating User Agent Switcher breaks Firefox
Twice I've run into a problem where updating the User Agent Switcher extension for Firefox has broken the browser. When you try to start the browser none of the buttons work and you're left with a pretty worthless window. Apparently the User Agent Switcher extension would prefer to be uninstalled and reinstalled manually rather than updated. Ok, so first you need to get into Firefox. Fortunately Firefox can be started in safe mode, which does not load any extensions. To do this run the Firefox executable manually (or edit the shortcut) with the "-safe-mode" argument. Once in Firefox you can just uninstall the extension and then proceed to install it again.
May 15, 2005
spamass-milter 0.2.0
After adding a bit of debugging information to Received.pm I was able to track down the problem I was having with SpamAssassin and the -notfirsthop rules. The following line is the code in spamass-milter that sends the pseudo header to SpamAssassin:
assassin->output((string)"Received: from "+macro_s+" ("+smfi_getsymval(ctx,"_")+") by "+smfi_getsymval(ctx,"j")+"; "+macro_b+"\r\n");
macro_b is only available to spamass-milter if defined in Sendmail's configuration; it's not defined in my Sendmail configuration. As a result macro_b gets set to an empty string, but the space prior to macro_b remains. The end result is whitespace preceding the newline characters. In SpamAssassin's Received.pm we have the following:
my
This code populates parse_received_line(). As you can see from the regex, it doesn't take kindly to whitespace before the newline characters. As a result the pseudo header from spamass-milter never gets parsed and SpamAssassin never knows that the sending MTA existed. This causes problems since the assumption is made that the Received: header added by the receiving MTA has already been added before SpamAssassin processes the email.
This results in behavior such as header checks (including RBL checks) not being performed on the sending MTA. This caused -notfirsthop rules like DYNABLOCK to be practically useless, since they would not catch open proxies on cable/DSL machines which delivered directly to the SpamAssassin mail server. In addition, rules like DYNABLOCK would generate false positives on emails from dialup and cable/DSL users which traveled through a single hop (such as their ISP's mail server) before reaching SpamAssassin, since SpamAssassin would see only a single header (the one added by the ISP) and would believe that the mail had been delivered directly to SpamAssassin from the user's machine.
My workaround was just to modify the spamass-milter code and remove macro_b and the preceding space from the code, since I'm not using it. There are a couple of other obvious solutions to this problem (in order of decreasing preference), such as modifying the spamass-milter code to only insert the whitespace if macro_b is defined, adding the required macro to the Sendmail config, or modifying the SpamAssassin code to accept (but not store) whitespace before the newline character.
This problem was fixed in spamass-milter HEAD and should also be fixed in spamass-milter 0.3.0 which was released in February 2005.
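To make the failure concrete, here is an added example (not spamass-milter's or SpamAssassin's own code) that builds the pseudo header both ways, as quoted in the post and with the preferred fix of emitting the space only when macro_b is set, and runs each through a stand-in for the Received.pm line check. The Received.pm regex itself is not on the page; the one below is an assumption that captures the behaviour described: whitespace before CRLF makes the whole line unparseable. The sample Sendmail macro values are constructed.

```python
import re


def received_pseudo_header(macro_s, macro_conn, macro_j, macro_b, fixed=True):
    """Build the Received: pseudo header spamass-milter hands to SpamAssassin
    from Sendmail's macros: {s} (HELO name), {_} (validated client info),
    {j} (our hostname) and {b} (current date).

    fixed=False reproduces the concatenation quoted in the post: "; " is
    always followed by macro_b, so an undefined {b} leaves a trailing space
    before CRLF.  fixed=True emits the space only when there is a date.
    """
    header = "Received: from %s (%s) by %s;" % (macro_s, macro_conn, macro_j)
    if fixed:
        if macro_b:
            header += " " + macro_b
    else:
        header += " " + macro_b
    return header + "\r\n"


# Stand-in for the Received.pm check (assumption; the real regex is not on
# the page).  The line must end right after the last non-space character,
# so any whitespace before CRLF makes the header fail to parse.
RECEIVED_RE = re.compile(
    r"^Received: from (\S+) \(([^)]*)\) by (\S+);(?: (\S(?:.*\S)?))?\r\n$")


def parse_received(line):
    """Return the parsed fields, or None when the line is rejected, which is
    what happened in the post: SpamAssassin never learned the sending MTA
    existed."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    helo, conn, by, date = m.groups()
    return {"helo": helo, "conn": conn, "by": by, "date": date}


# Constructed sample macros; {b} deliberately empty as in the post's setup.
MACROS = ("mail.example.com", "mail.example.com [192.0.2.1]", "mx.example.net", "")

if __name__ == "__main__":
    for fixed in (False, True):
        hdr = received_pseudo_header(*MACROS, fixed=fixed)
        print(repr(hdr), "->", parse_received(hdr))
```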