miniconomics.com is an easy-to-use tool designed to manage your personal expenses that we have been developing over the last few months. The key benefits of the tool at this point in time:

• It is alive, changing every day, release early, release often. miniconomics.com is under a never ending churning process.
• It is simple, a no brainer, you have categories and you have expenses, you put expenses in your categories and miniconomics.com gives you all sorts of useful information, stats and nice shinny graphs.
• Is accessible, forget about maintaing a spreadsheet with your data in your home computer or laptop. Use an online service, use it no matter where you are, no matter when, just log in and add your expenses.
• It is as geek as a tool can be. We are still developing it and we are keen on trying all sorts of approaches. We have some cool toughts on plugins and addons that we will be developing in the future. Give us your feedback and let us know what you do you want out of the tool, chances are we will develop it!
• miniconomics.com is free, free to use, free to register, free to enjoy, free to everything

I hope you decide to give it a try (you don’t have to register for a test drive) and let us know what you think. And of course if you like it, just spread the word.

After years of thinking about, writing about, and filtering messages, I’ve decided that the best strategy for me is to not filter spam, but instead to filter non-spam

The full article at Reverse Spam Filtering: “Winning Without Fighting” by Nancy McGough.

One morning, exactly at sunrise, a Buddhist monk began to climb a tall mountain. A narrow path, no more than a foot or two wide, spiraled around the mountain to a glittering temple at the summit. The monk ascended at varying rates of speed, stopping many times along the way to rest and eat dried fruit he carried with him. He reached the temple shortly before sunset. After several days of fasting and meditation he began his journey back along the same path, starting at sunrise and again walking at variable speeds with many pauses along the way. His average speed descending was, of course, greater than his average climbing speed. Prove that there is a spot along the path that the monk will occupy on both trips at precisely the same time of day.

As for the second question, the sort answer is that chances are that you really do not need one but for the shake of the experiment lets get our hands dirty!

First of all, I need to clarify that my interest in this topic was also risen by the fact that Verisign has switched to a two-tier hierarchy of Certificate Authorities, and this has some implications specially in the configuration of web server software:

“As of April 2006, all SSL certificates issued by VeriSign require the installation of an Intermediate CA Certificate. The SSL certificates are signed by an Intermediate CA using a two-tier hierarchy (also known as trust chain) which enhances the security of your SSL Certificate. If the proper Intermediate CA is not installed on the server, your customers will see browser errors and may choose not to proceed further and close their browser.” (boldface is mine)

This means that while the users do not need to modify anything (if their browser already has Verisigns Root CA certificate) the server owners need to ensure that the server is able to provide the so called trust chain to the users’ browser when the SSL handshake is performed.

Never mind, lets get back to it. In order to get your Intermediate CA working, first you need a Root CA (if you already have a CA, feel free to skip the next section). Remember that in order to get this working you need to have a copy of the openssl toolkit installed in your system.

Configure the Root CA

<br />
mkdir /var/ca<br />
cd /var/ca/<br />
mkdir certs crl newcerts private<br />
echo "01" > serial<br />
cp /dev/null index.txt<br />
# beware that the location of the sample file is dependent on your environment<br />
cp /usr/lib/ssl/openssl.cnf .<br />

You may want to modify some of the settings in the configuration file to save you some time in the future when creating the certificates: default_bits, countryName, stateOrProvinceName, 0.organizationName_default, organizationalUnitName and emailAddress.

Now you are ready to create the CA:

<br />
# generate a private key<br />
openssl genrsa -des3 -out private/cakey.key 4096<br />
# create a self-signed certificate valid for 5 years<br />
openssl req -new -x509 -nodes -sha1 -days 1825 -key private/cakey.pem -out cacert.pem<br />
# go for the default values if you adapted the settings in the openssl.cnf file or enter the values you desire<br />

Now you have everything you need to run a successful CA.

Configure an Intermediate CA

The idea is simple, we will create a new CA following the same template that we used in the previous section, but this time instead of generating a self-signed certificate we will generate a certificate sign request that we will sign using the Root CA.

First we create the folder structure:

<br />
cd /var/ca/<br />
mkdir ca2008<br />
cd ca2008<br />
cp ../openssl.cnf .<br />
mkdir certs crl newcerts private<br />
echo "01" > serial<br />
cp /dev/null index.txt<br />

Then the Intermediate CA private key:

<br />
#generate the key<br />
openssl genrsa -des3 -out private/cakey.pem 4096<br />
#generate a signing request (valid for 1year)<br />
openssl req -new -sha1 -key private/cakey.pem -out ca2008.csr<br />
# go for the default values if you adapted the settings in the openssl.cnf file or enter the values you desire<br />

Move the sign request to the Root CA directory and sign it:

<br />
mv ca2008.csr ..<br />
cd ..<br />
openssl ca -extensions v3_ca -days 365 -out ca2008.crt -in ca2008.csr -config openssl.cnf<br />
mv ca2008.* ca2008/<br />
cd ca2008/<br />
mv ca2008.crt cacert.pem<br />

And that was it. The next thing to do is start using your Intermediate CA to sign your new certificates. But just before that, remember that
to verify a certificate signed by an Intermediate CA the web browser has to verify both the certificate against the Intermediate CA and the certificate of the Intermediate CA against a Root CA.

In order to allow the browser to do this, a certificate chain file needs to be installed in the server. A certificate chain is a plaintext file that contains all the certificates from the Authority issuing a given certificate up to the Root of the certificate tree. In this case our chain has only two levels and the chain file is created like this:-

<br />
# first the intermediate CA certificate<br />
cat cacert.pem > chain.crt<br />
# then the Root CA cert<br />
cat ../cacert.pem >> chain.crt<br />

This file is the one you need to specify in the SSLCertificateChainFile of your server.

Create a new server certificate

<br />
# make sure you are in the Intermediate CA folder and not in the Root CA one<br />
cd /var/ca/ca2008/<br />
# create the private key<br />
openssl genrsa -des3 -out {server_name}.key 4096<br />
# generate a certificate sign request<br />
openssl req -new -key {server_name}.key -out {server_name}.csr<br />
# sign the request with the Intermediate CA<br />
openssl ca -config openssl.cnf -policy policy_anything -out {server_name}.crt -infiles {server_name}.csr<br />
# and store the server files in the certs/ directory<br />
mkdir certs/{server_name}<br />
mv {server_name}.key {server_name}.csr {server_name}.crt certs/<br />

Then you should securely copy the .key and .crt files to the server and configure it to use them.

Apache server configuration

Just in case you are using Apache server and for the shake of completeness, these are the settings that you need to modify (possibly in your extra/http-ssl.conf):-

<br />
SSLCertificateFile /var/ca/ca2008/certs/{server_name}.crt<br />
SSLCertificateKeyFile /var/ca/ca2008/certs/{server_name}.key<br />
SSLCertificateChainFile /var/ca/ca2008/chain.crt<br />

References

• SSL/TLS Strong Encryption: FAQ
• Creating Your Own CA
• Be your own Certificate Authority
• Very brief introduction to create a CA and a CERT

As an example we are going to resize /dev/sda1 from 200G to 50G. Since the partition is the primary /root we need to use a rescue disk to boot the system, I used BackTrack from a USB stick (Howto:USB Stick).

1. use tune2fs to remove the journal from your ext3 partition:

   tune2fs -O ^has_journal /dev/sda1

   Now the partition is effectively an ext2 file system.

2. use “resize2fs /dev/sda1 50G” to resize the file system.
3. use fdisk to resize the partition: delete the old partition (no data will be lost! :twisted:). Create a new one of the desired size (exercise caution see below). Save changes.
4. use “resize2fs /dev/sda1” (no size this time) to resize the file system to the maximum available.
5. use tune2fs to add the journal agai:

   tune2fs -j /dev/sda1

   This turns the partition back to ext3.

Regarding the new size for the partition, it is important to allocate enough physical space to support the file system. I used the formula recommended by [2]:

We multiply the amount of blocks from the resize2fs output (1536000) by the size of a block (4k), and to go sure the partition is big enough, we add 3 to 5% to it (3% was enough for me, but if you want to go sure take 5%):

1536000 * 4k * 1.03 = 6328320k

The interesting number is the first one, and you can get it by looking at the output of resize2fs on step 2. You just need to specify that number when asked by fdisk (step 3) for the last cylinder of the new partition. Again from the same reference:

Last cylinder or +size or +sizeM or +sizeK (1-1247, default 1247): +6328320K

Note that this is not the vaule I used (I forgot to write it down), but I guess that this number depends on the hardware and the important bit is to learn how to apply The Formula.

References

This post consists of 100% recycled information, credit goes to:

• [1] Another resize ext3 problem
• [2] How To Resize ext3 Partitions Without Losing Data

Last minute note

Support for ext3 was added to resize2fs in version 1.19, more than 7 years ago. There is no reason to convert to ext2 first unless you are running a REALLY old system.

So you may avoid steps 1 and 5 if your resize2fs supports ext3.

Download an uncompress

cd /usr/local/src/
wget http://mirror.public-internet.co.uk/apache/httpd/httpd-2.2.4.tar.gz
tar -xvvzf httpd-2.2.4.tar.gz
wget http://uk2.php.net/get/php-5.2.3.tar.gz/from/this/mirror
tar -xvvzf php-5.2.3.tar.gz

Install software
Required by Apache:

apt-get install gcc make libc6-dev libc-dev \
linux-kernel-headers libssl-dev zlib1g-dev

Required by PHP:

apt-get install g++ g++-4.1 libfreetype6 \
libfreetype6-dev libgd2-noxpm libgd2-noxpm-dev \
libjpeg62 libjpeg62-dev libmysqlclient15-dev \
libpng12-0 libpng12-dev libstdc++6-4.1-dev \
libxml2 libxml2-dev

Tweak Apache
Get rid of the server banner, edit /usr/local/src/httpd-2.2.4/include/ap_release.h:

define AP_SERVER_BASEVENDOR "nomejortu"
define AP_SERVER_BASEPROJECT "nmt server"
define AP_SERVER_BASEPRODUCT "server"

Configure, compile and install

cd /usr/local/src/httpd-2.2.4/
./configure --disable-info --disable-autoindex \
--disable-include  --disable-userdir --disable-status \
--disable-imagemap --disable-cgid --disable-cgi \
--disable-proxy --enable-ssl=static \
--enable-rewrite=static --enable-dir=static \
--enable-unique_id=static --enable-so
make
make install

With the previous configure line we are removing modules that either disclose too much information or we do not need (wach out! you may need some of them). All inluded modules are statically linked to the binary. The only dynamic modules that we will be using are the mod_php and mod_security.

• –disable-info, –disable-status: we don’t need server info or status at all.
• –disable-autoindex, –disable-userdir: no automatic directory listings, no username enumeration through the /~ technique.
• –enable-dir: redirect malformed urls (requests to directories without trailing slash) and the DirectoryIndex directive.
• –disable-include, –disable-imagemap : no server side includes or image maps handled by the server.
• –disable-cgid, –disable-cgi : no cgi interfaces.
• –disable-proxy, –enable-ssl, –enable-rewrite: disable the proxy capanility, enable SSL and the rewrite engine.
• –enable-unique_id: needed for mod_security (see below).
• –enable-so:

Configure apache
In apache2’s configuration file (/usr/local/apache2/conf/httpd.conf) append:

# server banner
ServerSignature  Off
ServerTokens  Prod
# disable TRACE requests
TraceEnable off

If needed, add the index.php as a default file to DirectoryIndex directive on Line 165:

DirectoryIndex index.php index.html

In the same way, if you need virtual hosts enabled, uncomment the line 386 (or equivalent):

Include conf/extra/httpd-vhosts.conf

Add your options to that file. And if you need SSL support, uncomment the line 398 (or equivalent) of the same file:

Include conf/extra/httpd-ssl.conf

Change ownership of the htdocs and remove unnecessary files and folders:-

chown daemon.daemon /usr/local/apache2/htdocs/ -R
rm -rf /usr/local/apache2/htdocs/*
rm -rf /usr/local/apache2/cgi-bin/*
rm -rf /usr/local/apache2/icons

If you want your server to start at boot time, issue the following commands:-

rm /etc/init.d/apache2
ln -s /usr/local/apache2/bin/apachectl /etc/init.d/apache2
update-rc.d apache2 defaults

Be careful because if you have configured SSL with a certificate whose private key requires a pass phrase, the system will request the pass phrase and wait upon restart.

PHP
Not much on the PHP side. Download and compile:

cd /usr/local/src/php-5.2.3
./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mysql=/usr/include/mysql --with-config-file-path=/etc --with-gd --with-zlib-dir=/usr/lib/

make
make install

• –with-apxs2: compile a module for apache2 in the specified location.
• –with-mysql: .enable mysql support.
• –with-config-file-path: .specify where you want the php.ini config file.
• –with-gd: .the graphical library if you need it.
• –with-zlib-dir: .use system’s zlib (downloaded from packages).

Although the php installation adds the LoadModule line, but you still need to edit apache configuration file (httpd.conf) and add the following:

AddType application/x-httpd-php .php .phtml

Modify the DirectoryIndex directive if you want the server to default to index.php when a directory is requested.

mod_security
Download:

cd /usr/local/src/
wget http://www.modsecurity.org/download/modsecurity-apache_2.1.2.tar.gz
tar -xvvzf modsecurity-apache_2.1.2.tar.gz
cd modsecurity-apache_2.1.2/apache2/

Edit the Makefile to adjust the following lines (compile mod_security with Apache’s version of the pcre library):

top_dir      = /usr/local/apache2
INCLUDES = -I /usr/include/libxml2 -I /usr/local/src/httpd-2.2.4/srclib/pcre/

Compile and install:

make
make install

Copy the default rule set to apache directory and include them in the main apache configuration file:

cp -r /usr/local/src/modsecurity-apache_2.1.2/rules/ \
/usr/local/apache2/conf/modsecurity

In /usr/local/apache2/conf/httpd.conf add the following lines:

LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf

In order to enforce the rules (by default mod_security would simply log requests that matched the rules), go to each and single file and change the SecDefaultAction to:

SecDefaultAction "phase:2,log,deny,status:400"

The End: up and running
Last but not least do not forget to remove software that you no longer need! No compilers or development libraries should remain in the sever.

First software needed to compile Apache:

apt-get remove --purge binutils cpp cpp-4.1 gcc-4.1 \
libssp0 make gcc libc6-dev libc-dev \
linux-kernel-headers libssl-dev zlib1g-dev

And also the one needed for PHP:

apt-get remove --purge libxml2-dev libfreetype6-dev \
libgd2-noxpm-dev libjpeg62-dev libpng12-dev libgd2-dev \
libmysqlclient15-dev g++ g++-4.1 libstdc++6-4.1-dev

Remove all the sources that we have used:

rm -rf /usr/local/src/*

And of course:-

/usr/local/apache2/bin/apachectl start

References

• Apache 2.0 Hardening Guide

After some research I found a set of scripts that actually do what I want (credit goes to Heiner Steven). The bad news is that this is not a full-bash solution. The scripts use the metasend command to send files as MIME atachments.

This is a easy two-step process. First, you need to install the metamail (this is the name of the Debian GNU/Linux package) in your box. Then grab this two scripts (sendfile, getmimetype). The first one does the call to metasend. From it’s usage information:

usage: sendfile [-f] [-s subject] [-m mimetype] recipient file ...
    -f:  force sending of mail even for invalid recipients
    -s:  subject of the mail message
    -m:  mime-type (i.e. "application/octet-stream")

Multiple files may be specified. If no mimetype was given,
it is determined via a call to "getmimetype".

And you are ready to go.

#!/bin/bash

for foo in `ps aux | grep $1 | awk '{print $2}'`;  do kill -9 $foo; done

Just run: matar <program name> and that’s it. They are all gone.

You have to use the bash function ${foo//string1/string2}. Check the Advanced Bash-Scripting Guide for a complete list of string manipulating functions.

for foo in *; do mv "$foo" ${foo// /_}; done