Questions and Answers
Amy Rich
Q We have an old Sun E250 that's
acting as a test database server. During a maintenance window, we
replaced a power supply that had died, but the new power supply
didn't work either. We then tried it with a known good power supply
from a functioning machine and it still failed. Do we need to replace
the backplane in the machine to get the second power supply back
online?
A Most likely the problem is that
you've run into an issue with the power supply memory latch function.
From the E250 product notes:
The Sun Enterprise 250 power supply has a memory latch function
that allows the power supply to remember its last power on/off state
in response to a power outage or removal of the AC power cord. This
feature allows the power supply to resume operation automatically
once power is restored. It also enables hot-swapping of power supplies.
Under some circumstances, this feature can be misdiagnosed as
a power supply failure. If you remove a power supply from a system
that is powered off and attempt a hot-plug installation into a system
that is powered on, the power supply will remain in the Off state.
This should not be interpreted as a power supply failure. To activate
the power supply, simply turn the front panel keyswitch from the
Power-On position to the Diagnostics position, and then back to
the Power-On position. Alternatively, you may press the Power-On
key on a Sun Type-5 keyboard attached to the system.
If there is a hardware failure that's not the power supply itself,
it may be with the DC Power Distribution Board, part number 501-4683
or the system board, part number 501-5440.
The E250's power components are detailed at:
http://sunsolve.sun.com/handbook_pub/Systems/E250/component.power.html
The exploded system view is at:
http://sunsolve.sun.com/handbook_pub/Systems/E250/component.exploded.html
The wiring diagram is at:
http://sunsolve.sun.com/handbook_pub/Systems/E250/wiring_1.html
Q I'm a Bourne shell
programmer who's been thrust into the role of developing some Perl
code. Is there anything in Perl similar to sh -x to trace
the program execution?
A If you take a look at the man
page for perlrun, it suggests the following:
All these flags require -DDEBUGGING when you compile the
Perl executable (but see Devel::Peek, which may change this). See
the INSTALL file in the Perl source distribution for how to do this.
This flag is automatically set if you include -g option when
"Configure" asks you about optimizer/debugger flags.
If you're just trying to get a print out of each line of Perl
code as it executes, the way that sh -x provides for shell
scripts, you can't use Perl's -D switch. Instead do this:
# If you have "env" utility
env PERLDB_OPTS="NonStop=1 AutoTrace=1 frame=2" perl -dS program
# Bourne shell syntax
$ PERLDB_OPTS="NonStop=1 AutoTrace=1 frame=2" perl -dS program
# csh syntax
% (setenv PERLDB_OPTS "NonStop=1 AutoTrace=1 frame=2"; perl -dS program)
You can also try running Perl with -Dlts to get some useful
debugging output.
Q I run sendmail 8.12.11 for a small
subset of domains and know it reasonably well. I want to add some
spam filtering functionality, but I don't want to rely on a number
of more complicated programs like procmail or milter, etc. I'm really
looking for some rulesets that I can plug into my mc file instead
of additional programs I can use to supplement sendmail. Any suggestions?
A There are a number of hacks out
there and a lot you can do with DNSBLs and regular expression matching
that could cut down on your spam. You can also use the access functionality
to block huge swathes of IPs and/or domains if you want to really
limit whom you receive mail from. If you're looking for some pre-rolled
rulesets, you might want to check SpamFilters:
http://www.visi.com/~hawkeyd/spamfilters.html
Be aware that your spam blocking could have a significant negative
impact on your mail delivery if you're doing a lot of expensive lookups
and/or handling a lot of mail.
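As an added illustration (not from the column and not one of the SpamFilters rulesets), the .mc fragment below shows the two built-in mechanisms the answer refers to: a DNSBL lookup on the connecting client and an access map for blocking or allowing by address, domain or recipient. The DNSBL zone, the network numbers and the domain names are assumptions chosen for illustration; read a list's policy before relying on it.

```m4
dnl Added example, not from the column: anti-spam FEATUREs for a sendmail 8.12
dnl .mc file.  Zone name, networks and domains below are assumptions.
dnl
dnl Reject clients listed in a DNSBL.  This costs one DNS query per inbound
dnl connection, so every additional zone adds latency to every delivery.
FEATURE(`dnsbl', `zen.spamhaus.org', `"550 Mail from " $&{client_addr} " refused, host listed in zen.spamhaus.org"')dnl
dnl
dnl Consult /etc/mail/access.db; -T<TMPF> returns a temporary failure instead of
dnl accepting mail if the map cannot be opened.  Rebuild the map with:
dnl   makemap hash /etc/mail/access < /etc/mail/access
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
dnl
dnl Let "To:" entries in the access map refuse mail for individual local addresses.
FEATURE(`blacklist_recipients')dnl
dnl
dnl Constructed /etc/mail/access entries for the map above:
dnl   Connect:192.0.2                     REJECT
dnl   Connect:198.51.100.7                ERROR:"550 Mail from this host refused"
dnl   From:spam.example                   REJECT
dnl   To:retired@yourdomain.example       ERROR:"550 Address no longer in use"
dnl   Connect:203.0.113                   OK
```

Access-map rejections are evaluated from the map on disk and cost nothing on the network, so they are the cheap part; the DNSBL lookup is the expensive one the answer warns about, and the first thing to remove if delivery latency climbs under load.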
Q I've been looking at adding some
extra RAM to an old Sun U5 I have acting as a desktop. I've found
some sites that say that they can sell me 256M strips, but Sun seems
to claim that the U5s only support up to 128M strips and that I
need a U10 for 256M strips. Can I actually put the 256M strips into
the machine, or are the sites selling them incorrect?
A The U5 and the U10 have exactly
the same motherboard and support the same components. The difference
between the U5 and the U10 is the chassis. The U5 has a smaller
chassis than the U10 and therefore didn't have the room to hold
full-height 256M DIMMs. If you purchase low-profile 256M DIMMs,
though, you can put them into the Ultra 5 without any modification.
If you purchase regular-height DIMMs, then you'll need to remove
the floppy drive because the taller DIMMs get in the way of the
UPA slot on the motherboard in the U5.
Q I've been seeing a number of connections
to sshd for the users "test" and "guest". Neither of these accounts
exists on my systems, so I figured that this was some sort of scanning
effort by hackers to try to get into my machines. Should I be concerned,
or is this just simple fishing?
A There are several ssh scanners
that crackers are using these days, often distributed as ssh.tgz.
One kit that I've seen contains a network scanner that scans a user-supplied
netblock, collects IP addresses running sshd, then tries to connect
to the identified host as a default user (guest, test, root, admin,
etc.). Mostly these crackers are looking for default accounts/passwords
set during an install of a specific OS distribution. The payload
could be easily adapted to exploit any holes in sshd, of course,
but that's not generally the aim.
If you're running an OS without any default accounts/passwords
then you should be reasonably safe. For any non-user accounts, be
sure to add them to the DenyUsers or DenyGroups line of the sshd
configuration file as well as disabling the accounts at a system
level (locking the password field, giving them invalid shells, and
possibly also giving them invalid home directories).
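As an added example (not part of the column), the script below turns the observation in the question into a check you can run against an auth log: it counts OpenSSH's "Invalid user NAME from ADDR" lines per source address and lists the account names each source tried, which is the signature of the scanner walking default accounts described above. The log lines are constructed for the demo, and the addresses are taken from documentation ranges; the only assumption about the real log is OpenSSH's "Invalid user" wording.

```shell
#!/bin/sh
# Added example, not from the column: summarise sshd "Invalid user" probes in
# an auth log by source address.  The sample log below is constructed.

SAMPLE_AUTH_LOG='Jun  4 02:11:07 host sshd[4121]: Invalid user test from 192.0.2.10
Jun  4 02:11:09 host sshd[4121]: Failed password for invalid user test from 192.0.2.10 port 40122 ssh2
Jun  4 02:11:12 host sshd[4125]: Invalid user guest from 192.0.2.10
Jun  4 02:11:13 host sshd[4125]: Failed password for invalid user guest from 192.0.2.10 port 40130 ssh2
Jun  4 02:11:20 host sshd[4130]: Invalid user admin from 198.51.100.7
Jun  4 02:11:22 host sshd[4130]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Jun  4 02:11:30 host sshd[4140]: Accepted publickey for amy from 203.0.113.5 port 2222 ssh2'

# Usage: ssh_probe_summary [min_hits] < auth.log
# Prints "source-ip hits user1,user2,..." for every source with at least
# min_hits (default 1) "Invalid user" events, sorted by address.  Only the
# "Invalid user" line is counted, not the matching "Failed password" line,
# so each connection attempt counts once.
ssh_probe_summary() {
    awk -v min="${1:-1}" '
    /: Invalid user / {
        for (i = 1; i <= NF; i++) {
            if ($i == "user") u = $(i + 1)
            if ($i == "from") ip = $(i + 1)
        }
        hits[ip]++
        if (!seen[ip, u]++)
            users[ip] = (users[ip] == "" ? u : users[ip] "," u)
    }
    END {
        for (ip in hits)
            if (hits[ip] >= min) printf "%s %d %s\n", ip, hits[ip], users[ip]
    }' | sort
}

# Stand-alone run on the constructed sample
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_probe_summary
```

A source that has tried several of the usual names (test, guest, admin, root) within a few seconds is the scanner, not a mistyped login. The response on the server side is the one the answer gives: make sure none of the probed names exist, list any non-login accounts in DenyUsers or DenyGroups, and lock them at the system level as well.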
Q I have a 220R running Solaris
8, and I'm trying to run the sysdef command to get some information
about the machine. When I run sysdef, I get a weird error.
The command works fine on other machines of the same type running
the same OS, though. I've deleted the actual hostid in the output
below, but the rest is the same:
*
* Hostid
*
********
cannot open /dev/kmem
The permissions on /dev/kmem, the file it actually points to,
and sysdef are:
lrwxrwxrwx 1 root other 27 May 28 2002 /dev/kmem -> ../devices/pseudo/mm@0:kmem
crw-r----- 1 root sys 13, 1 May 28 2002 /devices/pseudo/mm@0:kmem
-r-xr-xr-x 1 root sys 31520 May 28 2002 /usr/sbin/sparcv9/sysdef
As far as I can tell, everything looks just fine, so why am I getting
an error?
A Presumably if you run this command
as root it works fine? The sysdef binary needs to be SGID
sys in order to be run by non-root users. Perhaps you've removed
SGID/SUID permissions to harden this particular machine or someone
accidentally or maliciously changed the machine. Check the md5 signatures
on the system just to be certain if you don't know how the file
got changed.
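The listing in the question shows the missing bit directly (the group x in the mode string is "x", not "s"), but the larger worry in the answer is not knowing how a system binary changed. As an added example, not from the column, the two functions below report the set-id state of one file and inventory all set-id files under a directory so the output can be saved and diffed after the next maintenance window. They rely only on the ls -l mode string, so they work the same on Solaris, BSD and Linux; the paths in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the column: inspect and inventory setuid/setgid
# bits so an unexpected change like the one in the question is caught early.

# Print "suid", "sgid", "suid,sgid" or "none" for one path.  Position 4 of
# the ls mode string holds the user x/s bit, position 7 the group x/s bit.
setid_bits() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 1
    out=""
    case "$mode" in ???[sS]*) out="suid" ;; esac
    case "$mode" in ??????[sS]*) out="${out:+$out,}sgid" ;; esac
    printf '%s\n' "${out:-none}"
}

# List every set-id regular file under a directory as "mode owner group path",
# sorted by path.  Save the output once as a baseline; a later diff shows any
# binary that gained or lost a set-id bit or changed owner or group.
setid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | sort -k4
}

# Stand-alone run: the binary from the question, then an inventory of /usr/sbin
setid_bits /usr/sbin/sparcv9/sysdef
setid_inventory /usr/sbin
```

For the file in the question the expected report is "sgid" with group sys; "none" is what the listing above would produce. On Solaris, pkgchk -p /usr/sbin/sparcv9/sysdef compares the installed file's mode, owner and group against the package database, which answers the "was it ever different" question without a baseline of your own.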
Q We have a number of home users
running Linux (Fedora Core 2) who need to set up a packet filter
of some sort to increase security. We've told our users to install
and configure iptables, but some of them aren't that technically
inclined. Could you point me to some good resources to help the
less Linux-oriented users get up to speed?
A There's a lot of information
out there on iptables, starting with the Netfilter Web site:
http://www.netfilter.org/documentation/index.html#documentation-howto
If you're looking for something to help your users generate configuration
files without having much iptables knowledge, take a look at FireHOL:
http://firehol.sourceforge.net/
While the configuration language still looks rather technical, it
abstracts the iptables rules into more generic statements about the
services that a machine runs.
Q I'm trying to use sendmail 8.12.11
LMTP with procmail as the local delivery agent. I've modified the
mc file thusly:
define(`LOCAL_MAILER_ARGS', `procmail -Y -a $h -z')
define(`LOCAL_MAILER_FLAGS', `SPXhmnz9')
define(`LOCAL_MAILER_DSN_DIAGNOSTIC_CODE', `SMTP')
Unfortunately, I'm losing the plussed detail when I try to deliver
messages to multiple recipients. As an example, when a message is
delivered to mary+de@domain.name and bob+tail@domain.name,
the plus detail for both mary and bob is "de"
because mary's address was processed first. I realize that this is
probably the side effect of the -a switch to procmail, since
the procmail man page says:
-a argument This will set $1 to be equal to argument. It can be
used to pass meta information along to procmail. This is typically
done by passing along the $@x information from the sendmail mailer
rule.
So, how do I work around this so that each recipient gets the
correct individual plus detail?
A There's an LMTP patch available
for procmail 3.22 available from Claus Aßmann's Web page at
Sendmail:
http://www.sendmail.org/~ca/email/patches/procmail.lmtp.p0
After patching, invoke procmail as procmail -z+ to get the
correct LMTP functionality.
Q I have a headless E280R running
Solaris 9 that's being put into production to generate some graphs
using in-house software. Unfortunately, this software requires a
graphics device, so I've run Xvfb to simulate the hardware so that
the product works. This worked fine when we were doing a small number
of operations, but now that the machine is seeing more use, the
CPU is bogging down. What's the best way to work around this issue?
Should I just add more CPU to the machine, install a graphics card,
move the process off to another machine (very sub-optimal)?
A There are a couple of things
you could try to improve performance. First, I'd try to get your
in-house software team to fix their software so that no graphics
device was needed to render the images in the first place. Barring
that, you can try to run additional Xvfb instances on different
virtual displays if you're rendering multiple images at the same
time and you have more than one CPU. This only works if the in-house
application can direct its individual renderings to different displays,
of course. If it can, you'll at least be utilizing both CPUs to
do the work instead of serially hitting one CPU. You can also put
in a graphics accelerator such as the XVR-500:
http://www.sun.com/desktop/products/graphics/xvr500/details.html
http://sunsolve.sun.com/handbook_pub/Devices/Graphics/GRAPH_XVR_500.html
The approach that works best will depend on the type/size of images
being rendered and the capabilities of your in-house software, though.
Q We're using screen to connect
to a terminal server and log console output for a number of machines.
We run screen in detached mode because we're mostly just interested
in the log files. Occasionally, we need to kill off one of the screen
windows since the console for a given machine hangs and needs manual
intervention. We don't really want to have to reattach to the screen
session to do this, but it appears that that's the only way to accomplish
what we're after since screen -X will only send commands
to the current attached window. Is there some sort of macro or wrapper
we can write to tell screen it should act on a window of our choosing?
A Screen actually has a built-in
mechanism that will handle this for you. If your screen session
is detached, specify the -p flag in conjunction with the
-X flag to tell screen that you wish to pre-select the specified
window. From the man page (spelling errors corrected):
-p number_or_name Pre-select a window. This is useful when you
want to reattach to a specific window or you want to send a command
via the "-X" option to a specific window. As with screen's select
command, "-" selects the blank window. As a special case for reattach,
"=" brings up the windowlist on the blank window.
-X Send the specified command to a running screen session. You
can use the -d or -r option to tell screen to look
only for attached or detached screen sessions. Note that this command
doesn't work if the session is password protected.
So, to kill window 6 of your detached session on 848.pts-4.hostname
without actually doing a reattach:
screen -r 848.pts-4.hostname -p 6 -X kill
Q I'm running SpamAssassin
to try and catch the majority of spam that hits my inbox. Sometimes
a piece of spam manages to pass through SA without getting flagged.
I've also tried forwarding this spam to another system and it passes
there, too. If I run SA on it by hand, though, it's very evidently
tagged as spam. How come SA is missing some of the spam when it's
filtering automatically?
A Without the specific piece of
spam and more knowledge of your SA setup, it's difficult to diagnose.
A potential issue might be the size of the message, though. If you're
using the example procmail recipe, as shown below, SA only processes
messages up to 256K.
:0fw: spamassassin.lock
* < 256000
| spamassassin
Also, spamc has a default maximum size of 250K, which can be increased
by using the -s flag. From the spamc man page:
-s max_size Set the maximum message size which will be sent
to spamd -- any bigger than this threshold and the message will
be returned unprocessed (default: 250k). If spamc gets handed
a message bigger than this, it won't be passed to spamd.
The size is specified in bytes, and if you send it a negative
number, things are quite likely to break very hard.
If you're using a milter in conjunction with sendmail, look for
message size limits there as well.
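A message that bypasses the size check leaves no trace unless you ask for one, which is why the question's "it passes on two systems" symptom is hard to pin down. As an added example, not from the column, the procmailrc fragment below keeps the stock recipe and adds a second recipe that logs every message the first one skipped, so an unflagged spam can be checked against the log before SA itself is suspected. The log file location is an assumption.

```procmail
# Added example, not from the column: make messages that skip SpamAssassin
# because of size visible in the procmail log.  LOGFILE path is an assumption.
LOGFILE=$HOME/.procmail.log
# procmail's LOG does not add a newline; define one for use below
NL="
"

# The stock size-limited recipe: only messages under 256000 bytes are scanned.
:0fw: spamassassin.lock
* < 256000
| spamassassin

# Everything at or above that size bypassed SpamAssassin.  Record it with its
# Subject so the skip can be matched against a reported miss.
:0
* > 255999
* ^Subject:[ 	]*\/.*
{
  LOG="SA skipped oversize message, Subject: $MATCH$NL"
}
```

If the logged messages are ones you want scanned, raise the threshold in the first recipe and, when spamc is in the path, raise its -s limit to match; one limit without the other still produces the same unexplained pass.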
Amy Rich, president of the Boston-based Oceanwave Consulting,
Inc. (http://www.oceanwave.com), has been a UNIX systems
administrator for more than 10 years. She received a BSCS at Worcester
Polytechnic Institute, and can be reached at: qna@oceanwave.com.