http://customerdomain/~customerusername will no longer work

http://defaultserverhostname/~customerusername continues to work normally

This is due to permissions issues since the requests are now being served by the nobody account.

More specifically, you download the latest airspace update file which will be named something like

Airac[month][year].update

e.g. Airac0212.update

The problem

Using the above example, we rename Airac0212.update, to Airac0212.zip, unpack it, and then copy the contents of the resulting Airac0212 directory into the root of the SD card. Simple enough, but this totally destroys any saved routes on the device.

The solution

I found that by copying the file

/Data/User/Route

from the SD card to somewhere safe (shown opposite) – then performing the update as usual, and then finally copying my old Route file back onto the SD card, that any saved routes are preserved. I notified Airbox Aerospace of this, and they confirmed that “all seems to work fine with this process”.

Once he’s hacked your account, there’s a good chance he will also be able to get a list of all linux users on the server. Then, all he has to do is look for the commonly found configuration files in each users account.

Hacker, being lazy, will just try to create symlinks to the files in question, whether they exist or not. Now, if the hacker has used a kiddie script the chances are you have already detected his attack – but just in case he’s a little more resourceful, then here’s how you can search all cpanel accounts for evidence of Symlinks to files outside of each respective cpanel account:

Apache Directives to prevent Symlink Attacks

In WHM Main >> Service Configuration >> Apache Configuration >> Global Configuration you will find the settings for Directory “/” Options.

To maintain a more secure server, you should only tick SymLinksIfOwnerMatch and NOT FollowSymLinks. This ‘might’ break some things depending on what you are trying to do legitimiaterly, but SymLinksIfOwnerMatch will only allow Apache to follow a symlink if the target has the same owner as the symlink.

Regardless of the primary or secondary function of a design, bad design is always obvious, especially when you encounter it in your day to day life.

An instruction manual that makes it awkward to find essential information, a website that makes it incredibly hard to find essential information, or a fashion magazine with no glamorous pictures are all unlikely to make you a repeat customer (unless you like that sort of thing!).

Design success

When you interact with anything, be it a physical object or something that is based solely upon the transfer of information and aesthetics (such as advertising), your experience of that interaction is the most important factor in determining your emotional involvement with that thing.

In order to attract people to your brand, event, cause or whatever, there has to be a balance struck between aesthetic beauty and the ability to transfer information effectively. This is what I always aim to do. Simple and straightforward design, that doesn’t loose sight of its purpose (something that happens all too often, and for no other reason than to boost the designer’s ego).

I’m sure I haven’t told you anything here that you didn’t already appreciate, but it is worth sitting down and considering these aspects of design before embarking on any project. Then, by working together, I’m confident we can produce the successful designs that your business needs to prosper.

Steve Sant

Despite only recently going live with the website, the GritFree team had been busy throughout 2011 and the Soda Blasting examples shown in their Portfolio page demonstrate how well the process is trusted by prestige customers.

Unlike shot blasting, the GritFree process is non-destructive. It was important to emphasise this, so graphics that were originally developed for parent company Ecoblast UK Ltd were re-used.

The job required a logo to be developed from the Ecoblast brand, some custom illustrations, and some original photography!

7 days ago the hosting company I work for found a client who’s site had been hacked. It was quite nasty, and a perl script was pumping out spam at a pace. Within an hour or so, we had tracked it down and got it shut down. Too late. We had appeared on a couple of blacklists, including spamhause and spamcop, and SORBS (just 46 hits).

Within a few hours, the world recognised that we had stemmed the problem, and all was fine again… or was it…

SORBS still listed us. We tried to remove ourselves. SORBS  has to be THE worst system I’ve ever used, ever. And I’ve used some pretty bad systems. If you’re going to allow companies to use your data to make decisions about whether or not to deliver email you at least owe it to run a service that isn’t completely broken. 

Let me give you concrete examples:

We couldn’t remember the password on an old account. Our fault, but not an uncommon issue, a quick password reset should do it right? The system wouldn’t let us reset it.

So, we created a new account. The confirmation email never arrived, I don’t think it was dispatched.

We attempted on 5 different occasions over a 3 day period to request a reset.

The system would take ages to deliver a message of the format;

“Confirmation email resent to: <BLANKNESS>”

Notice the blankness, it’s like the DB had timed out and it hadn’t got the value, or didn’t know it?!

o.k, this is ridiculous, I need support. But wait! You need an account! How delightful! I’m stuck in a catch 22.

We tried the “Talkback to SORBS” – but this throws a database correction error, and has done for the last week. Why bother having the link there if you’re not going to run it?

In the end we managed to find our old username/password otherwise we would have had to have waited however many days for the old account that you couldn’t confirm to drop off the system so that we could try again, naturally with little chance it’d actually work.

We loogged in, started the delisting process to be told I don’t have access to perform a delisting?! Having jumped through all these hoops, the SSL crap, the gammy signup, the slowness/timeouts, the broken links, now having authenticated with this steaming POS we don’t have the authority?!

It’s not like we are a tinpot organisation, RIPE can verify that a pretty sizeable IP block belongs to us.

For example, I am currently using something like:

/usr/sbin/cxs –report /var/log/cxs.scan –logfile /var/log/cxs.log –mail reports@myhost.co.uk –vir -I /etc/cxs/cxs.ignore –options mMOfSGChednWZDR –script /root/cxswatchscript.sh –xtra /etc/cxs/cxs.xtra -Z –sum -F 200000 -C /var/clamd -T 10 -B –allusers

the script defined above, /root/cxswatchscript.sh, receives 4 arguments from CXS

$1 = filename
$2 = option triggered
$3 = message reported
$4 = account name

As I wasn’t sure if I could get away with running a perl script directly, I use cxswatchscript.sh as a wrapper. cxswatchscript.sh contains:

Then cxswatchscript.pl contains:

The reason I don’t use the “Option Triggered” argument (the second one) is that ClamAV also picks up some javasript viruses, and while these things might technically be a virus, they don’t pose a threat to the server, and I wouldn’t want to suspend a user account based on finding one. The perl script allows us to be far more selective in the conditions that lead to a suspension.

• Got ConfigServer Exploit Scanner – CXS – installed on your cPanel/WHM server?
• Doing a full server scan every now and then, and getting swamped with the reports?
• Want a script that will trawl the reports, and email the cpanel users with their problems automatically?

Then you came to the right place!

Requirements

You need to have CXS installed, and you need to be generating a Scan Report Log file after your periodic scan. This is the file that is in this sort of format:

Jan 21 02:34:45 apollo cxs[526881]: ['/home/username/public_html/thingybob.info/adsense/volume1.zip'] – ClamAV detected virus = [HTML.Phishing.Bank-581]

It’s important to ensure this file is truncated before each CXS run, otherwise you will be sending out an ever increasing number of warning emails each week!

This Perl script also uses a couple of Perl modules that are normally available by default – Email::Valid and MIME::Lite

That’s it!

Just pop the script somewhere safe, and cron it to run a safe time after your cxs scan is schedules to run (to make sure it parses the completed log file). It will email (via Sendmail) a report to each cPanel user (via the cPanel account’s contact email address) with their affected files in an attached text file.

Version 2!

This version is now aware of resellers, and will email the reseller instead of the cpanel user directly.

Oh, yes, and obviously, you use this entirely at your own risk – absolutely at your own risk!!!

You may find instances where a local user tries to send mail to a host that operates greylisting. The messages never gets to the recipient. You see things like this in the exim_mainlog

Possible simple reasons for messages failing due to greylisting

Queue Interval time

Now, I’m assuming here that you have a sensible queue retry interval set in the exim command ( the -q switch ). You can check this by running

ps aux | grep exim

and checking the output…

/usr/sbin/exim -bd -q15m

The -q15m above means the queue is running every 15 minutes. In a WHM/cPanel environment you should set this in the Tweak Settings > Mail section.

If your retry interval is too long, you may miss the greylist window, and get greylisted again upon retrying, and thus eventually the message will fail.

Max load queue runner sleep factor

By default, exim will not run the queue if the system linux load average goes above 3.00 – on a modern server with a dozen cpu cores this is a patently silly value. The value should really be set to at least the number of cores on the machine. The actual exim config variable concerned is deliver_queue_load_max.

You can adjust/over-ride the value in the default exim.conf file by adding this to the first box at the top of the advanced exim config screen in WHM.

deliver_queue_load_max = 12

More tricky reasons for messages failing

Exim uses a number of hints databases. On a cPanel server, these are in /var/spool/exim

First thing to do is check what exim thinks the next retry will be for your failed message:

Now. In this instance I know the message was only sent on 16th Nov so there must be a bug somewhere for exim to think it was first sent on 03rd Nov.

My first try was to run

# exim_tidydb -t 7d /var/spool/exim retry

This removed a whole bunch of retry data from the database, but to no avail. Exim still had any message going to this domain as originally failing on the 3rd Nov.

I then decided to rip out the data for this domain directly using exim_fixdb. The man entry for exim_fixdb is a bit dry, and doesn’t really tell you how to identify the record keys, but it’s actually quite easy once you find out how!

First, search the database for your suspect domain:

The key to the hints database record is

R:remoteuser@remotedomain.co.uk:<localuser@localdomain.co.uk>

So, now just run exim_fixdb

the d command just deletes the most previously viewed record. That’s it! Now run exinext again:

# exinext remoteuser@remotedomain.co.uk
No retry data found for remoteuser@remotedomain.co.uk

That’s it – any messages sent to the remote domain should now retry properly again.

Enjoy.

• I don’t like being forced to upgrade to iCloud
• I don’t like being forced to upgrade to Lion to use iCloud
• As a user of Adobe CS5 and numerous peripherals for photo/print etc, I can’t see how upgrading to Lion is going to make anything easier for me (actually the reverse)
• I felt it was time to move my online self to a domain that I control, instead of me.com or mac.com

So, how to do it? I run a number of Macs, and an iPhone so whatever I choose has to work on both, and be relatively painless. This guide isn’t for total beginners, I wish I had the time to describe every step in detail with screenshots, but anyone with a sense of adventure should get through this guide without difficulty.

Step 1 – buy a domain

OK, so I got myself a domain, for the sake of argument mrsant.co.uk – that was the easy bit.

Step 2 – sign up to Google Apps Free

Again, this was pretty easy. I just went to

http://www.google.com/apps/intl/en/group/index.html

And went through their sign up process. You will need to verify your domain by adding a dns TXT record to the zone file, or by uploading a file to the website for your domain – but this is straightforward and much the same as verifying a website for use with Google’s Webmaster Tools or Analytics.

Once you have verified that you own the domain, then you need to active the services. Activating your email in Google Apps will require you to configure the MX records for your domain to point at Google’s mail cluster.

You will be asked at some point if you want to set up other users – just select No at this stage as we are only interested in setting up the first mailbox account.

Once you have got this bit done, you should be able to log into Google using your new email address (e.g. steve@mrsant.co.uk) and start using gmail in the way you already know and love.

Step 3 – Configure mail.app for Google Apps

OK, this is where I learnt a few things about how Google handles IMAP folders and how mail.app can be configured to work with it.

Enable IMAP access for your Google mailbox. This is done in your mailbox settings (click the gear/cog icon top right of your Google mail window) > Forwarding and POP/IMAP tab. Leave the options as default (Auto-Expunge on).

Now, in mail.app, just set up your account as follows:

And the SMTP settings that matter…

Mailbox behaviours that work for me

And finally, the advanced settings

Getting the folders to behave themselves

To prevent mail.app from creating extra folders in the gmail system you must tell mail.app which folders in the Google Apps mailbox to use as the default Sent Items, Trash, Junk, and Draft. You do this by expanding the new Gmail mailbox in mail.app’s left column, and selecting each folder in turn, then selecting from the mail.app menu, Mailbox > User This Mailbox For > [Draft, Sent, Trash, Junk]

Once you have done this correctly, you should just be left with the Starred and Important folders, as shown in the screenshot opposite.

About Gmail’s folder system

Gmail (Google Apps mail) uses a slightly funky system for storing messages in IMAP folders. It’s actually pretty neat, and allows very effective use of space. It creates folders virtually from the labels you attach to messages in the web interface. So, if you have a message with a 10Mb attachment, and assign it to two labels, then it will only take up 10Mb in your Gmail account. Try it and see! However, when you view it using mail.app or any other IMAP client, you will see the same message in two folders. Unfortunately, on your Mac, if storing the messages locally (which I always do) then the magic is lost and you will be keeping two separate copies.

This is esoteric, and doesn’t really matter in day to day usage, but sometimes, you might want to find a message on your Mac, and you might think it’s gone… forever. But – there is an idiosyncrasy in the way IMAP clients interact with the labelling system. If you drag a message from a Gmail folder in mail, to a local folder on your mac, you might think yo uhave removed it from your Google account. You haven’t. What you have done is remove Gmail label from the message in the Gmail system, and copied the message to your local Mac disk. The message will still exist in the  Gmail account in the “All Mail” folder.

The “All Mail” folder in Gmail is (you guessed), another virtual folder, but this one is a bit special. It contains all messages including those that have no labels at all… i.e. those messages that do not appear in any folder in an IMAP client such as mail.app. So, if you can’t find a message in Mail.app, then there is always a slim chance it might be buried somewhere in your Gmail account.

Currently, there is no easy way to filter out all unlabelled mail in Gmail. This is something that people have requested for years, but Google have not yet provided.