Simple PHP mail wrapper

If you run a webserver with several hundreds of virtual hosts running PHP, you definitely need to monitor or log the access to PHP’s mail() function. I describe in a short tutorial how to painlessly setup a simple sendmail wrapper to accomplish this.
This has been tested on a Debian Lenny 5.0 system running PHP 5.2.8 and Postfix.

Read More

Process hiding Kernel patch for 2.6.24.x

Currently all Linux kernel security patch projects seem to be sleeping. There is no useful kernel patch that provides us with a decent patch set allowing us to strengthen the Linux kernel. Some years ago I was using Grsecurity, a wonderful solution to enforce security on 2.4.x kernels at that time. The project seems to be pretty dead by now.

During the last months I was using RSBAC, a great set of security enhancements to the 2.6.x kernels. RSBAC seems to be a great project and I like the way they provide pre-patched vanilla kernels. But again, reaction time is way too slow. Root exploits for Linux kernels seem to appear all the time and force a server administrator to react fast. The lately published vmsplice root exploit made me give up on RSBAC as it’s just always a step behind. I decided to switch back to self compiled vanilla kernels from

Read More

Leopard 10.5.1 massive data loss bug / JPEG corruption

I strongly do NOT recommend to use Mac OS X Leopard in a productive environment!

The initial release 10.5 got launched on October 26, 2007. It contained a number of serious bugs which should have been addressed in the first upgrade. On November 15th Apple released the first major upgrade 10.5.1. Most people believe all serious bugs are squashed by now and start to use Leopard in productive environments. I would rather wait for 10.5.2 or even 10.5.3!

Here you’ll find an extensive article about the massive data loss bug in Leopard by Tom Karpik.
His tests are based on Leopard 10.5 and I didn’t find any information about this bug still persisting in 10.5.1. But I was pretty shocked about what happened to me last night…

Read More

Mac OS X 10.5 Leopard Tips & Tricks

Warning: This article was written by a Windows/Linux User who just started to switch to OS X after a period of 10 macless years.

Two days ago I got my new Mac Mini and finally I’m serious about switching from Windows Vista to Mac OS X Leopard. It’s just too annoying to wait 4 years for a new Windows system which is worse than it’s predecessor and which might start to get useful as of SP1 which still is not out (my standby still does not work and I gave up on installing «SP1 beta pre-RC1» – what the hell?!!). Vista is more like a blown-up XP that does everything worse than XP. I like its user interface but not if I need to sacrifice 50% of my CPU-power on a powerful IBM T60p.

My first impression of OS X Leopard: WOW!
My second impression: If you go with all the defaults, it works like a charm. If you want to get a bit further, OS X is no way easier to fine tune as a Windows OS but still much easier as tuning a Linux.
My conclusion: Cool, Leopard rocks! But hey, be realistic, each OS got his pros and cons.

Here are my Tips & Tricks of the last two days…
Read More

ProFTPd xferlog via MySQL

Logging your FTP transfers to xferlog with ProFTPd is a nice thing. This can easily be done by a one-liner in /etc/proftpd/proftpd.conf:

This generates a nice transfer log which we could then parse for transfer statistics. But there is a much better way to accomplish this: MySQL. Let’s use MySQL for everything!
It’s pretty straightforwarded to get ProFTPd to log into a MySQL table.

Read More

RSBAC – Kernel based process hiding

A webserver usually is the primary target to intrude into any network. If you provide web hosting services for your customers you have to provide them with a lot of features to make them happy. The main requirement for any hosting provider is PHP, probably the widest spread web scripting language out there.

Some customers only start to get happy if you give them PHP without any safe_mode restrictions, if you provide them with custom CGI scripting next to the basic good old SSI features (which in my eyes no one really needs since we got PHP) by Apache HTTP Server, if you give them FTP access and let them manage their account by themselves.

Rule Set Based Access ControlIn every feature there is always a hidden security risk. We cannot give all this to our customers without thinking about security and its consequences if a user gets hold of data which does not belong to himself or even breaks into the whole system. So, let’s start at the basics: No customer should be able to see any other running processes on the system except the ones that belong to himself. We want to hide all processes that the given customer is not allowed to see. That’s process hiding. And because on a Linux box it’s always smart to implement something from bottom up, we name it kernel based.

There is no simple solution for this problem. Some rootkits simply overwrite the ‹ps› command. But we want something more trustworthy, somehow deeper anchored in the system (got that?). The only kernel patch I found was the one from (Rule Set Based Access Control), a full blown kernel security patch. The only feature we actually need is «CAP process hiding».

Read More

LEX NEO – A fanless CF-Boot Setup

This tutorial tries to show you how to setup a wonderful quiet fanless system.
I’ve bought a LEX NEO, a terribly nice Mini-ITX fanless barebone which includes an onboard bootable CF-card slot.
Thomas Bocek ( helped me out with the following configuration.
The idea was:

  • The harddisk should only run when used
  • The whole system should be stored on a CF-card
  • We don’t want to stress our CF-card. Directories with a lot of access like /var/log should be run in RAM

We decided to install Debian Linux by USB-install, using a USB-stick instead of running some PXE network install which seems to be far more complicated.
Here’s a short HOWTO (for more detailed instructions, please check Debian USB memory stick booting:
Download boot.img.gz (7.9 MB). Also, download the official netinst image (108 MB). If you can’t find it, check and download the stable i386 version.

Read More

Rsync – Full System Mirroring

Rsync is a command line utility traditionally used in synchronizing files between two computers over the network, but rsync can also be used as an effective backup tool.
This article explains how to use rsync to backup your whole Linux system setup to a second drive attached to your system. You can use a removable drive, such as an external USB hard drive, so that you can store the backups in a safe place away from your working environment.

Read More

Linux kernel compilation HOWTO

I’d just like to publish this small kernel compilation HOWTO’s that I once wrote and used by myself each time compiling a new kernel.
They are just quick and dirty HOWTO’s that cover the commands used to compile a kernel, nothing more than that. But I’m sure someone might find them useful.
Kernel compiling is easy! Don’t be afraid of it. Just be careful when configuring your bootloader, e.g. LILO – first think and then act, especially if you’re compiling a new kernel on a remote host where you haven’t got any physical access.

If you wish further information about kernel compilation under Debian, consult this wonderful tutorial:
again, to make it short, really really short, here’s what to do under Debian:

Good luck and happy compiling!

PHP: class Sd_Yabd

…Yet Another Browser Detector
First I thought about calling this script ‹ExtrAgent›, then I thought, hey,
there’s a whole bunch of other browser detection scripts around, so actually
it’s just yet another browser detector!
I have just updated this code and replaced the old function with the new class Sd_Yabd. It takes part of my upcoming PHP framework «Sourdough» which will be released in april/may 2004.

Read More