A Big F-U to GoDaddy

So its been a very busy month. I took some holiday time at the beach. From there I was in Bangkok for a week of Vendor training. My return home was filled with long days and nights trying to get caught up as well as, prepare for a week long business trip to Singapore next week.

During all this hubbub of activity, I accidentally let my domain expire. Opps! Oh well, there is a grace period, I can just renew it right? Not exactly. Turns out that the grace period is only 12 days. After that GoDaddy penalizes you with on outragous $80 USD "Registry Redemption Fee". Umm, what? Srsly?

"Ok, no problem", I think. I'll just re-register it at another Registrar. NOPE! The domain still shows up as registered to me, but locked by GoDaddy.

So..... Just wait for it to expire and then pounce on it again to re-register? NOPE! Not so easy. Then GoDaddy puts your domain up for Auction for 10 days! Ok, so wait for the auction to finish and hope nobody bids on it? WRONG AGAIN! GoDaddy then puts your domain up on a 5-day Closeout auction /Firesale!

So, in reality when GoDaddy says "Registry Redemption Fee" what they really mean is "We Are Holding Your Domain Hostage Until You Pay an Ungodly Ransom".

Now, because I am in Thailand, lets put that $80 USD into prospective. The average Thai salary here in Chiang Mai is about 10,000 THB/ month. Assuming a 4 week month and 40 hours per week (most work more hours and days than that), that means the average pay here is 62.5 THB/ hour. Exchange rate is approximately 35 THB per $1 USD. That means that GoDaddy's ransom money equates to about 45 hours of work here. MORE than one weeks pay!! Or in other terms, about 93 average lunches (30 THB).

So GoDaddy, as I really have no recourse other than to publize your horrible business practises. Additionally, did a little bit of google searching, and seems I'm not the only one upset with GoDaddy.

I urge everyone to take a look at (nmap) Fyodor's NoDaddy site.

So, again, screw you GoDaddy. Enjoy the extortion money.

Tip of the Day: Keeping Web Directories Clean

Just a simple system admin tip of the day.

One issue that I tend to run into quite frequently, are linux directories that are full of crude from other people and their OS's. A perfect example of this, is a web server, where multiple people have access to the directory to upload new content, etc. Invariably you end up with backup files, systems files from VSS, Windows Thumbs.db files, Apple OSX .DS_Store files, etc.



So to help me clean house, I add 5 or 6 simple rules to the end of my mightly cron jobs:

cd /var/www/html

find . -name "*.bak" -exec rm -rf {} \;
find . -name "vssver.scc" -exec rm -rf {} \;
find . -name "Thumbs.db" -exec rm -rf {} \;
find . -name ".DS_Store" -exec rm -rf {} \;

This will seek out and all these files for me, on a nightly basis.

CentOS patching

In my normal everyday job, I am tasked with managing and maintaining about 30-40 production CentOS servers. Being a security guy, I maintain a pretty rigorous patching routine. However, because these servers are customer production servers, one very important caveat is that I need to do everything I can to minimize customer downtime.

Normally when I patch a server, my routine is:

yum check-update (check what updates are available)

yum -y update (update everything)

And if the list produced by check-update shows the kernel or kernel-headers packages in the list, I promptly reboot the server. This translates into about 5 minutes of downtime for the customer as the server reboots.

So that got me thinking. Is every kernel update critical or can they easily be delayed? So then I stumbled across this excellent plug-in for yum.

yum-changelog-1.1.10-9.el5.centos

Name : yum-changelog
Arch : noarch
Version: 1.1.10
Release: 9.el5.centos
Size : 12 k
Repo : installed
Summary: Yum plugin for viewing package changelogs before/after updating
Description:
This plugin adds a command line option to allow viewing package changelog
deltas before or after updating packages.

Perfect! That will allow me to see exactly what is changing with each new version of the kernel. So I install that with:

yum install yum-changelog

Now we can use yum to show us the change log for certain packages. So, if I want to see the change log for the kernel related package, I could run something like:

yum update kernel kernel-headers --changelog

This will produce output similiar to:

Changes in packages about to be updated:

kernel-headers - 2.6.18-92.1.22.el5.x86_64
* Wed Dec 17 06:00:00 2008 Karanbir Singh [2.6.18-92.1.22.el5.centos]
- Roll in CentOS Branding

* Sat Dec 6 06:00:00 2008 Jiri Pirko [2.6.18-92.1.22.el5]
- [misc] hugepages: ia64 stack overflow and corrupt memory (Larry Woodman ) [474347 472802]
- [misc] allow hugepage allocation to use most of memory (Larry Woodman ) [474760 438889]


Ah, ha. As I suspected. Two memory related bugfixes and CentOS branding. Because we are currently not expirencing any memory related issues, this patch does NOT rate as critical and warrent immediate customer downtime. This can be delayed.

So now I can apply the other patches and exclude the kernel upgrades with:

yum update --exclude=kernel,kernel-headers

Now, I have a script that runs nightly on all my CentOS servers. This script gathers nightly statistics, logs entries, etc from my servers and emails it to me. This is pretty much jsut a CentOS port of my old Gentoo Update Script, with some CentOS speficic changes and additional features. The other thing it does, is generate a list (via yum check-update) of all the updates required. So the question now is, now can I get this interactive command to run via an automated script? The easiest way I could come up with is:

echo n | yum update kernel kernel-headers --changelog

Probably not the cleanest way, but does the job very well.

Bungling Sys Admin Gets It Right

Wanted to point out an excellent post on The Bungling Sys Admin Blog. It's a response to TaoSecurity's Recommendations for Introduction to UNIX post. Bejtlich, who tends to be a bit of a FreeBSD homer, recommends FreeBSD with Ubuntu and/or Debian as alternatives.

Matt, who has about 10 years of corporate linux administration expirence under his belt, makes an excellent counterpoint. His arguement is, if you are going to spend the time to learn, why not learn on a distribution that there is a high probability you will encounter in a real world production environment? He offers up Red Hat Enterprise Linux, CentOS, and Solaris as much more applicable alternatives.

I wholeheartedly agree with both both the choice of OS's and the reasoning behind them. Although I do have specific figures to back up my assertions, I would say that based on my expirences, these 3 OS's compose the lion's share of the *NIX market place and that if you were going to be maintaining a unix/linux based system in a real worl corporate environment, very high likely hood it will be one of these.

Cudo's to Matt for hitting the nail squarely on the head.

Undelete Snooping Fun

Alright, I have a confession to make..

One of my guilty pleasures in life, is to take USB drives that coworkers, friends, and family leave laying around and examine their contents. Not the contents that they KNOW are there, I'm more excited by what they have deleted. Using the free windows tool, FreeUndelete, you can very quickly and easily view and restore deleted content from any NTFS or FAT formatted drive. Can usually find some interesting things.

All well and good. But of course my compulsive snooping side can't stop there. I also like to keep a cheap 100 Baht, all-in-one USB memory card reader handy. I will then temporarily swipe the memory cards from digital cameras and mobile phones. As it turns out, most of these devices use a FAT formatted file system as well. It is absolutely AMAZING what you can find on these cards!

Moral of the story,

A.) most people will go out of thier way to protect or remove embarassing content from their PC. Most people don't think twice about these other devices. Makes for an interesting (and entertaining) "attack" vector.

B.) Maybe its time that digital camera manufacturers, mobile phone makers, and the lot, start offering "secure delete" options on their devices?

Blog Personality

I came across this post over on the Bungling Sys Admin Blog (does this mean this is a post about a post about a post about a post about a site??), that points to a tool called Typealyzer. This tool analyzes the writing style of your blog in an attempt to determine your personality type.

I let it analyze Monkey - House, and here is what it had to say about me:

INTJ - The Scientists

The long-range thinking and individualistic type. They are especially good at looking at almost anything and figuring out a way of improving it - often with a highly creative and imaginative touch. They are intellectually curious and daring, but might be pshysically hesitant to try new things.

The Scientists enjoy theoretical work that allows them to use their strong minds and bold creativity. Since they tend to be so abstract and theoretical in their communication they often have a problem communcating their visions to other people and need to learn patience and use conrete examples. Since they are extremly good at concentrating they often have no trouble working alone.

So, folks that know me, what do you think? Sound like me?

Blog Disclaimer

Due to unexpected corporate pressures, I feel compelled to add this disclaimer to my blog. All though it's nothing but a blatant restatement of the obvious, here it goes:

This is a personal blog. The opinions expressed here represent my own and not those of my employer, past or present. Additionally, this blog does not represent the thoughts, intentions, plans or strategies of my employer. It is solely my own personal opinion.

Feel free to challenge me, disagree with me, or tell me I’m completely nuts in the comments section of each blog entry, but I reserve the right to delete any comment for any reason whatsoever (abusive, profane, rude, or anonymous comments) - so keep it polite, please.

In addition, my thoughts and opinions change from time to time. I consider this a necessary consequence of having an open mind. This blog is intended to provide a semi-permanent point in time snapshot and manifestation of the various thoughts running around my brain (see banner graphic), and as such any thoughts and opinions expressed within out-of-date posts may not the same, nor even similar, to those I may hold today.

Additional disclaimer, most of the verbiage in this disclaimer has been borrowed from various other sources. :)