sonyboy.dk » linux

Apache2 hangs with ‘Digest: generating secret for digest authentication’

Sonyboy — Tue, 20 Oct 2009 12:31:24 +0000

I was running Apache2+SSL on a VM (Virtual Machine).

After enabling SSL and trying to add another SSL site, apache would refuse to restart and the following error would show up in /var/log/apache2.log

Digest: generating secret for digest authentication

After doing some research, it turns out that the VM did not have enough entropy to generate much of anything. Increasing this is easy, but may not be completely secure.

$ cat /proc/sys/kernel/random/entropy_avail
139

I found that rng-tools could help me solve this.

apt-get install rng-tools

Start the service

rngd -r /dev/urandom -o /dev/random

After running rngd, the entropy will increase at a gradual rate.

cat /proc/sys/kernel/random/entropy_avail
2220

If you want this to survive a reboot, you’ll need to put it in a startup script.

Apache2 – No space left on device

Sonyboy — Wed, 22 Jul 2009 07:32:59 +0000

I had problems restarting Apache2… After researching a lot I found that it was due there were myriads of semaphore-arrays left, owned by my www-data user.

The following appears to be some of the errors Apache writes in the log.

[emerg] (28)No space left on device: Couldn’t create accept lock

or
[crit] (28)No space left on device: mod_rewrite: could not create rewrite_log_lock Configuration Failed

or
[error] (28)No space left on device: Cannot create SSLMutex

After stopping Apache I found the semaphores with the following command

ipcs -s | grep www-data

Removing this semaphores immediately solved the problem.

ipcs -s | grep www-data | perl -e ‘while () { @a=split(/\s+/); print `ipcrm sem $a[1]`}’

HOWTO: Purge files from an already removed package

Sonyboy — Tue, 23 Jun 2009 14:00:48 +0000

Simply use the following command:

dpkg –purge PACKAGENAME

NTP: Who is using my NTP server?

Sonyboy — Sun, 28 Sep 2008 21:36:06 +0000

You can check which hosts are talking to your time server by using the monlist command of ntpdc, e.g. ntpdc -c monlist Please note that a maximum of 600 entries is supported with current versions of ntpdc. The protocol (or better: the contents of the return packets) used by ntpdc is not standardized, therefore it is recommended to only use ntpdc with a matching ntpd, i.e. both should have the same version number.

To get by this 600 entry limitation, many server operators run client statistics scripts, such as Wayne Schlitt’s ntp_clients and ntp_clients_stats scripts, which can be found at http://www.schlitt.net/scripts/ntp/index.html . They work very well, but can use quite a bit of system resources if your client counts are in the high thousands. Examples of these scripts in action can be found at:

http://www.schlitt.net/ntpstats/ntp_stats.txt
http://saturn.dennishilberg.com/ntpstats/ntp_clients_stats.php (slightly modified)

ntpq -p

The character in the left margin indicates the fate of this peer in the clock selection process. The codes mean:

discarded due to high stratum and/or failed sanity checks;
“x” designated falsticker by the intersection algorithm;
“.” culled from the end of the candidate list;
“-” discarded by the clustering algorithm;
“+” included in the final selection set;
“#” selected for synchronization but distance exceeds maximum;
“*” selected for synchronization;
“o” selected for synchronization, PPS signal in use.

Disable AppArmor

Sonyboy — Sun, 28 Sep 2008 21:27:57 +0000

AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don’t need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn’t working as expected, and then you find out that everything was ok, only AppArmor was causing the problem).

We can disable it like this:

/etc/init.d/apparmor stop
update-rc.d -f apparmor remove