Marti’s Home

e-mail delivery can’t be guaranteed

One of my business partners has something like this in his disclaimer:

Messages sent to and from CompanyName may be monitored to ensure compliance with internal policies and to protect our business. Emails are not secure and cannot be guaranteed to be error free. Anyone who communicates with us by email is taken to accept these risks.

In my opinion this is perfect definition of whole mailsystem based at pop3 and smtp protocol. It is doddored like whole Internet (which “be or not to be” is based at 13 global nameservers). The main problem is that is has been invented in time - when security was not considered.

Of course - we have the tls/ssl in mail comunication, but we cannot enforce the second server to use it, because of compatibility, and risk of loosing some mails.

No provider can guarantee email delivery. ISP’s have different rules about SPAM detection based on content, subject and how many of their users are reporting emails as SPAM. The best way to make sure that your specific survey invitation is not blocked as SPAM is to pre-test it with free email addresses from hotmail, yahoo etc. But as I said WITH NO GUARANTEE

next problem is that we cannot be sure, that person who send us an e-mail is the real person, not an robot or sth. Yes - there is an SPF - but enforcing it like tls/ssl can make some serious problems to delivery. And like you can read here SPF in his simplicyty is vulnerable too… which is not a good news.

Tags: mail systems, spam delivery

resolution: test every disk even if its state is NEW

Some time ago, I bought six samsung 1TB drives (P/N HD103UJ), and 3 of them has been damaged (they were pretty new, and I bought them directly from distributor!)!. Two of them has read-write errors (called bad sectors ) and one does not spin up (it has S.M.A.R.T error just at system boot). Why I chose Samsung? Because this was the only one which produced 1TB with 3 plates (6 heads). Now, because I do not trust Samsung at all I bought just a newness Seagate 1TB (P/N ST31000333AS) (same 6 heads). Samsung was a trauma for me, I wonder if Seagate has same problems. I tested this two drives, and just at start I found sth strange. One of disk does not start in one of SATA ports (another disk worked fine (I swapped them). Anyway after booting up the system, I started testing:

# smartctl -A /dev/sdf |grep On
9 Power_On_Hours 0×0032 100 100 000 Old_age Always - 0
# smartctl -A /dev/sdg |grep On
9 Power_On_Hours 0×0032 100 100 000 Old_age Always - 3

Why one of disks has 3 working hours and one has 0? Maybe because they were tested by support?

now is a time for whole surface test:

# badblocks -s -v /dev/sdf
Checking blocks 0 to 976762583
Checking for bad blocks (read-only test): done
Pass completed, 0 bad blocks found.

# badblocks -s -v /dev/sdg
Checking blocks 0 to 976762583
Checking for bad blocks (read-only test): done
Pass completed, 0 bad blocks found.

now - I am little bit more sure and I can use it

so maybe some performance test? because I do not have enought time to use bonnie++ I use a simple dd.
read:

# dd if=/dev/sdf of=/dev/null bs=1M count=8000
8000+0 records in
8000+0 records out
8388608000 bytes (8.4 GB) copied, 72.6436 s, 115 MB/s

# dd if=/dev/sdg of=/dev/null bs=1M count=8000
8000+0 records in
8000+0 records out
8388608000 bytes (8.4 GB) copied, 69.6747 s, 120 MB/s

write:

# dd if=/dev/zero of=/dev/sdg bs=1M count=8000
8000+0 records in
8000+0 records out
8388608000 bytes (8.4 GB) copied, 70.9014 s, 118 MB/s

# dd if=/dev/zero of=/dev/sdf bs=1M count=8000
8000+0 records in
8000+0 records out
8388608000 bytes (8.4 GB) copied, 71.8908 s, 117 MB/s

nice

Tags: HD103UJ, ST31000333AS, test hard disk

long time without post

Sorry for everyone… but many things happened - I changed the job (good news :), it will make my blog updated increasigly (I hope), second reason holiday time (almost 1 month)… so, with new strenght - welcome in August!

sync mount flag # UPDATED

I have an usb disk, quite quick, because it is WD MyBook… I mounted it with sync flag, because I want to have every data synced in case of power down or sth, but it was extremally slow!

# dd if=/root/plik of=/mnt/usb-disk/test.plik
1503+0 records in
1503+0 records out
769536 bytes (770 kB) copied, 20.2588 s, 38.0 kB/s

without sync flag:

# dd if=/root/plik of=/mnt/usb-disk/test.plik
3420160+0 records in
3420160+0 records out
1751121920 bytes (1.8 GB) copied, 59.4326 s, 29.5 MB/s

so i added a sync to the end of my backup script and it is really faster!

— UPDATE —

OK… because I was not exact in my tests… and it was quite unprofessional…

two test files (to be sure that nothing has been cached in ram):

# dd if=/dev/urandom of=/root/file.test bs=1M count=200
200+0 records in
200+0 records out
209715200 bytes (210 MB) copied, 61.2699 s, 3.4 MB/s

# dd if=/dev/urandom of=/root/file2.test bs=1M count=200
200+0 records in
200+0 records out
209715200 bytes (210 MB) copied, 61.3002 s, 3.4 MB/s

one drive:

Vendor: WD Model: 7500AAC External

formated with ext3 FS,

TEST 1:
/dev/sde1 on /mnt/usb-disk type ext3 (rw)

mounted without sync flag… so the test will be:

# time dd if=/root/file.test of=/mnt/usb-disk/file1; sync
409600+0 records in
409600+0 records out
209715200 bytes (210 MB) copied, 4.13321 s, 50.7 MB/s

real 0m8.887s
user 0m0.184s
sys 0m3.536s

TEST 2:
/dev/sde1 on /mnt/usb-disk type ext3 (rw,sync)

now the test with sync flag
I know that it is quite not full… but I give up after 18 minutes…

# time dd if=/root/file2.test of=/mnt/usb-disk/file2
94360+0 records in
94360+0 records out
48312320 bytes (48 MB) copied, 1127.69 s, 42.8 kB/s

real 18m48.073s
user 0m0.000s
sys 0m0.192s

Tags: slow sync

security model in polish companies

how security model looks in polish conditions, God save but sometimes like this:

By Clay Bennett

and how simple it should be:

by White Gold Solutions

Tags: security cycle

what IBM thinks about HP :)

DO you belive in coinicence? I think that it is part of unfair competition between two giants IBM and HP. so.. what IBM thinks about HP hard drives - that it is toaster take a look:

just like this:

original link to: nokaut.pl

Tags: hp, toaster

raid 10 at DS3200,3300,3400

In every marketing documentation I can find, that IBM TotalStorage DS3xxx series support RAID10. But reality is not always such nice as the marketing shit. The official ds3200 documenation says that It can do raid 10. Because as you can see below it is not listed:

I tried to do two raid 1 arrays and make a raid 0 from them, but it is imposible… So i have to read and search a lot of IBM Redbooks, and finaly find that:

When RAID level 1 is implemented and the number of drives increases to more than two, RAID level 10 is automatically implemented.

Very good news and it really works:

Tags: DS3200, IBM, RAID10

glsa-check… securitity in gentoo

what is glsa-check - you can find here http://gentoo-wiki.com/Glsa-check

why to use it - because it shows every possible security hole made by outdated software. Because the output of glsa-check is rather chatty - my own grep method is like this:

glsa-check -d affected |grep -e “Affected package”

Tags: gentoo, glsa-check

mess with uptime… wtf?

hmmm… on my virutal machine (pld builder), i got sth like this

[root@builder ~]# date
Sat May 31 22:03:00 CEST 2008
[root@builder ~]# uptime
22:03:02 up 14994 days, 16:48, 2 users, load average: 0.25, 0.42, 0.44
[root@builder ~]# cat /proc/uptime
1295542137.91 7051085.16
[root@builder ~]#

i have no idea what happened but looks cool

Tags: abnormal uptime

some apache performance issues

I had some problems with apache… the php was very very slow. The system has linux gentoo with hardened profile, so me and x0ff believed that this was the main reason of poor apache performance. But recompiling php without “-pic” flag does no effect.

after

# ab -c 100 -n 10000 http://localhost/test.php

Benchmarking localhost (be patient)
Completed 1000 requests
apr_socket_recv: Connection reset by peer (104)
Total of 1810 requests completed

and in apache log:

[Fri May 30 19:40:54 2008] [alert] (11)Resource temporarily unavailable: setuid: unable to change to uid: 81
[Fri May 30 19:40:54 2008] [alert] Child 16566 returned a Fatal error… Apache is exiting!
[Fri May 30 19:40:54 2008] [emerg] (22)Invalid argument: couldn’t grab the accept mutex

So… it is not - the performance problem, because only 1810 requests were done.

Because system is hardened, i have a lot of limits in /etc/security/limits.conf. I was not sure if apache uses these vaules (because they are connected with PAM!!!!), but apache did ;(

http://bugs.gentoo.org/show_bug.cgi?id=64700

so the way to make it work was adding to
/etc/init.d/apache2 a line:

ulimit -u unlimited

the whole start section looks now like this

start() {
checkconfig || return 1
ebegin “Starting apache2″
[ -f /var/log/apache2/ssl_scache ] && rm /var/log/apache2/ssl_scache
ulimit -u unlimited
${APACHE2} ${APACHE2_OPTS} -k start
eend $?
}

to be sure that everything works fine a did a ab test one more time (with pic enabled).

# ab -c 100 -n 10000 http://localhost/test.php
This is ApacheBench, Version 2.0.40-dev <$Revision: 1.146 $> apache-2.0
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright 2006 The Apache Software Foundation, http://www.apache.org/

Benchmarking localhost (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Finished 10000 requests

Server Software: Apache
Server Hostname: localhost
Server Port: 80

Document Path: /test.php
Document Length: 45361 bytes

Concurrency Level: 100
Time taken for tests: 48.260264 seconds
Complete requests: 10000
Failed requests: 100
(Connect: 0, Length: 100, Exceptions: 0)
Write errors: 0
Total transferred: 455159500 bytes
HTML transferred: 453609500 bytes
Requests per second: 207.21 [#/sec] (mean)
Time per request: 482.603 [ms] (mean)
Time per request: 4.826 [ms] (mean, across all concurrent requests)
Transfer rate: 9210.29 [Kbytes/sec] received

Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 13 46.3 0 361
Processing: 9 466 200.4 472 4058
Waiting: 1 422 101.7 458 756
Total: 20 479 194.3 475 4058

Percentage of the requests served within a certain time (ms)
50% 475
66% 486
75% 498
80% 509
90% 546
95% 616
98% 708
99% 860
100% 4058 (longest request)

Without “pic” enabled i got:

Requests per second: 234.96 [#/sec] (mean)

so there is no big difference.

The test.php script consist of:

<?
phpinfo();
?>

niggle: note that there is no security problem with no limit - the apache has internal limiting functions

Tags: apache, gentoo, hardened, limits.conf, performance, test