SSH Timeouts

Do you work in an environment where you bounce through a bunch of firewalls? Do you hang out on idle SSH connections that often get dropped after a certain amount of idle time? I do, and it has always annoyed me, to the point that once I connect to a box I will be coming back to, I run top and move on. Well, not anymore. You can tell your SSH client to send a small keepalive request through the encrypted connection every X seconds, which is enough to keep a firewall's idle-session timer from expiring. Here is how it is done on Mac and Linux boxes.

In your home directory, edit your .ssh/config file (it must be owned by you and not writable by anyone else, or ssh will refuse to read it). If you don't have one, that's not a problem; simply create a new one. Then add the following line, where 60 is the number of seconds of silence before a keepalive is sent:

ServerAliveInterval 60

And you’re done! Now wasn’t that easy?
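A fuller version of that file, added here as an illustration and not taken from the original post, with the companion settings a practitioner usually wants next to it. The host name bastion.example.com is an assumption for the example.

```text
# ~/.ssh/config  (added illustration, not the post's own file)
# Keep it mode 600 and owned by you; ssh refuses to run with a config that
# others can write to ("Bad owner or permissions").

# ssh takes the FIRST value it finds for each option, so host-specific
# blocks go above the catch-all. Host name assumed for the example.
Host bastion.example.com
    ServerAliveInterval 30

Host *
    # After 60 s with no traffic, the client sends an encrypted keepalive
    # request inside the SSH session; the server's reply resets the
    # firewall's idle timer.
    ServerAliveInterval 60
    # After 3 unanswered keepalives (3 x 60 s) ssh disconnects, so a dead
    # link is noticed rather than leaving a ghost session open. Default is 3.
    ServerAliveCountMax 3
```

ServerAliveInterval is not the same thing as TCPKeepAlive: the latter is the kernel's unencrypted TCP probe, sent only after hours of silence by default, and it can be spoofed, so it neither keeps firewalls happy nor proves the far end is still alive. On OpenSSH 6.8 or later, ssh -G hostname prints the effective settings so you can confirm which block won. If you administer the server, ClientAliveInterval and ClientAliveCountMax in sshd_config do the same job from the other direction. One caveat: a keepalive keeps an idle session open indefinitely, so the firewall's timeout is no longer closing an unattended terminal for you; lock your screen.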

Happy terminal camping partner!

Monit Tricks

Recently I had a chance to do a little monit-fu with a co-worker for a rather interesting project that we will hopefully be sending off into the intertubes.

For one part of this project, I got the chance to get my hands dirty with my old friend monit. Monit, for those that don't know, is a UNIX system administrator's dream.

Here's a brief rundown of what monit can do, from the web site:

Monit can start a process if it does not run, restart a process if it does not respond and stop a process if it uses too many resources. You can use Monit to monitor files, directories and filesystems for changes, such as timestamp changes, checksum changes or size changes. You can also monitor remote hosts; Monit can ping a remote host and can check TCP/IP port connections and server protocols. Monit is controlled via an easy to use control file based on a free-format, token-oriented syntax. Monit logs to syslog or to its own log file and notifies you about error conditions and recovery status via customizable alerts.

So, with that little bit of unnecessary advertising out of the way, what was I trying to do? It was pretty simple really: monitor a process and, if it is not running, restart it. However, there was a twist that I hadn't done before. It needed to restart as a particular user. My past experience had always been monitoring system services such as an SSH server or an SMTP server. I hadn't gone down the path of monitoring an application that an ordinary user could start. But if you are doing anything like a kiosk, this type of functionality might come in handy for you.

The solution is ridiculously simple. All you need to do is add an "as" clause to the start program line of your check (and to the stop line, for the same reason). Monit normally runs as root, so without it the restarted program runs as root too; with it, monit switches to the given uid and gid before it executes the command. Here's an example I found online:

        # pidfile path assumed for this example
        check process tomcat with pidfile /var/run/tomcat.pid
              start program = "/etc/init.d/tomcat start"
                    as uid nobody and gid nobody
              stop program  = "/etc/init.d/tomcat stop"
                    # You can also use id numbers instead and write:
                    as uid 99 and with gid 99

I’m sure I’m not the only one that has run into this so I figured I would help spread the word on a very obvious and probably overlooked monit feature.
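Here is what the kiosk case looks like as a complete check, added as an illustration rather than taken from the post. The program path /usr/local/bin/kiosk-app, the pidfile /var/run/kiosk/kiosk.pid, the account "kiosk" and the monitrc location are all assumptions for the example.

```text
# /etc/monit/monitrc fragment. Added illustration, not the post's own config.
# Assumed for the example: the kiosk application is /usr/local/bin/kiosk-app,
# it daemonizes and writes its PID to /var/run/kiosk/kiosk.pid, that directory
# is owned by the unprivileged account "kiosk", and the app must run as that
# account, never as root.
set daemon 30                        # poll every 30 seconds

check process kiosk with pidfile /var/run/kiosk/kiosk.pid
    # monit runs as root; "as uid ... and gid ..." makes it switch to the
    # named account before exec'ing the command, so the program is never
    # started with root privileges. Apply it to stop as well, or the stop
    # command runs as root.
    start program = "/usr/local/bin/kiosk-app --start"
        as uid kiosk and gid kiosk
    stop program  = "/usr/local/bin/kiosk-app --stop"
        as uid kiosk and gid kiosk
    # Back off instead of looping forever on a broken binary.
    if 5 restarts within 5 cycles then timeout
```

Check the syntax with monit -t, apply it with monit reload, then kill the application and watch monit status or the log for the restart. Confirm the result with ps -o user,pid,cmd: the respawned process must be owned by kiosk, not root. If the program does not write a pidfile, recent monit versions can locate it with check process kiosk matching "kiosk-app" instead.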

Setting up a silent DNS master server

Recently, I have begun the process of moving my domains from the DNS servers at my previous employer. They have allowed me to continue hosting my domains there as I still send them a spam feed of unknown addresses from my various domains. Yes spammers, keep that mail coming. It's only doing you good, I promise 😉

The main reason for the change is that the former employer is locking down admin access to the point that, as a non-employee, I can no longer get to the admin interface. That's fine, very understandable. So it's time to make a change, and I decided to go the route of a silent master.

DNS Overview

If you don't know what DNS is, then I highly recommend reading the Wikipedia article. The short version is that DNS maps the names used on the internet to records, most commonly the IP address behind the name. As an example, if you look up one of my domains, usrlocal.com, you will find the IP address 66.18.16.207.

What is a Silent Master server?

The way our DNS system works is that for every domain out there, there is a set of servers that answer for that domain authoritatively; those are the name servers listed in the domain's NS records at the registrar. If you have registered your domain at one of the big registrars, they will often throw in DNS hosting for free or for a very nominal fee. Depending on who your ISP is, they will often host your domains for pretty cheap as well. The idea of a silent (or hidden) master is a server that you control that is _not_ listed among the authoritative DNS servers for your domain. The servers that do answer authoritatively for your domain load it from your server as a secondary zone, via zone transfer. The theory is that a lower-powered server, protected from the outside world and reachable only by the secondaries, holds the master copy and takes the updates, while the rest of the world hits your public authoritative DNS servers.

Why would you do this?

There are really two reasons why you would want something like this:

  • Control over your domain – It could be that your DNS provider doesn’t have a very nice interface for controlling your domain or doesn’t allow you to control it directly. It may be that you have to open a support ticket for each update.
  • Save on internet traffic – Basically, I don’t want all of that traffic hitting the lowly DNS server that I have. I would rather them hit the DNS servers at my ISP and pound on those bad boys. They can take it, they’re beefy for a reason.

Technical Details

So here is how you set up your DNS zone to work appropriately. I'm going to use BIND in my example as it is one of the more popular DNS servers out there.

I have set up my server with the following configuration options. First, I define an ACL of the servers that are allowed to pull zones from my server. My example looks something like this:

acl le_dns {
        11.22.33.123; // ns1.isphost.com
        22.11.33.124; // ns2.isphost.com
        33.11.22.125; // ns3.isphost.com
};

Now I allow them, and only them, to query the server and transfer zones. Turning recursion off matters here too: an authoritative server that also answers recursive queries for anyone is an open resolver, which gets abused for amplification attacks.

options {
        directory "/var/named";
        allow-query { le_dns; };       // only the secondaries may query; the world uses them
        allow-transfer { le_dns; };    // AXFR/IXFR only from the ACL above
        recursion no;                  // authoritative only, never an open resolver
};

Then each zone is declared just as it would be on any authoritative server:

zone "usrlocal.com" IN
{
        type master;
        file "usrlocal.com";
        allow-update { none; };
};

Next, tell the public authoritative DNS servers to load the zones as secondary (slave) zones pointed at your master. Depending on where you are hosting things, it may be a setting in a web interface or a configuration block you need to put in place, something along the lines of this:

zone "usrlocal.com" IN
{
        type slave;
        file "usrlocal.com";
        masters { 11.11.11.22; 11.22.33.11; };  // the hidden master's address(es)
};

Finally, update your registrar to point the domain's NS records at the servers serving the secondary zone (not at your master; it stays hidden). It may take a while for the change to be visible everywhere, commonly quoted as 24-72 hours, though what really governs it is the TTL on the old records. Before you flip the delegation, confirm with dig that each secondary answers authoritatively for the zone (the aa flag in the answer to dig @ns1.isphost.com usrlocal.com SOA) and that an AXFR request from an address outside the ACL is refused. After that you should have the full control, and bandwidth savings, of a silent DNS master server.
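Putting the pieces together, here is what both ends look like with the two hardening steps a practitioner would add: the transfer ACL backed by a TSIG key rather than a source address alone, and explicit NOTIFY so the secondaries reload within seconds instead of waiting for the SOA refresh interval. This is an added illustration, not the post's configuration; the key name le-xfer, the secret placeholder, the hidden master's address 10.0.0.53 and the slaves/ directory are assumptions.

```text
// ---------- hidden master: /etc/named.conf (added illustration) ----------
// Shared secret: generate once with "tsig-keygen le-xfer" (recent BIND) and
// paste the same key block on every secondary. Key name, secret placeholder
// and the master address 10.0.0.53 are assumptions for the example.
key "le-xfer" {
        algorithm hmac-sha256;
        secret "REPLACE-WITH-THE-BASE64-SECRET-FROM-tsig-keygen";
};

acl le_dns {
        11.22.33.123; // ns1.isphost.com
        22.11.33.124; // ns2.isphost.com
        33.11.22.125; // ns3.isphost.com
};

options {
        directory "/var/named";
        recursion no;                        // authoritative only, never an open resolver
        allow-query { localhost; le_dns; };  // silent: the public talks to the secondaries
        allow-transfer { none; };            // global default deny; opened per zone below
        notify explicit;                     // push NOTIFY only to the servers listed here
        also-notify { 11.22.33.123; 22.11.33.124; 33.11.22.125; };
};

zone "usrlocal.com" IN {
        type master;
        file "usrlocal.com";
        allow-update { none; };
        // Transfer requires BOTH a source address in le_dns AND a valid TSIG
        // signature with le-xfer. The nested "!{ !le_dns; any; }" element
        // rejects every address outside the ACL before the key is considered.
        allow-transfer { !{ !le_dns; any; }; key le-xfer; };
};

// ---------- public secondary, e.g. ns1.isphost.com ----------
key "le-xfer" {
        algorithm hmac-sha256;
        secret "SAME-SECRET-AS-ON-THE-MASTER";
};

zone "usrlocal.com" IN {
        type slave;                          // newer BIND also accepts "secondary"
        file "slaves/usrlocal.com";          // relative to the directory option; assumed writable by named
        masters { 10.0.0.53 key le-xfer; };  // sign SOA checks and AXFR/IXFR to the hidden master
        allow-notify { 10.0.0.53; };         // accept NOTIFY only from the master
        allow-transfer { none; };            // the public servers don't hand the zone out either
};
```

Run named-checkconf on both files before reloading. After the reload, bump the zone's SOA serial (secondaries only pull when the serial increases) and run rndc notify usrlocal.com on the master. From a host outside le_dns, dig @10.0.0.53 usrlocal.com AXFR must fail with "Transfer failed" and status REFUSED, and dig @ns1.isphost.com usrlocal.com SOA +norecurse must return the new serial with the aa flag set. A secondary that lacks the key is refused as well, which is the check that the key, not just the address, is doing the gatekeeping.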