WordPress 2.5.1 Upgrade

I finally got around to upgrading this site to WordPress 2.5. Since it coincided with the release of WordPress 2.5.1 I went straight to this version even though all my testing was with the earlier 2.5.0 version. The upgrade itself was extremely straightforward.

Earlier in the week I made sure all my plugins were at the latest version so I wouldn’t have to worry about them during the actual upgrade. Except for the Popularity Contest plugin they all worked under WordPress 2.3.x and WordPress 2.5.

The one plugin that I had to change for WordPress 2.5 (and 2.5.1) was Popularity Contest. I used the instructions found at Blogvaria for the minor modifications. Follow the link for full details but the short version is to change line 59 from require('../../wp-blog-header.php'); to require('../wp-blog-header.php');.

I use the Sandbox theme and I’d also have to upgrade it during the upgrade to WordPress 2.5. I modify a couple of the theme’s files so I had also prepared those ahead of time. This was a simple cut and paste.

Once everything was ready I did another set of backups and enabled the Maintenance Mode plugin to block traffic to the site. I then deactivated all the other plugins and started the upgrade and followed the regular WordPress upgrade instructions. Once the WordPress files were copied I copied the new theme files and the updated Popularity Contest plugin before running the WordPress upgrade script to upgrade the database. Once that was done I enabled all the plugins one at a time to make sure they started OK.

The entire upgrade took less than 30 minutes and I didn’t get burned by testing on WordPress 2.5.0 and upgrading to WordPress 2.5.1.

Ubuntu 7.10 Server to Ubuntu 8.04 Server (Hardy Heron) Under Parallels

Even though I’m still in the middle of building my Ubuntu test server I decided to go ahead and upgrade it to Ubuntu Server 8.04 (Hardy Heron). Sure, I’m still learning all this stuff and this will make it harder to troubleshoot problems. Upgrade issue? My configuration error? Oh well, it’s all for fun anyway.

My environment is Ubuntu Server 7.10 under Parallels Desktop 3 Build 5584 running on OS X 10.5.2. For complete details you can see earlier articles in the Ubuntu Server series.

First off I make sure everything is up to date by running:

sudo aptitude update

sudo aptitude safe-upgrade

Then I made sure the update manager was installed:

sudo aptitude install update-manager-core

Then I use Parallels snapshot manager to create a snapshot of my now up-to-date Ubuntu 7.10 server so I can easily roll back. I start the upgrade with:

sudo do-release-upgrade

Since I’m doing this through SSH from terminal on my iMac I’m given the following warning:

[Image: ReleaseUpgrade-01]

I go ahead and do the installation. Everything is on my local network so I shouldn’t have a problem. I could do the upgrade directly in the VM but I prefer to continue with the illusion that the server is remote. Once I acknowledge that I want the upgrade the installer does some calculations and tells me:

[Image: ReleaseUpgrade-02]

I go ahead and start the upgrade. Things are a bit slower than the estimated two minutes, the downloads take about 30 minutes. I’m using the default repositories and with the new release they are probably being pounded. But since I could let the update run while I did other things it was no big deal.

After the download the installer started unpacking the files and updating the software which took another 20 minutes. I was prompted for a few file replacements and in all cases I chose to keep my current file. The prompts were for the MySQL my.cnf, the apache2.conf, the php.ini for Apache and the configuration file for the default Apache site. Once the updating is finished I need to restart Ubuntu.

I do some quick testing by connecting via terminal using SSH and connecting to my website using both a regular http connection and an SSL connection. Everything seems to work fine. We’ll see what happens in the days ahead.

Safari 3.1.1 Released

Apple has released Safari 3.1.1 for both OS X and Windows. I installed it on my two Leopard Macs without a problem through Apple’s Software Update and a reboot was required. It’s also available as a standalone download.

The update includes four security fixes (two are Windows only). One of the patches plugs the vulnerability that won the PWN to OWN contest at CanSecWest.

There’s also the standard

…improvements to stability, compatibility…

The reboot displayed a blank blue screen for a nerve-racking length of time but was otherwise uneventful.

[Updated April 17th:] Well, I may have spoken too soon. My iMac was stable until the first reboot after the patch. At that point it wouldn’t finish loading and would lock up shortly after logon. Starting in Safe Boot mode would allow the logon but instability would ensue after running an app or two. The update itself doesn’t seem to be the problem as a new user profile runs Safari and other apps just fine. Also, my MacBook is running fine.

Ubuntu Server Project #9: SFTP, Fake DNS, and Apache SSL

Things are moving along with the Ubuntu Server Project but there’s a bunch of small tasks and configuration changes that will make life easier going forward. This article will cover installing vsftpd, setting up a self-signed SSL certificate in Apache, and configuring my local Mac to access the Ubuntu server virtual machine by name. Even though the server is a VM sitting on my Mac and not accessible from the Internet I’ll still be treating it as if it was on the Internet and needs to be secure.

vsftpd

The installation of vsftpd is simple using aptitude: sudo aptitude install vsftpd

Since I don’t plan to use regular ftp, just sftp, I don’t have to make any changes in the iptables firewall settings. SSL connections are already allowed through and I still want to block regular ftp connections. I also want to limit connections to just the users that are set up on the server.

I fire up Transmit (my FTP client) and set up a connection with the following settings:

Server: 10.0.1.200  (the IP address of the VM)

User Name/Password: I leave these fields blank because I’m using SSL certificates from this Mac

Port: 22222  (the SSL port I configured)

Protocol: SFTP

I don’t set up any default remote path. I connect in and it defaults to the home directory of my Ubuntu ID. I try a regular ftp connection and, as expected, it fails due to the firewall. Even though I’m good to go I’m going to go through the vsftpd configuration file and make some changes as if this was a live server. I load the file into the nano editor (sudo nano /etc/vsftpd.conf) and scroll down the file. It’s well commented, although it doesn’t contain all the configuration options.

I turn off anonymous ftp by changing anonymous_enable to anonymous_enable=NO.

At the end of the file I add ssl_enable=YES to explicitly turn on SSL. Even though they are documented as the default settings I also add force_local_data_ssl=YES and force_local_logins_ssl=YES to the end of the file in order to force all logons and connections to use SSL. You can view the complete vsftpd file here (obsolete file removed).

Editing the Mac OS X Hosts File

Apple has a support article for editing a hosts file which you can refer to if you’re using a version of OS X prior to 10.2. For my purposes I’ve decided to use a dev subdomain for the sites on my virtual server. So the website on my vm will be dev.osquest.com. I’ll add this to the local hosts file on my Mac so that it will resolve to my Ubuntu VM. I also add a fictitious domain just so I can test Apache with multiple domains. I’ll use myfakedomain.ray as this domain. Because I’ll be resolving this name locally the fact that it’s an invalid domain extension isn’t a problem.

I start terminal on my Mac and load the hosts file into the nano editor, using admin privileges:

sudo nano /etc/hosts

I want the domains to be dev.osquest.com & fakedomain.com, the ip address of my vm is 10.0.1.200 so I add the following lines at the end of the hosts file:

10.0.1.200     dev.osquest.com

10.0.1.200     fakedomain.ray

10.0.1.200     www.fakedomain.ray

I add the www for myfakedomain so I can test both methods of addressing a domain.

Once I save the file I can ping the server by name from terminal:

[Image: Ping]

If a site was already set up in Apache, or the default site was enabled, I could access it through the browser. It might be necessary to clear the DNS cache of the Mac if you make multiple changes. Run dscacheutil -flushcache from terminal to clear the cache in Leopard and lookupd -flushcache to clear the cache in Tiger. I can still access my production website from my Mac because only the dev subdomain is directed to the VM by my hosts file.

Self-Signed SSL Certificate

Because this is only a test server I’m going to set it up with a self-signed SSL certificate. With earlier versions of Ubuntu a self-signed certificate could be easily created by running sudo apache2-ssl-certificate. This script is no longer part of Ubuntu (because it was dropped by Debian) so I had to use a workaround. I already installed SSH so I already have the tools needed to generate a self-signed certificate.

I’ll use make-ssl-cert to generate the certificate. By default the certificate is only good for a month but I don’t want to generate a new certificate every month. A ten year certificate for testing should do nicely (well almost 10 years, I’ll ignore the days added in leap years). I’ll need to edit make-ssl-cert so I load it into nano.

sudo nano /usr/sbin/make-ssl-cert

Scroll to line 118 (at least in my file) or search for openssl req until you see the line:

openssl req -config $TMPFILE -new -x509 -nodes -out $output -keyout $output > /dev/null 2>&1

Change it to:

openssl req -config $TMPFILE -new -x509 -nodes -out $output -keyout $output -days 3650 > /dev/null 2>&1

Note the added -days 3650 parameter which will create a 10 year certificate. Once the modified file is saved I can create the certificate.

First I create a directory for the certificates:

sudo mkdir /etc/apache2/ssl

Then I create the certificate:

sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

Enabling SSL

Next up I need to configure the default Apache site to listen for SSL connections. If I had already configured other sites I’d need to configure those too. This is well covered in the Virtual Hosts section of this document. I won’t repeat all the steps here, but here’s my updated virtual host file: view file (obsolete file deleted)

In my installation the default ports.conf file was already set to listen on port 443 if the ssl module is loaded, but be sure to check it (it’s in /etc/apache2):

[Image: portsconf]

And finally, I need to enable the SSL module…

sudo a2enmod ssl

and reload Apache to enable all the changes I made:

sudo /etc/init.d/apache2 force-reload

Testing & Summary

I still haven’t created the actual dev.osquest.com website but any connections should be sent to the default website. I test a http and https connection and I get the “It Works” page that I created for the default site.

The self-signed certificate isn’t suitable for a production environment but it’s fine for testing. I can tell my browsers to always accept the certificate since I know how they’re created. But no one else would trust them (at least they shouldn’t). The screenshot below shows the certificate as seen by Firefox.

[Image: certificate]

Also, only one certificate per IP address can be used, so if I host multiple websites all but one of the sites will generate a second error saying that the certificate wasn’t issued for the site being accessed (this assumes that one site does in fact match). I’d have to assign each site a unique IP address to get around this.
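
The two certificate points above, the -days 3650 lifetime and the name mismatch when several sites share one certificate, can be checked from the shell. This is an added example, not part of the original post: it writes a throwaway certificate to a temporary directory, the function names are made up for illustration, and it assumes an openssl build that supports -checkhost.

```shell
#!/bin/sh
# Added example (not from the original post). Paths and function names are
# constructed for illustration; nothing here touches /etc/apache2.

# make_test_cert DIR CN DAYS
# Create a self-signed certificate for CN, valid for DAYS days. The key is
# unencrypted (-nodes), as in the post, so it is written under umask 077.
make_test_cert() (
    umask 077
    openssl req -new -x509 -nodes -newkey rsa:2048 \
        -subj "/CN=$2" -days "$3" \
        -out "$1/cert.pem" -keyout "$1/key.pem" >/dev/null 2>&1
)

# cert_valid_for_days FILE DAYS
# Succeeds if the certificate is still valid DAYS days from now.
# -checkend exits non-zero when the certificate expires within the window.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_matches_host FILE HOSTNAME
# Succeeds if the certificate was issued for HOSTNAME. The result is read
# from the printed text rather than the exit status.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# key_is_owner_only FILE
# Succeeds if only the owner can read or write the private key.
key_is_owner_only() {
    case "$(ls -l "$1")" in
        -rw-------*|-r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_cert DIR HOSTNAME...
# Print one line per hostname saying whether the certificate covers it.
audit_cert() {
    dir=$1; shift
    for host in "$@"; do
        if cert_matches_host "$dir/cert.pem" "$host"; then
            echo "OK        $host"
        else
            echo "MISMATCH  $host"
        fi
    done
}

# Demo with the hostnames from the hosts file section: one certificate,
# two sites, so the second name is reported as a mismatch.
demo() {
    tmp=$(mktemp -d) || return 1
    make_test_cert "$tmp" dev.osquest.com 3650 || return 1
    audit_cert "$tmp" dev.osquest.com www.fakedomain.ray
    rm -rf "$tmp"
}
demo
```

The same cert_valid_for_days check with a small window, such as 30 days, works as an expiry warning for a certificate that is already deployed.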

So now I can access the web server on my vm by name, I can upload files via SFTP and I can test SSL pages. I guess I’ve put it off long enough and I’ll have to start building some websites.

Additional Reading

This thread on the Ubuntu Forum has a short discussion on the dropping of the apache2-ssl-certificate script from Ubuntu along with some workarounds, including the one I used.

No Trail Log for April 13th

There’s no OS Quest Trail Log this week. The day job and other activities have kept me away from the computer so not much happened. Hopefully that will change this coming week. Enjoy the week and happy tax day to those of you in the U.S.

Microsoft Security Bulletins for April 2008

Another “Super Tuesday” patched this week but I just got around to firing up my Windows VMs today (actually it’s been about 12 days since I’ve been in Windows). There were ten updates waiting for me on Windows Vista and eight on Windows XP Home, although not all were security related.

This month’s updates included:

KB945553 (MS08-020) – Vulnerability in DNS client could allow spoofing. This is rated as “Important” for all supported desktop OS’s except Windows Vista SP1, which doesn’t need the update.

KB948590 (MS08-021) – Vulnerability in GDI could allow remote code execution. This is rated as “Critical” for all supported desktop OS’s.

KB944338 (MS08-022) – Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution. This is rated as “Critical” for all desktop OS’s except Windows Vista, which doesn’t need the update.

KB948881 (MS08-023) – Critical security update for ActiveX killbits. This is required for all supported desktop OS’s, although the severity ranges from “Important” to “Critical”.

KB947864 (MS08-024) – Cumulative security update for Internet Explorer. As expected, all supported versions of IE get the update and all are rated “Critical”.

KB941693 (MS08-025) – Vulnerability in Windows Kernel could allow elevation of privileges. This one has an “Important” rating for all supported desktop OS’s.

There were also some security patches for applications. MS08-018 patches a Project vulnerability while MS08-019 patches a vulnerability in Visio. I don’t run either Project or Visio so I didn’t install the updates.

The Malicious Software Removal Tool, Junk Email Filter update (Vista only, in my case at least) and Windows Defender definition updates were also included.

I also received KB938371 (on my Vista SP1 vm) which is an update needed to add or remove Vista SP1. Since I received Vista SP1 successfully I already had some of the components. According to the bulletin Vista SP1 install “will only install the new components in this rereleased update.”

Non-security related patches included an update to Live Writer and an optional Group Policy patch. For some reason my Windows XP Home installation also received .NET 2.0 SP1 although it appears that it was released back in December and I installed the base .NET 2.0 in early January, two Patch Tuesdays ago.

As expected, a reboot was required. So far I haven’t encountered any differences or problems since applying the updates.

Windows Home Server Security Updates

I don’t have my Windows Home Server set to automatically install updates from Microsoft. Today was the day I went into the console and told it to pull down the updates. Even though I tell it not to automatically install the updates the process is unstoppable once I click the update now button. I don’t get a preview of the updates that will be installed.

Today’s updates included:

KB941693 (MS08-025) – Vulnerability in Windows Kernel could allow elevation of privilege.

KB945553 (MS08-020) – Vulnerability in DNS client could allow spoofing.

KB948590 (MS08-021) – Vulnerability in GDI could allow remote code execution.

KB948881 (MS08-023) – Critical security update for ActiveX killbits.

KB947864 (MS08-024) – Cumulative security update for IE7.

The Malicious Software Removal Tool also ran.

As expected, a reboot was required.

So far I haven’t encountered any differences or problems since applying the update.

The OS Quest #31 Trail Log: Host Blues Edition

Things began to go bad Monday night, although I didn’t know how bad until Tuesday. On Monday I got an email from SiteUpTime saying my site was inaccessible and sure enough it was – for about 45 minutes. Bluehost said the server was experiencing performance issues and was looking into it. When the site came back online I checked it through my stats package URL instead of a WordPress URL, so while I got a response from the site I didn’t realize that the WordPress DB was corrupt. Now since I don’t know exactly what happened I can’t absolutely blame Bluehost for the corruption – but I don’t believe in coincidence. Anyway, the long overnight outage was my fault since I hadn’t bothered to properly check my site.

When I noticed the lack of traffic the next morning I checked the real site and found WordPress had gone into install mode. A repair on the WordPress DB showed the config table was corrupt and now fixed, although it took awhile to get to that point. Surprisingly the settings themselves were fine when I went through them. I later found that the WordPress portion of the .htaccess file had been blown away (I assume by WordPress when it went into install mode), breaking all URLs except the main one. That was easy enough to fix from a restore. The last thing I noticed was that all the static pages were missing. They had been converted to regular posts. I considered blowing everything away and just restoring from backup and maybe I still should. But I decided to restore the pages via cut-and-paste and make sure the URLs stayed the same as the pre-crash URLs. It was certainly quicker than a full restore although I waited until Saturday to do it.

Bluehost continued to have problems earlier in the week. SiteUpTime reported 4 more outages over April 1st and 2nd. Three were under 30 minutes each and the fourth was between 30 and 60 minutes. Not a good week for Bluehost, or me. I experienced the biggest downside of using a shared host.

On the fun side of things, I scoped out running a website on Apache, using my Ubuntu Server VM. I think I’m ready to install WordPress and get a test site going.

I was looking at my site stats and noticed that in March there was a pretty big jump in visitors using Windows, although Mac users still account for over half the visitors. Mac users dropped from 60 to 53% with Windows picking up those 7% to hit 39%. Linux was level at 7%. IE users were up almost as much, by 6%. Firefox and Safari lost 3 points each to IE although IE is still in third place at 20% of visitors. Most visitors (43%) use Firefox and 32% use Safari.

Software Updates

Apple released some software updates this week. I usually apply them right away, at least to one of my Macs, but this time I didn’t want to take the chance of encountering any more problems so I delayed everything. On Saturday I finally went ahead and updated my iMac although my MacBook and Mac Mini remain unpatched for now. iTunes 7.6.2 was described as having “…bug fixes to improve stability and performance.” There was also QuickTime 7.4.5 which includes security and other fixes. There are four possible QuickTime downloads, depending on the OS, and this one requires a reboot on Macs. Front Row 2.1.3 was released to improve iTunes compatibility. Finally, Keynote 4.0.3 addresses problems when dealing with large documents (not something I worry about). I didn’t have any problems installing these on my iMac, but like I said, there was a restart.

Frustrations

The web site problems were certainly on the top of the frustrations list this week. But there was more. The main reason I installed the updates on my iMac is because I was having iPod problems and figured I’d try the new iTunes. While infrequent, my iPod has developed the ability to crash iTunes when it connects. And then when iTunes restarts and connects it sees my iPod as a new device. While the iPod retains all the information I have to re-establish my sync settings. It’s a pain but at least it doesn’t try to replace everything on the iPod at the first sync. I’ll see if the iTunes update helps. If not, it’ll be an iPod restore next.

I’ve also noticed that Safari is crashing more since the last update. It’s not a lot, not even once a day. Maybe two or three times a week since I installed it, but it’s still up from zero before the update. No noticeable pattern and it’s on sites I visit frequently. Anyone else seeing this?

Mozy also contributes to my frustration every now and then. It’s still pre-release (although now officially a release candidate) for Mac so problems are to be expected. The most annoying one is where the status reports nothing is backed up and the last backup(s) sent nothing, although it shows a status of successful. The log file usually either says the user account is in use or it couldn’t register the machine on the account. Mozy doesn’t provide a way to unload and reload the software so I end up restarting my Mac and the next backup works. Since the backup after the restart always works this seems to be a client problem.

The Week Ahead

I think it’ll be another slow week for site updates unless something unexpected catches my attention. I’ll probably work on getting WordPress running on my Ubuntu VM and look into upgrading to WordPress 2.5. I figure I’ll hold off on the upgrade until I check out my site a bit more to make sure I don’t need a full restore due to remaining problems.

Site Outage

The OS Quest went down yesterday and stayed down for over 12 hours. It appears I had some database corruption that began with a hosting problem. Seems like everything is almost back to normal now although there may be some problems lurking in the shadows. One problem is that the menu bar to the pages is missing, still working on that although any page links in the articles will still work.

Seems like there was some corruption in the WP database that began around when Bluehost reported a problem with my shared server. I ended up running a database repair that allowed me back into WordPress. I also had to add the WordPress modifications back to my .htaccess files. The .htaccess file settings were probably blown away when WordPress went into install mode after the corruption.