DEV Community: Tayyebi

Deepest internet censorship on earth: How does it look like?

Tayyebi — Thu, 09 Feb 2023 07:46:55 +0000

First of all, I express my deepest gratitude to all kind people in the free world, especially those who write open-source code and keep their services accessible for everyone, and it doesn't matter for them if their users are black, female, or Iranian.

Imagine you are a Linux systems administrator, and you want to install an open-source personal CRM for your own stuff, but when you try any apt command, this will print on your terminal:

E: Failed to fetch http://▮▮.archive.ubuntu.com/ubuntu/pool/universe/t/▮▮▮/▮▮▮-1_amd64.deb  503  Service Unavailable

Same for grabbing a Docker image,

🦮 $ docker run mysql
Unable to find image 'mysql:latest' locally
docker: Error response from daemon: error parsing HTTP 408 response body: invalid character '<' looking for beginning of value: "<html><body><h1>408 Request Time-out</h1>\nYour browser didn't send a complete request in time.\n</body></html>\n".
See 'docker run --help'

Same for npm, yarn, pip, etc.

Is that a problem with your network? Let's figure out through traceroute to Google, there are 30+ nodes on this unstable always-changing network, that are applying different levels of censorship, and your ping time is >300ms on average, but that "408 Request Time-out" was not from your side definitely:

traceroute to google.com (142.251.163.100), 64 hops max
  1   192.168.1.1  2.003ms  1.752ms  1.527ms 
  2   1▮▮.▮▮▮.▮▮▮.▮▮▮  43.129ms  42.336ms  44.380ms 
  3   1▮▮.▮▮▮.▮▮▮.▮▮▮  147.223ms  52.188ms  43.277ms 
  4   ▮▮▮.▮▮▮.▮▮▮.▮▮▮  51.598ms  51.720ms  53.908ms 
  5   ▮▮▮.▮▮▮.▮▮▮.▮▮▮  60.701ms  51.035ms  50.648ms 
  6   ▮▮▮.▮▮▮.▮▮▮.▮▮▮  52.848ms  58.920ms  50.796ms 
  7   *  *  *
same
 29   *  *  * 
 30   ▮▮▮.▮▮▮.▮▮▮.▮▮▮  284.808ms  244.162ms  267.002ms

Meanwhile, if you are upset by the slow network (<2MBps), TLS warnings, SSH drops, timeouts, and chronic anxiety of leaking your IP with WebRTC, or getting blocked from accessing your business profile on GitHub, you can't even play music to chill down, because YouTube is banned from inside of the country and iTunes is not allowed to give you services from outside (:

A simple installation of a WordPress instance on a fresh server, which may take uttermost 10 mins in Germany, will take you 9+ hours! If you are done with the installation of your website, now it's time to share your business on Google Maps, but still, you are not allowed! That's all we know!

"Ok, at least I know a lot, I can get certified for my skills on edX, Coursera, Udemy, or LinkedIn", you may think to yourself; but no, You can't! Because you can't pay for it. Even if you could, a simple certificate would cost you $50 which is a quarter of your income, if you are a lucky highly-paid nerd. FYI, official inflation rate is 60% in a single year.

This country with 636,296 sq mi coverage, even does not exist on earth!

This is our life and youth which is wasting behind "Loading..."s, CAPTCHAs, 503s, 403s, 408s, "Not available in your area"s. Thinking about what if life doesn't go that way, scratches my mind. Being obsessive will make it even worse. I take my tension pills every day and get back to work. I write books, I build software, and I try to live. And I take other pills again to sleep without nightmares.

I remind myself: "No matter, do good. That's all you know."

Analysis of Administrator Propaganda: Story of a web service troubleshoot, without touching the code.

Tayyebi — Fri, 07 Feb 2020 09:09:44 +0000

Hooray! It's Friday (Weekend in bloody middle east) and time to write a blog post. And wish you are good.

Problem

In a troubleshoot problem we had a cute experience yesterday. And It was about '403 Forbidden Error' from company's server to a third party business's API.

Everything was fine until this week. And no code was changed, nothing in network was moved, no new firewall policy was applied, and everything was totally same as previous weeks.

But Server B (which requests last image from Server A), was accepting 'HTTP Error 403' and everyone was shocked. Out IIS logs also confirmed that it was our side.

We just reviewed App 1 and App 2 codes. The idea behind App 1 is to download images from cameras, using ffmpeg, convert them and keep a copy of that for archive and store last image in a directory, with a specific name, so App 2 (Which is a asmx web service also), can wait for a request from Server B to send image byte array as response.

Troubleshoot steps:

1- Double-checked network architecture and gained permission to review network engineers reports: nothing.

2- Double-checked git changes: nothing.

3- Double-checked the SOAP API changes with third-party business: No changes was applied, and We were the only contractor who had this error.

4- Reviewed the code, database was OK, and only thing which is not under our control is File System who is the accused 🔍🎩 !

5- Reviewed the GetFiles() function documentation from Microsoft website. Took a look in Exceptions section and Voilà!

UnauthorizedAccessException
The caller does not have the required permission.

6- Definitely it was GetFiles() but why? Maybe when ffmpeg was downloading and converting image (APP 1), App 2 was requesting the file because of critical section we web service was broken. That was also wrong because ffmpeg's has a different behavior that creates the file at the end, and instantly release it.

7- Key question: Which user is running App 1?: Administrator. And which user is running App 2?: IIS_IUSRS! that's it!

8- App 1 is triggered from Windows Scheduler every one minute to take a snapshot, and we just simply set user as IIS_IUSRS in scheduler tasks from security options>Change User or Group.

Conclusion.

Not always it's because of code. Don't blame developers!
Maybe IIS has a list in cache which when a file creates in it's website directory, that list keeps permission details about that file, so when ffmpeg creates the file and then updates the permissions after logic end, IIS does not update the file details instantly after modification. And this will cause exceptions in higher layers, especially when folder gets heavier in time.
Use powershell more. All those stuff could be simply handled using .bat and basic Windows commands. Complexity makes troubleshooting difficult.
Comment any code, any where, even if it is as simple as a foreach thing in GetFiles()
When it comes to a code which is going to run million times a day, check each obvious line of code again, and Copy-Paste potential errors from documentation to code comments with link and details.

Hope you will let me know if there is any comments. Thank you!

Messing with the Enemy: Surviving in a NoSQL world of MongoDB, dirty code, and resources limitation.

Tayyebi — Fri, 01 Nov 2019 20:10:36 +0000

CTO called me early in morning: “Server is down”. He was talking about an old GoLang code which was a acting as a store-and-forward server with a MongoDB behind. The database was used to save a copy of all passed traffic from clients.

I wasn’t familiar with that code. It wasn’t a well formatted code, no comments and lots of files in bad named directories.

“Do we have backup?”, I asked. And the answer was positive. The Network & Virtualization team is hero. They create a backup from whole machine periodically, and it’s perfect.

So we asked for a mirror server to keep service online. They switched IP addresses of main server and the mirror server, and we were online! Bravo!

Now we have to find the problem. We don't have time. Mirror server will die soon. So simply sshed to the server (which is not currently under load) and asked for top process list and df disk status.

Disk was full!!! There wasn’t any free space. Even for a byte of data! I just asked the hero team (Network & Virtualization) to add some space to sda1. And they said that it’s not possible on their infrastructure. Maybe because that server’s startup time was for more than a year, software was old, no updates, nothing, totally an orphan server that no one cares about it’s existence.

At first we thought that we must read the source code. How this code is working? Which data is it storing? What’s going on?
But later we figured out that these are not good questions in this moment. We must ask, how can we kill this snake? The resource limitations? And which files we have to move?

sudo du -a / | sort -n -r | head -n 5 → We called this command on the second server that had free space. It will not run on a machine which is out of space.

So again we asked N&V team to add an external drive to the Ubuntu machine. A giant disk was added and it was time to move database files to new directory. We did so.

Time for some edits in services. sudo service mongod status. Failed to start with lots of errors in log file. But EXEC command was a big help. It was a --quite run of MongoDB. So I pasted it in terminal: mogod –config /etc/mongod.conf

Edited the dbpath to new directory. And it was another little problem. mongodb user wasn’t permitted to r/w on that directory. I don’t know why but chown mongodb:mongodb -R /media/blob/bob did not work for us so we changed the .service user to whoami output with a nice 755 permission to the mentioned username.

It’s time to clear the database log : > /var/log/mongodb/mongodb.log and remove the lock file which allows MongoDB to fire sudo rm /tmp/mongodb-27017.sock and sudo rm /var/lib/mongodb/mongodb.lock.

We are now refactoring the code, moving data to a safe place, and writing a new SOS protocol.

Lessons we learned:

Never accept a bad documented code.
Write a rescue plan that a five year old kid can read, understand, and perform it's actions step by step.
It's not important that how much big and complicated your business is, never forget old servers. Pay someone to take care of old infrastructure.
Never keep your technical support team busy with non-critical stuff.
Ask system administrators to make limitations on software and users, so they will shutdown before reaching operating system's red lines.
Use SSH-based monitoring tools to monitor details which are not accessible from ESXi monitoring panel.

7 face dice

Tayyebi — Thu, 31 Oct 2019 17:27:23 +0000

"God does not play dice", says Einstein. But we do! What if there were 7 players and you have to randomly choose one with a 6 face dice?

Let me deface the question: What if there was a function (Called rand6) that randomly generates a Natural number between 1 to 6 and you have to write another function (Called rand7) that generates a random Natural number between 1 to 7 using first function (rand6)? And rand6 is balanced.

Note that the probability of all events must be equal!

Wait a moment! Think! or just skip this step to my stupid solution.

This is the answer if you wish:

But how?

The idea is to launch an election campaign! there will be a local_max_count that will keep top candidates count which have equal votes. Candidates are one of {1,2,3,4,5,6,7} that will go for a second, third, or n*th* election. And there is also a global_max variable that keeps the maximum count of votes of top candidate.

int local_max_count = -1;

In each election, we play dice for each candidate (not really what Facebook is made because of), and the number will be it's vote count.

for (int i = 0; i < 7 ; i ++)
    if (votes[i] == global_max)
    {
        local_max_count ++;
        // call the rand6()
        votes[i] = rand6();
    }

then global max is defined as:

// Find the array maximum
for (int i = 0; i < 7 ; i ++)
    global_max = max (global_max, votes[i]);

And if there was a unique top candidate, function will return that as answer:

if (local_max_count == 0)
    for (int i = 0; i < 7 ; i ++)
        if (votes[i] == global_max)
            return i + 1; // i + 1 because normal people start counting from 1.

But what if there were two or many other candidates?

There is the point that way we have to recursively call our function and change a line in // Election code to add value to previous value:

votes[i] += rand6();

Test

You can run this function for 1000 times and visualize output with pyplot or any thing you wish. But it has to be something like image below because all numbers must have same chance to keep fair.

Question!

What if rand6 function was unbalanced?

PHP as a Pain Reliever

Tayyebi — Fri, 18 Oct 2019 21:09:47 +0000

Intro 🎬

If you are a dead eye and you don't wan't to fall on boss's sword, and go nuclear ☢️ (frameworks like Laravel I mean) to create a simple CRUD app, this post is written for you!
I will talk about a solution that helps us to rapidly create a PHP-based mini-framework that handles authentication, authorization, tables CRUD, Server status monitor, and etc in some simple magic 🧙 steps like shooting fish in a barrel 🛢️.

Demo 🎥

Some GIFs are provided in side each subtitle.

Overview 🔭

MySQL functions are used to handle auth, we write HTML in SQL(!), and lots of other spaghetti 🍝 stuff to build the solution fast.

File Structure 🗂️

- index.php
- lib.php
- master/
---- header.php
---- footer.php
- pages/
---- crud.php
---- superlitesql.php
---- users.php
- reports/
---- a_report.sql
---- filters/
-------- a_report.sql.csv

Step by step 🔬

master/header.php and master/footer.php

You any theme on you own. Maybe bootstrap is a good choice. I just copied all the stuff in this example inside header and footer files. Note that you have to keep a free space for variable contents. header and footer files are here to give us a taste of master page just like what we had in ASP.NET web forms (RIP ⚰️).

header.php

<!doctype html>
<header>...<header>
<html><body>
    <main>

footer.php

    </main>
    <script>...</script>
</body></html>

index.php

This file handles authentication, calls header.php and footer.php, and totally he is a good boy, we can call him loader or anything else.

How to authenticate with MySQL users?

$conn = @new mysqli($servername
    , $_SERVER['PHP_AUTH_USER'] // Username
    , $_SERVER['PHP_AUTH_PW'] // Password
    , $dbname);

// Set database charset to support persian.
mysqli_set_charset($conn,"utf8");

// Check Auth
if (!isset($_SERVER['PHP_AUTH_USER'])
    || $conn->connect_error
) {
    // Send login failed error to browser and expire temp login.
    header('WWW-Authenticate: Basic realm="Tayyebi Realm"');
    header('HTTP/1.0 401 Unauthorized');
    // die("Connection failed: " . $conn->connect_error);
    echo 'Access Denied';
    exit;
}

This will use browser basic authentication to ask for SQL connection info. If connection to database was successful, then code will pass to next lines.

Code below, allows us to access to any page content we decide, with passing its id to index.php as a query string:

// Header
include ('master/header.php');

// Container
$_GET['id'] = isset($_GET['id']) ? $_GET['id'] : 'welcome';
// includes the page content
include ('pages/' . $_GET['id'] . '.php');

// Footer
include ('master/footer.php');

lib.php [src]

There are two important functions in this static class. First to create a form from SQL table describe and second to create a HTML table from SQL query.

<?php
abstract class SuperLiteSql {
    // Function to create tables from queries
    static function createTable_from_sql_select_query($sql_link, $query) {
        // ...
        echo $table;
    }

    // This function creates an HTML form from SQL table
    static function GenerateFormFromTable($table_name, $conn, $values) {

        // ...

        return $form;
    }
}
?>

SuperLiteSQL [src]

Here we have a textbox and a button that allows you to submit the query and it will print out the results. Also we can pass .sql file names to the page and it will automatically post it to those functions; so we will be able to simply create SQL reports.

if (isset($_GET['entry']))
    $_POST['the_query'] = file_get_contents("reports/" . $_GET['entry']);
// ...
if (isset($_POST['the_query']))
    SuperLiteSql::createTable_from_sql_select_query($conn, $_POST['the_query']);

crud.php [src]

CRUD is CRUD, everywhere. There is Create, Select, Update, and Delete on a table row which is known by a key.
So the CRUD.php will use functions defined in lib.php to create a table from items table and a form for each individual row. Finally it will listen for posted data to decide what to edit or delete.

if (isset($_POST['insert'])
{
        // ...
}
else if (isset($_POST['update'])
{
        // declare variables
        $update_query_key_values = '';

        // Get table structure
        // In this case: todo table
        $result = $conn->query("DESCRIBE " . $table_name);

        // output data of each row
        while ($row = $result->fetch_assoc()) {
            if ($row["Field"] != $table_id) { // because of auto increment
                // dont insert comma for the last record
                if ($update_query_key_values != '')
                    $update_query_key_values .= ', ';

                // apend keys to keys array
                $update_query_key_values .= '`' . $row["Field"] . '` = ';

                // Get field type
                // if it was a stirng, add quote in first and last of value
                $type = substr($row["Type"], 0, strpos($row["Type"], '('));
                $symbol = '';
                if ($type == "varchar"
                or $type == "char" ) {
                    $symbol = '\'';
                }


                // If value is posted and its not null
                if (! isset( $_POST[ $row["Field"] ] ) ) {
                    $update_query_key_values .= "NULL" ;
                }
                else if ($_POST[ $row["Field"] ] == ''
                    and ( $type == "int" or $type == "bit" or $type == "decimal" )
                ) {
                    $update_query_key_values .= "NULL" ;
                }
                else {
                    // append value to values array
                    $update_query_key_values .= $symbol . $_POST[ $row["Field"] ]  . $symbol;
                }
            }
        }

        // assemble final query
        $update_query  = 'UPDATE ' . $table_name . ' SET ' . $update_query_key_values . ' WHERE ' . $table_id . ' = '. $_POST[$table_id] ;

        // run the query !
        mysqli_query($conn, $update_query);
}
else if (isset($_POST['delete']))
{
        // ...
}

Users and Permissions

We can easily manage users access level to any table using MySQL predefined functionality.

Bash script to log database transactions

while true
do
        mysql -u root -p<yourpasshere> -e "insert into test.mysql_general_log select * from mysql.general_log where argument like '%tss%' or argument like '%todo%' or argument like '%Transactions%'"
        mysql -u root -p<yourpasshere> -e "truncate mysql.general_log"
done

In the code provided above, which you can call it log.sh and run it in background, MySQL cli will make a copy of all logs that have todo or Transaction tables name into the local mysql_general_log which is made using the result of SHOW CREATE TABLE mysql.general_log query.

Dynamic reports

We can create dynamic filters by merging our scripts and comma separated value info about tables. We can define variables using a @ symbol and then generate forms that will accept user inputs.

Downloads 📩

Github Release page: https://github.com/tayyebi/tiny-php-pain-reliever/releases

Ref ⚓

https://7esl.com/weapons-idioms

Linux as a web server

Tayyebi — Wed, 25 Sep 2019 04:36:31 +0000

FAQ

Who is this post for?

Those who need some #eli5 step by step notes, to simply configure a web server, to host multiple websites on a single server.

Is this everything about configuring of a web server?

No it's just a tranquilizer to newbie programmers mental challenges on hosting, and rapid Wordpressers who wanna mine money faster!

Spoil it!

Finally you will install Apache, MySQL, BIND, PHP, and etc... on a Linux server and configure it to host multiple domains like a.b.com and d.e.com.

Where to learn theory of everything?

Just Google it with the following keyword: LPIC

Connect to your server!

use ssh <IP> or ssh <Domain> command to connect to your server.
(e.g-> ssh example.com)

Install Apache

What is Apache? Apache serves your content to the world. And also it can give you a hand to create dynamic website with PHP which Wordpress is also a PHP thing.

To install Apache

1- sudo yum install httpd mod_ssl

2- sudo /usr/sbin/apachectl start

If message appears: Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName, edit the configuration file using vim or any editor you wish (Step 3).

3- sudo vim /etc/httpd/conf/httpd.conf

and bring the following line out of comment:

4- #ServerName www.example.com:80 => ServerName MyServerName (which MyServerName is your own server name!)

Allow Apache in firewall. As you know, Apache listens on port HTTP 80 by default.

5.1- sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT

5.2- sudo service iptables save

Restart Apache:

6- sudo /usr/sbin/apachectl restart

Test your installation:

7- curl 127.0.0.1

As you know, it's very critical to allow Apache to access your codes!

8- sudo chcon -t httpd_sys_rw_content_t /var/www/html/mysite -R

Learn more about FirewallD

https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

Install PHP

Install and enable EPEL repository:

1- sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Install and enable Remi repository

2- sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm

Install yum-config-manager

3- yum install yum-utils

Install PHP modules which programmers use to reduce their headache

4- yum install php php-mcrypt php-cli php-gd php-curl php-mysql php-ldap php-zip php-fileinfo

Test the PHP's command line interface (CLI)

5- php -v

Wanna create a secondary sysadmin user? (Sudoer guy)

Create a user

1- ‍‍‍a‍dduser theusername (you say theusername)

Choose a password

2- passwd theusername (you said theusername)

Just like school, anyone is in a group. So you have to add new user to wheel, which is a super user level group:

3- usermod -aG wheel theusername

Switch user

4- su - username

Disable a user login (EMail or FTP accounts maybe)

1- Edit the /etc/passwd

2- Change shell to /bin/nologin

Learn more about configuring FTP server:

https://linuxize.com/post/how-to-setup-ftp-server-with-vsftpd-on-centos-7/

Hey server! KEEP EVERYTHING IN MIND; even "Clean your mind"

Edit ~/.bashrc

1- vim ~/.bashrc

2- Put following lines at the end of the file:

export HISTCONTROL=ignoredups:erasedups  
shopt -s histappend
export PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND$'\n'}history -a; history -c; history -r"
export HISTTIMEFORMAT='%F %T '

3- Test it: history

How to install MySQL

Install wget which is more handy tool than curl for heavy downloads.

1- yum install wget

Download the package:

2- wget http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm

Add the package:

3- sudo rpm -ivh mysql-community-release-el7-5.noarch.rpm

Update package manager:

4- yum update

Install the package:

5- sudo yum install mysql-server

Start daemon:

6- sudo systemctl start mysqld

Configure installation:

7- sudo mysql_secure_installation

Test installation:

8- mysql -u root -p (which root is the root username)

Create a MySQL user:

9- mysql> create user 'testuser'@'localhost' identified by 'mysecretpass'; (username is testuser and the password is mysecretpass)

Grant permissions to user:

10- mysql> grant all on databasename.* to 'testuser' identified by 'mysecretpass'; (replace databasename with the database name)

WhatIsMyIP?

If ifconfig doesn't work:

use: ip addr show

Change hostname

Configuration file is located in /etc/sysconfig/network. So open it in editor and find the related line:

HOSTNAME=myserver.domain.com

Also you can change the host that is associated with the main IP address for your server in /etc/hosts file.

Test command: hostname

Carefully restart networking (You may lose your connection to remote server!): /etc/init.d/network restart

BIND DNS (Domain Name Server: The magic behind mycustomcomputername.com)

You can check each domain's propagation using DNS checkers online. e.g-> https://dnschecker.org/
Also there is a geeky way: nslookup domain.com

Install BIND

1- sudo yum install bind bind-utils -y

Configure BIND (Remember that you can define your zones here, but it's better to keep the standards.

2- sudo cat /etc/named.conf

Look for included files, and edit the file as described below:

3- sudo vi /etc/named.rfc1912.zones

Define your zones in file same as following lines:

zone "mydomain.ir" IN {
    type master;
    file "mydomain.ir.zone";
    allow-transfer { none; };
};

zone "mycustomer1domain.com" IN {
    type master;
    file "customers.zone";
    allow-transfer { none; };
};

zone "mycustomer2domain.com" IN {
    type master;
    file "customers.zone";
    allow-transfer { none; };
};

So you have to create the customers.zone and mydomain.ir.zone files you just mentioned in directory /var/named:

5.1- sudo touch /var/named/customers.zone
5.2- sudo touch /var/named/mydomain.ir.zone

Then edit them as you wish:

$TTL 86400
@   IN  SOA     ns1.mydomain.com. root.mydomain.com. (
        2013042201  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
; Specify our two nameservers
        IN  NS      ns1.mydomain.ir.
        IN  NS      ns2.mydomain.ir.
; Resolve nameserver hostnames to IP, replace with your two droplet IP addresses.
ns1     IN  A       SERVER_IP_HERE
ns2     IN  A       SERVER_IP_HERE

; Define hostname -> IP pairs which you wish to resolve
@       IN  A       SERVER_IP_HERE
www     IN  A       SERVER_IP_HERE

Then any domain that is decided to be hosted on this server, must set ns1.mydomain.ir and ns2.mydomain.ir as their name server in domain control panel. If website was defined as a Virtual Host in Apache, it will be accessible.

Virtual Hosts

Edit the config file: sudo vi /etc/httpd/conf/httpd.conf foreach website you want to host.

<VirtualHost *:80>
   DocumentRoot "/var/www/html/domainname"
   ServerName domainname
   ServerAlias www.domainname
   RedirectPermanent / https://domainname2
</VirtualHost>

Refrence:

https://twitter.com/MRezaTayyebi/status/1152794765164974080
https://support.rackspace.com/how-to/centos-6-apache-and-php-install/
https://www.tecmint.com/install-php-7-in-centos-7/
https://www.digitalocean.com/community/tutorials/how-to-create-a-sudo-user-on-centos-quickstart
https://gist.github.com/tayyebi/5e03f83dff1b897a51e530748d74e872
https://www.linode.com/docs/databases/mysql/how-to-install-mysql-on-centos-7/
https://support.rackspace.com/how-to/centos-hostname-change/
https://www.digitalocean.com/community/tutorials/how-to-install-the-bind-dns-server-on-centos-6
https://httpd.apache.org/docs/2.4/vhosts/examples.html