April 22, 2010

McAfee Response To Current False Positive Issue

Filed under: Uncategorized — paragon @ 1:30 pm

In the past 24 hours, McAfee identified a new threat that impacts Windows PCs. Researchers worked diligently to address this threat that attacks critical Windows system executables and buries itself deep into a computer’s memory.

The research team created detection and removal to address this threat. The remediation passed our quality testing and was released with the 5958 virus definition file at 2.00 PM GMT+1 (6am Pacific Time) on Wednesday, April 21.

McAfee is aware that a number of customers have incurred a false positive error due to this release. We believe that this incident has impacted less than one half of one percent of our enterprise accounts globally and a fraction of that within the consumer base–home users of products such as McAfee VirusScan Plus, McAfee Internet Security Suite and McAfee Total Protection. That said, if you’re one of those impacted, this is a significant event for you and we understand that.

Our initial investigation indicates that the error can result in moderate to significant issues on systems running Windows XP Service Pack 3.The immediate impact on corporate users was lessened for corporations who kept a feature called “Scan Processes on Enable” in McAfee VirusScan Enterprise disabled, as it is by default, though those customers could also be impacted when running an on demand scan.

The faulty update was removed from all McAfee download servers within hours, preventing any further impact on customers.

McAfee teams are working with the highest priority to support impacted customers. We have also worked swiftly and released an updated virus definition file (5959) within a few hours and are providing our customers detailed guidance on how to repair any impacted systems.

Corporate Customers
– These entries in our virus information library and the knowledge baseprovide workarounds for this issue for corporate customers
– Customers are discussing the issue in our online support community

Consumers
– This support page provides information for impacted consumers
– Consumers are also discussing the topic in the online community

To contact McAfee by phone in your region, go to the “Contact Us” page on our Web site and select your country for the correct number.

We are investigating how the incorrect detection made it into our DAT files and will take measures to prevent this from reoccurring.

We sincerely apologize for the inconvenience this has caused our customers and will update this blog posting as more details become available.

Barry

PS: I just published another blog in response to some of your comments below.

(Updated at 3.35 PM PT to include statement on number of customers impacted.)
(Updated at 3.50 PM PT with a link to details for consumers who were impacted.)
(Updated at 5.13 PM PT with link to knowledge base.)
(Updated at 5.44 PM PT to correct the number of impacted consumers.)
(Updated at 8.20 PM PT removing detail on 5959 DAT capabilities.)
(Updated at 9.27 PM PT to provide additional detail on customer impact added link to new blog post.)
(UPdated at 10.01 PM PT to add a link to the support community.)

Comments (1)

April 10, 2010

Install software updates and security patches without rebooting

Filed under: Uncategorized — paragon @ 5:59 am

This story appeared on Network World at
http://www.networkworld.com/newsletters/techexec/2010/021510bestpractices.html

Install software updates and security patches without rebooting

IT Best Practices Alert By Linda Musthaler, Network World
February 12, 2010 12:03 AM ET

Leave a Comment

March 26, 2010

Configuring Litespeed Webserver

Filed under: Uncategorized — paragon @ 1:41 pm

Configuring Litespeed Webserver

Source: http://bobcares.com/blog/?p=114

If you are looking for a fast webserver, stop searching and take a look at LiteSpeed Webserver. It is an apache emulator with high performance. It can double the server speed at the same time reduce the server load by half. LiteSpeed has now powered some of the world’s popular websites like WordPress.Com, AirLiners.Net (both having 30+ millions hits per day). LiteSpeed Web Server is the core product of LiteSpeed Technologies Inc. The web server survey conducted on 2006 shows that LiteSpeed powers over 3,00,000 domains and is the 6th most popular web server platform in the world.

1.1 Features of LiteSpeed WebServer

– Runs on almost all platforms like Linux, FreeBSD, Solaris, Mac OS X etc
– It is fully compatible with most of the common control panels like cPanel, Ensim, DirectAdmin, Plesk, etc.
– PHP scripting is up to 50% faster than Apache’s mod_php
– supports CGI, Fast CGI, PHP, Servlet/JSP, Proxy, SSLv2/SSLv3/TLSv1, IPv4 and IPv6
– GZIP compression
– high performance .htaccess implementation, this alone can double the server capacity and reduce server load by 5-10 times against using apache.
– LDAP authentication
– Apache compatible URL rewrite engine
– MS FrontPage Server Extension
– Strictest HTTP request validation
– Deny any buffer-overrun attempt
– Secure against popular DoS attacks
– Chroot support
– Chroot and suexec CGI script
– supports FastCGI suEXEC for improved security
– Small memory footprint
– Thousands of concurrent connections
– Increase scalability of external web applications
– Efficient and high performing CGI daemon and Perl daemon
– SSL Hardware acceleration
– can recover from service failure instantly
– Migration from other webservers is quite quick and easy
– this can also act as a security guard in front of current webserver and hence improving performance, scalability and security.
– can perform up to 50% better during high loads when compared to httpd and lighttpd.
– PHP CGI/FCGI SAPI
– With PHP LiteSpeed SAPI, LiteSpeed’s PHP performance is up to 100% better than Apache’s mod_php.
– Ruby LSAPI is about 50% faster than Ruby FCGI for the simple “Hello, World” test.

2. Install LiteSpeed

# cd /usr/src
# wget http://litespeedtech.com/packages/3.0/lsws-3.1.1-std-i386-linux.tar.gz
# tar -xvzf  lsws-3.1.1-std-i386-linux.tar.gz
# cd lsws-3.1.1
# ./install.sh

You will encounter few questions and need to select the following options:

Do you agree with above license? Yes
Destination [/opt/lsws]: /opt/lsws [ /usr/local/lsws can also be used]
User name [admin]: admin
Password: youradminpassword
Retype password: youradminpassword
User [nobody]: nobody [use a non-system user that doesn’t have a shell access and home directory]
Group [nobody]: nobody [group the webserver will be running as]
HTTP port [8088]: 1080 [you can give any port you wish to run lsws. If any other webserver is running on this port, stop it before starting lsws]
Admin HTTP port [7080]: 7080
Both these ports should be enabled in the firewall
Setup up PHP [Y/n]: Y
Suffix for PHP script(comma separated list) [php]: php
Would you like to change PHP opcode cache setting [y/N]? N
Would you like to install AWStats Add-on module [y/N]? N
Would you like to import Apache configuration [y/N]? N
Would you like to have LiteSpeed Web Server started automatically when the machine restarts [Y/n]? Y
Would you like to start it right now [Y/n]? Y

LiteSpeed Web Server started successfully! Have fun!

2.1 Check Litespeed

Take http://192.168.1.19:1080/ on the browser, you will see a Litespeed welcome page.

Let us check if it is listening to the port we have mentioned.

# netstat -pant | grep lshttpd
tcp        0      192.168.1.19:7080            0.0.0.0:*       LISTEN      18718/lshttpd
tcp        0      192.168.1.19:80                0.0.0.0:*      LISTEN      18718/lshttpd

2.2 Admin Area

You can manage the admin area at

http://192.168.1.19:7080/.

Here 192.168.1.19 is my local machine’s ip.

2.3 Log Files

The log files are located at /opt/lsws/logs.

3. To Integrate with Cpanel

LiteSpeed Web Server works very well with cPanel managed web sites. The
performance will increase up to 10x times by replacing apache with lsws.

To replace Apache with LSWS :-

3.1 Goto admin area

Access admin area at http://192.168.1.19:7080 and with the admin username and password.

3.2 Goto Configurations >> Server >> General.

Keeping the cursor against the button along with each option will give you a small definition about the same.

3.3 Scroll down to “Using Apache Configuration File”

        Load Apache Configuration => Yes
        Auto Reload On Changes    => Yes (Changes made in WHM/cPanel will be applied automatically)
        Apache Configuration File => /usr/local/apache/conf/httpd.conf
        Apache Port Offset  => 1000    (Try LiteSpeed on port 1080 and 1443 first, change to 0 later)
        Apache IP Offset    => 0
        PHP suEXEC          => Yes        (Run PHP in suEXEC mode)
        PHP suEXEC Max Conn => 8  (The maximum PHP processor each account can have)

3.4 Scroll back up to “Index Files” and set it as follows:

            Index Files                index.html, index.php, index.php5, index.php4, index.htm
            Auto Index                 Not Set
            Auto Index URI             Not Set

3.5 scroll down to “HT Access”

    Allow Override   Check: Limit, Auth, FileInfo, Indexes, Options Uncheck: None
    Access File Name        .htaccess

3.6 Goto Configurations >> Server >> Listeners

delete all current listeners.

3.7 Now restart the webserver

    service lsws restart

4. PHP

By default, Litespeed comes with PHP 4.4.x compiled with LSAPI and hence we have to install latest stable version of PHP with LSAPI for our LiteSpeed. With PHP LiteSpeed SAPI, LiteSpeed’s PHP performance is much more efficient than Apache’s mod_php or fast_CGI.

# /opt/lsws/fcgi-bin/lsphp -v
PHP 4.4.7 (litespeed) (built: May  30 2007 05:16:33)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies

4.1 Download the latest stable PHP

# wget http://in2.php.net/distributions/php-5.2.3.tar.gz
# tar -zxf php-5.2.3.tar.gz
# cd php-5.2.3
# cd sapi

4.2 Download and expand latest LSAPI for PHP into the “sapi”folder:

# wget http://www.litespeedtech.com/packages/lsapi/php-litespeed-4.0.tgz
# tar -zxf php-litespeed-4.0.tgz

4.3 Change directory to php-5.2.3 and run commands:

# cd ..
# touch ac*
# ./buildconf --force

4.4 Configure/Compile PHP:

4.4.a # php -i | grep configure | sed "s/'//g" | sed "s/'//g"
4.4.b # Remove the "--with-apxs=/usr/local/apache/bin/apxs" part from 6.4.a
and add '--prefix=/php5' '--with-litespeed' '--with-config-file-path=../php'
# ./configure '--prefix=/php5' '--with-litespeed'
'--with-config-file-path=../php' --with-mysql ...[append the full options from
4.4.a]
# make
# make install

Note: You must compile PCRE (Perl Compatible Regular Expressions) support in
order for the default auto-index PHP script to work correctly (at least this
is true for 3.0RC2).

4.5 Replace the lsphp binary in /opt/lsws/fcgi-bin/lsphp with /php-5.2.3/sapi/litespeed/php:

# cd /opt/lsws/fcgi-bin/
# mv lsphp lsphp.old
# cp /php-5.2.3/sapi/litespeed/php lsphp

4.6 To check installation success:

# /opt/lsws/fcgi-bin/lsphp -v

PHP 5.2.3 (litespeed) (built: May  31 2007 14:05:12)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies

4.7 php.ini

The php.ini file will be located at /opt/lsws/php/php.ini

If we want to use the old PHP.ini just copy it here.

# cd /opt/lsws/php
# mv php.ini php.ini.old
# cp /usr/local/ZEND/etc/php.ini .

4.8 Restart Litespeed Webserver

Finally restart LSWS and use our new PHP binary.

/opt/lsws/bin/lswsctrl restart and thats it.    You are done !!!

5. Limitations

This webserver comes as Standard version (which is free and it has several limitations) and it comes as an Enterprise version (which is more optimized and it doesn’t have much limitations). Few drawbacks of free version are: the Maximum Concurrent Connections is limited to 150, it cannot utilize more than one processor etc. Hence, to utilize the full advantage of LSWS you have to purchase the Enterprise version.

6. Conclusion

We have installed LiteSpeed Webserver and integrated it to use with CPanel. Now the web pages will load fast. At the same time the server load and memory usage will be lower. More web sites can now be hosted on this server and we can feel the speed. In short, LiteSpeed is the best choice for shared hosting service providers in terms of performance, security and server capacity.

Go ahead, give LiteSpeed a try and discover why over 300,000 internet domains are currently powered by LSWS.

References:

http://litespeedtech.com/
http://en.wikipedia.org/wiki/LiteSpeed_Web_Server/
http://creativeflux.co.uk/entry/replacing-apache-with-litespeed/
http://www.usefuljaja.com/litespeed

Downloads:

http://www.php.net/downloads.php
http://www.litespeedtech.com/products/web

Leave a Comment

March 25, 2010

cpanel php out of memory wordpress, phpbb, etc

Filed under: Uncategorized — paragon @ 2:03 pm

cpanel php out of memory wordpress, phpbb, etc

By TEDDY | Published: FEBRUARY 9, 2010

Source: http://blog.bubblemonkey.com.au/2010/02/cpanel-php-out-of-memory-wordpress-phpbb-etc/

in short: Check the apache RLimitMEM in httpd.conf.. remove it if not really required.

complete story:

did you just install cpanel fresh? after installing wordpress, phpbb, or any other php applications… did you have a problem like “Fatal error: Out of memory (allocated 20185088) (tried to allocate 13056 bytes)” ?

well, i just got that problem. and after hours of trial and errors, i overlooked the fact that i had this module enabled in apache.. i thought the problem was only php

so i checked the php.ini and .htaccess trying to remove/tweak the memory_limit setting

i saw this option “Memory Usage Restrictions” in the apache configuration page of cpanel/whm, but couldnt remove it..

so i went to edit it manually, vim /usr/local/apache/conf/httpd.conf

and removed the two entries RLimitMEM and RLimitCPU

for cpanel to store your changes permanently, run

/usr/local/cpanel/bin/apache_conf_distiller –update

restart apache, and violla! all works fine now.. phew..

i hope that helps others too.

this was on cPanel 11.25.0, CENTOS 5.4 x86_64, PHP 5.2.12, Apache 2.2.14

cpanel php out of memory wordpress, phpbb, etcBy TEDDY | Published: FEBRUARY 9, 2010in short: Check the apache RLimitMEM in httpd.conf.. remove it if not really required.
complete story:did you just install cpanel fresh? after installing wordpress, phpbb, or any other php applications… did you have a problem like “Fatal error: Out of memory (allocated 20185088) (tried to allocate 13056 bytes)” ?
well, i just got that problem. and after hours of trial and errors, i overlooked the fact that i had this module enabled in apache.. i thought the problem was only phpso i checked the php.ini and .htaccess trying to remove/tweak the memory_limit setting
i saw this option “Memory Usage Restrictions” in the apache configuration page of cpanel/whm, but couldnt remove it..so i went to edit it manually, vim /usr/local/apache/conf/httpd.confand removed the two entries RLimitMEM and RLimitCPUfor cpanel to store your changes permanently, run/usr/local/cpanel/bin/apache_conf_distiller –update
restart apache, and violla! all works fine now.. phew..i hope that helps others too.
this was on cPanel 11.25.0, CENTOS 5.4 x86_64, PHP 5.2.12, Apache 2.2.14

Leave a Comment

March 20, 2010

SoftLayer® Adds IPsec for Secure, Robust Remote Access

Filed under: Internet, Networks, Technology — paragon @ 2:03 pm

Press Release

SoftLayer^® Adds IPsec for Secure, Robust Remote Access
IPsec Provides Customers Remote Access to Infrastructure and Services

DALLAS—March 10, 2010—SoftLayer^®, a global provider of on-demand data center hosting and cloud services, has announced the addition of Internet Protocol Security (IPsec) to its best-in-class portal allowing customers to securely connect to their infrastructure environment through a Virtual Private Network (VPN).

IPsec provides a framework of protocols for protecting transmissions over an IP network. This allows the creation of a secure VPN over the existing Internet, with data fully encrypted and secure when transferred between two points. IPsec resides at the network level and can be implemented regardless of applications used, giving remote users full access to their network and to robust data, voice, or video applications.

IPsec at Softlayer includes:

Secure, site-to-site network connectivity (PPTP and SSL VPN are generally limited to desktop-to-site connectivity)
Multi-phase authentication process (in contrast to username/password security common to PPTP and SSL)
Network Address Translation (simplifying the connection of resources on either side of the IPsec tunnel)
Transparent connectivity for applications (other technologies often require additional configuration)

“As we continue to enhance the SoftLayer customer experience, IPsec VPN services bring an additional option for remote access,” said Ric Moseley, SoftLayer Vice President of Network Operations. “IPsec provides customers an extremely robust pipeline for accessing information on their SoftLayer infrastructure. IPsec’s extensive level of access to remote applications makes it ideal for managing applications from a distance and increasing productivity.”

About SoftLayer Technologies
Headquartered in Plano, Texas, SoftLayer provides best in class, on-demand IT services on a global basis from facilities in Dallas, Seattle, and Washington, DC. SoftLayer integrates and automates all IT elements to innovate industry-leading services—including cloud, dedicated, and virtual computing environments—all managed through a single interface. Enterprises of all sizes benefit from gaining complete control, security, scalability, and ease-of-management for their IT solution. For more information, please visit www.softlayer.com or call 866.398.7638.

Contact:
James McDowell
marketing@softlayer.com
+1 244 442 0600

Leave a Comment

December 15, 2009

Net Nanny® Mobile is Here!

Filed under: Content Watch — paragon @ 1:59 pm

December 2009

Net Nanny® Mobile is Here!

50% OFF for all Current Net Nanny® Subscribers

Cell phones have quickly become the primary interface for communication and online activities. This limitless connectivity adds convenience and entertainment, though exposes children to a wide variety of dangerous and undesirable situations. Online bullying, sexual exploitation, sexting and misconduct are all exacerbated by this constant and readily available connectivity.

Net Nanny® Mobile provides parents unprecedented access to monitor and control their child’s mobile related activities, while also protecting the device against Loss, Theft, Spyware and Viruses.

How Do I Get Net Nanny® Mobile?

Current Net Nanny subscribers can purchase Net Nanny® Mobile today and receive 50% OFF.

Net Nanny® Mobile Used To Stop Sexting, CyberBullying and Misconduct

Net Nanny Mobile gives parents unprecedented control over the content on Smartphones

With the average child sending over 2000 text message per month,
children are being placed in a very precarious position. The ability to instantly share pictures increases the problem and parents must closely monitor these activities. Net Nanny® Mobile enables parents to:

View pictures taken, sent or received via text or e-mail
View all text and e-mail messages
Receive alerts when inappropriate keywords are sent or received
View their contacts and address book
View where they are at any time (literally).
All this can be accessed from a browser, anywhere, anytime.

Protect your kids from Sexting and Cyberbullies Today! Current Net Nanny subscribers can purchase Net Nanny® Mobile today and receive 50% OFF.

Net Nanny® Mobile Provides Communication Control

Whether it’s CyberBullying, undesirable friends or other inappropriate communications, Net Nanny® Mobile enables parents to control who is able to communicate with their child. Parents can easily blacklist individuals – silently and automatically blocking any phone calls or text messages received by them.

Manage your kid’s phone Today! Current Net Nanny subscribers can purchase Net Nanny® Mobile today and receive 50% OFF.

In this issue

Net Nanny® Mobile Provides Industry-Leading AntiVirus and AntiSpyware Protection

It’s the easiest way to block malicious attacks on your Smartphone

Just as with personal computers, cell phones are susceptible to viruses, worms, spyware and trojans. With songs and applications constantly being downloaded from online application stores and websites, the likelihood of infection has increased dramatically. The built-in Antivirus and AntiSpyware capabilities of Net Nanny® Mobile ensures your child’s device is free of viruses and isn’t secretly being monitored by a person with malicious intent.

Protect your phone against Spyware and Malware Today! Current Net Nanny subscribers can purchase Net Nanny® Mobile today and receive 50% OFF.

Net Nanny® Mobile Can Help You Recover a Lost or Stolen Phone

It’s the best way to protect your confidential information

The ultra-portable nature of cell phones makes them easy to carry to school, baseball practice, parties, etc. Unfortunately, it also increases the chances that your child’s phone will become lost or stolen. With Net Nanny® Mobile, parents can easily locate, lock, and wipe a lost or stolen device to ensure that the child’s personal data doesn’t fall into the wrong hands. As an added benefit, the child’s personal data can be remotely backed-up and easily imported into their new phone.

What type of phone do you have?
Symbian Series 60
Windows Mobile 6.0/6.1
Blackberry
Android

Protect your phone against Theft Today! Current Net Nanny subscribers can purchase Net Nanny® Mobile today and receive 50% OFF.

Unsubscribe

If you no longer wish to receive emails from us, please unsubscribe here.

To sign up for NetNanny or Content Watch – Contact ParagonHost http://www.ParagonHost.com

Leave a Comment

December 5, 2009

iPhone Worm Attack – jailbroken iPhones

Filed under: Uncategorized — paragon @ 1:24 am

Due to the iPhone being a hit in the smartphone market, network security researchers warned that the iPhone’s popularity will lead to cyber-criminals to taking an interest in mobile phones. With the increase in horsepower and functionality in smartphones phones, they are essentially mini computers. We all know the types of threats and vulnerabilities computers face and our phones are no exception.

Recently, some iPhone users were attacked by a worm – the first of its kind found on the iPhone. The virus automatically replaces the iPhone wallpaper with a photo of 80’s pop singer Rick Astley and displays a message “Never give up your” (ikee is never going to give you up), but stops there and does not perform further attacks on the iPhone. The worm was written by a 21-year-old Australian hacker Ashley Towns to prepare, Towns said the production of the worm is to have iPhone users realize the risks of not changing the default root password.

However, only jailbroken iPhones are vulnerable to the worm virus. Jailbreaking is a process that allows iPhone and iPod Touch users to run homebrew apps on their devices by bypassing Apple’s App Store. Once jailbroken, iPhone users are able to download homebew applications as well as cracked applications through unofficial installers such as Cydia, Rock App, Icy, and Installer. Jailbroken versions of Apple’s iPhone is eligible for technical support and Apple has many times through software upgrades prevented users from cracking their iPhones. Apple also noted that Jailbreaking an iPhone is illegal. Users who jailbreak their iPhone, installed SSH, and did not change their default root password “alpine” were found with the worm. Once infected, the worm will attempt to search and spread to other jailbroken iPhones in the same network. This threat can be mitigated by changing the default password of their iPhone.

Prior to this incident, iPhone users have already been the target in attacks. A week ago, Dutch users received messages from an the attacker that warned of a security vulnerability in their cell phone and requested that these users donate 5 Euros each to a PayPal account. The attackers have since apologized and provided a fix. This is an example of an attacker who exploited the same flaw but not in the form of a virus or worm.

Leave a Comment

October 28, 2009

How does FreeSWITCH compare to Asterisk? The Back Story of Free Switch IP-PBX

Filed under: Internet, IP-PBX, Networks, Technology, Telecom, VOIP — paragon @ 11:33 pm

Source: http://www.freeswitch.org/node/117

Author / Founder: Free Switch

Note: CudaTel a IP-PBX from Barracuda ( http://www.BarraGuard.com )

Visit: Virtual Graffiti for your Technology and Network Security Needs! http://www.VirtualGraffiti.com

How does FreeSWITCH compare to Asterisk? Why did you start over with a new application? These are questions I’ve been hearing a lot lately so I decided to explain it for all of the telephony professionals and enthusiasts alike who are interested to know how the two applications compare and contrast to each other. I have a vast amount of experience with both applications with about 3 years of doing asterisk development under my belt and well, being the author of FreeSWITCH. First I will provide a little history and my experience with Asterisk, then I will try to explain the motivations and the different approach I took with FreeSWITCH.

I first tried Asterisk in 2003. It was still pre 1.0 and VoIP was still very new to me. I downloaded and installed it and in a few minutes I was tickled pink over the dial tone emitting from my phone plugged into the back of my computer. I spent the next few days playing with my dial plan and racking my brain to think of cool stuff I could do with a phone that was hooked up to a Linux PC. Since I had done an extensive amount of web development in my past life I had all sorts of nifty ideas like matching the caller id to the customer’s account number and trying to guess why they were calling etc. I also wanted to move on in my dial plan based on pattern matching and started hacking my first module. Before I knew it I had made the first cut of app_perl, now res_perl where I had embedded a Perl5 interpreter in Asterisk.

Now that I had that out of my system, I started developing an Asterisk-driven infrastructure to use for our inbound call Queues. I prototyped it using app_queue and the Manager Interface now proudly dubbed “AMI” (initials always make things sound cooler). It was indeed magnificent! You could call in from a PSTN number over a T1 and join a call queue where our agents who also called in could service the calls. “This rocks!” I thought to myself as I watched from my fancy web page showing all the queues and who was logged in. It even refreshed periodically by itself which was why I was surprised when the little icon in the corner of my browser was still spinning for quite some time. That’s when I first heard it. That word. The one I can never forget, deadlock.

That was the first time, but it wasn’t the last. I learned all about the GNU debugger that day and it was just the first of many incidents. Deadlock in the queue app. Deadlock in the manager, Avoiding Deadlock on my console. It was starting to get to me a little but I kept going. By this time I was also quite familiar with the term Segmentation Fault another foe to the computer developer. After about a year’s time wrestling with bugs I found myself a lot more well-versed in the C programming language than I even imagined and near Jedi caliber debugging skills. I had a working platform running several services on a DS3 worth of TDM channels spread over 7 asterisk boxes and I had given tons of code to the project including some entire files on which I hold the copyright. http://www.cluecon.com/anthm.html

By 2005, I had quite a reputation as an asterisk developer. They even thanked me in both the CREDITS file and in the book, Asterisk, The Future of Telephony. I not only had tons of applications for asterisk in tree, I had my own collection of code they did not need or want on my own site. (Still available today at http://www.freeswitch.org/node/50)
Despite all of this I could not completely escape the deadlocks and crashes. I hid the problem well with restart scripts and 7 machine clusters but I could not see a way to scale my platform much more. I had to abandon some features because they just would not work right based on the way Asterisk was designed.

Asterisk uses a modular design where a central core loads shared objects to extend the functionality with bits of code known as “modules”. Modules are used to implement specific protocols such as SIP, add applications such as custom IVRs and tie in other external interfaces such as the Manager Interface. The core of Asterisk is a threading model but a very conservative one. Only origination channels and channels executing an application have threads. The B leg of any call operate only within the same thread as the A leg and when something happens like a call transfer the channel must first be transferred to a threaded mode which often times includes a practice called channel masquerade, a process where all the internals of a channel are torn from one dynamic memory object and placed into another. A practice that was once described in the code comments as being “nasty”. The same went for the opposite operation the thread was discarded by cloning the channel and letting the original hang-up which also required hacking the cdr structure to avoid seeing it as a new call. One will often see 3 or 4 channels up for a single call during a call transfer because of this.

/* XXX This is a seriously wacked out operation. We’re essentially putting the guts of
the clone channel into the original channel. Start by killing off the original
channel’s backend. I’m not sure we’re going to keep this function, because
while the features are nice, the cost is very high in terms of pure nastiness. XXX */

This became the de facto way to pull a channel out of the grips of another thread and the source of many headaches for application developers. This uncertain threading scheme was one of the motivating factors for a rewrite.

Asterisk uses linked-lists to manage its open channels. A linked-list is a series of dynamic memory chained together by using a structure that has a pointer to its own type as one of the members allowing you to endlessly chain objects and keep track of them.
They are indeed a useful programming practice but when used in a threaded application become very difficult to manage. One must use mutexes, a kind of traffic light for threads to make sure only 1 thread ever has write access to the list or you risk one thread tearing a link out of a list while another is traversing it. This also leads to horrible situations where one thread may be destroying or masquerading a channel while another is accessing it which will result in a Segmentation Fault which is a fatal error in the program and causes it to instantly halt which, of course means in most cases all your calls will be lost. We’ve all seen the infamous “Avoiding initial deadlock” message which essentially is an attempt to lock a channel 10 times and if still won’t lock, just go ahead and forget about the lock.

The manager interface or AMI has a concept where the socket used to connect the client is passed down into the applications letting your module have direct access to it and essentially write any data you want to that socket in the form of Manager Events which are not very structured and thus the protocol is very difficult to parse.

Asterisk’s core has linking dependencies on some of it’s modules which means that the application will not start if a certain module is not present because the core is actually using some of the binary code from the module shared object directly. To make a call in asterisk in at least version 1.2 you have no choice but to use app_dial and res_features because the code actually lives in those modules. The logic to establish a call and to do things like a forked dial actually reside in app_dial not the core, and res_features actually contains the top level function that bridges the audio.

Asterisk has no protection of its API. The majority of the functions and data structures are public and can easily be misused or bypassed. The core is anarchy with assumptions about channels having a file descriptor, which is not always necessary in reality but is mandatory for any asterisk channel. Many algorithms are repeated throughout the code in completely different ways with every application doing something different on seemingly identical operations.

This is only a brief summary of the leading issues I had with Asterisk. I donated my time as a coder, my servers to host the CVS repository and served as a bug marshal and maintainer. I organized a weekly conference call to plan for the future and address some of the issues I have described above. The problem was, when one looks at this long list of fundamental changes then thinks about how much work it would take and how much code may have to be erased or rewritten, the motivation to address the issues begins to fade. I could tell not many people would be on board with my proposal to start a 2.0 branch and rewrite the code. That is why in the summer of 2005 I decided I would do it myself.

My primary focus on FreeSWITCH was to start from the core and trap all the common functionality under the hood and expose it in a pyramid to the higher levels of the application. Like Asterisk, the Apache Web Server heavily inspired me and I chose to use a modular design. From the first day the basic fundamentals I chose to adhere to were that every channel has it’s own thread no matter what it was doing and that thread would use a state machine function to navigate its way through the core. This would ensure that every channel would follow the same predictable path and state hooks and overrides could be placed into the machine to add important functionality very similar to how methods and class inheritance works in an object oriented programming language.

It hasn’t been easy. Let me tell you. I’ve had my fair share of Segmentation Faults and Deadlocks while coding FreeSWITCH , (a lot more of the former than the latter I must say). But I built the code from the core and went from there. Since all of the channels operate in their own thread and there are occasions where you need to interact with them, I use read/write locking so the channels can be located from a hashing algorithm rather than a linked list and there is an absolute guarantee that the channel cannot be accessed or go away while an outside thread has reference to it. This alone makes it much easier to sleep at night and obsoletes the need for “Channel Masquerades” and other such voodoo.

The majority of functions and objects supplied by the FreeSWITCH core are protected from the caller by forcing them to be used the way they were designed. Any concept that is extensible or provided by a module has a specific interface which is used to front end that functionality therefore the core has no linking dependency on any of its modules.
There is a clear cut layered API with the core functions being on the bottom and the amount of functions on each subsequent layer decreasing as the functionality increases.
For instance it’s possible to write a large function that uses an arbitrary file format module to open and play audio to a channel. But in the next layer of API there is simply a single function that will play a file to a channel that is then extended to the dial plan tools module as a tiny application interface function. So you can execute the playback from your dial plan, from your custom C application using the same function or you can write your own module that manually opens the file and plays it all using the services of the file format class of modules without ever divulging it’s code.

FreeSWITCH is broken into several module interfaces. Here is a list of them:

Dialplan:
Implement the ring state of a call, take the call data and make a routing decision.

Endpoint:
Protocol specific interface SIP, TDM etc.

ASR/TTS:
Speech recognition and synthesis.

Directory:
LDAP type database lookups.

Events:
Modules can fire existing core events as well as register their own custom events
Which can be parsed from an event consumer at a later time.

Event Handlers:
Remote access to events and CDR.

Formats:
File formats such as wav.

Loggers:
Console or file logging.

Languages:
Embedded languages such as Python and JavaScript.

Say:
Language specific modules to construct utterances from sound files.

Timers:
Reliable timers for packet interval timing.

Applications:
Applications you can execute on the call such as Voicemail.

FSAPI (FreeSWITCH API interface [see I use initials too!] )
Command line functions, XMLRPC functions, CGI type functions, Dialplan function variables exposed with a string in, string out prototype.

XML
There are hooks to the core XML registry that make it possible to do realtime
lookups and create XML based CDRs

All of the FreeSWITCH modules work together and communicate with each other only via the core API and the internal event system. Great care was taken to ensure this and avoid any unwanted behavior from outside modules.

The event system in FreeSWITCH was designed to keep track of as much as possible. I designed it under the assumption that most users of the software would be connecting to FreeSWITCH remotely or using a custom module to gather call data. Thus, every important thing that happens in FreeSWITCH results in an event firing. The events are very similar to an email format having headers and a body. Events can be serialized into either a standard text format or an XML representation. Any number of modules may be written to connect to the event subsystem and receive events about presence, call state and failures. The in-tree mod_event_socket provides a TCP connection on which events can be consumed as well as log data. In addition call control commands may be sent over this interface as well as bi-directional audio flow. The socket can be established by either an in-progress call as an outbound connection or from a remote machine as an inbound connection.

Another important concept in FreeSWITCH is the centralized XML registry. When FreeSWITCH loads it opens a top-level XML file which is fed into a pre-processor that parses special directives to include other smaller xml files and to set global variables which can be referenced from that point forward to template the configuration.
For instance you can set the preprocessor directive to set a global variable like this:

<X-PRE-PROCESS cmd=”set” data=”moh_uri=local_stream://moh”/>

now even on the next line in the file you can use $${moh_uri} and it will be replaced by local_stream://moh in the post processed output. The final post processed registry is loaded into memory and accessed by the modules and the core to provide several vital sections to the application:

Configuration
Configuration data to control the behaviour of the application.

Dialplan
An XML representation of a dialplan that can be used by mod_dialplan_xml to
route calls and execute applications.

Phrases
A markup of IVR phrase macros to use from IVRs and to speak multiple languages.

Directory
A collection of domains and users for registration and account management.

Using XML hook modules, you can bind your module to lookups in the XML registry and, in real time, gather the required information and return it to the caller in place of the static data in the file. This makes it possible to do purely dynamic SIP registrations and dynamic voice mailboxes and dynamic configuration of a cluster using the same model as a web browser and a CGI application.

With embedded languages such as JavaScript, Java, Python and Perl, it’s possible to write scripted application that can control the underlying power with a simple high-level interface.

The first phase of the FreeSWITCH project was to create a stable core on which to build scalable applications. I am happy to report that it will be completed on May 26th 2008 with the release of FreeSWITCH 1.0 “phoenix”. We have been able to out perform Asterisk by a factor of 10 in similar situations according to the accounts of two separate early adopters brave enough to go into production pre-1.0.

I hope this explanation is sufficient to outline the difference between FreeSWITCH and Asterisk and will shed some light on my decision to start the FreeSWITCH project. I will forever remain an Asterisk developer due to my vast involvement in the project and I wish them all the luck in the world with the future design of the application. I may even dig up some more of my long lost Asterisk code in my personal archives and release it to the public as a gesture of good will towards the project that gave me my start in telephony.

Asterisk is an open source PBX and FreeSWITCH is an open source soft switch. There is plenty of room for both applications among the other great open source Telephony applications such as Call Weaver, Bayonne, sipX, OpenSER and many many more. I look forward every year to presenting with and talking to all the developers of these projects at ClueCon in Chicago this summer. http://www.cluecon.com

We can all inspire each other to push the envelope on Telephony even farther. The most important question you can ask is. “Is it the right tool for the job?”

Comments (1)

October 20, 2009

10 things you should know about moving from Windows XP to Windows 7

Filed under: Internet, Microsoft, Networks, Security Focus, Software, Technology, Windows Stuff, Windows Vista — paragon @ 4:31 pm

10 things you should know about moving from:

Windows XP to Windows 7

Greg Shultz

September 4, 2009

If you skipped Windows Vista and stuck with Windows XP, chances are good that you are now seriously considering moving to Windows 7 after it’s released on October 22. If so, there is much for you to do. Not only should you begin planning for your operating system migration, but you should begin learning as much as you can about Windows 7. Here are 10 things you can do to get ready for the switch.

1: Check your hardware

Windows 7 was designed to be lean in terms of hardware, so that it will be able to function satisfactorily on sub-powered netbooks. If you’re running Windows XP on a computer manufactured within the last three or four years, chances are good that Windows 7 will run fine on your system. However, you can make sure that your hardware is compatible by running Microsoft’s Windows 7 Upgrade Advisor.

The Windows 7 Upgrade Advisor will perform a detailed scan of your entire system, checking hardware, programs, and peripheral devices. Once the scan is complete, the Upgrade Advisor will display a report telling you whether your system meets the hardware requirements and idenfying are any known compatibility issues with your programs and devices. If it finds problems, the Upgrade Advisor will provide suggestions you can use to better analyze your upgrade options to Windows 7.

You can download the Windows 7 Upgrade Advisor from the Microsoft Download Center. At the time of this writing, this tool is listed as being a Beta version. However, running it now will give you a good idea of what you will be facing as you prepare for your upgrade.

If you’re planning a much bigger Windows XP to Windows 7 migration, you’ll want to investigate the Microsoft Assessment and Planning Toolkit. This free toolkit, which runs across the network without having to install software on client systems, will allow you to investigate systems and compile reports on hardware and device compatibility.

2: Understand the Custom Install

If you’re running Windows XP on your computer and you want to use Windows 7 on that same computer, you’ll purchase an Upgrade license package of Windows 7. However, you won’t be able to perform an in-place upgrade. In other words, you won’t be able to upgrade to Windows 7 on top of XP and keep all your applications and settings “in place.” Instead, you’ll have to perform a Custom Install, which Microsoft describes as follows:

A custom (clean) installation gives you the option to either completely replace your current operating system or install Windows on a specific drive or partition that you select. You can also perform a custom installation if your computer does not have an operating system, or if you want to set up a multiboot system on your computer.

When you completely replace Windows XP, the installation procedure will not totally obliterate it. In fact, the installation procedure will create a folder on the hard disk called Windows.old and will place the Windows, Documents And Settings, and Program Files folders from your Windows XP installation in it. Your data files will be safe and accessible, but your applications will not be viable. (Even though the Custom Install saves your data in the Windows.old folder, you will want to have a separate backup on hand just in case!)

Regardless of whether you choose to completely replace Windows XP or set up a multiboot system, you are going to have to back up and transfer all of your data, reinstall all of your applications, and reconfigure all of your settings.

3: Consider a setting up a multiboot configuration

When pondering a Custom Install, you should consider setting up a multiboot configuration. That will place both Windows XP and Windows 7 at your disposal, which will be a big advantage as you begin migrating your settings, documents, and applications. More specifically, you can boot into Windows XP to check out how something is set up and then boot into Windows 7 to re-create the same configuration. Once you have everything in Windows 7 exactly the way you had it in Windows XP, you can remove the multiboot configuration set Windows 7 as the primary OS and then remove Windows XP.

To be able to perform this type of switch, both XP and 7 must be installed on the same hard disk but on separate partitions. (If you install Windows 7 on a second hard disk, the boot partition will exist on the first hard disk, so you won’t be able to remove that drive once you’re ready to get rid of XP.) As a result, you’ll need to repartition your hard disk to make room for Windows 7. To repartition your hard disk without destroying data, you can take advantage of partition management software, such as Norton PartitionMagic 8.0, which retails for about $70, or Easeus Partition Manager Home Edition 4.0.1, which is available for free and earned a 4.5 star rating in a recent CNET editors’ review.

4: Plan your backup and restore strategy

Before you move from one operating system to another, you’ll want to back up all your data – at least once and maybe twice, just in case. While it may sound like overkill, having an extra backup will give you peace of mind.

If you’re using a third-party backup program, you will need to check the manufacturer’s Web site to see whether the program will be upgraded to work in Windows 7. If you aren’t using a third-party backup program, you’re probably using Windows XP’s native Backup Utility. As you may have heard, the file format used for this tool isn’t compatible with Windows Vista’s Backup And Restore Center. To provide for that, Microsoft released a special version of the XP Backup Utility, called the Windows NT Backup – Restore Utility. It’s designed specifically for restoring backups made on Windows XP to computers running Windows Vista. While I was unable to get official confirmation, it is a safe bet that this special version will work in Windows 7 or will be adapted to do so.

If you aren’t willing to take that bet or you are not sure whether your third-party backup program will be upgraded to work in Windows 7, you can simply make copies of all your data files on CD/DVD or on an external hard disk.

5: Plan your data transfer strategy

To move from one operating system to another, you’ll probably want to use a transfer program that will scan your XP system, pull out all your data and settings, and then transfer them to Windows 7. Fortunately, the Windows 7 Easy Transfer utility can provide this service for you. However, before you perform this transfer operation, it will be in your best interest to have a separate back up copy of your data (see #4).

The new operating system will come with two copies of the Windows 7 Easy Transfer. One copy will be on the DVD and the other will be installed with the operating system. Before you install Windows 7, you will run Windows 7 Easy Transfer from the DVD and back up all your files and settings. Then, once you have Windows 7 installed, you’ll use it to move all your files and settings to the new operating system. You can learn more about the Windows 7 Easy Transfer by reading the article Step-by-Step: Windows 7 Upgrade and Migration on the Microsoft TechNet site.

6: Inventory your applications and gather your CDs

Since you won’t be able to perform an in-place upgrade when you move from Windows XP to Windows 7, you’ll have to reinstall all your applications that passed the Windows 7 Upgrade Advisor compatibility tests (see #1). It will be helpful to have an inventory of all the installed applications so that you can track down all your CDs or compile a list of Web sites for those applications you downloaded.

While the report generated by the Upgrade Advisor will be helpful as you create an inventory, it won’t be comprehensive. To create a detailed inventory, you can use something like the Belarc Advisor. For more details, see the article Gather detailed system information with Belarc Advisor.

7: Become familiar with the new UI

The UI in Windows 7 is quite different from the UI in Windows XP, and it offers a lot of new features. As a result, you may encounter what I call “UI Shock.” You’ll know what you want to do, but you’ll experience a momentary lapse of composure as you strive to adapt what you know about XP’s UI to what you’re seeing and experiencing in Windows 7.

To ease the level of UI shock, you’ll want to become as familiar as possible with the features of the new Windows 7 UI. One starting point is Microsoft’s Windows 7 page. While a lot of the content here is essentially marketing related, it will give you a good idea of what to look for when you actually move into the Windows 7 operating system.

To help you get right to the good stuff, check out:

The Windows 7 features section, where you’ll find a host of short videos and descriptions.
The Windows 7 Help & How-to section, where you’ll find a whole slew of step-by-step articles that show you how get around in Windows 7. Be sure to check out the section on installing Windows.

You’ll also find useful information on the Windows Training Portal on the Microsoft Learning site. Be sure to check out:

The Windows 7 Learning Snacks, which are short, interactive presentations. Each Snack is delivered via animations and recorded demos using Microsoft Silverlight.
The Microsoft Press sample chapters from upcoming Windows 7 books. Viewing the free chapters requires registration, but it is a short procedure. Once you’re registered, you can access sample chapters from Windows 7 Inside Out, Windows 7 Resource Kit, Windows 7 Step by Step, and Windows 7 for Developers.

8: Check for XP Mode support

If you discover that some of the applications you’re currently running in Windows XP are not compatible with Windows 7 (see #1) or you just want to keep Windows XP accessible, don’t forget about Windows XP Mode. This virtual environment includes a free, fully licensed, ready-to-run copy of Windows XP with SP3 that runs under Windows Virtual PC in Windows 7.

As you consider the Windows XP Mode, keep these things in mind:

Windows XP Mode is available only in Windows 7 Professional, Enterprise, and Ultimate editions.
Your computer must support processor-based virtualization.

You can learn more about Windows XP Mode from the following TechRepublic resoruces:

9: Ask questions

You aren’t the only one making the move from Windows XP to Windows 7, so ask questions and share information you pick up along the way. Of course, you can use the TechRepublic discussion forums. But you should cast a wider net.

One good place to connect with Microsoft experts is the Getting Ready for Windows 7 section of the Microsoft Answers site. Another good place is in the Windows 7 forums in the Windows Client TechCenter on the Microsoft TechNet site.

10: Subscribe to the Windows Vista and Windows 7 Report

TechRepublic’s free Windows Vista and Windows 7 Report newsletter, which is delivered every Friday, offers tips, news, and scuttlebutt on Windows 7. As we count down to October 22, the day that Windows 7 is to be released to the general public, we will be covering topics of interest to Windows XP users in more detail. You can sign up on the TechRepublic newsletters page.

Comment on this article: TechRepublic blog.

Leave a Comment

October 11, 2009

Slash notation for subnet masks quick reference

Filed under: Uncategorized — paragon @ 10:37 pm

One thing I can never remember quickly is slash notation, it is not difficult but I just can’t seem to remember it quickly! So here is a quick reference guide. In slash notation, a single number indicates how many bits of the IP address identify the network the host is on. A netmask of 255.255.255.0 has a netmask of 8 + 8 + 8 = 24.

For example, writing 192.168.42.23/24 is the same as specifying an IP address of 192.168.42.23 with a corresponding netmask of 255.255.255.0. Often you have to enter the netmask as slash notation, an easy task with the usual 255.255.255.0. However if your network doesn’t have 255 hosts, for example only 8 hosts, then the netmask will be 255.255.255.248.

The following table lists the variable length subnets from 1 to 32, the CIDR [3] representation form (/xx) and the Decmial equivalents. (M = Million, K=Thousand, A,B,C= traditional class values)

Conversion table here:

http://www.mattwaddell.com/2008/08/26/slash-notation-for-subnet-masks-quick-reference/

Leave a Comment

Older Posts »