1&1 VNC Remote Console Java Security Issue

Java has consistently been updating its security to reduce its potential for spreading malware. Good news! Unfortunately, older online Java apps will sometimes break to the point of being unusable. One of those apps is the VNC Console for the 1&1 Dynamic Cloud servers. I found this article that explained how to add a line into the policy file to allow the IP that is getting blocked. Here is the article:

https://community.rackspace.com/general/f/34/t/4951

I had to add this code:


permission java.net.SocketPermission "74.208.2.19:993", "connect, accept";

to this file on OS X (Windows has a similar file in JAVAHOME somewhere):

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.policy

You can add additional lines to this file for any legacy app you encounter.

The error I was getting in the java console when I had this issue was:

"Network Error: access denied ("java.net.SocketPermission" "74.208.2.19:993" "connect,resolve")
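
An added example, not part of the original post: lines added to java.policy accumulate, and an entry inside a bare grant { } block applies to all code, so this shell function lists every SocketPermission in a policy file together with the scope of its grant. The sample policy text, the console.example.test codeBase and the 192.0.2.10 address are constructed, and the parser assumes each grant header fits on one line.

```shell
#!/bin/sh
# Constructed sample policy content (not the author's actual file).
sample_policy() {
cat <<'EOF'
// default grant: applies to all code
grant {
    permission java.util.PropertyPermission "java.version", "read";
    permission java.net.SocketPermission "74.208.2.19:993", "connect, accept";
};
grant codeBase "https://console.example.test/-" {
    permission java.net.SocketPermission "192.0.2.10:5900", "connect";
};
EOF
}

# Reads a policy file on stdin and prints "<scope> <target> <actions>"
# for every SocketPermission entry. Scope is:
#   ALLCODE     grant block with no codeBase, signedBy or principal
#   <URL>       the codeBase the grant is limited to
#   RESTRICTED  limited by signedBy or principal only
list_socket_grants() {
  awk '
    /^[ \t]*\/\// { next }
    /^[ \t]*grant/ {
      scope = "ALLCODE"
      if (match($0, /codeBase[ \t]+"[^"]*"/)) {
        scope = substr($0, RSTART, RLENGTH)
        sub(/^codeBase[ \t]+"/, "", scope)
        sub(/"$/, "", scope)
      } else if ($0 ~ /signedBy|principal/) {
        scope = "RESTRICTED"
      }
      next
    }
    /permission[ \t]+java\.net\.SocketPermission/ {
      split($0, q, "\"")
      acts = q[4]
      gsub(/[ \t]/, "", acts)
      print scope, q[2], acts
    }'
}

sample_policy | list_socket_grants
```

Entries reported as ALLCODE are the ones to review first, because every applet the plug-in loads receives them.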

As always have fun!

Adding PECL Uploadprogress to 1&1 shared hosting for Drupal 7 (updated)

Drupal 7.x is the platform we use to build great websites. There are modules that can update a progress meter while a file is uploading. This requires installing a PECL extension to PHP called uploadprogress. Here is the process I used to get it working on a 1and1.com hosting package. You will need a hosting package with ssh support; currently the Business and Developer packages have it.

  • Download PECL uploadprogress to your 1&1 account
  • Extract the package
    tar xvzf uploadprogress-1.0.3.1.tgz
  • Go into the directory
    cd uploadprogress-1.0.3.1
  • Run phpize5.5
    phpize5.5
  • Change php-config to php-config5.5 in configure script
    sed -i 's/=php-config/=php-config5.5/g' configure
  • Run Configure
    ./configure
  • Change include directives in Makefile
    sed -i 's#-I/usr/include/php#-I/usr/include/php5.5#g' Makefile
  • Run make and make test
    make
    make test
  • Make new extensions folder for new extension to go in
    mkdir ~/extensions
  • Copy uploadprogress extension to new folder
    cp .libs/uploadprogress.so ~/extensions/
  • Create a new php.ini under your main folder (or under a single subfolder for just that application) to set the new extension_dir, then add this code to the file
    extension_dir=/kunden/homepages/6/d87663654/htdocs/extensions/
    extension=uploadprogress.so

That should be it. You should now be able to see the “Upload progress Enabled (PECL uploadprogress)” on the admin/reports/status page in Drupal.

Links that helped me with the above info:

This is an update from the original Drupal 6 article. (http://jheslop.com/2009/05/27/adding-pecl-uploadprogress-to-11-shared-hosting-for-drupal-filefield/) Just thought I would pass along as it was a little different than the previous article.

Drush on 1and1 Shared Hosting php cgi

I’ve had to search for setting this up so many times I figure I should write my own howto on setting up drush on 1and1 hosting packages. Because 1and1 only has php-cgi and not php-cli we will have to force the drush.php file to behave differently.

NOTE: This only works on 1and1 packages with ssh.

Adding pdftk to 1and1 shared hosting

UPDATE 2010-09-03: I updated a couple links to reflect newer downloads. Because 1and1 shared hosting is on an older debian (etch) system I had to tweak the steps for using lenny based packages. ENJOY!

There are some cases where you might need a powerful pdf toolkit to use with php. 1and1 does not come with any built in pdf processors or pdf libraries built into php. Here is the process I used to integrate pdftk into my 1and1 shared hosting account.

Requirements: 1and1 shared plan that has ssh support

– Download pdftk deb file for debian lenny:

wget http://ftp.us.debian.org/debian/pool/main/p/pdftk/pdftk_1.41-3_i386.deb

– Extract the pdftk deb file:

ar xv pdftk_1.41-3_i386.deb

– Extract the data.tar.gz file:

tar xvzf data.tar.gz

– Download libgcj deb file for debian lenny:

wget http://ftp.us.debian.org/debian/pool/main/g/gcj-4.2/libgcj8-1_4.2.4-4_i386.deb

– Extract the libgcj deb file:

ar xv libgcj8-1_4.2.4-4_i386.deb

– Extract the data.tar.gz file:

tar xvzf data.tar.gz

– Download libstdc++ deb file for debian lenny (backport file http://packages.debian.org/lenny-backports/i386/libstdc++6/download):

wget http://mirror.linux.org.au/backports.org/pool/main/g/gcc-4.3/libstdc++6_4.3.4-6~bpo50+1_i386.deb

– Extract the libstdc++6 deb file:

ar xv libstdc++6_4.3.4-6~bpo50+1_i386.deb

– Extract the data.tar.gz file:

tar xvzf data.tar.gz

– Create a script to link libgcj and libstdc++6 for pdftk (use nano or vi):

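#!/bin/bash

# Use the extracted libgcj and libstdc++6 libraries; "$@" keeps arguments with spaces intact
LD_LIBRARY_PATH="usr/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" usr/bin/pdftk "$@"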

– Chmod the pdftk script so it can run:

chmod 755 pdftk

Now you can run pdftk from your main directory and process files from php or cronjobs.

If you run into any problems try running the pdftk command with some test files. If you have any problems please leave a comment. Thanks!

1&1 tightens up Email spam rules

I use 1and1 for my personal and business websites as well as for our clients. We’ve had a client recently that was not receiving emails from one of their colleagues and of course the other company’s IT person said it was our problem. Having been an email administrator for many years I always like to look into the bounced back messages, smtp connection info, email headers, and more to track down a problem. This particular issue was perplexing because there were not many posts on the net about it. When someone was trying to send an email to a domain hosted at 1and1 it sent this error after the RCPT TO line:

421 invalid sender domain, possibly misconfigured

I tested at http://www.wormly.com/test_smtp_server (which is a great site btw) to test the error.

So I sent an email to 1and1 support to see if they could help. This was the very speedy response:

The circumstances you have just described is caused by a RFC-non-compliant configuration of the despatcher-domain. The MX-Server of the domain has no registered A-record, but merely a CNAME-record this is why the e-mail is rejected by our e-mail servers.

You can find some general information about this topic here:

http://www.faqs.org/rfcs/rfc2181.html

To provide the e-mail delivery as fast as possible again, we kindly advise you to inscribe the target domain of the CNAME-record as MX-record. For further information, please contact the provider of the despatcher-domain.

It looks like 1and1 is blocking any non-RFC-compliant domains. In the RFC above it says:

10.3. MX and NS records

The domain name used as the value of a NS resource record, or part of
the value of a MX resource record must not be an alias.

Additional section processing does not include CNAME records, let alone the address records that may be associated with the canonical name derived from the alias.

So if you are a DNS admin or set up DNS for clients, make sure the host names in the MX records for your domains are A records (they directly resolve to an IP), not CNAME records. So far I have had to email a couple of hosting companies related to this issue. I applaud 1and1 for locking down their email servers even more to thwart spam, but it would have been nice to have had a link or FAQ on their site explaining what was going on. Thus the reason for this lengthy blog post.
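
An added example, not from the original post: a shell function that reads DNS records and flags every MX host that is a CNAME instead of an A record, the condition 1and1 support described. All records are constructed (example.test, other.test and provider.test are made-up names) and follow the name/TTL/class/type/rdata layout of a zone file.

```shell
#!/bin/sh
# Constructed sample records in zone-file / dig answer layout:
#   name  TTL  class  type  rdata
sample_zone() {
cat <<'EOF'
example.test.         3600 IN MX    10 mail.example.test.
example.test.         3600 IN MX    20 backup.example.test.
mail.example.test.    3600 IN CNAME mailhost.provider.test.
backup.example.test.  3600 IN A     192.0.2.25
other.test.           3600 IN MX    10 ghost.other.test.
EOF
}

# Reads records on stdin, prints "<domain> <mx-host> <verdict>" per MX record:
#   OK      the MX host has an A/AAAA record
#   ALIAS   the MX host is a CNAME (the RFC 2181 section 10.3 violation)
#   NOADDR  no address record for the MX host in the supplied data
check_mx_targets() {
  awk '
    { name = tolower($1); rtype = toupper($4) }
    rtype == "MX"                   { n++; dom[n] = name; mx[n] = tolower($6) }
    rtype == "CNAME"                { alias[name] = 1 }
    rtype == "A" || rtype == "AAAA" { addr[name] = 1 }
    END {
      for (i = 1; i <= n; i++) {
        h = mx[i]
        if (h in alias) {
          v = "ALIAS"
        } else if (h in addr) {
          v = "OK"
        } else {
          v = "NOADDR"
        }
        print dom[i], h, v
      }
    }'
}

sample_zone | check_mx_targets
```

The answer lines printed by `dig +noall +answer` use the same five-column layout, so the MX lookup for a domain and the A lookups for its MX hosts can be concatenated and piped into check_mx_targets.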

Some other posts on the web about this issue:

Useful links to test out DNS and MX records: