Category Archives: Server/Webserver

Accessing Django Template Variables in Javascript

How do we follow the Django DRY principle and avoid as many hard coded elements as possible in our project when we need to include Javascript? A good example of this is if we are pulling in a bookmarklet that will be offered on the site. We need to reference the domain of our project in the bookmarklet, but this then yields code buried in our project’s static files that needs to be altered by anyone that might be utilizing your open sourced code.

This example presents a little bit of a challenge. If this were HTML in our template we could simply reference a DOMAIN variable that we would feed in through a view. However, this is a static Javascript file, so how do we go about utilizing Django template variables in supposedly static Javascript?

Here is a simple method. In our HTML template, we will setup a Javascript global variable that is created to reference a template variable that we feed in from our view, here a domain, and this variable is then referenced in our static Javascript files.

<!-- Our HTML Template (templates/index.html) that is fed data from views.py -->
{% extends "base.html" %}
{% block content %}

<script type="text/javascript" src="/static/somejs.js"></script>

<script> 
var DOMAIN = "{{ site_domain }}";
</script>

<!-- rest of our template, business as usual. -->
{% endblock %}

As you can see, we would feed in a site_domain variable from views.py that might be created something like this.

from django.contrib.sites.models import Site
from django.shortcuts import render_to_response

def index(request):
    '''Our main index view.'''
    site_domain = smart_str(Site.objects.get_current().domain)
    # more of our view code...
    
    return render_to_response('templates/index.html', {
	'site_domain': site_domain,
        #...rest of our template vars
    })

Now, how do we use this in our static Javascript? We reference that global Javascript variable we declared in our template using our Django template variable site_domain.

// Our Javascript file ... /static/somejs.js 
alert("Your current domain is: "+DOMAIN);

Now our code is much more portable, even in places where things should essentially be static.

Analyzing Brute Force Attempts in BASH

If you have a public facing SSH server running on the standard port, your message log is probably filled with failed authentication attempts from brute force attacks. Let’s mash up some quick BASH commands to analyze this data. For our purposes, we’ll look at the top attacker IPs and the top usernames tried.

First, pull down all of your message files and decompress them in a working directory using bunzip2.

Once you have all your message logs ready, we will search through them and pull out all of the authentication failure entries and grab the IP and username for each attempt.

grep -r "authentication error" messages* | awk '{split($0,a," "); print a[NF],a[NF-2]}' > attempts

So we first use grep to look for failed authentications by searching recursively for the string “authentication error” in all of our message logs by using the wildcard. We then pipe this to awk and split each input line found into an array delimited by a whitespace. The last part of each line, and therefore our new array, goes something like: ‘authentication error for USERNAME from IP’. So to get the username and IP from our array we can use the array length variable NF and use that to index the variables we need. Here we grab the last using a[NF] and two in from that with a[NF-2]. Finally, we output this to a file called attempts.

Now, let’s use more BASH magic to do the analyses for us. Our attempts file now is in the format as follows: IP USERNAME. We want to see the top IPs and usernames and we can do that with some sorting commands.

cut -d ' ' -f2 attempts | sort | uniq -c | sort -nr > attempts_username
cut -d ' ' -f1 attempts | sort | uniq -c | sort -nr > attempts_ip

Here, we simply grab either the username in the second column or the IP in the first with cut, sort this data, prepend lines with the number of occurrences of each, and then sort by this occurrence number and output to a new file. You can now view attempts_username and attempts_ip to see the top usernames and IPs, respectively, of brute force attacks.

Lastly, we can associate the keep usernames and IPs together and sort on one or the other to see the correlation between the two. To end our initial analyses, we will sort on usernames and find out for the top attempted usernames, what are the top originating IPs.

 sort -k 2,2 attempts| uniq -c | sort -nr | head -n 10

Next time we will be using some GEOIP methods to see where our top attack attempts are originating.

Stumpy v1.4 – Grab it now!

Stumpy has been updated to v1.4.

UPDATE: v1.4 and prior has a bug in short url lookups. v1.4.1 fixes this bug and should used over previous versions. See post here.

There are several fixes here which I will simple highlight as being numerous production setting bug fixes as well as a few visual updates and tweaks. Rolling Stumpy from Django debug mode to a production version run by way of fastcgi revealed a few bugs relating to redirects and submissions running into some problems with WSGI. These have been addressed in the latest set of commits and checking out version 1.4 from the GitHub page should give you something ready to roll non-development setting.

You can get this release here: https://github.com/mutaku/Stumpy/tree/v1.4

In this image you can see the main interface of Stumpy that is presented when you visit the root of your install. A bookmarklet button can be found at the top followed by some basic statistics as well as the most recent stumps and those that have been most utilized.

Stumpy main page

The following image shows part of the admin section for registered users that have been granted permission to access the stump section. This allows for viewing of all the details from the stump model, submission of a URL right through the interface, as well as sorting and viewing URLs through advanced filters or search. Remember, to submit a URL you must be logged into Stumpy as a registered user. You can add users through the root admin interface (not pictured).

Stumpy admin interface - stumps view

I have included a sample Lighttpd stanza in the readme file that can help you setup your webserver to point to Stumpy. Simply edit this file to match your paths and make sure your webserver can run the fcgi script as well as access the socket paths setup in the stanza. You can then change your local_settings debug value to False. Just remember that any changes to files after the server has started won’t take effect until you have either restarted your webserver or the fcgi script. You will also need to have Flup installed  for Django to use fastcgi. Lastly, make sure you have setup your FQDN in the sites section of the admin interface to ensure that links are displayed appropriately as several things use the domain read in from this value.

Stumpy is Now Available!

Stumpy has gone v1.0 and is now available on Github. The project is a URL shortener that I originally wrote in Python and have recently rebuilt from scratch to use the Django Python web framework. Now that I’ve reached what I felt was 1.0 functional code, I’ve moved the repository to the Github public section and is available under a BSD license.

Stumpy goes open source on Github

In brief, I have sucked in the first parts of the README.textile file you can find in the repository which should do most of the explaining as to the what and why. The full file contains instructions on setting everything up and how to get testing it out. If you should have any questions, please feel free to contact me. However, I’ve tried to keep the README as clear as possible to be able to drop into a Django environment and the code should be pretty self explanatory.

STUMPy

Mutaku URL Shortener

WHAT IS STUMPY?

STUMPy is a URL shortener written by xiao_haozi (Mutaku) using the django python web framework.

WHY STUMPY?

There are many url shorteners out there, and STUMPy does not do anything groundbreaking.
However, there are several benefits that encouraged it’s development:

  • you keep all the data and can access it at your will
  • you keep all the code and can access/change it at your will
  • simple to use, simple to run, and simple code
  • because of it’s simplicity, it is easy to understand how url shorteners work and some of the possible optimizations
  • uses the django framework which allows for easy expansion, management, and tweaking
  • django also allows for a nice web UI for administration of all of the data

REQUIREMENTS:

Everything is still in active development, so feel free to watch the repository to keep up with it’s evolution on Github. I will soon have the active Mutaku version of Stumpy up and running which I will post as soon as it’s up so that you can see the code in action.

Head over to the home at Github and clone or fork the source and have at it. Please be sure to add any comments or problems to the issues page on Github and feel free to send in pull requests if you’ve added any fun, interesting, or helpful code.

Better Python Redirect

Not too long ago, I showed you how to do a simple redirect with Javascript. This works, of course, but it’s far from ideal.

So let’s do it a more correct way.
You ask, “How do we do that and still keep it a hack <scratching head>?”
We will set the Location and Status headers. And to keep things rebellious, we will be using python.

#!/usr/bin/env python
import cgi
url = "http://example.com/"
print "Status: 302 Moved"
print "Location: %s" % url
print

** Note that, as always when doing CGI with Python, we need to have an alone print statement after our header writes. Haven’t seen this before? Here is the same concept, but this time instead of doing a redirect we can see Python CGI in action simply printing out “Hello, world.” :

#!/usr/bin/env python
import cgi
print "Content-type: text/html"
print
print "Hello, world."

That’s it. It’s much more proper, and it’s noticeably faster. Try it both ways and you’ll see.

Don’t have your webserver setup for Python? What are you waiting for? Do yourself a favor and install Lighttpd, configure out fastcgi, and get cranking in Python.

Simple Javascript Redirect

Need a quick redirect for a page? A simple Javascript location set can get the job done just fine.

Let’s redirect mutaku.com/github to go to the Mutaku GitHub Page. All we need to do is create an index.html file with the following in our subdirectory of choice (here we would have it residing at mutaku.com/github/index.html).

<script type="text/javascript">
   window.location = "https://github.com/mutaku"
</script>

Now, as you would expect, if you visit mutaku.com/github you will be redirected to the GitHub page.