Monday, 31 October 2005

Jivin' for Jabber

Turns out there are a few things to keep in mind when setting up an XMPP (Jabber) server. I had to change the domain name a couple of times and add a couple of service records, but the system is now up and running in a standard open-federation configuration. Users on Siona can use their system login for user@dl.nibble.bz and then *poof* that's it. We can message each other and message users of other XMPP servers. Server-to-server access in Jive can be configured either by white-list or black-list, so I'm just running ours open for now.

And Google developers have said they will join the open federation as soon as possible. One of the sticking points they want to address is control over spammers and bots, who could register on any server in the community that allows public registration and then spam the crap out of the Google Talk users. Which is a fair concern, but we're all eagerly awaiting Google's move to the open federation.

I've been spending more time working with Tocaraul as a front-end for the Icecast server I'm running from home. All the good Ogg encodings are in the library, for a whopping total of 2377 songs. Tocaraul is a couple of Python scripts to handle song requests from a web interface. Basically, I'm learning Python :P It's pretty handy stuff. For info on Tocaraul progress, take a look at the WebSVN page; there's both a change log and a TODO for upcoming features.

Friday, 21 October 2005

Things are Looking up in the Directory

Siona is now running a live LDAP directory and so far it is going pretty well. System authentication is all directory based. Logins and sessions and all that good fun. I configured a Jabber server (Jive Messenger) to auth users against the directory and it works swell! Any system user can log in with their system account on the Jabber server and IM and that fun stuff.

I plan to migrate Samba next, which is not a very big impact but would be good to get into the central user directory. Dovecot for IMAP and POP authentication after that. Postfix eventually as well, which will be interesting. With Postfix, that will affect how mail is routed, possibly making it easier to set up virtual domains or whatever. I think that about covers the auth stuff that's offered.

That Jabber server is a little special. I'll have to get some of the peeps using it so we can try to test some of the features. Just basic stuff like authorizing users and setting up or joining chat rooms. So far it seems a little sketchy. There are also some other handy features of the server, like a searchable directory. I don't know how that will work out. I just know that I don't know how to get my IM client to even use that feature :P

At any rate, the LDAP works really great and, after a bit of a rough start out of the gate, it is really going to be useful as heck. This Jabber we will have to see, but it seems promising.

Sunday, 16 October 2005

Auth This...

Well, I'm finally going to try to get a working LDAP server up and running on Siona. There are so many services that would just work better with a working directory, I gots to put one in. I'm still struggling with bootstrapping the whole operation. I've read some stuff, looked for some tools, but basically unless it's part of a big enterprise package, it's a little, uh, heavy for most operations.

But basically I would be able to run everything through it. Users could save their contact lists online. Login info could come from the directory for any number of services including system logins, Samba, Jabber, email, the works! It's all patched together right now with a crude mix of PAM, maintenance scripts, and just plain not working. The only common service that I have been able to find is LDAP. PAM is really promising, but a bunch of services, like Samba, do a challenge type auth, so the passwords have to be decryptable rather than a straight hash.
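The distinction above (a straight one-way hash versus a secret the server must hold in usable form) is the part that bites when you put everything in one directory, so here is an added example in Python that is not from this blog, Samba, or any LDAP tool. It contrasts a salted, one-way password verifier (works only because the client sends the password itself) with a generic HMAC challenge/response scheme, where the directory has to store a "password equivalent" that the client can also derive. SHA-256 and HMAC are stand-ins chosen for the example, not the actual Samba/NTLM algorithms; the point it demonstrates is that whoever can read the challenge/response secret from the directory can answer challenges without ever knowing the password, so that attribute needs the same protection as the password.

```python
import hashlib
import hmac
import os
import secrets

# ---- Scheme 1: salted one-way hash (what a plain login prompt can use) ----
PBKDF2_ROUNDS = 100_000


def store_salted(password: str) -> dict:
    """Directory record for a one-way verifier: random salt + PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify_salted(record: dict, password_from_client: str) -> bool:
    """The server can only verify because the client handed over the plaintext."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password_from_client.encode(), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, record["digest"])


# ---- Scheme 2: challenge/response (what a Samba-style exchange needs) ----
def password_equivalent(password: str) -> bytes:
    """Unsalted, fixed transform that both client and server can compute.
    Stand-in for the stored secret; this value is as sensitive as the password."""
    return hashlib.sha256(password.encode()).digest()


def new_challenge() -> bytes:
    """Server-side nonce sent to the client for this login attempt."""
    return secrets.token_bytes(16)


def client_response(password: str, challenge: bytes) -> bytes:
    """Client proves knowledge of the password without sending it."""
    return hmac.new(password_equivalent(password), challenge, "sha256").digest()


def response_from_stored_secret(stored_equivalent: bytes, challenge: bytes) -> bytes:
    """Anyone holding the stored secret can produce the same response: this is
    exactly why the directory attribute must be treated as a credential."""
    return hmac.new(stored_equivalent, challenge, "sha256").digest()


def server_verify_challenge(stored_equivalent: bytes, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the expected response from its stored secret."""
    expected = response_from_stored_secret(stored_equivalent, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    rec = store_salted(pw)
    print("salted verify, right password:", verify_salted(rec, pw))
    print("salted verify, wrong password:", verify_salted(rec, "guess"))

    stored = password_equivalent(pw)
    ch = new_challenge()
    print("challenge/response, real client:",
          server_verify_challenge(stored, ch, client_response(pw, ch)))
    print("challenge/response, from leaked directory value alone:",
          server_verify_challenge(stored, ch, response_from_stored_secret(stored, ch)))
```

Note that a leaked salted record only helps an attacker if they can brute-force it offline, whereas a leaked challenge/response secret is immediately usable as a pass-the-secret credential; that is the practical consequence of "decryptable rather than a straight hash" when you decide which directory attributes get which ACLs.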

And all-in-all, setting up LDAP as a n00b is really confusing. I just hope this all works out in the end and we'll have world peace and a fair distribution of wealth.

Wednesday, 7 September 2005

Computers are glorified paperweights.

A handful of changes at skyhook. I finally dumped Ubuntu off Friday in favour of Debian. Basically, being able to run a functional 64b environment was really cool. All the FOSS stuff ran great. Just really amazing. The one hang-up I had was that you can't load 32b plugins from 64b applications. So generally, most things worked but a couple of things I usually like to use didn't. So push came to shove and it turns out I'm not a good early-adopter, so I went back to 32b land. Still, I was really happy with the system for the 3/4 months I ran in 64b GNU/Linux. But now it's back to 32b for me.

During all the excitement, the Windows XP took a dump. That piece of crap was a pain in the ass from the moment I tried to install it until the moment of its demise about a month later. Our best guess is that one of our guests used IE or some other MS program and got a virus. The virus just sat there eating system resources quietly for a while until I installed Debian. During that time, I swapped network cards. When the card was pulled, the virus crashed and took the system with it. In summary: fuck Windows.

Now Debian, on the other hand, is a real treat.

apt-get install gnome fluxbox xserver-xfree86

Need I say more?

There are a couple of cool tricks that I taught the box, specifically GDM. So it turns out that "fast user switching" is the name for allowing multiple users to log in and swap use of the workstation without closing their programs. With GDM, you just run gdmflexiserver (or click "New Login" under GNOME) and it will prompt you. The trick there is that all this spawning and quitting of X servers makes GDM a little flaky, so I added it to inittab, from which it can respawn if it ever crashes. Works like a charm.

The other fun thing was that I added a user called "kiosk" which will log in automatically if nobody else does after 60 seconds. Handy for letting house guests use the computer and not get the computer infected with a virus (I'm talking about you, Windows).

And for the last trick, I kicked the UW POP and IMAP servers off Siona in favour of Dovecot. Dovecot, I must admit, is pretty cool. The migration itself was a little tricky. Various file permission issues, plus POP clients might have all gotten duplicate messages. All-in-all, the Dovecot stuff is more manageable and more extensible than the basic UW packages. The other nice thing too was that it was trivial to tell Dovecot to run IMAPS and POP3S alone, and so now we only run encrypted services for mail on Siona. Pretty neat!

Thursday, 21 July 2005

Needs RAM!

Well, it's been 5 weeks since putting in the new video card in Friday and nothing is blown. I declare this system finally fucking fixed! Goddammit, it had better stay fixed for a long time.

Now it's time to give Chevette some upgrades. Working display is a must. Probably just a messed-up latch so that should be fine. If that works out, then I'll get that fixed and dump some more RAM in her. As much as she can take. Well, I'll aim for a half gig but even 256MB would be a passable upgrade. We shall see.

Saturday, 9 July 2005

Tweaks and Filters

Been poking at Friday this week. I was getting a USB extension cord for work so I picked up one that glows red and hooked that up to Friday. It's sweet! And then the old plain one went to work. I also poked at GDM until I figured out how to change the login screen for Friday. My login screen now proudly displays the MDM flag! Heh, it's nice.

The other thing I dug up was firewall rules to block those stupid SSH dictionary attacks that keep flying around. Basically, a compromised host on the Internet attempts to log in via SSH using a large number of common user names and presumably either no password or some guessable password (like "password"). If you check your logs you'll find that the attacks come in a big burst, generally all within 5-10 seconds.

So it turns out that the simple way to deal with this in a fairly effective manner is to rate-limit the number of new SSH connections accepted by the host with iptables. The rate-limiting allows a minimal number of malicious login attempts and also has a minimal likelihood that it can be used for a DoS attack. The rules I use allow a burst of 5 (the default) and then a maximum rate of 10 logins per minute. The effect is that the attacker gets 5 login attempts, then the rest get dropped until 6 seconds have elapsed, and then the attacker gets 1 more login attempt every 6 seconds. During this time, a legitimate user may get rejected, but they just have to wait a minute and things will be back to normal.

-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/min -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
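To see exactly what those two rules do over time, here is an added Python model of the iptables `limit` match as a token bucket (this is my own illustration, not netfilter's code and not part of the original post): the bucket starts full at `--limit-burst` tokens (default 5), refills at `--limit` (10/min, i.e. one token every 6 seconds) up to that cap, and a SYN is ACCEPTed only when a whole token is available; rejected SYNs consume nothing. The timeline is constructed: 30 SYNs from an attacker in 6 seconds, two follow-ups at 6 s and 12 s, and a legitimate user who tries once during the burst and once a minute later. One caveat the model makes visible: `limit` counts all sources together, so the attacker's burst empties the bucket for the legitimate user too (per-source limiting would need the `recent` or `hashlimit` match instead).

```python
from fractions import Fraction


class LimitMatch:
    """Token-bucket model of the iptables 'limit' match (constructed for this
    example, not the kernel implementation). Exact arithmetic via Fraction so
    the 'one token every 6 seconds' refill lands on the boundary precisely."""

    def __init__(self, rate_per_min, burst=5):
        self.rate_per_min = Fraction(rate_per_min)   # --limit 10/min
        self.burst = Fraction(burst)                 # --limit-burst (default 5)
        self.tokens = self.burst                     # bucket starts full
        self.last = Fraction(0)

    def allow(self, now) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        now = Fraction(now)
        refill = (now - self.last) * self.rate_per_min / 60
        self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True        # packet matches -> ACCEPT rule fires
        return False           # no token -> falls through to the REJECT rule


def sample_events():
    """Constructed timeline of SYNs to port 22 as (seconds, source) tuples."""
    events = [(Fraction(k, 5), "attacker") for k in range(30)]  # 0.0 .. 5.8 s
    events += [(Fraction(6), "attacker"), (Fraction(12), "attacker")]
    events += [(Fraction(3), "legit"), (Fraction(66), "legit")]
    return sorted(events)


def simulate(events, rate_per_min=10, burst=5):
    """Run every SYN through one shared limit match in time order.
    Returns ({source: (accepted, rejected)}, [(t, source, verdict), ...])."""
    bucket = LimitMatch(rate_per_min, burst)
    tally = {}
    log = []
    for t, src in events:
        accepted = bucket.allow(t)
        a, r = tally.get(src, (0, 0))
        tally[src] = (a + 1, r) if accepted else (a, r + 1)
        log.append((float(t), src, "ACCEPT" if accepted else "REJECT"))
    return tally, log


def accepted_times(log, src):
    """Seconds at which a given source's SYNs were accepted."""
    return [t for t, s, v in log if s == src and v == "ACCEPT"]


if __name__ == "__main__":
    tally, log = simulate(sample_events())
    for t, src, verdict in log:
        print(f"{t:6.1f}s  {src:8s}  {verdict}")
    print("tally:", tally)
    print("attacker accepted at:", accepted_times(log, "attacker"))
```

With the post's parameters the attacker gets the first 5 SYNs through, nothing more until the 6-second mark, then one every 6 seconds; the legitimate user's attempt during the burst is rejected and the retry a minute later goes through, which is the behaviour the paragraph above describes.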


I've been using the above rules on both Siona and Nikita for a week or so now and they've been very effective at mitigating those attacks. It's NICE!

Sunday, 3 July 2005

Mmm Mac!

Heh, I gots to twiddle with some peeps' Macs on the weekend. An iBook and an iMac (14" w/ G4 and 17" w/ G5 respectively). They were cool. From the iBook, we played around with the neighbour's wireless router settings. The thing didn't have a password, so we were just trying different channels and stuff to see if we could get a better signal. Not a lot of luck though. Seems that channel 6 was no less noisy than the others. Oh well, them's the breaks. Now I just need a wireless doodad for Friday...
