Friday, 22 May 2009

Hardening a RHEL5 Box and the NSA

Hardening a server takes two general activities: Reducing the number of services that can be attacked and protecting any services that are still required.

There are a lot of discussions on how to do this for various operating systems including RedHat Linux. RedHat's Deployment Guide is a good resource.

The NSA also has documents on securing your operating system. However, they're a little hard to get. I tried searching for RHEL5 on their site and had some difficulty accessing the documents in the search results:

NSA Site Search for RHEL5

Now it's a little hard to access the documents on the NSA's E drive, but I was able to eventually find them by getting in another way ;) ;) ... Okay, I didn't break in to the NSA to get on their E drive, I found the page that actually has good links: NSA/CSS Operating Systems.

There's a longer document (about 170 pages) and also a short reference (2 pages) which gives lots of good things to secure.

There are a lot of other good resources Online as well, so I won't ramble further. Just turn off anything you don't need, update what you do need frequently, and secure your system with a firewall, and other security tools (PortSentry, fail2ban, DenyHosts, anti-virus software, rootkit detection, etc, etc, etc).

- Arch

Wednesday, 20 May 2009

Virtual Host Debugging

I just came across this obscure feature of apache2ctl / httpd:


# apache2ctl -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443 webmail.nibble.bz (/etc/apache2/sites-enabled/webmail.nibble.bz:3)
*:80 is a NameVirtualHost
default server alia.dl.nibble.bz (/etc/apache2/sites-enabled/000-default:2)
port 80 namevhost alia.dl.nibble.bz (/etc/apache2/sites-enabled/000-default:2)
port 80 namevhost blog.nibble.bz (/etc/apache2/sites-enabled/blog.nibble.bz:3)
port 80 namevhost www.nibble.bz (/etc/apache2/sites-enabled/blog.nibble.bz:17)
port 80 namevhost forums.thenibble.org (/etc/apache2/sites-enabled/forums.thenibble.org:2)
port 80 namevhost lists.thenibble.org (/etc/apache2/sites-enabled/lists.thenibble.org:10)
port 80 namevhost siona.nibble.bz (/etc/apache2/sites-enabled/siona.nibble.bz:1)
port 80 namevhost uro.mine.nu (/etc/apache2/sites-enabled/uro.mine.nu:2)
port 80 namevhost webmail.nibble.bz (/etc/apache2/sites-enabled/webmail.nibble.bz:51)
port 80 namevhost www.thenibble.org (/etc/apache2/sites-enabled/www.thenibble.org:3)
port 80 namevhost thenibble.org (/etc/apache2/sites-enabled/www.thenibble.org:15)
Syntax OK


"man apache2ctl" doesn't give the switch parameters but merely alludes to the presence of them:


SYNOPSIS
When acting in pass-through mode, apachectl can take all the arguments available for the httpd binary.

apachectl [ httpd-argument ]


And on my system (Ubuntu 8.04), "man httpd" doesn't report diddly. It is in a manpage *somewhere* so I found it Online:

http://www.manpagez.com/man/8/httpd/

And what it says is:


-S Show the settings as parsed from the config file (currently only
shows the virtualhost settings).


So there you go. Hidden away in the documentation "somewhere" is possibly the most useful virtual host diagnostic tool.
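The -S listing above is easiest to use when something reads it for you. The following is an added example (not code from the post or from Apache) that parses that output format and reports the things worth checking after a vhost change: which server silently catches requests whose Host header matches nothing, a port that has only one vhost and therefore answers every Host header, and a ServerName defined twice on the same port (Apache uses the first definition, the later one is dead). The sample text is constructed in the shape of the Apache 2.2 output shown above, with a duplicate line added so the audit has something to flag.

```python
import re

# Constructed sample in the shape of `apache2ctl -S` output (Apache 2.2). The host
# names are the ones from the post; the last "namevhost" line is a constructed
# duplicate of www.nibble.bz so the audit below has something to flag.
SAMPLE_OUTPUT = """\
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443 webmail.nibble.bz (/etc/apache2/sites-enabled/webmail.nibble.bz:3)
*:80 is a NameVirtualHost
default server alia.dl.nibble.bz (/etc/apache2/sites-enabled/000-default:2)
port 80 namevhost alia.dl.nibble.bz (/etc/apache2/sites-enabled/000-default:2)
port 80 namevhost blog.nibble.bz (/etc/apache2/sites-enabled/blog.nibble.bz:3)
port 80 namevhost www.nibble.bz (/etc/apache2/sites-enabled/blog.nibble.bz:17)
port 80 namevhost webmail.nibble.bz (/etc/apache2/sites-enabled/webmail.nibble.bz:51)
port 80 namevhost www.nibble.bz (/etc/apache2/sites-enabled/www.thenibble.org:20)
Syntax OK
"""

NAMEVHOST_RE = re.compile(r"^\*:(\d+) is a NameVirtualHost$")
SINGLE_RE = re.compile(r"^\*:(\d+) (\S+) \((\S+):(\d+)\)$")
DEFAULT_RE = re.compile(r"^default server (\S+) \((\S+):(\d+)\)$")
VHOST_RE = re.compile(r"^port (\d+) namevhost (\S+) \((\S+):(\d+)\)$")


def parse_vhosts(text):
    """Turn `apache2ctl -S` output into (vhosts, defaults).

    vhosts   -> list of dicts: port, host, file, line, kind ("single" or "namevhost")
    defaults -> {port: host}: on each NameVirtualHost port, the vhost that answers
                requests whose Host header matches no ServerName/ServerAlias
    """
    vhosts, defaults, current_port = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAMEVHOST_RE.match(line)
        if m:
            current_port = int(m.group(1))
            continue
        m = SINGLE_RE.match(line)
        if m:
            vhosts.append(dict(port=int(m.group(1)), host=m.group(2),
                               file=m.group(3), line=int(m.group(4)), kind="single"))
            continue
        m = DEFAULT_RE.match(line)
        if m and current_port is not None:
            defaults[current_port] = m.group(1)
            continue
        m = VHOST_RE.match(line)
        if m:
            vhosts.append(dict(port=int(m.group(1)), host=m.group(2),
                               file=m.group(3), line=int(m.group(4)), kind="namevhost"))
    return vhosts, defaults


def audit(vhosts, defaults):
    """Findings a practitioner checks after editing sites-enabled: a ServerName
    defined twice on one port (the first definition wins, the later one is never
    used), which vhost catches unknown Host headers, and ports with a single vhost
    (it answers every Host header sent to that port)."""
    findings = []
    first_seen = {}
    for v in vhosts:
        key = (v["port"], v["host"])
        where = f"{v['file']}:{v['line']}"
        if key in first_seen:
            findings.append(f"duplicate {v['host']} on port {v['port']}: "
                            f"{first_seen[key]} wins, {where} is never used")
        else:
            first_seen[key] = where
    for port, host in sorted(defaults.items()):
        findings.append(f"port {port}: requests for unknown hosts go to {host}")
    for v in vhosts:
        if v["kind"] == "single":
            findings.append(f"port {v['port']}: single vhost {v['host']} answers every Host header")
    return findings


if __name__ == "__main__":
    # In practice: apache2ctl -S 2>&1 | python3 this_script.py  (read sys.stdin instead)
    vh, de = parse_vhosts(SAMPLE_OUTPUT)
    for finding in audit(vh, de):
        print(finding)
```

The regexes only know the 2.2 line shapes shown in the post; the extra "alias" lines that Apache 2.4 prints under each namevhost are simply ignored, which is harmless for the duplicate check but means a ServerAlias that shadows another vhost's ServerName is not caught.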

- Arch

Sunday, 19 April 2009

Retiring the old hand-made blog

On the weekend I finally decided to shut down my old blog (it was under http://dl.nibble.bz/~archangel). I'd started it in early 2003 and sort of just built my own code. Needless to say, it was very simple with basic "categories" features for links and I built my own archives system, syndication, everything. Well, WordPress also started in 2003 and it now has all these features and they work better and are richer. And their code is maintained.

Moving to WordPress is certainly simple. It imports blogs from many different formats including RSS 2.0 which is a widely accepted standard for blog syndication. Since I'd already built a feed for my blog, but in Atom, I simply had to convert my code to generate RSS 2.0 and then have it spit out all my posts (about 200) into a single RSS 2.0 file.

For the switch to RSS 2.0, I just pulled an RSS 2.0 feed from WordPress. I then used the old copy & paste coding to make a syndication script which produced similar output. Then I debugged by running my output through the W3C Feed Validation Service.

Once my RSS 2.0 was validating, I made the script spit out the full content for all my posts rather than the usual 20, went into WP and just imported it and it took them all just fine.

And now, here we are!

- Arch

Tuesday, 7 April 2009

Renaming Wordpress Blogs

Under Debian (Ubuntu), there's a helper script which does a lot of the work for adding a new blog. You need to create a hostname, add it as an alias in your apache config, and a database. Then use this helper script to set up the database and config:

/usr/share/doc/wordpress/examples/setup-mysql

Now if you want to rename your blog, say from "inaction.example.com" to "takeaction.example.com", it's pretty simple.

  1. Create the new hostname in DNS,
  2. Add it as an alias to your apache config,
  3. <
  4. Create a soft-link to the current config using the new name,
  5. Edit the settings for your blog and give the new URL.


Edit: You can easily change the settings (from the last step) in the db. If something goes terribly wrong, just poke around in there and update anything with the wrong URL.

- Arch

Sunday, 1 March 2009

Retired virtual server

This is actually a ret-con repost since I managed to mung my database again (hooray)... Anyhow, some time last month I finally did get everything moved off of Jessica (a VirtualBox VM) and onto Alia (actual hardware). It's all good.

Sunday, 30 March 2008

Deleting Data and Wireless Bridge

This is my lesson to you: When cleaning up one's database, don't delete your data. As you may be able to infer, the last backup I have on-hand for this database is from July 2007... Stinks! I know there's a better backup around *somewhere*, probably the "off-site" backup, so hopefully I'll get more of my db back.

So, don't delete your data, and test your backups, or at least verify you've got a recent one handy before deleting the data.

In other news, I finally snagged a new wireless router for home. I already had one, so this one I've used to create a wireless bridge, eliminating the need to have a ratty old 10m network cable running from my dining room to my living room. And it was easy! Just flashed on DD-WRT,
  • changed the router's IP address (to not conflict with the existing router),
  • "scanned" the available wireless networks and "joined" the existing network,
  • set the WEP password for the wireless "security",
  • and changed to "client bridged" mode.

Presto Magico! A total pain in the ass that the firmware provided by Linksys with their routers is so shitty, but it really is pretty easy to replace it with DD-WRT (just do a "firmware upgrade"). You do, however, have to get a WRT54GL router for it to be that easy. Their other routers have very little memory and it is *slightly* harder to upgrade those to DD-WRT and even then you're stuck on the "Micro" version which has less functionality. The WRT54GL model router (instead of the plain G) is normally about $10 more ($60 instead of $50), but I got it on sale from NCIX for $55, so there you go.

Fun!

Sunday, 11 November 2007

Using Procmail to Notify Senders of a Change of Address

Here is a procmail recipe that auto-responds to email messages addressed to an email address that is going to be removed. It's totally simple, it just avoids looping and auto-responding to mail daemons. This can just go at the end of your .procmailrc file (in your home directory).

Basically, the lines starting with * are the conditions so it reads do not match FROM_DAEMON, FROM_MAILER or our X-Loop headers, and only take messages addressed To: (including CC:). Then the line starting with | is the action which is to use formail to send a reply, insert our X-Loop header then use a file (or two in this case) for the message body.

The one thing to point out is that if you want to set up this reply for many email addresses at once just put a | between them. This is a "regex" pattern so you can do fancier matching criteria if you want.

# bounce messages addressed to archangel@uro.mine.nu
:0
* !^FROM_DAEMON
* !^FROM_MAILER
* !^X-Loop: email-dsn
* ^TO_(archangel@uro.mine.nu)
| (formail -rt -A"Precedence: junk (autoreply)" \
  -A"X-Loop: email-dsn" ; \
  cat $HOME/.procmail/change-of-address.txt $HOME/.signature) | $SENDMAIL -t
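To see why the four conditions and the two added headers matter, here is the same decision logic as an added Python example (not part of the post, and not procmail or formail code): a filter that applies the conditions in the recipe's order, a reply builder that mirrors the action line, and a check that our own reply, if it ever comes back to us, is never answered again. The FROM_DAEMON and FROM_MAILER checks are simplified approximations of procmail's built-in patterns, the second retired address and all three sample messages are constructed, and the new address is a placeholder.

```python
import re
from email import message_from_string
from email.message import Message

# The retired addresses. Several are joined with "|" exactly as the recipe's
# ^TO_(a|b) alternation does; the second one is constructed for this example.
RETIRED = ["archangel@uro.mine.nu", "old-alias@uro.mine.nu"]
LOOP_TAG = "email-dsn"

# procmail's FROM_DAEMON and FROM_MAILER are long built-in regexes. These two
# checks are a deliberately simplified approximation of what they catch
# (an assumption of this example, not procmail's exact patterns).
DAEMON_SENDER_RE = re.compile(
    r"(mailer-daemon|postmaster|daemon|majordomo|listserv|mailman|no-?reply)", re.I)
BULK_PRECEDENCE_RE = re.compile(r"^(bulk|junk|list)", re.I)


def _retired_pattern(retired):
    # Whole-address match, so "xarchangel@uro.mine.nu" does not count.
    alternation = "|".join(re.escape(a) for a in retired)
    return re.compile(r"(?<![\w.+-])(" + alternation + r")(?![\w.+-])", re.I)


def should_autoreply(raw_message, retired=RETIRED, loop_tag=LOOP_TAG):
    """Apply the recipe's four conditions in order; returns (decision, reason)."""
    msg = message_from_string(raw_message)

    # * !^FROM_DAEMON / * !^FROM_MAILER : never answer automated senders, or a
    # loop with a bouncing MTA or a mailing list can run for ever.
    sender_headers = " ".join(msg.get_all("From", []) + msg.get_all("Sender", [])
                              + msg.get_all("Return-Path", []))
    if DAEMON_SENDER_RE.search(sender_headers):
        return False, "sender looks like a daemon or mailer"
    if BULK_PRECEDENCE_RE.match(msg.get("Precedence", "")):
        return False, "bulk/junk/list precedence"

    # * !^X-Loop: email-dsn : our own tag coming back means our reply was bounced
    # or forwarded to us, so do not reply to the reply.
    if any(loop_tag in value for value in msg.get_all("X-Loop", [])):
        return False, "X-Loop tag present"

    # * ^TO_(...) : TO_ looks at To:, Cc: and the other recipient headers.
    recipient_headers = " ".join(msg.get_all("To", []) + msg.get_all("Cc", [])
                                 + msg.get_all("Apparently-To", []))
    if not _retired_pattern(retired).search(recipient_headers):
        return False, "not addressed to a retired address"
    return True, "autoreply"


def build_reply(raw_message, body_text, from_addr):
    """Mirror of the action line: formail -rt addresses the reply to the sender's
    Reply-To:/From:, -A adds Precedence: and our X-Loop: tag, then the
    change-of-address text becomes the body. The "Re:" subject prefix is this
    example's choice, not a claim about formail's output."""
    original = message_from_string(raw_message)
    reply = Message()
    reply["To"] = original.get("Reply-To") or original.get("From")
    reply["From"] = from_addr
    reply["Subject"] = "Re: " + original.get("Subject", "")
    reply["Precedence"] = "junk (autoreply)"
    reply["X-Loop"] = LOOP_TAG
    reply.set_payload(body_text)
    return reply


# Constructed sample messages.
INCOMING = """\
From: Alice <alice@example.org>
To: Old Me <archangel@uro.mine.nu>
Subject: still using this address?

Hi, is this mailbox still active?
"""

BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: archangel@uro.mine.nu
Subject: Undelivered Mail Returned to Sender

The message could not be delivered.
"""

LOOPED = """\
From: Alice <alice@example.org>
To: archangel@uro.mine.nu
X-Loop: email-dsn
Subject: Re: still using this address?

(our own autoreply, forwarded straight back to the retired address)
"""

if __name__ == "__main__":
    for name, raw in [("incoming", INCOMING), ("bounce", BOUNCE), ("looped", LOOPED)]:
        print(name, should_autoreply(raw))
    reply = build_reply(INCOMING, "This address is retired; please use the new one.",
                        "new-address@example.org")  # placeholder new address
    print(reply.as_string())
    # Our own reply, fed back through the filter, is never answered again.
    print("reply to our reply?", should_autoreply(reply.as_string()))
```

The last line of the `__main__` block is the point of the recipe: the reply carries both `Precedence: junk` and the `X-Loop:` tag, so whichever of them an intermediate system preserves, the recipe's conditions stop the message before a second auto-reply is generated.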
