I've been running Fedora 11 (x64) on my workstation at work and running Windows XP (32b) in a VMware virtual machine. It was a VM I'd created with server so all I needed to run it was the free VMware Player.
First, installing VMware Player was a bit of a problem. The install from RPM didn't work, it hosed initially. Then the install from the bundle also failed... Much like it does for many users Online it turned out so there was a community-created patch which worked just fine.
Then there was running the VM. Initially, it seemed great. I was running Windows XP full-screen on my right-screen and had my Fedora desktop / apps on my left screen. But it was pretty wonky about mouse control so I got to the point where I was firing up the Windows VM only when I needed it and then not in full-screen mode.
But I discovered that VMware's Unity mode helps bridge the gap. It pulls you out of console mode and launches any apps from the guest VM in their own windows in your desktop environment. This is especially useful for say, running MSIE or MS Outlook. It's still a little weird because the apps *look* like they should be running natively yet the responsiveness is clearly far behind local apps, but the only real gap is that I can't Shift+Right-Click -> Run As... on tools like Active Directory Users and Computers (which I need). I tried switch back to the console, doing the Run As... and then switching back to Unity, but the escalated app doesn't show up.
Well, it's great and closes the gap some, but for now I'll just keep updating Player and Tools and see if eventually that full-screen mode just gets fixed and works transparently.
- Arch
Wednesday, 15 July 2009
Tuesday, 30 June 2009
SpamAssassin
On previous mail server setups, I've tried to pass all mail coming into the server through SpamAssassin (The Fight Against Spam) and it's a bit of a struggle to get it working sometimes so I've had nothing setup for a while other than some SMTP restrictions and a couple of the RBLs. So since SpamAssassin is generally geared to being run / configured per-user, I figured, what the hell, I'll try that. And it is way easier. All I did was plop this in my .procmailrc:
So now, SA happily tags all my possibly spammy mail and then for actual spam, it dumps it in the Junk folder and it actually strips the content replacing it with all the reasons why the message was identified as spam (the original message is attached).
So far so good!
- Arch
# SpamAssassin
:0fw: spamassassin.lock
| /usr/bin/spamassassin
:0:
* ^X-Spam-Status: Yes
JunkSo now, SA happily tags all my possibly spammy mail and then for actual spam, it dumps it in the Junk folder and it actually strips the content replacing it with all the reasons why the message was identified as spam (the original message is attached).
So far so good!
- Arch
Monday, 15 June 2009
Using proc to force a reboot
So we just had this little discussion on IRC and I figured I'd save it for posterity here:
So there you go. Want to reboot without waiting for all those nasty processes to finish or phyiscally pressing the power button? That's your way out.
Thanks, toddz :D
- Arch
[11:37:36] to force a 'hard' reboot (if reboot is not working) - equivalent to pulling the power cable:
[11:37:44] echo 1 > /proc/sys/kernel/sysrq; echo b > /proc/sysrq-trigger
[11:40:45] come on dom, you know you want to try it.
[11:41:21] heh
[11:42:29] what's this do? what's this do? what's it do???
[11:43:13] you tell us
[11:47:09] yeah, that's awesome
[11:47:24] it just tells BIOS to reboot
[11:47:35] (or something like that anyhow)
[11:47:58] so, immediate reboot in other words?
[11:47:58] system just goes *blip* and starts posting So there you go. Want to reboot without waiting for all those nasty processes to finish or phyiscally pressing the power button? That's your way out.
Thanks, toddz :D
- Arch
Tuesday, 9 June 2009
Apache and LDAP users
Requisites:
Apache 2.2
mod_authnz_ldap (and enabled with a2enmod authnz_ldap under Debian+Ubuntu)
In your httpd.conf or your htaccess file, add the following:
This example is for connecting to an MS Active Directory server. For an OpenLDAP server, you may find that you don't need the BindDN/Pass options and you need uid instead of sAMAccountName (or possibly just "ldap://localhost/DC=domain,DC=tld").
If you look at other sites online, you'll find that a lot of users say they have to fiddle the config to get it working. Some of the common things I saw were:
... As you can see there can be a lot of tweaking for specific sites. But all-in-all, the basic configuration is quite simple. If your LDAP server allows anonymous searches, you really only need the AuthLDAPURL line and it can be as simple as "ldap://localhost/DC=example,DC=com".
- Arch
Apache 2.2
mod_authnz_ldap (and enabled with a2enmod authnz_ldap under Debian+Ubuntu)
In your httpd.conf or your htaccess file, add the following:
# Access control for this directory
AuthBasicProvider ldap
AuthType Basic
AuthName "Password Required"
AuthLDAPURL "ldap://localhost:389/OU=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN readonly@example.com
AuthLDAPBindPassword plaintextpassword
Require ldap-group CN=somegroup,OU=someou,OU=Groups,DC=example,DC=com
This example is for connecting to an MS Active Directory server. For an OpenLDAP server, you may find that you don't need the BindDN/Pass options and you need uid instead of sAMAccountName (or possibly just "ldap://localhost/DC=domain,DC=tld").
If you look at other sites online, you'll find that a lot of users say they have to fiddle the config to get it working. Some of the common things I saw were:
- Setting "AuthzLDAPAuthoritative off"
- Specifying at least one container under the base DN (as in my example)
- Tweaking the GroupAttribute and GroupIsDN options
- Using a DN for the AuthLDAPBindDN (UPN used in my example)
- Enabling SSL or TLS
- Multiple domain controllers (simply specify them separated by spaces in your URL)
- Filters with "Require ldap-filter"
... As you can see there can be a lot of tweaking for specific sites. But all-in-all, the basic configuration is quite simple. If your LDAP server allows anonymous searches, you really only need the AuthLDAPURL line and it can be as simple as "ldap://localhost/DC=example,DC=com".
- Arch
Saturday, 6 June 2009
Google Apps
One of the cool services that Google offers is the hosting of various services for your domain. Basically, you can brand Google with your own domain including mail, calendar, chat, docs, sites and "mobile" (I haven't used "mobile", but it includes sync services). The service is called Google Apps.
The "standard edition" is pretty much the standard services and limits you to 50 user accounts. And 50 people is quite a few for a personal domain or even a small business. Once you need more features or more accounts, its $50 / year per account. Which, truth be told, is pretty cheap since even just paying for anti-spam/anti-virus filtering is about $30 / year for pretty basic service from Symantec of whomever.
At any rate, I found it a bit confusing at first but mostly because I was setting this up in a sub-domain (dl.thenibble.org) on GoDaddy. But once I got in, it's pretty easy. You get this dashboard which shows you which services are activated and you can just click on whichever ones you want and if DNS changes are required, it will tell you and give you pretty specific instructions. But there's a lot. You have to do one just to activate the domain, add aliases for all your services (unless you want to use google.com/apps/mydomain or whatever), and then for email, there's 5 MX records and for chat there's about 10 SRV records.
But now that it's all setup, it's pretty fancy. You can create email groups, use docs, publish calendars, etc. I tried poking around a bit and really all that Google does for stuff like "sites" when you create an alias under your domain is it just redirects the user to sites.google.com/domain/whatever ... So it won't be a replacement for having a web host. But for email, it will just accept mail at your domain so it's a full email service.
And standard edition is free. Did I mention that? Yeah, it's ad-supported, but otherwise free.
Fun!
- Arch
The "standard edition" is pretty much the standard services and limits you to 50 user accounts. And 50 people is quite a few for a personal domain or even a small business. Once you need more features or more accounts, its $50 / year per account. Which, truth be told, is pretty cheap since even just paying for anti-spam/anti-virus filtering is about $30 / year for pretty basic service from Symantec of whomever.
At any rate, I found it a bit confusing at first but mostly because I was setting this up in a sub-domain (dl.thenibble.org) on GoDaddy. But once I got in, it's pretty easy. You get this dashboard which shows you which services are activated and you can just click on whichever ones you want and if DNS changes are required, it will tell you and give you pretty specific instructions. But there's a lot. You have to do one just to activate the domain, add aliases for all your services (unless you want to use google.com/apps/mydomain or whatever), and then for email, there's 5 MX records and for chat there's about 10 SRV records.
But now that it's all setup, it's pretty fancy. You can create email groups, use docs, publish calendars, etc. I tried poking around a bit and really all that Google does for stuff like "sites" when you create an alias under your domain is it just redirects the user to sites.google.com/domain/whatever ... So it won't be a replacement for having a web host. But for email, it will just accept mail at your domain so it's a full email service.
And standard edition is free. Did I mention that? Yeah, it's ad-supported, but otherwise free.
Fun!
- Arch
Friday, 22 May 2009
Hardening a RHEL5 Box and the NSA
Hardening a server takes two general activities: Reducing the number of services that can be attacked and protecting any services that are still required.
There are a lot of discussions on how to do this for various operating systems including RedHat Linux. RedHat's Deployement Guide is a good resource.
The NSA also has documents on securing your operating system. However, they're a little hard to get. I tried searching for RHEL5 on their site and had some difficulty access the documents in the search results:
Now it's a little hard to access the documents on the NSA's E drive, but I was able to eventually find them by getting in another way ;) ;) ... Okay, I didn't breakin to the NSA to get on their E drive, I found the page that actually good links: NSA/CSS Operating Systems.
There's a longer document (about 170 pages) and also a short reference (2 pages) which gives lots of good things to secure.
There are a lot of other good resources Online as well, so I won't ramble further. Just turn off anything you don't need, update what you do need frequently, and secure your system with a firewall, and other security tools (PortSentry, fail2ban, DenyHosts, anti-virus software, rootkit detection, etc, etc, etc).
- Arch
There are a lot of discussions on how to do this for various operating systems including RedHat Linux. RedHat's Deployement Guide is a good resource.
The NSA also has documents on securing your operating system. However, they're a little hard to get. I tried searching for RHEL5 on their site and had some difficulty access the documents in the search results:
Now it's a little hard to access the documents on the NSA's E drive, but I was able to eventually find them by getting in another way ;) ;) ... Okay, I didn't breakin to the NSA to get on their E drive, I found the page that actually good links: NSA/CSS Operating Systems.
There's a longer document (about 170 pages) and also a short reference (2 pages) which gives lots of good things to secure.
There are a lot of other good resources Online as well, so I won't ramble further. Just turn off anything you don't need, update what you do need frequently, and secure your system with a firewall, and other security tools (PortSentry, fail2ban, DenyHosts, anti-virus software, rootkit detection, etc, etc, etc).
- Arch
Wednesday, 20 May 2009
Virtual Host Debugging
I just came across this obscure feature of apache2ctl / httpd:
"man apache2ctl" doesn't give the switch parameters but merely alludes to the presence of them:
And on my system (Ubuntu 8.04), "man httpd" doesn't report diddly. It is in a manpage *somewhere* so I found it Online:
http://www.manpagez.com/man/8/httpd/
And what it says is:
So there you go. Hidden away in the documentation "somewhere" is possibly the most useful virtual host diagnostic tool.
- Arch
# apache2ctl -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443 webmail.nibble.bz (/etc/apache2/sites-enabled/webmail.nibble.bz:3)
*:80 is a NameVirtualHost
default server alia.dl.nibble.bz (/etc/apache2/sites-enabled/000-default:2)
port 80 namevhost alia.dl.nibble.bz (/etc/apache2/sites-enabled/000-default:2)
port 80 namevhost blog.nibble.bz (/etc/apache2/sites-enabled/blog.nibble.bz:3)
port 80 namevhost www.nibble.bz (/etc/apache2/sites-enabled/blog.nibble.bz:17)
port 80 namevhost forums.thenibble.org (/etc/apache2/sites-enabled/forums.thenibble.org:2)
port 80 namevhost lists.thenibble.org (/etc/apache2/sites-enabled/lists.thenibble.org:10)
port 80 namevhost siona.nibble.bz (/etc/apache2/sites-enabled/siona.nibble.bz:1)
port 80 namevhost uro.mine.nu (/etc/apache2/sites-enabled/uro.mine.nu:2)
port 80 namevhost webmail.nibble.bz (/etc/apache2/sites-enabled/webmail.nibble.bz:51)
port 80 namevhost www.thenibble.org (/etc/apache2/sites-enabled/www.thenibble.org:3)
port 80 namevhost thenibble.org (/etc/apache2/sites-enabled/www.thenibble.org:15)
Syntax OK
"man apache2ctl" doesn't give the switch parameters but merely alludes to the presence of them:
SYNOPSIS
When acting in pass-through mode, apachectl can take all the arguments available for the httpd binary.
apachectl [ httpd-argument ]
And on my system (Ubuntu 8.04), "man httpd" doesn't report diddly. It is in a manpage *somewhere* so I found it Online:
http://www.manpagez.com/man/8/httpd/
And what it says is:
-S Show the settings as parsed from the config file (currently only
shows the virtualhost settings).
So there you go. Hidden away in the documentation "somewhere" is possibly the most useful virtual host diagnostic tool.
- Arch
Subscribe to:
Comments (Atom)