Wednesday, November 13, 2013

sudo on Debian Etch

While Debian Etch is horribly out of date, I still have a couple of servers that I administer that require Debian 4.0, aka Etch. One unfortunate bit is that the version of sudo (1.6.8p12-4) packaged for Etch seems to be horribly broken. Specifically, it does not prompt for a password before giving elevated privs. Even modifying the sudoers file to specifically say authentication is required (via the authenticate Defaults and the PASSWD tag) still allows passwordless entry. The fix that I have applied is compiling the sudo package from the Lenny sudo source package. The source package is available at Lenny sudo (1.6.9p17-3).

Monday, October 21, 2013

Find and Time

I have never been particularly good at remembering find's arguments related to times/dates/etc. So this is going to be a bit of a cheat sheet for myself. Note that the cut-off day is computed with `date -d` (the `-s` flag would try to set the system clock instead). Find *~ files modified older than today:
find . -name \*~ ! -newermt $(date -d yesterday +%F)
Find *~ files modified newer than yesterday:
find . -name \*~ -newermt $(date -d yesterday +%F)
Find *~ files between certain days:
find . -name \*~ -newermt $(date -d '14 days ago' +%F) ! -newermt $(date -d '7 days ago' +%F)
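The three searches above as reusable shell functions, added here as an example and not part of the original post. They rely on GNU date -d and GNU find -newermt, whose DATE argument means midnight at the start of that day, so each range is half-open.

```shell
# Added example: the cheat sheet's three searches as functions. Cut-off days
# are computed with "date -d"; -newermt DATE matches files modified after
# midnight at the start of DATE, so every range below is half-open.

# Files under DIR matching PATTERN and last modified before the start of DAY.
find_older_than() {   # find_older_than DIR PATTERN DAY
    find "$1" -name "$2" ! -newermt "$(date -d "$3" +%F)"
}

# Files modified at or after the start of DAY.
find_newer_than() {   # find_newer_than DIR PATTERN DAY
    find "$1" -name "$2" -newermt "$(date -d "$3" +%F)"
}

# Files modified from the start of FROM (the older day) up to, but not
# including, the start of TO (the newer day).
find_between() {      # find_between DIR PATTERN FROM TO
    find "$1" -name "$2" -newermt "$(date -d "$3" +%F)" \
                         ! -newermt "$(date -d "$4" +%F)"
}

# Same calls as the original cheat sheet:
#   find_older_than . '*~' yesterday
#   find_newer_than . '*~' yesterday
#   find_between    . '*~' '14 days ago' '7 days ago'
```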

Sunday, September 29, 2013

Multiple Samba Instances on Separate Interfaces

I didn't find a lot of information on how to run multiple different samba instances on the same machine, and what I did find didn't seem all-inclusive.  So the various configuration directives I needed to set are:

#
#Specify the Interfaces that this instance will listen on for smbd
interfaces = eth0
#Specify the IP that nmbd will use
socket address = 192.168.1.1
#Only bind the above
bind interfaces only = yes

#The following line may be needed to clear up some connection issues with older clients, and possibly it should be 139 445
smb ports = 139

#
# On at least one instance, the directories for state/cache/locks/etc will need to be changed
state directory = /var/lib/samba-eth3
private dir = /var/lib/samba-eth3
lock directory = /var/run/samba-eth3
pid directory = /var/run/samba-eth3
cache directory = /var/cache/samba-eth3

#
# Logging
# Make sure to fix the log file directive
# log file = /var/log/samba-eth3/log.%m

#
# Authentication
# May need to update passdb backend line to keep separate
passdb backend = tdbsam:/var/lib/samba-eth3/passdb.tdb

Additionally, a startup script will need to be created adding the specific configuration to the commandline for smbd/nmbd. The commandline will be something like:
/usr/sbin/nmbd -D -s /etc/samba-eth3/smb.conf -l /var/log/samba-eth3/
/usr/sbin/smbd -D -s /etc/samba-eth3/smb.conf -l /var/log/samba-eth3/

Monday, August 12, 2013

Do you need Anti-virus on Linux?

I will freely admit I was a naysayer for anti-virus on Linux.  That said, it is a good security policy, so I set up and run periodic scans on the linux boxes I admin.  Until today, I had only ever seen Windows viruses sitting in people's old mbox mailboxes, and given that I would need to delete all of their email to address this, nothing happened.

Today, that changed.  I was reviewing system messages from over the weekend and I saw an email from the clamscan cronjob I have set up on many servers.  It went a little like:
/tmp/openx-2.8.10/etc/plugins/openXVideoAds.zip: Backdoor.OpenX.CVE_2013_4211 FOUND
..../openads/plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js: Backdoor.OpenX.CVE_2013_4211 FOUND
..../openads/plugins/plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js: Backdoor.OpenX.CVE_2013_4211 FOUND
..../openads/etc/plugins/openXVideoAds.zip: Backdoor.OpenX.CVE_2013_4211 FOUND

A quick google turned up a link to Packet Storm.  http://packetstormsecurity.com/files/cve/CVE-2013-4211

CVE-2013-4211 became an exploit candidate 3 days ago.  I see some other mentions from a few days earlier, but definitely not too long ago.  Since that time, clamav has updated its definitions, freshclam downloaded them, and I got notified that I had an active backdoor on one of my servers because of maintaining a good anti-virus policy on Linux.

So ends the lesson.

Friday, June 21, 2013

Using ssh's ProxyCommand and netcat to access Servers with no Public IP

It is not unusual to have servers with no public IP address.  In some cases you can access these servers via VPN, or utilize alternate ports for SSH, but sometimes that is just inconvenient and you need to hop through another server.  This can be accomplished using the ssh ProxyCommand configuration directive in ~/.ssh/config, and netcat.

For example, if I can ssh to 'machine-a' and from machine-a can ssh to 'machine-b', I could add the following into my ~/.ssh/config file:

Host machine-b
ProxyCommand ssh -q machine-a nc -q0 machine-b 22

I then would use 'ssh machine-b' from the commandline to tunnel through machine-a.

Friday, June 7, 2013

Verifying that a SSL Certificate matches a Key

When configuring SSL under apache, if an error is made, Apache is unlikely to start. This can be a bit of a problem. So when a non-technical person provides you with a CRT/KEY pair and you are expected to install that pair into Apache while incurring minimal downtime, it can be useful to check the pair's validity before starting. The relevant portion of the key/crt pair is the modulus: both files must carry the same one. It can be checked using the commandline openssl tools.
openssl x509 -in filename.crt -modulus -noout | openssl md5
openssl rsa -in filename.key -modulus -noout | openssl md5

If you want to be ambitious, verify the certificate's date range as well:
openssl x509 -in filename.crt -dates -noout
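The same check wrapped as a small script, added here as an example rather than code from the original post. It compares the public key extracted from the certificate with the one derived from the key file (which also covers non-RSA keys, a generalisation of the modulus trick), keeps the modulus comparison from the post, and uses openssl x509 -checkend to flag a certificate that is about to expire.

```shell
#!/bin/sh
# Added example (not from the original post): check that a CRT and KEY belong
# together before touching the Apache config, and that the cert is not about
# to expire.  Usage: check_cert_pair server.crt server.key

# Compare the SubjectPublicKeyInfo on both sides; works for RSA and EC keys.
cert_key_match() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# The post's comparison, RSA only.  The raw modulus strings are compared
# before any hashing: if both commands fail, both outputs are empty and
# "openssl md5" of nothing would match "openssl md5" of nothing.
cert_key_modulus_match() {
    crt_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# Succeeds if the certificate is still valid in SECONDS seconds (default 0).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

check_cert_pair() {
    if ! cert_key_match "$1" "$2"; then
        echo "MISMATCH: $1 does not belong to $2" >&2
        return 1
    fi
    if ! cert_not_expiring "$1" 604800; then
        echo "WARNING: $1 expires within 7 days (or already has):" >&2
        openssl x509 -in "$1" -noout -dates >&2
        return 1
    fi
    echo "OK: $1 matches $2 and is valid for at least 7 more days"
}

if [ $# -eq 2 ]; then
    check_cert_pair "$1" "$2"
fi
```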

Tuesday, June 4, 2013

Hardware Tokens Followup

I was contacted by someone trying to get a Gemalto Ezio Time Token to work with Google Authenticator. It looks like it would be a slightly better solution than the Gooze token because it uses the correct step window (The pam lib wouldn't require being patched). Unfortunately, the only place I can find to purchase them (For use with AWS by Amazon) doesn't provide the seed/key, so no dice. Hopefully they become available with the seed, because they look like nice devices.

Monday, June 3, 2013

Sending File Attachments from the Shell

There is bad news and more bad news on this subject.  The first bad news is there is no simple, standard, default tool that will allow you to do this on the commandline.  The second bad news is that the old standard way to do this seems to have been stopped as a security problem in Outlook.  Specifically, you used to be able to use the 'uuencode' tool piped to 'mail' to accomplish this, but Outlook no longer interprets that as an attachment (probably to fight the spread of viruses).

The old way of doing it
uuencode filename.csv filename.csv | mail -s 'Subject of email' recipient@domain.com
'uuencode' was a fairly common tool and was packaged for most Linux variants and was even installed by default on some.  Now we have to scavenge a bit, but the tool I have used most is 'mpack'.  It is packaged for both Debian and Ubuntu by the distribution, and you can find pre-rolled versions for Redhat/CentOS/etc.  Once you get it installed, using it is easy.

The new way of doing it
mpack -s 'Subject of email' filename.csv recipient@domain.com
Hopefully the target doesn't move again.

Friday, May 31, 2013

Space, I need space

This is nothing new, but it bears repeating so here we are.  Spaces in filenames under Linux are an annoyance, but one that isn't that hard to deal with.  How do I deal with them?

In one offs, the \.  So `ls Annoying\ File\ With\ Spaces`

How to kill the space?
rename 's/ /_/g' *
will replace every space with _ for all files/dirs in the current directory (without the trailing g only the first space in each name would be replaced).

How to deal with spaces while using find?
find . -name \*wav -print0 | xargs -0 ls
This terminates files with the null character instead of a space. Both xargs and find need to do this.

Tuesday, April 16, 2013

ionice is Pretty Darn Nice on IO

I have not often used 'ionice' but I really should be. 'ionice' does for disk IO on linux what standard 'nice' does for processor load. The standard implementation of ionice under linux allows for 3 settings, "Best Effort" "Idle" and "Real Time". The Best Effort setting is the default setting for new processes. Real Time grants priority access above Best Effort. And "Idle" is granted disk access only when another process is not trying to access disk. In this case, we are interested in Idle.

Class:
0 = 2 = None = Best Effort (Medium Priority)
1 = Real Time (High Priority)
3 = Idle (Low Priority)

A standard example would be:
ionice -c3 aide.wrapper --update

This can be used in combination with standard 'nice' to create an uber-nice process:

ionice -c3 nice -n 19 aide.wrapper --update

References:
Fried CPU
switch-sched.txt in Kernel Source

Friday, April 12, 2013

Getting Medieval on Linux Shutdown

Until today, I had never run into a circumstance where I couldn't reboot a linux box with the 'reboot -f' command.  A reboot this way is definitely not recommended, as it bypasses the system shutdown, doesn't unmount disks, etc.  So always try to use your typical 'shutdown -r now' type of reboot first.

If your machine has a disk error, it is possible that 'shutdown -r now' will never complete.  That is when you can try 'reboot -f'.  If that doesn't complete you have to kick it up a notch and utilize Magic SysRq.

First enable Magic SysRq:
echo 1 > /proc/sys/kernel/sysrq

Then use it remotely to reboot the machine at a very low level:
echo b > /proc/sysrq-trigger

No guarantee you will be able to remotely access that machine again, but it will be going down.

Thanks to http://blog.mohammadzadeh.info/index.php/howto-force-a-immediate-reboot

Tuesday, April 2, 2013

Windows 8 and Office 2013

I wrote the following for my work's intranet forum.  I figured it would serve decently here as well.


Having had an opportunity to play with both Windows 8 and Office 2013, I figured I would create a topic here to allow people to see some comments about them.


When you first login to Windows 8, you are presented with a start screen that looks like the Windows Phone, a full screened tiled view that has various tiles to launch apps, software, view news, etc.  One of those tiles is "Desktop"

Once you are at the Desktop, it will look similar to Windows 7, but with a couple of major caveats.
1) No Start button.  There are various third party start button applications, including a decent (if a bit ugly) one that is distributed via Ninite.com.  This fails in my opinion in a business environment where change can be difficult for some people to deal with.
2) It's hip to be square.  There are no rounded corners and curves in Windows 8.  It is designed for full screen on a tablet not on monitors, so the aesthetic is that everything be full screen.  This fails in my opinion in a business environment, where you are more likely to have large monitors and multiples.
Because Microsoft is turning your desktop into a glorified handset, they are pushing "Apps".  Apps are a different paradigm than software in how you purchase them, maintain them, how much they cost, etc etc.  But the big thing is it seems that apps are updated through the MS App Store, not through Microsoft Update, which still handles the Operating System and core software from Microsoft.  Again a big fail for business in my opinion.

Anti-virus is built in to Windows 8 by default.  This is something they should have done 15 years ago, but now it is actually not a great thing for businesses because it conflicts with managed anti-virus.  Specifically, we have no way to have an integrated control panel where we can view the anti-virus status of all the machines under our care with it.  We need to use third party AV, and that can't be installed until Windows Defender is disabled.

Office 2013:
The good:  Multiple windows are back, so you can easily put one spreadsheet on one monitor and a different on the other and work efficiently.

The bad:
Visually I think Office 2013 is awful.  It has inherited the squareness of Windows 8, and it also has a terrible color scheme.  These two things added together get rid of all the visual cues I used to tell the end of one window and the start of another.  Some of this may be the fact that I am color blind, but there is a decent populace of color blind people.

How emails are visually identified as unread changes, and again I find it less visually obvious than earlier versions.

I guess those are my initial comments, feel free to chime in and disagree with me, tell me how smart I am, etc etc.

Monday, March 11, 2013

An Issue of Resolve

Running ISC's bind can be liberating, allowing you to do interesting things, but it can also be frustrating.  I don't know that this is actually an issue with Bind, or with DNS in general.  But definitely, you can see the issues with bind.  The two most common weird issues I have run into relate to IPv6 and eDNS.  Well and primarily IPv6 and eDNS in networks not fully prepared for either (shame on me).

For IPv6 issues, really the simple answer is to turn off IPv6 on your name server.  Debian's more recent versions of bind allow for the addition of a '-4' command line flag, most easily facilitated by editing /etc/default/bind9 to add that commandline option.  You can also turn off IPv6 on the machine in question.  Or *gasp* get yourself fully on IPv6.

If the problem isn't that you are resolving IPv6 addresses that are going nowhere, the next likely culprit is eDNS.  eDNS and its ilk cause larger than normal DNS response packets.  Large enough that some routers, firewalls, NAT devices, etc. don't know how to handle those packets and DNS resolution breaks.  If you have effective logging you will see messages like "success resolving 'www.facebook.com/A' (in 'facebook.com'?) after reducing the advertised EDNS UDP packet size to 512 octets"

To test where eDNS is going amiss, you can use the following commands:
dig +norec +dnssec example.com @a.root-servers.net
dig +dnssec +norec +ignore dnskey se @A.NS.se

The first tests if eDNS packets larger than 512 bytes work, while the second tests if everything in the path can handle IP fragmentation.  If the first fails, you need to disable edns.  If the first succeeds and the second fails, you need to limit the edns packet size to prevent fragmentation.  The bind option edns-udp-size can help with both:
edns-udp-size 512;
or
edns-udp-size 1460;

Friday, March 8, 2013

Linux Cheatsheet

It can be very useful to have a cheat sheet of information about a command or system you don't often use.  I have created my own cheat sheets for things like mdadm, exim, sendmail, etc.  But today on LifeHacker, a general Linux Cheat Sheet was covered.  The person who wrote it did a great job; it is meant to be saved in your home dir and viewed via either Emacs or Vi.  Of course, you can just use more/less and it works just as well.  So onto the brilliance:

https://github.com/WilliamHackmore/linuxgems/blob/master/cheat_sheet.org.sh

Wednesday, February 13, 2013

Generate Self Signed Certificate on IIS7 with custom CommonName


It appears that generating a self signed certificate for use with IIS7 is trivial, utilizing the IIS->Server Certificates->Create Self-Signed Certificate wizard. Unfortunately, that wizard will only create a certificate with a CN of the computer's FQDN according to Windows. To create one with an alternate CN:

Download the IIS 6.0 Resource Kit.
Run the installer and select to install only the SelfSSL Tool.
Look up the IIS Site ID by clicking Sites in IIS Manager
Open a command prompt and change directory into "C:\Program Files (x86)\IIS Resources\SelfSSL"
Execute: SelfSSL.exe /N:CN=fqdn.com /V:1000 /S:SiteID

Verify certificate exists in IIS Manager->IIS->Server Certificates

Bind to appropriate Site.

Note: Error 0x80092023 indicates you followed other directions that stated the commandline as /N:CN:fqdn.com instead of /N:CN=fqdn.com
Expect to receive an error 0x80040154, it can be ignored.

Monday, February 4, 2013

Stupid Android Tricks

My work has an internal forum with a WYSIWYG editor. That is a step up from what it previously was, but it had Web 2.0 menus which would prevent a long hold to paste on the android. After much frustration I found out if you long hold on something instead of empty space the paste button does come up. So type a random character and press on that.

Thursday, January 17, 2013

Computer Maintenance for the "Normal" person

If you are a regular computer user, you most likely have been impacted by a computer virus and/or computer failure.  So what should you be doing to prevent that?  The two things that will help the most are keeping your computer updated and backing your computer up.

Backup is the most troubling for me personally on desktop machines.  On computers I manage at work, we use Acronis imaging software, and I am partial to that.  Of course, that software isn't free.  I now use cloud services like Google Drive and Dropbox for my personal any docs and spreadsheets I utilize outside of work, but that leaves a gaping hole for other types of data that doesn't easily fit in free cloud services.  The things I worry about are Pictures, Music, and eBooks.  For these, I manually back them up periodically, but even I have gotten burned on not remembering to do that often enough.

For software updates, there is a slightly better story.  My recommendations are multi-pronged:

Make sure you have Windows automatic updates enabled to install new updates when needed.  Also that Microsoft Updates are checked, to update any other Microsoft products you are using.

The other major component is Ninite.com.  Ninite allows you to select various programs and do a single silent install for all of them.  While that is pretty cool by itself, it is even cooler for updates because you just keep the installer you create and every couple of weeks double-click on it; it will then install any updates for those pieces of software.

The Windows Update/Ninite combination will take care of about 90+% of software updates that the normal person needs to run.

Monday, January 14, 2013

ifconfig.me

Sometimes you just need an easy way to get what your external dynamic IP address is from the commandline, possibly to utilize in a script.  I have used a variety of websites that have provided this information but today I looked at ifconfig.me and it impressed me.  Not only does it provide some nice information in the default view, it provides alternate URLs for specific information.  Do you want your IP as plaintext, no html, well `curl ifconfig.me/ip`

Saturday, January 5, 2013

Wordpress JetPack Carousel Comments Cause Load

While the Wordpress Jetpack Carousel looks awesome, it just killed my site. Digging into things, the issue was caused by changing formerly static cached pages into pages that made AJAX calls to PHP to see if there were comments available.

I posted on the issues forum for Wordpress and didn't meet with much success. You can see the one response I got here.

The AJAX calls are actually generated by javascript from the file ./wp-content/plugins/jetpack/modules/carousel/jetpack-carousel.js. The easiest way to stop the comment check from causing server load is to edit the file by finding the lines:
    getComments: function( args ) {
        if ( 'object' != typeof args )
and change them to
    getComments: function( args ) {
        return;
        if ( 'object' != typeof args )
which effectively disables the getComments function (the early return means the rest of the body is never reached).

Friday, January 4, 2013

Bash Completion and ssh

The bash tab completions I use most are the ssh suite of completions, primarily hostname expansion. I also use other tab completions based off of the ssh suite, such as ping, telnet, etc. Hostname completion is primarily accomplished by reading the user's ~/.ssh/known_hosts, but this is hampered by the current default configuration of the ssh client: hostnames are masked because the 'HashKnownHosts' option is set to yes. The default for 'HashKnownHosts' is set to yes to limit the usefulness of a compromised shell, since a list of hosts that a particular user connects to can be utilized to exploit further machines that allow key based login or similar passwords. To change the default, edit ~/.ssh/config and add the following line:
HashKnownHosts no
This will not convert existing host entries to plaintext hostnames; you may need to delete entries and recreate them. To delete them individually, 'ssh-keygen' can be used:
ssh-keygen -f ~/.ssh/known_hosts -R <hostname>
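To see how much of a known_hosts file is actually usable for completion before deciding on HashKnownHosts, here is a small script, added as an example and not code from the original post. It assumes the standard OpenSSH known_hosts line layout (host list, key type, key), with hashed entries beginning "|1|".

```shell
# Added example: report which hostnames bash completion could learn from a
# known_hosts file and how many entries are hidden by HashKnownHosts.
# Assumes OpenSSH's known_hosts layout: "hosts keytype key [comment]", where
# hosts is comma-separated, may be written "[host]:port", and hashed
# entries start with "|1|".

# One plain hostname per line, sorted, duplicates removed.
known_hosts_names() {
    awk '
        NF == 0 || substr($1, 1, 1) == "#" { next }   # blank line or comment
        substr($1, 1, 1) == "@" { next }              # @cert-authority / @revoked: key policy, not a plain host
        substr($1, 1, 3) == "|1|" { next }            # hashed entry: hostname not recoverable
        {
            n = split($1, hosts, ",")
            for (i = 1; i <= n; i++) {
                h = hosts[i]
                sub(/^\[/, "", h); sub(/\]:[0-9]+$/, "", h)   # [host]:port -> host
                if (h != "" && h !~ /[*?]/) print h            # skip wildcard patterns
            }
        }' "$1" | sort -u
}

# Number of entries whose hostnames are hidden by hashing.
known_hosts_hashed_count() {
    grep -c '^|1|' "$1" || true   # grep exits 1 when the count is 0
}

# One-line summary, defaulting to the current user's file.
known_hosts_report() {
    f=${1:-$HOME/.ssh/known_hosts}
    echo "$(known_hosts_names "$f" | wc -l) completable hostnames, $(known_hosts_hashed_count "$f") hashed entries in $f"
}
```

Every host that only appears as a hashed entry shows up in the hashed count but never in the completion list, which is exactly the trade-off the HashKnownHosts default makes.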