Friday, 15 July 2011

Google+ invites available

I've got a few Google+ invites; does anyone want one?
Just comment with your email and I will send you the invite.
Cheers all!

Monday, 25 April 2011

My SELinux Quick Reference

Tested on RHEL/CentOS 5

Check status of selinux
sestatus

List security context of file and/or directories
ls -Z /dir

List the security context of all processes (grep for the one you want)
ps axZ | grep procname

Change the security context of a file/dir
chcon -Rv --type=proc_sys_content_t /dir (survives a reboot)
semanage fcontext -a -t proc_sys_content_t "/dir(/.*)?" (survives a filesystem relabel)

Restore the security context of a file/dir
restorecon -Rv /dir/subdir

Allow access to a port, eg.
semanage port -a -t http_port_t -p tcp 81

Toggling SELinux policies with boolean commands;
see this wiki


When a service on your server is hitting a restriction enforced by SELinux (in enforcing mode), you can troubleshoot it by first switching SELinux to permissive mode and then reviewing the audited security-context denials:
setenforce 0

If SELinux (now in permissive mode) is logging denials for a specific process in /var/log/audit/audit.log, you can resolve them by reviewing what SELinux would have required in order to allow the access. For example, for snmpd:
grep snmpd_t /var/log/audit/audit.log | audit2allow -r

If the results look reasonable, build a custom policy module that allows those actions:
grep snmpd_t /var/log/audit/audit.log | audit2allow -M snmpdlocal

and then load the module:
semodule -i snmpdlocal.pp

then check that the module is loaded:
semodule -l

Monitor audit.log to confirm the issue is resolved. If all looks ok, revert SELinux to enforcing:
setenforce 1
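The review step above is the one that matters: audit2allow will happily turn every denial it sees into an allow rule, so you need to read what it proposes. As an added Python illustration (not from the post, and not audit2allow itself), the script below parses constructed AVC records in the audit.log format, keeps only one source domain the way the grep for snmpd_t does, groups the denied permissions per target type and object class, and prints them in the same allow syntax audit2allow emits, so you can see what a module would grant before building it. The sample log lines and the type names in them are constructed for this example.

```python
"""Summarise SELinux AVC denials the way a reviewer reads audit2allow output:
which source domain wanted which permissions on which target type and class.
Added illustration; the audit records below are constructed, not from a real host."""
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log (RHEL 5 style). Not real data.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1303736800.101:1201): avc:  denied  { read } for  pid=2345 comm="snmpd" name="mounts" dev=proc ino=4026531842 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1303736800.102:1202): avc:  denied  { open } for  pid=2345 comm="snmpd" name="mounts" dev=proc ino=4026531842 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1303736805.300:1210): avc:  denied  { name_connect } for  pid=2345 comm="snmpd" dest=81 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1303736800.101:1201): arch=c000003e syscall=2 success=no exit=-13 a0=3 comm="snmpd"
type=AVC msg=audit(1303736900.000:1300): avc:  denied  { write } for  pid=3001 comm="httpd" name="index.html" dev=sda1 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# Only AVC records carry the denial; SYSCALL/PATH records are ignored.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """user:role:type[:level] -> the type (third field), e.g. snmpd_t."""
    return context.split(":")[2]


def parse_denials(log_text, source_type=None):
    """Return {(source_type, target_type, tclass): set(permissions)} for every
    denied AVC, optionally restricted to one source domain (like grepping snmpd_t)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = selinux_type(m.group("scontext"))
        if source_type and src != source_type:
            continue
        key = (src, selinux_type(m.group("tcontext")), m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return dict(denials)


def allow_rules(denials):
    """Render one 'allow' rule per (source, target, class), as audit2allow prints them."""
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(denials.items())
    ]


if __name__ == "__main__":
    # Same narrowing as: grep snmpd_t /var/log/audit/audit.log | audit2allow
    for rule in allow_rules(parse_denials(SAMPLE_AUDIT_LOG, "snmpd_t")):
        print(rule)
```

Run it and compare the output with what `audit2allow -r` prints for your real log; a rule like the tcp_socket name_connect one above is the kind that deserves a second look, because `semanage port` (see the quick reference above) may be the narrower fix than a new policy module.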

Tuesday, 1 February 2011

Configuring squid proxy for ldap authentication

This article is intended for someone with prior knowledge of how the squid proxy server works. It seeks to summarise and simplify the process of configuring squid to authenticate against an LDAP directory and, optionally, to set up access controls to web resources based on LDAP groups.

Note that you probably need kernel-devel openldap-devel packages on your system.

Make sure that your squid is compiled with ldap support. If not already so, you can reconfigure your squid by re-running './configure' as follows:

]# ./configure --sysconfdir=/etc/squid --bindir=/usr/sbin --includedir=/usr/include --localstatedir=/var --with-logdir=/var/log/squid --datadir=/usr/share --libexecdir=/usr/lib/squid --enable-basic-auth-helpers="LDAP MSNT NCSA" --enable-external-acl-helpers="ip_user ldap_group unix_group wbinfo_group"


Then in your squid.conf you should configure authentication by modifying the auth paragraph/directives

auth_param basic program /usr/lib/squid/squid_ldap_auth -b "ou=yourou,o=yourorg" -f "uid=%s" -h your_ldap_server.domain.com
auth_param basic children 10
auth_param basic realm "Domain.Org Proxy-Cache"
auth_param basic credentialsttl 5 minutes


To be able to filter users with ldap groups, you need to configure external acl like:

external_acl_type ldap_groups %LOGIN /usr/lib/squid/squid_ldap_group -b "ou=your_ou,o=your_org" -f "(&(cn=%g)(memberUid=%u))" -h your_ldap_server.domain.com


On the acls, you specify the handle for your auth

acl ldap_authenticated proxy_auth REQUIRED
acl allowed_groups external ldap_groups mygroup
acl subnet1 src 10.0.0.0/255.255.0.0


Then finally on the http_access section:

http_access allow subnet1 ldap_authenticated allowed_groups


Here, you should remember that squid access rules are read sequentially top-down, and when a match is found processing stops, so the order of your allow/deny directives matters very much.
The above statement matches all users in subnet1 who are successfully authenticated and belong to the LDAP group 'mygroup'.

Test your setup to see if auth is working ok. On the command prompt run:
/usr/lib/squid/squid_ldap_auth -b "ou=yourou,o=yourorg" -f "uid=%s" -h your_ldap_server.domain.com

and supply a username, a space, and the password.
If it returns 'OK' then your auth is set up ok. Make sure there is only a single space between the username and the password.
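Two things are going on in that test: the helper line format (one space separates user and password, which is why the spacing matters) and the filter template from squid.conf (`uid=%s`, and `(&(cn=%g)(memberUid=%u))` for the group helper) that the helper fills in with what the user typed. The Python below is an added illustration of both, not squid_ldap_auth's own code: it splits a helper line the way the protocol defines it, and builds the filters from the templates with RFC 4515 escaping of the substituted values, which is what any helper has to do before placing a login name inside a search filter. The input strings are constructed; whether the real helper escapes in exactly this way is an assumption, not something the post states.

```python
"""Helper-line parsing and LDAP filter building for the squid.conf templates above.
Added illustration, not squid_ldap_auth code; inputs are constructed."""
import re


def parse_helper_line(line):
    """A Squid basic-auth helper reads 'username password' lines, split on the
    first space only. Two spaces between the fields leak the extra space into
    the password, which is the mistake the post warns about."""
    line = line.rstrip("\n")
    if " " not in line:
        return None
    user, password = line.split(" ", 1)
    return user, password


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter:
    backslash, *, ( ) and NUL become \\XX hex escapes so a login name such as
    '*' is matched literally instead of acting as a wildcard."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_filter(template, user, group=None):
    """Substitute %s and %u (login) and %g (group) into a squid.conf filter
    template, escaping each value before it is placed in the filter."""
    mapping = {"%s": user, "%u": user, "%g": group}

    def substitute(match):
        value = mapping.get(match.group(0))
        if value is None:
            raise ValueError("no value for " + match.group(0))
        return escape_filter_value(value)

    return re.sub(r"%[sug]", substitute, template)


if __name__ == "__main__":
    user, password = parse_helper_line("jdoe s3cret\n")           # constructed
    print(build_filter("uid=%s", user))                            # uid=jdoe
    print(build_filter("(&(cn=%g)(memberUid=%u))", user, "mygroup"))
    print(build_filter("uid=%s", "*"))                             # uid=\2a
```

The last line is the defensive point: a login of `*` becomes `uid=\2a` and can only match a user literally named `*`, rather than turning the bind lookup into a wildcard search.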

As a bonus, you may consider making your squid.conf immutable:
]# chattr +i /etc/squid/squid.conf


This has been tested against CentOS 5.3 with squid-3.0.STABLE12 installed from source.

Wednesday, 20 October 2010

HTTP Rewrite

Someone may find this useful. If you have configured your site for https access and you want anyone who tries to access it using plain http to be redirected to https automatically, you can use rewrite in this fashion:

# This rewrites all hits on port 80 to port 443
<VirtualHost *:80>
     RewriteEngine On
     # Only act when the request did not arrive over TLS
     RewriteCond %{HTTPS} !on
     RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R,QSA,L]
</VirtualHost>


On the ssl configuration, you may want to:
<VirtualHost *:443>
     ...
     RewriteEngine On
     # Now send everyone to your https base (document root)
     RewriteRule ^/(.*) http://your_https_site/$1 [L,P]
</VirtualHost>


For help with the flags used, check http://borkweb.com/story/apache-rewrite-cheatsheet. Of course you need mod_rewrite in your apache.
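To see what the port-80 rule actually sends back for a given request, here is an added Python emulation of that one RewriteCond/RewriteRule pair (an illustration written for this post, not Apache code; the host names, paths and query strings are constructed). It applies the `^/?(.*)` pattern, builds the `https://%{HTTP_HOST}/$1` target, carries the query string along, and returns nothing when the `%{HTTPS} !on` condition fails.

```python
"""Emulate the port-80 redirect rule so its condition and flags can be checked
without running Apache. Added illustration; request values are constructed."""
import re

RULE_PATTERN = re.compile(r"^/?(.*)")   # RewriteRule ^/?(.*) ...


def port80_redirect(host, path, query="", https=False):
    """Return the Location the port-80 vhost would redirect to, or None when
    RewriteCond %{HTTPS} !on fails because the request already came over TLS.
    $1 is the path minus any leading slash, so the target always has exactly
    one slash after the host; the original query string is preserved."""
    if https:
        return None
    rest = RULE_PATTERN.match(path).group(1)
    target = "https://%s/%s" % (host, rest)
    if query:
        target += "?" + query
    return target


if __name__ == "__main__":
    # constructed requests
    print(port80_redirect("www.example.org", "/login", "next=%2Fhome"))
    print(port80_redirect("www.example.org", "/"))
    print(port80_redirect("www.example.org", "/login", https=True))
```

Two details worth knowing when you copy the rule: `[R]` on its own is a temporary (302) redirect, and `[R=301]` makes it permanent if that is what you intend; and because the substitution contains no `?`, mod_rewrite keeps the incoming query string anyway, so `QSA` is harmless here but only strictly needed when the substitution adds its own query parameters.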

Wednesday, 11 August 2010

[zenoss] employ ping down dependency to suppress other events


import time

# Zenoss event transform. evt and device are supplied by Zenoss when the transform runs.
summary = str(evt.summary)

# Device is already ping-down: any other non-ping event is just a symptom, drop it
if getattr(evt, 'severity', 0) > 0 \
and getattr(evt, 'eventClass', '/Unknown') != '/Status/Ping' \
and device and device.getPingStatus() > 0:
    evt._action = "drop"

# Timeout-style summaries: the ping monitor may not have noticed yet, so wait and re-check
if device and ((summary.find("Command timed out") >= 0) \
or (summary.find("Socket timeout") >= 0) \
or (summary.find("Unable to read") >= 0) \
or (summary.find("Process not running") >= 0) \
or (summary.find("SNMP agent down") >= 0) \
or (summary.find("No response from") >= 0)):
    if device.getPingStatus() <= 0:
        time.sleep(8)
        if device.getPingStatus() > 0:
            evt._action = "drop"
    else:
        evt._action = "drop"

# Devices below production state 400 (maintenance/decommissioned): drop everything
if getattr(evt, 'prodState', 99) < 400:
    evt._action = "drop"
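Transforms like this are awkward to test because they run inside Zenoss with evt and device provided for you. As an added illustration (not part of the post), the same decision is written below as a pure function with the sleep injectable, together with constructed stub event and device objects that mimic only the attributes the transform reads, so the three drop paths can be exercised offline before the transform is pasted into the event class.

```python
"""Testable form of the ping-down suppression transform above. Added illustration;
StubEvent and StubDevice are constructed stand-ins for Zenoss objects."""
import time

TIMEOUT_PHRASES = ("Command timed out", "Socket timeout", "Unable to read",
                   "Process not running", "SNMP agent down", "No response from")


def should_drop(evt, device, sleep=time.sleep, recheck_delay=8):
    """Return True when the transform would set evt._action = 'drop'."""
    if getattr(evt, 'prodState', 99) < 400:
        return True                     # maintenance/decommissioned device
    summary = str(evt.summary)
    if (getattr(evt, 'severity', 0) > 0
            and getattr(evt, 'eventClass', '/Unknown') != '/Status/Ping'
            and device is not None and device.getPingStatus() > 0):
        return True                     # device already ping-down: symptom event
    if device is not None and any(p in summary for p in TIMEOUT_PHRASES):
        if device.getPingStatus() <= 0:
            sleep(recheck_delay)        # give the ping monitor time to notice
            return device.getPingStatus() > 0
        return True
    return False


class StubEvent:
    """Constructed stand-in for a Zenoss event with the fields the transform reads."""
    def __init__(self, summary, severity=3, eventClass='/Unknown', prodState=1000):
        self.summary = summary
        self.severity = severity
        self.eventClass = eventClass
        self.prodState = prodState


class StubDevice:
    """Constructed stand-in for a Zenoss device. getPingStatus() > 0 means ping-down;
    successive calls return the given values in order, repeating the last one, so a
    device can 'go down' between the first check and the re-check."""
    def __init__(self, *statuses):
        self._statuses = list(statuses)

    def getPingStatus(self):
        if len(self._statuses) > 1:
            return self._statuses.pop(0)
        return self._statuses[0]


if __name__ == "__main__":
    no_sleep = lambda seconds: None
    print(should_drop(StubEvent("Disk full"), StubDevice(1), sleep=no_sleep))            # True
    print(should_drop(StubEvent("SNMP agent down"), StubDevice(0, 0, 1), sleep=no_sleep))  # True
    print(should_drop(StubEvent("SNMP agent down"), StubDevice(0, 0, 0), sleep=no_sleep))  # False
```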

Wednesday, 26 May 2010

Monitoring a Fedora Directory Server based LDAP service (FDS, CDS, RHDS) with Zenoss

I am publishing a new ZenPack to monitor an FDS LDAP service. The ZenPack greatly extends the LDAPMonitor (you may want to remove it completely if you were using it to monitor FDS).
The ZenPack provides:

* FDS-LDAPserver template, which provides:
  • Monitoring for the ldap and ldaps ports
  • Monitoring of the SSL certificate validity for your server
  • LDAP operations, binds and failure stats/graphs for your FDS server
* RHDS-MIB
  • An implementation of the MADMAN MIB for monitoring LDAP/CLDAP and X.500 directories, described in RFC 2788 and RFC 2789
* An /Events/Status/LDAP event class transform to modify the event summary for threshold-triggered events.

* The ZenPack uses both command and SNMP datasources.

The ZenPack is extensible, and one can incorporate other SNMP datasources or modify the graphs generated from them.