Google (GMail team specifically) randomly decides to enforce strict SSL for external POP3/IMAP accounts

After Google announced it was doing away with personal (or was it trial?) Google Apps accounts, I’m getting the impression they want to get rid of freeloaders (like me). I have a free GMail account, which I’ve set up to retrieve messages over POP3S from my e-mail server at home. This gives me better spam and phishing filtering, and also gets me the e-mail addressed to my personal account (@moldvan.com). This was a great setup until…

On December 12th (or around there; the official announcement was vague), the GMail team decided to flip the switch to do strict SSL certificate checking. What this means is that if there is any problem with the server’s SSL cert, the connection will be rejected and, boom, you’ve got no e-mail anymore.

The above was done without any warning, and I just thought things were quiet until I logged into my GMail account Sunday evening and saw “Error synchronizing account (account name)”. Digging through the error, I found that the certificate had expired (I was using the default Dovecot SSL config).

Aaaanyway, special thanks to Sergiy Dzysyak at http://site4fast.blogspot.com/2011/10/dovecot-ssl-how-to.html, who put together a good document on getting the SSL part of DoveCot working okay.

The first mistake I made was adding the ssl_cert_file and ssl_key_file to /etc/dovecot/dovecot.conf, instead of /etc/dovecot/10-ssl.conf. The config in 10-ssl.conf overrode the other one, and I didn’t know I had e-mail sitting lonely on my GX260 at home for a few nights.

I got a free SSL cert a while back from StartSSL.com, but they don’t support subdomains, so mail.moldvan.com wasn’t going to work anymore. I quickly changed my MX records to point to www.moldvan.com (the CN of the SSL cert I got for free), and changed up the config mentioned above, and all was well again. :D
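
A check for the two failures described above (an expired certificate and a CN that does not cover the name the client connects to), written as an added example; it is not from the original post and not Dovecot’s or Google’s code. It is POSIX shell around the openssl command-line tool; the hostname, port and file paths are placeholders, and the live check at the end assumes openssl can find the system CA bundle, since a strict client also requires the chain to verify.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the certificate a
# POP3S/IMAPS server presents, the way a strict client such as Gmail will:
# is it still valid, and does it name the host the client connects to?
# Hostname, port and paths are placeholders.

# Print the subject CN and every DNS: entry of the subjectAltName, one per line.
cert_names() {
    # The sed handles both "CN = x" (OpenSSL 1.1+) and "/CN=x" (OpenSSL 1.0) subject output.
    openssl x509 -noout -subject -in "$1" |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
    openssl x509 -noout -text -in "$1" |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Return 0 if HOST is covered by the CN or a DNS SAN, exactly or via a
# leftmost-label wildcard (*.example.invalid covers mail.example.invalid).
# Runs in a subshell so "set -f" (no filename globbing of "*.") stays local.
cert_matches_host() (
    set -f
    host=$2
    parent=${host#*.}
    for name in $(cert_names "$1"); do
        [ "$name" = "$host" ] && exit 0
        [ "$parent" != "$host" ] && [ "$name" = "*.$parent" ] && exit 0
    done
    exit 1
)

# Return 0 if the certificate expires within DAYS days (or already has),
# 1 if it stays valid that long, 2 if the file cannot be parsed.
cert_expires_within() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || { echo "cannot read $1" >&2; return 2; }
    if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Live check against a mail server (not exercised offline): fetch the
# certificate, verify the chain against the system CA store, then apply
# the two checks above. A strict client rejects the account if any fail.
check_mail_server() {
    host=$1; port=${2:-995}; days=${3:-14}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null) || true
    tmp=$(mktemp) || return 2
    printf '%s\n' "$out" | openssl x509 -out "$tmp" 2>/dev/null || {
        rm -f "$tmp"; echo "$host:$port: no certificate received" >&2; return 2; }
    status=0
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' ||
        { echo "$host: chain does not verify against the system CA store"; status=1; }
    cert_matches_host "$tmp" "$host" ||
        { echo "$host: certificate names ($(cert_names "$tmp" | tr '\n' ' ')) do not cover $host"; status=1; }
    cert_expires_within "$tmp" "$days" &&
        { echo "$host: certificate expires within $days days"; status=1; }
    rm -f "$tmp"
    return $status
}
```

Run `check_mail_server mail.example.invalid 995 14` from cron and alert on a non-zero exit; with the cert from this post it would have flagged the expiry before Gmail did, and the CN of www.moldvan.com would have failed the name check for mail.moldvan.com.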

DNSMasq breaks DNSBL! Fixed…


So this was driving me nuts, and was effectively stopping me from turning off GMail and using my own e-mail server with RoundCube/ZPush. Basically, I get a ton of spam. One of the reasons I’d been using GMail is because the spam detection is great.

To block spammers, there are RDNSBLs (Reverse DNS Black Lists): you look up the sender’s IP address (octets reversed, as in the queries below) under the list’s zone, and the lookup returns something in the 127.0.0.0/8 range if the sender is on the “bad list”. Your MTA can be configured to block senders based on these responses.

At home, I have Tomato installed on my wireless router. I’m all set to use that as a DNS server to speed up and cache DNS lookups, but there is one problem: when a response comes back as 127.0.0.x from a DNS lookup, DNSMasq doesn’t like this and simply drops it. This is very bad for a RDNSBL, as it relies on exactly that type of response.

I’ve been tinkering with getting this working forever, and tcpdump again helped me debug an application that wasn’t giving me much info. On my web/e-mail server, I watched the output of tcpdump for port 53 and waited a while until a spam message came through. I saw that Sendmail was doing the lookup; however, each time it was simply letting the “bigger boobs” or whatever spam message through. I couldn’t for the life of me figure out why even my manual lookups were failing:

[root@webl001t mail]# nslookup 45.83.75.187.zen.spamhaus.org.
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
*** Can't find 45.83.75.187.zen.spamhaus.org.: No answer

<<< Note >>>: Repeat the above ad nauseam for about a month, on and off of course

Finally, I decided it wasn’t Sendmail that was the pain in the ass, and it had to be my router. Just as a hunch, I unchecked “Use internal DNS”, and after a “service network restart” on the server, the same DNS lookups were now working!

[root@webl001t mail]# nslookup 45.83.75.187.zen.spamhaus.org.
Server:
Address:

Non-authoritative answer:
Name: 45.83.75.187.zen.spamhaus.org
Address: 127.0.0.4
Name: 45.83.75.187.zen.spamhaus.org
Address: 127.0.0.11

This, however, wasn’t the best solution, as I’d rather not use my ISP’s DNS servers if possible. But I was finally on to something. Googling “DNSMasq DNSBL” came up with a lot of hits, and this discussion finally got me the answer.

After I added the below to my Tomato configuration under Advanced -> DNS/DHCP, I was finally good to go, still using my own DNS and also able to look up names whose answers fall in 127.0.0.0/8.

rebind-domain-ok=/rfc-ignorant.org/
rebind-domain-ok=/sorbs.net/
rebind-domain-ok=/uribl.com/
rebind-domain-ok=/surbl.org/
rebind-domain-ok=/dnswl.org/
rebind-domain-ok=/njabl.org/

[root@webl001t log]# nslookup 45.83.75.187.zen.spamhaus.org.
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name: 45.83.75.187.zen.spamhaus.org
Address: 127.0.0.4
Name: 45.83.75.187.zen.spamhaus.org
Address: 127.0.0.11
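
The DNSBL mechanics from this post in shell, as an added example (not from the original post, not dnsmasq’s or Spamhaus’s code), with the resolver output from the sessions above embedded as constructed samples. It builds the reversed-octet query name, decodes the 127.0.0.x answer (the specific codes are Spamhaus ZEN’s documented return values; other lists define their own), and tells “listed”, “clean” and “no answer at all” apart, because the last one is exactly what a resolver with rebind protection produces for a listed address. It also writes the rebind-domain-ok lines for the zones you query; the zone used in the lookups above, zen.spamhaus.org, is not in the list of six shown, and dnsmasq only passes loopback answers through for zones that are named.

```shell
#!/bin/sh
# Added example, not from the original post: DNSBL query construction,
# answer decoding and a triage of resolver output. Sample output below is
# constructed after this post's nslookup sessions.

# Reverse the octets of an IPv4 address under a list zone:
# 187.75.83.45 in zen.spamhaus.org -> 45.83.75.187.zen.spamhaus.org
dnsbl_query_name() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" '{ print $4 "." $3 "." $2 "." $1 "." zone }'
}

# Decode one answer address. Anything in 127.0.0.0/8 means "listed"; the
# specific values are Spamhaus ZEN's documented return codes, other lists
# define their own. 127.255.255.x are ZEN error codes, not listings.
dnsbl_decode() {
    case "$1" in
        127.0.0.2)       echo "listed: SBL (verified spam source)" ;;
        127.0.0.3)       echo "listed: SBL CSS (snowshoe / compromised)" ;;
        127.0.0.[4-7])   echo "listed: XBL (exploited host, open proxy or bot)" ;;
        127.0.0.1[01])   echo "listed: PBL (dynamic / end-user address space)" ;;
        127.255.255.254) echo "error: query came through a public resolver, not answered" ;;
        127.255.255.255) echo "error: query limit exceeded, not answered" ;;
        127.*)           echo "listed: code $1 (see the list's documentation)" ;;
        *)               echo "not a listing: non-loopback answer $1" ;;
    esac
}

# Extract the answer addresses from nslookup output: the "Address:" lines
# that follow "Non-authoritative answer:", skipping the resolver's own.
nslookup_answers() {
    awk '/Non-authoritative answer:/ { in_answer = 1; next }
         in_answer && $1 == "Address:" { print $2 }'
}

# Classify nslookup output read from stdin. Exit 0 = listed, 1 = clean,
# 2 = the list returned an error code, 3 = no answer at all. A "no answer"
# for an address the list does know is the signature of a resolver that
# drops 127.0.0.0/8 replies (dnsmasq with rebind protection on).
dnsbl_verdict() {
    answers=$(nslookup_answers)
    if [ -z "$answers" ]; then echo "no-answer"; return 3; fi
    for a in $answers; do
        case "$a" in 127.255.255.*) echo "error"; return 2 ;; esac
    done
    for a in $answers; do
        case "$a" in 127.*) echo "listed"; return 0 ;; esac
    done
    echo "clean"; return 1
}

# Emit dnsmasq lines allowing loopback answers for the given zones. The zone
# you actually query (zen.spamhaus.org above) must be among them.
dnsmasq_rebind_ok() {
    for zone in "$@"; do printf 'rebind-domain-ok=/%s/\n' "$zone"; done
}

# Live check (not run offline): query a list through the given resolver.
# Usage: dnsbl_check 187.75.83.45 zen.spamhaus.org [192.168.1.1]
dnsbl_check() {
    nslookup "$(dnsbl_query_name "$1" "$2")." ${3:+"$3"} 2>/dev/null | dnsbl_verdict
}

# Constructed samples in nslookup's output format, after this post's sessions.
SAMPLE_DROPPED='Server:  192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
*** Cannot find 45.83.75.187.zen.spamhaus.org.: No answer'

SAMPLE_LISTED='Server:  192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name:    45.83.75.187.zen.spamhaus.org
Address: 127.0.0.4
Name:    45.83.75.187.zen.spamhaus.org
Address: 127.0.0.11'
```

Running `dnsbl_check 187.75.83.45 zen.spamhaus.org 192.168.1.1` against the router and then against an outside resolver is the quickest way to tell the two states apart: a listed address that comes back “no-answer” from the LAN resolver but “listed” from the other one is the rebind-protection symptom, not a list outage.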

Coming to you live from moldvan.com … also, WTFPL

Well, sort of live anyway. I purchased moldvan.com to make my e-mail addresses shorter and set up the forwards in Sendmail, so that works okay now. Since the changes to my A records haven’t propagated yet, moldvan.com on the web side still forwards to matthewmoldvan.com. Oh well.

Another funny thing I found while digging through the imapsync source for work is the following:

imapsync is free, open source but not always gratis software cover by
the Do What The Fuck You Want To Public License (WTFPL).
See COPYING file included in the distribution or the web site
http://sam.zoy.org/wtfpl/COPYING

Opening that URL gives the following:

            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
                    Version 2, December 2004

 Copyright (C) 2004 Sam Hocevar 

 Everyone is permitted to copy and distribute verbatim or modified
 copies of this license document, and changing it is allowed as long
 as the name is changed.

            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  0. You just DO WHAT THE FUCK YOU WANT TO.

Well said, sir.

Mounting an NFS share on the Seagate BlackArmor NAS 110

I had a hell of a time using the NFS options on the Seagate BlackArmor NAS, mostly because of the lack of documentation from Seagate regarding the options necessary to actually use the damn thing as an NFS share. In my mount options, I kept getting the error:

Connecting to NAS volume:
Unable to connect to NAS volume : NFS Error: Unable to Mount filesystem: The mount request was denied by the NFS server. Check that the export exists and that the client is permitted to mount it

This is of course because I was specifying the wrong path to the NFS share (because of the lack of documentation on the correct path). Well, after a few guesses, I finally figured out what was wrong and was able to mount the device as a data store in ESX 3.5. Basically the share name was :/nas/.

Of course they don’t tell you this anywhere in the documentation, nor did I find any forum posts or other results on the web about it.

So, hopefully this helps someone out there.

WHY IS OUR WEBAPP SO SLOW? SSL Client certs and JBoss 4.2.3

Today we had a problem after enabling client certificate authentication in JBoss 4.2.3. At first, I googled the problem and found a suggested JBoss speedup: set the SSLRandomSeed option to /dev/urandom instead of the default “builtin”. The reasoning was that the SSL code was reading /dev/random, which blocks until the kernel has gathered enough entropy (from mouse movement, keyboard input, etc.) to produce “uniquely random” output; /dev/urandom never blocks for lack of entropy, so the initial SSL client handshake should be quicker.

From WikiPedia:

When the entropy pool is empty, reads from /dev/random will block until additional environmental noise is gathered.[3] The intent is to serve as a cryptographically secure pseudorandom number generator, delivering output with entropy as large as possible. This is suggested for use in generating cryptographic keys for high-value or long-term protection.

Slightly problematic was the fact that /dev/random should be used for more “secure” applications, as opposed to /dev/urandom.

Anyway, long story short, the /dev/random thing didn’t fix our issue. The actual problem was that DNS lookups from the server to the outside world were blocked (the server was probably trying to do name lookups for the FQDNs of the certs/etc), and this was causing the initial connection to go VERY slowly (8 seconds or so until the DNS lookup timed out).

The simple(r) fix was to open up the firewall from that server to the world, and all was right. In the end, I did end up learning a bit more about entropy and JBoss, so I consider it a win. :D

I’m done with cars, they are just too complicated. (satire of ZDNet’s “Done with Linux, going back to Windows”)

Thanks to Michael Hall, who wrote a very funny article titled “If Linux was a car (Hater’s edition)” as a follow-up to the almost comical ZDNet article by David Gewirtz titled “Why I’ve finally had it with my Linux server and I’m moving back to Windows”.

In the comments I’ve noticed the author doesn’t mind republishing with source, so here is the full story:

There have been several humorous variations of the “If Linux was a car…” theme, but a recent rant against Linux made me wonder, what would the stereotypical hater’s opinion be on our modern automobiles? Here is how I imagine it would go:

I’m giving up on cars. Every few years I test-drive a car, to see if they’ve reached the point where they are usable to everyday people, and every time I am disappointed. Sure, maybe coverall-wearing mechanics and uber-elite NASCAR drivers can figure out how to operate them, but they’re just too damned complicated for your average joe.

To start off, there are literally hundreds of different kinds of cars, and they’re all different. How do car makers expect a non-expert to be able to select one? Most manufacturers even make different “models” of their car, so it’s not enough to just say you want a Ford, now you have to decide which Ford you want. I don’t know ahead of time whether I’m going to want to move furniture, go off-roading or cruise the Autobahn, why should I have to pick one? Why can’t they just make one car that does everything?

And once you finally do pick a car, it’s nearly impossible to maintain. You can’t even replace the air filter without opening the hood! My Grandma isn’t going to open the hood. Even regular maintenance can ruin your car if it’s not done in exactly, EXACTLY, the right frickin’ way. After test-driving the latest version of some Toyota, a light came on telling me it needed more fuel. Okay, I thought, there’s a fueling station right down the block, this should be easy enough. But no. First of all, I don’t even know what side of the car the fuel opening is on, so I pull up to a pump only to discover it’s on the other side! (I later found out that there’s a nearly hidden message on the dash indicating what side it’s on, but it’s certainly not made abundantly clear). After pulling around to another pump, I’m greeted by not one, not two, but four different kinds of fuel. At this point I probably should have spent an hour reading the car’s manual to discover which of these mystery liquids is the right one, but I just want to drive, I don’t want to become a freakin’ mechanic! So I pick the one with the nicest looking handle (a pretty green one called “Diesel”), and don’t you know it, the stupid thing doesn’t even fit my car! Luckily the convenience store sells fuel containers, so I can at least pump five gallons at a time into that, then pour it into my car. It’s a horrible user experience and a lot of work, but at least now I have a full tank right? Well not so fast, evidently this fuel sucks, or my car sucks, or something, but it’s making an awful lot of smoke and driving slow. Who’d have thought that something as simple as refueling could wreck this thing?

So that car is a lost cause, but I want to finish my review of automobiles, so I borrow one from a colleague who is always telling me that his works just fine. Luckily for me it has a full tank already, so I don’t have to try and navigate that minefield again. His car runs fairly well, but it doesn’t have much “bling” if you know what I mean. I decided to install some features that I’ve seen on other cars, so I go to my nearest big-box store and immediately I’m hit with another huge list of options. Seriously, how many different CD players do we need? I just want one that plays music. I don’t really know which one is best, so I just grab the cheapest one they have only to discover that, yet again, it doesn’t “Just fit”. This thing is about an inch too tall for my co-worker’s dashboard. This time I consult The Google, and find video tutorials for installing this thing. So I grab my Sawzall and some plywood, and follow along. The end result isn’t pretty, and it has a faint burning-plastic smell when I turn the volume up, but at least I got something working.

So now I am cruising around town with my Katy Perry blasting and the windows down (because that darn burning plastic smell makes me dizzy), only to be stopped by the “traffic police”. What nobody bothered to tell me when I was looking at using a car was that evidently there are rules you have to follow. There are so many rules, I later learned, that there’s an entire manual devoted to them. And a test too! Do people really expect that their parents will be able to remember all of these crazy rules? And why does my car even have the ability to go 120 MPH if I’m not even allowed to do it?

So that’s it, I’m giving up. Cars are just too damn complicated for normal people to use. There are too many choices, most of which will end up breaking your car. There are too many rules, and by the time you follow them all, driving isn’t even fun anymore. To top it all off, my brand new CD player ended up causing a small fire even though I followed every single one of the YouTube video’s instructions. So I returned this smoldering pile of junk to my co-worker, and as he was muttering something about “theft” and “pressing charges”, I promised myself that from that point on I was sticking to my good old trustworthy horse and buggy.

Bash script to wait for a file to become unchanged after x seconds

Use case: You’re writing a shell script to stop/start a system service, but only want to do so when there is no activity in the server log. Change the FILE variable below to point to that log file, and modify the actions below under DONE=1 to what is needed.

Of course this assumes there is a file called “test-file” in the same directory as the script, but that can be changed easily. The script could also be modified to accept parameters for how long to wait, but that’s left up to the reader if the functionality is required.

#!/bin/bash
# Wait until the last line of FILE has stayed the same for 10 consecutive
# seconds, then fall through to the stop/start actions at the bottom.
FILE=test-file
if [ ! -f "${FILE}" ]; then
	echo 'file dont be there'
	exit 1
fi
DONE=0
CHANGED=0
while [ "$DONE" != "1" ]; do
	THEN=$(tail -n 1 "$FILE")
	# Poll once a second for 10 seconds; leave the poll as soon as the last
	# line changes, so the 10-second quiet period starts over.
	for i in $(seq 1 10); do
		NOW=$(tail -n 1 "$FILE")
		if [ "$NOW" == "$THEN" ]; then
			CHANGED="0"
			# DEBUGGING # echo 'no change'
		else
			CHANGED="1"
			break
		fi
		sleep 1
	done
	# DEBUGGING # set -x
	if [ "$CHANGED" == "0" ]; then
		DONE="1"
	fi
	# DEBUGGING # echo "Done is $DONE"
	# DEBUGGING # echo "Changed is $CHANGED"
	sleep 1
	# DEBUGGING # set +x
done
# The file has been quiet for 10 seconds: put the service stop/start here.
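
The post leaves the parameters to the reader; here is that extension as an added example, not the post’s script: a function taking the file, the quiet period and an optional overall timeout, so a caller can give up instead of waiting forever on a busy log. It watches the file’s size instead of its last line, which covers an edge case the last-line check misses: a log that writes the same line twice in a row looks unchanged even though it is active. The size comes from `wc -c`, which exists on GNU and BSD userlands alike; an in-place rewrite that keeps the byte count identical would still go unnoticed, and log rotation by truncation is not handled. The service name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not the post's script: wait until FILE has stopped growing
# for QUIET seconds, with an optional overall TIMEOUT, then return so the
# caller can stop/start its service. Exit codes: 0 quiet, 1 timed out,
# 2 FILE is not a regular file.
# Usage: wait_until_quiet FILE QUIET_SECONDS [TIMEOUT_SECONDS]
wait_until_quiet() {
    file=$1; quiet=$2; timeout=${3:-0}
    [ -f "$file" ] || { echo "wait_until_quiet: $file: not a regular file" >&2; return 2; }
    waited=0; still=0
    last=$(( $(wc -c < "$file") ))          # $(( )) strips the padding BSD wc adds
    while [ "$still" -lt "$quiet" ]; do
        if [ "$timeout" -gt 0 ] && [ "$waited" -ge "$timeout" ]; then
            echo "wait_until_quiet: $file still active after ${timeout}s" >&2
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
        now=$(( $(wc -c < "$file") ))
        if [ "$now" -eq "$last" ]; then
            still=$((still + 1))           # one more quiet second
        else
            still=0; last=$now             # activity: the quiet period starts over
        fi
    done
    return 0
}

# Example use, mirroring the post's stop/start scenario (service name is a placeholder):
# if wait_until_quiet /var/log/myservice.log 10 600; then
#     service myservice restart
# fi
```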

TIL – Linux – getting around “operation not permitted”

Today we had a strange corrupted file end up on one of our backup servers, which was not allowing any kind of chown or rm operations. We couldn’t take ownership through a chown, and could not do chmod, rm -f, etc. A stat of the directory (“tulip” in our case) showed some ridiculous timestamps (last accessed was 1988 and changed was 2040), a sign of an obviously corrupt file.

First, to view the file attributes, do the following:

lsattr

This will show you the file attributes on all files in the directory; look for any entry whose flag field isn’t just dashes (most files will show a set of dashes like below, with only the e flag, the normal ext4 extent flag, set).


-------------e- ./kb-logo.gif
-------------e- ./Firefox_wallpaper.png
----------I--e- ./Downloads
-------------e- ./navPrimeRight3.png
-------------e- ./3_sync_db.sh
-------------e- ./Desktop

To remove the attributes, try the following (of course replace filename with the filename or directory you’re having trouble with):


for i in a c d i t u A D S T; do chattr -"${i}" filename; done

Later we searched for other files that might have the same issue (replace “.” with your directory name). Note that in my case I’m throwing away the error stream from lsattr…


find . -exec lsattr -d {} \; 2>/dev/null | awk '$1 !~ /^[-e]+$/'

From the chattr man page:

The letters `acdeijstuADST' select the new attributes for the files:
append only (a), compressed (c), no dump (d), extent format (e),
immutable (i), data journalling (j), secure deletion (s), no tail-merging (t),
undeletable (u), no atime updates (A), synchronous directory updates (D),
synchronous updates (S), and top of directory hierarchy (T).
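
An added example, not from the original post: a small parser for the lsattr output shown above, run on the post’s own sample lines plus two constructed ones. It names each flag using the chattr man page letters just quoted, and separately reports which entries would produce the “operation not permitted” seen here: of all the flags, only immutable (i) and append-only (a) make chown, chmod and rm fail that way, and both need root (CAP_LINUX_IMMUTABLE) to clear. The I in the post’s ./Downloads line is the htree “indexed directory” flag, which lsattr displays but chattr can neither set nor clear; it is not a sign of trouble. No root is needed to run this; it only reads text.

```shell
#!/bin/sh
# Added example, not from the original post: triage "Operation not permitted"
# by reading lsattr output and naming the attributes that are set. It can be
# fed the output of the find/lsattr pipeline above, or the sample below.

# Constructed sample in lsattr's format (flags field, then the path); the
# first and third lines are from the post, the other two are made up.
SAMPLE='-------------e- ./kb-logo.gif
----i--------e- ./locked.log
----------I--e- ./Downloads
-----a-------e- ./audit.log'

# Name one attribute letter (chattr(1) list; I is the read-only htree flag).
attr_name() {
    case "$1" in
        a) echo "append only" ;;        c) echo "compressed" ;;
        d) echo "no dump" ;;            e) echo "extent format" ;;
        i) echo "immutable" ;;          j) echo "data journalling" ;;
        s) echo "secure deletion" ;;    t) echo "no tail-merging" ;;
        u) echo "undeletable" ;;        A) echo "no atime updates" ;;
        D) echo "synchronous directory updates" ;;
        S) echo "synchronous updates" ;;
        T) echo "top of directory hierarchy" ;;
        I) echo "indexed directory (htree, display-only flag)" ;;
        *) echo "unknown flag $1" ;;
    esac
}

# Print "path: name, name" for every entry whose flags contain anything other
# than '-' or 'e' (e is the normal ext4 extent flag and not a problem).
lsattr_unusual() {
    while read -r flags path; do
        case "$flags" in
            *[!e-]*) ;;          # something other than '-' or 'e' is set
            *) continue ;;       # default entry, skip it
        esac
        names=""
        rest=$flags
        while [ -n "$rest" ]; do
            ch=${rest%"${rest#?}"}   # first character of $rest
            rest=${rest#?}
            case "$ch" in -|e) continue ;; esac
            names="${names:+$names, }$(attr_name "$ch")"
        done
        printf '%s: %s\n' "$path" "$names"
    done
}

# Return 0 if the flags make chown/chmod/rm fail with "Operation not
# permitted" (immutable or append-only), else 1. Uppercase I does not count.
blocks_modification() {
    case "$1" in *i*|*a*) return 0 ;; *) return 1 ;; esac
}

# Print the command root would run to clear both blocking flags (not executed here).
unlock_command() {
    printf 'chattr -i -a %s\n' "$1"
}
```

Pipe `find . -exec lsattr -d {} \; 2>/dev/null` into `lsattr_unusual` to get a readable list, then check each flagged entry with `blocks_modification` before reaching for chattr; an entry whose only unusual flag is I needs nothing done.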

Automation Alley Event – Matt Moldvan, Global Manufacturing Cloud Security Lead

OK, so that’s not my “real” title. But recently I was asked to present in place of my company’s President, and this was the title bestowed on me by a marketing individual. In the press release, my title was listed as “Global Manufacturing Cloud Security Lead”. After I regained my composure from laughing hysterically at this misnomer, I replied-all to the message (which also included the President and the CFO) jokingly requesting a raise and a corner office.

All jokes aside, I will be presenting on October 11th, 2011 at Automation Alley in Troy at the event titled “A Day in the Clouds: Cloud Computing as a Growth Catalyst” on Secure Cloud Utilization Strategies. I’ll be discussing types of cloud security models, potential security issues, and how to mitigate those risks in the cloud.

Below is a link to the event on Automation Alley’s website, as well as some others that have picked up the story. If all goes well perhaps a video recording of the event will also be made available.

Media mentions of the event so far:

  • Automation Alley event page
  • Local Fox News mention by Murray Feldman in the Business events portion of the broadcast
  • WJR on-air live – Frank Beckmann
  • Great Lakes IT Report
  • Royal Oak Tribune and Patch on-line newspapers

From the Automation Alley site (modified to include my name):

Speakers:

  • Scott Caulk, VP Product Management, IDV Solutions
    Turbulence in the Cloud: Designing Business Intelligence Software Fit for the Firmament
  • Greg Frazier, Owner, Marsnet Software
    Cloud Computing Enabling Elastic Growth
  • Tatiana Melnik, Attorney, Dickinson Wright PLLC
    Cloud Computing and the Law: Concerns and Best Practices
  • Paul Czarnik, Chief Technology Officer, Compuware
    Cloud Performance: What Cloud Application Performance Means to the Business
  • Paul Miner (note: substituting is Matt Moldvan), Chief Technology Officer, Security Inspection Inc.
    Secure Cloud Utilization Strategies: How to Leverage Capabilities and Maximize Cost Savings

Agenda:
8:30 – 9:00 a.m. Registration and networking
9:00 a.m. – noon Program

Cost:
Members – Pre-registration: $20; At the door: $30
Non-members – Pre-registration: $40; At the door: $50
Pre-registration closes October 7, 2011 at close of business.

TIL – Run As in Microsoft Server 2008

Long story short, there is only a “Run as Administrator” option in Server 2008, unless you hold down “Shift” before you right click.

Run as is a great tool to test password changes, permissions, and so on. Recently during a customer visit, we changed the Administrator password to something ridiculously long and had to be absolutely sure we could authenticate using the new password before logging out and back in. A decent test of this was creating a shortcut to “cmd.exe” on the desktop, then doing a “Run as” with that user and the new password.

Source