Saturday, July 30, 2005

Fedora Core 4

I finished my second upgrade to Fedora Core 4. Not everything is ironed out yet with the build, of course. But one thing is for sure: a lot has happened to the RedHat I knew before.

I must say, of all the changes, for me the nicest addition is the new SELinux extensions. For deep background on the reasons for and theory of SELinux, read The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments.

The more I work with SELinux the more I realize I need to know about it, and how exactly it does all its stuff. It certainly changes things relating to users, directories and access. As I am starting to learn it, I'm sure I'm doing things the hard way. :)

The major difference, so far for me, in Red Hat's SELinux is the way ftp is handled. vsftpd is still the server, which is great. However, it seems to be designed to run as a daemon rather than invoked via xinetd. If you grab a working copy of the xinetd file for vsftpd you can still invoke it via the xinetd wrapper. I did my first server upgrade in this manner. The current one I am trying as a daemon. I certainly think I will miss some of the features that the xinetd wrapper brings, and may yet return to it.

Of all the issues I saw, the most notable is if you want to enable chroot directories outside of the normal /home/xxx with vsftpd. These will fail with a

500 OOPS: cannot change directory: /mnt/xxxxx

I was able to use ftp if I logged in with an account with a directory in /home, but once I set a user account to have a home drive outside of /home (in this case on a mounted secondary disk) vsftpd barfs the above.


I found information at the NSA that indicates you can disable SELinux protection of the ftp daemon:

setsebool -P ftpd_disable_trans 1

This seems a bit drastic. It certainly works for now though.

I think ultimately the issue resides with policies, but as SELinux policies are new to me, it will take time before it all gets sorted out. As I spend time with the new SELinux extensions in Fedora Core 4 I will keep you updated on my thoughts and configuration lessons.
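Before turning the whole ftpd domain off with the boolean above, it helps to see exactly what SELinux denied vsftpd. The following is an added example, not part of the original post: a POSIX shell function that summarizes AVC denial records for one command (on Fedora Core 4 these records normally land in /var/log/audit/audit.log or /var/log/messages). The sample records are constructed; the function assumes the standard audit record layout with one permission per "{ }" set.

```shell
#!/bin/sh
# Constructed sample AVC records (not from the original post). The field layout
# follows the standard SELinux audit format; the vsftpd lines mimic a chroot
# login into a home directory on a mounted secondary disk.
SAMPLE_AVC=$(cat <<'EOF'
type=AVC msg=audit(1122700001.001:101): avc:  denied  { search } for  pid=2201 comm="vsftpd" name="mnt" dev=hda2 ino=4097 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:mnt_t tclass=dir
type=AVC msg=audit(1122700001.002:102): avc:  denied  { read } for  pid=2201 comm="vsftpd" name="files" dev=hdb1 ino=12 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:mnt_t tclass=dir
type=AVC msg=audit(1122700001.003:103): avc:  denied  { search } for  pid=2202 comm="vsftpd" name="mnt" dev=hda2 ino=4097 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:mnt_t tclass=dir
type=AVC msg=audit(1122700001.004:104): avc:  denied  { getattr } for  pid=3310 comm="httpd" path="/var/www/x" dev=hda2 ino=99 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=file
EOF
)

# avc_summary COMM   (reads audit records on stdin)
# Prints one line per distinct denial raised by the named command:
#   "<count> <permission> <object class> <target type>", most frequent first.
# Assumption: one permission inside the braces; an optional MLS level after
# the target type (":s0") is tolerated and dropped.
avc_summary() {
    grep 'avc:  denied' | grep "comm=\"$1\"" |
    sed -n 's/.*denied  { \([a-z_]*\) }.*tcontext=[^ ]*:object_r:\([a-z_]*\)[^ ]* tclass=\([a-z_]*\).*/\1 \3 \2/p' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2, $3, $4 }'
}

# Run over the constructed sample: the three vsftpd records collapse into two
# distinct denials on the mnt_t directory (search x2, read x1); the httpd
# record is left out.
printf '%s\n' "$SAMPLE_AVC" | avc_summary vsftpd
```

The target type in the output (here mnt_t) is the label SELinux saw on the directory outside /home, which is the thing a policy fix has to address rather than the daemon as a whole.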

Till Next Time,

Sean Riley
President, DogRiley

Friday, July 29, 2005

Node-Runner Network Monitoring

I had been using a quick and dirty Perl-based network monitor called penemo for some of my clients' sites. Now mind you, this is not mission-critical Tivoli-type monitoring and correlation, just a way for me to stay ahead of my clients. Recently the penemo developers' site has lapsed, so I thought I would try a new project.

I was looking for something new, and came across node-runner. It is PHP-based, has web-based configuration and reporting screens, and uses MySQL as a back end.

The installation scripts did not work for me, but the README and INSTALL files have all of the manual steps to handle the work. I found that when installing node-runner it is best to keep the basic file structure intact in a /usr/local/node-runner directory. This means keep etc, include, contribs, sql all under here.

I had tried to split the etc stuff into /usr/local/etc, but never got that running right.

Then you move the web files to the server, create a cron job for the PHP polling application, edit the conf files with the proper path locations, and you should be good to go.

The application seems to be running well; PHP strict mode generates a bunch of errors about variables that are not initialized, but nothing that halts operation.

It has options for mailing groups for outage notifications, options to add users, and the ability to check servers using ICMP, TCP, UDP, HTTP, and SNMP. I have only tried HTTP, ICMP, and TCP to date, but have had no issues.

I will keep you updated.

Till Next Time,

Sean Riley
President, DogRiley


Thursday, July 28, 2005

Spam, sp4m, sp@m, $p@m, and amspay

Top spammer-obfuscated words (from Sophos):

  1. cialis
  2. orgasms
  3. viagra


LOL, made me laugh. Daily we deal with large volumes of the stuff, and dealing with spam is messy business, but SpamAssassin can make it easier. The Bayesian filter, with a little training on good mail (ham) and bad mail (spam), does awesome work.

I still laugh when I read some of the messages. I just have a hard time believing anyone able to work a computer would be taken in by such obvious flim-flam.

Anyway,

Enjoy

Wednesday, July 27, 2005

Clam AntiVirus FSG File Processing Overflow

Don't worry, I'm not turning this into a security bulletin blog :) But there is an issue with ClamAV.

We do use ClamAV on a bunch of our systems. I have found it to work great, and we use it as a first line of defense in many client situations, allowing us to drop virus-laden E-mails early in the incoming mail route.

If you haven't run it, I would recommend it: the virus list is large, response time for new signatures is tops, and freshclam will ensure that your definitions stay up to date. It allows you to submit viruses easily, and even add your own (there is a good tutorial in PDF found on antionline.com).

If anything interesting comes up during the patching, I will surely let you know.

Till next time:
Sean Riley
President, DogRiley

Thursday, July 21, 2005

RedHat up2date and Plesk

We run Plesk on our hosting servers at DogRiley. We chose it because the interface it offers our clients for managing aspects of their domains is quite nice. While Plesk has a nice interface, upgrades to the base OS and to Plesk itself can be challenging and problematic. Unfortunately, due to the nature of the business, security updates for operating systems are something that cannot be avoided, and we take them seriously.


So......


During a recent up2date session I learned a few tricks about how to better deal with the interaction of Plesk and RedHat, and thought I would cover them here, in case someone else can learn from them.


When running a normal up2date session I like to always test the environment by doing a dry run:

up2date --dry-run

It is a good way to get a feeling for any challenges you may be facing. Pay close attention to any dependency problems. Up2date is good, but sometimes it doesn't solve all your dependencies. When running up2date make sure that you have configured the pkgSkipList to exclude packages. Run

up2date --configure

and option 9 will allow you to add to the skip list. Normally for servers I have kernel* in there to prevent kernel upgrades. These I will do at separate times and based on security issues that demand an upgrade, not just because a new kernel is out.


On our last up2date run we discovered 2 issues with the upgrade that affected our operations. The first was with the rpm packages. When rpm and its associated packages rpm, rpm-python, rpm-devel, rpm-libs and rpm-build get upgraded you run into an issue with Plesk 7. After the upgrade Plesk will no longer accept any logins to the control panel; it will complain about

"Unable to exec utility packagemng: packagemng: Unable to open rpm db: cannot open Packages using db3 - (-30982)"


A short-term fix I found was to delete the __db.00* files that reside in /var/lib/rpm:

rm -f /var/lib/rpm/__db*

This allows Plesk logins again, but it causes an issue with rpm and up2date: they are unable to read the rpm database. To fix this issue you can delete the __db.00* files again and run

rpm --rebuilddb

You can then run up2date and rpm, but you cannot log into Plesk. I eventually found that by returning to an older revision of the rpm programs, rpm-4.2.3-10, I was able to resolve this issue, and run both Plesk and up2date without any problems. So we now have excluded rpm* with up2date --configure on all of our Plesk hosting servers.


The second issue I found with Plesk is that during the update process suexec was upgraded to a newer version. This in itself didn't present a problem until a client who uses FrontPage extensions called. It turns out that Plesk is fussy about suexec, and uses a special version called psa-suexec; when psa-suexec and suexec get out of sync, a symptom is that FrontPage extensions stop working. Simply copy suexec to another file like suexec.original and then copy the existing psa-suexec to suexec:

cp /usr/sbin/psa-suexec /usr/sbin/suexec

This restores all of the necessary functionality for FrontPage extensions to work fine.
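Since an up2date run can silently replace suexec again, the out-of-sync state is worth checking for before a client calls. The script below is an added example, not from the original post or from Plesk: a POSIX shell check that compares the two binaries and a restore step that keeps the first suexec as suexec.original. The directory is a parameter (SBIN) so the functions can be exercised on a scratch directory; on a real server it would be /usr/sbin.

```shell
#!/bin/sh
# Added example (not from the original post or from Plesk).
# SBIN is passed in so the functions can run against a scratch directory.

# suexec_in_sync SBIN -> exit 0 when suexec is byte-identical to psa-suexec
suexec_in_sync() {
    cmp -s "$1/psa-suexec" "$1/suexec"
}

# restore_psa_suexec SBIN -> copy psa-suexec over suexec, keeping the first
# suexec seen as suexec.original; an existing backup is never clobbered.
restore_psa_suexec() {
    sbin=$1
    [ -x "$sbin/psa-suexec" ] || { echo "no psa-suexec in $sbin" >&2; return 1; }
    if ! suexec_in_sync "$sbin"; then
        if [ -e "$sbin/suexec" ] && [ ! -e "$sbin/suexec.original" ]; then
            cp -p "$sbin/suexec" "$sbin/suexec.original"
        fi
        cp -p "$sbin/psa-suexec" "$sbin/suexec"
    fi
    suexec_in_sync "$sbin"
}

# Self-contained dry run on a scratch directory with constructed stand-ins
# for the two binaries (tiny echo scripts, not the real suexec programs).
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho plesk-suexec\n' > "$demo_dir/psa-suexec"
printf '#!/bin/sh\necho distro-suexec\n' > "$demo_dir/suexec"
chmod 755 "$demo_dir/psa-suexec" "$demo_dir/suexec"
suexec_in_sync "$demo_dir" && echo "in sync" || echo "out of sync"
restore_psa_suexec "$demo_dir" && "$demo_dir/suexec"
rm -rf "$demo_dir"
```

Running suexec_in_sync from a cron job (non-zero exit means drift) gives the same early warning without touching anything.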

We will soon be doing the Plesk upgrade from Plesk 7 to Plesk Reloaded. I have read that there are some challenges with this, and of course will share what we learn with you all.


Till next time:
Sean Riley
President, DogRiley

Monday, July 18, 2005

Exchange Server and Extended Server Usage Report

I have had some issues with the default reporting that Microsoft provides with Small Business Server 2003. The Extended Reports have often shown unusually high numbers of messages sent at my various clients. After a talk with an employee at a client site regarding a very unusually high number of messages sent (over 6K) I decided to nail it.

Recently I spent some time looking into the issue. I became concerned that maybe the servers or SMTP server was being compromised. First I looked into relay, and tested to make sure that relays were disabled. I can never remember the syntax for the telnet session to the mail server, so I keep this page bookmarked. That yielded no results, which was a good sign. I then tried to authenticate and send, thinking maybe the server was allowing authenticated remote connections and we had a compromised password. Again, nope.


After these fairly quick checks it was time to play the Google game. After a few searches and refining terms I found that there is a known bug in the usage reporting tool and how it counts E-mails. A single message to 4 recipients in 4 different domains ends up being counted as 16 outgoing mail messages (scratches head on that).


Anyway, hopefully this will help those out there who are seeing the same results in their reports.


You are reviewing your server reports, right?


Till next time:
Sean Riley
President, DogRiley

Sunday, July 17, 2005

Calendar

Well, Thunderbird is doing great!

However, I just realized that all of my calendar entries needed to be moved over from Outlook. Ugghhh.

Got to whip out the Outlook disk and reinstall Outlook. After this I look into the import to Calendar, and it wants a delimited text file from Outlook. No problem. I go into Outlook, set it as default again (it really isn't happy unless it is number 1), and attach my old pst files. I hit File - Import and Export - Choose Export to File (Windows) and, lo and behold, a translator is not installed. Whip out the disks again and install the translator. This enables me to get my calendar out to a CSV file; thinking my tasks will be needed too, I export them as well.

When importing to Calendar I get a strange JavaScript error, but then things look OK. It asks me to map fields from Outlook to Calendar and seems to guess right; when I import, all looks well.

I tried the import of tasks and would advise against it. It drops the entries in as calendar events, which isn't very helpful. Mozilla mentions that Outport exists, but I didn't have enough tasks or the inclination at this time to play with it.

Till next time:
Sean Riley
President, DogRiley

Friday, July 15, 2005

Outlook and Thunderbird:

I needed access to my E-mail from my failed laptop hard drive, and Thunderbird could import from Outlook, so I thought I was good to go.

Well, if you have ever needed to recover Outlook messages you will know that you can't if you don't have Outlook. Even Outlook Express needs Outlook's MAPI files to access the address book and e-mail folders under Outlook. Thunderbird complained there was no Outlook on my machine to import from. So I was stuck, kind of. I needed access to Outlook, but I didn't have a license on the running machine.

So I bent the rules. I installed Outlook on my new desktop, created my profile, and then attached the old pst files via File - Data File Management. Outlook gives you 50 starts without registration, so you don't have to worry about that nightmare. Once attached, Thunderbird was able to import the contents of my address book and all mail folders fine. Woohoo!

Now all that was left was to remove Outlook from my machine.

I started using Thunderbird, and frankly liked the interface, options and controls. But I got a call from a client and suddenly I needed to make an appointment in my calendar.....

But there was no calendar. So I hit mozilla.org and started looking around. Boy, they have a bunch of cool extensions. But no obvious calendar. They have all the calendar stuff here. You need to download the calendar code for Thunderbird and then include it using the Tools - Extensions menu. Then add it to the toolbar so it is handy (View - Toolbar - Customize).

So I'm off and running, Thunderbird as default mail client, and Calendar for my schedule and To Do lists.

Till next time:
Sean Riley
President, DogRiley

Thursday, July 14, 2005

The push over the edge

It finally happened......


I got back late from a long weekend, flipped open my laptop and proceeded to check my mail. Its startup was strange: first the CPU fan came on hard, no POST beep, and none of the normal startup light sequences. Hmmm... Taking a deep breath, I held the on button until it shut down and tried it again.


This time the startup proceeded normally; I got to log into Windows XP and started Outlook. As soon as Outlook loaded the display went crazy, and all I could see was multicolored vertical lines. I played with it some more (holding my breath), but results were poor.


It finally happened: my 3-year-old Gateway laptop was toast.


This thing served me well; it goes everywhere with me, and although it has suffered no abuse, its life has not been cushy. The folks at Gateway were nice on the phone; for a reasonable cost they are replacing the motherboard in the unit, and will get it back to me sometime in the next 10-15 business days....... yikes....


I had foreseen this event happening, and bought a new desktop for Christmas to handle QuickBooks and other crucial parts of my business, so luckily I had a machine. I was also able to pick up a small 2.5" drive housing that I could put the laptop's hard drive in while the system was repaired, so my data was available to me. But what about applications?


Well, applications are the problem, aren't they? They tend to add the most expense to any computer system these days, and so on the new desktop I had opted out of the expensive Microsoft Office Suite and had been using OpenOffice whenever I needed to touch a spreadsheet or word processing document, which to this point was rare. But so far I have produced a few documents and spreadsheets this week, and have exchanged them with clients without incident.


Probably the thorniest issue I had to work through was E-mail. Having used Outlook exclusively for the last 3 years, I had a considerable amount of important stuff in Outlook pst files. Well, Thunderbird to the rescue (sort of)........


Next post I'll cover my Outlook -> Thunderbird issues and solutions, and will continue to post about my experiences with OpenOffice as my time without MS Office continues.


Till next time:
Sean Riley
President, DogRiley

Wednesday, July 13, 2005

More Large company antics

First Post.........

Feeling like chattel today. I used to be an AT&T Wireless customer. We all know they were bought by Cingular a while ago. So after dealing with the issues of my company plan not mapping directly to the new Cingular billing system, and the resulting overages (which is a whole other story), I run into this....

I come to find out recently that my pager service at xxxxxxxxx@mobile.att.net stopped working. It worked fine for a while after the merger, and then suddenly stopped. I use this service in business so equipment at client sites can contact me when there is a problem. So I finally get the time to call Cingular and traverse the voice mail jail to get to customer service to find out what my new address is. 3 calls, involving 2 random disconnects, and I get an answer to my simple question: "What is my new pager address for E-mail delivery?" Silly me not to try it with the rep on the phone. Turns out it is the wrong answer. Another call through voice mail jail and finally I get and test the correct answer. For those who care: xxxxxxxxxx@mmode.com is the correct answer.

So why is it that 2 super large telecommunications companies can't set up a simple E-mail forwarding for addresses on the AT&T system mapping to new Cingular addresses? Or transfer the mobile.att.net domain to Cingular until all AT&T customers' contracts run out? It doesn't seem technically challenging, and would be great, transparent customer service. It seems that 4 calls from tons of subscribers to technical support is easier. It took close to an hour of my time to deal with getting a simple answer. And a bunch of time and effort on theirs to provide the support.

My customers would never accept this type of technical snafu, but we the consumer are growing more and more like chattel that are sold, bartered, and traded. We moo our way through the voice mail mazes to our slaughter.


Till next time:
Sean Riley
President, DogRiley