Categories

July 24, 2008

Kaminsky DNS Exploit released!

Filed under: Throughout the Web - baudizm @ 2:26 pm

This is the first time that I’m going to be posting an article about the DNS issue found by Dan Kaminsky came about. Not because of the severity of this problem, nor is it about how prolific Kaminsky and his skills about hacking is. This post is about how fast something develops within the Internet.

The DNS problem found by Kaminsky, and featured all over the web caused tremendous concern among a lot of security experts, and administrators. Read more to get an idea about DNS and what it does.

In just 2 days since Halvar Flake posted his “speculation” on how Dan Kaminsky can perform a massively successful DNS cache poisoning attack, CaughQ’s Druid and Metasploit’s HD Moore joined efforts in delivering what appears to be the first exploit code specifically targetted at Dan Kaminsky’s DNS bug which Dan happened to be trying to keep hush-hush since its discovery.

The exploit was released and announced at Full Disclosure today at around 3AM local time (11AM Manila Time). Here’s a portion of the mail header for the sent time.

Received: from cpe-24-28-73-141.austin.res.rr.com (HELO ?10.3.3.33?)
(druid@24.28.73.141)
by mail.caughq.org with SMTP; 24 Jul 2008 03:08:35 -0000

Druid and HDMoore’s exploit code, coded on Ruby, appeared to have taken details from Halvar Flake’s “speculation” to implement the attack. Although a lot of people believed that Halvar Flake’s speculation may have been a little off, but it appeared that Halvar may have almost nailed it on the head thus prompting CaughQ and Metasploit to take a look, thus arriving at the latest exploit code.

Disclosure header received at Full Disclosure:


____ ____ __ __
/ \ / \ | | | |
----====####/ /\__\##/ /\ \##| |##| |####====----
| | | |__| | | | | |
| | ___ | __ | | | | |
------======######\ \/ /#| |##| |#| |##| |######======------
\____/ |__| |__| \______/

Computer Academic Underground
http://www.caughq.org
Exploit Code

===============/========================================================
Exploit ID: CAU-EX-2008-0003
Release Date: 2008.07.23
Title: bailiwicked_domain.rb
Description: Kaminsky DNS Cache Poisoning Flaw Exploit for Domains
Tested: BIND 9.4.1-9.4.2
Attributes: Remote, Poison, Resolver, Metasploit
Exploit URL: ------ removed -------
Author/Email: I)ruid
H D Moore
===============/========================================================

Description
===========

This exploit targets a fairly ubiquitous flaw in DNS implementations
which allow the insertion of malicious DNS records into the cache of the
target nameserver. This exploit caches a single malicious nameserver
entry into the target nameserver which replaces the legitimate
nameservers for the target domain. By causing the target nameserver to
query for random hostnames at the target domain, the attacker can spoof
a response to the target server including an answer for the query, an
authority server record, and an additional record for that server,
causing target nameserver to insert the additional record into the
cache. This insertion completely replaces the original nameserver
records for the target domain.

Quoting Dan Kaminsky, “the cat is out of the bag.” Sorry Dan, I don’t think you can stop this now. And I think you know who to blame for this, that is if he/she/they/it can really be blamed?

The rate/speed of development is just truly amazing. The extent?

TechnoratiTechnorati , , , , ,
Site Search Tags: , , , , ,

June 5, 2008

Retrieving LVM volume data with Ubuntu and backup to NFS server

Filed under: Hard and Soft, Linux, Tips and Tricks - baudizm @ 3:08 pm

It’s just a really weird problem that we have today. A perfectly fine Fedora box just suddenly will not boot. When it does not get to initiate booting, GRUB fails saying that the hard drive just cannot be read. The box is somewhat critical and we need to have it running back up (pun intended) since it’s our backup server for most of the managed sites. I guess i’ts not a healthy box as we have been believing.

A little history, it’s an Intel P4-based box on an ASUS P5DR1-VM mobo, on 1GB of RAM. Yeah, it’s not a hefty box. Fedora 8 was installed by a colleague without any issues. Until recently.

It was running fine the other day, then yesterday it just stopped. Checking what happened, the primary hard drive, a Maxtor 80GB PATA, is being bitchy. I rebooted the box and went CMOS. The Maxtor HDD is being identified alright so I proceed to reboot again and see if it will boot up. Again, GRUB stops and cries error reading the drive. “Hmmm.. That’s not right.” I said. I left it overnight and returned to it in the morning.

Another thing that worried me was what if the data on the second hard drive, a Seagate Barracuda 250GB SATA, was also affected? and another thing is that both the Maxtor and the SATA are on LVM!

Aaaarrggghhh!

Crossing fingers, I tried to boot to Fedora 8 install disc and proceeded to use Rescue System. But to no avail… Rescue System wasn’t able to identify a valid Fedora install. “What-the-eff!” Wasting no time, I rebooted and went back to CMOS, all the while feeling the Maxtor hard drive with my hand for any indication that the drive is spinning. Sure enough, CMOS tells me Maxtor’s not there, and the drive isn’t spinning. “Gotcha!” I powered down the box, swapped the hard drive data cable (ribbon cable with new one) and used another Molex power connector (the PSU still has extras) and powered the box up. Checked the CMOS, and voila! Maxtor’s back on the drive list, and the drive is spinning. So far so good. A few things left for me to do — make sure the data is intact, and that I can do backup of the backup (get it?)

This time, I’m using Ubuntu 8.04 Hardy Live CD as my recovery disk. Ubuntu booted smoothly and proceeded to open the Terminal as root. Then tried to check if I’ll be able to see the LVM volumes:

root@linux:~# vgscan
The program 'vgscan' is currently not installed. You can install it by typing:
apt-get install lvm2
bash: vgscan: command not found

Ok, fine. So I proceeded and install lvm2:

root@linux:~# apt-get install lvm2
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
dmsetup
The following NEW packages will be installed:
dmsetup lvm2
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 365kB of archives.
After this operation, 1065kB of additional disk space will be used.
Do you want to continue [Y/n]? y

After installing the required package, I proceed to vgscan again, and saw the LVM volume group - in my case VolGroup00. Before I can proceed, I had to do ‘modprobe dm-mod’ first. I leave it up to you as an assignment what this does =) . I then proceeded and typed ‘lvs’ in the terminal. And then proceeded with the magic incantations:

root@linux:~# mkdir /mnt/myLVM
root@linux:~# vgscan
root@linux:~# modprobe dm-mod
root@linux:~# vgchange -ay VolGroup00
root@linux:~# lvs
root@linux:~# mount /dev/VolGroup00/LogVol00 /mnt/myLVM

And there you have it! I got my LVM mounted, and I was able to copy the data I need from it. Whew!

However, my problem is not yet over. I have no clean destination drive to store the would-be-retrieved data. Hmmm, alright. I’m putting it to our shiny Sun Microsystems X2100 M2 server which currently has 500GB of disk space. Fine, fine. It’s running SLES so setting up the NFS server is a no brainer. However, mounting the NFS share into Ubuntu might be challenging. You wish! It’s not that hard. Back to the magic incantations (Ubuntu side):


root@linux:~# apt-get install nfs-common
root@linux:~# mount myNFSserver:/mysharedfolder/subfolder /mnt/myNFSlocal

Bam! NFS share is now mounted locally, and my LVM is reachable as usual. I now start copying my data to the remote machine, and still coyping as of press time. The data is quite huge you know. But I’m happy. But I just don’t want this to happen again.

TechnoratiTechnorati , , , , ,
Site Search Tags: , , , , ,

May 23, 2008

Add a Samba Domain User to Local XP Admin Group

Filed under: General OpenSource, Linux, Tips and Tricks - baudizm @ 4:35 pm

I’ve somehow finished implementing Samba as primary domain controller (PDC) with OpenLDAP working as authentication backend both running on top of SuSE Linux Enterprise Server. Workstations and users are being added properly into Samba and OpenLDAP and users are able to authenticate seamlessly. However, I just ran into a snag. Some users need to be Administrators in their own computer, while being common users in the domain.

It really is no sweat implementing Samba and OpenLDAP on SLES since it already includes both packages stabilized and ready to run. Novell engineers already did the grunt work of tweaking and hardening both packages plus with the help of YAST, I don’t have to use the smbldap tools to synchronize accounts on Samba and OpenLDAP. No sweat eh?

What I had trouble was how can I select only specific users from Samba PDC/OpenLDAP and make them Administrators to their own machines. I’ve looked for solutions however many of them were not fitting to what I want. So I decided to use KiXtart and CPAU instead.

In a nutshell, KiXtart replaces your standard batch file logon script and give you more flexibility and power than you normally get from batch files. CPAU on the other hand replaces the traditional Run As command on Windows. The main difference is that although Run As allows you to run a command as another user (or admin), however, you will be prompted with that user’s password in the same manner that you use SU on Linux/Unix. CPAU allows you to speficy the user and password inline giving you more flexibility with your scripts.

So to add users to the local machine’s Administrators group, I put the KiXtart binary (WKiX32.exe) and CPAU.EXE in Samba’s NETLOGON folder and modified smb.conf to reflect the following:

logon script = logon.bat

In logon.bat, put the line:

%0\..\wkix32.exe %0\..\kixtart.kix

The next part does all the grunt work in identifying the user’s domain group, and checking if the user is a part of the local machine’s Administrators group.

kixtart.kix

Break on

$loffmsg = "Hello "+@USERID+CHR(10)+"This is your first time to logon to the domain."+CHR(10)+"Since @WKSTA is your own computer, you will be added immediately to the local"+CHR(10)+"Administrator group."+CHR(10)+"You will need to log on again afterwards."+CHR(10)+CHR(10)+"Username: "+@USERID+CHR(10)+"Host: "+@WKSTA+CHR(10)+"Group: "+@PRIMARYGROUP

; Check user domain group membership

IF INGROUP("Domain Admins")=1

; Check user local group membership

IF INGROUP("\\"+@WKSTA+"\Administrators")

; Do nothing.
MessageBox("Hello "+@USERID,"Greetings!",,)

ELSE
; Hide the console KiXtart is running on

SETCONSOLE("HIDE")=1

; Run CPAU tool with admin priv to add user to local admin group
MessageBox($loffmsg,"Reminder",64,)

shell '\\MYPDC\netlogon\cpau -u administrator -p admin-password -ex "net localgroup Administrators /add DOMAIN\@USERID" -lwop'
; If there's error, show it.

IF @ERROR MessageBox(@ERROR+@USERID,"Error!") ENDIF

;Force the user to logoff after being added so the change will take effect next log on.
LogOff(1)
ENDIF
ELSE
ENDIF

Further development
I’m still far from done with this little project. I still have to modify the script, or add some more subscripts, to be able to check if the local machine is the user’s own machine. I will need to implement that the user will only be admin on his own machine and none other. And yes, you can also use KiXtart to modify the registry if you need to.

Security? You can compile your kixtart script into an EXE executable using the KiX2EXE tool.

I’m just glad that I get to make Windows XP machines play nicely with Samba and OpenLDAP.

Resources:
KiXtart Online Manual
KiX2EXE Tool Homepage

TechnoratiTechnorati , , , , , , ,
Site Search Tags: , , , , , , ,

Looking forward to The Philippine Open Source Summit

Filed under: General OpenSource - baudizm @ 9:05 am

After much wait, the Philippine Open Source Summit has been finally announced and will be held at the Cebu International Convention Center on June 23 and 24, 2008. This is truly significant and very timely for me because this is going to be the largest convention that I will be able to witness, and I’m already working in Cebu using opensource tools on the job.

What’s to look forward to?
Doh! This is “TEH” biggest opensource event to happen in the Philippines. Plus Apache Software Foundation is going to be there with VP Ken Coar speaking about opensource communities. There’s also opensource blogger Matt Asay to talk about opensource business models, and Danese Cooper of OSI talking about opensource deployments.

Philippine Open Source Summit

And yes, exhibitions abound and some breakout sessions on SugarCRM, Adempiere, Pentaho, Drupal, RoR, Eclipse, Maven, Tomcat/Jetty, and MySQL. It’s also going to be the initiation of the Open Source Association and the Philippine Open Source Center. I’m also pretty sure that Dr. Alvin Marcelo and Dr. Francis Sarmiento, both with IOSN will be there and I’d love to meet them.

It’s going to be the best venue to meet and get to know more about the people behind opensource in the Philippines. I’d say I’m not excited. I’m thrilled!

TechnoratiTechnorati , , , ,
Site Search Tags: , , , ,

May 19, 2008

The Human Aspect of Going OpenSource

Filed under: General OpenSource - baudizm @ 12:03 am

OpenSource has been in existence for quite a long time. It has been known by so many names with various differences in how licenses take effect on certain products. Some of the widely-known opensource licenses to date are GNU’s own GPL and LGPL licenses, BSD’s own license, the Apache licenses, Mozilla Public License, the PHP license, among many others. These licenses are under the stewardship of the OpenSource Initiative (OSI) who accepts applications by individuals or groups and reviews or approves candidate licenses. Discussing the differences between each opensource license is a different matter however, one may visit the OSI site for more information.

“The software I’m using works fine. I paid for it and I don’t see the need to tinker with it’s programming. Why bother?”
Sure, if you’re happy with the proprietary product that you are using then I’m glad for you. However, there may be questions that you would want to be answered. Some of these questions might be listed in the following list:

  1. Do you know how your software works internally?
  2. Can the software you bought be customized according to your need?
  3. Does it fit your need at all?
  4. If it can be customized, how much did it cost for you (or the developer) to modify the software?
  5. Are there security issues that you have encountered while using that software?
  6. How often does the developer/vendor issue software fixes and patches to resolve certain usability and security issues?
  7. How much did the software cost?
  8. Are you satisfied with the support provided by the vendor?
  9. Do you feel like you’ve been swindled when you purchased/commissioned the software?
If you answered NO to questions 1,2,3,8 and yes to questions 5 and 9, it’s time for you to consider choosing an opensource solution.

“Is going opensource painful?”
The answer is “it depends“. It depends on the type of project or solution that you want to implement, if what you need can be remedied by an opensource solution, and how willing or how committed you are to totally using opensource solutions. Chances are, around 65% of your requirements may have an opensource solution readily available. Over the years, the opensource movement is very active and have been filling some niches already. Currently it is slowly creeping into areas like healthcare, utilities, and management. With the plethora of opensource projects available, you may be able to implement from 65% to possibly 95 or 100% of your requirements fulfilled using opensource.

“If OpenSource is really that great, why hadn’t my friend Joe choose this path?”
Again, it depends. The projects that your friend Joe were working on at that time might not have an available opensource solution yet, or that his projects were very very sensitive enough that opensource is not yet advisable. We’d have to always bear in mind that opensource is not a magic pill that you can take and all your problems will go away. It requires a lot of the human factor in order for it to work. And that is what I truly appreciate with it. It brought back the feeling of responsibility, of being aware of what you are doing, of being totally conscious of what you are deploying and how the system totally behaves. It requires constant vigilance, of bug hunting and fixing. Yet, despite the daunting work, you will be backed by a dedicated community who are willing to spare some time to help you out. The countless mailing lists, forums, and support groups dedicated to specific projects are available 24x7 to help you out. It’s totally different from the 1-800 number that you’re asked to dial whenever you encounter problems, then answered by incompetent call center agents who actually did not try out the solutions that they are asking you to perform. How’s that for a reason?

Was I able to mention that you have full access to documentation and source code? Now you know.

“Ok, ok, I’m with you there. But I don’t know where to start.”
As in any endeavor, you’d have to know what you need in order for you to be able to know how to proceed. It would be better to list down your requirements. For example, you are an administrator and you manage a small network for a local business. You have to first ask yourself the following questions:

  1. How many users do I have?
  2. What operating systems am I currently using?
  3. What network services do I need?
  4. What services do the users need?
  5. What type of hardware am I currently using?
  6. What software applications are my users currently using?
  7. What do I want to implement within 3 years?
  8. What are my current skill sets?
After identifying and listing your answers, you can then start to plot out the solutions that you already know to fulfill your need. And I’m sure those require software to be purchased. Then you can start searching for the opensource equivalents.

The easiest place to start will be from Google. However, you may also skip over to Sourceforge for the latest opensource projects. You’d have to wade through countless opensource projects with stages ranging from Alpha, Beta, Release Candidates (RC), and Stable or Production grade. I suggest you stay away from Alphas or even Betas as these are still no where near complete and go for the Stable/Productions. RC’s are almost done, but not quite for they still have some fixing to be done.

“Since you’re so keen on brainwashing me, have you actually used OpenSource software?”
The answer is a big YES. I’ve been using and advocating OpenSource for years. My desktop runs Ubuntu Linux currently on 8.04 “Hardy Heron”. The servers I manage run on SuSE Linux Enterprise Server. Our firewall runs on PFSense, which is a BSD distribution based on Monowall and FreeBSD. I have implemented an opensource inventory and asset management solution using OCS Inventory NG and GLPI Asset Management. The company’s domain runs on Samba as primary domain controller authenticating to OpenLDAP since we still had to support existing Windows XP boxen, and some Linux desktops running a mix of Mandriva, Ubuntu, and Fedora.

Had we used proprietary solutions as opposed to what we had now? It would have costed the company millions for the same functionality that we got from opensource which costed us nothing but time and a little guts and dedication.

TechnoratiTechnorati ,
Site Search Tags: ,

May 11, 2008

Meetup with CeGNULUG and being in Cebu

Filed under: General OpenSource, Linux - baudizm @ 1:13 am

Wow, what a very eventful week. A little update for the readers.

1. I’m now in Cebu working for a multinational BPO company doing what I love — server, Linux, security, networks. Nothing beats.
2. Just hooked up with some members of Cebu’s very own local LUG — CeGNULUG last Thursday, May 8.

The Meetup

Yup I was able to attend the CeGNULUG meetup which was hosted by Vince Corning and his staff at MyLinuxSupport.com . The turn-out was great. I went to the meetup with jackalmurdoc and jongpals who I work with, and joshuarpf who currently works for Triterion LLC (but works at home). We were able to meet people from Infoweapons, the Cebu-based hacks who are into xBSDs (replace x with any BSD variant), Mark Buenconsejo and his Ruby guys at SimpleTeq, as well as some other list members and teams as well. Beer and pizza was way beyond what we can consume in a night but the conversations were fun yet informative. It was a first time touch base for us Cagayan de Oro guys who are now working here in Cebu and we are really looking forward to more meetups soon and can’t wait to talk with these guys in the future.

A free and open mind will definitely reach places.

EDIT 5/23/2008: “Vince Corning”, not “Vince Isles”. “Vince Isles” is his blog. Sorry about that Vince! See you at the Summit.

Technorati Tags: , , ,
Site Search Tags:,,,

March 10, 2008

Postfix and Dovecot Authentication through LDAP to eDirectory LDAP

Filed under: Linux, Tips and Tricks, Netware - baudizm @ 10:16 pm

We have been using eDirectory for quite a while on Linux now and the time has come that a client would like to use eDirectory to authenticate other Linux services through LDAP to eDirectory. We have been tasked to integrate the authentication of Postfix, Dovecot, Squid, and SquirrelMail via LDAP to Novell’s eDirectory.

The approach that we have decided to use for Postfix was to do virtual email hosting, while letting Postfix pull user accounts from LDAP, and store the emails on virtual mailboxes in the Linux machine. Dovecot will also do a password lookup, while using a global user account on Linux that will have exclusive access to the “home” directory of virtual email users. Squid will do direct LDAP access via the squid_ldap_auth helper. SquirrelMail on the other hand will just pull off authentication via Dovecot.

I will only be providing the steps on how to authenticate Postfix and Dovecot to eDirectory via LDAP. In order to perform the following outlined steps, it will be helpful to already have Novell eDirectory/NDS running on one server. It must listen on either port 389 or 636 by default. However, if you’ve modified the ports, make sure you take note of them for later use. Also on the eDirectory/NDS, we will need to have one user that will act as a proxy user for LDAP lookups. Though this can also be achieved by assigning [Public] as a Trustee with “browse” rights to the root of your tree (eg. “o=your-context” ). How to install eDirectory on Linux is beyond the scope of this article. Feel free to visit the Novell Documentation.

We have used SuSE Linux Enterprise Server 10 SP 1 to perform all of the steps. It doesn’t matter though which Linux distribution you’ll be using or if you’ll be accessing NDS on Netware, as long as the backend LDAP server will be eDirectory/NDS.

POSTFIX CONFIGURATION

A. main.cf
Postfix already comes with SLES10 SP1 built-in. It only requires a little tweaking to allow it to authenticate to eDirectory via LDAP. We will then throw in virtual email hosting configuration for good measure.

If you need to compile Postfix, configure and compile it as standard. However in the main.cf, we will be adding a couple of parameters to make Postfix work with LDAP. The following parameters are what we need. The rest not included here are standard Postfix configs, including restrictions and UCEs.

inet_protocols = all
inet_interfaces = all
biff = no
mail_spool_directory = /var/spool/mail
myhostname = your-server-hostname
mydomain = put-a-dummy-domain-here.
mydestination = localhost.$mydomain,localhost,$mydomain,$myhostname
mynetworks = 192.168.100.0/24 127.0.0.1
mynetworks_style = subnet

Modify myhostname and mynetworks to reflect your own settings. Put a dummy domain name in mydomain. We will put our real domain in the virtual_mailbox_domains parameter.


local_recipient_maps = ldap:/etc/postfix/ldap-user-auth.cf
local_transport = virtual
virtual_mailbox_domains = your-real-domain-here
virtual_mailbox_base = /var/spool/vmail
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailboxes
virtual_minimum_uid = 106
virtual_uid_maps = static:106
virtual_gid_maps = static:12

local_recipient_maps will point to our LDAP authentication routines contained in ldap-user-auth.cf. virtual_mailbox_domains will have our real domain since we will be using virtual email users that will be pulled off from eDirectory via LDAP later. virtual_mailbox_maps will point to our hash file which is actually a mapping of email addresses to their associated virtual mail boxes relative to the default directory assigned in virtual_mailbox_base.

virtual_uid_maps and virtual_gid_maps will point to the only mail-related user in the entire SLES10 system — the global user which will be used by Postfix and Dovecot to drop emails to the mailboxes of our virtual email users. The global user, in our case is called “vmail” as assigned a uid of 106 and a gid of 12 (mail). It was created using the terminal by typing the following as root:

useradd -u 106 -g 12 -d /var/spool/vmail -s /bin/bash vmail

You will also need to create /var/spool/vmail and change ownership (chown) to vmail:mail.

smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

Enable SASL authentication by setting smtpd_sasl_auth_enable = yes. We will be using Dovecot SASL therefore, we will need to set smtpd_sasl_type = dovecot and smtpd_sasl_path = private/auth.

B. ldap-user-auth.cf
Here are the things we need to put for LDAP authentication for Postfix.

server_host = your-LDAP-server-ip
search_base = o=context
version = 3
query_filter = (&(objectClass=Person)(uid=%s))
result_attribute = uid

bind = yes
bind_dn = cn=ProxyLDAPUser.o=context
scope = sub

C. virtual_mailboxes
Since Postfix will be looking for “real” users, we will need to map email addresses to actual directory locations for each user using the virtual_mailboxes mapping. Arguments for the mapping will take the form of:

email address username/Maildir

Example:
user1@mydummydomain.com user1/Maildir
user2@mydummydomain.com user2/Maildir
:

Save the file, and generate the Postfix database by running postmap virtual_mailboxes in the terminal.

DOVECOT CONFIGURATION (pertinent only)

A. dovecot.conf
Dovecot can be compiled off the bat using ./configure, and then following it with make and make install respectively. However, since we will be letting Dovecot authenticate through LDAP, we will need to compile it with LDAP support therefore do this by typing ./configure --with-ldap and proceed as usual.

Here are the pertinent parameters that we will need to declare in dovecot.conf to enable it to work with LDAP. The rest of the configs (not shown) are standard Dovecot config.

mail_location = maildir:/var/spool/vmail/%u/Maildir
first_valid_uid = 106
last_valid_uid = 106
auth_username_format = %Lu

auth default {
mechanisms = plain login

passdb ldap {
args = /etc/dovecot/dovecot-ldap_passdb.conf
}

userdb static {
args = uid=106 gid=12 home=/var/spool/vmail/%u
}

socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = mail
}

client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = mail
}
}
}

B. dovecot-ldap_passdb.conf

hosts = LDAP-server-ip
base = o=context
ldap_version = 3
scope = subtree

#for LDAP Bind
auth_bind = yes
pass_filter = (&(objectClass=Person)(uid=%u))

Replace LDAP-server-ip with the server ip of the eDirectory server. Replace o=context with your eDirectory context.

VALIDATING
Run Postfix by typing rcpostfix start and run Dovecot by typing /usr/local/sbin/dovecot. You will then be able to try and connect via telnet on port 25, 143 and/or 110 to test Postfix and Dovecot. You can test Dovecot if the user can authenticate by going:

telnet server-ip 143

You will then receive the server header/reply. You can proceed to initiate authentication by going:

1 login user password

If you’ll receive an OK message, congratulations!

You can monitor Postfix by looking at /var/log/mail using the command tail -f /var/log/mail.

Feel free to post your questions and comments. Good Luck!

Technorati technorati tags: , , , , , , , ,

February 12, 2008

ASUS Eee PC exploitable out of the box

Filed under: Throughout the Web, Linux - baudizm @ 4:12 pm

RISE Security has posted a blog entry announcing that the ASUS Eee PC running Xandros is vulnerable out of the box.

Read the article at the RISE Securite website.

As always, ASUS Eee PC users running Xandros will need to update or patch the bundled Samba. Better yet, install updated Ubuntu versions instead.

Bottomline, relying on a product out of the box is not good for your health or your boxen.

Technorati Tags: , , , , , ,
Site Search Tags: , , , , , ,


Get free blog up and running in minutes with Blogsome | Theme designs available here


74% Geek