
December 12, 2009

Solve NRPE Socket timeout issue

Filed under: Linux, Tips and Tricks - baudizm @ 7:00 pm

Hello once again! First, I want to apologize for the lack of updates (again). I have been so busy with new and exciting work, and the possibilities and new skills have been pouring in. Regardless, I want to thank everyone for your continued support and for finding this blog's articles useful. My sincerest gratitude. Anyway, I am sharing another really good solution for all of you out there.

Have you deployed Nagios and installed the NRPE plugin on your local and remote servers? Have you by any chance encountered, and not quite been able to solve, this error?

CHECK_NRPE: Socket timeout after 10 seconds

Actually this has bugged our team a lot too, and we were really sure (or so we thought) that we had configured Nagios and the NRPE plugin correctly.

We thought it might be a problem with Nagios or the NRPE plugin, and we hadn't been able to dedicate much time to finding out, due to other pressing tasks. But recently I found the time to diagnose the issue, and now I am sharing the fix with you. And yes, it was really straightforward and so damn simple! DOH!

On your remote machine, make sure that you have installed the NRPE plugin correctly. You can download the NRPE plugin documentation at http://nagios.sourceforge.net/docs/nrpe/NRPE.pdf.

Once you have configured NRPE on your remote machine, do a local check first.

# /usr/local/nagios/libexec/check_nrpe -H localhost
NRPE v2.8

If you get back the version of your NRPE daemon, it is running and answering locally. That is all a local check proves, though: also make sure that allowed_hosts in nrpe.cfg on the remote machine lists the monitoring server's IP address, otherwise the daemon will refuse the monitoring server even when the network path is fine.

And do not forget to open port 5666 on the remote machine's firewall (iptables or otherwise), for the monitoring server only. Refer to the NRPE documentation for more details.

On your monitoring machine, where Nagios is installed, install the NRPE plugin as well. Then run the remote NRPE check against the remote host:

# /usr/local/nagios/libexec/check_nrpe -H remote_host
CHECK_NRPE: Socket timeout after 10 seconds.

Don't be surprised if you get the CHECK_NRPE: Socket timeout error. check_nrpe opens a TCP connection from the monitoring machine to port 5666 on the remote host. A timeout (rather than "Connection refused") means nothing came back at all, not even a TCP reset, which is exactly what a firewall silently dropping packets looks like. So we need to make sure that the remote host accepts connections to port 5666 from the monitoring machine, and that the monitoring machine's own OUTPUT chain lets the connection out.

To do just that, we open up iptables. On the remote host, accept inbound port 5666 from the monitoring machine only:

# /sbin/iptables -I INPUT -s monitoring_host -p tcp -m tcp --dport 5666 -j ACCEPT

On the monitoring machine (only needed if its OUTPUT chain is restricted), let it initiate the connection:

# /sbin/iptables -I OUTPUT -d remote_host -p tcp -m tcp --dport 5666 -j ACCEPT

The first rule allows the remote host to accept incoming connections on port 5666 from our monitoring machine and no other host. Keep it that tight: NRPE executes commands on the remote host, so port 5666 should never be open to the world. The second rule allows our monitoring machine to initiate connections to port 5666 on the remote host. Both sides also need the usual rule accepting ESTABLISHED,RELATED traffic so the reply packets get through. Note the -I (insert at the top of the chain) instead of -A: -A appends the rule after any existing catch-all REJECT or DROP rule, where it would never be reached, which is a common reason a "correct" rule seems to have no effect.

After adding the rules, make sure to save your new iptables rules (the path below is the Red Hat/CentOS/Fedora convention; other distributions keep them elsewhere):

# /sbin/iptables-save > /etc/sysconfig/iptables

That’s it!

Try out some of these combinations against your remote host and see what the outputs are. Each -c argument must correspond to a command[...] definition in nrpe.cfg on the remote host (the sample nrpe.cfg ships with these three), and -t raises check_nrpe's own timeout above the default of 10 seconds.

# /usr/local/nagios/libexec/check_nrpe -H remote_host -c check_load -t 120
# /usr/local/nagios/libexec/check_nrpe -H remote_host -c check_users
# /usr/local/nagios/libexec/check_nrpe -H remote_host -c check_zombie_procs
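As an added example (not code from the original post), here is a small Python triage script for the socket timeout above. It probes TCP 5666 directly to tell a firewall drop (timeout) apart from a missing daemon (connection refused), classifies check_nrpe's output, and prints the iptables rules that each side of the connection actually needs. The message strings are those of NRPE 2.x; the host names, addresses and rule text are illustrative assumptions, not taken from the post.

```python
# Added example, not from the original post: triage for "CHECK_NRPE: Socket
# timeout". Assumes NRPE 2.x message strings; addresses are illustrative.
import socket

NRPE_PORT = 5666


def tcp_probe(host: str, port: int = NRPE_PORT, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'timeout' or 'unreachable'.

    'timeout' means no SYN-ACK and no RST came back, which is what a firewall
    DROP looks like; 'refused' means the host answered but nothing listens.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


def classify_check_nrpe(output: str) -> tuple:
    """Map one line of check_nrpe output to (cause, what to check next)."""
    if output.startswith("NRPE v"):
        return ("ok", "daemon reachable; now test a command with -c")
    if "Socket timeout" in output:
        return ("firewall", "packets to TCP %d are being dropped; check iptables on the "
                            "remote host and the OUTPUT chain on the monitor" % NRPE_PORT)
    if "Connection refused" in output:
        return ("daemon", "host reachable but nothing listens on %d; is nrpe running?" % NRPE_PORT)
    if "SSL handshake" in output:
        return ("nrpe.cfg", "allowed_hosts on the remote host does not include the "
                            "monitoring server, or one side was built without SSL")
    return ("unknown", output)


def firewall_rules(role: str, monitor_ip: str, remote_ip: str) -> list:
    """iptables rules for one side of the check_nrpe connection.

    check_nrpe connects FROM the monitoring server TO the remote host, so the
    inbound rule belongs on the remote host and is scoped to the monitor's
    address. -I inserts at the top so an existing catch-all REJECT cannot
    shadow the rule (which -A would append behind).
    """
    p = "-p tcp"
    if role == "remote":
        return [
            f"iptables -I INPUT -s {monitor_ip} {p} --dport {NRPE_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT",
            f"iptables -I OUTPUT -d {monitor_ip} {p} --sport {NRPE_PORT} -m state --state ESTABLISHED -j ACCEPT",
        ]
    if role == "monitor":
        return [
            f"iptables -I OUTPUT -d {remote_ip} {p} --dport {NRPE_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT",
            f"iptables -I INPUT -s {remote_ip} {p} --sport {NRPE_PORT} -m state --state ESTABLISHED -j ACCEPT",
        ]
    raise ValueError("role must be 'remote' or 'monitor'")


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    state = tcp_probe(host)
    print(f"TCP {host}:{NRPE_PORT} -> {state}")
    if state == "timeout":
        for rule in firewall_rules("remote", "MONITOR_IP", host):
            print("  on the remote host:", rule)
    print(classify_check_nrpe("CHECK_NRPE: Socket timeout after 10 seconds."))
```

Run it as `python3 nrpe_triage.py remote_host` from the monitoring machine: a "timeout" from tcp_probe before you even involve check_nrpe points straight at the firewall, whereas "refused" means the packets arrive and the daemon is the problem.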

Enjoy!



January 13, 2009

Allow NAT access to Publicly-accessible Internal Services via PFSense

Filed under: Tips and Tricks - baudizm @ 3:42 pm

You now have your nice pfSense firewall connected to the net and your users are happily connected, then you decide to put up publicly-accessible network services like a web server. But horror starts to creep in when you find out that your users (or your developers) cannot access your public server from their workstations within your local network.

You tried everything in vain and suddenly felt the urge to scream with all your might.

AAAARRGGGHHH!!!!

As far as you're concerned, you've set up pfSense correctly. You have configured port forwarding quite perfectly. The web server is running without a hitch. Your DNS is working perfectly. But your users cannot seem to access your internal server using your public IP address or domain..

..then you raised your limp hands in resignation.

Don't despair. It's really simple.

1. Open your PFSense web gui.

2. Move your mouse over to System, and click Advanced.

System - Advanced

3. Scroll down and look at the Disable NAT Reflection field. Make sure that it is unchecked.

Disable NAT Reflection

4. Click on Save.

With reflection enabled, pfSense takes connections from LAN clients to your public IP (or a name that resolves to it) and hands them to the port-forwarded internal server, instead of trying to send them out the WAN interface and back in, which is what fails. Two caveats: the pfSense releases of this era implement reflection through a proxy, so the web server sees the firewall's address rather than the real client address in its logs, and reflection only covers ports that have a port forward. If you run your own DNS, split DNS (answering the public name with the internal address for LAN clients) avoids both problems and does not depend on the firewall at all.

That's all there is to it! Enjoy!



December 17, 2008

Yet Another Major Internet Explorer Flaw allows Remote Code Execution

Filed under: Throughout the Web - baudizm @ 10:43 am

Microsoft announced on December 15 yet another major flaw in version 7 of its Internet Explorer browser which allows remote code execution on the target computer (as if the others did not already).

Published as Microsoft Security Advisory (961051), the advisory describes the issue as follows:

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object’s memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.

IE7 is not the only version affected, either: the advisory lists older versions and the IE8 beta as well. Even the BBC has picked up this issue.

What was weird for me was that the Full Disclosure community did not react to this disclosure by Microsoft. Or it might be too early, as the infosec experts and enthusiasts are scrambling to verify it, if at all.

My take on this is - what’s new? Honestly, I’m not surprised at all.



September 3, 2008

Google Chrome on Wine ? (UPDATE 9/4/2008)

Filed under: Throughout the Web, General OpenSource, Linux - baudizm @ 10:17 am

With Google doing a public beta test of Google Chrome I’ve taken a few steps further to see what it can do. However, sadly for me, GC is currently on a Windows-only build so no dice for native Linux version. So I had to resort to “drastic” measures - try to see if it runs on Wine.

So I got the offline installer here and installed on top of Wine. The installation went ok, with Wine adding a desktop shortcut and menu entries. I tried to run GC and bam, a browser with rounder corners and blue header pops up. So far so good.

Then I noticed that the address bar is all black. Though I can type a URL, it doesn't open the site I want to visit. Tried it a couple of times, still no dice. Looking at the log I prepped, it seems there are some components not working properly. So I ended up filing a report with WineHQ to see what can be done.

Nope, I currently don’t have the time to find the bug for GC on Wine. I’m making the Google Chrome team do that. At least with the WineHQ notified, I can expect to have a working GC on Wine.

Or not.

UPDATE:

Google Chrome now works on Wine 1.1.3. However, additional parameters must be added when you invoke wine on the command line. And sorry, HTTPS access is not yet available/foolproof.

Just fire up Wine in the terminal like so:

env WINEPREFIX="/home/anakin/.wine" wine "C:\windows\profiles\anakin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --new-http --in-process-plugins

You have to also make sure that you have Riched20 and Riched30 installed using Winetricks (thanks Roy Shea at WineHQ!).

This method was further confirmed at UbuntuForums, and also confirmed by “nelson”. A good how-to is also available recently at HowToDude.

UPDATE 2:

Filed another bug report with WineHQ regarding HTTPS access on Google Chrome on Wine 1.1.3.

Related:

Wine AppDB page for Chrome (thanks to Dan Kegel) - added 9/6/2008
WineHQ Bug Report 15106
WineHQ Bug Report 15107
WineHQ Bug Report 15119



June 5, 2008

Retrieving LVM volume data with Ubuntu and backup to NFS server

Filed under: Hard and Soft, Linux, Tips and Tricks - baudizm @ 3:08 pm

It's just a really weird problem that we had today. A perfectly fine Fedora box suddenly will not boot. When it does start booting, GRUB fails, saying that the hard drive cannot be read. The box is somewhat critical and we need to have it running back up (pun intended), since it's our backup server for most of the managed sites. I guess it's not as healthy a box as we had been believing.

A little history, it’s an Intel P4-based box on an ASUS P5DR1-VM mobo, on 1GB of RAM. Yeah, it’s not a hefty box. Fedora 8 was installed by a colleague without any issues. Until recently.

It was running fine the other day, then yesterday it just stopped. Checking what happened, the primary hard drive, a Maxtor 80GB PATA, was acting up. I rebooted the box and went into the BIOS (CMOS) setup. The Maxtor HDD was identified alright, so I rebooted again to see if it would boot up. Again, GRUB stopped with an error reading the drive. "Hmmm.. That's not right," I said. I left it overnight and returned to it in the morning.

Another thing that worried me was: what if the data on the second hard drive, a Seagate Barracuda 250GB SATA, was also affected? And both the Maxtor and the SATA drive are on LVM!

Aaaarrggghhh!

Crossing fingers, I tried to boot to Fedora 8 install disc and proceeded to use Rescue System. But to no avail… Rescue System wasn’t able to identify a valid Fedora install. “What-the-eff!” Wasting no time, I rebooted and went back to CMOS, all the while feeling the Maxtor hard drive with my hand for any indication that the drive is spinning. Sure enough, CMOS tells me Maxtor’s not there, and the drive isn’t spinning. “Gotcha!” I powered down the box, swapped the hard drive data cable (ribbon cable with new one) and used another Molex power connector (the PSU still has extras) and powered the box up. Checked the CMOS, and voila! Maxtor’s back on the drive list, and the drive is spinning. So far so good. A few things left for me to do — make sure the data is intact, and that I can do backup of the backup (get it?)

This time, I'm using the Ubuntu 8.04 Hardy Live CD as my recovery disk. Ubuntu booted smoothly and I opened a terminal as root. Then I tried to check whether I could see the LVM volumes:

root@linux:~# vgscan
The program 'vgscan' is currently not installed. You can install it by typing:
apt-get install lvm2
bash: vgscan: command not found

Ok, fine. So I proceeded and install lvm2:

root@linux:~# apt-get install lvm2
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
dmsetup
The following NEW packages will be installed:
dmsetup lvm2
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 365kB of archives.
After this operation, 1065kB of additional disk space will be used.
Do you want to continue [Y/n]? y

After installing the required package, I ran vgscan again and saw the LVM volume group, in my case VolGroup00. Before I could activate it, I had to run 'modprobe dm-mod' first: dm-mod is the kernel's device-mapper module, which LVM2 needs in order to create the /dev/mapper block devices for each logical volume. I then typed 'lvs' in the terminal to list the logical volumes, and proceeded with the magic incantations:

root@linux:~# mkdir /mnt/myLVM
root@linux:~# modprobe dm-mod                  # device-mapper must be loaded before volumes can be activated
root@linux:~# vgscan                           # find volume groups on the attached disks
root@linux:~# vgchange -ay VolGroup00          # activate every logical volume in the group
root@linux:~# lvs                              # list the logical volumes and their sizes
root@linux:~# mount /dev/VolGroup00/LogVol00 /mnt/myLVM
# On a drive that is already failing, add -o ro to the mount so nothing is written to it while you copy.

And there you have it! I got my LVM mounted, and I was able to copy the data I need from it. Whew!

However, my problem was not over yet. I had no clean destination drive to store the retrieved data. Hmmm, alright. I'm putting it on our shiny Sun Microsystems X2100 M2 server, which currently has 500GB of disk space. Fine, fine. It's running SLES, so setting up the NFS server is a no-brainer. Mounting the NFS share in Ubuntu might be challenging, you think? It's not that hard. Back to the magic incantations (Ubuntu side):


root@linux:~# apt-get install nfs-common       # NFS client utilities for the live CD
root@linux:~# mkdir /mnt/myNFSlocal
root@linux:~# mount -t nfs myNFSserver:/mysharedfolder/subfolder /mnt/myNFSlocal

Bam! The NFS share is now mounted locally, and my LVM is reachable as usual. I have now started copying my data to the remote machine, and it is still copying as of press time. The data is quite huge, you know. But I'm happy. I just don't want this to happen again.
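Copying from a drive that has already failed once is the moment to verify rather than trust. As an added example (not code from the original post), this Python script copies the recovered tree to the NFS mount while recording a SHA-256 per file, then re-hashes the copy and reports any file that does not match, which is how a silently bad read would show up. The paths /mnt/myLVM and /mnt/myNFSlocal are only illustrative; run_demo() builds a small constructed tree in a temporary directory so it can be exercised offline.

```python
# Added example, not from the original post: copy the recovered data with a
# per-file SHA-256 manifest and verify the copy, so "make sure the data is
# intact" becomes a check instead of a hope. Paths are illustrative.
import hashlib
import os
import shutil
import tempfile


def sha256_of(path: str) -> str:
    """Stream one file through SHA-256 without reading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: str) -> dict:
    """Map every regular file below root (path relative to root) to its digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue          # symlinks are copied as links, not hashed
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out


def copy_tree_verified(src: str, dst: str) -> dict:
    """Copy src to dst, re-hash the copy, and return the source manifest.

    A mismatch means a file was read or written wrongly, which on a failing
    drive is exactly the silent error you want to catch before wiping src.
    """
    expected = manifest(src)
    shutil.copytree(src, dst, symlinks=True, dirs_exist_ok=True)
    bad = verify_against_manifest(dst, expected)
    if bad:
        raise RuntimeError("verification failed for: " + ", ".join(bad))
    return expected


def verify_against_manifest(root: str, expected: dict) -> list:
    """Return the relative paths under root whose digest differs from expected."""
    current = manifest(root)
    return sorted(p for p, digest in expected.items() if current.get(p) != digest)


def run_demo() -> dict:
    """Constructed demonstration: copy a small tree, then corrupt one byte of
    the copy and show the manifest check catching it."""
    base = tempfile.mkdtemp(prefix="lvm-recovery-demo-")
    src, dst = os.path.join(base, "src"), os.path.join(base, "dst")
    os.makedirs(os.path.join(src, "etc"))
    with open(os.path.join(src, "etc", "fstab"), "w") as f:
        f.write("/dev/VolGroup00/LogVol00 / ext3 defaults 1 1\n")
    with open(os.path.join(src, "data.bin"), "wb") as f:
        f.write(bytes(range(256)) * (3 * 4096))       # 3 MiB, deterministic content
    saved = copy_tree_verified(src, dst)
    clean = verify_against_manifest(dst, saved)
    with open(os.path.join(dst, "data.bin"), "r+b") as f:
        f.seek(1024)                                  # the byte here is 0x00
        f.write(b"\xff")                              # simulate a bad sector in the copy
    corrupted = verify_against_manifest(dst, saved)
    shutil.rmtree(base)
    return {"files": len(saved), "clean": clean, "corrupted": corrupted}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                            # e.g. /mnt/myLVM /mnt/myNFSlocal/backup
        print(f"copied and verified {len(copy_tree_verified(sys.argv[1], sys.argv[2]))} files")
    else:
        print(run_demo())
```

Keep the returned manifest (for instance as JSON next to the backup); verify_against_manifest lets you re-check the NFS copy months later, when the question is no longer "did the copy work" but "has the backup of the backup rotted".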



May 23, 2008

Looking forward to The Philippine Open Source Summit

Filed under: General OpenSource - baudizm @ 9:05 am

After much wait, the Philippine Open Source Summit has been finally announced and will be held at the Cebu International Convention Center on June 23 and 24, 2008. This is truly significant and very timely for me because this is going to be the largest convention that I will be able to witness, and I’m already working in Cebu using opensource tools on the job.

What’s to look forward to?
Doh! This is “TEH” biggest opensource event to happen in the Philippines. Plus Apache Software Foundation is going to be there with VP Ken Coar speaking about opensource communities. There’s also opensource blogger Matt Asay to talk about opensource business models, and Danese Cooper of OSI talking about opensource deployments.

Philippine Open Source Summit

And yes, exhibitions abound and some breakout sessions on SugarCRM, Adempiere, Pentaho, Drupal, RoR, Eclipse, Maven, Tomcat/Jetty, and MySQL. It’s also going to be the initiation of the Open Source Association and the Philippine Open Source Center. I’m also pretty sure that Dr. Alvin Marcelo and Dr. Francis Sarmiento, both with IOSN will be there and I’d love to meet them.

It’s going to be the best venue to meet and get to know more about the people behind opensource in the Philippines. I’d say I’m not excited. I’m thrilled!



May 11, 2008

Meetup with CeGNULUG and being in Cebu

Filed under: General OpenSource, Linux - baudizm @ 1:13 am

Wow, what a very eventful week. A little update for the readers.

1. I'm now in Cebu working for a multinational BPO company doing what I love: servers, Linux, security, networks. Nothing beats it.
2. Just hooked up with some members of Cebu’s very own local LUG — CeGNULUG last Thursday, May 8.

The Meetup

Yup, I was able to attend the CeGNULUG meetup, which was hosted by Vince Corning and his staff at MyLinuxSupport.com. The turnout was great. I went to the meetup with jackalmurdoc and jongpals, who I work with, and joshuarpf, who currently works for Triterion LLC (from home). We were able to meet people from Infoweapons, the Cebu-based hackers who are into xBSDs (replace x with any BSD variant), Mark Buenconsejo and his Ruby guys at SimpleTeq, as well as some other list members and teams. Beer and pizza were way beyond what we could consume in a night, but the conversations were fun yet informative. It was a first touch base for us Cagayan de Oro guys who are now working here in Cebu, and we are really looking forward to more meetups soon and can't wait to talk with these guys in the future.

A free and open mind will definitely reach places.

EDIT 5/23/2008: “Vince Corning”, not “Vince Isles”. “Vince Isles” is his blog. Sorry about that Vince! See you at the Summit.



March 10, 2008

Postfix and Dovecot Authentication through LDAP to eDirectory LDAP

Filed under: Linux, Tips and Tricks, Netware - baudizm @ 10:16 pm

We have been using eDirectory for quite a while on Linux now and the time has come that a client would like to use eDirectory to authenticate other Linux services through LDAP to eDirectory. We have been tasked to integrate the authentication of Postfix, Dovecot, Squid, and SquirrelMail via LDAP to Novell’s eDirectory.

The approach we decided on for Postfix was virtual email hosting: Postfix validates recipients against LDAP and stores the mail in virtual mailboxes on the Linux machine. Dovecot also does its password lookup against LDAP, while a single system account on Linux has exclusive access to the "home" directory of the virtual email users. Squid does direct LDAP access via the squid_ldap_auth helper. SquirrelMail, on the other hand, simply authenticates through Dovecot over IMAP.

I will only be providing the steps on how to authenticate Postfix and Dovecot to eDirectory via LDAP. To perform the steps outlined below, you need Novell eDirectory/NDS already running on one server. By default it listens on port 389 (LDAP) and 636 (LDAPS); if you have modified the ports, take note of them for later use. Prefer 636, or StartTLS on 389: with the bind-based authentication used below, Dovecot sends each user's password to the directory, and over plain LDAP it crosses the network in the clear. Also on the eDirectory/NDS side, we will need one user that will act as a proxy user for LDAP lookups. This can also be achieved by assigning [Public] as a Trustee with "browse" rights to the root of your tree (e.g. "o=your-context"), though a dedicated proxy user with only the rights it needs is the better choice, since [Public] rights apply to anyone who can reach the LDAP port. How to install eDirectory on Linux is beyond the scope of this article; feel free to visit the Novell Documentation.

We have used SuSE Linux Enterprise Server 10 SP 1 to perform all of the steps. It doesn’t matter though which Linux distribution you’ll be using or if you’ll be accessing NDS on Netware, as long as the backend LDAP server will be eDirectory/NDS.

POSTFIX CONFIGURATION

A. main.cf
Postfix already comes with SLES10 SP1 built-in. It only requires a little tweaking to allow it to authenticate to eDirectory via LDAP. We will then throw in virtual email hosting configuration for good measure.

If you need to compile Postfix, configure and compile it as standard. In main.cf, however, we will be adding a couple of parameters to make Postfix work with LDAP. The following parameters are what we need; anything not included here is standard Postfix configuration, including restrictions and UCE controls.

inet_protocols = all
inet_interfaces = all
biff = no
mail_spool_directory = /var/spool/mail
myhostname = your-server-hostname
mydomain = put-a-dummy-domain-here
mydestination = localhost.$mydomain,localhost,$mydomain,$myhostname
mynetworks = 192.168.100.0/24 127.0.0.1
mynetworks_style = subnet

Modify myhostname and mynetworks to reflect your own settings. Put a dummy domain name in mydomain. We will put our real domain in the virtual_mailbox_domains parameter.


local_recipient_maps = ldap:/etc/postfix/ldap-user-auth.cf
local_transport = virtual
virtual_mailbox_domains = your-real-domain-here
virtual_mailbox_base = /var/spool/vmail
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailboxes
virtual_minimum_uid = 106
virtual_uid_maps = static:106
virtual_gid_maps = static:12

local_recipient_maps points to our LDAP lookup table defined in ldap-user-auth.cf. virtual_mailbox_domains holds our real domain, since its users are virtual email users pulled from eDirectory via LDAP. virtual_mailbox_maps points to our hash file, which is a mapping of email addresses to their associated virtual mailboxes, relative to the directory assigned in virtual_mailbox_base.

One caveat worth knowing: Postfix consults local_recipient_maps only for domains listed in mydestination (here, the dummy domain). For the real domain in virtual_mailbox_domains, it is virtual_mailbox_maps that decides which recipients exist, so a user must be in the hash file to receive mail. If you want Postfix itself to validate recipients of the real domain against eDirectory, point virtual_mailbox_maps at the same ldap: table (with result_format set to the mailbox path) instead of the hash file.

virtual_uid_maps and virtual_gid_maps point to the only mail-related user in the entire SLES10 system: the global user which Postfix and Dovecot use to drop emails into the mailboxes of our virtual email users. The global user, in our case called "vmail", was assigned uid 106 and gid 12 (mail). It was created from the terminal by typing the following as root:

useradd -u 106 -g 12 -d /var/spool/vmail -s /bin/bash vmail

You will also need to create /var/spool/vmail and change its ownership (chown) to vmail:mail. Two hardening notes: this account never needs an interactive login, so /bin/false or /sbin/nologin is a better shell than /bin/bash, and the mailbox tree should not be world-readable (chmod 0750 /var/spool/vmail), since every user's mail lives under it.

smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

Enable SASL authentication by setting smtpd_sasl_auth_enable = yes. We will be using Dovecot SASL, therefore we set smtpd_sasl_type = dovecot and smtpd_sasl_path = private/auth (the socket Dovecot creates under Postfix's queue directory; see the Dovecot section below). Note that noanonymous only blocks anonymous logins: the PLAIN and LOGIN mechanisms still transmit the password in the clear (base64 is not encryption). Unless the SMTP port is TLS-protected, with smtpd_tls_auth_only = yes so that AUTH is offered only after STARTTLS, the eDirectory credentials are exposed to anyone on the network path.

B. ldap-user-auth.cf
Here is what we need for the LDAP lookup in Postfix. The bind DN must be written in LDAP (comma-separated) form, not in eDirectory's dotted form. %u expands to the local part of the address being looked up, which is what matches uid; %s would be the whole lookup key, which for a user@domain key does not match a uid. bind_pw is the proxy user's password (a placeholder below, not from the original post); because the file holds a secret, make it readable by root and the postfix group only (chown root:postfix, chmod 0640).

server_host = your-LDAP-server-ip
search_base = o=context
version = 3
query_filter = (&(objectClass=Person)(uid=%u))
result_attribute = uid

bind = yes
bind_dn = cn=ProxyLDAPUser,o=context
bind_pw = proxy-user-password
scope = sub
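As an added example (not code from the original post), here is how Postfix expands the query_filter of an ldap: table, and why the local-part expansion %u, rather than %s, is what matches a uid when the lookup key is user@domain. Postfix performs this expansion and the RFC 4515 escaping itself; the code re-implements it for illustration, together with a tiny evaluator for the AND-of-equality filters used on this page. The table text, the directory entry and the address 192.0.2.10 are constructed.

```python
# Added example, not from the original post: Postfix ldap: table expansion
# (%s whole key, %u local part, %d domain) with RFC 4515 escaping, and a
# minimal evaluator to show which expansion matches a uid. Sample data is
# constructed; Postfix does the real expansion internally.
import re

# Characters that must be escaped inside an LDAP search filter value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for safe use inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse escape_filter_value (\\XX hex escapes back to characters)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_ldap_table(text: str) -> dict:
    """Parse the 'key = value' lines of a Postfix ldap: table file."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        conf[key.strip()] = val.strip()
    return conf


def expand_query_filter(template: str, lookup_key: str) -> str:
    """Expand %s, %u and %d the way Postfix does for an ldap: table.

    Every substituted value is filter-escaped, which is what stops a crafted
    address such as '*)(uid=*' from becoming a wildcard or a second assertion.
    %u falls back to the whole key when there is no '@' in it.
    """
    local, at, domain = lookup_key.partition("@")
    subst = {
        "s": escape_filter_value(lookup_key),
        "u": escape_filter_value(local if at else lookup_key),
        "d": escape_filter_value(domain),
        "%": "%",
    }
    return re.sub(r"%([sud%])", lambda m: subst[m.group(1)], template)


def filter_matches(ldap_filter: str, entry: dict) -> bool:
    """Evaluate a filter shaped like (&(attr=value)(attr=value)) against one entry.

    Only equality assertions under a single AND are supported, which covers the
    filters on this page. Attribute names compare case-insensitively, as in LDAP.
    """
    assertions = re.findall(r"\(([A-Za-z0-9]+)=([^()]*)\)", ldap_filter)
    if not assertions:
        return False
    entry_ci = {k.lower(): v for k, v in entry.items()}
    return all(entry_ci.get(attr.lower()) == unescape_filter_value(val)
               for attr, val in assertions)


# Constructed copy of ldap-user-auth.cf using the local-part expansion.
LDAP_TABLE = """
server_host = 192.0.2.10
search_base = o=context
version = 3
query_filter = (&(objectClass=Person)(uid=%u))
result_attribute = uid
bind = yes
bind_dn = cn=ProxyLDAPUser,o=context
bind_pw = proxy-user-password
scope = sub
"""

# Constructed eDirectory entry as Postfix would see it through LDAP.
SAMPLE_ENTRY = {"objectClass": "Person", "uid": "user1", "cn": "user1"}


def lookup_would_match(table_text: str, lookup_key: str, entry: dict = SAMPLE_ENTRY) -> bool:
    """Expand the table's query_filter for lookup_key and test it against entry."""
    template = parse_ldap_table(table_text)["query_filter"]
    return filter_matches(expand_query_filter(template, lookup_key), entry)


if __name__ == "__main__":
    key = "user1@example.com"
    print("uid=%u matches:", lookup_would_match(LDAP_TABLE, key))                        # True
    print("uid=%s matches:", lookup_would_match(LDAP_TABLE.replace("%u", "%s"), key))    # False
    print(expand_query_filter("(uid=%u)", "*)(uid=*"))                                   # (uid=\2a\29\28uid=\2a)
```

The last line is the security point: because the substituted value is escaped, an attacker-supplied recipient address cannot rewrite the filter, so the directory is asked about exactly one uid. The same reasoning applies to Dovecot's pass_filter, which also escapes %u before sending the search.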

C. virtual_mailboxes
Since Postfix will be looking for “real” users, we will need to map email addresses to actual directory locations for each user using the virtual_mailboxes mapping. Arguments for the mapping will take the form of:

email address username/Maildir

Example:
user1@mydummydomain.com user1/Maildir
user2@mydummydomain.com user2/Maildir
:

Save the file, and generate the Postfix database by running postmap virtual_mailboxes in the terminal.

DOVECOT CONFIGURATION (pertinent only)

A. dovecot.conf
Dovecot can be compiled off the bat using ./configure, and then following it with make and make install respectively. However, since we will be letting Dovecot authenticate through LDAP, we will need to compile it with LDAP support therefore do this by typing ./configure --with-ldap and proceed as usual.

Here are the pertinent parameters that we need to declare in dovecot.conf to make it work with LDAP. The rest of the configuration (not shown) is standard Dovecot. Keep Dovecot's default disable_plaintext_auth = yes and configure ssl_cert_file and ssl_key_file, so that the plain and login mechanisms below are only accepted over TLS (IMAPS on 993 or STARTTLS on 143); otherwise eDirectory passwords cross the wire in the clear.

mail_location = maildir:/var/spool/vmail/%u/Maildir
first_valid_uid = 106
last_valid_uid = 106
auth_username_format = %Lu

auth default {
mechanisms = plain login

passdb ldap {
args = /etc/dovecot/dovecot-ldap_passdb.conf
}

userdb static {
args = uid=106 gid=12 home=/var/spool/vmail/%u
}

socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = mail
}

client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = mail
}
}
}

B. dovecot-ldap_passdb.conf

hosts = LDAP-server-ip
base = o=context
ldap_version = 3
scope = subtree

# LDAP bind authentication: Dovecot first searches for the user's DN using
# pass_filter, then binds to eDirectory as that DN with the password the
# client supplied. A successful bind means the password is correct.
auth_bind = yes
pass_filter = (&(objectClass=Person)(uid=%u))

# The search itself needs a bind too. If [Public] has browse rights on the
# tree (see above) an anonymous search works; otherwise give Dovecot the
# proxy user (placeholder values, not from the original post):
#dn = cn=ProxyLDAPUser,o=context
#dnpass = proxy-user-password

# Encrypt the LDAP session so the user's password is not sent in the clear:
#tls = yes

Replace LDAP-server-ip with the IP address of the eDirectory server and o=context with your eDirectory context. Like the Postfix LDAP file, this one may contain a password, so keep it out of reach of other users (e.g. chmod 0600).

VALIDATING
Run Postfix by typing rcpostfix start and run Dovecot by typing /usr/local/sbin/dovecot. You will then be able to try and connect via telnet on port 25, 143 and/or 110 to test Postfix and Dovecot. You can test Dovecot if the user can authenticate by going:

telnet server-ip 143

You will then receive the server header/reply. You can proceed to initiate authentication by going:

1 login user password

If you’ll receive an OK message, congratulations!

You can monitor Postfix by looking at /var/log/mail using the command tail -f /var/log/mail.

Feel free to post your questions and comments. Good Luck!



