June 7, 2009

Webserver Proxying - single public Apache HTTPD, multiple internal subdomains.

Filed under: Linux, Tips and Tricks - baudizm @ 5:03 pm

I needed only one Apache HTTPD server visible over the Internet, and subdomains provided by internal webservers. I proceeded with mod_proxy.

On SLES10, go to /etc/apache2 and create a file named proxy.conf:

# Sample configs
# by hardwyrd
# 05/22/2009
#
# Disclaimer:
# Use at your own risk. It works for me, it might not work for you.
# If you decide to use or follow this config, you agree that I am not responsible for the damage
# to your system.

# Listen on internal interface only. Only mod_proxy uses this.

Listen 192.168.10.1:8080

# Set the user for mod_proxy
User nobody
Group nobody

# Reverse proxying with ProxyPass does not need forward-proxy requests.
# Leaving this On together with a permissive <Proxy *> would turn the box into an open proxy.
ProxyRequests Off

# Default: refuse to proxy to any destination that is not explicitly allowed below.
<Proxy *>
Order deny,allow
Deny from all
</Proxy>

# Declare your subdomain reachable from the internet.
<Proxy http://your-subdomain.your-domain.tld/*>
Order deny,allow
Deny from all

# Allow only from specific IP addresses or allow all if this is accessible from the net.
Allow from all
</Proxy>

# You can add as many <Proxy> declarations as you need.

Create a virtual host on the public-facing Apache server. In SLES10, the config is at /etc/apache2/vhosts.d:

# Sample configs
# by hardwyrd
# 05/22/2009
#
# Disclaimer:
# Use at your own risk. It works for me, it might not work for you.
# If you decide to use or follow this config, you agree that I am not responsible for the damage
# to your system.

# A virtual host config is needed so that we can redirect the subdomain requests coming in at port 80 to the internal Apache server.
# Create equivalent virtual host entries for every <Proxy> declaration in the proxy.conf .

<VirtualHost *:80>
ServerName your-subdomain.your-domain.tld
ServerAlias your-subdomain.your-domain.tld
ProxyPass / http://your-subdomain.your-domain.tld/
# ProxyPassReverse must name the same backend as ProxyPass, so that Location and
# Content-Location headers sent by the internal server are rewritten to the public name.
ProxyPassReverse / http://your-subdomain.your-domain.tld/
</VirtualHost>

To enable the public Apache server to forward the requests to the proper internal Apache server, you can use an internal DNS server with the correct A record for the subdomain pointing to the IP of the internal Apache server. Or, the quickest way is to add the subdomain to the hosts file (/etc/hosts).

#/etc/hosts
192.168.10.22 your-subdomain.your-domain.tld

On the internal Apache server, create a standard virtual host for the subdomain.

That’s it! Only one Apache server will be visible to the public, and yet it serves multiple subdomains, spread among various internal Apache servers.
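An added example, not part of the original post: a small linter for the Apache 2.2-style proxy.conf above. It reads the <Proxy> sections with their Order/Allow/Deny directives and flags the mistake that turns this reverse proxy into an open forward proxy, namely ProxyRequests On without a <Proxy *> section that denies arbitrary clients. The two sample configs embedded below are constructed for the example.

```python
import re

PROXY_OPEN = re.compile(r"^<Proxy\s+(\S+)\s*>$", re.IGNORECASE)
PROXY_CLOSE = re.compile(r"^</Proxy>$", re.IGNORECASE)


def parse_proxy_conf(text):
    """Return (proxy_requests_on, sections); sections maps each <Proxy> pattern
    to the tokenised directives found inside it."""
    proxy_requests_on, sections, current = False, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        opened = PROXY_OPEN.match(line)
        if opened:
            current = opened.group(1)
            sections[current] = []
        elif PROXY_CLOSE.match(line):
            current = None
        elif current is not None:
            sections[current].append(line.split())
        elif line.lower().startswith("proxyrequests"):
            proxy_requests_on = line.split()[1].lower() == "on"
    return proxy_requests_on, sections


def section_admits_anyone(directives):
    """Apache 2.2 access control for a client that matches only 'all'.
    Order deny,allow: Deny evaluated first, Allow wins, default allow.
    Order allow,deny: Allow evaluated first, Deny wins, default deny."""
    order, allow_all, deny_all = "deny,allow", False, False
    for parts in directives:
        key = parts[0].lower()
        if key == "order":
            order = parts[1].lower()
        elif key == "allow" and parts[1:] == ["from", "all"]:
            allow_all = True
        elif key == "deny" and parts[1:] == ["from", "all"]:
            deny_all = True
    if order == "allow,deny":
        return allow_all and not deny_all
    return allow_all or not deny_all


def lint_proxy_conf(text):
    """Return a list of findings; an empty list means no open-proxy risk found."""
    proxy_requests_on, sections = parse_proxy_conf(text)
    if not proxy_requests_on:
        return []  # ProxyPass reverse proxying works without forward proxying
    catch_all = sections.get("*")
    if catch_all is None:
        return ["ProxyRequests On without a <Proxy *> section: open forward proxy"]
    if section_admits_anyone(catch_all):
        return ["ProxyRequests On and <Proxy *> admits any client: open forward proxy"]
    return []


# Constructed sample in the shape of the proxy.conf above: forward proxying off,
# catch-all denied, one internal subdomain allowed (Order defaults to deny,allow).
SAFE_CONF = """ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
</Proxy>
<Proxy http://your-subdomain.your-domain.tld/*>
Allow from all
</Proxy>
"""

# Constructed variant with the mistake: forward proxying on and nobody denied.
OPEN_CONF = """ProxyRequests On
<Proxy *>
Allow from all
</Proxy>
"""
```

Run lint_proxy_conf over a real proxy.conf before exposing the host; the original config with ProxyRequests On passes only because its <Proxy *> section denies everyone.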

Enjoy!



May 18, 2009

Virtualized CentOS5 via VirtualBox on Ubuntu

Filed under: Linux, Tips and Tricks - baudizm @ 3:59 pm

Funny as it may seem, I fell for it (yet again perhaps?). I’ve installed CentOS5 on top of VirtualBox 2.2.2 on my Ubuntu Hardy 8.04 for the sole purpose of testing out ASP.NET hosting using Mono, XSP, and Apache. And I was in for a surprise that I could not access my virtual machine’s Apache web server instance.

I was able to install VirtualBox 2.2.2 vanilla (not the official Ubuntu package) without any problems. I followed it up by installing CentOS5 as a virtual machine. I then proceeded and configured the network interface for the virtual machine on the VirtualBox Management panel, and set it up to use “Bridged” networking.


(Screenshots: VirtualBox Panel; Network Settings)


I proceeded by booting the virtual machine and watched every boot message zip by without a hitch. I then logged into the virtual machine as root and configured the IP address for the network interface. After which, I pinged the IP address and got the reply I wanted. I then tried to log in via SSH, and was able to get in. “Hmm… everything seems to be in order. Might as well continue.” I said to myself. Boy was I in for a surprise.

I proceeded and configured the web server, enabling name-based virtual hosting, started Apache and tried to browse the test page. And then… nothing! ACCKK!!! I checked the IPTables rules to see if there was something amiss. So far everything seemed to be in order (really?). Tried a couple more times, and still got a failure from Firefox. Hmmm.. what could it be. Pondering for hours what could have been missed. A colleague suggested flushing the entire set of IPTables rules, which I did, and tried accessing the web server. What do you know! I was able to browse the basic landing page. “Hmmm.. there must be something wrong with the IPTables rules” I said, whispering.

I proceeded and checked again /etc/sysconfig/iptables and sure enough, I found the culprit. I mistakenly added the IPTables rule that opens port 80 AFTER the reject rule! No wonder port 80 doesn’t open up: rules are matched in order, and the first match decides the packet’s fate. I edited /etc/sysconfig/iptables again, and placed the port 80 rule above the reject rule, which allows it to take effect first, before the reject rule is reached. And then everything worked as it should.


(Screenshot: IPTables rule)

Lesson? Sometimes the obvious things are really hard to find and double checking definitely will prevent the unnecessary debugging for when your system goes to production. I’m just glad this is a simulation system and not production.
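The ordering bug described above, as an added example that is not part of the original post: a first-match walk over rules in the /etc/sysconfig/iptables format, plus a check for ACCEPT rules shadowed by an earlier catch-all. The two rule files below are constructed, modelled on the CentOS 5 layout with its default RH-Firewall-1-INPUT chain; only -p, --dport and -j are interpreted.

```python
import shlex


def parse_rules(text, chain="RH-Firewall-1-INPUT"):
    """Collect the -A rules of one chain, in file order, as simple dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("-A"):
            continue  # skip '*filter', ':CHAIN', 'COMMIT' and comments
        tok = shlex.split(line)
        if tok[1] != chain:
            continue
        rule = {"proto": None, "dport": None, "target": None}
        for i, t in enumerate(tok):
            if t == "-p":
                rule["proto"] = tok[i + 1]
            elif t == "--dport":
                rule["dport"] = int(tok[i + 1])
            elif t == "-j":
                rule["target"] = tok[i + 1]
        rules.append(rule)
    return rules


def verdict(rules, proto, dport, policy="ACCEPT"):
    """Target of the first rule whose proto/dport match the packet; the chain
    policy applies when nothing matches. A rule with no proto/dport matches all."""
    for rule in rules:
        if rule["proto"] not in (None, proto):
            continue
        if rule["dport"] not in (None, dport):
            continue
        return rule["target"]
    return policy


def shadowed_accepts(rules):
    """Destination ports of ACCEPT rules that can never fire because an earlier
    catch-all rule (no proto, no dport) already decides every packet."""
    shadowed = []
    for i, rule in enumerate(rules):
        earlier_catch_all = any(
            r["proto"] is None and r["dport"] is None for r in rules[:i]
        )
        if rule["target"] == "ACCEPT" and earlier_catch_all:
            shadowed.append(rule["dport"])
    return shadowed


# Constructed: the broken order from the post, port 80 ACCEPT after the REJECT.
BROKEN = """*filter
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
COMMIT
"""

# Constructed: the fixed order, port 80 ACCEPT above the REJECT.
FIXED = """*filter
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
```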

I think it was stupid of me not to notice the order of the rules in the iptables file. What do you think?



January 14, 2009

Authenticate OneOrZero HelpDesk Users to LDAP via OpenLDAP

Filed under: General OpenSource, Linux, Tips and Tricks - baudizm @ 2:46 pm

Help! We needed a helpdesk and a knowledgebase system and we prefer that it be opensource. We found OneOrZero HelpDesk and KnowledgeBase to be a good candidate. We decided to take a look at it and see for ourselves. Installation was a tad easy. All you need is an Apache server, PHP, and MySQL and voila! We have been running it using MySQL for some time but we haven’t as of yet let users use the system.

We have been mulling over the idea of integrating OneOrZero HelpDesk and KnowledgeBase authentication with our existing LDAP server, which also authenticates our Windows domain users via our Samba PDC. OneOrZero is pretty convenient for us since it already has LDAP authentication capability. Or so we thought.

Setting up LDAP for OneOrZero HelpDesk required us to modify its settings. You can do this using its own control panel, by logging in as an administrator, or you can go brute it out by going to where the OneOrZero configuration files are located. In my case it is in

/srv/www/onezero/configuration/website_settings.php

Please note that the location may not be the same in your case, depending on where you extracted your files, and where your Apache DocumentRoot is located. Make the necessary adjustments.

After locating the file, make a copy first of the existing file (you don’t want to lose working settings, do you? :) then edit website_settings.php by opening your favorite text editor - which in my case is vi.

vi website_settings.php

Navigate your way down towards near the end of the file, and review the LDAP-related parameters. Please note, I’ll be using my own LDAP parameters as examples and yours might be different depending on your LDAP server flavor (AD, OpenLDAP, Netware/OES/others).

# Enable LDAP authentication. This is DB by default.
auth_method = "LDAP"

# IP address of your LDAP server
ldap_host = "192.168.10.10"

# If you are using AD, specify the domain name. I'm using OpenLDAP so, I ignored this.
ldap_domain = ""

# Specify the user that will be used to bind to your LDAP server. Not needed if anonymous bind is allowed
ldap_binddn = "cn=ldapbinder,dc=mydomain,dc=com"

# Specify the password for the binding user
ldap_bindpwd = "secret"

# Set the location in your LDAP schema where the search will start from. In my case, I have an OU called "Users"
ldap_rootdn = "ou=Users,dc=mydomain,dc=com"

# Provide here the search attributes. Note though that this might be different on your particular flavor of LDAP.
# Use an LDAP browser utility to double check.
ldap_searchattr = "uid"
ldap_fname = "givenname"
ldap_lname = "sn"
ldap_uname = "uid"
ldap_email_add = "mail"
ldap_office = "l"
ldap_phone = "telephonenumber"
ldap_context = "dn"

Save your file after editing.

We then tried logging in using our LDAP accounts, however it seems that OneOrZero cannot find our accounts, or rather LDAP cannot find the accounts passed by OneOrZero to it. So, I then looked at the LDAP log and checked what the problem is. Sure enough, I found the culprit.

Jan 14 11:18:15 x2100 slapd[4044]: conn=5857 op=1 SRCH base="ou=Users,dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=minime)"

No wonder LDAP cannot locate the user. Even though it is searching on the right section of the LDAP tree, it doesn’t know which one to pick up. Remember, we use our LDAP server as authentication for our Windows users via Samba as well. Heck, we even authenticate our SSH users via LDAP also.

Another challenge!

How do I hack the filter in OneOrZero so that it works for my LDAP server? (GOD I LOVE THIS WORK!)
Simple, I have to locate the filter string deep in the bowels of OneOrZero’s source code and insert my own filter, or manipulate it so that the output filter will meet what my LDAP server really needs.

OK OK! Enough suspense, how did I do it? Simple.

Navigate yourself to where you extracted OneOrZero - in my case /srv/www/onezero/common , and edit the file common.php . When you open the file, navigate yourself towards line 164 . There you will find the $filter variable which receives the value from the LDAP search attribute that was set in website_settings.php .

When you locate the $filter variable, comment the existing one, and replace it so that it looks like this:

// $filter = "($ldap_searchattr=$name)"; //This is the default filter string

// New filter string to fit my LDAP server: restrict the match to POSIX accounts.
// Note that $name (the login name typed by the user) is interpolated unescaped, so any
// filter metacharacters in it reach the LDAP server as-is.
$filter = "(&(objectClass=posixAccount)($ldap_searchattr=$name))";

Save the file and do a test login. That’s it!
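An added example, not from the original post or the OneOrZero code base: it builds the same (&(objectClass=posixAccount)(uid=...)) filter as the PHP line above, but with the user-supplied login name escaped per RFC 4515, and runs both the escaped and the unescaped filter through a toy evaluator over a constructed directory to show the difference. search, the evaluator, only understands the AND-of-equality shape used here; the three directory entries are constructed.

```python
import re

# RFC 4515 escapes for the characters that carry meaning inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape user input for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(searchattr, name, object_class="posixAccount"):
    """The post's filter, (&(objectClass=posixAccount)($ldap_searchattr=$name)),
    with $name escaped so it can only ever be compared as a literal."""
    return "(&(objectClass=%s)(%s=%s))" % (object_class, searchattr, escape_filter_value(name))


def unescaped_filter(searchattr, name, object_class="posixAccount"):
    """The same interpolation without escaping, kept only for comparison."""
    return "(&(objectClass=%s)(%s=%s))" % (object_class, searchattr, name)


def _assertions(filter_str):
    """Split the restricted shape used here, (&(attr=value)...), into pairs."""
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("only AND-of-equality filters are supported")
    return re.findall(r"\(([^=()]+)=([^()]*)\)", filter_str[2:-1])


def _value_matches(entry_value, asserted):
    """Equality match: an unescaped '*' is a wildcard, \\XX is a literal byte."""
    literal = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    pattern = ".*".join(re.escape(literal(p)) for p in asserted.split("*"))
    return re.fullmatch(pattern, entry_value, re.IGNORECASE) is not None


def search(filter_str, directory):
    """uids of the entries for which every assertion holds (toy evaluator)."""
    hits = []
    for entry in directory:
        if all(any(_value_matches(v, asserted) for v in entry.get(attr.lower(), []))
               for attr, asserted in _assertions(filter_str)):
            hits.append(entry["uid"][0])
    return hits


# Constructed directory: two POSIX accounts and one entry that is not a posixAccount.
DIRECTORY = [
    {"objectclass": ["inetOrgPerson", "posixAccount"], "uid": ["minime"]},
    {"objectclass": ["inetOrgPerson", "posixAccount"], "uid": ["bob"]},
    {"objectclass": ["device"], "uid": ["printer01"]},
]
```

With the unescaped interpolation a login name of "*" yields (uid=*), which matches every POSIX account; the escaped form (uid=\2a) matches nobody, which is what a literal asterisk should do.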

If you still have trouble setting it up (which I doubt), feel free to look at the Administration guide at http://www.oneorzero.com/wiki/index.php?title=OneOrZero_Settings

Enjoy!



October 13, 2008

Enabling JSON on PHP 5.1.2 in SLES10

Filed under: General OpenSource, Linux, Tips and Tricks - baudizm @ 4:56 pm

JSON is a trivial package feature and the extension already comes built in with PHP 5.2.x, so this is not so much a problem for users of the latest PHP build. However, if you are using SLES10 SP1 or below, haven’t updated PHP and still use 5.1.x, then you’ll be in for a surprise. JSON isn’t available in the default install, let alone as a package that you can get from YAST, unless you have updated your Installation Sources.

The quickest and simplest way is not to depend on vanilla sources but rather to use PEAR since it is already in SLES10.

1. Open YAST.

2. In Software Management, search for php-devel and install it. php-devel provides phpize which PEAR will be using later on to install the JSON package.

3. Open Terminal, and run the command as root:

pear5 channel-update pear.php.net

4. In Terminal still, follow it up with:

pear5 install pecl/json

This will install the latest JSON package.

After installing JSON, locate your php.ini and add the following line in the Dynamic Extensions section.

extension=json.so

Save php.ini and restart Apache.

Congratulations! Enjoy.



May 23, 2008

Looking forward to The Philippine Open Source Summit

Filed under: General OpenSource - baudizm @ 9:05 am

After much wait, the Philippine Open Source Summit has been finally announced and will be held at the Cebu International Convention Center on June 23 and 24, 2008. This is truly significant and very timely for me because this is going to be the largest convention that I will be able to witness, and I’m already working in Cebu using opensource tools on the job.

What’s to look forward to?
Doh! This is “TEH” biggest opensource event to happen in the Philippines. Plus Apache Software Foundation is going to be there with VP Ken Coar speaking about opensource communities. There’s also opensource blogger Matt Asay to talk about opensource business models, and Danese Cooper of OSI talking about opensource deployments.

(Image: Philippine Open Source Summit)

And yes, exhibitions abound and some breakout sessions on SugarCRM, Adempiere, Pentaho, Drupal, RoR, Eclipse, Maven, Tomcat/Jetty, and MySQL. It’s also going to be the initiation of the Open Source Association and the Philippine Open Source Center. I’m also pretty sure that Dr. Alvin Marcelo and Dr. Francis Sarmiento, both with IOSN will be there and I’d love to meet them.

It’s going to be the best venue to meet and get to know more about the people behind opensource in the Philippines. I’d say I’m not excited. I’m thrilled!



May 19, 2008

The Human Aspect of Going OpenSource

Filed under: General OpenSource - baudizm @ 12:03 am

OpenSource has been in existence for quite a long time. It has been known by so many names with various differences in how licenses take effect on certain products. Some of the widely-known opensource licenses to date are GNU’s own GPL and LGPL licenses, BSD’s own license, the Apache licenses, Mozilla Public License, the PHP license, among many others. These licenses are under the stewardship of the OpenSource Initiative (OSI) who accepts applications by individuals or groups and reviews or approves candidate licenses. Discussing the differences between each opensource license is a different matter however, one may visit the OSI site for more information.

“The software I’m using works fine. I paid for it and I don’t see the need to tinker with its programming. Why bother?”
Sure, if you’re happy with the proprietary product that you are using then I’m glad for you. However, there may be questions that you would want to be answered. Some of these questions might be listed in the following list:

  1. Do you know how your software works internally?
  2. Can the software you bought be customized according to your need?
  3. Does it fit your need at all?
  4. If it can be customized, how much did it cost for you (or the developer) to modify the software?
  5. Are there security issues that you have encountered while using that software?
  6. How often does the developer/vendor issue software fixes and patches to resolve certain usability and security issues?
  7. How much did the software cost?
  8. Are you satisfied with the support provided by the vendor?
  9. Do you feel like you’ve been swindled when you purchased/commissioned the software?
If you answered NO to questions 1,2,3,8 and yes to questions 5 and 9, it’s time for you to consider choosing an opensource solution.

“Is going opensource painful?”
The answer is “it depends”. It depends on the type of project or solution that you want to implement, whether what you need can be remedied by an opensource solution, and how willing or how committed you are to totally using opensource solutions. Chances are, around 65% of your requirements may have an opensource solution readily available. Over the years, the opensource movement has been very active and has been filling some niches already. Currently it is slowly creeping into areas like healthcare, utilities, and management. With the plethora of opensource projects available, you may be able to get from 65% to possibly 95 or 100% of your requirements fulfilled using opensource.

“If OpenSource is really that great, why didn’t my friend Joe choose this path?”
Again, it depends. The projects that your friend Joe was working on at that time might not have had an available opensource solution yet, or his projects were sensitive enough that opensource was not yet advisable. We’d have to always bear in mind that opensource is not a magic pill that you can take and all your problems will go away. It requires a lot of the human factor in order for it to work. And that is what I truly appreciate about it. It brought back the feeling of responsibility, of being aware of what you are doing, of being totally conscious of what you are deploying and how the system behaves as a whole. It requires constant vigilance, of bug hunting and fixing. Yet, despite the daunting work, you will be backed by a dedicated community who are willing to spare some time to help you out. The countless mailing lists, forums, and support groups dedicated to specific projects are available 24x7 to help you out. It’s totally different from the 1-800 number that you’re asked to dial whenever you encounter problems, then answered by incompetent call center agents who actually did not try out the solutions that they are asking you to perform. How’s that for a reason?

Was I able to mention that you have full access to documentation and source code? Now you know.

“Ok, ok, I’m with you there. But I don’t know where to start.”
As in any endeavor, you’d have to know what you need in order for you to be able to know how to proceed. It would be better to list down your requirements. For example, you are an administrator and you manage a small network for a local business. You have to first ask yourself the following questions:

  1. How many users do I have?
  2. What operating systems am I currently using?
  3. What network services do I need?
  4. What services do the users need?
  5. What type of hardware am I currently using?
  6. What software applications are my users currently using?
  7. What do I want to implement within 3 years?
  8. What are my current skill sets?
After identifying and listing your answers, you can then start to plot out the solutions that you already know to fulfill your need. And I’m sure those require software to be purchased. Then you can start searching for the opensource equivalents.

The easiest place to start will be Google. However, you may also skip over to Sourceforge for the latest opensource projects. You’d have to wade through countless opensource projects with stages ranging from Alpha, Beta, Release Candidates (RC), and Stable or Production grade. I suggest you stay away from Alphas or even Betas, as these are still nowhere near complete, and go for the Stable/Production releases. RCs are almost done, but not quite, for they still have some fixing to be done.

“Since you’re so keen on brainwashing me, have you actually used OpenSource software?”
The answer is a big YES. I’ve been using and advocating OpenSource for years. My desktop runs Ubuntu Linux currently on 8.04 “Hardy Heron”. The servers I manage run on SuSE Linux Enterprise Server. Our firewall runs on PFSense, which is a BSD distribution based on Monowall and FreeBSD. I have implemented an opensource inventory and asset management solution using OCS Inventory NG and GLPI Asset Management. The company’s domain runs on Samba as primary domain controller authenticating to OpenLDAP since we still had to support existing Windows XP boxen, and some Linux desktops running a mix of Mandriva, Ubuntu, and Fedora.

Had we used proprietary solutions as opposed to what we have now? It would have cost the company millions for the same functionality that we got from opensource, which cost us nothing but time and a little guts and dedication.



February 12, 2008

Resolve iManager “503” issue in Netware

Filed under: Tips and Tricks, Netware, ZENworks - baudizm @ 3:21 pm

Covered OS versions:

- Netware 5, 5.5, 6, 6.5
- Open Enterprise Server (OES) Netware Kernel 6.5

iManager versions:

- iManager 2.5
- iManager 2.6
- iManager 2.7

Issue:

You have installed Netware, and iManager on your server box. Suddenly, when you tried to access iManager from your browser, you’re greeted with the “Error 503: Service Unavailable” notification.

This is related to Novell LDAP (NLDAP), Netware’s server certificates, and how iManager authenticates through LDAP via Apache Tomcat. There’s a possibility that the server certificates are corrupted, or that changes made to the server certificates were not propagated to the services that need them. Yes, Netware does suffer corruption every now and then due to the nature of the file system it currently uses. It still uses FAT/FAT16/FAT32. This could be resolved by moving to the OES-Linux kernel instead of using pure Netware or the OES-Netware kernel.

Solution:

We will need to stop Tomcat, Apache web server, and Java. We will then need to rebuild our server certificates. After which we will need to restart our services.

Actual Commands:
On the Netware command line, type the following commands:

NETWARE: tc4stop
(Terminate Tomcat. For Tomcat 5.0, use tc5stop instead.)

NETWARE: ap2webdn
(Shutdown the Apache web server.)

NETWARE: java -exit
(Shutdown Java.)

NETWARE: pkidiag
(This will open the PKI wizard for detecting and repairing public key infrastructure in Netware. Follow the menu items namely 4, 5, 6, 0)

NETWARE: tckeygen
(Restore LDAP connectivity for Tomcat.)

After a few minutes, start the services.

NETWARE: tomcat
(You may also use /tomcat/5.0/bin/startup start to start Tomcat 5.0.)

NETWARE: ap2webup
(Start up the Apache web server.)

Try opening your iManager again and log in (http://ip_of_your_server/nps/iManager.html)

If you found anything erroneous in this tip, feel free to post a comment.



January 23, 2008

Javascript “critter” frolics, WhiteHats called to arms

Filed under: Throughout the Web - baudizm @ 12:12 am

This problem appeared early on, sometime around November 25, 2007. To put it simply, it’s a malware propagation scheme that takes advantage of vulnerabilities in web servers, CMSs, cPanel, some frameworks, as well as the machines that visit the infected sites. Yes, the magnitude of this exploit is quite huge. What’s more, it infects machines irrespective of operating system platform.

So what is this “problem” really? It’s a propagation “framework”, if you must, that uses good old Javascript and more of it. It also includes a dash of rogue .htaccess in your Apache server for good measure. How ingenious is this? Well, to put it simply, when you visit an infected site, you’re treated to the sweet taste of Javascript. Except that you’re not seeing anything obvious. Everything is transparent to the visitor. You won’t feel a thing when this bugger hits your browser. And the icing on the cake is that each iteration of the Javascript thrown at your browser is served only once per IP. And no, you cannot wget it again using the same IP you’re using now. Once you try to wget the same JS script file, you get a 404 outright. Once you’re infected, you’ll be deluged with requests from the other infected sites begging your machine to download their own randomly generated versions of the same JS script.

To dig deeper, it scans the visiting machine for vulnerabilities that can be exploited. Yes, your favorite iTunes cuddles with this bugger too, along with some of your favorite applications. On Windows machines, ActiveX is the main culprit. However, on the server side, whitehats are still continually looking for ways to neutralize this silent threat. The mystery is not in the infection. It’s how the servers were compromised and made to host the rogue code. And most of the detailed discussions were hidden from public view for fear of feeding the kiddies further. A good bet is that automated exploit tools were used to compromise the sheer number of servers in record time. Probably a mutated variant of Metasploit running on various hosts of a botnet, simultaneously doing their rounds at random until an unwitting, seldom patched server is encountered. And then the carnage starts again until a good number of machines are “droned”. Then, when the visits come trickling into the sites, there’s no turning back.

It’s already 2008 and this critter is still happily frolicking under the virtual sun. You might have an updated AV (Kaspersky and AVG were known to catch this), however, it’s a matter of time before you too will be assimilated.

No I won’t give more details about this. Google might give the answer but not me. I’m already busy.

