With this sponsored post, I'm pleased to talk about AskReaMaor.com, which is a computer-related blog. I'm a nerd and I enjoy the presence of other nerds. Almost all of my 'real' (non-virtual) friends are nerds as well. Being around nerds is great for getting great dialog, and overall really helps me become a better programmer and administrator.
Rea's blog is great and offers a nice balance of human spirit along with heavy tech talk, so nerds and non-nerds will be able to enjoy it. I'm also impressed with the overall design of his WordPress application. It's clean and easy on the eyes. His categories are diverse and provide a good overall view of technology. Obviously, I jumped right to 'Linux and Unix'.
With this sponsored post, I'm excited to talk about a company that I'm stoked about as well as having an interesting hot product! The company is AVS4You.com. Now, I've been using the AVS Video Converter for years on web development projects where I needed to convert .AVI to .WMV, etc. What I like about their products is, simply put, that their software is clean, simple and just works. That is a hard demand nowadays, but they definitely deliver. They currently only support Windows (minus Vista at this time).
This company is one of the kings of multimedia software and provides fantastic tools to help manage and convert media files. The hot product I want to talk about is AVS iDevice Explorer. It allows you to exchange audio and video files between your computer and portable devices (mobile phones, portable video and music players).
Portage has officially made mod_security (http://www.modsecurity.org) 2.1.1 stable! This is great since the official releases of 2.x have been out for a long, long time. With this jump, there are some issues to contend with. Jumping from 1.x to 2.x releases involves some major configuration modification, but is aided with a conversion matrix document. Basically every rule and configuration option has changed with this release. I'll be documenting my upgrade procedures in the next mod_security blog post. I want to verify that changes are working correctly first before posting.
For those that do not know what mod_security is or what mod_security can offer you, here is a rough interpretation of what mod_security does. Mod_security is basically an application firewall that sits in front of Apache requests. It analyzes every request to Apache and, depending on rules (defined using regular expressions), certain handling can happen. You can block requests and present a 403 (or other error code), or you can let it pass but log the request. Mod_security has fantastic logging with its audit_log (now modsec_audit.log) where all payload and packet information is stored about the request.
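The two outcomes described above (block with a 403, or let the request pass but log it) look like this in ModSecurity 2.x rule syntax. This is an added example, not configuration from the original post; the rule ids, patterns, messages and the audit log path are assumptions chosen for illustration.

```apache
# Added illustration for ModSecurity 2.x. Rule ids, patterns, messages and
# the log path below are constructed for this example.

# Enable the rule engine and let rules inspect request bodies (POST data).
SecRuleEngine On
SecRequestBodyAccess On

# Write an audit record only for transactions that a rule flagged.
# Parts: A = audit header, B = request headers, C = request body,
#        F = response headers, H = audit trailer, Z = end of entry.
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log
SecAuditLogParts ABCFHZ

# Blocking rule: a "../" sequence in any request parameter is denied with a
# 403 and recorded in both the error log and the audit log.
SecRule ARGS "\.\./" \
    "phase:2,t:urlDecodeUni,deny,status:403,log,auditlog,id:900001,msg:'Path traversal sequence in request parameter'"

# Log-only rule: an unusual HTTP method is allowed through ("pass") but still
# leaves an audit record, so it can be reviewed before deciding to block it.
SecRule REQUEST_METHOD "!^(?:GET|HEAD|POST)$" \
    "phase:2,pass,log,auditlog,id:900002,msg:'Unexpected HTTP method'"
```

Running a new rule with `pass` first and switching it to `deny` once the audit log shows no legitimate traffic matching is a common way to avoid breaking an application during a rules migration.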
With this Sponsored Post, I wanted to talk about an interesting product. As most of you know, my world is Gentoo Linux, but as a web programmer, I do an insane amount of work on Windows. I like to make sure that I'm using operating systems from Linux to Windows to MacOSX to keep in touch with clients and other IT professionals.
The product, which is Apis Ceratina by Mavrsoft (visit their web site at: http://www.mavrsoft.com/product.html) is a great macro tool for Windows to perform repetitive tasks quickly. With Apis Ceratina (man, that's a hard name to remember | say | type), you can record clicks and keystrokes, and then replay them. When I heard this, I was wondering, "what's the point?". But in their demonstration they illustrated it very nicely.
As another weapon in my anti-spam arsenal, I wanted to give policyd-weight a shot within my existing postfix setups. Policyd-weight is a great daemon that sits between postfix's authentication and data delivery phases. After handling SMTP authentication, etc., it will hand over the headers to policyd-weight before the data transmission. This is great, since this will aid in bandwidth usage and processing time.
Policyd-weight then begins some basic checks to determine some 'shady' behaviour. For example, it sees if helo matches hostname, checks against various RBLs and verifies it has a valid MX, just to name a few.
Here is a thorough howto on how I built a chrooted apache using mod_chroot. Along with chroot, I'm using mod_security for basic filtering and the suhosin PHP extension for adding additional security to the core of PHP on the server.
As some of you know, when adding additional security, you often take away functionality and usability. These techniques won't be for everyone, and the learning curve is slightly steep for debugging the initial problems. Once you learn what to look for and how to correct them, things become much easier.
Currently, I'm working on a hardened server using mod_chroot, mod_security and the suhosin extension. I was installing an app that was using fsockopen to check for updates (it's an open source package). Every time I would check for updates, I would get an unexpected error displayed to me.
Hoping to find more information, I took a look in the error_log. Unfortunately nothing was there. Following the PHP code path, I isolated the problem to the fsockopen() call:
$fp = @fsockopen($server, $port, $this->errno, $this->errstr, $timeout);
I took out the error suppression and received the following error:
Warning: fsockopen() [function.fsockopen]: php_network_getaddresses: getaddrinfo failed: Name or service not known in /var/www/www.domain.net/htdocs/libraries/lib-xmlrpc.inc.php on line 1041
Warning: fsockopen() [function.fsockopen]: unable to connect to sync.openads.org:80 in /var/www/www.domain.net/htdocs/libraries/lib-xmlrpc.inc.php on line 1041
This article is about getting saslauthd working in a chroot'd postfix, but I'll explain how I got here to start with.
I was working on a Gentoo box that has been a slight nightmare for me (actually, complete nightmare). It was built outside of Gentoo portage (basically image'd from another Gentoo box). Because of this, world is all broken and the server basically doesn't know what it has installed, so updates are a bear, and I was lucky enough to inherit this machine.
The real problem was the original admin liked qmail... so if any of you are qmail fans.. stop reading now.
Being a noob with qmail systems, and not having been part of the initial configuration, I felt it was a steep climb to a spot where I could see what is going on and more importantly what is going wrong. What I do know is that it's hard to understand what is going wrong with it. Sure the service is secure, but the logging is crap (which I'm sure is a misconfiguration on debug level or something on my part, so I'll definitely take some blame, since I'm sure someone will email me on this).
During the recent upgrade to 2.6.19 kernel, I ran into a problem with SATA drives. Looks like these options have been brought into a new area of the .config. Not a problem, simple search in the Gentoo forums pointed me in the area where they're located and I was quickly back in action.
But, it got me to think about a way to roll back the kernel in case of kernel panics. I have several remote servers where this error would have hurt me badly. Assuming that I could have had a tech reboot the machine and manually select the old kernel, I could have been down for hours (not good).