- Mike

Useful Links:

* UTOSC 2012 Page: http://conference.utos.org

Something that I thought I would share though is what I did with the SSL certs to get it to work. One of the things that you might not expect is that ejabberd uses a single SSL cert file.

Why does that matter?

When a client and server perform the SSL samba of love, part of the process is the exchange of the server certs and the intermediate CA certs. This is the process that allows a client to look at the server cert, the CA cert that the client should already have, and make the intermediate steps, using the intermediate CA cert, to validate the CA signed the server cert.

If you choose to use a self signed cert this process obviously may not be the same.

The quirk here is that I first had to define the SSL Cert file location in the ejabberd.cfg file:

{5222, ejabberd_c2s, [

%%
%% If TLS is compiled in and you installed a SSL
%% certificate, specify the full path to the
%% file and uncomment this line:
%%
{certfile, "/etc/ejabberd/mydomain.pem"}, starttls_required,

{access, c2s},
{shaper, c2s_shaper},
{max_stanza_size, 65536}
]}

There isn’t any other place to define additional certs, including the intermediate certs or the key file. In order to be able to do this you have to combine the files: the OpenSSL private key, the signed PEM from the CA, and the intermediate CA cert from the CA (I like StartCom!)

cat /etc/pki/tls/private/mydomain.key >> /etc/ejabberd/mydomain.pem
cat /etc/pki/tls/certs/mydomain.signed.pem >> /etc/ejabberd/mydomain.pem
cat /etc/pki/tls/certs/intermidate.CA.pem >> /etc/ejabberd/mydomain.pem

Once that is done you simply need to restart the ejabberd service and you should not see any errors.

I tried to verify the connection using the following openssl command on Fedora 13:

openssl s_client -connect server.mydomain.org:5222 -starttls xmpp

For some reason it doesn’t seem to be able to actually do it (Even with the use of -starttls xmpp) so I went with a secondary plan. I launched wireshark and watched the connection to see if it was leaking things like the private key.

It doesn’t appear too.

Still I wish it wouldn’t require the use of the private key in the same file as the server and intermediate CA certs. It makes me wonder how it handles those things in the background.

Anyways, I hope this helps.

- Mike

Useful pages:

* Installing the StartCom SSL certificate in ejabberd — http://hyperstruct.net/2007/06/20/installing-the-startcom-ssl-certificate-in-ejabberd/
* ejabberd — http://www.process-one.net/en/ejabberd
* StartCom Free SSL Certificate Authority — http://cert.startcom.org/

I did stumble upon some green I didn’t expect: a “green” drinking fountain at O’Hare International Airport.

Chicago Goes Green poster describing filtered water bottle filling station and drinking fountains

What makes this drinking fountain better then others?

Personally I think the filtration alone makes it fantastic! It is the touchless water bottle filler that makes things so green.

Two green drinking fountains that provide filtered water and bottle filling.

One thing about filling water bottles at the airport is the surprising difficulty of the task. Now that I have a clever little collapsible bottle it is even harder. Having a proper way to fill up makes things more hygienic and easier.

Action shot of a collapseable water bottle being filled from filtered water bottle filling station

Along with ease and hygiene is preservation of precious resources. Ideally people would recycle their plastic bottles together rather then toss them; unfortunately that doesn’t always happen. To help show what a difference such a system can make it would be nice to see some sort of numbers..

Numbers from the kid fountain/filling station.

Numbers from the adult fountain/filling station.

The numbers appear to be based solely on the number of “fills” performed. I don’t believe it considers the occasional mishap when people move in and out of the sensors range while filling. Still the idea that we are preventing so much plastic from being purchased and tossed is a good thing.

Overhead shot of the fountain / filling station at ORD

Overall the system is pretty straightforward and easy to use. In fact I had to sneak in and out of people to get the photos. Everyone seemed to be more then happy to fill a bottle, even if that was refilling a plastic Fiji water bottle. :-)

Time to get to the plane and enjoy the water during take off. Safe travels all.

- Mike

A few useful things:

Enabling IPv6 on the OS Level

Enabling IPv6 was easy to do with CentOS 5.

The following files were edited:

/etc/sysconfig/network:
* Added:

NETWORKING_IPV6=yes

/etc/sysconfig/ifcfg-eth0:
* Added:

IPV6INIT=yes
IPV6_AUTOCONF=yes

Ensuring Services Listen to IPv6

Since most services automatically bind to IPv6 ports as well as IPv4, or in some cases like Apache httpd bind only to IPv6, by default almost all services came back when restarted.

There were only three services that actually needed modification to also bind to IPv6: Dovecot, Sendmail and BIND.

Dovecot

/etc/dovecot.conf:
* Added:

listen=[::]

Sendmail

/etc/mail/sendmail.mc:
* Added:

DAEMON_OPTIONS(`Port=smtp,Addr=2600:dead:beef::f03c:1234:feed:c011, Name=MTA-v6, Family=inet6')dnl
DAEMON_OPTIONS(`Port=smtps,Addr=2600:dead:beef::f03c:1234:feed:c011, Name=MTA-v6, Family=inet6')dnl

BIND

/var/named/chroot/etc/named.conf:
* Changed:

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        listen-on-v6 port 53 { any; };

Useful Tools to Verify IPv6 Binding

There are two commands that I like to use that services have bound to an IPv6 socket:

1. lsof

[root@mail ~]# lsof -i :465
COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME
sendmail 20751 root    7u  IPv6 395812       TCP [2600:dead:beef::f03c:1234:feed:c011]:smtps (LISTEN)
sendmail 20751 root    8u  IPv4 395813       TCP *:smtps (LISTEN)

2. netstat

For TCP based serivices:

[root@mail ~]# netstat -tapn | grep mail
tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN      20751/sendmail: acc
tcp        0      0 192.168.1.53:25           0.0.0.0:*                   LISTEN      20751/sendmail: acc
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      20751/sendmail: acc
tcp        0      0 2600:dead:beef::f03c:1234:feed:465 :::*                        LISTEN      20751/sendmail: acc
tcp        0      0 2600:dead:beef::f03c:1234:feed:25 :::*                        LISTEN      20751/sendmail: acc

And for UDP based services:

[root@mail ~]# netstat -uapn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
udp        0      0 192.168.1.53:53           0.0.0.0:*                               2752/named
udp        0      0 127.0.0.1:53                0.0.0.0:*                               2752/named

And further down..

udp        0      0 :::53                       :::*                                    25092/named
udp        0      0 ::1:123                     :::*                                    3160/ntpd
udp        0      0 fe80::f03c:1234:feed:c01:123 :::*                                    3160/ntpd
udp        0      0 2600:dead:beef::f03c:1234:feed:123 :::*                                    3160/ntpd

Securing the System with Netfilter

To secure the system I used my IPv4 iptables settings. There were a couple interesting items there:

1. There is no NAT filter table.
   In fact this causes an error when using the ip6tables service as it tries to unload the nat ip6table module, which doesn’t exist.
2. I had to provide an exception for the ICMPv6 protocol.
   The autoconf works beautifully and uses ICMPv6 messages for the router solicitation.

Other then that everything seems to be working like a charm. I haven’t had a chance to test it yet, but I think I might have to get another SSL cert.

Beyond that, enjoy the new IPv6 site!

- Mike

So you can imagine my surprise, after a pleasant, if chilly, day yesterday I see pouring rain this morning. D’oh! And my umbrella died in a gusty rainstorm two weeks ago in Baltimore and I haven’t replaced it yet. Double D’oh!

No worries, I have my complimentary USA Today with me!

Over the years I have developed a routine at hotels that quietly slip a USA Today under my room door whilst I sleep. When I go to leave the room, I bend over and pick up the paper just before leaving the room.

I know, that doesn’t seem that special. Considering that most places will give you a 75¢ credit not to take it at the room, well it seems almost silly. You can still pick up the paper in the Lobby for free too. Truthfully it doesn’t matter too much if I grab one at the room door or in the hotel lobby.

Right about know there may be some question as to why this matters. Perhaps it is the feel of the paper? The well crafted articles and graphics? Maybe the ability to swat the nose of ravaging zombie dogs?

No, no and perhaps to the zombie dogs…

The reason I grab the USA Today is two fold (pun intended):

• It provides a nifty temporary “folder” to protect important documents.
• It acts as a small shield for the rain/snow/hail/frogs/whatever.

This morning the paper performed double duty. Oh sure I could have tucked the paper (Yes, singular) into a folder in my backpack, slapped on the Boston Redsox hat and dashed for the rental. That would have taken more time then was necessary and my lovely hair cut would have been damaged! (Just kidding, it isn’t a lovely haircut, but it still would have resulted in “hat hair”.)

Placing the paper(s) inside the center of the USA Today allows the papers to be protected from moisture and from folding. As the paper(s) is/are tucked cosily in amongst its kind, it is less likely to be accidentally creased or folded. Bent a little? Sure! It pops right back to natural form though. This is probably the number one reason that I like the USA Today paper.

The other reason is the obvious rain shield that it is so good at.

OH! And the articles. I don’t mind the articles for reading on the plane and throw away before landing.

I hope that helps someone out.

- Mike

PS

Okay, I confess, I like it for the graphics! USA Today has some of the best graphs (as in pie charts and bar graphs) in the business and usually one is very humorous.

If you say honey, well your partially right. Say about 7 percent right, according to the lower right hand corner of the packet the golden sauce poised in the photo above contains “7% REAL HONEY”. This little gem of information is posted just below a cartoon image of a happy and delightful southern gentlemen with a string tie wearing glasses and an apron.

Yeah, you know the one I mean…

I have lived a good portion of my life near the First Kentucky Fried Chicken (Note: This is the first franchise location) and have gone to it time and time again over the years. I actually have some fond memories of that rather shabby and small restaurant. I am less a fan by the remodel they did a few years ago turning it into the same chain as everywhere else.

But lets ignore that for a moment and focus on the “Honey Sauce” that I go the other day. At least the name is accurate. This is a honey influenced sauce. Although I think the label should have been “High Fructose Corn Syrup Sauce”, since that is the man ingredient.

The ingredients list for the “High Fructose Corn Syrup” a.k.a KFC Honey Sauce, is:

1. High Fructose Corn Syrup
2. Corn Syrup
3. Sugar
4. Honey
5. Fructose
6. Contains less then 2% of:
7. Caramel Color
8. Molasses
9. Water
10. Citric Acid
11. Natural and Artificial Flavor
12. Malic Acid

And here I thought I was just getting Honey?!?!?!

I can see two reasons why KFC (Or is that KGC now?) has elected to distribute “Honey Sauce” to its franchise locations:

1) It is cheaper.

Livestrong.com quotes Beverage watch for an average price 20 cents a pound for HFCS (High Fructose Corn Syrup) in 2010. The National Honey Board provides an average bulk cost of $1.50 a pound for imported honey in 2010. Wholesale honey costs averaged around $3.50 that year.

2) It is more consistent in its, well, consistency.

The sad truth is that you will probably never even think about it, but when I was younger the real honey packets.. Well… I told myself I wouldn’t cry… *sniffle* *sniffle* It was so good! I never even thought that they would change it.

Believe me when I say that this is an abomination compared to the way I remember the honey packets. They were so good!

I guess the only solution then is try and find some honey packets for those biscuits on the way home. You could try Starbucks. It seems that tea drinkers are much pickier about honey then biscuit eaters.

- Mike

Useful links:

http://www.livestrong.com/article/289220-pure-cane-sugar-vs-high-fructose-corn-syrup/
http://www.honey.com/nhb/industry/industry-statistics/
http://www.ers.usda.gov/AmberWaves/February08/Findings/HighFructose.htm

Clint presenting to the Provo Linux User Group about GoOSe.

To view Clint’s posting about the “upcoming” meeting go here:

http://sexysexypenguins.com/2012/01/10/presenting-at-plug-tomorrow-goose-linux-rebuilding-enterprise-linux-the-community-way/

Updates:

2012.01.31: Added link to Clint’s post at http://sexysexypenguins.com

Just a quick shot at a local coffee shop patio of a tourist loaded trolley.

While ClamAV certainly has the capability of monitoring and protecting entire corporate networks I don’t have that scale of need. Oh sure theadamsresidence.net provides email access for anyone in the family that wants it and some provide lots of exercise opportunities for the little clam. But that isn’t going to be something to focus on in this particular post.

In this particular post I am going to focus on the use of ClamAV for command line analysis of files and possibly infected thumb drives. I do this so that I can conduct my little Hotel Virus.

At this point you may be wondering why I am not using a standard client installed program like McAfee, AVG or even the online scanning tool Housecall form TrendMicro (http://housecall.trendmicro.com).

Well that is simple: I rarely ever run windows but instead Linux(typically Fedora). Most of the clients that can be installed are Windows based. While I could boot into Windows, install/update the client and then try a scan I also run the risk of infection. I don’t have a license to run Windows in a VM either (It seems to have become a popular choice to use a Windows VM for this type of thing and then destroy the VM after the fact).

So I have installed ClamAV on the server that handles theadamsresidence.net and will instead be transporting an image of the thumb drive to the remote system. I will later implement the ClamAV milter to scan emails for potential virus/malware/spyware.

Getting the drive image to the remote side

To transport the drive I create a PGP/GPG encrypted copy of the drive image. I can then safely transport the file across the network to my remote server. A typical command would look something like this:

gpg -a -r bob@bob.com -o /tmp/drive.gpg.asc -e /dev/sdb

This will create a GPG/PGP ASCII armoured encrypted copy of the drive that can be safely transported and recovered on the remote side. Why the ASCII armouring? ASCII armour really is nothing more then the use of Base64 encoding of the binary content that was generated by the GPG/PGP algorithm. ASCII transports very well and provides an additional layer to protect against corruption on the remote side.

Once the drive image is created I am going to transport the image to the remote side and decrypt it in one quick move:

cat /tmp/drive.gpg.asc | ssh -XC bob@bob.com " gpg -d -o /tmp/drive"

This will stream the content through the SSH session and pipe it to the gpg command that will decode it and write it to /tmp/mydrivetransport on the remote host. In order for this to work I generated the GPG/PGP key on the remote host, exported, transferred the key to the local host and then imported and locally signed the key.

Using the drive image on the remote host

Once I have the image on the remote host I have to make it accessible to the ClamAV tool. The best option for this is going to be a mount command with the loop option:

# mount -o loop /tmp/drive /mnt/

While I could have asked ClamAV to dig through the file directly it would not have been able to read the files as it expects. Performing a loop mount makes the file system directly available.

Performing the actual scan

The scan filesystem scan itself is very easy to run on an up to date system using the clamscan command:

# clamscan -r /mnt
/mnt/bp.pdf: OK

…snip…

/mnt/someother.pdf: OK

----------- SCAN SUMMARY -----------
Known viruses: 1095323
Engine version: 0.97.3
Scanned directories: 1
Scanned files: 10
Infected files: 0
Data scanned: 3.85 MB
Data read: 1402.10 MB (ratio 0.00:1)
Time: 6.344 sec (0 m 6 s)

I elected to use the -r (recursive) option even though there were no subdirectories to worry about. The actual scan only took a few moments before reporting the data. While I suspect it may be much slower with larger data it has worked very well so far. Now that it is done I can safely unmount /mnt and then remove the drive image file or store it for later reference.

I don’t know if these helps anyone out there but then again, maybe it does. ;-)

- Mike

Useful websites/URLs:

http://www.clamav.net
http://housecall.trendmicro.com
http://www.barracudanetworks.com/
http://www.barracudanetworks.com/ns/downloads/White_Papers/BarracudaNetworks_WP_Anti_Virus_Technology.pdf

Updates:

2011.12.18: Changed filename in gpg/ssh example to shorten example that didn’t render correctly.

Unfortunately it appears more and more that I, and most of the GoOSe project people in Utah, won’t be able to attend. In scratching our heads over the process we think we have an interesting plan: We are thinking about setting up a virtual presentation.

So we have been looking around at various solutions. We haven’t presented this option to the user group yet but if this works then we might keep this method in our back pocket for future presentation. It could be a very useful thing, we might be able to repeat this for other user groups around the country or even world.

So far we have looked at Google+ hangouts. I think there might be some better solutions out there at the moment though.

To make this work the presentation tool should allow the presenters to provide visual and audio data. It should also allow for the presentation of the slides and ideally a few real life examples of doing things like submitting packages for repos and submitting packages to the GoOSe koji server(s).

The presentation solution should allow the use of Linux systems (Yeah, we all probably run Linux as our primary operating system) and work over relatively low bandwidth, since most of the time presenters may be using a congested hotel wifi service.

I find this to be an intriguing and potentially useful project.

Hopefully we will find a good solution soon!

- Mike

Useful websites:

http://gooseproject.github.com
https://fedorahosted.org/koji/
http://www.google.com/support/plus/bin/answer.py?answer=1215275 — Google+ Hangout