Ubuntu grows into the Enterprise

February 11, 2008

Matt Asay writes about an Alfresco’s Open Source Barometer survey which shows that Ubuntu is the fastest-growing Linux distribution. I won’t repeat the exact values here – read the original blog entry.
What I want to talk about it is that normally (K)Ubuntu is thought to be strong in the end-user desktop market, but Alfresco has mostly enterprise customers, which leads to the conclusion that Ubuntu has also an impact on enterprise level. I’ve started deploying Ubuntu Servers side by side with Debian on servers and specially on desktops with the first Ubuntu LTS release, but I thought thats just me. But it seems I was wrong – some other guys are also installing it the enterprise ;-).

I like that move as Ubuntu provides the same distribution for free and with a support contract. With RHEL I need to choose a clone like Centos, which at least in the past did not provide every package RHEL provided, for some less important servers. With Ubuntu I can use the same setup and maintenance process for all of my servers and that is specially important as I use OpenVZ a lot, which leads to many installed Ubuntu systems. Now I only hope that even more Linux systems get deployed in the enterprise and that Ubuntu takes a fair share of that piece of the market.

Govware: New name for a special kind of Malware

February 9, 2008

In the last weeks and months I increasingly started hearing more and more the new word Govware, which is a special kind of Malware. I though that this is interesting and informative for some of my readers, which leaded to the point that you read this post now ;-). But first things first – what is Malware? Wikepedia defines it this way:

Malware is software designed to infiltrate or damage a computer system without the owner’s informed consent. It is a portmanteau of the words “malicious” and “software”. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Govware is Malware which is used by governmental entities to extract information from computers without the knowledge of the user. Govware is a portmanteau of the words “government” and “software”. In Germany Govware is often called “Bundestrojaner”, but the term which is “winning” in the security sector seems to be Govware. I think that this name is coming more from Europe than from the US, but it is really easy and logical – so I think it will stick on both sides of the Atlantic.

One is a coincidence, two are suspicious but three or even four are no coincidence!

February 6, 2008

What I’m talking about? About the four underwater cables in the Middle East and India which stopped working. On the 30.1.2008 the underwater cables “Fiber-Optic Link Around the Globe (FLAG)” and “SEA-ME-WE 4” got cut before Egypt. First everyone was talking about ships which possible cut the cables, but now the Egypt ministry of telecommunication went public with the information that there were no ships within 12 hours in that area.

On the 1.2.2008 the Indian telecommunication company Reliance Communications reported an error with its cable Falcon before the coast of the Emirates. And now last weekend there was an other incident with an under water cable from the Qatar Telecom (Qtel) between the islands Haloul and Das, but this time it seems at least to be a power supply problem.

Anyway quite unstable the underwater cables today …..

Now why I’m posting this? It should show you that the internet can be attacked physically. Most people think the Internet was made for a nuclear war, and it is not possible to damage it to a large degree. Even as this is a myths it had some trues in the past but now everything is driven by the need to be economical. This leads to the point that the backbone of the internet is only provided by a new physical connections / organizations.

But this leads also to the point that I don’t think that this 4 incidents where related ….. or better call it coordinated, as an attacker could do better – or it was a lame attacker. But it should show us that the internet is an not that hard target even for guys which don’t know anything about computers. You need only to know which lines run where find the spots you need to hit at the same time to cripple the internet in a region.

It should be therefore in the strategic interest of most countries to increase the number of physical connections and organizations handling the internet backbone. But I’m aware that this is not that easy – at least the number of organizations and connections should not go down further. With every fusion of backbone providers some manager will look at 2 cables going from A to B will remove one as its more economical. With this attitude we are on the way to a non-failure tolerant internet on which our whole economy builds. I can’t think about a better target to damage a modern economy.

Backup of Appliances: Login and Download

February 5, 2008

I have sometimes the problem that I want to backup a device which has only a web interface (e.g. an appliance). Most of them provide a possibility for this, after a successful login you need only to click in the browser onto the backup link/button to get a file with the backup. So why I’m writing a whole post about this topic?

It is because I don’t want to do it by myself, I want it automatically done every night – now it is not that trivial anymore. Why should I want a backup every night? You say, I just could make a backup every time I change something. I don’t think that this is a good idea, beside that I’m too lazy for this.

I use normally cURL for this task, which I will illustrate with a backup script for a Vlines appliance (an Asterisk server appliance). Take a look at the source:


#!/bin/bash
url=https://xxx.xxx.xxx.xxx
cookieFile=/tmp/vlines_cookie.jar
configFile=accessvoip.vlines
#-----------
curl -d "username=XXX&passwort=XXXX" -c $cookieFile $url/index.php
curl -s -S -b $cookieFile $url/save.php > $configFile
curl -s -S -b $cookieFile $url/logout.php
rm $cookieFile

As you see, it is really easy. cURL has the ability to store cookies which is used by this appliance to store a user session and the login credentials are provided as parameters to the server. After a successful login we just want to get the backup file and log out.

As you see I use a fixed filename for storage – this is because this script is called by rsnapshot which does compare the output of the script with the last run and provides hardlink based snapshots. rsnapshot also sends me a mail if anything within the script provided an output (= indicating an error).

This script should be easily adapted to your device/appliance like access point, router, environment monitor, …. have fund and be secure.

ovpnCNcheck — an OpenVPN tls-verify script

February 2, 2008

If you’ve running an OpenVPN server you may have asked yourself how you can decide which clients can connect even if they got signed by the same CA. A common case would arises if you provide more than one OpenVPN server but not all clients should be able to connect to every one. Sure it would be possible to use a separate CA for each server but that would not be flexible. The clients would need more than one certificate/key pair and if you want to enable/disable access to a certain server for a client you need to generate/revoke the client certificate. Not a good idea!

I’ve therefore written two scripts with solve this problem. These scripts check if the peer is in the allowed user list by checking the CN (common name) of the X.509 certificate against a provided text file. For example in OpenVPN, you could use the directive:

tls-verify "/usr/local/sbin/ovpnCNcheck.py /etc/openvpn/userlist.txt"

This would cause the connection to be dropped unless the client common name is within the userlist.txt. The bash script will just check if a common name is in one of the lines (one CN per line) and the python version parses the provided regular expressions. Every line should hold one regular expression in this case which can also be just one common name (don’t forget to escape stuff like .?^()[]\ with a \). Empty lines or ones which start with a # are ignored. The bash version works also on a “out of the box” OpenWRT installation.

Python version: ovpncncheck.py
Bash version: ovpncncheck.sh

Hope it helps you!

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 63 queries. 0.249 seconds.