The Fat Penguin<br />
Random nuggets, tips and pitfalls of the trade from a frazzled Linux admin<br />
Allen Minix (http://www.blogger.com/profile/12543613395695616722), feed updated 2024-03-12T22:18:43.015-05:00<br />
<br />
SSL Certs and SHA-1 Weak Encryption<br />
Published 2015-10-15T15:48:00.000-05:00, updated 2015-10-19T11:22:56.099-05:00<br />
<div class="zemanta-img" style="text-align: right;">
<div class="zemanta-img">
<a href="http://commons.wikipedia.org/wiki/File:Standard-lock-key.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="English: An example of a standard key used for..." border="0" class="zemanta-img-inserted zemanta-img-configured" height="142" src="//upload.wikimedia.org/wikipedia/commons/thumb/a/a2/Standard-lock-key.jpg/350px-Standard-lock-key.jpg" style="border: none; font-size: 0.8em;" width="320" /></a></div>
</div>
Not too long ago, some browsers took it upon themselves to deem certain sites "authoritatively weak" because of SHA-1 signatures in the certificate chain presented by the server. While the reasoning behind this move is sound, it is still a headache for server admins who have not had to renew their certs yet and still have SHA-1-signed certs in use. If you find yourself in this position, it is fairly easy to resolve. If you're not sure whether this applies to you, you can check your web site at <a href="https://shaaaaaaaaaaaaa.com/" target="_blank">shaaaaaaaaaaaaa.com</a>. The online tool will tell you if any of the certs in your certificate chain are signed with the weak SHA-1 algorithm.<br />
<br />
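An offline version of that check, added here as an example and not code from the original post: it parses each certificate in a PEM chain file (the kind handed to the web server) and reports the signature algorithm each one was issued with, flagging the SHA-1 ones. The signature OIDs are the standard ones from RFC 3279 and RFC 5758; the sample certificates at the bottom are constructed skeletons, not real certs.

```python
import base64, re

# Signature-algorithm OIDs (RFC 3279 / RFC 5758); True marks the SHA-1 variants
SIG_ALGS = {"1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
            "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
            "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
            "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False)}

def _tlv(buf, off):
    """Read one DER tag and length at off; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def _decode_oid(raw):                                   # DER OID content bytes -> dotted form
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                   # base-128 arcs, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """OID of the outer signatureAlgorithm of a DER Certificate (RFC 5280 section 4.1)."""
    tag, start, _ = _tlv(der, 0)                        # Certificate ::= SEQUENCE {
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _tlv(der, start)                    #   tbsCertificate (skipped)
    _, alg_start, _ = _tlv(der, tbs_end)                #   signatureAlgorithm ::= SEQUENCE {
    tag, o_start, o_end = _tlv(der, alg_start)          #     algorithm OBJECT IDENTIFIER
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(der[o_start:o_end])

def audit_chain(pem_text):
    """(oid, name, uses_sha1) per certificate in a PEM chain; uses_sha1 is None for unknown OIDs."""
    oids = [signature_algorithm(base64.b64decode("".join(b64.split()))) for b64 in
            re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)]
    return [(oid,) + SIG_ALGS.get(oid, (oid, None)) for oid in oids]
# Constructed sample input (not a real certificate): a Certificate-shaped DER skeleton
def _der(tag, body):
    return bytes([tag, len(body)]) + body               # short-form length suffices here
def sample_pem(oid_bytes):
    """PEM-wrap a skeleton Certificate whose signatureAlgorithm carries oid_bytes."""
    alg = _der(0x30, _der(0x06, oid_bytes) + b"\x05\x00")           # AlgorithmIdentifier, NULL params
    cert = _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))  # empty tbs, alg, empty BIT STRING
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
SHA1_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"     # 1.2.840.113549.1.1.5
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # 1.2.840.113549.1.1.11
```

Feed audit_chain the contents of your real chain file; any entry with True in the last column is a cert to have reissued.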
If you come up on the naughty list, there are two ways to resolve the issue. If it is close to your cert's expiration date, renewing the cert will most likely fix it, provided that your CA signs with SHA-2. If it does not, you will just get another cert with the same problem; this is unlikely, as most CAs have been signing with SHA-2 for some time now. If your expiration date is too far off for renewing to be feasible, simply request a reissue from your CA.<br />
<br />
In either case, be sure to update the appropriate revocation lists if necessary and, most importantly, update the entire certificate chain you present to clients.<br />
<br />
How can your disk be full when df shows otherwise? "Inode" the answer!<br />
Published 2015-05-15T11:33:00.000-05:00, updated 2015-05-25T19:36:06.830-05:00<br />
Sorry, I just couldn't resist. That's probably the only time I'll ever get to use that joke. I had a situation recently where a system kept giving errors that the root volume was full, yet <span style="font-family: Courier New, Courier, monospace;">df -h</span> showed plenty of available space. After doing a bit of digging, I found that hordes of tiny files were chewing up inodes far faster than the space on the drive. Essentially, this is like filling a file cabinet with folders that each contain only a post-it note: the majority of the cabinet's volume is taken up by folders rather than "data."<br />
<br />
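A quick way to confirm that symptom and see where the inodes went, added here as an example (not from the original post, nor from the tutorial it links to): compare block and inode usage the way df -h and df -i would, then rank directories by the number of entries in their subtree. The sample tree is constructed in a temp directory.

```python
import os, tempfile

def fs_usage(path):
    """Percent of data blocks and of inodes in use on the filesystem holding path.
    'No space left on device' while block usage is low and inode usage is near 100 %
    is the symptom described above."""
    st = os.statvfs(path)
    pct = lambda total, free: round((total - free) / total * 100, 1) if total else 0.0
    # f_files is 0 on filesystems with no fixed inode table (e.g. btrfs), so report 0.0 there
    return pct(st.f_blocks, st.f_bfree), pct(st.f_files, st.f_ffree)

def inode_hogs(root, top=5):
    """Subdirectories of root ranked by how many entries (files, dirs, links) their
    subtree holds. Each entry costs one inode, so the top of this list is where the
    inodes went. Stays on one filesystem, like find -xdev, so mounts do not skew it."""
    root = os.path.abspath(root)
    root_dev = os.lstat(root).st_dev
    counts = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        n = len(dirnames) + len(filenames)
        d = dirpath                     # charge these entries to every ancestor below root
        while d != root:
            counts[d] = counts.get(d, 0) + n
            d = os.path.dirname(d)
    return sorted(counts.items(), key=lambda kv: -kv[1])[:top]

def demo():
    """Constructed sample: a scratch tree where one directory holds 300 tiny files."""
    base = tempfile.mkdtemp()
    for name, n in (("cache", 300), ("logs", 3)):
        os.mkdir(os.path.join(base, name))
        for i in range(n):
            open(os.path.join(base, name, "f%d" % i), "w").close()
    return fs_usage(base), inode_hogs(base, top=2)
```

On a real box, run inode_hogs("/") as root and work down from the top entry; that is the directory the linked tutorial has you clean out.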
I could detail how to diagnose and fix this issue, but someone has already written an excellent blog post on how to do just that.<br />
<br />
<a href="http://www.ivankuznetsov.com/2010/02/no-space-left-on-device-running-out-of-inodes.html" target="_blank">No space left on device – running out of Inodes</a><br />
<br />
Thanks to Ivan Kuznetsov for taking the time to post his tutorial!<br />
<br />
Bigger than Heartbleed, 'Venom' security vulnerability threatens most datacenters | ZDNet<br />
Published 2015-05-13T11:54:00.000-05:00, updated 2015-05-13T11:54:57.542-05:00<br />
If you've gone the virtual route, take note:<br />
<br />
<a href="http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/">Bigger than Heartbleed, 'Venom' security vulnerability threatens most datacenters | ZDNet</a><br />
<br />
Virtualization is cool... literally<br />
Published 2015-04-16T11:52:00.001-05:00, updated 2015-04-16T11:52:30.808-05:00<br />
<p dir="ltr">I happened to notice that, after removing yet another rack of equipment, the ambient temperature in our data room has dropped even more. It doesn't seem like that long ago that we would struggle to keep the temp under 85. Going the VM route sure took care of that issue.</p>
<div class="separator" style="clear: both; text-align: center;"> <a href="http://lh5.ggpht.com/-Y0LIgaJNqe4/VS_oy8Ta9BI/AAAAAAAAEK8/c7KP-bJ0eDk/s1600/1429202875828.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"> <img border="0" src="http://lh5.ggpht.com/-Y0LIgaJNqe4/VS_oy8Ta9BI/AAAAAAAAEK8/c7KP-bJ0eDk/s640/1429202875828.jpg"> </a> </div><br />
<br />
Remmina won't connect to Windows machines?<br />
Published 2015-01-05T12:03:00.000-06:00, updated 2015-01-05T12:03:14.417-06:00<br />
If you're like me, you still have to deal with Windows servers in your environment. I typically RDP over to them with <a href="http://remmina.sourceforge.net/" target="_blank">Remmina</a>. Every so often I run into an issue where a saved RDP connection stops working and I have to blow it away and recreate it. I finally had my fill and looked for a solution today. Apparently the fix is to just change the security method from 'Negotiate' to 'TLS'. Amazing what you can find when your annoyance level exceeds your laziness level.<br />
<br />
Take a look at the <a href="http://www.bauer-power.net/2013/10/unable-to-connect-to-rdp-server-in.html#.VKrPK83d_Nk" target="_blank">original post</a> where I found the fix over at <a href="http://www.bauer-power.net/" target="_blank">Bauer-Power.net</a>.<br />
<br />
Microsoft's next surprise is free Office for iPad, iPhone, and Android | The Verge<br />
Published 2014-11-06T11:50:00.003-06:00, updated 2014-11-06T11:51:16.614-06:00<br />
<a href="http://3.bp.blogspot.com/-VK9nKeUpQhA/VFu0rf3IZvI/AAAAAAAAA5g/2Qr99FiLMng/s1600/office.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-VK9nKeUpQhA/VFu0rf3IZvI/AAAAAAAAA5g/2Qr99FiLMng/s1600/office.png" height="200" width="200" /></a>Microsoft announced today that non-commercial users of their mobile Office apps will no longer require an active Office365 subscription in order to edit documents. By "non-commercial," they mean anything not stored on OneDrive for Business or Dropbox for Business. For anyone who has had to look into licensing their Office365 product, this should come as no surprise. Why anyone would pay their exorbitant licensing fees just to have edit functionality in a mobile app, when there are plenty of free and low-cost solutions out there, simply mystifies me. I could see the argument for some desktop users, but who is really going to work on a complex spreadsheet or PowerPoint deck on a mobile device?<br />
<br />
<a href="http://www.theverge.com/2014/11/6/7163789/microsoft-office-free-for-ipad-iphone-android">Microsoft's next surprise is free Office for iPad, iPhone, and Android | The Verge</a><br />
<br />
Serious Linux/UNIX FTP Flaw Allows Command Execution - Darknet - The Darkside<br />
Published 2014-11-06T09:21:00.000-06:00, updated 2014-11-06T09:22:50.181-06:00<br />
Alright boys and girls, it's time for another installment of <i>Vulnerability of the Day!</i><br />
<br />
<a href="http://www.darknet.org.uk/2014/10/serious-linuxunix-ftp-flaw-allows-command-execution/">Serious Linux/UNIX FTP Flaw Allows Command Execution - Darknet - The Darkside</a><br />
<br />
StartSSL - Can a free SSL cert be trusted?<br />
Published 2014-11-06T00:47:00.000-06:00, updated 2014-11-06T01:01:05.896-06:00<br />
<a href="https://www.startssl.com/img/corner.gif" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://www.startssl.com/img/corner.gif" /></a>During the course of renewing my SSL certs for another term, I happened upon an advertisement for a company called StartSSL that offers free SSL certificates. My curiosity got the better of me and I had to click to find out more.<br />
<br />
<a href="http://www.startssl.com/" target="_blank">StartSSL</a> offers several products ranging from extremely basic <a href="https://www.startssl.com/?app=1" target="_blank">free certificates</a> all the way to <a href="https://www.startssl.com/?app=30" target="_blank">extended validation (EV) certs</a>. <br />
<br />One indicator of a Certificate Authority's reputation is whether or not it is included as a trusted authority in major browsers and OS distributions. According to their web site, StartSSL (also known as StartCom Ltd.) certs are supported by all major browsers and platforms. Upon checking the default trusted certificate authorities in Chrome, Firefox and a Windows VM, I found that statement to be true. <br />
<br />
As to the claim of a free SSL cert, they are quite clear that the offering is a "low assurance" certificate. I decided to give it a try, and for a completely automated free process, it works quite well. The only information that is included in the certificate is that which can be verified. In the case of the free offering, that is either an email address or a domain name. Once you prove that you control the address or domain, the cert is issued. One must note that this does not prove identity or ownership of the email address or domain; only control of such. Based on this premise, "low assurance" adequately describes the product. This is basically one step above a self-signed certificate as it does require validation, albeit at a very low level.<br />
<br />
StartSSL also offers what they refer to as a Class 2 and Class 3 certificate, which requires the validation steps one would expect of any reputable certificate authority. These certs, as well as the extended validation product, are fairly inexpensive yet still appear to require the same level of documentation that any other cert authority would require for such a certificate. <br />
<br />
Based on what I have seen, StartSSL may very well warrant a second look the next time I need to purchase or renew an SSL certificate.<br />
<br />
<a href="https://www.startssl.com/?app=0" target="_blank">StartSSL PKI</a><br />
<br />
Three Sysadmin Rules You Can’t (And Shouldn’t) Break<br />
Published 2014-11-01T12:57:00.000-05:00, updated 2014-11-01T12:57:35.093-05:00<br />
Saw this posted on the local LUG mailing list, and it's a must read! I think I may have to print this out and put a laminated copy on the wall at work. <br />
<br />
<a href="http://www.thegeekstuff.com/2010/07/three-sysadmin-rules/comment-page-1/#comment-2699180">Three Sysadmin Rules You Can’t (And Shouldn’t) Break</a><br />
<br />
Major Cyber Attack Will Cause Significant Loss of Life By 2025, Experts Predict - Defense One<br />
Published 2014-10-29T23:51:00.000-05:00, updated 2014-11-01T12:58:10.532-05:00<br />
Everybody get your tin foil hats ready!<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container zemanta-img" style="float: right; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="http://en.wikipedia.org/wiki/File:Tin_foil_hat_2.png" imageanchor="1" style="margin-bottom: 1em; margin-left: auto; margin-right: auto; text-align: clear:right;"><img alt="Tin foil hat 2" border="0" class="zemanta-img-inserted zemanta-img-configured" src="http://upload.wikimedia.org/wikipedia/en/f/f0/Tin_foil_hat_2.png" height="191" style="border: none; font-size: 0.8em;" width="200" /></a></td></tr>
<tr><td class="tr-caption zemanta-img-attribution" style="text-align: center; width: 249px;">(Photo credit: <a href="http://en.wikipedia.org/wiki/File:Tin_foil_hat_2.png" target="_blank">Wikipedia</a>)</td></tr>
</tbody></table>
<br />
<a href="http://www.defenseone.com/threats/2014/10/cyber-attack-will-cause-significant-loss-life-2025-experts-predict/97688/?oref=d-mostread">Major Cyber Attack Will Cause Significant Loss of Life By 2025, Experts Predict - Defense One</a><br />
<br />
Somehow I get the feeling that no matter how many dire predictions of an inevitable large-scale cyber attack are made, there will still be a lot of folks completely caught by surprise.