Thursday, October 15, 2015

SSL Certs and SHA-1 Weak Encryption

Not too long ago, some browsers took it upon themselves to deem certain sites "authoritatively weak" due to the use of SHA-1 signatures in the certificate chain presented by the server.  While the reasoning behind this move is sound, it is still a headache for server admins who may not have had to renew their certs yet and still have old signatures in use.  If you find yourself in this position, it is fairly easy to resolve.  If you're not sure if this applies to you, you can check your web site at shaaaaaaaaaaaaa.com.  The online tool will tell you if any of the certs in your certificate chain employ weak SHA-1 signatures.

If you come up on the naughty list, there are two ways to resolve the issue.  If it is close to your cert's expiration date, then renewing the cert will most likely fix the issue, provided that your CA is signing with SHA-2.  If they are not, then you will just get another cert issued with the same problem.  This is unlikely, as most CAs have been using SHA-2 signatures for some time now.  If your expiration date is too far off to make renewing your cert feasible, simply request a reissue from your CA.

In either case, be sure to update appropriate revocation lists if necessary and most importantly, update your entire certificate chain for presentation to clients.
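The same check can be run locally against the chain file you are about to deploy, which also confirms that the whole updated chain is clean. This is an added example, not code from the original post; the function names and the sample dump are constructed here, and it assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# dump_chain FILE: text dump of every certificate in a PEM bundle.
dump_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -text -noout
}

# classify_sigalgs: read an OpenSSL text dump on stdin and print one line per
# certificate (verdict, signature algorithm, subject). Exit status is 1 when a
# non-root certificate carries a SHA-1 or MD5 signature.
# Limitation: RSASSA-PSS keeps its hash in a parameter block and is not inspected.
classify_sigalgs() {
  awk '
    /Signature Algorithm:/ { alg = $NF }   # latest one before Subject wins
    /^ *Issuer:/  { sub(/^ *Issuer: */, ""); issuer = $0 }
    /^ *Subject:/ {
      sub(/^ *Subject: */, "")
      if ($0 == issuer) verdict = "root"   # self-signed: trusted by identity
      else if (tolower(alg) ~ /sha1|md5/) { verdict = "WEAK"; bad = 1 }
      else verdict = "ok"
      printf "%s %s %s\n", verdict, alg, $0
    }
    END { exit bad + 0 }'
}

# Constructed sample (abridged dump, not real certificates): a SHA-2 leaf
# issued by a SHA-1-signed intermediate, plus a self-signed root.
sample_dump() {
  cat <<'EOF'
Certificate:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Intermediate CA
        Subject: CN = www.example.test
    Signature Algorithm: sha256WithRSAEncryption
Certificate:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Root CA
        Subject: CN = Example Intermediate CA
    Signature Algorithm: sha1WithRSAEncryption
Certificate:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Root CA
        Subject: CN = Example Root CA
    Signature Algorithm: sha1WithRSAEncryption
EOF
}

sample_dump | classify_sigalgs || echo "chain still contains a weak signature"
# Real use: dump_chain /path/to/fullchain.pem | classify_sigalgs
```

The sample shows why the whole chain matters: the leaf is already SHA-2, but the intermediate served with it is not, so the chain is still flagged.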

Friday, May 15, 2015

How can your disk be full when df shows otherwise? "Inode" the answer!

Sorry, I just couldn't resist.  That's probably the only time I'll ever get to use that joke.  I had a situation recently where I had a system that kept giving errors that the root volume was full, yet df -h showed plenty of available space.  After doing a bit of digging, I found that there were hordes of tiny files chewing up inodes far faster than the space on the drive.  Essentially, this would be like filling a file cabinet full of folders with only a post-it note inside each folder.  The majority of the volume of the cabinet would be taken up with folders rather than "data."

I could detail how to diagnose and fix this issue, but someone has already written an excellent blog post on how to do just that.

No space left on device – running out of Inodes

Thanks to Ivan Kuznetsov for taking the time to post his tutorial!

Thursday, April 16, 2015

Virtualization is cool... literally

I happened to notice after removing yet another rack of equipment that our ambient temperature in the data room has dropped even more.  It doesn't seem like that long ago when we would struggle with keeping the temp under 85.  Going the VM route sure took care of that issue.

Monday, January 5, 2015

Remmina won't connect to Windows machines?

If you're like me, you still have to deal with Windows servers in your environment.  I typically RDP over to the ones in my environment with Remmina.  Every so often I run into an issue where a saved RDP connection will stop working and I have to blow it away and recreate it.  I finally had my fill and looked for a solution today.  Apparently the fix is to just change the security method from 'Negotiate' to 'TLS'.  Amazing what you can find when your annoyance level exceeds your laziness level.

Take a look at the original post where I found the fix over at Bauer-Power.net.

Thursday, November 6, 2014

Microsoft's next surprise is free Office for iPad, iPhone, and Android | The Verge

Microsoft announced today that non-commercial users of their mobile Office apps will no longer require an active Office365 subscription in order to edit documents.  By "non-commercial," they mean anything not stored on OneDrive for business or Dropbox for business.  For anyone that has had to look into licensing their Office365 product, this should come as no surprise.  Why anyone would pay their exorbitant licensing fees simply to have edit functionality in a mobile app when there are plenty of free and low-cost solutions out there simply mystifies me.  I could see the argument for some desktop users, but who is really going to work on a complex spreadsheet or PowerPoint on a mobile device?

Microsoft's next surprise is free Office for iPad, iPhone, and Android | The Verge

Serious Linux/UNIX FTP Flaw Allows Command Execution - Darknet - The Darkside

Alright boys and girls, it's time for another installment of Vulnerability of the Day!

Serious Linux/UNIX FTP Flaw Allows Command Execution - Darknet - The Darkside

StartSSL - Can a free SSL cert be trusted?

During the course of renewing my SSL certs for another term, I happened upon an advertisement for a company called StartSSL who offers free SSL certificates.  My curiosity got the better of me and I had to click to find out more.

StartSSL offers several products ranging from extremely basic free certificates all the way to extended validation (EV) certs.

Saturday, November 1, 2014

Three Sysadmin Rules You Can’t (And Shouldn’t) Break

Saw this posted on the local LUG mailing list, and it's a must read!  I think I may have to print this out and put a laminated copy on the wall at work.

Three Sysadmin Rules You Can’t (And Shouldn’t) Break

Wednesday, October 29, 2014

Major Cyber Attack Will Cause Significant Loss of Life By 2025, Experts Predict - Defense One

Everybody get your tin foil hats ready!

Major Cyber Attack Will Cause Significant Loss of Life By 2025, Experts Predict - Defense One

Somehow I get the feeling that no matter how many dire predictions of an inevitable large scale cyber attack are made, there will still be a lot of folks completely caught by surprise.

Monday, October 27, 2014

Dude, where's my A record?

I ran into something a bit odd today while setting up a couple of new CentOS 6.5 virtual machines.  The VMs were both set to receive IP addresses via Windows DHCP, which was working except for one small bit.  That particular DHCP scope is set to dynamically create both forward (A) and reverse (PTR) records when a lease is obtained.  Oddly, this was not happening.  Being a Linux admin, I immediately thought, "must be Windows!"

After digging into the Windows side of the house, I was left scratching my head.  All of the settings for both DHCP and DNS were as they should be.  I set up a packet capture and sent a few DHCP requests from the VMs, which revealed the issue.  The default behavior for dhclient in CentOS now is to not pass the hostname in the request.  Adding one simple parameter in the /etc/sysconfig/network-scripts/ifcfg-eth0 file solved everything.  If you run into this issue, simply add the following to the file for the affected interface:

DHCP_HOSTNAME=`hostname -s`

By including this line, you are telling dhclient to pass the hostname to the DHCP server in the request.

Sunday, October 26, 2014

SplunkLive: Reflections from Nashville


SplunkLive recently came to Nashville, Tennessee for the first time.  Although it was somewhat of a strain to make it due to the current load at work, I was determined not to miss it.  Coming away from the day long event, I was stoked from the info presented as well as from meeting and talking with other Splunk users.  If you use Splunk, or are just considering doing so, you should definitely make it to SplunkLive if it comes your way.

I know a lot of folks may look at such an event as a day long sales pitch, but this was not the case.  Granted, Splunk sales is there should you want more info, but the whole point of SplunkLive is getting current Splunk users more bang for the buck.  Multiple breakouts are held covering different topics aimed at different users of varying experience, but all have one thing in common - making Splunk do amazing things that you never thought possible.

If you are scratching your head wondering what Splunk is, let me sum it up this way.  If you ever have the need for pulling a needle out of a haystack of logs (or any kind of machine data for that matter), you seriously need to check out Splunk.  You can even run it for free, indexing up to 500MB of data per day.

Back to SplunkLive - as I said before, if it comes to your town, GO!  You will get a lot of great info and best of all, it's free!

Friday, October 24, 2014

Ubuntu 14.10 - Much ado about nothing?

I really hate to pile on to all of the lukewarm reviews for Ubuntu 14.10 (Utopic Unicorn), but I'm going to anyway.  There has been a lot of buzz about this release, being that it is the 10th anniversary of the distribution's initial release.  Unfortunately it's more of a maintenance release than anything.  While stability and security updates are a good thing, I guess we just all expected something flashy or innovative with this release.  As always, update servers are slammed, so I wouldn't worry too much if you aren't one of the first ones to upgrade.  You're not missing much.

Wednesday, October 22, 2014

When MySQL joins become disjointed

I honestly don't know how I've managed to avoid this until now, but I ran into an issue today where I could not get a SQL query with a join to execute properly.  I kept getting errors saying that I had referenced an unknown column.  After rewriting the query several times and questioning my sanity, I decided to do a quick search online.  Much to my surprise, I quickly found the answer.  The way joins are handled changed ever so slightly in MySQL 5.0, such that they are now more closely aligned with ANSI SQL standards.  By tweaking the query and adding parentheses in the from clause, all worked perfectly.

Many thanks to jbrinkmann for his excellent article on the subject at MySQLjoin.com.

Tuesday, October 21, 2014

The Benevolence of Microsoft

I really must hand it to Microsoft.  For all of the bad publicity and general ill will that a lot of people harbor toward them, they still want to help the little guy out - even when that little guy is running Linux.

(Just for clarification, this does not involve the real Microsoft.)

A few minutes ago I received a call to my cell phone from a rather nice, if somewhat hard to understand, gentleman who informed me that Microsoft had received highly unusual traffic from my computer.

 "How did they get my number," I thought to myself.  "Must be some lucrative agreement with the NSA."

Directing my attention back to the kind soul on the other end of the line, no doubt a descendant of those long oppressed by the British Empire in their search for the perfect curry blend, I asked for more information.  He went on to say that the insidious network traffic was being sent as we spoke.

Monday, October 20, 2014

Who let the dogs out?

Here we go again - yet another "major" security vulnerability.  This time it is SSL 3.0 (why is anyone even using this anymore?) that has fallen victim.  Read more about the POODLE exploit at US-CERT.

Edit: The plot thickens!  This might be a good thing...

After reading a bit more on the subject, I realized that there might be a silver lining to this dark dog-shaped cloud after all.  All modern browsers support TLS and only fall back to SSL as a failsafe, so disabling SSL should not present an issue.  Notice that I said modern.  How many web developers out there consider IE6 and its nearly fossilized users to be a thorn in their side?  Yes, there are some entities that insist on maintaining compatibility with this dinosaur of a browser.  Guess what IE6 does not support?  You guessed it... TLS!  What better reason to justify discontinuing support for IE6?

Dilbert.com
sed 's/WINDOWS XP/INTERNET EXPLORER 6/'

Wednesday, October 1, 2014

Are you patched?

I'm sure by now you've heard of the Bash vulnerability Shellshock.  Not going to beat a dead horse, but if you haven't patched yet, stop reading this and do it now!  After you're done, check out shellshocker.net and see if you're still vulnerable.

Friday, August 15, 2014

The future of IT

Ran across this amazing video the other day where the self-described "NextGenHacker101" graciously shares his expertise in network forensic techniques:


Poor kid should stick to a Mac.

Wednesday, November 20, 2013

Get your bugles ready - it's Taps for Winamp

Now before you say anything, I know Winamp isn't native to Linux (and yes, you can run it under Wine), but like most Linux users out there, you've probably had to run either a dual boot or dual systems with Windows boxen at some point.  Back in the 90's I did just that.  I spent many hours listening to tunes served up off of a Slackware box to my desktop using Winamp.  Granted, I haven't used Winamp in years, but I was still sad to read today that it's going the way of the dodo.  Apparently AOL (yes, they are still around, too!) managed to foul something else up and drove them into the ground.  I think the only positive thing that AOL will ever be remembered for was their endless supply of free floppy disks and beer coasters.

After 15 years of llama-whipping, AOL shuts down Winamp for good

Sunday, November 17, 2013

What happened to the SourceForge that we used to know?

One can't mention open source software and not think of SourceForge, the once de facto haven for almost any major FOSS project.  There are others that have sprung up over time and lured developers away whether due to better features or the lack of an ever increasing onslaught of ads, but SF has still managed to survive.  Now there is another nail in the slowly creaking coffin  - bundled "crapware."  Take a look at this article from The Register.