So I’ve recently been blessed with another addition to my family, and with a new baby comes thousands of videos, pictures, wav files, text documents, pdf scans… well, you get the idea. At any rate, traditional spindle storage is far too unreliable for assets of this importance. I looked into buying a tape backup solution of sorts, but the ones I wanted are way too expensive and since I’m on a budget I decided to go with a combination of storage solutions:

1. Local storage. I store the media locally on the workstation that I use to pull the images off the various cameras. This provides easy access, but sadly no redundancy in case of a hard drive failure. My hard drive on that computer is almost new, so I do have some sense of reliability.
2. Fileserver with ZFS storage (OpenIndiana). I have a fileserver that I use for media and various data storage needs that has a large ZFS RAID on it (raidz). It’s basically RAID-5 across five 1TB SATA hard drives. This provides insurance in that if one of the drives fails, I’ll still be able to get at the data.
3. Cloud storage. The cloud storage provider I chose to use is SpiderOak. This gives me 100GB of offsite, cloud storage for $8/mo.

So to explain my SpiderOak choice, I found that it provides a good subset of features/security/space for price. There are many other places that offer offsite cloud storage at a comparable or better price, but for the compatibility with Linux and so many glowing reviews, I thought I’d give these guys a shot.

For you guys who are going to say “Use Dropbox!” I say no. Here’s why.

No Linux Support – This is big for me. Linux is a huge player in the home/small business market and to not have a client for it shows either that the company is too poor to hire a few Linux developers, or they just don’t care. Either reason is good enough for me to not use it. And yes, I know I can fudge it by having the Dropbox client on a Windows box, and then sharing the Dropbox folder on the network, and then copying the files from the fileserver to the Dropbox folder over the network. You know the problem with that? I have to rely on Windows. With Patch Tuesday, and OS failures on days ending with ‘y’, I figure that wasn’t such a good idea for data I actually care about. (Yes, it’s Windows 7. Yes, I have a 6.4 experience index rating). It’s simple file backups. I should be able to do it on a 486DX with 32MB of RAM.

And I can.

With Linux.

Just sayin’

 

Hi all,

I’ve gotten quite a few emails regarding my last post about Drupal and mod_security, and what those rules I’m removing actually do. Well, I’ll explain.

First Rule: 960010
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
"chain, t:lowercase, deny,log,auditlog,status:401,msg:'Request content type is not allowed by policy',,id:'960010',severity:'4'"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)"

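This rule applies to every request method other than GET, HEAD, PROPFIND and OPTIONS, and basically only lets such a request through if its Content-Type header is application/x-www-form-urlencoded (optionally with a charset), multipart/form-data, or text/xml. Apparently, Drupal doesn’t respect this rule in posts.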

Next, 960015
SecRule &REQUEST_HEADERS:Accept "@eq 0" \
"chain,skip:1,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',,id:'960015',"
SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"
SecRule REQUEST_HEADERS:Accept "^$" \
"chain,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',,id:'960015',"
SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"

This basically says, any request other than an OPTIONS request, *must* have an Accept header sent with it.

Next, 960032:
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,log,auditlog,status:401,msg:'Method is not allowed by policy', severity:'2',,id:'960032',"

This says any methods other than POST, GET, OPTIONS or HEAD aren’t allowed. While generally this is true, and I don’t know why Drupal will occasionally hit this rule, I just remove it for completeness.

And Lastly,

Rule 950107:
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
"chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',,id:'950107',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

This rule merely checks the URL encoding on a URL. I say merely, but this rule is also matched almost _all of the time_.

I haven’t actually run through the Drupal code and figured out why these are completely necessary; however, I do know that they’ve fixed quite a few people’s problems.

Anyway, hope that clarifies some things for people.
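
To see what these four rules react to, here is a rough Python emulation of their match logic. It is an added example, not part of the original post and not ModSecurity itself; `matched_rules`, the `INVALID_ENC` stand-in for @validateUrlEncoding, the no-match handling of a missing Content-Type header, and the sample requests are assumptions made for illustration.

```python
import re

# Patterns copied from the four rules quoted above.
CT_OK = re.compile(r"(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?"
                   r"[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)")
EXEMPT_METHOD = re.compile(r"^(?:get|head|propfind|options)$")
METHOD_OK = re.compile(r"^((?:(?:POS|GE)T|OPTIONS|HEAD))$")
BAD_PERCENT = re.compile(r"\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")
# Assumption: stand-in for @validateUrlEncoding ('%' needs two hex digits after it).
INVALID_ENC = re.compile(r"%(?![0-9a-fA-F]{2})")


def matched_rules(method, headers, args, filename="/"):
    """Return the IDs of the rules a request matches (args = decoded ARGS)."""
    hdr = {k.lower(): v for k, v in headers.items()}
    hits = []
    # 960010: lowercased method, then Content-Type (assumed: absent header = no match).
    ctype = hdr.get("content-type")
    if (not EXEMPT_METHOD.search(method.lower())
            and ctype is not None and not CT_OK.search(ctype)):
        hits.append("960010")
    # 960015: Accept absent (@eq 0) or empty (^$), unless the method is OPTIONS.
    if hdr.get("accept", "") == "" and method != "OPTIONS":
        hits.append("960015")
    # 960032: no t:lowercase on this rule, so the method match is case-sensitive.
    if not METHOD_OK.search(method):
        hits.append("960032")
    # 950107: both chain links must match somewhere in the targets below.
    targets = [filename, *args.keys(), *args.values()]
    targets += [v for k, v in hdr.items() if k != "referer"]
    if (any(INVALID_ENC.search(t) for t in targets)
            and any(BAD_PERCENT.search(t) for t in targets)):
        hits.append("950107")
    return hits


# Constructed sample requests, not taken from real traffic.
FORM = {"Accept": "text/html",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}
SAMPLES = [
    ("POST", FORM, {"body": "Save 50% on shipping"}),    # '%' then a space
    ("POST", FORM, {"body": "100%cotton shirts"}),       # '%' then letters
    ("POST", {"Content-Type": "application/json"}, {}),  # no Accept, JSON body
    ("PUT", FORM, {}),                                   # method outside the list
]

if __name__ == "__main__":
    for m, h, a in SAMPLES:
        print(m, a, "->", matched_rules(m, h, a))
```

The second sample shows the kind of input that matches 950107: a literal percent sign followed directly by letters rather than by a space or two hex digits.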

 

Just checked out lynis from rootkit.nl. Lynis is:

Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.

This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can be run without prior installation, so inclusion on read only storage is no problem (USB stick, cd/dvd).

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOX (Sarbanes-Oxley) compliance audits.

It’s pretty cool, actually. I won’t include all of the scanning output here, but I will show the results of a scan from a (somewhat) default CentOS 5 install. Take a look if all of this magic security stuff interests you.


================================================================================

-[ Lynis 1.2.6 Results ]-

Tests performed: 134
Warnings:
----------------------------
- [20:46:34] Warning: No password set on GRUB bootloader [test:BOOT-5121] [impact:M]
- [20:46:50] Warning: Couldn't find 2 responsive nameservers [test:NETW-2705] [impact:L]
- [20:46:55] Warning: No MySQL root password set [test:DBS-1816] [impact:H]
- [20:46:55] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
- [20:47:00] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]

Suggestions:
----------------------------
- [20:46:34] Suggestion: Run grub-md5-crypt and create a hashed password. After that, add a line below the line saying timeout=: password --md5 [test:BOOT-5121]
- [20:46:49] Suggestion: Install package 'yum-utils' for better consistency checking of the package database [test:PKGS-7384]
- [20:46:50] Suggestion: Check your resolv.conf file and connectivity to your nameservers [test:NETW-2705]
- [20:46:55] Suggestion: Use mysqladmin to set a MySQL root password (mysqladmin -u root -p password MYPASSWORD) [test:DBS-1816]
- [20:46:55] Suggestion: Change the expose_php line to: expose_php = Off [test:PHP-2372]
- [20:46:55] Suggestion: Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP [test:PHP-2374]
- [20:46:55] Suggestion: Change the allow_url_fopen line to: allow_url_fopen = no, to disable downloads via PHP [test:PHP-2376]
- [20:46:57] Suggestion: Enable logging to an external logging host for archiving purposes and additional protection [test:LOGG-2154]
- [20:47:00] Suggestion: Check if any NTP daemon is running or a NTP client gets executed daily, to prevent big time differences and avoid problems with services like kerberos, authentication or logging differences. [test:TIME-3104]
- [20:47:02] Suggestion: Confirm that freshclam is properly configured and keeps updating the ClamAV database [test:MALW-3286]
- [20:47:02] Suggestion: Harden the system by installing one or malware scanners to perform periodic file system scans [test:HRDN-7230]
================================================================================
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Hardening index : [49] [######### ]
================================================================================
Lynis 1.2.6
Copyright 2007-2009 - Michael Boelen, http://www.rootkit.nl/
================================================================================

 

SCP is a great way to copy files from somewhere to somewhere else, but as we all know it can be slower than (insert slow metaphor here). Here’s a way you can get way speedier (really a word?) transfers using scp.

scp -c arcfour -C sourcefile desthost:

Yay! I posted.

 

Recently, I was looking for a way to charge my Pearl under Linux, and stumbled across this project: Barry. Well, that’s nice and all (as a matter of fact I may install it when I get home to sync my BB), but right now, I just want to charge it! Barry has a small app included called bcharge that sets your USB port to 500mA (the power level that the BB expects when you plug it in).

I’ve repackaged the bcharge app and the headers, and you can get it here: bcharge.tgz

To compile, make sure you’ve got at least g++ and libusb installed, and then do:

tar xvzf bcharge.tgz
g++ -o bcharge bcharge.cc -lusb

And then just run bcharge a la: ./bcharge and your Blackberry should be off and charging!

 

Never would have guessed that on-disk temporary tables are that bad for performance. Peter over at the MySQL Performance Blog shows otherwise.

 

If you’re going to be using Drupal with mod_security, making the following changes will probably save you some frustration later :) .

<LocationMatch "/">
SecRuleRemoveById 960010
SecRuleRemoveById 960015
SecRuleRemoveById 960032
SecRuleRemoveById 950107
</LocationMatch>

Also, set SecResponseBodyLimit and SecRequestBodyInMemoryLimit to something like 51200000 and 12288000 respectively. They may seem a bit high, but if you’re managing a lot of Drupal users and permissions I’ve run into problems with them.

Happy Drupal-ing.

 

Don’t get me wrong, I love the Firefox web browser. It’s the greatest thing since tacos. But Firefox 2 has some of the worst performance problems I have ever seen! On Linux, if I leave one tab open with a flash movie playing, the Firefox process will eventually grow to enormous proportions. Yes, I know this seems like a Flash plugin problem, and it very well may be. But I do know that if I open the same page with Firefox 3b5, the memory usage stays constant the entire time.

© 2011 ConvolutedTheory Suffusion theme by Sayontan Sinha