Archive for the ‘Linux’ Category

Debian : ssl-cert 1.0.15 chroot issue (ugly workaround)

In my previous post, I encountered a problem with ssl-cert in a chrooted environment. Installing ssl-cert via apt-get triggered these processes:

root 27799 0.0 0.4 4676 2256 pts/2 Ss+ 04:33 0:00 /usr/bin/dpkg --status-fd 13 --configure ssl-cert
root 27800 0.4 1.3 10016 7132 pts/2 S+ 04:33 0:00 /usr/bin/perl -w /usr/share/debconf/frontend /var/lib/dpkg/info/ssl-cert.postinst configure
root 27806 0.0 0.2 3804 1192 pts/2 S+ 04:33 0:00 /bin/sh -e /var/lib/dpkg/info/ssl-cert.postinst configure
root 27808 0.0 0.2 3820 1280 pts/2 S+ 04:33 0:00 /bin/bash -e /usr/sbin/make-ssl-cert generate-default-snakeoil
root 27812 0.0 0.2 3780 1448 pts/2 S+ 04:33 0:00 openssl req -config /tmp/tmp.OXerK27810 -new -x509 -days 3650 -nodes -out /etc/ssl/certs/ssl-cert-snakeoil.pem -keyout /etc/ssl/private/ssl-cert-snakeoil.key

Further investigation showed that process 27812 was stuck. Running the openssl command manually brings up:

27830:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 5

The error message is exactly the same as the one Michael Prokop found.

The content of /tmp/tmp.OXerK27810 is:

#
# SSLeay example configuration file.
#

RANDFILE = $ENV::RANDFILE

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything

[ req_distinguished_name ]
commonName = myshinnybox

DIRTY SOLUTION
As I’m only interested in getting packages such as Postfix, PostgreSQL and Apache mod_ssl to install, I killed the “apt-get install ssl-cert” process, fired up vi and removed the line RANDFILE = $ENV::RANDFILE from /tmp/tmp.OXerK27810.


# openssl req -config /tmp/tmp.OXerK27810 -new -x509 -days 3650 -nodes -out /etc/ssl/certs/ssl-cert-snakeoil.pem -keyout /etc/ssl/private/ssl-cert-snakeoil.key
Generating a 1024 bit RSA private key
................................................++++++
.......++++++
writing new private key to '/etc/ssl/private/ssl-cert-snakeoil.key'
-----
# apt-get install ssl-cert
Reading package lists... Done
Building dependency tree
Reading state information... Done
ssl-cert is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0B of additional disk space will be used.
Setting up ssl-cert (1.0.15) ...
#

I don’t understand why the package ssl-cert exists in the first place when users can just use the “openssl” command to generate an SSL certificate. Worse still, ssl-cert was added as a dependency to many packages. Duh! In addition, chroot seems to be buggy under Linux.
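Line 5 of that temp file is the RANDFILE line, and $ENV::RANDFILE tells OpenSSL to take the value from the RANDFILE environment variable; “variable has no value” means that variable is not set in the process running openssl. The shell script below is an added example, not part of the post or of the ssl-cert package: it lists the $ENV:: references in a config whose variables are unset and writes a copy of the config with those lines dropped, which is the post’s workaround without hand-editing a temp file in the middle of an apt run. The file names and the demo config are constructed for the example.

```shell
#!/bin/sh
# Added example, not the post's or the ssl-cert package's code.
# Finds $ENV::NAME references in an OpenSSL config whose variable is unset
# (the cause of "variable has no value") and writes a copy of the config
# with those lines dropped, which is the post's workaround done safely.

# Print the name of every $ENV::NAME reference in config file $1 whose
# environment variable is not set, one per line.
unset_env_refs() {
    grep -o '\$ENV::[A-Za-z_][A-Za-z0-9_]*' "$1" | sed 's/^\$ENV:://' | sort -u |
    while IFS= read -r name; do
        # ${NAME+x} expands to "x" only when NAME is set; eval is safe here
        # because grep restricted the name to identifier characters.
        if eval "[ -z \"\${$name+x}\" ]"; then
            printf '%s\n' "$name"
        fi
    done
}

# Write config $1 to $2 without the lines that reference unset variables.
strip_unset_env_lines() {
    names=$(unset_env_refs "$1")
    : > "$2"
    while IFS= read -r line || [ -n "$line" ]; do
        keep=1
        for name in $names; do
            case $line in
                *"\$ENV::$name"*) keep=0 ;;
            esac
        done
        if [ "$keep" -eq 1 ]; then
            printf '%s\n' "$line" >> "$2"
        fi
    done < "$1"
}

# Demo with a constructed copy of the post's /tmp/tmp.OXerK27810
# (run as "sh strip-env.sh demo"): with RANDFILE unset, only the
# RANDFILE line is dropped and the [ req ] sections survive.
demo() {
    cfg=$(mktemp)
    fixed=$(mktemp)
    printf '%s\n' 'RANDFILE = $ENV::RANDFILE' '' '[ req ]' 'default_bits = 1024' \
        'distinguished_name = req_distinguished_name' 'prompt = no' \
        '' '[ req_distinguished_name ]' 'commonName = myshinnybox' > "$cfg"
    unset RANDFILE
    echo "unset variables referenced: $(unset_env_refs "$cfg")"
    strip_unset_env_lines "$cfg" "$fixed"
    cat "$fixed"
    rm -f "$cfg" "$fixed"
}
if [ "${1-}" = demo ]; then demo; fi
```

On a real box, point strip_unset_env_lines at the file make-ssl-cert wrote and pass the result to the openssl req command from the post; unset_env_refs on its own tells you which variable an error like the one above is complaining about before you delete anything.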

Wednesday, February 20th, 2008

Debian : ssl-cert 1.0.15 chroot issue

Ran into some issues with the ssl-cert 1.0.15 installation in a Debian chroot environment. But it looks like I’m not alone. The issue was reported by Michael Prokop.


molecule:/# apt-get install ssl-cert
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
ssl-cert
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/7938B of archives.
After this operation, 90.1kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously deselected package ssl-cert.
(Reading database ... 27065 files and directories currently installed.)
Unpacking ssl-cert (from .../ssl-cert_1.0.15_all.deb) ...
Setting up ssl-cert (1.0.15) ...

……took forever……

make-ssl-cert generate-default-snakeoil took forever. So it looks like there is no fun with ssl-cert in a chroot’ed environment. Any solution out there? Buzz me. Thanks.

Monday, February 18th, 2008

Linux : vmsplice local root exploit (Goodbye uptime)


As the Linux kernel vmsplice local root exploit is in the wild and the Debian boxes in my office are vulnerable to it, I have decided to upgrade their kernels. It’s sad to see rock-solid Linux boxes go down for the first time after running stable for nearly 8 months.

17:01:25 up 230 days, 9:59, 3 users, load average: 0.00, 0.00, 0.02


17:02:31 up 231 days, 7:02, 1 user, load average: 0.18, 0.38, 0.18

After upgrade

chflags@mzimyklosb03:~$ ./c
-----------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e64000 .. 0xb7e96000
[-] vmsplice: Bad address
chflags@mzimyklosb03:~$ uname -smr
Linux 2.6.24.2 i686

Thursday, February 14th, 2008

CentOS : Switching default MTA to Postfix

This is just a short note for my own reference. :)

1) Install postfix
# yum install postfix

2) Set the default MTA to Postfix via this command
# alternatives --set mta /usr/sbin/sendmail.postfix

3) Autostart Postfix (optional, but you really want to do it)
# chkconfig --levels 235 sendmail off
# chkconfig --levels 235 postfix on
# /etc/init.d/sendmail stop
# /etc/init.d/postfix start
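An added example (not from the note above) that checks the result of those steps on disk. It assumes the CentOS layout where /usr/sbin/sendmail is a symlink to /etc/alternatives/mta, which in turn points at the chosen binary, and where chkconfig creates S-links in /etc/rc?.d. The root to inspect is an argument, so the same checks run against a constructed directory tree offline.

```shell
#!/bin/sh
# Added example, not from the post: check on disk that the switch to
# Postfix actually took effect. $1 is the root to inspect: "/" on the
# real box, or a constructed directory tree when testing offline.

# Follow a symlink chain by hand so that absolute link targets such as
# /etc/alternatives/mta are resolved inside $1 rather than on the host.
resolve_in_root() {
    root=${1%/}; path=$2; hops=0
    while [ -L "$root$path" ]; do
        target=$(readlink "$root$path")
        case $target in
            /*) path=$target ;;
            *)  path=$(dirname "$path")/$target ;;
        esac
        hops=$((hops + 1))
        if [ "$hops" -ge 20 ]; then
            echo "symlink loop at $path" >&2; return 1
        fi
    done
    printf '%s\n' "$path"
}

# True when runlevel $2 under root $1 has a start link for service $3,
# i.e. what "chkconfig --levels 235 <service> on" creates in /etc/rc?.d.
enabled_in_runlevel() {
    for link in "${1%/}/etc/rc$2.d"/S[0-9][0-9]"$3"; do
        [ -L "$link" ] && return 0
    done
    return 1
}

# Verify the three things the steps change: sendmail(8) resolves to
# Postfix's binary, and runlevels 2, 3 and 5 start postfix, not sendmail.
verify_mta_switch() {
    root=${1%/}; status=0
    target=$(resolve_in_root "$root" /usr/sbin/sendmail) || return 1
    if [ "$target" = /usr/sbin/sendmail.postfix ]; then
        echo "mta alternative: ok ($target)"
    else
        echo "mta alternative: WRONG ($target)"; status=1
    fi
    for lvl in 2 3 5; do
        if enabled_in_runlevel "$root" "$lvl" postfix && ! enabled_in_runlevel "$root" "$lvl" sendmail; then
            echo "runlevel $lvl: ok (postfix on, sendmail off)"
        else
            echo "runlevel $lvl: WRONG"; status=1
        fi
    done
    return $status
}

# On the real box: sh check-mta.sh /
if [ $# -eq 1 ]; then verify_mta_switch "$1"; fi
```

The alternatives check matters more than it looks: packages that call /usr/sbin/sendmail directly (cron, PHP mail()) follow that symlink, so a half-done switch leaves them submitting to a stopped Sendmail.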

Monday, February 4th, 2008

Fun with ubuntu logo

Well, it seems like people like to mess around with the Ubuntu logo. Some of them are creative, hilarious, and offensive in the eyes of Ubuntu users. PLEASE PARDON THE PUN. DON’T HIT ME! Especially as the Ubuntu-my meetup is just around the corner. Please don’t ask me for the authors of those images. These are just some of the images that I came across on the net.

WARNING!

Rated 18SX: The images might contain non-excessive sexual elements and they are only for viewers aged 18 and above. :p


Thursday, January 24th, 2008

Curbing Image/PDF spam : Realtime Black Lists

Another way of fighting image spam is by Realtime Black List lookup. This tactic is probably one of the methods that is least expensive in terms of server resources.

With Postfix, you can just add reject_rbl_client images.rbl.msrbl.net to the smtpd_client_restrictions section of Postfix’s main.cf.

For instance:

smtpd_client_restrictions = permit_mynetworks,
    reject_rbl_client images.rbl.msrbl.net,
    ….

For qmail, you could just add -r images.rbl.msrbl.net as tcpserver option of your qmail smtp startup script.

Note : images.rbl.msrbl.net - Hosts found sending mail containing spam images. Check out MSRBL for more info.
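As an added example (not part of the post), the shell script below does by hand what reject_rbl_client, and tcpserver -r for qmail, do for each connecting client: it builds the reversed-octet query name under the zone, looks it up, and treats only an answer inside 127.0.0.0/8 as a listing. The lookup command is pluggable so the logic can be exercised without network access; the client addresses are constructed test values and the zone is the post’s images.rbl.msrbl.net.

```shell
#!/bin/sh
# Added example, not from the post: the lookup that reject_rbl_client (and
# qmail's tcpserver -r) performs for every connecting client, so you can
# see what a listing means before adding a zone to a production MX.

# Build the DNSBL query name: reverse the octets, append the zone.
# 192.0.2.10 in images.rbl.msrbl.net -> 10.2.0.192.images.rbl.msrbl.net
rbl_query_name() {
    ip=$1; zone=$2
    case $ip in
        *[!0-9.]*|.*|*.|*..*) echo "not an IPv4 address: $ip" >&2; return 1 ;;
    esac
    set -- $(printf '%s\n' "$ip" | tr . ' ')
    if [ $# -ne 4 ]; then echo "not an IPv4 address: $ip" >&2; return 1; fi
    for octet; do
        if [ "$octet" -gt 255 ]; then echo "bad octet in $ip" >&2; return 1; fi
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# RBL_LOOKUP names a command that prints the A records of a hostname, one
# per line, and nothing when there is no listing. The default uses dig(1);
# tests substitute a fake so nothing leaves the machine.
dig_lookup() { dig +short A "$1"; }
RBL_LOOKUP=${RBL_LOOKUP:-dig_lookup}

# 0 = listed, 1 = not listed, 2 = bad input. Only an answer inside
# 127.0.0.0/8 counts as a listing: that is the DNSBL convention, and it
# keeps a wildcard or hijacked DNS answer (e.g. a resolver that turns
# NXDOMAIN into a search page address) from rejecting legitimate mail.
rbl_listed() {
    name=$(rbl_query_name "$1" "$2") || return 2
    for answer in $("$RBL_LOOKUP" "$name"); do
        case $answer in
            127.*) return 0 ;;
        esac
    done
    return 1
}

# What the smtpd_client_restrictions line in the post decides for a client.
client_decision() {
    if rbl_listed "$1" "$2"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "reject: $1 is listed in $2" ;;
        1) echo "permit: $1 is not listed in $2" ;;
        *) echo "error: cannot check $1" ;;
    esac
}

# Usage: sh rbl-check.sh 192.0.2.10 images.rbl.msrbl.net
if [ $# -eq 2 ]; then client_decision "$1" "$2"; fi
```

Running it against a sending host that was blocked is the quickest way to confirm a rejection came from this zone rather than from another restriction, and the 127.0.0.0/8 test is the check to keep if you script your own lookups: a zone that goes dark and starts answering with wildcards would otherwise reject everything.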

Friday, September 7th, 2007

Curbing Image/PDF spam : Clamav

In my previous post, I discussed some anti image/PDF spam tactics. I have tried ClamAV with Sanesecurity’s phishing and scam signatures.

On FreeBSD, I downloaded the update shell script by Dan Larsson and made a slight modification, as I do not wish to install/use rsync on production servers just to download signature files. I added these two lines to the update shell script under “http_source_urls” and commented out “rsync_source_urls”:

http://download.mirror.msrbl.com/MSRBL-Images.hdb

http://download.mirror.msrbl.com/MSRBL-SPAM.ndb

http_source_urls="
   http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
   http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz
   http://clamav.securiteinfo.com/vx.hdb.gz
   http://download.mirror.msrbl.com/MSRBL-SPAM.ndb
   http://download.mirror.msrbl.com/MSRBL-Images.hdb
   http://www.malware.com.br/cgi/submit?action=list_clamav,fetch_interval=86400,target_file=mbl.db
"
#rsync_source_urls="
#   rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images.hdb
#   rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb
#"
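Below is an added example, not the post’s nor Dan Larsson’s update script, of the same HTTP-only update with one check a plain download lacks: a fetched file is validated as an .hdb or .ndb database before it is moved into the ClamAV database directory, so a 404 page or a truncated transfer never replaces a working file. It handles plain .hdb/.ndb URLs and .gz-compressed ones like the Sanesecurity sources; the fetch command, the database directory and the test files are assumptions of the example, and the URLs in the usage comment are the post’s own MSRBL sources.

```shell
#!/bin/sh
# Added example, not the post's nor Dan Larsson's update script: fetch
# third-party signature files over plain HTTP, as the post's
# http_source_urls list does, but install a download only after checking
# that it is a real .hdb/.ndb file. A 404 page or a truncated transfer
# copied into the database directory makes clamd refuse to load it.

# FETCH names a command that prints a URL's body on stdout: fetch(1) on
# FreeBSD, curl elsewhere. Tests substitute a fake that reads local files.
http_fetch() {
    if command -v fetch >/dev/null 2>&1; then fetch -q -o - "$1"; else curl -fsSL "$1"; fi
}
FETCH=${FETCH:-http_fetch}

# 0 if file $1 is a plausible ClamAV database of type $2 (hdb or ndb):
# non-empty, not HTML, and every non-comment, non-blank line has the
# documented layout (hdb: MD5:Size:Name, ndb: Name:Target:Offset:Hex,
# each optionally followed by min/max engine level fields).
valid_sigfile() {
    [ -s "$1" ] || return 1
    if grep -qi '<html' "$1"; then return 1; fi
    case $2 in
        hdb) pat='^[0-9a-fA-F]\{32\}:[0-9*]\{1,\}:[^:]\{1,\}\(:[0-9]\{1,\}\)\{0,2\}$' ;;
        ndb) pat='^[^:]\{1,\}:[0-9]\{1,2\}:[^:]\{1,\}:[0-9a-fA-F?*{}()|!,-]\{1,\}\(:[0-9]\{1,\}\)\{0,2\}$' ;;
        *)   return 2 ;;
    esac
    # Valid when nothing is left after removing comments, blanks and
    # well-formed lines.
    ! grep -v '^#' "$1" | grep -v '^$' | grep -v "$pat" | grep -q .
}

# Fetch every URL in $1 (whitespace-separated, the http_source_urls
# format) into database directory $2, gunzipping .gz sources. Each file is
# downloaded under a hidden .part name and moved into place only if valid,
# so a bad download never replaces a good database. Returns the failure count.
update_sigs() {
    urls=$1; dbdir=$2; failed=0
    for url in $urls; do
        name=$(basename "$url"); tmp="$dbdir/.part.$name"
        if ! "$FETCH" "$url" > "$tmp"; then
            echo "fetch failed: $url" >&2; rm -f "$tmp"; failed=$((failed + 1)); continue
        fi
        case $name in
            *.gz)
                if gunzip -c "$tmp" > "${tmp%.gz}" 2>/dev/null; then
                    rm -f "$tmp"; tmp=${tmp%.gz}; name=${name%.gz}
                else
                    echo "bad gzip: $url" >&2; rm -f "$tmp" "${tmp%.gz}"; failed=$((failed + 1)); continue
                fi ;;
        esac
        if valid_sigfile "$tmp" "${name##*.}"; then
            mv "$tmp" "$dbdir/$name"; echo "installed $name"
        else
            echo "rejected $name: not a valid ${name##*.} database" >&2; rm -f "$tmp"; failed=$((failed + 1))
        fi
    done
    return $failed
}

# Usage with the post's two MSRBL sources (HTTP instead of rsync):
#   sh update-sigs.sh "http://download.mirror.msrbl.com/MSRBL-Images.hdb
#                      http://download.mirror.msrbl.com/MSRBL-SPAM.ndb" /var/db/clamav
if [ $# -eq 2 ]; then update_sigs "$1" "$2"; fi
```

The validation is deliberately a format check, not a trust check: plain HTTP gives you no assurance about who produced the file, so the script only guarantees that what lands in the database directory is something clamd can parse. Running clamscan against the new file before reloading clamd is the next step if you want the engine’s own opinion.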


Friday, September 7th, 2007

Curbing Image/PDF spam : SpamAssassin


A lot of spam images/PDFs were slipping through my office MXs since this spamming technique gained popularity, and it was getting really out of hand. I decided to put an end to this madness and experimented with various tactics to curb image/PDF spam. Generally, this can be achieved with spam scoring from SpamAssassin, or with ClamAV via Sanesecurity’s Phishing and Scam Signatures for ClamAV.

In this post, I will share some of the tactics that I have tried with SpamAssassin. With SpamAssassin, fighting image/PDF spam was trivial.


Thursday, September 6th, 2007

Pidgin 2.1.x : MSN switchboard error - Workaround

Previously, in my post on the Pidgin MSN switchboard error, a lot of Pidgin users were affected by the bug/defect. However, there is a simple workaround that has been suggested:

1. edit your msn account information

2. click on the advanced tab

3. clear “use HTTP method”

4. make proxy type: no proxy.

Well, it works for me. This won’t help in a corporate network environment though (outgoing connections on port 1836 are not commonly allowed).

Sunday, August 26th, 2007

Pidgin 2.1.x : MSN switchboard error

In case you are using Pidgin with the “HTTP method” (in fact, that is the only way to get connected to MSN), you might find that you are not able to send messages to your friends. You will always get this error message whenever you try to send them a message: “Message could not be sent because a connection error occurred:”.

I guess I have to wait for the next update of Pidgin. There is an open ticket on this issue from 4 days ago.


Friday, August 24th, 2007