My IT and development musings.

+menu-


  • Category Archives Security

  • Debmon on Debian 6 (squeeze)

    Posted on by John Comment

    I wanted to try out the latest revision of Icinga and decided that Debmon would be the fastest. I thought that, anyway, until I wasted two hours trying to get aptitude to play nice with Debmon.

    In an effort to save someone else some time, here are my notes for installing Debmon on Debian 6 (squeeze)…

    Be sure that the server timezone is set to UTC. Use dpkg-reconfigure tzdata to change it as necessary

    nano /etc/apt/sources.list

    deb http://ftp.us.debian.org/debian stable main
deb-src http://ftp.us.debian.org/debian stable main
deb http://ftp.debian.org/debian/ squeeze-updates main
deb-src http://ftp.debian.org/debian/ squeeze-updates main
deb http://security.debian.org/ squeeze/updates main
deb-src http://security.debian.org/ squeeze/updates main
deb http://backports.debian.org/debian-backports squeeze-backports main
deb http://debmon.org/debmon debmon-squeeze main

    Command line:

    gpg --keyserver pgpkeys.mit.edu --recv-key DC0EE15A29D662D2
gpg -a --export DC0EE15A29D662D2 | apt-key add -
apt-get update
apt-get upgrade
apt-get install mysql-server
apt-get install icinga-web icinga-phpapi icinga-web-pnp

    After this follow the Debmon write-up at http://debmon.org/IcingaIdoutilsIcingaWebInstallation

    For PNP, use https://wiki.icinga.org/display/howtos/Setting+up+PNP+with+Icinga#SettingupPNPwithIcinga-RRDToolandPerlBindings

    This entry was posted in Debian, Security, Server administration. Bookmark the permalink.

  • Openfire 3.7.1 authenticating with an Active Directory global catalog server

    Posted on by John 2 Comments

    As in my previous post for 3.7.0 (link), I’ve created a patch for Openfire to authenticate against the entire global catalog. The actual changes and even the line numbers are identical:

    Index: LdapManager.java
===================================================================
--- LdapManager.java    (revision 1)
+++ LdapManager.java    (revision 2)
@@ -622,7 +622,11 @@
            * the secure connection has been established. */
            if (!(startTlsEnabled && !sslEnabled)) {
                env.put(Context.SECURITY_AUTHENTICATION, "simple");
+           if (baseDN == null || baseDN.trim().isEmpty()) {
+               env.put(Context.SECURITY_PRINCIPAL, userDN);
+           } else {
                env.put(Context.SECURITY_PRINCIPAL, userDN + "," + baseDN);
+           }
                env.put(Context.SECURITY_CREDENTIALS, password);
            } else {
                if (followReferrals)

    This has been up and stable for several months now with no issues.

    To download the compiled openfire.jar, please click here.

    This entry was posted in Development, Security and tagged , , . Bookmark the permalink.

  • Use of Snort in conjunction with your head end router

    Posted on by John Comment

    Following repeated reports of inappropriate intranet port scans, we implemented a vanilla installation of Snort. To be honest, I needed to change out my adult diaper after looking at the raw, unfiltered data.

    As some background, we’ve installed Snort on a rather old HP DL180 G1 with 4GB of RAM and a pair of dual core processors. And to be fair, directing the network traffic of 350+ machines at a five year old server may not have been the kindest thing I’ve done in a while, but it did hold the load.

    After building rudimentary filters in BASE (Basic Analysis and Security Engine) and analyzing less than 24 hours worth of data, I was able to easily pick out a dozen workstations and a server that needed immediate attention from the IT team. I am looking forward to integrating Snort with iTop for a more complete network management solution, and hopefully I have more to share on this topic soon.

    This entry was posted in Security. Bookmark the permalink.