stdout

Fri, 29 Mar 2013

Switched to nginx

Redid all the etla.org web stuff to be hosted on nginx. Let me know if you see any problems.

[20:58] | [] | Switched to nginx

Fri, 21 Sep 2012

Accidental spamming

Looks like ceres.etla.org has been sending spam out for a few days. As far as I can tell someone cracked my SMTP AUTH password. Investigating.

[11:46] | [] | Accidental spamming

Mon, 23 Apr 2012

Filtering ports by user

You can filter ports on the local machine by user with iptables using something like this:

    iptables -A OUTPUT -p tcp --dport 1234 -d localhost -m owner ! --uid-owner root -j REJECT

This restricts port 1234 on localhost so that only root can connect to it.

Found at Paranoid Penguin: Using iptables for Local Security.

[11:18] | [] | Filtering ports by user

Thu, 01 Mar 2012

Playing with SSHFP

Playing with setting up SSHFP on etla.org.

Should make things a little bit more secure, although I really need to do DNSSEC as well.

[22:12] | [] | Playing with SSHFP

Mon, 31 Jan 2011

OTP Tokens

Recently discovered gooze and their interesting variety of cryptographic products.

I bought one of their OTP C100 one-time-password tokens to play with. They seem to implement the OATH standards, which works nicely with a variety of software.

I decided to try to get this working on Debian with PAM as an authentication method.

So far the software I've tried to do this is oath-toolkit, which provides a convenient pam_oath PAM module to use. I've got this working on a home debian machine for testing, requiring a one-time-password from the dongle every time I login.

Rough steps to set up:

  1. Install oath-toolkit as usual. You probably want to install from source or download the supplied debs; the latest version seems to be the thing to get.
  2. Run ldconfig - this is one thing that's not mentioned in the instructions but was needed before my machine would see the new PAM module.
  3. Put this in /etc/pam.d/common-auth:
    # this bit restricts oath checking to the specified user
    # you could use a group or whatever if you had more than 1 token
    auth [default=1 success=ignore] pam_succeed_if.so quiet user = useryouwanttoauth
    auth requisite pam_oath.so usersfile=/etc/users.oath window=20 digits=6

    You should have created the users.oath file in the normal course of installing oath-toolkit.
  4. sshd_config should have:
    ChallengeResponseAuthentication yes
    PasswordAuthentication yes

After that, things seem to work with at least sshd and su, but I'm still testing. Annoyingly, if there's a ssh authorized_key, it seems to override password authentication totally. Ideally I'd like to combine ssh keys and OTP, but I haven't worked that out yet.

I've also got one of the gooze OTP C200 tokens, which looks very nice, and uses time based passwords, which I'd really rather use, but it's not supported by oath-toolkit yet.
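What the `window=20 digits=6` options in the PAM line above control, shown as an added example that is not part of the original post and is not oath-toolkit's code: a counter-based (HOTP, RFC 4226) check with look-ahead. The secret is the RFC 4226 test key, and the inclusive window semantics are an assumption made for this sketch.

```python
import hashlib
import hmac
import struct

# Constructed sample: the RFC 4226 test secret, hex-encoded the way a
# users file would hold it. Never use this key for a real token.
SECRET = bytes.fromhex("3132333435363738393031323334353637383930")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, stored_counter: int, otp: str,
           window: int = 20, digits: int = 6):
    """Try the stored counter and up to `window` counters after it.

    Returns the counter to store next on success, None on failure.
    The look-ahead tolerates button presses that never reached the
    server; advancing the stored counter rejects replayed codes.
    """
    for counter in range(stored_counter, stored_counter + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), otp):
            return counter + 1
    return None


def demo():
    """Walk through accept, replay and out-of-window cases."""
    results = {}
    # Token was pressed three times without logging in, so it is at counter 3.
    results["accepted_next_counter"] = verify(SECRET, 0, hotp(SECRET, 3), window=5)
    # Replaying the same code against the advanced counter fails.
    results["replay"] = verify(SECRET, 4, hotp(SECRET, 3), window=5)
    # A token that has drifted past the window is rejected (needs resync).
    results["out_of_window"] = verify(SECRET, 0, hotp(SECRET, 9), window=5)
    return results


if __name__ == "__main__":
    print(demo())
```

A larger window makes a drifted token more forgiving but also enlarges the set of codes that will be accepted at any moment, so it trades usability against guessing resistance.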

[21:23] | [] | OTP Tokens

Thu, 20 Jan 2011

The Great IPv4 Countdown

There's not much IPv4 left, it should be an interesting transition.

[15:34] | [] | The Great IPv4 Countdown

Wed, 07 Apr 2010

Linux is so great

I love Linux, it's so great. Output from the mount command...

//server.example.com/mstevens on /export/mstevens type cifs (rw,mand)
//server.example.com/mstevens on /export/mstevens type cifs (rw,mand)
//server.example.com/mstevens on /export/mstevens type cifs (rw,mand)
//server.example.com/mstevens on /export/mstevens type cifs (rw,mand)
//server.example.com/mstevens on /export/mstevens type cifs (rw,mand)

[09:59] | [] | Linux is so great

Mon, 28 Dec 2009

Eris setup

Started the setup on the new etla.org server, now to be called eris.etla.org. Hoping to get people and services moved over in the next week or two.

[16:12] | [] | Eris setup

Sat, 01 Aug 2009

Spam filtering

Had to stop using the spam filtering service I was using for etla.org, so I now expect to get drowned in the stuff.

[20:27] | [] | Spam filtering

Sat, 06 Dec 2008

Webmail

After thinking about doing it for ages, webmail on etla.org should be working again.

[14:13] | [] | Webmail

Mon, 26 Feb 2007

Gnash

Thought I'd try out gnash at the weekend (it's a free-software flash implementation). It seems to be really pretty bad - it hasn't crashed Firefox or anything, but the best I got was some bits of a flash movie barely working. I have high hopes for the project though, and it is still alpha.

[10:53] | [] | Gnash

Sun, 18 Feb 2007

Now greylisting

saigo.etla.org is now doing greylisting, based on the Greylisting with pf tutorial. Let me know if this causes you problems.

[15:47] | [] | Now greylisting

Wed, 25 Oct 2006

UTF-8

For a while I've been trying to use UTF-8 in my desktop locale on debian. I've fought with various setup issues, like the stable version of zsh not supporting multibyte locales at all, and thought I had it more or less working.

Only, today, I discovered that the weird font problems I've been having for a while on my debian testing machine are traceable to the UTF-8 thing - it seems that, for some reason, on my setup, fonts would just be entirely missing in a number of apps. Going back to ISO-8859-1 fixed it. So I've given up on the UTF-8 experiment - unix just isn't ready.

[14:54] | [] | UTF-8


Contact: Michael Stevens <mstevens@etla.org>
