08 May 2013

Golang: Determine a device major/minor number 

By - golang No Comments

While working on a monitoring agent for a service we will be introducing soon, I needed a way to determine the Major/Minor numbers for a device (e.g. /dev/mapper/datavg-srvlv).

It is actually much easier than I thought. My first version is available as a gist.

But a much simpler solution exists, without using cgo.


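stat := syscall.Stat_t{}
if err := syscall.Stat("/dev/sda", &stat); err != nil {
	log.Fatal(err) // the device node is missing or not readable
}
// Rdev/256 and Rdev%256 are only correct while major and minor each fit in 8 bits
fmt.Println("Major:", uint64(stat.Rdev/256), "Minor:", uint64(stat.Rdev%256))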
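The division by 256 above assumes the old 8-bit major/minor layout. The following is an added example, not code from the original post: it decodes Rdev with the bit layout glibc uses for Linux dev_t, so minors above 255 (possible with device-mapper volumes) come out right. The function names Major, Minor, Mkdev and DeviceNumbers are chosen here for illustration.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// Major extracts the major number from a Linux dev_t (glibc layout).
func Major(dev uint64) uint32 {
	return uint32((dev>>32)&0xfffff000 | (dev>>8)&0x00000fff)
}

// Minor extracts the minor number; bits 8..31 of it live above the major.
func Minor(dev uint64) uint32 {
	return uint32((dev>>12)&0xffffff00 | dev&0x000000ff)
}

// Mkdev is the inverse of Major/Minor, used to build constructed test values.
func Mkdev(major, minor uint32) uint64 {
	ma, mi := uint64(major), uint64(minor)
	return (ma&0xfffff000)<<32 | (ma&0x00000fff)<<8 | (mi&0xffffff00)<<12 | mi&0x000000ff
}

// DeviceNumbers stats path and returns its major/minor, rejecting non-devices.
func DeviceNumbers(path string) (uint32, uint32, error) {
	var st syscall.Stat_t
	if err := syscall.Stat(path, &st); err != nil {
		return 0, 0, fmt.Errorf("stat %s: %w", path, err)
	}
	if t := st.Mode & syscall.S_IFMT; t != syscall.S_IFBLK && t != syscall.S_IFCHR {
		return 0, 0, fmt.Errorf("%s is not a block or character device", path)
	}
	dev := uint64(st.Rdev)
	return Major(dev), Minor(dev), nil
}

func main() {
	path := "/dev/null" // default chosen for this example
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	major, minor, err := DeviceNumbers(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s major=%d minor=%d\n", path, major, minor)
}
```

For a constructed device number with major 253 and minor 300, Rdev/256 yields 4349 rather than 253, which is the case the shift-and-mask decode handles.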

17 Apr 2013

Amusing a Sysadmin 

By - amusings 2 Comments

As most geek discussions go, we like to push the envelope — to see what is possible!

As we discussed using chattr to protect a file from being overwritten, it occurred to me that we might perform a weak form of “Inception” on chattr!

So I ran:

09 Apr 2013

Blocking WordPress Brute Force Attacks against wp-login.php 

By - Apache 7 Comments

We had a support request recently that indicated a server was under heavy load due to a WordPress wp-login.php brute force login attack. This attack was impacting 3 customer servers from more than 500 different IP addresses. We needed a solution fast.

Others on the internet have reported tens of thousands of unique IPs involved in this attack.

There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker is brute force attacking the WordPress administrative portals, using the username “admin” and trying thousands of passwords. It appears a botnet is being used to launch the attack and more than tens of thousands of unique IP addresses have been recorded attempting to hack WordPress installs.[1]

mod_security seemed like the perfect fit for this type of problem, and we came across a great blog post: http://www.frameloss.org/2011/07/29/stopping-brute-force-logins-against-wordpress/.

A few minor tweaks were required based on different mod_security versions; this seemed to work unless the attacker is only using a single IP address every few hours:

21 Mar 2012

Develop your Puppet Modules Inside of a Sandbox 

By - puppet No Comments

When you want to develop a new Puppet module, it’s best to work outside of your production environment. You could use Puppet’s built-in environments feature to slice up your site, but there are a handful of caveats and it’s not always the most convenient. Enter Puppet Sandbox…

Puppet Sandbox is a multi-VM Vagrant-based Puppet development environment that can be used for creating and testing new modules independent from your production servers. It’s also a great way to get your feet wet if you’re new to the whole world of Puppet and automated configuration management software. While you could manually configure this type of development environment yourself, Puppet Sandbox makes the whole process trivial, reproducible, and fast!

Ideally, you would first develop your modules using Puppet Sandbox, then move them to a staging environment where they would be applied to a limited number of real hosts, and then finally you would put the modules into production. This type of development cycle will provide confidence that your modules will work as expected, when you need them to.

Here’s a short screencast to give you an overview of how the project works:

Puppet Sandbox is open source, and available on GitHub: https://github.com/elasticdog/puppet-sandbox

29 Jan 2012

Postfix Dovecot User Admin Script 

By - scripts 1 Comment

While working on a postfix/dovecot non-mysql virtual domain configuration, I needed a simple admin script to add new users. The script below is what I came up with after about 30 minutes.

I was unable to find something that met my needs on the interweb, so I hope this post finds someone else in need!

Please submit bugs/suggestions to: nick.wilkens@mnxsolutions.com


11 Jan 2012

Terabytes on a budget – 106TB for $8788 

By - storage 1 Comment

When working with a client, we were discussing storage for an application they have developed. Storage price was a key component for success of this product. I read the BackBlaze posts here, and here — but I wanted a mix of cost savings, off the shelf parts, and hot-swappable drives.


13 May 2011

Two Factor SSH Authentication with Duo Security 

By - Linux, puppet, Security 1 Comment

As is probably obvious from our blog posts on Yubikey SSH/WordPress two factor authentication and Google Authenticator SSH two factor authentication, we at MNX Solutions are big proponents of multi-factor authentication schemes to add security to infrastructure. On the other side of things, though, we have to be agile system administrators in order to offer customers efficient and timely service when a problem occurs. While we still really enjoy our Yubikeys (especially for WordPress), we’ve found that the offering from Ann Arbor, MI based Duo Security is the one for us.

21 Apr 2011

Designing for failure with Amazon Web Services 

By - Amazon 1 Comment

Avoid single points of failure. You can and should assume everything will fail.

Start by listing all major points of your architecture, then break it down further, and then maybe one more level. Now review each of these points and consider what would happen if any of these failed.

21 Mar 2011

Securing SSH and WordPress with two factor authentication 

By - Security 4 Comments

I wrote a post about using Google Authenticator for SSH a month ago. After writing this post, I started looking at other solutions in the space for two factor authentication.

Yubikeys are USB based, and require no device drivers. They work with Mac, Linux, or Windows and are priced starting at $25 each. Compared to the security gained — Yubikeys are inexpensive.

If you're going to be at the Indiana Linux Fest this coming weekend (March 25-27th 2011), stop by and visit us — we have extra Yubikeys to spare.

21 Mar 2011

Safari providing an SSL error “client certificate rejected” when other browsers work 

By - Apache, Quick Tip 6 Comments

If you’re receiving an error message such as:

Safari can’t open the page “https://example.com”. The error was: “client certificate rejected” (NSURLErrorDomain:-1205) Please choose Report Bug to Apple from the Safari menu, note the error number, and describe what you did before you saw this message.

It’s likely because the web server you are connecting to has Apache configured for “SSLVerifyClient optional”. It appears that with Safari 5 (or perhaps even earlier) the browser will negotiate client certificates improperly with the web server. While other browsers like Google Chrome and Firefox will not have an issue, Safari is rendered incapable of connecting to these sites without a server-side change.

Once you alter the Apache configuration to ‘none’ rather than ‘optional’, the browser will once again be able to connect as expected.

If anyone has experienced this issue or knows of a work-around for the Safari side of the equation, please comment!