Tuesday, October 30, 2012

Grub - Grub2 upgrade

Since I am apparently rather dim and could not sort it out in the console, God's Mercy descended upon unworthy me in the form of Ubuntu Secure Remix / Boot Repair, with whose help I managed to get my dumb server with the broken mdadm and half-baked cryptoLVM to boot.
Highly recommended little tools for the dim and lazy (like me) with MBR / BootLoader / OS boot problems (like me).

Sunday, October 28, 2012

Wednesday, October 24, 2012

DoS via SquirrelMail (webmail)

The setup is Barracuda Mail Firewall - LinuxBox (postfix, courier, SquirrelMail).
Someone somewhere had their PC/browser hacked, where they most likely had a saved user/pass for webmail access, and through this hole the attacker starts sending thousands of spam messages to thousands of destinations with source 127.0.0.1 (that is how postfix logs them...).
Squirrel Logger Restrict Senders + an add-on for fail2ban that reads Squirrel Logger's log file, for when the CAPTCHA plugin is not suitable to use.

Tuesday, October 16, 2012

Policy routing mikrotik

Config lines:

/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "RED path" disabled=no new-routing-mark=RED passthrough=no src-address=10.10.10.2-10.10.10.254
add action=mark-routing chain=output comment="mark with RED local address" disabled=no \
    new-routing-mark=RED passthrough=no src-address=10.10.10.1
add action=mark-routing chain=prerouting comment="BLUE path" \
    disabled=no new-routing-mark=BLUE passthrough=no src-address=20.20.20.2-20.20.20.254
add action=mark-routing chain=output comment="mark with BLUE local address" disabled=\
    no new-routing-mark=BLUE passthrough=no src-address=20.20.20.1

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=RED scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=2.2.2.1 routing-mark=BLUE scope=30 target-scope=10

add check-gateway=ping disabled=no distance=10 dst-address=0.0.0.0/0 gateway=1.1.1.1,2.2.2.1 \
    comment="1:1 load-balance [default route] for all other traffic from/through router"

ToDo: same achievement but with translated config for Cisco, Juniper, Vyatta and/or Linux
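As an added example (not from the post), a small Python evaluator for the config above: it parses the `add key=value` lines and returns the routing mark and the next hops a packet would use, including the check-gateway failover and the RouterOS v6 fallback to the main table when a marked table has no live route. The `alive` tuple standing in for ping results and the `path`/`next_hops` names are assumptions of the example.

```python
import ipaddress, shlex
# Constructed copies of the post's mangle and route lines (continuations joined,
# disabled=no and scope fields dropped); the parser below is added example code.
MANGLE = """
add action=mark-routing chain=prerouting comment="RED path" new-routing-mark=RED passthrough=no src-address=10.10.10.2-10.10.10.254
add action=mark-routing chain=output comment="mark with RED local address" new-routing-mark=RED passthrough=no src-address=10.10.10.1
add action=mark-routing chain=prerouting comment="BLUE path" new-routing-mark=BLUE passthrough=no src-address=20.20.20.2-20.20.20.254
add action=mark-routing chain=output comment="mark with BLUE local address" new-routing-mark=BLUE passthrough=no src-address=20.20.20.1
"""
ROUTES = """
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=RED
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=2.2.2.1 routing-mark=BLUE
add check-gateway=ping distance=10 dst-address=0.0.0.0/0 gateway=1.1.1.1,2.2.2.1
"""

def parse(block):
    """Turn RouterOS 'add key=value ...' lines into dicts; shlex keeps quoted comments whole."""
    rules = []
    for line in block.splitlines():
        toks = shlex.split(line)
        if toks and toks[0] == "add":
            rules.append(dict(t.split("=", 1) for t in toks[1:]))
    return rules

def in_src(ip, spec):
    """src-address is either a single IP or a 'first-last' range."""
    lo, _, hi = spec.partition("-")
    return ipaddress.ip_address(lo) <= ipaddress.ip_address(ip) <= ipaddress.ip_address(hi or lo)

def routing_mark(chain, src):
    """passthrough=no: the first matching rule in the chain sets the mark and stops."""
    for r in parse(MANGLE):
        if r["chain"] == chain and in_src(src, r["src-address"]):
            return r["new-routing-mark"]
    return "main"

def next_hops(mark, alive):
    """Lowest-distance route with a gateway that passes check-gateway=ping; a marked table with no usable route falls back to main (RouterOS v6)."""
    for table in (mark, "main"):
        routes = [r for r in parse(ROUTES) if r.get("routing-mark", "main") == table]
        for r in sorted(routes, key=lambda r: int(r["distance"])):
            gws = [g for g in r["gateway"].split(",") if g in alive]
            if gws:
                return gws
    return []

def path(chain, src, alive=("1.1.1.1", "2.2.2.1")):
    # (routing mark, usable next hops) for a packet seen in `chain` with source `src`
    mark = routing_mark(chain, src)
    return mark, next_hops(mark, alive)
```

Note that when the RED uplink fails its ping check, RED-marked traffic silently moves to the remaining gateway of the default ECMP route rather than being dropped, which is worth knowing before relying on the marks for traffic separation.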


Sunday, October 14, 2012

Redmine integration with MS AD

What we've done at this point:
  • A running Redmine v2.1.2 installation using Apache Passenger
  • Working authentication with Redmine's built-in database

Authentication against Active Directory

Redmine web interface - Administration - LDAP-Authentication - + New authentication mode
  • Name: informational parameter (enter something descriptive)
  • Host: IP address or FQDN of a domain controller
  • Port: 389
  • Account: DN of the user that can authenticate against the Active Directory, i.e. the binding user. The recommendation is to create a dedicated user account with no special permissions (a plain Domain User) other than logging into the domain
domain: company.ltd
user: redmine.ldap
OU: Domain Users
Entered account should be: CN=redmine.ldap, OU=Domain Users, DC=company, DC=ltd
(Sysinternals ADExplorer is a perfect tool to find distinguished names)

  • Base DN: Starting point from which Redmine tries to find users. In this case, users under OU Domain Users will be checked.
  • LDAP Filter: Valid filter for finding users. Example: (&(objectClass=user)(objectCategory=person)).
Attributes:
  • member name: sAMAccountName
  • first name: givenname
  • surname: sn
  • E-Mail: mail
Presumably this means the user can fill the login form with any of the attribute values listed above and authenticate with the MS AD password, but I haven't verified that (I've only checked member name).

If we have Redmine-local users whose user names match those from MS AD, the local users take precedence.
For example: if we have Redmine local user red.u with password red.u and MS AD user red.u with password ms.red.u, and we try to log into the Redmine web interface with red.u/ms.red.u, we'll receive "Wrong username or password".
To fix this we can:
1. delete the local user (and lose all issues, pages, posts, etc. created by him)
2. Under Administration-Users-(select needed user)-Authentication method --> choose the descriptive NAME entered above