Stuff I'm Up To

Technical Ramblings

Bye, bye, Percona — May 25, 2017

Bye, bye, Percona

For quite a few years we’d been running Percona on our Nagios server with no issues, so there was no reason to change. Then, sometime over the past few days, the repository’s public key expired and automated updates started failing.

I tried to update the key, searching key servers, and eventually gave up. I resorted to removing the repos from my apt sources.list. Then I just added the MySQL apt repo and installed MySQL. As it installs it warns you to have a backup, as data already exists and may be lost after the install. However, for me it simply removed Percona, installed MySQL and was up and running without any issue.

So it maintained all my users, schemas and tables and performed as expected.

Not that there’s anything wrong with Percona; I just took the easy option of going with what the majority of our install base uses.


Owncloud Upgrade and Maintenance Mode — May 22, 2017
Sophos UTM Up2date CLI — April 4, 2017

Sophos UTM Up2date CLI

After buying some replacement UTM430s to replace the UTM525s, the new 430s came in with some ancient firmware. As I’ve not got them plugged into the network right now, I want to get them up to the same firmware as the current 525s.

In our case the shipped firmware was 9.311 and the current 525s were on 9.411. There are quite a few updates between those releases!

Continue reading

CVE – Security Vulnerability Datasource — March 18, 2017
STIG — March 17, 2017
How to use vSphere 6.x Certificate Manager — March 10, 2017
OpenVPN Create User Keys — March 3, 2017

OpenVPN Create User Keys

As I’d forgotten how to create a new OpenVPN user (it’s not something I do every day), I thought I’d put a reminder of the process here.

To get a private key and a signed certificate, the easiest way is to use the Easy-RSA program that came with OpenVPN. Change to the directory, set the variables and run the script like this:

$ cd /etc/openvpn/easy-rsa
$ sudo -s                      # vars must be sourced in the same shell that runs build-key-pass
# source ./vars
# ./build-key-pass [USERNAME]

This generates the private key and a CSR, signs the CSR with the Easy-RSA CA, and writes the key and certificate to /etc/openvpn/easy-rsa/keys.

I then wrote a script that turns the key and certificate into a single .ovpn file I can just give to the user along with the key password.
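Below is an added example of such a bundling script; it is not the author’s script from the post. It assumes the Easy-RSA 2.x layout (ca.crt, [USERNAME].crt and [USERNAME].key in the keys directory) and takes the server name and port as arguments; the key keeps the passphrase set by build-key-pass, so the profile alone does not grant access.

```shell
#!/bin/sh
# Added example, not the author's script: bundle an Easy-RSA user's key and
# certificate into one inline .ovpn profile. Assumes the Easy-RSA 2.x layout
# ($keys_dir holding ca.crt, <user>.crt, <user>.key); server name and port are
# passed in. The key keeps the passphrase set by build-key-pass, so the profile
# alone does not grant access.
build_ovpn() {
    keys_dir=$1 user=$2 remote=$3 port=${4:-1194}
    for f in "$keys_dir/ca.crt" "$keys_dir/$user.crt" "$keys_dir/$user.key"; do
        [ -r "$f" ] || { echo "build_ovpn: missing $f" >&2; return 1; }
    done
    printf '%s\n' client 'dev tun' 'proto udp' "remote $remote $port" \
        'resolv-retry infinite' nobind persist-key persist-tun \
        'remote-cert-tls server' 'verb 3'
    # Inline <ca>/<cert>/<key> blocks replace the separate ca/cert/key file directives.
    printf '<ca>\n'; cat "$keys_dir/ca.crt"; printf '</ca>\n'
    printf '<cert>\n'
    # Easy-RSA .crt files start with a text dump of the cert; keep only the PEM block.
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$keys_dir/$user.crt"
    printf '</cert>\n'
    printf '<key>\n'; cat "$keys_dir/$user.key"; printf '</key>\n'
}

# Constructed fixture so the example runs offline: placeholder PEM bodies, not real material.
make_fixture() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' CA_PLACEHOLDER '-----END CERTIFICATE-----' > "$dir/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: (text dump)' '-----BEGIN CERTIFICATE-----' \
        USER_CERT_PLACEHOLDER '-----END CERTIFICATE-----' > "$dir/alice.crt"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' KEY_PLACEHOLDER \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/alice.key"
    echo "$dir"
}

# Real use: build_ovpn /etc/openvpn/easy-rsa/keys alice vpn.example.com > alice.ovpn
```

The resulting file is a complete client profile (inline CA, certificate and key) that OpenVPN 2.x clients accept directly.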

Continue reading

OpenSSL Ciphers — March 1, 2017

OpenSSL Ciphers

OpenSSL is a very handy tool, on both Linux and Windows. On both you can do all kinds of conversions and creations, but equally useful, you can view the details of the ciphers that are supported.

On Linux systems OpenSSL will look for /usr/local/ssl/openssl.cnf, or on some flavours /etc/ssl/openssl.cnf or even /usr/lib/ssl/openssl.cnf, and on Windows it will show a warning:

WARNING: can't open config file: /usr/local/ssl/openssl.cnf

Continue reading

SSH Logon with Private Key —
Installing / Updating Webmin —

Installing / Updating Webmin

We’ve got Webmin installed on a number of our Debian Linux boxes. In our environment many of these servers don’t have full and open access to the internet, so they aren’t capable of going out and updating from the Webmin site.

To get our updates we must download the .deb file using a client system from the Webmin download page and then copy it to the server using scp:

$ scp webmin_[VERSION]_all.deb [SERVER]:~/

Then just ssh onto the server and install the update using:

$ sudo dpkg -i ~/webmin_[VERSION]_all.deb
(Reading database ... 53365 files and directories currently installed.)
Preparing to replace webmin VERSION (using webmin_VERSION_all.deb) ...
Unpacking replacement webmin ...
Setting up webmin (VERSION) ...
Webmin install complete. You can now login to https://SERVER:10000/
as root with your root password, or as any user who can use sudo
to run commands as root.

This does a straightforward update if it exists, or a new install if it doesn’t.

Teradici PCOIP MC Upgrade —

Teradici PCOIP MC Upgrade

Following the upgrade of the Management Console I noticed that none of the terminals were actually connecting to it. They connected through our 802.1x onto the production VLAN, but if you look in the console, none of them are reporting back.

So I picked one at random that I found was online (even though the Management Console says it is, it might not be). I logged into the terminal’s web GUI and looked at the Management config.

Management > Config

Continue reading

SSL/TLS as a Server Admin — February 28, 2017

SSL/TLS as a Server Admin

I’m not an encryption expert by any means. I’ve no great understanding of the mathematics involved in the encryption process and the ciphers used. What I do understand is what that means from the point of view of a server admin.

One thing to state right now is that SSL and TLS are the same thing. SSL was simply renamed TLS; the mechanisms and ciphers have changed, but the underlying principles and the concept are the same, and despite the rename it’s still mostly referred to as SSL.

The basic process of SSL is that in order to engage in a secure conversation between systems both systems must share a level of trust with a common 3rd party.

I don’t trust you just because we can encrypt data together. I need to trust you based on a 3rd party we both trust telling me that you are who you say you are.

Continue reading