Thursday, January 29, 2009

Modifications to stock CUPS server

I've been tasked with setting up a Unix print server, since the current one runs unmanaged on a PC beneath someone's desk. Since we use RHEL4 for our servers, obviously this is going to be using CUPS. Setting up CUPS isn't too painful. The web interface is pretty easy to use. My concern though is when you click on the Administration link and log in, it continues to use plain-text HTTP to pass the credentials.

Here are the few things I've changed to make me feel a little bit less uneasy.

First, I created a self-signed SSL certificate and copied the key and crt to /etc/cups/ssl.

Then, I enabled the following in cupsd.conf:

ServerCertificate /etc/cups/ssl/server.crt
ServerKey /etc/cups/ssl/server.key
SSLPort 443


I still have the stock port 631 listening as well.

Finally, I modified the index HTML page for the CUPS service. I found this located in /usr/share/cups/doc/index.html. I edited the two hyperlinks for administrator so that it pointed to "https://print.example.com/admin". I know this won't stop people from using "http://print.example.com:631/admin", but at least if they are just clicky-clicky, it will have them log into the administrative interface using HTTPS. I'm not sure how to force users to use HTTPS when accessing the administrative page in CUPS, but at least this is a start.

Now, I don't feel like my usernames and passwords are floating around in the clear when it comes to CUPS.
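The post leaves open how to force HTTPS on the admin page. cupsd.conf has a per-Location `Encryption` directive, and the added example below (not the author's code) audits a config for Location blocks that set `AuthType` without `Encryption Required`. The sample config, the `audit` function, and the assumed default of `IfRequested` are constructed for illustration; confirm the directive's behaviour in the cupsd.conf documentation for the CUPS version in use.

```python
import re

# Constructed sample config: the directives from the post plus a
# stock-style /admin block. Not taken from a real server.
SAMPLE = """\
Port 631
SSLPort 443
ServerCertificate /etc/cups/ssl/server.crt
ServerKey /etc/cups/ssl/server.key
<Location />
Order Deny,Allow
</Location>
<Location /admin>
AuthType Basic
AuthClass System
</Location>
"""

ENFORCING = {"required", "always"}  # Encryption values that refuse plaintext


def audit(conf_text):
    """Return findings for Location blocks that authenticate without requiring TLS."""
    weak, plaintext, location, block = [], [], None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(\S+)>$", line, re.I)
        if opened:
            location, block = opened.group(1), {}
        elif line.lower() == "</location>":
            auth = block.get("authtype", "none")
            enc = block.get("encryption", "ifrequested")  # assumed default
            if auth != "none" and enc not in ENFORCING:
                weak.append((location, auth, enc))
            location = None
        else:
            parts = line.split(None, 1)
            key = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if location is not None:
                block[key] = value.lower()
            elif key in ("port", "listen"):  # non-SSL listeners
                plaintext.append(value)
    ports = ", ".join(plaintext) or "none"
    return [f"{loc}: AuthType {auth}, Encryption {enc}; plaintext listeners: {ports}"
            for loc, auth, enc in weak]
```

Adding `Encryption Required` inside the `<Location /admin>` block of the sample makes `audit` return an empty list.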

Friday, January 16, 2009

Thought on malware spreading through known vulnerabilities

The BBC has an article today about the spreading of an Internet worm to millions of PCs (aka Conficker, Downadup, or Kido). Interestingly enough, this vulnerability was addressed by Microsoft in MS08-067 on October 23, 2008. The BBC article then obviously states "users should have up-to-date anti-virus software and install Microsoft's MS08-067 patch." What I found interesting was the estimated top locations of infections.

China 38,277
Brazil 34,814
Russia 24,526
India 16,497
Ukraine 14,767
Italy 13,115
Argentina 11,675
Korea 11,117
Romania 8,861
United States 3,958
United Kingdom 1,789

I wonder how this ranking compares to the total number of pirated/unsupported instances of the operating system running in each country, as in "not recognized as a 'Genuine' license to Microsoft and therefore unable to apply patches from Windows Update." I'm wondering if the spread of malware like this that targets personal PCs or office workstations would be significantly reduced if Microsoft either opened up their Windows Update service to non-verified owners, or changed their pricing to be more affordable for its worldwide users.

Monday, January 12, 2009

Deleting a Solaris RAID created with Volume Manager

It seems most of my "howto" posts recently have been Solaris related. The main reason for that is that my Solaris admin knowledge is weak, requiring me to look up Solaris-specific tasks. And when I learn how to do something, I like to share with others the answer, just in case they didn't either.

We have a Solaris 10 host in the lab that we do software tests on, and I somehow have been tapped to admin and be in charge of its OS. The production hosts we create for clients use RAID-1 with two disks, so the original install steps specified using the Sun Volume Manager using the different "meta" commands (metadb, metainit, metattach). Without much warning, they've gone and changed the install steps to use the simpler "raidctl" command. My problem now is that I have to reinstall the lab test host, and set up the RAID with raidctl. However, I have no idea how to delete the previous RAID configuration. Thankfully, I came across this. It appears all I had to do was run "metaclear -a".

Tuesday, January 6, 2009

My take on "Which Unix to learn"

I came across this post on TaoSecurity today, with Richard Bejtlich's suggestions for an "Introduction to Unix." Like text editors, the discussion about which distribution of Unix to learn can be considered a "religious" argument. If you're a regular reader of his blog, it's no surprise he suggests FreeBSD. He does clarify and say if you're running a server, he suggests FreeBSD; and if you're running a desktop, he now prefers Ubuntu. And if you're still adamant about running Linux as a server, he suggests Debian.

My opinion differs, depending mainly on "why do you want to learn Unix?" If the answer is related to increasing your work/resume skill sets, I would have to disagree about using FreeBSD or any of its other BSD derivatives (Net, Open, etc.). In my experiences of being an admin or some other support role, I have yet to encounter a *BSD server. I'd encourage someone to use a distribution that they would encounter in a corporate environment. The Unix server OSes I've had to support have been Red Hat (now Fedora), Red Hat Enterprise Linux (also known as RHEL), and Sun Solaris. To avoid having to pay licensing fees, you could substitute CentOS for RHEL.

If I were asked the question, I would suggest a "major" Linux distribution or Solaris/Open Solaris instead. I would think their device names, software packages, and file system organization would help with familiarity when trying to translate the knowledge learned to a corporate environment. Although this may be an unfounded opinion, I also think that there are more support options and supported software using them, rather than using *BSD. I do agree with Bejtlich that if you want to run a Unix distribution on the desktop, to stick with Ubuntu, since it seems to "just work" when installed and there are fewer configuration headaches. Or you can just use a Mac if you want a Unix desktop (troll... and yes Mac could be considered a BSD variant).

Monday, January 5, 2009

Managing "To Do" items for work

I'm trying to decide the best way to manage my tasks, projects, and "mini-projects". I define mini-project as something larger than a task, but I'm my own manager and don't need to submit a project plan. Maybe I should've asked for Tim Limoncelli's "Time Management for System Administrators" as a Christmas gift.

The options I know of are:

"Remember the Milk" - Pros: Seems very extensible, geeky, multiple ways to manage, etc. Cons: I doubt my company would like me storing information with a third party.

Using "Tasks" in Outlook - Pros: This would be stored and backed up at work. Cons: I like to keep my interaction with Outlook at a minimum. I just don't like the interface for it, anyways.

Creating tickets in a case management system - Pros: I've done this at previous jobs creating cases assigned to myself for tasks and mini-projects. Cons: My employer takes its case tracking statistics seriously.

Personal Wiki - Pros: Uses a web browser to edit. Some wikis have version control and search capabilities. Cons: Some wikis require running on a server and using heavyweight services (is that overkill?). Is it really the best tool for the job?

Right now, I'm using TiddlyWiki. I feel the interface is a little clunky, but does a lot of what I want it to do. For instance, it's lightweight (does not require a server or a database), can be portable (it's just files), only requires a web browser and access to its files, and has some searching capability.

I'd be interested to know what other people are using to manage their tasks and other assignments that are not necessarily part of the "everyday routine."