Quick Links

PNP4Nagios with SElinux on CentOS / RHEL 6

PNP4Nagios is commonly used to add performance graphs to a Nagios installation.

For additional security, SElinux is enabled on the monitoring host. There is no standard SElinux policy for applications like PNP4Nagios, so we need to develop a custom policy. This sounds harder than it actually is:

Run the software as you normally would (SElinux will interfere, so prepare for errors)
Extract audit messages and use them to create or update a local SElinux policy for the software
Repeat until everything works

In this example, I am running Nagios 3.2.3 with PNP4Nagios 0.6.16 on EL6, 64-bit.

After configuring Nagios and PNP4Nagios integration in Synchronous Mode (see [...]

Continue reading PNP4Nagios with SElinux on CentOS / RHEL 6

February 13th, 2012 | Tags: , , , , , | Category: Work | Comments are closed

Tip: Encrypted passwords, just add salt

You can generate encrypted password strings (hashes) using the openssl utility.

You need to supply both a “salt” string and the password you wish to encrypt:

# openssl passwd -1 -salt MoreSalt ThePassword
$1$MoreSalt$Cvu.5MdMq1BjAsFp1oc.f/

The following command line generates a random 8-character salt string:

# openssl rand -base64 6

Combine these into a single command line that uses a different random salt on each invocation:

# openssl passwd -1 -salt $(openssl rand -base64 6) ThePassword
$1$XpOpurgQ$41bulzoCV8viFy37EX6jk.

Read on for a comparison between old crypt()-style passwords and the current md5-style shadow passwords.

March 29th, 2011 | Tags: , , | Category: Work | Comments are closed

Annoyed by phpMyAdmin scans? Set up a tarpit with mod_security!

Note: Rho’s excellent blog post pointed me in the right direction – credit where credit is due.

On my websites, I’ve seen a lot of scanning for vulnerable phpMyAdmin installations.

As a matter of policy, I don’t run phpMyAdmin on any Internet-facing web server. The scans won’t find anything, but the log entries are annoying so I decided to take action.

Some information about the attacks:

The scans originate from a variety of sources, so an IP-address block will not work.
The scans typically probe IP-addresses (not hostnames) for phpMyAdmin installations. We will use this to our advantage.

The scans cannot be prevented, but at least [...]

Continue reading Annoyed by phpMyAdmin scans? Set up a tarpit with mod_security!

August 14th, 2010 | Tags: , | Category: Work | One comment - (Comments are closed)

Dropbox Tip: 1Password Sync

I’m a great fan of both 1Password and Dropbox, so what’s better than combining the goodness of both?

If you have multiple computers running 1Password, you’ll love how easy it is to set up password syncing using Dropbox. The 1Password team recommends Dropbox over MobileMe or iDisk, so I decided to follow their lead.

As an extra feature, you’ll even get “1PasswordAnywhere”…

July 5th, 2010 | Tags: , , , | Category: Work | Comments are closed

Configuring SELinux for WordPress

I recently installed WordPress 2.9.2 on my webservers.

Since these servers are obviously connected to the Internet, they run with SELinux enabled. This means that you cannot use the standard FTP functionality in the WordPress admin panel to manage your themes and plugins.

If you configure SELinux properly, you can enjoy the comforts of WordPress without compromising security.

June 23rd, 2010 | Tags: , , | Category: Work | Comments are closed
 
  Older Entries »