Mitigating Poodle SSLv3 vulnerability

A new vulnerability was announced in the archaic SSLv3 protocol. You can defend your server by disabling the SSLv3 protocol. But bear in mind that, according to rumors, Windows XP with IE6 still uses it too, so disabling SSLv3 basically means cutting off old WinXP users from your services.

At the bottom of the page you can also find tips for disabling SSLv3 in Firefox and Chrome.


Disabling SSLv3

apache

Add/modify the line in /etc/httpd/conf.d/ssl.conf so it looks like this:

SSLProtocol all -SSLv2 -SSLv3

restart apache:

service httpd restart

postfix

Add to /etc/postfix/main.cf:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

restart postfix:

service postfix restart

dovecot before v2.1

To get the dovecot version, use:

[root@vps dovecot]# dovecot --version
2.0.9

In /etc/dovecot/conf.d/10-ssl.conf add/modify the line:

ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3

dovecot v 2.1 and newer

In /etc/dovecot/dovecot.conf add/modify the line:

ssl_protocols = !SSLv2 !SSLv3

restart dovecot:

service dovecot restart
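Once the directives above are in place it is worth checking each host, since a later include file or a typo can silently re-enable the protocol. The script below is an added example, not part of the original notes; it assumes only the directive syntax shown above (apache "SSLProtocol all -SSLv2 -SSLv3", postfix "smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3", dovecot "ssl_protocols = !SSLv2 !SSLv3") and reports whether the last active line really switches SSLv3 off.

```shell
#!/bin/sh
# Added example, not from the original notes: verify that the protocol
# directives set above really leave SSLv3 off, so each host can be checked
# before and after the service restart. Assumes the directive syntax shown
# on this page for apache (SSLProtocol), postfix
# (smtpd_tls_mandatory_protocols) and dovecot (ssl_protocols).

# sslv3_disabled_value VALUE -> exit 0 if the directive value disables SSLv3
sslv3_disabled_value() {
    ssl3_on=0; ssl3_off=0; has_incl=0
    # tokens are space separated (apache, dovecot) or comma separated (postfix)
    for t in $(printf '%s' "$1" | tr ',' ' '); do
        case "$t" in
            -SSLv3|!SSLv3)         ssl3_off=1 ;;   # explicit exclusion
            all|+all|SSLv3|+SSLv3) ssl3_on=1 ;;    # explicit inclusion
            -*|!*)                 ;;              # exclusion of some other protocol
            *)                     has_incl=1 ;;   # inclusion list naming another protocol
        esac
    done
    if [ "$ssl3_off" = 1 ]; then return 0; fi   # "-SSLv3" / "!SSLv3" present
    if [ "$ssl3_on" = 1 ]; then return 1; fi    # "all" or "SSLv3" without exclusion
    if [ "$has_incl" = 1 ]; then return 0; fi   # whitelist that never names SSLv3
    return 1   # empty or exclusion-only list: SSLv3 stays at the daemon default (on)
}

# sslv3_disabled_in FILE DIRECTIVE -> exit 0 if the last active DIRECTIVE line
# in FILE disables SSLv3; handles both "Key value" and "key = value" forms
sslv3_disabled_in() {
    value=$(grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
            | sed -n "s/^[[:space:]]*$2[[:space:]]*=\{0,1\}[[:space:]]*//p" | tail -n 1)
    # no such line: the daemon default applies, which is not a verified "off"
    [ -n "$value" ] || return 1
    sslv3_disabled_value "$value"
}

# typical use on a host after applying the notes above:
#   sslv3_disabled_in /etc/httpd/conf.d/ssl.conf SSLProtocol && echo "apache: SSLv3 off"
#   sslv3_disabled_in /etc/postfix/main.cf smtpd_tls_mandatory_protocols && echo "postfix: SSLv3 off"
#   sslv3_disabled_in /etc/dovecot/dovecot.conf ssl_protocols && echo "dovecot: SSLv3 off"
```

A missing directive is reported as "not disabled" on purpose: the daemon default then decides, and that is exactly the state you want to notice.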


Firefox

In the URL bar type about:config, search for security.tls.version.min and set the value to 1.


Chrome

Unlike in FF, you can't set it permanently somewhere in the configuration, so you have to start Chrome every time with the parameter --ssl-version-min=tls1

Bash tips

How to convert string to array of strings

# 1st declare our separator
IFS=";"
# define the string we want to split
NAMES="Linus Benedict Torvalds;James Bond;Franta Novak"
# try this one (word splitting on IFS builds the array):
AR_N=($NAMES)
# OR this one (if the previous one is not working):
read -a AR_N <<<"$NAMES"
# remove our previously defined separator so the rest of the script is not affected
unset IFS

The variable AR_N now contains our separated strings; the 1st item in the array is ${AR_N[0]}.


Convert small letters to big ones

echo abcd | tr '[:lower:]' '[:upper:]'

Convert hexadecimal number to decimal

# bc needs the hex digits in upper case, hence the tr
echo "ibase=16; $(echo 2f194 | tr '[:lower:]' '[:upper:]')" | bc


VIM editor

The vim editor is very popular among linux/unix admins. One of its cool features is syntax highlighting. Did you know that you can disable this highlighting or change the color scheme?

To enable/disable syntax highlighting type:

:syntax on/off

To change the color scheme in vim:

:colo SCHEME

where SCHEME can be e.g. delek, desert, morning

To make these options permanent, just create/modify the file "~/.vimrc", e.g.

colo desert
syntax on

AIX tips

Adding user to group

Please bear in mind that in AIX you can't add a new group to a user's existing groups with a single command/parameter like in RHEL/SUSE: the -G parameter replaces the whole group list, so be careful and pass the existing groups along with the new one.

USER=jamesbond; NEWGROUP=wheel; usermod -G `id -nG $USER | tr " " ","`,$NEWGROUP $USER

Extending FS on AIX

1) we are interested in the mountpoint /sapmnt/sap
2) we need to know the logical volume name => the volume name is lv4
3) lslv lv4 -> we need to find the volume group name => d4dvg
4) lsvg d4dvg => we need to know the available free space we can use for extending: "FREE PPs:"
5) ok, we can extend by a maximum of 1 GB: chfs -a size=+1G <mount point>

opr879@udv:/home/opr879 $ df -sk
Filesystem   1024-blocks     Free* %Used    Iused %Iused Mounted on
/dev/hd4     327680    181520   45%     3225     8% /
/dev/lv4     9043968    329432   97%  1277966    95% /sapmnt/sap

server:/ # lslv lv4
LOGICAL VOLUME:     lv4               VOLUME GROUP:   d4dvg
LV IDENTIFIER:      00ca3fcd00004c000000011ecfc6c298.10 PERMISSION:     read/write
VG STATE:           active/complete        LV STATE:       opened/syncd
TYPE:               jfs2                   WRITE VERIFY:   off
MAX LPs:            512                    PP SIZE:        64 megabyte(s)
COPIES:             1                      SCHED POLICY:   parallel
LPs:                138                    PPs:            138
STALE PPs:          0                      BB POLICY:      relocatable
INTER-POLICY:       minimum                RELOCATABLE:    yes
INTRA-POLICY:       middle                 UPPER BOUND:    128
MOUNT POINT:        /sapmnt/sap            LABEL:          /sapmnt/sap
MIRROR WRITE CONSISTENCY: on/ACTIVE                              
EACH LP COPY ON A SEPARATE PV ?: yes                                    
Serialize IO ?:     NO                                     

server:/ # lsvg d4dvg
VOLUME GROUP:       d4dvg                    VG IDENTIFIER:  00ca3fcd00004c000000011ecfc6c298
VG STATE:           active                   PP SIZE:        64 megabyte(s)
VG PERMISSION:      read/write               TOTAL PPs:      3258 (208512 megabytes)
MAX LVs:            512                      FREE PPs:       16 (1024 megabytes)
LVs:                13                       USED PPs:       3242 (207488 megabytes)
OPEN LVs:           12                       QUORUM:         4 (Enabled)
TOTAL PVs:          6                        VG DESCRIPTORS: 6
STALE PVs:          0                        STALE PPs:      0
ACTIVE PVs:         6                        AUTO ON:        yes
MAX PPs per VG:     130048                                    
MAX PPs per PV:     1016                     MAX PVs:        128
LTG size (Dynamic): 128 kilobyte(s)          AUTO SYNC:      no
HOT SPARE:          no                       BB POLICY:      relocatable


server:/ # chfs -a size=+1G /dev/lv4

Sometimes an attempt to extend the FS fails because the number of LPs is approaching MAX LPs:

root@server2:/ # lslv lv5
LOGICAL VOLUME:     lv5              VOLUME GROUP:   edi01vg
LV IDENTIFIER:      005a6c5a00004c00000000f66adb3cb4.3 PERMISSION:     read/write
VG STATE:           active/complete        LV STATE:       opened/syncd
TYPE:               jfs2                   WRITE VERIFY:   off
MAX LPs:            2048                 PP SIZE:        64 megabyte(s)
COPIES:             1                      SCHED POLICY:   parallel
LPs:                1994                PPs:            1994
STALE PPs:          0                      BB POLICY:      relocatable
INTER-POLICY:       minimum                RELOCATABLE:    yes
INTRA-POLICY:       middle                 UPPER BOUND:    32
MOUNT POINT:        /e                 LABEL:          /e
MIRROR WRITE CONSISTENCY: on/ACTIVE                             
EACH LP COPY ON A SEPARATE PV ?: yes                                   
Serialize IO ?:     NO    

If this is the issue, we can increase MAX LPs:

chlv -x 3000 <log.vol>

and then we can try to extend the FS again.
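Both limits from the procedure above (FREE PPs in the volume group and MAX LPs on the logical volume) can be read off lsvg/lslv output before running chfs. The script below is an added example, not part of the original notes: it parses saved lsvg and lslv output and reports how many megabytes the filesystem can grow and which limit you hit first. The excerpts are constructed from the figures on this page (d4dvg, lv4, lv5); the 100-PP volume group is invented for the second case.

```shell
#!/bin/sh
# Added example, not from the original notes: from saved lsvg and lslv output,
# work out how much a JFS2 filesystem can still grow and whether the limit is
# the volume group (FREE PPs) or the logical volume (MAX LPs), the failure
# described above. The excerpts below are constructed from the figures on this
# page (d4dvg, lv4, lv5); the 100-PP volume group is invented for the second case.

# field LABEL TEXT: print the number that follows "LABEL:" in TEXT. The label
# must start a line or follow two spaces, so "LPs:" does not hit "MAX LPs:".
field() {
    printf '%s\n' "$2" | awk -v lbl="$1" '
        match($0, "(^|  )" lbl ":") {
            s = substr($0, RSTART + RLENGTH); sub(/^ +/, "", s)
            split(s, a, " "); print a[1]; exit }'
}

# max_grow_mb LSVG_OUT LSLV_OUT: print "<megabytes> <limiting factor>", where the
# factor is free-pps (the VG needs more disk) or max-lps (raise it with chlv -x)
max_grow_mb() {
    pp_mb=$(field "PP SIZE" "$1")
    free_pp=$(field "FREE PPs" "$1")
    lp_room=$(( $(field "MAX LPs" "$2") - $(field "LPs" "$2") ))
    if [ "$lp_room" -lt "$free_pp" ]; then
        echo "$(( lp_room * pp_mb )) max-lps"
    else
        echo "$(( free_pp * pp_mb )) free-pps"
    fi
}

# constructed lsvg excerpts: d4dvg with 16 free 64 MB PPs, and an invented VG with 100
LSVG_D4DVG='VG STATE:           active                   PP SIZE:        64 megabyte(s)
MAX LVs:            512                      FREE PPs:       16 (1024 megabytes)'
LSVG_BIG='VG STATE:           active                   PP SIZE:        64 megabyte(s)
MAX LVs:            512                      FREE PPs:       100 (6400 megabytes)'
# constructed lslv excerpts: lv4 has plenty of LP headroom, lv5 is 54 LPs from MAX LPs
LSLV_LV4='MAX LPs:            512                    PP SIZE:        64 megabyte(s)
LPs:                138                    PPs:            138'
LSLV_LV5='MAX LPs:            2048                 PP SIZE:        64 megabyte(s)
LPs:                1994                PPs:            1994'

max_grow_mb "$LSVG_D4DVG" "$LSLV_LV4"   # 1024 free-pps: chfs -a size=+1G is the most you get
max_grow_mb "$LSVG_BIG" "$LSLV_LV5"     # 3456 max-lps: chlv -x first, then chfs
```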

Check if all mountpoints are in read-write mode

If you work with servers that use SAN storage, you probably know this scenario: one or more paths go offline temporarily. After all paths are online again you need to be sure that all filesystems are accessible and still in read-write mode. You can easily check it using the commands below:

Linux

# mount prints "dev on MOUNTPOINT type FSTYPE (opts)": $5 is the fs type, $3 the mount point
FILE=readwrite.check; for i in `mount | awk ' $5!~/(proc|sysfs|devpts|tmpfs|debugfs|usbfs|subfs|binfmt_misc|rpc_pipefs|nfsd|vxodmfs|securityfs|fusectl|oracleasmfs)/ {print $3}'`; do echo "======== $i ========"; echo "Objects in folder: $(ls -la "$i" | wc -l)"; echo "rw check" > "$i/$FILE"; ls -la "$i/$FILE"; rm -f "$i/$FILE"; echo; done

AIX

# $2 is the mount point, $3 the vfs type; the "$2 ~ /^\//" test skips the two header lines of AIX mount
FILE=readwrite.check; for i in `mount | awk '$2 ~ /^\// && $3 !~/procfs/ {print $2}'`; do echo "======== $i ========"; echo "Objects in folder: $(ls -la "$i" | wc -l)"; echo "rw check" > "$i/$FILE"; ls -la "$i/$FILE"; rm -f "$i/$FILE"; echo; done

Solaris

# Solaris mount prints "MOUNTPOINT on DEVICE opts": $1 is the mount point, $3 the device/fs
FILE=readwrite.check; for i in `mount | awk ' $3!~/(fd|ctfs|sharefs|objfs|mnttab|devices|proc|sharetab)/ {print $1}'`; do echo "======== $i ========"; echo "Objects in folder: $(ls -la "$i" | wc -l)"; echo "rw check" > "$i/$FILE"; ls -la "$i/$FILE"; rm -f "$i/$FILE"; echo; done

OpenSSL heartbleed bug

A new vulnerability in the widely used OpenSSL was detected. The vulnerability is known as the Heartbleed bug. OpenSSL 1.0.1 versions before 1.0.1g are vulnerable. Thanks to the good work of people at RedHat (a special thank you goes to Tomas Mraz, Senior programmer at RedHat) and the CentOS community, a quick workaround was published for the commonly used OpenSSL 1.0.1e. We are looking forward to the release of OpenSSL 1.0.1g.

Don't hesitate to patch your servers….