Posts

Showing posts from August, 2004

Philrice jumps into Open Source bandwagon

This is my after-travel report for my attendance at the Philippine Open Source Conference: With open source moving towards the mainstream of information technology, the Philippine Open Source Conference 2004 was a fitting event to highlight viable and relevant solutions not only for technology-inclined individuals, but for enterprise applications as well. Organized by Media G8way Corporation and Imperium Technology, Inc., the Open Source Conference, held from August 17 to 19 at the Shangri-la Edsa Plaza, featured seminar tracks on business applications; telecommunications, networking and security; and programming and advocacy. Open source experts and advocates discussed topics and issues on enterprise Linux, open source migration, interoperability, mobile solutions like virtual private networks and SMS, and high availability and clustering. Open source, in a nutshell, is a philosophy and a movement that puts forward the premise that software should be free for use, to be modified, and ...

It never ends

Get staging-server to connect to the test LAN segments.
Install the following services:
    Proxy with LDAP authentication
    LDAP with connection to Active Directory
    Samba for file sharing and LDAP authentication
    Jabber IM with LDAP authentication
Install Nagios to monitor the servers.
Test Kannel on leila for SMS and SMS-to-email gateways.
Work on the intranet, Open Academy, and corporate CMS.
Wash laundry on weekends.

RPM like Russian doll

You know, the one in Sesame Street where a small doll contains a smaller doll, and so on, ad nauseam. I'm talking about the dependency chain in RPM installation, of course. For example, as I was about to upgrade Webmin, Maui complained that the package depended on several Perl modules, which in turn needed some other Perl modules. It was doubly harder because I still couldn't fix the problem of Maui not resolving FQDNs properly, so I had to rely on the IP addresses of the RPM repositories in doing wgets -- a tedious process, I tell you. But, I finally made it work: upgraded Webmin to version 1.5, and added SSL functionality for additional security; but only after almost a day of scrounging the web for the correct and compatible RPMs (Net::SSLeay, Mon::client and Convert::BER, just to name a few). I also had to rebuild the index file for SARG to reflect the previous month. It still does not make weekly and monthly reports, though. I probably forgot to add cron entries ...

To-dos

Investigate the logs on the Squid authentication admin interface error (a blank error page on nauth_edit.cgi ).
Try out bridging on the network reconfiguration testbed. Seems to me this one will work. We have managed to create an Active Directory setup that authenticates hosts on different subnets. Problem is, the hosts themselves cannot "see" each other on the network. I would have loved to implement a Samba PDC + OpenLDAP on this one, if only we could solve the requirement for the existing apps that need domain authentication.
Look further into Maui's resolution problem: she still can't resolve hostnames, and yet the DNS lookups work. Had to resort to placing raw IPs in her yum.conf and wgets.
Research on network acceptable use policies -- something that's tenable and open for the academe culture here.
Read up on advanced IP routing. The deadline for the load-balancing multiple-leased-line scheme is fast approaching, and I haven't done anything substantial ...

*Bang my head on the cubicle partition*

It was one of those days. The night before I went off to the Open Source Conference, I finished getting the FC2 torrent from The Linux Mirror Project , and had it burned along with a Linux router live CD and a Gentoo universal live CD (v2004.2, I think). My plan was to set up a real Linux box at the workplace, as I had to resort to a Damn Small Linux CD. Well, I did get it to install, but I missed KDE and Gnome. =D So there: by the time I went back to the office and filed a back-to-office log, I promptly went on installing FC2 on the desktop. Wait a moment: Your system does not support long mode, use a 32-bit mode instead. WTF!? ... Turns out the torrent I downloaded was x86_64! Gawd! Back to the torrents. (On a side note, I can't seem to get through the firewall for the BitTorrent client here at the office... will have to search the docs for that one.) Anyway: so FC2 was a no go. In came the Gentoo live CD. Created a copy for Portage, there. Hey, what's that: no space left on the parti...

Configuring a new DSL router

Finally, after almost a month of waiting, PLDT has replaced my ailing router, which was prone to reverting to its default config every now and then. The glaring fact that it took them nearly a month to diagnose my problem, and subsequently just replace the router, is another post in itself -- a rant versus PLDT and their DSL, maybe. Anyway: the new router, a Zyxel Prestige 600 series ADSL router, came with a starter CD from the provider. The starter CD contains the installation manual for the router, as well as an installation wizard. The wizard runs through the configuration process that checks for the LAN connection, the DSL link and the PPPoE link. Installation was, in a nutshell, "plug-and-play". To be able to connect to the internet, the user only has to power up the router. That was for Windows. My Linux box failed to bring up ppp0 after the new router was installed. Turns out I had to set up eth0 , on which the router was connected via a cross-cable, to DHCP. There was no m...

Philippine Open Source Conference 2004

I'm off to the Philippine Open Source Conference 2004 at the Shangri-la Edsa Plaza tomorrow. It's a one-of-a-kind event, and a great chance to meet other open source advocates and experts, and exchange views and ideas on the Open Source movement. My objective is two-pronged: to "network" with colleagues in the field, and to "steal" ideas for several projects here in the workplace. I've set my sights on some interesting topics: network management, VoIP and wireless communications, SMS gateways, high-availability and clustering, and open source migration. It would be fun.

On network policies

Recent logs on the proxy server suggest that some users have been sharing their passwords, and apparently abusing their internet access privileges: browsing questionable sites, hogging much-needed bandwidth, even flagrantly violating others' right to privacy and that of data integrity. The original purpose of internet access -- and of the local area network in general -- in the workplace was to promote openness; and while it was made clear that connection to the network and its services was a privilege, that privilege was left open to cultivate a network culture. That philosophy, however, has been turned on its head by some who thought that they can abuse it with impunity. Hence, several restrictions have been put in place, including stricter and more clear-cut network policies that specifically curtail some privileges. It was hard on the part of the network management to impose such policies, but to ensure the security and integrity of the network, it had to be done. This meant on...

On acceptable use

Recent logs on Maui suggest that some users have been sharing their passwords, and apparently abusing their internet access privileges: browsing questionable sites, hogging much-needed bandwidth, even flagrantly violating others' right to privacy and that of data integrity. The original purpose of internet access -- and of the local area network in general -- in the workplace was to promote openness; and while it was made clear that connection to the network and its services was a privilege, that privilege was left open to cultivate a network culture. That philosophy, however, has been turned on its head by some who thought that they can abuse it with impunity. Hence, several restrictions have been put in place, including stricter and more clear-cut network policies that specifically curtail some privileges. It was hard on the part of the network management to impose such policies, but to ensure the security and integrity of the network, it had to be done. This meant one thing: tha...

Dial-in server

We have eight available telephone lines for dial-in. My predecessor has configured two lines going through a Cisco 2500 router configured for TACACS. The remaining problem now is to fabricate RS232 interfaces for the other six modems. (Another problem, I suppose, is that he did not leave any documentation on how he configured the TACACS and NAS. Emailed him on that already.) I'm not very familiar with Cisco routers -- mostly just basic IOS stuff -- so I'm trying to cram as much knowledge on TACACS as possible. Seems fairly easy, with the online documentation available. Yeah, right: easier said than done. I'm also having problems with Maui. Again. Seems like she can't resolve FQDNs. But dig is running fine. Nothing unusual in the logs. So I had to edit the /etc/yum.conf file to include just the IP addresses for the yum repositories. It's a hack, I know, but it worked. I'm not sure, but I think her TCP/IP stack is whacked up a bit. She's humming softly, thou...

Ping!

We've just received an internal memo from the Boss, directing us to follow a "weekly output cycle" for our work. Well, for one, this keeps us on our toes. For another, from an administrative point of view, this allows us to keep track of our progress. Done, then. Weekly output cycle, it is. My response: my own work blog. Here, I will detail my daily work output -- what I intended to do for the day, what transpired in the course of my work, other teenie-weenie details that might get out of my grasp if I delay documenting them. No big deal, really, this one. It's my usual practice to keep a daily log. A co-worker would say that I'm being my O.C. (obsessive-compulsive) self again, but hey, this way, I can keep tabs on my, eherm, accomplishments. So off we go. (Of course, I'll still maintain my rants and raves -- tech stuff will still be there; this is for posterity and, uh, productivity.)

Password-protect your site

Again, this has been done -- better -- by others. But I've recently been asked by the head of our IT division to put up the statistics on internet usage as generated by SARG in a protected directory on the website, and I have to do some quick-and-dirty stuff. This is for *my* documentation purposes only. YMMV.

Create the directory, e.g. /var/www/html/reports . In httpd.conf , add the following directives:

    Alias /reports /var/www/html/reports
    <Directory /var/www/html/reports>
        AllowOverride All
        DirectoryIndex index.html
    </Directory>

This lets the local .htaccess override the global directives. Inside /var/www/html/reports , create a .htaccess file with the following directives:

    AuthName "Internet Access Statistics"
    AuthType Basic
    AuthUserFile /var/www/secret/.htpasswd
    <Limit GET>
        require user username
    </Limit>

Make sure that the .htaccess file is owned by the effective user and group as specified in httpd.conf , which,...
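As an added example (not from the original post), the shell functions below cover the two checks a reviewer would run against the recipe above: a `.htaccess` variant that requires authentication for every HTTP method, since a `require` wrapped in `<Limit GET>` leaves HEAD, POST and any other verb unauthenticated, an audit that flags that pattern in an existing file, and a check that `AuthUserFile` lives outside DocumentRoot. The paths (`/var/www/html`, `/var/www/secret/.htpasswd`) and realm name are taken from the post; the function names are mine.

```shell
#!/bin/sh
# Added example, not the original post's own code. Assumed paths:
# DocumentRoot /var/www/html, password file /var/www/secret/.htpasswd.

# Print a .htaccess that demands Basic auth for every method. No <Limit>
# block: "Require valid-user" applies to GET, HEAD, POST and anything else.
hardened_htaccess() {
    cat <<'EOF'
AuthName "Internet Access Statistics"
AuthType Basic
AuthUserFile /var/www/secret/.htpasswd
Require valid-user
EOF
}

# Audit an existing .htaccess (path in $1): exit 1 if any "require" line
# sits inside a <Limit ...> section, exit 0 otherwise.
audit_htaccess() {
    awk '
        tolower($0) ~ /^[ \t]*<limit[ \t]/   { inlimit = 1 }
        tolower($0) ~ /^[ \t]*<\/limit>/     { inlimit = 0 }
        inlimit && tolower($1) == "require"  { bad = 1 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# AuthUserFile ($2) must not live under DocumentRoot ($1): inside it, a
# guessable name lets any client download the hashes unless a <Files>
# deny rule happens to cover it. Returns 0 when the path is outside.
userfile_outside_docroot() {
    docroot=${1%/}   # tolerate a trailing slash on DocumentRoot
    case "$2" in
        "$docroot"/*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Usage on a deployed host:
#   audit_htaccess /var/www/html/reports/.htaccess || hardened_htaccess
#   userfile_outside_docroot /var/www/html /var/www/secret/.htpasswd
```

The audit is deliberately dumb string matching over the file; it does not evaluate Apache's merge rules, so treat a clean result as "nothing obviously wrong" rather than proof.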

Identity

I've made myself a logotype. Nothing fancy:

Workplan and server inventory

We've finally completed cutover for Maui, with the iptables rules in place. SARG is still doing its stuff. Time to retask my workplan, to include the proposed reconfiguration of the network. My timetable is set up to the end of September. I've also helped in the inventory of the server farm:
    Ligaya is a PDC running Windows NT.
    Leila is the SMS server. She will be retooled to include a MySQL database.
    Elvie is the corporate Web server.
    Strongarm is the AV gate running Symantec AV with SMTP filtering.
    Network-mngnt is for AV syncing of LAN hosts.
    Leila3 runs Postfix+CourierIMAP+HordeIMP.
    Sabel is the primary DNS.
    Opapa runs the web and email services for the Farmer's Internet.

'Clever circumvention of imposed limits'

Hacking is. That's what Judith Milhon, one of the first female hackers, said. Unfortunately today, partly due to uneducated films and unwarranted media travesties, hacking has been equated to break-ins into computers and networks, not much higher in filthiness than criminal breaking-and-entering. In one recent incident in the workplace, where several days' worth of work had been maliciously deleted by someone who used an unsecured workstation to get into the (also unsecured) target host, the term "hacker" lived up to its infamous, albeit undeserved, progeny. How the files were deleted (they were contained in a network share protected by a blank password) or how the intruder got in (the attacking computer was shared among several employees, with only an administrative account and no password) were never part of the office buzz. In the simplest of terms, it was this: "hackers did it." The loose talk even pointed dirty fingers at the IT custodians, with claims that...

Proxy cutover

The cutover to the PREGINET link is complete. However, my attempts to configure iptables for Maui had so far failed miserably. I had to rethink my strategy:
    1. Flush all tables.
    2. Set default policies for INPUT, FORWARD, and OUTPUT to DROP.
    3. Accept DNS, HTTP, and SSH.
    4. Accept connections to Squid from the LAN, and drop from anywhere else.
    5. Since Maui is now effectively exposed, do some NAT.
I've also installed yum on Maui.

*Slaps my forehead*

Okay, so I'm not that good at iptables . So what? I could probably wing it, what with the plethora of information available on the Internet. Nothing to it. Phoeey! Not. After successfully cutting over from a slowly degrading 256kbps leased line connection to a slightly more robust 512kbps one, I've been tasked to implement an iptables firewall on a soon-to-be-deployed public proxy server. The requirement was for it to accept only proxy requests from the existing firewall, along with DNS and SSH access. Fairly easy, I suppose. Not quite. As soon as I got home, I tried accessing the net through the proxy, and indeed, it was open. I had SSH access to it, so off I went writing my script. Of course, first things first: flush the existing rules. Done. Set the default policy to drop for the INPUT, FORWARD and OUTPUT chains. Done. Oh, just try accepting proxy requests from the firewall, and denying everyone else:

    iptables -A INPUT -s $FW_IP -p tcp --dport squid -j ACCEPT
    iptables -A INPUT...

Staging server

About to set up a staging server for a Samba PDC deployment. Installed FC1 on the box, which has two 40GB SATA disks. Cut over the proxy link from AFRDIS to PREGINET. That meant exposing the proxy on the WAN. (The firewall appliance, a Sonicwall, has only one WAN interface and it can't accommodate the PREGINET link.) Reconfigured Maui to have a cache parent. To do: harden Maui, and prevent access to the Squid port from the outside. Time to brush up on iptables .
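The three posts above ("Proxy cutover", "*Slaps my forehead*" and this to-do) describe one ruleset: default-DROP on every chain, Squid reachable only from the upstream firewall and the LAN, plus DNS, SSH and some NAT. The script below is an added example of that ruleset, not the author's script. The addresses, interfaces and ports are assumptions (LAN 192.168.0.0/24 on eth0, upstream firewall 203.0.113.1 via eth1, Squid on 3128, SSH on 22), as is the need to masquerade LAN hosts. Two details matter when the rules are loaded over an SSH session: the ACCEPT for the live session and for ESTABLISHED,RELATED traffic must be in place before the policies flip to DROP, and with OUTPUT also at DROP the proxy needs explicit permission to make its own DNS and HTTP/HTTPS connections, or it will accept requests and then hang. `IPT="echo iptables"` prints the rules instead of loading them, which is how to review the ordering before touching a remote box.

```shell
#!/bin/sh
# Added example (not from the original posts): firewall for a Squid host
# that now sits on the WAN. All addresses below are assumptions.
#   IPT="echo iptables" sh proxyfw.sh   print the rules for review
#   FW_APPLY=1 sh proxyfw.sh            load them (as root)
IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}   # assumed LAN range
FW_IP=${FW_IP:-203.0.113.1}          # assumed upstream firewall address
SQUID_PORT=${SQUID_PORT:-3128}
SSH_PORT=${SSH_PORT:-22}

fw() { $IPT "$@"; }   # $IPT left unquoted so "echo iptables" splits

proxy_rules() {
    # 1. Flush and remove every chain, nat table included, and start clean.
    fw -F; fw -X; fw -t nat -F; fw -t nat -X

    # Lock-out guard: the SSH session running this script, and the replies
    # to anything the box itself started, must be accepted BEFORE the
    # policies become DROP, or the session dies mid-script.
    fw -A INPUT  -i lo -j ACCEPT
    fw -A OUTPUT -o lo -j ACCEPT
    fw -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -A INPUT  -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT

    # 2. Default deny on all three chains.
    fw -P INPUT DROP; fw -P FORWARD DROP; fw -P OUTPUT DROP

    # 4. Squid: only from the upstream firewall and the LAN. Everything else
    #    falls through to the DROP policy, so no explicit deny is needed.
    fw -A INPUT -s "$FW_IP"   -p tcp --dport "$SQUID_PORT" -j ACCEPT
    fw -A INPUT -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT

    # 3. OUTPUT is DROP as well, so the proxy must be allowed to originate
    #    its own DNS lookups and the HTTP/HTTPS fetches it makes for clients.
    fw -A OUTPUT -p udp --dport 53 -j ACCEPT
    fw -A OUTPUT -p tcp --dport 53 -j ACCEPT
    fw -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

    # 5. NAT (assumed requirement): masquerade LAN hosts routed through this
    #    box, forwarding only LAN-originated flows and their replies.
    fw -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    fw -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Log what the policies drop, rate-limited, so a mistake shows up in
    # /var/log/messages instead of as a silent hang.
    fw -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
    fw -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
}

if [ -n "${FW_APPLY:-}" ]; then
    proxy_rules
fi
```

The numbering in the comments follows the five steps in "Proxy cutover"; the order in the script differs on purpose, since the guard rules have to precede the policy change. When loading this remotely for the first time, a cron job or `at` job that runs `iptables -F` a few minutes later is cheap insurance against having still got something wrong.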

The Doors - The Ghost Song

Awake Shake dreams from your hair, my pretty child, my sweet one Choose the day, and choose the sign of your day, The day's divinity, first thing you see. A vast radiant beach and cool jewelled moon Couples naked race down by its quiet side And we laugh like soft, mad children, Smugged in the woolly cotton brains of infancy. The music and voices with all around us. Choose, they croon, the ancient ones, the time has come again. Choose now, they croon, beneath the moon, beside an ancient lake. Enter again the sweet forest. Enter the hot dream, come with us. Everything is broken up and dances. Indian scattered on dawn's highway bleeding. Ghosts crowd the young child's fragile eggshelled mind. We have assembled inside this ancient and insane theatre To propagate our lust for life and flee the swarm of wisdom's restraints. The barns are stormed, the windows kept And only one of all the rest Can dance and save us from the divine mockery of words. Music inflames temperament. O...

Security concerns

Been informed of security incidents in the network, where files were deleted by users running on remote hosts. Discussed security measures for the network, involving a redesign of the logical structure, migration from the Windows NT domain to Active Directory, separating the web applications cluster from the rest of the LAN, and instituting stricter network policies. The Boss is concerned with the proliferation of Windows XP machines. Would have to assure him that with Active Directory, administering Windows XP is a lot easier than Windows 98.

More SSH scanning detected

Directly accessed opapa in the NOC, and found some more failed login attempts using the same M.O. Traced back the hosts with KR, CN and HU ccTLDs. Met with my predecessor, who briefed me on the SMS and web servers, and the other apps that are supposed to run on the servers.
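The failed-login triage described above, as an added example that is not part of the original post: three shell functions that tally `Failed password` lines from sshd's syslog output per source address, pick out the sources above a threshold, and list the account names a given source tried (the "M.O."). The sample log is constructed for the example in the format OpenSSH of that era wrote to `/var/log/secure`, using documentation-range addresses and the post's hostname; on a real host, pipe the log file in instead.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed sshd log lines;
# the addresses are documentation ranges, not the hosts the post traced.
SAMPLE_SECURE='Aug 10 02:13:44 opapa sshd[4011]: Failed password for illegal user test from 203.0.113.7 port 51234 ssh2
Aug 10 02:13:47 opapa sshd[4013]: Failed password for illegal user guest from 203.0.113.7 port 51240 ssh2
Aug 10 02:13:51 opapa sshd[4015]: Failed password for illegal user admin from 203.0.113.7 port 51246 ssh2
Aug 10 02:13:55 opapa sshd[4017]: Failed password for root from 203.0.113.7 port 51250 ssh2
Aug 10 02:14:02 opapa sshd[4019]: Failed password for illegal user test from 198.51.100.23 port 3344 ssh2
Aug 10 02:14:06 opapa sshd[4021]: Failed password for root from 198.51.100.23 port 3350 ssh2
Aug 10 02:30:10 opapa sshd[4100]: Failed password for jdoe from 192.168.0.15 port 1022 ssh2
Aug 10 02:30:18 opapa sshd[4100]: Accepted password for jdoe from 192.168.0.15 port 1022 ssh2
Aug 10 02:40:00 opapa sshd[4120]: Did not receive identification string from 203.0.113.7'

# Read sshd log lines on stdin; print "<failures> <ip>", most failures first.
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for ' \
    | sed 's/.* from \([0-9.]*\) port .*/\1/' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Sources with at least $1 failures: the candidates to trace and block.
scanners() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Account names tried from source $1, as "<user> <attempts>". Both the
# "illegal user" (older OpenSSH) and "invalid user" prefixes are stripped.
usernames_tried_by() {
    grep "sshd\[[0-9]*\]: Failed password for .* from $1 port " \
    | sed -e 's/illegal user //' -e 's/invalid user //' \
          -e 's/.*Failed password for \([^ ]*\) from .*/\1/' \
    | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Usage against the live log (threshold of 3 failures):
#   scanners 3 < /var/log/secure
#   usernames_tried_by 203.0.113.7 < /var/log/secure
```

A single failure followed by an `Accepted password` from the same address is a user mistyping, which is why the threshold sits above one; short dictionary runs against `root`, `test`, `guest` and `admin` from one address within seconds is the pattern worth feeding into the firewall.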