Checkpoint, Gaia, TACACS – two lines of config

If you have a Check Point firewall, you probably know about Gaia… and if you have more than one firewall admin, you probably want to individually authenticate them to the operating system (as opposed to an encrypted file of usernames & passwords which gets passed around the office).

 add rba role TACP-0 domain-type System all-features
 set aaa tacacs-servers authentication server 10.10.10.10 key mysecretkey

What you need to know about the above…

  • If a user can successfully authenticate via TACACS they become a super user; if you need different roles, read up on “role based administration”, TACP-15 and the enable_tacacs command.
  • The config has been tested on Cisco ACS 5.4; the default TACACS “default device administration” profile works with no changes.
  • This is TACACS authentication only; authorization is handled by the local RBA.

My affiliate experiment – the.NoFrillsShop.com

In June MoneySavingExpert (MSE) was sold for mega-bucks. What makes this interesting is that MSE is not a social network or “cool” start-up site; it’s a straightforward consumer information site where the cherry on top is a large user base in the form of a Community Forum.

What I’ve always wondered is, how does a free site support such a large user base? (Given the lack of obvious advertising.) I’ve had a quick poke about and have concluded that the site was funded by both deep pockets from Martin Lewis (probably funded by interviews, consultancy, etc.) and affiliates. A lot of the links point to “internal” redirection pages; with a large user base, tracking how many users exit the site for a particular deal could be a nice little cash earner.

So here I am working on my own little affiliate experiment, if I can “attract” some web traffic, perhaps a user base to “attract” some pocket money? … or maybe get rich quick :)

Using technology, i.e. some simple SEO, a bit of optimisation and luck, can I make an affiliate system work?


ipv6 ready

I’ve been testing the AAAA records for linickx.com, I’m surprised how easy it was!

The cloud servers over at Rackspace (where this is hosted) come IPv6 ready – i.e. with a native IPv6 address attached to the internet. I’m using CentOS 6 so your experience may vary :)

ifconfig showed the IP address in my network stack, a good start! The first thing to know is that there are two iptables config files, /etc/sysconfig/iptables & /etc/sysconfig/ip6tables; it should be obvious which is which! I’m not sure I agree with Red Hat’s decision to have two config files, but they are configured the same way, it is only the IPs that need to be different, therefore I can have the same statement in each to open up access to apache:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

By default --dport 22 (SSH) is open on a RHEL/CentOS box, therefore I recommend you change that as appropriate – yes you need to think about ACLs on IPv6 as well as IPv4!

Since there are two config files for iptables there are also two services, you will need to restart the service to load up a new config:

[nick@toad ~]$ sudo service ip6tables restart
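Since the two rule files are maintained separately they tend to drift apart. As an added check (not from the original post), this POSIX shell snippet lists the ports ACCEPTed in one file but not the other; the two sample rule files are constructed inline so it runs anywhere, on a real host point it at /etc/sysconfig/iptables and /etc/sysconfig/ip6tables instead.

```shell
#!/bin/sh
# Added check: report ports ACCEPTed in one of RHEL/CentOS's two rule files
# (/etc/sysconfig/iptables and /etc/sysconfig/ip6tables) but not the other,
# so an ACL opened for IPv4 is not silently missing (or extra) on IPv6.

# Print "proto/port" for every "-A INPUT ... -j ACCEPT" rule carrying a --dport.
accepted_ports() {
    grep -E '^-A INPUT .* -j ACCEPT' "$1" \
        | grep -F -e '--dport' \
        | sed -E 's#.*-p (tcp|udp).*--dport ([0-9:]+).*#\1/\2#' \
        | sort -u
}

# Print ports accepted in rules file $1 that have no matching rule in file $2.
ports_only_in() {
    other=$(accepted_ports "$2")
    accepted_ports "$1" | while IFS= read -r p; do
        printf '%s\n' "$other" | grep -qx -- "$p" || printf '%s\n' "$p"
    done
}

# Constructed sample rule files (not taken from a real host): IPv4 opens 22 and
# 80, IPv6 opens 80 and 443, so each family has one port the other lacks.
V4_RULES=$(mktemp); V6_RULES=$(mktemp)
cat > "$V4_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
cat > "$V6_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF

echo "Open on IPv4 only:"; ports_only_in "$V4_RULES" "$V6_RULES"   # tcp/22
echo "Open on IPv6 only:"; ports_only_in "$V6_RULES" "$V4_RULES"   # tcp/443
```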

The apache config file is /etc/httpd/conf/httpd.conf; by default there is a Listen 80 statement, and assuming you haven’t changed that, apache should already be listening on IPv6 port 80!

[nick@toad ~]$ sudo netstat -nap --inet6 | grep 80
tcp        0      0 :::80                       :::*                        LISTEN      6878/httpd          
[nick@toad ~]$

What happens when you hit your server now depends on your config. Check your VirtualHost statement: if it has an IPv4 address in it you want to remove it, so you have something like:

<VirtualHost *:80>
  ServerName localhost
  ServerAdmin root@localhost
  DocumentRoot /var/www/html
</VirtualHost>

If you use a NameVirtualHost *:80 then your ServerName statements will start working once you publish AAAA records.

To publish an AAAA record use whatever method you use for IPv4 A records, they’re the same thing :) … I used my rsdns util … kick off a test and watch your access log; all things being equal you should see IPv6 source addresses!

…OK, I have assumed you have an IPv6 source to test with; the quickest method is http://ipv6-test.com/validate.php, the more involved method is to set up a 6in4 tunnel with tunnelbroker.net.

If it all works you can get yourself a cool badge like this one!


OpenShift – PHP, APC & hotdeploy

If you are using APC caching on OpenShift you may have noticed that your cache gets binned each time you git push; the reason for this is that the push restarts your gear’s apache process. To keep the same process, and thus keep the cache, you can enable hot deployment.

$ touch .openshift/markers/hot_deploy
$ git add .openshift/markers/hot_deploy
$ git commit -m "enabling hot_deploy"

Now you can push as many times as you like without invalidating the cache… of course, if you now need to clear the cache or restart the process you have to do it manually with

$ rhc app restart -a myapp

HTH!

OpenShift – Backup and Restore

The free plan over at OpenShift only allows 3 “gears”, which is a bit of a problem if you have more than 3 apps to test… don’t sweat it tho: simply back up your gear, delete it and re-use the free slot for something else… if you need the gear back, as long as you re-create the app with the same name you can restore the snapshot.

To backup your application code, data, logs and configuration, you run:

$ rhc app snapshot save -a {appName}

To restore your application, you run:

$ rhc app snapshot restore -a {appName} -f {/path/to/snapshot/appName.tar.gz}

REF: KB-E1047

Enjoy!

sourcefire virtual sensor system requirements

I don’t know why, but the system requirements for Sourcefire‘s virtual sensor are buried in the wording of their datasheets… anyway, saved here for ease of reference :)

Sensor

VMware ESX/ESXi 4.1/5.0 or Xen 3.3.2/3.4.2
at least one CPU
min 1GB RAM

Defence Centre

VMware ESX/ESXi 4.1/5.0 or Xen 3.3.2/3.4.2
at least two CPUs
min 2GB RAM

…hum, I wonder if they’ll boot in VirtualBox? ;)

[UPDATE]
The sensor provisions 50GB of disk, and the manager 250GB; the OVF supports thin disk provisioning so you don’t need all that storage on day 1.