Category Archives: security

Astaro ASG as OpenVPN Access Server client

Just about four weeks ago I posted about the resurrection of the .ovpn to .apc converter script. In the meantime Alois told me in the comments that while this was nice it didn’t work for current versions of the OpenVPN Access Server and the .ovpn files it creates.

Well, since there’s been nothing much else to do I did some more work on the script and I can now happily say that it also converts the new .ovpn format to an .apc the Astaro can understand. Unfortunately, there’s a little catch: the OpenVPN Access Server relies on ‘tls-auth’ for client connections and the Astaro neither knows of that concept nor provides a method to import the needed key file. So I had to do some creative manipulation to make the Astaro do my bidding and include the necessary config statements. In addition, you will need to manually copy the key file to the Astaro to make everything work as expected. To make things as easy as possible, the script will tell you what to do.

If you’re interested, check out the latest version of ovpn-to-apc.sh on Gitorious. If it works for you, let me know. If it doesn’t, let me know, too.

.ovpn to .apc Converter Revisited

The Astaro Security Gateway (ASG) is a great firewall and remote access solution. Its only flaw is that Astaro, too, tries to build a walled garden around their suite of products. One major drawback here is that while the ASG has outstanding capabilities as a remote access server, there’s no easy way to use it as a client to connect to an OpenVPN SSL server. The main show stopper is that the ASG expects to get all its connection information from a .apc file, while OpenVPN at best provides a .ovpn file, which has a completely different structure.
Back in 2009 Patrick Schneider provided a simple bash script that would convert .ovpn files together with the needed certificates and key files into a .apc file the ASG could read. Unfortunately the script stopped working with newer ASG releases. Since I needed the functionality for a current project, I resurrected the code, polished and updated it a bit. The result can now be found on Gitorious: the new OVPN-to-APC converter script. Feel free to clone and enhance.

Update: Just pushed a new version to Gitorious that now handles the new .ovpn format provided by the OpenVPN Access Server as well.

World Peace

A customer just called, asking whether I knew her password.
I actually never remember passwords.
But weltfrieden I did indeed remember.

It would probably have gone the same way for me.

It comes by night and sucks the essence from your computers

Today, after some intensive initial beta testing by Jan-Piet I decided to release Bacula 3.0.2 for ReadyNAS NV/NV+/Duo/1100/X6.

For those of you who don’t know Bacula and what it does: The headline says it all. Or to quote the website:

Bacula is a set of Open Source, enterprise ready, computer programs that permit you to manage backup, recovery, and verification of computer data across a network of computers of different kinds. In technical terms, it is an Open Source, enterprise ready, network based backup program.

That said, you should know that it’s not a snap to configure, so be sure to read the documentation or at least have a look at the quick walk-through provided by Jan-Piet.


Move it, move it (a.k.a. “Screw it up the IBM way”)

I work with web sites for a living. I give them a place to live, I trash them when they’re no longer needed and I also move them. And believe me, moving a site is the trickiest of the jobs. But in all of my professional life, I’ve never ever seen a blunder like this (output shortened for brevity):

crow:~$ dig developer.lotus.com
; <<>> DiG 9.6.0-APPLE-P2 <<>> developer.lotus.com
;; QUESTION SECTION:
;developer.lotus.com.		IN	A

;; ANSWER SECTION:
developer.lotus.com.	127	IN	CNAME	192.147.106.27.
192.147.106.27.		0	IN	A	67.215.65.132

Really. Did they outsource the last thinking person in their networking department? Ok, maybe they fixed it and the change just hasn’t trickled down. So let’s try a different approach (again, shortened:)

Continue reading
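The dig output above shows the actual blunder: the CNAME target is an IP address literal with a trailing dot, which a resolver treats as a hostname and looks up again, so the name ends up at whatever answers for “192.147.106.27.” instead of the intended host. The following is an added example, not part of the original post: a small checker that parses a dig ANSWER SECTION (the sample is constructed from the records quoted above) and flags CNAME records whose target is really an address.

```python
import ipaddress
import re

# Sample dig ANSWER SECTION, constructed from the records quoted in the post.
SAMPLE_ANSWER = """\
developer.lotus.com.\t127\tIN\tCNAME\t192.147.106.27.
192.147.106.27.\t\t0\tIN\tA\t67.215.65.132
"""

# owner  ttl  IN  type  rdata  (one resource record per line, as dig prints it)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_answer(text):
    """Parse dig ANSWER SECTION lines into (owner, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig's ';'-prefixed comments
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner, int(ttl), rtype, rdata))
    return records


def looks_like_ip_literal(name):
    """True if a DNS name, with its trailing dot stripped, parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(name.rstrip("."))
        return True
    except ValueError:
        return False


def find_ip_literal_cnames(text):
    """Return (owner, target) for every CNAME whose target is an IP literal.

    A CNAME must point at a name, never an address; an address-shaped target is
    resolved as a hostname, so the owner name resolves to whatever unrelated A
    record answers for that bogus name (here 67.215.65.132).
    """
    return [
        (owner, rdata)
        for owner, _ttl, rtype, rdata in parse_answer(text)
        if rtype == "CNAME" and looks_like_ip_literal(rdata)
    ]
```

Running it over a real `dig` answer section (or a zone file dump with the same column layout) gives the same result: an empty list means no CNAME points at an address literal.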

Real Internet Gaming

An attack by a Chinese online game provider meant to cripple the servers of its rivals ballooned to cause an Internet outage in much of the country in May.

[ More » ]

PEAR broken in PHP 5.2.10

While trying to upgrade a customer’s installation to PHP 5.2.10 I learned the hard way that PEAR is broken in this release. This isn’t specific to any OS, as the bug reports show, but rather seems to be a general problem that slipped QA (who is laughing there?). All you’ll get is

"Cannot use a scalar value as an array in
phar://install-pear-nozlib.phar/PEAR/ChannelFile.php on line 1391"

when trying to install PEAR.
So, for the time being, better not upgrade to PHP 5.2.10 if you need to use PEAR.


Safari 4 Privacy Issues

As C. Harwick found out, Safari 4 leaves a messy trail of what it did. Or, to be more precise, of what you did while using Safari 4.

Those of you who’ve been trying out the new Safari 4 beta – at least on the Mac, though I imagine you could find similar data trails on the Windows version too – have no doubt been impressed at its shiny new features. But if you’re a stickler for disk space like I am, or a stickler for privacy (or, heaven help you, both), Safari’s poor housekeeping is quite alarming.


[ Full Story » ]

Astaro PostgreSQL Fix

For some months now my Astaro firewall was unable to start the PostgreSQL service on boot. Since this didn’t seem to have any real impact on function or performance, I started some feeble attempts at fixing it but never succeeded until today.

Continue reading

Nagios forged: Icinga proposes to do better

Now it happened to Nagios: users and parts of the original development team have forked the original code. The new project is named ICINGA (ugh, all caps), so: Icinga.
Now, why the fork? This is what the people behind it say:

Continue reading

Security: Why locking out users is a really bad idea

In his article over at NetworkWorld, Mich Kabay gives a nice example of how the theory of security in networked systems tends to clash with reality:

“Locking out an account after only a few failed attempts has a significant impact on legitimate users and tends to cause them to choose simpler passwords or store their passwords insecurely, thus weakening security.”

Even more details about why you just shouldn’t lock out users can be found in the whole article “Locking out users gives attackers a tool for denial of service”.
