OpenSSL Debacle

Categories: Linux, Security, Software

A lot of sites around the web are reporting on the “OpenSSL debacle” in Debian based Linux systems (CVE-2008-0166). A change committed “accidentally” to Debian's OpenSSL package about two years ago removed the seeding of the random number generator, leaving the process ID as the only source of entropy. Since there are at most 32768 process IDs, the number of possible keys per key type, key size and architecture is limited to about 32000, and this affects every key generated on an affected system, not only SSH keys but also SSL certificates and DSA keys. An attacker can simply pregenerate the whole list of possible keys and try them one by one, so a brute force attack against such a key is practically guaranteed to succeed.

When I read this about a week ago I reacted immediately and updated my system with:

aptitude update
aptitude dist-upgrade

The wiki page about the OpenSSL issue describes what has to be done for the various installed packages that use OpenSSL keys and certificates. Upgrading the packages only fixes the generator: every key that was created on the broken system still has to be regenerated, and the old public keys have to be removed from all the authorized_keys and known_hosts files they were ever copied to. The tool dowkd.pl allows you to check whether there are vulnerable keys on your system.

I use PuTTY a lot in combination with keys created by PuTTYgen. Those keys were generated on Windows with PuTTY's own random number generator, so they are of course not affected by this problem. The host keys of the Debian servers they connect to are a different matter and have to be regenerated like any other key made with the broken library.
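To show what a sweep for weak keys looks like in practice, here is an added example (my own script, not the post's and not dowkd.pl): it computes the MD5 fingerprint of every key in an authorized_keys or known_hosts file and compares it against a blacklist of known-weak fingerprints. The blacklist format (one colon-separated MD5 fingerprint per line) is an assumption for the example; the real Debian blacklists use their own formats, so adapt the comparison if you feed those in. The key blobs in the sample files are constructed (just base64 of "abc" and "a"), not real keys, so the fingerprints are the RFC 1321 MD5 test vectors.

```shell
#!/bin/sh
# Added example (not from the original post): find blacklisted SSH keys by
# MD5 fingerprint, the fingerprint ssh-keygen -l printed at the time.
# Assumed blacklist format: one "aa:bb:cc:..." MD5 fingerprint per line.

# fingerprint_of BASE64_BLOB -> MD5 fingerprint of the decoded key blob
fingerprint_of() {
    printf '%s' "$1" | base64 -d | md5sum | awk '{ print $1 }' | sed 's/../&:/g; s/:$//'
}

# check_keys_file KEYS_FILE BLACKLIST
# Works for authorized_keys ("ssh-rsa AAAA... comment") and known_hosts
# ("host,ip ssh-rsa AAAA...") lines: the blob is the field after the key type.
# Prints "WEAK <fingerprint> <line>" per hit; exit status 1 if anything was hit.
check_keys_file() {
    found=0
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        blob=''; prev=''
        for field in $line; do
            case "$prev" in ssh-rsa|ssh-dss) blob=$field; break ;; esac
            prev=$field
        done
        [ -n "$blob" ] || continue
        fp=$(fingerprint_of "$blob")
        if grep -qxF "$fp" "$2"; then
            echo "WEAK $fp $line"
            found=1
        fi
    done < "$1"
    return $found
}

# Constructed sample data: "YWJj" is base64("abc"), "YQ==" is base64("a");
# neither is a real key, they only make the fingerprint arithmetic visible.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' \
    '# constructed authorized_keys' \
    'ssh-rsa YWJj weak@example' \
    'ssh-rsa YQ== fine@example' > "$SAMPLE_DIR/authorized_keys"
printf '%s\n' 'host.example,192.0.2.10 ssh-rsa YWJj' > "$SAMPLE_DIR/known_hosts"
printf '%s\n' 'ssh-dss YQ== fine@example' > "$SAMPLE_DIR/clean"
# blacklist holds MD5("abc"), i.e. the fingerprint of the "weak" blob above
printf '%s\n' '90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72' > "$SAMPLE_DIR/blacklist"

for f in authorized_keys known_hosts clean; do
    if check_keys_file "$SAMPLE_DIR/$f" "$SAMPLE_DIR/blacklist"; then
        echo "$f: no blacklisted keys"
    else
        echo "$f: regenerate the flagged keys and remove them from every authorized_keys and known_hosts"
    fi
done
```

Run it against the real files (~/.ssh/authorized_keys, ~/.ssh/known_hosts, /etc/ssh/ssh_host_*_key.pub) with a real blacklist; a hit in known_hosts means the remote host key is weak and the server, not just the client, has to be fixed.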

Mail size restrictions in postfix

Categories: Linux, Security

As I wrote in my post about my mail server configuration, I am using postfix as MTA for my emails. This week a friend had problems sending me an email containing some attachments. He got the following error message from my server:

SMTP error from remote mail server after MAIL FROM:<anyone@anywhere.com>
SIZE=16282613:
host example.net [87.230.24.156]: 552 5.3.4 Message size exceeds fixed limit

I was a bit confused because I had not set any limit. After checking the postfix manual and running the following commands

postconf -d (showing the default settings)
postconf -n (showing explicitly configured settings)

I found out that the default maximum message size is configured like

message_size_limit = 10240000

which is 10,240,000 bytes, just under 10 MB; the SIZE declared in the error above, 16,282,613 bytes, is well over that. I ran the following command to raise the limit:

postconf -e "message_size_limit = 102400000"

Now I am able to receive mails of up to about 100 MB (postconf -e writes to main.cf, so a postfix reload is needed before the new value takes effect). Postfix requires the mailbox limits to be at least as large as the message size limit, so I additionally raised the maximum mailbox size with the following commands:

postconf -e "mailbox_size_limit = 512000000"
postconf -e "virtual_mailbox_limit = 512000000"
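A check worth running after touching these values, as an added example (my own script, not part of the post): it reads "name = value" lines as printed by postconf -n, fills in the Postfix defaults (10240000 for message_size_limit, 51200000 for mailbox_size_limit and virtual_mailbox_limit, which are assumptions about the defaults of the version in use) for anything not set, reports the largest attachment that still fits once base64 has inflated it by 4/3, and flags a mailbox limit that is smaller than the message limit. The three sample configurations are constructed: stock defaults, only message_size_limit raised, and the full set of values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check Postfix size limits.
# Postfix defaults assumed: message_size_limit=10240000,
# mailbox_size_limit=51200000, virtual_mailbox_limit=51200000; 0 means no limit.

# effective_limit FILE NAME DEFAULT -> value of NAME in FILE, or DEFAULT if unset
effective_limit() {
    awk -F' *= *' -v name="$2" -v def="$3" '
        $1 == name { val = $2; set = 1 }
        END { print (set ? val : def) }' "$1"
}

# message_fits FILE SIZE -> exit 0 if a message of SIZE bytes passes message_size_limit
message_fits() {
    limit=$(effective_limit "$1" message_size_limit 10240000)
    [ "$limit" -eq 0 ] || [ "$2" -le "$limit" ]
}

# lint_postfix_limits FILE -> prints the effective limits, exit 1 on an inconsistency
lint_postfix_limits() {
    msg=$(effective_limit "$1" message_size_limit 10240000)
    box=$(effective_limit "$1" mailbox_size_limit 51200000)
    vbox=$(effective_limit "$1" virtual_mailbox_limit 51200000)
    rc=0
    if [ "$msg" -eq 0 ]; then
        echo "message_size_limit=0 (no limit)"
    else
        # base64 turns 3 bytes into 4, so an attachment must stay under 3/4 of the limit
        echo "message_size_limit=$msg (largest base64 attachment about $((msg * 3 / 4)) bytes)"
    fi
    for pair in "mailbox_size_limit=$box" "virtual_mailbox_limit=$vbox"; do
        val=${pair#*=}
        # a finite mailbox limit below the message limit (or below an unlimited one)
        # is a configuration error for the local delivery agent
        if [ "$val" -ne 0 ] && { [ "$msg" -eq 0 ] || [ "$val" -lt "$msg" ]; }; then
            echo "PROBLEM: $pair is smaller than message_size_limit=$msg"
            rc=1
        fi
    done
    [ $rc -eq 0 ] && echo "OK: mailbox limits cover the message limit"
    return $rc
}

# Constructed sample configurations
SAMPLE_DIR=$(mktemp -d)
: > "$SAMPLE_DIR/defaults.cf"                                   # nothing set: stock defaults
printf '%s\n' 'message_size_limit = 102400000' > "$SAMPLE_DIR/halfway.cf"   # only the message limit raised
printf '%s\n' 'message_size_limit = 102400000' \
              'mailbox_size_limit = 512000000' \
              'virtual_mailbox_limit = 512000000' > "$SAMPLE_DIR/fixed.cf"  # the values from the post

for f in defaults halfway fixed; do
    echo "== $f.cf"
    lint_postfix_limits "$SAMPLE_DIR/$f.cf"
    if message_fits "$SAMPLE_DIR/$f.cf" 16282613; then
        echo "   16282613-byte message: accepted"
    else
        echo "   16282613-byte message: 552 Message size exceeds fixed limit"
    fi
done
```

The "halfway" case is the trap: raising message_size_limit above the default mailbox_size_limit without touching the mailbox limit leaves local delivery with an inconsistent configuration, which is exactly why the post sets all three values. Feed the real configuration with `postconf -n > /tmp/main.txt; lint_postfix_limits /tmp/main.txt`.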

Detailed access control for subversion repositories

Categories: Linux, Security

Some months ago I wrote this post about Setting up subversion on Debian etch. I mentioned that you could use the AuthzSVNAccessFile directive to add more detailed access control for your subversion repositories. At that time I did not need it and did not look into the detailed documentation. Today I needed to set up another repository for a new user group, so I wanted to define which users have access to which repository.

The whole process was simpler than I thought it would be. I just had to add the following line (the directive is provided by the authz_svn Apache module) to the Location block in the Apache virtual host that points to my repositories:

AuthzSVNAccessFile /path/to/access/file

Then I created the file the directive points to. There I added entries like

[main:/]
tom = rw

[other:/]
tom = rw
frank = rw

With these entries I defined which users have access to the two repositories main and other. A user who matches no rule in a repository's section gets no access at all, so everything not listed is denied by default. It is as easy as this. The subversion packages in Debian etch already enable the authz_svn module for Apache by default. Note that the file only governs access through Apache; svnserve has its own authz-db setting in svnserve.conf. For more details see the svn documentation.
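Once there are more than two users, groups and per-path rules keep the file manageable. The following is an added example (my own file, not the one from the post): the repository names main and other come from the post, tom and frank are the users mentioned there, and the group names, the user alice and the releases subtree are made up for the illustration.

```ini
[groups]
# membership is defined once; the sections below refer to @group names
devs = frank, alice
admins = tom

# repository "main": only admins, read-write
[main:/]
@admins = rw

# repository "other": developers and admins may write anywhere ...
[other:/]
@admins = rw
@devs = rw

# ... except below /releases, where the most specific matching path wins and
# developers drop to read-only. Admins are not mentioned here, so for them the
# rule of the nearest parent path ([other:/], rw) still applies.
[other:/releases]
@devs = r

# nobody else appears in any rule, so every other authenticated user is denied
```

Each user belongs to only one group on purpose: keeping a user out of two groups that carry different rights for the same path avoids having to reason about how overlapping rules combine. Restart or reload Apache after changing the Location block; changes to the access file itself are picked up on the next request.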

Mail server setup for Debian etch

Categories: Linux, Security, Software, Web

I have been running my own mail server for over five years now. There are a lot of good free email services out there, but I am not satisfied with their spam filters. I am getting about 300 spam mails a day, and with my current solution only one of them makes it into my inbox per month.

The second reason is that I do not want to delete or archive my mails too often, and I want to have access to them anywhere at any time. Therefore I need an IMAP server with a lot of storage. Most free mail services provide this nowadays but did not five years ago. I thought about using Gmail lately, but I am not completely happy with storing all my mails on Google servers.

First I used an old PC that ran in my home office day and night. My home internet connection always had enough upload bandwidth to allow that. It was not a dedicated mail server for my domain: I used fetchmail to collect my emails from multiple POP3 servers.

About six months ago I configured a VPS machine to act as the dedicated mail server for my domains. I host multiple mail accounts for my family and friends on it. This post explains what I did to configure my perfect personal mail server.

Get rid of useless Windows restrictions

Categories: Security, Tools

Sometimes you have to get work done on a Windows PC where you do not have administrator privileges. This can be quite frustrating if you are a power user and are used to your shortcuts and tools. Here are some tips to get rid of useless limitations some system administrators may have configured on your workstation.

To adapt the system to your needs you have to use two tools:

  1. The group policy editor. To open it run gpedit.msc from the command line.

  2. The Registry editor which may be started by executing regedit from the command line. If you get the message that you are not allowed to change registry keys you first have to use the Group Policy editor to set the value of "Prevent access to registry editing tools" under User Configuration -> Administrative Templates -> System to Disabled.

Most of the following changes can be done by using the Group Policy editor or the registry editor, choose your preferred method.

  • No “Run…” entry in your start menu - I do not ask myself why this should be disabled, but all you have to do is open the registry and go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. There change the value of NoRun to 0. In the group policy editor you have to set "Remove Run menu from Start Menu" under User Configuration -> Administrative Templates -> Start Menu and Taskbar to Disabled.

  • One of my favorite keyboard shortcuts is Windows-Key + E to launch the Windows Explorer. I found out that it does not work if the Control Panel is not shown in the Start Menu. To enable the shortcut go to User Configuration -> Administrative Templates -> Control Panel in the Group Policy editor and disable “Prohibit access to the Control Panel”.

  • To be able to configure Internet Explorer when you need it for testing web applications, you can enable the Internet Options dialog under User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel.

KeePass for BlackBerry (finally)

Categories: Blackberry, Mobile, Security

Today a version of KeePass was released that works on BlackBerry devices. KeePass is a free, open source password manager. It comes with a desktop client and (that's the best part) can be synchronized with the BlackBerry.

I am currently using MiniSafe Desktop, which I purchased two years ago for 29 USD from Handango. I am satisfied with it, but I will give KeePass a try because it looks like it has all the features of MiniSafe Desktop and comes for free. Besides, I had to reactivate MiniSafe every time I switched my BlackBerry (three times in two years), and it took three days each time to get a new key.

Wordpress upgrade

Categories: Security, Web

Today I upgraded WordPress, the system I use to host this blog. The current version is 2.3; the upgrade was nice and smooth, just as described. Nothing more to say than: I am happy to have some security issues fixed.

Finally WLAN bridge with WPA

Categories: Linux, Security

Ten days ago I installed my new Linksys WRT54G router and set up a wireless bridge for my home network. I had some problems getting everything to work the way I wanted it to - see my post.

Today I took another attempt and was successful. Now I have a secure wireless connection in bridge mode. I wanted WPA because it is much more secure than WEP, and in bridge mode it is easier to reach all my devices. Here is my configuration (OpenWrt nvram variables on the WRT54G):

nvram set wl0_mode=wet              # wet = wireless ethernet bridge (client bridge) mode
nvram set lan_ifnames="vlan0 eth1"  # LAN bridge: the switch ports plus the wireless interface
nvram set wan_ifname=vlan1
nvram set lan_gateway=192.168.1.254 # (nvram set prefix added; the bare assignments would only set shell variables)
nvram set lan_dns=112.23.54.5

ifdown wan
nvram set wl0_ssid=MYSSID           # SSID of the access point to bridge to
nvram set wl0_channel=7
nvram set wl0_akm=psk               # WPA with a pre-shared key
nvram set wl0_crypto=aes            # AES (CCMP) rather than TKIP
nvram set wl0_wpa_psk=WPAKEY        # the passphrase; WPAKEY is a placeholder
nvram set wl0_auth=0                # open system authentication (the WPA handshake follows; 1 would be WEP shared key)
ifup wan; /sbin/wifi

nvram commit                        # persist the settings across reboots

For more information about the parameters see the OpenWRT wiki.

Securing mysql installations

Categories: Security

While installing the MySQL database for my blog I found out that securing a MySQL installation has become much easier. I remember setting the password for root and removing the anonymous login manually, but now there is a script that does this: just call mysql_secure_installation and answer some questions. It sets the root password, removes the anonymous accounts, disables remote root login, drops the test database and reloads the privilege tables.

See MySQL documentation for more.

Bugzilla insecure dependency problem

Categories: Security, Web

Lately I experienced problems with some bugzilla installations. For example, when users tried to retrieve their password they got the error message

Insecure dependency in exec while running with -T switch at
/usr/lib/perl5/site_perl/5.8.3/Mail/Mailer/sendmail.pm line 17.

The message comes from Perl's taint mode: Bugzilla runs with the -T switch, and Perl refuses to pass data derived from untrusted input to exec unless it has been explicitly untainted. It seems that in this case the problem has to do with conversion between the different encodings used in the localized templates (German, Spanish, ...), as this bug entry describes. There are patches and workarounds listed in the comments of that bug entry which resolve the problem.
