ISSC System Administraiton - Team LISA 2013-02-05T17:36:56Z tag:mblog.lib.umich.edu,2013:/lisa/9791 Movable Type Copyright (c) 2013, cdgrieb Changing Java keystore passwords... 2013-02-05T17:36:56Z 2013-02-05T17:32:24Z tag:mblog.lib.umich.edu,2013:/lisa/9791.66047 2013-02-05T17:32:24Z Sometimes you need to update a KeyStore password - use the following method to complete the process. First, locate the keystore that you need to modify: [root@swift cdgrieb]# ls /usr/share/certs/certs/pact.hf.mcarepartners.org.p12 /usr/share/certs/certs/pact.hf.mcarepartners.org.p12 Next, issue the password update command: [root@swift cdgrieb]# keytool... cdgrieb web page cdgrieb@umich.edu Web Sometimes you need to update a KeyStore password - use the following method to complete the process.

First, locate the keystore that you need to modify:
[root@swift cdgrieb]# ls /usr/share/certs/certs/pact.hf.mcarepartners.org.p12
/usr/share/certs/certs/pact.hf.mcarepartners.org.p12

Next, issue the password update command:
[root@swift cdgrieb]# keytool -storepasswd -keystore /usr/share/certs/certs/pact.hf.mcarepartners.org.p12 -storetype pkcs12
Enter keystore password:
New keystore password:
Re-enter new keystore password:

Note: remember to specific the keystore type (wit the -storetype pkcs12 switch), unless you're using the standard format. Otherwise, it'll fail.

]]> Enumerate protocols and ciphers for Tomcat 2013-01-24T19:49:38Z 2013-01-24T18:19:45Z tag:mblog.lib.umich.edu,2013:/lisa/9791.65973 2013-01-24T18:19:45Z By default, Tomcat instances configured for SSL will accept pretty much any secured cipher, which, obvously, this not always optimal. Use the following method to insure AES 128 or AES 256. First, insure that a protocol is specified within the... cdgrieb web page cdgrieb@umich.edu Web By default, Tomcat instances configured for SSL will accept pretty much any secured cipher, which, obvously, this not always optimal. Use the following method to insure AES 128 or AES 256.

First, insure that a protocol is specified within the connector block, for example:
sslProtocol="TLS"

Next, add your cipher specifications:
ciphers="TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA"

Finally, restart Tomcat. You should have enforced AES 128/256.

]]> Agent based system monitoring vs external monitoring... 2013-01-08T14:05:35Z 2013-01-08T13:32:35Z tag:mblog.lib.umich.edu,2013:/lisa/9791.65870 2013-01-08T13:32:35Z Some of the drawbacks associated with external monitoring (basically, pointing a monitor at a server and attempting to extract data) are lack of monitor consolidation and inability to pull detailed system information. Agent-based monitoring solves the above listed issues by... cdgrieb web page cdgrieb@umich.edu Administration Some of the drawbacks associated with external monitoring (basically, pointing a monitor at a server and attempting to extract data) are lack of monitor consolidation and inability to pull detailed system information. Agent-based monitoring solves the above listed issues by relying on an internal system agent that retains the ability to pull detailed system data. A few agent based monitoring systems including Monitor.us and Nagios.

]]> System Administration - monitoring and Manage Engine... 2013-01-08T13:31:31Z 2013-01-08T13:16:37Z tag:mblog.lib.umich.edu,2013:/lisa/9791.65869 2013-01-08T13:16:37Z There are a lot of really nice components associated with Appmanager, including highly detailed SNMP monitoring, web traffic analysis, and extensive notification options. However, the service is still managed locally, and is susceptible data center availability. As a result, the... cdgrieb web page cdgrieb@umich.edu Administration There are a lot of really nice components associated with Appmanager, including highly detailed SNMP monitoring, web traffic analysis, and extensive notification options. However, the service is still managed locally, and is susceptible data center availability. As a result, the SA team is exploring the possibility of cloud based, agent monitoring options such as Monitor.us.

]]> iptables: redirecting ports 2012-12-11T18:29:26Z 2012-12-11T17:08:45Z tag:mblog.lib.umich.edu,2012:/lisa/9791.65762 2012-12-11T17:08:45Z Generally, the preferred method to redirect in-bound traffic on port 80 to port 8080 is to utilize NAT/firewall rules (iptables, specifically). Use the following method to complete the process... IPTABLES=`which iptables` $IPTABLES --flush $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT... cdgrieb web page cdgrieb@umich.edu Linux Generally, the preferred method to redirect in-bound traffic on port 80 to port 8080 is to utilize NAT/firewall rules (iptables, specifically). Use the following method to complete the process...

IPTABLES=`which iptables`
$IPTABLES --flush
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept everything from the local interface
$IPTABLES -A INPUT -i lo -j ACCEPT

# Accept traffic on port 80
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
# Accept traffic on port 8080
$IPTABLES -A INPUT -p tcp --dport 8080 -j ACCEPT
# Accept ssh traffice
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

# Local redirect
$IPTABLES -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080
# Actual 80 to 8080 redirect
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

# Save the configuration
IPTABLES_SAVE=`which iptables-save`
if [ -d "/etc/sysconfig" ]
then
$IPTABLES_SAVE > /etc/sysconfig/iptables
fi

]]> iptables: method to simply block Ping requests... 2012-09-07T14:46:11Z 2012-09-07T14:31:31Z tag:mblog.lib.umich.edu,2012:/lisa/9791.65001 2012-09-07T14:31:31Z Sometimes a system administrator would simply like to block out all incoming ping requests - issue the following command in order to adjust iptables for this functionality: /sbin/iptables -I INPUT -j DROP -p icmp --icmp-type echo-request (this reads drop all... cdgrieb web page cdgrieb@umich.edu Linux Sometimes a system administrator would simply like to block out all incoming ping requests - issue the following command in order to adjust iptables for this functionality:

/sbin/iptables -I INPUT -j DROP -p icmp --icmp-type echo-request

(this reads drop all input of protocol type icmp, specifically echo-request).

Then to drop the rule, simply obtain the index number of the iptables rule:


/sbin/iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP icmp -- anywhere anywhere icmp echo-request

(the block ICMP request in number 1)

Drop the entry:

/sbin/iptables -D INPUT 1

]]> Apache - multiple virtual hosts on *80 2012-08-08T15:04:13Z 2012-08-08T14:59:36Z tag:mblog.lib.umich.edu,2012:/lisa/9791.64911 2012-08-08T14:59:36Z When you have multiple virtual hosts on port *80, you need to specific a virtual host name, for example, at the very top of your virtual host configuration file, add an entry that states: NameVirtualHost *:80 Otherwise, you'll receive the... cdgrieb web page cdgrieb@umich.edu Web When you have multiple virtual hosts on port *80, you need to specific a virtual host name, for example, at the very top of your virtual host configuration file, add an entry that states:
NameVirtualHost *:80

Otherwise, you'll receive the following warning:
"[warn] _default_ VirtualHost overlap on port 80, the first has precedence"

]]> SA Lisa morning meetings - 07-13-2012 2012-07-13T21:28:25Z 2012-07-13T21:25:15Z tag:mblog.lib.umich.edu,2012:/lisa/9791.64834 2012-07-13T21:25:15Z Meeting notes from the weekly Lisa group meeting are listed in the link below: https://wiki.umms.med.umich.edu/x/WgSTBw Highlights include: - Finalizing personal goals - Training - VM checklists for Linux... cdgrieb web page cdgrieb@umich.edu Administration Meeting notes from the weekly Lisa group meeting are listed in the link below:
https://wiki.umms.med.umich.edu/x/WgSTBw

Highlights include:
- Finalizing personal goals
- Training
- VM checklists for Linux

]]> Setting the default umask for web-content... 2012-07-13T15:22:49Z 2012-07-13T15:14:23Z tag:mblog.lib.umich.edu,2012:/lisa/9791.64833 2012-07-13T15:14:23Z One of the issues we've had with multiple users managing web-content and directory permissions is related to properly setting umask, specifically modifying the default RHEL6 umask value of 022 (022 only allows for group reading) - this causes significant problems... cdgrieb web page cdgrieb@umich.edu Linux One of the issues we've had with multiple users managing web-content and directory permissions is related to properly setting umask, specifically modifying the default RHEL6 umask value of 022 (022 only allows for group reading) - this causes significant problems when multiple individuals are managing content. We've side-stepped this problem by simply setting default umask values within the various login shell profiles, for example:

[root@winterberry /home]# vim /home/cdgrieb/.cshrc
umask 002

(for bash)
[root@winterberry /home]# vim /home/cdgrieb/.bash_profile
umask 002

A default value of 002 allows for owner/group reading/writing, which makes managing multiple web-based users significantly easier to deal with.

]]> SA Lisa Team communications standards *UPDATED* 2012-07-11T21:24:37Z 2012-07-11T21:23:06Z tag:mblog.lib.umich.edu,2012:/lisa/9791.64826 2012-07-11T21:23:06Z We've updated the SA Lisa Team communication standards document, which can be located here: https://wiki.umms.med.umich.edu/x/xJiABw... cdgrieb web page cdgrieb@umich.edu Administration We've updated the SA Lisa Team communication standards document, which can be located here: https://wiki.umms.med.umich.edu/x/xJiABw

]]> SA Lisa - VM deployment checklist Linux 2012-07-11T02:37:57Z 2012-07-10T21:35:05Z tag:mblog.lib.umich.edu,2012:/lisa/9791.64825 2012-07-10T21:35:05Z We started the process of creating our VM deployment check-list, including insurance of documentation creation, RHN registering, and account management, with the eventual goal of automating the entire process. More information soon! Link:https://wiki.umms.med.umich.edu/x/EReTBw... cdgrieb web page cdgrieb@umich.edu Linux We started the process of creating our VM deployment check-list, including insurance of documentation creation, RHN registering, and account management, with the eventual goal of automating the entire process. More information soon!

Link:https://wiki.umms.med.umich.edu/x/EReTBw

]]> Virtual CORE stand alone image 2012-06-27T14:14:57Z 2012-06-27T14:05:20Z tag:mblog.lib.umich.edu,2012:/lisa/9791.64778 2012-06-27T14:05:20Z I've created a stand alone virtual CORE image that can be used in VM Fusion. All the details can be found here on this confluence page, https://wiki.umms.med.umich.edu/x/8wuTBw... jlwalsh web page jlwalsh@umich.edu Windows I've created a stand alone virtual CORE image that can be used in VM Fusion. All the details can be found here on this confluence page, https://wiki.umms.med.umich.edu/x/8wuTBw

]]> Apache - disabling HTTP TRACE / TRACK 2012-06-25T16:54:14Z 2012-06-25T16:52:05Z tag:mblog.lib.umich.edu,2012:/lisa/9791.64771 2012-06-25T16:52:05Z In order to resolve trace / track security issued related to Apache, simply append the following Rewrite rule to the Apache configuration file: RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] and restart the server. Done.... cdgrieb web page cdgrieb@umich.edu Web In order to resolve trace / track security issued related to Apache, simply append the following Rewrite rule to the Apache configuration file:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

and restart the server. Done.

]]> Managing WordPress blogs 2012-06-22T21:09:09Z 2012-06-22T20:46:26Z tag:mblog.lib.umich.edu,2012:/lisa/9791.64759 2012-06-22T20:46:26Z Currently, ISSC hosts a number of WordPress-based blogs for various organizations, including EVPMA, MICHR, etc. One of the numerous issues we've encountered with hosting these blogs including managing plugins, themes, access, and blog migrations. In order to resolve this issue,... cdgrieb web page cdgrieb@umich.edu Web Currently, ISSC hosts a number of WordPress-based blogs for various organizations, including EVPMA, MICHR, etc. One of the numerous issues we've encountered with hosting these blogs including managing plugins, themes, access, and blog migrations. In order to resolve this issue, we've started looking into various blog management tools, including RHN, in-house development tools (scripts, etc), and cloud-based utilities. One example of a WordPress tool we've looked into is https://managewp.com - currently, we have a dedicated system administrator researching functionality, etc. More information soon!

]]> SA Lisa Team Goals interation 2 2012-06-22T20:20:53Z 2012-06-22T20:13:13Z tag:mblog.lib.umich.edu,2012:/lisa/9791.64758 2012-06-22T20:13:13Z We've started the second phase of the Lisa team goals, which include the following ideas/concepts: - Internal presentations - Assistance with other ISSC groups - Continued training We'll have updates when other Lisa members have contributed to the effort. In... cdgrieb web page cdgrieb@umich.edu Administration We've started the second phase of the Lisa team goals, which include the following ideas/concepts:
- Internal presentations
- Assistance with other ISSC groups
- Continued training
We'll have updates when other Lisa members have contributed to the effort. In the meantime, feel free to have a look at our existing page that lists our goals: https://wiki.umms.med.umich.edu/x/sJCABw

]]>