as of 2012-02-02
The Webalizer is an HTTP server log analyzer that generates HTML statistics, with graphs, about websites and their visitors. One of its many features is logging of search engine query (keyword) referrals. Each search engine uses a URL parameter that carries the search query the visitor typed before being directed to a resource on your web server, and Webalizer uses those keywords to generate one of the several reports it produces.
This article contains a current list of search engines and their query parameters for Webalizer's SearchEngine directive. Feel free to add or modify a search engine (SearchEngine line) for Webalizer's search query parsing in the comments.
SearchEngine aolsearch. q=
SearchEngine ask.com q=
SearchEngine bingj. q=
SearchEngine bing. q=
SearchEngine facebook. q=
SearchEngine google. q=
SearchEngine image.youdao.com q=
SearchEngine kvasir.no q=
SearchEngine m.yahoo. p=
SearchEngine search.alot. q=
SearchEngine search.aol. q=
SearchEngine search.aol. query=
SearchEngine search.comcast.net q=
SearchEngine search.conduit. q=
SearchEngine search.lycos. query=
SearchEngine search.pro q=
SearchEngine search.yahoo. p=
SearchEngine webcache.googleusercontent.com q=
SearchEngine altavista.com q=
SearchEngine eureka.com q=
SearchEngine hotbot.com MT=
SearchEngine msn.com MT=
SearchEngine infoseek.com qt=
SearchEngine webcrawler searchText=
SearchEngine excite search=
SearchEngine netscape.com search=
SearchEngine mamma.com query=
SearchEngine alltheweb.com query=
SearchEngine northernlight.com qr=
SearchEngine sensis.com.au find=
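As an added example (my own Python, not part of the original article and not Webalizer's own C code), the following reproduces the matching that the SearchEngine lines above drive: it reads lines in that syntax, pulls the referrer out of combined-format log lines, and tallies the search phrases the way a search-strings report would. The config subset, the log lines and the hostnames in them are constructed for the example. One deliberate difference from a plain substring search: the parameter is matched as a parsed query-string key, so a `q=` entry cannot fire on an unrelated `freq=` parameter.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed subset of the SearchEngine lines listed above, in Webalizer's
# "SearchEngine <host fragment> <parameter>=" syntax. File order is match order.
SEARCH_ENGINE_CONFIG = """\
SearchEngine google. q=
SearchEngine search.yahoo. p=
SearchEngine search.aol. q=
SearchEngine search.aol. query=
SearchEngine hotbot.com MT=
SearchEngine webcrawler searchText=
"""

# Constructed Apache combined-format log lines (hypothetical addresses and paths).
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [28/Jan/2012:10:01:02 -0500] "GET /postfix-tls HTTP/1.1" 200 5120 '
    '"http://www.google.com/search?hl=en&q=freebsd+postfix+tls&ie=UTF-8" "Mozilla/5.0"',
    '203.0.113.8 - - [28/Jan/2012:10:02:10 -0500] "GET /webalizer HTTP/1.1" 200 2048 '
    '"http://search.aol.com/aol/search?query=webalizer+config" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Jan/2012:10:03:44 -0500] "GET /sandalwood HTTP/1.1" 200 1024 '
    '"http://www.hotbot.com/?MT=sandalwood%20oil" "Mozilla/5.0"',
    '203.0.113.10 - - [28/Jan/2012:10:04:00 -0500] "GET /postfix-tls HTTP/1.1" 200 5120 '
    '"http://www.google.com/search?q=freebsd+postfix+tls" "Mozilla/5.0"',
    '203.0.113.11 - - [28/Jan/2012:10:05:31 -0500] "GET / HTTP/1.1" 200 512 '
    '"http://example.com/links?q=not+a+search+engine" "Mozilla/5.0"',
    '203.0.113.12 - - [28/Jan/2012:10:06:07 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Tail of a combined-format line: status, bytes, "referrer", "user agent".
COMBINED_TAIL = re.compile(r' (\d{3}) (\S+) "([^"]*)" "([^"]*)"\s*$')


def parse_search_engines(config_text):
    """Return [(host_fragment, parameter), ...] from SearchEngine lines, in file order."""
    engines = []
    for raw in config_text.splitlines():
        fields = raw.split()
        if len(fields) == 3 and fields[0] == "SearchEngine":
            engines.append((fields[1].lower(), fields[2].rstrip("=")))
    return engines


def referrer_from_combined_log(line):
    """Return the referrer field of a combined-format line, or None for '-' or unparsable lines."""
    m = COMBINED_TAIL.search(line)
    if not m or m.group(3) == "-":
        return None
    return m.group(3)


def extract_search_terms(referrer, engines):
    """Return the search phrase carried by a referrer URL, or None if no entry matches.

    An entry matches when its host fragment occurs in the referrer's hostname and its
    parameter is present as a query-string key. The first matching entry wins, which is
    why search.aol. has both a q= and a query= line above.
    """
    parts = urlsplit(referrer)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    for host_fragment, param in engines:
        if host_fragment in host and param in query:
            phrase = " ".join(query[param][0].split())  # collapse stray whitespace
            return phrase.lower() or None
    return None


def keyword_report(log_lines, engines):
    """Count search phrases across log lines, like a 'search strings' report."""
    counts = Counter()
    for line in log_lines:
        referrer = referrer_from_combined_log(line)
        if referrer is None:
            continue
        phrase = extract_search_terms(referrer, engines)
        if phrase:
            counts[phrase] += 1
    return dict(counts)


if __name__ == "__main__":
    engines = parse_search_engines(SEARCH_ENGINE_CONFIG)
    report = keyword_report(SAMPLE_LOG_LINES, engines)
    for phrase, hits in sorted(report.items(), key=lambda kv: -kv[1]):
        print(f"{hits:4d}  {phrase}")
```

The example.com line in the sample carries a `q=` parameter but no matching host fragment, so it is correctly left out of the report; the line with a `-` referrer is skipped before any matching is attempted.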
edited 2012-01-28 11:30:43
I have a home mail server running Linux and Postfix that is the primary mail exchange (MX) for its domain. In addition to the primary MTA, I have a secondary relay mail server on a static address, running FreeBSD and Postfix, in case my home connection goes down. I was looking for a way for my secondary MTA (mail transport agent) to relay e-mail to my legitimate dynamic IP address after my home mail server had been down, by verifying that the host at my dynamic domain name's IP address with an open port 25 was truly its relay destination.
I accomplished simple MTA-to-MTA verification using Postfix, which is installed on both servers, and the fingerprint of my home server's TLS certificate. When my backup mail exchange server receives mail, it relays it to my dynamic home server once that server becomes available, but the mail is only delivered if the MD5 fingerprint of my home server's TLS certificate matches. If the expected MD5 fingerprint does not match, delivery is deferred, the mail is re-queued, and the attempt repeats indefinitely until it is safe to deliver.
The first step is to take the MD5 fingerprint of your home (dynamic) Postfix server's TLS PEM file, the one named in the Postfix main.cf configuration file by smtpd_tls_cert_file=/path/to/ssl-cert.pem, using the openssl command:
openssl x509 -noout -in /path/to/ssl-cert.pem -fingerprint -md5
Let's assume the MD5 fingerprint output is d5:68:da:c4:cd:ee:0d:ba:3a:bc:dd:b6:7b:67:51:88 and our dynamic domain name is domain.not. Let's also assume the home mail server is set up and ready to receive e-mail for this domain and your users.
On your secondary and static backup MX server, make sure that domain.not is defined in the following parameters:
The configuration file relay_recipient_maps.cf contains a table of your recipients and may look like the following:
first.last@domain.not first.last@domain.not
Make sure to execute postmap /etc/postfix/relay_recipient_maps.cf (replace /etc/postfix with your configuration directory).
Your transport_maps table may look something like the following:
domain.not smtp:[domain.not]
If your ISP blocks port 25, you may use the following for port 26, or any upper number port that is open and available:
domain.not smtp:[domain.not]:26
Now that we have the MD5 fingerprint of our home server, and the static backup server knows what e-mail to accept and where to deliver it when the home server is up, we can tell Postfix to deliver mail only when the home Postfix server presents its certificate on request and that certificate's MD5 fingerprint matches.
First tell Postfix to use MD5 hashes for TLS policies:
smtp_tls_fingerprint_digest = md5
Next, define your TLS policy map:
smtp_tls_policy_maps = hash:${config_directory}/tls_policy.cf
Here is an example SMTP TLS policy map:
[domain.not] fingerprint match=d5:68:da:c4:cd:ee:0d:ba:3a:bc:dd:b6:7b:67:51:88
In the above TLS policy, delivery to domain.not requires TLS, and the MD5 fingerprint of the certificate it presents must equal the match= value. Be sure to postmap the tls_policy.cf file and reload Postfix; you will then be using simple, low-level MTA-to-MTA identification.
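As an added example (my own Python, not Postfix code and not from the article), the following computes a certificate fingerprint the way the openssl command above does, parses a tls_policy.cf in the format just shown, and makes the deliver-or-defer decision described in this post. The PEM block and the policy lines are constructed: the "certificate" is a placeholder whose base64 body decodes to the bytes abc, chosen so the expected MD5 can be checked against the RFC 1321 test value; the arithmetic is the same for a real certificate. The digest argument plays the role of smtp_tls_fingerprint_digest; passing "sha256" corresponds to openssl x509 -fingerprint -sha256 and is the stronger choice.

```python
import base64
import hashlib
import re

# Constructed stand-in for the home server's smtpd_tls_cert_file. NOT a real certificate:
# the body decodes to b"abc", whose MD5 is the RFC 1321 test value
# 900150983cd24fb0d6963f7d28e17f72, so the result can be checked by hand.
CONSTRUCTED_PEM = """\
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed tls_policy.cf source. [domain.not] pins the placeholder certificate above;
# [other.not] pins the fingerprint quoted in the article, which the placeholder does not match.
CONSTRUCTED_POLICY = """\
[domain.not] fingerprint match=90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72
[other.not]  fingerprint match=d5:68:da:c4:cd:ee:0d:ba:3a:bc:dd:b6:7b:67:51:88
"""

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def certificate_fingerprint(pem_text, digest="md5"):
    """What `openssl x509 -noout -fingerprint -<digest>` prints: the digest over the
    certificate's DER bytes (the decoded base64 body), as colon-separated hex pairs."""
    m = PEM_BLOCK.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    der = base64.b64decode("".join(m.group(1).split()))
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize_fingerprint(fp):
    """Compare fingerprints without caring about colons or letter case."""
    return fp.replace(":", "").lower()


def parse_tls_policy(policy_text):
    """Parse policy source lines '<nexthop> <level> [match=<fp> ...]' into
    {nexthop: (level, [normalized fingerprint, ...])}. Several match= attributes,
    or '|'-separated values in one attribute, all become accepted pins."""
    policy = {}
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        nexthop, level, attrs = fields[0], fields[1], fields[2:]
        pins = []
        for attr in attrs:
            key, _, value = attr.partition("=")
            if key == "match":
                pins.extend(normalize_fingerprint(v) for v in value.split("|") if v)
        policy[nexthop] = (level, pins)
    return policy


def delivery_decision(nexthop, peer_pem, policy, digest="md5"):
    """'deliver' or 'defer' for one outbound connection to nexthop, given the PEM the
    peer presented. Only the levels none, may and fingerprint are modelled here."""
    level, pins = policy.get(nexthop, ("may", []))
    if level in ("none", "may"):
        return "deliver"  # nothing pinned for this destination
    if level != "fingerprint":
        raise NotImplementedError(f"level {level!r} is not modelled in this example")
    presented = normalize_fingerprint(certificate_fingerprint(peer_pem, digest))
    return "deliver" if presented in pins else "defer"


if __name__ == "__main__":
    print("MD5 Fingerprint=" + certificate_fingerprint(CONSTRUCTED_PEM))
    print("SHA256 Fingerprint=" + certificate_fingerprint(CONSTRUCTED_PEM, "sha256"))
    policy = parse_tls_policy(CONSTRUCTED_POLICY)
    for nexthop in ("[domain.not]", "[other.not]", "[unlisted.not]"):
        print(nexthop, delivery_decision(nexthop, CONSTRUCTED_PEM, policy))
```

Note that a destination with a fingerprint policy and no usable pin always defers, which is the safe failure: the mail stays queued rather than going to an unverified host.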
This morning I noticed APT had a new version of Firefox waiting to be installed. Firefox 9.0.1 was a welcome update for my 10.04 LTS Xubuntu installation. Ubuntu will now release browser upgrades as Mozilla rolls out its web browser with the next generation of Internet technology, such as enhanced HTML5 support and security enhancements.
"The upstream Mozilla Firefox web browser has moved to a rapid release cycle. New Firefox versions are being released every six weeks and contain new features and security enhancements. Until now, Ubuntu 10.04 LTS and Ubuntu 10.10 have been getting 3.6 point releases of Firefox. As such, users have not been benefiting from new features, support for new web technologies, security enhancements, and performance improvements. Firefox 3.6 will be reaching its end of life soon, so we need to migrate users to rapid release so that they will continue to receive security updates in a timely fashion."
The roll-out was announced to start January 17th, though I thought from the start it was to be the 27th, and for me it turned out to be so. Ubuntu 10.04 LTS and Ubuntu 10.10 installations are now on a rapid release cycle, as are the latest Ubuntu releases. I am sure it relieves a lot of stress not having to patch Firefox 3.6 as security issues arise, as 3.6 was the default and once-permanent version on these older, still-maintained Ubuntu releases.
APT repository add-ons for the previous Ubuntu-branded Firefox version will be migrated to the new Firefox version through Mozilla's add-on service, addons.mozilla.org.
The Stop Online Piracy Act (SOPA) is facing a full-force backlash from Internet giants such as Wikipedia and our beloved Boing Boing, who are participating in the SOPA Strike, a 12-hour period in which volunteer domain owners will switch their sites off. The SOPA Strike page linked above provides several parked pages to point your domains to, along with information on how to contact your congressional representatives to voice your opinion.
"January 18th is going to be amazing. Sites are striking in all different ways, but they are united by this: do the biggest thing you possibly can, and drive contacts to Congress. Put this on your site or automate it by putting this JS into your header (the Javascript link is available @ http://sopastrike.com/), which will start the blackout at 8AM EST and end at 8PM EST." - http://sopastrike.com/
The SOPA Strike website contains a list of validated participants along with a list of unfiltered participants in the Internet Blackout. I will not be participating in the blackout; however, I wish to see this unfetchable downfall of our existence on the Internet, to be voted on by Congress January 24th (SOPA), and PIPA, which is currently in discussion in the Senate, stopped DEAD with the help of those this post may reach. Also see Internet Blacklist for a video and in-depth information on SOPA and PIPA.
"On Jan 24th, Congress will vote to pass Internet censorship in the Senate, even though the vast majority of Americans are opposed. We need to kill the bill - PIPA in the Senate and SOPA in the House - to protect our rights to free speech, privacy, and prosperity. We need Internet companies to follow Reddit's lead and stand up for the web, as we Internet users are doing every day." - http://sopastrike.com/
Here is a small list of 3rd-party templates, plus the official sopastrike.com web page and JavaScript code, available and ready to use during the protest tomorrow:
On December 23rd, 2011 FreeBSD administrators were blessed with 5 high-severity security advisories. Acknowledging with some humor the very unusual amount of alarm in a single day, 5 security advisories in total, the FreeBSD foundation sent out a follow-up after the advisories were posted:
Hi all,
--
No, the Grinch didn't steal the FreeBSD security officer GPG key, and your eyes aren't deceiving you: We really did just send out 5 security advisories.
The timing, to put it bluntly, sucks. We normally aim to release advisories on Wednesdays in order to maximize the number of system administrators who will be at work already; and we try very hard to avoid issuing advisories any time close to holidays for the same reason. The start of the Christmas weekend -- in some parts of the world it's already Saturday -- is absolutely not when we want to be releasing security advisories.
Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd) is a remote root vulnerability which is being actively exploited in the wild; bugs really don't come any worse than this. On the positive side, most people have moved past telnet and on to SSH by now; but this is still not an issue we could postpone until a more convenient time.
While I'm writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot has a rather messy fix involving adding a new interface to libc; this has the awkward side effect of causing the sizes of some "symbols" (aka. functions) in libc to change, resulting in cascading changes into many binaries. The long list of updated files is irritating, but isn't a sign that anything in freebsd-update went wrong.
Colin Percival
The first security advisory is a remote denial of service in the BIND DNS server, affecting all maintained versions of FreeBSD. If BIND can be made to cache an invalid DNS record, a DoS is possible when a local user is tricked into querying that record in an inappropriate way, for example by browsing an external web page that needs a resource from the domain, or by doing so deliberately. If BIND is an open DNS resolver, any external specially crafted query would also blow BIND 9 up. Authoritative-only BIND 9 DNS servers do not 'seem' to be affected. A freebsd-update or a ports update to bind96-9.6.3.1.ESV.R5.1 should mitigate the security vulnerability.
The second security advisory (affecting all maintained versions of FreeBSD) concerns ftpd running in a chroot environment together with nsdispatch. nsdispatch can reload its configuration on demand, but has no way of knowing that it is running in a chrooted environment, so the paths it loads configuration files and libraries from are untrustworthy, allowing an ftpd user to gain elevated ("root") privileges.
The fix is a mess, as it adds a new API, __FreeBSD_libc_enter_restricted_mode(), to the C library (libc). A freebsd-update should scare you sufficiently.
The third security advisory concerns telnetd (affecting all maintained versions of FreeBSD), not kidding:
II. Problem Description
When an encryption key is supplied via the TELNET protocol, its length is not validated before the key is copied into a fixed-size buffer.
III. Impact
An attacker who can connect to the telnetd daemon can execute arbitrary code with the privileges of the daemon (which is usually the "root" superuser).
On to the fourth security advisory (affecting all maintained versions of FreeBSD): if your SSH server (secure shell server) uses the pam_ssh authentication module, unencrypted SSH private keys can cause SSH to grant user access inappropriately. "By default, the pam_ssh module rejects SSH private keys with no pass-phrase. A "nullok" option exists to allow these keys." The SSH PAM module is not enabled in default FreeBSD installations, and SSH is not affected unless PAM authentication is explicitly enabled.
Holiday cheer security advisory number 5: pam_start() does not validate service names (affecting all maintained versions of FreeBSD). Users are able to specify PAM policies as a path relative to /etc/pam.d or /usr/local/etc/pam.d, allowing a user to define out-of-scope policies and execute their own modules. "If an application that runs with root privileges allows the user to specify the name of the PAM policy to load, users who are permitted to run that application will be able to execute arbitrary code with root privileges."
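As an added example (my own Python, not OpenPAM's or FreeBSD's code), this shows the check that closes the class of problem in the fifth advisory: a PAM service name must be a bare file name, because joining an unvalidated name onto /etc/pam.d turns it into a path the caller chose. The allow-list regex, the helper names and the sample names are mine; the two policy directories are the ones the advisory names.

```python
import os
import re

# The two policy directories the advisory names.
POLICY_DIRS = ("/etc/pam.d", "/usr/local/etc/pam.d")

# Hypothetical allow-list for this example: a service name is a plain file name made of
# letters, digits, dot, dash and underscore, starting with a letter or digit.
SERVICE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def is_safe_service_name(name):
    """True only for a bare file name that cannot steer the lookup out of the policy directory."""
    if name in (".", "..") or "/" in name or "\0" in name:
        return False
    return SERVICE_NAME.fullmatch(name) is not None


def escapes_directory(policy_dir, name):
    """Why an unvalidated name is dangerous: once joined and normalized, the path may no
    longer lie under policy_dir (an absolute name replaces it, '..' climbs out of it)."""
    candidate = os.path.normpath(os.path.join(policy_dir, name))
    return os.path.commonpath([policy_dir, candidate]) != policy_dir


def policy_path_for(name, policy_dirs=POLICY_DIRS):
    """Return the policy path a validated name maps to in the first policy directory,
    or None if the name is rejected. Name validation is the actual fix; the containment
    check is a second line of defence that should never be the one that fires."""
    if not is_safe_service_name(name):
        return None
    for policy_dir in policy_dirs:
        if escapes_directory(policy_dir, name):
            return None
    return os.path.join(policy_dirs[0], name)


if __name__ == "__main__":
    for sample in ("sshd", "ftpd", "..", "/tmp/policy", "../../tmp/policy"):
        print(f"{sample!r:22} -> {policy_path_for(sample)}")
```

A real lookup would go on to test each candidate path for an existing file; the point here is that the name is rejected before any file system access, so the directory choice stays with the administrator.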