There are many resources on the Internet for correctly securing apache web sites with X.509 client certificate authentication. This isn’t one of them. What follows is a three step guide to the fastest, easiest method for setting up self-signed server and client certificates. You are advised not to run any of the commands below in a production environment, they are presented only as an aid for those who learn kinesthetically.
A good solution applied with vigor now is better than a perfect solution applied ten minutes later.
- General George Smith Patton III (source)
Read more…
In most cases, Ubuntu desktop systems will automatically detect and mount removable media, and this is largely done with software that is part of the X Windows system; for server systems without X Windows however, this sort of thing requires a bit of work.
Now some may ask, “Why automount removable media at all?” It is unwise to remove an active device, such as unplugging a USB drive without first unmounting it, and automounting may encourage this sort of recklessness. I don’t contend this, but if one runs a server using an external USB drive, there are two words which should spark an immediate interest in automatic mounts: power failure.
Read more…
Sound problems fall in to three basic categories, and the first thing you want to do is determine which one you’re dealing with. The easiest thing you can do is test your speakers with something else, using the same cable. If your speakers and cable are confirmed to be in good working order, then the problem must be either: Read more…
prerequisite concepts: prelude, basic config., port fwd, proxy conn.
I don’t often have the opportunity to experiment on computers running Windows, but every 
once in a long while it simply cannot be avoided. I recently found myself wanting to look up a password in Revelation, a password manager for the Gnome Desktop on Linux; I have previously written about using OpenSSH’s ProxyCommand directive to tunnel through a firewall and forward X11 (GUI) applications remotely from a an isolated workstation on a private LAN, the difference here was that I needed to forward that application to a Windows workstation.
Read more…
AppArmor, introduced to Ubuntu with Gutsy, is yet another security tool unleashed upon the infosphere. In part, AppArmor is intended as an alternative to SELinux, which can easily be seen as daunting to configure; unfortunately, many such projects are daunting for those admins forced to walk the plank of unfamiliarity above a sea of expectations. Despite a troubled history, the project seems to be here to stay so it is likely only a matter of time before audit messages crop up in one’s kernel log. For those who find AppArmor unnecessary, unpalatable, or just untimely, herein lies a quick-and-dirty guide for telling AppArmor where to stick its audit complaints. Read more…
Shortly after I last upgraded my mail server, one user reported that his mail client was failing to connect with the message:
"Unable to connect to your IMAP server. You may have exceeded the maximum number of connections to this server..."
He was the only one known to be having this issue, so after a cursory check of the server with no obvious problems, I suggested that this might be an error on his end, such as connecting to the secure IMAP port without using SSL/TLS. Occam’s Razor suggests that a server error is more likely than a client error which just happens to coincide with a server upgrade, so I eventually decided to dig up some infrequently used commands and perform a thorough analysis. Read more…
I have resisted the urge to display caller id on my MythTV 
as somewhat obvious. I’m always looking for ways to demonstrate the freedom which comes from using open source software, but I prefer the zesty freshness of an original idea rather than anything that’s been done, redone, and done again. My wife, however, thought that Myth caller id sounded like a great idea and asked me to set it up. What follows is how I did this with the least possible effort. Read more…
While I was cooking last night’s dinner, I made the mistake of leaving my laptop running, open, and unattended. Because ours is primarily a Linux household (my wife is a Mac user), 
I normally don’t worry much about the computers. The servers, devices, and desktops tend to chug along without needing anything more than an occasional `aptitude update && aptitude upgrade`. Laptops, however, are an entirely different story. As you can see in the photo, we live with a creature that is essentially a heat seeking missle bent on killing laptop computers. Sure it was funny the first couple times, but amusement quickly turned to horror when I saw that she can actually crash Linux. All my base are belong to her.
Some time ago I enabled recipient delimiters (e.g. user+foo@host.tld) as a convenient way to know if shady web forms are 
contributing to my spam folder. The idea is that when House Depot requires me to have an account before I can see if they have loose screws in stock locally, I can sign up with garrison+housedepot@codefix.net instead of my usual e-mail. With recipient delimiters enabled, postfix will try to deliver any incoming mail to garrison+housedepot but when it finds no such user, it will try garrison and I get my mail. The problem arises when I discover that House Depot’s broken web form rejects any e-mail addresses with “+” in the user name as invalid. I’m already using garrison+foo style addresses elsewhere so I don’t want to change the recipient delimiter, but neither do I trust my real address to a company that can’t even create a proper web form. Read more…
S.A.R.E. Ninjas are the folks over at SpamAssassin Rules Emporium who act as sort of an arms dealer in the Spam War: they publish custom rules and plugins for SpamAssassin, the Open Source world’s powerful anti-spam software. This article is about an imminent software release that promises big trouble for spammers. Read more…
