Smokes your problems, coughs fresh air.

Author: halfgaar (Page 1 of 26)

Halfgaar is Wiebe. Wiebe is a contributing author on this weblog. He also has a lot of stuff (such as long, in-depth articles) on his personal website.

Wiebe works at YTEC, where he is a senior developer of customer-specific tailor-made software ("klantspecifieke maatwerk software") for clients in a few select markets: wholesale, printing and healthcare.

Verification of salt-archive-keyring.gpg fingerprints

Because a hacked website can easily replace GPG keys, I wanted to write down for myself what the verified fingerprints of the Salt archive keyring are:

# sha256sum /usr/share/keyrings/salt-archive-keyring.gpg
ea38e0cdbd8dc53e1af154a8d711a2a321a69f81188062dc5cde9d54df2b8c47  /usr/share/keyrings/salt-archive-keyring.gpg
 
 
# gpg /usr/share/keyrings/salt-archive-keyring.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2014-06-24 [SC]
      754A1A7AE731F165D5E6D4BD0E08A149DE57BFBE
uid           SaltStack Packaging Team <packaging@saltstack.com>
sub   rsa2048 2014-06-24 [E]

FlashMQ version 0.8.0

Just released FlashMQ version 0.8.0, a multi-threaded (multi-core) lightweight MQTT server. The latest new feature is a native authentication plugin interface for easy implementation of custom authentication and authorization.

Gitlab ‘Your password expired. Please access GitLab from a web browser to update your password.’

I just fixed a very obscure error in Gitlab of ‘Your password expired. Please access GitLab from a web browser to update your password.’ This error would appear during SSH operations, and in various log files in /var/log/gitlab. Also XHR requests to the server got that response.

Nowhere in the GUI was it visible that anything expired. It’s about a gitlab that linked to a Windows Active Directory.

It turned out that in Postgres table ‘users’, of hundreds of users, 5 had ‘password_expires_at’ set to somewhere in 2014. I guess in a recent update they started checking that field.

To fix it, I did:

sudo -u gitlab-psql /opt/gitlab/embedded/bin/psql -h /var/opt/gitlab/postgresql -d gitlabhq_production
update users set password_expires_at = null where password_expires_at is not null;

Setting up a Zimbra authenticated proxy

On March 18th, Synacor posted about a critical Zimbra security vulnerability (CVE 2019 9670), which was quick to be exploited in the wild, and subsequently evolved to be harder to erradicate.

I’ve always had a weariness of authentication implementations by hosted applications, so I decided to block the Zimbra web mail interface using iptables (firewall), and only allow access through a separately hosted HTTP proxy which requires authentication. This way, no stray requests to API endpoints accidentally left open will be allowed. That is, almost none: I had to add exceptions to allow webdav traffic for contact and calendar synchronization. If you don’t use that, the exceptions can be left out.

Below is an example Apache configuration. Apache requires several modules to be enabled, which is an exercise left to the reader. Also, a similar proxy is easily implemented in Nginx; I just happened to have a spare Apache server.

Note that it’s best to not make the proxy the default virtual host on the web server. This avoids it being seen by IP probes. If set up properly, there is no trace visible from the outside that you’re using this proxy, and if you make it such that access to it requires the actual domain name (like mywebmail.example.net), it’s very hard for bots to see it (especially if you make the domain name a bit more unguessable).

When you access the web mail page, first you have to authenticate using old style HTTP authentication:

zimbra-pre-login

Anyway, here’s the proxy config:

<VirtualHost *:80>
        RewriteEngine on
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [L,R]
        ServerName webmail.example.net
</VirtualHost>
 
<VirtualHost *:443>
        ServerName webmail.example.net
        ServerAdmin webmaster@localhost
 
        SSLEngine on
        SSLCertificateFile    /etc/letsencrypt/live/webmail.example.net/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/webmail.example.net/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/webmail.example.net/chain.pem
 
        SSLProxyEngine On
        ProxyPass        / https://mail.example.net/
        ProxyPassReverse / https://mail.example.net/
 
        # For Webdav/carddav/caldav
        <Location /dav>
                Satisfy any
                Require all granted
        </Location>
 
        # For Let's Encrypt
        <Location /.well-known/>
                Satisfy any
                Require all granted
        </Location>
 
        # For Webdav/carddav/caldav
        <Location /principals/>
                Satisfy any
                Require all granted
        </Location>
 
        # For Webdav/carddav/caldav
        <Location /SOGo/>
                Satisfy any
                Require all granted
        </Location>
 
        # For Webdav/carddav/caldav
        <Location /groupdav.php>
                Satisfy any
                Require all granted
        </Location>
 
        <Location />
                AuthType Basic
                AuthName "Zimbra webmail pre-login"
                AuthUserFile /etc/apache2/htpasswd/webmail
                Require valid-user
 
                # Exception IPs: no auth needed (for monitoring for instance)
                Require ip 1.2.3.4
        </Location>
 
        ErrorLog ${APACHE_LOG_DIR}/webmail.example.net/error.log
        CustomLog ${APACHE_LOG_DIR}/webmail.example.net/access.log combined
</VirtualHost>

« Older posts

© 2022 BigSmoke

Theme by Anders NorenUp ↑