Art on the Hill
Friday, June 12, 2009 6:00 p.m. to 10:00 p.m.
Tobin Hill is a growing hub of creative activity and home to many local artists. Join your friends, neighbors and art lovers from around the city for a walking tour of Tobin Hill art galleries and art studios featuring local San Antonio artists.
Galleries will have refreshments and music for visitors to enjoy and local artists will be on hand to talk with you about their work. Admission to all galleries is free.
Come enjoy a relaxed evening focused on the arts and creativity, then take a stroll to the new Riverwalk extension a few blocks away at the Pearl Brewery. For more information call 210 785 0743
Participating Galleries include
1 High Wire Art Gallery
326 W Josephine
*- Toni Richardson
- Thom Ricks
- Elva Salinas
- Rebecca De Leon Almazan
- Cindy Palmer
2 Josephine Theatre
339 W Josephine
-
- Ben Mata
- Enrico Gomez
- Vanessa Puente
3 M4 Dance Studio
2300 N St Marys
*- Brother Cletus
- Raquel Beechner
- Richard Hernandez
- Rebecca Flores
- Donna Bland
4 621 Screen Printing
2300 N St Marys
*- Daniel Garcia
5 La Casa Rosa Art Studio
527 E Dewey Place
*- Henry Cardenas
- James Wyatt Hendricks – sculpture installation
- Luis Lopez
- Gail Weitzenkorn
- Robert Wilkens
- Bernice Williams
6 G2Design
corner E Dewey Place at Kendall
*- Larry Graeber – sculpture installation
Postfix SPF
This article is to ouline the specifics for implementing SPF policy framework for Postfix provided in Redhat Enterprise Linux (es4/es5).
1.) First install all the necessary perl modules via RPM that you will require:
http://dag.wieers.com/rpm/packages/perl-Net-Address-IPv4-Local/ http://dag.wieers.com/rpm/packages/perl-NetAddr-IP/ http://dag.wieers.com/rpm/packages/perl-Mail-SPF/
(additional RPMs may be required) I would recommend that you refrain from installing via CPAN as a mix of RPM installed and CPAN installed modules can lead to issues in the future.
2.) Obtain and install the SPF perl scriptcd /usr/src wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.001.tar.gz tar xvfz postfix-policyd-spf-perl-2.001.tar.gz cd postfix-policyd-spf-perl-2.001 cp postfix-policyd-spf-perl /usr/libexec/postfix/postfix-policyd-spf-perl chomd o+x /usr/libexec/postfix/postfix-policyd-spf-perlEnsure that you set the script to executable, or errors such as these are recieved
warning: command /usr/bin/perl exit status 2 postfix/smtpd: warning: premature end-of-input on private/policy while reading input attribute name3.)Next, edit the postfix configuration file ’/etc/postfix/master.cf’ This line should be appended to the end of the configuration.
policy unix - n n - - spawn
user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl
4.)Next open /etc/postfix/main.cf and find the directive “smtpd_recipient_restrictions” You should have reject_unauth_destination in that directive, and right after reject_unauth_destination add ‘check_policy_service unix:private/policy’
smtpd_recipient_restrictions =permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service unix:private/policyimportant ensure that you specify “check_policy_service” AFTER “reject_unauth_destination” or else you will have an open relay!
Plesk TLS
openssl s_client -connect 127.0.0.1:25 -starttls smtp -debug
Your mileage will vary
EXT3 online resize
Introduction of an additional drive into a RAID array to expand capacity requires additional steps in the OS to expand the partition without data loss.
First, fdisk the device and delete the “EXTENDED” partition that you are looking to resize, in this instance partition 4.
[root@app1 ~]# fdisk /dev/sda The number of cylinders for this disk is set to 53309. There is nothing wrong with that, but this is larger than 1024, and could in certain setups cause problems with: 1) software that runs at boot time (e.g., old versions of LILO) 2) booting and partitioning software from other OSs (e.g., DOS FDISK, OS/2 FDISK) Command (m for help): p Disk /dev/sda: 438.4 GB, 438489317376 bytes 255 heads, 63 sectors/track, 53309 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Device Boot Start End Blocks Id System /dev/sda1 * 1 13 104391 83 Linux /dev/sda2 14 274 2096482+ 83 Linux /dev/sda3 275 405 1052257+ 82 Linux swap /dev/sda4 406 35539 282213855 5 Extended /dev/sda5 406 35539 282213823+ 83 Linux Command (m for help): d Partition number (1-5): 4 Command (m for help): p Disk /dev/sda: 438.4 GB, 438489317376 bytes 255 heads, 63 sectors/track, 53309 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Device Boot Start End Blocks Id System /dev/sda1 * 1 13 104391 83 Linux /dev/sda2 14 274 2096482+ 83 Linux /dev/sda3 275 405 1052257+ 82 Linux swapOnce this has been removed the partition should be re-created as extended, then a primary partition introduced
Command (m for help): n Command action e extended p primary partition (1-4) e Selected partition 4 First cylinder (406-53309, default 406): Using default value 406 Last cylinder or +size or +sizeM or +sizeK (406-53309, default 53309): Using default value 53309 Command (m for help): p Disk /dev/sda: 438.4 GB, 438489317376 bytes 255 heads, 63 sectors/track, 53309 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Device Boot Start End Blocks Id System /dev/sda1 * 1 13 104391 83 Linux /dev/sda2 14 274 2096482+ 83 Linux /dev/sda3 275 405 1052257+ 82 Linux swap /dev/sda4 406 53309 424951380 5 ExtendedNow introduce a primary partition on the extended NOTICE- The cylinder in use of the removed partition should be noted as the subsequent introduction of the new partition will require this detail in order to preserve the data
Command (m for help): n First cylinder (406-53309, default 406): Using default value 406 Last cylinder or +size or +sizeM or +sizeK (406-53309, default 53309): Using default value 53309 Command (m for help): p Disk /dev/sda: 438.4 GB, 438489317376 bytes 255 heads, 63 sectors/track, 53309 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Device Boot Start End Blocks Id System /dev/sda1 * 1 13 104391 83 Linux /dev/sda2 14 274 2096482+ 83 Linux /dev/sda3 275 405 1052257+ 82 Linux swap /dev/sda4 406 53309 424951380 5 Extended /dev/sda5 406 53309 424951348+ 83 Linuxwrite the changes and exit
Command (m for help): w The partition table has been altered! Calling ioctl() to re-read partition table. WARNING: Re-reading the partition table failed with error 16: Device or resource busy. The kernel still uses the old table. The new table will be used at the next reboot. Syncing disks.A reboot of the system is required. The final step is ‘ext2online’ of ’/’
[root@app1 ~]# ext2online / ext2online v1.1.18 - 2001/03/18 for EXT2FS 0.5bPartition expanded from this:
[root@app1 ~]# df -h Filesystem Size Used Avail Use% Mounted on /dev/sda5 265G 256G 9.9G 97% / /dev/sda1 99M 12M 82M 13% /boot none 2.0G 0 2.0G 0% /dev/shm /dev/sda2 2.0G 53M 1.9G 3% /tmpto this
[root@app1 ~]# df -h Filesystem Size Used Avail Use% Mounted on /dev/sda5 399G 227G 173G 57% / /dev/sda1 99M 12M 82M 13% /boot none 2.0G 0 2.0G 0% /dev/shm /dev/sda2 2.0G 52M 1.9G 3% /tmp
IPTables and libwrap
Secruing Services
NOTE choose the easiest otions first such as TCPwrappers to control service connections.
/etc/hosts.allow /etc/hosts.deny
man page syntax identical:
basic syntax is :sshd: 192.168.2.200
These files are parse in the following order:
| /etc/hosts.allow | If the configuration of this file permits the requested connection, the connection is immediately allowed |
| /etc/hosts.deny | If the configuration of this file does not permit the requested connection, the connection is immediately refused. |
TCP wrappers can only be run on packages compiled agains libwrap. ldd can be used to check if it has been compiled against libwrap.
example for checking with ‘ldd’
[root@station home]# ldd /usr/sbin/sendmail.sendmail |grep wrap
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x006a8000)
portmap is another service , but it is a bit convoluted:
[root@station home]# strings /sbin/portmap |grep hosts hosts_access_verbose hosts_allow_table hosts_deny_table /etc/hosts.allow /etc/hosts.deny
here are others configured against libwrap:
ssh,sendmail,xinetd,vsftpd,stunnel
-
Two choices when configuring hosts.allow|deny in the following example.
permit connections for vsftp from 10.1.1.1, but block from
10.0.0.0/255.0.0.0
you can make seperate entries in both:
hosts.deny
vsftpd: 10.0.0.0/255.0.0.0
hosts.allow
vsftpd: 10.1.1.1
Or you can add this to just the deny file as suggested with the keyword
‘EXCEPT’
# hosts.deny This file describes the names of the hosts which are # *not* allowed to use the local INET services, as decided # by the '/usr/sbin/tcpd' server. # # The portmap line is redundant, but it is left to remind you that # the new secure portmap uses hosts.deny and hosts.allow. In particular # you should know that NFS uses portmap! #vsftpd: 10.0.0.0/255.0.0.0 vsftpd: 10.0.0.0/255.0.0.0 EXCEPT 10.1.1.1
‘ALL’ can be used in the config as the service or the connecting source:
ALL:ALL EXCEPT 192.168.1.1
In /etc/hosts.deny to block all service affected by libwrap, but open to the one source or
ALL:ALLIn hosts.deny, with explicit service permissions in /etc/hosts.allow.
‘DenyHosts is a script from sourceforge that you can run from cron to parse /var/log/secure to review those that have attempted multiple brute force attacks’ (‘swatch’-‘pamABL’ are similar scripts, but modify iptables)
IPTables
Permits packet filterring at the kernel level. Netfilter is the kernel module that does the dirty work, iptables helps define the rules/chains to permit/deny through the kernels ip stack.
| INPUT | responsible for inbound destined for the server |
| OUTPUT | responsible for outbound traffic leaving the server |
| FORWARD | across the servers interfaces |
iptables -L
lists or prints the current rules in place
iptables -L -n -v -t nat
iptables-save writes to /etc/sysconfig/iptables. (keeping rules persistent,they must be apart of this file)
Configuration parsed from top to bottom. IPTables will response based on the first match. If there is no specific match, the chain policy will apply.
IPtables uses targets to determine what action will be taken if traffic matches an existing rule.
| DROP | will drop package and send no info to the user |
| REJECT | will send a connection refused notice back to the sender |
| ACCEPT | will permit the connection |
| LOG | will log the connection attempt |
IPTables syntax rule formulation help:-
What chain will the rule apply to?
-A INPUTWhat patterns(s) would you like to check for?
-s 192.168.2.100
To make the rule active, you can add the following info to /etc/sysconfig/iptables
-A INPUT -s 192.168.2.100 -j REJECT
You can also configure the rule from CLI with
iptables -A INPUT -s 192.168.2.100 -j REJECT
What should IPTables do when a matching pattern is found?
-j REJECT
You can also match on the following criteria:
| -i | incoming interface |
| -p | protocol |
| -s | source ip address |
| -d | destination ip address |
| -dport | destination port |
Saving the rules service iptables-save
iptables -D INPUT 3
This command will delete the third rule in the INPUT CHAIN A quick means of identifying line number is:
iptables -L --line-numbers
iptables -D INPUT <rule>
This command will delete the specific rule from the INPUT chain.
iptables -F
This command will flush the IPTables rulesets
system-config-securitylevel utility used to create the following config
[root@station sysconfig]# cat iptables # Firewall configuration written by system-config-securitylevel # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT ---(permit the loopback) -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -p 50 -j ACCEPT ---(for ipsec) -A RH-Firewall-1-INPUT -p 51 -j ACCEPT ---(for ipsec) -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT ---(multicast/Avahi) -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT ---(for cups) -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT ---(for cups) -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 837 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMITcreated the following chain to apply the rules in /etc/sysconfig/iptables:
RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUTThis and the allowed outlined rules above where automagically put in place. Considered a mostly closed configuration based on the ‘ACCEPT’ policy. If you need to use the rulesets generated by ‘system’ utlities comment out the last rule to keep from failing the test
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibitedservice iptables panic changes to a default drop policy
[root@station sysconfig]# service iptables panic Flushing firewall rules: [ OK ] Setting chains to policy DROP: filter [ OK ] [root@station13 sysconfig]# iptables -L -v Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destinationPut these back in place to permit connections
[root@station sysconfig]# iptables -P INPUT ACCEPT [root@station sysconfig]# iptables -P OUTPUT ACCEPT
[root@station sysconfig]# iptables -L -v Chain INPUT (policy ACCEPT 1 packets, 78 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
configure your mail server not to accept connections from the 192.168.1.0/24 network, EXCEPT for the 192.168.1.2 host:
iptables example
[root@station etc]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination REJECT all -- 10.0.0.0/8 anywhere reject-with icmp-port-unreachable ACCEPT tcp -- 192.168.1.2 anywhere tcp dpt:smtp REJECT tcp -- 192.168.1.0/24 anywhere tcp dpt:smtp reject-with icmp-port-unreachable Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
[root@station etc]# cat /etc/sysconfig/iptables # Generated by iptables-save v1.3.5 on Thu Aug 9 16:08:07 2007 *filter :INPUT ACCEPT [134:32679] :FORWARD DROP [0:0] :OUTPUT ACCEPT [47:4569] -A INPUT -s 10.0.0.0/255.0.0.0 -j REJECT --reject-with icmp-port-unreachable -A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 25 -j ACCEPT -A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
tcp wrapper example ( since this said sendmail, it must be the MTA running, not postfix, as postfix is not compiled against libwrap)
alternatives—config mta
then /etc/hosts.deny:
[root@station etc]# cat /etc/hosts.deny # # hosts.deny This file describes the names of the hosts which are # *not* allowed to use the local INET services, as decided # by the '/usr/sbin/tcpd' server. # # The portmap line is redundant, but it is left to remind you that # the new secure portmap uses hosts.deny and hosts.allow. In particular # you should know that NFS uses portmap! #vsftpd: 10.0.0.0/255.0.0.0 #vsftpd: 10.0.0.0/255.0.0.0 EXCEPT 10.1.1.1 sendmail: 192.168.1.0/24 EXCEPT 192.168.1.2followed with rules for governing port 110/143:
[root@station etc]# cat /etc/sysconfig/iptables # Generated by iptables-save v1.3.5 on Thu Aug 9 16:08:07 2007 *filter :INPUT ACCEPT [134:32679] :FORWARD DROP [0:0] :OUTPUT ACCEPT [47:4569] -A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 25 -j ACCEPT -A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 143 -j ACCEPT -A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 993 -j ACCEPT -A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 110 -j ACCEPT -A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 995 -j ACCEPT -A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable -A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 143 -j REJECT --reject-with icmp-port-unreachable -A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 993 -j REJECT --reject-with icmp-port-unreachable -A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 110 -j REJECT --reject-with icmp-port-unreachable -A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 995 -j REJECT --reject-with icmp-port-unreachable