Firmware update on an APC AP9630 NMC2

Posted on Sat 02 September 2017 in Tech • Tagged with Tech

I've spent a little while working with the APC Network Management Cards now, and firmware updates are a total pain.

The biggest issue is that the UPS power outlets need to be powered off in order to flash the firmware, otherwise there's a terrifyingly-high chance that the NMC (a ~$700 card) will completely shit itself, and die permanently. Aside from that, I've never managed to get updates working properly from the web interface.

Fortunately, the card is hot-pluggable, so if you have a spare UPS hanging around, you can unplug …


Continue reading

Respecting Amavis' "Banned Extensions" setting

Posted on Sun 13 August 2017 in Tech • Tagged with Tech, Security, Linux, Mail

I've been dabbling a little bit with iRedMail, mostly just to have a play with a mail server, but also to see what's involved in mail security. iRedMail is a package that pulls together Postfix as an MTA, Dovecot as a POP3 & IMAP server, SOGo for ActiveSync, Roundcube for Webmail, SpamAssassin for spam protection, and ClamAV for virus scanning.

Okay I have no idea why I have to write this, but apparently it's a thing.

Amavis has a list of banned file extensions. In Debian, they live in /etc/amavis …


Continue reading

Making Amavis work with ESET Antivirus

Posted on Sat 12 August 2017 in Tech • Tagged with Tech, Security, Linux, Mail

I've been dabbling a little bit with iRedMail, mostly just to have a play with a mail server, but also to see what's involved in mail security. iRedMail is a package that pulls together Postfix as an MTA, Dovecot as a POP3 & IMAP server, SOGo for ActiveSync, Roundcube for Webmail, SpamAssassin for spam protection, and ClamAV for virus scanning.

But of course, ClamAV has shown disappointing performance, and it would be really nice to use something more... commercially suitable.

To tie together mail receipt and scanning, iRedMail uses Amavis (strictly …


Continue reading

Wireguard - Part Three (Troubleshooting)

Posted on Mon 12 June 2017 in Tech • Tagged with Tech, Security, Wireguard, Networking, Linux

This is part of my brief series on Wireguard. I'm pretty enamoured with Wireguard and the way it works, but there were a couple slightly curly bits that I needed to get my head around. This troubleshooting guide is a rough dump of the issues I had, and how I fixed them.

Gotten Stuck?

At this stage, there are actually a few ways that this can go wrong, even though we haven't done much. Think through all the bits:

  • Installed Wireguard at both ends
  • Set up your NAT rule on …

Continue reading

Wireguard - Part Two (VPN routing)

Posted on Sun 11 June 2017 in Tech • Tagged with Tech, Security, Wireguard, Networking, Linux

This is a continuation of my brief series on the new Wireguard VPN. Part One was about the simple building-blocks to get Wireguard working between two endpoints. Now that we've got a couple machines able to ping each other by IP address, we can carry on a bit deeper into the inter-LAN routing stuff.

Extending on from the IP addresses in Part One, instead of JUST connecting to the remote machine, I want to actually have access to everything on the whole 10.20.0.0/16 network; even the …


Continue reading

Wireguard - Part One (Installation)

Posted on Sat 03 June 2017 in Tech • Tagged with Tech, Security, Wireguard, Networking, Linux

Wireguard is the most excellent VPN stack around. It's really fast, the concept of Cryptokey Routing is awesome, and I love the speed and simplicity benefits that come from opionionated cryptography. The protocol is so simple - expressed in a mere 4k lines of code - that it's auditable by anyone.

But.

With my initial naive approach, I found myself using HTTPS, over ports forwarded over SSH tunnels, connected over Wireguard. Although it was straightforward to get Wireguard working between two endpoints, I ended up in nested-crypto hell.

So, this brief series …


Continue reading

HP Procurve's warn-and-disable

Posted on Sun 30 April 2017 in Tech • Tagged with Tech, Networking

Since mid-2016, I've been working as a Network and Security Administrator. While I'd done a fair amount of networking previously, most of my experience had been with either unmanaged switches, or in a pre-built Cisco environment. Stepping into the world of managed networking was new for me, as was stepping into the world of HP Switches.

We were having recurring issues with a certain business unit looping ports on a switch. We had loop-protect running, but it was only set to disable the port after 5 seconds, and only for …


Continue reading

Making Lektor work with grsecurity

Posted on Sat 29 October 2016 in Tech • Tagged with Security, Tech, Linux

I started using grsecurity on my servers in 2015, and there's always a bit of tuning required.

I was recently playing with Lektor (before I swapped to Pelican), and I had a bit of trouble with my grsec kernel. In particular, Lektor and Pelican are both run within a virtualenv Python environment, and grsec eats it like popcorn in two different ways:

1) TPE (Trusted Path Execution) throws a wobbly:

[253241.370019] grsec: From {ssh-origin-ip}: denied untrusted exec (due to file in world-writable directory) of /tmp/#50 by /usr/local …


Continue reading

Broken log times in APC's PCNS Appliance 4.1

Posted on Thu 27 October 2016 in Tech • Tagged with Tech, Linux

Schneider Electric's PowerChute Network Shutdown is a piece of software which communicates with your local UPS, and initiates system shutdown if the UPS battery is unable to continue providing power. This helps to preserve file integrity in the event of a prolonged power failure.

Previously, you had to install the PCNS client separately on each virtual machine. Since then though, APC have released a PCNS VMware Appliance which is installed directly into vCenter, and initiates shutdown on all the VMware guests through a single Virtual Machine. This is a much …


Continue reading

Updating the modem and radio firmware on a Samsung Galaxy 5 (G900I)

Posted on Thu 27 October 2016 in Tech • Tagged with Android, Security, Linux

A couple months ago, Check Point revealed their discovery of the Quadrooter vulnerability affecting the Qualcomm chipsets in oodles of Android phones.

I use CyanogenMod on a Samsung Galaxy S5, so thankfully I received patches for three of the four vulnerabilities in only a few days.

However, that last vulnerability was part of a proprietary binary blob for controlling the Qualcomm LTE chipset, only patchable by Samsung themselves. It took a while for the Samsung updates to roll out, and then I got distracted for a while, but I finally …


Continue reading