VulcanRidr in the wild

I was a guest on the Fresh Ubunutu Podcast this week. It was great chatting with Peter and Harlem. Peter’s been trying to get me on there for over a year.

I did get to give a short tech segment on a tool called cfengine. I started working with it a couple of months ago, and it is amazing. If you are a system administrator, you should look in to setting up an app of this type. It can, with judicious use, simplify your administration tasks. The premise is that regardless of how many *nix boxes you have, there is some level of convergence between them. Things that converge, from simple things like ntp and ssh configuration to more complex system configuration tasks. You can build these configuration tasks into cfengine and effectively automate them. You can also make sure apps are installed, check file and directory permissions, do security (I am working on a NIST SP800-53 configuration for cfengine). The only limit is your imagination. If you are more into python, then check out Puppet. They are great packages, and they will ease your administration.

I have deployed it to my home network, and am now adding items that cfengine controls. Currently, it is doing ntp and ssh, but I am adding several others like email configs, stunnel, snmp, and whatever else I can come up with.

I’m back…

Contrary to popular belief, I am still alive and well. I have been uber busy over the past year that the train (wreck?) that is Armored Penguin jumped the tracks.

So let’s see…What have I been doing? In a word, commuting. I got laid off from my job at Swisscom in April…Not their fault, but the hospitality industry (hotels, etc)…I went to a really miserable job at the US Dep’t of Justice. Got laid off from there in November, and I am now building and administering Linux resources, including clusters (!) at the US National Institutes of Health.

I’ve been playing with a lot of cool stuff, things like cluster software (which is vastly improved since the last time I played with it 11 years ago), and  cfengine. I am considering a podcast on the security features you can implement using cfengine. Its a great package, once you get your head around it.

Let’s see…What else? My home network has grown. I’m up around 20 machines now, including several firewall, mailserver, openvz boxes, wiki, CMS, log server, cfengine server workstations, netbook, and my trusty N810.

I have stopped using VMware, since their Linux support seems to be merely lip service. I upgraded Debian on my vmware server box for the first time in over a year (for this very reason), then spent two days trying combinations of aftermarket patches and sacrificing animals to get the modules to compile in any of the kernels I had installed (it wouldn’t even come up with the old kernel, 2.6.29). Once I got the modules working and vmware back up, the web interface wouldn’t work. So I migrated all of my VMs from VMware to openvz. I tried to use VirtualBox, however, it doesn’t have the functionality of a server like VMware. I now have two OpenVZ boxes, giving me the option of doing live migration.

I’ll try to be more prolific in my blogging…

Current projects

Its been crazy as ever, I know I still need to upload the armoredpenguin virtual machine. I am also working on episode 3, which will focus on authentication, passwords and passphrases.

I also have a couple of projects going on which I thought I would document here.

The main one is that we got my daughter an Acer Aspire One, which I changed over from the Fedora-based Linpus Linux to Debian/sid. It has an 8GB internal storage as well as an 8GB SD card. I went with sid because I generally do, and sid is as stable as stable, only more modern. (which is why I can’t understand why people say that Debian is “too old.”) You don’t have to upgrade daily.

In any case, I got her Acer (which has wireless) set up and she loves it. I also recently got a Nokia N810 Interweb tablet…Which replaced my Sharp Zaurus SL5500. With those two and my laptop, I am needing to get up to speed with wireless technology, which I have until now managed to avoid.

The other side of the project is to set up a wireless bridge for a friend. Here is my plan for configuring it:

I have (or will have) two Linksys WRT54GS/GLs (thanks to Paul Asadoorian of PaulDotCom Security weekly for the donation of the GL) which I would like to bridge using WPA2, meaning the wireless devices will need to speak WPA2 as well.

The wireless access point in the house is connected to the DMZ interface of the firewall, and will then route everything to the Internet, with the exception of traffic over openvpn, which will be the only way to talk to the internal network from the wireless segment.

I will try to document how things go here with it.

Initial information is that the WRT54TGS is version 7.2 (Serial starts with CGNE), and I am having trouble finding current information on it. I don’t think it has enough memory or flash to effectively run OpenWRT (my preference). I don’t want to run Sveasoft or dd-wrt (which is based on Svea, as I understand it. The lack of information stems from the fact that Linksys tries to muddy the waters by changing firmware and hardware more often than I change socks. Its rather annoying.

In any case, I will try to post as I work through all of this.

Episode 2, Reasonably Secure Builds – MP3

With only a few minutes left in 2008, I am posting episode 2. It is a little longer than the previous episodes. I hope you enjoy it and find it useful.

And here are the show notes.

Happy new year to you all.

 

 Armored Penguin Episode 2 - MP3: Play Now | Play in Popup | Download

Episode 2, Reasonably Secure Builds – OGG

With only a few minutes left in 2008, I am posting episode 2. It is a little longer than the previous episodes. I hope you enjoy it and find it useful.

And here are the show notes.

Happy new year to you all.

 

 Armored Penguin Episode 2 - Ogg Vorbis: Play Now | Play in Popup | Download

Delays

I know, its a recurring theme. I’m working on episode 2, but work has been keeping me hopping. We are in the final stages of the SAP deployment at work, and we have all been working extra hours trying to stay on top of the SAP deployment plus our normal maintenance and upgrades.

Please bear with me, I will try to get it out before Christmas.

Episode 2…Coming soon.

Episode 2 is recorded and I am in process of editing. It is probably going to be something around an hour, with 17 pages of show notes. I will be working on it this weekend and hopefully get it out the first part of next week.

Mini podcaster meet-up

I am in Chicago for the last of my SAP training. I finally got to meet (and had dinner with) Mr. and Mrs. Verbal. They were a great couple…And apparently Mrs. Verbal thinks Verbal and I were twins separated at birth… A big thanks to the Verbals for taking the time to have dinner with me. It was a highlight of the visit to Chicago.

Episode 2 will be released next week. The review (and rewrite) of the information took longer than anticipated because of travel (Lisbon and Chicago this time) and illness.

Upgrades upgrades upgrades

VMware has finally released version 2.0.0 of their free server product. Since I am running a total of four VMware servers (one for testing on my laptop, one semi-test on my workstation, which also stores my template images, and two “production” servers), I have been going through the Waltz of the Upgrade. I upgraded defiant, danube and prometheus, but decided that lexington, my backup- and sole remaining 1.0.x vmware server, needed a little extra love. I set this box up almost 3 years ago, before disk encryption was available easily in Linux. I went back and encrypted /var/lib/backuppc directory, so the backups were encrypted, but never got around to encrypting the rest of the system.

Since I am working on getting Reasonably Secure Builds together and will be walking through a Debian build with an encrypted filesystem, and since I needed to upgrade vmware, I decided to do the full upgrade on lexington and get it up to scratch. I actually used the latest Lenny daily build of the Netinst CD, and it was nice. It is basically the same as I have always done, except for the fact that they have replaced the lilo command line prompt on the burst page with a dialog-like menu to give you your options.

I really want to get it running again, so that I can play with Untangle. It looks like a very cool product, and lexington has enough filesystem space for me to evaluate it.

More on my progress with Untangle. In fact, if things work out with it, expect an AP episode on it, somewhere in the firewalling eposodes.

Linux Podcasters Unite!

A new project is taking shape, an aggregator for Linux podcasts. Currently there are two sections…One for blog posts and one for podcasts. Check them out at

http://www.linuxplanet.org/casts/

http://www.linuxplanet.org/blogs/