Tuesday, July 30, 2013

pfSense e-mail alerts sent to multiple recipients

pfSense is an all-in-one UTM appliance for firewall, security and network management purposes.



Since my lab doesn't allow a static IP assigned to my pfSense box so I sticked on to DHCP IP address which may be varying along the time. The fact is that I don't own the DHCP server myself so I can't even assign a fixed LAN IP address to this box. Each time something has changed, I need to get back to pfSense console and find out it's WAN IP address myself. That means I can't find out IP address remotely at home whenever DHCP server changes its IP address.

The latest version of pfSense is v2.2.2 at the time of writing.

pfSense comes with various kinds of installable packages whereas one of the useful one would be "mailreport".

To install this mailreport, just get in pfSense web console and click [System]->[packages], then choose to install mailreport.

Once finished, you can open it up by clicking [Status]->[Email Reports] option.

In there, you can create new email report. Just remember to add one new item under "Report Commands" Section. This can be a simple Unix command like ifconfig which shows current IP address of the pfSense box. I personally set it to send out email report once per day in the morning so I get the latest information I need before starting to work.

To configure email alert setting, click [System]->[Advanced] and then [Notifications] tab. Fill in correct SMTP information under Section SMTP E-mail.

But, hang on! There was a problem with the field "Notification E-mail Address" that it only takes one email address ONLY. That should be enough for solely test purposes.



However, I get my colleagues working with me so I would like to send email alerts to all members within my group. The pfSense web console is actually produced by PHP code, so we might need to have a little change inside the PHP source code itself.

Here are the changes we need to make for sending E-mail alerts to multiple recipients:

/etc/inc/mail_reports.inc


...
$mail->ContentType = 'text/html';
$mail->IsHTML(true);
$mail->AddReplyTo($config['notifications']['smtp']['fromaddress'], "Firewall Email Report");
$mail->SetFrom($config['notifications']['smtp']['fromaddress'], "Firewall Email Report");
$address = $config['notifications']['smtp']['notifyemailaddress'];
/* New lines start here */
    $addr_array = preg_split("/[\s,]*(\,|\;|\:)[\s]*/", $address);
    foreach($addr_array as $addr){
           $mail->AddAddress($addr, "Report Recipient ".($addr_count++));
    }
/* New lines end here */

/* Comment out the line below */
//$mail->AddAddress($address, "Report Recipient");
$mail->Subject = "{$config['system']['hostname']}.{$config['system']['domain']} Email Report: {$headertext}";
$mail->Body .= "This is a periodic report from your firewall, {$config['system']['hostname']}.{$config['system']['domain']}.

Current report: {$headertext}
\n
\n";
...

After the changes to the PHP file, you can test it by entering email addresses into the field  "Notification E-mail Address" with coma separator, like "recipient1@a.little.test.co,recipient2@a.little.test.co,recipient3@a.little.test.co". Just make sure no space is used between the email addresses and all those guys should receive the test messages immediately.

Fingers crossed;-)



Thursday, July 18, 2013

Compiling mod_auth_mysql.so under Mountain Lion OSX 10.8 with XAMPP for Mac (Apache v2.4)



First thing first! Install your favourite Bitnami XAMPP for Mac package:

http://www.apachefriends.org/en/xampp-macosx.html

At the time of writing, the latest version is v1.8.2 which includes newest Apache v2.4 as web server. This is where the problem is and we are going to sort this out and compile new mod_auth_mysql.so.

Make sure you setup XAMPP properly with appropriate passwords created for Apache and MySQL and so on…

!!!REMIND!!!
Before your spiritual work, make sure you stop Apache server so nothing should be affected during the compiling process.

The source code of mod_auth_mysql is a bit old to support Apache v2.4 web server whereas a little bit of extra work is required to get APXS compiling working.

Download C source code of mod_auth_mysql:

http://sourceforge.net/projects/modauthmysql/files/modauthmysql/3.0.0/mod_auth_mysql-3.0.0.tar.gz

Extract the mod_auth_mysql-3.0.0.tar.gz file which gives you a folder called "mod_auth_mysql-3.0.0".

Using Terminal command:

$ cd mod_auth_mysql-3.0.0


You will see the source file named "mod_auth_mysql.c" and we are going to work on it.

Download a patch file within the folder and patch it right there as follows:

$
$ curl http://www.zoosau.de/wp-content/uploads/mod_auth_mysql-300-apache-22.patch


$
$ patch < mod_auth_mysql-300-apache-22.patch


The patch fixes some problems for APXS compiling. For Apache v2.4, we have to do some more editing in the file "mod_auth_mysql.c".

Open up editor for the file "mod_auth_mysql.c":

$ open -e mod_auth_mysql.c


Modify the lines as described below:

==========================================================
LINE 908:
  return r->connection->remote_ip;

Changed to:
  return r->connection->client_ip;
==========================================================
LINE 1273:
const apr_array_header_t *reqs_arr = ap_requires(r);

Changed to:
const apr_array_header_t *reqs_arr = NULL;
==========================================================
LINE 1275:
const array_header *reqs_arr = ap_requires(r);

Changed to:
const array_header *reqs_arr = NULL;
==========================================================

Explanation:

It's a bit technical and requires you to read Apache manual first about new Apache 2.4 which explicitly takes ap_requires() function completely out of core services.

Looking through those forums and finally get something closed to that problem. A possible fix:

http://www.mail-archive.com/pld-cvs-commit@lists.pld-linux.org/msg313889.html

As function ap_requires() is removed from Apache v2.4 API, we can set related reference pointer to NULL in order to skip that problem in mod_auth_mysql.c file.

For the solution of LINE 908, thanks to the blogger on http://cootos.sinaapp.com/?p=94 .

Now comes the actual compiling work.

Reference is here:
http://www.nilspreusker.de/?s=mod_auth_mysql

But we need to modify the paths to port them to those paths in XAMPP for Mac package.

Using Terminal command as follows:

$
$
$ sudo /Applications/XAMPP/bin/apxs -c -i -a -D -lmysqlclient \
 -lm -lz -I/Applications/XAMPP/XAMPPfiles/include/ \
 -L/Applications/XAMPP/XAMPPfiles/include/ \
 -Wc,"-arch x86_64" -Wl,"-arch x86_64" mod_auth_mysql.c


It's a long command which I spilt it into four lines so you may have to recombine them in the text editor before you issue the actual command.

If things are going well, you should see the following output generated by the above command:

/Applications/XAMPP/xamppfiles/build/libtool --silent --mode=compile gcc -std=gnu99 -prefer-pic -I/Applications/XAMPP/xamppfiles/include/c-client -I/Applications/XAMPP/xamppfiles/include/libpng -I/Applications/XAMPP/xamppfiles/include/freetype2 -O3 -L/Applications/XAMPP/xamppfiles/lib -I/Applications/XAMPP/xamppfiles/include -I/Applications/XAMPP/xamppfiles/include/ncurses -arch x86_64  -DDARWIN -DSIGPROCMASK_SETS_THREAD_MASK -no-cpp-precomp -DDARWIN_10  -I/Applications/XAMPP/xamppfiles/include  -I/Applications/XAMPP/xamppfiles/include/apr-1   -I/Applications/XAMPP/xamppfiles/include/apr-1 -I/Applications/XAMPP/xamppfiles/include -arch x86_64 -I/Applications/XAMPP/XAMPPfiles/include/  -c -o mod_auth_mysql.lo mod_auth_mysql.c && touch mod_auth_mysql.slo
mod_auth_mysql.c: In function 'str_format':
mod_auth_mysql.c:891: warning: format '%d' expects type 'int', but argument 8 has type 'long int'
/Applications/XAMPP/xamppfiles/build/libtool --silent --mode=link gcc -std=gnu99 -Wl,-rpath -Wl,/Applications/XAMPP/xamppfiles/lib -L/Applications/XAMPP/xamppfiles/lib -I/Applications/XAMPP/xamppfiles/include -arch x86_64 -L/Applications/XAMPP/xamppfiles/lib -L/Applications/XAMPP/xamppfiles   -o mod_auth_mysql.la -arch x86_64  -L/Applications/XAMPP/XAMPPfiles/include/ -lmysqlclient -lm -lz -rpath /Applications/XAMPP/xamppfiles/modules -module -avoid-version    mod_auth_mysql.lo
/Applications/XAMPP/xamppfiles/build/instdso.sh SH_LIBTOOL='/Applications/XAMPP/xamppfiles/build/libtool' mod_auth_mysql.la /Applications/XAMPP/xamppfiles/modules
/Applications/XAMPP/xamppfiles/build/libtool --mode=install install mod_auth_mysql.la /Applications/XAMPP/xamppfiles/modules/
libtool: install: install .libs/mod_auth_mysql.so /Applications/XAMPP/xamppfiles/modules/mod_auth_mysql.so
libtool: install: install .libs/mod_auth_mysql.lai /Applications/XAMPP/xamppfiles/modules/mod_auth_mysql.la
libtool: install: install .libs/mod_auth_mysql.a /Applications/XAMPP/xamppfiles/modules/mod_auth_mysql.a
libtool: install: chmod 644 /Applications/XAMPP/xamppfiles/modules/mod_auth_mysql.a
libtool: install: ranlib /Applications/XAMPP/xamppfiles/modules/mod_auth_mysql.a
chmod 755 /Applications/XAMPP/xamppfiles/modules/mod_auth_mysql.so

Now it's time to modify a working https.conf for Apache v2.4.

In httpd.conf, find those lines with LoadModule * statements and add the following two statements at the bottom of that section:

#
#
#
LoadModule apreq_module modules/mod_apreq2.so
LoadModule mysql_auth_module modules/mod_auth_mysql.so
#


This make sure the target libraries are called up when Apache starts.

Before you start Apache server again to test if it runs or not, you have one more thing to do. In my experience, Apache server may not start because of libmyqlclient error. This is the case when we have no other MySQL client setup on the Mac before.

All you have to do is creating new symbolic link to let Apache v2.4 find the right library:

$
$ sudo ln -s /Applications/XAMPP/xamppfiles/lib/libmysqlclient.18.dylib \
 /usr/lib/libmysqlclient.18.dylib
$



Now start your Apache v2.4 web server and see if it's running properly. If yes, you are ready to use mod_auth_mysql module again!

Happy coding!!!

PS: Additionally you'll need to make sure PHP Session is working.
In /Applications/XAMPP/xamppfiles/etc/php.ini, you need to uncomment a line like this:
session.save_path = "/tmp"


This should do the trick;-)







Thursday, June 13, 2013

Setup Cygwin CRON service on Windows platform


Assuming we are going to run a Batch File containing those scripts for daily operations, Windows Scheduled Tasks feature offers useful scheduling capability for backup and cleaning operations on Windows server. However, you never get what you want when you want it on Windows platform.

It takes extra steps in configuring Local Policy to allow the user to have a permission of "Log on as Batch Job" in order to add a scheduled task successfully. That might not always happen in a SysAdmin point of view. This always remind me of the useful tools Cygwin which run linux program within Windows. Of course, you can also call Windows program from there. Combined with Cron in Cygwin, you can schedule daily tasks from Cygwin like Windows Scheduled Tasks.


To install cygwin, please refer to the following article:
http://docs.oracle.com/cd/E24628_01/install.121/e22624/preinstall_req_cygwin_ssh.htm

*Reminder:

  • You might need to install extra package for cron within cygwin setup.
  • During Cygwin setup, please make sure you have also selected cron by entering 'cron' in search field and mark it as INSTALL.
  • Please install Cygwin to the root directory of local drive to get rid of those annoying restrictions.


Once you've got Cygwin setup properly on Windows, you can start installing Cron service on Windows.

Here's the command to install new cron service:
#
#Within Command Prompt Terminal
C:\>cd c:\cygwin\bin
C:\cygwin\bin>cygrunsrv -I Cygwin_CRON_JOBS -p /usr/sbin/cron -a -n
#


On Windows desktop, open Control Panel -> Administrative tasks -> Services.
Then look up a service name "Cygwin_CRON_JOBS" which we specified as above.
Make sure this service is started and running properly.

For local user, we might just define the scheduled tasks like this:
#
# Within normal opening Cygwin Terminal
$ crontab -e
# Minute   Hour   Day of Month       Month          Day of Week        Command  
# (0-59)  (0-23)     (1-31)    (1-12 or Jan-Dec)  (0-6 or Sun-Sat)              
    0        2          12             *               0,6           /cygdrive/c/somewhere/something.bat
#

However, this doesn't work in most cases whereas we haven't got sufficient permissions to run CRON tasks in Windows.
For domain user, some extra work needs to be done:
#
# Open Cygwin Terminal by right clicking the icon and selecting [run as Administrator]
# Within Cygwin Terminal ~
$ touch /etc/crontab
# Take ownership for SYSTEM user on this file
$ chown SYSTEM /etc/crontab
# To avoid famous BAD FILE MODE error in Cygwin, try chmod command
# Cron stops working on world editable file due to security reason
# To stop error message, let's make it editable ONLY to the file owner
$ chmod 0644 /etc/crontab
$ crontab -e
# Minute   Hour   Day of Month       Month          Day of Week        Command  
# (0-59)  (0-23)     (1-31)    (1-12 or Jan-Dec)  (0-6 or Sun-Sat)              
    0        2          12             *               0,6           /cygdrive/c/somewhere/something.bat
#

To run Windows program within crontab, you can start from the following path:
/cygdrive/c/...
/cygdrive/d/...

which points to the root directory of the local drives where your favourite commands and batch files are locating.
Make sure the path is correct by listing them like:
#
# Within Cygwin Terminal
$ ls -l /cygdrive/c/Windows
#


For additional information about user account created for cron Windows service, please read here:
http://www.davidjnice.com/articles/cygwin_cron-service.html

Hope you can run your favourite tasks in Cron now.

Friday, June 7, 2013

Convert .p12 bundle to server certificate and key files for Nginx

SSL certificate is a must for nowadays e-commerce site whereas newly emerged web server like Nginx has gained so much attention due to its performance when dealing with heavy traffic to the web site. Why do those people choose Nginx?

Nginx's unique architecture makes it easy to handle large number of concurrent connections at one time with low CPU and memory consumption, compared with IIS and Apache.

Nginx has also taken the place as the front-end proxy server for traditional web servers like IIS and Apache.

Now, back to the topic we are facing today.

Assuming you have received .p12 file from your trust provider, you might need to know more about what a .p12 file is.

According to wiki, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.

This means a .p12/.pfx file contains everything we need to provide SSL services, like server certificates, CA root certificate, intermediate chain certificates and server private key.

Unlike .pem file, .p12/.pfx file is in binary form so we cannot copy and paste those blocks for use in a human readable format. It needs a conversion tool like openssl to extract necessary files for the web server like Nginx.

Nginx is also sensitive to the order of server certificate and other CA root and chain certificates in a bundle .pem file so it may not start up properly with a .pem file which has been tempered with no proper knowledge.

Here're the two commands to generate necessary certificate bundle and server key files from a .p12/.pfx bundle file which is supposed to be directly imported into IIS web erver.

#
#
#Generate certificates bundle file
> openssl pkcs12 -nokeys -in server-cert-key-bundle.p12 -out server-ca-cert-bundle.pem
#
#
#Generate server key file
> openssl pkcs12 -nocerts -nodes -in server-cert-key-bundle.p12 -out server.key
#
#

whereas you might be asked to input the password which was included in .p12 file during the creation.

In Niginx.conf, we can include these two files for SSL connection:
#
#
server {
        listen   443 default ssl;
        server_name  localhost ...;

        ssl                  on;
        ssl_certificate      /some_where/ssl_cert/server-ca-cert-bundle.pem;
        ssl_certificate_key  /some_where/ssl_cert/server.key;

        ssl_session_timeout  5m;

        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;
    
#...  
#


After that, Nginx should start up properly with HTTPS protocol ready for the web site.







Monday, February 25, 2013

Auto start Nginx on Linux reboot

After compiling Nginx from the source on older release of Ubuntu server, there are some steps to be performed in order to let Nginx service start automatically after a system reboot.

A startup script can be obtained here:
https://github.com/JasonGiedymin/nginx-init-ubuntu/blob/master/nginx

This script will be saved to /etc/init.d/nginx

However, there are additional changes on this script file in order to make it running properly.

For the existing version of Nginx v1.2.7, a couple of changes are required for pointing to the correct path of related files as follows:




# processname: nginx
# config:      /usr/local/nginx/conf/nginx.conf
# pidfile:     /usr/local/nginx/logs/nginx.pid
# Provides:    nginx


PATH=/usr/local/nginx/sbin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/nginx/sbin/nginx

NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"




Once the changes are saved successfully, it'll be ready to add Nginx to the list of startup service on the server.

First, change the file permission as follows:

sudo chmod +x /etc/init.d/nginx


Second, use the following command to update the default run level of the startup script:

sudo /usr/sbin/update-rc.d -f nginx defaults 



After these, Nginx service will be started by itself during next system reboot.

You can also perform various tasks manually via the following command syntax:

sudo /etc/init.d/nginx (start|stop|reload|status)