Random ramblings of a paranoid git
"The question is not if you are paranoid, it is if you are paranoid enough."



   
   
Saturday December 13, 2008
A new Solaris security book on the way
2008-12-13 07:30

For the last few months I've been spending my evenings tapping away on the keyboard - but not producing code or managing Solaris servers like I usually do. I've been writing two chapters for an upcoming Solaris security book! It has been fun, but it has also been hard - not hard because I didn't know what to write, but hard to constrain myself from wanting to include too much.

The book is not intended to cover every nitty gritty detail of every security feature in Solaris - that would make it a real brick of a book! So I've had to think hard about what to include, and the level of detail of the included parts.

Parts of the book are already available on Safari Rough Cuts for review before we publish. Please leave comments on the Safari site so that nothing gets lost.

The chapter about File System Security is mine, and I've also authored the chapter about auditing (not very surprising), though it hasn't been processed for publication yet, but when it is - I'll post a blog entry with a link to it.

   
 
   
Thursday December 11, 2008
Sendmail, may I introduce Alteon to you?
2008-12-11 05:10

Yesterday we started using an Alteon VIP to load balance SMTP traffic to our two mail servers, and everything was fine and dandy, but when I took a look in /var/log/syslog I found loads of entries like this:

Dec 11 18:17:14 prod-git1 sendmail[20899]: [ID 801593 mail.info] j93FHDNX020899: alteon1.sun.com [192.168.10.1]
did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

The Alteon health check connects and then just issues a QUIT, which sendmail finds suspicious, and hence feels obliged to let me know about it. This becomes very annoying when you have two Alteons doing the check every other second!

After scratching my head for a while and searching for a solution, I came across this patch to sendmail, which lets you select systems which shouldn't generate the above log entry. The only caveat was that I'd have to build my own sendmail, and I really don't want to roll my own stuff as it requires more work to support, so I continued to look for another solution.

I finally figured out (after reading the sendmail source code) that if I in /etc/mail/sendmail.cf set

O PrivacyOption=authwarnings,needexpnhelo,needvrfyhelo

sendmail would be quiet if the Alteon changed the health check to doing the equivalent of this:

mconnect localhost
connecting to host localhost (127.0.0.1), port 25
connection open
220 prod-git1.sun.com ESMTP Sendmail 8.13.8+Sun/8.13.8; Thu, 11 Dec 2008 13:58:48 +0100 (CET)
VRFY root
503 5.0.0 I demand that you introduce yourself first
QUIT
221 2.0.0 prod-git1.sun.com closing connection

So we changed the health check from being smtp to a custom script (note that you need the double backslashes):

open 25,tcp
expect "ESMTP"
send "VRFY root\\n"
expect "503"
send "QUIT\\n"
expect "221"
close

And after pushing this change out, sendmail stopped filling the log with messages I don't want to see.
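
The same dialogue as a stand-alone check, for confirming that an MTA answers the way the load balancer script expects before the script is pushed out. This is an added example, not part of the original post: the function names and the stub server (with its stub.example host name and its replies) are constructed for illustration, and the commands are sent with CRLF line endings.

```python
import socket
import threading

# The health-check dialogue: (command, expected reply code, text the reply must contain).
# Mirrors the custom script: banner with "ESMTP", VRFY root -> 503, QUIT -> 221.
STEPS = [(None, "220", "ESMTP"), (b"VRFY root\r\n", "503", ""), (b"QUIT\r\n", "221", "")]

def read_reply(reader):
    """Read one SMTP reply, skipping 'NNN-' continuation lines up to the final line."""
    while True:
        line = reader.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 4 or line[3] != "-":
            return line

def check_dialogue(sock):
    """Run the dialogue on a connected socket; return (ok, detail)."""
    with sock.makefile("rb") as reader:
        for command, code, token in STEPS:
            if command:
                sock.sendall(command)
            reply = read_reply(reader)
            if not (reply.startswith(code) and token in reply):
                return False, f"expected {code}, got {reply!r}"
    return True, "ok"

def smtp_health_check(host, port=25, timeout=5.0):
    """Run the same check against a real listener."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return check_dialogue(sock)

def stub_mta(sock, vrfy_reply):
    """Constructed stand-in for the MTA; only the VRFY reply varies."""
    with sock, sock.makefile("rwb") as f:
        f.write(b"220 stub.example ESMTP Sendmail\r\n")
        f.flush()
        for line in f:
            if line.upper().startswith(b"VRFY"):
                f.write(vrfy_reply)
            elif line.upper().startswith(b"QUIT"):
                f.write(b"221 2.0.0 stub.example closing connection\r\n")
            f.flush()

def run_against_stub(vrfy_reply):
    """Check the stub over a socketpair, so no port has to be opened."""
    client, server = socket.socketpair()
    threading.Thread(target=stub_mta, args=(server, vrfy_reply), daemon=True).start()
    with client:
        return check_dialogue(client)
```

A server that answers VRFY with anything other than 503 fails the check, so the check also notices when the PrivacyOption line is no longer in effect.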

   
 
   