All posts by urly

Protect your postfix/dovecot mail server against the DROWN attack

DROWN is a vulnerability that affects HTTPS and other services that rely on SSL and TLS.
In order to protect your postfix/dovecot mail server, you should disable SSLv2.

The following lines should be added to the postfix configuration file (main.cf):


smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_eecdh_grade = ultra

 
And the following lines should be added to dovecot SSL configuration file:


ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_protocols = !SSLv2 !SSLv3

 
This also disables SSLv3, which has its own issues (POODLE, BEAST).
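To confirm that the running configuration really carries these exclusions, the check below reads "name = value" lines in the format printed by postconf -n and doveconf -n. It is an added example, not part of the original post; the function name, the finding labels and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit "name = value" lines (as printed by `postconf -n`
# or `doveconf -n`) for the !SSLv2 / !SSLv3 exclusions shown above.
# Usage: postconf -n | audit_tls_protocols smtpd_tls_protocols ...
# Prints one finding per problem; the return status is the finding count.
audit_tls_protocols() {
    awk -v want="$*" '
        /^[ \t]*#/ { next }                     # skip comment lines
        {
            eq = index($0, "=")                 # split at the first "="
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", name)
            value[name] = substr($0, eq + 1)
        }
        END {
            bad = 0
            n = split(want, names, " ")
            for (i = 1; i <= n; i++) {
                p = names[i]
                # NOT-SET: the version default applies, review it by hand
                if (!(p in value)) { print "NOT-SET " p; bad++; continue }
                if (value[p] !~ /!SSLv2/) { print "SSLv2-ALLOWED " p; bad++ }
                if (value[p] !~ /!SSLv3/) { print "SSLv3-ALLOWED " p; bad++ }
            }
            exit bad
        }'
}

# The five protocol parameters from the postfix and dovecot snippets above.
PROTOCOL_PARAMS="smtpd_tls_mandatory_protocols smtpd_tls_protocols \
smtp_tls_mandatory_protocols smtp_tls_protocols ssl_protocols"

# Constructed sample: one parameter still allows SSLv3, one is not set.
SAMPLE_CONF='smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2
smtp_tls_protocols = !SSLv2, !SSLv3
ssl_protocols = !SSLv2 !SSLv3'
```

Run it as: { postconf -n; doveconf -n; } | audit_tls_protocols $PROTOCOL_PARAMS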

More info about the DROWN attack: https://drownattack.com

Monitoring UPS connected to the Synology DiskStation via Zabbix

If you have a UPS which is connected to the Synology DiskStation (NAS) via USB and it’s compatible with the Synology NAS, you can monitor some of the UPS performance parameters using SNMP.

I’m using Zabbix for the SNMP monitoring, which also means I can get some nice graphs from the collected data.

Configuring Zabbix to collect the SNMP data from the Synology NAS should be a very simple task. All you need to do is to create the SNMP items with the proper OIDs and afterwards create the graphs which present the collected data. But…

…when I created the SNMP items, Zabbix was unable to retrieve the SNMP values. In the Zabbix server logs there was an error “Value has unknown type 0x78”. I tried different item settings, and I also tried deleting and recreating the items – nothing resolved my issue.

Since retrieving the SNMP values worked without a problem when using the snmpget command, I configured the “User Parameters” in the Zabbix agent configuration on the Zabbix server as a workaround.

If you’re having the same issue, these are the lines you can add to your zabbix_agentd.conf file:

UserParameter=synology_upsBatteryChargeValue,snmpget -v 2c -c public 192.168.1.4 1.3.6.1.4.1.6574.4.3.1.1.0 | sed -e "s/\(.*Float\:\ \)\(.*\)/\2/g"
UserParameter=synology_upsInputFrequencyValue,snmpget -v 2c -c public 192.168.1.4 1.3.6.1.4.1.6574.4.4.6.1.0 | sed -e "s/\(.*Float\:\ \)\(.*\)/\2/g"
UserParameter=synology_upsInputVoltageValue,snmpget -v 2c -c public 192.168.1.4 1.3.6.1.4.1.6574.4.4.1.1.0 | sed -e "s/\(.*Float\:\ \)\(.*\)/\2/g"
UserParameter=synology_upsInputVoltageFault,snmpget -v 2c -c public 192.168.1.4 1.3.6.1.4.1.6574.4.4.1.6.0 | sed -e "s/\(.*Float\:\ \)\(.*\)/\2/g"
UserParameter=synology_upsInfoLoadValue,snmpget -v 2c -c public 192.168.1.4 1.3.6.1.4.1.6574.4.2.12.1.0 | sed -e "s/\(.*Float\:\ \)\(.*\)/\2/g"
UserParameter=synology_upsBatteryVoltageHigh,snmpget -v 2c -c public 192.168.1.4 1.3.6.1.4.1.6574.4.3.2.4.0 | sed -e "s/\(.*Float\:\ \)\(.*\)/\2/g"
UserParameter=synology_upsBatteryVoltageLow,snmpget -v 2c -c public 192.168.1.4 1.3.6.1.4.1.6574.4.3.2.3.0 | sed -e "s/\(.*Float\:\ \)\(.*\)/\2/g"
UserParameter=synology_upsBatteryVoltageNominal,snmpget -v 2c -c public 192.168.1.4 1.3.6.1.4.1.6574.4.3.2.2.0 | sed -e "s/\(.*Float\:\ \)\(.*\)/\2/g"
UserParameter=synology_upsInputCurrentNominal,snmpget -v 2c -c public 192.168.1.4 1.3.6.1.4.1.6574.4.4.5.2.0 | sed -e "s/\(.*Float\:\ \)\(.*\)/\2/g"
UserParameter=synology_upsInputFrequencyNominal,snmpget -v 2c -c public 192.168.1.4 1.3.6.1.4.1.6574.4.4.6.2.0 | sed -e "s/\(.*Float\:\ \)\(.*\)/\2/g"
UserParameter=synology_upsInputVoltageNominal,snmpget -v 2c -c public 192.168.1.4 1.3.6.1.4.1.6574.4.4.1.4.0 | sed -e "s/\(.*Float\:\ \)\(.*\)/\2/g"
UserParameter=synology_upsOutputVoltageValue,snmpget -v 2c -c public 192.168.1.4 1.3.6.1.4.1.6574.4.5.1.1.0 | sed -e "s/\(.*Float\:\ \)\(.*\)/\2/g"
UserParameter=synology_upsBatteryVoltageValue,snmpget -v 2c -c public 192.168.1.4 1.3.6.1.4.1.6574.4.3.2.1.0 | sed -e "s/\(.*Float\:\ \)\(.*\)/\2/g"

Once you add these lines to the configuration file, you need to restart the agent and configure the items in Zabbix (Type: Zabbix Agent).
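The sed expression in the lines above prints the input unchanged when "Float: " does not appear, so a timeout or a "No Such Object" reply reaches Zabbix as text instead of a number. The wrapper below is an added example, not part of the original post: it returns a value only when one is present and accepts only numeric OIDs under the Synology UPS subtree. The function names and the SNMP_COMMUNITY and NAS_HOST variables are hypothetical, and the sample snmpget line in the comment is constructed.

```shell
#!/bin/sh
# Added example. Extract the number from one line of snmpget output, e.g.
#   SNMPv2-SMI::enterprises.6574.4.3.1.1.0 = Opaque: Float: 100.000000
# Prints the number and returns 0; returns 1 when the line holds no
# numeric Float (timeout text, "No Such Object", empty output).
snmp_float() {
    value=$(printf '%s\n' "$1" |
        sed -n 's/^.*Float: *\(-\{0,1\}[0-9][0-9.]*\) *$/\1/p')
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# Query one UPS OID. Returns 2 for an OID outside the Synology UPS
# subtree used above or containing anything but digits and dots,
# 1 when snmpget fails or returns no number.
synology_ups() {
    case "$1" in
        1.3.6.1.4.1.6574.4.*) ;;
        *) return 2 ;;
    esac
    case "$1" in
        *[!0-9.]*) return 2 ;;
    esac
    # Community and host default to the values used in the lines above;
    # SNMP_COMMUNITY and NAS_HOST are hypothetical override variables.
    line=$(snmpget -v 2c -c "${SNMP_COMMUNITY:-public}" \
        "${NAS_HOST:-192.168.1.4}" "$1" 2>/dev/null) || return 1
    snmp_float "$line"
}

# With these functions saved in a script (hypothetical path) that ends
# with: synology_ups "$1"
# one flexible key can replace the thirteen fixed ones:
#   UserParameter=synology.ups[*],/usr/local/bin/synology_ups.sh $1
```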

Sample UPS performance graphs (images not included): Battery Charge, UPS Load, Input voltage, Battery voltage.

Android VPN Tethering

By default you’re not able to do VPN tethering via WiFi hotspot on Android devices. However, if you have root access to your device, you can change this by configuring a few iptables rules.

The easiest way to do this is to create a script file on your device and add the following lines to the file:

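#!/system/bin/sh
# Remove all existing rules from the filter table
/system/bin/iptables --flush
# Masquerade (source NAT) everything that leaves through the VPN interface
/system/bin/iptables -A POSTROUTING -o tun0 -j MASQUERADE -t nat
# Replies from the VPN to hotspot clients: stop FORWARD processing here
/system/bin/iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j RETURN
# Hotspot clients towards the VPN: drop invalid packets, then stop processing
/system/bin/iptables -A FORWARD -i wlan0 -o tun0 -m state --state INVALID -j DROP
/system/bin/iptables -A FORWARD -i wlan0 -o tun0 -j RETURN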

Then you can use the Script manager application to run the script manually or to configure the script to run at boot (iptables changes are not permanent and need to be reapplied after the device is restarted).

Script manager configuration screen (screenshot not included).

XenServer – Power on VM automatically when host starts

To set the autopower-on parameter of the VM, you need its uuid. Execute the following command on the XenServer host:


# xe vm-list
uuid ( RO) : 488u9986-f5g5-56jk-6678-223dc455hmd0
name-label ( RW): VM-Box1
power-state ( RO): running

 
Once you retrieve the uuid of the VM, set the auto_poweron parameter of the virtual machine to true by executing (with your own VM uuid):


# xe vm-param-set uuid=488u9986-f5g5-56jk-6678-223dc455hmd0 other-config:auto_poweron=true

 
That’s all.

Getting started with the Zabbix API – Java example

Zabbix provides an API which can be used to automate routine tasks, integrate Zabbix functionality into your internal apps, or even write your own client application.

The API is based on JSON-RPC, so you communicate with it using JSON-encoded requests.

In the following example we will authenticate with the Zabbix server (get the authentication token), which is mandatory before making any other API calls.

All other API calls are done in a similar way, so I guess this example is enough to get started.

The example uses DavidWebb HTTP-Client (with dependencies) which makes JSON REST calls very simple.

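import org.json.JSONObject;
import org.json.JSONException;
import com.goebl.david.Webb;

public class ZabbixAPIExample {

   public static void main(String[] args) {

     try {

       // JSON-RPC 2.0 envelope for the user.login method
       JSONObject mainJObj = new JSONObject();
       JSONObject paramJObj = new JSONObject();

       mainJObj.put("jsonrpc", "2.0");
       mainJObj.put("method", "user.login");

       // Placeholder credentials; replace with your own Zabbix account
       paramJObj.put("user", "Zabbix_username");
       paramJObj.put("password", "Zabbix_user_password");

       mainJObj.put("params", paramJObj);
       mainJObj.put("id", "1");

       Webb webb = Webb.create();

       // Debug output; note that it contains the password
       System.out.println("Data to send: " + mainJObj.toString());

       // The request body carries the password, so use an https:// URL
       // whenever the Zabbix frontend is reachable over TLS
       JSONObject result = webb.post("http://zabbix_server_url/api_jsonrpc.php")
                                    .header("Content-Type", "application/json")
                                    .useCaches(false)
                                    .body(mainJObj)
                                    .ensureSuccess()
                                    .asJsonObject()
                                    .getBody();

       // A failed login comes back as a JSON-RPC "error" object
       if (result.has("error")) {
         System.out.println("Zabbix API error: " + result.getJSONObject("error").toString());
         return;
       }

       System.out.println("Authentication token: " + result.getString("result"));

     } catch (JSONException je) {

       System.out.println("Error building or parsing JSON for the Zabbix API..." + je.getMessage());

     }

  }

}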

Cleaning up the Zabbix database

My Zabbix database size increased a lot in the last few months and since my disk was running out of space, I decided to clean up the old events from the database.

Looking at the database tables, the biggest one was history_uint, which holds the items history data – over 400 million records and over 30 Gb of disk space before the clean up.

Since deleting the old records from this table directly would be a very slow process, I decided to create a new table and insert the latest records from the history_uint table and then just replace the old table with a new one.

Since this is not an official procedure, use it at your own risk.

Environment:
Zabbix v2.2
MySQL 5.1 – InnoDB with innodb_file_per_table=ON

Step 1 – Stop the Zabbix server
Step 2 – Open your favourite MySQL client and create a new table

CREATE TABLE history_uint_new LIKE history_uint;

Step 3 – Insert the latest records from the history_uint table to the history_uint_new table

First you need to decide how many records you need to keep. Please note that the history data in graphs will still be available, since trends data is stored in a different table.

I decided to keep the data for the last 3 weeks. The event time is in UNIX-time (aka POSIX-time or Epoch time) format, so you need to calculate the date and time of the event you will start with.

There is a tool available to do this calculation for you – Epoch Converter.

For example, if you decide to keep all the events from the 1st of May 2014 00:00:00 (GMT) on, the Epoch time would be 1398902400.

Now that we have our Epoch timestamp, we can copy the records to the new table:

INSERT INTO history_uint_new SELECT * FROM history_uint WHERE clock > '1398902400';

Step 4 – Rename the history_uint and history_uint_new tables

ALTER TABLE history_uint RENAME history_uint_old;
ALTER TABLE history_uint_new RENAME history_uint;

Step 5 – Start the Zabbix server

Start the Zabbix server and check if everything is ok and if you’re happy…

Step 6 – Drop the old table and save some disk space

DROP TABLE history_uint_old;

Additionally, you can update the items table and set the history value of the items to fewer days, so Zabbix will do the automatic clean up before the table size gets too big.

UPDATE items SET history = '15' WHERE history > '30';