Using Let's Encrypt with OpenShift
Pip Oomen

When installing OpenShift, the default certificates that are being installed are self-certified. Although this gives you functional encryption, this is in no way best practice and is especially annoying for the route being exposed for the Hawkular metrics, which is integrated within the Web console.

Luckily there is a relatively easy (and did I mention it is free?) solution: use Let’s Encrypt as your certificate authority.

Installing Let’s Encrypt

Let’s Encrypt is an automated and open certificate ... [continue reading]

Using ssh_config(5) and FoxyProxy for fun and profit
Bjørn Ove Grødal Wærås

The other day, as I just had updated my workstation to Fedora 27, I realized maybe the Include statement in ssh_config(5) had been implemented. And indeed it had.

So it’s time to reorganize my ssh-config-generate script, FoxyProxy browser plugin for tunneling web traffic through SSH, and maybe even setting up systemd so I don’t have to manually initiate the SSH sessions!

Now why would I need this? Consider the following problem: I need to connect to the web interface of ... [continue reading]

iPXE and automated provisioning
Jónas Helgi Pálsson

Provisioning of new servers can be a daunting experience. Back in days it meant booting the machine with a CD or a DVD and doing manual choices. Automation of the installation process makes the process faster and less prone to human errors.

Network installation helps the process, but you still need to know the hardware to be able to automate provisioning.

When dealing with Virtual Machines, you decide the parameters for the hardware so the machines can be defined by ... [continue reading]

Care and feeding of SMTP honeypots
Bjørn Ruberg

In parallel with an SSH/telnet honeypot, I’m also running an SMTP honeypot using INetSim. The SMTP honeypot is only one of many functions of INetSim; this article will cover the SMTP component only.

The SMTP part of INetSim has been configured with the following settings in inetsim.conf:

start_service smtp smtp_bind_port 25 smtp_fqdn_hostname darkstar.example.org smtp_banner "SMTP Mailer ready." smtp_helo_required yes smtp_extended_smtp ... [continue reading]
Allow backup sysadmins to gain access through a
Tobias Brox

I want backup sysadmins to have login access to some systems, with said access rarely (if ever) used. To prevent abuse I’d like strong audit logging, logging that stands out from the rest of all the logging, logging that cannot be tampered with, and that can easily be followed up in case of abuse. I’ve been fixing a working setup through PAM, sending emails or instant messaging through third-parties. Jump down to the last section (“Specific complete examples”) to find ... [continue reading]

Running Jekyll with Docker and OpenShift
Lars Olafsen

OpenShift is currently en vogue in the company. The ease of use and scalability found in a container based system allows us to automate the build and deployment steps of containers through software like Kubernetes/OpenShift.

Jekyll

We have visited Jekyll in several previous blog posts. Our techblog and the SysAdvent calendar (decomissioned as per 2023) utilize the Jekyll software to produce a static site from markdown content. The content and templates is stored in Git repositories on an ... [continue reading]

A quick look at Thruk
Andre Bergei

Thruk comes natively with Naemon, and is a free and open source full drop in replacement web interface for Nagios, Icinga and Shinken. These are flexible tools for alerting us when something goes horribly wrong, and Thruk adds a few tricks for even better monitoring.

With this blog entry I will highlight some of Thruk’s nicer features, and show how easy it is to get get up and running in a couple of steps.

Introduction

Thruk is ... [continue reading]

Reduce disk bloat in PostgreSQL
Knut Ingvald Dietzel

Lately I have been working a bit with the monitoring platform Zabbix, and the instance in question is backed by the PostgreSQL RDBMS.

SQL and time-series

Apart from data regarding such as hosts, services and checks, a significant amount of the data in the RDMS is historical time-series data aggregated for over a year back in time.

There are several data-stores optimised for time-series data to choose from, as SQL is not the best choice for this, ... [continue reading]

fail2ban: To SSH and beyond
Bjørn Ruberg

fail2ban is one of several tools designed to protect other services by blocking unwanted and possibly repeating activities. Its most common use case is probably protecting the SSH server from brute-force attacks, where repeatedly failed login attempts will be generously rewarded with an iptables firewall ban or some other variant of blocking or null routing.

By monitoring the correct set of log files and applying regular expression patterns to the observations, fail2ban will extract and remember offending IP addresses. After ... [continue reading]

Getting started with OpenShift – The OpenShift all-in-one cluster
Pip Oomen

OpenShift Container Platform (OCP) builds on Docker for container-technology and Kubernetes for orchestration of those containers. OpenShift solves the network annoyances in Kubernetes and adds features like authentication and authorization, multi-tenancy, source-to-image (S2I) and templating of applications.

To easily get started with OpenShift development, the OpenShift client (oc) includes an all-in-one cluster that provides a seamless way to get up-and-running with a local OpenShift installation. The prerequisites are: