Adding a secondary IP address on a Cisco ASA Ethernet interface

I have been working with various Cisco devices for many years now. Even though I hold a valid CCNP, I haven’t had the chance to work with Cisco devices during the past months as much as I did when I was actively working in the ISP field. Still, from time to time I take on small Cisco-related consulting projects. This post will show how to overcome the frustration of the top-of-the-line Cisco ASA firewalls not supporting interface IP aliases.

Cisco PIX firewalls have been around for many years and I was aware of the stupid limitation they had about not being able to add IP aliases on their interfaces. Again, this was many years ago… Today, when I had to configure a small Cisco ASA 5505 device, I didn’t even think that the fanciest line of Cisco firewalls still has this limitation. You could say that the 5505 is the cheapest model and this is the reason for the limitation. Well, it costs much more than any other similar hardware firewall and honestly every other box I have seen supports this (I can’t even call it a feature)… I can’t be certain as I don’t have such a device to test out, but from what I can tell, all the ASA product line has the same issue, including the higher level 5550 and 5580.

When should we expect Centos 5.2?

Last week RedHat released RHEL5.2 on the 21st, and probably most people running Centos 5 are wondering when they will get the updated Centos5.2 release as well. From past releases I have noticed that this takes a couple of weeks, close to a month, but I didn’t really track the exact time lag between the releases.

Reading from Tim Verhoeven’s explanation:

“For some background information, why does it take 3,5 weeks? First we need to remove all the logos and trademarks of Upstream. Secondly we need to build everything from source and this for both i386 and x86_64. Then everything that gets built goes past the QA team that verify that everything works as it should. From all the built packages install media will be created and these also need to be tested by the QA team. For each release a set of release notes are created and these are translated in different languages (12 for 5.1). Finally all the packages and media need to be uploaded and distributed to the mirror network so you can download it.”

From this we learn that we should expect Centos 5.2 to be released sometime around June 14th 2008 (sooner or later).

Linux filesystem defragmentation flame war

Earlier this week I read this article: “Defragmentation of Linux Filesystems”. The title and the headline made me interested enough to go ahead and read it and see if there was something there to show me that Linux filesystems do need defragmentation. The result was that I was not convinced at all, and on a quick check on some of my most used systems I could not see any defragmentation issues.

Still, the reason for this post is not a technical one, but a human one. Let’s see what my reaction to this particular article was:

  • I noticed it somehow, doesn’t matter how, and decided to read it
  • I didn’t agree with the author, and what did I do? Well, since I am extremely busy, I obviously moved on quickly to something else, without even looking back…
  • But what if I did have some time to kill? What could I do? Well, if I had a useful addition to the post I could have added my opinion. But what if I didn’t have anything useful to add, and nothing to do… Should I start an injurious comment and crush the author? Who would benefit from this? This is what I am trying to respond to in this post… just check out the comments and you will see what I mean.

eAccelerator 0.9.5.3 Released

eAccelerator released its latest stable version, 0.9.5.3, on 2008/05/18. It brings the following changes (from the changelog):

“Changes in this version (from 0.9.5.2):

  • Add patch from ticket 232: removes an unlock that isn’t needed there.”

Here is the full release information and download link: http://eaccelerator.net/wiki/Release-0.9.5.3

RHEL 5.2 (Tikanga) Released

Earlier this week, RedHat announced the second minor update to Red Hat Enterprise Linux 5: RHEL5.2. I was not able to update the rhel5 systems I manage until Friday, when it became available in the update channels:

    cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 5.2 (Tikanga)

Red Hat Enterprise Linux 5.2 enhancements are primarily focused in six areas:

  • Virtualization
  • Laptop and Desktop improvements
  • Encryption and Security
  • Cluster & Storage Enhancements
  • Networking & IPv6 Enablement
  • Serviceability

“Update brings broad refresh of hardware support and improved quality, combined with new features and enhancements in areas such as virtualization, desktop, networking, storage & clustering and security”

For full details check out the redhat press release.

openssl-vulnkey *.key

Hopefully by now most Debian sysadmins have updated their systems and regenerated any weak openssl keys found. After the disclosure from last week, the Debian team has done a great job to identify any possible affected program and any type of key, and for sure there are many ;-) .
Special pages were created to help people migrate their keys and also to identify if their keys are weak or not. In my previous post I discussed how to identify and regenerate the vulnerable ssh keys, obviously the most targeted by attacks against this issue. This post will answer the questions I have received by email on how you can identify and regenerate Apache PEM keys (SSL certificates).

ssh-vulnkey -a

Yesterday, 13 May 2008, was a really bad day for the Debian project, probably one of the worst days in the history of Debian. Luciano Bello discovered that the random number generator in Debian’s openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

Systems which are running any of the following releases are affected:
