• Are you where you want to be?
• Are you who you want to be?

• The getting lost was worth the coming home. 

• What I fear, I can create.  We must be willing to let go of the life we planned, so as to have the life that is waiting for us.

Great article by Pete Freitag on Securing Apache Web Servers
(20 ways to Secure your Apache Configuration)

Here are 20 things you can do to make your apache configuration more secure.

Disclaimer: The thing about security is that there are no guarantees or absolutes. These suggestions should make your server a bit tighter, but don’t think your server is necessarily secure after following these suggestions.

Additionally some of these suggestions may decrease performance, or cause problems due to your environment. It is up to you to determine if any of the changes I suggest are not compatible with your requirements. In other words proceed at your own risk.

First, make sure you’ve installed latest security patches

There is no sense in putting locks on the windows, if your door is wide open. As such, if you’re not patched up there isn’t really much point in continuing any longer on this list.

Hide the Apache Version number, and other sensitive information.

By default many Apache installations tell the world what version of Apache you’re running, what operating system/version you’re running, and even what Apache Modules are installed on the server. Attackers can use this information to their advantage when performing an attack. It also sends the message that you have left most defaults alone.

There are two directives that you need to add, or edit in your httpd.conf file:

ServerSignature Off
ServerTokens Prod

The ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.

The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting it to Prod it sets the HTTP response header as follows:

Server: Apache

If you’re super paranoid you could change this to something other than “Apache” by editing the source code, or by using mod_security (see below).

Make sure apache is running under its own user account and group

Several apache installations have it run as the user nobody. So suppose both Apache, and your mail server were running as nobody an attack through Apache may allow the mail server to also be compromised, and vise versa.

User apache
Group apache

Ensure that files outside the web root are not served

We don’t want apache to be able to access any files out side of its web root. So assuming all your web sites are placed under one directory (we will call this /web), you would set it up as follows:

<Directory />
  Order Deny,Allow
  Deny from all
  Options None
  AllowOverride None
</Directory>
<Directory /web>
  Order Allow,Deny
  Allow from all
</Directory>

Note that because we set Options None and AllowOverride None this will turn off all options and overrides for the server. You now have to add them explicitly for each directory that requires an Option or Override.

Turn off directory browsing

You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes

Options -Indexes

Turn off server side includes

This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes

Options -Includes

Turn off CGI execution

If you’re not using CGI turn it off with the Options directive inside a Directory tag. Set Options to either None or -ExecCGI

Options -ExecCGI

Don’t allow apache to follow symbolic links

This can again can be done using the Options directive inside a Directory tag. Set Options to either None or -FollowSymLinks

Options -FollowSymLinks

Turning off multiple Options

If you want to turn off all Options simply use:

Options None

If you only want to turn off some separate each option with a space in your Options directive:

Options -ExecCGI -FollowSymLinks -Indexes

Turn off support for .htaccess files

This is done in a Directory tag but with the AllowOverride directive. Set it to None.

AllowOverride None

If you require Overrides ensure that they cannot be downloaded, and/or change the name to something other than .htaccess. For example we could change it to .httpdoverride, and block all files that start with .ht from being downloaded as follows:

AccessFileName .httpdoverride
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

Run mod_security

mod_security is a super handy Apache module written by Ivan Ristic, the author of Apache Security from O’Reilly press.

You can do the following with mod_security:

• Simple filtering
• Regular Expression based filtering
• URL Encoding Validation
• Unicode Encoding Validation
• Auditing
• Null byte attack prevention
• Upload memory limits
• Server identity masking
• Built in Chroot support
• And more

Disable any unnecessary modules

Apache typically comes with several modules installed. Go through the apache module documentation and learn what each module you have enabled actually does. Many times you will find that you don’t need to have the said module enabled.

Look for lines in your httpd.conf that contain LoadModule. To disable the module you can typically just add a # at the beginning of the line. To search for modules run:

grep LoadModule httpd.conf

Here are some modules that are typically enabled but often not needed: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.

Make sure only root has read access to apache’s config and binaries

This can be done assuming your apache installation is located at /usr/local/apache as follows:

chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache

Lower the Timeout value

By default the Timeout directive is set to 300 seconds. You can decrease help mitigate the potential effects of a denial of service attack.

Timeout 45

Limiting large requests

Apache has several directives that allow you to limit the size of a request, this can also be useful for mitigating the effects of a denial of service attack.

A good place to start is the LimitRequestBody directive. This directive is set to unlimited by default. If you are allowing file uploads of no larger than 1MB, you could set this setting to something like:

LimitRequestBody 1048576

If you’re not allowing file uploads you can set it even smaller.

Some other directives to look at are LimitRequestFields, LimitRequestFieldSize and LimitRequestLine. These directives are set to a reasonable defaults for most servers, but you may want to tweak them to best fit your needs. See the documentation for more info.

Limiting the size of an XML Body

If you’re running mod_dav (typically used with subversion) then you may want to limit the max size of an XML request body. The LimitXMLRequestBody directive is only available on Apache 2, and its default value is 1 million bytes (approx 1mb). Many tutorials will have you set this value to 0 which means files of any size may be uploaded, which may be necessary if you’re using WebDAV to upload large files, but if you’re simply using it for source control, you can probably get away with setting an upper bound, such as 10mb:

LimitXMLRequestBody 10485760

Limiting Concurrency

Apache has several configuration settings that can be used to adjust handling of concurrent requests. The MaxClients is the maximum number of child processes that will be created to serve requests. This may be set too high if your server doesn’t have enough memory to handle a large number of concurrent requests.

Other directives such as MaxSpareServers, MaxRequestsPerChild, and on Apache2 ThreadsPerChild, ServerLimit, and MaxSpareThreads are important to adjust to match your operating system, and hardware.

Restricting Access by IP

If you have a resource that should only by accessed by a certain network, or IP address you can enforce this in your apache configuration. For instance if you want to restrict access to your intranet to allow only the 176.16 network:

Order Deny,Allow
Deny from all
Allow from 176.16.0.0/16

Or by IP:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

Adjusting KeepAlive settings

According to the Apache documentation using HTTP Keep Alive’s can improve client performance by as much as 50%, so be careful before changing these settings, you will be trading performance for a slight denial of service mitigation.

KeepAlive’s are turned on by default and you should leave them on, but you may consider changing the MaxKeepAliveRequests which defaults to 100, and the KeepAliveTimeout which defaults to 15. Analyze your log files to determine the appropriate values.

Run Apache in a Chroot environment

chroot allows you to run a program in its own isolated jail. This prevents a break in on one service from being able to effect anything else on the server.

It can be fairly tricky to set this up using chroot due to library dependencies. I mentioned above that the mod_security module has built in chroot support. It makes the process as simple as adding a mod_security directive to your configuration:

SecChrootDir /chroot/apache

There are however some caveats however, so check out the docs for more info.

Acknowledgments

I have found the book Apache Security to be a highly valuable resource for securing an apache web server. Some of the suggestions listed above were inspired by this book.

From HP headlines:

Imagine setting out on a journey without a map and signposts. That’s what it would be like if you tried to do your job without feedback from customers, partners, members of your team, and other key stakeholders, said Piau-Phang (PP) Foo, managing director and senior vice president of Global Sales, Asia Pacific and Japan (APJ), in a recent Leading Ideas webcast.

Feedback can be a powerful tool to foster learning and drive better performance. “When executed well and on a consistent basis, it helps get people on track,” said Foo. “It serves as a guide to assist people to know how they are doing and how others perceive their performance.”

Foo cited research that shows that companies that provide frequent feedback energize and motivate their workforce to better performance. They have higher levels of customer satisfaction, hire and retain the best talent, and have better business outcomes.

But giving and receiving feedback, which Foo said is “an objective message about behavior and consequences,” can be challenging. And if you’re like many others, you’ve likely had at least one negative experience when feedback degraded into a verbal wrestling match, an argument about who’s right and wrong.

It doesn’t have to be this way, said Foo. With a little bit of knowledge and preparation, all of us can get better at giving and receiving feedback.

Ten tips for giving feedback

In his webcast, Foo offered HP leaders a range of practical and inspiring ideas for making feedback a competitive advantage, starting with giving feedback:

1. Set expectations.When someone new joins his team, Foo lets that person know that he typically offers prompt feedback. At the same time, he invites the new employee (and everyone else on his team) to give him prompt feedback, as well.
2. Make it informal.Foo tries to make feedback a regular occurrence. “Feedback works best if it is a continual process and not something you do only once or twice a year in a formal session,” he said. “Sometimes, I say to one of my subordinates, ‘Hey, let’s grab a quick lunch so I can give you some feedback.’”
3. Stay focused.Foo says that it is important to focus on just one or two topics at a time—maybe three at the most—so the person receiving feedback is not overwhelmed.
4. Discuss actions, not attributes.People tend to be more open to practical ideas and suggestions that could enhance their job performance than they are to feedback related to aspects of their personality.
5. Be specific.Convey the facts in an objective way, said Foo. For example, describe how an employee’s actions have had an impact on a customer or another member of the team. Avoid expressing emotions and feelings, which can put the other person on the defensive.
6. Check your assumptions.If you plan to give feedback based on something you’ve heard, be sure to investigate the situation for yourself so you can understand the bigger picture and have more empathy. Careless feedback can harm a relationship. “Whatever feedback you give, make sure it’s correct,” Foo said.
7. Be aware of your motivation.People sometimes use “feedback” as a way to get even with or belittle someone. But that’s not true feedback, said Foo. If you are upset about something, take a time out. “Cool down a little bit. Don’t overreact,” he advised.
8. Be balanced.Don’t just focus on the negative. Take a look over a period of time and give specific examples of what the person receiving feedback has done well. Acknowledge his or her contributions to customers and the team.
9. Suggest ways to improve.It’s easy to say that something’s wrong, but the person giving feedback should spend time in advance thinking about ways to improve. “It’s not up to you to come up with all the solutions, but you can start the process,” said Foo.
10. Agree on a time to follow up. Following up can help make feedback stick, but rather than imposing a timeframe, Foo suggests asking the person receiving feedback when he or she would like to talk about the matter again.

Five tips for receiving feedback

Foo also offered practical insights for receiving feedback:

1. Go beyond welcoming feedback; ask for it.If you really want to benefit from feedback, seek it, Foo advised. “Make an effort. It can be as simple as sending a quick email to a colleague and saying, ‘How did I do?’”
2. Manage your emotions.Many of us find it easy to receive feedback when it is positive, but the moment we hear something challenging, we tend to get defensive. “You really need to manage your emotions,” said Foo. “Evaluate the situation before you respond.”
3. Don’t argue, deny, or try to justify.If the feedback you receive catches you by surprise, try to understand the other person’s point of view before you react. Ask for specific examples. For instance, you could say, “When did you see me doing that?”
4. Keep the proper perspective.Feedback usually relates to a specific area of your life, and now you have the opportunity to do something about it. Remember that it’s not about your entire life or you as a person.
5. Take action. After receiving feedback, you have to make a choice: Are you going to act on it, or are you going to ignore it? “I think we have to take action,” said Foo. “If people are willing to give us feedback and we make an effort, it makes an impression.”

Creating a culture of feedback

Feedback can help us learn, grow, and be more fulfilled in our jobs. It can help our team reach higher levels of performance. For these reasons, Foo suggests letting others know that you are open to receiving feedback. Those who might offer you helpful suggestions include people on your team, others in HP, partners and customers.

“Feedback is one of the cheapest, most flexible, yet most powerful tools available to everybody for personal and business success,” said Foo. “It is also perhaps the most underused tool that we have to facilitate learning. I would encourage everybody to use it more often.”

Production site is www.networkforensics.us (or www.pomeroy.us)
Development site is dev.networkforensics.us (or dev.pomeroy.us)

Assumptions:
- webserver root directory is /var/web
- production node is called prod
- development node is called dev
- WordPress database is called wpdb

Procedure to copy production WordPress instance to the development node:
1. Copy webserver www root dir via a tarball
tar czf prod-20110909.tgz /var/web

2. Dump the WordPress database to a MySQL dmp file:
mysqldump -u$mysqluser -p$mysqlpass wpdb | \
 gzip -c > prod-20110909.dmp.gz

3. Copy these two backup files to the dev node:
scp prod-20110909* user@dev:.

On the development node:
4. Unpack the webserver tarball:
mv /var/web /var/web.previous
cd /
tar xzvf prod-20110909.tgz

5. Drop the WordPress database and restore the new version:
mysql> drop database wpdb;
mysql> create database wpdp;
$ gunzip prod-20110909.dmp.gz
$ mysql -u$mysqluser -p wpdb < prod-20110909.dmp

6. Update the WordPress 'siteurl' and 'home' options to point to the development node:
update wp_options set option_value='http://dev.pomeroy.us' where option_name='siteurl';
update wp_options set option_value='http://dev.pomeroy.us' where option_name='home';

Should be all done!

Ok, next time we’re in Indianapolis to see the Colts, we’re checking out these places:

Zest
1134 E. 54th St.
Indianapolis, IN 46220
(317) 466-1853
www.zestexcitingfood.com/

MySQL Command Line and Configuration Notes

Drop tables with wildcard:

There are multiple ways to specify MySQL credentials, this is not the best, but simply an example of how to drop tables using a wildcard pattern. In this case, command line history such as .bash_history will store your MySQL username and password plaintext, and an extended process listing will also reveal both username and password. When run from the command line like this, the SQL commands and the credentials are not stored in the MySQL history file (.mysql_history).  On closed (private) systems, the risk is low, especially if you clean up after these maintenance activities by purging the command histories.

mysql -u user -p password database -e "show tables" | grep "table_pattern_to_drop_" | awk '{print "drop table " $1 ";"}' | mysql -u user -p password database

There are times when moving or copying WordPress blogs from one server to another, the owner may want to update the URL associated with the specific site.

A simple MySQL update can match the WordPress blog to a new site URL:

mysql> select option_value from wp_options where option_name = 'siteurl';

+--------------------------------+
| option_value                   |
+--------------------------------+
| http://www.example.com |
+--------------------------------+
1 row in set (0.00 sec)

mysql> select option_value from wp_options where option_name = 'home';

+--------------------------------+
| option_value                   |
+--------------------------------+
| http://www.example.com |
+--------------------------------+
1 row in set (0.00 sec)

mysql> update wp_options set option_value='http://server.newsite.com' where option_name='siteurl';

Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

mysql> update wp_options set option_value='http://server.newsite.com' where option_name='home';

Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0
 

Jan Pomeroy passed away in May 2010. This is what some of her family had to say at her memorial:

John:

Mom was the quiet strength behind our family.

We grew up in a very busy household, first on the Acreage then at Vicary Place. The activities that we participated in while growing up, be it; academic, sport or social were facilitated by Mom.

Throughout my life friends have expressed surprise when they learn that I can cook dinner, wash the dishes, clean the bathroom, iron my shirts, and take out the trash. Of course I can, Mom would not have had it any other way.

I started mountaineering when I was young. Dad introduced it as one of the many activities the 31^St Tiger Scout Troup was involved in. Climbing became a passion of mine, for many years I spent weekends and the summers climbing at Alpine Club camps or with a few friends. It was Mom that made sure that it was all possible, she made gorpe for breakfasts, she made biscuit and meat bars for my lunches, and she dehydrated everything required for suppers. Mom arranged transportation until I was old enough to drive, she then gave up her own car until I had my own.

The winters where for skiing, again it was Mom that made all the parts come together. Mom sewed gaiters for us. She then taught us to operate the sewing machine so we could make our down jackets and pants.

Mom had that ability to keep all of us kids under her protective umbrella while living a very busy and rich life herself.

It was not until a little later in life when I truly appreciated just how special Mom was. Mom rarely showed or gave voice to her fears about our life style choices. Although it did poke its head up a few times. Once, I was very late coming down off a particular climb on Yamnuska because we got had gotten off the route, a little lost. When the two of us were sitting behind the car taking off our climbing boots a RCMP cruiser pulled up, the constable rolled down his window and asked “Are you Pomeroy” I said “Yes”, and I got told “Call your Mother”.

Whatever I did in life Mom supported it, both the failures as well as the successes.

I consider myself very blessed to have been Janet Pomeroy’s son. I feel like I will always be under her umbrella as I continue through the journey that is my life.

I am very grateful that I was able to return a little bit of that protective care as Mom needed it.

Good Bye Mom.

Allen:

People say that parents set the value and moral goal posts and hope their kids develop the ability to make judgment decisions that would make the parents proud. Jan did it.

Mom could cook. The whole gamut. For example .. Fresh bread right out of the oven; the kids slicing the heel off both sides of the loaf (before we got caught) .. of course smothered in butter and sometimes, brown sugar. Her famous Pomeroy family chili. The chili was just another example of Mom’s consideration for others. If the dinner table included guests that didn’t appreciate the Pomeroy level of spice, she made both Family and Company chili. Jan just did it.

Mom exhibited traits that we kids wanted to emulate .. humour, kindness, loyalty, class, complexity and yes .. clairvoyance. She almost always anticipated what was troubling us or what kind of trouble we got into. Mom’s really do have eyes in the back of their heads .. or maybe they are just very good at reading child behavior. As it turns out, sometimes those forensics really didn’t have to very good .. she just had to look for the abnormally clean house to know there was a party while the parents were away. Then Jan really did it.

Mom really knew how to do things. Whether it was her kids or her long time friends asking for help or advice on how to tackle a particular problem, we all thought: “Jan will know”. Of course. Jan’s done it.

Mom was the organizational glue that held the family and her friends together whether it was camping, skiing, hiking, making wine, or just keeping all of the kids in line, Jan did it.

Mom could make all of us kids (including Dad) and her friends succeed by quietly and gracefully supporting and encouraging us to do the right things. Jan just did it.

Mom will be missed, but she leaves a rich legacy: her kids and grandkids can cook, hike, camp, make beer, build houses and companies, perform forensics, engineer, and continually strive for more education and growth. I know her family and friends are richer because of her influence.

Now we all do it.

I would like to take this chance to extend a deep thank you to all the out-of-town travelers, our in-town friends and family, as well as the skilled and caring staff at EMS, Foothills Medical Centre Unit 100 and Chinook Hospice.

Here’s some notable CLI entries that I refer to occassionally. You can also select the Notes category and you’ll get more specific topics such as Linux LVM and Mac OS X commands.

Mac OS X:

sudo /usr/sbin/sysctl -w net.inet.ip.fw.enable=1
sudo /sbin/ipfw -q /etc/firewall.conf
sudo ifconfig en0 lladdr 00:1e:c2:0f:86:10
sudo ifconfig en1 alias 192.168.0.10 netmask 255.255.255.0
sudo ifconfig en1 -alias 192.168.0.10
sudo route add -net 10.2.1.0/24 10.3.1.1


Linux:
rpm commands:
List files in an rpm file
rpm -qlp package-name.rpm

List files associated with an already installed package
rpm --query –-filesbypkg package-name


Find all the AD groups a particular user belongs to:
dsquery user -samid username | dsget user -memberof

Find all members of an AD group:
dsquery group -samid groupname | dsget group -members

Find all inactive users:
dsquery  user -disabled -inactive 12