Security

This post appeared on the Rackspace Blog last week and I copied it here so that readers of this blog will see it.

Getting started with LXC is a bit awkward and I’ve assembled this guide for anyone who wants to begin experimenting with LXC containers in Fedora 20.

The openssl heartbleed bug has made the rounds today and there are two new testing builds or openssl out for Fedora 19 and 20:

I’ve received some very sophisticated phishing emails lately and I was showing some of them to my coworkers.

I stumbled upon this video earlier today via Tripwire’s Twitter feed:

I’ve made posts about the DevOps Weekly mailing list before.

Keeping an eye out for the DevOps Weekly email is something I’ve enjoyed since it started at the end of 2010.

Going to the dark side.

I stumbled upon a helpful guide to securing an apache server via Reddit’s /r/netsec subreddit.

I spent two days last week in a class called “Accounting and Finance for Non-Financial Managers” at UT Austin’s Texas Executive Education program.

The confined user support in SELinux is handy for ensuring that users aren’t able to do something that they shouldn’t.

It’s been a little while since I last posted about installing Xen on Fedora, so I figured that Fedora 19’s beta release was as good a time as any to write a new post.

While rolling through my RSS feeds, I found a great presentation by David Quigley titled “Demystifying SELinux”.

Changing my ssh port from the default port (22) has been one of my standard processes for quite some time when I build new servers or virtual machines.

A coworker heard me grumbling about Linux system administration standards and recommended that I review the CIS Security Benchmarks.

The wheel group exists for a critical purpose and Wikipedia has a concise definition:

This article appeared in SC Magazine and I’ve posted it here as well.

After many discussions with fellow Linux users, I’ve come to realize that most seem to disable SELinux rather than understand why it’s denying access.

I’m in the process of moving back to a postfix/dovecot setup for hosting my own mail and I wanted a way to remove the more sensitive email headers that are normally generated when I send mail.

It’s no secret that Google Reader is a popular way to keep up with your RSS feeds, but it’s getting shelved later this year.

This year’s RSA Conference was full of very useful content but the most useful session for me was a peer to peer discussion regarding BYOD on mobile devices.

I’ve been a big fan of the GPGTools suite for Mac for quite a while but I discovered some neat features when right-clicking on a file in Finder today.

My new role has caused me to look at information security in a different way.

Automating package updates in CentOS 6 is a quick process and it ensures that your system receives the latest available security patches, bugfixes and enhancements.

After a recent issue I had with some users in the Puppy Linux forums, I thought it might be prudent to write a post about how to monitor and protect your reputation online.

If you install vpnc via MacPorts on OS X, you’ll find that you have no openssl support after it’s built:

This problem came up in conversation earlier this week and I realized that I’d never written a post about it.

If you try to run Xen without libvirt on Fedora 17 with SELinux in enforcing mode, you’ll be butting heads with SELinux in no time.

Kristóf Kovács has a fantastic post about some lesser-known Linux tools that can really come in handy in different situations.

One of the handiest tools in the OpenSSL toolbox is s_client.

As promised in my earlier post entitled Kerberos for haters, I’ve assembled the simplest possible guide to get Kerberos up an running on two CentOS 5 servers.

Scientific Linux installations have a package called yum-autoupdate by default and the package contains two files:

I’ll be the first one to admit that Kerberos drives me a little insane.

I used to be one of those folks who would install Fedora, CentOS, Scientific Linux, or Red Hat and disable SELinux during the installation.

If you want to forward e-mail from root to another user, you can usually place a .

When you install Scientific Linux, it will keep you on the same point release that you installed.

SELinux isn’t a technology that’s easy to tackle for newcomers.

I’m using SELinux more often now on my Fedora 15 installations and I came up against a peculiar issue today on a new server.

There are few things which will rattle systems administrators more than a compromised server.

Diagram: OpenVPN to Rackspace Cloud Servers and Slicehost

One of the most common questions that I see in my favorite IRC channel is: “How can I secure sshd on my server?

After I wrote a recent post on best practices for iptables, I noticed that I forgot to mention comments for iptables rules.

Regardless of the type of hosting you’re using - dedicated or cloud - it’s important to take network interface security seriously.

If you want your iptables rules automatically loaded every time your networking comes up on your Debian or Ubuntu server, you can follow these easy steps.

Sometimes we find ourselves in places where we don’t trust the network that we’re using.

I spoke with a customer last week who was curious about enabling encrypted partitions on a DAS connected to their server.

MySQL has quite a few cryptic error messages, and this one is one of the best:

UPDATE: The TRACE/TRACK methods are disabled in Plesk 8.

Create a strong CSR and private key

Here’s a pretty weird kernel panic that I came across the other day: