Would you like some cheese with your whine?
Archive for the ‘Administrivia’ Category.
Well it’s that time again… my favorite OS came out with an update and, well, I updated.
This one brought us new versions of MySQL and PHP as well as a bunch of other goodies and the whole thing went relatively flawlessly, so that’s nice.
Wow, I must be some kind of special… all of a sudden I started getting scads of “trackback spam”. Yep, them spammers found me, I’ve arrived.
Freakin’ losers.
So I’ve disabled trackbacks… all is good once again.
So I brought up an IPv6 tunnel from the fine people at Hurricane Electric. It’s kinda cool in it’s way. I can now see the the dancing kame, can you?
The gateway configuration was pretty straight foreward as HE has docs for configuring a gaggle of OSes. The client configuration was simply a snap. My OpenBSD boxen required only two config changes to autoconfigure on IPv6 and my work’s Windows lappy required just adding the IPv6 protocol to the network interface. Best of all the OS X 10.4 Macs just worked.
The harder part was handling such niceties as firewalling and DNS. My home network, like most, uses NAT to cram my home rfc1918 IP addresses into one IP address on the outside. There’s no need for this with IPv6 so now everything suddenly became both visible and accessable if you knew it’s 128bit IPv6 IP address.
Which brings us to DNS, which had similar issues. No longer were there such things as “internal addresses” and “external addresses” we’re all on the same friendly internet now. This took a few days to get right (and in fact am STILL tweaking on it) but it seems to be where I like it.
The only remaining issues is web serving over IPv6. OpenBSD’s Apache web server doesn’t support IPv6 out of the box, so if I want web services on IPv6 it’s www/lighttpd from ports.
Welp, I upgraded my blogging software, WordPress, to version 1.5.2 that among other things “addresses all of the security issues that have been circulating the past few days”.
Yeah, that’s nice. I looked and, at least the exploits I’ve seen, all seem to require 'register_globals' turned on in your php.ini file. In this day and age who actually leaves that setting on? I sure don’t.
Here’s the thing though, I still upgraded. Why? Because it’s a good idea to. In fact, it’s a freaking no brainer.
Interestingly last week I was researching vulnerabilities on the two main blogging packages my employer (oh c’mon, you didn’t think I’d miss a chance to pick on my employer, did you?) uses. I discovered several that were quite serious and when I pointed them out, I got the run around.
To be fair (well, a little fair anyway) my direct employer was much more open to updating and understood the seriousness (perhaps because they’ve already been 0wn3d once through the crappy forum software they use). That they don’t have the knowledgable assets on staff to do the upgrade is an issue for someone else to address :).
Anyway, from the more remote operation, I got the same old excuses:
Which, of couse can all be addressed, in order, with:
Once upon a time I’d just exploit their offending server and forward the results to senior directors. I’ve done that before and it generally nets results :). Of course while everyone is soooooo thankful for me pointing out their fly is open, folks are quick to qualify their thanks with nuggets like “…in the future…” and “…a little more professional…”.
So now I just rant on my blog about it. Would you like some cheese with your whine?.
Nice.
I updated the server to OpenBSD 3.7 last night (up from 3.5). It never goes exactly as planned.
The upgrade itself went smoothly but then I decided to rebuild all the installed ports. Not a big deal because I use a custom Makefile set up similarly to a ports subdir Makefile with only the ports I want. Of course actually having kept it up-to-date might have helped a bit :). Anyway, it took a while, but now we’re at PHP 5 now and a few other updates too.
I also redid my pf.conf firewall config, updating it for 3.7. That mostly consisted of converting macros into tables and minor clean up. I did have an issue with the new synproxy option breaking my email for a bit. I had to back that out :(.