To setup this you need an existing host that contains a mirror of Centos (you can get away without a mirror but syncing a mirror is so much faster than going out onto the internet to download all the necessary patches that may be required). If you do setup a mirror allocate about 150Gb of Diskspace to the mirror and sync it every evening using rsync.

On the host execute the following command:

yum install syslinux tftp tftp-server -y

Once the server is installed execute the following command:

chkconfig xinetd on
service xinetd restart

To copy the files to enable the clients to boot execute the following commands:

cd /var/lib/tftpboot
cp /usr/share/syslinux/menu.c32 .
cp /usr/share/syslinux/pxelinux.0 .
cp /opt/mirror/centos/6.3/os/x86_64/images/pxeboot/initrd.img .
cp /opt/mirror/centos/6.3/os/x86_64/images/pxeboot/vmlinuz .

NOTE: TFTP does not seem to work with symlinks so the files need to be copied.

When the server boots it will attempt to use it’s MAC address to determine what boot configuration it would use and will fall back onto a configration called “default”:

mkdir -p /var/lib/tftpboot/pxelinux.cfg
vi /var/lib/tftpboot/pxelinux.cfg/default

Enter the following information into the file and save it:

timeout 100
default menu.c32
 
menu title ########## JustNudge Boot Menu ##########
label 1
   menu label ^1) Install CentOS 6
   kernel vmlinuz
   append initrd=initrd.img devfs=nomount ks=http://nas.justnudge.com/centos6.ks
 
label 2
   menu label ^2) Boot from local drive
   localboot

The above example will automatically install Centos using a kickstart file that configures it as per our build standards.

To ensure that the above is picked up, add the following line to your dnsmasq configuration file:

dhcp-boot=pxelinux.0,nas.justnudge.com,192.168.1.50

Where the PXE server is nas.justnudge.com with an IP address of 192.168.1.50.

When started the VM will look like the following:

When I saw that Amazon had integrated it into AWS it got me thinking that we could use it to secure some of our perimeter Centos hosts using an SSH PAM module.  A little bit of searching showed that this was possible and this post details how it was done.

Installation

Install Centos 6.2.

Run “yum install make pam-devel -y”

Download the source for the PAM module here.

Unpack the installation running the following command:

[root@JNC6NET0004 install]# tar xfvj libpam-google-authenticator-1.0-source.tar.bz2
libpam-google-authenticator-1.0/base32.c
libpam-google-authenticator-1.0/demo.c
libpam-google-authenticator-1.0/google-authenticator.c
libpam-google-authenticator-1.0/hmac.c
libpam-google-authenticator-1.0/pam_google_authenticator.c
libpam-google-authenticator-1.0/pam_google_authenticator_unittest.c
libpam-google-authenticator-1.0/sha1.c
libpam-google-authenticator-1.0/base32.h
libpam-google-authenticator-1.0/hmac.h
libpam-google-authenticator-1.0/sha1.h
libpam-google-authenticator-1.0/totp.html
libpam-google-authenticator-1.0/Makefile
libpam-google-authenticator-1.0/FILEFORMAT
libpam-google-authenticator-1.0/README
libpam-google-authenticator-1.0/utc-time/
libpam-google-authenticator-1.0/utc-time/app.yaml
libpam-google-authenticator-1.0/utc-time/utc-time.py

Change to the extracted directory and execute the command “make install”:

[root@JNC6NET0004 libpam-google-authenticator-1.0]# make install
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator.o pam_google_authenticator.c
gcc -shared -g   -o pam_google_authenticator.so pam_google_authenticator.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o demo.o demo.c
gcc -DDEMO --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_demo.o pam_google_authenticator.c
gcc -g   -rdynamic -o demo demo.o pam_google_authenticator_demo.o base32.o hmac.o sha1.o  -ldl
gcc -DTESTING --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden        \
              -o pam_google_authenticator_testing.o pam_google_authenticator.c
gcc -shared -g   -o pam_google_authenticator_testing.so pam_google_authenticator_testing.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
gcc -g   -rdynamic -o pam_google_authenticator_unittest pam_google_authenticator_unittest.o base32.o hmac.o sha1.o -lc  -ldl
cp pam_google_authenticator.so /lib64/security
cp google-authenticator /usr/local/bin
[root@JNC6NET0004 libpam-google-authenticator-1.0]#

Installing the PAM module

Backup the file “/etc/pam.d/sshd” and add the following lines to it:

auth required pam_google_authenticator.so

Backup the file “/etc/ssh/sshd_config” and ensure the following lines are present:

PermitRootLogin no
ChallengeResponseAuthentication yes

Once these changes have been made restart SSH by executing the following command:

service sshd restart

Setting up the key for a user

su to the user that you want generate the token for:

[root@JNC6NET0004 libpam-google-authenticator-1.0]# su - mransley
[mransley@JNC6NET0004 ~]$

Execute the following commands:

[mransley@JNC6NET0004 ~]$ google-authenticator
 
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/mransley@JNC6NET0004%3Fsecret%3DXXXXXX
Your new secret key is: XXXXXXXXXXX
Your verification code is XXXXXXX
Your emergency scratch codes are:
  XXXXXXXX
  XXXXXXXX
  XXXXXXXX
  XXXXXXXX
  XXXXXXXX
 
Do you want me to update your "/home/mransley/.google_authenticator" file (y/n) y
 
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
 
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
 
If the computer that you are logging into is not hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
[mransley@JNC6NET0004 ~]$

You will notice above that it displayed a secret key and a URL, open the URL and it will show you 3D barcode.

Open the authenticator application and click the “Scan Barcode” button and scan the barcode from your screen.

You should then see the counter for the application.

Testing

Open up a new SSH terminal (such as Putty) to the host and login as the user that created the token above.

Enter the verification code from the Google authenticator.

Enter the user’s password.

All being well you should be able to login as shown below:

Looking at this from a technical point of view, the link directs users to the following on facebook:

Now unfortunately, this looks pretty legitimate except that if this was real the login would be an oauth login rather than prompting me for a username and password.  Also, the fact that is wrapped around facebook makes it look even more legitimate (the URL is a facebook URL).  When you submit the information into the page it sends the information to a server in France, although the hostname is owned by a lady in LA.

I have informed facebook that the application is inappropriate and hopefully it will be taken down shortly.  My suggestion is that facebook need to start looking at a vetting applications that are put onto their infrastructure to ensure that they are appropriate because this application clearly does things that are not nice (take a lesson from Apple here).

If you happened to receive a message from me, I do apologise – if you responded to it then please change your password as soon as possible or the same thing will happen to you.

My thoughts after 2 years of use are:

• I like the home screen and the ability to drop widgets onto the home screen.  This would be a great addition to the iPhone but given all the patent issues that have been happening between Android and iPhone this may not happen.
• The iPhone was a nicer device physically and appeared more durable, over time this has proven to be the case.  While both phones are showing signs of wear the Android is definitely suffering the most.
• The Android store is not as good as the iTunes store, in two years I never purchased an application on Android, although I used a number of free ones and the kids showed no interest in using the phone.

My main complaint with the Android is that the ecosystem is too fragmented.  This leads to the following problems:

• Applications sometimes don’t work on some phones.
• Because there are so many devices the vendors are less likely to update previously released phones.  My Android phone is telling me that I have no patches available for it and it is running Gingerbread so I have missed out on both Ice cream sandwich and Jelly Bean.  I could patch the iPhone to iOS 6 right now if I wanted to.  Strangely, if they supported my previous phone better I would be more likely to have purchased another one.  But my experience with Android is that when you buy it then that is pretty much it, you won’t get many changes over the contract.
• My Android came installed with a whole lot of junk applications that the phone company installed and I couldn’t get rid of, I could have rooted the device but I couldn’t really be bothered, but it was annoying none the less.

The outcome of this is that I am going to upgrade both phones to be iPhone 5′s.  My feeling is that Apple is interested in me keeping a iPhone for a long time and releases their phones in such a way that I miss an upgrade each time but will still be able to use the latest software.  I shall probably not get an iPhone 5S (released this time next year) but will probably be in the market for an iPhone 6 (or whatever) in two years.

Log into the machine and execute the following command:

cd /opt/IBM/HTTPServer/bin
./ikeyman

This displays the iKeyman utility:

Create the keystore

Select “Key Database File” and then choose the “New” option and enter the details for the new keystore that you are creating.  I tend to save the keystores in the same directory as the httpd.conf file but the choice is yours:

When you click OK, you will be prompted for a password for the keystore.  Also, ensure that you save the stash of the keystore as we will use this configuration later.

Create the key

Once you have created the keystore, we can create our key to go into it.  This is done by selecting the “New Self Signed” button in the bottom right hand corner of the iKeyman window.  Click on this window displays the following information:

You will note in the above image that only three fields have been filled out (the drop box values are defaults).  This is the common name (which defaults to the hostname of the machine), the key label (which I always make the same as the common name) and the validity (which I always make 10 years).  Clicking OK will create the certificate.  Once this is done you can exit iKeyman.

Modify IBM HTTP Server

We have created our keystore, now we need to add it into the IBM HTTP Server configuration.  This is done by adding the following information to the bottom of the httpd.conf file:

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
 
<IfModule mod_ibm_ssl.c>
  Listen 0.0.0.0:443
  <VirtualHost *:443>
    ServerName connection4.justnudge.com
    SSLEnable
  </VirtualHost>
</IfModule>
 
SSLDisable
Keyfile "/opt/IBM/HTTPServer/conf/key.kdb"
SSLStashFile "/opt/IBM/HTTPServer/conf/key.sth"

Test

Once this has been done, restart your HTTP Server and then test it in a browser.  In chrome you will get the red screen indicating that the certificate is untrusted:

And on examination of the certificate you can see it is the certificate that we created earlier:

Your IBM HTTP Server will now server “secure” content.  NOTE: You should not use this certificate for an external facing website.

AdminApp.edit('Activities', '[ -MapRolesToUsers [[ admin AppDeploymentOption.No AppDeploymentOption.No wadmin "" AppDeploymentOption.No user:jnRealm/uid=wadmin,ou=users,o=justnudge "" ]]]' )
AdminApp.edit('Blogs', '[ -MapRolesToUsers [[ admin AppDeploymentOption.No AppDeploymentOption.No wadmin "" AppDeploymentOption.No user:jnRealm/uid=wadmin,ou=users,o=justnudge "" ]]]' )
AdminApp.edit('Communities', '[ -MapRolesToUsers [[ admin AppDeploymentOption.No AppDeploymentOption.No wadmin "" AppDeploymentOption.No user:jnRealm/uid=wadmin,ou=users,o=justnudge "" ]]]' )
AdminApp.edit('Files', '[ -MapRolesToUsers [[ org-admin AppDeploymentOption.No AppDeploymentOption.No wadmin "" AppDeploymentOption.No user:jnRealm/uid=wadmin,ou=users,o=justnudge "" ]]]' )
AdminApp.edit('Forums', '[ -MapRolesToUsers [[ admin AppDeploymentOption.No AppDeploymentOption.No wadmin "" AppDeploymentOption.No user:jnRealm/uid=wadmin,ou=users,o=justnudge "" ]]]' )
AdminApp.edit('Forums', '[ -MapRolesToUsers [[ search-public-admin AppDeploymentOption.No AppDeploymentOption.No wadmin "" AppDeploymentOption.No user:jnRealm/uid=wadmin,ou=users,o=justnudge "" ]]]' )
AdminApp.edit('Homepage', '[ -MapRolesToUsers [[ admin AppDeploymentOption.No AppDeploymentOption.No wadmin "" AppDeploymentOption.No user:jnRealm/uid=wadmin,ou=users,o=justnudge "" ]]]' )
AdminApp.edit('Mobile Administration', '[ -MapRolesToUsers [[ administrator AppDeploymentOption.No AppDeploymentOption.No wadmin "" AppDeploymentOption.No user:jnRealm/uid=wadmin,ou=users,o=justnudge "" ]]]' )
AdminApp.edit('News', '[ -MapRolesToUsers [[ admin AppDeploymentOption.No AppDeploymentOption.No wadmin "" AppDeploymentOption.No user:jnRealm/uid=wadmin,ou=users,o=justnudge "" ]]]' )
AdminApp.edit('News', '[ -MapRolesToUsers [[ widget-admin AppDeploymentOption.No AppDeploymentOption.No wadmin "" AppDeploymentOption.No user:jnRealm/uid=wadmin,ou=users,o=justnudge "" ]]]' )
AdminApp.edit('Search', '[ -MapRolesToUsers [[ search-admin AppDeploymentOption.No AppDeploymentOption.No wadmin "" AppDeploymentOption.No user:jnRealm/uid=wadmin,ou=users,o=justnudge "" ]]]' )
AdminApp.edit('WidgetContainer', '[ -MapRolesToUsers [[ admin AppDeploymentOption.No AppDeploymentOption.No wadmin "" AppDeploymentOption.No user:jnRealm/uid=wadmin,ou=users,o=justnudge "" ]]]' )
AdminApp.edit('Wikis', '[ -MapRolesToUsers [[ admin AppDeploymentOption.No AppDeploymentOption.No wadmin "" AppDeploymentOption.No user:jnRealm/uid=wadmin,ou=users,o=justnudge "" ]]]' )
AdminConfig.save()

You will need to adjust the script for your administration username, my administration user is called wadmin and has a distinguished name in LDAP of uid=wadmin,ou=users,o=justnudge. Running the script can be done by executing the following command from your WebSphere bin directory:

cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin
./wsadmin.sh -lang jython -f connections-security.py

• Source control – I currently use a hosted subversion repository so don’t need to back that up.
• Virtual Machine Templates – I have templates for different operating systems to support my clients.
• Software – I store all my software on disks, I dislike DVD’s.
• Documents
• Virtual Machines
• Mail and Calendar – I use a cloud service for this so don’t need to back this up

Now breaking this down, each virtual machine template is about 6Gb, while a configured virtual machine can be up to 50Gb (IBM Connections for instance).  My software is about 140 Gb (various installers) and sits on a NAS VM running Centos 5.  Most of my virtual machines are Centos – I can build them very quickly (about 15 minutes) using kickstart files.

I have decided that none of the virtual machines require a complete backup.  Instead what I do is perform backups of core components (such as database backups) and in the event that I need to restore I will instead rebuild as I have detailed information on rebuilding each of my VM’s.  That said, I do have the ESX disks mirrored onto a separate machine incase of hardware failure.

This brings me to the point of the entire post, I believe that I am now OK in terms of a failure in relation to a single hardware failure.  The real problem is that what happens if I have a disaster (i.e. my primary and backup machines are destroyed/stolen).  Obviously using cloud storage is the best option, but there are a number of options out there.  I did some research on the best options and have come up with the following table:

Now, the service that initially sparked my interest in this was the announcement of Amazon Glacier. The service sounded like it was designed for my requirement, largely static data and in large files (my average file size is at least 1Gb). The service has two problems as far as I can see:

• There are very few clients for it, but this is a new service so not surprised here and in six months this point will be mute.
• Transfers in are free but transfers need to be factored in and make the $0.01 per GB per month charge look slightly less appealing. According to some calculations restoring 1 TB could cost you $1800

So after my disappointment with Glacier – I can see that Glacier has its great points (i.e. being a log retention service), but I believe that for me the best service is Google Drive. Would be keen to hear from anyone else about other online backup services that they use.

RT @mashable Angry Birds: 30 Million Daily Active Users and 300 Million Minutes of Gameplay Per Day - good for them, sad for society.

October 18, 2011 23:00 via HTC PeepReplyRetweetFavorite

@michaelransley

Michael Ransley

While all congratulations should go to the makers of the game, but not much mention has been made in the press as to what that figure 300 million minutes worth of gameplay actually means globally or more important to our society.  To break it down, this is:

• 5,000,000 hours – to put this figure into perspective, the average Australian’s life expectancy is 81.7 years (US and UK are slightly lower) or 711,984 hours.  This means that the equivalent of 7 lives every day are spent playing angry birds.
• If we assume time is money and instead of playing the game we gave money to charity at the rate of $10 per hour we would raise $50,000,000 per day, that’s $18.2 billion per year.  If we use the calculations that were used for Kim Kardashian’s wedding (which reportedly cost $17 million), the annual play time from angry birds could buy:
• 2 Billion new born child kits.
• 275 million girl’s educations.
• 481 million mosquito nets.

Now, you may read this and say ‘So what is your point?’  My point is that today we have access to tools and resources like never before in history and what are we doing with them?  Are we using it to better our community, nation or world – or are using these tools to…. well… waste time?

If we instead, all collectively, decided to spend just 10 minutes of our ‘game’ time each day to:

• Give someone a compliment
• Help someone we know in need
• Spend 10 minutes of quality time with loved ones
• Educated ourselves on some of the needs happening in the world

Suddenly we could be using 300 million minutes to impact our world.  Spending our time doing things that have greater significance or influence which has a higher sense of value.  It puts more bounce in your step and day.

We choose each day who we want to be and what kind of world we want to create.

As a husband and wife team, we decided we wanted to bring a different perspective to the Apple app store and we created an app called Abundantly.

Our goal with Abundantly is simply to help people from all walks of life to remember to live life each day abundantly. Our dream is to use social media to mobilise people all over the world, and joining together we can make our world a better place.

Aside from helping users enrich their own lives, we wanted to help charities. 10% of all the app’s profits are donated to selected charities monthly.

This widget uses a profile extension to allow the user to populate their twitter username using the edit profile functionality of IBM Connections.

For a limited time, Just Nudge is releasing this widget to the IBM Connections community free of charge.  To get the widget see our Twitter widget product page.  If you require any further information please contact us via email at sales@justnudge.com.

1

LCConfigService.checkOutConfig("/temp", "foo01Cell01")

The cell name is often hard to remember and differs between environments.  To run the command without having to specify the cell name, run the command as follows:

1

LCConfigService.checkOutConfig("/temp", AdminControl.getCell())