Saturday, December 31, 2011

How to disable SSLv2 and Weak Ciphers and enable SSLv3 on Linux

To be compliant with the Payment Card Industry Data Security Standard (PCI-DSS) v1.2, we are required to “use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.”

Secure Sockets Layer (SSL) version 2 is considered weak cryptography in this respect, so SSLv2 has to be disabled and SSLv3 enabled. Assuming you already have OpenSSL installed, you can test the HTTPS connection from another remote server:

# openssl s_client -ssl2 -connect remote_server:443

If your server does not support SSLv2, you should receive the following error:
CONNECTED(00000003)
22255:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

If your server accepts SSLv2 connections, the handshake succeeds and s_client waits for input:
CONNECTED(00000003)

To use SSLv3 and TLSv1, you have to modify the SSLProtocol directive in httpd.conf or /etc/httpd/conf.d/ssl.conf. For example:
#SSLProtocol all -SSLv2
SSLProtocol -all +SSLv3 +TLSv1
On my /etc/httpd/conf.d/ssl.conf, the SSLCipherSuite directive is:
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
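To repeat the s_client check above across several hosts, here is an added Python helper (not from the original post) that wraps the same openssl s_client command and classifies its output using the two outcomes shown; classify_s_client, probe, audit and the host list are my own names, and remote_server is a placeholder as in the post. OpenSSL builds compiled without SSLv2/SSLv3 reject the -ssl2/-ssl3 options outright, which the helper reports as 'unknown' rather than as a pass.

```python
import re
import subprocess


def classify_s_client(output):
    """Classify the text openssl s_client produced for a single-protocol probe.
    'disabled': the server refused the protocol (handshake failure, as in the post)
    'ENABLED' : the handshake got through, so the server still speaks it
    'unknown' : the local openssl could not even try (option removed, no output)"""
    if re.search(r'unknown option|not supported|no protocols available'
                 r'|unsupported protocol', output, re.I):
        return 'unknown'
    if re.search(r'handshake failure|wrong version number|alert protocol version',
                 output, re.I):
        return 'disabled'
    if 'CONNECTED(' in output and 'error:' not in output:
        return 'ENABLED'
    return 'unknown'


def probe(host, port=443, proto='ssl2', timeout=15):
    """Run the post's command ('openssl s_client -ssl2 -connect host:443') for the
    given protocol flag and classify the result. stdin is closed so s_client does
    not sit waiting for input when the handshake succeeds."""
    cmd = ['openssl', 's_client', '-' + proto, '-connect', '%s:%d' % (host, port)]
    try:
        run = subprocess.run(cmd, input=b'', capture_output=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return 'unknown'
    return classify_s_client((run.stdout + run.stderr).decode('latin-1', 'replace'))


def audit(hosts, protos=('ssl2', 'ssl3', 'tls1')):
    """Return {host: {proto: status}}. Any 'ENABLED' under ssl2 fails the
    PCI-DSS requirement quoted in the post."""
    return {h: {p: probe(h, proto=p) for p in protos} for h in hosts}


if __name__ == '__main__':
    for host, result in audit(['remote_server']).items():   # placeholder host
        print(host, result)
```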

For more information, see
  1. How to Disable SSLv2 and Weak Ciphers (PCI Compliance) (http://almamunbd.blogspot.com)
  2. How to Disable SSLv2 and Weak Ciphers (PCI Compliance) (http://www.srcnix.com)


Friday, December 30, 2011

Important Apache (httpd) Security Update

An important security update for httpd, and the solution for:
  1. 'Devastating' Apache bug leaves servers exposed
  2. Apache released 2nd workaround for 'Devastating' Apache bug


A description of the bug can be found at CVE-2011-3192:

The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.

Solution:

# yum update httpd
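As a detection aid for the bug described above, here is an added Python check (not from the original post or the Apache project) that parses a Range header and flags the pattern the CVE text names: many ranges, or ranges that overlap. parse_byte_ranges and range_header_is_abusive are my own names, and the max_ranges=5 threshold is an assumed cut-off for a front proxy or log review, not a value from the page.

```python
import re

BYTES_RE = re.compile(r'^\s*bytes\s*=\s*(.*)$', re.IGNORECASE)


def parse_byte_ranges(header, size):
    """Parse an HTTP/1.1 Range header into absolute (start, end) pairs for a
    resource of `size` bytes. Returns None when the header is malformed;
    unsatisfiable ranges are dropped, as a server would do."""
    m = BYTES_RE.match(header)
    if m is None:
        return None
    ranges = []
    for spec in m.group(1).split(','):
        spec = spec.strip()
        if not spec:
            continue
        first, sep, last = spec.partition('-')
        if not sep:
            return None
        if first == '':                                   # suffix range: last N bytes
            if not last.isdigit():
                return None
            start, end = max(size - int(last), 0), size - 1
        else:
            if not first.isdigit() or (last and not last.isdigit()):
                return None
            start = int(first)
            end = int(last) if last else size - 1         # "N-" means N to end
        if start > end or start >= size:
            continue
        ranges.append((start, min(end, size - 1)))
    return ranges


def range_header_is_abusive(header, size, max_ranges=5):
    """True when the header requests more than max_ranges ranges, or ranges that
    overlap: each range is buffered separately, which is the memory/CPU pattern
    CVE-2011-3192 describes. Malformed headers return False (rejected anyway)."""
    ranges = parse_byte_ranges(header, size)
    if ranges is None:
        return False
    if len(ranges) > max_ranges:
        return True
    ranges.sort()
    for (_, prev_end), (start, _) in zip(ranges, ranges[1:]):
        if start <= prev_end:                             # overlaps the previous range
            return True
    return False
```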

Monday, December 19, 2011

Upgrading of Broadcom Drivers to resolve eth0 NIC SerDES Link is Down

If the post Encountering eth0 NIC SerDES Link is Down did not resolve your issue and you are still encountering "eth0 NIC SerDES Link" issues, upgrade the Broadcom drivers from your vendor's site and it will eliminate your issue immediately. Since my vendor is IBM, I downloaded the Broadcom BNX2 drivers:
Broadcom BNX2 driver version bnx2-2.0.23b for RHEL 5 - IBM System x and BladeCenter

If you are not sure which driver version you have, run:
# ethtool -i eth0

Version 2.0.8 and above should resolve the above issue.

Oh yes, if you are using IBM products and the above drivers from IBM, after unpacking the drivers from IBM and ensuring you have the necessary prerequisites, just do the following.

If you are using a free clone of Red Hat, which includes CentOS or Scientific Linux, you may want to temporarily modify the /etc/redhat-release information to simulate a real RHEL distribution, since vendor patches often require an RHEL distribution:

#CentOS release 5.4 (Final)
Red Hat Enterprise Linux AS release 5


# mkdir brcm
# cd brcm
# tar -zxvf brcm_dd_nic_netxtreme2-2.0.23b_1.62.15_rhel5_32-64.tgz
# ./install.pl --update 

 INSTALL_OPTIONS --yes --update


        Drivers will be installed/migrated to 2.6.18-164 version

----------------------------------------------------------------------
Checking kmod-brcm-netxtreme2-6.2.23-1.x86_64.rpm
WARNING: Non Whitelist symbol detected
----------------------------------------------------------------------
kmod-brcm-netxtreme2-6.2.23-1.x86_64.rpm installed successfully
SUCCESS

Saturday, December 17, 2011

sys_copy and scp -rpb error captured on pbs_mom logs

I was encountering an interesting scp error in my pbs_mom log file:

.......pbs_mom: LOG_ERROR::sys_copy, 
command '/usr/bin/scp -rpB  2014.Head-Node.OU 
userid@headnode:/home/xxx' failed with status=1, 
giving up after 4 attempts

It seems that the error may be due to the default MaxStartups 10 setting in /etc/ssh/sshd_config, which is too low a value, so scp may be overwhelmed.

According to the manual page:
MaxStartups - Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.


Try increasing MaxStartups to 100 in /etc/ssh/sshd_config:
MaxStartups 100 

Friday, December 16, 2011

Blade hangs on boot and "FW/BIOS, firmware progress (ABR Status) FW/BIOS ROM corruption"

Two of my blades hung on boot and suffered this "FW/BIOS, firmware progress (ABR Status) FW/BIOS ROM corruption" error. For more information on the resolution, see Blade hangs on boot and "FW/BIOS, firmware progress (ABR Status) FW/BIOS ROM corruption" message in AMM - IBM BladeCenter HS22, HS22V

From the site:


Symptom
When booting BladeCenter HS22 or HS22V with Integrated Management Module (IMM) build yuoo84c installed, the blade may hang at the "UEFI Platform Initializing" screen. The hang will be accompanied by the following event in the chassis Advanced Management Module (AMM) log:

FW/BIOS, firmware progress (ABR Status) FW/BIOS ROM corruption

Solution
This behavior is corrected in IMM firmware release yuoo91e and newer.
The file is or will be available by selecting the appropriate machine type on the 'Product View' of IBM Support's Fix Central web page, at the following URL:
http://www.ibm.com/support/fixcentral/systemx/groupView?query.productGroup=ibm%2FBladeCenter
Workaround
This failure may be reduced by disabling Internet Protocol Version 6 (IPv6) support for the IMM. This can be done via the following steps:
1. Boot the blade to the F1 Unified Extensible Firmware Interface (UEFI) setup screen.
2. Select "System Settings" and press Enter
3. Select "Integrated Management Module" and press Enter
4. Select "Network Configuration" and press Enter
5. Change "IP6" setting to "Disable"

Occasionally, the failure can be recovered by restarting the IMM. If this is not successful, then it is necessary to reseat the blade in the chassis to recover. After a reseat, the blade will boot normally.

Thursday, December 15, 2011

Unable to edit fstab as it is a read only file during repair

I unwittingly changed the label for a partition in /etc/fstab and was presented with a boot into bash.
When I tried to revert to the correct label for the partition, vi just could not save the newly edited settings; instead it gave the error message "Error writing fstab: Read-only file system".

To solve the issue, you have to remount the root file system:

mount -n -o remount / 
which worked fine for me.

Or
mount -n -o remount -t ext2 /dev/hda2 / 

Wednesday, December 14, 2011

Checking Torque Queue Attributes

If you wish to check the queue attributes fully, you can use the command:
qstat -f -Q  queuename

The output will be similar to:
Queue: dqueue
    queue_type = Execution
    total_jobs = 0
    state_count = Transit:0 Queued:0 Held:0 Waiting:0 Running:0 Exiting:0
    resources_default.neednodes = starfruit
    mtime = 1323678795
    resources_assigned.nodect = 0
    enabled = True
    started = True

Tuesday, December 13, 2011

Using vim editor to find and replace effectively

Taken from this excellent article: Vi and Vim Editor: 12 Powerful Find and Replace Examples

Here are a few examples that I love to use. You can see that this entry is a notepad for me.

Scenario 1: Replace all occurrences of a text with another text in the whole file
:%s/old-text/new-text/g
%s - specifies all lines. Specifying the range as ‘%’ means do the substitution in the entire file.
g flag - specifies all occurrences in the line. With the ‘g’ flag, every occurrence in the line is substituted. If the ‘g’ flag is not used, only the first occurrence in the line will be substituted.

Scenario 2: Replace a text with another text within a range of lines
:1,10s/old-text/new-text/gi
1,10 - Do the substitution from line 1 to line 10
i flag - Make the substitute search text to be case insensitive.


Scenario 3: Replace a text with another text for the first X lines
From the current position of the cursor, the command replaces in as many lines as the count given. For example, do the substitution in 10 lines starting from the current line:
:s/old-text/new-text/g 10

Scenario 4: Substitute only the whole word and not partial match
If you wish to change only the whole word "text" to "new-text":
Original Text: old to text
:s/\<text\>/new-text/
Translated Text: old to new-text


Sunday, December 11, 2011

How to associate compute nodes with a queue name with Torque

If you wish to use a queue that is locked to a selected group of nodes and allow only certain users to run on it, you may want to take a look at one contributor's reply on Rocks-Discuss:
[Rocks-Discuss] [Torque roll] How to associate 10 compute nodes with a queue name?

In his write-up:

========
qmgr -c "create queue vision queue_type=execution"
qmgr -c "set queue vision resources_default.neednodes = vision"
qmgr -c "set queue vision acl_hosts=c2-0-20+c2-0-21+c2-0-22+c2-0-27+c2-0-28+c2-0-29"
qmgr -c "set queue vision acl_host_enable = false"
qmgr -c "set queue vision acl_users=user1"
qmgr -c "set queue vision acl_users+=user2"
qmgr -c "set queue vision acl_users+=user3"
qmgr -c "set queue vision acl_user_enable=true"
qmgr -c "set queue vision enabled = True"
qmgr -c "set queue vision started = True"

qmgr -c "set queue default resources_default.neednodes = general"

for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 23 24 25 26 30 31 32 33; 
do 
        /opt/torque/bin/qmgr -c "set node c2-0-${i} properties = general"; 
done

for i in 20 21 22 27 28 29 ; 
do 
        /opt/torque/bin/qmgr -c "set node c2-0-${i} properties = vision"; 
done
========
 
For more information, also read up on
  1. 4.1 Queue Configuration (From Cluster Resources)
  2. Cluster Node-Locking with Torque and Maui (Wednesday, October 22, 2008)

Thursday, December 8, 2011

Configuration error when compiling octave with BLAS and LAPACK libraries

Take a look at Compiling Octave from Source on CentOS 5. However, you may face an error such as:
"configure: error: You are required to have BLAS and LAPACK libraries"

This is due to a missing link. For more information on this error, you may want to take some hints from:
Cannot find -llapack when doing /usr/bin/ld on CentOS 5

In other words, go to /usr/lib64 and create a symlink for the LAPACK library:
ln -s /usr/lib64/liblapack.so.3 /usr/lib64/liblapack.so
 

Friday, December 2, 2011

Encountering eth0 NIC SerDES Link is Down

I was noticing this error in my HS22 blade log files occasionally, and on one occasion the NFS, which relied on the Ethernet connection, got disconnected and hung when the load was exceedingly high. The problem is very hard to reproduce as it is quite random.

My server uses the Broadcom bnx2 chipset, and my CentOS version is 5.4 (kernel version 2.6.18-164.el5).

After a bit of searching, this particular Red Hat Bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=520888) reflects the problem and workaround very well. I encourage you to take a closer look. If you are not planning to upgrade your RHEL or CentOS to 5.6 (http://rhn.redhat.com/errata/RHSA-2011-0017.html) or above yet, you may want to consider the workaround mentioned in the bugzilla.



From Comment 14:

"Configuring IRQ SMP affinity has no effect on some devices that use message signalled interrupts (MSI) with no MSI per-vector masking capability. Examples of such devices include Broadcom NetXtreme Ethernet devices that use the bnx2 driver.

If you need to configure IRQ affinity for such a device, disable MSI by creating a file in /etc/modprobe.d/ containing the following line:

options bnx2 disable_msi=1

Alternatively, you can disable MSI completely using the kernel boot parameter pci=nomsi. (BZ#432451)"

Source: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Technical_Notes/Known_Issues-kernel.html

To check whether you are still having issues, you can use the command:
# dmesg |grep bnx2
I guess the best way is to update your Broadcom drivers. For the latest update on "NIC SerDES Link is Down", see my write-up Upgrading of Broadcom Drivers to resolve eth0 NIC SerDES Link is Down

Thursday, December 1, 2011

Using stunnel to create a self-signed certificate for SL 6 and CentOS 6

The stunnel program allows an administrator to create a self-signed certificate using the external OpenSSL libraries included with RHEL and its clones, to provide strong cryptography and protect connections. For more information on the installation and setup, see Using stunnel to create a self-signed certificate for SL 6 and CentOS 6