Monday, January 25, 2010

working harder not smarter with redhat backporting apache

http://www.redhat.com/security/updates/backporting/?sc_cid=3093

use mod proxy ajp

(12:44:41 PM) The topic for #rhel is: Red Hat Enterprise Linux (RHEL) Discussion | Stable: 5.4, 4.8, 3.9 | EOL: 6.2E, 2.1 | pastebin: http://fpaste.org | related channels: #fedora, #centos, #rhn, #rhn-satellite, #spacewalk. Non RH extra package sites are http://fedoraproject.org/wiki/EPEL, http://rpmrepo.org/RPMforge/, http://rpmfusion.org and of course http://elrepo.org | Due to spamming only registered have voice
(12:45:03 PM) gws: yum says zlib is installed, and httpd complains it can't find zlib
(12:45:10 PM) gws: during compile
(12:45:13 PM) gws: ;)
(12:45:23 PM) Evolution: gws: 'yum install httpd' works fine
(12:45:34 PM) Evolution: gws: having said that, zlib isn't the same as zlib-devel
(12:45:43 PM) gws: nope security scan says 2.2.8+ and redhat 4 doesn't have that
(12:45:52 PM) rigeld2: gws: learn about backporting
(12:46:07 PM) gws: plus I'll be damned if i can get tomcat connectors and opensslk+ too
(12:46:08 PM) rigeld2: gws: http://www.redhat.com/security/updates/backporting/?sc_cid=3093
(12:46:10 PM) gws: for damn sec scan
(12:46:20 PM) Evolution: gws: your security scan is relying on version numbers. which is idiotic at best.
(12:46:30 PM) gws: yep corporate in texas is stupid
(12:46:59 PM) bip left the room (quit: "Lost terminal").
(12:47:15 PM) rigeld2: gws: Debatable :) I know an ex-corporate security guy (worked for Liondel) and they didn't use version numbers.
(12:47:26 PM) rigeld2: gws: Simple fix - don't report version numbers to scanners.
(12:47:46 PM) gws: oow, how do I do that?
(12:48:03 PM) rigeld2: gws: in apache? trying to remember the string in httpd.conf
(12:48:24 PM) gws: ok I was able to compile apache on another redhat 4 box, I just did yum install zlib-devel, should apache pick it up now?
(12:48:37 PM) delhage: ServerTokens Prod
(12:48:42 PM) gws: I thought it was an apachectl option or something
(12:48:43 PM) gws: hm
(12:48:49 PM) rigeld2: delhage++
(12:48:59 PM) aitrus: ServerTokens
(12:49:03 PM) aitrus: damnit, bork
(12:49:04 PM) rigeld2: gws: Change your ServerTokens line in httpd.conf, reload httpd and win
(12:49:22 PM) gws: looking..
(12:50:07 PM) makfinsky: rigeld2: Thanks for link!
(12:50:19 PM) rigeld2: makfinsky: ... which link? :p
(12:50:29 PM) gws: ah hah!
(12:50:33 PM) gws: now set to Full
(12:50:43 PM) makfinsky: The backporting one. Explaining that is a pita.
(12:50:48 PM) rigeld2: makfinsky: Ah.
(12:51:03 PM) rigeld2: makfinsky: I'd lmgtfy but not going to :p
(12:51:34 PM) makfinsky: Hehehe.
(12:51:54 PM) makfinsky: I had been using riel's presentation re: kernel patches from last year's summit.
(12:52:42 PM) makfinsky: However, the jump from kernel to apache was too great for some customers...
(12:53:20 PM) gws: wow you guys are good it was zlib-devel
(12:53:24 PM) gws: now apache compiling
(12:53:42 PM) rigeld2: gws: But you don't need to compile apache...
(12:53:46 PM) gws: well concept of backporting yes but getting management to BELIEVE it ya
(12:53:52 PM) Evolution: gws: seriously. that's the wrong way to go about fixing security issues.
(12:53:57 PM) makfinsky: Some folks like to re-invent the wheel.
(12:54:09 PM) rigeld2: gws: Have fun managing keeping up with updates for all the packages you compile
(12:54:12 PM) gws: ok so what should I do then?
(12:54:15 PM) rigeld2: gws: Oh, and what they break.
(12:54:17 PM) makfinsky: gws: They are paying for it already.
(12:54:17 PM) rigeld2: gws: Con'
(12:54:22 PM) aitrus: get a list of CVEs that they are concerned about
(12:54:32 PM) rigeld2: gws: Don't compile shit, check CVE
(12:54:33 PM) aitrus: and match those up with RH announcements
(12:54:38 PM) gws: yeah well I got it working on our other int environment, but it did take compile openssl, then apache, then compile modjk
(12:54:43 PM) rigeld2: 's with redhat, and watch RH backport the fixes.
(12:54:48 PM) gws: cve?
(12:54:59 PM) ***Evolution facepalms
(12:55:02 PM) gws: oh vulnerability report?
(12:55:06 PM) gws: ok ok I begin to see
(12:55:06 PM) Evolution: yes.
(12:55:09 PM) makfinsky: Evolution: Cluebat?
(12:55:14 PM) Evolution: makfinsky: yesplease.
(12:55:15 PM) nirik: http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
(12:55:18 PM) rigeld2: gws: Yeah, well, that's the wrong way to do it. Unless, like I said, you like managing all those packages.
(12:55:21 PM) riel: makfinsky: many security folks are beratungsresistent
(12:55:38 PM) gws: corporate got some outfit, that did a scan and gave us big spreadsheet
(12:55:44 PM) makfinsky: riel: :) I know.
(12:55:55 PM) crobinso [n=crobinso@c-24-62-100-20.hsd1.ma.comcast.net] entered the room.
(12:56:00 PM) makfinsky: That outfit wasn't worth the money they got paid.
(12:56:12 PM) Evolution: gws: yep. that's how it generally works. then you produce your own, point by point telling them why they need to go pound sand up their ass.
(12:56:15 PM) gws: as are most things our texas masters do, and they wonder why stock under 1$
(12:56:23 PM) makfinsky: I've educated all the security folks I know if they didn't already understand it.
(12:56:29 PM) Evolution: security audits are loads of fun.
(12:56:49 PM) gws: ok cool so I should 1 install apache binary 2 install openssl binary? 3 install mod jk?
(12:56:53 PM) riel: gws: even more fun if you do your analysis and ask the security folks if they can come up with a list of CVEs :)
(12:57:11 PM) gws: if I do so.....does redhat have backported openssl and modjk?
(12:57:14 PM) riel: chances are half of the security consultants out there won't have any idea what you talk about when you ask for CVEs
(12:57:15 PM) maxamillion: rigeld2: bleh, I was about to leave for class and then I get a jabber message from norma
(12:57:15 PM) gws: LOL
(12:57:18 PM) rigeld2: gws: If the security report doesn't include CVEs, it's a lot more annoying, but you can take the CVE's, match to RH fixes, and tell them it's fixed
(12:57:21 PM) Evolution: gws: mod_jk is ancient. proxy_ajp is the new hotness.
(12:57:22 PM) rigeld2: gws: ... Yes.
(12:57:30 PM) rigeld2: maxamillion: go to class
(12:57:41 PM) rigeld2: gws: Seriously, read the damn backporting page.
(12:57:43 PM) Evolution: gws: you can also query the bot here for particular CVEs
(12:57:43 PM) gws: I know but no one at work in dev uses proxy ajp and if I do that, then I gotta make it work.
(12:57:59 PM) maxamillion: rigeld2: in a sec, I still got like 2 and a half minutes
(12:57:59 PM) gws: I myself would like to use mod_proxy_ajp
(12:58:12 PM) Zathrus: gws: we've been over this with you before.
(12:58:30 PM) gws: also in production [yay at at&t managed services!] the modjk is used so boss says make it look like prod
(12:58:30 PM) rigeld2: Make sure I'm not retarded - importing a pem file into a java keystore is the wrong way to go about things, isn't it?
(12:58:31 PM) ***Zathrus thought the nick was familiar.
(12:59:05 PM) Evolution: rigeld2: I didn't think so.
(12:59:09 PM) gws: ok I will setup side environment and do it with binaries and mod_proxy_ajp
(12:59:10 PM) Evolution: why would that be bad?
(12:59:14 PM) makfinsky: gws: Getting support of mod_jk requires RH App Stack which is $7k per system per year. proxy_ajp is included in RHEL.
(12:59:44 PM) gws: oh no shit, I can just yum it?
(12:59:44 PM) rigeld2: Evolution: ... trying to figure out why I keep getting "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated" on my tomcat box, when all the involved certs are in the keystore
(12:59:55 PM) gws: I am doing thing hardway
(12:59:59 PM) rigeld2: gws: ... read the damn backporting document
(1:00:07 PM) gws: ok
(1:00:08 PM) rigeld2: gws: No shit Sherlock. That's what we've been saying
(1:00:27 PM) aitrus: hahahahaahhaha
(1:00:47 PM) aitrus: rigeld2: are the CA certs in the truststore?
(1:00:58 PM) rigeld2: aitrus: ... keystore != truststore?
(1:01:03 PM) aitrus: right
(1:01:13 PM) Evolution: gws: you're also doing it in a fashion that's going to add immense overhead to your life later on for updates.
(1:01:23 PM) aitrus: keystore holds client / server certs, truststore holds CA certs
(1:01:24 PM) Evolution: gws: this is EXACTLY the reason people use RHEL.
(1:01:31 PM) Evolution: the hard work is done for them by other people.
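The workflow the channel kept pointing gws at, as an added Python example that is not part of the original post or the IRC log: take the CVE list from the scanner's spreadsheet and check it against what Red Hat has already backported into the installed package, instead of rebuilding httpd from source. Red Hat records the CVE IDs each backported fix addresses in the RPM changelog, so `rpm -q --changelog httpd` is the evidence to hand back to the auditor; a version-string match on the `Server:` banner cannot see a backport at all, and `ServerTokens Prod` only shortens the banner, it does not fix anything. The changelog snippet and the CVE IDs below are constructed for the example (the IDs are not real advisories), and `installed_changelog()` is the live variant that only works on an RPM-based host.

```python
"""Match a scanner's CVE findings against the CVE IDs a vendor lists in
an RPM changelog.  Added example; not code from the #rhel log or Red Hat.
"""
import re
import subprocess

# A CVE identifier: CVE-<year>-<4 or more digits>.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed stand-in for what `rpm -q --changelog httpd` prints.
# Maintainer, versions and CVE IDs are made up for this example.
SAMPLE_CHANGELOG = """\
* Wed Jan 13 2010 Example Maintainer <maint@example.com> - 2.0.52-41.ent.6
- add security fix for CVE-2000-1001 (mod_proxy request handling)
- add security fix for CVE-2000-1002, CVE-2000-1003

* Mon Aug 03 2009 Example Maintainer <maint@example.com> - 2.0.52-41.ent.3
- rebuild against updated openssl
"""


def cves_in_changelog(changelog_text):
    """Return the set of CVE IDs mentioned anywhere in a changelog text."""
    return set(CVE_RE.findall(changelog_text))


def installed_changelog(package):
    """Fetch the changelog of an installed RPM.

    Live variant: needs the rpm tool, so it is not used by the offline demo.
    """
    proc = subprocess.run(["rpm", "-q", "--changelog", package],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def triage(scanner_cves, changelog_text):
    """Split scanner findings into CVEs the changelog says are fixed and
    CVEs that are unaccounted for (open, or fixed in a different package,
    or not applicable to this build: each needs a human look)."""
    fixed_ids = cves_in_changelog(changelog_text)
    # Scanners are inconsistent about case and whitespace; normalise.
    wanted = {c.strip().upper() for c in scanner_cves}
    return {
        "fixed": sorted(wanted & fixed_ids),
        "unaccounted": sorted(wanted - fixed_ids),
    }


if __name__ == "__main__":
    # Constructed scanner findings: two are covered by the backports above,
    # one is not and has to be chased separately.
    findings = ["CVE-2000-1001", "cve-2000-1003", "CVE-2000-2001"]
    result = triage(findings, SAMPLE_CHANGELOG)
    for cve in result["fixed"]:
        print("fixed by vendor backport:", cve)
    for cve in result["unaccounted"]:
        print("needs investigation:      ", cve)
    # On a real RHEL host you would pass installed_changelog("httpd")
    # instead of SAMPLE_CHANGELOG.
```

The "unaccounted" list is the only part that needs further work: look each ID up in the Red Hat advisory for the package (or ask the channel bot, as Evolution mentions) before concluding it is actually open. Reporting the matched IDs alongside the `rpm -q httpd` version is what makes the "it's fixed" answer defensible to an auditor who only has a banner version.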