[ClearOS_6] Make ldap service listen to all IP

In ClearOS we can make the LDAP service listen on all interfaces by setting the Publish Policy option to All Networks, but, maybe for security reasons, the service published this way is not ldap but ldaps (LDAP over SSL), which listens on port 636.

Because the application that will use ClearOS LDAP as its authentication backend cannot use ldaps (this is hardcoded by the vendor), we need to force the ldap service (port 389) to listen on all IPs.

So here are the steps.

  • Edit the init script for slapd
vi /etc/init.d/slapd
  • Go to line number 72, then add the following lines.
for ip in $AUTOMAGIC_LANIPS; do
      harg="$harg ldap://$ip"
done
  • Save and exit, then restart the slapd service to apply the changes
service slapd restart
  • Make sure the modified file will not be replaced when the openldap-servers package is updated (do this at your own risk)
vi /etc/yum.conf
  • Under the [main] section, add the following line
exclude=openldap-servers
  • Make sure the ldap service port is listening on all available IPs.
netstat -tnap | grep LISTEN | grep 389

 


[ZIMBRA] Prevent User Customizing “FROM” header

Background

Some of our Zimbra customers are complaining that an authenticated user can customize the FROM header, which can lead to fraudulent email. This issue can be reproduced with Thunderbird when composing an email, as in the following picture.

customize_from_header.png

or by using this script; change the variables username, password, fake_from and to_addr based on your environment.

 

Solution

I created a customized milter engine using the Python milter library as my workaround, with the following features:


Enhance ClearOS 6 Password Policy

Background

Our customer uses ClearOS 6 (professional edition) to store user passwords, and almost all applications use it for external authentication, so users only have to remember one password; Zimbra is one of those applications.

Recently the public IP used for outgoing mail traffic was listed in an RBL, and by checking the server we found that some user accounts had been hijacked and were sending spam email to outside domains (gmail.com, outlook.com, etc.). I then set the suspected accounts' status to closed in Zimbra and reset their passwords to random values, but it still happens quite frequently.

Then I created a simple PHP script using the ClearOS API to scan for weak passwords (based on a list). Surprisingly, a bunch of users were using weak passwords such as “Passwd11”, “Paasword88”, etc., so I concluded that the built-in password policy in ClearOS is not good enough to prevent this.

Solution

Based on my experience creating and modifying ClearOS modules (as they are just PHP code), I modified the ClearOS user module to strengthen the password policy with the following criteria:

  • Maximum length
  • Minimum length
  • Minimum uppercase
  • Minimum numeric character
  • Minimum punctuation character
  • Forbid users from using their username within the password
  • Forbid users from using a password that is listed in the weak password list.
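
The criteria above, sketched as an added Python example (not the author's PHP module, and not ClearOS code). The threshold values, the function names and the username "budi" are assumptions made for illustration; the two weak passwords are the ones quoted in the post.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    # Assumed thresholds; the post lists the criteria but not their values.
    min_length: int = 10
    max_length: int = 64
    min_upper: int = 1
    min_digits: int = 1
    min_punct: int = 1


def normalize(text):
    """Fold case and drop non-alphanumerics so 'Passwd_11!' matches 'passwd11'."""
    return "".join(ch for ch in text.casefold() if ch.isalnum())


def check_password(username, password, weak_list, policy=PasswordPolicy()):
    """Return the list of violated rules; an empty list means accepted."""
    errors = []
    if len(password) < policy.min_length:
        errors.append("too_short")
    if len(password) > policy.max_length:
        errors.append("too_long")
    if sum(c.isupper() for c in password) < policy.min_upper:
        errors.append("min_upper")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        errors.append("min_digits")
    if sum(c in string.punctuation for c in password) < policy.min_punct:
        errors.append("min_punct")
    # Username match ignores case and separators ("budi.s" is found in "BudiS").
    user = normalize(username)
    if user and user in normalize(password):
        errors.append("contains_username")
    # Compare normalized forms so padding a listed password with punctuation
    # to satisfy the composition rules does not get it past the weak list.
    if normalize(password) in {normalize(w) for w in weak_list}:
        errors.append("weak_list")
    return errors


# Constructed sample list containing the two passwords quoted in the post.
WEAK_LIST = ["Passwd11", "Paasword88"]
```

"Passwd_11!" meets every composition rule under these thresholds and is rejected only by the weak-list check, which is the case the composition rules alone would miss.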


Icinga2 ido-mysql schema issue

I use icinga2 version 2.4 in my testing environment, but unfortunately it doesn’t include several features that I need for R&D, one of them being the InfluxDB Writer. So, just by adding the icinga2 PPA, the latest version (2.6) was installed, but icinga2 cannot run, with the following error message in the log file:

critical/IdoMysqlConnection: Schema version ‘1.14.0’ does not match the required version ‘1.14.2’ (or newer
Context:
(0) Reconnecting to MySQL IDO database ‘ido-mysql’
icinga2.service: Main process exited, code=exited, status=1/FAILURE

So the root cause of this issue is the different DB schema between icinga2 versions 2.4 and 2.6 in ido-mysql. I then applied the new schemas for 2.5 and 2.6 (this must be done sequentially).

for 2.5
mysql -uroot icinga2 < /usr/share/icinga2-ido-mysql/schema/upgrade/2.5.0.sql

then 2.6
mysql -uroot icinga2 < /usr/share/icinga2-ido-mysql/schema/upgrade/2.6.0.sql

Then restart the icinga2 service
# systemctl restart icinga2