Roachys Weblog

We’ve been having problems with Microsoft Office Format files opening as read only from our NAS here on Fedora 10 clients. OpenOffice 3 creates file locks on opening the file, resulting in users being unable to save files.

On doing some reading, this can be alleviated by mounting the share using cifs rather than smbfs. On the client machines we have created a folder in media called N (mkdir /media/N), then mounted using the following:

mount -t cifs //10.204.6.5/N /media/N -o username=<username>,password=<password>,rw,iocharset=utf8,nobrl,nounix,sfu,file_mode=0777,dir_mode=0777

note the nounix option – this prevents the file locks from causing problems within OpenOffice.  The sfu option preserves the date and time modifcation values.

The Network-Manager pptp client in F10 just wasn’t working for me.  Nothing in the logs, not output….just nothing at all. The pptpconfig client is  a far better solution – it’s available from : http://pptpclient.sourceforge.net.  Unfortunately there are no installation documents available for F10 – it is easy to install though:

#rpm -Uvh http://pptpclient.sourceforge.net/yum/stable/fc10/pptp-release-current.noarch.rpm

# yum –enablerepo=pptp-stable install pptpconfig

# pptpconfig

….enter the details of your PPTP account and connect.  Add additional routes if required

Well, the time has come to say goodbye to Ubuntu.  It’s been a fun relationship, but alas it’s time for it to end.  That’s not to say that the problem I have is with Ubuntu – it’s actually with a variety of circumstances that have caused me a MAJOR headache.

The problem lay within Debian and the OpenSSL project.  It seems that the package maintainers for Debian fixed a bug in OpenSSL without passing the fix upstream to the OpenSSL maintainers to check.  This fix has resulted in a major insecurity in a vast number of packages that depend on OpenSSL for any distribution that sits downstream of Debian.

http://www.technologyreview.com/Infotech/20801/

While there is now an official resolution for this problem, it’s shaken my confidence in the way the Debian package maintainers apply bugfixes in their haste to get new releases out the door.

For those interested, the official resolution page on the Debian site is here.

Bear in mind that I run 5 Ubuntu machines (desktops and servers, work and home) each running some of the affected programs…..it’s a phenomenal headache for me.  Now picture those with hundreds (even thousands) of servers and workstations.   I can’t begin to imagine the trauma they are going through….

It’s because of this break of confidence that I have decided to cease using Ubuntu.  If the Debian package maintainers have disregarded policy in order to add value to their distribution in this case, where else have they fixed issues that may or may not have significant consequences…

I’ve played with Fedora previously – quite liked it as a distro, but preferred the user friendliness of Ubuntu – easy to use, but with all the benefits associated with most other Linux distributions.  I could do a Ubuntu install in 15 minutes that would be suitable for most people, with full hardware support – but for more intensive server applications, all the boxes were ticked too.

So, I’m now in the process of my Fedora migration….starting with this laptop.

The Project

Having now got my head around working with Linux, I’ll be putting what I know to the test with a large(r) project.

I have a Dell Poweredge 1600SC server left over from a former enterprise at home – this currently runs Windows Server 2003, with Exchange 2003. It has a 73Gb RAID 5 array with SCSI disks and has dual NICS. It also hosts a couple of websites and has a Quantum DLT 80/160 drive I’ve been toying with the idea of selling it (all licences are legit, OEM and included), but I’m now leaning towards integrating it into this project. I also run a knackered old P75 with IPCop.

The scope of the project is to bring the server functionality and firewall under the same box. Yes this is less effective from a security perspective (particularly when you consider I’ve done nothing on this scale on Linux before, and therefore am likely to create a couple of vulnerabilities inadvertently), but it’s a learning curve and I’m keen to try my hand at something like this. I’m fully aware that there are some open source projects that include a lot of these features “out-of-the-box”, such as Ebox but I want to have a go at this as a project to test what I’ve learned over the last year or so…

The server will need to do the following:

a) Security -Firewalling
b) Mail Server supporting IMAP (and possibly Pop3)
c) File Server – Limited number of files, but will need to be accessible from Linux/Windows machines
d) Webmail – so mail can be collected from externally

in addition to this, I would like some extra functionality, but this is not a necessity.

e) IDS
f) Traffic Shaping/monitoring
g) Some fom of VPN server
h) Calendar server…..this might be useful for Linda managing her appointments

The Plan

Job number one of course is to back up data. This mainly constitutes Exchange Mailboxes so I’ll be exmerging data out into .pst files to start with. Migrating the mailboxes (as there aren’t many) can be done throughThunderbird or even in an Outlook client!

Next I’ll be grabbing a list of all hardware – i’ll need appropriate modules to manage my Raid 5 array, so controller details are essentialTo start with my base system will be Fedora Core 8 – I’ve been using Fedora as my work box, and I like the feel of it and have kind of got used to it. Plus Fedora seems very stable, the repositories contain most of the items i’ll need and the package management is really straightforward. As soon as the core system is on there and SSH is up and running, the box will be headless as well, so it’ll be shell acess only. I’ll be starting with an absolute minimal install to ensure reasonable security steps.

At this stage, additional packages will be:

Security/IDS – IPTables, Netfilter, TCPDump, libpcap, Snort
Mail Server – Dovecot(or Courier – not sure yet), Qmail, Squirrelmail web interface, ClamAV, Spamassasin
File Server – Samba, NFS
Calendar – Using WebDAV
Web server – Apache
Monitoring – ntop, logs for each package
VPN – Openswan, OpenVPN

Thats the list so far – if anyone has any comments or advice, I’m open to suggestion…..