osCmax and Templates, Responsive, CSS, and frameworks

A few years back I was working up a site in osCmax (osCommerce fork) and while the templating system was good it left a lot of issues with cross browser compatibility. I blogged several posts and some lengthy commentary on how I set it up with Blueprint, a CSS framework.

Revisiting osCmax recently I am now looking again at templates or themes and I have noted that Blueprint has not been updated since 2011 only a short while after my last efforts into my Blueprint for osCmax efforts.

As a result, I am doing more reading, and particularly on the more recent Responsive frameworks. Blueprint may well have atrophied simply due to the rapid increase in mobility issues for web design.

I’d observe that in some cases I expect that I do not need a responsive website and unless I know that I am working to a market that has a prevalence of mobile visits, then what is the point ? I have a particular site that I manage and I know from its’ stats over 10 years or more of views, that even today 80% of users are PC based and the 20% tend to be more unknowns than emphatically mobile. Further, even if the 20% were all mobile users, they may well be ok with the existing CSS styles that still present the site in a usable fashion on a tablet. Phone and small screen users may also be ok, and even if I ‘ask the audience’ do I get a response that I can use?

At this stage I am thinking that if I do deploy a responsive framework, then I will do so as a backend ‘good idea’ to maybe future-proof the site for an advent of a mobile tipping point. And to achieve that I should review the possible frameworks, just not from a ‘mobile-first’ perspective.

 

 

Debian Linux openvpn connect to Watchguard VPN

I have a Debian Server that I wanted to connect to a Watchguard VPN.

OpenVPN is the tool that I used and the following is based on JoKi’s excellent blog entry with my own adjustments to address the issues that I found.

To start you do need to install and run a connection using the Watchguard MobileVPN on your Windows box to get the configuration files in

C:Usersyour_user_name_hereAppDataRoamingWatchGuardMobile VPN

It took me a while to work out that I had to run it to get the config files created, installing alone is not enough.

Installation in Debian is straightforward

#apt-get install openvpn

Once that is done go to the newly created /etc/openvpn and copy the files from the abovementioned Watchguard directory to it.

ca.crt
client.crt
client.ovpn
client.pem

Now it should all be good to go.

#openvpn --config client.ovpn

Except that I was getting all sorts of errors and warnings……

Wed Nov 12 12:16:50 2014 VERIFY X509NAME ERROR: /O=watchguard_technologies/0.0=f ireware/CN=fireware_sslvpn_server, must be /O=watchguard_technologies/ITU-T=fire ware/CN=fireware_sslvpn_server
Wed Nov 12 12:16:50 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:140 90086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Nov 12 12:16:50 2014 TLS Error: TLS object -> incoming plaintext read error
Wed Nov 12 12:16:50 2014 TLS Error: TLS handshake failed
Wed Nov 12 12:16:50 2014 Fatal TLS error (check_tls_errors_co), restarting
Wed Nov 12 12:16:50 2014 SIGUSR1[soft,tls-error] received, process restarting
Wed Nov 12 12:16:50 2014 Restart pause, 5 second(s)

Everything I read said that the certificate files would be the issue, but that was not logical to me as they were direct from the Watchguard device and not ones I was creating.

But I checked them anyway with

#openssl verify -CAfile ca.crt client.crt

Next I tried addressing the verify X509 Name error by changing the client.ovpn file entry changing

tls-remote

to

verify-x509-name

and messed around with that for a while until in disgust I commented the line out to try and confirm that it was triggering the error.

Of course, it worked first time !!!  Argghhhh!!

So the answer to the above is to remove the tls-remote line completely from the configuration file.

tls-remote “/O=watchguard_technologies/ITU-T=fireware/CN=fireware_sslvpn_server”

Either comment it with # at the start of the line or delete it.

Once that was sorted I had a working connection all that remained was to

#mv client.ovpn client.conf

create an auth.txt file with

myusername
mysecretpassword

#chmod to 0600 auth.txt

Edit the client.conf file to have

auth-user-pass auth.txt

and finally start it as a service
#service openvpn start client

and the last bit of the puzzle, to add it as a service to automatically start

#update-rc.d openvpn enable

Thanks to JoKi for getting me started.

Synology installation of ipkg DSM yum or apt-get equivalent

The reference for the first part is at http://swwiki.e-dschungel.de/synology but is in German.

First up we need a package installer, ipkg

Check the Synology device for which cpu it has,

[text]
#cat /proc/cpuinfo | grep cpu
[/text]

Then select the appropriate script

CPU Bootstrap Script
ARM (armv5tejl) http://ipkg.nslu2-linux.org/feeds/optware/syno-x07/cross/unstable/syno-x07-bootstrap_1.2-7_arm.xsh
PowerPC (ppc_6xx) http://ipkg.nslu2-linux.org/feeds/optware/ds101g/cross/unstable/ds101-bootstrap_1.0-4_powerpc.xsh
PowerPC (ppc_85xx, e500v?) http://ipkg.nslu2-linux.org/feeds/optware/syno-e500/cross/unstable/syno-e500-bootstrap_1.2-7_powerpc.xsh
Marvell Kirkwood 88F6281, 88F6282, 88FR131 (ARMv5TE Feroceon) http://ipkg.nslu2-linux.org/feeds/optware/cs08q1armel/cross/stable/syno-mvkw-bootstrap_1.2-7_arm.xsh
Intel Atom http://ipkg.nslu2-linux.org/feeds/optware/syno-i686/cross/unstable/syno-i686-bootstrap_1.2-7_i686.xsh

and get it with

[text]
#wget http://your_selected_cpu_bootstrap_script_here
[/text]

then run it with

[text]
#sh your_selected_cpu_bootstrap_script_here
[/text]

This install ipkg, but it is not in the path for the Synology system. To add it to the path:

1. check the path

[text]
#cat /etc/profile
[/text]

and this should be there

[text]
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin:/usr/local/sbin:/usr/local/bin export PATH
[/text]

extend the path to include our /opt directories with two command lines

[text]
# PATH=/opt/bin:/opt/sbin:$PATH
# export PATH
[/text]

Then we can test that ipkg is installed and will run from anywhere with

[text]
# ipkg -v
[/text]

Should respond with something like

[text]
# ipkg version 0.99.163
[/text]

If you now try to install a package, you will get an error

[text]
#ipkg install mc
Nothing to be done
An error ocurred, return value: 4.
[/text]

Which is ok, this is expected because the new install does not yet know where to look for ‘mc’

Note: ‘mc’ is just a favourite package of mine, (midnight commander, with the excellent mcedit editor) but you could try any packge you want like ‘nano’, etc.

The final step for installing ipkg is to update the repositories

[text]
# ipkg update
[/text]

Then try again and as ipkg now has a repository to call on, it should find the install package and install it.

Much Later: Corrected a couple of text errors, thanks to all who pointed them out!

Shellshock BASH Vulnerability: Debian, CentOS, Synology Busybox

Ok, so Heartbleed did as it said, and Shellshock is about to do the same.

I manage some CentOS, some Redhat, some Debian, and other servers. From what I have found so far, and assuming that the patches applied to the latest release of BASH are sufficient, then most servers and devices can be patched / fixed so that they are not vulnerable quite easily.

According to most sources, the test for a vulnerable BASH environment is the following line of code:

[text]
env x='() { :;}; echo vulnerable’ bash -c "echo this is a test"
[/text]

So I quickly hit one of each server / Linux flavour I could think of and these are the results:

SME Server / CentOS based

[text]
# env x='() { :;}; echo vulnerable’ bash -c "echo this is a test"
vulnerable
this is a test
[/text]

so I ran

[text]
# yum update
[/text]

which updates a number of tools including bash-3.2-33.el5.1.i386.rpm which appears to be the correct update version and re-testing after updating the server (includes other updates as well) gives the ‘not vulnerable’ response.

CPanel on CentOS

[text]
# env x='() { :;}; echo vulnerable’ bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test
#
[/text]

which appears to tell me that it is not vulnerable.

I also had a similar message but without the warning from a second CPanel / CentOS server which is configured slightly differently:

[text]
# env x='() { :;}; echo vulnerable’ bash -c "echo this is a test"
this is a test
#
[/text]

The lack of a warning in the above appears to indicate that it is not vulnerable.

Debian

Some of my Debian servers have not been upgraded from stable Squeeze, which I should be updating to Wheezy. I found different responses depending on which version of Debian existed on the server.

To check the Debian version use:
[text]
# cat /etc/debian_version
# 6.0.6
[/text]

Checking the Debian version just as a confirmation of what patch release the server is using.

Debian Squeeze 6.0.6

[text]
# env x='() { :;}; echo vulnerable’ bash -c "echo this is a test"
vulnerable
this is a test
#
[/text]

Vulnerable, so update BASH

[text]
# apt-get update
# apt-get install bash
[/text]

A second test shows:

[text]
# env x='() { :;}; echo vulnerable’ bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test
#

<h2>Debian Squeeze 6.0.10</h2>

This one is a work in progress……

<h2>Debian Squeeze 7.4</h2>

This version of Debian was straightforward and

[text]
# env x='() { :;}; echo vulnerable’ bash -c "echo this is a test"
vulnerable
this is a test
#
[/text]

Oops!

[text]
# apt-get update
# apt-get install bash
[/text]

A second test shows:

[text]
# env x='() { :;}; echo vulnerable’ bash -c "echo this is a test"
this is a test
#

<h2>Synology Busybox</h2>

Synology Busybox uses ASH not BASH but testing can still be done

[text]
# env x='() { :;}; echo vulnerable’ ash -c "echo this is a test"
[/text]

Gave an all clear message on my recently updated Synology unit.