While reading through my daily blog roll, I came across a link to a well-written document on converting RC scripts to SMF manifests. I plan to use this as a guide when adding dependencies to the manifests I am developing.
I made some major enhancements to ssl-cert-check, and released a new version to the daemons.net web server. The new version no longer requires GNU date, which should make it a bit more portable. If you have never used ssl-cert-check before, you can start by reviewing the available options with the “-h” (help) option:
$ ssl-cert-check -h
Usage: ssl-cert-check {[ -c certificate file ]} || {[ -b ] && [ -f cert_file ]} || {[ -s common_name ] && [ -p port]}}
[ -e email ] [ -x expir_days ] [ -q ] [ -a ] [ -h ]
-a : Send a warning message through email
-b : Print the expiration date for all certificates in cert_file (batch mode)
-c cert file : Print the expiration date for a PEM formatted certificate passed as an option
-e email address : Email address to send expiration notices
-f cert file : File with a list of common names and ports (eg., blatch.com 443)
-h : Print this screen
-p port : Port to connect to (interactive mode)
-s commmon name : Server to connect to (interactive mode)
-q : Don't print anything on the console
-x days : Certificate expiration interval (eg. if cert_date < days)
If you wish to view the expiration date for a PEM encoded X.509 certificate, ssl-cert-check can be invoked with the “-c” (certificate file to process) option and a certificate file to process:
$ ssl-cert-check -c /etc/ca/cacert.pem
Host                       Status   Expires       Days Left
FILE:/etc/ca/cacert.pem    Valid    Jan 2 2008    815
To check when an SSL-enabled server’s certificate will expire, ssl-cert-check can be executed with the “-s” (server name) and “-p” (TCP port to use) options:
$ ssl-cert-check -s mail.daemons.net -p 443
Host                     Status   Expires        Days Left
mail.daemons.net:443     Valid    Jun 20 2006    254
If you manage dozens of SSL-enabled servers, you can place the server names and port numbers in a file, and run ssl-cert-check against that file:
$ cat ssldomains
www.daemons.com 443
mail.daemons.net 443
gmail.google.com 443
www.sun.com 443
www.spotch.com 443
$ ssl-cert-check -b -f ssldomains
Host                     Status               Expires        Days Left
www.daemons.com:443      Valid                May 23 2006    226
mail.daemons.net:443     Valid                Jun 20 2006    254
gmail.google.com:443     Valid                Jun 7 2006     241
www.sun.com:443          Valid                May 11 2009    1310
www.spotch.com:443       Connection refused   ?              ?
ssl-cert-check can also be used to provide automated alerts when certificates are about to expire. The following example uses ssl-cert-check’s “-q” (quiet – don’t write anything to the terminal), “-a” (automated alerts) and “-e” (e-mail address to send the alert to) options to send an e-mail to admin@daemons.net if a certificate will expire in the next 60 days:
$ ssl-cert-check -a -f ssldomains -x 60 -b -q -e admin@daemons.net
The automated alert option can also be used with the batch processing mode, and will trigger one automated notification per problematic certificate. Send me an e-mail if you run into any issues.
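As an added example (not part of ssl-cert-check or the original post), the same checks in Python: it parses the “-f” batch-file format, computes days left from the notAfter string that both openssl and Python’s ssl module print, applies the “-x” threshold, and fetches a live server’s certificate. The function names, the "YYYY-MM-DD" replay argument and the sample batch lines are constructed for this illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# openssl and ssl.getpeercert() both render notAfter like "Jun 20 12:00:00 2006 GMT"
NOTAFTER_FMT = "%b %d %H:%M:%S %Y %Z"

def days_left(not_after, now=None):
    """Days until notAfter (negative if expired); now: None, datetime or "YYYY-MM-DD"."""
    expires = datetime.strptime(not_after, NOTAFTER_FMT).replace(tzinfo=timezone.utc)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):  # constructed option: replay a recorded run's date
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    return (expires - now).days

def status(days, warn_days):
    """Apply the -x threshold: Expired, Expiring (within warn_days) or Valid."""
    if days < 0:
        return "Expired"
    return "Expiring" if days < warn_days else "Valid"

def parse_batch_file(text):
    """Parse the -f file format ("common_name port" per line); skip blanks and # comments."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2 or not fields[1].isdigit():
            raise ValueError("bad batch line: %r" % line)
        targets.append((fields[0], int(fields[1])))
    return targets

def check_server(host, port, warn_days=60, timeout=5.0):
    """One row like the -s/-p mode: (host:port, status, expires, days). The default
    context verifies the chain, so an expired or untrusted cert is reported as an
    error row instead of a bogus 'Valid'."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except OSError as exc:  # ssl.SSLError is an OSError: refused, timeout, handshake failure
        return ("%s:%d" % (host, port), type(exc).__name__, "?", "?")
    days = days_left(not_after)
    return ("%s:%d" % (host, port), status(days, warn_days), not_after, days)
```

Run it over a batch file with `for host, port in parse_batch_file(open("ssldomains").read()): print(*check_server(host, port))`; unreachable hosts come back with a "?" row, like the www.spotch.com line above.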
IP Filter is a stateful packet-inspecting firewall that ships with FreeBSD and Solaris 10. Stateful packet-inspecting firewalls use a state table to track established connections, which allows packets to traverse the firewall if they are part of an existing established connection. IP Filter comes with the ipfstat(1m) utility, which can be used to print connection statistics, rule definitions, and active connections. When ipfstat(1m) is invoked with the “-t” (show the state table in a way similar to the way the Unix utility top shows the process table) option, a text-based graphical representation of the state table is continuously displayed:
$ ipfstat -t
sparky - IP Filter: v4.0.2 - state top                          10:47:32
Src = 0.0.0.0  Dest = 0.0.0.0  Proto = any  Sorted by = # bytes
Source IP           Destination IP      ST    PR    #pkts   #bytes   ttl
12.6.4.12,32776     1.2.5.4,22          B/7   tcp   140     10112    0:00
12.6.4.12,32775     1.2.5.3,22          B/7   tcp   134     9872     0:00
To adjust the refresh interval, an integer value can be passed to ipfstat’s “-T” (Specifies how often the state top display should be updated) option:
$ ipfstat -t -T 10
sparky - IP Filter: v4.0.2 - state top                          10:47:32
Src = 0.0.0.0  Dest = 0.0.0.0  Proto = any  Sorted by = # bytes
Source IP           Destination IP      ST    PR    #pkts   #bytes   ttl
12.6.4.12,32776     1.2.5.4,22          B/7   tcp   140     10112    0:00
12.6.4.12,32775     1.2.5.3,22          B/7   tcp   134     9872     0:00
If you are using the PF firewall, you can use pftop(8) to get a text-based graphical representation of the PF state table:
$ pftop
pfTop: Up State 1-3/3, View: default, Order: none, Cache: 10000      09:37:53
PR    DIR   SRC                   DEST                  STATE                     AGE        EXP        PKTS   BYTES
tcp   Out   192.168.1.8:49359     66.102.15.101:80      ESTABLISHED:ESTABLISHED   19:29:55   04:30:08   5      676
To adjust pftop(8)’s refresh interval, an integer value can be passed to pftop(8)’s “-s” (set the delay between display updates to time seconds) option:
$ pftop -s 10
pfTop: Up State 1-3/3, View: default, Order: none, Cache: 10000      09:37:53
PR    DIR   SRC                   DEST                  STATE                     AGE        EXP        PKTS   BYTES
tcp   Out   192.168.1.8:49359     66.102.15.101:80      ESTABLISHED:ESTABLISHED   19:29:55   04:30:08   5      676
I find myself frequently using these utilities, and find them super useful!
I came across the following article on blocking sites with DNS while perusing the OpenBSD technical mailing list. I use Mike’s Ad Block hosts file to silently blackhole ad sites, but never bothered to fix this permanently in DNS. When I convert from BIND to DJBDNS, I will make sure to test this out.
While creating a few setlists today, I came up with the following alternative and hard rock set list:
Stereolith – Save me
Jerry Cantrell – Hellbound
Motley Crue – If I die tomorrow
Alice in Chains – Man in the box
Nirvana – Rape me
Metallica – Nothing else matters
7th Fall – Hollow
Staind / Fred Durst – Outside from family values tour
Godsmack – Voodoo
Dropkick Murphy’s – Sunshine Highway
Social Distortion – Reach for the sky
Jerry Cantrell – My Song
L.A. Guns – No Mercy
10 Years – Paralyzing Kings
Smashing Pumpkins – Disarm
I really dig the tunes, and the set list flows well (I like alternative and hard rock – so this is a given)!