almost effortless

I'm happy to announce that I've made my latest side-project open source. It's called KZAK. It's a simple web-based jukebox that you can use to share and listen to music with your friends.

The feature set is pretty limited right, but I hope to continue to improve things over time. I'm already encouraged by how quickly some of my friends have taken to the app, and I think you'll enjoy it - even in this early form.

So far you can:

• Invite people to use the site via email
• Upload mp3, mp4, and m4a (iTunes) tracks with an upload queue and progress
• Listen to the uploaded music as a playlist, even in an inactive browser tab

Like I said, it's pretty basic (invite, upload, listen) but surprisingly functional. Plus, I'm using all kinds of interesting stuff behind the scenes, which is why I really wanted to share the code ;)

To begin with, we've got a Rails app that's using the latest and greatest in user authentication technology: Devise. If you're using something like restful_authentication or Authlogic, I implore you to take a look at Devise. It's a phenomenal improvement from these other two popular options, and it's being actively supported by José Valim, the latest Rails committer. Essentially, it's a Rails Engine that sits on top of Warden - a generalized Rack authentication framework. This combination is extraordinarily flexible and easy to use. It's opinionated (in a good way) while simultaneously doing a good job of staying out of the way. It introduces very little code into your application, and the source is well documented, well tested, and easy to follow. A++ highly recommended.

To handle the file uploads, I've switched from Paperclip to CarrierWave. While Paperclip has (and continues) to serve me well in many applications I work with, I really appreciate the modular approach that CarrierWave takes. It's agnostic as to which of the popular S3 clients you use, supporting both aws/s3 and right_aws. It's also ORM agnostic and not tightly coupled to Active Record. The tight coupling of Paperclip has caused us some grief at work, and I'm also confused about the state of Paperclip's support for aws/s3 and right_aws. So, I was happy to find this new project, and the maintainer Jonas Nicklas seems to be an extremely responsive and helpful dude, which is always good thing. The code looks great, and I've had an easy time working with this library so far.

In concert with CarrierWave, I'm also using the venerable SWFUpload to support upload queues and progress meters. I'm absolutely baffled as to why this kind of thing isn't easy/possible to support without Flash, but here we are. Of course, I have a fallback "regular upload form" that still uses some ajax to make things a little easier. There are a few blog posts and tutorial applications around on GitHub that helped me get SWFUpload working with Rails and jQuery, and I'm happy to put back out an example application that other people can refer to if they're interested in supporting upload queues and/or upload progress meters.

Next, to support audio playback while I work on supporting html5 properly, I'm using the extremely awesome SoundManager 2. Unfortunately, this is another part of the infrastructure using Flash, but the features and functionality of SoundManager are really something special. I've only scratched the surface of what this library can do, but I'm already enjoying it quite a bit. If you're working with jQuery and SoundManager, you may find the KZAK source code worth perusing. You might also take a look at Adrien Gibrat's plugin, which is a cool jQuery plugin that packs a lot of functionality.

Also running in the background of KZAK is a Twitter-style following/unfollowing system that I haven't exposed much of yet. It's basically the same system that's powering Flowcoder. You can check out this example app I made if you're interested in seeing that on its own. Currently, all users in the system follow (and are followed by) all of the other users. I plan to allow for "unfollowing" users some time soon, which will allow for some healthy splintering of the community in the case that you're not interested in everything that everyone is uploading.

Finally - and perhaps best of all - KZAK is fully compatible with and easy to install on Heroku. All you need is an S3 account and you're ready to get started with a web-based jukebox for you and your friends for free.

http://github.com/trevorturk/kzak

Anyway, please feel free to dig around the source code if you're interested in any of this. I think there's a lot of good stuff in there, especially considering that the Ruby portion of the app is clocking in at under ~250 LOC right now. Thanks, open source community ;)

Amazon's CloudFront is a phenomenal addition to their S3 file-hosting service.

Amazon CloudFront is a web service for content delivery. It integrates with other Amazon Web Services to give developers and businesses an easy way to distribute content to end users with low latency, high data transfer speeds, and no commitments.

Amazon CloudFront delivers your static and streaming content using a global network of edge locations. Requests for your objects are automatically routed to the nearest edge location, so content is delivered with the best possible performance. Amazon CloudFront works seamlessly with Amazon Simple Storage Service (Amazon S3) which durably stores the original, definitive versions of your files. Like other Amazon Web Services, there are no contracts or monthly commitments for using Amazon CloudFront – you pay only for as much or as little content as you actually deliver through the service.

If you're using S3 and you're not using CloudFront, you should take a moment to check it out. You'll be surprised at how little work it takes to set up, how much it speeds up your assets serving, and how little it costs.

CloudFront is a part of the Amazon Console now, so it's very easy to set up. All you need to do is to create a distribution, which means enabling CloudFront for a specific S3 bucket and choosing a CNAME that you'll serve your assets from. Then, you need to set up the CNAME in your DNS configuration on GoDaddy and you're done.

The following two screenshots illustrate the process.

Step one is to creating the distribution in Amazon's Console:

Note the Domain Name and CNAMEs sections in the lower half of the screen. I've chosen the CNAME of "s3.kzak.org" because I want my S3 bucket to be aliased such that URLs will look like this:

http://s3.kzak.org/example.jpg

CloudFront has provided me with the domain name that I need to provide to GoDaddy. Since I'm using their "Total DNS" option, all I have to do is add the CNAME like so:

Notice that the CNAME of "s3" is set to the domain name that CloudFront provided me.

These changes seem to take about 30 minutes to percolate through the internets, but that's all it takes to get started with CloudFront.

For bonus points, you may want to read up about using multiple asset hosts in Rails and apply this technique in your applications for additional throughput.

I just realized that I never posts about our entry into the Rails Rumble last year.

Flowcoder: An Evolution of the Code Snippet Site

Coded and designed by @gbuesing, @scottymac, and @trevorturk for @railsrumble in 2009.

Flowcoder has what you would expect from a code snippet side: multiple language support, raw code view, and support for embedding on other sites.

What was missing for us and what we really wanted was a site that featured not just the code, but the people creating the code. Just as we glean interesting tidbits about people's lives from Twitter, we wanted to learn from our favorite coders by being able to follow the kind of code snippets they create. We wanted to share our own code snippets and have others refactoring them: to fix, optimize, and make them better, and learn in the process. And we wanted to be kept informed: when your code is refactored on Flowcoder, you'll see an @reply from @flowcoderbot with some information and a link. This closes the loop in a casual, low bandwidth fashion and highlights the advantage of using Twitter as both an identity and notification system.

I'm pleased to present my submission to the CodeRack contest: no-www.

This middleware catches requests that begin with “www” and redirects them to the more reasonable "non-www" address.

For example: http://www.example.com -> http://example.com

While such redirects might better be performed from within an Apache or nginx config, some hosts (i.e. Heroku) don't give you access to configure the server as such.

If you're unfamiliar with the no-www movement, the philosophy is simple. Websites should have a canonical address. This address shouldn’t begin with “www” because the use of "www" is unnecessary and wasteful. See http://no-www.org/ for details.

And, without further ado:

If you know what Rack is, you problably already know how to use this. Still, an example usage for a Rails app wouldn't hurt. Start by copying the above middleware into lib/no_www.rb. Then, configure your application to use the middleware by placing the following in config/environment.rb:

 
Rails::Initializer.run do |config|
  config.middleware.use “NoWWW” if RAILS_ENV == ‘production’
end

No more www.

I'm pleased to announce the immediate availability of http://pygments.appspot.com. It's an unofficial API for the Pygments syntax highlighting library. It's designed to provide syntax highlighting for web applications that don't have Python installed. You can think of it as an HTTP interface for Pygments.

To use it, simply POST to http://pygments.appspot.com with "lang" and "code" parameters in the body. You'll receive pygmentized HTML back, which you can store for later display on your site.

I'm using it so that I can host Flowcoder on Heroku. I was really impressed with the ease of getting this Pygments app running on Google App Engine. GAE is very much like a Python version of Heroku, which means it's awesome.

I'm hoping that this little project will spike my interest in learning a bit more about Python, which actually doesn't seem as evil as all my Ruby friends have made it out to be :P

The source code is on github, in case you're curious about how this all works.

Enjoy!

http://pygments.appspot.com

File this one under "hacks". Cross-list it under "more basic administrative tasks you can't do on Windows".

Here's the situation: you're the admin of a Windows domain where the Domain Controller is a Linux box serving Samba. Your problem, other than the fact that you're surrounded by Windows users, is that you've got a user who's password you don't know and, for whatever reason, you need to log onto your Windows domain as that user: a simple RUNAS won't cut it this time.

Normally, you'd just nuke his password, change it to "password" (or whatever), log on as him, do your dirty, sinful business, log off, expire his password and then send him an email telling him that his password has been changed to "password" and that he'll be prompted to change it at his next log on.

But what if that wasn't an option? What if you needed to log on to your domain as that user and it was important that he be none the wiser?

Grab the Hashes

First, use your favorite smbldap-type tool to get the current password info on the user you're fixin' to use:

frances:~# smbldap-usershow toconnell
dn: uid=toconnell,ou=Users,dc=domain,dc=com
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: toconnell
sn: toconnell
givenName: toconnell
uid: toconnell
uidNumber: 1007
[...]
sambaPwdCanChange: 1202398556
sambaPwdMustChange: 9223372036854775807
sambaLMPassword: BE41CD009FF0812C718CCFD7D98A52AA
sambaNTPassword: 9454453CBC8A48DEF442F6B0A10B3EAA
sambaPwdLastSet: 1202398556
userPassword: {SSHA}baSDvXS6C6DSBNkJGyEYplprZ3wslAa/

Copy everything that's bolded and stick it somewhere safe. That dn information is going to be necessary later on, as it contains the ldap tags that you'll need to specify the record you want to modify; those hashes at the bottom are the user's original passwords and, when you want to cover your tracks later on, you'll need that info.

Now that you've got those hashes, you're free to nuke the user's password (again, using your favorite smbldap-type-tool or however else you like to reset passwords), log in as him, do whatever you have to do, and then log out:

frances:~# smbldap-passwd toconnell
Changing UNIX and samba passwords for toconnell
New password:
Retype new password:

Once you're out, you're going to want to set his password back to what it once was. This is where ldapmodify comes into play.

Kerberos

Before you can do that, however, you'll need to get a kerberos ticket. This is because you'll need to be kerberos-authenticated to make your ldap modifications stick. So, first things first, get yourself an admin kerberos ticket:

frances:~# kinit toconnell/admin
Password for toconnell/admin@DOMAIN.COM:
frances:~# 

ldapmodify

A quick glance at the man page for ldapmodify shows that the most convenient way to make changes to an ldap entry is to use the -f flag and an input file. The example in the man page for how to construct the input file is this:

 dn: cn=Modify Me,dc=example,dc=com
           changetype: modify
           replace: mail
           mail: modme@example.com
           -
           add: title
           title: Grand Pooba

So, using the data we got above, we're going to make a similar file containing the original hashes from our target user in order to change his password back to what it used to be:

dn: uid=toconnell,ou=Users,dc=domain,dc=com
changetype: modify
replace: sambaLMPassword
sambaLMPassword: BE41CD009FF0812C718CCFD7D98A52AA
-
replace: sambaNTPassword
sambaNTPassword: 9454453CBC8A48DEF442F6B0A10B3EAA
-
replace: userPassword
userPassword: {SSHA}abSDvXS6C6DSBNkJGyEYplprZ3wslAa/

Remember to include those "-" characters and to give them their own line: if you fail to do that, you'll get mystery errors about unknown types, etc.

Once you've got your file, fire off your changes like this:

ldapmodify -f /path/to/file

And that's all you've got to do. When the original user attempts to log in with his old password, everything will look perfectly normal to him: you never saw his password in plaintext and, as far as he's concerned, none of this ever happened.

Due to recent events involving some computers I administer, I've become very interested in security. Basically, I've dodged enough bullets thanks to little more than beginner's luck and I figure that it's about time to take responsibility for the safety and security of my computers.

Since I was interested in hardening up two Debian boxes running Lenny, I started off by taking a look at the Securing Debian Manual, this very helpful page on LQ and the results of a tiger audit.

Do this to generate a tiger audit of your server:

# aptitude install tiger
tiger -E

The "-E" gets you what's called an "explanation report", which will be useful in helping you understand what can be some fairly cryptic output.

Additionally, the package version of tiger comes with some nice default settings for the main executable and for tigercron, which, as you might imagine, runs some minor scans on a pre-defined schedule.

At any rate, once I had my audit and had picked up a few bright ideas from the SDM, I made a number of changes to all of my web-facing production machines. What follows are some things that you might want to consider doing on your Debian Lenny servers:

Users and Permissions

1. Password Audit: first, I decided to get to know my user accounts a little better. This meant running john (formerly "john the ripper", a password cracker that reads hashed passwords and tries to decipher them) against my /etc/shadow to see who was using dictionary-based passwords and who was using other types of insecure passwords:

   # aptitude install john
   # john /etc/shadow 

   This took a while to run--a little over a day, but I had it niced pretty high--but of the 10 user accounts it cracked, it was good to know which ones were using hilariously insecure passwords and which ones probably weren't going to cracked by your garden variety brute force password cracker.

NB: if you run john against your /etc/shadow and realize that you've got a problem child on your hands, there's always chroot. Here is a really good how-to on chroot-jailing a user.

2. The Prunening: odds are, if you've been living on a system for more than a few months, you've accumulated some users (either from software that you've installed and then removed or by meeting user/developer needs, etc.) that aren't doing anything. One of the basic tenets of server security is having the smallest amount of users with the least amount of access to the smallest number of programs possible.

   In some environments, you've simply got to have a bunch of users in your /etc/passwd. In most situations, however, it makes good sense to just hit all the derelicts with a userdel and only having to worry about angry users not having enough access (rather than having to worry about unauthorized users having too much access).

Keeping Script Kiddies Under Control

In my (admittedly limited) experience, the most trouble you're going to run into from script kiddies are anonymous, unfocused attacks that attempt to gain access to your machine via either a.) the /tmp directory, b.) DoS-based exploints or c.) application attacks like SQL injections, XSS or directory traversal attacks.

Since guarding against application attacks is something that programmers are supposed to be handling, I decided to focus on stopping /tmp abuse and trying to stymie DoS attacks.

1. Mounting /tmp with noexec: in this age of VPSes and shared hosting, it's more often the case than not that you won't get to decide how your machine is partitioned. If, like me, you live on Slicehost and you're running Debian, your partition scheme looks like this:

   lana:/# df -h
   Filesystem            Size  Used Avail Use% Mounted on
   /dev/sda1              19G  9.0G  8.9G  51% /
   tmpfs                 256M     0  256M   0% /lib/init/rw
   udev                  256M   20K  256M   1% /dev

   What this means is that you've got your /tmp directory on your / partition. Which partition is, by necessity, allows files to be executable.

   And that, as I have learned (the hard way), is bad news. What this means is that, you've got a directory on your / partition--the partition where all your apps and data probably live--that is writable/readable by every Li, Ivan and Harry from Taipei to Yaktusk. And if one of the thousands of bots who knocks on your door every month knows how to write to /tmp and you don't catch him right away, it's pretty much game over for your TLD or your IP Address: one day, you'll wake up and find that your info is on every spam list on the Internet because your server has been under remote control via IRC for the last three weeks and now your full time job is trying to get your info off of those lists while planning a full OS re-install.

   Ideally, you would be able /tmp its own partition and mount that partition with noexec. And while it would be optimal, it sometimes isn't an option if you're a part of the VPS set.

   And if you can't control your installation or maybe you just can't take down a production server, what you can do is warn your users/developers that you're about to cause a little temporary chaos (get it? temporary chaos?), move your existing /tmp to some place else and create a small filesystem that you can mount noexec to use as /tmp. On Debian Lenny, that would look approximately like this:

   gonzo:/# mv /tmp /old_tmp
   # dd if=/dev/zero of=/.tmpfs bs=1024 count=1000000
   1000000+0 records in
   1000000+0 records out
   1024000000 bytes (1.0 GB) copied, 29.1302 s, 35.2 MB/s
   gonzo:/# mkfs.ext3 -j .tmpfs
   [...]
   gonzo:/# mount -o loop,noexec,nosuid,rw /.tmpfs /tmp/
   gonzo:/# mv /old_tmp/* /tmp/.

   Et voila! You've got a 1GB "drive" that's mounted noexec at /tmp that's ready to roll out. Any attempts to execute anything on that partition will result in a bad interpreter error. Check it:

   gonzo:/# ls -l tmp/
   total 20
   -rwxr-xr-x 1 root root    37 2009-05-15 14:54 executeMe.py
   drwx------ 2 root root 16384 2009-05-15 14:51 lost+found
   gonzo:/# test/executeMe.py
   bash: test/executeMe.py: /usr/bin/env: bad interpreter: Permission denied

   All you've got to do now is add that mount info to your fstab and you're ready to start sleeping at night again:

   /.tmpfs           /tmp            ext3    loop,nosuid,noexec,rw  0      0

   NB: don't forget that /tmp wants to have the sticky bit turned on (i.e. be chmoded to 1777). Also don't forget to make /var/tmp a symlink that points to /tmp.
   Also: props to Vincent Danen's post on /tmp at TechRepublic for the idea.

2. mod_evasive to Prevent DoS: after a recent DoS experience, I decided to install Apache mod_evasive to reduce the risk of getting flat-lined/broad-sided by DoS/DDoS attacks:

   # aptitude install libapache2-mod-evasive

   The beauty of using packaged software is that that's really all you have to do: apt will copy the files, create the symbolic links and restart apache for you. Nice.

3. sysctl real-time kernel Modifications: Additionally, you might also want to use a slightly obscure command called sysctl (which modifies kernel perameters while the kernel is running, so consider yourself warned) to take a precaution against a DoS tactic called "syn flooding":

   # sysctl -w net.ipv4.tcp_syncookies=1

   This is a sort of controversial measure--apparently it defies some RFC docs for TCP/IP--but setting tcp_syncookies to False has yet to have affected any of my computers.

   There are a number of additional security features you can activate with this command; Google it and prepared to be awed by some of the features of your OS you can control in real-time with sysctl.

For the Tin-foil Hat Crowd

What follows are non-specific countermeasures and settings that, while obscure and probably unlikely to save you from becoming an unwitting member of some Russian bot master's herd, might help you feel more secure in the knowledge that even if someone does get non-root shell access, he's probably not going to be able to do too much damage.

1. Add /usr/bin/mesg n to root's .bashrc File:
   executing mesg n on log in, prevents an admittedly rare exploit through which other users can execute arbitrary code as root by sending messages to his terminal.
2. Modify /etc/inittab to Prevent Non-root Users from Rebooting the System with ctrl+alt+del. In the stock /etc/inititab on Debian Lenny, you've got this line:

   # What to do when CTRL-ALT-DEL is pressed.
   ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

   Which is hardly optimal: this lets pretty much anyone who figures out a way to execute programs in /etc/sbin reboot the system. I changed it to:

   ca:12345:ctrlaltdel:/bin/false

3. SMTPD Settings If you run postfix, you should probably check up on your relay settings and update your external blacklist providers if you haven't done it in a while. Your mail server is the world's first line of defense against everything from phishing/spear-phishing to headline-making super worms:

   smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
     reject_unauth_destination,
     reject_unauth_pipelining,
     reject_invalid_hostname,
     reject_rbl_client sbl-xbl.spamhaus.org,
     reject_rbl_client cbl.abuseat.org,
     reject_rbl_client bl.spamcop.net,
     reject_rbl_client zen.spamhaus.org
   smtpd_helo_required = yes
   disable_vrfy_command = yes
   
   smtpd_data_restrictions =
               reject_unauth_pipelining,
               permit
   

   That smtpd_help_required line might not seem like anything special, but I have a script that parses /var/log/mail.log output and, when you do get a spammer that responds to the helo request, a lot of times he'll come back with his actual domain.

   It's fun for research/study/personal amusement reasons, basically.

While some people might say that the above is overkill--that it's just not worth the time and effort to audit and harden at this level--but I'd say that this level of focus on security isn't so much "overkill" as it is "a pretty good start."

Because my thinking is that if you've got the root password, you're probably already the anxious type. And at the very least, being a little bit OCD about security on your all-important, mission-critical application servers might help you feel a little less anxious. Which is definitely worth the effort.

There's a great episode of MASH in which the over-zealous paranoid-schizophrenic Colonel Flagg, in an attempt to coerce the impossibly calm and notoriously imperturbable Dr Stanley Freedman into collusion with one or another of his hare-brained schemes, asks the psychiatrist: "You wanna do your self a favor?"

"Why Not?" replies the doc. "Who deserves one more?"

If you've got a Debian Lenny box out in the wild serving your email with postfix and you're not using spamassassin as a filter, you really ought to consider doing yourself a favor and throwing that spamassassin piece into the mix: it only takes a second, it will increase security for your users-- hardening up your network little bit--and make the world a slightly better place for everyone.

1. If you're OK with letting aptitude resolve your dependencies and manage your packages, all you need to do is install a single package:

   # aptitude install spamassassin

2. Once that's done, crack open /etc/default/spamassassin with your favorite editor and enable it to run as a daemon and update itself automatically:

   # Change to one to enable spamd
   #ENABLED=0
   ENABLED=1
   
   # Cronjob
   # Set to anything but 0 to enable the cron job to automatically update
   # spamassassin's rules on a nightly basis
   #CRON=0
   CRON=1

   (spamd is an old name for spamassassin: you'll notice a lot of the RHEL/CentOS/Fedora boxes out there running spamd.

3. Take a look at /etc/spamassassin/local.cf: there are some fun options that you can uncomment and enable in there. My personal favorite one is:

   rewrite_header Subject *****SPAM*****

   This does what it sounds like it does and rewrites the headers of suspicious emails: you can then easily configure your email client to recognize these headers and filter accordingly. Pretty sweet.

4. Start spamassassin:

   # /etc/init.d/spamassassin start

5. At this point, we're going to edit some postfix conf files, but we need to check on something first. Make sure SA is running, spawning children and listening on the right port:

   # netstat -anp |grep spam
   tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      11724/spamd.pid
   unix  2      [ ACC ]     STREAM     LISTENING     9096119  1717/master         private/spamassassin
   unix  3      [ ]         STREAM     CONNECTED     9757173  30093/spamd child
   unix  3      [ ]         STREAM     CONNECTED     9757172  11724/spamd.pid  

6. Noting that SA is listening on 783, tack the following on to the bottom of your /etc/postfix/master.cf:

   spamassassin unix -     n       n       -       -       pipe
           user=nobody argv=/usr/bin/spamc -f -e
           /usr/sbin/sendmail -oi -f ${sender} ${recipient}

7. Now find the SMTP/SMTPS lines in your /etc/postfix/master.cf and add the following option:

   -o content_filter=spamassassin

   Assuming you're doing SMTP and SMTPS, you'll have something like this at the top of your /etc/postfix/master.cf:

   smtp      inet  n       -       -       -       -       smtpd     -o content_filter=spamassassin
   smtps     inet  n       -       -       -       -       smtpd     -o content_filter=spamassassin

8. Reload Postfix:

   # postfix reload

And that's it: you're done.

If you can bear in mind that no spam-detection scheme is perfect, my guess is that you'll be pleased with your decision to set up SA: some spam will make it through, of course, but most of makes it through will come a.) as plaintext with escaped characters and b.) a lengthy disclaimer and an itemized spam "score":

Spam detection software, running on the system "molly", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Having trouble viewing this email? Click here! pharmacy medicine
   cabinet FSA home medical vitamins personal care diet & fitness men's SALE
   Get 80% Discount TODAY: This email was sent to you by drugstore.com. To ensure
   delivery to your inbox (not junk folders), please add drugstore@e.drugstore.com
   to your address book. [...] 

Content analysis details:   (13.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: lewdozed.cn]
 0.5 FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d

...and so on.

So go ahead: do yourself a favor.

Security audits are a necessity.

Unfortunately, due to the constantly changing array of exploits and threats coming at your Internet-facing server from all over the world, there's no best practices manual for a security audit. This is because no one knows exactly what level of openness is appropriate/optimal on a given application server.

But you gotta start somewhere. Because if you're just blithely running an un-hardened *nix server with stock configurations for service apps like Apache and ssh, you're pretty much giving away the store.

What follows is a short how-to dealing with how to get started, security-auditing-wise. It is by no means comprehensive and is only intended to provide a "leg up" for those who feel like they ought to be auditing their servers but aren't sure where to start. I'll be using Debian systems running the current stable release (i.e. Lenny) to demonstrate the techniques, but I'll try to keep things as OS agnostic as possible: most of the packaged software I describe below can be found in your generic, mainstream fedora repo.

The methodology will be to start from the outside and work inward. I recently saw a Linux Journal article that described doing things the opposite way (or at least that's the impression with which I was left), and that doesn't make much sense to me. From where I'm standing, it seems that if you're conducting a security audit, you ought to start out by looking at your server the same way everyone else does.

Accordingly, we'll begin from the outside and from as basic a perspective as possible: scanning ports and checking for known vulnerabilities and obvious mis-configurations. Once we've got a little perspective on how our server looks to the script kiddies and botnets of the world, we'll do some web-server specific scanning to attempt to detect vulnerable plugins, apache mis-configurations and application-level security holes. After that, we'll finish by checking for rootkits and doing some internal auditing.

OpenVAS: Port Probe and All-purpose scan
The first thing to do is to scan your ports.

The odds are good that if you've got a server out there on the Internet (in the DMZ of your intranet or in a hosting company's rack, for example) that it's got a bunch of open ports. You've probably got one or two listening for HTTP requests, one or two listening for SSH requests and so on. What you probably haven't got is a good idea of how those ports look to the world.

So the first part of any security audit is the portscan. In olden times, you'd use a combination of telnet and nmap for this: nmap would handle the port scanning and tell you which ports were listening/open and then you'd use your expert knowledge of various network protocols to use a telnet-like program to check out those ports and see what sort of access and information they were offering to the world.

There are, fortunately, labor-saving apps that will do the scanning and auditing for you. A few months back, you would have been using nessus, as it was the big name in F/OSS auditing. nessus, however, has gone commercial (proprietary and closed) and a new, open project (GPL) called OpenVAS has taken its place.

For anything other than security auditing, using commercial software is probably OK. At the very least it's not always counter-productive to use non-F/OSS for non-security-related tasks. In the case of security-related apps, however, it just doesn't make any sense to take a chance on using software that isn't available for public scrutiny.

At any rate, if you're familiar with the way that nessus works, you'll be happy to know that the big ideas and the general methodology/procedure behind using OpenVAS are essentially the same. If you're unfamilar with programs like nessus and OpenVAS, here's how they work, from an administrator/auditor's perspective:

1. Set up a server
2. Use a client to tell the server to probe the target site
3. View the audit report on the client

At present, if you're using the stock stable/unstable Debian repositories, you haven't got access to the packaged version of the OpenVAS server. That being the case, we're going to go ahead and get a little bit heroic here and do this the Cowboy Way (i.e. from source).

1. Dependencies and Source Files

Make sure that you've got the following packages (some of which the openvas developers list as dependencies, some of which you'll need to compile anything from source) before proceeding:
molluska:/opt/# aptitude install libgnutls-dev libpcap-dev libgpgme11 libgpgme11-dev libglib2.0 libglib2.0-dev build-essential bison

Now that that's handled, there are four "modules" that are required to run an OpenVAS server. The openvas developers say that you've got to install the modules in the following order:

1. openvas-libraries
2. openvas-libnasl
3. openvas-server
4. openvas-plugins

So that's what wer're going to do. I like to do this sort of thing in/opt, but it really doesn't matter where this happens.

Get the files:
molluska:/opt/openvas# wget http://wald.intevation.org/frs/download.php/572/openvas-libraries-2.0.2.tar.gz
molluska:/opt/openvas# wget http://wald.intevation.org/frs/download.php/561/openvas-libnasl-2.0.1.tar.gz
molluska:/opt/openvas# wget http://wald.intevation.org/frs/download.php/562/openvas-server-2.0.1.tar.gz
molluska:/opt/openvas# wget http://wald.intevation.org/frs/download.php/576/openvas-plugins-1.0.6.tar.gz
NB: these URL's are for the version that was current when this was written--no guarantees that they'll be there two hours from now.

2. ./configure && make && make install

Now, we start the compilation process which, thanks to our having resolved the dependencies enumerated above, should go off without a hitch:
molluska:/opt/openvas# tar -zxvf openvas-libraries-2.0.2.tar.gz
[...]
molluska:/opt/openvas# cd openvas-libraries-2.0.2
molluska:/opt/openvas/openvas-libraries-2.0.2# ./configure
[...]
molluska:/opt/openvas/openvas-libraries-2.0.2# make
[...]
molluska:/opt/openvas/openvas-libraries-2.0.2# make install

Once you've successfully installed the openvas libraries, you'll be prompted to modify /etc/ld.so.conf by adding the line "/usr/local/lib" to it and running ldconfig to update your linker. Do that, and then repeat the steps described above (untar, configure, make, make install) in the other three folders to finish installing the OpenVAS modules.

3. Add a User and Generate an SSL Cert

Once you've got everything installed, you'll need to create two things: an OpenVAS user and an SSL certificate. Fortunately, both of these tasks have been nearly fully automated and all you'll have do to get the job done is execute a couple of binaries (which should be on your path, now that you've installed everything according to the above instructions) and follow some on-screen prompts:

molluska:/opt/openvas# openvas-adduser
[...]
molluska:/opt/openvas# openvas-mkcert
[...]

And that's it. Make a note of the paths that the openvas-mkcert program gives you at the end of the certificate creation (as you might need to specify them at some later time; you won't need them again to follow these instructions).

4. Fire it up

Once you've got all your modules installed, your certificate created and your user added, it's time to fire up the server/daemon. The smartest way to do this is to pseudo-daemonize it and tail its output while it loads plugins:molluska:/# nohup openvasd &
[1] 4508
molluska:/# nohup: ignoring input and appending output to `nohup.out'
molluska:/# tail -f nohup.out

Should get you something like this:tail -f nohup.out
Loading the plugins... 714 (out of 10558)

...and so on. Once the plugins are all the way loaded, fire off a quick ps to make sure that the server is running and maybe a quick netstat to make sure you know what port it's listening at, and that's it: you're done with the server side of things and ready to move on to the client and auditing part.

molluska:/opt/openvas# ps aux |grep openvas
root     26129  1.1  0.2  16296    76 ?        S    06:29   1:46 openvasd: waiting for incoming connections
molluska:/opt/openvas# netstat -anp |grep openvas
tcp        0      0 0.0.0.0:9390            0.0.0.0:*               LISTEN      26129/openvasd: wai

Installing the OpenVas client is much easier.

While there is a packaged version of the OpenVAS client app, we're going to install one from source (mostly so our version of the server matches with our version of the client; this is mostly me being OCD, however, and you can probably get away with using the packaged version). To install the client, we'll follow the same steps as above, but on a different machine:

gonzo:/opt/openvas-client# wget http://wald.intevation.org/frs/download.php/575/openvas-client-2.0.3.tar.gz
[...]
gonzo:/opt/openvas-client# tar -zxvf openvas-client-2.0.3.tar.gz
[...]
gonzo:/opt/openvas-client# cd openvas-client-2.0.3
gonzo:/opt/openvas-client/openvas-client-2.0.3# ./configure
[...]
gonzo:/opt/openvas-client/openvas-client-2.0.3# make
[...]
gonzo:/opt/openvas-client/openvas-client-2.0.3# make install

NB: you may, depending on your client system, have to resolve some GTK dependencies and other build/compiler dependencies like the ones listed above: libgtk2.0-dev should solve most of your gtk problems, if you're running Debian Lenny.

Once the GUI client is installed, start it up:

toconnell@gonzo:~$ sudo aptitude install openvas-client
[...]
toconnell@gonzo:/opt/openvas-client/openvas-client-2.0.3/bin$ ./OpenVAS-Client &

Connection Screen, OpenVAS GUI Client

Once your client is connected with your server, you're ready to fill in the blanks and start your first round of tests. This is fairly self-explanatory and, honestly, you wouldn't be reading this if you couldn't figure out simple GUI interfaces: specify your target (i.e. the server you're auditing), make sure that all the plugins are enabled and then click the life preserver to start the "Scan Assistant" and execute the scan. Follow the on-screen prompts: easy as apple pie.

The best thing to do, once your scan starts, is probably to go do something else and come back in a little bit: in my experience these scans can take anywhere from 15 to 45 minutes, depending on your server and your pipe: my server is an old Linksys NSLU2 and my pipe is a consumer-grade Speakeasy residential connection, so I'm used to waiting close to an hour for the scan to finish. Using corporate resources will result in less idle time.

OpenVAS scan results report

Once the scan is done, you're treated to a report view. This is what we've been after all long. In it, you'll see a full run-down of what ports on your server are open and what open ports are listening for what. Additionally, you'll be treated to helpful recommendations about how to close security holes. And while closing those holes is beyond the scope of this article, I will say that almost every recommendation I've gotten from an OpenVAS report has been sane, been sensible and lead to a harder server.

nikto: Web-server Specific Auditing
The second thing to do, in order to perform a robust audit of your system, is to hit it with nikto (http://www.cirt.net/nikto2).

nikto, unlike OpenVAS doesn't require a server/client hook-up: just install the client with apt and fire off some tests, writing the output from those tests to plaintext files:

molluska:/# aptitude install nikto
molluska:/# nikto -h newathens.org -p 80 -output nikto_na80 && nikto -h newathens.org -p 443 -output nikto_na443

You'll get helpful output that points you towards an obvious solution like this:

+ mod_ssl/2.2.9 appears to be outdated (current is at least 2.8.30) (may depend on server version)

And you'll also get put on notice if you've got paths/folders/files with names that automatic exploiters and scripts tend to look for:

+ OSVDB-3092: GET /login/ : This might be interesting...

...to script kiddies and Chinese botnets.

You'll also get put on notice if you've got too much of your software's installation defaults hanging out in the open:

+ OSVDB-3233: GET /icons/README : Apache default file found.

Server-side Checks

chkrootkit
There are a few utilities that allow you to perform quick server-side audits of your security situation. Some of them, like rkhunter will run daily (like logwatch or apticron) and tell you if they've identified any new chinks in your armor. The first one to install and run is chkrootkit.

molly:/# aptitude install chkrootkit
[...]
molly:/# chkrootkit

This is a great place to start your internal audit because it'll tell you if you've picked up any known bugs and whether anything weird, filesystem-wise, appears to be going on with your computer.

The best use for this app is to give you a very quick idea of what sort of shape you're in. If you've got a system littered with suspicious files, odd-looking binaries, etc., you know exactly where to start plugging holes.

rkhunter
While we're on the subject of checking for root kits, let's do rkhunter:

molly:/# aptitude install rkhunter
[...]
molly:/# rkhunter --update
molly:/# rkhunter --check

This gets you a quick check of all your important binaries (to make sure they look like they're supposed to look, i.e. that they haven't been replaced by scripted exploits or an intruder with something that opens a back door) and a quick scan for known exploits of the rootkit variety. You'll also be told whether you're running inetd/xinetd (which tends to open ports in a manner whose security can be less than "ironclad") and other fun facts about potential vulnerabilities.

The best thing to do with this report is think long and hard about what ports/resources/pathways you actually want to make available to the Internet and then start disabling services. Once you've spent some time with that, you're pretty well on your way to having an idea of exactly how hard your server is and how much work you've got to do to keep it safe.

If anyone has any ideas about other utilities or techniques for security auditing, please feel encouraged to share them in the comments.

Generally speaking, I'm a Debian guy.

Sure, I'll mess around on the CentOS box under my desk on the production RHEL servers at work a little bit, but Red Hat is largely terra incognita for me and Debian is where I'm comfortable doing my admin thing and managing packages. I know apt. I am comfortable with apt. And while I wouldn't describe using yum as something that makes me uncomfortable, when I do have to use it, I find myself spending more time Googling and forum-searching than I'd like.

I'm beginning to accept that this is no one's fault but my own.

And so the purpose of this article, therefore, is not a.) to point fingers, b.) to compare apt to yum or c.) to explain yum from the perspective of someone who is accustomed to doing things the Debian way. The Internet is littered with stuff like that like the intersection of Paradise and Tropicana are littered with advertisements for escorts.

In this post you'll find some novice-level trouble-shooting tips, reminders and pointers for the casual yum user that are intended to help reduce the occurrence of forehead-slaps and to decrease the amount of time spent tailing logs and Googling obscure error messages.

1. Preemptive Troubleshooting.

It's not in the documentation, but I have noticed that a lot of dependency issues and version consistency problems are resolved by tossing off the following yum command and then trying again:

 # yum clean packages

It has become my general practice to do this before I do anything else. It's a nice preemptive step.

I've noticed that it's generally not the advice of performance-minded (read: impatient) admins to do the more scorched-Earth yum clean all, as this empties caches, dbcaches (i.e. sqlite files) and can causes longer check-update times.

2. filelists.xml.gz Download Times out.

Let's say you're doing a yum update or a yum upgrade and you get some output like this:

filelists.xml.gz          100% |=========================| 1.4 MB    00:01
filelists.xml.gz          100% |=========================| 1.3 MB    01:48
http://apt.sw.be/redhat/el5/en/i386/dag/repodata/filelists.xml.gz: [Errno 4] Socket Error: timed out
Trying other mirror.

There are good odds, especially if you're using non-standard repositories, that you copied/pasted some text into your yum.conf from somewhere out there on the Internets. If you did, there are even better odds that the text you copied includes something about using GPG to authenticate the repo. If you've got lines like that, you'll need the repository's key.

Generally speaking, you can navigate to a repository's http site and find the URL for their public key. Once you've got that, all it takes to import it is one of these:

# rpm --import http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt

3. Know your repositories

You can save a lot of backtracking/head-scratching time if, before searching for a package on a machine you don't visit that often, you toss off a quick yum repolist. This handy feature will spit out the names and statuses of all of the repositories in all the files in your /etc/yum.repos.d/ directory and prevent you from doing that thing where you don't realize that you've only got the default CentOS repositories enabled but can't seem to figure out why the eff your yum search for htop just turned up a big goose-egg.

4. Automatic Notifications

If, like me, you're coming at yum from a Debian perspective, one of the first things you'll do when you start administering an RPM-based system is to install the apticron-equivalent known as yum-updatesd (# yum install yum-updatesd.noarch). Something you might forget, however, is that the default behavior of yum-updatesd is to not send emails.

Don't forget to edit /etc/yum/yum-updatesd.conf such that

mit_via = dbus

looks like

mit_via = email

or you won't get those all-important package update emails.

And that's about all that's coming to mind right now.

If anyone else can think of some things that you consistently forget--and then suddenly remember, 20 minutes later--to do when you're working with yum, feel free to leave a comment.

This blog is going to end with a question that I have been unable, after countless minutes of Googling, to answer satisfactorily. It will start, however, with some givens.

I already know that if you want to alter the default settings for all profiles that will be created by a given Firefox installation in the future, you add the line for the preference that you want to effect those profiles to the file FIREFOX_ROOT/defaults/profile/prefs.js.

Similarly, I already also know that if you want to push a preference to all currently existing users on the machine, you add the line for that preference to FIREFOX_ROOT/deftauls/pref/firefox.js.

The caveat there, of course, is that if the user of the profile have already changed a preference in his personal prefs.js (i.e. the one in HOMEDIR/.mozilla/firefox/RANDOMALPHANUMERICS.USERNAME/prefs.js) and it conflicts with your preference in the (global) firefox.js, then you (the admin) are SOL, because the program will defer to the user's personal prefs.js file.

Which brings us to the question: is there a way (short of writing a script to parse individual user's personal prefs.js files and modify them as needed) to push a preference to all users of a given Firefox installation?

Full disclosure: I'm posing this question for two reasons. The first reason is that I'm sort of passive-aggressive with Firefox: ours is a very love-hate relationship. The second reason is that I honestly don't think that what I'm describing--i.e. adding a preference to one, "master" preferences file that effects all users of a given installation, regardless of their personal prefs.js file--can be done.

Am I missing something? Maybe even something truly forehead-slap-worthy that's at the top of all the documentation? Or is this a real limitation of the program?

Nick explains CLICK.

I helped out with the clicking backend for the site. It's a disgusting mess of PHP and MySQL, or else I'd share the code... :P

It's amazing to think that this thing just under 3 million clicks!

We've caught a few people cheating, and sparked some debate on Hacker News. Still, it looks like a lot of people really love to click the stupid thing. There's just something about it...

Nick has been doing some awesome screencasts about productivity and some other stuff... You should go check them out if you're into GTD or Merlin Mann.

After you watch the video - GO CLICK THAT BUTTON!

I was recently doing some server hardening on the computer that serves my email when, upon attempting to check my admin account, I got the following completely unhelpful, vanilla "encryption protocol" error from Thunderbird:

Thunderbird can't connect securely to because the site uses a security protocol which isn't enabled.

So, naturally, I whipped out T-bird's about:config, grepped the list for "ssl" and made sure that most of the contemporary ciphers were enabled (i.e. set to true). And once I was satisfied that things were on the up and up with my client, I decided to go have a look at the server.

Tailing mail.log, I noted this sort of thing happening over and over:

Mar 10 13:06:31 lana postfix/postfix-script[18701]: starting the Postfix mail system
Mar 10 13:06:31 lana postfix/master[18702]: daemon started -- version 2.5.5, configuration /etc/postfix
Mar 10 13:07:27 lana imapd-ssl: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

This message sort of blew my mind: I was essentially being told that my client, a Debian (Lenny) workstation running Thunderbird, shared no openssl ciphers with my email server, a Debian (Lenny) box out in the wild.

Not being the sort to ignore log warnings, I decided to verify. From the client:

gonzo:/# openssl ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5

A fairly robust list. From the server:

lana:/# openssl ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5

Same cot-damn list.

"So what gives?"

I Googled around a bit and learned about "s_client", an argument for the openssl tool that lets you debug an SSL exchange. I ran the following on my client:

gonzo:/# openssl s_client -connect mail.XXXXXXX.com:993 -ssl3

It showed me that the port was open, but that there were handshake problems:

26282:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
26282:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

From that cryptic output, I decided that it was time to dig into the SSL conf files over on the server.

After a little preliminary troubleshooting--a quick scan of /etc/postfix/main.cf and /etc/postfix/master.cf to check for obvious shenanigans--I decided to have a look at /etc/courier/imapd-ssl and found the source of my new SSL auth problem: I had, in my recent efforts beef up security, managed to overwrite my previous /etc/courier/imapd-ssl with a vanilla version of that conf file that had a big 'ol she in front of the argument that determines exactly which ciphers the IMAP daemon will use to authenticate requests: TLS_PROTOCOL was commented completely out, as was TLS_STARTTLS_PROTOCOL.

I took a quick look at the surrounding comments in the conf file and set both of them to "SSL23":

TLS_PROTOCOL=SSL23
TLS_STARTTLS_PROTOCOL=SSL23

I then reloaded postfix, attempted to connect with my client and, to my dismay, saw this roll up in the mail.log:

Mar 10 13:55:34 lana imapd-ssl: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

This message, while cryptic enough to send me off to scratch my head and pore over comments on OsDir and the Ubuntu fora, was one that I eventually figured out. It turns out that those two TLS protocol directives do not want to be identical.

So I chaged the file thus:

TLS_STARTTLS_PROTOCOL=TLS1

And, once I had reloaded the IMAP daemon and postfix, voila: a clean log-in!

Mar 10 13:56:52 lana imapd-ssl: Connection, ip=[::ffff:XX.XXX.XXX.XXX]
Mar 10 13:56:52 lana imapd-ssl: LOGIN, user=admin, ip=[::ffff:XX.XXX.XXX.XXX], port=[42130], protocol=IMAP

A recent LifeHacker article got me interested in anki, a cross-platform Simple Repetition System (SRS) or flash-card app.

anki allows users to create or import modular "decks" of "cards" that they can use to study whatever it is that they want to study. Which is, in and of itself, pretty great: as soon as I learned about this, I got excited. My enthusiasm went on the wane, however, when I discovered that there was no deck for ancient Latin (the casual study of which has long been a hobby of mine).

So I decided to create one by scraping the Latin dictionary at http://classicsunveiled.com/. The details of the scrape and the import of the entries into a Postgres database are relatively uninteresting: there are also hundreds of good tutorial on BeautifulSoup and psycopg2 out there and the world obviously has no use for another one from a self-proclaimed n00b like me.

What the world might find useful, however, is the ancient Latin deck I created. Here's a step-by-step* on how to get it going:

1. Download the .txt file from my personal blog: http://demongin.orghttp://s3.amazonaws.com/almosteffortless/ankiLatin.txt
2. Start anki.
3. Click "File" -> "Import"
4. Click "Choose file..." and browse for ankiLatin.txt.
5. Once you've selected the file, everything should be ready to go: click "Import" (to the right of the "Field mapping" controls), give the program a second to import the deck, select close and get busy.

* NB: these instructions are based on the Debian package version of anki (i.e. 0.9.9.4).

I work mostly on Debian systems (workstations and servers). Recently, during a lull, I decided to throw caution to the wind and go ahead with a reasonably large (<= 1000MB worth of new and upgrade packages) dist upgrade on my personal workstation at the office. Everything went pretty well (as well as could be expected, anyway) and my post-upgrade reboot was mostly uneventful.

OpenVPN, however, did not start. And, not to besmirch the character of its developers or its package maintainers ("it's not you; it's me"), I wasn't exactly surprised. OpenVPN is definitely on my "usual suspects" list. And if you run Debian testing or sid, it should be on yours as well.

And if it's going to be on your "usual suspects" list and be one of the first apps that you expect to fail, you ought to have a trouble-shooting routine. Or at least an idea of where to start.

Generally speaking, when my OpenVPN fails to initialize and connect during boot, I see the following when I tail /var/log/openvpn.log:

Mon Jan 12 11:33:31 2009 Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Mon Jan 12 11:33:31 2009 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Mon Jan 12 11:33:31 2009 Cannot allocate TUN/TAP dev dynamically
Mon Jan 12 11:33:31 2009 Exiting

And, honestly, this is the error you're most likely to receive following an kernel upgrade: something will go "kablooie" as the various new modules are initialized, your dev node won't be created and you'll end up without support for the virtual device that will allow you to create your tunnels.

First things first, stop and start OpenVPN with its init script and tail the logs, just to eliminate the possibility that cosmic rays struck your machine during boot and the failure was a fluke:

gonzo:/etc/openvpn# /etc/init.d/openvpn stop
Stopping virtual private network daemon:/etc/init.d/openvpn: line 68: kill: (3047) - No such process
 client.
gonzo:/etc/openvpn# /etc/init.d/openvpn start
Starting virtual private network daemon: client.

If you wind up with the same failure message, it's time to look for modules.Do one of these:

# lsmod |grep tun

If you don't see something like the following, odds are good that your module just plain didn't get initialized:

tun                     8292  1

You'll want to double-check that, of course, by grepping your dmesg. If you don't see something like the following in your dmesg boot log, then it's probably time to take the action recommended below:

gonzo:/etc/openvpn# dmesg |grep tun
[   19.292084] hda: host max PIO4 wanted PIO255(auto-tune) selected PIO4
[   19.292466] hdb: host max PIO4 wanted PIO255(auto-tune) selected PIO4
[   20.700088] hdc: host max PIO4 wanted PIO255(auto-tune) selected PIO4
[  492.481978] tun: Universal TUN/TAP device driver, 1.6
[  492.481989] tun: (C) 1999-2004 Max Krasnyansky 

If this is the case, you might considering adding the string "tun" to your /etc/modules file and trying a manual initialization of the module:

# modprobe tun

If, however, module initialization isn't your problem, you might be experiencing some shenanigans with the population of your /dev directory. If the "tun" module appears to have been initialized successfully, go ahead and ls -l for the node:

# ls -l /dev/net/tun

If this comes back "No such file or directory" your best bet for a quick fix is (assuming that /dev/net already exists) to handle the situation cowboy style and make the dev node yourself:

# mknod /dev/net/tun c 10 200

That should get you a node that looks like this:

crw-r--r-- 1 root root 10, 200 2009-01-12 11:37 /dev/net/tun

And once you've got that, issue a quick stop and start of OpenVPN via init script and tail that /var/log/openvpn.log file one more time; you should be past the tunnel creation process.

...and on to the next catastrophic failure.