Share the Knowledge
  • Untangle 6.1 Beta Now Available

    Posted on February 15th, 2009 webmaster No comments

    The biggest change in 6.1 is it’s now based on Debian Lenny (kernel 2.6.26).  Here’s the full changelog.  You can download the beta here.

  • Untangle Network Gateway

    Posted on January 3rd, 2009 webmaster 2 comments

    Another great piece of open source software.

    Untangle is basically a Unified Threat Management (UTM) solution designed for SMBs (up to about 300 users, although there are people who have successfully deployed it in much bigger environments, like this one, for example, with 1600+ users).  Untangle packaged all this great open source security software together and then provided a really nice and very intuitive user interface for it, simplifying installation and management.  They also have commercial add-ons and provide live support for a fee.

    Here’s the product overview.

    Open Source and Free

    • Firewall - Just like most firewalls, nothing really special.  You can add a description to each rule (yes, I had to mention this because our current SonicWALL firewall at work doesn’t have this option!!!).
    • Web Filter - 14 categories.  Uses a local database with data downloaded from URLBlacklist.com.  I asked in the forums how often it gets updated and someone mentioned he thinks it’s every 6 hours but I haven’t confirmed it.
    • Spam Blocker - Uses SpamAssassin.  Gets updated every hour.
    • Phish Blocker - Based on ClamAV engine and phish signature database which gets updated every hour.
    • Spyware Blocker - I really like this one.  Seems to be blocking a lot of stuff.  Sometimes you’ll see websites with just a big white section somewhere where an ad used to be :).
    • Virus Blocker - Based on ClamAV.  Signature gets updated every hour.
    • Protocol Control - Uses “L7-Filter Netfilters to classify protocols based on OSI layer 7 data, regardless of port or port-hopping.”  Let’s say you want to block AIM, but AIM has the option to use a different port, like port 80 for example, so blocking just the default AIM port on the firewall won’t work.  With Protocol Control, it doesn’t matter which port AIM is using; it can detect it based on its signature.
    • Intrusion Prevention System - Uses Snort signatures.
    • Attack Blocker - Blocks attacks :).  This prevents DoS attacks.
    • OpenVPN - Well, just like what the name says, it uses OpenVPN.  They made it really easy to set up.  You can also control which network to give a user access to and override DNS settings.
    • Untangle Reports - I love this one.  Gives you a nice summarized and detailed report (Daily, Weekly, and Monthly).

    Commercial Add-ons

    • Active Directory Connector - Uses a logon script that tells the server what IP a user is using.
    • Policy Manager - Lets you create multiple custom racks and assign them to certain users or IP addresses.
    • Branding Manager - Lets you change the look of the block pages.
    • eSoft Web Filter - A better web filter with 53 categories.  It also allows you to block https.  It’s a bit pricey though.
    • Kaspersky Virus Blocker - Adds another layer of protection.
    • PC Remote
    • Remote Access Portal

    You can deploy Untangle as a router, a transparent bridge, or a re-router.  I’ve been using it at home in router mode (virtual machine) for over a month now (I started with v5.4 and I just upgraded today to v6.0.2) and it’s great so far.  Very stable and seems to be doing its job.  You can manage everything using the web interface (Java is no longer required starting with v6.0).

    We’re actually planning on using this at work to replace our old SonicWALL firewall (which we’ve been planning on replacing since last year but kept getting pushed back due to budget cuts) and this would save us thousands of dollars from buying a commercial UTM appliance.

  • New version of P4A (3.2.0) finally released!

    Posted on December 31st, 2008 webmaster No comments

    Wow, it’s been a while since the developers updated this framework.  I thought this project was about to die because it used to be very active.  We’re actually still using v2.0 at work (which is working very well) but with the changes in this release, I think it’s time to upgrade :).

    Here are the major changes (from the developer’s website, the one I’m most excited about is the P4A_Grid widget):

    1. P4A is now released under LGPL 3. This means more flexibility for developers and customers.
    2. A new widget, the P4A_Grid, has been added to fast table data editing.
    3. P4A_Simple_Edit_Mask has been added to quickly create a simple mask to edit a database table.

    You can view the entire changelog here.

    Download P4A 3.2 from here: http://sourceforge.net/project/showfiles.php?group_id=98294&package_id=105252&release_id=647599

  • Should you switch to open source software?

    Posted on December 8th, 2008 webmaster No comments

    Here’s an interesting article from CIO.com explaining the benefits of switching to open source solutions.

    As IT costs grow and the economic crisis puts pressure on global IT budgets, open source becomes irresistibly attractive to developers and IT decision makers who are being asked to do more with a whole lot less. Meanwhile, proprietary vendors react by increasing license fees by 15 percent to 45 percent, they continue to lock-in their customers, and they take away independence regarding choice and flexibility across the enterprise technology infrastructure.

  • How to send syslog messages to a remote syslog server in Fedora 9

    Posted on December 7th, 2008 webmaster No comments

    I have a virtual machine set up running Fedora 9 on my home network which I mainly use for SSH tunneling and I just realized that this version of Fedora now uses rsyslog as its default syslog daemon.

    I wanted to send a copy of the syslog messages for SSH to my central syslog server so I can easily keep track of login attempts to my server from the outside.

    Here are the steps:

    1. Open /etc/rsyslog.conf and add this line:
      • authpriv.* @remote_server_ip_address
    2. Restart the rsyslog service: /etc/init.d/rsyslog restart

    Change “authpriv.*” to “*.*” if you wish to send a copy of all the syslog messages to the remote server.
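
    Once the messages arrive, the central server can count SSH login results per source address. This is an added example, not part of the original post; the log lines, the host name fedora9 and the function names summarize and suspicious are constructed for illustration, and it assumes sshd's usual "Failed/Accepted ... for USER from IP port N" message format.

```python
import re
from collections import defaultdict

# Constructed sample: authpriv lines as the central syslog server would store them.
SAMPLE_LOG = """\
Dec  7 21:14:03 fedora9 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Dec  7 21:14:06 fedora9 sshd[2211]: Failed password for root from 203.0.113.45 port 51234 ssh2
Dec  7 21:14:09 fedora9 sshd[2211]: Failed password for invalid user oracle from 203.0.113.45 port 51234 ssh2
Dec  7 21:14:10 fedora9 sshd[2211]: Connection closed by 203.0.113.45
Dec  7 21:20:11 fedora9 sshd[2300]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Dec  7 21:21:40 fedora9 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Dec  7 22:02:15 fedora9 sshd[2410]: Failed password for bob from 192.0.2.10 port 60100 ssh2
Dec  7 22:02:19 fedora9 sshd[2410]: Failed password for bob from 192.0.2.10 port 60100 ssh2
Dec  7 22:02:24 fedora9 sshd[2410]: Failed password for bob from 192.0.2.10 port 60100 ssh2
Dec  7 22:02:31 fedora9 sshd[2410]: Accepted password for bob from 192.0.2.10 port 60100 ssh2
"""

# The user field is greedy, so the last " from <ip> port <n>" on the line
# is taken as the source address even if the user name contains spaces.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>.+) from (?P<ip>\S+) port \d+"
)

def summarize(lines):
    """Count failed and accepted SSH logins per source IP address."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for line in lines:
        m = EVENT.search(line)
        if m is None:  # not an sshd login result (sudo, disconnects, ...)
            continue
        entry = stats[m["ip"]]
        entry["users"].add(m["user"])
        entry["failed" if m["result"] == "Failed" else "accepted"] += 1
    return dict(stats)

def suspicious(stats, threshold=3):
    """Return IPs with at least `threshold` failures and why they stand out."""
    return {
        ip: "failures-and-success" if s["accepted"] else "repeated-failures"
        for ip, s in stats.items()
        if s["failed"] >= threshold
    }

if __name__ == "__main__":
    for ip, reason in suspicious(summarize(SAMPLE_LOG.splitlines())).items():
        print(ip, reason)
```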

  • MindTouch Deki

    Posted on November 29th, 2008 webmaster 1 comment

    I’ve been playing with this open source collaboration/wiki/mashup software for a couple of weeks now and I have to say that I’m very impressed with it so far.

    I set up a wiki website at work almost two years ago using the MediaWiki engine, mainly for sharing documentation, which works fine but it could have been much better if certain features came built-in with it.

    MindTouch Deki has all these features that I wanted and a lot more.  It’s really designed for enterprise use and that’s why I’m migrating our wiki to this:

    • Active Directory/LDAP authentication with SSL/TLS support. There is an LDAP authentication extension for MediaWiki as well which works pretty well but with MindTouch Deki it’s built-in and easier to set up.  It also supports groups.
    • Access Control. MindTouch Deki lets you set permissions for each page.  It uses hierarchical pages so if you set a permission on a page, for example, new pages created under it will automatically inherit its permissions.  There’s also a checkbox when setting up the permissions that lets you apply the permissions to all the children pages.  Very easy to do and works with LDAP/Active Directory users and groups.  MediaWiki on the other hand was not designed for this so the access control extensions you’ll find for it will most likely have flaws.
    • WYSIWYG editor. There is an FCKEditor extension for MediaWiki but I find it buggy.  The one with MindTouch Deki works really well and you can even copy and paste from Microsoft Word or from another website to it.  I also like how the toolbar follows you when you scroll down while editing a page.
    • Easily attach files and images. There’s a button to quickly attach files/images to each page.  Each page also has a separate section for files and images.  You can attach multiple files/images at the same time and MindTouch Deki will automatically detect which are images.  The images section gives you a preview of the images.  You can also add a description for each file/image.
    • Search inside file attachments. By default, MindTouch Deki indexes .doc, .docx, .ppt, .pptx, .xls, .pdf, .odt, .opt, html, and text files.
    • Lots of extensions, here are a few of them:
      • MySQL - Retrieve data from an external MySQL database as a value, table, list, record, or recordlist and use it in your page.  The table is also sortable, by the way.  You can also use the retrieved values as inputs to other extensions, like Google maps for example.
      • Flickr
      • Dapper
      • Twitter
      • Windows Live (contacts, map, etc.)
      • Google (search, map, calendar, spreadsheet, etc.) - Requires Google API key.
      • Yahoo!
      • AccuWeather
      • Atom/RSS feeds
      • Media
      • Here’s the entire list: MindTouch Deki Extensions

    There are still a lot of things for me to play with, so I’m gonna be pretty busy for a while :).

    Here’s the link to download the open source edition: http://wiki.developer.mindtouch.com/MindTouch_Deki/Download

  • FreeNAS

    Posted on October 27th, 2008 webmaster 1 comment

    Here’s a pretty cool piece of open source software that you can install on an old machine to use as network-attached storage (NAS).  It runs on FreeBSD and you can even install it on flash drives (installation including the FreeBSD OS is less than 64MB).

    It supports popular services such as CIFS/SMB, FTP, SSH, NFS, iTunes/DAAP, and UPnP.  It even has a BitTorrent client!  All of these can be managed from a web interface.

    I haven’t tried all the services but those that I have seem to work pretty well (CIFS, FTP, SSH, UPnP, and BitTorrent).  There is also an option for Active Directory authentication but after I enabled it, it seems to give access to the shares to everyone when using CIFS/SMB, including computers not in the domain I specified (I’m using version 0.69b4).  So I ended up just using Local User Authentication instead.  I created an account with the same username and password as my domain account so I don’t get prompted for credentials when I try to access it.

    The UPnP service also worked great with my PS3 and was very simple to set up.  Just enable it, add the content you wish to share, select one of the preconfigured profiles or choose custom, enable transcoding and select the temporary directory for transcoded files and that’s pretty much it.

    I also really like the BitTorrent client.  Very nice and simple web interface.

    I’m running it as a virtual machine on my home network using VMware ESXi.  Installation is pretty straightforward: create a new virtual machine, create a virtual disk for the OS and the FreeNAS software (I allocated 100MB which is more than enough), create an additional virtual disk to store your files, map the FreeNAS ISO image to your virtual CD-ROM drive (connect at power on) and power on the virtual machine.  Once the ISO image is loaded, choose the option to install FreeNAS to disk.  After that, choose the option to set the LAN IP address and once that’s set just open your browser, point it to that IP address and you can manage everything from there.

    Default login is admin/freenas.

    Website:  http://www.freenas.org

  • Apache: Redirecting http to https using a .htaccess file

    Posted on March 23rd, 2008 webmaster No comments

    To redirect http traffic to https in Apache, create a .htaccess file with the following content:

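    # Turn on mod_rewrite processing for this directory
    RewriteEngine On
    # Only act on requests that arrived over plain HTTP
    RewriteCond %{HTTPS} off
    # Permanently redirect to the same host and path over HTTPS, then stop processing rules
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]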

    Place the .htaccess file in your website directory and that should be it.

    NOTE: The rewrite module in Apache must be enabled for this to work. To check whether it is enabled, open your httpd.conf and make sure the line below is not commented:

    LoadModule rewrite_module modules/mod_rewrite.so

    If you’re running Apache on Windows, you won’t be able to create a file with a filename that starts with “.” so you will have to tell Apache to look for another file. To do so, simply open your httpd.conf and change the line:

    AccessFileName .htaccess

    to

    AccessFileName ht.acl .htaccess

    Instead of naming the file .htaccess, name it ht.acl. Restart Apache and it should work.