wtfnom | web proxy? | 00:14 |
---|---|---|
wtfnom | is it standard http protocol? | 00:14 |
wtfnom | i'm assuming so since http requests redirect to 443? | 00:15 |
joevano | wtfnom: redirect to 443? | 00:45 |
joevano | you only need port 80 and it is just standard http requests | 00:46 |
nowen_away | wtfnom: yes, you can use apache or squid, for example, if you want that in your dmz instead of your WiKID server. | 01:05 |
*** nowen_away has quit (Quit: Leaving.) | 01:05 | |
*** nowen (~nowen@adsl-74-176-163-56.asm.bellsouth.net) has joined #wikid | 12:04 | |
*** Troy (4b47ae94@gateway/web/freenode/ip.75.71.174.148) has joined #wikid | 14:30 | |
nowen | morning Troy | 14:31 |
nowen | testing a few things for you | 14:31 |
Troy | good morning Nick | 14:31 |
Troy | ok.. so far we are still up this morning | 14:31 |
nowen | how many users do you have so far? | 14:32 |
Troy | let me check.. hold a sec | 14:32 |
*** Mark_ (470e15da@gateway/web/freenode/ip.71.14.21.218) has joined #wikid | 14:34 | |
Mark_ | Any updates? | 14:34 |
nowen | morning Mark_ | 14:34 |
nowen | testing some things for you | 14:35 |
Mark_ | good morning | 14:35 |
Troy | We are up to 150 users this morning | 14:35 |
Troy | we expect that number to grow quite a bit the next few weeks | 14:35 |
Mark_ | Nick on the admin console | 14:53 |
Mark_ | is it all or nothing | 14:53 |
nowen | Mark_: what do you mean? | 14:53 |
Mark_ | on the admin console is there a way to limit the admin accounts? | 14:54 |
nowen | oh, no, not really. you can create management consoles using the api with the example.jsp as a base | 14:54 |
Mark_ | ok | 14:54 |
laszlof | ACL's would be useful for the admin area, IMO | 14:56 |
laszlof | that being said, I'd rather you guys make more API functions :) | 14:57 |
nowen | hehe | 14:57 |
*** Mark_ has quit (Ping timeout: 245 seconds) | 15:05 | |
nowen | Troy: email on the way - I have to head out for my daughter's 8th grade graduation. email me if you need me ;) | 15:11 |
Troy | ok.. thank you | 15:12 |
nowen | got to tar up the file. your gateway bounced | 15:13 |
Troy | ok | 15:13 |
nowen | so, just untar that file and drop it into /opt/WiKID/bin replacing the existing one | 15:14 |
*** nowen has quit (Quit: Leaving.) | 15:14 | |
Troy | ok.. | 15:14 |
*** nowen (~nowen@adsl-74-176-163-56.asm.bellsouth.net) has joined #wikid | 15:17 | |
nowen | Troy: | 15:17 |
nowen | download the file from here: http://www.wikidsystems.com/webdemo/usogres | 15:17 |
nowen | and drop it into /opt/WiKID/bin | 15:18 |
*** nowen has quit (Client Quit) | 15:19 | |
*** Troy has quit (Ping timeout: 245 seconds) | 16:15 | |
*** nowen (~nowen@99-174-93-102.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 18:13 | |
*** Troy_ (4b47ae94@gateway/web/freenode/ip.75.71.174.148) has joined #wikid | 19:10 | |
Troy_ | @nowen - I just updated both servers with the new replication file, usogres and restarted | 19:20 |
Troy_ | so far so good | 19:20 |
nowen | Troy_: ok - good to know | 19:28 |
nowen | we will keep banging on it next week. Let us do a bit more testing before you roll anything out, ok? | 19:29 |
Troy_ | i noticed the file was quite a bit smaller than the previous version | 19:29 |
Troy_ | ok.. let us know what you find | 19:30 |
nowen | ok - will do. Gotta go guys! | 19:30 |
nowen | have a great weekend! | 19:31 |
*** nowen has quit (Quit: Leaving.) | 19:31 | |
*** Troy_ has parted #wikid (None) | 19:37 | |
*** SEJeff (~jeff__@209.160.81.1) has joined #wikid | 21:35 | |
SEJeff | Anyone around who can help with a wikid q? | 21:35 |
wtfnom | hey | 21:55 |
wtfnom | what's the Q | 21:55 |
SEJeff | I recently just rebooted the VM running my wikid server | 22:00 |
SEJeff | which has run for a year or two flawlessly | 22:00 |
*** wtfnom has quit () | 22:00 | |
*** wtfnom (~wtfnom@66.150.156.1) has joined #wikid | 22:00 | |
wtfnom | hey | 22:00 |
SEJeff | Now when my users try to go to the ADRegister.jsp page to register their own new tokens, they get... | 22:00 |
SEJeff | https://2fa.madisontyler.com/wikid/ADRegister/ADRegister2.jsp | 22:00 |
wtfnom | you started to finally write something as i left. | 22:00 |
SEJeff | ha | 22:00 |
SEJeff | <SEJeff> I recently just rebooted the VM running my wikid server | 22:01 |
SEJeff | <SEJeff> which has run for a year or two flawlessly | 22:01 |
SEJeff | * wtfnom has quit () | 22:01 |
SEJeff | * wtfnom (~wtfnom@66.150.156.1) has joined #wikid | 22:01 |
SEJeff | <wtfnom> hey | 22:01 |
SEJeff | <SEJeff> Now when my users try to go to the ADRegister.jsp page to register their own new tokens, they get... | 22:01 |
SEJeff | <SEJeff> https://2fa.madisontyler.com/wikid/ADRegister/ADRegister2.jsp | 22:01 |
SEJeff | <wtfnom> you started to finally write something as i left. | 22:01 |
SEJeff | <SEJeff> ha | 22:01 |
SEJeff | There you go :) | 22:01 |
SEJeff | Gah, didn't mean to post the url | 22:01 |
SEJeff | but I think it is internal anyways | 22:01 |
wtfnom | it isn't | 22:02 |
wtfnom | ttps://2fa.madisontyler.com/wikid/ADRegister/ADRegister2.jsp | 22:02 |
wtfnom | The wClient connection to the server was NOT successfully established | 22:02 |
wtfnom | lol | 22:02 |
wtfnom | but it's irrelevant. | 22:02 |
wtfnom | so is that the error they receive? | 22:02 |
SEJeff | Yes | 22:02 |
SEJeff | So how do I troubleshoot that? | 22:03 |
wtfnom | and all of a sudden it started to cause you problems? | 22:04 |
SEJeff | After the vm was rebooted, yes | 22:04 |
wtfnom | did you update the wikid code, or the server modules? | 22:04 |
SEJeff | I ran wikidctl start and users can get token | 22:04 |
SEJeff | *s | 22:04 |
SEJeff | I just rebooted the vm | 22:04 |
SEJeff | and had to manually start wikid via wikidctl start | 22:04 |
wtfnom | what os are you running | 22:05 |
SEJeff | CentOS 5 | 22:05 |
SEJeff | for the wikid vm | 22:05 |
wtfnom | and do you have autoupdates enabled for centos? | 22:05 |
wtfnom | do a uname -a | 22:05 |
SEJeff | Nope | 22:05 |
wtfnom | oh | 22:05 |
wtfnom | hmm | 22:05 |
wtfnom | sounds suspicious enough. | 22:05 |
SEJeff | 2.6.18-194.3.1.el5xen | 22:05 |
SEJeff | I think this is a config or wikid problem | 22:05 |
SEJeff | I just don't know how/where to troubleshoot it | 22:05 |
wtfnom | hang on, there's a debug page to hit up for some testing.... nick mentioned it to me once. | 22:06 |
SEJeff | Thanks | 22:06 |
SEJeff | Actually I just found wauth.log | 22:06 |
SEJeff | tailed it, hit that page, and got this: http://hastebin.com/sesuqarucu.vbs | 22:06 |
wtfnom | ah ha. | 22:07 |
wtfnom | http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-test-if-the-server-is-working-correctly | 22:07 |
wtfnom | you seen this one? | 22:07 |
SEJeff | Well I can get tokens from it no problem | 22:07 |
SEJeff | Oh nice | 22:07 |
SEJeff | I'll check that out | 22:07 |
wtfnom | yeah buddy. | 22:07 |
wtfnom | try that out | 22:07 |
wtfnom | sorry, i don't work for wikid | 22:08 |
wtfnom | lol | 22:08 |
wtfnom | just another lost guy like yourself. | 22:08 |
wtfnom | but that seems similar to your prob | 22:08 |
wtfnom | gluck! | 22:08 |
SEJeff | I appreciate it :) | 22:09 |
SEJeff | The wClient connection to the server was NOT successfully established | 22:09 |
SEJeff | That's what example.jsp says | 22:09 |
SEJeff | Oh but it isn't set up right, let me try | 22:10 |
wtfnom | yeah ;-) | 22:11 |
*** mark_ (470e15da@gateway/web/freenode/ip.71.14.21.218) has joined #wikid | 22:21 | |
*** mark_ has quit (Ping timeout: 245 seconds) | 22:25 | |
SEJeff | wtfnom, nowen responded to an email and asked me to check the cert validity with keytool | 22:44 |
SEJeff | sure enough, it is expired. Luckily, that is easy to re-create from the webui | 22:44 |
SEJeff | Using this page to troubleshoot: http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-do-i-know-if-my-certificate-is-valid | 22:46 |
wtfnom | cool | 23:25 |
wtfnom | glad you figured it out. | 23:25 |
wtfnom | btw, i'm assuming that the server test link would have eventually pointed you to the cert issue as well | 23:25 |
wtfnom | if cert is expired then the server test is going to be expired as well | 23:25 |
wtfnom | btw, why did you open 443 up to the internet? | 23:25 |
wtfnom | seems like a possible exploit waiting to happen | 23:26 |
wtfnom | nick was telling me only port 80 was req | 23:26 |
joevano | yeah, everything for wikid happens on 80 only | 23:26 |
SEJeff | wtfnom, So users can register their tokens at starbucks | 23:27 |
SEJeff | and not worry about them being compromised | 23:27 |
SEJeff | via open wifi | 23:27 |
SEJeff | A sourcefire IPS sits in front of it though, so if it sees any malicious traffic, it will just drop the packets on the floor | 23:28 |
SEJeff | And we'll know about it :) | 23:28 |
wtfnom | you went with sourcefire? | 23:32 |
wtfnom | hehe | 23:32 |
wtfnom | i guess i see why | 23:32 |
wtfnom | the entire ips market right now is pseudo lame. | 23:32 |
wtfnom | why would you allow users to randomly register their tokens at starbucks though? | 23:33 |
SEJeff | wtfnom, If our CEO gets a new laptop / phone and wants to vpn into work | 23:36 |
SEJeff | We hacked up that page though, so we get emails when users do that and can check to make sure it is legit | 23:36 |
SEJeff | So long as it is audited, which it is heavily... we don't mind | 23:36 |
SEJeff | Oh and secure | 23:36 |
SEJeff | But in IPS, you can't go wrong with snort aka sourcefire | 23:37 |
SEJeff | I mean they were one of the first real IPSs out there | 23:37 |
wtfnom | heh .. i think ISS/IBM might disagree with that comment :-P | 23:40 |
wtfnom | you headed over to blackhat this year? | 23:41 |
SEJeff | Very likely | 23:41 |