
OTRS 5 AvailabilityCheck Error

After updating to OTRS 5 I got an error from the AvailabilityCheck multiple times a day.

e.g.

There was an error executing Execute() in Kernel::System::Console::Command::Maint::OTRSBusiness::AvailabilityCheck: ERROR: OTRS-otrs.Console.pl-Maint::OTRSBusiness::AvailabilityCheck-67 Perl: 5.20.2 OS: linux Time: Sat Dec 12 08:20:24 2015

Can’t perform POST on https://cloud.otrs.com/otrs/public.pl: 500 read timeout

To get rid of this, just add these two lines to ‘Kernel/Config.pm’, right after the ‘insert your own config settings “here”’ block.

delete $Self->{"Daemon::SchedulerCronTaskManager::Task"}->{"OTRSBusinessAvailabilityCheck"};
delete $Self->{"Daemon::SchedulerCronTaskManager::Task"}->{"OTRSBusinessEntitlementCheck"};

And restart the Daemon afterwards.

sudo -u otrs bin/otrs.Daemon.pl stop
sudo -u otrs bin/otrs.Daemon.pl start

Getting A+ rating on SSLLabs with Nginx

As for Apache2, you need a 4096-bit key to get everything to 100.

A+ on SSLLabs

Steps

1. Append the intermediate certificate

cat /etc/ssl/lets-encrypt-x1-cross-signed.pem >> /etc/ssl/ssl_cert.pem

2. Certificate

server {
  listen  443;
  root /var/www/example;

  ssl    on;
  ssl_certificate           /etc/ssl/ssl_cert.pem;
  ssl_certificate_key       /etc/ssl/ssl_private_key.pem;
}

Just these settings get you a C and leave you vulnerable to some attacks.

3. Protocol Support

To get 100 on Protocol Support we need to limit the supported protocols.

So we add this to our config:

ssl_protocols TLSv1.2;

4. Cipher Strength

Now we need to limit the supported ciphers:

ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;

5. Key Exchange

To get the key exchange to 100 we need dhparams >= 4096 bits and ECDH params >= 384 bits.

Generate dhparams:

openssl dhparam -out /etc/ssl/dhparams.pem 4096

Config:

ssl_dhparam /etc/ssl/dhparams.pem;
ssl_ecdh_curve secp384r1;

Now we have an A and 100 on every category.

6. A+

To get A+ we need to set the Strict-Transport-Security header.

Add to the config:

add_header Strict-Transport-Security max-age=15724800;

Complete Config for A+ 100/100/100/100

server {
  listen  443;
  root /var/www/example;

  ssl    on;
  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
  ssl_certificate           /etc/ssl/ssl_cert.pem;
  ssl_certificate_key       /etc/ssl/ssl_private_key.pem;
  ssl_dhparam /etc/ssl/dhparams.pem;
  ssl_ecdh_curve secp384r1;
  add_header Strict-Transport-Security max-age=15724800;
}

My config

A 2048-bit key is enough.

server {
  listen  443;
  root /var/www/example;

  ssl    on;
  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
  ssl_certificate           /etc/ssl/ssl_cert.pem;
  ssl_certificate_key       /etc/ssl/ssl_private_key.pem;
  ssl_dhparam /etc/ssl/dhparams.pem;
  add_header Strict-Transport-Security max-age=15724800;
}

A+ on SSLLabs without 100 on every category

You can find some recommended configurations here.

Getting A+ rating on SSLLabs with Apache2

To get an A+ rating on the SSLLabs SSL Server Test you need to follow some steps. Be aware that not getting 100 in every category doesn’t mean your webserver is insecure. So I am posting a config for 100 in every category and my preferred one.

A+ on SSLLabs

Steps

1. Enable SSL

a2enmod ssl

2. Certificate

To get started you need a certificate with an RSA key size of at least 4096 bits. A certificate from Let’s Encrypt will do just fine. Don’t forget the intermediate certificate.

<VirtualHost *:443>
  DocumentRoot /var/www/example

  SSLEngine on
  SSLCertificateFile    /etc/ssl/ssl_cert.pem
  SSLCertificateKeyFile /etc/ssl/ssl_private_key.pem
  SSLCertificateChainFile /etc/ssl/lets-encrypt-x1-cross-signed.pem
</VirtualHost>

Just these settings get you a C and leave you vulnerable to some attacks.

3. Protocol Support

To get 100 on Protocol Support we need to limit the supported protocols.

So we add this to our config:

SSLProtocol -all +TLSv1.2

4. Cipher Strength

Now we need to limit the supported ciphers:

SSLHonorCipherOrder On
SSLCipherSuite 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'

5. Key Exchange

To get the key exchange to 100 we need ECDH params >= 384 bits.

Generate ECDH params:

openssl ecparam -name secp384r1 -out ecparam.key -genkey

And append them to the certificate:

cat ecparam.key >> ssl_cert.pem

Now we have an A and 100 on every category.

6. A+

To get A+ we need to set the Strict-Transport-Security header.

Enable headers mod:

a2enmod headers

And add to the config:

Header always set Strict-Transport-Security "max-age=15724800"

Complete Config for A+ 100/100/100/100

<VirtualHost *:443>
  DocumentRoot /var/www/example

  SSLEngine on
  SSLProtocol -all +TLSv1.2
  SSLHonorCipherOrder On
  SSLCipherSuite 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'
  SSLCertificateFile    /etc/ssl/ssl_cert.pem
  SSLCertificateKeyFile /etc/ssl/ssl_private_key.pem
  SSLCertificateChainFile /etc/ssl/lets-encrypt-x1-cross-signed.pem
  Header always set Strict-Transport-Security "max-age=15724800"
</VirtualHost>
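To verify what actually ended up in ssl_cert.pem after the append in step 5, here is an added example (not from the original post): it lists the PEM blocks in the file, decodes the named-curve OID inside the EC PARAMETERS block to confirm the curve is at least 384 bits, and flags that `openssl ecparam -genkey` also writes an unused EC PRIVATE KEY into the certificate file (running ecparam without -genkey emits only the parameters). The sample file is constructed with a placeholder certificate body.

```python
import base64
import re

# Named curves Apache/OpenSSL commonly use, keyed by OID, with their bit size.
CURVES = {"1.2.840.10045.3.1.7": ("prime256v1", 256),
          "1.3.132.0.34": ("secp384r1", 384),
          "1.3.132.0.35": ("secp521r1", 521)}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, DER bytes) for every PEM block in the file, in order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_BLOCK.finditer(text)]

def decode_oid(der):
    """Decode a DER OBJECT IDENTIFIER (tag 0x06, short length) to dotted form."""
    assert der[0] == 0x06, "EC PARAMETERS block does not hold a named-curve OID"
    body = der[2:2 + der[1]]
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # remaining arcs are base-128 digits, high bit means "continue"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def check_cert_file(text):
    """Summarise what SSLCertificateFile carries after the append steps above."""
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    report = {"certificates": labels.count("CERTIFICATE"), "curve": "none", "curve_bits": 0,
              "stray_private_key": "EC PRIVATE KEY" in labels}
    for label, der in blocks:
        if label == "EC PARAMETERS":
            report["curve"], report["curve_bits"] = CURVES.get(decode_oid(der), ("unknown", 0))
    report["key_exchange_100"] = report["curve_bits"] >= 384
    return report

# Constructed sample: a placeholder certificate body (not a real certificate) followed by
# what `openssl ecparam -name secp384r1 -genkey` emits: EC PARAMETERS plus an EC PRIVATE KEY.
SAMPLE = """-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
-----BEGIN EC PARAMETERS-----
BgUrgQQAIg==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
AAAA
-----END EC PRIVATE KEY-----
"""
```

Run check_cert_file on the real /etc/ssl/ssl_cert.pem; a curve below 384 bits or a missing EC PARAMETERS block is what keeps Key Exchange under 100.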

My config

Getting 100 in every category has the downside of only supporting modern clients, leaving behind some older ones. Enabling some weaker ciphers and older TLS versions doesn’t make it insecure. So here is my config, which still gets an A+.

A 2048-bit key is enough and you don’t need to add the ECDH params.

<VirtualHost *:443>
  DocumentRoot /var/www/example

  SSLEngine on
  SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
  SSLHonorCipherOrder On
  SSLCipherSuite 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'
  SSLCertificateFile    /etc/ssl/ssl_cert.pem
  SSLCertificateKeyFile /etc/ssl/ssl_private_key.pem
  SSLCertificateChainFile /etc/ssl/lets-encrypt-x1-cross-signed.pem
  Header always set Strict-Transport-Security "max-age=15724800"
</VirtualHost>
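The Nginx and Apache2 posts above use the same two cipher strings, so here is one added example (not from the original posts) that parses an OpenSSL cipher string into suites, exclusions and group keywords and reports the properties behind the two results: the AES256-only list from step 4 has a weakest suite of 256 bits, while the "my config" list adds AES128 suites (and the kEDH+AESGCM group keyword), which is what separates the two lists.

```python
import re

# Cipher strings from the posts above: the AES256-only list that scores 100 and the
# "my config" list that adds AES128 suites (and the kEDH+AESGCM group keyword).
STRICT = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
          "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
          "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
          "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK")
RELAXED = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
           "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
           "kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
           "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
           "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
           "DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
           "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK")

# OpenSSL suite name: key exchange - authentication - AES size [- GCM] - MAC/PRF hash.
SUITE = re.compile(r"^(ECDHE|DHE)-(RSA|ECDSA|DSS)-AES(128|256)-(GCM-)?(SHA|SHA256|SHA384)$")

def parse_cipher_string(cipher_string):
    """Split an OpenSSL cipher string into parsed suites, exclusions and group keywords."""
    suites, excluded, keywords = [], [], []
    for token in cipher_string.split(":"):
        m = SUITE.match(token)
        if token.startswith("!"):
            excluded.append(token[1:])
        elif m:
            suites.append({"name": token, "kx": m.group(1), "bits": int(m.group(3)),
                           "aead": m.group(4) is not None})
        else:
            keywords.append(token)  # e.g. kEDH+AESGCM selects a group, not one suite
    return suites, excluded, keywords

def summarise(cipher_string):
    """The properties that matter for the Key Exchange and Cipher Strength categories."""
    suites, excluded, keywords = parse_cipher_string(cipher_string)
    return {
        "suites": len(suites),
        "forward_secrecy_only": all(s["kx"] in ("ECDHE", "DHE") for s in suites),
        "weakest_bits": min(s["bits"] for s in suites),
        "cbc_suites": sum(not s["aead"] for s in suites),
        "legacy_excluded": {"RC4", "3DES", "MD5", "EXPORT"} <= set(excluded),
        "group_keywords": keywords,
    }
```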

A+ on SSLLabs without 100 on every category

You can find some recommended configurations here.

Freeradius proxy.conf

Note to self: Freeradius (2.1.10) does not reload the proxy.conf if you do a

/etc/init.d/freeradius reload

it needs a

/etc/init.d/freeradius restart

SlackCleaner

On Slack’s free plan you can only search and browse the 10k most recent messages. When you have noisy channels where you don’t care about the history, you can set up a cron job to delete messages older than a specific time.

You can use SlackCleaner for that task. Just pass it a list of the channels to clean up, your admin API token and, optionally, a time.

Post OTRS tickets to Slack

I wrote a script to post OTRS tickets to Slack. It is called otrs2slack and you can find it here.

OTRS has the ability to call a command on certain events. If an event triggers, it passes the Ticket-Number and the Ticket-ID to that command, so the script needs to query the database to get the sender and title of the ticket.

To setup the script you need to add your OTRS hostname, the Slack Incoming Webhook URL and the SQL credentials to access the otrs database.

After that you can add it as a CMD in a GenericAgent in the Admin settings of your OTRS.

OTRS 5 pipe with Postfix

OTRS supports piping mails directly into OTRS, so you don’t need to wait for the cronjob to run.

To set up Postfix to pipe mails, follow these steps:

The ‘nobody’ user used by Postfix needs sudo permissions for the piping script. We need to add this to the sudoers file (e.g. /etc/sudoers.d/otrs); the rule only needs to allow running the console as ‘otrs’, not as any user (ALL), so keep the runas list narrow:

nobody  ALL=(otrs) NOPASSWD: /opt/otrs/bin/otrs.Console.pl *

The script needs to be run as the ‘otrs’ user and is defined in the alias file set in postfix/main.cf:

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

/etc/aliases:

otrs: "|sudo -u otrs /opt/otrs/bin/otrs.Console.pl Maint::PostMaster::Read"

Don’t forget to run ‘newaliases’ after changing the aliases file.

To add a message directly to a queue you can pass the queue as a parameter to the script:

bugs: "|sudo -u otrs /opt/otrs/bin/otrs.Console.pl Maint::PostMaster::Read --target-queue=bugs"
contact: "|sudo -u otrs /opt/otrs/bin/otrs.Console.pl Maint::PostMaster::Read --target-queue=contact"

Now messages sent to bugs@hostname get piped into the queue ‘bugs’ and messages to contact@hostname into the queue ‘contact’.