Nagios : arfore dot com

My last two posts, Starting NRPE via launchd and Nagios NRPE on OS X Server 10.5, concerned getting NRPE to run on OS X Server 10.5 and having it startup at system boot.

However, this is only part of the battle.  Once you have Nagios monitoring set up on your server you also need to have some nice options for checking the availability of your running services.

Tim Wilson from the Savvy Technologist, wrote an NRPE plugin that helps out with this.  The plugin check_osx_services does an excellent job of checking on the status for many services running on 10.5 Server.

The documentation on the plugin at the NagiosExchange site is pretty thorough.  One thing that is not mentioned is that you will need to run the check_osx_services script as superuser since it calls the system level command serveradmin which must be run as root.

Last week I posted on how to setup NRPE on Mac OS X Server.  Here is what you need to do to make it start up at system boot.

On a Linux or Solaris machine you can just include the call to the daemon in an init script like rc.local and it will be started when the OS boots.  Unfortunately, Apple has made this a little more difficult on Mac OS X with Tiger and Leopard.  The standard startup processes (cron, inetd, xinetd, etc.) have been rolled into a single process known as launchd.

Recently I was tasked to install the Nagios add-on NRPE on two OS X 10.5 servers.

I read a little on the ‘net about it, but no one actually had much in the way of a walkthrough, so I thought I would fill the void.

The basic steps involve compiling the NRPE source, but doing so involves altering some of the code.

PHP : arfore dot com

So in the process of applying the new SSL cert here at work, I discovered an issue with the reCAPTCHA service.

The problem was that I was getting errors saying that my forms were only partially encrypted.  This was due to my use of the reCAPTCHA library, which by default doesn’t use an SSL connection to grab the challenge HTML.

The documentation at the reCaptcha site has a section on this.  Specifically it says:

In order to avoid getting browser warnings, if you use reCAPTCHA on an SSL site, you should replace http://api.recaptcha.net with https://api-secure.recaptcha.net.

Ref: http://recaptcha.net/apidocs/captcha/client.html

The example it uses shows how to change the JavaScript itself.  While this was nice to know, it really didn’t help much in my particular case. To solve this when using the reCAPTCHA PHP library, all you need to do is change the value of a single variable.  In the file recaptchalib.php, look for the function recaptcha_get_html and change the declaration to read as follows:

function recaptcha_get_html ($pubkey, $error = null, $use_ssl = true)

This will force all calls to be transmitted over an SSL connection, thus eliminating the dialog box in Internet Explorer and the slashed-lock in Firefox.

However, since I am not encrypting the entire site by default (due to an issue with our website editing/management system, Adobe Contribute), I had to do a bit more than just update the boolean variable.  Since some of my forms are encrypted and some are not, I added the following code to the function referenced above:

    // Force the secure endpoint whenever the form page itself was requested
    // over HTTPS.  SERVER_PORT is a string, so compare it (==) rather than
    // assign to it; a lone = would always be true.
    if ($_SERVER['SERVER_PORT'] == 443) {
        $use_ssl = true;
    }

This needs to be added just above the check for the value of the variable $use_ssl in the function recaptcha_get_html.  Once you do this you can use the same copy of the recaptchalib.php file for both secure and non-secure forms.
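To see what the port check buys you, here is an added Python rendition (not the reCAPTCHA library's own code) of recaptcha_get_html with that override, plus a scan for the plain-http src URLs that trigger the partial-encryption warning. The markup approximates the library's output and the PUBKEY value is constructed.

```python
import re

# Endpoints named in the reCAPTCHA client documentation quoted above.
RECAPTCHA_API_SERVER = "http://api.recaptcha.net"
RECAPTCHA_API_SECURE_SERVER = "https://api-secure.recaptcha.net"


def request_is_https(server):
    """Mirror the PHP check on $_SERVER: SERVER_PORT arrives as a string,
    so compare against '443' instead of assigning to it."""
    return str(server.get("SERVER_PORT", "")) == "443"


def recaptcha_get_html(pubkey, server, error=None, use_ssl=False):
    """Approximation of recaptchalib.php's recaptcha_get_html, including the
    port-443 override the post adds just above the use_ssl check.
    `server` plays the role of PHP's $_SERVER superglobal."""
    if request_is_https(server):
        use_ssl = True
    base = RECAPTCHA_API_SECURE_SERVER if use_ssl else RECAPTCHA_API_SERVER
    errorpart = f"&amp;error={error}" if error else ""
    return (
        f'<script type="text/javascript" src="{base}/challenge?k={pubkey}{errorpart}"></script>\n'
        "<noscript>\n"
        f'  <iframe src="{base}/noscript?k={pubkey}{errorpart}" height="300" width="500" frameborder="0"></iframe><br/>\n'
        '  <textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>\n'
        '  <input type="hidden" name="recaptcha_response_field" value="manual_challenge"/>\n'
        "</noscript>"
    )


def mixed_content_urls(html):
    """Return every plain-http URL the markup loads via a src attribute.
    On an https page, any hit is what produces the 'partially encrypted'
    warning the post describes."""
    return re.findall(r'src="(http://[^"]+)"', html)
```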

Web Apps : arfore dot com

There are many really nice web apps out there now. Some of them are designed for pure entertainment, others are designed for tracking personal information, and still others serve a clear design purpose.

Here are a couple that I like:

  • My Mile Marker – a nice app that helps you track your car’s mpg over time.
  • Wufoo – an online html form builder. They have a number of pre-designed templates that you can choose from and alter.
  • Typetester – an online font comparison app that helps you see what your online content will look like in various fonts.

What web apps are out there that you use or find particularly interesting?

Sungevity is a company that does residential solar panel installations. They have this cool web app that lets you enter your address and then determines how much energy you will need. They use satellite imagery to help design the system.

When you’re ready to see how much solar your home needs, Sungevity makes it easy. Simply enter your address, and we’ll design a system for your roof remotely, using satellite images. We’ll get back to you with the systems that will fit on your roof – all online and free.

Pretty cool, but unfortunately it is for California residents only.

Software : arfore dot com

At work we run the WebCT Vista course management system by Blackboard.

Recently I was requested to figure out how to import the security certificate from the command line so that we could add this to the login script used for our campus computers. The main reason behind this was to eliminate the need for the user to have to manually agree to the security certificate when browsing to the CMS.

Normally when you want to create a Java keystore, you would use the keytool program located in $JAVA_HOME/bin. If you run this program to import a certificate without specifying a location for the keystore it tries to create one named .keystore in the user profile home directory.

However, when the JRE actually imports a certificate it doesn’t put it in this file. After some investigation, it turns out that the JRE imports certificates into a file named trusted.certs which is located in the following directory:

C:\Documents and Settings\USERNAME\Application Data\Sun\Java\Deployment\security\

In order to import a certificate into a keystore you need two vital pieces of information:

  1. the keystore name
  2. the keystore password

The problem here is that this keystore is being automatically created by the JRE. It turns out that this keystore has a password that is an empty string. What this means is that when you import a certificate you have to specify the password by using the -storepass parameter with the value "".

For example if the certificate that you want to import has a name and path of

c:\Blackboard.cer

the command to import the certificate for the user jdoe would be

keytool.exe -import -noprompt -keystore "C:\Documents and Settings\jdoe\Application Data\Sun\Java\Deployment\security\trusted.certs" -storepass "" -file c:\Blackboard.cer

Update 2008-04-09:

I have also found how to do this on Mac OS X. According to the developer documents, the JVM on Mac OS X uses the user’s default keychain to store this type of certificate instead of using a file-based keystore like the other operating systems.

In order to store the certificate in the user’s login keychain you can import it via the command line tool certtool that is installed on the OS.

The command to import this certificate from the command line is

certtool i path/to/cert/file k=~/Library/Keychains/login.keychain

If you want to have this happen at login for each user who might login, then you could implement this via a login hook. For more on this, take a gander at the article 301446 in the Apple knowledgebase.
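An added Python helper (not from the post or from Sun's tools) that builds the keytool call as an argv list, so the space-filled keystore path survives as one argument, and that checks the certificate file's SHA-1 fingerprint before importing, since -noprompt skips the trust question keytool would otherwise ask. The alias name is an assumption; the fingerprint to compare against is whatever you recorded from the real server.

```python
import hashlib
import subprocess

# Per-user location of the JRE's accepted-certificate store on Windows XP,
# as found in the post; {user} is filled in for whoever is logging in.
JRE_TRUSTED_CERTS = (r"C:\Documents and Settings\{user}\Application Data"
                     r"\Sun\Java\Deployment\security\trusted.certs")


def keytool_import_argv(user, cert_path, alias="blackboard"):
    """Build the keytool command as an argv list.  Handing subprocess a list
    keeps the space-laden keystore path as a single argument, which the
    one-liner form has to get right with quotes.  The alias is an assumed
    label, not something the post specifies."""
    keystore = JRE_TRUSTED_CERTS.format(user=user)
    return ["keytool.exe", "-import", "-noprompt", "-alias", alias,
            "-keystore", keystore, "-storepass", "", "-file", cert_path]


def sha1_fingerprint(der_bytes):
    """Colon-separated upper-case SHA-1 fingerprint, the form keytool
    -printcert shows.  The .cer file must be binary DER for the file hash to
    equal the certificate fingerprint; a Base64/PEM file would need decoding."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _read_file(path):
    with open(path, "rb") as fh:
        return fh.read()


def import_if_fingerprint_matches(user, cert_path, expected_fp,
                                  read_file=_read_file, run=subprocess.run):
    """-noprompt suppresses keytool's 'Trust this certificate?' question, so
    perform that check here: only import when the file on disk hashes to the
    fingerprint recorded from the real server.  Returns the argv that was run.
    read_file and run are injectable so the logic can be exercised offline."""
    actual = sha1_fingerprint(read_file(cert_path))
    if actual != expected_fp.upper():
        raise ValueError(f"fingerprint {actual} does not match expected {expected_fp}")
    argv = keytool_import_argv(user, cert_path)
    run(argv, check=True)
    return argv
```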

At work I am in charge of running our Macromedia Adobe Contribute Publishing Server.

Since I like to duplicate my work environment on my laptop for local development, I needed to install JBoss 4.0.5.GA.  I won’t go into why we are running such an old version; that’s all Adobe’s fault.

Installing JBoss

  1. Download the JEMS installer for 4.0.5.GA from the JEMS Installer Downloads page at jboss.org.
  2. Execute the installer:
    java -jar jems-installer-1.2.0.GA.jar
  3. If you get asked to allow java to talk through the firewall, choose Allow.
  4. The default installation location is: /Applications/jboss-4.0.5.GA

    It will create the directory if it doesn’t exist already.

  5. During the install process choose the Advanced install method.  This allows you to pick your database environment, as well as making the process of securing the JMX Console and JBoss Web Console much easier.

Starting JBoss

  1. Open a terminal
  2. Go to the install location’s binary directory (I used the default):
    cd /Applications/jboss-4.0.5.GA/bin/
  3. Execute run.sh, binding it to the loopback address:
    ./run.sh -b 127.0.0.1 &
  4. You will see the output of the startup process show up in the terminal window.

Stopping JBoss

  1. Open a terminal
  2. Go to the install location’s binary directory:
    cd /Applications/jboss-4.0.5.GA/bin
  3. Run the shutdown script (don’t forget to authenticate!):
    ./shutdown.sh --server=localhost:1099 --shutdown -u admin -p password

Notes

  • The default port for the HTTP connector is 8080
  • The SSL connector is disabled by default

Security : arfore dot com

So, a friend of mine was setting up a Linksys WRE54G Range Extender on her wireless network to eliminate a dead spot in her house.

She had issues with the Windows-based setup utility because it hardcodes the TCP/IP settings on the computer due to the fact it assumes that your network won’t be setup to work with the device out of the box.  After that failed, and spending a while on the phone with a hapless Linksys tech support person, we finally got it configured via the web interface.

So everything is going fine until she notices that the MAC filter that was configured on the WRT54G was no longer effective.

It turns out that when you setup the WRE54G to work it invalidates the purpose of your MAC filtering.  All traffic sent through the range extender is automatically flagged as OK.

From a Linksys forum post:

As a result, Wireless MAC Filtering on the main wireless router or access point will have no effect on clients connecting through a WRE54G Range Expander.

You have to wonder who makes the decisions on options with stuff like this.  The Linksys tech I was chatting with online about this said that the best solution would be to enable WPA security, but their user guide for the device specifically recommends doing MAC address filtering in addition to the encryption, except for the fact that you can’t.

Good game Linksys.

So, PayPal has thrown down the gauntlet on the safe browser war.  According to an InfoWorld article, they have declined to add Apple’s Safari browser to their list of safe browsers due to the lack of native anti-phishing technology.

I find it interesting that one of the features they explicitly mention in the InfoWorld article as being a reason behind this is the use (or lack thereof) of the Extended Validation Certificate (EV).

Firefox 2 does not currently support this; however, the possibility of having the browser warn you of a possible phishing attack is apparently enough for PayPal. According to the Mozilla developers, Firefox 3 will support the EV technology.

Personally I think that the automated protection schemes are great, when they work.  One of the first things I did when installing IE7 on my virtual machine was to disable the anti-phishing filter.  It is nice to have the automated systems, but there is nothing like a little user education to make the world a safer place.  According to a NetworkWorld article:

In one study, three groups of 14 participants each received e-mail messages that included spam and phishing attacks as well as legitimate mail. Two of the groups were presented with educational material about how to prevent being phished; but only one group received the material after having fallen for the phishing e-mails and entered personal information into a fraudulent Web site.

The group that was given educational materials but hadn’t been phished was no better at spotting phishing attacks than the third group, which received no educational materials at all, researchers say.

Besides, who is to be the arbiter of whether or not the site really deserves being declared a phishing site?  Sure sometimes it is patently obvious, like when the site is dressed up to look like Citibank, but the URL is really something like “www.citibank.secure.orangecrush.cz”.  However, there is no such thing as a perfect system, and we don’t need to train the users to rely completely on the built-in safeguards.

If you have read my previous post, GPG Best Practices, you will know that I am a fan of setting expiration dates on my GPG keys.

This has not always been the case. As with many computer users I tend towards the lazy, and if I can keep from having to re-learn a password by never changing it, then I have been guilty of doing so.

Recently, however, I have decided that this is not the best thing to do when it comes to computer security. So while restoring my computer this weekend after a rebuild of the OS to get rid of some cruft that had built up, I decided I needed to add expiration dates to all of my GPG keys.

Now I had already established one for my work e-mail at the time I created the key, but now I needed to go back and add ones to my personal keys. After reading the man page on GPG, it looked pretty easy. Just go into edit mode for the key I wanted to change, then add an expiration date. Simple enough, right? Wrong.

Turns out that what I wanted to do was feasible, just not readily apparent. I didn’t just want to set a date relative to the current date in days, months, weeks, or years. What I wanted to do was use a specific date.

Well, after some diligent searching on Google, I found the following in a post on the gnupg-users list:

>> Is it possible to set an explicit date (e.g. 31 Dec) rather than a
>> duration? I suppose I could compute the number of days, but that’s
>> annoying.

Problem solved, mission accomplished.

Technology : arfore dot com

This next week the Senate is expected to vote on legislation to delay the transition of broadcast television in the United States from analog signals to digital signals.

The initial deadline was to have been February 17, 2009, however some in Congress as well as President Obama claim that more time is needed due to the fact that evidence has shown that consumers are not prepared. The new legislation sets a deadline for the switch to June 12, 2009, however broadcasters can switch over to digital prior to that deadline if they so choose.

Just like a car’s VIN number, a cell phone has a number or two that contain interesting information about the device.

There’s the IMEI number, the SIM card number and the phone number itself.  Ever wonder what pieces of information are related to those numbers?  If you go to the International Numbering Plans website you can enter those numbers in and see what you get.

Over the past several years I have begun to wonder if the trend towards all things new, online and electronic is really better than the non-electronic analog.

There are many areas where the electronic version has eclipsed the original analog format, and others where the electronic version is making serious attempts to usurp the existing analog.

I decided that I would write a series of articles discussing this trend and my personal take on various changes that have occurred.  I call these articles the New Tech Series, since they will generally be pitting a new technology version against the traditional analog.

Getting Xnest for Leopard : arfore dot com

In the application selection process for 10.5, the X11 maintainers elected not to include Xnest.

While most users will probably not need this, since you can export X11 applications through an SSH connection, sometimes it is quite handy to have the entire GUI session available from a remote server.

I use this when managing some of my Solaris servers. With X11 on 10.4 this was readily available, but after installing 10.5 I found that it had not been included. Initially I just copied the binary from my 10.4 install into the expected location and tried to use it. However, as I expected, the results were not particularly satisfactory, given that the binary was built against a different X11 source tree.

After posting some of my compile issues to the X11-Users mailing list (archives are here), the code maintainer released a patch to the xorg code that fixed the symbol issues that had reared their ugly heads.

For those who are interested in making it work, here’s what you need to do:

  1. Follow the first seven lines under the section Source installation on the XDarwin wiki page
  2. Change the configure instruction line to be as follows:
    ./configure --prefix=/usr/X11 --enable-xnest=yes --with-mesa-source=`pwd`/../Mesa-6.5.2
  3. Continue with the rest of the source instructions as posted in the wiki page
  4. After copying the new Xquartz binary over, copy the Xnest binary as well:
    sudo cp hw/xnest/Xnest /usr/X11/bin/
  5. Don’t forget the manpage:
    sudo cp hw/xnest/Xnest.1 /usr/share/man/man1/

Now you have a nicely patched install of the latest fixes for Xquartz as well as the Xnest binary.

If only compiling Xephyr was working now…sigh.

Resources:

  • Applications supplied with the default X11 install on 10.5

Migrating WordPress : arfore dot com

As some of you might have noticed, I have just recently moved my WordPress installation into a subdirectory of arfore.com.

There are several reasons for this, the main one being that I would like for my blog to become a component of my website rather than the blog being the entire site.

Moving the WordPress installation itself was quite simple, and there are many pages out there describing the process as well as the pitfalls of doing it incorrectly, so I won’t repeat them here.

What was less easy to find was the proper changes to put in the .htaccess file to ensure that any existing links would get redirected to the proper location in the moved WordPress setup.

I have my permalinks configured to create a URL like follows:

http://arfore.com/blog/2008/10/12/foo-bar-baz/

In order to add the subdirectory blog to the front of the URL I used the following rule in my .htaccess file:

RewriteRule ^([0-9](.*))$ http://arfore.com/blog/$1 [R=301,L]

Similarly, to redirect the categories I used the following:

RewriteRule ^category/(.*)$ http://arfore.com/blog/category/$1 [R=301,L]

Now this may not be the most correct method to accomplish the goal, so if it needs correcting by all means let me know.
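As an added check that is not part of the original post, this Python snippet runs the two rules through the re module to confirm where sample old URLs land. The sample paths are constructed; the last one shows that the date rule also catches any other path that begins with a digit, which is worth knowing before the rules go live.

```python
import re

# The two rules from the .htaccess above, with Apache's $N back-references
# written as Python's \N.  In a per-directory .htaccess Apache matches the
# pattern against the path with its leading slash removed, so the sample
# paths below omit it.
RULES = [
    (re.compile(r"^([0-9](.*))$"), r"http://arfore.com/blog/\1"),
    (re.compile(r"^category/(.*)$"), r"http://arfore.com/blog/category/\1"),
]


def apply_rewrites(path, rules=RULES):
    """Return (target, status) for the first matching rule, emulating the
    [R=301,L] flags: an external 301 redirect and no further rule processing.
    None means no rule fired and the request is served in place."""
    for pattern, target in rules:
        if pattern.match(path):
            return pattern.sub(target, path), 301
    return None


def check_redirect_table(table, rules=RULES):
    """Run (old_path, expected_target_or_None) rows through the rules and
    return the rows whose outcome differs from what was expected."""
    failures = []
    for path, expected in table:
        got = apply_rewrites(path, rules)
        got_target = got[0] if got else None
        if got_target != expected:
            failures.append((path, expected, got_target))
    return failures


# Constructed sample of old links; the post's permalinks look like /YYYY/MM/DD/slug/.
SAMPLE_TABLE = [
    ("2008/10/12/foo-bar-baz/", "http://arfore.com/blog/2008/10/12/foo-bar-baz/"),
    ("category/php/", "http://arfore.com/blog/category/php/"),
    ("about/", None),                                   # no leading digit, no category prefix: untouched
    ("404.html", "http://arfore.com/blog/404.html"),    # any path starting with a digit is redirected too
]
```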