gushi: (Default)

Okay, so I have a redhat 9 box in new york, with a whopping ten gigs of hard drive space. It's a cobalt raq3, and it's basically a spare DNS server, and Nagios box for me.

I recently discovered something ugly. There was no "postmaster" user on this system. Which is fine. /etc/aliases usually redirects that to root.

Except...there was no aliases file.

Picture this for a moment. "Postmaster" is the user that gets a notification whenever there's a delivery failure. Even when there's a failure delivering to "postmaster". Which in turn causes a failure...which causes postmaster to get a notification that that failed.

Yeah, headache, that.

So I try to rebuild the aliases file, and I get newaliases: no database format defined

Apparently, this version of sendmail doesn't actually link against an installed database engine.
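Added example, not part of the original post: a small checker for the exact failure described above. It parses an aliases(5)-format file, confirms that the postmaster and MAILER-DAEMON entries every SMTP host is required to have (RFC 5321, section 4.5.1) exist, and follows each alias chain to make sure it ends at a real local mailbox instead of looping back on itself. The two sample alias files and the list of local users are constructed for the example.

```python
"""Check a sendmail-style aliases file for the postmaster bounce loop.

Every SMTP host is required to accept mail for postmaster; if no such
alias (or local user) exists, the bounce for a failed delivery to
postmaster is itself addressed to postmaster, which fails again.
"""

# Constructed sample files for the example (not copied from any real host).
GOOD_ALIASES = """\
# Basic system aliases -- these MUST be present
MAILER-DAEMON:  postmaster
postmaster:     root

# Trap decode to catch security attacks
decode:         root

# Person who should get root's mail
root:           danm
"""

LOOPING_ALIASES = """\
MAILER-DAEMON:  postmaster
postmaster:     mailadmin
mailadmin:      postmaster
"""

# Names that must resolve on any mail host (RFC 5321 section 4.5.1 for
# postmaster; MAILER-DAEMON is the conventional bounce sender).
REQUIRED = ("postmaster", "MAILER-DAEMON")


def parse_aliases(text):
    """Return {alias: [targets]} from aliases(5) syntax.

    '#' starts a comment, a line beginning with whitespace continues the
    previous entry, and targets are comma separated. Alias names are
    matched case-insensitively, so they are lower-cased here.
    """
    table = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            table[current] += [t.strip() for t in line.split(",") if t.strip()]
            continue
        name, _, rhs = line.partition(":")
        current = name.strip().lower()
        table[current] = [t.strip() for t in rhs.split(",") if t.strip()]
    return table


def resolve(table, name, local_users, path=()):
    """Follow an alias chain; return a list of (problem, detail) tuples.

    Targets that are programs (|cmd), files (/path), :include: lists or
    remote addresses (user@host) are final deliveries and are not followed.
    """
    key = name.lower()
    if key in path:
        return [("loop", " -> ".join(path + (key,)))]
    if key not in table:
        return [] if key in local_users else [("unknown", key)]
    problems = []
    for target in table[key]:
        if target.startswith(("|", "/", ":include:")) or "@" in target:
            continue
        problems += resolve(table, target, local_users, path + (key,))
    return problems


def check_aliases(text, local_users):
    """Return [] when every required alias ends at a real local user."""
    table = parse_aliases(text)
    users = {u.lower() for u in local_users}
    problems = []
    for name in REQUIRED:
        key = name.lower()
        if key not in table and key not in users:
            problems.append(("missing", name))
        else:
            problems += resolve(table, name, users)
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_ALIASES), ("looping", LOOPING_ALIASES), ("empty", "")):
        print(label, check_aliases(text, ["root", "danm"]) or "ok")
```

On the real box, once /etc/aliases exists and newaliases has rebuilt the database, `sendmail -bv postmaster` shows where delivery would actually end up without sending anything, which is the quickest way to confirm the loop is gone.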

So I go and attempt to download a new clean version of BerkeleyDB...only to find that the Oracle site is down and not responding. I trace down another location for the file, and then I get to have FUN trying to get sendmail to notice that these libraries exist.

Apparently, a good number of the howto's out there are dead fucking wrong about this.

Also, couple this with the fact that Sendmail doesn't use your standard configure, make, make install procedure. It has a shell script in there called "Build". With no clear documentation. And once you run it, it magically holds on to your settings that you've run it with. There's no "make clean" option. Every time it didn't work, I got to blow away and reinstall the fucking thing.

I'm kind of where I want to be now -- although I'm kind of spoiled by BSD, and the ability to have my .mc file in /etc/mail and a nice makefile that just does anything I need it to.

I'd probably like to get StartTLS working on this thing, just so I can say I can....but I'm just happy to get the shit working.

Next: Building a new BIND. Headdesk

gushi: (Default)
Fucking laptop is reformatted, service packed, with all the stupid sony stuff installed. My screen now dims when I yank power (to save battery). Was that so much to ask?

I've got drivers reinstalled for the USB serial port and the bluetooth -- again.

I still have a stuck HDD LED, which has to be something hitting ground or something, but I don't really care.

Wifi card is still acting a little odd, but I don't really care about that either. I think that's a firmware issue -- I'm updating now and seeing if the fucking thing behaves (I won't call it "stable" until it behaves like overnight or better).

Beyond that? All appears happy. I still need to reinstall knoppix, but getting to knoppix is as simple as "boot into dos and run a batch file". I still need to do the HD install but that's minor.

Now, on to all this work I need to actually do.

Hrmmm, dinner isn't a bad idea either.
gushi: (Default)
Okay, new annoyances.

Apparently my HD LED is now permanently stuck on. Whether this is a BIOS bug, or something else, it stays on full time, even in DOS. Even in linux. Even while in the BIOS.

And the knoppix installer for some reason spawns qtparted, which has to be the worst disk editor I've ever seen. It temporarily ate my windows partition (although truth be told, windows shares the blame on that. You have one primary partition, you tell windows to create a second, and it says "okay, extended partition". WHY?)

And it wouldn't boot because it was expecting windows to be on the SECOND partition. Grr.

Ah well, looks like Knoppix is up enough to be usable. Still have a bunch of tweaking to do on it...honestly, it's slower than I'm comfortable with under 128 megs of ram. Much as it pains me to admit that windows runs more smoothly...it does.

My Bootmenu:

The Good
The Bad
The Ugly

*annoyed*

Jul. 4th, 2005 09:24 pm
gushi: (Default)
So I've followed my previous plan, and have installed a 2g dos partition, and then for D:, win2k.

In going to download the drivers from sony, I see random files failing to extract. I take winzip and crack open the "installshield" files. Where I find cab files that Winzip vomits on.

Okay, fine.

I do a little more research, I find that apparently Installshield IGNORES the microsoft standard for cab files, and uses its own. I get my hands on i6comp, a command line utility to extract THOSE cab files. And there I find them. Batch files.


INSTALL C:\WINNT\Driver\something.sys


Well, that ain't going to work, is it? My winnt folder is on D.

Frustrated, I just go into device manager and say "hey, the driver's over there", and point them at the folder I extracted everything to.

That worked for a couple things.

Of course, once I got to anything that deals with the uniqueness of this thing as a laptop (the battery util, the keyboard hotkeys, the setup utility), there's an asinine procedure you have to follow:


Before installing this utility, you must first install the following Core Driver components in the order listed below:

Sony Notebook Control Device Utility
Sony Programmable I/O Control Device (only for the PCG-C1XS, PCG-F370/F390, PCG-F420/F430/F450/F480/F490, PCG-N505VE, PCG-N505VX, PCG-XG9, PCG-XG18/XG19, PCG-Z505HE/Z505HS)
Sony Utility Dynamic Link Library
Sony Extended BIOS Dynamic Link Library

All of those are separate installers. All of them want reboots in between.

And naturally, since I have no way of knowing which installers are going to have badly written batch files in them, this is a shitload of trial and error.

On my most recent attempt, windows found a new device "SYSTEM", and asks me for a driver. I give it one, and it bluescreens on me. I've rerun SFC to make sure everything is okay, and at this point I wonder if I really *need* those hotkeys. I think it's a necessary thing, considering I can't tweak screen brightness without it. I'm going to give it one more try in a bit.

At this point, I'm downloading the Knoppix ISO. I still need to install all the GPRS stuff for my phone, and the drivers for the USB-Serial adapter, and all the other crap you need when you work on routers.
gushi: (Default)
Guys,

phpBB 2.0.16 is out. Mass upgrades will be ensuing tonight. If you don't want this, upgrade on your own.

-Dan
gushi: (Default)
Some people ask what I do about system security on prime. I'm interested in sharing.

I've seen a lot of posts that say "don't give out ssh access". I think that's bullshit. Anyone who wants to can upload a CGI/PHP script that will allow them the equivalent of shell access almost instantly. Granted, there are a class of users on the system who can do NOTHING but email, and they have no SSH/CGI/FTP access. Similarly, setting someone's shell to /bin/date (which will allow ftp, but not a login shell) won't stop them from uploading a script.

Security is a layered thing. I certainly don't know everything about it, and I don't believe anyone can. I know what I need to, and always try to learn.

I run Webmin. I run it behind SSL, and I run it on a non-standard port. In the event of a compromise, lockout, or fat-fingered root password, webmin is a convenient back door. Additionally, it's proven an invaluable tool for certain things, like MySQL. I exchange about one email a month with the author about possible improvements.

I run aide. Aide basically takes a checksum of important binaries on your system (in my case, anything in *bin (/bin, /sbin, /usr/bin, /usr/sbin, /usr/local/sbin, /usr/local/bin), and checks everything nightly. The checksum database resides on (get this), a write protected floppy sitting in the floppy drive. Good luck hacking that.

I have no qualms about running webmin, although there have been holes discovered in the past, because I run it someplace different from usual. How do I know people won't find it on a portscan? Simple. My open ports list is like a minefield. If you connect to any of 60 commonly-exploited ports, prime will defend itself and firewall itself against you. Permanently. You won't be able to connect to it at all. The ports list is scattered enough that it's hard to hit by accident.

I have a logfile parser that runs once an hour, that goes through all my logfiles and emails me if it finds anything unusual or out of the blue (failed logins, possible attacks, etc).

Additionally, there's also a system in place that keeps track of when people FIRST log in, as well as when they log in from an unusual suffix, cross-checked against a list of country codes. (i.e. if Joe logs in from Venezuela).
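Added example, not from the original post: the two hourly checks described above (flag anything odd in the sshd log, and track first-ever logins and logins from an unexpected country per user) as one pass over syslog-style lines. The log lines, the prefix-to-country table and the user names are constructed for the example; a real run would consult a GeoIP database and keep the `known` dictionary on disk between runs.

```python
"""Hourly sshd log pass: failed-login bursts, first-ever logins, and
logins from a country not seen before for that user."""
import re
from collections import Counter

# Constructed sample log lines (syslog format, as sshd wrote them then).
SAMPLE_LOG = """\
Jul  4 21:02:11 prime sshd[1003]: Accepted publickey for danm from 66.92.1.10 port 51234 ssh2
Jul  4 21:05:40 prime sshd[1011]: Accepted password for joe from 24.5.6.7 port 4022 ssh2
Jul  4 21:40:02 prime sshd[1020]: Failed password for root from 61.2.3.4 port 3301 ssh2
Jul  4 21:40:03 prime sshd[1021]: Failed password for root from 61.2.3.4 port 3302 ssh2
Jul  4 21:40:04 prime sshd[1022]: Failed password for invalid user admin from 61.2.3.4 port 3303 ssh2
Jul  4 22:15:55 prime sshd[1030]: Accepted password for joe from 200.10.20.30 port 1100 ssh2
"""

# Constructed stand-in for a prefix -> country table. A real run would
# consult a GeoIP database; the country codes here are illustrative only.
PREFIX_COUNTRY = {"66.92": "US", "24.5": "US", "200.10": "VE", "61.2": "CN"}

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def country_of(ip):
    """Map an address to a country code via its first two octets (toy lookup)."""
    return PREFIX_COUNTRY.get(".".join(ip.split(".")[:2]), "??")


def scan(log_text, known=None, fail_threshold=3):
    """Scan one log chunk. Returns (alerts, known).

    known maps user -> set of country codes that user has logged in from;
    it is updated in place so the caller can persist it between hourly runs
    (an empty set or a missing user means "never logged in before").
    """
    known = {} if known is None else known
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        user, ip = m.group("user"), m.group("ip")
        cc = country_of(ip)
        if m.group("result") == "Failed":
            failures[ip] += 1
            if failures[ip] == fail_threshold:   # report once per source
                alerts.append(f"{fail_threshold} failed logins from {ip} ({cc})")
            continue
        seen = known.setdefault(user, set())
        if not seen:
            alerts.append(f"first ever login for {user} from {ip} ({cc})")
        elif cc not in seen:
            alerts.append(f"{user} logged in from new country {cc} ({ip}); "
                          f"previously seen from {sorted(seen)}")
        seen.add(cc)
    return alerts, known


if __name__ == "__main__":
    alerts, state = scan(SAMPLE_LOG)
    print("\n".join(alerts))
```

Run against the sample, the first pass reports both users' first logins, the three failures from one source, and joe's login from VE after being seen only from US; a second pass with the saved state reports only the failures, which is the "mail me when something new happens" behaviour the hourly job needs.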

I run MRTG, which normally is used to graph traffic, but I use it to graph things like system load, the number of logged in (and unique) users, and the number of active processes.

This is all stuff to protect the server. Part 2 will be the stuff I do to protect the user.
gushi: (Default)
So I was tapped a few minutes ago to head into the city to replace a piece of equipment at one of the NYC telecom hotels. Writing this on the train now, will post later I guess since this laptop can't talk to the phone.

Well, that's a misnomer actually -- the phone itself can make LJ posts, and the phone itself has an SSH client. And since both speak IR, I could beam this whole post over to the phone and then upload it.

But that's overkill, ne?

Anyway, I've looked into the SSH key thing I mentioned before. And I've decided it's absolutely stupid.

Basically, publishing the keys in NORMAL dns isn't enough. You have to be using the DNSSEC secured DNS extensions. What this means is every time I changed the gushi.org zone, I would have to generate a signature (nothing inherently hard about that, everything's scripted anyway). I would have to publish that signature in my DNS. And then, what's worse, is that everyone else, has to be using a DNS client that UNDERSTANDS the security enhancements, and passes on the "yes, this is secure" data to the end user. Worse still, each of those DNS servers has to accept, and TRUST my DNS public key. So if you're a user on a dynamic comcast IP (and presumably using the comcast DNS servers), Comcast would have to accept my key and include it into their system. AND, they think you should be running some encrypted protocol between yourself and comcast's DNS servers, like IPSEC.

Now, why the hell I can't just take my GeoTrust certificate that says "Yes, we've certified that this person runs gushi.org", and stuff THAT into my zonefile (this is how Sendmail, Apache, ProFTPd, Webmin, Usermin ALL work)...and then comcast would say "we believe in GeoTrust, and they say to trust you, therefore everything seems to be in order".

Of course, the system outlined above seems to be a replacement for caching the keys locally, which is even more stupid. All I'd like to see is something like this.

shell#ssh danm@prime.gushi.org
checking dns for prime.gushi.org...
key found in DNS...

the ssh key coming from prime.gushi.org, id aa.aa.aa.aa.aa.aa.aa is not known,
HOWEVER, it *does* match the key found in DNS, as retrieved from ns2.gushi.org

Would you like to continue connecting? (y/n)



From there, it would be business as usual. The key caches would still be used, instead of relying purely on DNS. SSH would still check the key cache, and would still bitch heavily if the connecting public key didn't match the one in the cache. Period. This would only serve as a method of distributing the key that makes more sense than "just type yes".

I suppose, optionally, that this kind of thing could be checked *every time*...but the cache would still be preferred.

Now, it's assumed that someone with enough brains to spoof a man-in-the-middle attack would also be able to spoof the DNS query that grabs my key (that's why the guys were talking about DNSSEC).

The other thing I'd love to see, as an optional "comment" field in the key, is a how-to-verify field.

The ssh key aa.aa.aa.aa.aa.aa.aa.aa is not known, however, the creator of this key has stated that this key may be verified in any or all of the following way(s):

NOTE: You should personally check as many of the following as you feel are necessary to verify that this id is authentic.

"see url: http://www.gushi.org/keyinfo.txt"
"if in doubt, call Gushi at 1-866-LI-GUSHI, dial option 12"
"Check http://www.livejournal.com/userinfo.bml?user=gushisystems"
"Key fingerprint should be sent out in the footer of signup e-mails"
"fingerprint is printed on the back of Gushi's business card"

Now, of course, those methods are easily compromisable too...but security is a layered thing, and it's assumed that if someone is running a man-in-the-middle attack against prime.gushi.org, they won't be able to gafutz with ALL those methods.

Doing the first bit, the DNS lookup, could be done with only a patch to the SSH code...right now, the spec states:

2.4 Authentication

   A public key verified using this method MUST NOT be trusted if the
   SSHFP resource record (RR) used for verification was not
   authenticated by a trusted SIG RR.

   Clients that do validate the DNSSEC signatures themselves SHOULD use
   standard DNSSEC validation procedures.

   Clients that do not validate the DNSSEC signatures themselves MUST
   use a secure transport, e.g. TSIG [9], SIG(0) [10] or IPsec [8],
   between themselves and the entity performing the signature
   validation.


Of course, the spec (http://www.snailbook.com/docs/dns-fingerprints.txt) also states "Expires March 5, 2004" so I'm not sure how real this is. I think I could make a serious motion toward getting this made real.
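Added example, not from the original post: the check the post wants the SSH client to perform, written against the record format the quoted draft defines. That draft was later published as RFC 4255 (2006), with Ed25519 and SHA-256 fingerprints added by RFC 6594 and RFC 7479; OpenSSH's `VerifyHostKeyDNS ask` does roughly the prompt sketched above, and `ssh-keygen -r hostname` prints the SSHFP records for a host. The host key below is constructed from a fixed byte string and is not a real key; the draft's rule that a match only counts if the record was DNSSEC-validated is carried through as the `dnssec_validated` flag.

```python
"""Verify an SSH host key against SSHFP records, the way the quoted draft
(now RFC 4255) says a client must: a match is only trusted when the RR
came back DNSSEC-validated; otherwise it is informational."""
import base64
import hashlib
import struct

# Algorithm and fingerprint-type numbers: RFC 4255 (RSA=1, DSA=2, SHA-1=1),
# RFC 6594 (ECDSA=3, SHA-256=2), RFC 7479 (Ed25519=4).
ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def key_blob(keytype, material):
    """Public key in the wire format that is base64-encoded in a
    known_hosts line; the SSHFP fingerprint is a digest of exactly this."""
    return ssh_string(keytype.encode()) + ssh_string(material)


def sshfp_record(keytype, blob, fptype=2):
    """Presentation form 'alg fptype hex', as 'ssh-keygen -r host' prints."""
    return f"{ALGO[keytype]} {fptype} {FPTYPE[fptype](blob).hexdigest()}"


def verify_host_key(keytype, blob, records, dnssec_validated):
    """Return 'verified', 'unverified-match', 'mismatch' or 'no-record'.

    Only 'verified' may be accepted without asking the user (draft/RFC 4255
    section 2.4). 'unverified-match' is the "HOWEVER, it *does* match the key
    found in DNS" prompt the post asks for.
    """
    alg = ALGO[keytype]
    relevant = matched = False
    for rec in records:
        a, t, hexfp = rec.split()
        if int(a) != alg or int(t) not in FPTYPE:
            continue                     # other key type, or unknown hash
        relevant = True
        if FPTYPE[int(t)](blob).hexdigest() == hexfp.lower():
            matched = True
    if not relevant:
        return "no-record"
    if not matched:
        return "mismatch"
    return "verified" if dnssec_validated else "unverified-match"


# Constructed host key: 32 fixed bytes standing in for an Ed25519 public
# key. It is not a real key and signs nothing; only its fingerprint matters.
PRIME_KEY = key_blob("ssh-ed25519", bytes(range(32)))
PRIME_RECORDS = [sshfp_record("ssh-ed25519", PRIME_KEY, 1),
                 sshfp_record("ssh-ed25519", PRIME_KEY, 2)]


if __name__ == "__main__":
    # What a known_hosts line would carry for this key, and the RRs for it.
    print("prime.gushi.org ssh-ed25519", base64.b64encode(PRIME_KEY).decode())
    for r in PRIME_RECORDS:
        print("prime.gushi.org IN SSHFP", r)
    for validated in (True, False):
        print(validated, verify_host_key("ssh-ed25519", PRIME_KEY, PRIME_RECORDS, validated))
```

The four return values map onto the post's wish list: "verified" is the case where the resolver did the DNSSEC work, "unverified-match" is the softer "it does match what DNS says, continue?" prompt, and "mismatch" should be treated exactly like a changed key in the cache, since a spoofed DNS answer and a spoofed host key are the same attacker.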

The sourceforge SSH servers got whacked a while ago, and a lot of people wound up revealing their sourceforge ssh passwords to the thing. The hackers were then able to log into the sourceforge shell accounts, and use the STORED KEYS that people had there to jump to other places. People actually VERIFYING KEYS would help this a lot.

As for the second part, the key "extensions", those would probably lead to widespread breakage, and we'd probably have to wait for the widespread adoption of ssh3 (which I'm not even sure is a draft yet).
gushi: (Default)
Here's some programming languages and how they would apply if computers were cars.

If you know...        You would be able to do this with a car
C++                   Rebuild the engine
Assembly              Rebuild the engine, and transmission, machining any needed parts by hand
Perl                  Rewire the radio, gauges, cruise control, and most onboard electronics to tailor the car to your exact feel, including installing cool aftermarket editions like TVs, GPS systems and such
Python                Install some of the above, but with a less limited scope
PHP                   Glue on Japanese characters, fart-pipes, and fake hood-pins
Shell Scripting       Detail and customize the interior deco and fabrics
VBScript              Manage to lock your keys in the car with your windows open in a bad neighborhood
gushi: (Default)
So I'm really digging on Knoppix, and I've basically decided that it's going to be my desktop OS (I'll still multiboot into windows occasionally for games and the like, but plan to disable the NIC under that OS). Alternatively, I've toyed with the idea of forcing ALL traffic through a SOCKS proxy.

Anyway, so I try and use the knoppix installer to install it to the HD. I install LILO to the MBR.

I reboot, and I'm looking at the BSD bootloader.



F1: Linux
F2: ??



Okay, that's odd. I boot up a FreeBSD CD, rewrite a "clean" MBR, and reboot again.

I find myself staring at a Grub prompt.

Jesus christ, how many bootloaders are on this goddamned harddrive?

I'm now smacking the drive with DBAN (http://dban.sf.net).

After that, we'll try again.
gushi: (Default)
Anyone have any idea what would cause an ext3 system to just not want to journal anymore?

EXT3-fs error (device ide0(3,3)) in ext3_setattr: Journal has aborted

This is the *only* kind of error I'm seeing. No other corruption at all, and never with hda1.

Something is afoul.

*UPDATE*

In case anyone ever wonders...this was solved by swapping an IDE cable.
gushi: (Default)
Wow, I sound like [livejournal.com profile] xial.

I had a brand new, fully patched win2k3 server machine sitting at the office. Fully patched. Every possible service pack.

Fully fucking patched.

It got some worm and flooded.

Fuck you Microsoft. You've been making OSes for what? 25 years now? And you still don't know the fucking rules of "don't run a listening process if you ain't got cause to listen?"

I futzed with FreeBSD as a desktop OS. I'm dismally disappointed by it:

1) Their installer doesn't even *do* the X config anymore. You're dropped at a prompt and left to assume everything about the complexities of how X works. By the way, there's no automatic hardware detection for *shit*. You have to guess at EVERYTHING. I locked the machine up several times making assumptions about what chipset I thought my video "card" (it's onboard) used.

2) After everything, I got twm, the default window manager running. For those who don't really understand X, all you need to know is that the LAST program you run from your startup files is your "window manager". Meaning you end that process, and you're logged out. X still was under the impression that my desktop was about 30 pixels wider than my screen. All the basic everything (keyboard, mouse, video, monitor) is configured by either running an archaic-looking X-based utility (i.e. log out of everything else, and run JUST that) or editing a text file. And there's no NOTHING installed by default. It's like windows 3.1. No start button. No menus. Just one screen, and run what you like. The idea being hopefully, run something that makes it pretty.

3) www.enlightenment.org. They all look impressive. It's bullshit, at least under BSD.

4) fluxbox.sf.net. Better, but the font support was so fucking blurry it gave me a splitting headache. Literally unreadable: in the default screen font you can't tell the difference between an "f" and an "l". And most of the screen fonts (supposedly truetype, mind you) had the lower pixel clipped.

5) I am using an LCD monitor. REFRESH RATES SHOULD NOT MATTER. THIS MONITOR HAS EXACTLY 1280 x 1024 pixels. Fucking USE THAT.

FreeBSD makes no bones about being a server OS -- it still bothers me that their ports system tries to build X as a dependency when I go to build ghostscript or something. (I have to set a makefile option -- this is nowhere NEAR the tangled web of RPM-annoyance that is Redhat, by the way).

So, I've booted into Knoppix.

By comparison, I'm in love. It found my (shit) sound "card" (again, onboard). And works. Plays internet playlists, and mp3s. (The music player redhat gives you will not, btw). Took all of ten minutes to scan the network and find the network printer. Was able to log into other machines via remote desktop. Resolution is crisp, clean, and responsive (ESPECIALLY considering I'm running a CD-based OS). Everything is easily configurable (and savable to a floppy, or a hard drive if you have one handy). About my only annoyance at the moment is that it includes Mozilla, rather than firefox -- although if I copy it off to a hard drive, I think that and stepmania may be the only things I need to install. Copy and paste work consistently between apps. It's all good.

I think I've found my new desktop OS. I almost wonder how this would run on my vaio.
gushi: (Default)

%top

19:49:20 up 6 days, 2:25, 2 users, load average: 0.00, 0.00, 0.00
51 processes: 50 sleeping, 1 running, 0 zombie, 0 stopped
CPU states: 1.5% user 0.3% system 0.0% nice 0.0% iowait 98.0% idle
Mem: 61604k av, 59052k used, 2552k free, 0k shrd, 1160k buff
17948k actv, 3736k in_d, 4124k in_c
Swap: 131032k av, 18444k used, 112588k free 14712k cached

PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
2240 root 14 0 1032 1032 852 R 0.7 1.6 0:00 0 top
1003 root 12 0 688 548 504 S 0.1 0.8 1:27 0 sshd
1 root 0 0 320 292 272 S 0.0 0.4 0:11 0 init
2 root 9 0 0 0 0 SW 0.0 0.0 0:00 0 keventd
3 root 19 19 0 0 0 SWN 0.0 0.0 0:00 0 ksoftirqd_CPU0
4 root 9 0 0 0 0 SW 0.0 0.0 0:20 0 kswapd
5 root 9 0 0 0 0 SW 0.0 0.0 0:00 0 bdflush
6 root 9 0 0 0 0 SW 0.0 0.0 0:01 0 kupdated
7 root 9 0 0 0 0 SW 0.0 0.0 0:00 0 pagebufd
8 root 9 0 0 0 0 SW 0.0 0.0 0:00 0 pagebuf_io_CPU0
9 root 18446744073709551615 -20 0 0 0 SW< 0.0 0.0 0:00 0 mdrecoveryd
886 root 9 0 380 336 320 S 0.0 0.5 0:00 0 syslogd
890 root 9 0 284 232 232 S 0.0 0.3 0:00 0 klogd
903 rpc 9 0 276 208 208 S 0.0 0.3 0:00 0 portmap
922 rpcuser 9 0 340 264 264 S 0.0 0.4 0:00 0 rpc.statd
1017 root 9 0 420 276 276 S 0.0 0.4 0:00 0 xinetd


Anyone, anyone?
Page generated Jul. 22nd, 2017 04:51 pm
Powered by Dreamwidth Studios