For some time now I’ve been investigating OpenBSD’s pf here. Along that line of thought I found two good readings. The first one is located here and is a sort of step-by-step introduction to pf and its capabilities plus examples, while the other one is just a good security doc called “The Six Dumbest Ideas in Computer Security”; read it here.
Archive for February, 2008
Here it goes: In one of the Indian islands, the inhabitants of a state agreed that each year they would appoint a stranger as their ruler. When his year was over, they would banish him, and he would return to the status he had prior to his appointment. Once they appointed over them a fool, who was unaware of their secret plan for him. He accumulated much money, built palaces which he fortified, but he sent nothing out of the country. On the contrary, whatever he had abroad – his money, his wife and children – he brought into the country. When his year was over, the citizens sent him out, stripped of everything and deprived of all that he had built or acquired from the beginning of his term until its end, so that when he left he had nothing of all that had been his inside the city and outside of it. He regretted and grieved for the trouble he had gone to and the effort he had expended in building and accumulating what was then passed on to another.

Then, the people decided to appoint as their ruler a stranger who was wise and discerning. When appointed, he chose one man among them, showed him favor, and asked him about the customs of the people and their laws [which had formed the basis of their relationship] with his predecessors. This man revealed to him their scheme, what they intended to do to him.

Once he knew this, he devoted himself to none of the pursuits that had preoccupied his predecessor. Rather he labored and strove to take everything that was valuable in the state to another state; all that was precious and dear to him he put in a different place. He placed no trust in the adulation and honor that they showed him. He fluctuated between grief and joy the whole time that he was in the country. He grieved that he was soon to depart, and that the precious things he had managed to take out were few. For if he could have stayed longer, he would have been able to bring out more. But he was glad that he would soon leave and settle in the place where he had secured his valuables, where he would be able to use them and enjoy their various benefits and pleasures with people of mind, confident spirit, and without interruption.

When his year had ended he was not troubled at leaving, but hastened to it with heartfelt joy and calm, applauding [himself for] his action and efforts. He went on to abounding good, great honor, and continuing joy. So he had happiness in both situations, and attained his wishes in both places.

The mind: You have just given, in the parable you related, a picture of your state in this world and shown that your condition in it is like that of the kings you mentioned. It is now clear to you that you are a stranger [here] and will soon depart. You should therefore act as the wise and discerning ruler did, so that your condition may be like his. Should you deviate from this course, my words will be of no use to you, my fine language will bring you no advantage.

The soul: If I had no desire in this matter, I would not have troubled to investigate what is hidden from me of [the nature of] my being.
Today I helped my cousin to fix his internet connection on a laptop.
The laptop was running Vista. A real nightmare: this OS is really heavy and even messier than Windows XP.
What else? I’m trying to cope with life. Life is tough. What can I say…
Also I started a vsftp server on a FreeBSD box; it took me some time because of configuration issues.
Right now I’m trying to run a snort server, still unsuccessfully; for some reason the snort daemon does not start.
At college everything is going in the old manner, except we have started studying Marketing II and another subject whose name I forgot; it is supposed to be something like statistics. The day was quiet with a bit of work.
On Saturday I went to Bergon to help with the install and configuration of a FreeBSD 7 system for Static and Kiril (i.e. Arkadietz). The install went smoothly. Then I csupped, following the handbook’s canonical way to rebuild world and kernel and stuff. Also I got to know personally the owner and administrator of the Bergon ISP, Drago; btw he looks like a really good man. We spoke about the GDBOP actions, when some time ago GDBOP agents broke into a server room next to the office and took Bergon’s storage servers for users, http://free-zone.cc (an FTP for users). He said the GDBOP IT specialists don’t know even elementary unix commands like “df” and “du” and he had to tell them what to type. We walked through the server room. He had some interesting servers; I also observed the fiber optics and stuff. After setting up the newly installed server in the server room, we went to the place “Seasons” and we drank “Stolichno Tymno” and ate pizza on Drago’s account.

The idea of this FreeBSD installation was to make the machine hera.bergon.net a freeshell machine for local Bergon users, as secure as possible. To achieve that I have set these sysctl settings:

security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
net.inet.tcp.msl=7500
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.icmp.icmplim=50
kern.ipc.somaxconn=32768

Also I have installed AIDA. Also I have set up a jail with the idea to add the users into the jail; unfortunately, after running the jail I experienced problems with setting up multiple IPs in the jail, so I asked for help in ##freebsd on freenode. It turned out that by default a FreeBSD jail doesn’t support virtual IPs, but there is a patch to enable that; unfortunately the patch is still only for FreeBSD 5, 6 or 6.2, none available for 7. After some discussion in ##freebsd I found out there is something that would do the work but it’s not stable enough yet; it’s called VIMAGE. VIMAGE looks promising but will be ready maybe in FreeBSD 8; check it out here. The only thing left from the FreeBSD configuration is to set up a firewall. I intend to make a firewall based on “PF” but I have to spend some time reading about PF. Also I’ve upgraded the kernel at home to:

FreeBSD jericho.pcfreak 7.0-PRERELEASE FreeBSD 7.0-PRERELEASE #0: Mon Feb 18 14:12:03 EET 2008 email@example.com:/usr/obj/usr/src/sys/GENERIC i386

Apart from the geek stuff, yesterday I went to the fountain with Narf; today I had a walk in the Central park with Damqncho. Yesterday and today were quiet days, thanks of course to God almighty 🙂 Also our Heavenly Father gives me peace through our Lord and Saviour Jesus Christ day after day through the power of the Holy Spirit 🙂 Unfortunately I’m still not too healthy. But I still say the Lord is my rock, I won’t be in use! Today at college we had a business meeting on the topic of “A New Product”; I was the Personnel Manager, the last meeting I was head of sales. After school and going out for a walk I went to my grandma and grandpa Georgi and Dimitrichka; after that I went to see my other grandma, who is such a cool grandma (I love her much). Another bit of good news, even though it’s an old one, is that my grandmother decided to give me 150$ more for buying the laptop. The only thing left is to choose the right laptop :). In the USA ThinkPad T series are so cheap, starting from around 950$; a good model costs something like 1150$, while the same models here cost almost 1800$ pff… To end this post I would say I thank the Lord for giving me quiet and peaceful days and blessing me in my work and in my studies. Hope he will continue to bless me in the future too.
A new exploit is out: the vmsplice local root exploit. All Linux users are advised to update. Debian has released a new package fixing the issue: http://www.securityfocus.com/archive/1/487876 A friend of mine, static, informed me that the exploit doesn’t rewt an updated CentOS. My debian system has proved vulnerable. I was pretty much surprised when a friend of mine called and said “hey man, try logging in with your user ‘hipo’” :). I suspected something was wrong, maybe he had changed my username’s pass. Luckily he hadn’t, although later I was not able to login :). He had just tested the new exploit below on pc-freak. Luckily I have such friends to remind me of problems very early. I guess this exploit is going to cause a lot of havoc in the Linux world. But yeah, that’s life. Today Plamenko the guitarist came home and was my guest. We downloaded some of his (mountain clips) and put them on DVDs. Later I drank a coffee with arkadietz and static. They were in euphoria because of this exploit. I advise everybody out there to patch as fast as possible or expect surprises :)
In the morning I got up somewhere around 8:40 and went to a Liturgy as always. It’s such a joy to be in the House of the LORD! :) Right after church I, nomen and Sha’nar (i.e. Niki) had to go to a Cisco course. It was sort of boring as usual. After the course we went to a coffee place called Central (Niki and I ate spaghetti with vegetables). Just after that I saw Lily. I’m really sad that her parents treat her badly, just like mine treat me sometimes. But I believe and hope God will solve everything very soon. After that, at home I had to do the Cisco assessment tests for Chapter 6 6/7 in CCNA 1. On some of the questions I cheated because I was pretty lazy to search in the Cisco docs to figure out the answers by myself; here is the site where answers to CCNA 1 are available: CCNA Answers. Towards the evening Damqncho called and I went to see him, and later the three of us went to a coffee. I have to note that my “financial status” is not in too good a condition; Nomen tipped all the time, for which I’m largely thankful :). Also I have to share my joy from yesterday, because my grandparents (my father’s ones) decided to make me a present and give me a sum of 1000 lv. to buy a laptop. Actually having a laptop has been a dream of mine for years. Also what I have to note is that this is a direct response to a prayer. Some time ago I mentioned in my prayers that I need a laptop; what can I say, I guess God heard my prayers. So glory be to him for being so merciful to me and the whole earth! Be blessed oh God, Lord of Hosts! 🙂 Yesterday was a pretty funny day too; I met Hellpain, a friend of mine who works in Sofia but is temporarily on an official trip in Varna. So I spent almost 3 great hours with this great guy! 🙂 On Friday night Alex and I drank wine in the central park (again good time spent). What should be noted is that Friday is a celebration called “Trifon Zarezan”, or said in simple English, the alcohol lover’s day :).
It has been a tradition for a long time on this day for close friends to gather together and drink heavily. I haven’t had so much fun for a long time. So thanks and glory to God who grants me all this 🙂 I can see a great blessing with good guys as friends in my life. So anywayz I have to say again thanks to God for all his mercies to me, the sinner :)
One more week passed without serious server problems. Yesterday, after an upgrade to Debian 4.0rc2 with
apt-get dist-upgrade and a reboot, the pc-freak box became unbootable.
I wasn’t able to fix it until today because the machine seemed not to read CDs well. The problem consisted of this: after the Linux kernel had started booting, the boot-up was interrupted with a message saying
/sbin/init is missing
and I was dropped to a busybox without being able to read anything from my filesystem. Thankfully nomen came to Dobrich for the weekend and today he brought me his CD-ROM drive, and I booted with Debian.
Using Debian’s Linux rescue I mounted the partition to check what was wrong. I suspected something was terribly wrong with lilo’s conf.
Looking closely at it I saw that the lilo conf file was set up to load an initrd for the older kernel. Changing the line to the new initrd in /etc/lilo.conf and re-reading lilo (/sbin/lilo -C; /sbin/lilo;)
fixed the mess and pc-freak booted successfully! 🙂
Yesterday I had to do something kinky. A client requested access to the mysql service of one of the company servers; the problem was that the client didn’t have a static IP, so I didn’t have a good way to put it into the current firewall.
Every time the ADSL they use got restarted, a new absolutely random IP from all the BTC IP ranges was assigned.
The solution was to make a port redirect from a non-standard mysql port (XXXXX) to the standard 3306 service. I had to tell the firewall not to check the IPs coming in on the non-standard port (XXXXX) against the 3306 service firewall rules.
Thanks to the help of a guy in irc.freenode.net #iptables, jengelh, I figured out the solution.
To complete the requested task it was needed to mark all packets coming into port (XXXXX) using the iptables mangle table and to add a rule to ACCEPT all marked packets.
The rules looked like this:
/sbin/iptables -t mangle -A PREROUTING -p tcp --dport XXXXX -j MARK --set-mark 123456
/sbin/iptables -t nat -A PREROUTING -d EXTERNAL_IP -i eth0 -p tcp --dport XXXXX -j DNAT --to-destination EXTERNAL_IP:3306
/sbin/iptables -t filter -A INPUT -p tcp --dport 3306 -m mark --mark 123456 -j ACCEPT
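Below is an added example, not code from the original post, that puts the three rules above into a small POSIX shell script with the address, ports and mark as parameters; each rule is appended only after iptables -C reports it absent, so re-running the script does not duplicate rules. EXT_IP, ALT_PORT and IFACE are placeholder values chosen for the example, and with DRY_RUN=1 (the default) it only prints the commands.

```shell
# Added example (not from the original post): the three rules above with the
# address, ports and mark as parameters. ensure_rule appends a rule only after
# `iptables -C` says it is absent, so the script is safe to re-run.
# EXT_IP, ALT_PORT and IFACE are placeholder values chosen for this example;
# DRY_RUN=1 (the default) prints the commands instead of executing them.

EXT_IP="${EXT_IP:-203.0.113.10}"   # constructed sample public address
ALT_PORT="${ALT_PORT:-33306}"      # constructed non-standard MySQL port
MARK="${MARK:-123456}"             # the mark value from the post
IFACE="${IFACE:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# rule_spec NAME -> "TABLE CHAIN args..." for one of: mangle, nat, filter
rule_spec() {
  case "$1" in
    mangle) printf '%s\n' "mangle PREROUTING -p tcp --dport $ALT_PORT -j MARK --set-mark $MARK" ;;
    nat)    printf '%s\n' "nat PREROUTING -d $EXT_IP -i $IFACE -p tcp --dport $ALT_PORT -j DNAT --to-destination $EXT_IP:3306" ;;
    filter) printf '%s\n' "filter INPUT -p tcp --dport 3306 -m mark --mark $MARK -j ACCEPT" ;;
    *) return 1 ;;
  esac
}

# rule_cmd NAME OP -> the full command line, OP being -C (check) or -A (append)
rule_cmd() {
  spec=$(rule_spec "$1") || return 1
  set -- "$2" $spec               # $1=op $2=table $3=chain, rest = rule args
  printf 'iptables -t %s %s %s' "$2" "$1" "$3"
  shift 3; printf ' %s\n' "$*"
}

# run_rule NAME OP: actually invoke iptables with the same arguments
run_rule() {
  spec=$(rule_spec "$1") || return 1
  set -- "$2" $spec
  op=$1 table=$2 chain=$3; shift 3
  iptables -t "$table" "$op" "$chain" "$@"
}

# ensure_rule NAME: print (dry run) or add the rule if it is not present yet
ensure_rule() {
  if [ "$DRY_RUN" = 1 ]; then rule_cmd "$1" -A; return; fi
  if run_rule "$1" -C 2>/dev/null; then echo "already present: $1"; return 0; fi
  run_rule "$1" -A
}

for r in mangle nat filter; do ensure_rule "$r" || exit 1; done
```

Keep in mind that the mark only bypasses the source-IP check for 3306: anyone who reaches the non-standard port gets straight to MySQL, so the MySQL accounts themselves still need strong passwords and host restrictions.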
Something I wondered about a bit was whether /proc/sys/net/ipv4/ip_forward needs to be enabled in order for the above redirect to work; in case you’re wondering too, well, it doesn’t 🙂 The working week was sort of quiet: no serious problems with servers and work, no serious problems at school (although I see me and my colleagues becoming more and more unserious) in studying. My grandparents decided to make me a gift and give me money to buy a laptop and I’m pretty happy about this 🙂 All that is left is to choose a good machine with hardware supported both by FreeBSD and Linux.