syscall table

/usr/src/linux-2.6.20/arch/i386/kernel/syscall_table.S

There are many times I am stumped as to what an interupt is doing.  This is of course specified in the eax regisrter.  A good starting point is the above file.  More research will probably specify what the other registers are doing.

Bash Bomb

So my buddy Greg pointed me to what he called a ‘bash bomb’.  It looks like:

:(){ :|:& };:

Anyway, all it does is recursively fork.  http://www.cyberciti.biz/faq/understanding-bash-fork-bomb/ gives a good explanation.  I do like it, because of its simplicity and obscurity. I have to deal with recursively forking things all the time (thanks operating system class with students experimenting with fork for the first time).

A simple pam hard limit on the number of processes can mitigate against this.  Put it in /etc/security/limits.conf.

My applicable limits are (fairly liberal):

*               soft    nproc           225
*               hard    nproc          300

So far, nothing has crashed the system with these, but I keep having to tweak them, so I may restrict them further in the future.

chkrootkit

chkrootkit operates sort of like a virus scanners for windows in a way – in that it looks for infected files from signatures.

From the man page:

chkrootkit examines certain elements of the target system and determines whether they have been tampered with. Some tools which chkrootkit applies while analyzing binaries and log file  can be found  at  /usr/lib/chkrootkit.

I installed using apt-get.

By default, it logs to a file. I like to check my logs over email every morning, so I changed the cron job to reflect this. I added the MAILTO: root line, and the /usr/bin/chkrootkit at the end (the standard output is what gets mailed).  The following entry is /etc/cron.daily/chkrootkit.  So it gets logged and mailed.

#!/bin/sh -e

CHKROOTKIT=/usr/sbin/chkrootkit
CF=/etc/chkrootkit.conf
LOG_DIR=/var/cache/chkrootkit
MAILTO=root

if [ ! -x $CHKROOTKIT ]; then
exit 0
fi

if [ -f $CF ]; then
. $CF
fi

if [ "$RUN_DAILY" = "true" ]; then
  if [ "$DIFF_MODE" = "true" ]; then
    $CHKROOTKIT $RUN_DAILY_OPTS > $LOG_DIR/log.new 2>&1
    if [ ! -f $LOG_DIR/log.old ] \
      || ! diff -q $LOG_DIR/log.old $LOG_DIR/log.new > /dev/null 2>&1; then
      cat $LOG_DIR/log.new
    fi
    mv $LOG_DIR/log.new $LOG_DIR/log.old
  else
    $CHKROOTKIT $RUN_DAILY_OPTS
  fi
fi
/usr/sbin/chkrootkit

chkrootkit seems like it has quite a bit of promise.  I use chkrootkit with tripwire, selinux, iptables, fail2ban, and good service configuration for a functional system that is still fairly secure.

Build a Bridge and Get Over it

In my environment, the best kind of firewall is the bridge kind of firewall. Meaning: a transparent kind of firewall. Here’s how I generally set them up.

So, I don’t have control of the gateway routers. I have IP addresses all over the place in my little IP pool. For example I have one little server room with a 134.50.7.24 a 134.50.7.88 and a 134.50.7.244. What I want is a firewall complete with IDP to limit access to stuff in a centralized way. BTW, I also tend to have firewalls on every machine, I guess for the double layer of protection. Firewalls are sort of like condoms. Double layering doesn’t seem to help that much, but it couldn’t hurt. And either way, once you’re penetrated, you’re fucked.

To clarify, what I want is something completely invisible to the outside. As far as the outside is concerned, there is nothing there. In fact, this could be the case as far as the inside is concerned. However, you may want to give the bridge an IP address and let something through so you can ssh in to fix whatever problems.

So:

Network —– Bridge ——switch —Internal Network of various IPs

The cool thing about a bridge is you can stick it anywhere and it won’t change how any of your other hosts are hooked up.

For this task, I chose everyone’s favorite os, Linux. I also chose a minimalist version of Ubuntu since I heart ubuntu. This is actually a pretty trivial thing to set up.

# apt-get install bridge-utils

Then you want to create a new bridge device and add your ethx to it. Your ethx will obviously probably be eth0, eth1, eth2 or whatever network devices you want on the bridge.

# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth1
# ip link set br0 up

Now guess what. You’ve now turned your $300 machine into a $10 hub.

Next if you want to give your bridge an ip address and a route:

# ip addr add x.x.x.x/x brd + dev br0
# route add default gw x.x.x.x dev br0

Where x is your ip and your subnet and gateway.

I find as I’m writing this I’m just repeating what else is out there. Go and read http://www.linuxjournal.com/article/8172 and it will show you the way.

Now that you’ve got your bridge working you can filter traffic using ebtables (on the hardware level) and iptables (on the ip level) and snort and whatever. There are tons of examples of this online, so I won’t bore you here. Awesome.

Put all this in rc.local or whatever boot up script so that your system remembers everything and you’re golden! To all those people who say “just use smoothwall and don’t worry about iptables” in your face! smoothwall/ipcop/monowall are all pretty cool, but being a transparent bridge isn’t one of the things they are capable of out of the box. They are mostly meant to be gateways or whatever.

add some color to your man

How to colorize the man page. Disclaimer, only works in X.

Edit/Uncomment/Create these lines with your favorite colors in /etc/X11/app-defaults/Xterm (or possibly) /usr/share/X11/app-defaults/Xterm or if you just want to do it for your user copy this file to ~/.XDefaults and edit it there.

*VT100*colorULMode: on
*VT100*colorUL: <color>
!*VT100*italicULMode: on
*VT100*underLine: off
! Uncomment this to use color for the bold attribute
*VT100*colorBDMode: on
*VT100*colorBD: <color2>

Broadcom Wireless and Linux

Here is the “straightforward” way

see (http://ndiswrapper.sourceforge.net/mediawiki/index.php)
for more info.

  • Download this windows driver
  • unzip the file you downloaded.
  • run “ndiswrapper -i FILE” on any .inf files you downloaded.
  • run “ndiswrapper -l” and it should say “driver present hardware present” if not, there is a problem.

type:

depmod -a
modprobe ndiswrapper

try “ethq wlan0 scan” if it worked, this should do something.

Troubleshooting

With Ubuntu for some reason it loads a bad driver you should blacklist. This issue is covered a bit better here: http://ubuntuforums.org/showthread.php?t=285809

Here’s another issue with Edgy. I got this email from a friend. My Wireless stopped working because the latest version was bad. Probably not an issue now, but if you’re having problems you may want to give it a shot.

hey rich
Speaking of the devil, yeah, i just figured that out like 3 minutes ago. From what i can tell, it seems like the new version of ndiswrapper (like 1.7?) screws things up. Or something. So i just downloaded and installed an older version of ndiswrapper. I got ndwiswrapper-1.27. i just downloaded and extracted the file, didn’t use apt-get. after that:

1. cd to the extracted directory of ndiswrapper-1.27
2. sudo make uninstall (ur supposed to do this until there are no errors…)
3. sudo make
4. sudo make install
5. then just do sudo ndiswrapper -i filename.inf for your driver.

Now mine works again, yay. The problem i had thought was i didn’t have the kernel headers so it wouldn’t compile ndiswrapper. i (eventually) did a sudo apt-get install linux-headers-2.6.17-10-386. Now if you’re running a different version of the kernel, then replace that last string with ur version. the command to get ur exact kernel is “uname -r”. so yeah….do that, then do the make uninstall, make, make install, and then it should work again. I don’t have the link for that 1.27 version download, but google should find it pretty quick.

So in summary, the best solution is probably to get rid of piece of shit broadcom chips :)

Hanging mount (not the way you like it)

Symptom: trying

$ mount -t nfs 10.0.0.1:/whatever /whatever

is just hanging there.

Troubleshooting: rpcinfo -p servername is fast and responsive. A lot of times when rpc fails nfs will fall on a backup protocol that is fairly slow. With rpcinfo -p, you can rule this out as being your problem.

portmapper is running. According to lord google, this has been the cause of the problem many a time. Not my problem though.

The server logs don’t say crapola.

What do you do?

Solution: You may just have bad syntax. Try

$ mount -t nfs 10.0.0.1:/whatever/ /whatever/

Yes, this took me hours to figure out. Stupid slash.

From #islug (I kept the last bit because I like to talk about fscking whenever I get a chance).

<mop> Have you ever spent all day stressed out about a problem, then you figure out that it’s all just because you left a trailing front slash?
<mop> Reminds me of my first days programming and missing semi-colons, the bastards.
<twinprism> yes. :)
<TomHung> echo $iknowyourfeeling
<bradmw> mop: what language?
<mop> Today: just mounting an nfs file share (around 2 hours debugging to find out its because I mounted /whatever instead of /whatever/)
<mop> Back in the day: C
<bradmw> does linux have a scandisk type program to check floppies for bad sectors?
<mop> you can fsck a floppy
<mop> just like an apple pie
* TomHung <= fsck up
<TomHung> FSCK U & TH3 HORSE U R0DE IN ON
<bradmw> let me unmount my sheep first
<mop> common mistake. umount.
<mop> ;)
<TomHung> mount /dev/usb /home/sheep

Believe it or not I’ve done basically the same thing with grep -R…

Follow

Get every new post delivered to your Inbox.

Join 39 other followers