syscall table

/usr/src/linux-2.6.20/arch/i386/kernel/syscall_table.S

There are many times I am stumped as to what an interrupt is doing.  The system call number is passed in the eax register (for the int 0x80 entry point), and the file above is the table it indexes, so it is a good starting point.  More research will probably specify what the other registers are doing.
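To turn the value seen in eax into a name, the table only has to be counted: the Nth `.long` line in syscall_table.S is syscall N. The helper below does that with awk. It is an added example, not something from the original post; the excerpt it ships with is a constructed sample in the file's format (the first twelve i386 entries), and the TABLE path is the one named above. For the record, on this interface the arguments travel in ebx, ecx, edx, esi, edi and ebp, in that order.

```shell
#!/bin/sh
# Added example: map the syscall number found in eax at an int 0x80 entry to
# its handler by counting ".long sys_*" lines in arch/i386/kernel/syscall_table.S.
# The table is zero-indexed in file order, so the Nth ".long" line is syscall N.

TABLE="${TABLE:-/usr/src/linux-2.6.20/arch/i386/kernel/syscall_table.S}"

# Constructed excerpt in the file's format (first entries of the i386 table);
# the real file is far longer. Used when the kernel source is not present.
sample_table() {
    cat <<'EOF'
ENTRY(sys_call_table)
	.long sys_restart_syscall	/* 0 - old "setup()" system call, used for restarting */
	.long sys_exit
	.long sys_fork
	.long sys_read
	.long sys_write
	.long sys_open		/* 5 */
	.long sys_close
	.long sys_waitpid
	.long sys_creat
	.long sys_link
	.long sys_unlink	/* 10 */
	.long sys_execve
EOF
}

# syscall_name NUM [FILE]: print the handler symbol for syscall NUM.
# FILE defaults to $TABLE; "-" reads the table from stdin.
# Exit status 1 when NUM is beyond the end of the table.
syscall_name() {
    num=$1
    file=${2:-$TABLE}
    awk -v want="$num" '
        /^[ \t]*\.long[ \t]+/ {          # one table slot per ".long" line
            if (n == want) { print $2; found = 1; exit }
            n++
        }
        END { if (!found) exit 1 }
    ' "$file"
}

# Stand-alone: decode eax=11 (the number of execve on i386) from the excerpt.
# With the kernel source installed, "syscall_name 11" reads $TABLE instead.
sample_table | syscall_name 11 -
```

Trailing comments in the file (`/* 5 */`) are harmless because only the second field is printed; entries for removed calls show up as `sys_ni_syscall`, which is the table's own way of saying "not implemented".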

Bash Bomb

So my buddy Greg pointed me to what he called a ‘bash bomb’.  It looks like:

:(){ :|:& };:

Anyway, all it does is recursively fork: it defines a function named ‘:’ whose body pipes a call to itself into another call to itself in the background (‘:|:&’), so every invocation spawns two more, and the trailing ‘:’ starts it off.  http://www.cyberciti.biz/faq/understanding-bash-fork-bomb/ gives a good explanation.  I do like it, because of its simplicity and obscurity. I have to deal with recursively forking things all the time (thanks, operating systems class with students experimenting with fork for the first time).

A hard limit on the number of processes, enforced by pam_limits, can mitigate this.  Put it in /etc/security/limits.conf.  Two things to check: pam_limits.so has to be in the PAM session stack (on Debian, /etc/pam.d/common-session) or the file is never read, and the wildcard entry is not applied to root, who needs a line of his own.

My applicable limits are (fairly liberal):

*               soft    nproc           225
*               hard    nproc          300

So far, nothing has crashed the system with these, but I keep having to tweak them, so I may restrict them further in the future.

chkrootkit

chkrootkit operates a bit like a virus scanner for Windows, in that it looks for the traces of known rootkits by signature.  That also means it only finds what it has signatures for, and it runs on the (possibly already tampered) host it is checking, so a clean report is not proof of a clean system.

From the man page:

chkrootkit examines certain elements of the target system and determines whether they have been tampered with. Some tools which chkrootkit applies while analyzing binaries and log files can be found at /usr/lib/chkrootkit.

I installed using apt-get.

By default, it logs to a file. I like to check my logs over email every morning, so I changed the cron job to reflect this. I added the MAILTO=root line and the /usr/bin/chkrootkit at the end (the standard output is what gets mailed).  The following is /etc/cron.daily/chkrootkit.  So it gets logged and mailed.

#!/bin/sh -e
# /etc/cron.daily/chkrootkit: whatever this script writes to standard output is
# mailed by cron.  Note that cron takes MAILTO from the crontab that runs
# run-parts (normally /etc/crontab), not from this script's environment, so the
# MAILTO=root below is harmless but has no effect on where the mail goes.

CHKROOTKIT=/usr/sbin/chkrootkit
CF=/etc/chkrootkit.conf
LOG_DIR=/var/cache/chkrootkit
MAILTO=root

# Nothing to do if the package is not installed.
if [ ! -x $CHKROOTKIT ]; then
  exit 0
fi

# RUN_DAILY, RUN_DAILY_OPTS and DIFF_MODE come from the Debian config file.
if [ -f $CF ]; then
  . $CF
fi

if [ "$RUN_DAILY" = "true" ]; then
  if [ "$DIFF_MODE" = "true" ]; then
    # Only print (and so mail) the report when it differs from yesterday's.
    $CHKROOTKIT $RUN_DAILY_OPTS > $LOG_DIR/log.new 2>&1
    if [ ! -f $LOG_DIR/log.old ] \
      || ! diff -q $LOG_DIR/log.old $LOG_DIR/log.new > /dev/null 2>&1; then
      cat $LOG_DIR/log.new
    fi
    mv $LOG_DIR/log.new $LOG_DIR/log.old
  else
    $CHKROOTKIT $RUN_DAILY_OPTS
  fi
fi
# Extra run added so the full report is mailed every day regardless of
# DIFF_MODE; when RUN_DAILY is true this scans the system a second time.
/usr/sbin/chkrootkit

chkrootkit seems like it has quite a bit of promise.  I use chkrootkit with tripwire, selinux, iptables, fail2ban, and good service configuration for a functional system that is still fairly secure.

Build a Bridge and Get Over it

In my environment, the best kind of firewall is the bridge kind of firewall. Meaning: a transparent kind of firewall. Here’s how I generally set them up.

So, I don’t have control of the gateway routers. I have IP addresses all over the place in my little IP pool. For example I have one little server room with a 134.50.7.24 a 134.50.7.88 and a 134.50.7.244. What I want is a firewall complete with IDP to limit access to stuff in a centralized way. BTW, I also tend to have firewalls on every machine, I guess for the double layer of protection. Firewalls are sort of like condoms. Double layering doesn’t seem to help that much, but it couldn’t hurt. And either way, once you’re penetrated, you’re fucked.

To clarify, what I want is something completely invisible to the outside. As far as the outside is concerned, there is nothing there. In fact, this could be the case as far as the inside is concerned. However, you may want to give the bridge an IP address and let something through so you can ssh in to fix whatever problems.

So:

Network —– Bridge ——switch —Internal Network of various IPs

The cool thing about a bridge is you can stick it anywhere and it won’t change how any of your other hosts are hooked up.

For this task, I chose everyone’s favorite os, Linux. I also chose a minimalist version of Ubuntu since I heart ubuntu. This is actually a pretty trivial thing to set up.

# apt-get install bridge-utils

Then create a new bridge device and add your ethX interfaces to it (eth0, eth1, eth2 or whichever network devices you want on the bridge). The member interfaces have to be up as well, or the bridge forwards nothing:

# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth1
# ip link set eth0 up
# ip link set eth1 up
# ip link set br0 up

Now guess what. You’ve now turned your $300 machine into a $10 switch (it learns MAC addresses like any switch, so it is a step up from a hub, but only a step).

Next if you want to give your bridge an ip address and a route:

# ip addr add x.x.x.x/x brd + dev br0
# route add default gw x.x.x.x dev br0

Where x is your ip and your subnet and gateway.

I find as I’m writing this I’m just repeating what else is out there. Go and read http://www.linuxjournal.com/article/8172 and it will show you the way.

Now that you’ve got your bridge working you can filter traffic using ebtables (at the Ethernet frame level) and iptables (at the IP level) and run snort on it. Bridged IP traffic passes through the iptables FORWARD chain as long as net.bridge.bridge-nf-call-iptables is 1, and the physdev match tells you which bridge port a packet came in on, which is how you tell “outside” from “inside” when neither side has an address. There are tons of examples of this online, so I won’t bore you here. Awesome.

Put all this in rc.local or whatever boot up script so that your system remembers everything and you’re golden! To all those people who say “just use smoothwall and don’t worry about iptables” in your face! smoothwall/ipcop/monowall are all pretty cool, but being a transparent bridge isn’t one of the things they are capable of out of the box. They are mostly meant to be gateways or whatever.
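Here is the whole thing as one rc.local-style script: bridge bring-up, the optional management address, and a starting iptables policy that lets the inside out, lets the outside reach only the three listed hosts on ssh and https, logs what it drops, and exposes the bridge's own address to ssh from the admin network only. This is an added example, not the post's own script. Interface names (eth0 outside, eth1 inside), the management address 134.50.7.2/24, the gateway 134.50.7.1 and the admin network 134.50.0.0/16 are assumptions; the internal hosts are the ones mentioned above. Run with no arguments (or DRY_RUN=1) and it prints the plan instead of touching the system; `apply` as root executes it.

```shell
#!/bin/sh
# Added example: transparent bridge firewall bring-up for rc.local.
# Usage:  sh bridge-fw.sh          -> print the commands (plan)
#         sh bridge-fw.sh apply    -> execute them (run as root)
# Assumed names/addresses (not from the post): eth0/eth1, 134.50.7.2/24,
# gateway 134.50.7.1, admin network 134.50.0.0/16.

OUT=${OUT:-eth0}                     # port facing the gateway router
IN=${IN:-eth1}                       # port facing the internal switch
BR=${BR:-br0}
MGMT_ADDR=${MGMT_ADDR-134.50.7.2/24} # set MGMT_ADDR= (empty) for a fully silent bridge
MGMT_GW=${MGMT_GW:-134.50.7.1}
ADMIN_NET=${ADMIN_NET:-134.50.0.0/16}
INTERNAL="134.50.7.24 134.50.7.88 134.50.7.244"   # hosts behind the bridge

# run CMD...: print the command in plan mode, execute it otherwise.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

bridge_up() {
    run brctl addbr "$BR"
    run brctl addif "$BR" "$OUT"
    run brctl addif "$BR" "$IN"
    # Member ports must be up too, or no frames are forwarded.
    run ip link set "$OUT" up
    run ip link set "$IN" up
    run ip link set "$BR" up
    # Bridged IPv4 frames only traverse iptables when this sysctl is 1
    # (on newer kernels the br_netfilter module provides it).
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Optional address on the bridge so you can ssh in to fix things.
mgmt_up() {
    [ -n "$MGMT_ADDR" ] || return 0
    run ip addr add "$MGMT_ADDR" brd + dev "$BR"
    run ip route add default via "$MGMT_GW" dev "$BR"
}

# Traffic crossing the bridge hits FORWARD; --physdev-in names the port it
# arrived on, so "from outside" is --physdev-in $OUT.
filter_rules() {
    run iptables -P FORWARD DROP
    run iptables -P INPUT DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inside may initiate anything outbound.
    run iptables -A FORWARD -m physdev --physdev-in "$IN" -j ACCEPT
    # Outside may reach only the listed hosts, and only these services.
    for h in $INTERNAL; do
        run iptables -A FORWARD -m physdev --physdev-in "$OUT" -d "$h" -p tcp --dport 22 -j ACCEPT
        run iptables -A FORWARD -m physdev --physdev-in "$OUT" -d "$h" -p tcp --dport 443 -j ACCEPT
    done
    run iptables -A FORWARD -m physdev --physdev-in "$OUT" -j LOG --log-prefix "bridge-drop: "
    # The bridge's own address answers only ssh, and only from the admin network.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -s "$ADMIN_NET" -p tcp --dport 22 -j ACCEPT
}

main() { bridge_up; mgmt_up; filter_rules; }

case ${1:-plan} in
    apply) DRY_RUN= ;;
    *)     DRY_RUN=${DRY_RUN:-1} ;;
esac
main
```

Everything not matched falls to the DROP policy, so a host you forgot to list simply stops being reachable from outside; the LOG rule is there so that shows up in the log instead of in a phone call. If iptables sees nothing at all, check the bridge-nf-call-iptables sysctl before anything else.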

add some color to your man

How to colorize man pages. Disclaimer: this only works in xterm under X.

Edit, uncomment or create these lines, with your favorite colors, in /etc/X11/app-defaults/XTerm (or possibly /usr/share/X11/app-defaults/XTerm, depending on the distribution). If you just want to do it for your user, copy this file to ~/.Xdefaults and edit it there.

*VT100*colorULMode: on
*VT100*colorUL: <color>
!*VT100*italicULMode: on
*VT100*underLine: off
! Uncomment this to use color for the bold attribute
*VT100*colorBDMode: on
*VT100*colorBD: <color2>