Wow

My prayers are answered. Submitted this as a story, but got rejected; in case it doesn't show up, have a look: SpamAssassin for Windows, Perl Artistic License, easy to set up. Just trying it out now. Slow so far, but it's in beta.

Found out about it here. And read this while you're at it.

Original entry.

Tags: windows spam

Sigh

Maybe someone else can use this:

http://www.redhat.com/about/careers/raleigh/index.html#raleigh2

Original entry

Tags: work

Uggh

Pages at 1.15am suck ass.

Tags: slashdot

e133t HA0rZ!

So here it is, 8.30pm, and I'm restoring a Cobalt Raq 4 to something approaching virginity. It belongs to a colo'd customer, and it got cracked; we offered, for a modest cost, to restore it, and here I am.

It's Linux under the hood of course -- Red Hat, or at least they use RPM -- and it's interesting to see what's been done with it. The management page is pretty slick, though it always leaves me wanting to log on. To do that, I need to telnet -- shudder -- and of course the cust. hasn't got SSH on it. (Confirmation that we had a cracker was nmap showing lots of open ports that responded with an SSH banner. Seems weird to me that a cracker would install ssh, but oh well.) But all the web functionality seems to be there, and it seems pretty and easy to use.

The cust. kept up to date with the patches from Sun (part of what I'm reinstalling right now), but I think there's still a few holes; I'm pretty sure there's an old version of Apache, for instance. And would it kill them to have OpenSSH? Or firewalling tools?

Anyhow, it's the first time I've worked with an automatic patch installer that wasn't Windows, and I must admit I'm impressed. Download the patch -- which is a tarball of script + rpms + patches -- clicky-click install on the web interface, and away you go. I'm sure it's not news for most of you, but it's neat for me. The only thing is that it reboots between a lot of them -- c'mon guys, I thought this was Linux! :-)

Random idea for a program: I'm hooked up to this thing by a crossover cable to another Linux box, just to keep it off the 'net while it's having everything reinstalled. I telnet in occasionally to make sure things are working, but the damn prompt always takes so long to come up. It's the Raq doing a reverse lookup on my DNS, of course, but because it's just on an Xover cable it sits there until the queries time out. We're talking a minute or so to time out, which is unacceptable. I'm an important man, after all.

So my idea is to have a program listening for queries like that and answering them, masquerading as whatever DNS server the query was directed at. Basically, just fake 'em out with whatever info they want. In cases like this (which I can see coming up, oh, at least once a year), it'd speed things up immensely. Anyone heard of anything like this, or is it just full of Crak(tm)?
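The fake resolver described above, written out as an added example; it is not code from the post. It assumes the box at the other end of the crossover cable either holds, or has an interface alias for, the address the RaQ's resolver is pointed at, so that the UDP/53 packets land on it (that address and the name it hands back are assumptions). It answers every PTR query with one fixed name and everything else with NXDOMAIN, so the client stops waiting immediately instead of retrying until the timeout. The same mechanism is DNS spoofing on any shared segment, so it belongs only on an isolated link like this one.

```python
import socket
import struct

# Assumption (not from the post): the name handed back for every reverse lookup.
FAKE_PTR_NAME = "crossover.invalid"
QTYPE_PTR = 12


def encode_name(name):
    """Encode a dotted name as DNS length-prefixed labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(pkt, off):
    """Decode a (possibly compressed) DNS name at pkt[off:]; return (name, next_off)."""
    labels = []
    while True:
        ln = pkt[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            rest, _ = decode_name(pkt, ptr)
            return ".".join(labels + [rest]), off + 2
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def make_query(txid, name, qtype):
    """Build a standard recursive query (what a telnetd doing a reverse lookup sends)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(pkt):
    """Return (txid, qname, qtype, question_section) for a single-question query."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    qname, end = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[end:end + 4])
    return txid, qname, qtype, pkt[12:end + 4]


def build_response(pkt):
    """Answer a PTR query with FAKE_PTR_NAME; answer anything else NXDOMAIN."""
    txid, _qname, qtype, question = parse_query(pkt)
    if qtype == QTYPE_PTR:
        rdata = encode_name(FAKE_PTR_NAME)
        # 0xC00C is a pointer back to the name in the question section.
        answer = (b"\xC0\x0C"
                  + struct.pack("!HHIH", QTYPE_PTR, 1, 60, len(rdata))
                  + rdata)
        header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, NOERROR
        return header + question + answer
    header = struct.pack("!6H", txid, 0x8183, 1, 0, 0, 0)       # QR, RD, RA, NXDOMAIN
    return header + question


def decode_response(pkt):
    """Pull the fields a caller cares about out of a response from build_response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    qname, end = decode_name(pkt, 12)
    answer = None
    if an:
        rr = end + 4                                # skip qtype + qclass
        _owner, after_owner = decode_name(pkt, rr)  # the 0xC00C pointer
        answer, _ = decode_name(pkt, after_owner + 10)  # past type/class/ttl/rdlength
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "qname": qname, "answers": an, "answer": answer}


def serve(bind_addr="0.0.0.0", port=53):
    """Answer every query arriving on UDP/53 (binding the port needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (ValueError, IndexError, struct.error):
            pass   # malformed packet or a response, not a query: ignore it


if __name__ == "__main__":
    serve()
```

Run it as root on the box at the far end of the cable and point the RaQ's /etc/resolv.conf at that box; the prompt comes up as soon as the PTR answer arrives. Adding the two addresses to /etc/hosts on the RaQ achieves the same thing with no daemon at all.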

...urghh. Just rebooted for a patch that alleges fixing Apache and OpenSSL problems. Why the hell does this need a reboot?

Original entry

Tags: hardware linux

At last!

Didn't think it was ever going to happen, but I finally got spam today on my [spider-trap address|SlashdotJournal_21November2002]. Helen Baker, who appears to be pretty active, emailed me today. About time, too. Can't believe I posted that back in November.

They're located in [San Jose|http://www.coolstats.com/helpdesk/contactus.html], though their servers appear to be in China (surprise). Sadly, the California Attorney General's office is only interested in spam that, among other things, is received by California residents. Fair enough, I guess.

Now if only Ms Helen had a Slashdot account and I could mod her down. Heh...wonder if there are any spammers w/accounts on Slashdot. That'd make for an interesting time...

Original entry

Tags: spam

Slackware - Debian - FreeBSD - RedHat

Writing this on RH8.0. And oh, the difference.

I started using Unix five years ago with Slackware when I bought my first computer (486, oh yeah) over the Internet (I had been thinking about Win9x but was worried about viruses); moved to Debian after reading CmdrTaco's raves; moved to FreeBSD after getting a job at an ISP that used (uses) FreeBSD pretty much exclusively; and now I've downloaded all five ISOs of RedHat 8.0, and I'm going to do my best to use it exclusively, at least at home.

I'm doing this because I'd like to take the RHCE exam. I've read about it, and it seems like a really good qualification -- I'm particularly taken w/the hands-on exam. As far as job qualifications go, I've got a fair amount of experience (enough to get me a junior position, if I had to look), but no certification; as I want a job as a sysadmin, this seems a bit of a lack. Becoming an RHCE seems the best way to fill that gap.

I must admit, I've forgotten what it's like not to have the packaging system do the thinking for you. One of the big reasons I moved to Debian was for the ease of installing new programs; I was sick to death of downloading a cool program, only to find that it depended on six separate libraries, each of which had four separate dependencies. It's such a thrill to just apt-get install foo or cd /usr/ports/devel/foo && make install distclean and then walk away. Trying to do that sort of thinking again is like...I don't know, forgetting how to walk and having to do the math by hand.

For example, I tried to install IceWM over the last couple of nights, and I couldn't get it to work. It depended on libdb3-1, but using RPMFind and FreshRPMs.net I was only able to find 3.3. Maybe not a show-stopper -- I didn't try forcing the installation and seeing -- but I didn't want to risk it; the current install is about the fourth in as many weeks (don't install Linux after FreeBSD after Linux, kids!), and I didn't want to bother w/YARI. I gave up in the end and compiled from source (which, while surely part of The Linux Way, doesn't seem to be part of The Red Hat Way). Got it installed no problem, but then came the problem of how to start it up.

I went through a fairly default install of RH8.0, including selecting Gnome for a default environment (though installing KDE as well). That meant the default runlevel was 5, and so GDM started up. I found /etc/sysconfig/desktop, but setting DESKTOP to icewm or /usr/local/bin/icewm just didn't work. I gave up -- I was getting sick and tired of a) GNOME not working w/a home directory mounted over NFS (grr), b) KDE trying to grab URLs whenever I highlighted something, c) both environments' slowness (I've got a 450MHz Celeron, 384MB RAM), d) both stealing too many cycles for my liking, and the lack of a terminal screen in easy and close and prominent proximity -- and set the runlevel to 3. I rebooted, changed .xinitrc, typed startx and breathed a sigh of relief. Cheating, sure, but I'd really like to have a working desktop before the year is out.

So now I get to learn about rpm. And hopefully I can put RHCE after my name (no, not really) within a year or so. That'd be nice.

Original entry.

Tags: slashdot

Spider-spam, spider-spam

Just for fun, a couple days ago I added a link to the index page of my website to a hidden page. On that page was a mailto: link with a throwaway address for my domain. I wanted to see how quickly it would get picked up, and how quickly I would get spam for it.

Well, the first bit has happened. I created the page at 6.41am local time on November 19; at 2.07pm that same day, it was spidered, then again at 2.40am this morning (Nov. 21).

The first spidering appears to have been done by [Thunderstone|http://www.thunderstone.com/], so I don't think there's too much to worry about there. I'll have to set up a robots.txt file to keep the nice spiders out. The second, however, is from a NY ISP, so I'm guessing something will come of that.

It would be interesting to figure out the average time-to-live of a published email address: how long it can be on a webpage before it gets spammed (and will therefore be spammed unto the end of time, yea, and beyond). This would be like Lance Spitzner's research into the TTL of an unpatched Win98 system on the Internet (Dammit -- all I could find was [this link|http://amsterdam.nettime.org/Lists-Archives/nettime-l-0106/msg00126.html], but I know I've seen the original paper somewhere...), or the idea of mailpings mentioned in this excellent book (track email delivery time to a given address to monitor performance/health).
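The measurement sketched above, as an added example that is not part of the original post: given the time the trap page went up, the web server's access log and the mail server's log, work out how long the page sat before the first spider fetched it and how long the address sat before the first spam arrived. The log lines, the page path and the trap address are constructed for the example; the access log is Apache combined format and the mail log is syslog-style sendmail output, which carries no year, so a stamp that falls before the publish date is treated as the following year (the address in the post took months to get hit).

```python
import re
from datetime import datetime

# Constructed sample data (not from the post): the hidden page's path, the
# mailto: address on it, when it went up, and a few log lines of each kind.
TRAP_PATH = "/hidden/trap.html"
TRAP_ADDR = "trap-20021119@example.com"
PUBLISHED = datetime(2002, 11, 19, 6, 41)

SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [19/Nov/2002:09:02:11 -0800] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
192.0.2.20 - - [19/Nov/2002:14:07:00 -0800] "GET /hidden/trap.html HTTP/1.0" 200 512 "-" "ExampleBot/1.0"
198.51.100.7 - - [21/Nov/2002:02:40:00 -0800] "GET /hidden/trap.html HTTP/1.1" 200 512 "-" "-"
"""

SAMPLE_MAILLOG = """\
Nov 20 08:15:30 mail sendmail[4711]: gAKGFUx04711: to=<someone@example.com>, delay=00:00:01, stat=Sent
Mar  5 10:15:02 mail sendmail[9021]: h25IF2a09021: to=<trap-20021119@example.com>, delay=00:00:02, stat=Sent
"""

ACCESS_RE = re.compile(r'\[([^\]]+)\] "[A-Z]+ (\S+) [^"]*"')
MAIL_RE = re.compile(r'^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) .*?to=<([^>]+)>')


def access_hits(lines, path):
    """Timestamps (naive local time) of every request for `path` in a combined log."""
    hits = []
    for line in lines.splitlines():
        m = ACCESS_RE.search(line)
        if m and m.group(2) == path:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            hits.append(ts.replace(tzinfo=None))   # assumes the log's tz is local time
    return sorted(hits)


def mail_deliveries(lines, addr, published, assume_year):
    """Timestamps of deliveries to `addr` from a syslog maillog.
    Syslog stamps carry no year; one that lands before `published` is
    taken to belong to the year after `assume_year`."""
    when = []
    for line in lines.splitlines():
        m = MAIL_RE.match(line)
        if not m or m.group(4).lower() != addr.lower():
            continue
        stamp = f"{m.group(1)} {int(m.group(2))} {assume_year} {m.group(3)}"
        ts = datetime.strptime(stamp, "%b %d %Y %H:%M:%S")
        if ts < published:
            ts = ts.replace(year=ts.year + 1)
        when.append(ts)
    return sorted(when)


def trap_timeline(published, access_log, maillog, path, addr, assume_year):
    """How long the trap page stayed unspidered, and the address unspammed."""
    hits = access_hits(access_log, path)
    spam = mail_deliveries(maillog, addr, published, assume_year)
    return {
        "spider_hits": len(hits),
        "first_spider": hits[0] - published if hits else None,
        "spam_count": len(spam),
        "first_spam": spam[0] - published if spam else None,
    }


if __name__ == "__main__":
    r = trap_timeline(PUBLISHED, SAMPLE_ACCESS_LOG, SAMPLE_MAILLOG,
                      TRAP_PATH, TRAP_ADDR, 2002)
    print(f"first spider after {r['first_spider']}, first spam after {r['first_spam']}")
```

With one trap address per page (the date in the local part above is one way to do it) the same function gives a TTL per page, which is what an average over many published addresses needs; the hits-before-spam count also tells you which spider was the harvester.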

Original entry

Tags: spam

Mail server + 4am pages == fun

So update time on the not-so-new-anymore mail server.

SpamAssassin has been working out just ducky. I had the threshold set to 14, then 10, and I just lowered it to 9 yesterday. I'm keeping an eye on it as I go, because there are legitimate messages (mainly newsletters from Real Companies[tm]) that piss off SA -- "click here to unsubscribe", "you're getting this because", etc. -- and we need to whitelist 'em as we find 'em. Only, w/tens of thousands of messages being caught every day, that's a lot to look through...so it's taking a while.

As far as stats go, at threshold 10 we caught ~ 28k messages in 24 hours. In the 14 hours since I lowered it to 9, we've caught ~ 35k. Fuck me...

We've had one weird hardware problem. At 4am on Saturday morning I got a page (ugh) saying that the server was down. Tried pinging it, and yup, no response. I put our backup mail server on the front end and went back to sleep.

In the morning I went to check it out, and it seemed to be just frozen. Last log message sez:

xl0: watchdog timeout

WTF? Rebooted, saw a lot of "Stray IRQ" messages, and it seemed happy. Put it back on the front end, but let the backup server stay there too.

Dave the SysAdmin found this message on the FreeBSD mailing lists. It suggested that the problem might be because of a couple PCI slots sharing an IRQ; when the guy moved his network card to a slot that didn't share an IRQ, the problem went away. I checked the manual for the mobo (Gigabyte VR7XP), and it looks like the slot the card was in didn't share an IRQ. However, I took a few minutes, shut down the machine, and moved the card (3Com fill-in-the-blank-here) over a slot anyway.

While I was there, I checked out the BIOS and found something moderately interesting: APM was turned off, but in the options it had different IRQs it could wake upon. One of the four that were turned on was IRQ 7, which was the stray one that the box had been complaining about. I turned 'em all off. Bad me for not turning off all that in the first place.

It's held up fine after that last reboot, and now it's the only one on the front-end again. (Good thing, too; the backup mail server doesn't have SA installed, as it's also a webmail + web server.)

Original entry.

Tags: slashdot

Again with the mail server, why not?

date: 6:57 Wednesday 09 October 2002

So Monday afternoon the new mail server started to slow down. I'd been getting worried over the weekend about the fact that the MRTG graphs were showing big timeouts, and was thinking that if I had to do it over again I'd not use vinum so much: the disk access was just really slow. (True story: during the install I'd noticed this, and tried untarring a file (600kb or so). It took 17 seconds, nearly all disk access. Tried it on my box at home for comparison (450MHz Celeron, random cheap disk drives) and it took 6 seconds. Hrm...) On Monday it got to the point where it was refusing connections...arghh. So I swapped in the old co-front-end server (no filtering) that I'd taken off to let the new one handle the load, stopped Sendmail, tried not to panic and thought about what to do. Talked it over w/co-workers/people who know better, and came to the conclusion that the box really did need to be rebuilt.

(ObDisclaimer: I really, really wish I was certain I know what I'm talking about here.)

Vinum was set up like this: three separate partitions on each of four drives made up three separate vinum devices (one for /tmp, one for /var, and one for /usr). I've been told since that you can split up one big vinum device into diff. partitions/slices, so that was a waste. As well, the four drives were all on two controllers (did I mention they're IDE?). Plus, in the vinum conf. file I just put everything in order: /dev/ad0s1, /dev/ad1s1, /dev/ad2s1, /dev/ad3s1. Again, I've been told since that that means vinum will end up writing to them in that order, which slows down writes even more.

Decided that we didn't really need to worry about keeping the spam we caught in the event of a disk failure, but the mail queue would be a nice thing to have (even though, at any given moment, it's 99% multi-thousand returns to spammer mail servers that aren't accepting any mail...gotta do something about that). So I set up /usr, / and /var to live on the onboard Promise mirror array; 40GB total. One drive each went on each of the two vanilla IDE controllers left; one is for /var/procmail, and one for /var/procmail/spamassassin. It seems like such a waste to have 40GB for each of those directories (!), but I can't do much about that now.

Stayed late on Monday to set it up. Took about four hours, what with figuring out why I wasn't able to mount partitions via NFS (whoops-a-daisy). If I were to do it again, I could probably do it in two if everything went right. Put it back on the front end about quarter to ten, went home and slept, then took the other, older mail server off the front end the next day. Disk access is much better now, and hopefully it'll stay that way.

God it was fun, though. This is exactly the sort of thing I want to do, and while the mistakes are painful the learning experience is great. (Part of the reason I'm putting all this up here is so that it might be useful to someone else, a la the excellent FreeBSD Diary page. The other part, of course, is sheer ego. And for prospective employers to find...shudder. :-))

So to learn: more about vinum. More about Sendmail: got the O'Reilly book at work; made it through all the LHS/RHS chapters only to get to where it said "But of course no one uses that. Now we'll talk about .mc files." Arghh! Plus, started reading about m4 and nearly threw the book across the room in disgust. I'm sure there is a Very Good Reason for yet another scripting language, but I'll be damned if I can figure out what it might be at this point in my young life. (Given the age of Sendmail, I'm guessing it was easier to write one rather than wait for perl/python/Turing machines to be invented.) God, m4 is hairy. I know, I know, plug away at it, but still.

Back on topic: more about NFS. I figured out how to install a kernel from a read-only NFS-mounted partition, but I've yet to figure out how to install ports from a read-only NFS-mounted /usr/ports. (Li'l help?)

Other news: bought a 486 (SX!) laptop on eBay for $21 US. As it turns out, should be easy enough to install Linux or FreeBSD on here, which'll mean a cool li'l email/diagnostic toy^Hol (you know, for all those times I'm debugging raw Ethernet frames onsite). Should be in next week or so.

Original entry.

Tags: slashdot

SpamAssassin

SpamAssassin is set up now on our new front-end mail server, and it pretty much rox. Got it going this afternoon, and it hasn't fallen over or anything. We even took the other front-end box out of round-robin dns, and the new box has held up perfectly well.

For the record, we've got a 1.4GHz Athlon w/512MB RAM doing about 100 messages a minute right now (in + out), and sending 'em all through SpamAssassin via spamd/spamc. Threshold is set to 15; not as aggressive as I run it at home (8) or as it runs out of the box (5), but we have had some false positives in the first little while (only a few). Load is noticeably up, but not obnoxious by any means.

We've caught about 6500 messages since turning it on at noon, which is a little -- no, wait, just fired up bc -- a lot better than our previous average. (Please note that this graph will now be hopelessly messed up until I get it set up again to monitor spamcatchin' on the new server.)

Tired. Enough for now.

Original entry.

Tags: spam

Mail server up, ego down

date: 28 September 2002

So the new mail server is up and running. It looks, though, like I missed some fairly important things, and at least one critically important thing.

I was working on it from home last night around 8pm, and alla sudden it wasn't responding to ssh or pings. It came back up, and sure enough it had panicked and crashed. Fortunately the sysadmin (Hi Dave!) was there and was able to look at it and figure out what was wrong. My first thought was there were problems w/vinum and the promise controller again, but no: not enough file descriptors. Given that it's a moderate-to-fairly busy mail server that gets lots of spam, this was a pretty big fuckup.

Second, I'd set up vinum to make a bunch of separate raid5...um, partitions out of separate disk slices on each of four hard disks. Turns out you can divide one big vinum raid5 partition into separate slice-like entities (I'm still learning all this; forgive the imprecision of what I'm writing).

Third, I'd set MAXUSERS too low: 32, which seemed reasonable given that hardly anyone would be logging on to it. Of course, this setting controls lots of other resources, so I hadn't really thought that through. The SA set it to 0, which means FreeBSD will adjust it on the fly.

Fourth, he's got FreeBSD-stable (I think it's stable) built weekly on a box there, and I should've installed & mounted everything via NFS rather than installing from CDROM and putting everything on the disks.

All in all, I'm feeling a bunch humbler this morning. I did almost all of this on my own and thought I was doing pretty damned well, but I still have an awful lot to learn -- plus, my first idea of what happened was completely wrong (not that I wouldn't have been able to figure it out eventually, probably, but that's not good). I'm starting to think I should set up some of the boxen I have at home here as a test lab -- I haven't really done much since setting up one as a honeypot -- and fuck around w/stuff like this: set up one as a mail server, set up the other one to hammer it w/a million messages, that sort of thing, and see where the bottleneck is. Plus NFS, plus all sorts of stuff. Plus buying Michael Lucas' excellent book and reading it cover to cover. Plus actually trying to understand Sendmail. Plus plus plus plus plus.

Sigh. On the other hand, the new mail server appears to be doing really well since Dave rebuilt the kernel last night, and the load on the back-end server (which customers use to send/receive mail) is dramatically lower -- only a half dozen big load spikes overnight, as opposed to one every half hour or less.

Original entry.

Tags: slashdotjournal

New Mail Server

So now the new mail server is up, though not accepting mail. I played around w/vinum last night and this morning from home (Let's hear it for OpenSSH!), and broke it -- but figured out what to do next.

The problem came in the way I'd laid out disk space w/the first install. Okay, so four drives; 128M for /, the rest for vinum. Only instead of setting up all the partitions on all the drives as I wanted them to be in the end (equal in size for raid5), I'd made a big /usr partition, then hoped I could juggle /usr over to a raid partition, re-disklabel the first drive to make the partitions the way I wanted them, add another subdisk/partition/slice each to the existing raid5 drives -- gah. No wonder it fell apart. The obvious solution was to make the /usr partition smaller (didn't need it as big as I'd originally set it), and go from there.

Got excited at this realization, so went into work an hour early (such a geek) and worked on it all day. Got it into the server room, up and running, even set up Sendmail for the first time (tested it for relaying, hands sweating), and got it all up and ready for tomorrow.

One weird thing was that I couldn't figure out how to get FreeBSD's port of net-snmpd (formerly ucd-snmpd) to work w/tcp wrappers and hosts.allow -- it would only allow connections with ALL : allow ; anything else would just refuse connections. Weird. I'll have to figure it out tomorrow.

Original entry.

Tags: slashdot

Fucking Spammers

Update time.

I got into work today and found that the mail server had just come up after *half a fucking hour* of being down because of the insane load placed on it by spam -- just spam -- coming in. The owner of the company couldn't send email. I started setting up the new mail server.

And it was nice. I got to go away, away from the help desk, sit down and figure out how to make it work. FreeBSD's vinum + Promise raid controller == kernel panic (details later on). Finally got vinum figured out -- I've only worked w/it once before -- and before I was grabbed back to help desk had the disk setup about 80% done.

So some more details: there's 4 x 40GB maxtor IDE drives. (Yeah yeah yeah SCSI.) We've got an onboard Promise controller chip; I'll put in the mobo tomorrow and make this all seamless. First it turns out we've got the Promise Lite (Less Filling!) BIOS, which means we can only have one (1) array of two disks; the other two disks can be single arrays on their own, which is useful in some alternate universe I'm sure. So okay, try setting up one mirrored (Raid 1? 0? I can't keep 'em straight) array, and we'll use vinum to tie it together with the other single drives...

Only as soon as I try using vinum to do _anything_ with the Promise'd arrays, BANG: kernel panic. This is 4.6, not the latest (4.7RC1 as I type), but still. Arghh. Doesn't matter whether vinum tries raid 0, 1 or 5 -- just panics right away. If I had more time and a box of my own to fool around with, I'd try [Michael Lucas'|http://www.oreillynet.com/pub/a/bsd/2002/03/21/Big_Scary_Daemons.html] SlashdotJournal_25September2002-02 (Buy his book!) and contribute something useful to the FreeBSD folk. Alas, it's not my box or my time, and if I were to post this message to freebsd-hackers-important-vinum-people tomorrow I'd (deservedly) get laughed at so hard I'd feel it over the ether.

Anyway. Point is I can't get vinum to play nice w/the Promise'd chip even as an IDE controller. The BIOS of the box allows you to turn the Promise chip on, off, or to ATA/IDE; but even set to the latter, it panics once vinum touches /dev/ar*. You have been warned.

So get vinum using the four drives on the first two IDE channels, and that works fine once I learn the intricacies of disklabel (set type to vinum, kids!) and vinum init (and that takes a long time w/3*35GB partitions^H^H^H^H^H^H^H^H^subsooperplexen). 1 5m 5o 133t!

OT: One of my side notes was going to be about how I'm posting this w/Lynx 'cos Mozilla won't let me use vi, editor of the Elder Gods, as an editor. Then I realized I could have just fired up a shell and used vi in there. Sigh. Rumours of my cleverness have been exaggerated.

Original entry.

Tags: spam hardware bsd

Fucking spam

ARGHHH...

I work at a small ISP, and among other things I help out the sysadmin w/the mail servers and the spam filtering we do (procmail-based, but we're trying to get SpamAssassin installed Real Soon Now). Yesterday I noticed that one of our front-end mail servers, which should also have been doing secondary DNS, was not doing secondary DNS. Turns out the /var partition was filled beyond capacity because of the fucking HUGE maillog generated because of the waves of spam we've been getting lately.

Admittedly, it's Not A Good Thing to have DNS + SMTP all on the same box; we've got a new mail server in [very hibby: half gig ram, 4x40GB drives, 2GHz or some-such P4] and we're trying to get it up, at which point the small box that crapped out can do just secondary DNS. But still.

And so but took a look at the queue, and took out 26,000 messages that were just bounces back to spamming mail servers refusing connections. 26k! We use both OR-something-or-other (ORDB died, I think...can't be bothered to look it up now, but we use whatever took up the mantle) and SpamCop's BL, and the fuckers still make it through. Arghhhhhhh.

As I said, it's a small ISP...which means that my official title is HelpDeskSuperHero (tm), which means that I get calls about all this, and have to talk people down off the ledge w/all the spam they're getting recently. It's the same talk every time, sometimes to people at the same office, and it's frustrating because a) I don't have the One Magic Wand they think I do, b) well, I might have the Magic Wand in a while, but not yet, and c) I keep having to explain why filtering out Naughty Words is really not the best idea.

Heh...not being terribly coherent right now; I'm usually better than this, but I'm still waking up and this all just makes me mad. Spammers fill up our mail queue, put the load on our mail servers through the roof, and anything I can do at the moment comes after the fact: it does nothing to prevent it, and very little to make things better. Sometimes for fun I tail /var/log/procmail.log and it's just insane: there is no possible way I can catch everything, or even react fast enough to catch what's coming in right now.

I realize none of this is News, but it's crazy to me how...how fucking crazy this is: we're spending our time, money and brainpower in what seems like a constantly losing race against a small number of people with the ability to ruin email. Spammers have power far out of proportion to their numbers, and it seems like it's enough to swamp us, and maybe lots of other people too.

On the subject of SpamAssassin: God it's good. I use it at home (FreeBSD + Procmail) and it fucking ROX. I dearly wish that there was a Windows version for Outlook Express, preferably free, that I could point our customers to, but nowt luck there: DeerSoft (kudos to them) have a version for Outlook, but not OExpress. Ah well.

Sigh. /me takes deep breath. Soon we will have SpamAssassin installed, I hope, and then everything will be better.

Original entry.

Tags: slashdot

FreeBSD IPFW rules for honeypot

I promised a month ago (!) to put up the firewall rules I'd come up with for FreeBSD; here we are at last. With any luck this'll be useful for someone.

By way of background, I had the honeypot, a default server install of Redhat 6.2, sitting behind my main box running FreeBSD; the FreeBSD box had one external card (cable internet), one internal card for my LAN (yes, I was using my LAN while this was all going on...) and one internal card dedicated to the honeypot.

This is a fairly restrictive ruleset, but I didn't want to fuck up and risk letting Bad Packets (tm) out. As related earlier, I had to shut it all down about five minutes after I got cracked anyhow, so it was a moot point.

Oh, almost forgot: the funky part is not just the firewall rules below, but running the natd daemon w/the right options:

natd -t 10.0.1.1 -interface xl0

From man natd:

-t | -target_address address
Set the target address. When an incoming packet not associated
with any pre-existing link arrives at the host machine, it will be
sent to the specified address.

That made it a great deal easier to pass traffic initiated from the outside to the honeypot. I'm sure there's a way to do this in Linux, but it's been long enough since I worked w/Linux firewall rules that I wouldn't know what that is.

Anyhow, w/o further ado:

#!/bin/sh
# ipfw + natd ruleset for a honeypot on its own NIC behind a FreeBSD 4.x box.
# Needs a kernel with IPFIREWALL and IPDIVERT, net.inet.ip.forwarding=1,
# and natd running as:  natd -t $HONEYPOT -interface $EXTERNAL_NIC

IPFW="/sbin/ipfw"
PRIVATE_LAN="10.0.0.0/24"
HONEYPOT_LAN="10.0.1.0/24"
HONEYPOT="10.0.1.1"
EXTERNAL_NIC="xl0"
INTERNAL_NIC="ep0"
HONEYPOT_NIC="ep2"
MY_HONEYPOT_IP="10.0.2.2"    # where the honeypot ships its syslog
PUBLIC_IP=`ifconfig $EXTERNAL_NIC | awk '/inet / {print $2}'`

$IPFW -f flush

# Loopback: pass lo0, refuse 127/8 on any real interface.
$IPFW add 100 pass all from any to any via lo0
$IPFW add 200 deny all from any to 127.0.0.0/8
$IPFW add 300 deny ip from 127.0.0.0/8 to any

# Everything crossing the external NIC goes through natd. With -t set,
# unsolicited inbound packets come back from natd addressed to $HONEYPOT
# and carry on matching from the next rule.
$IPFW add divert natd all from any to any via $EXTERNAL_NIC

$IPFW add check-state

# My own LAN is handled by the rules from 40000 on.
$IPFW add skipto 40000 all from any to any via $INTERNAL_NIC

# Honeypot rules...be very careful!

# Logging: the honeypot's remote syslog to my box, and nothing else to me.
$IPFW add allow log udp from $HONEYPOT to $MY_HONEYPOT_IP syslog via $HONEYPOT_NIC

# Allow in from outside world. Remember, natd will be passing these
# packets on. Keep traffic from own network out.
$IPFW add allow log tcp from not $PRIVATE_LAN to $HONEYPOT via $HONEYPOT_NIC
$IPFW add allow log udp from not $PRIVATE_LAN to $HONEYPOT via $HONEYPOT_NIC keep-state
$IPFW add allow icmp from not $PRIVATE_LAN to $HONEYPOT icmptypes 0,3,8,11,12,13,14 out via $HONEYPOT_NIC keep-state

# Allow replies from ftp, ssh, pop and web...put in mainly for ftp
# replies. NO SMTP!
$IPFW add allow log tcp from $HONEYPOT 20,21,22,110,80 to not $PRIVATE_LAN via $HONEYPOT_NIC

# Inbound on the external NIC, after natd has rewritten the destination
# to the honeypot.
$IPFW add allow log tcp from any to $HONEYPOT in via $EXTERNAL_NIC
$IPFW add allow log udp from any to $HONEYPOT in via $EXTERNAL_NIC
$IPFW add allow log icmp from any to $HONEYPOT icmptypes 0,3,8,11,12,13,14 in via $EXTERNAL_NIC

# What we allow out: established, mail, ftp, web, domain, selected ICMP.
$IPFW add allow log tcp from $HONEYPOT to not $PRIVATE_LAN established via $HONEYPOT_NIC
$IPFW add allow log tcp from $HONEYPOT to not $PRIVATE_LAN 20,21,22,25,80,110 via $HONEYPOT_NIC
$IPFW add allow log tcp from $HONEYPOT 20,21,22,110,80 to not $PRIVATE_LAN via $HONEYPOT_NIC
$IPFW add allow log udp from $HONEYPOT to not $PRIVATE_LAN domain via $HONEYPOT_NIC keep-state
$IPFW add allow log icmp from $HONEYPOT to not $PRIVATE_LAN icmptypes 0,3,8,11,12,13,14 via $HONEYPOT_NIC

# Deny the rest

$IPFW add deny log all from $HONEYPOT to any

# Should this be in or via?

$IPFW add deny log all from any to any in recv $HONEYPOT_NIC
$IPFW add deny log all from any to any via $HONEYPOT_NIC

# My LAN and this box.
#add allow udp from any to any keep-state
$IPFW add 40000 allow udp from $PRIVATE_LAN to any keep-state
$IPFW add 40100 allow udp from $PUBLIC_IP to any keep-state

$IPFW add 40200 allow tcp from any to any established

$IPFW add 40300 allow tcp from any to $PUBLIC_IP 22,8000

$IPFW add 40400 allow all from any to any out via $EXTERNAL_NIC
$IPFW add 40500 allow all from any to any in via $INTERNAL_NIC
$IPFW add 40600 allow all from any to any out via $INTERNAL_NIC

#add allow all from any to ${PUBLIC_IP} 22, 8000 via ep0
# Local SMTP submission (port 25); rule 100 already passes all of lo0.
$IPFW add 40700 allow all from localhost to any 25 via lo0

$IPFW add 40800 allow icmp from any to any icmptypes 0,3,8,11,12,13,14

$IPFW add 40900 deny log all from any to any

Original entry.

Tags: slashdot

Honeypot Fun

So I set up a honeypot here at home, to try and learn a bit about computer security. I don't know a whole lot about security beyond the obvious (strong passwords, ssh, turn off services, firewall), so I figured this would be a good way to learn. I took an old Pentium, installed Red Hat 6.2, and away I went.

Welp, as the good folks at Project Honeynet suggested, the first while was spent making mistakes and learning from them. First, I went for the default workstation install -- which meant no services running. After a day, I took it down and installed a default server install. Next, I watched as there were a million probes for NetBIOS or IIS (there's a guy at work with a Win98 box at home on cable w/no firewall...I should show him the logs), and then...aha! SunRPC probes! Whee! ...only I was firewalling the replies. D'oh!

That was last weekend. I didn't want to leave it running w/o me being around to keep an eye on it, so I left it 'til this weekend to turn it back on. Friday night I booted and watched.

...and then it happened: inside of *ten seconds* the cracker detected the ftp server and rooted me. I was agog; all of a sudden I was watching commands being typed in by the cracker, who had logged in with the new user ID he'd just added for himself.

Unfortunately, the timing was bad (silly cracker!). My wife's company was having a [boat cruise|http://www.konawindscharters.com/] that afternoon, and he got in literally ten minutes before I had to leave. I watched for a little while, then shut everything down and ran out the door. (Not that I was sad to go. The boat cruise took us up Indian Arm and it was absolutely amazing: beautiful weather, free food and Bheer...a gorgeous day.)

I'll add more on my honeypot later, but it was pretty stock: RH6.2, firewall, tcpdump, Bash patch to log commands, logging offsite. The one thing I forgot to do was run tripwire.
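The tripwire step that got skipped, reduced to its core as an added example (not part of the original honeypot setup): hash a baseline copy of /etc/passwd, diff a later copy, and call out any new account, above all a new UID 0 login of the kind the intruder added. The passwd contents below are constructed for the demo.

```python
import hashlib
from typing import Dict, List

# Added example, not the author's setup: the "tripwire" check the entry says was
# skipped. Baseline a passwd file, then diff a later copy and report new accounts,
# flagging any new UID-0 (root-equivalent) login. Input is constructed inline.

def parse_passwd(text: str) -> Dict[str, dict]:
    """Map login name -> fields for each well-formed /etc/passwd line."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[0]:
            continue  # skip blank or garbled lines instead of crashing the check
        users[parts[0]] = {"uid": int(parts[2]), "gid": int(parts[3]),
                           "home": parts[5], "shell": parts[6]}
    return users

def file_digest(text: str) -> str:
    """Content hash stored in the baseline; a mismatch triggers the field diff."""
    return hashlib.sha256(text.encode()).hexdigest()

def check_passwd(baseline: str, current: str) -> List[str]:
    """Return human-readable findings; an empty list means 'unchanged'."""
    findings = []
    if file_digest(baseline) == file_digest(current):
        return findings
    before, after = parse_passwd(baseline), parse_passwd(current)
    for name in sorted(set(after) - set(before)):
        u = after[name]
        tag = "NEW ROOT-EQUIVALENT ACCOUNT" if u["uid"] == 0 else "new account"
        findings.append(f"{tag}: {name} uid={u['uid']} shell={u['shell']}")
    for name in sorted(set(before) - set(after)):
        findings.append(f"account removed: {name}")
    for name in sorted(set(before) & set(after)):
        if before[name] != after[name]:
            findings.append(f"account changed: {name} {before[name]} -> {after[name]}")
    return findings

# Constructed sample: a baseline and the same file after an intruder's edit.
BASELINE = """root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/sh
ftp:x:14:50:FTP User:/home/ftp:/bin/false
"""
AFTER = BASELINE + "r00t:x:0:0::/:/bin/bash\nftpadm:x:501:501::/home/ftpadm:/bin/bash\n"

if __name__ == "__main__":
    for finding in check_passwd(BASELINE, AFTER):
        print(finding)
```

To use it for real, store the baseline (and its digest) off the honeypot, as the entry does with its logs, so the intruder cannot edit both copies.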

Music: such a cliched thing to add to something like this (can't even bring myself to say "weblog" or "journal entry"), but: Harry Belafonte and Kate Bush. Old Harry Belafonte is so very much fun; Kate Bush's "Running Up That Hill" is incredible.

Original entry.

Tags: spam

The Jerker

So I just moved into a new place with my wife: main floor suite of a house, tons more space than the one bedroom apartment we had. Went to Ikea today and got a new desk: The Jerker (no, really). And is this baby ever sweet!

It's $144 (Canadian), which was one of the cheapest desks around, and it's absolutely perfect for my needs. For a start, it's rock fucking solid. Even putting it together, when I only had the uprights and one crosspiece bolted together, it wasn't wobbly in the least. For another, it's got a huge expanse of desk area, both wide and deep; this is nice, since I've got a big-assed 21" monitor (free, but another story). Third, it's got a shelf above for books and dippin'. Fourth, it's all adjustable: you bolt the shelf and desk plank (what the hell's the right word? Top, I suppose) into holes in the uprights, spaced at 1" intervals.

The only thing this is missing is a hole for cables, but that's a minor complaint. Also, there's no drawers or CD holders included, but that's all good for me; I hate 'em.

Original entry.

Tags: hardware

Why Unix Rocks

23 July 2002 7:58pm

(Original entry here.)

I work on the helpdesk at a small ISP, and we just started selling ADSL. I volunteered to be in charge; I thought it would be lots of geeky fun -- you know, cables and programming modems and ATM cells and stuff. It's turned out to be a huge amount of paperwork instead, but that's another story.

Anyway, we've got these external 3Com 3CP3647 modems that we program with a serial cable and Minicom/Hyperterminal -- basically set up with a password and SNMP so we can track traffic (metered service, I'm afraid). The 3Coms are great, but they're expensive, so we looked at the (also external) GNet BB030 to see how they would work. Everything seemed fine, so we ordered one. It was my job to figure out how to program them.

It came with a pretty explicit manual, which was nice, but it didn't cover everything -- it was a reference, not a tutorial. Eventually I hit a wall and couldn't go any further, so I decided to call tech support. I got as far as "So I wanna figure out how to configure the IP address on the bridge interface --" when the guy on the phone said, "Why not just use the configuration program on the CD?" Well, good point. So I did.

Now, this config program only runs on Windows, of course. I use Linux on my desktop at work (the only thing I really need from Windows is the billing software we use; I've got pretty much everything else I need from Windows memorized [i.e., about 6 tabs in the control panel], and most of our other work is done on our various FreeBSD servers), and while I can boot into Windows it takes a while, it's a pain in the ass, and I don't like it on general principles. Didn't seem like I had much choice though, so away I went.

The configuration program worked perfectly; it set up everything I wanted. It even kept the commands in a text configuration file -- but when I looked at it, it seemed like it had commands for every possible situation (bridge, routing, NAT; G.Lite, Multi-Mode; SNMP, no SNMP) and it would have taken a lot of head-scratching to figure out which were applicable. "If only," I wailed, "there were some way to just eavesdrop on what's going out over that serial cable!" And then I had a flash.

We've got a FreeBSD box (Pentium, few gigs of HD, I think 48 MB of ram) that we have on ADSL for testing & diagnosing purposes. I took a male-to-male serial cable and ran it from Com 1 on a Windows box w/the config tool to Com 1 on the FreeBSD box. I took a male-to-female serial cable and hooked up Com 2 on the FreeBSD box to the modem. And on the FreeBSD box I typed:

# cat /dev/cuaa0 > /dev/cuaa1
# cat /dev/cuaa1 | tee /dev/cuaa0 > script

And then I ran the configuration tool. FreeBSD handily forwarded Com 1 to Com 2 and Com 2 to Com 1 (forgive my Windows terms and non-zero counting), and kept a copy of what got forwarded in a text file. I was able to see the commands sent by the config tool, and all the responses the modem made.
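The same relay as an added example (not the author's commands), written so that both directions land in one log with a tag saying which side sent each chunk, which the two cat/tee commands cannot do on their own. The device names /dev/cuaa0 and /dev/cuaa1 and the log file name "script" are taken from the page; the ports are assumed to be already set up (baud rate and so on) with stty, exactly as the plain cat approach relied on. Any two file descriptors work, so the test drives it with socket pairs instead of serial ports.

```python
import os
import select
import sys
from typing import Dict, TextIO

# Added example, not the author's script: a two-port relay equivalent to
# `cat a > b` plus `cat b | tee a > script`, but every chunk is logged with a
# direction tag so the capture reads like a transcript of the config session.

def _printable(data: bytes) -> str:
    """Escape control bytes so the CR/LF the modem sends do not mangle the log."""
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in data)

def relay_and_log(fd_a: int, fd_b: int, log: TextIO,
                  label_a: str = "a->b", label_b: str = "b->a") -> Dict[str, int]:
    """Copy bytes fd_a <-> fd_b until one side reports EOF, logging each chunk.

    Returns the number of bytes forwarded in each direction.
    """
    peers = {fd_a: (fd_b, label_a), fd_b: (fd_a, label_b)}
    counts = {label_a: 0, label_b: 0}
    while True:
        readable, _, _ = select.select(list(peers), [], [])
        for fd in readable:
            data = os.read(fd, 4096)
            if not data:              # EOF: cable unplugged or session closed
                return counts
            dst, label = peers[fd]
            view = memoryview(data)
            while view:               # forward unchanged, handling short writes
                view = view[os.write(dst, view):]
            log.write(f"{label} {_printable(data)}\n")
            log.flush()               # keep the capture even if we get killed
            counts[label] += len(data)

if __name__ == "__main__":
    # Device and file names as on the page (FreeBSD 4.x era serial devices).
    pc = os.open("/dev/cuaa0", os.O_RDWR | os.O_NOCTTY)
    modem = os.open("/dev/cuaa1", os.O_RDWR | os.O_NOCTTY)
    with open("script", "w") as logfile:
        totals = relay_and_log(pc, modem, logfile, "pc->modem", "modem->pc")
    print(totals, file=sys.stderr)
```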

Now, I have to admit I was pretty damn impressed with how clever I was. It was a hell of a lot easier to do this, and let the configuration tool do its work, than to try and figure it out from the manual. Looking at the script, I was able to see both that the manual didn't document everything, and that it would be simple to change what we needed to in the script to make it suit our purposes.

But as clever as I was (I bought myself the King-sized Hero Biscuit as a reward), it was really Unix (as represented by its daughter, FreeBSD) that deserved the credit. Such simple ideas:

  • Treat devices as a file.
  • Don't hide things from a user.
  • Let the output from one program be available to be the input to another, or to be written to a file.

And yet these ideas allowed me to save myself so much effort.

I wasn't able to fire up HyperTerminal on the Windows box, and tell it to eavesdrop on what was going out of Com 1; it just said the port was busy. I can't imagine what would be involved in programming something to eavesdrop on Com 1, on the Windows box; I know only enough programming for sysadmin and CGI purposes, and only on Unix -- I've never programmed using the Windows API. But all I had to know to make it work in Unix was a few simple concepts, and a few simple commands, and I was able to fit them together to do what I wanted. I was enraptured by the power it gave me; I still am.

(If I was more ambitious, I'd compare Unix with the plain Lego blocks that you can make anything with, and Windows with the special Lego kits you use to make one thing by following the directions. But I've got to go to work shortly, and anyway even my hubris has limits.)

Tags: