The day started a bit normal. I did my morning excercise, then I prayed. I spoke with Dzemil (A macedonian colleague of mine) and we set up a meeting for 12:30, I ate. I received few calls from the office with requests to do few little things. At 12:30 I met Dzemil at the College restaurant. We spend some time talking with him and another turkish colleague. Then we went to speak with Bozhidar Bozhkov about the applications for Holland, what is the procedure of transfering from the college here to Arnhem Business School etc. Laters I went home and did some work on the servers and red and did my fourth cisco test. I went to my cousin and after that went to Javor, we went out with Ina and Javor for a coffee to Kukla. Afterwards I went home and played with Dynamips. For all that wonder what the hack Dynamips is. Well Dynamics is a Cisco emulator just like VMWare is an OS emulator with the exception that Dynamics is builded to run only Cisco’s IOS. I found that nice Video tutorial Cisco Router Emulation Software Dynamips Video Tutorial, check it out here Here . Since I needed a Cisco IOS image and I’m not a Cisco customer I used torrents to download a collection of Cisco ISO’s and used one of the isos to make it work on my Windows Vista. I have problems running it because of lack of permissions, caused by the famous UAC ( User Access Control ). The solution for me was to use a privileged command prompt and start, both the Dynamips sever and my custom configured simple1.net which connected to the server and loaded the cisco image. There is also a very nice and extended tutorial on the topic of Dynamips it’s located Here . Alto today tested the previously installed Wireshark. Wireshark is a very nice substitute for iptraf for windows it has a nice and easy to use graphical interface, supports capturing and has lot of traffic analysis possibilities I strongly recommend it to anyone coming from a Linux/BSD background like me and searching for a nice Windows substitute for iptraf. Check out wireshark on the following URL . Now I’m going to change the topic and say a few words for my spiritual state. Today it was a hard day. I was tempted by the devil to think bad thoughts and did sinned for which I search forgiveness. Life it so hard I realize it more and more day by day. Very often old spirits which tormented me for a long time are trying to come back. I haven’t smoked today also and again thanks for that should fly to God who delived me from this terrible vice. As a conclusion I should say that for everything I should thanks to God and pray for him to forgive my unfaithfulness. END—–
Posts Tagged ‘work’
The day, Today
Tuesday, May 20th, 2008How to Secure Apache on FreeBSD and CentOS against Range: header DoS attack (affecting Apache 1.3/2.x)
Thursday, June 30th, 2011
Recently has become publicly known for the serious hole found in all Apache webserver versions 1.3.x and 2.0.x and 2.2.x. The info is to be found inside the security CVE-2011-3192 – https://issues.apache.org/bugzilla/show_bug.cgi?id=51714
Apache remote denial of service is already publicly cirtuculating, since about a week and is probably to be used even more heavily in the 3 months to come. The exploit can be obtained from exploit-db.com a mirror copy of #Apache httpd Remote Denial of Service (memory exhaustion) is for download here
The DoS script is known in the wild under the name killapache.pl
killapache.pl PoC depends on perl ForkManager and thus in order to be properly run on FreeBSD, its necessery to install p5-Parallel-ForkManager bsd port :
freebsd# cd /usr/ports/devel/p5-Parallel-ForkManager
freebsd# make install && make install clean
...
Here is an example of the exploit running against an Apache webserver host.
freebsd# perl httpd_dos.pl www.targethost.com 50
host seems vuln
ATTACKING www.targethost.com [using 50 forks]
:pPpPpppPpPPppPpppPp
ATTACKING www.targethost.com [using 50 forks]
:pPpPpppPpPPppPpppPp
...
In about 30 seconds to 1 minute time the DoS attack with only 50 simultaneous connections is capable of overloading any vulnerable Apache server.
It causes the webserver to consume all the machine memory and memory swap and consequently makes the server to crash in most cases.
During the Denial of Service attack is in action access the websites hosted on the webserver becomes either hell slow or completely absent.
The DoS attack is quite a shock as it is based on an Apache range problem which started in year 2007.
Today, Debian has issued a new versions of Apache deb package for Debian 5 Lenny and Debian 6, the new packages are said to have fixed the issue.
I assume that Ubuntu and most of the rest Debian distrubtions will have the apache's range header DoS patched versions either today or in the coming few days.
Therefore work around the issue on debian based servers can easily be done with the usual apt-get update && apt-get upgrade
On other Linux systems as well as FreeBSD there are work arounds pointed out, which can be implemented to close temporary the Apache DoS hole.
1. Limiting large number of range requests
The first suggested solution is to limit the lenght of range header requests Apache can serve. To implement this work raround its necessery to put at the end of httpd.conf config:
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
CustomLog logs/range-CVE-2011-3192.log common env=bad-req-range
2. Reject Range requests for more than 5 ranges in Range: header
Once again to implement this work around paste in Apache config file:
This DoS solution is not recommended (in my view), as it uses mod_rewrite to implement th efix and might be additionally another open window for DoS attack as mod_rewrite is generally CPU consuming.
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$)
# RewriteCond %{HTTP:request-range} !(bytes=[^,]+(?:,[^,]+){0,4}$|^$)
RewriteRule .* - [F]
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
3. Limit the size of Range request fields to few hundreds
To do so put in httpd.conf:
LimitRequestFieldSize 200
4. Dis-allow completely Range headers: via mod_headers Apache module
In httpd.conf put:
RequestHeader unset Range
RequestHeader unset Request-Range
This work around could create problems on some websites, which are made in a way that the Request-Range is used.
5. Deploy a tiny Apache module to count the number of Range Requests and drop connections in case of high number of Range: requests
This solution in my view is the best one, I've tested it and I can confirm on FreeBSD works like a charm.
To secure FreeBSD host Apache, against the Range Request: DoS using mod_rangecnt, one can literally follow the methodology explained in mod_rangecnt.c header:
freebsd# wget http://people.apache.org/~dirkx/mod_rangecnt.c
..
# compile the mod_rangecnt modulefreebsd# /usr/local/sbin/apxs -c mod_rangecnt.c
...
# install mod_rangecnt module to Apachefreebsd# /usr/local/sbin/apxs -i -a mod_rangecnt.la
...
Finally to load the newly installed mod_rangecnt, Apache restart is required:
freebsd# /usr/local/etc/rc.d/apache2 restart
...
I've tested the module on i386 FreeBSD install, so I can't confirm this steps works fine on 64 bit FreeBSD install, I would be glad if I can hear from someone if mod_rangecnt is properly compiled and installed fine also on 6 bit BSD arch.
Deploying the mod_rangecnt.c Range: Header to prevent against the Apache DoS on 64 bit x86_amd64 CentOS 5.6 Final is also done without any pitfalls.
[root@centos ~]# uname -a;
Linux centos 2.6.18-194.11.3.el5 #1 SMP Mon Aug 30 16:19:16 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
[root@centos ~]# /usr/sbin/apxs -c mod_rangecnt.c
...
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc -o mod_rangecnt.la -rpath /usr/lib64/httpd/modules -module -avoid-version mod_rangecnt.lo
[root@centos ~]# /usr/sbin/apxs -i -a mod_rangecnt.la
...
Libraries have been installed in: /usr/lib64/httpd/modules
...
[root@centos ~]# /etc/init.d/httpd configtest
Syntax OK
[root@centos ~]# /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
After applying the mod_rangecnt patch if all is fine the memory exhaustion perl DoS script's output should be like so:
freebsd# perl httpd_dos.pl www.patched-apache-host.com 50
Host does not seem vulnerable
All of the above pointed work-arounds are only a temporary solution to these Grave Apache DoS byterange vulnerability , a few days after the original vulnerability emerged and some of the up-pointed work arounds were pointed. There was information, that still, there are ways that the vulnerability can be exploited.
Hopefully in the coming few weeks Apache dev team should be ready with rock solid work around to the severe problem.
In 2 years duration these is the second serious Apache Denial of Service vulnerability after before a one and a half year the so called Slowloris Denial of Service attack was capable to DoS most of the Apache installations on the Net.
Slowloris, has never received the publicity of the Range Header DoS as it was not that critical as the mod_range, however this is a good indicator that the code quality of Apache is slowly decreasing and might need a serious security evaluation.
Fix to GNOME Pulseaudio server crappy sound on Debian GNU / Linux – PulseAudio Debian Workaround
Sunday, January 8th, 2012I've faced some issues with crappy sound in some of the games I'm playing on my Debian . Also I ometimes, have issues with sound while watching movies with VLC or Totem... Sound issues with Skype are also seldomly occuring during skype calls etc. etc.
Recently I've realized many of this crappy sound issues origins from PulseAudio – the sound server GNOME desktop env uses to manage all sound just before passing it through ALSA.
I've found on the internet many suggested ways on how to workaround these issues. Many of the things suggested as workarounds, however was outdated and referred to old versions of GNOME / Pulseaudio and therefore was unusable on my Debian 6 Squeeze….
What I found most helpful is fixes and workarounds for pulseaudio list compiled by people in the Fedora community on fedorasolved.org's website – http://fedorasolved.org/Members/fenris02/pulseaudio-fixes-and-workarounds
Some of the fixes and work arounds suggeted on the above link, I have already applied, others was not applicable for Debian.
Anyways the things which I found most important and I believe many people who runs Debian need to implement from the list to solve pulseaudio crappy sound issues is concluded in the below 5 steps.
1. Install few packages related to pulseaudio
apt-get install paman padevchooser paprefs pulseaudio pulseaudio-esound-compat pulseaudio-module-x11 pulseaudio-module-zeroconf pulseaudio-utils
2. Edit ~/.asoundrc and include
pcm.pulse { type pulse }
ctl.pulse { type pulse }
Quickest way is by issuing:
echo 'pcm.pulse { type pulse }' >> ~/.asoundrc
echo 'ctl.pulse { type pulse }' >> ~/.asoundrc
3. Change in the pulseaudio server configuration file ( /etc/pulse/daemon.conf ):
debian:~# vim /etc/pulse/daemon.conf
Look up for the lines:
; default-fragments = 4
; default-fragment-size-msec = 25
Substitute this two lines with:
default-fragments = 8
default-fragment-size-msec = 5
4. Enable Simultaneous Output in PulseAudio preferences
Navigate to the GNOME menus:
System -> PulseAudio Preferences
Choose the "Simultaneous Output" tab and select:
Add virtual output device for simultaneous output on all local sound cards
5. Log Off Gnome and restart PulseAudio
To load the new changed settings in /etc/pulse/daemon.conf restart of pulseaudio server is required, right after a Logoff from the current opened gnome session;
To do so LogOff with the trivial:
System -> Log Out
Login as root in console;
Press CTRL+ALT+F1, login with root and issue:
debian:~# /etc/init.d/pulseaudio restart
...
N.B.; In some cases it might be necessery to do some adjustments are made in gstreamer properties , to change settings there launch:
Tampering with gstreamer-properties used to fix for me some problems with ALSA and PulseAudio in the past, so it might be worthy to check it out and experiment a bit with it as well.
debian:~$ gstreamer-properties
Now many of the crappy sound games or applications should start working just fine. Enjoy 😉
How to exclude sorbs.net for a particular IP address in Qmail Mail server install / Fix to Thunderbird mail sent error (Exploitable Server See: http://www.sorbs.net/lookup.shtml?xx.xx.xx.xx) error
Tuesday, November 1st, 2011In the office, some of my colleagues has started receiving error messages, while trying to send mail with Thunderbird and Outlook Express
The exact error they handed to me reads like this:
An error occured while sending mail. The mail server responded: Exploitable Server See:
http://www.sorbs.net/lookup?xx.xx.xx.xx. Please check the message recipient
Here is also a screenshot, I’ve been sent via Skype with the error poping up on a Thunderbird installed on Windows host.
Typing the url http://www.sorbs.net/lookup?xx.xx.xx.xx lead me to sorbs.net to a page saying that the IP address of the mail client which is trying to send mail is blacklisted . This is not strange at all condireng that many of the office computers are running Windows and periodically get infected with Viruses and Spyware which does sent a number of Unsolicated Mail (SPAM).
The sorbs.net record for the IP seems to be an old one, since at the present time the office network was reported to be clear from malicious SMTP traffic.
The error sorbs.net disallowing the mail clients to send from the office continued for already 3 days, so something had to be done.
We asked the ISP to change the blacklisted IP address of xx.xx.xx.xx , to another one but they said it will take some time and they can’t do it in a good timely matter, hence to make mail sending work again with POP3 and IMAP protocols from the blacklisted IPs I had to set in the Qmail install to not check the xx.xx.xx.xx IP against mail blacklisting databases.
On qmail install disabling an IP check in RBLSMTPD is done through editting /etc/tcp.smtp and following recreate of /etc/tcp.smtp.cdb – red by qmailctl script start.
The exact line I put in the end of /etc/tcp.smtp to disable the RBLSMTPD check is:
xx.xx.xx.xx:allow,RBLSMTPD="",RELAYCLIENT="",QS_SPAMASSASSIN="0"
Further on to recreate /etc/tcp.smtp.cdb and reload the new cdb db records:
qmail:~# qmailctl cdb
qmail:~# qmailctl restart
...
Onwards, the sorbs.net IP blacklist issue was solved and all office computers from xx.xx.xx.xx succeeded in sending mails via SMTP.
How to fix upside-down / inverted web camera laptop Asus K51AC issue on Ubuntu Linux and Debian GNU / Linux
Monday, February 13th, 2012
Does your camera show video correctly in cheese but shows captured video upside-down (inverted) in skype ?
This is an issue a friend of mine experienced on his Asus K51AC-SX037D laptop on both Ubuntu and Debian Linux.
As you can see in the picture above it is funny as with this bug the person looks like a batman 😉
As the webcam upside-down issue was present on both latest Ubuntu 11.10 and latest stable Debian Squeeze 6.02, my guess was other GNU / Linux rpm based distro like Fedora might have applied a fix to this weird Skype inverted video (bat human like) issue.
Unfortunately testing the webcam with Skype on latest both Fedora 16 and Linux Mint 12 appeared to produce the same webcam bug.
A bit of research for the issue online and try outs of a number of suggested methods to resolve the issue led finally to a work around, thanks to this post
Here is few steps to follow to make the webcam show video like it should:
1. Install libv4l-0 package
root@linux:~# apt-get --yes install libv4-0
...
Onwards to start skype directly from terminal and test the camera type:
hipo@linux:~$ LD_PRELOAD=/usr/lib/libv4l/v4l1compat.so skype
This is the work around for 32 bit Linux install, most people however will probably have installed 64 bit Linux, for 64bit Linux installs the above command should be little different:
hipo@linux:~$ LD_PRELOAD=/usr/lib32/libv4l/v4l1compat.so skype
Once skype is launched test the camera and see if the camera capture is now uninverted, through menus:
S -> Options -> Video Devices -> Test
2. Create a skype Wrapper script Launcher
To make skype launch everytime with exported shell variable:
LD_PRELOAD=/usr/lib32/libv4l/v4l1compat.so
A new skype wrapper bash shell script should be created in /usr/local/bin/skype , the file should contain:
#!/bin/sh
LD_PRELOAD=/usr/lib32/libv4l/v4l1compat.so
/usr/bin/skype
To create the script with echo in a root terminal issue;
root@linux:~# echo '#!/bin/sh' >> /usr/local/bin/skype
root@linux:~# echo 'LD_PRELOAD=/usr/lib32/libv4l/v4l1compat.so' >> /usr/local/bin/skype
root@linux:~# echo '/usr/bin/skype' >> /usr/local/bin/skype
root@linux:~# chmod +x /usr/local/bin/skype
3. Edit the Skype gnome menu to substitute /usr/bin/skype Skype Launcher with /usr/local/bin/skype
Gnome 2 has a handy menu launcher, allowing to edit and add new menus and submenus (menus and items) to the Application menu, to launch the editor one has to click over Applications with last mouse button (right button) and choose Edit Menus
The menu editor like the one in the below screenshot will appear:
In the preceeding Launcher properties window, Command: skype has to be substituted with:
Command: /usr/local/bin/skype
For console freaks who doesn't want to bother in editting Skype Launcher via GUI /usr/share/applications/skype.desktop file can be editted in terminal. Inside skype.desktop substitute:
Exec=skype
with
Exec=/usr/local/bin/skype
As one can imagine the upside-down video image in Skype is not a problem because of Linux, but rather another bug in Skype (non-free) software program.
By the way everyone, who is using his computer with Free Software operating system FreeBSD, Linux etc. knows pretty well by experience, that Skype is a very problematic software; It is often a cause for system unexpected increased system loads, problems with (microphone not capturing), camera issues, issues with pulseaudio, problem with audio playbacks … Besides the long list of bugs there are unexpected display bugs in skype tray icon, bugs in skype messanger windows and at some rare occasions the program completely hangs and had to be killed with kill command and re-launched again.
Another worrying fact is Skype's versions available for GNU / Linux and BSD is completely out of date with its "competitor" operating systems MS Windows, MacOS X etc.
For people like me and my friend who want to use free operating system the latest available skype version is not even stable … current version fod download from skype's website is (Skype 2.2Beta)!
On FreeBSD the skype situation is even worser, freebsd have only option to run Skype ver 1.3 or v. 2.0 at best, as far as I know skype 2.2 and 2.2beta is not there.
Just as matter of comparison the latest Skype version on Windows is 5.x. Windows release is ages ahead its Linux and BSD ver. From a functional point of view the difference between Linux's 2.x and Windows 5.x is not that much different, what makes difference is is the amount of bugs which Linux and BSD skype versions contain…
Skype was about 6 months ago bought by Microsoft, therefore the prognosis for Skype Linux support in future is probably even darker. Microsoft will not probably bother to release new version of Skype for their competitor free as in freedom OSes.
I would like to thank my friend and brother in Christ Stelian for supplying me with the Skype screenshots, as well as for being kind to share how he fixed his camera with me.
Reasons Why People Who Work with Computers seem to have a lot of spare time
Saturday, February 11th, 2012
While I was digging through some of my old data, I've found this funny caricature.
Here is the same picture in better 1178 x 975 pixels resolution
Enjoy 😉
Linux then and Now statistics diagram on GNU/Linux use grow 1994 – 2011
Tuesday, January 31st, 2012
In above graphics you see development of GNU/Linux through the years startingfrom 1992 to 2010. You see for the past 18 years the number of kernel developers has rasised from 100 to 1000 (10 times). The number of super computers based on GNU / Linux operating system was only 1, while in 2011 they were already 413. Just for information Top 10 Super computers in terms of CPU power are running on top of some Linux + GNU environment based operating system.
You see the number of Patented software increased approximate 3 times for 16 years … PC shipped with Linux all oer the world increased almost 10 times.
A survey was run among the biggest Linux convention LinuxCon aiming to find out the share difference between users using different distros, as well as a survey to answer the question where is Linux mostly used. Obviously even though the Ubuntu desktop boom this years Linux is still mostly used in work location, home desktop / notebook users are almost 3 times less.
The survey show the sad results, the Linux in school and academic communities is less used than for professional purposes. On the desktop things has slightly changed, for the last 5-7 years. From the position of being a Linux Desktop leading OS, Fedora went into the shadows in favour of the "less free" (in terms of Freedom) Ubuntu.
All system administrators knows well Linux is a very common choice for building small or middle enterprise business information systems. Hugest platforms which are the web backbone today like Google, Facebook, Twitter, Stock Exchanges, Mail services, various technical equipment etc. runs on top of Linux. Even though the huge number of adoption Linux and free software is though to not be legally assured this is well known among free software and open source evangelist under the term FUD.
Android found its way also in Samsung Galaxy and a number of tablet devices running Linux based kernel OS was shipped in 2011.
With the raise of Android which (base is mostly Linux kernel and less GNU tools based). The spread of Linux has seen a huge raise on the mobile (smart phones) market as well. You see in above chart as of 2011 Android sells had the highest market share with 37%.
The year 2011 was not among the best Linux users anywas, as Unity does turned away many users to become Linux converts. The big GNOME 3 mess, which was called by Linus Toravlds a "holy mess" , along with the kernel.org's security break in does also contributed that year 2011 ended up as a bad one for free software.
As of August 2011, the global Linux market approximate market share is about 3% of all the installed OSes currently existing in the world. And compared to 5 years ago there is a little decline in the share. I believe the 2012 will be a better year for both development and adoption of free software and Linux.
