Showing posts from December, 2003

Administering Servers with Webmin

I've been trying Webmin on FreeBSD, Solaris 8, and HP-UX 11i today. Once I repatriate my AIX box from my employer, I intend to install Webmin on it as well. For FreeBSD, I installed the package provided by the FreeBSD project. For Solaris, I used the package provided by Webmin. For HP-UX, I downloaded the tarball and installed from source. I tried the version packaged by HP with their port of Apache and Tomcat, but couldn't get it to install on its own. Webmin uses its own "" so Apache is not needed. Webmin is a Web-based, cross-platform system administration tool. Although I'm not a huge fan of Web-based interfaces , Webmin is slick. I recommend installing the Swelltech theme , which is cleaner than the default. Using Webmin I successfully installed the lsof package for FreeBSD and Solaris . I didn't have any luck with the same package for HP-UX . Webmin allows you to run commands through the Web browser, so once lsof was installed

Security 101 Book

Today I was asked for my recommendation for a "security 101" book. I hadn't given the subject much thought, although I think Ed Skoudis' Counter-Hack is a great place to start. I looked around my office and found a book Addison-Wesley sent me last year: Internet Site Security by Erik Schetina, Ken Green, Jacob Carlson. After thumbing through the book, I've decided it's excellent. I won't review it on, since my policy is to only review books I've read. Still, a mention here is worthwhile. This book is so solid I adopted its "assess -> protect -> detect -> respond" security process model to replace the "plan -> prevent -> detect -> respond" version in my own book, just to avoid reinventing the wheel. They also correct state the risk equation as "risk = threat X vulnerability X asset value." If you're looking to get your feet wet in security, or if you're a manager who needs to

Using Sysmon to Detect Faulty Hardware

No sooner had I posted the entry on Sysmon than it detected a network problem. Two of my systems were unreachable. They both sat of a DMZ leg of my gateway. After troubleshooting at various layers I narrowed the issue down to a faulty NIC in the gateway. How often does that happen? Unfortunately the bad NIC is a Intel PRO/100+ Dual Port Server Adapter (PILA8472) . When trying to ping out from the NIC to the DMZ, here's the sort of traffic the NIC generated: 00:39:18.628691 > icmp: echo request 00:39:19.638731 0:0:0:0:0:0 > 0:0:0:0:0:0 sap 00 I (s=0,r=0,C) len=80 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 00:39:20.648696 0:0:0:0:0:0 > 0:0:0:0:0:0 sap 00 I (s=0,r=

FreeBSD on Laptops

I thought the best I could do for help running FreeBSD on laptops was Linux on Laptops , until I learned of the FreeBSD Laptop Compatibility List . This site even had an entry for my Thinkpad a20p . There's an article at and another database of information also available. I've had various versions of FreeBSD running on this laptop since I tried installing FreeBSD 4.1.1 . I plan to install FreeBSD 5.2 REL once issues in the todo list are solved.

Understanding Snort DNS TTL Alerts

While reading a recent Network Computing magazine article, I noticed an interesting discussion of "DNS-based route optimizers." These sounded like the products which confused IDS operators four years ago. I read about it in an earlier NWC article . This December 2003 article states: "Handling external Web requests... is accomplished by advertising a low DNS TTL of about 10 seconds. This forces the end user's DNS server to request an updated IP address every 10 seconds... the device will provide the external IP address that will provide the best path through the network." The whole idea with DNS-based systems is to trick clients into visiting the server that's "closest" to them in Internet space. By "closest" I mean the one offering the lowest latency. It's a performance enhancement for visitors. NWC's graphic does a nice job explaining the system. Notice the mention of "probes." The review mentions ICMP and TCP-b

Ways to Install FreeBSD

While perusing the newgroups at , I learned a new way to get FreeBSD. The FreeBSD Project publishes .iso images of its release software, like 4.9 REL or 5.1 REL. Easy enough. Mirrors for these distributions are available at FreeBSD mirrors . However, I discovered the FreeBSD Snapshots site offers .iso images of the latest version of each tree, e.g., 4-stable and 5-current. You can download the .iso and finish with a system running the newest FreeBSD, assuming they work on your hardware. If you're more conservative, they maintain a "security release" of the 4.8 distribution as well, which right now is 4.8-RELEASE-p13. You can even finger their server to learn the newest builds available there: finger [] FreeBSD/i386: The latest version of FreeBSD -CURRENT is: 5.2-CURRENT-20031227-JPSNAP The latest version of FreeBSD 4-STABLE is: 4.9-STABLE-20031202-JPSNAP FreeBSD/alpha: The latest version of FreeB

Adding a New Disk in NetBSD

People complain about FreeBSD's '/stand/sysinstall' program, but I wish I could have used it yesterday when adding an 8 GB HDD to my NetBSD box. I loosely followed the official documentation but laughed when I read "Now we create some disklabel partitions, editing the tempfile as already explained. The result is...", followed by a disklabel output created from scratch! This reminded me of the "intuitively obvious" phrase from my college calculus books. Here's how I did it. This is what the disk looked in dmesg output: wd1 at pciide0 channel 0 drive 1: wd1: drive supports 16-sector PIO transfers, LBA addressing wd1: 8063 MB, 16383 cyl, 16 head, 63 sec, 512 bytes/sect x 16514064 sectors wd1: 32-bit data port wd1: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 2 (Ultra/33) wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2 (Ultra/33) (using DMA data transfers) First I ran fdisk. Notice the BIOS never seems to get the HDD geometry corre

Installing Packages on NetBSD and OpenBSD

Last month I wrote about installing packages on FreeBSD. This entry covers my NetBSD and OpenBSD experiences. First, a few differences between NetBSD and OpenBSD. Root's default shell in NetBSD is /bin/sh, while OpenBSD uses /bin/csh. This means environment variables can be set in .profile for NetBSD and .cshrc for OpenBSD. FreeBSD gives users the chance to automatically retrieve packages and dependencies remotely, e.g., 'pkg_add -r mtr'. FreeBSD makes its remote retrieval decisions based on the installed OS. NetBSD and OpenBSD allow the same, but you must specify the OS in an environment variable. For NetBSD, add the following to .profile: export PKG_PATH= For OpenBSD, add this to .cshrc: setenv PKG_PATH These additions make automatic package retrieval easier. I'll install the GTK version of MTR to demonstrate the process on each OS. For NetBSD

Review of Open Source Network Administration Posted

Image just posted my four star review of Open Source Network Administration . It's been nearly two months since my last review. I've been extremely busy writing The Tao of Network Security Monitoring , so reading has taken a back seat. From the review: "Open source is the wave of the future, and James Kretchmar's Open Source Network Administration (OSNA) catches that wave in fine form. Although the book is only 238 pages, it contains several gems. I read the book specifically for its coverage of the Multi Router Traffic Grapher (MRTG), OSU's Flow Tools, and Sysmon. By following Kretchmar's instructions, I easily installed these three applications."

Simple Network Health Performance Monitoring with Sysmon

Do you need a simple Web-based application to check if your systems and/or applications are alive? I learned about Sysmon when reading Open Source Network Administration . Once I wrote my own configuration file to watch my systems, I followed the book's instructions to complete the Sysmon installation. The result is the small screen shot at left. Since you don't need to spend a lot of time checking out the details of my network, you can get the idea by reviewing this image. The green systems are all up. The yellow ones just became unreachable. I forgot to return on one of them to service after working on it. Since it's a bridging firewall for the second box, both are listed in yellow. The orange/reddish entry is a missing box. I lent it to my office for a case, and when it returns the record will be green again! Sysmon is a good alternative to Nagios or the Network Management Information System (NMIS) if you only need to do simple monitoring of 10-100 systems.

Cisco Icons Online

Do you need networking icons for presentations or papers? Check out the completely free, non-copyrighted Cisco collection . I learned about it after reading a tip in Cisco's Packet magazine. Besides having the icons for use in OpenOffice , the zipped .pdf of conceptual icons is handy. It helps you decode Cisco diagrams by recognizing what certain symbols mean.

Learning To Install Open Source Software on Solaris and HP-UX

This summer I bought an Ultra 30 workstation and an HP Visualize B2000 workstation to learn Solaris on SPARC and HP-UX on PA-RISC, respectively. Today I worked on installing open source software on each. Starting with the Sun box running Solaris 8 on SPARC, I visited Sun Freeware , an absolutely incredible site providing free compiled binary packages of key open source software. Here's a sample installation: 1. FTP to the Sunfreeware site to retrieve the package for bash 2. Unzip the package with 'gzip -d' 3. Install the package with 'pkgadd -d' I later installed wget, which made step one much easier. I was even able to install OpenSSH using the site's instructions, which outlined step-by-step the actions needed to install a necessary Solaris patch, then grab the required packages, create keys, and so forth. I made my own startup script using ideas from the instructions: #!/bin/sh # # Simple OpenSSH start script by Richard Bejtlich SSHCONF=/usr/local/etc

Verisign Acquires Guardent for $140 Million

Big news from the managed security services space. Consolidation continues, as big companies looking for growth opportunities acquire the small fries. Today Verisign announced it bought Guardent (yes, the Guardent URL spells the company's name incorrectly) for $140 million in stock and cash. Guardent currently employees about 150 people. Update : Here's eWeek 's analysis.

Getting Your FreeBSD Box to Speak 802.1q Trunks with a Cisco Switch

I have the following setup on my home LAN: cable modem - cisco router - freebsd fw/gw - cisco switch - clients < The client boxes are in two separate VLANs with different address spaces. I needed a way for them to be able to talk to the FreeBSD 4.9 REL firewall/gateway without wasting two interfaces on the fw/gw. Here's how I set this up. I'm no Cisco guru so excuse my lack of shortcuts. I got some help from this how-to , this thread , and this Cisco guide . First, on the switch, I created my VLANs: gruden#conf term Enter configuration commands, one per line. End with CNTL/Z. gruden(config)#vlan 20 gruden(config-vlan)#name green gruden(config-vlan)#end gruden#conf term Enter configuration commands, one per line. End with CNTL/Z. gruden(config)#vlan 10 gruden(config-vlan)#name yellow gruden(config-vlan)#end Next I created my trunk port to speak to the FreeBSD box: gruden#conf term Enter configuration commands, one per line. End with CNTL/Z. gruden(config)#int fa0/24 g

MRTG with FreeBSD and a Cisco Router

It doesn't get much easier than this. I wanted to add the Multi Router Traffic Grapher (MRTG) to my NSM tool collection. Based on the instructions provided by Open Source Network Administration and Cisco , here's how I did it. bourque is the name of my FreeBSD 4.9 REL NSM sensor and is my Cisco router. First I enabled the SNMP server on the router. Replace 'public' and 'private' with other community strings, like I did. (These are examples.) gill(config)#snmp-server community public RO gill(config)#snmp-server community private RW Make sure you set up an access list on interfaces where you don't want people accessing the SNMP service on your router: access-list 101 deny udp any any eq snmp log Next install an Apache Web server on the system which will hold MRTG's output: bourque# pkg_add -r packages-4-stable/All/apache+mod_ssl-1.3.29+2.8.16.tgz Fetching

CAIDA to the Rescue

Kudos to CAIDA for applying real research to the issue of whether the SCO Web site was hit by a DoS attack or not. CAIDA used its Network Telescopes to watch backscatter from SCO servers and confirmed SCO Web and FTP servers were indeed flooded : "At 3:20 AM PST on Wednesday, December 10, 2003, the UCSD Network Telescope began to receive backscatter traffic indicating a distributed denial-of-service attack against the SCO Group. Early in the attack, unknown perpetrators targeted SCO's web servers with a SYN flood of approximately 34,000 packets per second... Around 2:50 AM PST Thursday morning, December 11, the attacker(s) began to attack SCO's ftp (file transfer protocol) servers in addition to continuing the web server attack. Together and experienced a SYN flood of over 50,000 packet-per-second early Thursday morning. By mid-morning Thursday (9 AM PST), the attack rate had reduced considerably to around 3,700 packets per second. Throughout

Creating Fake Interfaces and Bonding Them

In June I posted a way to bond two FreeBSD interfaces to a third unused interface for purposes of combining tap outputs and sniffing the result. This method used ng_one2many and was based on advice from Andrew Fleming . In July I corresponded with John Bradberry who shared his method of using ng_fec, the man-page-less Fast Ether Channel netgraph (4) module. Two months ago John posted his method, which looks like the email he sent me in July. I finally got a chance to try it, and can report that it works. Here's what's required on a stock FreeBSD 4.9 REL system where sf2 and sf3 see the tap outputs. First, build the ng_fec kernel module: cd /usr/src/sys/modules/netgraph/fec make make install Next, create the virtual fec0 interface which will see traffic from sf2 and sf3 simultaneously. Note the use of single quote and double quote around the interface names. ngctl mkpeer fec dummy fec ngctl msg fec0: add_iface '"sf2"' ngctl msg fec0: add_iface '&q

Bruce Schneier on Northeast Blackout

Bruce Schneier wrote about the possible role of MSBlaster in the 14 August 2003 northeast electrical blackout. He reports on the November interim report ( .pdf ) by a joint US-Canadian taskforce: "The coincidence is too obvious to ignore. At 2:14 p.m. EDT, the MSBlast worm was dropping systems all across North America. The report doesn't explain why so many computers--both primary and backup systems--at FirstEnergy were failing at around the same time. But MSBlast is certainly a reasonable suspect. Unfortunately, the report doesn't directly address the MSBlast worm and its effects on FirstEnergy's computers. The closest I could find is this paragraph, on page 99: "Although there were a number of worms and viruses impacting the Internet and Internet connected systems and networks in North America before and during the outage, the SWG's preliminary analysis provides no indication that worm/virus activity had a significant effect on the power generation and de

US Government Security Report Card

Yesterday Congressman Putnam of the US House Committee on Government Reform announced the federal government's computer security report card ( .pdf ). FCW summarized the results. For the first time two agencies scored above 90%: the Nuclear Regulatory Commission earned top honors with an A, and the National Science Foundation received an A-. The grades were based for the first time in the four-year program on the Federal Information Security Management Act ( .pdf ) reportedly an improvement over the Government Information Security Reform Act (GISRA) ( .pdf ). I found it amusing that after the press NASA received for working with SANS to patch systems in 2001 ( .pdf ), NASA's score has consistently dropped. NASA scored a C- in 2001 , a D+ in 2002 and now a D- in 2003. In 2001 NASA was lauded as a "poster child" for their "vulnerability-focused approach to eliminate security problems." Apparently SANS no longer thinks addressing vulnerabilities i

Creative Commons

After reading why Microsoft Word is not a document exchange format , I found myself at the Creative Common Web site. Their goal is "to build a layer of reasonable, flexible copyright in the face of increasingly restrictive default rules." I found their license builder interesting.

Spammers Target Cambridgeshire Police Force

I learned of this scam via this Sophos report. Spammers are sending messages which appear to be receipts for £399.99 Apple iPods. The message lists the phone number of the Cambridgeshire Police Force in the UK as the point of contact for complaints. This sounds more like a prank than a structured attack, but the concept is sound. I imagine we'll see more of this in the future. Here's what the email looks like: Subject: Transaction Receipt (UKCards) From: "UKCards" ------------------ Please note: All charges to your statement will appear in the name "UKCARDS LIMITED". Order Information Amount: £399.95 Currency: GBP Merchant Name: HUNTINGDON MAIL ORDER Description: iPod Music Player 40GB Customer Service Telephone: 01480 456111 Email: N/A Delivery Address 47 Silver Street, London, NW1 5TR If you have any questions on the delivery of this order or product details please contact the merchant directly using the above details.
I commend the Debian project for detailing the exact timetable and methodology associated with their recent compromise. They posted a detailed report on the incident Tuesday. I found several points noteworthy. First, notice how they detected the intrusion. Sharp admins knew something was amiss, and a host-based IDS detected file changes: "On the evening (GMT) of Thursday, November 20th, the admin team noticed several kernel oopses on master. Since that system was running without problems for a long time, the system was about to be taken into maintenance for deeper investigation of potential hardware problems. However, at the same time, a second machine, murphy, was experiencing exactly the same problems, which made the admins suspicious. Also, klecker, murphy and gluck have Advanced Intrusion Detection Environment (package aide) installed to monitor filesystem changes and at around the same time it started warning that /sbin/init had been replaced and that the mtime and

1500 Helpful Review Votes at

I'd like to thank everyone who's voted my reviews to be "helpful" over the last 3+ years. I started seriously reviewing books with Radia Perlman's Interconnections, 2nd Ed in May 2000. Since then I've written reviews of 116 books on security and computing topics. Some reviews of poor books caused quite a stir. Several were pulled only to have me resubmit "just the facts" in the form of direct quotes. Others caused me to argue with certain members of the community who praised books they should not have. Either they didn't read the book or they were too out of touch to realize printing 250 pages of C code did nothing to teach the reader about "hacking." Every month I received many books to review. I only read those on my reading list or those that surprise me with their originality. I don't review books I've skimmed, unless the reason I've stopped reading was disappointment with content. As a result, ma

Exploiting Cisco Routers Article

SecurityFocus published the sequel to an article on exploiting Cisco routers. This has been happening for a while but this article spells out the details.

Quirks of NetBSD

Exactly two months ago I reported installing FreeBSD, NetBSD, OpenBSD, and Debian on my laptop for test purposes. Yesterday I tried to upgrade a different box from FreeBSD 5.1 RELEASE to FreeBSD 5.1 CURRENT. I've had no luck getting my SMC 2632W or 2602W wireless NICs, or an Orinoco Gold wireless NIC, to work in any modern version of FreeBSD. (I had the 2632W working with FreeBSD 4.5 and earlier using this hack .) I thought trying CURRENT might be a good idea but the install failed. Wireless support is my biggest grievance with FreeBSD. I used a wireless NIC on OpenBSD 3.3 fine yesterday. So, I decided to replace the failed FreeBSD install with NetBSD 1.6.1. I got the OS installed but found it to be quirky. It works fine, but it's got its own peculiarities that separates it from FreeBSD. For example, I installed "everything," but OpenSSH was not installed by default. In fact, nothing was listening by default. What is this, OpenBSD? Not even OpenBSD is s