Saturday, June 27, 2009

GCC Update Problem

So after running emerge --update --deep --newuse world, and then emerge --depclean, somehow I lost Firefox, my gentoo sources (used to compile/recompile the kernel), and I could no longer compile any emerged packages... Somehow the update shot GCC. I googled the problem, and found this forum post about my very problem, so I unset GCC_SPECS and reemerged gcc (which takes forever to compile), and was able to reinstall firefox and install gtk+, to play with some Gnome eye-candy later...

Alas, I still can't recompile my kernel to enable extra CIFS support required to use Windows WINS names. Every time I try running make menuconfig, I get


make: *** No rule to make target `menuconfig'. Stop.


and when I try to reemerge gentoo sources, I get


* Messages for package sys-kernel/gentoo-sources-2.6.29-r5:

* If you are upgrading from a previous kernel, you may be interested
* in the following document:
* - General upgrade guide: http://www.gentoo.org/doc/en/kernel-upgrade.xml
>>> Auto-cleaning packages...

>>> No outdated packages were found on your system.

* GNU info directory index is up-to-date.

even though my kernel is a few minor revisions behind (2.6.24-r8)... I looked in /usr/src and saw that the /usr/src/linux symlink was still pointing to 2.6.24-r8, and not the new minor revision... portage did pull down the newer kernel, but didn't update the symlink (duh).
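The symlink problem above is easy to catch before running make menuconfig. The following is an added example (not from the blog post): a few POSIX shell functions that report where /usr/src/linux currently resolves, find the highest-versioned source tree portage has installed, and repoint the symlink, which is what Gentoo's `eselect kernel set` does. It assumes portage's `linux-<version>-gentoo-r<n>` directory naming and defaults the source directory to /usr/src; the directory argument exists so it can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the /usr/src/linux
# symlink points at the newest kernel source tree, and repoint it if it does not.
# Assumes portage's linux-<version>-gentoo-r<n> directory layout (constructed here).

# Print the highest-versioned linux-* tree under $1 (default /usr/src), absolute path
newest_kernel_tree() {
    ls -d "${1:-/usr/src}"/linux-* 2>/dev/null | sort -V | tail -n 1
}

# Print the absolute path the $1/linux symlink currently resolves to
current_kernel_tree() {
    src=${1:-/usr/src}
    target=$(readlink "$src/linux") || return 1
    case "$target" in
        /*) printf '%s\n' "$target" ;;        # absolute symlink
        *)  printf '%s\n' "$src/$target" ;;   # relative symlink, as portage/eselect create
    esac
}

# Exit status 0 when the symlink already points at the newest tree
symlink_is_current() {
    [ "$(current_kernel_tree "$1")" = "$(newest_kernel_tree "$1")" ]
}

# Repoint $1/linux at the newest tree using a relative link (needs root on a real box)
repoint_symlink() {
    src=${1:-/usr/src}
    newest=$(newest_kernel_tree "$src")
    [ -n "$newest" ] || return 1
    ln -sfn "$(basename "$newest")" "$src/linux"
}

# Usage on a live system: symlink_is_current || repoint_symlink
```

Run `symlink_is_current` before every kernel rebuild; when it fails, the `make menuconfig` "No rule to make target" error is exactly what you get from a symlink still pointing at a tree that depclean removed.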

I went back and modularized CIFS support, with the following options:


CIFS support (advanced network filesystem, SMBFS successor)
[*] CIFS statistics
[*] Extended statistics
[ ] Support legacy servers which use weaker LANMAN security (NEW)
[ ] Kerberos/SPNEGO advanced session setup (NEW)
[*] CIFS extended attributes
[*] CIFS POSIX Extensions
[*] Enable additional CIFS debugging routines
[ ] CIFS Experimental Features (EXPERIMENTAL) (NEW)

Currently I'm compiling the new kernel and will deploy it when it finishes. As of right now, I can mount the Windows share using mount -t cifs, but only using the IP address, and not the host name. I can also see my workgroup and computers in nautilus, but still can't access the Windows shares.

Hopefully the added CIFS support (namely CIFS extended attributes and CIFS statistics) will get me working all the way.

Sunday, June 21, 2009

FreeBSD

Got bored waiting for the Gentoo box to emerge and compile all the new packages, so...

Now I just need to familiarize myself with the different file structure, and get Gnome running faster. Install was comparatively painless, it did most of the hard part for me. First adjustment: no /etc/init.d, this is true blue Unix, so I'm looking at /etc/rc.d and /usr/local/etc/rc.d

Repositories

So I've got Samba server running flawlessly on my Gentoo box, but I'm still struggling to get the server to see my Vista machine's shares. I've approached this problem from two angles, the first trying to get nautilus to recognize smb:// shares and the second using smbclient to browse shares. I ensured that cifs support was enabled in the kernel (I think I'm going to go back and modularize it...) and after a little googling, I made sure that gnome-base/gnome-vfs was emerged. Even after that, and restarting X, I could not get nautilus to browse network shares. I next moved on to try smbclient (smbclient -L ). To aid in the process, I've set up an Ubuntu VM to test smbclient between the two *nixes, to ensure that the problem does not lie within the server's configuration.

The Ubuntu VM is able to access both the shares on the Gentoo machine and the Vista machine using nautilus, although accessing the Vista share is definitely cumbersome and seems to work inconsistently and I'm not entirely sure why. When using smbclient from the console on the Ubuntu box, I am able to scan the shares on the Gentoo box, however I first had to enable lanman auth and client lanman auth in the Ubuntu VM's smb.conf to connect to the server. I'm not really sure why the server is requesting lanman authentication, although maybe some sort of authentication/encryption is required by samba to connect to shares that don't use user-level security. Theoretically, no authentication should be necessary using smbclient since guests are allowed. I'm still digging to find the answer...

In the process, I definitely had one big *duh* moment. After changing my USE flags in /etc/make.conf to add samba, I wanted to ensure all packages now would support samba (particularly gnome). I ran emerge --update --deep --newuse world, only to get stopped immediately with a "masked package error," as well as an error stating that I needed to update portage. So I updated portage and ran emerge --update --deep --newuse world again, only to hit a brick wall trying to update /sys-lib/timezone-data. Portage could not find timezone-data-2008c. This seemed a bit odd to me, as obviously, it's now 2009, so why is portage trying to find a package marked 2008? So after a minute of twiddling my thumbs, I recalled having to always run 'apt-get update' on my Ubuntu laptop to update the repository tree... and I hadn't been doing the same on my gentoo machine with portage. AHA! Well, a simple emerge --sync should do the trick, and I should be home free!

Well, about this time, Charter decided to throw the Internet switch from "working" to "broken" for my router, and I couldn't pull down the new portage tree, at least not within a reasonable amount of time. After a failed rsync, I tried again (I was still getting about 40% of my packets through, and I really wasn't in the mood to call Charter), and got responses from the rsync server... all of which were 404. So instead of giving in and just calling Charter, I tried switching my SYNC parameter within /etc/make.conf to a different server, first to Georgia Tech's (biting my tongue... I'm a UGA grad) with no success. After having a near aneurysm due to frustration, I figured out that I needed to emerge mirrorselect and run mirrorselect -r -i to find a new server. I managed to find a new rsync server, but finally gave in and decided it was about time to call Charter, as I was now experiencing around 80% packet loss *grrr.

So I dialed up the dreaded 1-888 number, I repeatedly hit '0' and was patched right through to a representative who was very helpful, and in fact got a technician out to me in a matter of two hours (unprecedented for Charter!), who came out and checked my levels, reran a cable, and swapped out my dying Motorola Surfboard modem, and got me back on my feet- he didn't even bitch about me using a router!

So now I was able to successfully sync portage, and again, ran emerge --update --deep --newuse world only to get another error that I needed to add a USE flag to do that...

So I just did it the quick, temporary way, USE="###" emerge --update --deep --newuse world, and it worked... until I got smacked with another error: <sys-apps/man-pages-3 ("<sys-apps/man-pages-3" is blocking sys-apps/man-pages-posix-2003a). This forum post seemed to do the trick...

So that's where I am now, running a deep update with new use flags, hopefully not fruitlessly, currently on package 49 of 391. I guess at the very least, my server will be all up to date! More to come later....

Friday, June 19, 2009

Slowloris DoS

This looks like it could be some fun... and some trouble. As of yet, Apache has no patch. Too bad it doesn't work for IIS, however given my personal experience, IIS doesn't need a DoS attack to be brought down, just let it run for an hour, and it'll eventually crash

45 Seconds

The time it takes for my Gentoo box to cold boot.

I still need to time my Vista machine, but I imagine it won't be anywhere close!

Wednesday, June 17, 2009

POP vs IMAP

E-mail infrastructure has always been one of those things that I've never really taken the time to think about. You set up your client to use POP, or IMAP, or Exchange, and don't think twice about it. I've always been more familiar with how POP (post office protocol) works, as it is one of the oldest methods of e-mail retrieval, but IMAP has always been a bit more obscure to me, simply because I never really needed to use it because I always just used POP.

Well, after reviewing this article, I've learned that IMAP may in fact be the superior protocol, at least for my purposes. IMAP, unlike traditional POP, supports online processing, using a more interactive client-server model. The obvious advantage to IMAP is that it allows users to access their email from different machines at different times (similar to just using a web mail client), whereas the POP paradigm is best suited for individuals that use only one client computer all the time.

So next time, given the choice, I will opt for IMAP over POP.

SAMBA

So after completing my iptables exercise, I proceeded to work on configuring SAMBA, only to find that it was already configured how I wanted. I had forgotten that shortly after I finished installing Gentoo, I went ahead and used this Gentoo wiki article as well as this quick Gentoo how-to. I really only need a simple share between my Vista machine and my Gentoo box, as I don't have any printers installed on the gentoo machine, and I don't need granular permissions for the share as it is within my LAN.

One thing I did not do was learn how to effectively use CIFS and smbclient, so I'll have to familiarize myself with both and figure out how to mount and search samba shares.

On another note, I spoke with our web designer at work, and he shared with me that I should check out Inkscape, a free/open source vector graphics editor, similar to Adobe Illustrator. I really do need to familiarize myself with software such as this, as when it comes to web design, I am lacking most in creating and manipulating images.

He also pointed me to click2try.com, a pretty cool site with a bunch of hosted VMs, allowing users to try open source software for free, without having to install anything on the user's machine.

Monday, June 8, 2009

iptables complete

So after a weekend primarily away from my computer (probably for the better :-) I had the chance to sit down and work out iptables. Although the Gentoo Wiki article was helpful in getting the kernel configured correctly, I did not want to write an iptables start script- after all, iptables is a service, so why not utilize it as such? Instead, I used Linux Home Networking's tutorial to create my own firewall script, complete with logging. I was also fortunate to reference a pre-built firewall script, authored by a friend and coworker, that he uses as a standard template for all of his RHEL5 servers at UGA.

I created three chains, LOG_DROP, LOG_ACCEPT, and LOG_REJECT, to log packets when needed. I did not use LOG_DROP, nor LOG_REJECT (maybe in the future?), and instead am just using REJECT with --reject-with tcp-reset for TCP packets and icmp-port-unreachable for UDP packets to help mask the fact that I'm using a firewall. If the packets are simply dropped, it'd be pretty easy for an intruder to realize that I'm running a firewall because his packets would not result in the standard --tcp-reset or icmp-port-unreachable to indicate a nonexistent service. In the future, I may consider logging some of the rejected packets.

Right now the only services I am logging when accepted are SSH & SFTP (both use port 22), as logging every http request is impractical.

Unlogged accepts include http (port 80) and SAMBA (netbios-ssn, microsoft-ds, UDP 137 & 138). One key problem I had was allowing SAMBA to continue to work with the firewall enabled. With iptables running, I could only access my SAMBA shares by using the machine's IP, and not its hostname. While this problem was frustrating, it forced me to better manage my system by ensuring that samba was configured correctly (/etc/samba/smb.conf), my hostnames were set properly (it was not- only localhost was set in /etc/hosts), as well as resolv.conf (/etc/resolv.conf). This forum post eventually led me to realize that I needed to accept traffic on ports 137 & 138 on top of netbios-ssn (UDP 139), and microsoft-ds (TCP 445).

Further securing SAMBA, I specified the allowed source IPs on my network, both within smb.conf and iptables. If there's anything I've learned, it's that redundancy in terms of security is never a bad idea.

Below is a (modified) iptables firewall script:

#!/bin/bash

# Stateful firewall for hostname

########################
# Ethernet Information #
########################

# Device: lo
# IP: 127.0.0.1
# Hostname: localhost

# Device: eth0
# IP: 192.168.2.3
# Hostname: hostname

# Flush all tables
iptables -F

# Remove all non-default chains
iptables -X

#+-------------------------------+
#| Setup Firewall Process chains |
#+-------------------------------+

# Create a LOG_DROP chain for dropped incoming requests to be logged
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-level info --log-prefix "Firewall-LOG_DROP: "
iptables -A LOG_DROP -j DROP

# Create a LOG_REJECT chain for rejected incoming requests to be logged
iptables -N LOG_REJECT
iptables -A LOG_REJECT -j LOG --log-level info --log-prefix "Firewall-LOG_REJECT: "
iptables -A LOG_REJECT -j REJECT

# Create a LOG_ACCEPT chain for accepted incoming requests to be logged
iptables -N LOG_ACCEPT
iptables -A LOG_ACCEPT -j LOG --log-level info --log-prefix "Firewall-LOG_ACCEPT: "
iptables -A LOG_ACCEPT -j ACCEPT


# Accept all connections from localhost
iptables -A INPUT -i lo -j ACCEPT

# Accept reply packets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept PING requests
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#+-----------------------------------+
#| Accepted services that ARE Logged |
#+-----------------------------------+

#SSH & SFTP (TCP)
iptables -A INPUT -p tcp --dport ssh -j LOG_ACCEPT

#+---------------------------------------+
#| Accepted services that are NOT Logged |
#+---------------------------------------+
# HTTP (TCP)
iptables -A INPUT -p tcp --dport http -j ACCEPT

# HTTPS (TCP)
#iptables -A INPUT -p tcp --dport https -j ACCEPT

# TOMCAT (TCP)
#iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
# If we're only using TOMCAT (no apache), we can forward traffic to 8080
#iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 8080
#iptables -t nat -A OUTPUT -d hostname -p tcp --dport 80 -j REDIRECT --to-ports 8080
#iptables -t nat -A PREROUTING -d hostname -p tcp --dport 80 -j REDIRECT --to-ports 8080

# RAILS (TCP)
#iptables -A INPUT -p tcp --dport 3000 -j ACCEPT

# netbios-ssn (UDP)
#iptables -A INPUT -p udp --dport netbios-ssn -j ACCEPT
iptables -A INPUT -p udp --source 192.168.2.0/24 --dport netbios-ssn -j ACCEPT

# netbios-ssn (TCP)
#iptables -A INPUT -p tcp --dport netbios-ssn -j ACCEPT
iptables -A INPUT -p tcp --source 192.168.2.0/24 --dport netbios-ssn -j ACCEPT

# microsoft-ds (TCP)
#iptables -A INPUT -p tcp --dport microsoft-ds -j ACCEPT
iptables -A INPUT -p tcp --source 192.168.2.0/24 --dport microsoft-ds -j ACCEPT

# microsoft-ds (UDP)
#iptables -A INPUT -p udp --dport microsoft-ds -j ACCEPT
iptables -A INPUT -p udp --source 192.168.2.0/24 --dport microsoft-ds -j ACCEPT

# nmbd (UDP) required for SAMBA to send requests via broadcasting
iptables -A INPUT -p udp --source 192.168.2.0/24 --dport 137:138 -j ACCEPT
#iptables -A OUTPUT -p udp --dport 137:138 -j ACCEPT

# LOG & Drop malicious IPs
#iptables -A INPUT --source xxx.xxx.xxx.xxx -j LOG_DROP

# Reject remaining packets, do so with tcp-reset and icmp-port-unreachable
# so hackers don't know we're running a firewall
iptables -A INPUT -p tcp -i eth0 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i eth0 -j REJECT --reject-with icmp-port-unreachable

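Logging accepted SSH connections is only useful if someone reads the log, so here is an added example (not the blog's script, and not part of the original post) of the kind of summary a cron job could produce from the LOG_ACCEPT lines the script above writes to the kernel log. The log lines are constructed samples in the format the iptables LOG target emits; the prefix string and the 192.168.2.0/24 LAN range are the ones used in the firewall script, and "Firewall-LOG_DROP" / sshd lines are included to show they are ignored.

```shell
#!/bin/bash
# Added example, not part of the original post: summarise iptables LOG lines
# emitted by the LOG_ACCEPT chain of the firewall script above.

# Constructed sample kernel log lines (iptables LOG target format); not real traffic.
SAMPLE_LOG='Jun  8 21:14:02 hostname kernel: Firewall-LOG_ACCEPT: IN=eth0 OUT= SRC=192.168.2.5 DST=192.168.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  8 21:14:09 hostname kernel: Firewall-LOG_ACCEPT: IN=eth0 OUT= SRC=192.168.2.5 DST=192.168.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  8 21:15:31 hostname kernel: Firewall-LOG_ACCEPT: IN=eth0 OUT= SRC=10.0.0.77 DST=192.168.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40021 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Jun  8 21:15:40 hostname kernel: Firewall-LOG_DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.2.3 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=4 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  8 21:16:02 hostname sshd[1234]: Accepted publickey for user from 192.168.2.5 port 51234 ssh2'

# Read log lines on stdin; for lines carrying the given --log-prefix, count
# accepted SSH (DPT=22) packets per source address. Output: "<count> <src>",
# most frequent first.
ssh_accepts_by_src() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }          # only lines from the named chain
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {          # LOG fields are KEY=VALUE tokens
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dpt == "22" && src != "") count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -k1,1nr -k2,2
}

# Print every accepted SSH source that is NOT inside the LAN the script trusts
# (192.168.2.0/24); anything listed here deserves a look.
outside_lan() {
    ssh_accepts_by_src "$1" | awk '$2 !~ /^192\.168\.2\./ { print $2 }'
}

# Usage: on a live box replace the sample with `dmesg` or /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | ssh_accepts_by_src "Firewall-LOG_ACCEPT: "
printf '%s\n' "$SAMPLE_LOG" | outside_lan "Firewall-LOG_ACCEPT: "
```

Because the script only logs accepts on port 22, this stays small even on a busy web server; the same parser works unchanged on LOG_DROP or LOG_REJECT lines if those chains are put to use later, just by passing their prefix.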

I really enjoyed this project and learned a lot. After getting my basic firewall set up, I feel confident that I could do it again, now that I understand most of the iptables flags and commands. NAT translation and masquerading may be a project for a different day, but at least now I'm familiar with what they are and how they work.

Furthermore, I think this project will serve as a good segue into my next one, which is better learning SAMBA and how to configure it.

Wednesday, June 3, 2009

IPTables

It is high time I really sat down and figured out IPTables. Similar to my experience with SAMBA, I've used IPTables in the past, though I was more just shooting in the dark than masterfully configuring my ever-important firewall.

I think I'll get started on this first, as it is 1.) interesting 2.) important, and 3.) something I should have done a long time ago.

So, my initial project line-up as of right now is as follows:

1.) Learn how to properly and diligently manage iptables
2.) Explore SAMBA further and get it working pristinely at my home set up
3.) Set up SSHFS and figure out how to use keys instead of tunneled clear-text passwords

Some useful links to aid me in my quest:
Gentoo-Wiki HOWTO_IPtables_and_stateful_firewalls
IP Tables Tutorial

SSHFS

This looks like something that could be useful. Looks like it is easier to set up than NFS or SAMBA, maintains a secure connection over SSL, and is cross-platform compatible (though could be tricky with Windows). I've always wrestled with getting SMB to work correctly at home, there are just so many configurable options, and I've never really taken the time to sit down and learn what all can be accomplished. Maybe that'll be a future blog post...

I'll have to put this on my Gentoo box when I get home to test it out with an Ubuntu VM. The challenge will be figuring out how to script it to use keys instead of passwords so it automatically starts every time the OS starts, although LinuxJournal seems to have a nice tutorial on how to do this.

Thanks to Michael H for the tip and links

Tuesday, June 2, 2009

Up to Speed

So over a year after my last post, I figured it may be time to reinvigorate this blog. For whatever poor soul happens to stumble across this blog, I apologize in advance for its discontinuity, potential esoteric jargon perhaps only discernible to myself (I tend to occasionally make up words), and its unscientific approach. Honestly, I am using this blog more for my own personal benefit than anything else, as any other intended use seems fruitless and narcissistic.

That being said, this past year I've been keeping busy finishing up school, work, and side projects. As hinted by the title, I've been monkeying around with a bunch of different projects since the end of that MIST directed study in Adobe Air. Some of the projects I've undertaken, finished, or abandoned in the past year are as follow:
  • Built a new Desktop at home after my crappy video card crapped out (who'da thunk)
    • AMD Athlon 64 X2 Brisbane Dual Core 2.7GHz
    • Gigabyte GA-MA78GM-S2HP AM2+/AM2 780G HDMI Micro ATX Motherboard
    • 4GB DDR2 800 (PC6400) Dual Channel RAM
    • RAIDMAX Hybrid 2 RX-530SS Power Supply CrossFire ready
    • WD 500GB SATA II HD 7200RPM
    • WD 320GB SATA II HD 7200RPM
    • NEC 16x DVD-RW
    • ROSEWILL CD-RW/DVD-R
    • ATI TV WONDER ELITE
    • Windows Vista Professional Yeah, yeah, I know...

  • Installed Gentoo Linux Kernel 2.6.24 on Dell Optiplex GX270
    • Apache 2.2.1 compiled from source
    • MySQL 8.42 compiled from source
    • PostgreSQL 8.3.3 compiled from source
    • PHP 5.2.6 compiled from source
    • Gnome 2.20.3
  • Reengineered SMIS web site
  • Reengineering Atlantatrains web site
  • Learned well-formed DOM manipulation with AJAX (no more innerHTML!)
  • Update of UGA Franklin College OIT Project Log Tool
  • Using pdftk to generate and fill PDFs
  • Using AutoSuggest for AJAX autocompleting forms
  • Projects completed for CSCI 4300 Web Programming Course:
    • XSL style formatting
    • XML Schema and DTD
    • Created a simple ticketing system in Ruby on Rails
    • Created a simple bulletin board using Java servlets and MVC
    • Basic ANT build file syntax and usage
  • Scriptaculous sortable
  • Prototype AJAX handling
  • Set up and experimented with Subversion and TortoiseSVN on RHEL5
  • iDeneb OSX dual boot abandoned

Future projects that I hope to document using this blog include (but are not limited to):
  • Setting up OSX within VMWare Workstation (I hear it's a doozy)
  • Playing with netBSD, freeBSD, and freeBSD jail within Vmware
  • Installing Oracle Express within a VM
  • Monkeying around with Sun's VirtualBox
  • Potential Projects Courtesy of Microsoft DreamSpark:
    • MS SQL Server 2008
    • MS Virtual PC
    • MS Windows Server 2008
  • Java servlets and Struts
  • Apache Modrewrite
  • Continue learning Regex!
Only time will tell how disciplined I'll be in documenting these projects, but hopefully I will be!