<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>Linux Coaching</title>
    <link rel="alternate" type="text/html" href="http://linuxcoaching.ie/linux_coaching/" />
    <link rel="self" type="application/atom+xml" href="http://linuxcoaching.ie/linux_coaching/atom.xml" />
    <id>tag:linuxcoaching.ie,2009-03-30:/linux_coaching/1</id>
    <updated>2010-03-29T12:13:39Z</updated>
    <subtitle>Making Open Source Software Work For You.</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 4.25</generator>

<entry>
    <title>Going SSL With Evolution</title>
    <link rel="alternate" type="text/html" href="http://linuxcoaching.ie/linux_coaching/2010/03/going-ssl-with-evolution.html" />
    <id>tag:linuxcoaching.ie,2010:/linux_coaching//1.30</id>

    <published>2010-03-27T18:39:59Z</published>
    <updated>2010-03-29T12:13:39Z</updated>

    <summary>You may have followed my advice I gave in an earlier posting to set up a secure email server that will allow clients to fetch their email from the server only if they present a valid SSL certificate in addition...</summary>
    <author>
        <name>Ralph</name>
        <uri>http://kerry-linux.ie</uri>
    </author>
    
        <category term="Cryptography" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Open Source" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://linuxcoaching.ie/linux_coaching/">
        <![CDATA[You may have followed <a href="http://linuxcoaching.ie/linux_coaching/2009/11/fetch-your-email-through-a-secure-tunnel.html">
the advice I gave in an earlier posting</a> to set up a secure email server that lets clients fetch their email only if they present a valid SSL client certificate in addition to the usual password for the mailbox user. The most appealing aspect of this approach is that once the system has been set up, the client user, who already has his certificate stored on his laptop, just provides the password as usual. The solution puts no additional burden on the user, and at the same time it ensures that the email travels encrypted from the mail server to the laptop. A clear boost in security, fine.<br /><br />The only problem is that the email client software must be capable of establishing an SSL connection using the user's certificate, and not every prominent email client can do that. In my case I fetch my email from the server with fetchmail, because I want to archive all incoming email.<br />But email clients usually fetch mail on their own account, so being unable to establish such an SSL connection could clearly ruin the new approach.<br /><br />

<h3>What's Written On The Tin?</h3>
As a consequence I was very surprised to learn that Evolution, generally celebrated as the Outlook killer, is actually one of those culprits. Googling for a solution I came across some well-intended advice to "just" import my certificate using the pertinent buttons in Evolution. That takes a little openssl work to combine the separate cert and key files into a single PKCS#12 (p12) file, but it does not solve the problem at all: Evolution uses imported certificates to sign messages a user sends to other people, yet it still refuses to use such a certificate to establish an SSL connection to the mail server. Strange, but true.<br /><br /><br />

<h3>Let The Expert Do The Connecting</h3>

Fortunately there is a small but powerful piece of software, called STUNNEL, that is rapidly becoming my favourite tool in such situations. Its job is to accept plain connections on one port and forward them to an entirely different port on a different computer, establishing a proper SSL connection with the certificate and key named in a single configuration file. From the remote server's perspective it looks as if some SSL-capable software had connected, while in fact any non-SSL-aware program is using stunnel to do the hard work.<br />
That program could as well be Evolution, right?

Let's have a look at the simple config file for stunnel:<br /><br />
<div class="code">
debug = 7<br />
output = /secure/stunnel/logfile<br />
pid = /secure/stunnel/stunnel.pid<br />
<br />
[imaps]<br />
accept  = laptop.kerrylinux.ie:143<br />
connect = mail.kerrylinux.ie:993<br />
; without a verify level stunnel would accept any server certificate<br />
verify  = 2<br />
CAfile  = /etc/pki/tls/cert.pem<br />
cert    = /secure/stunnel/joe@kerrylinux.ie.cert<br />
key     = /secure/stunnel/joe@kerrylinux.ie.key<br />
CRLfile = /secure/stunnel/CRL.pem<br />
client = yes<br />
</div>

<br />Essentially, the "normal" IMAP port 143 on the laptop becomes the entrance to the tunnel: Evolution talks plain IMAP to it, and stunnel carries that session over SSL to the real IMAPS server on port 993. All certs and keys are stored in a secure place on the laptop. Two settings deserve a second look. Stunnel only checks the server's certificate if a verify level is set (verify = 2 validates it against CAfile, and only then is the CRL in CRLfile consulted); without it any server answering on port 993 would be accepted. And the address in the accept line should be a loopback address such as 127.0.0.1, because the connection between Evolution and stunnel is unencrypted and must not be reachable from the network.<br /><br />
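The two checks just mentioned can be automated. The following script is an added example, not code from the original post or from the stunnel project: it parses an stunnel configuration (global options followed by [service] sections, using stunnel 4.x option names) and reports every service that has no verify level, an accept address that is not loopback, or no client = yes. The two sample configurations it writes are constructed here: the first is the config from this post as written, the second has the two fixes applied.

```shell
#!/bin/sh
# Added example, not from the original post: a small lint for stunnel client
# configs. It flags the settings that silently weaken the tunnel described
# above: a missing "verify" level (stunnel then accepts any server certificate,
# so CAfile and CRLfile are never consulted), an "accept" address that is not
# loopback (the plaintext leg becomes reachable from the network) and a missing
# "client = yes". Option names are those of stunnel 4.x; the samples are made up.

# stunnel_lint FILE: print one finding per line for every [service] section
stunnel_lint() {
    awk '
    function trim(s) { sub(/^[ \t\r]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    function has(k) { return (k in opt) || (k in gopt) }          # service or global option
    function val(k) { return (k in opt) ? opt[k] : gopt[k] }
    function report(   k) {
        if (section != "") {
            if (!has("verify"))
                print section ": no verify level, server certificate is not checked (CAfile/CRLfile unused)"
            if (("accept" in opt) && opt["accept"] !~ /^(127\.0\.0\.1|localhost|\[::1\]):[0-9]+$/)
                print section ": accept=" opt["accept"] " is not loopback, plaintext side reachable over the network"
            if (!(has("client") && val("client") == "yes"))
                print section ": client = yes missing, stunnel would run in server mode"
        }
        for (k in opt) delete opt[k]
    }
    {
        line = trim($0)
        if (line == "" || line ~ /^[;#]/) next                      # blank or comment
        if (line ~ /^\[.*\]$/) { report(); section = substr(line, 2, length(line) - 2); next }
        eq = index(line, "=")
        if (eq == 0) next
        key = trim(substr(line, 1, eq - 1)); v = trim(substr(line, eq + 1))
        if (section == "") gopt[key] = v; else opt[key] = v
    }
    END { report() }
    ' "$1"
}

# stunnel_finding_count FILE: number of findings (0 means the config is clean)
stunnel_finding_count() {
    stunnel_lint "$1" | wc -l | tr -d ' '
}

# constructed sample 1: the config from the post, as written
BAD=$(mktemp)
cat > "$BAD" <<'EOF'
debug = 7
output = /secure/stunnel/logfile
pid = /secure/stunnel/stunnel.pid

[imaps]
accept  = laptop.kerrylinux.ie:143
connect = mail.kerrylinux.ie:993
CAfile  = /etc/pki/tls/cert.pem
cert    = /secure/stunnel/joe@kerrylinux.ie.cert
key     = /secure/stunnel/joe@kerrylinux.ie.key
CRLfile = /secure/stunnel/CRL.pem
client = yes
EOF

# constructed sample 2: the same service with verify = 2 and a loopback accept
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
debug = 7
output = /secure/stunnel/logfile
pid = /secure/stunnel/stunnel.pid
client = yes

[imaps]
accept  = 127.0.0.1:143
connect = mail.kerrylinux.ie:993
verify  = 2
CAfile  = /etc/pki/tls/cert.pem
cert    = /secure/stunnel/joe@kerrylinux.ie.cert
key     = /secure/stunnel/joe@kerrylinux.ie.key
CRLfile = /secure/stunnel/CRL.pem
EOF

echo "--- as posted:"; stunnel_lint "$BAD"
echo "--- fixed:";     stunnel_lint "$GOOD"; echo "findings: $(stunnel_finding_count "$GOOD")"
```

On the posted config it reports two findings for [imaps] (no verify level, accept not loopback); the fixed version reports none. Setting verify = 2 makes stunnel validate the server certificate against CAfile, and a CRL in CRLfile is honoured only then; binding accept to 127.0.0.1 keeps the unencrypted IMAP leg on the laptop.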

<h3>Getting Evolution To Use The Tunnel</h3>

The remote mail server mail.kerrylinux.ie would normally be listed as the server under "Receiving Email". Now you just replace this entry with the laptop's own name (whatever address you put in the accept line) and make sure that "No encryption" is selected. Remember it is STUNNEL's job to perform the SSL encryption, not Evolution's.<br /><br />
"Yes, but it should be Evolution's", I can hear you say. You're right, but even if the Evolution team decides to improve their software in future, this solution will work for every other non-SSL-capable email client as well, and that's the reason why I told you how to do it.]]>
        
    </content>
</entry>

<entry>
    <title>Tracking Down A Suspected &quot;Backdoor&quot;</title>
    <link rel="alternate" type="text/html" href="http://linuxcoaching.ie/linux_coaching/2010/01/tracking-down-a-suspected-backdoor.html" />
    <id>tag:linuxcoaching.ie,2010:/linux_coaching//1.29</id>

    <published>2010-01-29T08:08:49Z</published>
    <updated>2010-02-11T06:40:16Z</updated>

    <summary>After having installed an open source online-shop software on a VPS I had to suffer a hefty delay following the login as administrator until eventually the control panel appeared on the screen. Despite of this admin login problem the software...</summary>
    <author>
        <name>Ralph</name>
        <uri>http://kerry-linux.ie</uri>
    </author>
    
        <category term="Behind the Curtains" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Open Source" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://linuxcoaching.ie/linux_coaching/">
        <![CDATA[After having installed an open source online-shop software on a VPS I had to suffer a hefty delay after logging in as administrator until eventually the control panel appeared on the screen. Despite this admin login problem the software ran fast and responsive, but the admin login, which would normally take only 2 seconds, took more than two minutes to complete.<br /><br />

<img src="http://linuxcoaching.ie/linux_coaching/assets_c/2010/01/img13-thumb-400x232-39.jpg" alt="img13.jpg" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="232" width="400" />
<p>Possible causes for this problem are manifold: a misplaced configuration option, a software bug, a missing software component, many things are conceivable.</p>
<p>What raised my suspicion was the fact that the problem seemed to occur only at the administrator login. Well, I hadn't created any other users yet, so it may well occur for new users as well.</p>
<h3>The Hunt</h3>

Actually there were two separate delays after I typed the admin password, with a little bit of activity in between. It looked like a time-out, so I shut down the VPS's firewall and the problem was gone. At this point it was clear that some network activity took place which was normally blocked by the firewall. To find out what was going on I used the wonderful network analysing tool wireshark (or its command-line twin tshark) to capture the network packets after login. It turned out that the VPS initiated an http and a second https connection to a server within the domain of the online-shop's original vendor. <br /><br />I know it's only me who tends to think of a possible backdoor, a piece of software "calling home" to report something, in such a case. But at this point I wanted to find out what was going on behind the scenes, and out of sheer curiosity I started to poke into the source code for more informative evidence. As you may imagine, looking for "http" in the source code revealed tons of references, mostly inactive links to the vendor's homepage. More extensive filtering brought a function "load_xml_file" to light that was used to download a file containing only innocent version information in XML format, which could as well be part of the distribution and stored locally.<br /><br />

<h3>Benefits of Open Source</h3>

The vendor had decided to download this file so that the online-shop software automatically becomes aware of a new version once it is released. Of course this is a legitimate intention, but it would force the shop operator to allow outgoing connections from the server machine to avoid the timeout penalty, which could open up another can of worms for other applications. (The two-minute delay itself is typical of a firewall that silently drops outgoing packets; a rule that rejects them with an ICMP error makes such a call fail at once, which is far easier to spot.) I decided to change the source code to load the information from local files instead of the vendor's homepage and turned my restrictive firewall on again. <br /><br />This is exactly the flexibility and reliability one gets with open source software, which would never, ever be possible with proprietary solutions. People often say nobody looks at the source code, which is true for many open source programs, but with proprietary products you would not even have the chance to take the approach described above, because you are at the vendor's mercy to accept whatever the program actually does. <br /><br />The freedom to change the code is a benefit that can hardly be overestimated.<br /><br /> ]]>
        
    </content>
</entry>

<entry>
    <title>Celebrating Expiration Day</title>
    <link rel="alternate" type="text/html" href="http://linuxcoaching.ie/linux_coaching/2010/01/celebrating-expiration-day.html" />
    <id>tag:linuxcoaching.ie,2010:/linux_coaching//1.25</id>

    <published>2010-01-02T16:53:16Z</published>
    <updated>2010-01-24T21:31:50Z</updated>

    <summary>On the last day of the year my email stopped coming in. You may have read about my approach to fetch my email using a secure tunnel that uses SSL certificates in addition to a password to access my email....</summary>
    <author>
        <name>Ralph</name>
        <uri>http://kerry-linux.ie</uri>
    </author>
    
        <category term="Behind the Curtains" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Cryptography" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="rootkey" label="root key" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://linuxcoaching.ie/linux_coaching/">
        <![CDATA[On the last day of the year my email stopped coming in. You may have read about <a href="http://linuxcoaching.ie/linux_coaching/2009/11/fetch-your-email-through-a-secure-tunnel.html">my approach to fetch my email using a secure tunnel </a> that uses SSL certificates in addition to a password to access my email. Well, on the last day of the year my ROOT CERTIFICATE, which I use for Kerry Linux, had expired after five years. Time flies by.

<br /><br />As I had other plans for the days ahead I thought I would just renew the root certificate to buy time, but my attempts to renew it did not result in a new usable certificate to replace the old one. My user certs, which are not up for expiration yet, could not be reanimated with a quick fix like that.

<br /><br />After a while I thought there must be a reason for that, and I began to think about root certificates more thoroughly. In the past five years we have definitely seen the crackdown on MD5, and SHA-1 is not invincible either. Would it not be prudent to increase the key length, use a more secure (i.e. longer) hash and go through the trouble of creating a new root key and issuing new user certs? I decided to go down that route and created <a href="http://linuxcoaching.ie/linux_coaching/kerry-linux-certification-center---root-certificate.html">a fresh new CA root key with 4096 bits</a> for the Kerry Linux Certification Center. Although my openssl software only permits SHA-1, which is a pity, I felt content and everything was up and running for me in an hour or so.

<h3>Re-Animation of the old ROOT KEY</h3>

After a while I began to wonder whether it was possible to reanimate the old key, and out of curiosity I explored the way to do it in more detail. <a href="http://marc.info/?l=openssl-users&amp;m=113292902213919&amp;w=2">I googled and found this nice posting by Arsen Hayrapetyan</a>, which led me to success.

My former attempts to recreate the old certificate always led to the following error message when I tried to verify a user's certificate:
<p>
</p><div class="code">
openssl verify -verbose -CAfile KLCC-2010.pem support@kerrylinux.ie.cert<br />
</div>
<div class="output">
support@kerrylinux.ie.cert:<br />/C=IE/ST=Ireland/L=Kerry/O=Kerry Linux/CN=support@kerrylinux.ie/emailAddress=support@kerrylinux.ie<br />
error 20 at 0 depth lookup:unable to get local issuer certificate<br />
</div>
<br />
Unable to get the issuer certificate? I had supplied one on the command line, but it was not accepted as the issuer of the user cert.
<p>
So I followed Arsen's hints and built a testbed for an experiment. I set the serial number back to 00 and emptied the file "index.txt", so that my new certificate could inherit the properties of the old one, including its serial number. Then I created a new certificate request from the old root certificate "cacert.cert" and signed this request with the old key. The serial number matters because the user certs carry an authority key identifier naming the issuer's key, name and serial number: a renewed root certificate is only recognised as their issuer if it is signed by the same key and carries the same subject and serial number as the old one.
</p><p>
</p><div class="code">
openssl x509 -x509toreq -in cacert.cert -signkey private/cakey.pem \<br />
-out certreq.csr<br />
<br />openssl ca -config KLCC.cnf  -in certreq.csr -out cacert_renewed.pem \<br />
-keyfile private/cakey.pem -cert cacert.cert -extensions v3_ca
</div>
<p><br />
The result was a new root certificate "cacert_renewed.pem" that verified my old user certs
perfectly.
</p><p>
</p><div class="output">
openssl verify -verbose -CAfile cacert_renewed.pem \<br />support@kerrylinux.ie.cert <br />
support@kerrylinux.ie.cert: OK<br />
</div>
<p><br />
It's good to have an alternative, isn't it?
</p>]]>
        
    </content>
</entry>

<entry>
    <title>Using Big Files As Hard Disks</title>
    <link rel="alternate" type="text/html" href="http://linuxcoaching.ie/linux_coaching/2009/12/using-big-files-as-hard-disks.html" />
    <id>tag:linuxcoaching.eu,2009:/linux_coaching//1.24</id>

    <published>2009-12-01T06:34:10Z</published>
    <updated>2009-12-01T06:04:31Z</updated>

    <summary> The XEN hypervisor uses big files (a couple of gigabytes) as filesystem images for virtual machines. Unlike other virtualisation solutions XEN does not impose its own internal structure on the image file. The big file simply has to contain...</summary>
    <author>
        <name>Ralph</name>
        <uri>http://kerry-linux.ie</uri>
    </author>
    
        <category term="Behind the Curtains" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="System Administration" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Virtualisation" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://linuxcoaching.ie/linux_coaching/">
        <![CDATA[ The XEN hypervisor uses big files (a couple of gigabytes) as filesystem
images for virtual machines. Unlike other virtualisation solutions XEN
does not impose its own internal structure on the image file. The big
file simply has to contain an ordinary ext3 filesystem and, optionally, 
a partition table just as if it were a real hard disk. 

The ability to use big files as hard disks comes in handy if you are
running short of space on your main hard disk. With an external hard
disk you should be well prepared to run a number of virtual machines
as big files.

However, having the filesystem of a virtual machine in a big file 
raises the question of how to boot the virtual machine. 
Essentially there are two options to do that:<br /><br /><ol>
 <li> Provide the VM's kernel and the init-ramdisk, which are usually stored
    inside the filesystem (in the /boot directory), as separate files
    together with the big file, and modify the VM's configuration to use
    them.
<p>
</p></li><li> leave the kernel and the init-ramdisk in the big file and provide
    a working boot sector that accesses the kernel inside the big file,
    using the native XEN pygrub bootloader to start the virtual machine.
</li></ol>

Both options require that the big file is associated with a real, special
device file (e.g. /dev/loop0) in order to create a filesystem on the big file.
While for the first option it is sufficient to simply connect the big file 
with the loop device, using the "losetup /dev/loop0 bigfile" command, the
second option is much more complex, as the big file has to be partitioned like
an ordinary hard disk before the filesystem can be created.<br /><br />For the rest of this article we will focus on the second option which is much
more appealing as everything is kept inside the big file. I will show you how
exactly the big file is turned into a virtual hard disk and how you can access
and modify the information stored in the virtual machine's own filesystem.<br /><br />

<h3>Getting Partitions And Filesystem Sizes Sorted</h3>

Our journey through the big file's internal structure naturally begins with
the creation of the big file.<br /><br />

<div class="code">
   dd if=/dev/zero of=bigfile bs=1M count=3950<br />
</div>

<br />As a second step we use this chunk of 4141875200 bytes to act as a hard disk 
and try to partition the bigfile as usual:<br /><br />

<div class="code">
   <br />losetup /dev/loop0 bigfile<br />
   fdisk /dev/loop0<br />
</div>
<div class="output">
   <br />Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel<br />
   Building a new DOS disklabel. Changes will remain in memory only,<br />
   until you decide to write them. After that, of course, the previous<br />
   content won't be recoverable.<br />
<br />
   Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)<br />
<br />
   Command (m for help): 
   </div>

<br />As expected, the fdisk program throws a number of warnings at us,
because we have given it a big file instead of a real hard disk.
But let's see in detail how fdisk sees our new hard disk:<br />

<div class="output">
Disk /dev/loop0: 4141 MB, 4141875200 bytes<br />
255 heads, 63 sectors/track, 503 cylinders<br />
Units = cylinders of 16065 * 512 = 8225280 bytes<br />
<br />
      Device Boot      Start         End      Blocks   Id  System<br />
</div>

<br />Obviously there is no partition table yet, but the program assumes that the 
big file represents a hard disk with 255 heads and 63 sectors of 512 bytes
data each. Every cylinder of our virtual hard disk is made of 
255 x 63 x 512 bytes = 8225280 bytes which represents the units in which we
can chop the hard disk space into partitions now. All in all there are
503 cylinders in our virtual hard disk which makes a total of 
503 x 8225280 bytes = 4137315840 bytes to spend on partitions. 

<br /><br />But wait, didn't we create 4141875200 bytes in the first place? That's
4559360 bytes less than what we had originally. Well, this loss is due to
the fact that for the 504th cylinder we'd need 8225280 bytes which we don't
have, so this loss is inevitable. But the important consequence of this 
reduction of space is that we cannot create a filesystem on the whole bunch
of data we supplied. At the moment the size of our filesystem is not 
determined at all.

The next step is to create a new primary partition inside our big file using
all the space we have:<br /><br />

<div class="output">
    Disk /dev/loop0: 4141 MB, 4141875200 bytes<br />
    255 heads, 63 sectors/track, 503 cylinders<br />
    Units = cylinders of 16065 * 512 = 8225280 bytes<br />
<xmp>
       Device Boot      Start        End      Blocks   Id  System
/dev/loop0p1               1         503     4040316   83  Linux
</xmp>
</div>

<br />After having written the partition table to the big file, have you checked for
the new device file /dev/loop0p1? Don't worry, it does not exist!
Adding p1 to the disk label is fdisk's way of denoting partitions; that
does not mean you'll find such a thing in the /dev directory. (Newer util-linux
versions can create such partition devices with "losetup -P", and kpartx does the
same, but the offset arithmetic below works everywhere.)<br /><br />

<h3>Poking Inside The Big File </h3>

From the partition table you can see that 4040316 blocks have been allocated
for the new partition. With each block storing 1024 bytes we now know our first 
partition size, it's 4040316 x 1024 bytes = 4137283584 bytes. This is another
number we never saw before! After having written off some 4.5 megabytes 
because we cannot use half a cylinder, we now face another loss of exactly
4137315840 - 4137283584 = 32256 bytes.

<br /><br />Of course these 32256 bytes at the beginning of the big file are there for a
purpose: the first sector holds the master boot record with the partition table,
and the rest of the first track is left free (GRUB legacy stores its stage 1.5
there). Our first partition begins right after this amount of data, at an offset
of 32256 bytes inside the big file. The amount of 32256 bytes results from the
fact that one track (63 sectors of 512 bytes for one head) is set aside for the
boot record.

Now it's time to use a second loop device (/dev/loop1) to poke inside the
big file at exactly the point where our first partition begins and create
a new filesystem there:<br /><br />

<div class="code">
    losetup -o 32256 /dev/loop1 bigfile<br />
    mkfs -t ext3 -c /dev/loop1 4040316<br />
</div>

<br />It's essential that we supply the number of blocks as a parameter to the 
mkfs command (without a -b option mkfs takes this number in units of 1K) to
ensure that our new filesystem on the first partition fits exactly into the
space we have allocated. Without this parameter our filesystem would become too
big, because the 4.5 megabytes beyond the end of the first partition would be
used for the filesystem too, and when the virtual machine uses the filesystem
its actual size would conflict with the numbers in the partition table. Either
the partition table or the filesystem's superblock would be lying, which will
cause distress for a virtual machine that expects a consistent filesystem to
operate on.<br /><br />
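As an added example, not part of the original article, here is the cylinder arithmetic above as shell functions. They compute, for an image of any size and a partition spanning any range of cylinders, the number of usable cylinders, the losetup offset and the block count to hand to mkfs, and print the two commands. The only assumption is the geometry fdisk assumed above (255 heads, 63 sectors per track, 512-byte sectors); the block count stays in 1K units, as the article's mkfs call does.

```shell
#!/bin/sh
# Added example, not from the original article: the CHS arithmetic as functions,
# so offsets and block counts can be derived for any image size and any
# start/end cylinder before losetup or mkfs touch the file. Assumes the geometry
# fdisk used in the article: 255 heads, 63 sectors per track, 512-byte sectors.
HEADS=255; SPT=63; SECTOR=512

cyl_bytes()    { echo $((HEADS * SPT * SECTOR)); }                   # 8225280 bytes per cylinder
cylinders()    { echo $(( $1 / (HEADS * SPT * SECTOR) )); }          # whole cylinders in $1 bytes
usable_bytes() { echo $(( $(cylinders "$1") * HEADS * SPT * SECTOR )); }
lost_bytes()   { echo $(( $1 - $(usable_bytes "$1") )); }            # the partial cylinder at the end

# fdisk keeps the first track (63 sectors) for the MBR, so a partition that
# starts at cylinder 1 begins at sector 63; later cylinders start on the boundary
part_start_sector() { if [ "$1" -eq 1 ]; then echo "$SPT"; else echo $(( ($1 - 1) * HEADS * SPT )); fi; }
part_end_sector()   { echo $(( $1 * HEADS * SPT - 1 )); }
part_offset()       { echo $(( $(part_start_sector "$1") * SECTOR )); }              # byte offset for losetup -o
part_blocks()       { echo $(( ( $(part_end_sector "$2") - $(part_start_sector "$1") + 1 ) * SECTOR / 1024 )); }  # 1K blocks for mkfs

# plan IMAGE_BYTES START_CYL END_CYL: print the commands that make the filesystem fit exactly
plan() {
    size=$1; s=$2; e=$3
    max=$(cylinders "$size")
    [ "$e" -le "$max" ] || { echo "end cylinder $e exceeds $max" >&2; return 1; }
    echo "# image: $size bytes = $max cylinders of $(cyl_bytes) bytes, $(lost_bytes "$size") bytes unusable"
    echo "losetup -o $(part_offset "$s") /dev/loop1 bigfile"
    echo "mkfs -t ext3 /dev/loop1 $(part_blocks "$s" "$e")"
}

plan 4141875200 1 503     # the article's 3950 MiB image (dd bs=1M count=3950)
```

Running it with the article's numbers reproduces 503 cylinders, an offset of 32256 and 4040316 blocks. For a second partition starting at cylinder 2 the start sector lies on the cylinder boundary, so part_offset 2 is exactly one cylinder (8225280 bytes) into the file, and plan refuses an end cylinder beyond the 503 the image holds.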


<h3>Writing The Master Boot Record</h3>

You can fill up the filesystem with whatever carefully selected quality open
source software you can find on the planet, but in the end we need to write
the new virtual disk's master boot record to boot the jewel. There is one step
of preparation to be done before we can use the grub shell to write the MBR.
We have to make a symbolic link named /dev/loop to the device that points to
the master boot record, that is to the beginning of the big file, /dev/loop0
in the example above.<br /><br /><div class="code">
   grub&gt;  device (hd0) /dev/loop<br />
   grub&gt;  root (hd0,0)<br />
   grub&gt;  setup (hd0)<br />
   grub&gt;  quit<br />
</div>

 <br />Now your spick-and-span virtual hard disk is ready to boot.<br />]]>
        
    </content>
</entry>

<entry>
    <title>Fetch Your Email Through A Secure Tunnel</title>
    <link rel="alternate" type="text/html" href="http://linuxcoaching.ie/linux_coaching/2009/11/fetch-your-email-through-a-secure-tunnel.html" />
    <id>tag:linuxcoaching.eu,2009:/linux_coaching//1.23</id>

    <published>2009-11-09T11:04:26Z</published>
    <updated>2009-11-09T11:13:24Z</updated>

    <summary> Current Phishing Attacks In early October when news came up that quite a lot of Hotmail and Gmail accounts had been compromised by phishers who tricked users into using a faked login page the general advice for scared users...</summary>
    <author>
        <name>Ralph</name>
        <uri>http://kerry-linux.ie</uri>
    </author>
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="System Administration" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="dovecot" label="dovecot" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="fetchmail" label="fetchmail" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="ssl" label="SSL" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://linuxcoaching.ie/linux_coaching/">
        <![CDATA[ <h3>Current Phishing Attacks</h3>

In early October, when news came up that quite a lot of Hotmail and Gmail accounts had been compromised by phishers who had tricked users into using a faked login page, the general advice for scared users was: "change your email password immediately".<br />
Although nobody really knew how the email passwords published on the internet had been gathered, it became common knowledge that only those users who had used the phishing sites to log into their email accounts were affected. Everybody else whose account was not blocked by the email providers started to feel safe again.
<p>
The fundamental problem with email is that access to the mail account is only protected by a password, and that every time a user fetches his email from the internet service provider (ISP), his password is transmitted to the mail server in clear text. To improve the situation email service providers are beginning to use opportunistic TLS, a method to encrypt traffic between mail servers. In this case encryption is used if the other mail server supports it, and in a perfect world mail would always travel encrypted to the user's mail server.<br />
But opportunistic TLS does not solve the user's problem, as almost all the email software he actually uses relies on a password alone to access an email account.

</p><h3>The Perfect Mail Server</h3>
In fact, what we have to do is to make sure that email is properly encrypted while the user
fetches it from his email account, and that the mail server establishes a connection only if the person trying to get the mail is able to present more information than a password. This configuration would not only protect the email content and the password
during transmission, it would as well ensure that someone only knowing the password would never be able to establish a connection to the mail server.
<p>
Fortunately this can be achieved without an additional burden on the user, because we only need a careful setup on the server side and provide the user with the additional information (a secret key) which has to be stored safely on the computer that initiates the mail transfer for her.  

</p><h3>Setting Up A Secured Mail Domain</h3>

Let's start with the mail server configuration, which in my case is dovecot 1.0.7 on a CentOS server. I will show you how to configure dovecot to provide the mailboxes of system users in a secure way. I assume that the firewall on the mail server is open for incoming mail on port 25 and that it accepts secure IMAP (IMAPS) connections on port 993 and secure POP3 (POP3S) connections on port 995, the ports used by the imaps and pop3s protocols configured below. 

<p>
This is the essential part of the "dovecot.conf"  file I use for secure IMAP access: <br />
(I discuss the relevant parts of the configuration only)
</p><div class="output">
protocols = imaps pop3s<br />
listen = [::]<br />
<br />
ssl_disable = no<br />
verbose_ssl = yes<br />
<br />
ssl_cert_file = /kx/dovecot/mail.kerrylinux.ie.cert<br />
ssl_key_file = /kx/dovecot/mail.kerrylinux.ie.key<br />
ssl_ca_file = /kx/dovecot/kxCAcrl-bundle<br />
ssl_verify_client_cert = yes<br />
<br />
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%n<br />
<br />
auth default {<br />
  &nbsp;&nbsp;mechanisms = plain<br />
  &nbsp;&nbsp;passdb passwd-file {<br />
     &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  args =  /kx/dovecot/%d/imap.shadow<br />
  &nbsp;&nbsp;}<br />
  &nbsp;&nbsp;userdb passwd-file {<br />
     &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  args = /kx/dovecot/%d/imap.passwd<br />
  &nbsp;&nbsp;}<br />
&nbsp;&nbsp;ssl_require_client_cert = yes<br />
}<br />
</div>
<p><br />
</p><p>First of all, by restricting the protocols to imaps and pop3s, dovecot releases ports 143 and 110, which can safely be blocked now. There are three certificate files, all of which have to be in PEM format. While the first file contains the public certificate for the mail server, the second must hold the unencrypted secret key. The file permissions on the latter have to be restricted to read access for the root user (mode 0600, owned by root), as the key is read by the dovecot process before it drops privileges to the dovecot user.  
</p><p>

The third file does not only contain the RootCA's certificate but also a valid Certificate Revocation List in PEM format,
appended to the RootCA certificate with a newline in between. Without the CRL in this file the user's certificate cannot be validated and the connection will not be established.
It is extremely important to keep an eye on this CRL, as the validity period of a CRL is usually only a few days long. If you fail to keep the CRL part up to date, you
risk that the perfect mail server setup expires in a few days, leaving your users with no access to their email. You can create long-lived CRLs with "openssl ca -gencrl" and its -crldays option as you like, but bear in mind that the expiration date of your CRL (the nextUpdate field, which "openssl crl -noout -nextupdate" prints) determines the ability of your users to get at their mail in the same way as the expiration date of the users' certificates does.
</p><p>

You may have noticed that in the authentication section everything is disabled except the use of two files which serve as a static user and password database. Only system users
listed here are able to access their mailboxes. The two files "imap.passwd" and "imap.shadow" are exact copies of their system analogies, limited to the lines of valid email users. Just make sure that both are stored in a directory with the name of the email domain you use, which is shown as %d in the configuration file above. 
</p><p>
Finally, the last line "ssl_require_client_cert = yes" determines that the mail server shuts down the connection if the user's email client is unable to present a client certificate, that the mail server can validate based on the content of the CA certificate file in the configuration. 
</p><p>
By now we have made access to our mailboxes as difficult as possible, it's time to make it accessible for the user in a way that does not hurt. Please read on.
</p><p>


</p><h3>Supplementing The Mail Password With SSL Certificates</h3>

What the user needs is a certificate, i.e. a public key signed by the 
RootCA used by the mail server, and the corresponding secret key. And, of course, software that uses this information to download the email from the user's mailbox to the local machine over an encrypted tunnel. With another careful setup on the client's computer this is done automatically by the fetchmail process, which can be run via cron at certain intervals. So the users receive their mail without bothering about the encryption process at all; they can read their internet email just like they read their local email.
<p>

Fetchmail reads its configuration from ".fetchmailrc", which has to be protected carefully, as it contains all the users' email passwords in clear text: make it readable by its owner only (root, when cron runs fetchmail as root); fetchmail refuses to start if the file is readable by anyone else. Note also that sslcertck makes fetchmail verify the server's certificate, so the RootCA certificate must be present either in the system's CA directory or in a hashed directory named with the sslcertpath option, otherwise the connection is refused. The file looks like this:
</p><div class="output">
<pre>poll mail.kerrylinux.ie protocol POP3

    user joe@kerrylinux.ie password PASXXXXXX is joe here
        ssl sslcertck sslcert /secure/certs/joe@kerrylinux.ie.cert
        sslkey /secure/certs/joe@kerrylinux.ie.key

    user patrick@kerrylinux.ie password PASXXXXXX2 is paddy here
        ssl sslcertck sslcert /secure/certs/patrick@kerrylinux.ie.cert
        sslkey /secure/certs/patrick@kerrylinux.ie.key</pre>
</div>
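<p>Creating the key and certificate for such a .fetchmailrc entry, and keeping an eye on the CRL lifetime discussed above, is where most of the work is. The following script is an added example and not part of the original post: it sets up a throw-away CA with "openssl ca", issues a client certificate for joe@kerrylinux.ie with the clientAuth extended key usage, publishes a CRL with an explicit lifetime, builds the hashed CA directory that fetchmail's sslcertpath expects, and then shows that revoking the certificate locks the client out. The CA name, the 30-day CRL lifetime and all paths are assumptions; the real server-side CA will differ.</p>

```shell
#!/bin/sh
# Added example, not from the original post: a throw-away CA that issues a
# client certificate for the .fetchmailrc entry above, publishes a CRL with an
# explicit lifetime, and checks that a revoked certificate is really rejected.
# "Demo Root CA", joe@kerrylinux.ie and every path here are assumptions.

make_ca() {             # $1 = working directory; builds the database "openssl ca" needs
  ca=$1
  mkdir -p "$ca/newcerts" "$ca/certs" || return 1
  : > "$ca/index.txt"
  echo 1000 > "$ca/serial"
  cat > "$ca/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.cert
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn
[ policy_cn ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$ca/ca.key" 2048 2>/dev/null &&
  openssl req -config "$ca/ca.cnf" -new -x509 -key "$ca/ca.key" -sha256 -days 3650 \
    -subj "/CN=Demo Root CA" -extensions v3_ca -out "$ca/ca.cert" 2>/dev/null
}

issue_client_cert() {   # $1 = CA dir, $2 = mailbox address; becomes the CN and the file name
  ca=$1; user=$2
  openssl genrsa -out "$ca/certs/$user.key" 2048 2>/dev/null &&
  chmod 600 "$ca/certs/$user.key" &&
  openssl req -config "$ca/ca.cnf" -new -key "$ca/certs/$user.key" \
    -subj "/CN=$user" -out "$ca/certs/$user.csr" 2>/dev/null &&
  openssl ca -config "$ca/ca.cnf" -batch -notext -extensions client_ext \
    -in "$ca/certs/$user.csr" -out "$ca/certs/$user.cert" 2>/dev/null
}

gen_crl() {             # $1 = CA dir, $2 = lifetime in days; run from cron before it lapses
  openssl ca -config "$1/ca.cnf" -gencrl -crldays "$2" -out "$1/ca.crl" 2>/dev/null
}

crl_next_update() {     # prints "nextUpdate=..."; past that date every client is locked out
  openssl crl -in "$1/ca.crl" -noout -nextupdate
}

fetchmail_ca_dir() {    # hashed directory for fetchmail's sslcertpath (what c_rehash builds)
  mkdir -p "$1/cadir" &&
  ln -sf "$1/ca.cert" "$1/cadir/$(openssl x509 -noout -subject_hash -in "$1/ca.cert").0"
}

revoke_cert() {         # $1 = CA dir, $2 = user; marks the certificate revoked in index.txt
  openssl ca -config "$1/ca.cnf" -revoke "$1/certs/$2.cert" 2>/dev/null
}

verify_client_cert() {  # 0 only if the chain is valid AND the certificate is not on the CRL
  openssl verify -CAfile "$1/ca.cert" -crl_check -CRLfile "$1/ca.crl" \
    "$1/certs/$2.cert" >/dev/null 2>&1
}

demo() {                # returns 0 when issue, verify and revoke all behave as they should
  work=$(mktemp -d) || return 1
  user=joe@kerrylinux.ie
  make_ca "$work" && issue_client_cert "$work" "$user" &&
    gen_crl "$work" 30 && fetchmail_ca_dir "$work" || return 1
  echo "CRL $(crl_next_update "$work")"
  verify_client_cert "$work" "$user" || { echo "fresh certificate rejected"; return 1; }
  echo "$user: certificate accepted"
  revoke_cert "$work" "$user" && gen_crl "$work" 30 || return 1
  if verify_client_cert "$work" "$user"; then echo "revoked certificate still accepted"; return 1; fi
  echo "$user: certificate revoked, client locked out"
  rm -rf "$work"
}

demo
```

<p>Run it as an unprivileged user; everything is written below a mktemp directory. The "crl_next_update" output is the value to feed into a monitoring check, and "gen_crl" is what the cron job should run well before that date.</p>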
<br />
<p>

For the client to establish the SSL connection it is not enough to present the public certificate to the mail server; during the handshake the client also has to prove that it holds the matching secret key.
That is precisely what an attacker who may have learned the email password does not possess,
and it is what keeps him out of our mailboxes. <br /></p><p>If you have trouble creating those certificates, please drop me an email and I will see what I can do for you. <br /></p>]]>
        
    </content>
</entry>

<entry>
    <title>WEP Is Dead, Long Live WPA</title>
    <link rel="alternate" type="text/html" href="http://linuxcoaching.ie/linux_coaching/2009/09/wep-is-dead-long-live-wpa.html" />
    <id>tag:linuxcoaching.eu,2009:/linux_coaching//1.22</id>

    <published>2009-09-28T17:54:23Z</published>
    <updated>2009-09-28T17:55:47Z</updated>

    <summary> The Final Nail in WEP&apos;s Coffin I have to admit it, this is old news, very old news. WEP is dead, and the final nail had been driven into WEP&apos;s coffin some three years ago. But many WiFi networks...</summary>
    <author>
        <name>Ralph</name>
        <uri>http://kerry-linux.ie</uri>
    </author>
    
        <category term="Cryptography" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Wireless" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="wep" label="WEP" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="wpa" label="WPA" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://linuxcoaching.ie/linux_coaching/">
        <![CDATA[ <h3>The Final Nail in WEP's Coffin</h3>

I have to admit it, this is old news, very old news. WEP is dead, and the
<a href="http://www2.computer.org/portal/web/csdl/doi/10.1109/SP.2006.40">
final nail was driven into WEP's coffin</a> some three years ago.
But many WiFi networks still use WEP today, although a much more secure
alternative, WPA2, has been available for a long time.

<p>
People tend to believe that any encryption is better than none and don't bother to replace
broken methods like WEP with strong ones. Obviously the publication
of research papers has only a limited effect on the ordinary user's willingness to change
habits or on their awareness of the problem. Unless the weak methods disappear from the
router's firmware menu, we'll keep seeing people use them.

</p><p>
</p><h3>Switching Over to WPA</h3>

It's fairly easy to dump WEP and use WPA2 instead, because WPA2 can work with a pre-shared key, a secret that is stored both in the router or access point and in
the client machine that is about to establish a secure wireless connection.
There is clearly no need to add further complexity (like a RADIUS server)
just to replace WEP on a simple wireless link.
<p>
In a first step you have to change the security settings of the access point / router to WPA2-PSK and select a new, long secret. WPA2 encrypts the traffic with AES (CCMP), and the 256-bit pre-shared key it uses is derived from the passphrase you enter by hashing it together with the SSID (PBKDF2), so the passphrase ought to have as much entropy as possible: anyone who records the handshake of a connecting client can try passphrases against it offline at leisure. You can use the following command to get a reasonably long random secret (40 hex digits, 160 bits of entropy) for use by the router and the client; /dev/urandom will do just as well and, unlike /dev/random, does not block while gathering entropy.

</p><div class="code">
#&gt;  dd if=/dev/random  bs=1 count=200 |  sha1sum
</div> 
<br />

After that your wireless client is cut off, as the router now uses a different, and more
secure, access method. It's prudent to choose a new secret rather than reuse the old WEP key: your encryption has been weak in the past and the old key might have been compromised long ago, you'll never know for sure. <p>

In order to re-establish the wireless link the client machine
will use a daemon called wpa_supplicant that has to be started just before the
wireless network adapter starts to reach out for the access point or router. The
wpa_supplicant needs at least two pieces of information: the name of the wireless
network (its SSID) and the secret we have already stored in the router.
Please double-check that the daemon's config file has minimal permissions (readable
by root only) to protect the wireless secret, and add something like the following
lines to your config file "<b>/etc/wpa_supplicant/wpa_supplicant.conf</b>":
</p><p>
</p><div class="output">
network={<br />
        ssid="your-wireless-network-name"<br />
        scan_ssid=0<br />
        key_mgmt=WPA-PSK<br />
        psk="420320d9c0fa8e6cc635381f4717090224385965"<br />
}
</div>
<br />
The only thing you need to ensure is that the daemon is started whenever you use your
wireless adapter, and that the firewall recognizes your new link. Two details are worth knowing: a psk in double quotes is a passphrase, which wpa_supplicant hashes together with the SSID into the actual 256-bit key, whereas 64 unquoted hex digits are taken as that key directly; and key_mgmt=WPA-PSK on its own still accepts WPA1 with TKIP, so add proto=RSN and pairwise=CCMP if the link should be WPA2 only. Yes, it's that easy to
dump WEP for good. Finally.
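<p>The sha1sum recipe above yields a 40-digit hex passphrase with 160 bits of entropy. The following script is an added example, not part of the original post, and goes one step further: it draws a full 256-bit key from /dev/urandom, tells the two psk forms apart, and writes a WPA2-only network block with owner-only permissions. The SSID and the file name are assumptions.</p>

```shell
#!/bin/sh
# Added example, not from the original post: a 256-bit WPA2 key drawn from
# /dev/urandom and written into a WPA2-only wpa_supplicant network block with
# owner-only permissions. SSID and file name are assumptions.

gen_psk() {             # 32 random bytes as 64 lower-case hex digits, the raw PSK form
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

psk_form() {            # which of wpa_supplicant's two psk forms a value is
  key=$1
  if [ ${#key} -eq 64 ] && [ -z "$(printf %s "$key" | tr -d '0-9a-fA-F')" ]; then
    echo raw            # 64 hex digits: used as the 256-bit key directly, nothing to guess
  elif [ ${#key} -ge 8 ] && [ ${#key} -le 63 ]; then
    echo passphrase     # hashed with the SSID (PBKDF2-SHA1, 4096 rounds) into the key
  else
    echo invalid
  fi
}

write_wpa_network() {   # $1 = config file, $2 = SSID, $3 = key or passphrase
  conf=$1; ssid=$2; key=$3
  case $(psk_form "$key") in
    raw)        line="psk=$key" ;;
    passphrase) line="psk=\"$key\"" ;;
    *) echo "psk must be 64 hex digits or an 8-63 character passphrase" >&2; return 1 ;;
  esac
  ( umask 077; {        # the file carries the network secret: no group/world access
      echo "network={"
      echo "    ssid=\"$ssid\""
      echo "    proto=RSN"        # WPA2 only; WPA1/TKIP is not offered
      echo "    pairwise=CCMP"
      echo "    key_mgmt=WPA-PSK"
      echo "    $line"
      echo "}"
    } > "$conf" ) && chmod 600 "$conf"
}

key=$(gen_psk)
out=$(mktemp)
write_wpa_network "$out" "your-wireless-network-name" "$key" && cat "$out"
rm -f "$out"
```

<p>The same 64 hex digits go into the router's WPA2 settings as the raw key, where the firmware offers that option; where it only accepts a passphrase, the hashed form is what the firmware computes from it anyway.</p>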
]]>
        
    </content>
</entry>

<entry>
    <title>Booting a CD Without a CD Drive</title>
    <link rel="alternate" type="text/html" href="http://linuxcoaching.ie/linux_coaching/2009/08/booting-a-cd-without-a-cd-drive.html" />
    <id>tag:linuxcoaching.eu,2009:/linux_coaching//1.21</id>

    <published>2009-08-31T07:04:47Z</published>
    <updated>2009-08-31T07:06:48Z</updated>

    <summary>ISO Files Most Linux distributions and a number of CD utilities like Clonezilla or GPARTED-Live come as iso-images, ready to be burned to a CD medium, to start an installation or running a live session for some useful purpose. But...</summary>
    <author>
        <name>Ralph</name>
        <uri>http://kerry-linux.ie</uri>
    </author>
    
        <category term="Behind the Curtains" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="System Administration" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="grub2" label="grub2" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="usbkey" label="USB key" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://linuxcoaching.ie/linux_coaching/">
        <![CDATA[<h3>ISO Files</h3>

Most Linux distributions and a number of CD utilities like
<a href="http://clonezilla.org/">Clonezilla</a> or <a href="http://gparted.sourceforge.net/livecd.php">GPARTED-Live</a> come as iso-images, ready to be burned to a CD medium, to start an installation or running a live session for some useful purpose.
But all these iso files are supposed to be booted inside an ordinary CD drive. <i>What if you just don't have a CD burner at hand or if your CD drive is damaged or missing all together, because you are testing the shiny new motherboard without a CD drive?</i>
<p>
Don't think you are stuck, there's help around the corner that will lead you into a habit of booting your iso files in a much more creative fashion.
</p><p>
</p><blockquote>
"Stop for a moment, could I not simply put the iso file on a USB key using the dd command?
Most modern BIOSes are perfectly capable of booting USB keys and surely there is a USB slot on your new motherboard you can use."
</blockquote>

Of course you could do that: the iso file contains a valid iso9660 filesystem together with the bootloader for CDs, and the dd command transfers the file to your USB key without adding any other structure. But don't expect the new USB key to boot like a CD, because after you have changed your BIOS settings to allow booting from a USB hard disk, the BIOS will expect the structure of a hard disk, not that of an iso filesystem.

It will look for a Master Boot Record (MBR) in sector 0, just as it does when booting your ordinary hard disk. An iso filesystem has neither an MBR nor a partition table where the BIOS expects them. So forget booting iso files directly.
<p>
</p><blockquote>
"Ok, seems as if there is no way around putting a bootloader like grub on the USB key, and ... , wait, there is a file called iso9660_stage1_5 in the grub directory. It looks like grub has iso9660 support already. Can we use this to boot the iso file?"
</blockquote>

Well, unfortunately no. The iso9660 support built into grub can be used to create a bootable CD with grub as the bootloader. Your file is being used when a new iso file
containing your grub bootloader is created. What we need instead is the ability to read the kernel and the initramdisk inside the iso-filesystem at boot time when no filesystem is mounted.
<p>
</p><blockquote>
"Sounds as if we need a loop device to get at the files inside the iso filesystem. Does
grub support mounting a iso-filesystem using a loop device?"
</blockquote>
<p>
</p><h3>The New Grub</h3>

Yes and no. The traditional grub (version 1) that everyone uses does not have this loopback support, but the grub development team has been working on grub2 for a number of years now, which has loopback support already. The new grub2 is still under
development, so it's not yet ready to replace the legacy grub version 1, but grub2 is exactly what we need to boot our iso files directly.

<p>
</p><h3>A Word Of Caution</h3>

So we are about to prepare a USB key to boot iso files with the grub2 bootloader written into the key's master boot record. Writing MBRs on a Linux system usually raises blood pressure a bit, as we have to be extra cautious not to ruin our running Linux system. If you want to follow me from here, please make sure that you do not perform the grub2 installation on your company's production server and double-check everything before issuing commands, to be on the safe side.

And for those of you, who hesitate to write MBRs at all, I have an offer for you at the end of this posting, read on.

<p>
</p><h3>Preparing The USB Boot Key</h3>

Like any other software, grub2 can be installed from the distro's repositories, at least on Fedora 11, which I use now. The installation will not replace the legacy grub we are using to boot our computer, as the new files go into the directory "/boot/grub2" without changing anything in the current grub setup, unless grub2 is deliberately used to overwrite the MBR. And this is the one thing we have to avoid. For now, our objective is to get the grub2 software onto our USB key; writing the key's MBR will then be the crowning event before we start testing the key.
<p>
For preparing the boot key it is absolutely essential that you know how the Linux kernel recognizes your USB key. To find out, you can observe the log file "/var/log/messages" while you plug your key into the computer. For now I assume that you have one hard disk in your computer (/dev/sda) and your USB key will probably show up as /dev/sdb.
First we re-partition the key and create two Linux partitions, a small one of 10 MBytes for the grub2 software and a larger one where all our iso files can be stored:
</p><p>
</p><div class="code">
  #&gt;  umount /dev/sdb1<br />
  #&gt;  fdisk /dev/sdb<br />
  #&gt;  mkfs -t ext3 -c /dev/sdb1 ; tune2fs -L usbboot /dev/sdb1<br />
  #&gt;  mkfs -t ext3 -c /dev/sdb2 ; tune2fs -L isos /dev/sdb2<br />
</div>
<br />
You can now mount the second partition and copy all the iso files you wish to boot into this location.

Writing the MBR requires that the first partition is mounted on a well-known mount point like /mnt, because we will use this directory to write the grub2 software to the key with the following command:
<p>
</p><div class="code">
 #&gt;  grub2-install --root-directory=/mnt /dev/sdb
</div>
<br />
Please double-check that your key is mounted and is called /dev/sdb before you use this command, which populates the directory /mnt/boot/grub2 with grub2 modules and writes the MBR into /dev/sdb.
<p>

As you may know there is one task still left before we can start testing our boot key, we
need to create a menu list, which is called "/boot/grub2/grub.cfg" now. A number of changes have been made to the config file compared to the old grub, so let's have a look at the new configuration:
</p><p>
</p><div class="output">
set timeout=5 <br />
set default=0 <br />
<br />
menuentry "ISOLINUX" {<br />
    loopback loop  (hd0,2)/centos.iso <br />
    set root=(loop) <br />
    linux /isolinux/vmlinuz <br />
    initrd /isolinux/initrd.img <br />
}   <br />
</div>
<br />

The most remarkable change is the numbering of partitions which has become more natural as the first partition now is (hd0,1), while hard disks still start with number 0.
Then the old title entry is replaced by menuentry and loading the kernel is now done with the linux command. Apart from all these cosmetics we can now create a new device called (loop)
that will replace a real partition like (hd0,2) to access files inside the iso-filesystem, once we have connected the iso file with this new device using the loopback command.
<p>
It is even possible to list the files that grub2 can see on the (loop) device using the grub2 command line:
</p><p>
</p><div class="code">
grub2&gt;  loopback loop (hd0,2)/centos.iso <br />
grub2&gt;  set root=(loop) <br />
grub2&gt;  ls / <br />
</div>
<br />

Now it's time to check if the ISOLINUX menuentry works. Reboot and see your new boot key fire up the CentOS netinstall process. Voila.
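<p>As an added example that is not part of the original post, here is a small script that generates the grub.cfg for every iso file on the second partition. It uses grub2's search command to locate that partition by the "isos" label set with tune2fs above rather than by the fixed (hd0,2), so the entries survive a BIOS that numbers the disks differently. The kernel and initrd paths inside the image are those of the CentOS example above and are an assumption for other images; the iso files the script creates for its own demonstration are constructed placeholders, not real images.</p>

```shell
#!/bin/sh
# Added example, not from the original post: emits a grub.cfg with one loopback
# entry per iso file. The partition holding the images is found by label instead
# of by number, so the entries do not depend on which disk the BIOS calls hd0.
# The kernel/initrd paths are those of the CentOS image above and are an
# assumption for other images; the stand-in files created below are constructed.

iso_entry() {           # $1 = iso file name, $2 = label of the partition holding it
  name=${1%.iso}
  cat <<EOF
menuentry "$name" {
    search --no-floppy --label $2 --set=root
    loopback loop /$1
    set root=(loop)
    linux /isolinux/vmlinuz
    initrd /isolinux/initrd.img
}
EOF
}

build_grub_cfg() {      # $1 = directory with the iso files, $2 = its label; prints the config
  printf 'set timeout=5\nset default=0\n\n'
  n=0
  for iso in "$1"/*.iso; do
    [ -s "$iso" ] || continue           # skips the literal "*.iso" of an empty directory
    iso_entry "${iso##*/}" "$2"
    n=$((n + 1))
  done
  [ "$n" -gt 0 ]                        # nothing to boot is an error, not an empty menu
}

demo_dir=$(mktemp -d)
printf 'stand-in' > "$demo_dir/centos.iso"        # constructed placeholders, not real images
printf 'stand-in' > "$demo_dir/clonezilla.iso"
build_grub_cfg "$demo_dir" isos                   # in real use: > /mnt/boot/grub2/grub.cfg
rm -rf "$demo_dir"
```

<p>With the second partition mounted, "build_grub_cfg /path/to/isos isos" redirected into the key's grub.cfg replaces the hand-written menu above; images that keep their kernel elsewhere than /isolinux need their own entry.</p>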
<p>
</p><h3>Download Your Bootable USB Key</h3>

I have prepared an image of my boot key for you that you can download, if you want to create a boot key without the hassle of following the steps above. The small 32 MByte
image file contains all the magic and can be copied to your USB key with the dd command. Please send me an email and I will give you a download  link with the necessary instructions.
Once you have your key working, you can delete and re-create the second partition to make space for all your live CD iso files on the key. All you need to edit is the config file.
<br /><br />That way you can carry all your distros on one key and boot them all from the grub2 menu without having to change the Linux system on your hard disk.
]]>
        
    </content>
</entry>

<entry>
    <title>Hardcore Virtualisation - Learn To Love XEN</title>
    <link rel="alternate" type="text/html" href="http://linuxcoaching.ie/linux_coaching/2009/08/hardcore-virtualisation---learn-to-love-xen.html" />
    <id>tag:linuxcoaching.eu,2009:/kerry_linux_help_center//1.16</id>

    <published>2009-08-17T08:29:20Z</published>
    <updated>2009-08-17T08:44:29Z</updated>

    <summary> A few weeks ago I happened to install CentOS-5.3 on a HP blade server, and while scrolling through the software selection dialog, I ticked everything that had to do with Virtualisation and Clustering. Consequently, the new system came up...</summary>
    <author>
        <name>Ralph</name>
        <uri>http://kerry-linux.ie</uri>
    </author>
    
        <category term="Virtualisation" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="xen" label="Xen" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://linuxcoaching.ie/linux_coaching/">
<![CDATA[ A few weeks ago I happened to install CentOS-5.3 on a HP blade server, and while scrolling through the software selection dialog, I ticked everything that had to do with Virtualisation and Clustering. Consequently, the new system came up with a shiny Xen kernel and displayed a new icon in the system tools menu, the "Virtual Machine Manager".<br /><br />Everything else was still pretty normal, but the Xen kernel was constantly reminding me to use it for what it's for: starting a virtual machine. As you may know Xen is not the easiest way to get such a virtual system in place, even though there is a graphical frontend for Xen as well. But there is one advantage of Xen that makes up for all the trouble you have getting the thing going, and that is speed. <br /><br />Unlike virtualisation software like VirtualBox, which is designed to run unmodified operating systems inside an application that emulates the hardware, Xen aims at running as close to the bare hardware as possible. Xen achieves near native performance by putting a small kernel called the hypervisor between the hardware and the guest operating systems. The hypervisor alone runs in the CPU's most privileged mode; the guests are moved into less privileged modes and ask the hypervisor, via hypercalls, whenever they need a privileged operation carried out on their behalf. This design is what makes it fast, but it also requires that the guests know how to talk to the hypervisor, which means running a Xen-enabled kernel. So operating systems that cannot be modified to run such a kernel (like Microsoft Windows) cannot run in the speedy paravirtualized mode.<br />&nbsp; 
<h3>Beware Of Using Defaults</h3>

In my experience, what makes Xen tricky to use at first is that the default values after a fresh installation can easily break your network connection, leaving you with plenty of new network interfaces but without a working local network, let alone the internet. On boot two services are started for the Xen system, the libvirtd and the xend daemons. xend reads a single, very short configuration file "/etc/xen/xend-config.sxp" which consists of only nine lines:<br />
<br /><div class="output">
(xend-unix-server yes)<br />
(xend-unix-path /var/lib/xend/xend-socket)<br />
(xend-relocation-hosts-allow '^localhost$ ^localhost\\.localdomain$')<br />
(network-script network-bridge)<br />
(vif-script vif-bridge)<br />
(dom0-min-mem 1024)<br />
(dom0-cpus 0)<br />
(vnc-listen '0.0.0.0')<br />
(vncpasswd '')<br />
</div>
<br />And line no. 4 is the culprit: the network-bridge script renames your working ethernet interface, recreates it and introduces two bridge interfaces, leaving a mess in which nothing works any more. I strongly suspect that this is not what defaults are for. Fortunately a small modification gets Xen on track again: simply don't use the script "network-bridge" and replace it by /bin/true, problem solved. It seems to me that the Xen defaults strive to isolate the new virtual machines from the ethernet as much as possible, while someone starting to use Xen might want the virtual machine to use the already working internet adapter with a new fixed IP address in the LAN. While you are in that file, also look at the last two lines: (vnc-listen '0.0.0.0') together with (vncpasswd '') makes every guest's graphical console reachable from any network the host is attached to, without a password. Unless you really need remote console access, listen on 127.0.0.1 only and set a password.<br /><br /> 

<h3>Use Your Own Bridge</h3>

If you want a new virtual machine on the same LAN, create a config file for a bridge (br0) that takes over your ethernet interface's address and attach the ethernet interface to that bridge. All firewall settings for your host can remain the same, as the new bridge takes over the old fixed IP address and nothing seems to have changed for the LAN.
Once your virtual machine is ready to run, just name the bridge br0 as the network interface in the guest's config file; assign the guest an unused IP on the LAN with the same default gateway for internet access, and everything works well.
<p>
<br />
<b><code>/etc/xen/&lt;guestname&gt;</code></b> (the guest's own configuration file, not xend-config.sxp, which uses the s-expression syntax shown above)
</p><div class="output">
...<br />
vif = [ "mac=00:16:3e:27:84:7a,bridge=br0" ]<br />
</div> 

<p>
<br />
<b><code>/etc/sysconfig/network-scripts/ifcfg-br0</code></b>
<br />
</p><div class="output">
DEVICE=br0<br />
TYPE=Bridge<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
DELAY=0<br />
IPADDR=192.168.2.188         #  your host's LAN IP may be different<br />
NETMASK=255.255.255.0<br />
GATEWAY=192.168.2.1        # adapt IP here<br />
</div>
<p>
<b><code>/etc/sysconfig/network-scripts/ifcfg-eth0</code></b>
<br />
</p><div class="output">
DEVICE=eth0<br />
TYPE=Ethernet<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=br0<br />
GATEWAY=192.168.2.1<br />
</div>
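<p>The two changes above, replacing network-bridge with /bin/true and moving the address from eth0 to br0, are easy to get wrong by hand and hard to undo from a console without network. The following script is an added example, not part of the original post: it applies both edits to copies of the files in a staging directory, keeps a backup of ifcfg-eth0, and also tightens the VNC lines of xend-config.sxp to listen on localhost with a password. The staging directory, the constructed sample file contents and the password are assumptions; point it at the real /etc only once you are happy with the result, then restart the network and xend.</p>

```shell
#!/bin/sh
# Added example, not from the original post: applies the two changes above to a
# staging copy of the configuration tree and tightens the VNC defaults. The
# sample file contents are constructed; the real files live under /etc.

fix_xend_config() {     # $1 = xend-config.sxp, $2 = VNC password; rewrites the file in place
  f=$1; pw=$2
  sed -e 's|^(network-script .*)|(network-script /bin/true)|' \
      -e "s|^(vnc-listen .*)|(vnc-listen '127.0.0.1')|" \
      -e "s|^(vncpasswd .*)|(vncpasswd '$pw')|" "$f" > "$f.new" && mv "$f.new" "$f"
}

bridge_ethernet() {     # $1 = network-scripts dir, $2 = interface to put behind br0
  dir=$1; dev=$2; src=$dir/ifcfg-$dev
  [ -f "$src" ] || { echo "$src not found" >&2; return 1; }
  ip=$(sed -n 's/^IPADDR=//p' "$src" | tr -d '"')
  mask=$(sed -n 's/^NETMASK=//p' "$src" | tr -d '"')
  gw=$(sed -n 's/^GATEWAY=//p' "$src" | tr -d '"')
  [ -n "$ip" ] && [ -n "$mask" ] || { echo "$src has no static IPADDR/NETMASK" >&2; return 1; }
  cp "$src" "$src.pre-bridge" || return 1         # what to restore if the LAN goes dark
  {                                               # the bridge takes over the address
    printf 'DEVICE=br0\nTYPE=Bridge\nBOOTPROTO=none\nONBOOT=yes\nDELAY=0\n'
    printf 'IPADDR=%s\nNETMASK=%s\n' "$ip" "$mask"
    [ -n "$gw" ] && printf 'GATEWAY=%s\n' "$gw"
  } > "$dir/ifcfg-br0"
  printf 'DEVICE=%s\nTYPE=Ethernet\nBOOTPROTO=none\nONBOOT=yes\nBRIDGE=br0\n' "$dev" > "$src"
}

stage_demo() {          # prints a throw-away tree holding constructed copies of both files
  root=$(mktemp -d) || return 1
  mkdir -p "$root/etc/xen" "$root/etc/sysconfig/network-scripts" || return 1
  cat > "$root/etc/xen/xend-config.sxp" <<'EOF'
(xend-unix-server yes)
(xend-unix-path /var/lib/xend/xend-socket)
(xend-relocation-hosts-allow '^localhost$ ^localhost\\.localdomain$')
(network-script network-bridge)
(vif-script vif-bridge)
(dom0-min-mem 1024)
(dom0-cpus 0)
(vnc-listen '0.0.0.0')
(vncpasswd '')
EOF
  printf 'DEVICE=eth0\nTYPE=Ethernet\nBOOTPROTO=none\nONBOOT=yes\nIPADDR=192.168.2.188\nNETMASK=255.255.255.0\nGATEWAY=192.168.2.1\n' \
    > "$root/etc/sysconfig/network-scripts/ifcfg-eth0"
  echo "$root"
}

root=$(stage_demo) &&
  fix_xend_config "$root/etc/xen/xend-config.sxp" 'choose-a-real-password' &&
  bridge_ethernet "$root/etc/sysconfig/network-scripts" eth0 &&
  cat "$root/etc/xen/xend-config.sxp" "$root/etc/sysconfig/network-scripts/ifcfg-br0" \
      "$root/etc/sysconfig/network-scripts/ifcfg-eth0"
[ -n "$root" ] && rm -rf "$root"
```

<p>Against the live system the two calls are "fix_xend_config /etc/xen/xend-config.sxp yourpassword" and "bridge_ethernet /etc/sysconfig/network-scripts eth0", run from a local console rather than over ssh, since the link drops while the bridge comes up.</p>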

<p><br />

Try it, and you are beginning to love Xen!
</p>]]>
        
    </content>
</entry>

<entry>
    <title>Just Linux Everywhere</title>
    <link rel="alternate" type="text/html" href="http://linuxcoaching.ie/linux_coaching/2009/07/just-linux-everywhere.html" />
    <id>tag:linuxcoaching.eu,2009:/kerry_linux_help_center//1.14</id>

    <published>2009-07-18T09:21:42Z</published>
    <updated>2009-12-23T15:45:14Z</updated>

    <summary><![CDATA[ Finally I've started to develop Linux virtual machines for people that simply want to run Linux on Windows or Mac OS-X without the need to touch their hard disk or to engage in installation or troubleshooting at all. &nbsp;&nbsp;...]]></summary>
    <author>
        <name>Ralph</name>
        <uri>http://kerry-linux.ie</uri>
    </author>
    
        <category term="Just Linux" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="virtualmachine" label="virtual machine" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://linuxcoaching.ie/linux_coaching/">
        <![CDATA[ Finally I've started to develop Linux virtual machines for people that simply want to run Linux on Windows or Mac OS-X without the need to touch their hard disk or to engage in installation or troubleshooting at all.<br /><br />
<table><tbody><tr><td valign="top">
</td><td>
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://linuxcoaching.ie/linux_coaching/assets_c/2009/07/img4-35.html" onclick="window.open('http://linuxcoaching.ie/linux_coaching/assets_c/2009/07/img4-35.html','popup','width=800,height=600,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://linuxcoaching.ie/linux_coaching/assets_c/2009/07/img4-thumb-400x300-35.jpg" alt="img4.jpg" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="300" width="400" /></a></span>

</td>
<td>&nbsp;&nbsp;</td>
<td valign="top">
        <b><i>Just Linux Everywhere</i></b> is a virtual machine that  you can run on almost
 every operating system including Windows  XP/Vista, Mac OS-X and of course Linux 
 itself. 
 As it is based on 
  <a href="http://www.virtualbox.org">Sun Microsystems' VirtualBox software</a> 
 you will be able to run a fully fledged Linux inside a window just like another application inside Windows or Mac OS-X. 
 No fundamental changes like overwriting the Master Boot Record are being made to your
 hard disk to run Linux, which is entirely confined to two or three big files on your
 computer that come with the Kerry Linux DVDs. 
        
<p>
 Essentially there are two different versions of 
        <b><i>Just Linux Everywhere</i></b>, a compact version of 4.7 gigabytes (<i><b>JULIE</b></i>) that contains the
        prominent software packages like Firefox, OpenOffice and Evolution 
        and more, which fits on one single DVD, and a larger one, <i><b>JULIEplus</b></i> 
        that strives for providing all the very best of Linux software 
        available at the moment. 
</p></td></tr></tbody></table>


     

        Both versions are fully configured, thoroughly tested and
        ready to run within minutes, once you have installed the 
        VirtualBox software in your operating system. There is simply
        no easier way to get Linux running on Windows and Mac without
        the hassle of installation and testing.<br /><br />

        <p align="justify">
        And there are more options to avail of, as <b><i>JULIEplus</i></b>  
        can be set up to store 1 gigabyte (or more) of user data 
        online on a server on the internet encrypted using an automatic
        backup solution. You can use this option anytime, because JULIE
        is prepared to use the Kerry Linux Support Server on your
        request to provide remote administration of your virtual machine
        by Kerry Linux if you like to entrust me to manage your system remotely. <br /></p><p align="justify">These are the options that are available for you at the moment:<br /></p><center>
        <table cellpadding="10">
        <tbody><tr><td>
           <table border="1" cellpadding="5" cellspacing="3">
           <tbody><tr><th bgcolor="#ccffcc"></th>  <th align="center" bgcolor="#ccffcc">JULIE </th> <th align="center" bgcolor="#ccffcc">JULIEplus </th></tr>
           <tr>
             <td bgcolor="#eeeeee">Requirements </td>
             <td align="center" bgcolor="#ccccee"><a href="http://www.virtualbox.org/">Sun VirtualBox</a></td>
             <td align="center" bgcolor="#ccccee"><a href="http://www.virtualbox.org/">Sun VirtualBox</a></td>
           </tr>
           <tr>
             <td bgcolor="#eeeeee">Size </td>
             <td align="right" bgcolor="#ccccee">one DVD, 4.7 GByte</td>
             <td align="right" bgcolor="#ccccee">two DVDs, 8 GByte</td>
           </tr>
           <tr>
             <td bgcolor="#eeeeee">Kerry Linux<br />Support Option </td>
             <td align="right" bgcolor="#ccccee">available</td>
             <td align="right" bgcolor="#ccccee">available</td>
           </tr>
           <tr>
             <td bgcolor="#eeeeee">Online Backup Option </td>
             <td align="right" bgcolor="#ccccee">NO</td>
             <td align="right" bgcolor="#ccccee">YES</td>
           </tr>
           <tr>
             <td bgcolor="#eeeeee">Delivery by mail </td>
             <td align="right" bgcolor="#ccccee">included</td>
             <td align="right" bgcolor="#ccccee">included</td>
           </tr>
           <tr>
             <td bgcolor="#eeeeee">Price </td>
             <td align="right" bgcolor="#ccccee"><b>25 Euro </b></td>
             <td align="right" bgcolor="#ccccee"><b>35 Euro </b></td>
           </tr>
           <tr> 
              <td align="center" bgcolor="#ccffcc"> 
              </td>
              <td align="center" bgcolor="#ccffcc"> 
              <form action="https://www.paypal.com/cgi-bin/webscr" method="post" contenteditable="false">
              <input name="cmd" value="_s-xclick" type="hidden" />
              <input name="hosted_button_id" value="6847357" type="hidden" />
              <input src="https://www.paypal.com/en_US/i/btn/btn_buynowCC_LG.gif" name="submit" alt="PayPal - The safer, easier way to pay online!" type="image" border="0" />
              <img alt="" src="https://www.paypal.com/en_US/i/scr/pixel.gif" height="1" width="1" border="0" />
              </form>

              </td>
              <td align="center" bgcolor="#ccffcc"> 
              <form action="https://www.paypal.com/cgi-bin/webscr" method="post" contenteditable="false">
              <input name="cmd" value="_s-xclick" type="hidden" />
              <input name="hosted_button_id" value="6847382" type="hidden" />
              <input src="https://www.paypal.com/en_US/i/btn/btn_buynowCC_LG.gif" name="submit" alt="PayPal - The safer, easier way to pay online!" type="image" border="0" />
              <img alt="" src="https://www.paypal.com/en_US/i/scr/pixel.gif" height="1" width="1" border="0" />
              </form>
             
           </td></tr>
           </tbody></table>
<br />
<div><br /></div></td></tr></tbody></table></center>]]>
        
    </content>
</entry>

<entry>
    <title>Improve Your VirtualBox Experience</title>
    <link rel="alternate" type="text/html" href="http://linuxcoaching.ie/linux_coaching/2009/06/improve-your-virtualbox-experience.html" />
    <id>tag:linuxcoaching.eu,2009:/kerry_linux_help_center//1.12</id>

    <published>2009-06-29T18:41:50Z</published>
    <updated>2009-12-23T15:44:04Z</updated>

    <summary> Maybe you have followed my guide to easy virtualisation with Sun&apos;s VirtualBox software and you are familiar with the basics of running a virtual machine inside your normal Windows or Linux system by now. I hope that you enjoy...</summary>
    <author>
        <name>Ralph</name>
        <uri>http://kerry-linux.ie</uri>
    </author>
    
        <category term="Virtualisation" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://linuxcoaching.ie/linux_coaching/">
<![CDATA[ Maybe you have <a href="http://linuxcoaching.ie/linux_coaching/2009/05/virtualisation---the-easy-way.html"> followed my guide to easy virtualisation</a> with Sun's VirtualBox software and you are familiar with the basics of running a virtual machine inside your normal Windows or Linux system by now. I hope that you enjoy the many features of your new virtual machine, as most devices used by the virtual machine just work out of the box. Reading CDs and using the audio device for playback should work right away, and setting up a printer via the network connection is a matter of a few clicks. <br /><br />But the one problem you have certainly run into by now is the low display resolution, which defaults to 800x600 pixels and considerably cramps your freedom on the screen. Two simple steps sort out this problem for good. First select a suitable "Monitor Type" in the Administration - Display dialog and save the setting. Then edit the file "/etc/X11/xorg.conf" and add something like the following to the SubSection "Display":<br /><br />
<div class="output">
<pre>       SubSection "Display"
                Viewport   0 0
                Depth     24
                Modes "1024x768"  "800x600"
       EndSubSection</pre>
</div>
<br />After logging out and restarting the X server you should have a much bigger screen that almost covers the whole display when you switch into full-screen mode with Host+F (the host key is Right Ctrl by default).<br /><br />

<p></p><h3>Guest Additions pave the way for a seamless desktop experience</h3>

During the installation of VirtualBox a custom kernel module was built that enables the host system to manage the guest, but the guest system itself runs without any awareness of the fact that it is only a virtual machine. To integrate host and guest more closely, Sun provides a package called "Guest Additions" that must be installed <i>inside the guest</i> to make it VBox-aware. The installation of the Guest Additions culminates in compiling another kernel module, which the guest uses to communicate with the host and which makes additional features like shared folders available.<br /><br />Before we can use these features we have to prepare the guest system to compile kernel modules, that is, install a compiler and the kernel development packages inside the guest and bring the kernel and its headers to the same version, since the module is built against the running kernel. Use the following yum command inside the CentOS/Fedora guest:<br />&nbsp; <br />
<div class="code">
yum install gcc make dkms kernel kernel-headers kernel-devel
</div>

<br />The Guest Additions come as an iso file "VBoxGuestAdditions.iso", which can be found in the directory "/usr/share/virtualbox" on the host. Make the iso file available to the guest as a CD image by adding it in the appropriate section of the Virtual Media Manager. Restart your virtual machine to make sure the new, updated kernel is actually running, mount the CD image from within the guest and start the setup script "VBoxLinuxAdditions-x86.run" found on it. After rebooting the virtual machine the new kernel module for the guest becomes active and the additions are ready to use.

The first thing you'll notice is that the mouse pointer is no longer confined to the guest window: you can click on everything that is visible on the screen, no matter whether it is a host or a guest window. And, of course, you can now copy and paste text between host and guest as you like. A much more important change took place behind the curtain: access to the hard disk is faster now. Let's have a look at the following table,
which gives an overview of transfer rates measured on my laptop.
<p>

</p><center><table cellpadding="15" cellspacing="15">
<tbody><tr><th class="overview"> <i><b>Action</b></i> </th>
      <th class="overview"> <i><b>CentOS 5.2 HOST</b></i>  </th>
      <th class="overview"> <i><b> Fedora 10 GUEST <br />WITH Guest Extensions </b></i> </th>
      <th class="overview"> <i><b> Fedora 10 GUEST <br />without Guest Extensions</b></i>
</th></tr>
<tr><td class="overview"> creating files with zeroes </td>
      <td class="overview"> 27.1 MByte/sec  </td>
      <td class="overview">  21.8 MByte/sec</td>
      <td class="overview">  14.1 MByte/sec</td>
</tr>
<tr><td class="overview"> copying files </td>
      <td class="overview">  12.47 MByte/sec</td>
      <td class="overview">   11.96 MByte/sec</td>
      <td class="overview">  N/A</td>
</tr>
<tr><td class="overview">  writing to network shares</td>
      <td class="overview">  12.26 MByte/sec</td>
      <td class="overview">   5.6 MByte/sec</td>
      <td class="overview">  5.4 MByte/sec</td>
</tr>
<tr><td class="overview"> writing to shared folders </td>
      <td class="overview">  18.0 MByte/sec</td>
      <td class="overview">   6.7 MByte/sec</td>
      <td class="overview">  not available</td>
</tr></tbody></table>
</center>


<br />As you can see, writing to the virtual disk has improved considerably and copying files is now almost as fast as on the host, while there is still a large gap when network attached storage is used to extend the usually scarce disk space of the virtual machine. Shared folders at least let the host write into the shared directory at local-disk speed (it is, after all, just a host directory), whereas the guest's writes into the same folder are hardly faster than writing to a network share.<br /><br />Anyway, installing Sun's Guest Extensions truly polishes your virtual guest machine and lets it shine brighter than before.<br />
]]>
        
    </content>
</entry>

<entry>
    <title>Clone Your Hard Disk Today - With Clonezilla</title>
    <link rel="alternate" type="text/html" href="http://linuxcoaching.ie/linux_coaching/2009/06/clone-your-hard-disk-today---with-clonezilla.html" />
    <id>tag:linuxcoaching.eu,2009:/kerry_linux_help_center//1.11</id>

    <published>2009-06-06T15:35:52Z</published>
    <updated>2009-06-06T15:37:19Z</updated>

    <summary> I know, you are one of those people who know that it is absolutely essential to make regular backups of your system&apos;s hard disk. There is no excuse not to make regular backups, but as we all know, we...</summary>
    <author>
        <name>Ralph</name>
        <uri>http://kerry-linux.ie</uri>
    </author>
    
        <category term="System Administration" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Troubleshooting" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="backup" label="backup" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="clonezilla" label="Clonezilla" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://linuxcoaching.ie/linux_coaching/">
<![CDATA[ I know, you are one of those people who know that it is absolutely essential to make regular backups of your system's hard disk. There is no excuse not to make regular backups, but as we all know, we don't really do that. Or is it just me?<br /><br />No, you have to admit that even though the reasons to make backups are indisputable, something strange always - no, not always, but many times - keeps you from doing the necessary: updating your backups and securely storing them away. Making backups is not fun, but that's not the reason why we don't do it regularly. I suspect that you, as well as I, simply don't have the right tool yet to initiate an automatic process that boils down to getting a reliable backup, complete and safe to restore, which does not require much attention while assembling the data for us.<br /><br />Fortunately this situation is going to change dramatically for you, today. I've run into a backup solution that is just that, an automatic process that does not require user intervention once started to do the right thing. It's called Clonezilla and is essentially a Live Linux system, optimised for backup and recovery.<br /><br />
<h3>Clonezilla - Your bootable backup CD</h3>Clonezilla <a href="http://clonezilla.org/download/sourceforge/stable/iso-zip-files.php">
can be downloaded here as an ISO file of 106 megabytes</a>. Verify the checksum published next to the download before you do anything with it. The file contains everything that makes up a bootable Linux system, so be careful to burn the downloaded ISO file to CD as an image (raw mode): it is of no use as a file on a data CD, because the ISO file <i>is</i> the file system and it is the only thing that has to be on the CD.

<br /><br />Did I mention that Clonezilla is a backup solution that covers all sorts of partition types, so that our Windows-using friends can use it, too? Clonezilla can clone a complete hard disk no matter what kind of partitions it comprises. It even backs up the master boot record and the partition table, so you get a complete set of data from which all or any part can be recovered when you need it. All data is written as compressed files of at most 2 gigabytes each, so that everything can be burned to DVDs if needed.<br /><br />





<h3>Setting Clonezilla on the right track</h3>As we are now heading for a complete backup of your laptop's hard disk, one thing has to be considered before we start: where will all the backup data be stored? Fortunately Clonezilla offers a number of possible storage media, ranging from an additional (pluggable) local disk, an SSH server or a SAMBA server to the traditional NFS server. I assume that you have a portable USB hard disk on which you will store the backup. Please ensure that the free space on this disk is about half of the size of what you are going to back up, and add a bit of a buffer, too. Bear in mind that the image is a complete copy of every file on the disk, so treat the USB disk with at least the same care as the laptop itself.<br /><br />I have found that a second thing is important before you let Clonezilla create the backup: make sure that all partitions of your hard disk can be mounted. Best practice is to perform a file system check on all partitions before starting the Clonezilla boot CD.<br /><br />The following few steps are all you need to initiate a full backup of your laptop's hard disk, and you will see that once you've selected a few things the rest goes in a jiffy.<br />
<p>
</p><blockquote>
<table cellpadding="10" cellspacing="4">
  <tbody><tr><td valign="top" width="60"><b>Step 1</b></td>
     <td>
        Boot your Clonezilla backup CD, select language and keymap, then select "Start Clonezilla"
<p>
     </p></td></tr>

   <tr><td valign="top"><b>Step 2</b></td>
     <td>
After selecting the backup media (local_dev), power on your USB disk and allow a few seconds for the system to recognise the new hard disk on which the backup will be stored. Clonezilla creates a directory on the USB disk named after the date and time of the backup; you can choose where on the disk this directory is placed.
<p>
You can always switch to another terminal using &lt;CTRL&gt;&lt;ALT&gt;F2 to see that the USB disk is now mounted on /home/partimag. All files go into this directory.
</p><p>     
</p></td></tr>
  <tr>
     <td valign="top"><b>Step 3</b></td>
    <td>
Select "savedisk" to ensure that the whole hard disk is backed up. Once the partition information has been read in, Clonezilla starts the backup process automatically.
<p>
     </p></td></tr>
  <tr>
     <td valign="top"><b>Step 4</b></td>
     <td> Depending on the size of your hard disk, you can now relax and let Clonezilla compose your backup for you. Check the backup directory in the meantime to see it filling up with data.
      <p> 
     </p></td></tr>
</tbody></table>
</blockquote>
<p>
The performance of creating the backup is very good: it took 47 minutes for a 30 gigabyte data partition on my three-year-old laptop. The whole disk (120 gigabytes) was done after two and a half hours, leaving me with a total of 66 gigabytes of compressed data.</p><p>

<br /><i><b>Try Clonezilla today, it takes very little time to be secure. No excuses!</b></i></p><p><br /></p>]]>
        
    </content>
</entry>

<entry>
    <title>Virtualisation - The Easy Way</title>
    <link rel="alternate" type="text/html" href="http://linuxcoaching.ie/linux_coaching/2009/05/virtualisation---the-easy-way.html" />
    <id>tag:linuxcoaching.eu,2009:/kerry_linux_help_center//1.10</id>

    <published>2009-05-15T15:32:50Z</published>
    <updated>2009-12-23T13:15:54Z</updated>

    <summary>Virtualisation is one of the big next things to become mainstream technology. But it&apos;s a complex technology as there are many different software solutions available that differ greatly in terms of usability, flexibility and performance. As always there is a...</summary>
    <author>
        <name>Ralph</name>
        <uri>http://kerry-linux.ie</uri>
    </author>
    
        <category term="HELP-CENTER" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Virtualisation" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="fedora" label="Fedora" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://linuxcoaching.ie/linux_coaching/">
<![CDATA[Virtualisation is one of the next big things to become mainstream technology. But it's a complex technology, as there are many different software solutions available that differ greatly in terms of usability, flexibility and performance. As always there is a trade-off between ease of use and the performance of the guest system on your hardware. <b><i>This time we will try to get a virtual machine up and running with a minimum of obstacles on our way to success, and we will install a cutting-edge Linux OS, Fedora-11-Preview, which will finally be released in about two weeks, today! </i></b><br /><br />After all, trying out a new Linux distribution without the risk of making a mess of your hard disk is one of the most attractive features of virtualisation. What makes creating a guest virtual machine easy is the graphical user interface of <b>VirtualBox</b> from Sun Microsystems, which will guide us through the process in an intuitive way. Nevertheless the downside of this software is that even though it's open source, it's not entirely free. According to Sun's  <a href="http://www.virtualbox.org/wiki/VirtualBox_PUEL"> "VirtualBox Personal Use and Evaluation License (PUEL)"</a> the software is free to use for personal and educational purposes as well as for product evaluation:<br /><br /><blockquote>
Sun grants you a personal, non-exclusive, non-transferable, limited license without fees to reproduce, install, execute, and use internally the Product on a Host Computer for your Personal Use, Educational Use, or Evaluation. "Personal Use" requires that you use the Product on the same Host Computer where you installed it yourself and that no more than one client connect to that Host Computer at a time for the purpose of displaying Guest Computers remotely. "Educational use" is any use in an academic institution (schools, colleges and universities, by teachers and students). "Evaluation" means testing the Product for a reasonable period (that is, normally for a few weeks); after expiry of that term, you are no longer permitted to evaluate the Product. 
</blockquote>

But even though you'll need a commercial license from Sun to use VBox beyond evaluation, the download is free of charge and the PUEL allows intensive testing and is practicable for a number of non-commercial environments.<br /><br /><h3>Getting VirtualBox for Your Linux Distribution</h3>

As we are going to install a new Fedora 11 as a guest on top of your current Linux system, the host, the first step is obviously to get VirtualBox for your host system and install it there. Fortunately Sun has prepared binaries for a number of different Linux distributions, so <a href="http://www.virtualbox.org/wiki/Downloads">
go to Sun's download page here and choose your package</a>. Binaries are available in rpm or deb format, so your system's native installation tool should do the job.
Just bear in mind to install the kernel headers and the gcc compiler first, to enable VirtualBox to compile a kernel module that will be loaded at boot after installation. The installer also creates a group "vboxusers"; only members of this group may talk to the module through its device file, so add just the accounts that actually need to run virtual machines.<br /><br />Unlike Xen, which fundamentally changes the way your usual Linux system works, VirtualBox is just another application that runs inside your normal environment without changing anything on your host, except that it relies on the new kernel module created on installation.<br /><br />
<h3>Preparing VirtualBox for Installation of Fedora</h3>

Do you have two hours to burn? Let's get going.<br /><br />To get to the point where we can start to install Fedora, we basically have to prepare a virtual disk and attach a boot medium to the virtual machine.<br /><br /><br />
<table><tbody><tr><td>
</td><td>
By now you will have found the VirtualBox GUI in the System Tools menu and started to create a new virtual machine. <br /><br />First, we have to give it a name and select the OS type.<br /><br />Adjust the memory slider to at least 512 MB, or more if you can afford it. The more memory you assign to the virtual machine, the faster it will run, within the limits of what the host can spare. <br /></td>
<td>&nbsp;&nbsp;</td>
<td valign="top">
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm1-10.html" onclick="window.open('http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm1-10.html','popup','width=503,height=371,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm1-thumb-400x295-10.gif" alt="xvm1.gif" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="295" width="400" /></a></span>
</td></tr></tbody></table>

<p>

</p><table><tbody><tr><td valign="top">
</td><td>
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm2-13.html" onclick="window.open('http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm2-13.html','popup','width=454,height=347,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm2-thumb-400x305-13.gif" alt="xvm2.gif" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="305" width="400" /></a></span>
</td>
<td>&nbsp;&nbsp;</td>
<td>
In a second step we need to create a virtual hard disk in a file. During installation of the guest system this file will appear as the device "/dev/sda". All formatting and partitioning is performed inside this file, although to the guest system it looks like a normal block device.<br /><br />Later, when the Fedora installer partitions its hard disk, it will ask whether it may erase all data on the device "/dev/sda". I can see the sweat on your face when you click the OK button for the first time. Your real hard disk, also called /dev/sda, will survive this procedure, believe me.<br /><br />You have to choose the final size of your file system for the Fedora installation here, so think twice about how much space you will need.<br /></td></tr></tbody></table>

<table><tbody><tr><td valign="top">
</td><td>

As you can see I have only spent 4 gigabytes on my Fedora test system, enough to finish a default installation. But your mileage may vary, and it's not easy to expand your virtual disk after finishing the installation.<br /></td>
<td>&nbsp;&nbsp;</td>
<td valign="top">
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm3-16.html" onclick="window.open('http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm3-16.html','popup','width=451,height=161,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm3-thumb-400x142-16.gif" alt="xvm3.gif" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="142" width="400" /></a></span>
</td></tr></tbody></table>

<p>

</p><table><tbody><tr><td valign="top">
</td><td>
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm4-19.html" onclick="window.open('http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm4-19.html','popup','width=503,height=364,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm4-thumb-400x289-19.gif" alt="xvm4.gif" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="289" width="400" /></a></span>
</td>
<td>&nbsp;&nbsp;</td>
<td>
Initialising the file that represents your virtual disk will take a while.<br /><br />Check that the correct vdi-file is selected and finish this part of the job.<br /><br /><br /></td></tr></tbody></table>

<p>

</p><table><tbody><tr><td valign="top">
</td><td>

Before you can start the new virtual machine (to install Fedora) some minor changes to the default settings have to be made.<br /><br />First of all I would recommend to change the network configuration. <br /></td>
<td>&nbsp;&nbsp;</td>
<td valign="top">
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm5-23.html" onclick="window.open('http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm5-23.html','popup','width=818,height=412,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm5-thumb-400x201-23.gif" alt="xvm5.gif" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="201" width="400" /></a></span>
</td></tr></tbody></table>

<p>

</p><table><tbody><tr><td valign="top">
</td><td>
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm6-26.html" onclick="window.open('http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm6-26.html','popup','width=665,height=338,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm6-thumb-400x203-26.gif" alt="xvm6.gif" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="203" width="400" /></a></span>
</td>
<td>&nbsp;&nbsp;</td>
<td valign="">
Usually the VirtualBox GUI selects NAT, but I think it's more straightforward to configure the network interface to share the physical host interface with the new guest system.<br /><br /><br />I don't know whether or not this is really necessary in your situation, but it does not hurt anyway. Bear in mind, though, that with this setting the guest becomes a full member of your LAN with its own address, reachable by every other machine on the network, whereas with NAT it sits behind the host. So keep the guest's firewall enabled, just as you would for a freshly installed physical machine.<br /></td></tr></tbody></table>

<p>
</p><table><tbody><tr><td valign="top">
</td><td>
As a last step we need to tell VirtualBox where to find the installation media.<br /><br />If you have a download of the Fedora packages at hand stored in ISO format, you can use it here.<br /><br />For the sake of simplicity I would like to go a different route and ask you to <a href="http://ftp.heanet.ie/pub/fedora/linux/releases/test/11-Preview/Fedora/i386/iso/Fedora-11-Preview-i386-netinst.iso">download the 166 MB netinstall ISO file from the Fedora downloads page</a>. This file could be burned to CD to make a nice boot CD, but we can use the downloaded ISO file directly as the requested "Image File". As with any installation medium, verify its checksum against the one Fedora publishes before you boot from it. <br /><br />The only problem is that we have not attached the file to the virtual machine yet.<br /></td>
<td>&nbsp;&nbsp;</td>
<td valign="top">
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm7-29.html" onclick="window.open('http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm7-29.html','popup','width=449,height=416,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm7-thumb-400x370-29.gif" alt="xvm7.gif" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="370" width="400" /></a></span>
</td></tr></tbody></table>

<p>

</p><table><tbody><tr><td valign="top">
</td><td>
To make it available we have to go back to the "Virtual Media Manager" in the File menu and choose the downloaded iso-file as a CD/DVD image.<br /></td>
<td>&nbsp;&nbsp;</td>
<td valign="top">
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm8-32.html" onclick="window.open('http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm8-32.html','popup','width=626,height=398,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/xvm8-thumb-400x254-32.gif" alt="xvm8.gif" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="254" width="400" /></a></span>
</td></tr></tbody></table>
<p>
I hope you have come this far and I'd like to encourage you to start your new virtual machine to go ahead with the installation. Once you've hit the start button again, you should be greeted with the Fedora installation window, and from this point onwards everything should work as if you had inserted a real CD and tried to install on bare hardware. In the course of the installation you will inevitably reach the point where the hard disk has to be formatted, so keep an eye on the size of your install disk: it is exactly the size of your vdi-file. It does not matter that your real hard disk is also referenced as /dev/sda, your new /dev/sda is entirely separate, so don't hesitate to repartition it to your heart's content. And you can safely install the GRUB boot loader in the master boot record, your original one will not be overwritten by the new installation. That's the magic of virtualisation. <br /></p><p><br /></p><p>After finishing your Fedora installation there is one thing to remember: you have to remove the installation media before booting (the virtual machine) again. Well, you know how we attached the ISO file to the machine, so simply untick the box to detach it, then power off the virtual machine and start it again. Congratulations on your new Fedora 11, almost two weeks ahead of schedule. 

</p>]]>
        
    </content>
</entry>

<entry>
    <title>Hosting Virtual Users</title>
    <link rel="alternate" type="text/html" href="http://linuxcoaching.ie/linux_coaching/2009/05/hosting-virtual-users.html" />
    <id>tag:linuxcoaching.eu,2009:/kerry_linux_help_center//1.9</id>

    <published>2009-05-04T09:16:13Z</published>
    <updated>2009-12-23T13:12:10Z</updated>

    <summary> Normally, a user is someone listed in the system&apos;s database file /etc/passwd. There is no need for a flesh-and-bone user equipped with a password and ready to log in. Many users listed in the system database are simply immaterial...</summary>
    <author>
        <name>Ralph</name>
        <uri>http://kerry-linux.ie</uri>
    </author>
    
        <category term="System Administration" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Virtual Private Servers" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://linuxcoaching.ie/linux_coaching/">
<![CDATA[ Normally, a user is someone listed in the system's database file <b>/etc/passwd</b>. There is no need for a flesh-and-blood user equipped with a password and ready to log in. Many users listed in the system database are simply immaterial daemon users, like mysql, listed so that the operating system can assign a name (and, more importantly, a numeric UID) to a running process. <br /><br />But at least these daemon users own processes, e.g. the mysql database server, and of course real objects like files and directories are owned by those users. In a well-run environment these users do not have a password, so their account cannot be abused by somebody else, and almost always the shell that would be started <b>if</b> someone could log into this account is the binary <b>/sbin/nologin,</b> which does exactly what it says on the tin: it denies login. <br /><br />

<table><tbody><tr><td valign="top">
</td><td>
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/img3-7.html" onclick="window.open('http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/img3-7.html','popup','width=800,height=600,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://linuxcoaching.ie/linux_coaching/assets_c/2009/05/img3-thumb-400x300-7.jpg" alt="img3.jpg" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="300" width="400" /></a></span>
</td>
<td>&nbsp;&nbsp;</td>
<td valign="top">
And then there is another breed of users that seem to be ordinary fellows in the system and still do not exist as a user in the normal sense. These <strong>virtual users</strong> do have the ability to run certain programs, they all have a mailbox in which their private messages arrive and they all need a password to access their home directory, in which all their assets are being stored, but strangely enough there is no trace of them in the system's user base and password file. <p><br />

One can argue that because the virtual users don't have a valid number (UID) they are not users, and in a strict sense this is certainly true. <br /></p><p><em>But how can they own files and use a mailbox, just like other users do?</em>


</p></td></tr></tbody></table>


<h3>Hunting down the virtual users</h3>

We all know that in order to have a mailbox there has to be a mailbox file (usually in /var/spool/mail) that is owned by the respective user. And if someone attempts to read this mailbox, there has to be some kind of authentication, so the password must be stored somewhere.

At this point a real (daemon) user comes into play, the postman Tom, who of course has a valid UID listed in the file /etc/passwd, 555 on my system.
<br /><br />
Tom works at the heart of the mail delivery process, managing the virtual users' home directories and their mailboxes, and he is the only real user necessary to serve hundreds of virtual users on the system.  <p>

</p><h3>Virtual home directories and mailboxes</h3>

For every virtual user Tom creates a home directory, which Dovecot uses to store the virtual user's mail folders (the inbox itself lives in /kx/dovecot/mail, where Postfix delivers it, see below) together with the user's index and log files.<p>
</p><div class="output">
-bash-3.2# ls -laR  /kx/dovecot/home<br />
total 16<br />
drwx------ 4 postman root    4096 Nov 16 16:56 .<br />
drwxr-xr-x 5 root    root    4096 Dec  1 15:10 ..<br />
drwx------ 3 postman postman 4096 Nov 16 15:41 alice<br />
drwx------ 3 postman postman 4096 Nov 16 15:19 ron<br />
...
<br />
/kx/dovecot/home/alice/mail:<br />
total 24<br />
drwx------ 3 postman postman 4096 Nov 16 15:44 .<br />
drwx------ 3 postman postman 4096 Nov 16 15:41 ..<br />
drwx------ 4 postman postman 4096 Nov 16 15:44 .imap<br />
-rw------- 1 postman postman   10 Nov 16 15:44 .subscriptions<br />
-rw------- 1 postman postman 5318 Dec 11 18:34 sent-mail<br />
</div>
<br /><p>
All these files have been created by Tom for each of the virtual users.
In order to provide this infrastructure we have to make sure that every virtual user is mapped to Tom's UID and home area and, most importantly, that the authentication process can check the virtual user's password. The following lines show how the configuration of Dovecot (dovecot.conf) has to be changed for <b>Virtual Domains</b>: the static userdb maps every login name %n to Tom's UID and a home directory under /kx/dovecot/home, while the passdb reads the passwords from an htpasswd-style file.
</p><p>
</p><div class="output">
##### VIRTUAL DOMAIN USERS #######<br />
mail_location = mbox:~/mail:INBOX=/kx/dovecot/mail/%n<br />
auth default {<br />
&nbsp;  userdb static {<br />
  &nbsp;&nbsp;     args = uid=postman gid=postman home=/kx/dovecot/home/%n<br />
&nbsp;  }<br />
<br />
 &nbsp;  passdb passwd-file {<br />
  &nbsp;&nbsp;     args = /kx/horde/htpasswd<br />
 &nbsp; }<br />
&nbsp; user = apache<br />
}<br />
</div>
<p><br />

All passwords are stored in the file /kx/horde/htpasswd in the usual form required by the Apache web server. This matters for two reasons: the Dovecot authentication process runs as the user apache (the "user = apache" line above), so it can read a file owned by the web server and authenticate virtual users from it, and at the same time other web-based software can grant the virtual users access to their homes with the same password. We will have a look at this later. Two caveats: everything that runs as apache, including every script on the web server, can read these hashes, so the file must not be world-readable and the web server is effectively trusted by the mail system; and the two entries below are traditional DES crypt hashes, which silently truncate the password to eight characters. Dovecot's passwd-file accepts a {SCHEME} prefix per entry, so prefer a salted, iterated scheme such as {SHA512-CRYPT} if your Dovecot version supports it.
<br /></p><p>
</p><div class="output">
ron:hLILWelxS7E82<br />
alice:ildPSIfh7EkT2<br />
</div>
<p>

</p><h3>Getting all email in the right direction</h3>
By now we have set up mailbox access for virtual users via IMAP without registering any of these users in the system's user database. What we do not have in place yet is a mechanism to fill the virtual users' mailboxes with incoming mail.

<p>
As you may suspect, another part of the mail delivery process has to be adjusted to ensure that the virtual users, who can have entirely different email addresses, receive their mail without hassle. This time we need to add a few lines to the Postfix configuration file (main.cf) and create a mapping between email addresses and the virtual users who are supposed to read the mail. The UID and GID are Tom's, so every mailbox Postfix writes is owned by the same user that Dovecot reads it as.
</p><p>
</p><div class="output">
virtual_mailbox_domains = linuxcoaching.eu, somedomain.ie<br />
virtual_mailbox_base = /kx/dovecot/mail<br />
virtual_mailbox_maps = hash:/kx/dovecot/virtual_mailbox_map<br />
virtual_uid_maps = static:555<br />
virtual_gid_maps = static:555<br />
</div>
<p><br />
The pivotal point here is the text file "/kx/dovecot/virtual_mailbox_map", in which each email address is followed by the virtual user's name (a path relative to virtual_mailbox_base; a name without a trailing slash means an mbox file, which is exactly what Dovecot's INBOX setting above points at). But before Postfix can use this table to deliver mail it has to be hashed, i.e. converted into the database file "/kx/dovecot/virtual_mailbox_map.db" with the postmap command below, and postmap has to be rerun after every change.
</p><div class="output">
ron@linuxcoaching.eu ron<br />
alice@somedomain.ie alice<br />
</div>
<p>
</p><div class="code">
/usr/sbin/postmap /kx/dovecot/virtual_mailbox_map<br />
</div>
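The setup above is held together by three text files that nothing cross-checks: an address whose domain is missing from virtual_mailbox_domains is not treated as virtual at all, a mailbox name without a passwd-file entry receives mail nobody can read, and a DES crypt hash keeps only eight characters of the password. The following script is an added example for this article, not a Dovecot or Postfix tool and not the author's code; it parses the passwd-file, the virtual_mailbox_map and the domain list in the formats shown above and reports those mismatches. The file contents embedded in it are constructed samples, and the hashes are not real.

```python
"""Consistency and hash-strength check for the virtual-user setup.

Added example; not part of the original article and not a Dovecot or
Postfix tool. It parses the three pieces of configuration the article
describes: the htpasswd-style passwd-file Dovecot authenticates against,
Postfix's virtual_mailbox_map (address -> mailbox name) and the
virtual_mailbox_domains list. It reports the mismatches that silently break
delivery or login, and flags traditional DES crypt hashes. The file
contents below are constructed samples in the article's format; the hashes
are not real.
"""
import re
from dataclasses import dataclass, field

HTPASSWD = """\
ron:hLILWelxS7E82
alice:ildPSIfh7EkT2
bob:{SHA512-CRYPT}$6$Qm9ic2FsdA$constructed.not.a.real.hash
"""

VIRTUAL_MAILBOX_MAP = """\
ron@linuxcoaching.eu ron
alice@somedomain.ie alice
carol@somedomain.ie carol
dave@example.net dave
"""

VIRTUAL_MAILBOX_DOMAINS = "linuxcoaching.eu, somedomain.ie"

# Traditional DES crypt: exactly 13 characters of the crypt alphabet, no '$'
# (modular crypt) and no '{SCHEME}' prefix. It truncates passwords to 8 chars.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


@dataclass
class Findings:
    unknown_domain: list = field(default_factory=list)  # not in virtual_mailbox_domains
    no_login: list = field(default_factory=list)        # mail delivered, nobody can log in
    no_address: list = field(default_factory=list)      # can log in, never receives mail
    weak_hash: list = field(default_factory=list)       # DES crypt entries

    def ok(self):
        # no_address is only informational: such an account may be intended
        return not (self.unknown_domain or self.no_login or self.weak_hash)


def parse_passwd_file(text):
    """user -> hash from 'user:hash[:more fields]' lines; blanks and comments skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        entries[user] = rest.split(":", 1)[0]
    return entries


def parse_mailbox_map(text):
    """address -> mailbox name from Postfix 'key value' lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        mapping[key.lower()] = value.strip()
    return mapping


def parse_domains(text):
    return {d.strip().lower() for d in text.split(",") if d.strip()}


def check(passwd_text, map_text, domains_text):
    users = parse_passwd_file(passwd_text)
    mailboxes = parse_mailbox_map(map_text)
    domains = parse_domains(domains_text)
    f = Findings()
    for address, name in mailboxes.items():
        if address.rpartition("@")[2] not in domains:
            f.unknown_domain.append(address)
        if name not in users:
            f.no_login.append(name)
    mapped = set(mailboxes.values())
    for user, pw_hash in users.items():
        if user not in mapped:
            f.no_address.append(user)
        if DES_CRYPT.match(pw_hash):
            f.weak_hash.append(user)
    return f


if __name__ == "__main__":
    findings = check(HTPASSWD, VIRTUAL_MAILBOX_MAP, VIRTUAL_MAILBOX_DOMAINS)
    for label, items in vars(findings).items():
        print(f"{label:15}: {', '.join(items) or '-'}")
    print("setup consistent:", findings.ok())
```

On a real server, read the three inputs from /kx/horde/htpasswd, /kx/dovecot/virtual_mailbox_map and the virtual_mailbox_domains line of main.cf (for example via <code>postconf -h virtual_mailbox_domains</code>) and run the check before every <code>postmap</code>.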

<h3><br /></h3><h3>Extending our infrastructure</h3>

The most important benefit of this system is that virtual users do not exist in the system's user database and can nevertheless be treated like ordinary users. As some users tend to choose weak passwords, this limits the damage a compromised account can do considerably: a guessed password yields access to one mailbox, not a shell account on the server. But once virtual users are established with an email address and password in the manner I have described, it seems an obvious idea to use these credentials for another purpose, to give the virtual users a file system-like structure in which to store their data as well. Fortunately such a file store can easily be set up using the HORDE framework, in particular its gollem module, which can be configured to use the file system or a MySQL database to store the virtual users' files while making them available for upload and download through a browser interface. ]]>
        
    </content>
</entry>

<entry>
    <title>Getting Outahere - Explained</title>
    <link rel="alternate" type="text/html" href="http://linuxcoaching.ie/linux_coaching/2009/04/getting-outahere---explained.html" />
    <id>tag:linuxcoaching.eu,2009:/kerry_linux_help_center//1.8</id>

    <published>2009-04-22T17:23:39Z</published>
    <updated>2009-04-24T11:21:06Z</updated>

    <summary>How do I connect to the Internet? By putting a network cable into the DSL router, well, most of the time, yes. But sometimes my laptop needs to establish the connection to the Internet using a wireless data modem. Obviously...</summary>
    <author>
        <name>Ralph</name>
        <uri>http://kerry-linux.ie</uri>
    </author>
    
        <category term="Behind the Curtains" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Wireless" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://linuxcoaching.ie/linux_coaching/">
        <![CDATA[<h3>How do I connect to the Internet?</h3>

By putting a network cable into the DSL router; well, most of the time, yes. But sometimes my laptop needs to establish the connection to the Internet using a wireless data modem. Obviously this changes a few things on the machine that are not entirely clear to someone starting on this track for the first time.<p>

</p><blockquote>
In this article we will look behind the curtain to understand the process of dialling into the Internet via a wireless modem.
</blockquote><p>

Let's begin with the basic differences. By using the modem, we have decided that the laptop itself will become part of the Internet, whereas up to now it was only part of the local area network. First of all, this requires running a firewall on the laptop, if you have not already set one up. Protecting your machine while it is connected to the Internet is indispensable, and you have to make sure that your firewall is not disabled entirely. Check your firewall rules with the following command:
<br />
</p><div class="code">
/sbin/iptables -L
</div>
<div class="output">
Chain INPUT (policy ACCEPT)<br />
target     prot opt source               destination<br />         
<br />
Chain FORWARD (policy DROP)<br />
target     prot opt source               destination<br />         
<br />
Chain OUTPUT (policy ACCEPT)<br />
target     prot opt source               destination<br />
</div>
<p><br /> 
The output above shows that there is no protection: the INPUT chain accepts everything, and you have to solve this problem first. Anyway, firewall configuration will be covered in a separate post.</p>
<p>
</p><h3>Where do all these packets go?</h3>
As long as your machine was using the router, an IP address belonging to the router was listed in the laptop's routing table. More precisely, the ethernet adaptor would send every data packet destined for the Internet to the machine with this default address, and for the laptop to be able to establish its own connection the old default route to the DSL router has to be removed from the network settings. Nowadays we simply click through the network dialog and delete the "default gateway address" there. But if you would like to know where to check that setting, examine the file "ifcfg-eth0" in the directory "/etc/sysconfig/network-scripts"; there should be no GATEWAY line.<br />
<p>
<br />
It is one of the tasks of a process called "pppd" to set up a new default route once the connection to the Internet has been successfully established through the modem and a new network interface "ppp0". Getting the Point-to-Point Protocol daemon (pppd) up and running is the most important thing to get right, but then, fortunately, it is the only thing to do. There was no need for a pppd as long as we had the router, but now this background process is responsible for shovelling all packets back and forth between the laptop and the Internet for us. <br /><br />

</p><h3>Chatting up the PPP Daemon</h3>

Given that everything is well prepared, starting the pppd process is as easy as the following:<p><br />
</p><div class="code">
/usr/sbin/pppd file three.options connect '/usr/sbin/chat -v -f three.chat ' /dev/ttyUSB0
</div>
<br /><p>

As I am using a THREE data modem, there are two files that determine the process of dialling into the Internet: an options file and the chat script. The last parameter the pppd process depends on is the device file for the hardware used. In most cases running pppd fails because this special file, which represents the wireless modem, does not exist.
Check whether your Linux system lists the device file; if not, we cannot proceed, because the hardware is not actually accessible through the kernel. 

The kernel module responsible for making the wireless modem visible to the kernel is called "usbserial", and it has to be loaded with two pieces of information, the vendor id and the product id, which differ for every modem. For my wireless modem I have to use this command.
</p>
<div class="code">
/sbin/modprobe usbserial vendor=0x19d2 product=0x0001
</div><p><br />
You have to check your actual hardware and find out which values are correct for it; the "lsusb" command provides that information.

<br />
Now that the hardware is available through the device file "/dev/ttyUSB0", we can define a few options the pppd process should honour while starting up.
</p><div class="output">
460800<br />
noipdefault<br />
defaultroute<br />
persist<br />
noauth<br />
updetach<br />
novj<br />
novjccomp<br />
nopcomp<br />
nodeflate<br />
holdoff 5<br />
</div>
<br />
Apart from requesting the desired baud rate, the process tries to get a remote IP address from the ISP's login server (noipdefault), does not require the ISP's end point to authenticate itself (noauth), and installs the default route in the routing table after setting up the connection (defaultroute).

<p>
During this process the pppd process exchanges some information with the ISP's login server on the Internet to obtain the required IP address. The details of this conversation are laid down in the chat script. 


</p><p>
</p><div class="output">ABORT   BUSY<br />
ABORT   VOICE <br />
ABORT   "NO CARRIER"<br />
ABORT   "NO DIALTONE"<br />
ABORT   "NO DIAL TONE"<br />
""      ATZ<br />
OK ATE0V1&amp;D2&amp;C1S0=0+IFC=2,2<br />
OK AT+CGDCONT=1,"IP","3ireland.ie"<br />
OK ATDT*99#<br />
CONNECT "" <br />
</div>
<br />
This file lists two corresponding pieces of information on each line. While reading the modem input, the process waits for the first part to appear (sent by the server) and responds with the second part, which in most cases is, of course, an old-fashioned modem AT command. You can watch this conversation between the modem and the ISP's access machine in detail if you display the tail of the logfile "/var/log/messages".<br />&nbsp;<br />
<div class="code">
tail -f /var/log/messages
</div><p><br />
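</p><p>
The following Python script is an added example (not from the original post or from pppd) that parses a script in this format the way chat(8) reads it and replays it over a constructed modem transcript modelled on the log excerpt, showing how the expect/ABORT decisions come out. Both transcripts are constructed sample data.
</p>

```python
"""Replay a pppd chat script against recorded modem output.
Added example, not part of the original post: chat(8) scripts are
expect/send pairs plus ABORT strings that end the session early."""
import re

CHAT_SCRIPT = '''\
ABORT   BUSY
ABORT   VOICE
ABORT   "NO CARRIER"
ABORT   "NO DIALTONE"
ABORT   "NO DIAL TONE"
""      ATZ
OK      ATE0V1&D2&C1S0=0+IFC=2,2
OK      AT+CGDCONT=1,"IP","3ireland.ie"
OK      ATDT*99#
CONNECT ""
'''
BARE_WORD = re.compile(r"\S+")
# Constructed modem output: the happy case from the log excerpt, and a busy line.
GOOD_TRANSCRIPT = ("\r\n+ZUSIMR:2\r\nOK\r\nATE0V1&D2+ZUSIMR:2\r\n1S0=0+IFC=2,2\r\r\nOK"
                   "\r\n\r\nOK\r\n\r\nCONNECT\r\n")
BUSY_TRANSCRIPT = "\r\nOK\r\n\r\nOK\r\n\r\nOK\r\nBUSY\r\n"

def tokenize(text):
    """Split like chat(8): a word opening with a quote ends at the matching
    quote (quotes dropped, so "" is empty); a bare word runs to whitespace and
    keeps embedded quotes, as in AT+CGDCONT=1,"IP","3ireland.ie"."""
    words, i = [], 0
    while i < len(text):
        if text[i].isspace():
            i += 1
        elif text[i] in "\"'":
            end = text.index(text[i], i + 1)
            words.append(text[i + 1:end])
            i = end + 1
        else:
            bare = BARE_WORD.match(text, i)
            words.append(bare.group())
            i = bare.end()
    return words

def parse_chat(script):
    """Return (abort_strings, [(expect, send), ...]) in script order."""
    words, aborts, pairs = tokenize(script), [], []
    for key, value in zip(words[::2], words[1::2]):
        if key == "ABORT":
            aborts.append(value)
        else:
            pairs.append((key, value))
    return aborts, pairs

def run_chat(script, transcript):
    """Return (commands_sent, status): 'connected', 'abort:<str>' or
    'timeout:<expect>'. An abort string that shows up before the expected
    text wins, which is how chat itself behaves."""
    aborts, pairs = parse_chat(script)
    sent, pos = [], 0
    for expect, send in pairs:
        if expect:   # an empty expect ("") sends immediately
            found = transcript.find(expect, pos)
            for abort in aborts:
                at = transcript.find(abort, pos)
                if at != -1 and (found == -1 or at < found):
                    return sent, f"abort:{abort}"
            if found == -1:
                return sent, f"timeout:{expect}"
            pos = found + len(expect)
        sent.append(send)
    return sent, "connected"
```
<p>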

Finally, when the remote IP address is obtained, the interface "ppp0" can be used.

</p><h3>Get a decent Name Service - And Enjoy!</h3>

Of course you should be able to surf the web using the new network connection, as the default route should have been created by the now running pppd process. If you still don't get your Internet applications running, there is a last hurdle to overcome. The domain name service (or DNS for short) is used by all our applications: no matter what kind of program you use, the first step is always the substitution of a domain name by the correct IP address. Because this substitution has to be done many times, one or more name servers must be within easy reach of your laptop. I have found some name servers that work for me and are reliable and fast, but depending on your location, different ones may be better. Try to find the ones that perform best for you and finally record their IP addresses in the file "/etc/resolv.conf" to make sure that your Internet connection performs well.<br />&nbsp;<br /><p>
Now, this is how I connect to the Internet! The following excerpt is taken from the usual suspect file "<strong>/var/log/messages</strong>"
<br /></p><p>
</p><div class="output">
Apr 15 22:15:45 mosel pppd[8859]: pppd 2.4.4 started by root, uid 0<br />
Apr 15 22:15:46 mosel chat[8860]: abort on (BUSY)<br />
Apr 15 22:15:46 mosel chat[8860]: abort on (VOICE)<br />
Apr 15 22:15:46 mosel chat[8860]: abort on (NO CARRIER)<br />
Apr 15 22:15:46 mosel chat[8860]: abort on (NO DIALTONE)<br />
Apr 15 22:15:46 mosel chat[8860]: abort on (NO DIAL TONE)<br />
Apr 15 22:15:46 mosel chat[8860]: send (ATZ^M)<br />
Apr 15 22:15:46 mosel chat[8860]: expect (OK)<br />
Apr 15 22:15:46 mosel chat[8860]: ^M<br />
Apr 15 22:15:46 mosel chat[8860]: +ZUSIMR:2^M<br />
Apr 15 22:15:46 mosel chat[8860]: ^M<br />
Apr 15 22:15:46 mosel chat[8860]: OK<br />
Apr 15 22:15:46 mosel chat[8860]:  -- got it<br />
Apr 15 22:15:46 mosel chat[8860]: send (ATE0V1&amp;D2&amp;C1S0=0+IFC=2,2^M<br />
Apr 15 22:15:46 mosel chat[8860]: expect (OK)<br />
Apr 15 22:15:46 mosel chat[8860]: ^M<br />
Apr 15 22:15:46 mosel chat[8860]: ATE0V1&amp;D2<br />
Apr 15 22:15:46 mosel chat[8860]: +ZUSIMR:2^M<br />
Apr 15 22:15:46 mosel chat[8860]: 1S0=0+IFC=2,2^M^M<br />
Apr 15 22:15:46 mosel chat[8860]: OK<br />
Apr 15 22:15:46 mosel chat[8860]:  -- got it<br />
Apr 15 22:15:46 mosel chat[8860]: send (AT+CGDCONT=1,"IP","3ireland.ie"^M)<br />
Apr 15 22:15:46 mosel chat[8860]: expect (OK)<br />
Apr 15 22:15:46 mosel chat[8860]: ^M<br />
Apr 15 22:15:46 mosel chat[8860]: ^M<br />
Apr 15 22:15:46 mosel chat[8860]: OK<br />
Apr 15 22:15:46 mosel chat[8860]:  -- got it<br />
Apr 15 22:15:46 mosel chat[8860]: send (ATDT*99#^M)<br />
Apr 15 22:15:46 mosel chat[8860]: expect (CONNECT)<br />
Apr 15 22:15:46 mosel chat[8860]: ^M<br />
Apr 15 22:15:46 mosel chat[8860]: ^M<br />
Apr 15 22:15:46 mosel chat[8860]: CONNECT<br />
Apr 15 22:15:46 mosel chat[8860]:  -- got it<br />
Apr 15 22:15:46 mosel chat[8860]: send (^M)<br />
Apr 15 22:15:46 mosel pppd[8859]: Serial connection established.<br />
Apr 15 22:15:46 mosel pppd[8859]: Using interface ppp0<br />
Apr 15 22:15:46 mosel pppd[8859]: Connect: ppp0 &lt;--&gt; /dev/ttyUSB0<br />
Apr 15 22:15:49 mosel pppd[8859]: Could not determine remote IP address: defaulting to 10.64.64.64<br />
Apr 15 22:15:49 mosel pppd[8859]: local  IP address 10.214.138.131<br />
Apr 15 22:15:49 mosel pppd[8859]: remote IP address 10.64.64.64<br />
</div>]]>
        
    </content>
</entry>

<entry>
    <title>Learn to Frustrate the Intruders</title>
    <link rel="alternate" type="text/html" href="http://linuxcoaching.ie/linux_coaching/2009/04/learn-to-frustrate-the-intruders.html" />
    <id>tag:linuxcoaching.eu,2009:/kerry_linux_help_center//1.7</id>

    <published>2009-04-16T17:32:12Z</published>
    <updated>2009-04-16T17:39:56Z</updated>

    <summary>Have you ever listened to someone who had been fallen victim to a burglary, someone whose home had been broken into by a criminal, entirely ignoring his privacy, snooping around in his personal belongings and making a total mess of...</summary>
    <author>
        <name>Ralph</name>
        <uri>http://kerry-linux.ie</uri>
    </author>
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Virtual Private Servers" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://linuxcoaching.ie/linux_coaching/">
<![CDATA[Have you ever listened to someone who has fallen victim to a burglary, someone whose home has been broken into by a criminal, entirely ignoring his privacy, snooping around in his personal belongings and making a total mess of everything that came his way? It is nearly impossible not to feel yourself the pain this person has been through. <br /><br />And in the online world things are not that different. After all the effort you've put into getting a Virtual Private (!) Server going, and after furnishing it with something you think is valuable and worth protecting, you can easily get into a similar rage about people starting to break into your VPS the minute you have finished making it a venerable target for those careless and often thoughtless digital scumbags on the Internet.<br /><br />A brief look at the file "<b>/var/log/security</b>" shows how your virtual home is under attack right at this moment.<br /><br />

<div class="output">
[skipped earlier lines ...]<br />
Apr 15 13:25:40 vm829 sshd[15230]: Invalid user admin from 58.151.115.9<br />
Apr 15 12:25:40 vm829 sshd[15231]: input_userauth_request: invalid user admin<br />
Apr 15 12:25:41 vm829 sshd[15231]: Received disconnect from 58.151.115.9: 11: Bye Bye<br />
Apr 15 14:46:01 vm829 sshd[15816]: Did not receive identification string from 210.4.143.55<br />
Apr 15 15:00:28 vm829 sshd[15910]: reverse mapping checking getaddrinfo for 210-4-143-55.inter.net.th failed - POSSIBLE BREAK-IN ATTEMPT!<br />
Apr 15 14:00:28 vm829 sshd[15911]: Received disconnect from 210.4.143.55: 11: Bye Bye<br />
Apr 15 15:00:34 vm829 sshd[15915]: Invalid user fluffy from 210.4.143.55<br />
Apr 15 15:00:34 vm829 sshd[15915]: reverse mapping checking getaddrinfo for 210-4-143-55.inter.net.th failed - POSSIBLE BREAK-IN ATTEMPT!<br />
[skipped following lines ...]<br />
</div>
<br /><br />I sincerely welcome any and all attempts to counter the disgusting actions of those who, in most cases, are not even remotely aware of, or capable of understanding, what the software they are (ab)using does.

<br /><p>
</p><h3>Statistics of a Break-In Attack</h3>

Let's have a look at such an attempt to abuse the ssh service on my VPS. It was recorded in the very first hours this machine became visible on the Internet.
<p>
</p><div class="quote">
<blockquote>
<table cellpadding="5">
<tbody><tr> <td> Creation of the VPS </td> <td>&nbsp;&nbsp;</td> <td> Dec 9, 15:00  </td></tr>
<tr> <td>  Begin of Attack</td><td>&nbsp;&nbsp;</td><td> Dec 10, 20:24  </td></tr>
<tr> <td>  End of Attack</td><td>&nbsp;&nbsp;</td><td> Dec 10, 21:12  </td></tr>
<tr> <td> Duration of Attack </td><td>&nbsp;&nbsp;</td><td> 38 minutes  </td></tr>
<tr> <td> Attacker's IP </td><td>&nbsp;&nbsp;</td><td> 58.213.125.25  </td></tr>
<tr> <td>  Number of Break-In Attempts</td><td>&nbsp;&nbsp;</td><td>  583 </td></tr>
<tr> <td>  Attempts to login as root</td><td>&nbsp;&nbsp;</td><td>474 (81.3 %)   </td></tr>
<tr> <td>  Valid user names tried</td><td>&nbsp;&nbsp;</td><td>postscript (5) , mysql (2)   </td></tr>
<tr> <td> Invalid user names tried </td><td>&nbsp;&nbsp;</td><td> 102  </td></tr>
<tr> <td> Usernames tried multiple times </td><td>&nbsp;&nbsp;</td><td> admin (8), george (3), gnax (6), test (2)   </td></tr>
<tr> <td>Selection of other invalid names  </td><td>&nbsp;&nbsp;</td><td>anita, asterisk, dj, email, foo, gv, joe,    </td></tr>
<tr> <td>  </td><td>&nbsp;&nbsp;</td><td> kateroselmau, mythtv, ruby, sales, windywang, wwang  </td></tr>
</tbody></table>
</blockquote></div>

During the best part of an hour the attacker tried 583 passwords to break into my digital home; nearly every 4 seconds a failed ssh connection was recorded in my logfiles, unsurprisingly targeting the root account. As it turned out, the IP address was not bound to a registered domain name, so it could even have been an innocent user's PC taken over by the attacker.
<br /><p>
</p><h3>Counter-Measures</h3>

Some people have suggested playing "hide and seek" with the culprits by switching the native port 22 used by SSH to something like 51679. Even though that may reduce the rate of attacks, it surely won't deter those who use port scanners to find the port SSH is listening on.<br /><br />Others rely on periodically updating their "/etc/hosts.deny" file to block access from IP addresses that have proven to be suspicious. This may solve the problem for those attacks that always start from the same hosts, but attackers who change their base frequently will still find an open door once they are using a freshly taken-over host.<br /><br />I have taken a different approach, namely to change the response of my firewall to incoming ssh requests. I changed the rules so that only 3 connection attempts per 2-minute period are served. This reduced my server's susceptibility greatly, as the automated attacks tend to break off after very few tries and don't return.<br /><br />The following lines added to my firewall script did the job:<br /><p>
</p><div class="code">
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH<br />
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --rttl --name SSH -j DROP<br />
</div>
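<p>
As an added example (not from the original post), the Python script below re-applies the window of that rule pair to a constructed excerpt of sshd log lines: it records each failed attempt per address, marks the ones a 4-hits-in-120-seconds rule would drop, and computes the kind of figures listed in the table above. The log lines are constructed; the "Failed password" format is sshd's standard message and does not appear in the excerpt above.
</p>

```python
"""Replay sshd failures against the iptables 'recent' rule above.
Added example, not from the original post: it parses the "Invalid user"
lines from the excerpt plus sshd's standard "Failed password" line, then
re-applies the rule's window, where the 4th new connection from one
address within 120 s is the first one dropped."""
import re
from datetime import datetime
# Constructed sample: one address knocking every 4 s, one other visitor.
SAMPLE_LOG = """\
Apr 15 13:25:40 vm829 sshd[15230]: Invalid user admin from 58.151.115.9
Apr 15 13:25:44 vm829 sshd[15232]: Failed password for root from 58.151.115.9 port 40213 ssh2
Apr 15 13:25:48 vm829 sshd[15234]: Failed password for root from 58.151.115.9 port 40215 ssh2
Apr 15 13:25:52 vm829 sshd[15236]: Invalid user fluffy from 58.151.115.9
Apr 15 13:25:56 vm829 sshd[15238]: Failed password for root from 58.151.115.9 port 40219 ssh2
Apr 15 13:27:55 vm829 sshd[15240]: Failed password for root from 58.151.115.9 port 40221 ssh2
Apr 15 13:28:00 vm829 sshd[15242]: Invalid user admin from 210.4.143.55
Apr 15 15:00:28 vm829 sshd[15910]: reverse mapping checking getaddrinfo for 210-4-143-55.inter.net.th failed - POSSIBLE BREAK-IN ATTEMPT!
""".splitlines()

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
INVALID_RE = re.compile(r"Invalid user (\S+) from (\d+(?:\.\d+){3})")
FAILED_RE = re.compile(r"Failed password for (?!invalid user )(\S+) from (\d+(?:\.\d+){3})")

def parse_events(lines, year=2009):
    """Return (timestamp, ip, user) per failed attempt, oldest first; syslog
    lines carry no year, so one is assumed."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        hit = m and (INVALID_RE.search(m.group(2)) or FAILED_RE.search(m.group(2)))
        if hit:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, hit.group(2), hit.group(1)))
    return sorted(events)

def would_be_dropped(events, seconds=120, hitcount=4):
    """Indexes of attempts the rule pair would DROP. The --set rule records
    every new connection before --update counts, so the current attempt is
    included; --rttl is assumed to hold (same TTL as the earlier hits)."""
    recent, dropped = {}, []
    for i, (ts, ip, _user) in enumerate(events):
        hits = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= seconds]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= hitcount:
            dropped.append(i)
    return dropped

def summarize(events):
    """The figures of the table above, computed for one log excerpt."""
    by_ip = {}
    for _ts, ip, _user in events:
        by_ip[ip] = by_ip.get(ip, 0) + 1
    root = sum(1 for _ts, _ip, user in events if user == "root")
    return {
        "attempts": len(events),
        "root_attempts": root,
        "root_share": round(100.0 * root / len(events), 1) if events else 0.0,
        "top_ip": max(by_ip, key=by_ip.get) if by_ip else None,
        "duration_s": (events[-1][0] - events[0][0]).total_seconds() if events else 0.0,
    }
```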
]]>
        
    </content>
</entry>

</feed>
