What is a VPN?

Posted by: Tom  :  Category: Internet, Linux, Microsoft, Operating Systems, Techbait Homegrown, UNIX, Windows, networking

Have you ever wanted to communicate securely over a public network, like the Internet, in order to exchange confidential or sensitive information, passwords, or other data?  You need a VPN, or Virtual Private Network, to connect you from one point to another over the insecure public medium.  The VPN, whether purely software or a VPN appliance with its own built-in software, uses encryption to construct a tunnel between the two endpoints, so that traffic crossing the public network in between cannot be read or altered by anyone who can see the packets.  The two endpoints also authenticate each other when the tunnel is set up, which is what stops an impostor from standing up its own endpoint and collecting your traffic.  VPNs are also useful for simply reaching your private network remotely, since you don't want unknown entities to map your internal network infrastructure and hosts, or to sniff out your passwords.

On a related line of thought, if you use UNIX or Linux, a good way to access your home network over the Internet from a remote point is to set up an SSH tunnel, where the Secure Shell is used to construct the encrypted channel.  You log in to the remote UNIX or Linux host via SSH with X11 forwarding enabled, and graphical X Window applications started in that session are displayed on your local machine through the tunnel.  You can do this from a Windows client by using Cygwin or other software which allows one to run POSIX, GNU, and UNIX/Linux utilities (including an X server) on a Windows machine.  You can do this from work if your network allows this sort of outbound Internet access.  It is handy to be able to access your home UNIX/Linux server over an SSH tunnel, but keep in mind that X11 forwarding lets programs on the remote host talk to your local display, so only forward X to hosts you trust.

$ ssh -X u...@server.homenetwork.com
$ ssh -X user@<public ip address of server>

You can request compression of all data to improve the user experience on a low speed link (such as a WAN link) using the -C option.  Note the upper case: lower case -c selects the cipher, not compression:

$ ssh -C -X user@<public ip address of server>

You can then run any X Window application from the remote shell by simply typing the program's executable name followed by an ampersand, which runs it in the background as its own process.  Running an entire desktop like KDE or GNOME is a different matter: startx starts an X server on the remote machine's own console, not over the tunnel, so it is not the tool for this.  For a whole remote desktop you want a remote-desktop protocol such as VNC tunnelled through SSH; plain -X forwarding is best suited to individual applications.

ARP Cache Poisoning Prevention

Posted by: Tom  :  Category: Internet, Linux, Techbait Homegrown, UNIX, networking

In computer networking parlance, ARP stands for Address Resolution Protocol.  The ARP cache is the table that maps IP (Internet Protocol) addresses to hardware MAC (Media Access Control) addresses on a local TCP/IP network segment.  ARP has no authentication: a host accepts a reply without checking that it really came from the machine that owns the address, and many stacks will even accept an unsolicited ("gratuitous") reply.  So if one of your network's systems is compromised, it can spoof replies to the other systems on the segment.  The poisoning happens when the target machine's cache is updated with faulty information linking the attacker's MAC address to a local IP address, typically the gateway's, after which traffic for that address is delivered to the attacker, who can sniff or modify it before passing it along.  The preventative measure on UNIX and *NIX hosts is a list of trusted systems hard coded into the /etc/ethers (or equivalent) file, where each true MAC address is mapped to its true IP address or hostname.  These entries are loaded into the cache as permanent entries (arp -f reads /etc/ethers by default), and permanent entries are not overridden by ARP replies.  The file needs to be updated if a network card is changed, since the MAC address belongs to the card and every networked device must have a unique one.  Static entries only protect the hosts you configure them on; the network-side control is a switch feature such as Dynamic ARP Inspection, which validates replies against DHCP bindings or a static table at the port.
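As an added example (not code from the original post), here is the check a host-side guard performs: parse a trusted table in /etc/ethers format, normalise MAC addresses so that "0:11:..." and "00:11:..." compare equal, and classify each observed ARP reply as matching, conflicting (poisoned), or from an unlisted host. The table contents, addresses and replies below are constructed for illustration.

```c
/* Added example: validate observed ARP replies against a trusted
 * IP-to-MAC table in /etc/ethers style. All addresses are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 32

struct ether_entry {
    char mac[18];   /* normalised "xx:xx:xx:xx:xx:xx" */
    char host[64];  /* hostname or dotted IP, as in /etc/ethers */
};

/* Normalise a MAC to lowercase, zero-padded form; returns 0 on success, -1 on bad format. */
static int normalize_mac(const char *in, char out[18]) {
    unsigned int b[6];
    if (sscanf(in, "%2x:%2x:%2x:%2x:%2x:%2x", &b[0], &b[1], &b[2], &b[3], &b[4], &b[5]) != 6)
        return -1;
    snprintf(out, 18, "%02x:%02x:%02x:%02x:%02x:%02x", b[0], b[1], b[2], b[3], b[4], b[5]);
    return 0;
}

/* Parse ethers-format text ("mac host" per line, '#' starts a comment).
 * Returns the number of entries, or -1 on a malformed line. */
static int parse_ethers(const char *text, struct ether_entry *tbl, int max) {
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        char line[128], macbuf[32], hostbuf[64];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;
        char *hash = strchr(line, '#');
        if (hash) *hash = '\0';                       /* strip trailing comment */
        if (sscanf(line, "%31s %63s", macbuf, hostbuf) != 2) continue;  /* blank or comment-only */
        if (normalize_mac(macbuf, tbl[n].mac) != 0) return -1;
        strncpy(tbl[n].host, hostbuf, sizeof tbl[n].host - 1);
        tbl[n].host[sizeof tbl[n].host - 1] = '\0';
        n++;
    }
    return n;
}

enum arp_verdict { ARP_OK = 0, ARP_UNKNOWN_HOST = 1, ARP_POISONED = 2, ARP_BAD_MAC = 3 };

/* Check an observed reply "host is-at mac" against the trusted table. */
static enum arp_verdict check_arp_reply(const struct ether_entry *tbl, int n,
                                        const char *host, const char *mac) {
    char norm[18];
    if (normalize_mac(mac, norm) != 0) return ARP_BAD_MAC;
    for (int i = 0; i < n; i++)
        if (strcmp(tbl[i].host, host) == 0)
            return strcmp(tbl[i].mac, norm) == 0 ? ARP_OK : ARP_POISONED;
    return ARP_UNKNOWN_HOST;   /* not in the table: cannot vouch either way */
}

/* Constructed sample table (fictional addresses), in /etc/ethers layout. */
static const char SAMPLE_ETHERS[] =
    "# trusted hosts: MAC then hostname/IP\n"
    "00:11:22:33:44:55 192.168.1.1   # gateway\n"
    "00:11:22:33:44:66 192.168.1.10  # fileserver\n";

/* Verdict for one constructed reply against the sample table. */
static enum arp_verdict demo_verdict(const char *host, const char *mac) {
    struct ether_entry tbl[MAX_ENTRIES];
    int n = parse_ethers(SAMPLE_ETHERS, tbl, MAX_ENTRIES);
    if (n < 0) return ARP_BAD_MAC;
    return check_arp_reply(tbl, n, host, mac);
}

int main(void) {
    printf("%d\n", demo_verdict("192.168.1.1", "00:11:22:33:44:55"));   /* 0: matches */
    printf("%d\n", demo_verdict("192.168.1.1", "de:ad:be:ef:00:01"));   /* 2: spoofed gateway */
    printf("%d\n", demo_verdict("192.168.1.99", "00:11:22:33:44:77"));  /* 1: not in table */
    return 0;
}
```

The ARP_POISONED case is the one to alert on: a reply claiming the gateway's IP with a MAC that differs from the pinned entry is exactly what a cache-poisoning attack looks like on the wire.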

CentOS 5.4 netinstall CD is broken

Posted by: Tom  :  Category: Linux, Operating Systems, Techbait Homegrown

I was trying to install CentOS Linux 5.4 on an old Dell 2400 server and I opted for the netinstall to avoid having to burn six CD ISO images.  I get to the part where you enter the remote web server and directory where the install images are, and it keeps putting an extra slash in the URL string, which prevents the thing from working.  I searched on it and found a thread out there claiming that this happens when you hit Enter in the text fields to proceed, but I didn't and it still happens.  I guess I am going to have to burn those ISOs to CD-R after all.  Sigh.

Redhat Linux Runlevels

Posted by: Tom  :  Category: Linux, Operating Systems, Techbait Homegrown, UNIX

The order in which Linux starts system services is governed by the runlevel the system boots into and the sequence number assigned to each service within that runlevel. Some runlevels halt or reboot the system itself, while others control regular system services or even programs that the administrator installs and wants started at a particular point in the boot cycle. Runlevels are controlled by scripts, and each runlevel has a directory named after it in which links to those scripts reside. The default runlevel for the system is set in the /etc/inittab file, but it can be overridden for a single boot by appending the runlevel number to the kernel line in the GRUB boot loader menu. Red Hat Enterprise Linux (through version 6, which still used SysV init) has seven runlevels, numbered 0 through 6.
Runlevel 0: Halt the system. When the system is sent to this runlevel, everything shuts down and the system is completely halted. If the hardware and kernel support it (ACPI or APM), the machine is powered off at the end of the process.

Runlevel 1: This is single user mode. In single user mode an administrator can do all sorts of maintenance, like backups, restores, and repairs. This is useful because no other users can be logged in and the system is not prone to having others change things, which is important when this sort of work is being done. Networking is not enabled, so the network interfaces and infrastructure are offline.

Runlevel 2: Multiuser mode with networking but without NFS. On Red Hat it is the same as runlevel 3 except that network filesystems are not mounted or served.

Runlevel 3: Multiuser mode with full networking functionality. This is the usual default for a server that does not need a graphical login.

Runlevel 4: Unused by Red Hat. It is reserved for a custom, locally defined configuration.

Runlevel 5: Everything in runlevel 3 plus the X Window System, so the user is brought to a graphical login screen (the display manager). After logging in, the user is taken to their graphical desktop as in all of the popular operating systems of today. Networking is fully enabled.

Runlevel 6: This is the reboot runlevel. It does what it says and reboots the system. You should never set the /etc/inittab default runlevel to 6 for obvious reasons: your system would be in an endless reboot loop. The same goes for runlevel 0, which would halt the machine as soon as it finished booting.

Each runlevel has a set of scripts associated with it. Runlevel 3 links are located in the /etc/rc.d/rc3.d directory. The runlevel directories are rc0.d through rc6.d, and they are all located under the /etc/rc.d directory. Whatever the default runlevel is set to in the /etc/inittab file, the rc script looks in the matching directory and processes its entries in numeric order: first every link whose name starts with "K" is run with the argument stop, then every link whose name starts with "S" is run with start, so the two-digit number after the letter gives the sequence within each group. The entries in the runlevel directories are really just symbolic links to the real script files in the /etc/rc.d/init.d directory, and the chkconfig utility creates and removes those links for you. /etc/rc3.d and the other /etc/rc(number).d names are symbolic links to the /etc/rc.d/rc(number).d directories (directories cannot be hard linked), so you can use the shorter path to get to the same place.
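As an added example, not part of the original post: a small C program that does what the rc script does with a runlevel directory (sort the K and S links into execution order, ignoring anything that is not a link of that form) and checks the initdefault line of /etc/inittab for the unusable defaults 0 and 6. The directory listing and inittab text are constructed, not read from a live system.

```c
/* Added example: order rcN.d links the way rc processes them, and sanity-check
 * the initdefault entry. Sample data is constructed, not read from disk. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct rc_link {
    char action;     /* 'S' start or 'K' kill */
    int  order;      /* two-digit sequence number */
    char name[64];   /* service name, i.e. the target in /etc/rc.d/init.d */
};

/* Parse one rcN.d entry such as "S10network"; returns 0 on success, -1 if it is
 * not an S/K link (rc ignores README and similar files the same way). */
static int parse_rc_link(const char *entry, struct rc_link *out) {
    if ((entry[0] != 'S' && entry[0] != 'K') ||
        !isdigit((unsigned char)entry[1]) || !isdigit((unsigned char)entry[2]) ||
        entry[3] == '\0')
        return -1;
    out->action = entry[0];
    out->order = (entry[1] - '0') * 10 + (entry[2] - '0');
    strncpy(out->name, entry + 3, sizeof out->name - 1);
    out->name[sizeof out->name - 1] = '\0';
    return 0;
}

/* rc runs every K* link (stop) before any S* link (start); within each group
 * the order is numeric, with ties broken by name as a shell glob would. */
static int cmp_rc_link(const void *a, const void *b) {
    const struct rc_link *x = a, *y = b;
    if (x->action != y->action) return x->action == 'K' ? -1 : 1;
    if (x->order != y->order) return x->order - y->order;
    return strcmp(x->name, y->name);
}

/* Sort directory entries into execution order; returns the number of valid links. */
static int order_runlevel(const char *const *entries, int n, struct rc_link *out, int max) {
    int count = 0;
    for (int i = 0; i < n && count < max; i++)
        if (parse_rc_link(entries[i], &out[count]) == 0) count++;
    qsort(out, count, sizeof *out, cmp_rc_link);
    return count;
}

/* Find the "id:N:initdefault:" line. Returns N if it is a usable default (1-5),
 * or -1 if the line is missing, commented out, or set to 0 (halt) or 6 (reboot). */
static int default_runlevel(const char *inittab) {
    const char *p = inittab;
    while (p && *p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128];
        if (len < sizeof line) {
            char id[16];
            int lvl;
            memcpy(line, p, len);
            line[len] = '\0';
            if (line[0] != '#' && strstr(line, ":initdefault:") &&
                sscanf(line, "%15[^:]:%d:", id, &lvl) == 2)
                return (lvl >= 1 && lvl <= 5) ? lvl : -1;
        }
        p = nl ? nl + 1 : NULL;
    }
    return -1;
}

/* Constructed rc3.d listing, deliberately out of order, with one stray file. */
static const char *const SAMPLE_RC3D[] = {
    "S55sshd", "K20nfs", "S10network", "S12syslog", "K05saslauthd", "README", "S56xinetd"
};
static const char SAMPLE_INITTAB[] =
    "# Default runlevel.\n"
    "id:3:initdefault:\n"
    "si::sysinit:/etc/rc.d/rc.sysinit\n";

/* The idx-th link name in execution order for the sample, or "" past the end. */
static const char *sample_rc3d_step(int idx) {
    static struct rc_link links[16];
    static char buf[80];
    int n = order_runlevel(SAMPLE_RC3D, 7, links, 16);
    if (idx < 0 || idx >= n) return "";
    snprintf(buf, sizeof buf, "%c%02d%s", links[idx].action, links[idx].order, links[idx].name);
    return buf;
}

int main(void) {
    for (int i = 0; i < 16; i++) {
        const char *step = sample_rc3d_step(i);
        if (*step == '\0') break;
        printf("%s\n", step);   /* K05saslauthd, K20nfs, S10network, S12syslog, S55sshd, S56xinetd */
    }
    printf("default runlevel: %d\n", default_runlevel(SAMPLE_INITTAB));   /* 3 */
    return 0;
}
```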

Knowing about Linux runlevels is an important part of knowing how to handle a Linux system, and the knowledge translates to UNIX systems as well. There will be minor and subtle differences, such as varying directory names and different boot loaders, but it is essentially the same framework.

Network DMZ

Posted by: Tom  :  Category: Linux, Operating Systems, Techbait Homegrown, UNIX, networking

A network DMZ, or demilitarized zone, is a network segment placed between the Internet and an entity's internal network. Servers that must provide a service to the outside, like FTP file hosting access for customers, a mail server for offsite personnel, webservers, or proxy servers, are set up on this separately protected segment, and whatever they need to share with the inside passes through a second, tightly filtered path. This is desirable since if a DMZ server is compromised by a malicious person out on the Internet, they won't have direct access to the rest of the internal network, and it gives the internal IT people time to sever the external connection and fix the problem, clean the system, or rebuild the system without fear that the attacker has already moved on to wreak havoc on the rest of the internal network. For that to hold, the firewall rules must allow the DMZ hosts to initiate only the specific connections inward that they genuinely need (a mail relay to the internal mail server, for example); any broader access from the DMZ defeats the purpose.

You can set this up by using either a single or dual firewall approach. In the single firewall approach the firewall itself needs at least 3 network cards. One card goes to the Internet Service Provider, the second goes to the DMZ segment, and the third to the internal network router, with a separate rule set governing traffic between each pair of interfaces. The firewall needs to have enough computing power and memory to be able to handle the traffic and all associated filtering to and from all 3 network cards. A dual firewall approach is more secure and consists of 2 firewall computers or devices. One goes between the ISP and the DMZ machine or segment, while the second is on the back end and sits between the DMZ machine or segment and the internal network router, so a compromise of the outer firewall still leaves the inner one in place. The IT staff can further mix things up by using different firewall vendors for each firewall so that the same vulnerability or configuration mistake is unlikely to defeat both; an attacker who gets past identical firewalls with one method can simply reuse it on the second.

Buffer Overflow Attacks

Posted by: Tom  :  Category: Linux, Operating Systems, Techbait Homegrown, UNIX

Buffer overflow attacks are legendary in computer security. Programmers write lots of software which expects some sort of user input, and the input has to be stored in an area of memory, called a buffer, whose size was chosen in anticipation of how much data would be provided. If the programmer hasn't added checks to limit the input to the size of the buffer, then an attacker can provide more data than fits, and the excess is written over whatever lies next to the buffer in memory. In some cases the program just crashes, but when the buffer is on the stack the overflow can overwrite the function's saved return address, so that the attacker-supplied data is executed as code with the permissions of the host program, which in many cases means root level access. This is why system services running as root are the favorite targets of this sort of attack.

Code audits can sniff out the unchecked copies and missing length checks that make this sort of attack possible. This is a case of an ounce of prevention being worth more than a pound of cure. In reality it is more than an ounce of prevention and is rarely done. The next best course of action is to regularly check system logs for suspicious activity, such as a service crashing and restarting repeatedly, which is what failed overflow attempts usually look like. Filesystem integrity checking tools can assist in identifying whether a system has already been breached by showing which files have been modified. Running the service in a chroot jail limits the damage when an overflow does succeed, because the attacker inherits only the jailed view of the filesystem and most of the critical files are insulated from the attack. Many server programs now come with native chroot functionality.

Modern Linux kernels and compilers also provide mitigations that help defend against this type of attack: non-executable stack and heap pages, address space layout randomization (ASLR), and compiler-inserted stack canaries that detect an overwritten return address before the function returns. They raise the cost of exploitation considerably, but they do not replace bounds checking in the code itself.

UNIX chroot

Posted by: Tom  :  Category: Linux, Operating Systems, Techbait Homegrown, UNIX

The chroot command is a shortened form of the two words, "change root". What this command does is allow a sysadmin to rope off a section of the filesystem for users or programs to play in. This is sometimes called a "chroot jail", and I have heard it referred to as a "sandbox" or "user sandbox". If a user logs in and is set up to be sent here, this area appears to them as the entire filesystem, but in reality it is just a branch off the real filesystem. It contains only those commands and directories (and the libraries those commands need) that the sysadmin wants them to see and have access to. This allows a prudent and careful sysadmin to allow system access while not relying solely on the UNIX permissions model. It is another level of system defense. Think of it as allowing access on a "need to know" basis: they only see the parts of the system that they need to know.

System services can be run in a chroot jail too. If a system service were the target of a successful buffer overflow attack and was not restricted to the jail, the attacker would have a shell into the system which inherited the service's permissions, which in many cases is root level access, and with it the entire system minus whatever security the attack just immobilized. If the attacker's shell is limited to the chroot jail, their access to the system is very limited and the damage they can do is minimized. Perhaps if they realized this they would just go away and look for a juicier unprotected target. One important caveat: chroot is not a security boundary for a process that still runs as root. Root inside a jail can create device nodes, mount filesystems, or use a second chroot call to break back out, so a jailed service must change directory into the jail, call chroot, and then drop to an unprivileged user and group, in that order, and the jail should contain nothing setuid and no more binaries than the service needs.
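As an added example serving both this post and the Buffer Overflow Attacks post above (it is not code from the original posts): the unchecked strcpy that causes the overflow, a bounded copy that rejects oversized input instead, and a jail_and_drop() routine that enters a chroot and gives up root in the correct order. The buffer size, jail path, service uid/gid and inputs are assumptions made for the illustration; jail_and_drop() only succeeds when run as root with the jail directory present.

```c
/* Added example: unchecked copy vs bounded copy, and chroot plus privilege drop
 * in the safe order. Buffer size, jail path and uid/gid are constructed values. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define NAME_LEN 16

/* Vulnerable: strcpy trusts the caller. Input longer than NAME_LEN-1 bytes runs
 * past 'name' on the stack into the saved frame pointer and return address;
 * that is the overflow. Kept only to show the pattern; never feed it untrusted data. */
static void greet_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);
    printf("hello %s\n", name);
}

/* Hardened: copy only if the whole string, NUL included, fits in NAME_LEN.
 * Returns 0 on success, -1 if rejected. The caller should log the rejection
 * rather than "make it fit" by silently truncating. */
static int bounded_copy(const char *input, char out[NAME_LEN]) {
    const char *nul = memchr(input, '\0', NAME_LEN);  /* never look past the buffer size */
    if (nul == NULL) return -1;                       /* no terminator within NAME_LEN: too long */
    memcpy(out, input, (size_t)(nul - input) + 1);    /* includes the NUL */
    return 0;
}

/* Demo helper: the copied string, or NULL if the input was rejected. */
static const char *copy_or_null(const char *input) {
    static char out[NAME_LEN];
    return bounded_copy(input, out) == 0 ? out : NULL;
}

/* Confine the process to 'jail' and give up root, in the only safe order:
 * chdir into the jail first (so no open directory outside it survives), then
 * chroot, then drop supplementary groups, the gid, and finally the uid.
 * Returns 0 on success, -1 with errno set on the first failure. */
static int jail_and_drop(const char *jail, uid_t uid, gid_t gid) {
    if (chdir(jail) != 0) return -1;
    if (chroot(".") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Root inside a jail can break out again, so prove the drop is irreversible. */
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(void) {
    /* Constructed inputs: the first fits, the second is what an attacker sends. */
    const char *ok = "alice";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    greet_unsafe(ok);                                              /* fine with well-behaved input */
    printf("%s\n", copy_or_null(ok) ? copy_or_null(ok) : "rejected");   /* alice */
    printf("%s\n", copy_or_null(too_long) ? "copied" : "rejected");     /* rejected, no overflow */

    /* Hypothetical jail path and service account (assumptions). */
    if (jail_and_drop("/var/jail/example-service", 1001, 1001) != 0)
        perror("jail_and_drop");   /* EPERM when not root, ENOENT if the jail directory is missing */
    return 0;
}
```

The order inside jail_and_drop() is the whole point: chroot before chdir leaves the process with a working directory outside the new root, and setuid before setgid leaves the process unable to change its group because it is no longer root.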

The UNIX sudo command

Posted by: Tom  :  Category: Linux, Operating Systems, Techbait Homegrown, UNIX

The UNIX sudo command allows the administrator to limit which commands a user may run with root (administrator) privileges on the system. The /etc/sudoers file contains entries specifying which users or groups may run which commands, as which target user, and from which hosts. It should always be edited with visudo, which checks the syntax before saving so that a typo cannot lock everyone out of root. Different users can be allowed different levels of access, and the true root, or administrator, password never has to be divulged, since each user authenticates to sudo with their own password. Be careful with entries that allow a shell, an editor, or any program that can spawn one, as those are equivalent to granting a full root shell.

Sudo also logs every command it is asked to run, both the ones it permits and the ones it refuses, through syslog (typically /var/log/secure on Red Hat systems and /var/log/auth.log on Debian-based ones), leaving an audit trail that a suspicious administrator can check in case an attempted system breach is suspected. Send those logs to a separate host as well, since a user who has obtained root through sudo can edit the local copy.

Would i4i really go after OpenOffice for patent violation?

Posted by: Tom  :  Category: Linux, Microsoft, Software, Software Business, Windows, technology

I guess that you never know, but I think that i4i is going after Microsoft because they are a deep pockets company, and frankly if I had a patent that I thought was being unfairly taken advantage of by a behemoth like Microsoft then I might sue as well.  Maybe the company founder(s) want to lure Microsoft into a lucrative acquisition deal and spend the rest of their days checking email via satellite wireless from some private island somewhere?   It would be a shame if they went after OpenOffice, especially since OpenOffice has a small market share and couldn't possibly be threatening i4i's business.  I wonder how valid their patent claim really is?  There is not a great track record of for-profit software companies suing open source software providers.  I recall the famous SCO vs Linux debacle.   Has anyone even heard of SCO lately?
