The Stack Clash
— Permalink
As anticipated in public comments, the Linux Foundation is already beginning a campaign to rewrite history and mislead Linux users. Their latest PR release can be found at: https://www.linux.com/news/greg-kh-update-linux-kernel-46-next-week-new-security-features, which I encourage you to read so you can see the spin and misleading (and just plain factually incorrect) information presented. If you've read any of our blog posts before or are familiar with our work, you'll know we always say "the details matter" and are very careful not to exaggerate claims about features beyond their realistic security expectations (see for instance our discussion of access control systems in the grsecurity wiki). In a few weeks I will be keynoting at the SSTIC conference in France, where a theme of my keynote involves how little critical thinking occurs in this industry and how that results in companies and users making poor security decisions. So let's take a critical eye to this latest PR spin and actually educate about the "security improvements" to Linux 4.6.
— Permalink
Part of the iproute2 command suite, ip neighbor provides a command line interface to display the neighbor table (ARP cache), insert permanent entries, remove specific entries and remove a large number of entries. For peculiarities and commonalities of the iproute2 tools, refer to Section H.2, “Some general remarks about iproute2 tools”.
The more commonly used analog to ip neighbor show, arp -n displays the ARP cache in a possibly more recognizable format.
— Permalink
Packet-journey (pktj) lets network operators build software routers that are easy to configure and able to scale. To do so, the application relies on the DPDK libraries and drivers and uses native features of the Linux kernel, bridging fast-forwarding and flexible software routing.
— Permalink
See also:
Grsecurity Developer Spender's Feelings on the State of Linux Security
https://news.ycombinator.com/item?id=10518480
Kernel Self Protection Project
http://openwall.com/lists/kernel-hardening/2015/11/05/1
« I'm organizing a community of people to work on the various kernel self-protection technologies (most of which are found in PaX and Grsecurity). I'm building on the presentation I gave at Kernel Summit where I sought to convince the other upstream Linux kernel developers that security is more than fixing bugs, and that we need to bring in proactive defenses:
http://lwn.net/Articles/662219/
This is especially highlighted by the Washington Post article today:
The kernel of the argument
Fast, flexible and free, Linux is taking over the online world. But there is growing unease about security weaknesses.
http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/
Between the companies that recognize the critical nature of this work, and with Linux Foundation's Core Infrastructure Initiative happy to start funding specific work in this area, I think we can really make a dent.
Let's start the work. I've built some wiki pages around my slides, where we can take notes, list examples, and coordinate:
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf »
— Permalink
RouteFlow is an open source project to provide virtualized IP routing services over OpenFlow enabled hardware.
A typical RouteFlow use scenario is composed of an OpenFlow controller application (RFProxy), an independent RouteFlow server (RFServer), and a virtual network environment that reproduces the connectivity of a physical infrastructure and runs IP routing engines (e.g. Quagga).
The routing engines generate the forwarding information base (FIB) into the Linux routing tables according to the configured routing protocols (e.g., OSPF, BGP). In turn, the Linux IP and ARP tables are collected by RouteFlow client (RFClient) processes and then translated into OpenFlow tuples that are finally installed in the associated OpenFlow-enabled devices in the forwarding plane.
Download https://github.com/routeflow/RouteFlow
— Permalink
For over 5 years, and perhaps even longer, servers around the world running Linux and BSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found. || ArsTechnica: http://arstechnica.com/security/2015/04/30/spam-blasting-malware-infects-thousands-of-linux-and-freebsd-servers/ || Whitepaper http://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf
— Permalink
today, free software is a genuine alternative and allows any young African to prototype an SMS application with free technologies, on decentralized infrastructure that they could set up at home.
— Permalink
As discussed in a previous post, multi-factor authentication really makes things more secure. Let’s see how we can secure services like SSH and the Gnome desktop with multi-factor authentication.
The Google Authenticator project provides a PAM module that can be integrated with your Linux server or desktop. This PAM module is designed for home and other small environments. There is no central management of keys, and the configuration is saved in each user's home folder. I’ve successfully deployed this on my home server (a Raspberry Pi) and on my work laptop.
— Permalink
It is with sorrow and regret that I have decided to suspend, for an indefinite period, all download links for siproxd_orange, as well as access to its BitBucket repository.
I am in fact under pressure from Orange to make me stop developing and distributing siproxd_orange. After consulting several people, including a lawyer specializing in copyright law, I judged it more prudent to stop distributing this project.
I first want to thank everyone who showed interest in siproxd_orange, whether by downloading it, posting links to this blog on other sites, commenting on the many posts on the subject or reporting bugs. But I also want to add that this in no way means the end of the adventure.
— Permalink
stresslinux is a minimal Linux distribution running from a bootable CD-ROM, USB stick, VMware or via PXE (work in progress). stresslinux makes use of utilities available on the net such as stress, cpuburn, hddtemp and lm_sensors. stresslinux is dedicated to users who want to put their system(s) under full high load and monitor their health.
— Permalink
100Gb network adapters are coming, said Jesper Brouer in his talk at the LCA 2015 kernel miniconference (slides [PDF]). Driving such adapters at their full wire speed is going to be a significant challenge for the Linux kernel; meeting that challenge is the subject of his current and future work. The good news is that Linux networking has gotten quite a bit faster as a result — even if there are still problems to be solved.
— Permalink
We often find ourselves running applications we received in binary format. These include not only traditional software installed on our computers, but also unauthenticated programs received over the network and run in web browsers. Most of the time these applications are too complex to be bug-free, or can come from an adversary trying to get access to our system.
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux namespaces, a virtualization technology available in the Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table and IPC space.
— Permalink
Awk is a tiny programming language and a command line tool. It's particularly appropriate for log parsing on servers, mostly because Awk will operate on files, usually structured in lines of human-readable text.
I say it's useful on servers because log files, dump files, or whatever text format servers end up dumping to disk will tend to grow large, and you'll have many of them per server. If you ever get into the situation where you have to analyze gigabytes of files from 50 different servers without tools like Splunk or its equivalents, it would feel fairly bad to have to download all these files locally and then do some forensics on them.
This personally happens to me when some Erlang nodes tend to die and leave a crash dump of 700MB to 4GB behind, or on smaller individual servers (say a VPS) where I need to quickly go through logs, looking for a common pattern.
In any case, Awk does more than finding data (otherwise, grep or ack would be enough) — it also lets you process the data and transform it.
— Permalink
At the end of September 2014, a new threat for the Linux operating system, dubbed XOR.DDoS and forming a botnet for distributed denial-of-service attacks, was reported by the MalwareMustDie! group. The post mentioned the initial intrusion over an SSH connection, the static properties of the related Linux executable and the encryption methods used. Later, we realized that the installation process is customized to a victim’s Linux environment for the sake of running an additional rootkit component. In this blog post, we will describe the installation steps, the rootkit itself, and the communication protocol for getting attack commands.
— Permalink
So, are you curious about how the system call interface works in Linux? Do you want to learn how to trace system calls and what useful things you can do by tracing them? Are you curious which system calls are worth watching and why? || cheatsheet http://www.digilife.be/quickreferences/qrc/linux%20system%20call%20quick%20reference.pdf
— Permalink
The USB Armory is a full-blown computer (800MHz ARM® processor, 512MB RAM) in a tiny form factor (65mm x 19mm x 6mm USB stick) designed from the ground up with information security applications in mind. Not only does the USB Armory have native support for many Linux distributions, it also has a completely open hardware design and a breakout prototyping header, making it a great platform on which to build other hardware.
— Permalink
Who are you?!
We are Veteran Unix Admins and we are concerned about what is happening to Debian GNU/Linux to the point of considering a fork of the project.
And why would you do that?
Some of us are upstream developers, some professional sysadmins: we are all concerned peers interacting with Debian and derivatives on a daily basis.
We don't want to be forced to use systemd as a substitute for the traditional UNIX sysvinit init, because systemd betrays the UNIX philosophy.
We contemplate adopting more recent alternatives to sysvinit, but not those undermining the basic design principles of "do one thing and do it well" with a complex collection of dozens of tightly coupled binaries and opaque logs.
— Permalink
So, there was a lot of fuss about a recent talk by Karsten Nohl et al. at BlackHat about the insecurity of current USB implementations (on the computer side), which happily load drivers for all kinds of devices as soon as a (potentially malicious) USB stick is connected.
https://www.kernel.org/doc/Documentation/usb/authorization.txt
https://www.kernel.org/doc/Documentation/ABI/stable/sysfs-bus-usb
— Permalink
VPNDemon monitors your VPN connection and kills a target program upon disconnect. It's the safest and easiest way to help prevent DNS leaks and enhance your security while connected over a VPN.
— Permalink
Mbox is a lightweight sandboxing mechanism that any user can use without special privileges in commodity operating systems.
TL;DR
$ mbox -- wget google.com
...
Network Summary:
[11279] -> 173.194.43.51:80
[11279] Create socket(PF_INET,...)
[11279] -> a00::2607:f8b0:4006:803:0
...
Sandbox Root:
/tmp/sandbox-11275
N:/tmp/index.html
[c]ommit, [i]gnore, [d]iff, [l]ist, [s]hell, [q]uit ?>
— Permalink
Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Firejail can sandbox any type of process: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version. Debian, Ubuntu, Mint, OpenSUSE, and Fedora packages are provided. An Arch Linux package is maintained in AUR.
— Permalink
I call this the unofficial bash strict mode. This causes bash to behave in a way that makes many classes of subtle bugs impossible. You'll spend much less time debugging, and also avoid having unexpected complications in production.
There is a short-term downside: these settings make certain common bash idioms harder to work with. They all have simple workarounds, detailed below.
— Permalink
System calls are the primary mechanism by which user-space programs interact with the Linux kernel. Given their importance, it's not surprising to discover that the kernel includes a wide variety of mechanisms to ensure that system calls can be implemented generically across architectures, and can be made available to user space in an efficient and consistent way.
— Permalink
The getrandom(2) system call was requested by the LibreSSL Portable developers. It is analogous to the getentropy(2) system call in OpenBSD.
The rationale of this system call is to provide resilience against file descriptor exhaustion attacks, where the attacker consumes all available file descriptors, forcing the use of the fallback code where /dev/[u]random is not available. Since the fallback code is often not well-tested, it is better to eliminate this potential failure mode entirely.
— Permalink
Retrocomputing friends, we are trying to connect to an unbundled Free line using a good old Sagem F@st 800 USB modem (here, one of those supplied by Wanadoo). You need the line's IP address, which can be retrieved from the management interface at free.fr. Then check that the hardware is detected by the kernel, which should be the case by default with a recent kernel compiled with ueagle-atm (it is the case on Slackware at least, with 3.2.29-smp). To configure the modem, we will use linux-atm, also known as atm-tools on Debian. If it is in your distribution's repositories, install that package (which should have libatm1 as a dependency); otherwise it will have to be compiled. Once installed, create the atm0 interface, configure it, add a route and edit resolv.conf.
— Permalink
There is always a set of standard metrics that are universally monitored (Disk Usage, Memory Usage, Load, Pings, etc). Beyond that, there are a lot of lessons that we’ve learned from operating our production systems that have helped shape the breadth of monitoring that we perform at bitly.
— Permalink
It's with great pleasure that the LXC team is announcing the release of LXC 1.0!
This release is a significant milestone for us as it marks the first release we consider to be production ready. It features a wide variety of improvements to container security, a consistent set of tools, updated documentation and an API with multiple bindings.
— Permalink
Bible mutt mail unix
— Permalink
This is a follow-up post on my previous post "Four Linux server monitoring tools", which ended up on the front page of Hacker News for a pretty long time, and got a lot of great activity from a lot of people in the Hacker News community, and even from people who have been developing the mentioned tools.
http://aarvik.dk/four-linux-server-monitoring-and-management-tools/
— Permalink
Underwear is a library for easily deploying any Python-powered web application to one or more Linux servers. Underwear is configurable by a YAML template and takes care of installing packages, configuring web/WSGI servers, and securing the server.
What Problem Does Underwear Solve?
Despite the advent of configuration management tools such as Puppet, Chef, Ansible, and Salt, it remains difficult to deploy a web application because you have to first learn one of those tools and then write scripts in the tool’s domain-specific language.
Underwear makes deploying to a traditional Linux server stack as easy as deploying to Heroku by providing a pre-packaged, easily configurable library. Deployments can be executed simply by installing Underwear with pip, specifying the IP addresses of the server(s) to deploy to, then running a couple of commands.
— Permalink
Today it is entirely feasible to host one or more services on a server at home, and movements such as auto-hebergement.fr have illustrated this well. What remains is the problem of upload bandwidth which, although more than sufficient to host web, email, Jabber or other servers, still has to be used intelligently.
Linux provides that intelligence in the form of a packet scheduler called Traffic Control (TC to its friends), and the aim of this article is to present this technology and how to set it up in a case study of hosting Web, DNS and even BitTorrent. Note in passing that many scripts and programs exist to simplify setting up QoS (Quality of Service): Wondershaper, Shorewall and ADSL-Optimizer, for example. This article will not cover them, because the goal here is not only to do but also to understand how it works under the hood, and for that you have to take the engine apart and get your hands dirty.
— Permalink
Traffic control encompasses the sets of mechanisms and operations by which packets are queued for transmission/reception on a network interface. The operations include enqueuing, policing, classifying, scheduling, shaping and dropping. This HOWTO provides an introduction and overview of the capabilities and implementation of traffic control under Linux.
— Permalink
I implemented a new feature for LUKS in order to allow for emergency deletion of all LUKS key material. I've finished the implementation and submitted it to Clemens Fruhwirth for merging it into the next version of LUKS.
— Permalink
Programme of the linux.conf.au Systems Administration Miniconf
— Permalink
LXC 1.0: Your first Ubuntu container [1/10]
LXC 1.0: Your second container [2/10]
LXC 1.0: Advanced container usage [3/10]
LXC 1.0: Some more advanced container usage [4/10]
LXC 1.0: Container storage [5/10]
LXC 1.0: Security features [6/10]
LXC 1.0: Unprivileged containers [7/10]
LXC 1.0: Scripting with the API [8/10]
LXC 1.0: GUI in containers [9/10]
LXC 1.0: Troubleshooting and debugging [10/10]
— Permalink
Kmandla's blog dedicated to CLI applications (former blog: http://kmandla.wordpress.com/) and wiki (http://kmandla.wikispaces.com/). A methodical, extensive classification; it is up to each reader to sort through it and make their choice.
— Permalink
Zram has lived in staging for a LONG LONG time and has been fixed/improved by many contributors, so the code is clean and stable now. Of course, there are lots of products using zram in real practice.
— Permalink
If you're just starting out with Docker, it's super easy to follow the examples, get started and run a few things. However, moving to the next step, making your own Dockerfiles, can be a bit confusing. One of the more common points of confusion seems to be:
Where are my Docker images stored?
When diagnosing anomalous behavior on a network, a system administrator has two separate areas to focus on: the packets traveling over the network (i.e., the network view), and the information contained on the individual hosts connected to the network (i.e., the host view). The network view provides a glimpse into the overall communication activity of the network, but it does not reveal what processes are causing this activity. On the other hand, the host view contains details on the processes producing the network traffic, but it does not contain information on which packets are associated with which process. This inability to correlate packets with their associated process is a fundamental (although intentional) shortcoming of the modern network stack. To bridge this gap we introduce the Hone (Host-network) correlator, an open-source tool that correlates packets to processes to diagnose problems seen on a network.
While the idea of correlating packets to processes is a simple one, the implementation requires kernel modifications that alter the way the network stack works. Perhaps this complication is responsible for the fact that no other tool takes this approach. While there have been several tools that have come close to the packet-process correlation approach taken here, they differ from Hone in fundamental ways.
— Permalink
Synopsis
Linux Containers (LXC) are an operating system-level virtualization method for running multiple isolated server installs (containers) on a single control host. LXC does not provide a virtual machine, but rather provides a virtual environment that has its own process and network space. It is similar to a chroot, but offers much more isolation.
— Permalink
Researchers have discovered a Linux worm capable of infecting a wide range of home routers, set-top boxes, security cameras, and other consumer devices that are increasingly equipped with an Internet connection.
— Permalink
In my article detailing the command line utilities available for configuring and troubleshooting network properties on Windows and Linux, I mentioned some Linux tools that, while still included and functional in many Linux distributions, are actually considered deprecated and therefore should be phased out in favor of more modern replacements.
Specifically, the deprecated Linux networking commands in question are: arp, ifconfig, iptunnel, iwconfig, nameif, netstat, and route. These programs (except iwconfig) are included in the net-tools package that has been unmaintained for years. The functionality provided by several of these utilities has been reproduced and improved in the new iproute2 suite, primarily by using its new ip command. The iproute2 software code is available from Kernel.org. Iproute2 documentation is available from the Linux Foundation and PolicyRouting.org.
— Permalink
«Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.»
See also: http://exploitability.blogspot.fr/2013/10/badbios-phpnet-et-la-grehack.html
— Permalink
Insecurities in the Linux /dev/random
New paper: "Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust", by Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergnaud, and Daniel Wichs.
Abstract: A pseudo-random number generator (PRNG) is a deterministic algorithm that produces numbers whose distribution is indistinguishable from uniform. A formal security model for PRNGs with input was proposed in 2005 by Barak and Halevi (BH). This model involves an internal state that is refreshed with a (potentially biased) external random source, and a cryptographic function that outputs random numbers from the continually refreshed internal state. In this work we extend the BH model to also include a new security property capturing how it should accumulate the entropy of the input data into the internal state after state compromise. This property states that a good PRNG should be able to eventually recover from compromise even if the entropy is injected into the system at a very slow pace, and expresses the real-life expected behavior of existing PRNG designs. Unfortunately, we show that neither the model nor the specific PRNG construction proposed by Barak and Halevi meet this new property, despite meeting a weaker robustness notion introduced by BH. From a practical side, we also give a precise assessment of the security of the two Linux PRNGs, /dev/random and /dev/urandom. In particular, we show several attacks proving that these PRNGs are not robust according to our definition, and do not accumulate entropy properly. These attacks are due to the vulnerabilities of the entropy estimator and the internal mixing function of the Linux PRNGs. These attacks against the Linux PRNG show that it does not satisfy the "robustness" notion of security, but it remains unclear if these attacks lead to actual exploitable vulnerabilities in practice. Finally, we propose a simple and very efficient PRNG construction that is provably robust in our new and stronger adversarial model.
We present benchmarks between this construction and the Linux PRNG that show that this construction is on average more efficient when recovering from a compromised internal state and when generating cryptographic keys. We therefore recommend using this construction whenever a PRNG with input is used for cryptography.
"NFTables is queued up for merging into the Linux 3.13 kernel. NFTables is a four-year-old project by the creators of Netfilter to write a new packet filtering / firewall engine for the Linux kernel to deprecate iptables (though it now offers an iptables compatibility layer too). NFTables promises to be more powerful, simpler, reduce code complication, improve error reporting, and provide more efficient handling of packet filter rules. The code was merged into net-next for the Linux 3.13 kernel. Iptables will still be present until NFTables is finished, but it is possible to try it out now. LWN also has a writeup on NFTables."
https://home.regit.org/netfilter-en/nftables-quick-howto/
http://lwn.net/Articles/324989/
— Permalink
Zeal is a simple offline API documentation browser inspired by Dash (OS X app), available for Linux and Windows.
Quickly search documentation using the Alt+Space (or a customised) hotkey to display Zeal from anywhere in your workspace.
Search in multiple sets of documentation at once.
Don't depend on your internet connection.