Archive for February, 2006

Blonde Joke : are you game?

Sunday, February 26th, 2006

Well… I don’t want to put any joke on my side, but I guess this is a good one and will help ya to think.

Yokay… what’s ya hair color?


…i’ve to look back when i heard a gong! i could only see a huge cobweb and its shining, just got wonder, whats the time it was…

February

Monday, February 20th, 2006

I am confused; the name sounds innocent but what’s wrong with this month? I don’t mind its inconsistency…I think this preborn shortY should come as the last child of the year instead of lovely December… I just like the months December and January except its cold… I guess I am losing the sunlight…so I am walking back.

Well…. I was choked for two days and I couldn’t go anywhere…and exactly one year before on the same month I was hospitalized for the similar kind of symptoms what I am up to now. I am happy this time because I am getting Kanji (I don’t want to give much explanation for Kanji, In short I say “Rice Soup”) and Pickle too. I am not going to hospital so any medicine :)

Last year…Uff…here in a hospital, I asked her “Sister…? Today, I would like to have Kanji for my dinner and can you just arrange it for me.” She is from my State and replied “Oh Vipin, I don’t think that I could find it and no Kerala hotels out here” …good smiles!

I said…Okay, but….

In an hour, I was pretty happy with my dinner…She came with a bowl of hot Kanji and lemon pickle….

Later I came to know (she told me), she made it with a portion of her own dinner (well cooked rice) and served to me.

Has she done her blessed job? I forget her name but never the smile.

Go away or I will replace you with a simple shell script

Saturday, February 18th, 2006

Hey ya unknown coward… you are Killed !!
….go away or I will replace you with a simple shell script…
Yes, I found a simple snip to do that without yelling it out :)

mongoose # ps -aux | grep [usrname] | awk '{print $2}' | sort -gr | xargs kill -9

This simple snip kills all the processes invoked by the user, in the order last process dies first, and so does the user too.

R-I-P

The Evolution of a Programmer

Wednesday, February 15th, 2006

I am not a coder, just for giggles I found “The Evolution of a Programmer.” The Darwin of this code is here.


High School/Jr.High

10 PRINT "HELLO WORLD"
20 END


First Year in College

program Hello(input, output);
begin
  writeln('Hello World')
end.


Senior Year in College

(defun hello ()
  (print
    (cons 'Hello (list 'World))))

New Professional

#include <stdio.h>
void main(void)
{
  char *message[] = {"Hello ", "World"};
  int i;
  for(i = 0; i < 2; ++i)
    printf("%s", message[i]);
  printf("\n");
}


How To Become A Hacker

Sunday, February 12th, 2006

When The Open Source rules the world…there will not be any traditional nomenclature for the kingdom other than Hacker, Geek, Guru, Nerd… and its different status….

So do ya wanna be a hacker…. or wanna know how to become a hacker…? or ya gotta a Q..?

Q: How can I get the password for someone else’s account?
A: This is cracking. Go away, idiot.

esr [ Eric Steven Raymond ]
….if you have watched the movie “Revolution OS”, there is probably no chance to forget his facial expression when he narrates the incident that happened inside a lift
(mnky..mnky)…I’ll be your worst nightmare…

That was the first time I came to know about him, in a Linux meet where they played the movie, and later on I have read some of his essays from The C&B [ The Cathedral and the Bazaar ] and it’s worth it.

Know Yourself

Friday, February 10th, 2006

Over the surf…I found many interesting things…some stuff I have packed…and others have vanished… Here I found a speculation to know yourself [ …that’s what we are all trying to get through in our life…(winks) ] So I gave it a try to know the output; never gonna go for a second try….

What Type of Weather Are You?


You Are Lightning


Beautiful yet dangerous
People will stop and watch you when you appear
Even though you’re capable of random violence

You are best known for: your power

Your dominant state: performing

What’s Your Religious Philosophy?

I respect all religions, their saints and prophets.


You are an Atheist


When it comes to religion, you’re a non-believer (simple as that).
You prefer to think about what’s known and proven.
You don’t need religion to solve life’s problems.
Instead, you tend to work things out with logic and philosophy.

What Element Is Your Love?


Your Love Element Is Water


In love, you connect deeply and commit totally.
For you, love is all about taking risks and moving into unknown territory.

You attract others with courage and confidence.
Your flirting style is defined by your flexibility and ability to adapt.

Nurturing and shared learning are the cornerstones of your love life.
And while you may jump in to love too quickly, you always come out the wiser for it.

You connect best with: Metal

Avoid: Earth

You And another Water element: will pull each other down into a dark place

Setting Up A Gateway With Linux

Wednesday, February 8th, 2006

This was another workaround I did to set up a gateway between the internal and external networks, so that an internal resource can be accessed from outside.

Yes, there is no change: it’s a dedicated Linux machine for the gateway, installed with RedHat Advanced Server-4.

Setting Up The Gateway

I will just brief the set-up before I start on the configuration part.
Well… The machine has two NICs, configured as follows:

eth0: 192.168.1.1/24, connected to the internal network.
Gateway: 192.168.1.254

eth1: 10.1.0.1/28, connected to a Layer-3 switch (WAN connection), which terminates at the end of the users who are going to access the internal resource.
Gateway: 10.1.0.3
The resource is in the 192.168.2.0/24 network. Note that it is not on the same network.

Yes.. that’s a Q..! Dude, why don’t you set it up on the Layer-3 switch?

hmmm… I don’t have access to the CPE; that is dealt with by the Service Provider. (We should always keep an alternate way to run out of the heck….) Moreover, it’s a temporary set-up for a short period of time.

Next step: enable IP forwarding between the NICs.

camel # vi /etc/sysctl.conf
net.ipv4.ip_forward = 0 # change this 0 to 1

You are done with the IP forwarding and now the beauty: restart the system to apply the change…

“hey…I don’t wanna restart my system…”

Oho..really, then please talk to the kernel.

To pass the information to the kernel on the fly without restarting:
camel # echo "1" > /proc/sys/net/ipv4/ip_forward
or, more easily, by reloading /etc/sysctl.conf with
camel # /sbin/sysctl -p

And now keep talking to the kernel about the routing table.

camel # netstat -nr
shows the current kernel routing table.

I configured it as follows:

camel # route del default
camel # route add -net 192.168.2.0/24 gw 192.168.1.254
# now the kernel knows that all requests to the destination 192.168.2.0 network should go via 192.168.1.254, and the rest will be taken care of by the internal routing table.
camel # route add default gw 10.1.0.3 # anything else should go via 10.1.0.3

Now the external people have access only to the 192.168.2.0 network, after they log in to the gateway and get authenticated; that’s the Security Hardening part. Yes.. the rest of the hardening part is coming right away…
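
How the kernel picks a next hop from the table configured above, as an added example (not from the original post): longest-prefix match over the two connected networks plus the two routes added with `route add`. The function names and the `direct-eth0`/`direct-eth1` labels are made up for this sketch.

```shell
#!/bin/sh
# Added example: longest-prefix match over the routing table built in the post.
# The connected routes for eth0/eth1 follow from the interface addresses.

routes() {   # "dest/prefix next-hop", constructed from the addresses in the post
    cat <<'EOF'
192.168.1.0/24 direct-eth0
10.1.0.0/28 direct-eth1
192.168.2.0/24 192.168.1.254
0.0.0.0/0 10.1.0.3
EOF
}

# next_hop DEST -> prints the next hop chosen for DEST (most specific route wins)
next_hop() {
    routes | awk -v dst="$1" '
    function ip2int(ip,   o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN { best = -1 }
    {
        split($1, net, "/")
        plen = net[2] + 0
        size = 2 ^ (32 - plen)            # number of addresses the prefix covers
        base = ip2int(net[1])
        d = ip2int(dst)
        if (d >= base && d < base + size && plen > best) {
            best = plen; hop = $2
        }
    }
    END { print hop }'
}

for d in 192.168.2.10 192.168.1.50 10.1.0.20; do
    echo "$d -> $(next_hop "$d")"
done
```

The table only selects a path for each destination; which forwarded traffic is allowed is decided by the iptables rules mentioned in the hardening post.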

Hardening The Linux BoX

Wednesday, February 8th, 2006

After setting up the Gateway, the next Q was: how could I H4RD3N this machine?

Hardening a Linux machine…huhh… You can write a book on that. Securing a Linux system, called hardening, can be done using both manual methods and open source security solutions. So I asked myself some Qs:

0. What am I supposed to do with the system?
It should act as a gateway to access my resources from outside (dedicated) networks.

1. Does it have any wild connection to meet up with unknown people?
No; so far it is not connected to the Internet.

2. How about users?
I am going to provide a common usrname and passwd, yeah…but I don’t know them personally.

3. Should I allow the users to play with the system and keep their files?
NO, not even the execute permission. Please, no junk/bulky files.

4. After all, how do I monitor this box?
iptraf [it’s just a breeze]
…so my hardening process focuses on the operating system rather than on any extra powerful tools.

STEPS TAKEN TO HARDEN THE LINUX BOX (GATEWAY)

0. The message shown before authentication.
Access to this computer system is restricted to personnel of the
[your wish is my command]. All connections are logged.
By attempting connection without permission, you are in violation of law and ethics.

1.a Edited /etc/motd
ACCESS RESTRICTED TO AUTHORIZED USERS ONLY

1. No: of users to access the system
a) root
b) admin (enable sudo)
c) Let there be users :)
2. Iptables and TCP wrappers enabled ( Allow access to SSH and HTTPD)

/etc/hosts.deny
sshd:ALL EXCEPT 10. 192.168.
httpd:ALL EXCEPT 10. 192.168.

3. Disable remote ssh as root; only console access.
4. ssh service enabled only for usr xxx and local networks.

Changes done on /etc/ssh/sshd_config
Protocol 2 [restrict to protocol 2]
PermitRootLogin no
Banner /etc/warn.txt [the file which contains the message that is displayed before authentication]
RhostsAuthentication no
IgnoreRhosts yes
RhostsRSAAuthentication no

5. Disable creating executables, devices or set-uid executables in the /home directory

Changes done on /etc/fstab
LABEL=/home /home ext3 noexec,nodev,nosuid,usrquota 1 2

6. Set up quota for usr xxx.
Soft limit 200 MB, and at most 250 MB can be used (the grace period for the extra 50 MB is 7 days)

7. Disable GCC for normal users; including Admin :) chmod 750

7-5-0 2 root root 94800 Feb 30 2004 /usr/bin/gcc

8. Disable all unwanted services.

camel # chkconfig --list | grep on
camel # chkconfig --list | awk '/xinetd based services/,/""/'

9. Enable the syslog service and configure iptraf.
10. Keep updated with the latest security news and watch the weekly advisories issued by vendors.
11. Rule of Thumb: click OO here
12. Reference - 0

UNIX System Hardening Checklist

SELinux
Unix Articles
Reference +1
Linux System Security: The Administrator’s Guide to Open Source Security Tools [ I own this book]
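
A check for the sshd_config changes listed in step 4, as an added example (not from the original post). It relies on two documented sshd behaviours: keywords are case-insensitive, and the first value read for a keyword is the one used. The function names and the sample config are constructed here.

```shell
#!/bin/sh
# Added example: audit sshd_config text against the settings listed in the post.
# sshd uses the FIRST value it reads for a keyword, so a later
# "PermitRootLogin no" does not undo an earlier "PermitRootLogin yes".

sample_sshd_config() {   # constructed sample, not a real host's file
    cat <<'EOF'
# constructed sample
Protocol 2
permitrootlogin yes
Banner /etc/warn.txt
IgnoreRhosts yes
PermitRootLogin no
EOF
}

# audit_sshd: reads sshd_config text on stdin, prints OK/FAIL/MISSING per setting
audit_sshd() {
    awk '
    BEGIN {
        # Expected values, taken from the post.
        want["protocol"] = "2"
        want["permitrootlogin"] = "no"
        want["ignorerhosts"] = "yes"
        want["rhostsrsaauthentication"] = "no"
        n = split("protocol permitrootlogin ignorerhosts rhostsrsaauthentication", order, " ")
    }
    /^[ \t]*#/ { next }                   # comment line
    NF == 0    { next }                   # blank line
    {
        key = tolower($1)                 # keywords are case-insensitive
        if (!(key in seen)) {             # first occurrence wins
            seen[key] = 1
            val[key] = $2
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (!(k in seen))             print "MISSING " k
            else if (val[k] == want[k])   print "OK " k
            else                          print "FAIL " k " = " val[k]
        }
    }'
}

sample_sshd_config | audit_sshd
```

On a live system the input would be `audit_sshd < /etc/ssh/sshd_config`.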

Linux Performance Analysis

Wednesday, February 1st, 2006

Since I am shadowman certified, all my testing and workouts happen on my x86 workstation loaded with RedHat Advanced Server-4 (2.6.9-5).

Well… before starting off the session, I want to share one thing which I read in a performance tuning book (System Performance Tuning, second edition, by Gian Paolo & Mike). The book gives five rules that we should keep in mind before going for the analysis.

0. Understand Your Environment
1. TANSTAAFL :- There Ain’t No Such Thing As A Free Lunch
2. Throughput vs Latency
3. Do Not Over Utilize A Resource *
4. Design Test Carefully

*Over-utilization is a dangerous thing. As a general rule of thumb, something should be no more than 70% busy or consumed at any given time: this provides a margin of safety before serious degradation occurs.

So give it your own thought to see how well the above rules gel with performance analysis.

Talking about performance on a Linux box mainly deals with its Processor/CPU, Main Memory, Block Device (I/O), Network etc…

Here I am trying to use some of the basic commands which help to find where the performance has gone wrong.

0. Processor/CPU

command $ vmstat 5

proc

(r) - The number of processes in runnable and un-interruptable state
(b) - The number of processes in blocking or sleep state

memory

swpd - Amount of memory swapped
free - Amount of free memory
buff - used for buffers
cache - used for filesystem cache

swap

si - Amount of memory swapped in
so - swapped out

io

bi - Blocks of data received (in) from a block device/sec
bo - sent (out) to a block device/sec

System

in - Number of interrupts/sec
cs - Number of context switches/sec

cpu

us - The percentage of cpu time spent in user space
sy - The percentage of cpu time spent in Kernel space
wa - waiting for I/O
id - Idle time

++ In the case of multiple CPUs, the command “vmstat” shows the average, which may not be accurate (for example when a single-threaded heavy process is running). In that case

command $ mpstat -P ALL 5
can be used to show the CPU statistics both aggregated and on a per-CPU basis.

1. Main Memory

Adding more memory to the system may help ya out if the system shows high availability of Swap Memory but the free and cache memory values are low. To make sure, have a look at the swap-in (si) and swap-out (so) numbers.

2. Block Device

If the Block Device is the culprit for the system’s performance, you may see that many processes are in blocking state (b), the cpu wait (wa) times are high and the I/O numbers (bi/bo) are consistently high.

The commands “iostat -x 5” or “iostat -x” help us to dig more into the I/O details

%util - The percentage of cpu time used to issue the requests to the device.
await - The average time (request) taken to complete the result; including the time spent in the queue.
svctm - Service Access Time, the time which the device takes to service the requests.

High numbers for the above parameters tell us the device is too dumb for the current load.
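
The CPU, memory and block-device checks described above, applied to vmstat output, as an added example (not from the original post). The 70% busy limit is the rule of thumb quoted earlier; the `wa` threshold of 20, the function names and the sample output are assumptions constructed for this sketch.

```shell
#!/bin/sh
# Added example: flag vmstat samples using the rules of thumb from the post.
# busy_max=70 is the limit quoted in the post; wa_max=20 is an assumed threshold.

sample_vmstat() {   # constructed "vmstat 5" output
    cat <<'EOF'
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 1  0      0 512000  40000 300000    0    0    12     8 1005   150  2  1 96  1
 0  0      0 511800  40000 300100    0    0     0     4 1010   160  3  1 96  0
 5  0      0 510000  40000 300200    0    0     0     6 1200   900 78 15  7  0
 1  4      0 509000  40100 301000    0    0  9000  7000 1500   700  5  6 40 49
 2  3  81920   9000   1200  20000  350  420  4000  5000 1400   800 10  8 30 52
EOF
}

# triage_vmstat: reads vmstat output on stdin, prints "<sample> <flags>"
triage_vmstat() {
    awk -v busy_max=70 -v wa_max=20 '
    $1 == "procs" { next }                        # banner line
    $1 == "r" && $2 == "b" {                      # header: map names to columns
        for (i = 1; i <= NF; i++) col[$i] = i
        next
    }
    NF == 0 { next }
    {
        rows++
        if (rows == 1) next                       # first row: averages since boot
        flags = ""
        if ($(col["us"]) + $(col["sy"]) > busy_max)         flags = flags " cpu"
        if ($(col["si"]) > 0 || $(col["so"]) > 0)           flags = flags " swap"
        if ($(col["b"]) > 0 && $(col["wa"]) > wa_max)       flags = flags " io"
        if (flags == "") flags = " ok"
        print (rows - 1) flags
    }'
}

sample_vmstat | triage_vmstat
```

Reading the column positions from the header line keeps the check working on vmstat versions that order or extend the cpu columns differently.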

3. Network

command $ netstat -ci

The output of the command shows the traffic in each interface. The first set of result shows the aggregate total since the last system boot and the subsequent ones are deltas/sec.

The switches
-i : Interface
-c : Continuous
-s : Display summary statistics for each protocol
-r : Kernel routing table

4. Hard Drive Access Tuning

command # hdparm (Hard Disk Parameters)

The following techniques can be applied to (E) IDE drives to utilize 32 bit I/O and DMA more effectively but carefully.

# hdparm /dev/hda for brief info.
# hdparm -I /dev/hda for detailed info.
# hdparm -tT /dev/hda for testing and reading the speed.

[-t] : Timing buffered disk reads; xxMB/sec
[-T] : Timing buffered-cache reads; xxMB/sec (Results normally in 02 seconds)

To increase the speed :-

#hdparm -d1 -c3 -u1 /dev/hda

-d1 : Turn on DMA [ 0 for OFF]
-c3 : IDE chipset support [0 - DISABLE, 1 - ENABLE, 3 - 32 BIT TRANSFER]
-u1 : Get/set interrupt ‘umask’. Drive ignores other interrupts during processing of interrupts [0 - OFF]

file : /etc/sysconfig/harddisk

switches:
[-r] : Get/set read-only flag for device.
[-R] : Register an IDE device {careful} (expected hwif-ctrl).
[-U] : Un-register an IDE device {careful}
[-C] : Check the current IDE power mode status, normally “active/idle”
[-S] : Set standby (spindown) timeout for the drive. The value is used by the drive to determine how long to wait (with no disk activity) before turning off the spindle motor to save power.
[-Y] : Force to “sleep mode” (soft/hard reset needed but not for linux IDE HDD).
[-y] : Force to “standby mode” (spin down).

5. Kernel Level

If you are still hanging on to Linux kernel-2.2, changing the ‘min_percent’ variable may help you to some extent. This variable represents the system memory available for caching.

# cat /proc/sys/vm/buffermem

2 10 60

To change the default value

# echo "5 10 60" > /proc/sys/vm/buffermem

5 – min-percent.
10 – max-percent.
60 – borrow-percent.

It’s always acceptable, have a try. I tried it and I know there are much more powerful tools to workaround.