I’m going to FOSDEM 2010. This will be my first visit to the event, but I’m sure I’ll like it.
I proposed 2 talks for the conference, so it is possible that I will also speak there.
Yesterday I bought an AzBox Premium HD satellite receiver. The receiver is very nice: you can watch YouTube directly on it, you have a web browser and an e-mail client, and I can watch all of our movies directly from its storage. It has an HDD bay and WiFi. You can record shows from the TV to the local disk or to remote storage very easily. I’m happy with most of its functionality, but the funniest thing is that I cannot watch satellite TV, because it is amazingly hard to configure the CCcam client on this device. It took me and my brother the better part of the day to install and configure the client on this receiver.
So it is a very nice receiver, but if you use it with a shared card, be prepared for problems and headaches.
If for some reason anyone reading this is unfortunate enough to have cPanel on some of their servers, you have to know that /scripts/mysqlup doesn’t upgrade the mysql database to the new format offered by 5.0.x.
What this means is that, even if you have MySQL 5.0.x running, you cannot make use of stored procedures or views.
Since we have migrated around 30 servers to MySQL 5.0.x, I want to share with you how you can fix the problem without even restarting MySQL.
Here are the queries which will update your mysql database to the new standard for MySQL 5.0.x:
ALTER TABLE mysql.user ADD `Create_view_priv` enum('N','Y') character set utf8 NOT NULL default 'N';
ALTER TABLE mysql.user ADD `Show_view_priv` enum('N','Y') character set utf8 NOT NULL default 'N';
ALTER TABLE mysql.user ADD `Create_routine_priv` enum('N','Y') character set utf8 NOT NULL default 'N';
ALTER TABLE mysql.user ADD `Alter_routine_priv` enum('N','Y') character set utf8 NOT NULL default 'N';
ALTER TABLE mysql.user ADD `Create_user_priv` enum('N','Y') character set utf8 NOT NULL default 'N';
ALTER TABLE mysql.user ADD `max_user_connections` int(11) unsigned NOT NULL default 0;
ALTER TABLE mysql.user MODIFY Create_view_priv enum('N','Y') COLLATE utf8_general_ci DEFAULT 'N' NOT NULL AFTER Repl_client_priv;
ALTER TABLE mysql.user MODIFY Show_view_priv enum('N','Y') COLLATE utf8_general_ci DEFAULT 'N' NOT NULL AFTER Create_view_priv;
ALTER TABLE mysql.user MODIFY Create_routine_priv enum('N','Y') COLLATE utf8_general_ci DEFAULT 'N' NOT NULL AFTER Show_view_priv;
ALTER TABLE mysql.user MODIFY Alter_routine_priv enum('N','Y') COLLATE utf8_general_ci DEFAULT 'N' NOT NULL AFTER Create_routine_priv;
ALTER TABLE mysql.user MODIFY Create_user_priv enum('N','Y') COLLATE utf8_general_ci DEFAULT 'N' NOT NULL AFTER Alter_routine_priv;
UPDATE mysql.user SET Create_user_priv='Y', Create_view_priv='Y', Show_view_priv='Y', Create_routine_priv='Y', Alter_routine_priv='Y' WHERE User='root';
ALTER TABLE mysql.host ADD `Create_view_priv` enum('N','Y') character set utf8 NOT NULL default 'N';
ALTER TABLE mysql.host ADD `Show_view_priv` enum('N','Y') character set utf8 NOT NULL default 'N';
ALTER TABLE mysql.host ADD `Create_routine_priv` enum('N','Y') character set utf8 NOT NULL default 'N';
ALTER TABLE mysql.host ADD `Alter_routine_priv` enum('N','Y') character set utf8 NOT NULL default 'N';
ALTER TABLE mysql.host ADD `Execute_priv` enum('N','Y') character set utf8 NOT NULL default 'N';
ALTER TABLE mysql.db ADD `Create_view_priv` enum('N','Y') character set utf8 NOT NULL default 'N';
ALTER TABLE mysql.db ADD `Show_view_priv` enum('N','Y') character set utf8 NOT NULL default 'N';
ALTER TABLE mysql.db ADD `Create_routine_priv` enum('N','Y') character set utf8 NOT NULL default 'N';
ALTER TABLE mysql.db ADD `Alter_routine_priv` enum('N','Y') character set utf8 NOT NULL default 'N';
ALTER TABLE mysql.db ADD `Execute_priv` enum('N','Y') character set utf8 NOT NULL default 'N';
FLUSH PRIVILEGES;
Keep in mind that you have to use this exact sequence. If you change the order of any of the columns, you will not achieve the desired result. In fact, if you change the order of the columns of any of the tables in the mysql database you will probably have big problems, as MySQL does not use column names internally, only column positions.
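Because the column positions matter, it is worth checking the layout of mysql.user before and after running the sequence. The following check is an added example, not cPanel’s or MySQL’s own tooling; it takes the column names of mysql.user in ordinal order (as SHOW COLUMNS would list them) and verifies that the 5.0.x columns exist and sit exactly where the MODIFY ... AFTER statements above put them. The column lists at the bottom are constructed and abbreviated.

```python
# Added example (not cPanel's or MySQL's code): verify that the 5.0.x privilege
# columns of mysql.user are present and in the position the ALTER sequence expects,
# since the server addresses these columns by position, not by name.

# Column -> the column it must immediately follow, taken from the AFTER clauses above.
EXPECTED_AFTER = {
    "Create_view_priv": "Repl_client_priv",
    "Show_view_priv": "Create_view_priv",
    "Create_routine_priv": "Show_view_priv",
    "Alter_routine_priv": "Create_routine_priv",
    "Create_user_priv": "Alter_routine_priv",
}
# Added by the sequence but not position-constrained by it.
ALSO_REQUIRED = ["max_user_connections"]


def check_user_columns(columns):
    """Return a list of problems; an empty list means the layout matches."""
    problems = []
    pos = {name: i for i, name in enumerate(columns)}
    for col, prev in EXPECTED_AFTER.items():
        if col not in pos:
            problems.append(f"missing column {col}")
        elif prev not in pos:
            problems.append(f"cannot place {col}: anchor column {prev} is missing")
        elif pos[col] != pos[prev] + 1:
            problems.append(
                f"{col} is at position {pos[col] + 1}, expected right after {prev}")
    problems += [f"missing column {c}" for c in ALSO_REQUIRED if c not in pos]
    return problems


# Constructed, abbreviated column lists (a real mysql.user has many more columns).
OLD_USER_COLUMNS = ["Host", "User", "Password", "Select_priv", "Insert_priv",
                    "Update_priv", "Repl_slave_priv", "Repl_client_priv",
                    "ssl_type", "max_connections"]
NEW_PRIV_COLUMNS = list(EXPECTED_AFTER)
# What the full ADD + MODIFY ... AFTER sequence produces.
UPGRADED_USER_COLUMNS = (OLD_USER_COLUMNS[:8] + NEW_PRIV_COLUMNS
                         + OLD_USER_COLUMNS[8:] + ["max_user_connections"])
# What you get if you run only the ADD statements and skip the MODIFY ... AFTER ones.
APPENDED_ONLY_COLUMNS = OLD_USER_COLUMNS + NEW_PRIV_COLUMNS + ["max_user_connections"]

if __name__ == "__main__":
    for name, cols in [("old", OLD_USER_COLUMNS), ("upgraded", UPGRADED_USER_COLUMNS),
                       ("appended only", APPENDED_ONLY_COLUMNS)]:
        print(name, check_user_columns(cols) or "OK")
```

On a live server, feed it the output of SHOW COLUMNS FROM mysql.user; the "appended only" case shows what a partial run of the sequence looks like.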
For the past few days I have been implementing various attacks related to the TCP protocol.
I just finished a TCP connection flooder which can bring almost any service to a complete stop with as little as 75 Kbit/s and 12 packets per second.
This is for one service only. But if you combine this with a second service, for example SSH, you can render almost any server with some of its services down without raising any alarms on the network traffic monitoring systems. The flood uses small packets and is not very intensive, so if the administrators didn’t protect the SSH service on the machine, they would not be able to connect to the machine without a serial or KVM console.
Attackers can use such techniques to disrupt all kinds of services.
There are a few more things I would like to test, and maybe I’ll include these attacks in the next Network Security course at FMI.
I was really glad that I didn’t have to write all of my DoS scripts in C. Actually, Net::RawIP and Net::Pcap are perfect modules for writing small network things in Perl.
I’ll do some benchmarks to see how good Perl is at generating packets and how it compares with the C packet generators I have written.
Finally we got our Christmas tree. We had an argument with Toni about the tree: I wanted a normal natural tree and she wanted an artificial (plastic) one. So I agreed with her, but the new tree has a bug. The top part of the tree doesn’t clip onto the bottom, but since it was after 11pm I decided to fix the problem tomorrow; the problem is that I have to use a hammer to fix the stupid pipe.
I can’t understand one thing: almost 20 years ago Stevens wrote the books on Unix network programming, which I consider to be the Bibles of network programming. And there are still people who don’t understand why they should do a full implementation with all the required checks when they are writing network applications.
And the most frightening thing is that almost all of the students graduating in CS majors don’t even know how to implement a network daemon without introducing a big security hole in the system.
The results from the first exam of the Linux System Administration course are ready and are uploaded at http://training.iseca.org
What is interesting is that even with almost half of the questions not answered you can still get almost 20 points out of 50.
And one disappointing thing is that this year the girls have slightly lower average results than in previous years. Usually the girls have much higher grades than the males.
Here are the stats:
Maximum points: 47
Minimum points: 18
Average points: 34.3
Male average points: 34.4
Female average points: 34.2
Average points per course:
Course | Average points
-------+---------------
1      | 37.5
2      | 38.7
3      | 33.0
4      | 35.0
While some people are changing the styles of their blogs to cleaner and simpler themes, I decided that I will go with my favorite color and a nice picture.
The main reason that made me change the look of the blog is that many of the new posts use the PRE tag, and this causes the text to overlap with the right column.
I hope that this new theme will solve at least some of these problems.
One of the problems when you are migrating a server is actually migrating the traffic from the old IPs to the new IPs.
Since we were doing that fairly often for some of our servers, I have used one very common trick, which was to use DNAT + SNAT to move the traffic from the old server to the new server, and from the new server back to the client.
However, this presents one big issue: all clients now appear to come from the IP address of the old server. This is a big problem for systems that authenticate by combining the remote IP with the user/password pair.
So I set out to find a way to move all traffic for whatever TCP service I decide while keeping the source IPs.
The solution was fairly simple, and this is what I’ll try to describe here.
So here is our setup: server A is the old server (112.0.0.15) and server B is the new one (213.0.0.12), and all web traffic should end up on B.
In order to redirect all web traffic arriving at server A to server B, we have to use two DNAT rules on server A:
# iptables -t nat -I PREROUTING -j DNAT -d 112.0.0.15 -p tcp --dport 80 --to 213.0.0.12:80
# iptables -t nat -I PREROUTING -j DNAT -d 112.0.0.15 -p tcp --dport 443 --to 213.0.0.12:443
This is all we need to do on server A. Most of the work is done on server B.
So, after the traffic has reached server B, why do we have a problem?
The problem is that the DNAT on server A only changed the destination IP, so the source of the packet is still the IP of the client and not the IP of server A. The client opened its connection to server A, so for the reply to be accepted by the client its source IP must be the IP of server A, not the IP of server B. But once the packet is received on server B, the response is sent directly to the client from B’s own IP, and this is where the problems begin.
Here is one of my solutions to this problem. You should build a tunnel between server A and B. I used OpenVPN for that tunnel, with tap devices in order to have full bridge functionality (this is very important, since the packets that will be received from server B come from all kinds of IP ranges).
After the tunnel is set up we have a private network between A and B; in this example server A is 10.0.0.1 on the tunnel, and that is the address used as the next hop below.
What you should do now on server B is simple: create a separate routing table whose default route points back to server A through the tunnel (while B’s own IP and loopback stay local), send every packet carrying firewall mark 4 to that table, mark the web connections that arrive from the tunnel (tap0) with CONNMARK, and restore that mark on the locally generated reply packets so that they are routed by the new table.
Here is how all of these steps are done:
# echo '250 forward' >> /etc/iproute2/rt_tables
# ip r a 213.0.0.12 dev eth0 t forward
# ip r a 127/8 dev lo t forward
# ip r a 0/0 via 10.0.0.1 t forward
# ip ru a fwmark 4 t forward
# iptables -t mangle -A PREROUTING -j CONNMARK -i tap0 -p tcp --dport 80 --set-mark 4
# iptables -t mangle -A PREROUTING -j CONNMARK -i tap0 -p tcp --dport 443 --set-mark 4
# iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
And that should be it.
After this, you should receive all web traffic to server A as if it were coming directly to server B.
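To make the asymmetric-routing problem and the CONNMARK fix easy to reason about without two servers and a tunnel, here is a small model of the packet flow described above. It is an added example, not the author’s scripts: it uses the addresses from the post (server A 112.0.0.15, server B 213.0.0.12, A’s tunnel address 10.0.0.1); the client address 198.51.100.7 and the ports are constructed, and it assumes that A forwards the DNATed request to B through the tunnel so that it arrives on tap0.

```python
# Added example (not the post's scripts): model of the DNAT + policy-routing flow above.
CLIENT, A_PUB, B_PUB, A_TUN = "198.51.100.7", "112.0.0.15", "213.0.0.12", "10.0.0.1"
WEB_PORTS = (80, 443)


def server_a_dnat(pkt, conntrack):
    """A's PREROUTING DNAT: rewrite dst 112.0.0.15:80/443 to B and record the mapping."""
    if pkt["dst"] == A_PUB and pkt["dport"] in WEB_PORTS:
        conntrack[(pkt["src"], pkt["sport"])] = A_PUB
        return dict(pkt, dst=B_PUB)
    return pkt


def server_a_undo_dnat(reply, conntrack):
    """A sees B's reply come back over the tunnel; conntrack restores A's IP as source."""
    key = (reply["dst"], reply["dport"])
    if reply["src"] == B_PUB and key in conntrack:
        return dict(reply, src=conntrack[key])
    return reply


def server_b_reply(pkt, connmark_rules):
    """B answers from the destination it received (its own IP). With the post's rules a
    web connection arriving on tap0 gets mark 4, OUTPUT restores it on the reply, and
    'ip rule fwmark 4' routes it via table forward (default via 10.0.0.1)."""
    marked = connmark_rules and pkt["iface"] == "tap0" and pkt["dport"] in WEB_PORTS
    reply = {"src": pkt["dst"], "sport": pkt["dport"], "dst": pkt["src"], "dport": pkt["sport"]}
    reply["next_hop"] = A_TUN if marked else "main-table-default-gw"
    return reply


def client_accepts(reply):
    """The client opened its connection to A, so it only accepts replies from A's IP."""
    return reply["dst"] == CLIENT and reply["src"] == A_PUB


def run(connmark_rules):
    """Return (client accepted the reply?, source IP the client saw)."""
    conntrack = {}
    req = {"src": CLIENT, "sport": 40000, "dst": A_PUB, "dport": 443}
    req = server_a_dnat(req, conntrack)
    req["iface"] = "tap0"  # assumption: A forwards the DNATed request through the tunnel
    reply = server_b_reply(req, connmark_rules)
    if reply["next_hop"] == A_TUN:  # reply goes back to A, which un-DNATs it
        reply = server_a_undo_dnat(reply, conntrack)
    return client_accepts(reply), reply["src"]


if __name__ == "__main__":
    print("without CONNMARK:", run(False))  # (False, '213.0.0.12')
    print("with CONNMARK:   ", run(True))   # (True, '112.0.0.15')
```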
For me, this book was more like a manual than true in-depth learning. It is a very good and easy-to-read book. One of the best things was that, while reading the book, it was actually making me read more and more. I actually finished it in less than three or four days, which is not normal for me, even for a topic in which I’m not a novice. This is my first book from the Pragmatic series, but it seems like the best idea for learning the basics of some topic.
I had been using Git for more than a year before reading this book. I have made manuals and trainings within our company about Git. But this book opened my eyes and made me understand more than what I had learned from the online manuals. I think that the book’s organization was one of the main things that really guided my experience while reading it. What I found after reading the book was that, even though you can work without most of the information in the book, all that it describes makes your work easier, faster and smoother.
And the one thing that I really missed in this book was how to work and organize your project with some of the GUI applications available for Git.