Adam Palmer MBCS CITP, Linux, PHP Programmer, MySQL Developer, Embedded Hardware, Security Consultant

18 Oct 09 Installing and Configuring Xen with guests

Installing and Configuring Xen on a Debian Lenny machine is pretty easy. Firstly, install the system:

apt-get install xen-tools xen-utils-3.2-1 xen-linux-system-2.6.26-2-xen-686

xen-linux-system-2.6.26-2-xen-686 comes with the Xen kernel that you’ll need. It should install a new kernel as the default, and therefore you’ll now need to reboot.

Once rebooted, issue uname -a to ensure that your new Xen kernel is running:

apnic01:~# uname -a
Linux apnic01 2.6.26-2-xen-686 #1 SMP Wed Aug 19 08:47:57 UTC 2009 i686 GNU/Linux

You now have Xen installed! Now, you’ll need to make a few changes. Firstly, none of my new guest VMs had a working console; apparently this is a known issue in Lenny with Lenny guests. The workaround is to change the inittab on the guest. I wanted to create guests without modifications, so in this case I edited /etc/xen-tools/xen-tools.conf and uncommented:

#serial_device = hvc0 #default

It’s listed as the default, but uncommenting this seemed to solve my issues.

Now, you’re ready to create your first guest:
(more…)


14 Oct 09 Xen, LVM and friends

I’m going to write 3 articles next: the first on installing Xen on a Debian Lenny host (Dom0) with Debian Lenny guests (DomU) on a regular loopback filesystem. Next I’m going to write about setting up LVM with some basic working examples, and then finally how to move your Xen over to LVM once you realise that you don’t want loopback. This is the same order in which I performed my installation, and it covers Xen setup, LVM setup and migration from loopback to LVM, which is a valid upgrade path. My Xen installation is entirely automated. Watch this space...


11 Oct 09 Linux Consultant – How to recover a compromised server

As a security consultant I often have to deal with machines that are already compromised. The ‘official’ standpoint is always to wipe the machine altogether, reinstall your OS, and restore your data and configurations from the backups that you obviously have.

When that is not possible, the second-best alternative is to recover the machine.

The first thing to do is compare each command line utility to that of a known good identical system before using it, so that you can rely on the results it returns. A hacker will often drop a modified ‘ls’, ‘lsmod’, ‘ps’ and various other tools onto your system to hide whatever else he may have installed.

You’ll need to use md5sum and ls to check the size and checksum of each utility before you use it, although of course md5sum and ls themselves could be hardcoded with predefined responses. You could also use ‘strings’ to check the ASCII contents of those tools, although ‘strings’ could just as easily be rigged. If you’re that paranoid, you’ve got no choice but to wipe the machine altogether.

So firstly, check the integrity of each of your core utilities. If the compromised system is Debian 5.0 with the latest updates installed, you’ll need to check against another Debian 5.0 system with the same updates and tools installed. Or, if you can find a listing online somewhere of what binaries should be what sizes and have what MD5s, then you should be fine.

Once you have confirmed your ‘md5sum’ utility, you should be able to just start comparing MD5s without worrying about file sizes and strings. Check your package management utilities and make sure that you’re happy with them, then apt-get install rkhunter; this will check for a number of issues. There are other ‘root kit hunters’ that you can use as well if you wish. Once this has been run, check your ps utility and ensure that it is as you expect. Then run ps auxw and check each running process in the same way. Assuming that all of that is done and has not shown up anything, all is good so far. If something has been found and one of your binaries is compromised, then, assuming your package manager is in good order, dpkg -P <package> and reinstall. If it is a core package that can not be removed/purged without affecting the rest of the system, then just scp over a new binary. Check again that the libc6 version and package version are IDENTICAL, and check of course that scp itself is in good order.

At this point, we can assume that your binaries themselves are in good order. Check for any new SUID utilities with find / -perm +4000 and, once done, firstly make sure that everything on that list is as expected, and secondly, double check your md5sums of each and every one of those.

This all being OK, continue by checking your /etc/passwd, /etc/group and /etc/shadow files for user accounts that you don’t recognise. Then check syslog, wtmp, lastlog, etc., and check the IPs and last logins of each account. Also check directories such as /tmp/, especially with ls -al, to look for directories beginning with a ‘.’ which would otherwise be hidden.

If everything above returns success, then it’s unlikely that your system was directly compromised. There is always the chance that your web application or database was compromised, but that’s outside the scope of this article. In short though, check your webserver log files, as they should give you the information on what was compromised and how it was done. Obviously ensure that any 3rd party software that you may be using, such as wordpress, vBulletin, etc., is always at the latest version.

Edit/Addition:
In response to a reader’s comments, I would add that should you be able to remove the network connection to the compromised machine and still access it, then do. Your login and anything you type could be being sent to an attacker without you even realising it.

Additionally, there is no point in simply recovering a hacked server without knowing how it was compromised in the first place. Arguably you should have worked it out though by following the steps above.
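As an added example (not code from the original post), the binary-integrity, SUID and unrecognised-account checks described above, scripted in Python. The fake root, the known-good manifest and the passwd contents are constructed for the demo, and sha256 stands in for md5:

```python
# Added example, not code from the original post: the integrity checks the
# article walks through, run against a constructed fake root so it is safe and
# offline. The manifest stands in for a listing taken from a clean, identically
# patched system; sha256 is used here in place of md5.
import hashlib
import os
import stat
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def changed_binaries(root, manifest):
    """manifest: relative path -> known-good hash. Returns missing or altered files."""
    return sorted(rel for rel, good in manifest.items()
                  if not os.path.isfile(os.path.join(root, rel))
                  or sha256_of(os.path.join(root, rel)) != good)

def suid_files(root):
    """Same check as `find / -perm +4000`: every file carrying the setuid bit."""
    hits = []
    for d, _, names in os.walk(root):
        for n in names:
            p = os.path.join(d, n)
            if os.stat(p).st_mode & stat.S_ISUID:
                hits.append(os.path.relpath(p, root))
    return sorted(hits)

def extra_uid0_accounts(passwd_text):
    """Any /etc/passwd entry besides root with uid 0 is an account to explain."""
    rows = [line.split(":") for line in passwd_text.splitlines() if line.count(":") == 6]
    return [r[0] for r in rows if r[2] == "0" and r[0] != "root"]

def build_fixture():
    """Constructed fake root: clean ls and ps, then ps replaced and made setuid."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    for name in ("ls", "ps"):
        with open(os.path.join(root, "bin", name), "wb") as f:
            f.write(b"clean " + name.encode())
    manifest = {"bin/" + n: sha256_of(os.path.join(root, "bin", n)) for n in ("ls", "ps")}
    with open(os.path.join(root, "bin", "ps"), "wb") as f:  # simulated trojaned ps
        f.write(b"modified ps")
    os.chmod(os.path.join(root, "bin", "ps"), 0o4755)
    return root, manifest

# Constructed passwd content; "toor" is the kind of extra uid-0 account to flag.
PASSWD = "root:x:0:0:root:/root:/bin/bash\ntoor:x:0:0::/:/bin/sh\nadam:x:1000:1000::/home/adam:/bin/bash\n"
if __name__ == "__main__":
    root, manifest = build_fixture()
    print(changed_binaries(root, manifest), suid_files(root), extra_uid0_accounts(PASSWD))
```

On a real box the manifest would come from the clean reference system the article describes, and the checks would be pointed at / rather than a temporary directory.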


19 Sep 09 Installing Linux on the Embedded PPC50 Touchscreen

I personally really like this touch screen PC! I’ve installed Debian (of course), graphical interface, and configured the HUAWEI data card along with the TSCOM touchscreen drivers.

I also modified the boot up to log in and start the graphical interface automatically. Using xvkbd for a virtual keyboard works really well, and I might just have to carry this around in the car along with the datacard for those emergency situations.

It’s a simple x86 with 1GB diskspace and 1GB RAM. The device takes a simple 12V/6A input and therefore wiring it up to a car, battery, or other portable power supply shouldn’t be a problem!

Any ideas what next?


18 Aug 09 Multithreaded TCP Proxy Tunnel Code

Further to my earlier article, I went ahead and developed this application. Here’s a beta!

File: tcp_tun.c
Version: 0.3-beta
Title: TCP reassembling client-server application
Date: 17 Aug 09
Author: Adam Palmer <adam [AT] adamsinfo [DOT] com>
URL: http://www.adamsinfo.com/
(more…)


05 Aug 09 Using the Phidget Interface Kit under Linux

Further to a comment I received (http://www.adamsinfo.com/the-robot-phidgets-usb-interface-board-kit-works/comment-page-1/#comment-490), I thought that it might be a good idea to write a quick high level overview of getting the USB Phidget Interface Kit working under Linux. In my case I am of course using 32bit Debian; however, these instructions should mostly be portable to any other Linux based OS.

(more…)


25 Mar 09 An idea – cPanel like host management

Recently, for various reasons, specifically our acquisition of nxserve.net, I have reluctantly had to start working with cPanel, which is what the users manage their accounts with. It’s a bit like installing a Windows-based GUI on top of a Linux system. You can point and click your way around and actually get a surprising amount done; however, as soon as something doesn’t work as expected, you’re absolutely stuck. Further to that, should you decide to log in to the console and make modifications as you usually would, you will either find that the entire system catastrophically fails, or that your configuration is simply overwritten by cPanel again. That said, whether or not I like it, cPanel is actually a fantastic system. How else would you successfully manage 1000+ user hosting accounts on a single server, whereby you can just set up a logon, give it to the user, and he can do anything he should need? Installation is also incredibly easy. Install base CentOS and just ‘sh ./latest’, which you download from cPanel. The rest is done for you.

As much as everything within me opposes something like this, I actually love it. It’s a fantastic idea and it works so well. So much so, that I’m interested to know if there is any demand or even desire for anything like this.
(more…)


14 Mar 09 Linux SCREEN Command

To start with, apt-get install screen on your favorite Debian server.

For the purposes of this tutorial (and throughout the site), ‘^C’ refers to Ctrl+C, ‘^A’ to Ctrl+A etc.

Now run screen with: screen

You are now within a virtual terminal. Typing exit will close your virtual terminal, and as it is the only virtual terminal open, also terminate the screen command.

Run screen again. Now, within the screen, type watch -n 1 ps aux – although outside the scope of this screen tutorial, this command will issue ‘ps aux’ to show the running process list every second. Let’s assume that we want to leave this running. Now type ^A, D – this will detach from your screen and you should see “[detached]” on your terminal. You are now back at your terminal, with screen still running.

Type screen -x to reconnect back to your screen session, and you will notice that your watch/ps processes are still running.

Type ^A, C and you will create a new ‘window’ within your same screen session. You can create as many windows as you wish, and then type exit to close them.

You can use ^A, 0 where 0 is your window number to switch between windows within your screen. When your last window is closed, screen will terminate.


Contributed by Reader Phil:

* CTRL + A + p for previous screen
* CTRL + A + n for next screen
* CTRL + A + A to name screen
* CTRL + a + S split screen
* CTRL + a + TAB change screen
* CTRL + a + q close split screen

And you also can modify your .screenrc to add a status bar:
hardstatus alwayslastline
hardstatus string '%{= kG}[ %{G}%H %{g}][%= %{=kw}%?%-Lw%?%{r}(%{W}%n*%f%t%?(%u)%?%{r})%{w}%?%+Lw%?%?%= %{g}][%{B}%Y-%m-%d %{W}%c %{g}]'

I hope you’ve found this helpful.


03 Mar 09 bc – Linux command line calculator

bc is a great command line calculator for Linux. Under Debian based distributions just:

apt-get install bc

(more…)


02 Mar 09 How to upgrade from Debian Etch to Lenny

Debian Lenny is now stable, so here is a quick guide to upgrading. I would recommend taking backups before doing this, and not performing this upgrade on a live/production machine.
(more…)
