Showing posts with label linux. Show all posts
Showing posts with label linux. Show all posts

Friday, October 3, 2014

Shellshock Bash Vulnerability

System vulnerable to Shellshock


What type of systems are vulnerable? "Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or launch to Bash subshells"

Quick test to see if your system is vulnerable:
env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

Example:
[root@testvm ~]# env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash is vulnerable!
bash: FUNCTION(): line 0: syntax error near unexpected token `)'
bash: FUNCTION(): line 0: `FUNCTION() () { :;}; echo Bash is vulnerable!'
bash: error importing function definition for `FUNCTION'
Bash Test

To test if your web server is vulnerable, you can use the 'ShellShock' Bash Vulnerability Test Tool.

To secure your system, simply upgrade the Bash package (should be available on most distributions):
$  ## Debian Based
$ sudo apt-get update && sudo apt-get install --only-upgrade bash

$  ## RedHat Based
$ sudo yum update bash

References:




Wednesday, October 1, 2014

Invalid Argument When Trying to Write Direct I/O to a 4K Native Sector Size Device


Direct I/O Invalid Argument


When trying to write Direct I/O to a particular block device, I ran into this ugly error:

# dd if=/dev/zero of=/dev/sdb oflag=direct
dd: writing to ‘/dev/sdb’: Invalid argument
1+0 records in
0+0 records out
0 bytes (0 B) copied, 0.000202393 s, 0.0 kB/s

After some investigation, it turns out the cause was the device was actually configured and low level formatted to the newer 4K Native Sector Size (aka 4Kn Advanced Format). Older devices are all 512 byte sector size.

The problem is that the default block size for many applications is still 512 bytes. The solution is easy, once you know the cause. You just simply write blocks in 4K byte size.

# dd if=/dev/zero of=/dev/sdb oflag=direct bs=4k
^C
73063+0 records in
73063+0 records out
299266048 bytes (299 MB) copied, 4.83917 s, 61.8 MB/s

Is My Device 4K Sector Size?


Many newer storage devices may be configured for 512, 512e or 4K.  So how can you tell if you have a disk device that is in 4K native sector size? There are several options:

1) fdisk will tell you:

# fdisk /dev/sdb
Note: sector size is 4096 (not 512)
...

2) blockdev can tell you:

# blockdev --help
 --getss                   get logical block (sector) size
 --getpbsz                 get physical block (sector) size

# ## 512 mode:
# blockdev --getss /dev/sda
512
# blockdev --getpbsz /dev/sda
512

# ## 4Kn mode:
# blockdev --getss /dev/sdb
4096
# blockdev --getpbsz /dev/sdb
4096

# ## 512e mode:
# blockdev --getss /dev/sdc
512
# blockdev --getpbsz /dev/sdc
4096

3) Your storage vendor's tools should tell you.  Many times the storage vendor will also provide tools to low level format to either 512, 512e or 4K

Why 4Kn?


So why are some storage vendors providing newer storage devices in 4K sector size?  Efficiency, and Data Integrity.

"Larger sectors use the storage surface area more efficiently for large files but less efficiently for smaller files, and enable the integration of stronger error correction algorithms to maintain data integrity at higher storage densities." (source)

Summary:

  • Greater storage efficiency for larger files (but less efficient for smaller files)
    • Better bandwidth performance (large block read/writes), but IOPS (small block read/writes) will suffer
  • Improved error correction algorithms to maintain data integrity at higher storage densities


512e Alternative?


For Operating Systems and applications that may not support 4K native sector size, vendors may also provide a 512e mode (512 emulation). 512e mode is a 512 byte local sector size front-end emulation with 4K byte physical sector size back-end.

The Operating System would hand down a 512 byte request as usual, but then the storage controller would convert the request to a 4K byte request. This provides the efficiency and data integrity benefits for the physical storage, but may come with a performance hit, due to the emulation and conversion required (especially if not aligned properly).

This mode also allows a stepping stone for storage vendors to move forward with 4K technology, while still supporting older Operating Systems and applications.



Sunday, July 6, 2014

Switch to Linux - UberGeek

Swith to Linux - UberGeek.tv

This is an oldie, but still makes me smile

Transcript:
"We were negotiating with the Pentagon. We had a blue screen of death. That was the last straw.
When you're holding the Moon for ransom, you value stability in an application. Linux gives us the power we need to crush those who oppose us.
It's compatible with our orbiting brain lasers.
I've got a Beowulf cluster of atomic supermen.
I have more friends now.
Genetically engineered cyber-goats. Henchmen with bad teeth. Gorgeous fembots with a penchant for evil.
I mean, Linux runs on anything.
I'm all about: Open Source. Just changed my love life.
You've got to config it. And then you have to write some shell scripts. Update your RPMs. You have to partition your drives. And patch your kernel. Compile your binaries. Check your version dependencies. Probably do that once or twice.
It's just so easy. And so simple. I don't know why everyone doesn't run Linux.
Thank God they don't, or then they would all be supervillains, wouldn't they? Heh heh.
I'm Steve, and I'm a supervillain."

See also:




Saturday, February 22, 2014

Plex Media Server



Plex Media Server (http://plex.tv/) "bridges the gap between your computer and your home theater, doing so with a visually appealing user interface that provides instant access to your media."

Plex allows you to play your collection of movies, music and photos from a variety of devices, such as a computer, Smart TV, Roku, cell phones, tablets and others.  Through the online Plex Service you can also share your media collection with friends and family.

Plex has a server download for Windows, Linux and Mac.  I have had the best results (least issues) with the Linux 64bit version.



Plex Installation

Plex is really easy to install.  Plex can be downloaded from https://plex.tv/downloads

For Windows, you run the simple installer executable.

For Linux, you download the appropriate rpm/deb.  The following example works for Fedora 14 or CentOS 6 (or newer) 64bit

# as the root user...

wget http://downloads.plexapp.com/plex-media-server/0.9.8.18.290-11b7fdd/plexmediaserver-0.9.8.18.290-11b7fdd.x86_64.rpm

rpm -Uvh plexmediaserver-0.9.8.18.290-11b7fdd.x86_64.rpm

service plexmediaserver restart

To access the Plex web interface visit http://127.0.0.1:32400/web/

To use the online Plex Service you will need to open up port 32400 on your firewall.

Friday, January 24, 2014

PLUG - Regular Expressions

PLUG - 1/21/2014 - David Oswald - "Regular Expressions" 
Provo Linux Users Group's (PLUG) David Oswald presents on Regular Expressions, for the January 21, 2014 meeting.  The saved YouTube video presentation is 55 minutes.  The examples are in Perl, but the concepts are universal.  Covers rxrx "RegEx Doctor", backtracking and NFA concepts.

"What is backtracking? How do character classes work? What is the "Little Engine that Could(n't)"?"






Notes


Definitions:
  • Literal Characters: abcd... ABC... 123...
  • Operators: m// (match), s/// (substitute), =~ or !~ (bind)
  • Meta-characters: \ | ( ) [ { ^ $ * + ? .
  • Meta symbols: \b \D \t \3 etc...
Example:
$string = "hello world";
say "Match" if $string =~ m/hello/;

Syntactic Shortcuts:
$_ = "hello world";
say "match" if /hello/;

DFA / NFA / Hybrid Engines - (Deterministic Finite Automata) DFAs and (Non-deterministic Finite Automata) NFAs have exactly the same capabilities and limitations. The only difference is notation convenience.
  • DFA: simpler, text-directed match, no backtracking, more limited, awk/egrep
  • NFA: regex-directed match, backtracking, more flexible semantics, grep/less/sed/more/Perl/PHP/Python
Focus for this presentation: Non-Deterministic Finite Automata (NFA) Engines

Two big NFA rules:
  1. The match that begins earliest wins.
  2. The standard quantifiers are greedy.
rxrx - Excellent RegEx debugging tool ("RegEx Doctor") :
  • rxrx - command-line REPL and wrapper for Regexp::Debugger
Quick rxrx overview:
Install:
 cpan Regexp::Debugger

Usage:
 rxrx
 perl -MRegexp::Debugger -E 'Regexp::Debugger::rxrx(@ARGV)'

To set the regex:
 /[SOMETHING]/

To set the string:
 '[SOMETHING]'

To start match engine: 'm'

To quit: 'q'

Commands:
      / : Enter a pattern
      ' : Enter a new literal string
      " : Enter a new double-quoted string
      m : Match current string against current pattern
 q or x : quit debugger and exit
      h : help

Match Commands:
       - : back step
 [enter] : forward step
       c : proceed visually quickly to the end

Backtracking - When partial match fails, the engine backtracks to try an alternative path.  Where the greatest performance hit comes from.

Example of large backtracking out of control:
# fails in 218 steps
/(a*)*[^Bb]$/
'aaaaaab'

Backtracking can be put under control by using "possessive quantifiers": (*+, ++, ?+, {n,m}+)
# fails in 79 steps
/(a*)*+[^Bb]$/

Possessive quantifiers - change the "greedy" quantifiers to "lazy" quantifiers that attempt to match the minimal amount.  Greedy quantifiers attempt to match the greatest left most match.  Lazy quantifiers attempt to match the least left most match.
/.*foo/   # Greedy ; backtrack backwards.
/.*?foo/  # Lazy; backtrack forward.

More NFA rules:
  1. Matches occur as far left as possible.
  2. Alternation has left-to-right precedence.
  3. Alternative matches if every item listed in the alternative matches sequentially.
  4. Backtracking occurs to try higher-pecking-order assertions.
  5. Quantifiers must be satisfied within their permissible range.
  6. Each atom matches according to its designated semantics.
Shorter segments are often easier:
if( /Brian/ && /John/ ) { ... }
# vs
if( /Brian.*John|John.*Brian/ ) { ... }

Progressive matching - starting where the previous pattern starts off

Extended Bracketed Character Classes - Character classes can now have set semantics (intersections, unions, subtraction, symmetric difference, complement)

When to use RegExes:

RegExes are for matching patters, not for things that have a parser, like HTML and JSON.  Should also not be used for Email Addresses.

"Regexes optimal for small HTML parsing problems, pessimal for large ones" -- Tom Christiansesn

Appropriate Alternatives:

  • Complex grammars - use parsing classes
  • Fixed-width fields - use unpack, substr
  • Comma Separated Values - use CSV libraries
  • Uncomplicated, predictable data - Regular Expressions!


Sunday, December 29, 2013

Koding - Online Development and Social Coding

http://koding.com/
Stumbled across this koding.com site today.  Koding is an online development environment with social coding aspects.  Included with your free account is a personal web server Linux VM, with root SSH access.  Pretty nifty idea.  Programming languages naively supported are Python, Java, Perl, Node.js, Ruby, C, C++, PHP, and Go.  With root access, you could probably get anything else you want running as well.

"Koding is a developer community and cloud development environment where developers come together and code in the browser – with a real development server to run their code. Developers can work, collaborate, write and run apps without jumping through hoops and spending unnecessary money."

Sunday, November 24, 2013

Force a Kernel Panic


Have you ever wanted to generate a kernel panic, for kernel testing purposes?

A few ways to generate a kernel panic, a kernel oops and reboots:
# echo 1 > /proc/sys/kernel/panic
# dd if=/dev/random of=/dev/port
# cat /dev/port
# cat /dev/zero > /dev/mem
Forcing an Alt-SysReq-c command from the console:
# echo c > /proc/sysrq-trigger

To generate a kernel panic from source code, we will need to compile a kernel module from the kernel source: (source)
// source: force_panic.c
#ifdef __KERNEL__

/* Makefile :
obj-m := force_panic.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)

default:
 $(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules
*/

#include <linux/module.h>
#include <linux/kernel.h>

static int __init panic_init(void) {
  panic("force-panic");
  return 0;
}

static void __exit panic_exit(void) {
}

module_init(panic_init);
module_exit(panic_exit);

#endif
Generate a kernel oops: (source)
static int crash_module_init(void) {
     printf("crash module starting\n");
     int *p = 0;

     printk("%d\n", *p);

     return 0;
}

static void crash_module_exit(void) {
    printf("crash module exiting\n");
}

module_init(crash_module_init);
module_exit(crash_module_exit);