Cloudweavers » opensource

Couples of stats/facts.

pascal.charest — Sat, 10 Oct 2009 14:15:07 +0000

As I look over 6 very interesting projects overview on my desk, I’m forced to do a bit of thinking about how the last year went by. A year is a lot of time, and so much plans finally came to fruition that I can’t think of listing them all here today. Which is kinda a good sign for me and my enterprise ;-)

Most of my readers doesn’t really know who I am, even when you take into account that I blog under my real name. Most don’t know that I bought a condo in Hull (now part of Gatineau, near Ottawa – the capital of Canada), that I still have a rent in Montreal, that I proposed to my girlfriend (she said “Yes!”), that I own a dog (greatest experience of forcing a regular schedule I ever had), that my greatest motivation in life is to be able to go where I want, whenever I want. My dream is going back to Yosemite, California… and bring hiking gear.

Another big aspect of my life is my business, Les Laboratoires Phoenix. I’ve been working full time at it for the last 9 months and its been a great experience. Over those months : I’ve worked with clients from 7 countries, contributed to 3 major open source projects, went to the “Free Software Foundation” Libre Planet confrence in Boston, went to the DefCon in Las Vegas, I’ve been named SME for {Zabbix, Zimbra, Asterisk, OpenLDAP, extended LAMP Stack, Mailman, GlusterFS, Lustre, MySQL, Cloud Computing, …}, 3 of my articles have been published (>40K prints), and I’m involved in a book project (from a major publisher)…

And, even thinking about all those achievements, I still look for the future of Les Laboratoires Phoenix. I guess that working with startups influenced me a lot : those 6 projects are all different from each others, they represent good revenue potential (clear business plan) and require low capital input to be started. So, I guess I’ll stop speaking about them and work ;-). Btw, two of those projects would be online services (SAAS) for well known parts of Internet infrastructure (not webserver). Another is a cloud computing infrastructure services based in Montreal (this one if almost finished! & I got an hardware provider)… A lot of fun to be had.

More news to come.

Security @ DEFCON 17

pascal.charest — Mon, 17 Aug 2009 17:16:44 +0000

Survived! Well my laptop did – I’m exhausted and work was waiting for me in Montreal, but – let be honest, I can’t really complain.

For those who don’t know, the DEFCON is one of the leading hacker conference with over 8k attendees getting together in Las Vegas to share knowledge on hacking, cracking, social engineering, lock picking and similar discipline. Peoples come from all social group – 14y old video gamer to senior security specialist for the gov, going through consultant, programmer, developer and hobbyist. Fun crowd.

While my trip was flanked by 2 series of 4 vacation days (before and after), I was @DEFCON as the owner of Les Laboratoires Phoenix – my free software consulting firm – and as such, I was confronted to this dichotomy:

* I need Internet access to answer clients requests
* Connecting to Internet at DEFCON is professional suicide if your not up to it

Let me explain this second point a bit: first, the Wall of Sheep, an inline filter tracking unencrypted connections and broadcasting users credentials (including a partially obscured password) on a big screen in the lounge. Generally, the flow is quasi non-stop.

If you think that it’s not that bad, the password being garbled… think again : Wall of Death. It’s an inline switch, freely available, where the 7 ports broadcast a mirror of everything the firewall see (which is.. everything). Live, un-garbled, un-modified feed of everything in the pipe. In other words, if you are on the Wall of Sheep, then someone from the Wall of Death got your credential.

And then, this is only using the standard infrastructure. I am not mentioning peer attack, wireless impersonation and so on.

So, how to survive in such hostile environment ? Here’s a few rules (which should also be taken as golden rules if you work from your client’s office).

1) ‘netstat -lntp‘ ; this command (an output of incoming listing ports on your system) should return nothing. There is no need to have any listening services if you are ‘mobile’.

2) iptables -L -n -v ; this command give you your firewall rules. INPUT should be restricted to established and related connection with a default policy of DROP. OUTPUT, when in a ‘not-so-friendly’ environment, should defaulted to DROP with allowed outgoing on secure protocol only (http:443, ssh:22, …). If you need to connect to an un-encrypted destination, at least forward through a ssh-tunnel/proxy.

3) never auto-connect to unencrypted network. This is exactly what causes the wall of sheep to be full of iPhone user’s credentials. This cute little device can auto-connect to the unprotected network (such as DEFCON) and start sending security credential (un-encrypted) to twitter, facebook, myspace…

4) Do not take anything for granted. PREPARATION is the key. Before the trip, start collecting all your ssh-key fingerprint on your system, this can become really handy if someone tries some ‘not-so-great’ men-in-the-middle attack against you.

Well, thinking about it, number 4 is the best advice. DO NOT TAKE ANYTHING FOR GRANTED. In the last 2 years, there have been 2 attack against the SSL infrastructure disclosed at DEFCON. Btw, this is for GNU/Linux system. If you are using a Microsoft operating system at the DEFCON, you better… well… just don’t use it.

Using TOR for anonymity

pascal.charest — Thu, 18 Jun 2009 16:01:21 +0000

In the last couples of day, I’ve seen my fair share of privacy infringement from all kind of service provider. I am a ‘free web’ militant but I’m also a free software consultant and as such, my professional self is often called to deploy network management tools in ISP or servers hosting facility. Most of these tools can be used to maintain the integrity of the network and enhance performance, however, they can also be used in questionable behaviors such as wire tapping. Today, I’ll be installing/presenting TOR, an anonymity program, on a GNU/Linux workstation to hide web browsing request.

Let it be known that TOR is not the ultimate solution. This software should not be used as a way to ‘secure’ transactions/requests. Its very usage is to proxy tcp requests to a series of hosts all around the world. In other words, it will scramble the source IP of every request.

Installing TOR for anonymity

TOR is :

[...] a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.
Source: TOR official website

Privacy is the keyword. Another important fact is that peer-to-peer applications will not work well with proxy relaying (so forget forwarding your bit-torrent traffic inside the ‘tor cloud’).

Installation process (GNU/Linux)

Installing dependencies

# apt-get install libssl-dev libevent-dev

Installing TOR

# download latest sources in repository.
# tar zxf tor-0.2.0.34.tar.gz
# cd tor-0.2.0.34 ; ./configure ; make ; sudo make install

Installing privoxy

# download lastest sources in repository.
# apt-get install autoconf
# adduser privoxy
# tar zxf privoxy-3.0.13-beta-src.tar.gz
# cd privoxy-3.0.13-beta
# autoheader ; autoconf ; ./configure ; make ; make install

Start applications

# /etc/init.d/privoxy start
# tor

Installing TORbutton add-ons for Firefox.

# https://addons.mozilla.org/en-US/firefox/addon/2275
# click add to firefox.

There you go. Click on the ‘tor disabled’ in the lower right corner and test by going at https://check.torproject.org/. You willl be able to browse the web while hiding the source IP of your request (this is only for http, for other protocol, you’ll have to forward them through a sock4 connection)…

SFLC vs Cisco

pascal.charest — Tue, 19 May 2009 13:21:48 +0000

The SFLC (Software Freedom Law Center, the ‘legal arm’ of the FSF) lawsuit against Cisco Systems (nasdaq:csco) has been settled . The details are not yet available.

Related:
December 11, 2008: SFLC files lawsuit against Cisco Systems on the behalf of FSF. The complain is available as PDF
December 11, 2008: FSF publish a press release.
May 12, 2009: recap of the settlement on PROSKAUER ROSE NewMedia law blog.

ensim & php :’premature end of script’ ; php-script’

pascal.charest — Wed, 13 May 2009 19:40:18 +0000

I had an installation of phpForms [1] to complete on a client server where Ensim was already installed and configured. installed. I’ve learn a couple of things:

1.
Recovering the root MySQL password is ‘really, really easy’ if Ensim is installed on the server – maybe a bit too much:

# ensim-python -c “import sys;sys.path.append(\”/usr/lib/opcenter/mysql\”);import mysqlbe;print mysqlbe.read_mysqlpass()”

2.
./phpforms/install.php script fail with a 500 error (application error) when viewed with a web browser but output valid code when viewed through a CLI. In a direct relation, the apache error-log is complaining :
‘premature end of script’ ; php-script’

This error is directly related to Ensim’s security setting. Try lowering them: when logged as server-administrator, edit the site setting, and set a ‘low-security-setting’.

[1]. http://phpforms.net/ – PHP Scripts to auto-magically create web forms using database backend.

Libre Planet 2009 = little road trip

pascal.charest — Mon, 09 Mar 2009 03:12:47 +0000

Kind of missed this one earlier,

FSF annual meeting (Libre Planet 2009 Conference) will be held at Harvard Science Center, Cambridge, MA – in 2 weeks! (21-22 March 2009).

Since I’ve been working in the free software domain for quite a few years, I’ll be going to the “conference”. Right now, we got a driver (my girlfriend), a geek (Yannick Gingras) and maybe a tech… Sound like a nice little road trip…

Evidently, I’ll be live blogging from there. Some pretty interesting presentations are lined-up – one from our local “Evan”, of Identi.ca fame.

top sysadmin stuff

pascal.charest — Sat, 07 Mar 2009 13:45:37 +0000

Being challenged everyday to augment my productivity, here is a few quick tricks/software helping system administrator.

1. BlackBerry

Yeah, I know. It was an easy one – and easy to expect since I’ve bought a Storm. Employees get to hate them (since they are always hooked to the business) but as owner of a small business, I NEED to be informed of everything going on. The ability of answering my email / instant messanging while in route between Montreal & Ottawa is of prime importance. My clients doesn’t need to know where I am or what I am doing, they know I’m ready to help them.

The BlackBerry by itself is not as feature-complete as the iPhone seem to be. Using the pre-loaded email client with gmail just doesn’t cut it. It’s using IMAP and discarding all your filter/labels for incoming messages. There is an alternative : gmail mobile application. Available from the central mobile application repository of Google. Using a customized alert setting, you can be informed when you have new mail (in your inbox), while preserving your filter/label configuration. While you are there, you should also install the maps application, can always be handy.

Another “must-have” app. for sysadmin is MidpSSH. Which, as its name make it pretty clear, is a SSH/Telnet client. There have been a few reports of incompatibility between Storm and midpssh – yet, with an up-to-date OS/taking into account that your device often capitalize the first letter (of a username)/openssh is case-sensitive, you should not have any problems to connect to GNU/Linux systems.

2. Monitoring software

A good monitoring system watching over your network is a life saver and all the difference between you informing your client of a system failure or the other way around. Nagios is pretty well known and getting help is very easy since the community is so dynamic. Another software doing the same job is Zabbix. I do have some predisposition toward it, being a certified expert. Both are free softwares and are easy to install/configure. Zabbix does have a cuter interface though – can become handy if your client require access.

Both software allows sysadmins to run remote command. Personally, I find those systems to be way too complicated to setup when Monit is easily available. Its configuration allow a syntax very similar to : if load > 5 for 10 minutes, then stop postfix-delivery. Another life saver when you don’t expect your remote monitoring agent to be able to launch a command. I use it for limits like (if load>80 for 2 minutes, then stop {httpd,mysqld}). If your system is badly losing interactivity, your normal remote monitoring software will never be able to save your system (ssh will timeout).

3. Log/Security software

While Zabbix/nagios can do some checksum on important files (such as /etc/passwd, /etc/shadow, …), they are not ready as IDS (Intrusion Detection System) yet. For such system, I recommend OSSEC. Following the online documentation, you will have a log-analysis system created in no time – using thousand of rules given with the software. Customization can also be done pretty quickly. The ‘action’ following a trigger can be email-alert or a command. The system come with a pre-built interface to iptables… port-scanning and brute force password testing are no more.

Add to all these tools a svn repository for your code, an Puppet system for global configuration and some wiki for documentation and you should have a pretty strong backbone to deal with anything your clients throws at you.

drbd_selector.sh

pascal.charest — Wed, 14 Jan 2009 16:29:39 +0000

Here is a quick bash code snippet. It allows the execution of code/scripts on a server with a Primary drbd array.

It does not take into account that there can be more than one array, or that split-brain scenario exist, or that the script might be not-executable, or …

I’m really posting that because I get to use it quite often and always forget ‘how I did it last time’… the search function on this blog is kinda nice ;-).

if [ $(grep st:Primary /proc/drbd | wc -l) = 1 ] ;
then $@ ;
fi

get mysqld-server configure options

pascal.charest — Fri, 12 Dec 2008 22:13:36 +0000

Quick question that was posted on mysql general discussion list by a random user on Internet :

I was wondering how can I view the “./configure … …” string with which a mysql server installation was compiled with.
Source: email

Here is my answer which might be of interest to some reader.

grep ^CONFIGURE_LINE $(which mysqlbug)

[labsphoenix] Untangling the “Untangle” installation

pascal.charest — Fri, 21 Nov 2008 19:39:55 +0000

Another technical post : Untangle installation in router mode.

Untangle is an all inclusive, statefull, packet router. It can deal with virus analysis, spam filtering, intrusion detection, firewall, nating, vpn server, remote access portal and much, much more. It comes as a live knoppix cdrom of 400mb offering an intuitive installation wizard (note: will wipe your HD). It does seem to support a lot of hardware configuration ‘out-of-the-box’ since it installed on a DELL 4600 (dual xeon 2.4ghz) with an old raid controller (perc/3) with only some small difficulties concerning the USB controller (keyboard interface, not the mouse) which was easily fixed by switching to PS/2 devices. I was unable to see the error since the keyboard was automatically deactivated by the hardware detection process and “alt-f2″ (to show boot process) was unavailable.

The installation process is very straight forward. You don’t even need the online documentation (wiki, UserGuide, QuickStart) : even the admin password is defined by the user in the first boot process. There is one ‘must-known’ thought : the post-installation process (configuration of the ‘rack’, a list of software affecting inbound connection) require an internet access and an access to untangle ‘web-store’. This isn’t very fun if you want to replace a live router or if you are installing behind a proxy.

While it is a great product, Untangle allows a fallback to console/terminal for advanced tech guys, I’ve had quite a few troubles with this error: cannot start a transaction within a transaction. Untangle uses SQLite databases which easily goes into deadlocks when 2 operations are committed at the same time (like 2 hits on “save”). The best advice I can give you : if you see this error, immediately go through the computer restart procedure. Seem an harsh solution, but it work and will prevent your database of queuing requests that will, anyway, never be completed.

Conclusion : good GUI for an easy to configure router, easy to fallback to GNU/Linux and modify the system. Available as a vmware image, windows installer (re-router) or downloadable iso. It’s a recommendation.