Wednesday, October 04, 2006

Chapter 3 from Extrusion Online

In addition to Chapter 18 from Tao, I noticed Chapter 3 from my third book, Extrusion Detection: Security Monitoring for Internal Intrusions is also online at SearchSecurityChannel.com.

This book has been getting some attention because it starts with the premise that your internal network is compromised. Given that assumption, how do you detect, contain, and eradicate intruders on your network? The model applies well to insider and outsider threats.

I consider Extrusion to be a companion volume to Tao, and as such I recommend reading Tao first and then Extrusion. Real Digital Forensics is a book where network security monitoring, network incident response, and network forensics are integrated with host- and memory-centric security operations.

Bejtlich in Australia in May 2007

I mentioned earlier that I was invited to speak at the AusCERT Asia Pacific Information Technology Security Conference in Gold Coast, Australia. The conference takes place Sunday 20 May - Friday 25 May 2007.

I accepted the invitation, and I will probably deliver a short presentation and a longer (half-day or day-long) tutorial. After AusCERT, I plan to teach one- or two-day classes in Brisbane and/or Sydney. I will probably teach condensed versions of my training classes Network Security Operations and TCP/IP Weapons School.

As I develop the plans for all of these classes I will post details here and at TaoSecurity.com. If you would like me to keep you informed via email please write me: training [at] taosecurity [dot] com. Thank you.

Chapter 18 from Tao Online

With the launch of the new SearchSecurityChannel.com site, I can report that chapter 18 of my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection, is now available online. Chapter 18 is "Tactics for Attacking Network Security Monitoring." It outlines technical means by which attackers may degrade or deny operations to detect and respond to intrusions.

Keep an eye on SearchSecurityChannel.com. I am working with the editor on a plan to contribute regular content for the site.

Recovering from Bad FreeBSD Packages

Recently I've encountered problems with some of the packages built by the FreeBSD team. In the case I described earlier, libtclx8.4.so and libmysqltcl.so.3 were somehow damaged in the .tbz packages I installed on one of my systems. I recovered by using good copies from another system.

Yesterday I ran into the following error after I upgraded my packages.

orr:/home/richard$ firefox
/libexec/ld-elf.so.1: /usr/local/lib/libplds4.so.1:
Undefined symbol "gethostbyname_r"

orr:/home/richard$ thunderbird
/libexec/ld-elf.so.1: /usr/local/lib/libplds4.so.1:
Undefined symbol "gethostbyname_r"

Uh oh. Email I can live without, but it's difficult to troubleshoot a problem without a Web browser. I had to turn to another laptop running Windows (for shame) to search for clues. I found one post on a Chinese Website with the same errors, but nothing else.

I found the pkg-plist for the linux-firefox and linux-thunderbird ports contained this entry:

lib/%%APP_NAME%%/libplds4.so

so it appeared the problem was one in the package for Firefox and Thunderbird.

I don't run either app on other computers, so I decided to try recovering by building new packages myself. I built them on another system, poweredge.

poweredge:/usr/ports/www/firefox# make package-recursive BATCH=1

I used "BATCH=1" to accept the defaults, thereby avoiding problems where the build process stops while waiting for me to select various options. I used package-recursive so the end result would include all packages needed for Firefox, in the event I needed to do a wholesale replacement of packages on my primary system.

When done I compared the libraries on the broken and package-building systems.

orr:/home/richard$ ls -al /usr/local/lib/libpld*
-rw-r--r-- 1 root wheel 8960 Sep 24 02:59 /usr/local/lib/libplds4.a
lrwxr-xr-x 1 root wheel 13 Sep 24 02:59 /usr/local/lib/libplds4.so -> libplds4.so.1
-rwxr-xr-x 1 root wheel 184784 Sep 24 02:59 /usr/local/lib/libplds4.so.1

poweredge:/home/richard$ ls -al /usr/local/lib/libpld*
-rw-r--r-- 1 root wheel 8960 Oct 3 17:32 /usr/local/lib/libplds4.a
lrwxr-xr-x 1 root wheel 13 Oct 3 17:32 /usr/local/lib/libplds4.so -> libplds4.so.1
-rwxr-xr-x 1 root wheel 185062 Oct 3 17:32 /usr/local/lib/libplds4.so.1

The sizes are certainly different -- no need to hash them. I then copied over the 185062 file from poweredge and moved the 184784 version on orr out of the way. Sure enough, I was able to start Firefox and Thunderbird without any problems with the new libplds4.so.1 in place.
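As an added example (not code from the original post), here is a small POSIX shell script that turns the manual size comparison above into a repeatable check: it builds a hash-and-size manifest of the shared libraries on each host and diffs a suspect host's manifest against a known-good build host's, so a damaged file is caught even when its size happens to match. It assumes sha256(1) on FreeBSD or sha256sum(1) elsewhere; the host names in the comments come from the post, and the usage paths are assumptions.

```shell
#!/bin/sh
# Added example: manifest-based comparison of shared libraries between hosts.
# On the page, libplds4.so.1 differed in size (184784 vs 185062 bytes); hashing
# also catches a damaged file whose size did not change.
#
# Usage (manifests are plain text, so they can be scp'd between hosts):
#   gen_manifest /usr/local/lib > poweredge.txt   # on the known-good build host
#   gen_manifest /usr/local/lib > orr.txt         # on the suspect host
#   diff_manifests poweredge.txt orr.txt

# Portable SHA-256: FreeBSD ships sha256(1), most Linux systems ship sha256sum(1).
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# gen_manifest DIR [NAME-PATTERN]
# Emits one line per file: "<sha256> <size-in-bytes> <path relative to DIR>".
# Paths containing whitespace are not supported (fields are space-separated).
gen_manifest() {
    dir=$1
    pat="${2:-lib*.so*}"
    ( cd "$dir" && find . -type f -name "$pat" | sort | while read -r f; do
        f=${f#./}
        printf '%s %s %s\n' "$(hash_file "$f")" "$(wc -c < "$f" | tr -d ' ')" "$f"
    done )
}

# diff_manifests GOOD SUSPECT
# Prints "MISMATCH <path> good=<sha> <size> suspect=<sha> <size>" where hash or
# size differ, "MISSING <path>" for files only on the good host, and
# "EXTRA <path>" for files only on the suspect host. No output means identical.
diff_manifests() {
    awk '
        FILENAME == ARGV[1] && FNR == NR { good[$3] = $1 " " $2; next }
        {
            seen[$3] = 1
            if (!($3 in good))
                print "EXTRA " $3
            else if (good[$3] != $1 " " $2)
                print "MISMATCH " $3 " good=" good[$3] " suspect=" $1 " " $2
        }
        END { for (p in good) if (!(p in seen)) print "MISSING " p }
    ' "$1" "$2" | sort
}
```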

Tuesday, October 03, 2006

FreeBSD Update with IPv6

Is it possible to use FreeBSD Update with a host running FreeBSD in an IPv6-only scenario? It's not acceptable to leave it unpatched. The system in question is also extremely slow (P200, 32 MB RAM) so building via CVS is not a good option.

Maybe FreeBSD Update is hosted on an IPv6 dual-stack system?

p200:/root# freebsd-update fetch
Fetching updates signature...
fetch: http://update.daemonology.net/i386/6.1/updates.sig: Network is unreachable

Shoot. Well, I can reach a host (we'll call it "dualstack") that has both IPv4 and IPv6 addresses. dualstack can also reach my Squid proxy on the IPv4 network. I'll use SSH to port forward traffic needed by FreeBSD Update.

p200:/home/richard$ ssh -p 22022 -L 3128:squidproxy:3128 user@dualstack

In a new window I'll set the appropriate proxy environment variable.

p200:/root# setenv HTTP_PROXY http://localhost:3128

Now I run FreeBSD Update.

p200:/root# freebsd-update fetch
Fetching updates signature...
Fetching updates...
Fetching hash list signature...
Fetching hash list...
Examining local system...
Fetching updates...
/etc/ssh/ssh_config...
...truncated...

It works very well. SSH port forwarding is only one solution to this problem, but it worked well enough here.

Essential FreeBSD Ports

In the spirit of documenting my FreeBSD system administration practices, I thought I would mention the FreeBSD ports I install on every system -- regardless of function. In the future you may see some of these migrate into the base installation, as is happening with Portsnap. Others are well-established but have stayed out of the base system for various reasons.

  • security/freebsd-update: described here as a tool to update a GENERIC kernel and userland, destined to move into FreeBSD 6.2

  • sysutils/portupgrade: described here as a tool to keep ports/packages up-to-date

  • security/portaudit: described here as a tool to find ports/packages with security vulnerabilities

  • sysutils/pkg_cutleaves: described here as a tool to remove packages and their dependencies

  • shells/bash: this is a legacy of my time using Linux, where Bash is the default shell

You can read a summary of many of these tools here as well.

Installing Screen Port with Remote FreeBSD Ports Tree

I don't like to keep ports trees on all of my FreeBSD systems. I prefer to install packages whenever possible. Upgrading those packages requires the ports tree, however. To use Portupgrade I NFS mount /usr/ports from a single system that keeps an up-to-date ports tree.

The major problem with this plan involves the sysutils/screen port. No package is created, and you can't build one yourself.

poweredge:/usr/ports/sysutils/screen# make package
===> screen-4.0.2_4 may not be packaged: Tends to loop using 100% CPU when used from
package - perhaps it hard-codes information about the build host.

Is there a way to build Screen without installing the ports tree?

First I tried just NFS mounting /usr/ports and trying to build the port. Here, poweredge is the box with the ports tree and mwmicro needs to run screen.

mwmicro:/root# mount
/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad0s1f on /home (ufs, local, soft-updates)
/dev/ad0s1g on /tmp (ufs, local, soft-updates)
/dev/ad0s1d on /usr (ufs, local, soft-updates)
/dev/ad0s1e on /var (ufs, local, soft-updates)
10.1.13.2:/usr/ports on /usr/ports (nfs)

Note that poweredge already installed Screen using the ports tree.

mwmicro:/usr/ports/sysutils/screen# make
mwmicro:/usr/ports/sysutils/screen# make install
mwmicro:/usr/ports/sysutils/screen# which screen
screen: Command not found.

That didn't work. Why? It's because poweredge, the box exporting the ports tree, already installed Screen. There's a "work" directory already built. I can't issue a "make clean" command here.

mwmicro:/usr/ports/sysutils/screen# make clean
===> Cleaning for screen-4.0.2_4
===> /usr/ports/sysutils/screen/work not writable, skipping

Ok, maybe I can issue "make clean" on poweredge and continue?

poweredge:/usr/ports/sysutils/screen# make clean
===> Cleaning for screen-4.0.2_4

Now back to mwmicro:

mwmicro:/usr/ports/sysutils/screen# make
===> Vulnerability check disabled, database not found
===> Extracting for screen-4.0.2_4
=> MD5 Checksum OK for screen-4.0.2.tar.gz.
=> SHA256 Checksum OK for screen-4.0.2.tar.gz.
mkdir: /usr/ports/sysutils/screen/work: Permission denied
*** Error code 1

Stop in /usr/ports/sysutils/screen.

Oh, that's right. /usr/ports is mounted read-only. I probably don't want to overwrite the ports tree anyway by exporting it read-write. Luckily I read the FreeBSD Handbook after fzzzt in #freebsd suggested changing the work directory. I found the directive to change the location of the work directory and used it thus:

mwmicro:/usr/ports/sysutils/screen# make WRKDIRPREFIX=/tmp
===> Vulnerability check disabled, database not found
===> Extracting for screen-4.0.2_4
=> MD5 Checksum OK for screen-4.0.2.tar.gz.
=> SHA256 Checksum OK for screen-4.0.2.tar.gz.
===> Patching for screen-4.0.2_4
===> Applying FreeBSD patches for screen-4.0.2_4
===> Configuring for screen-4.0.2_4
configure: WARNING: you should use --build, --host, --target
this is screen version 4.0.2
checking for i386-portbld-freebsd6.1-gcc... cc
checking for C compiler default output... a.out
...edited...
mwmicro:/usr/ports/sysutils/screen# make install WRKDIRPREFIX=/tmp
===> Installing for screen-4.0.2_4
===> Generating temporary packing list
...edited...
mwmicro:/usr/ports/sysutils/screen# rehash
mwmicro:/usr/ports/sysutils/screen# which screen
/usr/local/bin/screen

Note that I used WRKDIRPREFIX=/tmp for both make and make install. Using that directive automatically made appropriate directories in /tmp:

mwmicro:/tmp/usr/ports/sysutils/screen/work# ls
.PLIST.flattened .configure_done.screen._usr_local
.PLIST.mktmp .extract_done.screen._usr_local
.PLIST.objdump .install_done.screen._usr_local
.PLIST.setuid .patch_done.screen._usr_local
.PLIST.writable screen-4.0.2
.build_done.screen._usr_local

I plan to use this system whenever I need to build an application using the ports tree and cannot make a package to share on other systems.

Update: If you try to build from a remote ports tree but the distfile for the desired port hasn't been downloaded, use 'make fetch' on the NFS server:

poweredge:/usr/ports/sysutils/screen# make fetch
=> screen-4.0.3.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from ftp://ftp.uni-erlangen.de/pub/utilities/screen/.
fetch: ftp://ftp.uni-erlangen.de/pub/utilities/screen/screen-4.0.3.tar.gz:
Service not available, closing control connection
=> Attempting to fetch from http://komquats.com/distfiles/.
screen-4.0.3.tar.gz 100% of 820 kB 52 kBps 00m00s

Then continue with the steps shown above.