SysAdmin Blog

28c3, day 1

Alexander Bochmann Wednesday 28 of December, 2011
So it's that time of the year again...

Feels somewhat different from last time over (25C3, has it really been three years?):
  • Less crowded. Maybe just because it's day one, but most things run smoothly (exception: trying to get a r0ket; I think 50% of the attendees were in that queue). No problem finding a place with a free power socket.
  • Fewer laptops in the lectures. The desks in Saal1 have been removed, and I have the impression that the same happened to lots of wall sockets. OK, people have switched to tablets and smartphones, but even that seems to be at a reduced level.

I'm not going to write summaries of speeches, but I noticed that the topic of (OSI) layer boundary violations came up twice: once in the session on PHY attacks on wireless devices, and when Dan Kaminsky mentioned something along the lines of "applications built on top of TCP assume reliability" (and that assumption can be broken). It seems there are still some surprises waiting in that direction.

Cory Doctorow was good for a host of quotes, but I was struck by his description of networked activism, and why it seems so disparate without being desolate, which went something like this: Earlier on, the main work was actually organizing the activist movement, and so people agreed on common goals first and then went on organizing around that ("2% figuring out what to do, 98% stuffing envelopes"). Nowadays, organization comes mostly for free, and it's easy to form up around a topic, start discussing things, and maybe move off in different directions without losing touch. Which is exactly what confuses people about the Pirate Party in Germany, for example (or Anonymous, or Occupy). Now that may be oversimplified, but it rings true in principle.

His talk is here on youtube: http://youtu.be/OyNmUmmQ0kI

Incidentally, some things seem to work differently in Saxony than elsewhere: http://youtu.be/Cz22Vx1MRzM

Checkpoint SmartView Monitor R70.x script error

Alexander Bochmann Sunday 11 of December, 2011
I've now seen several installations of a Checkpoint R70 management GUI where the details pane in SmartView Monitor doesn't work because of JavaScript errors like "'statSection' is undefined" or similar. The URL is usually "file:///C:/Program%20Files/CheckPoint/SmartConsole/R70.40/PROGRAM/data/htdocs/overview.html?", as in the following screenshot (German version):

checkpoint SmartView Monitor script error

I've found several references to this problem on the Checkpoint support forums and elsewhere, but none with a conclusive solution.

Obviously, this error occurs because SmartView Monitor can't find several files in PROGRAM/data/htdocs.

I have a somewhat convoluted workaround for this:
  1. There are two .tar files in PROGRAM/data which contain the required files, namely SmartViewMonitor.tar and SmartViewTracker.tar.
  2. For some reason it's impossible to untar those two files directly in the data folder, even as Administrator. I have the impression that an htdocs directory already exists but is invisible or has very strange access restrictions (I have found no way to make it visible).
  3. So copy the two files somewhere else and untar them there, either with an archiver like 7-Zip or with the gtar.exe that ships in PROGRAM/util of any SmartDashboard installation.
  4. Move the resulting htdocs folder back to PROGRAM/data within the Checkpoint GUI directory. You'll need administrative privileges, and you have to force overwriting any existing files.
  5. Never see script errors again.

Diaspora with Apache as reverse proxy and mod_rewrite

Alexander Bochmann Monday 25 of April, 2011
This weekend I tried to put together my own Diaspora pod following the instructions in the Diaspora wiki. (It runs, too, at least while the box is switched on: https://diaspora.infra.de/people/2)

After my reverse-proxy setup with Apache didn't quite work at first, I found a matching post by Bernd Eckenfels on the subject.

That helped, but despite the Alias definitions it doesn't look to me as if the static documents are being served directly by Apache.

I then reworked it a bit and used mod_rewrite instead. My vhost has the Diaspora public directory directly as its document root, so the files can be served straight from there.

The configuration now looks like this:

RewriteRules for Diaspora
# use diaspora public directory as document root
        DocumentRoot /data/diaspora/public
        <Directory /data/diaspora/public>
            Allow from all
            Options -MultiViews
        </Directory>

        RewriteEngine On

# don't proxy when URLs with static content are hit
        RewriteCond %{REQUEST_URI} ^/(images|uploads|stylesheets|javascripts)/.*
        RewriteRule ^/.* - [PT,L]
# run everything else through mod_proxy (the [P] flag needs mod_proxy and mod_proxy_http loaded)
        RewriteRule ^/(.*) http://localhost:3000/$1 [P]

# added: with mod_proxy loaded, make sure this vhost never acts as a forward proxy
        ProxyRequests Off
        ProxyPassReverse / http://localhost:3000/

The rewriting can surely be done more cleverly; I'm a bit out of practice there. But it works.

tcpdump pnd update (and mtr)

Alexander Bochmann Tuesday 15 of March, 2011
So I've learned some new things since yesterday... Instead of awkward terminal hacks, I'm now using Zenity to collect the command line, and gksu to elevate privileges. It's all still not polished, but looks slightly better.

Also I've quickly packaged the curses version of MTR (My Traceroute) in a similar way. GTK-detection fails with a crosscompiler setup, and I couldn't yet convince the configure script to work around that...

tcpdump: http://web.gxis.de/pnd/tcpdump.pnd
mtr-curses: http://web.gxis.de/pnd/mtr.pnd

my first PND

Alexander Bochmann Sunday 13 of March, 2011
The OpenPandora uses a special application package format, called PND. It allows running programs from an SD card without cluttering the system's (limited) NAND flash space that holds the Pandora's firmware (a Linux distribution based on Angström).

The firmware doesn't have a whole lot of networking tools, so I started trying to build some things I might need. First off, tcpdump.

I'm using sebt3's Yet an other Cross-compiling Toolchain in a Debian VM, which currently seems the easiest way to a working cross-compiler setup with all required libraries.

Building libpcap and tcpdump was quite easy, apart from the small problem that "ac_cv_linux_vers=2" needs to be set manually for the configure script to work when cross-building for a Linux target (libpcap's configure takes the kernel major version from uname on the build host and aborts with "cannot determine linux version when cross-compiling" unless that cache variable is preset).

There's currently no standard way to integrate command-line tools with the PND system. My current workaround is to start an XFCE Terminal and ask for the command line, and then run tcpdump in that same window. That's badly hacked up though and prone to errors, so it definitely needs improvement.

In the meantime, a copy of tcpdump for the Pandora can be found here: http://web.gxis.de/pnd/tcpdump.pnd.

spam vs. greylisting - what happened in Oct 2010?

Alexander Bochmann Saturday 05 of February, 2011
I've been following the various reports on spam volume in January (especially about the massive drop between the years), and I have tried to compare them with my own data.

Now my view is very limited in comparison to the global services - all I'm running here is an MX for two .de domains (though one of them has been on the net since 1995, and should be on about every spam list out there). Also, my main metric differs from what I've seen elsewhere: I'm counting the number of hosts in my greylisting database (using the spamdb munin plugin I hacked up last year). So I don't see the volume of spam, but how many hosts have tried connecting to my system to deliver mail.

Let's start with two graphs - the first is my greylist summary, the second a spam volume count taken from the Symantec MessageLabs Intelligence Report for January 2011. I've resized the Symantec graph to roughly line up with mine.

spamdb report
Symantec spam volume

That doesn't seem very useful: Apart from the marked drop after Christmas, there's little to no similarity. At least the dark blue line for greylist entries could show some correlation: it's the total count of sender / recipient address combinations that's been fed to my system by spammers.

In addition, I can't see a positive effect from events like the shutdown of Spamit (as reported by Brian Krebs) or the decline of Rustock traffic starting from October 2010: To the contrary, the number of distinct hosts connecting to my system (light blue line) almost doubles in that time frame.

The other observation that doesn't fit into anything is the bump in whitelisted hosts (green line): Obviously this means that a group of spammers has successfully defeated greylisting as a counter measure, a fact that can be verified by looking at the volume of mail that has gone through to sendmail on the same system:


Have I been hit with something that has gone under the radar elsewhere? When comparing with M86's "spambot activity over time" graph in Krebs' "taking stock of rustock" article, linked above, there seems to be an activity spike from one of the bots around that date. I just can't make out which one it is from the legend, even using a colour picker.

Now I'm left wondering why that effective spam weapon has gone out of use at the end of October... Maybe it just wasn't worth the hassle after all, as most of the hosts that managed to pass greylisting turned out to be blacklisted. Unfortunately I've been blinded by my disinterest in spamfighting over the past year: I don't have any logs that reach back into October to find out more.
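As an added illustration (this is not the munin plugin mentioned above, nor any other code from the post), here is how the three quantities behind the graph lines can be pulled out of the greylisting database with awk: greylist entries (sender/recipient tuples, the dark blue line), distinct greylisted hosts (light blue) and whitelisted hosts (green), plus a query for the hosts that passed greylisting after a given time, which is what one would want to look at for a bump like the one in October. The record layout is the one documented in OpenBSD's spamdb(8); the records in the sample are constructed, and on a real system sample_spamdb would simply be replaced by spamdb.

```shell
#!/bin/sh
# Added example, not the post's munin plugin: summarise OpenBSD spamd's
# greylisting database the way the graph lines count it.
# Record layout as documented in spamdb(8):
#   GREY|ip|helo|from|to|first|pass|expire|block|pass
#   WHITE|ip|||first|pass|expire|block|pass
#   TRAPPED|ip|expire
# On a real system, pipe the output of `spamdb` into these functions instead.

# Constructed sample records (timestamps are epoch seconds in late Oct 2010).
sample_spamdb() {
    cat <<'EOF'
GREY|192.0.2.10|mx.spammer.example|<bulk@spammer.example>|<user@example.de>|1288000000|1288001800|1288014400|1|0
GREY|192.0.2.10|mx.spammer.example|<bulk@spammer.example>|<other@example.de>|1288000000|1288001800|1288014400|1|0
GREY|192.0.2.11|relay.example.org|<news@spammer.example>|<user@example.de>|1288000100|1288001900|1288014500|2|0
WHITE|198.51.100.5|||1287000000|1287100000|1291000000|2|3
WHITE|198.51.100.6|||1288050000|1288060000|1291000000|1|12
TRAPPED|203.0.113.7|1288100000
EOF
}

# Counts: greylist entries (sender/recipient tuples, dark blue line),
# distinct greylisted hosts (light blue), whitelisted hosts (green), trapped.
greylist_summary() {
    awk -F'|' '
        $1 == "GREY"    { grey++; hosts[$2] = 1 }
        $1 == "WHITE"   { white++ }
        $1 == "TRAPPED" { trapped++ }
        END {
            for (h in hosts) n++
            printf "grey_entries=%d grey_hosts=%d white_hosts=%d trapped_hosts=%d\n",
                   grey, n, white, trapped
        }'
}

# Hosts that passed greylisting after the given epoch time. Field 6 of a WHITE
# record is the time the host was allowed to pass: these are the hosts behind
# a sudden rise of the green line.
whitelisted_since() {
    awk -F'|' -v since="$1" '$1 == "WHITE" && $6 + 0 > since + 0 { print $2 }'
}

sample_spamdb | greylist_summary
sample_spamdb | whitelisted_since 1288000000
```

The distinct-host count is the metric the post uses, and it deliberately differs from the entry count: one bot that retries the same sender/recipient pairs from one address inflates entries, not hosts. To narrow down who defeated greylisting, feed the addresses printed by whitelisted_since to the DNSBL checks you already run, or grep them out of the sendmail log for the same period.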

Maybe anyone else has some useful information in this regard?

remapping mouse buttons under X11

Alexander Bochmann Wednesday 01 of December, 2010
Ever since I bought an Evoluent VerticalMouse, having the middle mouse button on the scroll wheel has felt kind of awkward. Since it already has three buttons on the right hand side, I'm now using the actual middle button, and the one on the bottom as right button. Remapping is done via a custom script in /etc/X11/Xsession.d (it only works if the mouse is connected when X is starting up, but that's good enough for me).

# if a vertical mouse is connected, remap its buttons

if xinput list | grep -q "Kingsis Peripherals  Evoluent VerticalMouse 3"; then
        # this probably only works for me :) The device id is taken from the
        # "id=NN" column of xinput's list output.
        ID=`xinput list | awk '/VerticalMouse/ { print $8 }' | sed 's/id=//'`
        # remap VerticalMouse buttons (middle click away from scroll wheel):
        # position = physical button, value = logical button. The wheel click
        # (physical 2) is disabled with 0, physical button 3 becomes the middle
        # button (2) and the bottom button (physical 8) becomes the right button (3).
        xinput set-button-map $ID 1 0 2 4 5 6 7 3 9 10 11 12 13
fi

(Under Windows, I'm using X-Mouse Button Control for the same task.)

installing GRML to an USB stick from Windows using UNetbootin...

Alexander Bochmann Monday 01 of November, 2010
...there's actually nothing to it, although GRML is not one of the supported Linux distributions in UNetbootin.

Task: Install a live Linux distribution to a FAT-formatted USB stick without losing all the data that's already on it (which rules out the "rawrite2 ISO Image to USB stick" option).

GRML is a Linux live CD (based on Debian) with all the useful sysadmin tools (and a huge boot menu with alternative stuff that's also on the CD, like a FreeDOS boot image).
UNetbootin creates bootable USB sticks from predefined plugins, from ISO files, or from disk images.

So, download GRML, download UNetbootin, start UNetbootin, select "ISO Image" option and the GRML ISO file (I used grml-small), press OK, wait.

That's it.

Xubuntu suddenly starts metacity...

Alexander Bochmann Monday 19 of July, 2010
Today I logged into my workstation and things looked different than before the weekend. Starting window manager settings from the XFCE4 settings manager didn't work either.

After some headscratching (and running xfwm4-settings from the command line to get its messages) I found out that Ubuntu had decided to run metacity instead of xfwm as window manager, no idea why.

To get rid of it, the hard way:

aptitude purge metacity gnome-session
update-alternatives --set x-session-manager /usr/bin/xfce4-session


Alexander Bochmann Sunday 23 of May, 2010
Recently I've been installing Ubuntu 10.04 on an old laptop with just about 160MB RAM (and a 300MHz Celeron CPU)...

After some tweaking the system runs quite nicely with LXDE as desktop environment, and Opera works well as a web browser (as long as I don't access any extremely JavaScript-heavy sites). Just having to use NetworkManager with all its GNOME dependencies for easy wireless setup was somewhat of a pain.

A post on the LXDE forums mentioned wicd as an alternative. The version included with Ubuntu just works, although the dialogs are somewhat clunky on an 800x600 display. But then there are also a CLI and a curses version of the frontend. Doesn't seem as if I'm going to look back to NetworkManager...

Things I did to save some memory (besides removing anything GNOME-ish):
  • remove all the Landscape tools
  • remove AppArmor
  • use mrxvt instead of the LXDE Terminal (yeah I know, dropping LXDE completely would help a lot more)
  • purge ureadahead because of (probably) bug 543230.
  • blacklist all filesystem modules I don't use so the kernel doesn't load them
  • some more stuff I'll add as soon as I remember what it was
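For the "blacklist all filesystem modules I don't use" item, an added example of how to generate that blacklist rather than typing it by hand (this is not code from the post): compare the filesystem types that are actually mounted (from /proc/mounts) with the modules available under the kernel's fs directory and emit a modprobe.d blacklist for the rest. The /proc/mounts and /lib/modules layouts are the standard Linux ones; the mounts file and module tree used in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: generate a modprobe.d blacklist
# for filesystem modules the box does not use, so the kernel will not autoload
# them on a mount attempt. Assumes the usual Linux layout (/proc/mounts and
# /lib/modules/<release>/kernel/fs); the sample data at the bottom is constructed.

# Filesystem types currently in use: third field of /proc/mounts (or any file
# in that format).
mounted_fs_types() {
    awk '{ print $3 }' "$1" | sort -u
}

# Module names available below the given kernel/fs directory: strip the
# directory part and the .ko suffix (adjust the pattern if your modules are
# compressed to .ko.gz or .ko.xz).
available_fs_modules() {
    find "$1" -name '*.ko' | sed 's#.*/##; s/\.ko$//' | sort -u
}

# Emit "blacklist <module>" for every available fs module that is neither a
# mounted filesystem type nor in the space-separated keep list. The default
# keep list leaves FAT and its codepage modules loadable so USB sticks still mount.
fs_blacklist() {
    mounts=$1
    moddir=$2
    keep=${3:-"fat vfat msdos nls_cp437 nls_iso8859-1 nls_utf8"}
    used=$(mounted_fs_types "$mounts")
    for mod in $(available_fs_modules "$moddir"); do
        case " $keep " in *" $mod "*) continue ;; esac
        printf '%s\n' "$used" | grep -qxF "$mod" || echo "blacklist $mod"
    done
}

# Constructed sample: a mounts file with ext3 as root filesystem and a fake
# module tree with the module names typical for a desktop kernel.
demo_blacklist() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        '/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0' \
        'proc /proc proc rw,nosuid,nodev,noexec 0 0' \
        'tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0' > "$tmp/mounts"
    for m in ext3/ext3 ext4/ext4 jbd/jbd jbd2/jbd2 reiserfs/reiserfs xfs/xfs \
             btrfs/btrfs fat/fat fat/vfat fat/msdos nls/nls_cp437 nls/nls_utf8 fuse/fuse; do
        mkdir -p "$tmp/fs/${m%/*}" && : > "$tmp/fs/$m.ko"
    done
    fs_blacklist "$tmp/mounts" "$tmp/fs"
    rm -rf "$tmp"
}

# On a real system (run as root, then reboot and check with lsmod):
#   fs_blacklist /proc/mounts "/lib/modules/$(uname -r)/kernel/fs" > /etc/modprobe.d/blacklist-fs.conf
demo_blacklist
```

Two caveats before installing the result: a modprobe "blacklist" line only stops alias-based autoloading (the fs-<name> alias the kernel requests on mount), so explicit modprobe calls and dependencies of modules that are loaded anyway (jbd for ext3, for instance) still work; and module names do not always equal mount types (a FUSE mount shows up as fuseblk, the module is fuse), so review the list for anything mounted only occasionally. Besides the memory, not autoloading a dozen filesystem parsers is also less kernel code that a hostile USB stick can reach.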