When your computer or server has access to multiple LAN segments with different address spaces and different gateways to the Internet, there’s a nice feature called policy routing that allows you to use all of them simultaneously without having to re-configure your network topology. This is especially useful when you want to increase the bandwidth and resilience of a single computer or server without the burden of being an Autonomous System (BGP peering, Internet Registry bureaucracy, etc.).
Here are the steps to setup multiple uplinks through policy routing on Gentoo:
One way to receive up-to-date reports about vulnerability issues is subscribing to vulnerability RSS feeds: they update on demand, they don’t rely on your mail subsystem and they don’t fill up your mailbox. The only drawback is that you could miss alerts if you don’t sync your feeds for a long time, but if you’re a IT security manager, you don’t have a life, so how could it happen anyways?
Here’s the top feeds you should be subscribed to (CVE tags are reported in brackets):
Recently, I’ve browsed several how-to’s regarding the possibility of unlocking a LUKS root volume remotely using an SSH connection. For reference, the first of its kind is the one for Debian, published at Coulmann.de. Some of these how-to’s were posted to forums and mailing-lists and received many thankful comments from sysadmins wondering how to make their encrypted secure setup also easy to administrate.
The problem with their approach is simple: they asked how to fix their setup, but forgot to ask what they’re trying to protect. Having your root filesystem on an encrypted disk doesn’t protect you from remote exploitation or credential leaks. It just protects you from the risk of someone being able to access your machine locally and steal your data, or just steal the whole machine altogether. Now, if I were an attacker having access to your hardware locally, I could easily setup a trap for you in less than 5 minutes:
GNU screen is a nice utility that allows running multiple interactive shells from the same terminal session and allows you to detach from your terminal while keeping those shells alive. Later on, you can re-attach to your background screen to get back to your shells. It has a lot more features like automatic session logging and terminal window splitting. You can discover them all in the manual.
How many times did you start a long-running task like gcc compilation on a remote server and then suddenly needed to disconnect from your shell? Maybe you just needed to move to some other place with your laptop, but if you disconnected from your LAN, your ssh connection would go down. How many times you thought “Damn, if I had launched screen before this…”?
A few people on Earth still have a Windows 2000 machine laying around in their lab, mostly schools with severe budget cuts. Some time ago, one of these retro labs had a problem with roaming profiles: apparently Windows 2000 desktop machines refused to sync their profile on logoff. A collegue of mine asked my help to try and fix the issue, so I started debugging user environment using the classic procedure.
What I found out was that machines were configured to access netlogon share and run a VBScript script upon logon, to set a few things like printing shares and stuff like that. Unluckily, Windows 2000 has a problem with this, because if VBScript instantiates a WMI object and uses it to read registry keys, then WMI object is not released correctly and this locks the registry hive and therefore Windows logoff sync aborts after a long wait.
A common problem with Linux software RAID (aka md) happens when you try to use a disk that was previously part of some other disk array. Symptoms include: wrong volume size, unable to add device to raid, volume UUID mismatch. To fix the problem you need to use mdadm utility on the disk to cleanup:
# mdadm --zero-superblock devicepath
If you need to apply this fix on a system that doesn’t boot up (for instance when your root volume is on RAID), remember that mdadm and other disk administration utilities are available in Gentoo minimal installation disk.
Recently I replaced my mother’s PC, and I thought I could switch her to Linux. She was previously using Windows XP with several Open Source applications (Open Office, Firefox, Thunderbird, etc), so I decided to install Ubuntu 9.10, since it seems that it’s most devoted to non-expert users (she’s over-sixty and not inclined to change her computing habits).
The installation was straightforward and hardware support was really seamless (whew! ACPI works like a charm on new Dells), however I noticed that once the system is running, the “works with clueless user” claim (they call it “alternative to Windows“, but that’s the actual meaning) lasts only five minutes.
In the beginning, Linux was a free general purpose OS and it was not clear how Linux companies would generate profits out of it. In 1999 RedHat company went public and started to develop a real business plan. After a few years, in 2003, one of its main competitors, SuSE Linux, was acquired by Novell. Since then, both companies worked hard to reduce their involvement in desktop solutions and develop a segment known as “server market”.
One of the key technologies of enterprise server market is Storage Area Network: an infrastructure that abstracts storage resources. When Linux companies started to compete in server market, Linux had support for accessing SAN storages (Fibrechannel and iSCSI drivers), advanced disk partitioning support (LVM and EVMS), but no free shared-storage filesystem. So RedHat acquired Sistina’s GFS, a shared-storage filesystem, imported some work from OpenGFS developers, released it under Open Source license and evolved it to GFS2.
One of the best lessons you can learn from Gentoo is you can export most of its juice to other OSes. I’ve been using Gentoo as main Linux distro since 2001. Currently I have a few setups where drawbacks of migrating to Gentoo would exceed benefits, so I decided to increase affinity by adding some Gentoo look’n'feel. This week I will post some tips to setup Gentoo console colors on other operating systems.
According to this advisory written by Tavis Ormandy, Windows has been exposed to a vulnerability for over 15 years! Microsoft will only release a patch for supported products, so if you have any Windows 2000 or earlier in your lab, the only way to fix is disabling DOS and WOWEXEC.
