Saturday, August 26, 2006

Comments on "Involuntary Ubuntu"

There is an interesting article at tbray.org where Tim Bray recounts his recent experiences with Ubuntu. He discusses a few things I've talked about before - one, that apt-get is Debian/Ubuntu's main strength, and why something like it should be in Solaris:

You know, this has been said a lot, but it bears repeating: Apt-get is just so unreasonably fucking great. Why aren’t we using it for Solaris updates? I managed to pull together the whole witches’ brew of OSS that makes ongoing go without ever leaving Synaptic. Oops, not quite true, I cruised past CPAN to get DBI and DBD::MySQL, but I’m not sure I needed to, because when I got MySQL, I saw a lot of perl-related stuff go flying by.

He's right, he did not need to use CPAN for DBI/DBD. The package 'libdbd-mysql-perl' would have pulled in DBI (the 'libdbi-perl' package) for him as a dependency. 'apt-cache search dbi mysql' would have listed the relevant packages.


Article Roundup

Ex-parrot brings us fun with wireless Internet access thieves. This one is really funny, a real-life "Revenge of the Nerds". Of course, someone who can fiddle fluently with iptables and Perl should be using some variant of WPA, but that would not be nearly as fun.

NeoBinaries lists Five very useful Firefox extensions.

Windows DRM is done, thanks to the program FairUse4WM. I don't think the DRM peddlers will ever learn - DRM doesn't work.

Red Hat vs. Ubuntu - My take - I don't think Red Hat is going under anytime soon - they have too much of a buy-in from the Fortune-500, the ex-proprietary Unix clients.

Information Week lists the best software ever written. The verdict? Unix is #1, of course.

A programmer's Bill of Rights. Yes, coding in noisy cubicle-land with an ancient PC sucks.

International crime rings are much more of a concern than the lone 'hacker'. No surprise there, really. Identity theft is too easy, too lucrative to ignore.

Sunday, August 13, 2006

Perl Script that Alerts on Clam Anti-Virus Errors

One of the reasons I like Perl so much is CPAN, and how easy it makes writing scripts for system administration. One of my clients uses Clam AV to screen incoming mail for viruses. The updater, called 'freshclam', runs periodically and updates the virus definitions database, and also checks to see that the installed version of Clam AV is not out-of-date with respect to the database. If it is, the freshclam log file fills with messages that start like this:

ClamAV update process started at Sat May 6 04:02:09 2006
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.88 Recommended version: 0.88.2

It turns out the messages also get returned by the Clam AV daemon when it is scanning mail. This isn't usually a big deal, but in this case the client was using a home-grown mail system that died if the Clam AV daemon returned this error while scanning mail. As a temporary workaround (until the MTA could be fixed), to alert me whenever this happened, I put the following Perl script together and had it tested and installed within an hour. When run from the command line, it daemonizes itself and tails the freshclam logfile looking for the above message. If the message is found, it sends an email alert (most cell phones have an email-to-SMS gateway address, which is what I use to get text alerts sent to my cell phone). It does not need to run as root (and shouldn't); it only needs permission to read the freshclam log file and to invoke the local sendmail.

You will need to edit the variables 'logfile' and 'recipient' at the top of the script, and you probably want to add it to your target system's startup sequence. You can download it here:

Perl script to check for and alert on freshclam errors

It's worth mentioning that there are quite a few projects that handle parsing of logfiles for certain patterns (logcheck and swatch come to mind), but they are very general, and in this case I felt a targeted solution was preferable (and faster to implement).

#!/usr/bin/perl -wT
#
# $Id: clammon.pl,v 1.3 2006/08/13 17:19:42 dmaxwell Exp $
#
# Parses the freshclam updater log, looking for messages like this
# one:
#
# --------------------------------------
# ClamAV update process started at Sat May 6 04:02:09 2006
# WARNING: Your ClamAV installation is OUTDATED!
# WARNING: Local version: 0.88 Recommended version: 0.88.2
# --------------------------------------
#
# If found, it sends an alert via email.
#
# Copyright (c) 2006, Doug Maxwell
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#
use strict;
use File::Tail;
use Mail::Mailer;
use Proc::Daemon;
use Unix::Syslog qw(:subs :macros);

# Fork and detach from the terminal
Proc::Daemon::Init;

# Clean up our environment for taint mode
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = "/bin:/usr/bin";

# The logfile we are monitoring
my $logfile = "/var/log/clamav/freshclam.log";

# The regex we will test against each new line
my $pattern = qr/Recommended version:/o;

# Where to send alerts (an email-to-SMS gateway address works well here)
my $recipient = '8605551212@vtext.com';

# Follow the log like 'tail -f'; File::Tail copes with rotation
my $file = File::Tail->new(name => $logfile, maxinterval => 120, adjustafter => 3)
    or die "cannot tail $logfile: $!";

while (defined(my $line = $file->read)) {
    send_alert($recipient, $line) if ($line =~ /$pattern/);
}

sub send_alert {
    my ($recipient, $body) = @_;
    my $from    = 'root@example.com';
    my $subject = "Clam AV is outdated!";
    my $mailer  = Mail::Mailer->new("sendmail");
    # If we cannot open the mailer there is nothing to print to, so log and bail
    $mailer->open({ From => $from, To => $recipient, Subject => $subject })
        or do { log_error("mailer open failed: $!"); return };
    print $mailer $body or log_error("mailer write failed: $!");
    $mailer->close();
    return;
}

sub log_error {
    my $text = shift;
    openlog("clammon.pl", LOG_PERROR | LOG_CONS, LOG_LOCAL7);
    # Pass the text as an argument, never as the format string, so a '%'
    # in an error message cannot be interpreted by syslog
    syslog(LOG_INFO, "%s", $text);
    closelog();
    return;
}
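One thing the script above does not do is suppress repeats: the pattern matches on every freshclam run that prints the WARNING, so a box that is behind by one point release will page you every time freshclam runs until someone upgrades it. The following is an added example, not code from the original post; it is written in Python rather than Perl so it runs stand-alone, and it goes a little beyond the script by parsing the version numbers out of the second WARNING line and alerting only when the outdated condition changes (first seen, or the recommended version moves again). The sample log is constructed for the example; the non-WARNING lines in it are illustrative filler and are ignored by the parser. Delivery of the alert (sendmail, SMS gateway) is left to the caller, since that part is already covered by the Perl script.

```python
"""Added example: de-duplicated freshclam 'OUTDATED' alerting.

Not part of the original post. Parses the version numbers out of the
freshclam WARNING line and returns an alert only when the outdated
condition is new or has changed, instead of on every freshclam run.
"""
import re
from typing import Iterable, List, Optional, Tuple

# The second WARNING line freshclam prints when the engine is behind the
# database; the two version strings are what we want.
VERSION_RE = re.compile(
    r"^WARNING: Local version: (\S+) Recommended version: (\S+)\s*$"
)


def parse_version(s: str) -> Tuple[int, ...]:
    """'0.88.2' -> (0, 88, 2). Only the numeric runs are kept, so the
    comparison is numeric per component: '0.88.10' sorts after '0.88.2',
    which a plain string comparison would get wrong."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (local, recommended) for a version WARNING line, else None."""
    m = VERSION_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


class OutdatedMonitor:
    """Feed log lines one at a time. feed() returns an alert string when the
    installed version is first seen behind the recommended one, or when the
    (local, recommended) pair changes while still behind; identical repeats
    from subsequent freshclam runs return None."""

    def __init__(self) -> None:
        self.last_alerted: Optional[Tuple[str, str]] = None

    def feed(self, line: str) -> Optional[str]:
        parsed = parse_line(line)
        if parsed is None:
            return None
        local, recommended = parsed
        # Defensive: only treat it as outdated if local really is behind
        if parse_version(local) >= parse_version(recommended):
            return None
        key = (local, recommended)
        if key == self.last_alerted:
            return None  # same condition we already reported
        self.last_alerted = key
        return f"Clam AV is outdated: local {local}, recommended {recommended}"


def run(lines: Iterable[str]) -> List[str]:
    """Run the monitor over a sequence of log lines; return all alerts."""
    mon = OutdatedMonitor()
    alerts: List[str] = []
    for line in lines:
        alert = mon.feed(line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log: three freshclam runs while behind (the recommended
# version moves once), then a run with no WARNING. Not a real capture.
SAMPLE_LOG = """\
ClamAV update process started at Sat May 6 04:02:09 2006
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.88 Recommended version: 0.88.2
ClamAV update process started at Sat May 6 08:02:09 2006
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.88 Recommended version: 0.88.2
ClamAV update process started at Sat May 6 12:02:09 2006
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.88 Recommended version: 0.88.3
ClamAV update process started at Sat May 6 16:02:09 2006
Database updated (illustrative filler line, not a freshclam quote)
"""

if __name__ == "__main__":
    # Expect two alerts: one for 0.88.2, one when the target moves to 0.88.3
    for a in run(SAMPLE_LOG.splitlines()):
        print(a)
```

To use this against a live log, feed it the lines from a tail loop the same way the Perl script does with File::Tail; the state is per process, so restarting the daemon re-arms the first alert, which is usually what you want after an upgrade anyway.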

Tuesday, August 08, 2006

Questions About the Legitimacy of the Lieberman Website Takedown

Being a CT resident, I'm taking some interest in the story of Joe Lieberman's "hacked" website. According to the Lieberman campaign, their website and email have been offline for about 18 hours now. They are also claiming that this is a DoS (Denial of Service) attack, and suggesting Ned Lamont supporters' involvement (Update: Now denied).

(Note: More updates below)

A few extra pieces of info you can glean from public databases, apart from what is in the linked post:

1) The hosting provider for joe2006.com (myhostcamp.com) has a /30 IP block assigned to them, meaning only two usable IP addresses, one of which is www.joe2006.com (69.56.129.130).

2) A hosting provider that has only a /30 assigned to them is not very big - most likely, they are using virtual hosting on one or two servers to provide websites for all their clients.

3) The assigned range of IP addresses, 69.56.129.128/30, is part of a much bigger range assigned to theplanet.com - a large hosting provider and hosting reseller.

4) www.myhostcamp.com - the website of the hosting provider - is offline as well, also redirecting to a 'suspended' page. This is the biggest clue to what happened.

Given the above, it looks like a small-time web hosting provider was overwhelmed on election eve/day by traffic to one of their hosted websites, namely joe2006.com. The hosting provider's (myhostcamp.com) bandwidth allocation was exceeded, causing the upstream provider (theplanet.com) to shut them down. Until some money is forthcoming from myhostcamp.com to theplanet.com, the site won't be back up (at least under the original hosting provider). We can't know for sure this is what happened; the facts just seem to point in that direction. It is certainly possible that a DoS attack took place last night/this AM but has since stopped. It would only have needed to run for long enough to exhaust myhostcamp's monthly bandwidth quota.

Contrary to what others are saying, the Lieberman camp could probably still make updates to the site, since most hosting providers will use some sort of policy routing or QoS (quality-of-service) to restrict only web bandwidth. This would also explain why echo-requests (ICMP pings) sent to the IP address of www.joe2006.com have an RTT of 10ms or so, which is very fast in Internet terms. There must be very little traffic to that address right now, because only web traffic is being redirected to the suspended pages.

A few things are odd about all this:

1) Given that Senator Lieberman's website and associated email have been offline for over 18 hours, on the eve of a contentious election, why has the Lieberman camp allowed this to continue? As the link above suggests, a competent sysadmin could get them back online with another provider in an hour or so.

2) Why is the website being handled by such a small operation, and why were no contingency plans put into place in a race that has had national interest? I'd say they got some very bad advice from their hosting provider/Internet consultant.

3) Email for joe2006.com is down because the email is handled by the same server as the web traffic - not something usually done with larger domains, precisely because it's a single point of failure for the domain. Again, it would be very simple to redirect mail to another server temporarily. Why wasn't this done?

Now, we have to be careful not to blame the victim - if joe2006.com was DoS'd, there is simply no excuse, and those responsible should pay. If not, the Lieberman campaign got some very bad hosting and capacity planning advice from their Internet consultant, and should not be pointing their collective fingers anywhere but at themselves.

UPDATES: An update from DailyKos, from someone who did even more digging...and here.
