unixwiz

ZFS has been around for a while now.. I have used it for some data partitions, but when Sun added the ability to use it as the root filesystem, I was a little hesitant to start using it there. Part of it was because, I know if I get a root disk that crashes and it is on UFS, I can get in to it pretty well. ZFS was different and I was never really comfortable about using it for root, until last night. I have been looking for a way to keep a lot of Solaris machines up to date with the Recommended and Security patches and doing it with UFS seemed to be taking for ever. Part of the problem I had with keeping them updated with UFS was the shear downtime it required to install the cluster in single user mode. Multiply that by X number of machines and it is a never ending chore to update them.

This weekend I started looking at the PCA tool, since I have seen a lot of people mention good things about it. So off to my test machine and I installed a new VM with Solaris 10 10/09 ( update 8 ) in it. After the install was finished using a ZFS root, I decided to set up a PCA proxy server on another machine. The purpose of the PCA Proxy server is that it will be the one with access to the Internet to download the patches from sunsolve. It was extremely easy to do this, (in fact I have it running in a zone on my main server.)

1. Created a new plain zone (can be on anything, but I wanted to keep it seperate).
2. Configure the apache2 instance on the machine, by copying the /etc/apache2/httpd.conf-example to /etc/apache2/httpd.conf
3. Edit the httpd.conf and change the line that says “Timeout 300″ to be “Timeout 1800″. You need to make it at least 1800, if not more depending on the speed of your Internet connection. At 22Mb/s 1800 was ok for me.
4. Create a directory /var/apache2/htdocs/patches, make it owned by webservd:webservd and 755 as the permissions.
5. Download and save a copy of pca in /var/apache2/cgi-bin and call it pca-proxy.cgi. Make it owned by webservd:webservd and 755 as the permissions.
6. Create a file in /etc called pca-proxy.conf. In it place the following:
   xrefdir=/var/apache2/htdocs/patches
   patchdir=/var/apache2/htdocs/patches
   user=sunsolveusername
   passwd=sunsolvepassword
7. In order to make the proxy run a little faster on the first use, I decided to download and “cache” the latest security and recommended patch cluster. (You don’t need to do this, but if the patches are missing the pca proxy server will download them. Considering my machine needed 156 patches, this was faster…) Once the recommended and security patches were downloaded, I placed them in a temp place and unzipped the cluster. Once the cluster is unzipped, I needed to make zip files of each patch (so that the pca client can download the zip file). To do this, I went in to tmp/10_x86_Recommended/patches and ran the following:
   for i in `cat patch_order`
   do
   zip -r $i $i
   done
8. Once the zipping is done, move all the patch zip files in to the /var/apache2/htdocs/patches directory.
9. Start up the apache2 service “svcadm enable apache2″
10. Now it is time to configure the client, copy the pca script to the client machine and place it some place, I used /root.
11. Next create a config file /etc/pca.conf in it with the following:
    patchurl=http://pca-host/cgi-bin/pca-proxy.cgi
    xrefurl=http://pca-host/cgi-bin/pca-proxy.cgi
    syslog=local7
    safe=1

    The first two lines tells pca where to find the patches and the patchdiag.xref file. The syslog line tells it to log all activity to local7 syslog facaility. The last line “safe=1″ means: Safe patch installation. Checks all files for local modifications before installing a patch. A patch will not be installed if files with local modifications would be overwritten.

12. Now that the config file is created, make sure that syslog is set to handle local7 info, I have mine set to local7.info going to /var/adm/local7.log. PCA will log the patch installation stuff to that log (i.e.:
    Apr 11 17:10:50 zfstest2 pca: [ID 702911 local7.notice] Installed patch 124631-36 (SunOS 5.10_x86: System Administration Applications, Network, and C)
    Apr 11 19:07:04 zfstest2 pca: [ID 702911 local7.notice] Failed to install patch 118246-21 (comm_dssetup 6.4-5.05_x86: core patch) rc=15

Now comes the part that makes ZFS worth using… We are going to create a new “boot environment” and then patch that environment”

1. First we need to create a new BE;
   lucreate -n p20100411

   The p20100411 can be anything, I used today’s date since I patched the machine today.. Makes it easy to remember when the last time the machine was patched.

2. Now we need to mount it
   lumount p20100411 /.alt.root
3. Now we can start patching;
   pca -i -R /.alt.root
4. Because I cached most of the patches locally on my pca proxy, it should not take too long for it to download, unzip and install the patches in the alt root
5. Once the patching is done, it will give you a summary line telling you how many patches were downloaded and installed:
   Download Summary: 156 total, 156 successful, 0 skipped, 0 failed
   Install Summary : 156 total, 156 successful, 0 skipped, 0 failed
6. Now we need to unmount the alt root and activate it to boot:
   luumount p20100411
   luactivate p20100411
7. Now just reboot the machine. You MUST use init or shutdown, if you don’t then it won’t boot in to the new boot environment. I use
   shutdown -g0 -i6 -y
9. Depending on how long it takes for your machine to boot, when it comes back up it should be on the new ZFS file system:
   bash-3.00# df -h
   Filesystem             size   used  avail capacity  Mounted on
   rpool/ROOT/p20100411    49G   6.6G    38G    15%    /
10. Now you can run that new patched system for how ever long it takes to verify your patches didn’t break anything. Once you are sure everything is ok, then you can delete the old install, in my case:
    ludelete s10x_u8wos_08a

    This should let you recover a little bit of space. In my case it was about 1.5 gig.

The only thing left is to set up a bunch of scripts to do “pca -l” about once a month to see what patches need installed and to log that. PCA has a lot of other functions than I went over here, in a couple of words, it seems to be kick ass. On top of that it is free! The ability to create new BE’s will definitely hope any one with the right amount of disk space be able to keep their system up to date.

One Tip, make sure you watch the output of the luactivate command. This is what is displayed:

**********************************************************************

The target boot environment has been activated. It will be used when you
reboot. NOTE: You MUST NOT USE the reboot, halt, or uadmin commands. You
MUST USE either the init or the shutdown command when you reboot. If you
do not use either init or shutdown, the system will not boot using the
target BE.

**********************************************************************

In case of a failure while booting to the target BE, the following process
needs to be followed to fallback to the currently working boot environment:

1. Boot from Solaris failsafe or boot in single user mode from the Solaris
Install CD or Network.

2. Mount the Parent boot environment root slice to some directory (like
/mnt). You can use the following command to mount:

     mount -Fzfs /dev/dsk/c1t0d0s0 /mnt

3. Run  utility with out any arguments from the Parent boot
environment root slice, as shown below:

     /mnt/sbin/luactivate

4. luactivate, activates the previous working boot environment and
indicates the result.

5. Exit Single User mode and reboot the machine.

**********************************************************************

Security, Solaris, ZFS Patch Check Advanced, Patching, PCA, Solaris, UFS, ZFS

It seems that the new “thing” on the internet these days is port scanning for port 22 (aka SSH).  I was going through my firewall logs on my home router and over the last week or so, it is broken down as follows:

As a comparison, attempts that were blocked that weren’t ssh only totaled 1430. So are these bot’s or people looking for rogue iPhone’s or just trying to find new vulnerabilities in SSH? The interesting thing is it appears that each source IP tries 3 times. The second try is 3 seconds after the first and the third is 6 seconds after the second.

An interesting IP is 217.70.139.42, which has tried 303 times since the 14th. The IP is from Germany and also appears on several SSH dictionary attacks. So is it time to start running services on non-standard ports?

Security port scan, Security, ssh

Just released, another exploit to Internet Explorer 6 & 7, that allows “hackers” to install software on your machine… What do the major Antivirus people say:

“To minimize the chances of being affected by this issue, Internet Explorer users should ensure their antivirus definitions are up to date, disable JavaScript and only visit Web sites they trust until fixes are available from Microsoft,” Symantec said.

How many mom and pop’s out there even know how to disable java script, and only visit sites they trust? Let alone make sure their antivirus definitions are updated. I have seen some virus trick Symantec’s AV in to thinking the definitions were up to date, and then I go to find hundreds of virus’ on my parents computer. This is just another reason why building the web browser in to the OS is a bad thing and why it should be sandbox’d off in to its own little area.

M$ Winders, MacOSX, Random Stuff, Rant, Security IE, Rant, Security, WIndows

It seems that Apple finally released a patch for the iPhone about the security issue I wrote about back on May 1st (More Security Stuff)

From Apple’s Web Site:

WebKit

CVE-ID: CVE-2009-2797

Available for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod touch 1.1 through 3.0

Impact: User names and passwords in URLs may be disclosed to linked sites

Description: Safari includes the user name and password from the original URL in the referer header. This may lead to the disclosure of sensitive information. This update addresses the issue by not including user names and passwords in referer headers. Credit to James A. T. Rice of Jump Networks Ltd for reporting this issue.

Not sure when James reported it though. So I don’t know if I found it before him or not. Anyways, here is my suggestion, if you use an iPhone and have EVER logged in to a web site with a username and password, you need to change that password immediately and then apply the patch from Apple to your iPhone. I know there are some people who view my site that use an iPhone and are clicking on links from other websites, therefore sending your username and password to me as well.

Apple, Security Apple, CERT-US, iPhone, Security

I decided to see if I could get a VPN connection working between my laptop (running MacOSX) and my home server running Solaris 10. It turned out to be pretty easy to do a simple config. I am using OpenVPN. To compile the software on my Solaris box I needed to download 3 items:

1. Virtual Point-to-Point (Tun) and Ethernet (TAP) devices driver. I got the version 1.1 from http://vtun.sourceforge.net/tun/ in source code form.
2. LZO version 1.08 compression software from : http://www.oberhumer.com/opensource/lzo/download/LZO-v1/
3. OpenVPN software, I am using the version 2.1RC because I wanted the version to match what I am going to run on the Mac. It can be downloaded from http://openvpn.net/index.php/open-source/downloads.html

Once I got everything downloaded, just compile the LZO, Tun, and OpenVPN:
I decided to have everything related to the vpn installed in /opt/vpn. One thing to note, I tried using the new version 2.x of LZO, and OpenVPN would not find it, so I had to use Version 1 even though 2 is supposed to be supported. So I did the following to compile LZO:

Next was to compile TUN

Only issue with tun was that it did not use the –prefix, it puts everything where it needs to be in /usr/kernel/drv on solaris.

Next is openvpn:

Once that is installed I did the simple 1 to 1 vpn connection (static key) for just testing to see if it would work. So in the /opt/vpn/openvpn/sbin directory I did this:

I then copy that key to my client via some “secure” means

Then created a server.conf that looks like this:

dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
cipher AES-256-CBC
keepalive 10 120

On my client (MacOSX) I downloaded Tunnelblick from http://code.google.com/p/tunnelblick/downloads/list and installed it. Next I copied that static.key from the server to the client and put it in ~/Library/openvpn. I also created a openvpn.conf in that directory that looked like this:

remote a.b.c.d
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
cipher AES-256-CBC
route 10.0.0.0 255.255.255.0

In the above, a.b.c.d represents my public IP address for my solaris server.

Now when you start tunnelblick it will search that directory and find that config file and ask if you want to load it. But we are not quite ready to start yet. The next thing I had to do was forward port 1194 UDP off of my router to my OpenVPN server. I will leave this exercise to you. You will also need to make sure IP forwarding is enabled on the Solaris 10 server (because I only have 1 network card in it, but “two” different networks on the box. IP Forwarding will allow your remote machine to be able to see your local network. And since my OpenVPN server is not the router for the entire network, I had to add a static route on my router to say that 10.8.0.0 is available via the openvpn servers local network address, I.e. 10.0.0.1.

You should be able to start the openvpn server now:

Once it is started you can use tunnelblick to connect. Once you are connected, you should see that is is connected and the icon has changed from this:

to look like this:

You should also see a tun0 device show up:

You should now be able to see all your hosts on the “remote” network. Next up I am going to work on doing the pki infrastructure so I can hopefully link other clients both static and dynamic.

This make is really nice to be able to see your “home” network while you are away.

Security, Solaris, VPN LZO, MacOSX, OpenVPN, Solaris, TUN, Tunnelblick