ETBE Mon

ETBE Mon is my fork of the traditional Unix system and network monitoring system “Mon” by Jim Trocki. My aim with this fork is to take the best patches available for the existing Mon codebase and the best “contrib” monitoring scripts and include them in one package. I also aim to write all scripts necessary for typical Linux systems. I don’t believe that a working system should involve “mon”, “mon-contrib”, and searching the net for scripts; it should be just the etbemon package.

Support

The Mon mailing list is at https://lists.coker.com.au/cgi-bin/mailman/listinfo/etbemon [1]. Please use the list instead of mailing me directly so other people can benefit from the answers.

I have created a Wiki for documenting etbemon [2].

If you need commercial support for Mon, that is available too. As a basic offer, for $100US by Paypal I’ll write a basic monitor script for any Linux service or RFC standard service. If there’s any other commercial support you want then just ask.

Bonnie++

This version starts the re-write of Bonnie++! I will make it totally threaded (the new code does not use fork()). It will also support testing with a specified number of threads doing the same test, which will allow you to really thrash those RAID arrays!

The ports to OS/2 and NT are cancelled!

  • bonnie++-1.97.3.tgz – man page fixes, fixed symlink test, and CSS fix for bon_csv2html.
  • bonnie++-1.97.2.tgz – make it build with GCC-6 and fix some Debian bugs.
  • bonnie++-1.97.tgz – fixed a bunch of bugs including bad CSV output.
  • bonnie++-1.96.tgz – fixed a bunch of bugs and got the colors working correctly in the HTML output.
  • bonnie++-1.95.tgz – support direct IO and made some changes to the build process (including dropping NT and OS/2 support).
  • bonnie++-1.94.tgz – major improvements to zcav.
  • bonnie++-1.93d.tgz – added write support to ZCAV.
  • bonnie++-1.93c.tgz – added support for GCC 3.2.
  • bonnie++-1.93b.tgz – version 1.93b. Fixed an error in calculating seek time and added support for large numbers of directories for the file creation tests.
  • bonnie++-1.93a.tgz – version 1.93a. Better support of NT, better RPM packaging code, and a minor warning fix.
  • bonnie++-1.93.tgz – version 1.93. Added a new test program for per-char IO for the people on the linux-kernel mailing list. ;)
  • bonnie++1.92b.tgz – version 1.92b. Fixed a bunch of bugs in the random seed selection code.
  • bonnie++1.92a.tgz – version 1.92a. Added support for setting the seed for random numbers and fixed a few bugs.
  • bonnie++1.92.tgz – version 1.92. Changed the code to do per-char tests with read() and write() instead. Now reports much lower results for those tests which are more useful IMHO.
  • bonnie++1.91c.tgz – version 1.91c, it now compiles with namespace support in GCC 3.0 and fixed some minor bugs.
  • bonnie++1.91b.tgz – version 1.91b
  • bonnie++1.91a.tgz – version 1.91a, fixed zcav properly and fixed a bunch of minor bugs in Bonnie++.
  • bonnie++1.91.tgz – version 1.91, fixes all known bugs in the 1.90 series.
  • bonnie++1.90g.tgz – version 1.90g, now latency works properly and always gets parsed properly. Changed the -f option to allow tests of per-char IO for small amounts of data.
  • bonnie++1.90f.tgz – version 1.90f, more work on latency in bonnie++ and some slight changes for OS/2 and NT portability.
  • bonnie++1.90e.tgz – version 1.90e, better OS/2 and NT support.
  • bonnie++1.90d.tgz – version 1.90d, contains code from the OS/2 and NT ports, may break things for some versions of UNIX.
  • bonnie++1.90c.tgz – version 1.90c, produces better web pages (full color) with bon_csv2html.
  • bonnie++1.90b.tgz – version 1.90b, adds support for measuring latency.
  • bonnie++1.90a.tgz – version 1.90a, adds basic threading, changes the format of the CSV files, and updates the programs for managing CSV files (and the man pages).

DKIM and Mailing Lists

The Problem

DKIM is a standard for digitally signing mail to prove its authenticity and prove that it was not modified. In an ideal situation it can be used to reject corrupted or forged messages.

DMARC and ADSP are standards for indicating that mail from a domain should be signed. This prevents hostile parties from removing the DKIM signature and modifying the message. DKIM is only half as useful without them: it can still prove authenticity, but it can’t prove that mail was forged, so forged mail can’t be rejected on that basis.

A mailing list is a software system that receives a message from one person and then generates messages to many people with the same content. A common setting of a mailing list is to insert “[listname]” at the start of the subject line of each message that goes through; this breaks the DKIM signature. Another common setting is to append a footer to the message giving information about the list; this breaks the DKIM signature unless the signature uses the “l=” flag (which Gmail doesn’t). When the “l=” flag is used a hostile party can append text to a message without the signature breaking, which is often undesired. Mailman (one of the most common mailing list systems) parses and regenerates headers, so it can break DKIM signatures on messages with unexpected header formatting. Mailman also in some situations uses a different MIME encoding for the body, which breaks DKIM signatures.

It seems almost impossible to reliably get all mail to go through a Mailman list without something happening to it that breaks DKIM signatures. The problem is that Mailman doesn’t just send the message through: it creates new messages with new headers (created from a parsed copy of the original headers, not copied from the original headers), and it sometimes parses and re-encodes the body. Even if you don’t choose to use the features for appending a message footer or changing the subject, DKIM signatures will often be broken.
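The two list edits described above can be demonstrated without a mail server. The following is an added example, not code from the original article: it implements the body and header canonicalization and hashing of RFC 6376 (the part of DKIM that the list's changes break) and skips the RSA step, since the hashes already fail to match before any key is consulted. It shows that a subject tag breaks the header hash, that a footer breaks the body hash, and that an “l=” signature survives the footer only because it survives any appended text at all. The message, header names and list names are constructed for the example.

```python
# Added example (not from the original page): models the hashing side of DKIM
# (RFC 6376) to show why a list's subject tag and footer break signatures and
# what the l= tag does and does not protect. RSA signing is skipped on purpose.
import base64
import hashlib
import re
from typing import Dict, List, Optional, Tuple

CRLF = "\r\n"


def canonicalize_body(body: str, method: str = "simple") -> bytes:
    """Body canonicalization (RFC 6376 3.4.3 simple / 3.4.4 relaxed); CRLF line endings assumed."""
    lines = body.split(CRLF)
    if method == "relaxed":
        # collapse runs of whitespace to one space and drop trailing whitespace on each line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    elif method != "simple":
        raise ValueError("unknown canonicalization: " + method)
    while lines and lines[-1] == "":  # ignore all empty lines at the end of the body
        lines.pop()
    if not lines:
        return CRLF.encode() if method == "simple" else b""
    return (CRLF.join(lines) + CRLF).encode()


def body_hash(body: str, method: str = "simple", length: Optional[int] = None) -> str:
    """The bh= tag: base64(SHA-256) over the canonicalized body, or over its
    first `length` octets when the signature carries l=."""
    canon = canonicalize_body(body, method)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def canonicalize_header(name: str, value: str, method: str = "relaxed") -> str:
    """Header canonicalization (RFC 6376 3.4.1 simple / 3.4.2 relaxed)."""
    if method == "simple":
        return name + ":" + value + CRLF
    value = re.sub(r"\r\n[ \t]+", " ", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()   # compress and trim whitespace
    return name.lower() + ":" + value + CRLF


def header_hash(headers: List[Tuple[str, str]], signed: List[str], method: str = "relaxed") -> str:
    """SHA-256 over the headers listed in h=, simplified: the last occurrence of each
    name is used and the DKIM-Signature header itself (unchanged by the list) is left out."""
    data = ""
    for want in signed:
        for name, value in reversed(headers):
            if name.lower() == want.lower():
                data += canonicalize_header(name, value, method)
                break
    return hashlib.sha256(data.encode()).hexdigest()


# Constructed message as the sender's signer saw it; every name here is made up.
ORIGINAL_HEADERS = [("From", "Alice <alice@example.com>"),
                    ("To", "lista@lists.example.org"),
                    ("Subject", "Quarterly report")]
SIGNED_HEADERS = ["from", "to", "subject"]
ORIGINAL_BODY = "Hello list," + CRLF + CRLF + "See attached." + CRLF
LIST_TAG = "[lista] "
LIST_FOOTER = "-- " + CRLF + "lista mailing list, https://lists.example.org/" + CRLF


def analyse(method: str = "simple") -> Dict[str, bool]:
    """Compare what the sender signed with what a recipient recomputes after the list's edits."""
    signed_hh = header_hash(ORIGINAL_HEADERS, SIGNED_HEADERS)
    signed_bh = body_hash(ORIGINAL_BODY, method)
    orig_len = len(canonicalize_body(ORIGINAL_BODY, method))
    signed_bh_l = body_hash(ORIGINAL_BODY, method, length=orig_len)  # same signer, but with l=

    tagged = [(n, LIST_TAG + v if n == "Subject" else v) for n, v in ORIGINAL_HEADERS]
    with_footer = ORIGINAL_BODY + LIST_FOOTER
    with_extra = ORIGINAL_BODY + "Text the sender never wrote." + CRLF

    return {
        "subject_tag_breaks_header_hash": header_hash(tagged, SIGNED_HEADERS) != signed_hh,
        "footer_breaks_body_hash": body_hash(with_footer, method) != signed_bh,
        "l_tag_keeps_footer_valid": body_hash(with_footer, method, length=orig_len) == signed_bh_l,
        "l_tag_keeps_any_appended_text_valid": body_hash(with_extra, method, length=orig_len) == signed_bh_l,
    }


if __name__ == "__main__":
    for canon in ("simple", "relaxed"):
        print(canon, analyse(canon))
```

All four results are True for both canonicalizations, which is the whole story of the section: “relaxed” tolerates whitespace changes but not a subject tag or a footer, and “l=” tolerates the footer only by tolerating anything appended after the signed length.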

Stripping the Signatures

As there is no way to reliably (i.e. for every message from every sending domain that uses DKIM) pass through messages with DKIM signatures intact, the only option is to strip them. To do that with Mailman edit /etc/mailman/mm_cfg.py, add the directive “REMOVE_DKIM_HEADERS = Yes“, and then restart Mailman. If none of the people who send to your list use DMARC or ADSP then that solves your problem.

However if there are senders who use DMARC or ADSP and recipients who check those features then mail will still be rejected and users will get unsubscribed. When DMARC or ADSP are in use the mailing list can’t send out list mail purporting to be from a list member; it must send out mail from its own domain.

A Legitimate From Field

In the web based configuration for Mailman there is a dmarc_moderation_action setting that can munge the From field on messages with a DMARC policy. One thing to note is that when one list uses the dmarc_moderation_action setting, it causes DKIM users to configure DMARC, which then makes more problems for the people who run lists with no settings for DKIM. Also that doesn’t solve things for ADSP messages or messages that don’t use either DMARC or ADSP. It’s not uncommon for people to have special configuration to prevent forged mail from their own domain; requiring a valid DKIM signature is one way of doing this. Finally many users of DKIM enabled mail servers don’t have the option of enabling DMARC.

If you use the from_is_list setting in the web based configuration for Mailman then all mail will have a From field which shows who the message is from as well as the fact that it came From a list server. This combined with REMOVE_DKIM_HEADERS will allow DKIM signed mail sent to the list to go through correctly in all cases.

If you run many lists then changing them all through the web interface can be tedious. Below is a sample of shell code that will use the Mailman config_list program to change the settings to use from_is_list. NB I haven’t actually run this on a Mailman server with lots of lists so check it before you use it, consider it pseudo-code.

for n in lista listb listc ; do
  # a private temp file rather than a predictable /tmp/$n that another user could pre-create
  tmp=$(mktemp) || exit 1
  config_list -o "$tmp" "$n"
  sed -i -e "s/^from_is_list = 0/from_is_list = 1/" "$tmp"
  config_list -i "$tmp" "$n"
  rm -f "$tmp"
done

The from_is_list setting makes a change like the following:
-From: Russell Coker <russell at coker.com.au>
+From: Russell Coker via linux-aus <linux-aus at lists.linux.org.au>

SPF

There are similar problems with SPF and other anti-forgery methods. The use of from_is_list solves them too.

Signing List Mail

An ideal list configuration has the list server checking DKIM signatures and DMARC settings before receiving mail. There is normally no reason for a mailing list to send mail to another mailing list, so mail that the list server receives should pass all DKIM, DMARC, and ADSP checks. Then the list server should send mail out with its own DKIM signature.

When a user receives mail from the list they can verify that the DKIM signature is valid. Then if they know that the sender used DKIM (e.g. the mail originated from gmail.com or another domain that’s well known to use DKIM) they know that it was verified at the list server, and therefore, as long as the list server was not compromised, the message was not altered from what the sender wrote.

Resources

The Debian Wiki page about OpenDKIM is worth reading [1]. OpenDKIM is generally regarded as the best free software DKIM verification and signing daemon available. The Debian Wiki only documents how to install it with Postfix, but the milter interface is used by other MTAs so it shouldn’t be too hard to get it working with them. The Debian Wiki also documents the “relaxed” setting, which will in some situations solve some of the problems with Mailman munging messages, but it doesn’t guarantee that they will all be solved. Also in most cases it’s not possible to get every user of your list to change the settings of their DKIM signing to “relaxed” for the convenience of the list admin.

The Mailman Wiki page about DMARC [2] and the Mailman Wiki page about DKIM [3] are both good resources. But this article summarises all you really need to know to get things working.

Here is an example of how to use SpamAssassin to score DKIM signatures and give a negative weight to mail from lists that are known to have problems [4]. Forcing list users to do this means more work overall than just having the list master configure the list server to pass DKIM checks.

RAM Speed according to Memtest86+

Here are some speed results for RAM according to Memtest86+ on some machines that I have run. Note that the reported speed varies between runs by a few percent.

Thinkpad 600e PentiumII 400Mhz PC-66 RAM (2 DIMMs) 174MB/s
Compaq P3-866MHz PC133 RAM (3 DIMMs, 2*128 + 256) 190MB/s
Compaq Athlon 1GHz PC133 RAM (3 DIMMs) 219MB/s
Compaq P3-800MHz PC133 RAM (1 DIMM) 270MB/s
Compaq P3-800MHz PC133 RAM (3 DIMMs, 2*128 + 256) 240MB/s
Compaq P4 1.5GHz PC133 RAM (3 DIMMs) 486MB/s
Compaq P4 1.5GHz PC133 RAM (1 or 2 DIMMs) 490MB/s
EeePC 701, DDR2-665 PC2-5300 running at DDR2-333 speed 798MB/s
HP Celeron 1.8GHz PC2100/DDR266 (1 DIMM) 824MB/s
HP Celeron 2.4GHz PC2100/DDR266 RAM (2 DIMMs) 984MB/s
Celeron D (32bit) 2.93GHz PC2400/DDR300 PC3200 RAM 1,140MB/s
HP Celeron 2.4GHz PC2700/DDR333 RAM (2 DIMMs) 1,027MB/s
HP Celeron 2.4GHz PC2700/DDR333 RAM (2 DIMMs) 1,375MB/s
Dell PowerEdge T105 Dual-core Opteron 1212 (2GHz) single DDR2-667 ECC RAM 1,670MB/s
Dell PowerEdge T105 Dual-core Opteron 1212 (2GHz) pair of DDR2-667 ECC RAM 1,826MB/s
NEC Pentium E2160 1.8GHz DDR663 (two mismatched DIMMs) 2,307MB/s
IBM Pentium E2160 1.8GHz DDR2-667 PC2-5300 (single DIMM) 2,371MB/s
IBM Pentium E2160 1.8GHz PC2-4200 (paired DIMMs) 2,436MB/s
NEC Pentium E4600 2.4GHz DDR2-667 PC2-5300 (single DIMM) 2,528MB/s
NEC Pentium D 2.8GHz DDR 533 (unpaired DIMMS) 1,600MB/s
NEC Pentium D 2.8GHz DDR 533 (paired DIMMS) 2,600MB/s
Thinkpad T61 DDR2-665 PC2-5300 (single DIMM) 2,023MB/s
Thinkpad T61 DDR2-665 PC2-5300 (paired or mismatched DIMMs) 2,823MB/s
Core Gen2 2492MHz 3,804MB/s
Core Gen2 2492MHz 2 DIMMs 3,930MB/s
Q8400 2*PC6400 4,830MB/s
Intel X3450 2.67GHz, DDR3-1066 (4 DIMMs) 10.0GB/s
i7-2600 3.4GHz, DDR3-1333 PC3-10600 (paired DIMMs) 16.6GB/s
Dell PowerEdge T110 Core i3-3220 3GHz, DDR3-1600 PC3-12800 (paired DIMMs) 17.9GB/s

The Wikipedia page on SDRAM lists the theoretical speeds and the various names of the different types of DDR RAM (each type seems to have at least two names).

DDR266 theoretically can do 2100MB/s, but I’ve only seen it do 984MB/s (with two DIMMs).

Mon

Here are the details of some Mon tests I run:

DNS

The following tests the local DNS cache. I didn’t use example.com in my real tests, I used the domain of a multi-national corporation that has a very short DNS timeout that seems related to their use of the Akamai CDN. I won’t tell people which company to use, but I’m sure that any company that can afford Akamai can afford a query from my server every 5 minutes. ;)

watch 127.0.0.1
  service dnscache
    description DNS caching
    interval 5m
    monitor dns.monitor -caching_only -query www.example.com
    period
    numalerts 1
    alert mailxmpp.alert -x russell@coker.com.au -m russell@coker.com.au
    upalert mailxmpp.alert -x russell@coker.com.au -m russell@coker.com.au

The following section of mon.cf.m4 monitors Google DNS for the validity of domains that I host on my name server. The aim of this is to catch the case where someone forgets to pay for zone renewal so that they can pay while the zone is locked before it becomes available for domain squatters. It uses M4 so it can be generated from the BIND configuration.

watch 8.8.8.8
  service myzones
    description check Google DNS has my zones
    interval 1h
    monitor dns.monitor -caching_only QUERYDOMAINS
    period
    numalerts 1
    alert mailxmpp.alert -x russell@coker.com.au -m russell@coker.com.au
    upalert mailxmpp.alert -x russell@coker.com.au -m russell@coker.com.au

The following Makefile generates a mon.cf file from the BIND configuration that monitors the www entries in zones and the first PTR entries in IPv6 reverse zones. Recipe lines in a Makefile must start with a TAB, which may be turned into spaces if you cut/paste this, so check the indentation before use.

all: mon.cf

# The first loop emits "-query www.ZONE" for each forward zone, the second emits
# the ::1 PTR name for each ip6.arpa zone; both lists are passed to m4 as QUERYDOMAINS.
mon.cf: mon.cf.m4 /etc/bind/named.conf.local Makefile
	m4 -DQUERYDOMAINS="$(shell for n in $$(grep '^zone ' /etc/bind/named.conf.local | sed -e 's/^zone "//' -e 's/".*$$//' | grep -v 'arpa$$') ; do echo -query www.$$n ; done ; for n in $$(grep '^zone .*ip6\.arpa' /etc/bind/named.conf.local | sed -e 's/^zone "//' -e 's/".*$$//') ; do echo -query 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.$$n:PTR ; done)" mon.cf.m4 > mon.cf
	/etc/init.d/mon restart
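The shell pipeline in that Makefile is hard to test without a live BIND installation. The following is an added example, not the page's own code, that does the same job in Python against an embedded, constructed named.conf.local: it lists the declared zones (skipping commented-out ones), emits the dns.monitor -query arguments, and writes a complete watch block in the layout of the myzones service above. It goes slightly further than the Makefile in one respect: the number of host nibbles for the ::1 PTR name is computed from the reverse zone's length, so reverse zones of any prefix length work. The sample config, zone names and alert address are constructed for the example.

```python
# Added example (not the page's own code): generate dns.monitor -query arguments
# and a mon.cf watch block from a BIND named.conf.local, offline and testable.
import re
from typing import List

ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"')

SAMPLE_NAMED_CONF_LOCAL = """\
// constructed sample of /etc/bind/named.conf.local
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};
zone "example.net" { type master; file "/etc/bind/db.example.net"; };
// zone "retired.example" { type master; file "/etc/bind/db.retired"; };
zone "1.168.192.in-addr.arpa" { type master; file "/etc/bind/db.192.168.1"; };
zone "1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/etc/bind/db.2001.db8.1"; };
"""


def parse_zones(named_conf: str) -> List[str]:
    """Return the zone names declared in named.conf.local, ignoring // and # comment lines."""
    zones = []
    for line in named_conf.splitlines():
        stripped = line.lstrip()
        if stripped.startswith("//") or stripped.startswith("#"):
            continue
        match = ZONE_RE.match(line)
        if match:
            zones.append(match.group(1).lower().rstrip("."))
    return zones


def ipv6_first_host_ptr(reverse_zone: str) -> str:
    """Name of the ::1 host inside an ip6.arpa zone. The zone's nibble count
    decides how many host nibbles to prepend, so any prefix length works."""
    labels = reverse_zone.split(".")
    zone_nibbles = len(labels) - 2          # drop the "ip6" and "arpa" labels
    if not (1 <= zone_nibbles <= 31):
        raise ValueError("not an ip6.arpa zone: " + reverse_zone)
    host = ["1"] + ["0"] * (32 - zone_nibbles - 1)   # ::1, least significant nibble first
    return ".".join(host + labels)


def monitor_queries(zones: List[str]) -> List[str]:
    """dns.monitor -query arguments for the zones worth checking."""
    queries = []
    for zone in zones:
        if zone.endswith(".ip6.arpa"):
            queries.append("-query " + ipv6_first_host_ptr(zone) + ":PTR")
        elif zone.endswith(".arpa"):
            continue                          # IPv4 reverse zones are not checked, as in the Makefile
        else:
            queries.append("-query www." + zone)
    return queries


def mon_cf_block(queries: List[str], server: str = "8.8.8.8",
                 alert_addr: str = "admin@example.org") -> str:
    """A complete mon.cf watch block in the same layout as the page's myzones service."""
    lines = [
        "watch " + server,
        "  service myzones",
        "    description check Google DNS has my zones",
        "    interval 1h",
        "    monitor dns.monitor -caching_only " + " ".join(queries),
        "    period",
        "    numalerts 1",
        "    alert mailxmpp.alert -x %s -m %s" % (alert_addr, alert_addr),
        "    upalert mailxmpp.alert -x %s -m %s" % (alert_addr, alert_addr),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(mon_cf_block(monitor_queries(parse_zones(SAMPLE_NAMED_CONF_LOCAL))))
```

Run it as a script and redirect the output to mon.cf, or import it from a small wrapper that reads /etc/bind/named.conf.local; the commented-out zone in the sample is deliberately left out of the queries, which is the case the Makefile's grep -v pipeline handles.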

Debian Repositories

Here is a list of the Debian repositories I maintain. I include sources.list lines both directly and via a TOR Hidden Service (see Petter’s blog post about TOR and APT [1]).

All my repositories support i386 and amd64 architectures. Not all packages will be supported in both architectures. In the past I’ve had to rebuild lots of i386 packages to avoid execmem while amd64 packages needed no changes due in part to amd64 having more registers. But sometimes I just don’t need a package on an architecture for my own systems.

While I aim to make i386 and amd64 equally usable for everyone for SE Linux and WordPress, the misc repository is mostly to suit my own needs.

Stretch

Currently the only repository I have for Stretch is for WordPress. I will probably have a SE Linux repository soon.

I am no longer updating the Jessie repository for WordPress, but I expect that the Stretch packages will work on Jessie without any problems. So you can use the Stretch repository if you are still running Jessie.

deb http://www.coker.com.au stretch wordpress

deb http://6kbiotdr2vvb7ftu.onion stretch wordpress

Jessie

The SE Linux repository has policy and various updates of Jessie packages for better support as well as backports from testing/unstable. The backport of systemd has no support for AppArmor as supporting that was inconvenient and it’s impossible to run both SE Linux and AppArmor at the same time.

The misc repository has random changes that aren’t liked by the Debian maintainer, backports, etc. Currently the only thing in there is a build of Sendmail that uses const more often in Milter headers.

The wordpress repository has lots of things that I haven’t added to Debian because of the difficulty in providing useful security support. Also the Jessie WordPress repository worked with a wheezy system last time I tested, it depends on the latest version of WordPress not on any other package.

deb http://www.coker.com.au jessie selinux
deb http://www.coker.com.au jessie misc
deb http://www.coker.com.au jessie wordpress

deb http://6kbiotdr2vvb7ftu.onion jessie selinux
deb http://6kbiotdr2vvb7ftu.onion jessie misc
deb http://6kbiotdr2vvb7ftu.onion jessie wordpress

Wheezy

The wheezy repositories for SE Linux, misc, and WordPress have much the same aims as the Jessie versions – but I’ve had more time to work on them. Note that I am no longer updating the WordPress repository.

The ZFS repository is only for amd64. I generally don’t recommend that people use it. Install ZFS from zfsonlinux.org. I created the wheezy repository before they created their repository. I’m not deleting it because it MIGHT be useful in some situation.

deb http://www.coker.com.au wheezy selinux
deb http://www.coker.com.au wheezy misc
deb http://www.coker.com.au wheezy wordpress
deb http://www.coker.com.au wheezy zfs

deb http://6kbiotdr2vvb7ftu.onion wheezy selinux
deb http://6kbiotdr2vvb7ftu.onion wheezy misc
deb http://6kbiotdr2vvb7ftu.onion wheezy wordpress
deb http://6kbiotdr2vvb7ftu.onion wheezy zfs

Squeeze

I’ve got a bunch of old Squeeze repositories. Apart from the SE Linux one I don’t think that any of them provide much benefit at this time. I’m not supporting Squeeze SE Linux nowadays except as a consulting service.

deb http://www.coker.com.au squeeze selinux
deb http://6kbiotdr2vvb7ftu.onion squeeze selinux

Free Educational Android Apps

This post has a list of educational apps for Android phones and tablets that I have discovered. I can’t claim that each app is the best for its purpose, but I’ve tested out each one and found it to be useful.

I am separating the lists into apps that have full functionality when offline and those which require Internet access. Sometimes it’s handy to be able to load up your phone with apps that you can use later when there’s no net access.

Quick Apps that Don’t Need Internet Access

Here are some apps that can be quickly used without much prior knowledge and without Internet access.

Quick Apps that Need Internet Access

Here are some apps that are easy to use but require Internet access.

More Complex Apps

Classes of Common Apps

There are some educational related categories of apps where there are many apps performing similar tasks, so instead of trying to find one app that could be claimed to be best I’ll just list what you can search for in the Android market. If you know of one particular app in some category that stands out then let me know.

  • “Wikipedia”. There are many apps that read Wikipedia online that work in different ways and none of them really satisfy me. But you need to have one of them.
  • “Conway’s Life” is the classic cellular automata game.
  • “Bridge construction” games are good for teaching some principles of engineering. There are many such games with slightly different features.
  • A “graphing” calculator. In the olden days a graphing calculator cost $100 or more, now there is a range of free apps to do it. Some apps only support a single graph, but apart from that they all seem OK.
  • “Fractal” generating programs can be educational, but only if you have some idea of the maths behind them.
  • “Stop motion” generation programs, also “gif creator” can find some good matches. I haven’t been really satisfied with any of the programs I’ve tried, but some have worked well enough for my needs. Let me know if you find a really good one.

Intellectual Android Games

Here is a list of Android games that involve thinking:

SE Linux Play Machine

Free root access on a SE Linux machine!

To access my Debian play machine ssh to zp7zwyd5t3aju57m.onion as root, the password is “SELINUX“.
I give no-one permission to distribute this password. If you want to share information on this machine you must give the URL to this web site. In some jurisdictions it would be considered a crime to distribute the password without my permission (IE without giving the URL to this web page).

Note that such machines require a lot of skill if you are to run them successfully. If you have to ask whether you should run one then the answer is “no“.

The aim of this is to demonstrate that all necessary security can be provided by SE Linux without any Unix permissions (however it is still recommended that you use Unix permissions as well for real servers). Also it gives you a chance to login to a SE machine and see what it’s like.

When you login to a SE Linux play machine make sure that you use the -x option to disable X11 forwarding or set ForwardX11 no in your /etc/ssh/ssh_config file before you login. Also make sure that you use the -a option to disable ssh agent forwarding or set ForwardAgent no in your /etc/ssh/ssh_config file before you login.

If you don’t correctly disable these settings then logging in to the play machine will put you at risk of being attacked through your SSH client.

There is an IRC channel for discussing this, it is #selinux on irc.freenode.net.

FAQ

  • Editing thanks.txt_append_only with vi won’t work, use cat or echo to append data to the file. The following commands will work:
    echo something >> thanks.txt_append_only_dont_edit_with_vi
    cat >> thanks.txt_append_only_dont_edit_with_vi
    
  • There is no harm in letting you see dmesg output for such a machine, security by obscurity isn’t much good anyway. For a serious server you would probably deny dmesg access, but this is a play machine. One of the purposes of the machine is to teach people about SE Linux, and you can learn a lot from the dmesg output.
  • This is not a simulated machine or honeypot. It’s a real Lenovo ThinkCenter desktop PC running Debian/Jessie (pre-release) SE Linux in a Xen DomU. You really have UID==0. The Xen configuration is a default Debian install with a standard Debian kernel. SE Linux does its own permission checks in addition to the Unix permission checks. If you don’t believe me you are free to write assembler programs to call getuid() etc. But it would be a lot easier for you to just install a recent version of Debian or Fedora, see how it works, and read the source if you wish.
  • I will provide instructions on installing such machines soon.
  • To administer a SE Linux machine you need to have sysadm_r (the SE Linux administrative role) and UID==0 (the regular Unix admin account). So there needs to be a UID==0 account. As in regular Linux the UID==0 account does not need to be named “root”. In the case of this machine the root account has UID 0, but it has few privs in SE Linux.
  • The default policy in Fedora is known as the targeted policy, it has no restrictions on user login sessions (so can never be used for such a machine). The policy I use for this machine is known as the strict policy. The default configuration of the strict policy does not support running in such a manner and requires some changes.
  • This machine is intentionally more permissive than some other play machines. I let you see the policy files so you can learn how to configure a machine in this way.
  • Regarding core-dumping bash to read the history. That’s nice work, but you could have just used cat, grep, or any of your favourite tools on /root/.bash_history with much less effort.
  • Some people have asked for ping, telnet, etc access. I would like to provide such access (and have provided it in the past). I removed ping access because some people were using ping with large packet sizes to attack machines with small network connections. I removed telnet access because people were running scripts to try and discover (and attack) hosts with broken telnetd’s. As for whether the machine is usable without such access, for its intended purpose (demonstrating what SE Linux can do) it is quite useful. As a general shell server it’s not very useful because you share your account with lots of people who may rm your files or kill your processes.
  • Some types of files and directories may not be stat’d by unprivileged users (this includes shadow_t for /etc/shadow). Such files and directories show up in flashing red in the output of “ls -l” because ls can’t even determine whether it’s a file or a directory.

Worthless Questions at Lectures

I’ve previously blogged about the productive length of questions at lectures [1]. But it seems to me that worthless questions can be recognised before the person asking even gets properly started. Here is a list of ways of recognising them:

  1. Appeal to authority. If someone tells you about their job or other qualifications before asking a question then the question is almost certain to be useless. If a question is good then it can be asked by someone with no special qualifications who has 20 seconds to ask.
  2. An introduction that shows that it’s not a question. Anything starting with a statement like “I just want to say” isn’t a question and has no place in a conference lecture hall. After a lecture the speaker will usually hang around and talk to delegates, anyone can make comments then or send email later. In this case it’s not just that statements are inappropriate for “question time” it’s that people who think that they are so important that their statement is more important than genuine questions probably aren’t going to have anything useful to say.
  3. A second question. Anyone who has more than one question wants a conversation – they can do that privately after question time. Again it’s people with an over-inflated opinion of their own importance who do this.
  4. A statement of “fact” that they want the speaker to address. Questions should mostly concern facts referenced by the speaker. “Facts” that are cited by the audience are often the sort of thing that can be easily disproved by Snopes or Wikipedia – but not in the amount of time available during a lecture. While it is possible to ask useful questions regarding facts that weren’t presented in the lecture my observation is that most such questions are worthless and the “facts” are false.

I think that for a serious lecture the MC should cut off such questions when they start. Once enough has been said to make it obvious that the question falls into one of the above categories I believe that the correct thing to do is to say “that’s probably a good thing to discuss after the lecture”, and then move on to the next question.

Please note that the above list isn’t comprehensive. Let me know if you have suggestions for any I missed.