Creating iso image in freebsd

In order to write data to a CD, you first need to create an ISO image. This can be done with mkisofs. In my example, we’ll work from the /home/recording directory. In this directory, I created a subdirectory called files. Here is what it contains:

# ls -l files
total 5280
-rw-r--r-- 1 root wheel 2174400 Dec 12 10:56 freebsddiary.tif
-rw-r--r-- 1 root wheel 2239494 Dec 12 10:57 freshports.tgz
-rw-r--r-- 1 root wheel 956533 Dec 12 10:56 mycvs.tgz

From these files, I will create an ISO image:

# mkisofs -J -L -R -o cdimage.raw files
Total translation table size: 0
Total rockridge attributes bytes: 471
Total directory bytes: 0
Path table size(bytes): 10
Max brk space used a164
2649 extents written (5 Mb)

Thanks to mikem for helping me with the following options. I use these on each CD I write. Note: if you don’t use the -J option, you may have problems if you use the CD under Windows (I know, my first CDR didn’t use this option).

-J Generate Joliet directory records in addition to regular iso9660 file names. This is primarily useful when the discs are to be used on Windows-NT or Windows-95 machines. The Joliet filenames are specified in Unicode and each path component can be up to 64 Unicode characters long.

-L Allow ISO9660 filenames to begin with a period. Usually, a leading dot is replaced with an underscore in order to maintain MS-DOS compatibility. This violates the ISO9660 standard, but it happens to work on many systems. Use with caution.

-P publisher_id Specifies a text string that will be written into the volume header. This should describe the publisher of the CDROM, usually with a mailing address and phone number. There is space on the disc for 128 characters of information. This parameter can also be set in the file .mkisofsrc with PUBL=. If specified in both places, the command line version is used.

-p preparer_id Specifies a text string that will be written into the volume header. This should describe the preparer of the CDROM, usually with a mailing address and phone number. There is space on the disc for 128 characters of information. This parameter can also be set in the file .mkisofsrc with PREP=. If specified in both places, the command line version is used.

Posted in FreeBSD, Knowledge Base, Old Base

Danish locale setting in FreeBSD

To set the system default to ISO-8859-1 and a Danish keyboard:

in /etc/rc.conf:

keymap="danish.iso"
font8x16="iso-8x16"
font8x14="iso-8x14"
font8x8="iso-8x8"

in /etc/profile

LANG=da_DK.ISO8859-1
MM_CHARSET=ISO-8859-1
export LANG MM_CHARSET

To set a user class to Danish (not necessary if the system default is set):
in /etc/login.conf

danish|Danish user accounts:\
:charset=ISO-8859-1:\
:lang=da_DK.ISO8859-1:

and set the user class to 'danish'

Posted in FreeBSD, Knowledge Base, Old Base

Recover broken mysql table

mysql> repair table weblog use_frm;

+---------------+--------+----------+-----------------------------------------+
| Table         | Op     | Msg_type | Msg_text                                |
+---------------+--------+----------+-----------------------------------------+
| system.weblog | repair | warning  | Number of rows changed from 0 to 666601 |
| system.weblog | repair | status   | OK                                      |
+---------------+--------+----------+-----------------------------------------+
2 rows in set (35.34 sec)

http://dev.mysql.com/doc/mysql/en/Repair.html

Posted in Knowledge Base, Old Base

ISO/OSI Network Model / TCP/IP Network Model

ISO/OSI Network Model
The standard model for networking protocols and distributed applications is the International Standard Organization’s Open System Interconnect (ISO/OSI) model. It defines seven network layers.

Layer 1 – Physical
The physical layer defines the cable or physical medium itself, e.g., thinnet, thicknet, or unshielded twisted pair (UTP). All media are functionally equivalent; the main difference is in the convenience and cost of installation and maintenance. Converters from one medium to another operate at this level.

Layer 2 – Data Link
The data link layer defines the format of data on the network. A network data frame, a.k.a. packet, includes a checksum, source and destination addresses, and data. The largest packet that can be sent through a data link layer defines the Maximum Transmission Unit (MTU). The data link layer handles the physical and logical connections to the packet's destination, using a network interface. A host connected to an Ethernet would have an Ethernet interface to handle connections to the outside world, and a loopback interface to send packets to itself.

Ethernet addresses a host using a unique, 48-bit address called its Ethernet address or Media Access Control (MAC) address. MAC addresses are usually represented as six colon-separated pairs of hex digits, e.g., 8:0:20:11:ac:85. This number is unique and is associated with a particular Ethernet device. Hosts with multiple network interfaces should use the same MAC address on each. The data link layer’s protocol-specific header specifies the MAC address of the packet’s source and destination. When a packet is sent to all hosts (broadcast), a special MAC address (ff:ff:ff:ff:ff:ff) is used.

Layer 3 – Network
NFS uses Internetwork Protocol (IP) as its network layer interface. IP is responsible for routing, directing datagrams from one network to another. The network layer may have to break large datagrams, larger than the MTU, into smaller packets, and the host receiving the packets will have to reassemble the fragmented datagram. The Internetwork Protocol identifies each host with a 32-bit IP address. IP addresses are written as four dot-separated decimal numbers between 0 and 255, e.g., 129.79.16.40. The leading 1-3 bytes of the IP identify the network and the remaining bytes identify the host on that network. The network portion of the IP is assigned by InterNIC Registration Services, under contract to the National Science Foundation, and the host portion of the IP is assigned by the local network administrators, locally by noc@indiana.edu. For large sites, usually subnetted like ours, the first two bytes represent the network portion of the IP, and the third and fourth bytes identify the subnet and host respectively.

Even though IP packets are addressed using IP addresses, hardware addresses must be used to actually transport data from one host to another. The Address Resolution Protocol (ARP) is used to map an IP address to its hardware address.

Layer 4 – Transport
The transport layer subdivides the user buffer into network-buffer-sized datagrams and enforces the desired transmission control. Two transport protocols, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), sit at the transport layer. Reliability and speed are the primary differences between these two protocols. TCP establishes connections between two hosts on the network through 'sockets', which are determined by the IP address and port number. TCP keeps track of the packet delivery order and the packets that must be resent. Maintaining this information for each connection makes TCP a stateful protocol. UDP, on the other hand, provides a low-overhead transmission service, but with less error checking. NFS is built on top of UDP because of its speed and statelessness. Statelessness simplifies crash recovery.

Layer 5 – Session
The session protocol defines the format of the data sent over the connections. NFS uses the Remote Procedure Call (RPC) as its session protocol. RPC may be built on either TCP or UDP. Login sessions use TCP, whereas NFS and broadcast use UDP.

Layer 6 – Presentation
External Data Representation (XDR) sits at the presentation level. It converts the local representation of data to its canonical form and vice versa. The canonical form uses a standard byte ordering and structure packing convention, independent of the host.

Layer 7 – Application
This layer provides network services to the end users. Mail, ftp, telnet, DNS, NIS and NFS are examples of network applications.

TCP/IP Network Model
Although the OSI model is widely used and often cited as the standard, the TCP/IP protocol suite has been used by most Unix workstation vendors. TCP/IP is designed around a simple four-layer scheme. It omits some features found in the OSI model, combines the features of some adjacent OSI layers, and splits other layers apart. The four network layers defined by the TCP/IP model are as follows.

Layer 1 – Link
This layer defines the network hardware and device drivers.

Layer 2 – Network
This layer is used for basic communication, addressing and routing. TCP/IP uses IP and ICMP protocols at the network layer.

Layer 3 – Transport
Handles communication among programs on a network. TCP and UDP fall within this layer.

Layer 4 – Application
End-user applications reside at this layer. Commonly used applications include NFS, DNS, arp, rlogin, talk, ftp, ntp and traceroute.
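The layering above can be read directly off the wire. As an added example (not part of the original post), this Python decodes a constructed Ethernet/IPv4/UDP frame one layer at a time: the layer-2 MAC addresses and the ff:ff:ff:ff:ff:ff broadcast case, the layer-3 addresses plus the fragmentation fields the network layer uses when a datagram exceeds the MTU, and the layer-4 ports. The frame bytes, the 1500-byte default MTU and the port numbers are constructed here; only the source MAC and IP are taken from the text.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"       # layer-2 "send to every host" address
ETHERTYPE_IPV4 = 0x0800
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decode_frame(frame: bytes, mtu: int = 1500) -> dict:
    """Pull out the layer-2 (Ethernet), layer-3 (IP) and layer-4 fields."""
    if len(frame) < 14:
        raise ValueError("short Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"l2": {"dst": mac_str(dst), "src": mac_str(src),
                  "broadcast": mac_str(dst) == BROADCAST}, "l3": None, "l4": None}
    if ethertype != ETHERTYPE_IPV4:
        return out                        # not IP (e.g. ARP): nothing above layer 2
    ihl = (frame[14] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or len(frame) < 14 + ihl:
        raise ValueError("short IPv4 header")
    (_, _, total_len, _, flags_frag, ttl, proto, _,
     saddr, daddr) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    out["l3"] = {
        "src": ip_str(saddr), "dst": ip_str(daddr), "ttl": ttl,
        "protocol": PROTO.get(proto, str(proto)),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "more_fragments": bool(flags_frag & 0x2000),
        "needs_fragmentation": total_len > mtu,   # bigger than MTU: layer 3 splits it
    }
    l4 = frame[14 + ihl:]
    if proto == 17 and len(l4) >= 8:      # UDP: ports plus length, no state
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        out["l4"] = {"sport": sport, "dport": dport, "payload": l4[8:ulen]}
    elif proto == 6 and len(l4) >= 20:    # TCP: ports identify the socket
        sport, dport = struct.unpack("!HH", l4[:4])
        out["l4"] = {"sport": sport, "dport": dport}
    return out


def build_sample() -> bytes:
    """Constructed frame: 129.79.16.40 broadcasts 'hi' to UDP port 111."""
    payload = b"hi"
    udp = struct.pack("!HHHH", 40000, 111, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0x4000, 64,
                     17, 0, bytes([129, 79, 16, 40]), bytes([129, 79, 16, 255]))
    eth = bytes.fromhex("ffffffffffff" "08002011ac85") + struct.pack("!H", 0x0800)
    return eth + ip + udp
```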

Posted in Knowledge Base, Networking, Old Base

FreeBSD – Installing MySQL

cd /usr/ports/databases/mysql40-server
make DB_DIR=/data install
/usr/local/etc/rc.d/mysql-server.sh start
echo 'mysql_enable="YES"' >> /etc/rc.conf   # append; a single > would overwrite rc.conf

Posted in FreeBSD, Knowledge Base, Old Base

FreeBSD – Install/Update ports/Cvsup

If you have no ports tree at all: pkg_add -r cvsup-without-gui

cd /usr/ports/net/cvsup-without-gui
make
make install
rehash
cd /usr/share/examples/cvsup
vi ports-supfile

--------------------------------------
# listed at http://www.freebsd.org/handbook/mirrors.html.
*default host=CHANGE_THIS.FreeBSD.org
*default base=/usr
-------------------------------------
Change to:
--------------------------------------
# listed at http://www.freebsd.org/handbook/mirrors.html.
*default host=cvsup.dk.FreeBSD.org
*default base=/usr
-------------------------------------

cvsup -g -L 2 ports-supfile

- The system now updates the ports collection.

Posted in FreeBSD, Knowledge Base, Old Base

FreeBSD : Install Webserver (ftp,http,php)

# apache wants openssl
cd /usr/ports/security/openssl
make install

# and expat2
cd /usr/ports/textproc/expat2
make deinstall
make install

cd /usr/ports/www/apache2
make install
echo apache2_enable=YES >> /etc/rc.conf

cd /usr/ports/www/mod_php4
make install

- An ncurses menu will come up; select the wanted modules.

echo AddType application/x-httpd-php .php >> /usr/local/etc/apache2/httpd.conf

The web directory is /usr/local/www/data-dist

/usr/local/etc/rc.d/apache2.sh restart

- FTP daemon for lusers to upload shit

cd /usr/ports/ftp/pure-ftpd
make
- An ncurses box will come up; select the wanted options (none).
make install
cd /usr/local/etc
cp pure-ftpd.conf.sample pure-ftpd.conf
pw useradd ftp
echo 'pureftpd_enable="YES"' >> /etc/rc.conf

Posted in FreeBSD, Knowledge Base, Old Base

using updatedb on freebsd – slocate

On FreeBSD the updatedb program is named locate.updatedb and lives in /usr/libexec.

To get a plain updatedb command:

cd /sbin
ln -s /usr/libexec/locate.updatedb updatedb
updatedb

Posted in FreeBSD, Knowledge Base, Old Base

Scan for rootkit

Use chkrootkit to determine the extent of a compromise.

If you suspect that you have a compromised system, it is a good idea to check for root kits that the intruder may have installed. In short, a root kit is a collection of programs that intruders often install after they have compromised the root account of a system. These programs will help the intruders clean up their tracks, as well as provide access back into the system. Because of this, root kits will sometimes leave processes running so that the intruder can come back easily and without the system administrator’s knowledge. This means that some of the system’s binaries (like ps, ls, and netstat) will need to be modified by the root kit in order to not give away the backdoor processes that the intruder has put in place. Unfortunately, there are so many different root kits that it would be far too time-consuming to learn the intricacies of each one and look for them manually. Scripts like chkrootkit (http://www.chkrootkit.org) will do the job for you automatically.

In addition to detecting over 50 different root kits, chkrootkit will also detect network interfaces that are in promiscuous mode, altered lastlog files, and altered wtmp files. These files contain times and dates of when users have logged on and off the system, so if they have been altered, this is evidence of an intruder. In addition, chkrootkit will perform tests in order to detect kernel module-based root kits. C programs that are called by the main chkrootkit script perform all of these tests.

It isn't a good idea to install chkrootkit on your system and simply run it periodically, since an attacker may simply find the installation and change it so that it doesn't detect his presence. A better idea may be to compile it and put it on removable or read-only media. To compile chkrootkit, download the source package and extract it. Then go into the directory that it created and type make sense.

Running chkrootkit is as simple as just typing ./chkrootkit from the directory it was built in. When you do this, it will print each test that it performs and the result of the test:

# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected

That's not very interesting, since the machine hasn't been infected (yet). chkrootkit can also be run on disks mounted in another machine; just specify the mount point for the partition with the -r option, like this:

# ./chkrootkit -r /mnt/hda2_image

Also, since chkrootkit depends on several system binaries, you may want to verify them before running the script (using the Tripwire [Hack #97] or RPM [Hack #98] methods). These binaries are awk, cut, egrep, find, head, id, ls, netstat, ps, strings, sed, and uname. However, if you have known good backup copies of these, you can specify the path to them by using the -p option. For instance, if you copied them to a CD-ROM and then mounted it under /mnt/cdrom, you would use a command like this:

# ./chkrootkit -p /mnt/cdrom

You can also add multiple paths by separating each one with a :. Instead of maintaining a separate copy of each of these binaries, you could simply keep a statically compiled copy of BusyBox handy (http://www.busybox.net). Intended for embedded systems, BusyBox can perform the functions of over 200 common binaries, and does so using a very tiny binary with symlinks. A floppy, CD, or USB keychain (with the read-only switch enabled) with chkrootkit and a static BusyBox installed can be a quick and handy tool for checking the integrity of your system.

Posted in Knowledge Base, Linux, Old Base

Finding compromised packages with RPM

Verify operating system installed files in an RPM-based distribution.

So you’ve had a compromise and need to figure out which files (if any) were modified by the intruder, but you didn’t install Tripwire? Well, all is not lost if your distribution uses RPM for its package management system. While not as powerful as Tripwire, RPM can be useful for finding to what degree a system has been compromised. RPM keeps MD5 signatures for all the files it has ever installed. We can use this functionality to check the packages on a system against its signature database. In addition to MD5 checksums, you can also check a file’s size, user, group, mode, and modification time against that which is stored in the system’s RPM database.

To verify a single package, run this:

rpm -V package

If the intruder modified any binaries, it’s very likely that the ps command was one of them. Let’s check its signature:

# which ps
/bin/ps
# rpm -V `rpm -qf /bin/ps`
S.5....T /bin/ps

Here we see from the S, 5, and T that the file's size, checksum, and modification time have changed from when it was installed—not good at all. Note that only files that do not match the information contained in the package database will result in output.

If we want to verify all packages on the system, we can use the usual rpm option that specifies all packages, -a:

# rpm -Va
S.5....T /bin/ps
S.5....T c /etc/pam.d/system-auth
S.5....T c /etc/security/access.conf
S.5....T c /etc/pam.d/login
S.5....T c /etc/rc.d/rc.local
S.5....T c /etc/sysconfig/pcmcia
.......T c /etc/libuser.conf
S.5....T c /etc/ldap.conf
.......T c /etc/mail/sendmail.cf
S.5....T c /etc/sysconfig/rhn/up2date-uuid
.......T c /etc/yp.conf
S.5....T /usr/bin/md5sum
.......T c /etc/krb5.conf

There are other options that can be used to limit what gets checked on each file. Some of the more useful ones are --nouser, --nogroup, --nomtime, and --nomode. These can be used to eliminate a lot of the output that results from configuration files that you've modified.

Note that you’ll probably want to redirect the output to a file, unless you narrow down what gets checked by using the command-line options. Running rpm -Va without any options can result in quite a lot of output resulting from modified configuration files and such.

This is all well and good, but ignores the possibility that someone has compromised key system binaries and that they may have compromised the RPM database as well. If this is the case, we can still use RPM, but we’ll need to obtain the file the package was installed from in order to verify the installed files against it.

The worst-case scenario is that the rpm binary itself has been compromised. It can be difficult to be certain of this unless you boot from an alternate media, as mentioned earlier. If this is the case, you should locate a safe rpm binary to use for verifying the packages.

First find the name of the package that owns the file. You can do this by running:

rpm -qf filename

Then you can locate that package from your distribution media, or download it from the Internet. After doing so, you can verify the installed files against what’s in the package using this command:

rpm -Vp package-file

RPM can be used for quite a number of useful things, including verifying the integrity of system binaries. However, it should not be relied on for this purpose. If at all possible, something like Tripwire [Hack #97] or AIDE (http://sourceforge.net/projects/aide) should be used instead.
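The rpm -V attribute string above, and the advice in the chkrootkit post to check ps, netstat and friends before trusting their output, lend themselves to a small triage script. As an added example (not part of the original post), this Python decodes each rpm -V line into the attributes that differ and ranks the findings so that replaced non-config binaries such as /bin/ps and /usr/bin/md5sum surface before edited config files and mtime-only noise. The SAMPLE lines are constructed from the rpm -Va listing above plus a "missing" entry; the severity rules are this example's own assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ATTR_ORDER = "SM5DLUGTP"        # column order of the verify string, rpm(8)
ATTR_NAMES = {"S": "size", "M": "mode", "5": "checksum", "D": "device",
              "L": "symlink", "U": "user", "G": "group", "T": "mtime",
              "P": "capabilities"}
FILE_TYPES = set("cdglr")       # c=config d=doc g=ghost l=license r=readme
CRITICAL = {"size", "checksum", "mode", "user", "group", "symlink"}

@dataclass
class Finding:
    path: str
    changed: Set[str] = field(default_factory=set)
    ftype: Optional[str] = None  # 'c' marks a config file
    missing: bool = False

def parse_verify_line(line: str) -> Optional[Finding]:
    """Decode one rpm -V line; return None for anything that is not one."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return None
    flags = parts[0]
    ftype = parts[1] if len(parts) == 3 and parts[1] in FILE_TYPES else None
    path = parts[2] if ftype else line.split(None, 1)[1]
    if flags == "missing":
        return Finding(path, set(), ftype, missing=True)
    if len(flags) not in (8, 9):  # 8 columns on old rpm, 9 once 'P' was added
        return None
    f = Finding(path, ftype=ftype)
    for i, ch in enumerate(flags):
        if ch in ".?":            # '.' test passed, '?' test could not run
            continue
        if ch != ATTR_ORDER[i]:   # letter in the wrong column: not rpm output
            return None
        f.changed.add(ATTR_NAMES[ch])
    return f

def triage(lines) -> List[Tuple[str, str, List[str]]]:
    """Replaced binaries first, edited configs next, mtime-only noise last."""
    out = []
    for f in filter(None, map(parse_verify_line, lines)):
        if f.missing or (f.ftype != "c" and f.changed & CRITICAL):
            sev = "high"          # e.g. /bin/ps or /usr/bin/md5sum replaced
        elif f.changed & CRITICAL:
            sev = "medium"        # config edited: diff it against the package copy
        else:
            sev = "low"           # only mtime/device differ (what --nomtime hides)
        out.append((sev, f.path, sorted(f.changed)))
    return out

# Constructed sample: lines from the rpm -Va listing above plus a 'missing' entry.
SAMPLE = ["S.5....T /bin/ps", "S.5....T c /etc/pam.d/system-auth",
          ".......T c /etc/libuser.conf", "S.5....T /usr/bin/md5sum",
          "missing   /usr/sbin/lsof"]
```

Feed it the saved output of rpm -Va (or rpm -Vp against a clean package file) with triage(open("rpm-va.txt").read().splitlines()).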

Posted in Knowledge Base, Linux, Old Base