Developers Club geek daily blog

Virtual network interface

2 years, 11 months ago
It is well known that Linux drivers are kernel modules. All drivers are modules, but not all modules are drivers. One example of a group of modules that are not drivers, and that comes up far more rarely in discussions, is filters at the various levels of the Linux network stack.

Sometimes, and actually rather often, one would like to have a network interface that works with the traffic of some other interface but additionally "colours" that traffic in some way. This may be needed for extra analysis, for traffic monitoring, for encrypting it, ...

The idea is extremely simple: channel the traffic of an already existing network interface into a newly created interface with completely different characteristics (name, IP address, mask, subnet, ...). We will discuss one way of doing this, in the form of a Linux kernel module (it is not the only way; the other methods will be covered separately another time).

Read more »


Multi-colored terminals

2 years, 11 months ago


In this post I will describe a few tricks that brighten the everyday life of any Linux system administrator (and not only). All of them revolve around the bash PS1 variable. PS1 defines what the prompt for entering a new command looks like, and every user can redefine it as they wish, for example in ~/.bashrc (which is executed when bash starts and is used, among other things, for configuration).

To start, let us look at a simple variant, my favourite command-line format.
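As an added example (not code from the post), here is a PS1 builder of the kind one would keep in ~/.bashrc. It colours the user@host part green for ordinary users and red for root, prefixes the exit status of the previous command when it was non-zero, and wraps every colour escape in \[ \] so that bash does not count the invisible bytes when measuring prompt width. The colour choices and the function names are my own.

```bash
# Added example: colour-coded bash prompt with exit-status display.
# Escape sequences are wrapped in \[ \] so bash does not miscount
# the prompt width (which otherwise breaks line editing).

# Print the PS1 string for a given uid and last exit status.
ps1_for() {
    local uid="$1" status="$2"
    local reset='\[\e[0m\]'
    local red='\[\e[1;31m\]'
    local green='\[\e[1;32m\]'
    local yellow='\[\e[1;33m\]'
    local blue='\[\e[1;34m\]'
    local userpart statuspart

    if [ "$uid" -eq 0 ]; then
        userpart="${red}\u@\h${reset}"      # root: make it hard to miss
    else
        userpart="${green}\u@\h${reset}"
    fi

    statuspart=''
    if [ "$status" -ne 0 ]; then
        statuspart="${yellow}[$status]${reset} "
    fi

    # \w = current directory, \$ = '#' for root and '$' for everyone else
    printf '%s' "${statuspart}${userpart}:${blue}\w${reset}"'\$ '
}

# In ~/.bashrc: rebuild the prompt before each display so that $? of the
# command just executed is picked up.
__set_prompt() {
    local last=$?
    PS1="$(ps1_for "$(id -u)" "$last")"
}
PROMPT_COMMAND=__set_prompt
```

The exit status is captured as the very first statement of __set_prompt; anything run before that (even `id -u`) would overwrite it.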

Read more »


Isolation of virtual servers in apache2 — ugidctl

2 years, 11 months ago
Some time ago I put together a solution for myself that isolates apache2 processes effectively. With it, each request can be processed on behalf of its own system user. Today I want to share this solution.

Here is what this is about:

<VirtualHost *:80>
    ServerName host1.example.com
    ServerAdmin webmaster1@example.com
    ServerUserGroup user1 group1
    DocumentRoot /var/www/host1
</VirtualHost>
<VirtualHost *:80>
    ServerName host2.example.com
    ServerAdmin webmaster2@example.com
    ServerUserGroup user2 group2
    DocumentRoot /var/www/host2
</VirtualHost>

At the same time, the document roots of the virtual hosts can be made accessible only to the corresponding users:

# ls -la /var/www
total 16
drwxr-xr-x   4 root  root   4096 Oct 26 16:10 .
drwxr-xr-x  21 root  root   4096 Oct 26 01:13 ..
drwxr-x---   2 user1 group1 4096 Oct 26 16:10 host1
drwxr-x---   2 user1 group2 4096 Oct 26 16:10 host2

This is not yet another round of dancing with a tambourine around multithreading, launching processes from root, and so on. The main idea is that the process itself decides which rights it needs to handle the request, takes those rights, handles the request, and then returns to the rights of the main apache user.
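To make the "take the rights, handle the request, give them back" cycle concrete, here is an added example written for this page. It is not the ugidctl module from the post (whose code is not shown here); it uses the plain POSIX calls a worker that still holds root as its saved uid could use, switching only the effective ids and restoring them afterwards. The directive parser, the handler and the user names are constructed for the example.

```c
/* Added example (not the post's ugidctl module): per-request privilege
 * switch using only the effective uid/gid, so the worker can return to
 * the main apache user afterwards. Assumes the worker runs with enough
 * privilege (root, or CAP_SETUID/CAP_SETGID) to switch to the vhost user. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

struct vhost_creds { uid_t uid; gid_t gid; };

/* Resolve a "ServerUserGroup <user> <group>" line to numeric ids.
 * Returns 0 on success, -1 on a malformed line or an unknown name. */
int parse_server_user_group(const char *line, struct vhost_creds *out)
{
    char user[64], group[64];
    if (sscanf(line, " ServerUserGroup %63s %63s", user, group) != 2)
        return -1;
    struct passwd *pw = getpwnam(user);
    if (!pw) return -1;
    struct group *gr = getgrnam(group);
    if (!gr) return -1;
    out->uid = pw->pw_uid;
    out->gid = gr->gr_gid;
    return 0;
}

/* Run handler(arg) with the effective ids of the virtual host, then switch
 * back. Returns the handler's result, or -errno if the switch failed. */
int handle_request_as(const struct vhost_creds *c, int (*handler)(void *), void *arg)
{
    uid_t orig_uid = geteuid();
    gid_t orig_gid = getegid();

    /* gid first: once the effective uid is unprivileged, changing gid may fail */
    if (setegid(c->gid) != 0)
        return -errno;
    if (seteuid(c->uid) != 0) {
        int saved = errno;
        if (setegid(orig_gid) != 0)
            _exit(111);            /* half-switched state is not recoverable */
        return -saved;
    }

    int rc = handler(arg);

    /* uid first to regain privilege, then gid. Failing to return is fatal:
     * the worker must never go on serving other hosts as the wrong user. */
    if (seteuid(orig_uid) != 0 || setegid(orig_gid) != 0)
        _exit(111);
    return rc;
}

/* Constructed handler: records the effective uid the request ran under. */
int record_euid(void *arg)
{
    *(uid_t *)arg = geteuid();
    return 0;
}
```

The caveat a practitioner should keep in mind: because the saved uid stays privileged so that the worker can switch back, any code running inside the handler can switch back just as easily. This protects the vhost's files from an honest handler reading the wrong directory, not from a compromised one; closing that gap is exactly what a mediated switch (a kernel-side helper such as the post describes) is for.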

Read more »


Manual editing of uboot-elf for the sake of DHCP and SSH

2 years, 12 months ago
Once, an AEWIN SCB-3240 box, which was never again going to live in a server rack, fell into my hands for me to poke at. It was not going to be used directly, but for testing our product. Kaspersky Lab has a tradition of releasing an anti-virus SDK for every conceivable platform, as long as there is something on it capable of compiling C code. Accordingly, the SDK needs anti-virus databases which, even though they are the same for all products, still have to be tested: in case of an error in the SDK, or in the database loader, or in some platform quirk, or ... in short, a million reasons. And so that we learn about problems a little earlier than from new support cases, dozens of boxes stand as the last line of defence, checking each set of anti-virus databases for operability.

That is, it was not the AEWIN's networking capabilities that were of interest, only its essence as a MIPS/Linux machine. The problem was that the box did not provide any adequate way of connecting to it. All I was offered was a console port, telnet, and some sort of DHCP.

Unfortunately, the worst fears were not unfounded. The device had no persistent storage and lived only from power-on to reset, unpacking a reference image every time.

So, what I needed was this: teach it to obtain an address via DHCP, teach it to accept SSH connections, and try not to break anything along the way.

Read more »


Turning a group of surveillance cameras into a botnet? Nothing could be simpler

2 years, 12 months ago


Information security specialists have been saying for a long time that modern IoT devices and systems are poorly protected from outside interference. Some of them are not protected at all, and even a schoolchild can break into such a gadget or an entire system. About a year ago, specialists from Proofpoint found a botnet whose basic elements were household "smart" appliances. As it turned out, TVs and even a refrigerator were part of the botnet.

The compromise in question took place between December 23, 2013 and January 6, 2014. The gadgets making up the botnet sent out batches of email three times a day, up to 750 thousand messages at a time from 100 thousand devices (yes, it was a big botnet), to enterprises and individuals worldwide. But the easiest thing for attackers to use for building a botnet turned out to be not the refrigerator or the TV, but the security camera connected to the network.

Security cameras are also among the most widespread IoT devices. Reports have already been published online according to which about 245 million surveillance cameras were operating worldwide last year. And those are only the professionally installed ones, about which something is known. Besides them, there are millions more cameras installed, figuratively speaking, by housewives who know nothing about security and, accordingly, do not use the security settings of their devices.

Read more »


Archlinux for absolute beginners (Part 1)

2 years, 12 months ago


Preface


I want to tell you about the remarkable Archlinux distribution and walk you from an explanation of the distribution's ideology all the way to building a fully-fledged working environment in it. In this first part I will describe the merits and shortcomings of the system using Ubuntu as the point of comparison, and briefly cover the basic concepts of the distribution and the principles by which it works. The rest follows in later parts.

This article assumes that you have some experience with Linux systems, since Archlinux is a rather difficult distribution for beginners. Throughout the text I will draw comparisons with the Ubuntu distribution: Ubuntu because it is the most popular one and the one that differs most radically from Archlinux. I sincerely hope this helps the reader absorb the information more easily.

Read more »


An undocumented application in Thinstation

2 years, 12 months ago
In a previous post it was noted that there was not enough intrigue, scandal and investigation; today I have some ...

First thing in the morning a request came in by email to help set up a web kiosk for the firefox_lowmem package. In the process I started looking for the Firefox package's settings file, prefs.js, and got the folder level wrong, i.e. I looked in the packages folder and came across this file in the openkiosk package.
As it turned out, this package has been present in Thinstation since March 2014, and nothing is written about it anywhere. That got me curious ...

Read more »


HP Helion OpenStack Carrier Grade: a cloud for telecom operators

3 years ago
We continue our series of posts on the HP Helion OpenStack family of cloud-building solutions, and want to talk about the recently released carrier-class package, HP Helion OpenStack Carrier Grade, or HOS CG for short.


Read more »


4 ways to write to a protected page

3 years ago
This post is about performing a write to a memory address that is hardware write-protected on the x86 architecture, and how that is done under the Linux operating system. In kernel mode, naturally, because in user space such tricks are prohibited. You know how it is: sometimes there is an irresistible desire to write into a protected area ... when you sit down to write a virus or a trojan ...

Problem description


... and, seriously now, the problem of writing to write-protected pages of RAM comes up from time to time when programming kernel modules for Linux. For example, when modifying the system call table sys_call_table in order to patch, embed, inject, substitute or intercept a system call (different publications call this action different things). But not only for those purposes ... In brief, the situation looks like this:

  • The x86 architecture has a protection mechanism which, on an attempt to write to a write-protected page of memory, raises an exception (a page fault).
  • The access rights of a page (whether writing is permitted or forbidden) are described by the _PAGE_BIT_RW bit (bit 1) in the pte_t structure corresponding to that page. Clearing this bit forbids writes to the page.
  • On the processor side, write protection is controlled by the X86_CR0_WP bit (bit 16) of the CR0 system control register: when this bit is set, even supervisor-mode (kernel) code takes an exception on writing to a write-protected page; user-mode writes fault regardless of it, which is why the trick only works in kernel mode.
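The first two points can be watched from user space, and that is what this added example (mine, not code from the post) does: it maps a page read-only, so its PTE has the RW bit clear, attempts a store, and receives the page fault as SIGSEGV. The handler re-enables writing for that one page with mprotect (the user-space way of getting the RW bit set) and the faulting store is retried and succeeds. The CR0.WP route is kernel-only and is not reproducible here; the function and variable names are my own.

```c
/* Added example (not from the post): observe the write-protection fault
 * from user space and lift it for one page via mprotect. Linux/x86 assumed. */
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static volatile sig_atomic_t faults_seen = 0;
static volatile sig_atomic_t handler_armed = 0;
static long page_size;

/* On SIGSEGV: make the faulting page writable so the store can be retried.
 * Only async-signal-safe calls are used here. */
static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    uintptr_t page = (uintptr_t)si->si_addr & ~((uintptr_t)page_size - 1);
    if (!handler_armed ||
        mprotect((void *)page, (size_t)page_size, PROT_READ | PROT_WRITE) != 0)
        _exit(111);            /* an unexpected fault must not loop forever */
    faults_seen++;
}

/* Map one page read-only, write `value` into it, and report how many
 * faults that took. Returns the value read back, or -1 on setup failure. */
int write_to_protected_page(int value, int *faults_out)
{
    page_size = sysconf(_SC_PAGESIZE);
    int *page = mmap(NULL, (size_t)page_size, PROT_READ,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0) {
        munmap(page, (size_t)page_size);
        return -1;
    }

    faults_seen = 0;
    handler_armed = 1;
    *(volatile int *)page = value;   /* faults once; handler unprotects; retried */
    handler_armed = 0;

    int seen = *(volatile int *)page;
    sigaction(SIGSEGV, &old, NULL);
    munmap(page, (size_t)page_size);
    if (faults_out)
        *faults_out = (int)faults_seen;
    return seen;
}
```

Exactly one fault is expected: after the handler returns, the CPU re-executes the store, and the page is now writable. In kernel mode the same fault would be an oops, which is why the post's methods change the page's RW bit or CR0.WP before the write rather than catching the exception after it.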

Read more »


PXE booting Thinstation depending on the thin client's hardware

3 years ago
At work I regularly have to expand the fleet of thin clients, and every time the new clients may differ in configuration from the previous ones, even from the same vendor. It is fine when the differences are small and the client works with the previous Thinstation build; in practice it turns out that the working build is not compatible with the new machines.

The first thought, naturally, is to build a universal boot image, but that does not always work out: either the image is very large, or modules or packages are incompatible. The way out is to build several images and hand the right one to each client at boot. There are several ways to do that; here I will describe my favourite.
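One well-known way to hand different images to different clients, shown here as an added example and not necessarily the method the post goes on to describe, relies on pxelinux's lookup order: before falling back to pxelinux.cfg/default it tries a per-client file named "01-" followed by the client's MAC address with dashes. The helper below writes such a file for a known client. The TFTP layout, the label and the kernel/initrd file names are assumptions for the example.

```bash
# Added example: per-client pxelinux configuration so that each thin client
# boots the Thinstation build that matches its hardware. Paths and image
# names are placeholders.

# Turn "00:11:22:33:44:55" (any case) into pxelinux's "01-00-11-22-33-44-55".
pxe_cfg_name_for_mac() {
    printf '01-%s\n' "$(printf '%s' "$1" | tr 'A-F:' 'a-f-')"
}

# Print a pxelinux config that boots one Thinstation build.
# $1 = label, $2 = kernel, $3 = initrd (paths relative to the TFTP root).
pxe_cfg_for_image() {
    cat <<EOF
DEFAULT $1
PROMPT 0
LABEL $1
    KERNEL $2
    APPEND initrd=$3
EOF
}

# Install a per-client file:
#   pxe_assign_image <tftp-root> <mac> <label> <kernel> <initrd>
# Clients without such a file still get pxelinux.cfg/default.
pxe_assign_image() {
    local root="$1" mac="$2"
    shift 2
    mkdir -p "$root/pxelinux.cfg"
    pxe_cfg_for_image "$@" > "$root/pxelinux.cfg/$(pxe_cfg_name_for_mac "$mac")"
}
```

Keep the per-client files under version control or generated from an inventory list: a MAC-to-image mapping that lives only on the TFTP server is easy to lose and easy to get wrong silently, since an unknown client just boots the default image.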

Read more »