Thursday, 29 July 2010

FreeBSD - APACHE: Remote DoS bug in mod_cache and mod_dav.

In this part:

- daily maintenance
- upgrade APACHE and related issues
- portmaster + ports upgrade

I'm monitoring a web server running FreeBSD 6.4-STABLE.
Today I found a warning in my mailbox, thanks to "portaudit":

Affected package: apache-2.2.14_6
Type of problem: apache -- Remote DoS bug in mod_cache and mod_dav.

APACHE warnings are important for all administrators.

Portmaster is good as it upgrades all related packages. Sometimes I wish to use portupgrade, as it upgrades only the given port.

root@server:/root/> portmaster apache-2.2.14_6

It asks for some details:

Firstly it checks for dependencies:

=== Starting check for build dependencies
=== Gathering dependency list for ...
=== Starting dependency check
=== Dependency check complete for databases/db42
        apache-2.2.14_6 >> devel/apr1 >> databases/db42

Secondly it creates new binaries:
c++ -c -I. -I./../dist/.. -D_THREAD_SAFE -O2 -fno-strict-aliasing -pipe ./../dist/../cxx/cxx_db.cpp  -fPIC -DPIC -o .libs/cxx_db.o /bin/sh ./libtool --mode=compile c++ -c -I. -I./../dist/..  -D_THREAD_SAFE -O2 -fno-strict-aliasing -pipe ./../dist/../cxx/cxx_dbc.cpp  c++ -c -I. -I./../dist/.. -D_THREAD_SAFE -O2 -fno-strict-a

Perl + Python have been upgraded.
=== Upgrade of perl-5.10.1_1 to perl-5.10.1_2 succeeded
=== Upgrade of python26-2.6.2_3 to python26-2.6.5_1 succeeded

...and, a faux pas:

Stop in /usr/ports/www/apache22.
*** Error code 1
=== Installation of apache-2.2.16 (www/apache22) failed
=== Aborting update

I found that the problems are: libtool + apr1
Finally, the APACHE upgrade done the successful way:

# cd /usr/local/bin; ll lib*; rm libtool
# cd /var/db/pkg; pkg_delete auto* libtool*
# cd /usr/local/bin; rm -rf auto* libtool*
# cd /usr/ports/devel/libtool22; make install clean
# cd /usr/ports/devel/apr1/
# make deinstall reinstall clean

# cd /usr/ports/www/apache22
# nice -19 make install clean
# /usr/local/etc/rc.d/apache22 graceful

References here
+ here.

Time: 2h

Wednesday, 28 July 2010

64-bit FreeBSD 8.1-RC2 (GENERIC) setup, part 2

In this part I'm going to:

- add disk encryption with GBDE
- slightly alter the kernel
- mount and test encrypted disks

Why encryption?
In the real world an attacker who has physical access to a computer may be able to take your disks and attach them to another computer. It could be a troubled employee, mama and daddy, spies, CIA, Mafia, Police (identity theft)...
How many of us store sensitive data (VISA cards, passwords, logins, scanned documents etc...) on unencrypted disks?

I wish to store my sensitive data safely, therefore I decided to test gbde encryption.

64-bit FreeBSD disks encryption with gbde.

1. Add gbde(4) Support to the Kernel Configuration File

[root@server ~]# cd /usr/src/sys/amd64/conf && cp GENERIC MYBSD_BDE
[root@server /usr/src/sys/amd64/conf]# vi MYBSD_BDE
and add the following line to the kernel configuration file:
options GEOM_BDE

1.1 Rebuild my kernel MYBSD_BDE and restart

# cd /usr/src
# make buildkernel KERNCONF=MYBSD_BDE && make installkernel KERNCONF=MYBSD_BDE
# reboot
2. Create a Directory to Hold gbde Lock Files (wherever you like; in my case):
[root@server ~]# mkdir /etc/gbde

The gbde lock file contains information that gbde requires to access encrypted partitions. Without access to the lock file, gbde will not be able to decrypt the data contained in the encrypted partition without significant manual intervention which is not supported by the software. Each encrypted partition uses a separate lock file.

3. Initialize the gbde Partition

This initialization needs to be performed only once per device:

# gbde init /dev/ad2s1g -i -L /etc/gbde/ad2s1g.lock
The command opens an editor; here are the recommended values for UFS1 and UFS2:
sector_size = 2048
number_of_keys = 2

BUT it complains:
"/tmp/temp.WGLhhy415Y: 32 lines, 1136 characters.
gbde: sector_size not a proper number"
It is a bit strange for now, as one disk refuses any change, but on another I altered the values successfully:

sector_size     =       1024
number_of_keys  =       2

Save, and we are asked for a passphrase:
/tmp/temp.NytzBhD8QJ: 32 lines, 1135 characters.
Enter new passphrase:
Reenter new passphrase:

4. Attach an encrypted device:

[root@server ~]# gbde attach /dev/ad2s1g -l /etc/gbde/ad2s1g.lock
5. Create a File System on the Encrypted Device

[root@server ~]# newfs -U -O2 /dev/ad2s1g.bde

/dev/ad2s1g.bde: 156203.3MB (319904448 sectors) block size 16384, fragment size 2048
        using 851 cylinder groups of 183.72MB, 11758 blks, 23552 inodes.
        with soft updates
super-block backups (for fsck -b #) at:
 160, 376416, 752672, 1128928, 1505184, 1881440, 2257696, 2633952,....
It keeps printing numbers for a while... It's OK.

# mount /dev/ad2s1g.bde /sys

6. Verify That the Encrypted File System is Available:

[root@server ~]# df -h
Filesystem         Size    Used   Avail Capacity  Mounted on
/dev/ad2s1a        989M    512M    398M    56%    /
devfs              1.0K    1.0K      0B   100%    /dev
/dev/ad2s1e        989M     18K    910M     0%    /tmp
/dev/ad2s1f         19G    2.4G     15G    14%    /usr
/dev/ad2s1d        4.8G    124M    4.3G     3%    /var
/dev/ad2s1g.bde    148G    4.0K    136G     0%    /sys
I did the same steps with the second ATA HDD.
Quick look at the HDDs:

[root@server ~]# dmesg -a | egrep "ad[0123]:"
ad2: 190781MB  at ata1-master UDMA100 
ad3: 76318MB  at ata1-slave UDMA100 
Create a mountpoint somewhere, initialize the key first, then attach, format and mount:

[root@server ~]# mkdir -p /mnt/2uHR696q
[root@server ~]# gbde init /dev/ad3a -i -L /etc/gbde/ad3a.lock
[root@server ~]# gbde attach /dev/ad3a -l /etc/gbde/ad3a.lock
[root@server ~]# newfs -U -O2 /dev/ad3a.bde
[root@server ~]# mount /dev/ad3a.bde /mnt/2uHR696q/

Verify that the encrypted file systems are available:

[root@server ~]# df -h
Filesystem         Size    Used   Avail Capacity  Mounted on
/dev/ad2s1a        989M    512M    398M    56%    /
devfs              1.0K    1.0K      0B   100%    /dev
/dev/ad2s1e        989M     18K    910M     0%    /tmp
/dev/ad2s1f         19G    2.4G     15G    14%    /usr
/dev/ad2s1d        4.8G    124M    4.3G     3%    /var
/dev/ad2s1g.bde    148G    4.0K    136G     0%    /sys
/dev/ad3a.bde       70G    4.0K     64G     0%    /mnt/2uHR696q
Next steps later;
my server and I are going to sleep:
[root@server ~]# umount /sys/ && umount /mnt/2uHR696q/
[root@server ~]# halt -p
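The manual steps above, as an added shell example (not from the original post) that wraps them in functions and checks the lock file's permissions before attaching; the device and mountpoint names are the post's, the gbde_* function names and GBDE_LOCKDIR variable are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's manual gbde
# sequence (init -> attach -> newfs -> mount, later umount) as functions with
# the checks a data disk deserves. Assumes FreeBSD with GEOM_BDE in the kernel
# and the post's names (/dev/ad3a, /etc/gbde/ad3a.lock, /mnt/2uHR696q).
set -eu

LOCKDIR="${GBDE_LOCKDIR:-/etc/gbde}"

# Lock file name for a device node: /dev/ad3a -> /etc/gbde/ad3a.lock
gbde_lock_path() {
    printf '%s/%s.lock\n' "$LOCKDIR" "$(basename "$1")"
}

# Without the lock file the data is gone (see the text above), so it must exist
# and be readable by its owner only; ls(1) is used so BSD and GNU stat both work.
gbde_lock_ok() {
    lock="$1"
    [ -f "$lock" ] || { echo "missing lock file: $lock" >&2; return 1; }
    mode=$(ls -ld "$lock" | cut -c1-10)          # e.g. -rw-------
    case "$mode" in
        -???------) return 0 ;;                  # group/other have no bits
        *) echo "$lock is $mode, want 0600" >&2; return 1 ;;
    esac
}

# One-time initialisation (steps 3-5 of the post); gbde init opens the editor
# for sector_size/number_of_keys and then asks for the passphrase.
gbde_create() {
    dev="$1"; lock=$(gbde_lock_path "$dev")
    gbde init "$dev" -i -L "$lock"
    chmod 600 "$lock"                            # and keep a copy off the box
    gbde attach "$dev" -l "$lock"
    newfs -U -O2 "$dev.bde"
}

# Attach and mount an existing encrypted device; refuses a lax lock file.
gbde_mount() {
    dev="$1"; mnt="$2"; lock=$(gbde_lock_path "$dev")
    gbde_lock_ok "$lock"
    [ -c "$dev.bde" ] || gbde attach "$dev" -l "$lock"   # prompts for passphrase
    mkdir -p "$mnt" && mount "$dev.bde" "$mnt"
}

# Unmount and detach, so the key leaves the kernel before the disk is pulled.
gbde_umount() {
    umount "$2" && gbde detach "$1"
}
```

Source it as root, run gbde_create /dev/ad3a once, then gbde_mount /dev/ad3a /mnt/2uHR696q after each boot and gbde_umount /dev/ad3a /mnt/2uHR696q before halt.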

Mounting existing encrypted file systems, check and copy.
Tests: power cut, reset, turn off, etc...

              ,        ,
             /(        )`
             \ \___   / |
             /- _  `-/  '
            (/\/ \ \   /\
            / /   | `    \
            O O   ) /    |
            `-^--'`<;     '
           (_.)  _  )   /
            `.___/`    /
              `-----' /
 <----.     __ / __   \
 <----|====O)))==) \) /====
 <----'    `--' `.__,' \
              |        |
               \       /       /\
          ______( (_  / \______/
        ,'  ,-----'   |

man gbde
handbook: encrypting
handbook: adding disks
GBDE - GEOM Based Disk Encryption - BSDCon '03. San Mateo, CA, USA

Monday, 19 July 2010

64-bit FreeBSD 8.1-RC2 (GENERIC) setup, part 1

I decided to upgrade the server from the 32-bit version of FreeBSD 6.4 to 64-bit FreeBSD 8.1.

I am expecting more problems with the 64-bit OS.

In this part:
- modify slices
- install the Ports Collection
- change shell
- install a security vulnerability check
- install cvsup

The easiest way is always a clean installation. However, the (standard) installation failed the first time: I was not able to log in remotely. The problem I found was not enough space??? in the first slice (/), well, probably I've done something nasty.

1. BASIC INSTALLATION - modify slices in a similar way:
Filesystem     Size    Mounted on
/dev/ad2s1a    1.0G    /
/dev/ad2s1b    2.0G    swap
/dev/ad2s1d    5.2G    /var
/dev/ad2s1e    1.0G    /tmp
/dev/ad2s1f     21G    /usr
/dev/ad2s1g    164G    /sys

Now the problem with terminal (ssh) login has vanished.

So the next useful steps could be:
2. Install the Ports Collection for first time:

server# portsnap fetch extract

3. Install bash (the new shell):

I used pkg while I waited for portsnap...
server# pkg_add -r bash

4. I like system utilities, e.g. screen:
(suitable for a bad connection + running more terminals in one window)

server# pkg_add -r screen

5. Change shell:

server# chpass -s bash
chpass: user information updated

- time to log out + log back in with the new shell

server# [Ctrl+D] = logout
$ su -
[root@server ~]# 

6. Try screen:

[root@server ~]# screen

7. Keep the Ports Collection up to date with CVSUP:

[root@server ~]# cd /usr/ports/net/cvsup-without-gui; make install clean

While waiting for CVSUP we can install:

8. A security vulnerability check:

[root@server ~]# cd /usr/ports/ports-mgmt/portaudit; make install clean

9. Test which cvsup server is the fastest:

[root@server /usr/ports/sysutils/fastest_cvsup]# fastest_cvsup -c all
Speed Daemons:
    - 1st:    23.90 ms
    - 2st:    24.45 ms
    - 3st:    25.82 ms

10. Configure and run CVSUP:

The last two lines of the standard-supfile are altered in order to keep the ports and source code up to date:

[root@server ~]# vi ports-supfile

# cvsup -g -L 2 ports-supfile
*default e.g.:
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=.
*default delete use-rel-suffix
*default compress
ports-all tag=.

Because I left tag=., I upgraded the kernel to FreeBSD 9.0-CURRENT.

Now update the source code and all SW collections:

[root@server ~]# cvsup -g -L 2 ports-supfile