Nicholas and the Not So Stateful Firewall
by Nick on Dec.03, 2010, under Administration, Security, Virtualization
Maybe I’m in a children’s book mood while I wait for my daughter to be born, but that title popped into my head. It’s been awhile, sorry.
Anyways, I’ve got a semi-production set of virtual servers running on an ESXi machine, and I thought it was about time to firewall them off. One problem, firewalls are expensive. So I decided to set up a virtual firewall running pfSense.
Yo Dawg, I herd you like Hypervisors… (Lab 2.0)
by Nick on Aug.05, 2010, under Administration, Hardware, News, Software, Virtualization
So I put a hypervisor in your hypervisor, so you can virtualize while you virtualize.
Elastic Sky X (VMware vSphere Lab, pt. 2)
by Nick on Aug.03, 2010, under Administration, News, Software, Virtualization
Elastic Sky X. That’s what ESX stands for. Crazy, right?
Well, more playing means more caveats 
First, something I forgot to mention yesterday. To get ESX working in Ubuntu, Workstation needs to be able to put the vmnet interfaces into promiscuous mode. That requires allowing the user or group that you use to start Workstation to have read/write permissions over the vmnet devices in /dev. A simple chmod will do the trick.
Now, back to our story…
VMware vSphere Lab.
by Nick on Aug.02, 2010, under Administration, Hardware, News, Software, Virtualization
Requirements:
VMware vSphere, lots of RAM, a decent amount of disk space, a fairly recent copy of 64bit Windows (I used Server 2008 R2) ESX and vSphere Server iso and exe files. Iron will. Patience. Some sort of NAS distribution (I used FreeNAS.)
Sud’oh!
by Nick on Apr.16, 2010, under Administration, News, Security
“Sudo’s command matching routine expects actual commands to include one or more slash (‘/’) characters. The flaw is that sudo’s path resolution code did not add a “./” prefix to commands found in the current working directory. This creates an ambiguity between a “sudoedit” command found in the cwd and the “sudoedit” pseudo-command in the sudoers file. As a result, a user may be able to run an arbitrary command named “sudoedit” in the current working directory. For the attack to be successful, the PATH environment variable must include “.” and may not include any other directory that contains a “sudoedit” command.”
(From http://portaudit.FreeBSD.org/1a9f678d-48ca-11df-85f8-000c29a67389.html)
I actually read about this on Full Disclosure. This is very similar to an earlier exploit. Sudo is a great tool, but you always have to be *very* careful who you give sudo access to.
Let’s Try This.
by Nick on Feb.26, 2010, under Administration, E-Mail, News, UNIX 101
So, some of my users are avid World of Warcraft players. They’ve been complaining that they keep getting phishing schemes in their email accounts. Since Bayesian Filtering isn’t catching on, I think it’s time for custom SpamAssassin rules.
Bye-Bye Mr Technical Guy…
by Nick on Feb.10, 2010, under Administration, News
An unfortunately common trend across the IT world is this: Your IT infrastructure is running great and everyone is happy. The budget cuts have to happen and the boss looks around, and decides that their good, but expensive IT professional is no longer worth paying. So they replace him or her with someone cheaper, with less experience, and problems set in. Often major problems. Usually, at this point, the company goes back to their original IT professional with their hat in hand, or their IT offices start to resemble a by-the-hour hotel.
It’s easy to want to compare IT to Sales and Marketing. But those traditional roles have a direct correlation to performance and results. Sales does well, money comes through the door. Marketing does well, and your company is on the lips of Jane Q Public. If IT performs excellently, nothing happens.
Nothing.
It’s hard to justify nothing. Nothing doesn’t make the books.
So, the person in charge of the purse strings looks around, sees someone who apparently does nothing, and gets rid of him or her.
Then something happens. The network goes down. The un-patched server is compromised. Money starts flying out the door. Consultants are called, the emergency fixes is done. The new IT guy or gal is fired, and the boss goes looking for a better qualified IT professional. Lesson learned, right?
Unfortunately, not. Often, the new IT Professional comes on, gets everything working again, and what does the boss see? Nothing.
Wash, Rinse, Repeat.
There are really two ways a professional deals with this: 1) He or she rides out the cycle with his or her reputation intact, but has to deal with scrambling for a new job more often than not, or 2) He or she implements Operation Job Security.
Operation Job Security is a simple formula really. Implement arcane solutions that are fragile, and prone to break often, but not too often. Don’t document anything. And play the martyr whenever you have to fix anything.
The last time I talked to a small business owner who loved his IT guy, I was at a bar after work. The conversation went something like this:
“I love my IT guy,” he tells me, out of the blue. Well, not really. Our conversation went from the weather, to our jobs. The standard Midwestern small-talk. He owns a small manufacturing business, I do IT.
“Anytime anything breaks, my guy is there, 2 am, whenever. He’s amazing.”
“Oh?” I take a sip of my Guinness.
“How often do things break?” My question hangs in the air while he thinks about it.
“About once a quarter.” he says.
It doesn’t click. Yet.
“Reliably?” I ask him, with a touch of irony.
“Well, yeah…” There’s a moment of awkward silence. Realization sets in.
“Oh.” he says.
“Oh.” I say.
Oh is right. Mr “I love my IT Guy” is a victim of a master of Operation Job Security.
The word “victim” is right. I don’t blame IT Guys or Gals who implement Operation Job Security, we all have to eat and pay bills, but it *is* a con game.
Sabotage is not cool, it’s not professional, it’s not ethical, and ultimately, it gets you nowhere. It’s predatory, and violates the trust between a client and his or her paid professional. It breeds resentment, on both sides of the equation, and makes the whole industry look bad.
Take the high road. Take pride in your Nothings. Do it right.
Then again, that’s easy enough for me to say.
Request For Comments.
by Nick on Feb.04, 2010, under Administration, News, Software, UNIX 101
[Originally Appeared 02/04/2010 blogs.iphouse.net]
One of the many terms you’ll hear thrown around an internet service provider is Request For Comments, aka, RFC: “This isn’t per the RFC!” or “We follow the RFC!” or “Read the RFC!” So what is an RFC, and why do you want to know what it says.
“If thy webpage you wish me to O of SE, answer me these riddles three!”
by Nick on Feb.03, 2010, under Administration, News
I often get questions about SEO and what can be done to enhance a web page’s rankings. SEO is definitely something to be aware of, and there’s quite a bit “known” about the way certain web browsers rank their pages, but it’s hardly a system that you can easily or reasonably game. (Yes yes, there are some obvious holes, but don’t expect them to last.)
SEO is a knowledge based cottage industry, as such, it attracts two types of people. People who know what their doing, and bullsh*tters. It’s easy enough to spot the latter, people who “specialize” in SEO will at best inflate their importance, and at worse, sell you a bunch of hot air. People who give SEO advice in addition to other web design tips, tend to be legitimate.
Search Engine Optimization is an inexact science. Search Engine algorithms are not publicly known, and are prone to changing often. Now, information leaks, and people can compare notes, so a lot is known about how search engines seem to work, kinda. However, most of these SEO “tricks” are really common sense. Most things boil down to things like: Make sure you don’t have a ton of cross links, don’t have a bunch of throw away domains, have an older domain, get your stuff linked to from reputable communities and pages, etc.
All of this falls under the purview of web design.
A good web designer knows the basic SEO ins and outs, and can, you know, design a decent looking website. A good web designer will build a functional, well laid out, logical website that people will want to come to, and people will link to and recommend. A good web designer designs good websites. Designing good websites means that you keep an eye on the SEO stuff, because SEO more and more means “Best Practices.” Bad web designers make bad websites. Bad websites get bad page rankings.
So then next time someone claims to be a SEO “Expert” who will O you so hard with the SEs you’ll be crying, and will guarantee a top ten spot, kick’em to the curb. Because he or she is selling virtual snake oil.
In Defense of FreeBSD.
by Nick on Dec.18, 2009, under Administration, News, Software, UNIX 101
I recently read an article explaining why FreeBSD was not more popular. The conclusion of said article was that the installer was daunting, and archaic, and that it was too intimidating to utilize. So, basically, whoever wrote this article (I don’t like calling professionals out) didn’t get past installing the operating system. He assumes, that once it’s up and running, it’s the same as Linux. Nothing about the Ports system, nothing about administration. The sum total of his experience was that that installer was intimidating. He went on to state, and I am paraphrasing here, that only old, wizened Unix admins would use FreeBSD, sitting on high from their ivory corner of the office, replete with Star Trek posters, and choice snippets of their homemade 1994 BoFH day-by-day calendars strewn about their desks, as they are the only ones who would defend such a terrible installer. This is the type that would utilize an operating system that requires disk slices and network configuration. The rest of us “modern” geeks don’t want to bother with such incantations, abjurations and divinations. They just want an operating system that works out of the box. Point-and-click-and-go!
Well, that tells me that you don’t get it. I’m not wasting my time with my installer. You’re wasting your time with yours. And with your point-and-click Linux install, you’ve installed an “operating system” dedicated to wasting time.
It’s all about the futz factor. And you just declared “I live to futz!”
<Here comes the biography>
I am not a wizened UNIX admin. I’m a Macintosh kid. I grew up with GUI objects, and hypercard. I thought that the most efficient way to work with a computer was with a graphic interface. I did some work with DOS, and frankly, thought it archaic, and backwards. Setting base pages for memory, batch scripting, who needed it?
My first experience with UN*X was MKLinux on a Mac LC (the pizza box) I futzed and futzed with it until I got it to boot. No idea what to do with it. 2 years later, my uncle gave me a PII 200Mhz and I put Mandrake Linux on it, to use it as a NAT’ing router and I thought: Cool! Windows sneaked into my life in my late teens, as I could not resist the lure of Counterstrike, Duke Nuke’m and Quake. Still, I enjoyed futzing with Linux. Breaking things, trying to figure out how they were put together, tinker tinker tinker.
Time Devourer
Welcome to my blog. I'm sure it's just like any other blog except for one important difference, it's mine.
You can also subscribe by email by filling the field below:
Are you using IPv6?
Google Stats
3Unique
VisitorsPowered By
On Jabber?
