I.T. Security and Linux Administration


November 30, 2013  4:56 PM

Documentation: A Must

Eric Hansen

A lot of people during school learn that in IT, documentation is without a doubt within the top 3 most important things you can do.  Whether it be writing down the traffic flow or detailed policy, to make your job easier in the long run it’s better to make your job worse in the short term.

It’s the same as when writing code.  Commenting is stressed so you can look back at your code months from now and know what you were trying to accomplish.  Otherwise you’ll most likely be staring at a screen, pulling hair out and making weird noises that resemble monkeys.

From a business standpoint, I found it more useful to document everything that’s relevant to business than to guess on anything.  Even naming schemes, as you never know how advanced they can get in the future.  That’s why the hostname of my netbook is “as-l-001-eric” (as-<location ID>-<machine ID>-<owner>).  Simple, effective, easy for me to find if need be compared to a hostname of “cars4tunnelU”.

November 30, 2013  4:32 PM

Your Phone Doesn’t Dictate You

Eric Hansen

For many years I’ve used Android (since 2.2 came out and was new).  At first I absolutely loved it.  It was new, it was fast, it offered a lot to me and my growing intents.  Heck, it was nice to have a phone that didn’t use WAP for browsing!

Now, though, Android has really turned me away from the platform.  Granted, my initial dislike was towards Google and their growing controlling attitude on everything.  It has also become apparent in their phones as well, though.

I don’t want Google TV or Google Music on my phone…heck, I’d rather YouTube be off of it as well.  I’d prefer to use the space for apps I actually use.  But, you can’t uninstall them.  It’s like trying to uninstall IE from Windows.

To make a long story short, Sprint’s upgrading their towers around where I live to support 4G, and all my calls drop.  Being in the position I am, I couldn’t afford that, so I decided to switch to T-Mobile.  Since I was switching carriers I figured I would switch phones too.

My main choice was the BlackBerry Z10 (it looks slick as hell), but the T-Mobile store I signed up at didn’t have it.  So, I went to my 2nd choice, Windows Phone 8.

Yes, I love Linux.  Yes, I don’t fancy Windows except for a gaming platform.  No, I don’t feel I’m a traitor.

My decision was made by the dislike of Google’s force and “live in the cloud” mentality.  While Microsoft offers both in their platform as well, you have a choice.

The phone comes with apps installed by default such as a music player.  But, guess what?  You can uninstall it!  It doesn’t just uninstall the updates and force you to reinstall them later like Android, it lets you actually uninstall it.

Overall the platform is nice, but the point of this is to state that the phone you use doesn’t dictate who you are.  I’d still be me if I used an iPhone, I just chose a platform I felt more comfortable with.


November 30, 2013  4:22 PM

KVM and Its Uses

Eric Hansen

If you’re looking to have a true server without the added expenses of managing a physical server, then a KVM is right for you.

KVMs offer all the benefits of owning a physical server without the overhead of managing the resources.  Lots of hosting companies offer them and especially with it being the holiday season they are offering them at (greatly) discounted prices.

If you’ve ever owned a VPS then you’ll know what it feels like to be able to control a server without worrying about the drive failing and having to reconfigure RAID.  However, with a KVM you get complete control (i.e.: from boot to shutdown) whereas with a VPS you can only control the server from login to shutdown.

The one downfall from what I’ve seen in regards to KVMs though is the price. With the added functionality and features given to you, you also have to pay a higher price.  Case in point, where I got my KVMs the specs are:

  • 256 MB RAM
  • 15 GB space
  • 1 TB bandwidth
  • 1x CPU core @ 2.0 GHz

This comes up normally to $10/m, however, I got it for $5/m as they were doing a launch-period special.

Keep in mind too though that every company is different.  Some will offer more for less and others offer less for more.


November 30, 2013  3:01 PM

The Linux Versioning Issue

Eric Hansen

Linux 3.0 was a big deal in most people’s eyes.  For as long as I can remember using Linux (since 2004) the kernel was at 2.y.z.  3.0 was only released either last or this year, even.

Then Linus made the announcement that 3.0 wasn’t going to be anything more than a usual patch fix (i.e.: no new features to write home about).  His justification for this is “why not?”  It’s his product, fine.  Not much anyone can do about that after all.

Now there’s talk of bringing out 4.0.  Again, nothing but a bunch of bug fixes.

While it’ll be nice for a short while to see that 4.0.z on my screen, I feel the “it’s my stuff so you can only look at it” mentality is running its course.  Nothing new is being done with the kernel, why keep changing the major version number?

At this point just make the major version 42 and make all the geeks squirm with happiness.  It’s just as effective now as actual versioning reasons were in the past.


November 30, 2013  2:53 PM

Are Certifications Worth It?

Eric Hansen

Back when I was going to ITT for my associate’s everyone stressed the importance of certifications.  When looking at the job market it made sense, too.  Most entry-level positions were asking for A+ or Net+, even some wanted CCNA (…no.)

Looking at the job market 5-ish years later a lot has apparently changed.  Very few postings are even asking for certifications, let alone even education.  While my belief is that a master’s will be the bare minimum in the next 5-10 years, I wouldn’t be surprised to be completely wrong on that now.

Back to the question at hand, though.  A straightforward answer would be “depends.”  But, that doesn’t do you any good now, does it?

Best thing to do is review jobs in your area and see what various places are asking for.  There’s some that will demand you have certifications and others just care if you know what you’re doing.  It will give you a good idea what it’ll take to get a job where you want to work and if you’re lucky ask them at a job fair if they are there.

My personal belief is that they are pointless, though.  At this point it’s the same as getting a bachelor’s: you can’t prove your worth by a piece of paper.

My ideal vision of when I build my business up high enough to be able to hire people is this simple process: give them a lab (probably through a VM so you can snapshot and restore).  They have various issues they need to solve.  Basically keylog what they do (modifying the shell history is too easy) and determine from there.  You’ll have a good idea of what they do and how they solve problems that are directed toward your business.

Simple?  Probably too simple.  However, doing the job is what’s important, how they get the solution is only part of the issue.


November 30, 2013  2:45 PM

Linux is Linux

Eric Hansen

I’m not sure how the job market is everywhere else, but near Detroit where I live it is like trying to find a horse in a barn.  There are jobs everywhere but everyone hiring is either a recruiter or nitpicking on the details it seems.

Don’t get me wrong, recruiters can be the best tool anyone can have in finding a job.  The problem is that most don’t know IT terms or how they relate.  Case in point: Linux.

I don’t have much experience with Red Hat (sans back in the day when I got it from school plus Fedora and CentOS).  Most people seem to dismiss me right away for that fact alone.  What they fail to realize really is that most skills from one distro to another are transferable.

Every Linux system is going to have an init system, kernel, package manager, etc… heck, even man pages (if a system doesn’t have man pages then something is seriously wrong).

I don’t understand the justification behind telling a client they’re not worthy of a position just because they don’t have experience with one or two distros, even after explaining how what you know so far is transferable or at the very least adaptable.

I love Linux but it seems the one thing that hurts it the most for those who aren’t senior-level position people is the vast abundance of flavors out there.  It hurts us more than helps when we dedicate so much time in learning just how to work Linux in general to be thrown out because we used 10.04 instead of 10.10 of Ubuntu (not real life example but feeling is still there).


October 30, 2013  3:36 PM

Nagios: Should I Use It?

Eric Hansen

You can ask basically anyone who manages multiple Linux (and even Windows) servers what they use to monitor their systems and it’s a high possibility that they’ll say “Nagios” or a variant of it (i.e.: OpsView, Icinga, Centreon, etc…). There’s no doubt it has a strong hold in the market and there are plenty of positives to it, but is it for everyone?

Installation

Nagios requires the core itself installed on the main/master server as well as a daemon installed on every server to be monitored.  The core then parses config files and performs checks to make sure stats are correct.  While this isn’t painstaking the process of installing both can be troublesome, especially if you’re doing it by hand (not using an auto-installer script).

Configuration

Editing the configuration of Nagios (core or daemon) is a bit of a challenge.  While there is documentation, it would seem like trying to solve a Rubik’s Cube would be simpler until you really understand what’s going on.  I can see it being very beneficial when Nagios was first starting out but now with it branching out so much into such a more sophisticated piece of software the configuration is convoluted.

Usability

Luckily Nagios is pretty much a set-it-and-forget-it solution (unless you want to add more plugins to it).

Customization

This is my biggest gripe with Nagios personally: there’s virtually no customization.  The program itself is a compiled Perl/CGI script.  About the only thing you can customize are the plugins for monitoring.  While I can see some points for making it closed-source, given some of the obscure warnings it can spit out I think opening it up even a little bit would be far more beneficial.

Conclusion

This is a short list, but Nagios does what it’s supposed to do and doesn’t offer much fluff.  The web UI is pretty horrid (looks like it’s from 1990) but it presents information you need.  The alert system is nice but could be easier to work with, and while there are numerous frontend wrappers for it, they all still require Nagios itself.

The biggest compliment I can give it in the end is that it uses perf data to return information about a plugin, which is pretty universal as to how it’s formatted.


September 30, 2013  5:58 PM

Create Your Own Two-Factor Authentication System: Authenticating Tokens

Eric Hansen

Again an easy but essential requirement for our two-factor system. This will be another Flask web route and mostly database driven. Let’s look at the flow of how things will transpire first for this project:

SMS: POST number to /sms -> URI generates token and sends to number via SMS -> User enters their number and token to website and submits -> Site POSTs number and token to /auth/#/token -> HTTP 200 for authenticated, 403 for failure

Voice: POST number to /who -> URI generates token and sends to number via call -> User enters their number and token to website and submits -> Site POSTs number and token to /auth/#/token -> HTTP 200 for authenticated, 403 for failure

The only difference between the two is how the user receives their token. We’ll use that to our advantage. Here is the auth URI:

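# app, phone and tokens (the Flask app and the peewee models) are defined earlier in this series.
@app.route("/auth/<number>/<token>", methods=['GET','POST'])
def auth(number, token):
    valid = False
    
    try:
        # Look up the phone ID for the submitted number.
        up = phone.select(phone.id).where(phone.digits==number).get()
    except phone.DoesNotExist:
        # Unknown number: answer exactly like a wrong token.
        return make_response("", 403)
    
    # A match needs both the token and the phone ID.
    records = SelectQuery(tokens).where((tokens.token==token) & (tokens.phone==up.id)).count()
    
    if records:
        valid = True
    
    if valid:
        # Blank the token so it cannot be used again for this number.
        tokens.update(token="").where(tokens.phone==up.id).execute()
        return make_response("", 200)
    
    return make_response("", 403)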

If you think it’s pretty simple that’s because it is. We get the phone ID by looking up the number and then check to see if there’s a token ready for that phone number (the phone ID has to match as well as the token). If the authentication is valid we set the token to “” so no one can use it again for that number (this is one reason why the generate_token method is flawed…it’s too easy to figure out), and return HTTP/200 (OK) to the user. Otherwise, we return HTTP/403 (Forbidden).

We can definitely make this more intricate, however, and I’ll showcase some of that next time. But this is a good start for anyone wanting to make their own two-factor authentication system.


September 30, 2013  5:35 PM

Create Your Own Two-Factor Authentication System: Saving Tokens

Eric Hansen

We’re almost there! Now we need to save the tokens we’ve generated as well as the phone number requesting it. While this can be done anywhere, I chose to plop it into the generate_token() method because we’d have to write the code twice otherwise. Luckily it’s a small fix, and we’ll finally be able to use our database stuff now.

Just before the “return token” line in the method add these lines:

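    # Fetch the phone record, creating it the first time this number is seen.
    try:
        up = phone.select().where(phone.digits==number).get()
    except phone.DoesNotExist:
        up = phone.create(digits=number)
    
    # One token row per phone: overwrite it if it exists, otherwise create it.
    records = SelectQuery(tokens).where(tokens.phone==up.id).count()
    
    if records:
        tokens.update(token=token).where(tokens.phone==up.id).execute()
    else:
        tokens.create(token=token,phone=up.id)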

The first try/except block attempts to get the phone information from the database and creates a record of it instead if nothing exists. We then try to update the token for the phone number and if that doesn’t work then we create a new record of it. Very simple and easy but is also vital to our service.
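
The save step above and the /auth check from the authenticating post, as an added example that is not the author's code: it stores only a keyed hash of each token, expires it, caps wrong guesses and deletes it on first use. The sqlite3 table, the function names, the 5-minute lifetime, the 5-guess cap and the per-process key are all assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

TOKEN_TTL = 300                        # assumed token lifetime, in seconds
MAX_ATTEMPTS = 5                       # assumed wrong guesses allowed per token
SERVER_KEY = secrets.token_bytes(32)   # assumed: a real service loads this from config

def open_db():
    """In-memory stand-in for the series' phone/tokens tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tokens (digits TEXT PRIMARY KEY, digest BLOB,"
               " expires REAL, attempts INTEGER)")
    return db

def _digest(number, token):
    # Keyed hash bound to the number, so a database leak does not reveal live tokens.
    return hmac.new(SERVER_KEY, f"{number}:{token}".encode(), hashlib.sha256).digest()

def save_token(db, number, now=None):
    """Issue a fresh 6-digit token for number, replacing any pending one."""
    now = time.time() if now is None else now
    token = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not a guessable scheme
    db.execute("INSERT OR REPLACE INTO tokens VALUES (?, ?, ?, 0)",
               (number, _digest(number, token), now + TOKEN_TTL))
    return token

def check_token(db, number, token, now=None):
    """Return 200 or 403, mirroring the responses of the /auth route."""
    now = time.time() if now is None else now
    row = db.execute("SELECT digest, expires, attempts FROM tokens WHERE digits=?",
                     (number,)).fetchone()
    if row is None:
        return 403                               # unknown number or nothing pending
    digest, expires, attempts = row
    if now > expires or attempts >= MAX_ATTEMPTS:
        db.execute("DELETE FROM tokens WHERE digits=?", (number,))
        return 403                               # expired or locked out: must re-issue
    if hmac.compare_digest(digest, _digest(number, token)):
        db.execute("DELETE FROM tokens WHERE digits=?", (number,))   # single use
        return 200
    db.execute("UPDATE tokens SET attempts = attempts + 1 WHERE digits=?", (number,))
    return 403
```

Deleting the row on success, expiry or lockout replaces the blank-string marker used in the /auth route, so no reusable value is left behind for that number.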


September 30, 2013  5:10 PM

Create Your Own Two-Factor Authentication System: Block Incoming Calls

Eric Hansen

Every incoming and outgoing request to the number (voice and SMS) goes against your balance. Unfortunately there’s nothing you can do to stop people from trying to spam your SMS inbox. There is a silver lining though with voice calls.

On your Twilio dashboard click “Numbers” near the top, then click on your number. Here you’ll be presented with some options. The “Voice Request URL” is what we’re interested in. Remember our /voice URI? We’ll use that to make things fun. So change the URL to http://ipaddress/voice and change the method from POST to GET. Save and leave it be for a bit, we don’t need to change anything else there.

Now we will make a change to our voice method, which also extends what we learned while making outgoing calls. We will be using TwiML again. Replace everything from your @app.route() line to the end of the method with this:

@app.route("/voice")
def voice():
    resp = twiml.Response()
    resp.reject("rejected")
    
    return make_response(str(resp), 200)

Twilio has two methods of rejecting someone: “rejected” and “busy”. When reject() is set to “busy” a busy tone will be played, whereas when “rejected” is used a “this number is not in service” type of message is played.

Now, for the caveat. If resp.reject() is not called first when building the TwiML, your account will be hit with usage. The only way to keep incoming calls from affecting your usage is to call reject() first, before anything else. However, once Twilio handles reject(), anything after it is ignored as well. Something else to keep in mind.

Save and now try to call your number. See what happens.

