superMaru

Monthly Archives: January 2015

setfacl

01/20/15 / linux, security / authentication, cli, linux

setfacl sets POSIX Access Control Lists (ACLs) on files and directories on Linux hosts: it lets you grant a specific user or group access to a path without changing the path's owner or handing out broader privileges. I'm managing a Linux host on AWS, and a design firm is working on the website itself. Even though the host is a sandbox web server, I don't want to give out root credentials, so we set ACLs.

Let's take a look at an example:

User ec2-user needs read, write, and execute permissions on the directory /home/web.

This is how you set the permissions:

[ec2-user@sandbox html]$ sudo setfacl -m u:ec2-user:rwx /home/web

The -m option modifies the ACL of the file or directory, adding the entry if it is not there yet.

u: specifies the user you wish to grant access to (g: names a group instead).

r allows read access.

w allows write access.

x allows execute access (for a directory, the right to traverse it). Don't confuse it with the -x option, which removes an entry from the ACL.

Verify the result with getfacl /home/web; the new entry shows up as user:ec2-user:rwx. Two things to keep in mind: the entry applies only to /home/web itself, so add a default ACL (setfacl -d -m u:ec2-user:rwx /home/web) if files and directories created under it should inherit the same access; and named-user entries are filtered through the ACL's mask entry, which a later chmod on the group bits rewrites, so if access suddenly stops working, look for an #effective: annotation in the getfacl output.

You can look at more flags and read more on setfacl here: http://linux.die.net/man/1/setfacl
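Added example, not from the original post: a small Python tool that parses getfacl output and reports what a given user can actually do with a path, applying the POSIX ACL checking order (owner, named user, owning or named groups, other) and the mask. The getfacl text embedded in it is constructed to match the scenario above (ec2-user granted rwx on /home/web, followed by a chmod that tightened the mask); the owner root, the group www, and the users bob and eve are assumptions.

```python
"""Added example, not from the original post: parse getfacl output and work out
what a user can actually do with the path, following the POSIX ACL checking
order (owner, named user, owning/named groups, other) and applying the mask.
SAMPLE_GETFACL is constructed for the post's scenario; root, www, bob and eve
are assumed names."""
PERMS = "rwx"

# Constructed getfacl output for /home/web after
#   setfacl -m u:ec2-user:rwx /home/web
#   setfacl -d -m u:ec2-user:rwx /home/web     (default ACL for new children)
#   chmod g-w /home/web                        (rewrites the mask, not the group)
SAMPLE_GETFACL = """\
# file: home/web
# owner: root
# group: www
user::rwx
user:ec2-user:rwx\t\t#effective:r-x
group::r-x
mask::r-x
other::---
default:user::rwx
default:user:ec2-user:rwx
default:group::r-x
default:mask::rwx
default:other::---
"""


def _bits(s):
    """'r-x' -> {'r', 'x'}"""
    return {c for c in s if c in PERMS}


def _fmt(bits):
    """{'r', 'x'} -> 'r-x'"""
    return "".join(c if c in bits else "-" for c in PERMS)


def parse_getfacl(text):
    """-> {'owner', 'group', 'access': [(tag, qualifier, bits)], 'default': [...]}.
    getfacl's '#effective:' annotations are dropped here and recomputed below."""
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for raw in text.splitlines():
        if raw.startswith("#"):
            if raw.startswith("# owner:"):
                acl["owner"] = raw.split(":", 1)[1].strip()
            elif raw.startswith("# group:"):
                acl["group"] = raw.split(":", 1)[1].strip()
            continue
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind = "access"
        if line.startswith("default:"):
            kind, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        acl[kind].append((tag, qualifier, _bits(perms)))
    return acl


def allowed(acl, user, groups, want):
    """True if `user` (a member of `groups`) gets every bit in `want`. The first
    matching class decides, except that any one matching group entry granting
    everything is enough. The mask clips named users and all group entries;
    it never applies to the owner or to 'other'."""
    want, entries = _bits(want), acl["access"]
    mask = next((p for t, q, p in entries if t == "mask"), set(PERMS))
    if user == acl["owner"]:
        return want <= next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:
        if t == "user" and q == user:
            return want <= (p & mask)
    group_bits = [p for t, q, p in entries if t == "group"
                  and (q in groups if q else acl["group"] in groups)]
    if group_bits:
        return any(want <= (p & mask) for p in group_bits)
    return want <= next(p for t, q, p in entries if t == "other")


def effective(acl, user, groups=()):
    """'rwx'-style string of the bits `user` really has on the path."""
    return _fmt({c for c in PERMS if allowed(acl, user, groups, c)})


def masked_entries(acl):
    """Entries granting more than the mask lets through: exactly the ones getfacl
    flags with '#effective:'. A non-empty list usually means a later chmod
    tightened the mask; repair with setfacl -m m::rwx <path>."""
    mask = next((p for t, q, p in acl["access"] if t == "mask"), set(PERMS))
    return [(t, q, _fmt(p), _fmt(p & mask)) for t, q, p in acl["access"]
            if (t == "group" or (t == "user" and q)) and not p <= mask]


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for who, grps in (("root", ()), ("ec2-user", ()), ("bob", ("www",)), ("eve", ())):
        print("%-9s %s" % (who, effective(acl, who, grps)))
    print("clipped by mask:", masked_entries(acl))
```

Run it and ec2-user comes out as r-x even though the ACL entry says rwx: the chmod g-w shrank the mask, which is the usual reason an ACL that "was working yesterday" stops working. Feed it the real output of getfacl on a host to check a grant before handing the login over.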

Two Factor Authentication for free

01/20/15 / security / authentication, security, two factor

Sounds cool! But what is it?

Lets start off on what its made of:

  • Knowledge based authentication.
  • Possession based authentication.

A good example of two-factor authentication is your ATM card. You know your PIN; it's something you made up, but it is also something anyone looking over your shoulder can see. To safeguard it, you also need your ATM card, which is something you possess and typically keep safe. Requiring both raises the bar for an attacker: a stolen PIN alone or a stolen card alone is not enough.

Two-factor authentication can be used to secure email, social media accounts, and more. Today we'll focus on Google's Authenticator app, available on iPhone and Android. The app generates a six-digit time-based one-time password (TOTP) from a shared secret enrolled at setup and the current time; the code changes every 30 seconds, and the service computes the same code from its own copy of the secret to check what you typed.
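What the app is actually doing, as an added example (not part of the original post, and not Google's code): a standard-library Python implementation of TOTP per RFC 6238, with the server-side verification step, the base32 form of the shared key that the app's manual-entry screen expects, and the otpauth:// URI that the enrollment QR code carries. The secret and timestamps used are the RFC's published test vectors, not real credentials; the account name and issuer are made up.

```python
"""Added example, not from the original post: the TOTP algorithm (RFC 6238, built
on RFC 4226 HOTP) that Google Authenticator and the services mentioned here
implement, using only the Python standard library. TEST_SECRET and the
timestamps used with it are the published RFC 6238 SHA-1 test vectors, not a
real credential; the account and issuer names are made up."""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# RFC 6238 Appendix B reference secret (the ASCII digits "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic
    truncation' (4 bytes at an offset taken from the last nibble of the MAC),
    reduced modulo 10**digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals
    since the Unix epoch. Both sides only need the secret and a clock."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Server-side check: accept the code for the current interval or for
    `window` intervals either side, so a phone whose clock is a few seconds
    off still works. hmac.compare_digest keeps the comparison constant-time."""
    if at is None:
        at = int(time.time())
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + k, digits), code)
               for k in range(-window, window + 1))


def secret_to_base32(secret):
    """Authenticator apps take the shared key as unpadded base32; this is the
    string behind 'manually enter the shared key' and inside the QR code."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def base32_to_secret(b32):
    """Inverse of secret_to_base32, tolerant of the spaces and lowercase that
    setup pages use for readability."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def otpauth_uri(secret, account, issuer, digits=6, step=30):
    """The otpauth://totp/ key URI that enrollment QR codes encode."""
    label = urllib.parse.quote("%s:%s" % (issuer, account))
    query = urllib.parse.urlencode({"secret": secret_to_base32(secret), "issuer": issuer,
                                    "algorithm": "SHA1", "digits": digits, "period": step})
    return "otpauth://totp/%s?%s" % (label, query)


if __name__ == "__main__":
    print(otpauth_uri(TEST_SECRET, "alice@example.com", "Example"))
    for t in (59, 1111111109, 1234567890, 2000000000):
        print(t, totp(TEST_SECRET, t))
```

The same secret lives on both the phone and the service, so a TOTP factor is only as strong as the service's secret store, and the QR code or base32 string shown during enrollment is as sensitive as a password. On the verifying side, keep the window small (one step either side is typical) and compare codes with a constant-time function rather than `==`, which is why compare_digest is used above.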

Want to try it out?

Here are instructions on how to set up Google Authenticator with your Gmail account. For corporate users it is similar, but if you don't have the option to enroll, check with your systems administrator.

Pros:

  • No need for a physical RSA key fob.
  • OTPs change every 30 seconds, unlike your password, which you have probably reused across your email, Facebook, and computer for years.

Cons:

  • Your phone has to be charged! Google does give you 10 static backup codes you can print out in case of emergency; each one works once.
  • If your phone gets lost or stolen, getting back in is nearly impossible unless you have the printed backup codes somewhere. Treat them like a password: whoever holds the codes, or the phone, holds your second factor until you revoke it.
  • It can get annoying.

Setting it up on non-google accounts

Here are the steps for Facebook:

Go to: Settings -> Security
Expand Code Generator and click “Set up”.


In the Google Authenticator app (on iPhone), tap the pencil icon at the top right, then the + button to add an entry. You can either scan the QR code or enter the shared key manually.

Don't use Gmail or Facebook? That's okay: you can lock down Dropbox, AWS, OpenVPN, Microsoft accounts, and even WordPress. The list of supporting services keeps growing; check out https://twofactorauth.org and look at the "software implementation" column.

Creating a bootable DOS image in Linux

01/20/15 / linux / bootable image, cli, DOS, ubuntu

Today's cellphones are more powerful than the vintage computers that helped NASA put astronauts on the moon in 1969. With all that advancement, some hardware manufacturers still require you to flash BIOS or firmware from DOS. Okay, maybe the comparison between hardware from 1969 and 2015 is a bit extreme, but you get the point. Forget keeping floppies around; you're limited by their capacity. You can create bootable DOS USB drives, and they are great for one or two systems, but when you have a large quantity to upgrade at once, having an ISO to mount through something like IPMI's virtual media is perfect: you can do the upgrades from the comfort of your desk. Here are the instructions for getting a DOS image created. I used Ubuntu Linux 14.04 LTS, where mkisofs is provided by the genisoimage package.

Head over to fdos.org and download and unzip FDOEMCD.builder.zip. You should now have a directory called “FDOEMCD“.

macky@maru-lx:~/Documents/bootable-dos$ ls
FDOEMCD FDOEMCD.builder.zip

Go into FDOEMCD, which I'll refer to as the working directory. CDROOT is where you drop the *.exe files (the vendor's DOS flash utilities and firmware images). Once you are done, go back to the working directory and run the following:

mkisofs -o dos.iso -b isolinux/isolinux.bin -no-emul-boot -boot-load-size 4 -boot-info-table -N -J -r -c boot.catalog -hide boot.catalog -hide-joliet boot.catalog CDROOT

You should now have a file called dos.iso in the working directory. Here is the output of a successful ISO creation:

macky@maru-lx:~/Documents/bootable-dos/FDOEMCD$ mkisofs -o dos.iso -b isolinux/isolinux.bin -no-emul-boot -boot-load-size 4 -boot-info-table -N -J -r \-c boot.catalog -hide boot.catalog -hide-joliet boot.catalog CDROOT
Warning: creating filesystem that does not conform to ISO-9660.
I: -input-charset not specified, using utf-8 (detected in locale settings)
Size of boot image is 4 sectors -> No emulation
Total translation table size: 2048
Total rockridge attributes bytes: 1127
Total directory bytes: 2048
Path table size(bytes): 26
Max brk space used 0
388 extents written (0 MB)

Now that the ISO has been created, it's time to test it before I start playing with real hardware. I have VMware Workstation 10 installed on my laptop, so let's mount the ISO to make sure I boot into a DOS environment.

I created a VM without installing an OS and mounted the ISO in its CD drive. Once you power on, you should be dropped into a blue screen prompting you to boot.

Either wait 15 seconds or hit Enter to see the DOS CLI.

Remember, you can drop more *.exe files into CDROOT and run the mkisofs command again to create a new image. Now you can mount it via virtual CD-ROM and upgrade stuff. Since whatever is on that ISO ends up flashing firmware that runs underneath your OS, verify the vendor's checksums on the files before you copy them into CDROOT.

Debugging ESX boot medium issues

01/13/15 / ESXi, tips and tricks, VMware / cli, kernel, vmware

With a lot of servers in my lab, I run into my fair share of ESX boot medium issues. Typically this shows up as weird symptoms: the ESX host is online, and VMs are incredibly slow or completely hung yet still pingable. The quickest way I determine whether the boot media (USB, SD card, etc.) is bad is to try to read any log file and get an I/O error.

~ # less /var/log/vmkernel.log
/var/log/vmkernel.log: Input/output error

If you want to go further down the rabbit hole, you can verify this by looking at which SCSI commands are failing. Since the boot media was spewing errors all over the logs, it was quite easy to find. You can refer here for a list of SCSI commands.

~ # dmesg  | grep Cmd | awk '{print $5}' | sort -u | grep -v ,
0x1a -> Mode sense. Can ignore this.
0x28 -> Read errors. 
0x2a -> Write errors. 
0x85 -> ATA passthru. Can ignore this as well.

You can also look at the adapter statistics by dropping into VMware's vsish utility (VMkernel Sys Info Shell):

/storage/scsifw/adapters/vmhba0/> cat stats
Statistics {
   Successful Commands:3190786
   Failed Commands:7025
   Blocks Read:147564437
   Failed Blocks Read:13112
   Blocks Written:138151007
   Failed Blocks Written:162368
   Read Operations:1707621
   Failed Read Operations:631
   Write Operations:1440350
   Failed Write Operations:5539
   Reserve Operations:1406
   Failed Reserve Operatiosn:0
   reservationConflicts:0
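Added example, not from the original post, that automates the two checks above: it parses vmkernel-style SCSI failure lines to tally failing opcodes per device and flag the ones whose READ/WRITE commands are failing, and it parses the vsish adapter statistics to turn the raw counters into failure rates. The log lines embedded in it are constructed for the example (loosely modelled on ESXi ScsiDeviceIO messages, with made-up command handles and device identifiers), the vsish block reuses a subset of the counters shown above, and the opcode and sense-key names come from the SCSI standards.

```python
"""Added example, not from the original post: parse vmkernel-style SCSI failure
lines and vsish adapter statistics, tally failures per device and opcode, and
flag devices whose READ/WRITE commands are failing, which is what a dying boot
medium looks like. SAMPLE_LOG is constructed (loosely modelled on ESXi
ScsiDeviceIO messages, made-up handles and device ids); SAMPLE_VSISH reuses
counters quoted in the post. Names come from the SCSI standards (SPC/SBC)."""
import re
from collections import Counter

# SCSI opcodes that commonly show up in ESXi device logs.
SCSI_OPCODES = {0x00: "TEST UNIT READY", 0x12: "INQUIRY", 0x1a: "MODE SENSE(6)",
                0x25: "READ CAPACITY(10)", 0x28: "READ(10)", 0x2a: "WRITE(10)",
                0x35: "SYNCHRONIZE CACHE(10)", 0x85: "ATA PASS-THROUGH(16)",
                0x88: "READ(16)", 0x8a: "WRITE(16)"}
DATA_IO_OPCODES = {0x28, 0x2a, 0x88, 0x8a}   # failures here mean data was lost
SENSE_KEYS = {0x0: "NO SENSE", 0x1: "RECOVERED ERROR", 0x2: "NOT READY",
              0x3: "MEDIUM ERROR", 0x4: "HARDWARE ERROR", 0x5: "ILLEGAL REQUEST",
              0x6: "UNIT ATTENTION"}
MEDIA_SENSE_KEYS = {0x3, 0x4}                # the medium or the hardware itself

# Constructed excerpt: READ(10)/WRITE(10) failures with MEDIUM ERROR on the boot
# device, two harmless failures on a datastore LUN, one line to be ignored.
SAMPLE_LOG = """\
2015-01-13T09:41:02.113Z cpu4:33018)ScsiDeviceIO: 2338: Cmd(0x412e80962b40) 0x28, CmdSN 0x5b from world 0 to dev "mpx.vmhba32:C0:T0:L0" failed H:0x0 D:0x2 P:0x0 Valid sense data: 0x3 0x11 0x0.
2015-01-13T09:41:02.120Z cpu4:33018)ScsiDeviceIO: 2338: Cmd(0x412e80962b40) 0x2a, CmdSN 0x5c from world 32784 to dev "mpx.vmhba32:C0:T0:L0" failed H:0x0 D:0x2 P:0x0 Valid sense data: 0x3 0xc 0x0.
2015-01-13T09:41:05.004Z cpu1:32790)ScsiDeviceIO: 2338: Cmd(0x412e81a3c7c0) 0x1a, CmdSN 0x1 from world 0 to dev "naa.60000000000000000000000000000001" failed H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x24 0x0.
2015-01-13T09:41:05.010Z cpu1:32790)ScsiDeviceIO: 2338: Cmd(0x412e81a3c7c0) 0x85, CmdSN 0x2 from world 0 to dev "naa.60000000000000000000000000000001" failed H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0.
2015-01-13T09:41:09.377Z cpu4:33018)ScsiDeviceIO: 2338: Cmd(0x412e80962b40) 0x28, CmdSN 0x5d from world 0 to dev "mpx.vmhba32:C0:T0:L0" failed H:0x0 D:0x2 P:0x0 Valid sense data: 0x3 0x11 0x0.
2015-01-13T09:41:13.512Z cpu0:32768)NMP: nmp_ResetDeviceLogThrottling:3349: last error status from device mpx.vmhba32:C0:T0:L0 repeated 12 times
"""

# Subset of the vsish counters quoted in the post.
SAMPLE_VSISH = """\
Statistics {
   Successful Commands:3190786
   Failed Commands:7025
   Read Operations:1707621
   Failed Read Operations:631
   Write Operations:1440350
   Failed Write Operations:5539
}
"""

LINE_RE = re.compile(
    r'Cmd\(0x[0-9a-f]+\)\s+(?P<op>0x[0-9a-f]{1,2}),.*?to dev "(?P<dev>[^"]+)"\s+failed'
    r'\s+H:(?P<h>0x[0-9a-f]+)\s+D:(?P<d>0x[0-9a-f]+)\s+P:(?P<p>0x[0-9a-f]+)'
    r'(?:.*?Valid sense data:\s+(?P<sk>0x[0-9a-f]+))?', re.IGNORECASE)


def parse_line(line):
    """One failed-command record, or None for lines in another format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"opcode": int(m["op"], 16), "dev": m["dev"],
            "host_status": int(m["h"], 16), "device_status": int(m["d"], 16),
            "sense_key": int(m["sk"], 16) if m["sk"] else None}


def describe(opcode):
    return SCSI_OPCODES.get(opcode, "opcode 0x%02x" % opcode)


def summarize(lines):
    """Per device: failures by opcode, how many were data I/O, and how many
    carried a MEDIUM/HARDWARE ERROR sense key."""
    per_dev = {}
    for rec in filter(None, map(parse_line, lines)):
        s = per_dev.setdefault(rec["dev"], {"by_opcode": Counter(),
                                            "data_io_failures": 0, "media_errors": 0})
        s["by_opcode"][rec["opcode"]] += 1
        s["data_io_failures"] += rec["opcode"] in DATA_IO_OPCODES
        s["media_errors"] += rec["sense_key"] in MEDIA_SENSE_KEYS
    return per_dev


def suspect_devices(lines, min_failures=2):
    """Devices with repeated failed READ/WRITE commands or any media-level sense
    key. MODE SENSE and ATA PASS-THROUGH failures alone are not counted, matching
    the 'can ignore' notes above."""
    return sorted(dev for dev, s in summarize(lines).items()
                  if s["data_io_failures"] >= min_failures or s["media_errors"])


def parse_vsish_stats(text):
    """'Statistics { Name:count ... }' -> {Name: count}."""
    stats = {}
    for line in text.splitlines():
        name, sep, value = line.strip().rpartition(":")
        if sep and value.strip().isdigit():
            stats[name.strip()] = int(value)
    return stats


def failure_rate(stats, name):
    """Share of `name` operations that failed, e.g. name='Write Operations'."""
    return stats["Failed " + name] / stats[name]


if __name__ == "__main__":
    for dev, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(dev, {describe(op): n for op, n in s["by_opcode"].items()})
    print("suspect:", suspect_devices(SAMPLE_LOG.splitlines()))
    st = parse_vsish_stats(SAMPLE_VSISH)
    print("failed write ops: %.3f%%" % (100 * failure_rate(st, "Write Operations")))
```

Pipe `dmesg` or /var/log/vmkernel.log into `summarize` instead of SAMPLE_LOG when the file is still readable, and the vsish `cat stats` output into `parse_vsish_stats`; a device with a climbing failed-write rate and MEDIUM ERROR sense keys is the one to pull.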

I’ll probably post more about finding slow iSCSI/NAS datastores sometime later.

© superMaru 2017