CARP – Jupiter Broadcasting

Adventurous Build | Self-Hosted 53

Wes Payne — Fri, 10 Sep 2021 05:00:00 +0000

Show Notes: selfhosted.show/53

The post Adventurous Build | Self-Hosted 53 first appeared on Jupiter Broadcasting.

AirPorts & Packages | BSD Now 40

chris — Thu, 05 Jun 2014 13:12:25 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

On this week\’s episode, we\’ll be giving you an introductory guide on OpenBSD\’s ports and package system.

There\’s also a pretty fly interview with Karl Lehenbauer, about how they use FreeBSD at FlightAware.

Lots of interesting news and answers to all your emails, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

RSS Feeds:

– Show Notes: –

Headlines

BSDCan 2014 talks and reports, part 2

More presentations and trip reports are still being uploaded
Ingo Schwarze, New Trends in mandoc
Vsevolod Stakhov, The Architecture of the New Solver in pkg
Julio Merino, The FreeBSD Test Suite
Zbigniew Bodek, Transparent Superpages for FreeBSD on ARM
There\’s also a trip report from Michael Dexter and another (very long and detailed) trip report from our friend Warren Block that even gives us some linkage, thanks!

Beyond security, getting to know OpenBSD\’s real purpose

Michael W Lucas (who, we learn through this video, has been using BSD since 1986) gave a \”webcast\” last week, and the audio and slides are finally up
It clocks in at just over 30 minutes, managing to touch on a lot of OpenBSD topics
Some of those topics include: what is OpenBSD and why you should care, the philosophy of the project, how it serves as a \”pressure cooker for ideas,\” briefly touches on GPL vs BSDL, their \”do it right or don\’t do it at all\” attitude, their stance on NDAs and blobs, recent LibreSSL development, some of the security functions that OpenBSD enabled before anyone else (and the ripple effect that had) and, of course, their disturbing preference for comic sans
Here\’s a direct link to the slides
Great presentation if you\’d like to learn a bit about OpenBSD, but also contains a bit of information that long-time users might not know too

FreeBSD vs Linux, a comprehensive comparison

Another blog post covering something people seem to be obsessed with – FreeBSD vs Linux
This one was worth mentioning because it\’s very thorough in regards to how things are done behind the scenes, not just the usual technical differences
It highlights the concept of a \”core team\” and their role vs \”contributors\” and \”committers\” (similar to a presentation Kirk McKusick did not long ago)
While a lot of things will be the same on both platforms, you might still be asking \”which one is right for me?\” – this article weighs in with some points for both sides and different use cases
Pretty well-written and unbiased article that also mentions areas where Linux might be better, so don\’t hate us for linking it

Expand FreeNAS with plugins

One of the things people love the most about FreeNAS (other than ZFS) is their cool plugin framework
With these plugins, you can greatly expand the feature set of your NAS via third party programs
This page talks about a few of the more popular ones and how they can be used to improve your NAS or media box experience
Some examples include setting up an OwnCloud server, Bacula for backups, Maraschino for managing a home theater PC, Plex Media Server for an easy to use video experience and a few more
It then goes into more detail about each of them, how to actually install plugins and then how to set them up

Interview – Karl Lehenbauer – karl@flightaware.com / @flightaware

FreeBSD at FlightAware, BSD history, various topics

Tutorial

News Roundup

Code review culture meets FreeBSD

In most of the BSDs, changes need to be reviewed by more than one person before being committed to the tree
This article describes Phabricator, an open source code review system that we briefly mentioned last week
Instructions for using it are on the wiki
While not approved by the core team yet for anything official, it\’s in a testing phase and developers are encouraged to try it out and get their patches reviewed
Just look at that fancy interface!!

Michael Lucas\’ next tech books

Sneaky MWL somehow finds his way into both our headlines and the news roundup
He gives us an update on the next BSD books that he\’s planning to release
The plan is to release three (or so) books based on different aspects of FreeBSD\’s storage system(s) – GEOM, UFS, ZFS, etc.
This has the advantage of only requiring you to buy the one(s) you\’re specifically interested in
\”When will they be released? When I\’m done writing them. How much will they cost? Dunno.\”
It\’s not Absolute FreeBSD 3rd edition…

CARP failover and high availability on FreeBSD

If you\’re running a cluster or a group of servers, you should have some sort of failover in place
But the question comes up, \”how do you load balance the load balancers!?\”
This video goes through the process of giving more than one machine the same IP, how to set up CARP, securing it and demonstrates a node dying
Also mentions DNS-based load balancing as another option

PCBSD weekly digest

This time in PCBSD land, we\’re getting ready for the 10.0.2 release (ISOs here)
AppCafe got a good number of fixes, and now shows 10 random highlighted applications
EasyPBI added a \”bulk\” mode to create PBIs of an entire FreeBSD port category
Lumina, the new desktop environment, is still being worked on and got some bug fixes too

Feedback/Questions

All the tutorials are posted in their entirety at bsdnow.tv
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
If you want to come on for an interview or have a tutorial you\’d like to see, let us know
Just a reminder, if you\’re using vnd (vnconfig) on OpenBSD for encryption, it\’s being retired for 5.7 – start planning to migrate your data to softraid
There were also some security advisories for FreeBSD recently, make sure you\’re all patched up
Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post AirPorts & Packages | BSD Now 40 first appeared on Jupiter Broadcasting.

Ultimate Home Router | TechSNAP 23

chris — Thu, 15 Sep 2011 19:16:01 +0000

Exploits are in the wild that can take down critical infrastructure equipment, and some highly trusted sites were attacked this week and used against their own visitors.

Plus – We’ll tell you how to build the ultimate home router, that can do more than many Enterprise grade systems, with the press of a few buttons – and for FREE!

All that and more, on this week’s TechSNAP!

Direct Download Links:

Subscribe via RSS and iTunes:

[ad#shownotes]

Show Notes:

Italian hacker publishes 10+ 0 day SCADA exploits with proof of concept code

SCADA (Supervisory Control and Data Acquisition) are Industrial control systems
The Stuxnet worm targeted the specific SCADA system used by the Iranian centrifuges
These exploits could cause serious disruption if the systems are not properly protected from external access
SCADA systems are used to control numerous important industrial systems including water and sewage treatment, dams and power plants, as well as manufacturing automation systems.
In January 2000, the remote compromised of a SCADA system was responsible for pumping sewage into a nearby park and contaminated an open surface-water drainage ditch.
News Article

Official uTorrent website compromised, users download spyware

On or before Tuesday September 13th, the Official uTorrent.com website was compromised, and on the 13th, the attackers replaced the download files with spyware.
Users who downloaded uTorrent on the 13th instead received a scareware fake anti-virus package called ‘Security Shield’
The scareware told them they were infected with malware and demanded payment to remove it
Any users who downloaded uTorrent between 12.20 and 14.10 BST likely received the malware instead of uTorrent.
In this case, the attack was fairly obvious, but a similar hack against popular software distribution points could have resulted in the stealth infection of 1000s of systems via the auto-update feature built in to most modern applications.
This is always the nightmare security situation, when legitimate trusted sites are compromised and start to distribute harmful content.

Funny Virus Pic – Google+

BIOS rootkit found in the wild

The virus can infect most any computer with an Award BIOS (very popular, used in most all Motherboards that I own).
The virus dumps a copy of the BIOS, and then adds an ISA ROM that will rewrite the MBR (Master Boot Record) on the hard drive at each bootup.
The MBR virus then rootkits winlogon.exe to take over control of the system
The rootkit then prevents modification of the MBR, making it harder to remove the virus
Even if the MBR is repaired, it is reinfected at the next boot by the BIOS portion of the virus
The rootkit also downloads a trojan and allows the system to be remotely controlled.
This attack is related to the attack we discussed in a previous episode of TechSNAP where a researcher was able to infect the battery in a MacBook with a virus. If the virus was similar to this one, it would add an additional layer of complexity, if the BIOS could be reinfected from the battery.
Details from Symantec

TWiT.tv compromised, malicious iframe injected, loads Java malware

The popular TWiT.tv page was compromised and a snippet of malicious code was added, an iframe that directed users’ browsers to a page that attempted to use Java and PDF exploits.
Google’s safe browsing started blocking the site. Firefox and Google Chrome users will be presented with a warning before visiting the site.

War Story:

At approximately 4:00 PM facility local time on Sunday, September 11, 2011, the Seattle 1 data center experienced an unexpected service interruption. It was determined that the cause of the issue was a malfunction in one of the edge routers servicing the facility.
The device was rebooted to correct the issue and we proceeded to work with the device manufacturers TAC (Technical Assistance Center) to determine the cause of the issue and proper resolution to avert any future problems.
At 6:20 PM facility local time, the same issue occurred again, and the device was again rebooted.
To prevent any future unexpected service interruptions, it was decided that the best course of action would be to replace the device with the standby device available at the facility.
At approximately 7:00 PM facility local time, we began the process of replacing the faulting device with a new one. The old device was removed and the new device was put in its place.
Once powered on the replacement device alerted us to a number of errors within the switch fabric modules that were causing inter-line card communication to not work properly.
We again contacted the device manufactures TAC, and at approximately 8:30 PM, we decided with the TAC that the best option was to replace the switch fabrics in the replacement device with the switch fabrics from the old device.
Once this was completed the device was restarted but produced the same errors.
The issue was then escalated to tier 2 support at the device manufactures TAC.
We concluded that the issue was likely a problem somewhere within the replacement device’s chassis, and proceeded to replace the chassis with the one from the old device.
Upon doing so, we began getting a different set of errors, this time with the management modules communication to the line cards.
At approximately 4:30 AM facility local time, the matter was escalated to tier 3 support at the device manufactures TAC. At this time, we also dispatched our head network technician to the facility from Phoenix with a spare device which is stored at our office in the event of issues such as this one.
At approximately 6:30 AM facility local time, the TAC tier 3 technician concluded that the likely cause of the issue was an electrical problem either within the switch fabric modules or the replacement device chassis which resulted in improper current being sent to various parts of the device and damaging several of the sensitive electronic components in the line card, forwarding engines and switch fabrics. Because the electrical subsystem within the device had potentially caused damage to all of the switch fabric modules that we had available at the facility, we were advised that we should power down both devices and not use either of them any further until a full diagnostic of the electrical sub-system could be completed by the manufacturer.
At approximately 12:00 PM our head network technician arrived at the Seattle airport, and by 1:00 PM was at the facility with the replacement device from our Phoenix office.
At approximately 2:00 PM our head network technician completed the installation of the replacement device from our Phoenix office and service was fully restored.
Total time offline: 19 hours 8 minutes.

Feedback:

A few questions about home servers
Q: crshbndct I’ve built a spare computer out of some spare parts and I want to use it as a home server. I’d like to use it as a router, a DNS server, a caching server, and maybe also throttle the usage of my servers. What should I use?
A: Chris and I both love pfSense, it is a FreeBSD based router appliance. You can basically turn any computer with 2 network cards into a Router/Firewall, with DHCP, DNS/DDNS, VPN (IPSec, PPTP, OpenVNP), VLANs, Captive Portal, Traffic Shaping and Graphing. It has a web interface similar but more expansive than what most people are already used to from a normal off the shelf home router.

Next Week: RAID types, what they are and some use cases for each.

Round-Up:

Bitcoin-Blaster:

Bitcoin Value: 34,196,260 USD

The post Ultimate Home Router | TechSNAP 23 first appeared on Jupiter Broadcasting.

Planning for Failures | TechSNAP 19

chris — Thu, 18 Aug 2011 22:05:43 +0000

The RSA leak exposes the dirty under-belly of the commercial security industry, it’s a story that sounds like it’s straight out of Hollywood.

Then – We’ve packed this episode full of Audience questions, and our answers. Find out how to plan for failure, start building a website….

All that and more, on this week’s TechSNAP!

Direct Download Links:

Subscribe via RSS and iTunes:

[ad#shownotes]

Show Notes:

News

EXCLUSIVE: Leaked “RSA dump” appears authentic

A massive Pastebin dump of domain names and IP addresses supposedly linked to a cyber espionage ring appears to be the real deal.
The dump claims the operation targets include private US defence firms.
The analysis, which was leaked by an attack on HBGary Federal by Anonymous in February this year, identifies each IP address as a callback address for custom malware used in espionage operations, presumably operating out of China.
The IP addresses serve a configuration file that re-directs infected hosts to an interactive command and control IP based in Hong Kong.
HBGary codenamed the operation “Soysauce”.
the HBGary document suggests that each sub-domain of each registered domain name corresponds to a successfully compromised target.
Pastebin Dump

Feedback

Q: (DreamsVoid) I have a server setup, and I am wondering what it would take to setup a backup server, that would automatically take over if the first server were to go down. What are some of the ways I could accomplish this?

A: This is a rather lengthy answer, so I will actually break it apart, and give one possible answer each week, for the next few weeks. The first possible solution, is to use something like BSD’s CARP (Common Address Redundancy Pool). With it you assign each server an IP address like normal, then on each, you create a virtual CARP interface, where you assign a shared IP between the servers in your CARP group. The servers will advertise their control of the shared IP address, whichever server does so first, will become the master for that IP. The way you configure multiple hosts to fail over in a specific order, is by setting and ‘advertisement skew’, of 100ms multiplied by the servers position in the pool. So the 3rd server will wait 200ms before advertising, and will only gain control over the IP address if the 1st and 2nd server are no longer advertising. This system basically moves the IP address of the service you are trying to keep up, to whatever machine in the pool is actually up. This CARP system requires that the servers have identical services and static copies of the content. Obviously, you don’t want to failover your webserver to your mail server, if your mail server is not running an HTTP server. CARP works best for ‘stateless’ protocols, one of the most common uses of CARP is for redundant routers. If you are using FreeBSD or a derivative such as pfSense, you can use CARP on the IP your DHCP server gives our as the default gateway, so that if one of your routers is down, the other automatically takes over. pfSense even includes a protocol to sync the NAT tables between the two routers so that open connections are not dropped. This type of setup can be important if the business running behind the router cannot afford downtime for such trivial things as OS upgrades on the routers, with CARP, you can take down one router at a time, upgrade it, and put it back in service, without effecting the end users and servers behind the routers. Another option in carp is called ‘preempt’, this causes CARP to take it’s interface offline is ANY interface on the machine goes offline, not just the one the CARP IP is on. This can be important if your routers are connected to different ISPs, if one of the links goes down, the router will take it self offline, causing traffic to be routed via the backup Internet connection.

Q: (Mattias) I have been using the NoScript addon for Firefox and have become aware of just how many sites use Google Analytics. Is it a good way for website admins track visitors, or just a way for google to track everyone?

A: Google Analytics is based on a product called Urchin that Google acquired. Google Analytics is basically just a cloud hosted version of this product. You can still buy a copy of Urchin, but they don’t mention host much it costs. Google Analytics just provides much richer detail than you get from just regular log file analyzers. One of the keys to the success of Google Analytics for e-Commerce is the integration with Adwords and other CPC/CPA sites. Google Analytics allows the store to pass good information about the purchases that are made, and Google correlates these with the keywords the user searched for, and how much was paid for the advertisement. This allow stores to optimize their bids to get the best return for their advertising.

While there are some privacy concerns about what google does with the collected data, they cannot infer all that much from it. Your personal data is never passed from the site you are visiting to Google, and only a small number of sites pass data about what you purchased back to Google, and they do this for the sales/conversion reporting, rather than for Google’s benefit. Usually, the data based back could just be an internal product id, and not provide google with any useful data about your purchase.

Find out who tracks you: Ghostery

Q: (Leon) Hi guys,

Thanks for answering my question last time.
I’ve set up a testbox here on my desk with FreeBSD to tinker with spamassassin/amavis. It’s been a long time since I did anything with FreeBSD but Allan/TechSNAP made me curious for it again.

My question: what’s the best way to keep your FreeBSD (ports) up to date? Just checking it manually/reading the security mailing lists or is there some kind of tool that Alan uses for automatically updating his servers?

Thanks again and thanks for the great show(s). The recent comment of Chris convinced me to support Jupiter with a monthly subscription.

Regards,
Leon

A: The built in tool for keeping your ports tree up to date is called portsnap. This tool will use the BSDiff algorithm to only download the changes to the ports tree since your last update, and supports a simple cron method, where it randomly sleeps before starting, so that everyone cron’ing portsnap won’t hit the server at the same time. Once your ports tree is updated, there are a number of tools that you can use to go about upgrading your various packages. The tool I use is called ‘portupgrade’, but there are also others such as ‘portmanager’ and ‘portmaster’. There are also services such as VuXML (Vulnerability and eXposure Markup Language) that provide information about vulnerable ports, and can be used to check against your installed packages, and packages you are about to install.

Q: (Dan) I was going to send this email to Chris, but since you guys are doing a Q&A session on Techsnap, I figured I might as well send it here. Do you have any recommendations on sources for building websites? I’ve got a career move pending on a creation of a website, and a deadline of next week. I haven’t done basic HTML for about 6 years, and this site will need a forum and a way to pay for a service. I’m not worried about the hosting, I will be hosting it on my home server until the site is approved and ready to hit the ‘tubes. Any suggestions or information you have would be greatly appreciated!

PS. Been watching for two years, he’s Honclbrif in the IRC Chat room!

A: There are a number of great Open Source CMS (Content Management System) platforms out there. Some of the most popular are WordPress, Drupal and Joomla, all of which have huge support communities, and 1000s upon 1000s of free design templates. They also feature rich plugin architectures that allow you to add functionality such as video embedding or e-commerce. WordPress is designed for a more ‘blog’ like website, and might not fit well depending on the type of site you are building. Drupal is very extensible, but their framework can be a bit frustrating at times. You might want to look at which platform has the plugins that best fit your needs, and then go from there.

Bitcoin Blaster:

The post Planning for Failures | TechSNAP 19 first appeared on Jupiter Broadcasting.