failover – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Fri, 07 Feb 2020 03:41:39 +0000

Multipath Musings | TechSNAP 422
https://original.jupiterbroadcasting.net/139252/multipath-musings-techsnap-422/
Fri, 07 Feb 2020 00:15:00 +0000

Show Notes: techsnap.systems/422

The post Multipath Musings | TechSNAP 422 first appeared on Jupiter Broadcasting.

AirPorts & Packages | BSD Now 40
https://original.jupiterbroadcasting.net/59097/airports-packages-bsd-now-40/
Thu, 05 Jun 2014 13:12:25 +0000

The post AirPorts & Packages | BSD Now 40 first appeared on Jupiter Broadcasting.


On this week’s episode, we’ll be giving you an introductory guide on OpenBSD’s ports and package system.

There’s also a pretty fly interview with Karl Lehenbauer, about how they use FreeBSD at FlightAware.

Lots of interesting news and answers to all your emails, on BSD Now – the place to B.. SD.

Thanks to: iXsystems, Tarsnap


– Show Notes: –

Headlines

BSDCan 2014 talks and reports, part 2


Beyond security, getting to know OpenBSD’s real purpose

  • Michael W Lucas (who, we learn through this video, has been using BSD since 1986) gave a “webcast” last week, and the audio and slides are finally up
  • It clocks in at just over 30 minutes, managing to touch on a lot of OpenBSD topics
  • Some of those topics include: what is OpenBSD and why you should care, the philosophy of the project, how it serves as a “pressure cooker for ideas,” briefly touches on GPL vs BSDL, their “do it right or don’t do it at all” attitude, their stance on NDAs and blobs, recent LibreSSL development, some of the security functions that OpenBSD enabled before anyone else (and the ripple effect that had) and, of course, their disturbing preference for Comic Sans
  • Here’s a direct link to the slides
  • Great presentation if you’d like to learn a bit about OpenBSD, but also contains a bit of information that long-time users might not know too

FreeBSD vs Linux, a comprehensive comparison

  • Another blog post covering something people seem to be obsessed with – FreeBSD vs Linux
  • This one was worth mentioning because it’s very thorough in regards to how things are done behind the scenes, not just the usual technical differences
  • It highlights the concept of a “core team” and their role vs “contributors” and “committers” (similar to a presentation Kirk McKusick did not long ago)
  • While a lot of things will be the same on both platforms, you might still be asking “which one is right for me?” – this article weighs in with some points for both sides and different use cases
  • Pretty well-written and unbiased article that also mentions areas where Linux might be better, so don’t hate us for linking it

Expand FreeNAS with plugins

  • One of the things people love the most about FreeNAS (other than ZFS) is their cool plugin framework
  • With these plugins, you can greatly expand the feature set of your NAS via third party programs
  • This page talks about a few of the more popular ones and how they can be used to improve your NAS or media box experience
  • Some examples include setting up an OwnCloud server, Bacula for backups, Maraschino for managing a home theater PC, Plex Media Server for an easy to use video experience and a few more
  • It then goes into more detail about each of them, how to actually install plugins and then how to set them up

Interview – Karl Lehenbauer – karl@flightaware.com / @flightaware

FreeBSD at FlightAware, BSD history, various topics


Tutorial

Ports and packages in OpenBSD


News Roundup

Code review culture meets FreeBSD

  • In most of the BSDs, changes need to be reviewed by more than one person before being committed to the tree
  • This article describes Phabricator, an open source code review system that we briefly mentioned last week
  • Instructions for using it are on the wiki
  • While not approved by the core team yet for anything official, it’s in a testing phase and developers are encouraged to try it out and get their patches reviewed
  • Just look at that fancy interface!!

Michael Lucas’ next tech books

  • Sneaky MWL somehow finds his way into both our headlines and the news roundup
  • He gives us an update on the next BSD books that he’s planning to release
  • The plan is to release three (or so) books based on different aspects of FreeBSD’s storage system(s) – GEOM, UFS, ZFS, etc.
  • This has the advantage of only requiring you to buy the one(s) you’re specifically interested in
  • “When will they be released? When I’m done writing them. How much will they cost? Dunno.”
  • It\’s not Absolute FreeBSD 3rd edition…

CARP failover and high availability on FreeBSD

  • If you\’re running a cluster or a group of servers, you should have some sort of failover in place
  • But the question comes up, “how do you load balance the load balancers!?”
  • This video goes through the process of giving more than one machine the same IP, how to set up CARP, securing it and demonstrates a node dying
  • Also mentions DNS-based load balancing as another option

PCBSD weekly digest

  • This time in PCBSD land, we’re getting ready for the 10.0.2 release (ISOs here)
  • AppCafe got a good number of fixes, and now shows 10 random highlighted applications
  • EasyPBI added a \”bulk\” mode to create PBIs of an entire FreeBSD port category
  • Lumina, the new desktop environment, is still being worked on and got some bug fixes too

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you want to come on for an interview or have a tutorial you’d like to see, let us know
  • Just a reminder, if you’re using vnd (vnconfig) on OpenBSD for encryption, it’s being retired for 5.7 – start planning to migrate your data to softraid
  • There were also some security advisories for FreeBSD recently, make sure you’re all patched up
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

Faster GPU Cracking | TechSNAP 65
https://original.jupiterbroadcasting.net/21306/faster-gpu-cracking-techsnap-65/
Thu, 05 Jul 2012 16:45:55 +0000

The post Faster GPU Cracking | TechSNAP 65 first appeared on Jupiter Broadcasting.


Everyone’s beloved password cracker has had a major update, and you won’t believe what it can do now!

The aerospace industry has a new Advanced Persistent Threat, and a major Microsoft XML flaw is already being exploited.

Plus we share some infrastructure wisdom in today’s feedback segment.

All that and more, on this week’s TechSNAP!


Show Notes:

New version of John the Ripper targets slow hashes with GPUs

  • The new version focuses on adding GPU support, both CUDA (for nVidia) and OpenCL (for AMD and other cards)
  • Other interesting new additions:
  • Non-hash cracking support for:
    • Mac OS X keychains
    • KeePass 1.x files
    • ODF and MS Office 2007/2010 files
    • Mozilla Firefox/Thunderbird/etc master password files
    • RAR -p and -hp encryption modes
    • WPA-PSK
    • VNC Challenge/response auth
    • SIP challenge/response auth
    • HMAC-SHA1/224/256/384/512
  • New hashes supported:
    • sha256crypt (CPU or CUDA)
    • sha512crypt (CPU/CUDA/OpenCL)
    • DragonFly BSD SHA256/512
    • Drupal 7 custom PHP SHA-256 hashes
    • Raw-SHA1-LinkedIn
  • Interestingly, bcrypt (OpenBSD’s implementation of Blowfish as a password hashing algorithm), even on an AMD 7970, is slower on a GPU than on a CPU due to the nature of the algorithm
  • Full Release Announcement

Unpatched Microsoft XML exploit added to Blackhole toolkit

  • An exploit for the unpatched vulnerability is now included in recent versions of the Blackhole exploit kit, sold to cyber criminals and installed on infected and compromised websites across the internet
  • Numerous attack vectors have been used to exploit this flaw in the Microsoft XML engine, including MS Office documents, Flash, and Internet Explorer itself
  • The flaw is present in versions 3, 4 and 6 of MS XML Core Services, and exploitable on all supported versions of Windows (XP/Vista/7, 2003/2008/R2 Server)
  • Microsoft published the advisory about the flaw on June 12th, after it was already actively being exploited in the wild
  • At this time, there is still no fix for ‘Microsoft XML Core Services’. Microsoft offers a ‘Fix-It’ that is supposed to mitigate the flaw, but suggests that this may cause application compatibility issues
  • The Microsoft EMET Toolkit may prevent the exploitation of this vulnerability, but as discussed previously, is incompatible with AMD Video Drivers
  • CVE-2012-1889
  • Official Microsoft Announcement

New version of trojan used in highly targeted attack

  • The Sykipot trojan is not new, however the latest version is being used more successfully than before
  • Phishing emails and targeted web advertisements are being used to drive users to sites where they are infected by drive-by-downloading of the trojan using the MS XML exploit
  • This requires zero user interaction in order to become infected
  • Previous versions of Sykipot have relied on file format exploits (MS Office files, PDFs)
  • The latest attack seems to be targeting attendees to the IEEE’s Aerospace Conference (the International Conference for Aerospace Experts, Academics, Military Personnel, and Industry Leaders)
  • Researchers have found a Sykipot variant that was programmed to steal credentials from systems using ‘ActivIdentity’s ActivClient’, the smart card application used by the U.S. Department of Defense’s Common Access Card (CAC)
  • This could result in the compromise of such smart cards, allowing the attacker to gain access to highly sensitive materials

A third of top UK Universities use weak SSL configurations

  • TechWeek Europe used the SSL Labs tool to test the SSL implementations used at the top Universities in the UK
  • Many of the schools received grades of C or D instead of the expected A
  • Such weakness in the implementation of SSL could allow an attacker to inject data into encrypted packets, in order to exploit the user’s machine while they are visiting a trusted site, or to hijack the session or compromise other private data
  • Many of the schools responded quickly with configuration changes to upgrade their scores, while others were hesitant to make configuration changes for fear of affecting accessibility for users
  • SSL Best Practices Guide
  • ScaleEngine.com’s Results

Feedback:

Round Up:

Keeping it Up | TechSNAP 20
https://original.jupiterbroadcasting.net/11491/keeping-it-up-techsanp-20/
Thu, 25 Aug 2011 21:33:51 +0000

Find out how software like Nagios can take your setup to the next level, and Apache and PHP have big security holes, find out why it's time to patch!

The post Keeping it Up | TechSNAP 20 first appeared on Jupiter Broadcasting.


Apache and PHP have hooked up at the fail party, and we’ll share all the details to motivate you to patch your box!

Then Microsoft takes a stab at AES and we wrap it all up with a complete run down of Nagios, and how this amazing tool can alert you to a potential disaster!

All that and more, on this week’s TechSNAP!


Show Notes:


All versions of the Apache web server are vulnerable to a resource exhaustion DoS attack

  • A single attacker with even a slow internet connection can entirely cripple a massive Apache server
  • The attack uses the ‘Range’ header, requesting 1300 different segments of the file, causing the web server to create many separate memory allocations. The existing attack script defaults to running 50 concurrent threads of this attack, which will quickly exhaust all of the RAM on the server and drive the server load very high.
  • Apache 1.3 is past its End Of Life and will not receive an official patch
  • A different aspect of this bug (using it to exhaust bandwidth) was pointed out by a Google security engineer over 4 years ago

PHP 5.3.7 contains a critical vulnerability in crypt()

  • Official Bug Report
  • The crypt() function used for hashing passwords received much attention in this latest version of PHP, and a bug was inadvertently introduced: when you hash a password with MD5, only the salt is returned. This means that when validating a login attempt, when the hash of the attempt is compared to the stored hash, only the salt will match, resulting in a failed login attempt. However, if the user changes their password, or a new user registers, the stored hash will only be the salt, and in that case any attempted password will result in a successful login attempt.
  • PHP 5.3.7’s headline bug fix was an issue with the way blowfish crypt() was implemented on Linux (it worked correctly on BSD). Some passwords that contained invalid UTF-8 would result in very weak hashes
  • It seems that this error was caught by the PHP unit testing framework, so the fact that it made it into a production release means that the unit testing was likely not properly completed before the release was made.
  • 5.3.7 was released on August 18th. The release was pulled on August 22nd, and 5.3.8 was released on August 23rd

Researchers have developed a new attack against AES

  • Researchers from a Belgian (Katholieke Universiteit Leuven) and a French (École Normale Supérieure) university, working with Microsoft Research, have developed a new attack against AES that allows an encryption key to be recovered 3 to 5 times faster than all previous attacks
  • The attack would still take billions of years of CPU time with currently existing hardware
  • Full Paper with Details
  • Comments by Bruce Schneier
  • Additional Article

Feedback

Q: (DreamsVoid) I have a server set up, and I am wondering what it would take to set up a backup server that would automatically take over if the first server were to go down. What are some of the ways I could accomplish this?

A: This is a rather lengthy answer, so I will actually break it apart, and give one possible answer each week, for the next few weeks. This week’s solution is to use DNS Failover. For this feature, I personally use a 3rd party DNS service called DNS Made Easy. Once you are hosting your DNS with them, you can enable Monitoring and DNS Failover. This allows you to enter the IPs of more than one server for a DNS entry such as www.mysite.com. Only one IP will be used at a time, so it is not the same as a ‘Round Robin’ setup. This simplifies problems with sessions and other data that would need to be shared between all of the servers if they were used at the same time. DNSMadeEasy will monitor the website every minute from locations all over the world, and if the site is unreachable, it will automatically update your DNS record to point traffic to the next server on your list. It will successively fail over to each server on the list until it finds one that is up. When the primary server comes back, it can automatically switch back. We use this for the front page of ScaleEngine.com; if the site were ever down, it would fail over to a backup server we have at a different hosting provider. This backup copy of the site is still reliant on a connection to our centralized CMS (which also uses DNS Failover), and if that were down too, it fails over to a flat-HTML copy of our website that is updated once per day. This way, our website remains online even if both our primary and secondary hosting are offline, or if all 3 failover servers for the CMS are down as well.


Q: (Al Reid) Nagios seems to be a very good open source and widely used network monitoring software solution, is it possible that you guys could discuss the topic of network monitoring for services, hosts, router, switches and other uses?

A: Nagios is an open source network monitoring system that can be used to monitor a number of different aspects of both the hosts (physical and virtual servers, routers) and the services of those hosts (programs like Apache, MySQL, etc). The most basic monitoring is just pinging the host, and entering an alert state if the host does not respond, or if the latency or packet loss exceeds a specific threshold. However, the real power of a network monitoring system comes not only from alerting you (via email, text message, audible alarm) when something is down, but from actually monitoring and graphing performance over time. For example, with my MySQL servers, Nagios monitors not only that they are accessible, but graphs the number of queries per second, and the number of concurrent connections. This way, if I notice higher than expected load on one of the servers, I can pull up the graph and see that, yes, a few hours ago the number of queries per second jumped by 30%, and that is obviously what is causing the additional load. A huge number of things can be monitored using a combination of the Nagios tools and the SNMP (Simple Network Management Protocol) interfaces exposed by many devices. For example, we monitor power utilization from our PDUs and traffic through each of our switch ports. Some of the main metrics we monitor on each server are: CPU load, load averages, CPU temperature, free memory, swap usage, number of running processes, uptime (alerts us when a device reboots unexpectedly), free disk space, etc. We also monitor our web servers closely, monitoring the number of connections, requests per second, number of requests waiting on read or write, etc. Nagios monitoring can be taken even further: more advanced SNMP daemons on servers can list the packages that are installed, and a Nagios tool could be set up to alert you when a known vulnerable package is detected, prompting you to upgrade that package.

Nagios can also monitor your SSL certificates and domain names, and alert you when they are nearing their expiration dates (Chris should have this so he doesn’t forget to renew JupiterBroadcasting.com every year). Nagios supports two different methods of monitoring. The first is ‘active’, which is the most commonly used: Nagios connects to the server/service and checks that it is running, and gets the performance data, if any. However, Nagios can also support ‘passive’ data collection, where the server or service pushes performance data to Nagios, and Nagios can trigger an alert if an update is not received within a specific time frame. This can help solve a common issue we have discussed before, where the monitoring server is a weak point in the security of the network, a single host that is able to connect to even the most secure hosts in your network. With passive monitoring, you can have secure hosts or unroutable LAN hosts push their monitoring and performance data to Nagios from behind the firewall, even when Nagios cannot connect to that host. Other alternatives to Nagios are Zabbix, SpiceWorks or Cacti, but I have never used them.


Random SQL Injection Comic

Round Up:

Bitcoin Blaster:
