Results tagged “sysadmin” from Just Another Hacker

Tool review: Halberd

Like most of my favourite tools, halberd does one thing and does it well: it tries to detect the individual servers sitting behind a load balancer. The idea behind it is not new, but this is the best put-together tool of its kind that I have used. It even handles multiple A records right off the bat. It is a little short on documentation and the error messages could be better, but it's still a great reconnaissance/testing tool for pen testers and system administrators alike.

Grab your copy today from http://halberd.superadditive.com/

The reason behind the change is a simple one. They do not (currently) fudge NXDOMAIN responses the way OpenDNS does. That behaviour has a tendency to break RBL queries; OpenDNS "solves" the problem by making exceptions for known RBLs, and as you can see from this OLD discussion on the OpenDNS forums, this has been their policy for a long time.

The default RBL services used by the Movable Type SpamLookup plugin are bsb.spamlookup.net and sc.surbl.org. I also use additional lookups such as stopforumspam, Spamhaus and others, and as a result I was constantly seeing false positives on comments and trackbacks. Changing to Google solved all of these problems. If you are using niche RBLs together with OpenDNS, I would recommend that you test them.

[OpenDNS]
$ host nopes.grrrr.bsb.spamlookup.net 208.67.222.222
nopes.grrrr.bsb.spamlookup.net	A	208.69.32.132
 !!! nopes.grrrr.bsb.spamlookup.net A record has zero ttl
$ host nopes.grrrr.bsb.empty.us 208.67.222.222
nopes.grrrr.bsb.empty.us	A	208.69.32.132
 !!! nopes.grrrr.bsb.empty.us A record has zero ttl
FAIL!

[Google]
$ host nopes.grrrr.bsb.spamlookup.net 8.8.8.8
nopes.grrrr.bsb.spamlookup.net does not exist at google-public-dns-a.google.com, try again
$ host nopes.grrrr.bsb.empty.us 8.8.8.8
nopes.grrrr.bsb.empty.us does not exist at google-public-dns-a.google.com, try again
WINNAR!

I have taken the liberty of reporting these two to OpenDNS, as they are common for MT users; however, there are several other RBLs that I use which aren't covered by OpenDNS's exceptions. By changing to Google Public DNS I don't have to put up with false positives, and it saves me the hassle of having to verify and "fix" RBLs every time I make changes.
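
The failure the two transcripts above show, as an added example that is not part of the post: before trusting any RBL answer, query a label that cannot exist under the RBL zone and refuse to act on lookups if the resolver hands back an A record for it. The function names, the 192.0.2.1 and 198.51.100.7 addresses and the two stand-in resolvers are constructed; the canary label reuses the post's nopes.grrrr.

```python
import socket

def rbl_query_name(ip, zone):
    """Build the reversed-octet name an RBL expects: 192.0.2.1 -> 1.2.0.192.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name):
    """Default resolver: the A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def resolver_fudges_nxdomain(zone, resolve=system_resolve, canary="nopes.grrrr"):
    """True when a label that cannot exist under the RBL zone still gets an A record,
    i.e. the resolver rewrites NXDOMAIN and every lookup would look like a listing."""
    return resolve(f"{canary}.{zone}") is not None

def rbl_listed(ip, zone, resolve=system_resolve):
    """'listed', 'clean', or 'untrusted' when the resolver cannot give honest NXDOMAINs."""
    if resolver_fudges_nxdomain(zone, resolve):
        return "untrusted"
    return "listed" if resolve(rbl_query_name(ip, zone)) is not None else "clean"

# Constructed stand-ins for the two behaviours in the post; no network needed.
def fake_opendns(name):
    # Models an RBL zone that is NOT on the OpenDNS exception list: every unknown
    # name gets the guide-page address seen in the transcript instead of NXDOMAIN.
    return "208.69.32.132"

LISTED = {"1.2.0.192.bsb.spamlookup.net": "127.0.0.2"}   # constructed listing

def fake_google(name):
    return LISTED.get(name)          # honest: None for anything not actually listed

if __name__ == "__main__":
    for label, resolve in (("OpenDNS-like", fake_opendns), ("Google-like", fake_google)):
        print(label, rbl_listed("192.0.2.1", "bsb.spamlookup.net", resolve))
```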

If you want to make the change you can find the details at: http://code.google.com/speed/public-dns/


The changes to PackageKit that allow non-privileged users to install Fedora-signed packages without privilege escalation make me glad I'm not a Fedora user. There is just a crapton of potential for breakage and security abuse bundled in here, and since I'm a reasonable fellow I will even supply some examples

Karmic annoyance

One of my pet hates about dist upgrades is the unknown that sits on the other side of the upgrade, especially when using binary drivers. To be honest, dist-upgrade is very usable these days: I usually only have to reconfigure X to use the binary drivers afterwards, whereas in the past it could render the system inoperable.

With my latest upgrade from jaunty jackalope to karmic koala (Ubuntu release names) I only experienced one VERY annoying issue. My speakers were constantly crackling, it was as if they were repeatedly initializing. Even when I plugged in headphones, both the speakers and the headphones were crackling. Adjusting the volume helped some as the crackling got muted, but did not stop the issue.

The solution, as it turned out, was to disable the power saving option for my sound card. I simply commented out the last line of /etc/modprobe.d/alsa-base.conf so that it became:

# Power down HDA controllers after 10 idle seconds
#options snd-hda-intel power_save=8 power_save_controller=N

Multipacket three way handshake

Tod Beardsley over at BreakingPoint Labs has identified a rarely recognised section of RFC 793 that allows you to deviate from the normal three-way handshake. Rather than doing
A ----syn-----> B
A <---synack--- B
A ----ack-----> B

which is the "normal" way of doing the three-way handshake, you can instead do:
A ----syn-----> B
A <---syn------ B
A ----synack--> B
A <---ack------ B
The change in direction could allow you to bypass stateful firewalls, bypass intrusion detection or prevention devices, and perhaps change the SYN flood or spoofing landscape. He has successfully tested this against the major OSes.

Read the full post, containing packet captures and more, at http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three-way-handshake-is-a-lie

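
A minimal flow tracker, added here as an illustration rather than anything from Tod's post, showing how a stateful inspector can accept both the classic exchange and the RFC 793 simultaneous open without either dropping the session or losing track of it; the endpoint names A and B, the flag notation and the segment lists are constructed.

```python
def parse_flags(flags):
    """'SYN+ACK' -> {'SYN', 'ACK'}; only SYN and ACK matter during the handshake."""
    return {f.strip().upper() for f in flags.split("+")}

def classify_handshake(segments):
    """Replay the (src, dst, flags) segments of one flow the way a stateful
    firewall or IDS would, and report whether a connection was established
    and by which form: 'normal' (SYN, SYN+ACK, ACK) or 'simultaneous'
    (both ends send a bare SYN, then both acknowledge), which RFC 793 permits.
    An inspector that only models the first form mis-classifies the second."""
    syn_sent, ack_sent, bare_syn = set(), set(), set()
    for src, dst, flags in segments:
        f = parse_flags(flags)
        if not f & {"SYN", "ACK"}:
            return ("invalid", f"{src}: {flags} segment during handshake")
        if "ACK" in f and dst not in syn_sent:
            # An ACK may only acknowledge a SYN the peer actually sent; a lone
            # ACK with no prior SYN is what an ACK scan looks like and must not
            # create state.
            return ("invalid", f"{src}: ACK before any SYN from {dst}")
        if "SYN" in f:
            syn_sent.add(src)
            if "ACK" not in f:
                bare_syn.add(src)
        if "ACK" in f:
            ack_sent.add(src)
    if len(syn_sent) == 2 and len(ack_sent) == 2:
        return ("established", "simultaneous" if len(bare_syn) == 2 else "normal")
    return ("incomplete", None)

# Constructed segment lists: the classic exchange and the reversed one in the post.
NORMAL = [("A", "B", "SYN"), ("B", "A", "SYN+ACK"), ("A", "B", "ACK")]
REVERSED = [("A", "B", "SYN"), ("B", "A", "SYN"), ("A", "B", "SYN+ACK"), ("B", "A", "ACK")]
ACK_ONLY = [("A", "B", "ACK")]   # what a firewall should refuse to treat as a session

if __name__ == "__main__":
    for name, flow in (("normal", NORMAL), ("reversed", REVERSED), ("ack-only", ACK_ONLY)):
        print(name, classify_handshake(flow))
```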
Granted we are well into October by now, but what better time could there be to officially launch this blog?

There are several tweaks I would like to do to this blog, such as decide on a design I really like, but it can wait. There is no use in having a nice looking blog with no content, so I will worry about the design once I have a few posts to my name.

I don't wish to limit myself too much by writing a "what can you expect from this blog" post, so suffice it to say I will try to keep it in the solution line, or perhaps better described as the "if you're not part of the solution you are part of the problem" approach. I really don't think we need another outlet for security problems to be piled up with little or no hope of a fix being offered. So henceforth my goal is to publish two posts a week (more if I can) for as long as I can.
This weblog is licensed under a Creative Commons License.