June 2003 Archives
ipfw2 is supposed to be a complete replacement for the original ipfw in FreeBSD. It is now being completely merged into the source tree, and I still could not find documentation on its new features and changes. I just know there is an equivalent of Cisco's "ip verify unicast reverse-path", as well as the ability to handle layer 2 traffic, keep-alives, and enabling/disabling rules (my only source of information).
ipfw2 lets you set up a full-featured firewall at the least cost. Its quality is not comparable to professional/commercial firewalls, but it works!
It doesn't matter how big or small your network is; the fact is that your network is always under attack: spammers looking for SMTP relays or misconfigured HTTP or SOCKS proxies, script kiddies nmapping your hosts, innocent Windows users propagating worms without even knowing what a worm is, and warez folks scanning for open FTP servers to upload their files.
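The four ipfw2 features the post names, put together in one small ruleset. This is an added example, not the author's ruleset and not from the FreeBSD sources; it assumes the Cisco "ip verify unicast reverse-path" equivalent is ipfw's verrevpath option, that keep-alives are the net.inet.ip.fw.dyn_keepalive sysctl, that layer 2 filtering is the layer2 keyword switched on by net.link.ether.ipfw, and that enabling/disabling rules is done with rule sets. The interface name fxp0 and the 192.168.1.0/24 range are placeholders.

```shell
#!/bin/sh
# Added example ruleset exercising the ipfw2 features named in the post.
# Not the author's ruleset and not FreeBSD's rc.firewall. Assumptions: verrevpath is
# the reverse-path check, dyn_keepalive provides keep-alives, the layer2 keyword plus
# net.link.ether.ipfw handles Ethernet frames, and sets enable/disable rules in bulk.
# By default every command is only echoed (dry run); set FWCMD=/sbin/ipfw and
# SYSCTL=/sbin/sysctl in the environment to actually apply it.

fwcmd="${FWCMD:-echo ipfw}"
sysctl_cmd="${SYSCTL:-echo sysctl}"
oif="${OIF:-fxp0}"              # outside interface (assumed name)
lan="${LAN:-192.168.1.0/24}"    # inside network (constructed private range)

ipfw_sysctls() {
    $sysctl_cmd net.inet.ip.fw.dyn_keepalive=1   # keep idle stateful TCP sessions alive
    $sysctl_cmd net.link.ether.ipfw=1            # also pass Ethernet frames through the rules
}

ipfw_rules() {
    $fwcmd -f flush

    # Reverse-path check: drop inbound packets whose source address would not be
    # routed back out through the interface they arrived on, i.e. spoofed sources.
    $fwcmd add 100 deny ip from any to any in not verrevpath

    # Layer 2: with net.link.ether.ipfw=1 a packet can pass through the ruleset once
    # as an Ethernet frame and again as an IP packet. Accept frames here so that the
    # filtering decision is made on the IP pass; a stricter setup would match on
    # MAC addresses or mac-type in this rule instead.
    $fwcmd add 200 allow ip from any to any layer2

    # Stateful rules: check-state matches existing dynamic entries, the outbound
    # rules create them, and dyn_keepalive stops idle connections from being dropped
    # when their dynamic rule would otherwise expire.
    $fwcmd add 300 check-state
    $fwcmd add 310 allow tcp from "$lan" to any out via "$oif" setup keep-state
    $fwcmd add 320 allow udp from "$lan" to any out via "$oif" keep-state

    # Sets: rules carrying "set 5" can be switched off and on together (see the
    # functions below) without renumbering or reloading the whole ruleset.
    $fwcmd add 500 set 5 allow tcp from any to me dst-port 22 in via "$oif" setup keep-state
    $fwcmd add 510 set 5 allow tcp from any to me dst-port 80 in via "$oif" setup keep-state

    $fwcmd add 65000 deny log ip from any to any
}

# Switch the public services in set 5 off and on, e.g. during maintenance.
disable_public_services() { $fwcmd set disable 5; }
enable_public_services()  { $fwcmd set enable 5; }

case "${1:-}" in
    load)    ipfw_sysctls; ipfw_rules ;;
    disable) disable_public_services ;;
    enable)  enable_public_services ;;
esac
```

Run it as `sh rules.sh load` to see the commands it would issue; `FWCMD=/sbin/ipfw SYSCTL=/sbin/sysctl sh rules.sh load` applies them. Keeping the dry-run default means a typo in a rule shows up on the terminal rather than in a locked-out SSH session.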
chkrootkit is a useful trojan and rootkit checker for *nix operating systems.
In addition to rootkits and trojans, it also checks whether your network interfaces are in promiscuous mode, as well as checking for log file (wtmp) deletions.
As of this writing, it detects 52 different worms and trojans and their variants.
Now it has a line of its own in my /etc/crontab file :)
P.S. Check out the Related Links section on the chkrootkit homepage to find valuable resources on rootkits and trojans in Unix environments.
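A cron wrapper is more useful if it only mails you about findings you have not already seen, otherwise a permanent false positive buries the real ones. The script below is an added example, not part of chkrootkit and not the author's crontab entry; it assumes chkrootkit lives at /usr/local/sbin/chkrootkit (the FreeBSD ports location), keeps its state under /var/db/chkrootkit, and relies on chkrootkit's -q (quiet) mode, which prints only warnings and infections.

```shell
#!/bin/sh
# Added example: cron wrapper that runs chkrootkit and mails only the findings that
# did not appear in the previous run. Not part of chkrootkit. Assumed paths below.

CHKROOTKIT="${CHKROOTKIT:-/usr/local/sbin/chkrootkit}"   # assumed ports location
STATE_DIR="${STATE_DIR:-/var/db/chkrootkit}"             # assumed state directory
MAILTO="${MAILTO:-root}"

# new_findings PREV NEW: print the lines of NEW that do not appear verbatim in PREV.
# Returns 0 when there is at least one new line, 1 when there is nothing new.
new_findings() {
    prev="$1"; new="$2"
    if [ ! -s "$prev" ]; then
        # First run, or the previous report was clean: every finding is new.
        [ -s "$new" ] && cat "$new"
    else
        # -x: whole-line match, -F: fixed strings, -v: keep lines NOT in prev.
        grep -vxF -f "$prev" "$new"
    fi
}

# run_check: rotate the last report, run chkrootkit quietly, mail anything new.
run_check() {
    mkdir -p "$STATE_DIR"
    prev="$STATE_DIR/previous.txt"; new="$STATE_DIR/latest.txt"
    if [ -f "$new" ]; then mv "$new" "$prev"; fi
    "$CHKROOTKIT" -q > "$new" 2>&1 || true   # exit status is not relied on, only the report
    if findings=$(new_findings "$prev" "$new"); then
        printf '%s\n' "$findings" | mail -s "chkrootkit: new findings on $(hostname)" "$MAILTO"
    fi
}

case "${1:-}" in
    run) run_check ;;
esac
```

A crontab line such as `0 3 * * * root /usr/local/sbin/chkrootkit-cron.sh run` (the script path is assumed) runs it nightly; a finding that persists is reported once, and a finding that disappears and comes back is reported again, which is exactly what you want to notice.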
Cisco IOS has many hidden features, some of which are very useful.
A list of these commands can be found at the following locations:
- Undocumented IOS commands from Elemental Network Consulting
- Project DOTU
- Undocumented IOS commands from i-n-t.de
- Undocumented IOS and CatOS commands from Heinz Ulm
ifGraph is a set of Perl scripts that fetch SNMP counters from SNMP-enabled hosts and draw nice-looking graphs. It is very easy to use, and it uses RRDTool as its database and graphing engine. It is fast and reliable.
STG is another handy SNMP graphing tool. Unlike other tools, this one is a small Windows application that draws live graphs like MRTG, but not averaged graphs. STG is small and quick. It doesn't even need to be installed: no DLL hell. STG is suitable for drawing live traffic graphs while testing the throughput of links.

Beware of the SNMP security risks when you enable SNMP on your hosts. Even with access lists in place, hosts are still vulnerable to different kinds of attacks.
I've finished setting up an IDS box just to do some penetration tests and see how an IDS detects various types of intrusion. For the test, the combination of FreeBSD 4.8-STABLE + Snort + Apache + MySQL + ACID worked great. Now it looks like a professional IDS box. The most exciting part was setting up ACID; it took only about 5 minutes to get ready. Of course, without reading Keith Tokash's excellent how-to it would have taken much longer. Besides being a good how-to for IDS setup, it is also a good how-to for beginners setting up a secure FreeBSD box.
P.S. I like the way ACID shows packet structure.
B-O-K has asked me to put up some screenshots of Firebird 0.6 running on KDE 3.1.2 and FreeBSD 5.1.
Here you are:
» ScreenShot 1
» ScreenShot 2
» ScreenShot 3
After two weeks of seriously using Firebird 0.6 on XP and FreeBSD, I really feel comfortable now when I browse the web. It works smoothly. I really like the tabs, the standard search dialog, CTRL+ENTER URL completion and its smooth scrolling.
But there are still many important things missing:
- I could not find a proper option to turn off password saving. It still works after turning off "Remember Passwords" in the privacy options.
- It does not select text properly when selecting text in a multi-line text box.
- I don't like that old Mozilla icon. It should be replaced with something better.
- I still have browsing problems with sites like Quarter Life Crisis. (Try it with Firebird and you will find out what is wrong!)
- Some plug-ins are not supported as they are supposed to be. (Unix version)
- No native binary is available for FreeBSD.
Setting aside the missing features, it performs very well as a full-featured, lightweight browser.
I had this problem for a long time:
FreeBSD 5.0 on my laptop + KDE 3.1 (compiled from the bleeding-edge source code repository) + Windows TrueType fonts + Mozilla or Firebird (formerly known as Phoenix). Everything was working fine, except one thing: all PNG images were shown totally black!
Recompiling Mozilla and rebuilding the PNG libraries didn't help. Searching newsgroups didn't help either. It seemed that no one else had this problem. The annoying thing was that Konqueror was working fine! I thought they should be using the same libraries to show PNG images, so the PNG library should not be the source of this problem.
I was completely disappointed, until I saw Jeremy Zawodny's article on Firebird and Mozilla issues. So I decided to write an article on this issue, including screenshots, like he did.
Before getting ready to start writing, I decided to upgrade to FreeBSD 5.1-RELEASE. So I CVSuped to the latest source code, then "MAKE WORLD KERNEL" and mergemaster.
After rebooting and checking everything, I started X and fired up Mozilla to take some screenshots for my blog. I can't say whether I was happy or sad to see that the problem was completely gone!
Conclusion: compiling the kernel and OS source code will solve your PNG problem in Mozilla and Firebird. If you found this page while googling for a solution to the PNG problem in Mozilla, the solution is to rebuild the whole OS!
The good news is that FreeBSD 5.1 has been released, featuring new core improvements and hardware support. 5.1 means that a 5.x-STABLE branch is on its way.
I have been running 5.0-RELEASE on my laptop successfully for several months, and it really worked fine for me. But for servers, I will be sticking with 4.X-STABLE for at least the next 6 months.
In my previous post, I introduced fake email generators to fool spammers' email spider bots. But if I were a spammer, I would block these fake email generators easily. Their number is limited, and the name of the CGI program is mostly the same. In any case they can easily be blocked, which is why they are not effective enough.
The solution:
1- Make your own email generator. If you know Perl or any other scripting language, it is very easy.
2- Don't name your script email.pl or something like that. Choose a different name (preferably a meaningless one).
3- Generate variable-length email addresses. Bots can tell if all the email addresses on a page have the same length and may consider them fake and ignore them.
4- Don't put words like "fake" on the page. The bot can easily guess that this is an anti-spam page and will ignore it.
5- Don't link to known pages like "http://www.hostedscripts.com/scripts/antispam.html". I promise most of these known pages are already blocked by spider bots.
6- Rename your script from time to time. This is useful if spammers put your URL in their blacklist.
7- Don't put a signature or any fixed marker on your page.
Considering the above hints, you'll have a better chance of fooling email spider bots.
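A generator following hints 1, 3, 4 and 7, written as an added example in plain sh and awk rather than the Perl the post mentions; it is not the author's script. It assumes a POSIX shell and awk, and it deliberately uses only the reserved example.com/.net/.org domains so that harvested addresses can never land in a real mailbox. Under a web server it detects the CGI environment through GATEWAY_INTERFACE and emits a page; the script's file name (hint 2) is left to you.

```shell
#!/bin/sh
# Added example: a spider-bot "poison" page generator, not the author's script.
# Assumptions: POSIX sh + awk; output domains are the RFC 2606 reserved names so no
# real mailbox receives the resulting spam; served as a CGI under a nondescript name.

# fake_addresses COUNT [SEED]: print COUNT addresses, one per line, with local parts of
# 5 to 14 random characters so that no two addresses need share a length (hint 3).
# A fixed SEED makes the output repeatable, which is handy for testing.
fake_addresses() {
    count="$1"
    seed="${2:-$(date +%s)}"
    awk -v n="$count" -v seed="$seed" 'BEGIN {
        srand(seed)
        chars = "abcdefghijklmnopqrstuvwxyz0123456789"
        split("example.com example.net example.org", dom, " ")
        for (i = 0; i < n; i++) {
            len = 5 + int(rand() * 10)            # 5..14 characters
            s = ""
            for (j = 0; j < len; j++)
                s = s substr(chars, 1 + int(rand() * length(chars)), 1)
            print s "@" dom[1 + int(rand() * 3)]
        }
    }'
}

# render_page COUNT: wrap the addresses in a plain HTML list. No "fake" or "spam"
# wording (hint 4) and no signature line or fixed marker (hint 7).
render_page() {
    printf 'Content-Type: text/html\n\n<html><body><ul>\n'
    fake_addresses "$1" | awk '{ print "<li><a href=\"mailto:" $0 "\">" $0 "</a></li>" }'
    printf '</ul></body></html>\n'
}

# A web server sets GATEWAY_INTERFACE for CGI programs; only then emit a page.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    render_page 40
fi
```

Because the seed defaults to the current time, every fetch yields a different set of addresses, so a bot cannot recognise the page by its contents either.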
EuroNOG, or the European Network Operators Group, is a place for European network engineers to exchange technical information related to operational and engineering issues.
Unlike NANOG, there is no mailing list traffic and there are no online resources.
I've been a member of all the mailing lists for two weeks, but there was not even a single email on the list. It seems European network engineers have no interest in communities like this, or maybe they are already busy with the RIPE mailing lists.
I believe EuroNOG could be a good place to exchange information if people take it seriously.
