Apr 19
Well well, all my services have been migrated from the We-Dare colocated facilities to Germany, where I obtained a couple of accounts through hetzner.de, delivering me faster machines, more bandwidth, better agreements etc., for more or less the same price. I would consider myself a fool if I wasn’t going to pursue this. So my personal colocated services and JR-Hosting colocated services moved over to Germany now, residing on dual core machines with a bit more RAM than before, a lot more disk space, and better bandwidth agreements.
Everything has been moved over now, so if you spot something interesting, please let me know so that I can fix it.
Sadly this will also mean the end of the days for a couple of websites run by friends of mine, who didn’t want to move over to Germany, so they will be resting in peace soon (since the contracts will be terminated at We-Dare). They are www.grunn.org and www.elarial.com, with all attached subdomains. I think the three of us learned a lot with those websites, and I would like to thank HuMPie and Kees (Elarial founder) for their continued support and trust in me maintaining our shared colocated machine. I’ll post updates about the new machines soon (in the "my machines" list) and mark the soon to be dismantled ones as *A(rchived).
Apr 11
On a work-related note: I passed my CCSA exam today. I scored 81% where 70% is required, so this is a nice start to the weekend!
Mar 24
So, Saturday and today I spent a bit of time updating my honeynet check mirror application, which retrieves information from various mirrors to make an educated guess on when the mirrors did their last sync (all in perspective of course, because it doesn’t tell the actual status, but at least it’s a guide, and if properly done, we can see what happens).
That of course doesn’t mean the tool is honeynet only; you can easily change it for your own needs to list several mirrors of your own etc. It’s just that I named it for the honeynet project: check_honeynet. One could argue to name it “evil-mirror-validator” or something (evil- is the prefix of most of my projects).
Anyway, back to the discussion: v1.7 has a new way of parsing configuration records which is rather straightforward. I will be implementing the same for 2.0 (which is actually just continued development on top of 1.7). This makes use of the Config::Simple module, which enables me to write it all ini-style (it was already like that, but then resolved in an uglier way than it is now).
If you browse to the downloads section, you will find it there, with a published web-frontend and so on. If you have any comments please let me know. From what I saw from my local tests this just works fine.
For 2.0 I will be issuing a separate statistics file, which I will write ini-based (from the application) to gather statistics about [ok] [bad] [banned] hosts. This way we can more selectively send messages to the bogus mirror, and even ban them (which could result in an automated removal from the main site for example) if they trigger the (adjustable) thresholds.
Mar 20
Hello,
It has been a while since I posted some updates to the site. I have been very busy with work and things around that, so E_NOTIME to bring in updates. Because I don’t see that changing anytime soon, I’ll stick with some technical contributions to the internet. I am playing a lot with Checkpoint at the moment, and I would like to document some trivial things, as well as some other things that are not as trivial as they seem. I know that others can use the information (hence even Elsevier contacted me recently to help write a book about Checkpoint NGX), so let’s try to share and document it properly.
In the menubar you can see that I moved a lot of technical items to the “Technical” menu; I’ll place nice information there. I will probably bring in a separate category for Checkpoint under the FAQ as well so that it’s even easier to spot.
I am also writing up more for FreeBSD in the near future (if time permits) and I am pondering documenting a few PoCs that I did recently.
So expect information back on the board soon, but not regarding my private life anymore; I just don’t have enough time to do so.
Mar 20
Although I am a die-hard FreeBSD enthusiast, let’s congratulate the NetBSD group on its 15th anniversary!
FreeBSD and NetBSD have always had a friendly competition with regard to implementing new technology. I hope we can both learn and adopt from that for at least the next 15 years.
For more information about the NetBSD Operating System: www.netbsd.org
For more information about the FreeBSD Operating System: www.freebsd.org
Dec 22
There could be times that BGP is not being synchronised properly or something. First of all, check the local netmask on both routers. I have -seen- issues where the netmasks weren’t the same within the same network, which prevented BGP information from being exchanged properly. So, hint: check netmasks / network information and make sure they are correct!
Nov 28
So, today I "updated" WordPress to match my digital camera. Why did I do this? Well, easy!
Currently WordPress supports thumbnails for uploaded pictures if the file is <= 3 megapixel in size. Not megabytes or something, megapixel.
I updated the wp-admin/includes/image.php file to be able to upload files (and thumbnail them) if they are bigger than that size. This way I can normally add my digital photos that were created by my Sony Alpha 100 camera.
What did I do?
Edit wp-admin/includes/image.php and search/replace the following line (at the moment of writing this is line 150 with WordPress 2.3.1):
CODE:
$max = apply_filters( 'wp_thumbnail_creation_size_limit', 3 * 1024 * 1024, $attachment_id, $file );
with the following line:
CODE:
$max = apply_filters( 'wp_thumbnail_creation_size_limit', <amount of megapixels you want to support here> * 1024 * 1024, $attachment_id, $file );
EDIT: Please note that you might run into server errors because of PHP running out of its allowed memory size. You can set these values in ``php.ini``.
Oct 05
Today I was toying around with Eventia Reporter in order to generate some reports about the things I did with Checkpoint etc. Since I built up a new environment from scratch, I needed to import various logfiles. When you enter the GUI and start a recording session there, you will find that you can only do this one log at a time, which is time-consuming and frustrating because the machines have time available to process logfiles instead of having free CPU cycles left. I couldn't find any useful option last night when I tried to script this, but I found some information on the CPUG.org forum that could help you (original post here). If you want to do this automatically you should do something like:
log_consolidator -R -e Yes -s ip-addr-of-logserver -x Yes -o No -t Specified_Log -l <logfile>.log -a Begin_of_Log -b <your connections table>
If you script that it would become something like this (easy example on SPLAT; use nohup to start the process or you will lose the script eventually due to automatic logouts):
#!/bin/sh
# Feed every saved log file to log_consolidator, one at a time.
APP=/opt/CPrt-R65/log_consolidator_engine/bin/log_consolidator
LOGDIR=/opt/CPsuite-R65/fw1/log # use the path where your backup logs are stored here
# Let the shell expand the pattern; parsing `ls` output breaks on odd filenames.
for LOG in "$LOGDIR"/*<pattern if needed>*.log
do
    [ -f "$LOG" ] || continue # the pattern matched nothing
    "$APP" -R -e Yes -s <loghost> -x Yes -o No -t Specified_Log -l "$LOG" -a Begin_of_Log -b <table>
done
Oct 02
Lately I have been attempting to upgrade several Checkpoint Smart Center stations from R60 to R65. Not without a glitch though. So I thought, let's write a little bit of documentation about this.
Initially I needed to upgrade the old management station twice to get to R65, which already was a pitfall. But after that it started working properly. Next I downloaded the latest NGX utilities from the internet and performed a backup to prepare for an OS upgrade (changing the OS from the company in Redmond to SPLAT).
So far everything went smoothly and I felt really relaxed doing it. I rebuilt one of the management stations with SPLAT R65 and copied over the huge file (2.5GB in size), which took a little while, and yeah, it was finally there. I wanted to import the file, but sadly I got several errors stating that I could not copy the file etc. I of course am ignorant so I tried to do this manually; and darn, that works! Now extracting the file... also works. So why does "upgrade_import" cause problems? After a long struggle, even noting this on the internet (I posted forum posts), I found the cause of the problem, at least the problem for me.
My backups were huge because of database revisions being saved in them as well (as it should). I removed them after a tip from my support company (the tip was for something else but it led to the solution) and was left with a 53MB file (yeah, a bit smaller than before ;-)).
The moment that my support party told me that I could lower the size of the file so that we could analyze it together, I got struck by lightning (well, an idea struck me): what if the system does not allow files bigger than 2GB (which is probably hardcoded, because the manual copy went OK!)? So now having the 53MB backup file, I copied that over much quicker and imported that... it worked.
Symptoms:
DecompressImportedFile: Error >> Failed to copy /var/backups/xxxxx.tgz to /opt/CPsuiteR65/fw1/tmp/upgrade_temp_dir
Solution:
Get rid of the database revision files (you can safely back them up and remove the contents of the repository directory and the fwdatabaserevision.dwb file (or something like that)), rerun the backup import on that specific backup and be done with it.
Aug 01
For a long time I used a little script called logtransfer, which is just a stupid script that scp's files matching *2007-07-01* over, for example, but that wasn't very flexible anymore. I set up rsync with some modules that enable me to transfer the logfiles in an almost similar setup as before, but now with partial file transfer support (continue where the beast stopped, to prevent unneeded transfers) and deletion support (if files are gone, they are removed locally as well; I won't do that before I have made backups on DVD of course).
This gives me much more flexibility, because filenames can change, things can get deleted by hand, etc., and that is taken into account now (I realise that this is not something everyone wants to pursue, but I do :)).
Backups are now quicker, more complete and, well, more my style. No more need to maintain scripts myself; just use standard tools already available that do the job very well.
(Oh, of course I use rsync for much more than just my backups and logfile transfers; I use it for the Honeynet project, mirroring my webtrees to an offsite location, making sure that my patches on the FreeBSD cluster are synchronised with my local tree etc.)
Example rsync usage that I do now:
/usr/local/bin/rsync --ignore-errors -av --partial --delete remotehost::modulename targetdirectory
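The pull described above, as an added example that is not the author's script: it keeps `--delete` but moves every file rsync would remove or overwrite into a dated directory and caps the number of deletions per run, so a log directory that was emptied on the remote side does not silently empty the local copy. The function names, the "attic" directory and the default limit are assumptions; `--ignore-errors` is left out because it tells `--delete` to go ahead even after I/O errors.

```shell
#!/bin/sh
# Added example, not the original logtransfer replacement.
# Names, paths and defaults below are assumptions for illustration.

RSYNC=${RSYNC:-rsync}

# pull_logs SRC DEST ATTIC [MAX_DELETE]
#   SRC        e.g. remotehost::modulename (daemon module) or a local dir/
#   DEST       local mirror directory
#   ATTIC      directory outside DEST that receives removed/replaced files
#   MAX_DELETE stop deleting after this many files in one run
pull_logs() {
    src=$1 dest=$2 attic=$3 max_delete=${4:-50}
    stamp=$(date +%Y-%m-%d)
    mkdir -p "$dest" "$attic/$stamp" || return 1
    # A relative --backup-dir is taken relative to DEST, where --delete
    # would see it as an extraneous directory; pass an absolute path.
    attic_abs=$(cd "$attic/$stamp" && pwd) || return 1

    # -a          keep times/permissions so unchanged logs are skipped
    # --partial   resume interrupted transfers of big logfiles
    # --backup    park deleted or overwritten files instead of destroying them
    "$RSYNC" -a --partial --delete \
        --max-delete="$max_delete" \
        --backup --backup-dir="$attic_abs" \
        "$src" "$dest"
}

# count_parked ATTIC: number of files that earlier runs moved aside.
# A sudden jump is worth a look before the attic is pruned.
count_parked() {
    find "$1" -type f | wc -l | tr -d ' '
}
```

Called as `pull_logs remotehost::modulename targetdirectory /some/attic`, it replaces the one-line command above; prune the attic only after the off-line backup has been written.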