Aug 20

Today is a big day, for me, for Ed Schouten and for FreeBSD (and its consumers, of course). Why? Ed Schouten today integrated his MultiProcessorSafe (MPSAFE) implementation of the TTY layer for FreeBSD. From the moment I heard about the project, Ed and I had been in contact: both working at the same company (Snow B.V.), we flew to Canada together (facilitated and sponsored by Snow B.V.), visited each other, and have been in contact for ages (or at least it feels like ages, which is a positive point in this case). Ed also graduated in the meantime by working on this TTY layer. So a lot of good things have evolved because of this!

For FreeBSD this means that finally the TTY layer is GIANT-less. One more big obstacle removed on the way to entirely getting rid of the GIANT lock ;-). As Poul-Henning Kamp mentioned at some point: this is one of the last chapters that needed rewriting (and had needed it for a long time, as far as I know).

So I am really happy about this. Good Work Ed!!!

written by Remko

Aug 18

Today we learned that George Neville-Neil leaves the FreeBSD Security Team due to lack of time. It’s sad that George leaves the team, but he leaves a lot of good work behind and he was a great asset to our Security Team. Therefore: “Thank you for working with us, George!”

written by Remko

Aug 06

Recently I started the translation of the FAQ, which is currently progressing well. Initially I will do a rough translation and finalize the bits later on. I already got some positive feedback from Ed Schouten (a friend and fellow FreeBSD developer), which I incorporated. The FAQ has become worthwhile to translate thanks to the efforts of Gabor Pali; thanks for that, mate!

For more information regarding the FAQ, see the FreeBSD DOC NL page listed at the top, or have a look at http://www.freebsd-nl.org/faq. More updates to follow!

written by Remko

Jul 27

So, I have been very productive this weekend, not as productive as I hoped to be for FreeBSD (merging some changes that I had made recently, for example), but productive nevertheless. We went to Plaswijckpark on Friday with Luca, who had a very nice day there (and so did we). It was good to see him again, and Denise as well of course :-).

On Saturday I started translating the Jail chapter and the FAQ (in parallel), which I inserted into the Perforce repository, so have a look if you are interested. Note that it’s very much work in progress!

Later that day I went to the cinema with Denise. The Strangers is a very nice horror movie! I enjoyed being with Denise again and spending time together :-), oh, and we are of course still looking for our perfect house to start living together :-)

After doing that I noticed an update from Rene Ladan, who finalized the Virtualization chapter! Brilliant work! I checked it and imported it into the FreeBSD repository, and also updated the local Perforce branches with it.

On Sunday I watched Saw 4 with my dad, and bicycled towards the office I am currently working at to see how far that would be. It’s a bit too far to bicycle every day, or actually it costs too much time to get there :-), but it was an impressive thing to do for someone who has not been a biker for so long. I got around 24 km/h according to Robert.

After that I vacuum-cleaned the car and continued working on some projects; now it’s getting dark while I am writing this blog entry.

I enjoyed this weekend, thanks to technology and of course (the most important) Luca and Denise!

written by Remko

Jul 26

So, I picked up a lot of changes through Gabor Pali (pgj@) for the FAQ, and decided that I could easily start the initial translation. Most of the content so far is very readable and translatable (which isn’t always the case for the regular Handbook; see for example the MAC chapter and the Audit one, which I am trying to finish for the Dutch project as well), and I’ll probably have a look at the Jails chapter soon as well. Beyond that, Rene is helping a lot with translations, which gives me a good feeling about being able to finalize the entire Handbook at some point.

Back to the FAQ: I started the translation, and I am not progressing that fast, but fast enough to find it nice to do. I am now sitting in the sun translating the stuff, which is awesome if one can do this :-).

More updates will of course follow.

written by Remko

Jul 13

While most people think that securing your DNS server is practically impossible, I want to give a few hints and tricks to show that it is possible to mitigate DNS-related problems on your own server.

This setup should actually be followed by everyone who cares about their DNS server!

There are a few options to protect your DNS server as much as possible.

  • Split your DNS servers. The internal network is the one most likely to need remote (recursive) queries; the external side probably only serves the zones you host. Why have them in one instance? Split the machines where possible, or create different views, so that internal clients can only recurse and external clients can only look up the domains you host. (SPLIT-DNS)
  • Add ACLs and limit recursion. If you cannot do the above, you should try as best you can to limit the number of people who can use your DNS server to do remote lookups. Is it really necessary that joe-next-door uses your DNS server to visit www.triplexdomain.com? ISPs are there to serve these DNS queries for him :-)

    An example of an ACL in named:

    acl your-acl-name { 10.0.0.0/8; };

    This matches any host in the 10/8 network.

    Limiting recursion through the ACL

    Add the following to the options {}; statement in named.conf:

    recursion yes;
    allow-recursion { your-acl-name; };

    Do note the semicolons and the curly braces; named will refuse to load a named.conf that is missing either of them!

  • Use random query ports. Whilst in the past people had been using static source ports for doing remote DNS queries, to make them pass through firewalls easily, that’s no longer an option. Recently ISC and CERT announced advisories to address static query ports. A static port makes you very vulnerable to spoofed responses, and could mean that secure.yourimportantbusiness.com suddenly points to my evil.notsoimportanthost.com, so that I can trick your users into submitting their data to my machine, which I can then use to do very nasty things (like having a free holiday in the Bahamas, I like it already!).

    In this case one should define the DNS server in the firewall and allow it to send queries from port 53 and from ports >1024. I have been using this setup for ages, and I do know that a lot of larger companies also have similar rules in their external firewalls. This allows the DNS server to pick from a lot of random ports to do queries from.

    If you run a recursive DNS server (because you are an ISP), then consider running only SSH and BIND on the machine (or whatever product you use). The machine does not need to be firewalled at all then, as long as you disable any unused applications. One could of course filter the SSH login, but having a stateful filter in front of a large DNS server is just asking for problems (thanks Bjoern and Doug for this information!).

  • Use DNSSEC where possible. Currently not many TLDs support it, but where there is the possibility, you can add a security layer by using it. Of course this does not prevent spoofing forever, but it makes it harder again. And security is all about making the barrier too high to try (if the barrier is low, someone will try; if it requires too much time or money, people will not do it that easily, though there is always someone willing to put in the required resources, keep that in mind).
  • Always use the latest available version from your vendor where possible. It’s sometimes a pain in your royal behind to update the services you host, but do realise that by running the latest (stable) release from your vendor you close many known holes. It still leaves you open to things not yet found, of course (but isn’t that always the case). Do plan these kinds of actions and make sure you test such a setup first, or keep the “old” machine alive until you are confident that everything works. You do not want to explain to some high-ranking boss that you didn’t test, or that you cannot return to the old situation. (Something I learned to do is: install a new machine and its applications. Test whether the basic things that you expect it to do still work. Unplug (yes, do not power off!) the old machine and plug in the new one. If it has worked through XX days, then you can back up the old machine (make sure you test the backup before really turning off the machine!) and turn it off.)
  • Of course managers and people around you will complain that it will require a lot of resources; properly planning things will demand time and money etc. But you can easily counter that by telling your boss or manager that in case something does go wrong, the damage is most likely higher. Point at the risk-index numbers that you periodically create (right!?) to show what kind of risk is involved.
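To show how the first three points above (split DNS via views, ACLs with limited recursion, and random query ports) fit together in one configuration, here is an added example of a BIND 9 named.conf; it is not from the original post. The ACL name, view names, zone name and file paths are placeholders, and the `view`, `match-clients`, `allow-query-cache` and `use-v4-udp-ports` statements are standard BIND 9 options (the port-range option from BIND 9.5 onwards) that the post itself does not mention. The weak setting for query ports is shown only in a comment next to its replacement.

```conf
// Added example (not from the original post): split-DNS named.conf for BIND 9.
// Placeholder names: acl "internal", views "internal"/"external",
// zone example.org, file paths under /var/named.

// Who counts as "inside". Matches any host in 10/8 plus localhost.
acl internal {
    127.0.0.1;
    10.0.0.0/8;
};

options {
    directory "/var/named";            // placeholder path

    // Random query ports: do NOT pin the source port.
    //   weak:   query-source address * port 53;   (fixed port, easy to spoof)
    //   better: leave "port" out so named picks a random port per query.
    // Restrict the random range to >1024 so it matches the firewall rule
    // "allow queries from port 53 and >1024" described in the post
    // (BIND 9.5+ option, assumed available):
    use-v4-udp-ports { range 1024 65535; };

    // Global default: nobody recurses unless a view says otherwise.
    recursion no;
};

// Views are tried in order; the first match-clients that matches wins,
// so the internal view must come before the catch-all external one.

// Internal view: may recurse, only reachable from the internal ACL.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };

    // Root hints, needed for recursion (placeholder file name).
    zone "." {
        type hint;
        file "named.root";
    };

    // Internal copy of our zone (may contain private addresses).
    zone "example.org" {
        type master;
        file "internal/example.org.zone";
    };
};

// External view: authoritative for hosted zones only, never recurses.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };

    // Public copy of the same zone, without internal records.
    zone "example.org" {
        type master;
        file "external/example.org.zone";
    };
};
```

After editing, run `named-checkconf` on the file before reloading; it catches the missing semicolons and braces the post warns about. Sending a recursive query for a name you do not host from an external address should then return a REFUSED status (or an answer with the RA flag clear), while the same query from a 10/8 address is resolved.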

The above are of course a couple of open doors (stating the obvious), though we (security people) see enough in the real world to know that the above isn’t followed most of the time. Most bigger companies have the resources etc. to properly do this, and some indeed use them to do the new setup, but many, many, many smaller companies are not using these kinds of things at all, because it costs too much money. Please try to openly discuss these things with your company if you hit this. You are better off in the end if you properly discussed this, got a “no” anyway, and then things go wrong.

Hopefully the above helps a bit. I wrote this information stream based upon the latest CERT advisory for BIND, and on a few discussions here and there on the FreeBSD-Security lists. Thanks to Doug Barton and Bjoern A. Zeeb for giving me some thoughts about this (they might not be aware of this yet).

written by Remko

Jun 29

I am currently working on a lot of projects.

At work I am involved with Cisco/Netscreen and Fortigate devices.

I am preparing two different presentations:
- one for EuroBSDCon together with Tom Scholten (who did most of the work so far)
- one for an upcoming BSD event in the Netherlands, on the 13th of December in Utrecht, BE THERE :-))
- I am also trying to help with the BSD event (assisting the organisers).

Personally:
- I am also working on writing an article that should help parents get more insight into what their kids are doing online, and what simple grounds one can have to “defend” the kid against nastiness on the internet (recently a topic was shown in the Netherlands that certain people try to take over kids’ webcams so they can see them naked after showering. Horrible!),
- I am trying to write a (distributed) firewall management environment which can be used by pfSense and just regular BSD environments. I think that can really add to the usage of *BSD-related firewalls :-)
- I am also continuously developing the FreeBSD Dutch Documentation Project
- Doc work, WWW work, Secteam work, secteam-secretary work (slacking there), src/ work and MFCs
- I need to get some appointments going so that I have a better agenda again
- Doing an exam in the near future again.
- Making some nice pictures of flowers and things in the environment here :-)
- Ranting about the political situation in the Netherlands, I’ll try to write an article about my view on what is happening (trying to get only facts and not my opinion, because that shouldn’t matter).
- Trying to see Denise and Luca as much as possible (of course :D)

Life’s busy, but it keeps me going :-).

written by Remko