Phat Site Blog

Tag: kernel

Ksplice Uptrack for Fedora Instantly Updates Kernel Without Having to Reboot

by on Sep.02, 2010, under Server Maintenance


Source: TheWHIR, Wed, 01 Sep 2010, "Ksplice Uptrack for Fedora Instantly Updates Kernel Without Having to Reboot": http://www.thewhir.com/web-hosting-news/090110_Ksplice_Uptrack_for_Fedora_Instantly_Updates_Kernel_Without_Having_to_Reboot


CentOS – 5.5 & gspca

by on Jun.18, 2010, under Server Maintenance

On 14/06/10 20:24, m.roth@5-cent.us wrote:

It may be latest and greatest, but it is also hopefully the most stable version as a lot of the development work done involves fixing bugs, and that's generally how software becomes more stable. If you're getting errors, try reporting them upstream – in my experience they are very swiftly fixed.

All this started because JohnS and yourself were talking about the old gspca driver that is deprecated, and over 4 years old now. All I'm trying to say is if you need a driver for gspca, don't use that (old unsupported) one, use this (newer supported) one.

There is no last stable version, releases or version numbers in much the same way that the kernel has no version numbers for the vast majority of individual drivers it contains. People fix bugs and add features as necessary on a continual basis. Rhetorical: What would you propose - every Monday at noon everything stops for an hour while they take a snapshot and call it “STABLE”? That is what I mean by rolling development.

But as you run Enterprise Linux, and are rightly concerned with stability, rather than update your whole kernel to the latest and greatest, ELRepo gives you the opportunity to retain your stable Enterprise Linux kernel and run *only* the updated hardware drivers that you need to support hardware that isn't directly supported by your stable Enterprise Linux kernel.

Yes, gspca is the driver for the webcam. The apps live in a separate branch here: http://linuxtv.org/hg/dvb-apps/ which you can build/package separately if you need them. ELRepo don't build/offer them as they are not kernel drivers.



Little Unix Admin: fwknopd – Firewall Knock Operator aka SPA …

by on Mar.26, 2010, under LAMP

fwknop is a tool that works together with iptables to provide Single Packet Authorization (SPA).

I first came across fwknop when I bought the book Linux Firewalls by Michael Rash; he is the author of fwknop, psad, fwsnort and other security tools.

On receiving a valid SPA packet, fwknopd inserts an iptables ACCEPT rule that lets the requesting IP reach the requested service (here SSH on tcp/22). The rule lives only for FW_ACCESS_TIMEOUT seconds, 30 by default; when the timeout passes, fwknop's knoptm process removes it and the port is unreachable again for new connections. A session you opened inside the window stays up as long as the firewall accepts ESTABLISHED traffic ahead of its DROP rule, which a stateful setup such as Shorewall's does.

For more information, please read the book Linux Firewalls and Michael Rash's official site: http://www.cipherdyne.org/fwknop/

Now I have 2 boxes,

Node1 = 192.168.145.41 ( also known as server )

Node2 = 192.168.145.42 ( also known as client )

Node1 has been set up with a firewall (Shorewall) that blocks port 22.

From node2 we now try to ssh to node1.

First, I scan node1:

[root@node2 ~]# nmap -P0 192.168.145.41

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-11-23 11:56 MYT

Interesting ports on node1 (192.168.145.41):

Not shown: 1677 filtered ports

PORT STATE SERVICE

80/tcp open http

113/tcp closed auth

8080/tcp closed http-proxy

MAC Address: 00:0C:29:5E:8B:28 (VMware)

Nmap finished: 1 IP address (1 host up) scanned in 22.151 seconds

Port 22 is not listed at all: it is among the filtered ports, meaning the probe got no answer. Second, I ssh to node1:

[root@node2 ~]# ssh 192.168.145.41

Nothing comes back; the connection simply hangs.

On node1, look at the log:

Nov 23 09:04:18 node1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0c:29:5e:8b:28:00:0c:29:23:90:aa:08:00 SRC=192.168.145.42 DST=192.168.145.41 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=32176 DF PROTO=TCP SPT=44194 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

The firewall dropped node2's SYN to port 22 (SRC=192.168.145.42, DPT=22). Now set up fwknopd on node1: the notification address goes in fwknop.conf and the access policy in access.conf.

[root@node1 fwknop]# vi /etc/fwknop/fwknop.conf

EMAIL_ADDRESSES chenghui81@gmail.com;

[root@node1 fwknop]# vi /etc/fwknop/access.conf

SOURCE: ANY;

OPEN_PORTS: tcp/22; ### for ssh (change for access to other services)

KEY: a13xch0ng;

FW_ACCESS_TIMEOUT: 30;

(SOURCE: ANY accepts SPA packets from any address, and the client's -a option names the IP that gets let through; a packet is still only honoured if it decrypts under KEY, which is the shared secret here and should be long and random rather than a short password. access.conf also supports REQUIRE_SOURCE_ADDRESS: Y, which rejects a packet whose requested IP differs from the address it actually came from, and REQUIRE_USERNAME to tie access to a client user; both are worth setting when SOURCE is ANY.)

Start the fwknop service:

[root@node1 fwknop]# /etc/init.d/fwknop start

Starting the fwknop daemons: [ OK ]

Tail the log:

[root@node1 fwknop]# tail -f /var/log/messages

Nov 23 10:03:29 node1 init: Trying to re-exec init

Nov 23 11:33:28 node1 fwknopd: starting fwknopd v1.9.9 (file revision: 1353)

Nov 23 11:33:28 node1 fwknopd: flushing existing iptables fwknop chains

Nov 23 11:33:29 node1 fwknopd: imported access directives (1 SOURCE definitions).

Nov 23 11:33:29 node1 fwknopd: imported previous tracking digests from disk cache: /var/log/fwknop/digest.cache

Nov 23 11:33:29 node1 kernel: device eth0 entered promiscuous mode

(The kernel reports eth0 entering promiscuous mode because fwknopd sniffs packets on the interface with pcap instead of listening on a socket; you see the same message when running any sniffer. This is the heart of SPA: the daemon opens no UDP port of its own, so a scan cannot find it.)

On node2, now send the Single Packet Authorization message with the fwknop client:

[root@node2 ~]# fwknop -A tcp/22 -a 192.168.145.42 -k 192.168.145.41

(tcp/22 is the port you want opened; -a is the source IP to be allowed through, i.e. this client; -k is the destination, the host running fwknopd)

[+] Starting fwknop client (SPA mode)…

[+] Enter an encryption key. This key must match a key in the file

/etc/fwknop/access.conf on the remote system.

Encryption Key:

(The encryption key asked for here is the KEY you set in access.conf on the server side.)

[+] Building encrypted Single Packet Authorization (SPA) message…

[+] Packet fields:

Random data: 2421962114322037

Username: root

Timestamp: 1227411567

Version: 1.9.9

Type: 1 (access mode)

Access: 192.168.145.42,tcp/22

SHA256 digest: uBZSsbkeoAH/pA44IHxLGvHt3rC8F513ry4XCVKimkU

[+] Sending 182 byte message to 192.168.145.41 over udp/62201…

Seeing this output only means the client built and sent the packet. SPA is one-way, the server sends nothing back, so whether the packet was accepted shows up only in node1's log.

On node1, /var/log/messages shows:

Nov 23 11:39:45 node1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0c:29:5e:8b:28:00:0c:29:23:90:aa:08:00 SRC=192.168.145.42 DST=192.168.145.41 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=43837 DF PROTO=UDP SPT=64210 DPT=62201 LEN=190

Nov 23 11:39:45 node1 fwknopd: received valid Rijndael encrypted packet from: 192.168.145.42, remote user: root, client version: 1.9.9 (SOURCE line num: 26)

Nov 23 11:39:45 node1 fwknopd: add FWKNOP_INPUT 192.168.145.42 -> 0.0.0.0/0(tcp/22) ACCEPT rule 30 sec

(Note the Shorewall line first: the firewall dropped the UDP packet to port 62201, yet fwknopd still read and decrypted it, because it sniffs the interface with pcap and sees every frame whether or not netfilter later drops it. That is why SPA needs no open port at all. The last line shows the ACCEPT rule added for our IP on tcp/22, valid for 30 seconds.)
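To make the server-side logic concrete, here is an added example, my own code and not fwknop's, that models the exchange above end to end: the client builds a message with the same fields the fwknop client printed (random data, username, timestamp, version, type, access), and the server checks it the way fwknopd's log suggests (digest cache for replays, key, timestamp age, source address) before adding a timed ACCEPT entry and expiring it the way knoptm does. Two things are assumed for a stdlib-only script: an HMAC-SHA256 under the shared key stands in for fwknop's Rijndael encryption and SHA-256 digest, and the firewall is a dictionary of timed rules rather than real iptables chains. The key, addresses and clock values are constructed; MAX_AGE is an assumed tolerance, not a fwknop setting.

```python
# Added example (not fwknop's own code): a stdlib-only model of the single
# packet authorization exchange the post walks through. The client message
# carries the same fields the fwknop client printed (random data, username,
# timestamp, version, type, access), each base64-encoded and joined with ':'.
# Assumptions: an HMAC-SHA256 under the shared key stands in for fwknop's
# Rijndael encryption plus SHA-256 digest, and the "firewall" is a dict of
# timed ACCEPT rules rather than real iptables chains. The key, IPs and
# clock values used below are constructed for the demo.
import base64
import hashlib
import hmac
import os
import time

SPA_VERSION = "1.9.9"   # client version shown in the post
ACCESS_MODE = "1"       # "Type: 1 (access mode)"
MAX_AGE = 120           # seconds a packet's timestamp may differ from server time (assumed)


def _b64e(s: str) -> str:
    return base64.b64encode(s.encode()).decode().rstrip("=")


def _b64d(s: str) -> str:
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode()


def build_spa(key: bytes, username: str, allow_ip: str, proto_port: str, now=None) -> bytes:
    """Client side: assemble one authenticated SPA message (fwknop -A/-a/-k)."""
    fields = [
        str(int.from_bytes(os.urandom(8), "big")),  # random data: two requests never hash alike
        username,
        str(now if now is not None else int(time.time())),
        SPA_VERSION,
        ACCESS_MODE,
        f"{allow_ip},{proto_port}",                  # "Access: 192.168.145.42,tcp/22"
    ]
    body = ":".join(_b64e(f) for f in fields)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}".encode()


class SpaServer:
    """Server side (fwknopd): validate messages and keep the timed ACCEPT rules."""

    def __init__(self, key: bytes, access_timeout: int = 30):
        self.key = key
        self.access_timeout = access_timeout   # FW_ACCESS_TIMEOUT
        self.seen = set()                      # digest cache, the role of digest.cache
        self.rules = {}                        # (allow_ip, proto_port) -> expiry time

    def handle(self, packet: bytes, src_ip: str, now: int) -> str:
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:                # exact copy of an already accepted packet
            return "replay"
        try:
            body, tag = packet.decode().rsplit(":", 1)
            rnd, user, ts, ver, typ, access = (_b64d(f) for f in body.split(":"))
            ts = int(ts)
            allow_ip, proto_port = access.split(",", 1)
        except ValueError:                     # covers bad base64, bad UTF-8, wrong field count
            return "malformed"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return "bad key"                   # wrong KEY: fwknopd would fail to decrypt
        if abs(now - ts) > MAX_AGE:
            return "stale"                     # captured earlier and resent much later
        if allow_ip != src_ip:
            return "source mismatch"           # what REQUIRE_SOURCE_ADDRESS enforces
        self.seen.add(digest)
        self.rules[(allow_ip, proto_port)] = now + self.access_timeout
        return "accept"                        # "add FWKNOP_INPUT ... ACCEPT rule 30 sec"

    def is_open(self, src_ip: str, proto_port: str, now: int) -> bool:
        expiry = self.rules.get((src_ip, proto_port))
        return expiry is not None and now < expiry

    def expire(self, now: int) -> list:
        """knoptm's job: drop rules whose timeout passed; returns what was removed."""
        gone = [k for k, exp in self.rules.items() if now >= exp]
        for k in gone:
            del self.rules[k]
        return gone


if __name__ == "__main__":
    key = b"example-shared-key"      # plays the role of KEY in access.conf (constructed)
    t0 = 1227411567                  # the Timestamp the client printed in the post
    server = SpaServer(key, access_timeout=30)
    pkt = build_spa(key, "root", "192.168.145.42", "tcp/22", now=t0)
    print("SPA packet:", server.handle(pkt, "192.168.145.42", t0))
    print("ssh at +10s allowed:", server.is_open("192.168.145.42", "tcp/22", t0 + 10))
    print("same packet resent:", server.handle(pkt, "192.168.145.42", t0 + 5))
    print("removed at +30s:", server.expire(t0 + 30))
```

Run it directly to see an accept, an allowed ssh inside the window, the replay rejection and the expiry. The "source mismatch" branch is what REQUIRE_SOURCE_ADDRESS buys you: without it, the -a value carried in the packet is trusted as given.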

On node2, I log in to node1 immediately, inside the 30-second window:

[root@node2 ~]# ssh 192.168.145.41 -l root

The authenticity of host ‘192.168.145.41 (192.168.145.41)’ can’t be established.

RSA key fingerprint is be:73:8b:27:48:96:ce:f5:16:7c:c5:0d:81:99:c7:3d.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ‘192.168.145.41′ (RSA) to the list of known hosts.

Address 192.168.145.41 maps to node1, but this does not map back to the address – POSSIBLE BREAK-IN ATTEMPT!

root@192.168.145.41’s password:

Last login: Sun Nov 23 07:04:39 2008 from 192.168.145.1

(We are connected to the server through ssh.)

Now look at node1's /var/log/messages again:

Nov 23 11:40:56 node1 fwknopd: add FWKNOP_INPUT 192.168.145.42 -> 0.0.0.0/0(tcp/22) ACCEPT rule 30 sec

Nov 23 11:41:28 node1 fwknop(knoptm): removed iptables FWKNOP_INPUT ACCEPT rule for 192.168.145.42 -> 0.0.0.0/0(tcp/22), 30 sec timeout exceeded

The second-to-last line shows the rule added to iptables that allows 192.168.145.42 (node2) to reach port 22 for 30 seconds.

The last line shows knoptm removing that rule for 192.168.145.42 on port 22 once the 30-second timeout was exceeded (here 32 seconds after it was added).
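As an added example, not part of the original post or of fwknop, the script below turns the two log sources shown above (Shorewall's DROP lines from the kernel and fwknopd's own messages) into an access timeline: it pairs each "add FWKNOP_INPUT" with its "removed" line to get the real lifetime of a window, and lists any source that hit udp/62201 without fwknopd ever logging a valid packet from it, which is how a wrong key or a blind probe shows up. SAMPLE_LOG is constructed: its first six lines are the ones quoted in this post (the removal of the 11:39:45 rule is not in the excerpt, so that window reports no close time), and the last line is an invented probe from 192.168.145.77.

```python
# Added example (not part of the original post or of fwknop): a small parser
# that reconstructs the SPA timeline from the two log sources shown above,
# the Shorewall DROP lines from the kernel and fwknopd's own messages. It
# reports each access window (open time, removal time, lifetime) and any
# source that hit the SPA port without fwknopd ever logging a valid packet
# from it, which is what a wrong key or a blind probe looks like.
# SAMPLE_LOG is constructed: the first six lines are the ones quoted in the
# post, the last one is an invented probe from 192.168.145.77.
import re
from datetime import datetime

SPA_PORT = "62201"   # fwknopd's default UDP port, as seen in the client output

SAMPLE_LOG = """\
Nov 23 09:04:18 node1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0c:29:5e:8b:28:00:0c:29:23:90:aa:08:00 SRC=192.168.145.42 DST=192.168.145.41 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=32176 DF PROTO=TCP SPT=44194 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 23 11:39:45 node1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0c:29:5e:8b:28:00:0c:29:23:90:aa:08:00 SRC=192.168.145.42 DST=192.168.145.41 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=43837 DF PROTO=UDP SPT=64210 DPT=62201 LEN=190
Nov 23 11:39:45 node1 fwknopd: received valid Rijndael encrypted packet from: 192.168.145.42, remote user: root, client version: 1.9.9 (SOURCE line num: 26)
Nov 23 11:39:45 node1 fwknopd: add FWKNOP_INPUT 192.168.145.42 -> 0.0.0.0/0(tcp/22) ACCEPT rule 30 sec
Nov 23 11:40:56 node1 fwknopd: add FWKNOP_INPUT 192.168.145.42 -> 0.0.0.0/0(tcp/22) ACCEPT rule 30 sec
Nov 23 11:41:28 node1 fwknop(knoptm): removed iptables FWKNOP_INPUT ACCEPT rule for 192.168.145.42 -> 0.0.0.0/0(tcp/22), 30 sec timeout exceeded
Nov 23 11:42:03 node1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0c:29:5e:8b:28:00:0c:29:23:90:aa:08:00 SRC=192.168.145.77 DST=192.168.145.41 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=UDP SPT=50000 DPT=62201 LEN=190
"""

TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
PATTERNS = [
    ("spa_packet", re.compile(TS + r"kernel: Shorewall:\S*DROP:.*SRC=(?P<src>\S+) .*PROTO=UDP .*DPT=(?P<dpt>\d+)")),
    ("valid", re.compile(TS + r"fwknopd: received valid .*packet from: (?P<src>[\d.]+), remote user: (?P<user>\S+),")),
    ("open", re.compile(TS + r"fwknopd: add FWKNOP_INPUT (?P<src>\S+) -> \S+\((?P<port>[^)]+)\) ACCEPT rule (?P<secs>\d+) sec")),
    ("close", re.compile(TS + r"fwknop\(knoptm\): removed iptables FWKNOP_INPUT ACCEPT rule for (?P<src>\S+) -> \S+\((?P<port>[^)]+)\),")),
]


def parse_events(log: str, year: int = 2008):
    """Turn matching log lines into (timestamp, kind, fields) tuples; other lines are skipped."""
    events = []
    for line in log.splitlines():
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                events.append((ts, kind, m.groupdict()))
                break
    return events


def summarize(events):
    """Pair each ACCEPT rule with its removal and spot SPA-port traffic that never validated."""
    windows, pending = [], {}
    spa_sources, valid_sources = set(), set()
    for ts, kind, f in events:
        if kind == "spa_packet" and f["dpt"] == SPA_PORT:
            spa_sources.add(f["src"])
        elif kind == "valid":
            valid_sources.add(f["src"])
        elif kind == "open":
            w = {"src": f["src"], "port": f["port"], "opened": ts, "closed": None, "timeout": int(f["secs"])}
            windows.append(w)
            pending.setdefault((f["src"], f["port"]), []).append(w)
        elif kind == "close":
            stack = pending.get((f["src"], f["port"]))
            if stack:                       # a removal closes the newest still-open window
                stack.pop()["closed"] = ts
    return windows, sorted(spa_sources - valid_sources)


def window_rows(windows):
    """Flatten windows to (src, port, opened, closed, seconds); None where no removal was logged."""
    rows = []
    for w in windows:
        opened = w["opened"].strftime("%H:%M:%S")
        if w["closed"] is None:
            rows.append((w["src"], w["port"], opened, None, None))
        else:
            secs = int((w["closed"] - w["opened"]).total_seconds())
            rows.append((w["src"], w["port"], opened, w["closed"].strftime("%H:%M:%S"), secs))
    return rows


if __name__ == "__main__":
    windows, unauthenticated = summarize(parse_events(SAMPLE_LOG))
    for row in window_rows(windows):
        print("window:", row)
    print("SPA-port traffic with no valid packet from:", unauthenticated)
```

The TCP SYN drop from earlier in the post is deliberately ignored (it is not SPA traffic), and the 11:40:56 window comes out at 32 seconds, knoptm's removal running slightly after the nominal 30-second timeout.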

Also check the address set in EMAIL_ADDRESSES: there are two unread mails, one saying the IP has been added to iptables and another saying the timeout passed and the rule has been removed.

fwknop is designed to keep a service out of reach of 0-day exploits: anyone scanning the server sees no open SSH port at all, so they cannot even talk to sshd, let alone attack it. Only a client holding the shared key can open the port, only for its own IP and only for 30 seconds. It is an extra layer in front of SSH rather than a replacement for key-based authentication and patching, and it takes minutes to set up, so it is worth adding to your servers.
