Archive for December, 2011

SBDavid

The init Daemon

The init daemon is the system and service manager for Linux. It is the first true process Linux starts when it boots and as such, has a PID of 1 and is the ancestor of all processes. The init daemon has been around since the early days of UNIX, and many people have worked to improve it. The first Linux init daemon was based on the UNIX System V init daemon and is referred to as SysVinit (System V init daemon).

Because SysVinit does not deal well with modern hardware, including hotplug devices, USB hard and flash drives, and network-mounted filesystems, Fedora/RHEL recently replaced it with the Upstart init daemon (http://upstart.ubuntu.com/ and http://upstart.ubuntu.com/wiki). Fedora 15 has moved past Upstart to the systemd init daemon.

strace - trace system calls and signals

In the simplest case strace runs the specified command until it exits.

It intercepts and records the system calls which are called by a process and the signals which are received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option.

strace is a useful diagnostic, instructional, and debugging tool. System administrators, diagnosticians and trouble-shooters will find it invaluable for solving problems with programs for which the source is not readily available since they do not need to be recompiled in order to trace them. Students, hackers and the overly-curious will find that a great deal can be learned about a system and its system calls by tracing even ordinary programs.

And programmers will find that since system calls and signals are events that happen at the user/kernel interface, a close examination of this boundary is very useful for bug isolation, sanity checking and attempting to capture race conditions.

Example:

strace -p process-id

SBDavid

Server Name Indication

Server Name Indication (SNI) is a feature that extends the SSL and TLS protocols to indicate what hostname the client is attempting to connect to at the start of the handshaking process. By doing so it allows a server to present multiple certificates on the same IP address and port number and hence allows multiple secure (HTTPS) websites to be served off the same IP address without requiring all those sites to use the same certificate.

Unfortunately, for the use of SNI to be practical, the vast majority of users must be running web browsers that support it. Users whose browsers do not support SNI will be presented with a default certificate and hence are likely to receive certificate warnings. As of 2011 there are still many users of browsers that do not support SNI.

SBDavid

lfd Principles

One of the best ways to protect a server from inbound attacks on its network daemons is to monitor their authentication logs. Invalid login attempts that happen in a short space of time from the same source can often mean someone is attempting to brute-force their way into the server, usually by guessing user names and passwords and therefore generating authentication and login failures.

lfd can monitor the most commonly abused protocols, SSHD, POP3, IMAP, FTP and HTTP password protection. Unlike other applications, lfd is a daemon process that monitors logs continuously and so can react within seconds of detecting such attempts. It also monitors across protocols, so if attempts are made on different protocols in a short space of time, all those attempts will be counted against the threshold.
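The cross-protocol counting described above, as an added example that is not lfd's own code: a sliding-window counter over constructed sshd, dovecot (POP3/IMAP) and vsftpd log lines, where one source that fails a few times on each protocol crosses the threshold even though no single protocol would. The log lines, the threshold of 5 and the 300-second window are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (syslog style, no year), not taken from a real host.
SAMPLE_LOG = """\
Dec  3 10:00:01 host sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Dec  3 10:00:03 host sshd[2002]: Failed password for root from 198.51.100.7 port 50123 ssh2
Dec  3 10:00:06 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=198.51.100.7, lip=203.0.113.5
Dec  3 10:00:09 host vsftpd: [pid 2010] [anonymous] FAIL LOGIN: Client "198.51.100.7"
Dec  3 10:00:12 host dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=198.51.100.7, lip=203.0.113.5
Dec  3 10:00:20 host sshd[2003]: Failed password for root from 192.0.2.9 port 41000 ssh2
Dec  3 10:30:00 host sshd[2004]: Failed password for root from 192.0.2.9 port 41001 ssh2
"""

# One failure pattern per monitored protocol; each captures the source address.
LOG_PATTERNS = [
    ("sshd", re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+)")),
    ("pop3", re.compile(r"pop3-login: .*auth failed.*rip=(?P<ip>[\d.]+)")),
    ("imap", re.compile(r"imap-login: .*auth failed.*rip=(?P<ip>[\d.]+)")),
    ("ftp", re.compile(r'vsftpd: .*FAIL LOGIN: Client "(?P<ip>[\d.]+)"')),
]

def parse_failure(line):
    """Return (timestamp, protocol, source_ip) for an auth-failure line, else None."""
    for proto, pattern in LOG_PATTERNS:
        match = pattern.search(line)
        if match:
            ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # leading syslog stamp
            return ts, proto, match.group("ip")
    return None

def find_offenders(log_text, threshold=5, window_seconds=300):
    """Count failures per source across all protocols inside a sliding window.
    Returns {ip: sorted list of protocols seen} for every source reaching the threshold."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, protocol) inside the window
    offenders = {}
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, proto, ip = parsed
        window = recent[ip]
        window.append((ts, proto))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()      # expire failures older than the window
        if len(window) >= threshold and ip not in offenders:
            offenders[ip] = sorted({p for _, p in window})
    return offenders

if __name__ == "__main__":
    for ip, protocols in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip}: {len(protocols)} protocols hit -> {', '.join(protocols)}")
```

Counted per protocol, 198.51.100.7 never exceeds two failures; counted across protocols it reaches the threshold within eleven seconds, while 192.0.2.9's two failures half an hour apart never accumulate.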

SBDavid

SSL/TLS Manage Certificate Sharing

If you are the server administrator, you can choose to allow your customers to share your SSL certificate.

1. Click Change Certificate Sharing Permissions to begin.

2. On the Manage SSL Certificate Sharing screen, click Enable Sharing.

Click Disable Sharing if you want to disallow users from sharing your certificate.

3. Under the Certificate Linking heading, select a domain to see an accurate link example.
