BSD 02 2012 PDF
Dear Readers,
On page 6 we published a letter addressed to all of you. Please have a look at it and find a few minutes to answer the questions listed there. Knowing your opinion on that matter will help us to create a unique magazine which will conquer the hearts of the whole BSD community. We aim for nothing more and nothing less. In the March issue you will find a lot of new topics that weren't yet described in BSD Magazine with proper attention. There is a new series dedicated to BSD Certification, where Dru Lavigne and other specialists will share their experiences with you and answer the most important questions. If there is something you would like to know about BSD Certification or you have some questions regarding this topic, send us an email and you will read the answers in the next issue. This is the opportunity for all who consider taking these exams to find out more about them and prepare better to pass them. In Developers Corner, apart from Kris Moore's article Customizing Your PC-BSD 9.0 Desktop, we welcome a new contributor, Lucas Holt, with his article mport: The MidnightBSD Package Management Tools. We hope you will like it and will be eager to find out more about MidnightBSD, because Lucas promised us to write one more article soon... In How To another surprise awaits you: PostgreSQL: From Installation to PITR by Luca Ferrari, who is a true enthusiast of PostgreSQL. Will he manage to infect you with his passion for this database? Time will show, because it's just the first article of his series about PostgreSQL in BSD Magazine. FreeBSD users won't get bored either. This time Rob Somerville, in his series on security for admins, has prepared some exercises for you. This part is definitely more practical compared to the previous ones, so I recommend you read it and practice a bit.
Admins should also read the article Data Classification Policy by Toby Richards, who claimed that he had run out of ideas for articles, but it seems he was only teasing us :) The issue ends with Counting Our Losses, where Sander Reiche lists the BSD world heroes who passed away in 2011. We hope you enjoy reading! And don't forget to send us your feedback! Patrycja Przybyłowicz & BSD Team
Contributing: Dru Lavigne, Toby Richards, Rob Sommerville, Luca Ferrari, Kris Moore, Lucas Holt, Sander Reiche, Guillaume Duale, Richard Batka
Special Thanks: Denise Ebery, Dru Lavigne
Art Director: Ireneusz Pogroszewski
DTP: Ireneusz Pogroszewski
Senior Consultant/Publisher: Paweł Marciniak pawel@software.com.pl
CEO: Ewa Dudzic ewa.dudzic@software.com.pl
Production Director: Andrzej Kuca andrzej.kuca@software.com.pl
Executive Ad Consultant: Ewa Dudzic ewa.dudzic@software.com.pl
Advertising Sales: Patrycja Przybyłowicz patrycja.przybylowicz@software.com.pl
Publisher: Software Press Sp. z o.o. SK, ul. Bokserska 1, 02-682 Warszawa, Poland; worldwide publishing; tel: 1 917 338 36 31; www.bsdmag.org
Software Press Sp z o.o. SK is looking for partners from all over the world. If you are interested in cooperation with us, please contact us via e-mail: editors@bsdmag.org
All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. Mathematical formulas created by Design Science MathType.
02/2012
Contents
Developers Corner
Customizing Your PC-BSD 9.0 Desktop (page 08) By Kris Moore
One of the most important new features of PC-BSD 9.0 is the ability to customize your desktop with a variety of different FreeBSD packages, such as desktops, window managers, servers, drivers and more. This is done through the new pc-metapkgmanager utility and its front-ends, which allow users to quickly and easily select a bundle of packages, such as KDE or GNOME, to install.
This article is designed for Java developers who want a good operating system for their work. You will learn how to set up the SUN Java system and NetBeans on your OpenBSD desktop. This article is based on the OpenBSD 5.0 version.
Admin
A good sysadmin realizes that security is more than firewalls, encryption, patching, and other technical considerations. One common saying is: The only secure computer is one that's not plugged into the network. Humbug! A clever intruder will easily trick the user into plugging that Ethernet cable back into its socket. The weakest point in any network is the human element.
By Lucas Holt
BSD Certification
Why Should I Become BSDA Certified? (page 12) By Dru Lavigne
If you are reading this magazine, you are interested in learning more about BSD systems. Perhaps you have seen this magazine's ads for BSD Certification and want to learn more about this certification program, or perhaps you think that certification is not for you. This article addresses some common misconceptions about certification and describes why you should be BSDA certified.
By Richard Batka
Security
Anatomy of a FreeBSD Compromise (Part 3) (page 40)
Continuing in our security series, we will look at the tools essential to securing and exploiting systems. In the previous articles, the author looked at the culture and processes behind hacking exploits, as well as some possible real-life examples.
How To
What Can't You Do On The Command Line? (page 16)
Most of us have grown accustomed to some form of true graphical interface to our computers. But there's always that group of so-called geeks who still work at a simple 80x24 console. But that's just for geeks, or is it?
By Rob Somerville
By Sander Reiche
Lets Talk
2011, a hefty year as they all say. Even Discovery Channel has specials on the events of this year. The devastating earthquake in Japan, the war on terrorism finally claimed their hard sought-after victim and even the untimely death of Steve Jobs has a special. But what about the real heroes? The heroes behind the screens, outside of popular media?
The most advanced open-source database available anywhere: this is the comment for the PostgreSQL package. PostgreSQL is an enterprise-level ORDBMS, very stable and reliable, with a rich set of features that make it compete with well known commercial databases.
This is done through the new pc-metapkgmanager utility and its front-ends, which allow users to quickly and easily select a bundle of packages, such as KDE or GNOME, to install. This ability in effect allows a user to deploy a custom FreeBSD based desktop without the hassle of using the command line and manually resolving dependency issues. Let's take a look at how this can be used in the new PC-BSD 9 desktop. When installing PC-BSD for the first time from complete media, such as the DVD, Network, or USB-Full image, users will be presented with a screen allowing the selection of various meta-packages for the installed system. By checking the desired packages, the PC-BSD installer will customize the system installation to the user's liking. More experienced users who are curious about which set of FreeBSD packages is going to be installed may find them by right-clicking on a meta-package set and choosing View Packages. Below is a complete list of the meta-packages available in 9.0:
Desktops: GNOME (Accessibility, Games, Net, Utilities), KDE (Accessibility, Artwork, Education, Games, Graphics, KOffice, L10N (Translations), Multimedia, Network, PIM), LXDE, XFCE (Plugins), Awesome, FVWM, IceWM, OpenBox, ScrotWM, Window Maker
Drivers: HPLIP, Handheld, NVIDIA, VMwareGuest, VirtualBoxGuest
Services: Database Servers, Samba, Web Servers
Misc: I18N (Translations), Compiz, MythTV, XBMC
Development: Debug Tools, SDK, Toys, WebDevKit
After the PC-BSD system is installed it is still possible to customize the desktop by adding or removing meta-packages to the user's liking. There are a couple of possible ways to do this, starting with the easiest, via the PC-BSD System Manager. To begin, open the PC-BSD Control Panel: Figure 2. Next open the System Manager: Figure 3. Once the System Manager is open, click the System Packages tab: Figure 4. Once at the System Packages tab, it is possible to simply check or un-check the respective meta-packages that you wish to add or remove. When installing new packages, the System Manager will automatically download them from the currently selected mirror server, which can be changed via the Mirrors tab in the System Manager. Should the user accidentally remove or otherwise break their graphical desktop, it is possible to fix the system meta-packages via the command line using the pc-metapkgmanager command. To begin using this command it is helpful to get a list of which meta-packages are available with:
Once you have determined which meta-package you wish to install or remove, it is possible to do so with the following commands:
# pc-metapkgmanager add KDE ftp://mirrors.isc.org/pub/pcbsd/9.0/amd64/netinstall/packages/
# pc-metapkgmanager del KDE
The mirror in the example above can be changed to your preferred server URL, taking care to select the correct PC-BSD version and architecture being used (i.e. 9.0/i386 or 9.0/amd64). After changing the meta-packages, it is possible to confirm the status of a particular one via the status flag:
# pc-metapkgmanager status KDE
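As an added example (not code from the article or from the PC-BSD project), the following shell script composes the mirror URL from the release and the machine architecture and checks both before printing the pc-metapkgmanager commands, so the version/architecture mismatch warned about above is caught before anything is downloaded. The function names are hypothetical; the mirror base and the path layout are the ones shown in the article's example.

```shell
#!/bin/sh
# Added example, not from the article or PC-BSD: build and sanity-check the package
# mirror URL before handing it to pc-metapkgmanager. Hypothetical helper names;
# MIRROR_BASE and the netinstall path layout follow the article's example.

MIRROR_BASE="${MIRROR_BASE:-ftp://mirrors.isc.org/pub/pcbsd}"

# Map the kernel's machine name (uname -m) onto the architecture directory the
# mirror uses; anything else is refused rather than guessed.
pcbsd_arch() {
    case "$1" in
        amd64|x86_64) echo amd64 ;;
        i386|i686)    echo i386 ;;
        *) echo "pcbsd_arch: unsupported machine type: $1" >&2; return 1 ;;
    esac
}

# Compose the netinstall package URL for a release and architecture, e.g. 9.0 amd64.
# The release must be digits and dots with at least one dot (9.0, 9.1, ...).
pkg_url() {
    ver="$1"; arch="$2"
    case "$ver" in
        *[!0-9.]*|""|.*|*.) echo "pkg_url: release must look like 9.0: $ver" >&2; return 1 ;;
    esac
    case "$ver" in
        *.*) ;;
        *) echo "pkg_url: release must look like 9.0: $ver" >&2; return 1 ;;
    esac
    arch=$(pcbsd_arch "$arch") || return 1
    echo "$MIRROR_BASE/$ver/$arch/netinstall/packages/"
}

# Print the pc-metapkgmanager command line for a verb. "add" needs the mirror URL,
# "del" and "status" do not. The meta-package name is restricted to the characters
# the installer's names actually use, so it can never smuggle shell syntax into a
# command that is later pasted or eval'd.
metapkg_cmd() {
    verb="$1"; pkg="$2"; ver="${3:-}"; arch="${4:-}"
    case "$pkg" in
        *[!A-Za-z0-9_-]*|"") echo "metapkg_cmd: bad meta-package name: $pkg" >&2; return 1 ;;
    esac
    case "$verb" in
        add)
            url=$(pkg_url "$ver" "$arch") || return 1
            echo "pc-metapkgmanager add $pkg $url" ;;
        del|status)
            echo "pc-metapkgmanager $verb $pkg" ;;
        *) echo "metapkg_cmd: unknown verb: $verb" >&2; return 1 ;;
    esac
}

# Stand-alone use: show the commands for this machine, e.g.  sh metapkg.sh --show KDE 9.0
# (pipe the output into sh as root on a PC-BSD box to actually run them).
if [ "${1:-}" = "--show" ]; then
    metapkg_cmd add "${2:-KDE}" "${3:-9.0}" "$(uname -m)"
    metapkg_cmd status "${2:-KDE}"
fi
```

The script only prints the commands; reviewing them first is deliberate, because a wrong architecture directory on the mirror would otherwise fail half-way through a package set.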
By using these new tools and utilities it becomes easier than ever to customize your new PC-BSD desktop to suit your unique computing needs. In addition this provides the ability to upgrade your system via the internet to newer versions of PC-BSD, such as 9.1, while selectively preserving and upgrading your selected meta-packages.
KRIS MOORE
Kris Moore is the founder and lead developer of PC-BSD. He lives with his wife and four children in East Tennessee (USA), and enjoys building custom PCs and gaming in his (limited) spare time. kris@pcbsd.org
mport:
The MidnightBSD Package Management Tools
One of the most tedious tasks in setting up and maintaining a personal computer is installing software applications. The BSD community has historically handled this by providing users a ports system to compile software and later some package management software.
What you will learn
the history of the mport tool and why it was written, basic usage of the mport tool to install and uninstall software, hints for power users to script or automate tasks.
This approach has worked well for power users. The Linux community has built some user friendly package management tools with command line and graphical user interfaces. In minutes, one can install a new web browser or word processor. When I started the MidnightBSD project, the goal was to bring the benefits of BSD to novice users. Three problems were identified: installing MidnightBSD, managing software, and setting up a graphical user interface. It was clear that package management was essential to solving these problems. Chris Rienhardt and I started working on these problems in 2007. We planned a new system which required changes to mports, our ports collection, and new tools to manage packages. Chris made the necessary changes to the mports system and started working on a new library to create and manage packages. The system uses SQLite3 to store information about available packages, currently installed software and a list of installed files. By the MidnightBSD 0.3-RELEASE, we had working programs to install and uninstall software from the ports system. The system still lacked a front-end management tool. I decided to develop a tool similar to apt-get, but built around libarchive, libmport, and SQLite3. This new tool will be available to end users in the next release, 0.4, and is available for testing in the development version of MidnightBSD, 0.4-CURRENT.
Using mport
Every task to be performed starts with mport followed by a command verb and optionally a software package name.
Installing Software
Searching for software will check package titles and descriptions for matching phrases: mport search gzip. Learn about a software package, including whether it is currently installed, its version and its license: mport info gzip. If you know the name of the software package to install: mport install gzip. Dependencies required by the package are installed automatically.
Table 1. mport commands
Command     Description
clean       Clean up old packages and database
list        List installed software
info        Print information about a software package
delete      Delete a software package
deleteall   Delete all software packages currently installed
download    Download a package, but do not install it
install     Install software
search      Search for software
update      Update a single program
upgrade     Update all software installed on the system
Removing Software
To uninstall a package, use mport delete gzip; note that this does not delete the package file from the system, it only uninstalls the software.
On the Web
List all software currently installed on the system: mport list. List installed software that is out of date: mport list updates.
Glossary
mport sqlite
Update Software
Update all software on the system: mport upgrade. Update a specific package, will download the package if necessary: mport update gzip.
Maintenance Tasks
Clean up old packages and compress the database with: mport clean. Packages will be removed from /usr/mports/Packages. Consult the mport(1) manual for more information.
Other Programs
The mports collection makes use of several simple applications written for a specific task. For example, when a package is created using the package target in mports, the program /usr/libexec/mport.create is run to make the package, followed by /usr/libexec/mport.install to install the package with the install target. Another useful program is /usr/libexec/mport.init, as it creates a fresh master.db in the event that it has been corrupted or deleted by mistake.
In addition to the mport command, power users can write custom scripts or programs to manipulate the package database. Files used by mport are stored in /var/db/mport. The master.db file contains all of the installed package data, while index.db contains the list of available packages from the MidnightBSD package build cluster, magus. Users can open the index files with the sqlite3 command line utility and run SQL queries. Installation logs are available in the logs table, and settings for the mirrors to download packages from are stored in the settings table. A program to make it easy to run queries is available at /usr/libexec/mport.query. C, C++ and Objective-C programmers can use libmport to write their own package tools. The source code is available in src/lib/libmport, with public functions prefixed with MPORT_PUBLIC_API.
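As an added example (not code from the article or the MidnightBSD project), here is a small set of shell functions for poking at the mport databases with the sqlite3 command line tool. The database paths and the table names "settings" and "logs" are the ones the paragraph above gives; the column layout is not documented there, so the functions discover it from sqlite_master and PRAGMA table_info rather than assuming it. Every query opens the file read-only, so an ad-hoc query can never leave master.db in the corrupted state that mport.init exists to repair. Helper names are hypothetical; the sqlite3 flags are real.

```shell
#!/bin/sh
# Added example, not from the article or MidnightBSD: read-only inspection of the
# mport package databases via the sqlite3 CLI. Hypothetical helper names; assumes
# a sqlite3 binary that understands -readonly.

MPORT_DB_DIR="${MPORT_DB_DIR:-/var/db/mport}"      # path from the article

# Run one SQL statement against a database opened read-only. Extra sqlite3 flags
# (e.g. -header) go after the SQL and are placed before the file name, where the
# CLI expects them. A typo in a query can therefore only fail, never corrupt master.db.
mport_query() {
    db="$1"; sql="$2"; shift 2
    sqlite3 -readonly -batch "$@" "$db" "$sql"
}

# List the tables in a database, one per line.
mport_tables() {
    mport_query "$1" "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name;"
}

# Identifiers cannot be bound as SQL parameters, so a table name coming from the
# command line is first restricted to [A-Za-z0-9_] and then looked up in
# sqlite_master before it is interpolated into a statement.
mport_has_table() {
    db="$1"; table="$2"
    case "$table" in *[!A-Za-z0-9_]*|"") return 1 ;; esac
    n=$(mport_query "$db" "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='$table';")
    [ "$n" = "1" ]
}

# Print the column names of a table (second field of PRAGMA table_info output).
mport_columns() {
    db="$1"; table="$2"
    mport_has_table "$db" "$table" || { echo "mport_columns: no such table: $table" >&2; return 2; }
    mport_query "$db" "PRAGMA table_info('$table');" | cut -d'|' -f2
}

# Dump a table such as settings or logs, pipe-separated with a header row.
mport_dump() {
    db="$1"; table="$2"
    mport_has_table "$db" "$table" || { echo "mport_dump: no such table: $table" >&2; return 2; }
    mport_query "$db" "SELECT * FROM \"$table\";" -header
}

# Stand-alone use on the real files:  sh mportdb.sh master    or   sh mportdb.sh index
# With --demo a throw-away database with a constructed (not the real mport) schema
# is built and inspected, so the script can be tried on any machine.
case "${1:-}" in
    master|index)
        db="$MPORT_DB_DIR/$1.db"
        mport_tables "$db"
        for t in settings logs; do
            mport_has_table "$db" "$t" && { echo "== $t"; mport_dump "$db" "$t"; }
        done ;;
    --demo)
        tmp=$(mktemp -d)
        sqlite3 "$tmp/master.db" "CREATE TABLE settings(name TEXT, val TEXT);
            INSERT INTO settings VALUES('mirror','http://mirror.example.invalid/');"  # constructed
        mport_tables "$tmp/master.db"
        mport_columns "$tmp/master.db" settings
        mport_dump "$tmp/master.db" settings
        rm -rf "$tmp" ;;
esac
```

Only the introspection queries are fixed; once the column names are known, the same mport_query wrapper runs any SELECT the reader wants against logs or settings without touching the on-disk file.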
Listing 1. Example output from mport info command
mport info gzip
gzip
latest: 1.3.13
license: gpl3
Future Directions
Following the 0.4-RELEASE of MidnightBSD, I plan to write a graphical application to manage package installations. Further improvements to the system may include using xz for index downloads, improving documentation, fastest mirror selection and refining the upgrade logic. While mport and libmport were designed for the MidnightBSD mports collection, they could be used by other BSD projects.
Summary
mport is the package management solution for MidnightBSD that allows a user to install, update, and delete software packages. It is easy to use, but provides many extension mechanisms for power users to script or automate installations.
LUCAS HOLT
Lucas Holt is the founder of the MidnightBSD project and Programmer/Analyst for Mathematical Reviews in Ann Arbor, MI, USA.
BSD CERTIFICATION
If you are reading this magazine, you are interested in learning more about BSD systems. Perhaps you have seen this magazine's ads for BSD Certification and want to learn more about this certification program, or perhaps you think that certification is not for you. This article addresses some common misconceptions about certification and describes why you should be BSDA certified.
Before starting the BSD Certification Group in 2005, I already had nearly a decade's worth of experience in both taking and teaching IT certifications. This experience gave me the opportunity to learn how various vendors handle their certification programs and how their training methods differ from academic programs. It also gave insight into the concerns raised by potential certificants. These concerns haven't changed over the years and generally fall into the following statements:
- Certifications are a waste of time and not worth the paper they are written on.
- There aren't any training materials available or the training materials are too expensive.
- I'm already working so I don't need to be certified.
This article is the first in a two part series. The first article addresses the above concerns, with a focus on the BSDA certification program, and concludes with some additional resources. The second article will go into more detail on how to become BSDA certified.
Certifications are a Waste of Time and not Worth the Paper they are Written on
Unfortunately, this is true for some certification programs. Exam cram books that allow you to pass an exam without ever having to actually use the software being tested, websites and exam prep software that contain most of the exam's questions and answers, terribly written exam questions that have nothing to do with the exam's objectives or the reality of using the software: all of these add up to give certifications a bad name. Fortunately, this is not true for most certification programs.
And the reason why can be summed up in one word: psychometrics. In a nutshell, psychometrics is the science of assessment. It is a requirement of any accredited academic program (think university or college diploma) and the hallmark of a good certification program, such as the BSDA. You can tell that a certification program is psychometrically valid if it provides the following benefits:
- Exam objectives are the result of a Job Task Analysis (JTA): the first step in a psychometrically valid program is to use a JTA to determine what the certification will assess. As the name implies, a JTA is task-oriented. A good JTA will receive input from those already working in the field being assessed (for example, the BSDA assesses BSD system administration) as well as their employers. This ensures that the resulting exam objectives are based on the real world skills required in that field of employment.
- The exam questions must match the published exam objectives: psychometrics requires that the exam objectives are part of the blueprint used to create the exam questions. This means that the exam can not contain any content that is not specified in the objectives. The objectives themselves must be very specific as to what the testing candidate must know in order to pass the exam and become certified, making the objectives the definitive study reference. If you understand the content of the objectives, you are ready to pass the exam.
- The exam content must match the published domain percentages: the exam's blueprint must also contain the percentages for each domain topic or category. For example, if the blueprint states that Security is worth 20% of the exam and Networking is worth 10%, the exam can not contain more or less than 20% worth of security questions and 10% worth of networking questions. If there are multiple versions of the same exam, one version can not contain more or fewer security questions than the other versions of the exam.
- Exam questions must be clear: the intent of a psychometrically valid exam is not to try to trick you, but to determine if you understand the material being tested. Additionally, if an English version of the examination is available in areas where English is not the native language, great care must be taken to ensure that the questions do not contain grammar or colloquialisms that are confusing to persons whose first language is not English. This means that you would not see the following types of questions on a psychometrically valid exam: a 3 page long question where you have to hunt for the question being asked as it is buried somewhere within all that extraneous information; a question that contains double negatives or other confusing grammar; correct or incorrect answers that are contextually obvious to someone who doesn't understand the material being tested.
- Exam questions must match the level of the intended audience: the exam's blueprint must clearly state the intended audience of the exam, and exam questions should not be too easy or too hard for the intended audience to answer. For example, the intended audience for the BSDA exam is described as follows: The BSDA certification is designed to be an entry-level certification on BSD Unix systems administration. Testing candidates with a general Unix background and at least six months of work experience as a BSD systems administrator, or who wish to obtain employment as a BSD systems administrator, will benefit most from this certification.
Human resource departments should consider the successful BSDA certified applicant to be knowledgeable in the daily maintenance of existing BSD systems under the direction and supervision of a more senior administrator.
The Additional Resources section at the end of this article contains the URL to the blueprint for the BSDA examination as well as links to more information about psychometrics.
There arent any Training Materials Available or the Training Materials are too Expensive
Sadly, the perceived need for authorized training materials and expensive class instruction is a by-product of vendor certifications. Creating and maintaining a certification program is expensive, and training materials and official courseware are often used to create an additional revenue stream. Think of it this way: if someone is studying for a system administration certification, there is no training material or week of classroom instruction that can turn a novice into a system administrator. Training materials can tell you what will be on the exam, but this is redundant as the exam objectives already tell you this for free. And if the training materials tell you which questions and answers are on the exam, we're back in the territory of certifications are a waste of time and not worth the paper they are written on. If a certification is psychometrically valid, it is assessing real world skills. And the only way to obtain real world skills is to sit down with the software being tested and to work your way through the exam's objectives. Some skills you will already have. Some you will need to learn. This does not mean that you need to learn these skills in a vacuum or that training materials or classroom instruction are a bad thing. It means that you need to sit down and figure out which objectives you need to learn and which resources are available to help you learn the skills associated with those objectives. Some people just need a man page, a command prompt, and a bit of time to practice in order to figure out a new skill. To assist these types of learners, each BSDA exam objective contains the man pages associated with that skill and a downloadable Command Reference mapping the man pages to each BSD operating system. Sometimes the man pages are not enough and you need another person to demonstrate how to use a command or to explain that bit of knowledge that is eluding you. Often that person will be a co-worker or a knowledgeable friend. If these are in short supply, a question on an IRC channel or mailing list might do the trick.
And, if there is a sysadmin, UNIX, BSD, or Linux user group in your area, you're quite likely to find someone who can assist you. If you are looking for reading materials, don't limit yourself to official courseware. Skim through system administration books to see if they provide walkthroughs for the skills that you need help with. A good system administration book makes a valuable reference on any administrator's physical or digital bookshelf. If you are looking for a training course, ask for the trainer's credentials as well as how many hours of supervised, hands-on lab work are provided during the course. If the course offers little lab time, save your money and buy a good book. A good trainer is worth their weight in gold as they can answer your questions, show you how to do something, and offer tips on how to do things better. A good trainer will have real world, hands-on experience in the field that they are teaching. If you do sign up for a course, write down the questions that you need to have answered, take them with you to the course, and make sure that they all get answered by the end of the course.
Additional Resources
BSDA Certification Website: http://www.bsdcertification.org/certification/associate.html
BSDA blueprint (Certification Requirements Document): http://www.bsdcertification.org/downloads/pr_20051005_certreq_bsda_en_en.pdf
Psychometrics and Exam Construction: http://www.bsdcertification.org/downloads/psychometric.pdf
How to Create a Psychometrically Valid Certification Examination: http://www.slideshare.net/dlavigne/eurobsdcon-2011
Playing the Certification Game: http://www.slideshare.net/dlavigne/lisa2011
Why Certification Exams Suck (series of 4): http://it.toolbox.com/blogs/bsd-guru/?page=30
- It allows you to fill in knowledge gaps: many system administration skills are learned on the job on an as-needed basis, are repetitive, and are limited to a particular operating system version. This means that you can get very good at the specific tasks required by your particular environment, but may not have the opportunity to learn a broader range of skills. Studying for a certification exam forces you to learn new skills and to determine which skills are considered important within an industry. Filling in these knowledge gaps allows you to widen your current skillset, and these new skills can be an asset in both your current work environment and future employment opportunities. Doing this while employed allows you to proactively increase your skillset without the additional stress of being unemployed and needing to find a job.
- It increases your value to your employer: certifications can provide a competitive advantage to an employer. It is reassuring to customers and partners to know that a company has certified professionals available to meet their needs. If your manager is smart, he'll notice that you take that extra initiative to obtain certifications relevant to your industry, and this could make a difference when it comes time for promotions or layoffs.
- It increases technology adoption: if you are already good at BSD system administration, you're probably interested in seeing it more widely used within the industry. Even if you already know all of the skills covered by the exam objectives and can easily pass the exam, becoming BSDA certified shows your support for the field of BSD system administration. It demonstrates to your employer that BSD is relevant and that other certified professionals are available should you become promoted or additional BSD systems are added to the company's infrastructure.
Conclusion
This article outlined some of the benefits provided by a psychometrically valid certification program as well as some tips for learning the skills needed to pass a certification exam. Hopefully, it has piqued your interest in becoming BSDA certified. The next article will concentrate on the BSDA certification program: where to take the exam, how much it costs, what to do if a testing event is not available in your area, and how to become involved with the BSD certification community.
DRU LAVIGNE
Dru Lavigne is author of BSD Hacks, The Best of FreeBSD Basics, and The Definitive Guide to PC-BSD. As Director of Community Development for the PC-BSD Project, she leads the documentation team, assists new users, helps to find and fix bugs, and reaches out to the community to discover their needs. She is the former Managing Editor of the Open Source Business Resource, a free monthly publication covering open source and the commercialization of open source assets. She is founder and current Chair of the BSD Certification Group Inc., a non-profit organization with a mission to create the standard for certifying BSD system administrators, and serves on the Board of the FreeBSD Foundation.
HOW TO
First things first. There are downsides. Text-based browsing used to be a lot better, back in the day. With all the crazy techniques used on web pages out there these days and the lack of proper web design with graceful degradation back to pure and simple text, text-based browsing can mostly be done on older or simpler websites. But any day is a new day out there on the big Wide Web. Maybe your favourite site some day, out of the blue, supports text-based browsing a bit better than before. Never stop trying! And because the WWW today is more media than old-school plain HTML, that brings us to media in general on the command line. Except for music, the rest isn't really an option on the 80x24 terminal. If you do have X11 installed on your system, then a complete whole new world of possibilities opens up, but I might get into that in another article.
Writing
Using something which usually is installed on most of the *NIX systems: a version or form of troff. Currently most will be distributing GNU's roff, groff(1). Most people will know it from the man pages, but it's so much more than that. You can write articles, papers and even whole books using troff. There will be a pretty steep learning curve and practice makes perfect, but the results are simply awesome. Consider the following example: Listing 1.
Run this through groff(1), which outputs PostScript, and note that ps2pdf(1) comes from ghostscript:
$ groff -ms example.ms | ps2pdf example.pdf
And yes, you need a graphical interface for that. You could, to escape the graphical interface, output the PostScript to a PostScript-capable printer of course, but paper is expensive, so viewing your draft PDFs on an X11 desktop might be better for your wallet. If that didn't already blow your mind, try the following example: Listing 2. Render the result using the following:
$ pic pictest | groff | ps2pdf 1.pdf
So that's troff in a very, very small nutshell. Just consider the possibilities right there at your fingertips at this moment! For a far better read on the history of troff and
Listing 1. example.ms
.\" Example of -ms macro runoff. This is a comment
.RP no
.P1
.ds CH Center header
.ds RF Right footer
.TL
This is a title
.AU
S. Reiche
.AI
ls-al.eu - public \s-2UNIX\[rg]\s0 Access
.AB no
.AE
.LP
We begin a nice paragraph all the way to the left.
.PP
Then we have a indented starting paragraph.
.XP
An exdented (yes) paragraph.
.QP
And of course, we couldn't live without a quoting
paragraph.
.NH 1
Heading
.NH 2
Subheading
.SH
Unnumbered subheading
.PP
.B
And of course, we have some formatting
.I
.BI capabilities. Even
.R
.BX boxes
or simple
.UL underlinings.
.LG
LARGE
.NL
or
.SM
small
.NL
fontsizes and everything.
.IP 1. 12
lists are always handy
.IP
even unnumbered ones or
.IP glossary
style.
.LP
.FS
.FE
Listing 2. pictest
.PS
.\" The classic troff pipeline: letter.tr through tbl and eqn into troff,
.\" with the tmac.m macro file feeding troff from the side.
lineht = lineht / 2
box "\fIletter.tr\fP"
arrow
circle "tbl"
arrow
Eqn: circle "eqn"
arrow
Troff: circle "troff"
arrow
arc cw
arc cw
left
arrow
box "\fItmac.m\fP"
line down
.PE
the incredible intricansies on it, get the free Hayden Book on troff at http://oreilly.com/openbook/utp/. A group of enthusiasts found Unix Text Processing such a great book, that theyve come together and transcribed the whole book so that theres a true troff source available to build the book yourself (http://home.windstream.net/kollar/utp/ ). XeTeX, LaTeX, TeTeX are all names for what is in the basis; TeX. TeX was created by Don Knuth, who we all love of course. I consider TeX to be troffs big brother, as it costs roughly about anything from half a gigabyte to multiple gigabytes of storage space on your machine, but it does produce extremely beautiful documents. The TeX Showcase (http://www.tug.org/texshowcase/) is a wonderful place to see what TeX is capable of and have a look at Knuths TeXbook (ISBN 0-201-13448-9) for which the source is also available to learn from. In time you will get crafty at producing PostScript documents, which youll probably just convert to PDF. But there are times where you can tinker around with the PostScript output itself. Remember, PostScript is a programming language so after producing something with troff or TeX, take a look at the PostScript, tinker around a bit and see what it does directly with gs(1) or convert the modified PS to PDF and then check it out.
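As an added example, not code from the article: the same groff, pic and ghostscript pipeline wrapped in a few shell functions, with the ps2pdf wrapper replaced by a direct gs(1) call that runs the interpreter in its restricted -dSAFER mode. Because PostScript is a program, as the paragraph above says, a draft that has been edited by hand or received from someone else is checked for the PostScript magic before it is handed to the interpreter at all. Function names are hypothetical; the commands and flags are real, and with DRY_RUN=1 the functions only print the pipeline they would run (which is also how the checks exercise them without groff or gs installed).

```shell
#!/bin/sh
# Added example, not from the article: wrap the groff / pic / gs pipeline and treat
# the intermediate PostScript as what it is, a program. Hypothetical helper names;
# assumes groff, pic and gs are installed when DRY_RUN is unset.

# Options used instead of the ps2pdf wrapper (itself a thin script around gs):
# -dSAFER puts the interpreter in its restricted mode so a PostScript program cannot
# open, read or delete files on the machine rendering it (older ghostscript releases
# do not do this by default); -dNOPAUSE and -dBATCH keep the run non-interactive;
# pdfwrite is the PDF output device.
GS_OPTS='-q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite'

# Return 0 when the file begins with the "%!PS" magic that groff -Tps and other
# PostScript producers emit.
is_postscript() {
    [ -f "$1" ] && [ "$(head -c 4 "$1")" = '%!PS' ]
}

# Render an -ms document such as example.ms straight to PDF.
ms_to_pdf() {
    src="$1"; out="$2"
    [ -f "$src" ] || { echo "ms_to_pdf: no such file: $src" >&2; return 2; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "groff -ms $src | gs $GS_OPTS -sOutputFile=$out -"
        return 0
    fi
    groff -ms "$src" | gs $GS_OPTS -sOutputFile="$out" -
}

# Render a pic diagram such as pictest; pic runs as a preprocessor in front of groff.
pic_to_pdf() {
    src="$1"; out="$2"
    [ -f "$src" ] || { echo "pic_to_pdf: no such file: $src" >&2; return 2; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "pic $src | groff | gs $GS_OPTS -sOutputFile=$out -"
        return 0
    fi
    pic "$src" | groff | gs $GS_OPTS -sOutputFile="$out" -
}

# Convert a PostScript file you have tinkered with by hand, refusing anything that
# does not even claim to be PostScript (the interpreter would otherwise try to run it).
ps_to_pdf() {
    src="$1"; out="$2"
    is_postscript "$src" || { echo "ps_to_pdf: $src is not a PostScript file" >&2; return 3; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "gs $GS_OPTS -sOutputFile=$out $src"
        return 0
    fi
    gs $GS_OPTS -sOutputFile="$out" "$src"
}

# Stand-alone use:  sh render.sh example.ms example.pdf
if [ $# -eq 2 ]; then
    ms_to_pdf "$1" "$2"
fi
```

Recent ghostscript releases turn SAFER on by default; passing it explicitly keeps the behaviour identical on the older installations the article has in mind, and the magic check is cheap insurance when the PostScript did not come out of your own groff run.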
You want to keep your friends on Twitter in the loop as well, but lynx(1) or links(1) don't do a very good job at opening that site in all its interactive form. In comes TTYtter (http://www.floodgap.com/software/ttytter/), a console-based Twitter client written in Perl.
Chat
Even more of your friends are renowned idlers on IRC, so you fire up irssi(1) and connect to the IRC server to blab about your latest article. A plugin for irssi (http://cybione.org/~irssi-xmpp/) can connect you to XMPP-style chat services, like GoogleTalk. If you use bitlbee (http://www.bitlbee.org/main.php/news.r.html) with that, you can open up even more chat protocols at the same time. A stand-alone Jabber/XMPP console client is GNU's Freetalk, which is in the ports tree. If you're more of a true MSN type, then tmsnc is a nice console-based MSN-only client (http://tmsnc.sourceforge.net/).
Music
But wait! You'll need some background music to do your writing with, right? I'm very fond of mpg123(1) because of its small size and very simplistic interface. But take a look at the others out there, for example in the OpenBSD ports tree: mpg321, mp3blaster, herrie (very nice one!) or shellfm for last.fm support. And there's lots more out there.
After a couple of days, you want to check if anyone reacted to your article by emailing you. If you're running your own mail server or using your ISP's, you can probably just use the normal ways of fetchmail to get to your mail. GMail usually presents somewhat of a challenge. Here's a couple of links to get the mail client of your choice working with GMail:
POP/SSL GMail with fetchmail: http://www.axllent.org/docs/networking/gmail_pop3_with_fetchmail
IMAP/SSL GMail with fetchmail: http://www.daemonforums.org/showthread.php?t=5590
IMAP/SSL GMail with mutt: http://shreevatsa.wordpress.com/2007/07/31/using-gmail-with-mutt-the-minimal-way/
SMTP/SSL GMail with heirloom-mailx (nail) and msmtp: http://ubuntuforums.org/showthread.php?t=780509
Downloading
And you need something to write a funny article about. So you can start the download of the newest Ubuntu with the well-known wget(1) or curl(1), but you could also be more community-friendly and use the wonderful console-based rtorrent to pull the latest ISO image using the BitTorrent protocol, and share back to your Linux friends, of course.
Weblog
Then you're finished with your article in PDF form and you want to publish it. You could go hardcore with vi in hand and write the site yourself, but there's also something called blazeblogger (http://blaze.blackened.cz), a set of Perl scripts that make up a wonderful CMS without the need for a whole database backend and/or PHP. Very simple interface, though nicely intuitive for the console user. The end results are nice when using the defaults, but everything is customizable.
And don't forget Michael Hernandez' awesome articles on mutt on OS X in BSDMag! So there you have it: a small introduction on what effectively can still be done purely on an 80x24 terminal interface. I think it's awesome, and I rarely use X11 or something else window-y for my work, and I think you could do your best to try the same as well!
SANDER REICHE
Sander Reiche is a PDP-11 fanatic and BSD/UNIX lover in his spare time, and a UNIX Systems Engineer on his day-job. Founder of the Veritable UNIX Systems Group. His web page is located at http://ls-al.eu/~reiche.
PostgreSQL
From Installation to PITR
The most advanced open-source database available anywhere: this is the comment of the PostgreSQL package.
PostgreSQL is an enterprise-level ORDBMS, very stable and reliable, with a rich set of features that let it compete with well-known commercial databases. PostgreSQL is released under a BSD license, has very comprehensive documentation and is maintained by a group of database experts around the planet. In this article you will learn how to install and set up a PostgreSQL cluster, how to interact with the system and how to back up your databases.
Concepts
PostgreSQL manages a cluster of databases: a single PostgreSQL instance can run and control a set of databases, all kept isolated, and all served through the same TCP/IP socket address (Unix domain sockets are also allowed). There is no limitation on how many PostgreSQL instances you can run, except of course for host system resource limits and TCP/IP sockets. The cluster is based on a process model: the service starts a main process (historically called postmaster) which waits for incoming client connections. When a connection is accepted, the postmaster forks itself and the new process begins serving the client; such a process is called a backend. The choice of a dedicated process to serve each client connection is due to the security and portability that the process API offers compared to the thread API.
The cluster uses the file system to keep all the databases and their data on mass storage: there is a main (per-cluster) directory called PGDATA, which is organized into sub-directories, one per database, which in turn contain all the database objects (tables, sequences, and so on). It is also possible to keep some objects outside PGDATA, in another directory tree; this is done using the tablespace feature. PostgreSQL configuration is mainly done via a few text files that are usually contained within PGDATA. From the above readers can see that in order to run different clusters on the same machine each instance must have: a different TCP/IP socket on which the postmaster can wait for client connections; a different PGDATA directory tree; a different set of configuration files (usually kept under PGDATA).
Basic Installation
It is possible to install PostgreSQL on a FreeBSD machine using the ports tree: it is required to install the -server port, which also installs the -client port used to access the cluster (i.e., to connect to backend processes). Optionally it is worth installing also the -contrib module, which provides useful tools to better manage the PostgreSQL instance.
Before beginning the installation you have to choose the right version. The PostgreSQL version number is in the form mainstream.number.minor (e.g., 9.1.2). The combination mainstream.number makes up the major release number, and versions with different major numbers usually require a full database dump and reinitialization. Versions with different minor numbers do not break compatibility and therefore do not require a reinitialization.
Listing 1. Installing PostgreSQL from ports
# cd /usr/ports/databases/postgresql91-server/
# make install clean
# cd /usr/ports/databases/postgresql91-contrib/
# make install clean
...
# id pgsql
uid=70(pgsql) gid=70(pgsql) groups=70(pgsql)
# pkg_info -cs 'postgresql*'
Information for postgresql-client-9.1.2:
Comment:
PostgreSQL database (client)
Package Size:
7914 (1K-blocks)

Information for postgresql-contrib-9.1.2:
Comment:
The contrib utilities from the PostgreSQL distribution
Package Size:
1647 (1K-blocks)

Information for postgresql-server-9.1.2:
Comment:
The most advanced open-source database available anywhere
Package Size:
14621 (1K-blocks)

Listing 1 shows the steps required to install a 9.1 database server (and client tools); as readers can see, at the end of the installation both the client and server packages are installed, and a pgsql user is added to the system. This user is used to run the server processes in unprivileged mode. Once the database has been installed a new cluster must be created. To do that a new directory must be assigned as the PostgreSQL PGDATA; creating a new directory does not suffice, the directory must be initialized with the initdb(1) command so that PostgreSQL can store into it the basic data structures the cluster needs to work. All the main cluster actions, including initialization, start, stop and status of the cluster, can be handled via the /usr/local/etc/rc.d/postgresql rc script, which in turn calls the correct command (usually pg_ctl(1) or initdb(1)) as the unprivileged pgsql user. As for many other services, it is important to have the service enabled in rc.conf, together with the main cluster directory, so that all the PostgreSQL tools can be executed without specifying the PGDATA directory. Listing 2 shows the set-up of a default PostgreSQL installation using /etc/rc.conf variables, while Listing 3 shows how the same result can be achieved by specifying the PGDATA directory as a command line argument. With regard to the installation of Listing 2, it is now time to start the service and verify that it is running. Please note that no databases nor specific users have been created so far, so you will need to use the pgsql user to connect to the database (see Listing 4). The connection to the cluster (and to any of its databases) is performed through the psql(1) command, which can act as an interactive shell or execute SQL statements in batch.

Listing 4. Starting PostgreSQL and getting the first information
# service postgresql start
# /usr/local/bin/psql -l -U pgsql
                                 List of databases
   Name    | Owner | Encoding | Collate |    Ctype    |   Access privileges
-----------+-------+----------+---------+-------------+-----------------------
 postgres  | pgsql | UTF8     | C       | en_US.UTF-8 |
 template0 | pgsql | UTF8     | C       | en_US.UTF-8 | =c/pgsql             +
           |       |          |         |             | pgsql=CTc/pgsql
 template1 | pgsql | UTF8     | C       | en_US.UTF-8 | =c/pgsql             +
           |       |          |         |             | pgsql=CTc/pgsql

As shown in Listing 4 the cluster is not empty and two very important databases are ready: template1 and template0.
Listing 5. Inspecting settings through the pg_settings catalogue view
            name            |      setting       |     reset_val      |  context   |              sourcefile              | sourceline
----------------------------+--------------------+--------------------+------------+--------------------------------------+------------
 DateStyle                  | ISO, MDY           | ISO, MDY           | user       | /postgresql/cluster1/postgresql.conf |        485
 default_text_search_config | pg_catalog.english | pg_catalog.english | user       | /postgresql/cluster1/postgresql.conf |        507
 lc_messages                | en_US.UTF-8        | en_US.UTF-8        | superuser  | /postgresql/cluster1/postgresql.conf |        500
 lc_monetary                | en_US.UTF-8        | en_US.UTF-8        | user       | /postgresql/cluster1/postgresql.conf |        502
 lc_numeric                 | en_US.UTF-8        | en_US.UTF-8        | user       | /postgresql/cluster1/postgresql.conf |        503
 lc_time                    | en_US.UTF-8        | en_US.UTF-8        | user       | /postgresql/cluster1/postgresql.conf |        504
 log_destination            | syslog             | syslog             | sighup     | /postgresql/cluster1/postgresql.conf |        276
 max_connections            | 40                 | 40                 | postmaster | /postgresql/cluster1/postgresql.conf |         64
 shared_buffers             | 3584               | 3584               | postmaster | /postgresql/cluster1/postgresql.conf |        109
 silent_mode                | on                 | on                 | postmaster | /postgresql/cluster1/postgresql.conf |        313
 update_process_title       | off                | off                | superuser  | /postgresql/cluster1/postgresql.conf |        419
Table 1. Main entries of the PGDATA directory
PGDATA entry    | Type      | Meaning
PG_VERSION      | text file | Contains the major version number of the cluster that owns PGDATA.
postgresql.conf | text file | Contains all the main options and configuration settings for the cluster.
pg_hba.conf     | text file | Host Based Access (HBA): specifies which hosts can connect to which databases.
base            | directory | Contains the cluster databases (one per directory).
pg_tblspc       | directory | Contains links to external directories used to store database objects (tablespaces).
pg_clog         | directory | Contains the transaction commit logs.
pg_xlog         | directory | Contains the Write Ahead Logs (WAL) required for proper cluster functioning and survival.
global          | directory | Contains the cluster catalog.
pg_ident.conf   | text file | Allows a mapping of operating system usernames to database usernames.
The two template databases act as a skeleton for the other databases that the DBA will create in the future; both are created during the initialization of the cluster (i.e., when initdb(1) runs). In particular, each newly created database is cloned starting from template1; template0 acts as a backup copy of template1, just in case the latter gets compromised. Please note also that both templates can be used as regular databases to which users can connect. The PGDATA directory is owned exclusively by the pgsql user and contains configuration files for the whole cluster as well as data files; the main entries are detailed in Table 1 and shown in the blue part of Figure 1. Please consider that a plain file system level backup of the PGDATA directory is not enough to restore or migrate a cluster; more complex procedures like Point In Time Recovery (more on this later) need to be applied. Each database object is identified by a unique number called OID (Object IDentifier); each object is then stored on the file system (under PGDATA) in a file named after the object OID. Each data file can grow to a maximum of 1 GB, after which the file is split into segments, each numbered with the OID and a progressive counter.
Basic configuration
PostgreSQL configuration is based on key-value textual parameters. By default the parameters are stored in the postgresql.conf file, but they can also be accessed through the database catalogues. Each parameter is tied to a specific context that defines when the cluster applies a setting change: postmaster: the cluster must be restarted; sighup: the cluster must receive a SIGHUP signal; backend: applied to all new client connections; [super]user: immediate if done by a [super]user.
Settings can be inspected and changed (unless in the postmaster context) from a connection to the database using respectively the SHOW and SET commands, or by querying the pg_settings catalogue view, which also shows the context to which the parameter applies and the configuration file it comes from (see Listing 5 for an example). A minimal set of configuration parameters that should be reviewed before starting the PostgreSQL instance is listed in Table 2. Besides those parameters, the Host Based Access control list (contained in pg_hba.conf) should be reviewed for every newly created user or database.

Table 2. Main postgresql.conf configuration parameters
Parameter                                     | Meaning
listen_addresses                              | The IP addresses on which the daemon accepts client connections.
port                                          | TCP/IP port on which the daemon listens for incoming connections.
max_connections                               | The max number of client connections that can be created.
shared_buffers                                | The overall memory used by all the PostgreSQL processes to keep data in memory and client connections (consider at least 400 kB per connection).
work_mem                                      | Memory used temporarily for re-ordering of data.
maintenance_work_mem                          | Memory used by maintenance processes (vacuum, reindexing, etc.).
log_destination, log_directory, log_filename  | Define where daemon logs should be sent and stored (not WAL or commit logs).
log_min_duration_statement                    | Sets a threshold that causes the backend process to log any query executing for more seconds than the value of the setting (useful to log slow queries).

For the example of this article a simple database for your favourite magazine will be created, so the bsdmagdb database and the bsdmag superuser will be the starting point. PostgreSQL allows you to create (and destroy) databases and users either from the database itself (e.g., when you are connected to template1) or from the shell. Listing 6 shows how to create the superuser and the database from the shell prompt, while Listing 7 shows how to do the same from a database connection. Once the database and its user(s) are in place it is worth reviewing the Host Based Access rules contained in pg_hba.conf. Such rules specify which hosts can connect to the cluster and which users can connect to which database. Covering the syntax of the pg_hba.conf file is out of the scope of this article; it suffices to say that the rules in Listing 8 specify that connections to database bsdmagdb are allowed only for user bsdmag from a host within the network 192.168.200.0/24. The md5 option forces the user to be prompted for a password, while the keyword trust allows the user to connect even without providing a password. Therefore, while user bsdmag is allowed to connect only to the bsdmagdb database from the local network and will be prompted for a password, the user pgsql can connect to any database without a password prompt through a local domain socket.

Listing 6. Creating the superuser and the database from the shell
Enter password for new role:
Shall the new role be a superuser? (y/n) y
~> createdb -O bsdmag bsdmagdb

Listing 8. Host Based Access rule in pg_hba.conf
host  bsdmagdb  bsdmag  192.168.200.0/24  md5

It is time now to connect to the above bsdmagdb database and populate it with at least one table and a few tuples: Listing 9 shows the creation of a table to store heading information about magazine issues.

Listing 9. Creating the magazine table and inserting a few tuples
    issuedon date,
    title text,
    PRIMARY KEY(pk),
    UNIQUE(id) );
NOTICE:  CREATE TABLE will create implicit sequence "magazine_pk_seq" for serial column "magazine.pk"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "magazine_pkey" for table "magazine"
NOTICE:  CREATE TABLE / UNIQUE will create implicit index "magazine_id_key" for table "magazine"
CREATE TABLE
bsdmagdb=# INSERT INTO magazine(id, month, issuedon, title)
VALUES('2012-01', 1, '01/01/2012'::date, 'FreeBSD: Get Up To Date');
INSERT 0 1
bsdmagdb=# INSERT INTO magazine(id, month, issuedon, title)
VALUES('2011-12', 12, '01/12/2011'::date, 'Rolling Your Own Kernel');
INSERT 0 1

Listing 10. File information
~> oid2name
All databases:
    Oid  Database Name  Tablespace
----------------------------------
  16387       bsdmagdb
             template0
             template1

~> oid2name -H 192.168.200.2 -d bsdmagdb -U bsdmag -t magazine
From database "bsdmagdb":
  Filenode  Table Name
----------------------
     16390    magazine

~> ls -l /postgresql/cluster1/base/16387/16390
-rw-------  1 pgsql  pgsql  8192 ... 16390

Listing 11. Increasing the size of a table and seeing the space required on disk
bsdmagdb=# INSERT INTO magazine(id, month, issuedon, title)
bsdmagdb-# VALUES( generate_series(1,100000), 0, '01/01/2009'::date, 'TEST');
INSERT 0 100000
bsdmagdb=# SELECT relname,relfilenode,relpages,reltuples
bsdmagdb-# FROM pg_class WHERE relname = 'magazine';
 relname  | relfilenode | relpages | reltuples
----------+-------------+----------+-----------
 magazine |       16390 |      690 |    100003

Please consider that the psql command will prompt for the user password upon each new connection, but it is possible to avoid the password request. It suffices to create the ~/.pgpass file (readable only by the user) and store in it an entry in the form
server-address:port:dbname:username:password
as for instance
192.168.200.2:5432:bsdmagdb:bsdmag:mypassword
so that before prompting for a password the psql command will search for a match in the ~/.pgpass file and, if found, will use that password. This is also very convenient for scripts scheduled via cron(8) or periodic(8).
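As an added example, not code from the article, the POSIX shell helpers below create a ~/.pgpass entry in the server-address:port:dbname:username:password form just described, check the permission bits psql requires before it will read the file, and look a password up the way psql does (a literal * in any of the first four fields matches anything, first match wins). The file path and the sample entries are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article: helpers for ~/.pgpass entries of the form
#   server-address:port:dbname:username:password
# All file paths and sample values are constructed for this example.

# Append an entry, creating the file owner-readable only if it does not exist.
# psql silently ignores a .pgpass file that is readable by group or others.
# Usage: pgpass_add FILE HOST PORT DBNAME USER PASSWORD
pgpass_add() {
    file=$1; shift
    ( umask 077; : >> "$file" )      # create with mode 0600 when missing
    chmod 0600 "$file"               # also repair a file that was too open
    printf '%s:%s:%s:%s:%s\n' "$1" "$2" "$3" "$4" "$5" >> "$file"
}

# Return 0 when group and others have no permission bits at all (what psql
# demands), 1 otherwise. Parses ls(1) so it works on both BSD and GNU.
# Usage: pgpass_mode_ok FILE
pgpass_mode_ok() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the password psql would pick for a connection: the first non-comment
# line whose host, port, database and user fields match; a field holding a
# literal '*' matches any value. Simplification: everything after the fourth
# colon is taken as the password, whereas psql expects ':' and '\' inside a
# field to be escaped with a backslash.
# Usage: pgpass_lookup FILE HOST PORT DBNAME USER
pgpass_lookup() {
    awk -F: -v h="$2" -v p="$3" -v d="$4" -v u="$5" '
        /^[[:space:]]*#/ || NF < 5 { next }
        ($1 == "*" || $1 == h) && ($2 == "*" || $2 == p) &&
        ($3 == "*" || $3 == d) && ($4 == "*" || $4 == u) {
            pw = $5
            for (i = 6; i <= NF; i++) pw = pw ":" $i
            print pw
            exit
        }' "$1"
}
```

A file built this way lets cron(8) or periodic(8) jobs run psql non-interactively, but anyone able to read it can connect as that user, so the 0600 mode is the only thing protecting the password.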
As stated before, PostgreSQL stores database objects, including tables (and their tuples), as files in the PGDATA directory (under base if no tablespace has been defined). Such files are named after the OID assigned to the object itself, even if a few maintenance commands can break this rule. The system administrator can find exactly which file corresponds to which database object, and vice versa, using the oid2name command available in the contrib module, or by querying the system catalogue. As Listing 10 shows, the oid2name command can be used to see all the OIDs of the available databases (if invoked without arguments) and can also provide the OID of a specific table in a specific database. In the example of Listing 10 oid2name reports 16387 as the OID of the database bsdmagdb and 16390 as the OID of the table magazine. This means that under PGDATA/base there must be a directory named 16387 (OID for bsdmagdb) which contains, among other files, a file named 16390 that holds the tuples of the magazine table. As readers can see, the ls(1) of such file shows a size of 8 KB even if only a few tuples have been stored in the table. This is the default size of a PostgreSQL data page and means that each table is aligned to an 8 KB size. In order to see how the required size changes, let's generate one hundred thousand fake tuples using the special function generate_series() as shown in Listing 11. The size of the file on disk is now about 5.4 MB. Considering that each page is 8 KB in size, it means that the table contains
5652480 / ( 8 * 1024 ) = 690 pages
While PostgreSQL is very reliable and stable, the DBA has to back up the cluster content to avoid data loss due to hardware failure, misconfiguration, application or human errors, and so on. There are several ways of doing backups, which can be grouped mainly into logical backups and physical backups. A logical backup is a one-shot backup that is transaction consistent: the system extracts the data from the cluster and dumps it to backup media respecting transaction boundaries; the DBA does not need to access the PGDATA directory. A physical backup requires the DBA to access the PGDATA directory and to archive each single data file. This of course does not respect transaction boundaries, and therefore the system will need to do a transaction replay once started. To perform such a replay the database also needs the WALs, the logs it already uses to survive crashes. How the WALs are archived also defines the level of physical backup: it is possible to archive them only between two full logical backups, to do continuous archiving, or to send the logs to another machine that replays them to act as a clone (this is, in short, how replication works).
The standard way of doing logical backups is the pg_dump(1) command, which dumps a database content as an SQL text file (plain or compressed). The pg_dump(1) command has many options and can be used to dump only the data, only the database structure, a single table or object, or the whole content. There is also another tool named pg_dumpall(1) which is used to back up a whole cluster instead of a single database. The usage of both tools is similar and Listing 12 shows how to back up the example database. The installation from the ports also creates a script under /usr/local/etc/periodic/daily which, when enabled, performs a pg_dump of all the databases available in the cluster (excluding template0).
Physical Backup and Point in Time Recovery (PITR)
PITR is an interesting backup technique, developed in the 8 series, that is based on physical backup and allows restoration to a specific time in the past. The idea behind PITR can be summarized as follows: the system keeps track of the WALs, which contain, at any point in time, the image of the database status. When a restore is required the daemon is stopped and restarted simulating a crash (i.e., a dirty status). The database then starts rolling the WALs forward in order to redo all the transactions for internal consistency. By specifying how many WALs must be rolled it is possible to control to which time in the past the instance is restored. In order to see PITR in action we need a place to store WALs, so we create a directory /postgresql/pitr (see the red box in Figure 1) and configure the following options in postgresql.conf:
wal_level = archive
archive_mode = on
archive_command = 'cp -i %p /postgresql/pitr/%f'
which inform the cluster when and how to archive the WALs. After having restarted the instance we can connect and simulate a workload. In order to better understand the example we modify the magazine table to keep timestamps associated with the tuples (see Listing 13). The first step to enable PITR is to have a physical copy of the PGDATA directory, excluding the pg_xlog content; please note that it is not important where and when the backup is done, nor how long it takes to copy PGDATA, but the cluster must be informed that the copy is in progress, so we have to surround the copy process with the pg_start_backup() and pg_stop_backup() functions. As Listing 13 shows, to keep things simple our copy is done into a mirrored directory of PGDATA called /postgresql/cluster2 (see the red box in Figure 1). While the copy is in progress the cluster can continue to work (i.e., user connections are allowed). At the end of the backup we insert, using four batch statements, a million tuples with four different timestamps, and then we erase all of them (see Listing 13). This simulates an application error, but other (more complex) disasters can be simulated. Now imagine we want to go back in time to 08:23:18 (the whole third batch done, the fourth not committed yet; the timestamps in Listing 13 are evaluated when the INSERT begins). In order to restore the system at that time we have to: stop the instance; change the PGDATA directory in /etc/rc.conf to point to our physical copy; create a recovery.conf file in the new PGDATA directory that contains the location of the archived WALs as well as the time at which we want to restore the instance; start the instance and wait for the recovery to complete.

Listing 13. Simulating a workload with four timestamped batches
bsdmagdb=# INSERT INTO magazine(id, title)
VALUES( generate_series(1, 200000), 'BATCH-1');
INSERT 0 200000
bsdmagdb=# INSERT INTO magazine(id, title)
VALUES( generate_series(200001, 400000), 'BATCH-2');
INSERT 0 200000
bsdmagdb=# INSERT INTO magazine(id, title)
VALUES( generate_series(400001, 600000), 'BATCH-3');
INSERT 0 200000
bsdmagdb=# INSERT INTO magazine(id, title)
VALUES( generate_series(600001, 1000000), 'BATCH-4');
INSERT 0 400000
bsdmagdb=# SELECT ts::time, title FROM magazine GROUP BY ts,title ORDER BY title;
       ts        |  title
-----------------+---------
 08:22:42.982515 | BATCH-1
 08:22:51.401579 | BATCH-2
 08:23:03.243077 | BATCH-3
 08:23:17.011491 | BATCH-4
(4 rows)

Listing 14. Testing PITR
~> cat /etc/rc.conf | grep postgres
postgresql_enable="YES"
postgresql_data="/postgresql/cluster2"
~> cat /postgresql/cluster2/recovery.done
restore_command = 'cp /postgresql/pitr/%f "%p"'
recovery_target_time = '2012-01-20 08:23:18'
~> service postgresql start
~> psql -U bsdmag -c "SELECT ts::time, title, count(title) FROM magazine GROUP BY ts,title ORDER BY title;" bsdmagdb
       ts        |  title  | count
-----------------+---------+--------
 08:22:42.982515 | BATCH-1 | 200000
 08:22:51.401579 | BATCH-2 | 200000
 08:23:03.243077 | BATCH-3 | 200000
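The procedure above as POSIX shell functions, added here as an example and not taken from the article: the base backup bracketed by pg_start_backup() and pg_stop_backup(), a check that the WAL segment named in backup_label actually reached the archive before the copy is started, and the recovery.conf writer. Directory names follow the article's layout; the psql and rsync invocations are assumptions about the local setup.

```shell
#!/bin/sh
# Added example, not from the article: the PITR steps described above as shell
# functions. Directories follow the article's layout; psql and rsync usage are
# assumptions about the local setup.

PGDATA=${PGDATA:-/postgresql/cluster1}            # live cluster
PITR_DIR=${PITR_DIR:-/postgresql/pitr}            # target of archive_command
BACKUP_DIR=${BACKUP_DIR:-/postgresql/cluster2}    # physical copy to recover from

# Physical copy of PGDATA while the cluster keeps serving clients.
# pg_start_backup() checkpoints and writes backup_label; pg_stop_backup() forces
# the last needed WAL segment into the archive. LABEL must not contain quotes.
# Usage: pitr_base_backup LABEL
pitr_base_backup() {
    psql -U pgsql -d template1 -Atc "SELECT pg_start_backup('$1', true)" || return 1
    # pg_xlog is excluded: at restore time the WALs come from $PITR_DIR instead
    rsync -a --delete --exclude 'pg_xlog/*' "$PGDATA/" "$BACKUP_DIR/"
    rc=$?
    # always leave backup mode, even if the copy failed
    psql -U pgsql -d template1 -Atc "SELECT pg_stop_backup()" || return 1
    return $rc
}

# Extract the WAL segment the backup starts from; backup_label carries it as
#   START WAL LOCATION: 0/3000020 (file 000000010000000000000003)
# and confirm that segment is present in the archive. Prints the segment name,
# returns 1 when the label is unreadable or the segment was never archived.
# Usage: pitr_start_wal_archived BACKUP_LABEL_FILE ARCHIVE_DIR
pitr_start_wal_archived() {
    seg=$(sed -n 's/^START WAL LOCATION: .*(file \([0-9A-F]*\)).*$/\1/p' "$1")
    [ -n "$seg" ] && [ -f "$2/$seg" ] || return 1
    printf '%s\n' "$seg"
}

# Write recovery.conf into the copy: where to fetch archived WALs from and the
# point in time at which replay stops, e.g. '2012-01-20 08:23:18'.
# Usage: pitr_write_recovery_conf DIR TARGET_TIME
pitr_write_recovery_conf() {
    [ -d "$1" ] || return 1
    cat > "$1/recovery.conf" <<EOF
restore_command = 'cp $PITR_DIR/%f "%p"'
recovery_target_time = '$2'
EOF
}
```

Once the copy passes the archive check, point postgresql_data in /etc/rc.conf at the copy and start the service; the instance replays WALs from the archive up to the target time, then renames recovery.conf to recovery.done.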
On The Web
PostgreSQL official Web Site: http://www.postgresql.org
ITPUG official Web Site: http://www.itpug.org
PostgreSQL 9.1 Documentation: http://www.postgresql.org/docs/9.1/interactive/index.html
As Listing 14 shows, once the instance is restarted the content of the magazine table is switched back in time to only the third batch and all its tuples. It is worth noting that once the recovery is completed the system moves the recovery.conf file to recovery.done and that another text file, backup_label, is moved to backup_label.old. The latter file contains information about when the physical backup started, the label of the backup (as passed to pg_start_backup()) and the WAL information. Both files can be used as additional information to understand the status of the cluster. As readers can see, PITR is a cluster-wide backup technique and is very powerful. It is worth noting that there is no limitation to the amount of time PITR can cover, nor to the archiving method: it suffices to have enough WAL archiving space and to use the right command (e.g., cp, scp, tar, etc.) to archive a whole database history and recover it at any time in the past.
The choice of the right backup strategy depends on the cluster workload. Logical backups are the simplest, and should be used whenever taking one does not require too much time or space (or when, of course, you need a full backup dump). When it requires too much time (e.g., the database is huge) or keeping a set of logical backups requires too much space, physical backup should be taken into account. You can even mix logical and physical backup, archiving WALs for PITR only in the time frame between two logical backups. This gives you an incremental backup up to the next full (logical) backup. Be sure to test that the backup strategy fits your needs and that it is working properly.
This article briefly covered the basics of PostgreSQL installation and usage. In the next article we will continue exploring PostgreSQL, glancing at MVCC and vacuum.
LUCA FERRARI
Luca Ferrari lives in Italy with his wife and son. He is an Adjunct Professor at Nipissing University, Canada, a co-founder and the vice-president of the Italian PostgreSQL Users Group (ITPUG). He simply loves the Open Source culture and refuses to log in to non-Unix systems. He can be reached online at http://fluca1978.blogspot.com.
Installing Ports
We need to install the ports tree first. With it, we will be able to build the Java JRE. Downloading:
ftp ftp://ftp.fr.openbsd.org/pub/OpenBSD/5.0/ports.tar.gz
Extraction:
tar zxvf ports.tar.gz -C /usr
Dependencies
First we will export a variable that contains the place to get OpenBSD packages from:
export PKG_PATH=ftp://ftp.fr.openbsd.org/pub/OpenBSD/5.0/packages/i386/
Stock dependencies
Now we are ready to download all the dependencies needed to build Sun Java. But we need to store them in the right place:
mkdir /usr/ports/distfiles
cd /usr/ports/distfiles
Get dependencies
Ready? Downloading...
wget http://download.java.net/jdk6/6u3/promoted/b05/jdk6u3-fcs-src-b05-jrl-24_sep_2007.jar
wget http://download.java.net/jdk6/6u3/promoted/b05/jdk6u3-fcs-bin-b05-jrl-24_sep_2007.jar
wget http://download.java.net/jdk6/6u3/promoted/b05/jdk6u3-fcs-mozilla_headers-b05-unix-24_sep_2007.jar
We will record in mk.conf that we accept the Sun Java license. If we don't, we won't be able to build the Java JRE:
echo ACCEPT_JRL_LICENSE=Yes >> /etc/mk.conf
There are some dependencies that cannot be downloaded by wget because a licence has to be accepted. So get them by hand:
Get the file bsd-jdk16-patches-4.tar.bz2 via http://www.eyesbeyond.com/freebsddom/java/jdk16.html
Get the file jdk-1_5_0_16-fcs-src-b02-jrl-28_may_2008.jar (JRL license)
Get the file jdk-1_5_0_16-fcs-bin-b02-jrl-28_may_2008.jar via http://download.java.net/tiger/tiger_u16/
Get the file bsd-jdk15-patches-9.tar.bz2 via http://www.eyesbeyond.com/freebsddom/java/jdk15.html
Get the file jdk-1_5_0_16-solaris-i586.tar.Z
Get the file xalan-j_2_7_0-bin.tar.gz
Make JAVA
Install Netbeans
The installation of NetBeans is much easier than Java, because NetBeans is packaged in OpenBSD. So install NetBeans easily with the classic:
pkg_add -iv netbeans
Conclusion
Congratulations, you can now code, code and code again with your favourite language on your favourite OS.
GUILLAUME DUAL
System Administrator; OpenBSD contributor and pfSense addict! g.duale@otasc.org
As I poked around PC-BSD 9.0 in VirtualBox, I started to think about what I feel passionate about. What would I like to share with the readers of BSD Magazine? What would interest my audience? I realized that, like me, the lion's share of you are probably system administrators. A good sysadmin realizes that security is more than firewalls, encryption, patching, and other technical considerations. One common saying is: "The only secure computer is one that's not plugged into the network." Humbug! A clever intruder will easily trick the user into plugging that Ethernet cable back into its socket. The weakest point in any network is the human element. I want to share with you my data classification policy. While it appears much different in this current form, I developed this policy by starting with the sample data classification policy in The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick (author), William L. Simon (author), and Steve Wozniak (foreword). I then spent many weeks refining and simplifying that policy into what you see here. I highly recommend The Art of Deception: Controlling the Human Element of Security. It is an outstanding resource. My opinion: the book should not only be required reading for technical professionals; the book ought to be required reading for everyone. For a more in-depth look at the technology scams that an intruder may use to compromise security you will want to take a look at Stealing the Network: The Complete Series Collector's Edition, Final Chapter, and DVD by Johnny Long (author), Timothy Russel (author), and Timothy Mullen (author).
Introduction
Data classification is fundamental to the security of the Organization's information. Without explicit data classification, any decision about the sensitivity of information is left in the hands of individuals. This policy provides a framework for answering the questions: "How should I handle my data?" and "Who can receive my data?" Data classification is an important defense against social engineering.
Data Classification
Data shall be classified according to three categories: public, controlled, and secret. Managers of individual departments have complete authority and obligation to classify department-specific data into one of these categories.
Applicable Rules
Depending on which category your data is classified as, there can be two rules that apply to how the data is handled. These rules are:
The 3Q rule means that you may not share the data or transmit it to anyone else, including other Organization employees, until you establish three attributes of the recipient:
Identity: Is the recipient really who he says he is?
Authority: Is the recipient authorized to have the data?
Need to know: Does the recipient need the data?
Individual departments must establish procedures for following the 3Q rule that have the best combination of maximizing security while minimizing the effect on workflow. The most difficult part of the 3Q rule is establishing identity. Remember that Caller ID is NOT a good method for establishing identity; Caller IDs can easily be spoofed. Here are some examples of methods for establishing identity:
Callback: Look up an internal requester in the Organization directory. Use 4-1-1, the Yellow Pages, or the White Pages to look up an external requester. Call the requester back using the listed number to verify identity. If you use this practice, it will be helpful to have directories of external organizations you deal with frequently.
Shared Secret: Use a shared secret that you have established with another person or organization.
Digital Certificates: Request a digitally signed e-mail or a certificate that is verified through a third party, such as VeriSign or Comodo. Comodo offers free personal SSL certificates for e-mail here: http://www.instantssl.com/sslcertificate-products/free-email-certificate.html.
Personal Voice Recognition: This is one of the most secure methods for establishing identity.
In Person with ID: Only government issued ID should be accepted. Student ID should not be accepted. Employer ID should not be accepted unless the holder is employed by this Organization, a partner, or a well trusted vendor of this Organization.
Inheritance Of Classifications
Any set of data shall inherit the strictest classification assigned to any subset of that data. For example, if social security numbers are classified as secret, and applications for employment contain social security numbers, then applications for employment must be classified as secret.
Encryption
The encryption rule means that you must encrypt the data if it leaves the protection of the Organization's production network and if the data is in a digital format. You may decrypt the data only while you are working on it. You may not decrypt the data while you are in any public place, such as a café or airport.
Example 1: You do not have to keep the data in a locked briefcase as you take it from your car to your home.
Example 2: You may not bring the data into a café unless you keep it in a locked briefcase. You may not read or work with the data while you are in the café.
Additionally, if the encryption rule applies to your data, then it must be destroyed if and when you dispose of it. Physical data must be shredded. Files can simply be deleted. CD-ROMs must be broken. Laptops, computers, and external drives must be securely erased by the IT department.
Default Classification
Possible Classifications
Public: No rules apply to this data.
Controlled: Only the 3Q rule applies to this data.
Secret: Both the 3Q and the encryption rule apply to this data.
Cryptography Standards
Acceptable cryptography standards include SSL or TLS for secured web sites, and AES, Blowfish (or derivatives such as Twofish or Threefish) or 3DES encryption algorithms for the transmission of encrypted files. Certificate/key-pair based e-mail encryption is acceptable. The IT department can recommend and provide training for encryption procedures. Passwords are always classified as secret and should never be transmitted electronically. If you are sending someone encrypted data, then the decryption password is classified as secret and should be communicated in person or over the telephone only.
The Organization strongly recommends that every controlled and secret document incorporate a footer to remind employees of the document's classification. Recommended color coding is green for public (classification footers for public documents are optional), blue for controlled, and red for secret. Here are examples:
Classification: Public
Classification: Controlled
Classification: Secret
Another option is to print information of varying classifications on different colored paper.
Example 1: In Iraq, the U.S. Marine Corps prints all information classified as secret on yellow paper. This is not an enforced rule, but a convenient practice for quickly identifying the classification of printed materials.
Example 2: A work group might choose to print controlled information on light blue paper and secret information on pink paper. Work groups can set their own procedures for this.
Conclusion
The IT Department takes every available technical measure to protect the Organization's confidential data, but technical measures cannot protect the Organization from human mistakes. It is up to each department and work group to follow this guide. It is up to individual managers to decide how various files and data ought to be classified.
TOBY RICHARDS
Toby Richards has been a network administrator since 1997. Each article comes straight from the notes that he takes when doing a new project with *BSD. Toby recommends bsdvm.com for your hosting needs because they provide console access to your virtual machine.
TIPS&TRICKS
Load Balancers
Enterprise Load & Service Availability
The world is a complex place. A term that means one thing to one person may mean something completely different to someone else.
What you will learn
Basic load balancing
Load balancing security considerations
How to find out if a website is using a Load Balancer
Implementing load balancing in an OpenBSD environment
Take Load Balancers for example. How many different Load Balancers can you think of? Types of Load Balancers:
Layer-2 Load Balancing (bonding)
Layer-4 Load Balancing
Layer-7 Load Balancing (reverse proxy)
Hardware SSL acceleration or offload
DNS Load Balancing
Link Load Balancing
Load Balancing Optimization / Compression
WAN Load Balancing Optimization
SIP Load Balancing
Load Balancers handle load, and people have been thinking about how to handle load as it relates to resource availability for a very long time. Frequently, when people talk about Load Balancers today they are specifically thinking about how to handle web server traffic.
Fact
As web traffic patterns have become more unpredictable, the industry has demanded a way of scaling capacity to meet that demand (load). The single box solution has proven itself to be unacceptable regardless of how beefy the box is. Let's not even mention what happens when you add concepts like virality to the mix: you start dealing with tsunami level load.
Definitions
OpenBSD = A Unix-like OS descended from BSD
LOAD = A measurement of the number of simultaneous requests for a service at a given point in time
LOAD BALANCER = A software or hardware solution that helps you manage load
CARP = Common Address Redundancy Protocol
VRRP = Virtual Router Redundancy Protocol
HSRP = Hot Standby Router Protocol
VNIC = Virtual network interface
PenTester = A security professional who evaluates corporate security and makes expert recommendations
Tools
You should become familiar with some of the tools mentioned in this article: lbd.sh, Halberd 0.2.4
Current Issue
These days you have a bunch of smart business people who are spending a significant amount of time trying to design for virality with minimal consideration of the impact on network services/operations. Why do they do this? They do this because Virality = Money. What does this mean for you? Virality = DEPLOY LOAD BALANCERS.
Problem
A large number of service requests to a web server at one time will knock over a typical server.
Load
When we talk about web hosting and load, load in this sense means the number of concurrent requests for services received by a host or cluster of hosts at a particular point in time.
A Load Balancer is a device that decides where to send traffic requests. When you point your web browser to Microsoft.com or CNN.com, contrary to popular belief you are not going to a single server. You are hitting one of many servers. Organizations of any substantial size typically have thousands of web servers ready to handle your request.
How It Works
A Load Balancer receives the request from your computer (most commonly in the form of a request from your web browser). It evenly distributes the load across a group of servers. The Load Balancer is actually distributing the load across what is called a cluster of servers. The concept is that you don't care which server you are sent to because all the servers are the same. The goal is to answer the request. You don't care which server answers the request. The largest types of environments will need this type of equipment to support hundreds of thousands of users trying to connect at the same time.
You have a lot of options when it comes to deciding how you will distribute load across different servers. Frequently a Load Balancer is deployed as a dedicated piece of hardware with multiple interface cards that can connect to multiple hosts.
Max Flexibility
You can decide how the request is distributed. You can distribute based on load or on content. Maybe you want one of the servers to provide video, one server to provide the web page, and maybe even another server to provide images? You can decide exactly how to separate the load across all the servers.
Security
This creates a huge security problem. You have all of these connections coming into the Load Balancer and being distributed across all of these servers, so you will want to be sure that all of your servers have the very latest builds/patches/updates/security software running on them.
TIP
Make sure that all hosts are running the very latest security software and that all programs are current and up to date.
Know Thyself
TIP
Make sure that you know the full extent of the Load Balancer's security capability and associated vulnerabilities. Specifically, make sure that there is no hijacking of cookies.
TIP
Determine what the known exploits are for the Load Balancer itself.
Fact
When the Load Balancer is compromised an attacker can send traffic to another destination.
Proxy
Folks frequently deploy proxy servers for extra protection. You can offer additional protection to your end users by introducing a Proxy server. This is a type of server, or a series of servers, designed to sit between the users and the Internet. Its job is to take any request that an in-house user sends out to a web server and stop it. Once it stops the request, it takes over the request and re-sends it on the user's behalf. The proxy server receives the response. The proxy server inspects the response and confirms that it does not contain any malware or viruses. The proxy server can even check to see if the user has permission to go to that website. If everything checks out OK, the proxy server will send the answer (results) back to the end user.
Fact
Reliability and compatibility are the most frequently overlooked elements of any Load Balancer / Proxy server deployment.
Fact
A proxy server represents an extra step between you and the Internet. Clearly a Load Balancer and Proxy server become the new bottlenecks, so you will want to make sure that the hardware is scaled properly to handle the load going through the wire.
Fact
Load Balancers are expensive and while we all love F5, sometimes the budget just won't support that type of capital investment.
You can build your own basic Load Balancer with OpenBSD. Before you start, read up a bit on address pools and review the four methods for using address pools: Bitmask, Random, Source-Hash and Round-Robin. OpenBSD will let you load balance incoming connections and outgoing traffic.
Achieving load balancing by using address pools is very straightforward. You distribute all inbound web server connection requests across a web server farm. The pf.conf rules will look something like this:
ext_if = "em0"   # external interface; the original listing assumed this macro was already defined
web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }"
match in on $ext_if proto tcp to port 80 rdr-to $web_servers round-robin sticky-address
Each connection request will be sent to the next web server in the group, round-robin style. Additionally, in this scenario, because of sticky-address, connections from the same source address will continue to be sent to the same destination server.
Frequently PenTesters (Penetration Testers) are very interested in knowing if a Load Balancer or Proxy is in place, since they can be responsible for the incorrect results that today's security tools return.
1. First enable your browser to show you live HTTP header requests.
2. Retrieve public information about a domain/host by searching for the site name (DomainName.com) on searchdns.netcraft.com.
3. Take note of the operating system that is being used, as it will be listed in the results from searchdns.netcraft.com.
4. Learn how to use DIG to find additional information.
Tool: Dig
Dig is a tool for finding out additional information from DNS servers. Dig does a DNS lookup and displays the answers that are returned from the name server. Dig is primarily a troubleshooting tool.
5. Find and use Halberd 0.2.4 (14-Aug-2010) (http://pydoc.net/halberd/0.2.4/Halberd.version).
6. Run ./Halberd -v DomainName.com
7. You will want to use LBD. The LBD Load Balancing Detector 0.1 will check to see if a given domain is using load balancing. The program was written by Stefan Behte (http://ge.mine.nu) and is currently in a proof of concept state.
TIP
LBD checks for DNS load balancing and then checks for HTTP load balancing, and returns the state.
8. Run ./lbd.sh www.DomainName.com
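The checks that LBD and Halberd run against a live site, reduced to their logic and run on captured data, as an added example that is not part of the original article and not code from either tool: several DNS answers for one name (round-robin shows as multiple, rotating A records) and several HTTP responses for one URL (separate backends betray themselves through headers that a single server would keep constant, and through clocks that disagree). The addresses, header values and the two-second skew threshold are constructed; run it against responses you record from your own site to see what it gives away.

```python
from email.utils import parsedate_to_datetime

# Constructed sample data using documentation addresses, not real hosts: what two
# DNS lookups and three HTTP requests against the same site might return.
SAMPLE_DNS_ANSWERS = [
    ["203.0.113.10", "203.0.113.11", "203.0.113.12"],   # first lookup
    ["203.0.113.11", "203.0.113.12", "203.0.113.10"],   # second lookup, rotated
]

SAMPLE_HTTP_RESPONSES = [
    "HTTP/1.1 200 OK\r\nDate: Sun, 05 Feb 2012 10:00:01 GMT\r\n"
    "Server: Apache/2.2.21\r\nX-Served-By: web01\r\nETag: \"1a2b-3c4d\"\r\n\r\n",
    "HTTP/1.1 200 OK\r\nDate: Sun, 05 Feb 2012 10:00:01 GMT\r\n"
    "Server: Apache/2.2.21\r\nX-Served-By: web02\r\nETag: \"1a2b-3c4e\"\r\n\r\n",
    "HTTP/1.1 200 OK\r\nDate: Sun, 05 Feb 2012 09:59:58 GMT\r\n"
    "Server: Apache/2.2.20\r\nX-Served-By: web03\r\nETag: \"1a2b-3c4d\"\r\n\r\n",
]


def parse_headers(raw):
    """Map lower-cased header names to values for one raw HTTP response."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break                       # empty line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def dns_balancing(answers):
    """DNS round-robin: several A records, usually rotating between lookups."""
    addresses = sorted({ip for answer in answers for ip in answer})
    rotation = len({tuple(answer) for answer in answers}) > 1
    return {"multiple_records": len(addresses) > 1,
            "rotation": rotation, "addresses": addresses}


def http_balancing(raw_responses, watch=("server", "x-served-by", "etag")):
    """Headers one server would keep constant but that differ between responses."""
    parsed = [parse_headers(r) for r in raw_responses]
    return {name: [h.get(name) for h in parsed]
            for name in watch
            if len({h.get(name) for h in parsed}) > 1}


def date_skew_seconds(raw_responses):
    """Largest clock difference between Date headers; separate backends seldom agree to the second."""
    stamps = []
    for raw in raw_responses:
        date = parse_headers(raw).get("date")
        if date:
            stamps.append(parsedate_to_datetime(date))
    if len(stamps) < 2:
        return 0
    return int((max(stamps) - min(stamps)).total_seconds())


def detect(answers, raw_responses, max_skew=2):
    """Combine both checks into a verdict of the kind lbd prints."""
    dns = dns_balancing(answers)
    varying = http_balancing(raw_responses)
    skew = date_skew_seconds(raw_responses)
    return {
        "dns_load_balancing": dns["multiple_records"],
        "http_load_balancing": bool(varying) or skew > max_skew,
        "dns_addresses": dns["addresses"],
        "varying_headers": sorted(varying),
        "date_skew_seconds": skew,
    }


if __name__ == "__main__":
    print(detect(SAMPLE_DNS_ANSWERS, SAMPLE_HTTP_RESPONSES))
```

The point for the defender is the same one the article makes about the Load Balancer being a visible target: headers such as X-Served-By, per-backend Server strings and unsynchronised clocks are what make a farm enumerable, and each of them can be normalised at the balancer.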
CARP
CARP is also very popular with the Load Balancer Do It Yourself (LBDIY) community. CARP gives you the ability to achieve system level redundancy, which can be an important part of any enterprise Load Balancing plan. CARP stands for Common Address Redundancy Protocol and lets you have a bunch of hosts share an IP address so that if one server fails, another server in the CARP group can answer the request. This provides a very basic level of redundancy at the server/host level. Additionally, you can share load between members of a CARP group.
TIP
Use CARP to guarantee service availability and load sharing between web servers.
Historically speaking, the OpenBSD folks wanted to distribute a free implementation of VRRP and HSRP but were unable to do so because of patent restrictions. The OpenBSD team immediately went to work on a VRRP variant. Today, to deploy CARP the first thing you need to do is group several physical computers together under one or more virtual addresses. Since CARP is a multicast protocol, one of the systems will need to be the master and will be required to respond to all packets destined for the group. The other systems (backups) will just be in standby mode waiting for any abends/crashes/K.O. situations to take place. When the master gets knocked over, the other hosts in the CARP group begin to advertise. The host that is able to advertise the most frequently becomes the new master. Even if the original master comes back on-line right away, it will only be allowed back into the group as a backup server.
TIP
CARP only manages the VNIC (virtual network interface). You will need to use pfsync or rsync to synchronize data at the application level.
CARP Setup
This is done via the sysctl and ifconfig commands. The syntax information is freely available on the Internet.
CARP provides two different methods for load balancing incoming network traffic among a set of CARP-enabled hosts: ARP balancing and IP balancing. Both methods require that you build a load balancing group.
Resources
Search: www.SearchDNS.NetCraft.COM
Halberd Load Balancer Detector: www.pydoc.net/halberd/0.2.4/Halberd.version
LBD by Stefan Behte: http://ge.mine.nu
Summary
When it comes to managing load the only thing you can count on is nothing. Work to be prepared for all types of unpredictable traffic events. Evaluate affordable hardware solutions that can give you best of breed functionality without sacrificing manageability and security. When confronted with price constraints, evaluate Load Balancers that are software based. Be aware that the Load Balancer is a visible part of the network and will serve as a big bottleneck and an even bigger security target. Thank you for taking the time to read this article.
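The master election described in the CARP section of this article, as an added simulation that is not part of the original article or of OpenBSD's carp(4) code: three hosts with different advskew values, the master crashing and later returning. It models the advertisement interval carp(4) derives from advbase and advskew (advbase + advskew/256 seconds), the backup's dead timer of three of its own intervals, and the net.inet.carp.preempt sysctl, which decides whether the returning original master stays a backup (the behaviour the text describes) or takes the address back. The host names, skews, crash times and the 10 ms time step are constructed; vhid, the shared password, demotion counters and the address tie-break are left out.

```python
from dataclasses import dataclass


@dataclass
class CarpHost:
    name: str
    advbase: int = 1          # seconds between advertisements (ifconfig advbase)
    advskew: int = 0          # 0-254, adds advskew/256 s to the interval (ifconfig advskew)
    up: bool = True
    state: str = "BACKUP"
    last_heard: float = 0.0   # when this host last heard an advertisement from a master

    @property
    def interval(self) -> float:
        return self.advbase + self.advskew / 256.0

    @property
    def dead_time(self) -> float:
        # A backup gives up on the master after three of its own intervals.
        return 3 * self.interval


def simulate(hosts, events, horizon, preempt=False, dt=0.01):
    """Discrete-time model of CARP master election.

    events: list of (time, host_name, up) link changes, e.g. a crash and a reboot.
    Returns (log, final_states); log holds (time, host_name, new_state) transitions.
    """
    by_name = {h.name: h for h in hosts}
    next_adv = {h.name: 0.0 for h in hosts}    # when each master advertises next
    pending = sorted(events)
    log = []

    def set_state(host, state, t):
        if host.state != state:
            host.state = state
            log.append((t, host.name, state))

    for i in range(int(round(horizon / dt)) + 1):
        t = round(i * dt, 4)

        # 1. Link events: a dead host stops talking; a returning host starts as
        #    BACKUP and has to listen for an existing master first.
        while pending and pending[0][0] <= t:
            _, name, up = pending.pop(0)
            host = by_name[name]
            host.up, host.last_heard = up, t
            set_state(host, "BACKUP" if up else "DOWN", t)

        # 2. A backup whose dead timer expired promotes itself; the host with the
        #    shortest interval has the shortest timer, so it wins the race.
        for host in hosts:
            if host.up and host.state == "BACKUP" and t - host.last_heard >= host.dead_time - 1e-9:
                set_state(host, "MASTER", t)
                next_adv[host.name] = t

        # 3. Masters advertise (multicast); everybody else reacts to the interval
        #    carried in the advertisement.
        for master in [h for h in hosts if h.up and h.state == "MASTER"]:
            if master.state != "MASTER" or t < next_adv[master.name] - 1e-9:
                continue
            next_adv[master.name] = t + master.interval
            for other in hosts:
                if other is master or not other.up:
                    continue
                if other.state == "MASTER" and master.interval <= other.interval:
                    # Two masters: the one advertising less often steps down.
                    set_state(other, "BACKUP", t)
                    other.last_heard = t
                elif other.state == "BACKUP":
                    if preempt and other.interval < master.interval:
                        # net.inet.carp.preempt=1: a better backup takes over at once.
                        set_state(other, "MASTER", t)
                        next_adv[other.name] = t + dt
                    else:
                        other.last_heard = t   # master is alive, restart the timer

    return log, {h.name: h.state for h in hosts}


def run_scenario(preempt=False):
    """Three hosts; A is the preferred master, crashes at t=10 and returns at t=20."""
    hosts = [CarpHost("A", advskew=0), CarpHost("B", advskew=100), CarpHost("C", advskew=200)]
    events = [(10.0, "A", False), (20.0, "A", True)]
    return simulate(hosts, events, horizon=30.0, preempt=preempt)


if __name__ == "__main__":
    for preempt in (False, True):
        log, final = run_scenario(preempt)
        print(f"preempt={int(preempt)} final={final}")
        for t, name, state in log:
            print(f"  t={t:6.2f}  {name} -> {state}")
```

With preempt off, A takes the address at t=3 (three of its one-second intervals), B notices A's silence after three of its own 1.39 s intervals and takes over around t=13.2, and A stays a backup after it returns at t=20; with preempt on, A reclaims the address the first time it hears B's slower advertisement.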
SECURITY
Anatomy of a FreeBSD Compromise (Part 3)
Continuing in our security series, we will look at the tools essential to securing and exploiting systems.
In the previous articles, the author looked at the culture and processes behind hacking exploits, as well as some possible real-life examples. In this article we will look at some of the tools used to penetrate, test and secure devices, as well as performing analysis and discovering vulnerabilities. While the examples here are non-destructive, it is recommended that these tests are carried out on a private test network and definitely not on the Internet or without your employer's approval. To do so may well be in breach of your ISP's or employer's Acceptable Use Policy and could lead to legal action against you.
Ethics
One of the long standing arguments on the Internet is what to do with traffic from hackers, spammers etc. when it arrives on your network. As it is relatively easy to identify where your attack is coming from (once you have identified your incident and provided multiple attackers are not involved), there is great temptation to fire back at the lowlife that has abused your system. This is a very natural reaction, yet in the author's opinion this is not the best route to take. First of all, you are raising a flag to say that there is intelligent life at the end of the wire, so possibly opening yourself up to more attacks. Secondly, it has not been clarified in law (in the UK at least) that your response could not be construed as an aggressive attack. This in effect means that if you fire back, in the eyes of the law you are just as guilty as the original offender. The situation is complicated by the fact that often, while the device at the other end of the wire is compromised, the owner is blissfully unaware and the last thing on their mind is to attack your web server. The safest route is to drop suspect packets on the floor, rather than launching a full scale attack on the origin in the hope that you will bring fairness to the situation. If repeated incidents occur, pass the incident to the originator's ISP or, worst case, to law enforcement. That said, I have included both sticky and non-sticky honeypots in the tools list as defenses; I will leave the lawyers to work out whether or not tar-pitting an offensive packet can be considered an offensive act.
Requirements
For this series of tests the author will be using a bridged Virtual Machine running on a desktop host connected to an internal LAN. Two FreeBSD boxes (one configured as a virtual machine and the other a live server) are available, as well as other devices on the LAN. Border.merville.intranet and hacker.merville.intranet are the victim and attacker respectively. Border.merville.intranet is a copy of FreeBSD 6.1, with Apache, PHP, and MySQL installed, which was originally compromised but repaired. Hacker.merville.intranet is FreeBSD 9.0 Release running TWM with our tools added via pkg_add as required. Various other servers and desktop machines will be used as targets in later exercises, but to cover the initial fundamentals 2 machines are sufficient. I am using a Cisco switch on my LAN, but a hub (or virtual LAN) will work as well, if not better. Results will vary between a switch and a hub, depending on the configuration of the switch, as not all packets will be present on all ports, whereas they will be on a hub. If a virtual LAN is used you may need to tweak the security settings of the virtual machines accordingly. The results from your network will vary considerably from the test LAN here depending on what devices etc. are present.
Tools
While there are a lot of command line tools available under *BSD that will help the administrator discover vulnerabilities, there are a number of bootable ISOs available that include collections of tools that are useful across software platforms. These are useful in that all the utilities are rolled together, and can be run discretely from a CD-ROM or bootable USB stick. The majority of these utilities are available in one form or another under *BSD, with the exception of the O/S specific tools (e.g. those that are available on Hiren's BootCD), but will require further tweaking (installation of additional scripts/templates etc.) to run under *BSD. Some require a commercial license or will benefit from commercial support. It is up to the system administrator to evaluate the best tool for the job, and sometimes it is prudent to enlist the help of specialists, especially in the fast moving arena of systems security. Please refer to Table 1,  Common Security and Network Tools, which covers the majority of popular security tools across the *BSD/Windows platforms. In the world of security, there is no single application that covers all bases, so using a wide range of tools allows the system admin to examine the environment from many different angles. Anti-virus and firewall software has been omitted from the list; these are platform specific and it is taken as read that the system administrator will have these systems in place.
Table 1. Common security and network tools
Name | Description | Category | Website
netstat, telnet, ping, dig, ps, netcat, top, tcpdump etc. | General purpose administration and networking tools. Should be in every sysadmin's armoury. | Application | N/A
Nmap / Nmapsi4 | Port scanner. Checks for TCP enabled devices on networks and open ports | |
Ntop | Network traffic probe | |
Nessus | Vulnerability scanner. Using the professional feed will identify open ports, applications and their corresponding vulnerabilities | |
Wireshark | Network protocol analyzer and packet sniffer | |
| Penetration testing software. Performs network discovery and vulnerability verification | |
| Intrusion detection system (IDS) | |
| Non-sticky honeypot used to lure attackers | |
| Sticky honeypot. As above but sends them to a tar pit and slows down attacks | |
| General purpose toolkit. Allows cloning of media over network, MS Windows password reset, deleted file recovery etc. | |
BackTrack Linux | Premier Linux distro tuned to the needs of the security professional. Just about every tool you will require in one ISO. The ninja hacker's weapon of choice. | | http://www.backtrack-linux.org
| Live distro with a large collection of security tools | Bootable CD | http://s-t-d.org
Hiren's BootCD | Live CD aimed at virus removal etc., mainly aimed at Microsoft desktops | Bootable CD | http://www.hiren.info
Strategy
One of the reasons that bot-nets are highly effective is the analysis and gathering of repetitive data. In human terms, we need to drill down from the macro (general) to the micro (specific). This is simplified in Figure 1, moving from the general to the specific: What networks do we have access to? What devices are on this network? What ports are open on these devices? And finally, what exploits are available on these ports? If we do the math, there are 27 different types of web server software alone currently available according to Wikipedia, and that is just one application running on port 80. Taking into account the 65536 TCP/IP ports and the possibility that the software has not been configured securely, patched, or is just plain broken, this leaves a lot of ground to cover, and that is just one server. Adopting the hacker mentality for a moment, a form of triage is required: we need to identify the most vulnerable system. Our first task is therefore to scan our network to see what potential targets are available.
NTOP is a great web based tool for monitoring traffic on the network, and the command line equivalent TCPDUMP in combination with GREP is a good combination for quickly identifying packets on the wire. But what of that forgotten server that nobody uses? Unless it is requesting some service (e.g. ARP or DHCP etc.) it may well remain silent when the probe takes place and remain undetected. NMAP on the other hand can actively scan the whole network, so there is little chance anything will remain hidden. NTOP will perform network asset discovery as well, and will provide traffic analysis beyond what NMAP is designed for. We will use all 3 methods to discover what devices are on our network. WIRESHARK is useful as well, especially if we want to examine what is on the wire, but without active (intrusive) tools such as NMAP, the hacker's task would be much more convoluted. Whereas NTOP, WIRESHARK and TCPDUMP are passive out of the box, the best results are achieved through using a combination of both sniffing (passive) and probing (intrusive) strategies.
As root, install NMAP, NMAPSI4 and NTOP via the package system:
pkg_add -r nmap nmapsi4 ntop
This forces NTOP to start in IPv4 rather than IPv6 mode. Reboot:
reboot
If you experience difficulties running NTOP, see man ntop for further details.
TCPDUMP
If you do not have access to the Internet to install packages, a great tool for analyzing network traffic is TCPDUMP, used in conjunction with GREP and TELNET. On the attack machine, run the following command (you may need to run IFCONFIG to identify your network card type):
tcpdump -i em0
Table 2. Potential targets
No | Hostname | IP Address | Discovered by
1 | Hacker | 192.168.0.131 | NTOP, TCPDUMP, NMAP
2 | Intel | 192.168.0.132 | NTOP, TCPDUMP, NMAP
3 | ? | 192.168.0.141 | TCPDUMP
4 | ? | 192.168.0.250 | NMAP
5 | Border | 192.168.0.254 | NTOP, TCPDUMP, NMAP
You will be presented with a real time view of the traffic passing by the Ethernet device em0 on the attack machine (Figure 5). Depending on the size of the network you are probing, the amount of traffic displayed may be impossible to read, so either filter the output through MORE (tcpdump -i em0 | more) or GREP for the specific IP address, protocol, or, as in the example below, search for Address Resolution Protocol (ARP) packets:
tcpdump -i em0 | grep ARP
This will result in output similar to Figure 7, TCPDUMP ARP traffic. Press Ctrl-C to kill the display. This qualifies the words of wisdom carried on the BackTrack Linux website: "The quieter you become, the more you are able to hear." One of the key techniques of the hacker is stealth; hammering away at a network will quickly raise the suspicion of the firewall and any Intrusion Detection Software (IDS). Patience and just sitting listening over an extended period of time is a far better strategy, especially if you are cloaked or have taken measures to obfuscate your presence. TCPDUMP has now discovered our first anomaly: the device at 192.168.0.141 doesn't know who or where it is on the network! More interesting still, there was no indication of 192.168.0.141 on the network when we initially ran NTOP. This can easily be explained by the nature of ARP, which works at the link layer (Figure 6, ARP). ARP is used to translate between IP and MAC addresses, and is often cached locally on a device. The gratuitous ARP packet from 192.168.0.141 would suggest some form of router, as this method is used to force a refresh of the local ARP cache on network hosts. To see what your ARP cache contains, run:
arp -a
NMAP
NMAP comes in two flavors, a command line utility and a GUI version which will run under any X11 window manager. For this exercise, we will use the CLI version as we want to capture the output to a file. As root, run the following in a directory that has sufficient disk space (root generally has a very small partition size):
nmap -sn 192.168.0.0/24 -oN SN_192.168.0.0.TXT
This will generate a text file SN_192.168.0.0.TXT which contains a list of discovered hosts in the range 192.168.0.0 to 192.168.0.255 (Figure 8). NMAP has many scan modes from brute force to stealth, and the scan we are using is -sn, a simple ping scan without port discovery. This should flush out most of the devices on our network, provided they will respond to an ICMP ping request. Using our combination of NTOP, TCPDUMP and NMAP we now know of the following potential victims on our network (Table 2, Potential targets). Let us patiently see if we can detect what ports are open on 192.168.0.141 and 192.168.0.254 by running NMAP with -Pn. This treats all hosts as online, and will fail if the device really doesn't exist. This scan will take some time. We can now tell that 192.168.0.141 really does exist but is filtering all of its ports (Figure 10). If the device did not exist, we would get a different response (Figure 11). Figure 12 shows what a 5 minute scan of 192.168.0.254 will reveal in the way of open TCP ports, and Figure 13 shows the accumulated stats that NTOP managed to gather over a 4 hour 40 minute period. Finally, going back to command line tools, let us not forget the humble TELNET client. Looking at Figure 12, we can see that SQUID is running on port 3128 of 192.168.0.254. By typing in some garbage, we can get the daemon to reveal the version number, SQUID2.5STABLE14 (Figure 14):
telnet 192.168.0.254 3128
Figure 12. 192.168.0.254: lots of potential here
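Turning the TCPDUMP ARP listing and the NMAP -sn report into one list of hosts with a "discovered by" column, as Table 2 does by hand, is a small parsing job; the following Python is an added example, not part of the original article. It parses constructed sample tcpdump ARP lines and a constructed nmap -oN report that reuse the test LAN's addresses (the timestamps, MAC addresses and latencies are made up), merges them into rows sorted by address, and flags the host that announced its own address with a gratuitous ARP, which is exactly what made 192.168.0.141 stand out above. On a defender's network the same flag is worth an alert: a gratuitous ARP from an address nobody expects is either an undocumented router or someone poisoning ARP caches.

```python
import re
from ipaddress import ip_address

# Constructed sample output, using the article's test LAN addresses; not a real capture.
SAMPLE_TCPDUMP_ARP = """\
12:00:01.104523 ARP, Request who-has 192.168.0.254 tell 192.168.0.131, length 28
12:00:01.104811 ARP, Reply 192.168.0.254 is-at 00:1b:2f:aa:bb:cc (oui Unknown), length 46
12:00:03.551002 ARP, Request who-has 192.168.0.131 tell 192.168.0.132, length 28
12:00:09.000417 ARP, Request who-has 192.168.0.141 tell 192.168.0.141, length 28
12:00:09.000420 ARP, Reply 192.168.0.141 is-at 00:50:56:c0:00:08 (oui Unknown), length 46
"""

# Constructed nmap -sn -oN report in the same style as SN_192.168.0.0.TXT.
SAMPLE_NMAP_SN = """\
# Nmap 5.51 scan initiated Sun Feb  5 12:10:00 2012 as: nmap -sn -oN SN_192.168.0.0.TXT 192.168.0.0/24
Nmap scan report for 192.168.0.131
Host is up (0.00021s latency).
Nmap scan report for 192.168.0.132
Host is up (0.00090s latency).
Nmap scan report for 192.168.0.250
Host is up (0.0031s latency).
Nmap scan report for border.merville.intranet (192.168.0.254)
Host is up (0.00044s latency).
# Nmap done at Sun Feb  5 12:10:03 2012 -- 256 IP addresses (4 hosts up) scanned in 3.21 seconds
"""

# "ARP, Request who-has X tell Y" (newer tcpdump) or "arp who-has X tell Y" (older).
ARP_REQUEST = re.compile(r"arp,?\s+(?:request\s+)?who-has\s+(\S+?)(?:\s+\([^)]*\))?\s+tell\s+([\d.]+)", re.I)
ARP_REPLY = re.compile(r"arp,?\s+(?:reply\s+)?([\d.]+)\s+is-at\s+([0-9a-f:]{17})", re.I)
NMAP_REPORT = re.compile(r"^Nmap scan report for .*?(\d+\.\d+\.\d+\.\d+)\)?\s*$")
NMAP_OLD = re.compile(r"^Host (\d+\.\d+\.\d+\.\d+) appears to be up")   # nmap 4.x wording


def parse_tcpdump_arp(text):
    """Return (hosts seen sending ARP, hosts that sent gratuitous ARP)."""
    seen, gratuitous = set(), set()
    for line in text.splitlines():
        m = ARP_REQUEST.search(line)
        if m:
            target, sender = m.groups()
            seen.add(sender)            # only the sender is proven to exist
            if target == sender:
                gratuitous.add(sender)  # "who-has X tell X": announcing its own address
            continue
        m = ARP_REPLY.search(line)
        if m:
            seen.add(m.group(1))
    return seen, gratuitous


def parse_nmap_sn(text):
    """Return the hosts an nmap -sn -oN report lists as up (new and old formats)."""
    hosts, current = set(), None
    for line in text.splitlines():
        m = NMAP_REPORT.match(line)
        if m:
            current = m.group(1)
            continue
        if current and line.startswith("Host is up"):
            hosts.add(current)
            current = None
            continue
        m = NMAP_OLD.match(line)
        if m:
            hosts.add(m.group(1))
    return hosts


def discovery_table(tcpdump_text, nmap_text):
    """Merge both sources into rows like Table 2: one per address, with who found it."""
    arp_hosts, gratuitous = parse_tcpdump_arp(tcpdump_text)
    sources = {"TCPDUMP": arp_hosts, "NMAP": parse_nmap_sn(nmap_text)}
    every = {ip for ips in sources.values() for ip in ips}
    return [
        {
            "ip": ip,
            "discovered_by": [tool for tool, ips in sources.items() if ip in ips],
            "gratuitous_arp": ip in gratuitous,   # worth a closer look: router or ARP spoofing
        }
        for ip in sorted(every, key=ip_address)
    ]


if __name__ == "__main__":
    for row in discovery_table(SAMPLE_TCPDUMP_ARP, SAMPLE_NMAP_SN):
        flag = "  <- gratuitous ARP" if row["gratuitous_arp"] else ""
        print(f"{row['ip']:16} {', '.join(row['discovered_by'])}{flag}")
```

Feed it the real files (tcpdump -i em0 | grep ARP > arp.txt and the -oN output) and the hosts that appear in only one column are the ones to look at first: seen by TCPDUMP but not NMAP means a host that will not answer pings, seen by NMAP but silent on the wire means something that only talks when asked.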
Conclusion
There are many ways of extracting valuable information from a network. We can listen over an extended period, scan devices using both brute force and stealth methods, and use tools like telnet to get daemons to reveal their identity.
Figure 13. NTOP updated after a few hours
ROB SOMERVILLE
Rob Somerville has been passionate about technology since his early teens. A keen advocate of open systems since the mid eighties, he has worked in many corporate sectors including finance, automotive, airlines, government and media in a variety of roles from technical support, system administrator, developer, systems integrator and IT manager. He has moved on from CP/M and nixie tubes but keeps a soldering iron handy just in case.
LET'S TALK
So a large portion of the Internet almost raged at the low level of media attention the demise of 70 year old Dennis MacAlistair Ritchie on October 12th of 2011 got, compared to that of Steve Jobs. Ritchie is one of the greater pioneers of the computing age. Steve Jobs probably couldn't have achieved what he had without UNIX and thus Dennis Ritchie. Then again, Dennis probably wouldn't have written the C programming language for UNIX, because there might not have been a DEC PDP-7 lying in the corner at Bell Labs for Ken Thompson to pick up and write UNIX on, if it wasn't for Ken Olsen and his Digital Equipment Corporation. Still, UNIX and the C language had, and still have, a very pronounced presence in and on our current computing platforms. If you want close-to-the-CPU programming for speed and accuracy, and don't want to fiddle with assembly, C is the way to go. And, as we all know, if you want something done the right way, you choose a UNIX variant. I think this is a very good ode to Dennis and his incredible work.
#include <stdio.h>

int main(void)
{
    printf("goodbye, dad.\n");
    return 0;
}
But Robert Morris made sure we all could log in to a UNIX machine in a relatively secure manner. He wrote crypt, the bc programming language and the math library within UNIX. A cryptographer at heart, he probably has done a lot of stuff which we will never learn about. After a career at Bell Labs he switched to the NSA; you can read what led up to that switch in the story from Dennis Ritchie, "Dabbling in the Cryptographic World". Robert's son, Robert Tappan, wrote the infamous Morris Worm which almost destroyed 10 percent of the back then small Internet, consisting of about 60000 connected systems. I guess computer security ran in the family. Robert died at 78 years of age on the 26th of June, 2011. Steve Jobs of course is a person who will be missed, for sure. He was a weird man, but also a true visionary in my book. He was responsible for the Apple Computer of course, but also Pixar and NeXT. This article isn't big enough to describe his life in short; there's been enough in the magazines, papers and even books about him to read up on his crazy life. He died at 56 years of age on the 5th of October, 2011. Jack, or Jacob E., Goldman died at the age of 90 on December the 20th, 2011. A true scientist, he did a lot of work for the Ford Scientific Lab. He was working on an electric car with a sodium-sulfur battery in the 1960s. But his main tribute to our world was to hire Dr. George Pake to create the Xerox Palo Alto Research Centre, which went on to house companies and labs, and create things like laser printing, Ethernet, the GUI (which Jobs stole for Apple) and object-oriented programming, to name a few. Maybe not as foundational as the guys mentioned before, but nevertheless technologies we now use daily and take for granted.
Another great man who passed away this year is John McCarthy. He lived to the age of 84 before passing away on October 24th, 2011. This man coined the term artificial intelligence, or A.I., and did much of the early work in the field. He created the Lisp programming language, which most programmers will have seen, touched or loved at one point or another in their lives. He did a lot more, mostly anticipating future technologies long before they became the reality we live in today. Start by reading about this marvellously interesting person on his Wikipedia page.

Paul Baran is credited with the invention of packet switching, which is used in our networks and the Internet today. While working on a report for the RAND Corporation, he had to come up with a network of some kind that could survive a nuclear attack. Back in the early 60s he used redundancy to make that happen, and through a series of distillations the report ended up as the packet-switching basics that went on to be used in the ARPANET, DARPA's network and the very beginning of the Internet. Later on he applied the same principles to new standards and products such as ATM (Asynchronous Transfer Mode) and the discrete multitone (DMT) modem, a form of orthogonal frequency-division multiplexing that is the basis of DSL modems. Paul passed away at the age of 84 on March 26th, 2011.
On the 23rd of March, 2011, Jean Jennings Bartik, one of the six original ENIAC programmers, passed away at the age of 86. She also worked on the BINAC and the better-known UNIVAC I. Back in those days programming computers was considered more of a woman's job; now look at the state of it today. She didn't receive much respect later in life, being laid off from her career in the computer industry by McGraw-Hill in 1985, when she was 61 years of age. A museum bearing her name at Northwest Missouri State University in Maryville, Missouri features ENIAC, BINAC and UNIVAC exhibits. She is listed in the Women in Technology International Hall of Fame and was one of the three Computer History Museum Fellow Award honorees of 2008, alongside Bob Metcalfe and Linus Torvalds.
www.bsdmag.org
LETS TALK
Jack Wolf was responsible for a great deal of information and coding theory from the 60s until around 2000 and won a large number of awards for it. You could wade through all the papers he published, but it comes down to the problems faced when trying to get data from one point to another without losing anything. His work is still used in nearly everything we rely on today, such as the hard disk drives and tape drives of the last 20 years or so. He was 76 years of age when he passed away on May 12, 2011.
April 21st marked the end of Max Mathews' life. Even less well known than the men listed above, he may be the one who made it possible for us to have complete orchestras inside our computers today. As early as 1957 Max had an IBM computer running at Bell Labs, serving up a 17-second composition made and synthesized purely on a computer! He was 84 years of age.
Anthony Edgar "Tony" Sale was a British electronics engineer who loved computer history. He was the man who built George the robot out of Meccano back in 1949, which was a big thing back then. In 2011 he restarted George after decades in storage in Tony's garage; with some oil in the bearings and new lithium batteries, George was alive again. Tony was a member of the British Computer Society and the Computer Conservation Society, and a big man at Bletchley Park, where he also led the famous Colossus rebuild, which can still break Lorenz-enciphered messages. He died at the age of 80 on August 28, 2011.
Tom West is probably best described by reading the book The Soul of a New Machine, written by Tracy Kidder with Tom as its main source. Tom led the team that created the Eclipse MV/8000, a 32-bit computer of the late 70s, which moved Data General up to the level of the big players. He seems to have been a very interesting man, about whom not much can be found. The piece in The Boston Globe (http://www.boston.com/bostonglobe/obituaries/articles/2011/05/22/tom_west_engineer_was_the_soul_of_data_generals_new_machine/?page=full) only lifts a corner of the blanket on Tom's life. He died on the 19th of May, 71 years of age.
Michael Stern Hart might not have been a true engineer at heart, but he was responsible for at least two things that are pretty important to us today: the electronic book, or e-book, and Project Gutenberg. He founded the Project in 1971 and with it paved the way for a great many freely available electronic books and texts. He was originally an author, and his own books are all available from the Project. He had a knack for writing monospaced email messages in which each line was exactly the same length, which is pretty cool. He lived to the age of 64, passing away on the 6th of September, 2011. May they all rest in peace.
SANDER REICHE
Sander Reiche is a PDP-11 fanatic and BSD/UNIX lover in his spare time, and a UNIX Systems Engineer at his day job. He is the founder of the Veritable UNIX Systems Group. His web page is located at http://ls-al.eu/~reiche.
In the next issue:
Continuation of series:
- BSD Certification by Dru Lavigne
- Anatomy of a FreeBSD Compromise
- More about PostgreSQL
- and more!