Archive for the ‘Site Related’ Category

Thank You Everyone!

*UPDATE*
Just wanted to let everyone know that I managed to throw $40.00 towards HFC, it wasn't much but I had forgotten PayPal fees and exchange rate (which is close to par but still affects $2k). Thanks again everyone!

I just wanted to let everyone know that I've reached my goal to cover my bandwidth costs. I want to thank the individuals who donated, it was definitely appreciated. I also want to thank SecurityCompass for making a donation. Additionally, I need to extend a big thank you to my employer. This is my personal blog and when I started with nCircle I pointed out that I blogged here and wouldn't stop. Even though we have our corporate blog, they were happy to allow me to bounce back and forth between the two rather than push me to blog only on blog.nCircle.com. So even though this blog is all mine, nCircle stepped up and offered me an advertising contract, featuring their logo and link on my website and in exchange they offered up cash to cover the remainder (total less donations) of my hosting fees, and in the end I believe I'm coming out slightly ahead, so I'm hoping to pass some money towards HFC (more on that once my 1and1 bill is actually paid). So once again thank you to everyone. You'll now see nCircle's logo on the page, and in the near future (once my transfer volume is straightened out) DVL will return with an nCircle sponsored download page.

I’ve Become a Cyber Pan Handler

**Update on this on another blog post -- fees have been paid in full, should anyone choose to donate at this point, I'll use it to pay future fees**

Every now and then I encounter websites that have donate buttons, especially if they provide a service. I've always wondered about this but figured "Hey, if people want to give money why not". I've decided today to become one of these "Cyber Pan Handlers".

For quite a while I've been hosting DamnVulnerableLinux without any problems. About 6 months ago, my transfer limit was exceeded due to DVL and I had to pay a bit extra. I decided that I would stop hosting DVL and it went to being only available via torrent. A couple of months later my hosting provider, 1and1, sent out an email stating that all hosting accounts had been upgraded to unlimited transfer, so I re-enabled my hosting of DVL. This month DVL appeared on Slashdot and what followed was a bill for a couple of thousand dollars. 1and1 is claiming that my account is a grandfathered account that no longer exists, and is therefore not eligible for the unlimited transfer. Yet they had still sent me the email and when I had checked at that time my account stated unlimited. I'm guessing that they made a mistake in their system when they initially implemented it and then silently fixed it. Either way, they are unwilling to honor the email they sent me and the DVL direct download has been removed. Should I come out of this, I will upgrade my account (which will increase my current monthly costs) and resume hosting DVL for download.

In the meantime, I'm going to ask for donations to help cover this large bill. During this push, there were over 30K downloads of DVL. I'm hoping that some of those downloaders (or anyone else) will realize the value they gained from the direct download and donate a few bucks to help cover costs. I just don't have the cash to cover it right now, and not only will the DVL direct download go away, a number of other things will as well:

  • ComputerDefense.org blog, hosted web pages, mailing lists, and email addresses
  • SSLFail.com blog, hosted web pages and email addresses
  • Hosted DNS
  • Shell Accounts
  • SecurityBloggers.net domain name and associated email forwards / url redirects
  • Hosted Domains

If you are someone affected by any of these services, maybe you want to donate too :)

As I said, once I manage to get this worked out, the DVL direct download will resume. Those who donate, I'm also willing to consider any requests you have for a shell account, dns hosting, email or whatever else. If any companies want to donate... Well, I'll add a banner with your logo to the top of CDO.org and SSLFail.com. Let's say for companies, every $20 buys you a month of banner :)

Anyways... that's it... figured I'd give this a try.... now for the lovely download button.

Thanks For Reading!
Tyler.

***UPDATE***
I've been asked what will happen if I get more money than the cost of the bill. If that happens, I'll gladly donate the rest to HFC.
Categories: Site Related Tags:

My “DoS” Attack

I experienced a ‘brief’ period of downtime (~24 hours) the other day on a server that I have hosted with 1and1. When I contacted them to find out about the outage, I was informed that my IP had been blackholed due to a DoS attack. I was surprised to discover that they hadn’t contacted me when they’d taken this action and, if I didn’t access my server daily, I wonder how long they would have continued to blackhole the IP. I asked for proof that my server was under attack and they sent me a snippet of the log:

12:57:25.528325 IP 64.233.180.94.53615 > 74.208.78.XXX.53:  5038 A? www.securitybloggers.net. (42)
12:57:25.586218 IP 64.233.180.94.38886 > 74.208.78.XXX.53:  27266 A? www.securitybloggers.net. (42)
12:57:25.606691 IP 64.233.180.94.50898 > 74.208.78.XXX.53:  5454 AAAA? www.securitybloggers.net. (42)
12:57:25.653284 IP 64.233.180.94.32922 > 74.208.78.XXX.53:  16830 A? www.securitybloggers.net. (42)

That IP, for those of you running to look it up, resolves to ni-out-f94.1e100.net. It turns out that 1e100.net is a Google domain. So, if I believe my hosting provider, I was DoSed by Google. I emailed 1and1 to point out that it was a Google domain and simply DNS traffic, and shortly after that my server was back up… at least in theory. In the end I had to reboot my server before it would respond… but at least I got it up and running.

Nothing exciting... just my latest pain.
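
A small triage helper for a capture like the excerpt above, as an added example that is not part of the original post: it parses tcpdump's text output for DNS queries and summarizes, per source address, how many queries were seen, over what time span, and for which names and record types. The function name and report fields are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four lines quoted in the post (the last destination octet is redacted there).
SAMPLE = """\
12:57:25.528325 IP 64.233.180.94.53615 > 74.208.78.XXX.53:  5038 A? www.securitybloggers.net. (42)
12:57:25.586218 IP 64.233.180.94.38886 > 74.208.78.XXX.53:  27266 A? www.securitybloggers.net. (42)
12:57:25.606691 IP 64.233.180.94.50898 > 74.208.78.XXX.53:  5454 AAAA? www.securitybloggers.net. (42)
12:57:25.653284 IP 64.233.180.94.32922 > 74.208.78.XXX.53:  16830 A? www.securitybloggers.net. (42)
"""

# time IP src.sport > dst.dport: query-id[+] QTYPE? qname (length)
QUERY = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"\S+\.(?P<dport>\d+):\s+(?P<qid>\d+)\+?\s+(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)

def summarize_dns_queries(text):
    """Group DNS queries to port 53 by source IP (hypothetical helper for this example)."""
    seen = defaultdict(lambda: {"times": [], "names": set(), "types": set(), "ports": set()})
    for line in text.splitlines():
        m = QUERY.match(line.strip())
        if m is None or m["dport"] != "53":
            continue  # skip anything that is not a DNS query line
        entry = seen[m["src"]]
        entry["times"].append(datetime.strptime(m["ts"], "%H:%M:%S.%f"))
        entry["names"].add(m["qname"])
        entry["types"].add(m["qtype"])
        entry["ports"].add(m["sport"])
    report = {}
    for src, entry in seen.items():
        span = (max(entry["times"]) - min(entry["times"])).total_seconds()
        report[src] = {
            "queries": len(entry["times"]),
            "span_s": span,  # only meaningful within one capture on one day
            "names": sorted(entry["names"]),
            "types": sorted(entry["types"]),
            "distinct_src_ports": len(entry["ports"]),
        }
    return report

if __name__ == "__main__":
    for src, row in summarize_dns_queries(SAMPLE).items():
        print(src, row)
```

For the quoted excerpt this reports a single source asking for one name with A and AAAA queries, four queries in about 0.12 seconds. The excerpt is only a snippet, so it says nothing about the rate over the full incident.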

Categories: Site Related Tags:

DVL Mirror Back Up

***UPDATE***
For those wondering where DVL is, read this note here

********

I just got an email from my web host that I now have unlimited traffic, which means no worrying about overages and no worrying about extra fees. As a result... I've re-enabled the DVL mirror, DVL 1.5 is available here

Categories: Site Related Tags:

Comments Temporarily Gone

You may have noticed that recent comments have disappeared. It appears that IntenseDebate.com is down, so I've disabled the plugin (otherwise my blog won't even load). This isn't the first issue I've had and I'm finally fed up. I don't get email notifications for all my comments, my site won't load when they are down and the site is slower to load because of their plugin. My only hope is that when their site comes back up I'll be able to dump the comments and import them into Wordpress.

Categories: Site Related Tags:

New Wordpress Theme

The old site layout worked well for the last 2+ years, however I decided I needed something new. Certain lines were being cut off and I wanted to utilize page layout a little more.

Here's the result... using the iNove theme.

Categories: Site Related Tags:

Security Bloggers Network has a new Home

From the email:

We have the URLs for the new SBN site. You can access the site at http://www.securitybloggersnetwork.com or http://www.securitybloggers.net.  Right now the site is simple, but we will build it up over time.  Check it out and make sure your feed is displaying correctly -- but your blog title should be automatically generated by your RSS.  Also, please do your best to promote the new site and feed, as traffic to it helps us all!

---

I know I've been a little lazy when it comes to posting lately, but I plan on posting more going forward... hopefully anyways.

Server Move Updates — Interesting Occurrence

Howdy All,

My server has hit 2.5 days of uptime (I've had it for almost 2 weeks, and that's the most uptime it's had yet). I finally (after fighting with tech support) was able to get them to swap the hardware and I haven't had a segfault yet, even though they still insist it wasn't a hardware problem.

I was rather unimpressed with the quality of support I received (although it may finally be resolved), as I've always had great support from 1and1. This was my first time dealing with 'Dedicated Server' support and I wonder if it's a different group, because it was quite the different experience.

Anyways... now that it's up, I wanted to share something interesting that I'm seeing. I purchased a couple of extra IPs as some of my domains will use SSL and I've set this up using interface aliases on the server.

eth0 is the primary IP, and eth0:0 and eth0:1 are the secondary IPs. Here's where this gets to be interesting. eth0:0 is always used. If I specify an interface... it doesn't really matter because quite often that will be ignored.

Examples:

bind: listen-on was set to eth0, however my AXFR was occurring with eth0:0, I had to specify a transfer-source to solve the problem.

Wolfenstein Enemy Territory: I've specified the listen port as eth0:1, yet the only IP that you can connect to is the one assigned to eth0:0.

irssi: Regardless of the IP I specify with the -n flag, I still end up using eth0:0.

So... has anyone seen this before? I sure haven't and I can't find anything online. I'm wondering if there's a flag/setting somewhere that sets eth0:0 to be the primary interface... but I can't find it.

Categories: Site Related Tags:

Server Ups and Downs

I had mentioned that there may be some downtime as I transitioned this site (and a number of my other sites) over to new servers. I'm starting to think that this will never happen. I mentioned the servers that I had ordered last week from 1and1 (a company whose service I've been impressed with for the past 5 years or so). The servers were prepared quicker than expected, one with CentOS 5 and one with Windows Server 2003. I began using CentOS 5, however I realized that I'm much more a fan of the Debian structure, so I requested a server reimaging with Debian 4.0. (1and1 has a reimage on command button with a wide range of images). I got my Debian server up and running and everything was going well.

Suddenly, however, I couldn't SSH into it. I checked via console (you also get console access) and found that it was down. I rebooted and all was well. A day later the same thing happened. So now the server has crashed at least once every 24 hours, since I got it. On Friday I'd been going fine for a day and a half or so and suddenly it locked up again. Completely unresponsive. So I sent in a support ticket and received a response with the phone number for their 24 / 7 dedicated server support. I called and after a brief conversation was told that if my server had nothing important, they would have the hardware replaced and the machine reimaged. I'd have to reconfigure it again but that was all, so I said sure. A couple hours later I got an email saying it was ready to go, so I went through and configured it again Saturday morning. Saturday night, it hung yet again, so I decided there may be something wrong with their Debian system and went back to CentOS 5. I configured it (compiling nothing from source, and using only the yum repositories to ensure it wasn't software I installed). Yet this morning the server was down yet again. This time with libc related segfaults on the console during boot.

I called in and was rather unimpressed. I was told that since it wasn't hardware this wasn't the type of issue they deal with. I couldn't believe the response... it's their hardware, their image, their yum repository. I haven't obtained anything that they were not the source of, and they still wouldn't help. At this point, I'm pretty fed up... but at the same time I've received great customer service for so long. It's really disheartening. I recommend 1and1 to everyone I know and now it's blowing up in my face.

I've decided to give the server one more try (this time on Ubuntu -- my favourite Linux distro) and if it still fails then I'm going to walk away and start a letter writing campaign.

Categories: Site Related Tags:

Server Transition

Hey All,

I just wanted to let everyone know that this website will be transitioning over the next few weeks (just in case there are any ups and downs along the way).

I was starting to hit the occasional database connection limit exceeded (the sole downside that I've found with my host is that connections are hardcoded at 18 and you can't pay to upgrade that limit). I also have a VPS, but I've found it just doesn't cut it for some of the shell related things that I want to do.

As a result I'm getting rid of the VPS and I picked up two servers, a 'Root Server' and a 'Windows Server'. I'm fairly happy that the costs are reasonable (compared with the other services that I looked at) and I liked the concept of one Windows, one Linux rather than 1 bigger server... Once I have all the software I want installed and everything configured, I plan on transitioning this blog to the 'Root Server'. Once there it will have its own IP and associated SSL cert. I will also have a few test beds to play with.

Server Specs:
2.2GHz AMD Athlon 64 3500+
1GB RAM
160GB w/ Software RAID 1
2TB Monthly Transfer (per server)

Categories: Site Related Tags: