Kamis, 14 Maret 2013

Xathrya Sabertooth

Xathrya Sabertooth

Split and Join Files in Linux

Posted: 14 Mar 2013 12:50 AM PDT

Sometimes, we are in situation where a large file is too large to be stored on a single Flash Drive. Or maybe our file is too big to be and exceed file size limit. In these cases we need to split file into smaller files.

Fortunately, Linux has a built in utility to do split and join. And yes, it should be shipped default on your Linux distribution. Split and join is packed together in GNU Coreutils.

In this article, we will discuss about how to use Linux utilities to do split and join files, also discussing about backup process on Linux.

Split and Join

In this scenario, we have an iso file: slackware64-14.0-install-dvd.iso. The size is estimated as large as 2.2GB. We will split the file into some files with each chunk have maximum 450MB in size.

To do splitting, invoke this command:

  split -d -b 450m slackware64-14.0-install-dvd.iso slackware64-14.0-install-dvd.iso.part

At this point, we have six files. The generated file have extensions .partXX where XX is the part number. Five of them (from slackware64-14.0-install-dvd.iso.part00 to slackware64-14.0-install-dvd.iso.part04) has size 450MiB and the rest (slackware64-14.0-install-dvd.iso.part05) has size 48.9MiB

Now, how to recover the splitted files? Of course we need to join them altogether and form the original file. At this point I want to join the part and the join file will have filename slackware64-14.0-install-dvd-join.iso. To do so, we can invoke following command:

  cat slackware64-14.0-install-dvd.iso.part00 \  slackware64-14.0-install-dvd.iso.part01 slackware64-14.0-install-dvd.iso.part02 \  slackware64-14.0-install-dvd.iso.part03 slackware64-14.0-install-dvd.iso.part04 \  slackware64-14.0-install-dvd.iso.part05 > slackware64-14.0-install-dvd-join.iso

Another way to do so is using following command:

  cat slackware64-14.0-install-dvd.iso.part{00..05} > slackware64-14.0-install-dvd-join.iso

Where {00..05} is parts we want to join.

Linux Kernel Source & Versioning

Posted: 14 Mar 2013 12:10 AM PDT

Kernel Versioning

Anyone can build Linux kernel. Linux Kernel is provided freely on http://www.kernel.org/. From the earlier version until the latest version are available. Kernel is release regularly and use a versioning system to distinguish earlier and later kernel. To know Linux Kernel version, a simple command uname can be used. For example, I invoke this and got message

  # uname -r  3.7.8-gnx-z30a

At that command output, you can see dotted decimal string 3.7.8. This is the linux kernel version. In this dotted decimal string, the first value 3 denotes major relase number. Second number 7 denotes minor release and the third value 8 is called the revision number. The major release combined with minor release is called the kernel series. Thus, I use kernel 3.7

Another string after 3.7.8 is gnx-z30a. I’m using a self-compiled kernel and add -gnx-z30a as a signature of my kernel version. Some distribution also gives their signature after the kernel, such as Ubuntu, Fedore, Red Hat, etc.

An example of building kernel can be read at this article.

Kernel Source Exploration

For building the linux kernel , you will need latest or any other stable kernel sources . For example we have taken the sources of stable kernel release version 3.8.2 . Different versions of Linux Kernel sources can be found at  http://www.kernel.org . Get latest or any stable release of kernel sources from there.

Assuming you have download the stable kernel release source on your machine, extract the source and put it to /usr/src directory.

Most of the kernel source is written in C .It is organized in various directories and subdirectories . Each directory is named after what it contains .  Directory structure of kernel may look like the below diagram.

Linux Kernel Source

Know let’s dive more into each directories.

arch/

Linux kernel can be installed on a handheld device to huge servers. It supports intel, alpha, mips, arm, sparc processor architectures . This 'arch' directory further contains subdirectories for a specific processor architecture. Each subdirectory contains the architecture dependent code. For example , for a PC , code will be under arch/i386 directory , for arm processor , code will be under arch/arm/arm64 directory etc.

init/

LILO or linux loader loads the kernel into memory and then control is passed to an assembler routine, arch/x86/kernel/head_x.S. This routine is responsible for hardware initialization , and hence it is architecture specific. Once hardware initialization is done , control is passed to start_kernel() routine that is defined in init/main.c . This routine is analogous to main() function in any 'C' program , it's the starting point of kernel code . After the architecture specific setup is done , the kernel initialization starts and this kernel initialization code is kept under init directory. The code under this directory is responsible for proper kernel initialization that includes initialization of page addresses, scheduler, trap, irq, signals, timer, console etc.. The code under this directory is also responsible for processing the boot time command line arguments.

crypto/

This directory contains source code of different encryption algorithms , e.g. md5,sha1,blowfish,serpent and many more . All these algorithms are implemented as kernel modules . They can be loaded and unloaded at run time . We will talk about kernel modules in subsequent chapters.

documentation/

This directory contains documentation of kernel sources.

drivers/

If we understand the device driver code , it is splitted into two parts. One part communicates with user, takes commands from user , displays output to user etc. The other part communicates with the device, for example controlling the device , sending or receiving commands to and from the device etc. The part of the device driver that communicates with user is hardware independent and resides under this 'drivers' directory. This directory contains source code of various device drivers. Device drivers are implemented as kernel modules. As a matter of fact, majority of the linux kernel code is composed of the device drivers code , so majority of our discussion too will roam around device drivers.

This directory is further divided into subdirectories depending on the device's driver code it contains.

drivers/block/
contains drivers for block devices,e.g. hard disks.
drivers/cdrom/
contains drivers for proprietary cd-rom drives.
drivers/char/
contains drivers for character devices , e.g. – terminals, serial port, mouse etc.
drivers/isdn/
contains isdn drivers.
drivers/net/
contains drivers for network cards.
drivers/pci/
contains drivers for pci bus access and control.
drivers/scsi/
contains drivers for scsi devices.
drivers/ide/
contains drivers for ide devices
drivers/sound/
contains drivers for various soundcards.

Another part of a device driver, that communicates with the device is hardware dependent, more specifically bus dependent. It is dependent on the type of bus which device uses for the communication. This bus specific code resides under the arch/ directory

fs/

Linux has got support for lot of file systems, e.g. ext2,ext3, fat, vfat,ntfs, nfs,jffs and more. All the source code for these different file systems supported is given in this directory under file system specific sudirectory,e.g. fs/ext2, fs/ext3 etc.

Also, linux provides a virtual file system(VFS) that acts like a wrapper to these different file systems . Linux virtual file system interface enables the user to use different file systems under one single root ( '/') . Code for vfs also resides here. Data structures related to vfs are defined in include/linux/fs.h. Please take a note , it is very important header file for kernel development.

kernel/

This is one of the most important directories in kernel. This directory contains the generic code for kernel subsystem i.e. code for system calls , timers, schedulers, DMA , interrupt handling and signal handling. The architecture specific kernel code is kept under arch/*/kernel.

include/

Along with the kernel/ directory this include/ directory also is very important for kernel development .It includes generic kernel headers . This directory too contains many subdirectories . Each subdirectory contains the architecture specific header files .

ipc/

Code for all three System V IPCs(semaphores, shared memory, message queues) resides here.

lib/

Kernel's library code is kept under this directory. The architecture specific library's code resides under arch/*/lib.

mm/

This too is very important directory for kernel development perspective. It contains generic code for memory management and virtual memory subsystem. Again, the architecture specific code is in arch/*/mm/ directory. This part of kernel code is responsible for requesting/releasing memory, paging, page fault handling, memory mapping, different caches etc.

net/

The code for kernel's networking subsystem resides here. It includes code for various protocols like ,TCP/IP, ARP, Ethernet, ATM, Bluetooth etc. . It includes socket implementation too , quite interesting directory to look into for networking geeks.

scripts/

This directory includes kernel build and configuration subsystem. This directory has scripts and code that is used to configure and build kernel.

security/

This directory includes security functions and SELinux code, implemented as kernel modules.

sound/

This directory includes code for sound subsystem.

module/

When the kernel is compiled , lot of code is compiled as modules which will be added later to kernel image at runtime. This directory holds all those modules. It will be empty until the kernel is built at least once.

Apart from these important directories , also there are few files under the root of kernel sources.

  • COPYING – Copyright and licensing (GNU GPL v2).
  • CREDITS – partial credits-file of people that have contributed to the Linux project.
  • MAINTAINERS – List of maintainers who maintain kernel subsystems and drivers. It also describes how to submit kernel changes.
  • Makefile – Kernel's main or root makefile.
  • README – This is the release notes for linux kernel. it explains how to install and patch the kernel , and what to do if something goes wrong .

Documentation

We can use make documentation targets to generate linux kernel documentation. By running these targets, we can construct the documents in any of the formats like pdf, html,man page, psdocs etc.

For generating kernel documentation, give any of the commands from the root of your kernel sources.

  make pdfdocs  make htmldocs  make mandocs  make psdocs

Source Browsing

Browsing source code of a large project like linux kernel can be very tedious and time consuming . Unix systems have provided two tools, ctags and cscope for browsing the codebase of large projects. Source code browsing becomes very convenient using those tools. Linux kernel has built-in support for cscope.

Using cscope, we can:

  • Find all references of a symbol
  • Find function's definition
  • Find the caller graph of a function
  • Find a particular text string
  • Change the particular text string
  • Find a particular file
  • Find all the files that includes a particular file

Kernel Mode and Context

Posted: 13 Mar 2013 11:40 PM PDT

User Mode and Kernel Mode

In Linux, application / software is fall into two category: user programs and kernel. Linux kernel runs under a special privileged mode compared to user applications. In this mode, kernel runs in a protected memory space and has access to entire hardware. This memory space and privileged state collectively is known as kernel space or kernel mode.

On contrary, userapplications run under user-space and have limited access to resources and hardware. User space application can’t directly access hardware or kernel space memory, but kernel has access to entire memory space. To communicate with hardware, a user application need to do system call and ask service from kernel.

Different Contexts of Kernel Code

Entire kernel code can be divided into three categories.

  1. Process Context
  2. Interrupt Context
  3. Kernel Context

Process Context

User applications can’t access the kernel space directly but there is an interface using which user applications can call the functions defined in  the kernel space. This interface is known as system call. A user application can  request for kernel services using a system call.

read() , write() calls are examples of a system call. A user application calls read() / write() , that in turn invokes sys_read() / sys_write() in the kernel space . In this case kernel code executes the request of user space application. At this point, a kernel code that executes on the request or on behalf on a userapplications is called process context code. All system calls fall in this category.

Interrupt Context

Whenever a device wants to communicate with the kernel, it sends an interrupt signal to the kernel. The moment kernel receives an interrupt request from the hardware, it starts executing some routine in the response to that interrupt request. This response routine is called as interrupt service routine or an interrupt handler. Interrupt handler routine is said to execute in the interrupt context.

Kernel Context

There is some code in the linux kernel that is neither invoked by a user application nor it is invoked by an interrupt. This code is integral to the kernel and keeps on  running always . Memory management  , process management , I/O schedulers , all that code lies in  this category. This code is said to execute in the kernel context.

Introduction to HoneyPot and HoneyNet

Posted: 13 Mar 2013 11:21 PM PDT

Honeypot, some people might familiar with this term. Some people maybe even implement it to their network. But what is this Honepot exactly?

Literally, a honepot is a pot / jar / other container used to store honey. But in this case, honeypot is a metaphor. A honeypot, or some people refer it as honeytrap, in computer science terminology means a trap set to detect, deflect, or in some mannger counteract attempts at unauthorized use of information system.

Honeypot in general consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attacker.

Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient.

Usually, Honeypot and Honeynet implemented as parts of larger Network Intrusion Detection Systems.

So What are the Benefits to Us?

There are many. Here are some benefits we can get from honeypot:

Early Detection
Honeypot will notifies and alerts us when attacks occurred. At least when unauthorized access attempts to break our system, it gives us more times to prepare countermeasures.
Analyze the Threat
A trapped attacker on honeypot can be analyzed. By this, we can know newest threats and newest attacking vectors used by attacker in attempt of ‘privilege escalation’. This also gives use information about who the enemy is, what he did, and what methods.
Secure the System
This method trap the attacker and make him only do his break in to honeypot system only thus the real server still in good shape. The defense system will give better security as attacker won’t attack server directly. But there is no guarantee that our system will be absolutely secure.
Disrupting Attacker
Honeypot is a method to disrupt and make attacker confuse. With many alternative and virtual system in network system, at least attacker confuse for distinguishing the real and virtual system.

HoneyPot Components

Network Devices Hardware
Honeypot acts as part of network, of course we net network devices.
Monitoring or Logging Tools
A set of tools or components to monitor and log activities inside Honeypot.
Alert Mechanism
A message system to notify or give a warning if an attack detected.
Keystroke Logger
Logging information about what attacker do including keystroke origin from attacker.
Packet Analyzer
Giving information about packet in and out between honeypot and attacker.
Forensic Tools
Giving information about forensic system used by attacker against System.

Where Should Honeypot placed?

Honeypot can be placed on some place:

  1. Directly connected to internet without firewall
  2. Between firewall and internet connection
  3. Honeypot is on DMZ
Diposting oleh di

Tidak ada komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)