Computer Scientist

Saturday, 15 January 2011

Linux Network Security Issues

As far as I know, there are at least three different layers of network security mechanism that affect how network processes run: TCP Wrapper, the iptables firewall, and SELinux.

TCP Wrapper and SELinux are host-based mechanisms. When a network packet arrives, TCP Wrapper and SELinux decide whether that packet may be processed by the specific running process. They do not block network access from other hosts; instead, they restrict the running process on the host from handling network messages.

Iptables, on the other hand, provides a network-based security mechanism. It inspects every network packet entering or leaving a host. A great number of distinct rules can be set up to filter specific packets; in this way, unwanted packets are kept outside the host.

In my recent experiment, I ran into several problems with these two mechanisms. I'd like to record them here for future reference:

  1. On the school's Fedora 11 system, SNMP messages could not go out even though the corresponding port was opened in the iptables firewall. When I used tcpdump to inspect every packet of the SNMP protocol, I found that SNMP request messages were able to come into the system, but no packets ever came out. I supposed two possibilities: snmpd had crashed, or something other than iptables was blocking the outgoing messages. Finally, after I searched almost the whole internet (joking, can I? but it is true that it is quite difficult to spot a specific rare problem on the internet), I realised that I was half right. There is something called TCP Wrapper which Linux uses to prevent specific daemon processes from being accessed from unwanted network hosts. In this case, all processes other than the few named in the file /etc/hosts.allow may only be accessed from localhost, which means that only local access is allowed. This is exactly the reason why I was able to query snmp using localhost: incoming SNMP messages from other hosts were not allowed to be processed by snmpd (so harsh!!). The solution is simple: just add snmpd to the hosts.allow file.
  2. The problem regarding iptables is a little foolish, but I learnt other things when I modified the iptables rules. Actually, the reason I couldn't transfer files to cspc020 was that I opened the wrong port for the TCP connection (don't trust the instructions on the webpage completely; this taught me a lesson). Just opening tcp 60000 is fine. During this process, I found that one should always modify iptables using the iptables command line tool before modifying the configuration file /etc/sysconfig/iptables, because the command line change is temporary but takes effect at once. If there are problems, I am able to recover by restarting the computer, after which the original configuration will be read. !!!! Good mechanism.
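As an added example (this is not the post's code and not part of tcp_wrappers itself), here is a small C model of the TCP Wrapper decision that caused the snmpd symptom above. The rule sets are constructed stand-ins for /etc/hosts.allow and /etc/hosts.deny: a loopback-only allow list like the one on the Fedora box, and the same list with an snmpd line added. The evaluation order is the one documented in hosts_access(5): a matching line in hosts.allow grants access, then a matching line in hosts.deny refuses it, otherwise access is granted. Only a subset of the pattern syntax is modelled (ALL, an exact name or address, and a dotted network prefix such as 10.0.0.); the function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample rule sets standing in for /etc/hosts.allow and /etc/hosts.deny.
   "before" is the situation described in the post (only loopback permitted);
   "after" adds the snmpd line that fixes it. */
static const char *allow_before[] = { "ALL: 127.0.0.1", NULL };
static const char *allow_after[]  = { "ALL: 127.0.0.1", "snmpd: 10.0.0.", NULL };
static const char *deny_all[]     = { "ALL: ALL", NULL };

/* Match one pattern token against a daemon name or client address.
   Supported subset: ALL, an exact name/address, or a dotted prefix such as "10.0.0." */
static int token_matches(const char *tok, const char *value)
{
    size_t n = strlen(tok);
    if (strcmp(tok, "ALL") == 0)
        return 1;
    if (n > 0 && tok[n - 1] == '.')
        return strncmp(tok, value, n) == 0;
    return strcmp(tok, value) == 0;
}

/* Match a comma- or space-separated list of tokens against a value. */
static int list_matches(const char *list, const char *value)
{
    char buf[256];
    char *tok;
    strncpy(buf, list, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (tok = strtok(buf, ", \t"); tok != NULL; tok = strtok(NULL, ", \t"))
        if (token_matches(tok, value))
            return 1;
    return 0;
}

/* Does a "daemon_list : client_list" line match this (daemon, client) pair? */
static int line_matches(const char *line, const char *daemon, const char *client)
{
    const char *colon = strchr(line, ':');
    char daemons[128];
    size_t dlen;
    if (colon == NULL)
        return 0;
    dlen = (size_t)(colon - line);
    if (dlen >= sizeof daemons)
        return 0;
    memcpy(daemons, line, dlen);
    daemons[dlen] = '\0';
    /* the two list_matches calls run one after the other, so strtok state is not interleaved */
    return list_matches(daemons, daemon) && list_matches(colon + 1, client);
}

static int any_matches(const char **lines, const char *daemon, const char *client)
{
    for (; *lines != NULL; lines++)
        if (line_matches(*lines, daemon, client))
            return 1;
    return 0;
}

/* hosts_access(5) order: a match in hosts.allow grants, then a match in
   hosts.deny refuses, otherwise access is granted. Returns 1 if allowed, 0 if denied. */
int wrapper_allows(const char **allow, const char **deny, const char *daemon, const char *client)
{
    if (any_matches(allow, daemon, client))
        return 1;
    if (any_matches(deny, daemon, client))
        return 0;
    return 1;
}

int main(void)
{
    printf("snmpd from 127.0.0.1, before: %d\n", wrapper_allows(allow_before, deny_all, "snmpd", "127.0.0.1"));
    printf("snmpd from 10.0.0.7,  before: %d\n", wrapper_allows(allow_before, deny_all, "snmpd", "10.0.0.7"));
    printf("snmpd from 10.0.0.7,  after:  %d\n", wrapper_allows(allow_after, deny_all, "snmpd", "10.0.0.7"));
    return 0;
}
```

The model reproduces the symptom from the post: with only "ALL: 127.0.0.1" in the allow list and a catch-all deny, a remote SNMP request is refused before snmpd ever sees it, which is why tcpdump showed requests arriving and no replies leaving. Adding a daemon-specific allow line grants exactly that daemon to exactly that network and nothing else, which is the least-privilege way to widen the rule. For checking real files rather than this model, the tcp_wrappers package ships tcpdmatch, which evaluates a (daemon, client) pair against the actual /etc/hosts.allow and /etc/hosts.deny.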


Thursday, 13 January 2011

Strange SNMP problem in Ubuntu or other platform

Description of the problem:
After I installed snmpd on Ubuntu 9.04, I tried to snmpwalk the system to check that the installation and deployment were correct. However, I got a timeout message even though I did not have any firewall installed on Ubuntu. At the beginning, I thought it was a firewall problem like the one on Fedora. The fact that no firewall is installed on Ubuntu by default made me realise that this was not the case.

Solution:
Ubuntu differs from Fedora: there is a file that keeps snmpd's default running options, which is
/etc/default/snmpd. In it, the options specify that only localhost is able to snmpwalk the SNMP agent. In this case, I not only need to change the snmpd.conf configuration file, but I also need to change some lines in the defaults file mentioned above to make it work. The change is like this:

#SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
# The trailing 127.0.0.1 in the original line made snmpd listen on the loopback address only;
# without it snmpd listens on every interface, so restrict who may query it in snmpd.conf.
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid -c /etc/snmp/snmpd.conf'

Wednesday, 15 December 2010

Discussion on Array size, String length.

This is a revision concentrating on two functions, sizeof() and strlen().

There are several ways for a programmer to define a string in C/C++ programs.

  1. char pointer: char *string; 
  2. char array: char string[100];

To initialize them, the following steps work.

  • define the string immediately if we know what we want to define.
        char string[] = "This is what we want to define";
        char *string = "This is what we want to define";
  • define the string first and then give it the specific content afterwards.
        char string[100];
        string = "This is what we want to define";
            CAUTION:<<This is not allowed in C or C++: an array cannot be assigned to another array>>
            INSTEAD: strcpy(string, "This is what we want to define");

        char *string;
        string = "This is what we want to define";

In the following part, I give some differently defined strings in my code. The printout shows the results of the two functions, sizeof() and strlen().

Here is the code:

    #include <cstring>
    #include <iostream>

    int main()
    {
        const char *test;      // a pointer to a literal: sizeof gives the pointer size, not the text
        char test2[100];       // a fixed array: sizeof gives the declared capacity, 100

        test = "This is what we want to define";
        char buffer[] = "This is what we want to define";   // sized by the initializer, '\0' included
        strcpy(test2, "This is what we want to define");    // copies 31 bytes including the '\0'

        std::cout << "test sizeof " << sizeof(test) << "\n";
        std::cout << "test strlen " << strlen(test) << "\n";

        std::cout << "buffer sizeof " << sizeof(buffer) << "\n";
        std::cout << "buffer strlen " << strlen(buffer) << "\n";

        std::cout << "test2 sizeof " << sizeof(test2) << "\n";
        std::cout << "test2 strlen " << strlen(test2) << "\n";
        return 0;
    }

The print out is:

   test sizeof 4
   test strlen 30
   buffer sizeof 31
   buffer strlen 30
   test2 sizeof 100
   test2 strlen 30

Another difference between strlen() and sizeof() is that strlen needs a function call at run time to determine the string length, whereas sizeof gives the size at compile time. The buffer example demonstrates this well. But the prerequisite is that sizeof() only gives the correct string length when the string is defined and initialized as in the buffer example: applied to the pointer test it yields the size of the pointer itself (4 here), and applied to test2 it yields the declared array size, 100, regardless of the text stored in it. In the buffer case, bear in mind that sizeof includes the '\0' but strlen does not.
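The practical reason this distinction matters is bounds checking when copying into a fixed array. The following C example is added here and is not the post's code; the function names are my own. It shows the buffer case from the post as return values, the decay of an array parameter to a pointer inside a callee, the common mistake of bounding a copy by sizeof of a pointer, and a copy bounded by the capacity the caller actually knows.

```c
#include <stdio.h>
#include <string.h>

/* The buffer from the post: sizeof counts the terminating '\0', strlen does not. */
size_t buffer_sizeof(void)
{
    char buffer[] = "This is what we want to define";
    return sizeof buffer;          /* 31 */
}

size_t buffer_strlen(void)
{
    char buffer[] = "This is what we want to define";
    return strlen(buffer);         /* 30 */
}

/* An array argument decays to a pointer: whether the parameter is written
   "char arr[100]" or "char *arr", sizeof arr inside the callee is sizeof(char *),
   never the caller's array capacity. */
size_t sizeof_inside_callee(char *arr)
{
    return sizeof arr;
}

/* Mistake: the bound is sizeof of the pointer, not of the destination array, so
   the copy is silently cut to sizeof(char *) - 1 characters. Returns the
   number of characters that ended up in dst. */
size_t copy_bounded_by_pointer_size(char *dst, const char *src)
{
    size_t cap = sizeof dst;       /* bug: pointer size, not array size */
    strncpy(dst, src, cap - 1);
    dst[cap - 1] = '\0';
    return strlen(dst);
}

/* Correct: the caller passes the capacity it knows (sizeof of its own array).
   Returns 0 on a full copy, 1 if the source had to be truncated, -1 if there is
   no room even for the terminator. */
int bounded_copy(char *dst, size_t dst_cap, const char *src)
{
    size_t n = strlen(src);
    if (dst_cap == 0)
        return -1;
    if (n >= dst_cap) {
        memcpy(dst, src, dst_cap - 1);
        dst[dst_cap - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);       /* n + 1 so the '\0' is copied too */
    return 0;
}

int main(void)
{
    char small[8];
    printf("buffer: sizeof %zu, strlen %zu\n", buffer_sizeof(), buffer_strlen());
    printf("sizeof inside callee: %zu\n", sizeof_inside_callee(small));
    printf("truncated? %d -> \"%s\"\n",
           bounded_copy(small, sizeof small, "This is what we want to define"), small);
    return 0;
}
```

The unbounded strcpy into test2 in the post's code only works because the literal (31 bytes) fits in the 100-byte array; with a longer source it would write past the end. The usable rule is that the capacity must travel with the pointer, as bounded_copy's dst_cap does, because once the array has decayed nothing else remembers it.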

Hopefully, this makes the usage of strings clear.

Monday, 13 December 2010

Coding works of the Experiment

Here is the TODO list for the experiment coding; some items will take a long time to achieve and may be implemented later because of current work.

  * How to monitor the network bandwidth: the rough idea is to sum the number of packets over a period of time and then calculate the amount of data per second during this period. At this point, how fine-grained the records should be needs to be considered.

  * How to write a daemon so that the program runs in the background:

  * How to stop the experiment program at any time: investigate how to use a signal to tell the experiment process to terminate. Using IPC (inter-process communication)??? The main issue is how to use Nagios to spread this instruction across all of the experiment machines.

  * How to monitor the system resource usage:

  * How to use automake to compile my own code together with the shared library of Chord or sfslite. For this task, I have made some progress on the Nagios SNMP plugins: change the Makefile.am in the ./src directory and run autoreconf --install in the package directory and then automake (not sure if this is required). Then configure it and make it. PROBLEMS to consider: 1. where is configure.ac? Is it optional for autoconf?
    ANSWER: configure.ac was called configure.in before autoconf 2.50. It can still be found in the Chord and Nagios SNMP plugins distributions. When you have modified some places in the Makefile.am or configure.ac files, don't do anything except run make. All of the .in files will be regenerated.
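For the "stop the experiment program at any time" item, the usual mechanism on Linux is a signal handler that only sets a flag, with the main loop checking the flag between units of work. The following C example is added here and is not the post's code; the function names are my own. The work function deliberately sends SIGTERM to the process itself on its third iteration to stand in for an external kill from the monitoring host, so the example can show the loop stopping part-way.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Written from the handler only. sig_atomic_t is the one type a handler may
   safely write and the main loop may safely read without a race. */
static volatile sig_atomic_t stop_requested = 0;

static void on_stop(int signo)
{
    (void)signo;
    stop_requested = 1;            /* no printf/malloc here: they are not async-signal-safe */
}

/* Install the handler for SIGTERM (what `kill <pid>` sends by default) and SIGINT.
   Returns 0 on success, -1 if sigaction fails. */
int install_stop_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_stop;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    if (sigaction(SIGTERM, &sa, NULL) == -1)
        return -1;
    if (sigaction(SIGINT, &sa, NULL) == -1)
        return -1;
    return 0;
}

int stop_was_requested(void)
{
    return stop_requested != 0;
}

/* Main loop of the experiment: one unit of work per iteration, flag checked
   between units so the process always stops at a clean point.
   Returns the number of iterations completed. */
int run_loop(int max_iterations, void (*work)(int iteration))
{
    int done = 0;
    stop_requested = 0;
    while (!stop_requested && done < max_iterations) {
        work(done + 1);
        done++;
    }
    return done;
}

/* Constructed work function: on the third iteration it signals itself,
   standing in for an external `kill` from the monitoring host. */
void demo_work(int iteration)
{
    if (iteration == 3)
        raise(SIGTERM);
}

int main(void)
{
    if (install_stop_handler() != 0) {
        perror("sigaction");
        return 1;
    }
    printf("completed %d iterations before stop\n", run_loop(10, demo_work));
    return 0;
}
```

Because raise() delivers the signal synchronously, the flag is already set when the third work unit returns, so run_loop finishes that unit and exits with 3. For the Nagios part of the item this is the receiving side only: whatever sends the kill must itself be restricted to the intended process, since any local user able to signal the experiment process can stop it.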

Tuesday, 7 December 2010

Parsing Long Options

This topic can be found in the documentation of the GNU C library (libc).

Here I summarise some useful tips:

== return values of getopt():
  • success
    • a character (the option name) for an option without an argument
    • a character (the option name), with char *optarg pointing to the argument, for an option that takes one
  • failure
    • '?' (the option is not in the option string, OR its required argument is missing); int optopt keeps the offending character
  • -1: parsing complete

== return values of getopt_long():

  • success
    • short options
      • (same as getopt())
    • long options
      • the content of val when flag == NULL (tip: put the corresponding short option character in val)
      • 0 when flag != NULL; the content of val is stored into *flag
      • (in both cases the argument, if any, is stored in optarg)
  • failure
    • (same as getopt())
  • -1: parsing complete
    PS: indexptr records the index of the matched option in the array of struct option.
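To make the two long-option conventions concrete, here is an added C example (not from the post or the libc manual) with a hypothetical option set for an experiment program. --verbose uses a flag pointer, so getopt_long returns 0 and writes val into the flag; --host and --port use flag == NULL with the short option character in val, so they share the switch cases of -h and -p; unknown options and missing arguments come back as '?' with optopt set.

```c
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical option set for an experiment program. */
struct options {
    int verbose;          /* --verbose: flag != NULL, getopt_long returns 0 and stores val here */
    const char *host;     /* --host ARG / -h ARG: flag == NULL, returns 'h', argument in optarg */
    int port;             /* --port ARG / -p ARG */
    int errors;           /* number of '?' returns */
    int last_longindex;   /* index written through the index pointer for the last flag-style long option */
    int last_optopt;      /* optopt after the last '?' */
};

/* Parse argv into *o. Returns the number of non-option arguments left over
   (argc - optind), or -1 if argv contained an unknown option or a missing argument. */
int parse_args(int argc, char **argv, struct options *o)
{
    struct option long_opts[] = {
        { "verbose", no_argument,       &o->verbose, 1   },   /* flag set: returns 0 */
        { "host",    required_argument, NULL,        'h' },   /* flag NULL: returns val */
        { "port",    required_argument, NULL,        'p' },
        { NULL, 0, NULL, 0 }
    };
    int c, longindex = -1;

    o->verbose = 0; o->host = NULL; o->port = 0;
    o->errors = 0; o->last_longindex = -1; o->last_optopt = 0;
    optind = 0;     /* glibc/musl: force getopt to reinitialise so parse_args can be called again */
    opterr = 0;     /* suppress getopt's own diagnostics; we count errors ourselves */

    while ((c = getopt_long(argc, argv, "h:p:", long_opts, &longindex)) != -1) {
        switch (c) {
        case 0:                   /* long option with flag set: *flag already holds val */
            o->last_longindex = longindex;
            break;
        case 'h':                 /* from -h or --host: optarg points at the argument */
            o->host = optarg;
            break;
        case 'p':
            o->port = (int)strtol(optarg, NULL, 10);
            break;
        case '?':                 /* unknown option, or required argument missing */
            o->errors++;
            o->last_optopt = optopt;
            break;
        }
    }
    return o->errors ? -1 : argc - optind;
}

int main(int argc, char **argv)
{
    struct options o;
    int rest = parse_args(argc, argv, &o);
    printf("verbose=%d host=%s port=%d errors=%d remaining=%d\n",
           o.verbose, o.host ? o.host : "(none)", o.port, o.errors, rest);
    return rest < 0 ? 1 : 0;
}
```

Two details are easy to miss from the summary above: longindex is only meaningful after a long option matched (after a short option it keeps its previous value), and optind must be reset before scanning a second argument vector, which is why parse_args sets it to 0 (the value glibc documents for a full reinitialisation) rather than relying on the initial 1. A value of -1 from parse_args is the program's cue to print usage and exit instead of running with half-parsed options.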

Monday, 6 December 2010

Linux GUI system configuration

To configure Linux using the provided GUI, some commands are essential; for example, "system-config-firewall" opens Fedora's GUI firewall configuration window. There are also other similar commands. Use tab completion to discover all of them!!!

Friday, 3 December 2010

Dive into more details of sfslite, which is used by the official Chord implementation

I decided to give up on OpenChord because it is quite difficult to use. I will go back to the official Chord implementation.

Here I refresh some knowledge of sfslite and provide some useful web pages for understanding its code.

    One thing that is a little difficult to understand is in Lesson 3: more than one callback in the same procedure.
    Lines 27 and 28 can be merged into "delaycb (1, 0, wrap(docallback, wrap(hello)));"
    I think I can understand it like this:
      each wrap() produces a callback version of a function (of type callback::ref).
      wrap(hello) provides a callback version of the hello() method to docallback(callback::ref) as its parameter.
      wrap(docallback, wrap(hello)) provides a callback version of docallback(callback::ref) to delaycb and asks delaycb() to register docallback(callback::ref) in the event queue.

      ========Bear in mind, the return value of wrap() is callback::ref=========

      Here is a graphical expression of this mechanism:
      The usages of a callback (callback::ref):
        (1). it can be passed into a callback function like docallback as its parameter and be invoked in that callback function as cb();
        (2). it can be registered by an underlying mechanism like delaycb.
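To make the nesting visible without sfslite, here is an added example in plain C (not sfslite code and not from the tutorial): a callback is a function pointer plus the one argument captured at wrap time, wrap0/wrap1 stand in for the two wrap() forms, invoke stands in for cb(), and a tiny queue stands in for delaycb and the event loop. An integer trace records the order in which the two tutorial functions run; all names are mine.

```c
#include <stdio.h>

/* A bound callback: the wrapped function plus the argument captured at wrap() time.
   sfslite's callback::ref is a templated reference-counted object; this is a plain C
   stand-in with one fixed signature. */
typedef struct callback callback;
struct callback {
    void (*fn)(callback *bound_arg, int *trace);
    callback *bound_arg;          /* NULL when wrap() was given no extra argument */
};

/* wrap(f): a callback with no bound argument */
callback wrap0(void (*fn)(callback *, int *))
{
    callback cb = { fn, NULL };
    return cb;
}

/* wrap(f, arg): a callback with one bound callback argument */
callback wrap1(void (*fn)(callback *, int *), callback *arg)
{
    callback cb = { fn, arg };
    return cb;
}

/* Invoking a callback: what sfslite spells cb(). */
void invoke(callback *cb, int *trace)
{
    cb->fn(cb->bound_arg, trace);
}

/* The two functions of the tutorial. hello() ignores its (absent) argument;
   docallback() receives wrap(hello) and invokes it. Each step appends its id
   to the trace as a decimal digit, so "docallback then hello" reads 12. */
void hello(callback *unused, int *trace)
{
    (void)unused;
    *trace = *trace * 10 + 2;
}

void docallback(callback *cb, int *trace)
{
    *trace = *trace * 10 + 1;     /* docallback runs first ... */
    invoke(cb, trace);            /* ... then calls the callback it was handed */
}

/* A minimal event queue standing in for delaycb(): register now, run later. */
#define MAX_EVENTS 8
static callback *queue[MAX_EVENTS];
static int queue_len;

int delaycb(callback *cb)
{
    if (queue_len >= MAX_EVENTS)
        return -1;
    queue[queue_len++] = cb;
    return 0;
}

/* Run every registered callback in order; returns how many ran. */
int run_queue(int *trace)
{
    int i, ran = queue_len;
    for (i = 0; i < queue_len; i++)
        invoke(queue[i], trace);
    queue_len = 0;
    return ran;
}

/* delaycb(wrap(docallback, wrap(hello))) followed by the event loop.
   Returns the trace: 12 means docallback ran, then hello ran inside it. */
int demo(void)
{
    int trace = 0;
    callback inner = wrap0(hello);               /* wrap(hello) */
    callback outer = wrap1(docallback, &inner);  /* wrap(docallback, wrap(hello)) */
    if (delaycb(&outer) != 0)
        return -1;
    run_queue(&trace);
    return trace;
}

int main(void)
{
    printf("trace = %d\n", demo());
    return 0;
}
```

The shape matches the two usages listed above: outer is registered with the queue (usage 2), and inner travels inside outer as its bound argument until docallback invokes it (usage 1). The one thing the C version cannot reproduce is lifetime: here inner must outlive the queued event because the queue holds a raw pointer, whereas callback::ref keeps its target alive for as long as any reference exists.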