Older blog entries for Mulad (starting at number 172)

The graph looks so weird now.

Hmm. Very tired. Need to eat something..

Interesting how some scary organizations can sometimes get it right. Well, ``get it right'' is not quite what I'm looking for, since the Taliban is still probably going to try to kill these folks. I dunno.. I just don't think that helping people should involve religion (well, a religious organization helping people who are of the same religion is fine, I guess). Gah.. Why don't I know if President Bush's ideas about Federal funds going to religious organizations went through or not? That was a Really Bad Idea in my book.

Oh well, I don't want to talk too much about that. I know how mentions of religion can cause flare-ups in here..

I was helping our LUG's mailing list dictator set up a default.ida script at his ISP. His server didn't have a compiler, so he couldn't build any new Perl modules. He did have PHP, though, and tried my script. I still haven't heard if any of these scripts for talking back to Code Red II work at all.

I guess I should really try to put one together that starts up Internet Explorer and points it at a page on my system (or probably just a redirect), just so I know if it works or not.

Contemplating how to get the wireless firewall going at work. I'm thinking of supporting two modes of operation.

In `Router' mode, the client system will obtain an IP address through DHCP. This will set up the client to have a default gateway of the firewall. Using IP Tables, all attempts to connect to port 80/tcp will be redirected to port 80 on the firewall. All DNS traffic to port 53 would also be directed to a caching DNS server, so if someone types in `www.yahoo.com', they'll actually get a response. A mini web server running there will only serve HTTP redirects to the secure web server running on port 443. This will present the user with a web page requesting authentication.

I'm still figuring out how to do authentication, but we can either use the local Lotus Notes user IDs, or the campus X.500 directory, both through LDAP (I think). Using the local IDs would only allow people who have e-mail accounts in the School to connect. Using X.500 would allow anyone who has a campus-wide account to get online.

Anyway, the authentication would require a valid username/password, and the request must come from an IP/MAC address combination that was served by the DHCP server. Authenticating would cause the IP/MAC combo to be added to a IP Tables chain, allowing all IP traffic to/from that host.

Nothing would be encrypted, unless it was done at the protocol(?) layer (I need to brush up on that Taco Bell 7-layer model). Therefore, at authentication time, there would be a warning in BIG RED LETTERS that the user is responsible for keeping data secure. We may actually restrict certain traffic to keep people from doing anything stupid, like preventing access to Lotus Notes servers unless data is going over SSL.

Cron jobs would run every 20 minutes or so to flush out the IP Tables entries for hosts that have been idle for a while. They'd probably also try to flag when strange things were happening, like tremendous amounts of traffic flowing to/from certain hosts.
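The Router-mode pieces above (an IP/MAC entry added to an IP Tables chain on authentication, and a cron job that flushes idle entries and flags heavy talkers) worked through as a Python script. This is an added example, not Mulad's firewall code; it assumes a filter-table chain named `authd`, a wireless-side interface `wlan0`, a 20-minute cron interval, and the `iptables -nvx -L` output format, and the chain listing it parses is constructed. Commands are returned as argv lists rather than executed, so the logic can be read and tested without root.

```python
"""Cron-side review of a captive-portal 'authd' iptables chain: revoke idle hosts,
flag traffic bursts. Added example; chain name, interface and commands are assumptions."""
import re

WLAN_IF = 'wlan0'              # assumed wireless-side interface
IDLE_ROUNDS = 3                # three 20-minute runs with unchanged packet count -> revoke
BURST_BYTES = 200 * 1024 ** 2  # more than 200 MiB in one interval -> flag for a human

# Constructed sample of `iptables -nvx -L authd` output: one ACCEPT rule per
# authenticated host, matched on source IP plus MAC (as allow_commands() builds it).
SAMPLE_NOW = """\
Chain authd (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    4210   3113902 ACCEPT     all  --  *      *       10.20.0.11           0.0.0.0/0            MAC 00:02:2D:11:22:33
    9000 262144000 ACCEPT     all  --  *      *       10.20.0.12           0.0.0.0/0            MAC 00:02:2D:44:55:66
      17      1200 ACCEPT     all  --  *      *       10.20.0.13           0.0.0.0/0            MAC 00:02:2D:77:88:99
"""

RULE_RE = re.compile(
    r'^\s*(\d+)\s+(\d+)\s+ACCEPT\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+\S+\s+MAC\s+(\S+)')


def match_args(ip, mac):
    return ['-s', ip, '-m', 'mac', '--mac-source', mac]


def allow_commands(ip, mac):
    """Rules to run once a user has authenticated from this IP/MAC pair.
    The nat-table ACCEPT must come first: without it the host's port-80 traffic
    would keep being redirected to the portal after authentication."""
    return [
        ['iptables', '-t', 'nat', '-I', 'PREROUTING', '-i', WLAN_IF] + match_args(ip, mac) + ['-j', 'ACCEPT'],
        ['iptables', '-A', 'authd'] + match_args(ip, mac) + ['-j', 'ACCEPT'],
    ]


def revoke_commands(ip, mac):
    """Exact inverse of allow_commands(); -D needs the same match spec."""
    return [
        ['iptables', '-t', 'nat', '-D', 'PREROUTING', '-i', WLAN_IF] + match_args(ip, mac) + ['-j', 'ACCEPT'],
        ['iptables', '-D', 'authd'] + match_args(ip, mac) + ['-j', 'ACCEPT'],
    ]


def parse_chain(text):
    """Map (ip, mac) -> (packets, bytes) from `iptables -nvx -L authd` output
    (-x gives exact counters instead of abbreviated K/M values)."""
    counters = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            pkts, nbytes, ip, mac = m.groups()
            counters[(ip, mac.lower())] = (int(pkts), int(nbytes))
    return counters


def review(now, previous, idle_rounds):
    """Compare this run's counters with the snapshot saved by the previous run.
    Returns (commands to run, hosts to flag, idle-round state to save)."""
    commands, flagged, new_idle = [], [], {}
    for key, (pkts, nbytes) in now.items():
        if key not in previous:
            new_idle[key] = 0          # newly authenticated; judged from the next run on
            continue
        old_pkts, old_bytes = previous[key]
        # A frozen packet counter means the host sent nothing through the chain.
        rounds = idle_rounds.get(key, 0) + 1 if pkts == old_pkts else 0
        if nbytes - old_bytes > BURST_BYTES:
            flagged.append(key)        # "tremendous amounts of traffic": tell a human
        if rounds >= IDLE_ROUNDS:
            commands.extend(revoke_commands(*key))   # idle for an hour: drop the entry
        else:
            new_idle[key] = rounds
    return commands, flagged, new_idle


if __name__ == '__main__':
    # Constructed previous snapshot: .11 unchanged for the third time, .12 burst, .13 new.
    prev = {('10.20.0.11', '00:02:2d:11:22:33'): (4210, 3113902),
            ('10.20.0.12', '00:02:2d:44:55:66'): (100, 1000)}
    cmds, flagged, idle = review(parse_chain(SAMPLE_NOW), prev,
                                 {('10.20.0.11', '00:02:2d:11:22:33'): 2})
    for argv in cmds:
        print(' '.join(argv))
    print('flag:', flagged, 'idle state:', idle)
```

In a real cron job the previous snapshot and idle state would be persisted between runs (a JSON file is enough) and the returned argv lists handed to `subprocess.run`. Two points worth keeping in mind from the design: the IP/MAC pair only ties a session to whatever addresses the client presents, so it is a session handle rather than an identity check, which is why the big red warning about unencrypted traffic matters; and the packet counter, not the byte counter, is the right idleness signal, since a host can be quiet for an hour yet still show a large cumulative byte total.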

In `Secure Gateway' mode, the clients would authenticate somehow (RADIUS?) and get a single-hop VPN tunnel set up. If I'm not mistaken, this requires two IP addresses per client box, which is really annoying.

Still working out how that would all work.

10 Aug 2001 (updated 10 Aug 2001 at 20:28 UTC) »

Strange that the default.ida PHP responder script I put up yesterday only works against Code Red II. Something about the way Code Red (I) works causes Apache to return a `400 Bad Request' error, so the script doesn't even get run against those hosts. Code Red II handles its HTTP connections differently and allows the script to be run.

Went to the campus net-people meeting yesterday. Always interesting. The first bit was obviously on Code Red. Considering the size of the U of MN, things have gone very well. They said they'd responded to about 40 incidents (probably more infections than that, if it hit a lab or something). Very small for a campus of 40,000+ people (well, when school is in session). They were very aggressive about scanning for vulnerabilities when Code Red first popped up, and I think they had been looking for systems with the IDA vulnerability even before then.

Of course, I have no idea how things would have been if school was in session and students had their systems in the reshalls. Of course, the networking folks probably would have blocked port 80 to the dorms starting near the end of June.

Anyway, heard that the state of South Dakota went offline over the weekend due to Code Red II. Not sure if that means the entire actual state, or just state-run agencies like the universities, etc. -- the State of South Dakota.

Real-Time, the ISP that hosts the TCLUG website, was forced to block access to port 80 to most of their dialup, DSL, etc., customers. Their routers' CPUs were pegged at 100%, so they had to do it to save the infrastructure. They did notify their customers about what was going on, though.

I'm not weird for being worried about these worms! I think lots of routers were probably not designed to handle the heavy many-to-many traffic, instead tested for few-to-many or many-to-few.

Later

Hmm.. My thought processes are apparently cutting off in mid-sentence now..

Anyway, migrated our Netsaint/MRTG box from a P200/32MB to a PIII-600/256MB. Got a SCSI drive in the process, and we're ordering another processor. Of course, now that we have more horsepower, we'll be able to scan more systems -- the Novell and Windows systems. It also now has a 100Mbit ethernet card, so I think we'll have to enable 100Mbit speed on the etherjack soon.

8 Aug 2001 (updated 8 Aug 2001 at 18:27 UTC) »

Yay! I got IPv6 routing going. Turned out that I just needed to add a route to 2000::/3 with `ip route add 2000::/3 dev sit1'.

Now I think I'm off to take a shower to see if I can wake up before 9:00..

Later

Installed Debian on a PPro 200. I think that machine is one of only two or three PPros I've ever touched. Rare beasts.

Anyway, it took very little time to install the stuff I needed, since it's just going to be a webserver. Right now, I think the Java development environments on there take up about half the used disk space ;-) I was contemplating using mod_dav, but I'm not sure how to use/secure it yet.

Installed Jakarta Tomcat on the system, and it seems to actually work with Blackdown's 1.3.1 Java 2 environment. Need to find where I'm supposed to put the files so I can actually test it.

7 Aug 2001 (updated 7 Aug 2001 at 19:32 UTC) »

I think I'm done watching my own logs for Code Red. I now have a script to do that for me ;-)

I'm not getting hit much by CRII, but my family's cable modem is getting hit once every few minutes, for a total now of nearly 2000. I read that CRII has a cutoff date: Oct. 1, 2002.

*sigh*

I need something in my life to change. I feel motivated for a few days, or maybe a few weeks, then I just start to drone on.

Later

Following is the policy for standardizing URLs. The purpose of standardizing our URLs is to create a logical URL system so the user can easily find the site they are seeking.

The Carlson School URL is www.CarlsonSchool.umn.edu The standard URL style for programs/departments/etc. is www.CarlsonSchool.umn.edu/xyz [or www.xyz.CarlsonSchool.umn.edu]

[snip]

Under no circumstance should Carlson School be abbreviated as csom or shortened to Carlson.

Dinks.. I like `csom.umn.edu' just the way it is..

Heh.. Google rocks

6 Aug 2001 (updated 7 Aug 2001 at 01:27 UTC) »

127 through the first 5 days (GMT)

expr $(cat /var/log/apache/access.log*|grep -c default.ida) - 127
20

Hmm.. Seems to be around 1/hour. Slowly getting more and more CodeRedII scans. Like I said before, I think it would have been better if a newer variant had just shut down IIS..
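The `expr ... - 127` one-liners above and the log-watching script mentioned in the 7 Aug entry are not on the page, so here is an added Python version (not Mulad's script) that does the same counting but also splits the hits by variant, hour and source. It assumes Apache common log format and tells the two worms apart by the filler character in the `default.ida` query string (Code Red v1 pads with `N`, Code Red II with `X`); the log lines it scans are constructed, with the shellcode tail abbreviated.

```python
"""Count Code Red / Code Red II probes in an Apache access log, per variant, hour and source.
Added example; the log lines below are constructed and the shellcode tail is shortened."""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
24.12.34.56 - - [06/Aug/2001:14:03:11 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 318
206.1.2.3 - - [06/Aug/2001:14:47:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 221
24.99.1.7 - - [06/Aug/2001:15:12:40 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 318
128.101.5.9 - - [06/Aug/2001:15:55:01 +0000] "GET /index.html HTTP/1.0" 200 2713
24.12.34.56 - - [06/Aug/2001:16:30:19 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 318
this line is not a log entry at all
24.12.34.56 - - [06/Aug/2001:17:01:00 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 221
"""

# Common log format: host ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$')
VARIANT_RE = re.compile(r'GET /default\.ida\?([NX])')


def classify(request):
    """Return 'CodeRed', 'CodeRedII' or None for one request line."""
    m = VARIANT_RE.search(request)
    if not m:
        return None
    return 'CodeRed' if m.group(1) == 'N' else 'CodeRedII'


def scan(lines):
    """Tally probes by variant, by hour bucket and by source address."""
    per_variant, per_hour, per_source = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                  # malformed line: skip it, never crash the cron job
        variant = classify(m['req'])
        if variant is None:
            continue                  # ordinary request, not a probe
        when = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        per_variant[variant] += 1
        per_hour[when.strftime('%Y-%m-%d %H:00')] += 1
        per_source[m['ip']] += 1
    return per_variant, per_hour, per_source


def hourly_rate(per_hour):
    """Average probes per hour over the hours that saw at least one probe."""
    return sum(per_hour.values()) / len(per_hour) if per_hour else 0.0


def report(text):
    per_variant, per_hour, per_source = scan(text.splitlines())
    return {
        'total': sum(per_variant.values()),
        'variants': dict(per_variant),
        'rate_per_hour': hourly_rate(per_hour),
        'top_sources': per_source.most_common(3),
    }


if __name__ == '__main__':
    for key, value in report(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

To run it against a real log, replace `SAMPLE_LOG` with the contents of `/var/log/apache/access.log*`; the variant split is what the 10 Aug entry is getting at, since requests that Apache answers with `400 Bad Request` still land in the access log and are counted here.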

Posted a note regarding setting up IPv6. Got one response so far, which wasn't very clear. One thing was that I apparently need a usagi kernel. I think I'll try other stuff suggested first, as I don't really feel like compiling a new kernel..

I should really find some work to do..

Later

Wow. Some people are getting way more hits from Code Red than I am. Glad I'm not on a cable modem, I guess. Strange how nearly all cable modems are in the 24.x.x.x block. Was that intentional? I live in the 206.blah range, which seems to be spread across a lot of varied stuff, and it appears to be very geographically separated as well.

Sounds like the power company wants people to start turning stuff off. Reminds me that we have the thermostat set pretty low at the apartment. At least one of my roommates likes it cold, which really bothers me. I don't exactly like it hot, but I can't stand it when my fingers start to get chilled... I think we have finally found a spot that works okay for all of us, but it's still cooler than what I'd like to have it run at.

Of course, we're running it lower than we would if we were paying for electricity separately from our rent...

5 Aug 2001 (updated 6 Aug 2001 at 04:17 UTC) »

105 through the first four days (GMT)

expr $(cat /var/log/apache/access.log*|grep -c default.ida) - 105
22

I need to find some other form of entertainment..

Downloaded lxdoom and played it, since Doom apparently rates #1 in games for all time (so far). Unfortunately, it appears that not a whole lot of work has been put into making it work at higher resolutions. It was nearly unplayable at 1024x768 on my 1.3GHz Athlon (and I think it was only scaling the image, not even rendering at that resolution). Reminds me of what it was like on my 386sx/25. The mouse control seemed somewhat screwy too, but maybe it's all due to Xinerama..

Figure I'll put a post up to the LUG and ask if there are any ideas as to what I'm doing wrong with my IPv6 gateway.

Later

Went to Little T's in Uptown for supper tonight. When we were leaving, a few guys commented on my Penguin Computing ``Born to Frag'' t-shirt with Tux holding a rocket launcher from Quake III.

4 Aug 2001 (updated 5 Aug 2001 at 03:34 UTC) »

74 through the first three days (GMT)

expr $(grep -c default.ida /var/log/apache/access.log) - 74
31

Went to the TCLUG meeting today. Pretty good presentation on DNS. At the end, I asked about IPv6 stuff.. I hope there'll eventually be a meeting on that (even half a meeting would be really good).

Went to Annie's afterward for a really good hamburger. I had thought about getting a malt as well, but didn't. Maybe I'll have to drag some people over there again soon.

Had to drop back to a week-old version of Mozilla since recent versions have scrollbars that are only half as wide as they should be. Annoying.

Roommate's rent check arrived today. It's due by the 5th, which is tomorrow (Sunday). Not sure if he'll get stuck with a late fee or not.

Later

Trying to get an IPv6 gateway going with freenet6. Having some trouble. Everything seems to look right, and the other system on the network can properly autodetect my router, but nothing seems to be getting through..
