Author Topic: x86 Down?!  (Read 14646 times)

Offline Furious

  • Hero Member
  • *****
  • Posts: 1833
  • I hate rabbits
    • View Profile
x86 Down?!
« on: December 03, 2006, 11:53:44 am »
What's going on lately?

Quote
[22:19] Mythix85: is x86 down yet?
[22:19] DaVe PwNz JoO: pft
[22:19] DaVe PwNz JoO: it's always down
[22:20] Mythix85: sometimes I think my girlfriend could take advice from the server.
[22:20] Mythix85: and go down more often.
[22:20] DaVe PwNz JoO: LOL

 :P
Quote
[23:04:34] <deadly7[x86]> Newby[x86]
[23:04:35] <deadly7[x86]> YOU ARE AN EMO
[23:04:39] <Newby[x86]> shush it woman

Quote
[17:53:31] InsaneJoey[e2] was banned by x86 (GO EAT A BAG OF FUCK ASSHOLE (randomban)).

Quote from: Ergot
Put it this way Joe... you're on my Buddy List... if there's no one else on and you're the only one, I'd rather talk to myself.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: x86 Down?!
« Reply #1 on: December 03, 2006, 12:13:45 pm »
My ISP's been sketchy.  It's been happening ever since the temperature fell below -10, so maybe the switches just have to adapt to the cold.

Offline Furious

Re: x86 Down?!
« Reply #2 on: December 03, 2006, 12:46:17 pm »
Quote from: iago
My ISP's been sketchy.  It's been happening ever since the temperature fell below -10, so maybe the switches just have to adapt to the cold.

No biggie, I really just wanted to post the quote   :D

Offline CrAz3D

  • Hero Member
  • *****
  • Posts: 10184
    • View Profile
Re: x86 Down?!
« Reply #3 on: December 03, 2006, 04:42:07 pm »
Quote from: iago
My ISP's been sketchy.  It's been happening ever since the temperature fell below -10, so maybe the switches just have to adapt to the cold.

might want to give them a call.

Our temperature activated switch was OFF, they had to come turn it on

Offline iago

Re: x86 Down?!
« Reply #4 on: December 03, 2006, 11:56:02 pm »
I doubt it, since last winter we spent a week at -60.  If anything, it just had to adapt. 


Incidentally, this time (last couple hours) was different.  I think something's wrong with one of my routers, I unhooked everything and hooked it back up and it worked.  That's after lots of wire jiggling and a whole bunch of other troubleshooting.  So I don't really know :/


Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: x86 Down?!
« Reply #5 on: December 04, 2006, 12:05:41 am »
I say someone hosts some forums for those suffering x86 Withdrawals. vL just isn't fun-oriented enough anymore.
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: x86 Down?!
« Reply #6 on: December 04, 2006, 12:09:33 am »
I offered to host a mirror, but iago said it'd be too much work.  Plus, it's been established that he doesn't trust anyone enough with the database contents. :(

Offline AntiVirus

  • Legendary
  • x86
  • Hero Member
  • *****
  • Posts: 2521
  • Best
    • View Profile
Re: x86 Down?!
« Reply #7 on: December 04, 2006, 12:36:11 am »
Quote from: Sidoh
I offered to host a mirror, but iago said it'd be too much work.  Plus, it's been established that he doesn't trust anyone enough with the database contents. :(

He would trust me.  I just don't want to host it! :P
The once grove of splendor,
Aforetime crowned by lilac and lily,
Lay now forevermore slender;
And all winds that liven
Silhouette a lone existence;
A leafless oak grasping at eternity.


"They say that I must learn to kill before I can feel safe, but I rather kill myself then turn into their slave."
- The Rasmus

Offline CrAz3D

Re: x86 Down?!
« Reply #8 on: December 04, 2006, 12:58:21 am »
Quote from: Sidoh
I offered to host a mirror, but iago said it'd be too much work.  Plus, it's been established that he doesn't trust anyone enough with the database contents. :(

Quote from: AntiVirus
He would trust me.

Did you have to earn his trust?


LOL
(Team America reference)

Offline Ersan

  • Full Member
  • ***
  • Posts: 143
  • Hi! I'm new here!
    • View Profile
Re: x86 Down?!
« Reply #9 on: December 04, 2006, 09:34:55 am »
I'll host it if you want, at a real datacenter, and not on gay port 81 either!

Offline Joe

Re: x86 Down?!
« Reply #10 on: December 04, 2006, 11:29:41 am »
Quote from: Sidoh
I offered to host a mirror, but iago said it'd be too much work.  Plus, it's been established that he doesn't trust anyone enough with the database contents. :(

He seems to trust newby, leaving about 100 copies of it laying around on his box. :P


Offline Sidoh

Re: x86 Down?!
« Reply #11 on: December 04, 2006, 11:36:32 am »
Quote from: Joe
He seems to trust newby, leaving about 100 copies of it laying around on his box. :P

I meant an account with access to the sql database, not dumps of the tables (though that's what I make it sound like).  It was an attempt to annoy iago.

Offline iago

Re: x86 Down?!
« Reply #12 on: December 04, 2006, 12:44:41 pm »
Quote from: Ersan
I'll host it if you want, at a real datacenter, and not on gay port 81 either!

Nope, I'm not hosting it anywhere else.

The reason for the different port is two-fold:
- To keep it on the same ip/different server than x86labs.org's site
- To keep out Darkness

Offline Ersan

Re: x86 Down?!
« Reply #13 on: December 04, 2006, 06:39:56 pm »
I don't follow the logic :(

Offline ZeroX

  • Hero Member
  • *****
  • Posts: 1933
  • Pirating Your software since 1998
    • View Profile
    • Crap
Re: x86 Down?!
« Reply #14 on: December 04, 2006, 06:50:02 pm »
Quote from: Ersan
I don't follow the logic :(

Yeah join the club  ???
Zeroforce





Quote
mutsumibear: David's coming over Sunday so we can have mad sex all day.
zxdropoff: lucky you
mutsumibear: :D I know.
mutsumibear: I just pray I don't start my period before then.
zxdropoff: omfg
zxdropoff: stfu
zxdropoff: now please
mutsumibear: HAHA
mutsumibear: I love disturbing you.

Offline Sidoh

Re: x86 Down?!
« Reply #15 on: December 04, 2006, 07:13:44 pm »
Quote from: Ersan
I don't follow the logic :(

He wants to host the forums on the same server that the site is hosted on.  I think it can be mutually agreed upon that we'd rather not let just anyone host it.  Get it now?

Offline Ersan

Re: x86 Down?!
« Reply #16 on: December 04, 2006, 08:05:38 pm »
No, he said the site and forums are hosted on different servers.  Which really isn't necessary.

Even if it were he should do it the right way with directory-mapped load balancing/virtual hosting...
« Last Edit: December 04, 2006, 08:07:11 pm by Ersan »

Offline Sidoh

Re: x86 Down?!
« Reply #17 on: December 04, 2006, 08:06:49 pm »
Quote from: Ersan
No, he said the site and forums are hosted on different servers.  Which really isn't necessary.

They're on the same physical server.  He does it for security reasons.  The setup he has is actually really nice.

Offline Ersan

Re: x86 Down?!
« Reply #18 on: December 04, 2006, 08:07:27 pm »
That makes less than no sense.

Offline Sidoh

Re: x86 Down?!
« Reply #19 on: December 04, 2006, 08:07:53 pm »

Offline Ersan

Re: x86 Down?!
« Reply #20 on: December 04, 2006, 08:27:52 pm »
So as sidoh's explained it to me, iago is using (at least) 3 vmware instances on one computer to host the x86 website.  Apparently VMWare is more secure than the OS itself now?  I wish someone with a clue would justify this (iago?).

Offline Killer360

  • Hero Member
  • *****
  • Posts: 752
    • View Profile
Re: x86 Down?!
« Reply #21 on: December 04, 2006, 09:14:16 pm »
Quote from: iago
My ISP's been sketchy.  It's been happening ever since the temperature fell below -10, so maybe the switches just have to adapt to the cold.

No problems for me.   :D

Edit: I'm also having problems with my router. It just simply doesn't work. It says it's connected and everything, but I can't access anything.  :'(

Restarting the router and shutting down the computer has worked a few times, but it doesn't work anymore. :(
« Last Edit: December 04, 2006, 09:16:37 pm by Killer360 »

Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
Re: x86 Down?!
« Reply #22 on: December 04, 2006, 09:17:47 pm »
Quote from: Ersan
So as sidoh's explained it to me, iago is using (at least) 3 vmware instances on one computer to host the x86 website.  Apparently VMWare is more secure than the OS itself now?  I wish someone with a clue would justify this (iago?).

It's the same idea as having 2 different machines for your web server and say... your dns server.  It's more secure and one going down won't affect the other.  VMWare just makes virtual machines.

Offline Ersan

Re: x86 Down?!
« Reply #23 on: December 04, 2006, 09:21:43 pm »
I know what vmware does, this just seems like a horribly inefficient way to handle things, without any significant security improvements.

I'm working on a managed hosting platform and I'd like to know if there's any legitimate reason to do this.  It seems like a lazy alternative to securing your server.

Quote from: Chavo
It's the same idea as having 2 different machines for your web server and say... your dns server.  It's more secure and one going down won't affect the other.  VMWare just makes virtual machines.

If one goes down, your website can't resolve, or you have no webserver, DNS servers are separate from web servers so that if the web server goes down, dns will still operate for the OTHER domains on the server, as well as for performance and latency.  Security is as simple as operating them in different chroots.  None of this is really relevant because they are all running on the same physical machine.
« Last Edit: December 05, 2006, 12:30:08 am by Ersan »

Offline Chavo

Re: x86 Down?!
« Reply #24 on: December 05, 2006, 12:07:06 am »
the name won't resolve, no (unless there is a backup!  :P) but it is still up.  If it's mission critical it can still be accessed by IP.

You said it's inefficient... more inefficient than what? Separate physical boxes? maybe... but certainly not more cost effective for a low traffic use like ours.  I don't have any experience with managed hosts so I can't make that comparison but it seems like the same idea, just virtualized on the web server level rather than the OS level.  Every host would still go down if the machine somehow managed to get a nasty virus, right?  That wouldn't happen if each site was isolated to its own OS instance.  If he further isolates them by restricting what instances can network with other instances (I'm guessing he uses the Red-Orange-Green model), the chances of one site's problems affecting another's are slim at best.  Probably something worth worrying about when he lets anyone in the clan work on the x86labs site, whereas the forums obviously have material that not everyone in the same group should be privy to.

Offline Ersan

Re: x86 Down?!
« Reply #25 on: December 05, 2006, 12:19:15 am »
It's 'horribly inefficient' because you're running THREE virtual operating system instances (that don't share resources) for something you can accomplish with one.  More inefficient than pretty much any other configuration you can come up with.

If you know how to set permissions and actually use the OS, you can give everyone in the world a shell account without worrying about them hijacking the web server.  This is why I said it was a 'lazy alternative to securing your server'.  I guess this protects against some sort of virus or exploit, but who's to say someone can't exploit VMWare as well, and access the other virtual servers on the same physical system?

Offline iago

Re: x86 Down?!
« Reply #26 on: December 05, 2006, 10:11:31 am »
- I give people (basically, any x86 member who wants it) access to x86labs.org's main server
- I don't give people access to x86labs.org:81's forum server
- I give restricted database access to many servers (including my laptop, the forum, the main server, and others that you don't especially need to know about)

Does that clear it up? 

In addition, the VMWare server also acts as a firewall.  The virtual servers are set up as a DMZ and my actual network is set up as a Trusted LAN.  Every incoming connection goes to the DMZ, no incoming connections can ever get to the Trusted LAN.  Within the DMZ, I have a decently set up network, with a database server, a couple web servers, and testing servers.  If I could run a DNS, I'd have a DNS server in there too.  So in addition to everything else, this lets me learn about setting up a network. 

In terms of speed, there's no noticeable loss.  Every server feels like it's the only one on the box while using it, except when they all boot at the same time.  I run ~7 or 8 servers at the same time, and it's rare for one of them to use a significant amount of CPU/RAM more than 1% of the time, so they get along nicely.  VMWare is quite good at freeing up resources when a system isn't using them.

Also, I'm not a hosting company, I'm a guy with a properly-configured home network. 

Offline Chavo

Re: x86 Down?!
« Reply #27 on: December 05, 2006, 10:19:07 am »
Quote from: Ersan
It's 'horribly inefficient' because you're running THREE virtual operating system instances (that don't share resources) for something you can accomplish with one.  More inefficient than pretty much any other configuration you can come up with.

If you know how to set permissions and actually use the OS, you can give everyone in the world a shell account without worrying about them hijacking the web server.  This is why I said it was a 'lazy alternative to securing your server'.  I guess this protects against some sort of virus or exploit, but who's to say someone can't exploit VMWare as well, and access the other virtual servers on the same physical system?

I think you missed the part of my post about cost effectiveness and networking security ;)  You're arguing the part of my post that most agrees with you clown.

Offline Ersan

Re: x86 Down?!
« Reply #28 on: December 05, 2006, 11:57:30 am »
I'm not satisfied, you can do what you want but I'd like to stress to anyone interested that this setup is a horrible and inefficient way to run a website, don't use it in any production application ever.

And if for some reason you do decide to use virtual machines in a production environment, do NOT use vmware, use virtuozzo or something similar.
« Last Edit: December 05, 2006, 12:01:04 pm by Ersan »

Offline Sidoh

Re: x86 Down?!
« Reply #29 on: December 05, 2006, 12:39:21 pm »
Oh shut up.  Go whine elsewhere.  Just because there's a more efficient way to do something doesn't necessarily make it exceedingly better or even a better choice at all.  It may be more efficient to run everything on the same server without virtual machines, but that isn't what iago's trying to accomplish.  He's wanting to separate the server roles without buying more than one server.

If the site or the forums get hacked, it's unlikely that any of the other servers will be touched or even known about.

I totally agree that virtualizing server roles would be a terrible idea if the server had any sort of high traffic, but that isn't the case.  We have a few thousand posts a month, which doesn't allot to much usage.  Like he said, he's not trying to run a hosting company.  I think nearly everyone here is aware of the downfalls of this, but it seems that you're the only one that isn't embracing the benefits.

Now, until you're able to prove the cost effectiveness, security, speed, reliability and disaster potential of running all of these servers on the same machine with no virtualizing is noticeably better, I suggest you drop it.
« Last Edit: December 05, 2006, 12:49:37 pm by Sidoh »

Offline iago

Re: x86 Down?!
« Reply #30 on: December 05, 2006, 02:38:37 pm »
Quote from: Ersan
I'm not satisfied, you can do what you want but I'd like to stress to anyone interested that this setup is a horrible and inefficient way to run a website, don't use it in any production application ever.

And if for some reason you do decide to use virtual machines in a production environment, do NOT use vmware, use virtuozzo or something similar.

Yeah, all these "DMZs" and stuff is just crazy.  What the hell were those security guys thinking when they explained the proper way to set up a firewall, anyways?  Obviously you know way more than years of security researchers. 

I know of many places where VMWare is used for hosting, the most important place being the Government of Manitoba's hosting centre.  It's used for security and separation of privilege.  And believe me, they wouldn't have spent $30,000 on virtualizing their environment for fun, getting the funding for it took over a year of research and testing (done by my peers).  But I'm sure you know more than they do.

Offline Ersan

Re: x86 Down?!
« Reply #31 on: December 05, 2006, 02:40:22 pm »
I'd love to, but posting benchmarks of vmware is against the law, and every benchmark I've read about has been pulled under legal threats.  The overhead for vmware esx (I hope to god he's using esx) compared to virtuozzo and similar programs is notable at the least, anyone who's used both can tell you that...  Get some (any?) experience in this matter and then post your oh-so-valuable opinions...

Regardless of all this virtualization nonsense and back to the original point, he shouldn't be running the forum webserver on a different port, he should be load balancing/redirecting the traffic after it enters his network.

I don't even know or care where manitoba is on the globe much less how they run their network.

All I am concerned about is how this website is hosted, you can run your network however you want, I could care less.  I didn't say anything about not using a firewall, VMWare definitely isn't the only firewall out there...  Also, my post was strictly pertaining to web hosting, sorry I didn't mention that.
« Last Edit: December 05, 2006, 02:46:40 pm by Ersan »

Offline iago

Re: x86 Down?!
« Reply #32 on: December 05, 2006, 02:45:25 pm »
Quote from: Ersan
I'd love to, but posting benchmarks of vmware is against the law,

Where's it say that?

Quote from: Ersan
The overhead for vmware esx (I hope to god he's using esx)

Why would I use an old, unsupported version?  I use "VMWare Server", which is the current version that deprecated ESX.

Quote from: Ersan
Regardless of all this virtualization nonsense and back to the original point, he shouldn't be running the forum webserver on a different port, he should be load balancing/redirecting the traffic after it enters his network.

How do you suggest I multiplex the traffic at the network level with a single IP?

Quote from: Ersan
I don't even know or care where manitoba is on the globe much less how they run their network.

You're obviously an idiot.  You shouldn't be proud of your ignorance. 

Offline Furious

Re: x86 Down?!
« Reply #33 on: December 05, 2006, 02:45:44 pm »
Quote from: Ersan
I'd love to, but posting benchmarks of vmware is against the law, and every benchmark I've read about has been pulled under legal threats.  The overhead for vmware esx (I hope to god he's using esx) compared to virtuozzo and similar programs is notable at the least, anyone who's used both can tell you that...  Get some (any?) experience in this matter and then post your oh-so-valuable opinions...

Regardless of all this virtualization nonsense and back to the original point, he shouldn't be running the forum webserver on a different port, he should be load balancing/redirecting the traffic after it enters his network.

I don't even know or care where manitoba is on the globe much less how they run their network.

It's in Canada der.

Offline Ersan

Re: x86 Down?!
« Reply #34 on: December 05, 2006, 02:54:16 pm »
http://www.run-virtual.com/?p=123

Quote from: iago
How do you suggest I multiplex the traffic at the network level with a single IP?

virtual hosting, xml-rpc, load balancing, policy routing, transparent proxy, use your brain...
« Last Edit: December 05, 2006, 02:57:27 pm by Ersan »

Offline Chavo

Re: x86 Down?!
« Reply #35 on: December 05, 2006, 04:28:53 pm »
Quote from: Ersan
Also, my post was strictly pertaining to web hosting, sorry I didn't mention that.

That's not even a fair restriction.  iago isn't using VMWare primarily as a web hosting solution...

Quote from: Ersan
http://www.run-virtual.com/?p=123
Here is the section that refers to in the current EULA of VMWare Server:

Quote
3.3   Restrictions.  You may not (i) sell, lease, license, sublicense, distribute or otherwise transfer in whole or in part the Software or the Software License Key to another party; (ii) provide, disclose, divulge or make available to, or permit use of the Software in whole or in part by, any third party (except Designated Administrative Access) without VMware’s prior written consent; or (iii) modify or create derivative works based upon the Software.  Except to the extent expressly permitted by applicable law, and to the extent that VMware is not permitted by that applicable law to exclude or limit the following rights, you may not decompile, disassemble, reverse engineer, or otherwise attempt to derive source code from the Software, in whole or in part.   You may use the Software to conduct internal performance testing and benchmarking studies, the results of which you (and not unauthorized third parties) may publish or publicly disseminate; provided that VMware has reviewed and approved of the methodology, assumptions and other parameters of the study.  Please contact VMware at benchmark@vmware.com to request such review.
Seems pretty obvious that it is ok as long as you use standard benchmarking techniques. You linking us to an authorized review is not the same as you (an unauthorized 3rd party) disseminating benchmark results that you did not personally test.
« Last Edit: December 05, 2006, 04:32:05 pm by unTactical »

Offline iago

Re: x86 Down?!
« Reply #36 on: December 05, 2006, 06:14:56 pm »
Quote from: Ersan
http://www.run-virtual.com/?p=123

Quote from: iago
How do you suggest I multiplex the traffic at the network level with a single IP?

Quote from: Ersan
virtual hosting, xml-rpc, load balancing, policy routing, transparent proxy, use your brain...

Virtual hosting lets you host more than one site on the same machine.  That's not what I want to do,  I want them to be actually separated.

Could you explain how xml-rpc, load balancing, policy routing, and a transparent proxy will help me logically separate machines? They all sound to me like buzz-words that aren't going to solve my problem. 

I do do policy routing: port 80 = website, port 81 = forum.  What do you suggest?

Using my brain ... no, that's right out.

Offline Ersan

Re: x86 Down?!
« Reply #37 on: December 05, 2006, 07:28:10 pm »
Transparent proxying is what most people would use in this situation, because it is the simplest.

You can use virtual hosting to forward requests to a different physical machine, running the same http server, in lighttpd you can even use directories for it (pcre), I believe apache is restricted to FQDN's (HTTP_HOST header), so it will work if you want to use forums.x86labs.org

XML-RPC will let you use a script to connect to another machine on the internal network and request data in the form of XML (i.e. the chunk of html that composes this page), this is only useful if you know PHP quite well.

Load Balancing is a term that pretty much encompasses all of these methods, as well as several I have not named.

Policy-based routing (and traffic shaping) can be a lot more complicated than just "this port goes here", we use it to examine mime headers and redirect traffic for certain file types, as well as requests with certain data in them, and direct outbound traffic to a specific interface.  We use pfSense for this, but I'm guessing that your router isn't that advanced and you have no plans to replace it.

As for transparent proxying: http://wiki.squid-cache.org/SquidFaq/ReverseProxy says it better than I can.

Quote from: Chavo
Here is the section that refers to in the current EULA of VMWare Server:

Yes, the article I posted summarizes this.  Prior to June of 2006 posting benchmarks at all was a violation of the EULA, now VMWare gets to censor benchmarks that aren't in their favor?  I fail to see how this is any better?  I couldn't find any authorized benchmarks, if you do let me know.
« Last Edit: December 05, 2006, 10:29:15 pm by Ersan »

Offline iago

Re: x86 Down?!
« Reply #38 on: December 05, 2006, 10:20:12 pm »
I looked, and couldn't find a way to forward different virtual hosts to different systems on the network.  If you can figure out how to do that, then I have no problem running them on the same port. 

XML-RPC isn't at all what I'm trying to do.  But thanks for explaining XML to me, these new-fangled technologies are so difficult. 

From what I understand, load balancing is a network setup which ensures that different servers (mirrors) have similar loads by dividing requests between them.  I don't think that's got anything to do with anything.  But thanks for not listing others, you might have got poor ol' me all confused.

And you're right, my router isn't very advanced.  It's only worth about $1000.   I suppose you weren't reading it when I told you that my VMWare server also routes traffic?  I set up IPTables on it (I posted the script I wrote from scratch on the forum somewhere), which can do anything you're suggesting.  But I'd rather avoid having my firewall make decisions based on layer-7 data, I suppose you also missed it when I asked for a way to do it at the network layers. 
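
The layout iago describes across this thread (one public IP, port 80 forwarded to the website VM and port 81 to the forum VM, every inbound connection ending in the DMZ, nothing inbound reaching the Trusted LAN), written out as an iptables-restore ruleset with a small audit of that property. This is an added example, not part of the original posts and not iago's script; the interface names, addresses, the SSH-from-LAN rule and the helper names gen_ruleset and audit_ruleset are assumptions.

```shell
#!/bin/sh
# Constructed topology (assumptions; the thread gives no interface names or addresses).
WAN_IF=eth0             # interface holding the single public IP
DMZ_IF=vmnet1           # virtual network the server VMs sit on
LAN_IF=eth1             # trusted LAN
DMZ_PREFIX=192.168.50.  # DMZ subnet prefix
# public_port:backend_ip:backend_port (80 = website VM, 81 = forum VM, as in the thread)
PORT_MAP="80:192.168.50.10:80 81:192.168.50.11:80"

# Emit the ruleset in iptables-restore format; nothing is applied to the kernel here.
gen_ruleset() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    for entry in $PORT_MAP; do
        pub=${entry%%:*}; backend=${entry#*:}
        printf '%s\n' "-A PREROUTING -i $WAN_IF -p tcp --dport $pub -j DNAT --to-destination $backend"
    done
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -j MASQUERADE" 'COMMIT'
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for entry in $PORT_MAP; do
        backend=${entry#*:}; ip=${backend%%:*}; bport=${backend#*:}
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $ip --dport $bport -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
-A FORWARD -i $LAN_IF -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ->LAN blocked: "
COMMIT
EOF
}

# Read a ruleset on stdin; fail if the internet or the DMZ could open a connection into the LAN.
audit_ruleset() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' ||
        { echo "FORWARD policy is not DROP" >&2; return 1; }
    while IFS= read -r line; do
        case $line in
            "-A FORWARD "*"-j ACCEPT") ;;           # only ACCEPT rules matter here
            *) continue ;;
        esac
        case $line in
            *"--ctstate ESTABLISHED,RELATED "*) ;;  # replies to existing flows only
            *"-i $LAN_IF "*) ;;                     # the trusted side may initiate
            *"-o $LAN_IF "*) echo "admits traffic into LAN: $line" >&2; return 1 ;;
            *"-o "*) ;;                             # explicitly bound for DMZ or WAN
            *) echo "no -o given, could reach LAN: $line" >&2; return 1 ;;
        esac
    done <<EOF
$rules
EOF
    # Every port-forward must land inside the DMZ, never on a LAN host.
    for ip in $(printf '%s\n' "$rules" | sed -n 's/.*--to-destination \([0-9.]*\):.*/\1/p'); do
        case $ip in
            "$DMZ_PREFIX"*) ;;
            *) echo "DNAT target $ip is outside the DMZ" >&2; return 1 ;;
        esac
    done
    return 0
}

# Print the ruleset, then audit it (result on stderr).
# To syntax-check on a Linux host without applying: gen_ruleset | iptables-restore --test
gen_ruleset
gen_ruleset | audit_ruleset && echo "# audit passed" >&2
```

The audit is a text check on rule lines, so it catches an explicit ACCEPT towards the LAN or a forward that names no output interface, not every way a ruleset can be wrong.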

Offline Ersan

Re: x86 Down?!
« Reply #39 on: December 05, 2006, 10:59:03 pm »
You said nothing of using VMWare as a router, you said it was a firewall.  And no, any $1000 router isn't sufficient, advanced policy-based routing features that will do what you want are found in more expensive routers like the M/T series from juniper and cost $2400 or more.

You obviously don't know how XML-RPC works or you would understand that it can do what I'm suggesting.

Quote
From what I understand, load balancing is a network setup which ensures that different servers (mirrors) have similar loads by dividing requests between them.

Then you have a very rudimentary understanding of how network load balancing works, while that may be the primary implementation of it, load balancing applications route traffic, which is what you're trying to accomplish, so generic load balancing techniques can be applied to this situation.  There isn't anything designed specifically to route a directory of a website to a different web server because that's pretty idiotic to begin with.

Use squid like I said, since you still insist on using multiple virtual servers, it's even more efficient than network-level routing because it dynamically caches content.

Quote
I suppose you also missed it when I asked for a way to do it at the network layers.

Better policy routing.
« Last Edit: December 06, 2006, 12:55:06 am by Ersan »

Offline Sidoh

Re: x86 Down?!
« Reply #40 on: December 05, 2006, 11:19:03 pm »
He's not setting up a server to sell off to clients.  It serves a single website.  I think his router setup is past sufficient.

Stop being condescending because you know of an alternative way to do something.

Offline Ersan

Re: x86 Down?!
« Reply #41 on: December 05, 2006, 11:32:42 pm »
Yes, it serves a single website, and it takes 3 virtual servers to do so.

I really don't care how you guys host this site, you can make it as inefficient/insecure as you want.  Some people like to keep an open mind, and I don't want anyone new thinking this is the best way to do things, or even a good way.  I think I've made my point and I'm done with this thread, iago you can IM me if you want.

Sorry for being condescending/pompous/whatever, it's been a bad week.  I'll make an effort to be nicer in the future.
« Last Edit: December 06, 2006, 12:28:32 am by Ersan »

Offline Furious

Re: x86 Down?!
« Reply #42 on: December 06, 2006, 12:32:28 am »
It's just a discussion - stop taking it to heart.

Offline iago

Re: x86 Down?!
« Reply #43 on: December 06, 2006, 09:25:04 am »
Quote
You said nothing of using VMWare as a router, you said it was a firewall.  And no, any $1000 router isn't sufficient, advanced policy-based routing features that will do what you want are found in more expensive routers like the M/T series from Juniper and cost $2400 or more.
It actually does both, a properly configured firewall does route traffic.  And incidentally, a $2400 router is essentially a pretty interface over pretty much the same thing I'm using.

Quote
You obviously don't know how XML-RPC works or you would understand that it can do what I'm suggesting.
I did a project on it in my last year of University, but I still don't see how it'll solve my problem, unless I want to write a script on the first computer that queries the second computer.  In which case, I don't even need XML-RPC, I can just do it by downloading the remote site and displaying it.  And I considered doing it that way, but it wouldn't work out for things like images, so I decided against it.

Quote
Then you have a very rudimentary understanding of how network load balancing works, while that may be the primary implementation of it, load balancing applications route traffic, which is what you're trying to accomplish, so generic load balancing techniques can be applied to this situation.  There isn't anything designed specifically to route a directory of a website to a different web server because that's pretty idiotic to begin with.
They don't really route traffic, they divvy it up.  If you are making rules for certain applications/ports to be load-balanced to different places, then you aren't load balancing, you're routing.  And I don't care whether it's the directory or a subdomain, both work fine.

Quote
Use squid like I said, since you still insist on using multiple virtual servers, it's even more efficient than network-level routing because it dynamically caches content.
Why would I want the forum cached?  And I still don't think using a proxy makes sense.

Quote
I suppose you also missed it when I asked for a way to do it at the network layers.
Better policy routing.
All right, it looks like you know what you're doing here, so maybe you can explain this to me.  I have two different subdomains on x86labs.org, forum and www.  They run on the same port, 80, on different computers on my internal network.  The user sends a packet remotely, which arrives at my router.  It goes through some chains, eventually getting to the "prerouting" chain in the "nat" table, which is where the routing decision is made.  At the moment, I make the decisions like this:
Code:
        # $protoport is a "protocol/port" key, e.g. "tcp/80"
        if($protoport =~ m/^([a-zA-Z]+)\/([0-9]*)$/)
        {
            my $protocol = $1;
            my $port = $2;

            # Internal (DMZ) address this protocol/port is forwarded to
            my $ip = $DMZ_ALLOWED_INCOMING{$protoport};

            print "  -> NATing external port '$port' on '$protocol' to DMZ ip '$ip'\n";
            # First rule logs the packet (via $LOG), second rewrites its destination to the DMZ host
            `$IPTABLES -t nat -A PREROUTING -p $protocol $FROM_INET --dport $port $LOG forwarded: `;
            `$IPTABLES -t nat -A PREROUTING -p $protocol $FROM_INET --dport $port -j DNAT --to-destination $ip`;
        }
As you can see, I'm identifying it by protocol and port, then making the routing decision (for my current set of firewall rules, written 100% by me, see rc.firewall).  Now, without layer-7 inspection, which I don't think can identify different domains anyways, how would you suggest I make the routing decision? 

Even in a general case: you're running some routing software, and those two sites are set up: what do you check to make the routing decision? 

Offline iago

Re: x86 Down?!
« Reply #44 on: December 06, 2006, 09:29:28 am »
Quote
Yes, it serves a single website, and it takes 3 virtual servers to do so.
It only takes one special-purpose server: the forum.  I use the database server for other systems (like personal projects on my laptop), and I use the web server for other web sites.

Quote
I really don't care how you guys host this site, you can make it as inefficient/insecure as you want.
You're an idiot.

Like I said, none of my Linux systems use the CPU more than 5% of the time.  Each one thinks it's running on its own physical machine, and behaves that way.  There's no slow-down, and it's a hell of a lot cheaper than buying your own machines.

And have you ever wondered why databases are servers?  I promise it's not to make things tricky, databases are designed to be run remotely.  In a properly set-up network, the databases for all servers are on one central server.  Why?  For security.

Can you name ONE security flaw with my set up?  And if you were intent on breaking into my Trusted LAN (where the most important stuff is), how would you do it?  Feel free to browse my firewall rules in my last post to figure out how.

Quote
Some people like to keep an open mind, and I don't want anyone new thinking this is the best way to do things, or even a good way.
I'd be more worried if they listened to you.  At least I have a couple years' experience with large-scale networking/security from working in government.

Offline Ersan

Re: x86 Down?!
« Reply #45 on: December 06, 2006, 08:16:07 pm »
I don't know if you can do it without layer7 analysis, you can try -m string.  I don't use iptables.

Trying to discern the HTTP_HOST header before layer7 is probably impossible, which is why it shouldn't be handled at the network level.  You'd probably have to use -m layer7 if you want to use iptables.

As for defending myself, I decided to ask a few people to read this thread, several of them work for savvis, a couple work at softlayer, one at dreamhost, one at akamai (she did make fun of me for not knowing where Manitoba was, though), and one at theplanet (not to mention I myself have more experience dealing with large-scale networks than you, since this is apparently a penis contest now...), all as network technicians, and they all came to the same conclusion, you're the idiot, not me.  Your approach gives no thought whatsoever to performance, and is overly paranoid, but also lacks understanding.  It isn't secure because you have systems on your private LAN and off your private LAN running on the same physical machine, and you trust VMWare implicitly.

Your network is a wonderful playground and all that, and actually can host websites effectively, but not on different servers, even if you had more than one IP it's just dumb.  You run one web server and learn how to chroot and manage permissions, you don't spawn a new virtual machine every time you want to host a new website, it's a waste.  Database servers were meant to be run as servers for scalability and performance by separating them from the same physical machine as the applications using them, not security, they are all capable of using unix sockets too, you know.
« Last Edit: December 07, 2006, 06:38:11 am by Ersan »
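The routing question and the answer above, as an added example that is not part of the thread or of anyone's actual configuration: NAT rules are evaluated on the first packet of a connection, and for two name-based sites behind one address that packet is identical, so the decision can only be made by something that reads the HTTP Host header. The public address, backend addresses and function names are assumptions made for the illustration.

```python
from collections import namedtuple

# Simplified TCP segment: the fields a layer-3/4 rule can match on,
# plus the payload bytes such a rule does not interpret.
Segment = namedtuple("Segment", "proto dst_ip dst_port flags payload")

PUBLIC_IP = "203.0.113.10"  # constructed: one public address shared by both sites

# Hypothetical DMZ addresses for the two name-based sites on port 80.
BACKENDS = {
    "www.x86labs.org": "192.168.2.10",
    "forum.x86labs.org": "192.168.2.11",
}


def connection(host_header):
    """Constructed sample: the SYN and first data segment of one HTTP connection."""
    request = ("GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
               % host_header).encode("ascii")
    return [
        Segment("tcp", PUBLIC_IP, 80, "SYN", b""),
        Segment("tcp", PUBLIC_IP, 80, "PSH,ACK", request),
    ]


def l4_key(segment):
    """Everything a '-p PROTO --dport PORT' match has to decide with."""
    return (segment.proto, segment.dst_ip, segment.dst_port)


def nat_decision_input(conn):
    """The nat table sees only the first packet of a connection: the SYN."""
    first = conn[0]
    return l4_key(first), first.payload


def parse_host(request):
    """Return the normalised Host of an HTTP/1.x request, or None if it is
    missing, duplicated or malformed (ambiguous requests are not routed)."""
    head, sep, _ = request.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block incomplete
    hosts = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, colon, value = line.partition(b":")
        # No whitespace is tolerated between the field name and the colon.
        if colon and name.lower() == b"host":
            hosts.append(value.strip())
    if len(hosts) != 1:
        return None
    try:
        host = hosts[0].decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    if host.startswith("["):
        return None  # IPv6 literal, not one of the site names
    host = host.split(":", 1)[0]  # drop an optional ":port"
    return host.rstrip(".") or None


def route_by_host(request):
    """Application-layer decision: backend address, or None to refuse."""
    return BACKENDS.get(parse_host(request))


if __name__ == "__main__":
    for name in ("www.x86labs.org", "forum.x86labs.org"):
        conn = connection(name)
        print(name, nat_decision_input(conn), "->", route_by_host(conn[1].payload))
```
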

Offline Sidoh

Re: x86 Down?!
« Reply #46 on: December 07, 2006, 05:51:01 am »
How many times has he told you that introducing the structure he's using doesn't affect performance to any noticeable degree?

Offline Ersan

Re: x86 Down?!
« Reply #47 on: December 07, 2006, 05:58:08 am »
Right, running 8 operating systems on one physical system simultaneously doesn't adversely affect performance...  Maybe when pigs fly.

Offline Sidoh

Re: x86 Down?!
« Reply #48 on: December 07, 2006, 06:02:57 am »
Quote
Right, running 8 operating systems on one physical system simultaneously doesn't adversely affect performance...  Maybe when pigs fly.

He's not hosting a high traffic website.  I think he (and others) have mentioned that several times as well.

Offline Ersan

Re: x86 Down?!
« Reply #49 on: December 07, 2006, 06:07:34 am »
Which is why I don't care how he runs it, I just don't want other people running theirs the same way.

Offline iago

Re: x86 Down?!
« Reply #50 on: December 07, 2006, 12:25:29 pm »
Quote
Right, running 8 operating systems on one physical system simultaneously doesn't adversely affect performance...  Maybe when pigs fly.
Let's figure it out.

8 operating systems, each of which use ~50mb of RAM.  I can verify that when I get home, but it's around there.  That's 400mb RAM.  I have 2gb.  That's safe.

Each of the operating systems use, on average, 0% CPU, except when something is going on.  So they might use on average 1% CPU, but probably less than that.  That's 8% CPU usage.

I have seen no adverse effects from it, other than when they all boot up simultaneously.

Offline iago

Re: x86 Down?!
« Reply #51 on: December 07, 2006, 12:29:01 pm »
Quote
As for defending myself, I decided to ask a few people to read this thread, several of them work for savvis, a couple work at softlayer, one at dreamhost, one at akamai (she did make fun of me for not knowing where Manitoba was, though), and one at theplanet (not to mention I myself have more experience dealing with large-scale networks than you, since this is apparently a penis contest now...), all as network technicians, and they all came to the same conclusion, you're the idiot, not me.  Your approach gives no thought whatsoever to performance, and is overly paranoid, but also lacks understanding.  It isn't secure because you have systems on your private LAN and off your private LAN running on the same physical machine, and you trust VMWare implicitly.

Your network is a wonderful playground and all that, and actually can host websites effectively, but not on different servers, even if you had more than one IP it's just dumb.  You run one web server and learn how to chroot and manage permissions, you don't spawn a new virtual machine every time you want to host a new website, it's a waste.  Database servers were meant to be run as servers for scalability and performance by separating them from the same physical machine as the applications using them, not security, they are all capable of using unix sockets too, you know.
You obviously haven't read my reasoning.  And I'd be interested in talking to these people that you invented, they sound interesting.  Are they all out to get you, too?

I lack no understanding.  In fact, I used to run my server exactly how you suggested.  But I wanted to do it differently, for academic reasons and for security reasons.

I should point out that I am NOT doing hosting.  So get that out of your head.

There's no such thing as being too paranoid or too secure, either, as long as it's still usable.  And it is, haven't you noticed?  When have you ever had a problem with server performance (that wasn't caused by network failure)? 

Offline nslay

  • Hero Member
  • *****
  • Posts: 786
  • Giraffe meat, mmm
    • View Profile
Re: x86 Down?!
« Reply #52 on: December 07, 2006, 01:17:11 pm »
I'm not trying to defend Ersan ... I haven't even read the entire thread.  You mentioned that you can never be too secure or too paranoid.  If you believe that, then you most certainly shouldn't be hosting with VMWare, but instead with Linux's sandbox or BSD's jail.  These features are open, whereas VMWare is not. You also most certainly should NOT be using Linux.  You should be using OpenBSD or something like VMS.  OpenBSD has a proactive security auditing policy and a secure programming philosophy that Linux and even FreeBSD lack.  As for VMS, VMS was deemed "unhackable" at Defcon 9 and was asked not to return to future Defcon conferences.  VMS is the type of system a bank might use and one that is most certainly behind lock and key, if not armed guards.  The problem with VMS is you need to get a license and a VAX, Alpha or Itanium machine to run it (you may also use simh).  The hobbyist license is free but you have to join a bunch of communities and such.
Digressing, DEC, who made VMS, were the ones that did significant research in OS design and are responsible for things like SMP.  All these "new" features in Linux, BSD and Windows, such as SMP, VMS had 20 years ago.
To all those Microsoft zealots.  Sure Microsoft hired VMS guys to make NT ... but what they didn't tell you was DEC fired those guys. :)

Links:
http://www.openbsd.org/security.html
http://www.openvms.org/

EDIT:
Corroboration that you should NOT be using Linux.
http://sdf.lonestar.org/index.cgi?faq?MISC?03
Quote
03] HAS SDF EVER BEEN COMPROMISED?

     The first time was in 1991 when a person from France dialed in
     to our machine (then running SystemVr3.2 1.0) and was able to get
     root (administrative) access.  He promptly notified us.

     During our short lived stint of attempting to run SDF under 'linux' on
     IBM compatibles the system was compromised a number of times, but the
     individuals who did it were much more secretive and malicious.  For
     each case users were forced to change their passwords and patched
     software was installed (though this of course introduced other bugs
     that could be found later on)

     After dumping linux and x86 in favour of return to real computers, we
     have not had any major security issues.  We are however, just as vigilant
     to be sure that your account here on SDF is safe and that any security
     issues are resolved quickly before public announcements (cert, et cetera)

     Please NOTE, an administrator will NEVER ask you for your password.
     Anyone impersonating an administrator is BREAKING THE LAW.  You can
     report them to your local authorities if you identify them.

SDF runs NetBSD now.
« Last Edit: December 07, 2006, 01:26:32 pm by nslay »

Offline iago

Re: x86 Down?!
« Reply #53 on: December 07, 2006, 01:39:25 pm »
Well, to answer part of your response: security is relative to the person using a system.  I am much more confident in my ability to administrate Linux and keep it secure than BSD.  I could easily open up a hole in BSD without realizing it, whereas I have a pretty keen understanding about what's going on with Linux.

But you're right -- I don't trust giving people local user accounts on Linux.  I think it's probably quite possible to break out of a user account and gain root.  That's a good argument right there for keeping systems on different virtual machines.

And in terms of VMWare -- I've never heard of an attack that would allow a user to break out of a VMWare session.  It would be a very interesting avenue to research, though, because I bet there's some way.  It'd be at a kernel/driver level, though, so it wouldn't be easy.  I'd be interested in researching that, though.

Offline nslay

Re: x86 Down?!
« Reply #54 on: December 07, 2006, 01:48:50 pm »
As for BSD.  Yeah, you could easily open up a hole in FreeBSD if you're not careful about what ports you install.  Only a month ago I discovered the utility portaudit which checks the package database for vulnerable software ... and that's 2 years after I started using FreeBSD.  Speaking of security, check out this new feature coming in FreeBSD 6.2: Security Event Auditing
http://www.securityfocus.com/columnists/422
It treats logging as a stream that other software can patch into.  It is customizable to the point where you can pinpoint the exact action of the exact user that did something.  Also disallows root to tamper with the logging.

Yeah, I've always wondered how one might detect if an OS is jailed or not :)

Offline Skywing

  • Full Member
  • ***
  • Posts: 139
    • View Profile
    • Nynaeve
Re: x86 Down?!
« Reply #55 on: December 07, 2006, 02:15:11 pm »
Quote
And in terms of VMWare -- I've never heard of an attack that would allow a user to break out of a VMWare session.  It would be a very interesting avenue to research, though, because I bet there's some way.  It'd be at a kernel/driver level, though, so it wouldn't be easy.  I'd be interested in researching that, though.

There has actually been some recent research into timing attacks that utilize the fact that processor resources are shared between high and low privileged components.  Specifically, attacks that allow a low privileged component to divine information about what a high privileged component might be doing (such as parts of a signing key for something like an ssh logon attempt).  You might look at this paper for more about that.  I would imagine that at this point the attack is more theoretical than practical, but the basic idea is that you can use the way that branch taken / branch not taken are cached for speculative execution in order to determine (with some margin of error) whether a program is taking or not taking a particular branch.  The authors of the linked paper used this and some knowledge of how OpenSSL works for performing RSA signing operations (actually, a deliberately modified version of OpenSSL's RSA functions for simplicity, but the basic idea is still applicable) to be able to determine which branches a program that signs a hash with an RSA key takes.  This turns out to be significant, because by counting the taken / not taken branches, you can derive a significant portion of the private key bits used to create the signature.

What this boils down to is a theoretical attack whereby someone who gains low privileged access to a single system (say as a limited user) or a shared system (say a VM on a machine that hosts other VMs or services) could attempt to steal cryptographic keys being used for signatures on processes (or VMs) that the malicious user doesn't have direct access to.  Assuming that these keys could be used to perform a logon to a more privileged system, this could be used to eventually escalate privileges after capturing keys that might be used to perform (or take over an existing session) of, say, a remote logon as root / an administrator.

I don't think that I would use this as a reason to declare using VMs for isolation purposes useless for security.  There are a number of practical barriers that I think would in practice make mounting such an attack successfully against a real life system very difficult.  Nonetheless, there are still theoretically ways to break out of things like VMs where access is controlled by some shared secret, and calculations / checking of that secret is performed using the same resources that an attacker might also be able to utilize for their own computations.
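A model of the leak described in this post, as an added example that is not from the thread or the linked paper: in square-and-multiply exponentiation the multiply runs only when a branch on the secret bit is taken, so the sequence of operations spells out the exponent, while a Montgomery ladder with a branch-free swap runs the same sequence for every exponent of a given length. The modulus 3233 and exponent 2753 are constructed textbook values, and the recorded operation trace stands in for what an observer of branch behaviour would infer.

```python
def modexp_branching(base, exponent, modulus):
    """Left-to-right square-and-multiply.
    Returns (result, trace); trace lists the operations actually executed."""
    result, trace = 1, []
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        trace.append("S")
        if bit == "1":  # secret-dependent branch: taken exactly when the bit is 1
            result = (result * base) % modulus
            trace.append("M")
    return result, "".join(trace)


def bits_from_trace(trace):
    """What the control flow reveals: 'SM' means bit 1, a lone 'S' means bit 0."""
    bits, i = [], 0
    while i < len(trace):
        if trace[i] != "S":
            raise ValueError("not a square-and-multiply trace")
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return "".join(bits)


def modexp_ladder(base, exponent, modulus, nbits):
    """Montgomery ladder over a fixed nbits iterations with a branch-free
    conditional swap, so no branch or operation order depends on the bits."""
    r0, r1, trace = 1, base % modulus, []
    for i in range(nbits - 1, -1, -1):
        mask = -((exponent >> i) & 1)  # 0 for bit 0, all ones for bit 1
        t = (r0 ^ r1) & mask           # swap r0/r1 when the bit is 1
        r0, r1 = r0 ^ t, r1 ^ t
        r1 = (r0 * r1) % modulus
        r0 = (r0 * r0) % modulus
        trace.extend("MS")
        t = (r0 ^ r1) & mask           # swap back
        r0, r1 = r0 ^ t, r1 ^ t
    return r0, "".join(trace)


if __name__ == "__main__":
    n, d, other, m = 3233, 2753, 1234, 65  # constructed toy values
    sig, trace = modexp_branching(m, d, n)
    print("branching trace:", trace)
    print("bits recovered :", bits_from_trace(trace), "exponent:", bin(d)[2:])
    print("ladder traces equal:",
          modexp_ladder(m, d, n, 12)[1] == modexp_ladder(m, other, n, 12)[1])
```

Python's big-integer arithmetic is not constant-time, so this shows the control-flow property only, not a timing-safe implementation.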

Offline iago

Re: x86 Down?!
« Reply #56 on: December 07, 2006, 03:34:37 pm »
I've read a little about timing attacks before (mostly in the book "Silence on the Wire" by Zalewski), and they're a neat concept.  It's difficult enough to do it between processes, but doing it between VMWare sessions would be really tricky. 

I hadn't even considered the possibility of using it to glean information from other virtual machines, though, so thanks for bringing it up. It's not a fatal blow, but it's definitely an interesting case.

Offline Skywing

Re: x86 Down?!
« Reply #57 on: December 07, 2006, 03:47:53 pm »
Quote
I've read a little about timing attacks before (mostly in the book "Silence on the Wire" by Zalewski), and they're a neat concept.  It's difficult enough to do it between processes, but doing it between VMWare sessions would be really tricky.

I hadn't even considered the possibility of using it to glean information from other virtual machines, though, so thanks for bringing it up. It's not a fatal blow, but it's definitely an interesting case.
It should be noted, however, that the attack the paper proposes is significantly more practical than previous attacks (which have typically been based on timing memory latency to detect accesses that were already stored in the L1/L2 caches or have to go out to system memory) in that it has been successfully used to retrieve much more information about the secret key in question.  Although the circumstances described in the paper aren't exactly ordinary operating circumstances, the author managed to retrieve something on the order of 90% or so of the RSA key used for a signing operation in just a single signing operation being observed - orders of magnitude better than previous "side-channel" timing attacks.

Offline iago

Re: x86 Down?!
« Reply #58 on: December 07, 2006, 04:35:50 pm »
Wow, that's impressive.  I'm going to have to read through that paper.