CO NTENTS

NEXT M O NTH
Rapid W e b De ve l
opm e nt
De ve l
oping AJAX Appl ications
@ O3 Al ook atm od_ s e curity
Pos tgre SQL and m uch m ore ..
6 Editorial

8 Eve nts
SECURITY

9 Re port AppO S Se curity 11

AppO S a ne w upcom ing

Ente rpris e Linux dis tribution, ge t
INTERNET a firs tlook atits advance d
s e curity fe ature s .
Googl
e H one ypots 15

AbulAs im M . R. Qars h i l ook s at

W EB TECH
Googl e H ack H one ypots , and
h ow Googl e can re ve al Ligh ttpd Re vie w e d 18
proble m s w ith uns e cure s e rve rs .
M ath e w Burford l ook s at
Ligh ttpd 1.4.7, a l igh tw e igh tw e b
BUSINESS s e rve r w ith a focus on s pe e d,
com pl iance , s e curity and m ore ..
Intro to O pe n Source 23

Jam e s H ol l
ings h e ad provide s a NETW O RK ING
de taile d introduction to O pe n
Source , and tips for h aving a M ul
ti Laye r Sw itch ing 28
pos itive im pacton th e com m unity
Al ook atLISA and m ul til
aye r
s w itch ing fram e w ork s for Linux.
VO IP (Voice ove r IP)
W ifidog Captive Portal 36
O pe n Source Te l
e ph ony 32
Th e Link s ys W RT54G captive
Th e firs tpartin a s e rie s on portal
O pe n Source Te l e ph ony, s tarting
w ith an introduction to As te ris k , Intrus ion De te ction 40
th e be ne fits and m ore ...
Introduction to Snortand IDS.

O 3 M agaz ine /Nove m be r 2005

Page 4
EDITO RIAL
and s o itbe gins ...
RIGH T NO W YO UR CO M PETITO RS ARE PITCH ING LINUX
TO YO UR CUSTO M ERS , W H Y AREN'T YO U ?
BY JO H N BUSW ELL
h ank you for tak ing th e tim e
to re ad th rough our firstis s ue
of O 3 M agazine . O 3 is an
e lectronic publication
de dicate d to ope n s ource Ente rpris e
D ata Ne tw ork ing s olutions . Each
m onth O 3 w il llook atallas pe cts of
e nte rpris e data ne tw ork ing from
ne tw ork leve ls olutions s uch as
firew alls, route rs , s w itch ing to s e rve r
s ide applications s uch as Fre e R adius ,
O pe nLDAP and Apach e .
O ur goalatO 3 is to introduce
Ente rpris e D ata Ne tw ork ing
te ch nol ogie s to s m al land m e dium
s ize d bus ine s s e s , dis cus s ope n
s ource s olutions for providing th os e
te ch nol ogie s and to provide th e
te ch nicalinform ation on h ow to
de pl oy and m aintain th os e s olutions .
O 3 h ow eve r is notjusttarge te d at
s m alland m e dium s ize d bus ine s s ,
th e s olutions w e dis cus s are alre ady
de pl oye d in m ostlarge bus ine s s e s ,
gove rnm e ntage ncie s and
e ducationalinstitutions , not
ne ce s s aril y ope n s ource s olutions
th ough . CIO s , CTO s , IT
m anage m e ntand staff atlarge r
e ntitie s w il lbe ne fitfrom expos ure to
low e r costope n s ource alte rnative s .
I don'tpe rs onall y s e e th e pointof
prom oting ope n s ource s olutions if
you do notus e th e m yours e lf, as
s uch O 3 is de s igne d, deve lope d and
publ is h e d us ing ope n s ource
te ch nol ogy exclus ive l y. Eve ry article
in O 3, incl uding th is e ditorialis
w ritte n in O pe n O ffice
(w w w .ope noffice .org) unde r Linux,
th os e articles are th e n im porte d into
Scribus (w w w .s cribus .org.uk ), w h ile
graph ics artw ork is cre ate d w ith th e
Gim p. Scribus is us e d to exportth e
com plete d publication in PD F form at.
O 3 M agaz ine
Nove m be r 2005
Is s ue 1
EDITO R IN CH IEF
JO H BUSW ELL
N
Each m onth O 3 provide s a round EDITO R @ O 3M AGAZ INE .CO M
up of ope n s ource eve nts , as w e l las
an upcom ing eve ntcalende r, w e h ave EXECUTIVE EDITO R
done our be stto track dow n as m any
JAM ES H O LLINGSH EAD
m ajor eve nts as pos s ible, butif you
JAM ES @ O 3M AGAZ INE .CO M
h ave an eve nt, w h e th e r its a local
LUG m e e ting or a fulls cale trade
s h ow w e w ould lik e to h e ar aboutit. ARTW O RK
O 3 also provide s an “O pe n Source
Re port”, th is is a s h ortround up of JO H N BUSW ELL
inte re sting ope n s ource s oftw are th at
h as be e n re leas e d ove r th e past PRO O F READERS
m onth .
G REG JO RDAN
Each is s ue of O 3 fe ature s Se curity,
Inte rne t, W e b Te ch , Bus ine s s , S H AW N W ILSO N
Ne tw ork ing, VoIP, Ne tw ork FRANK BO YD
Applications and Ne tw ork Se curity S TEW BENEDICT
colum ns . Th is firstis s ue of O 3 is
m ore of an introductory is s ue ,
starting nextm onth (D e ce m be r) e ach SALES AND M ARKETING
is s ue w illh ave a particular th e m e . G REG JO RDAN
For D e ce m be r itis rapid w e b SALES @ O 3M AGAZ INE .CO M
application deve lopm e nt.
W e h ave an exciting line up for
2006, in th e firstq uarte r w e w il lbe SUBSCRIPTIO NS
look ing atLinux on th e zSe rie s O 3 M AGAZ INE IS DISTRIBUTED
m ainfram e , including a firstlook at ELECTRO NICALLY FREE O F CH ARGE
s om e new innovative Linux s olutions
for th e zSe rie s . A de tailed look at BY SPLICED NETW O RK S LLC. TO
ne tw ork ing te ch nologie s in Linux SUBSCRIBE VISIT
including O SPF, R IP and BGP, as W W W .O 3M AGAZ INE .CO M .
w e llas a look atproviding e nd to
e nd QoS s olutions w ith Linux. W e
w illw rap up Q1 2006 w ith a SO FTW ARE
de tailed look atO pe n Source SCRIBUS 1.3.1
Te leph ony. GIM P 2.0.5
Finall y, I w ould lik e to tak e a
O PENO FFICE 1.1.2
m om e ntto th ank our adve rtis e rs
w h o ve ry gracious l y putth e ir nam e s
on a brand new m agazine . Enjoy th e CO PYRIGH T (C) 2002-2005
is s ue and fe e lfre e to s e nd fe e dback . SPLICED NETW O RK S LLC
O 3 M agaz ine /Nove m be r 2005
Page 6
EVENTS

NO VEM BER EVENTS UPCO M ING EVENTS (DECEM BER )

O PEN S O URCE D EVELO PERS CO NFERENCE 2005

O PEN S O URCE D ATABASE CO NFERENCE DECEM BER 5 - 7 2005
NO VEM BER 8, 9 2005 M ELBO URNE , AUSTRALIA
H TTP://W W W .O SDC.CO M .AU
FRANK FURT, GERM ANY

H TTP://W W W .O PENDBCO N.NET

APACH E CO N 2005
DECEM BER 10 - 14 2005
SAN DIEGA, CALIFO RNIA, USA
LINUXW O RLD E XPO
H TTP://W W W .APACH ECO N.CO M
NO VEM BER 9 , 10 2005 (UTRECH T, NETH ERLANDS )

NO VEM BER 15 - 17 2005 (FRANK FURT, GERM ANY ) INTERO P

APRIL 3 - 6 2006 (BO STO N, UNITED STATES )
DECEM BER 12 - 16
NEW YO RK , USA
H TTP://W W W .LINUXW O RLDEXPO .CO M
H TTP://W W W .INTERO P.CO M

H AVE AN UPCO M ING EVENT?TELL US ABO UT IT, SEND

SC|05 (S UPERCO M PUTING CO NFERENCE )
EM AIL TO EVENTS @ O 3M AGAZ INE .CO M W ITH DETAILS .
NO VEM BER 12 - 18 2005
SEATTLE , W ASH INGTO N, USA FEATURED PAST EVENT
H TTP://SC05.SUPERCO M PUTING .O RG
O H IO LINUXFEST 2005
O CTO BER 1ST 2005
IP.4.IT CO LUM BUS , O H IO , USA
H TTP://W W W .O H IO LINUX.O RG
NO VEM BER 14 - 16 2005
LAS VEGAS , NEVADA, USA
O h io LinuxFe s tis a com m unity focus e d fre e e ve nt
H TTP://W W W .IP4IT.CO M th atis run by a vol unte e rs and funde d by
s pons ors . Th is ye ar k e y s pons ors ofth e e ve nt
w e re Nove l land Digium , additionals pons ors
GULEV incl ude d IBM , Spl ice d Ne tw ork s , Rock e tCalc,
NO VEM BER 17 - 19 2005 Sybas e , Pante k , Im age s tre am and m any oth e rs .
VERACRUZ , M EXICO
Th e e ve ntove ral lw as gre atfor both th e vis itors
H TTP://W W W .GULEV.O RG .M X
and th e s pons ors . Eve ry s pons or w e s pok e w ith
indicate d th e y w e re h appy w ith th e e ve ntand
FO SS.IN (INDIA'S PREM IER O PEN SO URCE EVENT)
w oul d re turn again ne xtye ar. O ve r 700 vis itors
atte nde d th e th ird annuale ve ntw h ich ran al lday
NO VEM BER 29 - DECEM BER 2ND and into th e e ve ning.
BANGALO RE PALACE , BANGALO RE , INDIA

H TTP://W W W .FO SS .IN

Th e q ual ity ofth e s pe ak e rs w as good, w ith
k e ynote s from Ch ris H ick s ofIBM , and Nove l l's
Je rry M ayfie ld. Som e ofth e s l ide s are availabl e
from th e e ve nt's w e bs ite .

O 3 M agaz ine /Nove m be r 2005

Page 8
REPO RT

NO VEM BER O PEN SO URCE REPO RT

W e lcom e to th e O pe n Source Re port. Th is is th e A STER ISK

s e ction of O 3 w h e re w e give a brie f run-dow n of th e h ttp://w w w .aste ris k .org/
m ajor applications w h ich m ade re leas e s during th e Re leas e : 1.2
m onth .
Th e 1.2 re leas e for Aste ris k include s im prove d
LINUX KER NEL voice m ailfe ature s , e as ie r configuration, im prove d
h ttp://w w w .k e rne l.org/ SIP s upport, new fe ature s for th e IAX protocol , us e
Re leas e : 2.6.14 of s ound files for native -on-h old m us ic, and
im prove m e nts to th e dialplan.
Th e late stre leas e of th e Linux k e rne lh as m any new
fe ature s incl uding H ostAP s upportto actas a
w ire les s acce s s point, a Linux portof th e plan9 9 P PR O FTPD
protocol,FUSE (w h ich allow s ful ly functional h ttp://w w w .proftpd.org/
files yste m s in a us e rs pace program ), lock -fre e file Re leas e : 1.3.0
de s criptor look up, and s eve ralnew drive rs .
A “tim ing attack ” prote ction m odule h as be e n
re leas e d to h e lp s ol
ve th e tim ing leak de s cribe d by
A PACH E Le on Juranic.
h ttp://w w w .apach e .org/
Re leas e : 2.0.55
LIGH TTPD
Th e late stre leas e of Apach e incl ude s s eve rals e curity h ttp://w w w .ligh ttpd.ne t/
fixe s , corre cts a few instance s of pos s ibl
e m e m ory Re leas e : 1.4.7
leak s and bad program be h avior and adds extra
logging capabilitie s . Ligh ttpd is cove re d by M ath ew Burford on page 18 of
th is is s ue .

M ANDR IVA
h ttp://w w w .m andrivalinux.com /
Re leas e : M and riva 2006
Th e 2006 re leas e of M andriva include s a de s k top
s e arch tool(Kat) w h ich allow s s e arch ing for both file
nam e s and file conte nt, and inte ractive firew al l,
officials upportfor Inte lCe ntrino m obile te ch nology,
inte gration of Sk ype , and an auto-installation s e rve r.
SCAPY
h ttp://w w w .s e cde v.org/proje cts /s capy/
Re leas e : 1.0.2
Scapy is a pow e rfulinte ractive pack e tm anipulation
program capable of forging or de coding pack e ts from
a w ide range of protocols. Scapy is an exce llenttool
for te sting and re produce com plex ne tw ork /ne tw ork
device problem s .

SNO R T NATSTAT
h ttp://w w w .s nort.org/ h ttp://s ve arik e .s yte s .ne t/natstat/
Re leas e : 2.4.3 Re leas e 0.0.11

Th e 2.4.3 re leas e of Snortfixe s a buffe r ove rflow Ne tw ork m onitoring toolproviding re altim e
vul ne rability w h ich existe d in th e Back O rifice inform ation bas e d on th e iptabl
e s configuration.
pre proce s s or.

O 3 M agaz ine /Nove m be r 2005

Page 9
SECURITY
Be h ind AppO S Se curity
DISCO VER TH E M ULTI- TIER SECURITY APPRO ACH BEH IND TH IS UPCO M ING
LINUX DISTRIBUTIO N FO CUSED O N RESH APING TH E DATACENTER
BY JO H N BUSW ELL
ppO S is a h igh l y s e cure Linux bas e d appliance
fram ew ork th atis de s igne d to l im itth e
dam age th atcan occur in th e eve ntth ata
s e rvice or appliance is com prom is e d by a
th ird party due to an un-patch e d or a previous l y nam e s e rve rs . Itis for th is re as on th atoutof band
unk now n vul ne rability. In m oste nte rpris e
e nvironm e nts , s om e of th e ne tw ork s e curity
te ch niq ue s e m ploye d by AppO S are al re ady in
production, s o m igrating to or adding AppO S into
th e data ce nte r is ofte n a trivialtas k . For s m aller
bus ine s s e s th e re m ay be s om e ne tw ork ch ange s
re q uire d in orde r to conform to th e AppO S
fram ew ork , particularl y th os e re late d to outof band
m anage m e ntand ne tw ork storage .
O UT O F BAND M ANAGEM ENT
AppO S utilize s outof band m anage m e ntand
storage ne tw ork s to provide an extra l aye r of s e curity.
O utof band m e ans th atth e m anage m e ntand storage
ne tw ork s are noton th e s am e ne tw ork as re gul ar
appl ication traffic (s uch as h ttp “w e b” traffic).
AppO S s upports outof band m anage m e ntin s eve ral
form s including ph ys icall y s e parate Eth e rne t
s e gm e nts , VPN bas e d m anage m e ntand th e us e of
802.1q VLANS. Ph ys icall y s e parate Eth e rne t
s e gm e nts are th e pre fe rre d m e th od of outof band
m anage m e nt. In th e eve ntan Inte rne tfacing inte rface
is D oS (D e nialof Se rvice ) attack e d, th e re m ay notbe
s ufficie ntbandw idth to re liabl y m anage th e device
re m ote ly. H e re a s e parate ph ys icalEth e rne tinte rface
on its ow n private s e gm e ntw illre m ain full y
acce s s ible unles s th e s e rve r its e lf h as cras h e d. A
s e parate ph ys icalinte rface e nables an adm inistrator
to dis able th e Inte rne tfacing inte rface w ith outl os ing
conne ctivity to th e s yste m . M anage m e nttraffic can
include traffic s uch as s ys log, s nm p, s s h , h ttps , and
eve n D NS. As ide from lim iting th e acce s s to th is
inform ation for s e curity purpos e s , outof band
m anage m e nte nables s ys log and s nm p trap traffic to
continue to w ork re l iably eve n if th e Inte rne tfacing
Eth e rne tports are conge ste d.
O 3 M agaz ine /Nove m be r 2005
Page 11
Anoth e r advantage to outof band m anage m e ntis th at
itfre e s up traffic on production ne tw ork s , e s pe ciall y
if you offload D NS traffic to th e m anage m e nt
ne tw ork to be h andled by s e cure /truste d cach ing
m anage m e ntcan as s istin im proving th e s calability of
eve n s m allne tw ork s .
An im portantpartof th e AppO S ne tw ork s e curity
fram ew ork is to place us e r data in outof band storage
ne tw ork s . Storage ne tw ork s can be as s im ple as a
gigabits w itch e d Eth e rne ts e gm e ntrunning a ne tw ork
file s e rve r us ing NFS or GFS be tw e e n th e file s e rve rs
and th e application s e rve rs on th e ne tw ork . Placing
us e r data on an outof band ne tw ork h as m any
advantage s including re ducing th e load on your
production “Inte rne tfacing” ne tw ork , th us im proving
s calability and e nabling a fine r acce s s controlove r
th e us e r data. In a w e b h osting e nvironm e ntfor
exam ple, a s m allnum be r of re stricte d acce s s s e rve rs
m ay h ave w rite acce s s to us e r data, m ak ing it
pos s ible for s e curity policie s to lim itacce s s to th at
infrastructure , w h ile allow ing for a l arge num be r of
publicl y acce s s ible w e b s e rve rs to s e rve data w ith
onl y re ad-onl y acce s s . In th e eve ntof a ze ro-day
s e curity vulne rability existing in your w e b s e rve r
s oftw are , th e publicl y acce s s ible w e b s e rve rs only
h ave re ad-onl y acce s s to th e data, preve nting
pote ntialm alicious us e rs from uploading code to
exe cute on th e s e rve r. Advance d acce s s controllists ,
m ountoptions and oth e r m e as ure s can be us e d to
preve ntexe cution of unapprove d exe cutabl e s on th e
publicl y acce s s ible w e b s e rve rs .
W h ile th is approach offe rs an extra de gre e of
s e curity itcan caus e problem s w ith legitim ate w e b
applications th atne e d to h ave th e capability to w rite
to us e r data. Typicall y, us e r data is w ritte n via
databas e trans actions , s uch as inform ation for e -
Com m e rce trans actions , cre ating accounts or ofte n
SECURITY
eve n uploading fil e s , th e AppO S approach to th is
problem is to tak e databas e trans actions outof band
and to pas s file upl oads th rough an outof band
ins pe ction s yste m be fore m ak ing th e files acce s s ibl
e.
W h ile th e approach can caus e problem s for existing
w e b appl ications w h e re s e curity m ay noth ave be e n
tak e n into account, th e e ffortinvol ve d to m igrate
s uch appl ications ofte n invol ve s justputting a good
s e curity and be stpractice s policy into place .
QO S
Th e finalpie ce of th e ne tw ork s e curity fram ew ork
in AppO S is to rate -lim itapplication traffic, e m pl oy
Quality of Se rvice (QoS), pack e tq ue uing te ch niq ue s
and provide h igh availability s olutions th rough
industry standard protocols s uch as VR R P (Virtual
Route r Re dundancy Protocol). Th e s e te ch niq ue s aid
in prote cting th e ne tw ork againsta varie ty of ne tw ork
bas e d attack s w h ile providing h igh availability.
LINUX IM AGE M ANAGEM ENT / BO O T SYSTEM (LIM BS)
AppO S provide s a h igh l y s e cure Linux bas e d
ope rating s yste m th atutilize s th e Linux Im age
M anage m e nt/BootSyste m (LIM BS). LIM BS,
e s s e ntial l
y runs a Linux bas e d O S from a s ingl e GR SECUR ITY, PAX, STACK SM ASH PR O TECTIO N AND PIE
im age fil e m ounte d via loop back on a ram dis k . Th e
s e curity com e s in th e type of file s yste m us e d in th e
im age fil e , us ing s om e th ing s uch as ext3 is onl y random num be r ge ne rators , privilege s e paration for
going to provide you w ith th e s am e de gre e of
s e curity as a norm alLinux s yste m , butus ing an
“unw ritable” fil e s yste m s uch as Sq uas h FS m e ans
th atin orde r to “w rite ” to th e fil e s yste m , th e e ntire
im age fil e h as to be re ge ne rate d and re place d.
AppO S w ork s by placing th e righ tfil e s on th e
Sq uas h FS file s yste m and th e righ tfiles on th e ram
dis k to ins ure prope r ope ration of th e Linux s yste m .
LIM BS, curre ntl y atre leas e 1.1.9 , is available unde r
th e GPL. LIM BS pe rform s s om e e rror de te ction and
e s s e ntial l
y s e ts up th e s yste m for booting by loading
th e appropriate O S im age . Th e fram ew ork th at
AppO S and LIM BS provide h as gre atpote ntialfor
booting diffe re ntk e rne ls (Linux, BSD , O pe nSolaris )
w h il e re taining th e s am e application im age s .
LIM BS h ands ove r controlto init, w h ich in an
AppO S bas e d s yste m w illh and ove r controlto
ExM S, th e m anage m e nts yste m .
O 3 M agaz ine /Nove m be r 2005
Page 12
APPLICATIO N IM AGES
AppO S place s a s pe cific application s uch as a D NS
s e rve r into s e parate application s pe cific im age called
an ASI. Th e ASI is us e d to ge ne rate s e parate file
s yste m im age s , one for configuration fil e s , and one
for exe cutables . Th e s e tw o files along w ith us e r data
are m ounte d into th re e dire ctorie s w ith in a ch root
e nvironm e ntw h ile files th e m s e lve s existouts ide of
th e ch roote nvironm e nt. Th e e nd re s ultis th atif your
D NS s e rve r h as a vulne rability, eve n if it's expl oite d
and th e attack gains rootacce s s w ith in th e ch root,
th ey cannot“bre ak out” of th e ch rootdue to
Grs e curity. Th ey cannotm odify th e configuration
due to th e factth ey are s itting on an unw ritable
Sq uas h FS file s yste m , and for th e s am e re as on th ey
cannotove rw rite or re place th e exe cutables , th e
Linux k e rne lh as no m e ans of w riting to th e file
s yste m and th e attack e r doe s noth ave acce s s to th e
im age files or th e tools to re ge ne rate th e m . If th e us e r
data is s e cure d th rough a re ad-onl y ne tw ork storage
fram ew ork as dis cus s e d e arlie r in th is articl e , th e n
th e attack e r cannotdo anyth ing;th ey cannoteve n
dis ruptth e s e rvice .
AppO S is Glibc bas e d, and utilize s Grs e curity, PaX,
Pos ition Inde pe nde ntExe cutabl e s (PIE), e nh ance d
dae m ons , Stack Sm as h ing Prote ctor, non-l azy
binding and re location re ad-onl y link ing. Th e latte r
tw o are now standard in binutils.
Grs e curity is an innovative ope n s ource proje ct
lice ns e d unde r th e GNU Public Lice ns e (GPL). It
tak e s a m ulti-laye r de te ction, preve ntion and
containm e ntapproach to s e curity. Grs e curity
provide s ch rooth arde ning, a robustRole-Bas e d
Acce s s Controls yste m , preve ntion of exploits re l ate d
to addre s s s pace bugs (th rough PaX), e nh ance d
random ne s s in th e Linux TCP/IP stack , re stricte d
acce s s to proce s s lists , advance d auditing and m any
oth e r fe ature s .
Stack s m as h ing prote ctor is an exte ns ion to th e
GNU Com piler Collection (GCC) for prote cting
applications from stack -s m as h ing attack s . Th e
prote ction is provide d by buffe r ove rfl ow de te ction
and a variable re orde ring fe ature to avoid corruption
SECURITY
of pointe rs . Th e prote ction is appl ie d w h e n AppO S is
built(atcom pile tim e ).
Binary exe cutabl e s contain m e m ory locations cal
virtualaddre s s e s , th e s e addre s s e s are ofte n us e fulfor
de bugging as th e s am e functions are locate d atth e
s am e m e m ory l ocation on any s yste m running th e
s am e binary. Unfortunate l y w h atm ak e s for e as ie r
de bugging also e nabl e s an attack e r to load up th e
s am e exe cutable l ocal ly to de te rm ine m e m ory
locations on a re m ote targe ts yste m . So if you're
running Apach e from Re d H at9 , and an attack e r
de te rm ine s th is by q ue rying your w e b s e rve r w ith a
standard H EAD /H TTPD /1.1 re q ue st, and ins pe cting
th e s e rve r tok e n. Th ey can s im pl y dow nload th e s am e
Re d H at9 apach e binarie s and de te rm ine w h at
m e m ory locations are be ing us e d by your s e rve r
be caus e itis running th e s am e exe cutable. Pos ition
Inde pe nde ntExe cutabl e s e s s e ntially m ak e e ach
s yste m diffe re nt, random izing th os e m e m ory
locations , m ak ing itm uch m ore difficultfor an
attack e r to de te rm ine th e addre s s .
CO NCLUSIO N
AppO S provide s state of th e artne tw ork and s yste m
s e curity th rough a m ulti-laye re d approach . By tak ing
s im ple ste ps s uch as im plem e nting m anage m e ntand
ne tw ork storage outof band, strong ne tw ork s e curity
pol icie s and be stpractice s itis pos s ibl e to tigh te n
controlove r your ne tw ork w h il e re taining
functionality and im proving s calability. AppO S
util ize s state of th e artope n s ource s e curity s olutions
s uch as Grs e curity/PaX, Stack s m as h ing prote ctor,
Pos ition Inde pe nde ntExe cutabl e s , e nh ance d
random ization and file s yste m acce s s controllists .
AppO S tak e s th e s e te ch nologie s a ste p furth e r by
im plem e nting applications in a s e cure ch root
e nvironm e ntw ith in a s yste m of unw ritable loop back
bas e d file s yste m s . Th us cre ating a s afe ty ne tin th e
eve nta te ch niq ue is deve lope d to circum ve ntth e s e
gre atope n s ource te ch nologie s de s igne d to prote ct
vul ne rable s oftw are .
Th e bottom line is th atAppO S provide s th e be st
avail able ze ro-day prote ction againstapplications
w h ich contain undis cove re d vul ne rabilitie s and
exploits .
O 3 M agaz ine /Nove m be r 2005
APPO S AVAILABILITY
Th e curre ntre leas e of AppO S is 1.0.0, w h ich s h ips
led on AppO S bas e d SN s e rie s appliance s . AppO S 2.0.0
is s ch e duled for re leas e on Jan 3rd 2006. A public
be ta of AppO S 2.0.0 s h allbe available from Splice d
Ne tw ork s LLC from Nove m be r 28th 2005.
FUR TH ER R EADING
grse curity
h ttp://w w w .grs e curity.ne t
PaX
h ttp://pax.grs e curity.ne t
Stack Sm ash ing Prote ctor
h ttp://w w w .trl.ibm .com /proje cts /s e curity/s s p/
Frand om
h ttp://frandom .s ource forge .ne t
Squash FS
h ttp://s q uas h fs .s ource forge .ne t
Disk /Sw ap Encryption
h ttp://w w w .s dc.org/~ leila/us b-dongle/re adm e .h tm l
Joh n Busw e l lis co-found e r and Ch ie f Te ch nol ogy
O ffice r of Spl ice d Ne tw ork s LLC. H e can b e
re ach e d by e m ail(joh nb @ spl ice d ne tw ork s.com ).
Spe cialth ank s to Sh aw n W il son (Tim e W arne r
Cab l e /R oad R unne r Busine ss Cincinnati), Stew
Be ne d ict(M and riva), Frank Boyd (Spl ice d
Ne tw ork s), R aja H am m ad (Spl ice d Ne tw ork s) and
M atBurford (Spl ice d Ne tw ork s) for provid ing
te ch nicalreview of th is articl e.
Page 13
INTERNET

O pe ning th e Jar on Googl

e H one ypots

GO O GLE PRO VIDES A PO W ERFUL SEARCH ENGINE H O W EVER AN UNINTENDED

USE H AS BEEN TH E ABILITY FO R M ALICIO US USERS TO SEARCH FO R VULNERABLE SERVERS

BY ABUL ASIM M .R . QARSH I

h e Inte rne t's h orizons h ave incre as e d

m as s ive ly ove r th e last10 ye ars . Now th e re
are billions of w e b page s containing conte nt
re late d to ne arl y eve ry as pe ctof pe rs onaland
bus ine s s inform ation. W ith th is grow th in th e
Inte rne t, a problem aros e : finding th e page w ith th e
inform ation you are actuall y look ing for. Th is is
w h e re s e arch e ngine s com e into play, allow ing
Inte rne tus e rs to find th e page th atth ey w ant.
H ow eve r, All th ew e b, AltaVista, Yah oo, M SN, e tc
w e re allgiving lim ite d s e arch functionality and none
of th e m took itas ch allenge and bus ine s s opportunity
untilGoogle cam e along.
Eve ry s e arch e ngine ve ndor w ants to be com e m ore
e ffe ctive , e fficie nt, and to find accurate re s ults in th e
leasttim e pos s ible. M osts e arch e ngine s index th e
page s to s e arch and rank th e m to m aintain accuracy.
To do th is , m osts e arch e ngine s’ bots or craw lers start
trave rs ing th e w e b by us ing link s th atappe ar on th e
page s .
Inform ation col le cte d by th e s e arch e ngine is m ostl
y
com pris e d of th e nam e , file type , url , e tc. Th e s e
s e arch e ngine s also index th e dynam ic page s bas e d
on ph p, s h tm l,e tc. for exam ple atM ountain View , Calif.-bas e d law firm Fe nw ick & W e stLLP,
h ttp://w w w .dom ain.com /?id=m yd "Th e ability of s e arch e ngine s to dis cove r a lotof inform ation
th atw as notne ce s s aril
y h idde n butw as a l otles s available
FILE SEAR CH previous ly is s cary."
M osts e arch e ngine s provide th e functionality to
s e arch files on th e Inte rne t. Th atm e ans th e s e arch SEAR CH ING PO W ER
botindexe s th e diffe re nttype s of “re adable” files . Se arch e ngine ve ndors , s pe cifically Googl e , h ave give n us
M osts e arch e ngine ve ndors cl aim th atth is w il l k eyw ords s uch as “info” “link ”, and “re late d” to incl ude in th e
incre as e th e pe rform ance of th e ir s yste m . For s e arch q ue ry w h ich re ctify and give us m ore accurate re s ul ts . Th e
exam ple, Google claim s th e be ne fitof s e arch ing non- com plete listof k eyw ords can be found at
h tm lfil e s is “a w ide r view of th e conte nts avail able h ttp://w w w .googleguide .com /advance d_ ope rators .h tm l
on th e W orld W ide W e b”.
W h ile Se arch Engine s index non-h tm lfil e type s Now w e w illanal yze s om e w e llcrafte d q ue rie s to find
s uch as PD F, doc, txte tc., th ey al s o index oth e r file appropriate re s ults . Firstof allw e are going to s e arch pe opl e’s
type s , s o be aw are th atyour pw d, h tacce s s , or any CVs . Place th e follow ing q ue ry in th e Google s e arch box, and
oth e r ve ry criticalfile th atcould m ak e your s yste m look atth e re s ult:
vul ne rable could also be found via Google. (file type :pd f O R file type :d oc O R file type :rtf) (intitl e :re sum e
According to M attKe s ne r, ch ie f te ch nology office r O R inurl :re sum e O R "m y re sum e ")(-appl y O R -sub m itO R -
b e ne fits O R -re cruite r O R -O pe nings)

O 3 M agaz ine /Nove m be r 2005

Page 15
INTERNET
Next, let's try to brow s e to a particular UR Lth atw e
k now is pas s w ord prote cte d. Th e s e rve r im m e diate l y
prom pts you for a us e rnam e and pas s w ord, but
de pe nding on th e UR L, you m igh tbe able to plug it
into Googl e , s e lectth e Cach e l
ink and re ad th e
pas s w ord prote cte d page . A good exam ple is
s e arch ing for conte ntw ith inurl :w e bstats or
inurl:acce s s w atch , or th e de faulturlof any oth e r
popul ar w e b stats program . M any of th e s e are
prote cte d by .h tacce s s files butplugging th e m into
Google reve als th e page w h e n fol low ing th e cach e
option. Google is able to do th is be caus e th e
adm inistrators of th e s e s e rve rs unw ittingl y h ave th e
s e rve rs m is configure d, butw ith Google, a cl eve r
m alicious us e r now h as acce s s to inform ation th atth e
adm inistrator be lieve s is h idde n.
VULNER ABLE SYSTEM DETECTIO N
To ge tinto any s yste m , a m alicious us e r ne e ds to
k now inform ation aboutth ats yste m , and s e arch
e ngine s provide an e as y toolto h e lp th e m de te ct
vul ne rabilitie s to exploit. For exam ple, Apach e can
be configure d to h ide ve rs ion inform ation us ing th e
Se rve rTok e ns dire ctive , butif an adm inistrator h as n't
re m ove d th e m anual s installed in th e h tdocs
dire ctory, a q uick s e arch can reve alth e re leas e
ve rs ion th e adm inistrator is us ing. Th e s am e s e arch
coul d be us e d to locate unconfigure d de fault
installations of Apach e on th e Inte rne t:
inurl
:"/m anual
/" + Apach e 1.3
Th e s e type s of q ue rie s are e as y to s e arch for de fault
files , m ak ing ite as y for m alicious us e rs to de te ct
s yste m s w h e re th e adm inistrator m ay h ave leftfiles
th ey've as s um e d are h idde n from th e public. If an
adm inistrator h as l e ftth e de faultfiles , itm igh tbe an
indication th ey are inexpe rie nce d and th us an e as ie r
targe t. Th e above q ue ry can e as il y be com e m ore
s pe cific by us ing s ite : ope rator w h ich w illre strictit
to any s pe cific dom ain.
Sim ilarl y a m alicious us e r can also find de fault
installations of particular applications s uch as
W e bM ailby s im pl y crafting th e q ue ry w ith
intitl e :"W e l com e to M ail traq W e b M ail " (M ailtraq
is a W e b bas e d Em ailClie nt). Such q ue rie s can ofte n
find te sts yste m s on live ne tw ork s th atadm inistrators
are us ing to te stoutnew and uns e cure d applications .
O 3 M agaz ine /Nove m be r 2005
Page 16
SEAR CH ING PASSW O R DS
If you h ave any re adable files th atcontain
pas s w ords uploade d on th e s e rve r, th e n it’s tim e for
s om e bad new s : h ack e rs can us e q ue rie s on s e arch
e ngine s to find pas s w ords . For exam ple,
inurl:pas s list.txtcan be us e d for th is purpos e .
PR EVENTIO N
To preve nts e arch e ngine bas e d attack s , a w e b s ite
adm inistrator can indicate w h ich parts of th e s ite
s h ould notbe vis ite d by a robotby providing a
s pe cially form atte d file on th e ir s ite in robots .txt. In
addition, a w e b auth or can indicate if a page m ay or
m ay notbe indexe d or anal yze d for link s th rough th e
us e of a s pe cialH TM LM ETA tag. For exam ple, a
<M ETA NAM E="Googlebot"
CO NTENT="nofollow "> tag in th e h e ade r can stop
Googlebotfrom indexing th e page s .
To Preve ntGooglebotfrom follow ing any particular
link on th e page th atm igh tlink to your criticalpage
or any s e cre tw e b s e rve r you can add re l=”nofol low ”
in th e h ype rlink . <a h re f=h ttp://w w w .exam ple.com /
re l="nofollow "> I can'tvouch for th is link </a> .
Note th atth e s e m e th ods re ly on coope ration from
th e robot, and are by no m e ans guarante e d to w ork
for eve ry robot. If you ne e d stronge r prote ction from
robots and oth e r age nts , you s h ould us e al te rnative
m e th ods s uch as pas s w ord prote ction.
GO O GLE H ACK H O NEYPO TS
Th e m e th ods dis cus s e d s o far in th is article are
called Google H ack s . Th e "Google H ack " H oneypot
proje cth ttp://gh h .s ource forge .ne tprovide s a m e ans
to obs e rve s e arch e ngine h ack e rs us ing Google
againstyour re s ource s by e m ulating a vul ne rable w eb
application, allow ing its e lf to be indexe d by s e arch
e ngine s . Th e trans pare ntlink m e th od us e d w ill
re duce false pos itive s and avoid m alicious us e rs
de te cting th e h oneypot.
Th e h oneypotth e n logs to a file inform ation about
th e atte m pte d attack s , th e s ource IP, re fe rral
inform ation and us e r age nt. Us ing th is inform ation,
th e adm inistrator can de te ctand m onitor attack e rs
pe rform ing re connais s ance againstth e ir re s ource s
and ge ta de tailed view of s pe cific attack e rs .
A BUL A SIM M .R Q AR SH I IS A NETW O R K SECUR ITY
SPECIALIST FO R SPLICED NETW O R K S LLC BASED O UT
O F PAKISTAN.
W EB TECH
Ligh ttpd 1.4.7 Re vie w
LIGH TTPD IS A LIGH TW EIGH T W EB SERVER W ITH A FO CUS O N
PERFO RM ANCE , SECURITY AND FLEXIBILITY W O RTH Y O F CO NSIDERATIO N IN TH E DATACENTER
BY M ATH EW J. BURFO RD
f your w e b s e rve r's pe rform ance is s uffe ring
due to h igh load th e n your s olution m ay be
h e re . Th e re is inte re stbrew ing in Ligh ttpd,
a re lative l y new w e b s e rve r deve lope d by Jan
Kne s ch k e e tal.In addition to claim s of a low
m e m ory footprint, its m ain w e bs ite w w w .ligh ttpd.ne t
boasts th atLigh ttpd h as s e curity, s pe e d, com pliance ,
flexibility and an advance d fe ature s e t. Ligh ttpd is a
"h igh load pe rform ance optim ize d" w e b s e rve r th atis
inte nde d to be us e d for w e b s e rve rs w h ich m usts e rve
lots of s m allfiles rapidl y and ph p s e rve rs w h ich are
place d unde r h igh load. D e s pite th is , Ligh ttpd s e e m s
to be us e fulin m any oth e r are as , s uch as an
e m be dde d s yste m w h ich h ave lim ite d re s ource s . Th is
article w il llook into Ligh ttpd's claim s and fe ature s
and dis cus s th e m .
I installed Ligh ttpd on a 1.7Gh z Pe ntium 4 w ith
775636Kbyte s D D R SD R AM running Ge ntoo Linux
(k e rne lve rs ion 2.6.11). For te sting purpos e s , Sie ge
(de s cribe d be low ) w as install e d on a 15” Pow e rbook
(1.5Gh z Pow e rPC G4 w ith 512M byte s D D R
SD R AM ) running M acO SX, ve rs ion 10.4.2. Both
m ach ine s w e re conne cte d to a Ne tge ar 54M bps
w ire les s route r (W GR 614 v4).
BASIC TESTING
Atfirstglance of Ligh ttpd, th e s ource dow nload
file of ve rs ion 1.3.16 cons iste d of 69 0 k byte s , ve ry
ligh tinde e d. Com pilation and installation us e d th e
typical'configure /m ak e /m ak e instal l's yste m . I w as
pleas e d to find th e re w as m inim alcom pl exity ge tting
th e w e bs e rve r up. Th e us ualexam ple configuration
file is s h ippe d w ith Ligh ttpd, w h ich follow s th e
"include onl y if you ne e d" ph ilos oph y. H e nce itw as
ve ry s m all,w e llcom m e nte d and e as y to fol low .
Surpris ingl y, in 10 m inute s Ligh ttpd w as up and
running and s e rving static fil e s w ith a bas ic
configuration. Th e installation dire ctory w as 2688k b
in s ize . Th is include d various unus e d m odules and
random docs . Th e Ligh ttpd exe cutable file s ize is
9 25Kbyte s .W h e n running, th e m e m ory us age
O 3 M agaz ine /Nove m be r 2005
Page 18
for Ligh ttpd w as 418Kbyte s . O ve rall,itappe ars to be
q uite a ve ry com pactprogram . For Ge ntoo us e rs , th e
installcan be s im plifie d to 'e m e rge w w w -
s e rve rs /Ligh ttpd'. You m igh th ave to s e tan unstable
flag to dow nload th e late stve rs ion. Th is autom ate s
th e installation, butalso s e ts up a Ligh ttpd account
for th e s e rve r to run w ith in and various oth e r th ings
to ge titw ork ing fast.
I w as e age r to te stth e bas e instal lof Ligh ttpd. I
dow nloade d th e late stve rs ion (2.63) of Sie ge , an h ttp
w e b s e rve r be nch m ark ing tool ,
(fre s h m e at.ne t/proje cts /s ie ge /) from fre s h m e atand
installed it. I h ad to be care fulw ith s ie ge , as it
s e e m e d to us e a lotof re s ource s . O n m y M acO SX
Pow e rbook , I us e d Sie ge to s im ulate 15 us e rs , and I
re com m e nd you do th is for yours e lf th rough your
ow n ne tw ork s o th atyou can com pare itw ith your
curre ntw e b s e rve r's pe rform ance . Ch oos e a
docum e ntto s e rve w h ich w illus e th e fe ature s th at
your w e b s e rve r typicall y s e rve s .
Afte r te sting w ith 1000+ concurre nts im ulate d
us e rs , I w as floode d w ith e rrors w h ich indicate d th at
I h ad run outof file de s criptors and as a re s ult
re q ue sts to th e s e rve r w e re be ing de nie d. Th e
Ligh ttpd w e bs ite docum e ntation
(w w w .ligh ttpd.ne t/docum e ntation/pe rform ance .h tm l)
h as a fix for th is if you find you are h aving trouble
h e re . Th e s olution invol ve s low e ring th e de faults of
H TTP Ke e p Alive s o th atfile de s criptors are n'th e ld
on to as long. O th e rw is e you can s im pl y incre as e th e
file de s criptors w ith a q uick
% e ch o 76680 > /proc/s ys /fs /file-m ax
PER FO R M ANCE ENH ANCEM ENTS
W h ile th e Ligh ttpd w e bs ite provide s a good am ount
of docum e ntation, in m y opinion th e docum e ntation
is stillunde rdeve lope d and m uch of w h atis th e re
ne e ds revis ion. Th is is m ostl ik e l
y due to th e proje ct
stillbe ing in its e arly stage s , s o th is w illce rtainl
y
im prove .
W EB TECH

O ne inte re sting s e ction is pe rform ance Te s t2 Te s t3 Te s t2 Te s t3

(w w w .l igh ttpd.ne t/docum e ntation/pe rform ance .h tm l), 's e l
e ct' 's e l
e ct' 'e poll' 'e poll'
w h ich state s th atLigh ttpd can be configure d s o th at
itus e s th e native 'eve nth andler' provide d by th e th e
ope rating s yste m . For Linux k e rne l2.6.* th is s h ould
Trans actions 71210 779 50 73074 7339 9
(h its )
be 'e poll'and w ould re q uire a l ine lik e th is to be
adde d to th e Ligh ttpd config fil e:
Availabil
ity 100.00% 100.00% 100.00% 100.00%
s e rve r.eve nt-h andl
e r = "linux-s ys e poll" (% )

Th e advantage of us ing 'e poll'ove r th e de faul t

's e lect' is th ats e lectis lim ite d to FD _ SETSIZ E
El aps e d 60.36 59 .9 1 59 .67 60.44
Tim e
h andl e s . Th is is h ard code d in, and note as il y (s e conds )
ch ange d, us ing 'e poll ' h ow eve r ove rcom e s th is
problem . I w ould re com m e nd you s e tth is e s pe ciall y Data 176.16 19 2.84 180.77 181.58
if your s e rve r te nds to s e rve a l arge num be r of Trans fe rre d
clie nts . For m ore inform ation on th is topic s e e (M B)
w w w .k e gal.com /c10k .h tm l.
Re s pons e 0.00 0.01 0.01 0.01
Tim e
EVENT H ANDLER TESTING R ESULTS
Th e s e te sts are notide al,buts h ow a ge ne ral (s e conds )
anal ys is of th e s e rve r w h e n th e 'e poll's yste m is us e d. Trans action 1179 .75 1301.12 1224.62 1214.41
Itdoe s note ffe ctive l y te stth e fe ature s of 'e poll'. Rate
Be low are th e re s ults w h e n s im ulating 15 us e rs (trans actions
pe r s e cond)
abnorm all y flooding th e s e rve r w ith re q ue sts . Note : 3
te sts w e re run w ith th e firstte stw as cons ide re d a
Th rough put 2.9 2 3.22 3.03 3.00
(M B/s e c)
s e rve r 'w arm -up' s o is notliste d. Th is com m and w as
us e d to starts ie ge :
Concurre ncy 5.83 12.84 7.47 7.05
% ./s ie ge w w w .m ys e rve r.ne t-b -t1M > /dev/null

Th is instructs s ie ge to conne ctto w w w .m ys e rve r.ne t

and re ady 15 us e rs . Th e -b option e nables
Succe s s ful 71210 779 50 73074 7339 9
trans actions
be nch m ark ing of th rough putand -t1M instructs th e
s im ulation to run for 1 m inute . Th e lasts e ction (>
/dev/nul l) w illforw ard unne ce s s ary output(w h ich Failed 0 0 0 0
s low s th e te st) to /dev/null.D uring al lth e te sts be low trans actions
I m onitore d th e CPU us age us ing th e 'top' utility.
CPU us age ave rage d about35% and varie d about
10%.
Longe s t 0.51 0.52 0.51 0.51
trans action

Th e te stre s ul ts oppos ite s ugge stth atth e re is little (s e conds )

pe rform ance diffe re nce in us ing e pollove r s e l e ct, s o Sh ore s t 0.00 0.00 0.00 0.00
w h y us e it?W e l l,as I m e ntione d be fore , e poll trans action
ove rcom e s ce rtain re strictions of s e lect. Inte re stingl y, (s e conds )
th e re s ults of 'e poll'deviate d m uch l e s s th an th os e of
's e lect' w h ich s ugge sts m ore re liability.
Ligh ttpd 1.4.7 1.4.7 1.4.7 1.4.7
ve rs ion
te s te d

O 3 M agaz ine /Nove m be r 2005

Page 19
W EB TECH
SECUR ITY SUPPO R T
Th e aim h e re is to preve ntLigh ttpd be ing us e d as a
pointof attack againstth e s yste m . O ne m e th od w h ich
lim its th e dam age an intrude r can pe rform is to run
th e Ligh ttpd dae m on in a ch rootjail.Ch rooting w il l % te lne tlocalh ost80
lim itLigh ttpd to a s ub dire ctory of th e files yste m ,
w h ich Ligh ttpd w il ls e e as root. Ligh ttpd s upports
be ing run in a ch rootjailand itis h igh l y
re com m e nde d to do s o as itis also notove rl y Trying 127.0.0.1...
com plex to s e tone up. Th e Ligh ttpd w e bs ite h as a
link w h ich w illguide you th rough m uch of th e
proce s s (h ttp://w w w .ligh ttpd.ne t/docum e ntation).
In ge ne ralitis a bad ide a to run Ligh ttpd w ith root
privilege s , as be fore th e aim is to lim itany dam age
an intrude r can pe rform . Anoth e r s upporte d m e th od
is to drop root-privilege s and run Ligh ttpd as a l ow -
privilege us e r. Th is is trivialand e ffe ctive . First
cre ate a us e r called 'Ligh ttpd' by adding a l ine s im ilar
to th e line be low to your /e tc/pas s w d fil e.
ligh ttpd:x:100:400:ligh ttpd:/w w w /page s /:/bin/false
Next, you s h oul d add a line s im ilar to th e l
ine be low
to your /e tc/group file w h ile m ak ing s ure th atth e
num be rs 100 and 400 are nottak e n by any oth e r
e ntrie s in th e s e files .
ligh ttpd:x:400:
To s e tLigh ttpd to run as th is non-privilege
us e r/group s im pl y m odify th e configuration fil
e to
contain th e s e s e ttings :
## ch ange uid to <uid> (de fault: don'tcare )
s e rve r.us e rnam e = "ligh ttpd"
## ch ange uid to <uid> (de fault: don'tcare )
s e rve r.groupnam e = "ligh ttpd"
Itis al s o im portantth atyour s e rve r doe s note as il y h e ade r from th e s e rve r and you s h ould h ave m odifie d
give its e lf aw ay to us e rs . O ne m e th od attack e rs m ay
us e to gain inform ation abouta s yste m is to s im pl y
re ad th e h tm lh e ade r. Th is is trivialto counte r in
Ligh ttpd, as de s cribe d be low .
O 3 M agaz ine /Nove m be r 2005
Page 20
Firstyou m igh tlik e to s e e w h atinform ation th e w e b
s e rve r is giving out. As s um ing you h ave te lne t
installed th is can be done by e nte ring th e com m and:
You s h ould re ce ive a prom ptas be low :
Conne cte d to localh ost.
Es cape ch aracte r is '^]'.
You s h ould now e nte r th e be low H TTP com m and,
follow e d by tw o e nte r k eystrok e s :
H EAD /H TTP/1.0
(h ite nte r tw ice )
You s h ould re ce ive s om e th ing s im ilar to th is :
H TTP/1.0 200 O K
Conne ction: clos e
Conte nt-Le ngth : 80
D ate : Th u, 11 Aug 2005 20:47:04 GM T
Last-M odifie d: W e d, 10 Aug 2005 12:14:49 GM T
ETag: "-1257421618"
Acce pt-R ange s : byte s
Conte nt-Type : te xt/h tm l
Se rve r: ligh ttpd/1.3.16
As you can s e e , th e s e rve r by de faults e nds outits
nam e and ve rs ion num be r. Th is provide s an attack e r
w ith e nough inform ation to look up w e ak ne s s e s in
your particular s oftw are and ve rs ion. I re com m e nd
for th e s e s e curity re as ons th atyou s e tth is to
s om e th ing non-h e lpful.To ch ange th is tag, again
m odify th e configuration file to contain a line s im il ar
to th is :
s e rve r.tag = "h ttpd"
Afte r re starting your s e rve r, you m ay re trieve th e
th attag:
W EB TECH
H TTP/1.0 200 O K
Conne ction: clos e
Conte nt-Le ngth : 80
D ate : Th u, 11 Aug 2005 20:49 :30 GM T
Last-M odifie d: W e d, 10 Aug 2005 12:14:49 GM T
ETag: "-1257421618"
Acce pt-R ange s : byte s
Conte nt-Type : te xt/h tm l
Se rve r: h ttpd
H e re you h ave be e n introduce d to s om e bas ic
as pe cts of Ligh ttpd's h igh configurablil ity. For m ore
options , s e e th e docum e ntation provide d w ith
Ligh ttpd or l ook atth e copie s available on th e ir
w e bs ite : (h ttp://w w w .ligh ttpd.ne t/docum e ntation/).
FEATUR ES
O ne of th e bigge sts e l ling points of Ligh ttpd is its
rich listof fe ature s . Be l ow I look atFastCGI and
M ySQLbas e d VirtualH osting, tw o of th e m ore
popul ar fe ature s . Ligh ttpd h ow eve r h as a ve ry clear
cutstate e ngine and plugin inte rface , w h ich m ak e s
Ligh ttpd ve ry e as y to m odify s h ould you ne e d to
ins e rts pe cialize d capabilitie s into th is s m allh ttpd.
FASTCGI
Th e aim of FastCGI is to re m ove a lotof th e
pe rform ance is s ue s pos e d by CGI program s . Support
for th is is provide d by th e m odule m od_ fastcgi and
can be e nabled by uncom m e nting th e appropriate
line in your configuration file, found unde r
s e rve r.m odules . FastCGI allow s fastand exte ns ive
ph p s upportfor Ligh ttpd, For m ore inform ation s e e
(w w w .ligh ttpd.ne t/docum e ntation/fastcgi.h tm l).
M YSQL BASED VIR TUAL H O STING
Th e re are a tw o vh ostm odules available for
Ligh ttpd. An inte re sting one is m od_ m ys q l _ vh ost,
w h ich allow s you to provide virtualh osts us ing a
M ySQLtable. Ligh ttpd re com m e nds notto m ix
vh ostm odules as onl y one is s uppos e d to be active at
any give n pointin tim e . M ySQLvh ostallow s you to
place docrootand dom ain pairs in a tabl e , th e n
ligh ttpd w illq ue ry th e M ySQLs e rve r to locate th e
docroot.
O 3 M agaz ine /Nove m be r 2005
Page 21
O TH ER FEATUR ES
I fe ltth atitw as im portantto m e ntion s om e of th e
oth e r fe ature s in Ligh ttpd. SSLs upportis inte grate d
into Ligh ttpd, and bas ic rate lim iting s upporte ith e r
on a pe r conne ction or s e rve r (al lconne ctions ) bas is .
Lik e Apach e its upports com pre s s ion, th e standard
gzip com pre s s ion w h ich is s upporte d on th e m ajority
of w e b brow s e rs can de cre as e w e b s e rve r bandw idth
utilization, Ligh ttpd also s upports de flate and bzip2.
O th e r inte re sting fe ature s include an rrdtoolm odule
for outputing bandw idth and load util ization, SCGI
w h ich is bas e d h e avil y on FastCGI and is prim aril y
us e d for Pyth on + W SGI. Som e anti-h otlink ing
fe ature s including trigge r b4 dow nload round out
s om e of Ligh ttpds uniq ue fe ature s e t.
EXPANDING LIGH TTPD
Ligh ttpd h as be e n docum e nte d ve ry clearl y and in
gre atde tailby th e Ligh ttpd deve lopm e ntte am . Th e
docum e ntation l ink off th e ir m ain w e b page h as full
state m ach ine inform ation for both FastCGI and th e
h ttpd state m ach ine . Th e docum e ntation eve n
include s th e function nam e s w h e re th e proce s s ing
occurs . Th is m ak e s Ligh ttpd, al ong w ith its s ize a
ve ry te m pting s olution for deve lope rs w h o ne e d
uniq ue fe ature s or proce s s ing. Itw ouldn'ttak e m uch
to m odify th e Ligh ttpd code by ins e rting your ow n
additionalproce s s ing to pe rform custom UR Lor
oth e r m odifications beyond th os e s upporte d in
m od_ rew rite . Ligh ttpd also incl ude s ve ry us e ful
plugin docum e ntation.
CO NCLUSIO N
Ligh ttpd is an exciting proje ctw h ich rais e s th e
expe ctations of s m allfootprintw e b s e rve rs . As its
us e rbas e incre as e s , m uch m ore docum e ntation w ill
be available. Th is s e rve r is h igh l y configurabl e in a
non-com plicate d w ay, w h ich e nables new us e rs to
q uick l y ge tth e ir w e b s e rve r running w ith little
trouble. Ligh ttpd is a com pe titive option to oth e r
popular w e b s e rve rs , and m ay be run alongs ide oth e r
w e bs e rve rs , s uch as tom cator apach e , to tak e
advantage of th e be ne fits offe re d by e ach . Itw illbe
inte re sting to s e e th e dire ction Ligh ttpd tak e s on th e
Inte rne tas itm ature s .
M ATH EW BUR FO R D IS AN A PPLICATIO N D EVELO PER
FO R SPLICED NETW O R K S LLC BASED O UT O F
W O LLO NGO NG, AUSTR ALIA .
BUSINESS
An Introduction to Linux and O pe n Source for Bus ine s s
LINUX AND O PEN SO URCE M IGH T BE TERM S YO U H AVE H EARD BUT ARE NO T QUITE FAM ILIAR W ITH
LINUX AND O PEN SO URCE CAN BENEFIT BUSINESSES O F ANY SIZ E ... AND NO IT IS NO T JUST FO R BANK S ...
BY JAM ES H O LLINGSH EAD
pe n s ource . It's am azing h ow m uch confus ion
and m ixe d fe e lings th os e tw o little w ords can
caus e . W h atis it?H ow doe s itw ork ?Is itfor
our bus ine s s ?
Th is article is an atte m ptto ans w e r your q ue stions
and give a brie f ove rview of w h atope n s ource is ,
h ow itcan h e lp you and your bus ine s s , and w h atyou
can do to h e lp. Since itis a h uge s ubje ctand
ans w e ring eve ryone 's q ue stions w ould tak e e ntire
book s , th is is re all
y justa fairl y h igh leve llook at
ope n s ource arrange d as a s ortof q ue stion and
ans w e r s e s s ion.
W H AT IS TH IS " O PEN SO UR CE " TH ING I KEEP H EAR ING
ABO UT?
Th at's a ve ry s im ple q ue stion to w h ich th e re are a
num be r of ans w e rs . Atth e m ostbas ic leve l,ope n
s ource is th e s oftw are deve lopm e ntcom m unity and
bus ine s s e s w ork ing toge th e r in orde r to m ak e q uality
s oftw are th atanyone can us e . It's a w ay for groups
and individual s to contribute according to th e ir s k ill
s e ts on proje cts th atth ey find inte re sting s o th at
eve ryone can com e outah e ad.
It's re alde fining points are th e lice ns e th atth e
s oftw are is re leas e d unde r and th e factth atth e
program is distribute d fre e of ch arge . Th e re are q uite
a few l ice ns e s th atare cons ide re d to be ope n s ource
by th e O pe n Source Initiative (w w w .ope ns ource .org),
th e non-profitorganization w h ich k e e ps track of and
prom ote s ope n s ource lice ns e s .
W h atm ostof th e acce pte d lice ns e s boildow n to is
th atth e s ource code for th e s oftw are is ope n for th e
w orl d to s e e , m odify, contribute to, and us e . Ce rtain
lice ns e s re q uire th atyou re leas e allch ange s you
m ak e w h ile oth e rs justre q uire you to give th e m
cre ditfor h aving code in your proje ct.
I H EAR D TH AT LINUX IS H AR D TO SETUP AND USE IS
TH AT TR UE ?
If you h ad as k e d m e th atq ue stion in 19 9 8 w h e n I
firsttrie d to installLinux on a new de s k top th at
O 3 M agaz ine /Nove m be r 2005
Page 23
I bough t, I w ould h ave s aid itw as a nigh tm are to ge t
running. Now , h ow eve r, it's a gre atde albe tte r and is
actuall y re ady for a lotof h om e and bus ine s s us e s .
M any of th e applications now h ave graph ic
inte rface s th atare justas good as w h atyou are us e d
to now and h ave th e functionality th atyou've com e to
expe ctfrom your bus ine s s apps . Th at's notto s ay th at
th e re is n'ta little bitof a learning curve , butitre all y
is a pre tty s ligh tone .
O n top of th is , Linux is now a bre e ze to instal lon
m osth ardw are . To give you an ide a, I re ce ntl y
installed Linux on m y laptop. Anyone w h o h as
installed W indow s on a laptop w illte l lyou aboutth e
fun th atyou're in for. Ittak e s a stack of cds , m ostof
th e day, and constantl y babys itting th e laptop to
ans w e r q ue stions and s w itch outdis k s . O n top of
th at, you h ave to provide th e righ tvide o, audio, and
ne tw ork drive rs and th e n you h ave to run s e curity
update s and installs e rvice pack s .
W ith Linux, ittook four cds , a ne tw ork conne ction,
and aboutth re e h ours to installth e ope rating s yste m ,
m ostof th e s oftw are th atI us e , and to update th e
e ntire s yste m . Eth e rne tw ork e d outof th e box;s o did
th e vide o. To installth e lasttw o program s th atI
w ante d to us e re q uire d tw o ve ry s h ortcom m ands and
updating th e e ntire laptop re q uire d one m ore . M ostof
th e tim e th atw as s pe ntinstall ing Linux w as us e d to
do oth e r th ings w h ile m y laptop w ork e d q uie tly in th e
oth e r room w ith outne e ding m e to babys itit.
It's com e th atfar.
IF I W ANT TO USE O PEN SO UR CE SO FTW AR E , DO I H AVE
TO R UN LINUX?
W h ile m osts oftw are re leas e d for Linux is ope n
s ource , notallope n s ource s oftw are is Linux-onl y (or
eve n runs on Linux). Itis pos s ible to h ave ope n
s ource proje cts on oth e r platform s , s uch as W indow s
and O SX, and inde e d m any popular proje cts , s uch as
th e Fire fox w e b brow s e r and th e Eclips e
program m ing e nvironm e ntfor Java, are re leas e d on a
w ide varie ty of platform s .
BUSINESS
Th e deve lope rs and com panie s be h ind th e proje cts
re alize th atnoteve ryone can standardize on a s ingl e th e re . If you're inte re ste d in look ing for ope n s ource
platform , s o th ey ofte n do th e ir be stto provide
s olutions w h e re th ey m ak e s e ns e .
W H AT SO R T O F O PEN SO UR CE SO FTW AR E IS TH ER E ?
O pe n s ource s oftw are exists acros s th e s pe ctrum of
applications .
• For ope rating s yste m s , you h ave various form s
of Linux and BSD , w h ich are al lUnix-lik e
ope rating s yste m s . W h il
e th ey allow fine control
of practicall y eve ryth ing th atyou could w antto
do w ith your com pute r from a functionality and
s e curity standpoint, th ey also h ave rath e r nice
graph ic inte rface s , allow ing both cas ualus e rs
and th e m ore expe rie nce d to us e th e m w ith e as e .
• Th e popular w e b brow s e r, Fire fox, is a pie ce of
ope n s ource s oftw are th atgrew outof th e old
Ne ts cape brow s e r. Italso h as s ibl
ing program s
Th unde rbird for e m ailand Bugzill a, a bug
track ing s oftw are pack age us e d by m any
deve lope rs . Allof th e s e program s m ay be found
atw w w .m ozilla.org
• O pe n O ffice (w w w .ope noffice .org) is a popular
ope n s ource s uite th atinclude s w ord proce s s or,
s pre ads h e e t, and pre s e ntation s oftw are and is
available on both Linux and W indow s .
• GIM P (w w w .gim p.org) is an ope n s ource
graph ics program w h ich is available both on
Linux and W indow s and is us e d by th is
m agazine .
• M any program m ing e nvironm e nts s uch as
Eclips e (w w w .e clips e .org) are ope n s ource as
are th e s ource controltool s Subve rs ion
(h ttp://s ubve rs ion.tigris .org) and CVS
(w w w .nongnu.org/cvs ).
• Th e re are eve n s eve ralve ry good ope n s ource
databas e s outth e re s uch as M ySQL
(w w w .m ys q l.com ) and Postgre SQL
(w w w .postgre s q l.org).
O 3 M agaz ine /Nove m be r 2005
Page 24
Th e re are m any oth e r ope n s ource offe rings out
applications , a good place to startis Th e O pe n CD
proje ct(w w w .th e ope ncd.org), w h ich l ists applications
for W indow s , butalso link s back to w e bs ite s for th e
proje cts s o you can ge tve rs ions for diffe re nt
platform s .
BUT IF IT'S FR EE , H O W DO W E M AKE M O NEY O N IT?
Th at's a ve ry good q ue stion. Th e ans w e r is th at, just
lik e eve ryth ing e lse in bus ine s s , m ak ing your proje ct
ope n s ource is n'tfor eve ryone . H ow eve r, th e re are
s eve ralfairl y standard w ays th atcom panie s are
m ak ing m oney w ith ope n s ource proje cts .
• Support– com panie s lik e Re dh at
(w w w .re dh at.com ), m aintaine rs of a popular
Linux distribution, ch arge m oney for providing
profe s s ionalte ch nicals upport.
• Se l lh ard w are – com panie s lik e D igium
(w w w .digium .com ), th e m ak e rs of Aste ris k , an
ope n s ource PBX s oftw are , m ak e a gre atde alof
th e ir m oney s e lling pre -m ade PBX s olutions
w h ile also providing th e s oftw are to th e ge ne ral
public for th os e w h o fe e ladve nturous .
• Training – m any pie ce s of s oftw are , w h e th e r
ope n or clos e d, re ally be ne fitfrom pe ople be ing
able to go to clas s e s in orde r to learn h ow to ge t
th e m ostus e outof th e m . W h o be tte r to provide
th e training th an th e com pany w h o m ak e s th e
product?
• Custom b uil d s – no s oftw are w illdo
eve ryth ing th ateve ryone w ants itto do, be caus e
th e re are s o m any th ings th atits cre ators neve r
th ough tof. In s om e cas e s , bus ine s s e s m ay w ant
functionality adde d to th e program s th atyou
m ak e w h ich th ey are w ill ing to pay for.
Th e re are m any oth e r w ays th atcom panie s are
m ak ing m oney on ope n s ource s oftw are , butw h atit
allcom e s dow n to is w h e re you expe ctto m ak e your
m oney. If you justplan to s e llyour s oftw are , th e n
ope n s ourcing your proje ctprobabl y is n'tfor you.
Th e re are exce ptions to th is . M ySQL, a popular ope n
s ource databas e , offe rs its s oftw are for fre e if itis
us e d in-h ous e and as k s th atyou pay a m ode stfe e
BUSINESS
if you include itin a com m e rcialproduct. H ow eve r, if
your re alm oney com e s from s om ew h e re e l
s e , th e n
you h ave a de ce ntch ance of m ak ing a s ucce s s ful
bus ine s s .
W H AT DO I GET O UT O F M AK ING M Y SO FTW AR E O PEN
SO UR CE ?
By m ak ing your s oftw are proje ctope n s ource , you
gain pote ntialacce s s to th e profe s s ionaldeve lopm e nt
com m unity atlarge . As I s aid be fore , m any m ajor
ope n s ource proje cts are staffe d partiall y by
deve lope rs be ing paid by te ch nicalcom panie s in
orde r to add th e fe ature s and functionality th atth e ir
e m ploye rs w ant. H ow eve r, m any profe s s ional
deve lope rs w ork on ope n s ource proje cts on th e ir
ow n tim e as w e llfor a num be r of re as ons incl uding
to k e e p th e ir s k ills s h arp, to add new s k ills, and eve n
justbe caus e th e proje ctinte re sts th e m .
Th is m e ans s eve ralth ings to anyone w h o w ants to
h ave a s ucce s s fuls oftw are proje ct:
• Acce ss to outsid e sk il ls - Eve ryone w h o starts a
pie ce of s oftw are w ants th e pe ople w ork ing on it
to be th e be st. Unfortunate l y, your budge tofte n
doe s n'tallow to you h ire th e m and k e e p th e m
fulltim e . W ith ope n s ource , you can h ave acce s s
to pe ople (e ith e r on a contractbas is or, in s om e
cas e s , justbe caus e th ey're inte re ste d in your
proje ct) th atyou oth e rw is e w oul dn'tbe able to
h ire .
• R e d uce d d eve lopm e nttim e - W ith th e
pos s ibility of m ore pe ople w ork ing on your
proje ctth an you could oth e rw is e afford, th e re is
a good ch ance th atitw il ltak e l
e s s tim e to
com plete your proje ct. For exam ple, W indow s
Vista (form e rl y code nam e d Longh orn) w as
announce d ye ars ago and is n'ts uppos e d to be
de live re d untils om e tim e in 2006. By contrast,
Fe dora, Re dh at's non-bus ine s s Linux
distribution, h as gone from ve rs ion 1 to ve rs ion
4 s ince I firststarte d us ing itin 2003, and e ach
new ve rs ion h as be e n a m ark e d im prove m e nt
ove r th e previous one .
• Diffe re ntpoints of view - Th e re are alw ays
us e fulfe ature s or us e s for your s oftw are th at
you didn'toriginall y th ink of. W ith m e m be rs of
th e s oftw are deve lope r com m unity at-large
O 3 M agaz ine /Nove m be r 2005
Page 25
look ing at(and w ork ing on) your proje ct, you
m ay e nd up w ith functionality th atyou neve r
cons ide re d be fore .
• M any eye s l ook ing atyour proje ct- Th e m ore
pe ople w h o review th e s ource code of your
proje ct, th e gre ate r th e ch ance th atbugs and
s e curity flaw s w illbe caugh t, allow ing th e m to
be fixe d s oone r.
• Com m unity good w il l- Neve r unde re stim ate
th e pow e r of fre e adve rtis ing. If your proje ct
be com e s popular w ith in th e te ch nical
com m unity, lik e Linux h as , th atpopularity can
s pillove r into th e bus ine s s are na.
W H Y W O ULD PEO PLE W ANT TO VO LUNTEER TO W O R K
O N M Y PR O JECT?
W e deve lope rs (ye s , I am one of th e m ) are strange
pe ople. W e lik e to w ork on proje cts th atw e find
inte re sting or th atch allenge us . It's a ch ance to gain
expe rie nce th atw e can pointto w h e n l ook ing for a
new job. It's also a w ay to ge tre cognize d by th e
com m unity as a capable deve lope r. O n top of allof
th os e th ings , it's a ch ance for us to give s om e th ing
back to th e pe ople w h o h ave h e lpe d us outal ong th e
w ay and to h e lp oth e rs w h o m ay notbe s o fortunate .
Som e of us th ink of itas a form of voluntary
com m unity s e rvice .
IF EVER YO NE CAN LO O K AT M Y SO FTW AR E , W H AT'S TO
STO P TH EM FR O M JUST TAK ING IT?
Th at's a ve ry good q ue stion, and one th atI h e ar
q uite ofte n. Th e ans w e r is itallcom e s dow n to th e
lice ns e th atyou ch oos e to re leas e your w ork unde r.
Th e re are a lotof acce pte d ope n s ource l ice ns e s , s o I
am onl y going to give a brie f de s cription of a few of
th e m ore popular one s .
• BSD – Th e pe rs on w h o m odifie s th e proje ct
m ay ch oos e w h e th e r or notto ope n s ource th e ir
de rivative , butth e copyrigh tnotice for th e
originalproje ctm ustbe include d w ith th e
docum e ntation (if th e de rivative w ork is clos e d)
or in th e code (if th e de rivative w ork is ope n).
Bas icall y, unde r th is lice ns e , anyone can do
anyth ing w ith th e code th atth ey w antas long as
th ey s ay th atth e code is in th e re .
BUSINESS
• Apach e – If a s oftw are deve l opm e ntproje ct
contains code re leas e d unde r th e Apach e
lice ns e , th e ir copyrigh tnotice and dis claim e r
m ustbe include d in th e docum e ntation and th e
s ource is al low e d to be e ith e r ope n or clos e d.
• GPLv2 – If th e proje ctth atcontains code
lice ns e d unde r th e GPLv2 is re leas e d, all
ch ange s to th e code m ustalso be re leas e d unde r
th e GPL. Th is is th e lice ns e us e d by m any ope n
s ource proje cts including th e Linux k e rne l.
LET M E GET TH IS STR AIGH T. IF I USE CO DE LICENSED
UNDER TH E GPL, I H AVE TO R ELEASE W H AT I M AKE
W ITH IT TH E SAM E W AY ?
If you re leas e th e proje ctth atyou incorporate th e
GPL'e d code in, th e n ye s , you h ave to ope n s ource
your proje ctas w e ll.If, on th e oth e r h and, you just
us e th e s oftw are you m ak e in-h ous e , you don'th ave
to publ is h your code . H ow eve r, eve n if itis justin-
h ous e , you s h ould th ink aboutw h e th e r th e re is
actuall y anyth ing to be gaine d by k e e ping pe opl e for an Inte rne tcafe on th e w e stcoastof Ire land.
from s e e ing it. If th e ans w e r is notre all
y, th e n
cons ide r ope ning itup anyw ay.
I LIKE TH E IDEA O F TH E GPL, BUT DO I H AVE TO
ACCEPT EVER YTH ING TH AT SO M EO NE O FFER S M Y
PR O JECT?
W h ile th e GPLh as a gre atde alof be ne fits th at
com e from acce pting contributions to your proje ct
(functionality and bug fixe s am ong th e big one s ), at
th e e nd of th e day, you're th e one in controlof th e
proje ctand can de cide w h o you w antto be able to
contribute th ings to it. You don'th ave to acce pt
anyth ing s us pe ctor th atyou don'tw antto if you're in
controlof th e proje ct.
H O W DO I JO IN TH E CO M M UNITY ?
Th e e as ie stw ay is to contribute . Starta proje ctor
w ork on an existing one by adding functionality or
s ubm itting patch e s . Source forge
(w w w .s ource forge .ne t) is an exce llentpl ace to find or
startproje cts . You can also join th e m ailing listfor
th e proje ctth atinte re sts you in orde r to com m unicate
w ith th e oth e r pe ople w h o are w ork ing on th e
proje ct. As tim e goe s on, you w illbe abl e to tak e on
m ore re s pons ibility on th atproje ct, and th us in
O 3 M agaz ine /Nove m be r 2005
Page 26
th e com m unity, if you w ant.
I h ope th is article h e lpe d ans w e r m ostof th e
q ue stions th atyou h ad conce rning ope n s ource for
your bus ine s s . As I s aid atth e be ginning, th is w as
justa brie f ove rview of w h atope n s ource is and h ow
itcan w ork for you. If you h ave m ore q ue stions , th e re
are a gre atde alof place s th atyou can turn to. O ne of
th e be stof th e s e is your localLinux Us e r's Group,
m any of w h ich can be found via Linux.org's listof
us e r's groups locate d atw w w .linux.org/groups /.
JAM ES H O LLINGSH EAD IS TH E EXECUTIVE EDITO R FO R
O 3 M AGAZ INE . JAM ES IS BASED O UT O F
CH ILLICO TH E , O H IO . JAM ES CAN BE R EACH ED VIA
EM AIL AT JAM ES@ O 3M AGAZ INE .CO M .
"... LINUX, ISN'T TH AT FO R BANK S?I DO N'T NEED TH AT
KIND O F SECUR ITY !" -- INTER NET CAFE O W NER
Seve ralye ars ago I w as as k e d to puttoge th e r a q uote
Seve rallocaland nationalcom pute r re tail e rs h ad
alre ady q uote d butw e re too h igh for th is ve ry s m al l
startup run by a bus ine s s l ady w h o h ad no com pute r
expe rie nce atall.
Th e ow ne r w as conce rne d aboutW indow s and
conne cting W indow s to th e Inte rne tbe caus e of
s e curity. I puttoge th e r tw o q uote s , one for Linux
de s k tops and one for justs e curing th e W indow s
de s k tops w ith a Linux bas e d firew al l/route r.
W h atw as inte re sting aboutth is particular expe rie nce
w as th atth e bus ine s s ow ne r didn'tw antanyth ing to do
w ith Linux, notbe caus e it"l ook s diffe re nt" but
be caus e itw as "too s e cure ". Sh e fe ltth ats h e didn't
ne e d th atleve lof s e curity and th atLinux s olutions
w e re re ally for bank s .
Five ye ars l ate r, th is particular individualgotin
contactw ith m e th rough one of m y previous
e m ploye rs . H e r ne tw ork of W indow s de s k tops w e re
be ing constantl y com prom is e d by both l ocalstude nts
and re m ote us e rs .
Turns outth ata nationalcom pute r com pany s ales re p
told h e r Linux w as for bank s , th is type of s ales re p
FUD re s ul te d in a s ol ution th ats costm ore and in th e
long run fail e d. -- Com m e nts from th e Ed itor
NETW O RK ING

M ul
tiLaye r Sw itch ing in Linux

LINUX H AS H AD SO M E FO RM O F BRIDGING AND VLAN SUPPO RT IN IT FO R AW H ILE

M ULTILAYER SW ITCH ING , SPANNING TREE AND O TH ER ADVANCED SW ITCH ING FEATURES ARE NO W PO SSIBLE

BY JO H N BUSW ELL

tfirstglance LISA, th e Linux Sw itch ing h ard-code d, s o you h ave to m odify th e path to th e
Appl iance proje ctlook s l ik e a ve ry inte re sting Linux h e ade r files in e ach M ak e file, and w ith
proje ct, providing Laye r 2/3 pack e ts w itch ing ch ange s to th e s k b code in 2.6.14, you w illne e d to
s upportto Linux. O riginall y w e planne d to m odify th e calls to de live r_ s k b() and oth e r pos s ibl
y
w rite an article s pe cificall y on LISA, unfortunate l y, oth e r s k b routine s th atth e s w itch ing code us e s .
w e q uick l y dis cove re d th atLISA is stil lve ry m uch in O ve rall,LISA h as a good de alof pote ntial,w h e th e r
a deve lopm e ntalstage , s o th is articl e h as be e n its curre ntdeve lope rs plan to continue deve lopm e nt
expande d to cove r th e w ide r range of s w itch ing beyond Unive rs ity re m ains to be s e e n. LISA can be
s olutions for Linux. Th is is an introductory article, obtaine d from h ttp://lis a.ine s .ro/.
ove r th e com ing m onth s th e NETW O R KING
s e gm e ntof O 3 w il lgo into de tailon im plem e nting SPANNING TR EE PR O TO CO L (802.1D )
various ne tw ork ing s olutions in Linux and us ing M oste nte rpris e laye r 2 s w itch e s s upportIEEE
ope n s ource proje cts to te stand exte nd th e s e curity of 802.1d “Spanning Tre e Protocol”, w h il e LISA its e l
f
traditionalne tw ork protocols. doe s n'tprovide STP, th e Linux bridging s uite
W e te ste d LISA unde r Linux 2.6.10, itcons ists of a (h ttp://bridge .s ource forge .ne t) doe s provide good
k e rne lpatch providing th e “Eth e rne tSw itch ” m odul e STP s upport. STP allow s m ultiple bridge s to w ork
unde r Ne tw ork ing O ptions and a coupl e of us e rs pace
tool s . Th e proje ctprovide s a m ini-distribution,
h ow eve r al lyou re all y ne e d is th e patch e d k e rne land
th e s w ctlus e rs pace toolth atis provide d by th e
proje ct.
Th e s w ctltoolallow s you to add/re m ove inte rface s
from th e s w itch , add/re m ove vl ans from th e vl an
databas e , cre ate trunk s and cre ate virtualinte rface s
for a give n vlan. W e te ste d its laye r 2/3 s w itch ing
capabilitie s , pe rform ance w as pre tty good and th e
s w itch e s forw arding databas e w ork e d as expe cte d.
Inte rope rabil ity w ith oth e r VLAN s pe ak ing device s
s e e m e d to w ork w e ll,w e te ste d LISA conne cte d to
Cis co Catal yst5505 and Norte l3408 Appl ication
Sw itch e s , laye r 2 and laye r 3 conne ctivity ove r th e
VLANs , and VLAN routing w ork e d.
Th e dow ns ide to th is proje ctis clearl y its future , th e
lastre leas e w as back in June 2005, and itlook s lik e a
finalye ar proje ctfor tw o Rom anian stude nts . If you
plan to s e rious l y cons ide r us ing LISA, de s pite th e
s pons ors , I w oul d w aitand s e e if th e proje ct
continue s deve lopm e ntunles s you plan to m aintain
th e code yours e lf. Atth e tim e th is article w as w ritte n
th e late stre leas e of LISA re q uire s s om e patch ing to STP.1 EXAM PLE SPANNING TR EE NETW O R K
w ork w ith Linux 2.6.14. Th e us e rs pace tools are

O 3 M agaz ine /Nove m be r 2005

Page 28
NETW O RK ING

toge th e r by providing path re dundancy w h ile

e lim inating loops in th e ne tw ork , itis a Laye r 2
protocol.STP w ork s by s e nding outa s pe cialpack e t
called a BPD U (bridge pack e tdata unit)
com m unicating w ith oth e r bridge s to dis cove r h ow
e ach is inte rconne cte d. Th e exch ange of BPD Us
re s ults in th e e lection of a rootbridge . Th is is call ed
s panning tre e conve rge nce . O nce an STP h as
conve rge d, e ach bridge s e ts a l ink to e ith e r a
FO RW AR D ING or a BLO CKED state . Itis th is
de te rm ination of BLO CKED or FO RW AR D ING
w h e n m ultiple active path s existbe tw e e n bridge s th at
preve nts loops in th e ne tw ork . Spanning tre e loops
are nota good th ing, th ey can flood th e ne tw ork , and
m ore ofte n th an notlead to ne tw ork failure . Th e be st
w ay to de s cribe th e BLO CKED state is th atitis an
active l ink s itting in standby
In diagram stp.1 w e h ave 5 s w itch e s , during
conve rge nce a “rootbridge ” is e l e cte d th rough th e
exch ange of BPD Us as m e ntione d above . O nce th e
rootbridge is s e lecte d, alll ink s notre q uire d to re ach
STP.2 SW ITCH 2 AS R O O T BR IDGE /CO NVER GENCE CO M PLETED
th e rootbridge are pl ace d into a BLO CKED state . In
our diagram , s w itch 2 is be stcandidate for be com ing ofte n called rapid s panning tre e , fasts panning tre e or
th e roots w itch . You can s e e h ow conve rge nce plays fastconve rge nce . 802.1w be com e s im portantin
outin th ats ituation in th e s e cond diagram stp.2. large r m ore com plex s w itch e d e nvironm e nts w h e re
Spanning tre e doe s noth ave any auth e ntication, and traditionals panning tre e conve rge nce can tak e a
a de gre e of trustm ustbe as s um e d for e ach longe r pe riod of tim e due to th e com plexity of th e
bridge /s w itch participating in th e s panning tre e . ne tw ork . 802.1w s upportis planne d for th e Linux
W h ile th is is typicall y a non-is s ue for s w itch e d bridging s uite , and an R STP library and s im ul ator
e nvironm e nts , w h e n cons ide ring th e us e of STP existove r ath ttp://rstplib.s ource forge .ne t.
s upporton a Linux s yste m th rough th e bridging
s uite , you ne e d to m ak e s ure th atyou don'tcre ate th e LAYER 2 FILTER ING, EBTABLES, VLANS AND VM PS
capability of a re m ote attack e r inje cting STP BPD Us An im portantpartof th e bridge s uite is e btables ,
into your ne tw ork e ith e r by com prom is ing th e bridge e btables is e s s e ntially th e iptables for th e l aye r 2
or th e bridge s im pl y forw arding pack e ts re ce ive d, w orld. e btables can filte r e th e rne tprotocols, m ac
th is is e s pe cially im portantw h e n bridging be tw e e n a addre s s e s , s im ple IP h e ade rs , arp h e ade rs , 802.1q ,
private ne tw ork and th e Inte rne tor public W iFi inte rface s . Itcan also pe rform M AC addre s s
ne tw ork . STP filte ring is pos s ible w ith e btables trans lation, logging, fram e counte rs , m ark and m atch
(h ttp://e btables .s ource forge .ne t) as partof th e fram e s .
bridging s uite . Anoth e r im portantpartto Eth e rne ts w itch ing is
Th e re are tw o “exte ns ions ” to Spanning Tre e th at VLAN s upport. Linux h as de ce nt802.1Q s upport.
are typical ly of inte re stth e s e are 802.1w and 802.1s . VLAN (VirtualLAN) cre ate s a logicalEth e rne t
802.1s is m ultiple s panning tre e s and im pl e m e nts broadcastdom ain, th is e nables a s w itch for exam ple
s panning tre e groups . A num be r of com panie s offe r to h ave m ultiple device s in diffe re ntne tw ork s
Laye r 2 /Laye r 3 s w itch ing s olutions as proprie tary plugge d into th e s am e s w itch , and be h ave as if you
s olutions th atw ork unde r Linux, one s uch com pany h ad a s e parate s w itch for e ach ne tw ork .VLANs in
is ipinfus ion (w w w .ipinfus ion.com ). Atth e tim e of Linux are re lative l y e as y to s e tup, you justm ark th e
th is article, no ope n s ource 802.1s proje ctw as found. inte rface (e g. e th 0) as up, th e n us e th e vconfig utility
802.1w is th e rapid re configuration of s panning tre e , to add th e inte rface to a particular vlan. Linux s e e s

O 3 M agaz ine /Nove m be r 2005

Page 29
NETW O RK ING
th e vlan as a typicalne tw ork inte rface , you can
as s ign an IP to itand s o forth . Som e ne tw ork drive rs
in Linux ne e d s pe cific patch e s to m ak e th e m w ork
w ith 802.1Q.
VLAN M anage m e ntPolicy Se rve r (VM PS) us e s a
s pe cialprotocolcalled VQP (VLAN Que ry Protocol ) LAYER
to autom aticall y de te rm ine VLAN m e m be rs h ip bas e d
on th e M AC addre s s of th e device conne cting to th e
ne tw ork . VM PS is s upporte d on Cis co Catal yst
s w itch e s , and th e O pe nVM PS proje ct
(h ttp://vm ps .s ource forge .ne t) provide s an ope n s ource
im plem e ntation.
M ULTIPR O TO CO L LABEL SW ITCH ING (M PLS)
Anoth e r type of s w itch ing is M PLS, M ultiprotocol
Labe lSw itch ing. M PLS w ork s by h aving a “l abe l
e dge route r” as s ign a labe lto incom ing pack e ts .
Pack e ts are forw arde d along a “labe ls w itch path
(LSP)” w h e re e ach labe ls w itch route r (LSR ) m ak e s
forw arding de cis ions bas e d s olely on th e conte nts of
th e labe l.Ate ach h op, th e LSR re m ove s th e existing
labe land applie s a new labe lw h ich te l ls th e nexth op
h ow to forw ard th e pack e t. LSPs provide a varie ty of
s olutions s uch as pe rform ance guarante e s , routing
around ne tw ork conge stion or to cre ate IP tunne ls for
ne tw ork bas e d VPNs .
Linux h as exce llentM PLS s upport, th e re is an
M PLS forw arding plane for th e 2.6.x k e rne l,and an
im plem e ntion of LD P (R FC3036). Th e M PLS
proje ctcan be found ath ttp://m pls-
linux.s ource forge .ne tand h ttp://w w w .m plsrc.com is
an exce llents ource of inform ation on M PLS if you
are inte re ste d in learning m ore aboutM PLS.
TESTING LAYER 2 NETW O R K SECUR ITY
Ye rs inia is a ne tw ork s e curity toolde s igne d to tak e
advantage of w e ak ne s s e s in s eve ralprotocols
including Spanning Tre e Protocol , Cis co D is cove ry
Protocol , D ynam ic Trunk ing Protocol,D H CP, H SR P,
802.1q , Inte r-Sw itch Link Protocol(ISL) and VLAN
Trunk ing Protocol . Ye rs inia is an ope n s ource proje ct
and can be found ath ttp://ye rs inia.s ource forge .ne t.
Nextis s ue , w e w il ltak e an in-de pth look atYe rs inia,
and th e attack s us e d againstne tw ork protocols m ost
e nte rpris e s h ave de ploye d in th e ir production
ne tw ork s .
Ye rs inia provide s an im portanttool,e s pe ciall y for
large r com panie s th atm aintain l ab dupl icate
e nvironm e nts of th e ir production ne tw ork . for
O 3 M agaz ine /Nove m be r 2005
Page 30
te sting and unde rstanding h ow your ne tw ork w ill
re s pond to a particular attack , as w e llas to te stnew
fe ature s provide d by ve ndors de s igne d to preve ntor
re duce th e im pactof s pe cific attack s .
4 SW ITCH ING W ITH LINUX VIR TUAL SER VER
Laye r 4 s w itch ing, m ore com m onl y re fe rre d to as IP
load balancing, is th e proce s s of inte ll ige ntl y
s w itch ing pack e ts de stine d for a s pe cific IP and port
(TCP/UD P) to a diffe re ntIP and/or ports . Es s e ntiall y
itis a fancy form of NAT and addre s s trans lation
w h e re th e de stination is s e lecte d dynam icall y bas e d
on s pe cific crite ria, s uch as load balancing m e trics ,
QoS or th e h e alth of th e propos e d de stination. Th e
device be tw e e n th e s ource and th e targe tm aintains
state . Th e Linux VirtualSe rve r proje ct
(h ttp://w w w .linuxvirtualse rve r.org) provide s an O pe n
Source s olution for Laye r 4 s w itch ing.
For h igh capacity, portde ns ity or m is s ion critical
applications w h e re h igh e r s e s s ion capability,
advance d fe ature s and pe rform ance are a k ey factor,
th e n proprie tary s olutions s uch as Norte lAppl ication
Sw itch e s (form e rl y Alte on), Cis co, F5, Foundry
Ne tw ork s and R adw are alloffe r Laye r 4 - Laye r 7
s olutions .
FUR TH ER R EADING
Linux h as a good s e lection of proje cts for
im plem e nting m ultilaye r s w itch ing. Be low are a
couple of us e fullink s th atw e re valid atth e tim e th is
article w as w ritte n, if you are inte re ste d in learning
m ore abouts om e of th e conce pts dis cus s e d in th is
article.
DYNAM IC VLANS
h ttp://w w w .ne tcrafts m e n.ne t/w e lch e r/pape rs /s w itch vm
ps .h tm l
UNDER STANDING SPANNING TR EE PR O TO CO L
h ttp://w w w .cis co.com /unive rcd/cc/td/doc/product/rtrm
gm t/s w _ ntm an/cw s im ain/cw s i2/cw s iug2/vlan2/stpapp.
h tm
LAYER 4-7 SW ITCH ING PR IM ER
h ttp://w w w .norte l.com /s olutions /e nte rpris e /e nabling_ t
e ch /laye r4-7/
VO IP
O pe n Source Te l
e ph ony
O PEN SO URCE TELEPH O NY IS RELATIVELY EASY TO SETUP AND CAN SAVE YO UR BUSINESS TH O USANDS
SM ALL BUSINESSES CAN NO W DEPLO Y ADVANCED VO ICE SO LUTIO NS W H EN TH EY W ERE PREVIO USLY CO ST PRO H IBITIVE
BY JO H N BUSW ELL
h e Private Branch Exch ange (PBX) is a
criticalcom pone ntfor any bus ine s s re gardles s
of s ize . Th e PBX provide s a private , com pany
ow ne d te leph one exch ange w h ich can
drastical ly re duce th e costof s e rvice s re q uire d from
th e te le ph one com pany. Traditionall y, PBX s yste m s
h ave be e n expe ns ive and re q uire d s pe cial ize d
te ch nicians to de ploy. H ow eve r, th ath as ch ange d
w ith th e daw n of O pe n Source Te leph ony and th e
digitalPBX. Th e PBX tak e s a lim ite d num be r of
trunk l ine s from th e bus ine s s to th e ph one com pany's
ce ntraloffice (localexch ange ), and e nables th e m to
be s h are d am ong th e ph one e q uipm e ntw ith in th e
com pany. Th rough th e us e of IP te leph ony and
VirtualPrivate Ne tw ork s (VPN) itis pos s ible to
conne ctand s h are PBX s olutions atdiffe re nt
com pany office s . Th is article w illintroduce you
brie fl y to s om e of th e te rm s , dis cus s a s olution, th e
costs aving be ne fits and various ope n s ource proje cts .
T1, E 1, J1, FXO AND FXS
Conne cting your PBX to th e public ph one s yste m
w ille ith e r involve a re gular R J11/PSTN (ph one jack )
conne cte d to an FXO port, or s om e form of
ch anne lize d trunk from th e ph one com pany. In North
Am e rica th e s e trunk s are called T1, th e e q uival e ntof
24 ph one line s (ch anne ls). In Europe th ey are called
E1 (32 ch anne ls) and in Japan J1 (24 ch anne ls). An
FXS portis a porton your PBX th atyou w ould
conne cta re gular analog ph one to. Th e FXS port
ge ne rate s th e voltage on th e w ire to ope rate th e
analog ph one .
VO IP
Voice ove r IP is anal og audio (ph one ) conve rte d to a
digitalform atand distribute d ove r an IP ne tw ork to a
de stination. Th e re are a num be r of diffe re ntprotocols
th atcan be us e d to ach ieve VoIP;for th e m ostpart
w e w illfocus on SIP (Se s s ion Initiation Protocol ) and
IAX (Inte r Aste ris k Exch ange ) in our VoIP s e rie s .
Cis co h as a proprie tary protocolcalled SCCP
O 3 M agaz ine /Nove m be r 2005
Page 32
(Sk inny) and th e re is also H .323. M ostCis co IP
ph one s s upportSIP, h ow eve r th ey are typicall
y
s h ippe d w ith SCCP s oftw are loade d.
H AR DW AR E
D igium (h ttp://w w w .digium .com ), th e com pany
be h ind th e m ostpopular ope n s ource PBX s oftw are ,
Aste ris k (h ttp://w w w .aste ris k .org), provide s a
num be r of h ardw are options for conne cting your
ope n s ource PBX to th e ph one com pany. If you are a
s m allbus ine s s w ith outth e ne e d for too m any line s ,
th e n th e TD M 400 is a nice m odular card th atallow s
you to m ix and m atch up to four m odules (FXS or
FXO ) pe r card to m e e tyour ne e ds . Th ey al s o s upply
T1/E1/J1 cards , s ingle, dualand q uad portcards . In
addition to D igium , Sangom a Te ch nologie s
(h ttp://w w w .s angom a.com ) also s e l ls s eve ralAste ris k
com patible ch anne lize d cards . Us ing th e TD M 400
cards you can also conne ctre gular anal og te le ph one s
to your PBX. Alte rnative l y, you can us e m any of th e
available VoIP ph one s or ATA units on th e m ark e t
today. ATA (Analog Te leph one Adapte r) is
e s s e ntiall
y a s m alle m be dde d device th atconve rts
VoIP to analog, s im ilar to h aving a s m alls yste m
running aste ris k and a TD M 400 w ith FXS ports to
drive your analog ph one s from a VoIP ne tw ork . You
w illalso ne e d a s e rve r to actas your PBX w ith th e
appropriate h ardw are (dis cus s e d above ) to conne ctto
th e ph one com pany, as w e llas th e appropriate
h ardw are to conne cte ith e r to your VoIP ne tw ork or
your analog ph one s .
ASTER ISK
Atth e h e artof th e O pe n Source PBX, w e h ave
Aste ris k . Aste ris k is a full y fe ature d PBX, providing
allth e fe ature s of traditionalPBX s yste m s , s uch as
callq ue uing, confe re nce bridging, voice m ailand
m uch m ore . Th e re is a fulllistof fe ature s available
on th e Aste ris k s ite
(h ttp://w w w .aste ris k .org/fe ature s /). If you are us ing
th e D igium h ardw are you ne e d to dow nload th e
VO IP

zapte ls uite as w e llas aste ris k . Th e zapte ls uite office in D ublin (localcall), now h as th e ir callroute d
provide s k e rne ldrive rs for th e D igium h ardw are . upon s e lecting th e s upportoption ove r th e Inte rne tto
Com piling aste ris k is re lative e as y. O nce th e Cincinnati s upportq ue ue . Now th e com pany can
uncom pre s s e d, itonl y re q uire s a s im ple m ak e ;m ak e be ne fitfrom th e expe rtis e ith as e stablis h e d locall
y in
install.Itis im portantto re ad th rough th e s e curity Cincinnati are a to its D ublin custom e rs , w ith out
m ate rialon Aste ris k . Notonl y do you h ave to focus re q uiring th e custom e rs to calllong distance .
on th e s e curity of th e s e rve r on w h ich Aste ris k In addition, staff atth e D ublin office can call,
re s ide s , butyou m ustal s o cons ide r th e s e curity of confe re nce and pe rform a w ide range of oth e r tas k s
Aste ris k its e lf, and to m ak e s ure th atinbound dialers as if th e Cincinnati location w as local,and vice
(or re stricte d outbound dialers ) don'th ave th e ve rs a.
capability to m ak e tollcalls or oth e rw is e acce s s parts Th e exam ple s h ow s a re m ote w ork e r. Th is m igh tbe
of Aste ris k via th e ph one s yste m th atw ould be an on callte ch nicals upporte ngine e r to cove r th e
unde s irable. Configuring Aste ris k is an invol ve d e arl y m orning bus ine s s h ours in Europe from th e ir
proce s s , w e llbeyond th e s cope of th is article. O 3 w ill h om e . H e re th e e ngine e r conne cts to th e Cincinnati
look atconfiguring Aste ris k in de pth in few is s ue s . office via VPN, and h as a firew allin place to prote ct
th e ir localne tw ork . Th e firew al lis also running a SIP
EXAM PLE DEPLO YM ENT Proxy, w h ich allow s th e SIP /s oftph one to re giste r
In th e figure oppos ite , w e h ave a s am ple w ith th e Aste ris k PBX w h ile re m aining be h ind its
de pl oym e ntcons isting of tw o office locations and a firew all.
re m ote te lecom m ute r. Th e firsts ite is bas e d in
Cincinnati, O h io in th e Unite d State s , w h il e th e SIP PR O XY
s e cond s ite is locate d in D ublin, Ire land. Th e firsts ite Siproxd (h ttp://s iproxd.s ource forge .ne t) and
is conne cte d via a T1 trunk (24 ch anne ls) to th e local PartySIP (h ttp://w w w .nongnu.org/partys ip/) are tw o
513 are a code , w h il e th e s e cond s ite is conne cte d via ope n s ource SIP proxie s . A SIP proxy h andles
four standard PSTN line s to th e localexch ange in re gistration of SIP clie nts on a private ne tw ork and
D ublin. Both s ite s are us ing Linux s e rve rs running pe rform s rew rite s on th e SIP m e s s age s to m ak e
Aste ris k and are conne cte d to th e Inte rne tvia a h igh
s pe e d broadband conne ction.
For th e s ak e of th is exam ple, lets s ay th atth e D ublin
office is a s ales office , w h ile th e Cincinnati office
contains te ch nicals upportstaff. Th e com pany w is h e s
to provide te ch nicals upportfrom th e Cincinnati
office to custom e rs in th e D ublin are a. Th is w oul d be
an expe ns ive proje ctto com pl e te us ing traditional
te ch nol ogy, h ow eve r w ith Aste ris k and O pe n Source
te ch nol ogie s itis pos s ible to im pl e m e ntth is w ith
re lative ly low costs to th e com pany.
Th e tw o office s can be conne cte d toge th e r us ing
O pe nVPN (h ttp://w w w .ope nvpn.ne t), providing a
s e cure trans portfor th e com m unication be tw e e n th e
tw o PBX s yste m s . Aste ris k com e s w ith its ow n
exch ange protocolcal led IAX;al te rnative ly you can
run SIP as w e l l.W h ile IAX2 doe s h ave PKI style
auth e ntication and trunk ing, itw on'tprote ctth e
conte nts of your call s from be ing s niffe d off th e w ire ,
s o utilizing a VPN te ch nology w h e n routing private
calls be tw e e n office s ove r th e Inte rne tis your be st
be t.
O nce configure d corre ctl y, a cl ie ntcalling th e l ocal

O 3 M agaz ine /Nove m be r 2005

Page 33
VO IP
SIP conne ctions pos s ible th rough a firew all
providing NAT (Ne tw ork Addre s s Trans lation). SIP
(Se s s ion Initiation Protocol) is de fine d by R FC 3261
and is one of th e protocols us e d by s oftw are and
VoIP ph one s . Th e alte rnative approach is a m e th od
called STUN w h ich e nabl e s a SIP clie ntto de te rm ine
th e public IP addre s s , butfor th is to w ork a w ide
range of ports m ustbe ope ne d on th e firew all.
Inste ad, proje cts s uch as s iproxd actuall y pe rform
laye r 7 pack e tins pe ction and rew rite on th e SIP
pack e ts s e ntth rough th e proxy.
ASTLINUX
AstLinux (h ttp://w w w .astlinux.org) is a custom
Linux distribution ce nte re d around aste ris k .
AstLinux provide s an outof th e box s olution w ith a
w ide range of fe ature s , m ak ing ita us e fuls olution for
a q uick e m be dde d or com m e rcialAste ris k
installation. W ith a little e ffort, itcan be e as il
y D UND i provide s a s olution th ate nables th e cre ation
m odifie d to fitalm ostany s ituation. Th e proje ct
provide s a num be r of us e fulim age s , incl uding a
bootable ISO im age . Th e proje ctis ge are d tow ards
us ing olde r Pe ntium -M M X, and e m be dde d s olutions
s uch as th e Soe k ris l
ine of e m be dde d device s . If
you're look ing to provide a large s ol ution w ith
m ultiple T1 line s , m ultiple IAX trunk s and l arge
am ounts of s pace for IVR /Voice m ails olutions ,
s e lecting your favorite e nte rpris e Linux distribution
and install ing Aste ris k from s ource m igh tbe a be tte r
approach .
ASTER ISK @ H O M E
Aste ris k @ H om e , w h ich can be found onl ine at
h ttp://aste ris k ath om e .s ource forge .ne tis a fastand
s im ple s olution for ge tting Aste ris k up and running
q uick ly. Aste ris k @ H om e is a Linux distribution th at
util ize s Ce ntO S (w w w .ce ntos .org) and provide s a
w e b bas e d inte rface for configuring and m anaging
Aste ris k . Th e s olution include s anoth e r proje ctAM P
(Aste ris k M anage m e ntPortal) w h ich can be found at
h ttp://coales ce nts yste m s .ca/inde x.ph p. AM P is w e b
bas e d w ith a flas h ope rator pane l.Itprovide s a w ide
range of m anage m e nttas k s . If you w antto ge t
Aste ris k running q uick l y w ith outgoing in-de pth ,
Aste ris k @ H om e is a gre ats olution.
ENUM , E .164 AND DUNDI
ENUM is e s s e ntially D NS for your te leph one
num be r. E.164 is an inte rnationalte leph one
O 3 M agaz ine /Nove m be r 2005
Page 34
num be ring plan adm iniste re d by th e ITU, w h ich
provide s th e form at, structure and adm inistrative
h ie rarch y of te leph one num be rs . A ful ly q ualifie d
E.164 num be r contains th e country code (e g. + 353
for Ire land), are a code and ph one num be r for th e
de stination. ENUM provide s e s s e ntiall y reve rs e D NS
m apping on th e ph one num be r, to conve rtth at
num be r to an IP addre s s th atw ould typical l
y be able
to h andle callrouting to th atnum be r (e g. a SIP proxy
run by th e ph one com pany th atprovide s PSTN
s e rvice to th e particular are a code in th atcountry).
D UND i is a distribute d pe e r to pe e r s yste m for
locating Inte rne tgatew ays to ph one s e rvice s . D UND i
is a distribute d s olution w ith no ce ntral ize d auth ority
as w ith ENUM . D UND i is a routing protocols o th at
s e rvice s m aybe route d and acce s s e d us ing industry
standard VoIP te ch nologie s s uch as IAX, SIP or
H .323.
of h igh l y available e nte rpris e PBX s olutions , w h e re
no one PBX cre ate s a ce ntralpointof failure . D UND i
also provide s an Inte rne tbas e d E.164 pe e ring s yste m ,
for m ore de tails review th e docum e ntation and
m e m be rs ath ttp://w w w .dundi.com .
SIPX
s ipX (h ttp://w w w .s ipfoundry.org/s ipX/s ipXus e r/) is
an O pe n Source PBX s olution bas e d on SIP. s ipX
provide s m any of th e PBX capabilitie s of aste ris k
s uch as D ID , H untgroups , Callforw arding, voice
m ailand s o on. s ipX doe s n'tprovide any gatew ay
capabilitie s w ith th e PSTN, itis a pure SIP IP PBX
s olution. Ith as s om e inte re sting fe ature s s uch as
XM Lbas e d callrouting and th e ability to configure
attach e d ph one s and gatew ays .
SIP EXPR ESS R O UTER
Th e SIP Expre s s Route r, is a h igh pe rform ance
configurable fre e SIP s e rve r w h ich can actas a
proxy, re dire ctor re gistrar s e rve r ch e ck itoutat
h ttp://w w w .ipte l.org/s e r/. Th e re is also th e O pe nSER
proje ctath ttp://w w w .ope ns e r.org/.
R UBY O N R AILS INTEGR ATIO N
Nextis s ue a look atw e b inte gration w ith Aste ris k
us ing ragi (h ttp://ragi.s ource forge .ne t).
D UND i, IAX and Aste ris k are trade m ark s of D igium
Inc. (h ttp://w w w .digium .com ).
NETW O RK APPLICATIO NS

De pl
oying W ifidog -- Th e e m be dde d Captive Portal

W IFIDO G IS A C BASED CAPTIVE PO RTAL DESIGN FO R TH E LINK SYS W RT54G BUT RUNS

O N ANY LINUX PLATFO RM . IT PRO VIDES ACCESS CO NTRO L, BANDW IDTH ACCO UNTING AND M UCH M O RE

BY JO H N BUSW ELL

ifidog is a ligh tw e igh tcaptive portals olution
de s igne d to run on e m be dde d device s s uch as
th e Link Sys W RT54G. Th e Link Sys W RT54G
and W RT54GS are low costw ire l e s s route rs
from Link Sys th atrun Linux. Th e s e device s can run
alte rnative firm w are , be care fulbe caus e running s uch
firm w are w il lVO ID YO UR W AR R ANTY. H ow eve r
m ostre tailoutl e ts h ave th e s e route rs for unde r $70,
s o itis nottoo m uch to ris k .
O pe nW RT is th e alte rnative firm w are ch oice for
running ope n s ource applications on th e W RT54G,
from th is pointon I'l lre fe r to th e W RT54G/GS as AP
(acce s s point). Building O pe nW RT is re lative l y e as y,
you s im pl y dow nload th e late stre leas e from
w w w .ope nw rt.org, uncom pre s s , run m ak e
m e nuconfig, run th rough th e m e nu options to s uit
your ne e ds , th e n run m ak e . From th atpointon its
pre tty m uch autom ate d, you w illne e d an Inte rne t
conne ction, broadband is re com m e nde d due to s om e
large r dow nl oads s uch as th e Linux k e rne l.
W h y w ould you w antto ris k your w arranty ove r
s om e fre e s oftw are , s ure l y Link s ys h as th e be st
firm w are ?W e llLink s ys h ave th e productde s igne d
for your ave rage us e r, w h ich w ork s gre at, butth e
h ardw are platform is extre m e l y flexible running
O pe nW RT. O nce you h ave O pe nW RT on th e re you
are fre e to upload al m ostany ope n s ource application
th atw illcom pile and fiton th e h ardw are . You m igh t
w antto run a SIP ph one be h ind th e w ire les s route r,
w el lw ith O pe nW RT you can l oad s iproxd onto th e
Link s ys along w ith iptables and th ats it. As you start
to us e O pe nW RT m ore , you'lls e e exactl y h ow
flexible and h ow gre atitis to be abl e to add new
capabilitie s to your ne tw ork .
ne tw ork as th e ir privilege s al low . Th e us e r doe s n't
h ave to k now a particular addre s s , w h e n th ey atte m pt
to us e th e ir brow s e r th ey are trans pare ntly re dire cte d
to th e auth e ntication page .
W ifidog is inte re sting in th atitis l igh tw e igh t
e nough to run dire ctl y on low costw ire les s h ardw are
s uch as th e AP, and ch e ck s ne tw ork activity rath e r
th an us ing a javas criptw indow . Th us allow ing PDA,
Ce llph one s and Sony PSPs to utilize th e re s ource s .
H O W DO ES W IFIDO G W O R K ?
Th e s olution w ork s by us ing firew allrul e s to
controltraffic th rough th e route r. W h e n a new us e r
atte m pts to acce s s a w e b s ite , th e w ifidog com pone nt
on th e AP w illtrans pare ntl y re dire ctth e us e r to th e
auth s e rve r w h e re th ey can e ith e r log in or s ign up.
Th e auth s e rve r and th e w ifidog com pone nton th e
AP w illne gotiate h ow to h andle th e clie nt, w h e th e r
to pe rm itor de ny ce rtain ne tw ork acce s s . Th e AP
talks to th e auth s e rve r pe riodicall y to update
statistics s uch as uptim e , load, traffic pe r cl ie ntand
to actas a h e artbe at.
Th e flow diagram be low illustrate s th e proce s s th at
W ifidog utilize s (courte s y of il e s ans fil
(w w w .w ifidog.org)).

W H AT IS A CAPTIVE PO R TAL
A captive portalis e s s e ntiall y a m e ans to preve nta
us e r from acce s s ing ne tw ork re s ource s (m ainly th e
Inte rne t) untilth ey h ave auth e nticate d w ith a s e rve r.
Typicall y a captive portalis us e d atw ire les s h ots pots ,
allow ing th e us e r to log in, auth e nticate and us e th e

O 3 M agaz ine /Nove m be r 2005

Page 36
NETW O RK APPLICATIO NS
Th e clie ntdoe s h is initialre q ue st, as if h e w as
alre ady conne cte d, (e .g.: h ttp://w w w .google.ca)
• Th e Gatew ay's firew allrules m angle th e re q ue stto
re dire ctitto a localporton th e Gatew ay. W h e n
th at's th e done , th e Gatew ay provide s an H TTP
Re dire ctre pl y th atcontains th e Gatew ay ID ,
Gatew ay FQD N and oth e r inform ations
• Th e Cl ie ntdoe s h is re q ue stto th e Auth Se rve r as
s pe cifie d by th e Gatew ay
• Th e Gatew ay re plie s w ith a (pote ntial
ly custom )
s plas h (login) page
• Th e Cl ie ntprovide s h is ide ntification inform ations
(us e rnam e and pas s w ord)
• Upon s ucce s fulauth e ntication, th e clie ntge ts an
H TTP Re dire ctto th e Gatew ay's ow n w e b s e rve r
w ith h is auth e ntication proof (a one -tim e tok e n)
• Th e Cl ie ntth e n conne cts to th e Gatew ay and th us
give s ith is tok e n
• Th e Gatew ay re q ue sts val
idation of th e tok e n from
th e Auth Se rve r
• Th e Auth Se rve r confirm s th e tok e n
• Th e Gatew ay th e n s e nds a re dire ctto th e Clie ntto
obtain th e Succe s s Page from th e Auth Se rve r
• Th e Auth Se rve r notifie s th e Clie ntth ath is re q ue st
w as s ucce s s ful
GETTING O PENW R T O N TH E W R T54G/GS
O pe nW RT tak e s s om e tim e to com pil e , once itis
done , if you h ave n'trun O pe nW RT previous l y you
ne e d to do s om e w ork on your route r first. Th e AP by
de faultstarts outon 19 2.168.1.1/24. Th e e as ie stw ay
to configure th e route r is if you h ave a s e cond
e th e rne tinte rface in your Linux w ork station, conne ct
th e AP on port1 to th e s e cond e th e rne tinte rface , and
us e ip l ink se te th 1 up ;ip ad d r ad d
19 2.168.1.10/24 d eve th 1 to configure it. Nextdo a
q uick ping 19 2.168.1.1 to m ak e s ure th atyou can s e e
th e AP. Now s im pl y pointa brow s e r at
h ttp://19 2.168.1.1 and us e adm in/adm in as th e
O 3 M agaz ine /Nove m be r 2005
Page 37
us e rnam e /pas s w ord. Th is is th e de faultfor th e AP.
Th e firstth ing you ne e d to do is ch e ck th e firm w are
ve rs ion, th is is dis playe d in th e uppe r righ th and
corne r. For th e AP w e us e d th e ve rs ion w as 3.37.7
butw e ne e de d 3.37.2 to e nable th e boot_ w aitoption
on th e AP to installO pe nW RT. A q uick dow nload
from Link Sys , th e n follow th e Adm inistration ->
Firm w are upgrade option. Unzip th e file from
Link Sys , and in th is cas e w e us e d
W RT54GS_ 3.37.2_ US_ code .bin to dow ngrade th e
route r. Sim pl y s e lectbrow s e , s e lectth e file and s e lect
upgrade .
Click continue once itcom plete s , now you s h oul d
s e e 3.37.2 (or 3.01.3 if you are us ing a W RT54G
v3.0). Re fe r to th e O pe nW RT docum e ntation for
de tails and s pe cific ve rs ion num be rs as th ey te nd to
ch ange pe riodicall y.
In orde r for th e O pe nW RT instal lation to proce e d
w e h ave to e nable th e boot_ w aitoption in th e
firm w are , th is te lls th e AP to ch e ck for TFTP prior to
loading th e actualfirm w are , w h ich give s us th e
opportunity to fe e d th e AP, a O pe nW RT im age . Th e
h ack is re lative ly s im ple, justpaste e ach line in turn
be low and s e lectth e ping button afte r e ach paste in
th e addre s s partof th e ping w e b toolin th e Link Sys
firm w are . If you did itcorre ctl y, you'lls e e an output
of NVR AM atth e e nd of th e l astping. You m ust
configure a static IP addre s s on th e Inte rne tinte rface
be fore trying th is , oth e rw is e itw on'tw ork . You don't
ne e d link up, justa configure d IP on th e Inte rne t
(W AN) inte rface .
;cp${IFS}*/*/nvram ${IFS}/tm p/n
;*/n${IFS}se t${IFS}b oot_ w ait=on
;*/n${IFS}com m it
;*/n${IFS}sh ow >tm p/ping.l
og
W h e n O pe nW RT com plete s its build, th e im age s are
store d in bin/. Sim pl y figure outth e corre ctone for
your h ardw are , th e n us e tftp to trans fe r it. Re m ove
th e pow e r from th e AP, th e n is s ue :
tftp 19 2.168.1.1
tftp> binary
tftp> re xm t1
tftp> tim e out60
NETW O RK APPLICATIO NS

tftp> trace on Auth Se rve r {

tftp> putope nw rt-ve rs ion.bin H ostnam e auth .m ydom ain.com
SSLAvailable ye s
[ Now Pow e r Up th e Link Sys W R T54GS ] Path /
}

Give ita few m inute s , as O pe nW RT h as to go Ch e ck Inte rval60

th rough a few h oops be fore th e AP w il lre s pond to Clie ntTim e out5
pings . Now te lne tto 19 2.168.1.1 once itre s ponds to
pings and you s h oul d s e e th e O pe nW RT banne r. If ...
you us e th e s q uas h fs im age , you ne e d to follow th e
com m ands in th e O pe nW RT docs to re m ove th e Le ave th e firew allrules to th e de fault. Nextconfigure
/e tc/ipk g.conf s ym link and copy th e actualfil e from th e Auth Se rve r, and th e n startw ifidog on th e AP.
rom . You m ay also ne e d to us e th e nvram com m and
to s e tth e w an_ ipaddr and w an_ gatew ay options in AUTH SER VER
th e firm w are . Re m oving /e tc/re s ol v.conf and cre ating Postgre SQL, Apach e and PH P 5 are re q uire d to ge t
th e file m anuall y w il lal s o be re q uire d. th e Auth Se rve r running. You installth is on a local
Linux box (notth e AP). Sim pl y dow nload th e auth
GETTING W IFIDO G O N TH E W R T54G/GS s e rve r, m ak e s ure you h ave allth e pre re q uis ite s liste d
Nextto dow nload and installw ifidog s im pl
y: in th e INSTALLfile available, copy th e w ifidog
dire ctory to your w e b s e rve r, plug th e urlinto your
cd /tm p brow s e r (e .g.
w ge t h ttp://w ifidog.m ycom pany.com /w ifidog/install.ph p)
h ttp://old .il
e sansfil
.org/d ist/w ifid og/w ifid og_ 1.1.1_ and go th rough th e ste ps .
m ipse l.ipk
TESTING
ipk g installw ifid og_ 1.1.1_ m ipse l
.ipk -force - Now s im pl y conne cta W iFi device to th e AP, try to
ove rw rite brow s e s om ew h e re and if you corre ctly configure d
w ifidog you'llbe pre s e nte d w ith th e captive portal
Th e -force -ove rw rite is re q uire d if you are running a s ign-up /login page .
late r ve rs ion of O pe nW RT w ith iptables as w ifidog
trie s to installtw o iptexte ns ions th atiptables h as FUR TH ER R EADING
alre ady installed.
Now th e w ifidog clie ntis installed on th e AP. Edit O pe nW R T
/e tc/w ifidog.conf, and run w ifidog -f -d 7 (de bug h ttp://w w w .ope nw rt.org
m ode ). Th e configuration file is w e lldocum e nte d
and s e lf explanatory. W ifid og
h ttp://w w w .w ifidog.org
W IFIDO G QUICKSTAR T CO NFIG
Th is is notinte nde d to provide a production NoCat
configuration, buta q uick startguide on w h atto h ttp://w w w .nocat.ne t
s e tup in th e config, bare m inim um to ge tw ifidog
running. Editth e Gatew ayID to m atch your Auth Link Sys
Se rve r configuration h ttp://w w w .link s ys .com

Exte rnalInte rface vlan 1

Gatew ayInte rface br0

O 3 M agaz ine /Nove m be r 2005

Page 38
NETW O RK SECURITY
Intrus ion De te ction
INTRUSIO N DETECTIO N SYSTEM S (IDS ) M AKE UP AN IM PO RTANT PART O F ANY NETW O RK SECURITY PO LICY
W H Y DO YO U NEED IDS , W H ERE DO YO U PUT IDS AND H O W DO YO U DEPLO Y IT?
BY JO H N BUSW ELL
n Intrus ion is unauth orize d ne tw ork or s yste m
activity on your s e rve rs or ne tw ork s . Intrus ion
D e te ction is th e artof de te cting th is
unauth orize d activity am ongstlegitim ate
ne tw ork traffic by s ifting th rough th e data flow ing
acros s your ne tw ork . Th is article focus e s on Ne tw ork
Intrus ion D e te ction Syste m s (NID S), anoth e r form of
ID S is H ostIntrus ion D e te ction Syste m s (H ID S).
Th e diffe re nce is prim aril y th atth e latte r focus e s on
th e prote ction of justone s yste m . Th e re are advance d
s olutions s uch as distribute d ID S and ID S load
bal ancing, th e s e w illbe dis cus s e d in de dicate d
articles l ate r in th is s e rie s on ID S.
Som e bus ine s s e s fe e lth atcom plex ID S s olutions
are ove rk il lbe caus e th ey ope rate a s m allbus ine s s
th atnobody is going to be conce rne d w ith . H ow eve r,
th e s e days , itis th e com puting re s ource s and your
bandw idth to th e Inte rne tth atattack e rs w ant, not
ne ce s s arily your inte l lectualprope rty or to dis rupt
your bus ine s s . Th ink of attack e rs as ne tw ork “car-
jack e rs ”, th ey don'tcare w h o you are , th ey justw ant
your “car”. An ID S s olution w illh e lp de te cts igns
th ats om e one is look ing or trying s pe cific exploits
againstyour infrastructure in an atte m ptto gain
furth e r inform ation or acce s s .
Th e re is one as pe ctof ID S th atis ofte n ove rlook e d
by te ch nicalstaff and th atis th e legalitie s of
pe rform ing Ne tw ork ID S. In m any countrie s th e re
are strictw ire -tapping l aw s and re gul ations , if you do
notalre ady h ave an ID S in place , e s pe cial ly for s m all
and m e dium s ize d bus ine s s e s itis alw ays w orth
cons ulting w ith a legalexpe rtto de te rm ine w h atlaw s
and re gulations you m ustabide by, as th is m ay
de te rm ine w h atyou m ustdis clos e to e m ploye e s ,
custom e rs and h ow ID S inform ation is re porte d.
Snortis th e de facto standard for intrus ion de te ction
/preve ntion s yste m s . Snortutilize s a rule-drive n
language , w h ich com bine s th e be ne fits of s ignature ,
protocoland anom al y bas e d ins pe ction m e th ods .
Snortis th e m ostw ide l y de ploye d ID S te ch nol ogy in
th e w orld. If you w antto do ne tw ork ID S, th e n Snort
O 3 M agaz ine /Nove m be r 2005
Page 40
is th e w ay to go. Snorts upports IP de fragm e ntation,
TCP stre am re as s e m bl y and state fulprotocol
anal ys is . Th is article is going to brie fl
y introduce
Snortto you, h ow to attach itto your ne tw ork and
w h e re to look next. As th e s e rie s progre s s e s , w e w il
l
look atadvance d te ch niq ue s s uch as de fragm e ntation,
custom rules and m uch m ore .
ATTACH ING SNO R T TO YO UR NETW O R K S
Be fore going into com piling and configuring s nort,
itis im portantto unde rstand th atSnort, lik e oth e r
Ne tw ork ID S s olutions m ustbe attach e d to your
ne tw ork atth e corre ctlocation, oth e rw is e th e
e ffe ctive ne s s of th e ID S s olution is re duce d.
Typicall y th e be stlocation for s m alland m e dium
s ize d bus ine s s e s is to m onitor link s to/from th e
Inte rne t. In a s w itch e d e nvironm e ntth e route r(s ) to
th e Inte rne tare conne cte d to a s w itch portor VLAN,
m oste nte rpris e grade s w itch e s s upportw h ats called
portm irroring, or for Cis co us e rs “SPAN”. Th is
allow s you to configure th e s w itch to tak e portor
vlan traffic and duplicate itouta m irroring port. Th e
dow ns ide to portm irroring is th aton s om e s w itch e s
unde r h e avy load you can s e rious l y im pactth e
pe rform ance of th e s w itch , also if th e traffic you are
trying to m onitor exce e ds th e capabilitie s of th e
m irroring port, you w illnotbe able to m irror all
pack e ts ath igh ne tw ork utilization.
Anoth e r option is to ins e rta h ub in-line , and attach
th e ID S to th e h ub, allow ing norm altraffic to fl ow
acros s th e h ub. Th e dow ns ide to th is m e th od is th at
data los s occurs due to collis ions ath igh bandw idth
utilization, itcre ate s an additionals ingl e pointof
failure and you w illlos e full-duplex capabilitie s . A
m ore expe ns ive option is to us e ne tw ork taps , taps
are dis cus s e d in length at
h ttp://w w w .s nort.org/docs /#de ploy. Cost, m ultipl e
NICs and s ligh tl y m ore com plex installation due to
th e addition of ch anne lbonding in orde r to do
state fulanal ys is are th e dow ns ide s to us ing ne tw ork
taps .
NETW O RK SECURITY
For a typicals m al lor m e dium bus ine s s ne tw ork ,
w h e re LAN bandw idth utilization is low , and th e ID S
is focus e d on low -bandw idth Inte rne tlink s , a s w itch
capabl e of portm irroring s h ould be s ufficie nt. W ith
large r ne tw ork s th e costof a tap is les s cost
proh ibitive .
GETTING SNO R T
Th e late stve rs ion of s nortatth e tim e th is article
w as w ritte n is 2.4.3. Be fore instal ling s nort, you m ay
h ave to installpcre (Pe rlCom patible Re gular
Expre s s ions ) re q uire d by s nort. Both pcre and s nort
s upportth e us ualPO SIX ./configure ;m ak e & &
m ak e install. If you're notbuilding from s ource ,
you'l lne e d to ch e ck if s nortis available for your
Linux distribution.
O nce buil tand installed, w e can do a couple of
ch e ck te sts of s nortin s niffe r m ode . Running ./s nort-
vde s h oul d dum p re altim e pack e tdate outto th e
localte rm inal,h itctrl+ c to stop it, and s crol lup to
m ak e s ure its w ork ing. Snortw il lal so log pack e tdata
for you, ./s nort-l/tm p/te stlog -b (as s um ing you h ave
cre ate d a /tm p/te stl og dire ctory) w illlog th e pack e ts ,
w h ich can th e n be re ad back via Eth e re alor s nort
its e lf us ing ./s nort-dv-r pack e t.log.
SNO R T IN- LINE
Snorts upports inte grate d intrus ion preve ntion
s yste m capabilitie s w ith th e s nort_ inline fe ature . Th is
fe ature re ce ive s pack e ts from iptables inste ad of
libpcap and th e n appl ie s rules to h e lp iptables acce pt
or drop pack e ts bas e d on Snortrules . W e w illlook at
Snort's IPS fe ature s in a future article.
CO NFIGUR ING SNO R T
Since th e purpos e of th is article is to introduce s nort.
Th e config fil e for s nortis locate d in /e tc/s nort.conf
if you installed from s ource , you'l lne e d to copy it
from ./e tc/s nort.conf in th e s ource tre e . Th e
configuration file is fairl y straigh tforw ard, to ge t
running s im pl y configure th e H O M E_ NET to m atch
your localne tw ork , you m ay al s o w antto tw e ak th e
rules e ts de pe nding on th e rules you are us ing.
M odify RULE_ PATH to /e tc/rules or your ow n
custom ize d path . In addition to s nort.conf, you w ill
ne e d to copy cl as s ification.conf, re fe re nce .conf and
unicode .m ap to /e tc. Th e s e are allin th e ./e tc
dire ctory in th e s ource tre e .
O 3 M agaz ine /Nove m be r 2005
Page 41
R ULES
Atth e h e artof s nortare th e rules . W ith outth e rules
Snortbe com e s q uick l y outdate d and is l e s s e ffe ctive .
Th e re are four diffe re nts e ts of rul e s distribute d for
Snort. Th e Com m unity Rules are avail able for fre e
and are distribute d unde r th e GPL. Th e oth e r th re e
s e ts are variations of th e Source fire VRT Ce rtifie d
Rules – unre giste re d, re giste re d and s ubs cription.
Th e unre giste re d rules are update d w ith e ach m ajor
re leas e of Snort, m aybe once a q uarte r. Th e
re giste re d rules re q uire agre e ing to a lice ns ing
agre e m e nt, and are re leas e d 5 days afte r th ey are
m ade available to s ubs cribe rs . Subs cribe rs pay a
m ode stfe e for re al-tim e acce s s to new rules . O nce
you h ave your rules , copy th e rul e s /conte nts ove r to
/e tc/rules unles s you ch ange d th e path in th e
s nort.conf.
R UNTIM E
Snortis now re ady to go, to startitup s im pl
y
exe cute :
m k dir -p /tm p/te stlog
./s nort-d -l/tm p/te stlog/-c /e tc/s nort.conf
Th e /tm p/te stlog dire ctory is w h e re s nortw illstore
its log files , you w illw antto m onitor th e alertlog.
Now th atyou are up and running, you w illne e d to go
back ove r th e configuration files in de tail,look atth e
Snortdocum e ntation on h ow to w rite your ow n rules ,
and tw e ak th e rules e ts to be sts uityour ne e ds .
FUR TH ER R EADING
Th e s nort.org w e bs ite h as a cons ide rabl
e am ountof
docum e ntation, pape rs and articles th atgo into m any
diffe re ntas pe cts of s nortand intrus ion de te ction. If
you are inte re ste d in a book , Snort2.1 Intrus ion
D e te ction by Syngre s s is a good w ay to ge tstarte d
q uick ly w ith s nort, butdoe s n'tcove r th e Intrus ion
Preve ntion fe ature s in 2.3.0 and late r.
Th e Pre lude ID S fram ew ork for inte grating diffe re nt
ID S s ource s is w orth a look , th e proje cts ite is
available ath ttp://w w w .pre lude -ids .org.
NEXT
Th e nextID S article w illlook atte sting th e Snort
installation, autom ate d rule update s , barnyard and
Snortfronte nds .