Friday, January 18, 2013

PSAD and signature updates

Is it true that the creators of PSAD haven't updated the PSAD signatures since 2007???

Line 29 of my /etc/psad/signatures file:

# $Id: signatures 2129 2007-12-12 04:56:10Z mbr $

As well, at http://www.cipherdyne.org/psad/signatures, it is on line 28.

Dead project?  Not sure, but the signatures are old as hell!  While I don't think it's a usage deal-breaker, I'm rather surprised.  Does it need updated signatures?  Probably not, but every little bit helps, especially nowadays.  I'd much rather a developer (and package maintainer) be up-front about such things.

Monday, January 14, 2013

PSAD - DoS'd my Linode and my G-mail account


Yes, I DoS'd myself.

How?

I was tuning my firewall so that PSAD wouldn't alert on traffic from my static IP.  This was caused by me using a half-baked firewall policy (i.e., the firewall was allowing too much and not blocking what it should've).  So, while making the policy more secure, I ended up blocking some DNS traffic, which the firewall blocked via the clean-up rule (deny by default policy on all chains).

I didn't double-check my work, and 24 hours later, I was checking the server via the admin console and saw that the disk I/O was extremely high when looking at the system graphs.  CPU utilization was also wayyy up.  

I initially couldn't figure out what was going on, until I used Webmin to access the server and found that it was taking forever for the server to resolve the domain address.  As well, there were like 30,000 e-mails in the Postfix e-mail queue.  I was basically spamming the hell out of Gmail and DShield.  I'd begun to wipe out all the Gmail notifications, but I soon realized that I wasn't making any headway, so I killed PSAD, cleared ALL the mail in the queue, then restarted PSAD.  It was still generating e-mails, though, so I turned off e-mail notifications, as well as syslog notifications.  I also killed my DShield log feed.  THEN I fixed DNS by just rolling back to a known good policy...then I told PSAD to not log on port 53/UDP (no real need to log that traffic anyways, unless it hits the catch-all rule, but that wouldn't happen now since I fixed DNS within the policy).

It took quite a while for Gmail to finish processing the e-mails (the ones that I couldn't kill via Postfix).

I just now re-enabled syslogging and the DShield log feed, but may have to reach out to the SANS team to see if they can remove all DNS traffic that was logged by my static IPs.

I think I've everything fixed now.
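The root cause in the story above is a default-deny policy that never permitted outbound DNS, so every lookup was logged and dropped, and PSAD turned each one into mail. As an added example that is not part of the post, here is a POSIX sh pre-flight check that inspects an iptables-save style policy file before it is loaded; the two sample rulesets are constructed to mirror the broken and fixed policies, and the function name dns_allowed is my own.

```shell
#!/bin/sh
# Added example, not from the post: pre-flight check for an iptables-save
# style policy file, before it is loaded.  Does OUTPUT accept outbound UDP/53
# ahead of the catch-all "clean-up" DROP/REJECT?  Forgetting that rule under a
# default-deny policy breaks resolution, and psad then logs every failed lookup.

# dns_allowed FILE -> exit status 0 if outbound UDP/53 is permitted, else 1
dns_allowed() {
    awk '
        /^:OUTPUT / { policy = $2 }   # chain policy line, e.g. ":OUTPUT DROP [0:0]"
        # an ACCEPT for UDP/53 only helps if it comes before the clean-up rule
        /^-A OUTPUT / && /-p udp/ && /--dport 53/ && /-j ACCEPT/ {
            if (!cleanup) allowed = 1
        }
        # catch-all rule: DROP or REJECT with no match criteria at all
        /^-A OUTPUT -j (DROP|REJECT)$/ { cleanup = 1 }
        END {
            if (allowed) exit 0
            if (!cleanup && policy == "ACCEPT") exit 0   # nothing blocks it
            exit 1
        }
    ' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: the tightened default-deny policy before the fix.  No DNS
# rule, so every lookup hits LOG and then the clean-up DROP.
cat > "$WORK/broken.rules" <<'EOF'
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "DROP "
-A OUTPUT -j DROP
COMMIT
EOF
# Constructed sample: same policy with outbound DNS permitted before the clean-up.
cat > "$WORK/fixed.rules" <<'EOF'
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "DROP "
-A OUTPUT -j DROP
COMMIT
EOF
for f in broken fixed; do dns_allowed "$WORK/$f.rules" && echo "$f: DNS ok" || echo "$f: DNS would be dropped"; done
```

Run it against the policy file before handing it to iptables-restore; the check only looks at the OUTPUT chain, so a DNS rule placed in a user-defined chain would need the awk patterns extended.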

Game Console Hard Drives

Back in 2005, I bought an Xbox 360 that had a 20GB hard disk.  A few years after purchase, I bought a refurbished 120GB drive from Microcenter.com for $90...it was a nice upgrade.  I swapped out the little drive for the bigger one and continued to play my games (putting the 20GB drive in my parts bin...I never throw anything away when it comes to computer parts).

Later, the Xbox 360 experienced the Red Ring of Death (RRD).  I took it apart with the idea that maybe the CPU needed new thermal paste.  It did, as the old paste was pretty much done.  I removed the old and put on some new paste, but this didn't solve the issue.  I think by the time it experienced the RRD, the CPU was cooked.  So I bought a new hard drive.

I transferred my data from the old drive to the new drive and put the 120GB into the parts bin.

Around the RRD issue, the PS3 also died.  It was an original PS3 (80GB drive version).  The Blu-Ray stopped reading, which meant that I couldn't play any games, since it couldn't read disks.  We put the system to the side and bought a new one.  Well, maybe 2 months ago, I decided to trash the system (removed the drive for privacy reasons).  I've decided to keep the drive.

So, I've three (3) hard drives from 3 different gaming systems.  The 20GB is probably next to useless, but I'll probably end up using it somewhere (somehow).  I might be able to use the 160GB drive (a WD unit) in my Macbook, since it only has an 80GB drive and I keep maxing it out.  Or, I can use it as a backup drive instead.  Same with the 80GB Seagate that was in the PS3.

Now, did you see what I just stated?  Did you notice that I stated in the first paragraph that the Xbox 360 had a 120GB drive and in the paragraph above, I stated that it was a 160GB drive?  Well, surprise.  I opened the HDD case, which was labeled "120GB HDD", and found that the drive is actually 160GB in size!  It has model WD16000BEVT on the label, and a big "160GB" in bold.

I just need to find out which cabling I need to turn these into external drives, which means I'll need some external HDD cases, as well.

I love my toys.  :)