Showing posts with label Slackware. Show all posts

Saturday, November 26, 2016

Slackware Box Stopped Working - Upgraded It and Now Slackware Won't Run

A few months ago, my Slackware box died.  It would no longer boot up (no error messages...no POST beeps, no BIOS bootup screen).  The system fans wouldn't even activate as they normally would.

I thought it was the power supply, so I replaced it.  Afterward, the system would begin the bootup process, I could hear the fans, but still couldn't see the BIOS bootup messages or access the setup screen.  I then replaced the motherboard.

It was previously running a Pentium D 820 and Intel-based motherboard.  I replaced it with a spare, an Asus M4N98TD EVO running an AMD Phenom II X6 X1100T.

After the motherboard swap, I was able to get to the BIOS but the system would no longer boot up its instance of Slackware (v14.1).  It would attempt to boot up Slackware but would run into a kernel panic condition:

slackware 14.1 kernel panic - not syncing: VFS: Unable to mount root fs on unknown block (8,3)

Instead of troubleshooting, I figured that I'd just do an install on that same system's spare hard drive.  I installed onto that drive and ran into the same message.

I then wiped both drives and focused on installing on just one drive.  I did this twice.  I ended up with the same error message both times.

I then decided to do some research, as this was something I have never experienced in the past.

This page describes what I'm experiencing.  I'll highlight the relevant details:


In case your kernel does not include the driver for your root filesystem, or a driver for your SATA bus, or other stuff that is only built as modules, your kernel will panic if it boots and can not access the necessary disks, partitions and/or files. Typically, this looks like
VFS: Cannot open root device "802" or unknown-block (8,2)
Please append a correct "root=" boot option
Kernel Panic-not syncing: VFS: unable to mount root fs on unknown block(8,2)
and this means you will have to build an initrd or “Initial Ram Disk” containing the required modules. The location of the initrd is then added in the appropriate section of /etc/lilo.conf so that the kernel can find it when it boots, and is able to load the drivers it needs to access your disks.

The problem is, I can't follow the described steps because the system can't mount the drive, so I can't use the necessary tools to build an initrd, and can't edit the /etc/lilo.conf file (it's on the partition that won't mount).  mkinitrd is not on the install/rescue disk (well, it's not accessible as a command).

I'm to the point that I'm about to ask for assistance at LQ.org, but will try to run Slackware 14.1 in VMware to see if I can build the files and put them on the partition I can access on the physical Slackware machine.  I'd still run into the problem of being able to edit /etc/lilo.conf, though (that file resides on the / partition, which can't be accessed until I'm able to fix the issue).  Or, I can find a Slackware-based live CD that'll have the proper files and drivers that will mount the partitions and allow me to make the needed fixes.
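The "(8,3)" in the panic above is a device major/minor pair, and decoding it tells you which partition the kernel was pointed at: major 8 is the SCSI/SATA disk driver and minor 3 is the third partition of the first disk, /dev/sda3, which matches a /boot, swap, / layout. The helper below is added here and is not part of the post; it decodes the common fixed majors and prints the mkinitrd and lilo.conf steps the quoted page describes, with the kernel version, module list and filesystem type left as placeholders you fill in.

```shell
#!/bin/sh
# Added example, not from the post: decode the "(major,minor)" pair in a
# "VFS: Unable to mount root fs on unknown-block (8,3)" panic into the device
# node the kernel was told to use as root.  Covers the classic fixed majors:
# SATA/SCSI disks (major 8 and 65-71, 16 minors per disk) and legacy IDE
# (3 = hda/hdb, 22 = hdc/hdd, 64 minors per disk).  Anything else returns 1.

LETTERS=abcdefghijklmnopqrstuvwxyz

# Print the 0-based n-th disk suffix: 0 -> a, 25 -> z, 26 -> aa, 27 -> ab ...
disk_suffix() {
    n=$1
    if [ "$n" -lt 26 ]; then
        printf '%s\n' "$LETTERS" | cut -c"$((n + 1))"
    else
        hi=$(printf '%s\n' "$LETTERS" | cut -c"$((n / 26))")
        lo=$(printf '%s\n' "$LETTERS" | cut -c"$((n % 26 + 1))")
        printf '%s%s\n' "$hi" "$lo"
    fi
}

# decode_unknown_block "8,3" | "(8,3)" | "unknown-block(8,3)"  ->  /dev/sda3
decode_unknown_block() {
    pair=$(printf '%s' "$1" | sed 's/.*(//; s/).*//; s/ //g')
    case $pair in *,*) ;; *) return 1 ;; esac
    major=${pair%%,*}
    minor=${pair##*,}
    case $major in
        3|22)
            # IDE: major 3 = hda/hdb, major 22 = hdc/hdd, 64 minors per disk
            if [ "$major" -eq 3 ]; then first=0; else first=2; fi
            disk=$((first + minor / 64))
            part=$((minor % 64))
            prefix=hd
            ;;
        8)
            disk=$((minor / 16)); part=$((minor % 16)); prefix=sd
            ;;
        65|66|67|68|69|70|71)
            # sd disks 17 onwards continue on majors 65-71
            disk=$((16 + (major - 65) * 16 + minor / 16))
            part=$((minor % 16))
            prefix=sd
            ;;
        *)
            return 1
            ;;
    esac
    name=/dev/$prefix$(disk_suffix "$disk")
    if [ "$part" -eq 0 ]; then
        printf '%s\n' "$name"              # minor 0 is the whole disk
    else
        printf '%s%s\n' "$name" "$part"
    fi
}

# initrd_hint ROOTDEV FSTYPE KVER MODULES : print the repair steps the quoted
# page describes, using Slackware's mkinitrd options (-c clear the tree,
# -k kernel version, -m colon-separated modules, -f root fs, -r root device).
# mkinitrd lives on the installed system, so the usual route is to boot the
# install media, mount the installed / and chroot into it before running this.
# KVER and MODULES are placeholders for the installed kernel and its disk/fs
# modules; nothing here is executed, only printed.
initrd_hint() {
    rootdev=$1; fstype=$2; kver=$3; modules=$4
    cat <<EOF
mkinitrd -c -k $kver -m $modules -f $fstype -r $rootdev
# then add, inside the Linux image stanza of /etc/lilo.conf:
#   initrd = /boot/initrd.gz
lilo
EOF
}

if [ -n "${1:-}" ]; then
    decode_unknown_block "$1"
fi
```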

Hopefully I'll be able to fix this issue without too much hoop-jumping.

UPDATE:  It is working now.  It's been up the last few days with no load.  I'm still trying to find out why it wasn't working, but it certainly has to do with the partition layout I opted to use, which is weird because I was using the same partition scheme I've been using for years (a /boot partition, a swap partition, and a / partition).  I ended up using a swap partition and / partition (no dedicated /boot since it appears that may've been the issue...I may be able to add it after the fact).

Saturday, May 09, 2015

Installing Slackware 14.1

Awhile back, I bought a bunch of 500GB SATA drives so that I could experiment with Linux and RAID.  The plan was to use the drives as one gigantic drive.  The setup was somewhat easy to do, but I could never finish the configuration because I kept getting errors when trying to use lilo and grub, so I stopped.

Today, I picked up again, giving up on RAID and just using a conventional setup.  I'm trying to install Slackware 14.1, but for some reason, the machine won't boot up after installation.  I created a USB boot drive and for some weird reason, it's not readable, although I didn't get any errors when creating it.  I also opted to boot from the MBR, and initially had issues getting the system booted up, until I looked in the BIOS settings and saw that the system was trying to boot from one of the other unused disks.  Once I fixed that, it booted up without issue.  I still may try to recreate the USB boot disk, but I'll do that later.

So far I've done the standard things:  created a regular user (immediately), added the regular user to the wheel group and edited the sudoers file to accept root commands from the wheel group.  The system also has two NICs and when installing Slackware, the install used the motherboard's NIC and not the extra NIC I installed (this wasn't a huge issue, but had me wondering why I couldn't get an internet connection).

I'm currently using XFCE as a desktop environment.  I wanted to use KDE but for some reason, it's not working.  It's something to look into later.

I've been without Slackware for quite awhile (the last 4-5 years).  I'm also not so Slackware-savvy, but I'm so familiar with installing Slack that I had no issues getting it up and running.  I know that Slack has many new and enhanced features.  The challenge is to get familiar again.  I'll do this without relying on IRC (the days of IRCing are over for me).

I did apply some of the tips listed here, though.

Sunday, October 19, 2014

Refreshing My Slackware Box

I have been trying to refresh my lab a bit.  My Slackware machine hasn't been used in a few years and has 4 older hard drives.  I decided to replace the older drives (4 drives - 60-, 80-, 160-, and 60-GB, 3 IDE drives and one SATA drive) and invest in 4 newer drives (4 x 500-GB SATA III).

I want to set up 2 x 500-GB in RAID 0, if possible (software RAID, if possible, hardware RAID if not).  I've never set up a RAID array before, and if I can set up 2 x 500-GB in RAID 0, I'll essentially have a 1-TB drive.

I ran into a problem, though.  My system seems to not want to always detect the CD drive anymore.  Initially, it did, but stopped when I tried to install Slackware 14.1 last night.  I got as far as selection of the source drive, even though it detected the CD drive when booting the install CD.  I changed the jumper on the back of the drive but it did nothing, and now it won't see the install CD at all.  So I decided to try using a USB flash drive as an install source.  I also just now noticed that the .iso I'm trying to use is 64-bit, which is the wrong arch.  :(  I'll download the proper image right now.

I tried using my Alienware system to set up a Slackware install USB flash drive...it was a mess!  I ended up just going to my Ubuntu machine and giving it a shot...it is far less confusing.  Part of the confusion is that I don't see fleshed-out documentation on how to do this in Windows.  Most people seem to be using Unetbootin, but the Windows version of that tool wasn't detecting the USB flash drive, for some reason.  Then, when I tried to use manual instructions, most of the HOWTOs I found weren't clear enough and were a bit vague (trust me...I know how to follow instructions and I've written HOWTOs before).

Hopefully, I can get this working so I can push myself into using Slackware again.

UPDATE --

Just as I finished this post, 'dd' finished.  Here's what I did:

ron@Ubuntu1:~$ isohybrid slackware64-14.1-install-dvd.iso
isohybrid: Warning: more than 1024 cylinders: 2326
isohybrid: Not all BIOSes will be able to boot this device
ron@Ubuntu1:~$

ron@Ubuntu1:~$
ron@Ubuntu1:~$ sudo dd if=slackware64-14.1-install-dvd.iso of=/dev/sdb
4763648+0 records in
4763648+0 records out
2438987776 bytes (2.4 GB) copied, 1150.13 s, 2.1 MB/s

This took maybe 10 minutes to do.  Again, I have the wrong image, so I'll have to do this all over again...shouldn't be an issue, though.
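The dd run above only reports how many bytes it wrote; it says nothing about whether the stick reads back correctly, which is the symptom from earlier in this post. The functions below are an added example, not from the post: they write the image and then compare a SHA-256 of the ISO against the same number of bytes read back from the target, and optionally check the ISO against an .md5 sidecar (the sidecar name is an assumption based on what Slackware mirrors ship next to each image).

```shell
#!/bin/sh
# Added example, not from the post: write an install ISO to a target and
# verify that what landed there is byte-for-byte the ISO.  The target path
# is whatever you pass in (the post used /dev/sdb); point it at the stick
# only, never at a disk holding data, because dd overwrites without asking.

# Copy the image to the target and flush it to the device.
write_image() {
    iso=$1; target=$2
    dd if="$iso" of="$target" bs=4M 2>/dev/null && sync
}

# Compare SHA-256 of the ISO with SHA-256 of the same number of bytes read
# back from the target.  Returns 0 on match, 1 on mismatch.  A USB stick is
# larger than the image, so only the first <size of ISO> bytes are compared.
verify_image() {
    iso=$1; target=$2
    size=$(($(wc -c < "$iso")))
    expected=$(sha256sum < "$iso" | cut -d' ' -f1)
    actual=$(head -c "$size" "$target" | sha256sum | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Check the ISO itself against the "<iso>.md5" sidecar (assumed name) that
# Slackware mirrors publish; a corrupt download fails here before any dd.
# Returns 2 when no sidecar is present, non-zero on mismatch.
verify_iso_md5() {
    iso=$1
    [ -r "$iso.md5" ] || return 2
    (cd "$(dirname "$iso")" && md5sum -c "$(basename "$iso").md5" >/dev/null)
}

# Usage: ./write-verify.sh IMAGE.iso /dev/sdX  (runs nothing without arguments)
if [ $# -eq 2 ]; then
    verify_iso_md5 "$1" || echo "warning: no .md5 sidecar found or it does not match" >&2
    write_image "$1" "$2" && verify_image "$1" "$2" && echo "verified: $2 matches $1"
fi
```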

UPDATE 2 --

Annnnddd...after 2 days of trying to get CDs to be read by the CD reader, I swapped it out with a known working reader.  It worked and I threw out the non-working reader.  The swapped reader worked for a bit then stopped working too.  I then swapped out the IDE cable (yep...no SATA reader in this particular system).  It started working again.  So, it was the cable and not the readers.  Oh, and I went to the trash can and reclaimed the trashed CD reader.  :)  Slackware 14.1 is now installing, although I still need to read the RAID HOWTO to see what's needed to set that up.

UPDATE 3 --

About that CD reader...it ain't the reader(s).  The one I swapped in is intermittent as well, even when paired with known working cabling.  It has to be the motherboard that's acting flaky.  As well, LILO won't install on my RAID 5 setup...it keeps erroring out and telling me to use another bootup method or to fix the issue (the issue has to do with using "--metadata=0.90" on my boot partition setup...I've tried it without setting this particular metadata configuration and it flat-out won't boot).  I'd use an alternative boot-up method but the damned motherboard is so old that it doesn't support removable drives such as flash drives as boot-up options.  And the BIOS update utility for this motherboard requires a Windows OS to be installed (and I'm not going to install Windows on this system just to update the BIOS, which might not even fix what I'm complaining about).  I'm thinking of just upgrading the motherboard, but if I do that, I'm going to upgrade the CPU as well...gonna go Intel Core i5 and Gigabyte GA-Z87-HD3, more than likely...and if I do that, I'm just going to use it as my main desktop gaming rig, which means I won't be using it as a Linux machine.  That might be ideal, since I've a gaming rig that is acting up (it's a 6-core AMD CPU system that keeps powering down)...I can relegate that machine to Linux duty after also upgrading its motherboard and CPU (going Intel i5 as well).  I have some decisions to make, I guess.

Tuesday, October 23, 2012

Postfix Install, OSSIM, Slack 14, Ubuntu, and VPNs

This isn't really a technical post, but I did want to share that I have Postfix running on my server.  I'd never had the need to run my own mail server until I moved my wigglit.com domain.  It was initially hosted at 1and1.com, but I got fed up with their service (or lack thereof).  I had several e-mail accounts set up there and still needed them to stay active, so I was pretty much forced to migrate the accounts as well as the domain.  The domain migration was pretty simple.  The Postfix install was much more difficult, even when using Webmin to set it up.  I used a Ubuntu tutorial (searched on 'webmin', 'ubuntu', 'postfix', and 'configuration') and used it exclusively to set up the server.  I think I have it tuned pretty well so far, only I found some bounced e-mails going back maybe a month or so...I fixed those today.  Those weren't actually related to Postfix, though.  When I stood up the new server and domain, I forgot to adjust the scripts that kicked off the e-mails (cronjobs).  I'll double-check tomorrow, but I think I've fixed those (was able to test the cronjob successfully...generated a test e-mail).  I've since been editing the main.cf file to make configuration changes (and restarting the mail server afterward).

I've also been trying to use OSSIM, but I think I need a dedicated machine.  I tried to use an install of it within VirtualBox, with very limited success.  It seems it needs considerable resources and doesn't run well on a virtual instance with limited CPU/memory resources.  I ran VirtualBox on my M17xR3...that machine definitely has enough horsepower, but only has 8GB of RAM...it may need a bit more so that I can give OSSIM ample memory.  As well, my RAID 0 drive set may be hindering OSSIM.  I got a taste of it, though, and like it much better than Aanval.  Unfortunately, I don't have a good spare box at the moment, otherwise I'd be running it already.  That was my first time using VirtualBox, also...it's not that much different than VMware...much simpler, though.

So, Slackware v14.0 was released not long ago.  I took the liberty of installing it within VirtualBox.  It runs very nice!  I'm in the process of evaluating it and will soon upgrade my two v12.0 machines.  No, I'm not using Slackware on my public server.  I opted to use Ubuntu (v12.04) instead.  While I love Slack, I needed something less high-maintenance on the public server.  No complaints so far and it's been about a year since I flushed it and gave Ubuntu a try...no complaints whatsoever.  KISS is where it's at.

Lastly, since I've had success with Postfix, I plan to eventually start evaluating security tools again.  I've been out of the loop for awhile and need to push myself to continue to be familiar with Linux and security.  I've never used any of the VPN software before, so I plan to establish a VPN conduit between my LAN and my public server.  We'll see how that goes soon.

Thursday, September 13, 2012

BSD machine fixed!

So, I swapped a known working motherboard into the BSD machine.  It now works.  I also decided to use a quad core AMD AM2+ CPU that I had sitting around.  That's all I changed.

I'd originally thought the problem was related to the hard disk.  So, I decided the night before to disconnect the drives (it has two SATA drives), to determine if it were the real issue.  It still experienced the same symptoms after boot-up attempts, which told me it wasn't a hard disk issue.  I also swapped out the RAM with a known working chip with the same results when trying to boot-up.

So, either the old CPU (a dual-core AMD...I forget the model) died or something on the motherboard died (or maybe there was a short somewhere?).  I left it running a live instance of Linux Mint, just to see if it stays stable over the next 24 hours.

Next, I need to reinstall FreeBSD (wondering if I should try some others as well, such as OpenBSD or Mint).  I wiped the drive, thinking that there was some corruption issue...shouldn't have done that.

Saturday, June 23, 2012

BSD machine still not fixed; Slackware bullet-proof as usual...

So, I've had some time to play with my Slackware install.  I should actually upgrade to the latest, but I think I might try to get that BSD system back up this weekend.  I did upgrade firefox on the Slack machine, though...it was running a VERY old version (v2.x.x, I believe).  I'm running v12.0 now via my regular user account.

I'm tempted to install phpBB3 onto this machine (that's why I want to get into that BSD box...I'd just installed phpBB3 and had a very nice site that contained all my system and sysadmin notes that I've collected over the years...been using that software as a data repository since 2003 or so, on a very old system that runs phpBB2).

I've no real plans this weekend or maybe even the next (no autocross scheduled until next weekend and I'm opting out of that).  That should give me time to delve into the BSD issue as well as wiping the replacement system and installing the latest Slack.

Wednesday, May 30, 2012

Slackware Reunited!

Well, I'm back to using Slackware.  I don't know if that's actually proper to say, since I still use Slackware as an IDS for my LAN, but that box is pretty much just monitoring the network...nothing else.  I had an issue with my new FreeBSD box (it won't boot properly) and I needed another box, so I powered up an old machine that had Slackware v12 on it.  Yes, I'll upgrade to the latest as soon as I can, since everything seems to be out-of-date, such as my browsers and such.

I was able to get onto irc.freenode.net (was previously logging in via Xchat-aqua using my Macbook), but had a problem with D-bus:

ron@slackbox:~$ xchat
process 7948: D-Bus library appears to be incorrectly set up; failed to read machine uuid: Failed to open "/usr/local/var/lib/dbus/machine-id": No such file or directory
See the manual page for dbus-uuidgen to correct this issue.
  D-Bus not built with -rdynamic so unable to print a backtrace
Aborted

No, I don't use irssi or BitchX (I used to, awhile back).  Found that I could kickstart D-bus with the following command:

dbus-uuidgen --ensure

Dunno why this was an issue, since I didn't have the issue before I powered off the machine...maybe something broke during the power-down cycle of that last shutdown?  Dunno.

I'm glad to be delving in Slackware again...I love tinkering with different environments, but I'm pretty spread thin with Windows 7 (necessary evil to do my hardcore gaming), FreeBSD, Ubuntu (my colo server), and now Slackware...been meaning to reactivate an old box with OpenBSD on it also.  We'll see how I can cope with all this.  :)

Thursday, May 17, 2012

Missing me some Slackware...

I haven't played with Slackware in quite awhile.  I still run a server through Linode.com but I no longer have Slackware installed as an OS (I'm using Ubuntu for ease of use...yes, it is easier to maintain compared to Slackware and I've not run into any 'gotchas' yet).  I run one machine that has Slackware installed (it's sorely in need of an update, though) and it is being used as a NIDS system.  I've another machine with Slack on it that hasn't been turned on in months (its OS version is even older than the other system).  I'll probably turn on this system and begin to use it again, but it is in very sore need of cleaning (it has 4-5 hard disks with data ALL over the place).

I'm trying to resist the urge to run Slackware in a VM on my Alienware system.  It will require me to probably get more RAM (I'm trying to resist that idea for now).  I do not want to attempt a native install, as I don't feel like experimenting to get Slack to work on that system.  The integrated and dedicated GPUs will probably be an immediate issue, as well as the fact that my system is running two 750GB drives in RAID0.  And, that is also my gaming system.  There's no real need for me to install Slackware natively on my system.  But, I will definitely install Cygwin, since I can leverage its tools (such as GnuPG) without having to open a shell and have an internet connection.  Cygwin is the less complicated of the aforementioned options.

But I am missing using Slackware, which is why I've been trying to be more active at ##slackware on irc.freenode.net.  The thing is, I also have a fetish for Open- and FreeBSD, so I've been focusing on both of those the past few years.

Saturday, January 09, 2010

Been awhile...

So, what am I doing currently?

I've been having an issue getting a print server (Linksys PSUS4) to work with anything other than Windows.

I've two Macs in the house that do NOT like this print server. I've yet to test it in Linux but my wife is one of the people that uses the Macs heavily, so the Linux alternative won't work for her.

For now, I'm attempting to utilize my main Linux machine, 'slackbox' as a print server by using CUPS. The version of Slackware that this machine is using is v12.0. I've found that there is HPLIP support for Slackware v12.0 but I'll need to update the HPLIP version (it is currently at v1.7.4). So, I've the option of attempting to patch the current install to the latest version (no, I've not been keeping up with patches), or compile the latest version from sources and install it to the Slackware machine.

Another thing I've found is that http://packages.slackware.it/ has been down since at least this past October. I didn't realise how crucial this Slackware service was, but I'm hoping that this gets fixed soon or that Pat V. eventually addresses the issue by standing up his own service. As much as I agree with the manual approach to Linux, there will come a time to where some things may have to become simplified...this is one of those things, I think.

Anyways, I'll update this post with any notes as I continue to work around the print server issue (so that my wife can quit nagging me and making bad assumptions about things she doesn't understand).

Sunday, March 30, 2008

Firekeeper, an IDPS system (plugin) for Firefox

http://isc.sans.org/diary.html?storyid=2403 explains Firekeeper, an IDS/IPS Firefox browser plugin.

I'm running it on two machines that run Slackware (versions 11.0 and 12.0). I may throw it on my work machine (which runs Windows XP), but that may be a bit daring.

Firekeeper's homepage is at http://firekeeper.mozdev.org/installation.html

Please share your experiences with this plugin...this is a great idea and may be a Holy Grail for malware that infects via browsers.

Also, I've found what may be a good security site, http://www.megasecurity.org/Main.html. It may take me awhile to read, as it has tons of data, it seems.

Sunday, February 17, 2008

Kernel vulnerabilities affecting Linux machines

Whenever there's some kernel-level vulnerability, it seems that the whole community goes ape-crap over something that should be a no-brainer.

The recent vulnerability is documented here:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0600

So, what's the big deal? It is a locally exploitable vulnerability. Everyone is acting like it's the end of the world. Why? Are people actually giving people access to their systems that they don't trust? Why am I not worried? Because I want to learn things about security. Think about this for a second: in an enterprise environment, you're not going to be able to always apply kernel patches to production machines. You're not always going to be able to test by standing up a development environment. There is not always going to be one distribution used and not every platform will share the same hardware. What's readily apparent is that security should always be applied in layers. This means that no one should be accessing machines on your local network that you can't trust. If someone is not trustworthy, you should always be worrying about what they're doing on the network, instead of only when kernel-level vulnerabilities are discovered.

Does that lessen the responsibility of the system admins? No, but if everyone thought less of patching applications and more as a security administrator, the workload of the system administrator would probably be less. What I'm seeing in chatrooms and forums is this: "Oh shit...this exploit gives local root access...I have to apply this patch NOW!!" Someone said something similar in an IRC channel that I frequent:



SiegeX - I dunno, having a local root exploit (which ive tested with existing code) on a box that runs any sort of service would worry the hell out of me
W|GGL|T - SiegeX: in all actuality, you could have root exploits locally all over the place and you'd not know about it
SiegeX - and I probably do, but its no excuse for not patching the ones I do
W|GGL|T - security is more than just patching....in a corporate scenario, you have to balance out if you can even apply the patch....you bet your ass we're not going to take down a production system that has a localized vulnerability if it is indeed only local
SiegeX - heh, step 1) su root 2) cat /etc/shadow 3) ??? 4) profit
W|GGL|T - its called mitigation
W|GGL|T - if security is applied in layers, certain risks are lessened
SiegeX - W|GGL|T: why wouldnt you apply the patch on a production clone for testing purposes and do regression testing on that to make sure everything is a-ok before moving it over ?
W|GGL|T - SiegeX: if the corporate network has 10 different security layers, the need for immediate patching is small. sure, we'd patch but we'd do it in a sane manner
SiegeX - W|GGL|T: since you're into the corp security let me ask you if there was a solid way for a corp to not allow outbound tunnels while still allowing https?
SiegeX - s/was/is
W|GGL|T - SiegeX: nope, but then again, those who don't follow corporate policy need to be fired
SiegeX - afaik, if you tunnel over https, not even a L7 filter will look at it funny since the connection setup looks legit. Only thing i can think of is traffic analysis
W|GGL|T - there are always checks and balances
W|GGL|T - SiegeX: hrmm....there is IDS
W|GGL|T - and there is also a concept called behavioral analysis



The conversation dies shortly thereafter. I do think SiegeX was thinking in a sane manner. What he's worried about is someone either breaking into the machine or someone from inside tunneling and somehow letting an unauthorized user into the network. Layered security addresses both of those concerns. You lock down your firewall to only allow certain traffic in/out of the network. You set up either an IDS or an IPS to either log suspicious traffic or actively log and block unusual traffic. Yes, IDS/IPS can detect layer-7 traffic anomalies (but only if there are rules patterned after the unwanted traffic). Those people that tunnel out of the corporate network can be either reprimanded or handed their walking papers...that problem can be solved rather quickly.

I take it that SiegeX didn't want to deal with traffic analysis. That's the only way ANYONE is going to see stuff. Think about it. When you look at firewall logs, you're looking at logged traffic. If you're looking at your system logs (for instance, /var/log/secure, /var/log/faillog, or /var/log/messages (which may contain snort log and/or firewall log entries)), you're pretty much conducting traffic analysis. This should be within the realm of every system admin.

The easier way would be to address the kernel vulnerability, but I've also seen places that will NOT update a kernel unless absolutely necessary. The train-of-thought is that they wanted absolute stability and that stability overruled patch updating. What type of organization would think in this manner? Think of organizations that deal in national flight systems.

So, when am I going to apply a patched kernel? I don't know...my LAN is so layered with security that its not a hot priority for me to apply this patch.

Lastly, here's a Secunia link of the vulnerabilities in question: http://secunia.com/advisories/28835/

Sunday, November 18, 2007

58 Cool Hacks...and more

Here are fifty-eight (58) cool hacks that are posted on the Linux Format Wiki. Some of these are actually cool and insightful. I plan on attempting to regularly use a few of them. I'll let you know a bit later which ones they are and how well my implementation and usage goes.

Here is another good link. It describes in detail how to build your own distribution (build, not create, as you will build from a pre-existing Linux ISO file). If I'd enough time to do this, I would...maybe during my next holiday, I'll begin this, with the idea of making a seriously light yet secure distro.

This one is a good one, but I've only skimmed it so far. It is LinuxFormat's Slackware documentation. Since I know they are a bit biased in their views of Slackware (they seem to think that apt-get-like package management is a requirement and that the distribution is a bit 'behind the times'), I know I need to read this part of their wiki with some attention to detail.

Sunday, November 04, 2007

Slack v12.0 on an old rackmount

My Dell Precision 220 that I had NetBSD installed on has a CPU fan that is dying (bearing failure which is pretty damn noisy). I've turned off the machine but needed a temporary replacement, so I took an old rackmount (no-name brand that was pretty much hand-built) and installed Slackware v12.0 on it. It was previously running Astaro Linux but I needed something that had a bunch of installed NICs. This machine has 4 NICs. I need three of them, one for the management interface and two for connections to an ethernet tap (I'm sniffing traffic before my firewall).

I'd thought this would be a huge exercise in hunting down how to bind the two interfaces that were plugged into the tap ports of the tap, but it was easier than in NetBSD.

After installing Slackware v12.0 and then Snort (2.6.1.5), I then used 'brctl' to establish an ethernet bridge across two different physical interfaces:



root@suna:~# brctl
Usage: brctl [commands]
commands:
addbr add bridge
delbr delete bridge
addif add interface to bridge
delif delete interface from bridge
setageing


After setting up the br0 interface, I could then use Snort to sniff the br0 device (and see the traffic of the interfaces bridged to br0):



root@suna:~# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.00d0b78578d6 no eth2
eth3
root@suna:~# ifconfig eth2
eth2 Link encap:Ethernet HWaddr 00:D0:B7:85:78:D6
inet6 addr: fe80::2d0:b7ff:fe85:78d6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:49363 errors:0 dropped:0 overruns:0 frame:0
TX packets:41805 errors:0 dropped:0 overruns:0 carrier:10
collisions:1202 txqueuelen:1000
RX bytes:41520086 (39.5 MiB) TX bytes:5730882 (5.4 MiB)
Interrupt:5

root@suna:~# ifconfig eth3
eth3 Link encap:Ethernet HWaddr 00:D0:B7:85:8A:B4
inet6 addr: fe80::2d0:b7ff:fe85:8ab4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:41860 errors:0 dropped:0 overruns:0 frame:0
TX packets:49312 errors:0 dropped:0 overruns:0 carrier:940
collisions:959 txqueuelen:1000
RX bytes:5771456 (5.5 MiB) TX bytes:41483624 (39.5 MiB)
Interrupt:10

root@suna:~# ethtool eth2
Settings for eth2:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Half
Port: MII
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Current message level: 0x000020c1 (8385)
Link detected: yes

root@suna:~# ethtool eth3
Settings for eth3:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Half
Port: MII
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Current message level: 0x000020c1 (8385)
Link detected: yes
root@suna:~#



At this point, I can get snort to run, but it dies not long after starting the process. I can also use tcpdump to sniff traffic from the br0 device. I'm seeing normal traffic. There's nothing in the logs to indicate any problems. I'm also able to telnet to port 3306 (Snort is reporting events/alerts to a database). I've also tested my snort.conf and it appears sane (no reported errors) and will connect to the MySQL database without errors.
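An rc-style helper for the two-tap-port bridge described above, added here as an example rather than taken from the post; it assumes brctl and net-tools ifconfig as on the Slackware 12.0 box, eth2/eth3 as the tap ports and br0 as the bridge name, and its DRY_RUN mode only prints the commands it would run. It leaves the bridge and its members without an IP address and in promiscuous mode, and keeps STP off, so the sensor neither answers on nor sends BPDUs into the tapped segment.

```shell
#!/bin/sh
# Added example, not from the post: bring up (or tear down) a transparent,
# address-less bridge across the two interfaces plugged into an ethernet tap,
# so Snort or tcpdump can listen on the bridge and see both directions.
# Interface names are passed on the command line; br0 is an assumed default.

BRIDGE=${BRIDGE:-br0}

# Run a command, or just print it when DRY_RUN=1 (lets the logic be checked
# without root or real interfaces).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bridge_up BRIDGE IFACE IFACE... : create the bridge and enslave each
# interface.  No IP address is assigned anywhere, and STP stays off so the
# sensor does not inject BPDUs into the tapped link.
bridge_up() {
    br=$1; shift
    [ $# -ge 2 ] || { echo "bridge_up: need at least two interfaces" >&2; return 1; }
    run brctl addbr "$br"
    run brctl stp "$br" off
    for ifc in "$@"; do
        run ifconfig "$ifc" 0.0.0.0 promisc up    # no address, promiscuous
        run brctl addif "$br" "$ifc"
    done
    run ifconfig "$br" 0.0.0.0 promisc up
}

# bridge_down BRIDGE IFACE IFACE... : reverse of bridge_up.
bridge_down() {
    br=$1; shift
    run ifconfig "$br" down
    for ifc in "$@"; do
        run brctl delif "$br" "$ifc"
        run ifconfig "$ifc" -promisc down
    done
    run brctl delbr "$br"
}

case "${1:-}" in
    up)   shift; bridge_up "$BRIDGE" "$@" ;;
    down) shift; bridge_down "$BRIDGE" "$@" ;;
    show) brctl show ;;
    '')   ;;   # run without arguments: only define the functions
    *)    echo "usage: $0 up|down IFACE IFACE... | show" >&2 ;;
esac
```

Start the sensor afterwards with the bridge as its listening device, e.g. snort -i br0, as the post does.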

Hrmmm...looks like it will be a busy weekend...

Edit - 11/10/2007:

I had to revert to Snort v2.4.4 for now, as v2.6.1.5 was causing serious memory issues. Using the -M switch, Snort wasn't telling me why it was dying. 'dmesg' or cat'ing the /var/log/messages file wasn't showing why it was dying either. The only hint was me watching the process via 'top'. Within 5 min, the process would hog all 512MB of physical RAM and commence to using all virtual RAM (1GB). The process would die less than an hour after start. I began trimming the snort.conf file to lessen memory usage, but began to tire of doing this. I decided to fall back a version until I could figure out why v2.6 wasn't working.

Thursday, August 30, 2007

Posted: Snort init script

Here it is!


#!/bin/sh
# Start/stop/restart snort.
#
# 8/30/2007 - The snort_restart function wasn't working, but an investigation
# ferreted out the problem: the "sleep" parameter was adjusted from "1" to "5"
# to give the process time to stop before starting the snort process again.

SNORT=/usr/local/bin/snort
SNORT_CONF=/home/snort/snort-2.6.1.1/snort.conf
SNORT_IF=eth0

# Start snort (-c config file, -i interface to listen on, -D run as a daemon):
snort_start() {
    if [ -x "$SNORT" ]; then
        echo "Starting snort daemon: $SNORT -devXz -c $SNORT_CONF -i $SNORT_IF"
        "$SNORT" -devXz -c "$SNORT_CONF" -i "$SNORT_IF" -D
    fi
}

# Stop snort (killall signals every process named snort, not just this one):
snort_stop() {
    echo "Stopping snort daemon"
    killall snort
}

# Restart snort: give the old process time to exit before starting a new one.
snort_restart() {
    snort_stop
    sleep 5
    snort_start
}

case "$1" in
    'start')
        snort_start
        ;;
    'stop')
        snort_stop
        ;;
    'restart')
        snort_restart
        ;;
    *)
        echo "usage: $0 start|stop|restart"
        exit 1
        ;;
esac
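A pidfile-based variant of the script above, added here as an example; it is not the author's script, and it is not the Slackware or OpenBSD script linked elsewhere on this page. It addresses the failure mode described in the May 19 post below: a cron job running "restart" against a script built on killall plus a fixed sleep can silently leave snort stopped, and nothing reports it. Here stop signals only the pid recorded in the pidfile and waits for that process to actually go away, start refuses to launch a second copy and checks that the daemon came up, and every failure returns a non-zero exit status so the cron run shows the gap. The assumptions are marked in the comments: that snort in daemon mode writes /var/run/snort_<interface>.pid and accepts --pid-path (check "snort --help" for the version you run), and the config path, which is a placeholder.

```shell
#!/bin/sh
# Pidfile-based rc.snort, added here as an example (not the author's script).
# Assumed, so verify against "snort --help" for your version: snort -D writes
# /var/run/snort_<interface>.pid and accepts --pid-path <dir>. Paths are placeholders.

SNORT=${SNORT:-/usr/local/bin/snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
SNORT_IF=${SNORT_IF:-eth0}
PID_DIR=${PID_DIR:-/var/run}
PIDFILE="$PID_DIR/snort_${SNORT_IF}.pid"

# True if $1 is a live process. kill -0 sends no signal, it only checks, but
# it also succeeds for a zombie; on Linux /proc tells the two apart.
pid_alive() {
    [ -n "$1" ] && kill -0 "$1" 2>/dev/null || return 1
    [ -r "/proc/$1/status" ] || return 0
    [ "$(awk '/^State:/ {print $2}' "/proc/$1/status")" != Z ]
}

# Print the recorded pid, or nothing if there is no readable pidfile.
read_pid() {
    if [ -r "$PIDFILE" ]; then head -n 1 "$PIDFILE"; fi
}

# Wait up to $2 seconds for process $1 to go away: 0 = gone, 1 = still there.
wait_for_exit() {
    pid=$1; secs=${2:-10}
    while pid_alive "$pid"; do
        [ "$secs" -le 0 ] && return 1
        secs=$((secs - 1))
        sleep 1
    done
    return 0
}

snort_status() {
    pid=$(read_pid)
    if pid_alive "$pid"; then echo "snort is running (pid $pid)"; return 0; fi
    echo "snort is not running"; return 1
}

snort_start() {
    [ -x "$SNORT" ] || { echo "$SNORT is not executable" >&2; return 1; }
    if pid_alive "$(read_pid)"; then
        echo "snort already running (pid $(read_pid)), not starting another" >&2
        return 0
    fi
    rm -f "$PIDFILE"    # stale pidfile left behind by a crash
    echo "Starting snort: $SNORT -c $SNORT_CONF -i $SNORT_IF"
    "$SNORT" -D --pid-path "$PID_DIR" -c "$SNORT_CONF" -i "$SNORT_IF" || return 1
    # -D forks: allow a few seconds for the daemon to write its pidfile
    tries=5
    while [ "$tries" -gt 0 ]; do
        pid_alive "$(read_pid)" && return 0
        tries=$((tries - 1)); sleep 1
    done
    echo "snort did not come up; check the system log" >&2
    return 1
}

snort_stop() {
    pid=$(read_pid)
    if ! pid_alive "$pid"; then
        echo "snort is not running"; rm -f "$PIDFILE"; return 0
    fi
    echo "Stopping snort (pid $pid)"
    kill -TERM "$pid" 2>/dev/null || true
    if ! wait_for_exit "$pid" 15; then
        echo "snort ignored SIGTERM, sending SIGKILL" >&2
        kill -KILL "$pid" 2>/dev/null || true
        wait_for_exit "$pid" 5 || return 1
    fi
    rm -f "$PIDFILE"
}

# Start again only if the stop really succeeded, so a stuck process is
# reported (non-zero exit) instead of ending up with two copies or none.
snort_restart() {
    snort_stop && snort_start
}

case "$1" in
    start)   snort_start ;;
    stop)    snort_stop ;;
    restart) snort_restart ;;
    status)  snort_status ;;
    '')      ;;    # no argument (e.g. sourced): only define the functions
    *)       echo "usage: $0 start|stop|restart|status" >&2; exit 1 ;;
esac
```

Installed as /etc/rc.d/rc.snort, it is called the same way as the original ("rc.snort restart" from cron or rc.local). The status target is what you want in the hourly cron job instead of an unconditional restart: restart only when status reports the daemon down, and the non-zero exit from a failed start ends up in cron's output rather than being papered over an hour later.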

Saturday, May 19, 2007

I Created some scripts for Snort

I've created (well, modified) a Snort initialization, restart, and shutdown script for Slackware and OpenBSD. They are linked below.

The OpenBSD script works solidly.

The Slackware script works sporadically and I've no idea how to debug it (although I haven't tried 'strace' yet). It appears to work manually every time, but when run as a cron job, it sometimes, seemingly randomly, doesn't restart. The cron job runs every hour but because it sometimes doesn't start, I now have holes in my website's IDS coverage.

Note that I didn't HAVE to create start/stop scripts for Snort, as I could've started Snort by utilizing the rc.local file, but I'd have still had to manually kill the Snort process whenever I wanted to stop Snort. Having an init script do this is much cleaner.

The fact that I've gotten it working on the OpenBSD machine hints that I've a minor issue with the Slackware script that I have yet to account for, but it's frustrating me, so I'll throw it online to see if someone can help with debugging. Yeah, I searched for help via Google but didn't see much on Snort init scripts for Slackware (although I may find something if I look at any scripts for other distributions).

I also got Snortalog to process my Snort raw logs into a statistical report, although I had to import 6.2MB of flat files to my FreeBSD box (which Snortalog is installed on), then have Snortalog crunch that data into a HUGE (3.9MB) HTML file! Needless to say, that HTML file takes almost 5 minutes to load into a browser. I've got to filter the logs and only have it crunch certain dates to make the file less bulky.

Snortalog definitely highlights that I could do some tuning, as it shows a very high number of MS-SQL worm attempts (MS Blaster) hitting my server, amongst other things. This is a good tool that I'd previously used (and had forgotten) at a prior place of employment. It would be nice if I could figure out how to get it to crunch my IPF FW logs.

Another oldie but goodie is SnortSnarf. It is a perl script, as is Snortalog, that parses Snort files (the alert file and the payload files) into readable HTML pages, which is a bit better at searching via command-line. It is not as handy as ACID/BASE is, though, but has lower overhead. Sadly, SnortSnarf's home page is gone, but I've linked Snort.org's archive.

EDIT --

I've found my 'error'. What happened was that I had line 34 commented out and line 35 uncommented. Line 35 is specifically for usage with OpenBSD. Line 34 is specifically for Slackware. I rectified this by uncommenting line 34 and commenting line 35. I'll also put commentary explaining this. Consider this issue solved!

Edited 8/30/2007:

Revised Script that works! *yes, click here*

Sunday, May 13, 2007

Pidgin and Slackware relationship ended

http://www.linuxquestions.org/questions/showthread.php?t=553262

Total B.S. A good read, especially if you're a Slacker! I'm backing Pat totally on this one.

Saturday, February 17, 2007

Did some ##slackware log archiving...

Yeah, I had to do some archiving of the logs, as disk space usage was at 96%. I didn't just archive the channel logs, but also archived my snort and web logs. About the only thing I haven't archived yet is the modsecurity logs (will do that sometime this weekend). The host's drive space is currently at 74%. The channel logs are still in place, but I've crunched the logs into monthly tar.bz2 files. This renders the logs unsearchable by Google (yeah, this sucks), but I had to compromise...they are still downloadable, just not searchable. So, if you need them, they are there for download. Once you download them, you can grep each tar.bz2 after uncompressing them. Hopefully, Google still has the logs cached so that a person searching for an item can still see the cached files. Maybe I'll purchase more drive space so that I can host the logs in an untarred and uncompressed format in the near future.

Speaking of the channel, there has again been some ruckus about someone being banned 'unduly'. People have to recognize that moderating a channel does come at a price. One of these prices is the fact that people can't visit their frustrations on the channel. An individual visited the channel highly upset that Pat froze Slackware-current relating to issues with both the 2.4 and 2.6 kernel. Instead of following advice to follow up with Pat, he continued to vent on the channel, causing a rather heated flame war over something trivial. He was +q'd (meaning his speech was removed), but he evaded +q. He was then "removed" (meaning he was booted, not kicked, from the channel), but came back in the channel with the same attitude. He was then banned for 30 days. Anyone who evades moderation will automatically get a ban. Why 30 and not 7 days? Because, behind the scenes, in private message, the individual was very argumentative and I didn't feel like dealing with him 2 days later for the same offense. After reading the logs, someone had the gall to mention in the channel that the ban was unwarranted...this person thought that the individual was banned because of his views...WRONG. Read the channel guidelines. They state specifically that any +q/ban evasion will be dealt with in a rather harsh manner. Many people do not realize that the ops will never be able to please every single person's views in the channel. I've been doing this a LONG time (4+ years) and no matter if I just sit there and let the channel run itself or if I step in and boot someone, someone ALWAYS complains. It's a no-brainer for me: moderation is what it is. You can take it or leave it. There aren't too many channels on Freenode that aren't moderated. By nature, moderation pretty much means you can't state everything you feel, especially when it ruins the continuity of the channel chat. Is this an oxymoron, especially since Freenode is inhabited mostly by coders and free-thinkers?
Every discussion, whether it's in real life in a conference or in someone's home or online on a forum or in a chat room/channel, will have some type of moderation. So, going forward, I'll not be including comments in the ban messages, as this adds confusion as to why the person was banned. Really, the channel doesn't need to know why said person was banned after the fact. The ban messages are for the person being banned and it was designed that way by the people who set up the IRC specifications. If you want to know why someone was banned, speak with them directly or read the logs. I've no time to hold some lengthy dialog with someone who thinks that everyone should join an IRC channel and unload their frustrations. I try to think as objectively as possible on anything that goes on in the channel and, to be quite honest, there's been a ton of bitching about the ops lately. When I see the non-ops quit pushing the ops' buttons, I'll take them more seriously and get more active in seeing to their needs...but the bellyaching has to stop first. Seriously, it's usually the same people bitching about their rights being violated, and if it's not the same people, there's usually some association.

Thursday, December 28, 2006

MySQL database corruption: fix

When I upgraded my main tower to Slack v11.0, I had also upgraded MySQL to v5.0.24a (I don't know what version I was using before this). Soon after the upgrade, I noticed that I couldn't access my local PHPBB and PHPMyAdmin installs.

I was receiving the following error using the MySQL client:

bash-3.1$ mysql -u root -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)


The MySQL error logs looked like this:

061227 03:08:12 mysqld started
061227 3:08:12 [Warning] No argument was provided to --log-bin, and --log-bin-index was not used; so replication may break when this MySQL server acts as a master and has his hostname changed!! Please use '--log-bin=slackbox-bin' to avoid this problem.
061227 3:08:12 InnoDB: Started; log sequence number 0 4066534
061227 3:08:12 [Warning] Found invalid password for user: 'root @% '; Ignoring user
061227 3:08:12 [Note] /usr/libexec/mysqld: ready for connections.
Version: '5.0.24a-log' socket: '/tmp/mysql.sock' port: 0 Source distribution
061227 13:13:11 [Note] /usr/libexec/mysqld: Normal shutdown


Even after restarting the MySQL service, skipping grant tables, and resetting the password, the above still showed. So, I ran the following (after restarting the MySQL service using the init script):

bash-3.1$ mysql_fix_privilege_tables --verbose
This script updates all the mysql privilege tables to be usable by
MySQL 4.0 and above.

This is needed if you want to use the new GRANT functions,
CREATE AGGREGATE FUNCTION, stored procedures, or
more secure passwords in 4.1

You can safely ignore all 'Duplicate column' and 'Unknown column' errors
because these just mean that your tables are already up to date.
This script is safe to run even if your tables are already up to date!

ERROR 1060 (42S21) at line 22: Duplicate column name 'File_priv'
ERROR 1060 (42S21) at line 28: Duplicate column name 'Grant_priv'
ERROR 1060 (42S21) at line 29: Duplicate column name 'Grant_priv'
ERROR 1060 (42S21) at line 30: Duplicate column name 'Grant_priv'
ERROR 1060 (42S21) at line 41: Duplicate column name 'ssl_type'
ERROR 1146 (42S02) at line 67: Table 'mysql.procs_priv' doesn't exist
ERROR 1146 (42S02) at line 68: Table 'mysql.procs_priv' doesn't exist
ERROR 1146 (42S02) at line 70: Table 'mysql.procs_priv' doesn't exist
ERROR 1146 (42S02) at line 72: Table 'mysql.procs_priv' doesn't exist
ERROR 1054 (42S22) at line 94: Unknown column 'Type' in 'columns_priv'
ERROR 1060 (42S21) at line 100: Duplicate column name 'type'
ERROR 1060 (42S21) at line 110: Duplicate column name 'Show_db_priv'
ERROR 1060 (42S21) at line 127: Duplicate column name 'max_questions'
ERROR 1060 (42S21) at line 137: Duplicate column name 'Create_tmp_table_priv'
ERROR 1060 (42S21) at line 140: Duplicate column name 'Create_tmp_table_priv'
ERROR 1061 (42000) at line 145: Duplicate key name 'Grantor'
ERROR 1054 (42S22) at line 247: Unknown column 'Create_view_priv' in 'where clause'
ERROR 1054 (42S22) at line 277: Unknown column 'Create_routine_priv' in 'where clause'
ERROR 1054 (42S22) at line 313: Unknown column 'Create_user_priv' in 'where clause'
done
bash-3.1$


After that, I was able to access the databases using the root MySQL account:

bash-3.1$ mysql -u root
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
bash-3.1$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.24a-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> quit
Bye
bash-3.1$


The issue? Apparently, there were three duplicates of the "Grant_priv" column, which I don't think was the REAL issue. Per the script notes, duplicates don't appear to break anything, but looking at where the script notes state, "This script updates all the mysql privilege tables to be usable by MySQL 4.0 and above," I wonder if that's all I needed to do (because I upgraded to a higher version).
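An added check (example code, not the author's procedure) for what to look at once mysql_fix_privilege_tables has run. The warning in the log above says mysqld found a password hash it could not use and ignored that account; a freshly upgraded 5.0 server can also still be carrying 16-character pre-4.1 hashes, empty passwords, anonymous users, and a root account whose Host is '%' (reachable from anywhere), and none of those produce a warning. The script classifies each mysql.user row by its Password column and prints the SQL that fixes it. The mysql invocation in the comment is an assumption about the client flags, and the rows in sample_users are constructed data, not anything from the author's server.

```shell
#!/bin/sh
# Audit mysql.user after an upgrade (added example, not the author's procedure).
# Input is "User<TAB>Host<TAB>Password" rows with no header, e.g. from
#   mysql -N -B -u root -p -e "SELECT User, Host, Password FROM mysql.user"
# (assumed invocation; -N drops the column names, -B gives tab-separated rows).

# Classify one Password column value by the hash formats MySQL has used.
#   empty       no password at all
#   old_format  16 hex characters: the pre-4.1 OLD_PASSWORD() format
#   new_format  41 characters starting with '*': the 4.1+ PASSWORD() format
#   invalid     anything else; this is the kind of row mysqld reports with
#               "Found invalid password for user ...; Ignoring user"
classify_hash() {
    h=$1
    case ${#h} in
        0)  echo empty ;;
        16) echo old_format ;;
        41) case $h in \**) echo new_format ;; *) echo invalid ;; esac ;;
        *)  echo invalid ;;
    esac
}

report() {
    printf '%-11s %s  %s\n' "$1" "$2" "$3"
}

# Read rows on stdin and print one line per finding with the fix.
# Tabs become '|' first so an empty leading field (an anonymous user) is
# not swallowed by read's whitespace splitting.
audit_users() {
    tr '\t' '|' | while IFS='|' read -r user host pw; do
        acct="'$user'@'$host'"
        if [ -z "$user" ]; then
            report anonymous "$acct" "DROP USER $acct;"
            continue
        fi
        case $(classify_hash "$pw") in
            empty)      report empty "$acct" "SET PASSWORD FOR $acct = PASSWORD('<new password>');" ;;
            old_format) report old_format "$acct" "SET PASSWORD FOR $acct = PASSWORD('<new password>');" ;;
            invalid)    report invalid "$acct" "mysqld skips this row; SET PASSWORD FOR $acct = PASSWORD('<new password>'); or DROP USER $acct;" ;;
        esac
        # root reachable from any host is a problem regardless of its hash
        if [ "$user" = root ] && [ "$host" = '%' ]; then
            report remote_root "$acct" "DROP USER $acct; (or restrict Host to localhost)"
        fi
    done
}

# Constructed sample rows, not from the author's server: a 4.1+ hash, a
# 16-character pre-4.1 hash, an empty password, an anonymous user, and a
# row with garbage in the Password column.
sample_users() {
    printf '%s\t%s\t%s\n' \
        root  localhost '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' \
        root  '%'       '5d2e19393cc5ef67' \
        root  slackbox  '' \
        ''    localhost '' \
        phpbb localhost 'not-a-hash'
}

# Usage: sample_users | audit_users
#        mysql -N -B -u root -p -e "SELECT User, Host, Password FROM mysql.user" | audit_users
```

Two caveats before running the printed statements: with old_passwords=1 in my.cnf, PASSWORD() keeps producing the 16-character format, so the reset changes nothing until that setting is removed; and a client built against a pre-4.1 library cannot authenticate against a 41-character hash, so an application that breaks after the reset needs its client library upgraded (or, as a stopgap, its account set with OLD_PASSWORD()).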

I sometimes become so reliant upon PHPMyAdmin that I don't always know how to fix underlying issues. It looks like I'll be delving into the MySQL command line more often, just to understand MySQL at a base level before utilizing front-end tools, or at least reference PHPMyAdmin's SQL query statements a bit more (which is a very cool feature, as the front-end puts what it's doing into command-line structure).

I'm betting some of you are wondering why I'm using PHPBB on my LAN. I use it as a note-taking tool. Whatever machine I'm on in my LAN, I can reference important notes or create notes that are in a central location. Even if I'm at work or at a coffee shop, I can tunnel into my LAN and view all my notes. The only thing I have to remember is to back up my databases religiously so I don't lose very important data that will hinder my work at home (and somewhat at my workplace). Yeah, I know that there may be better ways to take notes, but my notes sometimes tend to be lengthy and when I'm troubleshooting, it's easy to create a thread of trial-and-error posts so I can keep track of what I need to do, what I've already done, or what I shouldn't do. There aren't too many tools that can organize and store data like a CMS can. :)

Happy Holidays!!

Tuesday, October 24, 2006

Using a PCMCIA Wifi Card On Your Laptop - Closed-source Chipsets

I've got my WPC54GS Linksys wifi card, which uses a closed-source chipset (Broadcom), working with Slackware 10.2 installed on a Dell Inspiron 8500. I've posted the process to get this working before at slackwiki.org.

I've scripted this process. You can grab the script from here. Edit it as you see fit. Many people actually use the tools that come with Slackware (the wireless configs in /etc/rc.d, I believe). I script my own, as I've many different wifi cards that I often swap out for different needs.

Anyways, give it a shot.

My next task is getting WPA working with the card (wpa_supplicant, I believe).

Ever Wonder How to Use A Mouse & Touchpad in X?

I remember, a while back, I got a USB mouse and touchpad working in X on my first laptop (using Suse). Many people still ask this question in ##slackware.

All you do is ensure you have the following within your xorg.conf file:


Section "ServerLayout"
    Identifier     "X.org Configured"
    Screen      0  "Screen0" 0 0
    InputDevice    "Mouse0" "CorePointer"
    InputDevice    "Mouse1" "SendCoreEvents"
    InputDevice    "Keyboard0" "CoreKeyboard"

...

Section "InputDevice"
    Identifier  "Mouse0"
    Driver      "mouse"
    Option      "Protocol" "auto"
    Option      "Device" "/dev/mouse"
EndSection

Section "InputDevice"
    Identifier  "Mouse1"
    Driver      "mouse"
    Option      "Device" "/dev/input/mice"
    Option      "Name" "Autodetection"
    Option      "Protocol" "imps/2"
    Option      "Vendor" "Logitech"
EndSection


The bold print in the original post marked the lines you have to add to your pre-existing configuration: the "Mouse1" InputDevice line in ServerLayout (with "SendCoreEvents", so the second device feeds the same pointer) and the second InputDevice section that defines Mouse1 on /dev/input/mice. The Mouse0 entries are the pointer a standard configuration already has.

The whole file is here.

Give it a whirl...and good luck!