Venom Patched

     Even though we don’t have any guests with emulated floppies, I’ve applied the Venom patches to kvm, qemu, and xen, provided by Centos.  Just on the off chance we some day want to emulate a floppy.  That isn’t likely to happen unless they get Sparc emulation working on a distribution so we can emulate our old SS-10 and be done with the hardware.

Apache mod_session_crypto

     I’ve added the module “mod_session_crypto” for session encrypting to our Apache 2.4.12 web server.

     I added because I am working on some new features that will involve authenticating on the web against your existing Linux username and password, much as the current web mail does. I wanted this as an additional tool to secure sessions.  It is also available for your use in web applications.

     If there are other Apache features that you might need for an application, please e-mail  If it is doable without compromising security, I will add them.

Venom Vulnerability

     If you’ve read about the venom vulnerability, you need not be concerned with respect to our virtual machines here as we do not use a floppy disk emulation in any of the virtual machines.  A floppy drive isn’t included in the default configuration of the virtual machines provided by any modern version of Linux that I am aware of.

     Beyond that, the network connections are provided by the virtual machine, if you were able to crash them you wouldn’t have a network connection to them any more.  And since it’s crashed, any changes you made won’t be written to the virtual disk.

     There aren’t many uses for floppy drives on physical hardware these days let alone a need to emulate one.  Since network connections are lost upon crashes it makes it not a real useful remote exploit.  I suspect these are the reasons there are no known cases of this particular vulnerability being exploited even though it has existed since 2004.

Co-Lo Provider Network Maintenance May 21st

     Our co-location provider, Isomedia, where our servers are located, will be performing network maintenance that may result in brief outages:

May 21, 2015 12:01am to 2:00am PDT

ISOMEDIA will be performing network maintenance on our core network. During
this maintenance event customers may expect multiple brief outages. We
apologize in advance for any inconvenience caused during this maintenance.

Please ensure that your Internet equipment is performing no critical
updates, backups, or other activities over your connection during this time
frame. All outage times are estimates based on expected outcomes of the work
being performed and previous experience performing the same or similar work.
There is always the possibility of some unforeseen bug, or problem, that
could extend the outage time.

Ubuntu 15.04

     Just a heads up to anyone contemplating an upgrade.  I would recommend not putting Ubuntu 15.04 on a server just yet, not sufficiently stable.  It has a few things like occasionally DNS doesn’t come up after a boot, audio doesn’t work if connecting via x2go, sometimes locks up when you attempt to shut it down, sometimes processes get stuck.  None of these things were an issue with 14.04 LTS.  Just getting a basic desktop up eats a bit more memory than 14.04.  Part of this is that it starts a lot of unnecessary junk.   With Mate desktop, it starts Abiword when you login for reasons nobody seems to be able to explain.

     A few pluses with 15.04, if you’ve got an Nvidia card, the nvidia drivers from the distribution work now.  No need to grab them directly from the Nvidia site and manually install, in fact that, on 15.04, now fails. There is a build for Blackberry.  No idea if it actually works since I don’t have one to flash and potentially brick to try. In general there are some new toys and more documentation than in 14.04 LTS or 14.10.

Reverting Ubuntu to 14.04LTS

     I am reverting to version 14.04 LTS.  I can not get sound to work with 15.04 at this time.  It works on both my workstation computers but apparently not over the network.  I’ve pretty much tried everything I can find online and then some.

Isomedia – Steve Milton – Thank you

     When we were down Saturday morning I was having a bit of a problem getting help through normal channels, in part because I couldn’t get to my servers where I had the information stored.

     I had the cell phone of one of the co-founders of Isomedia, Steve Milton, and gave him a call and he got someone who could and did help in touch which helped us get back in service.

     There aren’t many big companies where you have a rats chance in hell of contacting one of the founders, let alone actually getting help from them, so I felt this should be made known to anyone looking for co-lo.  They’ve been very good to Eskimo and myself personally.

Firewall Rules Still Being Adjusted

     I am still fine tuning firewall rules.  I ran some port scans last night and things are still more open than I want them to be so I am making additional changes to minimize an attackers ability to see potentially exploitable targets and attack them.  Essentially, I am trying to block any and all traffic that doesn’t have a legitimate function.

     I’ve made a few typos along the way and unintentionally blocked legitimate services for a short time frame.  If you notice anything broken, please e-mail or call 206-812-0051.

     Thank you for your patience.

Firewall Rules Restructured

     I have to totally restructured firewall rules in response to yesterdays Denial of Service attack.  Now all filtering is done on the incoming side of the interface cards.  This prevents the hostile packets from crossing the main bus and eating CPU.  Yesterdays attack consisted of a large number of small packets that exhausted CPU.  These changes will address exactly this type of attack.  The interface cards are intelligent and perform filtering actions without requiring the routers main processors to be involved.

     It also simplified the filtering by eliminating the necessity to allow local exceptions for local machine communications between subnets.

     In addition I have blocked access to all router interfaces and broadcast addresses from the outside which will prevent certain types of abuse.