cron.weekly issue #53: RHEL 7.3, fpm, kpatch, sshesame, Minoca OS, Lynis & many more!
November 6, 2016 - Mattias Geniar
Welcome to cron.weekly issue #53 for Sunday, November 6th, 2016!
The vim editor turned 25 years old, we’ve got Docker horror stories and plenty of SSH honeypots to collect interesting hacking attempts. Surely enough to keep you all occupied for today, tomorrow & the week to come.
Perhaps not so much news as an interesting vulnerability: the Gentoo package manager doesn’t validate any GPG keys, making it trivial to set up a man-in-the-middle proxy to intercept any packages served to the package manager.
I’m not an emacs user myself, but I liked this story: since Emacs is so old, it couldn’t/didn’t use standards related to displaying windows/text. Only just now did it implement methods for smooth scrolling & displays. The joys of ancient software!
As of Debian 9, there won’t be any support for the powerpc architecture anymore.
If you like the free TLS certificates from Let’s Encrypt, now’s the time to show your support: the Let’s Encrypt team needs help collecting the last donations to cover its running costs. Embarrassingly, it only had ~600 backers in 4 days. For the world’s biggest Certificate Authority (or close to it), that should be a lot more!
Quite an accomplishment, Vi-IMproved!
Tools & Projects
Get real-time, integrated statistics on your entire infrastructure: from Amazon stats on your servers to detailed numbers of your PostgreSQL, Elasticsearch, Node & other applications – all from a single, easy to use, interface. Sign up for a free trial to discover a better way to monitor your stack! (Sponsored)
Effing package management! Build packages for multiple platforms (deb, rpm, etc) with great ease and sanity.
HTTP logging middleware especially useful to unwind concurrent operations without losing the request context: log HTTP requests/responses separately, visualize their concurrency and report logs/errors.
A modified sudo binary that allows authentication via the new TouchID on Apple MacBooks.
“Yet Another Zone Validation Script”: yazvs.pl is one of the utilities that Verisign uses daily to validate new versions of the root and arpa DNS zones before they are published to the distribution masters.
This is a bit older already, but still sounds interesting: Chronos is the Airbnb replacement for cron. It is a distributed and fault-tolerant scheduler which runs on top of Mesos.
kpatch is a Linux dynamic kernel patching infrastructure which allows you to patch a running kernel without rebooting or restarting any processes.
Lots of attention for this project last week: Minoca OS is a general purpose operating system written completely from the ground up. It’s intended for devices looking to conserve power, memory, and storage.
Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.
A fake SSH server that lets everyone in and logs their activity (aka: an SSH honeypot).
This is essentially a “per-application VPN”, instead of a system-wide VPN: ocproxy is a user-level SOCKS and port forwarding proxy for OpenConnect based on lwIP. When using ocproxy, OpenConnect only handles network activity that the user specifically asks to proxy, so the VPN interface no longer “hijacks” all network traffic on the host.
Snoopy is a tiny library that logs all executed commands (+ arguments) on your system.
Darling is a translation layer that allows you to run unmodified macOS binaries on Linux. In its nature, it is similar to the well-known Wine project.
BearSSL is an implementation of the SSL/TLS protocol written in C.
Portainer is an open-source lightweight management UI which allows you to easily manage your Docker host or Swarm cluster.
Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless and installation is optional.
Plenty of new features in this systemd release: there’s now support for dynamically created users for the lifetime of a service, improved container support, cgroup limitations for swap usage, the introduction of systemd-mount & much more.
Red Hat Enterprise Linux 7.3 has been released, which means we should see CentOS 7.3 soonish too: lots of package updates, many stability & security improvements.
Guides & Tutorials
Since you need a recent version of OpenSSL to support HTTP/2 for browsers like Chrome, running an HTTP/2 enabled proxy in a Docker container makes sense. This guide covers an Nginx TLS proxy running inside Docker to support HTTP/2.
At Stripe, they’re heavy users of consul. This post gives lots of insight into how it works at scale, how it got introduced and what it’s doing today.
A good tip on using a script in /etc/rc.d/rc3.d/ to run commands on system shutdown.
This post is a good reminder on what NTP is and does, how it works and how to configure it.
For heavy traffic network servers, like proxy servers or load balancers, you may need to increase the networking port range to create more source/destination ports for new TCP connections.
A very good introductory post on Ansible inventory, its current state and shortcomings, and how those could be addressed in the future.
This is somewhere between a rant and a cautionary tale: beware of running Docker in production, learn from these folks.