I’d wager that many people have heard of Snort, and what it does. For those who aren’t familiar with it, it’s an open source intrusion detection system (IDS)/intrusion prevention system (IPS). In a normal configuration, Snort monitors traffic and alerts based on predefined rules for such things as port scans and maliciously-crafted HTTP requests. It’s an extremely powerful tool that is also highly configurable, and with an excellent community that provide custom rules for a wide variety of situations. But alerting is one thing – being able to make sense of those alerts is something else.

Prelude

Prelude is a security information management (or SIM) system – that is, it’s designed to aggregate and correlate events from tools like Snort and provide a centralised place to manage those events. On its own, this is useful, but coupled with a few additional tools it really becomes something else.

The main prerequisite for our setup is to MySQL, so if you don’t already have it installed, go ahead and do so. Most Linux distributions include Prelude in their repositories, so installing it should be pretty straightforward. I use Debian, so once MySQL is installed and working, installing the manager is a case of running the following:-

root@dev-vm-lnxd-01:~# apt-get install prelude-manager

Follow the on-screen debconf prompts regarding the database – one thing to note that I discovered on squeeze is that if I let debconf generate a password for the prelude database user, that password wasn’t written to the prelude configuration. Since debconf doesn’t output the password it’s generated, this means you’ll have no idea of the password. Therefore, I recommend picking a password yourself.

Next, it will generate a 2048-bit RSA key for the manager. This can take a while, and on a quiet server will take a few minutes at least. Generating disk I/O is how I usually increase the amount of entropy for the key generation – running find / >/dev/null works well in this situation I’ve found.

By default, prelude-manager will refuse to start, because it’s disabled in /etc/default/prelude-manager. Edit it, and change RUN=no to RUN=yes. Next make sure that the database configuration in /etc/prelude-manager/prelude-manager.conf is correct – especially regarding my note earlier about auto-generated passwords.

When you’re happy the configuration is correct, start prelude-manager:-

root@dev-vm-lnxd-01:~# /etc/init.d/prelude-manager start

If everything is okay, prelude-manager will start.

Putting it to work

We now have a running prelude-manager instance. But on its own, this is pretty useless – no events are being sent to it, so there’s nothing for it to do. Let’s fix that by installing a sensor – Snort.

Again, installing Snort should be straightforward:-

root@dev-vm-lnxd-01:~# apt-get install snort

As before, follow the debconf prompts. Unlike prelude-manager, snort will be started automatically after install. A quick glance at /var/log/snort will reveal a file named alert and possibly a number of tcpdump.log files. This is how Snort by default saves alerts, with the tcpdump.log files being captures associated with those alerts. But since we’re talking about Prelude, let’s get the alerts sent there.

The first step is to register Snort with prelude-manager, so that prelude-manager knows about it. We can do this with the prelude-admin command:-

root@dev-vm-lnxd-01:~# prelude-admin register "snort" "idmef:w" 127.0.0.1 --uid 106 --gid 106

You’ll notice that I passed the UID and GID of the snort to prelude-admin. By default, the snort has both a UID and GID of 106, but do check this before running it. The other options are the name of the agent (“snort”), the permissions (“idmef:w”) and the IP address of the server running prelude-manager. The name can be anything, as long as this matches the name used in the Snort configuration, and the ‘idmef:w’ refers to the Intrusion Detection Message Exchange Format, and that we want to give Snort write permissions. Finally, because we’re running Snort on the same server as the one running prelude-manager, we use 127.0.0.1 as the host.

root@dev-vm-lnxd-01:~# prelude-admin register "snort" "idmef:w" 127.0.0.1 --uid 106 --gid 106
Generating 2048 bits RSA private key... This might take a very long time.
[Increasing system activity will speed-up the process].
Generation in progress... X..+++++O.+++++O

You now need to start "prelude-admin" registration-server on 127.0.0.1:
example: "prelude-admin registration-server prelude-manager"

Enter the one-shot password provided on 127.0.0.1:

Once again, an RSA key is generated, but this time for the sensor, so now might be a good time to go and make a cuppa. Once the key has been generated, you’ll be prompted (as above) for a ‘one-shot password’ to authenticate it to prelude-manager. At this point, open a new session to the server running prelude-manager and run prelude-manager as directed by the above:-

root@dev-vm-lnxd-01:~# prelude-admin registration-server prelude-manager
The "8qovmgff" password will be requested by "prelude-admin register"
in order to connect. Please remove the quotes before using it.

Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...

Make a note of the password (in our example, 8qovmgff), switch back to our first session, and provide it at the prompt:-

Enter the one-shot password provided on 127.0.0.1: 8qovmgff
Confirm the one-shot password provided on 127.0.0.1: 8qovmgff

Connecting to registration server (127.0.0.1:5553)... Authentication succeeded.

Switch again to the second session, and accept the registration:-

Connection from 127.0.0.1:40123...
Registration request for analyzerID="2783582516549275" permission="idmef:w".
Approve registration? [y/n]: y
127.0.0.1:40123 successfully registered.

Snort is now registered as an sensor with prelude-manager.

The next step is to tell Snort to send its output to Prelude. Edit /etc/snort/snort.conf, and look for the following line:-

# output alert_prelude: profile=snort-profile-name

Uncomment it, and change the profile name to snort:-

output alert_prelude: profile=snort

Save the config, and restart snort:-

root@dev-vm-lnxd-01:~# /etc/init.d/snort restart
Stopping Network Intrusion Detection System : snort (eth0 ...done).
Starting Network Intrusion Detection System : snort (eth0 using /etc/snort/snort.conf ...done).

Making sense of it all

All being well, Snort should now be sending events to Prelude. But we still don’t have any visibility of these alerts… which is where Prewikka comes in.

Prewikka is a graphical front-end to Prelude – more specifically, to the database that prelude-manager uses. Again, there’s a package in Debian for this, so go ahead and install it:-

root@dev-vm-lnxd-01:~# apt-get install prewikka

As with prelude-manager, follow the debconf prompts regarding database setup. Once completed, Prewikka will have its own database, but you’ll also need to give it the details for prelude-manager’s database. Edit /etc/prewikka/prewikka.conf, and edit the settings under the [idmef_database] section. Save and exit the config, and start Prewikka:-

root@dev-vm-lnxd-01:~# prewikka-httpd &

By default, Prewikka listens on port 8000, so point your browser at http://<server>:8000/. The default username and password is admin and admin, so go ahead and log in. You’ll then be presented with the main event viewer, which should be similar to the screenshot to the right.

Running Prewikka in this way uses its own built-in webserver, but within the package a prewikka.cgi file is provided, which can be served by your favourite webserver of choice as a traditional CGI executable.

Now, before taking the screenshot to the right I cheated a little. I ran a quick nmap against the server to generate some events as an example, but in the absence of any events you can still check that snort is communicating with prelude-manager. Click on the Agents link in the menu, and there should be an entry for the server. Click on it once to expand it, and then on the Total box to expand the sensors. If everything is configured correctly, Snort should appear in the listing:-

Prewikka allows you to filter and sort the events displayed, so now would be a good time to have a play about with it. Clicking on an alert will let you view the details of that alert, and because the events at the moment are from Snort, all the relevant alert information that Snort would have logged to /var/log/snort/alert should be available.

Add logs, and sprinkle in a bit of correlation

So now we have working Prelude and Snort installs, with the two working together and a nice front-end to view them through. While nice to look at, we’re missing one of the things that all good IDS tools have, which is correlation.

Before going any further, let’s install two more Prelude packages – prelude-lml (Prelude Log Agent) and prelude-correlator:-

root@dev-vm-lnxd-01:~# apt-get install prelude-lml prelude-correlator

On my squeeze install, the post-install script for prelude-lml exits with an error because the service is initially disabled. This is fixed in a later version, but it’s something to look out for. For now, ignore the error – after we’ve configured it we can pacify dpkg…

Because prelude-lml and prelude-correlator are sensors themselves, we’ll need to register them with prelude-manager in the same way that we did for Snort with the prelude-admin command:-

root@dev-vm-lnxd-01:~# prelude-admin register "prelude-lml" "idmef:w" 127.0.0.1 --uid 0 --gid 0
...output from prelude-admin...
root@dev-vm-lnxd-01:~# prelude-admin register "prelude-correlator" "idmef:rw" 127.0.0.1 --uid 0 --gid 0
...output from prelude-admin...

As before, you’ll need to run prelude-admin registration-server prelude-manager in a second session for both sensors. Also, make sure that you correctly give prelude-correlator the ‘idmef:rw’ permissions – this is because it needs to both read and write events. Then, enable prelude-correlator in the same way as prelude-manager by changing RUN=no to RUN=yes in /etc/default/prelude-correlator. Finally, start prelude-correlator:-

root@dev-vm-lnxd-01:/etc/prelude/profile# /etc/init.d/prelude-correlator start
Starting prelude-correlator : prelude-correlator21 Jan 03:06:57 prelude-correlator (process:22339) INFO: [FirewallPlugin]: disabled on user request
21 Jan 03:06:57 prelude-correlator (process:22339) WARNING: SpamhausDropPlugin = PreludeCorrelator.plugins.spamhausdrop:SpamhausDropPlugin: No module named netaddr
21 Jan 03:06:57 prelude-correlator (process:22339) INFO: [BusinessHourPlugin]: disabled on user request
21 Jan 03:06:57 prelude-correlator (process:22339) INFO: 7 plugin have been loaded.
.

A word of warning at this point – initially, prelude-correlator failed to start for me. If this happens, make sure that /etc/prelude/prelude-correlator, /var/spool/prelude/prelude-correlator and /var/lib/prelude-correlator (plus any subdirectories) are owned by the prelude-correlator user, and then again try to start prelude-correlator.

If you had problems earlier with the dpkg post-install script for prelude-lml, running apt-get -f install here will tidy that up and start prelude-lml. If you didn’t, then start prelude-lml manually:-

root@dev-vm-lnxd-01:/etc/prelude/profile# /etc/init.d/prelude-lml start
Starting Prelude LML: prelude-lml.

Going back to our Prewikka browser window, if we click again on Agents and expand the nodes and sensors, we should see entries for prelude-lml and prelude-correlator.

To demonstrate what prelude-lml and prelude-correlator can do, let’s first add an iptables entry to log all TCP connection attempts on port 22:-

root@dev-vm-lnxd-01:~# iptables -I INPUT -p tcp --dport 22 -m state --state NEW -j LOG

Opening another SSH connection to the server should result in a log message in /var/log/messages similar to the following:-

Jan 21 03:17:08 dev-vm-lnxd-01 kernel: [ 7981.313741] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.xxx.aaa DST=192.168.xxx.yyy LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1313 DF PROTO=TCP SPT=56168 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0

Next, purposefully fail an attempt to log into the server – for example, with an incorrect password. Then, check the events again:-

There’s a few things here, but the main thing to notice is that there are a number of new sensors listed in the Analyzer column. PAM, sshd, and netfilter have all been picked up by prelude-lml from the logfiles it monitors, and in the case of the first event, prelude-correlator has correctly identified – from the prelude-lml events – that a brute-force attack has occurred. In my example above, it’s also picked up that there was a successful login – this was me logging in with the correct password, but if this was a production system this may well be indicative of a brute-force attack resulting in a correctly-guessed password!

Where now?

This is just a quick overview of what’s possible with open-source IDS software. All the tools I’ve written about in this post are extremely configurable – prelude-lml for example can monitor many different types of logfile and can be configured with custom regular expressions to look for specific things. Many similar tools can be configured to send events to Prelude, which prelude-correlator can correlate as above. One thing I’ve not covered here is auditd, which has (via the audispd multiplexor) the ability to send to Prelude – something which I’ll cover in a future post.

]]> http://andys.org.uk/bits/2012/01/21/a-prelude-to-better-things-open-source-and-ids/feed/ 0 http://andys.org.uk/bits/2012/01/20/not-dead-just-sleeping/ http://andys.org.uk/bits/2012/01/20/not-dead-just-sleeping/#comments Fri, 20 Jan 2012 18:43:38 +0000 Andy Smith http://andys.org.uk/bits/?p=134 It’s been a while since I posted on here. It’s been a busy year – for reasons both good and not-so-good – but I’ve got a few ideas that I’ll be posting about over the next week or two.

For those interested in amateur radio (or wonder what it’s all about) – I also have http://m0vkg.org.uk/, which is where I post all my amateur radio-related thoughts and activities.

Luckily, it’s really easy to fix.

On RedHat-based systems, it’s a case of editing /etc/sysconfig/nfs. In there, by default you’ll find quite a few <service>_PORT=<port> entries, but they’re hashed out. For example:-

# Port rpc.statd should listen on.
#STATD_PORT=662

You can go ahead and uncomment the line, or if you wish you can change the port. Repeat this for the other <service>_PORT entries as required – you’ll want to do LOCKD_TCPPORT (if you’re using TCP), LOCKD_UDPPORT (if you’re using UDP), MOUNTD_PORT and STATD_PORT.

Once you’re happy, restart the services:-

/sbin/service portmap restart
/sbin/service nfs restart

Running rpcinfo -p should show the various NFS services now running on the ports specified in /etc/sysconfig/nfs:-

[root@nfs-server ~]# rpcinfo -p
program vers proto   port
100000    2   tcp    111  portmapper
100000    2   udp    111  portmapper
100011    1   udp    875  rquotad
100011    2   udp    875  rquotad
100011    1   tcp    875  rquotad
100011    2   tcp    875  rquotad
100003    2   udp   2049  nfs
100003    3   udp   2049  nfs
100003    4   udp   2049  nfs
100021    1   udp  32769  nlockmgr
100021    3   udp  32769  nlockmgr
100021    4   udp  32769  nlockmgr
100021    1   tcp  32803  nlockmgr
100021    3   tcp  32803  nlockmgr
100021    4   tcp  32803  nlockmgr
100003    2   tcp   2049  nfs
100003    3   tcp   2049  nfs
100003    4   tcp   2049  nfs
100005    1   udp    892  mountd
100005    1   tcp    892  mountd
100005    2   udp    892  mountd
100005    2   tcp    892  mountd
100005    3   udp    892  mountd
100005    3   tcp    892  mountd

Firewall rules should be somewhat easier to manage now.

For Debian and Ubuntu systems, you might find this link useful.

There’s plenty of free electronics simulators (such as gEDA), and some not-so-free (Multisim), but the learning curve for them is perhaps a bit too steep for the absolute beginner.

A few weeks ago I stumbled across the personal site of Paul Falstad, and his amazing array of maths and physics Java applets. Covering acoustics, signals processing, electrodynamics and even quantum mechanics, there’s bound to be something there to keep your entertained for far longer than is probably appropriate.

The Analogue Circuit Simulator (warning: Java applet will start straight away) is the one that’s sucked up most of my time – it’s full of features and examples, and is easy to use. It allows you to see the voltages and currents at all parts of the circuit, and even has scopes so you can watch values change over time.

As well as that, I’ve also found the 2D Electrodynamics applet useful for visualising how electromagnetic waves propagate.

Give them a try, although I’m not responsible for the amount of time you’ll inevitably lose doing so…

(Update (12.06.2009): I’ve had an email from Toby Foster’s brother, who’s pointed out that where I originally transcripted Toby as saying “About right”, he actually says “Well that’s bright”. I’ve updated the transcript to that effect)

Today is Doncaster’s brand-spanking-new Mayor‘s first day on the job, and his first engagement of the day was an interview with BBC Radio Sheffield‘s Toby Foster. I hope Mayor Davies didn’t think he was in for an easy ride for his first official interview, because that’s not what he got.

Over the course of seven and a half minutes, Toby Foster took Mr Davies’ election manifesto and pulled it apart, pointing out that he doesn’t know what ‘PC jobs’ there are in the council (Mr Davies’ reply being “the things that are usually advertised in the [...] Guardian”), that he can’t cut translation services for non-English speakers (Toby Foster: “It’s more than likely illegal, isn’t it?”. Peter Davies: “I dunno”), and that he hasn’t even though of the possible benefits of funding minority events such as the Gay Pride march (when asked how much money went to funding it, he replies “Haven’t got a clue, I haven’t looked into… I haven’t got the details”). On top of this, he admits that his cuts will mean job losses – which I’m sure the electorate of Doncaster will be happy to hear.

Click here for BBC’s Listen Again (at about the 1hr 57min mark), or here for just the interview (which I hope the BBC won’t mind me putting here). For those who can’t listen to the interview, I’ve transcribed the whole thing below.

(from BBC Radio Sheffield, 8th June 2009)

Toby Foster (BBC Radio Sheffield): Thanks very much for joining us. I said that we didn’t see it coming – did you see it coming? Did you expect to win?

Peter Davies: Well, well not really. A great friend of mine told me the night before I was going to get a great shock, and that I would win. I was thinking of saving the deposit at the time.

TF: I can imagine. What was it you think that made people vote for you?

PD: Well we were the only party who gave a distinctive agenda to the electorate. All the others talked waffle. I looked at all the leaflets, I couldn’t make anything of them all, they were all the same.

TF: You did give a distinctive agenda, you’re absolutely right, you made some real points on that. Let’s just have a look – let’s have a look at them shall we? The first one of course I think’s an easy one – you’re going to cut the mayor’s salary.

PD: That’s the first thing this morning

TF: Down to £30,000 a year. Now, some people could look at that Peter and say, well, you get more than that for running a supermarket these days. Surely a council deserves… a bit more respect?

PD: No, the council deserves somebody who’s going to run it properly, and it deserves somebody who’s prepared to give their services partly free, in a sense – at one time all local government councillors did all the free, er, it’s become a gravy train and I’m not prepared to be part of that.

TF: So what about the people who work for you? The deputy mayor, other people in the departments – are you cutting their wages as well?

PD: Er, well, I’ve discussed that with-, well not- not the people in the departments, I can’t- I’ve no control over what they’ve been given, but the deputy mayor and the rest of the cabinet will discuss that at, at the earliest opportunity.

TF: Well, you say you’ve no control over people in the departments, one of the big things on your campaign was that you’re going to cut ‘PC jobs’.

PD: Oh yeah, that’s a different thing altogether, er-

TF: Which jobs are those?

PD: Well, er, I’m going to look into that. Things like Diversity Officers, er, the things that are usually advertised in the Manchester-, well, it’s not the Manchester Guardian now – in the Guardian…

TF: Right, so have-, so, so hang on, so so there are politically…

PD: I mean, I can’t give you a full list at the moment, but I will…

TF: But that’s what you put on your manifesto – you must have had an idea on your manifesto what you were talking about?

PD: Yeah, yeah, all these people who are, sort of, controlling thought processes and this sort of thing, and er, erm… every department is riddled with this sort of nonsense these days.

TF: So currently then, this morning, Doncaster Council is riddled with people who are, who are doing this kind of nonsense, ah… and they’re on notice, are they? People are going to lose their jobs?

PD: Er, very likely.

TF: But we don’t know who they are, yeah? But certainly Diversity Officers…

PD: Obviously I… I’m… well, that sort of thing, yes.

TF: So, the Diversity Officer who’s getting ready for work this morning at Doncaster might as well not bother?

PD: Well, he’s… he’s in employment at the moment…

TF: But he won’t be for long?

PD: …I think, I think we ought to be talking about what we’re going to do sort of, er, now and, er, what I’ve discovered – that might be a more fruitful discussion.

TF: Well, I mean… these are the reasons people voted for you. Very bold points, as you said. Er, you’re going to cut translation services for non-English speakers – that’s a very bold point. It’s more than likely illegal, isn’t it?

PD: I dunno… again, I’ve got to find this out. It’s-

TF: Well it is – let me tell you it is, under the European Court of Human Rights it’s illegal.

PD: -Well, well, well let… we’ll look into this – we’re getting council’s opinion on what I can do and what I can’t do, and that’s…

TF: No, no, you said in your manifesto you would definitely do it.

PD: Yeah, well, I… well, I, er, if, if somebody comes in the way and stops me doing these things, then that is an insult to democracy.

TF: So what was the point of your manifesto? You might as well have said you were going to fly to the moon if you’re just going to say now that you can’t do it.

PD: No, look… I’m going to do my best to do it. If I can’t, I shall tell the electorate why I’ve not been able to do it, and who’s stood in the way of it. The-

TF: Well, the law’s standing in the way of it.

PD: -Just a minute, just a minute. The electorate clearly want me to do that. The law needs changing, then, doesn’t it?

TF: Well, you say the law needs changing-

PD: If we get a new government, then we might get rid of some of this ludicrous legislation, and be able to run our own country again.

TF: Okay, now you’re going to cut the number of councillors from 60 to 20.

PD: That is another difficulty, and the first-

TF: Can’t do it, can you?

PD: Er, well, we can appeal to their moral consciences-

TF: So you can’t do it, can you?

PD: Look, you keep telling me what I can’t do. I’ll find out what I can’t do, and if I can’t do-

TF: You are finding out now, I’m telling you, Peter, you can’t do it. You’d have thought you’d have thought of this before you started.

PD: This is quite a pointless discussion. Completely pointless.

TF: Why?

PD: Well – I’m sitting here telling you what I want to do, you’re telling me I can’t do it. I’ll find out – not from you, from other people – if I can do it or not.

TF: Why didn’t you look at to see-

PD: That’s where we go. And then we tell the electorate what’s going on.

TF: Why didn’t you look to see if you could do it before you asked people to vote on it?

PD: Because people want this to happen. And it’s time we-

TF: We all want free speech, Peter, but why didn’t you look into it to see if it could happen before you asked 14,000 people to vote on it? You know what’s going to happen – they got upset with the political processes in Doncaster before, they disliked Martin Winter. You’ve come along, you’ve waved this flag, knowing you can’t back any of it up and they’ve voted for you. How are they going to feel when they realise they’ve been hoodwinked?

PD: They’ve not been hoodwinked, I’m a man of my word, and I shall do everything that I can to put this into practice. And that is something that Doncaster’s not had before.

TF: You’re going to cut the Gay Pride funding.

PD: Yep.

TF: Erm, how much did Doncaster Council fund Gay Pride?

PD: Haven’t got a clue, I haven’t looked into… I haven’t got the details, I… I haven’t even started-

TF: Well that’s bright, isn’t it? So how much did… how much was it worth to Doncaster?

PD: How…er, what?

TF: The Gay Pride march. 8,000 people in town for a day.

PD: I don’t know. They can still come. There’s nobody stopping them coming.

TF: So you don’t know what it costs, you don’t know what it earns, but you’re banning it?

PD: I’m saying that… hard-pressed taxpayers money should not be spent on promoting any type of sexuality whether it’s straight or gay.

TF: But for all you-, but for all you know it could be making a fortune for the town – you don’t know, you’ve not even looked at it.

PD: Well, it, er… it may, it may or it may not, I’m telling you what I’m not doing, and again it was on the manifesto, it was quite clear people appeared to like what I was saying.

TF: Yeah, but the stuff on the manifesto we’ve already realised – you can’t do anything about it.

PD: I think it’s time we finished this interview, it’s quite pointless. I’ve… I… It’s really wasted… I wanted to say a few things this morning that might have been-

TF: Tell me what you want to say.

PD: …that people might have wanted to listen to.

TF: Tell me what you want to say.

PD: Well, I wanted to point out that this morning I was going to, er, see that two social workers were returned to the childrens hospital, er, which were taken away some time ago for some unaccountable reason. I was going to say we’re getting rid of Doncaster News at the earliest opportunity, and I also wanted to point out that this very weekend I’ve discovered that Doncaster is twinned with nine separate towns, er, that the Mayor… the ex-Mayor had a car, for what reason I don’t know. It’s quite reasonable that the Civic Mayor has a car, but why the elected Mayor has one, God only knows, er, and it looks to me like a Daily Telegraph moment, where I shall be discovering things every day that, er, can be got rid of.

TF: Okay… none of that really means anything, does it? Let’s have a look at Doncaster News. You’re getting rid of Doncaster News, that’s a, er, flyer… er, paper that goes to every home in the borough isn’t it, to tell them what you’re doing?

PD: Well, it was to distort… er, what Mayor Winter was doing, yes.

TF: So now you’re stopping communication with the people of Doncaster?

PD: No – communication will be through the Doncaster Free Press, though Radio Sheffield if we can get some sensible interviews-

TF: Heh.

PD: -and, er, the free newspapers.

TF: So the people who work on Doncaster News, then, are they out of work as well?

PD: I don’t know, I don’t… I, I, don’t know what their full… I’ve… I… I’ve not even got… been in the office yet, I’ve… I’ve not even-

TF: This is the problem, isn’t it-

PD: -had the briefing from the Chief Executive-

TF: You actually don’t understand the laws, you don’t understand-

PD: Okay, I’m stopping this interview, it’s a complete waste of time, er, you’re not asking any sensible questions, and er, I really don’t want to continue.

TF: Peter, all I’m asking is how you’re going to deliver on your election manifesto?

>Silence<

TF: Well, I can assure you, that’s going to be one of the easiest he gets.

The fun never stops in Doncaster, and today is no different – the Audit Commission has published the results of their snap Corporate Governance Inspection, carried out over the first few months of this year. It’s a frank assessment of the state of Doncaster Metropolitan Borough Council, and it’s not pretty.

Following well-publicised failings in the borough’s Children’s Services department, a complete lack of improvement in other areas and a history of poor governance – amongst other things – the Audit Commission made the decision to begin a Corporate Governance Inspection. This looks at how the Council is run, how the elected members (i.e., the mayor and the councillors) work and how the Council is providing services to the people of Doncaster. The report itself (warning: PDF) runs to around 40 pages, so I won’t go into detail, but here’s a summary:-

• Almost nobody escapes blame
• The Mayor – Peter Davies – is criticised, along with his cabinet, for not providing the leadership required of his office
• The rest of the councillors are taken to task for seeking to obstruct the Mayor and his cabinet from implementing their policies
• Some chief officers (i.e. paid, non-elected, non-political senior staff) are unable to effectively work together

There are a number of themes throughout the report, but the main one is that the Mayor and the remainder of the Council are constantly at loggerheads with each other, with some senior, long-standing elected members actively putting personal political ambitions before that of the people of Doncaster – the very people who elected them.

I’m personally no fan of Peter Davies – I don’t like him and that’s probably an understatement. Being a left-wing type, I disagree with virtually all of his policies and opinions, but in this case he doesn’t deserve most of the blame, despite even the report noting that his style and attitude do nothing to help matters. It’s the actions of a number of the councillors that are the crux of the problem, and the report suggests that although the majority of them are Labour councillors, it’s by no means limited to them.

So what next? Well, the Audit Commission has recommended that John Denham, the Communities Secretary, use the powers given to him by Section 15 of the Local Government Act 1999 – a recommendation that within minutes of the report’s publication he said he would be taking. This means that he could order the establishment of an ‘Improvement Board’ to drive improvements within the council, or put in measures to ensure the mayor and the councillors behave in a proper manner. This sounds a bit toothless, so the best bit is this: He can suspend some or all of the functions of the Executive and the Council, replacing them with commissioners appointed to carry out the suspended functions. That means (albeit temporarily) no mayor, no cabinet, and in theory no councillors.

Interestingly – although not surprising – just 22% of people in the recent Place Survey believed they could influence the decisions of Doncaster Metropolitan Borough Council. It’s obvious that the elected members have lost the faith of the electorate – if indeed they had it to start with. With the impending General Election, the people of Doncaster will also be voting for a candidate for their council ward, which means that 33% of the Council is up for re-election. In my opinion, to show that they understand how they’ve utterly failed the people of Doncaster, they should all step down immediately and let the people make the choices they deserve.

It’s often the case that there’s no easy way of installing a machine that doesn’t have any removable media. For instance, I have an old Compaq Deskpro EN that’s too old to support booting from USB, so using something like UNetbootin is out of the question. Luckily, there’s an an alternative, which is to PXE boot an installer over the network.

PXE (or Preboot eXecution Environment) is a means of booting a machine over a network,which conveniently removes any requirement for anything special on the machine that’s to be installed other than an network card. PXE boot (or network boot) support tends to be available in older machines that don’t support booting from USB, so it’s a very useful feature to be able to use.

There’s a very useful article on Debian Administration that covers configuring a Debian machine to act as a PXE boot server to serve out an etch installer. I personally run squeeze, so I’ve used the article as a basis for setting up a Debian squeeze machine to serve out a squeeze installer.

Installing the prerequisites

To start with, we need a TFTP server and a DHCP server. You might already have one (or both) of these installed already, but for the purposes of this we’ll assume that you haven’t. So, to get started, install the tftpd-hpa and dhcp3-server packages:-

apt-get install tftpd-hpa dhcp3-server

Configuring DHCPd

First, make sure that the tftpboot directory exists. This used to be /var/lib/tftpboot, but Debian now uses /srv/tftpboot. The installer should have created it, but just in case, check it exists and if create it if not.

The next step is to add a subnet declaration to /etc/dhcp3/dhcpd.conf for your network. A simple one will be something like this:-

subnet 192.168.51.0 netmask 255.255.255.0 {
       range 192.168.51.64 192.168.51.80;
       filename "pxelinux.0";
       next-server 192.168.51.1;
       option routers 192.168.51.1;
}

If you’ve already got DHCPd installed and configured, the two lines highlighted in green are the ones you need to add to your existing subnet declaration. The filename option tells PXE clients which file they need to request via TFTP, and the next-server option tells the clients the TFTP server they should use to get it.

Creating the PXE boot environment

Before we pull down any of the installer files, we need to create somewhere for those files to go, along with the PXE boot configuration. So, create the pxelinux.cfg and debian/squeeze/i386 directories:-

mkdir -pv /srv/tftpboot/pxelinux.cfg
mkdir -pv /srv/tftpboot/debian/squeeze/i386

Next, create the config for pxelinux in pxelinux.cfg/default:-

DISPLAY boot.txt

DEFAULT squeeze_i386_install

LABEL squeeze_i386_install
     kernel debian/squeeze/i386/linux
     append vga=normal initrd=debian/squeeze/i386/initrd.gz  --
LABEL squeeze_i386_linux
     kernel debian/squeeze/i386/linux
     append vga=normal initrd=debian/squeeze/i386/initrd.gz  --
LABEL squeeze_i386_expert
     kernel debian/squeeze/i386/linux
     append priority=low vga=normal initrd=debian/squeeze/i386/initrd.gz  --
LABEL squeeze_i386_rescue
     kernel debian/squeeze/i386/linux
     append vga=normal initrd=debian/squeeze/i386/initrd.gz  rescue/enable=true --
PROMPT 1
TIMEOUT 0

Then, create boot.txt in pxelinux.cfg, which is our boot menu:-

- Boot Menu -
=============

squeeze_i386_install
squeeze_i386_linux
squeeze_i386_expert
squeeze_i386_rescue

Finally, download the installer parts from the Debian FTP mirror:-

cd /srv/tftpboot/
wget http://ftp.uk.debian.org/debian/dists/squeeze/main/installer-i386/current/images/netboot/debian-installer/i386/pxelinux.0
cd /srv/tftpboot/debian/squeeze/i386
wget http://ftp.uk.debian.org/debian/dists/squeeze/main/installer-i386/current/images/netboot/debian-installer/i386/linux
wget http://ftp.uk.debian.org/debian/dists/squeeze/main/installer-i386/current/images/netboot/debian-installer/i386/initrd.gz

Final steps

Make sure that tftpd-hpa and dhcp3-server are running:-

service tftpd-hpa restart
service dhcp3-server restart

You should now be able to network boot machines into the Debian squeeze installer.

I’ve also put this on the Bits Wiki as a guide – feel free to have a look and add any notes you feel may be useful!

Yeah, that’s me, on my way out to work. I’ll ignore any comments about my shirt…

iproute2 is a suite of tools developed to unify the functions provided by the traditional tools in one place under the ip command. Interface configuration, routing and tunnelling can now all be configured and managed using the ip command.

Interface configuration

Historically, interfaces are managed using the ifconfig command, and to get an overview of the interfaces you’d type ifconfig -a. With iproute2, interfaces addressing is managed through the address subcommand – which, like the rest of the subcommands for iproute2 can be shortened Cisco IOS-style, as long as it’s unique. In theory this means you can use ip a, but the manual page refers to it as ip addr, which I’ll use here for clarity. So, the equivalent of ifconfig -a is the self-explanatory ip addr show, which if we’re not specifying a specific interface can be shortened to simply ip addr:-

[root@example ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc
      pfifo_fast state DOWN qlen 1000
    link/ether 00:d0:b7:2d:ce:cf brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.1/24 brd 192.0.2.255 scope global eth0

Most of this should be self-explanatory, and everything you would see with ifconfig -a you’ll see with ip addr.

Bringing up eth0 on a Linux box would usually consist of doing the following:-

[root@example ~]# ifconfig eth0 up
[root@example ~]# ifconfig eth0 192.0.2.1 netmask 255.255.255.0

With iproute2, control of interfaces themselves – both physical and logical – is through the link subcommand. Bringing up eth0 can be done with:-

[root@example ~]# ip link set eth0 up

Managing the addresses on an interface is through the aforementioned addr subcommand, so using our example again, we’d do something like this to add an IP to eth0:-

[root@example ~]# ip addr add 192.0.2.1/24 dev eth0

I’ve used CIDR notation in this example, but you can use the normal dotted quad format for the netmask if you wish.

This also makes adding multiple IP addresses to interfaces really easy. To add 192.0.2.2 to our example eth0 interface, you’d just do:-

[root@example ~]# ip addr add 192.0.2.2/24 dev eth0

Showing the addresses on our eth0 interface only will show that both the addresses are now there:-

[root@example ~]# ip addr show dev eth0
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc
      pfifo_fast state DOWN qlen 1000
    link/ether 00:d0:b7:2d:ce:cf brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.1/24 brd 192.0.2.255 scope global eth1
    inet 192.0.2.2/24 scope global secondary eth1

Removing an IP from an interface is also straightforward:-

[root@example ~#] ip addr del 192.0.2.2/24 dev eth0

Querying the interface again shows that 192.0.2.2 is no longer assigned to eth0:-

[root@example ~]# ip addr show dev eth0
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc
      pfifo_fast state DOWN qlen 1000
    link/ether 00:d0:b7:2d:ce:cf brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.1/24 brd 192.0.2.255 scope global eth1

Routing

Using netstat -rn is pretty much burned into the brains of most UNIX engineers, but luckily the iproute2 method is just as snappy. Routing management is handled with the route subcommand, and in line with addr and link, it can be shortened – ip r will work, but I usually settle for ip ro. The full command for showing the routing table is ip route show, but as with ip addr you can drop the show if you want to show the entire routing table:-

[root@example ~]# ip ro
192.0.2.0/24 dev eth0  proto kernel  scope link  src 192.0.2.1
default via 192.0.2.254 dev eth0

Adding and removing routes is accomplished with ip ro add and ip ro del respectively:-

[root@example ~]# ip ro add 10.0.0.0/16 via 192.0.2.253
[root@example ~]# ip ro del 10.0.0.0/16 via 192.0.2.253

One useful feature of ip route is the get function, which we can use to query the routing table for a particular network or address. In our example, querying for an address not on our local network shows that the route to it goes via our default gateway:-

[root@example ~]# ip ro get 1.2.3.4
1.2.3.4 via 192.0.2.254 dev eth0  src 192.0.2.1
    cache  mtu 1500 advmss 1460 hoplimit 64

Neighbours

arp -na is the traditional way you’d query the ARP table on a UNIX machine. You can accomplish this with iproute2 using ip neighbor (or ip neighbour for us not from the US), with ip n being the shortened extreme:-

[root@example ~]# ip neigh
192.0.2.3 dev eth0 lladdr 00:02:a5:1f:cb:2d REACHABLE
192.0.2.254 dev eth0 lladdr 00:09:43:bc:aa:80 REACHABLE

I’ll skip the example for this, but needless to say you can add and remove entries with ip neigh add and ip neigh del respectively.

A little helping hand

If you’re stuck, then the help argument can come in handy. If you specify help as an argument to ip itself, or to one of the subcommands, it’ll give you a quick overview of the options available. For example, for ip neighbor:-

[root@example ~]# ip neigh help
Usage: ip neigh { add | del | change | replace } { ADDR [ lladdr
          LLADDR ] [ nud { permanent | noarp | stale |
          reachable } ] | proxy ADDR } [ dev DEV ]
       ip neigh {show|flush} [ to PREFIX ] [ dev DEV ] [ nud STATE ]

Not forgetting IPv6…

I’ve purposely neglected to show any configuration of IPv6 addresses in this post, not because iproute2 can’t handle it, but for the exact opposite reason – the iproute2 suite will handle IPv6 addresses in exactly the same way as IPv4 addresses. All the commands used above can be used for both IPv4 and IPv6 configuration without any issues.

If there’s a reason you want to force the behaviour one way or the other, you can use the -4 and -6 switches. This isn’t needed normally, because when adding or removing an address, for example, iproute2 will happily recognise an IPv6 address instead of an IPv4 one. Where it does come in useful is if you want to limit the data returned in a query to just IPv6, or just IPv4. A real-world example of this is on one of my Linux machines, where ip -6 ro shows:-

[root@daedalus ~]# ip -6 ro
2001:470:XXXX:1::/64 dev eth0  proto kernel  metric 256  mtu 1500
  advmss 1440 hoplimit 0
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440
  hoplimit 0
default via 2001:470:XXXX:1::1 dev eth0  metric 1  mtu 1500 advmss
  1440 hoplimit 0

…which comes in handy if you’re only interested in the IPv6 routing table.

What next?

This post only really scratches the surface of iproute2 – I’ve just covered the iproute2 equivalents of the most-used commands. It’s capable of much, much more, such as setting up tunnels, managing multiple routing tables and configuring interfaces for multicast to name a few. I’ll be covering some of these in more depth in future posts.

Further reading

• The Linux Advanced Routing & Traffic Control HOWTO, which is probably the definitive guide when it comes to iproute2
• iproute2 on Wikipedia
• The Linux Foundation’s iproute2 page