Java Zero Day Flaw Under Attack

Taken from  Experts Suggest Disabling Java after Zero-Day Flaw Discovery

Security firm FireEye released information yesterday on a Java flaw that has been seen in targeted attacks in the wild, and has been tested to work on most major Web browsers for both Mac and PC.

According to researchers, all versions of Java (including the Java 7 Update 6) are susceptible to attack, and can lead to the installation of malware on a system.

The hole is due to an issue in how the "setSecurityManager()" function in Java is called. Attackers can exploit this issue and set its own privileges on a targeted system, allowing the downloading and execution of malicious software. 

Read on for more information.........

Proposed workaround:

1. Read US-CERT Vulnerability Note VU#636312

Other Information:

1.  Warning: Java Zero Day Flaw Under Attack

Persistent VNC Session for users for CentOS

If you are intending to setup a persistent VNC Session for selected users, you can edit the global settings at /etc/sysconfig/vncservers.

# vim /etc/sysconfig/vncservers 

# The VNCSERVERS variable is a list of display:user pairs.
#
# Uncomment the lines below to start a VNC server on display :2
# as my 'myusername' (adjust this to your own).  You will also
# need to set a VNC password; run 'man vncpasswd' to see how
# to do that.
#
# DO NOT RUN THIS SERVICE if your local area network is
# untrusted!  For a secure way of using VNC, see this URL:
# http://kbase.redhat.com/faq/docs/DOC-7028

# Use "-nolisten tcp" to prevent X connections to your VNC server via TCP.

# Use "-localhost" to prevent remote VNC clients connecting except when
# doing so through a secure tunnel.  See the "-via" option in the
# `man vncviewer' manual page.

# VNCSERVERS="2:myusername"
# VNCSERVERARGS[2]="-geometry 800x600 -nolisten tcp -localhost"

VNCSERVERS="2:user1"
VNCSERVERS="3:user2"
VNCSERVERARGS[2]="-geometry 1280x800 -depth 16"
VNCSERVERARGS[3]="-geometry 1024x768"

Once done, you just restart the vncserver services

# service vncserver restart

Changing the screen size of vnc client using command line

If you are using vnc client like Real VNC, you can easily change the size of the vnc screen by clicking scale to window size, something like the screen shot below.

But if you wish to use the command line to determine the size, you can set the screen by specifying

# vncserver -geometry 1280x800

You can verify the size by using the command by using the command

# xdpinfo -display :display_number

  dimensions:    1280x800 pixels (325x203 millimeters)
  resolution:    100x100 dots per inch
  depths (7):    1, 4, 8, 16, 24, 32, 16

  root window id:    0x3a
  depth of root window:    16 planes
  number of colormaps:    minimum 1, maximum 1
  default colormap:    0x20
  default number of colormap cells:    64
  preallocated pixels:    black 0, white 65535
  options:    backing-store YES, save-unders YES
  largest cursor:    1280x800...
   ...
   ...
   ...

Installing and compiling LimitCPU

LimitCPU is a program to throttle the CPU cycles used by other applications. LimitCPU will monitor a process and make sure its CPU usage stays at or below a given percentage......

Compiling and Installing is not difficult. Do look at the README

# cd cpulimit-1.7
# make
# make install

To remove the installation, do

# make deinstall

Common Usage
With Reference to LimitCPU README

1. For  example, if you wish to cap the cpu usage to 50% for processor 12345

# cpulimit -p 12345 -l 50

2. If you wish to run LimitCPU in the background

# cpulimit -p 12345 -l 50 -b

3. If you wish to limit running processes based on their name instead of their process ID. The below example will keep an eye on "bigexe" and, if the application quits and another program called "bigexe" is run, LimitCPU will monitor the new process too. Pretty cool eh

# cpulimit --exe /usr/bin/bigexe --limit 50

4. If you wish to only track the first program and then exit

# cpulimit --exec /usr/bin/bigexe --limit 50 -z

Installing GPFS 3.4 Packages on a Linux Client

In this work-in-progress tutorial, I will write how to install the General Parallel File System (GPFS) packages and compile portability layer (gpfs.gplbin) for each kernel or  architecture. For more information, see Installing GPFS 3.4 Packages on a Client

Do read Adding nodes to a GPFS cluster

Adding Nodes to a GPFS Cluster

I fumbling how to setup a GPFS Cluster and has written a simple tutorial from my experimentation. See Adding Nodes to a GPFS Cluster.

runmmfs: Unable to verify kernel/module configuration.

Taken from GPFS Determination Guide

If you are running General Parallel File System, you may encounter the error found at/var/adm/ras/mmfs.log.latest

 This problems occurs if:

1. The portability layer is not built.
2. The GPFS kernel modules, mmfslinux and tracedev, are built with a kernel version that differs from that of the currently running Linux kernel. This situation can occur if the modules are built on another node with a different kernel version and copied to this node, or if the node is rebooted using a kernel with a different version.

Mon Mar 26 20:56:30 EDT 2012: runmmfs starting
Removing old /var/adm/ras/mmfs.log.* files:
Unloading modules from /lib/modules/2.6.32.12-0.6-ppc64/extra
runmmfs: The /lib/modules/2.6.32.12-0.6-ppc64/extra/mmfslinux.ko kernel extension does not exist.
runmmfs: Unable to verify kernel/module configuration.
Loading modules from /lib/modules/2.6.32.12-0.6-ppc64/extra
runmmfs: The /lib/modules/2.6.32.12-0.6-ppc64/extra/mmfslinux.ko kernel extension does not exist.
runmmfs: Unable to verify kernel/module configuration.
Mon Mar 26 20:56:30 EDT 2012 runmmfs: error in loading or unloading the mmfs kernel extension
Mon Mar 26 20:56:30 EDT 2012 runmmfs: stopping GPFS

Tiny Green PC - Fit PC3 Pro

Tiny Green PC has come up with a range of incredibly minature, fanless computers that claimed to run 24 x 7 and the price is fantastic!

Look at the Fit PC3 specification and picture below

1. AMD G-Series @1.65GHz
2. Radeon HD 6320 GPU
3. Up to 8GB DDR3
4. 250GB HDD + eSATA x2
5. HDMI + DisplayPort, 2560x1600
6. 12V supply, 7-15W
7. WiFi 802.11b/g/n + BT 3.0
8. 1000Mb Ethernet
9. USB3.0 x2 + USB2.0 x6
10. Audio I/O
11. RS232 + IR
12. FACE Modules expansion
13. Price (Look at website for latest pricing)

Look at their Intense PC

1. Intel Core CPU @1.7GHz
2. Intel HD Graphics GPU
3. Up to 16GB DDR3
4. 500GB HDD + eSATA x2
5. HDMI + DisplayPort, 2560x1600
6. 12V supply, 9-26W
7. WiFi 802.11b/g/n + BT 3.0
8. 1000Mb Ethernet x2
9. USB3.0 x2 + USB2.0 x6
10. Audio I/O
11. RS232
12. FACE Modules expansion
13. Price (Look at site for latest pricing)

Finding yum install for rpmlibs

If you are looking to install rpmlibs, you can do

# yum install rpm-devel

=======================================================================================
 Package         Arch        Version                                Repository    Size
=======================================================================================
Updating:
 rpm-devel       i386        4.4.2.3-28.el5_8                       updates      1.2 M
 rpm-devel       x86_64      4.4.2.3-28.el5_8                       updates      1.3 M
Installing for dependencies:
 xz              x86_64      4.999.9-0.3.beta.20091007git.el5       base         146 k
 xz-libs         x86_64      4.999.9-0.3.beta.20091007git.el5       base          95 k
Updating for dependencies:
 popt            i386        1.10.2.3-28.el5_8                      updates       76 k
 popt            x86_64      1.10.2.3-28.el5_8                      updates       78 k
 rpm             x86_64      4.4.2.3-28.el5_8                       updates      1.2 M
 rpm-build       x86_64      4.4.2.3-28.el5_8                       updates      303 k
 rpm-libs        i386        4.4.2.3-28.el5_8                       updates      929 k
 rpm-libs        x86_64      4.4.2.3-28.el5_8                       updates      925 k
 rpm-python      x86_64      4.4.2.3-28.el5_8                       updates       64 k

Transaction Summary
=======================================================================================
Install      2 Package(s)
Update       9 Package(s)
Remove       0 Package(s)

Total download size: 6.3 M
Is this ok [y/N]:

Importance of configuring ifcfg-ethX properly to resolve DNS

I have an interesting problem today. I have configured my compute nodes to access the public network via the head node as the gateway. A good tutorial can be found from
Using iptables to allow compute nodes to access public network from Linux Cluster Blog.


Occasionally, 1 or 2 nodes will not be able to resolve even though /etc/resolv.conf is configured correctly. It seems that only after putting in the localised DNS at /etc/sysconfig/network-script/ifcfg-ethX at the compute node, it was able to resolve.

DEVICE=eth0
BOOTPROTO=static
HWADDR=E4:1F:13:CC:51:54
ONBOOT=yes
HOTPLUG=no
IPADDR=192.168.5.17
NETMASK=255.255.255.0
GATEWAY=192.168.5.1
DNS1=155.1.1.2
DNS2=155.1.1.3
PEERDNS=yes

I suspect it could be due to the multiple NIC with multiple network segment issues and localised DNS resolution at network level.

Take a look at  Redhat Document 8.2 Interface Configuration Files

Programmable Data Centre

This is an interesting article on programmable data centre titled "The Rise of the Programmable Data Center". To quote the aricle

In order to address these issues, there’s a movement afoot to create the “programmable data center,” where an IT administrator can more holistically manage servers, storage, and networking components. While still in its relative infancy, a number of vendors have expressed interest in the movement’s underlying concepts, all but ensuring its growth in coming years

Do read up.

libimf.so: cannot open shared object file: No such file or directory

If you are encounter a problem

mpicc: error while loading shared libraries: libimf.so: cannot open shared object file: No such file or directory.

 The solution can be easily solved by the following:

# touch /etc/ld.so.conf.d/intel.conf

# vim /etc/ld.so.conf.d/intel.conf  

Inside /etc/ld.so.conf.d/intel.conf

/opt/intel/lib/intel64

Tunable TCP/IP kernel options

Linux has placed each of the tunable kernel variable into the /proc virtual filesystem. The networking variables are in /proc/sys/net/ipv4. Here are some of the trimmed list.

# cd /proc/sys/net/ipv4

# ls -F

......... 

tcp_abc                           tcp_keepalive_time    tcp_sack
tcp_abort_on_overflow             tcp_low_latency       tcp_slow_start_after_idle
tcp_adv_win_scale                 tcp_max_orphans       tcp_stdurg
tcp_allowed_congestion_control    tcp_max_ssthresh      tcp_synack_retries
tcp_app_win                       tcp_max_syn_backlog   tcp_syncookies
tcp_available_congestion_control  tcp_max_tw_buckets    tcp_syn_retries
tcp_base_mss                      tcp_mem               tcp_thin_dupack
tcp_congestion_control            tcp_moderate_rcvbuf   tcp_thin_linear_timeouts
tcp_dma_copybreak                 tcp_mtu_probing       tcp_timestamps
tcp_dsack                         tcp_no_metrics_save   tcp_tso_win_divisor
tcp_ecn                           tcp_orphan_retries    tcp_tw_recycle
tcp_fack                          tcp_reordering        tcp_tw_reuse
tcp_fin_timeout                   tcp_retrans_collapse  tcp_window_scaling
tcp_frto                          tcp_retries1          tcp_wmem
tcp_frto_response                 tcp_retries2          tcp_workaround_signed_windows
tcp_keepalive_intvl               tcp_rfc1337
tcp_keepalive_probes              tcp_rmem

.....................

To make changes on the fly, you can just simply echo the value and pipe it to the options. For example,

# echo 1 > /proc/sys/net/ipv4/ip_forward

Modifying users group on the fly

This is a simple entry but sometimes tend to forget until I do a man page. Adding a users to a group cannot be easier on Linux

If you are adding a user to a secondary group, use the flag -G

# useradd -d /home/users -g users -G g09 user1

If you are modifying a user from a secondary group, use the flag -G

# usermod -G g09 user1