Feb 5 15

asprom: assault profile monitor

by daimon

asprom is a firewall compliance scanner.

You define a profile of which services your network(s) should offer to users. The scanner automatically and regularly portscans your networks using nmap and reports any aberrations from the defined profile.

This functionality can be used to ascertain PCI-DSS, BSI-Grundschutz or DIN 27001 compliance of stateful firewalls.

Don’t be afraid – it is easily installed, very user-friendly and doesn’t require any knowledge besides basic tcp/ip concepts :-)

More info on its home page:


Feb 7 12

A transparent firewall for Intrusion Prevention and dDOS-Mitigation

by daimon

A customer was under a heavy DDoS attack, specifically a SYN flood. The service became unavailable because his (stateful) firewall cannot handle more than 128k concurrent sessions and began dropping legitimate ones.

We configured his Juniper firewall to protect the network from the SYN flood by limiting the maximum number of SYN packets per IP per second and the maximum number of open sessions per IP, and by enabling SYN proxying.

At first, the Juniper firewall handled the load easily, and service was restored. The volume of illegitimate SYN packets hit a ceiling at about 40 MBit/second. The number of sessions dropped to a more manageable value, but CPU usage was rising because of the work involved in tracking the connections to mitigate the SYN flood.

But the attack volume kept increasing. At about 60 MBit/second the Juniper reached its limits again; this time the CPU usage peaked.

I wanted to put another system in front of the firewall to relieve it of this cumbersome load. With a normal Layer 3 firewall this is difficult to do without provoking downtime, because you need another routing hop and are therefore forced to renumber your network range. But after some research I discovered that Linux iptables can filter at the bridge level, so this appliance doesn’t even need an IP address (except for management).

All you need to do to put this appliance into production is to place it physically in line between the uplink and the ordinary (routing) firewall.

read more…

Mar 11 11

OCFS2 vs. NFS: Benchmarks and the reality

by daimon

Virtual infrastructure needs shared storage for the virtual machine images if you want to do live migration and minimize storage needs. Of course, this shared storage must support concurrent file access and deliver the utmost performance.

So I set out to look for the ideal solution for my employer’s virtual infrastructure, which an earlier decision had based on Debian Squeeze, KVM and OpenNebula.

read more…

Dec 21 10

Xen to KVM (or physical, VMWare) Migration

by daimon

I will describe a way to migrate a Xen machine to KVM. Xen typically stores an image containing a single partition without kernel and bootloader, while KVM images more closely resemble physical machines, using a hard disk image with a partition table and an operating system with kernel and bootloader. read more…

Nov 26 10

How to shrink raw qemu / kvm images

by daimon

If you allocated too much hard disk space to your virtual machines and you’re running out of free space on your storage device, here’s how to reclaim space from your existing virtual machines. read more…

Nov 23 10

ARP resolution failures in Debian / Ubuntu

by daimon

When trying to connect to a Linux server with two interfaces in different subnets via multiple switches, under certain circumstances the server may be unreachable.

The problem has been identified as a faulty ARP lookup. When querying the “wrong” interface (i.e. the interface which is not en route) of the Linux server, you get an ARP reply with the “wrong” MAC address (i.e. the address of the interface which is bound to the other subnet). read more…

May 17 10

HowTo Secure a PHP server for shared hosting environments – Part 1

by daimon

Today, every Linux distribution is easily configured to serve PHP/MySQL pages. Normally, an Apache 2.2 server is installed with mod_php, which gives you the best performance and a relatively low memory footprint. This is great if you run your own server – but in a shared hosting environment there are some serious security implications:

  • The PHP scripts are run in the context of the Apache user. Therefore, PHP scripts from one user have complete access to other users’ webroots (safe_mode is broken, open_basedir is deprecated).
  • Because of this, the Apache user has to have complete read/write access to all webroots. If your Apache becomes compromised, so are all your users’ webroots. That, in turn, becomes much easier through all the exposed applications of your users (undoubtedly ridden with security holes), which aren’t under your control.
  • For your users to be able to upload/change their files via FTP _and_ the Apache user to have complete write access, you either have to use virtual users for FTP and in fact grant the FTP user full access to all webroots (chroot environments can be broken!) – or you have to assign ridiculous umasks (e.g. 000).

read more…

Mai 7 10

Resolving “STOP ERROR 0x0000007f” Windows 2003/2008 Guest on KVM

by daimon

When running Windows 2K3/2K8 guests on top of the KVM hypervisor, I experienced occasional bluescreen glitches. The guest operating system needed rebooting. This issue happens across different physical host environments, all of them enterprise-grade (i.e. RAM with ECC correction). It also happens across KVM versions ranging from 72 (Debian lenny default) to qemu-kvm 0.11.1 (Ubuntu karmic default).

read more…