Syslog aka System Log

Leave a reply

In the last post we talked about how syslog is the central method for logging messages.  It really saves us from having to search all over the system for logs and it also lets the developer log messages without writing their own way of doing it.

Now for the big question, what does syslog do with all those messages?

That’s a good question, we still don’t want to be searching for those messages on our Linux® system.

Looking for the Logs in all the wrong places

Looking for the Logs in all the wrong places

Luckily for us, syslog has a configuration file that tells us everything we need to know.  That file is often in /etc/syslog.conf, but depending on your system, it might be somewhere else.  Check the man page for syslogd (that’s the actual program that does the logging) and it will tell you where the file is.  No matter where it’s located, it bas the same purpose.  To tell you where messages are put, based on the priority or the facility.

We know what the priority is, we saw that last time.  What’s the facility?  That’s the purpose of the program making the log message.  For example, if e-mail is logging, then the facility is mail.  If the Linux® kernel is logging, then the facility is kernel.

We know that emerg messages are ‘OH NO THE SYSTEM IS GOING DOWN’, so we probably want to see those on the screen, not shoved away to a log file.    The configuration that does that looks like:

*.emerg							/dev/console

What about mail messages?  Those we would like to put in a file.  It ‘s standard on most Linux® systems to put log messages in /var/log/.  So we’ll put all our messages from the mail system in one place.

mail.*                      /var/log/mail

You can get really complex with the configurations, you want to put mail.debug in one place, mail.alert somewhere else, then you can also put duplicates of everything in a third.  Or you can just stick them all in one place.  The person running the system usually decides this and often the decision is made to leave the defaults alone.  What are the defaults?  Those are the configurations that the system has when everything is first installed.

 

Logging

Leave a reply

I bet every time Iron Man does something in his suit, Jarvis makes a note of it.  ‘Shot a Chitauri out of the ski’, ‘did a flip’, ‘took Pepper on a flight’.  That way if something goes wrong, there’s a record of it.  In the computing world, this is called logging.

Making a note every time a computer does something interesting is a good thing.  If something breaks, you have notes that will hopefully let you figure out what happened.  If every program on your computer logged differently, that would be a nightmare, especially if they all put their logs in different places.  Troubleshooting would not be fun.

Instead, Linux® has a program that will do the logging for you.  You just tell syslog what you want to log and how important it is.  Then the syslog daemon will take care of everything for you.   The importance of a message, also known as the priority, has several defined meanings.

From the syslog man page, we can see the list:

  • LOG_EMERG system is unusable
  • LOG_ALERT action must be taken immediately
  • LOG_CRIT critical conditions
  • LOG_ERR error conditions
  • LOG_WARNING warning conditions
  • LOG_NOTICE normal, but significant, condition
  • LOG_INFO informational message
  • LOG_DEBUG debug-level message

A message logged with the level LOG_EMERG means ‘Danger!  Eek!  Fix me now!’ or ‘It’s too late, we’re going down Iron Man!’.  It can happen when the hard drive decides to fail dramatically.  The syslog can scream ‘Dead Hard drive ahead!’ then fall over dead.

That’s not exactly what happens, but it sounds fun!  My computer yelling ‘Dead Hard drive ahead!’ would certainly get my attention.

On the other end of the list is the LOG_DEBUG message.  Debug messages are usually used by developers, that is, the people who make the programs that run on your system.  The developers use them to debug, that is, find the bugs in their code.  These aren’t literal bugs, of course, but rather things that are unexpectedly happening that shouldn’t be.

Actual bug not found in computer

Actual bug not found in computer

Next time we’ll talk more about logging and syslog.

Public Key Cryptography

Leave a reply

We talked about how in cryptography you want your key to be complex so people can’t guess it.  Otherwise, why encrypt if they can figure out how to decrypt it easily?  We need another play to fix this. We’re going to talk about that other plan, it’s called Public Key Cryptography.

Public Key Cryptography means I have a public cryptography key.

Public Key

Public Key

I can use that to encrypt anything I want, but I can’t use it to decrypt anything.  It’s like having a key to your house that will only lock doors, but not unlock them.  I can lock the house up when I leave, but there’s no way for me to get back inside.  This means I can share the key because there’s no worry that someone will break in using it.  In Public Key Cryptography, I share my public key with the world and they can encrypt things they want to send me.

Private Key

Private Key

This is my private key, it’s purple because that’s my favorite color and this is my favorite key.  It’s the one I can use to unlock doors, or in encryption terms, I can use it to decrypt anything that’s encrypted with my public key.

This sounds pretty safe, right?  It’s actually used in something called Pretty Good Privacy so we’ll call it Pretty Safe Public Key Cryptography.  Well, not really, the real name doesn’t have Pretty Safe as part of it, but it’s still a good name.

It’s also used in web traffic.  If you go to a website using https:// rather than http://, you’re making a secure connection that encrypts your traffic.  That’s done using Public Key Cryptography, it’s just under the hood so you don’t see it.

Pretty cool, right?

 

Encryption and Cryptography

Leave a reply

Encryption and cryptography are two words we hear all the time. We want to hide our information from prying eyes. Cryptography is the math that makes it work, encryption is the process that does the work. We’re not going to talk math, I promise. We’ll talk encryption instead, that’s more fun.

Encryption and cryptography are two words we hear all the time. We want to hide our information from prying eyes. Cryptography is the math that makes it work, encryption is the process that does the work. We're not going to talk math, I promise. We'll talk encryption instead, that's more fun. <KEY/Lock> Let's start with two kinds of encryption. One way encryption and two way encryption. If I encrypt something with a one-way method, then I can't get it back. It's like locking a padlock then throwing away the key. That sounds silly, right? Why on earth would I lock a padlock and throw away the key? Well, this being computers it's not exactly like locking a padlock and throwing away the key. When you use one-way encryption, what you get back is a unique combination of characters that means eactly what you encrypted. You can't decrypt it to find out what it was to begin with, but you can encrypt a word and see if it matches that weird looking string of characters you have.

Lock and Key

Let’s start with two kinds of encryption. One way encryption and two way encryption. If I encrypt something with a one-way method, then I can’t get it back. It’s like locking a padlock then throwing away the key.

That sounds silly, right? Why on earth would I lock a padlock and throw away the key?

Well, this being computers it’s not exactly like locking a padlock and throwing away the key. When you use one-way encryption, what you get back is a unique combination of characters that means eactly what you encrypted. You can’t decrypt it to find out what it was to begin with, but you can encrypt a word and see if it matches that weird looking string of characters you have.

Sounds weird, right? It’s actually the method used for passwords. That way no one has any idea what your password is, they just know what the hash looks like. You type your password in, the system encrypts it and compares it to what they have on file. If it matches, then bingo, you’re in.

Here’s an example, suppose Tony Stark’s password is ShellHead. Then the password could look like:

$_OIhfVvnK$.UYVFlACkTI

That doesn’t look anything like ShellHead, does it? So figuring out what the password is just by looking at that is impossible.

Suppose I type in ShellHea instead of ShellHead. Then the password could look like:

$_jCoO/YKY$GeTermseGL2

That isn’t anything like ShellHead’s password, so I’m not getting in.

How do people break passwords then? It’s called a dictionary attack. They run through all the words in the dictionary in various combinations and encrypt each one. Then they compare it to the password string of characters and if it matches, they have your password.

That’s why choosing a good password is so important! You don’t want people breaking into your system, do you? Imagine the damage someone could do if they broke into Batman’s computer.

More DNS Records

Leave a reply

In the last post we talked about some common DNS records.  There’s more DNS records to talk about but we’re going to only talk about the common ones.  This is a good thing, because there’s 39 of them.  We could be talking about more DNS records for quite some time.

Suppose you have a domain, let’s call it rhodey.example.com.  We know that rhodey.example.com is always going to do what the domain tonystark.example.com does.  So if we change tonystark.example.com’s IP address, we have to and change the IP address for rhodey.example.com.

Rhodey and Tony Stark at work

Rhodey and Tony Stark at work

We’re lazy though, we don’t want to have to do that every time.  Plus, fumble fingers me could get the IP address wrong for rhodey.example.com.   Instead, I’ll use the CNAME record.  That’s the record that let’s one domain say ‘hey, what that domain over there is doing, I want to do.’

There’s no rule that a CNAME record has to exist.  We can find them using:

Alpha:~ computerlamp$ host -t CNAME google.com
google.com has no CNAME record

There’s nothing there!  Well, I said there’s no rule that something had to be there, and nothing’s there.  You should try it with some of your favorite domains and see if they have a CNAME.

The next record we’re going to talk about (and the final one, for now) is the TXT record.   That’s read as ‘text’.  It was meant for human readable information to be stored in DNS, but these days it’s most often used for machine readable information.  Which is kind of boring.

Let’s try one out:

Alpha:~ computerlamp$ host -t TXT akamaihd.net
akamaihd.net descriptive text "This" "is" "not" "the" "nameserver" "you" "are" "looking" "for."

Aww, and I was looking for Artoo Detoo.

TXT records aren’t required either.  Look what happens when I try:

Alpha:~ computerlamp$ host -t TXT theavengers.com
theavengers.com has no TXT record

 

DNS Records

Leave a reply

We know what MX records are, we know what SOA records are, so now we want to learn what other records are available. Every time you query DNS for something, you’re asking for a record and according to Wikipedia there are 39 record types.  Not all of these are commonly used, so let’s talk about the common ones.

When you ask a name server for an IP address for a domain, you’re asking for an A record.  The way to make this query is:

Alpha:~ computerlamp$ host -t A www.google.com
www.google.com has address 209.85.144.105
www.google.com has address 209.85.144.103
www.google.com has address 209.85.144.147
www.google.com has address 209.85.144.106
www.google.com has address 209.85.144.99
www.google.com has address 209.85.144.104

See that -t flag?  That tells the command host to look for the record type A.

We’ve discussed name servers before too.  How do I find out the name servers for google.com?  The DNS record to query for a name server is the NS record.  That means the query looks like:

Alpha:~ computerlamp$ host -t NS www.google.com
google.com name server ns1.google.com.
google.com name server ns2.google.com.
google.com name server ns3.google.com.
google.com name server ns4.google.com.

If you can ask for an IP address for a domain, can you ask for a domain if you have an IP address?  Well, yes, you can.  That’s a PTR record.  That’s pronounced pointer record, by the way.  It’s the reverse of an A record and is known as a reverse lookup.

And once again, you can look it up with the host command:

Alpha:~ computerlamp$ host -t PTR 209.85.144.105
105.144.85.209.in-addr.arpa domain name pointer qv-in-f105.1e100.net.

There’s a couple of weird things about that response.  First of all, I used an IP address from the responses for www.google.com, but I got a different domain back.  Which is actually just fine.  One IP address can have a lot of domains with A records for it, but only one reverse record.

Second, it reversed my domain!   You see that

105.144.85.209.in-addr.arpa

response?  That looks weird, doesn’t it?  Well, it’s one of the underpinnings of DNS that makes all things work nicely.  All PTR records are in the domain in-addr.arpa.  Remember, it’s the Domain Name System, so there has to be a domain. We take that IP address, reverse it so that instead of 209.85.144.105 we get 105.144.85.209 and stick it in front of that domain.  That’s what we’re actually querying for when we make a reverse lookup.

 

Back to the SOA Record

Leave a reply

In the past two posts we talked about the SOA record.  In this post, we’ll finish it.  The last parts of the SOA record are refresh, retry, and expire.  These are all numbers that note the number of seconds.  Each one does a different thing, but they all work together.

Refresh is the number of seconds the secondary name servers wait before asking the primary name server ‘do you have any updates for me?’.  You don’t want the primary to be drowned in requests of ‘got anything got anything got anything?’.  It’s like the two year old younger brother asking you constantly.  That’s annoying.  So we set the refresh of a domain.

The next number is the Retry.  Now suppose I ask my Mom ‘Can I have a new Xbox?’ and I don’t get a response.  How long should I wait so I don’t annoy her?  For a domain, that’s the ‘I didn’t get an answer from my primary name server, how long do I wait before asking again?’  Asking Mom repeatedly for an Xbox (especially if she doesn’t respond) is just going to make her mad.  Overloading a name server with repeated requests can do the same thing.

The Retry time must be less than the Refresh time.  Otherwise, I’m waiting longer than I should to re-ask than when I’d actually be doing my asking to begin with.

Now if my Mom doesn’t respond to me about the Xbox, how long should I wait until I give up on her ever responding?  (With my Mom, that’s infinity.  She’ll just ignore what she calls silly questions.) With domains, that’s Expire.  That tells the secondary server when to give up.  It’s usually a long time and the number has to be bigger than refresh or retry.  If it’s less than retry, then the secondary server is going to go ‘eh, why bother retrying, he’s dead Jim’.  Same with Refresh.  If it’s less than Refresh, then the secondary server is never going to bother trying.

Now for the last number, the TTL.  TTL stands for Time To Live.  This doesn’t actually anything to do with zone transferring.  Surprise!

It has to do with people querying the domain.  When I query a domain and get an IP address, the TTL tells me how long do I believe that response.  If it’s set to 300, then I believe that response for 5 minutes, at which time I have to query again.

It took us three posts, but we covered the SOA record!  In the next post, we’ll talk about other records used in DNS.

 

 

 

 

DNS and Serial Numbers

Leave a reply

In the last post we started talking about the SOA record in DNS and the serial number used in a zone file.  I promised that in this post we’d talk about why we use serial numbers.

Hint:  It’s to cut down on traffic.

Chaos in the Traffic

Chaos in the Traffic

These days it seems you can stream anything, play games, play music, and there’s always enough bandwidth to go around.  What’s bandwidth?  That’s the size of your connection to the Internet and connections within the Internet.  In the old days, the amount of bandwidth was really small.  You could sit at a terminal and type things on a connection far away and hit a key, wait for it to appear, hit the next key, wait for it to appear.

Slow typing

Slow typing

In other words, there wasn’t much bandwidth available.

People came up with tricks to reduce bandwidth usage and one of those tricks was a serial number.

An operation name servers use to share zone files amongst themselves is called a zone transfer.  You can imagine that some of these files get really big.  If there isn’t a lot of bandwidth, then constantly passing those files back and forth is a bad thing.

Instead, you have the serial number and you ask the other side ‘excuse me, has your serial number increased from the value I have here?’ and if the answer is ‘yes’, then the zone transfer occurs.  Otherwise, the zone file stays where it is.

This means that when the administrator makes any change to the zone file, he has to update the serial number in order for the transfer to happen.

Now for the obvious question:  Can everyone do zone transfers?

Well, the answer is no.  It’s a security problem if we do let everyone transfer.

Who can do transfers?  Like we said before, there’s a master name server listed in the SOA record.  We also know that most domains have more than one name server. For example, Google has four:

  • google.com name server ns3.google.com.
  • google.com name server ns1.google.com.
  • google.com name server ns2.google.com.
  • google.com name server ns4.google.com.

Imagine having to update the zone file on each one of those.  No thank you!  That’s what the master name server is for, you update that name server and then the other three can zone transfer your zone file from it, assuming the serial number has increased.  Those other three name servers are called slaves to the master name server or secondaries to the primary name server.  We’ll call them secondary or secondaries.  It’s an older term, but I like it.

DNS and SOA record

Leave a reply

We talked about DNS before and we talked about MX records and mail and DNS but now we’re going to talk about what else DNS can do.  Email uses the MX record type but there are a lot more record types for DNS out there than just mail.  In this post, we’re going to talk about one particular record, the SOA record.

Every domain has an SOA record, also known as a Start of Authority record.  Isn’t that a spiffy name?  Sounds like the delegation of authority in a business.  I shall start your authority here and here only!

I am your Start of Authority!

I am your Start of Authority!

Every domain has a zone file that’s created by the administrator.  The top of that zone file has the SOA record and the rest of the zone file has all the records for the domain.

The SOA record that defines information about the domain itself.  It includes the name for the master name server, that’s the names server that is the be-all and end-all of information for the domain. Think of it as the server that is always going to have the real and true information of the domain.

It also includes an email address for the administrator.  This looks like a domain.  Like:  hostmaster.example.com.  That doesn’t look like an email address, where’s the @ sign?  Well, the first information before the dot is the email address, everything after it is the domain where the email is sent to.  That means that hostmaster.example.com is the email address hostmaster@example.com.

It also has a serial number for the domain.  Every time you make a change in the zone file, you change the serial number.  In the next post, we’ll talk about why the creators of DNS used this.

 

Botnets

Leave a reply

A phrase often heard on the news is a botnet. That’s another scary name, like ransomware. It sounds like there’s lots of robots lurking on the Internet as a great big network of trouble.

That’s true and not so true. It is a scary sounding name but the truth is that a botnet is a collection of computers, all of which were infected by the same malware to do the same thing for a controller.

It would be more fun if there were actual robots on the Internet, but since the Internet is a network of information and there’s currently no way for robots to run around on it, instead we have infected computers.  Though imagining R2D2 and BB-8 running around on the Internet is awfully fun.

BB-8 and R2D2 are not part of a botnet

BB-8 and R2D2 are not part of a botnet

The main controller for these computers use botnets to do their bidding.  They send spam, attack with a DDOS, or any other way they can make money.

Your computer can be part of a botnet and you won’t even know it. That’s a dangerous thing. You become a part of a botnet when your computer  by you clicking on a link and downloading software that adds you to the botnet. The scary thing is that your computer can also be hit because it’s on the same network as an infected computer. If your sibling’s computer is part of the network, it’s going to try to infect yours and it might happen without you knowing it. A good firewall configuration can help.

There’s several famous botnets, they’re famous (or infamous) for the damage they’ve done or the size of them.  These include Grum, ZeroAccess, Windigo, Cutwail, Conficker and Kraken.  I have one question about these botnets… who names these things? I think if I named one I’d name it ‘TeamAwesome Botnet’.

There’s another famous one known as the Mirai botnet.  The reason it was so scary is that it wasn’t computers that were part of the botnet, it was the devices in your home that are on the Internet that were part of the botnet. Things like routers, heating controllers, refrigerators, and even lightbulbs. It was the first major attack that used these devices and it took down a lot of important websites.

So, in summary, there are no robots running amok on the Internet, but there are a lot of computers acting bad.