Sunday, October 25, 2015

Learning Java Eden Space

If you have been a java developer and you should came across java garbage collection that free the object created by your application from occupied all the java heap. In today article, we will look into java heap and particular into java eden space. First, let's look at the general java heap.

From this StackOverflow

Heap memory

The heap memory is the runtime data area from which the Java VM allocates memory for all class instances and arrays. The heap may be of a fixed or variable size. The garbage collector is an automatic memory management system that reclaims heap memory for objects.

Eden Space: The pool from which memory is initially allocated for most objects.

Survivor Space: The pool containing objects that have survived the garbage collection of the Eden space.

Tenured Generation: The pool containing objects that have existed for some time in the survivor space.

When you created a new object, jvm allocate a part of the heap for your object. Visually, it is something as of following.

                   |     |  
   <-minor gc->    v     v   <------------- major gc---------------------->  
   |            |     |     |                                              |             |
   | Eden       | S0  | S1  |  Tenure Generation                           | Perm gen    |
   |            |     |     |                                              |             |
    <---------------------jvm heap (-Xms -Xmx)----------------------------> -XX:PermSize  
    <-- young gen(-Xmn)---->                                                -XX:MaxPermSize  

When eden space is fill with object and minor gc is performed, survive objects will copy to either survivor spaces; s0 or s1. At a time, one of the survivor space is empty. Because the eden space are relatively small in comparison to the tenure generation, hence, the gc that happened in eden space is quick.  Eden and both survivors spaces are also known as young or new generation.

To understand into how young generation heap get free, this article provided detail explanation.

The Sun/Oracle HotSpot JVM further divides the young generation into three sub-areas: one large area named "Eden" and two smaller "survivor spaces" named "From" and "To". As a rule, new objects are allocated in "Eden" (with the exception that if a new object is too large to fit into "Eden" space, it will be directly allocated in the old generation). During a GC, the live objects in "Eden" first move into the survivor spaces and stay there until they have reached a certain age (in terms of numbers of GCs passed since their creation), and only then they are transferred to the old generation. Thus, the role of the survivor spaces is to keep young objects in the young generation for a little longer than just their first GC, in order to be able to still collect them quickly should they die soon afterwards.
Based on the assumption that most of the young objects may be deleted during a GC, a copying strategy ("copy collection") is being used for young generation GC. At the beginning of a GC, the survivor space "To" is empty and objects can only exist in "Eden" or "From". Then, during the GC, all objects in "Eden" that are still being referenced are moved into "To". Regarding "From", the still referenced objects in this space are handled depending on their age. If they have not reached a certain age ("tenuring threshold"), they are also moved into "To". Otherwise they are moved into the old generation. At the end of this copying procedure, "Eden" and "From" can be considered empty (because they only contain dead objects), and all live objects in the young generation are located in "To". Should "to" fill up at some point during the GC, all remaining objects are moved into the old generation instead (and will never return). As a final step, "From" and "To" swap their roles (or, more precisely, their names) so that "To" is empty again for the next GC and "From" contains all remaining young objects.

As you can observed based on the visual diagram above, you can set the amount of heap for the eden and survivor space using -Xmn in the java parameter. There is also -XX:SurvivorRatio=ratio and you can find further information here for java8. Note that in the diagram above, Perm gen has been removed in java8, hence always refer find out what java run your application and refer to the right version of java documentation.

If you want to monitor the statistics of eden , you can use jstats. Previously I have written an article about jstat and you can read here what is jstat and how to use it. You can also enable gc log statistics and so jvm will write the gc statistics into a file, you can further read more here.

Till then we meet again in the next article. Please consider donate, thank you!

Saturday, October 24, 2015

Study MongoDB security by setup and configure server and client on secure line

It's been a while since my last learning on MongoDB. The last learning on MongoDB was on administration. Today, we will learn another topic of mongoDB; MongoDB security. As a general for MongoDB security context, it means

Maintaining a secure MongoDB deployment requires administrators to implement controls to ensure that users and applications have access to only the data that they require. MongoDB provides features that allow administrators to implement these controls and restrictions for any MongoDB deployment.

This article is reference the official documentation which can be found here. As the security context is pretty huge, in this short article, we will focus how to setup mongdb server to use on ssl and how client will access the database resource securely.

First, make sure you have install the server and client package. If you are on deb package linux distribution, it is as easy as sudo apt-get install mongodb-clients mongodb-server. Once both packages are install, you can check in the log file at /var/log/mongodb/mongodb.log similar such as the following. So our mongodb version is 2.6.3 and it has support using openssl library.

 2015-09-27T16:04:48.849+0800 [initandlisten] db version v2.6.3  
 2015-09-27T16:04:48.849+0800 [initandlisten] git version: nogitversion  
 2015-09-27T16:04:48.849+0800 [initandlisten] OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014  

Next, let's generate a public and private key and a self sign certifcate.

 user@localhost:~/test1$ openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key  
 Generating a 2048 bit RSA private key  
 writing new private key to 'mongodb-cert.key'  
 You are about to be asked to enter information that will be incorporated  
 into your certificate request.  
 What you are about to enter is what is called a Distinguished Name or a DN.  
 There are quite a few fields but you can leave some blank  
 For some fields there will be a default value,  
 If you enter '.', the field will be left blank.  
 Country Name (2 letter code) [AU]:MY  
 State or Province Name (full name) [Some-State]:KL  
 Locality Name (eg, city) []:Kuala Lumpur  
 Organization Name (eg, company) [Internet Widgits Pty Ltd]  
 Organizational Unit Name (eg, section) []:Engineering  
 Common Name (e.g. server FQDN or YOUR name) []:Jason Wee  
 Email Address []  
 user@localhost:~/test1$ ls  
 mongodb-cert.crt mongodb-cert.key  

Now put everything into a file with extension .pem.

 user@localhost:~/test1$ cat mongodb-cert.key mongodb-cert.crt > mongodb.pem  

Now, stop mongodb instance if it is running. As we will now configured the server to use the certificate we generated previously.

 user@localhost:~/test1$ sudo systemctl status mongodb  
 ● mongodb.service - An object/document-oriented database  
   Loaded: loaded (/lib/systemd/system/mongodb.service; enabled; vendor preset: enabled)  
   Active: inactive (dead) since Sun 2015-09-27 16:13:34 MYT; 23min ago  
    Docs: man:mongod(1)  
  Main PID: 15343 (code=exited, status=0/SUCCESS)  
 Sep 27 16:04:48 localhost systemd[1]: Started An object/document-oriented database.  
 Sep 27 16:04:48 localhost systemd[1]: Starting An object/document-oriented database...  
 Sep 27 16:13:33 localhost systemd[1]: Stopping An object/document-oriented database...  
 Sep 27 16:13:34 localhost systemd[1]: Stopped An object/document-oriented database.  
 Sep 27 16:36:30 localhost systemd[1]: Stopped An object/document-oriented database.  
 user@localhost:~/test1$ sudo tail -10 /etc/mongodb.conf   
 # Size limit for in-memory storage of op ids.  
 #opIdMem = <bytes>  
 # SSL options  
 # Enable SSL on normal ports  
 sslOnNormalPorts = true  
 # SSL Key file and password  
 #sslPEMKeyFile = /etc/ssl/mongodb.pem  
 sslPEMKeyFile = /home/user/test1/mongodb.pem  
 #sslPEMKeyPassword = pass  

In the above output, as an example, I have set the file mongodb.pem to the configuration sslPEMKeyFile and also set sslOnNormalPorts to true. Now if you start mongodb instance.

 user@localhost:~/test1$ sudo systemctl start mongodb  

In the log file, noticed that ssl is enabled and no ssl related error.

 2015-09-27T16:46:41.648+0800 [initandlisten] options: { config: "/etc/mongodb.conf", net: { bindIp: "", ssl: { PEMKeyFile: "/home/user/test1/mongodb.pem", mode: "requireSSL" } }, storage: { dbPath: "/var/lib/mongodb", journal: { enabled: true } }, systemLog: { destination: "file", logAppend: true, path: "/var/log/mongodb/mongodb.log" } }  
 2015-09-27T16:46:41.788+0800 [initandlisten] journal dir=/var/lib/mongodb/journal  
 2015-09-27T16:46:41.797+0800 [initandlisten] recover : no journal files present, no recovery needed  
 2015-09-27T16:46:42.162+0800 [initandlisten] waiting for connections on port 27017 ssl  

On the server configuration and setup, it is now done. Now, we will focus on the mongdb client. If you connect to mongodb using its client, you will get error.

 user@localhost:~/test1$ mongo foo  
 MongoDB shell version: 2.6.3  
 connecting to: foo  
 2015-09-27T17:22:54.300+0800 DBClientCursor::init call() failed  
 2015-09-27T17:22:54.302+0800 Error: DBClientBase::findN: transport error: ns: admin.$cmd query: { whatsmyuri: 1 } at src/mongo/shell/mongo.js:146  
 exception: connect failed  
 user@localhost:~/test1$ mongo --ssl --sslPEMKeyFile mongodb.pem  
 MongoDB shell version: 2.6.3  
 connecting to: test  
 Server has startup warnings:   
 2015-09-27T16:46:41.647+0800 [initandlisten]   
 2015-09-27T16:46:41.647+0800 [initandlisten] ** NOTE: This is a 32 bit MongoDB binary.  
 2015-09-27T16:46:41.647+0800 [initandlisten] **    32 bit builds are limited to less than 2GB of data (or less with --journal).  
 2015-09-27T16:46:41.647+0800 [initandlisten] **    See  
 2015-09-27T16:46:41.647+0800 [initandlisten]   
 > show dbs  
 admin (empty)  
 local 0.078GB  

As you can read above, you need to specify parameter ssl and the pem file. That's it for this article, if you want to go the distance, try using tcpdump to listen to this port traffic. Good luck!

Friday, October 23, 2015

cracking wireless wep router encryption

Recently I noticed one of my neighbor router encryption is using WEP and I thought maybe to spend sometime to aircrack it. Googling shown many articles that teach you on how to gain access to wireless router that using WEP as the encryption standard. In this article, I mainly reference this article and running this on my linux workstation.

With that said, let's begin. Install aircrack-ng package that contain essentials applications that sniff the air traffic and crack it.

 root@localhost:~# apt-get install aircrack-ng  
 Reading package lists... Done  
 Building dependency tree      
 Reading state information... Done  
 The following packages were automatically installed and are no longer required:  
  libgee2 libmono-2.0-1 libmono-2.0-dev libmono-accessibility4.0-cil libmono-c5-1.1-cil libmono-cecil-private-cil libmono-codecontracts4.0-cil  
  libmono-compilerservices-symbolwriter4.0-cil libmono-cscompmgd8.0-cil libmono-custommarshalers4.0-cil libmono-db2-1.0-cil libmono-debugger-soft2.0a-cil  
  libmono-debugger-soft4.0a-cil libmono-entityframework-sqlserver6.0-cil libmono-entityframework6.0-cil libmono-http4.0-cil libmono-ldap2.0-cil  
  libmono-ldap4.0-cil libmono-management2.0-cil libmono-management4.0-cil libmono-messaging-rabbitmq2.0-cil libmono-messaging-rabbitmq4.0-cil  
  libmono-messaging4.0-cil libmono-microsoft-build-engine4.0-cil libmono-microsoft-build-framework4.0-cil libmono-microsoft-build-tasks-v4.0-4.0-cil  
  libmono-microsoft-build-utilities-v4.0-4.0-cil libmono-microsoft-build2.0-cil libmono-microsoft-build4.0-cil libmono-microsoft-visualc10.0-cil  
  libmono-microsoft-web-infrastructure1.0-cil libmono-microsoft8.0-cil libmono-npgsql2.0-cil libmono-npgsql4.0-cil libmono-opensystem-c4.0-cil  
  libmono-oracle2.0-cil libmono-oracle4.0-cil libmono-parallel4.0-cil libmono-peapi2.0a-cil libmono-peapi4.0a-cil libmono-profiler libmono-rabbitmq2.0-cil  
  libmono-rabbitmq4.0-cil libmono-relaxng2.0-cil libmono-relaxng4.0-cil libmono-sharpzip2.6-cil libmono-simd2.0-cil libmono-simd4.0-cil  
  libmono-system-componentmodel-composition4.0-cil libmono-system-componentmodel-dataannotations4.0-cil libmono-system-configuration-install4.0-cil  
  libmono-system-data-datasetextensions4.0-cil libmono-system-data-linq4.0-cil libmono-system-data-services-client4.0-cil  
  libmono-system-data-services2.0-cil libmono-system-data-services4.0-cil libmono-system-design4.0-cil libmono-system-drawing-design4.0-cil  
  libmono-system-dynamic4.0-cil libmono-system-identitymodel-selectors4.0-cil libmono-system-identitymodel4.0-cil  
  libmono-system-io-compression-filesystem4.0-cil libmono-system-io-compression4.0-cil libmono-system-json-microsoft4.0-cil libmono-system-json2.0-cil  
  libmono-system-json4.0-cil libmono-system-ldap-protocols4.0-cil libmono-system-ldap2.0-cil libmono-system-ldap4.0-cil libmono-system-management4.0-cil  
  libmono-system-messaging4.0-cil libmono-system-net-http-formatting4.0-cil libmono-system-net-http-webrequest4.0-cil libmono-system-net-http4.0-cil  
  libmono-system-net2.0-cil libmono-system-net4.0-cil libmono-system-numerics4.0-cil libmono-system-reactive-core2.2-cil  
  libmono-system-reactive-debugger2.2-cil libmono-system-reactive-experimental2.2-cil libmono-system-reactive-interfaces2.2-cil  
  libmono-system-reactive-linq2.2-cil libmono-system-reactive-observable-aliases0.0-cil libmono-system-reactive-platformservices2.2-cil  
  libmono-system-reactive-providers2.2-cil libmono-system-reactive-runtime-remoting2.2-cil libmono-system-reactive-windows-forms2.2-cil  
  libmono-system-reactive-windows-threading2.2-cil libmono-system-runtime-caching4.0-cil libmono-system-runtime-durableinstancing4.0-cil  
  libmono-system-servicemodel-activation4.0-cil libmono-system-servicemodel-discovery4.0-cil libmono-system-servicemodel-routing4.0-cil  
  libmono-system-servicemodel-web4.0-cil libmono-system-servicemodel4.0a-cil libmono-system-serviceprocess4.0-cil  
  libmono-system-threading-tasks-dataflow4.0-cil libmono-system-web-abstractions4.0-cil libmono-system-web-dynamicdata4.0-cil  
  libmono-system-web-extensions-design4.0-cil libmono-system-web-extensions4.0-cil libmono-system-web-http-selfhost4.0-cil  
  libmono-system-web-http-webhost4.0-cil libmono-system-web-http4.0-cil libmono-system-web-mvc1.0-cil libmono-system-web-mvc2.0-cil  
  libmono-system-web-mvc3.0-cil libmono-system-web-razor2.0-cil libmono-system-web-routing4.0-cil libmono-system-web-webpages-deployment2.0-cil  
  libmono-system-web-webpages-razor2.0-cil libmono-system-web-webpages2.0-cil libmono-system-windows-forms-datavisualization4.0a-cil  
  libmono-system-windows-forms4.0-cil libmono-system-windows4.0-cil libmono-system-xaml4.0-cil libmono-system-xml-serialization4.0-cil  
  libmono-tasklets2.0-cil libmono-tasklets4.0-cil libmono-webbrowser4.0-cil libmono-webmatrix-data4.0-cil libmono-windowsbase3.0-cil  
  libmono-windowsbase4.0-cil libmono-xbuild-tasks2.0-cil libmono-xbuild-tasks4.0-cil libmonoboehm-2.0-1 libmonoboehm-2.0-dev libmonosgen-2.0-1  
  libnunit-cil-dev libts-0.0-0 libts-0.0-0:i386 libupower-glib1 linux-image-amd64 mono-2.0-service mono-4.0-service mono-csharp-shell mono-jay mono-utils  
  mono-xbuild monodoc-base monodoc-browser monodoc-manual python-gtksourceview2 python3-packagekit tsconf  
 Use 'apt-get autoremove' to remove them.  
 The following extra packages will be installed:  
 The following NEW packages will be installed:  
  aircrack-ng ieee-data  
 0 upgraded, 2 newly installed, 0 to remove and 523 not upgraded.  
 Need to get 1,244 kB of archives.  
 After this operation, 5,914 kB of additional disk space will be used.  
 Do you want to continue? [Y/n] Y  
 Get:1 unstable/main aircrack-ng amd64 1:1.2-0~beta3-4 [435 kB]  
 Get:2 unstable/main ieee-data all 20141019.1 [809 kB]  
 Fetched 1,244 kB in 5s (228 kB/s)   
 Selecting previously unselected package aircrack-ng.  
 (Reading database ... 325525 files and directories currently installed.)  
 Preparing to unpack .../aircrack-ng_1%3a1.2-0~beta3-4_amd64.deb ...  
 Unpacking aircrack-ng (1:1.2-0~beta3-4) ...  
 Selecting previously unselected package ieee-data.  
 Preparing to unpack .../ieee-data_20141019.1_all.deb ...  
 Unpacking ieee-data (20141019.1) ...  
 Processing triggers for man-db ( ...  
 Setting up aircrack-ng (1:1.2-0~beta3-4) ...  
 Setting up ieee-data (20141019.1) ...  

okay, the package installed successfully. Next you need to turn the wireless interface to monitor mode and so the interface can intercept any wireless traffic nearby.

As you can read above, I have stop network-manager and so my interface will not automatically connect to my wireless router. In this example, I use one of my wireless interface for this learning adventure. Once the wireless interface is turned into monitor mode, you can start to dump the air traffic using the command airodump-ng .

Identify any wireless router that use WEP encryption protocol, and then start another terminal to write all these traffics into a tcpdump file. You can do that using the command airodump-ng -c 6 -w data-capture wlan0 .

Next, you can inject (send traffic) more packets to the identified router using aireplay . As you can see below, I experiment with a few aireplay parameter and you should too.

If your neighbour WEP wireless router is an active users, airodump-ng should be able to capture sufficient of initialization vectors(IVs) for your next aircrack command. I suggest you leave over few hours to collect maybe 10k of IVs and run this tcpdump capture with a powerful cpu.

That's it. Good luck, have fun and be good.

Sunday, October 11, 2015

How to install D-Link DWA-123 Wireless N 150 adapter in debian

Today I got myself a new wireless usb device. Pricing for D-Link DWA-123 wireless N 150 is very affordable and only at 17MYR (01 september 2015) in local computer store. So I got myself a unit and try out, and it's working fine after more than ten days. I will share with you how do I install this unit in linux debian.

If you are using kernel 4.0 or above, the module should come together with the kernel. You can identify below and you plug the device into the usb port.

 root@localhost:~# modinfo r8188eu  
 filename:    /lib/modules/4.0.0-2-amd64/kernel/drivers/staging/rtl8188eu/r8188eu.ko  
 version:    v4.1.4_6773.20130222  
 author:     Realtek Semiconductor Corp.  
 description:  Realtek Wireless Lan Driver  
 license:    GPL  
 srcversion:   A3DA328AE8853D31D90212F  
 alias:     usb:v0DF6p0076d*dc*dsc*dp*ic*isc*ip*in*  
 alias:     usb:v2001p3311d*dc*dsc*dp*ic*isc*ip*in*  
 alias:     usb:v2001p3310d*dc*dsc*dp*ic*isc*ip*in*  
 alias:     usb:v2001p330Fd*dc*dsc*dp*ic*isc*ip*in*  
 alias:     usb:v07B8p8179d*dc*dsc*dp*ic*isc*ip*in*  
 alias:     usb:v056Ep4008d*dc*dsc*dp*ic*isc*ip*in*  
 alias:     usb:v0BDAp0179d*dc*dsc*dp*ic*isc*ip*in*  
 alias:     usb:v0BDAp8179d*dc*dsc*dp*ic*isc*ip*in*  
 depends:    usbcore  
 staging:    Y  
 intree:     Y  
 vermagic:    4.0.0-2-amd64 SMP mod_unload modversions   
 parm:      rtw_ips_mode:The default IPS mode (int)  
 parm:      ifname:The default name to allocate for first interface (charp)  
 parm:      if2name:The default name to allocate for second interface (charp)  
 parm:      rtw_initmac:charp  
 parm:      rtw_channel_plan:int  
 parm:      rtw_chip_version:int  
 parm:      rtw_rfintfs:int  
 parm:      rtw_lbkmode:int  
 parm:      rtw_network_mode:int  
 parm:      rtw_channel:int  
 parm:      rtw_wmm_enable:int  
 parm:      rtw_vrtl_carrier_sense:int  
 parm:      rtw_vcs_type:int  
 parm:      rtw_busy_thresh:int  
 parm:      rtw_ht_enable:int  
 parm:      rtw_cbw40_enable:int  
 parm:      rtw_ampdu_enable:int  
 parm:      rtw_rx_stbc:int  
 parm:      rtw_ampdu_amsdu:int  
 parm:      rtw_lowrate_two_xmit:int  
 parm:      rtw_rf_config:int  
 parm:      rtw_power_mgnt:int  
 parm:      rtw_smart_ps:int  
 parm:      rtw_low_power:int  
 parm:      rtw_wifi_spec:int  
 parm:      rtw_antdiv_cfg:int  
 parm:      rtw_antdiv_type:int  
 parm:      rtw_enusbss:int  
 parm:      rtw_hwpdn_mode:int  
 parm:      rtw_hwpwrp_detect:int  
 parm:      rtw_hw_wps_pbc:int  
 parm:      rtw_max_roaming_times:The max roaming times to try (uint)  
 parm:      rtw_fw_iol:FW IOL (int)  
 parm:      rtw_mc2u_disable:int  
 parm:      rtw_80211d:Enable 802.11d mechanism (int)  
 parm:      rtw_notch_filter:0:Disable, 1:Enable, 2:Enable only for P2P (uint)  
 parm:      debug:Set debug level (1-9) (default 1) (int)  
 root@localhost:~# dpkg -S /lib/modules/4.0.0-2-amd64/kernel/drivers/staging/rtl8188eu/r8188eu.ko  
 linux-image-4.0.0-2-amd64: /lib/modules/4.0.0-2-amd64/kernel/drivers/staging/rtl8188eu/r8188eu.ko  

If you get the following message in your syslog,

 Sep 1 19:12:33 localhost kernel: [ 385.525522] r8188eu 1- firmware: failed to load rtlwifi/rtl8188eufw.bin (-2)  
 Sep 1 19:12:33 localhost kernel: [ 385.525530] r8188eu 1- Direct firmware load for rtlwifi/rtl8188eufw.bin failed with error -2  
 Sep 1 19:12:33 localhost kernel: [ 385.525534] r8188eu 1- Firmware rtlwifi/rtl8188eufw.bin not available  
 Sep 1 19:12:33 localhost kernel: [ 385.525539] MAC Address = 00:00:00:00:00:00  

What you need to do next is to install the firmware. The firmware is in the repository and you can install as easy as apt-get.

 root@localhost:~# apt-get install firmware-realtek  

Now the userspace application should be able to identify the device correctly. I am using gnome so, it is detected as USB Wi-FI. Note that I have an existing pci wifi as shown in the screenshot below.

Try out to device to retrieve the IP address etc. If you get your wireless to a funky name such as wlxc412f52da87d , then you can create a rule in the udev configuration file.

 # cat /etc/udev/rules.d/70-persistent-net.rules  
 # This file was automatically generated by the /lib/udev/write_net_rules  
 # program, run by the persistent-net-generator.rules rules file.  
 # You can modify it, as long as you keep each rule on a single  
 # line, and change only the value of the NAME= key.  
 # PCI device 0x0000:0x0000 (atl1c)  
 SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:00:00:00:00:00", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"  
 # PCI device 0x0000:0x0000 (brcm80211)  
 SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:00:00:00:00:0", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="wlan*", NAME="wlan0"  
 # USB device 0x0000:0x0000 (r8188eu)  
 SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:00:00:00:00:00", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="wlan*", NAME="wlan1"  

As you can see above, PCI device my existing device and you should add another line similar to the above. You need to replace ATTR{address} value to your device mac address. When the operating system bring up this device, it will be renamed to wlan1 instead of a random interface name next time.

Saturday, October 10, 2015

post mortem of anonymous vs najib on august 2015

When the video is circulating in the social media, it create additional sensational hype on the verge of incoming bersih 4.0 rally at the month end of august of 2015. Some said in the youtube comment this video above is fake, some news circulating even the IGP of malaysia has even commented on this.

Whether it is conspiracies from any parties or if this incident really happened, it has been weeks after the date set forth in the video. In this article, we will take a look at what actually had happened on 29 august 2015.

For a start, one things is ascertain, the sites that were identified by the anonymous groups in the video; on that day were all having ddos protections. Take a look at the screenshots below taken on 29 august 2015.

All the sites above have taken precaution steps to prevent denial of services from happening. From the norse map, as usual, ddos happen every time but nothing particulary on the time declared by the anonymous toward malaysia IPs.

However, sometime around 7.30pm, the royal malaysian police website cannot be access for duraiton of time. It could be just a minor glitch.

So today I take a look at the digital attack map on the day 29 and 30 august 2015. Nothing massive attack happened to malaysia IPs.

It definitely looks like there is no obvious denial of services happened on that two days. But why and what is the motive of the anonymous video was created for? Has anonymous failed in the attack given the additional security prevention has setup in placed? Well, I would say unlikely. It's a strange world indeed.

Friday, October 9, 2015

Mail server setup

“Why is legitimate email sent from my server rejected or flagged as spam?”

In the last eight years working as mail- and spam filter administrator I’ve had to answer this question many times. If you google it on the web, you’re often getting answers like “because you don’t have SPF/DKIM/DMARC”. This might be the reason in some cases, but most of the time the problem lies in the basic server hostname and DNS setup.

Many spam filters first try to find out, if the sending device was meant to send mail or if its just yet another hacked VPS / home PC  out there. So your job is to clearly tell them "yes, the administrator of this device and the ISP agree that this system should send mail".  And you tell them this by setting a distinctive SMTP HELO (which makes clear that the SMTP engine was set up by a mail administrator),
DNS A-record (which defines that IP address is the one meant send mail) and reverse DNS (which confirms that the owner of the IP adddress  agrees). If you get these three things right, chances are already pretty high that your legitimate mail will be accepted even without SPF and DKIM.  

System hostname / SMTP HELO

Most mail servers automatically use the system hostname as SMTP HELO - so this is the first thing that should be set correctly.
  • Configure a fully qualified domain name on your mailserver (something like ‘’, '', '' )
  • DO NOT actually use “” - we will use this domain as an example here, but you should not on your server. Whenever you read ‘’ below, replace it with the fully qualified hostname you’ve chosen in a domain under your control. (yes, I’ve seen people literally configure ‘’ on their servers. It’s a bad idea.)
  • DO NOT use hostname in a domain of your ISP/VPS Provider. Use your OWN domain.
  • DO NOT choose a hostname that looks auto-generated (based your IP address etc). 
  • DO NOT try to be cute and invent your own top level domain ("myserver.home", "exchange.lan") - your hostname should be publicly resolvable


  • Send mail from a static IP address. If you don’t have one, use a smarthost that does
  • If your IP address is listed on the Spamhaus PBL it is not meant to be used to send mail directly. Use a smarthost or ask your ISP for an IP in a different range.
  • if you have multiple static IP addresses available, configure a dedicated IP for your mail server which is not used as gateway by any other devices in your network. This reduces the risk of an infected device causing your mail IP to get blacklisted

Reverse DNS

  • Set the reverse DNS (PTR) entry to the your server’s hostname ( PTR
  • DO NOT set multiple PTRs. Your sending IP should have exactly one PTR. It does not matter if this server is hosting multiple domains for web / mail. The PTR is used to identify the sending server, not the domains it is hosting
  • DO NOT use generic PTRs from your upstream/IP/vps provider. (like Set this to a domain under your control.


  • Make sure there is an A record that maps the hostname used in your PTR back to your sending IP address (see FcRDNS)
  • if you used a different FQDN in your smtp HELO for any reason, add an A record for this  as well . Only extremely agressive spam filters will actually check if your helo is resolvable, but RFC 5321 states "Only resolvable, fully-qualified domain names (FQDNs) are permitted  when domain names are used in SMTP.", so better be safe than sorry.