Saturday, June 30, 2012

How to report an abuse to an ISP/SP

From time to time, you will have to report an abuse to an Internet Service Provider (ISP). Having been at both ends of this, I know it can be a frustrating task. As the person submitting the abuse report, you always end up having to feedback or a vague, generic e-mail that informs you that your report will be read and that, if needed, actions will be taken. In most of the case, this is the only response you will get. 

As the person receiving the abuse reports, you have to deal with incomplete or ambiguous information, people demanding the name of a subscriber, and from time to time, profanities and threats. Usually, that receiver gets the report from someone with no connection whatsoever to his service - understand by that "not paying anything" - on someone who gives him good money. That's a conflict of interest various laws tried to solve by imposing to the ISPs the obligation of notifying users of potential misconducts, as these may be unintentional, for instance in the case of machines infected by a virus.

In all cases, it is important to stay polite and courteous, after all, the person reporting the abuse is asking for help, but the person receiving the report may have a legal obligation in taking action.

A good report includes:

- The IP address of the machine that allegedly did the abuse;
- The IP address of the machine that was the target of the abuse;
- A description of the abuse, in factual terms - no elaboration or intents;
- The relevant entries from the logs with timestamps - the relevant entries only, no need to forward a 10MB log to show 2 lines;
- The timezone the machine is in.

In addition to these, I usually add a short note inviting the ISP to contact me should more information be needed.

Unless you are familiar with the language spoken by the ISP you are reporting the abuse to, English is a good bet to write the e-mail. If your logs are not in the same language, offer to provide a translation.

Here is an example of e-mail I would send:

Subject: potential abuse coming from x.x.x.x

My logs indicate that x.x.x.x tried several combinations of username/password on my SMTP server, with IP y.y.y.y.

Please find the logs below. All the times are EST.
Should you need more information or log, feel free to send me an e-mail.

Now comes the question: how to find the e-mail address to report an abuse.

The Whois service

All IP networks have been allocated by a regional Internet Registry. These operate over a geographic area and are responsible for assigning the IP networks, maintaining the technical and administrative contacts and providing some base information regarding the IP networks.

For the North America, the registry is ARIN. On the top right corner, there is a box called "Search WHOIS". This is were you will put the offending IP. The result may, or may not include an "abuse contact".

When it doesn't include such a record, I look to see if there is a link to another delegation: some ISPs have hundreds of networks and operate their own WHOIS. In that case, the best is to follow the link and to search for the information in the next database.

In the event there is no such delegation and no abuse contact, I usually go for the parent network, until I find an abuse contact.

Going to Justice

If the abuse costed you money or caused harm or damages, you may want to go to the police. In that event, the procedure depends on where you are and what jurisdiction applies. Contact your local authorities for more information.

In that case, it is important to preserve as much information as possible: if the abused machine is your desktop, don't use it anymore, disconnect it from the network and wait for instructions.

Happy Surging!

Monday, June 25, 2012

BIND9, Ubuntu and Apparmor

While configuring a slave DNS server with bind9 on Ubuntu, I had a few issues. Looking in the log, I spotted:

Jun 25 15:25:19 nyhdns01 kernel: [ 1249.991165] type=1400 audit(1340652319.705:7): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/named" name="/etc/bind/zones/tmp-aSrmPQ6y4K" pid=1776 comm="named" requested_mask="c" denied_mask="c" fsuid=106 ouid=106

The AppArmor profile for bind prevents writing under /etc/bind, however, my standard is to store all the zones under /etc/bind/zones. Editing  /etc/apparmor.d/usr.sbin.named to add


solved the issue.

Sunday, June 24, 2012

Citrix Receiver for Linux 64bits

Good news everybody, at least the everybody that uses Citrix on a daily basis: the 64bits version of Citrix Receiver is now available for Linux!

The Citrix Receiver is an application that allows one to connect to a Citrix presentation server, either to receive an application or a full desktop. For instance, I use it to connect to my work to access the Internal resources, as a alternative solution to a full blown VPN. In that scenario, the only things exchanged between my workstation and my corporate network are key presses, mouse clicks, screen refreshes and print jobs.

As I am running Linux 64bits, for the past 3 years, I had to go through the installation of the 32bits version, and all the supporting libraries. If it isn't a nightmare to do, nonetheless installing several 32bits libraries just to run one application is a bit of a waste.

But this is not longer needed: I found that Citrix has released a 64bits version of the Receiver, available both as a .deb or .rpm package.

The install is easy (.rpm in my case) and takes care of its own dependencies. The only step left was to associate the .ica files with the launcher (/opt/Citrix/ICAClient/wfica) in Firefox preferences and voila! Ready to rock.

Applications tab in Firefox preferences

Upgrade to Linux Fedora 17

Fedora 17 was released on May 29, 2012. As a regular user of Fedora Linux since version 12 (after a long past with Redhat until version 6.2, followed by a trip to FreeBSD, Debian and Ubuntu), I try to stay abreast of the new versions.

My computer is nothing extravagant, neither bleeding edge nor old crap: it is a decent quad core, with 8GB of RAM, an Asus Motherboard purchased in 2008 and a NVIDIA GeForce 9600 video card. Concerning this last item, I know this forces me to either use the buggy nouveau driver (nv) or use the binary installer provided by NVIDIA.

So I decided to upgrade my Fedora 16 to a shiny new 17. Looking at the support forums, I found that there is a method called preupgrade to perform an upgrade without downloading and burning a media. So I decided to give it a shot.

Unfortunately, I missed the not so fine prints: my /boot partition is around 128MB, and after spending almost an afternoon downloading all the packages, the installer told me that unfortunately, there are things that are not supposed to be. In this case, using preupgrade. DVD it is, downloaded and burned.

The first issue is related to my video card. From a few pages and messages found on Google, it seems that the nv driver shipped with the install has a few issues. Mine is that my screen goes completely dark and nothing reacts short of a hard power off. The solution is quite easy: chose to edit the boot line and add "xmode=vesa nomodeset". This will force a compatible mode to be selected, with the detriment that the screen are larger than the display and will scroll.

For the quick and observant, two error messages flashes: the first one concerning the floppy - the installer loads the module but I do not have a floppy drive anymore, and the second one that I can't even read. Not important and the installer boots just fine.

The install (1422 packages in my case) seems to stall with SELinux. On my machine, it took about 10 minutes to go through that package, during which restorecon was using 100% of a core. Going from one virtual terminal to another gives you some information, the 2nd VT even gives you a shell. But if you do that, your upgrade screen will be completely white, except for the mouse pointer. Passed SELinux, the install continues at a decent rate and goes to the reboot. There, I was a bit surprised as the installer did not eject the DVD. Also, there was no offer to add a repository to do all the upgrades during the install phase.

First boot, the Fedora logo fills and ... nothing. It hangs. Pressing num lock shows that the machine is not frozen, but nothing seems to happen. So reboot and edit of the boot line: at the "linux" line, I removed the "quiet" and added "single" to force Linux to stop at runlevel 1. As soon as the Fedora Logo appeared, I also pressed ESC to continue seeing the messages. It boots OK and drops me at a shell. It, however, took a very long time with a message informing that the lp module was loaded, but no device was found. I do not know if that module is the actual cause of the temporary freeze or if the next module is.  Let's head for runlevel 3, to compile a new NVIDIA driver and do some upgrades.

The NVIDIA script died as the version used to compile the kernel (4.6) is different from the installed version (4.7). Surprising. So, I decided to upgrade the whole system.

The first "yum update" failed with "Cannot retrieve metalink for repository", which I solved using "yum makecache". The following "yum update" succeeded, with the minor exception of a timeout while trying to retrieve the information from a mirror hosted at the Princeton University. But boy! The upgrade totals 1048 packages summing 1.8GB! I accept and look at the first messages. After a while, this gets old and I decide to leave the machine alone. My alarm clock is set to ring in two hours, approximately the time needed to transfer the upgrades.

Two hours later, back to the computer. It displays an invite asking whether I want to accept the PGP key using in two repositories. Okay, that's good. From there, two things:

  • Several packages are marked as duplicate of the same version ... for Fedora 16!
  • Several packages failed the install due to a missing required: xserver-abi(videodrv-11) >= ('0','0',None) (This is an actual bug)

A quick rpm -qa tells me that almost half of my packages are actually Fedora 16 (2251 packages installed, of which 1456 packages are marked as Fedora 17). Worse, I also found packages belonging to Fedora 15, 14, 13, 12 and even 11!

To try to go further, I followed the instructions in the bug report before trying another "yum update".  Of course, one of the instructions nukes the package cache, which means that all the packages need to be downloaded ... again!

Time for desperate measures.

*** Warning - I this can completely ruin your install  - Don't do it unless you know exactly what you are doing ***

There are two types of issues here -

  • Duplicate packages between FC17 and a previous release
  • Missing dependencies for a package from a previous release

The duplicates packages is the easiest: rpm -e --nodeps <complete package name>. This removes the packages.

For the missing dependencies, I found that installing the package (without the version) works fine in most of the cases: yum install <package>. For a few package, I had to remove the package first, then add it.

I ended with "yum update" that almost worked, except for a few broken dependencies for a few packages. Nothing is critical, so I removed them (yum erase). After the update, I added them back.

Conclusion -

I am still a fan of Fedora, but I must admit that the upgrade to version 17 stinks. If you know what you are doing and have a day to kill, this is for you, otherwise, stick to FC16 and wait for all the bugs to be corrected!

Edit 1 -

After the reboot, I added "single" in the boot line, to drop to runlevel 1. I moved to runlevel 3, stopped a few services using systemctl (powerful tool!), recompiled my nvidia driver. I then issued "init 5" to move to the graphic interface and voila! Fedora 17.

Saturday, June 23, 2012

Antivirus protection (some are free)

In a previous article, I mentioned that a better practice is to run an antivirus on each computer. But what is an antivirus?

This is an application that will scan your disks and check the objects against a list of known bad signatures. This latter is a sequence of bytes indicative of a certain strain of malware. Depending on the product, it may also scan these files and objects as they are moved in and out of the memory, from example copied from the network or from a website. Certain have additional protections, such as detecting known attacks coming from the network or trying to exploit bugs in products such as Internet Explorer or Adobe Acrobat.

The fact is, the antivirus is as smart as its database: something new will not be detected by a pure comparison. That is why certain commercial products have a "heuristic" scan: they will detect patterns that are a possible indication of a malware, but without doing an exact comparison with a database. In a number of cases, there will be false positives, or non malware pieces of code flagged as potentially nefarious.

Another fact to keep in mind is the size of the database. Even if there are very fast algorithms to perform searches and comparisons, the fact rests that the larger the number of signatures, the slower the scan. This may be particularly true and sensitive during real-time scanning.

A few criteria to chose an Antivirus solution:

The number of signatures present in the database - the more signatures, the more viruses detected, but at the same time, the slower the scan;

The frequency at which new signatures are made available - how many times per month/week/day are new signatures released? Are they released on a schedule or when ready?

How does the vendor follow the discovery of new malwares? - What is the average period between discovery and availability of a signature? Does the vendor have its own malware lab?

What are the features of the Antivirus solution? - besides scanning files at rest (called on-demand scanning), does the solution provide in-memory scanning? Activity scanning? Does it protect against network attacks?

What is the cost of the solution? - No explanation needed, does the solution cost something? If it does, what are the benefits? Is it a one-time fee or an annual subscription?

A few free solutions:

Some opensource and free solutions exist. In addition, some vendors have free versions for personal use, or for a use limited in time, such as scanning a computer.


This is a very good, opensource solution. For Windows, ImmuNet is available which runs the ClamAV engine. Initially, ClamAV was designed as an antivirus for e-mail gateways.

BitDefender, free version:

Although BitDefender is a commercial product, there is a free version which includes only the on-demand scanning.

F-Prot, Free for 30 days:

This is the full version, but with a limit of 30 days. After that, you have to either uninstall it or take a subscription.

There are plenty of other solutions to be found on the Internet. One word of caution though: beware of some fake antivirus, which are actually malware designed to scare you into installing it.

Happy Surfing!

Sunday, June 17, 2012

Better practices with Windows Operating Systems

Over the years, Microsoft has brought a significant number of improvements to Windows. However, there are still a few "shortcuts" taken, user or installation, that lower the security level of a Windows PC.

When Windows is installed, the only existing user is the local administrator, a user whose privileges include installing and removing applications, starting and stopping services (including anti-virus and security software) and modifying critical system files. A better practice consists in creating a non privileged user (normal user) and log on or use the run-as command as administrator only when needed. In that way, if a malware starts executing, it would inherit limited privileges and will potentially do less damages. Users are created in the management console: select "my computer", right-click, select "manage" and expand "Local users and groups".

By default, Windows comes with a lot of running services: Wireless network, Network discovery, various responders. In certain cases, none of them are really needed: for instance, if you have a desktop, there is little chance that machine has a wireless card. In that case, having the "Wireless service" is useless and it should be stopped. There are other examples, your mileage may vary but there are many services you could stop without having an issue. In many cases, this will free some memory and CPU for other tasks. Select "My Computer", right-click, select "Manage" and expand the "services" section. In order to prevent a service from starting when the computer boots, it has to be "manual" or "disabled". The former allows the service to be started by either another process or by an administrator. If the service is disabled, it cannot start at all.

If your computer is alone in your home network or if you are not sharing any files or printers using netbios, it is a better practice to disable it. In order to do so, go to your network interface, select "file and printer sharing" and disable it.

The Windows firewall is an important component of a system security. It prevents unauthorized connections to the system, but it can also filter outgoing connections. For instance, you may decide that outgoing SMTP connections only go to your provider's mail server (the one you have defined in Outlook). In the event a virus infects your computer, you will limit the quantity of spam sent. The configuration happens under the network interface. There is a tab for the network filter where you can define the traffic going in and out. Windows 2008 and 7 have a slightly different user interface that is more user friendly.

A hot topic is updates and upgrades. If Microsoft products are usually taken care of by the Windows Update Services - just remember it needs to be turned on - other applications such as Adobe Flash and Acrobat, Chrome Browser, Skype and so forth need to be updated by the users. Over the years, more and more of the developers have done a terrific job at adding auto-update functionality. I, however, recommend making sure that the latest version is installed by "checking for update", often found either in the "help" menu or in "about...". Be careful, however, of e-mails offering a patch: it is always best to use the application itself to check for updates, or to visit the vendor's website.

Last but not least, a good antivirus/antimalware is needed. Some are available for free, such as ClamWin or BitDefender. While this is not a silver bullet against all malwares, a good AV will help keep your machine clean.

Happy Surfing!