Kickstarting CentOS using PXE

There are many tutorials online for kickstarting a Linux server, but each covers only part of the whole process. I’ll attempt to cover all of it here.

First off, my setup. I wanted to use PXE, kickstart and a local mirror to be able to install a lot of machines simultaneously. To be able to test this I did the installation in VirtualBox; both my server and my client are virtual machines. Second, I’m a Debian-minded person, but CentOS was required for this setup, so here we go.

One of the things I ran into was a VM that never got a DHCP lease, and so never PXE-booted. The key is selecting the right network adapter for the VM: I used the bridged adapter, virtualised as a PCnet-Fast III. Others may work as well, but this one did it for me.

On your server you will need some software packages to be installed:

yum install httpd system-config-kickstart dhcp tftp-server syslinux

Some of these may already be installed. system-config-kickstart installs a GUI kickstart editor, which is useless on a server without a GUI; if your server does have one, it is the easier way to produce a kickstart file.

As I also wanted a local yum repository I needed to sync a remote mirror. This is not strictly necessary, but if you use this setup in an offline environment you’ll need it. Bear in mind that a repository for a single release is about 25GB.

rsync -avrt --delete --exclude "local*" --exclude "isos" \
rsync://mirrors.rit.edu/centos/6.2 /usr/local/share/CentOS/

This is going to take a while, but you can continue with the other configuration tasks while it syncs. Note that the command above creates /usr/local/share/CentOS/6.2/ (the source is given without a trailing slash, so rsync copies the directory itself); use that path, not .../6/, which only exists as a symlink on the upstream mirror, when you copy the pxeboot files later and in the kickstart url.

As you’ve seen I use a directory under /usr/local/share. You can also use /var/www/html, which keeps the httpd configuration simpler. If you use the /usr/local/share path, make sure SELinux allows httpd to read those directories; otherwise httpd will refuse the request even though the directory exists.

You can fix the SELinux file context with chcon -R, making it identical to that of /var/www/html (view contexts with ls -la --context, or ls -laZ). A chcon label is lost on the next relabel, though; the persistent way is semanage fcontext -a -t httpd_sys_content_t "/usr/local/share/CentOS(/.*)?" followed by restorecon -R /usr/local/share/CentOS (semanage comes from the policycoreutils-python package). I found it easier to disable SELinux entirely, as you’ll run into it again later. On a production server, however, that is not a good idea: keep it enforcing and fix the labels instead.

If necessary, add an httpd config that points at your mirror directory (the original had a typo, Option instead of Options, which makes httpd refuse to start):

vim /etc/httpd/conf.d/repo.conf

<VirtualHost *:80>
    ServerName repo.localhost
    ServerAlias repo

    DocumentRoot /usr/local/share/CentOS

    <Directory "/usr/local/share/CentOS">
        Options Indexes FollowSymLinks
        Order allow,deny
        # restrict this to the install subnet if the server is reachable from
        # elsewhere, e.g. Allow from 172.16.2.0/24
        Allow from all
    </Directory>
</VirtualHost>

Restart your httpd service:

service httpd restart

Now configure dhcpd (/etc/dhcp/dhcpd.conf on CentOS 6). You can use your own subnet, it doesn’t really matter. One caveat: a DHCP server answers every client on the segment, so run it on an isolated install network (or a VirtualBox internal or host-only network) rather than on a production LAN, where it would compete with the real DHCP server. Here’s mine:

option domain-name "localdomain.com";
option domain-name-servers 172.16.2.1;
option subnet-mask 255.255.255.0;

allow bootp;
allow booting;
next-server 172.16.2.1; # required for PXE: the TFTP server the client fetches the boot loader from
filename "linux-install/pxelinux.0";

option ip-forwarding false;
option mask-supplier false;

subnet 172.16.2.0 netmask 255.255.255.0 {
 option routers 172.16.2.1;
 range dynamic-bootp 172.16.2.40 172.16.2.60;
}

When configured restart your DHCP server:

service dhcpd restart

Now move some files to the tftp directory. If you’ve installed syslinux these files are already on your system; if they’re not where mine are, locate them with find / -name pxelinux.0:

mkdir /var/lib/tftpboot/linux-install
cp /usr/share/syslinux/pxelinux.0 /var/lib/tftpboot/linux-install
cp /usr/share/syslinux/menu.c32 /var/lib/tftpboot/linux-install
cp /usr/share/syslinux/memdisk /var/lib/tftpboot/linux-install
cp /usr/share/syslinux/mboot.c32 /var/lib/tftpboot/linux-install
cp /usr/share/syslinux/chain.c32 /var/lib/tftpboot/linux-install

If you’ve created a yum mirror the installer kernel and initrd are already on your system. Otherwise copy them from the images/pxeboot directory of the install DVD, or fetch them from a mirror:

mkdir -p /var/lib/tftpboot/linux-install/images/centos/i386/6.2
cp /usr/local/share/CentOS/6.2/os/i386/images/pxeboot/* \
 /var/lib/tftpboot/linux-install/images/centos/i386/6.2/

Now enable the tftp service in the xinetd superserver: change the line disable = yes to disable = no in /etc/xinetd.d/tftp. While you’re in that file, verify that the path in server_args (-s /var/lib/tftpboot by default) is the directory you copied all these files to.

Restart the xinetd superserver:

service xinetd restart

Now you can make a kickstart file. Use the kickstart editor (found in the Gnome menu under System Tools) or write one by hand.

Place the kickstart file under the httpd DocumentRoot (/usr/local/share/CentOS in this setup). I put mine directly in the root as ks.cfg, but it can go anywhere as long as the ks= URL in the PXE menu matches. Remember that every host on the install network can fetch this file over plain HTTP, so use rootpw --iscrypted rather than a plaintext password, and point url --url at the os/i386 directory of your mirror as served by httpd (with the rsync above, http://172.16.2.1/6.2/os/i386).
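As an added example, not from the original post, the following shell script writes a minimal kickstart file for this setup and lints it for the settings that matter when the file is served unauthenticated over HTTP. The repository URL http://172.16.2.1/6.2/os/i386, the timezone and the eth0 device name are assumptions based on the setup above; the root password hash is produced separately (grub-crypt --sha-512 on CentOS 6, or openssl passwd -6 with OpenSSL 1.1.1 or later) and passed in as the third argument.

```shell
#!/bin/sh
# Added example, not from the original post: write a minimal CentOS 6 kickstart
# for this PXE setup and lint it. ks.cfg is fetched over plain HTTP by every
# host on the install network, so it must never carry a plaintext password.
# Assumptions: the repo URL matches the rsync target and DocumentRoot above; the
# root hash is made beforehand with  grub-crypt --sha-512  (CentOS 6) or
# openssl passwd -6  (OpenSSL >= 1.1.1) and passed in as the third argument.

# write_ks OUTFILE REPO_URL ROOT_HASH
write_ks() {
    out="$1"; repo="$2"; roothash="$3"
    cat > "$out" <<EOF
install
url --url $repo
lang en_US.UTF-8
keyboard us
network --onboot yes --device eth0 --bootproto dhcp --noipv6
# hashed: this file is world-readable on the install network
rootpw --iscrypted $roothash
authconfig --enableshadow --passalgo=sha512
# keep the installed system locked down; fix labels instead of disabling SELinux
selinux --enforcing
firewall --enabled --service=ssh
timezone --utc Europe/Amsterdam
bootloader --location=mbr
zerombr
clearpart --all --initlabel
autopart
reboot

%packages
@core
openssh-server
%end
EOF
}

# lint_ks FILE -> 0 if it passes, 1 otherwise (each problem is printed)
lint_ks() {
    f="$1"; rc=0
    if ! grep -q '^url --url http' "$f"; then
        echo "FAIL: no 'url --url', anaconda will not find the repository"; rc=1
    fi
    # require a crypt(3) hash ($1$, $5$, $6$ ...), never a plaintext password
    if ! grep -q '^rootpw --iscrypted \$[0-9]\$' "$f"; then
        echo "FAIL: rootpw missing, plaintext, or not a crypt(3) hash"; rc=1
    fi
    if grep -q '^selinux --disabled' "$f"; then
        echo "FAIL: selinux --disabled"; rc=1
    fi
    if grep -q '^firewall --disabled' "$f"; then
        echo "FAIL: firewall --disabled"; rc=1
    fi
    return $rc
}
```

Usage: write_ks /usr/local/share/CentOS/ks.cfg http://172.16.2.1/6.2/os/i386 "$(grub-crypt --sha-512)" followed by lint_ks /usr/local/share/CentOS/ks.cfg. The lint deliberately fails on a plaintext rootpw and on selinux or firewall being disabled, since a kickstart is copied from one setup to the next and those are the lines that tend to survive the copy.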

Now create the PXE configuration. pxelinux looks for pxelinux.cfg/ in the directory it was loaded from, i.e. linux-install/ under the tftp root, which is /var/lib/tftpboot, the same directory as above:

mkdir /var/lib/tftpboot/linux-install/pxelinux.cfg/
vim /var/lib/tftpboot/linux-install/pxelinux.cfg/default

default menu.c32
prompt 0
# timeout is in tenths of a second; 10 gives you one second to pick an entry
timeout 10

MENU TITLE PXE Menu
LABEL CentOS 6.2 i386
MENU LABEL CentOS 6.2 i386
KERNEL images/centos/i386/6.2/vmlinuz
append initrd=images/centos/i386/6.2/initrd.img ks=http://172.16.2.1/ks.cfg

The KERNEL and initrd paths are relative to linux-install/, and the ks= URL must be where you placed the kickstart file.
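Before booting a client it pays to check that the DHCP offer, the TFTP tree and the menu agree with each other: path mix-ups such as /usr/lib/tftpboot versus /var/lib/tftpboot, or 6 versus 6.2 in the image directory, are the usual reason a client stops at "PXE-E53: No boot filename received" or "Could not find kernel image". The following check is an added example, not part of the original post; it assumes pxelinux’s rule that KERNEL and initrd paths are resolved relative to the directory pxelinux.0 was loaded from.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the boot file named in
# dhcpd.conf, the pxelinux menu and the kernel/initrd it references all exist
# under the TFTP root. Assumption: pxelinux resolves KERNEL and initrd= paths
# relative to the directory it was itself loaded from (linux-install/ here).

# check_pxe_tree TFTPROOT DHCPD_CONF
# prints every problem found; returns 0 if the chain is complete, 1 otherwise
check_pxe_tree() {
    root="$1"; dhcpd="$2"; rc=0

    # filename "linux-install/pxelinux.0";  ->  linux-install/pxelinux.0
    bootfile=$(sed -n 's/^[[:space:]]*filename[[:space:]]*"\([^"]*\)".*/\1/p' "$dhcpd" | head -n 1)
    if [ -z "$bootfile" ]; then
        echo "$dhcpd: no filename directive, clients will report PXE-E53"; return 1
    fi
    if [ ! -f "$root/$bootfile" ]; then
        echo "missing boot loader: $root/$bootfile"; rc=1
    fi

    # pxelinux.cfg/ lives next to pxelinux.0, and menu paths are relative to it
    base="$root/$(dirname "$bootfile")"
    cfg="$base/pxelinux.cfg/default"
    if [ ! -f "$cfg" ]; then
        echo "missing menu: $cfg (pxelinux falls back to a bare boot: prompt)"; return 1
    fi

    # KERNEL <path> lines (keyword is case-insensitive) and initrd=<path> values
    targets=$(awk 'tolower($1) == "kernel" { print $2 }' "$cfg")
    initrds=$(grep -o 'initrd=[^[:space:]]*' "$cfg" | cut -d= -f2)
    for f in $targets $initrds; do
        if [ ! -f "$base/$f" ]; then
            echo "menu references missing file: $base/$f"; rc=1
        fi
    done

    # the kickstart URL cannot be checked offline; print it so you can curl -I it
    for url in $(grep -o 'ks=[^[:space:]]*' "$cfg" | cut -d= -f2-); do
        echo "kickstart URL to verify with curl -I: $url"
    done
    return $rc
}
```

Run it on the server as check_pxe_tree /var/lib/tftpboot /etc/dhcp/dhcpd.conf; the files it finds missing are exactly the ones the client will ask for over TFTP and not get.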

Now you should be able to PXE boot your new systems. Some last takeaways:

  • Don’t forget the firewall. CentOS blocks most inbound traffic by default, so open 67/udp (DHCP), 69/udp (TFTP) and 80/tcp (HTTP) on the server. If the firewall also restricts outbound traffic, or sits between client and server, load the TFTP connection-tracking helper as well (nf_conntrack_tftp, e.g. via IPTABLES_MODULES in /etc/sysconfig/iptables-config), because the data transfer comes back from a different server port than the one the request went to.
  • SELinux might be causing problems. Check by temporarily switching to permissive with setenforce 0; if that fixes it, look up the denials in /var/log/audit/audit.log and fix the file labels rather than leaving it permissive.

See also the installation guide chapter “Preparing for a Network Installation”, which covers the same setup.

Posted in Linux, Network

$8 billion iPod

The entertainment industry keeps claiming incredible losses due to music and video piracy. Are these losses really that great? Cinema visits increase yearly, music revenues are going through the roof…

Sure, many people download ‘illegally’. The question, however, is whether these people would have bought the CD or the movie if it weren’t for the Internet. I think not, but who am I to judge?

In the video below Rob Reid introduces us to something called Copyright Math. It’s fun to watch and might open your eyes to their propaganda.

There is still a good reason to buy music or visit concerts, though: support your favourite artists!

Posted in Internet, News

Circumventing piratebay blockade

Although I’m not a big-time user of torrents and the like, I do not like the blockade of The Pirate Bay that BREIN had imposed. There are multiple reasons for this, but first and foremost is my opinion that the Internet should be a freely accessible medium. Blocking sites does not fit that philosophy.

Therefore I installed squid on my server to act as a proxy for me. The installation is fairly straightforward:

  • Install squid3 (apt-get install squid3 squid3-common)
  • Configure the access rules for squid:
    • Configure the localnet acl to contain only your own IP address (otherwise you’re running an open proxy, which is not what you want; open proxies are found and abused within hours)
    • Configure http_access to allow localnet and deny everything else
    • Optionally change the default proxy port (which is security through obscurity, but if it makes you feel better it’s fine)
  • Restart squid
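As an added example, not from the original post, here is a shell script that writes such a locked-down squid3 configuration and a check that rejects configurations which would make the server an open proxy. The client address 203.0.113.7 and port 3128 are placeholders for your own address and chosen port; on Debian the result goes to /etc/squid3/squid.conf.

```shell
#!/bin/sh
# Added example, not from the original post: write a squid3 configuration that
# only one client address may use, and a check that rejects configurations
# which would turn the server into an open proxy. Assumptions: 203.0.113.7 and
# 3128 are placeholders for your own address and chosen port; on Debian the
# file goes to /etc/squid3/squid.conf.

# write_squid_conf OUTFILE CLIENT_IP PORT
write_squid_conf() {
    out="$1"; client="$2"; port="$3"
    cat > "$out" <<EOF
# only this address may use the proxy (add more with further 'acl localnet src' lines)
acl localnet src $client
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# the first matching http_access line wins, so the order matters
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
# explicit final deny: without it squid's default is the opposite of the last rule
http_access deny all

http_port $port
# do not leak the client address or announce the proxy to the sites visited
forwarded_for delete
via off
EOF
}

# check_squid_conf FILE -> 0 if the config is not an open proxy, 1 otherwise
check_squid_conf() {
    f="$1"; rc=0
    conf=$(sed 's/#.*//' "$f")          # drop comments before matching
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+all([[:space:]]|$)'; then
        echo "FAIL: 'http_access allow all' opens the proxy to everyone"; rc=1
    fi
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*acl[[:space:]]+localnet[[:space:]]+src[[:space:]]+0(\.0\.0\.0)?/0'; then
        echo "FAIL: localnet matches every source address"; rc=1
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+all'; then
        echo "FAIL: no final 'http_access deny all'"; rc=1
    fi
    return $rc
}
```

Usage: write_squid_conf /etc/squid3/squid.conf 203.0.113.7 3128 && check_squid_conf /etc/squid3/squid.conf, then restart squid. The check is intentionally conservative: it looks for the three ways an otherwise sensible config usually ends up open (an allow all, a localnet covering 0.0.0.0/0, or no final deny), which is what a scanner probing your box will exploit.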

That’s it. Configure your PC to use the new proxy and you should be able to bypass the blockade. Of course your server itself should not be behind a Ziggo or XS4ALL connection, as those are the providers doing the blocking.

If you don’t want all your traffic to pass through the proxy you can use the Firefox add-on FoxyProxy, which lets you route selected websites through the proxy and the rest directly.

Posted in Internet, Security

SOPA and PIPA

I know I’m late with this, but this video deserves sharing, especially because SOPA and PIPA won’t be the entertainment industry’s last attempt to limit us.

The message is clear: we should all continue creating and sharing. I’m not saying we should boycott the entertainment industry, as they produce marvellous things, but we should show them and encourage them to participate in the co-creation possibilities that exist on the Internet. Many people want to create entertainment, many people can create entertainment, and many people can improve the entertainment industry.

Posted in Internet, News

IPv6 security part 2, Duplicate Address Detection

DAD, or Duplicate Address Detection, is the mechanism an IPv6 host uses to find out whether the address it wants to use (autoconfigured or not) is already in use by another node on the link. This prevents address conflicts and keeps the network working.

DAD works as follows:

  • The host that wants to use address A sends a Neighbor Solicitation for A. The packet is sent from the unspecified address (::) to the solicited-node multicast address of A, and is repeated DupAddrDetectTransmits times (default 1).
  • After each transmission the host waits RetransTimer (default one second) before it may assume address A is free.
  • If no Neighbor Advertisement for A (and no solicitation for A from another node) arrives within that time, the host starts using A. If one does arrive, A is marked duplicate and is never used.

The attack on DAD is a simple denial of service. An attacker on the link who answers every DAD solicitation with a Neighbor Advertisement for the requested address turns every address the victim tries into a ‘duplicate’, so the victim never gets on the network. So what can be done against this kind of attack? Once again SeND might offer a solution.

In SeND public key cryptography is used to verify the ownership of an IP address. How does this work?

As some of you might know, public key cryptography is based on a key pair: the public key is known to everybody, whereas the private key is known only to yourself. In SeND the address is not the public key itself; instead the interface identifier (the lower 64 bits of the address) is derived from a hash of the node’s public key. Such an address is called a Cryptographically Generated Address (CGA, RFC 3972).

The process goes as follows:

  • PC A generates a key pair and derives its address from the public key.
  • PC A signs the NDP packet with its private key and includes the public key and the signature in the packet.
  • PC A sends the packet to PC B.
  • PC B checks that the address of PC A is indeed derived from the public key in the packet, then verifies the signature with that key.
  • If both checks succeed PC B knows that the sender holds the private key belonging to that address; an attacker cannot claim address A without it.

Unfortunately, as stated before, SeND is not widely implemented, so we have to make do with other measures. One of these is a DAD proxy implemented on the switch: the switch inspects the neighbor discovery traffic to learn which addresses live behind which port, and depending on its settings it can do various things:

  • Report suspicious behaviour
  • Block traffic on a specific port

ND snooping on a switch is best compared to DHCP snooping combined with MAC address filtering in IPv4.

Posted in Internet, Network, Security

IPv6 Security part 1, Router Advertisements

This is the first part of a series on IPv6 security. As the IPv4 address space is nearly exhausted, more and more companies are looking at IPv6. However, whenever a ‘new’ protocol is rolled out there is a good chance of security issues arising. Moreover, as IPv6 is likely to be one of the most fundamental changes to the Internet and networking world of the last 30 years, and probably of many years to come, it is important to do it right.

IPv6 is not a new protocol: it was defined in 1998 in RFC 2460. Some of the attacks we see nowadays were not known back then, so most of them apply to IPv6 just as they do to IPv4.

In this first part I would like to discuss Router Advertisements (RA). To be able to understand the problem with RA you would first need to know what they are. A router advertisement is a message which is sent by the routers on the network. These messages contain vital information required by network hosts to be able to use the network. For example, a RA contains network information required by hosts to assign themselves an IP address. This is a method of configuring clients without the need for a DHCP server.

One of the most important features of a router advertisement is that it announces the router itself. Clients use this information to send data off-network, thus enabling them to participate in the bigger whole of the network and the Internet. In other words, a RA contains the default gateway for the network.

One of the biggest problems with router advertisements is that any host can send them, which opens the door to a man-in-the-middle attack. Someone who wants to inspect all the traffic you send to the Internet can send a forged router advertisement that reconfigures your computer to send all its data to him. This works because router advertisements are not authenticated and the most recently received advertisement is taken to be the correct one. (Note that this attack is the IPv6 equivalent of a rogue DHCP server on IPv4, except that in the IPv4 case you need to be the first to answer instead of the last.)

So, what can we do about this? The best way would be to authenticate the router: when you can be sure an RA originated from the real, trusted router on the network you can trust it. In 2005 a standard was specified that achieves just that (among other things). It is called SeND (Secure Neighbor Discovery) and is defined in RFC 3971. It has been implemented by Cisco but, unfortunately, by nobody else. Another option is to apply the same technique used against rogue DHCP servers: configure which switch port the router sits on and allow router advertisements only from that port. This is called RA Guard and is documented in RFC 6105. It mitigates the attack on a wired LAN and is currently implemented by most (but not all!) big network vendors, Cisco among them.

However, this solution requires a real switch with support for this feature; a hub will not do. That raises another question: how do you protect wireless users from this attack? Without SeND this becomes quite difficult. What you have to do is separate the clients from each other so that they cannot see each other’s traffic, which is hard on a wireless LAN because it is a shared medium. One option is to set up IPsec tunnels between each host and a trusted endpoint: even if an attacker manages to insert himself as the router, all traffic is encrypted, limiting what he can do with the data. Hosts that do not need autoconfiguration at all (servers with static addresses, typically) can simply refuse router advertisements with the sysctl net.ipv6.conf.<interface>.accept_ra = 0.

Posted in Internet, Network, Security

Using D7000 as wireless flash commander

It is possible to use the D7000 as a wireless flash commander to remotely control your SB600, SB800 or SB900 flash units. The required configuration is straightforward: you have to configure both the camera and the flash. I’ll tell you how. As my camera’s language is set to Dutch, the menu item names I use may not be exact, but they should come close.

D7000

  • Open the menu.
  • Go to the custom settings menu.
  • Go to e3, Flash cntrl for built-in flash
  • Set the option to Commander mode.
  • In commander mode select channel 3.
  • If you like you can disable the built-in flash, or set it to manual at 1/125. (The built-in flash always fires, even when disabled; it then only fires the pre-flash, not during the exposure itself.)

The D7000 is now configured as flash commander.

SB600

I only have an SB600, so I can’t tell you the settings for the SB800 and SB900, but I expect them to be roughly the same.

  • Press the Menu and – buttons simultaneously for a little while (the CSM buttons)
  • In the csm menu select the wriggly arrow.
  • Set the option to enabled.
  • Exit the CSM menu.

Your flash should now be configured to slave mode. You can verify this in the display. It should say that it’s configured on channel 3 group A.

Posted in photography

Internet based elections

A few years ago many people in Holland were mobilised to do something about voting computers, which were said to be unsafe. The two most common arguments against voting computers were the following:

  • There was no guaranteed privacy of your vote
  • They could be modified to favour a specific party without anybody noticing (if done correctly)

Voting privacy

In Holland (and probably in all democratic countries around the world) it is your right to keep your vote secret. If you do not want to tell who you voted for, you don’t have to. Nice, you would think, now I don’t need to be ashamed that I voted for party X. Some people think that hiding your vote is a way to keep face with your peers. However, that is not what it is for. The right to keep your vote secret is not a tool to hide your political preference from your neighbour; it is a tool to prevent a totalitarian government. By keeping your vote secret from the government, the government can’t do anything about you. (Of course, once you have a totalitarian regime this would not stop them from arresting you, but that’s another story.) By ensuring that your vote can’t be traced back to you, the government only has vote totals and not a list of who voted for whom.

The right to keep your vote a secret is a constitutional right and should be handled with the utmost care. We should not allow the government or anybody else to weaken this right, not by law and not by peer pressure.

Fraud

With voting computers it became fairly simple to modify the outcome of an election to suit your purpose. A totalitarian party might be inclined to change the outcome in such a way that it gains seats. Done cleverly, people might never notice until it’s too late. In the ‘old’ days, when voting was done with pencil and paper, large-scale fraud was much more complicated. Where modifying a few thousand voting computers requires only a few key people to be in on the conspiracy, rigging an old-fashioned election means bribing all the counters, which increases the risk of the fraud becoming known.

As I said earlier, Holland managed to ban the voting computers because they did not guarantee our constitutional rights. Now, during and after our first official old-fashioned election since the voting computers, politicians, journalists and citizens alike are clamouring for Internet voting. Have they already forgotten why the voting computers were banned? Voting via the Internet has the same problems as voting computers, only many times more serious. Hacking the election would now require only one skilled person, but that’s not all. Voting via the Internet requires the electorate to sign in on the election website, which needs a way to verify that you are allowed to vote. But once you’ve logged in it is a simple matter to match the vote to the voter, nullifying our right to privacy.

Elections via the Internet should not be allowed, not now and not ever! Sure, anybody can see the benefits of Internet elections: you don’t even have to leave the house, you can vote from work, and so on. This would probably increase turnout, which is a positive thing. However, people who are too lazy to vote when they have to walk at most a few hundred metres should not vote at all. They do not have the interests of the country at heart, only their own.

Posted in Internet, News | 2 Comments

Privacy and its worth

What is privacy worth nowadays? In the last few months many ‘important’ people have been quoted saying that the age of privacy is over. Everybody accepts the new reign of total control by governments and, more importantly, by corporations. All hail Big Brother!

Google’s CEO Schmidt has been quoted saying “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” Apparently Schmidt applies the company’s credo “Don’t be evil” with verve. Which obviously he isn’t, because everybody is allowed to know everything about him. Or are they? Google blacklisted CNet for publishing private information about Schmidt, such as his salary. Apparently Schmidt has already forgotten that incident as he strives to minimise privacy.

Another recent example is Facebook. First it changed its privacy policy “to comply with our customers’ wishes”. Then, as protests emerged, it blocked the Suicide Machine (a tool for committing virtual suicide: it removes all data from profile pages such as Facebook’s and replaces it with standard information). Facebook has stated that the Suicide Machine violates the user agreement.

Nearly ten years have passed since the attacks on the Twin Towers, yet security ‘improvements’ are still being made at the expense of privacy. Airports now use full body scanners to detect bombs or other unwanted luggage. These machines were rapidly introduced at several major airports after a failed attempt to blow up an airplane. However, the manufacturer of these machines was quoted saying that its machines would probably not have detected the explosives that the bomber was carrying.

So what good is privacy now? Is it all just an illusion? Is it justified to sacrifice privacy for security? Benjamin Franklin is often quoted as saying: “He who sacrifices freedom for security deserves neither.” In fact what we are doing is sacrificing our liberty and our privacy to our governments so that they can control us even better. Total safety and security is a utopia, whereas the complete lack of privacy, and therefore also of security, is a dystopia. The disturbing thing is that a utopia is unattainable, whereas dystopias are easily found. We are heading rapidly toward the dystopia George Orwell described. But hey, we’re lucky it’s 2010 now, so he was off by at least 26 years.

However, as Facebook says, it is what people want. Look around on the Internet: people are dying to get attention, and if they can get it by sacrificing privacy they will. It’s all about your Facebook buddies, isn’t it? This blog is also a way to draw attention; it too is a little part of selling my privacy. But what can I do?

One day we might all look back at the last millennium and wonder where that freedom and happiness went.

Posted in Internet, News, Security