Feb
23

Honeypot as a service

I’m currently working at CZ.NIC, the Czech domain registry, on the Turris project: open source WiFi (or WiFi-free) routers. For those we developed quite a few interesting features. One of them is a honeypot that you don’t run on your own hardware (what if somebody managed to escape from it?); instead the router does a man in the middle on the attacker and forwards the session to a honeypot we are running behind many firewalls. We had this option on our routers for quite some time. But because plenty of people around the world found the idea really interesting and wanted to join, this part of our project got separated, has its own team of developers and maintainers, and you can now join with your own server as well! And to make it super easy, packages are already available in Tumbleweed and also in the security repo, where they are being built for Leap as well.

How to get started, how does it work and what will you get when you join? The first step is to register on the HaaS website. You can also find there an explanation of what HaaS actually is. When you log in, you can create a new computer and generate a token for it. Once you have a token, it’s time to set up the software on your server.

The second step is obviously to install the software. Given you are using the cool Linux distribution openSUSE Tumbleweed, it is pretty easy. Just zypper in haas-proxy.

The last step is configuration. You need to either disable your real ssh or move it to a different port. You can do so easily in /etc/ssh/sshd_config: look for the Port option and change it from 22 to some other fancy number. Don’t forget to open that port on the firewall as well. After calling systemctl restart sshd you should be able to ssh in on the new port and your port 22 should be free. Keep the session you are already logged in with open until you have verified a fresh login on the new port, otherwise a typo in the configuration or a forgotten firewall rule will lock you out of the server.

Now, do you still remember the token you generated on the HaaS website? You need to enter it into /etc/haas-proxy, option TOKEN. And that’s all: call systemctl enable haas-proxy and systemctl start haas-proxy, the trap is set and all you need to do is wait for your victims to fall in.
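The configuration steps above, as an added example that is not part of the haas-proxy package or the Turris project: two small POSIX shell helpers that move sshd off port 22 and record the token, written against file paths passed as arguments so they can be tried on copies first. They assume /etc/haas-proxy is a plain KEY=value file with a TOKEN line (the text only says the option is called TOKEN); the function names and the chmod are this example’s own choices.

```sh
#!/bin/sh
# Added example, not part of haas-proxy or the Turris project: helpers for the
# two edits the HaaS setup needs. Both take the config file as an argument so
# they can be dry-run on a copy before touching /etc.
# Assumption: /etc/haas-proxy is a simple KEY=value file containing TOKEN=.

# set_sshd_port CONFIG PORT
# Drops every uncommented "Port" directive and writes a single one at the top
# of the file. Putting it first matters: sshd refuses a Port directive that
# appears after a "Match" block, so appending at the end can break the config.
set_sshd_port() {
    cfg="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "set_sshd_port: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "set_sshd_port: port out of range: $port" >&2; return 1
    fi
    {
        printf 'Port %s\n' "$port"
        grep -v '^[[:space:]]*Port[[:space:]]' "$cfg" || true
    } > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# get_sshd_port CONFIG -> the port sshd will listen on (22 when unset)
get_sshd_port() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1)
    echo "${p:-22}"
}

# set_haas_token CONFIG TOKEN
# Accepts only characters that are harmless in a KEY=value file a service may
# source, so a pasted token cannot smuggle shell syntax into it. The token is
# a credential, so the file is made readable by root only.
set_haas_token() {
    cfg="$1"; token="$2"
    case "$token" in
        ''|*[!A-Za-z0-9_-]*) echo "set_haas_token: unexpected token format" >&2; return 1 ;;
    esac
    {
        grep -v '^TOKEN=' "$cfg" 2>/dev/null || true
        printf 'TOKEN=%s\n' "$token"
    } > "$cfg.tmp" && mv "$cfg.tmp" "$cfg" && chmod 600 "$cfg"
}

# get_haas_token CONFIG -> the configured token, empty if none
get_haas_token() {
    sed -n 's/^TOKEN=//p' "$1" | head -n 1
}
```

Run set_sshd_port /etc/ssh/sshd_config 2222 and set_haas_token /etc/haas-proxy YOUR_TOKEN as root, then check the result with sshd -t before systemctl restart sshd: sshd -t exits non-zero and names the offending line if the configuration is broken, which is exactly the failure you do not want to discover after your only session has closed.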

Once they do (if you have a public IPv4 address you should have plenty after just a day), you can go to the HaaS website again and browse through the logs of trapped visitors or even view some statistics like which country attacks you the most!

So enjoy the hunt and let’s trap a lot of bad guys 🙂 Btw. anonymized data from those honeypot sessions are later available to download and CZ.NIC has some security researchers from the CSIRT team working on them, so you are having fun, not compromising your own security and helping the world, all at once! So a win, win, win situation 🙂

Jan
18

Running for re-election

As you might have noticed, I’m running for re-election. I served my first term as an openSUSE Board member, learned a lot and I think I could represent you well for another two years. Although this year’s elections will be tough as we have quite a few strong candidates in the end. So honestly, I have no worries regarding the result of the elections as it can’t end badly. Compare it to real world politics and elections where the results can be either bad or even worse… But even though our elections are quite friendly, it is still a competition. So what would I do if I get elected? Why should you vote for me? I’ll try to answer that in this post.

What does the board do?

I was a board member for two years. During that time, I learned more about what the board actually does and would like to describe it at the beginning. Even if you decide not to vote for me, it can help you pick the best candidates. I believe that the following roles are the main responsibilities the board has.

Judge

The board is the last resort when there is some conflict. And there are conflicts from time to time. Our task is to listen to both sides of the story and help them reach a solution, peacefully if possible, and de-escalate things. Sometimes there are quite some emotions involved and you might even know one or both parties of the argument. It can sometimes be hard to stay objective and resolve things in a way that is defensible, and if there are consequences, it has to be plainly visible what the cause was.

Budget keeper

We have the power to influence how SUSE spends money on openSUSE. Our responsibility is to help decide what to support and how. When there is a need for money, the board asks SUSE and SUSE gives us money. Part of this role is being reasonable; if we start asking for Lamborghinis for everybody, they might start saying no. Also we need to be kinda predictable so SUSE can plan the budget for openSUSE. But lately part of that job was given out to Andrew – to keep our books.

Point of contact

We are the single point of contact for people from outside of the project or for companies. Our task is to tell them how our community works. Also, whenever they have an interesting proposal for our community, to put them in contact with the right people from our community. We are also in charge of our trademark – the openSUSE name and logo. From time to time, somebody wants to do something with the openSUSE label on top of it. Mostly it is producing merchandise, a new cool spin-off, a port of openSUSE to some exotic architecture… In these cases, our task is to decide whether this would benefit the openSUSE community or whether it is an attempt to exploit it. Mostly these requests are good ideas though, and we just say yes.

Yes man

Last but one of the most important tasks that the board has is to encourage people to do stuff. The board itself has no power over technical decisions. In openSUSE, who does the work, decides. But sometimes people still ask whether they can do something. Our job is to tell them that they can do it. Sometimes people ask us to change something or implement something. Our job in that case is again to tell them that they can do it. We don’t have a pack of code monkeys to implement whatever whoever wishes. But we have the power to encourage people to scratch their own itch and we can help promote the idea and try to find more people to help.

How do I fit the board

So why should you vote for me in the upcoming elections? I’m by nature a calm person. It is really hard to upset or anger me. So if you ever get into a conflict with somebody, you want me to be part of your jury as I will try to be as objective as possible. If you are a villain, you probably don’t want me there though. Regarding budget, I’m quite frugal. I was a student for a long time and I learned to think twice before spending money. But I’m working on it and learning how to spend money. Instinctively I’m always thinking whether the goal justifies the expenses. So don’t expect those Lamborghinis for release parties.

Regarding communication, I worked in two big companies (one of them being SUSE) and I learned what is troublesome for those companies and what is easy. Quite often it is counterintuitive. Understanding how this works can help find a better deal for both sides. Regarding encouraging people to do stuff, I try to do it whenever I speak somewhere about openSUSE.

I think I would fit into the board nicely, but so would the others running for the board. Your task is to choose who you think fits best and who matches your world view the most.

About me

For those who don’t know me, I’ll sum up who I am. As you probably noticed, I was an openSUSE Board member for the last two years. Apart from that, I try to promote openSUSE whenever possible, so you might have met me at some conferences, and with Tomas Chvatal we give lessons at a local school teaching kids Linux (on openSUSE). What I’m lately most known for is that I wrote a bot that tried to kick almost every eligible voter out of openSUSE membership. But even that bot was fair and tried to kick people regardless of whether I consider them my friends or whether I never heard of them. There was a bug, I found it and you can look forward to the next round after the election. The goal is to know who is still around. It will help us to interpret how interested people are in elections. But in the future there might be some even more important things to decide. And if there ever is a need for some community-wide decision that should be taken by a majority of our contributors, we should know whether people just don’t care or whether the votes we got roughly represent the people we still have and we just have too many lapsed members. It can also help to decide whether a package is still actively maintained – if its maintainer got kicked out, he probably is not around anymore to fix your issues and it’s time to step up. So it can be useful, but I’m sorry for all those falsely accusing mails. And it will be finished after the elections regardless of whether I get elected or not, so not voting for me will not stop it 🙂

What would I do if I get elected? Will I try to kick out more people? Probably not. I will represent you the best I can and, given the power the board has, I will encourage you to do whatever crazy projects you like. But I’m not going to promise to solve all the bugs or make you rich. That is not in the board’s powers.

Endorsements

Real world politicians usually mention which famous artists are supporting them. I don’t have any and I think they don’t matter. What I would like to do instead is to endorse one of my competitors. Well, I could easily endorse all of them, but then you wouldn’t vote for me. With one endorsement, there is still the other seat 🙂 I would like to endorse Sarah. I have known her for some time. During conferences you can find her at the openSUSE booth promoting our awesome project. Between conferences, she helps with Leap releases and openSUSE infrastructure. I know she would represent openSUSE well (she already does) and I believe that as a board member she will always act in openSUSE’s best interest.

Apr
04

Turris Omnia and openSUSE

About two weeks ago I was at the annual openSUSE Board face-to-face meeting. It was great and you can read reports of what was going on there on the openSUSE project mailing list. In this post I would like to focus on the other agenda I had while coming to Nuremberg. Nuremberg is, among other things, SUSE HQ and therefore there is a high concentration of skilled engineers and I wanted to take advantage of that…

A little bit of my personal history. I recently joined the Turris team at CZ.NIC, partly because Omnia is so cool and I wanted to help make it happen. And being a long-term openSUSE contributor, I really wanted to find some way to help both projects. I discussed it with my bosses at CZ.NIC and got in contact with Andreas Färber, whom you might know as one of the guys playing with ARMs within the openSUSE project. The result was that I got approval to bring an Omnia prototype to him over the weekend and let him play with it.

My point was to give him a head start, so when Omnias start shipping, there will already be some research done and maybe even a howto for openSUSE, so you could replace OpenWRT with openSUSE if you wanted. On the other hand, we will also get some preliminary feedback we can still try to incorporate.

Andreas Färber with Omnia

Why test whether you can install openSUSE on Omnia? And do you want to do that? As a typical end user, probably not. Here are a few arguments that speak against it. OpenWRT is great for routers – it has a nice interface and anything you want to do regarding the network setup is really easy to do. You are able to set up even a complicated network using a simple web UI. Apart from that, by throwing away OpenWRT you would throw away quite a few of the perks of Omnia – like parental control or the mobile application. You might think that it is worth sacrificing those to get a full-fledged server OS you are familiar with and where you can install everything in a non-stripped-down version. Actually, you don’t have to sacrifice anything – OpenWRT on Omnia will support LXC, so you can install your OS of choice inside an LXC container and have both – an easily manageable router with all the bells and whistles and also a virtual server with very little overhead doing the complicated stuff. Or even two or three of them. So most probably, you want to keep OpenWRT and install openSUSE or some other Linux distribution inside a container.

But if you still do want to replace OpenWRT, can you? And how difficult would it be? Long story short, the answer is yes. Andreas was able to get openSUSE running on Omnia and even wrote instructions on how to do that! One little comment: Turris Omnia is still under heavy development. What Andreas played with was one of the prototypes we have. The software is still being worked on and even the hardware is being polished a little bit from time to time. But still, the HW will not change drastically and therefore the howto probably won’t change either. It is nice to see that it is possible and quite easy to install your average Linux distribution.

Why is having this option so important given all the arguments I stated against doing so? Because of freedom. I consider it a great advantage when buying a piece of hardware to know that I can do whatever I want with it and I’m not locked in and dependent on the vendor for everything. Being able to install openSUSE on Omnia basically proves that Omnia is really open and even in the unlikely situation in which hell freezes over and CZ.NIC disappears or turns evil, you will still be able to install the latest kernel 66.6 and continue to do whatever you want with your router.

This post was originally posted on CZ.NIC blog, re-posted here to make it available on Planet openSUSE.

Apr
03

Shell calendar generator

Some people still use paper calendars. The kind where you have a picture for the month and all days in the month listed. I have some relatives who do use those. On a loosely related topic, I like to travel and I like to take pictures in foreign lands. So combining both is an obvious idea – to create a calendar where the pictures of the month are taken by me. I searched for some ready-to-use solution but haven’t found anything. So I decided to create my own simple tool. And this post is about creating that tool.

I know time and date stuff is complicated and I wasn’t really looking into learning all the rules regarding date and time and programming them. There had to be a simple way to use some of the tools that are already implemented. An obvious option would be to use some of the date manipulation functions like mktime and write the tool in C. But that sounded quite heavyweight for such a simple tool. Using Ruby would be an option, but still kinda too much, and I’m not a fluent rubyist and my Python and Perl are even rustier. I was also thinking about what output format I should use to print it easily. As I was targeting some pretty printed paper, LaTeX sounded like a good choice and in theory it could be used to implement the whole thing. I even found somebody who did that, but I didn’t manage to comprehend how it worked, how to modify it or even how to compile it. Turns out my LaTeX is rusty as well.

So I decided to use the shell and the powerful date command to generate the content. I started with generating LaTeX code as I still want it on paper in the end, right? Trouble is, LaTeX makes great papers if you want to look serious and do some serious typography. For a calendar on the wall, you probably want to make it fancy and screw typography. I was trying to make it what I wanted, but it was hard. So hard I gave up. And I ended up with the winning combo – shell and HTML. HTML is easy to view and print and CSS supports various options including different styles for screen and print media types.

HTML and CSS made the whole exercise really easy and I have something working now on GitHub in 150 lines of code, where half of it is CSS. It’s not perfect, there is plenty of space for optimization, but it is really simple and fast enough. Are you interested? Give it a try and if it doesn’t work well for you, pull requests are welcome 😉
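The date-driven core of such a tool, as an added example that is not the author’s generator from GitHub: one month rendered as an HTML table from nothing but POSIX shell and GNU date (date -d is a GNU extension, so this assumes GNU coreutils as shipped on openSUSE). The leap-year and month-length arithmetic is delegated to date, which is the whole point of the approach; the Monday-first layout and the class names are this example’s own choices.

```sh
#!/bin/sh
# Added example, not the author's calendar generator: build one month of a
# wall calendar as an HTML table using only the shell and GNU date.
# Assumes GNU date (date -d is a GNU extension).

# pad_month M -> two-digit month, so date(1) always gets an ISO-style date
pad_month() {
    case "$1" in
        [1-9]) echo "0$1" ;;
        *) echo "$1" ;;
    esac
}

# days_in_month YEAR MONTH -> 28..31; leap years are handled by date itself
days_in_month() {
    date -d "$1-$(pad_month "$2")-01 +1 month -1 day" +%d
}

# first_weekday YEAR MONTH -> ISO weekday of the 1st: 1 = Monday .. 7 = Sunday
first_weekday() {
    date -d "$1-$(pad_month "$2")-01" +%u
}

# month_html YEAR MONTH -> an HTML table, Monday first, one <tr> per week,
# empty <td>s padding the first and last week, weekend cells carrying a
# class so print CSS can colour them differently.
month_html() {
    year="$1"; month=$(pad_month "$2")
    days=$(days_in_month "$year" "$month")
    start=$(first_weekday "$year" "$month")
    printf '<table class="month">\n<caption>%s</caption>\n' \
        "$(date -d "$year-$month-01" '+%B %Y')"
    printf '<tr>'
    for d in Mon Tue Wed Thu Fri Sat Sun; do printf '<th>%s</th>' "$d"; done
    printf '</tr>\n<tr>'
    col=1
    # leading blanks until the column of the 1st
    while [ "$col" -lt "$start" ]; do printf '<td></td>'; col=$((col + 1)); done
    day=1
    while [ "$day" -le "$days" ]; do
        if [ "$col" -ge 6 ]; then cls=' class="weekend"'; else cls=''; fi
        printf '<td%s>%d</td>' "$cls" "$day"
        # close the week after Sunday unless the month ends here
        if [ "$col" -eq 7 ] && [ "$day" -lt "$days" ]; then
            printf '</tr>\n<tr>'; col=0
        fi
        col=$((col + 1)); day=$((day + 1))
    done
    # trailing blanks to complete the last week
    while [ "$col" -le 7 ]; do printf '<td></td>'; col=$((col + 1)); done
    printf '</tr>\n</table>\n'
}
```

Calling month_html 2016 2 prints a caption, a header row and five week rows; wrapping the output in a page with an img for the month’s picture and a small stylesheet with an @media print section is all that separates it from something you can hand to a printer.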

Jan
17

Getting to your PiDrive

I wrote a few times about my PiDrive already; this is a continuation of the work in progress and I would like to share what I did since the last time.

Getting accessible

We need to address two problems regarding the accessibility of the PiDrive. The first one is actually not that you need to access your PiDrive from the Internet, but something much simpler. Once you connect your PiDrive to your local network, you need to find out its local address first so you can set it up. There are various options, for example avahi or netbios, configured to publish some recognizable name. I’m sure everybody has those in mind and I do as well. But I wanted to start first with something that might have escaped the others and what I consider quite simple but at the same time quite effective: on boot, I display the ownCloud logo on an HDMI-attached display if there is one, and below it the address of the device. My PiDrive came with a 90-degree HDMI adapter, so it looks like you are expected to connect a display to it. And reading what is written on the HDMI display is much simpler and more reliable than anything you do on a computer.

The other accessibility issue is getting to your PiDrive from the Internet. I already prepared kind of a solution (still need to implement the tunnel option though) for the Internet of tomorrow (IPv6), but as quite some people still live in the past, I extended my application and now it supports even UPnP. What is it and how does it work? If you have a smart enough router that allows such a thing (most of them do, although you probably need to enable it), you can instruct your PiDrive to open up a port on the router and forward it to itself. The tricky part is that your router has to support it and you kinda need a public IPv4 address on the other side (otherwise it misses the point). Keep in mind that UPnP port mapping is typically unauthenticated: any device on your LAN can ask the router to expose a port the same way, so whatever you expose through it should be ready to face the open Internet. So it doesn’t solve everything, but it makes the PiDrive accessible on IPv4 to at least some people. And Dynv6, which I implemented previously while playing with IPv6, should be able to resolve to your public IPv4 as well. So you can get ready for the future, while still maintaining compatibility with people living in the stone age.

Image

Both of the improvements mentioned above are installed in my image and I also finally installed ownCloud on it. Although currently just a git snapshot. For the final version, I’ll have to switch to packages I guess, but currently I have some dependency issues with them (and PHP 7) that I need to solve first. You can now try the improvements I mentioned yourself. Just inspect my GitHub repo or you can still download my temporary binaries (now updated).
