Sysadmin Documentation Documentation Release 1.0
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Freenas® 11.0 User Guide
FreeNAS® 11.0 User Guide June 2017 Edition FreeNAS® IS © 2011-2017 iXsystems FreeNAS® AND THE FreeNAS® LOGO ARE REGISTERED TRADEMARKS OF iXsystems FreeBSD® IS A REGISTERED TRADEMARK OF THE FreeBSD Foundation WRITTEN BY USERS OF THE FreeNAS® network-attached STORAGE OPERATING system. VERSION 11.0 CopYRIGHT © 2011-2017 iXsystems (https://www.ixsystems.com/) CONTENTS WELCOME....................................................1 TYPOGRAPHIC Conventions...........................................2 1 INTRODUCTION 3 1.1 NeW FeaturES IN 11.0..........................................3 1.2 HarDWARE Recommendations.....................................4 1.2.1 RAM...............................................5 1.2.2 The OperATING System DeVICE.................................5 1.2.3 StorAGE Disks AND ContrOLLERS.................................6 1.2.4 Network INTERFACES.......................................7 1.3 Getting Started WITH ZFS........................................8 2 INSTALLING AND UpgrADING 9 2.1 Getting FreeNAS® ............................................9 2.2 PrEPARING THE Media.......................................... 10 2.2.1 On FreeBSD OR Linux...................................... 10 2.2.2 On WindoWS.......................................... 11 2.2.3 On OS X............................................. 11 2.3 Performing THE INSTALLATION....................................... 12 2.4 INSTALLATION TROUBLESHOOTING...................................... 18 2.5 UpgrADING................................................ 19 2.5.1 Caveats:............................................ -
Privacy in the Domain Name System (DNS): DNS Privacy in Practice
Privacy in the Domain Name System (DNS): DNS Privacy in Practice Sara Dickinson [email protected] https://sinodun.com @SinodunCom TMA Jun 2019 DNS Privacy https://github.com/Sinodun/tma_phd_school Overview • First - lets look at your DNS queries! • Desktop DoT stub resolvers (client) (Stubby) • Set up your own DoT recursive (Unbound) - decrypt DoT • DoH - Clients & Browsers (Firefox) - decrypt DoH Firefox DoH Decryption is • Mobile Apps easier…. • DNS Libraries (getdns) • Routers TMA, Jun 2019 2 DNS Privacy dnsprivacy.org • DNS Privacy Clients • DNS Privacy Servers setup guides Reference material here • DNS Privacy Test and Public resolvers for most setups and recursive resolvers • DNS Privacy Monitoring • DNS Privacy Current work TMA, Jun 2019 3 DNS Privacy DNS Basics TMA, Jun 2019 4 DNS Privacy DNS Basics - A UDP query ‘dig’ is available on most *nix systems (or ‘drill’) TMA, Jun 2019 5 DNS Privacy DNS Basics - A UDP query ‘dig’ is available on most *nix systems (or ‘drill’) TMA, Jun 2019 5 DNS Privacy DNS Basics - A UDP query ‘dig’ is available on most *nix systems (or ‘drill’) TMA, Jun 2019 5 DNS Privacy DNS Basics - A UDP query ‘dig’ is available on most *nix systems (or ‘drill’) TMA, Jun 2019 5 DNS Privacy DNS Basics - A UDP query ‘dig’ is available on most *nix systems (or ‘drill’) TMA, Jun 2019 5 DNS Privacy DNS Basics - A UDP query ‘dig’ is available on most *nix systems (or ‘drill’) TMA, Jun 2019 5 DNS Privacy DNS Basics - A UDP query ‘nslookup’ is available on Windows order is important! TMA, Jun 2019 6 DNS Privacy DNS Basics -
Why Did We Choose Freebsd?
Why Did We Choose FreeBSD? Index Why FreeBSD in General? Why FreeBSD Rather than Linux? Why FreeBSD Rather than Windows? Why Did we Choose FreeBSD in General? We are using FreeBSD version 6.1. Here are some more specific features which make it appropriate for use in an ISP environment: Very stable, especially under load as shown by long-term use in large service providers. FreeBSD is a community-supported project which you can be confident is not going to 'go commercial' or start charging any license fees. A single source tree which contains both the kernel and all the rest of the code needed to build a complete base system. Contrast with Linux that has one kernel but hundreds of distributions to choose from, and which may come and go over time. Scalability features as standard: e.g. pwd.db (indexed password database), which give you much better performance and scales well for very large sites. Superior TCP/IP stack that responds well to extremely heavy load. Multiple firewall packages built in to the base system (IPF, IPFW, PF). High-end debugging and tracing tools, including the recently announced port of the Sun Dynamic Tracing tool, DTrace, to FreeBSD. Ability to gather fine-grained statistics on system performance using many included utilities like systat, gstat, iostat, di, swapinfo, disklabel, etc. Items such as software RAID are supported using multiple utilities (ata, ccd. vinum, geom). RAID-1 using GEOM Mirror (see gmirror) supports identical disk sets, or identical disk slieces. Take a look at the most stable web sites according to NetCraft (http://news.netcraft.com/archives/2006/06/06/six_hosting_companies_most_reliable_hoster_in_may.html). -
Truenas® 11.3-U5 User Guide
TrueNAS® 11.3-U5 User Guide Note: Starting with version 12.0, FreeNAS and TrueNAS are unifying (https://www.ixsystems.com/blog/freenas- truenas-unification/.) into “TrueNAS”. Documentation for TrueNAS 12.0 and later releases has been unified and moved to the TrueNAS Documentation Hub (https://www.truenas.com/docs/). Warning: To avoid the potential for data loss, iXsystems must be contacted before replacing a controller or upgrading to High Availability. Copyright iXsystems 2011-2020 TrueNAS® and the TrueNAS® logo are registered trademarks of iXsystems. CONTENTS Welcome .................................................... 8 Typographic Conventions ................................................ 9 1 Introduction 10 1.1 Contacting iXsystems ............................................... 10 1.2 Path and Name Lengths ............................................. 10 1.3 Using the Web Interface ............................................. 12 1.3.1 Tables and Columns ........................................... 12 1.3.2 Advanced Scheduler ........................................... 12 1.3.3 Schedule Calendar ............................................ 13 1.3.4 Changing TrueNAS® Settings ...................................... 13 1.3.5 Web Interface Troubleshooting ..................................... 14 1.3.6 Help Text ................................................. 14 1.3.7 Humanized Fields ............................................ 14 1.3.8 File Browser ................................................ 14 2 Initial Setup 15 2.1 Hardware -
BSD UNIX Toolbox 1000+ Commands for Freebsd, Openbsd
76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page iii BSD UNIX® TOOLBOX 1000+ Commands for FreeBSD®, OpenBSD, and NetBSD®Power Users Christopher Negus François Caen 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page ii 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page i BSD UNIX® TOOLBOX 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page ii 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page iii BSD UNIX® TOOLBOX 1000+ Commands for FreeBSD®, OpenBSD, and NetBSD®Power Users Christopher Negus François Caen 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page iv BSD UNIX® Toolbox: 1000+ Commands for FreeBSD®, OpenBSD, and NetBSD® Power Users Published by Wiley Publishing, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-0-470-37603-4 Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 Library of Congress Cataloging-in-Publication Data is available from the publisher. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permis- sion should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions. -
Unbound: a New Secure and High Performance Open Source DNS Server
New Open Source DNS Server Released Today Unbound – A Secure, High-Performance Alternative to BIND – Makes its Debut within Open Source Community Amsterdam, The Netherlands and Mountain View, CA – May 20, 2008 – Unbound – a new open source alternative to the BIND domain name system (DNS) server– makes its worldwide debut today with the worldwide public release of Unbound 1.0 at http://unbound.net. Released to open source developers by NLnet Labs, VeriSign, Inc. (NASDAQ: VRSN), Nominet, and Kirei, Unbound is a validating, recursive, and caching DNS server designed as a high- performance alternative for BIND (Berkeley Internet Name Domain). Unbound will be supported by NLnet Labs. An essential component of the Internet, the DNS ties domain names (such as www.verisign.com) to the IP addresses and other information that Web browsers need to access and interact with specific sites. Though it is unknown to the vast majority of Web users, DNS is at the heart of a range of Internet-based services beyond Web browsing, including email, messaging and Voice Over Internet Protocol (VOIP) telecommunications. Although BIND has been the de facto choice for DNS servers since the 1980s, a desire to seek an alternative server that excels in security, performance and ease of use prompted an effort to develop an open source DNS implementation. Unbound is the result of that effort. Mostly deployed by ISPs and enterprise users, Unbound will also be available for embedding in customer devices, such as dedicated DNS appliances and ADSL modems. By making Unbound code available to open source developers, its originators hope to enable rapid development of features that have not traditionally been associated with DNS. -
Mullvad DNS Over HTTPS Server Audit
Report Mullvad DNS over HTTPS server audit Wictor Olsson, Emilie Barse, Benjamin Svensson, Johanna Abrahamsson Project Version Date MUL001 v1.0 2021-02-23 REPORT Project Version MUL001 v1.0 Date 2021-02-23 Executive summary Assured was tasked to perform a whitebox system audit of Mullvads DNS over HTTPS servers. The audit focused on configuration in regards to privacy, attack sur- face reduction and security best practices. The server deployment and config- uration displayed a good level of security in general. At the time of the au- dit, the exposed services were running at a good patch level, with no known vul- nerabilities. The most notable findings during the audit was related to a mis- configuration of the DNS service (Unbound), NTP service and iptables egress/ingress configuration, these issues were promptly resolved by the Mullvad team and ver- ified during the audit period. i REPORT Project Version MUL001 v1.0 Date 2021-02-23 Contents 1 Introduction 1 1.1 Background . 1 1.2 Constraints and disclaimer . 1 1.3 Project period and staffing . 1 1.4 Risk rating . 2 2 Scope and methodology 3 2.1 Scope . 3 2.1.1 Audit of Mullvad DNS over HTTPS servers . 3 2.2 Methodology . 3 2.2.1 System audit . 3 2.3 Limitations . 4 3 Observations 5 3.1 Mullvad DNS over HTTPS servers . 5 3.1.1 Low MITIGATED Unbound listening socket misconfigu- ration ......................... 5 3.1.2 Low FIXED Iptables should be more restrictive .. 6 3.1.3 Note FIXED Ntpd listening on all interfaces .... 7 3.1.4 Note Apparmor for exposed services . -
The Impact of Time on DNS Security
The Impact of Time on DNS Security Aanchal Malhotray, Willem Tooropz, Benno Overeinderz, Ralph Dolmansz and Sharon Goldbergy Boston Universityy, NLnet Labs, Amsterdamz [email protected], fwillem, benno, [email protected], [email protected] July 5, 2019 Abstract Time is an important component of the Domain Name System (DNS) and the DNS Security Extensions (DNSSEC). DNS caches rely on an absolute notion of time (e.g., “August 8, 2018 at 11:59pm”) to determine how long DNS records can be cached (i.e., their Time To Live (TTL)) and to determine the validity interval of DNSSEC signatures. This is especially interesting for two reasons. First, absolute time is set from external sources, and is thus vulnerable to a variety of network attacks that maliciously alter time. Meanwhile, relative time (e.g., “2 hours from the time the DNS query was sent”) can be set using sources internal to the operating system, and is thus not vulnerable to network attacks. Second, the DNS on-the-wire protocol only uses relative time; relative time is then translated into absolute time as a part of DNS caching, which introduces vulnerabilities. We leverage these two observations to show how to pivot from network attacks on absolute time to attacks on DNS caching. Specifically, we present and discuss the implications of attacks that (1) expire the cache earlier than intended and (2) make the cached responses stick in the cache longer than intended. We use network measurements to identify a significant attack surface for these DNS cache attacks, focusing specifically on pivots from Network Time Protocol (NTP) attacks by both on-path and off-path attackers. -
Bsdcan 2015 UCL Working Group
BSDCan 2015 UCL Working Group [email protected] Overview The goal of this working group is to develop a template for all future configuration files that is both human readable and writable, but is also hierarchical, expressive, and programmatically editable. Agenda ● Opening: What is UCL ● Presentation of work in progress: converting newsyslog and bhyve to UCL ● Discuss common requirements for configuration files ● Develop a common set of grammar/keys to work across all configuration files ('enabled' activates/deactivates each block, allows disabling default configuration without modifying the default files, ala pkg) Agenda (Continued) ● Discuss layering (/etc/defaults/foo.conf -> /etc/foo.conf -> /etc/foo.conf.d/*.conf -> /usr/local/etc/foo.conf.d/*.conf) ● Discuss required features for management utilities (uclcmd) ● Identify additional targets to UCL-ify ● Develop a universal API for using libucl in various applications, simplify loading configuration into C structs (libfigpar?) What is the Universal Configuration Language? ● Inspired by bind/nginx style configuration ● Fully compatible with JSON, but more liberal in what it accepts, so users do not have to write strict JSON ● Can Output UCL, JSON, or YAML ● Supports handy suffixes like k, mb, min, d ● Can be as simple or as complex as required ● Allows inline comments (# and /* multiline */) ● Validation and Schema support ● Supports includes, macros, and variables Why UCL is great -- all of this is valid param = value; key = “value”; flag = true; section { number = 10k string -
Free, Functional, and Secure
Free, Functional, and Secure Dante Catalfamo What is OpenBSD? Not Linux? ● Unix-like ● Similar layout ● Similar tools ● POSIX ● NOT the same History ● Originated at AT&T, who were unable to compete in the industry (1970s) ● Given to Universities for educational purposes ● Universities improved the code under the BSD license The License The license: ● Retain the copyright notice ● No warranty ● Don’t use the author's name to promote the product History Cont’d ● After 15 years, the partnership ended ● Almost the entire OS had been rewritten ● The university released the (now mostly BSD licensed) code for free History Cont’d ● AT&T launching Unix System Labories (USL) ● Sued UC Berkeley ● Berkeley fought back, claiming the code didn’t belong to AT&T ● 2 year lawsuit ● AT&T lost, and was found guilty of violating the BSD license History Cont’d ● BSD4.4-Lite released ● The only operating system ever released incomplete ● This became the base of FreeBSD and NetBSD, and eventually OpenBSD and MacOS History Cont’d ● Theo DeRaadt ○ Originally a NetBSD developer ○ Forked NetBSD into OpenBSD after disagreement the direction of the project *fork* Innovations W^X ● Pioneered by the OpenBSD project in 3.3 in 2002, strictly enforced in 6.0 ● Memory can either be write or execute, but but both (XOR) ● Similar to PaX Linux kernel extension (developed later) AnonCVS ● First project with a public source tree featuring version control (1995) ● Now an extremely popular model of software development anonymous anonymous anonymous anonymous anonymous IPSec ● First free operating system to implement an IPSec VPN stack Privilege Separation ● First implemented in 3.2 ● Split a program into processes performing different sub-functions ● Now used in almost all privileged programs in OpenBSD like httpd, bgpd, dhcpd, syslog, sndio, etc. -
Freebsd Foundation February 2018 Update
FreeBSD Foundation February 2018 Update Upcoming Events Message from the Executive Director Dear FreeBSD Community Member, AsiaBSDCon 2018 Welcome to our February Newsletter! In this newsletter you’ll read about FreeBSD Developers Summit conferences we participated in to promote and teach about FreeBSD, March 8-9, 2018 software development projects we are working on, why we need Tokyo, Japan funding, upcoming events, a release engineering update, and more. AsiaBSDCon 2018 Enjoy! March 8-11, 2018 Tokyo, Japan Deb SCALE 16x March 8-11, 2018 Pasadena, CA February 2018 Development Projects FOSSASIA 2018 March 22-25, 2018 Update: The Modern FreeBSD Tool Chain: Singapore, Singapore LLVM's LLD Linker As with other BSD distributions, FreeBSD has a base system that FreeBSD Journal is developed, tested and released by a single team. Included in the base system is the tool chain, the set of programs used to build, debug and test software. FreeBSD has relied on the GNU tool chain suite for most of its history. This includes the GNU Compiler Collection (GCC) compiler, and GNU binutils which include the GNU "bfd" linker. These tools served the FreeBSD project well from 1993 until 2007, when the GNU project migrated to releasing its software under the General Public License, version 3 (GPLv3). A number of FreeBSD developers and users objected to new restrictions included in GPLv3, and the GNU tool chain became increasingly outdated. The January/February issue of the FreeBSD Journal is now available. Don't miss articles on The FreeBSD project migrated to Clang/LLVM for the compiler in Tracing ifconfig Commands, Storage FreeBSD 10, and most of GNU binutils were replaced with the ELF Tool Multipathing, and more. -
Analysis of DNS Resolver Performance Measurements Author
Master in System and Network Engineering Analysis of DNS Resolver Performance Measurements Supervisors: Author: Yuri Schaeffer Hamza Boulakhrif [email protected] [email protected] Willem Toorop [email protected] July 13, 2015 Abstract The Domain Name System (DNS) is an essential building block of the Internet. Applica- tions depend on it in order to operate properly. Therefore DNS resolvers are required to perform well, and do whatever they can to provide an answer to a query. In this paper a methodology is devised to measure the performance of the Unbound, BIND, and PowerDNS resolvers. Measurements of these resolvers is required to be objective and not biased. Analysis is conducted on these performance measurements, where the implementations are compared to each other. Corner cases have also been identified and analysed. Acknowledgement I would like to thank NLnet Labs for providing this interesting Research Project. Also the support they provided throughout this project is really appreciated. Especially Willem Toorop and Yuri Schaeffer who answered all of my questions and guided me through this project. Thanks go also to Wouter Wijngaards who answered my questions related to DNS resolvers. The performed measurements during this project were carried out from the SNE lab, at the University of Amsterdam. I would also like to thank Harm Dermois for providing his server in the lab to perform these measurements. Special thanks also go to the SNE staff for their support and guidance. This does not only concern this project but the entire study. Hamza Boulakhrif 1 Contents 1 Introduction 3 1.1 Related Work . .3 1.2 Research Questions .