Thursday, 11 November 2004

External 3.5 Hard Drive Enclosure

I previously wrote about my experiences using an external 2.5-inch HDD enclosure. Today I received my AMS Electronics Venus DS3 external 3.5-inch HDD enclosure. I liked this model because it supports FireWire and USB 2.0, has an on-off switch, and provides an internal fan to cool hotter drives. I found mounting the drive inside the enclosure very easy, and the product itself seems sturdy. The on-off switch should have been a rocker switch and not a somewhat weaker toggle, but it works OK.

On my laptop, when attaching the DS3 to the Firewire port on my Adaptec Duo Connect Firewire/USB adapter, dmesg reports the following:


fwohci0: BUS reset
fwohci0: Async DMA Receive error err = 1f
fwohci0: node_id=0xc000ffc1, gen=3, CYCLEMASTER mode
firewire0: 2 nodes, maxhop <= 1, cable IRM = 1 (me)
firewire0: bus manager 1 (me)
firewire0: New S400 device ID:0030e0f4e0204651
da0 at sbp0 bus 0 target 0 lun 0
da0: Fixed Simplified Direct Access SCSI-4 device
da0: 50.000MB/s transfers
da0: 4110MB (8418816 512 byte sectors: 255H 63S/T 524C)
(da0:sbp0:0:0:0): SYNCHRONIZE CACHE. CDB: 35 0 0 0 0 0 0 0 0 0
(da0:sbp0:0:0:0): ABORTED COMMAND csi:ff,f,0,e0 asc:20,0
(da0:sbp0:0:0:0): Invalid command operation code
(da0:sbp0:0:0:0): SYNCHRONIZE CACHE. CDB: 35 0 0 0 0 0 0 0 0 0
(da0:sbp0:0:0:0): ABORTED COMMAND csi:43,5f,5f,54 asc:20,0
(da0:sbp0:0:0:0): Invalid command operation code
(da0:sbp0:0:0:0): SYNCHRONIZE CACHE. CDB: 35 0 0 0 0 0 0 0 0 0
(da0:sbp0:0:0:0): ABORTED COMMAND csi:ff,f,0,b0 asc:20,0
(da0:sbp0:0:0:0): Invalid command operation code
(da0:sbp0:0:0:0): SYNCHRONIZE CACHE. CDB: 35 0 0 0 0 0 0 0 0 0
(da0:sbp0:0:0:0): ABORTED COMMAND csi:ff,f,0,40 asc:20,0
(da0:sbp0:0:0:0): Invalid command operation code
(da0:sbp0:0:0:0): Invalid command operation code
(da0:sbp0:0:0:0): SYNCHRONIZE CACHE. CDB: 35 0 0 0 0 0 0 0 0 0
(da0:sbp0:0:0:0): ABORTED COMMAND csi:ff,f,0,70 asc:20,0
(da0:sbp0:0:0:0): Invalid command operation code
(da0:sbp0:0:0:0): SYNCHRONIZE CACHE. CDB: 35 0 0 0 0 0 0 0 0 0
(da0:sbp0:0:0:0): ABORTED COMMAND csi:ff,1f,0,70 asc:20,0
(da0:sbp0:0:0:0): Invalid command operation code
(da0:sbp0:0:0:0): SYNCHRONIZE CACHE. CDB: 35 0 0 0 0 0 0 0 0 0
(da0:sbp0:0:0:0): ABORTED COMMAND csi:ff,f,0,40 asc:20,0
(da0:sbp0:0:0:0): Invalid command operation code


I was successfully able to mount the hard drive and then copy large (~60 MB) files to and from the drive, verifying their integrity using md5. However, the kernel reported these errors:


sbp0:0:0 No ocb(cca634) on the queue
sbp0:0:0 No ocb(cca9dc) on the queue
sbp0:0:0 No ocb(cca01c) on the queue
sbp0:0:0 No ocb(cca154) on the queue
sbp0:0:0 No ocb(cca154) on the queue
sbp0:0:0 No ocb(cca154) on the queue


I tried disabling Tagged Queueing but the errors seemed to continue.

I found that attaching the device to the USB 1.1 port on the laptop itself worked, albeit with much slower transfer speeds. Here's how the kernel saw the device:


da0 at umass-sim0 bus 0 target 0 lun 0
da0: Fixed Direct Access SCSI-0 device
da0: 1.000MB/s transfers
da0: 4110MB (8418816 512 byte sectors: 255H 63S/T 524C)


I had better results attaching the external HDD enclosure via Firewire to my Dell 2300 server via Adaptec Duo Connect PCI card. I saw the same error messages beginning with SYNCHRONIZE CACHE but none of the 'queue' errors.
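As an added example that is not part of the original post, here is a small shell script that summarises the CAM messages quoted above. da(4) reports each failed command as a pair of lines: the command name with its CDB, then the sense key with the ASC/ASCQ pair. The script counts each distinct (device, opcode, sense key, ASC/ASCQ) combination and names the two ASC/ASCQ values it knows from the standard SCSI additional sense code table. The sample input is constructed from the dmesg lines on this page; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the CAM error reports
# that da(4) prints through sbp(4). Each failed command is reported as a pair
# of lines, "(dev): NAME. CDB: <opcode> ..." followed by
# "(dev): <SENSE KEY> ... asc:<asc>,<ascq>".

# Sample input, constructed from the dmesg lines quoted on this page.
SAMPLE_DMESG='fwohci0: BUS reset
da0 at sbp0 bus 0 target 0 lun 0
(da0:sbp0:0:0:0): SYNCHRONIZE CACHE. CDB: 35 0 0 0 0 0 0 0 0 0
(da0:sbp0:0:0:0): ABORTED COMMAND csi:ff,f,0,e0 asc:20,0
(da0:sbp0:0:0:0): Invalid command operation code
(da0:sbp0:0:0:0): SYNCHRONIZE CACHE. CDB: 35 0 0 0 0 0 0 0 0 0
(da0:sbp0:0:0:0): ABORTED COMMAND csi:43,5f,5f,54 asc:20,0
(da0:sbp0:0:0:0): Invalid command operation code
sbp0:0:0 No ocb(cca634) on the queue'

# cam_summary: read dmesg text on stdin, print one line per distinct failure.
cam_summary() {
    awk '
    # ASC/ASCQ values named here are from the SCSI additional sense code table.
    function decode(asc) {
        if (asc == "20,0") return "INVALID COMMAND OPERATION CODE"
        if (asc == "24,0") return "INVALID FIELD IN CDB"
        return "not in this table"
    }
    # First line of a report: "(dev): COMMAND NAME. CDB: <opcode> ..."
    /^[(][^)]*[)]: .*[.] CDB: / {
        dev = $1; sub(/^[(]/, "", dev); sub(/[)]:$/, "", dev)
        name = $0; sub(/^[(][^)]*[)]: /, "", name); sub(/[.] CDB:.*$/, "", name)
        op = ""
        for (i = 1; i <= NF; i++) if ($i == "CDB:") op = $(i + 1)
        pending = 1
        next
    }
    # Second line: "(dev): SENSE KEY csi:... asc:<asc>,<ascq>"
    pending && /^[(][^)]*[)]: .* asc:/ {
        sense = $0; sub(/^[(][^)]*[)]: /, "", sense); sub(/ csi:.*$/, "", sense)
        asc = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^asc:/) asc = substr($i, 5)
        key = dev " opcode=0x" op " cmd=\"" name "\" sense=\"" sense "\""
        key = key " asc=" asc " (" decode(asc) ")"
        if (!(key in count)) order[++n] = key
        count[key]++
        pending = 0
        next
    }
    { pending = 0 }
    END { for (i = 1; i <= n; i++) printf "%s count=%d\n", order[i], count[order[i]] }
    '
}

# cache_flush_unsupported: exit 0 when SYNCHRONIZE CACHE (opcode 0x35) was
# rejected with ASC/ASCQ 20h/00h, i.e. the bridge does not pass the host's
# request to flush the drive's write cache through to the disk.
cache_flush_unsupported() {
    cam_summary | grep -q 'opcode=0x35 .* asc=20,0'
}

printf '%s\n' "$SAMPLE_DMESG" | cam_summary
if printf '%s\n' "$SAMPLE_DMESG" | cache_flush_unsupported; then
    echo "note: host cannot flush the drive's write cache through this bridge"
fi
```

The practical reading of opcode 0x35 failing with "Invalid command operation code" is that the enclosure's bridge chip rejects SYNCHRONIZE CACHE outright. The copies and md5 checks above succeed because the data still reaches the drive; what the host loses is the ability to force the drive's own write cache to the platters on unmount, so pull the cable or switch the enclosure off only after the drive has had a moment to drain that cache on its own.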

Now that FreeBSD has started the freebsd-usb mailing list, I believe USB support will improve. I've never had much luck with USB 2 support using the ehci driver, which isn't in the default GENERIC kernel and must be added by recompiling the kernel.

Trying to Add Updated Packages on FreeBSD 5.3 RELEASE

If you're trying to add packages shipped with FreeBSD 5.3 RELEASE, it's fairly easy, as shown in my earlier post. As long as you're running FreeBSD 5.3 RELEASE, however, pkg_add -r will keep fetching the packages that shipped with that version. If you want to update an application with a newer precompiled package, rather than building it from source via the ports tree, you need to point pkg_add somewhere else.

At the moment, however, the FreeBSD FTP sites are not offering newer packages for FreeBSD 5.3 RELEASE. They are only providing the packages shipped with 5.3 RELEASE. Here are today's contents of ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386

lrwxrwxrwx 1 0 0 20 Jul 14 23:29 #cvs.cvsup-37462.728 -> packages-5.1-release
lrwxrwxrwx 1 0 0 15 Jul 14 23:29 packages -> packages-stable
lrwxrwxrwx 1 0 0 17 Jul 14 23:29 packages-4-current -> packages-4-stable
drwxrwxr-x 93 110 0 2048 Oct 16 07:18 packages-4-stable
drwxrwxr-x 92 110 0 2048 Oct 25 03:24 packages-4.10-release
drwxr-xr-x 92 110 0 2048 Oct 27 07:43 packages-5-current
drwxrwxr-x 90 110 0 2048 Oct 25 05:15 packages-5.2-release
lrwxrwxrwx 1 110 0 20 Jul 15 01:38 packages-5.2.1-release -> packages-5.2-release
drwxr-xr-x 92 110 0 2048 Nov 05 00:40 packages-5.3-release
drwxrwxr-x 92 110 0 2048 Oct 25 08:09 packages-6-current
lrwxr-xr-x 1 110 0 18 Oct 20 01:56 packages-current -> packages-6-current
lrwxrwxrwx 1 0 0 17 Jul 15 01:38 packages-stable -> packages-4-stable

FreeBSD 5.3 is the first release from the 5-STABLE branch. At the moment, however, the packages-stable directory is a symlink to packages-4-stable, so those packages are precompiled for FreeBSD 4.x. The packages-current directory is a symlink to packages-6-current, precompiled for FreeBSD 6.x. Neither is what a 5.3 system should use.

There are packages precompiled for 5.x that are newer than those shipped with FreeBSD 5.3 RELEASE. They are in the packages-5-current directory. For example, the ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-current/www/ directory shows firefox-1.0.1.p_4.tbz, while the version shipped with FreeBSD 5.3 RELEASE appears in ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5.3-release/www/ as firefox-0.9.3_1.tbz. If you want to use packages in the packages-5-current directory, set your PACKAGESITE environment variable to something like ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-current/All/ .

I recommend that those wishing to update software installed on FreeBSD 5.3 using precompiled packages wait until they see packages-stable pointing to packages-5-stable or a similar directory. Since the precompiled packages are rebuilt weekly, I expect to see new packages in their proper packages-5-stable directory this weekend.

Tuesday, 09 November 2004

Answering the Mail

I've received several good comments and questions on recent Blog posts. Here are my public replies, in case you've had the same thoughts as those who have emailed me at taosecurity at gmail dot com.

A gentleman from Dallas was reading my book and wondered if I'd seen this document on building your own network taps. I am very suspicious of such devices, for the reasons I outlined in a post to focus-ids in February. I recommend re-reading that post for details. If you can verify that the device is working and you use it over short distances, it's probably acceptable. If you haven't verified how well it sees and passes traffic, I recommend doing so soon.

In response to my post on the Source Code Club, an engineer from the Arctec Group had this to say:

"If we accept the arguments from the closed source community about their products being more secure due to lack of availability of source, then once the source becomes available [like the releases we have seen recently] we have the worst case from both scenarios. Source available to the attackers, but which has not been audited by the community and is not patchable except through the vendor.

If we take the view that the publicly reported sources available represent the tip of the iceberg, then there are even more risks to running software which is only patchable and auditable by a single, centralized source."

I agree with this sentiment. Other reasons I prefer using open source include the ability to see just how a program works, the chance to modify a program to suit my needs, and the fact that individual programmers are held personally accountable when CVS and other systems track their code check-in actions. (I believe this promotes higher-quality code as opposed to a closed binary with no one's name on it other than the vendor's.)

Finally, another Blog reader asks:

"Have you ever thought to create a ISO boot CD with Sguil and BSD? People are creating all sorts of these things and they are very popular/effective. One example is the NST project. Any chance you might do this, or encourage one of your fans to pursue this project?"

If I have fans, I'd love for one of them to work on this. :) Actually I created a live CD using FreeBSD 5.2.1 and FreeSBIE in July but it remained very "alpha." Now that FreeBSD 5.3 is out I will probably try again. The live CD I made had the Sguil 0.5.0 client and other NSM tools. I haven't tried putting a full sensor - server - database - client installation on a live CD as it isn't practical to run something like MySQL entirely from RAM. It might be ok for demos though.

The guys who make Helix have the Sguil client on their live CD. Also keep an eye on the Sguil downloads for future developments.

If anyone else is interested in helping out the Sguil on FreeBSD cause, I would appreciate having a mentor guide me through the process of creating a FreeBSD port. The task is complicated by the lack of proper releases of software like Incrtcl, since I have to check out their code from CVS to build a proper client. Patching of code from Snort and soon Barnyard is also required. Anyone with the skill or interest please email me at taosecurity at gmail dot com.

Thank you for your feedback!

World's Simplest Ad Blocker

I've started using a simple technique to block the loading of some advertisements in my desktop Web browsers. Add the contents of Mike's Ad Blocking Hosts file to /etc/hosts on UNIX or %SystemRoot%\system32\drivers\etc\hosts on Windows and watch many ads disappear as you browse the Web. Mike keeps track of the host names for many popular ad servers and maps each to the localhost address (127.0.0.1), so the browser's request for the ad never leaves your machine. This is simple and effective, as long as he maintains his list. Thanks Mike!
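As an added example (not from the original post, and not Mike's own tooling), here is a shell function that merges a hosts-style block list into a hosts file instead of pasting it in by hand. It appends only names the hosts file does not already map, ignores comments and malformed lines, and refuses any entry whose address is not 127.0.0.1 or 0.0.0.0. That last check matters because a hosts file is trusted completely by the resolver: a line in a third-party list that maps a real hostname to some other address would silently redirect that name. The file paths and all sample contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: merge a hosts-style ad-block list
# into a hosts file. Only loopback/unspecified-address entries for well-formed,
# not-yet-mapped names are appended. All paths and sample data are constructed.

# merge_blocklist <hosts-file> <block-list>
# Appends the accepted entries and prints how many were added.
merge_blocklist() {
    hosts=$1
    list=$2
    [ -f "$hosts" ] || { echo "merge_blocklist: $hosts: no such file" >&2; return 1; }
    tmp=$(mktemp "${TMPDIR:-/tmp}/hosts.XXXXXX") || return 1
    awk -v hosts="$hosts" '
    # Pass over the hosts file: remember every name it already maps.
    FILENAME == hosts {
        sub(/#.*/, "")
        for (i = 2; i <= NF; i++) seen[tolower($i)] = 1
        next
    }
    # Pass over the block list: keep well-formed, loopback-only, new names.
    {
        sub(/#.*/, "")
        if (NF < 2) next
        addr = $1
        name = tolower($2)
        if (addr != "127.0.0.1" && addr != "0.0.0.0") next
        if (name !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) next
        if (name in seen) next
        seen[name] = 1
        printf "%s %s\n", addr, name
    }' "$hosts" "$list" > "$tmp"
    # Make sure the hosts file ends with a newline before appending to it.
    if [ -s "$hosts" ] && [ -n "$(tail -c 1 "$hosts")" ]; then
        echo >> "$hosts"
    fi
    cat "$tmp" >> "$hosts"
    wc -l < "$tmp" | tr -d ' '
    rm -f "$tmp"
}

workdir=$(mktemp -d "${TMPDIR:-/tmp}/adblock.XXXXXX")
HOSTS="$workdir/hosts"
BLOCK="$workdir/adblock.txt"

# Constructed: a hosts file with one ad server already blocked by hand.
cat > "$HOSTS" <<'EOF'
::1        localhost
127.0.0.1  localhost
127.0.0.1  ads.example.net   # added by hand last week
EOF

# Constructed: a block list in the "127.0.0.1 name" layout, with a duplicate,
# a malformed line and one entry that would redirect a name to a real host.
cat > "$BLOCK" <<'EOF'
# sample ad-server list
127.0.0.1 ads.example.net
127.0.0.1 banners.example.com
127.0.0.1 ADS.EXAMPLE.NET
127.0.0.1 not a hostname
10.0.0.1 login.example.org
127.0.0.1 tracker.example.org
EOF

ADDED=$(merge_blocklist "$HOSTS" "$BLOCK")
echo "appended $ADDED entries to $HOSTS"
```

Running it a second time appends nothing, so it can be re-run whenever the list is updated. One design point: with 127.0.0.1 every blocked request is delivered to whatever listens on port 80 on your own machine, which is harmless on a desktop but shows up in the access log if you run a local web server; the function also accepts 0.0.0.0 entries for lists that use that address instead.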

Monday, 08 November 2004

Ports vs Packages on FreeBSD

Many people know about the FreeBSD ports tree but complain that installing software from source code is time-consuming. Those people may not know about FreeBSD's precompiled packages, which can be added with the following simple syntax: 'pkg_add -vr packagename'. For example:

orr:/root# pkg_add -vr tcpdstat
looking up ftp.freebsd.org
connecting to ftp.freebsd.org:21
setting passive mode
opening data connection
initiating transfer
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.3-release/Latest/tcpdstat.tbz...x +CONTENTS
x +COMMENT
x +DESC
x +MTREE_DIRS
x bin/tcpdstat
tar command returns 0 status
Done.
extract: Package name is tcpdstat-0.9
extract: CWD to /usr/local
extract: /usr/local/bin/tcpdstat
extract: CWD to .
Running mtree for tcpdstat-0.9..
mtree -U -f +MTREE_DIRS -d -e -p /usr/local >/dev/null
Attempting to record package into /var/db/pkg/tcpdstat-0.9..
Package tcpdstat-0.9 registered in /var/db/pkg/tcpdstat-0.9

If you want to avoid the potential load on the main FTP server, set an alternate package site:

orr:/root# setenv PACKAGESITE ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5.3-release/Latest/

Now install the package as desired:

orr:/root# pkg_add -vr srm
looking up ftp2.freebsd.org
connecting to ftp2.freebsd.org:21
setting passive mode
opening data connection
initiating transfer
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5.3-release/Latest/srm.tbz...x +CONTENTS
x +COMMENT
x +DESC
x +MTREE_DIRS
x bin/srm
x man/man1/srm.1.gz
tar command returns 0 status
Done.
extract: Package name is srm-1.2.6
extract: CWD to /usr/local
extract: /usr/local/bin/srm
extract: /usr/local/man/man1/srm.1.gz
extract: CWD to .
Running mtree for srm-1.2.6..
mtree -U -f +MTREE_DIRS -d -e -p /usr/local >/dev/null
Attempting to record package into /var/db/pkg/srm-1.2.6..
Package srm-1.2.6 registered in /var/db/pkg/srm-1.2.6

Notice how the system retrieved the package from ftp2.freebsd.org rather than ftp.freebsd.org, the default.
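The PACKAGESITE setting above, and the packages-4-stable / packages-5-current / packages-5.3-release naming discussed in the 11 November post, follow a simple pattern that can be derived from the string uname -r prints. The following is an added example (not from the original posts and not a FreeBSD tool): the directory mapping is taken from the ftp.freebsd.org listing quoted earlier, while the default mirror, the i386 architecture and the Latest/ subdirectory are assumptions copied from the commands on this page.

```shell
#!/bin/sh
# Added example, not from the original posts: derive the packages-* directory
# and the PACKAGESITE URL for pkg_add -r from the string uname -r prints.
# Directory names follow the ftp.freebsd.org listing quoted earlier:
#   X.Y-RELEASE (with or without a -pN patch level) -> packages-X.Y-release
#   X.Y-STABLE                                      -> packages-X-stable
#   X.Y-CURRENT                                     -> packages-X-current
# Default mirror, i386 and Latest/ are assumptions taken from this page.

# packages_dir <release-string>: print the packages-* directory name,
# or fail on a string it does not understand.
packages_dir() {
    rel=$1
    ver=${rel%%-*}            # "5.3" from "5.3-RELEASE-p2"
    branch=${rel#*-}          # "RELEASE-p2"
    branch=${branch%%-*}      # "RELEASE"
    major=${ver%%.*}          # "5"
    case $branch in
        RELEASE) echo "packages-${ver}-release" ;;
        STABLE)  echo "packages-${major}-stable" ;;
        CURRENT) echo "packages-${major}-current" ;;
        *) echo "packages_dir: cannot map release string '$rel'" >&2; return 1 ;;
    esac
}

# packagesite <release-string> [mirror] [arch]: print the PACKAGESITE URL.
packagesite() {
    mirror=${2:-ftp2.freebsd.org}
    arch=${3:-i386}
    dir=$(packages_dir "$1") || return 1
    echo "ftp://${mirror}/pub/FreeBSD/ports/${arch}/${dir}/Latest/"
}

# Usage on a running system (sh/bash; csh users run setenv instead):
#   PACKAGESITE=$(packagesite "$(uname -r)"); export PACKAGESITE
#   pkg_add -vr srm
packagesite 5.3-RELEASE
packagesite 6.0-CURRENT ftp.freebsd.org
```

Two cautions. First, the mapping only tells you where a directory should be: as the listing above shows, packages-5-stable did not exist when this was written, so pkg_add -r on a 5-STABLE system would simply fail to fetch until it appears. Second, pkg_add -r fetches the .tbz over plain FTP and verifies no signature on it, so whatever mirror you put in PACKAGESITE is trusted completely; choose one you have reason to trust rather than merely the fastest.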

Sunday, 07 November 2004

Notes on Installing and Configuring FreeBSD 5.3 RELEASE on my Thinkpad

This weekend FreeBSD 5.3 was released. I decided to install both FreeBSD 5.3 and Windows 2000 on a new laptop hard drive. (Here is how I handled dual-booting.) I'm writing these notes to keep track of the little tweaks needed to get the system running as I want it to run. I did the same in January 2004 when I installed FreeBSD 5.2 on the same system.

Rather than wipe out my existing software installation, I bought a new 2.5-inch laptop hard drive. Whenever I decide to reinstall an operating system from scratch on an important system, I usually buy a new hard drive and put the old one in a safe place. Hard drives are very cheap compared to the data on them. Although I do back up my data to other systems, you never know what you might need off the old hard drive. I usually forget some item in the boot loader or some configuration script, neither of which is found in /home.

My typical partitioning strategy is a variation of the following:

/ 2048 MB
swap twice RAM
/usr 4096 MB
/var 10240 MB
/home 1024 MB (more for workstations, enough for servers)
/tmp 1024 MB
/nsm remainder (if needed)

That strategy works well on a 20 GB HDD, which is comfortable in today's computing world.

When I installed FreeBSD 5.3, I didn't install any packages beyond the defaults. I didn't see bash3 in the list of available packages in the /stand/sysinstall menu, so I decided I would add that later. I am glad to be using bash3 and not bash2, as I noticed an infrequent problem with bash2 core dumping if I tried to cancel an operation and then quickly scroll back through the command history.

Before I install any software I like to run ntpdate to set the time on the system:

janney:/root# ntpdate clock.isc.org
Looking for host clock.isc.org and service ntp
host found : clock.isc.org
8 Nov 16:28:24 ntpdate[1298]: step time server 204.152.184.72 offset -18014.552297 sec

These are the sorts of packages I installed immediately after the OS was ready. I ended up with a lot more software than listed here, because some of the applications (like gedit or gimp) require lots of supporting libraries.

- bash (which is bash3)
- fluxbox-devel (my no-nonsense window manager)
- firefox (Web browser)
- thunderbird (mail client)
- mutt (mail client, good for system mail)
- aterm (I like this client better than xterm)
- cmdwatch (dynamically watch shell command output, like ls -al)
- portaudit (security application to check for vulnerable installed applications)
- portupgrade (upgrade software installed via port or package)
- pkg_cutleaves (delete packages, starting from end "leaves" and moving toward the core)
- xv (simple image viewer)
- gtksee (more complex image viewer)
- gedit2 (good GTK text editor)
- gimp (image editor)
- cdrtools (CD burning application)

I was able to install all of these applications using precompiled packages. However, in some cases I had to install applications from the port because the package was not available in the ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.3-release/Latest/ directory. Examples include mplayer, a media viewer, and screen, which provides multiple screens within a single terminal.

I was able to use the basic xorg.conf file created by running 'startx', but had to tweak it. I saved an example of it at xorg.conf.orr. I actually built this file with xorgconfig and then modified it by hand. I uncommented the xtt and glx sections but found dri was broken. I also uncommented the TrueType and freefont Fontpaths. My .xinitrc for my user accounts has a single line:

exec startfluxbox

My .xserverrc sets 100 dpi and starts an X server that does not listen on TCP:

exec X :0 -dpi 100 -nolisten tcp

I add the following to my .profile to give a prompt with present working directory for bash3 users:

PS1='`hostname -s`:$PWD$ '; export PS1

I replace the 'set prompt' in root's .cshrc with the following to show present working directory for csh users like root:

set prompt = "%m:%/# "

I also enable tab completion with this:

set autolist

To ensure I read important mail for the root user, like portaudit results, I edit /etc/aliases as shown:

# root: me@my.domain
root:

I then run 'newaliases':

orr:/etc# newaliases
/etc/mail/aliases: 27 aliases, longest 23 bytes, 293 bytes total

I installed Sguil from CVS and tested the new install documentation I wrote.

Previously I avoided using acpi with FreeBSD 5.2. I am currently able to use acpi in this manner. To suspend the laptop I issue as root 'acpiconf -s 3'. I can resume the laptop by hitting the 'Fn' key. At this point moused is dead, so I have to 'killall -HUP moused' to bring it back. I also have to reconfigure the network interfaces. I've combined some of these actions into scripts I run upon resuming the laptop.

Saturday, 06 November 2004

FreeBSD Offerings from FreeBSDMall.com

If you'd rather not download .iso files, and especially if you want to support the development of FreeBSD, I recommend purchasing a FreeBSD 5.3 four CD-ROM set from FreeBSDMall.com. I have a subscription that charges me each time a new release is available and ships CDs automatically. On the non-software front I recommend the polo shirt, which although somewhat pricey is well-made. FreeBSDMall.com also offers technical support contracts and will provide a new system administration course from 7-10 December in Phoenix, AZ.