April 2010 Archives

Monitoring tools: learn more from reinventing the wheel


Standard tools in non-standard situations

Monitoring tools like IPHost Network Monitor provide a set of built-in monitor types to handle most routine tasks.

They cover the majority of monitoring needs; often it is enough to make sure a given type of service is reachable, without actually exercising it.

However, a number of tasks may require something not present in the distribution. What is the best approach in such a case?

A real-life example: you would like to monitor users' inbox sizes and warn them if those inboxes grow too large.

One approach could be to write a script that connects to the mail server over ssh, runs the 'ls' program on a given mailbox and returns its size in whatever units are required.

However, if the mail inbox directory can be accessed as a network share, the task can be solved using the built-in file size monitor type. Moreover, if the monitor is named after the user part of the mailbox address, the alert can be built so that it notifies the mailbox's owner that the quota limit has been exceeded.

The wheel reinvented

There can be several solutions to a problem. For example, to check a given user's presence at a site we could analyse that user's profile page and look for a text pattern.

However, that would mean we stress not only the database the data are taken from, but the Web server as well. When monitoring a site it is often a good idea not to overwhelm the site with the monitoring itself: loading Web pages too frequently may put unnecessary stress on the site.

The above task could be solved by slightly different means: monitoring the SQL database. If a proper SQL query is constructed, the first column it returns is interpreted as the performance value. Thus, most of the activity of SQL-driven sites may be monitored just by creating the correct SQL query, one able to return a numeric result.
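As an added example (not IPHost's or the post's own code), the SQL-query monitor described above in Python: a user's presence is read from the site's database rather than from the profile page, and the first column of the first row is treated as the performance value. The sessions table, its column names and the rows in it are constructed for the example, using an in-memory SQLite database.

```python
"""Added example: a presence check that queries the database instead of
loading a Web page.  Table and column names are assumptions; the rows
are constructed so the script runs offline."""
import sqlite3

# Constructed sessions table: which user was last seen at which unix time.
SESSIONS = [
    ("alice", 1_272_000_000),
    ("alice", 1_272_003_500),
    ("bob", 1_271_900_000),
]

# The query returns exactly one numeric column; the monitor reads the first
# column of the first row as the performance value.
PRESENCE_QUERY = """
    SELECT COUNT(*) FROM sessions
    WHERE username = ? AND last_seen >= ? - ?
"""


def build_db():
    """Create the in-memory database with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (username TEXT, last_seen INTEGER)")
    db.executemany("INSERT INTO sessions VALUES (?, ?)", SESSIONS)
    return db


def performance_value(db, query, params):
    """Run a monitor query and return its first column as a number.
    A query that returns no row or a non-numeric value raises, so the
    monitor reports an error instead of a misleading zero."""
    row = db.execute(query, params).fetchone()
    if row is None or not isinstance(row[0], (int, float)):
        raise ValueError("monitor query must return a numeric first column")
    return row[0]


def user_present(db, username, now, window_seconds=600):
    """1 if the user had a session within the window ending at `now`, else 0."""
    value = performance_value(db, PRESENCE_QUERY, (username, now, window_seconds))
    return int(value > 0)


if __name__ == "__main__":
    db = build_db()
    print(user_present(db, "alice", now=1_272_003_800))  # seen 300 s ago
    print(user_present(db, "bob", now=1_272_003_800))    # not seen lately
```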

To sum up: when a monitoring task can be solved by checking a file's size, the result of a SQL query, or a string found in an HTTP(S) response, it is better to solve the task in that manner.

Custom scripts can be used when a task that is not easily reduced to the cases above must be solved. E.g., when a file of a given size, modification time and access permissions must be present in a known location.

And, finally, a good suggestion: if you are using a monitoring tool and failed to solve a task by available means, it's always worth contacting the developer(s) and suggesting a new monitor type.

How often could you encounter a network monitoring task when built-in means of the monitoring tool you are using aren't enough?

Security overdose: fact or fiction?


Are you secure?

To most people, security, when talking about Internet, is a list of what to install, what routine tasks to do, and what not to do under any circumstances.

There are interesting publications on that, for example Overdosing on computer passwords and security. Among other things, it argues that the value of the time users spend managing passwords, SSL certificate warnings (Secure Sockets Layer, which encrypts data between the web server and your browser) and phishing site identification is far greater than the damage done by computer criminals.

Allow me to disagree.

First, how could one compare the amounts of damage? Will you persuade a person who has lost all the money from their bank account to a phishing attack that the damage inflicted is far less than the damage from hours uselessly (so it seems) spent studying the principles of security?

Second, what is offered instead? What kind of security precautions can be neglected without exposing oneself to cyber-threats?

Security is a discipline of mind. A manner of thinking, not a list of cumbersome, irritating, indecipherable actions. Security precautions should be designed by experts; for an ordinary user, security means following several simple rules, rules that are applied to every given case in due manner.

Security is for minds

Security is for minds, not for hands, devices and other things not supposed to think.

We are taught security, in one sense or another, all our life. Many would agree that one shouldn't eat without washing one's hands first. What is the big difference between that rule and the advice never to click on a link in an email message if you aren't sure who it's from?

Security is the matter of trust. Every time you venture into an area of cyberspace, you trust the owners of that place. If you enter your name and password on a bank site to access your account, you trust that bank. Just as you trust a person if you allow them to enter your house.

Strong passwords can't be secure, if they are written on a piece of paper stuck to a monitor. Strong passwords aren't secure, if a bank can send them to you on request. Access to your private data can't be secure if it can be granted without you involved in the process.

Security is a discipline of mind. There are axioms of security that are better not neglected. Just as washing one's hands shouldn't be neglected, in general.

Above the axioms, there are several simple rules of trust that one can use to tell dangerous areas of Cyberspace from relatively safe ones.

Security isn't obsession. It is but a set of cyber-reflexes trained to warn you of possible danger. Nothing else — use your mind to decide in every given case, what and how to do.

As for me, I believe in security. It exists, as long as I know what to do to avoid loss of control, leaking my private data and the other unpleasant things happening out there.

Do you? Do you believe in security?

Network monitoring: simple means to count traffic


Traffic under control

The traffic I am talking about isn't the one webmasters like so much. It's traffic in general, what is called bandwidth in hosting-related discussions.

There is no such thing as unlimited bandwidth, so the ability to control traffic flow and react to its surges or any predefined amounts consumed is very important.

In almost every situation, the quicker the response to traffic consumption, the better. SNMP, the Simple Network Management Protocol, provides the means to handle certain traffic-related tasks, tasks that can be handled using IPHost Network Monitor. Let's be more specific.

Counters and triggers

Traffic counters are provided by a number of SNMP-capable networking devices, including routers, network adapters, etc.

One of the typical tasks is to notice a traffic surge and take measures — i.e., shut down the line to prevent further traffic consumption, and notify the administrators.

The task is both simple and complex. Although SNMP-enabled devices have so-called traffic counters (OIDs of the form .1.3.6.1.2.1.2.2.1.10.N for inbound counters and .1.3.6.1.2.1.2.2.1.16.N for outgoing ones), they have one significant feature: in the general case these counters can't be reset by means of any API or software tool. They can only grow and wrap around a predefined value (depending on whether they are 32- or 64-bit long).

However, a simple script that takes these counters and calculates an average or total can be implemented quite easily, so we can use the following means to set up simple traffic control.

First, we create such a script and call it periodically from IPHost Network Monitor to receive an integer value indicating traffic consumption. The script prints a numeric string to standard output indicating traffic consumption.

Second, we create a custom alerting rule using the «Set SNMP value» alert; since the field controlling a network interface's state is read-write, we can effectively block all the traffic through an interface by means of a single SNMP value change.

Now we can shut down an interface. To re-enable it, we create another rule, triggered when the traffic state returns to normal (i.e., the script mentioned returns an acceptable value), which sets the mentioned field to the value that enables traffic flow.
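As an added example (not IPHost's or the post's own code), the core of the script from the first step in Python: two readings of the inbound and outgoing octet counters named above are turned into a bytes-per-second rate, with the counter wrap-around the post describes taken into account, and the single integer the monitor reads is printed. The readings are constructed; fetching them from a device with an SNMP client is left out.

```python
"""Added example: traffic rate from two readings of the SNMP interface
octet counters (.1.3.6.1.2.1.2.2.1.10.N inbound, .1.3.6.1.2.1.2.2.1.16.N
outgoing).  The sample readings are constructed, not taken from a device."""

IF_IN_OCTETS = ".1.3.6.1.2.1.2.2.1.10"
IF_OUT_OCTETS = ".1.3.6.1.2.1.2.2.1.16"


def counter_delta(prev, cur, bits=32):
    """Difference between two readings of a counter that only grows and
    wraps at 2**bits (32- or 64-bit SNMP counter)."""
    if bits not in (32, 64):
        raise ValueError("SNMP counters are 32 or 64 bits wide")
    modulus = 1 << bits
    if not (0 <= prev < modulus and 0 <= cur < modulus):
        raise ValueError("reading out of range for a %d-bit counter" % bits)
    # Modular subtraction is correct whether or not the counter wrapped.
    return (cur - prev) % modulus


def bytes_per_second(prev_sample, cur_sample, bits=32):
    """Each sample is (unix_time, in_octets, out_octets) for one interface.
    Returns (in_rate, out_rate) in whole bytes per second."""
    t0, in0, out0 = prev_sample
    t1, in1, out1 = cur_sample
    elapsed = t1 - t0
    if elapsed <= 0:
        raise ValueError("samples must be taken at increasing times")
    in_rate = counter_delta(in0, in1, bits) / elapsed
    out_rate = counter_delta(out0, out1, bits) / elapsed
    return int(in_rate), int(out_rate)


def over_limit(rate, limit_bytes_per_second):
    """True when the measured rate exceeds the limit an alert rule watches."""
    return rate > limit_bytes_per_second


if __name__ == "__main__":
    # Constructed readings 60 s apart; the inbound 32-bit counter wrapped
    # between them (4294960000 -> 10000), which naive subtraction would
    # report as a huge negative number.
    prev = (1_272_000_000, 4_294_960_000, 100_000)
    cur = (1_272_000_060, 10_000, 1_300_000)
    rate_in, rate_out = bytes_per_second(prev, cur, bits=32)
    # The one integer the monitor reads from standard output.
    print(rate_in + rate_out)
```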

Caveats

There are three versions of SNMP supported. Roughly speaking, the higher the version, the more means of access control it provides. Please make sure proper authentication is performed before SNMP commands (such as «set value») are executed. Using SNMP v1 is strongly discouraged; anyone able to modify SNMP values will have full control over the device's adapters and access to a lot of information about the device's settings.

Also, do not forget to test all the scripts on a «sandbox» device, one you can manage in whatever manner you like without affecting real-life data and/or devices.

You shouldn't shut down the interface you are using to connect to the device. After that, no control is possible until you manage to connect through another interface and/or reset the device.

Please note also that the case above is the simplest and not a really useful example of how to control traffic flow. In real life, many users share a network device, and selective actions are expected when a user exhausts the traffic quota assigned to them.

Who enters your domain?


The realm of domains

Choosing a domain name is an art, a talent and magic, all in one. A good domain name may bring substantial profit by itself, and it gets more and more expensive as time goes by — just like a good wine.

The domain names industry is one of the most dynamic, even though the number of «good» names, those not yet taken, is very small.

However, owning a domain means handling the possible security issues associated with it.

Own email, own domain

Among other identification means, email is often used to gain control over a domain name. It is used to identify the domain owner and to perform, beyond sending important news and updates, a number of domain administration actions.

It is definitely a bad idea to use an email address hosted by a free email service as the domain's administrative contact(s). Free email providers may disappear, and they may discard certain email messages. If you lose control over a free email address (and that may happen easily), you might as well lose your domain name. Or, at least, you'll have a hard time proving you are its legitimate owner.

It is definitely a bad idea to use the contact email address for purposes other than receiving technical/informative requests and newsletters related to the domain name(s). Remember: he who owns the email address owns the domain.

In cases where two or more email addresses may be specified as contact emails in the domain's WHOIS data, try to use several email addresses hosted at reliable, preferably commercial, email services.

Welcome, Mr. X

Privacy has always been an issue. The WHOIS data of the majority of TLDs is open to everyone, thus the data you provide for WHOIS will be seen by everyone.

There are several security concerns. First, your data may be used to register other domain names; if the latter are used for unlawful purposes, you could be in trouble.

Second, spammers' harvesters will gather your data, and your contact addresses will inevitably become the target of unsolicited messages.

Third, if you make use of a privacy-protection service (a number of registrars offer such a paid service), you could acquire the dubious reputation of a person hiding their whereabouts. It is no secret that spammers use those privacy protection schemes for their own benefit.

Domain names: a short survival guide

After spending much time studying the domain names corner of our reality, I have worked out several pieces of advice that could help those looking for protection against cyber-threats.

Don't 'just look at' a free domain name; only search for it if you are ready to buy it. Otherwise, you could witness an unpleasant situation: the domain you've found becomes taken very quickly. The rule is simple: first come, first served. Cybersquatters monitor such searches and can act quickly if the domain looks attractive.

Be in control of all the contact data you provide. Make sure you can restore control over the email addresses you have; if there's the least doubt the email will remain yours, replace it as soon as possible. The same applies to all the other contact means.

Never provide false personal info for the WHOIS database. ICANN obliges most registrars to perform checks, and if any contact data of your domain is found to be false, you can lose the domain (or all the domains you owned).

If your email hosting for the domain fails for any reason, you lose control over the domain.

What other security precautions worth mentioning have I missed?

Keeping mailbox tidy: a pile vs. folders


A discipline of correspondence

The habit of keeping everything tidy isn't inborn. It is taught, and the lessons aren't always pleasant.

Email is an important means of communication and a great tool for organizing the whole workflow. If you wish to know how accustomed a person is to good discipline of mind, just look at how that person's mail is kept.

An immense, almost never cleaned-up inbox file is what is most commonly seen. A pile of letters, both important and ephemeral, personal and business ones. Unless forced to move all the messages to relevant folders, such people would never do that themselves.

Big mailboxes aren't good; apart from the fact that they contain mostly garbage, as time goes by they slow down the system and start to become a security issue as well.

Inboxes are a temporary storage place; this should be taught to every person using a business email box. Let's see how our network monitoring software might help to introduce this concept into the mind of every employee.

To see, but not to read

If a Un*x type of server is used to run the mail server, overall security must not be compromised. To monitor individual mailboxes, we should use an approach where

  • the process checking inbox sizes may not read the inbox files themselves
  • checking doesn't require granting any additional privileges
  • users must be warned individually when/if their inbox size is too big

This task is simple.

First, create a domain user (since we are using an NT domain), or use an existing domain user created for technical purposes.

Second, create a network share on the mail server, visible only to the mentioned user and operating in read-only mode. The share must provide read-only access to the inbox directory.

Third, create a host in the IPHost Network Monitor instance you use to monitor your intranet and add individual monitors for every mailbox you plan to watch. Each monitor is of the «file» type and refers to the inbox file name.

The last and most important part: create a custom alert and use the monitor name (matching the user part of the email address) as the address to send the alert to when the condition (file is bigger than a given value) is met.

Now you can not only make sure the mailboxes don't grow too big, but alert the users themselves.
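As an added example (not IPHost's or the post's own code) covering both this procedure and the inbox-size task in the first post above, the same check as a Python script: it reads each inbox's size with a stat call only, never opening the file, names each result after the mailbox's user part so the alert can address that user, and lists the inboxes over quota. The inbox directory, its files and the mail domain are constructed for the example.

```python
"""Added example: per-mailbox size check that only stat()s the inbox files.
Inboxes are constructed in a temporary directory; the mail domain used
for the alert address is an assumption."""
import os
import tempfile


def inbox_sizes(inbox_dir):
    """Map user name -> inbox size in bytes.  os.stat needs no read access
    to the file contents, matching the read-only share in the post."""
    sizes = {}
    for name in os.listdir(inbox_dir):
        path = os.path.join(inbox_dir, name)
        if os.path.isfile(path):
            sizes[name] = os.stat(path).st_size
    return sizes


def over_quota(sizes, quota_bytes):
    """(user, size) pairs for inboxes bigger than the quota, sorted by user."""
    return sorted((user, size) for user, size in sizes.items() if size > quota_bytes)


def alert_address(user, domain="example.com"):
    """Alert recipient derived from the monitor/user name (domain assumed)."""
    return "%s@%s" % (user, domain)


def make_sample_inboxes(root):
    """Constructed inboxes: alice stays under a 2048-byte quota, bob exceeds it."""
    with open(os.path.join(root, "alice"), "wb") as f:
        f.write(b"\0" * 1024)
    with open(os.path.join(root, "bob"), "wb") as f:
        f.write(b"\0" * 4096)


def demo(quota_bytes=2048):
    """Build the constructed inboxes and return the over-quota list."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_inboxes(root)
        return over_quota(inbox_sizes(root), quota_bytes)


if __name__ == "__main__":
    for user, size in demo():
        print("warn %s: inbox is %d bytes" % (alert_address(user), size))
```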

Can you offer a simpler solution?

About this Archive

This page is an archive of entries from April 2010 listed from newest to oldest.
