Fedora rawhide white hat playpen

Not_Oles Hosting Provider

Yesterday I spun up a rawhide box:

  • Xeon D-1521
  • 4 cores, 8 threads
  • 32 GB DDR4 ECC
  • 2 x 2 TB SATA
  • 250 Mbps symmetrical, unmetered
  • Montreal (OVH BHS)
  • Speed and latency tests (10 Gbps)
  • Minimal server version; wants more yummy dnf
  • Ephemeral (a few days, maybe longer, maybe not)
  • White hat only

What can I learn from you? What can we explore together?

Purveyor of fast-as-metal LXC VPSes
Old guy! Happy customer of OVH. Tom, not Oles! :-)

Comments

  • how much?
    B)

  • Not_Oles Hosting Provider

    @ehab said:
    how much?
    B)

    Free. But maybe better to say, "priceless," assuming that learning and community are sufficiently valuable as to be "beyond price." :)

  • Good luck! Last time I tried to run Rawhide it lasted until I updated, which was about 5 minutes after install.

  • Not_Oles Hosting Provider

    @FlamingSpaceJunk said:
    Good luck! Last time I tried to run Rawhide it lasted until I updated, which was about 5 minutes after install.

    Haha! Last time I tried to upgrade a clean Fedora install to Rawhide, systemd's auto reboot failed. :)

    I imagined there might be a Rawhide cowgirl person here who might wanna show me something amazing. :)

  • Free. But maybe better to say, "priceless," assuming that learning and community are sufficiently valuable as to be "beyond price." :)

    I admit curiosity, how does one signup?

  • Not_Oles Hosting Provider

    @tarasis

    Welcome!

    Please make an ed25519 ssh key pair if you have not already done so. Please post the ed25519 public key in this thread.

    It might take a while, but your post eventually should be acknowledged and your login account magically will begin to function.

    If you need help making an ed25519 ssh key pair, please look here.

    If you are concerned about posting your ed25519 public key in public, please look here. If you remain concerned, please send me the key via PM.

  • @Not_Oles said:
    @tarasis

    Welcome!

    Please make an ed25519 ssh key pair if you have not already done so. Please post the ed25519 public key in this thread.

    Thank you

    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF4VyxPSrgB66+a0vizoS8yyNBMOj0v1ln3eVlfb1nbk [email protected]

  • Not_Oles Hosting Provider

    Just sent you login info.

    My ssh public keys are in your .ssh/authorized_keys together with yours. If you don't want that, please feel free to remove my keys.

    Not much there yet. Just server base install. But we can add whatever we want.

  • Not_Oles Hosting Provider

    Anybody else?

  • Not_Oles Hosting Provider

    Thousands of kiddie login attempts daily. So I spent the morning messing with dnf, fail2ban, and friends. Preliminary testing suggests that I might have got fail2ban working since I now seem to be able to ban myself. :)

    I wonder whether anybody would be interested if I were to write up a post about the fail2ban installation and configuration.

    I want to change the server hostname to whitehat. Haha! :)

    Still more fun ahead with further work on sshd, fail2ban, firewalld, nftables. Then container + KVM fun begins. Or webserver. Or whatever.

    How about getting two or more users to share a screen session? Or some more contemporary method of getting folks together on the same terminal session?

    How come not more people are interested? Would more people be interested if we used Debian sid? What about OpenBSD-current? Something else?

    @tarasis What now for you, friend? :) What would you like? :)

  • Not_Oles Hosting Provider

    So I succeeded in changing the name of the server to "whitehat" plus also exploring how systemd includes sshd within the systemwide crypto integration. I successfully disabled password authentication. However, it's not clear to me whether disabling password authentication might somehow break something in or relying on the systemwide crypto integration scheme. Plus there are a couple of environment variables the source of which (i.e., where they are set) I haven't found yet.

    Anybody else want in?

  • Not_Oles Hosting Provider

    A bit more on Rawhide systemwide crypto policy as it impacts sshd_config:

    What Rawhide is doing to facilitate systemwide crypto policy seems to include having systemd start sshd with the -D option so sshd doesn't daemonize plus also calling various crypto schemes via the -o option so as to take precedence over whatever crypto schemes might be specified in sshd_config. Also, the config file is split into two files. sshd_config now has an include for a subdirectory. The permissions of the new subdirectory are set such that, without doing extra work, even root cannot cd into that directory.

    There is a comment in the new subdirectory config file, 05-redhat.conf, suggesting that the system might no longer pay attention to config file changes, but, when I first looked, before I checked systemd, the comment didn't seem fully clear to me about which parts of the config file still were being followed and which parts were no longer being followed.

    What I originally saw also included PasswordAuthentication set to yes both in the original config file and yet again in the new, extra config file in the subdirectory. It kinda looked like somebody really might be trying hard to keep PasswordAuthentication set to yes. :)

    The result of the use of command line options in the way systemd starts sshd plus also the lack of clarity resulting from setting PasswordAuthentication to yes two times in the two different files made me wonder if the system somehow really needed PasswordAuthentication set to yes. Moreover, the system, overall, is in a weird state where configuration files are partly used, and partly overridden, and where the only indication of the scope of the changes seems to be whatever command line options were used by systemd to start the ssh daemon as not-a-daemon.

    I can appreciate that systemwide crypto policy might be a very excellent idea. Also, I can appreciate that a huge problem with implementing a systemwide crypto policy is that various upstreams continue to release with configuration files that do not pay attention to downstream's version of what a systemwide crypto policy should look like. Additionally, there is the possibility that OVH might have, during the install, changed a configuration file from the default.

    It's important to me that I do not appear to be criticizing Rawhide. I appreciate that they are in a bit of a spot versus various upstreams as they implement what seems like a good idea of having a systemwide crypto policy.

    I ended up removing the "PasswordAuthentication yes" line from sshd_config and also setting it to "no" in the new, included configuration file from the subdirectory.

    The server seems to be running great for a few days now. So I am guessing I might not have totally busted it. Yet. :)

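The precedence question raised in the post above can be reproduced offline. This is an added example, not code from the thread or from Fedora: a small resolver that applies sshd's documented rule that the first obtained value of a keyword wins, with command-line `-o` options seen before any file and `Include` files read in place in sorted order. The directory name `sshd_config.d`, the position of the `Include` line, and all file contents are constructed assumptions; only the file name `05-redhat.conf` comes from the post.

```python
import glob, os, re, tempfile

LINE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.+)")  # keyword, "=" or space, arguments

def scan(want, path, base):
    """First global value of `want` in `path`, following Include lines in place."""
    with open(path) as fh:
        for num, raw in enumerate(fh, 1):
            m = LINE.match(raw.split("#", 1)[0].strip())
            if not m:
                continue
            key, val = m.group(1).lower(), m.group(2).strip()
            if key == "match":
                return None  # simplification: rest of this file is conditional
            if key == "include":
                for pat in val.split():
                    for inc in sorted(glob.glob(os.path.join(base, pat))):
                        hit = scan(want, inc, base)
                        if hit:
                            return hit
            elif key == want:
                return val, f"{os.path.basename(path)}:{num}"
    return None

def effective(keyword, main_path, cli_opts=()):
    """(value, source) for a keyword: -o options first, then files; first value wins."""
    want = keyword.lower()
    for opt in cli_opts:
        m = LINE.match(opt)
        if m and m.group(1).lower() == want:
            return m.group(2).strip(), "command line -o"
    return scan(want, main_path, os.path.dirname(main_path))

def demo(main_text, dropin_text, keyword="PasswordAuthentication", cli_opts=()):
    """Write a constructed config tree to a temp dir and resolve one keyword."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "sshd_config.d"))  # assumed directory name
        with open(os.path.join(d, "sshd_config.d", "05-redhat.conf"), "w") as f:
            f.write(dropin_text)
        main = os.path.join(d, "sshd_config")
        with open(main, "w") as f:
            f.write(main_text)
        return effective(keyword, main, cli_opts)

INC = "Include sshd_config.d/*.conf\n"  # constructed Include line
if __name__ == "__main__":
    print(demo(INC + "PasswordAuthentication yes\n", "PasswordAuthentication yes\n"))
    print(demo(INC, "PasswordAuthentication no\n"))  # the state the post ends in
    print(demo("PasswordAuthentication yes\n" + INC, "PasswordAuthentication no\n"))
```

On a live host, `sshd -T` run as root prints the configuration sshd actually resolves, which is the authoritative check; the resolver above only shows why a duplicated keyword in two files is decided by ordering.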

  • Not_Oles Hosting Provider

    I've installed fio, and I've been playing with yabs.sh. I want to understand why yabs.sh seems to set 0 (zero) for the disk speed results when run inside a tmpfs RAM disk.

    Haha, in a way, yabs.sh reporting 0 is exactly right when reading/writing from/to memory while measuring what's happening on the spinning rust. But it seems I can't just run yabs.sh in the ramdisk and say, "My ramdisk is even faster than a solid state disk." :)

    On the other hand, bench.sh from bench.monster, when run from a tmpfs RAM disk, seems to report the disk speed at the same values it reports for the RAM speed.

    The two scripts seem to test differently, so, eventually, I'll figure out the differences. Maybe somebody wants to spill the beans? @Mason @cybertech @vmalware Thanks, guys!

  • Not_Oles Hosting Provider

    These days it's cool to be a data scientist. So maybe I will do that when I grow up. :)

    A couple of days ago, while googling around for something, I tripped across data36.com's tutorial Data Coding 101 – How to install Python, SQL, R and Bash (for non-devs). This 7 part tutorial is a few years old now, and it's written for Ubuntu 18.04, but its server-oriented approach seemed simple enough for me possibly to understand. I also imagined it might be fun to translate all the tutorial's suggested commands from Ubuntu into Rawhide.

    Today, I'm part way through the first of the 7 parts. Python, pip, python-dev, and Jupyter seem to be set up and working. Postgres seems to work too, via psql. Next up are pgAdmin, R and Rstudio. And maybe 6 more pages of tutorial.

    • Do something with cockpit
    • Honeyd
      Well, I guess I have no better idea for Rawhide.

    3 - 2 - 1 - Backup!

  • Not_Oles Hosting Provider

    @mobile said:

    • Do something with cockpit
    • Honeyd
      Well, I guess I have no better idea for Rawhide.

    @mobile Thanks for your ideas! Since Cockpit isn't terminal based I probably never would have thought of it if you hadn't mentioned it. The Cockpit project website says they released new version 219 a few days ago on 13 May.

    Honeyd is something I always thought might be fun, but I never tried it. The latest commit seems to be from 2013.

    Both Cockpit and Honeyd now are on my list for when I want a day off from Data Science 101. :)

    Do you know about Overthewire?

    Thanks again! Greetings from the Sonoran Desert!

  • vyas OG Content Writer

    @Not_Oles said:

    @ehab said:
    how much?
    B)

    Free. But maybe better to say, "priceless," assuming that learning and community are sufficiently valuable as to be "beyond price." :)

    That was a nice answer. Kindness, payable by teaching.

    One is tempted to reply with the stock "$1, payable by Fatpal" kind of statements...

    And on that note, best wishes with the project.

  • @Not_Oles said:

    @mobile said:

    • Do something with cockpit
    • Honeyd
      Well, I guess I have no better idea for Rawhide.

    @mobile Thanks for your ideas! Since Cockpit isn't terminal based I probably never would have thought of it if you hadn't mentioned it. The Cockpit project website says they released new version 219 a few days ago on 13 May.

    Honeyd is something I always thought might be fun, but I never tried it. The latest commit seems to be from 2013.

    It still works, so I guess it's worth a try. Most honeypot projects stalled 3-5 years ago too, from the open source side at least.

    Do you know about Overthewire?

    Yes, I did a lot a few years ago for CTF exercise. I stopped doing this after realizing most of my customers are dumb and it's apparently enough, at the point you grasp the concept of opcode/shellcode, to exploit most running systems. Heck, nowadays you can rip DoublePulsar and EternalBlue off GitHub for free and still find some workstations that easily break with it.
    Who cares about patching Windows XP anyway?

  • Not_Oles Hosting Provider

    @mobile said: most of honeypots

    Wow! That's an amazing honey list on Github! So many honey projects! And the second-to-last item on the list, the links to so many honey research papers! I had no idea!

    I also had to look up doublepulsar and eternalblue.

    Yes, whitehat is a sort of clean, non-blackhat term. But I'm still just a kid. :) I don't really qualify for any hat. :) Not even RedHat, since I haven't used it much. I kinda like this RawHide, though. It seems to work great!

    Thanks yet again for the additional comment, and especially for the Github link. I'll have to read up a bit on all this stuff when I get a chance.

  • Not_Oles Hosting Provider
    postgres=> CREATE TABLE test(column1 TEXT, column2 INT);
    CREATE TABLE
    postgres=> INSERT INTO test VALUES ('Hello', 111);
    INSERT 0 1
    postgres=> INSERT INTO test VALUES ('World', 222);
    INSERT 0 1
    postgres=> SELECT * FROM test;
     column1 | column2 
    ---------+---------
     Hello   |     111
     World   |     222
    (2 rows)
    
    postgres=> 
    

  • Not_Oles Hosting Provider

    Today's Rawhide didn't seem automagically to satisfy the TeX and LaTeX dependencies of the group packaged version of R, so I decided to compile the new R-4.0.0 myself.

    If anybody had waited to join me on this playpen server because there weren't compilers yet, well, there are compilers and development libraries now. :)

  • Not_Oles Hosting Provider
    edited May 24

    My fun today included reading Linux containers in 500 lines of code. This C code needs to be updated for newer kernels, but it looks really fun. The author has written newer stuff in Go.
