Xvfb, CentOS7, gdm, and x11vnc

Yep, the title says it all. This is based on the previous post regarding RHEL6, and it is pure geekdom.

Sometimes it is nice to have not only one X display start at boot, but two! My choice is to have the first display tied to hardware, and the second be software based. The latter can be accomplished with VNC, but it has been my preference to use the X Virtual Frame Buffer package (Xvfb), and let x11vnc do the translation to the VNC protocol.

CentOS makes it easy to fetch the Xvfb package, which is not included in the DVD ISO image. You will need these two packages, from:

http://mirror.centos.org/centos/7/updates/x86_64/Packages/

The release versions may vary, but you get the idea:

xorg-x11-server-common-1.19.3-11.el7_4.1.x86_64.rpm
xorg-x11-server-Xvfb-1.19.3-11.el7_4.1.x86_64.rpm

The /etc/gdm/custom.conf file is pretty much empty. Change it and make sure you have these options in it:

# GDM configuration storage

[daemon]

[security]
AllowRemoteRoot=true
DisallowTCP=false

[xdmcp]
Enable=true
MaxSessions=30

[greeter]

[chooser]

[debug]

Then create the file /etc/systemd/system/Xvfb.service:

[Unit]
Description=X Virtual Frame Buffer Service
After=network.target

[Service]
ExecStart=/usr/bin/Xvfb :1 -screen 0 1824x1004x24 -pixdepths 24 -query localhost

[Install]
WantedBy=multi-user.target

Ensure your changes take hold:

chmod +x /etc/systemd/system/Xvfb.service
systemctl enable Xvfb.service
systemctl start Xvfb.service

To hook it to VNC, add your service in /etc/services:

vncserver       5901/tcp

Add your /etc/xinetd.d/vncserver file:

service vncserver
{
        disable = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /path/to/x11vnc/binary
        server_args     = -inetd -rfbport 5901 -forever -shared -q -skip_lockkeys -o /dev/null -display :1 -buttonmap 12345-123:Prior::Next: -buttonmap 12345-123:Up+Up+Up::Down+Down+Down:
        log_on_failure  += USERID
}

And restart xinetd. Voila! You now have GDM running, available via VNC. Cheers.

Thank you to the author of this web page, for reference:

https://gist.github.com/ypandit/f4fe751bcbf3ee6a32ca

The Cloud Is Not What You Think It Is

Companies today are selling smaller solid state hard drives with systems with the idea that one can simply use cloud storage to relieve storage constraints. This is simply not the case. The “Cloud” as sold, is in fact, a lie. Companies instead are relying on a vast peer to peer network to stuff bits of your data on every device that you own. While this provides more robustness and quicker response times, the reality of it is that this peer to peer network chews up storage, freaking out the customer, while hiding its true intention from you. It means that people, who once planned for the future, no longer have control, and bear the brunt of these decisions. All power rests in the hands of those who provide cloud storage. And, yes, I am referring to the elephant in the room.

More to come…

One Click Away

One thing I see over and over again is the e-mail from friends that obviously reveals that their e-mail addressbooks have been compromised. Blast, after blast, after blast. The consequences of having viruses, malware, trojans, or worms on your computer really don’t fully weigh in with most people. Botnets, ransomware, extortion – you name it. It’s all there. Your digital life is at someone else’s mercy.

While an undergraduate in the computer engineering department, we used an e-mail program called Pine. It is text based only, used for actually sending text (e-mail). Its purpose was to display text, and allow you to reply with text. Pretty simple, right? I have always appreciated this elegance, subconsciously ignoring its real power and value.

Fast forward to today. In many ways, people consume software like crows collect shiny things. We’re attracted to the latest bells, knobs, widgets, and features that a salesperson says we need. What has happened is that e-mail has turned from a messaging system with text, to a platform that is so integrated with your computer, that attacks and infestations are now trivial. People are happy to have these shiny things, and are willing to install incredibly complex and often weak security products to combat attacks via e-mail. Make no mistake, this industry has a lot of money involved, and it will *never* go away.

What I am about to say will, no doubt, be laughable to most: dumb your e-mail down, and use a text only reader again – you will be better off in the end. The reason I say this is due to a recent e-mail I received. It was well crafted, appearing to be from a large social networking site, stating that my account had been locked due to a login from an odd computer (site redacted):

Date: Sat, 11 Feb 2017 08:20:00 -0500
From: [large socialmedia] no-reply@accounts.compromised.[large socialmedia].com
Subject: [large socialmedia] account compromised
Parts/Attachments:
   1 Shown     17 lines  Text (charset: ISO-8859-1)
   2          162 KB     {application/octet-stream}
   3 Shown      1 lines  Text
----------------------------------------

Dear [large socialmedia] user,

Your [large socialmedia] account was recently logged into from a computer,
mobile device or other location you've never used
before. For your protection, we've temporarily locked your account your
account until you can review this activity and make sure no one
is using your account without your permission.

Did you log into [large socialmedia] from a new device or an unsual location?

- If this was not you, please download attached file and follow the
instructions provided to help you control
your account information.


Thanks,
[large socialmedia] Security Team


    [ Part 2, {application/octet-stream}/UNKNOWN (Name: ]
    [ "COMPROMISED11022017.zip") 162 KB. ]
    [ Cannot display this part. Press "V" then "S" to save in a file. ]

    [ Part 3: "Attached Text" ]

Obviously this is an easy one, in that it misspells unusual as unsual. But do people pay attention? I didn’t initially. I had just been on the large social media company’s web site. Could this be real? Well, the simplest answer was to log back in, which I did. Guess what? It wasn’t locked.

Taking a look at the attachment with hexdump on Linux, straight at the bits:

$ unzip COMPROMISED11022017.zip
$ hexdump -C COMPROMISED11022017.exe | less

I looked for the string “exe” and guess what pops up? Hand.exe. Doing a quick search of hand.exe yields this link:

http://www.threatexpert.com/files/hand.exe.html

The obvious is true: another attack via e-mail. The protection from a text based reader is that one cannot “click” on the attachment. It forces you to examine what you are doing, requiring extra steps. This is a small price to pay, one which I am happy to do. You should be too.
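The same triage, carried out without unzipping the attachment to disk or opening it: list the members, note the extension and the MZ magic, hash the bytes, and pull printable strings that mention an .exe. This is an added example, not the post's own commands; the zip it inspects is constructed in memory (a fake MZ header with filler and the name "Hand.exe" inside), not the real attachment.

```python
"""Triage a zip e-mail attachment in memory, without executing or extracting it."""
import hashlib
import io
import re
import zipfile

EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar")


def make_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Build a single-member zip in memory (used only for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed stand-in for the attachment from the post: an "exe" that starts with the
# MZ magic, carries the usual DOS stub text, and embeds the name Hand.exe. Not real malware.
_fake_exe = (b"MZ" + b"\x90" * 62
             + b"This program cannot be run in DOS mode." + b"\x00" * 16
             + b"Hand.exe\x00")
SAMPLE_ZIP_BYTES = make_sample_zip("COMPROMISED11022017.exe", _fake_exe)


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """What strings(1) would print: runs of printable ASCII at least min_len long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """One record per member; bytes are read from the archive in memory only."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "sha256": hashlib.sha256(data).hexdigest(),   # what you would look up
                "executable_name": info.filename.lower().endswith(EXEC_SUFFIXES),
                "pe_magic": data[:2] == b"MZ",                # Windows executable header
                "exe_strings": [s for s in printable_strings(data) if ".exe" in s.lower()],
            })
    return findings


def is_suspicious(findings: list[dict]) -> bool:
    """An executable name or an MZ header inside a 'security notice' zip is enough."""
    return any(f["executable_name"] or f["pe_magic"] for f in findings)


if __name__ == "__main__":
    for record in triage_zip(SAMPLE_ZIP_BYTES):
        print(record)
```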

Cut/Paste with AutoCutSel

Recently, I have moved from supporting CentOS 5.7 in Amazon’s EC2 to CentOS 6.6. At the same time, VNC clients have moved from running on Windows 7 to Windows 10. A question came up, why does copy and paste not work any more?

It’s true. After these changes, there is no copy/paste from the VNC client’s system to the VNC server.

Quick rundown: the client runs the TightVNC client 2.7.10 on Windows 10. The server runs Xvfb on CentOS 6.6, using x11vnc 0.9.13 to connect.

The answer turns out to be simple. Normally I attribute the solution to a web page that offers it, but unfortunately this time, I seem to have lost the URL. Sorry, person, who so graciously posted the comments about autocutsel!

If you compile and install the program “autocutsel”, then things become sane again. Adding to System -> Preferences -> Startup Applications, an application for “autocutsel” with the option of “-fork” solved this problem. In GNOME, this adds the file $HOME/.config/autostart/autocutsel.desktop, which will launch when the Xvfb is initiated as the user owning the Xvfb/x11vnc desktop.

Nice!

New Age of Firewalls

As the holiday season comes and goes this year, families will undoubtedly be inundated with new gadgets that hook into the home wifi network. We will marvel at our high technology prowess, and new found abilities and productivity. Yet, this is a cautionary tale, one that examines our path of no return.

Taking a trip down memory lane, when companies and families first started connecting to the Internet, a basic security measure was necessary: the firewall. All of these hard-wired devices sat behind it, with a path outbound, but no reverse path inbound. One of the first hoaxes on the Internet was the e-mail that warned of the “Good Times” virus. After all, how could one get a virus from ASCII text? Ha, ha, we thought. Simplicity of software would not allow such things to happen, rendering this time as the Golden Age of the Internet, yielding peace and harmony. The World Wide Web was born, and short were the days of dial-up services. Broadband became viable at the consumer level with the introduction of cable modems, and shortly thereafter, a protocol called 802.11, wireless ethernet. Pagers were replaced with cell phone technology. Domain names were snatched up, companies built web sites, and the hunger for content grew. And grew. And grew. And then, on January 9th, 2007, Apple announced the iPhone. It was a three way marriage of networking: phone company networks, wifi networks, and the Internet.

All the while, the firewall was deemed to be the most important part of Internet related computer security. After all it has been there protecting you all of this time, right? Wrong. What people forget is that as time passes, software becomes more and more complex, as do the licensing agreements that accompany them. Does anyone, really, read EULAs? No. And yet, it is in these agreements that the details of our very flawed thinking are revealed.

Moving to today’s commercialized world of techno-wizardry, from a computer security perspective, it is safe to say that we have moved from the Golden Age to the Iron Age, where we live an existence of toil and misery. Why? Well, it all comes down to the firewall. Most people have a firewall that protects their “home” network. A “home” network most likely includes personal, medical, and financial information that not only includes documents, but account access. Family photos and videos, music, movies – it’s all in the mix. And, the poor little firewall has to protect it all from our blazing fast upload speeds (or put another way, theft speeds). Not only does the firewall manage wired connections, but wireless ones as well. Smart phones today use “home” wifi to help save on the data plan tied to the phone provider. We all do this, we save money!

It is this one scenario that best describes the inherent weakness of today’s home based computer security. For example, a gift was given that requires an app to be installed on a smart phone. You click through the license agreement and off and running you are. What fun! It’s magic. In reality, because your smart phone is connected to your home wifi, and the app connects back to the manufacturer of the gift, you now have an attack vector right into the heart of your digital life. The unspoken assumption is that people who sell stuff have thought this through. This is not the case. If people who write operating systems for a living have a hard enough time making things attack free, then what are the chances that a purveyor of anything trying to meet a market deadline will accomplish this? What about these free gaming apps that kids love to play? What about anything that is IoT? What about any piece of software on your computer? Anything you install today will connect back to some mother ship, and when this happens you are vulnerable. Not only from the mother ship itself, but from the software running at home – both sides.

The spirit of the firewall is dead. There is nothing that can be done. If you think otherwise, then you are living a delusional fantasy. Of course, people who sell sophisticated firewalls will tell you otherwise. After all, public companies have to report they are doing their due diligence to protect themselves, right? And how many attacks and public disclosures do we see a year? How much money was spent? To make matters worse, firewalls today also suffer from vulnerabilities. The Iron Age it is, indeed.

Is there anything that can be done? Yes, and it requires time, thought, discipline, and a willingness to accept complexity, all of which are incongruous with the “instant satisfaction” that we are so desirous of today. Here is a basic chart of what a modern home network should look like:

Figure: Firewall Architecture

The hardware is a hypervisor, running virtual machines. The firewall itself is now virtual, managing traffic flows from other virtual machines and their respective networks. The firewall VM has a dedicated physical port, as does the hypervisor. In this example, there are three wireless networks, governed by three separate physical wireless ethernet bridges. There are three types of networks: personal, IoT, and anything else. On the personal network, the general assumption is that this is where all important data exists, data one would rather not see out on the Internet. Ideally, only devices that do not phone home should exist here. Unfortunately, this precludes products from Apple and Microsoft. The IoT network should include all of the devices that manage household gadgetry – thermostats, sensors, security, etc. For obvious reasons, this network should not be affected by the personal or third network, the “other” network. This last network is where all of the Blu-ray players, televisions, mobile devices, printers, and guest access should reside. While the IoT network phones home, it pales in comparison to the “other” network. This network is the wild west of security, and should not be considered safe.

Plainly, this installation is far from simple. One machine, five operating systems, five IP networks, ten ethernet bridges – eight virtual, three physical. There is no “instant on”. The machine will take minutes to power on, and should be placed on a UPS in case of power failure.

If this seems too technical, it is supposed to. People make very good salaries supporting such installations. How is a non-technical person supposed to enjoy the merits of such an installation? The sad answer is that they cannot. This is precisely the reason why so many large DDoS attacks can take place using hijacked machines, your hijacked machines.

AI

So here we go again. Lee Sedol is losing to Google’s AlphaGo. Man vs. machine. Jeopardy, chess, and now Go. The Internet is flooded with stories regarding the advancement of artificial intelligence based on this match. I will admit that it must be very complicated to write a program that can compete against the top tier player of a game such as Go. Is it intelligence?

This can be answered with a simple question. Can AlphaGo or Watson or whatever, create a game such as Go, Jeopardy, or chess? Until we reach that point, this AI we’re talking about is simply clever computer programming. That is all. Fluff, bragging rights, name it what you will. Will it have benefits in the future? Unequivocally yes. Is it intelligence? No.

To see how fallen human heroes opine on their loss, check this out:

Garry Kasparov: http://www.forbes.com/asap/1999/0222/071.html

Ken Jennings: http://www.slate.com/articles/arts/culturebox/2011/02/my_puny_human_brain.single.html

(and TBD, Lee Sedol’s thoughts).

Xvfb, RHEL6, gdm, and x11vnc

Yep, the title says it all. Pure geekdom. As the Gnome Display Manager ages, options that were available are no longer, taking away some awfully useful technology.

Sometimes it is nice to have not only one X display start at boot, but two! My choice is to have the first display tied to hardware, and the second be software based. The latter can be accomplished with VNC, but it has been my preference to use the X Virtual Frame Buffer package (Xvfb), and let x11vnc do the translation to the VNC protocol.

With Red Hat 6, options in the /etc/gdm/custom.conf file are now simply ignored without any notice. It is (or was) pretty frustrating to get a system to boot with a VNC session that ran the Gnome Display Manager (gdm). That, combined with the fact that Xvfb no longer ships as a standard part of the operating system (only available through a subscription channel), makes it difficult at best to continue such functionality that was present in release 5.

Assuming you can get an official Xvfb package from Red Hat, here is how to make the magic happen. The /etc/gdm/custom.conf file is pretty much empty. Make sure you have these options in it:

# GDM configuration storage

[daemon]

[security]
AllowRemoteRoot=true
DisallowTCP=false

[xdmcp]
Enable=true
MaxSessions=30

[greeter]

[chooser]

[debug]

Then create the file, /etc/init/xvfb.conf:

# Do not edit this file directly. If you want to change the behaviour,
# please create a file xvfb.override and put your changes there.

start on stopped rc RUNLEVEL=5

stop on starting rc RUNLEVEL=[!5]

console output
respawn
respawn limit 10 120
exec /usr/bin/Xvfb :1 -ac -screen 0 1440x900x24 -pixdepths 24 -query localhost

Ensure your changes take hold:

# initctl reload-configuration
# initctl list

To hook it to VNC, add your service in /etc/services:

vncserver       5901/tcp

Add your /etc/xinetd.d/vncserver file:

service vncserver
{
        disable = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /path/to/x11vnc/binary
        server_args     = -inetd -rfbport 5901 -forever -shared -q -skip_lockkeys -o /dev/null -display :1 -buttonmap 12345-123:Prior::Next: -buttonmap 12345-123:Up+Up+Up::Down+Down+Down:
        log_on_failure  += USERID
}

And restart xinetd. Voila! You now have GDM running, available via VNC. Cheers.
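The xinetd entry above is the same one used in the CentOS 7 post earlier on this page, so one check serves both: it parses the entry and reports the three things a defender would want to know about before port 5901 is reachable from anything but the host itself: no only_from restriction, no VNC password option on the x11vnc command line (the GDM greeter becomes the only gate), and a log sent to /dev/null. This is an added example, not code from either post; the tightened variant, its only_from value and the /etc/x11vnc.passwd path are assumptions, and the -buttonmap options are left out of the constructed copies for brevity.

```python
"""Exposure check for an xinetd x11vnc entry such as /etc/xinetd.d/vncserver."""
import re

# Constructed copy of the entry as posted (buttonmap options omitted); not read from a live system.
AS_POSTED = """
service vncserver
{
        disable = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /path/to/x11vnc/binary
        server_args     = -inetd -rfbport 5901 -forever -shared -q -skip_lockkeys -o /dev/null -display :1
        log_on_failure  += USERID
}
"""

# Assumed tightened variant: host-only access, a log file, and a password file
# (a file in the form written by `x11vnc -storepasswd`; the path is an assumption).
TIGHTENED = """
service vncserver
{
        disable = no
        socket_type     = stream
        wait            = no
        user            = root
        only_from       = 127.0.0.1
        server          = /path/to/x11vnc/binary
        server_args     = -inetd -rfbport 5901 -forever -shared -q -skip_lockkeys -o /var/log/x11vnc.log -display :1 -rfbauth /etc/x11vnc.passwd
        log_on_failure  += USERID
}
"""

# x11vnc options that put some form of password in front of the session.
AUTH_FLAGS = ("-rfbauth", "-passwdfile", "-passwd", "-usepw", "-unixpw")


def parse_xinetd_entry(text: str) -> dict:
    """Turn the 'key = value' / 'key += value' lines inside the braces into a dict."""
    body = text[text.index("{") + 1:text.rindex("}")]
    attrs = {}
    for line in body.splitlines():
        m = re.match(r"\s*(\w+)\s*\+?=\s*(.*?)\s*$", line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def vnc_exposure_findings(text: str) -> list[str]:
    """Return the problems a reviewer would flag; an empty list means none found."""
    attrs = parse_xinetd_entry(text)
    args = attrs.get("server_args", "").split()
    findings = []
    if "only_from" not in attrs:
        findings.append("no only_from: xinetd will hand the VNC port to any source address")
    if not any(flag in args for flag in AUTH_FLAGS):
        findings.append("no VNC password option: the GDM login screen is the only gate")
    log_at = args.index("-o") if "-o" in args else -1
    if 0 <= log_at < len(args) - 1 and args[log_at + 1] == "/dev/null":
        findings.append("x11vnc log goes to /dev/null: connections leave no record")
    return findings


if __name__ == "__main__":
    for label, entry in (("as posted", AS_POSTED), ("tightened", TIGHTENED)):
        print(label, vnc_exposure_findings(entry) or ["ok"])
```

With only_from set to 127.0.0.1 the session is still reachable from elsewhere by forwarding port 5901 over SSH, which also keeps the VNC traffic off the wire in the clear.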

Time Capsule As a File Server

With so many Apple devices now interacting with my family, I made the decision to install a Time Capsule as the principal wifi presence. I have always believed in heterogeneous networks. Yet, other vendors of wifi routers have resulted in performance variability for the Apple products. So, now the onus is on Apple. Guess what? Apple clients work much better with the Time Capsule. Really I should not be surprised, but it does make me wonder what goes on behind the scenes that makes the difference. Hmmmm.

The Time Capsule (TC) has a USB 3 port on it, so we now have a 2TB external drive connected to it. This disk, apart from the internal drive on Time Capsule, is used for central storage. How can one access it via Linux? The TC shares this disk via CIFS, so Windows and Linux computers can utilize the export as well. To get a list of what is available on the TC:

# smbclient -U "USER NAME" -L IP ADDRESS|hostname
Enter USER NAME's password: 
Domain=[WORKGROUP] OS=[Apple Base Station] Server=[CIFS 4.32]

	Sharename       Type      Comment
	---------       ----      -------
	USER NAME       Disk      
	IPC$            IPC       
	Data            Disk      
	USB Drive       Disk      
Domain=[WORKGROUP] OS=[Apple Base Station] Server=[CIFS 4.32]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------

And to mount it, the option that provides the secret sauce is “sec=ntlm”:

# mount -t cifs -o user="USER NAME",sec=ntlm --verbose //[IP ADDRESS|hostname]/"USB Drive" /path/to/mount

Once the mount command works manually, it can be integrated with the Linux automounter. Rather than typing the password at each mount, a root-only file passed with the “credentials=” option keeps it out of the shell history and the process list. With Linux now having access to the drive, the doors are open.