I’ve been using BackupPC as a backup system for my local computers. It has saved my ass a few times already. What I don’t really like is the “pull” approach it uses: the backup server needs direct access to the files you want to back up on the remote machine.
It supports SMB as well as SSH, but I barely use any kind of Windows system anymore.
Since some people have given Attic a try and were happy with it, I decided to try it myself.
This is how I use it:
I have a backup server hosting all the repositories
I’ve shamelessly copied the automated backup script from the Attic website:
```sh
#!/bin/sh
# Remote repository, reached over SSH as the "attic" user on the backup server
REPOSITORY=attic@backup.server:pc1.attic
# Must be the same passphrase that was given to "attic init" on the server
export ATTIC_PASSPHRASE="some awesome and long passphrase"

# Create one archive per day, named after the current date
attic create --stats \
    $REPOSITORY::pc1-`date +%Y-%m-%d` \
    /etc \
    /home \
    /root \
    --exclude '*.pyc'

# Use the `prune` subcommand to maintain 7 daily, 4 weekly
# and 6 monthly archives.
attic prune -v $REPOSITORY --keep-daily=7 --keep-weekly=4 --keep-monthly=6
```
Add this to some daily cron, then back on the backup server:
```sh
# su attic
$ attic init -v --encryption=passphrase pc1.attic
```
And feed it the same passphrase as the one from the previous script.
WARNING: be sure to save the passphrase somewhere else! If pc1 dies, you also lose the backup script and, with it, the passphrase, and an encrypted repository without its passphrase is worthless.
Jessie has just been released 2 days ago, time for some apt-get dist-upgrade and rejoice in all the sweet new features.
Except…
Except there’s a hitch, called systemd. The Release Notes’ biggest section is all about how the move to systemd will crush your soul if you don’t pay close attention. That alone says how big a change this is, and how careful you’ll have to be to keep your sanity.
This will mainly be a rant post to help with anger management.
Install Systemd, lose your system.
Have a mount point in /etc/fstab that is auto and not nofail? Say bye to your server: if the device is missing at boot, systemd will bail out and stop starting services. No ssh, no fun. I like how the Debian people say “We need to sort this out before the release” … and then leave it as an open bug for 6 months.
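The check I would run before a dist-upgrade, as an added example (not from the original post): it parses an fstab and lists the mounts that systemd will insist on at boot, i.e. everything that is neither noauto nor nofail and not a pseudo filesystem. The fstab below is a constructed sample, and the pseudo-filesystem list is an assumption kept deliberately short.

```ruby
#!/usr/bin/ruby
# Constructed sample fstab: two entries here would block boot if the device
# were absent (/srv/data and /mnt/backups), the others are protected or virtual.
SAMPLE_FSTAB = <<~FSTAB
  # <file system>          <mount point>  <type>  <options>                      <dump> <pass>
  UUID=0123-4567           /              ext4    errors=remount-ro              0      1
  UUID=89ab-cdef           /srv/data      ext4    defaults                       0      2
  //nas/share              /mnt/nas       cifs    credentials=/root/.smb,nofail  0      0
  /dev/sdc1                /mnt/usb       ext4    defaults,noauto                0      0
  backup:/export/backups   /mnt/backups   nfs     auto,rw                        0      0
  proc                     /proc          proc    defaults                       0      0
FSTAB

# Virtual filesystems that are not backed by a device that could go missing
# (assumed list, extend as needed).
PSEUDO_TYPES = %w[proc sysfs tmpfs devpts swap].freeze

# Parse fstab text into hashes: { device:, mountpoint:, type:, options: [...] }.
# Comments and blank lines are skipped; a missing options field means "defaults".
def parse_fstab(text)
  text.each_line.map do |line|
    line = line.sub(/#.*/, "").strip
    next if line.empty?
    dev, mnt, type, opts = line.split(/\s+/)
    { device: dev, mountpoint: mnt, type: type, options: (opts || "defaults").split(",") }
  end.compact
end

# Mountpoints that systemd treats as required at boot: not noauto, not nofail,
# not a pseudo filesystem. The root filesystem is required anyway, so skip it.
def boot_blocking_mounts(text)
  parse_fstab(text).select do |e|
    next false if e[:mountpoint] == "/" || PSEUDO_TYPES.include?(e[:type])
    !e[:options].include?("nofail") && !e[:options].include?("noauto")
  end.map { |e| e[:mountpoint] }
end

if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_FSTAB
  boot_blocking_mounts(text).each do |m|
    puts "#{m}: add nofail (or noauto) if this device may be absent at boot"
  end
end
```

Run it against the real file with `ruby fstab_check.rb /etc/fstab`; the network mounts it reports are the usual culprits.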
Those are some nice Referer and User-Agent headers. They are actually the same string and try to exploit CVE-2014-6271, the so-called ‘Shellshock’ bug.
On an unpatched system, this exploit will:
Remove your stuff from /tmp/ (it actually leaves the files and directories whose names start with a ‘.’).
Make a script /tmp/Run.sh with the following content:
The udso file is ‘packed’ with UPX (strings, lol) and is actually a big (1.5M) statically linked executable.
It asks Google’s DNS at 8.8.8.8 for the IP of 2015.lnuxx.pw (currently 222.186.21.42), then connects to it on port 10991 and sends some information about the system it is running on, with some plaintext strings.
Most advanced!
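A detection pass over web server access logs, as an added example (not from the original post): it parses “combined” format lines and flags the Shellshock function-definition marker in exactly the two headers the probe above used, Referer and User-Agent. The log lines are constructed samples with a harmless echo in place of the real payload.

```ruby
#!/usr/bin/ruby
# Constructed sample: line 1 carries the marker in both headers (like the probe
# in the post), line 2 is a normal Firefox visit, line 3 only in User-Agent.
SAMPLE_LOG = <<~LOG
  203.0.113.9 - - [26/Apr/2015:03:14:07 +0200] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; echo shellshock-test" "() { :; }; echo shellshock-test"
  198.51.100.4 - - [26/Apr/2015:03:14:09 +0200] "GET /index.html HTTP/1.1" 200 1024 "https://example.org/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/37.0"
  203.0.113.9 - - [26/Apr/2015:03:15:01 +0200] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() {:;};/bin/echo probe"
LOG

# Vulnerable bash imports an environment variable as a function when its value
# starts with "() {". Whitespace varies between probes, so allow any amount.
SHELLSHOCK_MARKER = /\A\s*\(\)\s*\{/

# Apache/nginx "combined" format; quoted fields may contain escaped quotes (\").
COMBINED = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<request>(?:[^"\\]|\\.)*)" (?<status>\d{3}) (?<bytes>\S+) "(?<referer>(?:[^"\\]|\\.)*)" "(?<agent>(?:[^"\\]|\\.)*)"/

# One hash per suspicious line: source IP, requested path, and which of the
# two headers carried the marker. Unparseable lines are ignored.
def shellshock_hits(log_text)
  log_text.each_line.map do |line|
    next unless (m = COMBINED.match(line))
    fields = { "Referer" => m[:referer], "User-Agent" => m[:agent] }
    tainted = fields.keys.select { |h| fields[h] =~ SHELLSHOCK_MARKER }
    next if tainted.empty?
    { ip: m[:ip], path: m[:request].split[1], headers: tainted }
  end.compact
end

if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOG
  shellshock_hits(text).each do |h|
    puts "#{h[:ip]} -> #{h[:path]} via #{h[:headers].join(', ')}"
  end
end
```

Pipe the output into your firewall log review: a source IP hitting /cgi-bin/ with these headers, followed by an outbound connection to port 10991 from the web server, is the full chain described above.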
## Mitigation
Keep your system updated
Don’t run CGI scripts on your webserver
Configure firewalls on your servers
Use your own DNS servers
Any one of those will protect you from the evil Chinese-fu.
My LAN firewall logs were showing weird connections at night from my phone (connected over WiFi), so I decided to play around and check how I could log network connections from Android.
My phone runs ParanoidAndroid version 4.4.4, which fortunately ships with iptables and all the nice kernel modules, so I could just do:
iptables -A OUTPUT ! -o lo -j NFLOG --nflog-prefix "NFLOG " --log-uid
and see that it was logging stuff when browsing the web from my favorite app:
which indeed looks like Firefox. The only issue is this weird timestamp 264504, which would be ~3 days, but my phone had been up for more than 19 days. Oh well.
```ruby
#!/usr/bin/ruby
require "resolv"
require "pp"

# Build a UID -> package name map from Android's packages.xml.
# Apps using a sharedUserId have no userId of their own, so fall back to it.
def load_app_ids(f)
  res = {}
  File.read(f).each_line { |l|
    case l
    when /<package/
      name = l[/name="([^"]+)"/, 1]
      suid = l[/sharedUserId="([^"]+)"/, 1]
      uid  = l[/userId="([^"]+)"/, 1]
      if name
        if uid
          res[uid] = name
        else
          res[suid] = name
        end
      end
    end
  }
  return res
end

$appsid = load_app_ids("packages.xml")

logfile = ARGV[0]
res = {}
# One NFLOG line per packet: group by destination ip:port:proto and remember
# which apps (looked up by UID) talked to it.
File.foreach(logfile) do |l|
  if l =~ /\[([.0-9]+)\] "{NL}"IN=([^ ]*) OUT=([^ ]+) SRC=([^ ]+) DST=([^ ]+) LEN=([^ ]+) .+ PROTO=([^ ]+) SPT=([^ ]+) DPT=([^ ]+) .* UID=([0-9]+)/
    entry = {}
    entry["time"]  = $1
    entry["ifin"]  = $2
    entry["ifout"] = $3
    entry["ipsrc"] = $4
    entry["ipdst"] = $5
    entry["len"]   = $6
    entry["proto"] = $7
    entry["spt"]   = $8
    entry["dpt"]   = $9
    entry["name"]  = $appsid[$10]
    key = "#{entry['ipdst']}:#{entry['dpt']}:#{entry['proto']}"
    (res[key] ||= []) << entry["name"]
    res[key].uniq!
  end
end

# Print each destination (reverse-resolved when there is a PTR record)
# with the list of apps that contacted it.
res.each do |k, v|
  ip = k[/^([^:]+):/, 1]
  key = k.dup
  begin
    name = Resolv.getname(ip)
    key.gsub!(ip, name)
  rescue Resolv::ResolvError => e
    # no reverse record: keep the bare IP
  end
  # Ignore 'normal' stuff
  # next if key =~ /1e100.net:(80|443)/
  # next if key =~ /mozilla\.(com|net):443/
  # if v.include?("org.mozilla.firefox") and key =~ /(80|443):TCP/
  #   next
  # end
  # next if key =~ /239.255.255.250:1900:UDP/
  puts "#{key} => #{v}"
end
```
The script gets started this way, once the phone is connected:
WTF is that app?! There is no source code to be found; it seems the APK is slammed into the AOSP repo. It looks like it has been removed for the future 5.0 release of AOSPA, and from what I could read it’s just some weird app for the Sprint telco company that does stuff… The APK has about half of all the possible permissions and tries to connect to some OVH IP (which actually might be an ntp.org pool server). I don’t want that! The solution is:
root@hammerhead:/ # pm disable com.lge.SprintHiddenMenu
Package com.lge.SprintHiddenMenu new state: disabled