Welcome to cron.weekly issue #53 for Sunday, November 6th, 2016!
The vim editor turned 25 years, we’ve got Docker horror stories and plenty of SSH honeypots to collect interesting hacking attempts. Surely enough to keep you all occupied for today, tomorrow & the week to come.
News
MITM on sync+emerge = root almost any gentoo system
Perhaps not so much news as an interesting vulnerability: the Gentoo package manager doesn’t validate any GPG keys, making it trivial to set up a man-in-the-middle proxy to intercept any packages served to the package manager.
Buttery Smooth Emacs
I’m not an emacs user myself, but I liked this story: since Emacs is so old, it couldn’t/didn’t use standards related to displaying windows/text. Only just now did it implement methods for smooth scrolling & displays. The joys of ancient software!
Debian 9 drops support for powerpc
As of Debian 9, there won’t be any support for the powerpc architecture anymore.
Let’s Encrypt crowdfunding campaign
If you like the free TLS certificates from Let’s Encrypt, now’s the time to show your support: the Let’s Encrypt team needs help raising the last of the donations to cover its running costs. Embarrassingly, it only had ~600 backers in 4 days. For the world’s biggest Certificate Authority (or close to it), that should be a lot more!
Vim text editor turns 25
Quite an accomplishment, Vi-IMproved!
Tools & Projects
Datadog – Application monitoring done right
Get real-time, integrated statistics on your entire infrastructure: from Amazon stats on your servers to detailed numbers of your PostgreSQL, Elasticsearch, Node & other applications – all from a single, easy to use, interface. Sign up for a free trial to discover a better way to monitor your stack! (Sponsored)
fpm
Effing package management! Build packages for multiple platforms (deb, rpm, etc) with great ease and sanity.
concurrency-logger
HTTP logging middleware especially useful to unwind concurrent operations without losing the request context: log HTTP requests/responses separately, visualize their concurrency and report logs/errors.
sudo-touchid
A modified sudo binary that allows authentication via the new TouchID on Apple Macbooks.
yazvs
“Yet Another Zone Validation Script”: yazvs.pl is one of the utilities that Verisign uses daily to validate new versions of the root and arpa DNS zones before they are published to the distribution masters.
Chronos: A Replacement for Cron
This is a bit older already, but still sounds interesting: Chronos is the Airbnb replacement for cron. It is a distributed and fault-tolerant scheduler which runs on top of Mesos.
kpatch
kpatch is a Linux dynamic kernel patching infrastructure which allows you to patch a running kernel without rebooting or restarting any processes.
Minoca OS: A new open source operating system
Lots of attention for this project last week: Minoca OS is a general purpose operating system written completely from the ground up. It’s intended for devices looking to conserve power, memory, and storage.
cowrie
Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.
sshesame
A fake SSH server that lets everyone in and logs their activity (aka: an SSH honeypot).
ocproxy
This is essentially a “per-application VPN”, instead of a system-wide VPN: ocproxy is a user-level SOCKS and port forwarding proxy for OpenConnect based on lwIP. When using ocproxy, OpenConnect only handles network activity that the user specifically asks to proxy, so the VPN interface no longer “hijacks” all network traffic on the host.
snoopy
Snoopy is a tiny library that logs all executed commands (+ arguments) on your system.
darling
Darling is a translation layer that allows you to run unmodified macOS binaries on Linux. In its nature, it is similar to the well-known Wine project.
BearSSL
BearSSL is an implementation of the SSL/TLS protocol written in C.
Portainer
Portainer is an open-source lightweight management UI which allows you to easily manage your Docker host or Swarm cluster.
Lynis
Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless; installation is optional.
systemd 232
Plenty of new features in this systemd release: there’s now support for dynamically created users for the lifetime of a service, improved container support, cgroup limits for swap usage, the introduction of systemd-mount & much more.
RHEL 7.3
Red Hat Enterprise Linux 7.3 has been released, which means we should see CentOS 7.3 soonish too: lots of package updates, many stability & security improvements.
Guides & Tutorials
Run Nginx proxy in Docker container for HTTP/2
Since you need a recent version of OpenSSL to support HTTP/2 for browsers like Chrome, running an HTTP/2 enabled proxy in a Docker container makes sense. This guide covers an Nginx TLS proxy running inside Docker to support HTTP/2.
Service discovery at Stripe
At Stripe, they’re heavy users of consul. This post gives lots of insights to how it works at scale, how it got introduced and what it’s doing today.
How to run commands at shutdown on Linux
A good tip on using a script in /etc/rc.d/rc3.d/ to run commands on system shutdown.
NTP: I Need You to Go Ahead and Love It
This post is a good reminder on what NTP is and does, how it works and how to configure it.
Linux increase ip_local_port_range TCP port range
For heavy traffic network servers, like proxy servers or load balancers, you may need to increase the networking port range to create more source/destination ports for new TCP connections.
Current state of the Ansible inventory and how it might evolve
A very good introduction post to the Ansible inventory: its current state and shortcomings, and how those could be addressed in the future.
Docker in Production: A History of Failure
This is somewhere between a rant and a precautionary tale: beware of running Docker in production, learn from these folks.