Blog

The other day, I was so excited to have a working IRC server on my box at home that I kinda forgot how insecure IRC was. There is a big reason why IRC is banned at my web hosting employer, since it’s so easy to hack that it represents a serious botnet risk. One of my colleagues at work revealed to me how insecure IRC was, and that it was very well known that a hacker could break through the IRC daemon to the root system and do pretty much whatever. To help secure the daemon, he challenged me to place it into a chroot jail.

“What’s a chroot jail?” I asked.

He explained that it’s a way of changing the apparent root directory for an invoked command, such that the service running under that command is isolated from the rest of the system. It runs in a separate root on its own separate set of libraries. I didn’t get it at first, but I began to grasp the concept after a little while.

Basically, chroot is a core Linux command that will change the root that a command executes under. For something like IRCd, it will start the service using a separate root directory and a separate set of function libraries that the program needs to execute its code, and it will isolate the service from the rest of the system to keep the server secure.

What an interesting challenge to set up! I had to find out which function libraries IRCd used and copy them over to a chosen root directory for my chroot jail, move over all of the /bin/bash commands to the new root, place a passwd file in the new root so that it would recognize my user, and then try to run the service. To start, I began copying all of the libs over to a particular directory, and then decided to move it around a bit.

And then disaster struck…I moved the ENTIRE primary /lib/ directory by accident……

Just so you understand what this means, it’s like someone burned all the books in the library just as I was starting to research my bachelor’s thesis. My commands stopped working, because the programs that the commands use to run could no longer reference the functions in the /lib/ folder! I didn’t realize what I’d done at first, but then the reality slowly sank in that I’d horribly, horribly broken my server! I couldn’t even move the /lib/ folder back to where it belonged to get things working again! All that work and effort and blood and sweat came rushing right up to the forefront of my mind, and I was utterly horrified…

First, I tried to see if I could mount the server hard drive on my desktop Linux system so that I could rescue the server. No matter how I tried, I couldn’t get my desktop to recognize the device, and I eventually gave up on this option. And then I remembered that I still had the install DVD image, which comes with a rescue mode! I restarted the server, inserted the DVD, and then entered the rescue mode so that I could move the libs back to where they needed to be for the system to work properly. Thank God in Heaven that I was able to do this and largely resolve the issue without any serious pain!!

Very hard lesson learned, I then continued to set up the new chroot jail, and managed to successfully get the IRC working in it. After that, I set up a couple of shell scripts executable by the root user so that I could activate and deactivate the server without any serious trouble. I’ll gladly call that a night well spent, thank you!

Finally! At long last (a few days), I have finally confirmed that IRC is working correctly on my server!

Basically, I gave tech support a call and they set up my server to be in the DMZ. I’d already tried this a few times, but every time I configured the server to be in the DMZ, the router would say that the device was off. This time, however, I just rebooted the server so that the router would recognize that it was online, and after that everything just started to work exactly how I wanted it to. It was glorious!

Finally, I can set up my SSH and my IRC servers to be on non-standard ports and confirm that they are working exactly the say that they’re supposed to. And I don’t think that the server is less secure by all that much than it was previously.

This is all too cool! I now need to take some time to learn how iptables works so that I can have that extra bit of security if I need it.

So, I had a run at installing an IRC server to the box tonight, and that seemed to go pretty well. It was reasonably well documented, and the set up process wasn’t too difficult. It seems that a lot of systems that you have to compile from source are set up with some sort of configuration script that does most of the decision making for you.

Anyway, it’s up and running and listening, and I got the proper DMZ set up on the router, but for whatever reason I can’t seem to connect. I did a port scan on the server and found that the IRC port was being blocked still, so I’m unsure what the deal is. It’s a bit frustrating, because I feel like I should be able to resolve this on my own, but at the same time I feel like there is something else going on with the ISP.

Meh. The good news is that I can connect to the IRC server when I try to do so locally on the network. So it’s working that far, I think. Oh well! When I have a chance I may give support a call and see what they think.

So, something that had kinda been sitting on my mind for a little bit was installing a statistics program to the server to properly parse the access logs. Of course AwStats comes to mind, since that’s the most prominent statistics program at work.

I was able to download and install the package using YUM, and thankfully AwStats came with a configuration script that did most of the difficult stuff for me. After that, it was reading the documentation to figure out how to make the script visible on a web browser. It was a bit difficult to figure out how to do it right, but I eventually opted for having the program build an HTML file, which I symlink’d to the web root.

I figured out the appropriate sequence of commands, and then compiled it all into a simple alias that updates the AwStats database, builds the HTML file, and symlinks it to the webroot. This way, I can just type one word, view my stats, and then type my second alias that removes the symlink and the HTML file when I’m done. It works perfectly!

I’m thoroughly enjoying my new serverbox and all that I’m able to do with it. Given patience, I’m really getting the feeling that there’s very little that I can’t do with it. :3