Acronis True Image

April 23rd, 2007 by Alexander Mamchenkov

I came across Acronis True Image Server for doing full images of servers and I was really impressed with the speed of backup/restore as well as the compression rate: it did a full backup of a server which had 18GB occupied on the drive into a 3GB image. The restore worked fine (using the boot CD). The only thing I am planning to test now is Acronis Universal Restore, which claims to be capable of restoring to different hardware (even Windows) by adjusting the HAL drivers. If anyone has tried Universal Restore, please leave a comment :)

Posted in Technology, OS, Backup | 1 Comment »

Cleaning Malware

April 16th, 2007 by Grigory

Recently I had a chance to “play” a little with an infected machine. I liked it. For me, cleaning infected machines is always fun. Malicious software (malware) uses all possible tricks to hide, and you use all your knowledge and skills to find and remove it. So, here are a few real-world principles regarding malware.

Fundamental principle: if a machine is infected, it is infected. Ideally, you have to “nuke and pave” (reformat and reinstall everything). And ideally you should not use backups to restore it, because it is impossible to prove that, after cleaning, the machine (or the backup) is clean. But our world is not ideal and security is not black and white. Security is always gray. So, if you understand and accept this risk, you can make an attempt to clean the machine.

Do not rely only on an antivirus and do not trust it completely. First, despite developers’ claims, antiviruses are simply not good yet with spyware. Over the last two years they have improved dramatically, but they still have some problems. The best antispyware solution is Windows Defender. If you hate Microsoft, the free version of Ad-Aware is good enough. Second, standard malware is good at defeating and fooling antiviruses. In my case, the malware successfully fooled a fully updated F-Secure antivirus, BitDefender and then Kaspersky.

The most effective protection is to use a non-administrator account. It is more effective than just having an antivirus. If you have to have admin rights, use Software Restriction Policy to run at least the browser and email client as non-administrator. And do not allow your girlfriend/wife and your children to be administrators on your machine. I know it is hard. I know they will call you a tyrant and despot. I know it is nearly impossible. But it has to be done.
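One way to set this up, as an added example that is not from the post: a PowerShell script that writes the Software Restriction Policy “Basic User” path rules the secpol.msc snap-in would create, so the browser and mail client start with the Administrators group marked deny-only in their token even when the logged-on user is an administrator. The registry layout is the one the SRP snap-in writes (verify the result in secpol.msc after running it), the program paths are assumptions, and it needs an elevated PowerShell 2.0 or later.

```powershell
# Added example, not from the original post: create SRP "Basic User" path
# rules so the listed programs start with their Administrators token stripped.
# Registry layout is what the SRP snap-in (secpol.msc) writes on XP/Vista;
# the program paths below are assumptions. Run from an elevated prompt.

$Safer     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$BasicUser = 131072   # 0x20000 (0 = Disallowed, 262144 = Unrestricted)

function Enable-Safer {
    # Turn SRP on with "Unrestricted" as the default level, so only the
    # explicit Basic User rules below change anything.
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value 262144 -Type DWord
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1      -Type DWord  # all software except DLLs
    Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0      -Type DWord  # all users, admins included
}

function Add-BasicUserRule {
    param(
        [Parameter(Mandatory = $true)][string]$ProgramPath,
        [string]$Description = ''
    )
    # One rule = one GUID-named subkey under <level>\Paths.
    $ruleKey = Join-Path $Safer "$BasicUser\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $ProgramPath -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $ruleKey
}

Enable-Safer
# Assumed install locations; replace with whatever browser/mail client you use.
Add-BasicUserRule -ProgramPath '%ProgramFiles%\Mozilla Firefox\firefox.exe'         -Description 'Browser as Basic User'
Add-BasicUserRule -ProgramPath '%ProgramFiles%\Mozilla Thunderbird\thunderbird.exe' -Description 'Mail client as Basic User'

# Check: start the program, then look at its token (Process Explorer, or
# "whoami /groups" from a shell it spawns): BUILTIN\Administrators must be
# listed as "Group used for deny only". For a one-off test without a rule:
#   runas /trustlevel:0x20000 "C:\Program Files\Mozilla Firefox\firefox.exe"
```

The rules apply to processes started after the values are written. The path rule matches the executable, not the user, so a launcher that spawns the browser from an unrestricted parent still gets the restricted token when the browser's own image matches the rule.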

And last thing: for cleaning, always run Windows in Safe Mode. Almost everything will be disabled, so malware will have the lowest chance of fooling the antivirus scanner.

Posted in Windows, Security | No Comments »

RRDTool Graphing Tips

April 5th, 2007 by Alexander Mamchenkov

I’ve been working with RRDTool graphs a lot over the past few days and noted a couple of tips for myself which I want to share here:

Graphing Real Numbers as Integers

Sometimes your database contains numbers in real format (e.g. 4.23) and you want to see only integer values on the graphs. For example, the database keeps track of the number of user sessions and stores the AVERAGE consolidated value, but since 2.123 sessions does not look right (for me at least, in this case), it is possible to round it to an integer and have 2 (or 3 if the original real number was 2.5 or more). For this, in the graph definition, you create a variable holding the integer value as follows (CDEF expressions use postfix/RPN notation, which I hate):

CDEF:var_int=var_real,1,%,0.5,GE,var_real,CEIL,var_real,FLOOR,IF

In infix notation this is <code>var_int = (var_real % 1 >= 0.5) ? ceil(var_real) : floor(var_real)</code>: the fractional part of var_real decides whether it is rounded to the integer above or below. One caveat: RRDTool's % behaves like C's fmod and keeps the sign of the dividend, so for negative values the comparison is never true and the expression always rounds down; for counts such as sessions this never matters. After such a definition you can use var_int anywhere a plotted variable goes (LINE, AREA, GPRINT and so on).

Graphing the Unknowns

It is good practice to change the background of the graph where the data is unknown (a gap in the database). To draw such areas I first check whether the variables have a value; where they do not, I create two helper variables, one running from 0 to +infinity and the other from 0 to -infinity, and draw both as AREAs in the same colour, so the whole vertical band is shaded. So here we go:

CDEF:u=var1,var2,+,UN,INF,UNKN,IF creates a variable that is +infinity where the sum of the actual variables is unknown (which it is as soon as any one of them is unknown, since arithmetic with UNKN yields UNKN) and unknown, i.e. not drawn, elsewhere

CDEF:u2=var1,var2,+,UN,NEGINF,UNKN,IF creates the matching variable for 0 to -infinity under the same condition as u.

AREA:u#FFFFB9
AREA:u2#FFFFB9

display the two AREAs in a colour I like. Both are needed because an AREA is always filled from the zero line, so one covers the positive half of the canvas and the other the negative half.

Examples

Let me just post a couple of examples of graph definitions here (these are rrdcgi templates, so the whole definition sits inside a &lt;RRD::GRAPH&gt; tag):

<RRD::GRAPH firewall-Net:Traf-LAN.png -w 845 -s <RRD::CV period> -c BACK#FFFFFF -c SHADEA#FFFFFF -c SHADEB#FFFFFF -c FRAME#000000 -W 'IT Department' -v "Bits" --title="firewall - LAN Traffic"
DEF:up_rrd=firewall-Net\:Traf-LAN.rrd:up:AVERAGE
DEF:down_rrd=firewall-Net\:Traf-LAN.rrd:down:AVERAGE
CDEF:up=up_rrd,8,*
CDEF:down=down_rrd,8,*
CDEF:down_show=down,-1,*
VDEF:down_min=down,MINIMUM
VDEF:down_ave=down,AVERAGE
VDEF:down_max=down,MAXIMUM
VDEF:up_min=up,MINIMUM
VDEF:up_ave=up,AVERAGE
VDEF:up_max=up,MAXIMUM
COMMENT:' '
COMMENT:' Max'
COMMENT:' Ave'
COMMENT:' Min\n'
COMMENT:' \n'
AREA:down_show#00FF00:'Incoming '
GPRINT:down_max:'%8.2lf%Sb'
GPRINT:down_ave:'%8.2lf%Sb'
GPRINT:down_min:'%8.2lf%Sb\n'
AREA:up#0000FF:'Outgoing '
GPRINT:up_max:'%8.2lf%Sb'
GPRINT:up_ave:'%8.2lf%Sb'
GPRINT:up_min:'%8.2lf%Sb\n'
CDEF:u=up,down,+,UN,INF,UNKN,IF
CDEF:u2=up,down,+,UN,NEGINF,UNKN,IF
AREA:u#FFFFB9
AREA:u2#FFFFB9
>

The above definition graphs LAN traffic. The byte counters from the database are multiplied by 8 to get bits per second, and the inbound rate is negated (down_show) so that incoming traffic is drawn below the axis and outgoing traffic above it; the GPRINT lines still use the positive down variable, so the printed figures stay positive. The last four lines are the unknown-data band from the second tip.

<RRD::GRAPH firewall-Net:Conn.png -l 0 -w 380 -s <RRD::CV period> -c BACK#FFFFFF -c SHADEA#FFFFFF -c SHADEB#FFFFFF -c FRAME#000000 -W 'IT Department' -v "Connections" --title="firewall - Established TCP Connections"
DEF:total=firewall-Net\:Conn.rrd:total:AVERAGE
CDEF:total_show=total,1,%,0.5,GE,total,CEIL,total,FLOOR,IF
VDEF:total_min=total,MINIMUM
VDEF:total_ave=total,AVERAGE
VDEF:total_max=total,MAXIMUM
COMMENT:' '
COMMENT:' Max'
COMMENT:' Ave'
COMMENT:' Min\n'
COMMENT:' \n'
AREA:total_show#0000FF:'Connections '
GPRINT:total_max:'%10.0lf'
GPRINT:total_ave:'%10.0lf'
GPRINT:total_min:'%10.0lf\n'
CDEF:u=total,UN,INF,UNKN,IF
CDEF:u2=total,UN,NEGINF,UNKN,IF
AREA:u#FFFFB9
AREA:u2#FFFFB9
>

And this one shows the number of established TCP connections, with the averaged values rounded to integers by the CDEF from the first tip (total_show) and the same unknown-data band at the end.

Note that both graphs use <RRD::CV period> as the start of the graph period (the -s option). I use this when viewing the graph through rrdcgi by appending ?period=-1h or similar to the URL to display the graphs for different time periods; -s accepts the usual rrdtool time specifications, so -1d or -1w work the same way.
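To check what the rounding CDEF and the unknown-band CDEFs actually compute, here is an added example that is not part of the original post and not rrdtool's own code: a small Python evaluator for the RPN subset these graph definitions use (arithmetic, comparisons, UN, CEIL, FLOOR, IF and the INF/NEGINF/UNKN constants), run over constructed up/down samples that include a gap in one data source and a full outage. It mirrors rrdtool's rules as I know them: any arithmetic or comparison involving UNKN yields UNKN, and % has the sign behaviour of C's fmod, which is why the rounding expression floors negative values. Variable names and sample values are assumptions.

```python
"""Evaluate RRDTool CDEF expressions (RPN) on sample data.

Added example, not from the original post: a minimal evaluator for the
RPN subset those CDEFs use, so the rounding and UNKN-band expressions can
be checked sample by sample without an .rrd file. The sample data at the
bottom is constructed, not real firewall output.
"""
import math
from typing import Dict, List, Tuple

UNKN = float("nan")  # RRDTool represents unknown samples as NaN


def is_unknown(x: float) -> bool:
    return math.isnan(x)


def eval_cdef(expr: str, values: Dict[str, float]) -> float:
    """Evaluate one CDEF RPN expression for a single sample.

    `values` maps DEF/CDEF variable names to their value at this sample
    (NaN = UNKN). Only the operators used on this page plus basic
    arithmetic are implemented; anything else raises ValueError.
    """
    stack: List[float] = []

    def pop() -> float:
        if not stack:
            raise ValueError(f"stack underflow in {expr!r}")
        return stack.pop()

    for tok in expr.split(","):
        if tok in values:
            stack.append(values[tok])
        elif tok == "UNKN":
            stack.append(UNKN)
        elif tok == "INF":
            stack.append(math.inf)
        elif tok == "NEGINF":
            stack.append(-math.inf)
        elif tok in ("+", "-", "*", "/", "%"):
            b, a = pop(), pop()
            if is_unknown(a) or is_unknown(b):
                stack.append(UNKN)  # arithmetic with UNKN yields UNKN
            elif tok == "+":
                stack.append(a + b)
            elif tok == "-":
                stack.append(a - b)
            elif tok == "*":
                stack.append(a * b)
            elif tok == "/":
                stack.append(a / b if b != 0 else UNKN)
            else:
                # RRDTool's % is C fmod: the result keeps the sign of the dividend
                stack.append(math.fmod(a, b))
        elif tok in ("GE", "GT", "LE", "LT", "EQ", "NE"):
            b, a = pop(), pop()
            if is_unknown(a) or is_unknown(b):
                stack.append(UNKN)  # comparing against UNKN is UNKN
            else:
                res = {"GE": a >= b, "GT": a > b, "LE": a <= b,
                       "LT": a < b, "EQ": a == b, "NE": a != b}[tok]
                stack.append(1.0 if res else 0.0)
        elif tok == "UN":
            stack.append(1.0 if is_unknown(pop()) else 0.0)
        elif tok in ("CEIL", "FLOOR"):
            a = pop()
            if is_unknown(a) or math.isinf(a):
                stack.append(a)
            else:
                stack.append(float(math.ceil(a) if tok == "CEIL" else math.floor(a)))
        elif tok == "IF":
            # A,B,C,IF -> B if A is non-zero, else C. An UNKN condition is taken
            # as false here; in this page's expressions both branches are UNKN
            # in that case anyway, so the choice does not change the result.
            else_v, then_v, cond = pop(), pop(), pop()
            stack.append(then_v if (not is_unknown(cond) and cond != 0.0) else else_v)
        else:
            try:
                stack.append(float(tok))  # numeric literal such as 8, -1 or 0.5
            except ValueError:
                raise ValueError(f"unknown token {tok!r} in {expr!r}") from None
    if len(stack) != 1:
        raise ValueError(f"{expr!r} left {len(stack)} values on the stack")
    return stack[0]


# The CDEFs from the post, verbatim apart from the variable names.
ROUND_CDEF = "v,1,%,0.5,GE,v,CEIL,v,FLOOR,IF"
UNKN_TOP = "up,down,+,UN,INF,UNKN,IF"
UNKN_BOTTOM = "up,down,+,UN,NEGINF,UNKN,IF"


def round_half_up(x: float) -> float:
    """Apply the post's integer-rounding CDEF to one value."""
    return eval_cdef(ROUND_CDEF, {"v": x})


def evaluate_traffic_series(samples: List[Tuple[float, float]]) -> List[Dict[str, float]]:
    """Run the traffic graph's CDEFs over (up_bytes, down_bytes) samples.

    Returns one dict per sample with the bit rates the graph plots and the
    two INF/NEGINF 'unknown' bands (NaN where the band is not drawn).
    """
    out = []
    for up_rrd, down_rrd in samples:
        v = {"up_rrd": up_rrd, "down_rrd": down_rrd}
        v["up"] = eval_cdef("up_rrd,8,*", v)          # bytes/s -> bits/s
        v["down"] = eval_cdef("down_rrd,8,*", v)
        v["down_show"] = eval_cdef("down,-1,*", v)   # inbound drawn below the axis
        v["u"] = eval_cdef(UNKN_TOP, v)
        v["u2"] = eval_cdef(UNKN_BOTTOM, v)
        out.append(v)
    return out


# Constructed samples (bytes/s): the third has a gap in 'down', the fourth is
# a full outage, so the band must cover the third and fourth columns only.
SAMPLES = [(1250.0, 5000.0), (800.0, 12000.0), (900.0, UNKN), (UNKN, UNKN)]

if __name__ == "__main__":
    for x in (2.123, 2.5, 2.7, -2.7):
        print(f"{x} -> {round_half_up(x)}")
    for row in evaluate_traffic_series(SAMPLES):
        print({k: row[k] for k in ("up", "down_show", "u", "u2")})
```

The evaluator is deliberately strict (unknown token or leftover stack values raise), which makes it a handy way to lint a CDEF before putting it in a graph definition that only fails at render time.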

Posted in Technology, Network, Programming | No Comments »