[svlug] Protecting and recovering from high system load?

[Tin Le]

On Tue, 29 Aug 2006, DzM wrote:

>> http://stromberg.dnsalias.org/~strombrg/fallback-reboot/
>
> This seems the ideal (well - nearly ideal) band-aid for me. But the docs are 
> crap and I'm confused.

Heh :-)

Yeah, it's not the best of docs.  But it's a pretty easy tool to setup and 
use though.

> It says that I can use Telnet to connect and instigate the reboot. But the 
> Telnet examples show it with a simple cleartext prompt. When I try to 
> duplicate I'm prompted with a RIPE-160 challenge and an expected hash in 
> response. I assume that the hash it wants is a RIPE-160 hash of the 
> configured password.
>
> Anyone have any clue how I generate this RIPE-160 hash that it wants? OR how 
> I can configure the thing to just use the cleartext password (I know - that's 
> bad; but right now I'm willing to accept it for a few days)?

Here's a quickie cookbook.

1. d/l, config, make and install binaries.
2. gen password by your favorite tool or use included gen-pas prog
3. put password in /.fallback-reboot-passwd
4. chown root.root /.fallback-reboot-passwd
5. chmod 0400 /.fallback-reboot-passwd
6. keep a safe copy of password (I put it on my usb fob)
7. create your own rc script or use included install-rc-script
8. start up fb daemon and test it via the fallback-reboot-client or telnet 
to host fb is running on.
9. if 8 works, then you are set.

NOTE: if you decide to use telnet, make sure you block access to telnet 
from the general public.  Recommend you only allow inbound telnet from 
only a few (1 is best) IPs that are under your control.

The way it work is that if you use the client, then communication with fb 
server is RIPE-160.  If you use telnet, it's plain text password.

I have not had to use fb for a while, not since the server from hell that 
kept hitting 100+ load randomly.  So this is all from memory.

Tin Le
-- 
http://tin.le.org
Tin Le - tin at le.org
Firewall and Security Consulting