xorl %eax, %eax

CVE-2013-1798: Linux kernel KVM IOAPIC_REG_SELECT Invalid Memory Access

xorl — Thu, 23 May 2013 19:44:32 +0000

This was very nice vulnerability reported by Andrew Honig of Google. The bug is triggered when a user specifies an invalid IOAPIC_REG_SELECT value which is reachable via read KVM I/O device operation as you can see below.

static int ioapic_mmio_read(struct kvm_io_device *this, gpa_t addr, int len,
			    void *val)
{
	struct kvm_ioapic *ioapic = to_ioapic(this);
	u32 result;
   ...
	switch (addr) {
	case IOAPIC_REG_SELECT:
		result = ioapic->ioregsel;
		break;

	case IOAPIC_REG_WINDOW:
		result = ioapic_read_indirect(ioapic, addr, len);
		break;
   ...
	return 0;
}
   ...
static const struct kvm_io_device_ops ioapic_mmio_ops = {
	.read     = ioapic_mmio_read,
	.write    = ioapic_mmio_write,
};

Additionally, if a user makes a read by invoking IOAPIC_REG_WINDOW it will result in calling ioapic_read_indirect(). Here is what this function does.

static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic,
					  unsigned long addr,
					  unsigned long length)
{
	unsigned long result = 0;

	switch (ioapic->ioregsel) {
  ...
	default:
		{
			u32 redir_index = (ioapic->ioregsel - 0x10) >> 1;
			u64 redir_content;

			ASSERT(redir_index < IOAPIC_NUM_PINS);

			redir_content = ioapic->redirtbl[redir_index].bits;
			result = (ioapic->ioregsel & 0x1) ?
			    (redir_content >> 32) & 0xffffffff :
			    redir_content & 0xffffffff;
			break;
		}
	}

	return result;
}

It calculates and initializes the value of ‘redir_index’ from the user controlled ‘ioapic->ioregsel’ variable and then uses it as an index to ‘ioapic->redirtbl[]‘ array. If this value is larger than IOAPIC_NUM_PINS it will result in invalid memory access. Here is how IOAPIC_NUM_PINS is defined in virt/kvm/ioapic.h header file.

#define IOAPIC_NUM_PINS  KVM_IOAPIC_NUM_PINS

And this is because it is architecture specific. For IA64 is defined in include/uapi/asm/kvm.h as 48 and for x86 in arch/x86/include/uapi/asm/kvm.h as 24. As you might have noticed there is an ASSERT() call to make this check but of course, this will only take effect in the debug builds.
The fix was to replace that ASSERT() call with a range check like this.

 			u32 redir_index = (ioapic->ioregsel - 0x10) >> 1;
 			u64 redir_content;
-			ASSERT(redir_index < IOAPIC_NUM_PINS);
+			if (redir_index < IOAPIC_NUM_PINS)
+				redir_content =
+					ioapic->redirtbl[redir_index].bits;
+			else
+				redir_content = ~0ULL;
-			redir_content = ioapic->redirtbl[redir_index].bits;
 			result = (ioapic->ioregsel & 0x1) ?
 			    (redir_content >> 32) & 0xffffffff :

CVE-2013-2074: KDE kdelibs Password Exposure

xorl — Wed, 22 May 2013 20:47:43 +0000

This was a low impact vulnerability reported by m.wege. The issue occurs on “internal server error” and triggers the below code located at kioslave/http/http.cpp.

/**
 * This function will read in the return header from the server.  It will
 * not read in the body of the return message.  It will also not transmit
 * the header to our client as the client doesn't need to know the gory
 * details of HTTP headers.
 */
bool HTTPProtocol::readResponseHeader()
{
   ...
    if (m_request.responseCode >= 500 && m_request.responseCode <= 599) {
        // Server side errors

        if (m_request.method == HTTP_HEAD) {
   ...
            if (!sendErrorPageNotification()) {
                error(ERR_INTERNAL_SERVER, m_request.url.url());
                return false;
   ...
    } else if (!isAuthenticationRequired(m_request.responseCode) && m_request.responseCode >= 400 && m_request.responseCode <= 499) {
        // Any other client errors
        // Tell that we will only get an error page here.
        if (!sendErrorPageNotification()) {
            if (m_request.responseCode == 403)
                error(ERR_ACCESS_DENIED, m_request.url.url());
            else
                error(ERR_DOES_NOT_EXIST, m_request.url.url());
            return false;
        }
   ...
}

Clearly, error() could be called passing the error number along with a string which in all of the above cases is the result of m_request.url.url().

void HTTPProtocol::error( int _err, const QString &_text )
{
  // Close the connection only on connection errors. Otherwise, honor the
  // keep alive flag.
  if (_err == ERR_CONNECTION_BROKEN || _err == ERR_COULD_NOT_CONNECT)
      httpClose(false);
  else
      httpClose(m_request.isKeepAlive);

  if (!m_request.id.isEmpty())
  {
    forwardHttpResponseHeader();
    sendMetaData();
  }

  // It's over, we don't need it anymore
  clearPostDataBuffer();

  SlaveBase::error( _err, _text );
  m_iError = _err;
}

The url() routine is part of kdecore/io/kurl.cpp file and it is being to used to dump the URL.

QString KUrl::url( AdjustPathOption trailing ) const
{
  if (QString::compare(scheme(), QLatin1String("mailto"), Qt::CaseInsensitive) == 0) {
      // mailto urls should be prettified, see the url183433 testcase.
      return prettyUrl(trailing);
  }
  if ( trailing == AddTrailingSlash && !path().endsWith( QLatin1Char('/') ) ) {
      // -1 and 0 are provided by QUrl, but not +1, so that one is a bit tricky.
      // To avoid reimplementing toEncoded() all over again, I just use another QUrl
      // Let's hope this is fast, or not called often...
      QUrl newUrl( *this );
      newUrl.setPath( path() + QLatin1Char('/') );
      return QString::fromLatin1(newUrl.toEncoded());
  }
  else if ( trailing == RemoveTrailingSlash) {
      const QString cleanedPath = trailingSlash(trailing, path());
      if (cleanedPath == QLatin1String("/")) {
          if (path() != QLatin1String("/")) {
              QUrl fixedUrl = *this;
              fixedUrl.setPath(cleanedPath);
              return QLatin1String(fixedUrl.toEncoded(None));
          }
          return QLatin1String(toEncoded(None));
      }
  }
  return QString::fromLatin1(toEncoded(trailing == RemoveTrailingSlash ? StripTrailingSlash : None));
}

Of course, this means that the same also applies when the URL includes username and password information such as http://username:password@example.com. To fix this the calls to url() were replaced by prettyUrl() with the following patch.

diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp
index 2d139a9..129fc7b 100644
--- a/kioslave/http/http.cpp
+++ b/kioslave/http/http.cpp
@@ -3056,7 +3056,7 @@ try_again:
             ; // Ignore error
         } else {
             if (!sendErrorPageNotification()) {
-                error(ERR_INTERNAL_SERVER, m_request.url.url());
+                error(ERR_INTERNAL_SERVER, m_request.url.prettyUrl());
                 return false;
             }
         }
@@ -3072,9 +3072,9 @@ try_again:
         // Tell that we will only get an error page here.
         if (!sendErrorPageNotification()) {
             if (m_request.responseCode == 403)
-                error(ERR_ACCESS_DENIED, m_request.url.url());
+                error(ERR_ACCESS_DENIED, m_request.url.prettyUrl());
             else
-                error(ERR_DOES_NOT_EXIST, m_request.url.url());
+                error(ERR_DOES_NOT_EXIST, m_request.url.prettyUrl());
             return false;
         }
     } else if (m_request.responseCode >= 301 && m_request.responseCode<= 303) {

This routine among other things removes the password from the URL.

QString KUrl::prettyUrl( AdjustPathOption trailing ) const
{
  // reconstruct the URL in a "pretty" form
  // a "pretty" URL is NOT suitable for data transfer. It's only for showing data to the user.
  // however, it must be parseable back to its original state, since
  // notably Konqueror displays it in the Location address.

  // A pretty URL is the same as a normal URL, except that:
  // - the password is removed
  // - the hostname is shown in Unicode (as opposed to ACE/Punycode)
  // - the pathname and fragment parts are shown in Unicode (as opposed to %-encoding)
  QString result = scheme();
    ...
}

CVE-2013-1796: Linux kernel KVM MSR_KVM_SYSTEM_TIME Buffer Overflow

xorl — Wed, 22 May 2013 19:15:47 +0000

This is a really nice vulnerability killed by Andy Honig. It is particularly interesting because it allows host kernel memory corruption through guest GPA (Guest Physical Address) manipulation. If we have a look in arch/x86/kvm/x86.c we can see the following code.

int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
{
	bool pr = false;
	u32 msr = msr_info->index;
	u64 data = msr_info->data;

	switch (msr) {   
   ...
	case MSR_KVM_SYSTEM_TIME: {
		kvmclock_reset(vcpu);

		vcpu->arch.time = data;
		kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu);

		/* we verify if the enable bit is set... */
		if (!(data & 1))
			break;

		/* ...but clean it before doing the actual write */
		vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);

		vcpu->arch.time_page =
				gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);

		if (is_error_page(vcpu->arch.time_page))
			vcpu->arch.time_page = NULL;

		break;
	}
   ...
	return 0;
}
EXPORT_SYMBOL_GPL(kvm_set_msr_common);

So by utilizing the ‘MSR_KVM_SYSTEM_TIME’ kvmclock MSR a user can set ‘vcpu->arch.time_page’ through gfn_to_page() call that uses the user derived ‘data’ information. As Andy Honig mentioned in his commit, the arbitrary write occurs when kmap atomic attempts to obtain a pointer to the time structure page and performing a memcpy() to it starting at the user controlled offset. The fix was to add a check that verifies that the provided value does not exceed the structure’s boundaries.

 		/* ...but clean it before doing the actual write */
 		vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);
+		/* Check that the address is 32-byte aligned. */
+		if (vcpu->arch.time_offset &
+				(sizeof(struct pvclock_vcpu_time_info) - 1))
+			break;
+
 		vcpu->arch.time_page =
 				gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);

CVE-2013-1848: Linux kernel EXT3 ext3_msg() Format String

xorl — Tue, 21 May 2013 18:15:18 +0000

Recently Lars-Peter Clausen committed a change on Linux kernel that fixes a format string vulnerability in the EXT3 filesystem code. The susceptible code resides in fs/ext3/super.c but to better understand it we need to have a look on how ext3_msg() is defined first.

void ext3_msg(struct super_block *sb, const char *prefix,
                const char *fmt, ...)
{
        struct va_format vaf;
        va_list args;
 
        va_start(args, fmt);
 
        vaf.fmt = fmt;
        vaf.va = &args;
 
        printk("%sEXT3-fs (%s): %pV\n", prefix, sb->s_id, &vaf);
 
        va_end(args);
}

So, it should be called passing the following three mandatory arguments:
- Pointer to the super-block structure
- Prefix string
- Format string
And of course, any variables to be printed. As Lars-Peter Clausen noticed, there were two cases where there was no prefix defined. This makes the format string argument to be passed as prefix and any variables to be processed as the format string. Here are these two cases:

/*
 * Open the external journal device
 */
static struct block_device *ext3_blkdev_get(dev_t dev, struct super_block *sb)
{
  ...
fail:
        ext3_msg(sb, "error: failed to open journal device %s: %ld",
                __bdevname(dev, b), PTR_ERR(bdev));

        return NULL;
}

And…

static ext3_fsblk_t get_sb_block(void **data, struct super_block *sb)
{
        ext3_fsblk_t    sb_block;
  ...
        if (*options && *options != ',') {
                ext3_msg(sb, "error: invalid sb specification: %s",
                       (char *) *data);
  ...
        return sb_block;
}

The fix was to add the missing prefix argument to the function call like this.

@@ -353,7 +353,7 @@ static struct block_device *ext3_blkdev_get(dev_t dev, struct super_block *sb)
 	return bdev;
 fail:
-	ext3_msg(sb, "error: failed to open journal device %s: %ld",
+	ext3_msg(sb, KERN_ERR, "error: failed to open journal device %s: %ld",
 		__bdevname(dev, b), PTR_ERR(bdev));
 	return NULL;
@@ -887,7 +887,7 @@ static ext3_fsblk_t get_sb_block(void **data, struct super_block *sb)
 	/*todo: use simple_strtoll with >32bit ext3 */
 	sb_block = simple_strtoul(options, &options, 0);
 	if (*options && *options != ',') {
-		ext3_msg(sb, "error: invalid sb specification: %s",
+		ext3_msg(sb, KERN_ERR, "error: invalid sb specification: %s",
 		       (char *) *data);
 		return 1;
 	}

C Quiz No. 2

xorl — Sat, 18 May 2013 13:44:01 +0000

Continuing from the first one back in 2009, here is another that a friend of mine send me yesterday.

The concept is that you are free to put whatever you want in do_your_stuff() in order to make it print “win” from function do_my_stuff().

#include 
#include 
#include 
#include 

void 
do_your_stuff(void)
{
	// do whatever you want
}

void 
do_my_stuff(void)
{
	char c[100];
	unsigned int i, r_index;

	srand(time(NULL));
	for(i = 0; i<1000; i++)
		r_index = rand() % (sizeof(c) - 1);

	printf("c[%u] = %02x\n", r_index, c[r_index]);

	if (c[r_index] == 0x20)
		printf("win!\n");
	else
		printf("fail\n");
	
	return;
}

int 
main(void)
{
	do_your_stuff();
	do_my_stuff();
	return 0;
}

Instantly I came up with a quite simple solution that exploits the concept of uninitialized stack that it’s being used.

void 
do_your_stuff(void)
{
	char buf[2048]; int i;
	for(i=0; i

Which it works…


$ ./cquiz2
c[98] = 00
fail
$ ./cquiz2
c[81] = 7f
fail
$ gcc -Wall -Werror --std=c99 cquiz2.c -o cquiz_sol
$ ./cquiz_sol
c[43] = 20
win!
$ ./cquiz_sol
c[54] = 20
win!
$


I found it fun so if you have any other solutions feel free to comment on this post.

CVE-2013-1774: Linux kernel Edgeport USB Serial Converter NULL Pointer Dereference

xorl — Sat, 18 May 2013 13:14:40 +0000

This is a vulnerability fixed by Wolfgang Frisch and the buggy code resides in drivers/usb/serial/io_ti.c as you can see below.

static void chase_port(struct edgeport_port *port, unsigned long timeout,
								int flush)
{
	int baud_rate;
	struct tty_struct *tty = tty_port_tty_get(&port->port->port);
	struct usb_serial *serial = port->port->serial;
	wait_queue_t wait;
	unsigned long flags;
   ...
	remove_wait_queue(&tty->write_wait, &wait);
   ...
	tty_kref_put(tty);
   ...
}

If the equivalent /dev/ttyUSB device file is in use while the device is disconnected then any call to chase_port() (used to chase the port, close and flush it) will lead to NULL pointer dereference since there is no longer a ‘tty’ associated with it. The fix was to add a simple check for this case.

	unsigned long flags;
+	if (!tty)
+		return;
+
	if (!timeout)

CVE-2013-1819: Linux kernel XFS _xfs_buf_find() NULL Pointer Dereference

xorl — Sat, 18 May 2013 13:12:07 +0000

On 21 January 2013 Dave Chinner of Red Hat committed a change that fixes a NULL pointer dereference vulnerability in XFS filesystem. The below routine is located in fs/xfs/xfs_buf.c file.

/*
 *	Finding and Reading Buffers
 */

/*
 *	Look up, and creates if absent, a lockable buffer for
 *	a given range of an inode.  The buffer is returned
 *	locked.	No I/O is implied by this call.
 */
xfs_buf_t *
_xfs_buf_find(
	struct xfs_buftarg	*btp,
	struct xfs_buf_map	*map,
	int			nmaps,
	xfs_buf_flags_t		flags,
	xfs_buf_t		*new_bp)
{
	size_t			numbytes;
	struct xfs_perag	*pag;
   ...
	/* get tree root */
	pag = xfs_perag_get(btp->bt_mount,
				xfs_daddr_to_agno(btp->bt_mount, blkno));

	/* walk tree */
   ...
	return bp;
}

First of all, the xfs_addr_to_agno() C macro is the following as defined in fs/xfs/xfs_mount.h header file.

#define xfs_daddr_to_agno(mp,d) \
        ((xfs_agnumber_t)(XFS_BB_TO_FSBT(mp, d) / (mp)->m_sb.sb_agblocks))

As Dave Chinner pointed out, if we try to walk a filesystem and the extent map has corrupted block number (out of range address) the call to xfs_perag_get() above will trigger a NULL pointer dereference.

/*
 * Reference counting access wrappers to the perag structures.
 * Because we never free per-ag structures, the only thing we
 * have to protect against changes is the tree structure itself.
 */
struct xfs_perag *
xfs_perag_get(struct xfs_mount *mp, xfs_agnumber_t agno)
{
        struct xfs_perag        *pag;
        int                     ref = 0;
 
        rcu_read_lock();
        pag = radix_tree_lookup(&mp->m_perag_tree, agno);
        if (pag) {
               ASSERT(atomic_read(&pag->pag_ref) >= 0);
               ref = atomic_inc_return(&pag->pag_ref);
        }
        rcu_read_unlock();
        trace_xfs_perag_get(mp, agno, ref, _RET_IP_);
        return pag;
}

The radix_tree_lookup() call will use the invalid block number ‘agblocks’ (size of an allocation group) as an index key to the ‘mp->m_perag_tree’ radix tree.

The fix to this bug was to add a new variable to the susceptible routine:

 	xfs_buf_t		*bp;
 	xfs_daddr_t		blkno = map[0].bm_bn;
+	xfs_daddr_t		eofs;
 	int			numblks = 0;

And write a check for the block number not being larger than the end of the filesystem.

 	ASSERT(!(BBTOB(blkno) & (xfs_off_t)btp->bt_smask));
 
+	/*
+	 * Corrupted block numbers can get through to here, unfortunately, so we
+	 * have to check that the buffer falls within the filesystem bounds.
+	 */
+	eofs = XFS_FSB_TO_BB(btp->bt_mount, btp->bt_mount->m_sb.sb_dblocks);
+	if (blkno >= eofs) {
+		/*
+		 * XXX (dgc): we should really be returning EFSCORRUPTED here,
+		 * but none of the higher level infrastructure supports
+		 * returning a specific error on buffer lookup failures.
+		 */
+		xfs_alert(btp->bt_mount,
+			  "%s: Block out of range: block 0x%llx, EOFS 0x%llx ",
+			  __func__, blkno, eofs);
+		return NULL;
+	}
+
 	/* get tree root */

Book: Absolute OpenBSD (2nd Edition)

xorl — Sat, 18 May 2013 11:19:14 +0000

This is an excellent book for OpenBSD I recently had the opportunity to read. Let’s move on to my per chapter overview of the book.

Title: Absolute OpenBSD: UNIX for the Practical Paranoid
Author: Michael W. Lucas

Chapter 1: Getting Additional Help
A brief overview of the OpenBSD project’s support model along with the available resources (documentation, assistance, etc.).

Chapter 2: Installation Preparations
A very well written chapter for everything you might need before installing OpenBSD starting from hardware specifications, and moving on how to obtain OpenBSD, understanding partitioning, disklabels, etc.

Chapter 3: Installation Walk-Through
Once again the author starts from the very first steps such as configuring BIOS and goes through all the steps of the installer, disk configuration as well as some more advanced disklabel information.

Chapter 4: Post-Install Setup
In this chapter you can find information on all the basic configuration that usually takes place exactly after the installation process. This ranges from software configuration, timezone settings, networking to more advanced concepts like keyboard mappings, graphic console, etc.

Chapter 5: The Boot Process
Here after a description of the boot loader the author provides us with information on how to work in single-user mode, how to choose different kernel for booting, using serial console and of course, multi-user booting along with everything that comes with it.

Chapter 6: User Management
As the chapter’s title implies, this is a complete guide for user management on OpenBSD. Apart from all the common administration tasks (adding, editing, removing users) there is also a detailed section for login classes.

Chapter 7: Root, and How to Avoid It
This chapter could easily be renamed to “The complete guide to SUDO” since it includes all the required information to configure privileged accounts using SUDO.

Chapter 8: Disks and Filesystems
One of the most useful chapters to anyone moving from Linux to OpenBSD. It’s another detailed part of the book referencing everything that someone needs to know to have a very good understanding of disks and filesystems in the OpenBSD world. This includes partitioning, labeling, FFS (Fast Filesystem), etc. as well as information for managing disks and filesystems on OpenBSD.

Chapter 9: More Filesystems
The previous chapter was mostly focusing on the lower level of disks and filesystems while this one moves to a more in-depth approach on the filesystems. Herein you can find a lot of useful information for MFS (Memory Filesystem), foreign filesystems, NFS, etc.

Chapter 10: Securing Your System
This is a 10 pages chapter but with enough information to keep you researching for some time. It’s an introduction to all the security mechanisms offered by OpenBSD and suggestions on how to keep your system secure after its initial configuration.

Chapter 11: Overview of TCP/IP
Another introduction chapter this time for networking. It’s a very nice and well written part discussing all the basics of TCP/IP from theory to practice always having in mind the OpenBSD’s implementation of it.

Chapter 12: Connecting to the Network
All the essential steps to get your OpenBSD network connected having working Ethernet and DNS name resolution. Furthermore in this chapter there are sections for slightly more advanced topics like trunking, VLANs and over IPv6 tunneling.

Chapter 13: Software Management
Apart from the expected, detailed information on packages and port systems, here the reader can find information on customizing ports and sub-packages.

Chapter 14: Everything /etc
Literally this is the best title to describe what you can find in this chapter. It’s a brief overview of every single configuration file under /etc directory.

Chapter 15: System Maintenance
Here are some common administrative tasks separated by daily, weekly, monthly and custom maintenance tasks. Additionally, you can find information on system logging configuration and management, NTP, device drivers and hardware sensors configuration.

Chapter 16: Network Servers
A description of configuring and managing the most common network servers in OpenBSD. This includes LPD, DHCP, TFTP, SSH and SNMP.

Chapter 17: Desktop OpenBSD
Basically, this is everything you need to know to make your OpenBSD a working desktop environment. From the basic information on setting up X to working with CWM window manager and TMUX.

Chapter 18: Kernel Configuration
The first part of this chapter’s aim is to provide an introduction to understanding OpenBSD’s kernel from a system administrator’s point of view. The next sections deal with more advanced subjects such as kernel tuning via sysctl and custom kernel configuration with config or boot-time kernel configuration.

Chapter 19: Building Custom Kernels
Chapter starts by identifying the cautions of using custom kernels and after that it moves to the complete guide from configuring your own kernel, testing, building, installing and using it.

Chapter 20: Upgrading
Another in-depth chapter this time for the upgrading process in OpenBSD. The first sections provide information on OpenBSD versioning and upgrade process while the following ones discuss in detail all the required steps to upgrade your system with all the available methods.

Chapter 21: Packet Filtering
One of the main advantages of OpenBSD is the Packet Filtering (PF) system. This is an excellent introduction to it that includes all the basic information along with many different rules for various network protocols, configuration options and examples for sanitizing network traffic.

Chapter 22: Advanced PF
Continuing from the previous one, this is a more advanced view of PF. The reader can find more information on setting up packet filtering with subjects like tables, NAT, anchors, bandwidth management, logging, etc.

Chapter 23: Customizing OpenBSD
This last chapter is mostly comprised by ideas and small how-to sections for performing not-so-common tasks with OpenBSD. For example, here you can find information on virtualization, diskless setup, custom upgrades, etc.

This is definitely the absolute OpenBSD book since anyone, even with no experience with this operating system, can easily learn everything he/she needs to work with it. The chapters have a gradual level increase from completely basic to advanced so more advanced users can skip some of the initial ones and move on to the subject they want. Overall it’s an excellent, well written book providing great amount of information. However, the there is not a lot of knowledge for the most advanced users so in my opinion it is mostly focused on people that are starting or have recently started working with OpenBSD.

Admin Mistake: F5 Load Balancer SNAT IP Address Apache Logging

xorl — Fri, 28 Sep 2012 07:00:40 +0000

Background
Assume that you have a common three-tier architecture on a web farm with layers being web, application and database servers. The load balancing is performed by an F5 BIG-IP LTM 1600 load balancer and the logging takes place on the web farm that uses Apache web servers.

Problem
When you attempt to review the access logs of the Apache web servers the only IP address for all the requests is that of the F5 load balancer. Assuming that the load balancer address is 10.10.10.10, the log entries would always look like that:

10.10.10.10 - - [28/Sep/2012:15:06:18 +0000] "GET / HTTP/1.0" 200 228 "-" "Wget/1.12 (linux-gnu)"
10.10.10.10 - - [28/Sep/2012:15:06:31 +0000] "GET / HTTP/1.0" 200 228 "-" "Wget/1.12 (linux-gnu)"

Mistake
By default this F5 load balancer will perform SNAT (Source Network Address Translation) and this is why the requestor IP address is always the load balancer’s one.

Resolution
The solution is to utilize HTTP header field XFF. On the load balancer side you will first have to follow the below steps in the BIG-IP configuration utility:
- Go to “Local Traffic”
- Select “Profiles”
- On the “Services” menu choose “HTTP”
- Create a new profile by clicking on “Create”
- Activate “Insert X-Forwarded For” check box and select “Enabled” from the menu
- Finally click on “Update”
At last, you can use this new HTTP profile to the virtual servers you want to have the XFF HTTP header field.
Moving to the web server side you will have to create a new custom log format on the virtual hosts you want to have proper source IP address logging. So, here is an example custom log format that will include the XFF field.

LogFormat "%v %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" CUST_F5_XFF_LOG
CustomLog /somewhere/access_log CUST_F5_XFF_LOG

And assuming that the real IP address is 2.2.2.2 while the load balancer’s is 10.10.10.10, the log entries will be:

10.10.10.10 2.2.2.2 - - [28/Sep/2012:16:48:25 +0000] "GET / HTTP/1.0" 200 228 "-" "Wget/1.12 (linux-gnu)"
10.10.10.10 2.2.2.2 - - [28/Sep/2012:16:41:28 +0000] "GET / HTTP/1.0" 200 228 "-" "Wget/1.12 (linux-gnu)"

History: Ancient Athens – Hadrian’s Arch (Greece)

xorl — Thu, 27 Sep 2012 14:51:21 +0000

This post is part of a new category named “history” where I will be publishing quick overviews of historical locations (mainly in Greece) along with photographs and brief descriptions.

This first post will be about Hadrian’s Arch which is currently located at the center of Athens but it used to separate the new with the old city in ancient Greece. Below is a map of Ancient Athens I found here which is very convenient for this post.

And here is a photograph I took a couple of months ago.

In the above photograph, through the Hadrian’s Arch you can clearly see the Acropolis of Athens which we will discuss in another blog post.

History
Hadrian’s Arch was a triumphal arch made of Pentelikon marble in honor of Emperor Hadrian for his numerous benefactions in Ancient Athens. The arch was constructed in 131-132 A.D. and it has height of 18m and width of 13m. The monument was built using corinthian order (the upper part). The inscription of the West side says:
“ΑΙΔ’ΕΙΣΙΝ ΑΘΗΝΑΙ, ΘΗΣΕΩΣ Η ΠΡΙΝ ΠΟΛΙΣ” (This is Athens, the old city of Theseus)
While the East side has the below inscription:
“ΑΙΔ’ ΕIΣΙΝ ΑΔΡΙΑΝΟΥ, ΚΟΥΧI ΘΗΣΕΩΣ ΠΟΛΙΣ” (This is the city of Hadrian, and not of Theseus)
At this point something notable is that the arch can be easily separated in the lower and upper part where the lower has the Ancient Roman Arch design while the upper one has the previously mentioned Ancient Greek architecture (Corinthian Order). This was to honor both the Roman Hadrian as well as the mythical Greek founder of Athens, Theseus.

I can write huge blog posts for such subjects but the whole idea is to provide small overviews. You can continue the research on your own. :)
Below are a few additional photos.