Monthly Archives: February 2019

ASRock Rack EPYCD8-2T Makes For A Great Linux/BSD EPYC Workstation – 7-Way OS AMD 7351P Benchmarks

If you are looking to assemble an AMD EPYC workstation, a great ATX motherboard up for the task is the ASRock Rack EPYCD8-2T that accommodates a single EPYC processor, eight SATA 3.0 ports (including SAS HD), dual M.2 PCIe slots, dual 10 Gigabit Ethernet ports,and four PCI Express 3.0 x16 slots all within ATX’s 12 x 9.6-inch footprint. This motherboard has been running well not only with various Linux distributions but also DragonFlyBSD and FreeBSD.

I picked up the ASRock EPYCD8-2T several weeks back and it’s been working out very well as an EPYC 1P board and especially if you are looking more for a desktop/workstation-oriented EPYC build but can work just fine as a server board as well, this board has the common ASpeed AST2500 BMC controller. With the single SP3 socket are eight DDR4 memory slots to keep EPYC happy with its eight DDR4-2666 memory channels compared to four on Threadripper. For plenty of connectivity this motherboard has four PCI Express 3.0 x16 slots as well as three PCI Express 3.0 x8 slots. The PCIe slots and ATX size of the motherboard make this board practical should you be wanting a multi-GPU workstation for some scientific workloads that can also commonly leverage the eight memory channels of EPYC. For storage there are plenty of SATA 3.0 ports as well as two SAS HD headers and also two OCuLink ports for U.2 SSDs.

On the networking side there are dual 10 Gigabit RJ45 connections via Intel X550 controllers and the third RJ45 for the IPMI LAN port. It’s great having dual 10 Gigabit LAN on this board and its other feature set considering this ATX EPYC motherboard retails for just above $500 USD — not out of line with other single-socket EPYC motherboards retailing these days from just under $400 USD to $700 at major Internet retailers.

Rear I/O panel ports include serial, VGA for the ASpeed AST2500 controller, two USB 3.0 ports, and the three RJ45 jacks (dual 10 Gigabit, IPMI LAN). It could have been nice seeing more than two USB3 ports on the rear if you do intend for this board to be more of a workstation-style setup, but is certainly suffice for servers and there’s always USB hubs or utilizing one of the many PCIe slots for an extra adapter.

ASRock Rack officially supports this motherboard for Windows Server 2012/2016 as well as RHEL 6.9 / RHEL/CentOS 7, SUSE Linux Enterprise Server 11, and Ubuntu 16.04. Besides those enterprise Linux targets, the EPYCD8-2T works as well with other Linux distributions especially the many up-to-date Fedora, Ubuntu, Arch, and other releases. These days any Linux distribution released in the past year or two is working fine with AMD EPYC processors. I personally tested this ASRock EPYCD8-2T with Fedora Workstation 29, CentOS 7, Debian 9.8, Clear Linux 27910, and openSUSE Leap 15.0. The experience was pleasant and without any issues to report on the Linux side.

While Linux distributions work well with all the AMD EPYC tests we run at Phoronix, some of the servers/motherboards we have tested have run into various issues with the BSD operating systems. Fortunately, the EPYCD8-2T is also in good shape there: both DragonFlyBSD 5.4.1 and FreeBSD 12.0 booted up, installed, and subsequently run without any problems on this motherboard. It’s great to see all of the major operating systems running nicely on this EPYC ATX board!

Management Plane-as-a-Service: Moving Functions to the Cloud | IT Infrastructure Advice, Discussion, Community

Looking back on the last 12 to 18 months of product announcements from incumbent vendors highlights a trend for management services. Offering existing management services with a hosted option or new cloud-based management options are coming to market that can manage existing products.

The management plane is moving from its traditional location of an on-prem data center to cloud hosted environments. Before going further, I want you to ask yourself, what differentiates data centers from remote POPS?

AWS Outpost and Azure stack are arguably two of the best examples of products that move infrastructure management to the cloud. Details of AWS Outposts are not available in full, but there is enough information to make a reasonable comparison in this area.

The abovementioned products offer a predefined or tightly controlled hardware stack that the customer deploys at a specified location. Scaling for positive and negative growth is controlled by the vendor. The cloud management portal is used to manage and configure the deployed solution, making the solution an extension of the public cloud services you’re already consuming.

Managing a hardware solution as another zone within an existing cloud environment has several advantages, the primary use case is creating a unified management plane for infrastructure and workloads regardless of location. Developers can use the same code to deploy a workload regardless of the location.

Software-define infrastructure management

In the age of software-defined everything, infrastructure is not limited to bare metal solutions such as those mentioned above, and it can be a software platform. Software-defined infrastructure requires management just like its physical counterpart.

Often an opensource software-defined infrastructure solution can be managed by multiple different products, providing a range of options. Some of these management options are only available as a cloud service. Others provide options for the method of consumption. Kubernetes is a prime example of a project with many management solutions available. Kubernetes has an architecture that is well suited from management by a remote or cloud hosted solution.

There are two key areas that are helping push the management plane from the on-prem data center to cloud solutions; Trust and cheap redundant connections. Cloud service providers are maturing and proving themselves when it comes to security and reliability. Platform reliability and security are visible to the public and have been continually proven over time, providing tangible evidence. Businesses are seeing this evidence and trust is growing in the capabilities of cloud providers.

Vendors are using infrastructure from cloud providers to host their services for customers to consume. For this to occur, the vendors also must be trusting the capabilities of cloud providers more.

The role of SD-WAN

When planning remote data centers or POPs a consistent concern is how to operate the services if the connection to the primary data center fails. Some services require constant connectivity to a primary management service to function, and a service interruption can cause significant outages.

Reducing the risk of a link interruption between remote and primary sites is often an expensive task. Ideally, the solution involves redundant links from different providers where each link is either on a different media or different path. In the real world, this can be a challenge. What if there is only one provider or one path available?

SD-WAN solutions help address price and complexity issues for providing a site with redundant links. One of the core use cases for an SD-WAN solution is to create a secure tunnel between sites using multiple cheap internet links, translating to increased bandwidth with higher link redundancy and a lower price than a private circuit.

Another common feature provided by SD-WAN vendors is selecting the best path to hosted services, resulting in traffic between the management service and the infrastructure taking the most efficient path.

As time goes on, we are only going to see more management services offered as or with a hosted option. Businesses see the inherent complexity of managing management services, as their trust in cloud services increases so will their appetite to offload that complexity back onto the vendor.

Source link

B0r0nt0K Ransomware Threatens Linux Servers | Software

By Jack M. Germain

Feb 27, 2019 12:21 PM PT

A new cryptovirus called “B0r0nt0K” has been putting Linux and possibly Windows Web servers at risk of encrypting all of the infected domain’s files.

The new ransomware threat and the ransom of 20 bitcoins (about US$75,000) first
came to light last week, based on a post on Bleeping Computer’s user forum.

A client’s website had all its files encrypted and renamed with the .rontok extension appended to them, the forum user indicated. The website was running on Ubuntu 16.04.

The B0r0nt0K ransom note is not displayed in a text format or in the message itself, based on the report. Instead, the screen display on the infected system links to the ransomware developer’s
website, which delivers details of the encryption and the payment demand. The display includes a personal ID required for logging onto the site.

“The initial compromise vector in this incident is not yet known nor has a sample of the malware been obtained by researchers,” said Kent Blackwell, threat and vulnerability assessment manager at
Schellman & Company.

“Without a sample of the malware or other indicator of compromise, it is likely that most antivirus products — particularly those that rely on static signatures — will fail to prevent this infection,” he told LinuxInsider.

Payment Risky Business

After completing the logon to the ransomware developer’s website, a payment page appears that includes the bitcoin ransom amount, the bitcoin payment address, and the email to contact the developers.

The inclusion of contact information on one of the displayed message screens suggests that the developers are willing to negotiate the price, according to The word “Negotiate?” precedes the email address to reach the ransomware developers.

The ransom note is generated on the screen of a Web browser window. The virus developers encourage infection victims to pay the ransom in three days via the form on their provided website to avoid the permanent deletion of their files.

However, the alleged decryption key might never be delivered to victims who pay the huge ransom amount, warns on its website. The company recommends not paying the ransom since it gives no guarantee.

Hidden Damage

A cryptovirus like B0r0nt0k can disable security tools or other functions to keep running without interruption, warns The B0r0nt0k ransomware can alter more crucial parts of the computer if left untreated.

The asking price for this ransom is quite high and suggests a potential ulterior motive, according to Mounir Hahad, head of the Juniper Threat Labs at
Juniper Networks.

“Maybe the perpetrator is just testing his approach on a less prominent website before moving on to wealthier targets,” he told LinuxInsider.

It is not yet known how the ransomware was executed on the victim’s Web server, said Blackwell.

“Ransomware needs a way in,” said Josh Tomkiel, threat and vulnerability assessment manager at Schellman & Company.

“While it may not be currently clear how the B0r0nt0K ransomware was able to establish a foothold on the affected Linux servers in question, typically it comes back to server misconfigurations or from running out-of-date versions of software with known remote code execution vulnerabilities,” he told LinuxInsider.

Keep Your Guard Up

A persistent threat lurks with cryptoware, even if you succeed in decrypting your files, Tomkiel warned. Never assume that you are “out of the woods yet.”

A ransomware author easily can add a backdoor into that server for remote access at a later time, so restoring from a backup is really the only solution, he noted.

“Do not assume paying the ransom will allow you to decrypt your data. There is no guarantee that the ransomware author is going to uphold their end of the bargain,” said Tomkiel.

All that appears certain about the B0r0nt0k ransomware is that it is not a novel attack.

So far, the B0r0nt0K ransomware stands out only for to the ransom amount it seeks, Blackwell said.

“There is nothing particularly novel about this specific attack, although it looks not to have been triggered by clicking on an email,” Nathan Wenzler, senior director of cybersecurity at
Moss Adams, told LinuxInsider.

No Backups? Big Trouble

Ransomware attacks like B0r0nt0K prey on organizations that lack preparation. You may be in trouble if you don’t have a recent backup and have fallen victim to B0r0nt0k ransomware, warned Marc Laliberte, senior threat analyst at
WatchGuard Technologies.

“We don’t have a copy of the payload to analyze at this time because B0r0nt0K is so new, but we do know the ransomware uses strong encryption — likely an AES variant, which is the standard for ransomware these days,” he told LinuxInsider.

This means you should not bank on being able to decrypt your files without paying, Laliberte noted — but paying the ransom does not always guarantee you will get your files back.

“The only thing guaranteed by paying is that these threat actors now have more funding and incentive to launch further attacks. This is why having a backup and restoration process is critical for every organization,” he said.

Restoring backups after a ransomware attack is still a time-consuming process, though, which means you also should take steps to prevent the infection in the first place. Applying the latest security patches to your applications and servers is potentially the single most important step you can take to shore up your defenses, but it is not enough, Laliberte cautioned.

“Combating ransomware requires a multilayer defensive approach, including intrusion prevention services to block application exploits, and advanced malware-detection tools that use machine learning and behavioral detection to identify evasive payloads,” he said.

Employee training is critical too, as most traditional ransomware attacks start with a phishing email. Phishing awareness, paired with technical defensive tools, can go a long way toward keeping your organization safe from ransomware like B0r0nt0K, according to Laliberte.

What Else to Do

The most active way to prevent B0r0nt0K from entering your Linux server is to close the SSH (secure shell) and the FTP (file transfer protocol) ports, said Victor Congionti, CEO of
Proven Data.

“These are two of the main approaches … these hackers seem to be targeting to run the encryption scripts. The ransomware seems to use a base64 algorithm which converts characters to bits, which creates an extremely difficult decryption process to regain control,” he told LinuxInsider.

It is also possible that these attacks are being sent in through basic CMS (content management system) vulnerabilities. If users on Linux are utilizing a CMS to manage the content on their website, it is possible that this serves as a vulnerability in the security framework of the system, Congionti noted.

It is becoming more common for cybercriminals to find exposures in these seemingly secure applications, which allows them to make drastic changes to the security and permission settings of the network, he pointed out.

Most websites are deployed using a source version control system that can redeploy a clean version of the website in no time, noted Juniper’s Hahad.

“The only potentially permanent damage is to any content management system database if such a thing is used and is not backed up,” he said.

Don’t Pay – Do This Instead

Victims definitely should not pay the ransom. Instead, Hahad suggests the following:

  • Restore the site from source control or backups;
  • Change all admin passwords;
  • Audit the software stack for known vulnerabilities that could have allowed the attacker in, and patch as appropriate;
  • Audit the site’s configuration for any weak spots;
  • Disable services that are not critical, and close those open ports;
  • Ensure backups are operational; and
  • Conduct a penetration test of the Internet-facing network footprint.

One final suggestion is to assume a breach, said Darin Pendergraft, vice president at
Stealthbits Technologies.

“The best way to be prepared is to assume you will be breached, and then take steps to secure your servers and workstations accordingly,” he told LinuxInsider. “Assume an attacker is in your network and has control of a workstation. Then decide what data or IT resources they will want to steal or encrypt. Then take the extra steps to secure those resources.”

Top priority is to find your sensitive data, Pendergraft said. These include patient data, customer information and financial records. Make sure they are secured and accessible only by approved employees. Monitor those resources for unusual file behavior like bulk copy, delete or file encryption. Ensure you have an emergency plan in place to react within minutes.

“These steps won’t prevent an attack,” he acknowledged, “but they could mean the difference between a security incident and a full-blown breach.”

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.
Email Jack.

Source link

Looking At Why Linux 5.0 Is Running Slower For Apache & PostgreSQL On Some Systems


Last week I reported on some slowdowns when running on the Linux 5.0 development kernel for both Intel and AMD systems. As a few days passed and the regression didn’t seem to be figured out and addressed by upstream, and several inquiries from Phoronix readers, I spent some time looking at some of the slowdowns encountered when running on this bleeding-edge code.

The slowdowns when encountered so far on a few different systems were some of the most sizable regressions since the Linux 4.14 to 4.15 transition when Spectre and Meltdown mitigations began rolling out. But with the 5.0 regressions, they haven’t been across the board and range from a few percent to about 10% or so.

With not being massive slowdowns to quickly and trivially rule out any fluctuation/noise and also not occurring for a large number of tests, it wasn’t quick to have it bisected, but with Linux 5.0 set to be released this weekend I decided to devote some time to having it bisected with the Phoronix Test Suite testing framework.

For my purposes, I was looking at the slowdowns occurring with the Apache web server (HTTPD) with testing via Siege and the PostgreSQL database server with pgbench. The Sockperf socket performance benchmark also seems to fall in the same boat, but haven’t had the time yet to look into all of the 5.0 cases of slower performance to see if there are multiple regressions at play or not… Well, at least for the network/socket-related workloads.

First, thanks to AMD for having sent out the Dell PowerEdge R7425 server a few months back. This server with dual EPYC 7601 processors for a combined 64 cores / 128 threads currently remains the most powerful server I have available locally and with 512GB of RAM and twenty SATA 3.0 SSDs in RAID can make light work out of building the Linux kernel and related tasks. The Dell PowerEdge R7425 worked out great and sharply speeds up the process of bisecting this Linux kernel regression.

From the bisecting, the preliminary cause appears to be net: allow binding socket in a VRF when there’s an unbound socket. Still running some follow-up tests and reverting to confirm, but appears to be the source at least of the Apache / PostgreSQL slowdowns spotted.

That work is part of this series that originally explained, “There is no easy way currently for applications that want to receive packets in the default VRF to be isolated from packets arriving in VRFs, which makes using VRF-unaware applications in a VRF-aware system a potential security risk. So change the inet socket lookup to avoid packets arriving on a device enslaved to an l3mdev from matching unbound sockets by removing the wildcard for non sk_bound_dev_if and instead relying on check against the secondary device index, which will be 0 when the input device is not enslaved to an l3mdev and so match against an unbound socket and not match when the input device is enslaved. Change the socket binding to take the l3mdev into account to allow an unbound socket to not conflict sockets bound to an l3mdev given the datapath isolation now guaranteed.” Though a developer there argued that it’s not an actual security risk.

I am not into the networking area that closely, so I’ll just leave these initial findings here and update when I’ve wrapped up some additional tests with any other findings.

Stadium Environments: From Tech-Free to IT Infused | IT Infrastructure Advice, Discussion, Community

Once made chiefly of concrete with steel benches, the original National Football League stadiums were nearly tech-free. Amenities included restrooms and some concession stands. You called and told your fan friends about the game and your experience after you got home hours later.

Fast forward to today’s tech-infused football venues. Stadium wireless lets attendees share photos and videos on social media during the game. Fiber backbones connect everything from wireless access points, ultra-high definition screens throughout, video camera networks and point-of-sale (POS) apps.

Many NFL teams have created team- and venue-specific apps to help fans do everything from find their seats to locating the bathroom with the shortest lines and buying merchandise from the pro shop. The smartphone apps provide gameday information, news updates, and video clips to better engage fans.

To team owners, data is the lifeblood that pumps through the body of the venue during football games, concerts, and other sporting events. It fuels focused marketing efforts and helps define the future infrastructure needs of the facility. And through data analytics, teams better understand how to connect with and monetize the fan.

Case in point: Mercedes-Benz Stadium in Atlanta

The last several NFL Super Bowls have been held in the newest stadiums, which have served double duty as showcases of advanced technology. Mercedes-Benz Stadium hosted the NFL’s crown jewel event, the Super Bowl, in January. Let’s take a close look at this working tech showcase.

The heart: At the heart of Mercedes-Benz Stadium’s IT infrastructure is a data center, which processes all data on game day, and backs that up to the vendor’s cloud that same day.

The backbone network: Originally used by telecom carriers to deliver triple-play service bundles to the home, a Gigabit Passive Optical Network (GPON) is used to connect a wide array of high-speed devices and systems to the data center. The Mercedes-Benz GPON uses 4,000 miles of fiber-optic cable.

The GPON architecture is tried and true in different use cases (e.g., carriers, hospitals, and campuses). Modern NFL stadiums already feature miles of fiber-optic cable installed to support high-speed data transfer.

The GPON platform also supports:

  • 15,000 Ethernet ports
  • Wi-Fi equipment
  • 700 POS devices
  • A security system
  • Key-card accessed doors

Wireless access: The creators of the Mercedes Benz Stadium tech blueprint chose to bring wireless connectivity in-house so to speak by designing space whereby telecom carriers could house their Distributed Antenna System (DAS) equipment in the facility–instead of farther away–to simplify connectivity.

Wireless service providers typically offer service through their own DAS. A DAS is a network of spatially separated antenna nodes connected to a common source that provides wireless service within a geographic area or structure.

A DAS is comprised of small cells, which are defined as low-powered cellular radio access nodes that operate in licensed and unlicensed bands. The coverage range varies from 10 meters to a few kilometers.

The stadium features over 2,000 fast wireless access points that enable fans to share videos and pictures using social media, communicate with those at home and tap resources using the mobile stadium app from their smartphones.

Video capture and transmission: To wow fans in the stands, at home, and after the game, over one-third of NFL venues have installed video technology that allows fans to view a play from multiple angles (and through the eyes of players). This immersive experience provided by these 3D replays redefines the game viewing experience.

The replays can be viewed via, the NFL app, the NFL channel on YouTube and other endpoints across the NFL and participating teams, said Intel.

Sights and sounds: What are fans to do when they need to hit a stadium concourse for concessions, or to visit the restrooms?  Mercedes-Benz Stadium in Atlanta features over 2,000 high-definition TV in its concourses, along with 3,200 speakers for throughout the venue.

The Bottom Line

A plan to spread the cost of installations and upgrades that elevate enjoyment and spending across a more crowded event calendar−along with sponsorships−looks to be just the ticket for those without recently christened stadiums.


Source link