Home Linux Community Community Blogs

Community Blogs

Configuring ESXi VDR FLR on SuSE Linux SLES 11 x86_64

I've written the following post as it took me a while to figure out how to get SLES Linux File based restore from within a VMDK on ESXi.


By default there is support for Debian Guest and RedHat, There is also a helpful article on the VMware forums that details implementation on OpenSuSE 32bit.


This is where my first problem arose, as the VDR FLR programs require 32bit libraries in order to run. The way I approached this was to use a 32bit Guest VM as a donor for the 32bit linker programs, that dont seem to get included in the same way when installing the 32bit runtime environment on SLES 11 x86_64. All of the documentation on the OpenSuSE sites seem to point to declaring runtime variable settings for the linker and compiler by using "-m32" as an argument. Whilst this 'Works" it fails to actually build the source objects that you require.


So I created a 32-bit guest and after a bit of debugging zipped down the /usr/i586-suse-linux directory and copied it over to and unzipped it on the 64-bit guest that I wanted to have VDR FLR running on. - This will give me a 32bit version of the linker program 'ld'.


I also found that running on a kernel anything earlier than failed to create the FUSE directories and files correctly under /tmp. So I ran a kernel update by grabbing these files from Novell's SLES site:


For the following to run successfully you will need to update module-init-tools first:




rpm -Fvh mod-init*.rpm

//This will use these files to update the module-init-tools.









//Next do the kernel update online


mkdir /usr/local/src/kernelmods

move the following files into /usr/local/src/kernelmods









cd /usr/local/src/kernelmods

//Next run the update

rpm -Fvh *.rpm



Use YaST to make sure that you have installed the 32bit runtime environment. - Note that some of the steps we are doing after this is to get around a problem that I found with the 64bit linker not seeming to accept "-m32".


Once this has finished, its best for you to do a reboot, just to make sure you are running everything that you should be.


Download VMware-vix-disklib from the VMware site. I used this version:VMware-vix-disklib-1.2.0-230216.i386.tar. Copy this to /usr/local/src and unpack and install by executing ./


Next follow the VDR instructions to get hold of the FLR program:VMwareRestoreClient.tgz. Copy this file to /usr/local/src on the 64bit guest, and unpack.


Next grab a source copy of FUSE from the FUSE site - I used 2.7.3. Here are the build instructions that worked for me:


./configure '--prefix=/usr/local/mattsfuse'  '--build=i386' 'CC=gcc -m32' 'LD=/usr/i586-suse-linux/bin/ld' 'AS=gcc -c -m32' 'LDFLAGS=-L/usr/local/mattsfuse/lib' '--enable-threads=posix' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--libdir=/usr/local/mattsfuse/lib' '--libexecdir=/usr/local/mattsfuse/lib' '--enable-languages=c,c++,objc,fortran,obj-c++,java,ada' '--enable-checking=release' '--with-gxx-include-dir=/usr/include/c++/4.1.2' '--enable-ssp' '--disable-libssp' '--disable-libgcj' '--with-slibdir=/usr/local/mattsfuse/lib' '--with-system-zlib' '--enable-__cxa_atexit' '--enable-libstdcxx-allocator=new' '--program-suffix=' '--enable-version-specific-runtime-libs' '--without-system-libunwind' '--with-cpu=generic' '--host=i586-suse-linux' 'build_alias=i386' 'host_alias=i586-suse-linux' --cache-file=/dev/null --srcdir=.


As you can see in the configure script I specified an absolute path to the 32-bit linker (ld) 'LD=/usr/i586-suse-linux/bin/ld', and used --build=i386 and manually set some other 32bit flags to instruct the compiler on what to do.


Once the configure has run, issue a 'make' and 'make install' if there are no problems shown in the 'make'.


You now have a 32-bit source version of FUSE running in on 64-bit SLES!


Almost there, all we need to do now is use 'ldd' to look at the VDR programs we need to run and see what libs it thinks are missing.


cd /usr/local/src/VMwareRestoreClient




you should see something like this: =>  (0xffffe000) => /lib/ (0xb7d72000) => /lib/ (0xb7d5c000) => /lib/ (0xb7d29000) => /lib/ (0xb7d17000) => not found => not found => /lib/ (0xb7bea000)

/lib/ (0x80000000)


The items showing 'not found' are the ones we need to move around.


cp -a /usr/local/mattsfuse/lib/libfuse.* /usr/lib

find / -name -print

cp -a* /usr/lib

run 'ldconfig'



--> This should now show you the locations of the missing files that have now been found: =>  (0xffffe000) => /lib/ (0xb7e4a000) => /lib/ (0xb7e34000) => /lib/ (0xb7e01000) => /usr/lib/ (0xb7def000) => /usr/lib/ (0xb7c98000) => /usr/local/lib/ (0xb7c7f000) => /lib/ (0xb7b53000)

/lib/ (0x80000000) => /lib/ (0xb7b4a000


Next you should be able to run"VdrFileRestore -a " As per VMware's instructions on the 64-bit guest.


Follow the onscreen instructions to select which backup day that you want to mount the filesystem for. You will then need to SSH onto the 64-bit guest. If you run 'df' you will see that there is a /tmp/xxxxxx file mounted in the list. - Do not try to use this as a file path to grab files from. Instead use the suggested /root/HOSTNAME-DAY mount point.


For a test I moved /etc/hosts /etc/hosts.myold and then copied /root/HOSTNAME-DAY/etc/hosts /etc/hosts, and checked that I could read it ok.


Hope that someone might find this useful. VDR is an amazing backup tool that is free with the Enterprise licence. You can either do a complete host restore, or use FLR as described above to restore single files from inside the machine image.



(c)   Matt Palmer 29 Jan 2012 -


Password guessing with Medusa 2.0

Medusa is my password forcer of choice! Mainly because of its speed. If you're hoping to try it on a Windows box, sorry you're out of luck. As far as I know, there is no Windows port. In which case you're next best alternative is Hydra. See last week's post found here. Medusa was created by the fine folks at, in fact the much awaited Medusa 2.0 update was released in February of 2010. For a complete change log please visit Medusa is a command line tool, as far as I know there is no GUI front end. But don't let that scare you, it's super simple to operate. The foo magic of compiling from source is the hardest part. Although if you're running Ubuntu, Medusa is in their repository. Starting with Ubuntu 10.10 Medusa packages were updated to latest 2.0 release. If you're a Fedora fan boy, good news; Medusa RPM is available. With Fedora 16 Medusa was updated to release 2.0. Anything prior will use Medusa 1.5. Other distros may have to compile from source. Compiling Medusa from source: 1. Download Medusa 2.0 source from 2. Decompress tarball tar -xvf medusa-2.0.tar.gz 3. Perform usual compile foo magic ./configure make make install One word of caution. During the ./configure process a module check is performed. If dependencies have not been met, Medusa will not support those modules. You'll have to ensure all dependencies are satisfied before running make and make install. Have a look here if you run into trouble Installing Medusa from Ubuntu Repository: 1. apt-get update 2. apt-get install medusa Basic password guessing with Medusa: If you'd like to see all Medusa options, execute medusa with no switches. If you'd like to see all supported modules execute medusa -d In its most basic form Medusa requires the following information: 1. Target host 2. User name or text file with user names 3. Password or text file with passwords 4. Module name For example; If I want to try a single password guess of abc123 against the Administrator account on a Windows box with an IP address of medusa -h -u Administrator -p abc123 -M smbnt In a Windows environment the Administrator account is special in that it is the only account which cannot be locked out. Although watch out, some environments remove this feature. Before you brute force accounts ensure you know the lockout policy. But let's pretend in this example the Administrator account does not lock out. This means I can attempt as many password guesses as I'd like. In this case I'd download a pre-compiled password list. Then, let Medusa loose and wait. medusa -h -u Administrator -P passwordlist.txt -M smbnt Depending on the latency between you and the target host, limiting concurrent attempts may be a good idea. This can be accomplished with -t or if you'd like Medusa to stop after first succesful username, password combination use -f Medusa is simple, fast and effective. I especially love the number of modules it supports, including web forms. How many times have you wanted to password guess a web site login? With Medusa it is possible, simply provide the proper URL. Medusa even supports SSL and if your target is using security through obscurity by using a non standard port, Medusa supports that too. Specify non standard ports with -n Administrators should be auditing passwords regularly. Weak passwords are your number one concern. If you allow users to generate a weak password they will. You're best bet is to implement a good password policy and enforce it. For more information please visit our blog at:

Making Bootable USB using Syslinux

Note Kindly check the following packages on your system: 1. syslinux if not installed then install it using yum yum install syslinux 2. qemu-system-x86_64 ( i am installin 64 bit fedora so to test the pen drive finally we need this Virt. machine) if not installed then install it using yum yum install -y qemu.x86_64 it will take some time Note if you dont want to test ur pen drive then you can skip the above step: Now we can start the process 1. Download the ISO image of the OS ( Linux) on you system and mount the same under some directory. e.g with the following command. mount -t iso9660 /home/harkamal/ISO/Fedora-16-x86_64-Live-KDE.iso /mnt/iso/ 2. use a pen drive which doesn't contain any files, it can have folders but not free files. and at least 1GB free space. Now find out where you pen drive has mounted automaticall it gets mounted on /media/HARKAMAL Note: HARKAMAL is the LABEL of my pen drive yours could be something else pl. note it. command to find out where your pen drive gets mounted are df -h or fdisk -l use the first one as root user or use sudo instead. in my case it was /deb/sdb1 pl note it too. 3. go to /mnt/iso with the command cd /mnt/iso ( here u have mounted the ISO img. in step 1 with mount cmd) 4 Now run cp * -rv /media/HARKAMAL/ note: pl change the LABLEL accordingly 5 now run the following command syslinux --install -d EFI/boot/ /dev/sdb1 6 Now go to the directory /media/HARKAMAL/EFI/boot cd /media/HARKAMAL/EFI/boot 7. here copy isolinux.cfg to syslinux.cfg command is: cp isolinux.cfg syslinux.cfg 8 Now we have to edit the file syslinux.cfg open it using vim and changes the very first stanza under the heading label linux0 consisting of the line: "append initrd=initrd0.img root=live:CDLABEL=Fedora-16-x86_64-Live-KDE.iso rootfstype=auto ro liveimg quiet rhgb rd.luks=0" now remove 'quiet and rhgb' entries from the above line and also remove root=live:CDLABEL=Fedora-16-x86_64-Live-KDE.iso change it to root=LABEL=HARKAMAL after making the above changes the line should finally look like: append initrd=initrd0.img root=LABEL=HARKAMAL rootfstype=auto ro liveimg rd.luks=0 Note there should not be any space between root,LABELand HARKAMAL Now our usb is ready to use we can test it by running the following command on Virtual machine. command to test the USB is: qemu-system-x86_64 -hda /dev/sdb1 -m 256 -vga std. if you virtual machine gets started with installing Fedora 16 option it menas ur USN+B is ready to use and install the ISO Enjoy))))))))))))))))) Keep Posted Regards Harkamal


Open Source Think Assistant

The key to intelligence must be memory. It would then be a good idea if one could use a computer program to aid the human rather low memory capacity in a simple yet powerful way. The program I had in mind is a simple add to existing open source FreeMind type programs. To expand and structure your thought process you could choose from a drop down list of certain keywords or sentences that progresses the solution further to a new innovative product or answer in a textbook exercise. The keywords and sentences come from different areas like physics, chemistry, biology, engineering, mathematics and more. They can describe useful reasons for solving the problem. You should also be able view examples where the key reasons are used so to compare them with your problem. I would like the program to be modular so that the community can add and collaborate new reasons to existing areas or create new areas. Apart from importing the modules in an open format maybe it would be good to have an HTML export function. Like Bookmarks in Firefox. In education you could use these kind of programs to solve exercises in a more structured way. In innovation or problem solving you can easily expand your imagination by trying key sentences like already written perspectives from different areas otherwise missed. Further you could expand the program to include crowd sourcing whereby sharing the problem sheet with others gives you answers to reasons you know are valid but have not yet come up with an answer to yet. The idea is meant for GPL licensed or for Free and Open Source Software to aid small innovation and education. Idea by Per Lindholm

Password guessing as an attack vector

Over the years we've been taught a strong password must be long and complex to be considered secure. Some of us have taken that notion to heart and always ensure our passwords are strong. But some don't give a second thought to the complexity or length of our password. Password guessing in my view is the oldest hack in the book, and unfortunatley some of us are making it too easy for the bad guys. From simple things like password equal to username (I still see this often) to blank passwords or super easy combinations like 'qwerty'. As a system Administrator it is our job to serve and protect. However, despite our best efforts users often give things away too easily. Therefore how do we know our users are doing the right thing and how can we audit poor or weak passwords. We could purchase a commercial password auditing tool, but in my view that is a waste of money. The open source community has many excellent tools for this job. Two that I personally know on a first name basis are THC-Hydra and Medusa. Both are excellent password guessing tools, which if used correctly can help eliminate weak passwords from your environment. While Hydra has been ported to Windows, Medusa at this time is Linux only. In fact the author has put out a call to the community. He said, "If anyone can compile Medusa under Cygwin I'll buy you a beer at the next Defcon." ~ so far no takers. If you want to learn more about each tool check them out here: Medusa - THC-Hydra - The coolest part about these tools is the fact they support a huge shopping list of protocols. From Windows LM to RDP, SSH, TELNET, HTTP, VNC, IMAP, POP and many others. While both are similar in function, Medusa is currently my top choice because it supports more protocols, including MS-SQL and has recently been updated to version 2.0. Medusa is fast, and because its available with my favourite distro its my tool of choice. As a penetration tester, once I let Medusa loose on your network I look for two to three things. 1. Accounts where password is equal to username 2. Accounts where password is blank 3. Accounts where passwords are simple dictionary words With Medusa, these are all easy, however with option 1, I typically see this with shared accounts, or accounts which are not used very often, typically some obscure low key service. Most often these accounts have regular user status in the domain, and that is exactly what I need. From a nobody to somebody in one step. Blank passwords are stupid easy, again shared accounts or really old accounts which were created under Windows NT 4 and were migrated from 2000, 2003 to 2008 over the years. I see this often in Manufacturing, where Windows 98 and DOS rules to this day. Lastly, the real power of Medusa or Hydra for that matter is Dictionary attacks. It can pump through a fairly large dictionary in minutes. And those of you believing a second language is more secure, think again. As long as its a dictionary word (in any language) you're done like dinner (as one of my students used to say).

Squid and Digest Authentication

This week I want to review Digest authentication, which is a step up from Basic proxy authentication, not the best choice but an improvement. Digest Authentication hashes the password before transmitting over the wire. Essentially it sends a message digest generated from multiple items including username, realm and nonce value. If you want to know more see (RFC 2617). Thing to remember is both Basic and Digest are on the weak end of the authentication security spectrum. If your only choice is Basic and Digest, the lesser of two evils is Digest. Digest is very similar to Basic from a configuration perspective. Squid uses an external helper program to facilitate the authentication process. From a Squid configuration perspective, the following pieces are required in the “OPTIONS FOR AUTHENTICATION” section of squid.conf auth_param digest program auth_param digest children auth_param digest realm auth_param nonce_garbage_interval auth_param nonce_max_duration auth_param nonce_max_count The following parameters are similar in nature to Basic authentication; auth_param digest program - provide location of external helper program auth_param digest children – number of spawned processes to facilitate user authentication requests auth_param digest realm – string presented to user when authentication appears on screen Digest authentication introduces the concept of a ‘nonce’ (number used once). This is a generated value (in this case generated by Squid). The client uses this value in conjunction with the password during the hashing process. Without nonce-salting, captured hashed passwords could be replayed. The ‘nonce’ value is regenerated at specified intervals to ensure its continual uniqueness. auth_param nonce_garbage_interval – Specifies how often Squid should clean up its nonce cache auth_param nonce_max_duration – Specified how long the nonce value remains valid auth_param nonce_max_count –Places a limit on how many time a nonce value may be used The last piece of this puzzle is a database of valid users and their associated password. Typically this information is in a hashed text file stored on the Squid server. You should know, Squid does not offer any capabilities for managing it, most users generate it manually or utilize scripts. On an Ubuntu based Squid server the Digest Helper program is located in the following location; /usr/lib/squid3/digest_pw_auth Given above configuration paramaters, the final product should look like this; auth_param digest program /usr/lib/squid3/digest_pw_auth –c /etc/squid3/password-file auth_param digest children 5 auth_param digest realm My Realm auth_param nonce_garbage_interval 5 minutes auth_param nonce_max_duration 30 minutes auth_param nonce_max_count 50 Don’t forget you must adjust Squid ACL’s. The procedure is identical to Basic Auth reviewed last week. Regarding the password file, it should be hashed to keep prying eyes off user passwords. By the way “-c” in above program parameter means you’re specifying the location of a hashed password file. This concludes Digest authentication, don’t forget to restart your proxy server. Next week I’ll talk about NTLM authentication, since most of you are using Windows networks. To find out more visit:

Squid and Basic Authentication

This is perhaps the easiest authentication helper to configure in Squid, but also the most insecure. The biggest problem with Basic is it transmits username and password in clear text, hence very susceptible to network sniffing or man in the middle type attacks. The only reason I’m writing about it is it’s a valid authentication mechanism in some limited circumstances. Secondly I want to show you how authentication has evolved over the years. Ultimately you want to Kerberos authentication with your Squid proxy, but before we got there we had basic. And here is how to configure it; First thing that requires out magic touch is Squid’s configuration. Locate and navigate squid.conf The first section you’ll come across is for configuring authentication. It’s called; # OPTIONS FOR AUTHENTICATION # ----------------------------------------------------------------------------- You’ll notice there are many comments in this section explaining all the different options. But let’s jump ahead to what we came here for… Locate the following lines; note they will be commented out. Enable them by removing the hash character ‘#’ auth_param basic program auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours If you haven’t noticed already the first parameter auth_param basic program configures the location of an external helper program. This helper program is named pam_auth and on an Ubuntu system is located in the /usr/lib/squid directory. In fact all authentication helpers are located in this directory. Therefore our first line should look like this; auth_param basic program /usr/lib/squid/pam_auth Next we have the children parameter. This configures the specified number of processes to handle incoming authentication reuqests. In above example pam_auth will spawn 5 separate processes to handle all authentication requests. Anywhere between 5-10 helper processes is a good starting point. If Squid runs into trouble, it will tell you in /var/log/squid/cache.log , monitor this file closely. Then we have a realm parameter. This is a string which is presented to the user when the authentication prompt appears on screen. With Basic authentication this is an arbitrary string value. You can use anything, like; “Welcome to my really cool Proxy Server. Enter your Username and Password” Lastly we have the credentialsttl parameter which dictates how long Squid caches authentication requests internally. Keep in mind a small value increases Squid load, while a larger value will reduce it. You may need to play with this if you notice your Squid box is really busy. The last piece to this puzzle is enabling Squid’s authentication ACL. This includes changing two additional parameters. ( ACL & HTTP_ACCESS). The default ACL bases access or no access on client subnets. ACL LOCALNET SRC is an example of one. To enable authentication, comment out above default ACL and replace with this; acl authenticatedusers proxy_auth REQUIRED Lastly enable above access list, named authenticatedusers http_access allow authenticatedusers That’s it. Restart Squid service and you should now be prompted for user name and password. You session will be authenticated until you close your browser.

KeePass Password Safe - Keep and manage multiple account passwords

I'm sure you've heard numerous times from many sources, web site logins should always be unique. Unfortunately few follow this rule and often reuse passwords among different Internet sites. Primarily because keeping track of unique passwords is a real hassle. Really! think about all the sites you use daily, then double that for occasional sites and before you know it you're managing 50 passwords or more. So What's the solution? You could keep a ledger, but then you'd have to photocopy it a few times for every computer in the house. You could spend money on commercial solutions like 1Password or let the Open Source community help. KeePass Password Safe is a great and easy to use alternative. Best of all, its cross platform and free to use. You can download KeePass from Installation is your typical Windows clicky-click. Installation has 3 options, Full Install, Compact or Custom. Full install maxes out at 5.4MB, compact just 2.8MB and custom anywhere in between. Full Install includes additional libraries, XML stylesheets and a number of optimizations, compact simply includes core KeePass libraries. After installation, the first required step is the creation of a KeePass database. Your encrypted database will store all recorded passwords and any other confidential information you'd like to keep safe. You have the option of encrypting your database with a master password, Key file, Windows user account or a combination of the three. KeePass uses AES/Rijndael 256bit encryption, so you can be confident encryption is strong. To improve database functionality and performance, tweaks are available in database settings. For example to reduce the chance of password type guessing attacks, AES/Rijndael encryption uses Key transformations. Default setting is 6000 times, but you can increase this value to whatever you like as long as you realize larger values increase database load time and a slight performance hit. Other options are available from a simple description to database compression to reduce file size. Once the database is created you're ready to add your first secret entry. More on that next week.

Corks? Or Screw Tops? Why the Experience Matters

I've noticed a disturbing trend amongst a few of the high quality wineries in my state. They have abandoned the cork to close their high-end wine bottles and turned to screw caps. This is good news to people who struggle with how to get a cork out of a wine bottle. 

Read more... Comment (0)

Building LFS( Linux From Scratch)

After struggling for nearly one day, the LFS, linux from scratch, is finally built. I would note something about the building process. 1. about ssh There is some time that I just want to copy the command in LFS book and execute it directly. since copy between host OS and guest OS would be troublesome, SSH would be a convenient way to copy, paste and execute. execute "/etc/rc.d/init.d/sshd start" to start ssh service in LFS, one may also need to configure network interface using ifconfig command. 2. about mount After compiling all packages and changing root directory, I try to execute grub-install, and it tells me that there is no hard disk. And I eventually figured out that "mount -v --bind /dev ${LFS}/dev" is very critical in installing grub boot loader. Without it, grub-install would not find hd0.

openSUSE Weekly News 192 is out!

I'm happy to announce the new "openSUSE Weekly News, Issue 192".



In this Issue:

  • openSUSE Conference 2011
  • Plasma Active Status Report
  • Beta Pizza Party

You can download it there:

We hope you enjoy the reading :-)

If you want to help us collecting interesting articles for the openSUSE Weekly News, so you can all your stuff into our new ietherpad:

Found Bugs? Please place it in our Bugtracker:

Features, Ideas and Improvements can placed in our Featuretracker:

Older content can be found there.

Page 19 of 138

Upcoming Linux Foundation Courses

  1. LFD320 Linux Kernel Internals and Debugging
    04 Aug » 08 Aug - Virtual
  2. LFD405 Embedded Linux Development with Yocto Project
    04 Aug » 07 Aug - Santa Clara, CA
  3. LFD312 Developing Applications For Linux
    18 Aug » 22 Aug - Virtual

View All Upcoming Courses

Who we are ?

The Linux Foundation is a non-profit consortium dedicated to the growth of Linux.

More About the foundation...

Frequent Questions

Join / Linux Training / Board