Intro

One of the reasons I took a pause from reversing the Bratalarm Crackme and the Zender virus* is because I acquired a few goodies from a RadioShack that was closing up shop.

Among the many things I acquired at a fantastically-low price, I got an entire POS system. It’s an HP rp5700 with a Core 2 Duo, 1GB RAM and an 80GB WD Blue. It’s no powerhouse but I did get excited seeing the small form factor and the commensurate 240W power supply. It’s a bit hamstrung by the Core 2 Duo @ 2.13GHz and 1GB RAM – and the motherboard can’t take the Core 2 Quad I had laying around. At least it can run with 8GB RAM though so I picked that up on eBay for $30. The other desktop machine I have is that Core 2 Quad, 3-point-something-GHz, but the Gigabyte EP31-DS3L mobo is capped at 4GB and the architecture is a bit aged so it runs pretty warm and the four 120mm case fans are incredibly loud. Coupled with the FoxConn GeForce 9800GTX due to the lack of onboard video, it’s also not terribly conservative of electricity. It’s pretty much sat dormant for two years now. I’ve stuck with running multiple VMs on my very capable MSI GE70 with a Core i7. # Hardware

Anywho, my new server has gigabit ethernet onboard and I stuffed another dual gigabit NIC in there. With my Cisco 3550 MLS, I get two gigabit ports that make streaming VMs in my office nice and quick, at least as far as the network goes. The Core 2 Duo really is the biggest bottleneck for the parallel processing needs I have so I’ll upgrade eventually. This is my first venture into “serious” virtualization so I’ll play with this for a bit and browse eBay for a used Xeon server. Eventually, I plan to virtualize entirely and start saving some moola on laptop upgrades and those OEM Windows licenses. A $500 server streamed to an aging laptop will perform nearly as well as a native beastmachine for anything that’s not too demanding on video.

For my purposes, I pulled out the serial port PCI card and DVD drive to improve airflow. Along with that 8GB of RAM, I picked up a couple 300GB WD VelociRaptor 10K RPM drives on eBay for $20 a pop so the WD Blue in there now will run as the OS drive while the Raptors will be in RAID 0 to serve up my VMs.

I think the single gigabit lane will be more than enough 99% of the time but I plan to experiment with virtualized servers as well. I’m going to save my pennies and, whenever I upgrade to a real server, I’ll drop in a couple more drives and use it as a NAS, backup server and firewall.

Software

For the host HP, I was able to install 64-bit Debian Jessie (8.1.0) without any issues other than acquiring some Realtek firmware for the extra NIC I dropped in there.

While waiting on my Raptors, I copied over my VirtualBox “Malware Lab” VMs: a WinXP x64 VM for malware analysis and a Debian Wheezy VM for Inetsim. They run more than well enough for my purposes but they are noticeably sluggish compared to their performance on my laptop. It’s been getting near 90F here lately so I’m really pushing to reduce the heat stress on my laptop; my office faces west and reaches at least 90 from 12-5 every day.

A picture is worth at least a couple hundred words so here ya go. A three-screened laptop can be fun.

The top-left window is Putty, used to SSH into the server. Below that is my production Debian Jessie box and to the right are the Debian Inetsim server and WinXP malware analysis boxes.

First, I SSH in the server:

steve@debian:~$ ssh steve@192.168.1.99
The authenticity of host '192.168.1.99 (192.168.1.99)' can't be established.
ECDSA key fingerprint is b9:e2:da:52:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.1.99' (ECDSA) to the list of known hosts.
steve@192.168.1.99's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jun 30 18:14:16 2015 from 192.168.1.105
steve@debsrv:~$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  start_malware_lab.sh  Templates  Videos  virtualmachines  website_backup_20150627.tar.gz

On the server, I run run my VMs “headlessly”. That is to say their GUI is not shown on the host at all, only remotely. I don’t even run a GUI on the host.

steve@debsrv:~$ exec VBoxManage startvm "WinXP x64" --type headless
steve@debsrv:~$ exec VBoxManage startvm "Debian Inetsim" --type headless

Next Up

I have KVM installed as well but I’m waiting on the Raptors to arrive before I start with the rest of the setup.

I’ll have the 8GB of RAM and 2x300GB 10K RPM Raptors running a single-volume XFS filesystem. Coupled with a Type 1 hypervisor, the performance should improve enough to easily handle several low-end VMs. Here’s the current plan:

1. Linux Inetsim server: Right now, Inetsim is running on a full-fledged Debian install. It’s a 17GB footprint since it was a production box before I installed Inetsim; I decided I never wanted to trust the installation again and relegate it to malware. This will likely change to DamnSmallLinux (50MB) or the Debian netinst (280MB).

2. Windows XP SP2 analysis machine: I use SP2 due to all the stability and performance improvements that came with it even though a lot of the vulnerabilities are closed too. I use this for static and dynamic analysis with plenty of tools.

3. Debian Jessie: My production environment. I use this for development, working on this website and whatever else I need a trusty Linux box for.

4. Windows 7: This is a “throwaway” box. I use this primarily to acquire malware but it’s also a good way to visit those strange Eastern European websites for other untrusted downloads. I just restore the very first snapshot every time I shutdown.

5. Debian server: This will just be my “home server” for network file serving, and backup storage. I’m also looking at a DLNA server to stream my old iTunes purchases to the TV, a tinydns server because I’m tired of editing hosts files everywhere or remembering IPs and a web server because why not?

I haven’t yet decided how much of #5 I’m willing to move to the host. I’m hesitant for two reasons: 1) I often find ways to break my Linux installs and 2) I wouldn’t be able to migrate it when I upgrade to a real server.