Linux Tips

LDAP Authentication In Linux

2006-08-25T21:50:00.000-05:00

This howto will show you howto store your users in LDAP and authenticate some of the services against it.

LDAP authentication is nice.. but it can also cause problems.
Every time you do an "ls" you'll hit the ldap server to look up file ownership.
Every time your webserver goes to get a file, it'll hit the ldap server to check permissions.

Something tells me because it's called _Lightweight_ Directory Access Protocol that wont be a problem unless you're doing thousands upon thousands of lookups per second...and in any event, [open]ldap supports replication. It solves numerous more problems than it fixes.
That's why there is something called Name Switch Cache Daemon (nscd)

Authenticating systems to LDAP is great. Especially because there's so much possible versatility. For example, not only can you authenticate logins, but you can also setup AutoFS to pull automount information from LDAP, and even better, you can actually pull SUDO access rules from LDAP (to replace the sudoers file).

This makes it *so* much easier to remove direct root login, and force administrators to use sudo. It also makes it easier to selectively grant additional access to users.

MySQL Connection Management in PHP - How (Not) To Do Things

2006-08-20T08:10:00.000-05:00

OK, I think I see what he is explaining, he has a point on the wordpress constructor... they should create the resource static and check if it has been defined already... he focuses on the reuse of the DB object, so if you create a new DB object only use 1 connection. I was hoping for sharing DB connection between sessions.

Sharing a DB connection between PHP instances can be done with pconnect.. but it's not a good idea.

The problem with wordpress is that the connection is opened at the beginning of every page. Multiple times. (There's a separate connection for the body of the page, and the sidebar, and the individual includes in the sidebar, etc etc).

He solved this problem by only opening a connection if a page is actually going to make a request.

The other problem (which he didn't address), is that wordpress holds open a connection for too long, and does too many queries. Loading the frontpage of a standard configuration wordpress blog issues 27 queries over 3 separate connections. Basically, wordpress is a mess. They went include crazy (just look at how many different includes there are for the header alone.. he went 3 includes deep to find the mysql connection).

#####################
First off, Wordpress only uses one connection for everything. Really. Unless you have a plugin or some other code making its own connection, all Wordpress queries are handled through the same connection.

The way it works is that, at the beginning of the execution, an instance of the wpdb class is created. Every query Wordpress does is through this one instance. It has one connection and it maintains it for the life of the execution cycle (until you see the generated page, basically).

What he's talking about is "lazy loading". See, when the instance of this class is created, it connects to the database right then and there. If the rest of the code then goes on and never uses that instance, you wasted your time connecting, yeah? His solution is to wait to actually connect until you need that connection. Basically, his patch eliminates the connection from the class constructor and creates a separate connect() function. Then, the query function is modified to check that a connection exists, and if not, call the connect() function to build one.

The benefit here is that if your page never hits the database for anything, then it never connects at all. This is smarter than the current Wordpress code.

However, it's also unnecessary, really. With Wordpress in particular, it would be extremely difficult to imagine a scenario where it doesn't actually hit the database. Everything comes from the database. Posts, sidebar content, anything dynamic, it all hits it. So this really isn't saving you anything for your average blog. Yes, he is correct that making the connection lazy makes more sense. However, it's a poor example, because Wordpress virtually *always* uses that database connection. Several times.

He also goes on about caching, and yes, caching is good. He doesn't talk about caching with Wordpress, but there are caching hooks in there and plugins which can use them (WP-Cache, for example). This sort of thing implements caching in a very smart manner... smarter than what he's talking about in his code snippets there, certainly. The upshot is that if you use something like WP-Cache, you get everything he's talking about and then some, making Wordpress extremely quick indeed.

Takes some setup, but what doesn't?
##################

Anyone who uses func_get_args() like that needs to look at how they code. That's some seriously ugly code.

But the general concept is completely right and should be used my most apps.

#################
So now that we got the caching idea into our heads what would be the most effective medium for storing your cache?
Is it filesystem? or could we maybe use something like SQlite for it?

memcached from http://www.danga.com/memcached/ is what you're looking for. It's amazing. I'm doing about a billion cache look-ups a day with it on some older hardware. I'm doing with one old server what previously took four nice big new servers.

####################
Interesting - but he's failed on one minor problem - that his caching algorithm uses the file system - a bigger problem than the one he is solving - the only way that this will work efficiently is if the blocks he is including a very complex (either in the SQL queries used OR in the processing that is performed on the output)

It is admittedly easy to produce and reuse the files - but there are problems with large directories if the site is getting into the sort of traffic that requires this sort of caching...

On a test version of our work server we were using file caching (and having to store temporary images) - we managed to break the file system by creating millions of files overnight - the systems team worked out that it would be quicker to reformat the system disk - and re-install the operating system that deleting all the files with rm (calculated time was somewhere near 32 days to remove files created in 12 hours!)

Linux Printing with CUPS

2006-07-29T13:54:00.000-05:00

CUPS (Common Unix Printing System) version 1.2 was released last month, bursting with over 90 fabulous new features and improvements. Today we'll take a look at them and decide how fabulous they really are.

Push Windows Printer Drivers with CUPS
Today you shall learn how to use CUPS and Samba together to set up automagic client printer installations. That's right, my hardworking friends, none of this dashing about to individual workstations burdened with driver disks and Windows CDs. The goal here is to never leave your snug underground lair.

How To Test Your Linux Firewall

2006-07-29T13:45:00.000-05:00

This article shows how you can test your Linux firewall with a tool called FTester (Firewall Tester). With FTester you can check your firewall's filtering policies. The tool consists of two perl scripts, a packet injector (ftest) and the listening sniffer (ftestd). Furthermore, FTester also provides Intrusion Detection System (IDS) capabilities.

This has more akin to Tomahawk (mentioned above). People are just trying to flex their muscle by proving they know about one-or-two tools.

I use quite a few tools in my job including Tomahawk, Spike, THC-AMAP, Etherape, dsniff, TCP traceroute, aircrack/airsnort/airereplay/kismet (for wireless), ettercap, ethereal, fping, nemesis, driftnet, vomit, john the ripper, hydra, nikto, ngrep, ntop, arpwatch, dsniff, fragroute, nmap, nessus, nessus inline, cheops, metasploit (rarely), honeyd, firewalk, lids, tripwire, aide, stunnel, tcpdump/tcpreplay, bile, paketto, ISS scanner, eEye Retina, nCircle 360, SkyBox and more.

A direct comparison with nmap isn't really fair as nmap will not analyse the output or munge the packet properly to simulate a multi-network origin. If you've got an Enterprise firewall with 15,000 rules, going through the output of nmap is very difficult, plus you'll have to make the nmaps look like you're coming from multiple different locations. nmap is great as a single tool from a much larger toolbox.

This looks interesting, but a similar open source tool called Tomahawk (which is mainly used for testing IDS/IPS systems) has been around for a while - http://tomahawk.sourceforge.net/ - I have to admit a vested interest, I used to work for the company that started the original Tomahawk project. With the Tomahawk you can take pcaps using TCPDUMP/Ethereal and then reply them through a device and you can even amplify (capture 10 Mbps worth of traffic, but play out 1 Gbps worth of traffic) and munge source/destination packets.

The Tomahawk is designed for a different purpose than this tool, but if you're interested in this have a look at it. Like I said, this is another tool for the toolbox. Those that rely on one tool are only seeing/testing a very limited aspect of the network/host.

How to set up a mail server on a GNU / Linux system

2006-07-29T13:39:00.000-05:00

Easy to follow howto on setting up a mail server. Based on an Ubuntu distribution platform, but instructions are distro generic.

If you want to use the Debian way to a Postfix mail server, there is a guide here:
http://johnny.chadda.se/2005/04/30/postfix-howto/

Only PDF at the moment I'm afraid.

Here is a step by step on Debian that includes antivirus and spam filtering:
http://www.fatofthelan.com/articles/articles.php?pid=22

Zimbra includes all* this and makes install as simple as: "./install.sh".

http://www.zimbra.com

* AJAX UI rather than SquirrelMail
Internal IMAP rather than Courier

http://www.qmailrocks.org

The most comprehensive mail server setup guide for freebsd, linux, solaris, etc... Oh yeah Qmail is the fastest and most badass mail server no the planet. Google (gmail) runs a modified version of it, same with yahoo.

QmailRocks is good for most distro's, but for RPM Based distros, there is also the QmailToaster

http://digg.com/linux_unix/Qmail_Toaster_makes_mail_server_setup_easy

This project has made it very easy for any RPM based Linux distro to become a full functioning mail server, complete with webmail and imap-ssl.

Howto install a Debian GNU/Linux system onto a USB flash thumbdrive with the root partition encrypted

2006-07-29T12:19:00.000-05:00

How to Run Linux on a USB Drive

Simple instructions for anyone looking for a portable installation that they can easily carry with them for use as rescue media, system administration or as a private workstation. This site offers a great guide to booting a distribution of Damn Small Linux on a Lexar 512mb Jump Drive. It includes complete instructions with screenshots. Definitely worth a look!

For more information on LUKS (Linux Unified Key Setup) see: http://luks.endorphin.org/

I'm glad it's getting out to people. It's using device mapping encryption that will work with (just about) any linux box. If you have a 500mhz cpu there's no huge reason to not use encryption. And unlike windows crappy encryption, you can encrypt the entire root filesystem, not just non system files / folders

http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt_with_LUK

"Does bartpe support ext2 filesystems?"

It does, but read-only: http://www.bootcd.us/BartPE_Plugin_Details/58/Explore2fs.html

irc.chatjunkies.org #linuxhelp if you need help setting it up lowkey hangs out in there

FTA:"NOTE: This howto will only work if your device has been detected as /dev/sda because of how mkinitrd.yaird works." ...."mkinitrd.yaird"? -Never heard of that.

I'm familiar with the original Debian how-to, what I have yet to find is a concise how-to for installing an OS on a *hard drive* encrypted at time of install. Not just the root, but the whole thing.

Yaird - Yet Another Mkinitrd
For more infor: http://yaird.alioth.debian.org/

I have found it useful to just install Knoppix onto a 1GB thumbdrive.

The 700MB CD-ROM image fits rather nicely, giving just under 300MB of free space remaining on the thumbdrive.

Knoppix doesn't use encrypted partitions, instead, it uses a large file that contains an encrypted filesystem. This actually works out better for installations designed to be portable, like USB keys. The reason is that device letters can often change on various computers, depending on what other drives are installed: for example, sda, sdb, sdc....

By using a file instead of a partition, Knoppix can just search for this file, on all devices it can see. It saves having to directly mount a device, and then having that mount fail because the location changed. Also, the size of this file can be changed without having to repartition/reformat!

Also, the main Knoppix CD-ROM data doesn't need to be encrypted, as there's no secrets there, and it remains read-only. So, you get a little better speed, as the entire USB key doesn't need to be encrypted.

Here's my writeup of how to get Knoppix nicely installed to a USB key:

http://www.knoppix.net/forum/viewtopic.php?t=23558

This is slightly different from the method described on the FAQ, for various reasons I mention in the forum.

If you want to support the development of Damn Small Linux you can purchase it on a bootable USB drive from here: http://damnsmalllinux.org/usb.html

http://www.ubuntulite.org/drupal/?q=node/1
UbuntuLite might be a good way to get Ubuntu on a smaller size USB drive.
Not too sure how far they've got with yet though, but it might be worth a try.

I prefer www.puppylinux.org

There are usb "sticks" available which run linux. I have the BlackDog (see http://www.projectblackdog.com) . Another would be Gumstix (http://www.gumstix.com)

Feather Linux, it's about 128MB but has way more functionality then DSL.
http://www.chipnick.com/thumbdrive-linux

Managing Linux Through Windows Active Directory

2006-07-28T19:19:00.000-05:00

A nice article about connecting Linux Authentication to Windows Authentication.

Check this how-to posted here a while back on Linux/AD Integration

http://thelazyadmin.com/index.php?/archives/381-LinuxUnix-Active-Directory-Authentication-Integration-Part-1.html

http://thelazyadmin.com/index.php?/archives/383-LinuxUnix-Active-Directory-Authentication

Not a complete authentication solution. Kerberos against a Windows ADS does work, but as laid out in the article, this does not present a SSO solution nor does it work for all authentication operations. It does get you about "80%" there, but there are holes. For one, if you managed all your users in ADS, you'll still need to create the users on each of the linux machines that the user(s) are allowed to use. You can work around this using samba and some user/group mappings, but it is something that anyone trying to manage users in one place should be aware of. Also, not all the linux modules use krb5. You may need to recompile or install the appropriate module with krb5 support and that still may not be enough. I can't recall if it's KDE or GNOME, but one of them let's you authenticate at login using kerberos against ADS, but if you then attempt to use the manager's "network explorer", the authentication fails (one of them fails silently and just denies you access, the other at least prompts you for you domain, username, and password even though you just entered the information at login). It is a starting point but these are probably better resources (even if not fully complete themselves):

http://redmondmag.com/columns/article.asp?EditorialsID=858
http://redmondmag.com/features/article.asp?EditorialsID=422

This should work at least 95% of the time when the service/program/etc uses PAM for authentication. Some can even use winbind directly, some (like GDM, etc) support kerberos directly but i have never had any real luck with them, tends to make more of a mess than anything.

As far as having to set up samba, you have to do that already for pam->winbind->AD to work. And you don't need to create the users/groups locally (winbind takes care of that, try getent passwd/groups or wbinfo -u/g after samba/winbind is configured), but you do need to script the creation of the home directory on the first login (from skeleton, or maybe even grab it from a roaming profile possibly? how to keep it in sync though...).

The whole process isn't trivial, but it isn't that hard either. Good tutorials/howtos are hard to come by (at least were 4 years ago when I first did this) but are getting better.

I set up our Linux boxes to authenticate to our Active Driectory domain using Samba's winbindd, pam_winbind and pam_mkhomedir. Works well and has reduced my management headache a fair bit. http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html has all the related information.

Why stop there, integrate all of it, samba, ldap, mail, etc...
http://www.fatofthelan.com/articles/articles.php?pid=24

While the forum linked to in the post here seems valuable, here's the actual article link:

http://www.linux-watch.com/news/NS4820656867.html

Web app authentication is much better handled with a simple LDAP bind. If you're in PHP, for instance:

// Given $username and $passwd, try domain auth...
// DC = domain controller, yourdomain.local = domain name
$ad = ldap_connect("DC");
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);

$bd = @ldap_bind($ad, "$username@yourdomain.local", $passwd);
if (!$bd) {
// bad username or password
} else {
// logged in
}

Single-Sign-On on Linux using LDAP with Active Directory

2006-07-28T19:13:00.000-05:00

This article discusses how you can integrate Linux into a Windows-based network by making it authenticate against an Active Directory server and having it get passwd and group information from Active Directory as well.

Also Note, Check your AD Schema version before trying to update using the LDF files listed. Windows Server 2003 R2 will have the attributes already integrated for Unix Support.

http://www.microsoft.com/windowsserver2003/r2/unixinterop/default.mspx

We use Quest's (formerly Vintela) VAS product to integrate the *NIX systems into AD. It offers other benefits founds in Windows systems, now on the Unix boxes (Cache'd logon most imporantly, Group Policy support,etc.)

LDAP IS NOT AN AUTHENTICATION PROTOCOL!

First of all, you are correct about LDAP not being an authentication protocol.

Kerberos is an excellent solution for many people wanting to maintain a single AD management system, except there is one problem that Kerberos can't solve for our solution. If you try and maintain a list of servers that users can and cannot log into.

So for example, in our domain, we have 3 machines, 1) AD running for a single realm 2) Linux machine with pam_krb5, which you wish to auth against the AD server, that allows everyone to access it (that has an account on the AD system), and 3) Linux machine with pam_krb5, which you wish to auth against the AD server, that you want a select few(er) people to access that also auth against the AD server.

Using Kerberos, computer 2 can auth against the AD server (1), and gain access to the machine, however, there is no way to maintain user access control for server 3 in this example.

The only real way to control access is to use an LDAP solution.

Firstly, Microsoft will support you even if you make schema changes, thats what the schemas is there for, to use, there are many products that reauire schema changes. But Microsoft support is a thing of wonder anyway, we've had to use it a few times and this last time for a cluster playing up they could only offer a solution where we build a whole new cluster.

For my enterprise I purchased Suns AD Sync identity managment product. It is very cheap as the JES directory server stuff is free anyway. It is supported by Sun so if it breaks you still have someone to call.

A job copies any new AD members to the Sun directory, and Unix boxen authenticate off that, it caches the encrypted password. No need for AD schema changes.

Maybe it's not SSO but at least you are using AD creds on Unix, and it is supported.

http://www.linuxjournal.com/article/8374

Better article with better scaling. Comes in 4 parts.

Turn your Linux web server into Fort Knox

2006-07-28T19:10:00.000-05:00

An in depth article on how to secure your Linux web server. Who says that security is ever "easy"? It's a must-have for anybody running a web server - even if it's at home.

I'm really surprised he didn't mention Denyhosts. Excellent program that prevents brute force SSH logins.
http://denyhosts.sourceforge.net/

Denyhosts has definitely helped out our production servers by keeping the load averages down by blocking abusive ssh denial of service attacks. With some of the hardening mentioned in the article applied alongside Hardened Gentoo Linux a server could withstand allot of abusive exploit attacks. By using a system which compiles binaries as position independent every binaries memory execution insertion address is randomized. While this can be something more suited to administrators with a moderate to advanced understanding of compilers and programming architecture when used alongside grsecurity framework execution of a binary uses a different hexadecimal memory address which enforces a policy akin to winning the lottery for any malicious cracker. Our production 64bit and 32bit servers all have been using hardened gentoo for years and to date we have never experienced a system compromise. http://hardened.gentoo.org

Anti-virus/Anti-malware/anti-rootkit items like chkrootkit or rootkit hunter are, unfortunately, pretty useless when it comes to security.

There is two reasons:
A. Because the rootkit writers have access to those tools also. So all they have to do to defeat them is setup a Linux server and run those programs. If they are detected, then they simply have to modify how thier program works so that they aren't detected anymore. It's almost trivially easy to defeat them with old fasion 'conventional' rootkits.

B. Also kernel module rootkits are popular nowadays anyways. These are kernel modules that modify how a kernel behaves in order to mask the rootkit itself. These are nearly impossible to detect.

BTW since Windows 2000 started having acceptable security kernel driver level rootkits for Windows have become popular.

The only realy effective way to detect a rootkit is to setup a program like Tripwire.

Tripwire is a program that you use to make checksums of all the files on your computer, then later you can run it to check the checksums. You have to store the checksums output on a secure computer or secure read-only medium (like a cdrom disk.). Also Tripwire is only usefull if you run it from a different operating system then the one your currently running (like say booted up in knoppix cdrom).. This is because it can be defeated by false reports created by a kernel module level rootkit.

OpenBSD folks are probably going to be the formost on things like this that don't require special propriatory stuff or charge you money for information and such things, and are stuff you can impliment yourself.
http://www.bytelabs.org/papers.html
Check out the paper Paper title: "Integration of Security Measures and Techniques in an Operating System (considering OpenBSD as an example)"

For Linux and GCC Redhat took a lot of work into rewriting ProPolice SSP (developed originally out of IBM's japan branch) and getting into the GCC release. I beleive it's in GCC 4.1.

Also introduced into the lifetime of the 2.6.x kernel release has been things like heap protection and support for the 'no execute' bit and such.

A example of this being used to protect a vunerable program is outlined in this Debian-Administrator.org article..
http://www.debian-administration.org/articles/408

And of course Wikipedia has a good article on it.
http://en.wikipedia.org/wiki/StackGuard

Other things for Linux (like he mentioned)
grsecurity http://www.grsecurity.net/
AppArmor (from Novell) http://www.novell.com/apparmor
SELinux (from the NSA (United States Government) and made workable by Redhat for their Enterprise Linux and Fedora Core stuff.

Insights for a quick and easy Ubuntu printer installation

2006-07-12T22:35:00.000-05:00

For a long time, setting up a printer in Linux has been somewhat challenging. But, it's been getting easier and easier. And today, setting up a printer in Ubuntu as simple as it gets - this article is firm evidence!

This also follows on previous printing advice found here.

We bought an Epson Stylus D68 today in fact, after searching for it in http://linuxprinting.org/printer_list.cgi and seeing that it worked. The description was that it "mostly worked" but we can't find what _doesn't_ work on it.

We weren't using Ubuntu, but stock Debian. Literally three clicks using the browser-based CUPS interface and it worked. not a single thing needed to be installed. Test prints work from Opera, Firefox, OpenOffice, Gimp, KPDF..

If you're thinking of buying a printer for your desktop, see this page: http://linuxprinting.org/suggested.html

Advanced Bash-Scripting Guide

2006-07-12T21:00:00.000-05:00

An in-depth exploration of the art of shell scripting

This is the BEST tutorial to learn bash scripting, which in turn is one of the best programming languages out there. I highly recommend it to anyone who uses linux. Bash scripting is at the heart of it all.

SSH tricks

2006-07-12T20:49:00.000-05:00

The article describes in a human language some of the powerful, yet very useful (even for total newbies) capabilities of OpenSSH, such as passwordless login, automatic execution of commands on a remote system or even mounting a remote folder using SSH.

Three problems with this article:
- Most people use SFTP, not SCP.
- It's easier to tunnel a Samba session (if you really need to) than to install and use SSHFS.
- They didn't mention the "-D" option, which in conjunction with tsocks allows you to tunnel any application through the encrypted connection, whether it has support for SOCKS or not.

SFTP is perhaps the next step for users that upgraded from FTP access to a hosted web server, but I suspect most ssh users have migrated from the r commands and are using scp in place of rcp.

Comparison...
http://winscp.net/eng/docs/protocols#protocol_comparison

My favorite tool though is rsync. While I use rsync over ssh, I never understood why ssync wasn't created to do this job...

SSH is great for tunneling BonJour/DAAP:
http://www.shokk.com/blog/articles/2006/02/06/getting-ipods-and-itunes-everywhere

Now, if only there were a light daap client so I could avoid starting up iTunes...

Ssh is also really neat as part of an ANT script - so you can use all these neatness for your java deployments and automation.
http://www.jcraft.com/jsch/index.html

Setup the SSH server to use keys for authentication « Raoul’s Land Reloaded!

2005-12-03T08:54:00.000-06:00

Raoul’s Land Reloaded! has a good tutorial on how to set up an SSH server to use keys for authentication. Good read and something to save for future reference.

SSH scanning continues, some simple advice

2005-11-16T19:09:00.000-06:00

The SANS Handler's Diary has a good overview of advice on their site. In a nutshell they say:
1 Run ssh on a non-standard port
2 Choose good passphrases
3 Monitor your logs
Their updates are well worth the read for anyone who is looking to.

ssh tunnel with mysql or other ways of securing port 3306

2005-11-08T20:21:00.000-06:00

ssh tunnel with mysqlAnother site I need to save and access at a later date

Wicked Cool Shell Script -- by Dave Taylor

2005-11-08T20:18:00.000-06:00

Shell Script Library :: Wicked Cool Shell Scripts: Unix, Linux, Mac OS X, Bash, Bourne Shell, scripting -- by Dave Taylor I've bought the book and this is an excellent site to go with the book

VNC & SSH

2005-08-17T19:53:00.000-05:00

Passivemode has a good tutorial on how to install an SSh server onto a Windows machine. Good job.

Remote SSH access and SSH tunneling with the WRT54G

2005-08-17T19:51:00.000-05:00

hetos.de has a good tutorial on how and why you would want to create a SSH tunnel to connect a couple of computers. The writer goes into some fairly good detail explaining what to to do connect between two systems. something to keep in mind when trying to set up a connection.

How do I create and use Public Keys with SSH?

2005-08-09T11:52:00.000-05:00

ask-leo.com has a series of quick tutorials about how to set up SSH and set up public keys to be used with SSH and the other different utilites that work with SSH. Like SFTP, SecureCRT, and psftp.

The Ask Leo site seems pretty good overall and worth the time to take a quick look through.

Tech jobs up in July

2005-08-08T13:14:00.000-05:00

CNET News.com carries their monthly strly regarding tech employment. In it they also reference a Hudson report which stated that the tech emplyment woes seems to have turned the corner last year and is improving steadily. Not much time to add anything to this today so you'll have to read it.

CVS Camcorder download alpha - not disposable anymore

2005-08-03T17:57:00.000-05:00

hackaday.com has the best review of the hack for the CVS disposable camcorder. MAKE: has an overview of the chronology of the hack. The sourcecode for the software can be found on sourceforge.net.

I bought one of the camcorders last week to take to a concert with me. One of the things I'll say is that the general video quality is pretty good. The audio from the concert didn't pick up so well though. I think the best use for this camcorder will be to use as an emergency camcorder, for use at parties when you want to get small groups of people together, or to give to children to play with.
Keep in mind these camcorders only work with the light that is available. I tried to record my trip home one night and it didn't record so well. The video from the concert that I took of the ladies walking around came out pretty good. It'll be fun to put together a cable and reuse these camcorders.

#########################################
MAKE has updated their site with the step by step tutorial.

Tattle

2005-07-18T13:01:00.000-05:00

Sodaphish.com has a nice script that attempts to automatically notify domain authorities of machines in their domain that are actively performing SSH brute-force attacks. A nice tool to have in your arsenal to protect your network.

Recent SSH Brute-Force Attacks

2005-07-18T12:56:00.000-05:00

Whitedust has a good article focusing on the recent rash of Brute Force attacks. The attacks haven't been an outbreak, but there has been someone trying to brute force their way into a good number of servers. The nice thing about this article is the solutions and conclusions that the authors provide. The solutions can be broken into denying Root Login, audit the logs for which names are beign used by the hackers, tracking down the domain authority from which an attack is being launched from, and finally changing the port number that someone uses.

How to install OpenSSH sshd server and sftp server on a Windows 2000 or Windows XP or Windows Server 2003

2005-07-16T14:30:00.000-05:00

How to install OpenSSH sshd server and sftp server on a Windows 2000 or Windows XP or Windows Server 2003. This looks like a pretty good step by step of how to install SSH on a Windows box and a Linux box. I haven't had much time to go through everything but I do want to mark this site to come back to at a later time.

WRT54G SSH tunneling tutorial

2005-07-11T17:40:00.000-05:00

hetos.de is carring a good basic tutorial for beginners to SSH tunneling locally and remotely using WRT54GS open source firmware. Putty/puttygen/pagent is used as client in demos and Sveasoft's Alchemy firmware config page is featured.

Some items to take note of are the Advantages and Limitations section. In the various SSH articles I've seen I don't remember anyone talking about the different limitations of SSH. These limitations seem to be focused on the limitations of SSH tunneling and not so much as general limitations.

ssh_blocker

2005-06-27T11:11:00.000-05:00

Another SSH Server Attack Denial Tool can be found on the blackshell.usebox.net site. I talked about similar tools with the DenyHosts application. The ssh_blocker is a shell script with similar functionality as the DenyHosts application, but written for OpenBSD. There is also a feature to block IP addresses from someone who is not authorized to be logging into the server.

To return to the main directory for the SSH tutorials.

Using openSSH to Securely Access Remote Systems

2005-06-23T10:31:00.000-05:00

NOVELL: Cool Solutions has a basic tutorial on setting up and using SSH. If you want a more detailed overview and look at the different option I would look at the SSH Tutorial I've been building throughout this site.

Security-SSH Tunnelling In Hotspots For Privacy

2005-06-06T18:38:00.000-05:00

ITT Knowledgebase has a good article on how to use SSH from a wifi hotspot for security. KevinDevin has ran a very good site for a long time and his ITT Knowledgebase is an excellent resource for any one involved in IT. A good place to stop by and go through when you have some free time.

DenyHosts, an SSH Server Attack Denial Tool

2005-06-06T13:36:00.000-05:00

Linux Voodoo has a nice tutorial on a new application called DenyHosts. The nice part of this application is it gives admins more control on what they want done if a failed SSH log in happens. One of the weak points of SSH is it doesn't limit the number of failed log ons taht can occur. This opens the SSH utility to a brute force attack. DenyHosts helps fix this problem.

The stable version of DenyHosts currently available is 0.60. some of the system requiremetns are to have python ver 2.1 or greater installed on the system, and ensure sshd is compiled with tcp_wrappers support.

Once DenyHosts has been installed there are a number of options available when a failed SSH log on occurs. Some of the options are what to do when a failed log on occurs, how many failed log ons must occur before any actions are taken, information that will be collected in case of a failed log on, and where to send the log to when a failed log on occurs.

This looks like a good utility to use on any system that you have to remotely log into.

X Factor - understanding the X window system

2005-06-02T10:55:00.000-05:00

Tectonic has a good overview of the X window system within Linux. Much of what I've read here I've seen covered in other LPI material for preparing for the LPI exam. good material.

Everything you ever wanted to know about APT

2005-06-02T10:53:00.000-05:00

The Open Source Weblog is carrying an article that links to three other articles which essentially cover everything about the Debian package manager - APT. The best one is the last article which focuses on optimizing Debian packages for your specific system.

A Quick and Dirty Intro to Nessus

2005-05-31T14:09:00.000-05:00

Iron Geek has a flash tutorial covering the basics of Nessus. I've seen very little on the interent regarding the use of Nessus and this appears to be a good tutorial.

Iron geek also has another tutorial called "Sniffing VoIP using Cain"

Multi-level 'su' access.

2005-05-23T16:58:00.000-05:00

COREHACKERS.COM has a very good article on how to configure mulitple levels of su access. From what the article says this works on slackware and other non-PAM distributions.

This option brings up a number of different opportunities that would be available for administering systems. The site overall is one that is well worth the time to go through once in a while to see what is new that they have written about.

Mobile SSH @ PhoneMag.com

2005-05-21T09:40:00.000-05:00

PhoneMag.com has a quick post about a program that Information Craft in Japan has created to set up an SSH connection form a cell phone to a server.

I couldn't find anything from a company called Infromation Craft, but I did find a download from a company called Idokorro Mobile. There is also a version 2.0 for the Blackberry that is available.

I haven't had an opportunity to use this application but it does open up some interesting ideas, along with other opportunities that might come along with encrypting a conversation through VoIP. If someone can encrypt a data connection form a cell phone to a computer system, then why not from one cellular device to another.

Protecting SSH using known_hosts Hashing

2005-05-10T14:00:00.000-05:00

NMS @ MIT CSAIL: has a good article about why hackers want to target a known_hosts file when they first hack into a system. Through an initial hack they can gain a secure access to other systems that they wouldn't normally have to do all of the work to hack into it.

The basic premis of the fix is to encrypt the known-hosts file either through a patch provided by the site or to upgrade to OpenSSH ver. 4.0. Some good things to remember when dealing with SSH.

################################
UPDATE
Bruce Schneier covers some of the implications from this type of a hack and Techworld also carries an article looking at similar ideas. The Techworld article covers some of the ahcks which have used this kind of attack, the most prominent has beent eh theft of Cisco source code along wiht hacks into major universities, corporations, national laboratories, super-computing centres and military institutions.

Review of the Slashdot discussion of CUPS

2005-04-23T12:58:00.000-05:00

The following is a review of a discussion which took place on the slashdot forum. I've summarized some of the postings into what I think is useful for working with CUPS.

I've been struggling with setting up a new laptop and getting it to talk to my print server, using Fedora Core 3, and nothing seems to have changed -- the admin items for adding a printer are exactly as Eric described them back then -- unclear, confusing, and no where near as friendly as their Win* equivalents. Definitely not something I'd expect my Aunt Ethel to be able to figure out. What's going on here?

For those who are still frustrated with the CUPS GUI, how would you improve it?

By using Mac OS X's interface to CUPS. [apple.com]

The hardest part of setting up a printer using CUPS under Debian was knowing that I had to point my browser at http://localhost:631/ [localhost]. After that, what's so hard about clicking on Printers, Add Printer, then select the make and model?

Mandr{ake,iva}'s printer admin thingie actually runs nmap to sniff your network and find all printers exported by all machines using any protocols it knows how to talk. It's pretty amazing, but it took 10 minutes or more to run on the building network here, during which time the GUI didn't repaint and appeared hung.

I would have killed it in disgust, thinking it really was hung, but first I did a "top" to see if I could tell what it was doing. Then my jaw dropped when I saw it running nmap and starting and stopping many other processes to try to connect to the open ports it was finding, so I let it finish and was fairly impressed. It really needs a progress bar, or better, to have printers pop up in the GUI as they are found.

Fedora's printer config dialog sucks -> Linux printing status: unfriendly.

I'm partial to the KDEPrint system [kde.org], and wish that it was half as easy to configure network printers in Windows as it is through the nice KDE GUI.

Not long ago, there was a Slashdot review [slashdot.org] of a certain book [oreilly.com], which included a chapter on CUPS that can be downloaded for free [oreilly.com] (can't beat that price!). It seems to demystify the entire process of administering CUPS.

The reason some printers work on OS X and not on Linux is because CUPS allows running binary print filters.

Many printer manufacturers use Carbon filters for OS X. Game over.

CUPS is a full featured RIP and postscript processor. It does support arbitrary binary printing, however, and this is exactly what happens when you print to cups from windows via samba. Please see the cups documentation [samba.org].

If cups is just a "dumb spooler", explain lease how the heck it can print pdf, jpeg, hp-gl, tiff, and hundreds of other formats directly to your postscript printer?

If you don't have a postscript printer, yes, you must use a ppd that calls a intermediary driver (e.g., hpijs) that cups just passes the job to.

forget the CUPS application tools, user http://localhost:631. The www interface at least works all the time.

Why Aren't More Distros Becoming LSB Certified?

2005-04-20T17:54:00.000-05:00

Slashdot has a good discussion on wether Linux needs a standards base or not and what the costs/benefits are. Good discussion.

setting up DNS Server Resolution & /etc/resolv.conf

2005-04-18T12:58:00.000-05:00

With Comcast's recent problems with their DNS servers and the spat of DNS server poisonings going around, I thought it would be a good idea to cover how to configure DNS servers within Linux and which files to configure.

DNS servers are what allow normal people to find web pages by typing in website names and having those anmes associated with an actual server located somewhere else in teh world.

The main file within Linus used for DNS resolution is the /etc/resolv.conf file. Servers that are checked for DNS settings are listed in this file. The format is similar to the following:
nameserver 208.164.186.1
nameserver 208.164.186.2
Each nameserver will be checked in the order they are listed here. The nameserver entry tells the IP address of the host to use for DNS queries. If it is set to 127.0.0.1 (which is the default) then the local name daemon is used that may use the /etc/hosts database to translate host names. The default nonamed name server can't look beyond the local network.

Here is a listing of DNS servers which you can plug in whenever you might be having problems:Some DNS servers I reccomend:
4.2.2.1 4.2.2.2 4.2.2.3
4.2.2.4 4.2.2.5 4.2.2.6
These are all DNS server addresses that resolve differently across the country.

dadkins See Profile adds these DNS servers:
SpeakEasy Nameservers
66.93.87.2 216.231.41.2 216.254.95.2
64.81.45.2 64.81.111.2 64.81.127.2
64.81.79.2 64.81.159.2 66.92.64.2
66.92.224.2 66.92.159.2 64.81.79.2
64.81.159.2 64.81.127.2 64.81.45.2
216.27.175.2 66.92.159.2 66.93.87.2

ORSC Public Access DNS Nameservers
199.166.24.253 199.166.27.253 199.166.28.10
199.166.29.3 199.166.31.3 195.117.6.25
204.57.55.100

Sprintlink General DNS
204.117.214.10 199.2.252.10 204.97.212.10

Cisco
128.107.241.185 192.135.250.69

SSH Security Warnings.

2005-02-22T20:51:00.000-06:00

Over at the Unix Admin Corner they have a quick tip on how to add an SSH MoTD when someone logs into a remote sytstem. Usually these messages are good to pass along warnings for someone trying to log into one of your remote systems.

The Main directory for the SSH tutorials can be found here

Disk Quotas

2005-02-03T17:31:00.000-06:00

Disk Quotas can be used for several Administrative tasks. The main goal on implementing quotas is to prevent a user, application or log file from overwhelming the system or taking up more space than whet they are allowed to use. Disk quotas are implemented on a per-file system basis and can be set at the user level or the group level.

There are three concepts to keep in mind when dealing with quotas; they are Hard Limits, Soft Limits, and Grace Periods. A Hard Limit is the maximum amount of used space that can be used. Once this limit has been reached, nothing else can be saved to this disk space. A Soft Limit is similar to a Hard Limit except that the user can still save files to the disk. Usually Administrators will set a soft limit to give the user warnings about reaching a limit on their use and then use a hard limit to put a maximum amount of space that the user or group can use. The final concept is Grace Period. A Grace Period is the time during which a soft Limit can be exceeded. This value can be expressed in seconds, minutes, hours, days, weeks, or months.

There are four main steps to follow when implementing quotas. They are edit /etc/fstab, remount the file systems, run quotacheck, assign quotas.

The first step is to open /etc/fstab in a text editor. There are six fields in the /etc/fstab and the field we are interested in is the fourth field which describes the different mount options. This field is formatted as a comma separated list of options. For our use today we are interested in adding the options usrquota or grpquota.

LABEL=/ / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
LABEL=/home/home ext3 defaults,usrquota,grpquota 1 2
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/hda3 swap swap defaults 0 0
/dev/cdrom /mnt/cdrom udf,iso9660 noauto,owner,kudzu,ro 0 0
/dev/fd0 /mnt/floppy auto noauto,owner,kudzu 0 0

If you want quotas to be implemented on only a certain area such as the home directory there has to be a listing for the home directory within /etc/fstab. I’ve shown in the listing above how the /etc/fstab should look after it has been modified. The next step is the save the changes and exit the text editor. Also, the directory you are going to add quotas onto should already be identified as a block device within the system. If it isn't then open up disk druid and repartition your hard drive to set up the /home directory as a separate partition.

The second step in setting up quotas is to remount the file systems which were changed when you edited /etc/fstab. You can either remount the file systems which were changed or reboot the system.

The third step is to run the quotacheck command. When quotacheck is ran it will examine each file system, build a table of current disk usage, and compare this table against that recorded in the disk quota file for the file system. By default user and group quotas are checked. Quotacheck checks the system for two files called .quota.user and/or .quota.group located at root’s filesystem. If quotacheck doesn’t find the files it will create them automatically.

The quotacheck command to be used is quotacheck –uagv. The option – u checks for user disk quota information, -a checks for all quota-enabled, locally-mounted file systems, -g checks for group disk quota information, and –v displays the information verbosely.

Once quotacheck has finished it will display the results in a table which will detail the quotas enabled for each user and group. Now we can start assigning quotas.

The final step is to assign quotas. The edquota program edits both user and group quotas. The edquota program uses a text editor to make changes. Any setting which is left at 0 implies there is no limit for that value or no quota for that setting. The command to use is edquota –u
Disk quotas for user Frank (uid 502):
Filesystem blocks soft hard inodes soft hard
/dev/hda3 24 0 0 7 0 0
Blocks are the amount of space in 1K blocks the user is currently using and inodes are the number of files the user is currently using. The soft and hard limits were explained earlier. Save and exit the file and your quotas are installed.

To monitor quotas you can use the repquota command which reports quota information for specified file systems, users or groups. Once again there are four options a user can use and they are the same ones as used for the quotacheck command.

Running the command quotacheck on a regular basis is a good administrative tool to ensure the tables are kept current. Adding the command quotacheck –uagv to a weekly cron file is the best option here.

Knowing Knoppix

2005-01-20T18:47:00.000-06:00

Knowing Knoppix Here is a free ebook on how to use Knoppix. If you are unaware of the knoppix version of Linux it is a bootable version of Linux which will boot your computer and run the Operating System straight from the cd, using only the cd and the other installed components on your computer. This is a great way to learn how to use Linux. The ebook is about 134 pages and it also includes a section on how to use Knoppix for Windows disaster recovery.

How NERDY are you?

2005-01-19T19:28:00.000-06:00

How NERDY are you? I just had to post this quiz to see what anybody else might think.

Also I've been rethinking the basic premise for this blog and I think I've come up with some ideas which might help me bring new content here on a regular basis. I'll let you know in the coming weeks what I decide.

Linux Security

2005-01-13T15:39:00.000-06:00

Securing Linux I've posted a variety of tips that people can use for securing their Linux systems in the past. Here is one of several good articles that Werner Puschitz has written in his series on how to secure a Linux system running Oracle on it. Obviously most people don't run Oracle on their home systems but his points are still valid for any Linux system.

When there is some spare time I want to go through his other articles concerning Oracle and Linux. He has a good site overall for working with both Linux and Oracle.

Customizing the Motorola Vxxx - A Guide to Hex Editing

2005-01-04T17:17:00.000-06:00

Customizing the Motorola Vxxx - A Guide to Hex Editing Sorry for anyone who thinks this is a Linux tip, but it aint!! It is a cool site which gives descriptions on how to hack into a Motorola phone, along with the software to make changes.

One possible use for this might be to open the bluetooth connection in Verizon phones to upload songs from a laptop. I still need to look further into this.

Fortunately/Unfortunately I left my cell phone out side over the weekend and with the dew I'm sure I only have a limited time for it to still keep working. A good idea is to try some of these tricks after I've bought my replacement phone. I'm sure T-Mobile will enjoy me voiding my warranty with them. Come to think of it the warranty ended about a year ago on this phone anyway.

I'll post my results when I finally hack into my cell phone.

Short Break

2004-12-16T16:36:00.000-06:00

I'm taking a short break from this weblog to make time for some other things, i.e. writing some articles, finishing some Finals and getting ready for school. Hopefully after the New Year I can start up some other topics I want to cover in this weblog, like configuring a kernel and init scripts.

So until next year have a Merry christmas and a Happy New Year.

Services which should be turned off

2004-11-18T13:39:00.000-06:00

Earlier in this blog I talked about services which should be turned off unless they were absolutely necessay for a system to run. The reason for turning these services off is that the less services that are running on a system means the less services that a hacker can use to break into your system. Linux is suppose to be a secure system and it's up to the administrator to keep it that way. Some of the services which should be shut off are as follows:

telenet, rlogin, rsh & rcp: these services allow a user to log in remotely and perform commands on the system from a remote location. The main problem with these services is the fact that they are not encrypted. Anyone can view a remote login session and see exactly what an administrator is doing as he is doing it. The more secure option is to use the SSH utilities.

FTP: Like the above services FTP is not an encrypted protocol. If FTP has to be ran on a system it is best to set the directory up as a separate partition. This way any access someone might have is to that particular partition and no further.

IMAP and POP: If the system is not set up to be an email server these services need to be shutdown. Once again running these services when you don't need to is offering up access to your system when you don't need to.

The chkconfig utility can be used to turn these services off. If you want ot ensure they stay off after a reboot make sure you comment out the lines in the start up scripts that turn these services on.
The key, as always, is to shut down any unneeded services on your system.

Introducing Novell Linux Desktop

2004-11-15T15:42:00.000-06:00

Introducing Novell Linux Desktop Free Web Seminar which covers Novell's new desktop and allows attendees to "learn more about a solution that brings Linux security, performance, and freedom to business desktops." It will be interesting to see which new products Novell will be bringing out for users and corporations next year.

umask settings for users

2004-11-09T08:33:00.000-06:00

Umask defines the default settings for user files on a system, the setting is stored in the standard shell configuration files (.profile, .bashrc, etc). The umask is used by the open system call to set initial file permissions on a newly-created file.

By default, the cp and ftp commands create files using the open system call. However, if a file of the same name already exists, the permissions of the existing file will be preserved (because no new file was created). The tar command, however, is a bit different. When extracting files, tar uses the permissions of each file (as the file was stored) as the base permission upon which to apply the umask.

The essential point here is that strict user settings should be used when setting up the umask for users. The strictest is setting the umask at 077. this means that files and directories created by users will not be readable by any other user on the system. The user still has the ability to change their umask to something which may be more apporpriate for them or changing the file permissions on the file after the fact with the chmod command.

The point still stands Linux is suppose to be a secure system, the best way to keep it secure is to ensure files that aren't suppose to be shared aren't shared across the network.

SSH Configuration Tips from SANS - Internet Storm Center

2004-11-05T05:25:00.000-06:00

The SANS Internet Storm Center has been keeping an eye on some SSH brute force attempts that appear to be from a script kiddie trying to break into systems. There also is a write up which is easier to get to detailing the attempt to break into a Honey Pot on their HoneyNet Analysis page.

One of the tips they offer up on their Internet Storm Center Diary page is with the SSHd configuration file. The main suggestions is to limit the accounts that can log in to SSHd and tighten up the other parameters so the time frame that someone can log in is limited, Their recommended settings are:
PermitRootLogin no
AllowUsers userA userB userC
Protocol 2
LoginGraceTime 20s
MaxStartups 5
Banner /etc/ssh/sshd_banner
also ensure your users use strong passwords.

A second tips is one which I've talked about before and that is to run SSH on a different port than normal, but you have to check that your users systems know where to look for SSH too. Currently it seems that the SSH scanning are on the standard port and are not going beyond that.

To return to the main directory for the SSH tutorials.

Group or World writeable Directories in root's PATH

2004-11-01T10:33:00.000-06:00

Start by typing echo $PATH. The results will tell you where the shell will search for executable files. A null entry in your PATH equates to the same thing as a dot. Including the current working directory either with a "." or by "::" makes it possible for a hacker to gain superuser privileges by forcing an administrator operating as root to execute a Trojan horse program.

The shell variable PATH defines the path and the order of priority for executable files on the system. Alternative paths are separated by a colon (:). The current directory can be specified by two or more adjacent colons, or by a period in between two colons. Path will search each directory in the order specified within the $PATH variable for an executable file that matches the name of the file you are trying to execute.

Limit users with UID 0 accounts to root only

2004-10-22T10:25:00.000-05:00

The ONLY superuser account on a machine should be root. Checking for the UID option in the /etc/passwd file. Somtimes when a hacker will attack a system they will try to leave a way for them to get back in at a later time. The easiest way is to leave a root account open for them to use from their system. The command: $grep :0: /etc/passwd will list everyone who has root access. The only user that should show up here is the root user.

Also, for mission critical systems, do not allow direct root logons except at the console. Only terminals marked as secure in the file /etc/ttytab file will allow any user with UID = 0 to logon directly. If you want you can also mark a terminal as being unsecure, this will force users to log on as their normal user and then su to root.

Setting account expiration parameters

2004-10-19T15:24:00.000-05:00

All active accounts should have an account expiration set on them. Because sys admins are not in the HR dept, when people leave the sys admin is not always told about employee turnover. Using account expirations is a simple way to help prevent any loose accounts from staying out there.

Also it is a good idea to force users to change their passwords on an account on a regular basis. How regular depends on how important the system they are working on, if a user is only on a read-only that is kept in a secure-area they should almost never have to change their password where as a sys admin who has to move from one machine to another machine should be changing their password often.

Finally, idle accounts should be expired. The less mess hanging around means fewer opportunities for someone to use to hack into your system.

You can set account expiration parameters either through the GUI or you can run a script to set the parameters. I will try & have a script set up to check this later this week.

Empty Password Field in /etc/shadow

2004-10-13T15:33:00.000-05:00

The next topic I want to cover is verifying that there are no empty passwords in the /etc/shadow file. Why is this important??

Well any account that has an empty password is open for anyone to log into. Part of the security within a Linux system is to ensure that all users are proper users and no one has any authorized access beyond what they need. Open user accounts are security risks that can be easily preventable. One way a hacker could use this is to set up a fake account that has root privileges through sudo. Then anytime they need to access your system they will log on through the fake account and they will never have to remember a password.

One way to check this is to go through the /etc/passwd file and look for any account that might have a blank password in the password space. Another is to use the command

awk -F: `($2 == "") { print $1 }` /etc/shadow

this command will return any user account that has an empty password. If there are no lines returned then your system is safe.

User Accounts tips

2004-10-11T13:19:00.000-05:00

For the next several posts I want to focus in on user accounts and the user environment. Most of what I want to cover is how to ensure that your system is safe from users going beyond what they are authorized to do within the system. Some of the tips will be ensuring that proper expiration paramters are set for user accounts other tips will help verify that users can't access other resources within a system that they don't have permissions to access.

The first tip is to go through the /etc/password file and verify that there are no user accounts that don't belong and system accounts are not being misused. There is one command that helps here: finger 'sort /etc/passwd | cut -f1 ":"' | less. The finger command displays information relating to the last time an account was used. This command lists each user ID and checks the last login time. Note the single quotes are back ticks. The back tick is found with the tilde (~).
The Linux system also has a utility which will display the last time someone logged in called lastlog that displays the last time a user logged in. The command to use this is simply lastlog.

These commands will list when the last time someone logged into an account, accounts which haven't been used should be checked into whether they still need to exist or not. Also system accounts should never show someone logging into them. If you do show system accounts with a log in the first thing to do is verify there is no shell available for system accounts and if there is change the shell to /dev/null. Changing a shell to /dev/null will prevent any user from using a system account to log into the system and be given root privileges.

Finally, the command pwck should be ran to check for basic integrity, such as ensuring the right number of fields are present and that each name is uniquely identified. For the group file, use grpck.

NETSTAT - checking network status

2004-09-30T13:59:00.000-05:00

I think the final tool I'm going to look into is the netstat command which is used to query TCP/IP about the network status of the local host. The netstat command will provide information on things like active TCP connections at the local host, the state of all TCP/IP servers on the local host and the sockets used by them, devices and links used by TCP/IP and the IP routing tables (gateway tables) in use on the local host.

Some of the command options from the man pages are:
-i Show the state of interfaces which have been auto-configured
(interfaces statically configured into a system, but not located at
boot time are not shown).
-a With the default display, show the state of all sockets; normally
sockets used by server processes are not shown.
-r Show the routing tables.
-p protocol, Show statistics about protocol, which is either a well-known
name for a protocol or an alias for it.
-b With the interface display (option -i, as described below), show
the number of bytes in and out.
-d With either interface display (option -i or an interval, as
described below), show the number of dropped packets.

The output from this command will tell you what your system is listening for and what is possibly open for someone to connect to. The first thing to do is look for services that you have no need to be open and the ensure they are firewalled off, in conjunction you can go in and kill the process and make sure the process doesn't start up form a boot prompt as well as automatically regenerate itself.

The Bigwebmast.com site has a good tutorial that starts at section 8.3 and offers more specifics as to what to be looking for with the different options. Also there is a Netstat Analyzer tool which will help analyze the results from the netstat command.

IOSTAT - Checking Disk Performance

2004-09-25T11:23:00.000-05:00

The iostat command is used for monitoring system input/output device loading by observing the time the physical disks are active in relation to their average transfer rates. It is similar both in format and in use to the vmstat command. The first line of iostat reflects a summary of statistics since boot time. Each subsequent report covers the time since the previous report. All statistics are reported each time the iostat command is run. The report consists of a tty and CPU header row followed by a row of tty and CPU statistics.

iostat 10 5

When this command is ran iostat will spend 10 seconds gathering data and reports a single line of statistics. This will continue 5 times. At least 5 seconds is needed for good accuracy.

extended disk statistics tty cpu
disk r/s w/s Kr/s Kw/s wait actv svc_t %w %b tin tout us sy wt id
sd0 2.6 3.0 20.7 22.7 0.1 0.2 59.2 6 19 0 84 3 85 11 0
sd1 4.2 1.0 33.5 8.0 0.0 0.2 47.2 2 23
sd2 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0 0
sd3 10.2 1.6 51.4 12.8 0.1 0.3 31.2 3 31

A description of the information reported is:

* disk: Disk device name.
* r/s, w/s: Average reads/writes per second.
* Kr/s, Kw/s: Average Kb read/written per second.
* wait: Time spent by a process while waiting for block
* (eg disk) I/O to complete. actv: Number of active requests in the hardware queue.
* %w: Occupancy of the wait queue.
* %b: Occupancy of the active queue with the device busy.
* svc_t: Service time (ms). Includes everything: wait time, active queue time, seek rotation, transfer time.
* us/sy: User/system CPU time (%).
* wt: Wait for I/O (%).
* id: Idle time (%).

With this information in hand an Admin can go about tuning the environment to better suit the needs of the business. There are some good tutorials on tuning and interpreting the results at the Princeton University site, Admins choice site, the softlookup site, and (I know this is for an AIX system but the same ideas will apply here as well) the AIX performance Tuning guide.

*********************************** UPDATE ********************
The systat home page can be found here. With this utility comes the iostat and some other utilities for monitoring Linux.

VMSTAT - Virtual Memory Statistics

2004-09-21T10:24:00.000-05:00

Sticking with the theme of performance monitoring, I'm going to cover some of the other utilities used to monitor a system's and network's performance. The vmstat utility gives a server-wide view of performance. vmstat reports information about processes, memory, paging, block IO, traps, and cpu activity. The first report produced gives averages since the last reboot. Additional reports give information on a sampling period of length delay. The process and memory reports are instantaneous.

vmstat 10 5

When this command is ran vmstat will spend 10 seconds gathering data and reports a single line of statistics. This will continue 5 times. At least 5 seconds is needed for good accuracy. Example output(unfortuantly blooger doesn't format the table properly):

procs memory page faults cpu
----- ----------- ------------------------ ------------ -----------
r b avm fre re pi po fr sr cy in sy cs us sy id wa
1 0 22478 1677 0 0 0 0 0 0 188 1380 157 57 32 0 10
1 0 22506 1609 0 0 0 0 0 0 214 1476 186 48 37 0 16
0 0 22498 1582 0 0 0 0 0 0 248 1470 226 55 36 0 9

FIELD DESCRIPTIONS (These field descriptions came straight from the Man pages)
Procs
r: The number of processes waiting for run time.
b: The number of processes in uninterruptable sleep.
w: The number of processes swapped out but otherwise runnable. This
field is calculated, but Linux never desperation swaps.

Memory
swpd: the amount of virtual memory used (kB).
free: the amount of idle memory (kB).
buff: the amount of memory used as buffers (kB).

Swap
si: Amount of memory swapped in from disk (kB/s).
so: Amount of memory swapped to disk (kB/s).

IO
bi: Blocks sent to a block device (blocks/s).
bo: Blocks received from a block device (blocks/s).

System
in: The number of interrupts per second, including the clock.
cs: The number of context switches per second.

CPU
These are percentages of total CPU time.
us: user time
sy: system time
id: idle time

For CPU issues pay attention to the processes in the run queue (procs r), User time (cpu us), System time (cpu sy), & Idle time (cpu id). If the r column is higher than the number of CPU's in the machine adding some more CPU's would help out. From here you can find out what is using your CPU time with TOP.
For Memory Issues pay attention to the scan rate (sr). The scan rate is the pages scanned by the clock algorithm per second. If the scan rate (sr) is continuously over 200 pages per second then there is a memory shortage. Remember that the free column will dwindle down due to memory being used for I/O cache and buffers, this is normal.

These statistics will go a long way to giving you an idea as to how well your system is responding to requests and if there are any bottle necks it will help give clues as to where to start looking for the problem areas. Hopefully in the next couple of days I can also cover the iostat and netstat commands to help give you an overall look at a sytem and how well it is working.

Process Monitoring through TOP

2004-09-17T11:56:00.000-05:00

Top provides an ongoing look at processor activity in real time. It displays a listing of the most CPU-intensive tasks on the system, and can provide an interactive interface for manipulating processes. It's a good idea to leave top running in aterminal window on machines that are busy but that you are not logged into to help build a history of what is happening on the system.

There are several command line options which can be used to focus the TOP utility on specific things. The first is when starting top use the -d command to specify the type of delay for screen updates, the default is 2 seconds.

Once top is running there are several toggle commands that can be used to sort the display options. The first option is m, which sorts by Mem Statistics based on memory usage.
The i toggle command will cause top to ignore idle and zombie processes. The r toggle command will re-nice a process when you want to change the priority of a process. Some other commands are as follows: N sort tasks by pid, A sort tasks by age, P sort tasks by CPU usage, T sort tasks by time / cumulative time.

You can kill processes from within top with the k toggle command you will be prompted to select the PID you want killed and the signal you want sent to the process, either select 9 or 15.

The configuration files for top can be found at, /etc/toprc and ~/.toprc. The global configuration file may be used to restrict the usage of top to the secure mode for non-non-privileged users. The personal configuration file contains two lines. The first line contains lower and upper letters to specify which fields in what order are to be displayed. The letters correspond to the letters in the Fields or Order screens from top.

As always if you have any further questions the first place to start is the man pages.

Network Time Protocol NTP

2004-09-08T13:52:00.000-05:00

NTP is a utility program used to query NTP servers which hep format the current time and request changes to that time. Why is this important?? Having a constant time throughout a network helps with troubleshooting and gives the administrator a commonality when looking at problem spots within a network.

The first thing to do is download and install the NTP package. An RPM version can be found on the sh-linux.org web site. Once the file is downloaded run the command rpm -Uvh ~/ntp-4.1.1-1.src.rpm.

The /etc/ntp.conf file is the main configuration file for Linux's NTP where you put the IP addresses that you want to configure with. A listing of the servers with which to sync with can be found at the eecis.udel.edu site. After you have made your changes save the file and restart the NTP server with the command /etc/init.d/ntpd restart.

To test that the NTP server is running type pgrep ntpd you should get the process number for the NTP process. Also trying using the command ntpq -p if the result set shows no IP addresses this is a good telltale sign that the NTP server is not updating properly.

An issue to be aware of is in Fedore Core 2 file permissions are not set within the /etc directory and you will have to set the owner and group to be "ntp". Another issue is to be aware that NTP servers communicate using UDP through port 123 and sometimes a firewall will have this port blocked off. If you are having a problem communicating, check the firewall to see if it is allowing communication through this port.

************ Update
Linux.com has ran an article concerning this same subject through their Command Line Series.

Tuning IDE hard disks using hdparm

2004-09-02T12:29:00.000-05:00

As per the man page: hdparm provides a command line interface to various hard disk IO controls codes supported by the Linux device driver sub system. The command to get an idea of how well the sub system is working is hdparm -Tt /dev/hda. This will perform a buffer read and a disk read to help get a benchmark of how well your system is working currently. The command hdparm /dev/hda will tell how hdparm is addressing your drive. I've found two sites with some good info on working with hdparm. The first is the USA Linux Users group and the second is on the O'Reilly DevCenter.com site.

SSH Security through Obscurity

2004-08-30T08:41:00.000-05:00

The SANS site has a good writeup on SSH security through obscurity. Recently there have reports of SSH scanning and brute force attempts. The handler's diary entry for Aug 30th talks about moving the SSH port to a different port, which puts up a small speedbump when hacker's try to access your SSH server. They point out an important issue that if a script kiddie is doing a general scan they should pass over your SSH server and mark it as not being accessible. If a hacker is focusing on your individual system then they will most likely be doing a full scan of your system. The handler who posted these suggestions has his own site.

The first step is to open three SSH connections to the box. His reasoning for this is that if anything happens you still have some connections open to the remote server. Next edit the /etc/sysconfig/sshd file by adding the port number to the "OPTIONS" line (OPTIONS = '-p 1011')
The next step is to configure TSP wrappers and set the firewall to allow incoming connections on the new port.
The next command to type is to restart sshd by /etc/init.d/sshd restart
The primary daemon will restart and the existing connections will remain open for emergencies on the old ssh port 22.
The next step is to edit the ssh config file by adding the following line( Host mysshserver Port 1011)
Now connect to the server with the command ssh mysshserver
everything should work and you should be in, if not you can use one of the other open connections to trouble shoot things or revert back to the previous settings.
Thanks bill for the good tips

UPDATE******
Other users on the SANS site logged in on AUG 30th regarding additional security measures which can be used with SSH . Some of the additional suggestions are to use your firewall to restrict who is allowed to connect to the port. Also in the sshd_config file set "PermitRootLogin no" and "PasswordAuthentication no".

R00T access

2004-08-27T08:24:00.000-05:00

Gaining root access is one of the most important preventive actions an administrator can protect from. Obviously if the main system is ran in Admin mode this will prevent someone else from remotely logging into the system and gaining access, then the issue is how secure the physical premises.

If you have forgotten your root password though there are ways of dropping a system into a shell environment and resetting the root password in /etc/passwd. If LILO is used the first step is to try and boot into single user mode by typing LILO: Linux single. This should give you shell access to go into the passwd file and change the passwd for root. If LILO asks you for a passwd then you're working with a sharp admin whose password protected LILO. As a possibility try hitting ^C which might drop you to a root prompt, unless of course the same sharp admin has trapped the ^C access. In which case the last option to try is to go back into the LILO prompt and type LILO: Linux init=/bin/bash what you are telling the kernel is to give you a shell.

After gaining shell access it's possible that somethings can't be found due to being on a filesystem or disk which isn't mounted yet or it is on a read only mounted filesystem. These steps should help get around this:
mount -o remount, rw ' remount / readable and writable
mount -a ' mount all
mount ' show mounted filesystems
vi /etc/passwd ' clear the password for root
sync ' write buffers to disk
umount -a ' unmount filesystems
mount -o remount, ro / ' remount / read-only again

Ctrl Alt Del login: root ' login as root without a password

If you are using GRUB instead of LILO the RED Hat site has these steps which should work for you to gain a shell. At the selection menu highlight the linux entry and type e for edit. Arrow down to the line which starts the kernel and type e to edit the line. Go to the end of the line and either type single or type init 1 and hit enter to exit edit mode. back at the GRUB screen type b to boot up into the mode you selected. This should get you into a shell where you can vi into /etc/passwd and change the root passwd.

Troubleshooting

2004-08-23T14:16:00.000-05:00

The recent spat of SSH scans have been identified as a program called bruteSSHd which tries to brute force SSH passwords. Brute forcing passwords is simply a program which will try a combination of password retries until the right password is found. This is one of the security issues SSH has in that to the best of my knowledge there is no way to limit the number of failed logins under SSH.

Some other Troubleshooting tips are as follows (most can be found here):
If you get the error msg: "Secure Connection Refused" This is usually a configuration issue. Somewhere within the installation of SSH a wrong parameter was given which currently has SSH looking for an RSH parameter. The easiest thing to do is reinstall SSH.

SSH asks for passwords despite an .rhosts file. This error can be linked to a number of issues regarding the configuration files, whether they are readable or set up properly.

X11 Forwarding problems - check the command line you are using, the proper command line for X11 connections is ssh -f otherhost xclient. Also, check the configuration files on both sides to verify everything is configured properly.

To return to the main directory for the SSH Tutorials.

Security

2004-08-20T09:43:00.000-05:00

There have been several security issues identified with the SSH. Also Security web sites have noticed recently that hackers have been running scans searching the SSH service and trying to crack a login and password into systems. This brings up some all important issues when dealing with the SSH program.

First off the latest version of SSH should always be installed. As of this post the latest version of OpenSSH is 3.9 released Aug 17, 2004. The second thing to do is ensure your public and private keys are secured with proper file permissions.

These two steps fix the majority of the issues people have had with the SSH agent. Occasionally there are issues of password brute force attempts. Ensuring you use a strong password is the first step along with safeguarding your public and private keys.

The Network scanning site has identified several security issues with version 2.3.1, 2.5.x, 3.0.1 and port forwarding with 2.3.0.

I have also identified a security issue when you are using X11 Forwarding in that the connection is a two way connection and anyone you can connect to can connect back into you.
************************************* UPDATE **************************
Geekspeek.org has a post on some security steps to take when configuring SSH, the file which needs to be reconfigured is /etc/ssh/sshd_config. The one main difference which isn't covered in the configuration post is the line which reads: Protocol 2; if there is a 1 after the 2, remove the 1. This tells SSH which versions of SSH to run. there are too many security issues with the first version of SSH to even consider running. There is also a comment regarding the UsePrivilegeSeparation line which the only information I've been able to find is that this feature is not compatible with SSH version 3.2 or earlier.

To return to the main directory for SSH Tutorials.

Port Forwarding

2004-08-19T12:00:00.000-05:00

Port Forwarding can be used to encrypt email, web or any other traffic through the internet. Port Forwarding can also be used to bypass restrictive firewalls.

There are two types of Port Forwarding: Local and Remote. Local forwarding allows you to open a port on YOUR machine and associate it with a port on some remote network. such as User => port on user's box => ssh => linuxbox => mail port on email server. Remote forwarding work the same way, but backwards.

The ssh program can be told to listen on any port either on the remote or local computer, forward any service or data through the encrypted connection, and sent it to some other destination from the other end.

The main command will be ssh -f -N -L9999:mailhost:9999
-f switch tells ssh to run in the background
-N switch tells ssh to not actually run the command just do the forwarding
-L switch tells ssh which local machine to connect to. You can specify as many -L lines as you like
-C switch tells ssh to use compression

a good example is ssh -f remotesystem cat secretdata | lpr
which tells ssh to connect to remotesystem and send the information in secretdata to the printer.

Another example is to set your Linux box up to accept ssh connections and then connect to your box through an IE browser to bypass firewall restrictions. Descriptions for such a connection can be found on the buzzsurf web site.

To return to the main directory for SSH tutorials.

X11 Forwwarding

2004-08-18T09:50:00.000-05:00

X11 forwarding allows a user to connect to a remote machine and open a connection to the X11 interface on the remote machine.

Some uses for X11 forwarding are to set up VNC connections or for ethereal connections to capture packets.

Some security issues to remind users of are the fact that if you can see what is happening on someone else's machine through SSH, they can do the same to you. If you use weak file permissions this will allow someone to have access to your system. The Hacking Linux Exposed site covers this vulnerability. With this in mind let's look at how we can set up X11 Forwarding.

The guide can be found here.
Starting up an X11 connection is done through the command:
ssh -X

You also need to ensure X11 connections are enabled on the server you are conencting to.
On the machine you are going to connect to the sshd2_config file needs this line added:
AllowX11Forwarding yes

Also X11 forwarding needs to be enabled within your sshd_config file with the following line:
X11Forwarding yes

To return to the main directory for SSH tutorials.

SSH Compression

2004-07-26T17:49:00.000-05:00

This next section will cover when to use compression and when to not use compression with SSH connections.

The two biggest reasons to use compression are when you are connecting through a slow connection, similar to a dial-up or when you have to move a large amount of data form one machine to another machine and the compression will make the data transfer move faster.

There are some reasons not to use compression also, any time one of the systems has a slow processor you want to avoid compression due to the time spent uncompressing or compressing the data. Also if the data is already compressed, using compression will only add the time to compress and uncompress to the process.

SSH uses GNU ZLIB (LZ777) for compression. By default compression is turned off in the /etc/ssh/ssh_config file, but can be turned on at the command line with the command ssh +C username@hostname. additionally the user can request a compression level at the command line from anywhere 1 to 9, with 1 being the fastest and 6 is the default.

Two good sites for SSH compression are the ssh.com site and the University of Cambridge site.
I know this is a short piece this time but this pretty much covers the compression discussion, remember to look at your environment and what is actually happening before you enable cmpression due to the fact that it doesn't save time all the time.

To return to the main directory for the SSH tutorials.

SSH Configuration Files

2004-07-26T12:12:00.000-05:00

Continueing on the SSH topics, the next topic is to look at the configuration files for the SSH program. The global settings for the program can be found in the /etc/ssh directory. The two main files for global settings are /etc/ssh/ssh_config and /etc/ssh/sshd_config.

The ssh_config file allows you to set options to modify the client programs, some of the more important settings are as follows:

Forward Agent specifies which conection authentication agent if any should be forwarded default is no there are some nstances where this should be yes though.
Forward X11 automatically redirects x11 sessions to the remote machine, since this should be a server set up this should be left at the default of no.
Password Authentication specifies to use password authentication. For strong security this should be set to yes.
Batchmode used when scripts are used and you don;t want to be supplying a password through the script.
Compression controls wether compression is used or not, the default is NO.

The next file is the sshd_config file which allows you to set options which modify the behaviour of the SSH daemon.

PermitRootLogin specifies whether root can log in through SSH. This option should always be set to NO.
StrictModes specifies whetheter SSH should check the user's permissions in their home directory and rhosts files before accepting logins. this option should always be set to YES.
X11Forwarding specifies whether X11 forwarding should be allowed on the remote amchine, since this is a server this option should be set to NO.
Password Authentication specifies whetehr password authentication should be used. This should be set to YES.
PermitEmptyPasswords specifies wether the server will allow logging in with null passwords, if you will be using the SCP utility this option must be set to YES.
AllowUsers specifies which users are allowed to use SSH services, multiple users can be specified.

If you are interested in some of the other features which can be adjusted you can check the man pages which were referrenced earlier in this post.

To return to the main directory for the SSH tutorials.

SSH Public Keys

2004-07-25T10:16:00.000-05:00

Continuing on the SSH topics, the next topic is the use of public/ private keys to enable passwordless logins.

One of the benefits of SSH is the ability for passwordless logins. This is done through public key exchange. the ssh-keygen program can be used to generate either an RSA or DSA key. The -t option allows you to select either RSA or DSA encryption. The -b option selects the number of bits in the key to create, the default is 1024. The default location for the files created is in the ~Home/.ssh directory. Stick with the default directory due to the fact that other SSH tools will look for keys in this same directory.

After typing in the command ssh-keygen -t (rsa/dsa) you'll be given an option to select a password. The reason to use a password is to protect your key from theft from someone outside your network. If your system is in a protected environment usign a password can be tedious.

After the ssh-keygen program generates your key it will then ask you where to store the key, the default will be in the ~HOME/.ssh/ directory. Then it will ask you for a pass phrase, remember what kind of environment your system is in. Leaving the passphrase blank will leave the private key unencrypted so you have to secure the file from unauthorized access, on your local machine the permissions should be 0600. SSH is very strict about the file permissions which are used on your system and on the remote system.

When the ssh-keygen program completes, two new files will have been created ~HOME/.ssh/id_(rsa or dsa) and ~HOME/.ssh/id_(rsa or dsa).pub the exact file name will depend on wether you selected rsa or dsa encryption.

The final step is to get the keys to the remote system. the first step is to log back into the remote system and create an .ssh directory in your home directory and verify the file permissions are set up properly. The command ssh user@hostname "mkdir .ssh; chmod 0700 .ssh" does this. The next step is to copy the file ~HOME/.ssh/id_(rsa or dsa).pub to the remote sytem. The command scp .ssh/id_(rsa or dsa).pub hostname: .ssh/authorized_keys2 does this.

The next time you want to log into the remote sytem all that is needed is the command ssh hostname. This also works for the scp command.

If there are any problems check the file permissions on both ~HOME/.ssh/* and hostname:~HOME/.ssh.*. The id.(rsa or dsa) file should be 0600 and only on your local machine an everything else should be 0655 or better.

Kimmo Suominen has a good overview of the ssh process. Also the Deadman.org has a decent overview of the SSH agent.

To return to the main directory for the SSH tutorials.

SSH Secure Copy/ File Transfers

2004-07-20T12:44:00.000-05:00

This follows on the ideas I've been putting out about using SSH in the everyday environment of an Administrator. The next use for SSH is to transfer files across a network, either from a remote machine or to a remote machine. SCP (Secure Copy), the SSH version of rcp, can transparently and securly copy files over the SSH protocol. With SSH you can also cpy between two remote systems without having to go through the local machine.

A good reason to transfer files via SSH is to move log files or configuration files from one machine to another machine. A nice added feature of SCP is that jobs can be automated with a Cron job. A key feature of the automated option is that public keys needs to be set up which I'll cover in another day or two.

The basic command looks like this: scp user@remotebox:~/
This will transfer the file listed in file name from the remote box to the local box. The colon after the remote box tells scp where to copy the file to. The ~/ lists the destination on the local box where to copy the file to, the default is the home directory of the user signed in with SSH.

Changing the order of the command will give a different result. Changing the order as thus: scp user@remotebox: /tmp/special This command will copy the file from the user's home directory on the remote machine to the /tmp/special directory on the local machine.

Relative file names resolve differently on the local machine than on the remote machine. On remote machine the /HOME directory is assumed, on the local machine the current directoy is used.

Some common options are:
-p option preserves modification times, access times, and modes from the original file.
-r recursively copy directories

When you specify remote locations in the source and destination, scp will copy from the source to the destination without going through the local host.

To return to the main directory for the SSH tutorials.

SSH Overview

2004-07-19T10:40:00.000-05:00

SSH was created by Tatu Ylonen in 1995, OpenBSD picked up on the project in Dec 1999. SSH is intended as a complete replacement of the r utilities (rlogin, rsh, rcp, etc) and telnet. SSH focuses on securing network applications, such as terminal sessions.

SSHd is configured with the /etc/sshd_config file. This file can be used to configure such things as allow/deny hosts, idle timeout, and the type of authentication to be used. SSH reads the $HOME/.ssh/config file and the /etc/ssh_config when it starts up. Any configuration which needs to be done is accomplished with these three files, also the MAN pages will have more information about the SSH program.

The basic command to use SSH is:
ssh -l user@hostname

This will initiate the commands to log in. With SSH2, SSH splits the SSH functions into three separate protocolsusing the Transport Layer Protocol, Authentication Protocol, and the Connection Protocol. More information about the specifics of theses protocols can be found at the Information Security web site. This article has a good overview of the differences between SSH1 and SSH2.

Once a connection with the remote computer is established then commands can be executed and the results will be returned to the same terminal screen. This brings us to having a connection and being able to run commands remotely. The next couple of days I'll look at secure copying of files, authentication and using Public Keys.

To return to the main directory for the SSH tutuorials

SSH tutorial

2004-07-19T10:29:00.000-05:00

For the next couple of weeks I want to cover the different aspects of the SSH program, along with some different uses for SSH. The topics I want to cover are as follows:

Hopefully I can cover most of the uses of SSH for the average Sysadmin to uses SSh in their everyday environment.

Locking Down a Linux box part V (conclusion)

2004-07-15T13:14:00.000-05:00

This will be the final piece on this subject for the time being. In my look at the initial things to look at when securing a Linux box.

This post is going to follow-up on the find command which searched for setuid & setgid permissions. Vulnerabilities in the setuid/setgid binaries can often lead to root compromise, so they should only be used when necessary. Once again after running the find / -perm +6000 -type f ls command we will be given a list of the different files which are ran with root priveleges. The US-CERT site covers this topic as well as looking at the ncheck command.

The root privileges should be removed from unnecessary binaries with the chmod command using the -s flag.

Which permissions to remove this from are dependent on if your system has untrusted local users and which applications are required to run with system privileges from non-root users. In a future post I'll try and look at the different files which are given root privileges by default and wether they actually need the priviliges or not.

Locking Down a Linux box part IV

2004-07-14T13:23:00.000-05:00

Today I'm going to go back to the netstat command that I talked about a couple of days ago. Essentially it will show you all the sockets that are in the LISTEN state and the programs that are listening on each port. The big issue here is what services should this particular Linux box be listening for. If this box is being used as a Web server should there be a printer hooked up & should the box be running an lpd daemon in the back ground -- NO!! This is why it is important to only have essential services and daemons running on a Linux box.

There is a good article at the Techrepublic web site titled "Improve your Linux security: Stop unnecessary services". Which talks about the same issues. A sample of the /etc/initd.conf file can be found at the userlocal.com web site.

some other good sites with a good overview of the security implications are found on the Redhat site, YoLinux.com site, and the resnet.ubc.ca site.

Locking Down a Linux box part III

2004-07-12T09:39:00.000-05:00

In this third entry into my Locking down items I want to look at the commands which tell
the Linux box to run programs under a different user id or group id. The SETUID and SETGID commands are very powerful commands in that they allow a program to be ran under a different user id or group id. Why is this important - a program which doesn't need to be running on a server can be given ROOT privileges for no reason and can create a security hole that can be exploited. as any good admin knows the only services which should be running are those that need to be running on that particular box.

The fastest way to find these files is to use the FIND command with a few particular options. The command is find / -perm +6000 -type f ls what this command will do is search from the root partition for any file with permissions of 6000 or higher, is a file, and is executable. Obviously any executable file which runs with ROOT privileges should have the interest of the Administrator.

Locking Down a Linux box part II

2004-07-11T11:57:00.000-05:00

Continuing with my look at different tools to monitor a Linux box, the next command I want to look at is the netstat command. Before I look at the netstat cpmmand I want to look at the file which determines which services get started at boot time. This file is the /etc/initd.conf, this file manages all the incoming connections into the Linux box. When a connection is made, inetd starts a copy of the appropriate daemon for that port. These are the services which are running in the background and which can potentially be security risks on a system. Running the command cat /etc/initd.conf and looking for uncommented lines will show you which services are running.

netstat command
Prints network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. Essentially it will show you all the sockets that are in the LISTEN state and the programs that are listening on each port. Netstat prints information about the Linux networking subsystem.

OPTIONS

(none)
By default, netstat displays a list of open sockets. If you don't specify any address families, then the active sockets of all configured address families will be printed.

--route , -r
Display the kernel routing tables.

--interface=iface , -i
Display a table of all network interfaces, or the specified iface).

--verbose , -v
Tell the user what is going on by being verbose. Especially print some useful information about unconfigured address families.

--numeric , -n
Show numerical addresses instead of trying to determine symbolic host, port or user names.

-p, --program
Show the PID and name of the program to which each socket belongs.

-l, --listening
Show only listening sockets. (These are omitted by default.)

-a, --all
Show both listening and non-listening sockets. With the --interfaces option, show interfaces that are not marked

Locking Down a Linux box

2004-07-10T10:26:00.000-05:00

I want to spend the next week looking at some of the different utilities used to lock down a Linux box and make it harder for someone to hack into it.

PS command
PS stands for process status. This command lists the current running processes on a system appropriate for the privilege of the user using the command and also their characteristics, when used with certain options. Used to check and minimize security breaches, unwanted accesses, and idle processes. If pid arguments are specified then only those processes are listed, otherwise all processes with the same effective user id and controlling terminal are listed.

Older versions of the PS program will return an error if the dash (-) is used. hence sometimes ps -aux will be shown as ps aux.

OPTIONS

-a, --interactive
List all processes associated with terminals.
-t, --terminals|ttys=tty...
List processes with controlling terminals in the tty list.
-T, --tree|forest
Display the process tree hierarchy in the COMMAND field list.
-u|U, --users=user...
List processes with real user id names or numbers in the user list.
-v, --verbose
List verbose error messages for inaccessible processes.
-x, --hex
List numeric entries in hexadecimal notation.

Useful Apt-Get commands

2004-07-09T09:37:00.000-05:00

Here are some useful Apt-Get commands that I've found.

apt-get install rdate
This will install the rdate program once it's installed then you can decide which time server to set your clock against. The two time servers I've found are the National Research Council, Ottawa, Canada or the NIST Laboratories, Boulder, CO. The respective commands to be used are either rdate time.nrc.ca or rdate time.nist.gov

apt-get install makepasswd
This will install the makepasswd utility for randomly generated passwords. The command after the makepasswd utility is installed is makepasswd --count=10 this would generate 10 passwords of various lengths.

apt-get -s (command) (package name)
The -s option tells apt-get to simulate the events that would occur if the command were actually ran. Simulate prints out a series of lines representing the command action, but does not actually change the system.

InstallShield X and Linux

2004-07-08T13:28:00.000-05:00

InstallShield has released a version of their popular Installation software for Linux.

Here is the Press Release with some of the features:

1. Easily create installations that will run on Linux using a dedicated
point-and-click interface
2. Compact Project Type for smallest footprint
3. Instantly Notify Users of Updates
4. Easily mark files that will always need to be overwritten at installation time
5. Mobile Device Support

Newsforge has an interview with Bob Corrigan, the product manager for InstallShield X, and Gerold Franke, InstallShield public relations, regarding their push into the Linux world.

One of the issues they've identified is the indivudual or corporation who are moving towards Linux and want an easy way to install software without having to get down and dirty with the install process. I think this is an important step in Linux making a move into mainstream use where users are focused on using the applications which can be used with Linux and not having users focus on specific installation processes.

********************* UPDATE

Linux Journal has a review of the Installshield utility for Linux. The following statement pretty much sums up what I talked aobut above, "in the Linux world, most of us are used to tweaking config files and compiling from source. This is not done in any other consumer OS. To be able to expand our user base, we need tools such as InstallShield X to make the experience of installing and upgrading as painless as possible."

Last command

2004-07-08T12:35:00.000-05:00

last, lastb - show listing of last logged in users

The Last command searches back through the file /var/log/wtmp (or the file designated by the -f flag) and displays a list of all users logged in (and out) since that file was created. Names of users and tty's can be given, in which case last will show only those entries matching the arguments.

The Lastb command is the same as last, except that by default it shows a log of the file /var/log/btmp, which contains all the bad login attempts.

The pseudo user reboot logs in each time the system is rebooted. Thus last reboot will show a log of all reboots since the log file was created.

OPTIONS

-num
This is a count telling last how many lines to show.

-n num
The same.

-t YYYYMMDDHHMMSS
Display the state of logins as of the specified time. This is useful, e.g., to determine easily who was logged in at a particular time -- specify that time with -t and look for "still logged in".

-R
Suppresses the display of the hostname field.

-a
Display the hostname in the last column. Useful in combination with the next flag.

-d
For non-local logins, Linux stores not only the host name of the remote host but its IP number as well. This option translates the IP number back into a hostname.

-i
This option is like -d in that it displays the IP number of the remote host, but it displays the IP number in numbers-and-dots notation.

-o
Read an old-type wtmp file (written by linux-libc5 applications).

-x
Display the system shutdown entries and run level changes.