Friday, August 25, 2006

LDAP Authentication In Linux

This howto will show you how to store your users in LDAP and authenticate some of your services against it.

LDAP authentication is nice.. but it can also cause problems.
Every time you do an "ls" you'll hit the ldap server to look up file ownership.
Every time your webserver goes to get a file, it'll hit the ldap server to check permissions.

Something tells me because it's called _Lightweight_ Directory Access Protocol that won't be a problem unless you're doing thousands upon thousands of lookups per second...and in any event, [open]ldap supports replication. It solves numerous more problems than it fixes.
That's why there is something called Name Switch Cache Daemon (nscd)

Authenticating systems to LDAP is great. Especially because there's so much possible versatility. For example, not only can you authenticate logins, but you can also setup AutoFS to pull automount information from LDAP, and even better, you can actually pull SUDO access rules from LDAP (to replace the sudoers file).

This makes it *so* much easier to remove direct root login, and force administrators to use sudo. It also makes it easier to selectively grant additional access to users.

Sunday, August 20, 2006

MySQL Connection Management in PHP - How (Not) To Do Things

OK, I think I see what he is explaining; he has a point on the WordPress constructor... they should create the resource static and check if it has been defined already. He focuses on the reuse of the DB object, so if you create a new DB object you only use 1 connection. I was hoping for sharing a DB connection between sessions.

Sharing a DB connection between PHP instances can be done with pconnect.. but it's not a good idea.

The problem with wordpress is that the connection is opened at the beginning of every page. Multiple times. (There's a separate connection for the body of the page, and the sidebar, and the individual includes in the sidebar, etc etc).

He solved this problem by only opening a connection if a page is actually going to make a request.

The other problem (which he didn't address) is that WordPress holds open a connection for too long, and does too many queries. Loading the front page of a standard configuration WordPress blog issues 27 queries over 3 separate connections. Basically, WordPress is a mess. They went include crazy (just look at how many different includes there are for the header alone.. he went 3 includes deep to find the MySQL connection).

#####################
First off, Wordpress only uses one connection for everything. Really. Unless you have a plugin or some other code making its own connection, all Wordpress queries are handled through the same connection.

The way it works is that, at the beginning of the execution, an instance of the wpdb class is created. Every query Wordpress does is through this one instance. It has one connection and it maintains it for the life of the execution cycle (until you see the generated page, basically).

What he's talking about is "lazy loading". See, when the instance of this class is created, it connects to the database right then and there. If the rest of the code then goes on and never uses that instance, you wasted your time connecting, yeah? His solution is to wait to actually connect until you need that connection. Basically, his patch eliminates the connection from the class constructor and creates a separate connect() function. Then, the query function is modified to check that a connection exists, and if not, call the connect() function to build one.

The benefit here is that if your page never hits the database for anything, then it never connects at all. This is smarter than the current Wordpress code.

However, it's also unnecessary, really. With Wordpress in particular, it would be extremely difficult to imagine a scenario where it doesn't actually hit the database. Everything comes from the database. Posts, sidebar content, anything dynamic, it all hits it. So this really isn't saving you anything for your average blog. Yes, he is correct that making the connection lazy makes more sense. However, it's a poor example, because Wordpress virtually *always* uses that database connection. Several times.

He also goes on about caching, and yes, caching is good. He doesn't talk about caching with Wordpress, but there are caching hooks in there and plugins which can use them (WP-Cache, for example). This sort of thing implements caching in a very smart manner... smarter than what he's talking about in his code snippets there, certainly. The upshot is that if you use something like WP-Cache, you get everything he's talking about and then some, making Wordpress extremely quick indeed.

Takes some setup, but what doesn't?
##################
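The lazy-connect pattern the comment above describes, as an added Python sketch (not WordPress's wpdb code, which is PHP): the constructor records the connection parameters but does not connect, a separate connect() is idempotent, and query() calls it on first use so every query shares the one connection. sqlite3 stands in for MySQL so it runs offline; the connection counter is there only to make the behaviour observable.

```python
"""Lazy database connection wrapper (added illustration, not WordPress code).

The constructor no longer connects; query() opens the connection on first
use and reuses it afterwards. sqlite3 stands in for MySQL so it runs offline.
"""
import sqlite3


class LazyDB:
    """Opens at most one connection, and only when a query is actually issued."""

    def __init__(self, dsn=":memory:"):
        self.dsn = dsn          # sqlite3 path here; host/user/db for MySQL
        self._conn = None
        self.connections = 0    # how many times connect() really ran

    def connect(self):
        """Separate connect() as in the described patch; safe to call repeatedly."""
        if self._conn is None:
            self._conn = sqlite3.connect(self.dsn)
            self.connections += 1
        return self._conn

    def query(self, sql, params=()):
        """Every query goes through the single shared connection."""
        conn = self.connect()             # connects only on the first call
        cur = conn.execute(sql, params)   # parameterised: never interpolate input
        return cur.fetchall()

    def close(self):
        if self._conn is not None:
            self._conn.close()
            self._conn = None


def demo():
    """Return (connections after construction, after three queries, rows)."""
    db = LazyDB()
    before = db.connections            # 0: the constructor did not connect
    db.query("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    db.query("INSERT INTO posts (title) VALUES (?)", ("hello world",))
    rows = db.query("SELECT title FROM posts")
    after = db.connections             # 1: all three queries shared one connection
    db.close()
    return before, after, rows


if __name__ == "__main__":
    print(demo())
```

A page that never calls query() never opens a connection at all, which is the whole point of the patch; a page that runs 27 queries still opens exactly one.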

Anyone who uses func_get_args() like that needs to look at how they code. That's some seriously ugly code.

But the general concept is completely right and should be used by most apps.

#################
So now that we got the caching idea into our heads what would be the most effective medium for storing your cache?
Is it filesystem? or could we maybe use something like SQlite for it?

memcached from http://www.danga.com/memcached/ is what you're looking for. It's amazing. I'm doing about a billion cache look-ups a day with it on some older hardware. I'm doing with one old server what previously took four nice big new servers.

####################
Interesting - but he's failed on one minor problem - that his caching algorithm uses the file system - a bigger problem than the one he is solving - the only way that this will work efficiently is if the blocks he is including are very complex (either in the SQL queries used OR in the processing that is performed on the output)

It is admittedly easy to produce and reuse the files - but there are problems with large directories if the site is getting into the sort of traffic that requires this sort of caching...

On a test version of our work server we were using file caching (and having to store temporary images) - we managed to break the file system by creating millions of files overnight - the systems team worked out that it would be quicker to reformat the system disk and re-install the operating system than deleting all the files with rm (calculated time was somewhere near 32 days to remove files created in 12 hours!)

Saturday, July 29, 2006

Linux Printing with CUPS

CUPS (Common Unix Printing System) version 1.2 was released last month, bursting with over 90 fabulous new features and improvements. Today we'll take a look at them and decide how fabulous they really are.


Push Windows Printer Drivers with CUPS
Today you shall learn how to use CUPS and Samba together to set up automagic client printer installations. That's right, my hardworking friends, none of this dashing about to individual workstations burdened with driver disks and Windows CDs. The goal here is to never leave your snug underground lair.

How To Test Your Linux Firewall

This article shows how you can test your Linux firewall with a tool called FTester (Firewall Tester). With FTester you can check your firewall's filtering policies. The tool consists of two perl scripts, a packet injector (ftest) and the listening sniffer (ftestd). Furthermore, FTester also provides Intrusion Detection System (IDS) capabilities.

This is more akin to Tomahawk (mentioned above). People are just trying to flex their muscle by proving they know about one-or-two tools.

I use quite a few tools in my job including Tomahawk, Spike, THC-AMAP, Etherape, dsniff, TCP traceroute, aircrack/airsnort/aireplay/kismet (for wireless), ettercap, ethereal, fping, nemesis, driftnet, vomit, john the ripper, hydra, nikto, ngrep, ntop, arpwatch, dsniff, fragroute, nmap, nessus, nessus inline, cheops, metasploit (rarely), honeyd, firewalk, lids, tripwire, aide, stunnel, tcpdump/tcpreplay, bile, paketto, ISS scanner, eEye Retina, nCircle 360, SkyBox and more.

A direct comparison with nmap isn't really fair as nmap will not analyse the output or munge the packet properly to simulate a multi-network origin. If you've got an Enterprise firewall with 15,000 rules, going through the output of nmap is very difficult, plus you'll have to make the nmaps look like you're coming from multiple different locations. nmap is great as a single tool from a much larger toolbox.

This looks interesting, but a similar open source tool called Tomahawk (which is mainly used for testing IDS/IPS systems) has been around for a while - http://tomahawk.sourceforge.net/ - I have to admit a vested interest, I used to work for the company that started the original Tomahawk project. With Tomahawk you can take pcaps using TCPDUMP/Ethereal and then replay them through a device, and you can even amplify (capture 10 Mbps worth of traffic, but play out 1 Gbps worth of traffic) and munge source/destination packets.

The Tomahawk is designed for a different purpose than this tool, but if you're interested in this have a look at it. Like I said, this is another tool for the toolbox. Those that rely on one tool are only seeing/testing a very limited aspect of the network/host.

How to set up a mail server on a GNU / Linux system

Easy to follow howto on setting up a mail server. Based on an Ubuntu distribution platform, but instructions are distro generic.

If you want to use the Debian way to a Postfix mail server, there is a guide here:
http://johnny.chadda.se/2005/04/30/postfix-howto/

Only PDF at the moment I'm afraid.

Here is a step by step on Debian that includes antivirus and spam filtering:
http://www.fatofthelan.com/articles/articles.php?pid=22



Zimbra includes all* this and makes install as simple as: "./install.sh".

http://www.zimbra.com

* AJAX UI rather than SquirrelMail
Internal IMAP rather than Courier

http://www.qmailrocks.org

The most comprehensive mail server setup guide for FreeBSD, Linux, Solaris, etc... Oh yeah, Qmail is the fastest and most badass mail server on the planet. Google (gmail) runs a modified version of it, same with Yahoo.

QmailRocks is good for most distros, but for RPM-based distros there is also the QmailToaster

http://digg.com/linux_unix/Qmail_Toaster_makes_mail_server_setup_easy

This project has made it very easy for any RPM based Linux distro to become a full functioning mail server, complete with webmail and imap-ssl.

Howto install a Debian GNU/Linux system onto a USB flash thumbdrive with the root partition encrypted

How to Run Linux on a USB Drive

Simple instructions for anyone looking for a portable installation that they can easily carry with them for use as rescue media, system administration or as a private workstation. This site offers a great guide to booting a distribution of Damn Small Linux on a Lexar 512mb Jump Drive. It includes complete instructions with screenshots. Definitely worth a look!

For more information on LUKS (Linux Unified Key Setup) see: http://luks.endorphin.org/

I'm glad it's getting out to people. It's using device-mapper encryption that will work with (just about) any Linux box. If you have a 500MHz CPU there's no huge reason not to use encryption. And unlike Windows' crappy encryption, you can encrypt the entire root filesystem, not just non-system files / folders

http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt_with_LUK



"Does bartpe support ext2 filesystems?"

It does, but read-only: http://www.bootcd.us/BartPE_Plugin_Details/58/Explore2fs.html

irc.chatjunkies.org #linuxhelp if you need help setting it up lowkey hangs out in there

FTA:"NOTE: This howto will only work if your device has been detected as /dev/sda because of how mkinitrd.yaird works." ...."mkinitrd.yaird"? -Never heard of that.

I'm familiar with the original Debian how-to, what I have yet to find is a concise how-to for installing an OS on a *hard drive* encrypted at time of install. Not just the root, but the whole thing.

Yaird - Yet Another Mkinitrd
For more info: http://yaird.alioth.debian.org/

I have found it useful to just install Knoppix onto a 1GB thumbdrive.

The 700MB CD-ROM image fits rather nicely, giving just under 300MB of free space remaining on the thumbdrive.

Knoppix doesn't use encrypted partitions, instead, it uses a large file that contains an encrypted filesystem. This actually works out better for installations designed to be portable, like USB keys. The reason is that device letters can often change on various computers, depending on what other drives are installed: for example, sda, sdb, sdc....

By using a file instead of a partition, Knoppix can just search for this file, on all devices it can see. It saves having to directly mount a device, and then having that mount fail because the location changed. Also, the size of this file can be changed without having to repartition/reformat!

Also, the main Knoppix CD-ROM data doesn't need to be encrypted, as there's no secrets there, and it remains read-only. So, you get a little better speed, as the entire USB key doesn't need to be encrypted.

Here's my writeup of how to get Knoppix nicely installed to a USB key:

http://www.knoppix.net/forum/viewtopic.php?t=23558

This is slightly different from the method described on the FAQ, for various reasons I mention in the forum.

If you want to support the development of Damn Small Linux you can purchase it on a bootable USB drive from here: http://damnsmalllinux.org/usb.html


http://www.ubuntulite.org/drupal/?q=node/1
UbuntuLite might be a good way to get Ubuntu on a smaller size USB drive.
Not too sure how far they've got with it yet though, but it might be worth a try.


I prefer www.puppylinux.org

There are usb "sticks" available which run linux. I have the BlackDog (see http://www.projectblackdog.com) . Another would be Gumstix (http://www.gumstix.com)


Feather Linux, it's about 128MB but has way more functionality than DSL.
http://www.chipnick.com/thumbdrive-linux

Friday, July 28, 2006

Managing Linux Through Windows Active Directory

A nice article about connecting Linux Authentication to Windows Authentication.

Check this how-to posted here a while back on Linux/AD Integration

http://thelazyadmin.com/index.php?/archives/381-LinuxUnix-Active-Directory-Authentication-Integration-Part-1.html

http://thelazyadmin.com/index.php?/archives/383-LinuxUnix-Active-Directory-Authentication


Not a complete authentication solution. Kerberos against a Windows ADS does work, but as laid out in the article, this does not present an SSO solution nor does it work for all authentication operations. It does get you about "80%" there, but there are holes. For one, if you manage all your users in ADS, you'll still need to create the users on each of the Linux machines that the user(s) are allowed to use. You can work around this using Samba and some user/group mappings, but it is something that anyone trying to manage users in one place should be aware of. Also, not all the Linux modules use krb5. You may need to recompile or install the appropriate module with krb5 support and that still may not be enough. I can't recall if it's KDE or GNOME, but one of them lets you authenticate at login using Kerberos against ADS, but if you then attempt to use the manager's "network explorer", the authentication fails (one of them fails silently and just denies you access, the other at least prompts you for your domain, username, and password even though you just entered the information at login). It is a starting point but these are probably better resources (even if not fully complete themselves):

http://redmondmag.com/columns/article.asp?EditorialsID=858
http://redmondmag.com/features/article.asp?EditorialsID=422


This should work at least 95% of the time when the service/program/etc uses PAM for authentication. Some can even use winbind directly, some (like GDM, etc) support kerberos directly but i have never had any real luck with them, tends to make more of a mess than anything.

As far as having to set up samba, you have to do that already for pam->winbind->AD to work. And you don't need to create the users/groups locally (winbind takes care of that, try getent passwd/groups or wbinfo -u/g after samba/winbind is configured), but you do need to script the creation of the home directory on the first login (from skeleton, or maybe even grab it from a roaming profile possibly? how to keep it in sync though...).

The whole process isn't trivial, but it isn't that hard either. Good tutorials/howtos are hard to come by (at least were 4 years ago when I first did this) but are getting better.

I set up our Linux boxes to authenticate to our Active Directory domain using Samba's winbindd, pam_winbind and pam_mkhomedir. Works well and has reduced my management headache a fair bit. http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html has all the related information.

Why stop there, integrate all of it, samba, ldap, mail, etc...
http://www.fatofthelan.com/articles/articles.php?pid=24


While the forum linked to in the post here seems valuable, here's the actual article link:

http://www.linux-watch.com/news/NS4820656867.html


Web app authentication is much better handled with a simple LDAP bind. If you're in PHP, for instance:

// Given $username and $passwd, try domain auth...
// DC = domain controller, yourdomain.local = domain name
function domain_auth($username, $passwd) {
    // An empty password turns ldap_bind() into an anonymous (unauthenticated)
    // bind, which Active Directory accepts, so reject it before touching LDAP.
    if ($username === '' || $passwd === '') {
        return false;
    }
    // A simple bind sends the password in clear: use "ldaps://DC" or
    // ldap_start_tls() on anything but a trusted network.
    $ad = ldap_connect("DC");
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0); // AD referrals otherwise break the bind
    $bd = @ldap_bind($ad, "$username@yourdomain.local", $passwd);
    ldap_unbind($ad);
    return (bool) $bd;
}
if (!domain_auth($username, $passwd)) {
    // bad username or password
} else {
    // logged in
}

Single-Sign-On on Linux using LDAP with Active Directory

This article discusses how you can integrate Linux into a Windows-based network by making it authenticate against an Active Directory server and having it get passwd and group information from Active Directory as well.

Also Note, Check your AD Schema version before trying to update using the LDF files listed. Windows Server 2003 R2 will have the attributes already integrated for Unix Support.

http://www.microsoft.com/windowsserver2003/r2/unixinterop/default.mspx

We use Quest's (formerly Vintela) VAS product to integrate the *NIX systems into AD. It offers other benefits found in Windows systems, now on the Unix boxes (cached logon most importantly, Group Policy support, etc.)

LDAP IS NOT AN AUTHENTICATION PROTOCOL!

First of all, you are correct about LDAP not being an authentication protocol.

Kerberos is an excellent solution for many people wanting to maintain a single AD management system, except there is one problem that Kerberos can't solve for our solution. If you try and maintain a list of servers that users can and cannot log into.

So for example, in our domain, we have 3 machines, 1) AD running for a single realm 2) Linux machine with pam_krb5, which you wish to auth against the AD server, that allows everyone to access it (that has an account on the AD system), and 3) Linux machine with pam_krb5, which you wish to auth against the AD server, that you want a select few(er) people to access that also auth against the AD server.

Using Kerberos, computer 2 can auth against the AD server (1), and gain access to the machine, however, there is no way to maintain user access control for server 3 in this example.

The only real way to control access is to use an LDAP solution.

Firstly, Microsoft will support you even if you make schema changes, that's what the schema is there for, to use; there are many products that require schema changes. But Microsoft support is a thing of wonder anyway, we've had to use it a few times and this last time for a cluster playing up they could only offer a solution where we build a whole new cluster.

For my enterprise I purchased Sun's AD Sync identity management product. It is very cheap as the JES directory server stuff is free anyway. It is supported by Sun so if it breaks you still have someone to call.

A job copies any new AD members to the Sun directory, and Unix boxen authenticate off that, it caches the encrypted password. No need for AD schema changes.

Maybe it's not SSO but at least you are using AD creds on Unix, and it is supported.

http://www.linuxjournal.com/article/8374

Better article with better scaling. Comes in 4 parts.

Turn your Linux web server into Fort Knox

An in depth article on how to secure your Linux web server. Who says that security is ever "easy"? It's a must-have for anybody running a web server - even if it's at home.

I'm really surprised he didn't mention Denyhosts. Excellent program that prevents brute force SSH logins.
http://denyhosts.sourceforge.net/

Denyhosts has definitely helped out our production servers by keeping the load averages down by blocking abusive SSH denial of service attacks. With some of the hardening mentioned in the article applied alongside Hardened Gentoo Linux a server could withstand a lot of abusive exploit attacks. By using a system which compiles binaries as position independent, every binary's memory execution insertion address is randomized. While this can be something more suited to administrators with a moderate to advanced understanding of compilers and programming architecture, when used alongside the grsecurity framework execution of a binary uses a different hexadecimal memory address, which enforces a policy akin to winning the lottery for any malicious cracker. Our production 64-bit and 32-bit servers have all been using Hardened Gentoo for years and to date we have never experienced a system compromise. http://hardened.gentoo.org
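Denyhosts is recommended above but its core idea is not shown. The following is an added Python example (not Denyhosts' own code) of that idea: count "Failed password" lines per source address in an OpenSSH auth log and emit TCP-wrappers hosts.deny entries for sources over a threshold. The log lines are constructed sample data and the addresses come from the RFC 5737 documentation ranges; the threshold of 3 is an assumption chosen for the demo.

```python
"""Denyhosts-style detection of SSH brute forcing from auth.log lines.

Added example, not Denyhosts' own code. Counts "Failed password" events
per source IP and formats hosts.deny entries for sources over a threshold.
SAMPLE_AUTH_LOG is constructed data (RFC 5737 documentation addresses).
"""
import re
from collections import Counter

# OpenSSH syslog line: "... sshd[PID]: Failed password for [invalid user] NAME from IP port N ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

SAMPLE_AUTH_LOG = """\
Jul 28 03:14:07 web1 sshd[2140]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 28 03:14:09 web1 sshd[2141]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jul 28 03:14:10 web1 sshd[2142]: Accepted publickey for alice from 198.51.100.5 port 40022 ssh2
Jul 28 03:14:11 web1 sshd[2143]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2
Jul 28 03:14:15 web1 sshd[2144]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Jul 28 03:14:18 web1 sshd[2145]: Failed password for invalid user test from 203.0.113.7 port 51055 ssh2
Jul 28 03:14:20 web1 sshd[2146]: Failed password for root from 192.0.2.44 port 60001 ssh2
Jul 28 03:14:21 web1 sshd[2147]: Failed password for root from 192.0.2.44 port 60002 ssh2
Jul 28 03:14:22 web1 sshd[2148]: Failed password for root from 192.0.2.44 port 60003 ssh2
"""


def failed_logins(lines):
    """Yield (ip, user) for every failed password attempt in the given log lines."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def offenders(lines, threshold=3):
    """Return {ip: failure_count} for sources at or above the threshold."""
    counts = Counter(ip for ip, _ in failed_logins(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def hosts_deny_entries(lines, threshold=3):
    """Format offenders as /etc/hosts.deny lines (the form Denyhosts appends)."""
    return ["sshd: %s" % ip for ip in sorted(offenders(lines, threshold))]


if __name__ == "__main__":
    for entry in hosts_deny_entries(SAMPLE_AUTH_LOG.splitlines()):
        print(entry)
```

Two caveats a practitioner would want before wiring this to hosts.deny for real: keep a whitelist of your own management addresses (a single mistyped password from behind a shared NAT would otherwise lock out everyone behind it), and count per time window rather than over the whole file, which the demo deliberately does not do.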


Anti-virus/Anti-malware/anti-rootkit items like chkrootkit or rootkit hunter are, unfortunately, pretty useless when it comes to security.

There are two reasons:
A. Because the rootkit writers have access to those tools also. So all they have to do to defeat them is set up a Linux server and run those programs. If they are detected, then they simply have to modify how their program works so that they aren't detected anymore. It's almost trivially easy to defeat them with old fashion 'conventional' rootkits.

B. Also kernel module rootkits are popular nowadays anyways. These are kernel modules that modify how a kernel behaves in order to mask the rootkit itself. These are nearly impossible to detect.

BTW since Windows 2000 started having acceptable security kernel driver level rootkits for Windows have become popular.

The only really effective way to detect a rootkit is to set up a program like Tripwire.

Tripwire is a program that you use to make checksums of all the files on your computer, then later you can run it to check the checksums. You have to store the checksums output on a secure computer or secure read-only medium (like a CD-ROM disc). Also Tripwire is only useful if you run it from a different operating system than the one you're currently running (like say booted up from a Knoppix CD-ROM). This is because it can be defeated by false reports created by a kernel module level rootkit.
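The baseline-and-verify scheme described above, as an added Python example (not Tripwire's code): baseline() records a SHA-256, mode and size for every regular file under a root, the baseline is serialised so it can be written to read-only media, and verify() later reports files that changed, appeared or vanished. demo() builds a constructed directory tree, baselines it, then tampers with it the way a rootkit would (a same-size trojaned binary, a new hidden file, a deleted tool). The reason to run the check from a clean boot is the one given in the comment: a checker running on a compromised kernel can be lied to, and nothing in this code can defend against that.

```python
"""Tripwire-style file integrity check (added example, not Tripwire itself)."""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """Streamed SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map path (relative to root) -> {sha256, mode, size} for every regular file."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):   # symlinks skipped; a fuller tool records the target
                continue
            st = os.lstat(full)
            rel = os.path.relpath(full, root)
            db[rel] = {"sha256": sha256_file(full), "mode": st.st_mode, "size": st.st_size}
    return db


def verify(root, db):
    """Compare the filesystem to a stored baseline; return what differs."""
    current = baseline(root)
    changed = sorted(p for p in db if p in current and current[p] != db[p])
    added = sorted(p for p in current if p not in db)
    removed = sorted(p for p in db if p not in current)
    return {"changed": changed, "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline a tree, tamper with it, verify."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary")
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"original ps binary")

        snapshot = json.dumps(baseline(root), sort_keys=True)  # burn this to the CD-ROM

        # Tamper: same-size trojaned ls (size alone would not catch it),
        # a new hidden file, and ps removed.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls binary")
        with open(os.path.join(root, "bin", ".rk"), "wb") as f:
            f.write(b"rootkit")
        os.remove(os.path.join(root, "bin", "ps"))

        return verify(root, json.loads(snapshot))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The snapshot is plain JSON on purpose: whatever medium you keep it on, the check is only as trustworthy as the copy of the baseline and the kernel the verifier runs under.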


OpenBSD folks are probably going to be the foremost on things like this that don't require special proprietary stuff or charge you money for information and such things, and are stuff you can implement yourself.
http://www.bytelabs.org/papers.html
Check out the paper Paper title: "Integration of Security Measures and Techniques in an Operating System (considering OpenBSD as an example)"

For Linux and GCC, Redhat put a lot of work into rewriting ProPolice SSP (developed originally out of IBM's Japan branch) and getting it into the GCC release. I believe it's in GCC 4.1.

Also introduced over the lifetime of the 2.6.x kernel release have been things like heap protection and support for the 'no execute' bit and such.

An example of this being used to protect a vulnerable program is outlined in this Debian-Administration.org article..
http://www.debian-administration.org/articles/408

And of course Wikipedia has a good article on it.
http://en.wikipedia.org/wiki/StackGuard

Other things for Linux (like he mentioned)
grsecurity http://www.grsecurity.net/
AppArmor (from Novell) http://www.novell.com/apparmor
SELinux (from the NSA (United States Government) and made workable by Redhat for their Enterprise Linux and Fedora Core stuff).

Wednesday, July 12, 2006

Insights for a quick and easy Ubuntu printer installation

For a long time, setting up a printer in Linux has been somewhat challenging. But it's been getting easier and easier, and today setting up a printer in Ubuntu is as simple as it gets - this article is firm evidence!

This also follows on previous printing advice found here.

We bought an Epson Stylus D68 today in fact, after searching for it in http://linuxprinting.org/printer_list.cgi and seeing that it worked. The description was that it "mostly worked" but we can't find what _doesn't_ work on it.

We weren't using Ubuntu, but stock Debian. Literally three clicks using the browser-based CUPS interface and it worked. Not a single thing needed to be installed. Test prints work from Opera, Firefox, OpenOffice, Gimp, KPDF..

If you're thinking of buying a printer for your desktop, see this page: http://linuxprinting.org/suggested.html

Advanced Bash-Scripting Guide

An in-depth exploration of the art of shell scripting

This is the BEST tutorial to learn bash scripting, which in turn is one of the best programming languages out there. I highly recommend it to anyone who uses linux. Bash scripting is at the heart of it all.

SSH tricks

The article describes in a human language some of the powerful, yet very useful (even for total newbies) capabilities of OpenSSH, such as passwordless login, automatic execution of commands on a remote system or even mounting a remote folder using SSH.

Three problems with this article:
- Most people use SFTP, not SCP.
- It's easier to tunnel a Samba session (if you really need to) than to install and use SSHFS.
- They didn't mention the "-D" option, which in conjunction with tsocks allows you to tunnel any application through the encrypted connection, whether it has support for SOCKS or not.

SFTP is perhaps the next step for users that upgraded from FTP access to a hosted web server, but I suspect most ssh users have migrated from the r commands and are using scp in place of rcp.

Comparison...
http://winscp.net/eng/docs/protocols#protocol_comparison

My favorite tool though is rsync. While I use rsync over ssh, I never understood why ssync wasn't created to do this job...

SSH is great for tunneling BonJour/DAAP:
http://www.shokk.com/blog/articles/2006/02/06/getting-ipods-and-itunes-everywhere

Now, if only there were a light daap client so I could avoid starting up iTunes...

Ssh is also really neat as part of an ANT script - so you can use all these neatness for your java deployments and automation.
http://www.jcraft.com/jsch/index.html

Saturday, December 03, 2005

Setup the SSH server to use keys for authentication « Raoul’s Land Reloaded!

Raoul’s Land Reloaded! has a good tutorial on how to set up an SSH server to use keys for authentication. Good read and something to save for future reference.

Wednesday, November 16, 2005

SSH scanning continues, some simple advice

The SANS Handler's Diary has a good overview of advice on their site. In a nutshell they say:
1 Run ssh on a non-standard port
2 Choose good passphrases
3 Monitor your logs
Their updates are well worth the read for anyone who is looking to.