Archive for the Linux Category

- First things First

Probably one of the most frequent commands to be entered right after logging in is 'w'.

w not only tells you if there's somebody else logged in, but also the uptime and the load average.

To check the latest log-ins (say the last 10) we can do:

last -a -10

(last reads /var/log/wtmp; failed log-in attempts are kept separately in /var/log/btmp and are listed with lastb, which is worth a look for the same reason.)

(Of course, to learn more about any of the commands mentioned here you can do man command or http://google.com/linux it).

- Processes

To get a quick idea of the services that a server is providing:
netstat -tlpn

This gives us the list of programs accepting connections (listening) and their ports. The 't' restricts it to TCP; add 'u' (netstat -tulpn) to see UDP listeners too, and run it as root, otherwise the program name of other users' processes shows up as '-'.

To get a list of all connections (this gives us an idea of current traffic) we can add the 'a' option:

netstat -talpn

If you have the network scanner nmap installed, the list of open ports given above by netstat should coincide with the one from nmap:
nmap -p0-65535 localhost |grep 'open '

Keep in mind that scanning localhost only tells us what is reachable over the loopback interface: a service bound to 127.0.0.1 shows up as open here but is not exposed to the network, and the host firewall normally doesn't filter loopback at all. To see what the outside really gets, scan the server's public address from another machine.

It's very important from a security standpoint to expose publicly only the services/ports that we really need and stop all other services.
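To turn that rule into a check rather than an eyeball exercise, here is an added example (my own illustration, not a tool from this post) that reads netstat -tlpn output and reports every listener reachable from the network whose port is not on an allowlist. The netstat text and the allowlist of ports 22 and 80 are constructed for the example; feed it real output as root so the program column is filled in. The sample deliberately includes a listener on port 10000, Webmin's default port, and one on 25, neither of which a "web plus ssh" allowlist covers.

```python
import re
import sys

# Constructed sample of `netstat -tlpn` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1203/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1440/httpd
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      1788/perl
tcp6       0      0 :::25                   :::*                    LISTEN      1602/master
"""

# Hypothetical allowlist: the TCP ports this server is supposed to offer to the network.
EXPECTED_PUBLIC_PORTS = {22, 80}

LOOPBACK = ("127.0.0.1", "::1")

# One netstat data line: proto, the two queue counters, local addr:port,
# foreign address, an optional State column (UDP has none), and PID/program.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<prog>\S+)$"
)


def parse_listeners(text):
    """Return one dict per listening socket found in netstat -tlpn / -ulpn output."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and anything we do not understand
        listeners.append({
            "proto": m["proto"],
            "addr": m["addr"],
            "port": int(m["port"]),
            "prog": m["prog"],  # shows as '-' when netstat was not run as root
        })
    return listeners


def is_public(addr):
    """A socket bound to a loopback address is unreachable from the network."""
    return addr not in LOOPBACK


def unexpected_listeners(text, expected=EXPECTED_PUBLIC_PORTS):
    """Listeners reachable from the network whose port is not on the allowlist."""
    return [l for l in parse_listeners(text)
            if is_public(l["addr"]) and l["port"] not in expected]


if __name__ == "__main__":
    # Use piped-in netstat output when there is some, else the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for l in unexpected_listeners(text):
        print("unexpected listener: %s %s:%d (%s)"
              % (l["proto"], l["addr"], l["port"], l["prog"]))
```

The allowlist is per port rather than per program on purpose: a program name can be faked (note that the Webmin listener above shows up as plain "perl"), while a port that is open to the network is open whatever claims to own it. Run it from cron or a config-management check and treat any output as something to explain.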

To get a list of all the running processes in a nice tree-view:
ps auxf |less

This gives us interesting information like the % of memory each process is using and its status (under the STAT column).

Check for processes in the D status (uninterruptible sleep): the process is stuck waiting, almost always on disk I/O, and several of them at once are a clue of a possible hard disk I/O bottleneck.

An alternative view of processes is given by the top utility which contains also current CPU utilization. For 'top' the status column is 'S'.

We can gather more advanced information with the all-powerful lsof tool.
It tells us about the files opened by a process, a user etc. Since in Unix almost everything is treated like a file (sockets etc.) lsof yields a lot of useful information: who's accessing what, what's holding a resource etc.

To check what files are involved with a process:
lsof -p pid (where 'pid' is the process number we get from 'ps', 'top' or 'netstat')

Files open by a user:
lsof -u username

Port info:
lsof -i :portnumber

- Memory usage

There are several tools to check for memory usage, the simplest way is probably:

free -m

Values are in MB.
Don't be alarmed by the 'used' figure in the first line: Linux keeps data it has read from disk in buffers and cache and only gives that memory back when something else needs it (that's kind of the idea), so the first line counts the cache as used. The second line, '-/+ buffers/cache', adds it back and is the one that tells us how much memory is really used and how much is free (available). Newer versions of free drop that second line and show an 'available' column instead, which serves the same purpose.

The 'swap' line is interesting too; if there's any swap used it means that at some point the kernel pushed memory pages out to disk ('swapped'), either because RAM ran out or because it preferred to keep more cache, and the system slows down when those pages are needed again. Resorting to some swap from time to time to deal with spikes in activity can be OK, but using it all the time is not.

Another handy tool to check memory and CPU utilization is vmstat.
If we want a new line every second we can do vmstat 1 (the first line is the average since boot, so look at the lines after it). For commands that only print a snapshot, the cool 'watch' tool reruns them for us, for example:
watch -n1 free -m

If a program stopped responding or there's a general sluggishness it's possible that we ran out of memory at some point.

To check the number of times we've run out of memory recently we can do:
grep -i kill /var/log/messages |wc -l

or:

dmesg |grep -i kill | wc -l

The whole list (without the line count '| wc -l') will give us the details of which processes were killed by the out-of-memory (oom) killer. Note that 'kill' also matches unrelated messages, so read the lines rather than trusting the count blindly, and that dmesg only holds the kernel's ring buffer, so older events survive only in the log file.

- Disk usage

To get disk space info we can use df or du:
df -h

The biggest (for example 5) directories (this command and the next may take a while):
du -mxS / | sort -n | tail -5

Or for the detailed files (credit Rimuhosting support):
du -a -x --max-depth=3 / | sort -n | awk '{ if($1 > 102400) print $1/1024 "MB" " " $2 }'

(The -x in both keeps du on the root filesystem so it doesn't wander into /proc or other mounted drives; the awk prints the entries bigger than 100MB, since du's default unit is KB.)

Note that sometimes 'du' and 'df' report different disk usage; the usual reason is a file that was deleted while a process still had it open (a rotated log, for instance). du walks the directory tree and no longer sees the file, but df counts the blocks, which stay allocated until the last process closes it. Restarting (or just signalling) the process that holds the file releases the space; a reboot works too, but it is not needed.
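The following is an added example, not part of the original post: it parses the output of lsof -nP +L1 (which lists open files whose link count has dropped to zero, i.e. deleted while still open) and adds up the space those files still pin, which is the df/du gap. The lsof listing is constructed for the example; the point is the parsing and the two checks, not the numbers. Truncating such a file through /proc/PID/fd/N (for example : > /proc/1440/fd/2) frees the space without restarting the process, and the last helper builds that path. The sample also carries a process whose executable itself is gone, which is normal right after a package upgrade but, during an incident, is a process you want to look at.

```python
# Constructed sample of `lsof -nP +L1` output (open files with link count 0, i.e.
# unlinked while still open); not captured from a real host.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NLINK   NODE NAME
httpd    1440 root    2w   REG    8,1 52428800     0 393221 /var/log/httpd/error_log (deleted)
mysqld   1203 mysql   7u   REG    8,1  1048576     0 131077 /tmp/ibXYZ123 (deleted)
httpd    1440 root    3u  unix 0xc3d2      0t0     0  12345 socket
sshd      812 root  txt   REG    8,1   684576     0 262150 /usr/sbin/sshd (deleted)
"""

DELETED_SUFFIX = " (deleted)"


def parse_deleted_open(text):
    """Rows for regular files that are open but already unlinked ('(deleted)' in NAME)."""
    rows = []
    for line in text.splitlines():
        # NAME is the last column and may contain spaces, so split at most 9 times.
        parts = line.split(None, 9)
        if len(parts) < 10 or parts[0] == "COMMAND":
            continue  # header or a line we do not understand
        cmd, pid, user, fd, ftype, _dev, size, _nlink, _node, name = parts
        if ftype != "REG" or not name.endswith(DELETED_SUFFIX):
            continue  # sockets, pipes, and files that still have a directory entry
        rows.append({
            "command": cmd,
            "pid": int(pid),
            "user": user,
            "fd": fd,                 # e.g. '2w' (descriptor 2, write), 'txt' (program image)
            "size": int(size),
            "path": name[:-len(DELETED_SUFFIX)],
        })
    return rows


def held_bytes(rows):
    """Space df still counts but du can no longer see."""
    return sum(r["size"] for r in rows)


def deleted_executables(rows):
    """Processes whose program file on disk is gone ('txt' is lsof's name for the executable)."""
    return [r for r in rows if r["fd"] == "txt"]


def proc_fd_path(row):
    """The /proc path through which the deleted file can be truncated, or None if the
    entry is not a numbered descriptor (you cannot truncate a running program image)."""
    digits = row["fd"].rstrip("rwu")   # strip lsof's access-mode letter
    if not digits.isdigit():
        return None
    return "/proc/%d/fd/%s" % (row["pid"], digits)


if __name__ == "__main__":
    rows = parse_deleted_open(SAMPLE_LSOF)
    print("%.1f MB held by deleted-but-open files" % (held_bytes(rows) / 1048576.0))
    for r in rows:
        target = proc_fd_path(r)
        print("  %s[%d] %s (%d bytes)%s" % (r["command"], r["pid"], r["path"], r["size"],
              "  -> truncate via " + target if target else ""))
    for r in deleted_executables(rows):
        print("  running from a deleted binary: %s[%d] %s" % (r["command"], r["pid"], r["path"]))
```

Plain lsof without +L1 shows the same "(deleted)" marker, but +L1 avoids listing every open file on the box. The running-from-deleted-binary case is the one to keep in mind on a security review: after an upgrade it tells you which daemons still need a restart; with no upgrade to explain it, compare the process against the package the binary came from before trusting it.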

If you ran out of space you can delete some unneeded files (like logs perhaps), purge packages for programs you are not using or compress files with gzip.

For example, to archive a directory into one file and also compress it with the tar utility:
tar czvf dir.tar.gz dir

Here's a couple of tips to safely reclaim some disk space in an emergency situation.

- For Debian-like systems (like Ubuntu) with the 'apt' package management we can clear out the local cache of downloaded package files with apt-get clean; the equivalent for the yum updater is yum clean packages (or yum clean all to drop the cached metadata too).

- The ext2 and ext3 (and ext4) file systems have by default 5% of the partition's capacity reserved for root (to check which file system you have see for example: df -T or mount).
We can free up most of that reserved space in an emergency, leaving just 1%, with:

tune2fs -m1 /dev/hda1

, where /dev/hda1 is an example of a disk partition (use 'df' for example to get the name in your case).

We could also set the reserved % value ('m' option) to zero but perhaps that's not a very good idea; in case the disk becomes full we still want to be able to get in (as root) to do maintenance, that's the whole idea of the 5% reserve in the first place.

- Logs

Logs are a sysadmin's best friend. Look at the logs in the /var/log directory, like /var/log/messages etc. To look at large files we can use 'tail' to see the last lines, like: tail -n 20 /var/log/secure.
If the file keeps growing fast we can see the changes as they happen with tail -f file

Another option to see the end of a file is to use 'less' and then press the 'G' (or '>') key to go to the end; this way we can also go back up.

Other navigation controls for 'less' are 'b' to scroll up, the space bar to scroll down and Enter to move down one line. We can also look for keywords in 'less' by typing the forward slash / followed by the keyword (and 'n' for the next match).

Most logs print a timestamp; check with the date command what the server thinks the current time is.

Also very useful for systems where more than one person uses the same account is the history utility, which shows the commands previously entered for the current account.
For other users see the file /home/username/.bash_history or similar.

I think it's a good idea to add a timestamp to the command history; this is done by setting HISTTIMEFORMAT (a strftime format) in ~/.bashrc, for example:
export HISTTIMEFORMAT="%h/%d - %H:%M:%S "

Keep in mind that the history file is a convenience, not an audit trail: bash only writes it when the shell exits, and the account's owner can edit it, delete it or turn it off, so an intruder's .bash_history is usually empty or tidied up.

- Scheduled jobs

For problems that appear only at certain times check which users have cron jobs with: ls /var/spool/cron/ and then see the cron jobs for a user (for example 'mailman') with: crontab -u mailman -l. System-wide jobs live in /etc/crontab and in the /etc/cron.d, /etc/cron.hourly, /etc/cron.daily etc. directories. A job an intruder leaves behind to get back in shows up in these same places, so they are worth reading on any security review too.

- Network Settings

Very basic commands are ifconfig and route (on newer systems their replacements are ip addr and ip route).

A couple of important files are:
/etc/resolv.conf, which lists the DNS servers. If the server cannot reach a hostname or URL on the Internet, check whether it's accessible by IP address; if it is, that indicates a problem with domain name resolution.

In that case try putting well-known, solid DNS servers in /etc/resolv.conf (instead of the ones provided by your ISP), like the ones from OpenDNS (208.67.222.222, 208.67.220.220) or the easy to remember 4.2.2.1, 4.2.2.2.

/etc/hosts: in this file we can tie a hostname to an IP address, bypassing resolution through the DNS servers.
A source of problems is when the entry 127.0.0.1 localhost is missing from this file (to test: ping localhost would fail).
Many programs (database access, mail servers etc.) rely on this mapping, so they would fail because of it. Since whatever is in /etc/hosts wins over DNS, it's also a favourite place for malware to redirect update or antivirus hostnames, so an entry you don't recognize deserves a look.

In a server networking review it's important to check the firewall rules (including NAT redirections) with:

iptables -L -n -v; iptables -t nat -L -n -v

Note that the rules of the 'nat' table are not displayed by a plain iptables -L; -n avoids slow reverse DNS lookups of every address in the rules and -v adds the packet counters and interfaces, which tell us whether a rule is actually matching anything.

- Software installed and their versions

For many popular programs, to get the version it's sometimes a small v, sometimes a big V and sometimes 'version'; sometimes one dash and sometimes two:

python -V
perl -v
httpd -v
java -version
mysql --version

For Linux kernel and distro version:

uname -a
cat /proc/version

(There is a lot of information under /proc; many commands just read from this pseudo file system and it's a matter of knowing where to look and how to interpret the info.)

To get a list of installed packages:

For rpm-based distros: rpm -qa
For dpkg (debian): dpkg --get-selections

- Finding stuff

This is just one of my favorite Linux command combinations:

Say you need to find all the instances of a keyword that can be in one or more files under a directory structure (say /etc); this can be done with:
find /etc -type f -print0 | xargs -0 grep keyword

(-type f skips the directories themselves and -print0 with -0 keeps file names containing spaces from breaking the pipe; with GNU grep, grep -r keyword /etc does the same in one command.)

How to Install Linux on a Mac

Here are some notes about installing Linux (in particular CentOS 5, but that shouldn't matter, it could be Ubuntu etc) on an Intel-based system running Mac OS X 10.4.11 "Tiger", in my case a MacBook but this should be the same for other Macs.

The summary for the impatient is:

0) Preparation: Get the DVD / CD-ROMs of the Linux distribution you want to install and backup the data in your computer.

1) Re-partition the hard drive to make space for the new operating system. I used Apple's Boot Camp which can be downloaded.

2) Install a boot loader or boot manager, I used the open source rEFIt.

3) Install Linux on the newly made partition, make sure that GRUB goes in the 1st sector of the boot partition, not Master Boot Record (MBR).

Now the details.

0) Backing up my disk. I have an external (USB) hard drive: "Maxtor OneTouch III Mini Edition". The OneTouch software is a disappointment; both the synchronization and the backup failed. The first one choked on one file and crashed, but I only found out after looking at the logs; the GUI kept showing the same thing. For the backup method, it just kept saying "Completed back up. 0 items were updated" and again in the logs there was some cryptic problem that prevented the program from starting.

1) Apple is including Boot Camp as part of its new OS version "Leopard", and they took Boot Camp 1.4 off their web site. I couldn't find it online so I got Boot Camp 1.3 instead.

After installing and running it I see that the smallest new partition you can create is 5GB. Boot Camp formats the new partition with the Windows file format but we don't care because we are going to re-format it. There's also an option regarding Windows drives that we can ignore.

When I tried to re-partition the disk I kept getting an error from Boot Camp: "Your disk cannot be partitioned because some files cannot be moved", and it suggested to start all over: to copy all my data from the MacBook, reformat the disk, reinstall OS X etc. No Way.

It was worth a shot to try and delete some big files. I couldn't find any free defragmentation tool. I downloaded Disk Inventory X, which is a nifty tool that shows you graphically how big the files in your disk are.

I deleted a bunch of unneeded big files and I also found a big "sleepimage" file (as big as your RAM) that is used for hibernation and followed these instructions on how to delete sleepimage.

Basically (just in case the link disappears):

$ sudo pmset -a hibernatemode 0
$ sudo nvram "use-nvramrc?"=false

reboot and $ rm -f /private/var/vm/sleepimage

After this I was able to run Boot Camp successfully. Note that if you're getting the "cannot move files" error with a bigger partition, making it smaller (down to 5GB) increases the chances that the "unmovable" files are not in the smaller partition.

2) I downloaded and installed rEFIt, the rEFIt 0.10 Mac disk image.

With this rEFIt version for Mac there's no need to manually run the install script and move its folder.

At this point with the bootable Linux DVD (or CDROM), if you restart the Mac you'll get rEFIt's boot menu first of all, where you can choose if you want to start OS X or from disc.

3) Once we have made space for Linux and we have the boot manager we can just proceed and install Linux from disc as usual; we only have to be careful in the format/partition section of the installation to use the space we created (it will show as FAT32) and not to format or use the shrunk HFS partition used by Mac OS. We can safely delete that FAT32 partition and use the free space to create our Linux partitions.

The other thing to be careful about is to install GRUB (or LILO, the Linux boot manager) in the 1st sector of the boot partition (that would be 'root' or / if you don't make a /boot partition), not onto the Master Boot Record (MBR). Red Hat and CentOS have this option by default.

That's all. I'll just comment that I found CentOS 5 bloated; I tried a minimal installation by unselecting almost everything (but with KDE) and still after installation it takes over 3GB. There are lots of GNU packages and even 300MB of an openoffice core file even though I unselected all office applications. After the first reboot I also unselected SELinux but then I had lots of SE services running, along with sendmail, cups and many others.

So just 11 days ago there were new WordPress releases, 2.1.1 and 2.0.9, which included security fixes, and less than a day ago we got the announcement WordPress 2.1.1 dangerous, Upgrade to 2.1.2, where we learnt that the previous release may include a security exploit that was added by a cracker. Gotta update WordPress.

Oh well, things happen, but I guess I'm closer to getting my site un-php-fied and using Python or Ruby on Rails instead (yes, I fall for fads, especially when they involve better programming languages).

Anyways, to upgrade WordPress there are good instructions at the official site wordpress.org, but if you use the Linux command prompt things can be simplified a little, like making a copy of the database without need of a GUI, getting the new version without having to download it first to your desktop and then to your server or overwriting the old WordPress files automatically without having to delete them first.

Unless your WordPress install is quite old, most likely you already have the minimum requirements for PHP and MySQL, but it won't hurt to check; WordPress requires PHP version 4.2 or greater and MySQL version 4.0 or greater. We can check with:

# php -v
# mysql --version

It's also recommended that from your wordpress' administration dashboard you deactivate your plug-ins.

Now, we go to the parent directory that holds the WordPress directory, for instance something like:

# cd /var/www/mywebsite/public_html

or

# cd /home/mywebsite/public_html

This will change if you are in a shared hosting environment.

Let's backup the database and the WordPress directory:

# mysqldump -u root -p --add-drop-table --extended-insert --quote-names database_name > wordpress_back.sql

This will prompt for your root password. If you have no root privileges (like in shared hosting), replace 'root' with your user name. Replace also database_name with the name of your wordpress database.
Do a minimum check with # less wordpress_back.sql to verify that your data is indeed there.

Making a tar backup of the current wordpress files:

# tar -cf wordpress.tar ./wordpress

check the tar file by printing its contents:

# tar -tf wordpress.tar

OK, so now let's get the newest WordPress package and deploy it:

# wget http://wordpress.org/latest.tar.gz
# tar -xzvf latest.tar.gz

There's no need to delete the previous files since tar overwrites them (files that the new release dropped will stay behind, though; for a clean tree extract elsewhere and swap the directories). Since wget fetched the archive over plain http, compare it against the checksum published for the release, where one is available, before extracting it.

The tar file extracts a 'wordpress' directory and files within it; if your current installation uses another directory name (or it's at the document root) you'll have to delete the old directory and rename the 'wordpress' directory: # mv wordpress old_directory_name

Now when you browse back to your site you'll be prompted to update by clicking in a link (pretty much like an interface with a big red button that Dilbert created once). And that's it for the update.

You can also check in your administrator's dashboard that you have the latest version (at the very bottom) and reactivate your plug-ins.

Installing Drupal 5

Installation instructions at: http://drupal.org/node/260

Here are some extra tips and gotchas.

1) Check versions of php and mysql, you need php 4.x and mysql 4.1 or 5.0
# php -v
# mysql --version

2) Create database and user / password
You can use phpmyadmin, the mysql module in webmin or the mysql client from the command prompt.

3) Get Drupal and extract it (latest versions in: http://drupal.org/project/Drupal+project ):
# cd /tmp
# wget http://ftp.osuosl.org/pub/drupal/files/projects/drupal-5.1.tar.gz
# tar xzvf drupal-5.1.tar.gz

4) move the Drupal directory
# cd your_public_html_directory
# mv /tmp/drupal-5.1/* .
# mv /tmp/drupal-5.1/.htaccess .

(The second mv is needed because the shell's * does not match names starting with a dot.) At this point you should see with your browser the Drupal installation page at your site's URL.

5) Get the three database pieces of information (database name, username and password) into the settings.php file
edit the $db_url line in ./sites/default/settings.php with the values for the database user, password and database name created earlier:
$db_url = 'mysql://db_user:password@localhost/db_name';

or easier without editing: just change the permissions for the settings.php file so the installer can set these values:
#chmod 777 ./sites/default/settings.php
then run the Drupal installer by going to your site's URL and then change the permissions back:
#chmod 644 ./sites/default/settings.php

Careful with that 777: while it's set, every user on the machine can write to the file, which on a shared host is not just you. Since settings.php ends up holding the database password, a tighter alternative is to make it writable by the web server user only (the same user we give the "files" directory to below) and, once done, readable by that user only rather than world-readable 644.

6) Create the administrator user
Run the install.php script by going with your browser to (or refreshing) your URL and create the administrator user.
You'll see a warning about the missing "files" directory and missing cron jobs.

7) Make a "files" directory and give ownership to the apache user:
# mkdir files
# chmod 770 files
# chown apache:apache files

If the apache user or group are not "apache", look in the /etc/passwd file or in the running processes (ps aux|grep httpd) for its name (www-data?)

Drupal will install a .htaccess file in this directory for protection when you go to "administer > site configuration".

And the installation is done!

I didn't like having the install.php and update.php in the public directory, so I moved them out of the way and I just can move them back if I need them.

The installation is pretty minimal, so you'll have to activate modules and permissions from the administration panel.

Installing themes:
To customize with a theme, just grab the theme tar file and extract it in the themes directory, for example:
# cd themes
# wget http://ftp.osuosl.org/pub/drupal/files/projects/aberdeen-5.x-1.4.tar.gz
# tar zxvf aberdeen-5.x-1.4.tar.gz

and the theme will automagically appear in the admin control panel.

A tip from a Drupal specialist, 2bits.com:

It is best if you install your own add on modules and themes under the sites/all/modules and sites/all/themes directory. This separates the contrib stuff from core Drupal and makes upgrades easier.

Some troubleshooting tips:

If you get in the web page an error message regarding permissions, and especially if the Drupal install is the first thing that is going into the web server, check that the 'sites' directory has enough permissions (chmod 755).

If you get an error mentioning that the database is unsupported or it's the wrong version, it may be simply that the database instance hasn't been created.

There's a security problem in Webmin that affects all versions previous to the latest one (1.290): arbitrary remote file access.

In short, anyone can grab any file from your server, and in particular the password file /etc/shadow. Once a cracker has this file he can run an offline dictionary or brute-force attack against the hashes to recover the original Linux user passwords (rainbow tables don't help much here because the hashes are salted, but weak passwords still fall quickly), so he could get login privileges, root included, and therefore fully compromise the server.

Do I run Webmin?

This is the easy part. Webmin is a web server that runs by default in port 10000, so you can see if it’s running by looking at https://yourip:10000 or http://yourip:10000 (Usermin from Webmin runs at port 20000)

Inside the server you can test if Webmin is running for instance with: ps aux|grep webmin or /etc/init.d/webmin status

To see if you have Webmin installed at all you can do a locate webmin (if locate complains you can do an updatedb first) or just:
find / -name webmin

To see the version of webmin you have: cat /etc/webmin/version
If the version is earlier than 1.290 and webmin is running then your server is vulnerable.

Have I been compromised?

To check if somebody has taken a file from your server using this exploit, you can see the webmin log for unauthenticated access with:
grep unauthen /var/webmin/miniserv.log | grep -v jpg

(the -v jpg is to disregard the display of an icon). Credit to Peter at Rimuhosting.

If you get any result, the end of each line will tell you which file has been taken away:

w.x.y.z - - [23/Jul/2006:02:51:36 -0500] "GET /unauthenticated/..%01/..%01/%01/..%01/..%01/..%01/..%01/..%01//etc/shadow HTTP/1.1" 200 32

In this case we see that the cracker has copied the /etc/shadow password file (if you get a 404 instead of a 200 "OK" at the end, that's HTTP for "not found" and you're lucky), and we also get a timestamp and the IP of the intruder (w.x.y.z here to protect the guilty; in this day and age you never know who sues whom).
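Here is the same check done programmatically, as an added example that is not from the original post or from Rimuhosting: it parses miniserv.log lines in the format shown above, decodes the "..%01/" padding to recover which file each /unauthenticated/ request reached, and separates the requests that were actually served (status 200) from the misses (404). The log excerpt is constructed, with addresses from the RFC 5737 documentation range; only the request shape is taken from the page.

```python
import re
import sys
from urllib.parse import unquote

# Constructed miniserv.log excerpt in the common log format Webmin writes.  The
# 198.51.100.7 address is from the RFC 5737 documentation range, not a real intruder.
SAMPLE_LOG = """\
10.0.0.5 - admin [22/Jul/2006:11:02:10 -0500] "GET /index.cgi HTTP/1.1" 200 8123
198.51.100.7 - - [23/Jul/2006:02:51:30 -0500] "GET /unauthenticated/images/webmin.jpg HTTP/1.1" 200 3421
198.51.100.7 - - [23/Jul/2006:02:51:36 -0500] "GET /unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01//etc/shadow HTTP/1.1" 200 1187
198.51.100.7 - - [23/Jul/2006:02:51:40 -0500] "GET /unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01//root/.ssh/id_dsa HTTP/1.1" 404 0
"""

# ip, ident, user, [timestamp], "METHOD path PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

PREFIX = "/unauthenticated/"   # static files are served here without a login


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def traversal_target(path):
    """Return the server file an /unauthenticated/ request reached, or None.

    The exploit pads the path with '..%01/' segments that the vulnerable miniserv let
    through as parent-directory steps.  Decoding them and dropping every '..<byte>/'
    step leaves the file that was actually requested.  Plain static requests
    (no '..' at all) are legitimate and return None.
    """
    if not path.startswith(PREFIX):
        return None
    rest = unquote(path[len(PREFIX) - 1:])   # keep the slash before the first segment
    if ".." not in rest:
        return None                           # e.g. the icon the author greps out with -v jpg
    rest = re.sub(r"\.\.[^/]*/", "", rest)    # remove each '..' + junk byte + '/' step
    return re.sub(r"/+", "/", rest)           # collapse the doubled slashes that remain


def exfil_events(log_text):
    """Every traversal attempt in the log, with whether the file was served."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = traversal_target(rec["path"])
        if target is None:
            continue
        events.append({
            "ip": rec["ip"],
            "when": rec["ts"],
            "target": target,
            "status": int(rec["status"]),
            "success": rec["status"] == "200",   # 404: requested, but not handed over
        })
    return events


def files_taken(log_text):
    """Only the files that were actually served (what the author's grep pipeline shows)."""
    return [e["target"] for e in exfil_events(log_text) if e["success"]]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for e in exfil_events(text):
        verdict = "TAKEN" if e["success"] else "missed (%d)" % e["status"]
        print("%s  %s  %s  %s" % (e["when"], e["ip"], e["target"], verdict))
```

Pipe the real file in with python3 script.py < /var/webmin/miniserv.log. Two things the plain grep does not give you come out of this: the list of every file the intruder asked for, including the misses, which tells you what they were after (keys, config files with database passwords, other users' mailboxes), and the set of source addresses, which is what you then look for in last -a and the other logs.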

What do I do if I’ve been compromised?

This is just the short answer but basically:

1. Stop webmin if it’s running: service webmin stop or /etc/init.d/webmin stop
Confirm that it’s not running with ps aux|grep webmin

2. Change all your Linux user passwords.
Look at the users that have passwords (for instance with less /etc/shadow). The file has fields separated by colons; the second field is the encrypted (hashed) password. Only root and the users you created will have a long string there; the rest have an asterisk * or an exclamation mark ! in that field, meaning no password will ever match. An empty second field is worse than a hash: it means no password at all. For instance:

root:$1$Jn3xi7Tp7$7jc0T725mD4eXLWh0wA581:13371:0:99999:7:::
bin:*:12821:0:99999:7:::
daemon:*:12821:0:99999:7:::

So change the password of all the Linux users with: passwd username
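As an added example (not from the original post), the following reads a shadow file and sorts the accounts into the groups that matter after a theft of /etc/shadow: accounts with an empty password field, locked accounts, and accounts with a real hash that has not been changed since the day the file was taken, which are the ones still to rotate. The shadow excerpt is constructed (the hashes are not valid and 'backup' is given an empty password on purpose); the theft date 2006-07-23 is the one in the log line above.

```python
import datetime
import sys

# Constructed /etc/shadow excerpt.  The hashes are not real; 'backup' deliberately has
# an empty password field so that case is exercised.
SAMPLE_SHADOW = """\
root:$1$Jn3xi7Tp7$7jc0T725mD4eXLWh0wA581:13371:0:99999:7:::
bin:*:12821:0:99999:7:::
daemon:*:12821:0:99999:7:::
mysql:!!:13100:0:99999:7:::
alice:$1$q9xLp2Zk$Vb3nT8rYw0eLmQ7sJ1aK4/:13200:0:99999:7:::
backup::13250:0:99999:7:::
"""

EPOCH = datetime.date(1970, 1, 1)   # the third field counts days from here

# crypt(3) prefixes; a hash with no '$' prefix is traditional DES crypt.
HASH_PREFIXES = {
    "$1$": "md5-crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256-crypt", "$6$": "sha512-crypt", "$y$": "yescrypt",
}


def parse_shadow(text):
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        entries.append({
            "name": f[0],
            "hash": f[1],
            "lastchg": int(f[2]) if f[2] else None,  # days since the epoch; may be empty
        })
    return entries


def classify(hash_field):
    if hash_field == "":
        return "empty"     # no password at all: worse than a weak one
    if hash_field[0] in "*!":
        return "locked"    # '*', '!' and '!!' can never match a typed password
    return "hashed"


def hash_algo(hash_field):
    for prefix, name in HASH_PREFIXES.items():
        if hash_field.startswith(prefix):
            return name
    return "des-crypt"


def last_changed(days):
    return EPOCH + datetime.timedelta(days=days)


def audit(text, stolen_on):
    """Group accounts by what to do after the shadow file was read by an attacker.

    stolen_on is an ISO date.  A hashed password last changed on or before that day is
    in the attacker's hands and still needs rotating; one changed later already was.
    """
    cutoff = datetime.date.fromisoformat(stolen_on)
    report = {"no_password": [], "needs_rotation": [], "rotated": [], "locked": []}
    for e in parse_shadow(text):
        kind = classify(e["hash"])
        if kind == "empty":
            report["no_password"].append(e["name"])
        elif kind == "locked":
            report["locked"].append(e["name"])
        elif e["lastchg"] is None or last_changed(e["lastchg"]) <= cutoff:
            report["needs_rotation"].append(e["name"])
        else:
            report["rotated"].append(e["name"])
    return report


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHADOW
    when = sys.argv[1] if len(sys.argv) > 1 else "2006-07-23"
    report = audit(text, when)
    for group, names in report.items():
        print("%-15s %s" % (group + ":", ", ".join(names) or "-"))
    for e in parse_shadow(text):
        if classify(e["hash"]) == "hashed":
            print("  %s uses %s" % (e["name"], hash_algo(e["hash"])))
```

Run it as root (the shadow file is not world-readable) with the theft date from the Webmin log: sudo python3 script.py 2006-07-23 < /etc/shadow. Re-run it after you have gone through passwd for everybody; the job is done when needs_rotation is empty. Two side observations it makes visible: an empty field means anyone who can reach a login prompt for that account gets in without a password, and a $1$ (MD5-crypt) hash, as in the page's example, is far cheaper to brute-force than the $6$ (SHA-512) or yescrypt hashes current distributions use, which is a reason to move the hashing scheme while you are changing the passwords anyway.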

Now, if you plan on using again Webmin, you have to upgrade to the latest version, do so by downloading from http://webmin.com/ and installing it.

It's also a good idea to harden Webmin by changing the port it listens to and using IP Access Control, both options are in the Webmin configuration module.

If you are using only a few modules of webmin you can check if there are safer alternatives, for instance phpmyadmin for administration of MySQL databases or Squirrelmail as a web mail client.

You also have to check if the cracker already logged in with one of the usernames and passwords stolen, you can see this with the ‘last -a’ command and looking for unrecognized login locations since the date the passwords were stolen.

This vulnerability is yet another reason to use ssh with key pairs only (password logins disabled), in which case the cracker wouldn't be able to log in with a cracked password (but other problems, like compromised e-mail accounts that use the same passwords, would persist).

Ubuntu Security Levels

The purpose of this new project I started is to have a security level management tool similar to Mandriva's msec.

Ubuntu page: Ubuntu Security Levels. Everybody is welcome to join.

The idea is to harden (and monitor/log) the security of Ubuntu by having well-known states or levels that are easy to understand and manage by users and sysadmins.


  • Easy, like in Mandriva, by typing just "msec 3" we go to a level deemed appropriate for desktops connected to the Internet. No need to go through screens answering difficult questions like with Bastille Linux.

  • System administrators will be aware that the systems are in a particular well-known configuration regarding basic aspects of security ("this web server is level 4, that critical server is level 5"). The caveat of course is to have a false sense of security.

  • The proposed difference in philosophy with Mandriva's msec is that the users won't be able to customize (at least easily) the directives for the levels; the simpler the better.

Ubuntu Security Toolkit LiveCD

There are several Linux Live CDs that are specialized in network security tools like:

L.A.S.
Trinux
PHLAK
Knoppix STD

I like Knoppix STD; it's a very complete infosec toolkit. (First time users: remember to right-click with the mouse once you're on the desktop).

I've been getting involved in Ubuntu and a project I just started is the Ubuntu Security LiveCD, an Ubuntu LiveCD remastered with many security tools.

The security live CD I put together works pretty well and I intend to publish the iso file once I polish it a little more.

I attended on October 24th the FOSS symposium organized by Seneca college in Toronto . If you want to play "find Waldo", I'm in this picture taken in one of the presentations.

The gathering is aimed at educators and "other interested parties" to talk about Open Source in an educational or research context. More than 120 people attended.

The organizers did a good job, no big complaints here. There was one or two presentations that started late but it was the presenter’s fault. Technical staff were helpful assisting the speakers.

The symposium fee was $20 (plus $14 parking), and for that you get a 99% cotton t-shirt of your desired size with the penguin logo, lunch and one beer. So not bad at all. Besides there was coffee and cookies first time in the morning and in the evening. At registration time they also give you a sheet of paper with the agenda of the day and another one with the plan of the building.

The Stephen E. Quinlan building is beautiful by the way, with lots of glass and a central court with trees and water. From the second level I could see down below a modern floor full of computer stations with some scattered young people sitting at them. Looking at these youngsters I had some nostalgia and “envy of the past” (surely there must be a German word for that). Did I mention that my first “computer” was the Sinclair ZX Spectrum? (not counting HP and Casio programmable calculators, circa 1981). On one side of this computer hall there’s a library, so computers and books side by side, a geek’s paradise! Maybe I should come teach here some day.

Here’s the agenda for the presentations, it’s a total of 8 back-to-back hours plus one for lunch, so it was a little tiresome. And I didn’t take notes, so don’t quote me for accuracy.

OpenSource 101: Introduction to Collaboration, by Marcus Bornfreund

The first speaker was Marcus Bornfreund, from Creative Commons Canada . And probably the only person at the whole event wearing a necktie. Copying and pasting from this web site: Marcus is a part-time Professor at the University of Ottawa Faculty of Law, the Manager of uOttawa's Law & Technology Program and an Associate of the Canadian Internet Policy and Public Interest Clinic (CIPPIC). He sits as a member of the CIPPIC internal advisory board, and is also a member of the Law Society of Upper Canada, Electronic Frontier Canada, and the Free/Open Source Research Community at MIT. Marcus is responsible for the Canadian translation of the popular Creative Commons licence and a prominent figure in the Canadian open source community.

This was the most intellectual or abstract presentation and it made me think.

A central point of his presentation was that there’s no open source software but open source licenses.

He was on purpose very "politically correct"; he didn't want to use "loaded" words like "more free" and "less free". He encouraged us not to think in terms of good and bad but to think "what's good for you". This non-belligerent approach had a reply when two other speakers (Jesse Hirsh and Stephen Downes) based their presentations on trying to be the opposite: the belligerent, "us vs. them" (open source vs. closed licences) thesis.

He quoted Isaac Newton (a "plagiarist") and his "If I have seen further it is by standing on the shoulders of Giants". And then he showed the same quote (wording slightly different) by somebody about a century before Newton. Then he showed an earlier quote, and then one or two more even earlier. This was in the discussion of creativity: chicken or egg?

Marcus made his presentation with an Apple iBook “because I find it to fit my needs, but you should boo me” (or something like that). He gave out stickers of creativecommons.ca

Now there were three tracks, and I chose:

Python Power – Learning, Teaching and Doing with the World’s Easiest Programming Language, by George Belotsky.

The speaker works at Open Light Software and this was just a brief overview of what Python is. Not much more besides two interesting examples of what you can do with very few lines of code. One of the examples made use of a Python physics and 3-D visualization library to simulate a bouncing ball in a few lines of code; very good for teaching physics.

He made the presentation with some light-weight X Window manager (fvwm?), he showed the code in Emacs.

The Open Source Service-Centric Business Model, by Jesse Hirsh

This was my favorite non-technical presentation. Jesse Hirsh is the president and founder of Openflows, an open source consultancy firm in Toronto. By the way, the logo of Openflows looks like the one for Ubuntu, only this time there's a fourth guy falling back (what!? I'm the one to get stuck with the Windows machine? Aaaah!).

Jesse is a very enthusiastic and vibrant speaker of strong convictions; he tells things bluntly as he sees them. He talked about his personal life journey from a political activist living in his parents' house to a businessman (still political).

On New Year's Eve, 1993 the Zapatista Army made an uprising in Chiapas, Mexico. The news of this rebellion reached all the World and all of the Internet thanks to mailing lists, but it wasn’t the commercial listserv program the one spreading the news, but majordomo, an open source mailing list. Jesse had some sort of an epiphany when he realized the power of a “few lines of Perl”.

He identified other key open source applications; first Slashdot and then Drupal.

At some point he wanted to make a living, so he founded Openflows with the idea of offering expertise in open source software. His first important client was US Today. They wanted a Slashdot type of application and when they approached its creators, they were referred to Jesse's company. They maintained a good relationship; although they reported bugs in Slashdot, the Slashdot people didn't want somebody else to write code, and they didn't want to make a business of implementing it at companies either.

Jesse educates prospective clients with the advantages of open source and he stressed the “no lock-in” factor and the fact that firms can fire them easily and get another software developer to work on the existing open code. (He actually mentioned one case when this happened). He also lamented that this education was a very uphill battle, fighting against the marketing budgets of Microsoft and the likes, but he welcomed a debate in a leveled field.

Some quotes: “I hate Microsoft”. “We are not dwarves standing on top of giants, we’re dwarves standing on top of dwarves standing on top of dwarves etc” (I like that one). “ I don’t want to be rich, I want to make a living”. “When your expectations are low, it’s easy”.

He made the presentation with a paper with some notes and the lecture hall’s computer to show Openflows’ web site. The room’s computer runs on SuSe.

LTSP – Changing the Rules of the Desktop World, by Jim McQuillan.

This was my favorite technical presentation. Jim is the founder and leader of the Linux Terminal Server Project and he came from Detroit to give a very good introduction to what LTSP is, what it does, where it's used and where it's headed. It included a live demo of a small terminal booting from the network (his laptop) and being up and running in a few seconds.

He made the presentation and demo with Ubuntu 5.10 ("my favorite distro") and he explained how it's the first Linux distribution to incorporate LTSP (yay!). He received a call (or email?) from Mark Shuttleworth, the philanthropist behind Ubuntu, and after 9 months (if I remember correctly) the implementation was finished. Mark says that South Africa (his native country) is going to show Brazil how LTSP is done. (Brazil, and particularly Sao Paulo, is a place where LTSP is being widely deployed.)

I love it when presentations have just the right level (not too simple, not lost in technical details) and you actually learn things. Jim really knows his stuff; before someone would finish a question he was already giving a precise answer.

An overview of OpenOffice 2.0, by Marcel Gagne.

Good presentation by the well-known Marcel Gagne (although for me it was the first time I saw him in person). The new version of OpenOffice has just been released and there are some very good improvements in terms of GUI and Microsoft Office compatibility. One of the most important points about this new release is the adoption of the Open Document Format, which made the news (or Slashdot at least) recently because the state of Massachusetts in the US wants to adopt open standards for electronic communication and Microsoft doesn’t like it one bit.

Marcel showed (with “unzip” from the command line) how the file format is actually one zipped file with everything inside. He also mentioned the one-click “clik” Linux installation project. (Where’s the link to it?)

Marcel gave his presentation with Mandriva Linux.

Open Solaris by Daniela Malea

This was a good overview of the open source version of Solaris. Daniela’s title is “engagement architect” but she was quick to say that she wasn’t into the wedding business, that she was a pre-sales engineer.

Daniela was pretty candid about her company, and that’s something you don’t see so often in a public conference. For instance she recognized that Sun’s decision to stop development of the i386 version of Solaris when it was version 9 was “a big, big, big mistake” (or did she say “terrible, terrible mistake”?) but now Sun is committed to Open Solaris; they are going full speed ahead with it because they have realized the value of the low-end market.

I was a little surprised that people in the audience weren’t aggressive to the only commercial (or not open source) company in the symposium. She explained the license Sun is using for Open Solaris (CDDL, a derivative of the Mozilla license) and how they don’t like the GPL because it’s “sticky” or “viral”; “if you use a piece of GPL code in your product, then you have to release everything as GPL”. This is not strictly true; IANAL, but if the code is modularized it somehow escapes the imposition, otherwise there would be no Linux distributions with applications that are not GPL.

Sun Microsystems was a sponsor of the event by the way. I don’t remember what Linux Daniela used for the presentation (Open Solaris?). Her slides were the best of the symposium though. (Here’s a tip to other speakers: don’t use dark green and red in fonts over a black background with red and white lines).

She also explained how people could try Open Solaris and contribute by finding bugs.

I was also glad that she mentioned Xen, a project that I have in my crosshairs; they also have a hypervisor technology in Solaris 10. She also mentioned some of the other advanced and cool features of the new Solaris, like the ZFS file system or the dynamic tracing utility (DTrace).

Ruby, Blackboard and the Challenge for Open Source, by Stephen Downes

This was the strangest presentation and the one which made people laugh the most (including myself).

According to his own web site, Stephen Downes lived and worked across Canada before joining the National Research Council as a senior researcher in November, 2001. Currently based in Moncton, New Brunswick, at the Institute for Information Technology's e-Learning Research Group, Stephen has become a leading voice in the areas of learning objects and metadata as well as the emerging fields of weblogs in education and content syndication.

At the beginning of the talk he spent some 10 minutes trying to get his MP3 player to record his voice (I think). Then he presented two unrelated topics that would support his final thesis. If I got it, his thesis is: “the Russians are coming!”, how “they” (the bad guys, not the Russians) are closing up the Internet.

The first topic was how he was unable to install Ruby on Rails on his Linux machine; he spent two weeks (24 full hours) frustrated. He didn’t want to draw any conclusions from this though, he was just setting the stage. He admitted that one problem he was having was because he didn’t know about “kill -9”. For this in particular I’d say that the problem is not that he’s not a Linux expert or that Linux should be made easier or whatever; the problem is with the product (Ruby on Rails) installation or the installation documentation. He fully documented the whole ordeal for others to see; what else can you ask of a user?

The second stage was how Blackboard and WebCT merged (apparently one ate the other) and the danger in that. Both companies have products for eLearning or CMS for universities and colleges. Stephen argued that both products suck, they are expensive and they have almost a monopoly of the market. He mentioned some alternatives like Moodle (there was a presentation about this application), but not aTutor, developed by the University of Toronto and the system I’ve used.

Finally he made the case of “us vs. them” like in “closed vs. open”, “something or the other vs. distributed content” and so on.

I had a great time but I’m not sure of what his message was.

Stephen presented using a web browser in the hall's computer.

Update:

Stephen Downes links to this article even if I call his presentation "strange". Thank you. He posted the slides of his presentation.

Behdad Esfahbod also posts his account of the symposium. We pretty much agree on the comments about the presentations that we both attended.

PHP Photo Albums: Gallery , Coppermine and 4Images

I just needed a simple web picture gallery application to manage my family’s photos and until now I was using a blog because a couple of years ago I thought we’d be posting cute things about our kid but it turned out that no, we’re just posting pictures for family and friends to see.

There are many of these photo album programs (389 today in Hotscripts ), it seems that nowadays the CMS and photo gallery applications are like the video store applications in the times of DOS, where every computer enthusiast had one made by themselves.

So for the “standards” I looked into the Fantastico package that the web hosting companies offer (a point-and-click collection of scripts). If an application is there it means that it is more or less popular and relatively easy to install and maintain. There I see three photo album programs: 4Images, Coppermine and Gallery.

4Images: It’s hard to distinguish the English from the German text in their web site (couldn’t they have used two font colors or two different pages?). Their license is more restricted than the typical open source: “4images may be used and modified free of charge for personal and non-profit use. Commercial use must purchase a Licence.”.

Coppermine and Gallery licenses are GPL, so I’m picking one of them.

Coppermine: Uses the GD image library (that is usually built into PHP) and MySQL.

Gallery uses NetPBM and ImageMagick image manipulation packages instead of GD. That means one more thing to install but according to the Gallery developer those packages are superior to GD, although the problem of the thumbnail quality has been resolved in GD2 (from GD1). Gallery doesn’t use MySQL.

The features of Coppermine and Gallery may be different but I don’t care because all I needed is a simple photo album manager so I went with Gallery because I liked the simpler design better, although both have enough crazy skins or templates.

There’s a little problem with Gallery (besides the unfortunate name that is so common that it is impossible to find the site in a web search) in its downloads, or rather in the instructions for them.

For starters, the main download link directs to an empty file list in the sourceforge repository. I selected “show all” and downloaded gallery-1.5-pl1.tar.gz, but the confusion is that there are two sets of the NetPBM binaries for Linux, one with the .zip extension and another one that is tar-ed and gzipped. There is no indication of which one to use, so of course I went with the gzipped one. Wrong.

The installation wizard (which is very nice by the way), when it was building the config file (last step), complained that it couldn’t find either the pnmcomp or the pamcomp file and it wouldn’t let me pass that point. As it happens, neither of them is in the gzipped package I downloaded (!). I searched in Gallery’s forums and it turns out that it’s a very common confusion.

The solution was simple after trying the zipped package; one of the needed PBM executables was there.

It’s worth mentioning that in terms of security Gallery does a good job after installation, because it not only tells you to change the configuration file ownership settings and to delete the installation file, but it provides a little shell script that will do it for you. I just evaluated another LAMP application that left the critical configuration file (with the MySQL password) world-readable.
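
The world-readable configuration file mentioned above is the kind of thing worth checking after any LAMP install. Here is an added example, not Gallery's own post-install script and not code from this post: a small POSIX shell audit that lists configuration files under a web root that are still readable by "other" and contain something that looks like a database credential, and a helper that tightens them. The sample web root, its file names and the constructed password are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not Gallery's script, not from the original post).
# Find world-readable files under a web root that hold credential-looking
# settings, then tighten their permissions.

# exposed_configs WEBROOT
# Prints every regular file under WEBROOT whose "other" read bit is set
# and that contains a credential-looking assignment, sorted.
exposed_configs() {
    find "$1" -type f -perm -004 \
        -exec grep -liE 'db_?pass|mysql_?pass|password' {} \; 2>/dev/null | sort
}

# lock_down_config FILE [OWNER:GROUP]
# Removes all access for "other" (and write for group); with a second
# argument also hands the file to the web server account (needs root).
lock_down_config() {
    chmod 640 "$1"
    [ -z "$2" ] || chown "$2" "$1"
}

# make_sample_webroot
# Builds a throw-away web root (constructed demo data): one config file
# holding a made-up password and one harmless script, both world-readable.
# Prints the path of the new root.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/gallery"
    printf '<?php\n$mysqlPassword = "constructed-not-real";\n' > "$root/gallery/config.php"
    printf '<?php\necho "hello";\n' > "$root/gallery/index.php"
    chmod 644 "$root/gallery/config.php" "$root/gallery/index.php"
    printf '%s\n' "$root"
}

# Demonstration on the constructed web root.
root=$(make_sample_webroot)
echo "exposed before:"; exposed_configs "$root"
lock_down_config "$root/gallery/config.php"
echo "exposed after:";  exposed_configs "$root"
rm -rf "$root"
```

The check looks at the mode bits rather than trying to read the file, so it reports the same thing whether it is run as root or as the web user; 640 keeps the file readable by the group the web server runs under once it is handed over with the optional owner argument.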

So I had my application installed, logged in as Admin and created some albums, and everything was OK. The last little problem was that previously I was using just one user and password to protect the blog, so I only needed to give this password to friends and family and the rest of the people unfortunately don’t get to see the cutest kid in the world. So I created one Gallery user, but when I direct people to the front page of Gallery, since they are not logged in they are presented with a bleak page that says “no albums, no images” and has a little login icon at the top right corner.

I didn’t want my users to have to figure out that there are already pictures there and that they have to log in. I could have written instructions, but what I did was a little hack in the login.php file: after the login has been successful (line 48) I added the redirection to the albums.php page (see below), and instead of presenting this albums page as the main one, I use login.php as the front page.

print("<html><head>");
print("<meta http-equiv=\"refresh\" content=\"0;url=http://www.danielduran.com/gallery/\">");
print("</head></html>");

Defending against SSH Brute force attacks

The Problem


The problem is malicious people trying dictionary attacks against an SSH server.

We can detect the attack in the /var/log/secure file, for instance:


Apr 5 18:09:54 testguest sshd[1220]: Invalid user andres from ::ffff:218.54.172.190
Apr 5 18:09:57 testguest sshd[1220]: Failed password for invalid user andres from ::ffff:218.54.172.190 port 2446 ssh2
Apr 5 18:10:00 testguest sshd[1222]: Invalid user barbara from ::ffff:218.54.172.190
Apr 5 18:10:02 testguest sshd[1222]: Failed password for invalid user barbara from ::ffff:218.54.172.190 port 2583 ssh2
Apr 5 18:10:06 testguest sshd[1224]: Invalid user adine from ::ffff:218.54.172.190
Apr 5 18:10:08 testguest sshd[1224]: Failed password for invalid user adine from ::ffff:218.54.172.190 port 2720 ssh2
Apr 5 18:10:11 testguest sshd[1226]: Invalid user test from ::ffff:218.54.172.190
Apr 5 18:10:13 testguest sshd[1226]: Failed password for invalid user test from ::ffff:218.54.172.190 port 2860 ssh2
Apr 5 18:10:16 testguest sshd[1228]: Invalid user guest from ::ffff:218.54.172.190
Apr 5 18:10:19 testguest sshd[1228]: Failed password for invalid user guest from ::ffff:218.54.172.190 port 3001 ssh2

Summary / Best Bang for your Buck

  • Change the port sshd is listening to. Edit the sshd config file (/etc/ssh/sshd_config for instance) and change the value of Port to something other than 22 and restart the sshd server (/etc/init.d/sshd restart). This will reduce dramatically the number of attacks you'll get.

  • Use strong passwords for all your Linux users (long, mixing lower and upper case, symbols and numbers) or use ssh keys that will make the whole ssh attack pointless (but you have the keys to manage now)

Let's take a look at several approaches to protect ourselves from these attacks.

Somebody must have written a script about this


Yes, there are several scripts out there, like Tattle - Automatic Reporting Of SSH Brute-Force Attacks (Perl), sshd_sentry (Perl) and DenyHosts (Python).

Banning guilty IP addresses


Another option is to ban the IP addresses of the attackers that are recorded in the previous log by using iptables.

So here's a little shell script I wrote as an exercise. It parses the /var/log/secure file for the guilty IP addresses and then rejects any incoming packets from them by inserting a DROP rule in the INPUT chain before the last two rules of our current iptables set (the one that accepts incoming SSH connections and the final default deny-all). To check the before and after effect: # iptables -L -n


#!/bin/bash
# Fernando Duran, August 2004
# Ban ssh brute-forcing IP addresses with iptables

# delete old ip bans by restarting iptables (reloads the saved rule set)
# Debian-style alternative: /etc/init.d/iptables restart
/sbin/service iptables restart

# bad login lines
ssh_line=/tmp/ssh_line
touch "$ssh_line"

# all ip addresses found in the log (rebuilt on each script execution)
all_ip=/tmp/blacklist
touch "$all_ip"

# intermediary merge (old + new ips) file
merge_ip=/tmp/blackmerge
touch "$merge_ip"

# list of unique banned ip addresses, kept between runs
black_ip=/var/log/blacklist
touch "$black_ip"

# extract guilty ip addresses (Red Hat, other distros may vary the format)
# splitting on ':' the 7th field of a line like the ones above is
# "218.54.172.190 port 2446 ssh2" (the "::ffff:" prefix accounts for
# three of the colons); the second cut keeps only the address
grep sshd /var/log/secure | grep Failed | grep invalid > "$ssh_line"
cut -d : -f 7 "$ssh_line" | cut -d ' ' -f 1 | sort | uniq > "$all_ip"

# merge the new ips with the previous black list and get rid of duplicates
sort -u "$all_ip" > "$merge_ip"
sort -u "$black_ip" >> "$merge_ip"
sort -u "$merge_ip" > "$black_ip"

# insert all unique ips into iptables, before the last two INPUT rules
# (iptables -L prints two header lines, so lines - 3 is the position
# just before the last two rules)
lines=`/sbin/iptables -L INPUT -n | wc -l`
rules=`expr $lines - 3`
for ip in `cat "$black_ip"`; do
/sbin/iptables -I INPUT $rules -s "$ip" -j DROP
#echo " $ip banned"
done

The way to restart iptables and the format of /var/log/secure will have to be adapted to your Linux distro.
The script is meant to be run periodically in order to add new bad IPs to our black list; for example we can run it as a cron job every hour.

The problem is that the script doesn't solve much. The attacker can try hundreds of user/passwords until the script is fired, and we'd be placing more burden on the system if we'd run it frequently, like every minute or so.
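
Two things the script above does not do are count failures per address (one mistyped password is not an attack) and spare the addresses we always log in from, which is the lock-out problem discussed in the rate-limiting section. Here is an added example that does both, written for this page and not code from the original post: it runs over a constructed /var/log/secure excerpt (the attacker address is the one from the log above; 10.0.0.5 and 203.0.113.9 are made up) and prints, rather than executes, the iptables commands it would issue, so the result can be reviewed before anything is dropped. The ALLOW_LIST, the threshold and the rule position are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: count "Failed password"
# lines per source address, report the addresses at or above a threshold
# and skip the addresses on an allow list. Log lines are constructed.

# Constructed /var/log/secure excerpt: the attacker from the post, three
# genuine typos from an address on our allow list, one stray failure.
SAMPLE_LOG='Apr 5 18:09:54 testguest sshd[1220]: Invalid user andres from ::ffff:218.54.172.190
Apr 5 18:09:57 testguest sshd[1220]: Failed password for invalid user andres from ::ffff:218.54.172.190 port 2446 ssh2
Apr 5 18:10:02 testguest sshd[1222]: Failed password for invalid user barbara from ::ffff:218.54.172.190 port 2583 ssh2
Apr 5 18:10:08 testguest sshd[1224]: Failed password for invalid user adine from ::ffff:218.54.172.190 port 2720 ssh2
Apr 5 18:10:13 testguest sshd[1226]: Failed password for invalid user test from ::ffff:218.54.172.190 port 2860 ssh2
Apr 5 18:11:00 testguest sshd[1230]: Failed password for fernando from 10.0.0.5 port 4000 ssh2
Apr 5 18:11:03 testguest sshd[1230]: Failed password for fernando from 10.0.0.5 port 4000 ssh2
Apr 5 18:11:06 testguest sshd[1230]: Failed password for fernando from 10.0.0.5 port 4000 ssh2
Apr 5 18:12:00 testguest sshd[1240]: Failed password for invalid user guest from 203.0.113.9 port 5000 ssh2'

# Addresses never to ban (our own, constructed).
ALLOW_LIST='10.0.0.5'

# failed_logins_by_ip < log
# Prints "count address" per source, highest count first. Handles both the
# IPv4-mapped "::ffff:a.b.c.d" form in the post and plain addresses.
failed_logins_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the address is the token after "from"; drop an IPv6 ::ffff: prefix
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            sub(/^::ffff:/, "", ip)
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# bad_ips THRESHOLD < log
# Addresses with at least THRESHOLD failures that are not on ALLOW_LIST,
# one per line, sorted.
bad_ips() {
    failed_logins_by_ip | while read -r n ip; do
        [ "$n" -ge "$1" ] || continue
        allowed=no
        for a in $ALLOW_LIST; do [ "$a" = "$ip" ] && allowed=yes; done
        [ "$allowed" = yes ] || echo "$ip"
    done | sort
}

# ban_rules THRESHOLD < log
# Prints (does not run) an iptables DROP command per address, inserted at
# the top of INPUT; the script above inserts before the last two rules.
ban_rules() {
    bad_ips "$1" | while read -r ip; do
        printf '/sbin/iptables -I INPUT 1 -s %s -j DROP\n' "$ip"
    done
}

# Demonstration on the constructed sample with a threshold of 3.
printf '%s\n' "$SAMPLE_LOG" | ban_rules 3
```

Run against a real log it would be `ban_rules 3 < /var/log/secure`, piped into sh only after reading the output; the threshold is what keeps a colleague's three typos out of the black list, and the allow list is what keeps your own address out even when the threshold is crossed.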

Limiting the rate of connections


Netfilter's iptables is very powerful, and one of its features allows us to mitigate brute force attacks and DoS attacks by limiting the rate of packets matching a rule.

So for instance we can append these rules:


/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 2 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 --syn -j DROP

The effect is that the firewall will only admit two (for example) incoming new SSH connections per minute (it will reset the "burst" counter every minute).

So this will be enough to discourage those idiots, right?
No, actually it may make things worse because we can lock ourselves out if we want to log in with SSH and at the same time there's an attack going on; then iptables will be preventing any incoming SSH connection (including ours).

If the previous shell script to ban ip addresses is used then this problem is less severe since we'll "only" have to wait for the cron job to run the script and ban the bad ip address so that later iptables can let us in. Another thing we can do is to place before those rules one that will grant SSH access to our (known) ip.

Using SSH keys


A way to get rid once and for all of the SSH brute force attacks is to allow SSH logins only with encryption keys. The price to pay is that we have to create the keys first (not a problem unless we have many users) and we have to take care of the private keys (have secure copies of them).

Basically we have to create a public/private key pair on the client computer and copy the public key to the server.

- Linux:


# ssh-keygen -t rsa

(We can also use dsa instead of rsa.)
If we enter a passphrase then we'll have to enter it every time we want to connect to the server using SSH.

The private key is generated into $HOME/.ssh/id_rsa, and the public key into $HOME/.ssh/id_rsa.pub
It's the public key that we have to append to the server's .ssh/authorized_keys file, located in the home directory of the user we want to authenticate.

- In Windows, if we are using PuTTY we can use puttygen to create the pair, then save the private key to the local computer (we can protect the file with a passphrase) and similarly copy the public key to the same file on the server. The formats of the keys in PuTTY are different from the ones generated with OpenSSH, but if we already have an OpenSSH one, puttygen can convert it to its format.

At the server, if there's no .ssh or authorized_keys file for that user, we can create them when running as that user:


$ cd ~
$ mkdir .ssh
$ touch .ssh/authorized_keys
$ chmod 600 .ssh/authorized_keys

After testing that we can log in with the keys, we can change the SSH server configuration file so that sshd will only accept keys as form of authentication.

Edit /etc/ssh/sshd_config and set:

PasswordAuthentication no

It's also a good idea to restrict the accepted version of SSH:

Protocol 2

If we use the "no password" setting it's very important to keep one or more copies of our private keys on removable media like a USB flash thumb drive or similar, so we can access the server in case we have no access to the hard drive of the client computer.

After the changes the SSH server has to be restarted:


# service sshd restart
(or # /etc/init.d/sshd restart in Debian System-V style)
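
The steps above (create .ssh and authorized_keys with the right permissions, then set PasswordAuthentication no and Protocol 2 and move the port) can be scripted and, more usefully, checked after the fact. Here is an added example, not code from the original post: a POSIX shell function that installs a public key for a user's home directory the way the steps describe, plus an audit that reads an sshd_config and reports which of the three recommended settings are missing. The key line and the two sshd_config fragments are constructed samples; the 700 mode on .ssh is an addition to the page's steps (sshd's default StrictModes refuses a group- or world-writable directory).

```shell
#!/bin/sh
# Added example, not code from the original post: install a public key with
# the permissions sshd expects, and audit sshd_config for the settings this
# section recommends. Key material and config fragments are constructed.

# install_pubkey HOMEDIR "PUBLIC_KEY_LINE"
# Creates ~/.ssh and authorized_keys if missing, appends the key only if it
# is not already there, and sets 700 on .ssh and 600 on authorized_keys.
install_pubkey() {
    home="$1"
    key="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    grep -qxF -- "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# sshd_setting KEYWORD < sshd_config
# Prints the effective value: sshd uses the first occurrence of a keyword,
# keyword names are case-insensitive, '#' lines and blank lines are ignored.
sshd_setting() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == k { print $2; exit }
    '
}

# audit_sshd_config < sshd_config
# Prints one line per weak setting; returns 0 only when the port is not 22,
# only protocol 2 is enabled and password authentication is off.
audit_sshd_config() {
    cfg=$(cat)
    rc=0
    port=$(printf '%s\n' "$cfg" | sshd_setting Port)
    [ -n "$port" ] || port=22                       # sshd default
    [ "$port" != 22 ] || { echo "Port: still 22"; rc=1; }
    proto=$(printf '%s\n' "$cfg" | sshd_setting Protocol)
    case "$proto" in
        2)   ;;
        "")  echo "Protocol: not set explicitly, add 'Protocol 2'"; rc=1 ;;
        *1*) echo "Protocol: allows SSH1 ($proto)"; rc=1 ;;
    esac
    pw=$(printf '%s\n' "$cfg" | sshd_setting PasswordAuthentication)
    [ -n "$pw" ] || pw=yes                          # sshd default
    [ "$pw" = no ] || { echo "PasswordAuthentication: $pw, set it to no"; rc=1; }
    return $rc
}

# Constructed sshd_config fragments: stock-looking, and hardened as above.
WEAK_SSHD_CONFIG='# stock-looking settings (constructed)
Port 22
Protocol 2,1
PasswordAuthentication yes'

HARDENED_SSHD_CONFIG='Port 2222
Protocol 2
PasswordAuthentication no'

# Demonstration: audit both fragments.
echo "weak config:"
printf '%s\n' "$WEAK_SSHD_CONFIG" | audit_sshd_config || true
echo "hardened config:"
if printf '%s\n' "$HARDENED_SSHD_CONFIG" | audit_sshd_config; then echo "  no findings"; fi
```

To audit a live server run `audit_sshd_config < /etc/ssh/sshd_config`; do it before restarting sshd, and keep the existing session open until a fresh key-based login has succeeded.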

SSH Session

Let's take a look at a screenshot of the beginning of an SSH session:

[Screenshot: beginning of an SSH session, captured with Ethereal]

It was taken with Ethereal, with Ubuntu Linux on both the client and the server, as can be seen in the first packet along with the SSH version.

Note the declaration of supported algorithms in the client-server "Key Exchange Init" packet.

Ubuntu Linux comes with the SSH client by default (ssh-client). The server package openssh-server is easily installed with Synaptic or using the "apt-get install" command. The SSH server can be run with no further configuration; to get it started just do: /etc/init.d/ssh start.

The keys and configuration are under the /etc/ssh directory (both in client and server):


# ls -l /etc/ssh/
total 140
-rw-r--r-- 1 root root 111892 2004-10-07 14:29 moduli
-rw-r--r-- 1 root root 1185 2004-10-07 14:29 ssh_config
-rw-r--r-- 1 root root 1743 2005-06-15 18:54 sshd_config
-rw------- 1 root root 668 2005-06-15 18:54 ssh_host_dsa_key
-rw-r--r-- 1 root root 602 2005-06-15 18:54 ssh_host_dsa_key.pub
-rw------- 1 root root 887 2005-06-15 18:54 ssh_host_rsa_key
-rw-r--r-- 1 root root 222 2005-06-15 18:54 ssh_host_rsa_key.pub

SSH2 tries to authenticate in one of three ways (and in this order): 1) the hostbased method (the server has a file listing which hosts to trust), 2) public key (the client user generates a public/private key pair and the server knows the public key) and 3) sending the password of an existing user on the server over the already encrypted channel, like in our case.

SSH also supports challenge-response authentication.

On the client side, the SSH server is added as a known host:


# ls ~/.ssh/
known_hosts
# cat ~/.ssh/known_hosts
192.168.0.100 ssh-rsa AAAAB3NzaC...(rest of the server's public key)

If we make a second SSH connection, the server is authenticated if there's a matching entry in this file.

Links:

Drink from Da source
Man pages and Internet Drafts
Wikipedia entry
OpenSSH Notes / Unix
Presentation

Fingerprinting: beyond nmap

nmap is an excellent open source network scanner tool that is used for gathering network information in the form of hosts and services enumeration.

Here's a snippet of nmap discovering the open ports of one of my servers:

# nmap 127.0.0.1

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2005-05-30 23:23 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1654 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http

But when nmap sees a port open it just names the standard service that usually runs in that (well-known) port, as listed for example in /etc/services .

Let's check this by changing the port that the target web server is listening to. In my case I'm running Apache2, so I edit the file /etc/apache2/ports.conf, and I change the "80" with "8888" for example. Then I restart the server: /etc/init.d/apache2 restart

Let's run nmap again:

# nmap 127.0.0.1

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2005-05-30 23:29 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1654 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
25/tcp open smtp
8888/tcp open sun-answerbook

So as we can see, nmap finds port 8888 open but reports the wrong service running on that port.

Amap to the rescue. (We'll forget about more complex vulnerability assessment tools like Nessus etc).

So I downloaded Amap, and installing it is the standard "untar, configure and make" routine. Let's see what Amap has to say now:

./amap 127.0.0.1 8888
amap v5.0 (www.thc.org/thc-amap) started at 2005-05-30 23:34:14 - MAPPING mode

Protocol on 127.0.0.1:8888/tcp matches http
Protocol on 127.0.0.1:8888/tcp matches http-apache-2

Unidentified ports: none.

amap v5.0 finished at 2005-05-30 23:34:20

Amap is able to correctly identify the right service (and version!) running on the unconventional port. It uses signatures of the server responses to identify the right services. It's a fast scanning tool and complements nmap by using nmap's output as its input: Amap's README.

Since I have this server running (conveniently) http and smtp, let's see how we can gain more information by telneting into these services.

For the mail server:

# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 localhost.localdomain ESMTP Postfix (Ubuntu)

So right away the mail server tells me what application it is and even the Linux distribution.

We can now pass SMTP commands to the server. For example, if we want to know if there's a user called "fernando":

vrfy fernando
252 fernando

It said "yes". Finally we disconnect:

quit
221 Bye
Connection closed by foreign host.

For the web server:

We telnet into its port (80 or to the one we changed) :

# telnet 127.0.0.1 8888
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

and pass some garbage:


blah
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://localhost.localdomain/apache2-default/">here</a>.</p>
<hr />
<address>Apache/2.0.50 (Ubuntu) PHP/4.3.8 Server at localhost.localdomain Port 80</address>
</body></html>
Connection closed by foreign host.

The web server returns an error page with lots of information about itself.

Another service to which we can apply this technique of telneting in and passing commands is an FTP server; in this case we can try the SYST command to get information about the system.
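
Everything the telnet sessions above learned (the "Postfix (Ubuntu)" banner, VRFY confirming a user name, the Apache error page naming the version, PHP and OS) comes from settings the administrator controls. Here is an added example, not code from the original post: a POSIX shell audit that reads a Postfix main.cf and an Apache configuration and reports the disclosing settings. The four config fragments are constructed, but the directives are real Postfix (smtpd_banner, disable_vrfy_command) and Apache (ServerTokens, ServerSignature) options, and the defaults assumed in the comments are those of the respective manuals.

```shell
#!/bin/sh
# Added example, not code from the original post: check Postfix and Apache
# configuration fragments for the settings behind the disclosure shown in
# the telnet sessions. All fragments are constructed.

# Constructed main.cf fragments: the banner shown in the post, and a quiet one.
LEAKY_MAIN_CF='myhostname = localhost.localdomain
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)'

QUIET_MAIN_CF='myhostname = localhost.localdomain
smtpd_banner = $myhostname ESMTP
disable_vrfy_command = yes'

# Constructed Apache fragments: full signature, and the minimal one.
LEAKY_APACHE_CONF='ServerTokens Full
ServerSignature On'

QUIET_APACHE_CONF='ServerTokens Prod
ServerSignature Off'

# postfix_value PARAMETER < main.cf
# Postfix keeps the last definition of a parameter; comments are skipped.
postfix_value() {
    awk -F' *= *' -v k="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == k { v = $2 }
        END { print v }'
}

# apache_value DIRECTIVE < httpd.conf
# Later directives override earlier ones; names are case-insensitive.
apache_value() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == k { v = $2 }
        END { print v }'
}

# audit_postfix < main.cf : one line per finding, returns 1 if any
audit_postfix() {
    cfg=$(cat)
    rc=0
    banner=$(printf '%s\n' "$cfg" | postfix_value smtpd_banner)
    [ -n "$banner" ] || banner='$myhostname ESMTP $mail_name'   # Postfix default
    case "$banner" in
        *mail_name*|*Postfix*|*"("*)
            echo "smtpd_banner reveals the software: $banner"; rc=1 ;;
    esac
    vrfy=$(printf '%s\n' "$cfg" | postfix_value disable_vrfy_command)
    [ "$vrfy" = yes ] || { echo "disable_vrfy_command is not yes: VRFY confirms user names"; rc=1; }
    return $rc
}

# audit_apache < httpd.conf : one line per finding, returns 1 if any
audit_apache() {
    cfg=$(cat)
    rc=0
    tokens=$(printf '%s\n' "$cfg" | apache_value ServerTokens)
    [ -n "$tokens" ] || tokens=Full          # Apache default
    [ "$tokens" = Prod ] || { echo "ServerTokens $tokens: use Prod"; rc=1; }
    sig=$(printf '%s\n' "$cfg" | apache_value ServerSignature)
    [ -n "$sig" ] || sig=Off                 # Apache default
    [ "$sig" = Off ] || { echo "ServerSignature $sig: use Off"; rc=1; }
    return $rc
}

# Demonstration on the constructed fragments.
echo "Postfix, leaky main.cf:";  printf '%s\n' "$LEAKY_MAIN_CF" | audit_postfix || true
echo "Postfix, quiet main.cf:"
if printf '%s\n' "$QUIET_MAIN_CF" | audit_postfix; then echo "  no findings"; fi
echo "Apache, leaky:";           printf '%s\n' "$LEAKY_APACHE_CONF" | audit_apache || true
echo "Apache, quiet:"
if printf '%s\n' "$QUIET_APACHE_CONF" | audit_apache; then echo "  no findings"; fi
```

Hiding the banner is not a substitute for patching (Amap still fingerprints Apache from its responses, as shown above), but it removes the exact version and distribution from the first line an unauthenticated client sees, and disabling VRFY stops the server from answering the user-enumeration question.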

Ubuntu Linux Revisited

I installed Ubuntu Linux in a second system, a $75 barebone refurbished with components from a failed Asus Pundit that was very cute but it will shut down every now and then and lately it wouldn't even boot. By the way, the barebone is an MSI MBOX P4MAM-V, just to confirm that it's Linux-compatible.

I updated some multimedia issues in my previous Ubuntu post. The problems with Totem (DVD playing) is a legal issue: Multimedia support
The no sound problem with Totem was solved again with:
# apt-get remove totem-gstreamer
# apt-get install totem-xine

The way Ubuntu manages the root account is a non-standard Unix arrangement, made for simplified desktop use and somewhat controversial.
The root account is disabled by default and administrative usage is encouraged through the sudo command; the first user has root powers, as explained in this FAQ answer. It's just a bit confusing because usually when you su or sudo in a Unix system you do it from an unprivileged account, and so you enter the password for root, but in this Ubuntu setup the first user account created at or after installation has administrative rights, so in Ubuntu when doing sudo you enter the user's password, not root's.

Some commands and graphical control applications are missing when compared with other distributions like Red Hat / Fedora. For instance, there's no command like chkconfig to view what services would be started at boot time. The Debian equivalent is update-rc.d, but this command is limited to the installation or removal of the initialization scripts, it won't summarize the current status of the /etc/rc?.d directories. The tool that we can use is rcconf, that is not packaged in Ubuntu by default but can be easily installed with the usual "apt-get install rcconf".

There's no firewall (netfilter/iptables) configuration tool, and this was a conscious decision made by the Ubuntu team as explained in this FAQ answer. Again, it's easy to install a firewall configuration program with the powerful Debian package system, for instance: apt-get install firestarter and voila, the firewall wizard is installed under Applications -> System Tools.


Goodbye Red Hat, Hello Ubuntu

I just installed Ubuntu "Warty" in my Dell Inspiron 8200 laptop on top of my old Red Hat 8.
The summary: it gets an 8 out of 10; I'm keeping Ubuntu, bye bye Red Hat.

I've been working with Linux for over 6 years but mainly on the server side. I had a dual boot on my laptop with WinXP Pro and Red Hat 8 that I was using mainly for some security tools like Nessus. Since Red Hat branched its distribution into the paid version and the "amateur" Fedora project, I was wanting to look elsewhere and especially at a Debian distribution and its apt package management. My version of Red Hat was getting old; it couldn't recognize my (crappy D-Link) wireless card, and Firefox wouldn't install because of some missing libraries.

Yesterday I took the plunge and installed Ubuntu from a single downloaded CD image to my old Red Hat partition.
As a nice surprise, the Nvidia video card was recognized and the video settings and everything just worked fine into the great 1600x1200 native resolution (before I had to download and install an rpm from Nvidia). The other nice thing is that my wireless card was also recognized, although it didn't work at first.

After some troubleshooting, I got the wireless working only by disabling the WAP encryption. Anyway, because I'm security paranoid, I had a MAC address filter in my access point among other measures, so it should still be somewhat secure, or at least someone war driving would first pick any of the other 6 open wireless networks from my neighbors. I read in Ubuntu's FAQ about typing the key with dashes like 1234-5678-9A, but that didn't work either.
The networking setting dialog is kind of weak though. And when both wireless and regular eth are connected, the connectivity is lost.

I found that some dialogs don't have the OK button, just the "Close" one and changes are kept, but it's not consistent (besides, some have an "Apply" instead of "OK").

I showed the desktop to someone who has never seen any Linux desktop before and she immediately clicked the world icon to browse the Internet and she said she liked the desktop (I chose the Ocean Blue theme).

Firefox works great and with Gaim I don't need to install the Yahoo messenger client.

OK, now on to try the apt-get thingy. What? There's no nmap? No Nessus? OK, I just did an initial "apt-get update", "apt-get upgrade" and then I could grab both with "apt-get install nessus", "apt-get install nmap". So that's really great. Actually there's a GUI for apt (Synaptic). But first you have to uncomment the repository sources in /etc/apt/sources.list. I don't know why this is not done by default.

I couldn't listen to any music or watch a DVD movie, but then (San Google) I discovered that there's some IRQ allocation conflict in my laptop between sound and the parallel printer port, and the whole thing (at least the sound, I haven't checked the printer) is solved by adding "acpi_irq_isa=7" to the boot command in /boot/grub/menu.lst

So now I could play music, but the Totem DVD wasn't working yet (actually I was able to crash the system). After searching the Ubuntu forums I tried uninstalling totem-gstreamer and installing totem-xine, and now it showed the FBI warning at the beginning, but then it crashed (I'm getting closer). I know that if I read a little more documentation and apt-install the right program/codecs whatever it would eventually work, but the point is, viewing DVDs in Ubuntu is not ready for your mother yet. Update: The issue of (not) playing DVDs has to do with encryption and license fees for the media players. Commercial Linux versions like Xandros and Linspire (previously Lindows) have an incorporated licensed media player. There are free / open source programs that break this encryption but their legal standing is not good or unclear in some countries (amazing but true).

This multimedia stuff is not ready yet from the default Ubuntu installation; I wanted to burn a CD with family pictures but the only program available is a music ripper. Update: I don't know how I missed it, but upon inserting a blank CD a new window for the burner opens, I just dragged-and-dropped the folder I wanted to copy to the CD and that's all!

Another thing I couldn't do in Red Hat 8 was to mount my Windows ntfs partition. Now it worked without any problems. I added a line in /etc/fstab to mount it automatically (note that umask=000 makes every file on that partition readable and writable by every local user; a tighter umask or the uid=/gid= options restrict it):
/dev/hda2 /home/fernando/win ntfs auto,rw,exec,user,umask=000 0 0

OpenOffice seems to work fine, and Evolution looks great, who needs Outlook?

My flash thumbdrive was really plug-and-play; I plugged it in the USB slot in the back and when I moved my head back the new icon of the drive was already in my desktop. By the way, maybe it would be a good idea to add some basic icons to the desktop in the default distribution, like "home" and "disks". For example when my Windows partition is mounted its icon is shown on the desktop but it's alone.

The root privileges are treated differently than standard Unix, I guess as not to confuse novice users.

So there's some post-installation issues, and some of them are addressed in the Ubuntu documentation and forums, like: http://www.ubuntuforums.org/showthread.php?t=3713&highlight=mp3
The Ubuntu Guide: http://www.ubuntuguide.org/ and the Debian reference documentation: http://www.debian.org/doc/manuals/reference/reference.en.html are some excellent sources.

Besides the package management (apt versus rpm and maybe yum) the other noticeable difference is the initialization runlevel scripts. In Red Hat there's also the "service" command, like in "service network restart" that basically calls the network script (/etc/rc.d/init.d/network) but in Debian style it's /etc/init.d/networking

Another good point is that I only needed one single CD for the installation of Ubuntu, instead of the three usually required by Red Hat. The installation process itself is not as graphical as Anaconda or YaST, but I don't particularly care; the crucial steps to me are partitioning and video detection, and in Ubuntu the first was explained better and the latter worked better. Since Ubuntu is aimed at desktop users, it doesn't have package selection options at installation time, so this step is simplified. (Hey, it doesn't even come with gcc by default!)

There's no iptables firewall rules by default, but there are no listening ports after installation either. Red Hat always had something open that you have to close after the first install, although in every new version they reduce the number of open services.

OK, that was my experience of one day with Ubuntu Linux; so far I'm keeping it. It's a nice general desktop distro.

I have a customer with several web sites hosted on a dedicated server.

The server uses qmail as its MTA and I wanted to install SpamAssassin to filter out spam.

After a little searching, I didn't find clear documentation on how to connect SpamAssassin with qmail. Two useful pages I found were:
How to use Spamassassin together with Qmail and SpamAssassin with qmail / Vpopmail

I wanted to filter on a per-account basis and I was having some problems with the recipe from the first page. So basically I adapted the information, and here's what worked for me:

  1. I installed SpamAssassin, more or less as explained in the second page.

  2. I edited the file /etc/mail/spamassassin/local.cf.

  3. I checked with a spam example (save a spam email with full headers) that it works from the command line: spamc < spam.txt

  4. I downloaded and installed safecat (which contains the maildir tool). By the way, it prints a warning when maildir is executed, but it works.

  5. As the mail user ("popuser") I edited the .qmail file of the account ("webmaster"), located at /var/qmail/mailnames/domainhere.com/webmaster/.qmail, with the following:

    | spamc |maildir ./Maildir/

  6. I checked that it was working: cat spam.txt | spamc |maildir ./Maildir/

  7. I (re)started SpamAssassin: /etc/init.d/spamassassin restart
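One thing the two-stage .qmail line does not handle is a filter failure: if spamc exits non-zero, whatever reached maildir is delivered (or nothing is), and qmail is never told to retry. Here is an added example, not part of the post and not from the safecat or SpamAssassin projects, of a small POSIX shell wrapper that runs the filter and the Maildir delivery as one step and returns qmail's temporary-failure code 111 so the message is requeued instead of lost. The script name, the FILTER/MAILDIR arguments and the /var/qmail/bin path are my own; spamc itself, by default, passes the message through unchanged when spamd is unreachable, and that behaviour is left as is.

```shell
#!/bin/sh
# qmail_filter_deliver.sh: added example, not part of the post and not from
# the safecat or SpamAssassin projects. Replaces the .qmail line
#   | spamc |maildir ./Maildir/
# with a single stage that refuses to lose a message when the filter fails.
# Exit codes follow qmail-local: 0 = delivered, 111 = temporary failure
# (qmail keeps the message in the queue and retries), 100 = permanent failure.

# deliver_filtered FILTER MAILDIR  < message
# Runs FILTER (a command reading the message on stdin, e.g. spamc) and writes
# its output into MAILDIR with the Maildir tmp/ -> new/ rename, so readers
# never see a half-written file.
deliver_filtered() {
    filter="$1"
    maildir="$2"
    [ -d "$maildir/tmp" ] && [ -d "$maildir/new" ] || return 111
    # Maildir unique name: time.pid.host (one delivery per process under qmail)
    name="$(date +%s).$$.$(uname -n)"
    tmp="$maildir/tmp/$name"
    # Filter into tmp/. On failure drop the partial file and ask qmail to
    # retry later instead of bouncing or silently dropping the message.
    if ! "$filter" > "$tmp"; then
        rm -f "$tmp"
        return 111
    fi
    mv "$tmp" "$maildir/new/$name" || { rm -f "$tmp"; return 111; }
    return 0
}

# From .qmail (hypothetical path): | /var/qmail/bin/qmail_filter_deliver.sh spamc ./Maildir/
if [ "$#" -eq 2 ]; then deliver_filtered "$1" "$2"; exit $?; fi
```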

DB2 Linux Installation Notes

These notes are for the manual installation and configuration of IBM DB2 Enterprise Edition v.8.1.1 on Linux, particularly with the 2.4.20 kernel and Red Hat 9.0.

Part 1: Program Installation
Run everything as root.

If you get errors, see the /tmp log files created by db2, and you can also write the output errors to a file like in: # command 2> command.err


  • Unzip the installation file if you don't have the CD-ROM (in our case into /opt).

  • Run the installation program:

    • cd (installation_path)

    • # ./db2install

    • Choose an installation option, for example DB2.EXE DB2.ADMCL


  • Create users and groups:


    • # groupadd -g 999 db2iadm1

    • # groupadd -g 998 db2fadm1

    • # groupadd -g 997 db2asgrp

    • # useradd -g db2iadm1 -m db2inst1 -p password

    • # useradd -g db2fadm1 -m db2fenc1 -p password

    • # useradd -g db2asgrp -m db2as -p password


  • Create an Administration Server (DAS)


    • /opt/IBM/db2/V8.1/instance/dascrt -u db2as


  • Create an Instance


    • /opt/IBM/db2/V8.1/instance/db2icrt -u db2fenc1 db2inst1

  • Create links


    • /opt/IBM/db2/V8.1/cfg/db2ln


  • Install license key


    • (NOTE: the trial version lasts for 90 days)

    • /opt/IBM/db2/V8.1/adm/db2licm -a /opt/009ESE_LNX_32_NLV/db2/license/db2license.lic


Part 2: Test

    • Login as db2inst1 (for example from root: # su db2inst1 -)

    • Start the database: $ db2start

    • Create the "sample" database: $ db2sample

    • List existing database(s): $ db2 list database directory

    • Check the sample database



    • $ db2 connect to sample

    • $ db2 list tables

    • $ db2 "select * from employee"

    • $ db2 connect reset


Part 3: Create Users and Database Instances

    • Add the db2 profile environment to the /etc/profile file with the following line (note: you are "sourcing" it; there's a dot at the beginning of the line):
      . /home/db2inst1/sqllib/db2profile

    • To create the users we use a script genesis.sh, to run as root:

      (NOTE: afterwards each password must be set manually with # passwd username)

      #!/bin/bash
      # genesis.sh : Script that creates users with www directory
      # usage: ./genesis.sh username
      # then 2) password must be set manually
      # and 3) run /home/db2inst1/createdb.sh as db2inst1
      #
      # The opposite script to delete user and database is: nuke username
      #
      # Fernando Duran , Oct 2003
      #

      useradd "$1"
      mkdir /home/"$1"/www
      chown "$1" /home/"$1"/www
      chgrp "$1" /home/"$1"/www
      chmod 711 /home/"$1"
      chmod 755 /home/"$1"/www


    • To create the database instances for the users we use a script createdb.sh, to run as db2inst1:

      (NOTE: the name of the database is the same as the Linux login name for that user; /home/db2data is an arbitrary directory.)

      #!/bin/bash
      # createdb.sh : Script that creates users' databases
      # usage: ./createdb.sh username
      #
      # The opposite script to delete user and database is: /root/nuke.sh username
      #
      # Fernando Duran , Oct 2003
      #

      db2 "create database $1 on /home/db2data"
      db2 "connect to $1"
      db2 "grant dbadm on database to user $1"
      db2 "revoke connect on database from public"
      db2 "connect reset"


    • To delete a user and the associated database we run a script nuke.sh as root:

      #!/bin/bash
      # nuke.sh: script to delete user and his/her /home directory and database
      # usage: ./nuke.sh username
      #
      # Fernando Duran , Oct 2003
      #

      userdel -r "$1"
      SQL="drop database $1"
      su -l -c "db2 $SQL" db2inst1


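The three scripts above splice the login name from $1 straight into useradd arguments and into the SQL string handed to "su -c", so the only thing standing between a malformed name and a root shell is whoever types the argument. As an added example (not the post's genesis.sh or createdb.sh, and not IBM's code), here is a single provisioning script that performs the same steps but validates the name first and refuses to proceed if the account already exists. The script name, valid_login and provision are my own; the instance owner db2inst1 and the data directory /home/db2data are taken from the post.

```shell
#!/bin/sh
# provision_user.sh: added example, not the post's genesis.sh or createdb.sh.
# Same three steps as the post (Unix account, www directory, per-user DB2
# database with CONNECT revoked from PUBLIC), but the login name is validated
# first: in the original scripts $1 is spliced unquoted into useradd and into
# the SQL string handed to "su -c", so a name containing shell or SQL
# metacharacters is executed rather than rejected.

# valid_login NAME -> 0 if NAME is safe as a Unix login and DB2 database name.
# Rules: lowercase letter first, then lowercase letters, digits or underscore,
# 2 to 8 characters (DB2 database names are limited to 8 characters).
valid_login() {
    case "$1" in
        *[!a-z0-9_]*) return 1 ;;   # a character outside the allowed set
        [a-z]*) ;;                  # starts with a letter: go on to length check
        *) return 1 ;;              # empty, or starts with a digit/underscore
    esac
    [ "${#1}" -ge 2 ] && [ "${#1}" -le 8 ]
}

# provision NAME: run as root. The instance owner db2inst1 and the data
# directory /home/db2data are taken from the post.
provision() {
    name="$1"
    valid_login "$name" || { echo "refusing invalid login name" >&2; return 2; }
    if getent passwd "$name" >/dev/null; then
        echo "user $name already exists" >&2; return 3
    fi
    useradd -m "$name" || return 4
    install -d -o "$name" -g "$name" -m 755 "/home/$name/www"
    chmod 711 "/home/$name"
    # The password is still set by hand afterwards, as in the post: passwd NAME
    # Only a validated name reaches the su -c command line below.
    su -l db2inst1 -c "db2 'create database $name on /home/db2data' \
        && db2 'connect to $name' \
        && db2 'grant dbadm on database to user $name' \
        && db2 'revoke connect on database from public' \
        && db2 'connect reset'"
}

# Usage (as root): ./provision_user.sh NAME
if [ "$#" -eq 1 ]; then provision "$1"; fi
```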

Part 4: Optional Configurations

    • To restart the db2 server automatically when Linux starts, add
      su db2inst1 -lc /home/db2inst1/sqllib/adm/db2start
      to the end of the /etc/rc.local file.