Archive for April, 2005

Bastille – a pretty cool tool…

April 27th, 2005

My brother turned me onto this tool for securing Linux boxes called Bastille. Bastille is an incredibly easy tool to install and use for Fedora. It sports the following features:

  • Automatic configuration of your IP Chains firewall
  • Removes setuid root from some tools that don’t need it
  • Controls where root can shell in from, including tty ports
  • Checks services and asks if they truly need to be running
  • Checks services to ensure they’re running in their chroot jails

I was able to download and install this tool in about 15 minutes. It involved downloading and installing the RPM and adding the TK-Perl libraries (so I could run it in X from my remote station). I then executed the script and let it do its thing.

One of the really awesome parts of the tool is that it allows you to revert back to your previous configuration in case you botch your system up by locking it down. When configuring the IPChains portion, that becomes crucial in case you forget to list a port you need open.

Along with the script, some very good recommendations come with it. For instance, when it asks you whether you want a particular feature enabled or disabled, it gives a recommendation and some information as to why you would want to enable the security setting or leave it disabled. Considering that I am pretty much a wanna-be when it comes to Linux and O/S security, I found this information to be extremely valuable.

You can download the tool at:

http://www.bastille-linux.org

There’s also a screenshot of the X interface at:

http://www.bastille-linux.org/bastille1.jpg

– Scott Keoseyan – 27 APR 2005

I shot the solaris… but I didn’t shoot the debian…

April 12th, 2005

So, I stayed up late last night and ripped apart my old Sun Ultra 10 workstation. I ended up rebuilding it as a debian Linux box. I downloaded all 7 disks, although I only ended up needing the first two to create the system since I was really going for a workstation build, not a server.

Debian reminded me a lot of my original slackware experiences back in the mid-90s… text-menu driven install and system configuration. I was going to put FreeBSD on the box… downloaded the boot-only disk and started to build, but I had a lot of trouble with the text output on the install menus and the Sun display. I couldn’t find an emulation that allowed the Sun keyboard to work. I finally got it installed and decided I was making things too hard on myself because I didn’t understand how services were controlled, I couldn’t get X set up right because I didn’t have the hardware specs for my old Sun box, and because I am sometimes lazy.

I managed to shut down everything I didn’t want. I miss chkconfig… had to figure it out manually. I also managed to get the station to act as an LDAP client. The strange thing going on with it now is that when you shell in as a user who doesn’t have a local account, the prompt displays something like “no name!@pippin>” or something like that. When I create the local user, of course, this goes away. Permissions and all work fine; it’s just the user prompt that’s hosed.

I also noted that the users are cached somewhere besides the passwd and group files… I used their userdel script and it didn’t completely delete the user account… when I went back to add the user it said that the user already existed. Weird. I guess I have more to learn. I know on my Fedora boxes I simply yank the entries out of group and passwd and delete the homedir and I am set. I am unsure what debian is writing the user info to in addition and why their script doesn’t completely whack the user.

I might rip it apart and rebuild it two or three times just for the experience… tough thing is not every Linux distro is supported on Sparc platforms. I was thinking of trying Gentoo since it apparently has a Sparc port. The last free Redhat distro was 6.2, so I am not wasting my time with that. I wish they’d port Fedora. I’ve heard rumblings of it, but it’s not a reality yet as far as I can tell.

nuff for now…

–Scott Keoseyan – 12 APR 05

TV… it’s just TV

April 9th, 2005

Quote of the day… “You don’t stop a homicidal sociopath by chatting him up.”

I saw this on television today while I was working from home and thought, “wow… just good old homespun wisdom like that can keep me whole. Good thing I have TV to get it to me, otherwise I might try something stupid like that!”

Does anyone with a brain actually think that television’s worth watching any more? Let’s look at what’s on.

Reality TV – ever notice that “reality TV” is the worst of human behavior? I mean, come on! No one is like these people they find for these shows, not even them. It’s all an act! It’s a joke to call it reality… whose reality is this? I think it’s the network’s reality of selling you a boatload of garbage and convincing you it’s for real while they laugh all the way to the bank.

Special Interest Channels – well, we have a military channel, a health channel, an extreme sports channel (I guess watching skateboarding is almost as good as doing it???), a history channel, a biography channel, and a myriad of other special interest television channels… all filled with the same content over and over and over and over… First, they played Biography on A&E, then when it appeared that it was a little popular, they decided to dedicate a whole stinking television channel to it! Now, I don’t know about you (this is my rant, remember?), but I guess you’d really really really have to care about the biographies they do to even flip to this channel. I mean, come on! How many times do we need to hear about Tom Hanks and his struggle to be taken seriously after Bosom Buddies???

So, add in the all-news, all-the-time channels – We have CNN, CNN Headline News, Fox News Channel, CNBC, MSNBC, ESPN-News… ugh, how many different takes do we need from talking heads on Prince Charles’ wedding, or the death of the Pope??? On top of this, we have a local all-news channel too! Imagine the news pool they have to draw from in a place like Charlotte NC. TV news organizations are important, I mean after all, look how well they’ve covered the last two presidential elections. Oh, and their stunning and powerful coverage of everything from the OJ Simpson trial to the Kobe Bryant debacle… the term “media circus” keeps popping up in my head and I can’t make it stop. I will actually give kudos here one time… the coverage of Ronald Reagan’s funeral last year was actually pretty good. But that class of journalism is so rare to see, it makes TV news intolerable… I am sticking to newspapers and online publications.

Then we go to the specialty sports channels – Golf, tennis, racing, regionalized sports… why don’t we have a chess channel or a lawn-darts channel too? They’re just about as exciting as some of the others. I guess I should be careful here. People get darned religious about their sports.

Don’t forget about the other strange channels that really don’t fit into anything – channels like Trio and Bravo. How do you describe these channels? Artsy-Fartsy? Froo-Froo? I saw some really bizarre programming on Trio the other night, and apparently they spend a lot of time on the weekends showing programs with a gay slant. Wassup with that? So now, to make sure we don’t offend anyone who likes to have abnormal sex, we’re going to air it on TV. Man, good thing TV’s around to make us all one big happy family. Then they have another show called “Good Clean Porn” where they’ve apparently taken all the actual pornography out of 70s porn films and left just the “drama”. How nice of them to clean it up for us. Given the original intent, I can’t see the point here… it’s as if the statement is being made that there’s more to these films than just what their original intent was. Yeah, right, whatever… this stuff is really the bottom of the barrel, and thankfully no one in the house has asked about it yet because it’s hard to explain away garbage like that to my kids. They always want to know why anyone would want to watch it.

Finally we have the original 3, (plus FOX) networks – oh how the mighty have fallen. Might as well lump in TNT, USA, TBS, WGN, and all the other superstations and their spin-offs here too, because all they do is regurgitate the crap that was shoved in front of us to begin with 6 months after it originally aired. People rave about network television… the reality shows, sit-coms, and dramas, but I can’t get the attraction. Outside of a sporting event, or special coverage of a news event, every time I watch a sit-com, I walk away thinking “well, there’s 30 minutes of my life I’ll never get back…” Every once in a while, something quality comes out of the networks… like The Simpsons, or, Seinfeld. For the most part, however, this pablum they feed us is little more than a pathetic attempt to keep us hooked long enough to keep their sponsors happy.

And I guess that’s what it all boils down to – people need to figure out that television isn’t there for us. It’s there for the sponsors to sell to us. We’re not the customers, we’re the product. The advertisers are the customers, and the television producers are the wholesalers… selling us to the highest bidder. If you don’t think this is true, open your eyes and take a look around you. When Jennifer Aniston got a gadget, or wore something on “Friends”, you can bet a whole segment of society went out to buy it. You didn’t see a product on a show like this unless the product manufacturer paid for it… Don’t believe me? If it’s not true, why do people on sit-coms drink soft drinks out of a can marked “Cola” instead of a Coke or Pepsi can? Everyone knows it’s gonna be one or the other, right? But the producers aren’t going to give anyone a free ride by letting us see Jennifer Aniston or Ray Romano drinking their favorite beverage and turning us onto it.

All of this makes me glad I don’t have to work from home all the time…

– Scott Keoseyan – April 09 2005

LAMPS – An Overview

April 6th, 2005

LAMPS

LDAP | APACHE | MYSQL | PHP | SSL

LAMPS is a popular combination of operating system and infrastructure software for delivering information and services. Many people expand LAMPS as Linux, Apache, MySQL, PHP, and SSL… or write LAMPs, meaning that the SSL component isn’t present. I am unsure of the proper component mix for a LAMPS system, but I think the ‘L’ should stand for LDAP, as it is the most effective way to scale the management of users, groups and other components. If it stood for Linux, the implication would be that one could replace the ‘L’ with a ‘W’, as in Windows, and build a ‘WAMPS’ system. Since that would most likely turn into a complete disaster, I prefer to assume that Linux is the O/S, and that ‘LAMPS’ refers to the components running on top of it.

LAMPS is used for a lot of different service and information delivery roles. One of the most popular roles is as a Content Management System, or CMS, platform. A CMS is normally built around a MySQL database, with PHP generating the pages that are delivered to a web browser.


  • LDAP
    • What is it? - Lightweight Directory Access Protocol: the protocol used to
      query and update a directory server, such as OpenLDAP, over the network.
    • What is it used for? - A directory accessed over LDAP collects, manages,
      and distributes information about containers or groups,
      organizational units, and people, arranged as a tree of entries.
    • Why is it important? - LDAP is an open-standards way of collecting
      information in a single directory for your organization and providing
      that information to applications, systems, and other users so that it
      can be used. Typical applications for LDAP include e-mail address books
      and centralized authentication, so that every host checks the same
      account and group data instead of its own local passwd and group files.
      That also makes the directory a high-value target: protect the bind
      credentials, require TLS (ldaps or StartTLS) so passwords never cross the
      wire in the clear, and restrict what anonymous binds can read.
  • Apache
    • What is it? - Apache is an HTTP, or web, server designed with
      open-platform support in mind. Apache runs on just about every major
      operating system in existence today, including Linux, Solaris, and
      Windows.
    • What is it used for? - Delivering server-based web content via the
      Hypertext Transfer Protocol through a server-side daemon process
      listening on the standard TCP ports (80 for HTTP, 443 for HTTPS) or
      custom server-defined port numbers.
    • Why is it important? - Without Apache, we would have to rely on
      Microsoft Internet Information Services (IIS), Netscape’s server, or
      other commercial proprietary server software packages to deliver content
      via HTTP. Because an open-source, non-proprietary server like Apache
      exists, the continued growth of information available on the Internet is
      ensured.
  • MySQL
    • What is it? - MySQL is an open-source database system that uses SQL
      for querying and manipulating the data in a database.
    • What is it used for? - MySQL is most commonly used for web and embedded
      applications and has become a very popular alternative to proprietary
      database systems, such as Microsoft SQL Server, because of its speed and
      reliability. MySQL can run on UNIX, Windows and Mac OS.
    • Why is it important? - MySQL provides an open-source alternative to
      proprietary database solutions while interoperating with the standard
      SQL query language, data formats, and client/server protocols.
  • PHP
    • What is it? - PHP: Hypertext Preprocessor (a recursive acronym), an
      open-source, server-side scripting language embedded in HTML and used to
      create dynamic web pages.
    • What is it used for? - In an HTML document, PHP code is enclosed in
      <?php … ?> tags, so the author can switch between HTML and PHP without
      having to rely on heavy amounts of code just to output HTML. Because PHP
      is executed on the server, the client receives only the generated HTML
      and cannot view the PHP source (as long as Apache actually hands .php
      files to the PHP interpreter; a misconfigured server that serves them as
      plain text exposes the code, database passwords included). PHP is able
      to perform any task that a CGI program can, but its strength lies in its
      compatibility with many types of databases, especially MySQL. PHP can
      also talk across networks using a variety of protocols.
    • Why is it important? - PHP allows database content to be presented
      dynamically through a web interface, which is what lets content
      management systems store and present information more effectively.
      Without PHP, proprietary data-presentation formats would need to be
      relied on to allow dynamic content to be presented. That same coupling
      is also where most LAMPS break-ins start: untrusted request data pasted
      into SQL (SQL injection) or echoed back into the page (cross-site
      scripting), so queries should use parameterized statements and every
      value written into HTML should be escaped.
  • SSL
    • What is it? - Secure Sockets Layer, a protocol for securing the
      transmission of data over a public network infrastructure. Its
      successor, Transport Layer Security (TLS), has replaced it, although
      “SSL” is still the everyday name.
    • What is it used for? - SSL transmits your communications over the
      Internet in encrypted form and, provided the client checks the server’s
      certificate, ensures that the information is sent, unchanged, only to
      the server you intended to send it to. Apache speaks it on TCP port 443
      as HTTPS.
    • Why is it important? - Without SSL, neither the server nor you can
      ensure the integrity or confidentiality of your data communications.
      Transmissions could be intercepted, altered, copied, or disrupted
      without the knowledge of the sending or receiving party. SSL provides
      integrity because every record is authenticated with a key only the two
      end-points hold, and confidentiality because the session is encrypted
      with keys agreed during the handshake. Both guarantees rest on end-point
      identification: the server proves who it is with a certificate issued by
      a certificate authority the client trusts, and the client must verify
      that certificate and that its name matches the host it meant to reach
      (the client may present a certificate too, but that is optional). A
      client that skips that verification still gets an encrypted session,
      just possibly with an impostor, which is how “encrypted” connections get
      silently intercepted.
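The PHP entry above describes code switching between HTML and PHP and pulling content out of MySQL. The page that follows is an added example, not code from the original post or from any of the projects it names: it renders one CMS article, keeps the database lookup in a function, and shows the 2005-era string-concatenation query beside the prepared statement that replaces it. The database name `cms`, the read-only account `cms_ro`, the `CMS_DB_PASS` environment variable and the table `articles(id, title, body)` are assumptions made for the example.

```php
<?php
// Added example (not from the original post): a PHP page embedded in HTML that
// pulls one article out of MySQL. The database "cms", the user "cms_ro", the
// environment variable CMS_DB_PASS and the table
// articles(id INT, title VARCHAR(200), body TEXT) are assumptions for this example.
declare(strict_types=1);

function load_article(PDO $pdo, string $rawId): ?array
{
    // Only accept what an article id can legitimately look like. Anything
    // else is rejected before it gets anywhere near the database.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $rawId)) {
        return null;
    }

    // Typical 2005-era code did this, which is SQL injection waiting to happen:
    //   mysql_query("SELECT title, body FROM articles WHERE id = " . $_GET['id']);
    // ?id=1%20OR%201=1 returns every row; ?id=1%20UNION%20SELECT%20... reads other tables.
    //
    // A prepared statement sends the SQL text and the parameter separately, so
    // the value can never be parsed as SQL no matter what it contains.
    $stmt = $pdo->prepare('SELECT title, body FROM articles WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Emulated prepares are off so the MySQL server, not the client library, does
// the binding; errors throw instead of silently returning false.
$pdo = new PDO(
    'mysql:host=localhost;dbname=cms;charset=utf8mb4',
    'cms_ro',                            // read-only account: SELECT only
    (string) getenv('CMS_DB_PASS'),      // never a password literal in the page
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$article = load_article($pdo, $_GET['id'] ?? '');
if ($article === null) {
    http_response_code(404);
}
// Everything that came out of the database is escaped on its way into HTML, so
// a body containing <script> is displayed as text rather than executed (XSS).
$e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<head><title><?= $article ? $e($article['title']) : 'Not found' ?></title></head>
<body>
<?php if ($article === null): ?>
  <p>No such article.</p>
<?php else: ?>
  <h1><?= $e($article['title']) ?></h1>
  <div><?= nl2br($e($article['body'])) ?></div>
<?php endif; ?>
</body>
</html>
```

The arrow function needs PHP 7.4 or later; on older releases write `$e` as a normal `function` instead. The point that survives any PHP version is the division of labour: validate the input, bind it as a parameter, escape the output. Nothing from the request ever reaches the SQL text or the HTML unescaped.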


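The SSL entry above says the guarantees rest on end-point identification. The client below is an added example, not code from the original post, showing what that identification costs in a PHP stream client and which single setting throws it away. The host name, port and CA bundle path are assumptions for the example, and the function has to reach a live server, so it is not something to run offline.

```php
<?php
// Added example (not from the original post): a TLS client in PHP that
// actually performs end-point identification. Host, port and the CA bundle
// path are assumptions for this example.
declare(strict_types=1);

/**
 * Open a TLS connection to $host:$port and return the verified peer
 * certificate's subject, issuer and expiry. Throws if the server cannot
 * prove, with a certificate chained to $caBundle, that it is $host.
 */
function connect_verified(string $host, int $port, string $caBundle): array
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,      // certificate must chain to a trusted CA
        'verify_peer_name'  => true,      // and its name must match $host
        'peer_name'         => $host,
        'cafile'            => $caBundle, // e.g. /etc/ssl/certs/ca-certificates.crt
        'allow_self_signed' => false,
        'capture_peer_cert' => true,
        // Refuse anything older than TLS 1.2 (OR in the TLSv1_3 constant on PHP 7.4+).
        'crypto_method'     => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
    ]]);

    $fp = @stream_socket_client(
        "tls://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx
    );
    if ($fp === false) {
        // Covers both "connection refused" and "certificate verify failed":
        // an impostor presenting its own certificate never gets past this line.
        throw new RuntimeException("TLS connection to $host failed: $errstr ($errno)");
    }

    $params = stream_context_get_params($fp);
    $cert = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    fclose($fp);

    return [
        'subject' => $cert['subject']['CN'] ?? '',
        'issuer'  => $cert['issuer']['CN'] ?? '',
        'expires' => date('c', $cert['validTo_time_t']),
    ];
}

// The settings people reach for when a certificate error blocks them. They
// keep the encryption but discard identification: a man in the middle can
// present any certificate at all and the client will happily talk to it.
$insecure = ['ssl' => ['verify_peer' => false, 'verify_peer_name' => false]];

print_r(connect_verified('www.example.com', 443, '/etc/ssl/certs/ca-certificates.crt'));
```

Before PHP 5.6 `verify_peer` defaulted to false, so a PHP client of the era this post was written in did no end-point identification at all unless the programmer turned it on; from 5.6 onward the secure settings in `connect_verified` are the defaults, and `$insecure` is what an explicit opt-out looks like.
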
Links

I found these links helpful when I built my systems:



Beyond the infrastructure level components, there are several very
helpful components that support additional applications such as mail and content
management. These include:

  • Cyrus IMAPd – delivers mail to users via IMAP, which, IMO, is preferable
    to POP.
  • Postfix – a sendmail replacement. I found this easier to set up, secure,
    and configure.
  • SquirrelMail – an IMAP-compliant webmail interface with lots of add-ons.
  • PHP-Nuke – a really well-supported and well-packaged content management
    system that leverages PHP and MySQL.
  • TWiki – If you’re reading this, you’re using it… TWiki is a
    topic-based content system that leverages the Wiki concept of open editing
    and content control.
  • Webmin – a web-based server admin tool… it helps in some respects, but
    not all. It might be more of a security risk than a useful tool if it’s
    not configured correctly and adequately protected: it runs as root and
    listens on TCP port 10000 by default, so at minimum restrict it to trusted
    source addresses and serve it only over SSL.


I will post these links to a permanent page when I get the time and continue to add to them and expand them…

Future Topics:

  • LDAP web authentication
  • Self-signed SSL certs

If you have more suggestions… add them to the comments and I will see what I can do about getting something posted… if I used it, then it’s probably not going to be an issue.

– Scott Keoseyan – APR 06 2005