Archives for posts with tag: linux

 

Excellent laptop for having a wireless chip which is compatible with stock Debian and FreeBSD installation! This is one of the first hardware I have come across where the OS detected the wireless chip during installation.

Next, I used UEFI based dual boot installation and had to manually add the Debian entry in the BIOS setup. FreeBSD EFI partition got detected out of the box, sweet!

The hardware list from lspci on Debian:

00:00.0 Host bridge: Intel Corporation Broadwell-U Host Bridge -OPI (rev 09)
00:02.0 VGA compatible controller: Intel Corporation Broadwell-U Integrated Graphics (rev 09)
00:03.0 Audio device: Intel Corporation Broadwell-U Audio Controller (rev 09)
00:04.0 Signal processing controller: Intel Corporation Broadwell-U Camarillo Device (rev 09)
00:14.0 USB controller: Intel Corporation Wildcat Point-LP USB xHCI Controller (rev 03)
00:16.0 Communication controller: Intel Corporation Wildcat Point-LP MEI Controller #1 (rev 03)
00:19.0 Ethernet controller: Intel Corporation Ethernet Connection (3) I218-LM (rev 03)
00:1b.0 Audio device: Intel Corporation Wildcat Point-LP High Definition Audio Controller (rev 03)
00:1c.0 PCI bridge: Intel Corporation Wildcat Point-LP PCI Express Root Port #1 (rev e3)
00:1c.3 PCI bridge: Intel Corporation Wildcat Point-LP PCI Express Root Port #4 (rev e3)
00:1c.4 PCI bridge: Intel Corporation Wildcat Point-LP PCI Express Root Port #5 (rev e3)
00:1d.0 USB controller: Intel Corporation Wildcat Point-LP USB EHCI Controller (rev 03)
00:1f.0 ISA bridge: Intel Corporation Wildcat Point-LP LPC Controller (rev 03)
00:1f.2 SATA controller: Intel Corporation Wildcat Point-LP SATA Controller [AHCI Mode] (rev 03)
00:1f.3 SMBus: Intel Corporation Wildcat Point-LP SMBus Controller (rev 03)
01:00.0 SD Host controller: O2 Micro, Inc. SD/MMC Card Reader Controller (rev 01)
02:00.0 Network controller: Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)

 

On Debian everything works fine, but you might want to remove the intel xorg driver(xserver-xorg-video-intel), as that is for hardware older than 2007, with the old driver installed the graphics were not that smooth and the CPU utilization increased.

Other than this I was unable to suspend to RAM when HT was disabled. Enabling HT in BIOS would solve this.

On FreeBSD, the integrated GPU is not yet supported :(, so just command line for now).

Will consider Dell again for my computing.

Just a list of ideas for securing the servers.

I try to make sure that the first line of defense is not breached, if the attacker can breach that, then he is determined and can overcome any other defense you may have. Most of the “spray and pray” attacks on the internet are not that complicated and kiddies try to attack the nodes which do not patch known vulnerabilities or lack basic protection, like having easy to guess passwords.

Another point to be aware is that the more restrictive security measures we have(SELinux, etc), it may work against us, when we try to troubleshoot, implement a feature, or some software might not work etc.

Only you can decide what level of protection you need and what is at stake. Following are the absolute minimum which are highly effective, use other software(IDS, HIDS) on top of this if you can afford to spend time and effort

* Keep the server patched at regular intervals, like weekly/bi-weekly. This is very important, helps to plug any application level vulnerabilities.

* Setup a firewall allowing access to ports that are needed, like TCP:80/443 for HTTP/s, UDP:53 for DNS, etc.

* Do a netstat query on the node to check if any other services are active, either disable them permanently using /etc/rc.conf on BSD, chkconfig on CentOS, update-rc.d on Debian. Reboot the node and check whether they are disabled.

* Do not expose database services over public internet, restrict them to local network, or better yet to restrict which local IPs can connect.

* SSH access can be limited to a particular network/subnet/IP at firewall level, like only from company network, admin team, etc.

* Prefer to have non root based SSH login and then user using sudo/doas to perform actions which require root privileges.

* If direct root based SSH is required, then set “PermitRootLogin without-password” in sshd_config and restart the SSH daemon, this ensures that users having a key can connect as root. Also make sure select people have key to login as root, it makes them responsible, accountable.

* If you want to monitor the login attempts, health, use something like logwatch.

* If password based authentication is necessary to be exposed to public(which is not recommended) use a tool like fail2ban or SSHGuard. This delays the brute force attack. If the incorrect attempts are indefinitely blocked along with password expiration(+ password complexity like diceware) then brute attacks can be stopped.  As this involves many variables which can go wrong this is not recommended.

* Do not block ping unless you have experienced flood attacks, ping is necessary to troubleshoot.

The aim of having security measure is to frustrate a prospective attacker to give up, not frustrate the Admin. 😉

The other day(some months ago!) I had a task to store old Apache logs instead of discarding them.

Logrotate is a utility to rotate logs in a manageable size.  Depending upon the options logs can be rotated at a fixed interval on size, age of log, etc

There were two options:

  1. Either increase the old log retention period in logrotate
  2. Copy the logs to a separate location and archive them, with the default log retention period which removes old log files

In the first option the default log directory will get cluttered because of old logs, in the second option, however, the directory stays neat and you have a different location where you would be dumping old logs.

In this post I will be editing file under /etc/logrotate.d/httpd, I won’t be modifying the default settings in /etc/logrotate.conf, which is recommended.

Contents of /etc/logrotate.conf:

###START-of-config###

# see "man logrotate" for details
 # rotate log files weekly
 weekly

# keep 4 weeks worth of backlogs
 rotate 4

# create new (empty) log files after rotating old ones
 create

# use date as a suffix of the rotated file
 dateext

# uncomment this if you want your log files compressed
 #compress

# RPM packages drop log rotation information into this directory
 include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
 /var/log/wtmp {
 monthly
 create 0664 root utmp
 minsize 1M
 rotate 1
 }

/var/log/btmp {
 missingok
 monthly
 create 0600 root utmp
 rotate 1
 }

 

###END-of-config###

And the default contents of /etc/logrotate.d/httpd:

###START-of-httpd###

/var/log/httpd/*log {
 missingok
 notifempty
 sharedscripts
 delaycompress
 postrotate
 /sbin/service httpd reload > /dev/null 2>/dev/null || true
 endscript
 }

###END-of-httpd###

After modification the file will be:

###START-of-NEW-httpd###

/var/log/httpd/*log {
 missingok
 notifempty
 sharedscripts
 delaycompress
 postrotate
 /sbin/service httpd reload > /dev/null 2>/dev/null || true
 /usr/bin/rsync -a /var/log/httpd/* /srv/backup/
  /usr/bin/rsync -a /var/log/httpd/* /srv/backup/
 endscript
 }

###END-of-NEW-httpd###

As you can see, I have used rsync to move the files, using rsync is necessary as this will skip overwriting the files which were already copied.

In India some of the IT companies, universities have restrictive firewalls and you are forced to use a proxy server which they maintain.

As a system admin/engineer you might want to connect to servers, but this will be not be possible from such networks.

Sites like youtube, gmail, etc are blocked. I have been in networks which block even technical blog sites which apparently are harmless/helpful for the company. This might not be a problem if you are using it for entertainment, but platforms like edx,make use of youtube and blocking an educational platform works against you. Blocking technical blogs does not help employees.

I am writing this post which might help you to have private access. Use the following steps at your own risk, as every company has its own policy, you might want to check it once, and if they are sane enough or have provision for exceptions, you might want to talk to them and ask them to relax the unnecessary restrictions than bypassing.

Ok,  first, we need following prerequisites:

1) A server running BSD or GNU/Linux on an external network with a public IP address.

2)  The above server running ssh on port 443.

3) SSH client + tunnel software application on your PC which is on the restricted network allowing at least 443(https). On BSD/Linux you will have openssh, proxytunnel, corkscrew, on Windows use Putty.

Without the above, the following steps in this post won’t work for you. There are multiple ways of achieving a tunnel, but the post focuses on specific way.

==Get a remote server==

You will need a remote server running ssh, you can get one from digitalocean or vultr, both of them offer VPSs with Unix-like operating systems on which you can configure ssh.

==Configure ssh to listen on port 443 on remote server==

Now that you have this server, configure ssh, which by default listens on port 22, make it to listen on both 22, 443.

In file “/etc/ssh/sshd_config”, look for line “Port 22”, and add  “Port 443”.

You will need to have:

Port 22

Port 443

Once this is edited restart the ssh daemon after checking for possible errors in the config file.

As a privileged user run “sshd -t” and fix any error it outputs, then restart the service, using “service sshd restart”. If you restart when there are errors, you risk loosing connection to the server. If necessary, check and change firewall settings to let port 443 be accessible.

==Configure and create a tunnel on FreeBSD client PC ==

Install tunneling software like proxytunnel, corkscrew, httptunnel along with openssh client.

shell> pkg install proxytunnel

Configure proxytunnel to use http proxy for connecting to the remote ssh server running on port 443. For this edit the “~/.ssh/config” file which your ssh client uses.

And add:

Host <ip_address_of_remote_server_here>

ProxyCommand proxytunnel -p http.proxy.server.here:port_number_here -d remote_server_ip_here:443

ServerAliveInterval 60  #Optional, ensures the connection stays alive when connection is not being used.

GSSAPIAuthentication no  #Optional, speeds up the authentication.

For instance it could be following,

Host 1.2.3.4

ProxyCommand proxytunnel -p proxy.example.com:8080 -d 1.2.3.4:443

What this does is, when you issue the command “ssh user@1.2.3.4” it reads the config file and applies the directives for this particular host/ip. Which in this case directs to use the “proxytunnel” command to tunnel your connection over the proxy mentioned with “-p” and to the destination mentioned using “-d“.

It works, as the remote destination is listening on port 443 and  the restrictive proxy allows 443, which now thinks that you are initiating an https connection.

With this you can now ssh to the remote host 1.2.3.4.

If you have a proxy which requires authentication, use -P option of proxytunnel, like:

ProxyCommand proxytunnel -p proxy.example.com:8080 -P user_name:password_here  -d 1.2.3.4:443

==Create a socks poxy==

When you can create a ssh connection, with openssh you can take it further to create a socks proxy which can be used by applications which support socks, like web browsers. Before following open canihazip.com in your browser and note down the ip address you currently have.

Next, from the command line on shell

“ssh -D localhost:8888 <remote_server_ip>:443”

With this ssh now listens on localhost (which is 127.0.0.1) on port 8888, all communication on this port will be passed/originate through the remote_server_ip on port 443.

Now change the proxy settings of the application to use this tunnel. With a browser set the socks proxy and open canihzip.com, your IP must be different.

Limitations:

This might not work,

If the network is using a packet analyzer and they actively block ssh packets.

If the http proxy does not support connect method.

If https is not supported over the proxy.

These are unlikely to happen, as this cripples the network access for normal usage and unless you have a paranoid admin.

An application running on client must support socks. Or you can configure a http proxy which uses socks proxy, for this you need privoxy, proxychains, polipo, etc.

Further reading:

https://wiki.archlinux.org/index.php/HTTP_tunneling

https://wiki.archlinux.org/index.php/Privoxy

There are a few compelling reasons why I switched from Debian/Ubuntu to FreeBSD 10.x. This was written after using FreeBSD 10.1 for more than 3 months, and is now on my production PC/workstation.

Software:

Debian stable comes with a large tested repository with regular security updates, but a bit old software, same case is with Ubuntu LTS the software starts getting a little old. FreeBSD on the other hand packages (credit volunteers) the most recent software possible, the current number of packages on FreeBSD stands around ~24k, which is comparable to Debian. Debian splits every application into binaries, documentation, *-devel so the number looks bigger on Debian/Ubuntu.

Stability:

One of the reason to use Debian over Ubuntu and any other GNU/Linux distribution is its stability. You deploy an application and it runs without much maintenance, FreeBSD is also know for its stability. So its a tie.

Documentation:

Now this is where FreeBSD stands out, with an impressive manual which covers most necessary things a user might require. The other projects which can compete are Arch and Gentoo. Debian falls short here.

Package management:

Debian is known for its  package manager apt-get/aptitude(dpkg), Arch’s new pacman is also a good contender. FreeBSD was lacking one until version 9 or 10 when it started including pkg. This is another reason which made me try FreeBSD, or, I was reluctant to use a distribution where the primary way to install applications was compiling them from source. pkg is good enough with room for improvement, behaves like apt-get but with a single command like yum. No more apt-cache, apt-get,dpkg for different things, makes my life simple.

Enterprise Features:

Some of the features like BSD jails, zfs, boot environment really impressed me. Why? Because I have seen enterprise Unix/Linux teams struggle with virtualization, storage management with VMware, KVM, veritas volume manager, etc Then I saw how Solaris 10 solved it with zones, ZFS, and boot environments.

This made me wonder how do CentOS/Debian stack up?

For containers – we have Linux containers(LXC) but they are not as robust as OpenVZ containers, but OpenVZ is not supported in the mainline kernel, you have to install a custom vzkernel. Some kernel space applications don’t work with a modified kernel and modifying the default setup voids warranty! You don’t get support if you are not using the stock kernel.

GNU/Linux still does not have a default go to container virtualization, I don’t consider Docker here, as its just LXC with enhancements(at the time of writing), it also follows a different path, I prefer the Unix way. There are no plans to include OpenVZ support into the mainline kernel.

On Storage front GNU/Linux has ZFS on Linux(zol) but it is not native yet, still under development and missing features. Btrfs is new, struggles with performance. I wonder why does not Oracle license ZFS on a bi/tri license like Mozilla, instead of developing yet another file system.

What about LVM? – Why do you need another layer of management when the file systems acts as both filesystem, vloume manager ?  Use ZFS!

Both FreeBSD and Solaris have boot environment support. This makes it easy to upgrade your production servers and switch back if you face any issues with the new environment. Updating servers is fun!

GNU/Linux equivalent is not robust yet.

Other goodies:

There are some other reasons to choose FreeBSD, like managing services with rc.conf, compare this with CentOS 6 where you use chkconfig, on Debian update-rc.d. CentOS chkconfig is pretty easy to get used to but Debian’s update-rc.d feels like it is still under development.

Unlike GNU/Linux which uses SysV init, there are no run levels in FreeBSD, only user modes like single, multi and other states like reboot, halt. I still could not understand the rationale behind run levels and why do we need them.

Conclusion:

Debian is known for its stability, large repository of applications. However it does fall short in other spheres.

Arch and Gentoo though having good documentation, large software application support, still fall behind in areas like package management, stability and ease of use, like the core repository of Arch is not large enough, the security advisory support is not reliable and things tend to break. Gentoo expects you to compile. I can’t, and I prefer to use package mangers.

FreeBSD becomes a good alternative in such comparison. However, FreeBSD still needs to improve on drivers and laptop support(FreeBSD cannot be at fault, vendors!), and it will, as the user base increases, it can come on par with any GNU/Linux distribution. I have seen how Ubuntu evolved release after release and how it improved.

Personally, I am getting old and just need a cozy comfortable environment and consistent way of managing things, FreeBSD provides that.

Think I have got something right/wrong? Comment below with references and links. If you are a new user to FLOSS world, I recommend starting with something easier like PC-BSD or GhostBSD. If you prefer GNU/Linux try Linux Mint. If you are an experienced user, try running FreeBSD on a spare machine or in a virtual machine(for example using Oracle VirtualBox).

 

Free magazines which you can download in pdf and epub formats.

##BSD magazine

http://bsdmag.org/

 

##Inclined mostly towards Ubuntu

http://fullcirclemagazine.org/

 

##By the PCLinuxOS community

http://pclosmag.com

 

##Bonus: Free programming and tech books.

https://github.com/vhf/free-programming-books/blob/master/free-programming-books.md

Share others in the comments!

Its been long since I posted about the first offline friendly GNU/Linux distro which I discovered- Debian.

I have now come across two more FLOSS operating systems, which a user who lacks broadband connection can use.

The first one is PC-BSD.

http://www.pcbsd.org/

PC-BSD has a new way of packaging applications- called the PBI which stands for “Push button Installer ” or the “PC-BSD installer”. A PBI is a self contained package like Mac’s .dmg package or windows MSI(MS Installer).

In my opinion, this is a killer feature of PC-BSD which Linux distros lack.  I am planning to write an entire post about PC-BSD as it has lot of other exciting features.

##More about PBI –

http://wiki.pcbsd.org/index.php/PBI9_Format

##Where to download pbi’s

http://pbibuild64.pcbsd.org/

This makes it simple to download and transport. There  are may other desirable advantages of such method. However, here I am focusing on ease of download and use.

There is a caveat though, the size of the package increases. But disk space being cheap nowadays, this can be overlooked. [Only if you have enough disk space and you have means to download large packages from someone or somewhere 😉 ]

Note:

PC-BSD is not Linux! they are different, though they belong to the same class/family -Unix

Nevertheless they have similarities too as they use many FLOSS applications.

As of version 9.2 they have dropped 32 bit version. But still, if you want you can “convert” your FreeBSD OS to PC-BSD. Refer the wiki for how to do this.

http://wiki.pcbsd.org/index.php/Turn_FreeBSD_into_PC-BSD%C2%AE

Speaking of disk space, the other one is meant for old PCs with limited resources- SliTaz

http://www.slitaz.org/en/

As of version 4 they have the small install image(35MB!) and another disk image having all the software.  Sweet! 🙂

I have used the small image on VMs, and I was pretty impressed. It has all the “basic” tools save office software(Openoffice).

Now, I highly  recommend PC-BSD,  As the packing is dead simple and you don’t have to download large software disc. You have to download the individual packages separately.

Next is Slitaz if your machine is old or has less RAM and processing power, and you want to download a software disc which has most of the applications.

Or if you can get large AND many discs(first 3 DVD’s will suffice ) then go with Debian.

You may find downloading and maintaining Debian’s disc set heavy or too large. If yes, then the former two are your options.

A note to those who are new to FLOSS community:

Always check the reviews  and information of distros on [ http://distrowatch.com/ ] before you try out things. They track and update the changes very regularly.

A post/blog might have outdated information, so rely on the latest news.

Read the system requirement of any OS/software you are planning to use. This saves lot of frustration in case if your hardware is not supported or upto the mark.

If anything confuses you or you are unfamiliar with the new words or terminologies, then search on the web. It helps you to learn new things 🙂

Update on 14 August 2015:

Since March/April I have moved to using FreeBSD 10, it now features a nice package manager – pkg. The installation image provided(DVD1) has all the necessary packages to have a GNOME/KDE desktop. You don’t need internet unless you need some thing else which is not included on the disc.

Ok, quick steps on how to use the DVD1 for installing the applications provided on FreeBSD:

  1. Install FreeBSD, download dvd1, any other image(disc1, bootonly) provided will not have these applications.
  2. Mount the disc on /dist, create /dist as root “mkdir /dist”, it has to be /dist
  3. As root “mount -t cd9660 /dev/cd0 /dist”
  4. Check whether it was mounted by running “mount” or “df -h”
  5. Bootstrap pkg csh/tcsh ” env REPOS_DIR=/dist/packages/repos pkg bootstrap”
  6. or on sh, “export REPOS_DIR=/dist/packages/repos; pkg bootstrap”
  7. After this bootstrapping, you can install the available packages from the disc.

In case you have access to some FreeBSD machine which is connected to internet, you can use = > https://kgibran.wordpress.com/2016/01/12/downloading-freebsd-packages-for-offline-installation/