
Hardening Debian Linux

Here are a few tips for hardening your Debian/Ubuntu server.

SSH key based authentication

Only allow logins with SSH public keys; password brute force attacks then no longer apply. Create a private/public key pair with the ssh-keygen command. First copy the public key from your PC to the server (this still uses a password login, so do it before password logins are disabled below):

$ ssh-copy-id -i .ssh/id_rsa.pub user@host

Test that you can log in with your key. On the server the public key is stored in ~/.ssh/authorized_keys of that user. So when you add a new user, ask them for their public key and append it to their authorized_keys.

Change /etc/ssh/sshd_config (note the path: the file lives in /etc/ssh/, not directly in /etc/) to disable password based logins:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Newer OpenSSH releases call the first option KbdInteractiveAuthentication. Be aware that UsePAM no switches PAM off completely for sshd, so the pam_tmpdir module set up further down in this post will not run for SSH logins; if you want that, keep UsePAM yes and rely on the two Authentication lines. After editing, restart sshd but keep your current session open and test a fresh login from a second terminal before logging out, so a typo doesn't lock you out.

Filesystem permissions

The default umask is 022, so new files are readable by other/world. With umask 007 the owner and group get full access and other/world gets nothing (new files become 660, directories 770). Because Debian gives every user a private group of their own, this does not hand group write access to anybody else; if you use shared groups, prefer 027.

Change the default umask from 022 to 007 in both files:

/etc/profile (umask 007)
/etc/login.defs (UMASK 007)

The change applies to new logins; check it by running umask in a fresh shell.

Mounted volumes must have proper permissions

Add two mount options in /etc/fstab for partitions that hold no setuid programs and no device nodes: nosuid makes the kernel ignore setuid/setgid bits on that filesystem, nodev makes it ignore device nodes. Leave / and /usr alone, they contain setuid binaries. After editing, apply the options with mount -o remount /tmp (and so on for the other mount points) and verify with mount.

Example:

/dev/sda5       /tmp            ext3    defaults,nosuid,nodev        0       2
/dev/sda6       /var            ext3    defaults,nosuid,nodev        0       2
/dev/sda7       /data2          ext3    defaults,nosuid,nodev        0       2

Dedicated group for su

Only allow users in the adm group to become root via su, using pam_wheel. Put your own account in adm first (adduser youruser adm), otherwise su will refuse you too after this change.

In /etc/pam.d/su uncomment this line and add the group= part:

auth       required   pam_wheel.so group=adm

Separate temp directories for users

With the pam_tmpdir module each user gets a separate tmp directory: instead of /tmp, the TMPDIR and TMP environment variables point to /tmp/user/UID, a directory only that user can enter. Users cannot see each other's temp files. Programs that ignore TMPDIR and hard-code /tmp are not affected.

Install the tmpdir pam module:

apt-get install libpam-tmpdir

Add the following line to /etc/pam.d/common-session

session    optional     pam_tmpdir.so
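The settings from the SSH, umask, fstab, su and tmpdir sections above are easy to get subtly wrong (a commented-out line, an option missing on one partition). The script below is an added example, not part of the original post, that re-checks each of them. Every function takes a file path, defaulting to the usual Debian location, so it can be run against the live system or against copies; the file names, the accepted umask values and the list of filesystem types are my assumptions.

```sh
#!/bin/sh
# hardening_check.sh: re-check the settings from this post against config files.
# Added example, not part of the original post. Each function takes a file path
# (defaulting to the live Debian path) so it can also be run against copies.
# A check prints what is wrong and returns non-zero; silence and 0 means OK.

# First effective value of an sshd_config keyword (sshd uses the first match;
# commented lines start with '#' and therefore never match the keyword).
sshd_opt() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$2"
}

check_sshd() {
    file=${1:-/etc/ssh/sshd_config}; rc=0
    [ "$(sshd_opt PasswordAuthentication "$file")" = no ] ||
        { echo "sshd: PasswordAuthentication is not 'no' (default is yes)"; rc=1; }
    [ "$(sshd_opt ChallengeResponseAuthentication "$file")" = no ] ||
        { echo "sshd: ChallengeResponseAuthentication is not 'no' (default is yes)"; rc=1; }
    [ "$(sshd_opt PubkeyAuthentication "$file")" != no ] ||
        { echo "sshd: PubkeyAuthentication no would lock everyone out"; rc=1; }
    # Informational: with UsePAM no, sshd never calls PAM, so the pam_tmpdir
    # session module from this post does not apply to SSH logins.
    [ "$(sshd_opt UsePAM "$file")" != no ] ||
        echo "sshd: note: UsePAM no disables PAM session modules for SSH logins"
    return $rc
}

# UMASK in /etc/login.defs: 007 as in the post, or the stricter 027/077.
check_umask() {
    file=${1:-/etc/login.defs}
    case "$(awk '$1 == "UMASK" { print $2; exit }' "$file")" in
        007|027|077) return 0 ;;
        *) echo "login.defs: UMASK is not 007 (or stricter)"; return 1 ;;
    esac
}

# List mount points that should carry nosuid,nodev but do not. / and /usr are
# skipped (they hold setuid binaries); swap and pseudo filesystems are ignored.
check_fstab() {
    file=${1:-/etc/fstab}
    awk '
        NF == 0 || $1 ~ /^#/                  { next }
        $2 == "/" || $2 == "/usr"             { next }
        $3 !~ /^(ext[234]|xfs|btrfs|tmpfs)$/  { next }
        {
            n = split($4, o, ","); nosuid = 0; nodev = 0
            for (i = 1; i <= n; i++) {
                if (o[i] == "nosuid") nosuid = 1
                if (o[i] == "nodev")  nodev = 1
            }
            if (!nosuid || !nodev) {
                printf "%s: missing", $2
                if (!nosuid) printf " nosuid"
                if (!nodev)  printf " nodev"
                print ""; bad = 1
            }
        }
        END { if (bad) exit 1 }' "$file"
}

# pam_wheel must be active (not commented out) in /etc/pam.d/su and name a group.
check_pam_su() {
    file=${1:-/etc/pam.d/su}
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so.*group=' "$file" ||
        { echo "pam.d/su: no active 'auth required pam_wheel.so group=...' line"; return 1; }
}

# pam_tmpdir must be enabled in common-session for per-user TMPDIRs.
check_pam_tmpdir() {
    file=${1:-/etc/pam.d/common-session}
    grep -Eq '^[[:space:]]*session[[:space:]]+(optional|required)[[:space:]]+pam_tmpdir\.so' "$file" ||
        { echo "pam.d/common-session: pam_tmpdir.so is not enabled"; return 1; }
}

# Run every check against the live system; exit 1 if anything needs attention.
audit_host() {
    failed=0
    for c in check_sshd check_umask check_fstab check_pam_su check_pam_tmpdir; do
        "$c" || failed=1
    done
    return $failed
}

# Only audit automatically when executed as a script, so it can also be sourced.
case "$0" in */hardening_check.sh|hardening_check.sh) audit_host ;; esac
```

Run it as root (sh hardening_check.sh) after applying the tips; an empty output means all five settings are in place. The sshd check reads the file rather than asking the daemon, so for the values sshd actually uses run sshd -T as root and grep for the keywords.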

Do a security audit for the system

Lynis is an excellent tool to audit the system. Download the latest tarball, unpack it and run it as root so it can read all configuration. Lynis is an auditing tool that tests and gathers (security) information on Unix-like systems.

Cloud storage

There are many services to store your data online. I'm using Dropbox to store and exchange files with others. It's a pretty good online storage service with a client to sync the files. But with this and similar (free) services you have a limited amount of storage. You can pay for extra space, but there's a better and cheaper way to store your files in the cloud.

Amazon S3 storage

Amazon is offering a wide array of cloud services. The storage service is called Amazon S3 (Simple Storage Service). The storage is really cheap, approximately $0.15 per GB/month for storage and $0.10 per GB for data transfer. Dropbox and Ubuntu One use S3 as their storage facility, Twitter and Slideshare use S3 to host images.

Using S3 as online storage isn't that hard, though it takes a bit more effort than using a service like Dropbox. But you'll get unlimited storage for a bargain. Amazon doesn't offer a client to mount S3 storage on your computer. It provides an interface for developers, allowing connections to the storage. Luckily others have done the heavy lifting and there is software available to use S3 storage on your computer. I don't know the specific clients for Mac or Windows, google is your friend. I'm using FuseOverAmazon (the specific fork for EU buckets) on Ubuntu Linux.

So sign up for Amazon S3 and do some googling for the client you need for your operating system. Now I only need a faster internet connection so I don't have to wait when uploading gigabytes of photos to S3!

This year I’m attending the Plone Conference 2009 in Budapest. Today is the second day and as always with Plone conferences the vibe is great and it’s interesting to see the different talks.

Together with my colleague Kees Hink I gave a presentation about Hardening Plone.

For a customer who needed a DMS to exchange documents with third parties we hardened the Plone stack. Highlights of the hardening work are modifications in the OS, two technical audits, a process audit and adding some extra products to Plone. Here is the recorded stream of the presentation: http://www.ustream.tv/recorded/2446265. Here are the slides:

This weekend I upgraded my laptop to Ubuntu Karmic Koala. The upgrade was easy and Karmic looks and runs smoother than the previous version. I encountered one small problem with Python setuptools and Subversion.

I use Setuptools 0.6c9 to create Python eggs. The latest Setuptools doesn't play well with Subversion 1.6 (shipped with Karmic).

When creating an egg with:

python setup.py bdist_egg

I got this error:

subversion unrecognized .svn/entries format

You can fix this by running a patch from the setuptools team, download the most recent patch from the issue page. Find out where setuptools lives in your site-packages and apply the patch. More details here if you’re not familiar with site-packages and applying patches.


Update 25 May 2010 – This information is outdated. Please refer to this page on the XDA Developers forum:

http://forum.xda-developers.com/showthread.php?t=529062

Here are the steps, with links to the how-tos, to get root access on your HTC Magic and load a custom ROM. It took me some time to find all the info needed to do the job, so I'm happy to share it. There's a lot of (cluttered) info, but most of it is scattered over multi-page forum threads. It's really great that lots of people are developing and using this stuff, but a forum isn't the right place for documentation.

Note 30-03-2010, the information below is outdated. Please look at the following wiki’s for more up to date info:

http://wiki.xda-developers.com/index.php?pagename=HTC_Sapphire_Hacking

http://wiki.cyanogenmod.com/index.php/Main_Page

Got root?

Getting root access on the Magic isn't so hard. Just install the SDK and USB drivers and push the images to the phone. The last step is to install haykuro's SPL update. This is the bootloader (correct?) and has a very useful backup option called nandroid, which creates backup images of the system. After this you have root access from the Android debugger on your computer.

http://android-dls.com/wiki/index.php?title=Magic_Rooting

The second step is enabling root access from the phone itself. This allows you to su on the phone, which is needed for installing rooted apps. It opens a security risk, as mentioned in the how-to, but there is a sudo-like app, Superuser whitelist, to prevent unwanted root access (preinstalled on most custom ROMs):

http://android-dls.com/wiki/index.php?title=Magic_Root_Access

Custom ROMS

So now you've got full access to the Magic but are stuck with the stock ROM from your provider. There are lots of ROMs floating around for Android, but most of them are for the HTC Dream (G1). I found out the hard way: after installing a G1 ROM, WiFi and other hardware functions didn't work. Not so strange with a different kernel etc...

These are the ROMs that are available at the moment:

Flashing a ROM is really easy, just like the rooting process: put an update.zip on the SD card. Always take care when installing a new ROM. Better safe than sorry: check that it works on your Magic/Sapphire/ION. The last thing you want is a bricked phone...

I tried the Google ION ROM and it works well. The benefits of this custom ROM are that it's faster, rooted, has voice commands and more! It is a good ROM, but it has the HTC soft keyboard instead of Google's. I didn't like it and replaced it. Instructions here; you'll need a specific ROM (for extracting system files) or it won't work!

I'm now using the Smartphone France version. The main advantages over the ION ROM above are that tethering works and it is updated more often. You won't notice anything of the French language (apart from a few small apps on the ROM).

Also check out my Android bookmarks!

Haykuro’s roms are excellent but it seems that he has stopped developing.

Last week I finished a Django project and needed to put the Django app behind Apache. During development we used buildout. Buildout lets you write a recipe that fetches the Django framework and its dependencies on other Python packages. It supports version pinning and lets you download your dependencies as eggs from PyPI or from Subversion.

If you want to try buildout for Django, try this how-to.

Buildout is well known in the Zope/Plone world and can be used in both development and production. Because a production mod_python/Django setup is a bit different from what I'm used to (Zope behind Apache), I decided to let buildout generate the Apache virtual host config.

You can follow the steps on this wiki for a buildout with mod_python:

https://tracpub.yaco.es/djangobuildout/ (warning! just click thru the SSL errors)

Today Ubuntu 9.04 was released. This release is also known as 'Jaunty Jackalope'. On Thursday 7 May 2009 NN-Open is organising a release party. The doors open at 16:00. Come by for a drink!

Release party in the NN-Open agenda, with location details.

And your dog too…

At the office we have a saying that we use as a funny insult:

And your dog too…

This weekend I decided to register the domain name. Ha ha ha, www.andyourdogtoo.com

Today the release candidate of Ubuntu Jaunty came out. Of course I want to use the latest and greatest Ubuntu! After running 'update-manager -d' to do a dist-upgrade I got a warning that fglrx (the ATI proprietary driver) wouldn't work. Pff, so what, I want to upgrade...

Dist-upgrading to Jaunty didn't go smoothly. But who said this is an easy road when you try beta stuff. First I had to run the upgrade from the terminal with 'do-release-upgrade'. When it finished (too early...) I ended up with a broken upgrade. Fortunately I succeeded in upgrading after booting into recovery mode with the option 'fix dpkg'.

Hmm, all seemed well after booting, but I ended up with strange lines all over my laptop screen. No login screen, even when I tried the open source ATI driver. It seems the fglrx driver interferes with the radeon driver...

See: https://wiki.ubuntu.com/X/Troubleshooting/FglrxInteferesWithRadeonDriver

Fixed it with:

  sudo /usr/share/ati/fglrx-uninstall.sh   # (if it exists)
  sudo apt-get remove --purge 'fglrx*'     # quoted so the shell does not expand the glob against local files
  sudo apt-get remove --purge xserver-xorg-video-ati xserver-xorg-video-radeon
  sudo apt-get install xserver-xorg-video-ati
  sudo apt-get install --reinstall libgl1-mesa-glx libgl1-mesa-dri xserver-xorg-core
  sudo dpkg-reconfigure xserver-xorg       # also needs root

Now Jaunty is running like a crazy kralting using the open source ATI drivers. Compiz works great, even with a dual head setup. There's one flaw: when playing 3D games (like Nexuiz) Ubuntu freezes...

Google going haywire

As usual I was doing a search on Google and saw that the pages found were marked as offensive. Perhaps not so strange, but the search results were normal sites with nothing strange on them. It turns out that every site is marked as offensive... You search for bunnies, Google says offensive. Search for Google:

It says in Dutch: This site can be harmful for your computer. Seems like a little bug in the search, lol.
