De PyGrunn ‘Python and friends’ conferentie is gehouden in Het Paleis in Groningen en is bezocht door ruim 80 personen. Voorafgaand aan de conferentie was er een masterclass van Armin Ronacher. De conferentie is gericht op de Python programmeertaal en verwante technologie. Met sprekers uit Nederland en het buitenland was de Python-community goed vertegenwoordigd op PyGrunn. Vanuit Goldmund, Wyldebeast & Wunderliebe heeft Kim Chee Leong een presentatie gegeven over buildout, dit is een tool voor het uitrollen van applicaties.

Goldmund, Wyldebeast & Wunderliebe en Paylogic hebben de conferentie georganiseerd. Vanwege het grote success zal PyGrunn er ook volgend jaar weer zijn.

Here are a few tips for hardening your Debian/Ubuntu server.

SSH key based authentication

Only allow logins using public SSH keys. This way we prevent brute force attacks. Create private and public keys using the ssh-keygen command. First copy the public key from your pc to the server using:

$ ssh-copy-id -i .ssh/id_rsa.pub user@host

Test if you can login with your public key. The public key is stored in .ssh/authorized_keys. So if you add a new user ask them their pub key and copy this into authorized keys.

Change /etc/sshd_config to disable password based logins:

ChallengeResponseAuthentication no
PasswordAuthentication no

Filesystem permissions

The default user permission has umask 022 where other/world user also have access. Using umask 007 the owner en group has rw access, other/world hasn’t got any access.

Change default umask 022 to 007:

/etc/profile
/etc/login.defs
/etc/init.d/rc

Mounted volumes must have proper permissions

Add two mount options in /etc/fstab for partitions that have no suid programs and no device nodes. Options are called nosuid and nodev.

Example:

/dev/sda5       /tmp            ext3    defaults,nosuid,nodev        0       2
/dev/sda6       /var            ext3    defaults,nosuid,nodev        0       2
/dev/sda7       /data2          ext3    defaults,nosuid,nodev        0       2

Dedicated group for su

Only allow users in adm group to become root using pam_wheel.

In /etc/pam.d/su uncomment this line and add group part.

auth       required   pam_wheel.so group=adm

Add sysadmins to adm group

usermod -a -G adm [username]

Separate temp directories for users

Using pam tmpdir modules each user has a separate tmp dir. So instead of using /tmp for everyone, each user gets a /tmp/user/USERID directory. A user cannot see the temp files of other users.

Install the tmpdir pam module:

apt-get install libpam-tmpdir

Add the following line to /etc/pam.d/common-session

session    optional     pam_tmpdir.so

Know when security updates are available

Keep the packages on the server up to date. Use the mail* to functionality in crontab to get a automated warning when an update is available. It saves the hassle for checking manually. It’s not recommended to run the updates unattended.

Add this script in /usr/local/bin/check_security.sh

#!/bin/sh
apt-get update -qq -s > /dev/null 2>&1
 
LISTFILE=$TMP/check_security.lock
UPGRADE_CMD="apt-get upgrade -qq -s"
MACHINE=`hostname`
LIST=""
 
for package in `$UPGRADE_CMD | grep -e '^Inst' | awk '{ print $2 }'`;
do
  LIST="$LIST $package"
done
 
if [ -z "$LIST" ]; then
  if [ -e $LISTFILE ]; then
    rm -f $LISTFILE
  fi
  exit 0
else
  if [ ! -e $LISTFILE ]; then
    echo $LIST > $LISTFILE
    echo "Please run security updates on ${MACHINE}!"
    echo "=========================================="
    echo $LIST
  fi
fi

Add the script to crontab for root user.  Enter your e-mail address in the mailto variable. Add the script to crontab. Check each hour is an update is available:

MAILTO='me@domain.com'
5 * * * * /usr/local/bin/check_security.sh

Install the nullmailer and  mailutils package to allow mail relaying. Enter the hostname and smtp server in install dialog.

apt-get install nullmailer mailutils

Clean old files/dirs in temp directory

Remove files and directories older than 30 days. The tmp dir is for temporary files!

Add a shell script in /usr/local/bin/clean_tmp.sh

#!/bin/bash
# GW20e - KC
# Clean tmp directory, we don't want files/dirs older
# than 30 days.
find /tmp/* -type f -mtime +30 -exec rm -f {} \;
find /tmp/* -type d -mtime +30 -exec rm -rf {} \;

Add the script in crontab so it’s executed every night:

0  5 * * * /usr/local/bin/clean_tmp.sh > /dev/null

Only a minimal set of network services must be provided

Only run the network services that are needed. Each service can bring in a security risk. Configure the network services so they only listen on specific interfaces.
Run netstat to check which service is listening on what interface. Example:

server:~# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 91.194.xxx.xxx:18080    0.0.0.0:*               LISTEN      9544/python2.6
tcp        0      0 91.194.xxx.xxx:5666     0.0.0.0:*               LISTEN      3515/nrpe
tcp        0      0 127.0.0.1:111           0.0.0.0:*               LISTEN      9035/portmap
tcp        0      0 192.168.3.45:8080       0.0.0.0:*               LISTEN      3876/python2.6
tcp        0      0 192.168.3.45:28080      0.0.0.0:*               LISTEN      3875/python2.6
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3714/apache2
tcp        0      0 192.168.3.45:8081       0.0.0.0:*               LISTEN      3877/python2.6
tcp        0      0 192.168.3.45:22         0.0.0.0:*               LISTEN      3505/sshd
tcp        0      0 127.0.0.1:761           0.0.0.0:*               LISTEN      3553/famd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      3714/apache2
udp        0      0 127.0.0.1:111           0.0.0.0:*                           9035/portmap

Disable network services or bind  the service to a specific interface. Normally portmap is listening on all interfaces.

Bind portmap to localhost loopback

In the above example portmap is only listening on the localhost loopback. Bind the portmap service to localhost, edit ”/etc/default/portmap”. Uncomment this line:

OPTIONS="-i 127.0.0.1"

Disable IPv6

If you’re not using IPv6, disable it to prevent possible vulnerabilities. Add the following file /etc/modprobe.d/00local

alias net-pf-10 off
alias ipv6 off

Apache webserver

Don’t allow directory indexes by disabling autoindex module

a2dismod autoindex
/etc/init.d/apache2 restart

Apache has a separte config file for security. Edit /etc/apache2/conf.d/security and change the following settings:

# Don't give away info about OS and compiled in modules
ServerTokens Prod
# Don't show server version in server-generated pages
ServerSignature Off
# Disables HTTP trace, only used for debuging purposes. Potential security vulnerability.
TraceEnable Off

This article has good tips for securing the Apache webserver: MDLog:/sysadmin – Apache Tips & Tricks.

Do a security audit for the system

Lynis is an excellent tool to audit the system. Download the latest tarball, decompress and run. Lynis is an auditing tool which tests and gathers (security) information for *nix based systems.

If you want to be on the safe side, and be sure your server is secure, hire an independent company for a security audit.

Together with my collegue Kees Hink we gave a presentation about Hardening Plone.

For a customer who needed a DMS to exchange documents with third parties we hardened the Plone stack. Several highlights of the hardening part are modifcations in the OS,� two technical audits, a process audit and adding some extra products in Plone. Here’s is the recorded stream of the presentation: http://www.ustream.tv/recorded/2446265. Here are the slides:

I use Setuptools 0.6c9 to create Python eggs. It happens that the latest Setuptools won’t play well with subversion 1.6 (shipped with Karmic).

When creating an egg with:

python setup.py bdist_egg

I got this error:

subversion unrecognized .svn/entries format

You can fix this by running a patch from the setuptools team, download the most recent patch from the issue page. Find out where setuptools lives in your site-packages and apply the patch. More details here if you’re not familiar with site-packages and applying patches.

Update 25 May 2010 – This information is outdated. Please refer to this page on the XDA Developers forum:

http://forum.xda-developers.com/showthread.php?t=529062

Here are the steps to the how-to’s to get root access to your HTC Magic and load a custom ROM. I took me some time to find all the needed info to do the job. So I’m hapy to share it. There’s a lot of (cluttered) info but most of it is found in multiple page forums. Really great that there lot’s of people developing and using this stuff but a forum isn’t the right place for documentation.

Note 30-03-2010, the information below is outdated. Please look at the following wiki’s for more up to date info:

http://wiki.xda-developers.com/index.php?pagename=HTC_Sapphire_Hacking

http://wiki.cyanogenmod.com/index.php/Main_Page

Got root?

Getting root access on the Magic isn’t so hard. Just install the SDK and USB drivers and push the images to the phone. In the last step is to install haykuro’s SPL update. This is the bootloader (correct?) and has a very usefull back-up option. It’s called nandroid and creates back-up images of the system. After this you have root access from the android debugger on your computer.

http://android-dls.com/wiki/index.php?title=Magic_Rooting

The second step is enabling root access from the phone. This allows you to su from the phone. Needed for installing rooted apps. It opens a security risk as mentioned in the how-to. But there a sudo-like app SuperUser whitelist to prevent unwanted root access (preinstalled on most custom roms). :

http://android-dls.com/wiki/index.php?title=Magic_Root_Access

Custom ROMS

So now you’ve got full access to the Magic but stuck with a stock rom from your provider. There are lots of roms floating around for Android but most of them are for the HTC Dream (G1). I found out the hard way by installing a G1 rom, WiFi and other hardware functions aren’t working. Not so strange with a different kernel etc…

These are the ROMs that are available at the moment:

• Google/HTC original stock rom
• Hero Rom. Android with an updated ui. Shiney and new but it’s slow and laggy
• Google ION rom. ION is a developer phone. Customized rom available.
• Haykuro’s Rom. Haykuro’s roms are excellent but it seems that he has stopped developing.
• Smartphone France (translation). Customized ION rom, available in EU languages.

Sending a rom is really easy, just like in the rooting process with an update.zip on the SD card. Always take care when installing a new rom. Better safe than sorry and check if it works on your Magic/Sapphire/ION. The last thing you want is a bricked phone…

I tried the Google ION rom and it works well. The benefits of this custom rom are; it’s faster, rooted, voice commands and more!� This is a good rom but there’s a HTC soft keyboard instead of Google’s. I didn’t like it and replaced it. Instructions here, you’ll need a specific rom (for extracting system files) or it won’t work!

I’m now using the Smartphone France version. The main advantage between above ION rom is this one is, tethering works and a higher version update rate. You won’t notice anything of the French language (beside a few small apps on the rom).

Also check out my Android bookmarks!

Release party in agenda NN-Open met locatie details.

Dist-upgrading to Jaunty didn’t go smooth. But who said this is a easy road when you try beta stuff. First I had to run the upgrade from the terminal with ‘do-release-upgrade’. When it was finished (to early..) I ended with a broken upgrade. Fortunately I succeeded to upgrade after booting into recovery mode with the option ‘fix dpkg’.

Hmm all seemed well after booting but I endedup with all strange lines on my laptop screen. No login screen, even when I tried the open source ATI driver. Seems the flgrx driver interferes with the radeon driver…

See: https://wiki.ubuntu.com/X/Troubleshooting/FglrxInteferesWithRadeonDriver

Fixed it with:

  sudo /usr/share/ati/fglrx-uninstall.sh  # (if it exists)
  sudo apt-get remove --purge fglrx*
  sudo apt-get remove --purge xserver-xorg-video-ati xserver-xorg-video-radeon
  sudo apt-get install xserver-xorg-video-ati
  sudo apt-get install --reinstall libgl1-mesa-glx libgl1-mesa-dri xserver-xorg-core
  dpkg-reconfigure xserver-xorg

Now Jaunty is running like a crazy kralting using open source ati drivers. Compiz works great even with a dual head setup. There one flaw when playing 3D games (like Nexuiz) Ubuntu freezes…