SSH key based authentication

Only allow logins using public SSH keys. This way we prevent brute force attacks. Create private and public keys using the ssh-keygen command. First copy the public key from your pc to the server using:

$ ssh-copy-id -i .ssh/id_rsa.pub user@host

Test if you can login with your public key. The public key is stored in .ssh/authorized_keys. So if you add a new user ask them their pub key and copy this into authorized keys.

Change /etc/sshd_config to disable password based logins:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Filesystem permissions

The default user permission has umask 022 where other/world user also have access. Using umask 007 the owner en group has rw access, other/world hasn’t got any access.

Change default umask 022 to 007:

/etc/profile/
/etc/login.defs

Mounted volumes must have proper permissions

Add two mount options in /etc/fstab for partitions that have no suid programs and no device nodes.

Example:

/dev/sda5       /tmp            ext3    defaults,nosuid,nodev        0       2
/dev/sda6       /var            ext3    defaults,nosuid,nodev        0       2
/dev/sda7       /data2          ext3    defaults,nosuid,nodev        0       2

Dedicated group for su

Only allow users in adm group to become root using pam_wheel.

In /etc/pam.d/su uncomment this line and add group part.

auth       required   pam_wheel.so group=adm

Separate temp directories for users

Using a pam tmpdir modules each user has a separate tmp dir. So instead of using /tmp each user gets /tmp/user/USERID. A user cannot see the temp files of other users.

Install the tmpdir pam module:

apt-get install libpam-tmpdir

Add the following line to /etc/pam.d/common-session

session    optional     pam_tmpdir.so

Do a security audit for the system

Lynis is an excellent tool to audit the system. Download the latest tarball, decompress and run. Lynis is an auditing tool which tests and gathers (security) information for *nix based systems.

Together with my collegue Kees Hink we gave a presentation about Hardening Plone.

For a customer who needed a DMS to exchange documents with third parties we hardened the Plone stack. Several highlights of the hardening part are modifcations in the OS,� two technical audits, a process audit and adding some extra products in Plone. Here’s is the recorded stream of the presentation: http://www.ustream.tv/recorded/2446265. Here are the slides:

I use Setuptools 0.6c9 to create Python eggs. It happens that the latest Setuptools won’t play well with subversion 1.6 (shipped with Karmic).

When creating an egg with:

python setup.py bdist_egg

I got this error:

subversion unrecognized .svn/entries format

You can fix this by running a patch from the setuptools team, download the most recent patch from the issue page. Find out where setuptools lives in your site-packages and apply the patch. More details here if you’re not familiar with site-packages and applying patches.

Update 25 May 2010 – This information is outdated. Please refer to this page on the XDA Developers forum:

http://forum.xda-developers.com/showthread.php?t=529062

Here are the steps to the how-to’s to get root access to your HTC Magic and load a custom ROM. I took me some time to find all the needed info to do the job. So I’m hapy to share it. There’s a lot of (cluttered) info but most of it is found in multiple page forums. Really great that there lot’s of people developing and using this stuff but a forum isn’t the right place for documentation.

Note 30-03-2010, the information below is outdated. Please look at the following wiki’s for more up to date info:

http://wiki.xda-developers.com/index.php?pagename=HTC_Sapphire_Hacking

http://wiki.cyanogenmod.com/index.php/Main_Page

Got root?

Getting root access on the Magic isn’t so hard. Just install the SDK and USB drivers and push the images to the phone. In the last step is to install haykuro’s SPL update. This is the bootloader (correct?) and has a very usefull back-up option. It’s called nandroid and creates back-up images of the system. After this you have root access from the android debugger on your computer.

http://android-dls.com/wiki/index.php?title=Magic_Rooting

The second step is enabling root access from the phone. This allows you to su from the phone. Needed for installing rooted apps. It opens a security risk as mentioned in the how-to. But there a sudo-like app SuperUser whitelist to prevent unwanted root access (preinstalled on most custom roms). :

http://android-dls.com/wiki/index.php?title=Magic_Root_Access

Custom ROMS

So now you’ve got full access to the Magic but stuck with a stock rom from your provider. There are lots of roms floating around for Android but most of them are for the HTC Dream (G1). I found out the hard way by installing a G1 rom, WiFi and other hardware functions aren’t working. Not so strange with a different kernel etc…

These are the ROMs that are available at the moment:

• Google/HTC original stock rom
• Hero Rom. Android with an updated ui. Shiney and new but it’s slow and laggy
• Google ION rom. ION is a developer phone. Customized rom available.
• Haykuro’s Rom. Haykuro’s roms are excellent but it seems that he has stopped developing.
• Smartphone France (translation). Customized ION rom, available in EU languages.

Sending a rom is really easy, just like in the rooting process with an update.zip on the SD card. Always take care when installing a new rom. Better safe than sorry and check if it works on your Magic/Sapphire/ION. The last thing you want is a bricked phone…

I tried the Google ION rom and it works well. The benefits of this custom rom are; it’s faster, rooted, voice commands and more!� This is a good rom but there’s a HTC soft keyboard instead of Google’s. I didn’t like it and replaced it. Instructions here, you’ll need a specific rom (for extracting system files) or it won’t work!

I’m now using the Smartphone France version. The main advantage between above ION rom is this one is, tethering works and a higher version update rate. You won’t notice anything of the French language (beside a few small apps on the rom).

Also check out my Android bookmarks!

Release party in agenda NN-Open met locatie details.

Dist-upgrading to Jaunty didn’t go smooth. But who said this is a easy road when you try beta stuff. First I had to run the upgrade from the terminal with ‘do-release-upgrade’. When it was finished (to early..) I ended with a broken upgrade. Fortunately I succeeded to upgrade after booting into recovery mode with the option ‘fix dpkg’.

Hmm all seemed well after booting but I endedup with all strange lines on my laptop screen. No login screen, even when I tried the open source ATI driver. Seems the flgrx driver interferes with the radeon driver…

See: https://wiki.ubuntu.com/X/Troubleshooting/FglrxInteferesWithRadeonDriver

Fixed it with:

  sudo /usr/share/ati/fglrx-uninstall.sh  # (if it exists)
  sudo apt-get remove --purge fglrx*
  sudo apt-get remove --purge xserver-xorg-video-ati xserver-xorg-video-radeon
  sudo apt-get install xserver-xorg-video-ati
  sudo apt-get install --reinstall libgl1-mesa-glx libgl1-mesa-dri xserver-xorg-core
  dpkg-reconfigure xserver-xorg

Now Jaunty is running like a crazy kralting using open source ati drivers. Compiz works great even with a dual head setup. There one flaw when playing 3D games (like Nexuiz) Ubuntu freezes…