Favourite blogs for ChrisBlog

My favourites » Joe's blog

September 22, 2006

Concerning Security on a Fedora system

This is continuing in my paranoid theme (and the theme of not spell checking), this should hopefully be good advice for anyone who is concerned about security, and especially for those who are overly concerned…

First things first, don’t run as root for day to day operations, try not to login as root in the graphical interface at all – do it through the terminal, it’s far easier to control and not to get caught out by.

Alright, now we have the problem of rootkits. This is something which can be put down in your system to allow control over any number of things and is easily one of the top security threats you can face. Firstly you will want to make sure that your root password is strong, ie. make it take a few thousand years to brute force. Have a password which is ideally over 8 characters long, and has non standard characters in it – like !”£$%^ etc. and numbers and letters. This should halt most random attempts, but there are always other ways to get infected. A classic is installing something which is untrustworthy – because of this I only install open source software from the official (and livna) repos. (I know it seems a bit extreme, but at least it’s safe).

So let’s assume that you have done that but want to check every now and again to get a little tick or “OK” sign to make you feel happy, you could do;

yum install rkhunter

This is a program to check for rootkits and gives you a nice green “OK” if it is. There shouldn’t be any red “WARNING” ones, but you might get one yellow (I do and after looking deeper I think it’s ok). Once it is installed, to run it log in as root and type;

rkhunter -c

Chkrootkit is another which can be installed and always seems ok to me, although it can take a little bit of effort to find out what each warning means (for example it highlights your internet connection in the same way it would a rootkit). Chkrootkit is run just with the command;


Right, so that is done, but rkhunter will no doubt show up with one or two red warnings relating to ssh allowing remote root login. I would say only allow remote root login if you really know what you’re doing and really are sure you need to.
I wish that they would disable it as a default but, hey ho, they don’t.
Open up a terminal, log in as root, then type;

gedit /etc/ssh/sshd_config

You’re now looking for a section which will look like this;
.#LoginGraceTime 2m
.PermitRootLogin yes
.#StrictModes yes
.#MaxAuthTries 6

There will not be the dots before it (damn blog formatting) and the “PermitRootLogin yes” might have a hash before it, I don’t remember, but you want it to look like this;

.#LoginGraceTime 2m
PermitRootLogin no
.#StrictModes yes
.#MaxAuthTries 6

(again ignore the dots at the start of the lines) This will stop people logging in remotely as root and hammering your system.
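
A quick way to confirm the edit, as an added example that is not part of the original post: the function names are made up for illustration and the sample files are constructed to mirror the snippets above. A line that is still commented out means sshd falls back to its built-in default, so the check reports that case as a warning rather than a pass; only the global part of the file (before any Match line) is examined.

```shell
#!/bin/sh
# Added example: report the PermitRootLogin value sshd would take from the
# global part of an sshd_config-style file. sshd ignores lines starting with
# '#', treats keywords case-insensitively and keeps the first value it reads.

root_login_setting() {
    # $1: path to the config file. Prints the configured value, or "unset"
    # when the keyword never appears uncommented before any Match block.
    awk '
        /^[ \t]*#/ { next }                        # commented out
        { line = $0; sub(/^[ \t]+/, "", line) }
        tolower(line) ~ /^match[ \t]/ { exit }     # stop at conditional blocks
        tolower(line) ~ /^permitrootlogin[ \t=]/ {
            sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", line)   # drop keyword + separator
            sub(/[ \t]+$/, "", line)                   # drop trailing blanks
            print line; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

audit_root_login() {
    # Returns 0 only when remote root login is explicitly disabled.
    value=$(root_login_setting "$1")
    case "$value" in
        no)    echo "OK: PermitRootLogin no"; return 0 ;;
        unset) echo "WARNING: PermitRootLogin not set, built-in default applies"; return 1 ;;
        *)     echo "WARNING: PermitRootLogin $value"; return 1 ;;
    esac
}

# Constructed sample files: the "before" and "after" snippets from the post,
# plus the case where the line still has a hash in front of it.
demo_dir=$(mktemp -d)
printf '%s\n' '#LoginGraceTime 2m' 'PermitRootLogin yes' '#StrictModes yes' '#MaxAuthTries 6' > "$demo_dir/before"
printf '%s\n' '#LoginGraceTime 2m' 'PermitRootLogin no' '#StrictModes yes' '#MaxAuthTries 6' > "$demo_dir/after"
printf '%s\n' '#LoginGraceTime 2m' '#PermitRootLogin yes' '#StrictModes yes' > "$demo_dir/commented"
for f in before after commented; do
    printf '%s: ' "$f"
    audit_root_login "$demo_dir/$f" || true
done
rm -rf "$demo_dir"
```

On the real system this would be `audit_root_login /etc/ssh/sshd_config`; sshd only reads the file when it starts or reloads, so the change has no effect until then.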

Right, that’s all I have time for now, later I’ll go through firewall settings (firestarter is great). Until then some really useful websites which you can look at are;

http://forums.fedoraforum.org/ (that’s a forum which if you register you can ask specific questions and get help… also I use it, so if you get really lucky… you might get someone competent to answer your questions)

http://www.fedorafaq.org/ (that has some good advice about getting stuff working and what have you – although I think they tend to play with selinux a lot when I’m not sure that it’s needed)

and as always if you post on here I might be able to help you, and failing that, you can always search in Google for your answer, I’m sure someone else will have had your problem, maybe on a forum and they often have answers… though sometimes don’t :S

September 21, 2006

Using clamav in Fedora, in detail

I’ve just read a post on my blog which was asking for more information about clamav in fedora, what might be good whilst installing it etc. so I thought I might as well try and lay down some advice.

This is a continuation of a post I made in April about setting up repositories in fedora, where I made a general comment about clam but I really was going to update it, but you know how things are… they often move slowly

Firstly I was asked about clamav, so that’s what I’ll turn to now,

The clam modules which I have installed (and will recommend) are;


you should be able to install these with the usual yum commands of;

su -
.root password.
yum install (name of package from above^)

it should sort out the dependencies for you on these – There is a way to install more than one package at once but strangely I’ve never used it, I think it is just one package name after another with spaces but no other divide… but I’m not sure. Still, doing it one by one won’t hurt.
Now one more thing, you will need to go to the file /etc/freshclam.conf and edit it. You’ll need to be root to do this so just don’t log out after you installed the stuff from above. To get to the file type in the terminal;

gedit /etc/freshclam.conf

This opens up the text editor (the default one for GNOME on Fedora, if you would rather you can use vi just with the command “vi /etc/freshclam.conf”) you need to go down to the lines which say:

.# Uncomment the following line and replace XY with your country
.# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
.# Default: There is no default, which results in an error when running freshclam
.#DatabaseMirror db.XY.clamav.net
(Ignore the dots before it – that’s just what it takes to stop the formatting from kicking in and making it numbering)

Commented refers to a hash symbol being in front of it, this means that that line is not read by the computer when the document is read (sorry if that sounds patronising but I like to avoid too much technical language). All you need to do here is go to the website which is in the list and look for your country code and then change the last line so it looks something like;

DatabaseMirror db.UK.clamav.net

Without a # and the XY changed to UK (obviously the country code for the UK)

Right, now that should have clam up and running. To use it go to the terminal, login as root (with “su -” like above) and type;

freshclam (this will update your clam database – everything should work ok)

Then you can run a scan by typing in the terminal;


this will scan your home directory, if you are root it’ll do all the hidden files and everything in there. This is good but maybe not exactly what you’d want, you will want to add options (typing “man clamscan” will give you a whole host of options to customise how you scan). What I would run to do a full system scan is;

clamscan / -r --quiet
(that’s; clamscan “space” slash “space” “hyphen r” “space” “two hyphens quiet”... I had to do that because the blog system likes to use really random language and hyphens make the text strikethrough)

The clamscan is the program, the “/” is the start of your file tree (or at least it is by default and if you know how to change that then you’ll not need this – if it’s even possible), the “-r” means recursive, which means it scans through sub-folders until there is nowhere left to go
The “--quiet” means it will only tell you about viruses or errors – so it looks blank unless there is a problem… one that I have is it not being able to access “/proc” but I don’t worry about it ; )
-if you leave off the --quiet then it’ll show you each file in turn and then say “ok” after, this is ok (you know how far it is along) but the final report won’t give you specifics if you do have an infected file… so you would need to scan again with --quiet to find out where it is
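
Because clamscan ends the line for each hit with “FOUND”, a verbose scan whose output was saved to a file can be searched afterwards instead of being run a second time. The sketch below is an added example, not part of the original post; the function names and the sample log are constructed for illustration, and it assumes the output was captured with something like `clamscan / -r > scan.log`.

```shell
#!/bin/sh
# Added example: list infected files from saved clamscan output.
# Result lines have the form "PATH: SIGNATURE FOUND"; the closing summary
# only gives a count ("Infected files: N").

infected_files() {
    # $1: file holding clamscan output. Prints "SIGNATURE<TAB>PATH" per hit.
    awk '
        / FOUND$/ {
            line = $0
            sub(/ FOUND$/, "", line)
            # Split at the LAST ": " so a path containing ": " stays intact.
            idx = 0
            while ((p = index(substr(line, idx + 1), ": ")) > 0) idx += p
            if (idx > 0)
                printf "%s\t%s\n", substr(line, idx + 2), substr(line, 1, idx - 1)
        }
    ' "$1"
}

infected_count() {
    # Number of hits found by parsing the result lines.
    infected_files "$1" | wc -l | tr -d ' '
}

summary_count() {
    # The number clamscan itself reports, for cross-checking the parse.
    sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p' "$1"
}

# Constructed sample log (not real scan output from the post).
log=$(mktemp)
cat > "$log" <<'EOF'
/home/joe/notes.txt: OK
/home/joe/downloads/eicar.com: Eicar-Test-Signature FOUND
/home/joe/odd: name/sample.bin: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
EOF

echo "clamscan reported $(summary_count "$log") infected, parsed $(infected_count "$log"):"
infected_files "$log"
rm -f "$log"
```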

Right, that might have been a bit long winded but at least it was comprehensive!
- Tomorrow I’ll try and write about how to scan for rootkits (using rkhunter and chkrootkit) and how to shut off root access to ssh (which should be closed by default but strangely isn’t… :S). I’ll also stick down some really good websites for learning and the best forum in the world (because it’s the one I go on). But for now, night night

May 12, 2006

blog update

So I've been going through old posts and trying to get some stuff up to date, still not too much done about the fedora install howto though, but with exams and the like it'll have to be put off… you can hash together a pretty good idea using the official website's advice ( link - you can also download fedora from one of the mirrors there) and the fedorafaq (link), both are really helpful; although I think that they may make assumptions about the level of knowledge which people have and I'm desperately trying to overcome this. The future of open source will depend upon our ability to get people with no technical knowledge involved and learning.

I know there has been some debate about how to further open source (see Tim's blog: link to a reply I made on my blog here: link), but I'll be happy if even one person decides that they might now try some open source software; or at least be receptive to it.

May 11, 2006


need to update more… still, I'm trying to keep stuff going along on the ica blog, check it out!

May 07, 2006

Warwick University – "an affiliate of M$"?

So I got looking through the IT services summer 2006 guide to training which is offered to students on the subject of computing. Well, I say computing, what I mean is Microsoft branded computing. There are no less than 18 references to Microsoft products on one side of the A4 pamphlet. Why is it that our university seems to go out of its way to indoctrinate all students into their (proprietary) way of doing things? There are alternatives to M$ software out there… why doesn't the university consider Open Office… or Koffice (if they want to go all out for the open source and use KDE as well… I'm a GNOME man myself)

Further; why do they insist on wasting so much money on buying the rights to use M$ software when they could get open source software, which would be more secure, faster and more stable for far less money. The FAA in America saved $15 million by migrating to Linux (see link). How many extra books could be bought for our library if we made that move within the IT services dept.?

May 06, 2006

Registered Linux user, but no cigar?

So I actually became a registered Linux user last night (# 416286!), although I feel a little like I'm cheating because at the time I was suspiciously without a kernel. On Thursday I updated my system which included getting FC5 kernel 2107, a mistake I can now see because it was incapable of starting X. Because of this I felt that it would be sensible to get rid of the un–working kernel, but in my zeal I got rid of all kernels. The only way I could find to get it back (with help from the nice chaps at fedoraforum.org – one of whom lives in Coventry so is probably at the uni) was to boot with the DVD then use

linux rescue

Yes to having the network connection and used the default settings

chroot /mnt/sysimage
yum install kernel

the only problem now is that I need to update grub because it's been going wrong and has lost fedora, mightily silly. I'll update when I figure out how… and I might even get round to finishing the install how to… that one is scheduled for after the exams when I put it on a friend's system (whether he wants it or not ; ))

Update: I ended up re–installing Fedora completely. It was my fault for uninstalling the kernels in the first place so I'm not going to judge fedora too harshly because of it – that is just the chance you take with a bleeding edge distro… I might one day try ubuntu… I'll wait and see before I make any move. As someone pointed out to me on the forum; Bordeaux (core 5) is less than a month old, it needs some time to bed down. I remember the problems we had with the first release of Win 98, they make this seem so minor in comparison.

April 22, 2006

HOWTO get extra space on partition containing Fedora Core 5

Abstract: I had created a partition to hold Fedora Core 5, this was about 4GB, as the OS extended and grew I needed more space, I went on Windows and used Partition Magic to take some space off the windows partition, that space became unused space… this is how I allocated this space in Fedora Core 5 so that it could be used by the Fedora OS.

[(works for me in Fedora core 5, might work in others – but I have not tested it – use at your own risk, no guarantee, no warranty, your mileage may vary- might solve all your problems, might blow up your computer and cause a turnip to fall on your head at an unfortunate moment – you might want to look at other sources to ensure that this is right or help with any other problems you might have). Don't type the square brackets or what's in them. The situation here is based on when I needed more disk space… firstly I went into windows and then used partition magic to create some free space on my disk (10G), this tracks through what I did, some of the things here are based on advice I got from others, so thanks for the advice.]

[Log on as root in terminal]
[type:] fdisk -l
[then:] fdisk /dev/hda

[Now options will appear, you only need to enter in the letter and press enter]

n [this option means 'new']
[Now select] p

[it may do the number automatically, if it hasn't select one which wasn't used when you typed 'fdisk -l']

[it should automatically do the start and end position – if it doesn't then you will need to look at the fdisk -l values and select the first cylinder as one after your last partition before the gap and the last one as one before the next partition after the gap]

[type:] t

83 [this is a linux partition; assuming you want an ext2/3]

w [this writes – so make sure you are happy]

[you might need to restart now…(I did)]

[now go back into terminal after restart, log on as root again…] mkfs.ext2 /dev/hda4

pvcreate /dev/hda4

vgextend VolGroup00 /dev/hda4


[so now your new partition should be there and registering in the pvdisplay (physical volume display)]

[now type] lvm

[This is the logical volume manager]

[type:] vgs [this will show you the status of your logical volumes]

[this will show you the current volume groups. The default volume group is VolGroup00, this is what mine was set at, and probably yours too…]

[it may look like this]

VG #PV #LV #SN Attr VSize VFree
VolGroup00 1 2 0 wz--n- 5G 32.00M

[OK, so when we used 'pvcreate /dev/hda4' above we created it as a physical volume, this now needs to be put in the volume group…type in]

vgextend VolGroup00 /dev/hda4

[to check back and make sure it's all cool type in:]


[Look at this against the first time you used vgs, it should now show another volume and the 'VFree' should have increased by the size of the new partition you put on earlier: /dev/hda4]

VG #PV #LV #SN Attr VSize VFree
VolGroup00 1 2 0 wz--n- 5G 10.32G

[Now we resize the volume groups so that the free space can actually be used!... I added 10G in this example (and about that in real life) so now we need to get on it…]


lvextend -L +10G /dev/VolGroup00/LogVol00 /dev/hda4

[it'll now tell you that it's gone ok (I hope), if you type in:] vgs [then the free space amount should have been reduced, if it has, brill!]

[df results will be the same as before we started, so to get to the space so we can see it we need to go to the 'core'... get it?]

[Stick in the installation DVD, or if you used CDs I think you'll need the first one, boot with the cd/DVD… you might need to access your BIOS settings and make sure that the cd/dvd drive is what it boots to first – I don't know because that's the setting I have as a default anyway – if this is the case, and I think it might then you might be able to just press F12 and select it – although that's not supported on all systems I don't think]

[Press:] F5
[Then type:] linux rescue

[Select your language, I'll assume english will work if you're reading this, and the keyboard system you want to use]
[you will now need to avoid mounting disks and systems so select "skip" because you want to avoid mounting or booting]

[a command line should now be in front of you]

[now type:]
lvm vgchange -a y VolGroup00


lvm lvchange -a y /dev/VolGroup00/LogVol00

[Then check everything is cool by using the next command, this will take a little while, but let it run:]

e2fsck -f /dev/VolGroup00/LogVol00

[Then type:]

resize2fs /dev/VolGroup00/LogVol00

[take out the cd and reboot. It should all be working now, free space should be viewable in your home folder and everything should be great :), hope it helped]

April 19, 2006

Fedora Core 5 repositories

I want to set down some clear and simple advice on what the best way to get going on Fedora core 5 (Bordeaux). There are lots of good sites out there already which deal with this subject matter but I often find that there is an implicit assumption that you know how to get from one step to the next. To this end I want to try and make a complete little how-to, perhaps even a series of them…

Firstly by way of a preamble Fedora core 5 is the latest fedora release. Fedora being a distribution of linux which is free (beer and speech – although that's sometimes doubted). Fedora works within the Red Hat project and it is also a nice place to start on linux. Unfortunately Fedora does not contain inbuilt support for many things which would be useful (like mp3) because they only support open formats.
After installing Fedora on your computer (a good how to can be found at this link as well as the download iso) you will be taken through a walk through about getting some set-up things done (oh, and if you use windows DON'T set it to use UTC). I have a widescreen laptop and this created some difficulty, what I found it best to do was set the resolution of the screen as if it was 1024×768 and then it seems to work. When I set it to the true widescreen format the text looked disjointed and was hard to read…

*don't type what is in square brackets…

Anywho, with that done you'll want to update your yum configuration, to do that open up a terminal (it's under accessories at the top left) and type: su - [then press enter]
[enter your root password]
[you should now be as root, type:] yum update

This should update all of your software that you have put on, either in the installation or since

now would be a good time to add another repository (this is a really easy place to get software from)

go to the terminal again, become (if you are not already) root (with the 'su -' command)

[type] rpm -ivh http:/ /rpm.livna.org/livna-release-5.rpm
[I had to put in a space because otherwise it just came up as 'link', obviously copy this into terminal and just delete the space in the '..://rpm…']

this should install the livna repository without any problems, if it asks you if it is ok to proceed, just press 'y' then enter

ok, now it might be a good idea to install anti virus software, so type in terminal, as root:

yum search 'clamav'
[will continue later when I can actually be bothered to look up the specific commands, if you know how to use terminal, clamav is great…..]

April 01, 2006

New society?

I am thinking of trying to get together some kind of society where people can share open software and what have you, does anyone think this is a good idea? I got thinking about it because I was wanting to download Slackware but the thought of downloading 4.7 gig is a little daunting on a connection this slow (also I can't make use of the official torrent). Maybe some kind of message board system where people say what iso's or dvd's etc. they have that they could share. Could also spread the open source message round campus. It's currently just an idea, but as I say, any thoughts?

(or does this already exist within a computer society?)

AJAX Sketch

Writing about web page http://www.ajaxsketch.com/

Another week, another XML based program.

AJAX sketch is from the same people who brought you AJAX write and is based on the same principles, it uses an open format in a free (beer!) way. Use it to create interesting pictures, although the extent to which you can do anything too impressive at the moment is debatable. The first splash screen looks impressive, but I don't seem to be able to get a similar level of functionality out of it. It feels a little sluggish and the selection method can be a hassle. I would have preferred something similar to One Note in the selection method, which is to say clicking and dragging a box over what you wish to select. That said this too is a “0.9” version release, so there could well be better things to come. Better still you don't need to update because it's all based on–line so you always get access to the newest version. Give it a go. Try AJAX Write. They might not replace your current applications that you use at the moment, but if this is the future (the “web 2.0” – if there ever will be such a clear division) then it is at least a good omen.

March 26, 2006

SLAX – the end of traditional OS?

Writing about web page http://slax.linux-live.org/

First things first, SLAX is a Live distro of Linux. That means that it is an operating system which runs from the CD with no need to even have a hard drive. SLAX is the live “version” of slackware Linux and uses KDE. It's available from the URL above as an iso. For those of you who might not know how to use them but really want to give Microsoft the boot I'll give a brief explanation. “.iso” is a file format (it's a CD image), in order to use it you need to download it, then open it in a program that supports iso burning like Alcohol 120% (I think you might be able to get a free trial version of that somewhere) then you just need to go to the image burning wizard, open the file and tell it to burn to a CD. It sounds complicated but it's rather quite easy. Then you simply need to put the CD in the CD drive of your computer, boot it up, go into the BIOS and then change the boot preference so that it automatically boots from CD before hard–drive.
When that stage is done (which is the hardest part of it all) you can boot up SLAX. Boot options are got to through F1, although unless you have any problems you probably won't need this too much. When I tried on my very old laptop I had to tell it to bypass hotplug, pcmcia and agp, on my new laptop it all worked perfectly. You might want to try using the boot options to load the CD to the RAM, I think this might make it work faster (as it's loads easier to access than a CD); although I've not tried bench–marking anything. I think the boot option is something like “SLAX boot2ram” (it's in the list that comes up when you go to that section anyway).
When it's booted up to what you might call the main page there are some options there. You need to login (I don't know why) with name “root” and password “toor”, then you can use the “startx” command to open the more familiar looking environment, or you can have a look at “midnight commander” using “mc”... there are some other options which you can try at your leisure. When you use the “startx” command you get into KDE. This gives you a very pleasing set up, complete with nice graphics and pretty much everything that you would want as a home user (although unfortunately no pre–installed Open Office). The lack of an office suite could be seen as a bit of a problem; not too much considering AJAX office is getting up and running, to effectively work as a live office (see entry below on AJAX write). The GUI could easily be a replacement to windows, and even if you decide not to use it then all you have to do is take the CD out and you can go back to using whatever you did before. You don't need a hard–drive to use it, although obviously you'll need some form of non–volatile memory if you want to save anything permanently. I'd stick this on the Hard Drive. Browser is Konqueror. System seems stable; I've not had any problems on my laptop.
Of course it is far more secure than something like Windows with regard to viruses and spyware. Even if there was a virus written for this (which I'm not sure there is) you would need to download it, then run it, and even then you can fix the problem by simply switching it off and on again, because the OS is loaded each time anew. SLAX is also far smaller than your average OS, the iso is only about 187 MB, this means that it doesn't have all the bloat of bigger OSs and as such seems more stable and faster (there's less to go wrong). Using a hard drive simply as a way to store your information separate of the OS seems to work well. On the downside you have to extract the OS to the RAM each time, or load the CD up to a suitable point.
So would I recommend? Yes, it's free to download and you don't have to get rid of any other OS on your computer, so it is worth a try independently of whether or not you're looking for a full time replacement. I would say it could easily be used as a full time replacement for another OS… which is what I might do.

Update: I ended up going with a somewhat regular OS, being Fedora core 5… SLAX is still worth trying as a way to decide if you like KDE, and if you were to boot it using a USB key into RAM then it would be really quick (still, it's best to have over 1 gig of RAM so that you can store enough data). I've also tried Damn Small Linux (it's so small – 50 meg!) it works really well on old laptops and has enough useful stuff to keep you working happily : )

March 24, 2006

RFID, Biometrics and the flaws of both

RFID and biometrics are two of the most important features behind both the new passports and the new identity cards which we will be forced to have in the UK. They extend beyond just the UK though and they are being introduced the world over as an attempt to “crack down on terrorism” and “make transport quicker and safer”. I never really had a problem with ID cards on a civil liberties point (although I'm sure you're aware of the objections from that camp). What has been increasingly worrying me, on practical points, is the fact that it seems like they might actually make the job of killing people easier for terrorists and make us all less safe. The first I saw of this is from a Cambridge professor of maths who claims that if you use two methods of biometrics to attempt to verify someone's identity, where one is “stronger” than the other, the result is less sound. Basically; if you verified someone's identity by using their retina scan (strong) and a fingerprint scan (weak) then the results on average would be less accurate than using just the retina scan… unfortunately there seems to be plans to use both to see who someone is.
The second, and perhaps more worrying of the two items that I saw on this topic over the last week has been the discovery that RFID chips (we have these in our library cards and they will be in the new passports/identity cards of a lot of countries) can be hacked from a distance AND can get viruses. The ability to hack means (and this has been proven to work) that if you are within 10 meters of someone you could download all the information from their passport and steal it. This information would be more than enough to steal their identity and then a significant amount of their money. On RFID being able to get a virus this might seem less worrying. It's not. What this means is that you could have your passport infected, at the same time as “they” are stealing your identity, and then whenever you used your card it could infect the machines and the databases it is used with. This becomes more worrying when you consider that airports are beginning to use RFID chips in order to let frequent flyers get through security faster “because they'd never be a terrorist”... A virus could be used to delete all the information on an airport's computer system. Again this might not seem too big of a problem. The airport stops for a while whilst the backups are run and then it all starts again. But if someone wrote a virus that made the RFID chip think that the person called, say, “John Smith” wasn't a terrorist, when he was, he would be able to walk through the security checks far easier and be on his way to killing thousands of people… all this because the government is trying to make us “more safe”... shurely shome mishtake?

link biometric flaws
link RFID Virus

The Golden Rule

Coin collecting is somewhat of a hobby of mine. I've been doing it a little while now and am specialising in hammered coinage of England. As I have previously written about in other places there is perhaps one golden rule which stands out more than any other on the subject of coin collecting and it is this: don't clean them. Ever. Perhaps the previous sentence was a little zealous there, obviously if you have just dug it up then use clean, cool water to wash off excess dirt, but nothing else. Today I decided to break that rule, taking a Henry III voided long cross penny and giving it a jolly good go at cleaning it. After this I have discovered that the golden rule is golden for a reason… it is a good one. Anyway, after spending a long time using some soft kitchen roll and cold water I decided to have a go with the big guns. Cilit Bang and hot water. This may sound stupid and I know that a copper coin would clean differently to a solid silver one; but I thought I'd press on. Cilit Bang didn't seem to do anything, the heavy black coating on the coin remained and not a lot changed. Hot water was my next weapon, and this produced a rather unexpected result. It did clean some of the dirt off, but it also gave the silver a “burnt” look. Perhaps this was due to the rapid oxidisation caused when it was brought out of the water due to the heated silver, perhaps it was due to the Cilit Bang which might have still been working its way through. I don't know. Still the situation seemed a little bleak, although the rest of the silver had taken on a somewhat nice golden hue, so it's not all bad. I decided to leave it there and left it to dry. When checking back on it dry and moving it to be with the rest of my collection it did seem to have got a little better, perhaps that was just the worse light. Either way, I now can state 100% that the golden rule is a good one… in the future I might follow my own advice.

AJAX Write 0.9

Writing about web page http://www.ajaxwrite.com/

I recently discovered a new program called AJAX Write. Cunningly enough this uses AJAX. The general idea is that they wanted to create an alternative to Microsoft office which would be usable by anyone at any time over the Internet. They seem to have done a fairly good job with it, it can apparently open a variety of file types; .odt, .pdf .txt rich text format which gives it a good sense of functionality. It doesn't seem to have a spell-check function, which is a shame, nor does it seem to have a grammar checker. All in all, it is only a 0.9 release, and I hope that it can have a good long life. They are going to be releasing a new program every Wednesday which is aimed at rivalling “Office”. I would like to see a conjunction with open office though to try and make the open document type a new standard; but I doubt I'll get that. Currently I am struggling to make the save function work though…

Opening time: approx. 6 seconds
Size: 400k
Cost: FREE! (free beer – for all you /.'ers)
also, you never need to update it… which is nice

Check it out at ajaxwrite.com