Concerning Security on a Fedora system

This is continuing in my paranoid theme (and the theme of not spell checking), this should hopefully be good advice for anyone who wants to is concerned about security, and especially for those who are overly concerned…

First things first, don’t run as root for day to day operations, try not to login as root in the graphical interface at all – do it through the terminal, it’s far easier to control and not to get caught out by.

Alright, now we have the problem of rootkits. This is something which can be put down in your system to allow control over any number of things and is easily one of the top security threats you can face. Firstly you will want to make sure that your root password is strong, ie. make it take a few thousand years to brute force. Have a password which is ideally over 8 characters long, and has non standard characters in it – like !”£$%^ etc. and numbers and letters. This should halt most random attempts, but there are always other ways to get infected. A classic is installing something which is untrustworthy – because of this I only install open source software from the official (and livna) repos. (I know it seems a bit extreme, but at least it’s safe).

So lets assume that you have done that but want to check every now and again to get a little tick or “OK” sign to make you feel happy, you could do;

yum install rkhunter

This is a program to check for rootkits and gives you a nice green “OK” if it is. There shouldn’t be any red “WARNING” ones, but you might get one yellow (I do and after looking deeper I think it’s ok). Once it is installed to run it log in as root and type;

rkhunter -c

Chkrootkit is another which can be installed and always seems ok to me, although it can take a little bit of effort to find out what each warning means (for example it highlights your internet connection in the same way it would a rootkit. Chkrootkit is run just with the command;

Chkrootkit

Right, so that is done, but rkhunter will no doubt show up with one or two red warnings relating to ssh allowing remote root login. I would say only allow remote root login if you really know what your doing and really are sure you need to.
I wish that they would disable it as a default but, hey ho, they don’t.
Open up a terminal, log in as root, then type;

gedit /etc/ssh/sshd_config

You’re now looking for a section which will look like this;
.#LoginGraceTime 2m
.PermitRootLogin yes
.#StrictModes yes
.#MaxAuthTries 6

There will not be that dots before it (damn blog formatting) and the “PermitRootLogin yes” might have a hash before it, I don’t remember, but you want it to look like this;

.#LoginGraceTime 2m
PermitRootLogin no
.#StrictModes yes
.#MaxAuthTries 6

(again ignore the dots at the start of the lines) This will stop people loging in remotely and hammering your system.

Right, that’s all I have time for now, later I’ll go through firewall settings (firestarter is great). Untill then some really useful website which you can look at are;

http://forums.fedoraforum.org/ (that’s a forum which if you register you can ask specific questions and get help… also I use it, so if you get really lucky… you might get someone competant to answer you questions)

http://www.fedorafaq.org/ (that has some good advice about getting stuff working and what have you – although I think they tend to play with selinux a lot when I’m not sure that it’s needed)

and as always if you post on here I might be able to help you, and failing that, you can always search in Google for your answer, I’m sure someone else will have had your problem, maybe on a forum and they often have answers… though sometimes don’t :S

: 22 Sep 2006 13:10 |  Comments (0) |  Close comments |  Report a problem

Using clamav in Fedora, in detail

I’ve just read a post on my blog which was asking for more information about clamav in fedora, what might be good whilst installing it etc. so I thought I might as well try and lay down some advice.

This is a continuation of a post I made in April about setting up repositories in fedora, where I made a general comment about clam but I really was going to update it, but you know how things are… they often move slowly

Firstly I was asked about clamav, so that’s what I’ll turn to now,

The clam modules which I have installed (and will recomend) are;

*clamav
*clamav-update
*clamav-lib

you should be able to install these with the usual yum commands of;

su -
.root password.
yum install (name of package from above^)

it should sort out the dependencies for you on these – There is a way to install more than one package at once but strangely I’ve never used it, I think it is just one package name after another with spaces but no other divide… but I’m not sure. Still, doing it one by one won’t hurt.
Now one more thing, you will need to go to the file /etc/freshclam.conf and edit it. You’ll need to be root to do this so just don’t log out after you installed the stuff from above. To get to the file type in the terminal;

gedit /etc/freshclam.conf

This opens up the text editor (the default one for GNOME on Fedora, if you would rather you can use vi just with the command “vi /etc/freshclam.conf”) you need to go down to the lines which say:

.# Uncomment the following line and replace XY with your country
.# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
.# Default: There is no default, which results in an error when running freshclam
.#DatabaseMirror db.XY.clamav.net
(Ignore the dots before it – thats just what it takes to stop the formatting from kicking in and making it numbering)

Commented refers to a hash symbol being infront of it, this means that that line is not read by the computer when the document is read (sorry if that sounds patronising but I like to avoid too much technical language). All you need to do here is go to the website which is in the list and look for your country code and then change the last line so it looks something like;

DatabaseMirror db.UK.clamav.net

Without a # and the XY changed to UK (obviously the country code for the UK)

Right, now that should have clam up and running. To use it go to the terminal, login as root (with “su -” like above) and type;

freshclam (this will update your clam database – everything should work ok)

Then you can run a scan by typing in the terminal;

clamscan

this will scan your home directory, if you are root it’ll do all the hidden files and everything in there. This is good but maybe not exactly what you’d want, you will want to add options (typing “man clamscan” will give you a whole host of options to customise how you scan). What I would run to do a full system scan is;

clamscan / -r—quiet
(that’s; clamscan “space” slash “space” “hyphen r” “space” “two hyphens quiet”... I had to do that because the blog system likes to use really random language and hyphens make the text strikethrough)

The clamscan is the program, the ”/” is the start of your file tree (or at least it is by default and if you know how to change that then you’ll not need this – if it’s even possible), the “-r” means recursive, which means it scans through sub-folders until there is no where left to go
The “—quiet” means it will only tell you about viruses or errors – so it looks blank unless there is a problem… one that I have is it not being able to access ”/proc” but I don’t worry about it ; )
-if you leave off the—quiet then it’ll show you each file in turn and then say “ok” after, this is ok (you know how far it is along) but the final report won’t give you specifics if you do have an infected file… so you would need to scan again with—quiet to find out where it is

Right, that might have been a bit long winded but at least it was comprehensive!
- Tomorrow I’ll try and write about how to scan for rootkits (using rkhunter and chkrootkit) and how to shut off root access to ssh (which should be closed by default but strangely isn’t… :S). I’ll also stick down some really good websites for learning and the best forum in the world (because it’s the one I go on). But for now, night night

: 21 Sep 2006 21:12 |  Comments (9) |  Close comments |  Report a problem

blog update

So I've been going through old posts and trying to get some stuff up to date, still not too much done about the fedora install howto though, but with exams and the like it'll have to be put off… you can hash together a pretty good idea using the official website's advice ( link - you can also download fedora from one of the mirrors there) and the fedorafaq (link), both are really helpful; although I think that they may make assumptions about the level of knowledge which people have and I'm desperately trying to over come this. The future of open source will depend upon our ability to get people with no technical knowledge involved and learning.

I know there has been some debate about how to further open source (see Tim's blog: link to a reply I made on my blog here: link), but I'll be happy if even one person decides that they might now try some open source software; or at least be receptive to it.

: 12 May 2006 20:39 |  Comments (0) |  Close comments |  Report a problem

edit

need to update more… still, I'm trying to keep stuff going along on the ica blog, check it out!

: 11 May 2006 22:25 |  Comments (0) |  Close comments |  Report a problem

Warwick University – "an affiliate of M$"?

So I got looking through the IT services summer 2006 guide to training which is offered to students on the subject of computing. Well, I say computing, what I mean Microsoft branded computing. There are no less than 18 references to Microsoft products on one side of the A4 pamphlet. Why is it that our university seems to go out of its way to indoctrinate all students into their (proprietary) way of doing things? There are alternatives to M$ software out there… why doesn't the university consider Open Office… or Koffice (if they want to go all out for the open source and use KDE aswell… I'm a GNOME man myself)

Further; why do they insist on wasting so much money on buying the rights to use M$ software when they could get one source software, which would be more secure, faster and more stable for far less money. The FAA in America saved $15 million by migrating to Linux (see link). How many extra books could be bought for our library if we made that move within the IT services dept.?

: 07 May 2006 23:03 |  Comments (46) |  Close comments |  Report a problem

Registered Linux user, but no cigar?

So I actually became a registered Linux user last night (# 416286!), although I feel a little like I'm cheating because at the time I was suspiciously without a kernel. On Thursday I updated my system which included getting FC5 kernel 2107, a mistake I can now see because it was incapable of starting X. Because of this I felt that it would be sensible to get rid of the un–working kernel, but in my zeal I got rid of all kernels. The only way I could find to get it back (with help from the nice chaps at fedoraforum.org – one of whom lives in Coventry so is probably at the uni) was to boot with the DVD then use

Linux rescue

Yes to having the network connection and used the default settings

Chroot /mnt/sysimage
Yum install kernel
y

the only problem now is that I need to update grub because it's been going wrong and has lost fedora, mightily silly. I'll update when I figure out how… and I might even get round to finishing the install how to… that one is scheduled for after the exams when I put it on a friends system (whether he wants it or not ; ))

Update: I ended up re–installing Fedora completely. It was my fault for uninstalling the kernels in the first place so I'm not going to judge fedora too harshly because of it – that is just the chance you take with a bleeding edge distro… I might one day try ubuntu… I'll wait and see before I make any move. As someone pointed out to me on the forum; bordeux (core 5) is less than a month old, it needs some time to bed down. I remember the problems we had with the first release of Win 98, they make this seem so minor in comparison.

: 06 May 2006 10:54 |  Comments (2) |  Close comments |  Report a problem

HOWTO get extra space on partition containing Fedora Core 5

Abstract: I had created a partition to hold Fedora Core 5, this was about 4GB, as the OS extended and grew I needed more space, i went on Windows and used Partiton Magic to take some space off the windows partition, that space became unused space… this is how I allocated this space in Fedora Core 5 so that it could be used by the Fedora OS.

[(works for me in Fedora core 5, might work in others – but I have not tested it – use at your own risk, no guarantee, no warranty, your milage may vary- might solve all your problems, might blow up your computer and cause a turnip to fall on you head at an unfortunate moment – you might want to look at other sources to ensure that this is right or help with any other problems you might have). Don't type the square brackets or what's in them. The situation here is based on when I needed more disk space… firstly I went into windows and then used partition magic to create some free space on my disk (10G), this tracks through what I did, some of the things here are based on advice I got from other, so thanks for the advice.]

[Log on as root in terminal]
[type:] fdisk -l
[then:] fdisk /dev/hda

[Now options will appear, you only need to enter in the letter and press enter]

n [this option means 'new']
[Now select] p

[it may do the number automatically, if it hasn't select one which wasn't used when you typed 'fdisk -l']

[it should automatically do the start and end position – if it doesn't then you will need to look at the fdisk -l values and select the first cylinder as one after your last partition before the gap and the last one as one before the next partion after the gap]

[type:] t

83 [this is a linux partion; assuming you want an ext2/3]

w [this writes – so make sure you are happy]

[you might need to restart now…(I did)]

[now go back into terminal after restart, log on as root again…] mkfs.ext2 /dev/hda4

pvcreate /dev/hda4

vgextend VolGroup00 /dev/hda4

pvdisplay

[so now your new partition should be there and registering in the pvdisplay (physical volume display)]

[now type] lvm

[This is the logical volume manager]

[type:] vgs [this will show you the status of your logical volumes]

[this will show you the current volume groups. The default volume group is VolGroup00, this is what mine was set at, and probably yours too…]

[it may look like this]

VG #PV #LV #SN Attr VSize VFree
VolGroup00 1 2 0 wz—n- 5G 32.00M

[OK, so when we used 'pvcreate /dev/hda4' above we created it as a physical volume, this now needs to be put in the volume group…type in]

vgextend VolGroup00 /dev/hda4

[to check back and make sure it's all cool type in:]

vgs

[Look at this against the first time you used vgs, it should now show another volume and the 'VFree' should have increased by the size of the new partition you put on earlier: /dev/hda4]

VG #PV #LV #SN Attr VSize VFree
VolGroup00 1 2 0 wz—n- 5G 10.32G

[Now we resize the volume groups so that the free space can actually be used!... I added 10G in this example (and about that in real life) so now we need to get on it…]

[Type:]

lvextend -L +10G /dev/VolGroup00/LogVol00 /dev/hda4

[it'll now tell you that it's gone ok (I hope), if you type in:] vgs [then the free space amount should have been reduced, if it has, brill!]

[df results will be the same as before we started, so to get to the space so we can see it we need to go to the 'core'... get it?]

[Stick in the installation DVD, or if you used CDs I think you'll need the first one, boot with the cd/DVD… you might need to access your BIOS settings and make sure that the cd/dvd drive is what it boots to first – I don't know because thats the setting I have as a default anyway – if this is the case, and I think it might then you might be able to just press F12 and select it – although thats not supported on all systems I don't think]

[Press:] F5
[Then type:] linux rescue

[Select your language, I'll assume english will work if your reading this, and the keyboard system you want to use]
[you will now need to aviod mounting disks and systems so select "skip" because you want to avoid mounting or booting]

[a command line should now be in front of you]

[now type:]
lvm vgchange -a y VolGroup00

[Then:]

lvm lvchange -a y /dev/VolGroup00/LogVol00

[Then check everything is cool by using the next command, this will take a little while, but let it run:]

e2fsck -f /dev/VolGroup00/LogVol00

[Then type:]

resize2fs /dev/VolGroup00/LogVol00

[take out the cd and reboot. It should all be working now, free space should be viewable in your home folder and everything should be great :), hope it helped]

: 22 Apr 2006 13:46 |  Comments (5) |  Close comments |  Report a problem

Fedora Core 5 repositories

I want to set down some clear and simple advice on what the best way to get going on Fedora core 5 (bordeux). There are lots of good sites out there already which deal with this subject matter but I often find that there is an implicit assumption that you know how to get from one step to the next. To this end I want to try and make a complete little how-to, perhaps even a series of them…

Firstly by way of a preamble Fedora core 5 is the latest fedora release. Fedora being a distribution of linux which is free (beer and speach – although thats sometimes doubted). Fedora works within the Red Hat project and it is also a nice place to start on linux. Unfortunately Fedora does not contain inbuilt support for many things which would be useful (like mp3) because they only support open formats.
After installing Fedora on your computer (a good how to can be found at this link as well as the download iso) you will be taken through a walk through about getting some set-up things done (oh, and if you use windows DON'T set it to use UCT). I have a widescreen laptop and this created some difficulty, what I found it best to do was set the resolution of the screen as if it was 1024×768 and then it seems to work. When I set it to the true widesceen format the text looked disjointed and was hard to read…

*don't type what is in square brackets…

Anywho, with that done you'll want to update your yum configuration, to do that open up a terminal (its under accessories at the top left) and type: su – [then press enter]
[enter your root password]
[you should now be as root, type:] yum update

This should update all of your softaware that you have put on, either in the installation or since

now would be a good time to add another repository (this is a really easy place to get software from)

go to the terminal again, become (if you are not already) root (with the 'su -' command)

[type] rpm -ivh http:/ /rpm.livna.org/livna-release-5.rpm
[I had to put in a space because otherwise it just came up as 'link', obviously copy this into terminal and just delete the space in the '..://rpm…']

this shoudl install the livna repository without any problems, if it asks you is it is ok to proceed, just press 'y' then enter

ok, now it might be a good idea to install anti virus software, so type in terminal, as root:

yum search 'clamav'
[will continue later when I can actually be bothered to look up the specific commands, if you know how to use terminal, clamav is great…..]

: 19 Apr 2006 14:20 |  Comments (2) |  Close comments |  Report a problem

New society?

I am thinking of trying to get together some kind of society where people can share open software and what have you, does anyone think this is a good idea? I got thinking about it because I was wanting to download Slackware but the thought of downloading 4.7 gig is a little daunting on a connection this slow (also I can't make use of the official torrent). Maybe some kind of message board system where people say what iso's or dvd's etc. they have that they could share. Could also spread the open source message round campus. It's currently just an idea, but as I say, any thoughts?

(or does this already exist within a computer society?)

: 01 Apr 2006 23:35 |  Comments (1) |  Close comments |  Report a problem

AJAX Sketch

Writing about web page http://www.ajaxsketch.com/

Another week, another XML based program.

AJAX sketch is from the same people who brought you AJAX write and is based on the same principles, it uses an open format in a free (beer!) way. Use it to create interesting pictures, although the extent to which you can do anything too impressive at the moment is debatable. The first splash screen looks impressive, but I don't seem to be able to get a similar level of functionality out of it. It feels a little sluggish and the selection method can be a hassle. I would have preferred something similar to One Note in the selection method, which is to say clicking and dragging a box over what you wish to select. That said this too is a “0.9” version release, so there could well be better things to come. Better still you don't need to update because it's all based on–line so you always get access to the newest version. Give it a go. Try AJAX Write. They might not replace your current applications that you use at the moment, but if this is the future (the “web 2.0” – if there ever will be such a clear division) then it is at least a good omen.

: 01 Apr 2006 23:33 |  Comments (0) |  Close comments |  Report a problem