Rootkit Hunter
With the current onslaught of hacking and cracking about, I’d like to write a few articles about basic security for your Linux box at home (although most of the stuff I’ll be posting on security is equally if not even more appropriate for corporate servers). We Linux users think we are pretty safe from all sorts of malware and viruses. And it’s true most of the crap out there is focused on Windows boxes (and more and more on the Mac), but that doesn’t mean any Linux user should sit back and watch the carnage amongst the other operating systems. There is stuff out there you don’t want on your system, and if you don’t keep an eye out for it, it might end up on your box without you knowing about it, and someone could be using your gear for evil deeds.
One thing that you might want to check for is rootkits: software designed to gain root access and create backdoors on your Linux machine. One of the more popular applications that looks for the telltale signs of well-known rootkits is rkhunter. Once installed, you might need to take a moment to set it up. Some distros (like Ubuntu) place a script in /etc/cron.daily so rkhunter is run every single day. If your distro doesn’t do that, you might consider using the following script (/etc/cron.daily/rkhunter):
#!/bin/sh
RKHUNTER=/usr/bin/rkhunter
# Address that receives the daily report
REPORT_EMAIL=root@localhost
# Nothing to do if rkhunter is not installed
test -x $RKHUNTER || exit 0
# Update RKHUNTER
$RKHUNTER --update > /dev/null 2>&1
# Check the system
OUTFILE=$(mktemp) || exit 1
$RKHUNTER --cronjob --report-warnings-only --appendlog > "$OUTFILE"
# Only send mail if rkhunter produced warnings
if [ -s "$OUTFILE" ]; then
(
echo "Subject: [rkhunter] $(hostname -f) - Daily report"
echo "To: $REPORT_EMAIL"
echo ""
cat "$OUTFILE"
) | /usr/sbin/sendmail "$REPORT_EMAIL"
fi
rm -f "$OUTFILE"
And don’t forget to use chmod 700 /etc/cron.daily/rkhunter to make it executable! Of course, you can use any email address you like instead of root@localhost, as long as your system is configured to be able to email to the outside world in any way, shape or form.
Automatic login for MySQL
Do you ever get tired from having to type a long line of code whenever you log into MySQL? Do you have scripts that access MySQL, but you hate having to store the MySQL password in the script itself?
The easiest solution to these sort of problems is to create a file in your home directory named .my.cnf. Give it the following contents:
# MySQL login file
[client]
user=root
password=reallysafepassword
database=somedatabase
The ‘database’ line is optional by the way, and you can use any user you want (using ‘root’ might not be a good idea in most cases, especially in production environments). Once you have this in place, simply type ‘mysql’ and WHAMMO! You’ve got yourself your MySQL prompt. If you use mysql in a script, you can leave out stuff like “-uroot -hlocalhost -p”. You also gain the advantage that you no longer have to remember passwords to your database, so you can harden your MySQL with a complicated password which is hard to crack (a 48 character random string, for instance).
Do make sure your $HOME/.my.cnf file is set to chmod 600 (meaning -rw-------) so other users won’t be able to read your password anymore. Don’t forget to do that, otherwise anyone with access to the .my.cnf file will be able to access your MySQL account as well.
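The chmod 600 point is easy to forget, and the mysql client itself only ignores option files that are world-writable, not ones that are merely readable by others. As an added example (not the MySQL client’s own logic, and not code from this post), here is a small Python loader that reads the [client] section of an option file but refuses it outright when group or other bits are set; the .my.cnf contents it writes are a constructed sample mirroring the one above, and the file names and function names are my own.

```python
import configparser
import os
import stat
import tempfile

# Any group or other permission bit is too loose for a credentials file.
FORBIDDEN_BITS = stat.S_IRWXG | stat.S_IRWXO


def load_client_credentials(path):
    """Return the [client] keys of a MySQL option file as a dict, but only
    when the file is owner-only (mode 0600 or stricter). Raises
    PermissionError otherwise. Added illustration, not MySQL's own check."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & FORBIDDEN_BITS:
        raise PermissionError(
            f"{path} has mode {oct(mode)}; expected 0o600 (run: chmod 600 {path})"
        )
    parser = configparser.ConfigParser(interpolation=None)
    with open(path, encoding="utf-8") as fh:
        parser.read_file(fh)
    if "client" not in parser:
        raise KeyError(f"{path} has no [client] section")
    return dict(parser["client"])


def demo(mode):
    """Write a constructed .my.cnf with the given mode into a temporary
    directory and try to load it. Returns ('ok', credentials) when the
    permissions are acceptable, or ('refused', message) when they are not."""
    # Constructed sample contents, same shape as the post's example.
    sample = (
        "# MySQL login file\n"
        "[client]\n"
        "user=root\n"
        "password=reallysafepassword\n"
        "database=somedatabase\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        cnf = os.path.join(tmp, ".my.cnf")
        with open(cnf, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(cnf, mode)  # explicit mode, so umask does not interfere
        try:
            return ("ok", load_client_credentials(cnf))
        except PermissionError as exc:
            return ("refused", str(exc))


if __name__ == "__main__":
    print(demo(0o600))  # loads the credentials
    print(demo(0o644))  # refused: readable by group and others
```

The same check is worth dropping into any script that sources database credentials from a dotfile: failing loudly on a 0644 file is far better than silently using a password that every local user can read.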
Linux… Heaven for gamers
Some of you may think Linux is an OS that sucks if you’re into gaming. On the contrary; I think it kicks ass big time. You see, every gamer wants one single thing: to use every single piece of resource their kit has to be allocated to the game they are playing at that moment, so it runs smoothly, at maximum resolution and with the graphic settings pumped up full. Generally, that takes some tweaking, especially if your base-OS is hogging precious resources for stuff you’re not using when gaming. Enter Linux.
Now, I play plenty of (native) games on my regular system user account, like Nexuiz, Sauerbraten, Freeciv, and Wesnoth. I can also play a multitude of Windows-based games through Wine, but many of these (EVE-Online, World of Warcraft, etc) require some hefty system resources if you want to play with all the graphics at full. But I have all these programs and other things using memory and CPU running on my regular system user desktop. So, to give the game all the resources I can spare, I simply create a new user account specifically for playing a specific game.
For instance, I create a user named ‘azeroth’, and set things up so when logging in as ‘azeroth’, I’ll get a nice clean LXDE desktop. I’ve installed World of Warcraft in a default .wine directory (using wine, of course) and set a WoW wallpaper as my background image. Now, if I want to play, I have a little more resources for the game to use. Anyone can use a similar (or even better) setup to tweak a specific login to use as little resources as possible. And if you wish to remove the user and the entire (wine) game from your computer?
# userdel -r azeroth
Linux… Gamers should love it!
Combining LZMA2 compression with tar
Here’s a short post on the way to create or extract .txz (tar.xz) archives.
This way you’ll create a .txz file:
$ tar cvJf nameofarchive.txz directory_with_files
And that way, you extract a .txz archive:
$ tar xvJf nameofarchive.txz
Easy huh?
Doing php script the silly way
For the second time in a few months, I noticed a customer doing this on their server (I work at a hosting provider):
curl --silent --compressed http://www.somewebsiteblablabla.com/cron.php
You see stuff like that in crontab sometimes, and it surprises me that someone who knows enough about php to write scripts in it, doesn’t seem to know that it’s a rather inefficient way of executing php code. Here’s what you’re doing:
- You let the server execute a command within a shell (often through cron).
- The command opens up a connection to a website through the NIC that is used for internet connectivity, in order to use the internet to access a website hosted on the same server… again, by using an internet connection.
- The (local) web server gains an open connection (you, requesting the cron.php page) and handles the request.
- The web server runs the php code. If there is any output, it sends this back to the shell that executed the request… over the internet.
Doesn’t this sound like going from your kitchen to your living room by walking out the door, getting into your car, driving three blocks around your house, parking it next to the front door, ringing the bell and (after your partner lets you in) walking into the living room?
Easier way? Yes there is. If you wish to execute a php script (for example from the crontab), use /usr/bin/php. If it’s not on your server, install php-cli (or a package named something similar to that) or ask your sysadmin to do it for you. How do you run the script? Something like this:
/usr/bin/php -f /var/www/somewebsiteblablabla.com/cron.php
The php command line interface (PHP CLI) has plenty of interesting options, so don’t neglect to read the manual page (man php). This way, it’ll execute the same code, but it won’t use your internet connection and your web server to do it, so it’ll be a bit quicker, and you’ll prevent unnecessary load on your web server. As an added bonus, you don’t need to make the script accessible to everyone through the webserver. You can place the script somewhere on the server where it is not hosted through the web server.
Sudo and numbers in usernames
I ran into a sudoers file that gave me a syntax error I couldn’t explain. I first needed to find the line responsible for the syntax error, which was line 80. But since visudo wasn’t displaying line numbers on the bottom of the screen, I forced visudo to use vim.
export EDITOR=$(which vim)
After that I located line 80, which read something like
#5berry ALL=(ALL) ALL
All the vi colours were set up properly, everything looked fine. Adding the user ‘tomcat6’ didn’t work either: the text turned from red (used for usernames in sudoers) to white the second I added the ‘6’ at the end. After a little Googling, I learned one could add users by using their uid, like so:
User_Alias TOMCAT = #500
Cmnd_Alias WEBSERVICES = /etc/init.d/tomcat, /etc/init.d/apache2
TOMCAT ALL = WEBSERVICES
That should work, but didn’t. Then it hit me; sudo was interpreting "#5berry ALL=(ALL) ALL" as "uid 5 berry ALL=(ALL) ALL", while vi was interpreting it as a comment line. So I changed it to "##5berry", although "# 5berry" probably also would work.
So, as you can see, weird things can happen once you combine usernames that contain numbers with a sudoers file.
Update: W.T. Fawkes figured out that "5berry" or "tomcat6" (enclosed in double quotes) should also work… and it does. Thanks for the info.
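To make the quirk above concrete, here is an added Python illustration (not sudo’s real parser, and not code from this post) that models just the rule that bit me: a leading ‘#’ directly followed by digits names a user by uid, and whatever is glued to those digits becomes the next token, whereas any other ‘#’ starts a comment. It also includes a small scanner that flags exactly that pattern in a file, so you can spot a line like "#5berry" before visudo complains. The sample sudoers lines are constructed; the function names are my own, and directives such as #include are left out of the model.

```python
import re

# Simplified model of how sudoers reads the first token of a user
# specification line. Added illustration only, not sudo's own grammar.
_QUOTED = re.compile(r'^"([^"]*)"(.*)$')          # "5berry" ALL=(ALL) ALL
_UID = re.compile(r'^#(\d+)(\S*)(.*)$')            # #5berry -> uid 5, glued "berry"


def classify_user_token(line):
    """Describe how the leading token of a sudoers line is read.

    Returns one of:
      ("comment", None, "")        the line is ignored
      ("uid", <int>, <rest>)       '#<digits>' names a user by uid; anything
                                   glued to the digits starts the next token
      ("user", <name>, <rest>)     a plain or double-quoted user name
    """
    line = line.strip()
    if not line:
        return ("comment", None, "")
    m = _QUOTED.match(line)
    if m:
        return ("user", m.group(1), m.group(2).strip())
    if line.startswith("#"):
        m = _UID.match(line)
        if m:
            # '#5berry ALL=(ALL) ALL' becomes uid 5 followed by 'berry ...'
            return ("uid", int(m.group(1)), (m.group(2) + m.group(3)).strip())
        # '##5berry' and '# 5berry' both land here: an ordinary comment
        return ("comment", None, "")
    name, _, rest = line.partition(" ")
    return ("user", name, rest.strip())


def find_ambiguous_uid_lines(lines):
    """Return (line_number, line) for every line whose leading '#<digits>'
    has non-space characters glued to the digits, which is the pattern
    behind the syntax error described in the post."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = _UID.match(line.strip())
        if m and m.group(2):
            hits.append((number, line))
    return hits


# Constructed sample sudoers lines, not the file from the post.
SAMPLE_SUDOERS = [
    "# Constructed sample",
    "root ALL=(ALL) ALL",
    "#5berry ALL=(ALL) ALL",
    "##5berry ALL=(ALL) ALL",
    '"5berry" ALL=(ALL) ALL',
    "tomcat6 ALL=(ALL) ALL",
]

if __name__ == "__main__":
    for line in SAMPLE_SUDOERS:
        print(f"{line!r:32} -> {classify_user_token(line)}")
    print("suspicious:", find_ambiguous_uid_lines(SAMPLE_SUDOERS))
```

The scanner is only a pre-check; the authoritative test remains visudo -c on the file, which parses it with sudo’s real grammar.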
Today, the Blender Foundation released Blender 2.57a, the first stable release of the new 2.5 branch of this popular (and free) 3D package. It’s new, improved, rewritten, has lots of new features and will blow the socks off anyone looking at your creations. So if you ever wanted to get into CGI, you might as well give it a try now, with Blender.
You might want to check out BlenderNation, Blender Artists and BlenderArt magazine for inspiration and information.
Open Libre Office
Earlier this week, every Arch user that synchronized their packages saw OpenOffice.org being replaced with Libre Office. A forum post was inevitable, and opinions were exchanged on the matter. What happened, why did it happen and what now?
Basically, in the fall of 2010, core members of the OpenOffice.org development team decided to start up the Document Foundation and create a fork of the project so they could improve the office suite in ways their big boss, Oracle, didn’t allow. Many were excited about this move, and the devs were even kind enough to give Oracle the chance to participate. Oracle (famous in my book for creating a bulky database, screwing over the PostgreSQL team when they bought Sun and killing OpenSolaris) told the devs to quit their fork immediately, or else…
The devs refused, and Libre Office was born. It has the support of Canonical (sponsors of Ubuntu), Novell and Red Hat, and as I stated above; Arch Linux. I’m sure many other flavors of Linux are gathering behind Libre, dropping OpenOffice.org from their default repositories. Libre Office 3.3 is already an improvement over OpenOffice 3.3:
- SVG image import.
- Lotus Word Pro and MS Works import filters.
- Improved WordPerfect import.
- Dialog box for title pages.
- Navigator lets one heading be unfolded as usual in a tree view.
- “Experimental” mode that allows unfinished features to be tried by users.
- Some bundled extensions, including Presenter View in Impress.
- Colour-coded document icons.
And much cooler stuff is on the way, like reduced Java reliance and improved memory usage.
So what are we to do? Well, the positive side of having freedom of choice is that you can keep on using OpenOffice.org like you used to do, but you can also get on with Libre Office, and work with an office package that is constantly improved again; something OpenOffice.org isn’t anymore. Show Oracle what you think of their attitude towards open source, free software and healthy competition: remove their office suite from your system, and download and install Libre. I’m sure you’ll never look back regretting your decision.
Update (18-4-2011): Oracle gives up on OpenOffice after community forks the project
As a system administrator for a large Dutch hosting provider, security, patching and hacking-prevention are things I deal with on a daily basis. I’m not going to post anything truly work-related on this blog (work ethics, contracts and security considerations prevent me from doing this), but I can speak in general terms. Here’s some basic stuff you might consider in order to have at least some basic security on your servers.
- Easy passwords. Prevent having them, anywhere on your servers. Make sure they are at least a string of 8 random characters. This will make dictionary and brute force attacks more difficult.
- Local firewall on the server. IPtables rocks. Even if you have a firewall between you and the internet, setting up iptables on your server to only allow the traffic needed from only certain locations is wise. Don’t even trust internal network traffic.
- Easy tooling. Install rkhunter, fail2ban and other simple tools that may prevent someone getting in, or spotting them quickly if they did. Keep an eye on your logs. Install logwatch and read the email it creates with care.
- Updating and patching. Keep your OS (ANY OS!) up-to-date. If there are security patches; update. If there is a new major version out; upgrade to it. Nothing worse than getting pwned through a gap in security that has been around for a year or more.
- Use the best software for the job. If you are running a simple website, why run it on Apache2 with dozens of modules activated that you’re not using? Either disable the unnecessary modules, or run another product. Cherokee is a good alternative to Apache2 if you don’t need all those fancy modules for your site, and so is Hiawatha (which has an extra focus on security, with built-in countermeasures). If you have a website that has a lot of hits and static content, consider Lighttpd or Nginx. Apache2 is an old friend, but also a well-known one to intruders.
Anything to add to this list? Feel free to share them in the comments.
And also, read this article over at Ars Technica about the HBGary hack and learn more about how NOT to handle security for your company.
Vanity IPv6 addresses
Now that IPv6 is no longer that thing we’re postponing because it’s too much of a hassle, since no one will be able to get an IPv4 address during the course of the next few months, people are starting to learn that besides vanity domain names, you can now have vanity IPv6 addresses! A few examples:
www.leaseweb.com: 2001:1af8:3100:1:0:b00b:babe:cafe
www.tokyotosho.info: 2001:470:27:4f7::b00b:babe
www.fedoraproject.org: 2610:28:200:1::fed0:2
Check out the progress of IPv6 domains and IPs at http://bgp.he.net/ and feel free to post any other real vanity IPv6 addresses in the comments!
