JDPFu.com 2013

The 7 Uncommon Uses of iptables over at linuxaria shows fairly easy to use solutions for the following:

1. Block known dirty hosts from reaching your machine; block spammers and other known bad networks
2. unlock a pre-determined port, once someone “knocks” ; ie "port knocking_
3. use a restricted externally, but a high port on the server – port forwarding
4. use your proxy only for external access, not in the local LAN – I’ve done this with PAC files
5. Limit the number of ssh connections to 10
6. Limit ssh to have just 1 session every 15 seconds
7. Give multiple directives with a single command

Fail2ban can be used to address some concerns, but you may need to limit the connection count and rate from some IP addresses that could be considered system abusers.

The BBC is reporting that internet connectivity with Burma (Myanmar) has been effectively shut down in advance of the first elections held there in 20 years.

Only 200 PCs Needed

If the BBC report is true, it would only take 200 relatively low speed internet connected PCs to take the country of Burma off line. Let me explain. In the BBC story about Burma, it is stated the entire country is connected to the internet over a 45Mbps link, that’s a DS3 to the network and telecom people. It isn’t much bandwidth for an entire country.

To take any network or servers off line, all that any attacker needs to do is effectively cause your network to be too busy for user connections to get through. Just like a busy signal on your telephone. Doing that’s isn’t very hard.

Only 15 PCs connected with common home bandwidth could take down the country of Burma. That isn’t many PCs is it. Even the slowest broadband connections have 256 Kbps, which means only 200 PCs are needed with that upstream connectivity to take Burma effectively off line. If a botnet controller wanted to attack an IP and they have 100,000 PCs, that translates to 25 Gbps. Most companies, even with large pipes like a Fortune 100 company has, would be taken off line. 200 PCs is a small number and could be quickly blocked, which is why botnet owners have 100,000 – 5M PCs.

If you want to learn something about Linux, there are a wide range of learning materials available out there.
Much is for beginners, but there are some intermediate and advanced course materials available too.

The best place to begin is with the documentation from your distribution.

• CentOS Docs
• Redhat Docs
• Debian Docs
• Ubuntu Docs

Internet search engines will find lots of documentation for other distros too, but knowing that Distro-Z is based on Distro-Y means that the documentation for Distro-Y probably works for Distro-Z too. A concrete example – Ubuntu is based on Debian, so if you use Ubuntu and can’t find the document under Ubuntu, look for it under Debian.

Eventually, you will want know something that isn’t in those documents. To address this, each major distro also has forums and email-list-servers.

• CentOS
• Debian
• Ubuntu
• Fedora

Be certain to spend at least 45 minutes searching the forums for your question and answer before you post. Read the Acceptable Use Policies for each forum too. Basically, if you are on-topic, respectful and cordial, then you won’t have any issues.

Some general information about Linux and HowTos also exist.

• Linux Documentation Project – All things Linux (How Tos, Guides, etc)
• HowToForge.com – Famous for Perfect Desktop X and Perfect Server Y how-tos.
• Atlanta Linux Enthusiasts – find your local LUG (Linux Users Group)
• Linux Hardware Compatibility List Not all hardware is happy with Linux
• LPI Practice Exams and Tutorials
• Linux Certification Documentation Project
• Linux Professional Institute Tutors
• GNU/Linux Manuals Claims to be suitable for LPI Exam Prep

Because Linux is very much like UNIX, much of the information and techniques used and documented for UNIX systems over the last 30+ years will work on Linux. Don’t be afraid to read UNIX How-To Guides that you find out there.

Books – I find that anything written in a book is out of date by the time it gets published. That doesn’t mean you don’t want a classic like UNIX System Security in your collection, just that the details of an implementation covered in the book are probably out of date. The architecture coverage is probably just fine.

Just because you can do something doesn’t mean it is a good idea and doesn’t impact your security. When you read any online information that tells how to do something – ask yourself how it impacts your privacy and system security.

We just published a new permanent article on Security Settings for Web Browsers that may be interesting to some readers. It lists 23 things you can do to be more secure while surfing the web on the internet.

These are the things that I do. Some will be difficult for people who spend 4+ hrs a day on the internet to use, but not impossible.

The article provides a list of what your should set, not how you should make those settings in your browser. A little internet searching or checking the Help for your browser will let you easily make most of the settings.

This Saturday (tomorrow) I’ll be presenting to the DC404 crowd how to get system monitoring working on Linux in 5 minutes. Sadly, the presentation is running about 30 minutes because I really only need 5 minutes to show a complete install. Come and check it out, say hello.

There isn’t really much to it because SysUsage is really easy to setup and run. It works on desktops, laptops and servers, but there is no GUI for setup so you will need to use a terminal or console. With newer releases (OS or SysUsage) the dependencies may change, but it is still really easy to setup. This is so simple there really isn’t any excuse NOT to have performance graphs for all your Linux machines.

In a recent study, it turns out that about 1/3rd of all companies with 1,000+ users experience data loss or data leaks The study says this number is probably low, since it is self reported. The data loss can be from stolen laptops or misplaced flash drives or non-working backups. We all know that we should protect the data better, but for some reason it is determined to be too much hassle.

Then your company looses or inadvertently releases some sensitive data. That data was worth a few million or more.

Now you’re working a plan to encrypt all portable devices and trying to ensure no data get release without appropriate approvals first. Yes, it is too late, but this is a prophylactic for the next time.

Every laptop should probably be full drive encrypted. You know that already, now you just need to do it. Here’s how I did it – a compromise solution.

For the last few years, I’ve heard powershell for scripting by IT professionals in the MS-Windows community. Never looked at it until a few days ago. See, I confused cscript with PowerShell scripting. I couldn’t get the hang of cscript and wasn’t able to get it to accomplish what I needed the last time I tried. In June, I actually wrote some .BAT scripts for a client. If I knew then what I know now about PowerShell, I’d have been much happier and written those scripts in PowerShell, assuming it is pre-installed on Win2003 Server.

In my limited time with PowerShell, here are my impressions.

• UNIX has text processing, MS-Windows uses object processing – sorta like the difference between PERL and Ruby scripting.
• Most of the syntax is Perl-like – with some differences. Get used to $var.action calls.
• Pipes work like you’d expect from UNIX, except ….
  • generally, we don’t use `grep`, rather, the regex is used as part of the prior command
  • | `wc -l` becomes action.count – basically, if you want to get a count of something.
  • functions are Perl/Bash-like, except the argument passing is C-like (int x, int y). That is better than Perl, IMHO.
• Objects mean access to the registry, COM, and WMI. That’s a plus AND a minus. How to query a GUI program? That’s the problem.
• As usual, rather than reuse existing commands, Microsoft decided to use, longer, more complex commands. `ls` is `get-selections`, but they did include aliases in the tool. That means that many of the normal UNIX commands used in shell scripts have aliases, but those are not the preferred method name to be used.

As long as you don’t need to press a button inside a GUI, PowerShell can probably be useful.

Mindset Change

To me, the main limitations of PowerShell really aren’t with the language, rather, it is with my mindset and having to change from UNIX/File processing to object processing. Also, the tools on UNIX/Linux systems tend to support command line options to get things done. In MS-Windows, command line options to GUI programs are usually extremely limited – next to worthless. In Linux/UNIX, there are hundreds and hundreds of small applications and tools that come with the system suitable for script use.

References

A few years ago, PowerShell was called msh, Microsoft Command Shell. Here’s an overview.

Here’s a PowerShell Tutorial if you are interested in going further.

Read where someone is porting PowerShell to UNIX/Linux systems. Yep, it is called Pash. According to the project page, it is 40-50% complete and running on Windows, Linux, Mac and Windows Mobile platforms.

VMware is using PowerShell (they call it PowerCLI) as an interface into their ESX virtualization system.

Summary

In summary, it seems that Microsoft has been working hard for years to remove some of the biggest complaints against their systems – the lack of real, usable scripting. Seems they could advertise it a little more widely. Personally, I’d prefer a Perl library that encapsulated all this and for Perl to be included with MS-Windows installations so I don’t need to learn yet another language. Still, msh/psh/pash or whatever they call it this year is a step in the right direction.

Get the free ebook/PDF from Microsoft’s site about being secure online Microsoft is sponsoring the ebook, it is not written by them.

The first download in the list appears to be the complete ebook, so there’s no need to grab each chapter. It is in PDF, so be certain you have a non-Adobe PDF reader program. We don’t like Adobe stuff here due to security concerns.

People new to Linux or UNIX often don’t understand that built into the GUI system is a way to remote into pretty much any server in the world and have a program running on the remote machine, but displayed back on your Linux desktop. It is built in and has been for 30+ year of X/Windows. It doesn’t matter if you use Ubuntu, Redhat, Solaris, AIX, or if you use Gnome, KDE, XFCE, MWM, TWM – this solution is at a lower level. If you have a GUI on Linux or UNIX, it is built in and actually works really, really well.

Remote Applications over the WAN

I’m guilty of oversimplification. We all are. I say that I run Linux. That isn’t really accurate, but it is short and only people in the know really understand what that means. Below I’ll attempt to compare a few well known operating systems to an automobile and the parts inside it.

OS to Vehicle Comparison

I’ve picked 1 specific version of a vehicle, Linux OS and Windows OS to use for comparison.

Part              Vehicle                  Linux                         Windows

Total Name        Ford F-150 Truck         Ubuntu 10.04 x32 Desktop      Microsoft Windows7
                                                                         x32 Home Premium

Engine            Ford V8 4.4L Diesel      Linux Kernel 2.6.24-28        Kernel.xyz build 
                                            No direct access to the      number xxxx. No 
                                            kernel without helper        direct access to  
                                            programs.                    the kernel without 
                                                                         helper programs. 
                                                                         The kernel 
                                                                         provides services
                                                                         to other programs.

Outside Bling     Paint, chrome, flashers  Gnome 3.x, customized GUI     Windows Desktop 
                                           running on top of X/Windows   Program / Explorer 
                                           and a _Window Manager_ like   (1st instance only)  
                                           xfce, fvwm, Icewm ... *wm     This is the GUI - 
                                           Other examples of _Desktop    Start Menu, etc.
                                           Environments_: Gnome, KDE, 
                                           LXDE, XFCE. DEs are a 
                                           convenience and not 
                                           necessary.

Raw Controls      N/A, but directly        GNU CLI programs - ls, df     CMD.EXE and a 
                  controlling the throttle  du, and thousands of         limited set of 
                  with a pair of pliers is  others. Example UNIX         programs - dir, 
                  an example.               "Shells" are bash, sh, csh,  scandisk, chkdsk, 
                                            tcsh, ash, zsh, etc...       nslookup, net use, 
                                                                         route. Any program 
                                                                         that doesn't have 
                                                                         a GUI.

User Control Sytm Steering wheel,          CLI interface                 CLI interface 
                  instruments, peddles,    OR                            (mostly unused) - 
                  gear shifter, radio, etc GUI xfaces                    the old DOS-style 
                                                                         interface
                                                                         OR
                                                                         GUI controls like 
                                                                         Control Panel