Andy Booth's Blog
OpenBSD upgrade
2011-06-22
OpenBSD's upgrade path involves booting an instance of the newer OS and
letting it copy the new system files to your old partition. You can do this by several methods, for
instance booting from a CD burnt from an ISO, or copying the new version of the ramdisk kernel to your root
and booting that. I chose the latter as it seemed the simplest: installing wget, FTP'ing the
bsd.rd file directly in and rebooting. At initial boot there's a five second wait which allows
you to change the boot parameters to boot your new shiny ramdisk kernel and start the upgrade. Except that on OpenBSD 4.8 hppa there is no delay. It took
me a lot of searching about to come up with a solution and it reminded me that weird architectures (like HP PA-RISC in this case) plus DIY OSes (any BSD,
a number of the more geeky Linux distros) should come with a notice saying "here be dragons", just in case you might have forgotten from the last time :)
In the end the answer was to create the file /etc/boot.conf and add the single line:
set image bsd.rd
and then follow the instructions, installing
the sets, etc. At the end of the upgrade process, you are dumped at a prompt with a
recommendation to reboot. Instead I went to /mnt/etc and deleted my boot.conf as I had visions of
endlessly rebooting into my ramdisk kernel. It worked for me.
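The sequence the post describes (point the bootloader at bsd.rd, run the upgrade, then remove the override before the final reboot) as a set of shell functions. This is an added example, not the post's own commands: every path is taken relative to a root directory argument so it can be exercised on a scratch directory rather than a live system, and the verification step assumes the mirror's SHA256 file (lines of the form "SHA256 (bsd.rd) = <hex>") has been fetched alongside bsd.rd.

```shell
#!/bin/sh
# Added example: stage the OpenBSD ramdisk kernel for an upgrade and manage
# the /etc/boot.conf override. ROOT is / on a real box; tests use a tmp dir.

# Print the SHA-256 digest of a file, using whichever tool the host has
# (sha256sum on Linux, sha256 on OpenBSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# Check a downloaded bsd.rd against the digest listed in the mirror's
# SHA256 file, so a truncated or tampered ramdisk kernel is never made the
# boot image. Returns 1 if the file is not listed or the digest differs.
verify_ramdisk() {
    rd="$1"; sums="$2"
    expected=$(awk -v f="$(basename "$rd")" \
        '$1 == "SHA256" && $2 == "(" f ")" {print $4}' "$sums")
    [ -n "$expected" ] || return 1
    [ "$(sha256_of "$rd")" = "$expected" ]
}

# Tell the bootloader to load bsd.rd on the next boot (needed on 4.8 hppa,
# where there is no boot prompt delay to type the image name by hand).
stage_ramdisk_boot() {
    root="$1"
    mkdir -p "$root/etc"
    printf 'set image bsd.rd\n' > "$root/etc/boot.conf"
}

# Once the installer has finished (the upgraded system is mounted at /mnt at
# that point), drop the override so the machine does not boot bsd.rd forever.
clear_ramdisk_boot() {
    root="$1"
    rm -f "$root/etc/boot.conf"
}

# True when boot.conf currently forces the ramdisk kernel.
ramdisk_boot_staged() {
    grep -qx 'set image bsd.rd' "$1/etc/boot.conf" 2>/dev/null
}

# Usage on a real system, after copying bsd.rd and SHA256 to /:
#   verify_ramdisk /bsd.rd /SHA256 && stage_ramdisk_boot / && reboot
# and from the installer's shell once the upgrade is done:
#   clear_ramdisk_boot /mnt
```

The verify step is the one addition over what the post does by hand; without it a bsd.rd that arrived corrupted over FTP would be booted as-is.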
On Gnome and Unity
2011-05-05
I understand that big software projects, particularly ones that provide desktop environments, have the need from time to time to renew themselves, reinvent the wheel and in the process break everything. And so it has come to pass that both Gnome and Canonical have reached that very point of critical mass, perhaps inevitably, at the same time. Alas I personally don't feel the need to participate directly in either of their brave new adventures, at least not just yet. My Gnome 2 desktop has lots of features that I've come to rely on, launching apps with Gnome-do, finding files with Gnome Activity Journal (Zeitgeist), using the "expose" feature of compiz to find that missing window .. all things that are incorporated in different ways into both new projects. Don't get me wrong the new Gnome 3.0 and Unity are splendid grand projects to admire, it's just that .. well they're new and they are big software projects and things get left out or break and I want my main desktop to "just work" because I have things to do. So I've reverted to using Debian on the desktop, after 6 years or so of Ubuntu, no great shakes, I'll return to the fold at some point, no hurry. Six months down the line and both of these new desktop environments will go through another release, rough corners will be smoothed off and community developers will have added compelling features, progress will put things right, the customisable usability I desire will return. I'll bide my time and enjoy Debian, I've set aside a partition for testing Unity or Gnome 3.0 and also I have a netbook for further experimentation, it's an exciting time for the Linux desktop.
Making use of rootkit hunter
2011-04-20
I've been using Rootkit Hunter on my servers for a while now and am aware that perhaps I don't use it to its full extent. So I took the trouble to investigate. It's a path-based rootkit detector, so it's mostly looking for file/directory names & strings that it deems as evil but it also does a bunch of other stuff. Its purpose is not to protect my servers against attack but to ring alarm bells when the attacker has got in. The alarm arrives as an e-mail and it does take a bit of tweaking to weed out the false positives.
I suppose I shouldn't be surprised, but Ubuntu's rkhunter package certainly lags some way behind version-wise. I would have thought "anti-virus"-type apps would get the full update treatment, especially as newly-detected rootkits are introduced in new versions, but hey ho, installation from upstream is a cinch.
You can get the latest rkhunter from the official site and installation is as easy as running a script. It adds such things as a man page, a logrotate script and cron jobs, which saves you a lot of work. Make sure you have the binutils and unhide packages installed (we're talking Debian-based); roll on the project to match package names across distributions.
You also may want skdet which you can build from source or easier (for me!) convert the provided rpm using alien into a deb file and just install that.
The config file is found at /etc/rkhunter.conf, although as suggested in the docs I create a local config file, rkhunter.conf.local; this makes it easier to copy the config elsewhere and to keep track of your changes. Here are a few choice morsels:
PKGMGR=DPKG
ENABLE_TESTS="all"
DISABLE_TESTS="os_specific apps trojans"
STARTUP_PATHS="/etc/init.d /etc/rc.local"
SYSLOG_CONFIG_FILE=/etc/rsyslog.conf
SCAN_MODE_DEV=THOROUGH
UNHIDE_TESTS="sys proc procfs reverse"
PKGMGR: Despite warnings in the Ubuntu-package rkhunter.conf, the DPKG option doesn't seem to lengthen the test much, so I change it from NONE because the most annoying false positives are those related to packages that you've updated the day before. However, the built-in file properties check is far more thorough in its search for file changes than the dpkg version, so this is a trade-off you might not like to make.
DISABLE_TESTS: "os_specific" is out for me because it's looking for kernel modules and none of my servers use them. The "apps" test is out because I already use cron-apt to make sure that the machine pesters me 'til I update it. The "trojans" test looks for an Apache backdoor (I use Cherokee as a web server) and also looks for inetd/xinetd, which are not installed by default and which I wouldn't dream of installing (the fewer services provided, the better!).
STARTUP_PATHS: You need to add in /etc/init.d on an Ubuntu system.
SYSLOG_CONFIG_FILE: This is rsyslog again on an Ubuntu system, not syslog.
UNHIDE_TESTS: This adds tests other than the default sys. NB. I get false positives with the brute option. Note also I don't have unhide.rb on my system because I don't want to install Ruby (KISS). The Ruby version is a rewrite of the original and is allegedly quicker and more descriptive once it finds something.
OK, that's all for now, here's hoping for only false positives!
Of browser wars and plug-ins
2011-03-16
I'm a long-term Firefox user having switched from Opera (it ran beautifully on Sparc Linux!) what feels like decades ago. At the time it was the evangelism that caused me to switch, the idea that making that choice personally could change the iniquitous state of the world (or at least a very small part of it) and between us we did it, the world changed. Now there's other interesting browsers to choose from, I do use Epiphany for a few light-weight tasks when I want a minimal GUI and occasionally I use Chrome just to check it out and coo at the new enhancements and its rapid development. Chrome is faster than Firefox, at least for me, so you'd think it was a no-brainer if it wasn't for one key thing that keeps Firefox ahead .. plugins. Mozilla calls them add-ons and I can't do without them. I'm particularly enamoured of No Script, apart from the unmatched security aspects which I hope I can judge with my reasonable understanding of the subject, it's a splendid ad-blocker as most of them use javascript or flash. It also gives me a grasp of what is actually linked to the page I am on and I like to be aware. In fact maybe too much; another add-on WorldIP shows the ISP, country and AS name of the site that I'm on and the Header Spy add-on is configured to tell me what sort of web-server it is. Does this enhance my browsing security? Not especially, I suppose I can wonder why Slashdot is suddenly hosted in Romania, but that's never happened. Is this a bit too geeky? Yes, of course but who cares? It keeps me entertained.
.. and yes I know Chrome has plugins but it doesn't have anything that goes as deep as No Script, when it does maybe then I'll switch.
First Post and Utterson
2011-03-15
Here we all are. So I've decided to implement this blog using Utterson, which is a script-based framework for formatting posts. Basically I just want something to handle pagination, RSS, permalinks etc. and I want it to produce static pages (mainly because I'm a security wonk and I don't want to worry about it). Utterson's simple only once it's set up, but for my purposes it was just a case of filling out utterson.cfg and then hacking the CSS & XHTML templates to fit in with my site's look. I've still got a little work to do, some of the author's CSS is lurking about and I think some typos are giving me malformed XHTML, but basically the job's done and my blog is "Proudly powered by Utterson" :-)