Linux archives - Open Source Software and Linux


Apr 14 2009   1:06AM GMT

University of Utah gets hit by conficker worm



Posted by: John Little
Conficker, university of utah, windows, Linux, unix, virus, operating system

Over 700 computers were hit by the most recent release of the conficker worm at the University of Utah. Computers included those at the University’s three hospitals.

The worm was first detected on Thursday on some of the school’s computers. By Friday it had hit the school’s computers at the three hospitals, medical school, and colleges of nursing, pharmacy and health.

University officials don’t believe that any patient data or medical records were compromised. According to officials those are protected “in a deeper way”. That raises the question: what exactly does that mean? Is that the only data that is protected against the virus? Is it on Linux or Unix?

The IT staff at the school shut off internet access for up to 6 hours Friday in an effort to isolate the worm. The staff worked over the weekend to clean up the damage caused by the outbreak. Kind of gives real meaning to the saying “An ounce of prevention is worth a pound of cure”, doesn’t it?

Mindy Tueller of the university’s office of information technology said all faculty and students should take steps to make sure they are protected. The virus does not infect Macs.

Or Linux, Unix or any other OS besides Windows :-)

“It can do a lot of bad things,” Tueller said. “Every university member should be concerned about this if they’re using Windows-based devices.”

Interesting. Ms. Tueller and school officials apparently recognize that the problem is the OS but apparently don’t want to do anything about it. How much does that attitude cost the school?

-j

Apr 7 2009   12:23AM GMT

Does the Operating System really matter?



Posted by: John Little
windows 7, Linux, open source, applications, operating system

After reading this article I started asking myself if the Operating System really does matter for most users. I finally reached the conclusion that it does. Here’s why.

For my own vote I asked myself if I would switch from Linux to Windows or Mac. After giving this some thought I decided that I would not switch.

First of all I am a firm believer in voting with my wallet. Now while I might be tempted to buy a Mac, no such temptation exists with Windows. Quite simply I just do not like Microsoft as a company. Hence I have no desire to use any of their products, let alone the way too expensive Windows operating system. I really, really don’t like having to purchase the associated software that runs on Windows, which I have to buy to get the operating system to do what I want.

I like having the ability to choose which distribution of Linux and the associated open source applications that I like and downloading them via yum, zypper, Yast or what have you. I have a choice without spending a dime. Free as in freedom to choose and free as in beer. I have a choice to support the software that I use, financially or helping in some way with the project. No such choice exists with either Mac or Windows.

The article points out that most users are only concerned with web browsing, writing and generally getting their work done. From purely a corporate standpoint I agree. However I think most users today expect more out of their computers at home.

I believe multimedia is a big one. Whether it’s creating video, listening to mp3s or editing pictures, most people at some point are going to do at least one of the three.

Another point that I agree with in the article is that Windows 7 is not much more than a face lift. Users are told that it will be better than Vista and so they believe that it will. That belief alone will make it better whether or not it really is. (What administrator among us hasn’t faced this dilemma with users who thought something was “slow” and so it was slow - regardless of whether or not it was?)

The big question is this: if what they say is true, that all users want to do is browse the web, write documents and generally get their work done, why are they not demanding a lower cost from Microsoft or, better yet, demanding Linux from the hardware vendors or downloading and installing it themselves?

I think the operating system does matter on some level to just about everyone. Sure there are users out there that only use email, browse the web and write documents without giving any more thought to the operating system. I don’t however think that they are in the majority.

-j


Mar 27 2009   6:55PM GMT

And you thought conficker was dead



Posted by: John Little
Security, Microsoft, Conficker, downadup, Linux, open source

The conficker worm that infected millions of computers starting last October was believed to be at bay. Not so according to Vincent Weafer, vice president of Symantec’s security response group.

Computers infected with this worm are being updated with a stronger variant. The variant is designed to sidestep security measures attempting to cut the connection between infected machines and its hacker controllers. An estimated 20 technology companies, including Microsoft, have joined together to try to counter the stronger variant.

They are attempting to stop the worm by pre-registering domains that they believe the worm will use. According to Symantec and others in the group the worm can register up to 50,000 domain names a day. The domains are used to band together the infected computers and route the worm to other computers for infection.

The new worm is also better at resisting eradication. “It’s turning off a variety of security services,” Weafer said, as well as tools often used by security companies to dig into malware.

Weafer also believes that the number of infected computers has peaked. “The number of infected machines is constantly dropping, so we’re dealing with a much smaller pool [of devices] that are potentially getting this update,” Weafer said.

There is a bright side to all of this. Linux users don’t have to worry about this. We don’t need to download Microsoft’s patch to fix our machines. What is really glaring is that so far as I know there are no open source companies that have joined the group to protect the Windows computers. Maybe they should consult with them and teach them how to write software that is not so susceptible to attacks like this.

This whole thing started because of a security vulnerability in the Microsoft OS. When are Microsoft users and companies going to wake up and realize how expensive it is to continue using this brain dead OS? FWIW my definition of brain dead is an OS that has users, administrators and anyone else who uses the machine pointing and clicking to set up the OS and not knowing what they just did. No wonder that OS gets attacked so much.

If you have a Microsoft machine that is infected what you need is the MS08-067 security update. You’ll have to look it up yourself - I have no need for it. You can read more about this fiasco here.

I’ll stick with my Linux and Open Source software thank you very much.

-j


Mar 26 2009   12:18AM GMT

Protect your ssh server with DenyHosts



Posted by: John Little
ssh, SSHD, secure, Security, denyhosts

If you have an SSH server that is accessible from the internet then you should look at the DenyHosts application to protect your servers and networks.

DenyHosts protects your servers by parsing your ssh log for failed ssh login attempts. The log where this is recorded varies by distribution: on Red Hat it is /var/log/secure and on Mandrake it is /var/log/auth.log. You should have one of these log files on your system.

DenyHosts works by monitoring these logs for failed ssh login attempts. It also tracks which user accounts are targeted. When it finds repeated failures from the same IP address it inserts that address into your /etc/hosts.deny file, effectively blocking the offending crackers.

Like any security measure this one can be shored up by implementing complementary measures. These would include disallowing root logins, using a port number other than 22 and disabling password logins. All of these can be set in your /etc/ssh/sshd_config file. Your ssh daemon must be restarted after making these changes.
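The following is an added example, not DenyHosts’ own code, that shows the mechanism just described: parse sshd “Failed password” lines as they appear in /var/log/secure or /var/log/auth.log, count failures and targeted accounts per source address, and emit the lines that would go into /etc/hosts.deny. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format sshd writes to /var/log/secure
# (Red Hat) or /var/log/auth.log (Mandrake/Debian); hosts are made up.
SAMPLE_LOG = """\
Mar 25 23:10:01 mail sshd[4120]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 25 23:10:04 mail sshd[4120]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar 25 23:10:09 mail sshd[4122]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar 25 23:10:12 mail sshd[4125]: Failed password for invalid user oracle from 203.0.113.7 port 51131 ssh2
Mar 25 23:11:40 mail sshd[4130]: Failed password for jlittle from 192.0.2.44 port 40022 ssh2
Mar 25 23:11:55 mail sshd[4131]: Accepted publickey for jlittle from 192.0.2.44 port 40023 ssh2
Mar 25 23:12:00 mail sshd[4135]: Failed password for invalid user test from 198.51.100.9 port 3020 ssh2
Mar 25 23:12:03 mail sshd[4135]: Failed password for invalid user test from 198.51.100.9 port 3021 ssh2
Mar 25 23:12:05 mail sshd[4135]: Failed password for invalid user test from 198.51.100.9 port 3022 ssh2
"""

# sshd marks attempts against non-existent accounts with "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return (failures per IP, accounts targeted per IP, invalid-user failures per IP)."""
    per_ip = Counter()
    accounts = defaultdict(set)
    invalid = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip = m.group("ip")
        per_ip[ip] += 1
        accounts[ip].add(m.group("user"))
        if m.group("invalid"):
            invalid[ip] += 1
    return per_ip, accounts, invalid


def hosts_deny_entries(log_text, threshold=3, invalid_threshold=2):
    """Addresses to block, as hosts.deny lines ("daemon: client").

    The thresholds are this example's assumptions, not DenyHosts' defaults:
    block at `threshold` total failures, or sooner at `invalid_threshold`
    failures against accounts that do not exist, since a legitimate user
    rarely mistypes a username repeatedly.
    """
    per_ip, _accounts, invalid = parse_failures(log_text)
    blocked = sorted(ip for ip in per_ip
                     if per_ip[ip] >= threshold or invalid[ip] >= invalid_threshold)
    return [f"sshd: {ip}" for ip in blocked]


if __name__ == "__main__":
    counts, targets, _ = parse_failures(SAMPLE_LOG)
    for ip in counts:
        print(f"{ip}: {counts[ip]} failures against {sorted(targets[ip])}")
    print("\n".join(hosts_deny_entries(SAMPLE_LOG)))
```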

You can download DenyHosts here.
-j


Mar 15 2009   1:53PM GMT

Maybe you shouldn’t use the ext4 file system



Posted by: John Little
ext4, linux file system, ext3, data loss

Users of Kubuntu recently suffered data loss while using the new ext4 file system. It happens when there is a power loss or a system failure. Note that this is not specific to Kubuntu; the Kubuntu users were just the first to try out the new file system.

I’m not talking about data that you’ve just written to a document or application. These failures leave behind 0 byte files for any file an application was writing to. That is to say that your data is completely gone, not just the unsaved part.

Developer of the ext4 file system, Ted Ts’o, has joined into discussions to explain what is going wrong. He has this to say: “The short answer is (a) yes, I’m aware of it, (b) there is a (partial) solution, (c) it’s not yet in mainline, and as far as I know, not in an Ubuntu Kernel, but it is queued for integration at the next merge window, after 2.6.29 releases, and (d) this is really more of an application design problem more than anything else.”

The problem is a write commit issue. The ext3 file system committed writes within 5 seconds. In an effort to enhance security and speed Ts’o increased the data commit to 60 seconds on the ext4 file system.

As for the application design comment, he apparently is asking developers to redesign their applications to deal with the 60 second delay. While this may happen over time it is certainly not going to be something that happens in the immediate future.

My advice is to leave the ext4 file system alone until it becomes mainstream and matures. There is obviously quite a bit of work still to be done before it is production ready for servers or workstations.

-j


Mar 14 2009   4:36PM GMT

SLED 11 RC 4 first glance



Posted by: John Little
sled 11, skype, suse, desktop, suse linux enterprise desktop, Sound, recording

For everyone who is looking for the next release of the SuSE Linux Enterprise Desktop, SLED 11 RC 4 is available here. While I usually prefer CentOS my current contract is to support SLES and SLED.

It has some pleasant surprises compared to recent releases of Ubuntu and even openSuSE 11.*. Sound and sound recording work out of the box for the snd_hda_intel sound module. I’m referring here mostly to Skype users who have suffered numerous problems with the microphone and recording when using this module. I installed the Skype static application, adjusted the settings in Skype and it hasn’t failed.

This version also includes Moonshine, the Windows Media player for Linux. This makes it incredibly easy to play your WMV files, for those of you who suffer from people sending you files in that format.

What is not included are the development files for many of the applications. gcc and make are installed by default just not the development files. Working around this is simply a matter of adding the openSuSE 11 or 11.1 repository. You should then be able to get the *-devel files that you need. Note that you might need to downgrade the base application and minor version number. I haven’t broken anything doing this though.

In summary you are probably going to like this version of SLED particularly if you are a heavy multimedia user. I know it has certainly solved a few of my problems in that area.

Have fun!

-j



Feb 19 2009   7:01PM GMT

Using SSL and a password to connect Sendmail to your ISP



Posted by: John Little
sendmail, ssl, isp, password, sasl, starttls, openssl, centos

Many ISPs are requiring SSL and a password to connect and send mail. This how to shows how to set up your sendmail server to use SSL with a password for connecting and sending mail through your ISP.

I set this up on a CentOS 5.2 virtual machine. You should have the following packages installed:
sendmail
sendmail-cf
cyrus-sasl
cyrus-sasl-lib
cyrus-sasl-plain
openssl

First let’s generate our self signed certificate. Be sure and use the FQDN of your server for the machine name.

cd /etc/pki/tls/certs
make sendmail.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > test.pem ; \
echo "" >> test.pem ; \
cat $PEM2 >> test.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
........++++++
.............................++++++
writing new private key to '/tmp/openssl.wc3819'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:AZ
Locality Name (eg, city) [Newbury]:Tempe
Organization Name (eg, company) [My Company Ltd]:Self
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:mail.home.local
Email Address []:myself@yahoo.com

Next we need to make some edits to the sendmail.mc file. cd to /etc/mail and open the file with your favourite editor. The following lines should be edited or added to match your configuration and/or connection information to your ISP. Note that dnl at the front of a line indicates a comment; it should be removed from the beginning of any line that is edited.

define(`SMART_HOST', `smtp.att.yahoo.com')dnl <==put your ISP's smtp server here

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl <==uncomment the next two lines and add the third line
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl

define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl <==uncomment these 4 lines
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl <==Remove the loopback address from this line

DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl <==uncomment this line

Now we need to set up the login information for your ISP’s smtp server. In the /etc/mail directory perform the following:

mkdir auth
chmod 700 auth
cd auth
vi client-info

Add the following line to the client-info file:

AuthInfo:your.isp.net "U:root" "I:user" "P:password"

Replace user with your ISP username and password with your smtp password. Save and close the file and perform the following:

makemap hash client-info < client-info
chmod 600 client-info*
cd ..

Now issue the following command so that everything is compiled as sendmail likes it:

make -C /etc/mail

Last, edit the following file and make sure that it contains the following two lines:

vi /usr/lib/sasl2/Sendmail.conf
pwcheck_method:saslauthd <==make sure that these two lines are in the file
mech_list: plain login

If you are using tcpwrappers as I have suggested in the past add the following line to hosts.allow. Change the ip configuration to match your setup:

vi /etc/hosts.allow
sendmail: 172.16.

Now it’s time to test. Make sure that the correct services are running:

/etc/init.d/sendmail start
/etc/init.d/saslauthd start

After starting, check the log at /var/log/maillog. If you find any errors that contain `starttls' then either something is wrong with the sendmail.pem file that you created or the saslauthd daemon is not started. I had a situation once where something happened to the sendmail.pem file and recreating it solved the problem. Beyond that check your firewall, the syntax in sendmail.mc, and the hosts.allow and hosts.deny files.

Once everything is started cleanly open up your mail client. I used evolution for testing. Edit the preferences and use the settings for your sendmail server. For mine I used the IP address of the sendmail server, check “Server requires authentication”, set “Use secure connection” to SSL encryption and entered the user name that I use to login to the sendmail server. Note that this is not your ISP username.

Now you should be able to send a test message out through the internet and receive it back through your ISP’s pop server.
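Because client-info holds the ISP password in clear text, the chmod steps above are the part of this setup most worth re-checking later. The following is an added example, not part of the original post, that audits the modes the how-to sets (auth 700, client-info and the client-info.db written by makemap 600) and parses the AuthInfo line; the directory it builds for the demo and the credentials in it are constructed.

```python
import os
import re
import stat
import tempfile

# Modes from the how-to: "chmod 700 auth" and "chmod 600 client-info*".
EXPECTED = {"auth": 0o700, "client-info": 0o600, "client-info.db": 0o600}

# AuthInfo:<host> "U:..." "I:..." "P:..." as written in client-info.
AUTHINFO_RE = re.compile(r'^AuthInfo:(?P<host>\S+)\s+(?P<fields>(?:"[A-Z]:[^"]*"\s*)+)$')


def parse_authinfo(line):
    """Split one AuthInfo line into its host and its single-letter fields."""
    m = AUTHINFO_RE.match(line.strip())
    if not m:
        return None
    fields = dict(re.findall(r'"([A-Z]):([^"]*)"', m.group("fields")))
    return {"host": m.group("host"), **fields}


def audit_auth_dir(mail_dir):
    """Return a list of problems found under <mail_dir>/auth (empty if clean)."""
    problems = []
    auth_dir = os.path.join(mail_dir, "auth")
    for name, want in EXPECTED.items():
        path = auth_dir if name == "auth" else os.path.join(auth_dir, name)
        if not os.path.exists(path):
            problems.append(f"{path}: missing")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode != want:
            problems.append(f"{path}: mode {mode:04o}, expected {want:04o}")
    info_path = os.path.join(auth_dir, "client-info")
    if os.path.exists(info_path):
        with open(info_path) as f:
            for line in f:
                entry = parse_authinfo(line)
                if entry is None and line.strip():
                    problems.append(f"{info_path}: unparsable line {line.strip()!r}")
                elif entry and not entry.get("P"):
                    # Without P: the relay will fail to authenticate to the ISP.
                    problems.append(f"{info_path}: no password for {entry['host']}")
    return problems


def demo():
    """Build a constructed /etc/mail lookalike with one deliberately wrong mode."""
    root = tempfile.mkdtemp()
    auth = os.path.join(root, "auth")
    os.mkdir(auth)
    os.chmod(auth, 0o700)
    info = os.path.join(auth, "client-info")
    with open(info, "w") as f:
        f.write('AuthInfo:smtp.example.net "U:root" "I:user" "P:password"\n')
    os.chmod(info, 0o644)  # wrong: the ISP password is now world-readable
    db = os.path.join(auth, "client-info.db")
    open(db, "w").close()
    os.chmod(db, 0o600)
    return audit_auth_dir(root)


if __name__ == "__main__":
    print("\n".join(demo()) or "auth directory looks clean")
```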

Enjoy!

-j


Feb 18 2009   12:01AM GMT

Red Hat and Microsoft enter virtualization support agreement



Posted by: John Little
red hat, Microsoft, Virtualization, support

Red Hat and Microsoft have entered into a virtualization agreement. The agreement is designed so that Red Hat and Microsoft customers using virtualization from both companies can get support from either group.

Red Hat and Microsoft both emphasize that this agreement is not the same as the agreement that Microsoft has with Novell. That agreement covers such things as intellectual property, code indemnification and licensing.

Red Hat and Microsoft still very much remain competing platform vendors. Red Hat’s GM of virtualization Mike Neil emphasizes that “these agreements do not include any patent or other IP licensing rights.” The agreement with Novell is more of a partnership agreement where Microsoft gives its customers coupons to purchase SuSE Linux Enterprise Server from Novell.

Red Hat and Microsoft will enter into each other’s validation phases for their respective virtualization technologies. The results of these tests will be posted throughout the year on the Red Hat and Microsoft websites.

With the base of heterogeneous hosts and virtual guests I suspect this is not the only agreement like this that we will see.

-j


Feb 17 2009   10:40PM GMT

Linux security basics aka don’t do this!



Posted by: John Little
Security, Linux, red hat, centos, solaris, windows, sysctl

I mention Linux security in the title but these best practices apply to any operating system.

There are many excellent 3rd party security tools out there for you to install on your system. Prior to installing these though you should review the tools that are already on your system. There is probably already a package included with the system that will accomplish what you need.

Why not use these tools? The major Linux distributions have gone to considerable expense to test these tools and make sure that they will not break anything on your system. When you consider the many 3rd party applications that are certified for a distribution such as Lotus Domino and JBoss this becomes even more critical. These applications are generally installed because they are mission critical. You don’t want to install a non certified security application only to find that it breaks or creates a security flaw in your certified mission critical application. Don’t do this.

A pet peeve of mine has always been the idea of “point and click and know not what I just did” that many administrators perform. While this seems to be more prevalent in the Windows world it exists in the *nix world as well. Generally the idea of text configuration files can overcome this but not always. Take, for example, the website securecentos.com (not affiliated with CentOS). One of the things that they want you to do is patch your kernel with a patch from http://www.grsecurity.com/. Doing something like this should raise a red flag immediately. Do you know what the patch is fixing and/or how it is making your machine more secure? If you can’t answer yes to this then don’t do it with this or any other patch except one from your vendor.

Aside from that when your vendor releases a kernel update you are going to have to go and redo the whole process again. This can quite quickly become heavy with administrative costs. If your machines are duplicated across the network now you have to go and install this on all of them. And again when you run a kernel update. Don’t do this.

You should never download a configuration file that affects the core of your machine without knowing exactly what it does. Using the same site above, they have many configuration files that they want you to download and put into production on your machine(s). There is even a sysctl.conf file which affects many core processes of your machine and how they operate. At the time of this post comments in this file are nonexistent. This amounts to the notion of “point and click and know not what I just did” mentioned above. Don’t do this.

I don’t mean to single out securecentos.com. It just happens to be the one that I ran across today among the many out there asking administrators to do some things that they should think twice about. I’m sure that they mean well. If I got out my sysctl manual I could find out what each of those changes would do to my machine. However, I’m not going to. If they want me to use their product/advice then those changes should be clearly documented, either in the file or with a URL embedded in the file that leads to that information.

Be smart with your machines! Don’t go putting configuration files in service, clicking on buttons that affect the security or core services of your machine or installing 3rd party applications that may already have the equivalent tested on your machine without knowing exactly what other files and applications they are going to affect.

-j


Feb 17 2009   9:27PM GMT

CentOS prepares to release 5.3



Posted by: John Little
red hat, 5.3, centos, encrypting, virtualization

Following their mandate to be binary compatible with Red Hat, CentOS is preparing to release version 5.3.

Red Hat released version 5.3 on January 21st of this year. The CentOS developers generally follow with a CentOS release about 3-5 weeks after Red Hat. This should put the release as generally available around March 1st.

We can expect to see some very nice feature enhancements in this release. NetworkManager and wpa_supplicant have a whole host of updates listed. This means improved wireless security and better driver support. For those of us using Broadcom wireless drivers, the b43 driver from linuxwireless.org has been backported. Following the links on that page should lead you to the proper firmware as well.

The new ext4 filesystem is also included in the new release. Laptop users like myself will be glad to know that anaconda now supports encrypted block devices during installation. Red Hat continues their commitment to Xen and has released many updates for virtualization, including support for up to 126 CPUs in the x86_64 Xen-based hypervisor (up to 32 CPUs per virtual server) and support for up to 1TB memory per host on x86_64 (up to 80GB per virtual server).

Other enhancements include 802.1q VLAN tagging support for kickstart, iSCSI installation and boot support, ability to install Xen and KVM guests and for fibre channel users Emulex FCoE HBA support through the lpfc driver and QLogic FCoE HBA support through qla2xxx driver. See a full list of new features here.

With all of these new enhancements desktop users and server administrators are sure to be pleased.

-j