Microsoft Windows archives - Open Source Software and Linux


Apr 14 2009   1:06AM GMT

University of Utah gets hit by Conficker worm



Posted by: John Little
Conficker, university of utah, windows, Linux, unix, virus, operating system

Over 700 computers were hit by the most recent release of the Conficker worm at the University of Utah. Computers included those at the University’s three hospitals.

The worm was first detected on Thursday on some of the school’s computers. By Friday it had hit the school’s computers at the three hospitals, medical school, and colleges of nursing, pharmacy and health.

University officials don’t believe that any patient data or medical records were compromised. According to officials those are protected “in a deeper way”. That begs the question: what exactly does that mean? Is that the only data that is virus protected? Is it on Linux or Unix?

The IT staff at the school shut off internet access for up to 6 hours Friday in an effort to isolate the worm. The staff worked over the weekend to clean up the damage caused by the outbreak. Kind of gives real meaning to the saying “An ounce of prevention is worth a pound of cure”, doesn’t it?

Mindy Tueller of the university’s office of information technology said all faculty and students should take steps to make sure they are protected. The virus does not infect Macs.

Or Linux, Unix or any other OS besides Windows :-)

“It can do a lot of bad things,” Tueller said. “Every university member should be concerned about this if they’re using Windows-based devices.”

Interesting. Ms. Tueller and school officials apparently recognize that the problem is the OS but don’t seem to want to do anything about it. How much does that attitude cost the school?

-j

Apr 13 2009   12:58AM GMT

Want to sell computers to the Marine Corps?



Posted by: John Little
procurment, government, laptop, desktop, server, marine corps

The Marines are looking for a few good vendors who want to sell them computers. They will even let you help develop the procurement procedure, according to this request for information.

The Marine Corps plans on creating a contract vehicle for procuring desktops, laptops and servers. The plan will include procuring rugged and non-rugged computers in an efficient and cost-effective way. The plan is to establish a common set of hardware platforms and the method in which those systems will be procured. Sounds like whoever helps establish the procurement procedure will be selling the Marines some hardware.

Not to be left out of environmental concerns, computers must be manufactured and operate in an environmentally friendly way. Whoever sells them the computers must also provide an efficient method of returning old and broken equipment.

The Marine Corps will hold an industry day conference to discuss the contract at 9:00 a.m. on April 16. The Marine Corps Systems Command in Quantico, Va., will host the conference at the Jacobs Building, Quantico Center 1, 3850 Fettler Park Drive, Dumfries, Va.

All vendors interested in participating in the conference must notify Judy Campbell at 703-432-5096 or Theresa Minton at 703-432-5104 by 4 p.m. on April 13.

All submissions must be entered by April 30.

-j


Mar 27 2009   6:55PM GMT

And you thought Conficker was dead



Posted by: John Little
Security, Microsoft, Conficker, downadup, Linux, open source

The Conficker worm that infected millions of computers starting last October was believed to be at bay. Not so, according to Vincent Weafer, vice president of Symantec’s security response group.

Computers infected with this worm are being updated with a stronger variant. The variant is designed to sidestep security measures attempting to cut the connection between infected machines and their hacker controllers. An estimated 20 technology companies, including Microsoft, have joined together to try and counter the stronger variant.

They are attempting to stop the worm by pre-registering domains that they believe the worm will use. According to Symantec and others in the group the worm can register up to 50,000 domain names a day. The domains are used to band together the infected computers and route the worm to other computers for infection.

The new worm is also better at resisting eradication. “It’s turning off a variety of security services,” Weafer said, as well as tools often used by security companies to dig into malware.

Weafer also believes that the number of infected computers has peaked. “The number of infected machines is constantly dropping, so we’re dealing with a much smaller pool [of devices] that are potentially getting this update,” Weafer said.

There is a bright side to all of this. Linux users don’t have to worry about this. We don’t need to download Microsoft’s patch to fix our machines. What is really glaring is that, so far as I know, there are no open source companies in the group formed to protect Windows computers. Maybe they should consult with them and teach them how to write software that is not so susceptible to attacks like this.

This whole thing started because of a security vulnerability in the Microsoft OS. When are Microsoft users and companies going to wake up and realize how expensive it is to continue using this brain dead OS? FWIW my definition of brain dead is an OS that has users, administrators and anyone else who uses the machine pointing and clicking to set up the OS and not knowing what they just did. No wonder that OS gets attacked so much.

If you have a Microsoft machine that is infected, what you need is the MS08-067 security update. You’ll have to look it up yourself - I have no need for it. You can read more about this fiasco here.

I’ll stick with my Linux and Open Source software thank you very much.

-j


Mar 21 2009   11:38PM GMT

How safe is your search engine?



Posted by: John Little
Security, search engines, malware, malicious web sites, malicious code, Browsers, web browsers

Crackers are increasingly attempting to influence the behavior of search engines to get them to misdirect users to malicious sites, says security firm Marshal.

Unknowing users are asked to download an anti-malware application to protect their computers. The malware program then installs its malicious code onto the user’s computer.

Microsoft has attempted to help users with its Internet Explorer browser by using what they call a SmartScreen filter. The filter scans servers that have downloads to determine if those servers have a history of giving out malicious content. If it does, the user is warned that they may be on a malicious web site.

Crackers also add links to bad websites in blog comments. Posting links to such sites is known as blog spamming. When a user goes to one of these sites the cracker has automated tools that help gain entry into the user’s computer.

Unfortunately there is no firewall rule to prevent the foolishness of people visiting such sites. Once they are there, bad things happen. Updated browsers, proxy servers and blacklists and whitelists certainly help. Still, the best prevention is educating users about what to avoid, along with the aforementioned methods.

-j


Mar 14 2009   4:36PM GMT

SLED 11 RC 4 first glance



Posted by: John Little
sled 11, skype, suse, desktop, suse linux enterprise desktop, Sound, recording

For everyone who is looking for the next release of the SuSE Linux Enterprise Desktop, SLED 11 RC 4 is available here. While I usually prefer CentOS, my current contract is to support SLES and SLED.

It has some pleasant surprises compared to recent releases of Ubuntu and even openSuSE 11.*. Sound and sound recording work out of the box for the snd_hda_intel sound module. I’m referring here mostly to Skype users who have suffered numerous problems with the microphone and recording when using this module. I installed the Skype static application, adjusted the settings in Skype and it hasn’t failed.

This version also includes Moonshine, the Windows Media player for Linux. This makes it incredibly easy to play your WMV files for those of you who suffer people sending you files in that format to play.

What is not included are the development files for many of the applications. gcc and make are installed by default, just not the development files. Working around this is simply a matter of adding the openSuSE 11 or 11.1 repository. You should then be able to get the *-devel files that you need. Note that you might need to downgrade the base application and minor version number. I haven’t broken anything doing this though.

In summary you are probably going to like this version of SLED particularly if you are a heavy multimedia user. I know it has certainly solved a few of my problems in that area.

Have fun!

-j



Feb 18 2009   12:01AM GMT

Red Hat and Microsoft enter virtualization support agreement



Posted by: John Little
red hat, Microsoft, Virtualization, support

Red Hat and Microsoft have entered into a virtualization agreement. The agreement is designed so that Red Hat and Microsoft customers using virtualization from both companies can get support from either group.

Red Hat and Microsoft both emphasize that this agreement is not the same as the agreement that Microsoft has with Novell. That agreement covers such things as intellectual property, code indemnification and licensing.

Red Hat and Microsoft still very much remain competing platform vendors. Red Hat’s GM of virtualization Mike Neil emphasizes that “these agreements do not include any patent or other IP licensing rights.” The agreement with Novell is more of a partnership agreement where Microsoft gives its customers coupons to purchase SuSE Linux Enterprise Server from Novell.

Red Hat and Microsoft will enter into each other’s validation phases for their respective virtualization technologies. The results of these tests will be posted throughout the year on the Red Hat and Microsoft websites.

With the base of heterogeneous hosts and virtual guests I suspect this is not the only agreement like this that we will see.

-j


Feb 17 2009   10:40PM GMT

Linux security basics aka don’t do this!



Posted by: John Little
Security, Linux, red hat, centos, solaris, windows, sysctl

I mention Linux security in the title but these best practices apply to any operating system.

There are many excellent 3rd party security tools out there for you to install on your system. Prior to installing these though you should review the tools that are already on your system. There is probably already a package included with the system that will accomplish what you need.

Why not use these tools? The major Linux distributions have gone to considerable expense to test these tools and make sure that they will not break anything on your system. When you consider the many 3rd party applications that are certified for a distribution, such as Lotus Domino and JBoss, this becomes even more critical. These applications are generally installed because they are mission critical. You don’t want to install a non-certified security application only to find that it breaks or creates a security flaw in your certified mission critical application. Don’t do this.

A pet peeve of mine has always been the idea of “point and click and know not what I just did” that many administrators perform. While this seems to be more prevalent in the Windows world it exists in the *nix world as well. Generally the idea of text configuration files can overcome this but not always. Take, for example, the website securecentos.com (not affiliated with CentOS). One of the things that they want you to do is patch your kernel with a patch from http://www.grsecurity.com/. Doing something like this should raise a red flag immediately. Do you know what the patch is fixing and/or how it is making your machine more secure? If you can’t answer yes to this then don’t do it with this or any other patch except one from your vendor.

Aside from that, when your vendor releases a kernel update you are going to have to go and redo the whole process. This can quite quickly become heavy with administrative costs. If your machines are duplicated across the network, now you have to go and install this on all of them. And again when you run a kernel update. Don’t do this.

You should never download a configuration file that affects the core of your machine without knowing exactly what it does. Using the same site above, they have many configuration files that they want you to download and put into production on your machine(s). There is even a sysctl.conf file which affects many core processes of your machine and how they operate. At the time of this post comments in this file are nonexistent. This amounts to the notion of “point and click and know not what I just did” mentioned above. Don’t do this.

I don’t mean to single out securecentos.com. It just happens to be the one that I ran across today among the many out there asking administrators to do some things that they should think twice about. I’m sure that they mean well. If I got out my sysctl manual I could find out what each of those changes would do to my machine. However, I’m not going to. If they want me to use their product/advice then those changes should be clearly documented, either in the file or with a URL embedded in the file that leads to that information.

Be smart with your machines! Don’t go putting configuration files in service, clicking on buttons that affect the security or core services of your machine or installing 3rd party applications that may already have the equivalent tested on your machine without knowing exactly what other files and applications they are going to affect.

-j


Feb 12 2009   1:19AM GMT

How secure is your network? (Part 2)



Posted by: John Little
network, breach, harden, hardening, Security, secure, attack, dos

In my last post I referred to an article about the number of security breaches in networks across the U.S. This has caused economic losses of an estimated trillion dollars.

As I mentioned in that post my home network certainly doesn’t rank with those mentioned in the article but it did give me pause to consider the security of my network. In that post I outlined some things that I wanted to harden on my network as follows:
1. Disallow ssh root logins
2. Disallow su to root except for certain users
3. Disallow internal ssh logins to any machine on the network. These logins must come from the “jump” machine

An overview of my network: I have a 1U server running CentOS 5.2 using the native virtualization. All of the servers on the machine are para-virtualized and run CentOS 5.2, with the exception of the NAS frontend, which is from the Openfiler project at rPath. The guests include file, web, NAS frontend, database, DNS, DHCP and firewall machines. A NIC is imported to the firewall machine, which is directly connected to the internet. All of the machines share a common NFS mount. Service requests inbound from the internet are forwarded to the appropriate machine based on the port number.

I disallowed ssh root logins by editing the /etc/ssh/sshd_config file as shown below.

Protocol 2
SyslogFacility AUTHPRIV
# changed this to no
PermitRootLogin no
# changed this to 2
MaxAuthTries 2
PasswordAuthentication yes
# changed this to yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server

The above is the stock sshd_config file with the noted changes made.

I disallowed su to root by removing the comment on a line in /etc/pam.d/su. This file is shown below.

#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# (this is the line that was uncommented)
auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so

After making this change I added my account to the wheel group so that I could su to root as necessary. I also modified the sudoers file and added the following line so that I could use sudo and not have to su to root for short administrative tasks:

jlittle ALL=(ALL) ALL

Again all of these files are the stock CentOS files except for the changes.

I then edited the tcpwrappers files, /etc/hosts.allow and /etc/hosts.deny, so that the machines would only accept ssh connections from the “jump” machine in the internal network.
hosts.allow:

sshd: 172.16.0.201

hosts.deny:

ALL: ALL

If you want to check to see if a binary is tcpwrappers aware such as sshd use the following command:

[root@fw0 ~]# ldd `which sshd` | grep libwrap
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00ddf000)
[root@fw0 ~]#

Substitute the binary that you want to check for sshd.

To speed the changes along I copied all of the modified files to the shared NFS mount. I then created a script to replace the existing files, add my username to all of the machines and enter my ssh public key into ~/.ssh/authorized_keys. All I had to do at this point was login to each machine and run the script to make the changes. The script follows. Make sure that you adjust it to fit your needs if you want to use it.

#!/bin/sh
# Replace the stock files with the hardened copies staged on the shared NFS mount.
cp -af /srv/secure/hosts.* /etc
cp -af /srv/secure/dist.su /etc/pam.d/su
cp -af /srv/secure/sshd_config.root /etc/ssh/sshd_config
cp -af /srv/secure/sudoers.jlittle /etc/sudoers
# Create the admin account, add it to wheel (required for su after the pam_wheel
# change) and set its password interactively.
useradd jlittle
usermod -a -G wheel jlittle
passwd jlittle
# Install the public key.
[ -d /home/jlittle/.ssh ] || mkdir /home/jlittle/.ssh
cat /srv/secure/id_rsa.pub.jlittle >> /home/jlittle/.ssh/authorized_keys
# sshd needs the directory to be 700 and the key file 600; a recursive 600 would
# strip the execute bit from the directory and sshd could not read the key.
chmod 700 /home/jlittle/.ssh
chmod 600 /home/jlittle/.ssh/authorized_keys
chown -R jlittle:jlittle /home/jlittle/.ssh
service sshd restart

There you have it. An hour or two of work and I have hardened my network a little more. This coupled with strong passwords goes a long way in securing your network from inside and outside attacks.
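As an added check that is not part of the original post, here is a small POSIX sh audit that confirms the changes above actually took effect on a host: PermitRootLogin and MaxAuthTries in sshd_config (reading the first uncommented value, as sshd does), the active pam_wheel line in /etc/pam.d/su, the two tcpwrappers rules, and the ~/.ssh permissions sshd insists on. The function names are my own, and it runs against constructed sample files under a temp directory so it can be tried offline; point the functions at the real paths on a hardened machine.

```shell
#!/bin/sh
# Added audit helper, not from the original post: verifies that the hardening
# changes described above are present. Each check returns 0 (hardened) or 1.

# First global value of a "Keyword value" sshd_config line. sshd keeps the first
# value it reads and we stop at a Match block, so a stray later line is ignored.
sshd_value() {  # sshd_value FILE KEYWORD
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) && !seen { print $2; seen = 1 }' "$1"
}

audit_sshd_config() {  # root logins off (an unset value means the old default, yes)
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] || return 1
    tries=$(sshd_value "$1" MaxAuthTries)
    [ -n "$tries" ] && [ "$tries" -le 3 ]
}

audit_pam_su() {  # pam_wheel must be an active "required" line, and not "trust"ed
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so([[:space:]]+[^#]*)?$' "$1" || return 1
    ! grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so.*trust' "$1"
}

audit_tcpwrappers() {  # audit_tcpwrappers HOSTS_ALLOW HOSTS_DENY JUMP_IP
    jump=$(printf '%s' "$3" | sed 's/\./\\./g')
    grep -Eq '^[[:space:]]*sshd[[:space:]]*:[[:space:]]*'"$jump"'([[:space:]]|,|$)' "$1" || return 1
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)' "$2"
}

audit_ssh_dir() {  # ~/.ssh must be 700 and authorized_keys 600 (ls output is portable)
    [ "$(ls -ld "$1" | cut -c2-10)" = "rwx------" ] || return 1
    [ "$(ls -l "$1/authorized_keys" | cut -c2-10)" = "rw-------" ]
}

report() {  # report NAME CHECK ARGS...: print a one-line verdict, always succeeds
    name=$1; shift
    if "$@"; then echo "PASS $name"; else echo "FAIL $name"; fi
}

# --- constructed sample files (stand-ins for the real /etc files) ---
WORK=$(mktemp -d); trap 'chmod 700 "$WORK/dotssh_bad"; rm -rf "$WORK"' EXIT
printf 'Protocol 2\nPermitRootLogin no\nMaxAuthTries 2\n' > "$WORK/sshd_config.hardened"
printf 'Protocol 2\n#PermitRootLogin yes\nMaxAuthTries 6\n' > "$WORK/sshd_config.stock"
printf 'auth required pam_wheel.so use_uid\nauth include system-auth\n' > "$WORK/su.hardened"
printf '#auth required pam_wheel.so use_uid\nauth include system-auth\n' > "$WORK/su.stock"
printf 'sshd: 172.16.0.201\n' > "$WORK/hosts.allow"
printf 'ALL: ALL\n' > "$WORK/hosts.deny"
mkdir "$WORK/dotssh" "$WORK/dotssh_bad"
: > "$WORK/dotssh/authorized_keys"; : > "$WORK/dotssh_bad/authorized_keys"
chmod 700 "$WORK/dotssh"; chmod 600 "$WORK/dotssh/authorized_keys"
chmod 600 "$WORK/dotssh_bad/authorized_keys" "$WORK/dotssh_bad"   # the "chmod -R 600" mistake

report "hardened sshd_config" audit_sshd_config "$WORK/sshd_config.hardened"
report "stock sshd_config"    audit_sshd_config "$WORK/sshd_config.stock"
report "hardened pam su"      audit_pam_su "$WORK/su.hardened"
report "stock pam su"         audit_pam_su "$WORK/su.stock"
report "tcpwrappers"          audit_tcpwrappers "$WORK/hosts.allow" "$WORK/hosts.deny" 172.16.0.201
report "~/.ssh perms"         audit_ssh_dir "$WORK/dotssh"
report "~/.ssh chmod -R 600"  audit_ssh_dir "$WORK/dotssh_bad"
```

Run it as root on the real files by passing /etc/ssh/sshd_config, /etc/pam.d/su, /etc/hosts.allow, /etc/hosts.deny and the user's ~/.ssh; any FAIL line is a change that did not land.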

-j


Jan 25 2009   1:22AM GMT

Using the Korn Shell with Linux



Posted by: John Little
korn shell, bash, Linux, unix, scripting

My current consulting gig requires that I use the Korn Shell and modify Unix scripts so that they will work with Linux. While the Korn Shell has many characteristics comparable to bash, there are some distinct differences, or at least ones that I’ve never seen in bash.

The first difference that I noticed is tab completion. For example let’s say that I issue the command

ls /home/jlittle

and hit the tab key to see the files and directories. The output that you see will be in this format

ls /home/jlittle/
1) CentOS-5.2-x86_64-bin-DVD/
2) Desktop/
3) Documents/
4) Video call snapshot 8.png
5) bin/
6) ffmpeg.cfg

At this point you can either choose a number and hit the tab key or type in the first couple of letters of what you want to see or do. The complete output when using the number would look like this

ls /home/jlittle/<tab>
1) CentOS-5.2-x86_64-bin-DVD/
2) Desktop/
3) Documents/
4) Video call snapshot 8.png
5) bin/
6) ffmpeg.cfg
ls /home/jlittle/Desktop/<2tab>
Project-timeSheet.ods Skype.desktop

Typing 2 and then tab makes the tab completion give us the listing of /home/jlittle/Desktop/. Kind of a cool way of doing tab completion, don’t you think?

You should also not use the “test” built-in that is available in bash. In bash the test built-in is the same as the “[” built-in. In other words don’t use

if test $# -gt 0; then

instead use:

if [ $# -gt 0 ]; then

The korn shell also prefers the use of double brackets syntax “[[ ]]” instead of single brackets. This adds additional operators such as && and ||:

if [[ $# -gt 0 && $? -eq 0 ]]; then

You can use && and || to construct shorthand for an “if” statement in the case where the if statement has a single consequent line:

[ $# -eq 0 ] && exit 0

The Korn Shell is a powerful tool that can make your job easier. Since its creation several features have been added while maintaining backwards compatibility with the Bourne shell. The Korn shell can also be used as a programming language, which gives it a distinct advantage over typical Unix and Linux shells.

Give ksh a whirl. I haven’t even scratched the surface of what the Korn shell can do for your scripting. If you are used to scripting with Bash then learning the Korn shell should only have a mild learning curve while presenting you with additional scripting power and speed.

-j


Jan 24 2009   7:42PM GMT

Skype and OpenSuSE 11.1..



Posted by: John Little
skype, opensuse 11.1, Sound, mic, microphone, pulseaudio, libpulse0, alsa

As I’ve alluded to in previous posts Skype, OpenSuSE 11.1 64 bit and sound capture (the microphone) have not been playing nice with each other on OpenSuSE 11.1. Sound generally worked but if you wanted to talk, well, good luck with that.

I think maybe I’ve found a solution though. There are some things to keep in mind here. The first is that Skype is a 32-bit program, OpenSuSE uses pulseaudio, and I am using a 64-bit system on an HP laptop nx6325 that uses the ATI Technologies Inc IXP SB4x0 High Definition Audio Controller. The module the sound card uses is snd_hda_intel. If you are using that module then this should work for you, but ymmv.

Go ahead and install Skype. Open up the Install Software module in the OpenSuSE menu and under Installed Programs type pulseaudio. Uninstall all of it except for libpulse0. That will leave you the pulseaudio client interface for any 64 bit programs which have pulseaudio as a dependency. MPlayer comes to mind here. Conversely it may break 32 bit programs that have pulseaudio as a dependency.

Now reboot your machine. Open up the Sound module in the Yast Control Center. Adjust your sound settings so that the top 3 are Autodetect. The fourth one should read HDA ATI SB AD198x Analog (ALSA) and the last one HDA ATI SB (Alsa Mixer).

Now open Skype and try a test call. You may have to play around with your Skype settings. Mine are all set to default. If your machine becomes unresponsive, hard boot it and it should be ok on the next boot. Strange, I know, but it happened to me. Shades of Windows :-(

With any kind of luck you should be able to use your microphone. I use the built-in microphone on my laptop. If everything seems to be working properly but you’re not getting playback on your external mic, open up the volume control from the speaker in your task bar and make sure that you have the external mic enabled.

Good luck!

-j