Open Source Software and Linux:

windows

Apr 14 2009   1:06AM GMT

University of Utah gets hit by Conficker worm



Posted by: John Little
Conficker, university of utah, windows, Linux, unix, virus, operating system

Over 700 computers were hit by the most recent release of the Conficker worm at the University of Utah. Computers included those at the University’s three hospitals.

The worm was first detected on Thursday on some of the school’s computers. By Friday it had hit the school’s computers at the three hospitals, medical school, and colleges of nursing, pharmacy and health.

University officials don’t believe that any patient data or medical records were compromised. According to officials, those are protected “in a deeper way”. That begs the question: what exactly does that mean? Is that the only data that is virus protected? Is it on Linux or Unix?

The IT staff at the school shut off internet access for up to 6 hours Friday in an effort to isolate the worm. The staff worked over the weekend to clean up the damage caused by the outbreak. Kind of gives real meaning to the saying “An ounce of prevention is worth a pound of cure”, doesn’t it?

Mindy Tueller of the university’s office of information technology said all faculty and students should take steps to make sure they are protected. The virus does not infect Macs.

Or Linux, Unix or any other OS besides Windows :-)

“It can do a lot of bad things,” Tueller said. “Every university member should be concerned about this if they’re using Windows-based devices.”

Interesting. Ms. Tueller and school officials apparently recognize that the problem is the OS but apparently don’t want to do anything about it. How much does that attitude cost the school?

-j

Feb 17 2009   10:40PM GMT

Linux security basics aka don’t do this!



Posted by: John Little
Security, Linux, red hat, centos, solaris, windows, sysctl

I mention Linux security in the title but these best practices apply to any operating system.

There are many excellent 3rd party security tools out there for you to install on your system. Prior to installing these though you should review the tools that are already on your system. There is probably already a package included with the system that will accomplish what you need.

Why not use these tools? The major Linux distributions have gone to considerable expense to test these tools and make sure that they will not break anything on your system. When you consider the many 3rd party applications that are certified for a distribution, such as Lotus Domino and JBoss, this becomes even more critical. These applications are generally installed because they are mission critical. You don’t want to install a non-certified security application only to find that it breaks or creates a security flaw in your certified mission critical application. Don’t do this.

A pet peeve of mine has always been the idea of “point and click and know not what I just did” that many administrators perform. While this seems to be more prevalent in the Windows world it exists in the *nix world as well. Generally the idea of text configuration files can overcome this but not always. Take, for example, the website securecentos.com (not affiliated with CentOS). One of the things that they want you to do is patch your kernel with a patch from http://www.grsecurity.com/. Doing something like this should raise a red flag immediately. Do you know what the patch is fixing and/or how it is making your machine more secure? If you can’t answer yes to this then don’t do it with this or any other patch except one from your vendor.

Aside from that when your vendor releases a kernel update you are going to have to go and redo the whole process again. This can quite quickly become heavy with administrative costs. If your machines are duplicated across the network now you have to go and install this on all of them. And again when you run a kernel update. Don’t do this.

You should never download a configuration file that affects the core of your machine without knowing exactly what it does. The same site mentioned above has many configuration files that they want you to download and put into production on your machine(s). There is even a sysctl.conf file, which affects many core processes of your machine and how they operate. At the time of this post, comments in this file are nonexistent. This amounts to the notion of “point and click and know not what I just did” mentioned above. Don’t do this.

I don’t mean to single out securecentos.com. It just happens to be the one that I ran across today among the many out there asking administrators to do some things that they should think twice about. I’m sure that they mean well. If I got out my sysctl manual I could find out what each of those changes would do to my machine. However, I’m not going to. If they want me to use their product/advice then those changes should be clearly documented, either in the file or with a URL embedded in the file that leads to that information.

Be smart with your machines! Don’t go putting configuration files in service, clicking on buttons that affect the security or core services of your machine or installing 3rd party applications that may already have the equivalent tested on your machine without knowing exactly what other files and applications they are going to affect.
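
One way to do the review this post asks for before installing someone else's sysctl.conf, as an added example (not code from the post or from securecentos.com): it compares each proposed setting with the value the running kernel already has and notes whether the file explains the setting with a comment on the line above. The function names, the optional directory argument and the sample file and values are constructed for illustration.

```shell
#!/bin/sh
# Added example: review a third-party sysctl.conf before installing it.
# Usage: review_sysctl_conf CANDIDATE [PROC_SYS_DIR]
# PROC_SYS_DIR defaults to /proc/sys; it is a parameter so the function
# can be run against a constructed directory tree.

# Collapse runs of whitespace and trim both ends, so "1<TAB>2" equals "1 2".
normalize() {
    printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

review_sysctl_conf() {
    candidate=$1
    proc_sys=${2:-/proc/sys}
    documented=no                 # was the previous line a comment?

    while IFS= read -r line || [ -n "$line" ]; do
        trimmed=$(normalize "$line")
        case $trimmed in
            '')        documented=no;  continue ;;  # blank line: comment no longer applies
            '#'*|';'*) documented=yes; continue ;;  # sysctl.conf comment markers
            *=*)       ;;                           # a setting, handled below
            *)         printf 'SKIP unparsable line: %s\n' "$trimmed"
                       documented=no; continue ;;
        esac

        key=$(normalize "${trimmed%%=*}")
        proposed=$(normalize "${trimmed#*=}")
        # sysctl keys map to files under /proc/sys, dots becoming slashes.
        path=$proc_sys/$(printf '%s' "$key" | tr . /)

        if [ -f "$path" ] && [ -r "$path" ]; then
            current=$(normalize "$(cat "$path")")
            if [ "$current" = "$proposed" ]; then status=SAME; else status=CHANGE; fi
        else
            current='-'
            status=UNKNOWN        # key does not exist on this kernel
        fi

        printf '%s %s current=%s proposed=%s commented=%s\n' \
            "$status" "$key" "$current" "$proposed" "$documented"
        documented=no
    done < "$candidate"
}

# Constructed sample: a small candidate file and a fake /proc/sys tree.
make_sample() {
    mkdir -p "$1/proc_sys/net/ipv4" "$1/proc_sys/kernel"
    echo 1  > "$1/proc_sys/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 1  > "$1/proc_sys/net/ipv4/ip_forward"
    echo 16 > "$1/proc_sys/kernel/sysrq"
    printf '32768\t61000\n' > "$1/proc_sys/net/ipv4/ip_local_port_range"
    cat > "$1/sysctl.conf" <<'EOF'
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_forward = 0
kernel.sysrq = 0
net.ipv4.ip_local_port_range = 32768 61000
kernel.exec-shield = 1
EOF
}

sample=$(mktemp -d)
make_sample "$sample"
review_sysctl_conf "$sample/sysctl.conf" "$sample/proc_sys"
rm -rf "$sample"
```

Every CHANGE line with commented=no is a setting the file alters without saying why, and every UNKNOWN line names a key the running kernel does not have.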

-j


Dec 4 2008   6:41PM GMT

Inventory tracking with the Sun Inventory Application



Posted by: John Little
windows, solaris, sun, Lotus Domino, red hat, suse, opensolaris, inventory, inventory tag, tag your gear

Sun has a unique application on their web site called Sun Inventory that will track hardware, software and operating systems. It is unique in that it is, more or less, a cloud application. You can access your inventory anywhere that you have internet access.

The Sun Inventory application tracks these items by installing a small application on the machine that you want to inventory. Initially it will report back the hardware and operating system. As qualified applications are installed the agent will report these back to the Sun Inventory application without any interaction on your part.

Getting started is simple. Go here to get started. If you don’t have a Sun account go ahead and sign up. Once you are signed in it is a 3 step process to get started.

Step one is to download what are known as service tags. This is the application that you will install to “tag” your inventory so that it can be put into the application. Tags are available for Red Hat Enterprise Linux, Suse Enterprise Linux, Solaris and Windows. Download the appropriate tag for your operating system and install it on the machine that you want to inventory. The tagging also works on virtualized machines from Red Hat Virtualization and on VMs using VirtualBox. I didn’t check any other virtualization applications.

Steps two and three are discovering and registering your “gear” as Sun calls it. This downloads a small Java program onto your machine to help in finding and registering tag-ready machines. With this application you can find your machines in various ways such as hostname, subnet and IP address. Below is a screen shot of the information that you can use to find your tagged machines.

[Screenshot: Find and Tag]

Once you have done this a screen will pop up showing the gear that the registration client found. You will then log in to your Sun Account and choose which products you want to register. Once they are registered, what you will see is like the following screen shot.

[Screenshot: inventory listing from Sun]

As you can see I have my 1u server tagged along with the host and virtual operating systems. The OpenSolaris machine is running on VirtualBox. The OpenOffice application was installed after I tagged and registered the machine. Since the tag runs as a service it picked up the OpenOffice application and registered it as part of the OpenSolaris machine.

This is a great way to get your machines and related software inventoried and get control of it.

-j


Nov 30 2008   11:02PM GMT

Use UNetbootin to install Linux or BSD



Posted by: John Little
windows, Linux, UNetbootin, livecd, live cd, install to usb, linux installer, windows installer

I ran across UNetbootin after pulling out my old tablet pc and finding the Windows OS full of viruses, malware and whatever someone could put on there.

After looking around for the most viable distribution to install on a tablet pc I landed on Ubuntu 8.10. I realised while I was downloading it that I would have to use a usb drive to get it installed. Enter UNetbootin. Which by the way stands for Universal Netboot Installer.

It took me all of five minutes to read the instructions and I was off and away! I downloaded UNetbootin for Windows to get started. I plugged in my 1GB usb stick and formatted it to FAT32. I double-clicked on the UNetbootin installer, pointed it to the Ubuntu iso file that I had downloaded, made sure it was installing to my usb stick and started the install.

Here is an image of the UNetbootin installer from their web site to set up and kick off your installation:
[Screenshot: UNetbootin Installer]

After Ubuntu was installed to the usb stick I rebooted and chose the usb stick as my boot media. Up pops the normal menu that you normally see from running a live cd. I chose the default option to run from the usb. One thing I noticed is that a live cd runs considerably faster from usb than it does from cd.

The nice thing about UNetbootin is that they did a thorough job on everything that needed to be done. You can install virtually any Linux or BSD distribution with this application. You can see a list of the built in Linux and BSD applications here. They also have a list of supported distributions here.

UNetbootin provides a Linux and Windows installer so that you can use whatever OS that you have available to create your live usb stick. It will work on almost any version of Windows or Linux.

UNetbootin is a very impressive application. Because of its ease of use and the wide range of distributions that it will install without any fuss, I am writing this post from my newly installed Ubuntu on my tablet pc. Start to finish UNetbootin took about 10 minutes to install to the usb stick. Another 30-40 minutes and here I am typing this post.

Try out UNetbootin on a distribution that you’ve been wanting to try. Download time plus about 10 minutes and you should be playing with the live usb stick version.

-j


Oct 17 2008   2:19AM GMT

Virus shuts down sales of ASUS eee PC’s in Japan



Posted by: John Little
windows, Linux, open source, virus, FUD

The virus known as recycled.exe was put on the D: drive at the factory. When the user booted the ASUS eee PC the first time the virus copied itself to the C: drive. According to ASUSTEK there were 4500 of the eee PCs made for Japan and only about 300 sold.

Now for me this begs the question…did this ever happen with all of the eee PCs sold and shipped with Linux? While I don’t officially know the answer my guess is that it did not.

That then brings me and all Linux users to the next question…why do manufacturers insist on putting Windows on their machines rather than Linux? Market share or, translated, it’s what everybody has.

So let’s discuss the validity of “everybody has it” and see if we can get some of you users to switch to desktop Linux. Yes I know all of the usual answers of why you don’t want to. It won’t do what I want it to do. It doesn’t have software that allows me to do thus and such. I may have to use the command line. yadayadayada.

What exactly does it not do that you want it to do? It edits photos, plays music, plays DVDs, browses the internet and…wait for it…will even send and receive email. If you are a regular desktop user the chances that you are going to have to use the command line are about as great as the chances are that you will need to edit the Windows registry. In fact I would say that you would have to edit the registry before you would ever need to use the command line.

If you are a little more aggressive with the use of your desktop you already edit the registry. I can assure you that using the command line is much easier than editing the registry. Think about the fact that a lot of the configuration of any application that you run on Windows resides in the registry. Compare that to Linux, where all of your configurations for any application that you use are text files and reside in the /etc directory. I know from experience that editing a text file is considerably easier than editing the registry.

So what then is the problem? Are you afraid to learn something new? It costs you absolutely nothing to try or buy so it can’t be the cost. If you are reading this then you have the intelligence to learn and run Linux.

Go ahead think about it. Stop buying licenses that don’t even let you own the software let alone install it on as many machines as you need to.

Download an easy to use distribution such as Ubuntu or CentOS and find the freedom of using and installing software on as many machines as you need. No cost to you unless you opt to buy a pre-burned set of CD’s for about $5. Ubuntu is more for a regular user and CentOS is more for an Administrator or Power User type who needs stability and likes to run servers and experiment with software on their local machine.

When it is all said and done you will be glad that you did.

-j


Sep 15 2008   8:28PM GMT

VIM Shortcuts



Posted by: John Little
windows, Linux, vim, editor, vi, text editor

I like the VIM text editor. Yes, VIM took some getting used to. Yes, VIM requires that you use a keyboard although there is now a graphical VIM for Windows and Linux which is pretty cool as well.

I am writing this so that maybe you will begin to like the VIM editor. Once you get used to the keyboard it becomes quick and easy to edit your text files. You may even get to avoid Carpal Tunnel Syndrome.

Ok so let’s get to it shall we?

Saving a file
To close a file without saving type ctrl +q. To save a file type ctrl + w. To save and close a file type ctrl + wq or ZZ (yes those are caps).

Ok, all of that was straightforward and anyone who has used VIM knows these things.

Let’s try a few more.

To open a file at a given line number type vim + <line number> . To open a file at the first instance of a word type vim +/<word to find> .

Ok let’s do some work inside of a file.

Basics
To undo text that you have entered type u and to undo all changes to a line type U. Typing :e! will revert back to the last saved copy of a file if you really mess up. To create a new line below the cursor type o and to create a line above the cursor type O. For searching a string use /<string to find> to search to the right of the cursor and ?<string to find> to the left of the cursor.

Deleting text
To delete a line place the cursor on the line and type dd. To delete several lines type <number of lines to delete>dd. For instance 3dd would delete the line where the cursor is and the next two lines. To delete all text from the cursor to the end of the line type D. For deleting all the text from the beginning of the line to the cursor type d. To delete all of the lines from the cursor to the end of the screen type dL and to delete all text from the cursor to the end of the file type dG. To delete all of the text from the cursor to the beginning of the file use d1G. If you want to delete all text from the cursor position to a given line number type d#$ where # is the line number of the specified line.

Changing text
If you want to change a word move the cursor to the beginning of the word and type cw. Note that the cursor will only remove up to any special character, punctuation or space. If you want to change the current sentence type cs. To change the current line type c$ or C. Note that preceding the command here with a number, as in most VIM commands, will change that number of words, sentences or lines.

Copying and pasting
To copy a line or lines type yy on the line with the cursor. To copy several lines from the location of the cursor down type <number of lines to copy>yy. For instance 5yy would copy the line where the cursor is and the next 4 lines. To paste those lines below the cursor type p and P to paste them above the cursor.

Ok now let’s have some fun!
How about finding and replacing a word or group of words in a file? Easy and fast. Let’s say we want to replace the word module with the words kernel module. At the VIM prompt type:
:%s/module/kernel module/
That would replace the first instance of module with kernel module. But what if you want to replace all instances? Simply add a g at the end of the line:
:%s/module/kernel module/g
If you want confirmation each time before the replace add a c to the end of the above:
:%s/module/kernel module/gc

How about opening another file from which you want to copy something into your current file? This is quite a simple operation and with VIM’s tab completion, which works much the same as bash tab completion, it is really a snap. Ok let’s say we have two files, a sample file in /home/jslittl/sample.txt and a config file in /etc/myapp/app.conf.

Let’s open the application file:
vim /etc/myapp/app.conf
Now open the sample file. Remember we have tab completion so you can use that. In the file that you just opened type:
:split /home/jsl<tab>/samp<tab>
Now the sample file is open and your cursor is in the sample file. Move the cursor to the line that you want to copy and type:
yy
and then:
ctrl w
to move into the app.conf file. Move the cursor to the line above where you want to paste and type:
p
Easy stuff huh?

The real beauty of an application like VIM starts to shine when you telnet or ssh into a remote machine and have to edit a configuration or ini file.

I hope that you picked up a pointer or two from this that will help make your work quicker and easier. I know I became more efficient when I learned some of these shortcuts.

-j


Sep 13 2008   8:46PM GMT

Netbooks, Notebooks, Windows and Linux



Posted by: John Little
windows, Linux, notebook, netbook

Most of us have heard of the Netbook. You know, the small 7″ screen Linux powered EeePC from ASUS. Of course Dell, Acer and MSI have joined in the fray. That’s fine. Competition is a good thing.

For one reason or another, probably because ASUS did not set reasonable expectations about what a netbook is capable of, or more to the point what it is not, they had a 35% return rate according to some sources. You see people bought the netbook with the idea in mind that it was a cheap notebook. They bought it wanting to hook up printers, cameras and other devices to their shiny new cheap computer. They were disappointed. Things happen.

What really gripes me though are articles like this one. This writer alludes to the idea that the problem was not the lack of capabilities of the netbook, but instead that it was because the netbook had Linux installed as the operating system. He then goes on to extol the virtues that the netbook will have when the manufacturers begin to install Windows XP and Windows Vista Home.

Now don’t misunderstand me. I think people should have choice. If someone wants to use Windows that is their choice. I can and do use and administer both. It’s just that my preference is to use Linux because I find it easier to use as a workstation and in many cases as a server. But when I read an article like the one mentioned above that, among other things, states that the netbook is an underpowered computer, and then goes on to say that it will zing with a bloated operating system like Windows Vista, I have to question the validity and purpose of such an article.

It seems to me the article was written, at least in part, to take a shot at Linux. Maybe, maybe not. I don’t know. What do you think?

-j


Sep 6 2008   8:05AM GMT

Squid proxy server quick start



Posted by: John Little
http, windows, Linux, unix, ftp, https, squid, proxy, centos, web proxy, proxy cache, squid.conf, Yum

Here is a quick start plan for installing the squid-cache.org proxy server. Squid is a caching proxy server that uses HTTP, HTTPS and FTP for caching web pages from the internet. By caching web pages locally the squid server helps you save on bandwidth and improves page response time for web surfing.

When you first open the squid configuration file it can be overwhelming with over 4000 lines. Many of these are comments but there are still hundreds of configuration choices. I am going to reduce these down to a solid foundation which will get you up and running quickly. This will give you some time to study the other configuration choices that may be necessary for your use. For most people some form of the configuration entries that we use here will be enough to control and proxy your web access.

Squid can be installed on Linux, Unix or Windows. For our purposes here we are installing on CentOS 5.x.

Let’s get started:

Install the Squid package
yum install squid

cd to the configuration directory
cd /etc/squid

The default squid config file contains over 4000 lines. Remove the comments so that the file is a workable size.
Copy the squid.conf file to dist.squid.conf to preserve the comments for reference
cp squid.conf dist.squid.conf
The following sed command edits the squid.conf file in place removing comments and empty lines
sed -i.tmp '/^#/d; /^$/d' squid.conf
This will produce a file that contains the following entries:


http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

After doing this you will need to add some lines to the squid.conf file for your environment.

vim squid.conf
visible_hostname <your proxy hostname>
acl our_networks src <network>/<mask> <network>/<mask>
as in 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks

Save your changes and exit the squid.conf file.

Create the squid cache directories in /var/spool/squid
squid -z

Set squid to start on reboot
chkconfig squid on

Start squid
service squid start

This should work out of the box after pointing the clients to the correct proxy server and port.

Additional configuration directives can be issued through the /etc/sysconfig/squid file and the /etc/init.d/squid script.
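
Squid checks http_access lines from top to bottom and acts on the first one that matches, so the allow rule for our_networks has to sit above http_access deny all. The following added example (not part of the original post or of Squid) checks a squid.conf for that ordering, for an http_access line with no allow or deny, and for ACL names that are used before they are defined; the function names and the sample files are constructed.

```shell
#!/bin/sh
# Added example: sanity-check the http_access rules in a squid.conf.
# Prints one finding per line, or OK; returns non-zero if anything was found.
check_squid_access() {
    awk '
        $1 == "acl"         { defined[$2] = 1; next }   # remember ACL names in file order
        $1 != "http_access" { next }
        {
            rule = $0
            if ($2 != "allow" && $2 != "deny") {
                printf "MISSING_ACTION line %d: %s\n", NR, rule; bad = 1; next
            }
            n = 0
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^#/) break                     # trailing comment
                name = $i; sub(/^!/, "", name); n++      # "!acl" negates "acl"
                if (!(name in defined)) {
                    printf "UNDEFINED_ACL line %d: %s\n", NR, name; bad = 1
                }
            }
            only_all = (n == 1 && $3 == "all")
            # Anything allowed after "deny all" is never reached.
            if (denied_all && $2 == "allow") {
                printf "UNREACHABLE line %d: %s\n", NR, rule; bad = 1
            }
            # "allow all" lets any client address use the proxy.
            if ($2 == "allow" && only_all) {
                printf "OPEN_PROXY line %d: %s\n", NR, rule; bad = 1
            }
            if ($2 == "deny" && only_all) denied_all = 1
        }
        END { if (!bad) print "OK"; exit bad }
    ' "$1"
}

# Constructed sample: part of the stripped squid.conf shown above plus the
# site-specific lines, with the allow rule either appended at the end of
# the file or inserted above the existing rules.
write_sample() {   # $1 = file to write, $2 = "appended" or "inserted"
    {
        echo 'acl all src 0.0.0.0/0.0.0.0'
        echo 'acl localhost src 127.0.0.1/255.255.255.255'
        echo 'acl our_networks src 192.168.1.0/24 192.168.2.0/24'
        if [ "$2" = inserted ]; then echo 'http_access allow our_networks'; fi
        echo 'http_access allow localhost'
        echo 'http_access deny all'
        if [ "$2" = appended ]; then echo 'http_access allow our_networks'; fi
    } > "$1"
}

tmp=$(mktemp -d)
for order in appended inserted; do
    write_sample "$tmp/squid.conf" "$order"
    echo "== allow rule $order =="
    check_squid_access "$tmp/squid.conf" || true
done
rm -rf "$tmp"
```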

I hope this helps you get squid up and running quickly. Enjoy!

-j


Aug 31 2008   11:37PM GMT

To gmail or yahoo..



Posted by: John Little
windows, Microsoft Windows, Linux, Browsers, internet explorer, firefox, opera

Do you like gmail? I don’t. I first started using gmail a few months ago when it looked like Microsoft had a good chance of purchasing Yahoo. I’ve had a Yahoo account for over ten years. I’ve since gone back to Yahoo.

No, not because Microsoft didn’t buy them. I just don’t like gmail. You can’t create folders in which to store your mail. Instead you have to label it. Then, to *start* finding it you have to click on the All mail link. Then you have to find one of the mails labeled with the subject. After that you do a More actions and click on filter more messages like these. What a mess. What a waste of time.

You can’t highlight mail that you want to delete by holding down the control key. Oh no, that would be too easy. You see, gmail has single click like a web link. I despise that in Windows and the Linux KDE desktop and I don’t like it here either. At least in Windows and on the KDE desktop you have the option to turn it off. So with gmail you have to click select all and then go through and deselect the mail that you don’t want to delete.

Yes I still have mail going into my gmail account. I did change some of it for my RHEL and Sun accounts. Maybe a few others. But, at the end of the day, I still prefer Yahoo mail over gmail.

And yes, the new Yahoo has its share of problems as well. I don’t know what is with the Yahoo developers that they can’t seem to develop something that at least either works on Firefox or Opera. Or maybe it’s the Firefox and Opera developers. The chicken and egg thing. But that’s a rant for another day.

-j


Aug 29 2008   3:35PM GMT

Script repetitious tasks in a GUI with AutoIT



Posted by: John Little
windows, Microsoft Windows, Lotus Domino, gui, scripting, script, automate, autoit

Do you find yourself wanting to script repetitious tasks in a GUI? Wish there was a way to automate it? There is now.

Unlike shell scripting where many tasks can be automated this is generally more difficult in a GUI. You have mouse clicks and keyboard entries to make in a GUI. AutoIT is the answer to your problem. AutoIT is designed to script repetitious tasks in a GUI, specifically the Windows GUI and Windows applications.

AutoIT is freeware - not open source - designed to automate the Windows GUI and perform other general scripting tasks. I use it at work for setting up users in Active Directory and Lotus Notes. The Active Directory part I send to the Windows command line. The Notes part is done inside the Notes client. I even have it send the New User documentation over to my Linux workstation via SCP. There I have a Bash script convert the documents to PDF to be sent to HR. Pretty cool. It saves me hours of work every Friday. Which is why I can write this post and tell you about it :-)

The AutoIT download comes with a lite version of the SciTe IDE. You can download a full blown version customized to work with AutoIT here. With the IDE you get syntax highlighting, script tidying, debug, the ability to compile the script to an .exe file and more. AutoIT even integrates into the right click text menu so that right clicking on the script gives you the ability to run, compile or edit the script.
[Screenshot: autoit-editor]

If you need to send your scripts out to users, for instance to have them perform some task or installation on their machine, the compile function is a real life saver. We use it to compile the script that installs and sets up the VPN and then send it to remote users. Just burn it to a CD along with the necessary files so that it will autorun and Voila!..no more trying to do it over the phone. Or you could just send all of the files zipped up in an email and have them put it in a folder for running..but that does require relying on the user to do something.

AutoIT also provides AU3Info. AU3Info is a tool that will help you find window titles, mouse coordinates and much more window information that will help in writing your script. You need the active window titles and mouse coordinates so that AutoIT knows when a certain window is active. Once the window is active you tell the script where to place the mouse, left or right click if necessary and what keystrokes to send.
[Screenshot: au3spy]

AutoIT comes with a full complement of everything required to write any sort of script whether you need to manipulate a GUI or something that you need to run from the command line. These include datatypes, functions, macros and many others.

The documentation is excellent and very easy to understand. The forums are active and friendly to new users. So if you’re tired of doing that repetitious Windows task why not give AutoIT a spin! It’s a great tool for any administrator.

Full disclosure: I am in no way associated with AutoIT other than being a satisfied user.