This page is in Japanese, but you get the idea.. we had one of these at an old company. Basically it's a big whiteboard with the writing surfaces on rollers that can pass by a scanning element, which prints it out. It was called a "boardfax" or somesuch. Granted, this one sounds neater :)
rdesktop is a nifty linux terminal server client. That would save you client costs on each terminal (replacing them with windows terminal server licensing costs probably).
right click the image, "block images from this server". You can go into the prefs and add sites/remove them, probably just a text file, so you could also seed it as you describe
The most common security problems have to do with default services, things that are installed with little or no user intervention to promote ease of use.
Microsoft typically will give you the kitchen sink, everything runs even if you need very little. RedHat linux does a similar thing, if you install "Everything" it also starts all the daemons.
If you don't spend 30-45 minutes turning off unwanted services, portscanning your machine, and looking up patches/updates at CERT/RedHat/SANS etc, forget it.. your system will probably get compromised in a matter of days. This goes for *ANY* operating system, you simply have to test it and make sure you are running the minimum necessary to do the job.
The main reason you hear more news about microsoft systems getting infected is simply that there are many more of them, and many more are running the simple default configurations. Linux machines are really just as vulnerable IF YOU DON'T PATCH AND TEST THEM
Here's a little guide to turning off unwanted services on a redhat box, and how to audit your systems with a portscanner
Being able to secure a machine that has a network connection is not trivial, regardless of the OS. If you are a first-time installer of either windows or a popular linux distribution, you are almost certainly putting up a remotely-rootable machine.
Making a machine secure is a process of very careful testing, updating, and maintaining a machine. From a stock install of a distribution like RedHat, you have to first shut down services you don't want to run, verify that you have shut them down with a portscanner, install updated kernels, daemons, local tools & programs to avoid *local root* exploits, modify MANY default configuration files to make the system more secure, and subscribe to mailing lists at various security sites to test things out.
Quite honestly, you probably need to get cracked a few times to really learn this lesson correctly. Setting up a publicly networked Linux server is not a job to be taken lightly, especially if you don't want to donate your system resources to crackers!
This isn't really the point. The reason all those Microsoft worms are so prevalent is simple, default out-of-the-box configurations sitting on DSL connections or Cable modems are perfect launchpads for DDOS attacks.
Why isn't this happening on linux boxes? IT IS! *ANY* operating system that is hooked up 24/7 to an internet connection is a target, INCLUDING linux. The fact that it CAN be secured doesn't mean it WILL be.. the number of people who don't patch their OS when ssh, bind, wu-ftpd, ptrace exploits, etc are discovered is probably around 99%.
DDOS attacks originating from cracked linux boxes are going on already, there really are just fewer of these in use in the DSL/Cable Modem scenario compared to Microsoft machines running IIS.
If you think *you* are safe, go check out CERT for exploits on any outside-facing services you are running. The older SSH protocol has a widely publicized flaw that results in many machines being rooted. You can only keep yourself safe through constant maintenance & vigilance.
The IIS holes in 2K that allowed CodeRed to spread and the uPnP holes in XP which, luckily so far, have been pretty much unexploited were both buffer overrun holes which caused, or had the potential to cause, v.serious worm outbreaks.
Did Linux have anything on this scale?
Yes actually, if you're running an unpatched older distribution that had either the bind, wu-ftpd, ssh, lpr, or a couple other bugs, I bet you'll find some odd net connections and irc bots on your system.. the activity level of probes looking for linux holes (just like the automated IIS worms) is increasing dramatically. Check CERT for the details
Campaign finance is the best way to address the meta-problem that is causing most of the "ugly legislation" lately.
My father was a local government county supervisor, and a big telco came wanting to put up cell phone towers. A few local residents came in against the plan for various reasons, and the big company was sent packing.
I'd like to see this happen on the national level.
The people in the USA too often are way behind the corporations for input on public policy simply because the big corporations make elections happen with big donations. Take away the candy they tease our lawmakers with, and you make issues & an informed electorate more important in the political landscape.
The laws of the country lately certainly don't reflect the views of the public so much as they do the views of the corporations, and they are only getting worse. I think that Campaign finance reform is really the SINGLE important issue, and an emergency to get in place before more damage is done!
I think it's important to make sure that legislation punishes offenders who do real damage to systems, but I prefer not to have laws against probes and scans etc, as it makes me think twice about testing my own systems. I manage firewall/security for a silicon valley company with about 80 people, and 500+ systems (computer labs) on the network. It's vital for me to be able to run portscans on my own networks to validate security, just like it's important for me to have access to exploit code to see if my systems are vulnerable.
I think it's important to realize that the legitimacy of cracker tools being made public is that the white hats can test & lock down their systems, and that no legislation should limit their use in ways that would inhibit my ability to test & secure my systems
This shows you what daemons are auto-started:
# /sbin/chkconfig --list | grep :on
# man NAME_OF_THING_YOU_DONT_KNOW_WHAT_IT_IS
# /sbin/chkconfig --del THING_YOU_DONT_WANT
get the latest nmap from freshmeat.net.
do this:
# nmap -sS -P0 YOURIPORHOSTNAME
do you see any ports you weren't expecting?
Turn off the services!
Install portsentry + ipchains on a firewall, or if you don't have more than one box, your own box! Set portsentry to listen on bind to catch a lot of automated attacks from a RH6.2 bug. Move your ssh (2.X or greater!!) daemon to a non-standard port (edit /etc/ssh2/ssh2d), then set the normal ssh port as a portsentry tripwire.
Very active attacks right now:
Bind
ftp
finger
telnet
ssh
port 59 (anyone know wtf that is?)
wu-ftpd had an *earlier* vulnerability that was causing increased scan activity too!
Subscribe to the cert.org mailing list, and "grep for linux".
you have to take an active role and pay attention to all security bulletins out there, because you will literally be attacked within an hour of bringing up a new DSL/T1 server anywhere in the wild. I've seen portscans on newly installed lines in less than 5 minutes!
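An added example (not from the original comment) that turns the chkconfig/nmap audit above into a script you can re-run from cron: it parses `chkconfig --list` output for anything started at runlevel 3 or 5 (including xinetd-managed services), parses the nmap port table, and flags every open port that is not on an explicit allowlist. The chkconfig and nmap output below is constructed so the check runs offline; on a real box you would pass in the live output, e.g. `audit_box "$(/sbin/chkconfig --list)" "$(nmap -sS -P0 localhost)"`. The allowlist in `ALLOWED_PORTS` (ssh and http only) is an assumption about what the box is meant to expose.

```shell
#!/bin/sh
# Added example: audit auto-started services and open ports against an allowlist.

# Constructed sample of `/sbin/chkconfig --list` output (Red Hat 6.x/7.x format).
CHKCONFIG_SAMPLE='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
lpd             0:off   1:off   2:on    3:on    4:on    5:on    6:off
named           0:off   1:off   2:off   3:on    4:off   5:on    6:off
wu-ftpd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        finger: on
        telnet: off'

# Constructed sample of `nmap -sS -P0 localhost` output (nmap 2.x style port table).
NMAP_SAMPLE='Port       State       Service
22/tcp     open        ssh
53/tcp     open        domain
79/tcp     open        finger
80/tcp     open        http
515/tcp    open        printer'

# Ports this box is *supposed* to expose (assumption: a web server you reach by ssh).
ALLOWED_PORTS="22 80"

# Services enabled at runlevel 3 or 5 (the multi-user runlevels a server boots into),
# plus xinetd-managed services that are switched on.
enabled_services() {
    printf '%s\n' "$1" | awk '
        NF == 8 && ($5 == "3:on" || $7 == "5:on") { print $1 }
        NF == 2 && $2 == "on" { sub(":", "", $1); print $1 }
    '
}

# Open TCP ports from the nmap table, one "port/proto" per line.
open_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { print $1 }'
}

# Open ports not on the allowlist: each one is either a service to chkconfig --del,
# or a service that needs a firewall rule and a patch watch.
unexpected_ports() {
    open_ports "$1" | while IFS= read -r p; do
        num=${p%%/*}
        case " $ALLOWED_PORTS " in
            *" $num "*) ;;              # expected, skip
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Prints the report; exits non-zero when anything unexpected is listening so the
# audit can gate a cron job or a mail alert.
audit_box() {
    enabled=$(enabled_services "$1")
    unexpected=$(unexpected_ports "$2")
    printf 'enabled at boot:\n%s\n' "$enabled"
    if [ -n "$unexpected" ]; then
        printf 'UNEXPECTED open ports:\n%s\n' "$unexpected"
        return 1
    fi
    printf 'no unexpected open ports\n'
}

audit_box "$CHKCONFIG_SAMPLE" "$NMAP_SAMPLE" || echo "audit FAILED: turn off or firewall the services above"
```

With the constructed samples the script reports sshd, httpd, lpd, named and finger as enabled at boot, and 53/tcp, 79/tcp and 515/tcp as open ports that were not expected, which is exactly the "ports you weren't expecting" question the comment asks you to answer by hand.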
If you are working at a startup, you can do it all yourself (hardware, design, code, maintenance, etc). The age-old conflict is the IT people want it maintainable, always up, and conservatively designed, marketing wants to do things on the seat of their pants without advance notice..
I separate the server maintenance from the updates. I manage a colo, server, backups, and the cgi parts of the server, the contractor of the week does the design & updates. The tools I have built are all designed to have no ongoing maintenance from me (IT reporting).
If you can make that clear from the outset, you can co-exist well with a marketing department or a PR branch etc that needs an effective publishing platform. These boundaries sometimes result in conflict:
Do it quick
Do it stable/well
but rarely does it become catastrophic if you work with good people.
I have an english degree, 1 intro CS class, some math, some philosophy in my "official" background.
The only class I took that had direct relevance or utility was a class that was taught by an old "systems analyst" professor about the history of human agriculture!
The real stuff that got me here was having an apple ][+ as a kid and lots of pirated games with no documentation. You learn how to apply the formal scientific method (ie fart around systematically until you figure out all the controls!) with a good carrot hanging in front of your nose that way..
I was always using some kind of terminal/elm/pine setup for email in college (late 80s, early 90s) before guis were big, so I needed to know how to get around.
The point I'm getting to is that good systems administration skills come largely from experience. The important experience is rarely taught, you need to accidentally hose some files to learn to make backups. You have to have a box or two cracked to learn how to do security. You need to install linux on 10 different PCs to be able to figure out why it isn't working on the new laptop, etc. I recommend installing linux on your home pc, re-installing windows, making dual boots, changing distributions of linux a lot, trying BSD & intel solaris, asking anyone you can get shell accounts from for shell accounts, setting up apache, playing with sendmail, installing networks at lan parties, etc.
It's not hard if you have the right attitude, basically that "I am a generalist and a problem solver", and that no problem can withstand a good debugging technique. You may find something is unfixable, but at least you'll be confident it is "definitively unfixable".
If you can find books by C West Churchman (_The Systems Approach_), that's probably the only academic-style text I'd recommend. Learn to see things as systems that interact with each other, and how to view feedback & control loops..
_Unix Power Tools_ by ORA is a great almanac-style book. It does basically contain answers to just about any "how do I" questions, with the warning that if you're 5 minutes off the turnip truck you won't know how to ask the questions.
Go to users groups, install fests, read freshmeat everyday, install & maintain (and depend on) your own servers..
Using SSL IMAP got us away from exchange. I still don't have a calendaring solution (which hurts really!). Outlook will do IMAP, but with a fairly large (microsoft admits) bug in the implementation where a thread collision occurs between the automatic polling of the server for updates and the manual send-receive button.. it's a lockup.
Anyway, my smtp/imap server has 400 days uptime on it now.
A very good way to assuage the fears that you are irreplaceable (you probably are!) is to make your own RPMs. Get source rpms for the stuff you use, modify the conf files included, rebuild. I keep a repository of them which are basically my modifications against RH62 (older servers) or rh71 (newer ones). This makes disaster recovery also very easy (which you should have anyway! the admin leaving the company is also a disaster!).
If you're working on the latest, check out https://sourceforge.net/project/?group_id=4190
several unresolved issues with the z505hs still ongoing, they also have winmodems! I have sound (oss), display (1024x768), netcard (eepro100), usb, touchpad working, but I don't have everything working nicely with power management etc.
Hoonis
I managed a reasonably big site (16cgi hits/sec) using mod_perl, php, mysql, and LOTS OF RAM. Your single best optimization, as listed above, is LOTS OF RAM to cache with. mod_perl has some other great tricks- if you're using templates, put a BEGIN{} block at the top of a module that is a PerlRequire in httpd.conf, and assign templates or other file-IO portions of scripts to globals. They stay in ram then (but you bought LOTS OF RAM, right?).
Put mysql's data partition in
a) its own partition or better yet DISK
b) on its own scsi controller
If mysql is your bottleneck, run oracle. make lots of index tables. run benchmarks on your queries. with mysql, avoid table joins if you can, it's much faster without them. Optimize the Sh#t out of your tables for query speed.
don't run heavy cpu junk like log analysis on the box that needs to serve dynamic content
use squid cache or another cache, or even plain old ramdisks to hold your static stuff, remember that IO is a huge bottleneck. Try to put everything in ram.
don't run 4 quake3 servers and one unreal tournament server on the box when you are anticipating heavy load:)
Cache anything you can (did I mention that?) take slashdot pages for example- every time someone posts a comment, you should take a dump of the dynamic page to flat html. When the next person requests the page, give 'em the dump if there are no new comments (saves hitting mysql every time!). Of course, you cached that html page in your LOTS OF RAM, right?
Imagine you need to serve a lot of file download requests. Apache has a built-in maxclients limit of 250, but you can modify that in the source. A dual p3/600 + 1gb ram can easily saturate a t3 with static content..
More stuff.. don't open lots of filehandles if you don't have to. Optimize out any calls that open a new shell (don't use $var = `pwd`; in perl, for example, use built-in functions that don't require a new shell). Modify your linux kernel to allow more open file descriptors, max user processes. Nuke any unwanted ulimit directives in your start-up scripts.
Remove daemons you don't need on the box. Don't run anything you don't absolutely need running.
Run more than one instance of Apache- one compiled with mod_perl or mod_php, another just flat. This saves some of your LOTS OF RAM by using the cache only in the daemons that need it. You can even combine multiple daemons per ip/domain, but use squid to make it look like one.
Actually it's this: (no pictures though) google cache
rdesktop page
It's very easy, of course, to set up linux as a thin client. X -query someserverhere works well.
Solicit the opinions of random bubbleheads on slashdot!
for a lot of TV and also most likely to be running peer-to-peer file sharing stuff.
So yes, this will probably cause the broadcast industry a lot of grief.
So how long now until some intrepid soul gets linux working on the xbox?
I got that on 2 boxes here as well, had to turn it off to get a clean build
I like Russ. He's the only genuinely & clearly principled member of the Senate I know of. Thanks Russ!
Great stuff, thanks for posting it (and thanks to nathan too!)
http://www.rainfinity.com/scripting_fix.jpg
the new McAfee datfiles also successfully fix it (we tested, their first one didn't work!)
Mame cabinets are really fun. Seeing as you can pick up a duron 900 for $50 or so these days, they're also cheap!
http://www.beimborn.com/mame is my project, soon to be linuxed
Any specs on the new machines? sub 3-pound is nice, but what about clock speeds etc? I wonder if all the OEM hardware will also be linux friendly
Did I mention to get LOTS OF RAM?
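An added example (not from the original comment) of the "dump the dynamic page to flat html and serve the dump until someone posts" trick above, written as a shell script so it can be run and checked offline. The layout is an assumption: a comment store with one comment per line stands in for the mysql table, a generation stamp next to the dump records how many comments it was rendered from, and the dump is rebuilt only when that count changes. Because the dump is a flat file that Apache will serve verbatim, the comments are HTML-escaped on the way in; a cache of unescaped user input is a stored cross-site-scripting problem that survives every later request.

```shell
#!/bin/sh
# Added example: regenerate a flat HTML dump of a comment page only when a new
# comment has been posted, and serve the dump otherwise.
#   $STORE  - one comment per line, appended on every post (stands in for mysql)
#   $CACHE  - the flat HTML dump; $CACHE.gen records the comment count it was built from
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
STORE="$WORK/comments.txt"
CACHE="$WORK/page.html"

# Comments are user input: escape them before they land in a file Apache serves as-is.
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# The "expensive" dynamic render (the part that would hit mysql on every request).
render_page() {
    printf '<html><body><h1>Comments</h1><ul>\n'
    html_escape < "$1" | sed 's|.*|<li>&</li>|'
    printf '</ul></body></html>\n'
}

# Serve the page. First line is an X-Cache header saying whether the dump was reused.
serve_page() {
    current=$(wc -l < "$STORE" | tr -d ' ')
    if [ -f "$CACHE" ] && [ -f "$CACHE.gen" ] && [ "$(cat "$CACHE.gen")" = "$current" ]; then
        printf 'X-Cache: HIT\n'
    else
        # render to a temp file and rename, so a concurrent reader never sees a half-written dump
        render_page "$STORE" > "$CACHE.tmp" && mv "$CACHE.tmp" "$CACHE"
        printf '%s\n' "$current" > "$CACHE.gen"
        printf 'X-Cache: MISS\n'
    fi
    cat "$CACHE"
}

# A post appends to the store; the changed count is what invalidates the dump.
post_comment() { printf '%s\n' "$1" >> "$STORE"; }

# Just the cache status of one request, so the behaviour can be checked.
cache_status() { serve_page | sed -n '1s/^X-Cache: //p'; }

: > "$STORE"
post_comment 'First post!'
cache_status                          # MISS: nothing cached yet
cache_status                          # HIT: same comment count, mysql not touched
post_comment '<script>alert(1)</script>'
cache_status                          # MISS: a new comment invalidated the dump
grep -c '&lt;script&gt;' "$CACHE"     # 1: the comment was escaped in the dump
```

The count stamp rather than file mtimes is what makes the invalidation deterministic: two posts within the same second still bump the count, and a dump rebuilt from the same count is by construction identical. The temp-file-plus-rename keeps the "give 'em the dump" path from ever reading a partially written file while the rebuild is in progress.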