howtos

10 straightforward but proven ways to harden your LAMP servers

Over the years I have had to harden a great number of LAMP boxes, and I have found some methods work far better than others. I will now share with you all my favorite 10, along with methods to implement them on Debian/Ubuntu.

10. Lock SSH access right down. I do this by disabling root logins, disabling password authentication and using denyhosts.

To disable root logins do this: vi /etc/ssh/sshd_config and look for the following line: PermitRootLogin yes and change it thus: PermitRootLogin no

To disable password authentication (you will have to use public/private keys) do this: vi /etc/ssh/sshd_config and look for the following line: #PasswordAuthentication yes (note it's commented out) and change it thus: PasswordAuthentication no

To install denyhosts do this: apt-get install denyhosts. Once installed it shouldn't need any configuration, but you can tweak the settings if you wish in /etc/denyhosts.conf

9. Always use sudo for root access. This is one of the things Ubuntu does really well and it's about time other distros did the same.

Building Debian FreeRadius package with EAP/TLS/TTLS/PEAP support

Debian's FreeRadius package is built without support for EAP/TLS/TTLS/PEAP because of the licensing problems of the OpenSSL library. But, if you want to implement 802.1x network authentication with strong security, you'll need it. This is a short tutorial that explains how to build a Debian (sid aka unstable) package linked to libssl and with EAP/TLS/TTLS/PEAP support compiled in.

First, download the newest source package (orig.tar.gz), Debian diffs (diff.gz) and description file (dsc) from the freeradius package page. The version I tested the procedure with is 1.1.7-1.

How to clean up your GNOME registry?

The other day I stumbled upon this neat tool that helps clean up your GConf registry, called GConf Cleaner. While the GNOME registry size is nowhere near the size of the Windows registry, and thus shouldn't slow your computer too much, it's still nice to have a tool that cleans unused and obsolete entries.

Meet GConf Cleaner

The tool is still in early stages of development (version 0.0.2), but I've successfully run it on my desktop and was amazed how many old entries it found. Typically, if you install some GNOME application, play with it a little bit and later decide to delete it, its configuration settings will remain in the GConf database. So your registry will only grow in time.

Replaying terminal sessions with scriptreplay

OK, this is so cool and sexy, I really don't understand how I didn't find out about this earlier. Possibly because it's a recent add-on to the well known script utility?

So, I suppose you all know about script. You type script, do your work, type exit, and you have your complete session logged in the file named typescript. Quite handy if you want to log everything you did in the shell for whatever reasons.

What you might not know is that script has an interesting switch which allows you to also save the exact timing data of the screen output you're capturing. And an additional utility called scriptreplay which can later replay your session in real-time. Like a movie. With perfect timing.

How to flash motherboard BIOS from Linux (no DOS/Windows, no floppy drive)?

You've finally made the move to a Windows-free computer, you're enjoying your brand new Linux OS, no trojans/viruses, no slowdown, everything's perfect. Suddenly, you need to update the BIOS on your motherboard to support some new piece of hardware, but typically the motherboard vendor is offering only DOS based BIOS flash utilities. You panic! Fortunately, this problem is easy to solve...

Step 1: Download FreeDOS boot disk floppy image

FreeDOS, a free DOS-compatible operating system, is up to the challenge, no need for proprietary DOS versions. So, all you need is a bootable floppy disk image with the FreeDOS kernel on it. We are fortunate that the guys at the FDOS site have prepared one suitable for us. Use the OEM Bootdisk version, the one with just kernel and command.com, because it leaves more free space on disk for the flash utility and new BIOS image. You can also find a local copy of this image attached at the end of this article. After you download the image, you need to decompress it. In other words:

Soft scrollback for the Linux VGA console

If you're a heavy user of the Linux VGA console, you'll like this feature. Recent 2.6 kernels have added support for soft scrollback. This feature enables you to have a much bigger scrollback buffer than the standard console has, at the price of slightly slower console output.

The scrollback buffer of the standard VGA console is located in VGA RAM. This RAM is fixed in size and is very small. To make the scrollback buffer larger, it must be placed instead in System RAM. We call this soft scrollback.

The feature and the size of the buffer are enabled/configured through kernel config options, during kernel compilation. Besides consuming kernel memory, enabling this feature will slow down the console by approximately 20%.

The flash plugin and X.Org 7.0 (X11R7) font problems

If you are lucky to have a fresh X11R7 on your desktop with all its new features and nice filesystem layout, you might have noticed that some things have compatibility problems with it. Namely, if you have the flash plugin installed you might not see text in flash content displayed properly, depending on how your Linux distribution handled the upgrade.

Having already had trouble with that (for other reasons I'll explain later), this time the fix for the problem was a no-brainer. The reason for the problems is that the official flash plugin does some font handling of its own, not using the system font file server or the X server itself. But it still depends on some filesystem paths and configuration being in place so it can find the font files it needs. By doing strings libflashplayer.so and carefully skipping over lots of uninteresting text, you can find that the flash plugin looks for the /usr/X11R6/lib/X11/fs/config file, which is the configuration file of the font server. Next it parses the "catalogue = " line in it to find all available fonts on the system. The trouble is that the new release of the X.Org server got rid of the /usr/X11R6 system path in favour of putting binaries and other files in more appropriate places in the filesystem, just like other Linux applications do.

Oracle10g on Debian Linux HOWTO

Is running Oracle10g on Debian Linux possible? Oh yes, definitely! And it runs great, really. It's even easier to install than the older versions of Oracle as there are no problems with incompatible libc library & other bugs. You need to make just two simple preparations before you can enjoy your new development database.

Important note: I tested this only on the Debian unstable distribution and only with the 2.6 kernel, as that's what I'm running. I believe that most of you that are running Debian unstable are also running the newest stable kernel, so that shouldn't be a problem, right? Let's go step by step...
