LINUX NEWS
Resources & Links From Cramsession.com
Thursday, June 20, 2002
TABLE OF CONTENTS
1) Sean’s Notes
2) Linux News
Mandrake on WalMart PCs
Slackware 8.1 Released
Apache Security Advisory
Linux And Healthcare
3) Linux Resources
Templates Compared
Database Performance Tuning
Spam Prevention With Postfix
Handy Use of Diff
It's the Latency, Stupid
4) App o’ the Week
1) Sean’s Notes
It’s a situation you’re going to run into at least once in your life – you’ve got a Linux box, and you don’t know what the root password is. Short of trying to crack into your own machine (but you’re up on your patches, aren’t you?), you won’t be able to get that password back.
Fortunately, you can get back in by booting to single user mode. In single user mode, you’re logged in as root automatically, and you can change root’s password. (Note, you can’t recover the old password since it was hashed. All you can do is change it).
Booting to single user mode is pretty easy: all you do is pass “single” to the kernel. In LILO, this is usually as easy as typing “linux single” at the LILO prompt. With the newer GRUB, you have to hit ‘e’ to edit the boot entries, and add in “single” by hand before booting. It’s all documented here:
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/custom-guide/s1-rescuemode-booting-single.html
The only security in this, though, is that you have to be at the console to do it. Get the procedure down pat, and it only takes about a minute. One minute for someone to walk into your server room and have root level access to your computer, either by changing the password or adding a new root level user. Something has to be done about it.
The solution is to lock down the options you can pass to your kernel. Doing so means that if anyone wants to change the way the kernel is booted, then they’ll need a password.
LILO is pretty easy to do. In /etc/lilo.conf, simply add:
password=secret
restricted
to the top and then run /sbin/lilo to rebuild the boot sector.
That will make “secret” the password to boot into Linux. Adding “restricted” only makes the password apply if options were passed to the kernel. If the box were rebooted for some reason, then “restricted” will let it boot without a password. However, if someone tries to type “linux single”, then they’ll need to provide that password.
One thing to note about LILO is that the password is stored in clear text. chmod 700 /etc/lilo.conf to prevent anyone from snooping that password!
GRUB is just as easy. It uses MD5 password hashes, meaning that the password is never stored in the file, just a one-way representation of it. If someone snarfs grub.conf, then the password hash won’t help them.
First, run /sbin/grub to enter the grub shell. At the grub> prompt, enter the command “md5crypt”, and then give it your password as follows (I used “secret” if you’re following along):
grub> md5crypt
Password: ******
Encrypted: $1$xDuOL/$DM8lVGaSRqltmiUxQJhc..
In /etc/grub.conf, add the following line:
password --md5 $1$xDuOL/$DM8lVGaSRqltmiUxQJhc..
Save the file, and you’re done (that’s one thing I like about GRUB–you don’t have to rebuild the boot sector every time.)
Reboot, and you’ll notice that the “press e to edit the command line” is replaced with something like “press p to enter a password and access advanced options”. Without that password, you can’t pass options to the kernel.
GRUB has a lot more security features; you can read about them here:
http://www.gnu.org/manual/grub-0.90/html_chapter/grub_toc.html
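To check a machine against the LILO and GRUB settings described above, here is an added example (not part of the original newsletter) that audits a copy of each config file. The function names audit_lilo and audit_grub and the sample files are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the newsletter): audit boot-loader configs for the
# settings described above. Pass the path so it can be run on a copy.

# LILO: needs password= and restricted, and the file must be owner-only
# because the password is stored in clear text.
audit_lilo() {
    f=$1
    if grep -Eq '^[[:space:]]*password[[:space:]]*=' "$f"; then
        grep -Eq '^[[:space:]]*restricted[[:space:]]*$' "$f" ||
            echo "lilo: password set without restricted; every boot will prompt"
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
            echo "lilo: $f is accessible to group or other"
    else
        echo "lilo: no password= line; 'linux single' needs no password"
    fi
}

# GRUB: needs a password line carrying an MD5 ($1$...) hash.
audit_grub() {
    f=$1
    if grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$' "$f"; then
        return 0
    elif grep -Eq '^[[:space:]]*password[[:space:]]' "$f"; then
        echo "grub: password line is not in --md5 form"
    else
        echo "grub: no password line; 'e' can edit the boot entries"
    fi
}

# Constructed sample configs, written to a scratch directory.
demo() {
    d=$(mktemp -d)
    printf 'password=secret\nrestricted\nimage=/boot/vmlinuz\n' > "$d/lilo.conf"
    chmod 644 "$d/lilo.conf"            # deliberately too open
    printf 'timeout=10\ntitle Linux\n' > "$d/grub.conf"   # no password line
    audit_lilo "$d/lilo.conf"
    audit_grub "$d/grub.conf"
    rm -rf "$d"
}
demo
```

Each function prints one line per problem and nothing when the file passes, so empty output means the boot loader is locked down as described.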
Protecting your boot manager is only half the story. Someone with a few more minutes on their hands could use a boot disk (either floppy or CD) with their own boot loader or kernel. For PCs, the best thing to do is protect against this at the BIOS level. Make the hard drive the first bootable device, and protect the BIOS settings with a password.
Of course, proper physical security of your servers is a necessity. The measures I described above will make a lot of hassle for someone sitting at your console to get in, but the best way to do it is to prevent them from getting there in the first place.
Finally, write down the boot manager and BIOS passwords, and keep them in a safe place. If you lose those, it isn’t going to be any fun getting back into your system. A sealed envelope in a locked area is a good choice.
We spend so much time worrying about network based attackers that we forget about the damage that people can do with their hands. Protecting your system from a console-based attacker is relatively painless, and goes a long way toward better security.
Long live the Penguin,
Sean mailto:swalberg@cramsession.com
2) Linux News
Mandrake on WalMart PCs
As you’ve probably heard from other sources, WalMart is selling PCs without an OS in their stores. Mandrake will soon become an option for these. Lindows, which promises Microsoft Windows integration on a Linux platform, was also recently announced as an option.
http://newsforge.com/article.pl?sid/06/19/1519219
Slackware 8.1 Released
Slackware is the oldest distribution of Linux, known for its bare bones approach to the installation process. The latest release, 8.1, features JFS and XFS filesystems, the latest GUIs, and a revamped package manager. Also of note is ZipSlack, a 38MB .ZIP file that promises to let any FAT partition be up and running with Linux in 5 minutes (no GUI, but all the networking is there). It also fits on a ZIPdisk, to make your Linux box portable.
http://www.slackware.org/
Apache Security Advisory
Incorrect parsing of some invalid requests leads to some problems. On most platforms it leads to the child process dying, but on 64-bit UNIX platforms, it could possibly be exploited to execute arbitrary code. Pick up 1.3.26 or 2.0.39 depending on which stream you’re following.
http://httpd.apache.org/info/security_bulletin_20020617.txt
Linux And Healthcare
The modularity of Linux makes it a natural fit for embedded applications. This time, a medical device was developed using Linux called EasyDose. It is “a unit that monitors, displays and manages X-ray exposure data automatically through hospital networks.” It also supports standards like DICOM, which is handy to have when linking different hospital systems together.
http://zdnet.com.com/2100-1104-935737.html
3) Linux Resources
Templates Compared
Templates let you build web pages more efficiently, either by embedding some logic on the server side, or reusing code. Not surprisingly, there is a lot of template software out there. This document compares some of the better ones with an eye to how they are built, and the relative performance you can expect.
http://perl.apache.org/features/tmpl-cmp.html
Database Performance Tuning
Here is another article from SUN, this time on database tuning. Again, it’s for Solaris, but many of the things in the article still apply.
http://www.sun.com/solutions/blueprints/0602/816-7191-10.pdf
Spam Prevention With Postfix
This article is the first in a three-part series on spam prevention using Postfix. Postfix is a sendmail alternative that is gaining popularity because of its focus on security and simplicity. This installment looks at using some of the static maps to filter out undesirable sites. Future articles will deal with procmail to perform context based filtering.
http://online.securityfocus.com/infocus/1593
Handy Use of Diff
diff is a utility I’ve written about before that reports the differences between versions of files. This article shows a pretty interesting way of using it to make changes to multiple files, which looks a bit easier than using patch.
http://linux.oreillynet.com/pub/a/linux/lpt/33_06.html
It’s the Latency, Stupid
The difference between “bandwidth” and “latency” is rarely well understood. This piece tries to point out the ill effects of latency on a network connection. It’s a bit dated (it’s rather funny to see his predictions on cable modems), but the concepts are sound.
http://www.stuartcheshire.org/rants/Latency.html
4) App o’ the Week
I’m always on the lookout for cool groupware applications, especially those that take advantage of the web. This one is a group calendaring system. Its big draw is that it only requires Perl, which means you’ll be up and running in no time at all.
http://www.math.utexas.edu/webcalendar/
(C) 2002 BrainBuzz.com, Inc. All Rights Reserved.