May 23 2002


                    LINUX NEWS
     Resources & Links From www.CramSession.com
              Thursday, May 23, 2002


TABLE OF CONTENTS

1) Sean’s Notes

2) Linux News

This Just In... Reuters to Offer Linux
"Our Software Sucks So Bad It Must Be Kept Secret"
QCumber Returns From Bootcamp
Are You A Linux Waif?

3) Linux Resources

VMWare: /tmp out of space?
An Introduction to Linux Scheduling
Conducting Virtual Meetings With Linux
Daemon Monitoring Daemons
IPTables Usage

4) App o’ the Week



1) Sean’s Notes

People who’ve been on this list for a little while will probably remember that I’ve got a Linux gateway on my cable modem connection. Handy little thing, does a bit of email and web, in addition to providing gateway services for the handful of computers I’ve got laying around.

The only snag is that sometimes there are problems, and things need to be done from the command line. Like today, where my IP address was changed, and I had to renew my IP address. Hard to do when you’re at work and the box isn’t on the ‘Net anymore. If I suspect something is wrong with the connection, I’ve also got to take care of the basics before calling tech support. When I’m at work, this involves calling my wife, walking her through all the commands, and so forth. What I’d like is a simple web interface she could use that gives her relevant information, and the opportunity to reset the network cards. Failing that, she reads off what’s on the screen, and I’m able to call the support line.

Normally, this would be a job for some CGI. I’m going to do it a different way for two reasons:

1) Most of the commands will have to be executed as root, and doing it from a web server that runs as an unprivileged UID is just painful.

2) It’s not as fun as the way I’m going to show you.

To accomplish this task, we’re going to write a simple web server. “What language?”, you ask. “Bourne shell, of course!”

The big thing we’re going to rely on is xinetd. Recall that xinetd listens on the given port, and upon connection, calls the appropriate program. The input and output of the program is converted to network calls, which means that our simple shell script won’t need to know anything about networking.

First, we’ve got to choose a port number. “911” is appropriate, so I’ll add the following line to /etc/services to map the service name to the port number.

diag 911/tcp # diagnosis web server

Then, set up xinetd:

/etc/xinetd.d/diag:

    service diag
    {
        port            = 911
        socket_type     = stream
        wait            = no
        only_from       = 192.168.1.0/24,127.0.0.1
        bind            = 192.168.1.10,127.0.0.1
        user            = root
        server          = /usr/sbin/911.sh
        log_on_failure  += USERID
        disable         = no
    }

The only thing different about this one is that I’ve used only_from as an IP based ACL, and “bind” to only bind this port to my internal IP and to the loopback. This will prevent outside people from accessing our little web server. Restart xinetd to make the script take effect.

The “server” line above specifies the program that gets called when a connection comes in. So, without further ado, let’s edit /usr/sbin/911.sh:

———-CUT————-

    #!/bin/bash

    # Read in the request
    IN="blah"
    while [ -n "$IN" ]; do
      read IN
      # Strip EOL chars
      IN=`echo "$IN" | tr -d '\r'`
      # Keep a copy of every request line for inspection
      echo "$IN" >> /tmp/webserver
    done

    # Push out the header
    echo "HTTP/1.0 200 OK"
    echo "Content-type: text/html"
    echo
    echo "<b>Here I am!</b>"

———-CUT————-

The HTTP protocol is nice and simple. The web server answers the client’s call. The client sends headers, followed by a blank line. The server returns a response code, headers, a blank line, and then the raw data. The important header to return is “Content-type”, which lets the client know what’s coming. In this case it’s text/html (HTML), but it could just as easily be an image (image/gif).

So, the first thing we do in the script is enter a loop. Each go around the loop, we’ll read in something to the IN variable. So that the first one goes through, we’ll set it to “blah”.

Within the loop, read in one line from the input (read IN). The line will still have an end of line character attached, which has to be removed. Anything within backticks (`) is executed by the shell, and replaced by its output. In this case, IN is assigned the result of “echo "$IN" | tr -d '\r'”. tr is the TRanslate command, -d means “delete the following characters”, specifically '\r', the carriage return that ends each line of the request. Each line is then appended to /tmp/webserver for inspection. When the client sends the blank line, $IN is zero length, the -n (non zero length string) test fails, and we know we’re done with the headers.

If all works out, you’ll be able to hit

http://localhost:911/

and “Here I am!” should show up. If not, is 911.sh executable? (chmod +x 911.sh). Is the /etc/xinetd.d/diag file correct?

Turning our attention to /tmp/webserver, you can see what the client sent. Here’s the first couple of lines of mine:

    GET / HTTP/1.1
    Host: 192.168.1.10:911
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020513

That first line is the one we’re interested in, since it tells us what the client is requesting. Hit

http://localhost:911/foo?something

and see what shows up in /tmp/webserver

GET /foo?something HTTP/1.1

There is no rule saying a file has to be there, so we’ll use this as a way to send commands to the web server.

Right before the “done” from the while loop, add the following

    [ -z "$URL" ] && URL=`echo "$IN" | awk '/^GET/ {print $2}'`

That’s a mouthful! Stuff between [ ] means that you’re testing, in this case “-z $URL” means “Is $URL zero length?”. If that evaluates to “true”, meaning we haven’t assigned anything else to it, then the code on the right hand side of the && gets executed.

Again, we’ll use backticks to transform the input line, this time using AWK. The general form of an AWK command is

/pattern/ { action }

This AWK says “If the string starts with GET, then output the second column (the URL)”. Feel free to add “echo $URL” to the end of your script, and try again:

Here I am! You accessed /foo?something

To make things easier, we’re going to make two assumptions about this little application.

1) The action we’re specifying is an alphanumeric string, the tree is only one level deep. In this case, the action is “foo”.

2) The parameters, if any, are passed as a single string, not MIME encoded, and appear after the question mark. In this case, we’re passing “something”

(Those that have programmed CGI will likely shudder at the thought of encoding and decoding all those %XX in shell script, so we’ll avoid it entirely).

Right after the while loop to read the headers is finished is where the URL will be split up.

    ACTION=`echo "$URL" | awk -F \/ '{print $2}' | awk -F \? '{print $1}'`
    PARAM=`echo "$URL" | awk -F \? '{print $2}'`

Please excuse the inelegance, it would have been a lot more compact in PERL. Passing -F to AWK specifies the delimiter (normally it’s space or tab). Again, $N returns the N’th column. To get the action, the first awk takes what follows the first /, and the second drops the optional question mark and anything after it. The PARAM is simply anything after the question mark.

The rest is all downhill from here. Now that we have an action and an optional parameter, it’s pretty easy to execute the appropriate command.

    case $ACTION in
      ping)
        # Only report the packet loss figure
        /bin/ping -c 5 "$PARAM" | awk -F, '/packet loss/ {print $3}'
        ;;
      ifconfig)
        echo "<pre>"; /sbin/ifconfig -a; echo "</pre>"
        ;;
      reset)
        echo "<pre>"; /sbin/network restart; echo "</pre>"
        ;;
      *)
        echo "Whatchew talkin' 'bout, Willis?"
    esac

A case statement allows you to execute different actions based on a single variable. Here, if the action is ping, we ping, only returning the packet loss stats. If it’s ifconfig, then give ‘em an ifconfig. If it’s reset, then do that. A bit of well placed HTML, and we have a menu.

The script, in its entirety:

———-CUT————-

    #!/bin/bash

    # Read in the request
    IN="blah"
    while [ -n "$IN" ]; do
      read IN
      # Strip EOL chars
      IN=`echo "$IN" | tr -d '\r'`
      # Keep a copy of every request line for inspection
      echo "$IN" >> /tmp/webserver
      # The first GET line carries the URL
      [ -z "$URL" ] && URL=`echo "$IN" | awk '/^GET/ {print $2}'`
    done

    # Split the URL into the action and the optional parameter
    ACTION=`echo "$URL" | awk -F \/ '{print $2}' | awk -F \? '{print $1}'`
    PARAM=`echo "$URL" | awk -F \? '{print $2}'`

    # Push out the header
    echo "HTTP/1.0 200 OK"
    echo "Content-type: text/html"
    echo
    echo "<b>Unauthorized users will be executed</b><br>"
    echo "<a href=/ping?www.cramsession.com>Test remote connectivity</a><br>"
    echo "<a href=/ifconfig>Interface Status</a><br>"
    echo "<a href=/reset>Reset NICs</a>"

    case $ACTION in
      ping)
        /bin/ping -c 5 "$PARAM" | awk -F, '/packet loss/ {print $3}'
        ;;
      ifconfig)
        echo "<pre>"; /sbin/ifconfig -a; echo "</pre>"
        ;;
      reset)
        echo "<pre>"; /sbin/network restart; echo "</pre>"
        ;;
      *)
        echo "Whatchew talkin' 'bout, Willis?"
        ;; # default case
    esac

———-CUT————-

Not bad for 30 lines of shell script!

To summarize, we used xinetd to handle all the networking – the input and output of our script goes directly to the web browser. The request from the browser was stripped apart, which tells us the action the user wanted to perform, and any optional parameters. Depending on the action, the script runs certain commands. Security is handled by restricting who can access the script.
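The script runs as root and never checks the two assumptions made about the URL, so whatever follows the question mark reaches ping unchanged. As an added example (not part of the original newsletter), here is one way to enforce them before the case statement; parse_request, valid_host and route are hypothetical helper names, and the request lines at the bottom are constructed.

```shell
#!/bin/bash
# Added example, not part of the original 911.sh.
LC_ALL=C; export LC_ALL          # make [A-Za-z0-9] mean ASCII only
CR=$(printf '\r')

# parse_request LINE
# Splits an HTTP request line into the globals ACTION and PARAM.
# Returns 1 unless the line is "GET /action" or "GET /action?param"
# with an alphanumeric, single-level action (assumption 1 in the text).
parse_request() {
  line=${1%"$CR"}                # drop the trailing carriage return
  ACTION= PARAM=
  method=${line%% *}             # first word of the request line
  rest=${line#* }
  url=${rest%% *}                # second word of the request line
  [ "$method" = "GET" ] || return 1
  case $url in
    /*) url=${url#/} ;;
    *)  return 1 ;;
  esac
  case $url in
    *\?*) ACTION=${url%%\?*}; PARAM=${url#*\?} ;;
    *)    ACTION=$url ;;
  esac
  case $ACTION in
    ''|*[!A-Za-z0-9]*) ACTION= PARAM=; return 1 ;;
  esac
  return 0
}

# valid_host NAME
# Accepts only letters, digits, dots and hyphens, starting with a
# letter or digit, so the value can never be read by ping as an option.
valid_host() {
  [ -n "$1" ] || return 1
  [ "${#1}" -le 253 ] || return 1
  case $1 in
    [!A-Za-z0-9]*)     return 1 ;;   # leading "-" or "."
    *[!A-Za-z0-9.-]*)  return 1 ;;   # anything outside the host alphabet
  esac
  return 0
}

# route LINE
# Prints the one action the caller may run ("ping HOST", "ifconfig",
# "reset") or "unknown", which maps to the default case of 911.sh.
route() {
  if parse_request "$1"; then
    case $ACTION in
      ping)     valid_host "$PARAM" && { echo "ping $PARAM"; return 0; } ;;
      ifconfig) echo "ifconfig"; return 0 ;;
      reset)    echo "reset"; return 0 ;;
    esac
  fi
  echo "unknown"
  return 1
}

# Constructed request lines, for demonstration only
for req in "GET /ping?www.cramsession.com HTTP/1.1$CR" \
           "GET /ping?-x HTTP/1.1$CR" \
           "GET /reset HTTP/1.1$CR"; do
  route "$req" || true
done
```

In 911.sh the case statement would then switch on the output of route rather than on the raw $ACTION, and pass only the validated host to ping.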

The next time something happens to my cable modem, I don’t have to walk my wife through the command line. In the browser she’s already got open, I can have her do all the troubleshooting I need.

Long live the Penguin,

Sean mailto:swalberg@cramsession.com


2) Linux News


This Just In… Reuters to Offer Linux

“News and information provider Reuters Group Plc said on Thursday it would offer customers the alternative of running its market-data delivery system on Linux, in a bet that banks and brokerages will shift trading to the upstart Linux software.” The announcement includes a mention that they’ll be enlisting the help of Red Hat and HP/Compaq.

http://www.reuters.com/news_article.jhtml?type=technologynews&Story ID3874


“Our Software Sucks So Bad It Must Be Kept Secret”

Well, that’s not exactly what was said, but it’s a good summary. Microsoft is now claiming that any move to open up their APIs or software would harm national security. I don’t know where to begin on this one.

http://www.eweek.com/article/0,3658,s%253D701%2526a%253D26875,00.asp


QCumber Returns From Bootcamp

No, he hasn’t joined the Army! Cramsession employee QCumber took The Training Camp’s seven day Linux bootcamp, and came back a lean, mean, Linux using machine (and he’s certified to prove it). Thinking of some intense Linux training? Maybe this is the choice for you.

http://infocenter.cramsession.com/TechLibrary/GetHtml.asp?ID88


Are You A Linux Waif?

Are you living with a Linux user? Here are some signs that you might be affected by someone else’s Linux habits.

http://www.linuxjournal.com/article.php?sidX68


3) Linux Resources


VMWare: /tmp out of space?

If you’re like me, your disks are partitioned, and programs don’t have the luxury of storing several hundred megs in /tmp. Normally, this isn’t a problem except for VMWare. Here’s how to get it to use temporary space in the directory of your choosing.

http://www.vmware.com/support/linux/troubleshooting/disk_mem_ts_linux.html


An Introduction to Linux Scheduling

It’s the scheduler’s job to dole out time on the CPU to all the processes you’ve got running. It’s really an interesting part of the OS, since there are many tradeoffs that have to be made for efficient operation. This article goes through some of the basics of task scheduling in Linux.

http://www.monolinux.com/modules/news/article.php?storyid8


Conducting Virtual Meetings With Linux

What happens when a simple conference call can’t handle your needs? Need to share slides or a desktop? Allow hundreds of people to listen in? This series of articles looks at how it can be done under Linux.

http://www.linuxplanet.com/linuxplanet/tutorials/4199/1/


Daemon Monitoring Daemons

This is a good explanation of a common technique where programs on a system watch over other processes. If Apache died in the middle of the night, wouldn’t you rather have your computer try starting it up again than be paged? Daemon Monitoring Daemons will help you out.

http://linux.oreillynet.com/pub/a/linux/2002/05/09/sysadminguide.html


IPTables Usage

This article is about NAT and the IPTables features in the 2.4 kernel. The author makes use of some interesting features, such as filtering on the content of the packet. Well worth a read.

http://www.linuxjournal.com/article.php?sidX39


4) App o’ the Week

This week’s App is another game. I remember having an Air Traffic Controller game for DOS some time ago that was very addictive. Can’t find it any more, but this game seems to be quite close.

http://airtraffic.sourceforge.net/


(C) 2002 BrainBuzz.com, Inc. All Rights Reserved.




                    LINUX NEWS
     Resources & Links From www.CramSession.com
             Thursday, May 30, 2002


TABLE OF CONTENTS

1) Sean’s Notes

2) Linux News

Setting Up Hacker "Tripwires"

3) Linux Resources

Ximian CDs to Include Star Office
Linux vs SUN... Round N
Distros To Join Forces Against Red Hat
Linux Networks Much Cheaper Than Windows
X Clients, Servers, and Desktops, Oh My!

4) App o’ the Week



1) Sean’s Notes

Many admins are good about turning off the services that they don’t need, so that script kiddies don’t take over their computer a scant six hours after it is first plugged into the Internet. Somewhat fewer make use of ipchains/iptables, and TCP wrappers, to only allow trusted hosts to connect. Fewer yet monitor for updates to software, and apply them (this latter number is likely getting better now that distros are getting better about notifying users). However, protecting your computer is only half the security equation. We spend so much time preparing for the inevitable attack that we forget to make a plan to deal with those that are successful.

Periodic auditing goes a long way toward ensuring that you haven’t been the victim of a successful attack. The same auditing procedures are also helpful in determining the extent of the attack.

One program that is a lifesaver when it comes to auditing is Tripwire (http://www.tripwire.org/). Tripwire takes a snapshot of your system by storing checksums of critical files. If anything about those files changes, it’ll be flagged the next time you run a check.

If your distribution doesn’t include Tripwire, you can get it from the link above.

The basic steps in using Tripwire are:

  1. Set up your keys and files you want to monitor
  2. Initialize the database
  3. Periodically check for changes
  4. Update database with approved changes, or act on unapproved ones

The last point bears mentioning – Tripwire only tells you that files have changed, it’s up to you to figure out if it was a legitimate change or not. If it was, Tripwire has the facilities to update the main database.

When you install Tripwire, it gives you a shell script called “twinstall.sh” (check /etc/tripwire/). When you run it, the first thing it will do is prompt you (twice) to enter a password for your site. After that, it prompts you to enter a local keyfile passphrase (twice again). The difference between them will soon be apparent. Make ‘em difficult to guess. At least 8 characters, use numbers and capitals too! Then, write them down, and keep them in a safe place. If you read what it spits out carefully, it suggests that you delete the two .txt files (twcfg.txt and twpol.txt). You can do so safely; we’ll see soon how to retrieve them.

By default, Tripwire comes with a comprehensive list of files that it monitors, so we’ll jump over to initializing the database.

    tripwire --init

Your system will get quite busy for a few minutes as tripwire goes through your system and calculates checksums for the files (checksums are one way functions, such that if you change any of the input, such as the file, the output changes. Since a checksum is usually around 20 bytes, it’s a lot easier to store than a copy of the file itself)

If you look in /var/lib/tripwire, you’ll see a .twd file in there. That’s your Trip Wire Database. Between that, and the files in /etc/tripwire, you’ve got a snapshot of your database.

Time to run our first check of the system:

    tripwire --check

The report that gets spit out is quite comprehensive. For example, I ran the following:

    cd /sbin
    cp hdparm hdparm.tmp
    echo a >>hdparm

That made a copy of hdparm, and then modified the original to have an ‘a’ at the end. Look what Tripwire found:


    Rule Name: User binaries (/sbin)
    Severity Level: 66
    Added: "/sbin/hdparm.tmp"
    Modified: "/sbin"

    Rule Name: File System and Disk Administraton Programs (/sbin/hdparm)
    Severity Level: 100
    Modified: "/sbin/hdparm"

There’s no fooling Tripwire!
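What a check like this does under the hood, as an added sketch that is not Tripwire's code and not part of the original newsletter: record a checksum per file, then compare a later snapshot against that baseline. It repeats the hdparm experiment in a scratch directory and also removes a file to show the third case; it assumes GNU sha256sum and mktemp, the helper names snapshot, compare and demo are made up here, and unlike Tripwire it does not sign its baseline.

```shell
#!/bin/sh
# Added example: a minimal checksum baseline and comparison.

# snapshot DIR
# Prints one "hash  ./path" line for every regular file under DIR.
snapshot() {
  ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# compare BASELINE CURRENT
# Reports files that were added, modified or removed between two
# snapshot files. The hash is the first 64 characters of each line and
# the path starts at character 67, so paths with spaces are handled.
compare() {
  awk '
    FILENAME == ARGV[1] { old[substr($0, 67)] = substr($0, 1, 64); next }
    {
      path = substr($0, 67); seen[path] = 1
      if (!(path in old))                       print "Added: " path
      else if (old[path] != substr($0, 1, 64))  print "Modified: " path
    }
    END { for (p in old) if (!(p in seen)) print "Removed: " p }
  ' "$1" "$2" | sort
}

# demo
# Rebuilds the experiment from the text with constructed files in a
# temporary directory instead of the real /sbin.
demo() {
  work=$(mktemp -d) || return 1
  mkdir "$work/sbin"
  printf 'original\n' > "$work/sbin/hdparm"
  printf 'other\n'    > "$work/sbin/fsck"

  # The baseline lives outside the directory being watched
  snapshot "$work/sbin" > "$work/baseline.db"

  cp "$work/sbin/hdparm" "$work/sbin/hdparm.tmp"   # added file
  echo a >> "$work/sbin/hdparm"                    # modified file
  rm "$work/sbin/fsck"                             # removed file

  snapshot "$work/sbin" > "$work/current.db"
  compare "$work/baseline.db" "$work/current.db"
  rm -rf "$work"
}

demo
```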

You’ll also notice that a lot of files were missing. That’s the trouble of going with defaults. The policy file is what tells Tripwire what it’s supposed to check. However, we erased the plaintext version after running twinstall.sh, which means we’ll have to retrieve it first:

    twadmin --print-polfile > twpol.txt
    vi twpol.txt
    twadmin --create-polfile twpol.txt

    Please enter your site passphrase:
    Wrote policy file: /etc/tripwire/tw.pol

“twadmin” is used to manage policy files and the like. --print-polfile prints the current policy to STDOUT, which I’ve redirected to twpol.txt. On the second line, I edit it to remove the lines I don’t want, or to add more. Then, I create the new policy file. You’ll notice I’m being prompted for the site password – all configuration files are signed by the site key, so that no one can alter the list without your knowledge. By contrast, the local key is used whenever you need to make changes to the database. If a cracker were to think he were smart by modifying the database, that change would be noticed. Again, there’s no fooling Tripwire!

If you want to update the policy and the database at one go, you can use

    tripwire --update-policy twpol.txt

instead of the last step. Otherwise, reinitialize the database with --init.

After the --check, you’ll see that /var/lib/tripwire/report has a .twr (Trip Wire Report) file in there. In order to update the database, we’ll need that.

    tripwire --update --twrfile \
      /var/lib/tripwire/report/FILENAME.twr

You’ll be presented with a copy of the report, along with

[X]

next to every change. If the X is left there, the change will be written to the database once you exit the editor (and provide your local password, of course). Take it out, and it won’t be written to the database. Simple, eh?

Even though the complex system of signing databases and configuration files will protect against tampering, it doesn’t stop the files from being deleted by a frustrated cracker. Sure, you know you’ve been hacked, but you still don’t know what was changed. Therefore, keep a copy of all your keys on a CD. Keep another copy of the database somewhere in case the signature doesn’t check out.

Using Tripwire is an effective way of making sure nothing has been changed without your knowledge. Run the check every so often (Red Hat puts it as a daily cron job).

Red Hat also gives some good instructions on how to use Tripwire:

http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/ch-tripwire.html

Security is all about diligence. Some time spent at the onset can save you a lot of time later on.

Long live the Penguin,

Sean mailto:swalberg@cramsession.com


2) Linux News


Ximian CDs to Include Star Office

For a mere $60, you’ll be able to get a CD with both Ximian GNOME, and Star Office. This is part of a recent partnership announced earlier by Ximian and SUN. Solaris users also will find that Ximian Connector will soon be available, allowing you to connect to an Exchange 2000 server from your SUN workstation.

http://ximian.com/about_us/press_center/press_releases/soffice_6.html


Linux vs SUN… Round N

I’m always interested in the way that the Linux community interacts with the commercial heavyweights such as SUN. Dr. Tormasov for SWSoft has responded to SUN propaganda earlier, and his latest letter is incisive.

http://www.sw-soft.com/en/news/id%2c1111


Distros To Join Forces Against Red Hat

We’re expecting that today Caldera, Conectiva, SuSE and Turbolinux will announce that they’re joining up forces to work on a single distribution that can hopefully compete against Red Hat. I’m not exactly thrilled by this, as SuSE might come out on the short end of the stick. I’ll be looking forward to seeing the final announcement.

http://newsforge.com/newsforge/02/05/29/138258.shtml?tid=3

http://www.eweek.com/article/0,3658,sp1&a’405,00.asp


Linux Networks Much Cheaper Than Windows

“The study (which looked at purchasing and operating costs) aimed to benchmark TCO for an organisation with 250 users, over three years. The costing models included staff costs, application licences, maintaining servers and workstations and networking, as well as miscellaneous systems costs.”

http://www.theregister.co.uk/content/5/25148.html


3) Linux Resources


X Clients, Servers, and Desktops, Oh My!

One of the things I’ve always found confusing about X-Windows is the relationship between clients, servers, window managers, desktop environments, and whatever else is needed to make it all work. Here’s a great explanation, along with other useful stuff such as how to change your desktop environment… or is that window manager?

http://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/ref-guide/s1-x-clients.html


Cramsession Security Newsletter

Security has always been a great topic, which is why I’m happy to see that Cramsession (the guys that bring you this newsletter) have started up a security newsletter. First issue has already gone out, so subscribe before you miss any more!

http://newsletters.cramsession.com/signup/default.asp


Need Some Case Studies

Linux guru and frequent poster “linux_boy” has posted his list of case studies and industry reports dealing with Linux. Quite a bit of stuff here!

http://boards.cramsession.com/boards/vbm.asp?mV3625


K-12 Linux Terminal Server Project

Here’s some great information on how one school used the K-12 LTSP to cut costs and increase productivity in their computer labs. Information on costs and other functionality can be found here.

http://www.linuxplanet.com/linuxplanet/reports/4216/2/


Linux and Aviation

“This document is intended to provide pointers to software packages that run under the Linux operating system and are useful to private, commercial, or military pilots. The ultimate goal is to enable pilots to use the Linux operating system for all their aviation related computing needs, totally eliminating the need for other operating systems. I want to encourage pilots who are already using Linux to contribute to this document, either by providing pointers to existing software, or by writing new applications for Linux.”

http://ibiblio.org/fplan/Aviation-HOWTO/Aviation-HOWTO.html


4) App o’ the week

lbnamed is a name server written in perl. The difference is that instead of reading from static files, requests can be handled by perl code. For example, you might normally do round robin DNS for a web farm. With lbnamed, you could have it always return the server that has the lowest load average.

http://www.stanford.edu/~riepel/lbnamed/

