The Fix!!!

sudo !!

Typing that will execute the last command, but it will execute it as if you had typed sudo at the beginning. This is a huge time saver.

[user@host ~]$ ls /home
user
[user@host ~]$ cd !*
cd /home
[user@host home]$ 

Enjoy!

Internet Based:

• Dropbox – This application allows me to share files between all of my platforms. It works very similar to how subversion works, but commits the files automatically after they have been added to the directory. They are stored encrypted on the Dropbox servers so the information is safe from prying eyes.
• Twitter – I never got the whole twitter thing for a long time, but it is nice to know what my friends are up to.
• Facebook – Probably the only decent social networking site out there
• LinkedIn – Business social networking.
• del.icio.us – Social bookmarking.
• Pownce – Similar to twitter, but does more for media sharing.

On the Desktop:

• Eclipse with Pydev – I have done a lot of switching of IDEs, I sometimes go back to Komodo Edit, but for the most part I have found Pydev to be one of the best IDEs for Python development
• Textmate – For a lot of things I hate Textmate. For a long time I was against code completion, but lacking drop down code completion is something I dislike a great deal about Textmate. I have found Textmate to be great for editing JSON by hand, and for a quick edit on pretty much any type of source. It also happens to be the best “notepad” alternative on the Mac. What I use Textmate for most of all is notes. I have a few directories and I run “mate” on it giving me a great environment for keeping notes.
• Zend Studio for Eclipse – I use Zend Studio for almost all of my PHP development. It is a fantastic product and the only times I don’t really use it are when I have a quick edit to make. In those cases I usually pick Textmate (on the Mac) and UltraEdit (on Windows)
• UltraEdit – UltraEdit doesn’t have drop down completions or a lot of other fancy IDE features, for it is a super powerful editor and I have been using it for about 6 years now and don’t plan on stopping. It took time getting used to it, but once I did I find myself using it for more than I ever thought I would.
• TortoiseSVN – The best subversion client you can find. I have tried a lot of the ones for Mac and Windows and I really haven’t found on that works as well or gives just the right features as TortoiseSVN.
• FlashFXP – I rarely use FTP, but when I do FlashFXP is my choice. I wish it included SFTP/SSH support, but hopefully they will do a rewrite at some point and it will be included.
• Beyond Compare – Probably the best text comparison tool I have ever used. In addition to comparing file contents you can do various checks on file themselves, which helps when comparing directories full of files.
• AnalogX Capture – I use this to capture website designs that motivate me or inspire me.
• Windows XP – My primary desktop runs Windows, and while so many have so much to say about an operating system they know very little about tuning and maintaining I still enjoy using Windows for many tasks.
• Mac OS X, Leopard – My work laptop is a Mac Book Pro running Leopard, and I enjoy using it more than any other system so I find myself doing a decent amount of work on it.
• Ubuntu – As for a Linux desktop I use Ubuntu since it saves time getting things setup and there is a lot of software available for the distro.
• Firefox – One of the best browsers, and super awesome on Mac OS X.
• VLC – Video player that handles playing DVD ISOs directly and supports virtually any format.
• Vienna – Feed reader for Mac OS.
• Things – Todo list application with a lot of features.
• iTerm – Terminal application for Mac OS.
• AdiumX/Pidgin – Multi service chat clients
• XChat/XChat Aqua – One of the best IRC clients, and the Mac OS port of it.
• sshfs/MacFUSE – sshfs is one of the greatest tools, you’ll never need a sftp client again.
• Twitterific – Mac OS twitter client
• screen – Essential tool for anyone working on Unix/Linux systems. Allows you to detach a session and disconnect while keeping your session active on the system.
• bash – No explanation needed
• Transmission – Bit torrent client for Mac OS. Supports IP block lists.
• VMware Fusion – Virtualization software for Mac OS.
• ssh/scp/sftp – Remote terminal, file transfer.

On the Server:

• memcached – A high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load.
• Apache – Web server that has stood the test of time and handles significant traffic.
• Subversion/mod_dav_svn – Popular revision control
• Django/mod_python – Python web framework and the Apache module that can handle heavy work load.
• PHP – Don’t need to explain this one
• MySQL – Or this one.
• Solr – Lucene based index software. Very fast, and fairly easy to configure and use.
• screen, bash, ssh, and sftp are also used on the server.

Planned for the Future:

• PostgreSQL – PostgreSQL is a powerful, open source relational database system. It has more than 15 years of active development and a proven architecture that has earned it a strong reputation for reliability, data integrity, and correctness.
• pgAdmin III – The most popular and feature rich Open Source administration and development platform for PostgreSQL
• Varnish – Varnish is a state-of-the-art, high-performance HTTP accelerator. It uses the advanced features in Linux 2.6, FreeBSD 6/7 and Solaris 10 to achieve its high performance.
• Fabric – Fabric is like the Python capistrano
• Capistrano – Capistrano is a tool for automating tasks on one or more remote servers. It executes commands in parallel on all targeted machines, and provides a mechanism for rolling back changes across multiple machines.
• Pound, Perlbal, and Nginx – Reverse proxy load balancer and web servers
• mod_wsgi – What appears to be a better what to run Django in Apache
• ActiveMQ – Popular and powerful open source Message Broker and Enterprise Integration Patterns provider.
• Solaris and OpenSolaris – Unix-based operating system introduced by Sun Microsystems in 1992 as the successor to SunOS.
• Django Debug Toolbar – The Django Debug Toolbar is a configurable set of panels that display various debug information about the current request/response.
• Git – Open source version control system designed to handle very large projects with speed and efficiency, but just as well suited for small personal repositories
• ShellEd – ShellEd is a superb shell script editor for Eclipse. The great benefit of this plugin is the integration of man page information for content assist and text hover.
• Erlang – Erlang is a programming language designed at the Ericsson Computer Science Laboratory.

Recently someone on the SoCal LinuxUsers mailing list was asking for information, a checklist or sorts on procedures to lock down your Linux box when putting it on the big bad internet. I will probably collect a lot more of these and make a real checklist, but this will get you started. Note that some of the configuration directives for OpenSSH are already set by default, I prefer to make the change in the config file anyway to ensure those things are set. You never know when an error might occur in an update and something could have been maliciously changed in the code or an accident happened.

• Install and Configure DenyHosts

  DenyHosts will add hosts to your /etc/hosts.deny file based on criteria you set and if you like it can download a file which is updated with hosts currently violating DenyHosts policies on other machines. For a lot of services you have to run them in xinetd or inetd for TCP wrappers to work, without TCP wrappers being involved in the daemon hosts.deny/hosts.allow will do nothing for you. The alternative to xinetd and inetd being involved is support for the libwrap library, which most OpenSSH packages have built in when compiled. You can check if a daemon has libwrap support by following the guide on ducea.com ((How to find out if a daemon was build with TCP Wrappers support)).

  All about Linux has a good post explaining how to use TCP wrappers to secure Linux ((All about Linux: Using TCP Wrappers to secure Linux)).

• Remove root access via ssh

  You really shouldn’t be logging in as root anyway, but there are times when ’sudo command‘ just is annoying. If you really don’t need the audit trail ’sudo su’ will give you root access, but that should only be used when you have a large numbers of commands that need to be run as root and when you don’t need the audit trail. You should never give someone the opportunity to brute force your root password, so adding this to /etc/ssh/sshd_config will disallow root from ever logging in through ssh.

  PermitRootLogin no

• Set LoginGraceTime and MaxAuthTries

  These are good to add, but I feel with a lot of other things we are doing they aren’t a must.

  LoginGraceTime
       The server disconnects after this time if the user has not suc-
       cessfully logged in.  If the value is 0, there is no time limit.
       The default is 120 seconds.
  
  MaxAuthTries
       Specifies the maximum number of authentication attempts permitted
       per connection.  Once the number of failures reaches half this
       value, additional failures are logged.  The default is 6.
  

  LoginGraceTime 2m
  MaxAuthTries 3

• Set MaxStartups

  Prevent the number of concurrent unauthenticated connections, this would slow down a brute force attack

  MaxStartups
       Specifies the maximum number of concurrent unauthenticated con-
       nections to the SSH daemon.  Additional connections will be
       dropped until authentication succeeds or the LoginGraceTime ex-
       pires for a connection.  The default is 10.
  

  MaxStartups 3

• Set PermitEmptyPasswords

  It isn’t impossible for there to be a user with a blank password, mistakes happen, but this will prevent someone from logging in with that user.

  PermitEmptyPasswords no

• Set AllowUsers/AllowGroups in sshd_config

  By specifying what users are allowed to connect you are locking down the possibility of a successful brute force or dictionary attack on ssh, but this also helps prevent system access via a known internal username/password that really doesn’t need access via ssh. An example would be if you had a user that services were running under and had permissions to certain things, but nobody really needed to directly login as that user. So you can now add a user, say ‘johndoe’ to AllowUsers and give him the password to another user say ’sysadmin’, who happens to have the ability to sudo commands. You have now just made it so that an attacker would have to gain access to two accounts to run a sudo command as the sysadmin user. There are of course other things that an attacker could do to gain root/sudo access, but this is creating another layer of protection. If you use the AllowGroups method you can have a group of users that can access the server via ssh, and just add and remove users as you need to without having to update and reload the sshd_config.

  When specifying AllowUsers you can have a single username or a username and host.

  AllowUsers johndoe janedoe@10.10.10.1

  Specifying addresses will really help to secure who can login and where they can login from. For my Endian box at home I have a user account linked to an IP address at work and separate non-privileged user with the IP address of a remote VPS. I also have it linked to two IP addresses that are local to the machine. You may ask why go through the trouble, but what this does for me is it allows me to login directly from my desktop and laptop while at home, and from my laptop while I am at work, but if I am at a remote location, say a friends house, I must first login to a VPS. As we add a few more configuration changes to locking down the machine you will see how when these are combined it really helps prevent someone accessing the machine.

• Turn on Public Key authentication for ssh

  The article I wrote for this was moved to this site, the title is SSH Public Key Authentication ((SSH Public Key Authentication))

• Configure the firewall

  I avoid setting up mail as much as I can so my firewall rules are pretty limited. I block drop all traffic except traffic on ports 22, 80 and 443. If I have anything else running on the inside I access it using tunnels

• Setup remote logging via syslogd

  If you have another server you can setup remote logging via syslogd or its variants. The benefit of this is that if a machine was compromised the attacker would then have to compromise the server receiving the logs to remove the entries showing his attack on the machine.

• Install Logwatch

  Install and enable logwatch and set it to the highest level of detail. This will send you an email with login attempts, denyhost log entries, and a lot of good system information. If someone breaks in the logs will be useless if they are good, but it is nice to receive an email letting you know what people are attempting to do and what is going on.

• Setup various password rules.

  Ubuntu has a guide regarding user management ((User Management)), which will tell you how to setup password length rules and password expiration rules.

• Check for rootkits

  Two really good tools for checking rootkits and some other various things on systems are chkrootkit and rkhunter. I prefer rkhunter.

There are tons of articles on securing systems all over the internet and I recommend you do some research on more methods of locking down a server it would be very hard for me to list everything you should/could do. Intrusion detection, setting up jails, and so much more will help you secure your system, but don’t forget about the physical access to machines. If someone has physical access to a machine they will most likely gain access to the system if they know what they are doing.

Before beginning the following should be set on the remotemach in /etc/ssh/sshd_config

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys

On the local machine type the following

ssh-keygen -t rsa -b 2048

This will create a 2048bit RSA key. It will ask you where you would like to put these keys, in Linux the default is ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub

We now need to copy this key to the remote server, remotemach.

ssh-copy-id user@remotemach

What this does is log into the remote machine and add the key to /home/user/.ssh/authorized_keys. I am going to skip the password part for now so we don’t lock ourselves out. If you do not have ssh-copy-id on your machine you can cat the “.pub” file and copy that to the ~/.ssh/authorized_keys on the remotemach

The next thing you want to do is run the following commands on the localmach.

exec ssh-agent /bin/bash
ssh-add

If you changed the name of the file from id_rsa you will need to specify which identity you want to add for ssh-add. With ssh-agent running and the identity added you should now be able to login without a password.

ssh user@remotemach

If you were able to login without the use of a password, you can proceed to editing the /etc/ssh/sshd_config. If you were not able to login without a password repeat the procedure and see if you are able to fix it. I did have trouble once or twice and repeating it fixed whatever was wrong.

Open /etc/ssh/sshd_config and find the PasswordAuthentication configuration directive and make sure it is set to no and uncommented.

PasswordAuthentication no

You can now run the following command to commit the changes to the current sshd process

sudo /etc/init.d/sshd reload

What does all this do?

1. Removes the ability to login to the server with a password, you can only login to the server using a public key.

2. Limit the machine that you can login from. The remotemach must have the key for the localmach in the authorized_keys file before authentication can be performed.

If you chose to enter a password when creating your key and you did not setup ssh-agent and ssh-add you will be prompted for a password to decrypt the key. Do not confuse that with a standard password based login, which you are probably used to.