
January 31, 2006

SELinux: Fix HTTPD 'Access Denied' Problem

I reconfigured the httpd service and changed DocumentRoot. However, each time I tried to visit the web site I got an 'access denied' error. Checking the error log under /var/log/httpd, I found lines like:

[Mon Jan 30 20:01:09 2006] [error] [client 127.0.0.1] (13)Permission denied: access to / denied

As I believed the permissions on the DocumentRoot were set correctly (0755, which is quite standard), I suspected the ill-famed SELinux was doing its trick again. This time I just did the "brutal" job: disable SELinux protection on httpd completely:
setsebool -P httpd_disable_trans 1
/sbin/service httpd restart

Then... exactly as I expected, the "access denied" error disappeared.

Now what an ironic story: I initially wanted to secure my whitebox with SELinux, yet I ended up completely disabling it for the ftp, samba, and http services. I really wonder how many end users are utilizing SELinux in a serious way...

January 29, 2006

Stop SSH Brute Force Attack: Limit SSH Login Accounts

Since the whitebox's SSH, FTP and HTTP services are exposed to the internet, it receives a large number of brute force login attempts. tail -100 /var/log/secure gave me a lot of warnings like the following:

Jan 29 08:21:01 whitebox sshd[4414]: Failed password for nobody from 218.24.139.109 port 35958 ssh2
Jan 29 08:21:06 whitebox sshd[4417]: Invalid user patrick from 218.24.139.109
Jan 29 08:21:08 whitebox sshd[4417]: Failed password for invalid user patrick from 218.24.139.109 port 40135 ssh2
Jan 29 08:21:11 whitebox sshd[4419]: Invalid user patrick from 218.24.139.109
Jan 29 08:21:14 whitebox sshd[4419]: Failed password for invalid user patrick from 218.24.139.109 port 43318 ssh2
Jan 29 08:21:19 whitebox sshd[4422]: Failed password for root from 218.24.139.109 port 46797 ssh2
Jan 29 15:36:11 whitebox sshd[6282]: Did not receive identification string from 65.18.181.235
Jan 29 15:41:24 whitebox sshd[6303]: Failed password for root from 65.18.181.235 port 1150 ssh2
Jan 29 15:41:28 whitebox sshd[6305]: Failed password for root from 65.18.181.235 port 1654 ssh2

BTW, you really should take a look at your /var/log/messages and /var/log/secure; you will be surprised by the number of failed logins from nowhere.

As a first attempt to fight brute force attacks, I would like to limit the accounts that can log in through SSH. My practice is to create a hard-to-guess account id with a very strong password for SSH login only. Once in, I can su to other users for user-specific work. Hopefully this reduces the chance of a brute force break-in.

1. Edit file /etc/pam.d/sshd, add the following line as the first line:
auth required pam_listfile.so sense=allow item=user file=/etc/ssh/ssh_allow_users onerr=fail

2. Create a new file /etc/ssh/ssh_allow_users, and put in it the user id that is allowed to log in over SSH. You may actually put multiple user ids in this file, each on a separate line, for example:
jihe
lucy

Edit 10/26/2007: My thanks to Eric Rideough for pointing out a typo on the filename above. I mis-typed the filename as ssl_allow_users in my previous post.

3. Do /sbin/service sshd restart. Test SSH login with allowed accounts above, SUCCESSFUL. Test SSH login with other system accounts not in the whitelist above, FAILED. ALL DONE.
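As an added example (not from the post): a short Python script that aggregates the failed-login lines quoted above per source address and checks that no accepted login bypassed the pam_listfile allowlist. The log text is a constructed sample in /var/log/secure format (the failed attempts are the ones from the post; the 192.168.2.3 login is made up), and the allowlist content is the two names from step 2.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format sshd writes to /var/log/secure. The failed-login
# lines mirror the ones quoted in the post; the last line is an added successful login.
SECURE_LOG = """\
Jan 29 08:21:01 whitebox sshd[4414]: Failed password for nobody from 218.24.139.109 port 35958 ssh2
Jan 29 08:21:06 whitebox sshd[4417]: Invalid user patrick from 218.24.139.109
Jan 29 08:21:08 whitebox sshd[4417]: Failed password for invalid user patrick from 218.24.139.109 port 40135 ssh2
Jan 29 08:21:19 whitebox sshd[4422]: Failed password for root from 218.24.139.109 port 46797 ssh2
Jan 29 15:36:11 whitebox sshd[6282]: Did not receive identification string from 65.18.181.235
Jan 29 15:41:24 whitebox sshd[6303]: Failed password for root from 65.18.181.235 port 1150 ssh2
Jan 29 15:41:28 whitebox sshd[6305]: Failed password for root from 65.18.181.235 port 1654 ssh2
Jan 29 16:02:10 whitebox sshd[6400]: Accepted password for jihe from 192.168.2.3 port 50122 ssh2
"""

# Contents of /etc/ssh/ssh_allow_users, one user per line as in step 2.
ALLOW_USERS_FILE = "jihe\nlucy\n"

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
PROBE_RE = re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")


def parse_allow_users(text):
    """Parse the pam_listfile user file: one name per line, blank lines ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def failures_by_source(log_text):
    """Count 'Failed password' lines per source address and record the accounts tried.
    'Invalid user' lines are not counted: each one is followed by a 'Failed password'
    line for the same attempt, so counting both would double the figure."""
    fails, users, probes = Counter(), defaultdict(set), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            fails[ip] += 1
            users[ip].add(user)
            continue
        m = PROBE_RE.search(line)
        if m:
            probes[m.group(1)] += 1  # connect without a client banner: typical scanner noise
    return fails, users, probes


def accepted_outside_allowlist(log_text, allow_users):
    """Successful logins for accounts missing from the allowlist. Any hit means the
    pam_listfile rule is not in effect (wrong filename, sshd not restarted, ...)."""
    return [m.groups() for m in map(ACCEPTED_RE.search, log_text.splitlines())
            if m and m.group(1) not in allow_users]


def report(log_text, allow_text, threshold=3):
    """Sources with at least `threshold` failures, accounts tried, probes, and allowlist violations."""
    fails, users, probes = failures_by_source(log_text)
    return {
        "noisy_sources": {ip: n for ip, n in fails.items() if n >= threshold},
        "tried_accounts": {ip: sorted(u) for ip, u in users.items()},
        "probes": dict(probes),
        "allowlist_violations": accepted_outside_allowlist(log_text, parse_allow_users(allow_text)),
    }


if __name__ == "__main__":
    for key, value in report(SECURE_LOG, ALLOW_USERS_FILE).items():
        print(key, value)
```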

January 26, 2006

Enable File Sharing (Samba) Service

Task: Share a folder with read/write access for the other home-network computers. This also enables other computers to reach the whitebox by its name instead of its IP address.

A. Open ports for SMB and NMB

A.1) SSH to whitebox, su
A.2) Do /usr/sbin/lokkit, then "Customize", append "137-139:udp 445:tcp" to the allowed other ports. Save and exit.
A.3) Do /sbin/iptables -L and see:

[root@whitebox ~]# /sbin/iptables -L
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW udp dpt:xdmcp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:x11
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-ns
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:microsoft-ds

ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

which is GOOD.


B. Configure SMBD Service

B.1) Edit /etc/samba/smb.conf and make the following changes:

# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = HomeNetwork
# allow home network connection only (from 192.168.2.* and 127.*.*.*)
hosts allow = 192.168.2. 127.
#Password file
smb passwd file = /etc/samba/smbpasswd
# Unix users can map to different SMB User names
username map = /etc/samba/smbusers
# Cause this host to announce itself to local subnets
remote announce = 192.168.2.255
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
wins support = yes
# share /opt as "share" to be fully accessible by UNIX user "root"
[share]
comment = Public File Farm
path = /opt
writeable = yes
printable = no
create mask = 0755
browseable = no
valid users = root

Save changes. Do
testparm
to test samba settings. All passed.
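The hosts allow line above is what this post later relies on when SELinux is turned off for smbd, so it is worth checking exactly which clients it admits. The following Python, added here and not the post's or Samba's own code, evaluates Samba's hosts allow / hosts deny rules for IPv4 entries (full address, trailing-dot prefix, network/mask, EXCEPT) as documented in smb.conf; hostnames and netgroups are left out.

```python
import ipaddress

# smb.conf values from the post: the home LAN and loopback, no deny list.
HOSTS_ALLOW = "192.168.2. 127."
HOSTS_DENY = ""


def _token_matches(token, addr):
    """One entry of a hosts allow/deny list against an IPv4Address.
    Only IP forms are handled here; hostnames, netgroups and interface names are not."""
    text = str(addr)
    if token.upper() == "ALL":
        return True
    if token.endswith("."):                 # partial address: "192.168.2." is a dotted prefix
        return text.startswith(token)
    if "/" in token:                        # network/netmask or network/bits
        return addr in ipaddress.ip_network(token, strict=False)
    return text == token                    # full address


def _list_matches(entries, addr):
    """Samba list semantics: entries before EXCEPT grant, entries after it carve out."""
    tokens = entries.replace(",", " ").split()
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        granted, excepted = tokens[:i], tokens[i + 1:]
    else:
        granted, excepted = tokens, []
    return (any(_token_matches(t, addr) for t in granted)
            and not any(_token_matches(t, addr) for t in excepted))


def allow_access(client_ip, hosts_allow=HOSTS_ALLOW, hosts_deny=HOSTS_DENY):
    """Decide whether a client address may connect, following smb.conf's rules:
    no lists -> allow; allow list only -> listed hosts only; deny list only -> everyone
    else; both lists -> allow list wins a conflict, then the deny list applies."""
    addr = ipaddress.IPv4Address(client_ip)
    allow_set, deny_set = bool(hosts_allow.split()), bool(hosts_deny.split())
    if not allow_set and not deny_set:
        return True
    if allow_set and not deny_set:
        return _list_matches(hosts_allow, addr)
    if deny_set and not allow_set:
        return not _list_matches(hosts_deny, addr)
    if _list_matches(hosts_allow, addr):
        return True
    return not _list_matches(hosts_deny, addr)


if __name__ == "__main__":
    for ip in ("192.168.2.6", "127.0.0.1", "192.168.20.5", "218.24.139.109"):
        print(ip, "allowed" if allow_access(ip) else "denied")
```

Note that 192.168.20.5 is denied: the trailing dot makes the prefix match on the dotted text, so "192.168.2." does not cover 192.168.20.x.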


B.2) Edit /etc/samba/smbusers, append line
# Remote Windows user name jhe is mapped to local user name "root"
root = jhe

B.3) Initialize the samba password file, do
grep '^root:' /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
Check the content of /etc/samba/smbpasswd, and see
#
# SMB password file.
#
root:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UD ]:LCT-00000000:
which is GOOD.

B.4) Set root's password for samba, do
smbpasswd root
and set the new password.
Check file /etc/samba/smbpasswd and see the line is updated to:
root:500:[long encoded password string]
which is GOOD.

B.5) Set the samba service to start automatically upon reboot, do
/sbin/chkconfig --level 345 smb on

B.5) Start service, do
/sbin/service smb start
Services smbd and nmbd both started successfully.

B.6) Test NetBIOS name resolution: in a Windows command prompt, do
ping whitebox
and see the IP address resolved. Also visit
http://whitebox
and got the default "Fedora Core Test Page" web page loaded.

B.7) Test the samba connection: in Windows Explorer, try to access "\\whitebox" -- was asked for a login id/password. Typed the Windows user name (jhe) and the corresponding samba password set in B.4. REJECTED. Check the system messages by
tail -100 /var/log/messages
and see errors like:

Jan 26 19:25:20 whitebox smbd[5420]: [2006/01/26 19:25:20, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(279)
Jan 26 19:25:20 whitebox smbd[5420]: startsmbfilepwent_internal: failed to set 0600 permissions on password file /etc/samba/smbpasswd. Error was Permission denied
Jan 26 19:25:20 whitebox smbd[5420]: .Unable to open passdb database.

Checked the permissions of /etc/samba/smbpasswd and found they were correct (0600). Suspected this is related to SELinux again. So I did a Google search with the above error string. Unfortunately there were not many discussions on this problem besides this.

B.8) Tried the below:
touch /.autorelabel
reboot
After reboot, checked the contents under / and found that the file .autorelabel had disappeared and a new file .autofsck had been created. This still remains a mystery to me.

Then retried step B.7). Surprisingly, this time I was able to browse the contents of the server and the shared folder, and copy files FROM the shared folder. However, I was NOT able to write files or create new folders IN the shared folder.

I still suspect there are some unresolved SELinux issues.

Update Jan 28, 2006
B.9) As I suspected there was still some problem with SELinux, I did more Google searching and found this email archive. I then tried
man samba_selinux
and understood I needed to deal further with the FILE_CONTEXTS. Following the manual, I did the following configuration:
a) Do chcon -t samba_share_t /opt
b) Create a new file /etc/selinux/targeted/contexts/files/file_contexts.local, with the following line:
/opt(/.*)? system_u:object_r:samba_share_t
c) Do setsebool -P samba_enable_home_dirs 1, and then
d) /sbin/service smb restart

Then I tried to access the shared folder from a Windows box and create a file/folder. I was able to create a new file/folder under the shared folder "share" (i.e. /opt); however, I was NOT able to create a new file/folder under any sub-folder of "share".

My guess was that I needed to further change the regular expression in file_contexts.local. However, I was running out of time today. So I decided to temporarily bypass SELinux protection on the samba service -- after all, my samba server allows connections from the home network (192.168.2.x) only. So I did
/usr/sbin/setsebool -P smbd_disable_trans 1
and then
/sbin/service smb restart

All writing problems seem to be gone, which is both good and bad -- remember my samba is not protected by SELinux now...
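Two SELinux labelling questions are left open on this page: the relocated httpd DocumentRoot at the top, and why writes under sub-folders of /opt still failed after steps a) to d). The following Python, added here and not the page's own code, models how file_contexts specs are matched (each regex is anchored to the whole path, and the later file_contexts.local entry overrides the stock one) and contrasts what chcon without -R and a restorecon -R relabel do to a constructed /opt tree. The pre-existing usr_t labels on the sub-folder, the /srv/www httpd entry, and the non-recursive chcon as the cause of the symptom are assumptions consistent with the steps shown, not facts the page establishes.

```python
import re

# Constructed file_contexts table, in file order. The first entry is the stock
# targeted-policy label for /opt (assumed), the second is the line the post adds to
# file_contexts.local, the third is an assumed local entry for a relocated httpd
# DocumentRoot (the httpd section never gives its new path, so /srv/www is made up).
FILE_CONTEXTS = [
    ("/opt(/.*)?", "system_u:object_r:usr_t"),
    ("/opt(/.*)?", "system_u:object_r:samba_share_t"),
    ("/srv/www(/.*)?", "system_u:object_r:httpd_sys_content_t"),
]


def compile_specs(specs):
    """setfiles/matchpathcon anchor every regex so it must match the whole path:
    a bare "/opt" spec would label /opt itself and nothing beneath it."""
    return [(re.compile("^(?:%s)$" % regex), ctx) for regex, ctx in specs]


def match_context(path, compiled):
    """Context of the last matching spec. file_contexts.local is appended after the
    stock entries, so an identical regex there overrides them (simplified ordering)."""
    ctx = None
    for rx, c in compiled:
        if rx.match(path):
            ctx = c
    return ctx


def _under(path, root):
    return path == root or path.startswith(root.rstrip("/") + "/")


def chcon(labels, path, new_type, recursive=False):
    """Model of `chcon -t TYPE PATH` on a {path: context} map: without -R only PATH
    itself is relabelled, which is what step a) in the post did."""
    out = dict(labels)
    for p in out:
        if p == path or (recursive and _under(p, path)):
            out[p] = out[p].rsplit(":", 1)[0] + ":" + new_type
    return out


def restorecon(labels, root, compiled):
    """Model of `restorecon -R ROOT`: every path under ROOT gets the context its spec says."""
    out = dict(labels)
    for p in out:
        if _under(p, root):
            ctx = match_context(p, compiled)
            if ctx:
                out[p] = ctx
    return out


def type_of(ctx):
    return ctx.split(":")[2]


def demo():
    # Constructed tree: /opt with a pre-existing sub-folder, everything still usr_t.
    tree = {
        "/opt": "system_u:object_r:usr_t",
        "/opt/music": "system_u:object_r:usr_t",
        "/opt/music/song.mp3": "system_u:object_r:usr_t",
    }
    compiled = compile_specs(FILE_CONTEXTS)
    after_chcon = chcon(tree, "/opt", "samba_share_t")   # step a): only /opt changes
    after_restore = restorecon(tree, "/opt", compiled)   # relabel: the regex covers the tree
    return {
        "chcon_subdir_type": type_of(after_chcon["/opt/music"]),
        "restorecon_subdir_type": type_of(after_restore["/opt/music"]),
        "regex_matches_subdir": match_context("/opt/music/song.mp3", compiled),
        "regex_matches_sibling": match_context("/optional", compiled),
    }
```

Running demo() shows the sub-folder keeps usr_t after the non-recursive chcon but becomes samba_share_t after a relabel, while the regex itself already matches every path under /opt.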


January 19, 2006

Automobile Claim Filing Tips

When filing a claim on your automobile insurance, you should take the following steps:

1. Always report an incident to the police, regardless of how minor it seems. What looks like a small dent or scratch could actually cost you several hundred dollars to repair.

2. Make sure the police officer gives you a copy of the drivers' information-exchange form.

3. Write down names, addresses and phone numbers of any witnesses in case you need them later.

4. Call your insurance agent and company immediately for further instructions. The insurer may deny payment of your claim if you do not report the accident.

5. Make sure that you include all information on your insurance application. If you withheld information which would have caused the insurance company to deny coverage originally, they may void your policy from its effective date and refuse to pay a claim.

6. Make sure that your insurance company agrees to pay before you start any repairs.

7. Check all repairs afterwards. Check them at the shop and then again at home.

8. Get a copy of the itemized repairs on a form printed with the repair shop's name and address.

9. Your insurance company may send an adjuster to inspect your automobile before you obtain any necessary repairs, or it may instruct you to obtain a specified number of estimates for the work. Find out from your insurance company what to do about supplemental damage in case the repair shop finds something caused by the accident but not on the original estimate.

10. You may choose which repair shop you want to fix your vehicle after an accident, unless otherwise stated in the policy. Some companies require policyholders to use auto-repair shops approved by the company. These companies usually offer a premium discount in exchange for your agreement to this provision.

Source: Yahoo Auto

Friends of Ji: Don't worry, I am all good. No accident happened to me. This post is just for educational purposes.

January 16, 2006

What Powers the Growth of China and India?

These two countries are setting the stage for the greatest period of discovery, invention, and technological change the world has ever known. Jeremy Siegel, PhD, wrote a column at Yahoo Finance expressing his view of what is driving the transformation: growth of knowledge; a historically high density of population, which led to increased communication, greater specialization, and the discovery of better techniques for food production; and a new economy that encourages access to knowledge and accelerates discovery.

All in all, this article still falls under the old topic of the "knowledge economy", yet it is well written and worth reading.

Yahoo finance has the full story.

January 13, 2006

Edit Firewall Settings to Enable XDMCP Access

Problem: Could not make XDMCP connection to whitebox

Cause: The built-in firewall blocks XDMCP traffic

Fix: Open XDMCP related ports

1. SSH to whitebox, su
2. Do
/usr/sbin/lokkit
Select "Customize", in "Other Ports" field, append
xdmcp:udp x11:tcp
3. Save settings
4. Try again with X-Win32 connection, SUCCESS

Fix vsftpd User Cannot Upload Problem

Problem: with vsftpd running, a user can connect, list directory contents, and download files, yet cannot upload files or create new directories.

Procedure:

1. Checked the user's home directory and made sure the user has the right permissions to write files/directories.
2. Did an intensive search online and found this is related to SELinux. Most online discussions suggest disabling SELinux, which is not what I want.
3. More searching revealed that this can be fixed by altering SELinux policy booleans. Tried:
setsebool -P ftpd_disable_trans 1
/sbin/service vsftpd restart
and logged back in to ftp. PROBLEM FIXED.
4. Further discovered this is essentially the same as creating the file
/etc/selinux/targeted/booleans.local
and appending the line
ftpd_disable_trans=1

Disable Anonymous FTP Login (vsftpd)

Task: For security reasons, disable anonymous FTP login

1. SSH to whitebox, and su
2. Edit file /etc/vsftpd/vsftpd.conf, find line
anonymous_enable=YES
change to
anonymous_enable=NO
3. Do /sbin/service vsftpd restart
4. Try ftp to whitebox with anonymous login, rejected -- GOOD.

January 12, 2006

Disable Root Login through SSH

Task: For security reasons, disable SSH login as root

1. SSH to whitebox with root login
2. Create a new user for further SSH login
3. Edit file /etc/ssh/sshd_config
4. Find line like
Protocol 2
Make sure it is just Protocol 2, not Protocol 2,1.

5. Find line
#PermitRootLogin yes
Uncomment it and change to
PermitRootLogin no
6. Do
/sbin/service sshd restart
7. Log out, and try to log in as root again, FAILED
8. Try to log in with the new user id, SUCCESSFUL!

8888-Leading Dollar Note for Year of Dog

To celebrate the Chinese Spring Festival and the coming of the Year of the Dog in the Chinese lunar calendar, the US Bureau of Engraving and Printing is offering uncirculated $1 US notes with a serial number beginning with "8888" for sale through its official web site. The note is beautifully packaged to bring you good fortune and prosperity in the New Lunar Year. Also available is the $5 note.

January 11, 2006

My First Linux Whitebox

Hardware Purchases:

* Biostar M7VIG 400 Socket A mATX MB w/Athlon XP-M 2600+ CPU ($94.99 from Geeks.com).

* 4-Bay Silver mATX Case w/230-Watt Power Supply ($27.50 from Geeks.com).

* The above two items plus $17 combined shipping = $139.49.

* gigaram 512MB 184-Pin DDR SDRAM System Memory - OEM ($33.99 from NewEgg.com + $4.81 shipping = $38.80).

* Reused an old 120G IDE hard disk and an old 52x CD-RW drive -- considered $0.00.

* No monitor, no keyboard/mouse -- used LCD TV and another set of wireless keyboard/mouse during installation.

* Total investment so far: $139.49 + $38.80 = $178.29.


Hardware Specifications:

* MB / RAM / HDD: Socket A 266M FSB; 512M DDR 400 CLS 3 running at 333M; 120G 7200RPM 8M buffer IDE at UDMA 133.

* [root@whitebox ~]# cat /proc/cpuinfo
processor : 0
vendor_id : AuthenticAMD
cpu family : 6
model : 10
model name : AMD Athlon(tm) XP 2600+
stepping : 0
cpu MHz : 1992.098
cache size : 512 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 1
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 mmx fxsr sse syscall mp mmxext 3dnowext 3dnow
bogomips : 3947.33

* [root@whitebox ~]# cat /proc/meminfo
MemTotal: 483196 kB
MemFree: 129536 kB
Buffers: 15596 kB
Cached: 188728 kB
SwapCached: 0 kB
Active: 253132 kB
Inactive: 68744 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 483196 kB
LowFree: 129536 kB
SwapTotal: 1574328 kB
SwapFree: 1574328 kB
Dirty: 68 kB
Writeback: 0 kB
Mapped: 149540 kB
Slab: 23700 kB
CommitLimit: 1815924 kB
Committed_AS: 238192 kB
PageTables: 2692 kB
VmallocTotal: 540664 kB
VmallocUsed: 3876 kB
VmallocChunk: 535080 kB
HugePages_Total: 0
HugePages_Free: 0
Hugepagesize: 4096 kB



OS Installation:

Default Fedora Core 4 installation CDs with customized server installation options, SELinux and GNOME. VGA, ethernet and sound cards were detected correctly during installation. DHCP client by default. Firewall turned on during installation, allowing http, ftp and ssh traffic.

After installation, turned on XDMCP through GNOME's Desktop -> System Settings -> Login Screen. Shut down. Unplugged mouse, keyboard and monitor. Relocated the whitebox beside my router and connected it to the home network with an ethernet cable. Powered on again.

On another computer, checked the router's DHCP client list and found the whitebox had been assigned IP address 192.168.2.6. SSHed to the whitebox through PuTTY. Logged in as root. Everything looks fine. Leaned back with peace of mind ;)

The whitebox sitting with the DSL modem and the wireless router.

Lottery: Wrong Way to Build Your Wealth

About one out of five Americans believe that winning the lottery is the most practical way of attaining personal wealth. Among Americans with salaries of $25,000 or less, 38 percent believe the lottery is the way to go, although they know that the odds of winning the lottery are ridiculously remote -- approximately one in a gazillion.

Financial experts like Barbara Whelehan, however, advise that expecting to get rich by winning the lottery is just not realistic, and those who do win the lottery do not always achieve lasting financial security. Among the many other practical wealth-building strategies, optimistic planning is the key.

This article on Bankrate extends the analysis and introduces the concept of personal financial ratios as an elegant road map to financial health and retirement -- worth your five minutes.

The Best Jobs to Have in 2006

Experts predict 2006 will be a good year for job candidates who possess desirable skills. Demand for these skilled workers could mean fatter paychecks. Yahoo Finance has a guide to 16 careers that could do well -- and why. Plus, links to where you can get more information.

January 10, 2006

Apple Unveils New Macs Using Intel Chips

Apple Computer Inc.'s historic shift to Intel Corp. microprocessors came months earlier than expected as CEO Steve Jobs on Thursday debuted personal computers based on new two-brained chips from the world's largest semiconductor company.

The first Macs to deploy Intel's Core Duo processors will be the latest iMac desktop, whose circuitry is all built into the display, and the MacBook Pro laptop. When it announced the massive switch in June, Apple said it expected to begin making the transition by mid-2006. Jobs said its entire Mac line will be converted to Intel by the end of this calendar year.

Yahoo Finance has the full story.

January 9, 2006

Unlocker: The Program You May Have Been Looking for Your Whole Life

Ever had such an annoying message given by Windows?

It has many other flavors:
* Cannot delete file: Access is denied
* There has been a sharing violation.
* The source or destination file may be in use.
* The file is in use by another program or user.
* Make sure the disk is not full or write-protected and that the file is not currently in use.

Unlocker is an Explorer extension that lets you get rid of this error message with a simple right-click on a file or folder!

Download the tool here.

Free DNS Server and Free Web Hosting Service

ZoneEdit.com offers a free DNS service for up to five domains, with which you can host your own web sites at home. They also have an open-source program that automatically updates your DNS records with the (typically) dynamic IP address obtained from your cable/DSL internet provider. A DNS server is essential for directing visitors to your web site's physical machine (your PC at home, in this case) by your web site's name (such as www.jihe.net).

For hobby web site owners who care less about technical issues, you may additionally choose MemeBot for free web hosting. The catch is that to get the free hosting, the web site needs to be smaller than 30MB on disk and the monthly bandwidth (amount of data transferred to/from the web site) needs to be below 100MB.

January 7, 2006

Google to Launch Online Video Download Service

Google Inc. said on Friday the company is expanding into two new fields with an online video store and a computer maintenance service, moves that mark stepped-up challenges to its biggest computer and media rivals, including Apple, Microsoft and Yahoo.

Google Co-founder and President Larry Page said the video marketplace would offer free programming, low-cost rentals and outright purchases of premium entertainment and sports shows ranging from episodes of 'Star Trek' to every National Basketball Association league game online, for the first time ever.

Bill Gates of Microsoft, in a previous campus talk, predicted that DVD media will eventually disappear and will be replaced by online services. His prediction unfortunately is being realized by one of his biggest competitors.

CNN Money has the full story.

January 6, 2006

Home Theater Viewing Distance Calculator

Thinking about buying a new HDTV, projector, or TV set and wondering what size to get? Ever wonder if your TV is placed too close to your sofa? homestead.com has a simple yet effective viewing distance calculator to assist your viewing room design.

Finding Low Price-To-Earnings Ratio (P-E) Stocks is Easy

It's hard to resist a bargain. And when it comes to bargains on Wall Street, a low P-E catches many investors' attention. There is sound reason for that. The price-to-earnings ratio of a stock tells you how much investors are willing to pay for every $1 a company generates in profit. The lower the P-E, the less investors are paying in order to yield the same earnings.

Yahoo Finance elaborates this concept, and recommend the Intraday Stock Screener at USATODAY for low P-E stock screening. In the same page is a Mutual Fund Finder that highlights mutual funds with high performance. HTH!