
March 23, 2006

Installing NVIDIA Driver for Fedora Core 5, with TV as Primary Display

I have recently installed an NVIDIA TNT2 M64 video card with TV-out in the whitebox and have successfully configured an old APEX TV as the primary monitor for both the console and X Windows. The work involved installing a closed-source driver available from NVIDIA's official web site and manually editing the xorg.conf file (attached as the extended entry).

However, once I upgraded the Fedora distribution to Core 5, the NVIDIA driver stopped working. Further investigation revealed that this is the "fault" of both Fedora and NVIDIA. Firstly, the initial release of Fedora Core 5 shipped a wrong kernel build which prevented non-GPL modules from being loaded (full story at OS News, and the new kernel release). Secondly, the latest "official" NVIDIA driver needs to be patched in order to work on Fedora Core 5 (NVNews Discussions).

Apparently I am not the only one who ran into this problem, and thankfully there are already detailed instructions on how to make it work. I just followed those instructions and I am a happy camper again!


January 31, 2006

SELinux: Fix HTTPD 'Access Denied' Problem

I reconfigured the httpd service and changed DocumentRoot. However, each time I tried to visit the web site I got an 'access denied' error. Checking the error log under /var/log/httpd, I found lines like:

[Mon Jan 30 20:01:09 2006] [error] [client 127.0.0.1] (13)Permission denied: access to / denied

As I believed the permissions on the DocumentRoot were correctly set (0755, which is quite standard), I suspected the ill-famed SELinux was doing its trick again. This time I just did the "brutal" job and disabled SELinux protection on httpd completely:
setsebool -P httpd_disable_trans 1
/sbin/service httpd restart

Then... exactly as I expected, the "access denied" error disappeared.

Now what an ironic story: I initially wanted to secure my whitebox with SELinux, yet I ended up completely disabling it for the ftp, samba, and http services. I really wonder how many end users are using SELinux in a serious way...

January 29, 2006

Stop SSH Brute Force Attack: Limit SSH Login Accounts

Since the whitebox's SSH, FTP and HTTP services are exposed to the internet, it receives a large number of brute-force login attempts. tail -100 /var/log/secure gave me a lot of warnings like the ones below:

Jan 29 08:21:01 whitebox sshd[4414]: Failed password for nobody from 218.24.139.109 port 35958 ssh2
Jan 29 08:21:06 whitebox sshd[4417]: Invalid user patrick from 218.24.139.109
Jan 29 08:21:08 whitebox sshd[4417]: Failed password for invalid user patrick from 218.24.139.109 port 40135 ssh2
Jan 29 08:21:11 whitebox sshd[4419]: Invalid user patrick from 218.24.139.109
Jan 29 08:21:14 whitebox sshd[4419]: Failed password for invalid user patrick from 218.24.139.109 port 43318 ssh2
Jan 29 08:21:19 whitebox sshd[4422]: Failed password for root from 218.24.139.109 port 46797 ssh2
Jan 29 15:36:11 whitebox sshd[6282]: Did not receive identification string from 65.18.181.235
Jan 29 15:41:24 whitebox sshd[6303]: Failed password for root from 65.18.181.235 port 1150 ssh2
Jan 29 15:41:28 whitebox sshd[6305]: Failed password for root from 65.18.181.235 port 1654 ssh2

BTW, you really should take a look at your /var/log/messages and /var/log/secure; you will be surprised by the number of failed logins from nowhere.

As the first attempt to fight brute-force attacks, I would like to limit the accounts that can log in through SSH. My practice is to create a hard-to-guess account id with a very strong password for SSH login only. Once in, I can su to other users for user-specific work. Hopefully this reduces the chance of a brute-force break-in.

( Read more for details... )
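As an added example (not from the post), here is a Python script that runs the detection over the /var/log/secure lines quoted above: it aggregates failed passwords, account names tried and banner-less probes per source address, and lists the addresses that cross a threshold. The sample input is the post's own log excerpt; the threshold of three failures is an assumption.

```python
import re
from collections import defaultdict

# Sample input: the /var/log/secure lines quoted in the post above.
SAMPLE_SECURE_LOG = """\
Jan 29 08:21:01 whitebox sshd[4414]: Failed password for nobody from 218.24.139.109 port 35958 ssh2
Jan 29 08:21:06 whitebox sshd[4417]: Invalid user patrick from 218.24.139.109
Jan 29 08:21:08 whitebox sshd[4417]: Failed password for invalid user patrick from 218.24.139.109 port 40135 ssh2
Jan 29 08:21:11 whitebox sshd[4419]: Invalid user patrick from 218.24.139.109
Jan 29 08:21:14 whitebox sshd[4419]: Failed password for invalid user patrick from 218.24.139.109 port 43318 ssh2
Jan 29 08:21:19 whitebox sshd[4422]: Failed password for root from 218.24.139.109 port 46797 ssh2
Jan 29 15:36:11 whitebox sshd[6282]: Did not receive identification string from 65.18.181.235
Jan 29 15:41:24 whitebox sshd[6303]: Failed password for root from 65.18.181.235 port 1150 ssh2
Jan 29 15:41:28 whitebox sshd[6305]: Failed password for root from 65.18.181.235 port 1654 ssh2
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from " + IP)
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from " + IP)
NOIDENT = re.compile(r"sshd\[\d+\]: Did not receive identification string from " + IP)

def summarize(log_text):
    """Per source IP: number of failed passwords, the account names tried,
    and connections that never sent an SSH identification string."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "noident": 0})
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            s = stats[m["ip"]]
            s["failed"] += 1
            s["users"].add(m["user"])
        elif m := INVALID.search(line):
            stats[m["ip"]]["users"].add(m["user"])
        elif m := NOIDENT.search(line):
            stats[m["ip"]]["noident"] += 1
    return dict(stats)

def offenders(stats, threshold=3):
    """Source IPs with at least `threshold` failed passwords, worst first."""
    return sorted((ip for ip, s in stats.items() if s["failed"] >= threshold),
                  key=lambda ip: -stats[ip]["failed"])

if __name__ == "__main__":
    stats = summarize(SAMPLE_SECURE_LOG)
    for ip in offenders(stats):
        s = stats[ip]
        print(f"{ip}: {s['failed']} failed logins, accounts tried: {sorted(s['users'])}")
```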


January 26, 2006

Enable File Sharing (Samba) Service

Task: Share a folder so that other home network computers can read and write it. This also enables other computers to reach the whitebox by its name instead of its IP address.

A. Open ports for SMB and NMB

A.1) SSH to whitebox, su
A.2) Run /usr/sbin/lokkit, then "Customize", and append "137-139:udp 445:tcp" to the allowed other ports. Save and exit.
A.3) Run /sbin/iptables -L and see: ...

(More...)


January 13, 2006

Edit Firewall Settings to Enable XDMCP Access

Problem: Could not make XDMCP connection to whitebox

Cause: The built-in firewall blocks XDMCP traffic

Fix: Open XDMCP related ports

1. SSH to whitebox, su
2. Run
/usr/sbin/lokkit
Select "Customize" and, in the "Other Ports" field, append
xdmcp:udp x11:tcp
3. Save settings
4. Try again with the X-Win32 connection: SUCCESS
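Added here as a worked check for both this XDMCP post and the Samba post above (it is not the posts' own code): a Python script that parses a lokkit "Other Ports" string into port ranges and compares it against `iptables -L -n` output, reporting any requested port that no ACCEPT rule covers. The iptables excerpt is constructed in the shape lokkit produces on Fedora Core, and the xdmcp/x11 numbers are the standard /etc/services values.

```python
import re

# Standard /etc/services numbers for the two names the XDMCP post uses.
SERVICE_PORTS = {"xdmcp": 177, "x11": 6000}

# Constructed `iptables -L -n` excerpt (not the whitebox's real output);
# the x11 rule is deliberately left out so the check has something to report.
SAMPLE_IPTABLES = """\
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:177
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:445
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""
DPT = re.compile(r"dpts?:(\d+)(?::(\d+))?")

def parse_port_spec(spec):
    """lokkit 'Other ports' string ('137-139:udp 445:tcp xdmcp:udp x11:tcp')
    -> list of (proto, low_port, high_port)."""
    out = []
    for item in spec.split():
        ports, proto = item.rsplit(":", 1)
        if "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        elif ports.isdigit():
            lo = hi = int(ports)
        else:  # a service name rather than a number
            lo = hi = SERVICE_PORTS[ports]
        out.append((proto, lo, hi))
    return out

def accepted_ranges(iptables_output):
    """(proto, low, high) for every ACCEPT rule that matches a destination port."""
    ranges = []
    for line in iptables_output.splitlines():
        fields = line.split()
        m = DPT.search(line)
        if len(fields) > 1 and fields[0] == "ACCEPT" and m:
            lo = int(m.group(1))
            ranges.append((fields[1], lo, int(m.group(2) or lo)))
    return ranges

def missing_ports(spec, iptables_output):
    """Requested (proto, port) pairs no ACCEPT rule covers; [] means all are open."""
    allowed = accepted_ranges(iptables_output)
    return [(proto, port) for proto, lo, hi in parse_port_spec(spec)
            for port in range(lo, hi + 1)
            if not any(p == proto and a <= port <= b for p, a, b in allowed)]
```

Running `missing_ports("137-139:udp 445:tcp xdmcp:udp x11:tcp", SAMPLE_IPTABLES)` reports only 6000/tcp, the X11 port the sample rules lack.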

Fix vsftpd User Cannot Upload Problem

Problem: with vsftpd running, a user can connect, list directory contents and download files, yet cannot upload files or create new directories.

Procedure:

1. Checked the user's home directory and made sure the user has the right permissions to write files and directories.
2. Did an intensive search online and found this is related to SELinux. Most online discussions suggest disabling SELinux, which is not what I want.
3. More searching revealed that this can be fixed by altering SELinux policies. Tried:
setsebool -P ftpd_disable_trans 1
/sbin/service vsftpd restart
and logged back into ftp. PROBLEM FIXED.
4. Further discovered that this is essentially the same as creating the file
/etc/selinux/targeted/booleans.local
and appending the line
ftpd_disable_trans=1

Disable Anonymous FTP Login (vsftpd)

Task: For security considerations, disable anonymous ftp login

1. SSH to whitebox, and su
2. Edit file /etc/vsftpd/vsftpd.conf, find line
anonymous_enable=YES
change to
anonymous_enable=NO
3. Do /sbin/service vsftpd restart
4. Try ftp to whitebox with an anonymous login: rejected -- GOOD.

January 12, 2006

Disable Root Login through SSH

Task: For security considerations, disable SSH login as root

1. SSH to whitebox with root login
2. Create a new user for further SSH login
3. Edit file /etc/ssh/sshd_config
4. Find line like
Protocol 2
Make sure it is just Protocol 2, not Protocol 2,1.

More...
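To confirm that the sshd_config edits from this post and from the "Stop SSH Brute Force Attack: Limit SSH Login Accounts" post above actually took effect, here is a small audit script added here (it is not the posts' own code). It assumes the real OpenSSH directives PermitRootLogin and AllowUsers, which the posts imply but do not quote; both config fragments and the account name in AllowUsers are constructed.

```python
import re

# Constructed sshd_config fragments (not the whitebox's real file). PermitRootLogin
# and AllowUsers are real OpenSSH directives that the posts imply but do not quote.
WEAK_SSHD_CONFIG = """\
# Fresh install: SSH-1 fallback on, root may log in, any account may try
Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
"""

# "k7x2q9m" stands in for the hard-to-guess SSH-only account from the post.
HARDENED_SSHD_CONFIG = """\
Protocol 2
PermitRootLogin no
AllowUsers k7x2q9m
PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Map lower-cased keyword -> value. Only lines starting with '#' are
    comments, and the FIRST occurrence of a keyword wins, as it does in sshd."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf

def audit_sshd_config(conf):
    """Findings for the three settings the posts care about; [] means all good."""
    findings = []
    protocol = conf.get("protocol", "")
    if protocol.replace(" ", "") != "2":
        findings.append(f"Protocol must be exactly 2, found {protocol or 'unset'}")
    if conf.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not set to no")
    if not conf.get("allowusers"):
        findings.append("AllowUsers is unset, so every local account may try to log in")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(parse_sshd_config(text)) or ["OK"])
```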


January 11, 2006

My First Linux Whitebox

Hardware Purchases:

* Biostar M7VIG 400 Socket A mATX MB w/Athlon XP-M 2600+ CPU ($94.99 from Geeks.com).

* 4-Bay Silver mATX Case w/230-Watt Power Supply ($27.50 from Geeks.com).

* Combined shipping cost of above two items + $17 = $139.49.

* gigaram 512MB 184-Pin DDR SDRAM System Memory - OEM ($33.99 from NewEgg.com + $4.81 shipping = $38.80).

* Reused an old 120G IDE hard disk and an old 52x CD-RW drive -- considered $0.00.

* No monitor, no keyboard/mouse -- used LCD TV and another set of wireless keyboard/mouse during installation.

* Total investment so far: $139.49 + $38.80 = $178.29.

[ Read more for hardware specifications and initial installation... ]
