
A Prelude to better things – Open Source and IDS

A number of recent attempted break-ins on a few machines I manage have had me thinking again about the overall security of the machines, and how to get a better handle on what’s going on. This isn’t something new – anyone managing internet-facing systems ought to be aware of the dangers, and how to mitigate them. As with many things related to open source, there is a plethora of tools out there aimed at providing alerting based on network activity.

I’d wager that many people have heard of Snort, and what it does. For those who aren’t familiar with it, it’s an open source intrusion detection system (IDS)/intrusion prevention system (IPS). In a normal configuration, Snort monitors traffic and alerts based on predefined rules for such things as port scans and maliciously-crafted HTTP requests. It’s an extremely powerful tool that is also highly configurable, and with an excellent community that provides custom rules for a wide variety of situations. But alerting is one thing – being able to make sense of those alerts is something else.

→ Continue reading ‘A Prelude to better things – Open Source and IDS’…

RedHat, NFS and static ports

Using NFS between two machines on the same network is usually free of hassle, so the default behaviour – on Linux, at least – is fine and can be left as it is. However, in a commercial setting (such as the ones I manage in my day job) it’s often the case that the machines might not be on the same network – or even in the same location, for that matter. It’s likely that there’s a number of network devices in between the machines, and the way NFS uses portmap can sometimes make things frustrating.

Luckily, it’s really easy to fix.

→ Continue reading ‘RedHat, NFS and static ports’…

PXE booting a Debian Squeeze install

Update: I’ve not tested myself, but the comment from Sombunall below points out that package names for the TFTP server and the DHCP server have changed since I wrote this post!

It’s often the case that there’s no easy way of installing a machine that doesn’t have any removable media. For instance, I have an old Compaq Deskpro EN that’s too old to support booting from USB, so using something like UNetbootin is out of the question. Luckily, there’s an alternative, which is to PXE boot an installer over the network.

→ Continue reading ‘PXE booting a Debian Squeeze install’…

iproute2: Life after ifconfig

The standard network tools ifconfig, netstat and route will be familiar to anyone with more than a passing interest in UNIX or any of its derivatives. Linux is no exception, and if you hop on to your nearest Linux machine, you’ll find these installed. However, for the past few years ifconfig and its ilk (often collectively referred to as net-tools) have been deprecated in favour of the iproute2 suite.

→ Continue reading ‘iproute2: Life after ifconfig’…

Fixing Likewise startup scripts on Debian Squeeze

Just a quick one, this…

If you install Likewise Open on Debian Squeeze, you may notice that it doesn’t start on boot-up. This is because the new dependency-based boot sequence doesn’t like the init scripts Likewise provides.

Luckily, it’s pretty easy to fix. First, make sure you have chkconfig installed (apt-get install chkconfig if not), change into your /etc/init.d directory and do this:-

for INIT in lsassd lwiod eventlogd dcerpcd netlogond lwregd srvsvcd; do \
   echo "Fixing '${INIT}'..."; \
   sed -i -e 's/^#LWI_STARTUP_TYPE_SUSE#/#/g' \
      -e 's/Default-Start: 3 5/Default-Start: 2 3 4 5/g' \
      -e 's/Default-Stop: 0 1 2 6/Default-Stop: 0 1 6/g' ${INIT}; \
done
for INIT in lsassd lwiod netlogond eventlogd dcerpcd; do \
   echo "Disabling ${INIT}..."; \
   chkconfig -d ${INIT}; \
done
for INIT in dcerpcd eventlogd netlogond lwiod lsassd; do \
   echo "Re-enabling ${INIT}..."; \
   chkconfig -a ${INIT}; \
done

This uncomments the SUSE parts of the init scripts, which chkconfig wants, and rewrites the Default-Start and Default-Stop runlevels (to 2 3 4 5 and 0 1 6 respectively). It then calls chkconfig to first delete each entry, and then re-add it to make sure everything’s okay. Reboot, and you should have working domain authentication without having to manually start it up.

IPv6 for a Linux generation

IPv6 is nothing new – it was finally standardised back in 1998 in RFC 2460, and virtually all operating systems have supported it now for at least 5 years, so most people are in a position to give it a try.

If you’re one of the lucky ones, your ISP might provide native IPv6 connectivity (like AAISP), but for most of us, the main way to get connected to the rest of the IPv6 Internet is to use something we’ve already got – IPv4. And we’re going to tunnel over it.

→ Continue reading ‘IPv6 for a Linux generation’…

Authenticating Active Directory users on Linux with Likewise Open

Historically, if you wanted to use Active Directory to authenticate users on a UNIX box, you were pretty much limited to using LDAP. This works fine for some people, but it’s not particularly elegant – especially if you’re having to create users’ home directories all the time, which negates some of the point of centralising authentication to begin with.

I’m from a UNIX (mostly Linux) background, so I’m more at home using UNIX-alike platforms. That said, there’s a few things that Microsoft do that are particularly useful, and in my opinion AD is one of them (quiet at the back, there). Handily, there’s a project that can marry the two, and it goes by the name of Likewise.

→ Continue reading ‘Authenticating Active Directory users on Linux with Likewise Open’…