Posts

Showing posts with the label security

Defend your web server

Afraid that hackers, spammers and script kiddies will take over your web site? Want to be a bit safer? In Ubuntu there is an Apache module called mod_defensible whose aim is to block well-known attacking sites from reaching your web server. The module looks up every host that accesses your site and checks if it is in a blocking database on the net. If that is the case the host will get Error 403 Forbidden, i.e. your server cannot be reached. I have been using a similar tool for ssh for a while called denyhosts. I did not know about mod_defensible until today when I saw a how-to for Debian on HowtoForge. There are some small differences in installing it between Debian and Ubuntu 8.04 (Hardy Heron). The main difference is that it is included in universe. So here is a quick instruction on how to install mod_defensible. Log in to your web server and become root using sudo -s. Install mod_defensible: apt-get install libapache2-mod-defensible. Activate the module: a2enmod defensible. Create a configfil...

Bits, Bytes, and Words

I have observed that I haven't written in this blog for nearly a month. Not much has happened in the area of this blog. Some more colleagues have started using Linux on their desktops. Currently I am developing a "failsafe" system for emergency handling in Java/JEE/Spring. I am now working on the second generation. I have updated a lot of crypto keys as a follow-up to the nasty OpenSSL bug in Debian/Ubuntu. Today I listened to a talk by Martin Fowler and Jim Webber about middleware and Enterprise Service Buses (ESB). A talk well worth listening to if you are working in or close to the SOA world.

The art of combining security and usability

I am thinking about the art of combining security and usability, which in most cases does not exist. Security experts try to make everything so secure that nobody can use it or wants to use it, since it is too complex. If people do use it, they do everything they can to find workarounds, which tend to create new security holes. On the other side of the ring are the usability experts who totally ignore the need for security. What most people miss is that these two types of experts need to cooperate. The usability experts can help the security experts design usable secure solutions and vice versa. A usable secure solution is much more secure than a non-usable secure system. The usable system will help the user do the right thing and not encourage them to spend their energy finding insecure workarounds. Which side of the ring will take the initiative?

Securing passwords

I have now walked through all sites where I had the same password and changed them to individual passwords. Yes, I know I have been a bad boy using the same password in several places. At the same time I changed the password for some systems where the password was pretty old. To remember my passwords I use Revelation and the complementary Revelation Gnome Taskbar app to make it easy to get a password when I need it. What I miss with Revelation is a Java application for my mobile phone which I can sync my passwords to from my Ubuntu laptop.

Kerberos and LDAP over the web

I have for several years had a Kerberos/LDAP Single Sign-On (SSO) solution active on my home computer network. One part that had not been integrated is my Apache httpd web server. I started to take a look at activating this at Christmas. It was easy to get Kerberos working for the web server on my Ubuntu server. This assumes you have SSL working on your web server for the area you want to password protect. Install libapache2-mod-auth-kerb from universe. Activate the module with the command: sudo a2enmod auth_kerb. Add the following to the directory configuration in Apache that you want to protect using Kerberos:
AuthName "Realm"
AuthType Kerberos
KrbAuthRealms MYREALM
Krb5Keytab /etc/apache2/http.keytab
Require principal@MYREALM
KrbServiceName HTTP/www.MYDOMAIN.org
Require valid-user
Change MYREALM and MYDOMAIN to values that fit you. Connect to the Kerberos admin server and create a new principal and a keytab including this principal. If you use MIT Kerberos, do like this. S...

Open Source Forum 2008 continued

As I wrote the other day, I have visited the Swedish conference Open Source Forum. There was a talk about buying the right thing after lunch the first day. All he said were things that everybody knows: focus on the functionality you need, do not buy a lot of extra functionality, more expensive is not better, etc. It is always good to repeat those things. I still wonder why so many organizations pay for extra functionality they do not need. The IT manager of the small city Osby then told us that they have converted their organization to OpenOffice. Those who need the MS Office functionality can get it, but it has become more and more rare. Unfortunately the big suppliers of applications to governmental organizations integrate very closely with MS Office and are unwilling to change that. I have talked to several cities that want it to change, but failed. The second day was more technically focused, with talks about PostgreSQL/EnterpriseDB, Ubuntu, thin clients based on Ubuntu, security and In...

JavaZone day one

The day continued with a seminar from Sun about new things in Java. They talked about JavaFX as an alternative to Adobe Flash. Then they showed robots controlled by Linux and, of course, Java. The question is how to convince my boss that we need one to make better weather forecasts. The next talk was about Scrum and agile methods, with focus on CMMI 5 certified companies. It gave a very good overview of Scrum and a lot of figures showing that it is good for productivity (up to a factor of 10). I am personally pro agile methods, but I question if the figures can be that good. The speaker Jeff Sutherland also mentioned a new study saying that to gain the most from a programmer, they should work 16 hours a week. I doubt I can convince my boss that I should work 16 hours a week with the same salary. Back to more Java-specific topics and two talks about Spring: one about a new batch processing framework and one about security functionality. The security part looks very promising. I still wonder why and when to choose J2E...

WGA outage

This is another reason not to use proprietary software. It's much better to do it the Open Source way. Take a look at all the places you can download Ubuntu from. These are independent, and you will be up and running without the single point of failure. I feel sorry for all the people that have to call daddy Bill for an OK to take another "beer."

Stop trying to log in through my ssh

Yesterday I got too annoyed with all the brute force attacks against my computer's ssh server. I know that I am definitely not alone. To prevent brute force attacks on ssh I installed denyhosts. Denyhosts watches all login attempts logged in /var/log/auth.log and blocks IP addresses that try to log in but fail repeatedly. To install denyhosts on Ubuntu you have to activate universe and then just select the denyhosts package. Then you are ready; the package starts the application automatically. No configuration needed. But denyhosts has a nice feature: you can upload your blocked IP addresses to a server on the net and download the addresses others have blocked. This feature is not activated by default. To activate it, remove the #-char from the following line in /etc/denyhosts.conf: #SYNC_SERVER = http://xmlrpc.denyhosts.net:9911 Then restart the server: sudo /etc/init.d/denyhosts restart 24h later denyhosts blocks more than 1400 IP addresses.

Create your own CA with TinyCA2 (part 3)

In this final part we will add our own root CA certificate to Ubuntu's pre-installed certificates. (Part 1, Part 2) Copy your root CA certificate, which we exported in the previous part, to /usr/share/ca-certificates/. Add the file name to /etc/ca-certificates.conf and run the command: sudo update-ca-certificates. Most of your services will now be able to find your root CA certificate. To bring your root CA certificate to your friends, just copy the exported root certificate file to a USB memory stick. Using your own CA you can now add SSL support to different services like CUPS, Postfix (AUTH SMTP), Dovecot (IMAP), etc. You can also create certificates to sign and encrypt your e-mails.

Create your own CA with TinyCA2 (part 2)

In part one of this series we created a root CA, a sub-CA and a certificate for our web site. All certificates are stored in TinyCA2's configuration. In this part we will: export the root CA's certificate, import the root CA's certificate into Firefox, export the certificate for the web site, and configure our web server to use the web site certificate. To be able to import the root CA certificate into Firefox we must export it from TinyCA2. In the main window of TinyCA2, open the CA menu and select Open CA. Select your root CA. Select Export CA Certificate in the toolbar, which is the second icon from the right. You may change the file name. Press Save when ready. Start Firefox, select the Edit menu and Preferences. Click the Advanced icon and then the Encryption tab. Select View Certificates and then the Authorities tab. You can see all the CAs you trust. Click Import and select the file with your exported root certificate. In the Downloading Certificate window you can control what purpo...

Create your own CA with TinyCA2 (part 1)

A Certificate Authority (CA) issues certificates to people and organizations that give us the possibility to know that we surf to the right web site and not a phishing site. This concept can be nice to use on your private sites too, but you may not want to spend a lot of money to get a certificate for your site. Most commonly, when one installs a web-mail server at home one uses a self-signed certificate. When one surfs to the web-mail server from a friend's computer, one cannot be sure that nobody listens to the traffic unless one verifies the signature of the self-signed certificate. Maybe an easier and definitely a more scalable solution to this is to create one's own CA structure. When we are done with this how-to you will have installed a certificate on your web server, installed the root certificate into your Firefox, and you will have the root certificate stored on a USB memory stick. The first time you want to read your mail from a friend's computer you install the root certificate f...

Firefox and certificates

I am setting up my own CA (Certificate Authority) for all my services using SSL on my machines. Yesterday I wanted to import the root certificate into Firefox. That's easy if it is for a single user: just click on the root certificate. But what if you have a lot of users and computers? One does not want to force each user to do this manually. I want the root CA to be installed on each computer by the administrator and automatically work for the users. This is not possible with Firefox. The root CAs' certificates are compiled into the Firefox binaries, and then at first start each user gets their own certificate database. There is no central certificate database that Firefox looks into. Ubuntu and Debian have a nice functionality where all CA certs are stored in one place and then used by all well-written applications, but not Firefox. I hope this will change in Firefox 3.0.

A kind help message

I am playing with TinyCA on Ubuntu. I selected help and got this message.

Debian package patches

The small amount of time I have spent on AppArmor today has been to merge my and Kees Cook's work. Then I updated to the latest Subversion revision. Now I have run into problems with dpatch, which I have never used before. I have to spend some time looking into more details, but it will have to be another day. I have not released any new packages today, but Kees uploaded his packages to REVU a few days ago. I will soon watch Jamie Oliver on TV.

AppArmor packages available

As I wrote yesterday, I am packaging AppArmor for Ubuntu. When I got home from work today I continued my packaging. I have fixed it so the kernel modules load at boot. Kees was kind enough to provide me with a module-assistant enabled package for the kernel modules. That saved me a lot of work and time, since I had never packaged kernel modules before. Further, I added some dependencies, did some testing and packaged the documentation. You can find the packages here. They are built for Ubuntu Feisty. Normally when building packages from a project you take one tar.gz file and build one or several packages. With AppArmor it is a bit different. The project provides snapshots of the Subversion tree in several tar.gz files. As a beginning I build one package from each of the provided tar.gz files. Later, I hope AppArmor starts to do regular normal releases. I will then revamp the packages to build all packages from one tar.gz file.

AppArmor for Ubuntu

Last summer I made an effort to build packages of AppArmor (project page) for Ubuntu. Unfortunately, at that time I needed to patch and recompile the kernel. That took a lot of work and time. I did not manage to spend all that work to maintain the packages. A few days ago I got a mail from Crispin Cowan saying that Kees Cook had told him that patching the kernel is not necessary any more. Yesterday and today I have spent some time refreshing my packages. The last snapshot of AppArmor from October last year did not compile on Feisty. Instead I took the latest Subversion revision. The status does not look too good for that either: some of the Perl scripts refer to an undefined variable. I hope I will get some help from the AppArmor guys.

Advanced Linux Programming

I ran into an online version of the book Advanced Linux Programming. It is a good book when you are interested in starting to write programs with inter-process communication and threading. From my perspective it is not advanced in those topics. Even if you are not into these areas of programming you should read chapter 10, Security, if you are doing any programming on any kind of system: Unix, Windows, embedded, whatever. It points out some important stuff that you need to know. Learn to avoid buffer overruns, symbolic link race conditions, etc. Remember, always validate the input you get to your program.