Minggu, 16 Desember 2012

How to configure Dynamic Host Configuration Protocol (DHCP) in Linux


Dynamic Host Configuration Protocol (DHCP) Lease Process

The process of leasing an IP address occurs in the following four phases:
• Discovery (Message from DHCP client to DHCP Server): The DHCP client broadcasts a DHCP discover message on the network containing its MAC address to find a DHCP server running in the network.
• Offer (Message from DHCP server to DHCP client): Each DHCP server on the network that receives the request responds with a DHCP offer message. An offered IP address is included in the message.
• Request (Message from DHCP client to DHCP Server): When a DHCP client receives a DHCPOffer packet, it responds by broadcasting a DHCPRequest packet that contains the offered IP address, and shows acceptance of the offered IP address. If multiple DHCP servers respond, the client selects the first offer it receives and broadcasts a DHCP request for the IP address. The message is broadcast on the network because the client has not yet been assigned an IP address; it has only been offered one.
• Acknowledge (Message from DHCP server to DHCP client): The DHCP server responds with a DHCPACK (acknowledgment) granting the client's request to use the IP address. The DHCPACK also contains information about any DHCP options that have been configured on the server (such as the IP address of the DNS server).

Dynamic Host Configuration Protocol (DHCP) configuration file (/etc/dhcpd.conf)

A sample Linux dhcpd.conf file is copied below.
ddns-update-style interim;
ignore client-updates;
subnet 192.168.1.0 netmask 255.255.255.0 {
# --- default gateway
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;
# option nis-domain "domain.org";
option domain-name "omnisecu.com";
option domain-name-servers 192.168.1.1;
# option time-offset + 19800; # Eastern Standard Time
# option ntp-servers 192.168.1.1;
# option netbios-name-servers 192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
# option netbios-node-type 2;
# range dynamic-bootp 192.168.0.128 192.168.0.254;
range 192.168.1.210 192.168.1.220;
default-lease-time 21600;
max-lease-time 43200;
# we want the nameserver to appear at a fixed address
# host ns {
# next-server marvin.redhat.com;
# hardware ethernet 12:34:56:78:AB:CD;
# fixed-address 207.175.42.254;
# }
}
• ddns-update-style interim: Confirms Dynamic DHCP.
• ignore client-updates: This setting don't allow users on client computers to change their host names.
• subnet 192.168.0.0 netmask 255.255.255.0 Describes a network with an address of 192.168.0.0 and a subnet mask of 255.255.255.0. This allows the local DHCP server to assign addresses in the range 192.168.0.1 to 192.168.0.254 to different computers on this network. If you've configured a different network IP address, you'll want to change these settings accordingly.
• option routers: Lists the default router.
• option subnet-mask: Specifies the subnet mask for the local network.
• option nis-domain: Specifies the NIS domain name
• option domain-name: Domain name for the network
• option domain-name-servers DNS Server for the network
• option time-offset: Lists the difference from Greenwich Mean Time.
• option ntp-servers Network Time Protocol (NTP) servers
• option netbios-name-servers: WINS (Windows Internet Name Servers) Servers. Used for NetBIOS name resolution.
• range dynamic-bootp: BOOTP range
• default-lease-time: Specifies the lease time for IP address information, in seconds.
• max-lease-time Specifies the maximum lease time for IP address information, in seconds.
• next-server: Boot server for network computers
Linux Dynamic Host Configuration Protocol (DHCP) leases file is /var/lib/dhcpd/dhcpd.leases.

Sabtu, 08 Desember 2012

Essential Tricks

Checking your bandwidth
Imagine this: Company A has a storage server named ginger and it is being NFS-mounted by a client node named beckham. Company A has decided they really want to get more bandwidth out of ginger because they have lots of nodes they want to have NFS mount ginger's shared filesystem.
The most common and cheapest way to do this is to bond two Gigabit ethernet NICs together. This is cheapest because usually you have an extra on-board NIC and an extra port on your switch somewhere.
So they do this. But now the question is: How much bandwidth do they really have?
Gigabit Ethernet has a theoretical limit of 128MBps. Where does that number come from? Well,
1Gb = 1024Mb; 1024Mb/8 = 128MB; "b" = "bits," "B" = "bytes"
But what is it that we actually see, and what is a good way to measure it? One tool I suggest is iperf. You can grab iperf like this:
# wget http://dast.nlanr.net/Projects/Iperf2.0/iperf-2.0.2.tar.gz
You'll need to install it on a shared filesystem that both ginger and beckham can see. or compile and install on both nodes. I'll compile it in the home directory of the bob user that is viewable on both nodes:
tar zxvf iperf*gz
cd iperf-2.0.2
./configure -prefix=/home/bob/perf
make
make install

On ginger, run:
# /home/bob/perf/bin/iperf -s -f M
This machine will act as the server and print out performance speeds in MBps.
On the beckham node, run:
# /home/bob/perf/bin/iperf -c ginger -P 4 -f M -w 256k -t 60
You'll see output in both screens telling you what the speed is. On a normal server with a Gigabit Ethernet adapter, you will probably see about 112MBps. This is normal as bandwidth is lost in the TCP stack and physical cables. By connecting two servers back-to-back, each with two bonded Ethernet cards, I got about 220MBps.
In reality, what you see with NFS on bonded networks is around 150-160MBps. Still, this gives you a good indication that your bandwidth is going to be about what you'd expect. If you see something much less, then you should check for a problem.

Essential tricks

Poking a hole in the firewall
Poking a hole in the firewall

Here's how to proceed:
  1. Check that what you're doing is allowed, but make sure you ask the right people. Most people will cringe that you're opening the firewall, but what they don't understand is that it is completely encrypted. Furthermore, someone would need to hack your outside machine before getting into your company. Instead, you may belong to the school of "ask-for-forgiveness-instead-of-permission." Either way, use your judgment and don't blame me if this doesn't go your way.

  2. SSH from ginger to blackbox.example.com with the -R flag. I'll assume that you're the root user on ginger and that tech will need the root user ID to help you with the system. With the -R flag, you'll forward instructions of port 2222 on blackbox to port 22 on ginger. This is how you set up an SSH tunnel. Note that only SSH traffic can come into ginger: You're not putting ginger out on the Internet naked. You can do this with the following syntax:
    ~# ssh -R 2222:localhost:22 thedude@blackbox.example.com
    Once you are into blackbox, you just need to stay logged in. I usually enter a command like:
    thedude@blackbox:~$ while [ 1 ]; do date; sleep 300; done
    to keep the machine busy. And minimize the window.
  3. Now instruct your friends at tech to SSH as thedude into blackbox without using any special SSH flags. You'll have to give them your password: root@tech:~# ssh thedude@blackbox.example.com .
  4. Once tech is on the blackbox, they can SSH to ginger using the following command: thedude@blackbox:~$: ssh -p 2222 root@localhost
  5. Tech will then be prompted for a password. They should enter the root password of ginger.

Jumat, 07 Desember 2012

Kubuntu 12.10 is Released


 Kubuntu




The Kubuntu community is proud to announce the release of 12.10, the Quantal Quetzal. This is the first release to burst free from the limits of CD sizes giving us some more space for goodies on the image.
It also does away with the alternate installer images, adding advanced partitioning options to the desktop image.
Built on Ubuntu's core and polished with KDE’s applications and workspaces, Kubuntu 12.10 is a grand example of friendly, fast and beautiful software. We recommend it as the perfect OS for casual users, students, Linux gamers, software developers, professionals and anyone interested in a free, open platform that is both beautiful and useful.
For a more technical overview see the Kubuntu 12.10 Release Notes

Getting Kubuntu 12.10

Upgrading from Previous Versions

To upgrade to Kubuntu 12.10 from 12.04 LTS, follow the Upgrade Instructions.

Download a Disk Image

Instructions for burning the image to a DVD or USB flash drive can be found on the Burning ISO Howto or Installation for USB Stick.
We recommend you learn how to check your image file to ensure it has downloaded correctly. Compare your MD5 checksum with the correct ones found alongside the images.


The Official Cyber Criminals Most Wanted Website at ccmostwanted.com

The Official Cyber Criminals Most Wanted Website at ccmostwanted.com

Internet Scams Section at ccmostwanted.com

Internet Scams Section at ccmostwanted.com

Quantum Mechanics video

Demystifying the Chinese Hacking Industry: Earning 6 Million a Night

Good Morning to you all! this is from the Linux security website, I just wanted to Share it with you. when you do hacking please be a white hacker I am not responsible for your actions, Take care !


An Interview with a Member of the Chown Group (COG) about the billion dollar hacking business in China "My friend earned 6 million Yuan a night by socalled Shuaku – or data server intrusion, and he bought a racing car the next day to show up in front of us", said Liwrml, one of the initiators of China's first hacker organization named Green Regiment.

According to Liwrml, Shuaku is among the coolest hacking technologies, and is also among the topmost hacking industries as well. "Although I admit that every body is envious in heart, but I will never do like that, for people shall maintain the moral bottom line", he added.

Liwrml also disclosed that the Chinese hacking industry was worth more than 10 billion Yuan RMB, and driven by the money desire, the Chinese Internet is challenged with the possibility of out of control.

In 2008, Chinese hackers found that hacking was a profitable business, and since then, they started to do non-core business, the socalled Black Industry Chains. Before that, their activities were centered around IT technology sharing.At that time, people who are not respected in the society, found themselves like God in the Internet, doing whatever they wanted and then also started with the socalled Black Industry. The booming period of this business was between 2004 and 2005, when there was no regulations. But now the majority have already retreated from doing that because they have earned enough already.

The Chinese hackers can be divided into three classes: the black hackers doing Black Business, the grey hackers for grey industry and the white hackers with government background.

The Grey Industry is not the same as the Black Industry, in that the former is making middleware, or the socalled gangster software. This type of software is embedded into the computer memory and is a sort of forced advertisement. This kind of advertisement module can be sold at RMB 80 per piece. One well-known media playing software once earned RMB 600 000 a day of playing, while another software company started up with pirating Windows operation system has sucked in a 7-digit Yuan income in its first month of operation, which was even unexpected by the boss of the company himself.

But there are still differences between Grey Hackers and Black Hackers, with the later doing things in direct violations of laws. The most notorious example is the "Big Miss" Trojan code decrypted in 2008.

The "Big Miss" hacker system has managed a strict franchising system, from the general gold agent to general regional agent. During the making of Trojan codes, there were again job organization. For example, a big trojan code has 12 smaller trojans, each of them is able to bypass the active protection of the game software operators. The makers of trojans earn one part, the sellers the other part and yet the account stealer also some parts.

Insiders of the hacking industry called stealing of accounts "Envelop". At the best time each "envelop" can be sold at 100 Yuan, and it was as easy as a game to earn more than 100 000 a night. Once the stealing is finished, next came the "envelop washing or cleansing", that is, to load the device of the stolen accounts into the small accounts, and then cleaned up the unlawful money through the underground bank systems. There is flowing band operation.

The "prosperous" development of the hacking industry has put the Internet into virtually out of control. The power of the hackers, the inability of the security companies and the distorted market development, all have contributed to the booming of the hacking business.

It is popularly known that people in the security industry earn much less than those in the hacking business, although both of them own the same skills. This forces a considerable number of security professionals to turn to hacking business, or to do partime hacking job. According to an employee of a security company, about 1/3 to 1/4 of the security engineers are involved in the Black Industry. Their incomes out of this bybusiness are fluctuating very much, among them, the best can earn RMB 200 000 a month.

What's ironicly it that the hackers and the security companies have established a close relationship, as the continuously improved skills of the hackers are pushing the security industry to upgrade their own technologies in a battle to defend the Internet and computer systems.

There is also a general trend among the hackers – the trends towards younger age. Much of the hackers are born after the nineties, and they have plenty of time either.

The author: Mr Chen Minghua, CEO of HeliosLab (www.helioslab.org) is a senior consultant in several major technology areas. He is an invited and frequent author of several online magazines and media.

Rabu, 05 Desember 2012

Kernel Tunable Security Parameters

The following list shows tunable kernel parameters you can use to secure your Linux server against attacks. follow the directions, You shouldn't have a problem if you are and advance Gnu/Linux User.

Thanks for stopping by.

For each tunable kernel parameters I will show the entry that needs to be added to the /etc/sysctl.conf configuration file to make the change permanent after reboots. To activate the configured kernel parameters immediately at runtime, use:

# sysctl -p


Enable TCP SYN Cookie Protection

A "SYN Attack" is a denial of service attack that consumes all the resources on a machine. Any server that is connected to a network is potentially subject to this attack.

To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.tcp_syncookies = 1


Disable IP Source Routing

Source Routing is used to specify a path or route through the network from source to destination. This feature can be used by network people for diagnosing problems. However, if an intruder was able to send a source routed packet into the network, then he could intercept the replies and your server might not know that it's not communicating with a trusted server.

To enable Source Route Verification, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.accept_source_route = 0


Disable ICMP Redirect Acceptance

ICMP redirects are used by routers to tell the server that there is a better path to other networks than the one chosen by the server. However, an intruder could potentially use ICMP redirect packets to alter the hosts's routing table by causing traffic to use a path you didn't intend.

To disable ICMP Redirect Acceptance, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.accept_redirects = 0


Enable IP Spoofing Protection

IP spoofing is a technique where an intruder sends out packets which claim to be from another host by manipulating the source address. IP spoofing is very often used for denial of service attacks. For more information on IP Spoofing, I recommend the article IP Spoofing: Understanding the basics.

To enable IP Spoofing Protection, turn on Source Address Verification. Edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.rp_filter = 1


Enable Ignoring to ICMP Requests

If you want or need Linux to ignore ping requests, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.icmp_echo_ignore_all = 1

This cannot be done in many environments.

Enable Ignoring Broadcasts Request

If you want or need Linux to ignore broadcast requests, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.icmp_echo_ignore_broadcasts = 1


Enable Bad Error Message Protection

To alert you about bad error messages in the network, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.icmp_ignore_bogus_error_responses = 1


Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets

To turn on logging for Spoofed Packets, Source Routed Packets, and Redirect Packets, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.log_martians = 1



Selasa, 04 Desember 2012

TOR

What is Tor?

Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis

Inception

Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory. It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications. Today, it is used every day for a wide variety of purposes by normal people, the military, journalists, law enforcement officers, activists, and many others.
Overview

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.

Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, instant messaging services, or the like when these are blocked by their local Internet providers. Tor's hidden services let users publish web sites and other services without needing to reveal the location of the site. Individuals also use Tor for socially sensitive communication: chat rooms and web forums for rape and abuse survivors, or people with illnesses.

Journalists use Tor to communicate more safely with whistleblowers and dissidents. Non-governmental organizations (NGOs) use Tor to allow their workers to connect to their home website while they're in a foreign country, without notifying everybody nearby that they're working with that organization.

Groups such as Indymedia recommend Tor for safeguarding their members' online privacy and security. Activist groups like the Electronic Frontier Foundation (EFF) recommend Tor as a mechanism for maintaining civil liberties online. Corporations use Tor as a safe way to conduct competitive analysis, and to protect sensitive procurement patterns from eavesdroppers. They also use it to replace traditional VPNs, which reveal the exact amount and timing of communication. Which locations have employees working late? Which locations have employees consulting job-hunting websites? Which research divisions are communicating with the company's patent lawyers?

A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.

The variety of people who use Tor is actually part of what makes it so secure. Tor hides you among the other users on the network, so the more populous and diverse the user base for Tor is, the more your anonymity will be protected.
Why we need Tor

Using Tor protects you against a common form of Internet surveillance known as "traffic analysis." Traffic analysis can be used to infer who is talking to whom over a public network. Knowing the source and destination of your Internet traffic allows others to track your behavior and interests. This can impact your checkbook if, for example, an e-commerce site uses price discrimination based on your country or institution of origin. It can even threaten your job and physical safety by revealing who and where you are. For example, if you're travelling abroad and you connect to your employer's computers to check or send mail, you can inadvertently reveal your national origin and professional affiliation to anyone observing the network, even if the connection is encrypted.

How does traffic analysis work? Internet data packets have two parts: a data payload and a header used for routing. The data payload is whatever is being sent, whether that's an email message, a web page, or an audio file. Even if you encrypt the data payload of your communications, traffic analysis still reveals a great deal about what you're doing and, possibly, what you're saying. That's because it focuses on the header, which discloses source, destination, size, timing, and so on.

A basic problem for the privacy minded is that the recipient of your communications can see that you sent it by looking at headers. So can authorized intermediaries like Internet service providers, and sometimes unauthorized intermediaries as well. A very simple form of traffic analysis might involve sitting somewhere between sender and recipient on the network, looking at headers.

But there are also more powerful kinds of traffic analysis. Some attackers spy on multiple parts of the Internet and use sophisticated statistical techniques to track the communications patterns of many different organizations and individuals. Encryption does not help against these attackers, since it only hides the content of Internet traffic, not the headers.
The solution: a distributed, anonymous network
How Tor works

Tor helps to reduce the risks of both simple and sophisticated traffic analysis by distributing your transactions over several places on the Internet, so no single point can link you to your destination. The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you — and then periodically erasing your footprints. Instead of taking a direct route from source to destination, data packets on the Tor network take a random pathway through several relays that cover your tracks so no observer at any single point can tell where the data came from or where it's going.

To create a private network pathway with Tor, the user's software or client incrementally builds a circuit of encrypted connections through relays on the network. The circuit is extended one hop at a time, and each relay along the way knows only which relay gave it data and which relay it is giving data to. No individual relay ever knows the complete path that a data packet has taken. The client negotiates a separate set of encryption keys for each hop along the circuit to ensure that each hop can't trace these connections as they pass through.

Tor circuit step two

Once a circuit has been established, many kinds of data can be exchanged and several different sorts of software applications can be deployed over the Tor network. Because each relay sees no more than one hop in the circuit, neither an eavesdropper nor a compromised relay can use traffic analysis to link the connection's source and destination. Tor only works for TCP streams and can be used by any application with SOCKS support.

For efficiency, the Tor software uses the same circuit for connections that happen within the same ten minutes or so. Later requests are given a new circuit, to keep people from linking your earlier actions to the new ones.

Tor circuit step three
Hidden services

Tor also makes it possible for users to hide their locations while offering various kinds of services, such as web publishing or an instant messaging server. Using Tor "rendezvous points," other Tor users can connect to these hidden services, each without knowing the other's network identity. This hidden service functionality could allow Tor users to set up a website where people publish material without worrying about censorship. Nobody would be able to determine who was offering the site, and nobody who offered the site would know who was posting to it. Learn more about configuring hidden services and how the hidden service protocol works.
Staying anonymous

Tor can't solve all anonymity problems. It focuses only on protecting the transport of data. You need to use protocol-specific support software if you don't want the sites you visit to see your identifying information. For example, you can use Torbutton while browsing the web to withhold some information about your computer's configuration.

Also, to protect your anonymity, be smart. Don't provide your name or other revealing information in web forms. Be aware that, like all anonymizing networks that are fast enough for web browsing, Tor does not provide protection against end-to-end timing attacks: If your attacker can watch the traffic coming out of your computer, and also the traffic arriving at your chosen destination, he can use statistical analysis to discover that they are part of the same circuit.
The future of Tor

Providing a usable anonymizing network on the Internet today is an ongoing challenge. We want software that meets users' needs. We also want to keep the network up and running in a way that handles as many users as possible. Security and usability don't have to be at odds: As Tor's usability increases, it will attract more users, which will increase the possible sources and destinations of each communication, thus increasing security for everyone. We're making progress, but we need your help. Please consider running a relay or volunteering as a developer.

Ongoing trends in law, policy, and technology threaten anonymity as never before, undermining our ability to speak and read freely online. These trends also undermine national security and critical infrastructure by making communication among individuals, organizations, corporations, and governments more vulnerable to analysis. Each new user and relay provides additional diversity, enhancing Tor's ability to put control over your security and privacy back into your hands.

Red Hat Enterprise Linux

This is the New Red Hat Release, follow the Link Below for The Red Hat website to download the system. The Information is directly from The Red Hat Team.

Thanks for Visiting www.extremelinuxcomputers.com Blog.

Red Hat is the leader in development, deployment, and management of Linux and open source solutions for Internet infrastructure - ranging from embedded devices to secure Web servers. Red Hat was founded in 1994 by visionary entrepreneurs Bob Young and Marc Ewing. Open source is the foundation of our business model. It represents a fundamental shift in how software is created. The code that makes up the software is available to anyone. Developers who use the software are free to improve the software. The result: rapid innovation. Red Hat solutions combine Red Hat Linux, developer and embedded technologies, training, management services, technical support. We deliver this open source innovation to our customers via an Internet platform called Red Hat Network. Red Hat is headquartered in Raleigh, North Carolina, USA.



Latest Beta Release of Red Hat Enterprise Linux 6 Now Available
December 4, 2012
Red Hat Enterprise Linux Team

Today, we are pleased to announce that the next beta release for Red Hat Enterprise Linux 6 – Red Hat Enterprise Linux 6.4 – is now available. The beta release includes a broad set of updates to the existing feature set and provides rich new functionality in the areas of identity management, file system, virtualization, and storage as well as productivity tools.

Through collaboration with partners, customers and the open source community, we are committed to delivering technology that is tested and stable – including in the beta phase of development. Red Hat Enterprise Linux 6.4 demonstrates this commitment and has been designed for optimized performance, stability and flexibility to cater to today’s diverse workloads running in physical, virtual and cloud environments.

Key new features and enhancement details include:

Identity Management

System Security Services Daemon (SSSD) enhancements improve the interoperability experience with [Microsoft Active Directory] by providing centralized identity access control for Linux/Unix clients in a heterogeneous environment.


File system

pNFS (Parallel NFS) client (file layout only) remains in technology preview, however now delivers performance improvements with the addition of Direct I/O for faster data access. This drives particular performance benefits for I/O intensive use cases including database workloads.


Virtualization

Red Hat Enterprise Linux 6 now includes the Microsoft Hyper-V Linux drivers, which were recently accepted by the upstream Linux community, improving the overall performance of Red Hat Enterprise Linux 6 as a guest on Microsoft Hyper-V.

Installation support for VMware and Microsoft Hyper-V para-virtualization drivers. This new feature enhances the user deployment experience of Red Hat Enterprise Linux as a guest in either of these virtualization environments.

In this release, KVM virtualization virtio-scsi support, a new industry storage architecture, provides industry leading storage stack scalability.


Management

The use of swap functionality over NFS enables more efficient read/write tradeoffs between local system memory and remote disks. This capability increases performance in very large, disk-less server farms seen in ISP and Web hosting environments.

Enhancement in c-groups delivers the ability to migrate multi-threaded applications without errors.

Optimized perf tool for the latest Intel processors


Storage

New system log features identify mapping from block device name to physical device identifier – allowing an administrator to easily locate specific devices as needed.


Productivity Tools

Microsoft interoperability improvements with Microsoft Exchange and calendar support in Evolution. Productivity functions, such as calendar support with alarm notification and meeting scheduling is improved.

Customers such as animation studios and graphic design houses now have support for the newer Wacom tablets.


Through this next beta release of Red Hat Enterprise Linux 6, Red Hat is proud to deliver the highest quality open source enterprise platform. We look to the community and our partners and customers for feedback to ensure Red Hat Enterprise Linux 6.4 follows this path. Access to the beta release of Red Hat Enterprise Linux 6.4 is available here: https://rhn.redhat.com/rhn/software/channels/Beta.do.

German govt comes out against Trusted Computing and Secure Boot



Trusted Computing and Secure Boot, especially Secure Boot, are supposed to boost the security of devices that you own. Yes, devices that you own! However, judging from the manner that Secure Boot has been implemented, it sure feels like you do not own that device you bought with your money. Hence the phrase Restricted Boot is more apt.

And since corporations now run the government, a corporation with enough power (and money… the power comes from the money) can dictate what you can do on and with that device that you own. Microsoft’s ability to dictate to hardware vendors, and by proxy, dictate to you, how secure boot can be implemented, is a very good example.

So far, who has challenged Microsoft? Other than dissenting voices from the Free Software and Open Source community, nobody.

But the German government has made an official statement on Secure Boot (and Trusted Computing). Since it’s just a position statement, it does not count as a legal challenge to Microsoft, but it’s s start. The Free Software Foundation Europe was the first to report on this German government statement.

Here are key points that they made:

3. Complete control by device owners
Device owners must be in complete control of (able to manage and monitor) all the trusted computing security systems of their devices. As part of exercising control over their devices, device owners must be able to decide how much of this control to delegate to their users or administrators. Delegating this control to third parties (to the device manufacturer or to hard- or software components of the device) requires conscious and informed consent by the device owner (i.e., also with full awareness of possible limits on availability due to measures taken by the third party to whom control options were delegated).

With Restricted Boot, you are no longer in charge of your device, especially a computer preloaded with a Microsoft Windows 8 operating system.

4. Freedom to decide
When devices are delivered, trusted computing security systems must be deactivated (opt-in principle). Based on the necessary transparency with regard to technical features and content of trusted computing solutions, device owners must be able to make responsible decisions when it comes to product selection, start-up, configuration, operation and shut-down. Deactivation must also be possible later (opt- out function) and must not have any negative impact on the functioning of hard- and software that does not use trusted computing functions.

I agree. Give me all the fancy security features, but let me decide whether I want to turn any on or not. Even when enabled by default, make it easy for me to disable them.

6. Private use
The Federal Government explicitly calls on makers of trusted computing devices and components (both hard- and software) to offer devices and components also to private users which allow owners complete control over the trusted computing security system at all times.

Senin, 03 Desember 2012

How to password protect GRUB



To password protect grub from illegal access, first create an MD5 hash for the password using the command grub-md5-crypt. Enter the password and again retype the password when prompted.

[root@localhost ~]# grub-md5-crypt
Password:
Retype password:
$1$4Onh4/$5TkWggMpA2u17k7IOA5Hi1
[root@localhost ~]#

Copy the hash generated by "grub-md5-crypt" command and use it in the grub.conf file as shown below.

### Beginning of grub.conf ###

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/sda2
# initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
password --md5 $1$4Onh4/$5TkWggMpA2u17k7IOA5Hi1
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu

#####First Operating System#####

title Red Hat Enterprise Linux Server (2.6.18-8.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-8.el5 ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.18-8.el5.img

#####Second Operating System#####

title RedHat Operating System 2
root(hd1,0)
kernel /vmlinuz-2.6.18-8.el5 ro root=/dev/sdb2 rhgb quiet
initrd /initrd-2.6.18-8.el5.img

### End of grub.conf ###

When you boot the machine next time, press "p" at the grub menu to enter the password and edit the grub menu.

Minix3



MINIX





MINIX 3 is an open-source operating system that can be used as a base for research projects but also for commercial (embedded) systems where microkernel systems dominate the market. Much of the focus on the project is on achieving high reliability through fault tolerance and self-healing techniques.

MINIX is based on a small (about 10K lines of code) microkernel that runs in kernel mode. The rest of the operating system runs as a collection of server processes, each one protected by the hardware MMU. These processes include the virtual file system, one or more actual file systems, the memory manager, the process manager, the reincarnation server, and the device drivers, each one running as a separate user-mode process.

One consequence of this design is that failures of the system due to bugs or attacks are isolated. For example, a failure or takeover of the audio driver due to a bug or exploit can lead to strange sounds but cannot lead to a full takeover of the operating system. Similarly, crashes of a system component can in many cases be automatically and transparently recovered without human intervention. Few, if any, other operating systems are as self-healing as MINIX 3.

Many questions from people new to MINIX 3 are answered in the FAQ. One question that is very frequently asked is about the logo, the raccoon. It was chosen because raccoons are small, agile, clever, friendly, and eat bugs.
Source Code and Licensing

For many companies and individuals two key questions about any piece of software are availability of the source code and the license. MINIX 3 is open source. The entire source code is available for anyone to use and modify as they see fit, for academic, personal, or commercial purposes. In particular, companies may use MINIX 3 in whole or in part in products. Furthermore, it is completely free of charge. Support is available for a fee. Companies should contact us at info@minix3.org for pricing.

MINIX 3 is available for free under a BSD-type license, which may be attractive to companies since it does not require them to publish changes they make to the system as the GPL does (e.g., for Linux).
History of MINIX 3

MINIX has a long history. It goes back to 1987 when the first edition of the book Operating Systems: Design and Implementation by Andrew S. Tanenbaum was published. The first version of MINIX was intended for teaching and it became very popular very quickly. One of the early users was a Finnish student, Linus Torvalds, who learned all about operating systems from reading the book and modifying the system. Eventually he went on to write his own operating system, Linux. In 2004, a man named Ken Brown accused Torvalds of copying MINIX verbatim, but that was quickly refuted in a statement published 20 May 2004 by Andrew Tanenbaum.

A second edition of MINIX (and a second edition of the book, coauthored by Albert S. Woodhull) was released in 1997. This version was greatly improved from the first version but was still aimed at teaching operating systems to a large extent.

It was only with the third version, MINIX 3, and the third edition of the book, published in 2006, that the emphasis changed from teaching to a serious research and production system, especially for embedded systems. A few of the many differences between MINIX 2 and MINIX 3 are given here.

Going forward, we are making a serious effort to turn MINIX 3 into an industrial-grade system with a focus on the embedded market, especially for those applications that need high reliability and availability.

LibreOffice 3.3 Download





LibreOffice is the power-packed free, libre and open source personal productivity suite for Windows, Macintosh and GNU/Linux, that gives you six feature-rich applications for all your document production and data processing needs: Writer, Calc, Impress, Draw, Math and Base. Support and documentation is free from our large, dedicated community of users, contributors and developers.


There are three ways to install LibreOffice: source, packaged installer, repository. The repository route is easier than the other two but also doesn’t allow for any customization that you might want to do during a compilation. For this demonstration, repository and packaged distribution are shown.

Note: If you have OpenOffice.org installed, you should uninstall* it before installing LibreOffice.

For the packaged installer method, go to the LibreOffice Download page, select your system’s architecture (x86 or x64), package type (deb or rpm), and download the two packages that will appear. The installer, as it’s called, is really a gzipped tarball of rpm or deb packages. The helppack is a single package file.

Once downloaded, ungzipped, and untarred, cd into the install directory and install all of the packages listed.

$ sudo dpkg -i *.deb

Or, for rpm-based systems,

$ sudo rpm -i *.rpm

This installation will take several minutes. When it’s finished, cd to the desktop-integration directory and install the desktop integration package so that the menu items and launchers can be added to your Applications menu.

Debian-derived distribution users can install via a LibreOffice repository by using the following method. First, add the repository.

$ sudo add-apt-repository ppa:libreoffice/ppa

$ sudo apt-get update

Second, run an update to update package indexes from your /etc/apt/sources.list. Finally, install the LibreOffice packages from the repository.

$ sudo apt-get install libreoffice libreoffice-gnome language-support-en

If you use KDE instead of GNOME, use libreoffice-kde in place of the libreoffice-gnome package.

After your installation completes, find your LibreOffice suite under the Applications->Office menu. See Figure 1.

Figure 1: LibreOffice Applications in the GNOME Office Menu
Figure 1: LibreOffice Applications in the GNOME Office Menu

Using LibreOffice

Using LibreOffice is no different than any version of OO.o that you’ve seen in the past two, three, or maybe more, years. The apps work the same. The icons and general features are all fairly standard fare. If you’ve seen OO.o or any derivative, you’ve seen LibreOffice. The new green color scheme is refreshing but you won’t find many other surprises waiting for you.

If you’d like to see a list of LibreOffice unique fixes and features, go to the New Features and Fixes page. It’s expected that future versions will diverge more significantly from its OO.o upstream parent. The addition of Go-oo’s improvements will further diverge LibreOffice and distinguish it from OO.o.

Some of the significant improvements to look forward to are: faster application startup and response, better interoperability with commercial office suites, and some functionality improvements covering multimedia integration, extended language capabilities, and mathematical enhancements.

Kamis, 29 November 2012

Airsnarf - A rogue AP setup utility

Airsnarf - a rogue AP setup utility
Airsnarf is a simple rogue wireless access point setup utility designed to demonstrate how a rogue AP can steal usernames and passwords from public wireless hotspots.  Airsnarf was developed and released to demonstrate an inherent vulnerability of public 802.11b hotspots--snarfing usernames and passwords by confusing users with DNS and HTTP redirects from a competing AP.

  HotSpotDK checks for changes in ESSID, MAC address of the access point, MAC address of the default gateway, and radical signal strength fluctuations. Upon detecting a problem, HotSpotDK notifies the user that an attacker may be on the wireless network. Currently HotSpotDK runs on Mac OS X and Windows XP.

Airsnarf has been tested with (i.e. probably requires) the following:

Red Hat Linux 9.0 - http://www.redhat.com/
kernel-2.4.20-13.9.HOSTAP.i686.rpm - http://www.cat.pdx.edu/~baera/redhat_hostap/
iptables - Red Hat 9.0 CD 1
httpd - Red Hat 9.0 CD 1
dhcp - Red Hat 9.0 CD 2
sendmail - Red Hat 9.0 CD 1
Net::DNS Perl module - http://www.cpan.org/

Install & run Airsnarf with the following commands:

tar zxvf airsnarf-0.2.tar.gz
cd ./airsnarf-0.2
./airsnarf

How does it work?  Basically, it's just a shell script that uses the above software to create a competing hotspot complete with a captive portal.  Variables such as local network, gateway, and SSID to assume can be configured within the ./cfg/airsnarf.cfg file.  Optionally, as a command line argument to Airsnarf, you may specify a directory that contains your own airsnarf.cfg, html, and cgi-bin.  Wireless clients that associate to your Airsnarf access point receive an IP, DNS, and gateway from you--just as they would any other hotspot.  Users will have all of their DNS queries resolve to your IP, regardless of their DNS settings, so any website they attempt to visit will bring up the Airsnarf "splash page", requesting a username and password.  The username and password entered  by unsuspecting users will be mailed to root@localhost.  The reason this works is 1) legitimate access points can be impersonated and/or drowned out by rogue access points and 2) users without a means to validate the authenticity of access points will nevertheless give up their hotspot credentials when asked for them.

So what's the big deal?  Well, with a setup like Airsnarf one can obviously create a "replica website" of many popular, nationally recognized, "pay to play" hotspots.  That's as simple as replacing the index.html file Airsnarf uses with your own custom webpage that still points its form field variables to the airsnarf.cgi.  Combined with sitting at or near a real hotspot, hotspot users will associate and unknowingly give out their username and password for the hotspot provider's network.  The usernames and passwords can then be misused at will to utilize other hotspots of the same provider, possibly anywhere in the nation, leaving the original duped user to pay the bill.  Should the user be charged per minute usage, they may recognize something is terribly wrong when they get their next bill.  If the user pays a flat rate for unlimited usage, the user may never realize their credentials have been captured and are being misused.

Wireless hotspot operators should consider the following:  stronger authentication mechanisms, one-time authentication setups, monitoring the existence and creation of APs, and perhaps just giving away hotspot access for free to remove any user service theft risks.

Watch Out for those SCAMMERS ONLINE!


Look before you Shop!



Gone are the days when Ramu had to visit the grocery store to fetch everything from a cricket ball to packaged goods. It’s so medieval in this age of online banking and shopping. Now Ramu can sit in the comfort of his air conditioned room and order some exquisite things from remote corners of this world just with a click of the mouse. ClichĂ©! Isn’t? Indeed just a click of mouse is all it takes. Life is better in 2011.
Online shopping has revolutionized the way we shop, and it’s no wonder that its popularity is soaring by the day. There are advantages like shop any time and from anywhere and of course no cash payment is required. Money transfer from a bank account online or a credit card would do! Tempted? Eh! You’re easy to lure! Maybe you are the best man to work for me. 
How about I make a phishing attack and steal your credit card information the next time you pay, or what if your ordered product never gets delivered… as they would say ‘Lost in translation!’ Scared baby?! Awww… Don’t worry dear! Main hoon na…
Your robin hood aka I will give you some simple yet effective tips to secure your hard looted money!
Before going for online shopping, install updated Anti-Spyware, Anti-Virus, and firewall and set your web browser security to the highest level.
Intensively research about the website you intend to buy from. There are various means to do that, check out customer reviews or note the physical address and telephone number of their help centers. Since most hackers try to trap with websites that only look legitimate, make sure you choose wisely and go with popular websites.
Before making transactions, check if the website is secured. Is there https or padlock on the browser address bar?
After finishing transactions, take a print out of details of purchase like price, confirmation receipt and conditions of sale.
Immediately check the credit card statements after making the payment, make sure they debit only the said amount. If any discrepancies are encountered report to bank authorities.
After finishing online shopping, clear the web browser cookies and turn off the PC as the spammers and phishers will be looking for the systems connected to net and try to send spam e-Mails or install malware into your system to leak out personal information.
Beware of e-Mails demanding you to confirm the payment by entering product details and credit card number after the purchase has already been made. Legitimate people never send e-Mails asking for confirmation.
Follow these simple common leads to save embarrassment! 

Using SmartOS as a Hypervisor - 1

Rabu, 28 November 2012

Don't Let Our Right to Privacy Expire


Internet freedom means different things to different people. But for most of us it boils down to this: the freedom to read, do and say what we want online — and in private.
This Thursday, that freedom could come under attack. The Senate Judiciary Committee wants to update the Electronic Communications Privacy Act (ECPA) — a bill passed in 1986, before most of us had even heard of the Internet — to bring it into the 21st century.
A good update to ECPA is in the works. It would ensure that our online activity is given the same privacy protections as snail mail and wired phone calls.
But a bad update is in the works, too. Sen. Chuck Grassley is pushing an amendment that would allow government agencies to snoop — without a warrant — on our email, our texts and any documents we have stored in the “cloud.”
The Judiciary Committee is voting this week on how to move forward with this important bill — either by strengthening privacy protections or getting rid of them. The Free Press Action Fund has joined a coalition of groups at VanishingRights.com to make sure the Senate moves to protect our right to online privacy.
Each day we communicate more and more online — where there's little protection against government snooping. We can fix this. Take action now to protect our online privacy and stand up for our Internet freedom.

Don’t Let Verizon ‘Edit’ the Internet

Think you have the right to speak freely via cellphones, websites and social media?
Well, Verizon doesn’t. In fact, the telecom giant is now claiming that the First Amendment gives it the right to “edit” you and everyone else on the Internet.
The company is twisting our most fundamental free speech right to assert that it can control the Internet and your content — just as a newspaper editor picks and chooses the articles that go to press.
In the first brief filed in its lawsuit to overturn the Federal Communications Commission’s Net Neutrality protections, Verizon argues that the First Amendment gives the company the right to block all digital communications that cross its wires, from photographs of your cousin’s backyard barbeque to YouTube videos of human rights violations in Syria. It’s a preposterous claim — and it shows just how far the company is willing to go to control what you do online.
Send this letter to top Verizon executives Lowell McAdams and Ivan Seidenberg. All Internet users must raise the alarm on behalf of free speech online and draw a line in the sand against any powerful entity that seeks to censor us.

SOPA

The Stop Online Piracy Act seemed destined for passage when it first surfaced in the House of Representatives in 2011. Intended to discourage illegal copyright violations, SOPA would have given private entities the power to blacklist websites at will. It would have violated the due process rights of thousands of users who could have seen their sites disappear from the Internet. And it would have allowed banks to freeze financial deposits to the accounts of website owners, potentially forcing falsely accused Internet enterprises out of business.
Supporters claimed that SOPA was the only way to effectively fight online piracy. If it had passed, corporations (with the help of the courts) would have become the arbiters of what is and isn't lawful online activity, with millions of Internet users swept in their nets as collateral damage.
But on January 18, 2012, thousands of websites went dark to protest SOPA and its companion bill in the Senate, the Protect IP Act. Wikipedia, Reddit, BoingBoing, Free Press and Save the Internet were among the many participants in the protest, which created such a backlash that both bills were shelved.
This remarkable turn of events demonstrated the power of Internet organizing. But SOPA likely won't be the last time that powerful Hollywood studios and media companies use their Washington connections to try to slip through legislation that threatens the open Internet.

Please Help protect Our Internet Freedom.

Thanks

Anonymous - You, ITU, & Internet Censorship

Selasa, 27 November 2012

SpamAssassin

The Open Source Solution to SPAM


 The Open Source Solution to SPAM




 Problems with Spam? Then this is the book for You. ( I didn't get paid to say This)




The annoyance factor for individual users whose email is crammed with pitches for pornography, absurd moneymaking schemes, and dubious health products is fierce. But for organizations, the cost of spam in lost productivity and burned bandwidth is astronomical. While society is grappling with a solution to the burgeoning crisis of spam proliferation, the pressure is on system administrators to find a solution to this massive problem in-house. And fast.
Sys admins can field scores of complaints and spend months testing software suites that turn out to be too aggressive, too passive, or too complicated to setup only to discover that SpamAssassin (SA), the leading open source spam-fighting tool, is free, flexible, powerful, highly-regarded, and remarkably effective. The drawback? SpamAssassin's lack of published documentation.
SpamAssassin by Alan Schwartz, is the only published resource devoted to SpamAssassin and how to integrate it effectively into your networks. This clear, concise guide clarifies the installation, configuration, and use of the SpamAssassin spam-checking system (versions 2.63 and 3.0) for Unix system administrators using the Postfix, Sendmail, Exim, or qmail mail servers, helping administrators make the right integration decision for their particular environments.
It covers concrete advice on how to:
  • Customize SpamAssassin's rules, and even create new ones Train SpamAssassin's Bayesian classifier, a statistical engine for detecting spam, to optimize it for the sort of email that you typically receive
  • Block specific addresses, hosts, and domains using third-party blacklists like the one maintained by Spamcop.net.
  • Whitelist known good sources of email, so that messages from clients, coworkers, and friends aren't inadvertently lost.
  • Configure SpamAssassin to work with newer spam-filtering methods such as Hashcash (www.hashcash.org) and Sender Policy Framework (SPF).
Sys admins, network administrators, and ISPs pay for spam with hours of experimentation and tedious junk email management, frayed user tempers, and their sanity. SpamAssassin, together with this essential book, give you the tools you need to take back your organization's inboxes."Detailed, accurate and informative--recommended for spam-filtering beginners and experts alike." --Justin Mason, SpamAssassin development team

Keep Linux up to date. Never reboot

Eliminate disruptive reboots
        by
updating your systems with Ksplice.

With rebootless updates, you can:

 
 
 

   
      Save time and pain by updating in seconds, while your systems are running.
      Avoid downtime.
      Prevent disastrous security incidents by making it easy to stay up to date.
   
   
    Linux distributions require a reboot about once a month to stay
    up to date with important kernel security updates. Ksplice Uptrack
    allows you to apply the same updates published by your Linux
    vendor, without rebooting.
   

   
    Reboots required for kernel updates by major Linux distributions