Begin Linux Blog

Linux Distro Releases and News

Archive for May, 2008

RAID, LVM and ACLs on Ubuntu 8.04

Posted by beginlinux on May 30, 2008

Ubuntu is trying to break into the server market.  Indeed, as I talk with companies moving to Linux on a weekly basis, over 50% of them want to move to Ubuntu as the server of choice.  If Ubuntu 8.04 is the server of choice for so many, and if Ubuntu wants so desperately to move into the server market, then you would expect Ubuntu to have server-quality options easily available on the Ubuntu install. What I cannot understand, then, is why RAID tools are not available, why Logical Volume Management version 2 is not installed and why Access Control Lists for the file system are also not installed on the server.  All of these can easily be installed and upgraded, but my question is … why not by default?

Note: With 8.04.1 some of these issues like LVM2 have been updated, the original install DID NOT have LVM2.

RAID
If you want to create RAID on Ubuntu you will need to install RAID tools before you can do so.  Now I am talking about software RAID.  You do have access to tools to install RAID during installation but the mdadm program is not installed by default.  So if you want to install RAID after the installation you need to add it so you have the tools.

sudo apt-get install mdadm

If you would like to see a tutorial on installing RAID on Ubuntu CLICK HERE.

Install LVM2 on Ubuntu

Ubuntu does not have LVM2 installed by default … why?  If Ubuntu wants to move to the server market, why not have lvm2 installed by default like RHEL 5 or CentOS 5? It can easily be added with this command:

sudo apt-get install lvm2

If you want to see a tutorial on how to install and configure LVM2 on Ubuntu 8.04 CLICK HERE.

Access Control Lists
Access Control Lists (ACLs) allow you to provide different levels of access to files and folders for different users. Red Hat Enterprise 5 / CentOS 5 have implemented ACLs in the file system by default. With this feature you can set up a file that one user can read, other users cannot read, and yet other users can both read and write. This was not possible previously.

sudo apt-get install acl

If you would like to see a tutorial on installing and configuring ACLs CLICK HERE.

Summary:
If Ubuntu really wants to break into the server market, they will need to install by default features that the server market really wants to use, specifically RAID tools, LVM2 and acls.  Until they make this transition many will not take them seriously in the server arena.

Posted in Server Admin | 5 Comments

Protecting Joomla: Part 2

Posted by beginlinux on May 29, 2008

Joomla Security

As with all software, it is important to update Joomla when a new version is released. These releases usually consist of important security fixes. CentOS 5 still uses PHP 4 but the security patches have been fixed for PHP 4 so you will also need to update your CentOS distribution.

Joomla file permissions should be 644.

Joomla folder permissions should be 755. The only exceptions are the cache directory and the temporary directories which must be writable.

Delete the installation directory completely as this represents a major security issue. Change the permissions of the configuration.php to 644 as well once you have completed the setup.
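One way to check a site against the permission rules above, as an added example that is not from the original post. It assumes the writable exceptions are the directories "cache" and "tmp" directly under the Joomla root; audit_joomla_perms is a name chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the writable exceptions
# are the directories "cache" and "tmp" directly under the Joomla root.

# audit_joomla_perms ROOT
# Prints one finding per line; returns 0 when the tree is clean, 1 otherwise.
audit_joomla_perms() {
    root=${1%/}
    findings=$(
        # Files must be exactly 644 (this covers configuration.php).
        find "$root" \( -path "$root/cache" -o -path "$root/tmp" \) -prune \
            -o -type f ! -perm 644 -print | sed 's/^/FILE-MODE /'
        # Directories must be exactly 755.
        find "$root" \( -path "$root/cache" -o -path "$root/tmp" \) -prune \
            -o -type d ! -perm 755 -print | sed 's/^/DIR-MODE /'
        # The installer has to be deleted once setup is complete.
        if [ -d "$root/installation" ]; then
            echo "INSTALL-DIR $root/installation"
        fi
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Run it as audit_joomla_perms followed by the path of your Joomla root; a non-zero exit status makes it easy to call from cron or a deployment script.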

Change the administrator name to something else so it is more difficult to guess and create an excellent password as users will attempt to guess this on a regular basis.  On the Joomla sites I run one of the most often visited pages is the administrator login…because people are trying to hack it. Create GOOD Passwords!!!!   Passwords must include case differences, include symbols and numbers and be at least 8 characters long.

Create a Restricted Folder for Administrator

One of the most effective ways to protect Joomla is to create a restricted folder with Apache so that only administrators can get access to the folder.

CLICK HERE for a tutorial on how to create restricted access to the administrator login.  This will be one of the best decisions you make!

Restrict Scripting Injection Attacks
Edit your /etc/php.ini file to turn off register globals.

register_globals = off

You can also force SQL injection attacks to bounce by adding these settings to the php.ini file.

allow_url_fopen = OFF
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

The first line disables the URL-aware fopen wrappers that allow URL objects to be accessed like files. The second one disables a number of PHP functions:

* show_source — an alias of highlight_file() which provides syntax highlighting for files;
* system — allows execution of external programs;
* shell_exec — allows execution of commands via a shell;
* exec — allows execution of commands;
* passthru — similar to the exec() function, allows execution of commands;
* phpinfo — outputs PHP information that could be used by potential intruders;
* popen — opens a pipe to a process being executed by a certain command;
* proc_open — similar to popen() but provides better control over command execution.

This may cause you some problems so you need to test, however, in initial testing it seemed to work OK.
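A check for the php.ini settings listed above, as an added example that is not from the original post. ini_value and check_php_ini are names chosen for this example, and the script reads whatever file you pass it, so it can be run against a copy before you edit /etc/php.ini.

```shell
#!/bin/sh
# Added example, not from the original post: report which of the settings
# recommended above are missing from a php.ini file.

REQUIRED_DISABLED="show_source system shell_exec passthru exec phpinfo popen proc_open"

# ini_value FILE KEY: print the lower-cased value of the last uncommented
# "KEY = value" line, or nothing when the key is absent.
ini_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, eq + 1)
            sub(/;.*$/, "", v)                  # drop a trailing comment
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)    # trim blanks and quotes
            val = tolower(v)
        }
        END { print val }' "$1"
}

# check_php_ini FILE: print one line per deviation; return 1 if any was found.
check_php_ini() {
    file=$1
    rc=0
    for key in register_globals allow_url_fopen; do
        case $(ini_value "$file" "$key") in
            off|0|false|no|none) ;;
            *) echo "$key is not explicitly off"; rc=1 ;;
        esac
    done
    # Wrap the list in commas so "exec" cannot be satisfied by "shell_exec".
    disabled=",$(ini_value "$file" disable_functions | tr -d ' \t'),"
    for fn in $REQUIRED_DISABLED; do
        case $disabled in
            *",$fn,"*) ;;
            *) echo "disable_functions is missing $fn"; rc=1 ;;
        esac
    done
    return $rc
}
```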

Posted in Uncategorized

Protecting Joomla: Part 1

Posted by beginlinux on May 28, 2008

Joomla is a very popular content management program that uses PHP and MySQL. It does have a history of security issues, so this series of articles will focus on how to protect Joomla from many of these attacks. The first article is about using a Reverse Proxy Server to stop attempts to inject SQL strings into the database to create a compromise.

Joomla 1.5.1 was developed to allow reverse proxy protection. It now has an optional livesite parameter to facilitate the reverse proxy so that all features work properly.

Squid
“Squid can be placed in front of an insecure web server to protect it from the outside world: not merely to stop unwanted clients from accessing the machine, but also to stop people from exploiting bugs in the server code”  Squid-cache.org

Using a Simple Reverse Proxy
There are many things you can do with Squid to provide additional security for your Joomla install, but this first article will just provide the basics which actually do a great deal to protect your web server with Joomla content. The Reverse Proxy with Squid is a separate box placed in front of your Joomla server. The Reverse Proxy will have a cache that will store the static content from your Joomla site and provide that cache for those who make requests. The advantage is a speed enhancement as the content is delivered from the cache not your Joomla server. The other real security advantage is that the SQL attacks will often be done on the cache content on the reverse proxy, not on the actual Joomla server. This one factor provides a real advantage to stopping many, not all, attacks on your server. The Reverse Proxy will basically minimize cross-site scripting exploits that are common.

CLICK HERE to see the details on setting up a Reverse Proxy with Squid.

Examples of Security Issues
SANS Consensus Security Vulnerability Alerts

Here are a few that are mentioned in the Vulnerability Alerts:
08.08.28 – Joomla! MCQuiz Component “tid” Parameter SQL Injection
08.08.29 – Joomla! PAXXGallery Component “userid” Parameter SQL Injection
08.08.30 – Joomla! and Mambo “com_quiz” Component “tid” Parameter SQL Injection
08.08.32 – Joomla! and Mambo “com_smslist” Component “listid” Parameter SQL Injection
08.08.33 – Joomla! and Mambo “com_activities” Component “id” Parameter SQL Injection
08.08.34 – Joomla! and Mambo “com_sg” Component “pid” Parameter SQL Injection
08.08.35 – Joomla! and Mambo “faq” Component “catid” Parameter SQL Injection
08.08.39 – Joomla! and Mambo “com_salesrep” Component “rid” Parameter SQL Injection
08.08.40 – Joomla! and Mambo “com_lexikon” Component “id” Parameter SQL Injection
08.08.41 – Joomla! and Mambo “com_filebase” Component “filecatid” Parameter SQL Injection
08.08.42 – Joomla! and Mambo “com_scheduling” Component “id” Parameter SQL Injection
08.08.44 – Joomla! and Mambo “com_galeria” Component “id” Parameter SQL Injection
08.08.45 – Joomla! and Mambo “com_jooget” Component “id” Parameter SQL Injection
08.08.47 – Joomla! and Mambo Quran Component SQL Injection
08.08.49 – Joomla! and Mambo Portfolio Manager Component “categoryId” Parameter SQL Injection
08.08.50 – astatsPRO com_astatspro Component “id” Parameter SQL Injection
08.08.51 – Joomla! and Mambo com_profile Component “oid” Parameter SQL Injection
08.08.52 – Joomla! and Mambo com_detail Component “id” Parameter SQL Injection
08.08.56 – Joomla! and Mambo com_downloads Component “cat” Parameter SQL Injection
08.08.59 – Joomla! and Mambo “com_pccookbook” Component “user_id” Parameter SQL Injection
08.08.63 – Joomla! and Mambo “com_team” Component SQL Injection
08.08.64 – Joomla! and Mambo com_iigcatalog Component “cat” Parameter SQL Injection
08.08.65 – Joomla! and Mambo com_formtool Component “catid” Parameter SQL Injection
08.08.67 – Joomla! and Mambo com_genealogy Component “id” Parameter SQL Injection
08.08.68 – iJoomla com_magazine Component “pageid” Parameter SQL Injection

Posted in Server Admin

Importance of Updates

Posted by beginlinux on May 20, 2008

How important are updates?  Well, it is illustrated by the recent disaster with Debian-based distros and the problem with the encryption key random generator. What was mistakenly done was that the keys were not random enough. As a result a total of 32,767 possible keys were available, which meant that a key could be hacked in as little as 1 hour, at least according to some assessments. This has been vulnerable for two years!!!!!!!

What this means is that you thought you had encrypted communication for the last two years but it may have been compromised during that time.

Real Life Example:
I recently had a consulting job to set up a mail server on a remote host. An organization had set up the box with Ubuntu 8.04 two weeks prior to my notification. They had done no updates and had made a basic LAMP install. When I logged in with SSH I noticed a user connected using SSH. I had been given the list of IPs that were legitimate and this was not one. Worse yet, a quick check of the logs showed this person was repeatedly attempting to gain root access. A check of their IP showed they were using a proxy, a bad indication. What it looks like is that the SSH key had been cracked and they were attempting root access.

A quick use of tcp_wrappers and they were denied access. The root password was immediately changed and all updates to fix the SSH problem were completed. This does illustrate not only the need to keep on top of updates but also the need for organizations to use multiple layers of security in case one fails. If this organization had used tcp_wrappers in the first place the issue would not have been an issue.
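The log check and tcp_wrappers response described above, as an added example that is not from the original post: it lists SSH sources that are not on the list of legitimate IPs and formats them as hosts.deny entries. The log lines are constructed, the addresses come from the documentation ranges, and the function names are chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample in the usual sshd syslog format; the addresses are from
# the documentation ranges (RFC 5737).
sample_auth_log() {
cat <<'EOF'
May 18 10:02:11 web1 sshd[2211]: Accepted publickey for deploy from 203.0.113.45 port 51122 ssh2
May 18 10:03:40 web1 sshd[2250]: Failed password for root from 203.0.113.45 port 51130 ssh2
May 18 10:03:44 web1 sshd[2250]: Failed password for root from 203.0.113.45 port 51130 ssh2
May 18 10:05:00 web1 sshd[2300]: Accepted password for admin from 192.0.2.10 port 40000 ssh2
May 18 10:06:12 web1 sshd[2310]: Failed password for invalid user test from 198.51.100.7 port 33000 ssh2
EOF
}

# unexpected_ssh_sources ALLOWED_IPS < auth.log
# ALLOWED_IPS is a space-separated list. Prints "ip accepted=N root_failed=M"
# for every source address that is not on the list, sorted by address.
unexpected_ssh_sources() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        / sshd\[[0-9]+\]: (Accepted|Failed) / {
            ip = ""
            # Take the address after the last "from" so a user name cannot spoof it.
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || (ip in ok)) next
            seen[ip] = 1
            if ($6 == "Accepted") acc[ip]++
            else if ($0 ~ / for root from /) rootfail[ip]++
        }
        END {
            for (ip in seen)
                printf "%s accepted=%d root_failed=%d\n", ip, acc[ip], rootfail[ip]
        }
    ' | sort
}

# hosts_deny_entries < report: one tcp_wrappers line per address, in the
# "daemon: client" form used by /etc/hosts.deny.
hosts_deny_entries() {
    awk '{ print "sshd: " $1 }'
}
```

An address with accepted=1 and a run of root failures is the pattern from the incident above: a login that succeeded from a source nobody recognised, followed by attempts to become root.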

Debian News

Ubuntu Security Announcement

Posted in Uncategorized

Apache in Ubuntu 8.04

Posted by beginlinux on May 13, 2008

Apache 2.28 is the current version that ships with Ubuntu 8.04.  There are several meaningful changes.  One of those changes is a much smaller apache2.conf configuration file.  When you look at the apache2.conf you will see one of those changes is that this file now contains only the Global Configuration options.  The config file is only 298 lines as you can see in the example.

291 # Include of directories ignores editors’ and dpkg’s backup files,
292 # see README.Debian for details.
293
294 # Include generic snippets of statements
295 Include /etc/apache2/conf.d/
296
297 # Include the virtual host configurations:
298 Include /etc/apache2/sites-enabled/

Note the modular support, which was available in the past as well, but now is more important to understand.  The include statements will help fill out the configuration file with the options in /etc/apache2/conf.d/  provided so applications can add features to apache without directly modifying the file.  Also note that the configuration for virtual servers is found in /etc/apache2/sites-enabled.  These actually have symbolic links to files that you modify in sites-available.

For a tutorial on how to configure Virtual Hosting on Ubuntu 8.04 CLICK HERE.

The apache2.conf file also contains include statements that impact the ports that can be used by the web server and modules which can be used.  The mods-enabled directory contains those modules that have been made available for the web server.  The httpd.conf file is for compatibility with configurations that you may have had with Red Hat or CentOS based distros.

For a tutorial on CentOS Virtual Hosting CLICK HERE.  This will give you a good comparison of the different ways to set up apache.

# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

# Include all the user configurations:
Include /etc/apache2/httpd.conf

# Include ports listing
Include /etc/apache2/ports.conf

The other include line you see is to set the ports that are available to the Web Server.  Looking at the file you can see the default is port 80 and the other SSL option is 443.

Listen 80

<IfModule mod_ssl.c>
Listen 443
</IfModule>

Multi-Processing Modules
The MPMs (multi-processing modules) are an additional feature of the modular design of apache that make it more flexible across operating systems and more scalable for servers.  The prefork MPM is the default for Ubuntu 8.04 and provides basic settings that can be modified to help your server scale to whatever load you will need to work with.   Your apache web server will start with 5 web servers running by default.  Each user that comes to your server will need an instance of apache to be able to view your site.  That is why 5 are started immediately, so that when users come there are servers already in memory to speed up the process for people to see your site.  If 10 people came at the same time, five new servers would have to be started, which will take time and be noticeable to those trying to view your site.  Part of the scalability issue is that you need to decide how many people will be on your site at one time.  Just remember that each instance of apache takes resources from your hardware, especially RAM, so have sufficient RAM for the machine.  If your site is not very busy you could reduce the “StartServers” number to 3 and save on resources. If it is very busy you may need to increase it to 20, etc.  You will need to modify the Minimum and Maximum numbers for your server as well.  The whole idea is to provide excellent scalability for your particular needs.

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
StartServers          5
MinSpareServers       5
MaxSpareServers      10
MaxClients          150
MaxRequestsPerChild   0
</IfModule>

Posted in Server Admin | 2 Comments