Recently I've been administering my first Ubuntu machine and I already feel a bit perplexed about its security setup.
The issue is that by default, the root account password is locked in Ubuntu and you are encouraged never to use root, but rely on sudoers for system administration.
I've read the rationale on Ubuntu's wiki and I agree on some points, but their mindset is totally biased towards a desktop setup.
Let's consider these points from their site:
Benefits of using sudo: Users don't have to remember an extra password.
This is cool for Average Joe, but don't tell me that it's an advantage on a serious server: it's actually a downside, see the next point.
Every cracker trying to brute-force their way into your box will know it has an account named root and will try that first. What they don't know is what the usernames of your other users are. Since the root account password is locked, this attack becomes essentially meaningless, since there is no password to crack or guess in the first place.
Sure, the attack on root becomes useless, but SSH brute-force attacks usually try lots of different usernames. If they manage to break a single account of a sudoer, they automatically have control of your machine. If you had to remember a different password to su your way in, it would make their life a bit harder.
Allows easy transfer for admin rights, in a short term or long term period, by adding and removing users from groups, while not compromising the root account.
err... what does "not compromising the root account" actually mean? If I get admin rights, I can do whatever I want, including compromising any account. Unless I get authorisation just to run a limited set of commands through sudo, but that's not the point of this post.
The root account password does not need to be shared with everybody who needs to perform some type of administrative task(s) on the system.
ok, but what problem does it solve? (apart from avoiding people shouting the root password when they shouldn't)
If I want to remove a person from the admin group, I need to trust her not to have planted any malicious program (rootkits, backdoors...), or rebuild the system if I really want to be on the safe and paranoid side.
IMHO, it's just the same as changing the root password when one is gone, or even better, periodically.
I'm not convinced. I still prefer the common su approach typical of almost all the other distributions...
mod_tunnel is a simple Apache module that can be used to create TCP tunnels using your Web server. It is useful to expose services which can be reached through a proxy, bypassing firewalls.
After only 4 years since the previous version, you can now download version 2.0 which works with Apache 2.2.x (and maybe 2.0.x, but I haven't tested it).
// quickest and dirtiest way to execute a query in PHP ;-)
// the query is a fixed string, nothing from the request is interpolated into the shell command
exec("echo 'SELECT r.* " .
     "FROM get_new_referrers() r " .
     "LEFT JOIN search_engines se ON ( r.referrer ~* se.pattern AND r.referrer ~* se.query_pattern ) " .
     "WHERE se.id IS NULL' | /usr/local/pgsql/bin/psql -U logminer -At logminer", $lines);
The query above grabs the referrers for every site available in the DB, filtering requests coming from known search engines to reduce the level of "noise".
This script is finally invoked by the cron job that processes the logs:
referrers_report.php | mail -s 'New referrers report' email@example.com
I've just installed the latest Mandriva 2008.1 RC on this fine Asus barebone.
Everything went fine, except that the output of sensors showed too many ALARM messages for my taste... so, here's how I've modified the pre-installed sensors.conf to set some min/max values closer to reality and to hide useless lines:
# Winbond W83627EHF configuration originally contributed by Leon Moonen
# This is for an Asus P5P800, voltages for A8V-E SE.
chip "w83627ehf-*" "w83627dhg-*"

    # +12V is in1 and +5V is in6 as recommended by datasheet
    compute in1 @*(1+(56/10)), @/(1+(56/10))
    compute in6 @*(1+(22/10)), @/(1+(22/10))
    set in1_min 12.0*0.9
    set in1_max 12.0*1.1
    set in6_min 5.0*0.95
    set in6_max 5.0*1.05

    set in4_min 1.6*0.9
    set in4_max 1.6*1.05
    set in9_min 1.6*0.9
    set in9_max 1.6*1.05

    # Set the 3.3V
    set in2_min 3.3*0.95
    set in2_max 3.3*1.05
    set in3_min 3.3*0.95
    set in3_max 3.3*1.05
    set in7_min 3.3*0.95
    set in7_max 3.3*1.05
    set in8_min 3.3*0.95
    set in8_max 3.3*1.05
I've just committed a function to easily purge old data from LogMiner's database, useful to prevent it from growing too much.
It'll appear in the next version, but since its release might still be far from now, here's the code for those who need it:
CREATE OR REPLACE FUNCTION cleanup( _site int8, _upToDate date ) RETURNS INT AS $body$
DECLARE
    _deleted INT;
BEGIN
    DELETE FROM accesses WHERE req_time < _upToDate AND site = _site;
    -- assumed: the function reports how many access rows were removed
    GET DIAGNOSTICS _deleted = ROW_COUNT;

    -- the foreign keys are dropped while the parent tables are cleaned up and re-created below
    ALTER TABLE accesses DROP CONSTRAINT accesses_request_fkey;
    ALTER TABLE accesses DROP CONSTRAINT accesses_search_fkey;
    ALTER TABLE accesses DROP CONSTRAINT accesses_referrer_fkey;

    -- remove rows no longer referenced by any access
    -- (NOT IN deletes nothing if the subquery yields a NULL; use NOT EXISTS if these columns are nullable)
    DELETE FROM requests WHERE id NOT IN ( SELECT DISTINCT request FROM accesses );
    DELETE FROM search_referrals WHERE id NOT IN ( SELECT DISTINCT search FROM accesses );
    DELETE FROM referrers WHERE id NOT IN ( SELECT DISTINCT referrer FROM accesses );

    -- re-create the constraints dropped above; definitions assumed from the deletes, adjust to your schema
    ALTER TABLE accesses ADD CONSTRAINT accesses_request_fkey FOREIGN KEY (request) REFERENCES requests(id);
    ALTER TABLE accesses ADD CONSTRAINT accesses_search_fkey FOREIGN KEY (search) REFERENCES search_referrals(id);
    ALTER TABLE accesses ADD CONSTRAINT accesses_referrer_fkey FOREIGN KEY (referrer) REFERENCES referrers(id);

    RETURN _deleted;
END;
$body$ LANGUAGE plpgsql;
For instance, if you want to keep only the last six months of data, you can set up a cron job which runs on the first day of every month and executes the command:
# supposing 1 is the id of your site
echo "SELECT * FROM cleanup( 1, CAST( date_trunc( 'month', now() ) - interval '5 months' AS date ));" | psql -U logminer logminer
Recently I needed to gather some statistics about the distribution of the different Mac OS X versions installed by users of a certain application.
Since the application has an update-check feature, I thought I'd use the web server logs to infer the data I was interested in. The only thing I could use was the User-Agent string sent by the application when requesting the file containing the update information.
After some digging in Darwin's build plists and a bit of googling, I came up with this list of patterns:
OS | user agent pattern
--------------------------+---------------------------------------------------
Mac OS X 10.2 | ^CFNetwork/1\.1$
Mac OS X 10.3.2-10.3.8 | ^CFNetwork/1\.2\.1$
Mac OS X 10.3.9 | ^CFNetwork/1\.2\.[2-6]$
Mac OS X 10.4 | ^CFNetwork/128$
Mac OS X 10.4.10 | ^CFNetwork/129\.21$
Mac OS X 10.4.11 | ^CFNetwork/129\.22$
Mac OS X 10.4.2 | ^CFNetwork/128\.2$
Mac OS X 10.4.3 | ^CFNetwork/(129\.5|10\.4\.3)$
Mac OS X 10.4.4 | ^CFNetwork/(129\.(9|10)|10\.4\.4)$
Mac OS X 10.4.5 | ^CFNetwork/129\.11$
Mac OS X 10.4.6 | ^CFNetwork/129\.13$
Mac OS X 10.4.7 | ^CFNetwork/(129\.16|4\.0)$
Mac OS X 10.4.8 | ^CFNetwork/129\.1(8|9)$
Mac OS X 10.4.9 | ^CFNetwork/129\.20$
Mac OS X 10.5 | ^CFNetwork/21[7-9]$
Mac OS X 10.5.1 | ^CFNetwork/220$
Mac OS X 10.5-prerelease | ^CFNetwork/(1[4-9][0-9](\.[0-9])?|20[0-9]|21[0-9])$
They might not be 100% correct, but they're good enough.
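Putting the table to work, as an added example that is not part of the original post: the patterns are compiled in check order (the prerelease range overlaps the released 10.5 one, so it is tried last) and applied to the User-Agent field of constructed Apache combined-format log lines; the update-check path /update.xml is an assumption.

```python
import re
from collections import Counter

# Patterns from the table above, compiled in check order: the 10.5-prerelease
# range (21[0-9]) overlaps released 10.5 (21[7-9]), so it must be tried last.
OS_PATTERNS = [(name, re.compile(rx)) for name, rx in [
    ("Mac OS X 10.2", r"^CFNetwork/1\.1$"),
    ("Mac OS X 10.3.2-10.3.8", r"^CFNetwork/1\.2\.1$"),
    ("Mac OS X 10.3.9", r"^CFNetwork/1\.2\.[2-6]$"),
    ("Mac OS X 10.4", r"^CFNetwork/128$"),
    ("Mac OS X 10.4.2", r"^CFNetwork/128\.2$"),
    ("Mac OS X 10.4.3", r"^CFNetwork/(129\.5|10\.4\.3)$"),
    ("Mac OS X 10.4.4", r"^CFNetwork/(129\.(9|10)|10\.4\.4)$"),
    ("Mac OS X 10.4.5", r"^CFNetwork/129\.11$"),
    ("Mac OS X 10.4.6", r"^CFNetwork/129\.13$"),
    ("Mac OS X 10.4.7", r"^CFNetwork/(129\.16|4\.0)$"),
    ("Mac OS X 10.4.8", r"^CFNetwork/129\.1(8|9)$"),
    ("Mac OS X 10.4.9", r"^CFNetwork/129\.20$"),
    ("Mac OS X 10.4.10", r"^CFNetwork/129\.21$"),
    ("Mac OS X 10.4.11", r"^CFNetwork/129\.22$"),
    ("Mac OS X 10.5", r"^CFNetwork/21[7-9]$"),
    ("Mac OS X 10.5.1", r"^CFNetwork/220$"),
    ("Mac OS X 10.5-prerelease",
     r"^CFNetwork/(1[4-9][0-9](\.[0-9])?|20[0-9]|21[0-9])$"),
]]
# In Apache combined log format the User-Agent is the last quoted field.
UA_RE = re.compile(r'"([^"]*)"\s*$')

def classify(user_agent):
    """Map a User-Agent string to an OS label, or 'unknown' if nothing matches."""
    for name, rx in OS_PATTERNS:
        if rx.match(user_agent):
            return name
    return "unknown"

def os_distribution(log_lines):
    """Count OS versions over access-log lines of the update-check request."""
    counts = Counter()
    for line in log_lines:
        m = UA_RE.search(line)
        if m:
            counts[classify(m.group(1))] += 1
    return counts

# Constructed sample lines, not real log data (path /update.xml is assumed).
SAMPLE_LOG = [
    '10.0.0.1 - - [01/Mar/2008:10:00:00 +0100] "GET /update.xml HTTP/1.1" 200 512 "-" "CFNetwork/220"',
    '10.0.0.2 - - [01/Mar/2008:10:00:01 +0100] "GET /update.xml HTTP/1.1" 200 512 "-" "CFNetwork/218"',
    '10.0.0.3 - - [01/Mar/2008:10:00:02 +0100] "GET /update.xml HTTP/1.1" 200 512 "-" "CFNetwork/207"',
    '10.0.0.4 - - [01/Mar/2008:10:00:03 +0100] "GET /update.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Feeding the real access log through os_distribution() and printing most_common() gives the version breakdown the post was after; anything the table does not cover lands in "unknown" instead of being silently misattributed.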
Born in Guastalla on the 14th of February, 1978; since I was a child I've always enjoyed disassembling (and re-assembling, often successfully) everything I could put my hands on.
Eventually I ended up disassembling and re-assembling software... it's not exactly the same thing as dismantling toys, but it can be equally fun.
Note for my fellow Italians: most of this site is in English, so that it can be understood by most of the people who pass through here.