<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="wordpress/2.0.4" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>Website hosting mac, affordable, php5, plesk - linux experts blog</title>
	<link>http://linux.omnicus.net</link>
	<description>Blog from linux expert subdomain hosting, macintosh, linux, bellsouth and j2ee</description>
	<pubDate>Fri, 02 Feb 2007 04:12:17 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.0.4</generator>
	<language>en</language>
			<item>
		<title>Chapter 13: Where to Now? Overview Over the</title>
		<link>http://linux.omnicus.net/2007/02/01/chapter-13-where-to-now-overview-over-the-2/</link>
		<comments>http://linux.omnicus.net/2007/02/01/chapter-13-where-to-now-overview-over-the-2/#comments</comments>
		<pubDate>Fri, 02 Feb 2007 04:12:17 +0000</pubDate>
		<dc:creator>sales</dc:creator>
		
	<category>redhat</category>
		<guid isPermaLink="false">http://linux.omnicus.net/2007/02/01/chapter-13-where-to-now-overview-over-the-2/</guid>
		<description><![CDATA[Documentation Resources    This is just an example. Go ahead and search for other software that you may be interested in; you will be  pleasantly surprised at how much software you will find. In addition to Freshmeat.net, you can also search for  software at its sister site, SourceForge.net, and also at [...]]]></description>
			<content:encoded><![CDATA[<p>Documentation Resources</p>
<p>This is just an example. Go ahead and search for other software that you may be interested in; you will be pleasantly surprised at how much software you will find. In addition to Freshmeat.net, you can also search for software at its sister site, SourceForge.net, and also at the GNOME and KDE project web sites at http://www.gnome.org/softwaremap/list and http://apps.kde.com.</p>
<p>Documentation Resources</p>
<p>If you&#8217;re looking for information on how to perform a particular task (say, how to set up a Wireless LAN or how to implement software RAID), then you can do worse than visit the Linux Documentation Project (http://www.tldp.org). Here you will find documents referred to as HOWTOs - each HOWTO contains concise, to-the-point instructions on how to perform a particular task. Here are a few examples of HOWTO documents:</p>
<table>
<tr><th>Document</th><th>Description</th></tr>
<tr><td>Cable-Modem</td><td>Answers basic questions on how to connect your Linux box to cable modem or cable Internet provider</td></tr>
<tr><td>Diskless</td><td>Describes how to set up a diskless Linux box</td></tr>
<tr><td>Infrared</td><td>Provides an introduction to Linux and infrared devices, and how to use the software provided by the Linux/IrDA project</td></tr>
<tr><td>KickStart</td><td>Briefly describes how to use the RedHat Linux KickStart system to rapidly install large numbers of identical Linux boxes</td></tr>
<tr><td>Software-RAID</td><td>Describes how to use Software RAID under Linux</td></tr>
<tr><td>Wireless</td><td>Explains how to set up Wireless in Linux, compatibility problems, something about geographic requirements and more</td></tr>
</table>
<p>As you acquire more and more of these resources, whether software or documentation, you will find that most of them are governed by some form of license. So, let&#8217;s take a look at some of the more common licenses.</p>
<p>Open Source Licenses</p>
<p>For all of the advantages of open source software - such as freely available source code and reduced cost of ownership - the licensing requirements sometimes seem to get in the way.
The problem is that there are so many open source licenses out there that it is difficult to keep track of them all.</p>
]]></content:encoded>
			<wfw:commentRSS>http://linux.omnicus.net/2007/02/01/chapter-13-where-to-now-overview-over-the-2/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>Chapter 13: Where to Now? Overview Over the</title>
		<link>http://linux.omnicus.net/2007/02/01/chapter-13-where-to-now-overview-over-the/</link>
		<comments>http://linux.omnicus.net/2007/02/01/chapter-13-where-to-now-overview-over-the/#comments</comments>
		<pubDate>Fri, 02 Feb 2007 04:12:16 +0000</pubDate>
		<dc:creator>sales</dc:creator>
		
	<category>redhat</category>
		<guid isPermaLink="false">http://linux.omnicus.net/2007/02/01/chapter-13-where-to-now-overview-over-the/</guid>
		<description><![CDATA[Chapter 13: Where to Now?   Overview   Over the course of this book, we have examined the Linux operating system in detail, covering everything  from its history and installation to everyday administration and even an introduction to programming in Perl.  But that&#8217;s not all! Linux has much more to offer; [...]]]></description>
			<content:encoded><![CDATA[<p>Chapter 13: Where to Now?</p>
<p>Overview</p>
<p>Over the course of this book, we have examined the Linux operating system in detail, covering everything from its history and installation to everyday administration and even an introduction to programming in Perl. But that&#8217;s not all! Linux has much more to offer; we have only scratched the surface of what is possible. There are hundreds upon hundreds of open source applications that are able to run on Linux. Whether it is exciting games, office productivity applications, or sophisticated development tools, you will be able to find software that meets your needs. Therefore, our main goal in this chapter is to get a taste of this vast frontier of the open source movement.</p>
<p>We will break this chapter into three sections:<br />
- In the first section, we&#8217;ll give a brief snapshot of where to look for resources online, what you will find, and a summary of widely used licensing schemes.<br />
- In the second section, we will discuss several administration applications that we can use on a daily basis to monitor and optimize our Linux system.<br />
- The third section will be of particular interest if you are interested in development. It looks at a number of programming languages, development utilities, and database engines that can be used effectively with Linux.</p>
<p>For each of the applications covered in this chapter, we will examine the reason for using the application, where to obtain it, and how to install it properly on your system.</p>
<p>Before we take a hard look at the applications themselves, we&#8217;ll start with some references and background information about helpful documentation and online resources that you can use to find applications and utilities that may interest you.</p>
<p>
Online Resources and Licensing Schemes</p>
<p>It seems that more than ever these days, there is a proliferation of information on Linux and open source - discussions on the open source initiative, articles on whether open source is good or bad, and references to the success of Linux. However, the best resources on Linux arguably can be found at the Open Source Development Network (OSDN). OSDN is a network of a number of web sites, including the famous Slashdot.org, SourceForge.net, and Freshmeat.net.</p>
<p>Software Resources</p>
<p>Suppose you are in the mood to play a game of Battleship - the game where you try to sink your opponent&#8217;s ships - but you are not sure if a version exists for Linux. How do you find out? Just head on over to Freshmeat.net and search for Battleship, and see what you get. Or better yet, take a look at the figure below:</p>
]]></content:encoded>
			<wfw:commentRSS>http://linux.omnicus.net/2007/02/01/chapter-13-where-to-now-overview-over-the/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>Security Awareness security newsletter, and find links to</title>
		<link>http://linux.omnicus.net/2007/02/01/security-awareness-security-newsletter-and-find-links-to-2/</link>
		<comments>http://linux.omnicus.net/2007/02/01/security-awareness-security-newsletter-and-find-links-to-2/#comments</comments>
		<pubDate>Thu, 01 Feb 2007 15:38:05 +0000</pubDate>
		<dc:creator>sales</dc:creator>
		
	<category>redhat</category>
		<guid isPermaLink="false">http://linux.omnicus.net/2007/02/01/security-awareness-security-newsletter-and-find-links-to-2/</guid>
		<description><![CDATA[Security Awareness   The most important points for you to try and remember are:     Choose strong passwords    Avoid using insecure protocols like telnet and FTP if possible    Do use secure protocols like ssh and sftp wherever possible    Disable network services that [...]]]></description>
			<content:encoded><![CDATA[<p>Security Awareness</p>
<p>The most important points for you to try and remember are:<br />
- Choose strong passwords<br />
- Avoid using insecure protocols like telnet and FTP if possible<br />
- Do use secure protocols like ssh and sftp wherever possible<br />
- Disable network services that are not required<br />
- Configure Tripwire to monitor the integrity of your system on a regular basis</p>
<p>If you can do all of these things, then you can confidently use your Red Hat Linux 9 system on the Internet, knowing that you&#8217;re as secure as you reasonably can be, and that all but the most determined hackers will go and find an easier target.
</p>
]]></content:encoded>
			<wfw:commentRSS>http://linux.omnicus.net/2007/02/01/security-awareness-security-newsletter-and-find-links-to-2/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>Security Awareness security newsletter, and find links to</title>
		<link>http://linux.omnicus.net/2007/02/01/security-awareness-security-newsletter-and-find-links-to/</link>
		<comments>http://linux.omnicus.net/2007/02/01/security-awareness-security-newsletter-and-find-links-to/#comments</comments>
		<pubDate>Thu, 01 Feb 2007 15:38:03 +0000</pubDate>
		<dc:creator>sales</dc:creator>
		
	<category>redhat</category>
		<guid isPermaLink="false">http://linux.omnicus.net/2007/02/01/security-awareness-security-newsletter-and-find-links-to/</guid>
		<description><![CDATA[Security Awareness   security newsletter, and find links to other, security-related, resources.   Computer Emergency Response Team (CERT)   The CERT Coordination Center is run by the Software Engineering Institute of Carnegie Mellon University.  Their Web site, http://www.cert.org/ provides a wealth of up-to-date information about security problems.  You can also [...]]]></description>
			<content:encoded><![CDATA[<p>Security Awareness</p>
<p>security newsletter, and find links to other, security-related, resources.</p>
<p>Computer Emergency Response Team (CERT)</p>
<p>The CERT Coordination Center is run by the Software Engineering Institute of Carnegie Mellon University. Their Web site, http://www.cert.org/, provides a wealth of up-to-date information about security problems. You can also subscribe to a mailing list so that you receive security alerts by e-mail.</p>
<p>Bugtraq</p>
<p>Bugtraq is a mailing list for the detailed discussion of computer security issues. You can access the Bugtraq archives at http://www.securityfocus.com/, and find several mailing lists to which you can subscribe. Click on the Mailing Lists button on the toolbar, and then click on info against the mailing list of interest. A popup window will appear which includes instructions on how to subscribe.</p>
<p>Mailing lists you might want to check out include:<br />
- bugtraq<br />
- focus-linux<br />
- linux-secnews</p>
<p>Logging out</p>
<p>It is vital that whenever we leave a computer system that we logged in to (such as our Red Hat Linux server, or our online banking Web site), we log out again. If we do not, there is a risk that someone else can come along and take over our connection, accessing the system as ourselves without having to go to the trouble of cracking passwords or intercepting network traffic.</p>
<p>Checking site certificates, signatures, checksums, and so on</p>
<p>With increasing awareness of security issues, more and more online resources (Web sites, RPM downloads, etc.) are authenticated in some way. When we access these resources, we may have an opportunity to verify their authenticity. This may be a pop-up window from our Web browser, or a checksum for an RPM. Whatever mechanism exists, we should always use it to check that the Web page we are accessing, or the RPM package we are about to install, is the genuine article, and has not been tampered with by anyone else.</p>
<p>
Where to find out more</p>
<p>The Official Red Hat Linux Security Guide can be downloaded from https://www.redhat.com/docs/manuals/linux/. This is a good read for people who need a deeper understanding of security issues surrounding their Red Hat Linux systems. There are also lots of good Linux HOWTOs that cover security related topics. Check out the Security-HOWTO and Firewall-HOWTO, for starters.</p>
<p>Summary</p>
<p>Security is largely a matter of common sense. Different people value different things, so there is no one security configuration that will be exactly suited to everyone. However, Red Hat Linux does a pretty good job &#8220;out of the box&#8221;, so most security work will be in fine tuning your setup to meet particular requirements, rather than urgent actions required to fix glaring security holes.
</p>
]]></content:encoded>
			<wfw:commentRSS>http://linux.omnicus.net/2007/02/01/security-awareness-security-newsletter-and-find-links-to/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>Firewalls the policy on the INPUT chain to</title>
		<link>http://linux.omnicus.net/2007/02/01/firewalls-the-policy-on-the-input-chain-to-2/</link>
		<comments>http://linux.omnicus.net/2007/02/01/firewalls-the-policy-on-the-input-chain-to-2/#comments</comments>
		<pubDate>Thu, 01 Feb 2007 05:23:55 +0000</pubDate>
		<dc:creator>sales</dc:creator>
		
	<category>redhat</category>
		<guid isPermaLink="false">http://linux.omnicus.net/2007/02/01/firewalls-the-policy-on-the-input-chain-to-2/</guid>
		<description><![CDATA[Security Awareness   (We need to replace nameserver with the TCP/IP address of our nameserver.) Now our name server queries  should work again. Here&#8217;s what our rules look like:   # iptables -L -v Chain INPUT (policy DROP 26 packets, 2276 bytes) pkts bytes target prot opt in out source destination 0 [...]]]></description>
			<content:encoded><![CDATA[<p>Security Awareness</p>
<p>(We need to replace nameserver with the TCP/IP address of our nameserver.) Now our name server queries should work again. Here&#8217;s what our rules look like:</p>
<pre># iptables -L -v
Chain INPUT (policy DROP 26 packets, 2276 bytes)
 pkts bytes target  prot opt in    out  source           destination
    0     0 ACCEPT  tcp  --  eth0  any  192.168.10.0/24  anywhere     tcp dpt:http
    0     0 DROP    tcp  --  any   any  192.168.1.57     anywhere     tcp dpts:ftp-data:ftp
    0     0 ACCEPT  tcp  --  any   any  192.168.1.0/24   anywhere     tcp dpts:ftp-data:ftp
    0     0 ACCEPT  all  --  any   any  nameserver       anywhere     tcp dpts:domain

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in    out  source           destination

Chain OUTPUT (policy ACCEPT 1190 packets, 430K bytes)
 pkts bytes target  prot opt in    out  source           destination
</pre>
<p>Once we&#8217;ve configured our rules, we need to make sure that they work as expected. In this example, we&#8217;d try ftp and Web server access from different hosts to see that they were allowed or blocked as required. Once we&#8217;re happy with the rules, we need to save them so that they will be reactivated if the machine is rebooted. We do this with the following command:</p>
<pre># service iptables save</pre>
<p>Security Awareness</p>
<p>The final part of this chapter deals with &#8220;softer&#8221; security concerns, such as maintaining awareness of security issues.</p>
<p>Security Alerts</p>
<p>Security problems with software are found and fixed on an almost daily basis. It is important to be aware of any security vulnerabilities that affect software you have running on your system as soon as they are discovered. Perhaps the easiest way to do this is to subscribe to a security alert service. Red Hat provides its own through the Red Hat Network, which we mentioned earlier, and it is very useful because you will be notified only of problems that affect the RPMs that you have installed on your system. You&#8217;ll also get notified immediately if there&#8217;s an update to a Red Hat supplied RPM that you&#8217;ve just installed.</p>
<p>As well as the Red Hat Network, there are many Web sites offering useful security information. Here are just a few of them.</p>
<p>Red Hat Errata Web Site</p>
<p>Red Hat provides another Web site that you can use to check out security related fixes for the packages that you have installed. The URL for this site is http://www.redhat.com/apps/support/errata/. From this page, you can access Security Alerts, Bug Fixes and Enhancements for all currently supported releases of Red Hat Linux. There&#8217;s also a link to the Red Hat Security Resource Center, where you can subscribe to a monthly
</p>
]]></content:encoded>
			<wfw:commentRSS>http://linux.omnicus.net/2007/02/01/firewalls-the-policy-on-the-input-chain-to-2/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>Firewalls the policy on the INPUT chain to</title>
		<link>http://linux.omnicus.net/2007/02/01/firewalls-the-policy-on-the-input-chain-to/</link>
		<comments>http://linux.omnicus.net/2007/02/01/firewalls-the-policy-on-the-input-chain-to/#comments</comments>
		<pubDate>Thu, 01 Feb 2007 05:23:54 +0000</pubDate>
		<dc:creator>sales</dc:creator>
		
	<category>redhat</category>
		<guid isPermaLink="false">http://linux.omnicus.net/2007/02/01/firewalls-the-policy-on-the-input-chain-to/</guid>
		<description><![CDATA[Firewalls   the policy on the INPUT chain to DROP is:   # iptables -P INPUT DROP   As soon as we type that in, all incoming network packets are dropped, so before we do so, we&#8217;d better make  sure that we&#8217;re logged in to the machine on the console. If [...]]]></description>
			<content:encoded><![CDATA[<p>Firewalls</p>
<p>the policy on the INPUT chain to DROP is:</p>
<pre># iptables -P INPUT DROP</pre>
<p>As soon as we type that in, all incoming network packets are dropped, so before we do so, we&#8217;d better make sure that we&#8217;re logged in to the machine on the console. If not, then we&#8217;ll lose our connection to the machine and won&#8217;t be able to get it back!</p>
<p>Note: We could also have used REJECT instead of DROP as the policy. This would result in a message being sent back to the sender of a blocked packet informing them that the port is not reachable. This is polite, and could prevent a hapless user from continually retrying a connection attempt that will never work. However, it also confirms our presence to a would-be hacker. The policy of DROP silently discards the incoming packet, so our would-be hacker won&#8217;t even know there&#8217;s anything listening at our IP address. Of course, this is only valid if we never respond to any requests - once you&#8217;ve responded to one, you&#8217;ve given the game away.</p>
<p>Now, we need to allow machines with IP addresses on the 192.168.10/24 network access to the Web server. This is listening on TCP port 80. We&#8217;ll add a rule that says accept any packet arriving on interface eth1 from a machine in the 192.168.10/24 network that is destined for port 80. The syntax for this is:</p>
<pre># iptables -A INPUT -p tcp -s 192.168.10/24 -i eth1 --dport 80 -j ACCEPT</pre>
<p>Here:<br />
-A INPUT means append the rule to the INPUT chain<br />
-p tcp means match packets for the TCP protocol<br />
-s 192.168.10/24 means match packets with a source address in the 192.168.10/24 network<br />
-i eth1 means match packets on the eth1 interface<br />
--dport 80 means match packets with a destination port of 80<br />
-j ACCEPT means jump to the ACCEPT target (that is, allow the packet through)</p>
<p>Note: We don&#8217;t have to specify the network interface, but doing so would prevent someone spoofing an IP address on the wrong network from gaining access.</p>
<p>Our second requirement is to allow ftp access to hosts in the 192.168.1/24 network attached to eth0, except 192.168.1.57. We&#8217;ll have to do this as a pair of rules; the first is a specific rule to block ftp access from 192.168.1.57 and the second is a more general rule that allows the others in. Since packets are passed to rules in order, we want to place our more restrictive rules first to ensure that they match. So, our two new rules are created with:</p>
<pre># iptables -A INPUT -p tcp -s 192.168.1.57 --dport 20:21 -j DROP
# iptables -A INPUT -p tcp -s 192.168.1/24 -i eth0 --dport 20:21 -j ACCEPT</pre>
<p>If we view our tables with the following command, we&#8217;ll see our rules&#8230; eventually:</p>
<pre># iptables -L -v</pre>
<p>If DNS is configured on our machine, we&#8217;ll find that all the DNS queries time out because we&#8217;ve blocked all the DNS traffic! So, we need to add some more rules to allow important network traffic through:</p>
<pre># iptables -A INPUT -p all -s nameserver --dport domain -j ACCEPT</pre>
<p>
</p>
]]></content:encoded>
			<wfw:commentRSS>http://linux.omnicus.net/2007/02/01/firewalls-the-policy-on-the-input-chain-to/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>Firewalls When we press the OK button, the</title>
		<link>http://linux.omnicus.net/2007/01/31/firewalls-when-we-press-the-ok-button-the-2/</link>
		<comments>http://linux.omnicus.net/2007/01/31/firewalls-when-we-press-the-ok-button-the-2/#comments</comments>
		<pubDate>Wed, 31 Jan 2007 17:28:50 +0000</pubDate>
		<dc:creator>sales</dc:creator>
		
	<category>redhat</category>
		<guid isPermaLink="false">http://linux.omnicus.net/2007/01/31/firewalls-when-we-press-the-ok-button-the-2/</guid>
		<description><![CDATA[Firewalls   iptables   Important This section is a brief introduction to setting up customized security beyond  what is possible with the GUI tools provided by Red Hat. It&#8217;s not meant to be  comprehensive, as everyone&#8217;s needs are different, and it&#8217;d be impossible to cater  to them all. However, hopefully [...]]]></description>
			<content:encoded><![CDATA[<p>Firewalls</p>
<p>iptables</p>
<p>Important: This section is a brief introduction to setting up customized security beyond what is possible with the GUI tools provided by Red Hat. It&#8217;s not meant to be comprehensive, as everyone&#8217;s needs are different, and it&#8217;d be impossible to cater to them all. However, hopefully it&#8217;ll give you a taste of the tools available.</p>
<p>Blocking and allowing traffic based on direction (i.e. incoming or outgoing) and port number gives some degree of control over network traffic, but there are situations when we need finer control. For example, we may want to run a Web server that can be accessed only from machines within our department, and not from machines elsewhere. Or we may want to prevent users on certain machines from being able to FTP files from our machine while allowing others to do so. The firewalling code in Red Hat Linux 9 is perfectly able to cope with these situations, and far more complex ones, but we have to roll up our sleeves and configure it from the command line.</p>
<p>This is where the iptables command comes in. It is used to manipulate the kernel&#8217;s packet filtering tables, so we can fine tune the firewall settings to our environment. Let&#8217;s see how to implement a concrete example.</p>
<p>Imagine our Red Hat machine has two network interfaces: eth0 has the IP address 192.168.1.1 and eth1 has the IP address 192.168.10.1. Both interfaces have netmasks of 255.255.255.0. We&#8217;re running a Web server listening on port 80, and an FTP server that uses ports 20 and 21. We need to allow machines with IP addresses starting with 192.168.10 access to the Web server, but nobody else. We also need to allow all machines in the 192.168.1.0 network access to the FTP server, except 192.168.1.57. How do we configure this?</p>
<p>The first thing to do is look at the existing firewall configuration. Log on to the machine and switch to the root user. Run the following command to get a verbose listing of the current firewall rules:</p>
<pre># iptables -L -v</pre>
<p>Rules are grouped together into chains. There are three default chains:<br />
- INPUT, which handles incoming network packets destined for processes on the local machine<br />
- OUTPUT, which handles outgoing network packets produced by the local machine<br />
- FORWARD, which handles packets that arrive on one interface and leave on another (i.e. the local machine is forwarding them).</p>
<p>There may be other user defined chains too.</p>
<p>To set up our machine to meet the above specification, we&#8217;ll clear out (or flush) the existing rules with the following command:</p>
<pre># iptables -F</pre>
<p>Note: We can use this command to delete the named user-defined chain:</p>
<pre># iptables -X name</pre>
<p>We&#8217;re going to be dealing only with packets coming into our machine in this example, so we&#8217;ll be configuring rules in the INPUT chain. Our first step is to configure the default behaviors - or Policy - for the INPUT chain so that if it receives a packet that doesn&#8217;t match any rules, it drops (discards) it. This is the most security conscious approach, as it means that everything is blocked unless we explicitly allow it. The command to set
</p>
]]></content:encoded>
			<wfw:commentRSS>http://linux.omnicus.net/2007/01/31/firewalls-when-we-press-the-ok-button-the-2/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>Firewalls When we press the OK button, the</title>
		<link>http://linux.omnicus.net/2007/01/31/firewalls-when-we-press-the-ok-button-the/</link>
		<comments>http://linux.omnicus.net/2007/01/31/firewalls-when-we-press-the-ok-button-the/#comments</comments>
		<pubDate>Wed, 31 Jan 2007 17:28:48 +0000</pubDate>
		<dc:creator>sales</dc:creator>
		
	<category>redhat</category>
		<guid isPermaLink="false">http://linux.omnicus.net/2007/01/31/firewalls-when-we-press-the-ok-button-the/</guid>
		<description><![CDATA[Firewalls    When we press the OK button, the firewall configuration is updated and saved so that the machine will reboot  with the new configuration in place.   Lokkit   There is another tool that we can use to configure the firewall on our Red Hat Linux systems. It&#8217;s called [...]]]></description>
			<content:encoded><![CDATA[<p>Firewalls</p>
<p>When we press the OK button, the firewall configuration is updated and saved so that the machine will reboot with the new configuration in place.</p>
<p>Lokkit</p>
<p>There is another tool that we can use to configure the firewall on our Red Hat Linux systems. It&#8217;s called Lokkit (installed from the gnome-lokkit RPM). It is a simple to use configuration tool that asks a series of simple questions and configures the firewall according to the answers you supply. It&#8217;s not as versatile or powerful as the method we&#8217;ve just discussed, so we&#8217;ll make no more mention of it here.</p>
<p>Note: Lokkit is not meant for custom firewall configuration and has fewer options than the Red Hat redhat-config-securitylevel tool.</p>
<p>There is one significant drawback with using the Security Level Configuration or Lokkit applications to configure our packet filtering firewall; both configure only rules that selectively block incoming network traffic. Outgoing traffic and traffic that is forwarded (that is received on one network interface and sent out on another) by our Red Hat system are not checked in any way. This means that, should you have a system behind your firewall that has been compromised (hacked or maybe infected by a virus), it is free to transmit whatever it likes through your firewall. It is a good idea to configure your firewall to block selected outgoing and forwarded traffic too. For example, you may want to force all Internet access for machines behind the firewall to be handled by secure proxy servers. This can be done by blocking outgoing Internet access for all machines except the proxy servers. More detailed firewall configuration like this is done with the iptables command, so let&#8217;s look at how to do that.
</p>
]]></content:encoded>
			<wfw:commentRSS>http://linux.omnicus.net/2007/01/31/firewalls-when-we-press-the-ok-button-the/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>Firewalls SYN, SYN+ACK, ACK packets at the start</title>
		<link>http://linux.omnicus.net/2007/01/31/firewalls-syn-synack-ack-packets-at-the-start-2/</link>
		<comments>http://linux.omnicus.net/2007/01/31/firewalls-syn-synack-ack-packets-at-the-start-2/#comments</comments>
		<pubDate>Wed, 31 Jan 2007 06:06:56 +0000</pubDate>
		<dc:creator>sales</dc:creator>
		
	<category>redhat</category>
		<guid isPermaLink="false">http://linux.omnicus.net/2007/01/31/firewalls-syn-synack-ack-packets-at-the-start-2/</guid>
		<description><![CDATA[Firewalls   say, port 8080.     If we select No firewall as the security level, then the firewall is disabled.  If we find that the default firewall rules do not meet our requirements, then we can select the Customize radio  button. This enables the remaining options on the window: [...]]]></description>
			<content:encoded><![CDATA[<p>Firewalls</p>
<p>say, port 8080.</p>
<p>- If we select No firewall as the security level, then the firewall is disabled.</p>
<p>If we find that the default firewall rules do not meet our requirements, then we can select the Customize radio button. This enables the remaining options on the window:</p>
<p>If we check the box against a network interface in the Trusted devices section, this configures the firewall to allow all traffic to and from that interface (because we trust all the machines connecting via that interface). However, can we be sure that one of these machines has not been compromised and that the packets coming from it are the work of a hacker?</p>
<p>The other options on the dialogue enable us to allow incoming connections on a selection of well-known ports for different services. For example, let&#8217;s pretend that our example machine will be running a Web server, and we&#8217;ll need remote access via ssh for administration, so the WWW and SSH boxes need to be checked. This ends up looking like this:</p>
]]></content:encoded>
			<wfw:commentRSS>http://linux.omnicus.net/2007/01/31/firewalls-syn-synack-ack-packets-at-the-start-2/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>Firewalls SYN, SYN+ACK, ACK packets at the start</title>
		<link>http://linux.omnicus.net/2007/01/31/firewalls-syn-synack-ack-packets-at-the-start/</link>
		<comments>http://linux.omnicus.net/2007/01/31/firewalls-syn-synack-ack-packets-at-the-start/#comments</comments>
		<pubDate>Wed, 31 Jan 2007 06:06:54 +0000</pubDate>
		<dc:creator>sales</dc:creator>
		
	<category>redhat</category>
		<guid isPermaLink="false">http://linux.omnicus.net/2007/01/31/firewalls-syn-synack-ack-packets-at-the-start/</guid>
		<description><![CDATA[Firewalls   SYN, SYN+ACK, ACK packets at the start of the connection, but with UDP, there is no connection, so  incoming and outgoing simply refer to the direction of the packet.   Configuring the Red Hat Linux Firewall   Configuring the Red Hat Linux firewall is very straightforward. Start the Security [...]]]></description>
			<content:encoded><![CDATA[<p>Firewalls</p>
<p>SYN, SYN+ACK, ACK packets at the start of the connection, but with UDP, there is no connection, so incoming and outgoing simply refer to the direction of the packet.</p>
<p>Configuring the Red Hat Linux Firewall</p>
<p>Configuring the Red Hat Linux firewall is very straightforward. Start the Security Level Configuration application by choosing Main Menu | System Settings | Security Level, or by typing redhat-config-securitylevel at the command prompt. If you are not logged on as root, and you haven&#8217;t recently supplied the root password to enable you to update system wide settings, you&#8217;ll be prompted to do that before the Security Level Configuration starts. When it does, you&#8217;ll see this window.</p>
<p>Under the Security Level: drop-down list, the options are High, Medium, and No firewall:</p>
<p>- The High setting configures the firewall to reject all incoming TCP connections (by blocking TCP packets that have the SYN flag set, and ACK cleared), and reject all incoming UDP packets, with the exception of replies to DNS queries on port 53 that come from the name servers we told Red Hat Linux about when we configured the network settings. (If the DNS replies were blocked, then we would be unable to resolve any host names that aren&#8217;t defined in the local /etc/hosts file, which would make using the Internet very tedious.)</p>
<p>Important: Note that, since incoming connections are blocked, we can&#8217;t run a Web server or any other kind of server behind such a firewall.</p>
<p>- The Medium setting configures the firewall to reject all incoming TCP connections to ports in the range 0 to 1023, and also incoming UDP packets for these port numbers. NFS and X11 traffic are also blocked. The significance of the ports in the range 0 to 1023 is that these are &#8220;privileged&#8221; ports, and a program has to be running with root authority in order to open sockets on them.
However, this does not mean that ports with numbers 1024 to 65536 can only have unprivileged programs opening sockets on them. It is quite possible to set up a Web server running with root authority listening on,</p>
]]></content:encoded>
			<wfw:commentRSS>http://linux.omnicus.net/2007/01/31/firewalls-syn-synack-ack-packets-at-the-start/feed/</wfw:commentRSS>
		</item>
	</channel>
</rss>
