Friday, January 19, 2007

Linux Security - Hardening your System

The number of new Linux users is growing every day. More and more home users are discovering the Linux Desktop. People are moving to Linux for many reasons, such as:

  • Linux is an Open Source and Free OS: you can get the kernel or a distribution full of packages (Debian, for instance, has over 15490 packages) and customise/modify them to your needs
  • Linux is also in many cases free of charge. You get a very stable, well-supported OS (a worldwide user community will help you for free) that is constantly updated, and support for new hardware and software is added continually. Refer to Debian, Ubuntu, Fedora, gNewSense, Gentoo, Suse. For a complete list of Linux distributions, please follow this link.
  • Stability. Linux is rock solid and does not crash often.
  • Security. Linux is very secure. There are no viruses, worms or Trojan horses for Linux.

I could add many other reasons why people move to Linux. However, for the purposes of this article, I will stop here and concentrate my discussion on the last two items: Linux is stable and secure.

The idea that Linux is a secure OS per se is, in my opinion, a very dangerous assumption. Why do I consider it dangerous? Because, as with any software, Linux and the software that runs on it have bugs and vulnerabilities, which can be exploited by a hacker trying to break into your system. Most distributions are not hardened enough to be connected to the Wild (the Internet). Most distributions don't have at least a firewall, anti-virus and IPS (intrusion prevention system) set up and running by default. In some cases there are unnecessary services up and listening for connections. To make matters worse, the user starts installing programs that he/she doesn't know are listening for external connections. To conclude my line of thought: Linux being a secure OS does not mean that someone should simply download a distribution, install it and start "surfing" the Internet, or the Wild as I prefer to call it, without ever hardening the system and keeping it updated. This is especially true for the home user. Corporate users normally have, or should have, security personnel in charge of information system and network security.

Therefore, I intend to write a series of articles to help new Linux users (and not so new ones, too) harden their systems and keep them secure. The first article in this series will be "Installation and Set up of Linux Firewall and Anti-virus". After that, I will discuss and introduce quick fixes for some common deadly sins: weak and default passwords, open network ports, old software versions, insecure and badly configured programs, insufficient resources and misplaced priorities, stale and unnecessary accounts. Furthermore, I'll present secure tunnels to protect your outgoing network connections, and show how to protect your email, how to protect your files, and how to do intrusion detection and prevention. And, if you've read the articles in this series too late, you will benefit from the articles in the series Recovery and Response.

I'll release the first article on Saturday, Jan. 20th and I'll always announce the article that will follow.

I hope those articles will help you keep your system secure and contribute to your joy of using Linux.
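A quick way to check for the unnecessary listening services mentioned above is to read the kernel's socket table. The script below is an added example, not part of the original post; the function names are hypothetical, the sample table is constructed, and it assumes a little-endian host and IPv4 only.

```sh
#!/bin/sh
# Added example (not from the original post): list IPv4 TCP sockets in LISTEN
# state that are bound to a non-loopback address, from a /proc/net/tcp table
# read on stdin. Assumes a little-endian host such as x86.

# The ( ) body runs in a subshell, so the helper variables stay local.
list_exposed_listeners() (
    while read -r sl local_addr rem_addr state rest; do
        [ "$state" = "0A" ] || continue     # 0A = LISTEN; header line is skipped too
        hex_ip=${local_addr%%:*}
        hex_port=${local_addr##*:}
        # The address is printed as one 32-bit value in host byte order, so on
        # a little-endian machine the octets appear reversed in the hex string.
        o4=${hex_ip%??????}                 # chars 1-2
        t=${hex_ip#??};   o3=${t%????}      # chars 3-4
        t=${hex_ip#????}; o2=${t%??}        # chars 5-6
        o1=${hex_ip#??????}                 # chars 7-8
        ip="$((0x$o1)).$((0x$o2)).$((0x$o3)).$((0x$o4))"
        case "$ip" in 127.*) continue ;; esac   # loopback only: not exposed
        echo "$ip:$((0x$hex_port))"
    done
)

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# listeners on 0.0.0.0:22, 127.0.0.1:631 and 192.168.1.10:8080, plus one
# established connection (state 01) that must be ignored.
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0A01A8C0:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1003 1
   3: 0A01A8C0:D431 057100CB:0050 01 00000000:00000000 00:00000000 00000000  1000        0 1004 1
EOF
}

# Demo on the sample; on a real machine: list_exposed_listeners < /proc/net/tcp
sample_table | list_exposed_listeners
```

IPv6 and dual-stack listeners are recorded in /proc/net/tcp6, which uses a longer address field and is not decoded here.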

Wednesday, January 17, 2007

Tweaking your Firefox

You get to work early and start your day by checking your e-mail, reading some news and writing some posts on your blog.

Most of the above-mentioned activities are done in your web browser, an essential tool nowadays. However, your day is just starting. You're eager to write a new post on your blog, but the browser is taking an eternity to load your blog web page. And your gmail page is still "Loading...".

How many of us haven't faced this situation so often? Probably, too many.

However, with a few tweaks you can improve the performance of your Firefox and load pages faster than usual. Here are some tips and tricks to get you started.

First of all, you should back up the entire Firefox profile directory. Under Linux it is located in your home directory, something like this:

~/.mozilla/firefox/[some_numbers_and_letter].default

Back up the whole directory as follows:

cd ~/.mozilla/firefox

tar -cjvf firefox-prof-bak.tar.bz2 [some_numbers_and_letter].default

Now you're able to start tweaking your browser.

Open your browser, if it is not already open, and follow these steps:

  1. Type about:config in your address bar. This will open Firefox built in configurator;
  2. In the filter bar type http. This filters the options and only displays http flags;
  3. Change: network.http.pipelining to true by double clicking;
  4. Change: network.http.pipelining.maxrequests to 8 by double clicking then entering the new value in the box;
  5. Change: network.http.proxy.pipelining to true by double clicking
  6. Change: network.http.max-persistent-connections-per-proxy to 8
  7. Change: network.http.max-persistent-connections-per-server to 8
  8. Change: network.http.max-connections to 48
  9. Right-Click anywhere in the configurator and add a new integer. The name of this must be nglayout.initialpaint.delay and a value of 0
  10. Restart Firefox by closing all windows and tabs and then reopening Firefox for the changes to become effective.

Now your browser should load pages faster than before. In fact, what it is doing is opening many connections to the server and downloading content in parallel, instead of opening just one connection per server and downloading the entire content within one connection.

The meanings of the parameters you have just changed are:

network.http.pipelining [Boolean] (True) - If set to True, this setting uses the new HTTP Pipelining feature supported by some servers and proxies. This can improve browsing speeds, however because the feature is not supported by all servers you may experience problems. I recommend setting this to True and only disabling it if you experience such problems as refused connections or unusual behavior.

network.http.pipelining.maxrequests [Integer] (8) - This setting determines the maximum number of requests to send when using the HTTP Pipelining feature (see above). The default is 4, and the maximum possible is 8 (higher values are ignored). I recommend setting this to 8 and only reducing it back to 4 if you experience any problems with the Pipelining feature.

network.http.proxy.pipelining [Boolean] (True) - If set to True, this setting enables the HTTP Pipelining feature (see network.http.pipelining above) for proxy servers. This can improve browsing speeds, however because the feature is not supported by all proxies you may experience problems. I recommend setting this to True and only disabling it if you experience such problems as refused connections or unusual behavior.

network.http.max-persistent-connections-per-proxy [Integer] (8) - If you are connected to a proxy, this setting determines how many connections to keep alive at any time. The default is 4, however you can attempt a higher value such as 8 to improve browser speed. As mentioned in the settings above, raising this to a very high value will put additional stress on the proxy server and may ultimately result in slower browsing for everyone on the proxy and/or a refused connection.

network.http.max-persistent-connections-per-server [Integer] (8) - If you are not connected to a proxy, this setting determines how many connections to a single server to keep alive at any time. The default is 2, however you can attempt a higher value such as 8 to improve browser speed. As mentioned in the settings above, raising this to a very high value will put stress on the particular website server you are connected to and will either result in a refused connection, or slower response times from the web page for every person trying to connect to it. Do not raise this value to one which is very high as it is inconsiderate and counter-productive if everyone does so.

network.http.max-connections [Integer] (48) - This setting determines how many simultaneous HTTP connections can be made by Firefox. The default is already 24, however for most people on moderate to fast Internet connections you can try raising this to a value like 48 or even 96 to allow for more open connections, thereby speeding up browsing multiple pages. The maximum is 65535, but remember that by raising this setting you are only raising the maximum possible number of connections. You aren't forcing Firefox to increase the actual number of connections it makes every time; if your system actually attempted to force 300 connections to open at once for example it would likely slow down to a crawl.

nglayout.initialpaint.delay [Integer] (0) - This setting determines how many milliseconds Firefox should wait before it starts to display the page contents. This brief delay allows Firefox to load and arrange the various page components as correctly as possible. The default is 250 milliseconds which isn't very long, however I recommend you set this to 0 to provide the earliest possible viewing of web content and improve the responsive feel of Firefox.

If you're the hacker type, here are some links that will help you go deeper in your tweaking:

http://www.tweakguides.com/Firefox_9.html

http://www.tweakfirefox.com/tweaks.php

http://kb.mozillazine.org/About:config_entries#Extensions..2A

http://firefox.stealthsettings.com/advanced-tweaking-firefox-20.html

Happy browsing,

Itzhak

Cross-Compiling GDB on Linux for Powerpc Platform

I'm a Software Engineer working with Embedded Systems. Currently, I'm working with a PowerPC SoC Processor - AMC-440EP.

When I first started working on this project I built my Development Environment, which includes a PowerPC toolchain, the Linux Kernel and root file system plus some extra libraries I need in my project. However, at that stage I forgot to build a PowerPC Debugger with my toolchain. Thus, I have to cross-compile gdb (http://www.gnu.org/software/gdb/) and gdbserver for remote debugging.

The steps to cross-compile GDB are:

Download the latest GDB version from http://www.gnu.org/software/gdb/download/

Decompress the tarball you have just downloaded:

tar -xjvf gdb-6.6.tar.bz2

cd gdb-6.6

Run the configuration script as follows:

# --with-solib-absolute-prefix ensures gdb will use the right libraries
./configure --target=powerpc-linux --enable-sim-powerpc \
    --enable-sim-hostendian=little \
    --with-solib-absolute-prefix=/path/to/libdir \
    --prefix=/path/to/the/installation/of/toolchain

make

make install

Then, change directory to:

cd ./gdb/gdbserver

Run the configuration script for gdbserver:

export CC=powerpc-440-linux-gnu-gcc

./configure --host=powerpc-linux --prefix=/path/to/the/installation/of/toolchain

make

make install

That's all. Now you have a functional PowerPC cross-compiled gdb and gdbserver. You can start debugging your PowerPC embedded application.

Cheers,

Itzhak

Drupal 5.0 Released

The Drupal team has just released a new version of the popular CMS.

Read the full story here and check out what's new on Drupal.