1. Login to your shell
2. mv blog blog_old
3. mkdir blog_new && cd blog_new && svn co http://svn.automattic.com/wordpress/tags/2.7 .
4. cd ~/blog_old/
5. cp -p wp-config.php .htaccess ../blog_new && cp -rpf wp-content/* ../blognew/wp-content
6. cd ~/blog_new/ && svn sw http://svn.automattic.com/wordpress/tags/2.7/ .
7. mv blog_new blog
   
8. go to http://<you_url>/wp-admin/upgrade.php and perform the update process

And thats it! Put it in the hoven for 10 minutes and leave to rest! After that go enjoy your new and upgraded blog! Oh, by the way, each time a new version comes out, just go inside your blog dir and do a:

• svn sw http://svn.automattic.com/wordpress/tags/2.7/ .

Pretty sweet! =)

UPDATE: in fact you can forget step 2, and just move your old directory in the end, when about to go live. Perform the all the steps in the recipe, than at the end, just change blog to blog_old (or some other name you might have) and change blog_new to blog. This way you now point to you new SVN install, and you old stuff is safeguarded. Enjoy!

Since I’m not a big windows user, except for a desktop that his only purpose is to download Linux distros using bit torrent protocol, I was not fully aware of this limitation.

So I did some quick research and realized that this limitation was not a Windows problem, but a hardware problem! You see, 32-bit systems have a limit of memory that they can use. Normally this is 4GB minus the total ammount of memory in the Video Card, the BIOS and everything inside you machine that has memory. So most of the users that now buy 4Gib ram to use with their brand new Vista machine, get stucked at 3 ou 3,5 Gib.

Even thouhg Linux also suffers from the same limitations, it is able to handle higher memory installed, since it uses correctly the PAE… What is PAE you might ask? PAE, or Physical Address Extension is a feature that allows the use of more than 4Gib of physical memory, given apropriate operating system support for this feature.

There are some things you might do to enable PAE in 32-bit Vista, but I haven’t tryed yet this.. maybe in the future…

Here are some places you can go, to read a little bit more and try for yourself:

• Enabling PAE in Vista
• Wiki on PAE
• Microsoft on PAE in Vista

In the future, this limitation will be overcome, since the use of 64-bit systems sets the memory limit much higher. If you want 4Gib, with no hassle just switch to a superior operating system like GNU/Linux or Mac OS X =)

1. Download Putty to you desktop
2. Change the name of the file, from putty.exe to ssh.exe
3. Move this file to your Windows directory (should be on you drive C:\)
4. Press Windows Key + R (shortcut for run command)
5. Type ssh user@remote.example.com (use your own user and server)

If you got everything right, you now will be asked for your user password.. You can do it even smarter, and use public key authentication, which I love so much, and no more typing would be necessary.

Very cool right? No more fiddling for Putty.exe, no more clicks, no more hassle.. Just “RUN+ssh+options” and this will get you there! Like I said, SSH on Windows… The smart way!

Enjoy!

• Changed default listen port (default is 22)
• Only allow SSH protocol 2 (there are 2 versions of SSH, version 2 is far more secure)
• Disabled root login
• Allowed only some users to login
• Disabled password login
• Set up a private/public key method for authentication
• Set a a firewall rule for those script kiddies who like to knock on my server doors

These were the steps, and believe me, it’s not that big a deal to go through them. Let’s now describe each one!

Default Listen Port
By default, the Open SSH server comes with listen TCP port set to 22. Not trying to make security by obscurity, if you change this default behavior, at least those script kiddies, who scan your port 22, and hammer you with the defaults logins, will be dropped, and your bandwidth will be spared. So head to /etc/ssh (the default directory, most distros) and edit your sshd_confing. On the line: “Port 22“, change this to something else, higher than 1024, because usually port scanners don’t go higher than this by default; for example, use port 2222. When connecting to you server, don’t forget to specify the port number (in the command line this goes by ssh -p 2222 hostname).

SSH protocol 2
In the present, there are 2 versions of SSH protocol. It’s better to go with the latest, since it’s far more secure. So, in the same file you made your port changes, the line which contains the word “Protocol“, put a lonely “2” (probably there is already one there, or 2,1) in front. Save your changes.

Disable root login
Normally for administration purposes, we use the super user (root), but it’s not safe to remote login with this user. If something gets compromised, the attacker will have full power to change anything in your system. So, force logins with other user than the root, and then when you are logged in, su to become root. Believe me, it’s safer this way. So in the same file, when it says “PermitRootLogin“, put a “no” in front. Thats it!

Allow only some users to login
Ok, you now have disabled root login, but any user account on your system will be authorized to remote login. This brings a lot of issues, because more users, means more distributed logins, more chances to security issues (imagine one of your users being kidnapped by a alien, you never know). So authorize one user (you), and if needed, other users, but only if needed. I hope you never left sshd_config, because now we have to search for the line “AllowUsers”. If this line doesn’t exist, add it, in the “#Authentication” part of the file, and specify the users you want to allow login. Example: “AllowUsers user1 user2“. Easy right? Let’s continue.

Password logins
By default, you authenticate in your remote host, by using a combination of user/password. Passwords, by it’s nature are unsafe, so why use them? Next we will set up a digital key authentication, so disable passwords for now. In the same configuration file, change “PasswordAuthentication yes” to “PasswordAuthentication no”. And we are done regarding passwords.

Private/Public key authentication (using DSA)
In the past I explained this (link to previous post). You can use a combination of private/public key to authenticate yourself in a remote host, so use this. Go through that post, and set everything up. Its just a matter of following the steps: (1)ssh-keygen -t dsa; (2)cat ~/.ssh/id_dsa.pub (3)put the output of step (2) in remote ~/.ssh/authorized_keys (chmodded to 600). After making this, edit the lines inside sshd_config, “RSAAuthentication yes”, “PubkeyAuthentication yes” and “AuthorizedKeysFile %h/.ssh/authorized_keys”. And your done here.

Firewall Rule
Would it be great if your firewall detected if someone was knocking on your firewall door? Well, you can use a fully blown intrusion detection system, like Snort (link to snort), but by using simple rules in iptables, we can accomplish some security on the number of times someone tries to login. If you don’t know what iptables are, ignore this step, else, add this rules to your firewall (run this in the CLI or add it to your firewall scripts):

iptables -A INPUT -i ${WAN} -p tcp –dport 2222 -m state –state NEW -m recent –set –name SSH

iptables -A INPUT -i ${WAN} -p tcp –dport 2222 -m state –state NEW -m recent –update –seconds 60 –hitcount 8 –rttl –name SSH -j DROP

The ${WAN} part of the rule, is the network interface you use to connect to your ssh server. I normally export LAN and WAN in a bash script, so I always know what is going where. In the future we will discuss firewall/iptables in detail, for those who do not know about the subject.This simple 2 rules will limit to 8, the number of ssh logins your host will permit in a minute. Thats a huge improvement (only 8 against unlimited attempts).And thats it! This were the steps I made to improve security on my remote host. Combined with a good firewall script, you will get a very tight system, believe me! There are other stuff you can make, like using TCP wrappers, but in my case, I login from a changing IP addres, and this method is not very useful if your IP address changes a lot.Oh, one last thing you can do! If all this methods fail, and someone is able to login using ssh to your server, edit again the /etc/ssh/sshd_config, and in the line “Banner” add in front put “/etc/sshbanner.txt“. Now edit (create) the file /etc/sshbanner.txt and put this inside (copy/paste):

————————————————————————————————————–
WARNING! THIS IS A PRIVATE SSH SERVICE, NOT TO BE USED BY A STRANGER. IF YOU HAVE GAINED ILLICIT ACCESS ON THIS SYSTEM, A CURSE WILL BE SET UPON YOU, AND YOU WILL HAVE A SERIOUS RASH ON YOUR PRIVATE PARTS, AND SUFFER IN AGONIE! YOU HAVE BEEN WARNED!
—————————————————————————————————————

Now, each time a user logs in, he will see this message. If it’s a unwanted user, he will be so scared, that he will log off immediately! =)

Please post back comments, on more things we can use to improve security on our servers!

PS: Don’t forget, when all changes are made, to restart your ssh server (ex: /etc/init.d/ssh restart).

I came up with a name for this project, and the cool thing, is that I can use my domain as an acronym. So DBUGS stands for Digital Backup Using Gmail Storage.

So, what do I have in mind? Well, I came across some weeks ago, with Richard Jone s’s project, the GmailFS. This project, and using his words, provides a mountable Linux filesystem which uses your Gmail account as its storage medium. I read the entire site, and several other sites on the web, only to find out, that although this already can be achieved, some problems still need to be fixed, but since my project for now, exists only on paper, I hope that in the future, a more robust GmailFS, can be used.

What I propose here, is, to combine some cool open source technologies, to obtain a big, expandable online backup, but things like cost and reliability also come to my mind. Now it’s possible to create your own Gmail account for free, and all the tools I suggest using are open-source, so the cost factor, it’s only regarding your Internet connection, which by all means, must be broadband!

So, since it’s possible to mount GMail accounts locally, I started imagining the possibility, to use 2 accounts in a RAID1 setup (mirror), where Gmail_account1 would be the mirror of Gmail_account2. This way, data would be backed up twice, in two different locations. If one dies, the other remains alive, while we add a new one to the array. When I say 2 accounts (arrays), I mean n arrays, since, for RAID1 you can use 2+n arrays, this way, data is mirrored against several locations.

The next step in my theory would be size. Google already offers almost 3GB of storage, and rumors are that they will increase this for 9GB+, but what about if you want more? My thoughts went straight to a LVM setup, for the extra layer of complexity! Now we would have 2+n arrays, each made by LVM volumes, which
would be created using several (1 + N) accounts. Confused? I am! This way, each of the RAID1 array would be stripped across different accounts, and in the future, if we wanted to expand the size of our online backup disk, it was just a matter of creating new accounts, and adding those to each of the LVMs, so our RAID1 array would get bigger.

I also thought of security, and the best to do this, is using disk encryption. Another layer is added to the already tricky setup, but this is not important in the beginning, since for testing, I would not use sensitive data.

To perform the backups, I really think it’s a good idea to use some sort of rsync+cp+mv solution that performs incremental backups, without taking too much space. You can find many options for this online, but one my favorites is RSnapshot. A good source of information for this type of backup is Mike Rubel’s site on the subject.

And that’s it! Several problems must be addressed, and that’s why I started this post. I don’t know if it is either a very stupid idea, or if it can be accomplished and become a cool project. I’m working on some solutions, and I really hope I can post something on the subject anytime soon. Why should I even try this? Because I really think this is a cool idea, and perhaps I will not achieve what I intend, but in the process of failing, lies a path of learning… get it? =)

Please feel free to drop comments on this subject, with suggestions, critics or your help for the project. I’m more than happy to welcome you aboard. Let’s get this one off the paper, and make it work!

Here I will cover both the Mac and Linux, because, well, in fact they are almost the same, command line speaking I guess.

So, let’s skip the romantic part of the post, and let’s cut to the chase! =)

First go to your favorite command line client, and create or own set of digital keys. It’s very simple, don’t worry, just type ssh-keygen -t dsa (this generates a digital key, using DSA as security algorithm). It will prompt you the destination for the key, which normally resides inside folder .ssh at your home folder, and if you want to use a passphrase each time you use the keys (let’s keep it simple for now and say no). Now if you take a look inside .ssh folder, you will now see 2 files or more, but the important ones are id_dsa and id_dsa.pub. This is the pair of keys, one which is public, and the other you keep it for yourself.

Now if you look inside your id_dsa.pub, you will see a bunch of characters, which don’t mean anything to you. But copy everything to clipboard, for use in your remote server. My looks like this:

(this is all in a single line)

There is no problem on showing my public key, because, well, it’s public. You can learn more why here.

Now, login to your server, go to directory .ssh on you home folder, and edit or create the file authorized_keys; paste your public key inside, all in one line! That’s it, your done. If you use Dreamhost I found out that both .ssh folder and authorized_keys file must have 700 permissions set.

Now logout, and login again, and the remote server will match your public key, with your local private key, and if everything goes smoothly, you are in! No passwords, no hassle, no nothing!

It’s also possible to make your sftp client to use your keys, just define this in the login options, and check the “Use public keys authentication” or something similar, and choose your private key, not your public one. Next time you login, again, no passwords will be asked. Cool eyn?

I did not cover ssh inside Windows systems, but you can do the same using Putty and all the tools available. Go here to learn more about ssh authentication inside Windows, using Putty, but also for a more precise explanation on ssh authentication.

In the future it also should be important for you to set a passphrase with your keys, for extra security. But for now this is enough, so enjoy!
Oh, by the way, in case you did not understand the romantic vs chase part of this post, take a look here…

Update: By the way, this post refers to Dreamhost, but you can use this with any server you wish, just make the same steps discribed.

The basic command to change ownership is chown. You use it, giving a general syntax example, by typing chown -option_flags user:group object. Between the user and group, you can use either a . or : (user:group or user.group, both are acceptable).

There are a few option flags you can use, read the man page for chown to learn them. I think the most important one is the -R (Recursively change ownership of directories and their contents), but this, I leave you to decide.

Chown accepts different methods for setting permissions, and you can see that they are easy to remember:

• owner – it only changes the object’s owner
• owner: – changes the owner, and, automatically changes the group to the login or primary group of the user
• owner:group – it changes both the group and the owner at the same time
• :group – it only changes the group, leaving alone the user ownership

Now let’s go through a few examples…
Imagine you are user spider and you have the primary group users. When you create a file, default permissions are set (-rw-r- -r- -) and the file gets spider ownership and group users ownership. If you want to give that file to someone outside the users group, it will be able to read it, but not modified it, because the world trio bit (the others) is only readable.
Let’s say that the user you give the file to is ladybug, and her primary group is ladybug. You could use chown ladybug object1 and this will leave the file object1, with the ownership of ladybug.
Let’s say, both spider and ladybug belong to dbugs group. You could chmod 660 objec1 (user and group = read and write), and then chown spider:dbugs object1, leaving the file with user ownership unchanged but the group ownership set to dbugs. Since spider and ladybug have secondary group dbugs, they both can read and change the contents for object1. Getting the big picture by now?

The chown command, like I said can be used both in files and directories, and you can use it to change full directories and its contents. Just use the -R option, on a directory as target, and both the directory and everything inside it, will get the ownership you set. Example: chown -R spider:dbugs /pictures, will change directory pictures and everything inside to user spider and group dbugs.

That’s it! Practice a little, so you get the hang of it. Like everything in Linux, you will find it a lot easier with time and practice, to do things around the command line. Master these easy steps and you are in your way to proficiency! Have phun!

Like I said, there are two modes to use the chmod command:

• NUMERIC

This one is the most common, and the one you will be using almost exclusively. There are differente ways to do some things, but sometimes you stick with the better one, right? Well, you decide…
When using numeric mode, you simply do, for example, chmod 666 object1. This would, like you learned before, change the permission of the owner, the group and the rest of the world to read/write/not-execute (4=read/2=write/0=not-execute).

You can use combination of numbers to obtain what you intend. For example, its also possible to change permissions in a bunch o files, like you would do when copying, using wildcards or file extensions. You even can change permissions on everything inside a given directory, but not the directory itself; you can choose to follow child directories, affecting everything on the way. Now do you see why I keep saying CLI is the power?
Like any Linux Command, you have some options flags you can add. Today I’ll just steal the man page for chmod and present you with that:

POSIX OPTIONS
-R Recursively change permissions of directories and their contents.

– Terminate option list.

GNU OPTIONS
-c, –changes
Verbosely describe the action for each file whose permissions actually changes.

-f, –silent, –quiet
Do not print error messages about files whose permissions cannot be changed.

-v, –verbose
Verbosely describe the action or non-action taken for every file.

-R, –recursive
Recursively change permissions of directories and their contents.

Not to many right? The other chmod mode is:

• SYMBOLIC

In this mode, you pretty much do the same, that when you choose numeric mode, but some people find it more simple to use this one.
In symbolic mode you use letters to identify the trio bits, which are: u = user, g = group, o = others and a = all. You also use in combination to letters, qualifiers, which are the +, - and =, and on the top of the cake you use the good old letters you know for permissions, read, write and execute.
A simple example is chmod u=rwx, g=r, o=r object1. This will change for object1 permissions for the owner user (read/write/execute), the owner group (read) and the rest of the world (read). Simple, and you could do it just for a specific permission trio, like chmod g=rw object1. Its also possible to set an object permission, without really knowing what permissions it already has. You just use the modifier + instead of the =, so you get chmod a+x object1, and this will add execute permission to everyone (a=all, remember). There is a small trick in this last example.. you can drop the a and just use the +x, like chmod +x object1 (since no group is specified, all are changed).
One last modifier, the minus (-); this is the same with the plus modifier, except it takes, instead of giving… simple right?

Train this a little bit, and find out for yourself which mode is more comfortable to you. Keep in mind that this aims to be simple and effective, so keep training until you do it automatically (I’ll guess… a couple of minutes).
Cya soon for the last part on filesystem security.

LINKS: man chmod

Well the first bit, is the type bit the first of ten permission bits. It can be different, depending on the type of the object.

• - = This is used for normal files
• d = it’s used for directories
• l = used in symlinks (objects that point elsewhere, to other objects)
• b= used for special block devices files
• c = used for special character device.

The next bits (nine actually) are what we call the three permissions trios. Each single trio, is composed by 3 bits, in which, depending on the values (0 or 1) are either set, or unset. Each trio corresponds to a specific “group”: the first permission bit, is the “user” trio, and affects the owner of the object, or, simply speaking, if the user owns the file, this is his affecting trio; the second trio, is the “group” one, and only affects the object’s group. If the the user does not own the object, his primary and secondaries groups are checked, and the “group” permission trio kicks in. For the last we have the “Others” trio bits, that affect everyone else that neither is the owner or belongs to a group that owns the object…. The rest of the world!

Like I said, depending if those trios are on or off (1 or 0) you will get the corresponding permissions. If you have 1 (ON) you get a letter, and if you get 0 (OFF) you get a -. When we talk of files, the first bit of the trio, corresponds to the READ permission, meaning if it let’s you view the files contents. The second bit, corresponds to the WRITE permission, and this decides if you can change that file’s contents, but also his permissions, ownership and everything else. The last, but not the least, corresponds to the EXECUTE bit, which need to be set ON, if you want for example run a script (in fact, scripts also need the READ bit).

And so on for the three separate trios, I think its simple!

In binary code, 111 corresponds to the decimal number 7, because the first bit corresponds to the decimal number 4, the second to 2 and the third to 1. It’s important to know this small logic behind binary numbers, because we need to master this so we can set or modify permissions in files (later in a new article). So for example to set a read/write/not-execute permission, you will use the 6 decimal number (4+2+0). For just reading you use only the 4 (4+0+0). Simple right?

If you take one last look at the example above you will see extra stuff… Look at part where it says “mgarces mgarces“. This is the owner and the group for that object, correspondingly. In this case, since I’m user mgarces, if I try to access to misc.txt, only the first permission trio will be checked, because I’m the owner for that file. I have the read and the write permission, but not the execute one… Cool =)

Thats it! No more theory. Tomorrow I’ll promise we will get our hands dirty using permissions on our system. Understand this and you will not have any problems manipulating your files. Cya soon!

Has you probably found out, you need a combination of a user name and a password, to login to you system. Normal behavior is this security model, but there are distributions that automatically log you in. I believe this is not giving a damm about security, but that’s just me.
When you create a new user, you are provided with a User ID (uid) and a Group ID (gid). This is what is used to control acess to files and directories, and also running processes. Every single file created in your system, is owned by a specific user, and associated with a certain group. The same goes for processes (running programs), each one of them is controlled by a user and a group, and only the user or users associated with the group, can control the system resources assigned to this process.

USERS
Like I said before, each new user is assigned with a unique User ID (uid). You can check yours by typing id in the cli. It will output your uid, your gid and the groups that you belong to. Normally when you create a user, you are assigned also with a home directory (/home/<user>), and a program that is run when you login, most of the times this is the shell (ie: /bin/bash).
Users own the files and directories that they create, and cannot read or access other users files/directories. If you want to take a look which users exist on your system, poke trough /etc/passwd; here you can see all the usernames and uid .
Your home is right that, yours! You can create, destroy, move, copy… Whatever suits you! Organize it the way you want it, store everything you need. The only limitation to this is either disk space, or system quotas. In a safe Linux system, your user, besides his home, will share the /tmp directory with the rest of the world, and nothing else.You could sa, what about programs, aren’t this also shared? Yes, but later I’ll explain how this works.

GROUPS
Following the same philosophy, groups in your system are assigned a unique Group ID (gid), ant these are stored inside a special file, the /etc/group. Each user is assigned with his own private group (the same name as the username), and normally this is their primary group. Users can belong to several groups, and normally these are secondary group affiliations. Now, you might be asking what are the primary and secondary groups? Primary group, defines the creation mode, so files and directories created by the user, will inherit the primary group affiliation. If you intend to create something with a different group mode, user the newgrp <groupname>. From now on, everything will have the group that was chosen, until you type exit or CTRL+D .

Thats it for now! The ability a user has, to use certain directories or access certain files, is determined by his permissions (that comes along with uid and gid). This will be discussed later, so stay tuned =)