I have been working a lot with Linux lately, special with the RedHat derivatives (CentOS, Fedora) , since this is almost mandatory at my work.

This last week, I spent all the time in this new workstation, with a Fedora 14 fresh install, and like all fresh installs, the system does not quite meet all my customizations and needs.

Java from Sun (or Oracle or something like that, I don’t keep track anymore) it’s the best choice when it comes to using Java, but like all things not fully OpenSource, it’s not 100% integrated into the system… (to be fair, even OSS tend not to integrate itself)! To had to the confusion of open VS closed software I use in my workstation, I am using Chrome (and not Chromium), because I like it better (better video support, among other stuff).

Long story, short, this quick tutorial is what I did to have Java running inside Chrome. I am going to skip the part where you install Chrome, Java and of course, Fedora 14, and go straight to solution!

Here it is:

#mkdir /opt/google/chrome/plugins
#cd /opt/google/chrome/plugins
# ln -s /usr/java/jdk1.6.0_22/jre/lib/amd64/libnpjp2.so .

And that’s it! Restart Chrome and you are up and running! Oh, by the way I am using a 64 bits distro, so if you are stuck in 32 bit retro, go ahead and adapt the path of libnpjp2.so.

Now you can make nice worldes of your log files! Have fun!

Here is how you do it:

• First, with you device (iPhone or iPod) go to bit.ly/eduroam_ualg (my UAlg’s student homepage). You have got to do this with your 3G connection, or other WiFi network.
• Download the eduroam_UAlg.mobileconfig file to your device
• A dialog will appear, asking to install a new profile. Click Install and after that,  Install Now (it will say that this procedure will change setting on your device)
• Once the new profile is installed and verified, a new dialog asking for your username, will appear. Input your UAlg’s credentials (normally it is your e-mail, in the form of aXXXXX@ualg.pt), and then click Next
• The next dialog will say in green Verified, you just have to click Done
• Once you are inside the campus, go to your WiFi Networks in system preferences, and click on the eduroam access point, that now shows up.
• Your e-mail should now show up, and you should insert your password.
• When joining for the first time, you have to accept the certificate, by clicking the Accept button.
• After this, you can start surfing! No need to configure proxy settings!

I hope this helps everyone to stay connected without problems. If you are having difficulty with some of the steps, leave a comment, and I will be happy to help you sorting this out. Also, if it keeps asking for the password, tell me. I think I solved this problem, but you never know….

Here are the steps necessary, this time, with some screenshots:

[Show as slideshow]

At the beginning, it was very hard to let go the few coding know-how I had, but then I got things rolling, and now I can only say this is a very cool programming language to learn.

My post tonight, is just to leave a big prop to a guy who made a entire website dedicated to teaching Haskell, but doing it in a fun way! I even leave here a pdf made of prints from the website, which is licenced as Creative Commons. It’s still a beta site, but don’t get it wrong! It’s the best Haskell tutorial I have found, including books and so!

Hope you can enjoy his work! Please leave comments if you find this has helped you in some way! Have fun!

1. Login to your shell
2. mv blog blog_old
3. mkdir blog_new && cd blog_new && svn co http://svn.automattic.com/wordpress/tags/2.7 .
4. cd ~/blog_old/
5. cp -p wp-config.php .htaccess ../blog_new && cp -rpf wp-content/* ../blognew/wp-content
6. cd ~/blog_new/ && svn sw http://svn.automattic.com/wordpress/tags/2.7/ .
7. mv blog_new blog
   
8. go to http://<you_url>/wp-admin/upgrade.php and perform the update process

And thats it! Put it in the hoven for 10 minutes and leave to rest! After that go enjoy your new and upgraded blog! Oh, by the way, each time a new version comes out, just go inside your blog dir and do a:

• svn sw http://svn.automattic.com/wordpress/tags/2.7/ .

Pretty sweet! =)

UPDATE: in fact you can forget step 2, and just move your old directory in the end, when about to go live. Perform the all the steps in the recipe, than at the end, just change blog to blog_old (or some other name you might have) and change blog_new to blog. This way you now point to you new SVN install, and you old stuff is safeguarded. Enjoy!

Not only are they doing a great job, by providing us with the tools we need to licence our creative work (or not so creative), but they also do everything they can to help everyone. My own site uses a CC licence, so I can only be proud of talking about them.

In their own words:

Creative Commons provides free tools that let authors, scientists, artists, and educators easily mark their creative work with the freedoms they want it to carry. You can use CC to change your copyright terms from “All Rights Reserved” to “Some Rights Reserved.”

I’m doing a presentation at my University, in a discipline regarding communications techniques, and I decided to speak about Creative Commons. I wanted to give something to my audience, so I’ve contacted CC, requesting some flyers or any merchandise they could send me, so I could do a better interactive work with everyone.

They were so great, and answered really fast! In six days I received a mail order with a lot’s of stickers and some postcards, all Creative Commons related.

I think everyone, should follow their example, and be professional like this!

Once again, THANK YOU Creative Commons, I will do anything at my power to spread the word! Keep up the good work!

Since I’m not a big windows user, except for a desktop that his only purpose is to download Linux distros using bit torrent protocol, I was not fully aware of this limitation.

So I did some quick research and realized that this limitation was not a Windows problem, but a hardware problem! You see, 32-bit systems have a limit of memory that they can use. Normally this is 4GB minus the total ammount of memory in the Video Card, the BIOS and everything inside you machine that has memory. So most of the users that now buy 4Gib ram to use with their brand new Vista machine, get stucked at 3 ou 3,5 Gib.

Even thouhg Linux also suffers from the same limitations, it is able to handle higher memory installed, since it uses correctly the PAE… What is PAE you might ask? PAE, or Physical Address Extension is a feature that allows the use of more than 4Gib of physical memory, given apropriate operating system support for this feature.

There are some things you might do to enable PAE in 32-bit Vista, but I haven’t tryed yet this.. maybe in the future…

Here are some places you can go, to read a little bit more and try for yourself:

• Enabling PAE in Vista
• Wiki on PAE
• Microsoft on PAE in Vista

In the future, this limitation will be overcome, since the use of 64-bit systems sets the memory limit much higher. If you want 4Gib, with no hassle just switch to a superior operating system like GNU/Linux or Mac OS X =)

Today I received a e-mail from a good friend of mine, to make a test to know how likely would I eat my friends in case of emergency. The website is called “Would You Eat Your Buddies in a Blizzard?”. Here I post my results, and invite you to take the test and post back your results in the comments… I want to know with who I would arrange my vacations!!!

54%

1. Download Putty to you desktop
2. Change the name of the file, from putty.exe to ssh.exe
3. Move this file to your Windows directory (should be on you drive C:\)
4. Press Windows Key + R (shortcut for run command)
5. Type ssh user@remote.example.com (use your own user and server)

If you got everything right, you now will be asked for your user password.. You can do it even smarter, and use public key authentication, which I love so much, and no more typing would be necessary.

Very cool right? No more fiddling for Putty.exe, no more clicks, no more hassle.. Just “RUN+ssh+options” and this will get you there! Like I said, SSH on Windows… The smart way!

Enjoy!

• Changed default listen port (default is 22)
• Only allow SSH protocol 2 (there are 2 versions of SSH, version 2 is far more secure)
• Disabled root login
• Allowed only some users to login
• Disabled password login
• Set up a private/public key method for authentication
• Set a a firewall rule for those script kiddies who like to knock on my server doors

These were the steps, and believe me, it’s not that big a deal to go through them. Let’s now describe each one!

Default Listen Port
By default, the Open SSH server comes with listen TCP port set to 22. Not trying to make security by obscurity, if you change this default behavior, at least those script kiddies, who scan your port 22, and hammer you with the defaults logins, will be dropped, and your bandwidth will be spared. So head to /etc/ssh (the default directory, most distros) and edit your sshd_confing. On the line: “Port 22“, change this to something else, higher than 1024, because usually port scanners don’t go higher than this by default; for example, use port 2222. When connecting to you server, don’t forget to specify the port number (in the command line this goes by ssh -p 2222 hostname).

SSH protocol 2
In the present, there are 2 versions of SSH protocol. It’s better to go with the latest, since it’s far more secure. So, in the same file you made your port changes, the line which contains the word “Protocol“, put a lonely “2” (probably there is already one there, or 2,1) in front. Save your changes.

Disable root login
Normally for administration purposes, we use the super user (root), but it’s not safe to remote login with this user. If something gets compromised, the attacker will have full power to change anything in your system. So, force logins with other user than the root, and then when you are logged in, su to become root. Believe me, it’s safer this way. So in the same file, when it says “PermitRootLogin“, put a “no” in front. Thats it!

Allow only some users to login
Ok, you now have disabled root login, but any user account on your system will be authorized to remote login. This brings a lot of issues, because more users, means more distributed logins, more chances to security issues (imagine one of your users being kidnapped by a alien, you never know). So authorize one user (you), and if needed, other users, but only if needed. I hope you never left sshd_config, because now we have to search for the line “AllowUsers”. If this line doesn’t exist, add it, in the “#Authentication” part of the file, and specify the users you want to allow login. Example: “AllowUsers user1 user2“. Easy right? Let’s continue.

Password logins
By default, you authenticate in your remote host, by using a combination of user/password. Passwords, by it’s nature are unsafe, so why use them? Next we will set up a digital key authentication, so disable passwords for now. In the same configuration file, change “PasswordAuthentication yes” to “PasswordAuthentication no”. And we are done regarding passwords.

Private/Public key authentication (using DSA)
In the past I explained this (link to previous post). You can use a combination of private/public key to authenticate yourself in a remote host, so use this. Go through that post, and set everything up. Its just a matter of following the steps: (1)ssh-keygen -t dsa; (2)cat ~/.ssh/id_dsa.pub (3)put the output of step (2) in remote ~/.ssh/authorized_keys (chmodded to 600). After making this, edit the lines inside sshd_config, “RSAAuthentication yes”, “PubkeyAuthentication yes” and “AuthorizedKeysFile %h/.ssh/authorized_keys”. And your done here.

Firewall Rule
Would it be great if your firewall detected if someone was knocking on your firewall door? Well, you can use a fully blown intrusion detection system, like Snort (link to snort), but by using simple rules in iptables, we can accomplish some security on the number of times someone tries to login. If you don’t know what iptables are, ignore this step, else, add this rules to your firewall (run this in the CLI or add it to your firewall scripts):

iptables -A INPUT -i ${WAN} -p tcp –dport 2222 -m state –state NEW -m recent –set –name SSH

iptables -A INPUT -i ${WAN} -p tcp –dport 2222 -m state –state NEW -m recent –update –seconds 60 –hitcount 8 –rttl –name SSH -j DROP

The ${WAN} part of the rule, is the network interface you use to connect to your ssh server. I normally export LAN and WAN in a bash script, so I always know what is going where. In the future we will discuss firewall/iptables in detail, for those who do not know about the subject.This simple 2 rules will limit to 8, the number of ssh logins your host will permit in a minute. Thats a huge improvement (only 8 against unlimited attempts).And thats it! This were the steps I made to improve security on my remote host. Combined with a good firewall script, you will get a very tight system, believe me! There are other stuff you can make, like using TCP wrappers, but in my case, I login from a changing IP addres, and this method is not very useful if your IP address changes a lot.Oh, one last thing you can do! If all this methods fail, and someone is able to login using ssh to your server, edit again the /etc/ssh/sshd_config, and in the line “Banner” add in front put “/etc/sshbanner.txt“. Now edit (create) the file /etc/sshbanner.txt and put this inside (copy/paste):

————————————————————————————————————–
WARNING! THIS IS A PRIVATE SSH SERVICE, NOT TO BE USED BY A STRANGER. IF YOU HAVE GAINED ILLICIT ACCESS ON THIS SYSTEM, A CURSE WILL BE SET UPON YOU, AND YOU WILL HAVE A SERIOUS RASH ON YOUR PRIVATE PARTS, AND SUFFER IN AGONIE! YOU HAVE BEEN WARNED!
—————————————————————————————————————

Now, each time a user logs in, he will see this message. If it’s a unwanted user, he will be so scared, that he will log off immediately! =)

Please post back comments, on more things we can use to improve security on our servers!

PS: Don’t forget, when all changes are made, to restart your ssh server (ex: /etc/init.d/ssh restart).

Once inside Disk Utility, just press the “New Image” button.

After this, put the settings that you see in the picture. Here I choose the image’s name secure, the syze 100mb (choose more if you want) and the important thing, in “Encryption“, choose AES-128. If you want to know more about this encryption, read some stuff.

Now, it’s important to choose a strong password, this can be tested by pressing the little key in the next window. This will show you a green bar, that grows, when password gets stronger. If you prefer, let the utility pick a strong password for you. One final thing to take in account: do not remember password in the Keychain, for improved security! So just uncheck that… Click OK, and you are all done!


Now eject the image, and move the secure.dmg inside your pen drive, or anywhere you want! Anytime you want to put new files, just mount the image (double click secure.dmg).

Very easy right? Enjoy simple encryption!