Jeroen's weblog

Ubuntu install

Ubuntu installation weblog


Monday, June 29, 2009

Commercial NTFS driver for Linux for free

On the Paragon site they offer their proprietary Linux NTFS driver for free. Download it here.
Note that this software was developed through reverse engineering, without any help from Microsoft.

Saturday, June 27, 2009

Linux as a Bastion host

On cyberciti I found an interesting article on how to turn a dedicated Linux box into a bastion host (super firewall) for your entire network.

Read all about it here.

Here is the text, in case the above link doesn't work.

Configure Linux As Bastion Host

What is a bastion host? How do I configure a bastion host under Linux? How do I create a firewall for a bastion host under any Linux distribution?

A bastion host is a high-risk host on your network: it is exposed to the Internet and is expected to be attacked. It can be a dedicated Linux box running netfilter, an OpenBSD box running PF, or a Cisco PIX device. This device is designed to protect your network from external threats.

The Internet
\\
\\
Bastion Host
//
//
Your Network

Usually the bastion host is placed outside your corporate firewall, or in the DMZ itself.

The Internet
     ||
+---------------+
| Bastion Host  |  <--- Outside firewall
+---------------+
     ||
+---------------+
|      DMZ      |  <--- Inside firewall
+---------------+
     ||
+---------------+
|  LAN1   LAN2  |
+---------------+

In most cases it is reachable from the Internet or from untrusted parties / computers. A bastion host can be, for example, a:

  1. Web server
  2. DNS Server
  3. FTP Server
  4. Proxy Server
  5. Honey pots
  6. Email Server etc
WARNING! These examples need a dedicated Linux box. You MUST know how to install programs on your computer, navigate the file system, list open ports, configure iptables, write a firewall script, and perform other advanced admin tasks.

Bastion Host and Screened Subnet

A bastion host adds an extra layer of security to the screened host architecture. It isolates your internal network from the Internet. The end result is that your bastion host is the primary target of Internet attacks. If someone breaks into the bastion host, your internal hosts are still shielded, because the perimeter network isolates the bastion host from them (provided the bastion host itself has no trust relationships or open paths into the LAN). The bastion host's firewall configuration is stricter than that of an ordinary server. Usually the following is done on bastion hosts:

  1. The firewall runs default-deny: all ports closed, only the required ports opened.
  2. An intrusion detection system (IDS/IPS) such as Snort.
  3. Security settings to mitigate Denial of Service (DoS), spoofing, and flood attacks.
  4. Regular auditing.
  5. Up-to-date software.
  6. May run special kernel security patches.
  7. All user accounts are locked down except the admin account.
  8. Encryption for remote logging (e.g. over ssh) and for disk storage.
  9. All end-user software and unneeded network servers such as Apache, MySQL and so on removed.
  10. TCP/IP stack tuned for network traffic, including network buffers.
  11. /etc/sysctl.conf customized to improve server security.

Usually the bastion host acts as a proxy server, allowing and denying connections according to your security policy.

How Do I Build Linux As a Bastion Host?

A Linux based bastion host can be built using the following steps:

  1. Grab a Debian / CentOS CD or your favorite Linux distribution.
  2. Install a minimal operating system. Avoid installing desktop software or other apps such as MySQL, Apache and other software.
  3. Reboot the server.
  4. Patch the server.
  5. Install the grsecurity kernel patch and reboot the system.
  6. Install additional software such as the Snort IDS and configure it.
  7. Install the Advanced Intrusion Detection Environment (AIDE) software and take a baseline of the clean system.
  8. Make sure all security patches are installed.
  9. Disable all network services except ssh.
  10. Disable all other daemons.
  11. Network tuning via sysctl.conf.
  12. Configure the firewall (see the sample script below).
  13. Remove centralized authentication such as LDAP.
  14. Remove as many utilities and system configuration tools as is practical for your setup. There is no need for gcc and other unwanted tools. Use rpm/yum or dpkg to list all installed packages.
  15. Log all security related events and turn on auditing.
  16. Write-protect log files by making them append-only with the chattr command (e.g. chattr +a /var/log/messages); critical files such as /etc/shadow can be made immutable (chattr +i /etc/shadow). Note that an immutable /etc/shadow blocks password changes until the attribute is removed with chattr -i, and that root (anyone with CAP_LINUX_IMMUTABLE) can remove the attribute, so this slows an attacker down rather than stopping one.
  17. Encrypt all database passwords, and file systems if possible.
  18. Create a system recovery DVD or tape.

All of the above are generic, recommended steps for configuring a bastion host.
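Steps 9 and 10 (only sshd may listen) and step 14 (remove utilities) interact: once netstat and ss are gone you still need a way to confirm what is listening. As an added example, not from the article, the Python script below reads the socket table the kernel exposes in /proc/net/tcp, decodes its hex-encoded addresses and reports every LISTEN socket outside an allow-list. The /proc/net/tcp content embedded in the block is a constructed sample; audit_listeners() reads the live file. The address decoding assumes a little-endian host (x86), where the kernel prints IPv4 addresses in host byte order.

```python
"""List TCP listeners by parsing /proc/net/tcp directly (no netstat/ss needed).

Added example, not part of the original article. The socket table below is a
constructed sample in the exact column layout of /proc/net/tcp.
"""
import socket
import struct

# Constructed sample: sshd on 0.0.0.0:22, a forgotten Apache on 0.0.0.0:80,
# MySQL bound to 127.0.0.1:3306, and one established ssh session from the LAN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 2345 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 3456 1 0000000000000000 100 0 0 10 0
   3: 0101A8C0:0016 6401A8C0:C3D2 01 00000000:00000000 00:00000000 00000000     0        0 4567 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"   # state code used by the kernel for LISTEN sockets


def decode_addr(hex_addr):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306).

    The kernel prints the 32-bit IPv4 address in host byte order; on a
    little-endian host (x86) that is the reverse of network order, hence "<I".
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row: local ip/port, state code and owner uid."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        ip, port = decode_addr(fields[1])
        rows.append({"ip": ip, "port": port, "state": fields[3], "uid": int(fields[7])})
    return rows


def listening_ports(text):
    """Sorted (ip, port) pairs that are in LISTEN state."""
    return sorted({(r["ip"], r["port"]) for r in parse_proc_net_tcp(text)
                   if r["state"] == TCP_LISTEN})


def unexpected_listeners(text, allowed_ports=(22,), ignore_loopback=False):
    """Listening sockets that violate the 'ssh only' policy of the build steps."""
    out = []
    for ip, port in listening_ports(text):
        if port in allowed_ports:
            continue
        if ignore_loopback and ip.startswith("127."):
            continue
        out.append((ip, port))
    return out


def audit_listeners(path="/proc/net/tcp", allowed_ports=(22,)):
    """Audit the live host (IPv4 only; repeat with /proc/net/tcp6 for IPv6)."""
    with open(path) as f:
        return unexpected_listeners(f.read(), allowed_ports)


if __name__ == "__main__":
    print("sample listeners:", listening_ports(SAMPLE_PROC_NET_TCP))
    print("sample violations:", unexpected_listeners(SAMPLE_PROC_NET_TCP))
```

On the sample the audit reports 0.0.0.0:80 and 127.0.0.1:3306 as violations; a loopback-only listener is less exposed but still counts as software that should have been removed in step 2, so ignore_loopback defaults to False.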

Sample Linux Iptables Bastion Host Rules

You need at least two network interfaces: one connected to the Internet with a public IP, and a second, private one connected to your LAN. Run the script from the console rather than over ssh: it flushes all rules and sets default DROP policies, so an existing ssh session is cut off until the LAN rules have been re-added.

#!/bin/sh
# The bastion host firewall for bhost.lan.nixcraft.net.in
# The bastion host is also:
# (a) Mail server that relays mail to postfix.lan.nixcraft.net.in
# (b) DNS server that sends zone transfers to ns1.lan.nixcraft.net.in and ns2.lan.nixcraft.net.in
# (c) Allows incoming ssh / http / https to bhost.lan.nixcraft.net.in from the LAN subnet so that
#     we can manage bhost.lan.nixcraft.net.in via ssh, and read snort stats via the ACID web interface.
#
# Run this from the console, not over ssh: the flush below, combined with the
# default DROP policies, cuts every existing session until the LAN rules are re-added.
#---------------------------------------------------------------------------------------------------
### Set vars ###
IPT=/sbin/iptables
SYSCTL=/sbin/sysctl
### Set interfaces ###
EXT_IF="eth0" # The Internet
LAN_IF="eth1" # Lan
LOOP_BACK="lo"

### Block RFC 1918 private address space ranges ###
### Block reserved Class D (multicast) and Class E IP ###
### Block the unallocated / special-purpose address ranges et al ###
# 169.254.0.0/16 is link-local, 192.0.2.0/24 is TEST-NET-1, and 240.0.0.0/4
# already covers the narrower 240.0.0.0/5 and 248.0.0.0/5.
SPOOFDIP="127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16 0.0.0.0/8 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32 192.0.2.0/24"

### Set Lan Subnet (the NS and SMTP server IPs below must be inside it) ###
LAN_SUBNET="192.168.1.0/24"

### Set DNS Server IPs ###
NS1_SERVER_IP=192.168.1.130
NS2_SERVER_IP=192.168.1.131

### Set Postfix Server IP ###
SMTP_SERVER_IP=192.168.1.132

### Set port numbers ###
SSH_PORT=22
SMTP_PORT=25
HTTP_PORT=80
HTTPS_PORT=443
DNS_PORT=53

### Clean out old fw ###
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

### Block out everything: default DROP, set before any rule is added so there is no fail-open window ###
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

### Kernel settings: SYN flood protection, reverse-path (anti-spoof) filtering, no routing ###
$SYSCTL -w net.ipv4.tcp_syncookies=1
$SYSCTL -w net.ipv4.conf.all.rp_filter=1
$SYSCTL -w net.ipv4.ip_forward=0

### Allow full access to loopback ###
$IPT -A INPUT -i ${LOOP_BACK} -j ACCEPT
$IPT -A OUTPUT -o ${LOOP_BACK} -j ACCEPT

### Block the RFC 1918 private address space ranges (and other bogons) arriving on the Internet interface ###
for rfc in $SPOOFDIP
do
    $IPT -A INPUT -i ${EXT_IF} -s ${rfc} -m limit --limit 5/min -j LOG --log-prefix " SPOOF DROP "
    $IPT -A INPUT -i ${EXT_IF} -s ${rfc} -j DROP
done

### Drop bad stuff: TCP flag combinations that never occur in legitimate traffic ###
# --tcp-flags MASK COMP matches when (packet flags & MASK) == COMP.
# Two rules that used to be here were removed because they break normal traffic:
#   --tcp-flags FIN FIN  drops every packet carrying FIN, including the FIN/ACK of a normal close;
#   --tcp-flags ALL SYN  drops a plain SYN, i.e. every legitimate new connection.
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN,PSH SYN,FIN,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN,RST SYN,FIN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN,RST,PSH SYN,FIN,RST,PSH -j DROP
# All flags set
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# XMAS scan (only FIN, URG and PSH set)
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# FIN without ACK
$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP

# NULL packets (no flags at all)
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# SYN+FIN
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Fragments
$IPT -A INPUT -f -j DROP

# A NEW connection must start with a SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

### ICMP errors that belong to our own connections (needed for path MTU discovery) ###
$IPT -A INPUT -i ${EXT_IF} -p icmp -m state --state RELATED -j ACCEPT

### Allow Internet clients to query the bastion's DNS server ###
$IPT -A INPUT -i ${EXT_IF} -p udp --dport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${EXT_IF} -p tcp --dport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${EXT_IF} -p udp --sport ${DNS_PORT} -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${EXT_IF} -p tcp --sport ${DNS_PORT} -m state --state ESTABLISHED -j ACCEPT

### Allow the bastion host itself to query remote DNS servers (the source port is random, so match on the destination port) ###
$IPT -A OUTPUT -o ${EXT_IF} -p udp --dport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${EXT_IF} -p tcp --dport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${EXT_IF} -p udp --sport ${DNS_PORT} -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${EXT_IF} -p tcp --sport ${DNS_PORT} -m state --state ESTABLISHED -j ACCEPT

### Allow internal DNS, i.e. zone transfers (tcp/53), NOTIFY and queries between the bastion and the 2 LAN name servers ns1 & ns2 ###
# ns1 and ns2 are LAN hosts, so these rules are bound to LAN_IF; on EXT_IF the
# anti-spoofing rules above would drop their 192.168.x.x addresses anyway.
for ns in ${NS1_SERVER_IP} ${NS2_SERVER_IP}
do
    # ns1/ns2 pull the zone from, and query, the bastion
    $IPT -A INPUT -i ${LAN_IF} -p udp -s ${ns} --dport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i ${LAN_IF} -p tcp -s ${ns} --dport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o ${LAN_IF} -p udp -d ${ns} --sport ${DNS_PORT} -m state --state ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o ${LAN_IF} -p tcp -d ${ns} --sport ${DNS_PORT} -m state --state ESTABLISHED -j ACCEPT
    # the bastion sends NOTIFY to, and may query, ns1/ns2
    $IPT -A OUTPUT -o ${LAN_IF} -p udp -d ${ns} --dport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o ${LAN_IF} -p tcp -d ${ns} --dport ${DNS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i ${LAN_IF} -p udp -s ${ns} --sport ${DNS_PORT} -m state --state ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i ${LAN_IF} -p tcp -s ${ns} --sport ${DNS_PORT} -m state --state ESTABLISHED -j ACCEPT
done

### Allow LAN workstations to get into the bastion host via SSH, but no access from the Internet ###
$IPT -A INPUT -i ${LAN_IF} -p tcp -s ${LAN_SUBNET} --dport ${SSH_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${LAN_IF} -p tcp -d ${LAN_SUBNET} --sport ${SSH_PORT} -m state --state ESTABLISHED -j ACCEPT

### Allow LAN workstations to reach the bastion host via HTTP/HTTPS to read the Snort (ACID) web interface, but no access from the Internet ###
$IPT -A INPUT -i ${LAN_IF} -p tcp -s ${LAN_SUBNET} --dport ${HTTP_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${LAN_IF} -p tcp -d ${LAN_SUBNET} --sport ${HTTP_PORT} -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${LAN_IF} -p tcp -s ${LAN_SUBNET} --dport ${HTTPS_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${LAN_IF} -p tcp -d ${LAN_SUBNET} --sport ${HTTPS_PORT} -m state --state ESTABLISHED -j ACCEPT

### External SMTP Rules: the Internet delivers mail to the bastion ###
$IPT -A INPUT -i ${EXT_IF} -p tcp --dport ${SMTP_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${EXT_IF} -p tcp --sport ${SMTP_PORT} -m state --state ESTABLISHED -j ACCEPT

### Internal SMTP Rules: the bastion relays inbound mail to the LAN postfix server ###
$IPT -A OUTPUT -o ${LAN_IF} -p tcp -d ${SMTP_SERVER_IP} --dport ${SMTP_PORT} -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${LAN_IF} -p tcp -s ${SMTP_SERVER_IP} --sport ${SMTP_PORT} -m state --state ESTABLISHED -j ACCEPT

### Add your other rules below ###

### End: no editing below ###

### Log (rate limited, so a flood cannot fill the disk) ###
$IPT -A INPUT -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix " INVALID DROP "
$IPT -A INPUT -m state --state INVALID -j DROP

$IPT -A INPUT -i ${EXT_IF} -m limit --limit 5/min -j LOG --log-prefix " INPUT DROP "
$IPT -A OUTPUT -o ${EXT_IF} -m limit --limit 5/min -j LOG --log-prefix " OUTPUT DROP "
# Everything that reaches the end of a chain is dropped by the chain policy.
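The --tcp-flags rules in the script are easy to get wrong, because MASK and COMP are compared bitwise rather than read as "packets that look like this". The following added example (my code, not part of the article or of the nixcraft script) re-implements iptables' comparison in Python, transcribes the script's flag rules into a table, and checks them against the flag sets of an ordinary TCP conversation. The rule labels and the list of legitimate packets are my additions; the two rules --tcp-flags FIN FIN and --tcp-flags ALL SYN, which the script as first published contained, are kept in a separate table so the check shows why they drop every graceful close and every new connection.

```python
"""Offline check of iptables --tcp-flags rules against packet flag sets.

Added example, not part of the original article or script. iptables matches
`--tcp-flags MASK COMP` when (packet_flags & MASK) == COMP; that is all this
module re-implements. The rule tables are transcribed from the script's
"Drop bad stuff" section; the labels are mine.
"""

# TCP flag bits as in the TCP header; this six-flag set is what iptables
# means by the keyword ALL.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F


def parse_flags(spec):
    """Turn an iptables flag list ("SYN,ACK", "ALL", "NONE") into a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= FLAG_BITS[name]   # a misspelt flag raises KeyError, on purpose
    return bits


def rule_matches(mask_spec, comp_spec, packet_spec):
    """iptables semantics: (flags & MASK) == COMP."""
    return (parse_flags(packet_spec) & parse_flags(mask_spec)) == parse_flags(comp_spec)


# (MASK, COMP, label) for each --tcp-flags ... -j DROP rule. SAFE_RULES only
# match combinations never seen in legitimate traffic; ORIGINAL_RULES adds the
# two rules the script as first published also had.
SAFE_RULES = [
    ("SYN,RST", "SYN,RST", "SYN+RST"),
    ("SYN,FIN,PSH", "SYN,FIN,PSH", "SYN+FIN+PSH"),
    ("SYN,FIN,RST", "SYN,FIN,RST", "SYN+FIN+RST"),
    ("SYN,FIN,RST,PSH", "SYN,FIN,RST,PSH", "SYN+FIN+RST+PSH"),
    ("ALL", "ALL", "all flags set"),
    ("ALL", "FIN,URG,PSH", "XMAS (FIN,URG,PSH)"),
    ("ALL", "SYN,RST,ACK,FIN,URG", "SYN+RST+ACK+FIN+URG"),
    ("FIN,ACK", "FIN", "FIN without ACK"),
    ("ALL", "NONE", "NULL (no flags)"),
    ("SYN,FIN", "SYN,FIN", "SYN+FIN"),
]
ORIGINAL_RULES = SAFE_RULES + [
    ("FIN", "FIN", "any packet with FIN"),
    ("ALL", "SYN", "plain SYN"),
]

# Flag sets that occur in every ordinary TCP conversation.
LEGITIMATE_PACKETS = {
    "SYN": "SYN",            # client opens a connection
    "SYN/ACK": "SYN,ACK",    # server answers
    "ACK": "ACK",            # handshake completes / pure ack
    "PSH/ACK": "PSH,ACK",    # data segment
    "FIN/ACK": "FIN,ACK",    # graceful close
    "RST": "RST",            # abort
}


def dropped_by(packet_spec, rules):
    """Labels of every rule in `rules` that would DROP a packet with these flags."""
    return [label for mask, comp, label in rules
            if rule_matches(mask, comp, packet_spec)]


def audit(rules):
    """Map each legitimate packet type to the rules that (wrongly) drop it.

    An empty dict means the rule set does not interfere with normal traffic.
    """
    result = {}
    for name, spec in LEGITIMATE_PACKETS.items():
        hits = dropped_by(spec, rules)
        if hits:
            result[name] = hits
    return result


if __name__ == "__main__":
    print("original rules break:", audit(ORIGINAL_RULES))
    print("safe rules break:    ", audit(SAFE_RULES))
    for scan in ("NONE", "FIN,URG,PSH", "SYN,FIN"):
        print(f"scan packet {scan:12s} dropped by {dropped_by(scan, SAFE_RULES)}")
```

Run the audit against your own rule table before loading it: a rule that lists the same flags as MASK and COMP only matches packets that have all of them set, whereas a MASK of ALL with a single flag in COMP matches packets that have only that flag, which is exactly what a plain SYN looks like.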

The sample firewall script is basic and can be modified as per your requirements. You can also use a firewall distribution such as pfSense or IPCop to automate a lot of this.
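The LOG rules in the script write netfilter messages into the kernel log (usually /var/log/kern.log on Debian/Ubuntu, /var/log/messages on CentOS) with the prefixes given by --log-prefix. Step 15 of the build list says to log security events, but a log nobody reads is not a control; the added example below (my code, not from the article) parses those lines, groups them by prefix and source address, and flags sources that were dropped on many different ports, which is what a port scan of the bastion looks like in this log. The log lines in the block are constructed for this example, with addresses from the RFC 5737 documentation ranges; the parser keys on whatever prefix text the rule used, so it also copes with a misspelt prefix.

```python
"""Summarize netfilter LOG lines from the bastion host's kernel log.

Added example, not part of the original article or script. The log sample is
constructed; it follows the format syslog gives to netfilter LOG messages.
"""
import re
from collections import Counter, defaultdict

MAC = "MAC=00:16:3e:12:34:56:00:1a:2b:3c:4d:5e:08:00"
DST = "DST=198.51.100.10"   # the bastion's public address in this sample

# Constructed sample: two spoofed sources, one host probing six ports, one
# UDP probe, one INVALID packet, and an unrelated kernel message.
SAMPLE_LOG = "\n".join([
    f"Jun 27 10:15:01 bhost kernel: [ 4012.110000] SPOOF DROP IN=eth0 OUT= {MAC} SRC=10.0.0.5 {DST} LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    f"Jun 27 10:15:02 bhost kernel: [ 4013.200000] SPOOF DROP IN=eth0 OUT= {MAC} SRC=192.168.1.9 {DST} LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=12 PROTO=ICMP TYPE=8 CODE=0",
] + [
    f"Jun 27 10:16:1{i} bhost kernel: [ 4081.0{i}0000] INPUT DROP IN=eth0 OUT= {MAC} SRC=203.0.113.77 {DST} LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID={i} PROTO=TCP SPT=55000 DPT={port} WINDOW=1024 RES=0x00 SYN URGP=0"
    for i, port in enumerate((21, 23, 110, 135, 445, 3389))
] + [
    f"Jun 27 10:17:30 bhost kernel: [ 4161.500000] INPUT DROP IN=eth0 OUT= {MAC} SRC=203.0.113.8 {DST} LEN=131 TOS=0x00 PREC=0x00 TTL=110 ID=5 PROTO=UDP SPT=1900 DPT=1900 LEN=111",
    f"Jun 27 10:18:00 bhost kernel: [ 4191.000000] INVALID DROP IN=eth0 OUT= {MAC} SRC=203.0.113.77 {DST} LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=9 PROTO=TCP SPT=55000 DPT=22 WINDOW=0 RES=0x00 ACK URGP=0",
    "Jun 27 10:18:05 bhost kernel: [ 4196.000000] usb 1-1: new high speed USB device number 2 using ehci_hcd",
])

# Text between the kernel timestamp and the first "IN=" is the --log-prefix.
PREFIX_RE = re.compile(r"kernel:\s*(?:\[\s*[\d.]+\]\s*)?(.*?)\s*IN=")
# KEY=VALUE pairs; bare tokens such as DF, SYN, ACK carry no "=".
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a dict of fields for a netfilter LOG line, or None for any other line."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    tail = line[m.end() - 3:]                      # from "IN=" to the end
    rec = {"prefix": m.group(1).strip()}
    rec.update(KV_RE.findall(tail))                # a repeated key (LEN) keeps the last value
    rec["flags"] = [t for t in tail.split() if "=" not in t]
    return rec


def summarize(lines):
    """Count (prefix, SRC) pairs and collect the distinct DPTs each SRC was dropped on."""
    counts = Counter()
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["prefix"], rec.get("SRC", "?"))] += 1
        if rec["prefix"] == "INPUT DROP" and "DPT" in rec:
            ports_by_src[rec["SRC"]].add(int(rec["DPT"]))
    return counts, ports_by_src


def likely_scanners(ports_by_src, min_ports=5):
    """Sources whose dropped packets hit at least `min_ports` distinct ports."""
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


def report(text=SAMPLE_LOG, min_ports=5):
    counts, ports_by_src = summarize(text.splitlines())
    return {"counts": dict(counts), "scanners": likely_scanners(ports_by_src, min_ports)}


if __name__ == "__main__":
    r = report()
    for key, n in sorted(r["counts"].items()):
        print(f"{n:5d}  {key[0]:<12s} {key[1]}")
    print("likely scanners:", r["scanners"])
```

Because the script rate-limits its LOG rules, the counts are a lower bound on what was dropped; the set of distinct destination ports per source is the more robust scan indicator, since rate limiting thins the lines but does not bias which ports appear.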

Fig.01: pfSense in action


Sunday, June 14, 2009

Open Virtual Desktop

Although not an Ubuntu issue, I found an interesting project at Ulteo.com: the Open Virtual Desktop. Their main website and downloads are found on this site.

There is another program that allows you to run Linux applications in Windows. It's called andLinux and is based on coLinux. An article about it is found here. The direct download site is here.

Saturday, June 13, 2009

Ubuntu Eee is now Easy Peasy


You can download a netbook version of Ubuntu on the site of Easy Peasy.

Tuesday, June 9, 2009

FireWire troubles

Here you find a manual for connecting FireWire to an Ubuntu or Mint machine.

Mind that the file /dev/raw1394 must be readable and writable for you too:

sudo chmod 777 /dev/raw1394

Note that mode 777 gives every local user raw access to the FireWire bus, and the change is lost at the next reboot or re-plug; the udev rules further down, which grant access to the video group only, are the safer and permanent fix.


If you experience FireWire problems, please follow these steps:
Which FireWire stack is installed?

Recent GNU/Linux kernels may be compiled with either the old or the new FireWire stack. To find out which stack is installed, query the list of loaded modules:

lsmod | egrep 'firewire|1394'

This is the old firewire stack:

ohci1394 37040 0
ieee1394 306104 2 sbp2,ohci1394

This is the new firewire stack:

firewire_sbp2 15152 0
scsi_mod 163832 5 firewire_sbp2,sg,sr_mod,sd_mod,libata
firewire_ohci 23140 0
firewire_core 39492 2 firewire_sbp2,firewire_ohci
crc_itu_t 2288 1 firewire_core

Old firewire stack

Make sure to load modules at boot time:

sudo gedit /etc/modules

add these lines:

raw1394
video1394
dv1394

Fix udev permissions

udev rules belong in a file under /etc/udev/rules.d/, not in udev.conf:

sudo gedit /etc/udev/rules.d/z95_firewire.rules

add these lines:

# ieee1394 devices
KERNEL=="dv1394*", NAME="dv1394/%n"
KERNEL=="video1394*", NAME="video1394/%n"

If you still cannot capture from firewire, there may be a bug in udev permission.

change these lines into:

KERNEL=="dv1394*", MODE="0666", NAME="dv1394/%n"
KERNEL=="video1394*", MODE="0666", NAME="video1394/%n"

Mode 0666 makes the capture devices writable by every local user; if only some users need to capture, prefer GROUP="video" with MODE="0660", as in the rules for the new stack below.

New FireWire stack

Write a custom udev rules file and store it as /etc/udev/rules.d/z95_firewire.rules:

# /etc/udev/rules.d/z95_firewire.rules

# Give the "video" group access to IEEE 1394 device nodes driven by the new
# firewire stack (firewire-core/firewire-ohci), so that members of that group
# can capture without a world-writable /dev/raw1394.

# Character device nodes of both stacks (dv1394, video1394, raw1394) and the
# new stack's /dev/fw* nodes
KERNEL=="dv1394*|video1394*|raw1394*|fw[0-9]*", GROUP="video"

# libraw1394 older than v2.0.1 and some special-purpose applications also need
# access to the local node(s). Alas there is no simple way to tell local nodes apart
# from remote ones; matching on the vendor name of the local node is a simple hack.
SUBSYSTEM=="firewire", ATTR{vendor_name}=="Linux Firewire", GROUP="video"

# Or, if your application needs access to all nodes, simply use:
SUBSYSTEM=="firewire", GROUP="video"

Debug and test using dvgrab

Your username should be part of the video group:

sudo adduser username video

Reboot your system for the rules to apply. After the reboot, run dvgrab in interactive mode:

dvgrab -i

Type h for help.

You should be able to rewind and play your camcorder.

If this is the case, enter "q" to quit dvgrab.

Kdenlive should now be able to acquire video.

KDENlive video editor

On maketecheasier I found this post:

For many years, editing digital video in Linux was not an easy task. Linux users have long sought a nonlinear video editing solution that was both powerful and easy to use. Kdenlive is the first video editor for KDE to combine both of these critical aspects into one package. Its easy drag and drop functionality combined with powerful features make Kdenlive the number one video editor for KDE and arguably the most complete, user-friendly video editor for Linux.

Getting Started

Getting started with Kdenlive depends on your distribution. Precompiled packages are available for Ubuntu, Debian, Gentoo, Mandriva, OpenSUSE, FreeBSD, Fedora, and possibly others. Their web site also includes a builder wizard that builds the dependencies and main packages automatically for you. Once it is installed, you should be able to start editing videos right away, but you will want to go through the Config Wizard to make sure you have all of the components you will need.

The Config Wizard will show you which video codecs are supported. If, for example, you intend to make portable web videos in an mpeg4 format, you must have the right encoder. Ubuntu includes a guide for installing most of the standard codecs, and other distributions provide similar methods.

Importing Videos




If your recorded video is on a DV camera, you must import it using a firewire cable. Click View in the menu and check the Record Monitor button. If it is already checked, click on the appropriate tab to bring up the window. It will ask you to plug in your camcorder and press the connect button. Ideally, this should work automatically. My experience, however, has never been ideal.

If it does not immediately detect your camera, you may need to adjust the permissions on your device. Run this simple command as root or with sudo:

chmod 777 /dev/raw1394

The default setting in Ubuntu is for /dev/raw1394 to be read-only for ordinary users, so you will most likely need to execute the above command on it and similar distributions. Be aware that mode 777 hands raw FireWire bus access to every local user and does not survive a reboot; granting the device to the video group with a udev rule (see the FireWire post above) is the more restrictive fix. You should now be able to view both recorded and live video from your camera in the Record Monitor window. Kdenlive relies on dvgrab, a product of the Kino project, to capture video. You should have it installed if you made it through the Config Wizard successfully.

At this point, you can begin recording. Kdenlive can be configured to detect clips. Whenever it thinks a scene has been stopped, it will start a new clip. If this will not work for your video, you can setup time intervals for your clips or manually start and stop recording for each one.

In addition to importing from a DV camcorder, you can also record from a webcam or record your desktop with Screen grab. Additionally, you can import all supported video formats as clips.

Adding Photos

There are two ways to add photos to Kdenlive: individually or as a slideshow. To add a single image, click on Project –>Add clip. If you want to create an entire timed slideshow in a single clip, click Add Slideshow Clip and follow the onscreen instructions. Because of the KDE integration, you can also drag a photo from your file manager directly into the Project Tree. By default, each photo will display for 5 seconds. You can change this and the picture size in clip properties.


Editing your video

At this stage, you are ready to create a timeline. Once all of your clips are in the Project Tree, begin dragging them to the timeline in whichever order you prefer. It is really that easy. Clips can even be shortened simply by dragging the end of the clip to the left, just like resizing a window.

You can also add effects by simply dragging items from the Effect List onto your video clips. The Effect Stack will show you which effects are enabled on your clips. At any time, you can use the Project Monitor to see how your finished video will look. Kdenlive also has an Undo History so that you can see every step that you have made if you need to go back and undo something.

To add a title, click on Project –> Add Title Clip. You can add background images and shapes in addition to just text, or you can have the text overlay video.

To add audio clips, click Add Clip and then insert your MP3 or other file as you would a video clip. There are special tracks on the default timeline just for audio. You can also add audio effects.

The Finished Product


When you have your video edited exactly the way you want it, all that remains is creating the finished product. Kdenlive has a DVD wizard built into it, but it requires DVDAuthor, an external program. Simply click on File and DVD Wizard to begin making a DVD.

If you intend to make any other type of file format, click the Render button. There are numerous file formats to choose from, as long as you have those codecs installed. For this example, we will choose Theora and then choose 720×480 format. Select Full project to export the entire timeline that you created.

When you have all of the settings you want, click Render to File. It will start creating your video and show you the progress. Depending on the size of your video and the speed of your computer, rendering can take minutes to hours.

This is only a brief introduction to a powerful video editing tool. While it is still under heavy development and far from perfect, it looks like a very promising video editing application. The Kdenlive site has documentation, video tutorials and an active forum if you want to learn more. I have found that nothing beats hands-on experience. Make a few test videos and learn all of the features, and after you have mastered them, you can begin creating your future award-winning productions.

Monday, June 8, 2009

Jaunty network problem

Solution: on the Ubuntu machine, add the IP address and hostname of the Windows machine to /etc/hosts (sudo gedit /etc/hosts), then restart.

Alas, this doesn't work for dynamically assigned IP addresses on your network. I'm still looking for other solutions. Any idea? Please give me a reaction in this blog.

Saturday, June 6, 2009

Google maps

Manual for embedding Google Maps in your site.

Wednesday, June 3, 2009

Network printer problems in Ubuntu 9.04 Jaunty Jackalope

For Ubuntu 9.04 and Linux Mint 7:
copy this version of pdftops to /usr/lib/cups/filter, then in a terminal:
cancel -a
sudo chmod 755 /usr/lib/cups/filter/pdftops