I have planned to start a computer lab and a library with a study hall for poor children. The facilities will be available for children 24X7. The facilities will be totally free for poor children and children from well to do families have pay a fee and use the facilities. The library will have books on various topics for children as well as teenagers. The computers can be used for writing codes, creating new software, listening to audio CDs. Reading e-books, surfing the internet. But to start a center like this requires a lot of investment on a regular basis. Hence I would like to invite you all out there to contribute your might in making this dream come true. If you want to volunteer, you can very well join me. Waiting for your comments and feedbacks.
Krish
Since Big Money Matt opened up his summer reading list today, let me offer praise to a book, or rather a series of books, that could really change the world.
It’s O’Reilly’s Head First series, and it makes the Dummies series read like they were written for Einstein.
Tim O’Reilly has taken everything he and his company have learned training people in programming for two decades and condensed it into the format of this series. Even I can learn with it.
While I’ve been writing about programming and programmers for decades, I’ve never been able to actually do it. I’m like the sportswriter who can’t hit.
But with the Head First Java book I was actually able to compile something, and comprehend the language’s basics on one reading. With a baseball book like this Rick Reilly could get himself some scratch hits off a real pitcher.
One of the biggest problems in computing today is the shortage of young programmers, and one of the chief reasons for that is a shortage of readable, basic guides which can act as textbooks in high schools.
This is the first series of programming books I’ve ever seen which could actually be used for that. You could even use it in middle schools. It’s that accessible.
The format is the key. There are lots of pictures, lots of puns, lots of white space, and the text is in small, accessible chunks. Then there are a collection of tests at the end of each chapter to emphasize the lesson.
As with any good teacher, the O’Reilly series attacks the material from a variety of angles. If you know it, or you’re a quick learner, you can breeze right through. If you’re like me they try everything possible to make things comprehensible.
I’ve got educators on both sides of my our family, teachers on my side and administrators on my wife’s. Both sides would be very proud of what O’Reilly has achieved here. Any school with interest in putting together some programming classes would be wise to make this series their first-choice text.
Krish
Linux is not Windows, and although there are some similarities, you must realise that there may be a few "new ways of doing things" to learn before you can be comfortable in Linux. Linux is an open-source clone of UNIX, a secure operating system (OS) that predates DOS and Windows and is designed for multiple users. The items in the following list generally apply to any UNIX-based *nix system, such as Linux and the various BSD's. For the purposes of this article, assume that it's all Linux.
Here are the 10 things to know:
1. File hierarchy
Unlike some other OS's that have a file tree for each drive, the Linux file system is one big tree. At the top you have / (Root) and every folder, file, and drive branches off of this Root.
For example, say that you have two hard drives (named a and b), one floppy drive, and one CD-ROM. Let's say that the first hard drive has two partitions (named a1 and a2). In Windows, it would look like this:
+ hard drive a, partition one (hda1): C DriveIn Linux, you have one file system, not the five listed in the Windows example. Each drive is mounted onto the tree and acts just like a folder. The drives could be placed like this:
+ hda1: / (our Root)Unlike the "tower" OS's from Microsoft, where everything is interconnected and depends on each aspect of the system, the Linux OS is spread out like a Market: everything works together for the common good, but vendors (independent parts of the OS) can be excluded, and the OS will still function. Don't want a Media Player or File Manager? Take it out! Your OS will not fall like a broken tower.
This modularity is the reason for so many distributions of Linux (commonly called distros); any person or company can mix and match the programs they find most useful and slap a name on that collection. RedHat, Xandros, SimplyMEPIS, and Suse are all examples of distros.
Some of the larger distros have copycats that use their settings, but change the included programs. This is the Linux way, and the mix-and-match approach gives users more choice in the long run. DistroWatch.com currently lists over 350 distributions of Linux. Many on the list are specialised to serve a specific group of people, but all can be altered to run the same programs.
Because programs are interchangeable, the Graphical User Interface (GUI) is no exception. GUI's give you the look and feel of a modern OS with the mouse, program icons, menus, etc. Any Linux system (well, one that is running on a real computer, not a phone) can run one of many different GUI's, just like it can run many web browsers or different email client programs.
Want your system to look like Windows? Use FVWM with the XP theme. Want it to be fast? Try IceWM. Want it to be more "full featured"?; try GNOME or KDE. All of these GUI's have benefits and drawbacks, but they all present the user with an interface that can be manipulated with a mouse. Although this may result in every Linux screen looking different, all of the GUI's are still doing the same behind-the-scenes work for you; just use your eyes and often it is not hard at all.
3. Hardware, software, and everything in betweenOne thing that Linux doesn't yet have going for it is vendor support. If you really like Intuit's QuickBooks, for example, you cannot natively run it in Linux. There are projects to make Windows programs run in Linux, such as CrossOver Office and Wine, but these work with varying success, depending on the Windows program. Until software companies decide to port their programs to Linux, you will not be able to run them natively.
Not all is lost, however. Open Source software has upward of 15,000 of programs that run natively in Linux. Because these programs are (usually) free of charge, they vary in quality, but the majority of programs are wonderfully written and constantly improved. These programs can import and export non-native file types as well. GNUCash can read those Quickbooks files just fine, and OpenOffice.org can read MSWord *.doc files. If you dislike GNUCash, don't despair. There are other similar programs also available for free, and more and more software companies are releasing Linux versions of their software.
These same issues apply to hardware. Just as you cannot expect just any piece of hardware off the shelf to work with an Apple computer, the same can be said for Linux machines. Most standard hardware works perfectly; hard drives, RAM, flash drives, motherboards, NIC's, and digital cameras usually have little trouble under Linux. Newer, cutting edge hardware is a different story. Until hardware vendors choose to support Linux, the drivers needed to work these pieces of hardware must be written by the Linux community for free and in the community members' spare time.
Therefore, there is a lag behind Windows support since hardware companies often work directly with Microsoft to ensure compatibility, and tend to let Linux volunteers figure out the Linux hardware support on their own. Laptops are notorious for their non-standard hardware; it can be a challenge to map special keys in Linux. The good news here is that vendor support for Linux hardware, like software, is changing for the better as more and more companies see their future in Linux.
Everything in between the hardware and the software in a Linux machine is the kernel. This kernel is what connects the hardware to the software, and an updated kernel is made available via Internet every few weeks; the most current is 2.6.14. If you have hardware that isn't currently supported, there is a chance that a newer kernel could help you out. Installing this kernel yourself isn't always easy, however; that's where Package Managers come into play.
4. Package Managers - Program installation made easy(er)These PM's usually have an on-line repository for their programs. Installing an application is as easy as searching through the program repository and clicking Install. Can't find IceWM or MPlayer in your Package Manager's list? There is always a way to add a new on-line repository that will have what you are looking for. Some examples of Package Managers include Synaptic (based on dpkg and Apt) for Debian (and derivatives); Yum for RedHat (and derivatives); YaST2 for SuSE (and derivatives); and Emerge for Gentoo.
5. PermissionsEach user belongs to one or more groups, and a user can set their file/folder permissions so that others in the group can read but not write the files, or any other combination of R/W/X. These are Group permissions. For example, Joe and Susan are both in Accounting. They can allow the Accounting group access to each other's files, but they can restrict that access from those in the Sales group.
The Others permissions can allow or deny access to these files for anyone outside the Group. These permissions are for the safety of the overall system, as well as for each user's data. Most home users are fine to leave the default permissions alone on their files. The Root user (not to be confused with the / Root of a file system), as the Administrator, has rights to all files and is the only user who can alter system-wide settings. The Root user has their own password, which is used for system maintenance. This distinction prevents a regular user from installing harmful spy ware on the system or deleting important files.
6. Home directory
Windows has My Documents, but where do you put files that aren't documents? Usually on the Windows Desktop! Linux can clutter the desktop too, but each of our users also has a Home directory, usually located at /home/user. Within that Home directory you often have Documents (/home/user/documents), program links, music (/home/user/Music), or whatever we want. We can create files and folders here, and organise or disorganise them as much as we want, just like it was our own personal Home. Depending on how our permissions are set, we can allow or prevent any other user access to these files (except the Root user). 7. Default installation differences
There are a few differences between Linux distributions, such as where some files are kept or what some of the default programs are named. Just knowing that the file system might be a bit different between RedHat and SuSE is a great start. Most users don't need to know what those differences are, but they should be aware that the internal file systems can be a bit different. When asking for help, make sure to let others know which distribution you are running. If you don't have troubles in your system or don't care to set up complex behind-the-scenes operations, don't worry too much about this. 8. CLI, or "how to run"
From the Start-type menu, the xterm program (also called Console) brings you to a Terminal, which looks a bit like a DOS window, but it actually predates and out-powers DOS. This is the Command Line Interface (CLI), the origin of our favorite OS which is present in every Linux distribution. We won't get into the finer details, which can fill books, but the CLI a powerful tool often needed to troubleshoot your computer. If you ask for help on the Internet and someone asks you to run lspci, they want you to start xterm, type lspci, hit enter, and then provide the screen's response.
When you start an xterm, you are your regular user-self with limited powers. To get into Root User mode (see Permissions above) in an xterm, type su [enter], then type the Root password [enter]. Now you have a lot of power so be nice. The Root user can destroy anyone's data, including the system files needed to run Linux. To leave an xterm or su mode, type exit [enter].
9. Ctrl-alt-escape
Ask a network administrator in any large organisation to compare Linux with network operating systems like Windows NT or Novell Open Enterprise Server, and chances are he'll admit that Linux is an inherently more stable and scalable solution. Chances are he'll also admit that when it comes to securing the system from outside attack, Linux is possibly the most difficult of the three to work with.
This perception is not an uncommon one -- many network administrators new to Linux find it hard to transition from a point-and-click security configuration interface to one based on editing complicated and hard-to-locate text files. Most administrators are well aware of the need to manually put in roadblocks and obstacles to trip up would-be hackers and ensure that your company's data stays secure; it's just that in the unfamiliar Linux world, they're not completely sure of their bearings or where to start.
That's where this document comes in. It outlines some easy things administrators can do to make their Linux server more secure and significantly reduce the risk they face. This tutorial lists seven such items.
1. Protect the root account
The root, or superuser, account on a Linux system is like a backstage pass at a Stones concert -- it allows you access to anything and everything. For this reason, it's well worth taking extra steps to protect it. Start by setting a hard-to-guess password for this account with the passwd command, change it on a regular basis, and restrict knowledge of the password to a few (ideally, only two) key people in the organisation.
Next, restrict the terminals that can be used for root access, by editing the file /etc/securetty. To avoid users leaving a root terminal "open", set a timeout for inactive root logins by setting the TMOUT local variable, and ensure that the root command history file (which might contain sensitive information) is disabled by setting the HISTFILESIZE local variable to 0. Finally, enforce a policy of using this account only to perform specific administrative tasks, and discourage users from logging in as root by default.
Tip: Once you've closed these holes, the next step is to require that every normal user account must have a password and ensure that passwords do not use easily-recognisable heuristics such as birthdays, user names or dictionary words.
2. Install a firewall
A firewall lets you filter data packets travelling in and out of your server and ensures that only those packets matching pre-defined rules are permitted to enter or exit. A number of excellent firewalls are available for Linux, and firewall code can even be compiled directly into the kernel. Begin by defining input, output and forwarding rules for packets leaving and entering your network, using the ipchains or iptables commands. Rules may be specified on the basis of IP addresses, network interfaces, ports, protocols or combinations of these attributes; these rules also specify what action (accept, reject, forward) to take when a match occurs. Once the rules are installed, test the firewall extensively to ensure that no holes exist in it. A good firewall is your first line of defence against common attacks like the distributed denial of service (DDoS) attack.
3. Use OpenSSH for network transactions
An important issue in client-server architecture involves the security of data being transmitted over the network. If network transactions take place in plaintext, it is possible for a hacker to "sniff" the data packets being transmitted and thus gain access to sensitive information. You can close this hole by using a secure shell utility like OpenSSH to create a secure encrypted "tunnel" for your data to pass through. Encrypting your connections in this manner makes it extremely hard for unauthorised users to read the data going back and forth between network hosts.
4. Disable unwanted services
Most Linux systems are installed with a wide variety of different services enabled, such as FTP, telnet, UUCP, ntalk and so on. In most cases, these services are rarely used and leaving them active is like leaving your windows open for a burglar to slip in. You can disable these services by commenting them out in the /etc/inetd.conf or /etc/xinetd.conf files and then restarting the inetd or xinetd daemon. Additionally, some services (for example, database servers) may start up by default during the boot process; you can disable these by editing the /etc/rc.d/* directory hierarchy. Many experienced administrators disable all system services, only leaving SSH communication ports open.
5. Use a spam and anti-virus filter
Junk e-mail and viruses annoy your users and can sometimes cause critical network failures. Linux is surprisingly resistant to viruses, but client machines running Windows may be more susceptible. Therefore, it's a good idea to install a spam and virus filter on your mail server itself, to "defang" suspicious messages and reduce the risk of a chain of collapses.
Begin by installing SpamAssassin, a leading open-source tool that uses a combination of different techniques to identify and flag spam; the program also supports user-based whitelisting and graylisting for greater accuracy. Next, install procmail for user-level filtering based on regular expressions; this tool allows automatic filtering of received email into mailboxes, at both a user and system level. Finally, install Clam Anti-Virus, a free anti-virus toolkit that integrates with sendmail and SpamAssassin and supports on-access scanning of email attachments.
6. Install an intrusion detection system
Intrusion detection systems (IDS) are early warning systems that let you know if changes occur on your network. They're a great way to identify (and prove) attempts to break into your system, although at the cost of increased resource consumption and potential red herrings. There are two fairly well-known IDS' you can try: tripwire, which tracks file signatures to detect modifications; and snort, which use rules-based directives to perform real-time packet analysis and search and identify attempts to probe or attack your system. Both packets can generate e-mail alerts (among other actions) and are useful when you suspect your network is being compromised but need definitive proof.
7. Perform regular security audits
When it comes to securing your network, this final step is possibly the most important. Here, you put on a black hat and do your best to circumvent the defences you erected in the previous steps. Doing this provides you with an immediate and objective assessment of how hard your system really is, and identifies potential vulnerabilities that you should fix.
A number of tools are available to help you in this audit: you can attempt to hack your password files using password crackers like Crack and John the Ripper; you can use nmap or netstat to look for open ports; you can sniff the network using tcpdump; and you can try exploiting publicised holes in your installed programs (Web server, firewall, Samba) to see if they offer a way in. If you do manage to find a way past your obstacles, rest assured that others will too; take immediate measures to close the openings.
Protecting your Linux system is an ongoing task, and so you shouldn't rest easy once you've done the steps above. Visit the Linux security forums for more security tips, and be proactive in monitoring and updating the security of your system. Good luck!
Krish
This article lists the 10 steps you should take to set up a VPN server in a Redhat distribution of Linux.
I am assuming you are using a Redhat or Redhat-like distribution. Some of these packages can be grabbed via yum. However, I'm going to have you install them via RPM as you cannot get all of them via yum. If you are not, you will need to get the proper packages. For Debian you can use aptget or search for the .deb. For SuSe you can use Yast or find the distro specific RPMs.
1) Install the DKMS packagerpm --install dkms-1.12-2.noarch.rpm
http://prdownloads.sourceforge.net/poptop/dkms-1.12-2.noarch.rpm
This is dynamic kernel module support. You need this to simplify setup and configuration at the kernel level. This will make almost everything transparent to the user during setup.
2) Install the ppp kernel modulerpm --install kernel_ppp_mppe-0.0.4-2dkms.noarch.rpm
http://prdownloads.sourceforge.net/poptop/kernel_ppp_mppe-0.0.4-2dkms.noarch.rpm
Point to Point Protocol to setup your "modem" or whatever your connection consists of. This is the portion for your kernel.
3) Make sure ppp is workingmodprobe ppp-compress-18 && echo James Garvin has saved me from a life of Windows
Ok, so that is a bit of fun, but what does that command mean? Well, if on success of the modprobe command, I execute the echo command. Modprobe adds the module to the Linux kernel, while echo simply writes what ever you say back to the terminal.
4) Upgrade ppprpm --upgrade ppp-2.4.3-0.cvs_20040527.4.fc2.i386.rpm
http://prdownloads.sourceforge.net/poptop/ppp-2.4.3-0.cvs_20040527.4.fc2.i386.rpm
This is the ppp for the user. The kernel module for ppp has been installed and this is for the user.
5) Get the PPTP clientrpm --install pptp-linux-1.5.0-1.i386.rpm
http://prdownloads.sourceforge.net/pptpclient/pptp-linux-1.5.0-1.i386.rpm
This is the "VPN Client," so to speak. This is the GUI client in which you can setup VPN connections and various options.
6) Get phppcntlrpm --install Getphp-pcntl php-pcntl-4.3.8-1.i386.rpm
http://prdownloads.sourceforge.net/pptpclient/php-pcntl-4.3.8-1.i386.rpm
This is to help the GUI work.
7) Get the phpgtkmodulerpm --install php-gtk-pcntl-1.0.0-2.i386.rpm
http://prdownloads.sourceforge.net/pptpclient/php-gtk-pcntl-1.0.0-2.i386.rpm
This file also helps make the GUI work.
8) Get pptpconfig installedrpm --install pptpconfig-20040722-0.noarch.rpm
http://prdownloads.sourceforge.net/pptpclient/pptpconfig-20040722-0.noarch.rpm
This command installs the Point to Point Tunneling Protocol. This is so the VPN can actually create the tunnel from A to B. VPNs can use two protocols, L2TP and PPTP. L2TP is Layer 2 Tunneling Protocol and does just what it says. It works at Layer 2 in the OSI model, the Data Link Layer.
9) Now at the command line typepptpconfig
This command will popup a spiffy GUI for you to use.
10) Configure your connection
In the Server Tab we need to configure some basics:
|> Name: The name of the connection. You can call it anything you want
|> Server: The server you are connecting to, either the IP or name of the server. eg: 64.233.187.99 or google.com
|> Domain: A domain, if any, that the VPN is connecting to
|> Username: Your login username for the VPN or the intranet
|> Password: The login password for the VPN or the intranet
In the Routing Tab we need to make sure it is setup properly. Typically we need to send All to Tunnel.However, this can and will vary from VPN to VPN. Check with you local administrator on what radio button you need to choose.
The DNS Tab is usually quite simple; it will be either automatic, or we will have to enter some basic DNS information and any optionswe may need to include.
The Encryption Tab is a sticky point. We have a number of choices:
|> Require Microsoft PointtoPoint Encryption
|> Refuse 40bit Encryption
|> Refuse 128bit Encryption
|> Refuse Stateless Encryption
|> Refuse to Authenticate with EAP
You need to talk to your administrator and understand what your VPN requires. A typical setup will check box Require Microsoft PointtoPoint Encryption (for MS VPNS), Refuse 40bit Encryption, and Refuse Stateless Encryption. However, talk to your administrator to be sure.
The Miscellaneous Tab is our final tab. We shouldn't have anything to do here. The default setup should work just fine in many cases.
We now click the Addbutton and highlight our new connection and choose Start. We have now created a VPN connection to a remote host! Congratulations for using Linux and sticking with a slightly frustrating task.
Krish
1: Your purpose
Linux, like Microsoft Windows, is simply a computer operating system. When I talk to friends or co-workers who are embarking on the Linux experience for their initial time, this is the first point I stress. Linux in itself is not a magic wand that can be waved and make all sorts of computing problems disappear. While Windows has its own set of problems, so too does Linux. There is no such thing as a perfect or completely secure computer operating system. Will the machine be a desktop computer or a server; purpose is a key to understanding how to initially install and configure your Linux PC.
2: Installation
Unlike Windows, Linux does not present itself as a "server" version or as a "desktop" version. During a typical installation of Linux the choice is yours as to exactly what software you wish to install and therefore exactly what type of a system you are constructing. Because of this, you need to be aware of the packages that the installation program is installing for you. For example, some distributions will configure and start a Samba server or a mail server as part of the base install. Depending upon the purpose of your Linux PC and the security level you are prepared to accept, these services may not be needed or desired at all. Taking the time to familiarize yourself with your distributions' installer can prevent many headaches and/or reinstalls down the road.
3: Install and configure a software firewall
A local software firewall can provide a "just in case" layer of security to any type of network. These types of firewalls allow you to filter the network traffic that reaches your PC and are quite similar to the Windows Firewall. The Mandriva (http://wwwnew.mandriva.com/) package called Shorewall (http://www.shorewall.net/) along with a component of the Linux kernel called Netfilterprovides a software firewall. By installing and configuring Shorewall during the installation process, you can restrict or block certain types of network traffic, be it coming to or going out from your PC.
To access and configure your firewall for Mandriva simply run the mcc (or Mandriva Control Center) command from a command prompt or, depending upon your graphical environment, you may be able to access the Mandriva Control Center from your base system menu. In the security options, select the firewall icon and you will be presented with a list of common applications that may need access through your firewall. For example, checking the box for "SSH server" will open port 22 needed by the Secure Shell server for secure remote access. There is also an advanced section which will allow you to enter some less commonly used ports. For example, entering "8000/tcp" will open port 8000 on your PC to TCP-based network traffic.
Blocking or allowing network traffic is one layer of security, but how do you secure a service that you do allow the Internet or your intranet to connect to? Host based security is yet another layer.
4: Configuring the /etc/hosts.deny and /etc/hosts.allow files
In the preceding section we looked at the example of opening the Secure Shell service to network traffic by opening port 22 on our firewall. To further secure this server from unwanted traffic or potentially hackers, we may wish to limit the hosts or computers that can connect to this server application. The /etc/hosts.deny and /etc/hosts.allow files allow us to do just that.
When a computer attempts to access a service such as a secure shell server on your new Linux PC the /etc/hosts.deny and /etc/hosts.allow files will be processed and access will be granted or refused based on some easily configurable rules. Quite often for desktop Linux PC's it is very useful to place the following line in the /etc/hosts.deny file:
ALL: ALLThis will deny access to all services from all hosts. It seems pretty restrictive at first glance, but we then add hosts to the /etc/hosts.allow file that will allow us to access services. The following are examples that allow some hosts remote secure shell access:
sshd: 192.168.0.1 #allow 192.168.0.1 to access sshThese two files provide powerful host based filtering methods for your Linux PC.
5: Shutoff or remove non-essential services
Just like Windows there can be services running in the background that you either don't want or don't have a purpose for. By using the Linux command chkconfig you can see what services are running and turn them on and off as needed. Services that are not running don't provide security holes for potential hackers and don't take up those precious CPU cycles.
6: Secure your required services
If your new Linux PC has some services that will receive connections from the Internet make sure you understand their configurations and tune them as necessary. For example, if your Linux PC will receive secure shell connections make sure you check the sshconfig file (for Mandriva it is /etc/ssh/sshd_config) and disable options like root login. Every Linux PC has a root user so you should disable root login via ssh in order to dissuade brute force password crack attempts against your super-user account.
7: Tune kernel networking security options
The Linux kernel itself can provide some additional networking security. Familiarize yourself with the options in the /etc/sysctl.conf file and tune them as needed. Options in this file control, for example, what type of network information is logged in your system logs.
8: Connect the PC to a router
A hardware router is a pretty common piece of household computer hardware these days. This is the front line security to any home or business network and provides multiple PC's to share one visible or external Internet address. This is generally bad news for any hacker or otherwise malicious program that may take a look at your new Linux PC as it blocks any and all network traffic that you don't specifically allow. Home networking routers are just smaller versions of what the big companies use to separate their corporate infrastructure from the Internet.
9: Update
Always keep the software on your computer up to date with the latest security patches should you be running Linux, Windows, BSD or WhoKnowsWhat. Your distribution will release regular security patches that should be applied and are available off the Internet. As with Windows, this should always be your first Internet destination.
10: Other software
Your second Internet stop may be to install some other hardening or system monitoring software.
Bastille-Linux (http://www.bastille-linux.org/) is a program that can be used to "harden" or secure certain aspects of your new Linux PC. It interactively develops a security policy that is applied to the system and can produce reports on potential security shortcomings. On top of that it is a great tool to use for learning the in and out of securing your Linux PC.
Tripwire (http://sourceforge.net/projects/tripwire) is a software package that monitors your system binaries for unauthorized modifications. Often a hacker may modify system binaries that may be useful in detecting a system intrusion. The modified programs would then report false information to you allowing the hacker to maintain his control over your system.
Krish
Most Linux distributions come with Snort, so it's simply a matter of installing Snort via urpmi, apt-get, or yum. Snort can write its collected information to a variety of different sources for later analysis, be it flat files or a database such as PostgreSQL or MySQL. As well, Snort can be used as a simple packet logger, sniffer, or a full-blown NIDS.
Once Snort is installed, it can be used right away. Simply executing:
# snort -v
will put Snort into packet sniffing mode; traffic will be scrolled on the screen showing what packets Snort is seeing. To exit, hit CTRL-C and you will see a brief analysis of what Snort detected. To see even more information -- like you might with tcpdump -- use the -vd option instead.
To have Snort log data, simply tell it where to log the information. In the next example, Snort will log information to the /usr/local/log/snort directory, so make sure it exists first.
# snort -l /usr/local/log/snort -d
Snort will log packets in a binary file, such as /usr/local/log/snort/snort.log.1199665001. To view the log, use the -r option with Snort in order to replay the captured data.
# snort -r /usr/local/log/snort/snort.log.1199665001
Using Snort as an NDIS takes a little more work; you must configure Snort appropriately, using the configuration file /etc/snort/snort.conf. Be warned, this configuration file can be quite hefty! Some of the rules available on the Snort Web site may be packaged with Snort, depending on the Linux distribution.
The Snort rules can be downloaded from http://www.snort.org/pub-bin/downloads.cgi. The community rules are available for anyone to use and are most likely to be bundled with any prepackaged vendor-supplied copies of Snort. You can also subscribe to receive updated rules from Sourcefire on a regular basis.
Once you have downloaded a rules package, such as the Community-Rules-CURRENT.tar.gz file, unpack it on the system with Snort installed in the directory where the Snort configuration is:
# cd /etc/snort
# tar xvzf Community-Rules-CURRENT.tar.gz
The new rules will now be in the rules/ directory.
To enable them, edit snort.conf and add:
var RULE_PATH rules
include $RULE_PATH/sql.rules
include $RULE_PATH/icmp.rules
...
Include whichever rules you like. Snort can now be started to load the configuration file /etc/snort/snort.conf , which will, in turn, load the downloaded rules:
# snort -c /etc/snort/snort.conf
Snort will then print information about its initialisation to the screen and then start logging packets that match the defined rules. The rules will determine what Snort will log and what it will ignore, so unlike running Snort as a sniffer, the generated logs will be much smaller as only packets "of consequence" will be logged. These logs will be stored, by default, in /var/log/snort/ and can be analysed by Snort using the -r option as noted previously.
Out of the box, a Linux desktop is far more secure than most others.
However, this level of security is not necessarily attained through typical security-focused software or techniques. Sometimes, the easiest means to security are those that are the easiest to forget.
You might find these suggestions to be pure common sense, but maybe you'll see a means of security you never thought of before. If you're a new Linux user, these tips are a great place to start to ensure that your Linux experience is a good one.
Here are 10 steps you can take to secure a Linux desktop.
1. Locking the screen and logging out is important
Most people forget that the Linux desktop is a multi-user environment. Because of this, you can log out of your desktop and others can log in. Not only does that mean that others could be using your desktop, it also means you can, and should, log out when you're finished working.
Of course, logging out is not your only option. If you are the only user on your system, you can lock your screen instead. Locking your screen simply means that a password will be required to get back into the desktop. The difference here is that you can leave applications running and lock the desktop. When you unlock the desktop, those same programs will still be running.
2. Hiding files and folders is a quick fix
In "Linux land", files and folders are hidden by adding a "." before the name; so, for example, the file "test" will appear in a file browser, whereas ".test" will not. Most people don't know that running the command "ls-a" will show hidden files and folders.
So, if you have folders or files you don't want your co-workers to see, simply add the dot to the beginning of the file or folder name. You can do this from the command line like so: mv test .test.
3. A good password is a must
Your password on a Linux PC is your golden key. If you give that password out or if you use a weak password, your golden key could become everyone's golden key.
And if you're using a distribution like Ubuntu, that password will give users much more access than, say, Fedora. To that end, make sure your password is strong. There are many password generators you can use, such as Automated Password Generator.
4. Installing file-sharing applications is a slippery slope
I know many Linux users are prone to file-sharing. If you want to run that risk at home, that's your call. But, when at work, you not only open yourself, or your company, up to lawsuits, you open your desktop machine up to other users who might have access to sensitive data on your work PC. So, as a rule, do not install file-sharing tools.5. Updating your machine regularly is wise
Linux isn't Windows. With Windows, you get security updates when Microsoft releases them, which could be many months away. With Linux, a security update can come minutes or hours after a security flaw is detected. With both KDE and Gnome, there are update applets for the panel. I always recommend having them up and running so you know when updates are made available. Don't put off security updates. There is a reason they come out.6. Installing virus protection is actually useful in Linux
Believe it or not, virus protection in Linux has its place. Of course, the chances of a virus causing problems on your Linux machine are slim to none. But those emails you forward to others' Windows machines could cause problems. With a good virus-protection tool, such as ClamAV, you can ensure that email going out of your machine doesn't contain anything nasty that could come back to haunt you or your company.
7. SELinux is there for a reason
SELinux (Security-Enhanced Linux) was created by the US National Security Agency. It helps lock down access control to applications, and does so very well.
Certainly, SELinux can sometimes be a pain. In some cases, it might take a hit out of your system performance, or you might find some applications a struggle to install. However, the security comfort you gain by using SELinux (or AppArmor) far outweighs the negatives. During the Fedora installation, you get the chance to enable SELinux.
8. Creating /home in a separate partition is safer
The default Linux installation places your /home directory right in the root of your system. This is fine but, firstly, it is standard, so anyone gaining access to your machine knows right where your data is; and, secondly, if your machine goes down for good, your data might be gone.
To solve this problem, you can place /home on a different hard drive or partition altogether (making it a partition in and of itself). This is not a task for the weak of heart, but it is one worth undertaking if you're very concerned about your data.
9. Using a non-standard desktop is worth its weight in gold
Not only do the alternative desktops (Enlightenment, Blackbox, Fluxbox, etc) give you a whole new look and feel for your PC, they offer simple security from prying eyes you may never have considered.
I have deployed Fluxbox on kiosk machines when I wanted a machine that could do one thing: browse the network. This can be easily achieved. Create a single mouse menu (or desktop icon) for the application you want to use. Unless the user knows how to get back to the command line (by logging out or hitting ctrl-alt-f*, where * is a desktop other than the one you are using), they will not be able to start up any application other than the one offered.
Since most users have no idea how to move around in these desktops anyway, they aren't going to have the slightest idea how to get to your files. It is simple pseudo-security.
10. Stopping services is best
This is a desktop machine. It's not a server. So why are you running services like httpd, ftpd, and sshd? You shouldn't need them and they only pose a security risk, unless you know how to lock them down. So don't run them. Check your /etc/inetd.conf file and make sure that all unnecessary services are commented out. It is a simple but effective method.
Krish
To this end new versions of the operating system are being endowed with a "tickless" kernel that forsakes traditional computer time-keeping in an effort to keep the processor in a somnolent, low-power state.
The tickless kernel isn't the only effort under way. Intel released software called PowerTop in May that makes it easier to find out what software is needlessly keeping a computer's processor on high alert.
"It makes a lot of sense," Illuminata analyst Gordon Haff said of the power-saving work. "Raw, flat-out horsepower is less and less what the game's about -- especially on laptops, which are becoming more common."
Some Linux developments take years to arrive, but the tickless kernel is now making its way into the Linux mainstream.
"The re-engineering has mostly been done," said Linux leader Linus Torvalds of the new kernel. And for higher-level software, PowerTop has been "invaluable, he added. "A lot of people and (Linux) distributions are actually interested in this, so the user applications do seem to be getting fixed."
There's more work to be done, but the progress has been measurable, said Arjan van de Ven, a longtime kernel programmer now working at Intel. "What we see in our lab today is that Linux on a laptop consumes 15 percent to 25 percent less power during idle than a code base of about three months ago," he said.
Cutting chip power
Processors, though not the only power drain in a computer, slurp a lot of electrical power -- more than a 100 watt lightbulb in many cases. Worse, even more electricity is consumed by fans that blow waste heat out of a computer, and more still by air conditioning in datacenters.
But in recent years, chipmakers have given microprocessors the ability to drop down into lower-power states when they don't need to run full throttle. The chip's internal frequency slows, voltage levels drop, and electrical consumption tapers down.
Obviously, processors can go into these power-saving states when a user commands a computer into standby mode. But a lot more can be done. Because gigahertz-frequency processor cycles last less than a billionth of a second, though, chips can actually enter and leave low-power states many times in the interval between two keystrokes of a fast typist.
But an operating system kernel -- the core software that handles basic tasks such as scheduling processes and communicating with hardware -- isn't always good at avoiding busywork. For one thing, software often needlessly prods the kernel into alertness. For another, the kernel itself can waste energy twiddling its thumbs when it could just as well be lowering its blood pressure and dozing off.
Intel's software helps uncover examples of the first problem. The tickless kernel helps with the second.
Going tickless
Version 2.6.21 of the Linux kernel, which Torvalds released in April, includes the tickless option. It was incorporated into Fedora 7, Red Hat's free hobbyist version of Linux.
"In terms of power, it's a huge savings," van de Ven said.
A typical Intel processor for mobile computers consumes a maximum of 1.2 watts in its deepest power-saving state, he said. "The gotcha is that if you wake up every millisecond, you hardly get past the shallow power saving mode," van de Ven said. "The end effect is that tickless gets you into the maximum power save modes, saving significant power and extending battery life."
The tickless kernel still keeps track of time, but in a different way. Instead of checking frequently for work to be done -- literally 1,000 times a second in the case of Linux, with each millisecond-long tick of the kernel's clock -- the kernel schedules the hardware to interrupt it when it knows a future job will require its attention.
The tickless kernel provides another indirect benefit when it comes to power efficiency: It enables better use of virtualisation, technology that lets multiple operating systems run simultaneously on the same computer, by replacing numerous idle machines with fewer, more efficiently used ones.
Tickless kernels mean that the virtualisation software that underlies all those operating systems isn't unduly taxed with needless interruptions. So theoretically, administrators can consolidate servers more aggressively.
"If you have a server running 50 virtualised guests, and each guest has a timer tick 1,000 times per second, that is 50 thousand ticks per second, without even doing any work yet," van de Ven said. "With tickless, you go from 1,000 to maybe 10, and suddenly it becomes manageable to do 50 guests."
Michael Larabel, editor of the Phoronix site that tests Linux hardware performance, found the tickless kernel can cut power consumption from 28 watts to 26 watts in IBM's Pentium M-based ThinkPad R52 running Fedora 7.
"A tickless kernel, in conjunction with (processor-based) power-saving technologies, can go a long way in extending the life of the battery and reducing the heat output," Larabel said.
Peeking with PowerTop
A tickless kernel isn't much good if higher-level software requires the kernel to schedule frequent wakeup calls. That's where PowerTop comes in.
"A typical Linux distribution has many components that wake the processor up frequently for no good reason," van de Ven said in an announcement of the software. "PowerTop will provide an indication of which ... software components are the biggest offenders in slurping up your battery time."
Scrutiny with PowerTop has uncovered power-draw culprits. The Gvim text editor's blinking cursor wakes up the kernel. Evolution e-mail software needs to check for new jobs to do 10 times a second. The GAIM (now called Pidgin) instant-messaging software checks every 5 seconds to see if it should set itself as "idle".
As well as fixing these sorts of issue, the Linux kernel itself needs to be spruced up to better support its own "ticklessness".
"Even though the kernel itself now has all the fundamental timer-handling knowledge, most of the kernel subsystems use some timers for their own handling, and tuning that usage will probably go on for some time," Torvalds said.
And other frontiers need work, van de Ven said. Device drivers -- the software modules that let the kernel communicate with hardware such as network cards or keyboards -- need to be revamped to better handle power issues.
Another issue is developing power-related policy management software that governs a computer's behavior based on what its user is doing. And yet another thorny one is supporting laptop suspend-resume abilities better so laptop computers can hibernate gracefully.
"On the suspend/resume side there will be a lot of rearchitecting needed, especially for suspend-to-disk," van de Ven said. "It's an ongoing discussion topic in Linux."
But much of that work can take place on a newly tickless foundation. "The heavy lifting is mostly done," Torvalds said.
Krish.
India Means Civil Liberties,
Dear Educated Indians,
We daily use different means of public transport to move across the city. We are grateful that our government is providing us these facilities. We are not like the economically and financially backward countries. Thank God!
But are we ensuring proper care for the public places and public transports? Foreigners refer to our cities and our country as dirty. Do not blame them because it we who are to be blamed.
We do not take care of our country. We throw all kinds of waste out in the public places. We have polluted our country to the core. The country has done a lot of things to us. But we have failed to do the same to her.
If the above sentences has made you think then read further, else throw this paper in the dust-bin and not anywhere else. Please that’s a request.
Things to do to stop our city from getting dirty:
You need not clean the public places as there are workers to do that job.
All you need to do is stop making it dirtier.
Stop throwing papers, used tickets, cigarettes buds, and used match sticks.
Please do not spit on the roads, other public places and transport means.
Ask your children are other kids to throw the chocolate wrappers into the dustbin
Do not reproduce this document, instead just spread the message.
I am not from any government agency; I am a citizen of India who wants a cleaner and greener Chennai and hence cleaner and greener India. Let the foreigners see a different India soon.
Thanks for reading this document.
Krish.
