Security-Related Bug in Ubuntu 7.10

Create a ‘Shared’ folder in /home/username
Create a ‘Shared 192.168.1.100’ folder in /home/username

Right click ‘Shared’ and go to ‘Share Folder’. Add an NFS share with no allowed IP addresses.
Right click ‘Shared 192.168.1.100’. Add an NFS share with no allowed IP addresses.

Go to ‘System’ – ‘Administration’ – ‘Shared Folders’

You will now see only one share, ‘/home/will/Shared’, that allows 192.168.1.100 to access this folder.

This does change the /etc/exports file, and I believe it may be a security vulnerability.

Doing this with a three-word folder name (two spaces) adds each word after the first space to the hosts allowed to access the share (read-only).

Seems like it would be important for users to share a folder with spaces in it, especially for everyday desktop use.
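
The effect described above, reproduced as an added example that is not from the original post: an exports entry is split on whitespace, so an unescaped folder name leaks its later words into the client list, while the \040 octal escape documented in exports(5) keeps the name in one field. All function names and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): unescaped vs. escaped export paths.
TAB=$(printf '\t')

# Encode a directory name for /etc/exports. exports(5) allows unusual characters
# to be written as a backslash plus three octal digits, so a space becomes \040.
exports_escape() {
    printf '%s\n' "$1" |
        sed -e 's/\\/\\134/g' -e 's/ /\\040/g' -e "s/$TAB/\\\\011/g"
}

# Build a full entry. naive_entry is the constructed "buggy" form that pastes
# the raw folder name in front of the client list.
safe_entry()  { printf '%s %s\n' "$(exports_escape "$1")" "$2"; }
naive_entry() { printf '%s %s\n' "$1" "$2"; }

# Whitespace-split an entry the way the post observed it being interpreted:
# field 1 is the exported directory, every later field is an allowed client.
entry_dir() { set -f; set -- $1; set +f; printf '%s\n' "${1:-}"; }
entry_clients() {
    set -f; set -- $1; set +f
    [ $# -gt 0 ] && shift
    printf '%s\n' "$*"
}

# Audit check: does the entry still export exactly the directory we meant?
# Prints the clients that would be granted access when it does not.
audit_entry() {   # $1 = entry line, $2 = intended directory
    if [ "$(entry_dir "$1")" = "$(exports_escape "$2")" ]; then
        return 0
    fi
    printf '%s\n' "MISMATCH: exports '$(entry_dir "$1")' to: $(entry_clients "$1")"
    return 1
}

# Constructed sample: the folder from the steps above, shared with no hosts.
# audit_entry "$(naive_entry '/home/will/Shared 192.168.1.100' '')" \
#             '/home/will/Shared 192.168.1.100'
```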

st0rage.org outages

I figured I’d post some information here about recent outages.

I plan on moving st0rage.org over to a new server soon, and there are going to be some changes (user quotas for the first time ever, yay!). I’ll also be offering a paid service, along with an increased free service.
It’s been a lot of work, and has caused some downtime (usually less than 30 minutes). People using irssi I’m sure haven’t been happy. 😉

Sorry about all the trouble, things will be much nicer soon (moving to a much more stable connection).

Lock Screen on Laptop Lid Close

This used to work on one of my old laptops, but ever since I started buying Dell laptops the screen wouldn’t lock when I closed the laptop lid.

To have your screen be locked when you close your lid, open a Terminal and run gconf-editor, then browse to:

/apps/gnome-power-manager/lock

[x] blank_screen

Make sure that ‘Blank Screen’ is selected in Power Management Properties.

Vostro 1400 Wireless Problems (ipw3945)

A problem with Debian and Ubuntu (and possibly other distros) is that the ipw3945 module fails after a large amount of activity.

The solution is very simple, but it took a lot of work to find it.

Edit /etc/modules and put the following in there

iwl3945

Edit /etc/modprobe.d/blacklist and add

blacklist ipw3945

That’ll do it. The iwl3945 module performs just as well on sftp transfers, and I haven’t noticed any problems with it.

Windows Mobile 2003

I’ve recently been trying to get my hands on a H4100 series iPAQ to put Linux on. The one I bought on ebay turned out to be the wrong model, but in the meantime I’ve been using Windows Mobile 2003.

My biggest complaint is the backwards way you have to switch between programs; apparently you need to open up the Memory manager and ‘activate’ programs.

Frequent wireless drops are common too. I installed PortaPuTTy on the PDA, to use screen and irssi on the go. Wireless networks don’t seem to like the iPAQ however. Even with a strong signal I get dropped fairly often.

The lack of multimedia support is very noticeable. You are unable to listen to Icecast streams with WMP, nor can you play anything but WMV movies.

The Pro version I’m using has remote desktop support for Windows clients, which is nice (although mostly unusable at such a low resolution compared to the other machine).

You rely on the touchscreen to interface with the keyboard. Unfortunately, the keyboard cannot be moved around the screen so it covers up some applications (like PortaPutty) so you cannot see what you are typing. This is a very big annoyance with me.

There is not much open source software ported to the iPAQ for Windows; many applications either don’t work (well or at all) or require payment after 30 days.

Windows Mobile 2003 has been a horrible experience, and I look forward to being able to use mplayer and firefox on my new H4155 iPAQ.

I look forward to trying Linux on my new iPAQ; after I do, I’ll be sure to post about my experience there.

Debian/Ubuntu Apache2 + PHP5 + Mysql + SSL

First let’s grab the packages we need for a basic LAMP setup:

apt-get install apache2 php5-cgi libapache2-mod-php5 mysql-server php5-mysql php5-common apache2.2-common ssl-cert

If using Ubuntu, be sure to install libapache2-mod-auth-mysql

apache2.2-common and ssl-cert are needed to generate an SSL cert:

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf apache.crt
mkdir /etc/apache2/ssl
mv apache.crt /etc/apache2/ssl

cd /etc/apache2/mods-enabled
ln -s ../mods-available/ssl.conf ssl.conf
ln -s ../mods-available/ssl.load ssl.load

Make sure /etc/apache2/ports.conf is listening on 443

Listen *:443

In your 000-default file in /etc/apache2/sites-enabled (or wherever your VirtualHosts are managed), change:

NameVirtualHost *
<VirtualHost *>

to

NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>

Add a site for SSL:

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/wwws
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/wwws>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

/etc/init.d/apache2 restart

By default, the user/group is www-data, so make sure all your website files are owned by this user/group. This will accomplish that:

chown -R www-data:www-data /var/wwws/

All website files should be located in /var/www and /var/wwws (you can choose different directories, of course, like /home/www, but make sure you change the config).

Debian Spamassassin/SquirrelMail

Updated Jan 24, 2008

Try the following crontab entries

0 0 * * * /usr/bin/find /home/*/Maildir/.Spam/cur/ -type f -mtime +7 -print0 | xargs -0 rm -f 1> /dev/null
0 1 * * * sa-learn --spam /home/youruser/Maildir/.Spam/cur/* 1>/dev/null

The first line will check for spam older than 7 days and delete it. This is a very useful (and fast!) way to save disk space.

Change ‘youruser’ to your actual user. Anything put in your spam folder on squirrelmail will be marked as spam.

Thanks to WastedMemory for helping me with this.

This assumes you’ve already set up a functioning MTA and have imap/pop working.

apt-get install spamassassin squirrelmail

Edit /etc/default/spamassassin and set ENABLED=1

Create a file called /etc/procmailrc

MAILDIR=$HOME/Maildir
DEFAULT=$HOME/Maildir/cur
DROPPRIVS=YES
:0fw
| /usr/bin/spamc

:0:
* ^X-Spam-Status: Yes
$HOME/Maildir/.Spam/cur

To set up squirrelmail, edit /etc/apache2/sites-enabled/000-default (or whatever site you want to use) and add:

Alias /mail /usr/share/squirrelmail

<Directory /usr/share/squirrelmail>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>

Restart apache2, squirrelmail

/etc/init.d/apache2 restart && /etc/init.d/spamassassin restart

As a normal user (su - user), do:

maildirmake (or maildirmake.courier) ~/Maildir

Go to http://your-ip/mail and log in as the user you created the Maildir with, then send a test email to another address.

Back as your user, do:

cd ~/Maildir

cp -rp .Sent .Spam

It might be a good idea to have all new users have this directory created.

cp -r /home/user/Maildir /etc/skel

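If you have many users that already exist, you can do this:

# Copy the skeleton Maildir into every home directory and hand it to its owner
for dir in /home/*/; do
    user=$(basename "$dir")
    cp -r /etc/skel/Maildir "$dir"
    chown -R "$user" "${dir}Maildir"
done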

Spam will now go to their Spam folder. They can check this by subscribing to INBOX.Spam in squirrelmail (Folders).

You can change the sensitivity of Spamassassin by editing /etc/spamassassin/local.cf

required_score 1.0

Ban an IP using IP Tables

I’ve been doing this several different ways over the past few years, but I’ve found this works the best for banning an IP address. Remember, if you see a weird domain in netstat you can resolve the IP using traceroute.

A simple script (/usr/bin/ban) that I can use to ban IP addresses quickly and easily.

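#!/bin/bash
# Usage: ban <ip-address>
[ -n "$1" ] || { echo "usage: $0 <ip-address>" >&2; exit 1; }
# Insert a DROP rule for this source address at the top of the INPUT chain
iptables -I INPUT -s "$1" -j DROP && echo "$1 was banned"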

If you wished to make an ‘unban’ script, use the same script and replace -I with -D