Emacs ERC (M-x erc) is an IRC client built into newer releases of EMACS.
To build this you need the bos.adt sets and a compiler (gcc or xlc will do just fine).
Remember to set TERM=dtterm for colors :-).
Monday, August 04, 2008
IRC-ing on AIX with EMACS ERC
Posted by cmihai at 1:12 PM | 0 comments
Labels: AIX, Networking, Open Source
Thursday, May 15, 2008
OpenBSD Web Portal server (Drupal)
Final goal: Drupal Web portal with TinyMCE JavaScript editor, Unicode and Locales support running on OpenBSD 4.3.
a. You can install OpenBSD via cdrom (install43.iso or cd43.iso for netinstall) or netboot via TFTP / BOOTP / DHCPD. Read diskless(8) for details. On Windows, you can use TFTPD32 for DHCP/TFTP.
b. Partition the disk (read the FAQ on partitioning). Example partitioning scheme:
| Partition | Mount location | Filesystem | Mount options | Dump / fsck pass |
| /dev/sd0a | / | ffs | rw,softdep | 1 1 |
| /dev/sd0b | swap | swap | | |
| /dev/sd0c | Whole disk | | | |
| /dev/sd0d | /tmp | ffs | rw,softdep,nodev,nosuid | 1 2 |
| /dev/sd0e | /var | ffs | rw,softdep,nodev,nosuid | 1 2 |
| /dev/sd0f | /usr | ffs | rw,softdep,nodev | 1 2 |
| /dev/sd0g | /home | ffs | rw,softdep,nodev,nosuid | 1 2 |
c. Disable non-critical services (like ident, time, daytime, etc.) from /etc/inetd.conf. Just comment out the lines you don’t want with a #.
d. Make sure you enable Soft Updates (softdep) mounts – they increase the Filesystem performance tenfold when it comes to writing a lot of small files. This is done by adding “softdep” to mount options in /etc/fstab.
e. Add a regular user account. You can use the useradd(8) script. Make sure you add the user to the wheel group to allow su - root.
f. For added security configure “sudo” by running visudo(8). You can permit all users in the wheel group to sudo root: %wheel ALL=(ALL) NOPASSWD: SETENV: ALL
i. It’s usually best to disable root logins and use “sudo” for root access (sudo -i or su - if you need a root shell). Edit /etc/ssh/sshd_config. You can also change the default ssh port from 22 to some random port to mitigate brute force attacks; it keeps them from filling your logs with junk. Consider using ssh keys also.
ii. Port 6969
iii. PermitRootLogin no
iv. Restart the OpenSSH daemon: “pkill -HUP sshd”
g. Configure your user profile to use a ftp mirror. Add the following to your ~/.profile: (or whatever shell you’re using, eg: .bashrc, .zshrc): PKG_PATH=ftp://ftp.su.se/pub/OpenBSD/4.3/packages/i386/; export PKG_PATH
h. Restart the system (to mount softdep, etc.).
i. Install some “critical” packages:
i. pkg_add -vi mc zsh screen elinks zip unzip bzip2
j. Install ports
i. cd /usr
sudo ftp ftp://ftp.su.se/pub/OpenBSD/4.3/ports.tar.gz
sudo tar zxf ports.tar.gz
k. Unpack the OpenBSD source code (src and kernel – sys) – these are required for patching OpenBSD:
i. cd /usr/src
sudo ftp ftp://ftp.su.se/pub/OpenBSD/4.3/src.tar.gz
sudo ftp ftp://ftp.su.se/pub/OpenBSD/4.3/sys.tar.gz
sudo tar zxvf src.tar.gz
sudo tar zxvf sys.tar.gz
l. Apply OpenBSD security patches. You download patches from http://www.openbsd.org/errata43.html and you apply them using the instructions in the patch headers:
i. ftp ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3.tar.gz
You can put 001_openssh.patch, 002_openssh2.patch and the following patches in /usr/src and apply them. Read the header for the patches for instructions.
% head -11 001_openssh.patch
Apply by doing:
cd /usr/src
patch -p0 < 001_openssh.patch
[...]
===> lib
===> ssh
install -c -s -o root -g bin -m 555 ssh /usr/bin/ssh
install -c -o root -g bin -m 444 ssh.cat1 /usr/share/man/cat1/ssh.0
install -c -o root -g bin -m 444 ssh_config.cat5 /usr/share/man/cat5/ssh_config.0
/usr/share/man/cat1/slogin.0 -> /usr/share/man/cat1/ssh.0
/usr/bin/slogin -> /usr/bin/ssh
===> sshd
install -c -s -o root -g bin -m 555 sshd /usr/sbin/sshd
install -c -o root -g bin -m 444 sshd.cat8 /usr/share/man/cat8/sshd.0
install -c -o root -g bin -m 444 sshd_config.cat5 /usr/share/man/cat5/sshd_config.0
===> ssh-add
install -c -s -o root -g bin -m 555 ssh-add /usr/bin/ssh-add
install -c -o root -g bin -m 444 ssh-add.cat1 /usr/share/man/cat1/ssh-add.0
===> ssh-keygen
install -c -s -o root -g bin -m 555 ssh-keygen /usr/bin/ssh-keygen
install -c -o root -g bin -m 444 ssh-keygen.cat1 /usr/share/man/cat1/ssh-keygen.0
===> ssh-agent
install -c -s -o root -g _sshagnt -m 2555 ssh-agent /usr/bin/ssh-agent
install -c -o root -g bin -m 444 ssh-agent.cat1 /usr/share/man/cat1/ssh-agent.0
===> scp
install -c -s -o root -g bin -m 555 scp /usr/bin/scp
install -c -o root -g bin -m 444 scp.cat1 /usr/share/man/cat1/scp.0
===> sftp-server
install -c -s -o root -g bin -m 555 sftp-server /usr/libexec/sftp-server
install -c -o root -g bin -m 444 sftp-server.cat8 /usr/share/man/cat8/sftp-server.0
===> ssh-keysign
install -c -s -o root -g bin -m 4555 ssh-keysign /usr/libexec/ssh-keysign
install -c -o root -g bin -m 444 ssh-keysign.cat8 /usr/share/man/cat8/ssh-keysign.0
===> ssh-keyscan
install -c -s -o root -g bin -m 555 ssh-keyscan /usr/bin/ssh-keyscan
install -c -o root -g bin -m 444 ssh-keyscan.cat1 /usr/share/man/cat1/ssh-keyscan.0
===> sftp
install -c -s -o root -g bin -m 555 sftp /usr/bin/sftp
install -c -o root -g bin -m 444 sftp.cat1 /usr/share/man/cat1/sftp.0
===> scard
install -c -m 444 -o root -g bin Ssh.bin /usr/libdata/ssh
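A check for the hardening choices in steps b through f, as an added example that is not part of the original post: it reads fstab, inetd.conf and sshd_config text and reports mount points missing the options from the partition table, services from step c that are still enabled, and an sshd that does not disable root logins. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the settings from steps b through f of the post.
# Function names and sample files are constructed for illustration.

# has_opt OPTIONS NAME: true if NAME is in the comma-separated OPTIONS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# audit_fstab FILE: report mount points that lack an option the partition
# table lists for them. Returns 1 if anything was reported.
audit_fstab() {
    bad=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        case "$mnt" in
            /tmp|/var|/home) want="softdep nodev nosuid" ;;
            /usr)            want="softdep nodev" ;;
            /)               want="softdep" ;;
            *)               continue ;;
        esac
        for o in $want; do
            has_opt "$opts" "$o" && continue
            echo "fstab: $mnt is missing $o"
            bad=1
        done
    done < "$1"
    return "$bad"
}

# audit_inetd FILE: report the services step c disables if still enabled.
audit_inetd() {
    awk '
        $1 == "ident" || $1 == "time" || $1 == "daytime" {
            print "inetd: " $1 "/" $3 " is still enabled"; bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# sshd_value FILE KEYWORD: print the effective value. sshd keeps the first
# occurrence of a keyword and matches keywords case-insensitively.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd FILE: report an sshd_config that does not disable root logins.
audit_sshd() {
    root=$(sshd_value "$1" PermitRootLogin)
    [ "$root" = "no" ] && return 0
    echo "sshd: PermitRootLogin is ${root:-not set}, expected no"
    return 1
}

# run_audit DIR: audit DIR/fstab, DIR/inetd.conf and DIR/sshd_config.
run_audit() {
    rc=0
    audit_fstab "$1/fstab" || rc=1
    audit_inetd "$1/inetd.conf" || rc=1
    audit_sshd "$1/sshd_config" || rc=1
    return "$rc"
}

# make_samples DIR: write constructed files with deliberate gaps.
make_samples() {
    cat > "$1/fstab" <<'EOF'
/dev/sd0a / ffs rw,softdep 1 1
/dev/sd0b none swap sw 0 0
/dev/sd0d /tmp ffs rw,softdep,nodev 1 2
/dev/sd0e /var ffs rw,softdep,nodev,nosuid 1 2
/dev/sd0f /usr ffs rw,nodev 1 2
/dev/sd0g /home ffs rw,softdep,nodev,nosuid 1 2
EOF
    cat > "$1/inetd.conf" <<'EOF'
#ident stream tcp nowait _identd /usr/libexec/identd identd -el
daytime stream tcp nowait root internal
#time stream tcp nowait root internal
EOF
    cat > "$1/sshd_config" <<'EOF'
Port 6969
#PermitRootLogin no
Protocol 2
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
run_audit "$demo_dir" || echo "audit: findings above need fixing"
rm -rf "$demo_dir"
```

On a live system, copy /etc/fstab, /etc/inetd.conf and /etc/ssh/sshd_config into one directory and pass it to run_audit.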
2. Restart the system to apply patches (or just the affected services, for example by using pkill -HUP, if you didn’t patch the kernel).
a. % cd / && sudo ftp ftp://ftp.su.se/pub/OpenBSD/4.3/i386/xbase43.tgz
% sudo tar xzvphf xbase43.tgz
a. % sudo pkg_add -vi php5-core php5-mysql php5-curl php5-mbstring php5-gd
Ambiguous: choose package for php5-gd
0:
1: php5-gd-5.2.5
2: php5-gd-5.2.5-no_x11
Your choice: 1
parsing php5-gd-5.2.5
b. Activate PHP modules by creating the various symbolic links:
i. % sudo ln -s /var/www/conf/modules.sample/php5.conf /var/www/conf/modules
ii. % sudo ln -fs /var/www/conf/php5.sample/curl.ini /var/www/conf/php5/curl.ini
iii. % sudo ln -fs /var/www/conf/php5.sample/gd.ini /var/www/conf/php5/gd.ini
iv. % sudo ln -fs /var/www/conf/php5.sample/mbstring.ini /var/www/conf/php5/mbstring.ini
v. % sudo ln -fs /var/www/conf/php5.sample/mysql.ini /var/www/conf/php5/mysql.ini
5. Install, configure and secure the MySQL database:
a. % sudo pkg_add -vi mysql-server
b. Installing the default database
i. % sudo /usr/local/bin/mysql_install_db
c. Starting the MySQL service:
i. % sudo /usr/local/bin/mysqld_safe&
[1] 32390
% Starting mysqld daemon with databases from /var/mysql
d. Secure the installation (delete anonymous users, the test database and set a root password). PS: don’t use # in your password, there’s a bug in the script. Set that manually if you want.
i. % sudo /usr/local/bin/mysql_secure_installation
e. Tune some sysctl parameters for MySQL:
i. Edit /etc/sysctl.conf:
kern.shminfo.shmall=32768
kern.maxfiles=8192
ii. Apply the changes
% sudo sysctl kern.shminfo.shmall=32768
kern.shminfo.shmall: 8192 -> 32768
% sudo sysctl kern.maxfiles=8192
kern.maxfiles: 3580 -> 8192
iii. Add a mysql login in /etc/login.conf:
mysql:\
:openfiles-cur=1536:\
:openfiles-max=3096:\
:tc=daemon:
iv. % sudo cap_mkdb /etc/login.conf
6. Configure SSL (Secure Sockets Layer) for Apache mod_ssl (https). Generate a self signed certificate (or sign one) by reading ssl(8).
a. % sudo openssl genrsa -out /etc/ssl/private/server.key 1024
% sudo openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
% sudo openssl x509 -req -days 365 -in /etc/ssl/private/server.csr -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
b. Test SSL support (lynx is ssl enabled):
% sudo apachectl startssl
% lynx https://localhost
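The key in step 6.a is 1024-bit RSA, a size that certificate authorities and browsers stopped accepting in favour of 2048 bits or more. The script below is an added example, not part of the original post: it creates a self-signed certificate in one step and checks the key size and signature hash of a PEM certificate. Its function names, the 2048-bit default and the /CN=localhost subject are assumptions.

```sh
#!/bin/sh
# Added example: build a self-signed certificate and check its strength.
# Function names, the 2048-bit default and /CN=localhost are assumptions.

# make_selfsigned BITS KEYFILE CRTFILE: new RSA key and a self-signed,
# SHA-256-signed certificate valid for 365 days, in one openssl call.
make_selfsigned() {
    (
        umask 077   # the private key must not be readable by other users
        openssl req -x509 -newkey "rsa:$1" -nodes -sha256 -days 365 \
            -subj "/CN=localhost" -keyout "$2" -out "$3" 2>/dev/null
    )
}

# cert_key_bits CRTFILE: print the public key size in bits.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_sig_alg CRTFILE: print the signature algorithm name.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# check_cert CRTFILE [MIN_BITS]: 0 = acceptable, 1 = weak, 2 = unreadable.
# The size threshold is meant for RSA keys, as used in the post.
check_cert() {
    min=${2:-2048}
    bits=$(cert_key_bits "$1")
    if [ -z "$bits" ]; then
        echo "$1: not a readable certificate"
        return 2
    fi
    weak=0
    if [ "$bits" -lt "$min" ]; then
        echo "$1: $bits-bit key is below the $min-bit minimum"
        weak=1
    fi
    alg=$(cert_sig_alg "$1")
    case "$alg" in
        md5*|sha1*) echo "$1: signed with $alg"; weak=1 ;;
    esac
    return "$weak"
}

work=$(mktemp -d)
make_selfsigned 1024 "$work/old.key" "$work/old.crt"   # key size used in the post
make_selfsigned 2048 "$work/new.key" "$work/new.crt"
check_cert "$work/old.crt" || true
check_cert "$work/new.crt" && echo "$work/new.crt: acceptable"
rm -rf "$work"
```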
a. Edit the Apache configuration file and setup PHP and server details /var/www/conf/httpd.conf
AddType application/x-httpd-php .php
ServerAdmin cmihai@website
DirectoryIndex index.html index.php
ServerName hostname(fqdn)
b. Configure PHP:
i. Edit the PHP config /var/www/conf/php.ini
upload_max_filesize = 12M
c. Test PHP:
ed /var/www/htdocs/index.php
a
Test PHP:
.
w
q
% lynx http://localhost/index.php
d. Configure Sendmail for supporting the Apache chroot[1]
% sudo pkg_add -vi mini_sendmail-chroot
parsing mini_sendmail-chroot-1.3.6p0
mini_sendmail-chroot-1.3.6p0: complete
% sudo mkdir -p /var/www/usr/sbin/
% sudo ln /var/www/bin/mini_sendmail /var/www/usr/sbin/sendmail
% sudo cp /bin/sh /var/www/bin
a. % sudo ed /etc/rc.conf
httpd_flags="-DSSL"
b. % sudo ed /etc/rc.local
if [ -x /usr/local/bin/mysqld_safe ] ; then
su -c mysql root -c '/usr/local/bin/mysqld_safe >/dev/null 2>&1 &'
echo -n ' mysql'
fi
# Create a link for the MySQL socket in the Apache chroot
mkdir -p /var/www/var/run/mysql
sleep 5
ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
c. Reboot to test changes.
9. Create a database for Drupal and a user. Grant permissions:
a. % sudo mysql -u root -p
-- Use the same account (drupal@localhost) in both statements
CREATE USER 'drupal'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE drupal CHARACTER SET utf8;
GRANT ALL PRIVILEGES ON drupal.* TO 'drupal'@'localhost' IDENTIFIED BY 'password';
a. % sudo pkg_add -vi drupal5-tinymce drupal5-link-to-content drupal5-imce drupal5-image drupal5-backup-migrate drupal5-autolocale drupal5-token drupal5-securelogin ImageMagick
11. Optionally configure .htaccess authentication for security:
a. % cd /var/www
% sudo htpasswd -c htpasswd username
Add .htaccess to /var/www/htdocs
AuthName "Nu este permis accesul"
AuthType Basic
AuthUserFile ../htpasswd
require valid-user
b. Add “AllowOverride All” in /var/www/conf/httpd.conf.
c. Restart Apache (apachectl stop && apachectl startssl).

You can now configure Drupal and the various modules. Be sure to setup a backup schedule. You can use the Drupal database backup and restore module.
You can also install Apache mod_security for additional security:
% sudo pkg_add -vi modsecurity-apache
% sudo /usr/local/sbin/mod_security-enable
% sudo apachectl stop && sudo apachectl startssl
Make sure you read /usr/local/share/doc/mod_security/modsecurity-manual.pdf
You should also keep an eye on your webserver. For monitoring, I recommend top(1), vmstat(8), sysctl hw, pftop and mytop.
% sudo pkg_add -vi mytop pftop
% sudo /usr/local/sbin/pftop
To use mytop you'll need a ~/.mytop file (and set proper permissions on it). You can add something like:
prompt=1
pass=
user=drupal
db=drupal
delay=5
port=3306
socket=
batchmode=0
header=1
color=1
idle=1
% mytop

MyTOP in Action
You'll also want to setup Packet Filter. Read the PF User's Guide, pf.conf(5) and the example rulesets in /usr/share/pf/examples. Enable pf in /etc/rc.conf (pf=YES).
[1] Read chroot(2) ssl(8) afterboot(8), etc.
Posted by cmihai at 5:15 PM | 1 comment
Labels: BSD, Databases, Networking, Open Source, Security, UNIX
Thursday, May 01, 2008
Marian Vanghelie - Bucharest Mayor's Site hacked
Marian Vanghelie, mayor of Bucharest's personal website:
You see this sort of thing more and more these days..
And again, that's what people get for running something like Apache/2.0.51 (Fedora) PHP/4.4.7 mod_ssl/2.0.51 OpenSSL/0.9.7a and probably some ancient SQL with a badly coded website. Please, stop letting children write your website in PHP...
It also looks like it's been like this for quite some time... heh.
Posted by cmihai at 5:44 PM | 0 comments
Labels: Networking, Security
Friday, March 21, 2008
GNS3 - Cisco Virtual Lab with Dynamips, Dynagen, Idle-PC, PEmu
GNS3 - Graphical Network Simulator - is a Cisco router and firewall simulator based on ns 3 and Dynamips for Windows, Linux, UNIX and MacOS systems.
It contains a complete Cisco lab solution, including Dynamips, Dynagen, Idle-PC, PixEMU and a graphical design tool.
It can be used to design home labs and training for CCNA, CCNP, CCIP or CCIE certifications or testing configurations.
Posted by cmihai at 11:58 PM | 0 comments
Labels: Cisco, Networking, Open Source, Virtualization
Tuesday, March 18, 2008
Mounting Linux NFS shares in Solaris 10
First, export a filesystem on your Linux box (add it to the exports file, and exportfs). Make sure the kernel-nfs server service is started.
# /etc/init.d/nfs-kernel-server start
Edit your exports file:
# ed /etc/exports
i
/home/cmihai 192.168.1.13/24(rw,no_root_squash,subtree_check,async)
.
w
q
Export the filesystem:
# exportfs
/home/cmihai 192.168.1.13/24
# showmount -e
Export list for loonix:
/home/cmihai 192.168.1.13/24
On your Solaris 10 box, run:
# showmount -e loonix
export list for loonix:
/home/cmihai 192.168.1.13/24
It should give you results consistent with the results you got on your Linux machine.
Trying to mount the share as NFSv4 will fail (Linux NFSv4 isn't compatible with Solaris NFSv4).
# mount loonix:/home/cmihai /storage
nfs mount: mount: /storage: Not owner
So we're going to mount the share as NFSv3:
# mount -o vers=3 loonix:/home/cmihai /storage
# mount
/storage on loonix:/home/cmihai remote/read/write/setuid/devices/vers=3/xattr/dev=4840010 on Tue Mar 18 14:59:06 2008
Posted by cmihai at 3:04 PM | 0 comments
Labels: Linux, Networking, Open Source, Solaris, Sun
Tuesday, March 11, 2008
SeamlessRDP - Using Two Systems at the Same Time - Solaris and Vista
Here is a demo of SeamlessRDP, using tsclient on Solaris to connect to a Vista desktop machine.
This is the Blastwave package. A simple "/opt/csw/bin/pkg-get install rdesktop" will do the trick.
Posted by cmihai at 5:13 PM | 0 comments
Labels: Microsoft, Networking, Open Source, Solaris, Sun
Sunday, March 09, 2008
Communigate Pro - Mail and Communications on OpenVMS
Communigate Pro is by far one of the best communications suites, and can easily replace even an Exchange / LCS / OCS suite (Unified Communications and all that). It can do clustering, VoIP, interface with Windows phones and has integrated WebMail, mailing lists, and so on.
The installation is pretty straightforward too. First, disable OpenVMS POP3 and IMAP services, and make sure nothing is running on port 8010 and 8100. Then unzip and proceed to install the POLYCENTER package.
$ PRODUCT INSTALL CGatePro
Once the installation is over, start CommuniGate Pro services and login to the administrative interface within 15 minutes. Enjoy.
@SYS$COMMON:[CommuniGate]STARTUP.COM START
The WebMail is pretty nice too:
It also has Calendar function and a few themes (the XCHANGE one looks like OWA from Exchange).
By default, CommuniGate Pro supports the following features:
+ Mail + POP + IMAP + PWD + ACAP + WebMail + WebSite + Relay + Mobile + FTP
+ MAPI + TLS + S/MIME + LDAP + WebCAL + RADIUS + SIP + PBX + XMPP + XIMSS
Here's a screenshot of the WebMail SSL (HTTPS) interface with the XCHANGE skin:
So now you can have a fully encrypted, secure, highly available enterprise communications suite with E-Mail and VoIP features on your OpenVMS cluster :-).
Posted by cmihai at 5:02 PM | 1 comment
Labels: Enterprise, Internet, Networking, OpenVMS
HP OpenVMS Secure WebServer (Apache)
Now that we've tested WASD, we can also try HP Secure WebServer (ex Compaq WebServer). It's basically Apache + SSL and OpenVMS patches.
Get the package onto the server (FTP upload or download).
$ DIR SYS$SYSROOT:[SYSMGR.hpweb]
Directory SYS$SYSROOT:[SYSMGR.hpweb]
CPQ-AXPVMS-CSWS-V0201-1-1.PCSI_SFX_AXPEXE;1
Total of 1 file.
$ SET DEF SYS$SYSROOT:[SYSMGR.hpweb]
$ RUN SYS$SYSROOT:[SYSMGR.hpweb]CPQ-AXPVMS-CSWS-V0201-1-1.PCSI_SFX_AXPEXE;1
UnZipSFX 5.42 of 14 January 2001, by Info-ZIP (Zip-Bugs@lists.wku.edu).
inflating: CPQ-AXPVMS-CSWS-V0201-1-1.PCSI$COMPRESSED
inflating: CPQ-AXPVMS-CSWS-V0201-1-1.PCSI$COMPRESSED_ESW
$ DIR/SIZE
Directory SYS$SYSROOT:[SYSMGR.hpweb]
CPQ-AXPVMS-CSWS-V0201-1-1.PCSI$COMPRESSED;1
24952
CPQ-AXPVMS-CSWS-V0201-1-1.PCSI$COMPRESSED_ESW;1
18
CPQ-AXPVMS-CSWS-V0201-1-1.PCSI_SFX_AXPEXE;1
19887
$ PRODUCT INSTALL
_Product name (* to show list): *
The following product has been selected:
CPQ AXPVMS CSWS V2.1-1 Layered Product
Once the package is installed, configure it:
@SYS$MANAGER:APACHE$CONFIG
Now you can start apache:
$ @SYS$STARTUP:APACHE$STARTUP.COM
$ TELNET deimos 80
GET / HTTP/1.1
HTTP/1.1 200 OK
Date: Sun, 09 Mar 2008 10:20:05 GMT
Server: Apache/2.0.52 (OpenVMS)
Let's say we'd like to patch our webserver instead, using Web Server Suite Software Patch Kits.
Stop Apache:
$ @SYS$STARTUP:APACHE$SHUTDOWN.COM
$ RUN CPQ-AXPVMS-CSWS211_UPDATE-V0100--4.PCSI_SFX_AXPEXE;1
UnZipSFX 5.42 of 14 January 2001, by Info-ZIP (Zip-Bugs@lists.wku.edu).
inflating: CPQ-AXPVMS-CSWS211_UPDATE-V0100--4.PCSI$COMPRESSED
inflating: CPQ-AXPVMS-CSWS211_UPDATE-V0100--4.PCSI$COMPRESSED_ESW
$ PRODUCT INSTALL
_Product name (* to show list): *
The following product has been selected:
CPQ AXPVMS CSWS211_UPDATE V1.0 Patch (remedial update)
[...]
The following product has been installed (and a recovery data set created):
CPQ AXPVMS CSWS211_UPDATE V1.0 Patch (maintenance update)
CPQ AXPVMS CSWS211_UPDATE V1.0: Functional update for CSWS V2.1-1
Post-installation tasks are not required.
Now you can start the webserver:
$ @SYS$STARTUP:APACHE$STARTUP
You can now just drop stuff in SYS$COMMON:[APACHE.HTDOCS]
Posted by cmihai at 1:16 PM | 0 comments
Labels: Internet, Networking, Open Source, OpenVMS
Saturday, March 08, 2008
SSH X11 Redirection on OpenVMS and Using XMing and putty for Windows Clients
Wanna run some graphical OpenVMS applications? ssh -X or use PuTTY + Xming :-). X11 Forwarding is simple and easy to use. Just enable SSH on your OpenVMS box (UCX ENABLE SERVICE SSH) and make sure you've got proper keys generated.
You can also just start individual applications.
Posted by cmihai at 5:54 AM | 0 comments
Labels: Networking, OpenVMS
Tuesday, March 04, 2008
VPNC - Open Source client for Cisco VPN Concentrator
Got an ASA, a PIX or some other VPN Concentrator (or even Juniper NetScreen)? Well, you'll run into some troubles sooner or later. The Cisco VPN Client doesn't support 64 bit Windows clients, x86 Solaris clients and is just a pain to use on Linux.
VPNC doesn't require any kernel modules. Just put the IPSec gateway IP, IPSec ID, IPSec secret and XAuth username into /etc/vpnc/default.conf and start vpnc. It should work instantly :-). No fuss, no mess.
It will work just fine on Solaris, Linux, MacOS X or BSD machines. You can even get it running on your Windows box (Cygwin libs).
Posted by cmihai at 7:54 PM | 0 comments
Labels: Cisco, Networking, Open Source, Security, UNIX
Saturday, March 01, 2008
Tunneling over ICMP, DNS, HTTP and HTTPS proxies
Stuck behind a firewall, captive portal or proxy and need your ssh (or any other service)? Here are a few ways to tunnel out:
- PTunnel - Tunnel TCP using ICMP echo request and reply packets (PING), includes authentication, allows for multiple connections.
- Iodine - tunnel IPv4 data through a DNS server, allows for authentication.
- NSTX - Tunneling network packets over DNS.
- Corkscrew - tunneling SSH through HTTP proxies.
- httptunnel - bidirectional virtual data connection tunnelled in HTTP requests.
- gotthard - ssh through https proxy tunnel
Posted by cmihai at 5:46 PM | 0 comments
Labels: Networking, Security, UNIX
Friday, February 29, 2008
Solaris, Serial Consoles, Cisco Firewalls and TFTP
Using a serial console + tftp server on Solaris:
% screen /dev/term/b 9600
or
% cu -s 9600 -l /dev/term/b
or
% tip hardwire
Where you have hardwire defined in /etc/remote:
hardwire:\
:dv=/dev/term/b:br#9600:el=^C^S^Q^U^D:ie=%$:oe=^D:
Configuring a TFTPD server in Solaris 10:
# mkdir /tftpboot
# echo "tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot" >> /etc/inetd.conf
# /usr/sbin/inetconv
# svcs network/tftp/udp6
# svcadm restart network/tftp/udp6
Now we can dump some new images in the ftpdir, and upgrade our firewall :-).
# copy tftp: flash:
Address or name of remote host []? 192.168.21.35
Source filename []? asa803-k8.bin
Destination filename [asa803-k8.bin]?
Accessing tftp://192.168.21.35/asa803-k8.bin
14635008 bytes copied in 32.260 secs (457344 bytes/sec)
# copy tftp: flash:
Address or name of remote host [192.168.21.35]?
Source filename [asa803-k8.bin]? asdm-603.bin
Destination filename [asdm-603.bin]?
Accessing tftp://192.168.21.35/asdm-603.bin
Posted by cmihai at 12:49 PM | 0 comments
Labels: Cisco, Networking, Solaris, Sun
Tuesday, January 08, 2008
Windows Home Server - A simple Media and Backup Server
Windows Home Server is a new Microsoft "family" friendly media and backup server. A 120-day trial is available, so it's worth checking out for setting up a _very_ simple to use server that you can't afford to administer or support yourself (like for a non-technical family member or friend).
It's got an interesting feature called "addons". They are like "packages" for various servers (or templates): DHCP, uTorrent, Wake on LAN, iTunes streaming, etc.
http://www.wegotserved.co.uk/windows-home-server-add-ins/
Posted by cmihai at 9:23 PM | 0 comments
Labels: Microsoft, Networking
Wednesday, January 02, 2008
Using GNU screen as a terminal emulator for serial null modem connections
Don't have tip / cu / minicom / kermit / hyperterminal / securecrt / an old vt100 / whatever around or just love GNU Screen? Here's a cool tip:
Start a screen session on the serial console at 9600baud:
$ screen /dev/ttyS0 9600
Too slow and your setup can handle it? Use 115200 baud:
$ screen /dev/ttyS0 115200
So, how do you send a break? C-a B. Just use Ctrl-a ? for help.
Posted by cmihai at 9:10 PM | 1 comment
Labels: Networking, Open Source, UNIX
Sunday, December 23, 2007
Free Veritas Cluster Server (VCS) Simulator
Veritas Cluster Server (VCS) is a High Availability (HA) cluster software for Linux, UNIX and Windows systems.
Symantec (which bought Veritas) offers a freely available VCS emulator that lets you train your skills :-).
You can also use the freely available documentation. Here is the Solaris Veritas Cluster Server (VCS) manual.
Of course, you could just grab the trial and run 2 Solaris (or Linux) virtual machines in VMware Server :-).
Posted by cmihai at 9:59 PM | 1 comment
Labels: Clustering, Enterprise, Linux, Networking, UNIX, Virtualization
Friday, December 14, 2007
Sun Secure Global Desktop (Tarantella) - Enterprise Remote Desktop
Sun Secure Global Desktop (aka Tarantella) provides secure access (SSL - HTTPS) to centralized UNIX, Windows, Mainframe and Midrange applications from a wide range of popular client devices, including Microsoft Windows PCs, Solaris OS Workstations, thin clients and mobile devices.
Tarantella is a competitor to Terminal Services from Microsoft and Citrix software, but it's much more interesting (It's got Windows and Citrix connectors, Thin Client stuff, etc). It's basically like GNU Screen (you can resume sessions and easily migrate between machines), but for X and via your web browser :-).
If you want to try this baby out, you'll need a Solaris or Linux machine. Download Tarantella from http://www.sun.com/software/products/sgd/get.jsp
The fun part is, with Solaris 10 you can simply install Tarantella in a Zone (Solaris Container).
Before you install SSGD you must define (and secure) the users:
- The user names must be "ttaserv" and "ttasys".
- Both must have their primary group set to "ttaserv".
- You can use any UIDs and GID you want.
- The ttaserv/ttasys users must have a valid shell, for example /bin/sh.
- We recommend that you lock the ttaserv/ttasys user accounts (passwd -l).
- The users must have a valid home directory too, so if you're using /export/home (/home is the home of the automounter) make sure you do it right.
One quick way to do that is:
# groupadd ttaserv
# useradd -g ttaserv -s /bin/sh -d /export/home/ttaserv ttaserv
# mkdir /export/home/ttaserv
# chown ttaserv:ttaserv /export/home/ttaserv
# passwd -l ttaserv
# useradd -g ttaserv -s /bin/sh -d /export/home/ttasys ttasys
# mkdir /export/home/ttasys
# chown ttasys:ttaserv /export/home/ttasys
# passwd -l ttasys
Check if the user accounts are setup correctly:
# su ttaserv -c "/usr/bin/id -a"
uid=101(ttaserv) gid=100(ttaserv) groups=100(ttaserv)
# su ttasys -c "/usr/bin/id -a"
uid=102(ttasys) gid=100(ttaserv) groups=100(ttaserv)
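The prerequisites listed above can also be checked from the account files in one pass. This is an added example, not part of the original post or of SSGD: it reads passwd, group and shadow text and prints every unmet requirement. The function names and sample entries are constructed, and treating false/nologin as the invalid shells is an assumption.

```sh
#!/bin/sh
# Added example: check the ttaserv/ttasys prerequisites listed above.
# Function names and sample files are constructed for illustration.

# field FILE NAME N: print colon-separated field N of the entry for NAME.
field() {
    awk -F: -v name="$2" -v n="$3" '$1 == name { print $n; exit }' "$1"
}

# check_tta_accounts PASSWD GROUP SHADOW [ROOT]: print one line per unmet
# prerequisite; returns 1 if any was found. ROOT is prefixed to home
# directories so the check can run against a mounted or test tree.
check_tta_accounts() {
    bad=0
    gid=$(field "$2" ttaserv 3)
    if [ -z "$gid" ]; then
        echo "group ttaserv does not exist"
        return 1
    fi
    for u in ttaserv ttasys; do
        if [ -z "$(field "$1" "$u" 1)" ]; then
            echo "$u: no such user"; bad=1
            continue
        fi
        ugid=$(field "$1" "$u" 4)
        home=$(field "$1" "$u" 6)
        shell=$(field "$1" "$u" 7)
        hash=$(field "$3" "$u" 2)
        if [ "$ugid" != "$gid" ]; then
            echo "$u: primary group is gid $ugid, not ttaserv ($gid)"; bad=1
        fi
        # Assumption: false/nologin are the shells to reject as invalid.
        case "$shell" in
            */false|*/nologin) echo "$u: $shell is not a valid shell"; bad=1 ;;
        esac
        if [ ! -d "${4:-}$home" ]; then
            echo "$u: home directory $home does not exist"; bad=1
        fi
        # passwd -l marks the shadow field with *LK* (Solaris) or ! (Linux).
        case "$hash" in
            '*LK*'*|'!'*) ;;
            *) echo "$u: account is not locked (passwd -l)"; bad=1 ;;
        esac
    done
    return "$bad"
}

# make_tta_samples DIR: constructed files in which ttasys breaks four rules.
make_tta_samples() {
    mkdir -p "$1/export/home/ttaserv"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
ttaserv:x:101:100::/export/home/ttaserv:/bin/sh
ttasys:x:102:1::/export/home/ttasys:/bin/false
EOF
    cat > "$1/group" <<'EOF'
other::1:
ttaserv::100:
EOF
    cat > "$1/shadow" <<'EOF'
ttaserv:*LK*:13861::::::
ttasys:NP:13861::::::
EOF
}

tta_dir=$(mktemp -d)
make_tta_samples "$tta_dir"
check_tta_accounts "$tta_dir/passwd" "$tta_dir/group" "$tta_dir/shadow" "$tta_dir" ||
    echo "prerequisites not met"
rm -rf "$tta_dir"
```

Against the running system, call it as root with /etc/passwd, /etc/group and /etc/shadow and no fourth argument.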
Install the SSGD package:
# cp tta-4.40-907.sol-x86.pkg.gz /tmp; cd /tmp; gunzip tta-4.40-907.sol-x86.pkg.gz
# pkgadd -d /tmp/tta-4.40-907.sol-x86.pkg
To complete the installation and select options (port, etc), run /opt/tarantella/bin/tarantella start - configuration may take a while...
Once SSGD is installed (I chose to install it in /opt by default) you can use:
# /opt/tarantella/bin/tarantella status
# /opt/tarantella/bin/tarantella start
# /opt/tarantella/bin/tarantella stop
# /opt/tarantella/bin/tarantella security start
The security start requires a valid security license and an SSL certificate (you can create a self signed certificate using OpenSSL then import with SSGD).
To add license keys, type:
/opt/tarantella/bin/tarantella license add
Once SSGD is installed and started, just navigate any Java enabled browser to http://yoursite.yourdomain:selectedport and you're good to go :-). Use "Administrator" and the root password to login. (Use regular system accounts for non-administrative purposes. Oh, and secure SSGD by using Zones).

Be sure to check the documentation on docs.sun.com:
http://docs.sun.com/app/docs/coll/SSGD_4.2
Posted by cmihai at 11:49 AM | 0 comments
Labels: Enterprise, Networking, Security, Solaris, Sun
Wednesday, December 12, 2007
Cool April RFCs - RFC 1149 - IP datagrams on avian carriers - Pigeon and OCR Implementation
A couple of cool April 1st RFCs:
RFC 1149: Standard for the transmission of IP datagrams on avian carriers
RFC 2549: IP over Avian Carriers with Quality of Service
Of course someone "wrote" an implementation...
http://blug.linux.no/rfc1149/index.html
Pictures from the world's first RFC 1149 implementation. (IP datagrams printed, transmitted via pigeon messages, scanned, OCR-ed and re-assembled).
Karl Magnus with a test packet:
PS: the bloke in the Red Hat [SIC] is Alan Cox, Linux kernel developer.
Posted by cmihai at 3:19 PM | 1 comment
Labels: BOFH, Internet, Networking
Wednesday, December 05, 2007
Mapping a FTP/sFTP site as a drive in Windows
Mapping a FTP drive in Windows:
- Add the IP to the LMHOSTS file (it's in %systemroot%\system32\drivers\etc)
- Purge the name table cache: nbtstat -R
- net view \\YOURSITE
- net use * \\YOURSITE /user:ftp
That's it :-).
Lazy? Try fDrive, it does this for you.
Need WebDav support also? Try Novell NetDrive - you can map FTP and WebDav as drives from Windows.
Paranoid? Try sFTPDrive - you can map your files via SSH (kind of like SSHFS via FUSE on Linux/BSD).
Don't want to map, just use? Try WinSCP - a cool SCP/SFTP/FTP client for Windows.
What about NFS? Try Microsoft SUA / SFU (Services for UNIX). It's integrated just like SMB.
Posted by cmihai at 12:34 PM | 0 comments
Labels: Microsoft, Networking
Tuesday, December 04, 2007
SANS TOP-20 Security Risks for 2007
SANS Institute TOP-20 Security Risks - 2007 Annual Update
We have seen significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, in office software, in media players and in other desktop applications. These vulnerabilities are being discovered on multiple operating systems and are being massively exploited in the wild, often to drive recruitment for botnets.
Executive summary:
"Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities being discovered in the past year."
Posted by cmihai at 7:57 AM | 0 comments
Labels: Internet, Malware analysis, Networking, Open Source, Security
Wednesday, November 21, 2007
UNIX Deployment Tools - JumpStart, IgniteUX, NIM, KickStart, AutoYaST, FAI
Bare metal recovery and mass deployment tools for UNIX and UNIX-like systems:
On Windows there's RIS, WDS or tools like Ghost; on UNIX platforms we have tools like JumpStart, IgniteUX, NIM, FAI, KickStart, etc. to help with massive deployment of operating systems.
UNIX:
- Sun Solaris - Custom JumpStart and Advanced Installations - The custom JumpStart installation method is a command–line interface that enables you to automatically install or upgrade several systems, based on profiles that you create. The profiles define specific software installation requirements. You can also incorporate shell scripts to include preinstallation and postinstallation tasks. You choose which profile and scripts to use for installation or upgrade. The custom JumpStart installation method installs or upgrades the system, based on the profile and scripts that you select. Also, you can use a sysidcfg file to specify configuration information so that the custom JumpStart installation is completely hands-off.
- Sun Solaris - JumpStart Enterprise Toolkit: provides a framework to simplify and extend the JumpStart functionality provided within the Solaris Operating System.
- Sun Solaris Flash Archives (flar) - can be used with JumpStart technology to automate and speed up deployment or disaster recovery.
- HP HP-UX Ignite-UX - is an administration toolset that allows: Simultaneous installation of HP-UX on multiple clients, The creation and use of custom installations, The remote recovery of clients, The creation of recovery media.
- IBM AIX mksysb/mkcd/mkdvd: The mksysb command creates a backup of the operating system (that is, the root volume group). You can use this backup to reinstall a system to its original state after it has been corrupted. If you create the backup on tape, the tape is bootable and includes the installation programs needed to install from the backup.
- IBM AIX NIM - Network Installation Management - is an excellent feature of the AIX operating system and is very important for teams or companies that have a need to install or upgrade many RS/6000 machines with the same images at the same time. NIM supports the use of mksysb images. Performing a NIM mksysb installation is faster than performing a NIM rte installation, and with mksysb, you can optionally include other installed software. You can use a mksysb image to install the nodes of a CSM cluster.
Linux:
- RedHat Linux Kickstart provides automation of Linux installation that uses a single kickstart file to install the system on multiple machines.
- SUSE Linux AutoYaST - Automatic Linux Installation and Configuration with YaST2. AutoYaST allows unattended and automated installation. With AutoYaST, administrators can create a consistent baseline configuration for new installations in large or expanding deployments. In addition to AutoYaST, other installation methods include PXE Boot, CD-ROM, NFS, CIFS/SMB, HTTP, FTP, and the Service Location Protocol (SLP), which allows autodetection of install servers. ALICE, SuSE's former auto-installation system, was built around the auto-installation features that were available with YaST1. In order to be able to use existing ALICE configuration files and resources, a special option provided in the configuration system lets you convert ALICE configuration files into a control file readable by AutoYaST.
- Debian GNU/Linux FAI - Fully Automatic Installation - is an automated installation tool to install or deploy Debian GNU/Linux and other distributions on a bunch of different hosts or a Cluster. FAI can also be used for configuration management of a running system.
BSD:
- Automatic OpenBSD Installation - Jumpstart-style procedure for installing OpenBSD servers
- FreeBSD "JumpStart" Guide - This article