Vim in Color

Posted on September 30th, 2007 in Tech Tips by gmendoza

Turning on syntax highlighting in Vim makes complicated text files, scripts, and source code much easier to read. To turn the feature on or off for the current session, use the “syntax” command within Vim:

:syntax on
:syntax off

The results are great. Here’s a screenshot of Vim in color.

[Screenshot: Vim with syntax highlighting enabled]

To make the feature permanent, edit /etc/vim/vimrc or, as your Vim package maintainer may suggest, /etc/vim/vimrc.local. To enable it for your user only, edit ~/.vimrc instead. In all cases, add the following line at the end of the file (the leading colon used at the Vim command line is optional in a vimrc):

:syntax on

Ubuntu installs vim-tiny by default, which, as its name suggests, is a cut-down build of the Vim editor. It is compiled without syntax highlighting and a number of other features. The remedy is simply to install the full-featured vim package:

$ sudo apt-get install vim

Happy editing.

Oracle Database 10g XE on Ubuntu

Posted on September 8th, 2007 in Tech Tips by gmendoza


If you’re interested in learning Oracle, you’ll be pleased to know that you can install a free version of it, Oracle Database Express Edition (XE), and that it is packaged for Debian and Ubuntu. This is great for anyone looking to learn one of the most popular enterprise databases in the world without hurting the wallet. You can also freely distribute and develop against this platform, so it’s definitely worth a try.

Visit their site for more details, and instructions for installing it via Oracle’s very own repository:
http://www.oracle.com/technology/tech/linux/install/xe-on-kubuntu.html

Here’s my own paraphrase of the installation procedures. Note that both the repository and its signing key are fetched over plain HTTP, so compare the key’s fingerprint (apt-key finger) against one published by Oracle before relying on packages signed with it.

Add Repository and Install:

$ echo "deb http://oss.oracle.com/debian unstable main non-free" | \
sudo tee -a /etc/apt/sources.list
$ wget http://oss.oracle.com/el4/RPM-GPG-KEY-oracle -O- | sudo apt-key add -
$ sudo apt-get update
$ sudo apt-get install oracle-xe

Configure and Start Database:

$ sudo /etc/init.d/oracle-xe configure

Get Started:
Applications -> Oracle Database 10g Express Edition -> Get Started

For a great tutorial on how to start using Oracle, be sure to check out the book “Hands-On Oracle Database 10g Express Edition for Linux” (ISBN: 007226327X). You can find it at your local book store or on the web.

Oracle also has a free online tutorial located on their website:
http://st-curriculum.oracle.com/tutorial/DBXETutorial/index.htm

DenyHosts: Automated SSH Brute Force Response System

Posted on September 2nd, 2007 in Tech Tips by gmendoza

DenyHosts is a project that adds a protective layer to an SSH server by automatically blocking hosts that mount brute-force or dictionary attacks. If you have SSH enabled and reachable from the internet, you will likely see thousands of failed login attempts from many sources within a very short period of time. DenyHosts monitors all login attempts and, based on a customizable rule set, blocks a host from making further connections once an attack pattern is matched.

Using tcp_wrappers, the DenyHosts service manages entries in the /etc/hosts.deny file, adding and removing hosts when thresholds are crossed, e.g. three failed logins with unknown user accounts, three failed logins with the root account, five failed logins with known user accounts, and unblocking a host after a set period of time. You can also specify whether DenyHosts blocks access to SSH only or to ALL services, which also closes off other attack vectors the offender might try next. (This relies on the service being linked against tcp_wrappers, as Ubuntu’s sshd is; the entries are service-level denials, not firewall rules.)

A most valuable feature that makes DenyHosts even more attractive is the optional centralized reporting system. The service can be configured to report abusive hosts to the DenyHosts collection server and to automatically import a list of IP addresses that others have reported. This shared intelligence helps thwart a large number of attacks before they happen, because the attackers (most of them automated bots) are blocked before they have a chance to move on to other protected servers. Bear in mind that importing the list means trusting a third party to decide who your server turns away.

Other useful features include email notification when hosts are blocked, and counter resets after successful authentication, which prevents accidental blacklisting caused by fat-fingered admins. :-)

For those of you using Ubuntu 7.04 (Feisty Fawn) and above, it is available in the Universe repository:

$ sudo apt-get install denyhosts

Edit and customize /etc/denyhosts.conf for your desired options, and restart the service:

$ sudo /etc/init.d/denyhosts restart

Ubuntu 6.06.1 LTS will need a manual installation, as it is not included in the repositories.

Be sure to check out the project at http://denyhosts.sourceforge.net.
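To make the threshold logic concrete, here is an added example (not DenyHosts’ own code) that replays a constructed auth.log excerpt through the rules quoted above: three failures with unknown accounts, three with root, five with known accounts, and a counter reset on successful login. The host name, pids and addresses are made up; the regular expressions follow OpenSSH’s “Failed password” and “Accepted password” log lines, and the output uses the “sshd: a.b.c.d” form that tcp_wrappers reads from /etc/hosts.deny. The denyhosts.conf option names in the comments are the ones that control the same knobs in the real tool.

```python
import re
from collections import defaultdict

# Thresholds quoted in the post: three failures with unknown accounts, three
# with root, five with known accounts.  DenyHosts reads the equivalent values
# from DENY_THRESHOLD_INVALID, DENY_THRESHOLD_ROOT and DENY_THRESHOLD_VALID
# in /etc/denyhosts.conf.
THRESHOLDS = {"invalid": 3, "root": 3, "valid": 5}

# OpenSSH's two relevant log formats.  The host name and pids are constructed.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed auth.log excerpt: a bot guessing unknown accounts, a bot hammering
# root, an admin who mistypes twice and then gets in, and a slow guess against
# a real account that stays under its threshold.
SAMPLE_AUTH_LOG = """\
Sep  2 10:01:02 srv sshd[2101]: Failed password for invalid user admin from 209.85.1.1 port 4321 ssh2
Sep  2 10:01:03 srv sshd[2102]: Failed password for invalid user oracle from 209.85.1.1 port 4322 ssh2
Sep  2 10:01:05 srv sshd[2103]: Failed password for invalid user test from 209.85.1.1 port 4323 ssh2
Sep  2 10:01:07 srv sshd[2104]: Failed password for root from 209.85.2.2 port 5001 ssh2
Sep  2 10:01:08 srv sshd[2105]: Failed password for root from 209.85.2.2 port 5002 ssh2
Sep  2 10:01:09 srv sshd[2106]: Failed password for root from 209.85.2.2 port 5003 ssh2
Sep  2 10:02:00 srv sshd[2107]: Failed password for bob from 10.0.0.5 port 4444 ssh2
Sep  2 10:02:04 srv sshd[2108]: Failed password for bob from 10.0.0.5 port 4445 ssh2
Sep  2 10:02:09 srv sshd[2109]: Accepted password for bob from 10.0.0.5 port 4446 ssh2
Sep  2 10:03:00 srv sshd[2110]: Failed password for alice from 172.16.0.9 port 6001 ssh2
Sep  2 10:03:30 srv sshd[2111]: Failed password for alice from 172.16.0.9 port 6002 ssh2
Sep  2 10:04:00 srv sshd[2112]: Failed password for alice from 172.16.0.9 port 6003 ssh2
Sep  2 10:04:30 srv sshd[2113]: Failed password for alice from 172.16.0.9 port 6004 ssh2
""".splitlines()


def classify(match):
    """Bucket a failed login the way the post describes: unknown user, root, or known user."""
    if match.group("invalid"):
        return "invalid"
    if match.group("user") == "root":
        return "root"
    return "valid"


def evaluate(lines, thresholds=THRESHOLDS, reset_on_success=True):
    """Walk the log once; return (set of IPs to deny, remaining per-IP counters)."""
    counts = defaultdict(lambda: {"invalid": 0, "root": 0, "valid": 0})
    denied = set()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            ip, kind = m.group("ip"), classify(m)
            counts[ip][kind] += 1
            if counts[ip][kind] >= thresholds[kind]:
                denied.add(ip)
            continue
        m = ACCEPTED_RE.search(line)
        if m and reset_on_success and m.group("ip") not in denied:
            # A successful login wipes the counters, so a fat-fingered admin
            # is not blacklisted (RESET_ON_SUCCESS in denyhosts.conf).
            counts.pop(m.group("ip"), None)
    return denied, dict(counts)


def hosts_deny_lines(denied, service="sshd"):
    """Render entries in the tcp_wrappers form DenyHosts writes to /etc/hosts.deny."""
    return [f"{service}: {ip}" for ip in sorted(denied)]


if __name__ == "__main__":
    denied, counts = evaluate(SAMPLE_AUTH_LOG)
    print("\n".join(hosts_deny_lines(denied)))
    print("counters still open:", counts)
```

Running it denies the two 209.85.x.x bots, leaves bob alone because his successful login cleared his two failures, and keeps alice’s attacker at four of the five strikes allowed for a known account. Passing service="ALL" produces the broader hosts.deny form the post mentions.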

Grep in Color

Posted on September 2nd, 2007 in Tech Tips by gmendoza

If you would like to make it easier to visually spot what you are looking for when using grep, try the --color flag. It highlights every match in the output, which gives you an upper hand when scanning through long or cluttered text.

For example, to look for any IP address in your /etc/hosts.deny file that contains the number 209, issue the following command:

$ grep --color 209 /etc/hosts.deny

Here is the comparison of the same output, with and without the color option.

[Screenshots: grep output without --color, and the same output with --color]

Without color it is easy to miss that some of the addresses have 209 in more than one octet; with it, every occurrence stands out. Note that a plain 209 also matches inside longer numbers such as 1209 or 2090; to highlight whole octets only, anchor the pattern with a regular expression.

Ubuntu Studio

Posted on July 17th, 2007 in Tech Tips by gmendoza

Ubuntu Studio, released in May of 2007, is one of the latest flavors of the Ubuntu family cropping up these days aimed at sound, video and graphics enthusiasts and professionals alike. Sporting the same clean installation one would expect from a standard Ubuntu install, Ubuntu Studio offers a polished desktop, and a slew of open source multimedia applications. If content creation is your cup of tea, check out Ubuntu Studio 7.04 at www.ubuntustudio.org.

[Screenshot: Ubuntu Studio desktop]

FireGPG: Firefox Extension for Gmail

Posted on June 24th, 2007 in Tech Tips by gmendoza

Stumbled across a very cool Firefox extension called FireGPG. It adds a much-needed feature to the Gmail web interface for those of us who use PGP encryption regularly.

Here’s a screenshot of the buttons that are added to the composition page in Gmail.

FireGPG Extension Screenshot

Be sure to check it out at: http://firegpg.tuxfamily.org/

fwknop: Single Packet Authorization in Ubuntu

Posted on June 24th, 2007 in Tech Tips by gmendoza

Updated (11/21/2007): I’ve added an updated version of this How-to on the community supported Ubuntu documentation site. The new document can be found at: https://help.ubuntu.com/community/SinglePacketAuthorization.

Single Packet Authorization (SPA) using “fwknop” is probably one of the coolest recent innovations in server and network access control. Just what is SPA, you ask? SPA limits access to server and network resources by cryptographically authenticating a user before any access to the protected service is allowed at all.

In its simplest form, your Linux server has an inbound firewall rule that by default drops all traffic to its listening services. Nmap scans will not find any open ports, and a zero-day exploit for a vulnerable service cannot reach it, since the firewall drops the traffic before it ever reaches the application.

The server, however, has a nifty trick up its sleeve. An authorized user sends a single encrypted UDP packet, which the fwknopd service on the server passively sniffs with pcap and analyzes. If the packet authenticates successfully, fwknopd dynamically creates an iptables rule granting the client’s source IP address access to the service for a defined period of time (the default is 30 seconds). Pretty frickin’ cool, eh?
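The exchange described above, as an added example that is not fwknop’s code. Real fwknop encrypts the whole payload with Rijndael or GnuPG and sends it as a UDP datagram that fwknopd picks up with pcap; this model leaves out the encryption layer and the network I/O and uses an HMAC instead, so the server-side checks that make SPA work can be run offline: authenticate before parsing anything, reject replays by digest, reject stale timestamps, and confirm the packet’s stated source against the address it really came from. The shared key, the clock-skew window, the packet layout and the plain INPUT chain in the iptables command are assumptions; the 30-second access window is the default quoted above.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed shared secret; a real fwknop client and server are configured
# with their own key (or use GnuPG).  Never hardcode a real one like this.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
TIME_WINDOW = 120      # seconds of clock skew tolerated (assumed value)
ACCESS_SECONDS = 30    # default access window quoted in the post
TAG_LEN = 32           # HMAC-SHA256 output length


def build_spa_packet(key, client_ip, access, now=None):
    """Client side: one authenticated datagram asking to open e.g. 'tcp/22'."""
    body = {
        "nonce": os.urandom(16).hex(),                      # makes every packet unique
        "ts": int(time.time() if now is None else now),    # freshness
        "src": client_ip,                                    # IP the rule is opened for
        "access": access,
    }
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


class SpaServer:
    """Server side: validates packets and tracks the temporary firewall rules."""

    def __init__(self, key):
        self.key = key
        self.seen = set()    # digests of accepted packets: replay protection
        self.rules = []      # (ip, access, expires_at)

    def handle(self, packet, source_ip, now=None):
        now = time.time() if now is None else now
        if len(packet) <= TAG_LEN:
            return "reject: truncated"
        payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        # Authenticate first: unauthenticated bytes never reach json.loads.
        if not hmac.compare_digest(expected, tag):
            return "reject: bad mac"
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:
            return "reject: replay"
        body = json.loads(payload)
        if abs(now - body["ts"]) > TIME_WINDOW:
            return "reject: stale"
        if body["src"] != source_ip:
            return "reject: source mismatch"
        self.seen.add(digest)
        self.rules.append((source_ip, body["access"], now + ACCESS_SECONDS))
        return "accept"

    def active_rules(self, now=None):
        """Drop expired entries and return (ip, access) for rules still open."""
        now = time.time() if now is None else now
        self.rules = [r for r in self.rules if r[2] > now]
        return [(ip, access) for ip, access, _ in self.rules]


def iptables_command(ip, access, insert=True):
    """The kind of rule fwknopd adds (and later deletes) for an accepted packet."""
    proto, port = access.split("/")
    action = "-I" if insert else "-D"
    return f"iptables {action} INPUT -p {proto} -s {ip} --dport {port} -j ACCEPT"


if __name__ == "__main__":
    server = SpaServer(SHARED_KEY)
    pkt = build_spa_packet(SHARED_KEY, "10.0.0.5", "tcp/22")
    print(server.handle(pkt, "10.0.0.5"))           # accept
    print(server.handle(pkt, "10.0.0.5"))           # reject: replay
    for ip, access in server.active_rules():
        print(iptables_command(ip, access))
```

The order of the checks is the point: the MAC is verified with a constant-time compare before the JSON is parsed, the digest cache stops a sniffed packet from being replayed even within the time window, and the timestamp check bounds how long a captured packet stays useful at all.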

Okay, so here’s how to get it working in Ubuntu 7.04.

Revelation Password Manager for Gnome

Posted on June 23rd, 2007 in Tech Tips by gmendoza

If you have a large number of passwords, it would be a good idea to write them on a sticky pad and put them on your monitor or secretly under your keyboard. ;-)

Or better yet, you can use a nifty password manager for the Linux platform called Revelation. It’s written for tight integration with the Gnome desktop environment.

Home page: http://oss.codepoet.no/revelation/

The passwords are stored in an encrypted XML file, protected by AES encryption and of course a master passphrase.

It has most of the core functionality one would expect from a mature password manager, including a nice internal directory structure to organize your data, copy and paste, and customizable viewing options.

[Screenshot: Revelation Password Manager]

Definitely worth checking out. Ubuntu 7.04 universe repositories have the latest version available for download.

$ sudo apt-get install revelation

Launch it from Applications -> Accessories -> Revelation Password Manager.

Secure Internet Access via SSH Proxy

Posted on June 22nd, 2007 in Tech Tips by gmendoza

An OpenSSH server can be used as a SOCKS-compliant proxy, allowing you to tunnel virtually any TCP-based traffic over the SSH protocol. This is very useful when surfing the web on untrusted networks such as hotel internet services and wireless hotspots, where you never know who is snooping on your data. Keep in mind that the tunnel only protects traffic between you and the SSH server; beyond it, the traffic continues in the clear unless the application itself uses TLS.

All you need is external access to a trusted OpenSSH server, perhaps the one you have at home or at work. If you’re using your laptop to surf the internet at your local coffee shop, establish a connection to that server with the client’s dynamic port-forwarding option (-D), which opens a SOCKS listener on a local TCP port, and then point your web browser’s SOCKS proxy settings at that local port.
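As an added example (not OpenSSH code), here is the SOCKS5 exchange that takes place on that local port, assuming the tunnel was started with ssh -D 1080 user@host and the browser was pointed at localhost:1080. The “proxy” functions model what the SSH client does before relaying the connection over the tunnel; the relay itself is omitted so the block runs offline. The security-relevant detail is the address type in the CONNECT request: when the host name is sent as a domain (ATYP 3) the SSH server resolves it at the far end, whereas a client that resolves the name itself and sends an IPv4 address (ATYP 1) leaks every DNS query to the untrusted network. In Firefox the about:config setting network.proxy.socks_remote_dns controls which of the two happens.

```python
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
REP_SUCCEEDED = 0x00
REP_CMD_NOT_SUPPORTED = 0x07
REP_ATYP_NOT_SUPPORTED = 0x08


def client_greeting():
    """Client -> proxy: version 5, one auth method offered (no authentication)."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def proxy_method_choice(greeting):
    """Proxy -> client: accept 'no auth' if offered (ssh -D needs no SOCKS-level auth)."""
    ver, nmethods = greeting[0], greeting[1]
    methods = greeting[2:2 + nmethods]
    if ver != SOCKS_VERSION or METHOD_NO_AUTH not in methods:
        return bytes([SOCKS_VERSION, METHOD_NONE_ACCEPTABLE])
    return bytes([SOCKS_VERSION, METHOD_NO_AUTH])


def client_connect_request(host, port, resolve_remotely=True):
    """Client -> proxy: CONNECT host:port.

    With resolve_remotely the name travels as ATYP 3 and the SSH server does the
    DNS lookup.  Otherwise the caller passes a dotted quad it resolved itself,
    which is the local DNS query that leaks to the untrusted network.
    """
    if resolve_remotely:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + bytes(int(o) for o in host.split("."))
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def proxy_parse_connect(request):
    """Proxy side: decode the CONNECT target. Returns (rep, host, port); rep 0 means OK."""
    ver, cmd, _rsv, atyp = request[:4]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        return REP_CMD_NOT_SUPPORTED, None, None
    if atyp == ATYP_IPV4:
        host, end = ".".join(str(b) for b in request[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = request[4]
        host, end = request[5:5 + n].decode("idna"), 5 + n
    else:
        return REP_ATYP_NOT_SUPPORTED, None, None   # IPv6 (ATYP 4) is not modelled here
    (port,) = struct.unpack("!H", request[end:end + 2])
    return REP_SUCCEEDED, host, port


def proxy_reply(rep, bound_ip="0.0.0.0", bound_port=0):
    """Proxy -> client: reply code plus the address the proxy bound for the relay."""
    bound = bytes(int(o) for o in bound_ip.split("."))
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bound + struct.pack("!H", bound_port)


def client_parse_reply(reply):
    """Client side: the REP field; anything but 0 means the proxy refused."""
    return reply[1]


def scripted_exchange(host, port, resolve_remotely=True):
    """Run the whole handshake in memory and return the four messages in order."""
    greet = client_greeting()
    choice = proxy_method_choice(greet)
    req = client_connect_request(host, port, resolve_remotely)
    rep, _target_host, _target_port = proxy_parse_connect(req)
    reply = proxy_reply(rep, "127.0.0.1", 1080)
    return [greet, choice, req, reply]


if __name__ == "__main__":
    for label, msg in zip(["C>", "P>", "C>", "P>"], scripted_exchange("example.com", 443)):
        print(label, msg.hex(" "))
```

Printing the transcript shows the host name in the clear inside the third message, which is exactly what the SSH server, not the coffee-shop resolver, gets to look up.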

PAM_KEYRING: Automatic Keyring Authentication

Posted on June 21st, 2007 in Tech Tips by gmendoza

UPDATE (11-03-2008): These instructions are no longer applicable to Ubuntu version 8.10 and higher. The latest versions of Ubuntu allow you to use a blank password for your keyring, which will allow user accounts automatically logged in by GDM to access the keyring.

If you are not using the the GDM auto login feature, simply make sure your keyring password is the same as your login password, this way it is automatically unlocked for you. The keyring passwords are now easy to change from “Applications… Accessories… Passwords and Encryption Keys… Edit menu… Preferences… Password Keyrings.” Highlight the “login” entry, and use the “Change Unlock Password” button.

The original instructions below ONLY apply to versions previous to Ubuntu 8.04.

ORIGINAL POST:
If you would like to avoid having to type in a password to access your gnome keyring, then you are in luck. To quote from the author’s web site, “PAM_KEYRING is a pam module that launches the gnome-keyring-daemon and then unlocks a keyring using your login password.”

In Ubuntu 7.04, this comes in handy when using Network Manager to connect to your wireless network. Typically users are prompted for the “master” password to their keyring manager immediately after logging on to gnome, and this can become tedious. Installing and configuring PAM_KEYRING is a snap.

1. Install libpam-keyring from universe repositories.

$ sudo apt-get install libpam-keyring

2. Add the pamkeyring module to /etc/pam.d/gdm

$ echo "@include common-pamkeyring" | sudo tee -a /etc/pam.d/gdm

UPDATED: (10/25/2007)
With the release of Ubuntu 7.10 Gutsy, libpam-keyring is no longer needed, as this feature has been built by default in with the package “libpam-gnome-keyring”.

UPDATED: (04/21/2008) - For GDM Auto-Login Users

Sorry for not updating this post sooner. I helped someone else with this offline a while back. Here’s an excerpt from my email. It works well with Ubuntu 7.10 Gutsy, and “should” work with Hardy, unless there’s been some major changes with the libpam-gnome-keyring package that I don’t know about.

The auto-login feature of GDM relies on the GDM process’s ability to start Gnome as your user account without knowing the password, as it uses an “su” command to accomplish the magic.

There lies the problem. The keyring uses the password supplied by the user to unlock itself, and being that no password is supplied to pam, it cannot unlock the keyring.

From a useful bug report, one fellow outlined how he had always done it previously using a login script. He used a tool called “pam-keyring-tool” included with the libpam-keyring package. The new libpam-gnome-keyring package does not include this binary, so in order for this to work, you need to compile it from source.

I’ve successfully got it working using the following procedures:

Step 1: Download latest pam_keyring source code. I like to place all source code in /usr/src/:

cd /usr/src/
sudo wget http://www.hekanetworks.com/opensource/pam_keyring/pam_keyring-0.0.9.tar.gz

Step 2: Unpack source code

sudo tar zxfv pam_keyring-0.0.9.tar.gz

Step 3: Install prerequisites

sudo apt-get install build-essential libglib1.2-dev libglib2.0-dev
sudo apt-get install libtool libgnome-keyring-dev libpam0g-dev

Step 4: Compile and Install

cd /usr/src/pam_keyring-0.0.9
sudo ./configure --prefix=/usr
sudo make
sudo cp src/pam-keyring-tool /usr/bin/

Note: I’m not doing a “make install” because I only want this one binary installed and nothing else.

Step 5: Test binary

/usr/bin/pam-keyring-tool --help

If you get a nice usage menu, you’ll see what the tool options are, and your compilation is complete.

Step 6: Create login script called “unlock-keyring.sh”.

Since the file will contain your password in clear text, keep it in your home folder and make it readable only by your user (mode 700 rather than 750, so that not even your group can read it; sudo is not needed for files in your own home directory, and running the editor as root is best avoided). Yes… I know this is lame.

mkdir ~/scripts
chmod 700 ~/scripts
touch ~/scripts/unlock-keyring.sh
chmod 700 ~/scripts/unlock-keyring.sh
gedit ~/scripts/unlock-keyring.sh

Add the following to the script:

#!/bin/bash
echo "PASSWORD_HERE" | /usr/bin/pam-keyring-tool -u -s

Step 7: Add the script to your gnome session startup scripts

System -> Preferences -> Sessions

Under Startup Programs, add a new entry that will appear first in the list. e.g. “1-unlock-keyring”

The command will be:
“/home/USERNAME_HERE/scripts/unlock-keyring.sh”

Step 8: Ensure your /etc/pam.d/gdm-autologin is set to its defaults. This was the default Gutsy 7.10 version, for reference:

#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth required pam_permit.so
@include common-account
session required pam_limits.so
@include common-session
@include common-password

Step 9: Restart GDM or simply reboot.

I really hope this helps you guys out.