Tuesday, September 21, 2004

Get Java Plugin to work with FreeBSD with this link

Found this link on the web, for getting the java plug-in to work with FreeBSD. I have not tried it out yet but I may need this in the future as I have had problems getting the java plug-in to work in the past:

URL: http://archive.pilgerer.org/mharc/html/freebsd-stable/2004-07/msg00280.html

Monday, September 20, 2004

VIM takes forever to start!

Wow!! I just made several changes to my .cshrc file and later found out that for some strange reason, VIM was taking its own time to start. Apparently, VIM was trying to connect to the X server to get additional information.

After searching on Google I found that the -X option to vim would fix this delay and it did. Now vim starts up lightning fast like it used to.

It was probably enabling the DISPLAY variable in .cshrc, which triggered this slow effect.

Sunday, September 19, 2004

Ruby, please stop Core Dumping...

It has been a while since I last ran cvsup on my ports collection. To my surprise I ran into a bit of a jam when I ran: cvsup -g -L 2 /etc/stable-supfile. I received a hideous error which looked something like this:

root@:/usr/ports> portupgrade -ar
[Updating the pkgdb in /var/db/pkg ... - 472 packages found (-1 +0) (...)/usr/local/lib/ruby/site_ruby/1.8/pkgdb.rb:467: [BUG] Segmentation fault
ruby 1.8.2 (2004-07-29) [i386-freebsd4]

Garance Alistair Drosehn made a post to lucky.freebsd.ports newsgroup, which in my opinion was the best result I found after searching for solutions to this fix. This post was as follows:

Try adding the following two lines to /usr/local/etc/pkgtools.conf:

ENV['PKG_DBDRIVER'] = "bdb_hash"
ENV['PORTS_DBDRIVER'] = "bdb_hash"

Add them down where other environment variables are set, such as
ENV['PORTSDIR'] ||= '/usr/ports'

I must also mention that issuing:

root@:/usr/ports> pkgdb -fu

worked wonders and fixed the problem, now no more core dumps on portupgrade. I wonder what caused this problem.

Two editors deleted, another blog created! :)

I should have done this first, create a separate blog for OOD instead of adding my partners to my blog. This will just save a lot of headaches in the future.

Instead I created oodwithbaliga.blogspot.com and invited my two partners, Dave and Steven. :)

Wednesday, September 15, 2004

Two Editors added for OOD

I would like to humbly welcome Steven Peterson and David Grochowski to My Almost Daily Blog (MADB). These individuals were added as a result of group formations for Object Oriented Design for Fall 2004. We are to use this blog to keep track of our project logs, including the first project. In addition, since I will also be using the blog to keep track of what I learn as it pertains to computers, I extend this option to you two as well. Feel free to post information about your daily learnings.

Tuesday, September 14, 2004

Fo' Shizzle

Yo.

Sunday, September 05, 2004

List the 10 largest files in a directory

Taken from "BSD Fortune".
du /partition_or_directory_name | sort -rn | head
-- Dru

Saturday, September 04, 2004

Free Virus Protection for Windows

http://www.pandasoftware.com/activescan/
http://www.grisoft.com/us/us_index.php
http://www.avast.com/

Tuesday, August 24, 2004

Desktop Printing w/ FreeBSD

Whew! It is getting late and I need some sleep. I will read this article either tomorrow or within the next week. Since my LPT port is broken I will have to try out the examples in this article on another computer. Pete's computer will be the best pick since more computers are networked to the server I set up. This will come in very handy when it is set up.

The article URL: http://www.ofb.biz/modules.php?name=News&file=article&sid=321

Encrypt GAIM Conversations

This works with Gaim-0.81 and provides transparent RSA using NSS.
More information on this later after using it for some time.
URL: http://gaim-encryption.sourceforge.net/

Brief Notes from Poul-Henning Kamp on GBDE

I am new to this GBDE (GEOM Based Disk Encryption) for now so I am just going to jot down information I find interesting or did not know about for later personal research.

These notes are from http://phk.freebsd.dk/pubs/bsdcan-04.slides.gbde.pdf

GEOM - The framework for classes which perform transformations on disk I/O:
- Was developed under DARPA/SPAWAR.
- Is filesystem independent and works at the disk level. The good thing is that these encrypted disks/partitions look just like any other disk. Better yet, GEOM works with UFS1/2. Since I am using FreeBSD-4.10 Stable I may have to upgrade to 5.x if I want to use GBDE. I am really comfortable with 4.10 right now, but I know eventually I will upgrade. For now I will just read up on GBDE.
- Many other filesystems can be used with GEOM, including but not limited to FAT, NTFS, ISO9660 and many more.

How Good is GEOM?:
Well, it is said that unless AES is broken GEOM can not be cracked! That sounds good to me.

Another Good News Source

http://www.newsforge.com/ I found while reading a Slashdot post on the new GBDE-GEOM Based Disk Encryption for FreeBSD. This is something I will look into later.

Protect the USB PenDrive at all Cost!

This is something I fear most. Losing my USB pendrive! Not only will my data be gone, but whoever comes across it will have my data. Why not just encrypt it?

This article from BSDNews.org talks just about that.

Monday, August 23, 2004

Convert to Hex in VIM

Just recently, I realized my favorite Open Source Editor (OSE), VIM, has a built-in "hex editor". Well, it is not really a Hex editor, but rather a conversion option. I realized this while playing with the pull-down menus in VIM for windows.

While in VIM issuing the following will convert the current screen to hex:

:%!xxd

To convert back do:

:%!xxd -r

I thought this was pretty neat!

Wednesday, August 18, 2004

Hotmail in FreeBSD (gotmail)

Found a new toy, gotmail (/usr/ports/gotmail). This is a console application which downloads mail from hotmail.com or msn.com to a local folder, or it can be configured to forward mail to another email address like gmail!

Thursday, August 12, 2004

1and1 Linux Hosting Setup

A client of mine just purchased hosting services from 1and1.com and wants me to do web development for him. Initially he signed up for the MS package, but I requested that he change to Linux. The MS package was nice, it came with .NET and all that good stuff, but I am on the go most of the time and every machine I sit at will not have VS.NET waiting for me. The ability to SSH is available on most computers I do work on. This for me will be the best option for now as I can just ssh from where I am and do updating.

Manually I had to transfer all the files from the MS host (the initial service) to my machine, which will be transferred to the Linux host (the new service) once I have my ssh account customized the way I need it.

I need the following files:
- .cshrc
- .vimrc
- .screenrc

I need the following directories:
- phpMyAdmin/
- Backups/
- home/

Just realized this is going to be annoying!!! I HATE how this HOST does not allow you to change their cryptic usernames! I have to use usernames like 34asfa243asf! And their passwords look just the same!

Created one out of three databases to make sure database creation works like I expect. The same problem here: even the names of the databases created look like passwords and cannot be changed. The best thing for me to do is just create a log file on the server and document which database I am using and for what reason/application.

- Downloaded phpMyAdmin to work with the one out of three databases only.
- Created an .htaccess to protect the database

Wednesday, August 11, 2004

Setting up Apache2/mod_php/mod_ssl ....

Excellent Guide: http://www.bsdguides.org/guides/freebsd/webserver/apache_ssl_php_mysql.php

Post Notes on Apache (2.0.50):

Since 2.0.49_2, to run apache www server from startup, add apache2_enable="YES"
in your /etc/rc.conf.
Available variables you add/set to /etc/rc.conf.
- apache2_enable (bool): Set to "NO" by default.
Set it to "YES" to enable apache2.
- apache2ssl_enable (bool): Set to "NO" by default.
Set it to "YES" to start apache with SSL
(if exists in httpd.conf).
- apache2limits_enable (bool):Set to "NO" by default.
Set it to yes to run `limits $limits_args`
just before apache starts.
- apache2_flags (str): Set to "" by default.
Extra flags passed to start command.
- apache2limits_args (str): Default to "-e -C daemon"
Arguments of pre-start limits run.

Apache2 Installed OK and I added the following to /etc/rc.conf
### Start-up Options for Apache2 ############
apache2_enable="YES"
apache2ssl_enable="YES"

Manually creating the directories for SSL if they do not already exist:

$> mkdir /usr/local/etc/apache2/ssl.key
$> mkdir /usr/local/etc/apache2/ssl.crt
$> chmod 0700 /usr/local/etc/apache2/ssl.key
$> chmod 0700 /usr/local/etc/apache2/ssl.crt

Installing MySQL (mysql-server-4.0.20)
$> cd /usr/ports/databases/mysql40-server
$> make install WITH_OPENSSL=yes distclean

Added group "mysql".
Added user "mysql".

# Personal Note: Remember to change the password for mysql user root.

Next I will install mod_php4 and mod_php5
Note: Make sure to check the OpenSSL box and leave the rest of the
default values alone.

$> cd /usr/ports/www/mod_php4
$> make install distclean
$> cd /usr/ports/lang/php4-extensions
$> make install distclean

I just realized that I can not install both mod_php4 and mod_php5 because of the following error:
===> mod_php5-5.0.0_2,1 conflicts with installed package(s):
mod_php4-4.3.8_2,1

They install files into the same place.
Please remove them first with pkg_delete(1).
*** Error code 1

Stop in /usr/ports/www/mod_php5.
*** Error code 1

Stop in /usr/ports/www/mod_php5.


So, for now I'll just stick with mod_php4 and its extensions

$> cd /usr/ports/www/mod_php5
$> make install distclean
$> cd /usr/ports/lang/php5-extensions
$> make install distclean

Edit Apache's configuration file after all the "LoadModule" lines:

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps


Certificate Creation:
----------------------

Change to root's dir and issue the following:

$> mkdir SSLCertificates
$> cd SSLCertificates
$> openssl genrsa -des3 -out server.key 1024

From the key created above, we then need to make a Certificate Signing Request (CSR).

$> openssl req -new -key server.key -out server.csr

After the above command, use the same password used during CSR.
Fill out all necessary information required.

Now we need to sign our certificate
$> openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The above signs and makes our certificate valid for 365 days. Now the files need to be
copied to the appropriate directories.

$> cp server.key /usr/local/etc/apache2/ssl.key/
$> cp server.crt /usr/local/etc/apache2/ssl.crt/

$> chmod 0400 /usr/local/etc/apache2/ssl.key/server.key
$> chmod 0400 /usr/local/etc/apache2/ssl.crt/server.crt
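
The steps above as one unattended run with a verification pass, added here as an example and not part of the original notes. It assumes a scratch directory in place of /usr/local/etc/apache2, a 2048-bit key without a passphrase, and a made-up subject name; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: key -> CSR -> self-signed certificate, then verify the install.

# make_selfsigned DIR: create the key pair and certificate under DIR.
make_selfsigned() {
    dir=$1
    mkdir -p "$dir/ssl.key" "$dir/ssl.crt"
    chmod 0700 "$dir/ssl.key" "$dir/ssl.crt"
    # No -des3 here so the script needs no passphrase prompt (assumption).
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" \
        -subj "/CN=www.example.test" -out "$dir/server.csr"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    cp "$dir/server.key" "$dir/ssl.key/"
    cp "$dir/server.crt" "$dir/ssl.crt/"
    chmod 0400 "$dir/ssl.key/server.key" "$dir/ssl.crt/server.crt"
}

# check_install DIR: print "ok", or the first problem found and return 1.
check_install() {
    key=$1/ssl.key/server.key
    crt=$1/ssl.crt/server.crt
    for f in "$key" "$crt"; do
        [ -f "$f" ] || { echo "missing $f"; return 1; }
        # find -perm with an octal mode matches the permission bits exactly.
        [ -n "$(find "$f" -perm 0400)" ] || { echo "mode of $f is not 0400"; return 1; }
    done
    # The RSA modulus of the private key must equal the one in the certificate.
    km=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    cm=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)
    [ -n "$km" ] && [ "$km" = "$cm" ] || { echo "key and certificate do not match"; return 1; }
    echo ok
}

# Demo run in a throwaway directory.
demo=$(mktemp -d)
make_selfsigned "$demo"
check_install "$demo"
rm -rf "$demo"
```

The modulus comparison is what catches a certificate copied next to the wrong key, and the mode check catches a chmod aimed at the wrong path.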




The following windows were open with these links before I rebooted!
http://bsdvault.net/sections.php?op=viewarticle&artid=78
http://bsdvault.net/sections.php?op=viewarticle&artid=82
http://bsdvault.net/sections.php?op=viewarticle&artid=105
http://www.tao.ca/

Tuesday, August 10, 2004

Use Blowfish for user password not MD5!


It just came to my understanding and attention that I was not using the strongest encryption scheme to encrypt my user passwords. This article from BSDVault explains how to change the default DES encryption on FreeBSD to Blowfish. By default DES is used when users are added with "adduser" to produce a cipher, which in turn goes through the MD5 function to produce a hash.




Blowfish is said to be extremely strong and that it has yet to be cracked! Here are the procedures I used as I was following the article on BSDVault.net:

$> vim /etc/login.conf
Changed: :passwd_format=md5:
To: :passwd_format=blf:
$> cap_mkdb /etc/login.conf


$> vim /etc/auth.conf

Added: crypt_default = blf

Checking /etc/master.passwd I see:

blowfishuser:$2a$04$tZ8kRFQJ4YU50c9cEYccIu7Z6BtmwB5fpwsE.kl7ogbEwNyQCgG16:

Nice!

Note the "$2a$", which denotes blowfish encryption is being used. This time around the hash is much longer than MD5. So now, when a password is used, the password will be encrypted with blowfish.
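
A way to run that "$2a$" check over every account at once, added here as an example and not part of the original notes. It reads lines in master.passwd format, names the scheme from the hash prefix, and pulls out the two-digit Blowfish cost that follows "$2a$" (04 in the entry above). The sample lines are constructed with placeholder hash bodies, and the function names and the minimum cost of 8 are assumptions.

```shell
#!/bin/sh
# Added example: classify password hashes in master.passwd-format lines.

# Constructed sample; the hash bodies are placeholders, not real hashes.
sample_master_passwd() {
    cat <<'EOF'
# constructed sample in master.passwd format
root:$2a$10$PLACEHOLDERsaltPLACEHOLDERhash:0:0::0:0:Charlie &:/root:/bin/csh
blowfishuser:$2a$04$PLACEHOLDERsaltPLACEHOLDERhash:1001:1001::0:0:User:/home/blowfishuser:/bin/tcsh
olduser:$1$PLACEHLD$PLACEHOLDERhash:1002:1002::0:0:Old:/home/olduser:/bin/tcsh
legacy:abPLACEHOLDER:1003:1003::0:0:Legacy:/home/legacy:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
}

# audit_passwd_hashes FILE [MINCOST]: print "user: scheme" for each account.
audit_passwd_hashes() {
    awk -F: -v min="${2:-8}" '
        /^#/ || NF < 2 { next }
        {
            h = $2
            if (h == "")            s = "EMPTY"
            else if (h ~ /^[*!]/)   s = "locked"
            else if (h ~ /^\$2[abxy]?\$[0-9][0-9]\$/) {
                # Fields between "$": "", "2a", cost, salt+hash
                split(h, p, "[$]")
                cost = p[3] + 0
                s = "blowfish cost=" cost
                if (cost < min) s = s " LOW"
            }
            else if (h ~ /^\$1\$/)  s = "md5 WEAK"
            else if (h ~ /^\$/)     s = "unknown"
            else                    s = "des WEAK"   # no "$" prefix at all
            print $1 ": " s
        }' "$1"
}

# Demo run on the constructed sample.
tmp=$(mktemp)
sample_master_passwd > "$tmp"
audit_passwd_hashes "$tmp" 8
rm -f "$tmp"
```

Each doubling of the work happens per cost step, so an entry at cost 04 is far cheaper to guess against than one at cost 10 even though both start with "$2a$".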

Friday, August 06, 2004

Nice little checklist for FreeBSD

http://www.sddi.net/FBSDSecCheckListaslist.html

This checklist is going to come in handy if I reinstall my FreeBSD system. I have made so many changes over the years and I can use this to add to when I think of something. The below checklist was slightly modified to suit my needs.


FreeBSD Security Checklist as a List

Location of this document: http://www.sddi.net/FBSDSecCheckListaslist.html

Location of the full version: http://www.sddi.net/FBSDSecCheckList.html

Installation
____ separate slices for /(500MB), /tmp(400MB), /usr(33G), /usr/home(2G), /var(400MB), /storage(34G)
____ no inetd.conf, nfs or ntp
____ list ntp servers to use:________________ ________________
____ add /sysutils/rdate-1.0 & /security/chkrootkit-0.36
____ add non-privileged user account in wheel group
Users
____ vipw and remove toor user, rename Charlie&, change shells
____ in /etc/group, and add ssh:*:0:sshusergroup
motd
____ cp /etc/motd /etc/motd.old
____ rm /etc/motd
____ touch /etc/motd
____ vi /etc/motd and create
____ cp /etc/motd /etc/issue
/etc/ssh/sshd_config
____ port 22
____ protocol 2
____ #Hostkey /etc/ssh/ssh_host_key
____ PermitRootLogin no
____ MaxStartups 5:50:10
____ X11Forwarding no
____ PrintLastLog yes
____ SyslogFacility auth
____ LogLevel VERBOSE
____ PasswordAuthentication no
____ Banner /etc/issue
____ AllowGroups sshusers
/etc/ssh/ssh_config
____ ForwardAgent no
____ ForwardX11 no
____ PasswordAuthentication no
____ CheckHostIP yes
____ Protocol 2
DSA Key Generation (as opposed to passwd)
____ su - {nonprivuser} as root
____ ssh-keygen -d
____ accept default /.ssh/id_dsa
____ enter passwords twice
____ cd .ssh
____ cat id_dsa.pub > authorized_keys2
____ copy key to floppy, and confirm
____ delete key from server
rc.conf
____ inetd_enable="NO"
____ syslogd_enable="YES"
____ syslogd_flags="-ss"
____ icmp_drop_redirect="YES"
____ icmp_log_redirect="YES"
____ clear_tmp_enable="YES"
____ portmap_enable="NO"
____ icmp_bmcastecho="NO"
____ fsck_y_enable="YES"
____ update_motd="NO"
____ tcp_drop_synfin="YES"
____ log_in_vain="YES"
login.conf & auth.conf
____ vi /etc/login.conf
____ :passwd_format=blf:
____ :passwordtime=52d:
____ mixpasswordcase=true:
____ :minpasswordlen=9:
____ :idletime=32:
____ cap_mkdb /etc/login.conf
____ confirm with vipw that password field starts with $2
____ confirm shells for users
____ vi /etc/auth.conf
____ crypt_default=blf
sysctl.conf
____ vi sysctl.conf
____ net.inet.tcp.blackhole=2
____ net.inet.udp.blackhole=1
____ kern.ps_showallprocs=0
fstab
____ vi /etc/fstab
____ /tmp to rw,noexec
____ /usr/home to rw,nosuid,noexec
____ /floppy to rw,noauto,noexec,nosuid,nodev,noatime
____ /cdrom to ro,noauto
crontab
____ chmod 600 /etc/crontab
____ touch /var/cron/allow and add users who can change cron jobs
____ chmod 600 /var/cron/deny
____ vi /var/cron/deny and add users to disallow
____ add 0 2 * * * root /usr/libexec/locate.updatedb
____ add 0 2 * * * root /usr/local/sbin/rdate {ntpserver}
____ add 1 3 * * * root /usr/local/sbin/chkrootkit
Kernel Changes /usr/src/sys/i386/conf/{kernelname}
____ #pseudo-device bpf
____ options SC_NO_HISTORY
____ options SC_DISABLE_REBOOT
____ options SC_DISABLE_DDBKEY
____ options TCP_DROP_SYNFIN
____ options RANDOM_IP_ID
____ options ICMP_BANDLIM
____ confirm settings in /usr/src/sys/i386/conf/LINT
____ rebuild kernel and reboot
File Permissions
____ chmod 700 /root
____ chmod 600 /etc/syslog.conf
____ chmod 600 /etc/rc.conf
____ chmod 600 /etc/newsyslog.conf
____ chmod 600 /etc/hosts.allow
____ chmod 600 on /etc/login.conf
____ chmod 700 /usr/home/*
Network Time Protocol
____ vi /etc/ntp.conf
____ restrict default ignore
TCP Wrappers
____ vi /etc/hosts.allow
____ sshd : localhost : allow
____ sshd : x.x.x.x, x.x.x.x : allow
____ sshd : all : deny
____ ftpd : ALL : deny and so on for unused services
Console Access
____ vi /etc/ttys
____ first line: console none unknown off insecure
____ on insecure for each tty
Bash Shell
____ vi /usr/share/skel/.bash_logout
____ clear
chflags
____ list files to sappnd & schg
Clean-up
____ sockstat -4
____ tcpdump -xX
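
The /etc/ssh/sshd_config items of the checklist turned into an automated check, added here as an example and not part of the original checklist. It follows sshd's rule that the first value given for a keyword wins and stops at the first Match block, since settings below it apply only conditionally. The sample config is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare an sshd_config with the checklist's expected values.

# Constructed sample configuration with several deviations.
sample_sshd_config() {
    cat <<'EOF'
# constructed sample, not from the checklist
Port 22
Protocol 2,1
PermitRootLogin yes
X11Forwarding no
PasswordAuthentication no
passwordauthentication yes
LogLevel INFO
Match User backup
    PermitRootLogin no
EOF
}

# audit_sshd_config FILE: print one sorted line per missing or wrong setting.
audit_sshd_config() {
    awk '
        BEGIN {
            # Expected values as listed in the checklist (compared in lower case).
            want["protocol"]               = "2"
            want["permitrootlogin"]        = "no"
            want["x11forwarding"]          = "no"
            want["printlastlog"]           = "yes"
            want["loglevel"]               = "verbose"
            want["passwordauthentication"] = "no"
        }
        NF == 0 || $1 ~ /^#/ { next }      # blank lines and comments
        {
            key = tolower($1)
            if (key == "match") exit       # global section ends here
            if ((key in want) && !(key in seen))
                seen[key] = tolower($2)    # first occurrence wins
        }
        END {
            for (k in want) {
                if (!(k in seen))
                    print "MISSING " k " (want " want[k] ")"
                else if (seen[k] != want[k])
                    print "FAIL " k "=" seen[k] " (want " want[k] ")"
            }
        }' "$1" | LC_ALL=C sort
}

# Demo run on the constructed sample.
cfg=$(mktemp)
sample_sshd_config > "$cfg"
audit_sshd_config "$cfg"
rm -f "$cfg"
```

A keyword reported as MISSING is running on the daemon's built-in default, so it still needs to be looked up before the box can be ticked.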

Sguil Installation Guide v 0.5.0_03

Richard Bejtlich just updated the Sguil Installation Guide. I have been telling myself to read this, but haven't yet gotten to it. I am determined to read it within the next week and try out Sguil on my box. The URL: http://sguil.sourceforge.net/sguil_guide_latest.txt