linux

Linux (/ˈlɪnəks/ LIN-uks or, less frequently used, /ˈlaɪnəks/ LYN-uks) is a Unix-like and mostly POSIX-compliant computer operating system assembled under the model of free and open-source software development and distribution. [read more at http://en.wikipedia.org/wiki/Linux]

  • FaF File Anomaly Finder

    FaF (File Anomaly Finder) is a wrapper for the *nix 'find' utility. It generates audit reports for data matching specific characteristics, such as setgid/setuid, unowned, and more. The objective is simply to create an anomaly finder that identifies common flawed permissions or otherwise suspicious file system characteristics.

    The main features of FaF are:
    • simplistic and to the point audit reports
    • easy setup and configuration
    • audits emailed to customizable address or user
    • ideal for web servers or general purpose workstations
    • audits of setgid/setuid, hidden, unowned, & world writable data
    • very portable
    http://www.r-fx.org/faf.php

    # wget http://www.r-fx.ca/downloads/faf-current.tar.gz
    # tar xvf faf-current.tar.gz
    # cd faf*
    # ./install.sh

    Install path:     /usr/local/faf/
    Config path:     /usr/local/faf/conf.faf
    Executable path: /usr/local/sbin/faf


    Why do you need such a tool?
    Never trust anyone, including sometimes yourself ;-) Used correctly, this tool ensures that you will never forget any files with too many permissions. It may also reveal a hacker putting some new files under the user nobody...

    What to do with the output?

    You'll have to react differently for each occurrence in the report....

    SUID/SGID Binaries

    The sticky bit was once used on executables in Linux so that they would remain in memory longer after the initial execution, in the hope that they would be needed again in the near future. But since today we have more sophisticated memory access techniques and the bottleneck related to primary memory is diminishing, the sticky bit is no longer used for this. Instead, it is used on folders, to imply that a file or folder created inside a sticky bit-enabled folder can only be deleted by its creator. A nice use of the sticky bit is the /tmp folder, where every user has write permission but only the user who owns a file can delete it. Remember that files inside a folder which has write permission can be deleted even if the file itself doesn't have write permission. The sticky bit comes in useful here.

    SUID or SetUID bit: an executable which has the SUID bit set runs with the ownership of the program owner. That is, if you own an executable, and another person runs the executable, then it runs with your permissions and not theirs. The default is that a program runs with the ownership of the person executing the binary.

    Consider also reading:
    What are the SUID, SGID and the Sticky Bits?

    You can also find them manually by entering:
    # find / -type f \( -perm -04000 -o -perm -02000 \) -print
    The SGID bit works the same way as SUID, except that the program runs with the permissions of the group. It can also be set on folders, making any files or folders created inside the SGID-set folder have a common group ownership.

    files in /srv (http root folder)
       You should accept NO files with SUID/SGID in the http root folder. Remove them all:
            # find /srv -type f \( -perm -04000 -o -perm -02000 \) -exec chmod ug-s {} \;

    No Owner/Group
    May also be an indication an intruder has accessed your system...
    Can also be found manually by typing:
    # find / \( -nouser -o -nogroup \) -print
    files in /srv (http root folder)

    Permissions and ownership are linked together to make your server work peacefully. The basic idea is always to give the minimum rights to the file.

    A rule of thumb would be:
    read only for all files, r--r--r-- or r--------
    read, execute for all directories, r-xr-xr-x or r-x------
    The problem is that Apache and PHP also run under their own user...

    A very informative article explaining the problem on a concrete example (Gallery2) can be found at  http://codex.gallery2.org/Gallery2:Security

    At least (worst), when Apache runs as the wwwrun user in the www group, in your HTTP directory:
    # chown -R wwwrun .
    # chgrp -R www .
    then all files have to be rw------- and directories r-x------
    Advantage: you can use the Joomla! administrator panel
    BUT: with any bug in PHP code, an attack can read or overwrite any file! -> highly insecure

    Better would be to change all files/directories in your HTTP directory to the right web user!
    # chown -R cedric .
    # chgrp -R psacln .
    Change all files/directories that have to be written by Apache (cache directories) to
    # chown -R wwwrun cache
    # chgrp -R www cache
    Advantage: a bug in Apache/PHP, or an attack, cannot touch any of your files.
    BUT: if PHP does not run under your user, the Joomla! panel won't be usable, as Apache/PHP won't be able to install any new components/images.

    Files in /etc must generally only be available to root
    # chown -R root /etc
    # chgrp -R root /etc
    # find /etc -type f -exec chmod 600 {} \;

    World Writable

    files in /srv
    must be avoided at all costs! This line removes the world-writable bit from all files in /srv
    # find /srv -type f -exec chmod o-w {} \;
    This line removes the world-writable bit from all directories in /srv
    # find /srv -type d -exec chmod o-w {} \;
    Files in /
    You should ignore /proc files, /dev files (hundreds of these are correctly world writable),
    symbolic (soft) links (which should have mode 777), directories with the sticky (save text) bit on, and
    sockets, as that is relatively safe.
    Hidden Files/Paths

    You should normally have no such files! Try to understand why they are there (search on Google), open them and/or move/delete them
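The manual find checks from this article, collected into one read-only report (an added example, not FaF's own code and not part of the original post). The function name audit_tree, the category labels and the default root /srv are assumptions of this example; it only lists findings and changes nothing.

```shell
#!/bin/sh
# Added example: read-only audit built from the find expressions in this article.
# Prints one "CATEGORY path" line per finding; no file is modified.

# Prefix every path read on stdin with its category label.
tag() { sed "s|^|$1 |"; }

audit_tree() {
    root=${1:-/srv}

    # Common prefix for every pass: start at ROOT and prune the pseudo file
    # systems the article says to ignore (only relevant when ROOT is /).
    set -- "$root" \( -path /proc -o -path /sys -o -path /dev \) -prune -o

    # setuid / setgid regular files
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | tag SUID_SGID

    # anything whose owner or group no longer exists in passwd/group
    find "$@" \( -nouser -o -nogroup \) -print 2>/dev/null | tag UNOWNED

    # world-writable regular files; symlinks and sockets are not -type f,
    # so they are skipped as the article recommends
    find "$@" -type f -perm -0002 -print 2>/dev/null | tag WORLD_WRITABLE

    # world-writable directories, except those protected by the sticky bit (like /tmp)
    find "$@" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | tag WORLD_WRITABLE

    # hidden files and directories
    find "$@" -name '.*' ! -name . ! -name .. -print 2>/dev/null | tag HIDDEN
}

# Run only when a directory is given, e.g.:  sh audit.sh /srv
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

Review the report before changing anything: the chmod commands above act on everything find matches.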
  • How Linux Could Overthrow Microsoft

    2 interesting articles...

    For as long as most technologists can remember, there has been "Wintel," the $250 billion industry dominated by Microsoft's Windows operating systems and Intel's microprocessors. But "Lintel," or the Linux operating system and Intel, is now encroaching on this empire, and behind it is the entire open-source software movement, which threatens to overthrow the Windows industry. Faced with this challenge, Microsoft is showing classic symptoms of "incumbents' disease." Rather than remaking itself, Microsoft is using legal threats, short-term deals, and fear, uncertainty, and doubt to fortify its position. But this strategy probably won't work. The Linux operating system and the open-source model for software development are far from perfect, but they look increasingly likely to depose Microsoft....By Charles Ferguson. Read more HERE at www.technologyreview.com

    and the feature article column  ("Linux vs. Windows: Why Linux will win" ) of www.librenix.com

  • 1 week of mod_evasive some nasty bots get blacklisted

    These are my mod_evasive settings:
     
    LoadModule evasive20_module     /usr/lib/apache2/mod_evasive20.so
    <IfModule mod_evasive20.c>
      DOSHashTableSize 3097
      DOSPageCount 5
      DOSSiteCount 100
      DOSPageInterval 2
      DOSSiteInterval 2
      DOSBlockingPeriod 600
      # Placeholder address: the original was hidden by the site's e-mail cloaking
      DOSEmailNotify admin@example.com
    </IfModule>

    And this is a small piece of documentation I forgot to add in the previous article:

    • DOSHashTableSize: is the size of the table of URL and IP combined. The greater this setting, the more memory is required for the look up table, but also the faster the look ups are processed. This option will automatically round up to the nearest prime number.
    • DOSPageCount: is the number of same page requests from the same IP during an interval that will cause that IP to be added to the block list.
    • DOSSiteCount: is the number of pages requested of a site by the same IP during an interval which will cause the IP to be added to the block list.
    • DOSPageInterval: interval for the 'DOSPageCount' threshold, in seconds.
    • DOSSiteInterval: interval for the 'DOSSiteCount' threshold, in seconds.
    • DOSBlockingPeriod: is the time the IP is blocked (in seconds).
    • DOSEmailNotify: can be used to send an email notification every time an IP is blocked.
    • DOSSystemCommand: is the command executed when an IP is blocked. It can be used to block the user at a firewall or router.
    • DOSWhiteList: can be used to whitelist IPs such as 127.0.0.1
    So if anybody requests the same page on my homepage 5 times in less than 2 seconds, they will get blacklisted.
    If anybody tries to make more than 100 requests to my homepage in less than 2 seconds, they will get blacklisted.
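To see which clients a given set of thresholds would catch before enabling them, the page and site counters described above can be replayed over an access log. This is an added example, not mod_evasive's code and not from the original post: the name evasive_sim, the window model (a counter that restarts once the interval has passed), the comma-separated whitelist argument and the constructed log lines are all assumptions.

```shell
#!/bin/sh
# Added example: replay an Apache access log against the page/site thresholds.
# Simplified model of the thresholds as described in this article, not the module itself.
# Usage: evasive_sim PAGE_COUNT PAGE_INTERVAL SITE_COUNT SITE_INTERVAL [WHITELIST] < access_log
# Output: one "IP PAGE" or "IP SITE" line for each client that would be blocked.

evasive_sim() {
    awk -v pc="${1:-5}" -v pi="${2:-2}" -v sc="${3:-100}" -v si="${4:-2}" \
        -v wl="${5:-127.0.0.1}" '
    BEGIN { n = split(wl, w, ","); for (i = 1; i <= n; i++) white[w[i]] = 1 }

    # "[10/Oct/2004:13:55:36" -> seconds on a continuous scale (time zone field ignored)
    function secs(ts,    p, y, m, days) {
        sub(/^\[/, "", ts); split(ts, p, "[/:]")
        y = p[3] + 0
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", p[2]) + 2) / 3
        if (m <= 2) { y--; m += 12 }
        days = 365 * y + int(y / 4) - int(y / 100) + int(y / 400) + int((153 * (m - 3) + 2) / 5) + p[1]
        return days * 86400 + p[4] * 3600 + p[5] * 60 + p[6]
    }

    # Count hits per key in a window that opens at the first hit and lasts "interval" seconds.
    function hit(key, t, limit, interval, label, ip) {
        if (!(key in start) || t - start[key] >= interval) { start[key] = t; count[key] = 0 }
        if (++count[key] >= limit && !((ip, label) in seen)) { seen[ip, label] = 1; print ip, label }
    }

    {
        ip = $1; t = secs($4)
        if (ip in white) next                      # DOSWhiteList
        hit(ip SUBSEP $7, t, pc, pi, "PAGE", ip)   # same IP, same URI (DOSPageCount / DOSPageInterval)
        hit(ip, t, sc, si, "SITE", ip)             # same IP, any URI  (DOSSiteCount / DOSSiteInterval)
    }'
}

# Constructed sample lines using documentation-range addresses, not a real log.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [10/Oct/2004:13:55:36 +0200] "GET /index.php HTTP/1.1" 200 2326
192.0.2.10 - - [10/Oct/2004:13:55:36 +0200] "GET /index.php HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2004:13:55:36 +0200] "GET /index.php HTTP/1.1" 200 2326
192.0.2.10 - - [10/Oct/2004:13:55:36 +0200] "GET /index.php HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2004:13:55:36 +0200] "GET /index.php HTTP/1.1" 200 2326
192.0.2.10 - - [10/Oct/2004:13:55:37 +0200] "GET /index.php HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2004:13:55:37 +0200] "GET /index.php HTTP/1.1" 200 2326
192.0.2.10 - - [10/Oct/2004:13:55:37 +0200] "GET /index.php HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2004:13:55:37 +0200] "GET /index.php HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2004:13:55:39 +0200] "GET /index.php HTTP/1.1" 200 2326
127.0.0.1 - - [10/Oct/2004:13:55:40 +0200] "GET /index.php HTTP/1.1" 200 2326
127.0.0.1 - - [10/Oct/2004:13:55:40 +0200] "GET /index.php HTTP/1.1" 200 2326
127.0.0.1 - - [10/Oct/2004:13:55:40 +0200] "GET /index.php HTTP/1.1" 200 2326
127.0.0.1 - - [10/Oct/2004:13:55:40 +0200] "GET /index.php HTTP/1.1" 200 2326
127.0.0.1 - - [10/Oct/2004:13:55:40 +0200] "GET /index.php HTTP/1.1" 200 2326
EOF
}

# Settings from the article: 5 page hits / 2 s, 100 site hits / 2 s.
sample_log | evasive_sim 5 2 100 2
```

Running it over a real log with the addresses of known crawlers in the whitelist argument shows whether a legitimate client would be caught by the chosen values.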
        
    In less than a week, the following bots got blacklisted.

    84.80.211.6      Unknown Country
    62.226.126.102   Germany
    202.64.146.221   Chinese (Hong Kong)
    88.152.174.86    Unknown Country
    84.30.174.179    Dutch (Netherlands)
    84.154.17.72      GERMANY (DE) City: Muenchen Latitude: 48.15 Longitude: 11.5833
    70.225.166.33    United States
    202.63.102.211   Country: INDIA (IN) City: Hyderabad Latitude: 17.3833 Longitude: 78.4833
    69.148.83.2      UNITED STATES (US)
    195.38.6.181      Swedish (Sweden)
    81.242.199.145   BELGIUM (BE) City: Tournai Latitude: 50.6 Longitude: 3.3833
    217.120.138.11   NETHERLANDS (NL) City: Harlingen Latitude: 53.1833 Longitude: 5.4167
    195.145.98.50    GERMANY (DE) City: Heinsberg Latitude: 51.0333 Longitude: 8.15
    195.4.181.237    GERMANY (DE)
    80.166.87.34      DENMARK (DK)
    84.87.167.10      Dutch (Netherlands)
    81.208.83.238    ITALY (IT) City: Roma  Latitude: 41.9 Longitude: 12.4833
    66.249.66.199    UNITED STATES (US) City: Mountain View, CA Latitude: 37.402 Longitude: -122.078 GOOGLE
    84.137.16.79      GERMANY (DE)
    86.83.255.147    Dutch (Netherlands)
    66.249.65.99     UNITED STATES (US) City: Raleigh, NC Latitude: 35.8219 Longitude: -78.6588

     
     
  • 2nd Swiss Unix Conference September 2-4 2004, Technopark Zurich

    SUCON is an emerging conference focused on topics related to the Unix operating system. Our goal is to bring together developers, system administrators and users in the field of Unix to foster projects, ideas and the knowledge of every individual.
    SUCON'04
  • A desktop review

    This page was last modified on Mon, 16 Aug 2004 17:06:24 GMT

    SUSE 9.0
    a desktop review
    My experience installing Linux and some thoughts...
    When you finish this article, You may want to read the round 2 HERE

    GNU Free Documentation License - Copyright (c) 2003 Walter Cédric.

    Permission is granted to copy, distribute and/or modify this document
    under the terms of the GNU Free Documentation License, Version 1.2
    or any later version published by the Free Software Foundation;
    with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
    Texts. A copy of the license is included in the section entitled
    "GNU Free Documentation License".

    -> this page is getting bigger and bigger with time; I will also soon start a SUSE section and divide this page into smaller sections.

    I decided to buy the professional edition instead of downloading all the CDs from ftp.suse, even though I have a 2MB internet line. You must support companies like Suse or Mandrake which develop Linux distributions, and buy their packages. All versions or patches can be acquired freely and downloaded from their FTP or HTTP mirrors.

    If you still hesitate about Linux, I would recommend that you try a Live Eval of Linux. A live eval is a set of applications and a fully functional Linux (nearly 2Gb) compressed on 1 CD, and it does not require a hard disk to start!

    * Knoppix live cd, the fastest and first version, highly recommended since Divx, DVD and NTFS drives are recognized by default.
    "KNOPPIX is a bootable CD with a collection of GNU/Linux software, automatic hardware detection, and support for many graphics cards, sound cards, SCSI and USB devices and other peripherals. KNOPPIX can be used as a Linux demo, educational CD, rescue system, or adapted and used as a platform for commercial software product demos. It is not necessary to install anything on a hard disk. Due to on-the-fly decompression, the CD can have up to 2 GB of executable software installed on it." from www.knoppix.net

    You can use knoppix and have a home on USB disk. K, Knoppix, Configuration, Create Persistent home dir, then boot with the option:
    knoppix home=scan

    * Gnoppix live cd
    "Gnoppix is a linux live cd based upon Debian GNU/Linux 3.0 (woody). It can be compared to Knoppix but GNOPPIX uses GNOME as desktop environment." from
    http://www.gnoppix.org/faq/index.html
    * Suse live cd, which did not convince me at all: this bootable CD takes too much time and user interaction to initialize itself; more than five minutes are required. Moreover, NTFS drives are not recognized.
    * Mandrake Move live cd was developed to work with a USB stick to save user data permanently. This is another step for Linux: you can take any PC in the world, insert this CD, restart it and have a runnable Linux system and the tools you're familiar with.
    * Pclinux review
    "PCLinuxOS 2K4 Preview 4 is a live Knoppix style cd based on Mandrake 9.2 that runs entirely from a bootable CD. Data on the CD is uncompressed on the fly, allowing up to 2 GB worth of system and programs on one CD including a complete X server, KDE 3.1.4 and Gnome 2.4, and large packages like OpenOffice 1.1final and Mozilla 1.5 plus plugins. Since it runs solely off the CD, PCLinuxOS makes an excellent portable Linux demo or system rescue disk, but its completeness makes it a good general purpose desktop as well. PCLinuxOS should work on most modern computer hardware. Recommended memory to run is 256mb or more."
    * GeeXbox turns your PC into a dedicated media player. It boots a version of the Linux kernel, and then uses the popular mplayer to allow you to play DVDs, VCDs, or regular audio CDs. It also allows you to play pretty much any multimedia file from your hard drive, and can mount Samba shares as well. Best of all, the ISO is a mere 4.3 megabytes...
    Download it HERE
    After knoppix...welcome flonix
    "a linux system that can reside on a USB key!!!! (uses less than 60 MB). It is based on knoppix and lets you start linux everywhere if you can boot on USB!
    You can:
    - play dvd, burn CD, watch and edit pictures, scan, browse internet,
    word processing, sync a Palm PDA,
    read PDF files, start a webserver and more....
    read more here:
    http://linuxdocs.tuxfamily.org/flonix/doc/wakka.php?wiki=EnPresentation

    * can be downloaded freely

    Test system:

    One more time, here is my system. The Linux experience you will have depends very much on hardware (and also drivers).....

    Mainboard Nvidia Nforce 2 ASUS A7VN8X deluxe
    2 integrated ethernet card
    6 USB - 2 Firewire
    On Board soundcard
    Harddisk IBM 120 GB UDMA 133 (primary master)
    Harddisk IBM 80 GB UDMA 133 (primary slave)
    CDR/RW 16x IDE noname
    Geforce FX 5600 256Mb MyVivo
    Athlon XP 1700 overclocked at 3200 with my watercooling
    512Mb DDR Dual Channel mode PC3200 (new)
    SUSE Linux 9.0 and the KDE 3.1.4 desktop  

    My Background:

    Can be read HERE. And my experience with Linux? I am using Cygwin with ssh at work to connect to the HPUX development system; deployment and release management are done with ANT and bash scripts. So I am only a user, but I used to write some FAQs in the past when I was using Linux at high school (a small part is reproduced HERE, sorry it is in French).

    My colleagues of XDreamTeam have installed a SUSE on a dual AMD64 Opteron server, and they will write a review soon.

    Some sentences you may hear about Linux:

    Linux user interface is ugly, Xp is better!
    Who can still say this? Look at these KDE 3.2 pictures

    KDE default user interface for Ark Linux, Conectiva, Knoppix, Lindows,
    Lycoris, Mandrake Linux, SUSE Linux, TurboLinux and Xandros.

    Moreover you can choose another desktop manager, instead of KDE, a lot of people prefer Gnome. If you still can't live without Windows, try this windows manager under linux http://www.xpde.com/index.php

    Suse (or Linux in general) is difficult to use!
    Not so much. In fact the tool YAST, "Yet Another Setup Tool", does a great job when dealing with the configuration of your computer: software and hardware can be configured in a hierarchical control panel. I found it even better than the equivalent in the "Windows world". What can be disturbing is the organisation of files and programs on disk. I would say that someone who has never used Windows before will have the same learning curve and encounter more or less the same difficulties with Linux; the only drawback I see is that not so many friends can help you (and give you tools for which you have no licence ;-) ) since Linux as a desktop is not so widespread. Now if you are a Windows user like me (for 10 years), you will encounter some difficulties, or as I prefer to say "forget some bad Windows habits", like

    • Windows makes no difference between upper and lower case in filenames, but Linux does! This is normal, because we also make this distinction when we write letters and office documents.
    • Windows uses drive letters, and this is a pain to maintain, especially when you need to configure software. Linux uses a directory-based mapping, and symbolic links can be created on files or directories. Example: 2 document folders can have different names but point to the same folder:
      For example you have a website which is located in a directory "MywebsiteV1.12" and you want to have only one reference in all programs that use your homepage (typically in configuration files). All you have to do is open a terminal and type:
      ln -s MywebsiteV1.12 httpdocs

      and use httpdocs everywhere instead of the path to MywebsiteV1.12 in configuration files. The same applies if you want to alias office documents or media files (reference the same file under different names but always use the same target).
      This is a lot more powerful than Windows shortcuts.

    • Windows has a limited command line size, and a limited number of subdirectories.
    • Even on XP, you must sometimes restart your PC because program XX has frozen and cannot be terminated.
      Bill Gates said in an interview: "instability do not come from Windows itself, but merely from applications installed" For me, a good OS must protect the user/itself from system crashes; XP isn't good at this, Linux is a little better.
      On Unix a # kill -9 pidProcess has a good chance of succeeding, and you can even restart some parts of the system without restarting the whole (restart the network server or the soundcard). Try also CTRL-ALT-ESC to kill a process graphically!

    Why choose Linux now?

    http://www.mandrake.tips.4.free.fr/switchsuccess.html A very good article, how you can switch with success and what your motivation can be

    Here are the personal reasons why I am switching to Linux. You may find a lot of websites which present better arguments:

    • Suse (replace with any Linux distribution) comes with a lot of applications (= packages) to do almost everything. Not all of them are of the same quality or can be compared to commercial applications, but in the Linux world they do not require any licences! (some of them are freeware, giftware or shareware, though)
    • I want to live in a world where I can search for and solve problems instead of restarting the machine, which is for me not a solution....(I am a developer and like challenges; restarting is like losing a race for me) yeah, as of today 16.12.2003 I am FREE with LINUX, even if this freedom will have a cost (a relative complexity in usage at the beginning)
    • Virus threat: fewer viruses are living in the Unix world. At least till today.
    • You can still run Windows and Linux together thanks to a great multi boot menu (no System commander, Partition Magic, old text based LILO required)
    • Real multi-user system: programs run with the privileges of the user.
    • Linux is gaining market share; I do not want to lose connection with the market reality.
    • The community is extraordinary! They develop at a speed never seen before, even if I am convinced that too many projects are started and do the same things with more or less success. Look at Mono (.NET platform on Linux) which already supports 99% of .NET ASP. Ximian (acquired at the beginning of 2003 by Novell and Suse) will continue to support the effort of Mono development.
    • Linux is modular: there are something like 120 distributions, 30 are dying per year and are replaced instantly. Look at Flonix (Linux on a 64 MB USB stick: burning, browsing internet, webserver, GUI), or Knoppix ("From zero to GNU linux in five Minutes"), this is great. Linux can be started on nearly all platforms (portability) and does not require a good machine (Windows Longhorn will require 1Gb of memory (dixit Microsoft), so understand 2Gb to work flawlessly).
      Linux was first developed for 32-bit x86-based PCs (386 or higher). These days it also runs on Compaq Alpha AXP, Sun SPARC, Sun UltraSPARC, Motorola 68000, PowerPC, PowerPC64, ARM, Hitachi SuperH, IBM S/390, MIPS, HP PA-RISC, Intel IA-64, DEC VAX, AMD x86-64, CRIS architectures. This includes handhelds, cellular phones, and gaming stations like Xbox and Dreamcast.
    • Everything is free, thanks to the open source community: Apache is the best/most used webserver, Tomcat the best servlet runner. Of course, the open source community now has to find an economic model. I am convinced that developing is like speaking: you cannot stop people from talking or thinking.
    • Each day, I enjoy the use of CygWin under Windows (for developing or maintaining this homepage), combining Unix tools like grep, sed, awk and others... Using ssh is now natural and I feel sad when I must start the poor Windows command.com terminal.
    • I have been using products from the open source community for 3 years now; at work: mainly the Apache Foundation and their frameworks; at home a lot of tools: virtual dub, videolan, GIMP,... and all this under Windows 2000. I am totally satisfied with these tools, so why not also replace Windows with a totally free and open source system?
    • I can install Suse Linux everywhere (on all the PCs I have, currently 3 desktops); it has no annoying licence scheme or registration process, and I can even give it to friends as long as I give it for free.
    • There is a difference between "choice" and "appearance of choice". Before, choosing an OS (Operating System) was easy:

    - On one side Windows, which covers more than 90% of the market, is shipped with new PCs, and has a lot of good-quality software. All your friends (normal users, not geeks), companies or your office are certainly running Windows. This is good, but you do not install Windows because it is your choice; you install it because it is common to install it.

    - On the other side, alternative OSes: Mac, Linux, BeOS (I am also a big fan of BeOS) are installed by people who want to try something different (remember the motto "think different" from Mac corp). Geek users accept some instabilities because they want to improve the system, or even help at the source code level. End users give them a try or install them at home because they discovered them at their universities.

    This was before; before means "Linux without good support of hardware (I remember installing Mandrake 9.0 and fighting 10 minutes to find a USB driver for my Microsoft mouse), without good desktop managers (now this time is over thanks to KDE and Gnome), without a huge base of applications". Now this is slowly changing. On the server side, there is already a big change: HP, IBM and major actors are now committed to Linux and that is great. Now you have the choice, because now you can hesitate between Linux and Windows and/or even dual boot both (it has never been as easy as today because dual boot is integrated in many Linux distributions)

    SUSE home for the version 9.0 is http://www.suse.com/us/private/products/suse_linux/i386/index.html
    SUSE has a page which present 10 reasons to choose Linux Suse http://www.suse.com/us/private/products/suse_linux/i386/10_reasons.html
    SUSE has also a FAQ (Frequently Asked Questions) page here: http://www.suse.com/us/private/products/suse_linux/i386/faqs/index.html

    Choose a file system
    ext2 or ext3 or ??? A good article can be found here: http://www.linux-mag.com/cgi-bin/printer.pl?issue=2002-10&article=jfs

    Installation

    Great menus everywhere for installing the OS. 10s after inserting the CD (and choosing a resolution with F2 - default is 1280x1024), the Linux kernel is loaded and guides you through the installation process.

    Personally, what I dislike is the number of "packages" (understand applications, with strange names and strange revision numbers) given, like 10 tools to do the same task... I know, I do not want to see any new Microsoft take the advantage under Linux, but why does the open source community not concentrate on GUI? A user will remember that the GUI was horrible even if the program has done its job. That is my point of view. As a developer, I do not care, but as an end user....

    I decided to install everything; this takes nearly 3 Gb of hard disk. Yes, it is a lot, but do not forget that XP alone takes 1.2Gb without any office, photoshop, and so on. In this case the installation took 37 minutes. Too long? You can also send complaints to the hard disk manufacturer!

    The partition manager computes the best option depending on your configuration. In my case I reserved 80Gb for Suse, but on my secondary disk. By default Linux wants to modify the primary disk (and move Windows data if needed); I switched to manual mode and only clicked on "use everything" for the second disk. YAST then installs a small graphical boot manager on disk 1. This allows me to start Windows at boot if it is needed.

    One page displays a summary of all settings chosen; you may change the value of each section by clicking on the topic title. No technical words at all: you only have to choose some options in selection boxes.

    Due to the huge number of Linux tools, you must also deal with 5 CDs or one double-sided DVD; each disk may copy data for 15 minutes depending on the options you have selected. (I forgot to say that my CD drive is an old 16X.) The estimated time to complete installation is quite accurate.

    After completing the first disk the system restarts and continues on CD2. A window shows you the list of packages copied in real time; you just have to wait (Suse is made of more than 7000 packages or programs).

    The system then asks for the root password. You can use the whole keyboard layout (letters, numbers, special characters) except accents (éà è) and umlauts (öüë). I chose a highly complex root password and wrote it down, until I have time to learn it. Some words about security: programs on a Unix system run under user privileges, which means that a potential virus MAY only destroy your data, and no data of other users (most Unix viruses try to replace some binary executable to gain higher-level access or may install a trojan horse).

    The 2 integrated network cards were detected automatically (mainboard ASUS nforce 2 deluxe has a 3COM and an Nvidia 100MB network card).

    The system then asks if you want to download new packages and security upgrades from the internet. This is highly recommended. No company in the world can ship perfect code; this is true even in the Linux world. I am pretty convinced that bug handling is better in the open source paradigm, because nearly all users can see the source code (OK, I admit NOT all users are developers, but there are a lot of greatly skilled developers who review code in their spare time, not to speak of university students who may have a lot of time :-) ). On the other side, take any business company:

    • They first try to reproduce the bugs and find out how many users are affected (which is OK),
    • Worse, they try to minimize the effects resulting from a bug (to avoid some political problems with clients, but correct the bug as fast as possible in the background),
    • They speak about money all the time (but I am happy to get paid as a developer ;-) ): can we ship late? Can we not correct this for the next release?

    In the open source world, Linux developers consider this a hobby and may try to correct everything or at least move the delivery date.

    Back to the installation: I chose stand alone, because I do not want to use this Linux box as a server. In Mandrake, this is a little better, since you can choose the security level (the Mandrake install may activate the firewall for you during the install), or block the installation of some packages which can help a hacker (like ssh, webserver, VNC).

    I strongly recommend that you deactivate auto login. Security always comes at a cost: I do not want somebody to simply restart the computer to gain access to my data and read private documents. Yes, you will have to enter your password at each restart. The password is limited to 8 characters... which is somewhat strange. The password length is limited to 8 characters because the default password encryption method is set to DES (most compatible, but SUSE also allows md5 or blowfish, which have no length limit but at the cost of more CPU power and the loss of backward compatibility with other systems or old software). You can change this under Yast - Security and Users Password settings

    Finally the release notes of Suse 9.0 are displayed; you can read them to be sure that nothing has changed since the manual printout.

    YAST then detects the hardware and sets a graphical resolution.

    ATTENTION: always use the test button to validate any refresh rate and resolution before applying changes, otherwise you may have a black screen at the next logon! If it ever happens, the only way is to reboot and choose "safe mode", log in as root, go to /etc/X11 and open the file X86Config....or rename the previous backup done by YAST (backup named X86Config.YAST). I have also made this mistake.

    Choose "safe mode" in the boot menu
    log in as user root
    # cd /etc/X11
    rename the old X86Config to X86Config.old
    # mv X86Config X86Config.old
    then restore the YAST backup if it exists
    # mv X86Config.YAST X86Config
    CTRL-D
    or type exit
    restart the PC

    Manual upgrade of all drivers to their latest version
    In my case I went to www.nvidia.com and downloaded all the latest rpm (rpm are like setup.exe in the Windows world),

    To sum up: Suse now has a very good and reliable installation system. YAST is now mature, and detection of most hardware is good (at least on my system). I think it is even easier to install SUSE than an equivalent Windows system, mainly because partitioning is better supported in YAST

    How to install RPM

    There are many ways to install an RPM. In fact, choose the one you prefer. Note that you must be logged in as root to install any application.

    Method 1: With Konqueror: click on the RPM filename and, after the download completes, right click and choose "install packet with YAST"
    Methods 2, 3, 4, 5 can be found on this page: http://portal.suse.com/sdb/en/2002/04/wessels_packageinst.html

    Install divx codecs and drivers

    For some legal issues, SUSE cannot deliver Divx drivers in the distribution, but they can be downloaded at www.divx.com/divx/linux/
    This internet page offers binary versions of all major Linux programs: http://packman.links2linux.org

    One of the best players can be found at www.xinehq.de. Caffeine (installed by default) is only a frontend GUI and uses the runtime libs from Xine.

    Emulation

    You can use one of the following to run some of your Windows applications: www.winehq.com and, for DirectX games, www.transgaming.com (even without recompiling the game!!!), and this even without installing Windows! VMware (www.vmware.com) is a commercial alternative but requires a fully licensed Windows image. MORE TO COME...

    Killer apps

    These applications are installed as default,
    Open Office (OO), which can open nearly all Microsoft Office documents. The GUI is not as good as MS Office but it does the job. Some PowerPoint files made with MS Office show some strange alignment, but MS Office renders documents created with OO correctly.
    GIMP, a program for manipulating 2D images (like Photoshop); it also runs on Windows thanks to the port of GTK (an open source 2D library)

    From www.gimp.org, in "About the GIMP":

    This is only a very quickly thrown together list of GIMP features. This is only the tip of the iceberg.

    Full suite of painting tools including Brush, Pencil, Airbrush, Clone,etc.
    Tile based memory management so image size is limited only by available disk space.
    Sub-pixel sampling for all paint tools for high quality anti-aliasing
    Full alpha channel support
    Layers and channels
    A Procedural Database for calling internal GIMP functions from external programs as in Script-fu
    Advanced scripting capabilities
    Multiple Undo/Redo (limited only by diskspace)
    Virtually unlimited number of images open at one time
    Extremely powerful gradient editor and blend tool.
    Load and save animations in a convenient frame-as-layer format.
    Transformation tools including rotate, scale, shear and flip.
    File formats supported include gif, jpg, png, xpm, tiff, tga, mpeg, ps, pdf, pcx, bmp, and many others.
    Load, display, convert, save to many file formats.
    Selection tools including rectangle, ellipse, free, fuzzy, bezier and intelligent.
    Plug-ins which allow for the easy addition of new file formats and new effect filters.
    Over 100 plugins already available.
    Supports custom brushes and patterns
    Much, much more!


    Playing DVD, MP3: all tasks can be done under Suse without having any licence!!!! I recommend that you donate some money to the authors if you like their programs (so that they can at least pay for their homepage hosting)
    Opera: Opera is a religion. All those features, mouse gestures, keyboard shortcuts, embedded mail client, drag-around panels, skins, GREAT standards support, it's so fast, ease of bookmarking, the "magic wand"... and the list goes on and on... It is not open source but I like it so much.

    Files manager

    I have been a big fan of Norton Commander since 1991 (I was using NC 1.0 on floppy disk). In Windows I use Windows Commander a lot to organize millions of files.
    http://www.rmonet.com/commander/ This page contains nearly all file commander clones of Norton Commander.
    http://www.xnc.dubna.su/ XNC 5.0
    http://krusader.sourceforge.net/

    Forums and Help

    French
    www.linuxfrench.net
    www.linuxquestion.org

    English
    http://librenix.com/ news site on linux
    Great forums

    Other reviews (you can submit me a new link HERE)

    http://www.unixreview.com/documents/s=8925/ur0310l/
    http://www.arstechnica.com/etc/linux/index.html
    http://madpenguin.org/modules.php?op=modload&name=News&file=article&sid=503
    http://www.newsforge.com/article.pl?sid=03/11/11/1929234
    http://www.osnews.com/story.php?news_id=5157
    http://www.linuxnetmag.com/de/issue9/m9rh_suse1.html Suse vs Redhat
    http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=17300233

    How to/tutorials

    http://www.usalug.org/phpBB2/viewtopic.php?p=8161 Step by step install of SUSE 9.0 using FTP (non need to download and burn the iso's)
    http://homepages.ulb.ac.be/~secollet/ Linux on HP Compaq NX7000 (that's my notebook at work)

    Links

    http://distrowatch.com/index.php?language=EN "This site is an attempt to provide a basic feature list and a package comparison table of major, minor and regional Linux distributions"

    Links with reference to this article

    When you finish this article, you may want to read round 2 HERE

  • A desktop review

    SUSE 9.1
    a desktop review
    installing and/or migration to Linux SuSE 9.1

    WORK IN PROGRESS, running SuSE 9.1 since tuesday 11 May 2004....
    SuSE 9.1 soon running on compaq nx7000 notebook

    GNU Free Documentation License - Copyright (c) 2004 Walter Cédric.

    Permission is granted to copy, distribute and/or modify this document
    under the terms of the GNU Free Documentation License, Version 1.2
    or any later version published by the Free Software Foundation;
    with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
    Texts. A copy of the license is included in the section entitled
    "GNU Free Documentation License".

    Test system:

    One more time, here is my system. The Linux experience you will have depends very much on hardware (and also drivers).....

    Mainboard Nvidia Nforce 2 ASUS A7VN8X deluxe
    2 integrated ethernet card
    6 USB - 2 Firewire
    On Board soundcard
    Harddisk IBM 120Go UDMA 133 (primary master)
    Harddisk IBM 80Go UDMA 133 (primary slave)
    CDR/RW 16x IDE noname
    Maxtor USB/Firewire onetouch 250Gb
    Geforce FX 5600 256Mb MyVivo
    Athlon XP 1700 overclocked at 3200 with my watercooling
    512Mb DDR Dual Channel mode PC3200 (new)
    SUSE Linux 9.1 and the KDE 3.2.2 desktop  

    What does SuSE 9.1 brings?

    I won't go through the list of changes and goodies shipped in this release since SuSE itself also has a great page HERE (professional edition) and HERE (personal edition). Note that SuSE is selling the personal edition at a very attractive price (49$), with limited server capabilities and no commercial programs.

    beautifulDesktop.jpg

    Migration from 9.0 to SuSE 9.1

    This time I got the SuSE Professional DVD from a colleague and did not buy it, as I prefer to wait for another major release. But wait, this is a major release of Linux: I think the release number is not really adequate and does not reflect the number of changes made both in the kernel (2.6) and the desktop (KDE 3.2).

    If you copy the DVD, you will get no support from SuSE directly (but you will always find help on the internet). A great help section is also provided in electronic format; the downside is that it won't be readable without a working SuSE. FTP online update is due around 6 June 2004....

    Since I have a running version of Linux, I decided this time to update the previous SuSE 9.0 through the YaST menu (Boot and choose Update System). After a 21 min update, I was booting into my new desktop with my old settings. The boot time seems to take forever; it "SEEMS" to me that it is a loooot slower.

    With this version, SuSE and Novell are now showing us their commitment to the open source community and have also put their famous configuration tool, YaST, under a GNU license. This is also a strategic move, since they want as many third-party companies as possible to develop new modules for it (IBM,....). That is good news, since a lot of people always complained about the licensing scheme of YaST. In the meantime, YaST is now a lot more polished... note the ubiquity of the YaST logo and the eye candy colors. Even the installation process has been redesigned with fancy graphics.

    YouInPaleBlue.jpg

    Coming from Windows?

    - In order to help users make the transition to Linux, drives (in the Linux world, it is better to say devices) are now stored under the famous "My Computer" icon and mount a lot faster than under 9.0. I only regret that the system chooses such bad names by default (is it necessary to display a cryptic UUID in the name of devices????).

    myComputer.jpg

    - Dual booting Windows and SuSE is as easy as before, and has not changed. The boot loader grub with its fancy colors is a lot better than the M$ one. That should at least convince you to give it a try ;-)

    - SuSE now hides, earlier during boot, all output from the kernel. I must agree that nearly no one can understand all the barbaric technical terms, but I still recommend that newbies press the 'F2' key sometimes: seeing that a device did not initialize may be valuable under certain conditions (mainly hardware crashes).

    - The most disturbing thing for a newcomer is that you do not need to double click on a folder or file to perform an action. To get closer to the Windows philosophy, go to the KDE control panel, in "peripherals", "mouse", and check the radio button "Double-click to open files and folders (select icons on first click)". Maybe SuSE should set this as the default...

    - During installation, the auto login feature is checked by default. Forget this bad Windows habit. If SuSE is already logging you in automatically, start YaST, in "security", "Edit and create groups", select your user, click on the button "Expert Options", select "login settings" and uncheck "auto login". Remember that security comes at a cost.

    What I dislike

    • I was once more caught by the black screen of death (I must be really dumb because that is the second time): the autodetection of the monitor (my SAMSUNG 191N was detected as SAMSUNG 4N) led to a black screen. Maybe SuSE should always test (with SAX2, the graphical display adapter control panel, of course) what it has autodetected and ask the user to confirm the detected settings.
    • Icons in the taskbar are a little bit oversized by default; any bigger and it would look like a desktop for kids who need to click on big icons in order not to click beside them :-)
    • DVD playback is still not working (but in Knoppix and Lindows it is). Once more you will have to hunt for the library libdvdcss2 (packman no longer provides binary rpm; you must compile them now due to a change in Germany).
      Here you can find a tutorial and ALL libraries for XINE (with libdvdcss2): Daily xine RPMS
    • Since SuSE is a big supporter of Reiserfs, why not provide a graphical tool for repairing devices, with an expert system? Once more, typing cryptic commands may discourage a lot of users.
    • Impossible to write to NTFS drives; I have not found any captive rpm for SuSE 9.1.
    • Package conflicts... why not embed apt-rpm, or always provide statically compiled packages in order to avoid dependencies?

    What I like

    controlPanel.jpg

    patchUpdate.jpg

    What I like/dislikes

    • The default install provides a lot less user choice: only one chat client (Kopete) instead of the plethora in SuSE 9.0
    • No 3D hardware installation by default: you need to complete the installation and then grab the latest proprietary Nvidia/ATI drivers in YaST. It is only annoying.
    • YaST warns you of conflicts and dependencies but does not propose a "real" alternative, only "do not install" or "continue with risk of instability". Why not:
      • Add a third possibility: "download the missing dependency now", or
      • Propose a UUID link on which the user can click to locate the resource (through a UDDI server). Normal users don't want to write down the name of some library; libdvdcss2 -1.0.6.7 p23.rpm is a pain to remember!
      • Export the list of dependencies to resolve into a new window that shows you in real time which libraries are missing or have been installed
      • Do nothing and find a better approach...
    • The only "GOOD" repositories of RPM are not provided by SuSE (meaning those full of rpm not approved by companies: dvd support, win32 codecs,....), but I think this is common to all distributions: without volunteers building rpm, it would be quite difficult to live in a wholly Linux world, at least at the beginning, since not all users want to know how to compile source versions of their favorite programs.

    What I would like to see

    • The ability to download any program through YaST (even non-free or unsupported ones: codecs, aMule and others). Why not, as in eclipse, have internet pages that provide an XML descriptor for installing new packages that YaST can understand? I mean this could be a great step forward for the average user.

    • Better commitment from Nvidia: Linux can be a great gaming platform if hardware manufacturers develop drivers or give some technical help to the community for improving them.

    Exploring Multimedia capabilities:

    • Noatun is no longer installed by default. Kaffeine (another interface to the famous XINE multimedia engine) is present but no interesting codecs are installed. Multimedia is, at least for me, UNUSABLE, and you need to quickly install MPLAYER/Kplayer with the full range of codecs if you want to play any DIVX, XVID, Indeo content... I searched for Kplayer in /opt/kde3/bin/ and in the YaST installer, but didn't find it. That's bad! You can find the latest version at sourceforge
      www.sourceforge.net/kplayer

    mplayerRunning.jpg
    mPlayer running with a special skins

    • Insert a blank CD and K3b pops up and offers to create your compilation

    • Gimp 2.0 is also included with SuSE Linux Professional, this version 2.0 has a new GUI and nicer icons.

    Preliminary conclusions

    WORK IN PROGRESS, running SuSE 9.1 since tuesday 11 May 2004....

    With SuSE 9.1, you get a high quality distribution, and even if all the cons and drawbacks apply to this new release, it is definitely worth the update! Suse is getting even better with every release. Novell buying them already seems to have had a positive effect on how the applications are running.

    Even if this release is nearly filling all my expectations I am already excited about the future of SuSE, when will the version 10.0 be shipped?

    Links

    http://linux01.gwdg.de/apt4rpm/ how to set up apt4rpm for SuSE.

    RPM
    http://packman.links2linux.org/
    http://rpm.pbone.net/
    http://www.suserpms.cjb.net/
    http://guru.linuxbe.org/

     

  • A linux cluster using XBOX

    1400$ electricity yearly!!!!
    "A few weeks ago, we started investigating the possibility of putting Linux on an XBOX. We played with some ideas in our heads, a render farm, a cheap office computer or a distributed crypto platform, just to start. The idea required a little bit of elbow grease, a mod chip, Linux and a bunch of free time. " MORE on Anandtech


  • Add-on PlayStation 3 HDD will run Linux!!!

    sony_playstation_ps3

    Ken Kutaragi reveals the console's hard drive will use alternate OS, hints that it will ship separately and will come in more than one model.
    Since E3, Sony Computer Entertainment president Ken Kutaragi has been calling the PlayStation 3 an "entertainment supercomputer" rather than a gaming console. Now, he's revealed a new plan to make sure that it's acknowledged as one. In an interview with Impress PC Watch, Kutaragi disclosed that he plans to install the Linux operating system on the PS3's hard disc drive (HDD) so it will be recognized as a computer, rather than a mere console.

    Read more HERE at www.gamespot.com

  • Adding mod_security to better protect your webserver

    ModSecurity™ is an open source intrusion detection and prevention engine for web applications (or a web application firewall). Operating as an Apache Web server module or standalone, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks. (from http://www.modsecurity.org/)

    Installing mod_security as a DSO is easier, and the procedure is the same for both Apache branches. First unpack the distribution somewhere (anywhere will do; I copy the .c files into my home directory):

    # cd
    # wget http://www.modsecurity.org/download/mod_security-1.9.4.tar.gz
    # tar -zxvf mod_security-1.9.4.tar.gz
    # cd mod_security-1.9.4/apache2
    # cp mod_security.c ~/

    and compile the module with:

    apache1: /usr/local/psa/admin/bin/apxs -cia ~/mod_security.c
    apache2: /usr/sbin/apxs2 -cia ~/mod_security.c

    The first problem that may occur is the absence of
    • Gcc: The GNU Compiler Collection (usually shortened to GCC) is a set of programming language compilers produced by the GNU Project. It is free software distributed by the Free Software Foundation (FSF) under the GNU GPL, and is a key component of the GNU toolchain. It is the standard compiler for the open source Unix-like operating systems, and certain proprietary operating systems derived therefrom such as Mac OS X. [WikiPedia]
    • apache-dev: contains the apxs tool and the Apache headers required to compile a module
    Both can be installed via YaST2...

    Tip: if your apxs2 is not located at /usr/sbin/apxs2, you can search for it by typing # find / -name apxs2

    # /usr/sbin/apxs2  -cia ~/mod_security.c
    /usr/share/apache2/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -march=i586 -mcpu=i686 -fmessage-length=0 -Wall -g -fPIC -Wall -fno-strict-aliasing -D_LARGEFILE_SOURCE -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -DAP_DEBUG -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -pthread -I/usr/include/apache2  -I/usr/include/apache2   -I/usr/include/apache2   -c -o /root/mod_security.lo /root/mod_security.c && touch /root/mod_security.slo
    /usr/share/apache2/build/libtool --silent --mode=link gcc -o /root/mod_security.la  -rpath /usr/lib/apache2 -module -avoid-version    /root/mod_security.lo
    /usr/share/apache2/build/instdso.sh SH_LIBTOOL='/usr/share/apache2/build/libtool' /root/mod_security.la /usr/lib/apache2
    /usr/share/apache2/build/libtool --mode=install cp /root/mod_security.la /usr/lib/apache2/
    cp /root/.libs/mod_security.so /usr/lib/apache2/mod_security.so
    cp /root/.libs/mod_security.lai /usr/lib/apache2/mod_security.la
    cp /root/.libs/mod_security.a /usr/lib/apache2/mod_security.a
    ranlib /usr/lib/apache2/mod_security.a
    chmod 644 /usr/lib/apache2/mod_security.a
    PATH="$PATH:/sbin" ldconfig -n /usr/lib/apache2
    ----------------------------------------------------------------------
    Libraries have been installed in:
       /usr/lib/apache2

    If you ever happen to want to link against installed libraries
    in a given directory, LIBDIR, you must either use libtool, and
    specify the full pathname of the library, or use the `-LLIBDIR'
    flag during linking and do at least one of the following:
       - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
         during execution
       - add LIBDIR to the `LD_RUN_PATH' environment variable
         during linking
       - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
       - have your system administrator add LIBDIR to `/etc/ld.so.conf'

    See any operating system documentation about shared libraries for
    more information, such as the ld(1) and ld.so(8) manual pages.
    ----------------------------------------------------------------------
    chmod 755 /usr/lib/apache2/mod_security.so
    apxs:Error: Config file /etc/apache2/httpd2-prefork.conf not found.

    Ignore the apxs error on the last line (shown in blue in the original page): the resulting shared library (mod_security.so) has already been copied into /usr/lib/apache2. The error only means that apxs could not find the config file in which its -a option adds the LoadModule line, so that line is added by hand below.

    Then copy the desired rule set (modsecurity-general.conf or modsecurity-php.conf) into /etc/apache2

    Edit /etc/apache2/httpd.conf and add the following lines at the end of the file. It is also recommended to use the rules from www.GotRoot.com

    LoadModule security_module /usr/lib/apache2/mod_security.so
    SecFilterEngine On
    Include /etc/apache2/modsecurity_rules/modsecurity-general.conf
    Include /etc/apache2/modsecurity_rules/modsecurity-hardening.conf

    #rules set found at http://www.gotroot.com/tiki-index.php?page=mod_security+rules
    Include /etc/apache2/modsecurity_rules/gotroot/apache2-rules.conf
    Include /etc/apache2/modsecurity_rules/gotroot/badips.conf
    Include /etc/apache2/modsecurity_rules/gotroot/blacklist2.conf
    Include /etc/apache2/modsecurity_rules/gotroot/blacklist.conf
    Include /etc/apache2/modsecurity_rules/gotroot/exclude.conf
    Include /etc/apache2/modsecurity_rules/gotroot/jitp.conf
    Include /etc/apache2/modsecurity_rules/gotroot/proxy.conf
    Include /etc/apache2/modsecurity_rules/gotroot/recons.conf
    Include /etc/apache2/modsecurity_rules/gotroot/rootkits.conf
    Include /etc/apache2/modsecurity_rules/gotroot/rules.conf
    Include /etc/apache2/modsecurity_rules/gotroot/useragents.conf

    BUT be careful with modsecurity-hardening.conf
    1. This file has to be tuned for your server: log file locations, advanced rulesets; read it carefully and uncomment the TODO items if needed
    2. By default mod_security is in learning mode: it logs the request and lets it pass through (line SecFilterDefaultAction "pass, log"). As soon as you have a good ruleset, the recommended setting is SecFilterDefaultAction "deny,log,status:500"
    Restart Apache2 by typing
    # /etc/init.d/apache2 restart

    Now it is time to check if mod_security is running

    # tail -f /var/log/apache2/error_log
    [Mon Aug 21 18:43:38 2006] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
    [Mon Aug 21 19:01:56 2006] [notice] caught SIGTERM, shutting down
    [Mon Aug 21 19:01:57 2006] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
    [Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `h790663.serverkompetenz.net' does NOT match server name!?
    [Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Mon Aug 21 19:01:57 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
    [Mon Aug 21 19:01:57 2006] [notice] mod_security/1.9.4 configured
    [Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `h790663.serverkompetenz.net' does NOT match server name!?
    [Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Mon Aug 21 19:01:57 2006] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
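
The two checks above (is the module loaded, and is it still in learning mode) can be scripted. This is an added example, not part of the original post: the function names and the sample files are constructed for the illustration, and the log lines are taken from the excerpt above.

```shell
#!/bin/sh
# Added example. Function names and sample files are constructed; the
# directive names are the ModSecurity 1.x ones used in this post.

# modsec_mode FILE: print "learning" if any active SecFilterDefaultAction
# line lets requests pass, "enforcing" if the active lines deny, else "unset".
modsec_mode() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        tolower($1) == "secfilterdefaultaction" {
            line = tolower($0)
            if (line ~ /deny/) deny++
            else if (line ~ /pass/) pass++
        }
        END {
            if (pass > 0)      print "learning"
            else if (deny > 0) print "enforcing"
            else               print "unset"
        }
    ' "$1"
}

# modsec_loaded_version LOG: print the version announced by the module since
# the most recent Apache shutdown; return 1 if it did not announce itself.
modsec_loaded_version() {
    awk '
        /caught SIGTERM, shutting down/ { ver = "" }   # forget older starts
        /\[notice\] mod_security\/[0-9.]+ configured/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^mod_security\//) {
                    ver = $i
                    sub(/^mod_security\//, "", ver)
                }
        }
        END { if (ver != "") print ver; else exit 1 }
    ' "$1"
}

# make_samples DIR: write constructed sample inputs into DIR.
make_samples() {
    cat > "$1/learning.conf" <<'EOF'
SecFilterEngine On
SecFilterDefaultAction "pass, log"
EOF
    cat > "$1/enforcing.conf" <<'EOF'
SecFilterEngine On
#SecFilterDefaultAction "pass, log"
SecFilterDefaultAction "deny,log,status:500"
EOF
    cat > "$1/error_log" <<'EOF'
[Mon Aug 21 19:01:56 2006] [notice] caught SIGTERM, shutting down
[Mon Aug 21 19:01:57 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Mon Aug 21 19:01:57 2006] [notice] mod_security/1.9.4 configured
[Mon Aug 21 19:01:57 2006] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
echo "learning.conf : $(modsec_mode "$tmp/learning.conf")"
echo "enforcing.conf: $(modsec_mode "$tmp/enforcing.conf")"
if ver=$(modsec_loaded_version "$tmp/error_log"); then
    echo "mod_security $ver loaded"
else
    echo "mod_security did not announce itself after the last restart"
fi
rm -rf "$tmp"
```

On a real server, point modsec_mode at each included rules file and modsec_loaded_version at /var/log/apache2/error_log.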

  • Address space layout randomization in Vista

    Windows Vista includes a new defense against buffer overrun exploits called address space layout randomization (ASLR). ASLR is just a way to hide insecure code and to make automated attacks on millions of machines harder, except if... but I will come to that later.

    Address space layout randomization (ASLR) is a computer security technique which involves arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, randomly in a process' address space.[WIKIPEDIA]

    In Vista, a DLL or EXE could be loaded into any of 256 locations, which means an attacker has a 1/256 chance of getting the address right. In short, this reduces the number of successful exploits. Vista address-space layouts are randomized only at boot time. Are you safer with Vista? YES! and NO!

    On a 32-bit machine this protection is not working, simply because some smart people have already worked out a way to circumvent ASLR, so a Linux PC will stay safe for more or less 216 seconds longer!
    Typing ASLR into Google gives as second link (sic) this handy white paper: On the Effectiveness of Address-Space Randomization
    "we demonstrate a derandomization attack that will convert any standard buffer-overflow exploit into an exploit that works against systems protected by address-space randomization. The resulting exploit is as effective as the original exploit, although it takes a little longer to compromise a target machine: on average 216 seconds to compromise Apache running on a Linux PaX ASLR system."
    http://www.stanford.edu/~blp/papers/asrandom.pdf

    Why does it take so much time? Because they decided to translate the buffer overflow issue in the translated address space... and brute force until success. In Apache, the famous open source web server, that means 2^16 = 65,536 probes at worst and 32,768 probes on average... Vista has only 256 slots for a DLL or EXE... so how much time would it take? For all readers who like to play with pointers, the white paper is worth reading...

    Vista also has long pointer obfuscation: long-lived addresses are encrypted and decrypted at runtime when needed... these long pointer values will have particularities such as high entropy, so they are easy to spot in memory even if they are moved periodically or randomly from place to place (like PGP caching keys in memory).

    The implementation randomizes the base address of the stack, heap, and code segments and adds random padding to stack frames and malloc() function calls. Since the obfuscation algorithm is surely secret, it will break quite fast, as security by obscurity has always been known to fail.

    What would I like to say? First, that this technology is nothing special: it is one technique among others, and it will be broken quite fast depending on how much information the operating system leaks or how it was implemented. Moreover, it has existed for a long time:
    • In OpenBSD since year (BSD 4.0),
    • In Linux since Kernel 2.6.12  (17 Jun 2005) or as an addon http://pax.grsecurity.net
    • Third-party companies are selling add-ons for Windows; here are some: BufferShield (since 1998 for XP, 2000, 2003, NT4), WehnTrust (XP, 2000, 2003), StackGuard (compiler canary and ASLR)
    Canaries are not implemented in Vista but are also worth mentioning:

    StackGuard is a modified compiler which places canaries (the term canary can be used interchangeable with our use of the term cookie) around the return pointer in function. A buffer overflow will modify the canary on its way to overwriting the adjacent return pointer. If the function epilog detects a dirty canary, it rightly infers that an exploit has occurred, it logs the exploit and it aborts the program.

    Nothing will replace well-written code, meaning architecturally reviewed, with open code, open to see, open to criticism. Open Source IS the future.
  • Advanced Oracle Weblogic start/stop script

    oracle_logo3

    The Oracle WebLogic 11g application server product line is the industry's most comprehensive Java platform for developing, deploying, and integrating enterprise applications. It provides the foundation for application grid, which is an architecture that enables enterprises to outperform their competitors while minimizing operational costs.

    Some notes

    This script may look insecure (and it is)

    Since passwords are stored inside it (admin server login: admin and password: admin), I can restart Oracle WebLogic from a cron job, because stopping won't query the console for the login and password. Feel free to remove these lines (shown in blue in the original page).

    I always recommend installing a web process in its own user group and using a dedicated user to mitigate any security issues:

    # groupadd weblogic
    # useradd -g weblogic -c 'weblogic user for weblogic' -m weblogic
    # su - weblogic

    Then install WebLogic in /home/weblogic

    Respect the order of components when starting

    1. Start Weblogic Node Manager,
    2. Start WebLogic Admin server,
    3. Start all Managed Server in any order.

    and stopping components

    1. Stop the Node Manager
    2. Stop all Managed WebLogic server
    3. Stop WebLogic

    Names of the managed servers

    Managed server names are in the script, so add or remove start and stop commands for them

    Log files of start and stop operations

    are written to 2 files that use a timestamp; see WLS_LOG_START and WLS_LOG_STOP

    /etc/init.d/weblogic file

    Create a new file as root in /etc/init.d/weblogic

    # vi /etc/init.d/weblogic

    and paste inside the following

    #!/bin/sh
    # description: webLogic adminServer and managedServer start script
    #

    # customized below to your likings
    WLS_DOMAIN=mytestdomain
    WLS_BASE=/home/weblogic/
    WLS_HOME=${WLS_BASE}/bea/user_projects/domains/$WLS_DOMAIN
    WLS_NODE_HOME=${WLS_BASE}/bea/wlserver_10.3/server/bin
    WLS_OWNER=weblogic
    WLS_ADMIN_PORT=7001
    WLS_ADMIN_LOGIN=admin
    WLS_ADMIN_PWD=admin
    WLS_LOG_START=${WLS_BASE}/logs/start.`date '+%d%m%y'`.log
    WLS_LOG_STOP=${WLS_BASE}/logs/stop.`date '+%d%m%y'`.log
    WLS_MANAGED_SERVER1=dev
    WLS_MANAGED_SERVER2=test
    JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.management.username=${WLS_ADMIN_LOGIN}"
    JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.management.password=${WLS_ADMIN_PWD}"

    export JAVA_OPTIONS

    if [ ! -f $WLS_HOME/startWebLogic.sh ]
    then
        echo "WebLogic startup: cannot find $WLS_HOME/startWebLogic.sh"
        exit 1
    fi

    startWeblogic()
    {
    su - $WLS_OWNER -c "nohup $WLS_NODE_HOME/startNodeManager.sh > ${WLS_LOG_START} 2>&1 &"
    sleep 10
    su - $WLS_OWNER -c "nohup $WLS_HOME/startWebLogic.sh >> ${WLS_LOG_START} 2>&1 &"
    sleep 10
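    # one start command per managed server, named as in the stop commands below
    su - $WLS_OWNER -c "nohup $WLS_HOME/bin/startManagedServer.sh $WLS_MANAGED_SERVER1 t3://localhost:$WLS_ADMIN_PORT >> ${WLS_LOG_START} 2>&1 &"
    sleep 10
    su - $WLS_OWNER -c "nohup $WLS_HOME/bin/startManagedServer.sh $WLS_MANAGED_SERVER2 t3://localhost:$WLS_ADMIN_PORT >> ${WLS_LOG_START} 2>&1 &"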
    return 0
    }

    stopWeblogic()
    {
    su - $WLS_OWNER -c "nohup $WLS_NODE_HOME/stopNodeManager.sh > ${WLS_LOG_STOP} 2>&1 &"
    sleep 10
    su - $WLS_OWNER -c "nohup $WLS_HOME/bin/stopManagedWebLogic.sh $WLS_MANAGED_SERVER1 t3://localhost:$WLS_ADMIN_PORT ${WLS_ADMIN_LOGIN} ${WLS_ADMIN_PWD} >> ${WLS_LOG_STOP} 2>&1 &"
    sleep 10
    su - $WLS_OWNER -c "nohup $WLS_HOME/bin/stopManagedWebLogic.sh $WLS_MANAGED_SERVER2 t3://localhost:$WLS_ADMIN_PORT ${WLS_ADMIN_LOGIN} ${WLS_ADMIN_PWD} >> ${WLS_LOG_STOP} 2>&1 &"
    sleep 10
    su - $WLS_OWNER -c "nohup $WLS_HOME/bin/stopWebLogic.sh >> ${WLS_LOG_STOP} 2>&1 &"
    return 0
    }

    case "$1" in
        'start')
            startWeblogic
            ;;
        'stop')
            stopWeblogic
            ;;
        'restart')
            stopWeblogic
            startWeblogic
            ;;
        *)
            echo "Usage: $0 start|stop|restart"
            exit 1
            ;;
    esac
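
The script above keeps the admin login and password in /etc/init.d/weblogic itself. One way to move them out, as an added example that is not part of the original script: load them from a private file and refuse the file when its permissions are too open. The file layout (KEY=value lines), the function name and the use of GNU stat are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not the author's code. The credentials file layout
# (KEY=value lines) and the function name are assumptions; stat -c is the
# GNU coreutils form found on Linux.

# load_wls_credentials FILE
# Sets WLS_ADMIN_LOGIN and WLS_ADMIN_PWD from FILE, but only if FILE is a
# regular file (not a symlink), owned by the user running the script, with
# no permission bits for group or others.
load_wls_credentials() {
    cred_file=$1
    if [ -L "$cred_file" ] || [ ! -f "$cred_file" ]; then
        echo "credentials file $cred_file is missing or not a regular file" >&2
        return 1
    fi
    owner=$(stat -c '%u' "$cred_file") || return 1
    mode=$(stat -c '%a' "$cred_file") || return 1
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing $cred_file: owned by uid $owner" >&2
        return 1
    fi
    case "$mode" in
        600|400) ;;
        *)  echo "refusing $cred_file: mode $mode, expected 600 or 400" >&2
            return 1 ;;
    esac
    # Parse KEY=value lines instead of sourcing the file, so nothing in it
    # is ever executed as shell code.
    WLS_ADMIN_LOGIN=
    WLS_ADMIN_PWD=
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case "$key" in
            WLS_ADMIN_LOGIN) WLS_ADMIN_LOGIN=$value ;;
            WLS_ADMIN_PWD)   WLS_ADMIN_PWD=$value ;;
        esac
    done < "$cred_file"
    [ -n "$WLS_ADMIN_LOGIN" ] && [ -n "$WLS_ADMIN_PWD" ]
}

# Demonstration on a constructed credentials file in a temporary directory.
demo_dir=$(mktemp -d)
printf 'WLS_ADMIN_LOGIN=admin\nWLS_ADMIN_PWD=constructed-sample\n' > "$demo_dir/wls.cred"

chmod 644 "$demo_dir/wls.cred"
if load_wls_credentials "$demo_dir/wls.cred"; then
    echo "unexpected: world-readable file accepted"
else
    echo "world-readable file rejected"
fi

chmod 600 "$demo_dir/wls.cred"
if load_wls_credentials "$demo_dir/wls.cred"; then
    echo "loaded credentials for login: $WLS_ADMIN_LOGIN"
fi
rm -rf "$demo_dir"
```

This removes the password from the init script, which is normally readable by every local user; the stop commands above still pass it as a command-line argument, where it remains visible in the process list while they run.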

  • alternative to ACDSEE under Linux

    Want an alternative to ACDSEE under your favorite free OS (Linux Suse for example)? Try XnView, software to view and convert graphic files, really simple to use! And it's free software! (a commercial version exists with more possibilities for $39 HERE)
    • Windows 3.x, Windows 9x/NT/2000/ME/XP, MacOS X
      Linux x86, Linux ppc, FreeBSD x86, OpenBSD x86, NetBSD x86
      Irix mips, Solaris sparc, Solaris x86, HP-UX,AIX !!!
    • Import about 400 graphic file formats
    • Export about 50 graphic file formats
    • Multipage TIFF, Animated GIF, Animated ICO support
    • IPTC, EXIF
    • Resize, Copy/Cut/Crop
    • TWAIN support (Windows only)
    • Print support (Windows only)
    • Drag & Drop support (Windows only)
    • 44 languages support (Windows only)
      And many many other things...
    • Adjust brightness, contrast...
    • Modify number of colors
    • Apply filters (blur, average, emboss,...)
    • Apply effects (lens, wave,...)
    • Fullscreen mode, Slide show
    • Picture browser
    • Batch convert
    • Thumbnail create
    • Screen capture
    • Contact Sheet create
    • Multi-page file create (TIFF, DCX, LDF)


  • Android how to delete system application and remove unwanted MyTaxi on Galaxy S3

    I use the hard way: free but a bit more difficult, as it requires a rooted device. I personally use “Android Terminal Emulator” with root permissions granted (after typing su a prompt will appear)

    Android how to delete system application

    su (enter)
    mount -o rw,remount /system (enter)
    rm -r /system/app/FILE-NAME-HERE.apk (enter)

    How to remove this SHIT of myTaxi – Passenger Taxi App on Samsung Galaxy S3

    This application got installed without my knowledge by a Samsung update as a System App that CANNOT BE UNINSTALLED!

    First, before I forget: Go to hell Samsung and Intelligent Apps GmbH

    If either of you continue in that direction, installing software without my prior permission, the next update to my Samsung Galaxy S3 will be CyanogenMod 10

    Back to the removal of MyTaxi: Samsung hid taxi.android.client_v2.5.1.apk under the name /system/app/samsung_ch.apk

    To remove it

    su (enter)
    mount -o rw,remount /system (enter)
    rm -r /system/app/samsung_ch.apk (enter)
  • Announcing openSUSE 10.3 GM

    The openSUSE team is proud to announce the release of openSUSE 10.3. Promoting the use of Linux everywhere, the openSUSE project provides free, easy access to the world’s most usable Linux distribution, openSUSE. openSUSE is released regularly, is stable, secure, contains the latest free and open source software, and comes with several new technologies.

    openSUSE 10.3 will be supported with security and other serious updates for a period of 2 years.

    This version contains new beautiful green artwork, KDE 3.5.7 and parts of KDE 4, SUSE-polished GNOME 2.20, a GTK version of YaST, a new 1-click-install technology, MP3 support out-of-the-box, new and redesigned YaST modules, compiz and compiz fusion advances, virtualisation improvements, OpenOffice.org 2.3, Xfce 4.4.1, and much more! Read on for details of what is new and available in openSUSE 10.3, and for all the necessary download links

    Screenshots are available here 

    Download Download Download Download Download!

    • 1 DVD containing OSS and NonOSS software (torrents for: i386, x86_64, ppc). Languages supported: English, Portuguese, French, Italian, Spanish, German, Chinese (Simpl. & Trad.), Japanese, Russian, Czech, Hungarian, Polish, Finnish, Danish, Swedish, Dutch
    • 1 CD with a default KDE installation (i386, x86_64, not for ppc, English only)
    • 1 CD with a default GNOME installation (i386, x86_64, not for ppc, English only)
    • 1 AddOn CD with only NonOSS packages (i386 or x86_64, ppc)
    • 1 AddOn CD with language packages that are used for extra languages (i386, x86_64, ppc, only to be used with DVDs!)

     

  • Apache Maven BEA Weblogic 10.3 remote deployment


    In this small post I will show you how to automatically deploy some artifacts of your build into Weblogic 10.3 by using the weblogic-maven-plugin

    This plugin will support various tasks within the Weblogic 8.1 and 9.x environment. Tasks such as deploy, undeploy, clientgen, servicegen, and appc are supported, as well as many others. The plugin uses exposed APIs that are subject to change but have been tested in 8.1 SP 4-6 and 9.0 - 9.2 MP3. There are two versions of the plugin to support the two environments, based on differences in the JDK. The 9.x version is currently being refactored to support the standard JSR supported deployment interface

  • Audigy 2 ZS notebook under Linux


    I acquired this card to run my HPTC (Dell 9400 notebook, NAS) under either Windows XP or Linux

    The Sound Blaster Audigy 2 ZS Notebook also provides encompassing 7.1 surround sound for Dolby® Digital EX as well as DTS-ES™ supported DVD movies; any DirectSound3D games and CMSS 3D virtualized 7.1 stereo music. Gamers will love the hardware accelerated EAX® 4.0 ADVANCED HD™ that not only brings games to life, but delivers maximum performance! Musicians will also enjoy true 24-bit recording and low latency ASIO support for the ultimate audio recording platform.

    If you are using Windows, I strongly recommend that you install all tools from the CD instead of jumping directly to the Creative website to download the latest drivers: a lot of tools are not available in the support section (speaker settings and the THX console, to name a few)!

    If you're using Linux, you will be happy to hear that Creative supports and hosts a page on their server for open source systems: http://opensource.creative.com

    Creative has also created a project on SourceForge: emu10k1

    I am pretty satisfied with the quality of this card, especially if you use the optical output (not so many cables floating around). I will have to test it further (under Windows)



  • Automatic refresh of Joomla! demo site the easy way


    These are the scripts I use to maintain all 3 of my demo Joomla! sites:

    These scripts increase security and try to standardize how to create, update and maintain a Joomla! demo site. Feel free to send me ideas on how to improve them, or to ask for help.

     

    This project is hosted at http://forge.joomla.org/gf/project/demosite/ under a GPL v3.0 license and the latest documentation can be found in my WIKI

    Architecture

    • 1 script (snapshotit.bat) per Joomla! instance to create snapshots (files + database) and save the result in a zip file.
    • 1 generic script (renew.sh) that renews an instance of Joomla! (files + database) and secures it at the same time

    Prerequisites

    1. An access to a Linux bash on your server, ideally as root
    2. The possibility to define new crontab entries

    Locally

    On your desktop or reference server, install as many versions of Joomla! as needed, preferably in xampp/htdocs. These directories contain the Joomla! versions, in which you will be able to install, remove and configure your extensions. I personally have them in XAMPP:

    demo-joomla-1.0/
    demo-joomla-1.5/
    demo-joomla-1.6/

    In each of these Joomla! installations, copy the file snapshotit.bat and configure its variables accordingly. The file is documented well enough that I do not describe these variables here.

    This small batch file makes a snapshot of all files and the database and creates a new file, demo-joomla-1.5.zip for example.

    Consider while installing Joomla!

    1. Do not keep the default table name prefix jos_; choose something longer and more random, such as gZ45dF_, to mitigate SQL injection
    2. Do not name your admin user admin; choose something longer and more random, such as Fdhtz56df_Gdte34, to reduce the risk of brute forcing the administrator login/SQL injection

    On the server

    Copy now this file demo-joomla-1.5.zip to your server, using FTP, SSH

    Copy also renew.sh to your server, using FTP, SSH

    Setup crontab

    Add the following long line to your crontab for each of your demo sites; I renew each demo site every 30 minutes

    $ crontab -e

    add this line

    */30    *       *       *       *       locationOf_renew.sh locationOf_zip locationof_httpdocs dbuser dbpassword dbtablename unixuser unixgrp

    where

    • locationOf_renew.sh fully qualified path to renew.sh
    • locationOf_zip  fully qualified path of zip file (containing Joomla! and .sql file)
    • locationof_httpdocs fully qualified path of the httpdocs directory where this zip file content will be extracted
    • dbuser : database user that is used by Joomla!
    • dbpassword : database user password that is used by Joomla!
    • dbtablename: database schema name that is used by Joomla!
    • unixuser: unix user that is supposed to own all files in httpdocs, for example cedric
    • unixgrp: unix group that is supposed to own all files in httpdocs, for example psaserv

    Renew.sh

    The script renew.sh does the following with the zip file

    1. Delete all files in locationof_httpdocs, removing all potential security threats and settings changes made by visitors of your demo site
    2. Temporarily lock the demo site by adding htaccess and htpasswd files
    3. Unzip all files in demo-joomla-1.5.zip to locationof_httpdocs
    4. Restore the database with the file demo-joomla-1.5.sql found in demo-joomla-1.5.zip
    5. Change user and group to the right ones (unixuser, unixgrp)
    6. Change all files and directories to the minimum required set of permissions (555 for directories and 444 for files)
    7. Make the cache directory of Joomla! read-write for the owner unixuser
    8. Delete the file demo-joomla-1.5.sql
    9. Remove potentially dangerous components from the demo site, among others
      1. com_media: removes the users' right to upload, alter or delete files
      2. com_config: removes the users' right to change the configuration
      3. com_installer: removes the users' right to install extensions
      4. installation or installation.old, if present
    10. Unlock the demo site by removing the htaccess and htpasswd files, and restoring the ones from the zip file
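The hardening part of this procedure (steps 5 to 9), with an audit that lists anything the pass left behind, as an added example that is not the project's renew.sh. The function names harden_docroot and audit_docroot and the component directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not the project's renew.sh: the hardening pass (steps 5-9)
# over a freshly unpacked demo docroot, plus an audit that reports leftovers.
# Function names and the component directory layout are assumptions.

# Components the page lists as dangerous on a public demo site.
RISKY_COMPONENTS="com_media com_config com_installer"

# harden_docroot DOCROOT [OWNER:GROUP]
harden_docroot() {
    h_owner=${2:-}

    # A wrong cron argument must never point the recursive commands below
    # at "/" or at a path relative to cron's working directory.
    case "$1" in
        /*) ;;
        *) echo "docroot must be an absolute path: '$1'" >&2; return 2 ;;
    esac
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 2; }
    # Resolve symlinks and ".." before judging the path.
    h_root=$(cd "$1" && pwd -P) || return 2
    if [ "$h_root" = "/" ]; then
        echo "refusing to harden /" >&2
        return 2
    fi

    # Directories left at 555 by a previous run would block the deletions.
    chmod -R u+w "$h_root"

    # Step 9: drop the upload, configuration and installer components,
    # then the installation directories.
    for h_c in $RISKY_COMPONENTS; do
        rm -rf -- "$h_root/components/$h_c" \
                  "$h_root/administrator/components/$h_c"
    done
    rm -rf -- "$h_root/installation" "$h_root/installation.old"

    # Step 8: no database dump may stay downloadable from the web root.
    rm -f -- "$h_root"/*.sql

    # Step 5: ownership (needs root; skipped when no owner is given).
    if [ -n "$h_owner" ]; then
        chown -R -- "$h_owner" "$h_root"
    fi

    # Step 6: read-only tree, 555 for directories and 444 for files.
    find "$h_root" -type d -exec chmod 555 {} +
    find "$h_root" -type f -exec chmod 444 {} +

    # Step 7: only cache/ stays writable, and only for the owner.
    if [ -d "$h_root/cache" ]; then
        find "$h_root/cache" -type d -exec chmod 755 {} +
        find "$h_root/cache" -type f -exec chmod 644 {} +
    fi
}

# audit_docroot DOCROOT: one finding per line, no output when clean.
audit_docroot() {
    a_root=$(cd "$1" && pwd -P) || return 2
    # Anything writable outside cache/ means step 6 did not hold.
    find "$a_root" -path "$a_root/cache" -prune -o \
        ! -type l \( -perm -200 -o -perm -020 -o -perm -002 \) -print |
        sed 's/^/writable: /'
    for a_c in $RISKY_COMPONENTS; do
        for a_dir in components administrator/components; do
            if [ -e "$a_root/$a_dir/$a_c" ]; then
                echo "present: $a_dir/$a_c"
            fi
        done
    done
    for a_f in "$a_root"/installation "$a_root"/installation.old "$a_root"/*.sql; do
        if [ -e "$a_f" ]; then
            echo "present: ${a_f#"$a_root"/}"
        fi
    done
    return 0
}

# Usage: harden.sh DOCROOT [OWNER:GROUP]
if [ "$#" -gt 0 ]; then
    harden_docroot "$@" && audit_docroot "$1"
fi
```

Running the audit from cron between two renewals shows whether a visitor managed to make anything writable again.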

    All in all, and thanks to this development, my 3 demo sites are now online, updates will be a lot easier, and I will keep them up to date more often :-)

    Joomla! 1.0 tricks

    In Joomla! 1.0 configuration.php I use the following trick to not have any stage dependent values.

    $mosConfig_absolute_path = dirname(__FILE__);
    $mosConfig_cachepath = dirname(__FILE__).'/cache';
  • AutoMySQLBackup, do not save backup on your server...

    One of the most important rules is to always back up your data with multiple tools on different media, just in case.

    Just imagine for 5 minutes that you lose everything you have done in the last 3 months on your homepage... OK, still not crying? You lose hundreds of hours of work, nightly debugging, customizations, hours of Gimp/Photoshop, lengthy and well-written articles...

    With Joomla!, and now with nearly all CMS, the most important thing to back up is the database. I recommend a daily backup at least!

    And now my solution: AutoMySQLBackup

    A script to take daily, weekly and monthly backups of your MySQL databases using mysqldump.

    Features

    • Backup multiple databases
    • Single backup file or a separate file for each DB
    • Compress backup files
    • Backup remote servers
    • E-mail logs
    • Backup multiple MySQL databases with one script. (Now able to backup ALL databases on a server easily. No longer need to specify each database separately)
    • Backup all databases to a single backup file or to a separate directory and file for each database.
    • Automatically compress the backup files to save disk space using either gzip or bzip2 compression.
    • Can backup remote MySQL servers to a central server.
    • Runs automatically using cron or can be run manually.
    • Can e-mail the backup log to any specified e-mail address instead of "root". (Great for hosted websites and databases).
    • Can email the compressed database backup files to the specified email address.
    • Can specify maximum size backup to email.
    • Can be set to run PRE and POST backup commands.
    • Choose which day of the week to run weekly backups.

    Just download the file, save it somewhere, and configure automysqlbackup with your editor of choice (first 25 lines of the file). To test if everything works, just run the file.

    Note:

    automysqlbackup requires Mutt

    # yast2 -i mutt

    Mutt (http://www.mutt.org) is a small but very powerful text-based mail client for Unix operating systems. It is used by the script automysqlbackup (sourceforge.net/projects/automysqlbackup/) to split mail into parts (automysqlbackup does not use mail in that case)

    automysqlbackup sends a daily email with the database content, so the data is not on the host, or on FTP, in case of a crash. You may create 2 email accounts and forward the result of the backup to 2 different free email hosters (Gmail and Hotmail for example)

  • Backup Your Ubuntu/Debian Server Automatically


    I am using ReoBack for this duty

    REOBack (pronounced "ray-o-back") is a backup solution designed for Linux users and system administrators. It is designed to be simple to set up, and easy to use. It is great as a quick solution for those who procrastinate about backups. It supports automatic full/incremental backups of files you define, remote backups via NFS or FTP, as well as auto deletion of old backups.

    And here is my how to install for Debian /Ubuntu distribution taken from my notes

    Download Reoback 1.0.3, convert it into a Debian package with alien and install it

    wget http://puzzle.dl.sourceforge.net/sourceforge/reoback/reoback-1.0-3.noarch.rpm
    apt-get install alien
    alien reoback-1.0-3.noarch.rpm
    dpkg -i reoback_1.0-4_all.deb

    Configure ReoBack by editing the file settings.conf

    vi /etc/reoback/settings.conf
    Here is a sample configuration file to save your backup to a remote FTP server (but it could be also a NFS share)
    host            = myhostname.com
    backupdays      = 7
    files           = /etc/reoback/files.conf
    tmpdir          = /var/lib/reoback/tmp/
    datadir          = /var/lib/reoback/data/
    localbackup     = /var/lib/reoback/backups/
    keeplocalcopy   = 1
    remotebackup    = 1
    rbackuptype     = FTP
    localmount      = /mnt/server/
    remotehost      = xxxxxxxxx
    remotepath      = /reobackup/
    ftpuser         = xxxxxxxxx
    ftppasswd       = xxxxxxxxx

    Specify which files on your server  need to be saved by editing the file files.conf

    vi /etc/reoback/files.conf

    Here is a sample, I exclude some files that are changing all the time since they are maintained by the Linux kernel or some processes

    File: homes
    /home/
    
    File: var
    /var
    Skip: /var/run/*
    Skip: /var/lib/mysql/*
    Skip: /var/lib/reoback/*
    
    File: mysql
    /var/lib/mysql
    /tmp/mysql.sock
    Skip: /var/lib/mysql/mysql.sock
    Skip: /var/lib/mysql/mysqld.pid
    
    File: plesk
    /opt/psa
    /etc/psa
    /usr/local/psa

    Adapt the location path of these 2 files (files.conf / settings.conf) in  run_reoback.sh

    vi /etc/reoback/run_reoback.sh

    content of file

    # Location of the configuration file.
    config="/etc/reoback/settings.conf"
    
    # Change to reflect where REOBack is installed
    reoback="/usr/bin/reoback.pl"
    
    # Do not modify this line.
    $reoback $config

    Finally you can now test your backup

    /etc/reoback/run_reoback.sh

    or place this command in crontab; the line below runs it once a day at 19:00

    0 19 * * * /etc/reoback/run_reoback.sh > backup.txt ; mail -s "automatisches Backup" YOUR_EMAIL_ADDRESS < backup.txt

    Tips

    Depending on where your visitors come from (America, Asia or Europe), it may be advisable not to start your backup during peak visiting hours. You can also nice the process to a lower priority

    0 19 * * * nice -n 19 /etc/reoback/run_reoback.sh > backup.txt ; mail -s "automatisches Backup" YOUR_EMAIL_ADDRESS < backup.txt
  • Basic operations with XEN server: export, import of VM templates and guests


    More and more I am using XEN at work, and here is a small how to of some very common operations.

    Citrix® XenServer® is a complete, managed server virtualization platform built on the powerful Xen® hypervisor. Xen technology is widely acknowledged as the fastest and most secure virtualization software in the industry. XenServer is designed for efficient management of Windows® and Linux® virtual servers and delivers cost-effective server consolidation and business continuity.

    By the way if you succeed installing XEN server on a Strato.com dedicated Linux server with a minimal downtime, contact me I am interested!

    Basic operations

    Determine the XEN guest uuid

    This uuid is required to identify a XEN guest.

    # xe vm-list
    uuid ( RO)           : 99bb0e42-0616-6f02-ed41-be48bb338280 
         name-label ( RW): server01
        power-state ( RO): running

    Determine the XEN sr-uuid of a disk storage

    An sr-uuid identifies a storage resource attached to a XEN server; this unique id is required for some operations, as it allows you, for example, to import a XEN guest into it.

    Run as root, in the XEN server console


    # xe sr-list
    uuid ( RO)                : 99f191c4-4563-8672-7d8e-4602850fbeb0
            name-label ( RW): Local storage
            name-description ( RW): 
            host ( RO): xen01
            type ( RO): lvm
            content-type ( RO): user

    Identify the local storage by looking at the name-label and copy the uuid

    Export XEN Guest

    1. You need to stop the XEN guest prior to any operations
    2. You need to determine the XEN guest uuid (see basic operations)
    3. Mount a NFS / CIFS / Samba share if you want to move from one XEN server to another as the filename can be located anywhere.

    Run as root, in the XEN server console

    # xe vm-export vm=99bb0e42-0616-6f02-ed41-be48bb338280  filename=server01.xva

    Import XEN Guest

    1. You need to determine the XEN guest sr-uuid (see basic operations) : the storage unique id
    2. Mount a NFS / CIFS / Samba share if you want to move from one XEN server to another as the filename can be located anywhere.

    Run as root, in the XEN server console

    # xe vm-import filename=server01.xva  sr-uuid=99f191c4-4563-8672-7d8e-4602850fbeb0

    Export a XEN template to disk

    1. Log in to the XEN server where this template is located, and list all templates
    2. Mount a NFS / CIFS / Samba share if you want to move from one XEN server to another as the filename can be located anywhere.

    # xe template-list

    If there are too many templates, you can filter with grep or by using name-label

    # xe template-list  name-label="myTemplate label"
    uuid ( RO) : c4962b6b-5678-a72b-85cd-e33f01b1320a
    name-label ( RW): mytemplate label
    name-description ( RW):

    To export, run

    # xe template-export uuid=c4962b6b-5678-a72b-85cd-e33f01b1320a filename=myTemplate.xva

    You can see the export progression in tab “logs“ of that template in XEN-Center

    Import a XEN template to a new XEN Server

    1. Log in to the XEN server where you want to import the new template
    2. You need to determine the XEN guest sr-uuid (see basic operations) : the storage unique id

    To import, run

    # xe vm-import filename=myTemplate.xva  sr-uuid=99f191c4-4563-8672-7d8e-4602850fbeb0

    To be continued…

  • Beagle: the desktop search engine for linux

    Since Google Desktop still does not exist for Linux, you can also try Beagle:
    "Beagle is a search tool that ransacks your personal information space to find whatever you're looking for. Beagle can search in many different domains."
    Beagle supports the following filetypes, and has a nice interface which also acts as a previewer of all files found. Installed by default under Suse 9.3 and originally developed for the Gnome desktop, it runs perfectly in KDE.
    The latest version now indexes not only your HOME directory but also all disks. Accuracy is quite good, and the interface is responsive enough. Written for the .NET framework but running under Mono, it is a brilliant demonstration of what open source has to give.
  • Become a supporter of KDE!

    YOU WANT

    Beautiful, flexible, functional Desktop Software.
    The Freedom to use, share, and modify your software.
    Full control over your data and privacy.
    All this and more is done by KDE.

    Become a supporter of KDE

     

     


  • Benchmarking your LAMP server


    The acronym LAMP refers to a solution stack of software, usually free and open source software, used to run dynamic Web sites or servers. It stands for:

    • Linux, for the operating system;
    • Apache, the Web server;
    • MySQL, the database management system (or database server);
    • Perl, Python, and PHP, the programming languages.

    ab is a tool for benchmarking your Apache Hypertext Transfer Protocol (HTTP) server. It is designed to give you an impression of how your current Apache installation performs. In particular, it shows you how many requests per second your Apache installation is capable of serving.
    The Apache-utils package contains utility programs for webservers and some add-on programs useful for any webserver. These include:

    • ab (Apache benchmark tool)
    • Logresolve (Resolve IP addresses to hostname in logfiles)
    • htpasswd (Manipulate basic authentication files)
    • htdigest (Manipulate digest authentication files)
    • dbmmanage (Manipulate basic authentication files in DBM format, using perl)
    • htdbm (Manipulate basic authentication files in DBM format, using APR)
    • rotatelogs (Periodically stop writing to a logfile and open a new one)
    • split-logfile (Split a single log including multiple vhosts)
    • checkgid (Checks whether the caller can setgid to the specified group)
    • check_forensic (Extract mod_log_forensic output from apache log files)

    The Apache-Utils package can be installed through apt or YaST, depending on whether you are using a Debian-based distro or OpenSuse

    Prerequisites

    • Define realistic objectives; do not create too many virtual clients if you do not usually have that kind of user traffic.
    • For example, an objective could be the number of users served, or the percentage of the requests served within a certain time
    • The ab tool does not simulate realistic user behavior; it just hits a page, without being able to simulate a complex workflow (like logging in, navigating and doing the things users usually do)
    • Try to monitor the CPU/memory consumed at the same time, in order not to make false assumptions about Apache settings (use top d 1)

    Attention

    It is an iterative process!

    1. Benchmark,
    2. Change settings and
    3. Restart benchmark.

    It is very important to change only one setting at a time in order to better identify what is really bringing an improvement! By changing only one setting at a time, you can:

    • Better see the influence on CPU and memory (you must also look at resources; a server swapping to disk is never good)
    • There are not many universal settings that bring a speed kick (except DNS lookup off and a small keep-alive); some settings depend on your Linux kernel version, CPU class, disk speed and network latency

    Other components

    While tuning Apache, you will see that most of the time is spent in PHP/MySQL. For MySQL, I recommend running tuning-primer.sh at the same time; read more here


    Usage

    ab [ -A auth-username:password ] [ -c concurrency ] [ -C cookie-name=value ] [ -d ] [ -e csv-file ] [ -g gnuplot-file ] [ -h ] [ -H custom-header ] [ -i ] [ -k ] [ -n requests ] [ -p POST-file ] [ -P proxy-auth-username:password ] [ -q ] [ -s ] [ -S ] [ -t timelimit ] [ -T content-type ] [ -v verbosity] [ -V ] [ -w ] [ -x <table>-attributes ] [ -X proxy[:port] ] [ -y <tr>-attributes ] [ -z <td>-attributes ] [http://]hostname[:port]/path

    Options

    -A auth-username:password
    Supply BASIC Authentication credentials to the server. The username and password are separated by a single : and sent on the wire base64 encoded. The string is sent regardless of whether the server needs it (i.e., has sent an 401 authentication needed).
    -c concurrency
    Number of multiple requests to perform at a time. Default is one request at a time.
    -C cookie-name=value
    Add a Cookie: line to the request. The argument is typically in the form of a name=value pair. This field is repeatable.
    -d
    Do not display the "percentage served within XX [ms] table". (legacy support).
    -e csv-file
    Write a Comma separated value (CSV) file which contains for each percentage (from 1% to 100%) the time (in milliseconds) it took to serve that percentage of the requests. This is usually more useful than the 'gnuplot' file; as the results are already 'binned'.
    -g gnuplot-file
    Write all measured values out as a 'gnuplot' or TSV (Tab separate values) file. This file can easily be imported into packages like Gnuplot, IDL, Mathematica, Igor or even Excel. The labels are on the first line of the file.
    -h
    Display usage information.
    -H custom-header
    Append extra headers to the request. The argument is typically in the form of a valid header line, containing a colon-separated field-value pair (i.e., "Accept-Encoding: zip/zop;8bit").
    -i
    Do HEAD requests instead of GET.
    -k
    Enable the HTTP KeepAlive feature, i.e., perform multiple requests within one HTTP session. Default is no KeepAlive.
    -n requests
    Number of requests to perform for the benchmarking session. The default is to just perform a single request which usually leads to non-representative benchmarking results.
    -p POST-file
    File containing data to POST.
    -P proxy-auth-username:password
    Supply BASIC Authentication credentials to a proxy en-route. The username and password are separated by a single : and sent on the wire base64 encoded. The string is sent regardless of whether the proxy needs it (i.e., has sent an 407 proxy authentication needed).
    -q
    When processing more than 150 requests, ab outputs a progress count on stderr every 10% or 100 requests or so. The -q flag will suppress these messages.
    -s
    When compiled in (ab -h will show you) use the SSL protected https rather than the http protocol. This feature is experimental and very rudimentary. You probably do not want to use it.
    -S
    Do not display the median and standard deviation values, nor display the warning/error messages when the average and median are more than one or two times the standard deviation apart. And default to the min/avg/max values. (legacy support).
    -t timelimit
    Maximum number of seconds to spend for benchmarking. This implies a -n 50000 internally. Use this to benchmark the server within a fixed total amount of time. Per default there is no timelimit.
    -T content-type
    Content-type header to use for POST data.
    -v verbosity
    Set verbosity level - 4 and above prints information on headers, 3 and above prints response codes (404, 200, etc.), 2 and above prints warnings and info.
    -V
    Display version number and exit.
    -w
    Print out results in HTML tables. Default table is two columns wide, with a white background.
    -x <table>-attributes
    String to use as attributes for <table>. Attributes are inserted <table here >.
    -X proxy[:port]
    Use a proxy server for the requests.
    -y <tr>-attributes
    String to use as attributes for <tr>.
    -z <td>-attributes
    String to use as attributes for <td>.


    Some real examples

    time /usr/sbin/ab2 -n 500 -c 30 http://www.waltercedric.com
    This will make 500 requests against the site, 30 of them at a time

    The first run below was taken after tuning, the second before tuning:

    Benchmarking www.waltercedric.com
    Completed 100 requests
    Completed 200 requests
    Completed 300 requests
    Completed 400 requests
    Finished 500 requests
    Server Software:        NOYB
    Server Hostname:        www.waltercedric.com
    Server Port:            80
    Document Path:          /index.php
    Document Length:        45532 bytes
    Concurrency Level:      30
    Time taken for tests:   38.576375 seconds
    Complete requests:      500
    Failed requests:        19 
       (Connect: 0, Length: 19, Exceptions: 0)
    Write errors:           0
    Total transferred:      23000106 bytes
    HTML transferred:       22762106 bytes
    Requests per second:    12.96 [#/sec] (mean)
    Time per request:       2314.582 [ms] (mean)
    Time per request:       77.153 [ms] (mean, across all concurrent requests)
    Transfer rate:          582.25 [Kbytes/sec] received
    Connection Times (ms)
                  min  mean[+/-sd] median   max
    Connect:        0    8  36.9      0     207
    Processing:   394 2239 345.3   2237    6223
    Waiting:      379 2197 340.9   2190    6173
    Total:        397 2247 344.2   2239    6223
    Percentage of the requests served within a certain time (ms)
      50%   2239
      66%   2294
      75%   2327
      80%   2357
      90%   2457
      95%   2560
      98%   2973
      99%   3341
    100%   6223 (longest request)
    real    0m38.617s
    user    0m0.024s
    sys     0m0.240s

    Benchmarking www.waltercedric.com
    Completed 100 requests
    Completed 200 requests
    Completed 300 requests
    Completed 400 requests
    Finished 500 requests

    Server Software:        NOYB
    Server Hostname:        www.waltercedric.com
    Server Port:            80

    Document Path:          /index.php
    Document Length:        45532 bytes

    Concurrency Level:      30
    Time taken for tests:   108.897481 seconds
    Complete requests:      500
    Failed requests:        19
       (Connect: 0, Length: 19, Exceptions: 0)
    Write errors:           0
    Total transferred:      23000106 bytes
    HTML transferred:       23000106 bytes
    Requests per second:    4.59 [#/sec] (mean)
    Time per request:       6533.849 [ms] (mean)
    Time per request:       217.795 [ms] (mean, across all concurrent requests)
    Transfer rate:          178.41 [Kbytes/sec] received

    Connection Times (ms)
                  min  mean[+/-sd] median   max
    Connect:        0  114 478.9      0    2276
    Processing:   336 6186 1665.2   6108   16189
    Waiting:    -5148 5982 1982.8   6066   16009
    Total:        391 6301 1580.2   6120   17093

    Percentage of the requests served within a certain time (ms)
      50%   6120
      66%   6453
      75%   6778
      80%   7046
      90%   7861
      95%   8516
      98%  10110
      99%  12418
    100%  17093 (longest request)

    real    1m48.905s
    user    0m0.024s
    sys     0m0.152s
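The before/after comparison above, as an added example that is not part of the original post: a script that reads two saved ab reports, refuses to compare runs made with different request parameters, and summarises the change. The function names are assumptions; the embedded figures are excerpts of the two runs shown above.

```shell
#!/bin/sh
# Added example: compare two saved ab reports taken before and after ONE change.
# Function names are assumptions; the sample figures are excerpts of the two
# runs printed on this page.

# ab_field FILE LABEL: first value on the first line that starts with LABEL.
ab_field() {
    LC_ALL=C awk -v label="$2" '
        index($0, label) == 1 {
            rest = substr($0, length(label) + 1)
            sub(/^[: \t]+/, "", rest)      # drop the colon and the padding
            split(rest, parts, /[ \t]+/)
            print parts[1]
            exit                            # "Time per request" appears twice
        }' "$1"
}

# ab_percentile FILE PCT: milliseconds within which PCT% of requests were served.
ab_percentile() {
    LC_ALL=C awk -v pct="$2%" '$1 == pct { print $2; exit }' "$1"
}

# ab_compare BEFORE AFTER: one summary line; returns 1 when the two runs
# were not made with the same path, concurrency and request count.
ab_compare() {
    for c_key in "Document Path" "Concurrency Level" "Complete requests"; do
        if [ "$(ab_field "$1" "$c_key")" != "$(ab_field "$2" "$c_key")" ]; then
            echo "not comparable: '$c_key' differs" >&2
            return 1
        fi
    done
    c_rps_b=$(ab_field "$1" "Requests per second")
    c_rps_a=$(ab_field "$2" "Requests per second")
    if [ -z "$c_rps_b" ] || [ -z "$c_rps_a" ]; then
        echo "not an ab report: no 'Requests per second' line" >&2
        return 1
    fi
    LC_ALL=C awk -v b="$c_rps_b" -v a="$c_rps_a" \
        -v pb="$(ab_percentile "$1" 95)" -v pa="$(ab_percentile "$2" 95)" \
        -v fb="$(ab_field "$1" "Failed requests")" \
        -v fa="$(ab_field "$2" "Failed requests")" \
        'BEGIN { printf "rps x%.2f, p95 %d -> %d ms, failed %d -> %d\n", a / b, pb, pa, fb, fa }'
}

# Excerpt of the "before tuning" run shown on this page.
sample_before() {
    cat <<'EOF'
Document Path:          /index.php
Concurrency Level:      30
Time taken for tests:   108.897481 seconds
Complete requests:      500
Failed requests:        19
Requests per second:    4.59 [#/sec] (mean)
Time per request:       6533.849 [ms] (mean)
Time per request:       217.795 [ms] (mean, across all concurrent requests)
  95%   8516
EOF
}

# Excerpt of the "after tuning" run shown on this page.
sample_after() {
    cat <<'EOF'
Document Path:          /index.php
Concurrency Level:      30
Time taken for tests:   38.576375 seconds
Complete requests:      500
Failed requests:        19
Requests per second:    12.96 [#/sec] (mean)
Time per request:       2314.582 [ms] (mean)
Time per request:       77.153 [ms] (mean, across all concurrent requests)
  95%   2560
EOF
}

# Write both samples to a scratch directory and compare them.
demo() {
    d_tmp=$(mktemp -d) || return 1
    sample_before > "$d_tmp/before.txt"
    sample_after > "$d_tmp/after.txt"
    d_rc=0
    ab_compare "$d_tmp/before.txt" "$d_tmp/after.txt" || d_rc=$?
    rm -rf "$d_tmp"
    return "$d_rc"
}

demo
```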

     

    time /usr/sbin/ab2 -kc 10 -t 30 http://www.waltercedric.com
    This will open 10 connections, using Keep-Alive on them, and hammer the server for 30 seconds


    Same tests but without mod_security

    • Mod_security is a module for Apache which act like a software firewall
    • Depending on the number of rules, it can greatly affect throughput


    time /usr/sbin/ab2 -kc 10 -t 30 http://www.waltercedric.com
    This will open 10 connections, using Keep-Alive on them, and hammer the server for 30 seconds

    real    0m39.040s
    user    0m0.020s
    sys     0m0.208s

    Nearly one second more with mod_security gotroot rules, worth the added security!

    If you want to know more options and how to use Apache ab, check the ab/ab2 man page.

    How to optimize Apache/Joomla/PHP

    I forward You to some of my previous articles:

    And more ideas here Secure, Safe, Fast Linux Hosting

  • Best nginx configuration for Joomla


    nginx (pronounced “engine-x”) is an open source Web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. It is licensed under a BSD-like license and it runs on Unix, Linux, BSD variants, Mac OS X, Solaris, AIX and Microsoft Windows [WikiPedia]

    These are my reusable settings for any Joomla hosting; they are the most secure and fastest settings to the best of my knowledge.

    Configuration files are provided using Gist and are CONSTANTLY updated for added security and speed. Gist is a simple way to share snippets and pastes with others. All gists are git repositories, so they are automatically versioned, forkable and usable as a git repository. I recommend that you star them to stay up to date.

    Joomla.conf for nginx

    Create a new directory nginx/conf to be able to place reusable nginx settings:

    mkdir -p /etc/nginx/conf

    vi /etc/nginx/conf/joomla.conf

    Edit or create joomla.conf, you can find the latest joomla.conf documented version in one of my Gist at https://gist.github.com/1620307

    Adding a new Joomla Site to nginx

    Create the required directories anywhere on your disk; here is an example with the domain www.example.com

    mkdir -p /var/www/vhosts/example.com/httpdocs
    mkdir -p /var/www/vhosts/example.com/logs

    Set the right permissions for the user and group you have defined in nginx.conf

    chown -fR www-data:www-data /var/www/vhosts/example.com/httpdocs

    Copy the nginx template and adapt to your liking

    cp /etc/nginx/sites-available/default /etc/nginx/sites-available/example
    vi /etc/nginx/sites-available/example

    Edit or create example; you can find the latest documented version of the example file in one of my Gists at https://gist.github.com/1620307

    This file includes Joomla.conf to avoid duplicating nginx settings

    Activate the new domain

    ln -s /etc/nginx/sites-available/example /etc/nginx/sites-enabled/example
    service nginx restart
  • Broken download when downloading zip files

    A lot of people have tried numerous times to download files from my download section without
    success, the error message was always the same

    Unrecoverable error "PCLZIP_ERR_BAD_FORMAT (-10)"

    Also, some tried to unpack the zip file locally using StuffIt/WinRAR/7-Zip and got an error suggesting
    that the archive is damaged.

    Only Internet Explorer users were having issues; this is because Internet Explorer is not able to handle
    compression of all file types. I solved the issue by changing my mod_deflate.conf, which now looks like the following:

    <Location />
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript

    # Make sure proxies don't deliver the wrong content
    Header append Vary User-Agent env=!dont-vary
    </Location>

    I found that I had to use application/x-javascript instead of application/javascript to actually get javascript files on my
    server to be served compressed.

    mod deflate documentation: http://httpd.apache.org/docs/2.0/mod/mod_deflate.html