February 03, 2006

Reverse Proxy with httpd

This image is the basis of a coming blog entry or guruguide

snip1.png

Posted by dcarter at 04:42 PM | TrackBack

October 31, 2005

Updated VIM Goodies

I took the time to update the movement table to use the new GuruLabs KeyCaps font. Check it out here.

Posted by dcarter at 10:41 PM | TrackBack

October 24, 2005

Keep your pants on

Understanding the initialization process of your Linux distro is quite important, as the boot sequence is where the majority of problems occur. It's also very useful to know and understand how to create or modify a System-V init script for dealing with starting and stopping of services.

For this reason, I've taken the Pants script originally written by one Conrad Parker and updated and improved it.

I've updated the script to be the 'best practice' on a Red Hat Enterprise Linux or Fedora Core system running RHEL3/4 or FC3/4 respectively.

Here are some of the various improvements I've made:

There are various other small improvements that I may have missed; if so, I'll update this page later listing them.

NEWS!
The Pants script has just been released. Find the rpm package here.
Find the spec file here.
And the script itself here.

Posted by dcarter at 08:38 PM | TrackBack

October 07, 2005

VIM freebies

VI or VIM... there is a name which will inspire hope or despair in the hardiest of command line jockeys. I have adopted as my goal to teach the layperson the benefits of learning the big VIM monster, and here are some of the tricks and tools I've come across.

To begin, let's first talk about the ULTIMATE of all VIM resources: VIM.org. This website is the holy grail for all things VI / VIM. You can find scripts, tips & tricks, and various other tools. Quite a resource.

The second and third resources I want to talk about are a VIM cheat sheet created by Laurent Grégoire, and a VIM movement table created by yours truly. The cheat sheet card is released under the GPL and is available in a variety of formats including PDF, TXT and others. Find this cheat sheet here.
The movement table was created as a guide to use as I'm teaching the GL120 Intro to Linux course. I provide it here as little more than a "here ya go". Basically it's the commands you can use to move in specific directions. Here's the movement table:
vim_movement_table.gif

And finally, the ULTIMATE VIM learning tool would be to take our GL120 course. There isn't much better than an instructor-led, lab-task-reinforced learning experience.

Enjoy. And don't forget to defend your editor of choice to the death :) VIVA EL VIM!!!

(edit) updated picture with keycaps version

Posted by dcarter at 05:08 PM | TrackBack

September 21, 2005

Lock Down

Host security is a very important topic. You want to keep your machine as secure as possible. One security principle that most overlook is the "Principle of Least Privilege." This principle states that you should only give a user sufficient access to get their job done, but no more. There have been many different tools, ideas, and practices created to help stick to this principle (e.g. su, sudo, PAM, etc.). I'm going to show you two very powerful tools/ideas that will vastly improve your security by limiting certain accounts, while still maintaining sufficient access so as not to restrict functionality. I'm first going to introduce you to scponly. Then I'll demonstrate a cool PAM trick to create a "su only" user.

First, scponly. Many protocols have been created to replace the aging protocols of yesteryear (FTP, Telnet, RSH, RCP, etc.). SSH is one of the more popular. Secure Shell, or SSH, allows one to remotely connect to a shell while the traffic between hosts is encrypted. Many of the plain-text protocols have been replaced by SSH. To emulate an FTP-only server (e.g. an account without an interactive shell, which can still upload and download files) you can use tools such as scponly. scponly is a restricted shell that only allows scp traffic and denies any interactive shell.

I've created some rpms of scponly and they are located here and here. The scponly-chroot package enables the chrooted shell, which doesn't allow a user outside of their home directory.

There's also a package named SCPjailer that will assist you in creating the chroot jails for the chrooted version of SCPonly.

I'm currently working on some tools to make creating users with these two programs much simpler, so watch this space for news on the upcoming scponly-tools.

I've also recently come up with a PAM trick which will allow you to create a user which can only be accessed via the su command. That's right, no direct login at all! Here's how you accomplish this:

  1. Create a new user who will only be accessible via su:
     # useradd kyle
  2. Restrict the new user account from all access by modifying the file /etc/pam.d/system-auth, adding the pam_listfile.so line as shown:

    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    auth        required      /lib/security/$ISA/pam_deny.so

    account     required      /lib/security/$ISA/pam_unix.so
    account     required      /lib/security/$ISA/pam_listfile.so sense=deny onerr=succeed item=user file=/etc/suonlyusers
    account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account     required      /lib/security/$ISA/pam_permit.so

    password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password    required      /lib/security/$ISA/pam_deny.so

    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so

  3. After editing that file, create the file /etc/suonlyusers and add a single line with the username of whoever you are trying to restrict (in our case: kyle).

  4. Unrestrict the same user when using the su command:
     edit the file /etc/pam.d/su and add the pam_listfile.so line as shown:

    auth sufficient /lib/security/$ISA/pam_rootok.so
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    #auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    #auth required /lib/security/$ISA/pam_wheel.so use_uid
    auth required /lib/security/$ISA/pam_stack.so service=system-auth
    account sufficient /lib/security/$ISA/pam_listfile.so item=user sense=allow onerr=succeed file=/etc/suonlyusers
    account required /lib/security/$ISA/pam_stack.so service=system-auth
    password required /lib/security/$ISA/pam_stack.so service=system-auth
    # pam_selinux.so close must be first session rule
    session required /lib/security/$ISA/pam_selinux.so close
    session required /lib/security/$ISA/pam_stack.so service=system-auth
    # pam_selinux.so open and pam_xauth must be last two session rules
    session required /lib/security/$ISA/pam_selinux.so open multiple
    session optional /lib/security/$ISA/pam_xauth.so


Try giving your user a password, then logging in directly or accessing the user account via su.
Quite a trick.
(ranks a 4.3 out of 5 in my book)
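A small audit script for the "su only" setup above, added here as an example and not part of the original post. It takes the two PAM files, the list file and the username as arguments (paths are assumed, not hard-coded), and checks the things the trick quietly depends on: the deny rule is in system-auth, the allow rule in su sits before the line that delegates to system-auth (a "sufficient" rule only short-circuits the deny if it is evaluated first), and the list file is a regular, non-world-writable file that actually names the user.

```shell
#!/bin/sh
# Added example, not from the original post: audit the "su only" PAM setup.
#  - pam_listfile rejects a world-writable list file outright
#  - with onerr=succeed, a MISSING list file means the deny rule denies nobody
#  - the 'sufficient ... sense=allow' rule in su must precede the system-auth
#    delegation, or the deny rule inherited from system-auth wins
# check_su_only SYSTEM_AUTH SU_PAMFILE LISTFILE USER -> 0 if everything holds

line_of() {  # line_of REGEX FILE -> number of the first matching line, or ""
    grep -En "$1" "$2" | head -n 1 | cut -d: -f1
}

check_su_only() {
    sa=$1 su=$2 list=$3 user=$4 rc=0
    [ -n "$(line_of '^account[[:space:]]+required[[:space:]]+.*pam_listfile\.so.*sense=deny' "$sa")" ] ||
        { echo "$sa: no 'account required pam_listfile.so ... sense=deny' rule"; rc=1; }
    allow=$(line_of '^account[[:space:]]+sufficient[[:space:]]+.*pam_listfile\.so.*sense=allow' "$su")
    stack=$(line_of '^account[[:space:]]+required[[:space:]]+.*service=system-auth' "$su")
    if [ -z "$allow" ]; then
        echo "$su: no 'account sufficient pam_listfile.so ... sense=allow' rule"; rc=1
    elif [ -n "$stack" ] && [ "$allow" -gt "$stack" ]; then
        echo "$su: allow rule comes after the system-auth rule, so it never fires"; rc=1
    fi
    if [ ! -f "$list" ]; then
        echo "$list: missing or not a regular file (onerr=succeed: nobody is denied)"; rc=1
    else
        [ "$(ls -ld "$list" | cut -c9)" = w ] && { echo "$list: world-writable, pam_listfile will reject it"; rc=1; }
        grep -qx "$user" "$list" || { echo "$list: does not list $user"; rc=1; }
    fi
    return $rc
}

# Constructed sample files (the account lines from the post) for a stand-alone
# run; su.bad has the allow rule in the wrong place.
write_samples() {  # write_samples DIR
    d=$1
    printf '%s\n' 'account required /lib/security/$ISA/pam_unix.so' \
        'account required /lib/security/$ISA/pam_listfile.so sense=deny onerr=succeed item=user file=/etc/suonlyusers' \
        'account required /lib/security/$ISA/pam_permit.so' > "$d/system-auth"
    printf '%s\n' 'auth sufficient /lib/security/$ISA/pam_rootok.so' \
        'account sufficient /lib/security/$ISA/pam_listfile.so item=user sense=allow onerr=succeed file=/etc/suonlyusers' \
        'account required /lib/security/$ISA/pam_stack.so service=system-auth' > "$d/su"
    printf '%s\n' 'account required /lib/security/$ISA/pam_stack.so service=system-auth' \
        'account sufficient /lib/security/$ISA/pam_listfile.so item=user sense=allow onerr=succeed file=/etc/suonlyusers' > "$d/su.bad"
    echo kyle > "$d/suonlyusers"; chmod 644 "$d/suonlyusers"
}

dir=$(mktemp -d); write_samples "$dir"
check_su_only "$dir/system-auth" "$dir/su" "$dir/suonlyusers" kyle && echo "su: OK"
check_su_only "$dir/system-auth" "$dir/su.bad" "$dir/suonlyusers" kyle || echo "su.bad: rejected"
rm -rf "$dir"
```

On a real box, point it at /etc/pam.d/system-auth, /etc/pam.d/su and /etc/suonlyusers.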

Posted by dcarter at 04:24 PM | TrackBack

July 27, 2005

Concurrent GUI Logins

Ever wanted to do multiple concurrent GUI logins, a la "fast user switching" in Windows XP? It's really not that hard.

These instructions assume you are using GDM as your display manager. The file paths are written assuming that you are using a RedHat based distro.

The first step is to make sure you are using the GDM display manager. Edit the file /etc/sysconfig/desktop and make sure the DISPLAYMANAGER= looks like this:

DISPLAYMANAGER=GDM

The other lines can be left with their default settings.

Now to move on to configuring GDM to start multiple X servers, both offering a login screen, one bound to tty7 and the other bound to tty8. The remaining edits should all take place in the file /etc/X11/gdm/gdm.conf and can be made all at once.

We must change the default greeter from the pretty-looking graphical greeter to the more utilitarian standard greeter. I've found this offers better stability as the graphical greeter was prone to dying if called more than once. Locate the following lines towards the beginning of the file:

# Greeter for local (non-xdmcp) logins. Change gdmgreeter to gdmlogin to
# get the standard greeter.
Greeter=/usr/bin/gdmgreeter

Change the Greeter= line so that it looks like this:
# Greeter for local (non-xdmcp) logins. Change gdmgreeter to gdmlogin to
# get the standard greeter.
Greeter=/usr/bin/gdmlogin

To avoid the haphazard placement of our X servers we force them to start allocating virtual terminals at tty7. Locate the lines:

# Automatic VT allocation. Right now only works on Linux. This way
# we force X to use specific vts. turn VTAllocation to false if this
# is causing problems.
#FirstVT=7
#VTAllocation=true

Un-comment the two setting lines like so:
# Automatic VT allocation. Right now only works on Linux. This way
# we force X to use specific vts. turn VTAllocation to false if this
# is causing problems.
FirstVT=7
VTAllocation=true

Configure an additional server that will always be started. The number at the start of the line is used as the display number when calling the corresponding X command. In the section shown here:

[servers]
# These are the standard servers. You can add as many you want here
# and they will always be started. Each line must start with a unique
# number and that will be the display number of that server. Usually just
# the 0 server is used.
0=Standard

Add another server line with the server number incremented. You can add as many as you like. The entry should look like this:
[servers]
# These are the standard servers. You can add as many you want here
# and they will always be started. Each line must start with a unique
# number and that will be the display number of that server. Usually just
# the 0 server is used.
0=Standard
1=Standard

Save and exit the gdm.conf file you've been editing. Reboot, or switch to runlevel 3 and back to 5, or send GDM a HUP signal. This will reload GDM and make it read the newly modified file.

Now for the magic part... When your displays come back up you will have a graphical login available on tty7 and tty8. Switch between them by using the keystrokes CTRL-ALT-F7 and CTRL-ALT-F8.

There ya have it. A cheap-O way to multiple GUI logins. Instructions on configuring KDM and XDM are in the works so watch this space for more.
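The four gdm.conf edits above, wrapped in a script that applies them and checks the result. This is an added example, not from the original post; the gdm.conf excerpt it builds is a constructed sample, and you would point it at /etc/X11/gdm/gdm.conf only after taking a backup.

```shell
#!/bin/sh
# Added example, not from the original post: apply the gdm.conf edits
# described above to FILE and verify them. Safe to re-run.

configure_gdm() {  # configure_gdm FILE -> edits FILE in place
    f=$1
    # 1. standard greeter instead of the graphical one
    sed -i 's|^Greeter=/usr/bin/gdmgreeter$|Greeter=/usr/bin/gdmlogin|' "$f"
    # 2. start allocating virtual terminals at tty7
    sed -i -e 's/^#FirstVT=7$/FirstVT=7/' -e 's/^#VTAllocation=true$/VTAllocation=true/' "$f"
    # 3. a second always-started server (display :1) after 0=Standard, added once
    grep -q '^1=Standard$' "$f" || sed -i '/^0=Standard$/a 1=Standard' "$f"
}

verify_gdm() {  # verify_gdm FILE -> 0 when every setting matches the post
    grep -q '^Greeter=/usr/bin/gdmlogin$' "$1" &&
    grep -q '^FirstVT=7$' "$1" &&
    grep -q '^VTAllocation=true$' "$1" &&
    [ "$(grep -c '^[01]=Standard$' "$1")" -eq 2 ]
}

write_sample_conf() {  # constructed excerpt of a stock gdm.conf (only the lines touched)
    printf '%s\n' '[daemon]' 'Greeter=/usr/bin/gdmgreeter' '#FirstVT=7' \
        '#VTAllocation=true' '[servers]' '0=Standard' > "$1"
}

conf=$(mktemp); write_sample_conf "$conf"
configure_gdm "$conf" && verify_gdm "$conf" && echo "gdm.conf edits applied"
rm -f "$conf"
```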

Posted by dcarter at 03:38 PM | TrackBack

July 14, 2005

Multi-Line sed

Let's say you want to add "disable = yes" after a specific pair of lines in a file.

For example, the two lines:

service finger
{

The "N" command tells sed to append the next line to its "input buffer" (the pattern space), so a two-line match becomes possible; you can stack multiple "N"s if you need more than 2 lines.

So, the answer is (the N is attached to an address so it only joins the line after a "service finger" line, rather than pairing every other line of the file):

sed -i -e '/^service finger$/{N;s/\n{$/&\n\tdisable = yes/}' /path/to/file-to-be-edited

To read 3 lines (the current one plus two more) you would stack two N's, something like:

sed -i -e N -e N -e "s/changethis/tothis/g" /path/to/file-to-be-edited
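A runnable demonstration of the multi-line trick, added here and not part of the original post. It builds a constructed xinetd-style file in which "service finger" lands on an even-numbered line, then contrasts an unconditional N (which pairs lines 1+2, 3+4, 5+6 ... and so never sees "service finger" and "{" together) with the N anchored to the matching line.

```shell
#!/bin/sh
# Added example, not from the original post: why an unconditional N can miss.
# "sed -e N -e s/.../" joins lines 1+2, 3+4, 5+6, ... so a two-line pattern is
# only seen when its first line is odd-numbered. Attaching N to an address
# joins exactly the pair that starts at the matching line, wherever it sits.

write_sample() {  # constructed xinetd-style file; "service finger" is line 6
    printf '%b\n' '# constructed sample' 'service telnet' '{' '\tdisable = no' '}' \
        'service finger' '{' '\tserver = /usr/sbin/in.fingerd' '}' > "$1"
}

naive_disable() {  # unconditional N: pairs (5,6) and (7,8) never hold "service finger\n{"
    sed -i -e N -e "s/service finger\n{/service finger\n{\n\tdisable = yes/g" "$1"
}

disable_finger() {  # N only after the matching line, so the pair always forms
    sed -i -e '/^service finger$/{N;s/\n{$/&\n\tdisable = yes/}' "$1"
}

count_disabled() {  # how many "disable = yes" lines the file now contains
    grep -c 'disable = yes' "$1"
}

tmp=$(mktemp)
write_sample "$tmp"; naive_disable "$tmp"
echo "unconditional N: $(count_disabled "$tmp") service(s) disabled"
write_sample "$tmp"; disable_finger "$tmp"
echo "anchored N:      $(count_disabled "$tmp") service(s) disabled"
rm -f "$tmp"
```

Move the telnet block so that "service finger" sits on an odd line and the unconditional form happens to work, which is exactly why the pitfall is easy to miss in testing.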

Posted by dcarter at 11:38 AM | TrackBack

May 13, 2005

Catching up

These Guru Labs blogs were created to allow us instructors to share information that was historically shared via internal mailing lists. There have been a large number of very interesting and powerful tips/tricks, as well as funny/useful websites. I have personally combed the archives of these mailing lists and have compiled quite a list of URLs.

These URLs are classified into 5 categories: HowTo's, Articles, Misc Info, Cool Stuff, and General Geek.

HowTo's

Red Hat anti UCE HowTo -- This page walks through the steps to help secure postfix against Unsolicited Commercial Email or SPAM.

Real-Life ps memory output -- This howto deals with getting the "real" world memory usage, as the output from the ps command shows shared memory.

As a Linux instructor I have found many different pages useful for giving talks and doing presentations:
Giving Lightning Talks and Conference Judo

Creating Your Own YUM Repo -- YUM is an extremely exciting package management tool. Now you can create your own repo of packages you have.

Udev Rules -- Udev can be confusing; having your /dev directory re-arranging itself on you can cause headaches. This howto helps in the creation of udev rules.

IP addresses + sort -- Ever had a flat file with IP addresses in it? Wanted to sort those IP addresses? Forget perl/python/awk or some other programming language. GNU sort can handle this just fine.

Articles

Linux Code Red -- In an interesting article in the Salt Lake City Weekly, Guru Labs' own Dax Kelson was quoted while talking about the ongoing SCO lawsuit.

Fedora Core 4 Plans -- It's almost too late to post this, but seeing as how FC4 has yet to be released I thought I'd go ahead. LWN shows us what is upcoming in the new release of Fedora Core.

Intel & Centrino -- Some long awaited news that would allow Linux to become a Centrino certified OS. Really good news for those laptop vendors that have Linux as an option for the OEM OS. *hint hint*

Fedora Extras -- Other great news! Fedora Extras, packages that aren't shipped with the default distribution yet are still quite popular, have been made available for download via YUM enabled repositories.

Misc Info

RHCT & RHCE Exam Prep -- Straight from the horse's mouth you have an exam prep guide to help prepare you for the RHCT and RHCE exams. These guides are about the best you can come by.

RHCE FAQ -- Because the RHCT and RHCE exams can be pretty stressful there are many questions you may have. Because of the confidential nature of the exams many of the specifics cannot be shared. This URL is a FAQ for the RHCE exam which tries to answer as many questions as possible.

RAID Levels -- Ever wondered what the difference between RAID-7 and RAID-5 is? This URL does a pretty decent job of explaining RAID in simple-to-understand terms.

Cool Stuff

Google SMS -- Google is only as far away as your SMS enabled phone. How cool is that?

Music Plasma -- Locate music based on style: just plug in one of your favorite band's names and a graphical representation of the relationships between different groups shows up on your screen. This service has recently been updated to work with movies as well.

Tovid -- DVD authoring available to the Linux user.

Infrared Webcam -- How to make your webcam see in the dark. (well somewhat)

DHTML Lemmings -- A Lemmings clone done in JavaScript and DHTML. Impressive indeed!

Generic Geek

Caffeine High Help -- I'm the first to admit that I have a caffeine addiction. Any of you who know me can vouch for that. When I found this article which talks about ways of extending your caffeine high, I was in heaven. Now I am almost never seen without a bottle of Bawls and a grapefruit on deadline days.

Choice of Distro -- What your choice of distro tells about you. I'm a Fedora Core user, make your own assumptions as to the truth of this article.

Sleeping in Airports -- Ok, so this one isn't really a "geek" link. It is however something that I've gotten used to. The budget traveler's guide to sleeping in airports. Why not?


This concludes the catching up entry to Goozbach's techtips, have a safe trip home and don't forget to tip your waiter/waitress. Goodnight!

Posted by dcarter at 01:13 PM | TrackBack

May 12, 2005

You TWIT!

Don't get alarmed, I'm not being demeaning. TWIT is just an acronym. An acronym that has made me all sorts of (howdy Brent) excited!!! Why am I excited? Well let me tell you. TWIT stands for This Week In Tech, a podcast which talks about many different aspects of technology today. This podcast features guests that share their views, a site of the week, and a generally geeky good time. You may be wondering, "Why then is this such a good podcast?" or thinking, "I've heard of a myriad of podcasts like this." Let me explain my joy.

This is no ordinary podcast. This podcast features some of the guys that are Gods in the technology world: Leo Laporte, Patrick Norton, Kevin Rose, Robert Heron, and others. YES! That is the old Screensavers crew!!! Now you can see why I'm so excited.

For those of you who aren't really superbigjumbo geeks like myself: The ScreenSavers was an awesome tech-related show that was on the old TechTV network. Since G4's buyout of TechTV the show has somewhat changed formats and gotten rid of much of the beloved talent. The great programming that was once TechTV has now become a sad shadow of what it once was.

So I was extremely excited when I stumbled across an entry on Leo's blog that stated that he was working on this podcast. I have since listened to all four episodes of the weekly podcast and I am enjoying them immensely. Hopefully, with the listeners' support, they'll keep it up.

goozbach out!

Posted by dcarter at 07:49 PM | TrackBack

March 08, 2005

Archatecting a Plot

For some time now I've been writing code, doing web development, creating documents, etc. I've learned that the more of this you do, the more important a good RCS (revision control system, for you laypersons out there) can be. The bigger a project gets, the more important source code control becomes.

In the past, CVS has been the de-facto standard of the RCSs out there; I don't think there's a programmer who hasn't at least heard of it. CVS makes it very easy to keep track of the source code and who's doing what with it.

There are a few downsides to CVS however, and it's starting to show its age. One of the biggest problems with CVS and its way of doing things is the open source paradigm (I'm gonna take what you've done, and make it better), commonly known as a distributed repository. It's difficult, to say the least, to accomplish this with CVS.

Enter arch, or more correctly tla arch. It gives you the ability to break off from the main repository and work on a branch yourself, committing changes and the whole nine yards. You can also merge these changes back into the main branch at any time in a smart fashion.

Now, I am, by no stretch of the imagination, an arch master/guru/demi-god; I just do relatively simple source code control. I therefore refer to a mailing list post that very well describes an arch "success story."

There are quite a few resources out there for learning about arch, not least of which is the arch wiki (link posted above). However, there are many command-line options and commands that go into making arch a robust program, so it can be kind of disarming to get into arch with no previous knowledge of an RCS, or transitioning from CVS. Brett Rasmussen (author of the above mailing list post) was kind enough to make up a little cheat sheet for those of us who don't really like digging through the wiki or the online help. And I thank him for letting me post it here.

Hopefully this info is of use to you, I know that I've benefited from it quite a bit.

derek

Posted by dcarter at 04:54 PM | TrackBack

March 01, 2005

New Guru Guide::Router on a stick

I just created my first guruguide:
Router on a Stick

Check it out.
neato tricko

derek

Posted by dcarter at 05:20 PM | TrackBack

February 28, 2005

Mo:blog to your heart's content

This post sent from my treo650 using Mo:blog
I love technology.
Watch for more awesome posts in the near future.

Posted by dcarter at 04:49 PM | TrackBack

Security/Insecurity

Have a heterogeneous network?
Use a bunch of different network appliances?
Think things are as secure as possible?
Like using default settings?
You might be in for a rude awakening...

you want this link:

Default passwords and logins

enjoy, and secure those systems...
you're only as strong as your weakest link.

derek

Posted by dcarter at 09:34 AM | TrackBack