OpenSUSE Linux Rants

Tell me you haven’t always wanted to do this.

¡Por fin! It’s about time they did something like this with OpenSUSE Linux. Uses for this are infinite. What a fantastically cool concept.

From the site, “Novell has launched a new service called SUSE Studio that makes it easy to build software appliances. Ars gives it a spin and find it’s an excellent tool for building virtual appliances.”

Now honestly, who couldn’t use that?

Check this out: “Novell has launched a new Web service called SUSE Studio that simplifies the process of building Linux-based software appliances. It provides a convenient interface for creating custom versions of Novell’s SUSE Linux distribution with specialized configurations. The service is part of Novell’s broader SUSE Appliance Program initiative.”

“Enterprise software deployment comes with a lot of serious technical challenges. Getting a complex piece of server software up and running on backend infrastructure often requires system administrators to wrestle with dependencies and configuration issues. Software appliances are increasingly viewed as a compelling solution to this problem.”

“A software appliance is a preconfigured stack that includes a software program and its dependencies bundled with a minimal operating system image that can get the program up and running with the smallest possible resource footprint. This concept is often referred to as “Just Enough Operating System” (JeOS).”

“SUSE Studio allows users to build software appliances on top of SUSE Enterprise Linux or OpenSUSE. It offers several templates that can be used as a starting point, including a minimal JeOS template, a server template, a minimal X11, KDE, and GNOME templates. After selecting a base template, users can customize it and add additional software.”

The versatility of Linux never ceases to blow my mind. I mean, to each their own, but if you are looking for the X-11 of consumer-level operating systems, Linux stands up to the test, tell you what (tell your mom, too).

Enough of my yammering about this new OpenSUSE project. Take a look at the screen shots and full story:

Linux appliances made easy with SUSE

When you have the level of paranoia that I do, being able to generate ultra-secure passwords is a very nice thing.

My bash prompt is also something I take great pride in. Not only that, I really like it.

Well guess what, folks… you can do both with the same file. This would be your .bashrc file. Here’s a basic look at my prompt:

[1850][scott@laptop:~]$

It shows me the time, the account with which I am logged in, the hostname of the local machine, and the present working directory. All handy things to know.

Now, for the password generation thing, check this out:

[1855][scott@laptop:~]$ genpasswd 64
(#b-p>yi>ojSw@oS6PN,uo_A`;.}DuyfG{levk[Q$UgfrmAkE^t|&)dZb!Nry;
[1855][scott@laptop:~]$

You can make rainbow tables ’til the end of time, and let John the Ripper go on the /etc/shadow file with that password in it, and you ain’t gonna be cracking that password.

If this is interesting to you, or you have other suggestions of a similar nature, please, let’s have ’em.

That all said, here’s the .bashrc file that makes this prompt and password generator possible:

# /etc/skel/.bashrc:                                          
# This file is sourced by all *interactive* bash shells on startup.  This
# file *should generate no output* or it will break the scp and rcp commands.

# colors for ls, etc.
eval `dircolors -b /etc/DIR_COLORS`
alias d="ls --color"
alias ls="ls --color=auto"
alias ll="ls -al --color"

# Change the window title of X terminals
case $TERM in
        xterm*|rxvt|Eterm|eterm)
                PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/$HOME/~}\007"'
                ;;
        screen)
                PROMPT_COMMAND='echo -ne "\033_${USER}@${HOSTNAME%%.*}:${PWD/$HOME/~}\033\\"'
                ;;
esac

##uncomment the following to activate bash-completion:
#[ -f /etc/profile.d/bash-completion ] && source /etc/profile.d/bash-completion


function proml {
local       BLUE="\[\033[0;34m\]"
local        RED="\[\033[0;31m\]"
local  LIGHT_RED="\[\033[1;31m\]"
local      WHITE="\[\033[1;37m\]"
local LIGHT_GRAY="\[\033[0;37m\]"
case $TERM in
    xterm*)
        TITLEBAR='\[\033]0;\u@\h:\w\007\]'
        ;;
    *)
        TITLEBAR=""
        ;;
esac

PS1="${TITLEBAR}\
$BLUE[$RED\$(date +%H%M)$BLUE]\
$BLUE[$LIGHT_RED\u@\h:\w$BLUE]\
$WHITE\$$LIGHT_GRAY "
PS2='> '
PS4='+ '
}

proml

alias ifconfig="/sbin/ifconfig"

genpasswd() {
        local l=$1
        [ "$l" == "" ] && l=20
        tr -dc A-Za-z0-9\-_~\!@#$%^\&*\(\)\\\`\+\[\{\]\}\|\;:\",\<.\>/?\= < /dev/urandom | head -c ${l} | xargs
}

Hope that's as useful for you as it has been for me.

Linux has so many marvelous tools. The great part about this is that you can combine the tools to make new tools. As you may know, there have been previous postings about a tool called ‘sup’ which tells you some useful information about the linux box into which you are logged. Having so many terminal windows open, and screen sessions going, it’s easy to get lost in the labyrinth of connections and sessions. This tool clears all that up for you really quick.

Since the last version, the most significant change is the ability to determine which version of which Linux distribution you are using.

Here is some sample output:

<=== SYSTEM ===>
  Distro info:  Welcome to openSUSE 11.1 - Kernel \r (\l).
  Kernel:       Linux laptop 2.6.27.19-3.2-pae #1 SMP 2009-02-25 15:40:44 +0100 i686 i686 i386 GNU/Linux
  Uptime:        9:20am  up   0:47,  1 user,  load average: 0.64, 0.54, 0.38
  Memory:       Total: 1986Mb   Used: 730Mb     Free: 1256Mb
  Swap:         Total: 4180Mb   Used: 0Mb       Free: 4180Mb
  Architecture: i686
  Processor:    0 : Intel(R) Core(TM) Duo CPU T2250 @ 1.73GHz
  Processor:    1 : Intel(R) Core(TM) Duo CPU T2250 @ 1.73GHz
  Date:         Tue Jul 21 09:20:09 MDT 2009

<=== USER ===>
  User:         scott (uid:1000)
  Groups:       users www
  Working dir:  /home/scott
  Home dir:     /home/scott

<=== NETWORK ===>
  Hostname:     laptop
  IP (lo):      127.0.0.1/8
  IP (lo):      127.0.0.2/8
  IP (eth0):    10.245.106.6/24
  Gateway:      10.245.106.1
  Name Server:  10.45.106.10

I don’t like it when people try and hack my web servers. To make myself aware of people trying to access my ssh daemon, I wrote me a little script. Yup, I’m certainly aware of DenyHosts. Notwithstanding, in the hopes that this script may find use elsewhere, I post it here. Behold, enjoy, and chuckle a bit at how much better you could write it. Then, let me know how you’d improve it:

#!/bin/sh
LOGFILE=/root/hack_attempts
IFS=$'\n'
PATTERN="^"`date --date="1 minute ago" "+%b %e %H:%M:"`""
tail -n 1000 /var/log/messages | grep ""$PATTERN"" | grep sshd | grep -i "invalid user" | grep " from " > "$LOGFILE"
if [ $(stat -c%s "$LOGFILE") -gt 0 ] ; then
	echo "See the attached log for details" | mailx -a "$LOGFILE" -s "Possible hack attempt" YOUREMAIL@YOURDOMAIN.COM
fi
rm "$LOGFILE"

Copy it to your /root folder. Name it something cool like ‘ssh_foghorn’, and chmod +x it to make it executable. Put it in your /etc/crontab file to run once every minute. Make sure you set the system log to whatever your distro uses. And change the email address to your own. Doesn’t cure cancer, but for 8 lines of code, it does what it needs to.

Again, I’m sure there are better ways to do this, so let’s hear ’em!

Once in awhile, it’s nice to block hostile machines on the kernel level. Specifically, this is done with iptables or ipchains. Iptables if you are living in this millenium.

If a specific host is known to be hostile, execute the ‘whois’ command on the ip address. This will give you the IP range of the organization assigned the ip block to which the offending ip belongs. If it is outside of the country and you only service clients inside your country, it doesn’t hurt to block the whole ip range. So, we’re going to block a hostile block from China. As root, run the following command:

iptables -I INPUT -s 125.71.214.0/24 -j DROP

Why not REJECT instead of drop? This adds a rule to the firewall that simply drops the packets. This is more annoying to the other end because they never get a response. If you explicitly reject the packets, they get a message to the effect instantaneously. You want them to have to wait. It slows them down, which is bad for them.

To list the rules in the INPUT chain:

iptables –line-numbers -L INPUT

To delete a rule from the INPUT chain:

iptables -D INPUT [line number]

ex. iptables -D INPUT 1

Would delete the first rule in the INPUT chain.

Cool subnet calculator at : http://www.subnet-calculator.com/

Helpful comments with more useful or better commands welcome.

This came in my email…. 🙂

Sucks to be a Windows user.

IT: Korean DDoS Bots To Self-Destruct on Thursday July 09, @11:41PM
Posted by timothy on Thursday July 09, @11:41PM
from the someone-needs-a-little-hanging-before-bed dept. security tsu doh nimh writes “Several news sources are reporting that the tens of thousands of Microsoft Windows systems infected with the Mydoom worm and being used in an ongoing denial of service attack against US and S. Korean government Web sites will likely have their hard drives wiped of data come Friday. From The Washington Post’s Security Fix blog, the malware is ‘designed to download a payload from a set of Web servers. Included in that payload is a Trojan horse program that overwrites the data on the hard drive with a message that reads “memory of the independence day,” followed by as many “u” characters as it takes to write over every sector of every physical drive attached to the compromised system.’ ChannelNews Asia carries similar information.”

Right you are, my good man.

“I told you so” just doesn’t even come close. The London Stock Exchange was running Windows, crashed, and is now switching to Linux. Go figure.

Excerpt:

“Anyone who was ever fool enough to believe that Microsoft software was good enough to be used for a mission-critical operation had their face slapped this September when the LSE (London Stock Exchange)’s Windows-based TradElect system brought the market to a standstill for almost an entire day. While the LSE denied that the collapse was TradElect’s fault, they also refused to explain what the problem really was. Sources at the LSE tell me to this day that the problem was with TradElect.”

“TradElect runs on HP ProLiant servers running, in turn, Windows Server 2003. The TradElect software itself is a custom blend of C# and .NET programs, which was created by Microsoft and Accenture, the global consulting firm. On the back-end, it relied on Microsoft SQL Server 2000. Its goal was to maintain sub-ten millisecond response times, real-time system speeds, for stock trades.”

Read “London Stock Exchange to abandon failed Windows platform”