Vim tips: The basics of search and replace

Vim beginners may be puzzled when it comes to doing search and replace operations in Vim. The syntax can be a bit arcane, but after you've practiced, it becomes second nature. Let's take a look at how easy it can be.

Let's start by looking at searches and doing search and replace operations within Vim. You can do a search in normal mode by using /searchstring . This will search forward through the file for searchstring . Likewise, running ?searchstring will search backwards through the file.

After running a search once, you can repeat it by using n in command mode, or N to reverse direction.

When you want to search for a string of text and replace it with another string of text, you can use the syntax :[range]s/search/replace/. The range is optional; if you just run :s/search/replace/, it will search only the current line and match only the first occurrence of a term.

Most of the time, that's not sufficient, so you can add a range like so:

:8,10 s/search/replace/g

In that example the range is from line 8 to line 10. I've also added the "global" option, which tells Vim to replace every occurrence on a line, and not just the first occurrence. Without adding g, your search will match only the first instance of a string in any given line.

Another way to specify the range is to enter visual mode and select the lines that you want to search, and then press : to enter command mode. To enter visual mode from normal mode, press v to select regular visual mode, or V for line selection, or Ctrl-v for block selection. Then select the range in visual mode and press :, followed by the search command you wish to use.

If you want to search an entire file, you can use % to indicate that as the range:

:%s/search/replace/g

You may also wish to be asked for confirmation before Vim makes a substitution. To do this, add the confirm (c) option to the end of the search and replace command: :%s/search/replace/gc. When you run this search, Vim will give you a prompt that looks something like this:

replace with foo (y/n/a/q/l/^E/^Y)?

The "y" and "n" are self-explanatory, but what about the rest? To tell Vim to go ahead and replace all instances of the matched string, answer with a. If you realize that you don't really want to make the changes, you can tell Vim to quit the operation using q. To tell Vim to make the current change and then stop, use l, for last.

^E and ^Y allow you to scroll the text using Ctrl-e and Ctrl-y.

Where you land

Searches in Vim put the cursor on the first character of the matched string by default; if you search for Debian, it would put the cursor on the D. That's usually fine, but Vim has a few options for offsetting the cursor placement from the beginning of the matched string.

To land on the last character in the matched string, rather than the beginning, add an /e to your search:

/Debian/e

That will place the cursor on the n rather than the D. Vim also allows you to specify a cursor offset by line, or from the beginning or end of the string. To have the cursor land two lines above a matched string, for example, use /string/-2. To place the cursor two lines below the string, use /string/+2.

To offset from the beginning of the string, add a /b or /s with the offset that you want. For example, to move three characters from the beginning of the search, you'd use /string/s+3 or /string/b+3 -- "s" for "start" or "b" for "begin." To count from the end of the string, use /e instead, so /string/e-3 will place the cursor on the third character from the last character of the matched string.

Read More

Setting up DNS

When it comes to DNS setup Ubuntu doesn’t differ from other distributions. You can add hostname and IP addresses to the file /etc/hosts for static lookups.

To cause your machine to consult with a particular server for name lookups you simply add their addresses to /etc/resolv.conf.

sudo vi /etc/resolv.conf

enter the following details

search microsoft.com
nameserver 192.168.5.1

Read More

Setting your ubuntu stytem hostname

Setting up your hostname upon a ubuntu installation is very straightforward. You can directly query, or set, the hostname with the hostname command.

As an user you can see your current hostname with

sudo /bin/hostname

Read More

Configuring Static IP address for your network card

sudo vi /etc/network/interfaces

The primary network interface

auto eth0
iface eth0 inet static
address 192.168.3.90
gateway 192.168.3.1
netmask 255.255.255.0
network x.x.x.x
broadcast x.x.x.x

If u need 2nd one

auto eth0:1
iface eth0:1 inet static
address 192.168.1.60
netmask 255.255.255.0
network x.x.x.x
broadcast x.x.x.x
gateway x.x.x.x

Read More

RT - Installation Guides

Generic installation guide

* ManualRequirements - software and knowledge you need to install RT.
* ManualInstallation - general overview of installation process and first time configuring.
* DevelopmentInstallation - HOWTO setup RT to run from a development directory

Platform-specific installation guides
Source installation

* CygwinInstallGuide
* Debian GNU/Linux:
o DebianEtchSourceInstallGuide
o DebianStableInstallGuide
* Fedora:
o FedoraCore1InstallGuide
o FedoraCore2InstallGuide
o FedoraCore4InstallGuide
o Fedore Core 5 and greater have packages, see below
* MacOSXServerInstallGuide
* OpenBSD38InstallGuide
* RHEL4InstallGuide
* SlackwareInstallGuide
* SolarisInstallGuide
* SuSE:
o OpenSuSE103InstallGuide
o OpenSuSE101InstallGuide
o SuSE93InstallGuide
o SuSEOracleInstall

Packaged RT systems

* Rhel5InstallGuide
* CentOS5InstallGuide
* DebianInstallGuide
o Portuguese translation: GuiaInstalacaoDebian
* Fedora:
o FedoraCore5InstallGuide
o FedoraCore6InstallGuide
o FedoraCore7InstallGuide
* FreeBSDInstallGuide
* GentooInstallGuide
* MandrivaInstallGuide
* RPMInstall
o (RHEL/CentOS/WBEL, updated for v3.4.5. Includes how to get mod_perl2 running)
* SolarisBlastwaveInstallGuide
* SuSE:
o OpenSUSE103InstallGuide
* Ubuntu:
o UbuntuInstallGuide
o UbuntuInstallGuide2 (Ubuntu 6.06 / RT 3.6 / mysql)
o UbuntuHardyInstallGuide (Ubuntu 8.04 / RT 3.6 / mysql)
* WindowsOSInstallGuide

Database Specific Notes

* OracleSetup
* RT with OracleText

Web Server Specific Notes

* LighttpdFastCGIGuide

Upgrading

* MigrateToNewServer
* UpgradingFrom3011To344OnSolaris9

Other

* CompilingPerl
* ManualApache
* InstallMailgateOnly

Next Steps

* ItsFinallyInstalledNowWhat

Deployment guides

Documents which explain why and which way, rather than how.

* The MITProjectNotebook, especially the Documentation page, which includes a 15 page PDF User's Manual.

This wiki software sucks. This text has to be here for the bullet point above to render correctly.

Read More

How To Install And Use gDesklets On Ubuntu 8.04

Installation
sudo apt-get install gdesklets gdesklets-data

Read More

User Authentication HOWTO

New versions

When I get my domain up running properly, you'll be able to find the newest version of this document there. Until then, http://www.linuxdoc.org/ will have to suffice.
Feedback

Comments, corrections, suggestions, flames, and flying saucer sightings can be sent to petehern@yahoo.com.
Version History

v0.1 (May 13, 2000) first version (not released).

v0.3 (May 14, 2000) revised (not released).

v0.5 (May 15, 2000) added section on securing pam, added resources section (not released).

v0.7 (May 15, 2000) revised; ready for release.
Copyrights and Trademarks

(c) 2000 Peter Hernberg

This manual may be reproduced in whole or in part, without fee, subject to the following restrictions:

*

The copyright notice above and this permission notice must be preserved complete on all complete or partial copies
*

Any translation or derived work must be approved by the author in writing before distribution.
*

If you distribute this work in part, instructions for obtaining the complete version of this manual must be included, and a means for obtaining a complete version provided.
*

Small portions may be reproduced as illustrations for reviews or quotes in other works without this permission notice if proper citation is given. Exceptions to these rules may be granted for academic purposes: Write to the author and ask. These restrictions are here to protect us as authors, not to restrict you as learners and educators. Any source code (aside from the SGML this document was written in) in this document is placed under the GNU General Public License, available via anonymous FTP from the GNU archive.

Acknowledgements and Thanks

Thanks to my family for putting up with me for 18 years. Thanks to the Debian folks for making such a sweet distro for me to play with. Thanks to CGR for paying me to be a geek. Thanks to Sandy Harris for his helpful suggestions. Finally, I'd like thank the makers of ramen noodles, because I don't know how I'd live without them.
Assumptions about the reader

For the purpose of this document, it is assumed that the reader is comfortably with executing commands at the command line and editing text configuration files.
How User Information is Stored on Your System
/etc/passwd

On almost all linux distributions (and commercial *nixes as well), user information is stored in /etc/passwd, a text file which contains the user's login, their encrypted password, a unique numerical user id (called the uid), a numerical group id (called the gid), an optional comment field (usually containing such items as their real name, phone number, etc.), their home directory, and their preferred shell. A typical entry in /etc/passwd looks something like this:

pete:K3xcO1Qnx8LFN:1000:1000:Peter Hernberg,,,1-800-FOOBAR:/home/pete:/bin/bash


As you can see, it's pretty straight-forward. Each entry contains the six fields I described above, with each field separated by a colon. If this were as complex as user authentication got, there would be no need for this HOWTO.
Shadow passwords

Looking at your /etc/passwd, it's likely that you actually saw something like this:

pete:x:1000:1000:Peter Hernberg,,,1-800-FOOBAR:/home/pete:/bin/bash


Where did the encrypted password go? Before I tell you where it went, a bit explanation is required.

The /etc/passwd file, which contains information about all users, including their encrypted password, is readable by all users, making it possible for any user to get the encrypted password of everyone on the system. Though the passwords are encrypted, password-cracking programs are widely available. To combat this growing security threat, shadow passwords were developed.

When a system has shadow passwords enabled, the password field in /etc/passwd is replaced by an "x" and the user's real encrypted password is stored in /etc/shadow. Because /etc/shadow is only readable by the root user, malicious users cannot crack their fellow users' passwords. Each entry in /etc/shadow contains the user's login, their encrypted password, and a number of fields relating to password expiration. A typical entry looks like this:

pete:/3GJllg1o4152:11009:0:99999:7:::


/etc/group and /etc/gshadow

Group information is stored in /etc/group. The format is similar to that of /etc/passwd, with the entries containing fields for the group name, password, numerical id (gid), and a comma-separated list of group members. An entry in /etc/group looks like this:

pasta:x:103:spagetti,fettucini,linguine,vermicelli


As you can see from the "x" in the password field, group passwords can be shadowed as well. Although groups almost never have their own passwords, it is worth noting that shadowed group password information is stored in /etc/gshadow.
MD5 encrypted passwords

Traditionally, unix passwords were encrypted with the standard crypt() function. (For more information on the crypt() function, see the crypt(3) manpage.) As computers grew faster, passwords encrypted with this function became easier to crack. As the internet emerged, tools for distributed the task of password-cracking across multiple hosts became available. Many newer distributions ship with the option of encrypting passwords with the stronger MD5 hash algorithm. (For more information on the MD5 hash algorithm, consult RFC 1321.) While MD5 passwords will not eliminate the threat of password cracking, they will make cracking your passwords much more difficult.
Sifting through the mess

As you can see, there are a number of different ways user authentication information can be stored on your system (shadow passwords without MD5 encryption, /etc/passwd passwords with MD5 encryption, etc.). How do programs like login and su know how to verify your password? Worse yet, what if you wanted to change the way passwords are stored on your system? How will programs that need your password know that passwords are stored differently? PAM is the answer.
PAM (Pluggable Authentication Modules)

Pluggable authentication modules are at the core of user authentication in any modern linux distribution.
Why

Back in the good old days of linux, if a program, such as su, passwd, login, or xlock, needed to authenticate a user, it would simply read the necessary information from /etc/passwd. If it needed to change the users' password, it would simply edit /etc/passwd. This simple but clumsy method presented numerous problems for system administrators and application developers. As MD5 and shadow passwords became increasingly popular, each program requiring user authentication had to know how to get the proper information when dealing with a number of different schemes. If you wanted to change your user authentication scheme, all these programs had to be recompiled. PAM eliminates this mess by enabling programs to transparently authenticate users, regardless of how user information is stored.
What

Quoting from the Linux-PAM System Administrator's Guide: "It is the purpose of the Linux-PAM project to separate the development of privilege granting software from the development of secure and appropriate authentication schemes. This is accomplished by providing a library of functions that an application may use to request that a user be authenticated." With PAM, it doesn't matter whether your password is stored in /etc/passwd or on a server in Hong Kong. When a program needs to authenticate a user, PAM provides a library containing the functions for the proper authentication scheme. Because this library is loaded dynamically, changing authentication schemes can be done by simply editing a configuration file.

Flexibility is one of PAM's greatest strengths. PAM can be configured to deny certain programs the right to authenticate users, to only allow certain users to be authenticated, to warn when certain programs attempt to authenticate, or even to deprive all users of login privileges. PAM's modular design gives you complete control over how users are authenticated.
Distributions that support pam.

Nearly all popular distributions have supported PAM for some time. Here's an incomplete list of distributions that support PAM:

*

Redhat since version 5.0
*

Mandrake since 5.2
*

Debian since version 2.1 (partial support in 2.1 -- complete support in 2.2)
*

Caldera since version 1.3
*

Turbolinux since version 3.6
*

SuSE since version 6.2

This list is certainly incomplete and possibly inaccurate. I'd appreciate it if you sent any corrections or additions to this list to .
Installing PAM

Installing PAM from scratch is long process, beyond the scope of this HOWTO. If PAM isn't installed on your system, you're probably running such an old version of your distribution that there are many other reasons to upgrade. If you really want to do it yourself, then you're certainly not the sort of person who needs any help from me. For all these reasons, I'm going to assume that you already have PAM installed.
How

Enough talk, let's dig in.
PAM configuration files

PAM configuration files are stored in the /etc/pam.d/ directory. (If you don't have /etc/pam.d/ directory, don't worry, I'll cover that in the next section) Let's go over there and take look.

~$ cd /etc/pam.d
/etc/pam.d/$ ls
chfn chsh login other passwd su xlock
/etc/pam.d/$


Your system may have a few more or a few less files in this directory, depending on what's installed on your system. Whatever the details, you probably saw a file for each of the programs on your system that authenticate users. As you probably already guessed, each file contains the PAM authentication configuration for the program it's named after (except for the other file, which we'll talk about in a little bit). Let's take a look the PAM configuration file for passwd (I've condensed the file for the sake of simplicity):

/etc/pam.d/$ cat login
# PAM configuration for login
auth requisite pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_unix.so nulok
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so
password required pam_unix.so nullok obscure min=4 max=8


Before dig into this file, I must mention a little something.
A little something

A small percentage are probably thinking, "Oh no! I don't have a /etc/pam.d directory! Your list of distributions says that my distribution includes PAM, but I can't find that directory. Without PAM, my life is empty and meaningless! What can I do?" Don't worry, all is not lost. If you know that your distribution includes PAM, but you have no /etc/pam.d/ directory, then your PAM configuration is stored in /etc/pam.conf. Rather than being spread across several files, all your PAM configuration is stored in a single file. This adds a little twist to PAM configuration, but the proper adjustments are pointed out in section 3.3.4.
Configuration syntax

PAM configuration files have the following syntax:

type control module-path module-arguments


Using the login configuration file (see above) as an example let's take a look a the syntax for PAM configuration files:

PAM configuration tokens

type

The type token tells PAM what type of authentication is to be used for this module. Modules of the same type can be "stacked", requiring a user to meet multiple requirements to be authenticated. PAM recognizes four types:

# account

Determines whether the user is allowed to access the service, whether their passwords has expired, etc.
auth

Determines whether the user is who they claim to be, usually by a password, but perhaps by a more sophistcated means, such as biometrics.
password

Provides a mechanism for the user to change their authentication. Again, this usually their password.
session

Things that should be done before and/or after the user is authenticed. This might included things such as mounting/unmounting the user home directory, logging their login/logout, and restricting/unrestricting the services available to the user.

In the login config file, we see at least one entry for each type. Since this the program that allows user to login (hence the name :), it's understandable that it needs to access all of the different types of authentication.
control

The control token tells PAM what should be done in if authentication by this module fails. PAM recognizes four control types:

# requisite

Failure to authenticate via this module results in immediate denial of authentication.
# required

Failure also results in denial of authentication, although PAM will still call all the other modules listed for this service before denying authentication.
sufficient

If authentication by this module is successful, PAM will grant authentication, even if a previous required module failed.
optional

Whether this module succeeds or fails is only significant if it is the only module of its type for this service.

In the configuration file for login, we see nearly all of the different control types. Most of the required modules are pam_unix.so (the main authentication module), the single requisite module is pam_securetty.so (checks make sure the user is logging in on a secure console), and the only optional module is pam_lastlogin.so (the module that retrieves information on the user's most recent login).
module-path

The module-path tells PAM which module to use and (optionally) where to find it. Most configurations only contain the module's name, as is the case in our login configuration file. When this is the case, PAM looks for the modules in the default PAM module directory, normally /usr/lib/security. However, if your linux distribution conforms to the Linux Filesystem standard, PAM modules can be found in /lib/security.
module-arguments

The module-arguments are arguments to be passed to the module. Each module has its own arguments. For example, in our login configuration, the "nulok" ("null ok", argument being passed to pam_unix.so module, indicating the a blank ("null") password is acceptable ("ok").

pam.conf configuration

If your PAM configuration is stored in /etc/pam.conf rather than /etc/pam.d/, PAM configuration lines are a bit different. Rather than each service having its own configuration file, all configurations are stored in /etc/pam.conf with the service name as the first token in a configuration line. For example, the following line in /etc/pam.d/login:

auth required pam_unix.so nulok


would become the following line in /etc/pam.conf:

login auth required pam_unix.so nulok


Except for this minor difference, all the rest of the PAM syntax applies.
Getting more information

For more information on configuring PAM and complete PAM module reference, consult the Linux-PAM System Administrator's Guide. This guide serves as a thorough and up-to-date reference on PAM configuration.
Securing User Authentication

Many linux distributions ship with user authentication that is not adequately secure. This section discusses some of the ways you make user authentication secure on your system. While doing these things will make your system more secure, do not be so naive as to think they make you invulnerable.
A strong /etc/pam.d/other

All of the files in /etc/pam.d/ contain the configuration for a particular service. The notable exception to this rule is the /etc/pam.d/other file. This file contains the configuration for any services which do not have their own configuration file. For example, is the (imaginary) xyz service attempted authentication PAM would look for a /etc/pam.d/xyz file. Not finding one, authentication for xyz would be determined by the /etc/pam.d/other file. Since /etc/pam.d/other is the configuration to which PAM services fallback, it is important that it is secure. We will discuss two secure configurations of /etc/pam.d/other, one which is quite nearly paranoid and which is gentler.
A paranoid configuration

A paranoid configuration of /etc/pam.d/other is as follows:

auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_deny.so
session required pam_warn.so


With this configuration, whenever an unknown service attempts to access any of the four configuration types, PAM denies authentication (via the pam_deny.so module) and then logs a syslog warning (via the pam_warn.so module). Short of a bug in PAM, this configuration is brutally secure. The only problem with that brutality is it may cause problems if your accidentally delete the configuration of another service. If your /etc/pam.d/login was mistakenly deleted, no one would be able to login!
A kinder configuration

Here's configuration that isn't quite so mean:

auth required pam_unix.so
auth required pam_warn.so
account required pam_unix.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_unix.so
session required pam_warn.so


This configuration will allow an unknown service to authenticate (via the pam_unix.so module), although it will not allow it to change the user's password. Although it allows authentication by unknown services, it logs a syslog warning whenever such a service attempts authentication.
Choosing a /etc/pam.d/other

I would strongly reccomend that you implement the first /etc/pam.d/other configuration unless you have a very good reason not to. It always a good idea to be 'secure by default'. If you ever do need to grant a new service authentication privileges, you can simply create a PAM configuration file for that service.
Disabling logins for user with null passwords

On most linux systems, there a number of "dummy" user accounts, used to assign privileges to certain system services like ftp, webservers, and mail gateways. Having these accounts allows your system to be more secure, because if these services are compromised, an attacker will only gain the limited privileges available to the dummy account, rather than the full privileges of a service running as root. However, allowing these dummy account login privileges is a security risk, as they usually have blank (null) passwords. The configuration option that enables null passwords is the "nullok" module-argument. You'll want remove this argument from any modules of 'auth' type for services that allow login. This is usually the login service, may also include services like rlogin and ssh. Hence, the following line in /etc/pam.d/login:

auth required pam_unix.so nullok


should be changed to:

auth required pam_unix.so


Disable unused services

Looking at the files in /etc/pam.d/, you'll probably see configuration files for a number of programs you don't use and maybe even a few you've never heard of. Although allowing authentication to these services probably won't open any huge security holes, you're better off denying them authentication. The best way to disable PAM authentication for these programs is to rename these files. Not finding the file named after the service requesting authentication, PAM will fallback to the (hopefully) very secure /etc/pam.d/other. If you later find that you need one of these programs, you can simply rename the file to its original name and everything will work as it was intended.
Password-cracking tools

While password-cracking tools can be by attackers used to compromise a system, they can also be used by system administrators as proactive tool to ensure the strength of passwords on their system. The two most commonly used password-cracking tools are "crack" and "John the Ripper". Crack is probably included in your facorite distribution. John the Ripper can be obtained from http://www.false.com/security/john/index.html. Run the tools against your password database and you'll probably be surprised with what they come up with.

Additionally, there is a PAM module which utilizes the crack library to check the strength of a users password whenever it changed. When this module is installed, the user can only change their password to one which meets the minimum password strength.
Shadow and MD5 passwords

As was discussed in the first section of this document, Shadow and MD5 passwords can make your system more secure. During the installation procedure, most modern distributions will ask whether you want to install MD5 and/or Shadow passwords. Unless you have a good reason not to, you should enable these. The process of converting from non-shadowed/non-MD5 passwords is a complicated process, and is beyond the scope of this document. The Shadow Password HOWTO is outdated, but it might be of some help.
Tying it all together

In this section, I'll give a simple example which ought to help tie together what's in the previous section.
Apache + mod_auth_pam

As our example, we'll install and configure mod_auth_pam, an Apache module that allows you to use authenticate users of your webserver using PAM. For the purpose of this example, I'll assume you have apache installed. If it's not installed already you should be able find installation packages from your distributor.
Our example

Our goal will be to configure a restricted area of our webserver, a family/ directory, to authenticate users via PAM. This directory contains private family information, and should only be accessible to members of the user group family.
Installing mod_auth_pam

First, you'll want to download mod_auth_pam from http://blank.pages.de/pam/mod_auth_pam/. The following commands will compile mod_auth_pam (you must be logged in as root):

~# tar xzf mod_auth_pam.tar.gz
~# cd mod_auth_pam-1.0a
~/mod_auth_pam-1.0a# make
~/mod_auth_pam-1.0a# make install


If you have any trouble installing the mod_auth_pam module, make sure you've installed your distributions apache-dev package. After you've installed mod_auth_pam, you'll need to restart apache. Apache can usually by restarted by typing the following command (again, you must be root):

~# /etc/init.d/apache restart


Configuring PAM

PAM configuration for Apache is stored in /etc/pam.d/httpd. The default configuration (which was installed when you installed mod_auth_pam) is secure, but it uses a module (pam_pwdb.so) which may not be available on many systems. (Besides, configuring it from scratch will be fun!) So delete the /etc/pam.d/httpd file, and let's start fresh.
Deciding how to configure PAM

If we're going to configure how PAM deals with Apache's authentication requests, we need to figure out exactly what we need PAM to check for. First, we want PAM to make sure the user's password matches their password in the standard unix password database. This sounds like the 'auth' type and the pam_unix.so module. We'll want the module's control type to be set to 'required', so authentication will fail without a correct password. Here's what the first line of our /etc/pam.d/httpd looks like:

auth required pam_unix.so


Secondly, we must make sure that the users account is valid (i.e. their password has not expired or any such nastiness). This is the 'account' type and is also provided by the pam_unix.so module. Again, we'll set this module's control type to 'required'. After adding this line, our /etc/pam.d/httpd configuration looks like this:

auth required pam_unix.so
account required pam_unix.so


It's not terribly sophisticated, but it does the job. It ought to be a good start for learning how to configure PAM services.
Configuring Apache

Now that PAM is configured to authenticate apache's requests, we'll configure apache to properly utilize PAM authentication to restrict access to the family/ directory. To do so, add the following lines to your httpd.conf (usually stored in /etc/apache/ or /etc/httpd):


AuthPAM_Enabled on
AllowOverride None
AuthName "Family Secrets"
AuthType "basic"
require group family



You may need to replace /var/www/ with the default location of web documents, which is often /home/httpd/. Wherever that is, you'll need to create the family directory.

Before we test our setup, I'll to take a moment to explain the Apache configuration you just entered. The directive is used to encapsulate configuration data for this directory. Inside this directive, we've enabled PAM authentication ("AuthPAM_enabled on"), turned off any overriding of this configuration ("AllowOverride none"), named this authentication zone "Family Secrets" ("AuthName "Family Secrets""), set the http authentication (not the PAM authentication) type to the default ("AuthType "basic""), and required the user group family ("require group family").
Testing our setup

Now that we've got everything setup up properly, it's time to revel in our success. Fire up your favorite web browser and head over to http://your-domain/family/ (replacing your-domain with, well, your domain). You are now an uber-authenticator!

Read More

Kaspersky Internet Security 2009

Kaspersky Internet Security 2009 – the all-in-one security solution that offers a worry-free computing environment for you and your family. Kaspersky Internet Security 2009 has everything you need for a safe and secure Internet experience.

Essential Protection

* Protects from all types of malware and spyware
* Scans files, email messages and Internet traffic
* Protects instant messengers (ICQ, MSN)
* Updates automatically

Extended Protection

* Two-way personal firewall
* Safe Wi-Fi and VPN connections. New!
* Intrusion prevention system

Preventive Protection

* Intelligent application management and control. New!
* Proactive protection from unknown threats
* Scans OS and applications for vulnerabilities. New!
* Disables links to malware sites. New!

Identity Theft Protection

* Disables links to phishing websites
* Virtual keyboard for safe entry of logins and passwords. New!
* Prevents theft of data via secure connections (HTTPS / SSL). New!
* Blocks unauthorized dial-up connections

Content Filtering

* Parental control
* Antispam protection


(If any one of you unable to download this key inform to me.)

Read More

Save Electricity

Read More

Active FTP vs. Passive FTP, a Definitive Explanation

Contents:

* Introduction
* The Basics
* Active FTP
* Active FTP Example
* Passive FTP
* Passive FTP Example
* Other Notes
* Summary
* References
* Appendix 1: Configuration of Common FTP Servers


Introduction

One of the most commonly seen questions when dealing with firewalls and other Internet connectivity issues is the difference between active and passive FTP and how best to support either or both of them. Hopefully the following text will help to clear up some of the confusion over how to support FTP in a firewalled environment.

This may not be the definitive explanation, as the title claims, however, I've heard enough good feedback and seen this document linked in enough places to know that quite a few people have found it to be useful. I am always looking for ways to improve things though, and if you find something that is not quite clear or needs more explanation, please let me know! Recent additions to this document include the examples of both active and passive command line FTP sessions. These session examples should help make things a bit clearer. They also provide a nice picture into what goes on behind the scenes during an FTP session. Now, on to the information...

The Basics

FTP is a TCP based service exclusively. There is no UDP component to FTP. FTP is an unusual service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins however, when we find that depending on the mode, the data port is not always on port 20.

Active FTP

In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.

From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:

* FTP server's port 21 from anywhere (Client initiates connection)
* FTP server's port 21 to ports > 1023 (Server responds to client's control port)
* FTP server's port 20 to ports > 1023 (Server initiates data connection to client's data port)
* FTP server's port 20 from ports > 1023 (Client sends ACKs to server's data port)

When drawn out, the connection appears as follows:
In step 1, the client's command port contacts the server's command port and sends the command PORT 1027. The server then sends an ACK back to the client's command port in step 2. In step 3 the server initiates a connection on its local data port to the data port the client specified earlier. Finally, the client sends an ACK back as shown in step 4.

The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make the actual connection to the data port of the server--it simply tells the server what port it is listening on and the server connects back to the specified port on the client. From the client side firewall this appears to be an outside system initiating a connection to an internal client--something that is usually blocked.

Active FTP Example

Below is an actual example of an active FTP session. The only things that have been changed are the server names, IP addresses, and user names. In this example an FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a linux box running the standard FTP command line client, to testbox2.slacksite.com (192.168.150.90), a linux box running ProFTPd 1.2.2RC2. The debugging (-d) flag is used with the FTP client to show what is going on behind the scenes. Everything in red is the debugging output which shows the actual FTP commands being sent to the server and the responses generated from those commands. Normal server output is shown in black, and user input is in bold.

There are a few interesting things to consider about this dialog. Notice that when the PORT command is issued, it specifies a port on the client (192.168.150.80) system, rather than the server. We will see the opposite behavior when we use passive FTP. While we are on the subject, a quick note about the format of the PORT command. As you can see in the example below it is formatted as a series of six numbers separated by commas. The first four octets are the IP address while the last two octets comprise the port that will be used for the data connection. To find the actual port multiply the fifth octet by 256 and then add the sixth octet to the total. Thus in the example below the port number is ( (14*256) + 178), or 3762. A quick check with netstat should confirm this information.

testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
---> USER slacker
331 Password required for slacker.
Password: TmpPass
---> PASS XXXX
230 User slacker logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PORT 192,168,150,80,14,178
200 PORT command successful.
---> LIST
150 Opening ASCII mode data connection for file list.
drwx------ 3 slacker users 104 Jul 27 01:45 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.


Passive FTP

In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.

In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.

From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:

* FTP server's port 21 from anywhere (Client initiates connection)
* FTP server's port 21 to ports > 1023 (Server responds to client's control port)
* FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
* FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)

When drawn, a passive mode FTP connection looks like this:
In step 1, the client contacts the server on the command port and issues the PASV command. The server then replies in step 2 with PORT 2024, telling the client which port it is listening to for the data connection. In step 3 the client then initiates the data connection from its data port to the specified server data port. Finally, the server sends back an ACK in step 4 to the client's data port.

While passive mode FTP solves many of the problems from the client side, it opens up a whole range of problems on the server side. The biggest issue is the need to allow any remote connection to high numbered ports on the server. Fortunately, many FTP daemons, including the popular WU-FTPD allow the administrator to specify a range of ports which the FTP server will use. See Appendix 1 for more information.

The second issue involves supporting and troubleshooting clients which do (or do not) support passive mode. As an example, the command line FTP utility provided with Solaris does not support passive mode, necessitating a third-party FTP client, such as ncftp.

With the massive popularity of the World Wide Web, many people prefer to use their web browser as an FTP client. Most browsers only support passive mode when accessing ftp:// URLs. This can either be good or bad depending on what the servers and firewalls are configured to support.

Passive FTP Example

Below is an actual example of a passive FTP session. The only things that have been changed are the server names, IP addresses, and user names. In this example an FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a linux box running the standard FTP command line client, to testbox2.slacksite.com (192.168.150.90), a linux box running ProFTPd 1.2.2RC2. The debugging (-d) flag is used with the FTP client to show what is going on behind the scenes. Everything in red is the debugging output which shows the actual FTP commands being sent to the server and the responses generated from those commands. Normal server output is shown in black, and user input is in bold.

Notice the difference in the PORT command in this example as opposed to the active FTP example. Here, we see a port being opened on the server (192.168.150.90) system, rather than the client. See the discussion about the format of the PORT command above, in the Active FTP Example section.

testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
---> USER slacker
331 Password required for slacker.
Password: TmpPass
---> PASS XXXX
230 User slacker logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (192,168,150,90,195,149).
---> LIST
150 Opening ASCII mode data connection for file list
drwx------ 3 slacker users 104 Jul 27 01:45 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.


Other Notes

A reader, Maarten Sjouw, pointed out that active FTP will not function when used in conjunction with a client-side NAT (Network Address Translation) device which is not smart enough to alter the IP address info in FTP packets.

Summary

The following chart should help admins remember how each FTP mode works:

Active FTP :
command : client >1023 -> server 21
data : client >1023 <- server 20

Passive FTP :
command : client >1023 -> server 21
data : client >1023 -> server >1023

A quick summary of the pros and cons of active vs. passive FTP is also in order:

Active FTP is beneficial to the FTP server admin, but detrimental to the client side admin. The FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side. Passive FTP is beneficial to the client, but detrimental to the FTP server admin. The client will make both connections to the server, but one of them will be to a random high port, which would almost certainly be blocked by a firewall on the server side.

Luckily, there is somewhat of a compromise. Since admins running FTP servers will need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. The exposure of high level ports on the server can be minimized by specifying a limited port range for the FTP server to use. Thus, everything except for this range of ports can be firewalled on the server side. While this doesn't eliminate all risk to the server, it decreases it tremendously. See Appendix 1 for more information.
References

An excellent reference on how various internet protocols work and the issues involved in firewalling them can be found in the O'Reilly and Associates book, Building Internet Firewalls, 2nd Ed, by Brent Chapman and Elizabeth Zwicky.

Finally, the definitive reference on FTP would be RFC 959, which sets forth the official specifications of the FTP protocol. RFCs can be downloaded from numerous locations, including http://www.faqs.org/rfcs/rfc959.html.

Read More

Kodak introduces HD media hub

Kodak has announced today that is has launched a networked media hub dubbed the Theater HD, joining an ever crowding market.

The set-top box will be able to stream music and HD video up to 720p from any computer on the same Wi-Fi network. Just like its competitors, the box can also stream Internet radio, play YouTube videos, listen to podcasts, and view complete photo galleries from Flickr or Kodak Gallery. A few web sites can also be accessed through the TV in "a TV-optimized format."

A more interesting feature is that of "Kodak Picture Mail." A USB port and an SD card in the box allow users to view content right from their cameras as well as upload the pictures to photo websites directly from the box. With built-in Wi-Fi, the Theater HD can stream the photos to nearby Kodak digital photo frames.

Amazon, Best Buy, and Kodak's own online store will begin selling the Theater HD for $300 USD beginning in September.

Read More

BitNami Alfresco Stack 2.1.0.7

Enterprise Content Management (ECM) system featuring Document Management

BrothersoftEditor, BitNami Alfresco Stack is an easy to use installer for Alfresco, which is an Enterprise Content Management (ECM) system featuring Document Management, Web Content Management, Collaboration Management, Records Management and Image Management.

The BitNami Project was created to help spread the adoption of freely available, high quality, open source web applications. BitNami aims to make it easier than ever to discover, download and install Open Source software such as document and content management systems, wikis and blogging software.

The BitNami Alfresco Stack is an installer that greatly simplifies the installation of Alfresco and runtime dependencies. It includes ready-to-run versions of Apache-Tomcat, MySQL and Java(tm) runtime. Alfresco Stack is distributed for free under the Apache 2.0 license. Please see the appendix for the specific licenses of all Open Source components included.

Read More

User Management

User management is a critical part of maintaining a secure system. Ineffective user and privilege management often lead many systems into being compromised. Therefore, it is important that you understand how you can protect your server through simple and effective user account management techniques.


Where is root?

Ubuntu developers made a conscientious decision to disable the administrative root account by default in all Ubuntu installations. This does not mean that the root account has been deleted or that it may not be accessed. It merely has been given a password which matches no possible encrypted value, therefore may not log in directly by itself.

Instead, users are encouraged to make use of a tool by the name of sudo to carry out system administrative duties. Sudo allows an authorized user to temporarily elevate their privileges using their own password instead of having to know the password belonging to the root account. This simple yet effective methodology provides accountability for all user actions, and gives the administrator granular control over which actions a user can perform with said privileges.

*

If for some reason you wish to enable the root account, simply give it a password:

sudo passwd

Sudo will prompt you for your password, and then ask you to supply a new password for root as shown below:

[sudo] password for username: (enter your own password)
Enter new UNIX password: (enter a new password for root)
Retype new UNIX password: (repeat new password for root)
passwd: password updated successfully

*

To disable the root account, use the following passwd syntax:

sudo passwd -l root

*

You should read more on Sudo by checking out it's man page:

man sudo

By default, the initial user created by the Ubuntu installer is a member of the group "admin" which is added to the file /etc/sudoers as an authorized sudo user. If you wish to give any other account full root access through sudo, simply add them to the admin group.
Adding and Deleting Users

The process for managing local users and groups is straight forward and differs very little from most other GNU/Linux operating systems. Ubuntu and other Debian based distributions, encourage the use of the "adduser" package for account management.

*

To add a user account, use the following syntax, and follow the prompts to give the account a password and identifiable characteristics such as a full name, phone number, etc.

sudo adduser username

*

To delete a user account and its primary group, use the following syntax:

sudo deluser username

Deleting an account does not remove their respective home folder. It is up to you whether or not you wish to delete the folder manually or keep it according to your desired retention policies.

Remember, any user added later on with the same UID/GID as the previous owner will now have access to this folder if you have not taken the necessary precautions.

You may want to change these UID/GID values to something more appropriate, such as the root account, and perhaps even relocate the folder to avoid future conflicts:

sudo chown -R root:root /home/username/
sudo mkdir /home/archived_users/
sudo mv /home/username /home/archived_users/

*

To temporarily lock or unlock a user account, use the following syntax, respectively:

sudo passwd -l username
sudo passwd -u username

*

To add or delete a personalized group, use the following syntax, respectively:

sudo addgroup groupname
sudo delgroup groupname

*

To add a user to a group, use the following syntax:

sudo adduser username groupname

User Profile Security

When a new user is created, the adduser utility creates a brand new home directory named /home/username, respectively. The default profile is modeled after the contents found in the directory of /etc/skel, which includes all profile basics.

If your server will be home to multiple users, you should pay close attention to the user home directory permissions to ensure confidentiality. By default, user home directories in Ubuntu are created with world read/execute permissions. This means that all users can browse and access the contents of other users home directories. This may not be suitable for your environment.

*

To verify your current users home directory permissions, use the following syntax:

ls -ld /home/username

The following output shows that the directory /home/username has world readable permissions:

drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username

*

You can remove the world readable permissions using the following syntax:

sudo chmod 0750 /home/username

[Note]

Some people tend to use the recursive option (-R) indiscriminately which modifies all child folders and files, but this is not necessary, and may yield other undesirable results. The parent directory alone is sufficient for preventing unauthorized access to anything below the parent.

A much more efficient approach to the matter would be to modify the adduser global default permissions when creating user home folders. Simply edit the file /etc/adduser.conf and modify the DIR_MODE variable to something appropriate, so that all new home directories will receive the correct permissions.

DIR_MODE=0750

*

After correcting the directory permissions using any of the previously mentioned techniques, verify the results using the following syntax:

ls -ld /home/username

The results below show that world readable permissions have been removed:

drwxr-x--- 2 username username 4096 2007-10-02 20:03 username

Password Policy

A strong password policy is one of the most important aspects of your security posture. Many successful security breaches involve simple brute force and dictionary attacks against weak passwords. If you intend to offer any form of remote access involving your local password system, make sure you adequately address minimum password complexity requirements, maximum password lifetimes, and frequent audits of your authentication systems.
Minimum Password Length

By default, Ubuntu requires a minimum password length of 4 characters, as well as some basic entropy checks. These values are controlled in the file /etc/pam.d/common-password, which is outlined below.

password required pam_unix.so nullok obscure min=4 max=8 md5

If you would like to adjust the minimum length to 6 characters, change the appropriate variable to min=6. The modification is outlined below.

password required pam_unix.so nullok obscure min=6 max=8 md5

[Note]

The max=8 variable does not represent the maximum length of a password. It only means that complexity requirements will not be checked on passwords over 8 characters. You may want to look at the libpam-cracklib package for additional password entropy assistance.
Password Expiration

When creating user accounts, you should make it a policy to have a minimum and maximum password age forcing users to change their passwords when they expire.

*

To easily view the current status of a user account, use the following syntax:

sudo chage -l username

The output below shows interesting facts about the user account, namely that there are no policies applied:

Last password change : Jan 20, 2008
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

*

To set any of these values, simply use the following syntax, and follow the interactive prompts:

sudo chage username

The following is also an example of how you can manually change the explicit expiration date (-E) to 01/31/2008, minimum password age (-m) of 5 days, maximum password age (-M) of 90 days, inactivity period (-I) of 5 days after password expiration, and a warning time period (-W) of 14 days before password expiration.

sudo chage -E 01/31/2008 -m 5 -M 90 -I 30 -W 14 username

*

To verify changes, use the same syntax as mentioned previously:

sudo chage -l username

The output below shows the new policies that have been established for the account:

Last password change : Jan 20, 2008
Password expires : Apr 19, 2008
Password inactive : May 19, 2008
Account expires : Jan 31, 2008
Minimum number of days between password change : 5
Maximum number of days between password change : 90
Number of days of warning before password expires : 14

Other Security Considerations

Many applications use alternate authentication mechanisms that can be easily overlooked by even experienced system administrators. Therefore, it is important to understand and control how users authenticate and gain access to services and applications on your server.
SSH Access by Disabled Users

Simply disabling/locking a user account will not prevent a user from logging into your server remotely if they have previously set up RSA public key authentication. They will still be able to gain shell access to the server, without the need for any password. Remember to check the users home directory for files that will allow for this type of authenticated SSH access. e.g. /home/username/.ssh/authorized_keys.

Remove or rename the directory .ssh/ in the user's home folder to prevent further SSH authentication capabilities.

Be sure to check for any established SSH connections by the disabled user, as it is possible they may have existing inbound or outbound connections. Kill any that are found.

Restrict SSH access to only user accounts that should have it. For example, you may create a group called "sshlogin" and add the group name as the value associated with the AllowGroups variable located in the file /etc/ssh/sshd_config.

AllowGroups sshlogin

Then add your permitted SSH users to the group "sshlogin", and restart the SSH service.

sudo adduser username sshlogin
sudo /etc/init.d/ssh restart

External User Database Authentication

Most enterprise networks require centralized authentication and access controls for all system resources. If you have configured your server to authenticate users against external databases, be sure to disable the user accounts both externally and locally, this way you ensure that local fallback authentication is not possible.

Read More

How do I unzip tarballs with the 'bz2' extension?

First, you need the bzip2 package. Get it from your favourite FTP site if you haven't already got one. Next, to view the contents, simply do this:

$ bzip2 -cd files.tar.bz2 | tar tvf -

To extract, do this instead:

$ bzip2 -cd files.tar.bz2 | tar xvf -

Of course, you can also use something like:

"tar --use-compress-program bzip2 -xvf files.tar.bz2"

Read More

DELON - Unstoppable

Dynamic, Cultured, Passionate, Captivating. With the ability to draw the masses like Will Smith, get them to dance like Pitbull, and make them cry like Tupac; Ceylon Records would like to introduce to you the "New Revolution" in Hip-Hop music, DeLon! A true rarity in rap music, DeLon, infuses his multi-cultural background with catchy lyrics to formulate a sound and image that cannot be compared or duplicated in the rap game today. As the first Sri Lankan to ever chart on the US Billboard Charts (twice!), with numerous awards and great International recognition, DeLon is poised to take Hip-Hop by storm. This is a New Movement. This is a New Revolution. This is DeLon!

http://en.wikipedia.org/wiki/Delon

Read More

DIACAP

The DoDI 8510.01, Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) Instruction is currently effective as of November 28, 2007 - ARE YOU READY? Lunarline, Inc. is ready to help you transition from DITSCAP or initiate the DIACAP on your product (Automated Information System - AIS / Telecom), service (DoD Outsourced), or facility (Enclave).

No matter where your AIS, Enclave, or Outsourced service/information system is in the System Life Cycle (SLC), the Mission Assurance Category (MAC), or Confidentiality Level (CL) - Lunarline, Inc. has the trained / certified personnel, to ensure you meet or exceed DoD and Federal compliance requirements such as FIPS 140-2, FIPS 200, FIPS 201, FISMA, HIPAA, OMB, NIST, NSA, and DCID. For more information or a free quote on DIACAP consulting, DIACAP training, or DIACAP testing call 202-429-5533 or email DIACAP@lunarline.com.

Read More

TechnoSNACK: a new aggregator for visibility of your blog!

The main objective of this project is creation of a "virtual dashboard" of posts coming from many specialized blog and information about Computers & Internet world, with news about Linux, Windows, Mac, Open sources, Security, Graphics, Symbian and more on...

The key feature is that news come directly from blogosphere. We wish to show a preview of posts, with a link "Read more..." to signed blogs. If users are interested in news, they are redirected to your blog and can read entire post directly from your blog!

So, the different signed blogs can increase their visibility and reach more visitors, all over the world!

Read More

Learn about GanttProject

What is it all about?

It is all about project scheduling. GanttProject is a tool for creating a project schedule by means of Gantt chart and resource load chart. We assume that you know what do these words mean. If you don't, the following links may help you to start:

Read More