Securing Linux servers and workstations

Mayank Sharma is a contributing editor at the Open Source Technology Group (OSTG), a division of VA Linux, and publishes mainly on OSTG's NewsForge and Linux.com . Also, he contributes a monthly column for Packt Publishing. In addition, he teaches courses on open source topics at the Indian Institute of Technology, Delhi, as guest lecturer.



Thursday November 29, 2007

EFF educates users on Comcast's packet forging activities

The Electronic Frontier Foundation (EFF) has come to the aid of Comcast customers after it was reported that the ISP was forging packets in order to disrupt peer-to-peer (P2P) traffic such as BitTorrent.

Yesterday the EFF released software that helps users detect this deliberate traffic tampering. Several ISPs worldwide use techniques such as blocking traffic on specific ports to discourage the use of file-sharing networks. "Protocol-specific discrimination gives ISPs a tremendous amount of power over the kinds of new applications and services that can be deployed by innovators and competitors. To the extent that practices like those employed by Comcast change the "end-to-end" architecture of the Internet, those practices jeopardize the Internet's vibrant innovation economy," explains the EFF press release.

EFF's "Test Your ISP" project collects the EFF's white papers, software tools, blog entries and other material relating to Comcast's discrimination. There is an in-depth white paper with technical details of the Comcast forgery "efforts", and a hands-on white paper on detecting packet injection.
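To give a feel for the kind of check such detection relies on, here is a small stand-alone Python script I have added; it is not the EFF's tool and does not claim to reproduce its white paper's method. It applies one common heuristic: a reset injected by a middlebox between you and your peer arrives with an IP TTL that does not match the TTL seen on the peer's real packets in the same flow. The packet records, addresses and port 6881 are all constructed for the example, not captured traffic.

```python
"""Flag TCP RST packets that look injected, added as an example (not the
EFF's software).  Heuristic: an injected RST comes from a box closer than
the real peer, so its IP TTL differs from the TTL observed on the same
sender's non-RST packets in the flow.  All records below are constructed."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags ttl")

# Constructed flow: client 10.0.0.5 talking to a peer on 6881 (BitTorrent's
# customary port; an assumption for the example).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 51234, "203.0.113.7", 6881, "S", 64),
    Packet("203.0.113.7", 6881, "10.0.0.5", 51234, "SA", 52),
    Packet("10.0.0.5", 51234, "203.0.113.7", 6881, "A", 64),
    Packet("203.0.113.7", 6881, "10.0.0.5", 51234, "PA", 52),
    # forged RST claiming to come from the peer, but with a very different TTL
    Packet("203.0.113.7", 6881, "10.0.0.5", 51234, "R", 246),
    # a genuine RST from the peer carries the peer's usual TTL
    Packet("203.0.113.7", 6881, "10.0.0.5", 51234, "R", 52),
]


def flow_key(p):
    # Direction-sensitive key: which endpoint sent the packet to which.
    return (p.src, p.sport, p.dst, p.dport)


def find_suspect_resets(packets, tolerance=2):
    """Return the RST packets whose TTL deviates by more than `tolerance`
    from the TTL first seen on non-RST packets from the same sender in the
    same flow.  Packets arrive in capture order."""
    baseline = {}   # flow_key -> TTL seen on the sender's non-RST packets
    suspects = []
    for p in packets:
        key = flow_key(p)
        if "R" not in p.flags:
            baseline.setdefault(key, p.ttl)
            continue
        known = baseline.get(key)
        if known is not None and abs(known - p.ttl) > tolerance:
            suspects.append(p)
    return suspects


if __name__ == "__main__":
    for p in find_suspect_resets(SAMPLE_PACKETS):
        print("suspect RST from %s:%d ttl=%d" % (p.src, p.sport, p.ttl))
```

The heuristic is only as good as its baseline: a route change can shift a peer's TTL and produce a false alarm, and an injector that copies the peer's TTL defeats it, which is why a real check also looks at IP IDs, sequence numbers and timing.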



Categories : [   internet  ]

Nov 29 2007, 08:08:44 AM EST



Tuesday November 20, 2007

Fedora 8 has impressive security features

Fedora 8, the latest release of the free-as-in-freedom Fedora distribution, shipped not long ago with some impressive security features.

First there is SELinux, one of the best mechanisms for securing a Linux system. SELinux in Fedora has matured over the releases to the point where I would actually advise users to leave it enabled during installation. F8 also packs an additional Kiosk policy that can be used for a minimal-privilege login terminal in public places such as airports, banks and libraries, along with tools for building your own custom policies.

One security enhancement that users will run into is the all-new firewall configuration tool (system-config-firewall). It is easier to use and has a more polished interface than the old tool (system-config-securitylevel). You can also now securely manage your virtual machines from a remote host, since the libvirt management API for Xen and KVM in F8 uses TLS encryption and X.509 certificates for client authentication.

GCC and glibc together implement a feature called FORTIFY_SOURCE. To quote from the Fedora documentation, "The idea behind FORTIFY_SOURCE is relatively simple: there are cases where the compiler can know the size of a buffer (if it's a fixed sized buffer on the stack, as in the example, or if the buffer just came from a malloc() function call). With a known buffer size, functions that operate on the buffer can make sure the buffer will not overflow." FORTIFY_SOURCE in F8 has been extended to cover C++ in addition to C. Note that the checks only kick in when code is compiled with optimization (-O1 or higher) and only where the buffer size is known at compile time; a buffer whose size is decided at run time gets no protection from it. Furthermore, glibc now recognizes SHA-256 and SHA-512 password hashes in addition to DES and MD5.

Fedora 8's Security Features page has more details.



Categories : [   distro  |  fedora  |  news  |  selinux  |  virtualization  ]

Nov 20 2007, 11:34:28 AM EST



Thursday October 18, 2007

Letting down the armor

I don't see Novell's recent move to lay off key AppArmor developers as a positive one. If you are running Novell's Linux desktop solutions in your enterprise, you shouldn't either.

While the company has declined to comment specifically on the layoffs, it says the job cuts are part of its restructuring efforts. In the News.com article, Novell spokesman Bruce Lowry is quoted as saying that the company is looking at "improving our product development process". Does that square with firing key technical product leads?

I think one of two things could happen. Of course, now that AppArmor is open source and used by other distributions as well, including Mandriva and Ubuntu, the AppArmor community could come forward and take on AppArmor's development itself. It might, or it might not. If it doesn't, and neither Ubuntu nor Mandriva does either, Novell too could switch over to SELinux!

Don't forget that Novell has also buddied up with Microsoft, and that deal hasn't worked out too well for another Linux distribution vendor, Linspire.

Stay tuned to this one.



Categories : [   apparmor  |  news  ]

Oct 18 2007, 06:26:12 AM EDT



Monday September 17, 2007

Build and Deploy safe and secure enterprise-grade email system

If you are in charge of IT infrastructure in your enterprise, imagine walking into your office, logging into the company ticketing system and finding zero tickets. And you aren't surprised: after all, the secure, multi-site, scalable Postfix mail transfer agent you have deployed is delivering corporate email to everyone over encrypted protocols, even to employees on the move. The system flushes spam before delivering mail to their offline mail client or their AJAX-based web mailbox. In fact, what you do get are a couple of "Thank You" notes from people who love the voicemail solution you have integrated with the email system so that they can get at their email over the telephone!

Sounds too good to be true? It isn't. Not only is it all possible, you can put together such a system without spending a single dollar. It's all about open source, honey :)

Allow me to briefly plug the o3 Magazine that I am involved with as Editor-in-Chief. (Note: I am no longer associated with o3 Magazine.) But I'd rather not. All I'll do is point you to our current issue, Issue 8, which helps you put together the enterprise-grade email system I just described, and my task is done :)

This issue looks at how to build secure SMTP appliances with Postfix, moves on to using Dovecot to provide IMAP and POP3, and then looks at RoundCube to provide a webmail solution, followed by an article on deploying DSPAM with ClamAV for anti-spam and anti-virus protection. The issue then covers encrypting email protocols, integrating voicemail with email systems, and finally MobilityEmail as a replacement for Outlook on Windows clients. Also don't miss the voicemail/email integration with Asterisk article, where we pushed the envelope a little and did voicemail-to-text translation with Julius, a real-time speech recognition project.

Go check it out! Please stop by the forums and drop us a note.



Categories : [   email  |  encryption  |  network  |  server  |  services  |  spam  |  tips  ]

Sep 17 2007, 10:40:08 AM EDT



Thursday August 16, 2007

Want a secure server, try EnGarde Secure Linux

According to DistroWatch, "EnGarde Secure Linux is a server-oriented open source operating system that provides services like web, DNS and email simply and securely while eliminating the need for time-consuming "hardening" by the user. EnGarde offers integrated intrusion detection, advanced kernel and network security features, and graphical auditing and reporting - all controlled through Guardian Digital WebTool, a simplified browser-based management system." Some time back, Scott Ruecker of LXer interviewed Dave Wreski, CEO of Guardian Digital, the maker of EnGarde Secure Linux.

What I love about EnGarde is its management interface. Guardian Digital WebTool (GD WebTool) is a secure, user-friendly web-based administration utility with which you can administer an EnGarde server from a browser and control every aspect of the system.

In the LXer interview Wreski explains how EnGarde differs from other open source security distros "that bolt-on security" and what it means to be "explicitly designed with security in mind from the outset":

To understand what the differences are, it's important to recognize that security is often a comprehensive process of engineering and maintenance. Simply adding SpamAssassin (for example) to a distribution doesn't make it effective and enterprise capable - not by a long shot. Part of a secure posture requires engineering these multiple applications, in such a way that each one is secure through its use and scalability, in that specific environment.

This is what EnGarde Secure Linux provides, along with our portfolio of secure applications and managed services: A comprehensive and complete solution for all aspects of enterprise network security, in a manageable interface for proxy cache filtering, Content and Policy Enforcement, Anti-Virus, Anti-Spam, Anti-Phishing protection, Web and DNS services, Intrusion Detection and Prevention, secure remote monitoring and more.

Like many specialized (and some non-specialized) Linux distros, EnGarde is available in both community and paid editions. Wreski highlights the differences between the two offerings, and I have to admit that the professional version does look more appealing. The other highlight of the distro, and my personal favorite, is the large amount of documentation freely available on the site. So next time you're out hunting for a secure server, take a look at EnGarde. You might find what you're looking for.



Categories : [   distro  |  server  ]

Aug 16 2007, 03:03:34 AM EDT



Monday July 23, 2007

Police your network with IPCop

The IPCop Linux distribution turns a box into a simple-to-manage firewall appliance. It is a stateful firewall, which is to say it tracks the connections passing through it and judges each packet by the state of the connection it belongs to: a packet that opens a new connection is allowed only where the policy permits it, a packet belonging to an established connection (or related to one, such as an ICMP error for it) is passed through, and everything else is rejected. The distribution gets hold of the packets through the hooks provided by the netfilter framework in the Linux kernel.

Techtarget's security section has a nice overview of IPCop.

The IPCop firewall supports multiple network segments -- trusted, untrusted and semi-trusted -- for wireless networks and DMZs. It runs very well on old 486 hardware or can be bulked up to handle gigabit-speed networks. IPCop is stable, has an easy-to-use graphical interface and, since it is Linux under the hood, is free.

IPCop is a breeze to install: download the software and create a boot disk. The installer creates a complete, hardened system that can optionally run entirely from a flash memory card. Like many gateway routers, IPCop handles DHCP leases, DNS and the network time protocol, plus it has several extras that make it stand out.

Extras like its graphical user interface to keep track of the firewall, monitor active connections, track the network's status, and plot usage and traffic charts. IPCop also bundles the Snort intrusion detection system (IDS), VPN support, a built-in web proxy, traffic shaping and content caching. If you haven't looked at IPCop before, now's the time.
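To make the stateful behaviour concrete, here is a toy packet filter I have added as an example; it is not IPCop's code, and the zone layout and policy are my assumptions: GREEN (the trusted LAN, 10.0.0.0/24) may open connections anywhere, RED (the Internet) may only open connections to the web server in ORANGE (the DMZ, 192.168.100.0/24), and every other packet is accepted only if it matches a connection already in the state table, which is what netfilter's connection tracking does for a real firewall. The packets in the demo are constructed.

```python
"""Toy stateful packet filter with IPCop-style zones, added as an
illustration (not IPCop's code).  Zones, addresses and policy are
assumptions made for the example."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport syn")

GREEN = ipaddress.ip_network("10.0.0.0/24")        # trusted LAN
ORANGE = ipaddress.ip_network("192.168.100.0/24")  # DMZ
DMZ_WEB = ("192.168.100.10", 80)                   # the one service RED may reach


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    if addr in GREEN:
        return "GREEN"
    if addr in ORANGE:
        return "ORANGE"
    return "RED"      # anything not ours is the Internet


class StatefulFilter:
    def __init__(self):
        self.conntrack = set()   # 4-tuples of connections we have let through

    def new_connection_allowed(self, p):
        """Policy consulted only for packets that open a connection."""
        zone = zone_of(p.src)
        if zone == "GREEN":
            return True                               # LAN may go anywhere
        if zone == "RED":
            return (p.dst, p.dport) == DMZ_WEB        # Internet reaches only the DMZ web server
        return False                                  # DMZ hosts may not originate (assumption)

    def decide(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # ESTABLISHED: either direction of a tracked connection passes without
        # consulting the policy again.
        if fwd in self.conntrack or rev in self.conntrack:
            return "ACCEPT/ESTABLISHED"
        # NEW: a SYN opens a connection only if the policy allows it.
        if p.syn and self.new_connection_allowed(p):
            self.conntrack.add(fwd)
            return "ACCEPT/NEW"
        # Everything else, including non-SYN packets with no state, is dropped.
        return "DROP"


def run_demo():
    """Push a constructed packet sequence through the filter and return the verdicts."""
    fw = StatefulFilter()
    packets = [
        Packet("10.0.0.5", 40000, "203.0.113.9", 443, True),       # LAN opens HTTPS to the Internet
        Packet("203.0.113.9", 443, "10.0.0.5", 40000, False),      # reply: matches the state table
        Packet("203.0.113.9", 55555, "10.0.0.5", 22, True),        # Internet probing LAN SSH
        Packet("203.0.113.9", 55556, "192.168.100.10", 80, True),  # Internet to DMZ web: permitted
        Packet("203.0.113.9", 55557, "10.0.0.5", 40000, False),    # stray ACK with no state
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The fifth packet is the point of being stateful: a bare ACK aimed at a port the LAN host happens to be using is dropped because no tracked connection matches it, whereas a stateless filter that simply allowed "established-looking" packets (ACK set) would have let it in.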



Categories : [   firewall  |  network  ]

Jul 23 2007, 04:13:04 PM EDT



Tuesday July 17, 2007

Block malware via blacklists

Any administrator would break a sweat at the mention of malware: intrusive software that installs itself on a computer without the user's consent, and obviously not for any productive reason. But administrators, rejoice. Blocking malware links in mail is fairly simple whichever MTA you use.

The Malware Block List project does exactly what it sounds like: it maintains a list of URLs known to serve viruses, worms, trojans and the like. Since different MTAs, proxies and filters use different blacklist formats, the list is published in several formats, including ones for Postfix, Squid, SpamAssassin and MailWasher.

Using the list with your MTA is fairly easy. All you need to do is pull in the list, manually or automatically via a cron job, and edit your MTA's configuration to check messages against it. If there is a match, mark the message as malware and treat it as you see fit: delete it outright or flag it as spam. Do refresh the list regularly, since a stale list misses newly infected hosts, and fetch it over a channel you trust, because a block list is itself an attractive thing to tamper with. To further help admins, the project also hosts HOWTOs for using the block list with Postfix, Squid and the others mentioned above.
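What the MTA-side check actually does is simple enough to show in a few dozen lines. The following Python is an example I have added; it is not the project's code, and the one-URL-per-line list format, the sample entries and the message are all constructed for it (the real project publishes per-tool formats). It extracts URLs from a message body and matches them against the list, treating a bare hostname or a URL with an empty path as a block on the whole host and anything else as a block on that exact URL.

```python
"""Check the URLs in a mail body against a malware URL block list.  Added
example, not Malware Block List's own code; list format, entries and the
message are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Constructed block list (assumed one-entry-per-line format).
BLOCKLIST_TEXT = """\
# comment lines and blanks are ignored
http://malware.example.net/dl/setup.exe
http://www.bad-host.example/
evil.example.org
"""

# Constructed message body with three listed links and one legitimate one.
SAMPLE_MESSAGE = """Hi, grab the invoice at http://malware.example.net/dl/setup.exe
and our homepage http://www.bad-host.example/index.html. Also see
http://cdn.evil.example.org/x and the legit http://docs.example.com/page."""

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
TRAILING_PUNCT = ".,;:)"   # punctuation that prose glues onto a URL


def load_blocklist(text):
    """Return (exact_urls, hosts).  A bare hostname, or a URL whose path is
    empty or '/', blocks the whole host; any other URL blocks that exact URL."""
    exact, hosts = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "://" not in line:
            hosts.add(line.lower())
            continue
        parts = urlsplit(line)
        if parts.path in ("", "/") and not parts.query:
            hosts.add(parts.hostname.lower())
        else:
            exact.add(line.lower().rstrip("/"))
    return exact, hosts


def url_is_blocked(url, exact, hosts):
    u = url.lower().rstrip(TRAILING_PUNCT)
    if u.rstrip("/") in exact:
        return True
    host = urlsplit(u).hostname or ""
    labels = host.split(".")
    # Design choice: a listed domain also blocks all of its subdomains.
    return any(".".join(labels[i:]) in hosts for i in range(len(labels)))


def scan_message(body, exact, hosts):
    """Return the sorted list of blocked URLs found in the body."""
    found = {u.rstrip(TRAILING_PUNCT) for u in URL_RE.findall(body)
             if url_is_blocked(u, exact, hosts)}
    return sorted(found)


if __name__ == "__main__":
    exact, hosts = load_blocklist(BLOCKLIST_TEXT)
    for u in scan_message(SAMPLE_MESSAGE, exact, hosts):
        print("blocked:", u)
```

In a real deployment the block list is re-read after every cron fetch and the decision is fed back to the MTA as a reject or a spam score rather than printed; the matching logic, including the subdomain rule, is what you would want to review before trusting it with production mail.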



Categories : [   malware  |  tips  ]

Jul 17 2007, 07:16:22 AM EDT



Thursday July 12, 2007

Who will secure Linux from inside the kernel?

Jonathan Corbet, in an editorial over at TechWorld, wonders whether a simpler approach than SELinux might make it into the mainline kernel. Describing the Linux Security Module (LSM) API as "controversial", Corbet writes that LSM has failed in its purpose of enabling competing approaches to hardening Linux systems: setting aside SELinux, which, as per Corbet, is the only significant in-tree security module, there is little to show for it. He continues:

Meanwhile, the LSM interface is easily abused; since it allows the insertion of hooks into almost any system operation of interest, it can be used by other modules to provide non-security functionality. The LSM symbols are mostly exported GPL-only, but it is still possible for binary-only modules to abuse the LSM operations - and, apparently, some have done so.

SELinux hacker James Morris has been pondering this issue recently; he has also noticed that the in-tree security modules (SELinux and the small module implementing capabilities) cannot be unloaded. So, he asked, why implement a modular interface at all? He has posted a patch which turns LSM into a static API with no exported symbols. With this patch applied, any needed security "modules" must be built into the kernel; there is no longer any way to add them at run-time.

But what about out-of-tree security modules such as Novell's AppArmor? Corbet notes that AppArmor has been kept out because of its use of a pathname-based mechanism for policy enforcement, something a majority of kernel developers aren't too hot about. He also notes that the issue had almost been resolved at the 2006 kernel summit, recalling Linus Torvalds's remark:

At the 2006 summit, Linus took a clear position that the use of pathnames for security policies seemed reasonable to him. Given that, along with the fact that AppArmor is being widely distributed, it seems that, sooner or later, this module should find a home in the mainline - even if it is no longer in modular form.

It still remains to be seen which approach makes it into the kernel. Stay tuned.



Categories : [   apparmor  |  kernel  |  lsm  |  selinux  ]

Jul 12 2007, 08:55:21 AM EDT



Thursday July 05, 2007

No takers for Microsoft's Vista superior security claims

If the heading sounds weird, it's not because of an odd choice of words. It's because Microsoft has suddenly realized that its Vista operating system is the most secure OS out there. Why? Because Vista had the fewest vulnerabilities in its first six months of availability. Too bad non-Microsoft security experts don't agree.

This "analysis" claiming Vista's superiority over Mac OS X and Linux distributions (in all matters of security) came from Jeff R. Jones, a Security Strategy Director in Microsoft's own Trustworthy Computing group. It seems the only people praising Microsoft these days are Microsoft employees. But wait. I don't need to be so cynical when others can do it much better.

On the facts, though, Kristian Hermansen at Full Disclosure has debunked the report in detail. The crux of the matter is what it always is. First, Microsoft compared plain vanilla Vista with a fully loaded competition (and we *know* how vanilla a Microsoft OS can get). RHEL cannot be held responsible for the 100+ vulnerabilities in software such as PostgreSQL, MySQL, mailman, squid and emacs, which aren't even installed by default. Second, Mr Jones fails to mention Microsoft's policy of not disclosing vulnerabilities that were patched before anyone in the public noticed them.

Bah, humbug!



Categories : [   report  ]

Jul 05 2007, 07:02:07 AM EDT



Thursday June 28, 2007

Authenticating Windows ADS users on Linux using Samba 3.0

One of the highlights of the Samba 3.0 release is its Active Directory Service (ADS) mode. With ADS mode turned on, Samba 3.0 can join an ADS realm, operate as a domain member server and authenticate users against Active Directory using Kerberos and LDAP.

In simpler terms, if you turn on ADS mode in Samba, you save yourself the trouble of maintaining a separate set of Samba passwords on the Linux server for your Windows users to access the shares. One caveat: the Linux side still needs a Unix identity for each domain user in order to apply file ownership and permissions, which in practice means running winbind alongside Samba and checking that the user and group mapping works before you open up the shares. Howtoforge has a tutorial on setting up and configuring Samba 3.0 to use ADS mode.

If you want general Samba documentation, you'll find everything you need in the Samba-3 by Example Guide and the SAMBA HOWTO collection.



Categories : [   network  |  tips  ]

Jun 28 2007, 12:33:49 AM EDT



Tuesday June 26, 2007

Companies blame poor security for slow virtualization adoption

DarkReading reports on another study which says that several companies aren't jumping onto virtualization because of concerns about security. According to the email survey conducted by emedia, "half of IT organizations are either using virtualization today or planning to do so within the next 18 months. More than half (52 percent) say the technology introduces some new security challenges."

The chief security concern of 32 percent of respondents to the emedia survey was patching and updating virtualized systems; 27 percent were worried about guest-to-guest attacks, while 22 percent feared the addition of new software on the host.

To combat these threats, 51 percent of companies would train their staff, 38 percent would concentrate on patching and hardening servers, while 25 percent would separate networks through subnetting and routing.

The folks behind my favorite virtualization software, VMware, seem to take security pretty seriously.



Categories : [   news  |  survey  |  virtualization  ]

Jun 26 2007, 07:21:19 AM EDT



Friday June 22, 2007

Roll your own blackholes that suck spam

I don't need to tell you the importance of getting rid of spam. The author of this article on Linux.com runs a Postfix-based mail server, and in the article he describes how he deals with the hundreds of spam messages that land on his server every day: he uses Realtime Blackhole Lists (RBLs) and Distributed Checksum Clearinghouse (DCC) clients with Postfix and SpamAssassin to reduce the impact of spam.

An RBL is simply a DNS-published list of IP addresses known to be used by spammers; the mail server looks up the connecting client's address in the list and rejects or scores the message if it is found. There are several RBLs available. The article has more details on using RBLs along with the Apache SpamAssassin spam filter.

But spammers are a curious bunch. On the one hand, they are smart enough to move from one server to another and to exploit vulnerabilities in software to mask their IP addresses. On the other, they still send the same old spam message. DCC tracks down such non-evolving bulk messages by their checksum: a message whose checksum has already been reported many times over is almost certainly bulk mail. Again, the article covers using DCC with SpamAssassin.
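The two mechanisms above are easy to misunderstand from the names alone, so here is a stand-alone Python example I have added to show the mechanics of both; it is not the Linux.com article's configuration, not DCC's checksum algorithm (DCC uses fuzzy checksums; this is a plain hash over a normalised body), and the list zone `rbl.example`, the DNS answers and the messages are all constructed. The first part builds the reversed-IP query name an RBL check sends and interprets the answer; the second keeps a per-checksum count and calls a message bulk once its fingerprint has been seen often enough.

```python
"""RBL query construction and a DCC-style bulk counter, added as an
example (not the article's setup or DCC's real algorithm).  Zone names,
DNS answers and messages are constructed; nothing touches the network."""
import hashlib
import ipaddress
import re
from collections import Counter


def dnsbl_query_name(ip, zone="rbl.example"):
    """An RBL lookup is an ordinary DNS A query for the client's IPv4
    octets reversed and appended to the list zone, e.g. 4.3.2.1.zone."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone


def rbl_listed(answer):
    """Lists answer 'listed' with an address in 127.0.0.0/8 and 'not listed'
    with NXDOMAIN, represented here as None."""
    return answer is not None and answer.startswith("127.")


# --- DCC-style bulk detection --------------------------------------------

def body_fingerprint(body):
    """Normalise the body so that copies differing only in the recipient's
    address, numbers (order/tracking ids) or whitespace hash the same."""
    text = body.lower()
    text = re.sub(r"[a-z0-9._%+-]+@[a-z0-9.-]+", "<addr>", text)
    text = re.sub(r"\d+", "<num>", text)
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()[:16]


class BulkCounter:
    """Counts how many times each fingerprint has been reported, the role the
    DCC servers play for everybody's mail at once."""
    def __init__(self, threshold=3):
        self.seen = Counter()
        self.threshold = threshold

    def report(self, body):
        fp = body_fingerprint(body)
        self.seen[fp] += 1
        return self.seen[fp]

    def is_bulk(self, body):
        return self.seen[body_fingerprint(body)] >= self.threshold


# Constructed messages: the same pitch sent to three people, and one real mail.
BULK_VARIANTS = [
    "Dear bob@example.com,\nYour order 48213 has shipped! Track it at http://track.example/48213",
    "Dear carol@example.net, Your  order 91022 has shipped! Track it at http://track.example/91022",
    "DEAR dave@example.org,\n\nYour order 77 has shipped!  Track it at http://track.example/77",
]
PERSONAL = "Hi Bob, are we still on for lunch on Thursday? -- Alice"


def demo_bulk():
    counter = BulkCounter(threshold=3)
    counts = [counter.report(m) for m in BULK_VARIANTS]
    return counts, counter.is_bulk(BULK_VARIANTS[0]), counter.is_bulk(PERSONAL)


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10"), rbl_listed("127.0.0.2"))
    print(demo_bulk())
```

Two practical points follow from the code: an RBL check must use the address of the connecting SMTP client, not an address dug out of Received headers that the sender controls; and the normalisation step decides how much a spammer has to vary a message to dodge the counter, which is why DCC's real checksums are fuzzy rather than exact.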



Categories : [   spam  |  tips  ]

Jun 22 2007, 05:59:08 AM EDT



Thursday June 21, 2007

Encrypt Linux partitions to secure data

I've often heard admins discuss this over lunch breaks. But securing partitions on servers isn't enough. Encrypting partitions on every user's laptop and desktop across the network sounds preposterous. But take a deep breath and consider the repercussions of your CFO losing his laptop. Gah! I'm sorry to scare you.

LinuxPlanet has a tutorial that encrypts a partition using the cryptsetup-luks utility. It's easy to set up and use and requires virtually no configuration. There is a more detailed tutorial on using cryptsetup-luks on its website, as well as on feraga.

You can also use cryptsetup-luks in innovative ways. For example, you can encrypt a particular partition and then, in a move straight out of a Hollywood flick, use a USB stick as the key. Do keep a passphrase or a backup key file in a second LUKS key slot, though: a lost or failed USB stick would otherwise take the data with it.

And once you've exhausted the space on the encrypted partition, you can resize it. But before you start using cryptsetup-luks, take a look at its FAQ.



Categories : [   data  |  encryption  |  utility  ]

Jun 21 2007, 04:08:28 AM EDT



Friday June 15, 2007

Security on the go

Haven't we all heard that before? With people (and their computing hardware) moving in and out of secure corporate networks, the idea of security on the go is becoming more relevant.

If you know what I'm talking about, take a look at the Yoggie Pico Pro device. The Linux-based appliance packs in several security applications to protect people moving about with their laptops. ZDNet has a positive review of the $199 device, which has an easy-to-use interface, though it only works with a Windows operating system.



Categories : [   data  |  mobile  |  network  |  usb  ]

Jun 15 2007, 07:11:46 PM EDT



Wednesday June 06, 2007

Auto-updating Firewall rules

LinuxQuestions.org is a fantastic Linux forum that will help you find solutions to your Linux-related problems. I often browse its forums looking for the issues people have with a particular piece of software, since I cannot replicate every possible scenario myself.

Yesterday I ran across this interesting problem.

I have a situation. I have these IP addresses that are attacking my box. They are trying to log into ssh with a user and password and it fails. What I want to do is block them after a certain IP fails to log in after 3 tries. However, I do not want to lock the user because they are attacking my user, etc. Is this possible?

The solution suggested to him was the wonderful utility Fail2ban.

Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that make too many password failures. It updates firewall rules to reject the IP address. (On Fedora the sshd failures the poster is worried about land in /var/log/secure.) Two settings are worth getting right before you rely on it: ignoreip, so that your own management addresses can never be banned, and a finite bantime, so that a colleague who fat-fingers a password three times is locked out for minutes rather than forever.

The FAQ has more details.

Oh, the possibilities!
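The poster's requirement (ban the source address after three failures, leave the account alone) boils down to a small amount of log parsing. The script below is an example I have added; it is not fail2ban's code. It reads sshd "Failed password" lines in the syslog format written to /var/log/secure, counts failures per source address inside a sliding 10-minute window, never bans addresses under an ignore prefix, and produces the iptables rule that would drop the offender. The log lines, hostnames and addresses are constructed for the example; the 3-failure threshold is the poster's.

```python
"""A fail2ban-style SSH brute-force detector, added as an example (not
fail2ban's own code).  Log lines below are constructed in the syslog
format sshd writes to /var/log/secure."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$")

# Constructed log excerpt: one attacker, one clumsy colleague on the LAN,
# and one slow attacker who never gets three failures into one window.
SAMPLE_LOG = """\
Jun  6 10:01:02 host sshd[2001]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jun  6 10:01:05 host sshd[2001]: Failed password for root from 198.51.100.23 port 40123 ssh2
Jun  6 10:01:09 host sshd[2002]: Failed password for invalid user admin from 198.51.100.23 port 40124 ssh2
Jun  6 10:02:00 host sshd[2003]: Failed password for alice from 10.0.0.8 port 50001 ssh2
Jun  6 10:02:10 host sshd[2004]: Accepted password for alice from 10.0.0.8 port 50002 ssh2
Jun  6 10:15:00 host sshd[2005]: Failed password for root from 203.0.113.77 port 60001 ssh2
Jun  6 10:40:00 host sshd[2006]: Failed password for root from 203.0.113.77 port 60002 ssh2
Jun  6 10:41:00 host sshd[2007]: Failed password for root from 203.0.113.77 port 60003 ssh2
"""


def parse_ts(stamp, year=2007):
    # syslog timestamps carry no year; assume the year of the example.
    return datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=10),
              ignoreip=("10.0.0.",)):
    """Return sorted [(ip, time_of_ban)] for sources reaching `maxretry`
    failures within `findtime`.  Prefixes in `ignoreip` are never banned,
    the same idea as fail2ban's ignoreip setting."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in banned or ip.startswith(ignoreip):
            continue
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:   # slide the window forward
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return sorted(banned.items())


def ban_rule(ip):
    """The firewall change a ban amounts to (assumed sshd on port 22)."""
    return "iptables -I INPUT -s %s -p tcp --dport 22 -j DROP" % ip


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG):
        print(when.isoformat(), ban_rule(ip))
```

Note what is and is not banned: the LAN user who mistyped once is skipped by the ignore prefix, and 203.0.113.77 is never banned because its three failures span 26 minutes, which is exactly the gap a slow, patient attacker exploits; fail2ban's findtime and maxretry give you the same knobs to tune that trade-off.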



Categories : [   firewall  |  tips  |  utility  ]

Jun 06 2007, 11:10:14 AM EDT
