mod_auth_token Installation In Apache – LinuxAdmin.io

mod_auth_token is an Apache module that signs URLs so that they expire after a set amount of time. Because the URLs expire, it prevents hot linking. This is particularly useful with video and image sharing.

To get started you will need to have an Apache installation already present. If you need to set this up please see Compile Apache 2.4 From Source.

Install mod_auth_token:

First ssh into the server and get the required packages:

cd /usr/src; wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/mod-auth-token/mod_auth_token-1.0.5.tar.gz

Un-compress the archive:

tar xfvz mod_auth_token-1.0.5.tar.gz

Go into the directory

cd mod_auth_token-1.0.5

Configure it:

./buildconf && ./configure

Install It:

make && make install

Restart Apache to make sure it loads without an error:

service httpd restart

Make sure the module is loaded:

# httpd -M 2>&1|grep auth_token
auth_token_module (shared)

You should see auth_token_module in the results

Configure Apache for mod_auth_token

You will need to edit the Apache configuration and add the following to the domain you want protected by mod_auth_token:

<Location /protected/>
# Secret key, can be anything random
AuthTokenSecret "randomstring"
# directory to protect (the same path the Location block covers)
AuthTokenPrefix /protected/
# Timeout length, this is in seconds
AuthTokenTimeout 300
# limit requests by IP
AuthTokenLimitByIp off
</Location>

Restart Apache again:

service httpd restart

To test that it is working, create a PHP file to generate a URL:

<?php

$secret = "randomstring"; // AuthTokenSecret
$protectedPath = "/protected/"; // AuthTokenPrefix
$hexTime = dechex(time()); // Time in Hexadecimal
$domainname = "http://www.example.com"; // Replace this with the domain
$filename = "/file.txt"; // Placeholder: path of the protected file, with a leading slash

// The token is the MD5 of the secret, the file path and the hex timestamp
$token = md5($secret . $filename . $hexTime);

$url = $domainname . $protectedPath . $token . "/" . $hexTime . $filename;
print $url;

?>

Run the PHP script and it will output the URL. If you are able to access that URL, the module is working correctly. You can read more about mod_auth_token on code.google.com
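
The token scheme above, exercised from the shell as an added example (not part of the original article or of mod_auth_token): sign_path builds the same URL layout as the PHP script, and check_path re-derives the token and applies the timeout. The function names are hypothetical, the values are the page's sample settings, and the validation logic is an assumption based on the description here, not the module's source.

```sh
#!/bin/sh
# Added example (not from mod_auth_token): sign and check URLs using the
# token layout shown in the PHP script above. Values are constructed
# placeholders that mirror the sample configuration.
SECRET="randomstring"   # AuthTokenSecret
PREFIX="/protected/"    # AuthTokenPrefix
TIMEOUT=300             # AuthTokenTimeout, in seconds

# md5_hex <string>: lowercase hex MD5 of the string (no trailing newline hashed)
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl md5 | awk '{print $NF}'
    fi
}

# sign_path <file path with leading slash> [unix time]
# Prints <prefix><token>/<hex time><file path>
sign_path() {
    local file now hex_time token
    file=$1
    now=${2:-$(date +%s)}
    hex_time=$(printf '%x' "$now")
    token=$(md5_hex "${SECRET}${file}${hex_time}")
    printf '%s%s/%s%s\n' "$PREFIX" "$token" "$hex_time" "$file"
}

# check_path <signed path> [unix time]
# Prints ok, expired, bad-token or malformed; returns 0 only for ok.
# Approximates the checks the page describes; it is not the module's code.
check_path() {
    local path now rest token hex_time file expected
    path=$1
    now=${2:-$(date +%s)}
    case "$path" in
        "$PREFIX"*/*/*) rest=${path#"$PREFIX"} ;;
        *) echo malformed; return 1 ;;
    esac
    token=${rest%%/*};    rest=${rest#*/}
    hex_time=${rest%%/*}; file=/${rest#*/}
    # Token must be 32 hex digits, timestamp 1 to 8 hex digits
    case "$token$hex_time" in
        *[!0-9a-f]*) echo malformed; return 1 ;;
    esac
    if [ "${#token}" -ne 32 ] || [ -z "$hex_time" ] || [ "${#hex_time}" -gt 8 ]; then
        echo malformed; return 1
    fi
    # Recompute the token from the secret; any change to the path or time breaks it
    expected=$(md5_hex "${SECRET}${file}${hex_time}")
    if [ "$token" != "$expected" ]; then echo bad-token; return 1; fi
    # Reject links older than the configured timeout
    if [ $(( $now - 0x$hex_time )) -gt "$TIMEOUT" ]; then echo expired; return 1; fi
    echo ok
}

# Demo: sign a constructed file path, then validate it immediately.
url=$(sign_path /video.mp4)
echo "http://www.example.com$url -> $(check_path "$url")"
```

Passing an explicit time as the second argument lets you confirm that a link stops validating once AuthTokenTimeout has elapsed.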

Source

Linux Kernel 4.19 LTS Release is Here!

Last updated October 23, 2018

If you’ve been waiting for a stable (and longterm) Kernel release now, Kernel 4.19 is here. As mentioned on the Linux Kernel’s mailing list webpage, it is not a big Kernel release – but it is meant to be a longterm release. Which means that this release will be supported for a few years at least.

Probably you are aware of the changes in the Linux Code of Conduct and Linus Torvalds taking a break to work on his behavior towards other developers. We have some good news about it along with the new Kernel release as well.

Greg KH, who was handling the kernel maintenance indicated that Linus Torvalds is coming back to lead the Linux Kernel:

“And with that, Linus, I’m handing the kernel tree back to you. You can
have the joy of dealing with the merge window :)”

What Kernel 4.19 is all about?

He also gave an overview of what the Linux Kernel 4.19 release actually is:

“While it was not the largest kernel release ever by number of commits, it was larger than the last 3 releases, which is a non-trivial thing to do. After the original -rc1 bumps, things settled down on the code side and it looks like stuff came nicely together to make a solid kernel for everyone to use for a while. And given that this is going to be one of the “Long Term” kernels I end up maintaining for a few years, that’s good news for everyone.

A small trickle of good bugfixes came in this week, showing that waiting an extra week was a wise choice. However odds are that linux-next is just bursting so the next -rc1 merge window is going to be bigger than “normal“, if there is such a thing as “normal” for our rate of development.”

Let’s list the major new features in this new release:

  • Alternate mode driver for USB Type-C/DisplayPort Type-C support
  • Support for Nintendo guitar and drum accessories
  • Better support for Intel’s Low Power Subsystem (LPSS)
  • Plenty of 64-bit ARM improvements
  • Support for Qualcomm Adreno 600 series hardware
  • Initial support for Intel Icelake graphics
  • DRM improvements
  • Improved power management
  • Touchscreen improvement
  • Initial support for the 802.11ax WLAN
  • Various Filesystem improvements

For the complete changelog details, you should check out OMG Ubuntu or the official announcement.

Greg on the recent issues in the Linux community over the ‘Code of Conduct’

Greg also utilized the opportunity of this Kernel release to shed some light on the recent issue on Linux code of conduct – by explaining how we can improve the community:

“These past few months has been a tough one for our community, as it is our community that is fighting from within itself, with prodding from others outside of it. Don’t fall into the cycle of arguing about those “others” in the “Judean People’s Front” when we are the “We’re the People’s Front of Judea!” That is the trap that countless communities have fallen into over the centuries. We all share the same goal, let us never lose sight of that.

So here is my plea to everyone out there. Let’s take a day or two off, rest, relax with friends by sharing a meal, recharge, and then get back to work, to help continue to create a system that the world has never seen the likes of, together.”

What do you think about the latest Linux Kernel release?

Source

ModSecurity Installation With Apache On CentOS

Install ModSecurity With Apache On CentOS

ModSecurity is an open source monitoring system for web applications. It has powerful rule sets that allow you to protect applications from attacks. View the project for more details. It provides a ton of features such as:

More than 16,000 specific rules, broken out into the following attack categories:
* SQL injection
* Cross-site Scripting (XSS)
* Local File Include
* Remote File Include

User option for application specific rules, covering the same vulnerability classes for applications such as:
* WordPress
* cPanel
* osCommerce
* Joomla

Install ModSecurity

To get started you will need to have Apache installed. If you do not yet, please see Compile Apache 2.4 From Source

Install the required dependencies:

yum install -y libxml2 libxml2-devel

Get the software package:

cd /usr/src; wget https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.1/modsecurity-2.9.1.tar.gz

Un-compress the archive:

tar xfvz modsecurity-2.9.1.tar.gz

Go in to the directory:

cd modsecurity-2.9.1

Configure it:

./configure

Install:

make && make install

You will need to edit /etc/httpd/conf/httpd.conf and load the module:

LoadModule security2_module lib/apache/mod_security2.so

For each domain you want to enable it for add the following:

SecRuleEngine On

Restart Apache to load it:

service httpd restart

Verify it is loading in Apache:

httpd -M 2>&1|grep security

You should see the following returned:

security2_module (shared)

Configure ModSecurity

Get a starting ruleset. View the github project for more details.

Download the ruleset:

cd /usr/src;wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.0.tar.gz

Un-compress the archive:

tar xfvz v3.0.0.tar.gz

Make a configuration directory

mkdir /etc/httpd/conf/modsecurity.d

Enter the directory:

cd owasp-modsecurity-crs-3.0.0

Move the rules directory into place:

mv rules/ /etc/httpd/conf/modsecurity.d

Move and rename the main configuration:

mv crs-setup.conf.example /etc/httpd/conf/modsecurity.d/crs-setup.conf

Review crs-setup.conf and remove comments for any applicable lines.

Edit /etc/httpd/conf/httpd.conf once again and add the following:

<IfModule security2_module>
Include /etc/httpd/conf/modsecurity.d/crs-setup.conf
Include /etc/httpd/conf/modsecurity.d/rules/*.conf
</IfModule>

Restart Apache once more to load the base configuration. That is it for the base installation. There are numerous ways you can configure it to protect your server from web based attacks and proactively monitor your server.

May 4, 2017 LinuxAdmin.io

Source

Linux systems vulnerable to privilege escalation and file overwrite exploit in X.Org server

An “incorrect command-line parameter validation” vulnerability in X.Org server makes it possible to escalate privileges as well as overwrite files. The problem affects Linux and BSD distributions using the open source X Window System implementation.

The vulnerability has been present for a couple of years, but has been brought to light by security researcher Narendra Shinde. Unpatched systems can be exploited by non-root users if the X server is running with elevated privileges.

A security advisory posted to the X.Org mailing list explains that: “Incorrect command-line parameter validation in the Xorg X server can lead to privilege elevation and/or arbitrary files overwrite, when the X server is running with elevated privileges (ie when Xorg is installed with the setuid bit set and started by a non-root user)”.

The vulnerability has been assigned CVE-2018-14665, and Bleeping Computer — saying it is “trivial to exploit” — explains how it works:

Privilege escalation can be accomplished via the -modulepath argument by setting an insecure path to modules loaded by the X.org server. Arbitrary file overwrite is possible through the -logfile argument, because of improper verification when parsing the option.

Although the exploit is not a major security issue in itself, in combination with other exploits it could prove highly problematic. The X.Org mailing list post says:

The commit https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7 which first appeared in xorg-server 1.19.0 introduced a regression in the security checks performed for potentially dangerous options, enabling the vulnerabilities listed above.

Overwriting /etc/shadow with -logfile can also lead to privilege elevation since it’s possible to control some part of the written log file, for example using the -fp option to set the font search path (which is logged) and thus inject a line that will be considered as valid by some systems.

A patch was added to the xserver repository this week, but X.Org adds:

If a patched version of the X server is not available, X.Org recommends to remove the setuid bit (ie chmod 755) of the installed Xorg binary. Note that this can cause issues if people are starting the X window system using the ‘startx’, ‘xinit’ commands or variations thereof.

X.Org recommends the use of a display manager to start X sessions, which does not require Xorg to be installed setuid.
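
The mitigation quoted above can be checked with a short audit, given here as an added example that is not part of the advisory or the article: it reports which Xorg binaries carry the setuid bit and, with --fix, applies the advisory's chmod 755. The function names and the candidate paths are assumptions; pass the paths your distribution actually uses.

```sh
#!/bin/sh
# Added example: audit Xorg binaries for the setuid bit, the condition the
# advisory gives for CVE-2018-14665 being exploitable by non-root users.

# setuid_state <path>: prints "missing", "setuid" or "not-setuid"
# ([ -u ] follows symlinks, so a symlinked X is checked at its target)
setuid_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -u "$1" ]; then
        echo setuid
    else
        echo not-setuid
    fi
}

# audit_xorg [--fix] <path>...
# Prints one line per path. With --fix, setuid files get chmod 755 as the
# advisory recommends. Returns 1 if any setuid binary is left afterwards.
audit_xorg() {
    local fix remaining bin state
    fix=0
    remaining=0
    if [ "$1" = "--fix" ]; then
        fix=1
        shift
    fi
    for bin in "$@"; do
        state=$(setuid_state "$bin")
        if [ "$state" = setuid ] && [ "$fix" -eq 1 ]; then
            if chmod 755 "$bin"; then
                state="fixed (setuid bit removed)"
            fi
        fi
        if [ "$state" = setuid ]; then
            remaining=1
        fi
        printf '%-32s %s\n' "$bin" "$state"
    done
    return "$remaining"
}

# Report-only run over candidate locations (assumed paths, adjust as needed).
if ! audit_xorg /usr/bin/Xorg /usr/bin/X /usr/lib/xorg/Xorg \
        /usr/lib/xorg/Xorg.wrap /usr/libexec/Xorg; then
    echo "setuid Xorg present: install the patched xorg-server or rerun with --fix" >&2
fi
```

As the advisory notes, removing the setuid bit can break sessions started with startx or xinit, so run the report first and use --fix only where a display manager starts X.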

Source

Breaking News: IBM is Buying Red Hat for $34 Billion

Last updated October 28, 2018

IBM and Red Hat have inked the deal. IBM is acquiring Red Hat for approximately $34 billion in order to become the number one hybrid cloud provider in the world.

If you think open source projects don’t make money, it’s time to think again. A few months back Microsoft bought GitHub for $7.5 billion. SUSE Enterprise Linux was sold for $2.5 billion. Today IBM announced that it is buying Red Hat for approximately $34 billion.

Red Hat, the first billion dollar open source company is one of the strongest players in the containers and the cloud game. IBM has been lagging behind the likes of Microsoft and Google in the trillion dollar cloud market. So to strengthen their position in this field, IBM is acquiring Red Hat.

IBM will acquire all of the issued and outstanding common shares of Red Hat for $190.00 per share in cash, which is approximately $34 billion.

The deal was facilitated by JPMorgan from IBM side and Guggenheim Partners from Red Hat side.

Red Hat will join IBM’s Hybrid Cloud team as a distinct unit. It will continue to be led by Jim Whitehurst and the current Red Hat management team.

“The acquisition of Red Hat is a game-changer. It changes everything about the cloud market. IBM will become the world’s #1 hybrid cloud provider, offering companies the only open cloud solution that will unlock the full value of the cloud for their businesses.”

Ginni Rometty, IBM Chairman, President and Chief Executive Officer

Red Hat is obviously excited about the deal:

Joining forces with IBM will provide us with a greater level of scale, resources and capabilities to accelerate the impact of open source as the basis for digital transformation and bring Red Hat to an even wider audience – all while preserving our unique culture and unwavering commitment to open source innovation

Jim Whitehurst, President and CEO, Red Hat

As per the announcement, “IBM will remain committed to Red Hat’s open governance, open source contributions, participation in the open source community and development model, and fostering its widespread developer ecosystem. In addition, IBM and Red Hat will remain committed to the continued freedom of open source, via such efforts as Patent Promise, GPL Cooperation Commitment, the Open Invention Network and the LOT Network.”

This deal makes IBM the number one player in the cloud market. It will be interesting to see if other players Microsoft and Google make similar moves.

SUSE has already been sold to EQT and Debian is a community owned project so that leaves Ubuntu. Can Ubuntu be the next acquisition target, perhaps by Microsoft? Only time will tell.

What are your views on IBM-Red Hat deal? Will it impact the open source projects by Red Hat? Do you see the recent trend of acquisition of Open Source companies as a ‘threat to the open source culture’? So share your views in the comment section.

Source

Download Ubuntu Server 18.04.1 LTS / 16.04.5 LTS

Ubuntu Server is a Debian-based distribution crafted to perfection and engineered to define the unwritten laws of server-oriented systems.

Availability, supported platforms, boot options

The project is distributed as multiple ISO images that can be written to USB flash drives or CD discs. These bootable media can later be used to turn personal computers into powerful and unstoppable server systems.

Among the supported hardware platforms, we can mention 32-bit (i386), 64-bit (amd64), 64-bit Mac (amd64 for Macintosh systems), PowerPC (PPC), as well as PowerPC64 (PPC64) Little Endian.

From the boot prompt, users can install the Ubuntu Server operating system on a single machine, as well as on multiple server systems simultaneously, using Canonical’s MAAS (Metal as a Service) project.

In addition, you can use the ISO images to rescue a broken operating system, boot an existing OS installed on the first disk drive, run a memory diagnostic test, as well as to check the disc for defects (only if using a CD media).

Straightforward installation procedure

Installing Ubuntu Server on a single machine, using the first option on the boot installer is quite easy and straightforward, as you will need to select your favorite language for the installation process, select your location, configure the keyboard, set up the network, add a new user, and configure the home directory.

In addition, you must partition the disk drive(s), configure the package manager, set up tasksel to automatically or manually install updates, as well as to manage the system with Canonical’s Landscape service, and choose which server packages to install.

Bottom line

In conclusion, Ubuntu Server is an astonishing product that provides users with one of the best and easy to install server operating systems that use the stable and reliable base of the award winning Debian GNU/Linux distribution.

Source

MariaDB 10 Upgrade From MySQL 5.1 on CentOS 6

MariaDB is a fork of MySQL that was created by some of the original developers of MySQL after MySQL was purchased by Oracle. Upgrading to MariaDB offers a range of benefits and is a relatively simple upgrade. It has more active development than MySQL currently and is just developed by Oracle support as MySQL is. It has more storage engines and better performance, offering a 3-5% performance gain over using MySQL. It has active-active clustering. It is compatible and easy to upgrade. While this upgrade is for CentOS 6, you can get all of the different repositories here.

Take a backup of all the MySQL databases:

You can do this one of two ways

mysqldump --all-databases > all.sql

Or just copy all of the MySQL raw files:

cp -R /var/lib/mysql /var/lib/mysql.back

This will allow you to revert if there are any issues.

Upgrade to MariaDB 5.5

Shut down MySQL

service mysqld stop

Create a new repo /etc/yum.repos.d/MariaDB55.repo and add the following:

# MariaDB 10.0 CentOS repository list – created 2017-05-06 01:14 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.0/centos6-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

Remove mysql:

yum remove -y mysql mysql-devel mysql-libs mysql-server

Make a note of any other dependencies you may have installed, as those will need to be reinstalled after version 10 has been installed.

Install version 5.5

yum install mariadb mariadb-server mariadb-devel mariadb-lib

Start services

service mariadb start

Upgrade the databases

mysql_upgrade

Upgrade to MariaDB 10.1

First shut down 5.5

service mariadb stop

Remove the old version

yum remove -y mariadb mariadb-server mariadb-devel mariadb-lib

Create a new MariaDB 10.1 repository /etc/yum.repos.d/MariaDB101.repo and add the following

# MariaDB 10.1 CentOS repository list – created 2017-05-06 01:20 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos6-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

Install MariaDB 10.1 packages:

yum install mariadb mariadb-server mariadb-devel mariadb-lib

Start services:

service mariadb start

Upgrade the databases:

mysql_upgrade

If you are running PHP built from source, you will need to recompile PHP against the new version of MariaDB after the upgrade for it to work properly.

That is it, you should now be running 10.1. All of the old options in your my.cnf should work after the upgrade. You can now use the Aria Storage engine for internal temporary files instead of MyISAM. Set aria-pagecache-buffer-size to the same value as you have for key-buffer-size. If you have a lot of connections (>100) you can set up a thread pool to increase performance.

Source

How to set up WordPress on a Raspberry Pi

WordPress is a popular open source blogging platform and content management system (CMS). It’s easy to set up and has a thriving community of developers building websites and creating themes and plugins for others to use.

Although getting hosting packages with a “one-click WordPress setup” is easy, it’s also simple to set up your own on a Linux server with only command-line access, and the Raspberry Pi is a perfect way to try it out and learn something along the way.

The four components of a commonly used web stack are Linux, Apache, MySQL, and PHP. Here’s what you need to know about each.

Linux

The Raspberry Pi runs Raspbian, which is a Linux distribution based on Debian and optimized to run well on Raspberry Pi hardware. It comes with two options to start: Desktop or Lite. The Desktop version boots to a familiar-looking desktop and comes with lots of educational software and programming tools, as well as the LibreOffice suite, Minecraft, and a web browser. The Lite version has no desktop environment, so it’s command-line only and comes with only the essential software.

This tutorial will work with either version, but if you use the Lite version you’ll have to use another computer to access your website.

Apache

Apache is a popular web server application you can install on the Raspberry Pi to serve web pages. On its own, Apache can serve static HTML files over HTTP. With additional modules, it can serve dynamic web pages using scripting languages such as PHP.

Installing Apache is very simple. Open a terminal window and type the following command:

sudo apt install apache2 -y

By default, Apache puts a test HTML file in a web folder you can view from your Pi or another computer on your network. Just open the web browser and enter the address http://localhost. Alternatively (particularly if you’re using Raspbian Lite), enter the Pi’s IP address instead of localhost. You should see this in your browser window:

This means you have Apache working!

This default webpage is just an HTML file on the filesystem. It is located at /var/www/html/index.html. You can try replacing this file with some HTML of your own using the Leafpad text editor:

cd /var/www/html/
sudo leafpad index.html

Save and close Leafpad then refresh the browser to see your changes.

MySQL

MySQL (pronounced “my S-Q-L” or “my sequel”) is a popular database engine. Like PHP, it’s widely used on web servers, which is why projects like WordPress use it and why those projects are so popular.

Install MySQL Server by entering the following command into the terminal window:

sudo apt-get install mysql-server -y

WordPress uses MySQL to store posts, pages, user data, and lots of other content.

PHP

PHP is a preprocessor: it’s code that runs when the server receives a request for a web page via a web browser. It works out what needs to be shown on the page, then sends that page to the browser. Unlike static HTML, PHP can show different content under different circumstances. PHP is a very popular language on the web; huge projects like Facebook and Wikipedia are written in PHP.

Install PHP and the MySQL extension:

sudo apt-get install php php-mysql -y

Delete the index.html file and create index.php:

sudo rm index.html
sudo leafpad index.php

Add the following line:

<?php phpinfo(); ?>

Save, exit, and refresh your browser. You’ll see the PHP status page:

WordPress

You can download WordPress from wordpress.org using the wget command. Helpfully, the latest version of WordPress is always available at wordpress.org/latest.tar.gz, so you can grab it without having to look it up on the website. As I’m writing, this is version 4.9.8.

Make sure you’re in /var/www/html and delete everything in it:

cd /var/www/html/
sudo rm *

Download WordPress using wget, then extract the contents and move the WordPress files to the html directory:

sudo wget http://wordpress.org/latest.tar.gz
sudo tar xzf latest.tar.gz
sudo mv wordpress/* .

Tidy up by removing the tarball and the now-empty wordpress directory:

sudo rm -rf wordpress latest.tar.gz

Running the ls or tree -L 1 command will show the contents of a WordPress project:

.
├── index.php
├── license.txt
├── readme.html
├── wp-activate.php
├── wp-admin
├── wp-blog-header.php
├── wp-comments-post.php
├── wp-config-sample.php
├── wp-content
├── wp-cron.php
├── wp-includes
├── wp-links-opml.php
├── wp-load.php
├── wp-login.php
├── wp-mail.php
├── wp-settings.php
├── wp-signup.php
├── wp-trackback.php
└── xmlrpc.php

3 directories, 16 files

This is the source of a default WordPress installation. The files you edit to customize your installation belong in the wp-content folder.

You should now change the ownership of all these files to the Apache user:

sudo chown -R www-data: .

WordPress database

To get your WordPress site set up, you need a database. This is where MySQL comes in!

Run the MySQL secure installation command in the terminal window:

sudo mysql_secure_installation

You will be asked a series of questions. There’s no password set up initially, but you should set one in the second step. Make sure you enter a password you will remember, as you’ll need it to connect to WordPress. Press Enter to say Yes to each question that follows.

When it’s complete, you will see the messages “All done!” and “Thanks for using MariaDB!”

Run mysql in the terminal window:

sudo mysql -uroot -p

Enter the root password you created. You will be greeted by the message “Welcome to the MariaDB monitor.” Create the database for your WordPress installation at the MariaDB [(none)]> prompt using:

create database wordpress;

Note the semicolon at the end of the statement. If the command is successful, you should see this:

Query OK, 1 row affected (0.00 sec)

Grant database privileges to the root user, entering your password at the end of the statement:

GRANT ALL PRIVILEGES ON wordpress.* TO 'root'@'localhost' IDENTIFIED BY 'YOURPASSWORD';

For the changes to take effect, you will need to flush the database privileges:

FLUSH PRIVILEGES;

Exit the MariaDB prompt with Ctrl+D to return to the Bash shell.

WordPress configuration

Open the web browser on your Raspberry Pi and open http://localhost. You should see a WordPress page asking you to pick your language. Select your language and click Continue. You will be presented with the WordPress welcome screen. Click the Let’s go! button.

Fill out the basic site information as follows:

Database Name: wordpress
User Name: root
Password: <YOUR PASSWORD>
Database Host: localhost
Table Prefix: wp_

Click Submit to proceed, then click Run the install.

Fill in the form: Give your site a title, create a username and password, and enter your email address. Hit the Install WordPress button, then log in using the account you just created. Now that you’re logged in and your site is set up, you can see your website by visiting http://localhost/wp-admin.

Permalinks

It’s a good idea to change your permalink settings to make your URLs more friendly.

To do this, log into WordPress and go to the dashboard. Go to Settings, then Permalinks. Select the Post name option and click Save Changes. You’ll need to enable Apache’s rewrite module:

sudo a2enmod rewrite

You’ll also need to tell the virtual host serving the site to allow requests to be overwritten. Edit the Apache configuration file for your virtual host:

sudo leafpad /etc/apache2/sites-available/000-default.conf

Add the following lines after line 1:

<Directory "/var/www/html">
AllowOverride All
</Directory>

Ensure it’s within the <VirtualHost *:80> like so:

<VirtualHost *:80>
<Directory "/var/www/html">
AllowOverride All
</Directory>

Save the file and exit, then restart Apache:

sudo systemctl restart apache2

What’s next?

WordPress is very customizable. By clicking your site name in the WordPress banner at the top of the page (when you’re logged in), you’ll be taken to the Dashboard. From there, you can change the theme, add pages and posts, edit the menu, add plugins, and do lots more.

Here are some interesting things you can try on the Raspberry Pi’s web server.

  • Add pages and posts to your website
  • Install different themes from the Appearance menu
  • Customize your website’s theme or create your own
  • Use your web server to display useful information for people on your network

Don’t forget, the Raspberry Pi is a Linux computer. You can also follow these instructions to install WordPress on a server running Debian or Ubuntu.

Source
