Friday, August 19, 2016

HOWTO : Oracle Ksplice on Ubuntu 16.04 LTS

Oracle Ksplice provides kernel updates for Ubuntu and Fedora Linux without reboots, free of charge. Ksplice works on both the Desktop and Server editions, as it offers a graphical and a command line interface.

This guide shows you how to install Ksplice on Ubuntu 16.04 LTS (Desktop or Server version).

Step 1 :

sudo apt-get install libgtk2-perl consolekit iproute libck-connector0 libcroco3 libglade2-0 libpam-ck-connector librsvg2-2 librsvg2-common python-cairo python-dbus python-gi python-glade2 python-gobject-2 python-gtk2 python-pycurl python-yaml dbus-x11

Step 2 :

wget https://ksplice.oracle.com/uptrack/dist/xenial/ksplice-uptrack.deb

sudo dpkg -i ksplice-uptrack.deb

Step 3 :

sudo nano /etc/uptrack/uptrack.conf

Set the following option :

autoinstall = yes

Step 4 :

Usage on the CLI :

sudo uptrack-upgrade -y

Reference

User Guide

That's all! See you.


Thursday, August 18, 2016

HOWTO : Hardening and Tuning Ubuntu 16.04 LTS

This guide leads you through hardening and tuning your Ubuntu 16.04 in a few steps without any expense. As an information security enthusiast, I set up my Ubuntu box as follows and use it every day.

Kernel Hardening and Tuning

Make sure you enabled the "No Execute (NX)" or "Execute Disable (XD)" in the BIOS/UEFI.

sudo nano /etc/sysctl.conf

Edit it to look like the following :



To reload it :

sudo sysctl -p

ARP Spoofing

One of the most common attacks is the Man In The Middle attack, and it can be combined with browser attacks too. This guide will help protect your Ubuntu from being spoofed. Meanwhile, make sure to set the ARP related settings in your router if the feature is available. Most home routers have no such feature.

HOWTO : ArpON on Ubuntu 16.04 LTS

Anti-Malware

Most Linux users (including advanced users) wrongly believe that Linux can never be infected with malware. That is not true: almost all operating systems face such threats.

HOWTO : ClamAV 0.99 on Ubuntu 16.04 LTS

This guide will lead you to set up ClamAV for "Scan On Access" instead of "Scan On Demand".

Storage Performance Tuning

(A) SSD

Verify TRIM is supported :

sudo hdparm -I /dev/sda | grep TRIM

If the output is similar to the following, TRIM is supported :

* Data Set Management TRIM supported (limit 1 block)

If you installed Ubuntu on LVM, TRIM is usually enabled by default. You can confirm it :

cat /etc/lvm/lvm.conf | grep issue_discards

If the output is similar to the following, it is enabled :

issue_discards = 1

Then set the I/O scheduler to "deadline" if it is not set yet. Check the current scheduler (the active one is shown in brackets) :

cat /sys/block/sda/queue/scheduler

noop [deadline] cfq

If not, set it :

sudo nano /etc/rc.local

Insert the following before "exit 0" :

echo 1024 > /sys/block/sda/queue/read_ahead_kb
echo 1024 > /sys/block/sda/queue/nr_requests
echo deadline > /sys/block/sda/queue/scheduler


* make sure your device is sda (or sdb ...)

To apply it without rebooting your system :

sudo /etc/rc.local

After that, you need to edit the file system table (/etc/fstab) :

Edit the root entry to look like the following :

/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1

sudo mount -a
sudo mount -o remount /


If you get an error after running the above commands, DO NOT reboot your system. Correct the typo first; otherwise, you cannot boot your system again.

You can also add "scsi_mod.use_blk_mq=1" to the kernel parameters, for example in "/etc/default/grub".

(B) Hard Drive

sudo nano /etc/rc.local

Insert the following before "exit 0" :

echo 1024 > /sys/block/sda/queue/read_ahead_kb
echo 1024 > /sys/block/sda/queue/nr_requests


* make sure your device is sda (or sdb ...)

To apply it without rebooting your system :

sudo /etc/rc.local

After that, you need to edit the file system table (/etc/fstab) :

Edit the options of the root entry to look like the following :

ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1

sudo mount -a
sudo mount -o remount /


If you get an error after running the above commands, DO NOT reboot your system. Correct the typo first; otherwise, you cannot boot your system again.
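The checks from sections (A) and (B) above, gathered into shell functions as an added example (not from the original post): each function works on captured text, so the hdparm, lvm.conf and scheduler outputs can be verified, and the device name is validated before any /sys/block path is built from it. The accepted device-name patterns and the sample outputs are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the SSD/HDD checks above as
# functions that work on captured text, so outputs can be verified and the
# device name validated before anything is written under /sys/block.

# Pull the active scheduler out of a /sys/block/<dev>/queue/scheduler line,
# e.g. "noop [deadline] cfq" -> "deadline".
active_scheduler() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)].*/\1/p'
}

# Succeed if "hdparm -I" output advertises TRIM support.
trim_supported() {
    printf '%s\n' "$1" | grep -q 'Data Set Management TRIM supported'
}

# Succeed if an lvm.conf line enables issue_discards (commented lines ignored).
lvm_discards_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*issue_discards[[:space:]]*=[[:space:]]*1'
}

# Accept only a bare whole-disk name (assumed patterns: sdX, vdX, nvmeXnY);
# paths, ".." and partition names are rejected so the generated
# /sys/block/<dev> path cannot point anywhere else.
valid_block_device() {
    case "$1" in
        ""|*/*|*..*) return 1 ;;
        sd[a-z]|sd[a-z][a-z]|vd[a-z]|nvme[0-9]n[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the rc.local lines for a device: "ssd" adds the deadline scheduler
# line, "hdd" only sets read_ahead_kb and nr_requests, as in (A) and (B).
rc_local_lines() {
    dev=$1
    kind=$2
    valid_block_device "$dev" || return 1
    printf 'echo 1024 > /sys/block/%s/queue/read_ahead_kb\n' "$dev"
    printf 'echo 1024 > /sys/block/%s/queue/nr_requests\n' "$dev"
    if [ "$kind" = ssd ]; then
        printf 'echo deadline > /sys/block/%s/queue/scheduler\n' "$dev"
    fi
    return 0
}

# Usage on a live system, e.g.:
# active_scheduler "$(cat /sys/block/sda/queue/scheduler)"
# rc_local_lines sda ssd
```

The printed lines are the ones to place before "exit 0" in /etc/rc.local; running the functions themselves changes nothing on the system.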

Firefox Hardening and Tuning

Most malicious attacks nowadays come via browsers. Therefore, we need to protect ourselves even when we are using Linux.

(A) Apparmor For Firefox

AppArmor is a Linux Security Module implementation of name-based access controls.

sudo apt-get update
sudo apt-get install apparmor-utils apparmor-profiles


sudo nano /etc/apparmor.d/usr.bin.firefox

Edit it to look like the following; this profile is compatible with Firefox 51.0.1 or later :



sudo rm /etc/apparmor.d/disable/usr.bin.firefox

Reload the rules :

sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox

(B) Firefox Add-ons

NoScript

Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.

* You are not required to enable it, as it blocks the JavaScript that most modern websites use. You can disable it globally and still keep the XSS attack protection, which is on by default.

uBlock Origin (Optional)

Finally, an efficient blocker. Easy on CPU and memory. (Please refer to the official site for details)

WebRTC Control

Have control over WebRTC (disable or enable) and protect your IP address.

BetterPrivacy

Remove or manage a new and uncommon kind of cookies, better known as LSOs. The BetterPrivacy safeguard offers various ways to handle Flash cookies set by Google, YouTube, eBay and others.

HTTPS Everywhere

Encrypt the web! HTTPS Everywhere is a Firefox extension to protect your communications by enabling HTTPS encryption automatically on sites that are known to support it, even when you type URLs or follow links that omit the https: prefix.

Speed Tweaks (SpeedyFox)

This extension provides a list of almost all the settings that you may need to alter in order to enhance Firefox's speed.

(C) Optional

(1) Firefox Add-ons :

User-Agent Switcher

The User Agent Switcher extension adds a menu and a toolbar button to switch the user agent of a browser.

Youtube High Definition

YouTube High Definition is a powerful tool that will let you automatically play all YouTube videos in HD (High Definition), turn off annotations, change video player size, auto stop videos, auto mute videos, control embedded videos and much more.

Youtube Flash-Html5

Play YouTube Videos in Flash or HTML5 Player.

(2) Browse with "New Private Window" feature

Finally, you may consider using an Intrusion Detection and Prevention System (IDPS) to protect your network. My project "Almond Croissants" is an IDPS that can be deployed on your network (in front of and/or behind the router). Or, you may also consider using Tor to protect your privacy with my project "NightHawk".

Reference

WebRTC IPS

IP Leak

That's all! See you.


HOWTO : ClamAV 0.99 on Ubuntu 16.04 LTS

Clam AntiVirus (ClamAV) is a free and open-source, cross-platform antivirus software tool-kit able to detect many types of malicious software, including viruses.

This guide will lead you to set up ClamAV for "Scan On Access" instead of "Scan On Demand". It also targets Desktop usage only.

The current version at this writing is ClamAV 0.99.

Step 1 :

sudo apt-get install clamav clamav-freshclam clamav-daemon libclamunrar7

Step 2 :

sudo nano /etc/clamav/clamd.conf

Edit the entries to look like the following. Make sure to replace "samiux" with your username.


cd ~
mkdir quarantine


Step 3 :

sudo nano /etc/clamav/freshclam.conf

Edit the entries to look like the following.



sudo systemctl enable clamav-daemon
sudo systemctl restart clamav-daemon
sudo freshclam


Remark :

Downloading or copying a file will not trigger a ClamAV scan, but browsing to or executing it (and similar access) will. If any malware or virus (whether it is for Windows, Linux or Mac OS X) is detected, it will be moved to the "quarantine" directory. You can also check the log at "/var/log/clamav/clamav.log". Be aware that ClamAV may produce a lot of false positive warnings on Linux.

Testing :

You can install harmless virus test files for testing.

sudo apt-get install clamav-testfiles

The harmless virus test files are located at "/usr/share/clamav-testfiles".

Reference

AppArmor Wiki

That's all! See you.


HOWTO : ArpON on Ubuntu 16.04 LTS

ArpON (ARP handler inspection) is a portable handler daemon that makes the ARP protocol secure in order to avoid Man In The Middle (MITM) attacks through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing (APR). It also blocks the attacks derived from them, such as Sniffing, Hijacking, Injection and Filtering, and the more complex attacks built on those, such as DNS Spoofing, Web Spoofing, Session Hijacking and SSL/TLS Hijacking.

Step 1 :

sudo apt-get update
sudo apt-get install arpon


Step 2 :

sudo nano /etc/default/arpon

Uncomment the DARPI line and RUN, and make sure they look like this :

DAEMON_OPTS="-q -f /var/log/arpon/arpon.log -g -D"
RUN="yes"

Step 3 :

sudo systemctl enable arpon
sudo systemctl restart arpon


That's all! See you.


VirtualBox 5.0.x Headless with PHPVirtualBox 5.0.x

VirtualBox is a virtual machine monitor that can run on desktops and servers. We can run VirtualBox as a server (headless mode) with PHPVirtualBox as the front end. PHPVirtualBox runs flawlessly with Apache; however, I would like it to run on Hiawatha. No database is required for headless mode.

Part A - Hardware

Motherboard : ASRock Rack C2750D4I server board
CPU : Intel Atom C2750
RAM : 4 x 8GB (32GB) DDR3-1600
Hard Drive : 2 x Western Digital 4TB WD4000F9YZ

The Western Digital 4TB WD4000F9YZ is not certified by ASRock, so it cannot boot from the SATA3 ports. The SATA2 ports are used in this case.

The performance of the C2750 is similar to a Xeon E3-1220L. Please see the comparison page here.

The power consumption of this setup is between 30W and 80W.

Make sure you have enabled "Virtualization" (VT-x) in the BIOS.

Part B - Software

Operating System : Ubuntu Server 16.04.1 LTS
Virtual Machine : VirtualBox 5.0.30
Front End : PHPVirtualBox 5.0.5
Web Server : Hiawatha
RAID : Software RAID 1

Part C - Installation

Part C.1 - Operating System and Software RAID 1 Installation

RAID 1 requires two hard drives for the installation. When you are installing Ubuntu Server 14.04.2 LTS, you are required to do the partitioning. Select "Automatically partitioning" for each drive. The partitions will be (1) 1MB for "biosgrub"; (2) free space for the root directory; and (3) free space for swap.

Then select "Configure Software RAID" to configure Software RAID 1 on the free space for the root directory and the free space for swap. Do not RAID the "biosgrub" partitions. Set the root array to be mounted at "/" and used as "Ext4 journaling file system". Set the swap array to be used as "SWAP".

Finally, you should select to install "OpenSSH" when asked.

After the installation, your box should boot up as expected. You can check the status of Software RAID 1 with the following commands :

cat /proc/mdstat

mdadm --detail /dev/md0
mdadm --detail /dev/md1


Part C.2 - VirtualBox Installation

After the Ubuntu Server 16.04.1 LTS is installed, you can install VirtualBox on it.

sudo nano /etc/apt/sources.list.d/vbox.list

Append the following line to it :

deb http://download.virtualbox.org/virtualbox/debian xenial contrib

Save it.

wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -

sudo apt-get update
sudo apt-get install dkms unzip
sudo apt-get install virtualbox-5.0


wget http://download.virtualbox.org/virtualbox/5.0.30/Oracle_VM_VirtualBox_Extension_Pack-5.0.30-112061.vbox-extpack

sudo VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-5.0.30-112061.vbox-extpack

To uninstall Extension Pack :

sudo VBoxManage extpack uninstall "Oracle VM VirtualBox Extension Pack"

Part C.3 - Hiawatha Web Server Installation

sudo apt-get install php-common php7.0-cli php7.0-common php7.0-curl php7.0-gd php7.0-imap php7.0-intl php7.0-json php7.0-mbstring php7.0-mcrypt php7.0-mysql php7.0-readline php7.0-xml php7.0-zip php7.0-pgsql php7.0-sqlite3 php7.0-fpm php-apcu mysql-server mysql-client php7.0-cgi apache2-utils php7.0-soap

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

wget http://www.cmake.org/files/v3.6/cmake-3.6.2.tar.gz
tar -xvzf cmake-3.6.2.tar.gz
cd cmake-3.6.2
./configure
make
sudo make install


wget http://www.hiawatha-webserver.org/files/hiawatha-10.4.tar.gz
tar -xzvf hiawatha-10.4.tar.gz
cd hiawatha-10.4/extra
./make_debian_package
cd ..
sudo dpkg -i hiawatha_10.4_amd64.deb


sudo systemctl enable hiawatha

sudo nano /etc/php/7.0/fpm/php.ini

Make the following changes :

zlib.output_compression = On
zlib.output_compression_level = 6
cgi.rfc2616_headers = 1


Append the following to php-fpm.conf :

sudo nano /etc/php/7.0/fpm/php-fpm.conf

[www]
user = www-data
group = www-data
listen.mode = 0666
listen = /var/run/php/php7.0-fpm.sock
pm = static
pm.max_children = 100
chdir = /


sudo nano /etc/hiawatha/hiawatha.conf



sudo mkdir /etc/hiawatha/enable-sites
sudo mkdir /etc/hiawatha/disable-sites


sudo nano /etc/hiawatha/enable-sites/vbox.local



Make sure to change the "Hostname" to your IP address.

Part C.4 - PHPVirtualBox Installation

sudo adduser --ingroup vboxusers vbox

Enter a password when prompted. Make sure you use a simple password, as symbols are not accepted by VirtualBox.

wget "http://downloads.sourceforge.net/project/phpvirtualbox/phpvirtualbox-5.0-5.zip?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fphpvirtualbox%2F&ts=1476606079&use_mirror=ncu" -O phpvirtualbox-5.0.5.zip
sudo unzip phpvirtualbox-5.0.5.zip -d /var/www/
sudo mv /var/www/phpvirtualbox-5.0.5/ /var/www/vbox
cd /var/www/vbox
sudo cp config.php-example config.php
sudo nano config.php


Change "$username" to "vbox" and "$password" to the password you just entered.

Change "$consoleHost" to your IP address, such as "192.168.1.120"

Uncomment (remove the "#" at the front of) "$enableAdvancedConfig = true;" and "$startStopConfig = true;"

sudo nano /etc/default/virtualbox

Append the following lines to the empty file :

VBOXWEB_USER=vbox
VBOXWEB_HOST=127.0.0.1


sudo cp /var/www/vbox/vboxinit /etc/init.d/vboxinit
sudo update-rc.d vboxinit defaults


sudo systemctl enable vboxweb-service
sudo systemctl start vboxweb-service


Now, you can browse to http://[your-server-ip]/index.html, e.g. http://192.168.1.120/index.html.

Log in with "admin" as the username and "admin" as the password.

You can copy the ISO files to /home/samiux/iso, for example, with the scp command.

Make sure you have installed "Guest Additions" on all virtual desktop guests. Meanwhile, you need Flash to run the guest VNC console.



If you want to browse with http://[your-server-ip]/ only, you need to do the following :

sudo cp /var/www/vbox/index.html /var/www/vbox/index.php

Troubleshooting

If phpvirtualbox shows a login error after php7.0 is updated :

sudo /etc/init.d/php7.0-fpm restart

If a phpvirtualbox guest VM is shown as "saved" or "poweroff" :

sudo systemctl restart vboxweb-service

Before upgrading VirtualBox, make sure all your virtual machines (guests) have been shut down. Then, stop VirtualBox :

sudo systemctl stop vboxdrv
sudo systemctl stop vboxweb-service


If the Linux kernel has been updated but the VirtualBox kernel module was not compiled by DKMS properly, you need to run :

sudo /sbin/rcvboxdrv setup

If you encounter "Uninstalling old VirtualBox DKMS kernel modulesError! Could not locate dkms.conf file." when upgrading, you need to delete the source tree of the previous version :

sudo rm -rf /var/lib/dkms/vboxhost/[previous version]

e.g. /var/lib/dkms/vboxhost/5.0.28

dkms status
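As an added example (not from the original post), a check that lists the vboxhost version trees behind the "Could not locate dkms.conf file" error before anything is deleted. It assumes the DKMS layout of /var/lib/dkms/vboxhost/<version>/source pointing at /usr/src/vboxhost-<version>, where dkms.conf lives; the directory argument exists only so the check can run against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the original post): find vboxhost DKMS version
# trees whose dkms.conf is gone. Assumption: DKMS keeps each build under
# /var/lib/dkms/vboxhost/<version>/ with a "source" link to
# /usr/src/vboxhost-<version>, where dkms.conf lives; once the old package
# is removed that link dangles and dkms reports "Could not locate dkms.conf".
stale_vboxhost_trees() {
    base=${1:-/var/lib/dkms/vboxhost}
    [ -d "$base" ] || return 0
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        v=$(basename "$d")
        # kernel-<ver>-<arch> entries are DKMS's own links, not versions
        case "$v" in kernel-*) continue ;; esac
        [ -f "$d/source/dkms.conf" ] || printf '%s\n' "$base/$v"
    done
    return 0
}

# Print the post's cleanup command for each stale tree instead of running
# it, so the list can be reviewed against "dkms status" first.
stale_vboxhost_cleanup() {
    stale_vboxhost_trees "$1" | while IFS= read -r p; do
        printf 'sudo rm -rf %s\n' "$p"
    done
}
```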

After that, run the following commands or reboot the box.

sudo systemctl start vboxdrv
sudo systemctl start vboxweb-service


Then, start all virtual machines in the web interface.


That's all! See you.

Friday, August 05, 2016

HOWTO : Cooler CPU on Kali Linux 2016.1

Generally speaking, a more powerful CPU generates more heat. However, a cooler CPU may provide better performance in some situations. The following guide is for Kali Linux 2016.1 or Debian Linux.

Step 1 :

apt-get install linux-cpupower cpufrequtils thermald

Step 2 :

cpupower frequency-set -g powersave

Step 3 :

nano /etc/rc.local

Place the following line right before "exit 0".

cpupower frequency-set -g powersave

Remarks :

(1) To check the result :

watch -n 1 -d sensors

(2) To reset to "performance" or "ondemand", just replace "powersave" with "performance" or "ondemand".

That's all! See you.