Setting up a secure Ubuntu LAMP server

Disclaimer: This article is provided for your information only, and simply following this guide will not make your server “secure”. As the server administrator you are ultimately responsible for its security!

Intro

Having recently been through the process of setting up a few Ubuntu LAMP (Linux, Apache, MySQL, PHP) servers, I thought I’d make an article out of my notes and provide a starter’s guide to setting up the LAMP stack on Ubuntu.

It goes without saying that the only truly secure computer is one with no network connection, no ports or input devices and is locked in a bank vault, but such a machine is not terribly useful. Regretfully, compromises must be made to allow functionality! Besides presuming insecurity, there are a lot of things you can do to make your server more secure and keep out the vast majority of would-be hackers running port scans, meta-exploit scripts and dictionary attacks.

Changes

I made a small change recently – I’ve moved from WordPress.com hosting to a self-hosted server.

The main reason for this is education – I want to learn more about e-commerce and running my own site, which is a bit difficult when WordPress.com places adsense ads on your site (and not on your behalf!). This way I get to keep any adsense revenue, although to be honest if it covers even the small costs of running this site I will eat my hat, shorts and tshirt.

An unfortunate side effect of this is that WordPress.com accounts can no longer comment and you need to manually enter details each time, so I expect comments will drop. But for those that do I appreciate the feedback!

A quick look at Unity in Ubuntu 11.04

I usually jump on the latest Ubuntu release before it hits the final release stage, but this time it was with a bit more trepidation than usual. You see they’ve replaced the shell with a completely new one – Unity. And to say that not everyone likes it would be a minor understatement.

The good news is that Unity is undoubtedly a step forward in practical user interface terms. The classic Gnome panel is really showing its age, and doesn’t lend itself to wide screen formats due to having panels on both the top and bottom of the screen. SUSE addressed this by creating a start-menu-like launcher, but it was always a bit clunky and barely an improvement over Windows XP.

So how is Unity different? It is perhaps more informative to talk about how it is similar…

Recovering a RAID5 mdadm array with two failed devices

Update 1/11/2019

If you’ve reached this article by Googling how to recover a RAID array, I suggest you don’t use this guide. The Linux RAID wiki has much more correct, complete, and authoritative information. In retrospect I was very lucky not to destroy the data, but this article is an interesting account of how I did it.

Update

Before reading this article you should know that it is now quite old and there is a better method – ‘mdadm --assemble --force’ (it may have been there all along). This will try to assemble the array by marking previously failed drives as good. From the man page:

If mdadm cannot find enough working devices to start the array, but can find some devices that are recorded as having failed, then it will mark those devices as working so that the array can be started.

I would however strongly suggest that you first disconnect the drive that failed first. If you need to discover which device failed first, or assemble doesn’t work and you need to manually recreate the array, then read on.

I found myself in an interesting situation with my parents’ home server today (Ubuntu 10.04). Hardware wise it’s not the best setup – two of the drives are in an external enclosure connected with eSATA cables. I did encourage Dad to buy a proper enclosure, but was unsuccessful. This is a demonstration of why eSATA is a very bad idea for RAID devices.

What happened was that one of the cables had been bumped, disconnecting one of the drives. Thus the array was running in a degraded state for over a month – not good. Anyway I noticed this when logging in one day to fix something else. The device wasn’t visible so I told Dad to check the cable, but unfortunately when he went to secure the cable, he must have somehow disconnected another one. This caused a second drive to fail so the array immediately stopped.

Despite having no hardware failure, the situation is similar to someone replacing the wrong drive in a raid array. Recovering it was an interesting experience, so here I’ve documented the process.

Quick analysis of a phishing attack

Twice in three days I have received emails purporting to be from ASB and ANZ Bank. Both are New Zealand banks, and the fact that I’ve received two of them clearly indicates that my email address is on a spam database somewhere and geographically tagged New Zealand. Easy enough – my .co.nz domain uses it as the registration address, and it has a New Zealand residential address on it.

I see these all the time, but the execution of this particular attack struck me as unusually slick, hence the blog post.

The email

The ANZ email subject was “Please remove your Online Banking Limitation! Last warning!”, whereas the ASB email was titled “Online banking suspension warning!”. Both are clearly designed to panic the user into clicking the link and entering their banking details. The ANZ subject has a hint of ESOL and the grammar in the emails is sub-standard; I suspect the origin is a country where English is not the first language.

Splitting files with dd

We have an ESXi box hosted with Rackspace; it took a bit of pushing to get them to install ESXi in the first place, as they tried to get us to use their cloud offering. But this is a staging environment and we want something dedicated on hardware we control so we can get an idea of performance without other people’s workloads muddying the water.

Anyway, I’ve been having a bit of fun getting our server template uploaded to it, which is only 11GB compressed – not exactly large, but apparently large enough to be inconvenient.

In my experience the datastore upload tool in the vSphere client frequently fails on large files. In this case I was getting the “Failed to log into NFC server” error, which is probably due to a requisite port not being open. I didn’t like that tool anyway, move on.

The trusty-but-slow scp method was also failing however. Uploads would start but consistently stall at about the 1GB mark. Not sure if it’s a buffer or something getting filled in dropbear (which is designed to be a lightweight ssh server and really shouldn’t need to deal with files this large), but Googling didn’t turn up much.

The Search for an Android News Reader

Seriously you’d think this would be easy. FeedingIt on the N900 wasn’t amazing but it did the job and was totally free. I don’t think my requirements are unreasonable here:

  • RSS support – not just via Google Reader
  • Ethical developer – i.e. supports the app and doesn’t demand excessive permissions for advertising purposes
  • White text on black background (for better battery life on AMOLED)
  • A decent user interface (NewsRob is great)
  • Offline cache, configurable sync schedule – I don’t want it to update constantly during the day and chew my battery, just download articles twice daily before I jump on the tube.
  • A reasonable price (yes I am prepared to pay)

Seriously if anyone can find one that fits these criteria please enlighten me, because I sure can’t. The ones I’ve considered so far:

  • NewsRob
    • The current frontrunner. Ad-supported and paid versions, user interface is nice and clean. I’m currently using the ad-supported version (gasp), until I find another. The problems? No black background (discovered the pro version actually does have a night theme), sync is partially configurable but can’t set specific times, based on Google Reader.
  • Feedr
    • Looked perfect and was apparently one of the better ones, but is no longer updated. Rumour has it that the developer is also behind RssDemon…
  • RssDemon
    • From what I can gather from the reviews on the marketplace, the developer of this app prefers to release a new app so everyone has to buy it again rather than improve the original. The app demands location permissions which is totally unnecessary for a news reader, and according to one reviewer purchasing the elite license does not properly remove the ad components. Strike.
  • BlueRSS GR
    • Developer seemed to have a good thing going with BlueRSS then inexplicably threw all that away by removing the old version and starting again with a new “GR” version that is not getting good reviews. There is no option for a black interface, but I didn’t like it anyway – 3D icons very 1998. Absolutely zero reasons to use this over NewsRob.
  • eSobi
    • Poor reviews, expensive (free is only trial), bloated, too many permissions. Again, zero reasons to use this over NewsRob.

Yes I’m picky but this seriously should not be that hard. News reading on Android – fail.

Google Nexus S – the AL4 review

In a moment of weakness I went and signed up to a 24-month contract on O2 a month ago, with the main attraction being the “free” Nexus S that was part of the deal. I did the math, and assuming my current rate of £15 per month spent on pre pay would continue, it worked out cheaper than buying the phone outright by a significant margin. Even after the post-xmas price drop.

My previous device is a Nokia N900, with the result that my standards for usability are rather low, but my standards for functionality are extremely high. There really is nothing the N900 can’t do with enough knowledge, but compared to the Nexus S it is slow and unwieldy for even the most basic functions such as email and calendaring.

As per usual, in this review I make no attempt to provide a complete or even unbiased review. These are my impressions, nothing more, and the review will be of most interest to you if you’re currently an open-source friendly N900 user in their 20s living in London. Yeah, it’s basically the comparison that I would have wanted to read before I switched.

Likewise Open – problems rejoining domain after upgrade

There seems to be a common problem with Likewise Open not gracefully upgrading on Ubuntu, e.g. upgrading a system from the distribution-supplied Likewise Open 5 in Ubuntu 10.10 to the latest packages from the Likewise website (Likewise 6.0 at the time of writing).

The system in this case was an old Ubuntu 9.10 server using Likewise Open 5. After some patching and an update to the current VMware Tools it started failing to authenticate domain users, so I decided to upgrade to the latest version. However, after the upgrade I was getting an error when trying to join the domain:

Error: ERROR_FILE_NOT_FOUND code 0x00000002

The obvious solution is to remove all likewise packages and purge the config, however that didn’t seem to work either. What DID work, was removing & purging the config, manually removing a few directories that were not empty, purging a few other seemingly related packages which were marked as no longer required after the uninstall, and finally reinstalling.

Google Search from the command line

I won’t go into the details of why you would want to do this; suffice it to say that I do, and I searched for a wee while for the best way to do it. Bizarrely, Google’s own CLI tools don’t include search.

The only 3rd-party solutions I could find open the results in a web browser, which isn’t really what I wanted. So I wrote a REALLY ugly one-line script, but it works for me, so why not share. Maybe it will inspire someone with more talent!

It requires curl and vilistextum, which aren’t in a default Ubuntu install; for more barebones OSes you may need to install awk as well.

#!/bin/bash

curl -A "Mozilla/4.0" "http://www.google.com/search?q=$1%20$2%20$3" | vilistextum -k - - | awk 'NR > 23' | less

Then chmod +x it, install the script in /usr/bin and you can search from the command line by typing [nameOfScript] [search terms]. e.g. to search for “testing 123” I type:
g testing 123

Yes there’s a lot wrong with this, for a start if you want more than 3 search terms you’ll have to add another argument (%20$4) after the q= string. I’m sure there’s a more elegant way of doing it by using $@, or $# to get the number of arguments and combining them all in a loop. But then it becomes a 5-line script rather than 1.
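The $@ approach mentioned above, as an added example that is not part of the original post: it joins any number of arguments and percent-encodes each one, so a term containing &, = or # cannot add or truncate query parameters. The function names urlencode and build_search_url are made up for this sketch, and it uses https rather than the http URL in the one-liner.

```shell
#!/bin/sh
# Added example, not the original script. POSIX sh, so it also runs under bash.

# urlencode STRING: percent-encode every byte except RFC 3986 unreserved characters.
# The body runs in a subshell "( ... )" so its variables and LC_ALL stay local.
urlencode() (
    LC_ALL=C            # treat the string as bytes, not multi-byte characters
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}     # everything after the first byte
        c=${s%"$rest"}  # the first byte itself
        s=$rest
        case $c in
            [a-zA-Z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;   # "'x" yields the byte value of x
        esac
    done
    printf '%s' "$out"
)

# build_search_url TERM...: encode each term and join them with %20.
build_search_url() {
    q=
    for term in "$@"; do
        q=${q:+$q%20}$(urlencode "$term")
    done
    printf 'https://www.google.com/search?q=%s' "$q"
}

# Same pipeline as the one-liner, run only when search terms are given.
if [ "$#" -gt 0 ]; then
    curl -s -A "Mozilla/4.0" "$(build_search_url "$@")" \
        | vilistextum -k - - | awk 'NR > 23' | less
fi
```
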

Also the result is not exactly pretty, but if you use a graphical terminal such as gnome-terminal all the links will be clickable and will open in your default browser.

Alternatively you could pipe the result to lynx, which actually parses html properly, but then any links would open in lynx which is not what I wanted:

#!/bin/bash

curl -A "Mozilla/4.0" "http://www.google.com/search?q=$1%20$2%20$3" | lynx --stdin
