Posts Tagged ‘ubuntu’
Insecurity by Non-Obscurity
I was a bit shocked and disheartened tonight to discover that my WordPress version was being broadcast to the world without me knowing it. It’s something that I hadn’t ever really given much thought to, mostly because I always assumed that a piece of information like that wasn’t being given out. What was even more disheartening to me was what I discovered as the method for disabling this broadcasting of my version number. The easiest way, by far, was to just install the Secure WordPress extension (or I could dive into a bit of their PHP code and have to make the change with each upgrade, not so much fun). Not so long ago, there was a huge ordeal about a vulnerability in WordPress 2.8.3 that allowed an attacker to reset an admin password very easily. No wonder they urged us to upgrade so quickly – your vulnerability was being broadcast.
The sad part is that broadcasting this version number can't be disabled from the built-in settings. I don't know what the rationale is, but one has to either add a line to the active theme's functions.php file or install the plugin mentioned above.
Anyway, this got me thinking about plenty of other open source software that I've had to disguise over the years. For instance, perform a fresh install of Ubuntu 8.04 with the LAMP stack and the response headers will list the version in this much detail:
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch
Yup, there it is, script kiddies. Bust out Metasploit and eat your hearts out. If the defaults are left in place, the server's major and minor version, the PHP version, the OS, and the WordPress version are all exposed, so an attacker can pick the matching exploit without doing any fingerprinting of their own.
Of course, hiding these things doesn't make anything secure; one must go far deeper than that. I am just disappointed that so many open source projects cut down the time a script kiddie needs to start playing with my public services.
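As an added example (not part of the original post), here is a small offline check for the disclosures described above. The sample response is constructed from the Server header quoted in the post plus the X-Powered-By header PHP emits when expose_php is on and the generator tag WordPress writes into the page head; on a live host the same text comes from `curl -si http://site.example/` (host name assumed).

```shell
#!/bin/sh
# Added example, not from the original post: flag version strings in an HTTP response.

# Constructed sample: the leaky defaults (Apache ServerTokens Full, expose_php On,
# WordPress generator tag present).
LEAKY_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.9
Content-Type: text/html

<html><head><meta name="generator" content="WordPress 2.8.3" /></head><body></body></html>'

# Constructed sample: the same response after ServerTokens Prod + ServerSignature Off
# (Apache), expose_php = Off (php.ini) and remove_action("wp_head", "wp_generator")
# in the theme's functions.php.
QUIET_RESPONSE='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html

<html><head></head><body></body></html>'

# version_leaks RESPONSE: print one line per disclosed version; exit 0 if none, 1 otherwise.
version_leaks() {
    response=$1
    found=0
    # Server header carrying a version number or an OS token is more than "Apache"
    srv=$(printf '%s\n' "$response" | sed '/^$/q' | grep -i '^Server:' | grep -E '[0-9]+\.[0-9]+|\(' || true)
    if [ -n "$srv" ]; then echo "header  $srv"; found=1; fi
    # X-Powered-By only appears while expose_php is on
    xpb=$(printf '%s\n' "$response" | sed '/^$/q' | grep -i '^X-Powered-By:' || true)
    if [ -n "$xpb" ]; then echo "header  $xpb"; found=1; fi
    # WordPress generator meta tag in the body
    gen=$(printf '%s\n' "$response" | grep -io '<meta name="generator" content="[^"]*"' || true)
    if [ -n "$gen" ]; then echo "body    $gen"; found=1; fi
    [ "$found" -eq 0 ]
}

# leak_count RESPONSE: number of disclosures found (0 when the response is quiet).
leak_count() {
    version_leaks "$1" | grep -c . || true
}

echo "leaky response: $(leak_count "$LEAKY_RESPONSE") disclosures"
echo "quiet response: $(leak_count "$QUIET_RESPONSE") disclosures"
```

On Ubuntu the three fixes live in /etc/apache2/conf.d/security (ServerTokens Prod, ServerSignature Off), /etc/php5/apache2/php.ini (expose_php = Off) and the active theme's functions.php. The generator tag is not the only place WordPress of this era gives itself away: the ?ver= query string it appends to enqueued scripts and stylesheets and the readme.html shipped in the web root both carry the version, so remove or block those too.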
Tags: linux, security, ubuntu
Filed under Tech Trends :
Jan 18th, 2010
Running LAMP Applications Using Nginx
While playing with WordPress on nginx for my last post, I discovered that most of the how-tos out there on running PHP/MySQL applications under nginx left a bit to be desired. Here are the steps I took to get my application (WordPress, specifically) working.
Install nginx, MySQL, and PHP
First, let’s install nginx and PHP along with a few PHP libraries:
sudo apt-get install php5-mhash php5-mysql php5-odbc curl php5-curl php5-gd php5-imap nginx php5-cgi php5-cli php5-common
If you didn’t already have MySQL installed on your server, you’ll need that too:
sudo apt-get install mysql-server
The installer will prompt you to enter a root password. Make sure it’s a fairly good password, but also be sure to record it as you’ll need it later.
Install spawn-fcgi
Spawn-fcgi used to be bundled with lighttpd but has since been moved to its own project, so it is downloaded separately. Unfortunately, the spawn-fcgi project is not in the Ubuntu repositories, so it has to be built from source. First, download the tarball from the spawn-fcgi project page; as of this writing the current version is 1.6.2. Since you are about to build and run this as root on a public server, verify the tarball against the checksum or signature the project publishes before going further. For this particular version, run the following from a directory your user can download to:
wget http://www.lighttpd.net/download/spawn-fcgi-1.6.2.tar.gz
Untar it:
tar zxf spawn-fcgi-1.6.2.tar.gz
Make sure you have the compilation tools:
sudo apt-get install build-essential
Now, navigate into the spawn-fcgi download directory and compile:
cd spawn-fcgi-1.6.2
./configure
make
Now, let’s install it into /usr/bin:
cd src
sudo cp spawn-fcgi /usr/bin/
Now, let's make the init script. Save the following as /etc/init.d/fastcgi:
#!/bin/bash
# /etc/init.d/fastcgi: start, stop or restart the php5-cgi pool via spawn-fcgi
PHP_SCRIPT=/usr/bin/php-fastcgi
RETVAL=0
case "$1" in
    start)
        $PHP_SCRIPT
        RETVAL=$?
        ;;
    stop)
        # plain TERM lets a worker finish the request it is serving; -9 does not
        killall php5-cgi
        RETVAL=$?
        ;;
    restart)
        killall php5-cgi
        sleep 1
        $PHP_SCRIPT
        RETVAL=$?
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
exit $RETVAL
Next, let's create the script that launches the PHP CGI pool. Save the following as /usr/bin/php-fastcgi (it binds to loopback only, runs five php5-cgi children, and drops to the unprivileged www-data user and group):
#!/bin/sh
exec /usr/bin/spawn-fcgi -a 127.0.0.1 -p 9000 -C 5 -u www-data -g www-data -f /usr/bin/php5-cgi
Make sure the new scripts are executable:
sudo chmod +x /usr/bin/php-fastcgi /etc/init.d/fastcgi
You should now be able to start the fastcgi pool (root is needed, since spawn-fcgi switches to www-data):
sudo /etc/init.d/fastcgi start
Make the fastcgi process start at boot:
sudo update-rc.d fastcgi defaults
Setup nginx site
I used the following as my site file. Most of it was taken from the default site, with parts from other how-tos. You can replace /etc/nginx/sites-available/default with this template (in my example, the site is called site.com and WordPress lives in /var/www/wordpress). Be sure to change the server_name and root lines; root is set at the server level so that $document_root in the PHP location follows it. The try_files line in the PHP location matters: php5-cgi defaults to cgi.fix_pathinfo=1, so without it a request such as /wp-content/uploads/photo.jpg/x.php would be handed to PHP and photo.jpg executed as a script. try_files needs nginx 0.7.27 or newer; on an older package, set cgi.fix_pathinfo=0 in /etc/php5/cgi/php.ini instead.
server {
    listen 80;
    server_name site.com;
    root /var/www/wordpress;
    access_log /var/log/nginx/localhost.access.log;

    location / {
        index index.php;
        if (-f $request_filename) {
            expires 30d;
            break;
        }
        if (!-e $request_filename) {
            rewrite ^(.+)$ /index.php?q=$1 last;
        }
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /var/www/nginx-default;
    }

    # pass the PHP scripts to the FastCGI pool listening on 127.0.0.1:9000
    location ~ \.php$ {
        # only hand real files to PHP (see cgi.fix_pathinfo note above)
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }
}
Before restarting nginx, make sure everything is cool with the config and correct any errors:
sudo nginx -t
Now, restart nginx with the new changes:
sudo /etc/init.d/nginx restart
Install your application
You can now install your application just as you would under Apache. In this example, download the WordPress package to /var/www/wordpress and install from there. PHP runs as www-data, so anything that user can write it can also be made to execute: give www-data write access only where WordPress needs it (wp-content/uploads, and wp-content/plugins if you want in-browser plugin installs) rather than to the whole tree.
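As an added example (not from the original post), here is the PHP location from the site file above once as it was first written and once hardened, together with two checks that tell the forms apart. The location text and the php.ini lines are constructed samples; the checks can be pointed at a real site file and /etc/php5/cgi/php.ini (the ini that php5-cgi reads) by passing their contents instead.

```shell
#!/bin/sh
# Added example, not from the original post: spot the nginx + php5-cgi pitfall in a config.
# With cgi.fix_pathinfo=1 (PHP's compiled-in default) a request for
# /wp-content/uploads/photo.jpg/x.php reaches PHP with SCRIPT_FILENAME pointing at
# .../photo.jpg, and PHP executes the image. Either try_files =404 in the location or
# cgi.fix_pathinfo=0 in php.ini stops that.

# Constructed: the PHP location as it appears in a site file without try_files.
WEAK_PHP_LOCATION='location ~ \.php$ {
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /var/www/wordpress$fastcgi_script_name;
    include /etc/nginx/fastcgi_params;
}'

# Constructed: the same location with the file-existence check (nginx 0.7.27 or later).
SAFE_PHP_LOCATION='location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include /etc/nginx/fastcgi_params;
}'

# Constructed php.ini fragments: the stock commented-out line, and the hardened one.
PHP_INI_DEFAULT='; cgi.fix_pathinfo=1'
PHP_INI_HARDENED='cgi.fix_pathinfo=0'

# php_locations_guarded CONFIG_TEXT: exit 0 if every "location ... php" block contains
# "try_files ... =404", 1 otherwise. Braces are counted so nested blocks do not confuse it.
php_locations_guarded() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*location[[:space:]].*php/ { inphp = 1; guarded = 0; depth = 0 }
        inphp {
            if ($0 ~ /try_files[[:space:]].*=404/) guarded = 1
            depth += gsub(/\{/, "{") - gsub(/\}/, "}")
            if (depth == 0) { inphp = 0; if (!guarded) bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# fix_pathinfo_off INI_TEXT: exit 0 only if cgi.fix_pathinfo is explicitly set to 0.
# An absent or commented-out line means the compiled-in default (1) is in effect.
fix_pathinfo_off() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*cgi\.fix_pathinfo[[:space:]]*=[[:space:]]*0[[:space:]]*(;.*)?$'
}

for name in WEAK_PHP_LOCATION SAFE_PHP_LOCATION; do
    eval "cfg=\$$name"
    if php_locations_guarded "$cfg"; then echo "$name: guarded"; else echo "$name: NOT guarded"; fi
done
for name in PHP_INI_DEFAULT PHP_INI_HARDENED; do
    eval "ini=\$$name"
    if fix_pathinfo_off "$ini"; then echo "$name: fix_pathinfo off"; else echo "$name: fix_pathinfo ON"; fi
done
```

Use both defences where the nginx version allows it: try_files keeps non-existent paths away from PHP, and fix_pathinfo=0 closes the hole even if a later edit drops the try_files line. After changing php.ini, restart the pool with the fastcgi init script, since php5-cgi reads the ini only at start-up.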
Tags: nginx, ubuntu
Filed under How-Tos / Tips :
Aug 29th, 2009
Linux Vendors: United They Will Stand?
Ever since reading OStatic’s article about how Linux netbook returns really aren’t the problem with Linux market share, I can’t seem to quite get over the conclusion. They make an excellent point. Microsoft has lots of money and can afford to throw a lot of it at marketing. And Linux vendors? Not so much. To ‘requote’ (RQ?) Joe Brockmeier from Novell:
“If you took the marketing budgets of all the Linux vendors combined, and then doubled that figure, and then added a zero, you might start approaching what Microsoft spends on marketing Windows. Maybe.”
Wow. That’s one heck of a deficit to overcome. The funny thing about the software business is that as long as your technology is ‘good enough’, often that’s all it takes. From there it’s marketing. It’s sad, but true. It’s not that one has to match dollar-for-dollar, but that’s certainly not a difference that’s easily compensated for.
Okay, so there’s a problem. What’s the solution? Let’s read on in Brockmeier’s quote:
“The ad councils for various industries have the right idea — it’s a good idea to pool your money to grow the market when you’re jointly competing with another industry.”
This is where I have to disagree. Pooling money for marketing from Canonical, Red Hat, and Novell (and perhaps some lesser-known Linux vendors) for the benefit of whom? Linux? What Linux? Ubuntu? Red Hat? SUSE? If I were a Red Hat shareholder, I wouldn’t exactly appreciate my dollars being spent marketing ‘Linux’. While I like Linux, Red Hat needs to market Red Hat.
Is this what Linux has come to? A charity that vendors can pool their money into with the hopes of getting something out of it? Now, it is true that these vendors rely upon Linux upstream to have a product to sell, but as long as there are differences in distributions, there will be different marketing strategies. And that’s for good reason. Ubuntu is popular on desktops and laptops. Red Hat is not. In fact, Red Hat appears to not even care about the desktop market. SUSE fits somewhere in the middle there.
Can the three combine marketing strategies? Maybe. While I definitely like the idea of Linux dominating both the server and client operating system markets, I would hate to see tension created between vendors because advertising doesn't help each of them equally. That would just serve to hurt all three. As a community, Linux vendors can't even agree on a sound subsystem, let alone a marketing strategy.
Tags: linux, microsoft, novell, red hat, ubuntu
Filed under Tech Trends :
Aug 16th, 2009
2X App Server Client on 64-bit Ubuntu
Today I got to replace my aging Ubuntu desktop with a new machine. We’ve been using 2X for some time to run Windows apps on our Macs and I was pumped a few months ago to figure out that they had packaged a new version of their client for Ubuntu (well, Debian but it works on Ubuntu).
When I got up and running, I went to install the 2X client again:
wyatt@host:~$ sudo dpkg --install 2XClient.deb
[sudo] password for walterw:
dpkg: error processing 2XClient.deb (--install):
package architecture (i386) does not match system (amd64)
Errors were encountered while processing:
2XClient.deb
Wrong architecture. Dang.
Not to worry! 2X also distributes the binaries in a tarball so, using the 32-bit libraries, one can just run the binaries.
First, download the tarball. You can download it using your browser from their downloads page, or from the terminal via:
wget http://www.2x.com/downloads/AppServer-LoadBalancer/2XClient.tar.bz2
Untar it:
tar jxf 2XClient.tar.bz2
Copy the contents to /opt (the tarball unpacks to an opt/2X directory, so copy it recursively):
sudo cp -r opt/2X /opt/
Install the 32-bit compatibility libraries:
sudo apt-get install ia32-libs
You can then create a launcher within the Gnome menu or whatever desktop manager you want.
To create the launcher, the command to start the client is:
/opt/2X/Client/bin/2XClient

Create 2X Client Launcher
That’s it! The 2X client should launch and run beautifully.
Tags: ubuntu
Filed under Uncategorized :
Aug 12th, 2009
More Tab Complete Awesomeness on Ubuntu 9.04
It's a slightly older post, but after I read Workswithu's report on the four features that they believed set Ubuntu apart, I had to agree whole-heartedly with the fourth one, the shell's tab completion. As I was reading, I constantly dropped to the shell to discover tab-complete features I didn't know about, including completion for apt-get, which I had been using every day without noticing it. Anyway, today I discovered yet another.
This kind of defeats the purpose of DNS, but I discovered that if you put a host into the /etc/hosts file on Ubuntu 9.04, then both SSH and rsync tab-complete the hostname for you as you start typing it. I'm not sure about scp, but I'm sure it works the same way.
Extending this functionality further, it would be awesome if I could tab-complete from my known_hosts file, but that doesn't seem to work.
Anyway, if you find yourself SSHing or rsyncing files to a host or set of hosts all the time, this trick can be a real time-saver. Perhaps not quite as time-saving as being able to SSH with the click of a mouse, but often it's not very convenient to leave the keyboard just to save a few keystrokes at the shell.
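As an added example (not from the original post), here is how to build a host list for SSH completion from sources that are not hashed. Ubuntu's /etc/ssh/ssh_config sets HashKnownHosts yes by default, which is why ~/.ssh/known_hosts cannot be completed from: it holds only hashes, so a reader of the file learns nothing about where you connect. /etc/hosts and the Host lines of ~/.ssh/config are plain text and can be used instead; the two sample files below are constructed stand-ins for them.

```shell
#!/bin/sh
# Added example, not from the original post: SSH host candidates from unhashed sources.

# Constructed sample files standing in for /etc/hosts and ~/.ssh/config.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_HOSTS=$SAMPLE_DIR/hosts
SAMPLE_SSH_CONFIG=$SAMPLE_DIR/ssh_config
printf '127.0.0.1 localhost\n# 10.0.0.9 retired-box\n10.0.0.5 web1 web1.example.test\n' > "$SAMPLE_HOSTS"
printf 'Host web2 *.example.test\n  HostName 10.0.0.6\nHost bastion\n  User wyatt\n' > "$SAMPLE_SSH_CONFIG"

# host_candidates HOSTS_FILE SSH_CONFIG: print every host name and alias, one per line,
# sorted and de-duplicated. Comments are skipped, as are ssh_config patterns that contain
# wildcards or negation, since they are not names you can type.
host_candidates() {
    {
        [ -r "$1" ] && sed 's/#.*//' "$1" | awk 'NF > 1 { for (i = 2; i <= NF; i++) print $i }'
        [ -r "$2" ] && awk 'tolower($1) == "host" { for (i = 2; i <= NF; i++) if ($i !~ /[*?!]/) print $i }' "$2"
    } | sort -u
}

host_candidates "$SAMPLE_HOSTS" "$SAMPLE_SSH_CONFIG"

# Wiring for bash programmable completion. Wrapped in eval so this file still parses
# under a plain POSIX sh; source it from ~/.bashrc and then type: ssh web<Tab>
if [ -n "$BASH_VERSION" ]; then
    eval '_ssh_hosts() {
              COMPREPLY=( $(compgen -W "$(host_candidates /etc/hosts "$HOME/.ssh/config")" -- "${COMP_WORDS[COMP_CWORD]}") )
          }
          complete -F _ssh_hosts ssh scp rsync'
fi
```

Keeping HashKnownHosts on and completing from ssh_config instead preserves the point of the hashing: the list of hosts you connect to stays out of a file an attacker on a compromised workstation would otherwise harvest first.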
Tags: ssh, ubuntu
Filed under How-Tos / Tips :
Aug 5th, 2009


