Sunday, August 24, 2008

(Followup) Solved: Fedora 9 default settings for shared memory /tmp

Context:
With Fedora 9's default installation configuration, the "temp directory" (to use another OS's term) is /tmp. This special directory is a shared file system that resides in memory, known as tmpfs.

Problem:
The default size for a tmpfs is half of the available memory.

Constraints:
Fedora 9's default set up uses an in-memory solution for /tmp.


Details:
My system has 2 gigabytes of memory. However, the average usage for /tmp on my machine is less than 1 megabyte. So, more than 1023 megabytes of memory was allocated and never used.

Solution:
I needed to control the size of /tmp. It is mounted at boot time using the description in /etc/fstab. After a forum search, I looked at the man page for the mount command and determined that I needed to use the size option when mounting /tmp. I decided to try having only 2 megabytes for /tmp.

Original /etc/fstab:
tmpfs    /dev/shm    tmpfs    defaults    0 0
New fstab:
tmpfs    /dev/shm    tmpfs    defaults,size=2097152    0 0

After making these changes as super user or root, I rebooted my system to get the settings to become active.

References:

Note:
The other options for providing /tmp are:
  1. disk based /tmp, mounting (via /etc/fstab) a disk partition at boot time (preferred)
  2. directory based /tmp on the boot root partition (not preferred for security reasons)

Disclaimer:
This solution worked for me. It may or may not work for you. I am not responsible for your actions nor the results of your actions should you act on what you read here. I do not claim expertise in this very specific area and only convey my experience. There is no warranty on this (and most) free information.

Followup (July 26, 2009):
A simpler way to control the /tmp size through the /etc/fstab is using a percentage:

In fstab:
tmpfs /dev/shm tmpfs defaults,size=10% 0 0
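
To see what each of the three fstab lines above amounts to in bytes, here is an added example (not part of the original post) that reads fstab-style lines and prints the effective size of every tmpfs entry. The function names are hypothetical, the 2 GiB MemTotal matches the machine described above, and percentages are approximated against MemTotal.

```shell
#!/bin/sh
# Added example, not from the original post.

# tmpfs_sizes MEM_KB
#   Reads fstab lines on stdin and prints "mountpoint bytes" for each tmpfs
#   entry. MEM_KB is MemTotal in kB, as reported in /proc/meminfo.
tmpfs_sizes() {
    awk -v mem_kb="$1" '
    $1 ~ /^#/ || NF < 4 { next }      # skip comments and incomplete lines
    $3 != "tmpfs"       { next }      # only tmpfs file systems
    {
        size = "50%"                  # no size= option: half of RAM
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] ~ /^size=/) size = substr(opt[i], 6)
        unit = tolower(substr(size, length(size)))
        num  = size + 0               # leading numeric part of the value
        if      (unit == "%") bytes = mem_kb * 1024 * num / 100
        else if (unit == "k") bytes = num * 1024
        else if (unit == "m") bytes = num * 1024 * 1024
        else if (unit == "g") bytes = num * 1024 * 1024 * 1024
        else                  bytes = num   # a bare number is a byte count
        printf "%s %.0f\n", $2, int(bytes)
    }'
}

# The three fstab lines shown in this post, as sample input.
sample_fstab() {
cat <<'EOF'
# original, first fix, follow-up fix
tmpfs    /dev/shm    tmpfs    defaults    0 0
tmpfs    /dev/shm    tmpfs    defaults,size=2097152    0 0
tmpfs    /dev/shm    tmpfs    defaults,size=10%    0 0
EOF
}

# 2097152 kB = 2 GiB of RAM
sample_fstab | tmpfs_sizes 2097152
```

On a live system, pipe /etc/fstab into `tmpfs_sizes` with the MemTotal value from /proc/meminfo. `mount -o remount,size=10% /dev/shm` applies a new size without a reboot, and `df /dev/shm` confirms it.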

Saturday, July 12, 2008

(Followup) Solved: Fedora 9, Skype for Linux 2.0x and the Microphone

Context:
Using Fedora 9's new sound system Pulse, some sound-centric applications like Skype need to be configured differently from their default sound settings.

Problem:
Immediately after installation, Skype for Linux 2.0.x was able to connect to my account and I was able to hear the test calls with reliable clarity.

However, using the Skype Test Call, my microphone sound was very distorted with static, digitalization, and gaps. Enabling "Display technical call info" showed very high "jitter" and some "cor" (assuming this means corruption) but a reliable connect speed.

As I was able to use Skype for Windows before moving to Fedora 9, I was able to remove the router as the cause of the problem. See the "jitter" for details if you think this might be your problem.

Constraints:
Fedora 9 uses the "Pulse" sound daemon. Skype is a closed ("black box") software application, so its constraints are vastly unknown.

Details:
While I was able to use my microphone without significant issue (the volume was a little low) with other applications (Sound Recorder), Skype did not provide clean and clear sound processing from the microphone. I tried various solutions (listed below) before finding the correct one for me:
Note: After trying each of these solutions and finding that each failed to solve the problem, I reversed most of the changes before starting the next solution. I believe I left some of the solutions from the first reference in place.

Solution:

The solution that worked for me came in two parts:
Enhancing the Microphone Volume

Taken from the second post here:
"A. Right click at the volume control, choose preference.
B. File - Change Device - (OSS Mixer), which is the second one.
C. Below the microphone volume- click on the "microphone icon" until there is no cross on it.
D. File - Change Device - (Alsa Mixer), which is the first one.
E. Edit - preference - scroll down - click Mic Boost (+20 dB)
F. Click "Switches", which is next to Playback. Then click Mic Boost (+20 dB)"
This will result in a louder microphone for all of Fedora 9's sound applications using the microphone. If you find that it's too loud, you can unselect the microphone boost on the "Switches" panel of the sound mixer.

Setting the Hardware Microphone in Skype

Taken from here:
"Firstly, add these lines:
default-fragments = 8
default-fragment-size-msec = 5

at the end of "/etc/pulse/daemon.conf"

Then, edit "~/.asoundrc" and add the following lines if they do not exist:

pcm.pulse { type pulse }
ctl.pulse { type pulse }

Finally, open Skype. Set the "Ringing" and "Sound Out" devices to "pulse", then set the "Sound In" to the plughw device of your microphone."

While the article has more steps, these are the only steps I executed from this reference.
  1. I added the first modifications to /etc/pulse/daemon.conf as shown. I am uncertain exactly what these settings do.
  2. I did not have a ~/.asoundrc file. I created one in my home directory but I do not think it added to the final solution.
  3. I believe the key part of the solution was the last step (possibly the only step needed): "set the 'Sound In' to the plughw device of your microphone." The Skype "Sound In" settings are found on the Options dialog under "Sound Devices". Using the drop down box "Sound In", I did a bit of "trial and error" to find the correct setting and required a restart of X when I selected some of the incorrect options. In the end, my correct setting was "Intel ICH5 (hw:ICH6,0)" and yielded a very clear voice using the "Skype Test Call" service. Your setting will probably be similar but different.
  4. From other experimentation, I set the "Sound Out" and "Ringing" to "pulse".
References:

Disclaimer:
This solution worked for me. It may or may not work for you. I am not responsible for your actions nor the results of your actions should you act on what you read here. I do not claim expertise in this very specific area and only convey my experience. There is no warranty on this (and most) free information.

Followup (July 26, 2009):

Based on experiences with Fedora 10 and Fedora 11, the above suggestions are not absolute. In fact, they only highlight the "control points" but generally will not solve the problem. During subsequent testing, I found that a change in configuration required a reboot to truly get a definitive result. For Fedora 11, I finally gave up and configured directly against the hardware layer and not with PulseAudio.

Monday, June 23, 2008

Solved: Restoring the Master Boot Record (MBR) to the boot drive

Context: Missing or corrupted Master Boot Record (or MBR) can and usually will prevent booting a computer.


Problem: Having botched a Linux installation, the Master Boot Record (MBR) was destroyed. To recover and boot the computer again, the MBR must be restored to working order.


Constraints:
  1. No floppy drive
  2. BIOS doesn't support USB booting
  3. CD ROM limited on ability to read different CDs
  4. Windows booted from the MBR directly so I could not use Microsoft's fdisk
  5. Lilo was not found on the Fedora 9 Live CD
  6. Grub-install on the Fedora 9 Live CD did not function according to expectation

Details: Installing Fedora 9 Live CD to a Dell Latitude C600, I didn't allow enough room for the Live CD install (I misremembered options for a selective install.) Additionally, a previous GRUB installation on the Master Boot Record was not cleaned off before installation started. Near the end of the installation, an error occurred (out of space.) The result was a damaged MBR record. The exact cause of the damage was not known.


Solution: Restore MBR from

  1. Boot Fedora 9 Live CD
  2. Confirm presence of file /usr/lib/syslinux/mbr.bin
  3. Open a Xterm or other shell
  4. Log in as root or superuser
  5. Unmount the targeted drive partition. In my case:
    • umount /sda1
  6. Write the replacement MBR to the drive:
    • dd if=/usr/lib/syslinux/mbr.bin of=/dev/sda bs=1
  7. reboot

Note!: This was a "long shot" action on my behalf and thus a risk for anyone following these instructions. The contents of the file mbr.bin were a guess on my part, as was the correct use and application of dd. While this works, you should know that your results may vary greatly. Use these instructions only as a last resort! Please read the disclaimers section.
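
To take some of the guesswork out of the dd step, here is an added example (not part of the original post) that saves the first sector, refuses boot code larger than the 440-byte boot code area of a classic MBR, and checks that the disk signature and partition table are unchanged afterwards. The function names are hypothetical and the demo runs against a constructed image file, not a real drive.

```shell
#!/bin/sh
# Added example, not from the original post. All file names are constructed.

# make_fill N CHAR -- emit N copies of CHAR (builds the sample files)
make_fill() {
    awk -v n="$1" -v c="$2" 'BEGIN { for (i = 0; i < n; i++) printf "%s", c }'
}

# safe_mbr_write BOOTCODE DISK BACKUP
# Classic MBR sector layout: bytes 0-439 boot code, 440-445 disk signature,
# 446-509 partition table, 510-511 boot signature.
safe_mbr_write() {
    bootcode=$1 disk=$2 backup=$3
    size=$(($(wc -c < "$bootcode")))
    if [ "$size" -gt 440 ]; then
        echo "refusing: $bootcode is $size bytes, boot code area is 440" >&2
        return 1
    fi
    # 1. Save the whole first sector so the write can be undone.
    dd if="$disk" of="$backup" bs=512 count=1 2>/dev/null || return 1
    # 2. Write only the boot code. conv=notrunc keeps an image file intact.
    dd if="$bootcode" of="$disk" bs=1 count="$size" conv=notrunc \
        2>/dev/null || return 1
    # 3. Bytes 440-511 must be identical before and after the write.
    before=$(dd if="$backup" bs=1 skip=440 count=72 2>/dev/null | cksum)
    after=$(dd if="$disk" bs=1 skip=440 count=72 2>/dev/null | cksum)
    [ "$before" = "$after" ]
}

# undo_mbr_write BACKUP DISK -- put the saved first sector back
undo_mbr_write() {
    dd if="$1" of="$2" bs=512 count=1 conv=notrunc 2>/dev/null
}

# Demo on a constructed 1024-byte "disk" filled with the letter P.
demo_dir=$(mktemp -d)
make_fill 1024 P > "$demo_dir/disk.img"
make_fill 440 B > "$demo_dir/mbr.bin"
if safe_mbr_write "$demo_dir/mbr.bin" "$demo_dir/disk.img" \
        "$demo_dir/sector0.bak"; then
    echo "boot code written, signature and partition table unchanged"
fi
rm -rf "$demo_dir"
```

Against a real drive, keep the backup file somewhere other than the disk being written, for example on a USB stick or a network share.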


References:

Disclaimer:
This solution worked for me. It may or may not work for you. I am not responsible for your actions nor the results of your actions should you act on what you read here. I do not claim expertise in this very specific area and only convey my experience. There is no warranty on this
(and most) free information.

Sunday, June 22, 2008

Solved: Adding NVidia Support to Fedora 9

Context: Installing correct, high performance NVidia drivers for Fedora 9.


Problem: The default video drivers provided by the Fedora project work fine. However, enhancements such as 3D Desktop are only available with updated drivers. If you do not have an NVidia video card, this blog entry may not assist you with video card concerns.


Details: The Fedora project has stated that it wishes to avoid any contentious software, either from ownership or patent concerns. NVidia is a privately owned company and thus their video drivers appear to fall under this concern. See the first link in the reference section for more details.


Solution: Add an additional third-party repository to your "Update Sources":
  1. Do a full system update with existing installed software
  2. Go to http://rpm.livna.org/rlowiki/
  3. Download Fedora 9 repository RPM and install it
  4. Perform an "Update System", search, and install "akmod-nvidia-xx", where xx is the latest (or last known good) version of the drivers.
  5. Follow the directions after the installation. I usually reboot after large installations since Fedora 9's update mechanism does not seem to be notifying or enforcing reboot-needed rules.

Note: the Livna source provides other package updates that Fedora 9's default repository sources do not provide.

Note: In general, adding additional repository sources is a security risk and should be undertaken with this in mind.

Note!: I would advise that you limit the inclusion of software from third-party sites to only those specific items you want and only if they are well separated from other elements of your operating system. You can easily have conflicts between differently built libraries which can cripple your operating system in a matter of a few button clicks. Know what you are installing, where it's from and how it will (or won't) "Play Nice" with other elements.


References:

Disclaimer:
This solution worked for me. It may or may not work for you. I am not responsible for your actions nor the results of your actions should you act on what you read here. I do not claim expertise in this very specific area and only convey my experience. There is no warranty on this
(and most) free information.

Saturday, June 21, 2008

Solved: Booting Fedora 9 Live CD on Dell Latitude C600

Context: Booting Fedora 9 Live CD on Dell Latitude C600

Problem: split screen into 2 or three panels at 800x600.

Details: Fedora 9 Live CD detects the built-in video card as "ATI Rage 128 M 2G" and the display type as "Autoconfigured".

Solution:

Note: this solution requires you to "deal with" the incorrect video settings for a brief period of time.

  1. Boot from Fedora 9 Live CD and log in to default login

  2. If the screen is divided into sections and generally not working, continue. If it's perfect, you're done. Don't make any changes based on what I say in this blog entry.

  3. Move Application panel to left hand side. This will allow you to see more of the menus. Do this by clicking in the grey area next to the mail icon, click and drag to the left side of the screen.

  4. Go to menus "System | Administration | Display", then the "Hardware" tab. Make the following changes:

    • Display: "LCD Panel 800x600"
    • Video Driver: "Vesa -Generic VESA-compliant video cards"
    • Press Ok to commit these changes

  5. Press keys CTRL ALT BACKSPACE to restart the X Window System only.
    • Do not reboot - any changes made will be lost during a reboot as they only reside in memory.
After you log in again, I was (you might be) able to see the screen correctly.

Note: I tried "LCD Panel 1024x768" the first time with no positive results.

References:
I located some information, ideas, clues or inspiration from the following locations. I am not responsible for external content nor its availability:
  1. http://ubuntuforums.org/archive/index.php/t-769002.html

Disclaimer:
This solution worked for me. It may or may not work for you. I am not responsible for your actions nor the results of your actions should you act on what you read here. I do not claim expertise in this very specific area and only convey my experience. There is no warranty on this
(and most) free information.

Monday, April 21, 2008

When SELinux bites, tell SELinux to go bite itself

SELinux is a rather impressive, if not annoyingly efficient, process and access-based security system for Linux. I currently enjoy the warm, affectionate glow of alerts on Fedora 8.

As useful as SELinux can be, there are easy ways to make it squeal like a stuck pig (i.e. complain frequently.) My last "stuck pig episode" included a few 25M log files of nothing but squealing. At issue, was a mislabeled file that sendmail wanted to access. After causing my internal email to queue up more than 4000 messages, I decided to work on it.

If I had the specific path to the offending object(s) listed in the alert message, I could have solved this problem with something like:
# Fedora 8: tell SELinux to restore
# default security labels to a file
# or directory:
/sbin/restorecon 'services'
/sbin/restorecon -R '.'

Common net-thinking is that the default labels are occasionally fouled when some updates occur. They are most likely fouled more frequently by users editing in their home directory and promoting them into a new location on the file system without handling the security labeling (which is actually the point of this kind of security: know what you are doing and tell the OS what is and isn't OK to do.)

After trying to use the alert system's recommendation, I finally looked for a more blunt instrument (the alert needed to have an absolute path for the offending element so that I could have a chance to locate and fix it.)

So, I went to my friend, my buddy, my pal: Google. Google told me (indirectly) to look here for this pearl of wisdom:
# Fedora 8: tell SELinux to restore
# security labels to all files:
touch /.autorelabel
reboot
This operation asks SELinux to reapply the default security labels to all files on the file systems after a reboot. This "relabel them all and let Root sort them out" approach may have solved more problems than I knew.

Note: I am not running any custom policies yet so there wasn't a conflict for me.
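
When the alert gives only a bare file name, the AVC denial records in the audit log still carry the device and inode of the object, which is enough to find its path and run restorecon on that one file. The following is an added example (not part of the original post): the function names are hypothetical and the log lines are constructed to resemble the sendmail case above.

```shell
#!/bin/sh
# Added example, not from the original post. Log lines below are constructed.

# avc_summary
#   Reads audit log lines on stdin. Prints one line per distinct denial:
#   count, comm, name, dev, ino, tcontext (most frequent first).
avc_summary() {
    awk '
    /avc:/ && /denied/ {
        comm = name = dev = ino = tctx = "?"
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (!eq) continue                 # not a key=value token
            k = substr($i, 1, eq - 1)
            v = substr($i, eq + 1)
            gsub(/"/, "", v)                  # strip quotes around values
            if      (k == "comm")     comm = v
            else if (k == "name")     name = v
            else if (k == "dev")      dev  = v
            else if (k == "ino")      ino  = v
            else if (k == "tcontext") tctx = v
        }
        count[comm " " name " " dev " " ino " " tctx]++
    }
    END { for (key in count) print count[key], key }' | sort -rn
}

# locate_inode MOUNTPOINT INODE
#   Prints the path(s) with that inode number on the file system mounted at
#   MOUNTPOINT (-xdev keeps find from crossing into other file systems).
locate_inode() {
    find "$1" -xdev -inum "$2" 2>/dev/null
}

# Constructed sample: three sendmail denials, one httpd denial, one non-AVC.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1208790001.101:501): avc:  denied  { read } for  pid=2301 comm="sendmail" name="services" dev=dm-0 ino=425984 scontext=system_u:system_r:sendmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1208790001.101:501): arch=40000003 syscall=5 success=no exit=-13 comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
type=AVC msg=audit(1208790002.202:502): avc:  denied  { read } for  pid=2302 comm="sendmail" name="services" dev=dm-0 ino=425984 scontext=system_u:system_r:sendmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1208790003.303:503): avc:  denied  { getattr } for  pid=2303 comm="sendmail" name="services" dev=dm-0 ino=425984 scontext=system_u:system_r:sendmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1208790004.404:504): avc:  denied  { read } for  pid=2410 comm="httpd" name="index.html" dev=dm-0 ino=98311 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
EOF
}

sample_audit_log | avc_summary
```

With the inode from the summary, `locate_inode / 425984` gives the absolute path, and `/sbin/restorecon -v` on that path resets only the mislabeled file.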

Monday, April 7, 2008

Using SSH and SOCKS to access the web [via Firefox] from remote computer

Source(s)
Information provided in this post was originally located here:
Description
Occasionally, it is necessary to "web surf from afar". Less about security than about originating IPs, I found a need to create a secure connection so I may web surf as if I were on a different computer.
Use Case 1: Some corporations do not want access to popular or potentially harmful web sites.

Use Case 2: Some websites do not service users from some IP ranges, i.e. from out of the country of hosting.

Setup
SSH Tunnel
In this solution, we will use an encrypted connection between the local computer and a remote computer that you have access to and that is running an ssh daemon. This solution will create a local computer port that will allow anything sent to this port to be transported to the remote computer and on to its destination as if it had originated from the remote computer.

On the local computer:
ssh -N -C -D 9999 USER_NAME@IP_ADDRESS

  • -N : do not open an interactive console on the remote computer [optional]
  • -C : use compression [optional]
  • -D : use SOCKS 5 [required]
  • 9999 : local computer port to use to access the SOCKS proxy [a port # is required, not necessarily 9999]
  • USER_NAME@IP_ADDRESS : the user name and remote computer information [most likely required]
Note: This connection will persist until the computer is rebooted or you find and kill the associated ssh task in the process list. That being said, be careful not to start more than one ssh tunnel to the same computer.
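
ssh binds the -D port to the loopback interface unless a bind address, the -g option or a GatewayPorts setting says otherwise, and a SOCKS port reachable from the network lets other machines browse through your tunnel. As an added example (not part of the original post), the hypothetical function below checks `ss -ltn` output for listeners on the tunnel port; both samples are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Sample output is constructed.

# socks_listeners PORT
#   Reads `ss -ltn` output on stdin, prints every local address listening on
#   PORT with a verdict, and returns 1 if any of them is not loopback.
socks_listeners() {
    awk -v port="$1" '
    $1 == "LISTEN" {
        n = split($4, part, ":")              # port is after the last colon
        if (part[n] != port) next
        addr = substr($4, 1, length($4) - length(part[n]) - 1)
        loop = (addr ~ /^127\./ || addr == "[::1]")
        print addr, (loop ? "loopback-only" : "EXPOSED")
        if (!loop) bad = 1
    }
    END { exit bad + 0 }'
}

# What `ssh -N -C -D 9999 ...` normally produces: loopback listeners only.
sample_default() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:9999      0.0.0.0:*
LISTEN 0      128            [::1]:9999         [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
EOF
}

# The same tunnel bound to all interfaces.
sample_gateway() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:9999      0.0.0.0:*
EOF
}

sample_default | socks_listeners 9999
sample_gateway | socks_listeners 9999 || echo "port 9999 is reachable from the network"
```

On a live system, run `ss -ltn | socks_listeners 9999` after starting the tunnel.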

FireFox Proxy
  1. Use menus Tools | Options
  2. Click on Advanced icon
  3. Select Network tab
  4. Press Settings button
  5. Select Manual Proxy Configuration radio button
  6. Enter localhost and port 9999 on the SOCKS Host and Port.
  7. Press Apply/OK until all extra dialog boxes are closed.
  8. You are now ready to web surf through the remote computer.
Note: I recommend using a proxy switcher extension so you can enable and disable the use of the proxy without needing to go through the menus and dialogs, as shown above. Here is one for example.

Tuesday, March 11, 2008

How to create a Strong(er) password

Generating a strong password is critical in today's highly networked societies. Yet, I often find that people don't use good passwords. They use a plain name of a person or a series of numbers, apparently thinking "it doesn't matter much." Having just spent 2 days looking at a friend's computer because of problems related to a "break in" and untold information theft, I can tell you that security definitely matters.

Microsoft has its own ideas about how to create strong passwords of course and so does Wikipedia. You can even find password strength checkers online like this one here.

Another problem is that most people "think predictably". I mean, it's hard to "think randomly." In truth, I have the same problem. And it was impacting my ability to create a truly random and strong(ish) password without letting a machine create one for me. Following is a common technique I use for creating a "random and strong password".


The Problems

First, what are the top problems I encountered with creating new passwords, especially strong passwords? Here's my list:
  1. hard to remember and so they usually end up short in length
  2. based on words I could remember and so they could be broken easier
  3. need of multiple passwords and so I tended to reuse the same password and write them down on the computer I was sitting in front of.

The Risks

Each one of these is in fact a security risk:
  1. Short passwords take very little time to determine
  2. Passwords based on words are very easy to determine
  3. Once a system is compromised, that password can be tested at other target-related sites
These were the problems I wanted to solve and the best way to solve them is to avoid them altogether.


The Key

The hardest thing for me was to not write my passwords down and refer to them often. Human memory isn't always perfect. So, my initial challenge was how to associate a strong password with something I would remember and, later, make it scale up for both small passwords and longer passwords. The key was "context".

The Process

By establishing a context for password use, I was able to create a "playground" for creating stronger passwords. So what is a context? It's the name of the situation or object that best describes a group of elements which are related to each other.

Example: chairs, table, plates, forks, spoons, stove, refrigerator = a context called "kitchen"


So, here is the basic process:

Note: this process is more easily done with a simple text editor on the computer than with pen and paper.

The Steps
With the context in mind:
  1. Create a list of words that are related to the context. Proper nouns are best, followed by obscure verbs.
    • Note: Each entry should be on its own line. This is important.
  2. Between every word, insert a blank line.
  3. Between every other word, add a number related to the context. If there are no numbers associated with the context, apply 3 or 4 digit "random numbers."
  4. Between every other word that has a blank line, add a number (as before) while holding the SHIFT key down. This will result in non-number characters of course.
  5. Somewhere in the middle of the list, insert one or more words about how you feel about this context or other descriptive words. You might even use a random and unrelated word, number or series of characters.
  6. Now, take the first character of each line and type them on a line. This is your random password.
    • If you run out of characters on a line, just skip that line from now on and continue with the next line.
    • Also skip spaces too as they can accumulate too quickly. One space in a password is OK but not recommended.
    • When you get to the bottom of the list, start again at the top with the next character.
  7. Once you have more than 8 characters, you should have a medium strong password and 10 or more should be a stronger password. The longer the password, the better.
Example:

As I said, context is the key. Let's pick a silly context for this example. Let's say we need a password for the refrigerator in the kitchen (apparently there is a midnight bandit eating the extra pieces of pie!) So, kitchen refrigerator is the context and I want a very strong password, 10 or more characters strong.

Note: Below, I have used an exaggerated list to show the idea behind using a context for strong and memorable password generation. A shorter list will work just as well or better.

  1. list of words related to the context
    1. house
    2. Franklin
    3. refrigerator
    4. Whirlpool
    5. kitchen
    6. last piece of mom's apple pie
    7. Midnight Invader
  2. add blank lines
    1. house

    2. Franklin

    3. refrigerator

    4. Whirlpool

    5. kitchen

    6. last piece of mom's apple pie

    7. Midnight Invader
  3. add numbers between every second word
    1. house
    2. 3391
    3. Franklin

    4. refrigerator
    5. 19
    6. Whirlpool

    7. kitchen
    8. 4
    9. last piece of mom's apple pie

    10. Midnight Invader
    11. 2
  4. add more numbers with the SHIFT key held down
    1. house
    2. 3391
    3. Franklin
    4. ##(!
    5. refrigerator
    6. 19
    7. Whirlpool
    8. $
    9. kitchen
    10. 4
    11. last piece of mom's apple pie
    12. ^%&-)
    13. Midnight Invader
    14. 2
  5. Insert a random word
    1. house
    2. 3391
    3. Franklin
    4. ##(!
    5. refrigerator
    6. 19
    7. Whirlpool
    8. $
    9. kitchen
    10. 4
    11. last piece of mom's apple pie
    12. ^%&-)
    13. Rotten Bastard
    14. Midnight Invader
    15. 2
  6. Create your strong passwords:
    1. 8 character, short and strong password: h2F#r1W$
    2. 11 character, medium and strong password: h2F#r1W$k4l
    3. 14 character, longer and stronger password: h2F#r1W$k4l^RM
Now, how is h3Fs#r1W more memorable? Well, no and yes. I found the more effort I put into constructing the password, based on a context, the more likely I was to remember it.

The Variations

You can also add your own steps to the process: maybe you take two characters from each line instead of one each time; maybe you add a character from another language (Greek, Russian?)


Summary

Password security is becoming increasingly important and should be treated as important as what you do with your computer (or other mechanisms.) Because if you choose to ignore good password policies and "make it simple", chances are that whatever you are weakly protecting will be used by others with or without your permission and knowledge.