Saturday, April 26, 2008

Mandriva 2008.1 Package Manager

Mandriva Spring 2008.1 is no doubt a great distribution. It has a good collection of default software, excellent hardware detection, proprietary drivers and software, and an overall great out-of-box experience.

People, including me, often complain about its package manager. With 2008.1, Mandriva has greatly improved RPMDrake. It's fast, has a good number of packages and handles dependencies beautifully.
Let's take a slightly more detailed look.

We start it with the nifty "Install and Remove Software".
It first opens a welcome screen and asks whether we want to use the tool, whether we want to add a media source, and whether to add update-only or full sources.

After this it presents the list of servers for us to select the appropriate one and proceeds to add media.

Finally we are presented with the RPMDrake GUI.

I like the layout; we can either search through the search box or select by group. I selected libopenmotif and applied to start the installation.

NOTE: RPMDrake does not display information such as the percentage of the install completed or the size of the remaining packages to be downloaded. However, after "some time" the packages get installed successfully.

One funny thing is that if I search for Quanta Plus there is no KDE 3 package for it. However, we do have a KDE 4 package. Searching kdewebdev displays KDE3 package which has quanta as one of the files to be installed. Not sure why Mandriva chooses to list quanta as a KDE4 only package when it is also part of kdewebdev in KDE3.

Coming to the Update Manager.
When an update is available, a red icon appears in the KDE task bar. Clicking it again takes you through numerous questions; at the end, however, you have a fully updated system.


Finally, if we play a clip in Totem for which we do not currently have a codec installed, Codeina automatically detects the correct codec for it and gives an option to either install the Fluendo package (paid) or install the freely available codecs from the PLF repos. Luckily I do not stay in the US of A, so I am not compelled to pay for the Fluendo package; I can make do with the free codecs.


RPMDrake presents a nice looking interface and performs its job well. I never faced even a single dependency problem.
However, it does not give enough information regarding install progress. I mean I would like to be told that the install will go on for X more minutes and still X Mb of data needs to be downloaded. One more problem I faced is that RPMDrake and its Updater cousin ask too many unnecessary questions during first time startup.
Imagine it asking whether it is OK to continue at the welcome screen -- Dude, I have started this application, so I really want it to continue. This will only give me a GUI; if I don't want it, I can close it anytime. I can understand that this is to deter a user who does not know about package managers and has unknowingly clicked the icon; however, clicking OK 10 times before a package manager GUI starts is a little overkill.


Thursday, April 24, 2008

Ubuntu servers still down

Ubuntu is the most popular Linux distribution, hence, when the latest and the greatest Ubuntu was getting released, I was expecting heavy load on Ubuntu servers. I thought that even Ubuntu people expected this. However, I was not exactly right.
The heavy load took its toll on the Ubuntu servers and they were unreachable. I tried again after 5 minutes and the servers were still unreachable. I am sure that Canonical will bring them up in no time -- but dude, it's already been 5 minutes.

When I try I get this message

Service Temporarily Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
Apache/2.2.8 (Ubuntu) Server at www.ubuntu.com Port 80



Update:: Ubuntu Servers are up now.


Good morning from Ubuntu 8.04 LTS

Very good morning, a morning made better by the release of long awaited Ubuntu 8.04 LTS.
People always look out for Ubuntu releases, this one being a Long Term Support (LTS) is even more sought after.

It was nice to see the shining Ubuntu homepage with 8.04 release announcement. Check out some of the screen shots of the release pages.



One issue I had: there is no torrent for 8.04. Now I love torrents and believe that they relieve pressure on the servers. The absence of a torrent was slightly disappointing, especially when they provide torrents for 6.06 and 7.10.



So I went back to the default download page and used KGet to get the iso for me.



Here you can see KGet (KDE 4 version) performing its job beautifully and I have already downloaded 30% of the iso.

The download will be over in 2-3 hours and I'll then enjoy the shining new Ubuntu. Till then bye.

EDIT::
Like Ubuntu, its KDE cousin Kubuntu is also released.

However, the Kubuntu team believes in a torrent and have a torrent for their KDE3 release ( Hardy)


Looks Like Ubuntu people saw this blog :). They have now released a torrent.


Wednesday, April 23, 2008

Flash in Firefox 3 in Linux

As a continuation of my article on Flash in Firefox 3 in Windows.
I tried Flash in Mandriva 2008.1 Spring.

Firefox 3 for linux comes as a tar.bz2 compressed file.
All I had to do was to uncompress it using

mkdir /home/abhay/Download/Firefox3/
cd /home/abhay/Download/Firefox3/

tar -jxvf firefox.tar.bz2


This creates a directory called "firefox".
The "-j" option tells tar that the archive is compressed with bzip2, so bunzip2 is used to uncompress it.

Next step was to install Flash plugins in Firefox3.
This was trivial. I went to the Firefox3 plugins directory.

[abhay@localhost plugins]$ pwd
/home/abhay/Download/Firefox3/firefox/plugins

and just linked Flash library from my previous installation of Firefox 2.

ln -s /usr/lib/mozilla/plugins/libflashplayer.so .

One single step and I had flash working beautifully in Firefox 3.

Happy Flashing with Firefox --- IN LINUX


Tuesday, April 22, 2008

Flash on Firefox 3 Beta 5

Firefox 3 Beta 5 is the latest and the greatest version of Firefox. It has many improvements over Firefox 2.
Despite being in Beta, Firefox 3 is so stable now that the most popular Linux distribution Ubuntu is shipping with Firefox 3 Beta pre-installed.
OK, enough praising Firefox 3 Beta; let's come to the most common problem one might face when installing Firefox 3 Beta.


I tried Firefox 3 Beta on Windows XP Professional and discovered that I could not install Adobe Flash on it. Whenever I tried, I got a weird error saying

"Firefox could not install this item because
"install-3lw..rdf" (provided by the item) is not well-formed or does not
exist. Please contact the author about this problem."


I wanted to make Firefox 3 Beta my primary browser, but without Flash -- it's a big NO. What I did is a hack, but hey, it works for me. Luckily I still have Firefox 2 installed on my system. I have it installed at
"C:\Program Files\Mozilla Firefox".
I went to the plugins directory

"C:\Program Files\Mozilla Firefox\plugins".

and copied these four files
  1. flashplayer.xpt
  2. npnul32.dll
  3. NPSWF32.dll
  4. NPSWF32_FlashUtil
Then I copied these files to the directory where Firefox 3 Beta 5 is installed

"C:\Program Files\Mozilla Firefox 3 Beta 5\plugins".

While copying I got a warning saying that npnul32.dll is already present in Firefox 3 Beta 5 plugins directory, so I did not copy it. That's it.
These four ( actually three) files ensured that I have Flash working in Firefox 3 Beta 5.

I am sure that similar hacks exist for Linux too, will try tonight at home.

Happy Flashing with Firefox.


Monday, April 21, 2008

Countdown to Ubuntu Hardy Heron 8.04

Ubuntu is undoubtedly the most popular Linux distribution. Its meteoric rise has made Linux accessible to normal users.
With computer manufacturers like Dell offering Ubuntu pre-installed on their laptops and desktops, Ubuntu is destined to rise further.
The 8.04 or Hardy Heron release of Ubuntu is an LTS release, which makes it very attractive for users who look for a stable release with very few bugs and Long Term Support (read three years). This release is also touted to catapult Ubuntu into the commercial business server and desktop environment.




Let's check some of the features which make Ubuntu 8.04 Hardy Heron a great release.
  1. Latest Firefox 3 (Beta 5). Though it is in Beta, Ubuntu devs have extensively tested it and found it to be very stable on Ubuntu.
  2. Enhanced F-spot photo manager. F-spot enables downloading of photos from digital cameras and mobile phones. It also allows users to perform basic editing functions like removing red-eye and cropping, manage photos, print photos, tag them and upload them to various web sites like Flickr.
  3. Latest version of Gnome 2.22.1 along with latest Nautilus.
  4. Policy Kit. Ubuntu devs have integrated Policy Kit with the "Network", "Users and Groups", "Services", "clock applet", "gnome-mount" and "Time and Date" tools, enabling tighter control over user access levels.
  5. Brasero DVD burning application. This is by far the best Gnome DVD burner.
  6. Transmission bit torrent client. Thankfully we are free from the very basic gnome-bittorrent client.
  7. World clock applet
  8. Totem with capabilities to play from youtube and digital TV broadcasts.
  9. Wubi installer. This will be a great boon to Windows users who want to install Ubuntu from the comfort of their Windows environment.
  10. Latest Xorg server and Pulse Audio and finally
  11. Long Term Support for three years.
Not just Ubuntu, but also its KDE cousin Kubuntu has great features. Unlike Ubuntu, Kubuntu does not come as LTS.
Kubuntu comes in two flavours
  1. Based upon KDE 3.X. This is the latest version of the KDE stable branch 3.X and will enjoy support from Canonical for 18 months.
  2. Based on cutting edge KDE 4.0. KDE 4.0 is the active development branch of KDE; however, it is still not considered production ready. People are hoping that KDE 4.1 will be a stable release. For the enthusiasts who would love the cutting edge feel, Kubuntu offers a KDE 4.0 based edition too.

LTS or not, users are waiting eagerly for both the Ubuntu variants.
I am one of them :).



Sunday, April 20, 2008

Mandriva Spring 2008.1 - Part 2

Mandriva has just released their 2008.1 spring edition.

Continued from Part 1.

Multimedia & Browser Support:
Mandriva has many open source and proprietary codecs. Kaffeine on the ONE (KDE) edition and the FREE (KDE) edition handle Ogg, MP3, AVI, WMA, MPEG 1, MPEG 2, and Quicktime files out-of-the-box.
However, for no apparent reason Totem is the default Movie player even in KDE version. Question -- What is Totem doing in a KDE distribution, when Kaffeine can perform better?
The presence of all this media support by default does not make Mandriva a codec GOD; many codecs like win32-codecs, gstreamer-ugly (for Real Media support) etc. still need to be installed from the PLF repository. PLF is like a merge between Official and Unofficial repositories and can be easily configured using easyurpmi.
Again sun java or java-plugins are not installed by default ?? No idea why this is so, thankfully they can easily be installed from the repositories.
Firefox comes pre-configured with Flash and it works beautifully. However, with Konqueror, flash works but till the time video is over, I cannot do anything else. It's like the desktop and mouse freezes and only thing working is flash video, though I can still kill the XServer using CTRL+ALT+BKSPC, but this is hardly a solution. No other issues with Konqueror, which I found to occupy less Memory and CPU than the hungry Firefox.

The next-generation sound server, Pulse Audio, is used by default. Quoting from the Mandriva site:

"The release comes with the PulseAudio sound server installed and enabled by default in all new installations and upgrades performed via the official installer. PulseAudio's benefits include much improved handling of multiple sound cards, the ability to control the audio outputs of different applications separately, and advanced network capabilities. We have worked hard to ensure that the widest possible range of applications works correctly with PulseAudio. However, it is possible that some users may wish to disable it. Some of the known drawbacks of using PulseAudio are:

  • PulseAudio uses a higher quality but more CPU-intensive resampling algorithm than ALSA. If your sound hardware is incapable of playing certain sampling rates natively, PulseAudio will resample the audio before sending it to the card. Resampling is also necessary when you are playing two audio streams with different sampling rates at once (for instance, playing a CD - 44.1KHz - and a DVD - usually 48KHz). When resampling is needed, PulseAudio will use around two to three times as much CPU power as ALSA would in the same situation. On most reasonably modern systems this will not be noticeable, but on older systems it can represent a significant percentage of available CPU power.
  • PulseAudio is not really compatible with the JACK server used for professional audio applications. If you need to use JACK, you should disable PulseAudio first.
  • There may still be some applications that do not work correctly with PulseAudio, despite our efforts to minimize the likelihood of this.

You can easily disable PulseAudio via Mandriva's sound hardware configuration tool, draksound."

A special Mention to Elisa. Quoting Again :

"Elisa is a sleek, cutting-edge media center based on the Gstreamer media framework. Elisa concentrates on presenting an attractive, sleek and simple to use interface that makes it both easy and visually appealing to watch videos, listen to music, and browse pictures from a dedicated interface. Elisa has a heavy emphasis on internet integration, with support for media sharing services like last.fm, Flickr, Youtube and more all built in. Its architecture makes it easily extensible through the use of plugins. Mandriva Linux 2008 Spring's /contrib repository includes the latest version of Elisa, 0.3.5, and its associated plugins, making it easy to try out, and new versions of Elisa will be made available following 2008 Spring's release through Mandriva's extensive /backports repository system."

Personally speaking, I have tested it very briefly and was able to view a slide show of the pictures in my Pictures folder. For videos, it only displays videos which are in the videos folder; videos in all other folders cannot be accessed.

Graphics:
Mandriva comes loaded with graphic applications.
  1. GIMP,
  2. ShowFoto,
  3. Ksnapshot, and
  4. Digikam
We can transfer the images from a digital camera using Digikam and perform normal editing like red-eye reduction, white balance etc. in showFoto. showFoto also serves as an image organizer. For users who require more advanced editing, Mandriva offers GIMP.

Office:

Mandriva comes installed with OpenOffice.org 2.4, which comes with improved integration to the desktop and packaging. Now the different OpenOffice.org components are separated in several packages. OpenOffice.org 2.4 features many improvements like:

Further information about new OpenOffice.org features (with images) can be found on OOoninja.com website, or on Openoffice.org wiki

Finally:
After having spent two weeks with Mandriva, here is my list of Pros and Cons
Pro:
  1. Excellent Hardware detection
  2. Out-of-box support for NVIDIA binary drivers
  3. Flash works by default in Firefox.
  4. Very light memory footprint. The desktop always feels snappy. I can open 30 tabs in Firefox and have RPMDrake open, still OpenOffice will open instantaneously. I just have 512 MB RAM.
  5. KDE Theme well integrated into all applications including Firefox.
  6. Good set of applications serving almost all my needs.
  7. Excellent Configuration GUI
  8. Fast package Manager
  9. easyurpmi makes adding PLF repository as easy as clicking a button. PLF repos has a huge number of packages
  10. Very stable, never had a full freeze or a crash.
  11. Parental Control.
Cons:
  1. No Java by default
  2. No Ktorrent by default, now this one surprised me.
  3. Kaffeine is not default Movie player. Totem opens when I click on video file.
  4. Flash does not work properly in konqueror.
  5. sudo not installed by default.
  6. Elisa sounds good, but is not user friendly.
  7. Too much user intervention sought during LiveCD boot
  8. Package Manager has basic capabilities, nothing fancy like YAST.
  9. Presence of Join Mandriva and Upgrade to Power icons. I know I can just delete them, still it's not good to suggest that the user shift to the paid version. Look at OpenSUSE or Ubuntu: they also have paid siblings but never prompt the user to "upgrade".
Conclusion:
If you are a new Linux user, blindly go for Mandriva Spring 2008.1. It hand holds you and you would not require to open the dreaded command line for any normal task. Till now I have not opened it, except for my programming work. It has great artwork and a friendly community too.
This release has all the bells and whistles to impress all. Windows users will find the interface very similar to XP. Actually when it comes to installing XP ( with all associated drivers and applications) a new user will find Mandriva much easier and much - much faster.
Don't believe me -- Give Mandriva a try.

NOTE:
Many screenshots have been shamelessly copied from The coding studio and HowToForge. I would be thankful to them if they allow me to use the screenshots; else I might have to remove them.


Mandriva Spring 2008.1

Mandriva has just released their 2008.1 spring edition.

This release promises a lot, some of its new features are

  1. Parental control utility. This can be very useful for people having young kids who do not want their kids to access "improper content".
    Now I read this as pornographic sites and sites which deal with excessive violence. An added feature is to limit the time of computer usage.
  2. Elisa multimedia center - A one stop tool to manage photos, music and videos.
  3. PulseAudio- Well most new distributions now come with Pulse Audio.
  4. Codeina Framework - For our US based friends who want to pay for the codecs. Thankfully I am not in US, and like Linux, codecs are also free for me :).
  5. Improved Package manager
  6. Enhanced KDE.
  7. Coherence - A media server that allows sharing video and audio.
  8. KDE 4.02 ( now 4.03 is available) in repositories.
  9. Full support to Asus EeePC. Now this is rather remarkable. A general purpose distribution having out-of-box support for the latest Linux based ultra mobile Laptop -- amazing.
  10. Synchronization with Windows based and Nokia Mobile phones.
  11. Out of box support for Flash, MP3 and NVIDIA and ATI binary graphic drivers.
  12. NTFS write enabled by default.
Mandriva has really tried hard to make this release an extremely user friendly one. They provide three different editions
  1. Free - This does not include any non-open source software. Purist might find it to their taste, I would pass it.
  2. One - The edition for normal user. It is designed to provide out of box functionality for most common computing tasks.
  3. Power - Its like One, but you would have to pay for it :)
I tried the Mandriva One KDE edition and am very impressed with it.

The LiveCD:

The Live CD presents a beautiful looking grub screen with only one entry to boot Mandriva. It would be nice to have an option to boot in safe mode or to add any kernel argument.


While booting, the LiveCD asks too many questions, like choosing the language, country, keyboard layout, desktop effects type (Compiz, Metisse or no effects), date and timezone setting, and accepting the Mandriva License. Why can't they ask these stupid questions while installing? I think the LiveCD should just boot with the default options - a la Ubuntu - and leave the customizations for later.


At the same time I was really impressed by the superb hardware detection. My graphics card (NVIDIA 6200), usb mouse and an obscure web-cam were correctly detected and configured. They had also put up a decent screen resolution (1200 X 800), which I have changed to 1280 X 960.

Mandriva developers have made KDE beautiful; look at the default KDE screen on boot-up.

I would have preferred if they did not have the icons for "Join Mandriva" and "Upgrade to power". I normally check the user friendliness of any LiveCD and I must say that Mandriva Spring 2008.1 topped my list. Come on, with out-of-box support for my graphics card and thereby compiz-fusion, I had the most beautiful LiveCD experience. Flash plugins for Firefox are enabled by default, so I can watch youtube videos while the LiveCD installs to hard disk, and I get all the easy-to-use GUI configuration menus that I am used to (courtesy of PCLinuxOS).

The install to hard disk could be described in one word - Fast. It was a very normal hard disk installation, of the kind we are used to courtesy of PCLinuxOS, Ubuntu, Mint etc. The installer asks for the Super User password and creates a normal user too.

Hard Disk Boot:
The grub with the hard disk boot, thankfully had the boot to safe mode option


There was a First Time run wizard ( a rip-off from Linux Mint ??) which welcomed me and asked me to register with Mandriva, participate in a survey and lastly Contribute to Mandriva.



Unlike OpenSUSE, Mandriva does not give the option to enable auto-login of a user during install, so we have to do it manually in the Mandriva Control Center. These are the trivial things that make life easier on a single-user desktop.
Once past the KDM we are greeted with a professional looking desktop, good icons and beautiful looking wallpaper. Again wish the icons for joining Mandriva or to upgrade to power were not there. The welcome screen gives an overview of all three editions of Mandriva.



Mandriva still employs the default KDE Menu, unlike most other distributions which have shifted to the new SUSE Kickoff Menu.



Configuration:
I have always liked the Control Center of PCLinuxOS. It's a great tool and provides for easy GUI configuration. People at Mandriva also acknowledge this and are proud to state that the Control Center was developed by Mandriva. Mandriva Control Center is a pleasure to work with.


Parental Control:
Within the Mandriva Control Center we can enable Parental Control.
Here I have added "sex.com" to the banned list and enabled Parental Control.
It requires two packages to be installed: squid and dansguardian.
On Clicking OK the packages are automatically downloaded and installed.

Finally when I try to access the site sex.com from Firefox, I get this error.
Pretty neat and easy. I think many parents would love this feature.

Package Management:
Mandriva is not famous for its package manager; however, it's not bad either. Actually I liked the GUI of RPMDrake. It's very similar to most common package managers like Synaptic and YAST (from a casual user's point of view -- they might be hugely different otherwise).
I found it to be reasonably fast and performing its function well. Though I would have loved to have RPMDrake indicate the actual time and size of remaining install. But I am still OK with RPMDrake.

Multimedia and Conclusion in Part-2.


NOTE:
Many screenshots have been shamelessly copied from The coding studio and HowToForge. I would be thankful to them if they allow me to use the screenshots; else I might have to remove them.


Thursday, April 17, 2008

Countdown To OpenSUSE 11.0


Thursday, April 3, 2008

Firefox 3 Beta 5 on OpenSUSE

Firefox 3 Beta 5 is released and the binaries are available for Linux, Windows and OS X.
Check out the screenshot showing the latest Firefox running on OpenSUSE with KDE 4.


EDIT:
An easy way to install Flash on Firefox 3 Beta 5 ( on Windows). Will post the Linux version tonight.


Intrusion detection with Tripwire

It's so heartening to know that it's not only me who is concerned about home network security and intrusion detection.

I have written two articles about it.
1) Setting up a Firewall and
2) Setting up Intrusion detection.

Now even FOSSwire has come up with an article on Intrusion detection with Tripwire.
Tripwire works in a similar fashion to SNORT and allows you to set up policies. It then periodically monitors those policies.
It’s most useful in server environments, where you have services running all the time and where they are at risk of intrusion. It’s also not the be all and end all, and you certainly shouldn’t assume that it will be able to catch everything, but it is an essential tool in my opinion for people running servers in many environments that help you limit the damage that can be caused by the bad guys.


Read the Full article at FOSSwire.


Tuesday, April 1, 2008

Home Network Security- Part2 SNORT

The first part of my article on Network security dealt with setting up a firewall in OpenSUSE.
Continuing with the same, let's discuss the security cameras in OpenSUSE. Intrusion prevention systems (IPS) form the security watchdogs and monitor the system for any security breach. SNORT is the most common IPS in Linux.

SNORT is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. Snort performs protocol analysis, content searching/matching, and is commonly used to actively block or passively detect a variety of attacks and probes, such as buffer overflows, stealth port scans, web application attacks, SMB probes, and OS fingerprinting attempts, amongst other features. The software is mostly used for intrusion prevention purposes, by dropping attacks as they are taking place. Snort™ can be combined with other software such as SnortSnarf, sguil,OSSIM, and the Basic Analysis and Security Engine (BASE) to provide a visual representation of intrusion data.
I tried Snort on OpenSUSE using the official SUSE install guide. The guide helps enable Snort and MySQL integration. This way the logs from Snort are saved in MySQL and I can review them from other systems (on my local network) using an easy-to-use web GUI for MySQL. Similar guides are available for RedHat also.

SNORT is governed by Signatures. Signatures consist of specific attack characteristics embodied into rules within the IDS internal database that permit statistical analysis of data relating to network operation, i.e. server CPU utilization, specific types of network traffic, and other numeric characteristics easily measurable and likely to be affected by an intrusion. SNORT is mainly a signature analysis tool, but can be configured for some statistical functionality. There are three run modes for Snort: Sniffer, Packet Logger, or NIDS (Network IDS).

Snort’s strength is its high degree of comparability. Its main weakness is its dependence on (sometimes poor) signatures. As with all signature-based IDSes, Snort can be defenseless against unknown or “zero-day” attacks until a signature becomes available. Another problem with Snort is that some of the signatures -- no doubt designed to identify older attacks -- look for benign words (such as “TOP”) in the payload to determine whether a packet is malicious. As a result, an initial ruleset from the Snort project gave us several hundred false positives. Snort developers have addressed this drawback by allowing you to comment out rules that you do not want to use on your network. The problem with this is, anytime you update your rules with the newest set from Snort.org, you’ll have to comment them out again.
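The re-commenting chore described above can be scripted. The following is an added example, not code from the original post or from the Snort project: it keeps the unwanted SIDs in a separate list and re-applies that list to a freshly updated rules file. The rules, SIDs and list format are constructed for illustration, and only single-line rules are handled.

```python
import re

# An active or commented-out single-line rule. Group 1 is the leading "#"
# (if the rule is already disabled), group 2 is the sid value.
RULE_RE = re.compile(
    r'^\s*(#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s.*?\bsid\s*:\s*(\d+)\s*;'
)

# Constructed ruleset, as it might look right after an update.
# SIDs are made up and sit in the local range (>= 1000000).
SAMPLE_RULES = '''\
# constructed rules for illustration only
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"CONSTRUCTED POP3 TOP keyword"; content:"TOP"; nocase; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED SSH probe"; flags:S; sid:1000002; rev:1;)
# alert tcp any any -> $HOME_NET 23 (msg:"CONSTRUCTED telnet"; sid:1000003; rev:1;)
'''

# Constructed disable list: one SID per line, "#" starts a comment.
SAMPLE_DISABLE_LIST = '''\
# sid   reason
1000001 # matches the word TOP in ordinary mail traffic
1000003 # already commented out in the shipped file
1000099 # no longer present in the ruleset
'''


def parse_sid_list(text):
    """Read the disable list and return the SIDs as a set of ints."""
    sids = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            sids.add(int(entry))
    return sids


def apply_disabled_sids(rules_text, disabled):
    """Comment out every active rule whose sid is in `disabled`.

    Returns (new_text, changed, missing):
      changed - SIDs that were active and are now commented out
      missing - SIDs on the list that no rule in the file carries, which
                means the list itself needs a review after this update
    """
    out, changed, seen = [], [], set()
    for line in rules_text.splitlines():
        match = RULE_RE.match(line)
        if match:
            sid = int(match.group(2))
            seen.add(sid)
            if sid in disabled and match.group(1) is None:
                line = "# " + line
                changed.append(sid)
        out.append(line)
    missing = sorted(disabled - seen)
    return "\n".join(out) + "\n", changed, missing


if __name__ == "__main__":
    disabled = parse_sid_list(SAMPLE_DISABLE_LIST)
    new_text, changed, missing = apply_disabled_sids(SAMPLE_RULES, disabled)
    print(new_text, end="")
    print("disabled now:", changed)
    print("not found in ruleset:", missing)
```

Running it a second time over its own output changes nothing, so it can be run after every rules update.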

Limitations apart, SNORT does a wonderful job of detecting intrusions and logging them. I can then simply modify my firewall rules and disable access to possible intruders. Above all it gives me the feeling that if someone breaks in, I'll have information about the break-in and some details about the culprit. I can thus check my data for integrity and immediately change all my passwords. Not sure, but maybe I can also use the logged information as legal evidence against the attacker or to help the experts catch him.

P.S:
There is also a windows port of SNORT ( for the poor souls who have to live with VISTA).
As always, thanks to various websites for providing me information about SNORT and helping me install it.


Home Network Security in OpenSUSE

As part of my job, I had to undergo a mandatory training on Network security. I went there with an odd feeling that why should I be attending a network security session. I mean I am a software developer and security is the job of some Unix System Admin. The first half an hour made me realize that it is the unsecured software, that we developers write, that makes the job of SA's difficult. The presenter gave a very simple example of buffer overflow that I almost always forget to cover.

Now that he had my attention, he started describing cases where small security holes lead to big problems, notably bank frauds.
He gave an analogy; Banks keep their money in heavy stainless steel vaults. However, their security measures do not end here, they also employ security camera to monitor and have armed guards to thwart any illegal access to the vaults. When it comes to software, the vaults are the firewalls, the security cameras are the intrusion detection tools and the security guards are the software/ System Admin’s who actually take counter action.

In today’s world, it is not only the big banks with huge amounts of money who need to secure themselves; even a home computer needs to protect itself from the numerous hackers trying to steal our important data like credit card numbers, bank logins/passwords, personal details (date of birth, social security number etc.) and contact lists. If you think these are trivial things, ask a man who has just lost $20,000 on his credit card to a hacker, or whose lifetime savings are now comfortably resting in a bank somewhere in Somalia, or a person who has been a victim of identity theft. Network security is essential for all; having said this, let's see a few measures to protect ourselves while on the internet.

FIRST and foremost is to have a personal firewall and ensure that no port is open to the outside world. Most common Linux distributions close all ports by default. However, we cannot rely on just a firewall. For the smartass hackers we need to employ security cameras. In the first part I will discuss installing and configuring a firewall in OpenSUSE 10.3.

The Linux firewall is implemented through netfilter/iptables. Netfilter is a framework that provides a set of hooks within the Linux kernel for intercepting and manipulating network packets. The best-known component on top of netfilter is the firewall, which filters packets. iptables is the name of the user-space tool with which administrators create rules for the packet filtering (both inbound and outbound) and NAT modules. iptables is a standard part of all modern Linux distributions.
Main Features:
• listing the contents of the packet filter ruleset
• adding/removing/modifying rules in the packet filter ruleset
• listing/zeroing per-rule counters of the packet filter ruleset
• stateless packet filtering (IPv4 and IPv6)
• stateful packet filtering (IPv4 and IPv6)
• all kinds of network address and port translation, e.g. NAT/NAPT (IPv4 only)
• flexible and extensible infrastructure
• multiple layers of APIs for 3rd party extensions
• large number of plugins/modules kept in 'patch-o-matic' repository

What can I do with netfilter/iptables?
• build internet firewalls based on stateless and stateful packet filtering
• use NAT and masquerading for sharing internet access if you don't have enough public IP addresses
• use NAT to implement transparent proxies
• aid the tc and iproute2 systems used to build sophisticated QoS and policy routers
• do further packet manipulation (mangling) like altering the TOS/DSCP/ECN bits of the IP header

[As per the Red Hat guide] Traffic moves through a network in packets. A network packet is a collection of data in a specific size and format. In order to transmit a file over a network, the sending computer must first break the file into packets using the rules of the network protocol. Each of these packets holds a small part of the file data. Upon receiving the transmission, the target computer reassembles the packets into the file.
Every packet contains information which helps it navigate the network and move toward its destination. The packet can tell computers along the way, as well as the destination machine, where it came from, where it is going, and what type of packet it is, among other things. Most packets are designed to carry data, although some protocols use packets in special ways. For example, the Transmission Control Protocol (TCP) uses a SYN packet, which contains no data, to initiate communication between two systems.

The Linux kernel contains the built-in ability to filter packets, allowing some of them into the system while stopping others. A packet may be checked against multiple rules within each rules list before emerging at the end of the chain. The structure and purpose of these rules may vary, but they usually seek to identify a packet coming from or going to a particular IP address or set of addresses when using a particular protocol and network service.

Regardless of their destination, when packets match a particular rule on one of the tables, they are designated for a particular target or action to be applied to them. If the rule specifies an ACCEPT target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to its destination. If a rule specifies a DROP target, that packet is refused access to the system and nothing is sent back to the host that sent the packet. If a rule specifies a REJECT target, the packet is dropped, but an error packet is sent to the packet's originator.
Every rule has a default policy to ACCEPT, DROP, REJECT, or QUEUE the packet to be passed to user-space. The iptables command allows you to configure these rule lists, as well as set up new tables to be used for your particular situation.
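The first-match behaviour of ACCEPT, DROP and REJECT described above can be seen in a small simulation. This is an added example, not code from the Red Hat guide or from iptables; the `Rule` class, the `evaluate` function and the sample rule list and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                    # ACCEPT, DROP or REJECT
    src: str = "0.0.0.0/0"         # source network this rule matches
    proto: Optional[str] = None    # "tcp", "udp", or None for any protocol
    dport: Optional[int] = None    # destination port, or None for any port

    def matches(self, pkt: dict) -> bool:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        return self.dport is None or pkt.get("dport") == self.dport

def evaluate(chain, policy, pkt):
    """Return (verdict, index of the deciding rule, or None if the policy decided)."""
    for index, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.target, index   # first match wins, later rules are skipped
    return policy, None                 # no rule matched: default policy applies

# What the sending host observes for each verdict, as the text describes.
SENDER_SEES = {
    "ACCEPT": "packet delivered",
    "DROP": "nothing sent back",
    "REJECT": "error packet sent back",
}

# Constructed rule list; addresses come from documentation ranges.
CHAIN = [
    Rule("DROP", src="203.0.113.0/24"),        # block one network outright
    Rule("ACCEPT", proto="tcp", dport=22),     # allow ssh from everyone else
    Rule("REJECT", proto="tcp", dport=113),    # refuse ident with an error
]

if __name__ == "__main__":
    for pkt in (
        {"src": "203.0.113.7", "proto": "tcp", "dport": 22},
        {"src": "198.51.100.5", "proto": "tcp", "dport": 22},
        {"src": "198.51.100.5", "proto": "tcp", "dport": 113},
        {"src": "198.51.100.5", "proto": "udp", "dport": 53},
    ):
        verdict, index = evaluate(CHAIN, "DROP", pkt)
        print(pkt, "->", verdict, "rule", index, "|", SENDER_SEES[verdict])
```

The first packet shows why rule order matters: it is addressed to the allowed ssh port, but the earlier DROP rule for its source network decides first.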

OpenSUSE 10.3 comes with SuSEfirewall2, a tool which generates iptables rules from configuration stored in the /etc/sysconfig/SuSEfirewall2 file. Though SuSEfirewall2 can be configured through YaST, SUSE recommends using the command line to be able to configure all options. It is recommended to start the firewall at bootup, but a manual start can also be configured.
We can setup Allowed Services, a list of services that the firewall allows through network. Some common services include DHCP client/server, HTTP client/server, mail server, LDAP, Remote Administration and ssh. We can also set IPSec or the Internet Protocol Security. IPSec helps when we want to remotely administer the server.

SuSEfirewall2 has three different zones:
• EXT - External (untrusted, Internet): FW_DEV_EXT
• INT - Internal (trusted): FW_DEV_INT
• DMZ - Demilitarized: FW_DEV_DMZ

Assign your network interfaces to particular zones according to your needs. If you have only one network interface, it is a good choice to assign it to the External zone. A network interface is assigned to a zone by adding the interface name to that zone's variable.
Every firewall zone can allow four types of services:
• TCP - FW_SERVICES_EXT_TCP, FW_SERVICES_INT_TCP, FW_SERVICES_DMZ_TCP
• UDP - FW_SERVICES_EXT_UDP, FW_SERVICES_INT_UDP, FW_SERVICES_DMZ_UDP
• RPC - FW_SERVICES_EXT_RPC, FW_SERVICES_INT_RPC, FW_SERVICES_DMZ_RPC
• IP - FW_SERVICES_EXT_IP, FW_SERVICES_INT_IP, FW_SERVICES_DMZ_IP

TCP and UDP services can be entered by port number, port name (the current assignment can be found in the /etc/services file on your system) or a port range defined as two port numbers with a colon in between.
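To check what a zone actually exposes, the variables above can be read back and each service entry resolved to a port or range. This is an added example, not part of SuSEfirewall2; the sample configuration, the `SERVICES` mapping (a stand-in for /etc/services) and the function names are constructed for illustration.

```python
import re
import shlex

# Constructed excerpt in the style of /etc/sysconfig/SuSEfirewall2.
SAMPLE = '''
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_SERVICES_EXT_TCP="ssh 80 6000:6010 70000 htpp"  # last two are mistakes
FW_SERVICES_EXT_UDP="domain"
'''

# Constructed stand-in for the name-to-port mapping in /etc/services.
SERVICES = {"ssh": 22, "http": 80, "domain": 53}

def parse_sysconfig(text):
    """Map each FW_* variable to the list of words in its quoted value."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*(FW_[A-Z0-9_]+)=(.*)$", line)
        if m:
            words = shlex.split(m.group(2), comments=True)
            values[m.group(1)] = words[0].split() if words else []
    return values

def port_span(entry, services=SERVICES):
    """Return (low, high) for a number, a low:high range or a name, else None."""
    m = re.fullmatch(r"(\d+)(?::(\d+))?", entry)
    if m:
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        return (low, high) if 1 <= low <= high <= 65535 else None
    port = services.get(entry)
    return (port, port) if port else None

def audit(text, zone="EXT"):
    """List what a zone exposes and which entries cannot be resolved."""
    cfg = parse_sysconfig(text)
    report = {"interfaces": cfg.get(f"FW_DEV_{zone}", []), "open": [], "invalid": []}
    for proto in ("TCP", "UDP"):
        for entry in cfg.get(f"FW_SERVICES_{zone}_{proto}", []):
            span = port_span(entry)
            if span:
                report["open"].append((proto.lower(), *span))
            else:
                report["invalid"].append((proto.lower(), entry))
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Entries reported as invalid, such as an out-of-range port or a misspelled service name, are worth fixing before relying on the configuration.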

Finally:
Now, I am not an expert at security and have written this guide with the help of various online documentation; however, having configured a firewall, I feel that I have put a layer between my home data and the prying eyes of hackers. Also note that a firewall never prevents anyone from giving his details in an IM session :).
In the next part of the series I’ll discuss the security cameras, or the intrusion detection tools, SNORT, available in OpenSUSE (or any Linux for that matter).
