Posts Tagged ‘Ubuntu’
Goodbye Ubuntu
Well, the time has come to say goodbye to Ubuntu. It’s been a fun relationship, but alas it’s time for it to end. That’s not to say that the problem I have is with Ubuntu – it’s actually with a variety of circumstances that have caused me a MAJOR headache.
The problem lay within Debian and the OpenSSL project. In September 2006 the Debian package maintainers patched OpenSSL's random number generator to silence a Valgrind warning about uninitialised memory; the change was raised on an OpenSSL developer mailing list but was never properly reviewed upstream. Unfortunately the patch also removed the line that mixed real entropy into the generator, leaving the process ID as effectively its only variable input. With the default limit of 32,768 process IDs, a given key type, size and architecture can only produce 32,768 different keys, all of which can simply be enumerated, so SSH keys, SSL certificates and OpenVPN shared secrets generated between then and May 2008 on Debian, or on any distribution that sits downstream of it, are recoverable by brute force. DSA keys that were merely used for signing on an affected system are compromised too, because the per-signature nonce came from the same broken generator.
http://www.technologyreview.com/Infotech/20801/
While there is now an official resolution for this problem, it’s shaken my confidence in the way the Debian package maintainers apply bugfixes in their haste to get new releases out the door.
For those interested, the official resolution page on the Debian site is here (Debian Security Advisory DSA-1571-1; the issue is tracked as CVE-2008-0166). Upgrading the package is only the first step: every key generated on an affected system has to be regenerated and redistributed, and Debian and Ubuntu shipped an openssh-blacklist package and an ssh-vulnkey tool to find the weak SSH keys, with the updated OpenSSH server rejecting keys on that blacklist.
Bear in mind that I run 5 Ubuntu machines (desktops and servers, work and home) each running some of the affected programs…..it’s a phenomenal headache for me. Now picture those with hundreds (even thousands) of servers and workstations. I can’t begin to imagine the trauma they are going through….
It’s because of this break of confidence that I have decided to cease using Ubuntu. If the Debian package maintainers have disregarded policy in order to add value to their distribution in this case, where else have they fixed issues that may or may not have significant consequences…
I've played with Fedora previously and quite liked it as a distro, but I preferred the user friendliness of Ubuntu: easy to use, but with all the benefits associated with most other Linux distributions. I could do an Ubuntu install in 15 minutes that would be suitable for most people, with full hardware support, and for more intensive server applications all the boxes were ticked too.
So, I’m now in the process of my Fedora migration….starting with this laptop.
IPtables in Ubuntu Gutsy
OK, well I've just had my first unpleasant surprise with Ubuntu Gutsy. I've just checked my iptables rules, as I'm at home, effectively outside my firewall, testing my security, and it seems that by default the ruleset is set to allow all traffic. I'm pretty shocked when I stack it side by side with Fedora, which I've been using at work and which is downright aggressive about security from the word go. Ubuntu by its very nature is aimed at making Linux more accessible, and from reading the Ubuntu forums the majority of new users wouldn't even consider checking...
I appreciate that most people seem to think a firewall is unnecessary on a Linux box, as no daemons are running on a default install. But suppose (as I do) you then install an SSH server, and you want Windows machines on your network to access files, and a plethora of other bits and pieces: eventually you end up with loads of holes. I'd rather find out an application doesn't work until I open the corresponding ports than have data visible from the public internet...
My untouched IPtables config looked like this:
roachy@roachy-laptop:~$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Then after modification (yes I cheated and used Firestarter!)
roachy@roachy-laptop:~$ sudo iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.2.1 anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- 192.168.2.1 anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
DROP 0 -- anywhere 255.255.255.255
DROP 0 -- anywhere 192.168.2.255
DROP 0 -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP 0 -- anywhere 224.0.0.0/8
DROP 0 -- 255.255.255.255 anywhere
DROP 0 -- anywhere 0.0.0.0
DROP 0 -- anywhere anywhere state INVALID
LSI 0 -f anywhere anywhere limit: avg 10/min burst 5
INBOUND 0 -- anywhere anywhere
LOG_FILTER 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Unknown Input'

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
LOG_FILTER 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Unknown Forward'

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.2.11 192.168.2.1 tcp dpt:domain
ACCEPT udp -- 192.168.2.11 192.168.2.1 udp dpt:domain
ACCEPT 0 -- anywhere anywhere
DROP 0 -- 224.0.0.0/8 anywhere
DROP 0 -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP 0 -- 255.255.255.255 anywhere
DROP 0 -- anywhere 0.0.0.0
DROP 0 -- anywhere anywhere state INVALID
OUTBOUND 0 -- anywhere anywhere
LOG_FILTER 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Unknown Output'

Chain INBOUND (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
LSI 0 -- anywhere anywhere

Chain LOG_FILTER (5 references)
target prot opt source destination

Chain LSI (2 references)
target prot opt source destination
LOG_FILTER 0 -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP icmp -- anywhere anywhere icmp echo-request
LOG 0 -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP 0 -- anywhere anywhere

Chain LSO (1 references)
target prot opt source destination
LOG_FILTER 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT 0 -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.2.11 anywhere tcp dpt:www
ACCEPT udp -- 192.168.2.11 anywhere udp dpt:www
ACCEPT tcp -- 192.168.2.11 anywhere tcp dpts:netbios-ns:netbios-ssn
ACCEPT udp -- 192.168.2.11 anywhere udp dpts:netbios-ns:netbios-ssn
ACCEPT tcp -- 192.168.2.11 anywhere tcp dpt:microsoft-ds
ACCEPT udp -- 192.168.2.11 anywhere udp dpt:microsoft-ds
ACCEPT tcp -- 192.168.2.11 anywhere tcp dpt:https
ACCEPT udp -- 192.168.2.11 anywhere udp dpt:https
LSO 0 -- anywhere anywhere
Quite a significant difference…..
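One caveat when reading the Firestarter listing above: iptables --list without -v -n does not show interface matches, so the bare "ACCEPT 0 -- anywhere anywhere" entries in INPUT and OUTPUT are almost certainly loopback rules (-i lo / -o lo) rather than accept-all holes; run sudo iptables -L -v -n to confirm before trusting any listing. The script below is an added example, not Firestarter's output and not the post's own ruleset: it builds an equivalent default-deny policy by hand in iptables-restore format and loads it atomically. The LAN (192.168.2.0/24) and gateway (192.168.2.1) follow the listing; the choice to expose only SSH, and only to the LAN, and the LOGDROP chain name are my assumptions.

```shell
#!/bin/sh
# Added example: a hand-written default-deny ruleset in iptables-restore format.
# Not from the post or from Firestarter. Assumptions (change to suit):
#   LAN_NET - the local network the box sits on (192.168.2.0/24, per the listing)
#   LAN_GW  - the router that also serves DNS (192.168.2.1, per the listing)
#   the only inbound service exposed, and only to the LAN, is SSH (tcp/22)
LAN_NET="${LAN_NET:-192.168.2.0/24}"
LAN_GW="${LAN_GW:-192.168.2.1}"

# gen_rules prints the complete filter table. Lines starting with '#' are
# ignored by iptables-restore, so the comments can stay in a saved copy.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# Loopback is trusted; without this, local services (X, CUPS, DNS caches) break.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Throw away packets that belong to no known connection and are not valid starts.
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
# Stateful core: replies to connections this host initiated are allowed back in.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Rate-limited ping, from the LAN only.
-A INPUT -p icmp --icmp-type echo-request -s ${LAN_NET} -m limit --limit 10/sec --limit-burst 5 -j ACCEPT
# Inbound services: new SSH connections from the LAN only. One line per service.
-A INPUT -p tcp -s ${LAN_NET} --dport 22 --syn -m state --state NEW -j ACCEPT
# Outbound: DNS to the gateway only, then web and SSH anywhere, plus ICMP.
-A OUTPUT -p udp -d ${LAN_GW} --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -d ${LAN_GW} --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# Anything else is logged (rate-limited so a scan cannot fill the disk) and dropped.
-A INPUT -j LOGDROP
-A OUTPUT -j LOGDROP
-A FORWARD -j LOGDROP
-A LOGDROP -m limit --limit 5/min --limit-burst 5 -j LOG --log-level info --log-prefix "fw-drop: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# apply_rules replaces the whole filter table in one atomic step (needs root).
apply_rules() {
  gen_rules | iptables-restore
}

# policy_of RULESET CHAIN prints the default policy of CHAIN in a ruleset
# produced by gen_rules or iptables-save; use it to check what is about to be loaded.
policy_of() {
  printf '%s\n' "$1" | sed -n "s/^:$2 \([A-Z]*\) .*/\1/p"
}

case "${1:-}" in
  show)  gen_rules ;;
  apply) apply_rules ;;
esac
```

sh fw.sh show prints the ruleset and sudo sh fw.sh apply loads it. Gutsy does not persist rules across reboots, so save them with sudo iptables-save > /etc/iptables.rules and add "pre-up iptables-restore < /etc/iptables.rules" to the interface stanza in /etc/network/interfaces. Unlike the Firestarter listing, nothing here is reachable from the internet at all; add one line per service you really run, and keep the "-m state --state NEW" qualifier so that only fresh connections to that port are opened.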
Syncing Data between Laptop and Desktop
I frequently flit between using a laptop and a desktop for work (both Ubuntu), and I use a lot of files on the go. I've always just copied the files across from the laptop when I returned to the office, but it's not really efficient, as I had to either:
a) copy all data, which could be several GB; or
b) select individual files, of which there were often loads.
I just stumbled across a small application called Unison, though, and it's pretty easy to install and configure. Because all of its remote traffic goes over SSH, the same setup could even be used to sync securely across the internet, as long as the SSH server on the far end is reachable.
First install the OpenSSH server on the machine you will sync to (the remote root below); the local machine only needs the SSH client, which Ubuntu installs by default:
$ sudo apt-get install openssh-server
Then install Unison on both machines (the two ends need compatible, ideally identical, Unison versions or they will refuse to talk to each other):
$ sudo apt-get install unison unison-gtk
You then need to create or modify the profile in ~/.unison (the default profile is default.prf). Edit it as your own user, not with sudo, or the file ends up owned by root:
$ pico ~/.unison/default.prf
Under the profile, you should have the local root path, the remote (SSH) root path, then any paths that you want to include, followed by any paths to exclude:
# Unison preferences file
root = /home/roachy/
root = ssh://roachy@10.204.4.35/
path = work/
path = Music/
ignore = Path work/archive/*
Save the file and either run the GUI version
$unison-gtk
or the command line version
$unison
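As an added example (not the post's own profile), here is a fuller profile for the same two machines, with the settings worth having before syncing over SSH from outside the office. The remote host, user and paths follow the post; the key file name, the extra ignore patterns and the profile name work.prf are assumptions.

```ini
# Added example profile (~/.unison/work.prf); not the post's file.
# Host, user and paths follow the post; key path and extra patterns are placeholders.

# The two replicas: local home first, then the desktop over SSH
# (a single slash after the host means "relative to the remote home").
root = /home/roachy/
root = ssh://roachy@10.204.4.35/

# Only these subtrees are synchronised.
path = work
path = Music

# Never ship these.
ignore = Path work/archive/*
ignore = Name *.tmp
ignore = Name .*.swp

# Key-based login only, and refuse to talk to a host whose key is not already
# in known_hosts, so a man-in-the-middle on a foreign network cannot impersonate
# the desktop and collect the files.
sshargs = -o BatchMode=yes -o StrictHostKeyChecking=yes -i /home/roachy/.ssh/id_unison

# Keep a copy of anything Unison overwrites, so a bad sync can be undone.
backup = Name *
maxbackups = 3

# Non-interactive: propagate non-conflicting changes, leave conflicts alone, log it.
batch = true
log = true
logfile = /home/roachy/.unison/work.log
```

Run it with unison work (or start unison-gtk and pick the profile). BatchMode=yes makes SSH fail rather than prompt, so load the key into ssh-agent first or use a key that is only authorised for this job; StrictHostKeyChecking=yes means the desktop's host key must already be in ~/.ssh/known_hosts, which is exactly what you want when syncing from a hotel network.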
Avant Window Navigator on Ubuntu Gutsy
Just been rebuilding my Ubuntu Gutsy box after it had really started to crawl, mainly due to me playing with too many bits of software while trying to learn new things. Having a separate partition for /home has saved me loads of time and effort, as all my data is separate from the OS: a quick format and within 10 minutes I have a shiny new system.
Anyway, one of the things I find essential now on a desktop is AWN (Avant Window Navigator) – it adds that nice Mac dock at the bottom of the screen. The steps to install are as follows:
First add the repository containing AWN:
$sudo pico /etc/apt/sources.list
Add the following lines:
## Avant Window Navigator
deb http://download.tuxfamily.org/syzygy42/ gutsy avant-window-navigator
deb-src http://download.tuxfamily.org/syzygy42/ gutsy avant-window-navigator
Download the repository signing key, add it to apt's trusted keyring and remove the downloaded copy. Note that the key arrives over plain HTTP and apt-key add makes it trusted for every repository in sources.list, so compare its fingerprint (apt-key finger) with a value obtained from somewhere you trust before relying on it:
$ wget http://download.tuxfamily.org/syzygy42/reacocard.asc
$ sudo apt-key add reacocard.asc
$ rm reacocard.asc
Install Avant Window Navigator
$sudo apt-get install avant-window-navigator-bzr
For extra applets, just add
$sudo apt-get install awn-core-applets-bzr
Done
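The key step above is where the trust decision happens, so here is an added example (not from the post or the AWN project) of the same three commands gated on a hash check: the key is only handed to apt-key once it matches a SHA-256 value obtained out of band. The URL is the one from the post; the expected hash is a placeholder, since the post gives no fingerprint, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the post: fetch a repository signing key, pin it to a
# hash obtained out of band, and only then let apt trust it.
# Assumptions: KEY_URL is the key the post installs; EXPECTED_SHA256 is a
# PLACEHOLDER (the post gives no fingerprint) and must be replaced with a value
# you verified from a trustworthy source before this check is worth anything.
KEY_URL="http://download.tuxfamily.org/syzygy42/reacocard.asc"
EXPECTED_SHA256="replace-with-the-verified-sha256-of-reacocard.asc"

# verify_sha256 FILE EXPECTED: succeed only if FILE hashes to EXPECTED (lowercase hex).
verify_sha256() {
  actual="$(sha256sum "$1" | cut -d' ' -f1)"
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# fetch_and_pin URL EXPECTED DEST: download over whatever transport the URL
# offers (plain HTTP here), then refuse to keep the file unless its hash matches.
# Returns 0 on success, 1 on hash mismatch, 2 if the download itself failed.
fetch_and_pin() {
  wget -q -O "$3" "$1" || { rm -f "$3"; return 2; }
  if verify_sha256 "$3" "$2"; then
    return 0
  fi
  echo "hash mismatch for $1; not trusting this key" >&2
  rm -f "$3"
  return 1
}

# install_repo_key URL EXPECTED: the gated version of the post's three commands.
# apt-key add makes the key valid for every repository in sources.list, which is
# why the hash check comes first and the file is removed whatever happens.
install_repo_key() {
  tmp="$(mktemp)" || return 2
  if fetch_and_pin "$1" "$2" "$tmp"; then
    sudo apt-key add "$tmp"
    rc=$?
  else
    rc=$?
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage (after replacing the placeholder hash):
#   install_repo_key "$KEY_URL" "$EXPECTED_SHA256"
```

The same pattern applies to any key or package fetched over plain HTTP: pin it to a hash or fingerprint you obtained through a different channel, and fail closed on mismatch rather than letting apt-key add whatever the network delivered.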