mainesysadmin.com

Here are a couple of really good reasons on why you need to secure your server’s boot loader regardless if you’re using GRUB or LiLo. In this article I am only going to cover how to configure GRUB.

• Preventing Access to Single User Mode — If attackers can boot the system into single user mode, they are logged in automatically as root without being prompted for the root password.
• Preventing Access to the GRUB Console — If the machine uses GRUB as its boot loader, an attacker can use the use the GRUB editor interface to change its configuration or to gather information using the cat command.

• ssh to your server host with root access
• type: grub to enter the grub console
• type: md5crypt to create a md5 encrypted password (document your password unencrypted and encrypted versions)
• open your favorite editor or download the files via your favorite ftp app. We need: menu.lst and grub.conf they’re located here: /boot/grub
• Add the below line to the top of menu.lst and grub.conf:
  password –md5 “your_encrypted_password” 
• Now add “lock” below each titled o/s choice that you want to prevent from booting without a password.

The method I described above will prevent modification of grub boot options AND only allow you to boot those items that were not password protected with the “lock” command.

I went ahead and manuallly modified menu.lst and grub.conf.

Here is an example of a sample file that you can use as a guide. Replace “your_encrypted_password” with the md5 hash that you generated earlier with the md5crypt command.

grub.conf

I found the following sites useful while writing this article:

http://ubuntuguide.org/wiki/Ubuntu:Edgy/Security

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-wstation-boot-sec.html#S2-WSTATION-BOOTLOADER

http://www.linux.com/feature/53569

• SSH over to the ESX server required.  You’ll need sudo or root access to complete the following.
• To view the file:  cat /etc/syslog.conf
• To modify the file:  vi /etc/syslog.conf (google for vi help if required, i = insert.  esc = exit insert mode)
• Move to the bottom of the file and add the line in the next step if you want ALL the logs to be sent over to your syslog server.
• #syslog server setup
  *.*    @syslogsrv.mydomain
• The first line in the above line is commented out by the # sign, the second line tells all the log files to be sent to “syslogsrv.mydomain”.  Use an ip address for the syslog server if you want this to work when your DNS server goes down.
• service syslog restart (restarts the syslog service)
  
• esxcfg-firewall -o 514,udp,out,syslog (opens the local firewall to allow remote syslogging)
  
• esxcfg-firewall -l (reloads the new firewall configuration)

My previous posting is no longer valid.  Gnome has removed the tab for the sounds menu where you can use the gui to disable the system beep.  Here’s how you can disable this from the CLI.

sudo rmmod pcspkr

Done deal.  If you want your system beep back, well first off…curse you if I sit next to you.  Type in the following to enable it:

sudo modprobe pcspkr

got this from:  lifehacker (per usual)

I love lifehacker.com.  I always find usefull posts like this one below.

http://lifehacker.com/5057484/remove-u3-to-speed-up-your-flash-drive

This is very useful for us Linux users.  It’s so annoying to plug a u3 drive into a linux o/s.  Anyhow download the utility and clean up your U3 enabled usb thumb drive here:  http://www.u3.com/uninstall/default.aspx

There is so much great software available for ubuntu. This weekend I ran into subsonic, an excellent music streaming website you can host from your own PC. This can be used over LAN or WAN (be careful with security).

I followed the following url’s excellent instructions, but I’ll include them for future usage.
http://ubuntuforums.org/showthread.php?t=920178

URL: http://subsonic.sourceforge.net

Step1: Dependencies

sudo apt-get install tomcat5.5

cd; wget http://prdownloads.sourceforge.net/subsonic/subsonic-3.4.zip

Step2: Modify Init For Tomcat & Start

sudo nano /etc/init.d/tomcat5.5

Change TOMCAT_SECURITY=yes to TOMCAT_SECURITY=no

sudo /etc/init.d/tomcat5.5 start

Step3: Unzip/Install Subsonic

unzip subsonic-3.4.zip

mv subsonic.war /var/lib/tomcat5.5/webapps/

mkdir /var/subsonic

chown tomcat55:nogroup /var/subsonic

Step4: Test

firefox http://127.0.0.1:8180/subsonic

Browsing around lifehacker.com I ran across an article on how to create a bootable linux usb thumbdrive. This is by far the easiest method that I’ve run across.

• Download the utility.
• Open the utility and download one of the supported linux iso’s.
• Plug your usb thumb drive into your computer (utility is linux or windows, so you can do this from either)
• Point the utility at the iso you downloaded and the correct usb thumb drive.
• execute, wait and reboot off of your newly created bootable thumb drive.

article with better detail on process:
http://tombuntu.com/index.php/2008/08/27/create-a-bootable-usb-drive-or-memory-card/

direct link to the utility download page:
http://unetbootin.sourceforge.net/

I’ve been saving this link to zdnet to check out for later usage.  I need to format a usb drive and set this up, looks very useful….

http://blogs.zdnet.com/hardware/?p=1873&tag=nl.e539