Thursday, September 4, 2008

Install LFS Linux on file

Create a 2GB disk image

# heads: 255
# sectors per track: 63
# cylinders: 261
dd if=/dev/zero of=disk.img bs=512 count=4194304

Create disk partitions

There are two ways. A. fdisk can partition a file directly.

fdisk -H 255 -S 63 -C 261 disk.img

B. Associate disk.img file with a loopback device

/sbin/losetup -o 0 /dev/loop7 disk.img
fdisk -H 255 -S 63 -C 261 /dev/loop7

Select 'n' for a new partition. Choose number 1. First cylinder 1. Last 261. Select 'a' to set the active boot partition. Choose number 1. Select 'w' to write the partition data. Select 'q' to quit.

Could now use this disk image in Bochs. Add these lines to bochsrc file:

ata0-master: type=disk, path="disk.img", mode=flat, cylinders=261, heads=255, spt=63
ata0: enabled=1, ioaddr1=0x1f0, ioaddr2=0x3f0, irq=14
boot: disk

Create filesystem

Run mkfs on either the disk.img file or on /dev/loop7. Running it on a file will give a warning, but it seems to work.

mkfs.ext3 disk.img


mkfs.ext3 /dev/loop7

Mount the filesystem

Use either loop device or loop option on mount

/sbin/losetup -o 0 /dev/loop7 disk.img
/bin/mount /dev/loop7 /mnt/loop

Set the LFS environment variable. It is used in many places during the build process.

export LFS=/mnt/loop

Local vs. UTC Time for Linux

The first and most important question you'll have to answer is whether you
want to store the time in your machine in either UTC or local time format. UTC
(Universal Time Coordinated) is the same as GMT (Greenwich Mean Time). Local
time is the time that is displayed on a clock hanging on a wall near you. Each
format has its own advantages and disadvantages, but both of them are
discussed in this hint.

Traditionally, all POSIX machines (i.e. Solaris, BSD, UNIX) have their
system time in UTC format. The more stupid OS's (mainly the Microsoft ones)
require their users to configure their machines for local time. Fortunately,
Linux can handle both the normal UTC machines and the machines suffering from
Microsoft diseases that have their system time in local format.

At this point, you'll have to decide what it's gonna be; local or UTC time.
Some guidelines: If you're running Windows and Linux together on 1 box, I
recommend you use local time. If you have Windows but you hardly use it or if
you don't have Windows at all, it's a good idea to store your time in UTC
format. Once you've decided, edit /etc/sysconfig/clock. Use UTC=0 for local
time and UTC=1 for UTC (GMT) time.

Tuesday, September 2, 2008

Disable SELinux for FTP Daemon

SELinux is preventing the ftp daemon from writing files outside the
home directory (pure-ftpd).

Detailed Description
SELinux has denied the ftp daemon write access to directories
outside the home directory (pure-ftpd). Someone has logged in via your
ftp daemon and is trying to create or write a file. If you only setup
ftp to allow anonymous ftp, this could signal a intrusion attempt.

Allowing Access
If you do not want SELinux preventing ftp from writing files
anywhere on the system you need to turn on the allow_ftpd_full_access
"setsebool -P allow_ftpd_full_access=1"

The following command will allow this access:
setsebool -P allow_ftpd_full_access=1

Securing SSH access in Redhat Fedora Core 9

SSH is a powerful tool for administration of your Linux computer. However, that makes the SSH services a target for wannabe hackers. Port 22 is the commonly used and targeted port for SSH services. I changed my SSH configuration to use a non-standard port to throw off these lazy hackers.
Securing SSH in Red Hat Fedora Core 9

* vi /etc/ssh/sshd_config
* Add Port 6940 under where it says #Port 22

#Port 22
Port 6940
#AddressFamily any

* Only Protocol 2 is enabled by default; you should not use Protocol 1 because it is insecure.
* Uncomment PermitRootLogin yes
* Change to PermitRootLogin no

#PermitRootLogin yes
PermitRootLogin no

You will get an SELinux error when you restart the sshd service after these changes. SSH will no longer accept connections on any port. Oddly enough, your existing SSH connection should still work until all these steps are completed.

* /usr/sbin/semanage port -a -t sshd_t -p tcp 6940
* /etc/rc.d/init.d/sshd restart
* audit2allow -M local -l -i /var/log/audit/audit.log > local.te

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i local.pp


#============= sshd_t ==============
allow sshd_t self:tcp_socket name_bind;

* The contents of my local.te file are shown above. Do not create this file by hand. It will not work. There is another binary file called local.pp that goes with it. I don’t know what you should do if you have other entries besides what is shown above. I would clear all the SELinux warnings through GNOME, restart sshd again and rerun the audit2allow command shown above.
* /usr/sbin/semodule -i local.pp
o To import new SELinux settings.
* /etc/rc.d/init.d/sshd restart
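The three sshd_config settings changed above can be checked mechanically before restarting sshd. The script below is an added example, not part of the original post: it applies sshd's own parsing rules (the first uncommented occurrence of a keyword wins, keyword names are case-insensitive, and a Match block ends the global section) to a constructed sample file, so a stray second "Port 22" or a PermitRootLogin inside a Match block is reported correctly where a plain grep would mislead.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the three settings
# the post changes. sshd uses the FIRST uncommented occurrence of a keyword, names are
# case-insensitive, and a Match block ends the global section, so grep alone can mislead.

# effective_setting FILE KEYWORD -> prints the effective global value (empty if unset)
effective_setting() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*(#|$)/   { next }             # skip comments and blank lines
        tolower($1) == "match" { exit }             # settings after Match are conditional
        tolower($1) == key     { print $2; exit }   # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per check, returns the number of failures
audit_sshd_config() {
    fails=0
    port=$(effective_setting "$1" Port)
    root=$(effective_setting "$1" PermitRootLogin | tr '[:upper:]' '[:lower:]')
    proto=$(effective_setting "$1" Protocol)
    # An unset Port means the compiled-in default, 22
    if [ -z "$port" ] || [ "$port" = 22 ]; then echo "FAIL Port: default port 22 in use"; fails=$((fails + 1))
    else echo "OK   Port: $port"; fi
    # The post wants an explicit 'no'; anything else, including unset, is flagged
    if [ "$root" = no ]; then echo "OK   PermitRootLogin: no"
    else echo "FAIL PermitRootLogin: ${root:-unset} (want no)"; fails=$((fails + 1)); fi
    # Protocol 1 must not be listed; unset is fine since 2 is the default
    case "$proto" in
        *1*) echo "FAIL Protocol: $proto enables SSH-1"; fails=$((fails + 1)) ;;
        *)   echo "OK   Protocol: ${proto:-2 (default)}" ;;
    esac
    return "$fails"
}

# write_sample_config FILE -> constructed sshd_config fragment modelled on the post's edits
write_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
Port 6940
#PermitRootLogin yes
PermitRootLogin no
Port 22
Match User backup
    PermitRootLogin yes
EOF
}

tmp=$(mktemp); write_sample_config "$tmp"; audit_sshd_config "$tmp"; rm -f "$tmp"
```

Point audit_sshd_config at a copy of the real /etc/ssh/sshd_config to check a host; the exit status is the number of failed checks.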