How to shape ADSL traffic with linux. .:H A T E B R E D:.

 

So you have gotten a dsl connection setup with your linux box, now what?

 

The basics:

 

Your ADSL connection is broken down like this: ADSL (Asymetric Digital Subscriber Line) Digital communication over telephone lines, as the term PPPOE (point to point protocol (dial-up) over ethernet)). Asymetric means that one side is greater than the other, ie your modem will download faster than it will upload.

On adverage a dsl upload is 128KB/s and a large packet is considered to be 1500 bytes. In essence this means you can upload 128Kbit/sec / 8*1500byte = 10 packets/sec. That sucks already huh? DSL modem buffers packets in a fifo that can hold 4K or 8K of data, or between a quarter to half a second of data.The reason for this is to handle short bursts without dropping packets. When packets get dropped it requires resending the packet, this in turn will create more network traffic than needed as well as prolonging the end of the session. The problem is that the dsl modems do no reordering within this large buffer. Packets are sent up the telephone line in the order they are received from the ethernet. A large upload keeps the buffer filled with its packets, and any new packet (the TCP ACK needed to continue a download, or the TCP data containing the ssh or telnet keystroke) must first fight for a space in the upload buffer, and once there wait a quarter second or more to be transmitted. Effectively every packet sent up the DSL line gets a non-negligable chance of being dropped, and if it isn't, a quarter second or more delay.

 

The way to fix this is to shape the upload traffic before it hits the modem. How do i do that? With linux & IP forwarding of course!

 

How to implement this:

 

Step 1: Install 2 NICs on the linux box

 

Step 2: Place this box between you lan and modem.

 

Step 3: Have it send gratuitous ARP packets claiming it is the gateway.

 

This tricks the rest of the machines in the lan into sending it their packets destined for the outside world as long as they keep receiving the GARPs. If the linux box is down,the GARPs don't come, the ARP entries time out, the hosts send ARP requests and receive a reply from the router. This way if the linux box is down the internet connection switches over automatically. Providing you have a router connected to the modem.

With this GARP trick, packets being sent from anywhere in the lan to an outside destination take an extra hop through the linux traffic shaper, while packets between hosts in thelan and packets from outside into the lan go directly to their destinations.

 

Setp 4: Install a 2.4.18 or better kernel, and the dsniff and iproute packages (or the equivalent on other linux distributions). The dsniff package supplies /usr/sbin/arpspoof, and iproute /sbin/tc.

 

Step 5: create a 3-band priority shaper, and then completely override the default priority filtering by adding filters. The 1st band receives in-lan traffic. The 2nd band receives small and interactive (ssh) packets destined for outside the lan, and the 3rd band the rest.

 

Step 6: Add a rate limiter to the 3rd band to limit it to less than 128kbit/sec.

 

The rate limiter is enough to prevent the upload buffer in the DSL modem from containing more than one large packet (the one currently being sent). This allows small packets fromthe 2nd band to get ahead of the large ones, and fixes the slowdown of downloads and interactive sessions caused by a large upload.

 

Step 7: Add this to your start-up

 

#!/bin/sh

 

 

case "$1" in

start)

# configure eth0 so that there is a bandwidth cap on large packets going up the DSL line

# and then garp advertising the true gateway's IP, so that other hosts use us rather than it

 

# enable ip forwarding

echo 1 >/proc/sys/net/ipv4/ip_forward

 

# disable sending of icmp redirects (after all, we are deliberatly causing the hosts to use us instead of the true gateway)

echo 0 >/proc/sys/net/ipv4/conf/all/send_redirects

echo 0 >/proc/sys/net/ipv4/conf/eth0/send_redirects

 

# clear whatever is attached to eth0

# this can fail if there is nothing attached, btw, but that is fine

/sbin/tc qdisc del dev eth0 root 2>/dev/null

 

# add default 3-band priority qdisc to eth0

/sbin/tc qdisc add dev eth0 root handle 1: prio

 

# add a <128kbit rate limit (matches DSL upstream bandwidth) with a very deep buffer to the bulk band (#3)

# 99 kbit/s == 8 1500 byte packets/sec, so a latency of 5 sec means we will buffer up to 40 of these big

# ones before dropping. a buffer of 1600 tokens means that at any time we are ready to burst one of

# these big ones (at the peakrate, 128kbit/s). the mtu of 1518 instead of 1514 is in case I ever start

# using vlan tagging, because if mtu is too low (like 1500) then all traffic blocks

/sbin/tc qdisc add dev eth0 parent 1:3 handle 13: tbf rate 99kbit buffer 1600 peakrate 120kbit mtu 1518 mpu 64 latency 5000ms

 

# add fifos to the other two bands so we can have some stats

#/sbin/tc qdisc add dev eth0 parent 1:1 handle 11: pfifo

#/sbin/tc qdisc add dev eth0 parent 1:2 handle 12: pfifo

 

# add a filter so DIP's within the lan go to prio band #1 instead of being assigned by TOS

# thus traffic going to an inlan location has top priority

/sbin/tc filter add dev eth0 parent 1:0 prio 1 protocol ip u32 match ip dst 192.168.168.0/24 flowid 1:1

 

# multicasts also go into band #1, since they are all inlan (and we don't want to delay ntp packets and mess up time)

/sbin/tc filter add dev eth0 parent 1:0 prio 1 protocol ip u32 match ip dst 224.0.0.0/4 flowid 1:1

 

# ssh packets to the outside go to band #2 (this is harsh, but I can't tell scp from ssh so I can't filter them better)

# (actually I could tell ssh from scp; scp sets the IP diffserv flags to indicate bulk traffic)

/sbin/tc filter add dev eth0 parent 1:0 prio 2 protocol ip u32 match ip sport 22 0xffff flowid 1:2

 

# small IP packets go to band #2

# by small I mean <128 bytes in the IP datagram, or in other words, the upper 9 bits of the iph.tot_len are 0

# note: this completely fails to do the right thing with fragmented packets. However

# we happen to not have many (any? icmp maybe, but tcp?) fragmented packets going out the DSL line

/sbin/tc filter add dev eth0 parent 1:0 prio 2 protocol ip u32 match u16 0x0000 0xff80 at 2 flowid 1:2

 

# a final catch-all filter that redirects all remaining ip packets to band #3

# presumably all that is left are large packets headed out the DSL line, which are

# precisly those we wish to rate limit in order to keep them from filling the

# DSL modem's uplink egress queue and keeping the shorter 'interactive' packets from

# getting through

# the dummy match is required to make the command parse

/sbin/tc filter add dev eth0 parent 1:0 prio 3 protocol ip u32 match u8 0 0 at 0 flowid 1:3

 

# have the rest of the lan think we are the gateway

# the reason I use arpspoofing is that I want automatic failover to the real gateway

# should this machine go offline, and since the real gateway does not do vrrp, I hack

# the network and steal its arp address instead

# It takes 5-10 seconds for the failback to happen, but it works :-)

/usr/sbin/arpspoof -i eth0 192.168.168.1 >/dev/null 2>&1 &

echo $! >/var/run/shapedsl.arpspoof.pid

;;

stop)

/sbin/tc qdisc del dev eth0 root 2>/dev/null

if [ -r /var/run/shapedsl.arpspoof.pid ]; then

kill `cat /var/run/shapedsl.arpspoof.pid`

rm /var/run/shapedsl.arpspoof.pid

fi

;;

restart)

$0 stop

$0 start

;;

*)

echo "Usage: $0 [start|stop|restart]"

exit 1

esac

 

exit 0

i wrote this,

 

read it ! it was the world's first EVER review of Red Hat 9.

 

cheers

 

anyweb

 

OSNEWS review of Red Hat 9 - by anyweb

here is a Fedora Core Release 1 review on OSNEWS.

 

Funny thing is, I wrote it :-)

 

 

enjoy !

 

text below :/

 

cheers

 

anyweb

 

 

---------------------------------------

 

 

Getting to Know Fedora Core 1

 

By Niall C. Brady - Posted on 2003-11-07 09:12:12

at OSNews [http://www.osnews.com/]

 

I have installed Fedora Core 1 (Yarrow) to see what has changed between it and Red Hat Linux 9 and to get a feel for this new and powerful Linux operating system. For some people, the name Fedora will not be a familiar name, for others (Red Hat Linux or OS enthusiasts), Fedora could (In some ways) be considered to be the 'new' Red Hat Linux 9.x or 10 release, the not so long awaited sequel to Red Hat Linux 9, which came out in late March 2003. However, Fedora Core 1 is not Red Hat Linux 10 (as I try to explain below), and to quote from the front page of the Fedora Project website [:

 

Intro and installation

Introduction

 

'The Fedora Project is a Red-Hat-sponsored and community-supported open source project. It is also a proving ground for new technology that may eventually make its way into Red Hat products. It is not a supported product of Red Hat, Inc.'.

 

In short, Red Hat has decided to focus strongly on the Enterprise market (follow the money, there is nothing wrong with that) and as a result has discontinued marketing or producing new versions of what many considered to be its 'home user' freely downloadable versions of Linux, but all is not lost, not by a long shot. Red Hat has not abandoned the home users (or free OS down-loaders like me), not at all, it is providing some of its expertise in OS development, tools and financial sponsorship to the Fedora Project (http://fedora.redhat.com).

 

I do think it's a shame that Red Hat isn't doing any obvious marketing for Fedora, even the recent 'end of support' emails that was sent from Red Hat to RHN subscribers recently announcing imminent EOL of support for many of RH's 7.x,8.x etc. OS's did not mention Fedora even once, not even a URL. If you go to [/url]http://www.redhat.com you will see a graphical link on the main page to the Fedora Project, but it's certainly not prominent.

 

To simplify things as much as I can, Red Hat does offer stable, corporate Desktop versions of Red Hat Linux (http://www.redhat.com/software/rhel/ws/) which are available at cost, but come with phone based/web based support options, Fedora on the other hand is freely downloadable, will change often (every few months) and will have much more limited support options (for companies) due to its' price tag and quickly evolving nature (think latest gizmos, latest add-ons). However, Fedora is already a strong community with IRC channels, forums and web-based support, so I think (and hope) it will be around for a long time to come.

 

Installing Fedora

 

I'd recommend that before installing Fedora Core 1, that you do a media check on your CDs, most people will ignore this and go ahead with the install, but you could be unlucky like me and end up half way through CD 2 only to get a file copy error which can slow your installation right down to a snails pace and which basically means you have to either download the ISO again or burn the ISO to cd again. Doing the media check will tell you at the beginning of the installation phase if your CDs are ok and gives you a bit more confidence in your media.

 

I'd also recommend that you take a look at the Release-Notes, to see if there are any known issues with whatever hardware that you are using, and if you are planning on upgrading Red Hat Linux 8.x, 9 to Fedora, then please do check http://fedora.redhat.com/docs/release-notes/ and read the section which explains some post-installation issues for Ximian GNOME amongst other things.

 

Installing Fedora is a breeze, and it is so similar to Red Hat 8.0 and 9 installations that Red Hat users will feel right at home, featuring very easy to follow GUI screens that guide the in-experienced or experienced users from start to finish with ease. I chose to do the standard CD based installation, there are now graphical based FTP and HTTP installs, but I guess they would be more suited to people with fast internet connections, or lan based installations.

 

The CDs available for download are still 6 in total, although most of us will get by with just downloading the first 3 CDs only (thankfully) in order to install and setup Fedora. The last three are source CDs and you can easily distinguish that fact by the CD file name, for example yarrow-SRPMS-disc1.iso is the 1st Source CD and not needed for the 'general' user, instead download the following three cds from here or from your nearest mirror

 

http://download.fedora.redhat.com/pub/fedo...ore/1/i386/iso/

 

yarrow-i386-disc1.iso

yarrow-i386-disc2.iso

yarrow-i386-disc3.iso

 

When I installed Fedora Core 1, I picked the 'custom' option on the installation type screen, this allows me to choose 'everything' which as its' name implies, installs everything included on the 3 CDs. It takes longer to install (approx 1-2 hours, depending on the speed of your computer) and takes more space on your hard disc (5.8 GB or so) but, I would recommend this option for new users, because it helps to avoid dependency or other errors at a later stage when compiling programs or installing various rpms. You can of course uninstall any of the packages you don't require easily in 'add/remove applications' once the installation is done.

 

You can easily install Fedora as dual boot on your computer (just like previous versions of Red Hat Linux) if it has another operating system on it, just make sure that if you do decide to go this route, that first you must have the other OS installed, and second that you have enough space on a free unformatted partition for Fedora, and third, that you are happy to allow GRUB to take control of your boot sequence. You can also update previous installations of Red Hat Linux using the automatic update feature during the installation phase (it will auto-detect your previous install), however I have only tested this functionality on Red Hat Linux 9, so I cannot comment on earlier versions such as 7.x.

 

Usage

The Default Install - What is it like?

 

Booting Fedora Core 1 will at first look like any normal Red Hat Linux boot, you'll see the kernel initialising but then, instead of being presented with a whole bunch of onscreen status initialization messages, you get a rather nice GUI screen with a computer icon and a status bar that shows the percentage of completed tasks in easy to understand format. That is a nice change and a welcome one, you can also, see all of the standard messages within this front-end by clicking on the 'show details' link. Very nicely done, and I only have two minor gripes about it, firstly, how about having the entire boot done in this graphical format (with the option for text based messages for those that want to see them), and secondly, do we really need to give Kudzu 30 seconds to 'scan for new hardware' on every boot? after all it does delay the boot process by 30 seconds especially if you have not added any new hardware, perhaps 5 seconds would be more appropriate. I'm sure some people will jump in here and say that Kudzu itself can be disabled or adjusted so that it doesn't take 30 seconds, but that's not my point. I just think a faster boot time would be more appropriate. Also, how about adding the extra gui functionality to the shutdown portion in Fedora Core 1 (it is still text based).

 

Once the system has booted, unless you specifically chose the text login option during the installation phase you'll get a nice out of box experience (firstboot) which effectively asks you for user name(s) and to test sound output and so on, until after a few questions, you are presented with a very blue graphical login screen using Red Hat's Bluecurve graphical greeter. It is nicely done, and has a clean polished professional look to it. After you have logged in, you will see what looks like a standard Red Hat 9 desktop in GNOME (gnome-desktop-2.4.0-1) with the bluecurve theme and with the little Red Hat clearly visible in the menu. However, you don't have to look far for some of the newer changes under the hood. First off there is the new color scheme for the Bluecurve theme, I think it is gorgeous, and secondly if you click on the Red Hat and choose preferences, you'll see a brand new option (to Red Hat Linux default install users at least) called 'screen resolution' and this little application allows you to change resolution in real-time on your desktop without needing to restart x. Very nicely done, but (there's always a but) why couldn't this screen resolution application be included as a listed function when you right-click on the desktop (alongside change desktop background for example), that would be very convenient and user friendly. In my tests I was easily able to change the LCD resolution on my laptop from 1400x1050 down to 1024x768 and vice versa with no display issues.

 

Still on the display theme, by clicking on the Red Hat and choosing system settings, and then 'display', I now have some new tabs listed in my display settings, Dual Head is now an available option for this ATI Radeon Mobility M6 video card, and that's very cool, it sure wasn't there in Red Hat 9. However, this added bonus, requires you to restart x in order to see the changes. That's a shame, especially seeing as the screen resolution application mentioned above did not require this restart of x. So I pressed CTRL+ALT+BACKSPACE to restart x and logged back in again to see the changes, all i noted was that the second monitor was showing exactly what was on my LCD so I went back into the display settings/dual head TAB and spotted a drop down menu. That drop down menu gave me the option of Individual Desktops or Spanning Desktops. As the Individual Desktops didn't seem to do anything for me I chose 'Spanning Desktops' and applied my settings, once again, I had to restart x for the changes to be seen. So I did, and nothing interesting happened. I kept playing with these settings for about 15 minutes and could not get 'spanning' or for that matter 'individual' desktops to work, perhaps it was just me or perhaps I messed up my installation, or perhaps my particular configuration was just not yet ready for this. Pity though, I was really looking forward to seeing this in action. I tried this on two different laptops, one with ATI Radeon Mobility M6 and the other with ATI Radeon Mobility M9, and I had the exact same problem with both.

 

If you chose to install everything like me, then you'll have lots of applications, games, web browsers and various odds and ends to entertain you. You have apache version 2 to serve web pages, you have samba to access windows shares, you have CUPS to organise your printers for you. Mozilla is still the default web browser and is now version 1.4.1, which is very nice and easy to use. It doesn't have plugins installed, so you will need to install JAVA (Mozilla 1.4.1 Java plugin HOWTO here - http://anyweb.kicks-ass.net/linux/tips/tip13.html), shockwave and so on, yourself. OpenOffice (the Office suite) is included and is version 1.1.0. Email handling is handled by Ximian Evolution version 1.4 and there's even GNUCash to handle your financial needs. All in all lots of Office Software to keep you working away quite happily.

 

On the entertainment side, you have XMMS version 1.2.8 to play your audio files (winamp clone), and it does not have the MP3 plug-in loaded (a popup window explaining patent licence issues preventing the inclusion of the plug-in is loaded the first time you try and play an MP3 with XMMS), so you'll need to fix that also. To fix the MP3 'problem' you'll need to get this file from here [http://img.osnews.com/files/xmms-mp3-fc1.tar.gz] or here [http://www.osnews.com/files/xmms-mp3-fc1.tar.gz]. Once you have downloaded the file, expand it by typing tar -zxvf xmms-mp3-fc1.tar.gz and you will now have three files. Copy the two lib files (as root) to /usr/lib/xmms/Input/. Restart xmms and all should be good.

 

Fedora has also bundled something called Rhythmbox version 0.5.3 to play radio station music and other types (vorbis). I fired it up and tried to connect to Digitally Imported (Netherlands) but it popped up an error 'failed to create spider element, check your installation'. So I checked the properties for that stream, and they were listed as [url=http://213.73.255.244:8000/]http://213.73.255.244:8000/, I copied and pasted that address into Mozilla and it showed me a U ShoutCast D.N.A.S Status page saying the stream was up and with 43 of 300 users listening, so why couldn't I hear anything. It quickly dawned on me that once again I needed a plug-in to listen to these online radio installations, the help files included with Rhythmbox stated that the player plays MP3, FLAC or OGG/Vorbis files, but didn't mention where I could add the ability to play MP3 streams. It would be useful if Rhythmbox included a message like the one in XMMS detailing that this MP3 support is not included, rather than having users trying to figure out what a 'spider element' is.

 

DVD playback software is also nowhere to be found on the entertainment (Sound and Video) menu, in fact there wasn't one video capable player included in this menu, and that's quite ironic considering it's title. This was the same in Red Hat 9, and 8.0, and can be fairly easily solved by installing either xine or mplayer or both (once they are updated to work with Fedora).

 

Internet applications are abundant and there are lots to choose from, web browsers include Mozilla, Konqueror and Epiphany. You can chat online using GAIM (which even works with msn messenger after you have enabled the included plug-in), Xchat, Ksirc or Licq, you can remotely admin your other computers using rdesktop or using the vnc client (vncviewer). You can even install vncserver locally and remotely admin your Fedora box and it works very well. It's nice to see this powerful software included by default (by choosing Custom install and manually installing it or choose everything as suggested earlier).

 

A basic Firewall application is included and it's called lokkit (you can run it from the console as root, or click on the Red Hat menu, choose system settings, security level) and it allows you to Enable or Disable the firewall, plus to trust certain well-known services like WWW (http). To Customise ports you can start lokkit in a console and choose the customise option. There is no Internet Connection Sharing application included in Fedora, but that can be done manually by using iptables and a bit of know how.

 

There is a new login screen (Happy Gnome with browser) which some people will like, its similar to Windows XP's user list (with photos) so you can impress your buddies with it, but by default this login screen is not picked (Bluecurve is the default), you have to manually set it up and it's very easy to do so (system settings, login screen, graphical greeter).

 

Conclusion

Is Fedora Core 1 right for me?

 

If like me, you want to see how new and exciting Linux releases are doing, then you'll probably go ahead and install Fedora as soon as you have downloaded it. Its fun and new and worth looking at, and I have tried it on 4 different machines so far, two of which are laptops. The laptops both installed fine but I was disappointed to see that ACPI support is still not turned on by default in this release, I guess it must be too buggy. What that means is that some new laptops with ACPI only BIOS's will not report any battery levels in Fedora or show advanced power management features, you'll have to read the Release Notes (check the kernel notes section at the end of the notes) to enable that functionality. APM based laptops will not have any problem displaying battery status.

 

The third system I tried it on has a Promise Raid SATA controller with an OS already on it, when I tried to install Fedora, it complained that it couldn't find any hard drives, so I googled and found a Red Hat Linux 9 driver for the promise card, but.... that didn't work with Fedora, seems I need to re-compile that driver within Fedora to get it to work. This was not because Fedora couldn't handle SATA (it can) it was because it could not talk to my raid card and I didn't have time to continue with it.

 

I even attempted to upgrade an existing installation of Red Hat Linux 9 on one system, and the upgrade went as smooth as silk. After the installation was completed I got a message in gnome telling me that my old desktop was linked via a shortcut on my new desktop. I did notice that upgrading Red Hat Linux 9 to Fedora Core 1 does not configure it to use the graphical boot feature, but a quick glance again at the release-notes tells you that you have to must install the rhgb package, and add the rhgb boot-time parameter to your bootloader configuration. To test this I went into system settings, add/remove applications, and selected the X windows system package details. Adding the rhgb (Red Hat Graphical Boot) package was not so simple, once I clicked on update it prompted for CD 1. I inserted CD1 and it popped up an error 'Error Installing Packages - There was an error installing packages, exiting'. Clicking ok closed the Package Manager so I browsed the CD manually (/mnt/CDROM/Fedora/RPMS) and found the rpm (rhgb-0.11.2-1.i386.rpm). I copied that RPM locally and tried to manually install it. I logged in as su - and did rpm -Uvh rhgb-0.11.2-1.i386.rpm and it installed. Then I used vi to edit /boot/grub/grub.conf and added rhgb after the line that reads:

 

kernel /vmlinuz-2.4.22-1.2115.nptl ro root=LABEL=/ hdc=ide-scsi

 

so that it now reads

 

kernel /vmlinuz-2.4.22-1.2115.nptl ro root=LABEL=/ hdc=ide-scsi rhgb

 

saved that file with :wq and rebooted, and voila graphical boot

 

If you do attempt to upgrade an existing installation of Red Hat Linux, then please back up your data first, I personally have not lost any data from doing an upgrade to Linux, however you don't want to be the one who has to explain where the data went if something goes wrong.

 

For users who want MP3 functionality or video playback out of the box, Fedora Core 1 disappoints in this regard (much like Red Hat Linux 8/9 did), I would suggest that you uninstall the included XMMS version 1.2.8 and install the older 1.2.7 version (which has plug-ins freely available on the internet for MP3 support) until someone releases an updated plug-in for the new version. As regards xine (which I did attempt to install) your results may vary, but it complained about xine-libs dependency problems (wanted GLUT and SPEEK, and in turn GLUT wanted OPENGL which wanted......), so I gave up. I have not yet tested nVidia drivers (accelerated) yet but will do soon, I'm confident that nVidia will release Fedora Core drivers shortly.

 

Bluetooth hardware support has been updated but I didn't have a bluetooth device to test so no comment. The kernel (2.4.22-1.2115.nptl) has been updated to include NPTL (as you will notice in the GRUB boot screen) and in Fedora's own words 'Fedora Core 1 includes the Native POSIX Thread Library (NPTL), a new implementation of POSIX threads for Linux. This library provides performance improvements and increased scalability' so I guess that new kernel will delight some and bore others.

 

I can summarise my experience with Fedora as being a mixed bag of emotions, in some cases it surprises pleasantly (resolution changing for one, and the half-gui boot up) but in other cases there is nothing obviously apparent about this release that hits you in the face with that WOW factor (GNOME looks essentially the same as it did since Red Hat 8.0 came out more or less). Yes there is the ability for up2date to use Yum and APT repositories but for users unfamiliar with that technology then is that really something to go 'hey look what this can do?' The very act of updating software is usually to fix something that is broken or to add new features or to apply a security update, if the use of Yum could/can fix the lack of MP3 functionality (for example) then I'll give it my thumbs up, if not, then big deal.

 

Please don't get me wrong, I am not criticising Fedora, far from it, I really really like this distribution, I think it is very professionally done and worthy of a download and installation, however, there are going to be a lot of Linux newbies disappointed initially by the lack of included MP3 functionality and DVD/Video playback, and adding that functionality back will not be straightforward for those people (until clear and easy to follow HOWTO's start popping up on the internet).

 

If you like to experiment with the latest cool stuff on the Linux scene then get downloading now. I'm sure that you will not be disappointed especially if you are an experienced Linux user from the Red Hat stable. If you are new to Linux then perhaps this is a good distro for you to play with, but I guess you'll need to do some research on IRC and Google to get things working the way you want.

 

It's up to you to decide Fedora's future. I hope it's a bright one.

 

Fedora Core 1 screenshots here [http://www.dark-hill.co.uk/yarrow/index.html] and here [http://www.osnews.com/story.php?news_id=5057].

 

by Niall C. Brady

Yes can someone help me i need a list of commands for irc through linux? From user status like being idle to changing font color. Basically everything if you could help out

updated some of the other categories with new topics,

 

feel free to be the first to post something useful in these now blank areas :)

 

cheers

 

anyweb

this tutorial was written with securing xp in mind, especially if you are using IIS.

 

it is very detailed and 'works' if you follow the steps.

 

if you follow this, chances are you wont have to even worry about things like msblast

 

:)

 

have a look

 

[/url]http://anyweb.kicks-ass.net/SecureXP/

 

the link above has all the screenshots and embedded links, below is the text from the article I co-wrote.

 

cheers

 

anyweb

 

 

-----------------------------------------------------------------------

 

 

 

Checklist for Securing a Windows XP IIS 5.1 Webserver

by Greg Thatcher, MCSE, CCNA and Niall Brady, CNA.

 

 

This document was inspired by the need for Windows XP Professional IIS 5.1 administrators to have a checklist available for them which clearly explains how to secure their Web Server from the many Worms and script kiddies who will inevitably target them. Windows XP Professional includes IIS 5.1, it is not installed by default, you have to physically install it as an optiontal extra. By default, XP will install several folders, help files, ASP files, remote web support and more. If you are reading this document and already have a running XP Pro IIS Webserver then you should consider backing it up first. XP includes a backup feature for IIS and it is explained below. If however, you are just installing IIS for the first time, read this first, then go ahead and install everything (we're going to remove or disable most of it anyway).

 

Before implementing any of these changes on your XP machine, it is strongly recommended that you backup your system (including the "System State") and also backup IIS. Click here for examples of how to do this.

 

* 1.) Verify that Automatic Updates are set to install automatically. This utility is built into Windows XP and keeps you notified of Critical Updates and Service Packs. Most hacker attacks target machines that DO NOT have the latest Service Packs and Hotfixes installed on them. To see how to set this up click here. Alternatively you can manually update your system by going to Microsoft at http://windowsupdate.microsoft.com

 

* 2.) Disable and Audit the following files: ftp.exe, tftp.exe, command.com, cmd.exe, telnet.exe, wscript.exe, and cscript.exe. Regardless of the mechanism a hacker uses to break into your machine, the goal is the same: to execute the hacker's code on your machine. The above mentioned programs can be used by hackers to install hacker software, and also run code of the hackers choice.

 

By disabling and auditing a file, you prevent the hacker from doing damage, and also audit the hacker's activities in Event Viewer so that you can detect the attacks.

 

It is not recommended that you Delete or Rename any of these files. Windows XP includes a feature called "Windows File Protection" which will automatically replace some of these files (e.g. cmd.exe) if they are deleted or renamed.

 

If you need access to one of these programs, it is recommended that you make a copy of the program with a different name (e.g. "cmdsafe.exe" or "ftp99.exe") -- don't forget to update any shortcuts to these files. This way, the hacker will not likely be able to find it (only you will know the name).

 

o Click here to learn how to disable a file.

o Click here to learn how to audit a file.

 

 

* 3.) Rename the Administrator account and disable the Guest account.

By default, winXP creates two accounts that many hackers look for on your machine, "Guest" and "Administrator". If your machine is a member of a domain, you will need to do this twice: Once on your machine, and once in Active Directory (Active Directory is beyond the scope of this article).

 

Click here to see an example of disabling the Guest account, and renaming the Administrator account.

 

* 4.) Use strong Account Policies:

 

The easiest way for a hacker to break into your network is via weak passwords and account policies. Using "Local Security Settings" (or Group Policy if you are using Active Directory), you should set the following:

 

o Password Policy (these make it hard for hackers to guess passwords)

+ Enforce password history: 24 passwords remembered

+ Maximum password age: 42 days

+ Minimum password age: 2 days

+ Minimum password length: 8 characters

+ Passwords must meet complexity requirements: Enabled

+ Store passwords using reversible encryption: Disabled (this may create problems for Macintosh or RAS users in your network)

 

o Account policies (these make it hard to run dictionary attacks against your machine)

+ Account lockout duration: 60 minutes

+ Account lockout threshold: 3 invalid logon attempts

+ Reset account lockout counter after: 60 minutes

 

 

Note that these account lockout policies do not apply to the Administrator account. It is very important to rename the Administrator account, as hackers will often run dictionary attacks against the Administrator account.

 

Click here to see an example of setting account policies.

 

 

* 5.) Auditing Windows XP Pro allows you to audit your machine through several mechanisms:

 

o IIS Logs: You should enable IIS Logging on all websites your machine hosts. You should periodically review these log files for hacker attempts. Specifically, search these files for failed (e.g. 404) requests, and also for the following words: echo, copy, rename, dir, del, format, cmd.exe, command.com, tftp.exe, ftp.exe, and in general, any .exe, .com, .bat or other file extension which your web users should not be using. The IIS Log files will also include the IP address of the attacker. You can use the Whois Tool included with InternetPeriscope to find out information about the hacker and his ISP from this IP address.

 

Click here to see how to setup IIS logging.

 

o Event Viewer -- Security Log: Windows XP Pro comes with a tool called Event Viewer (available under the Programs-Administrative Tools menu.) This tool logs Application, System, and Security Events. Unfortunately, the default installation of winXP does not enable any Security logging; you must turn on Security Auditing manually.

 

It is recommended that you configure the following using "Local Security Policy" or Active Directory Group policy (if your machine is a member of a domain.)

 

+ Audit account logon events: Failure

+ Audit account management: Success/Failure

+ Audit logon events: Failure

+ Audit object Access: Failure

(Note: This allows you to audit failed access to files. In addition to enabling this policy, you must also explicitly configure the file or directory for auditing. Click here to see an example of this.)

+ Audit policy change: Success/Failure

+ Audit privilege use: Failure

+ Audit system events: Success/Failure

 

 

Of course, it is very important to periodically review the Event Viewer Security log. It is strongly recommended that you backup ALL log files and set Event logs to "Do not overwrite events (clear log manually)".

 

Click here to see an example of setting up Audit Policy.

 

* 6.) Disable unnecessary services/drivers

 

o Disable Ftp Service: Ftp sends passwords in cleartext. This makes it easy for a hacker to "snoop" on traffic to your machine, and obtain your passwords. If you must run an ftp service on your webserver, it is strongly recommended that you disable "Write" access (Click here for info on how to do this.) If you must enable ftp write access, it is strongly recommended that you use IPSec to encrypt ftp traffic between your ftp server and clients. IPSec is beyond the scope of this article.

o Disable SNMP: Recently, many flaws have been found in the implementation and specification of SNMP. In addition, the default installation of SNMP allows hackers to obtain information on your server via the "Public" Community string.

 

Click here to learn how to determine if your machine is running an SNMP agent, and how to remove it.

o Disable Indexing Service: This indexing service allows you (and hackers) to quickly search for files on your system. Unless your webserver is using the Indexing Service to create a "Site Search" of your website, it is strongly recommended that your remove this service (More on this later.)

 

Click here to learn how to remove the Indexing Service.

o Disable Simple TCP/IP Services: These services are not installed by default, but many Sys Admins install them because they include such fun services as "Quote of the Day" and "Daytime". These services have been favorite targets of attackers for many years.

 

Click here to learn how to determine if your machine is running these services.

o Disable Network Monitor Driver. This driver is used by "Network Monitor" and/or SMS to analyze traffic on your machine.

 

* 7.) Default winXP Installation Directories.

 

Many hacker scripts depend on the default installation of Windows to work. For example, a hacker may, through a variety of mechanisms, attempt to run the following command from inside your Web directory: ..\..\windows\system32\cmd.exe /C del c:\*.*

 

This command would successfully delete the files on your C drive provided that:

o A.) Your website was installed in the c:\Inetpub\wwwroot directory.

o B.) Windows is installed in the c:\windows directory.

 

 

When installing ANY software on your machine, it is very important that you not choose the default installation directory. When installing Windows XP, don't install it in the default c:\windows (or c:\winnt) directory. Instead, install it in the j:\winXP10 directory (or something else that's hard to figure out). When creating a website, don't install it in c:\inetpub\wwwroot, instead, install it in m:\internet\websites\public directory.

 

Most hackers are running scripts that were written by someone else. These scripts often make default assumptions about how your server was installed. By not using the default partitions (or volumes) and directories, you can "fool" their scripts.

 

* 8.) IIS Server Configuration

 

o a.) Remove FrontPage Extensions. There are a number of exploits against FrontPage. It is strongly recommended that you remove this. Click here to learn how.

o b.) Remove Remote Desktop Web Connection (TSWEB). By default, IIS includes a website that enables you to administer the computer hosting IIS via a website. Typically that would show up as a url such as [url=http://www.yoursitename.com/tsweb]http://www.yoursitename.com/tsweb. Click here to learn how to remove this.

o c.) Remove unused App Mappings from Web Server. IF YOU DO NOTHING ELSE, AT LEAST DO THIS!

 

IIS includes a number of "Application Mappings" that invoke various programs when a web page with a certain file extension (e.g. .asp or .pl) is called. Even if you don't have a file in your website with one of these extensions, your server may still be vulnerable to an exploit against one of these file types -- and there are MANY exploits against various Application Mappings.

 

It is strongly recommended that you remove all unused Application mappings. "IIS Security Audit" can help you determine which Application Mappings you need to remove.

 

Specifically, you should remove the following: .cer .cdx .asa .htr .idc .shtm .shtml .stm .printer plx

 

In addition, if you are not using .asp or Perl files, you should remove the following application mappings: .asp, .pl

 

Click here to learn how to remove Application Mappings.

 

Click here to learn more about vulnerabilities against various App Mappings.

 

* 9.) Website Configuration

 

o a.) Disable the "Default Web Site" and delete all of its files. Hackers look for this configuration -- get rid of it. Create your own website, and don't put it in the c:\inetpub\wwwroot directory.

 

o b.) Turn off "Index this resource" on ALL websites. If you want to create a "Site Search" for your website, use a 3rd party tool that does not index the SOURCE CODE of your server-side scripts.

 

o c.) Turn off "Directory browsing" on ALL websites and virtual directories. Don't allow hackers to "browse" through your files.

 

o d.) Delete the "AdminScripts", "IISSamples" and "Scripts" directories. Hackers know of these default directories, and know of many exploits against the files that are installed in these directories in a default installation of IIS. Get rid of these directories, and never name your directories with these names.

 

o e.) Remove any residual FrontPage directories. Frontpage installs a bunch of directories that begin with the "_" character. Delete all of these directories and files, and get rid of any files or directories that your website is not using.

 

o f.) Make sure that none of your websites have the "Write" Permission turned on.

 

To learn how to configure an IIS website, click here.

 

* 10.) Enable auditing on Web and Ftp directories for Write, Delete, and Change Permissions.

 

Remember that to enable auditing, you must perform two steps:

o A.) Turn on "Audit object access" in "Local Security Settings" or "Group Policy".

o B.) Enable auditing for individual files and directories.

 

 

You should only enable auditing on files and directories that do not change often. Do not enable auditing on your mail directories (e.g. mailroot), or web directories that are generated periodically by log analysis programs (like Analog).

 

Be sure to check the Event Viewer - Security log periodically for hacker attempts.

 

* 11.) Check all open TCP/IP ports.

 

First, check to see which ports your machine has open, and figure out which services the ports map to. For the former, you can use "netstat -an" from a DOS prompt. Many users may find the Port Scan feature of InternetPeriscope easier to use, as it tells you which services are commonly used by which ports. Install and run InternetPeriscope ON your server for this first test.

 

Next, perform a Port Scan on your server from a machine that is OUTSIDE of your firewall. Again, InternetPeriscope can help you to do this. This will give you an idea of what ports the hacker's see when they scan your system.

 

If you see any services on your machine that you do not need, you should remove them to further "harden" your server's security.

 

* 12.) Miscellaneous Tasks

 

o A.) winXP Servers include a "Security Configuration and Analysis Tool". Unfortunately, this tool is well hidden in a default installation. Click here to learn how to use this tool.

 

o B.) Disable "Enumeration of SAM accounts and Shares (by anonymous users)". Depending on your configuration, Hackers can sometimes get a list of the usernames and share names on your machine using a "Null Session Vulnerability". This information can help the hacker to more easily crack passwords or take advantage of an unsecured share.

 

Click here to learn how to turn off "Enumeration of SAM accounts and Shares (by anonymous users)".

 

* 13.) Disable Remote Data Services (RDS)

RDS is known to be vulnerable to hacker attacks that enable a hacker to run files on your machine. Most websites do not use RDS, so RDS can be safely disabled. "IIS Security Audit" can help you determine if your machine is vulnerable to an RDS attack.

 

Click here to learn more about the RDS vulnerability.

 

* 14.) Disable ODBC Shell Access Vulnerability

IIS is vulnerable to an attack via the Jet Database Engine that can enable a malicious user to execute programs on an IIS Server. "IIS Security Audit" can help you determine if your machine is vulnerable to an ODBC Shell Access attack.

 

Click here to learn more about the ODBC vulnerability.

 

* 15.) Check Startup Files for Hacker Software

Windows has a number of methods for automatically launching software when a machine first boots or when a user first logs in. If your machine is attacked by hackers or infected by a Trojan, it is very likely that malicious software will be installed that uses one of these "auto-starting" mechanisms.

 

It is recommended that you periodically check and document which software is configured to "auto-start" on your server. If you believe your machine has been compromised, it is important that you check for "auto-starting" software before you reboot your machine.

 

"InternetPeriscope" can help you check for "auto-starting" software on your machine.

 

Click here to learn more about the "auto-starting" methods used by hackers.

 

* 16.) Use NTFS permissions to block Write Access

For many companies, the most horrifying danger posed by hackers is the modification of their web or ftp site. Specifically, they don't want hackers to deface their web pages or install trojan software on their ftp site. Fortunately, this is easy to prevent using NTFS.

 

NTFS allows you to specify which users can read or write specific directories and files. Unfortunately, the group "Everyone" is given the "Full Control" permission by default. This means that anyone who gains access to your web directory can write to it through a variety of hacks.

 

It is strongly recommended that you either "Deny" or remove the "Write" permission from the "Everyone" Group on your web and ftp directories. This way even if a hacker gains access to your system, it very unlikely that he will be able to modify your web or ftp files, causing your company great embarrasment.

 

Click here to learn how to change NTFS permissions.

 

* 17.) Remove Remote Access capability to your Windows XP computer.

 

Click here to learn how to change your Remote Access capability via Microsoft Terminal Services.

I really like apt-get and was wondering how exactly it works. for exmple i wanted mplayer so all i did was type apt-get install mplayer. How did that work ? is mplayer included in apt and i was just lucky or will this work with other programs too? Does it have a list of programs somewhere ?

Need to rename some directories with spaces in the names? Here is a little perl script to do just that. You will need to edit the $startpath.

 

// Begin Script

#!/usr/bin/perl

use File::Find;

 

$startpath="/path/to/dir";

do {

$flag=0;

find sub {

my $foo=$File::Find::name;

if (-d $foo && $foo=~/ /) {

($foo2=$foo)=~s/ /_/g;

rename($foo, $foo2);

$flag=1;

}

},$startpath;

} until ($flag==0);

exit;

 

// End Script

Hi,

 

My nick is K0rnz and I've only been using Linux for about 8 days now. I decided to switch over from Windows XP Pro as a new year's resolution. I do have another computer in my home that has Windows XP Pro but it belongs to my wife and I try to avoid it like the plague.

 

I initially started off with an old Redhat 8.0 CDs which I had downloaded and burned many moons ago but never got to install them. Then I installed Redhat 9.0 and was told in the #redhat EFNET IRC channel to get Fedora Core 1 which I am now running with no problems.

 

Only problems I've run into is the up2date feature fails to connect sometimes.

 

Thanks,

K0rnz

I joined this forum on jan 1st and asked a question or 2 everyday since joining...

cept for today. today i actually have everything I love up and running properly,

and i owe it all to you guys. Your patience and yer guidance have been invalueable(i hope thats the right word) and i appreciate all o you takin the time to help me out. You guys have a great forum goin here and im glad i found this place so early in the development of it.

More ubernoob questions to come tommorow im sure but for today I am silenced.

You guys kick ass

have fun

[img]<___base_url___>/uploads/emoticons/default_ph34r.png[/img] -tek- [img]<___base_url___>/uploads/emoticons/default_ph34r.png[/img]