Archive for April, 2007

Saturday, April 28th, 2007

Chapter 18: Running Bootable Linux Distributions

- Using and analyzing encryption techniques: Many tools enable you to use encryption techniques to protect your data and find when others have tried to compromise it. GNU Privacy Guard (gpg) is used for verifying the authenticity of computers and people. For setting up virtual private networks, there are stunnel and super-freeSWAN VPNs. You can find images (gifshuffle, stegbreak and stegdetect) and music (mp3stego) that contain hidden messages from a technique called steganography.
- Managing a firewall: Bring a firewall up quickly or assess what's happening on a running firewall. The blockall script can block all inbound TCP traffic, flushall flushes your firewall rules, and fwlogwatch can monitor firewall logs. The firestarter and floppyfw utilities offer quick ways to start up a firewall. Tools for managing iptables firewalls include gtk-iptables and shorewall.

These tools only touch the surface of what you can do with Knoppix-STD. Go to the project's Tools page (www.knoppix-std.org/tools.html) to find out about more features in the project. Or, go to the download page (www.knoppix-std.org/download.html) to download and try it yourself.

The Inside Security Rescue Toolkit

INSERT (Inside Security Rescue Toolkit) is another KNOPPIX derivative that includes features from Damn Small Linux as well. It bills itself as a disaster recovery and network analysis system. It contains a more compact set of tools to fit on a bootable business card (about 50MB). Check it out at www.freshmeat.net/projects/INSERT/.

The INSERT CD image is included on the CD that comes with this book. Refer to Appendix A for information on copying and burning INSERT to CD.

The Fluxbox window manager offers some docked system monitors for monitoring CPU, network traffic, memory and swap use, and battery (if you are on a laptop). Another applet displays the Matrix screen saver (double-click it to launch a Terminal window). The mount applet lets you step through the CD, floppy, and hard-disk partitions on your computer. Click the key button on that applet (so it turns green), and you can double-click it to mount and open that device or partition.

Right-click the desktop to see a menu that lets you select from a handful of graphical tools for troubleshooting your computer and network, most of which will run from the shell. Figure 18-1 shows the INSERT desktop.

You can find what's in INSERT from the List of Applications page on the Inside Security site (www.inside-security.de/applicationlist.html).

Saturday, April 28th, 2007

Part III: Choosing and Installing a Linux Distribution

When you use a rescue CD to change a master boot record, fix partition tables, or clean viruses from a system, you risk doing irreparable damage to your computer system. Remember that GPL software comes with no warranty, so you use that software at your own risk.

KNOPPIX Security Tools Distribution

The Knoppix-STD goes lightweight on the window manager to go heavyweight on the diagnostic tools. The distribution contains hundreds of security tools that can be used for repairing and assessing computer and network security (see http://knoppix-std.org/tools.html).

Instead of a full GNOME desktop, Knoppix-STD uses the Fluxbox window manager. It will run on lesser machines, but you'll get a usable GUI on almost any Pentium-class machine with at least 64MB of RAM. With at least 640MB of RAM, you can run the entire distribution from RAM (type knoppix toram to boot it to run entirely from RAM). With Knoppix-STD running in RAM, the system operates faster and your CD or DVD drive is available for other purposes.

Ways of using Knoppix-STD tools include (but aren't limited to):

- Assessing vulnerability: Knoppix-STD has literally dozens of tools for assessing vulnerabilities. There are tools to let you scan shared Windows SMB folders (nbtscan), NetWare servers, CGI scripts (nikto and screamingCobra), the computer's ports (nmap), as well as scan for viruses (clamAV). You can also check if someone has used a rootkit to replace critical system files (chkrootkit) or use a scanner dispatch (warscan) to test any exploit you like across lots of machines.
- Running forensics on Windows machines: If you believe a Windows system has been compromised, there are many tools you can use to find problems and correct them. You can recover Internet Explorer cookies (galleta), convert Outlook Express dbx files to mbox format (readdbx and readoe), check system integrity with (ftimes), and check the Windows recycle bin (rifiuti).
- Recovering data: If a Windows or other operating system won't boot or is otherwise impaired, you can get data off that computer. You can copy files over the network (using rsync, scp, or others) or back up to local CD or tape (cpio, tar, or others). You can selectively recover file types from disk images (foremost) or check and recover lost partitions (testdisk).
- Dealing with intruders: Tools like Snort (www.snort.org) let you analyze network traffic in real time, as well as log and analyze data as attacks are happening. Honeypots let you watch intruders' moves while leading them to believe they've compromised your system. Honeypots in Knoppix-STD include honeyd (http://honeyd.org) and thp (www.alpinista.org/thp). Kill zombies from DDoS attacks with zz.

Friday, April 27th, 2007

- DistroWatch.com: DistroWatch keeps a list of CD-based Linux distributions and live Linux CDs (distrowatch.com/dwres.php?resource=cd). Its site also contains information and links to hundreds of distributions.

Because these distributions are based on open source technology, they rely on many of the same components in their basic technology. The SYSLINUX Project (http://syslinux.zytor.com) is responsible for the boot-loader technology used in most Linux distributions. Hardware detection is often based on Kudzu libraries created by Red Hat Inc. and enhanced by the KNOPPIX project. If a graphical interface is included, all but the most compact distributions use the X Window system (www.x.org), with space requirements dictating the exact window manager used with it.

If you have trouble running any bootable Linux distributions, try adding options to the boot prompt. Because so many of the distributions are based on KNOPPIX, refer to the KNOPPIX boot options (also called cheat codes) described in Chapter 11 to help get your Linux distribution to start up the way you would like. View these codes online at www.knoppix.net/docs/index.php/CheatCodes.

This book comes with several bootable Linux distributions, and these are noted as you read through the descriptions later in this chapter. You can get more recent versions of distributions that interest you (some are updated quite often) by following links from sites that were just mentioned.

Most bootable Linux distributions are created by individuals and should still be considered as experimental in nature. The quality can vary widely and sometimes the controls are not as stringent as they would be for commercial Linux systems, such as Red Hat or SUSE. You can limit your risks by doing such things as mounting all hard disk partitions read-only (as is usually done by default), but remember that this software is distributed with no warranty.

Booting Rescue Distributions

Rescue CDs are not a new concept. Nearly every commercial operating system comes with a CD that lets you boot your computer if the hard disk fails. But the availability of a wide range of high-quality open source software for diagnosing and fixing problems on a computer or network has made Linux-based rescue CDs the choice of many professional IT troubleshooters.

Popular Linux rescue CDs that illustrate very well how many tools you can get on a single CD include the Knoppix-STD and the Inside Security Rescue Toolkit (INSERT) rescue CDs.

Friday, April 27th, 2007

be inaccessible, bootable rescue CDs or DVDs can literally save damaged or infected computers. Rescue CDs often come with a wide range of tools for monitoring Linux or Windows systems, scanning for viruses, and debugging networks.

- Multimedia: Some bootable Linuxes are tailored specifically to let you play movies, music, and images. Most let you play whatever content you have on your hard disk or can point to from the Internet. Many run in a small enough amount of memory to let you remove the bootable DVD or CD containing Linux and insert your own content (like a music CD or movie DVD) to play.
- Tiny desktops: A small CD, shaped in the form of a business card, can fit in your wallet. A USB pen drive can hang from your keychain. There are whole bootable Linux distributions that let you boot up a desktop with which you can connect to the Internet, browse the Web, play music, send and receive e-mail, do instant messaging, write documents, and work with spreadsheets. And they can do all that in about 50MB of space on a removable medium.

CD business cards are really just regular CDs that have been cut into the shape of a business card. Depending on the one you choose, it can hold from 40MB to 52MB of data. A mini-CD can hold about 180MB of data. You can purchase these CDs in bulk from many locations that sell regular CDs, and you can play them in any CD drive. (However, it's best to use these CDs in trays that have a mini-CD inset, because they have been known to fly loose and break CD drives.)

There are also some neat bootable special-use Linux servers that are designed to serve up particular types of content or provide special services. For example, there are distributions that serve up photo albums or Web pages, as well as dedicated file- and print-servers that can serve the content on your Windows computers while completely bypassing the Windows operating system.

Many bootable Linuxes these days are either based on KNOPPIX or the Bootable Business Card project (www.lnx-bbc.org). I know of several Linux Users Groups that have tailored their own bootable business card projects from the lnx-bbc.org BBC project to hand out to represent their groups. Many bootable Linux distributions for media larger than business-card-size tend to be based on KNOPPIX.

There are several places you can look for bootable Linux distributions:

- Knoppix Customizations: The Knoppix Customizations page (www.knoppix.net/docs/index.php/KnoppixCustomizations) lists several distributions based on KNOPPIX.
- LinuxLinks.com: This site has a list of minidistributions, many of which are bootable Linux systems. The page that contains this list is www.linuxlinks.com/Distributions/Mini_Distributions.

Friday, April 27th, 2007

Running Bootable Linux Distributions

There are now dozens, and probably will soon be hundreds, of bootable Linux distributions (also called live CDs). By stuffing removable media (CDs, DVDs, floppies, and even USB pen drives) with a select mix of open source software, bootable Linuxes enable you to bypass the hard disk completely and have a special Linux distribution running on almost any computer within minutes.

If you are willing to build your own bootable distribution, the concept of bootable Linux distributions can be extended any way you like. Your bootable business card or CD can carry all the applications you are used to having, so you can use them anywhere from a handy PC. But it can also hold your presentations, documents, mail-server settings, address books, favorite backgrounds and screen savers, personal photos, and any other kinds of data you want as well.

This chapter describes a variety of available bootable Linux distributions.

Exploring Bootable Linuxes

Although the most popular bootable Linux (KNOPPIX) and a cool example of a firewall Linux on a floppy disk (Coyote Linux) have already been covered in this book, I'd like to spark your imagination about more ways of using a bootable Linux. Here's a list of some ideas that others have had:

- Rescue CD: Rescuing broken systems and diagnosing network problems are among the most popular uses of bootable Linuxes. At a point where your hard disk might

Chapter 18

In This Chapter

- Exploring bootable Linuxes
- Booting rescue distributions
- Booting multimedia distributions
- Booting tiny desktop distributions

Thursday, April 26th, 2007

Using Other Firewall Distributions

Coyote Linux was chosen for this book to illustrate how small, yet still really useful, a Linux distribution can be. It also uses the iptables facility, which, once you learn how to use it, is useful in all recent Linux distributions.

There are, however, many other bootable firewalls available today. I strongly recommend that you check some of these other distributions if you want more or different features than those offered by Coyote Linux.

The Sentry Firewall CD is a very nice bootable CD firewall. Sentry Firewall CD takes advantage of the extra space on its CD to provide many extra tools for managing and watching your network. You can create a virtual private network connection using FreeS/WAN, manage SNMP services with net-snmp, and set up a variety of servers (using Apache, sendmail, bind, and others).

Sentry Firewall supports many different types of IDE and SCSI hardware (so you are not limited to PCI Ethernet cards and modems). It offers both a shell and Web interface for managing your firewall.

For a list of some additional firewall/router distributions, see the DistroWatch.com site: www.distrowatch.com/dwres.php?resource=firewalls.

Summary

No computer should be connected to the Internet or any public network without either being behind a firewall or being configured as a firewall itself. All of the latest Linux systems have iptables built right into the kernel to offer excellent firewall features (earlier Linux systems included ipchains or ipfwadm).

Desktop Linux systems often offer simplified, graphical tools for configuring a firewall. Every Linux system, however, enables you to use the iptables command directly to change the rules in your running Linux system. There are also tools to save and restore your firewall rules.

Coyote Linux illustrates how a Linux distribution with many valuable features can fit on a medium as small as a floppy disk. You stepped through creating the firewall floppy, booting it, and configuring the running firewall.

Thursday, April 26th, 2007

Chapter 17: Running a Linux Firewall/Router

Figure 17-3: Administer Coyote Linux from your Web browser.

Enter the password (that you added from your Web interface as just described) and you are taken to the following Configuration menu:

    Coyote Linux Gateway — Configuration Menu
    1) Edit main configuration file     2) Change system password
    3) Edit rc.local script file        4) Custom firewall rules file
    5) Edit firewall configuration      6) Edit port forward configuration
    c) Show running configuration       f) Reload firewall
    r) Reboot system                    w) Write configuration to disk
    d) Dial PPP connection              h) Hangup PPP connection
    q) Exit Menu                        l) Logout
    ----------------------------------------------------------------------
    Selection:

Select the letter of the configuration item you want to change. Type q when you are done and you are left at a regular Linux shell prompt. At that point, you can use Coyote Linux as you would any (somewhat limited) Linux system from a shell. (Type menu if you want to return to the menu interface.)

As previously noted, the first time you open the browser interface to Coyote Linux, change the root password. As for basic administrative tasks, you want to read the system log on occasion and back up your configuration changes (which you have made in RAM) so they are copied back to the floppy.

To use ssh from a Windows machine to get to your firewall, or to get to any other Linux system for that matter, many people use the putty utility. You can get putty from its development home page: http://chiark.greenend.org.uk/~sgtatham/putty/.

Thursday, April 26th, 2007

Running the Coyote Linux Floppy Firewall

To start up your firewall, simply insert the floppy disk into your firewall computer and reboot. The firewall should come up as you configured it to run. There is no direct shell interface from the firewall's console once it's up and running. In fact, you don't even have to have a monitor on the firewall because you won't see a login prompt anyway. Any administration of the firewall should be done over your LAN.

If you configured it as just described, your firewall is now:

- Offering addresses to the computers on your LAN using DHCP.
- Launching a dial-up connection from your firewall to your ISP as soon as anyone from your LAN or the firewall itself tries to access the Internet.
- Allowing traffic from your LAN to the Internet.
- Offering login (sshd) and Web administration service to you from your LAN.

If the firewall is not behaving as you would like it to, go to the next section to further tune it.

Managing the Coyote Linux Floppy Firewall

With the firewall up and running, you almost surely will want to manage it further. There are a couple of ways to access your running firewall so that you can change its configuration, with a Web interface or a remote login. Before you can use the remote login, however, you must change the system (root user) password, and that can only be done through the Web interface.

Using a Web Interface

The Coyote Linux Web Administrator can be run from any browser on your LAN to view and change your firewall configuration. It is available from that machine on port 8180. To access the site you configured in the preceding example, you'd type the following in the location box on your browser: http://192.168.0.1:8108.

The first thing you want to do is click the System Password button in the main menu and add a password for the root user. Figure 17-3 shows the Internet configuration that was set up to dial out to the Internet in the previous section.

Using a Remote Login

The firewall floppy was configured to run the sshd daemon, enabling you to log in over your LAN (using the ssh command) to access your Coyote Linux firewall from the shell. In the example, you could type:

    # ssh -l root 192.168.0.1
    root@192.168.0.1's password: *******

Thursday, April 26th, 2007

don't have unless it's a much older machine, you need to add IO and IRQ information.

    Enter the module name for your local network card: 8139too
    Enter IO address (Leave blank for PCI cards):
    Enter IRQ (Leave blank for PCI cards):
    Checking module dependencies…
    8139too deps = mii
    Building package: etc
    Building package: local
    Building package: modules
    Building package: root
    Building package: dhcpd
    Building package: webadmin

18. Insert a blank floppy into the floppy drive and press Enter to build your floppy-disk Coyote Linux distribution:

    Make sure that you have a floppy in the first floppy drive
    in this system and press enter to continue…
    Formatting /dev/fd0u1440
    Double-sided, 80 tracks, 18 sec/track. Total capacity 1440kB.
    Formatting … done
    Verifying … done
    bin/mkdosfs 2.2 (06 Jul 1999)
    Installing boot loader…
    Copying files…
    cp: omitting directory `floppy/config'
    `floppy/dhcpd.tgz' -> `mnt/dhcpd.tgz'
    `floppy/etc.tgz' -> `mnt/etc.tgz'
    `floppy/linux' -> `mnt/linux'
    `floppy/local.tgz' -> `mnt/local.tgz'
    `floppy/modules.tgz' -> `mnt/modules.tgz'
    `floppy/root.tgz' -> `mnt/root.tgz'
    `floppy/syslinux.cfg' -> `mnt/syslinux.cfg'
    `floppy/SYSLINUX.DPY' -> `mnt/SYSLINUX.DPY'
    `floppy/webadmin.tgz' -> `mnt/webadmin.tgz'
    `floppy/config/coyote.cfg' -> `mnt/config/coyote.cfg'
    `floppy/config/fireloc.cfg' -> `mnt/config/fireloc.cfg'
    `floppy/config/firewall.cfg' -> `mnt/config/firewall.cfg'
    `floppy/config/hosts.dns' -> `mnt/config/hosts.dns'
    `floppy/config/portfw.cfg' -> `mnt/config/portfw.cfg'
    `floppy/config/qosfilt.cfg' -> `mnt/config/qosfilt.cfg'
    `floppy/config/reserve.cfg' -> `mnt/config/reserve.cfg'

19. After the floppy is created, you are asked if you want to create another floppy disk. Type y if you want another floppy disk and insert another floppy disk to create it. Otherwise, just type n and you are done:

    Would you like to create another copy of this disk [y/n]? n

Now you're ready to try out your Coyote Linux floppy disk firewall.

Wednesday, April 25th, 2007

12. Type n to not send clear-text passwords during login. You may need to change this to y if your ISP requires CHAP or PAP authentication.

    If you enable this, your password will be sent in cleartext
    over the line. Say yes here only if despite having
    verified everything, you still cannot connect to your ISP.
    Login during chat? [y/n]: n

13. Because this example firewall will provide IP addresses to the other computers on the LAN, it needs to be enabled as a DHCP server (y). Then list the range of addresses it can assign to those computers. If you plan to have 100 or fewer computers on your LAN, the address range in this example should work fine for you:

    Do you want to enable the coyote DHCP server? [y/n]: y
    Enter DHCP range starting IP [192.168.0.100]: 192.168.0.100
    Enter DHCP range ending IP [192.168.0.200]: 192.168.0.200

14. A DMZ is a way of further shielding your local network from the outside world if you want to have a Web server protected by the same firewall. In this case, you could add another Ethernet card to the firewall, connect that to the Web server, and then allow incoming requests for Web services to go through to the Web server. This enables you to still block all incoming traffic to the desktop systems on your LAN. For this example, I just chose N.

    If you don't know what a DMZ is, just answer NO
    Would you like to configure a De-Militarized Zone? [Y/N]: N

15. Set the domain name with which this firewall is associated, and enter the IP address(es) of the DNS server(s) it will use to resolve addresses (probably provided by your ISP, unless you are running your own DNS server):

    Enter Domain Name: example.com
    Enter DNS Server 1: 123.45.68.799
    Enter DNS Server 2 (optional): 123.45.68.800
    If you have a syslog server on your LAN you want Coyote to
    send its syslog data to, you can specify the address here.
    If unsure or you do not have a syslog server, leave this
    entry blank.

16. You can have Coyote log its activities to another server on your network. This can be very handy, in that it removes logs from the firewall (so someone can't tamper with them) and enables you to centrally administer logs on your network. Before you can use this feature, you need to configure support for remote logging on your logging computer. To do this, I recommend reading the syslog daemon man page (man syslogd) on most Linux systems. Look for the Support for Remote Logging section. To disable the feature, as in this example, just press Enter to continue.

    Syslog server address:

17. Coyote Linux supports a nice range of Ethernet cards. You must know the name of the Ethernet driver module for each Ethernet card on your firewall and enter it here. (You should already have this information if you followed the Caution at the beginning of this section.) For ISA cards, which you probably