Agila and Berdugo Back

13 03 2008

IMS guys came this morning and fixed the connection at Gusaling Andres Bonifacio (GAB), and both buildings of the College of Arts and Sciences (CAS) are now back online! The servers agila and berdugo are also back online. Network access is still jittery, though, probably because the communication medium is a radio link connecting CAS to the main UPM server at PGH. Radio links are prone to external interference, but overall, the network speed is acceptable.





Network Restoration for CAS

11 03 2008

At last, network connectivity has been restored in Rizal Hall of the College of Arts and Sciences! Network connection for GAB has not yet been restored, but it's probably going to be online by tomorrow. IMS guys were unable to fix it because the library, where the main switch is located, is closed today due to the class suspension.

For now, CAS is connected to the main UPM network via a wireless radio link. The fiber optic cable is supposed to be repaired by Maynilad and will probably be back online in a month's time. Yahoo!!!





Network Disruption in CAS

17 02 2008

Thanks to Maynilad’s water pipe repair along Padre Faura St! They successfully destroyed the fiber optic link that connects the Faura buildings of UP Manila (CAS, CAMP, OUR, LRC, SWF, ILC, OSA) to the central node of the UPM network, which is at the University Library. The CAS hasn’t had internet for one month already. Most of the people here are calling the life we have the “jurassic” era. It might even take a year before internet is restored at CAS. In the meantime, the CAS IT office is already applying for a DSL connection for Rizal Hall and Gusaling Andres Bonifacio, but unfortunately, connections can’t be made yet, for two reasons:

  1. no payment has been made yet to BayanTel
  2. the conduit and the tube where the wires will run have not been set up yet, and it might even take an eternity to ask the CPDMO to have them in place. So many bureaucratic steps.




Securing Linux Server with IPKungfu

31 10 2007

Ipkungfu or linuxkungfu is an iptables firewall script. With ipkungfu, you can easily configure which ports of the server are open for connections, restrict who can access the server, and use other security features. Refer to the ipkungfu website at http://www.linuxkungfu.org/ for the complete list of features.

Ipkungfu is available in the Ubuntu repositories. To install ipkungfu,

# aptitude install ipkungfu

Ipkungfu should now be working.

After installing ipkungfu, type

# ipkungfu

to configure ipkungfu and answer “yes” if you are prompted.

At this point, if you are connecting remotely via ssh, make sure you do not get disconnected, because by default ipkungfu blocks all incoming connections. If you are working directly at the terminal, there is no problem. Open the file /etc/ipkungfu/services.conf and append ACCEPT beside each port that you want to open.

# Service Names and Protocols are lowercase, Targets are UPPERCASE.
#
# Example:
# ssh:22:tcp:ACCEPT
ftp-data:20:tcp
ftp:21:tcp
ssh:22:tcp:ACCEPT
telnet:23:tcp
smtp:25:tcp
domain:53:tcp
bootps:63:tcp
http:80:tcp:ACCEPT
pop3:110:tcp
auth:113:tcp
ntp:123:tcp
imap:143:tcp
https:443:tcp
imaps:993:tcp
pop3s:995:tcp
socks:1080:tcp
# Add your services below. The rule is:
# ServiceName:ServicePort:Protocol[:ACCEPT|DROP|REJECT|or any valid target)] # extra comments
#

Then, save the file. In the example, I have allowed connections on ports 22 (SSH) and 80 (HTTP). Open the file /etc/ipkungfu/ipkungfu.conf and configure it based on your server’s setup and your preferred settings.

# =========================================================================
# $Id: ipkungfu.conf 57 2005-11-02 17:04:20Z s0undt3ch $
# =========================================================================
# Please read the README and FAQ for more information
# Some distros (most notably Redhat) don't have
# everything we need in $PATH so we specify it here.
# Make sure modprobe, iptables, and route are here,
# as well as ordinary items such as echo and grep.

# Default is as shown in the example below.
#PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin

# Set the path to ipkungfu's runtime error log.
# Default: /var/log/ipkungfu.log
#IPKUNGFU_LOG=

# Your external interface
# This is the one that connects to the internet.
# Ipkungfu will detect this if you don't specify.
EXT_NET="eth0"
#EXT_NET="eth1"
#EXT_NET="ppp0"

# Your internal interfaces, if any.  If you have more
# than 1 internal interface, separate them with
# spaces.  If you only have one interface, put "lo"
# here. Default is auto-detected.
#INT_NET="eth0"
#INT_NET="eth1"
#INT_NET="lo"

# IP Range of your internal network.  Use "127.0.0.1"
# for a standalone machine.  Default is a reasonable
# guess. Separate multiple ranges with spaces.
#LOCAL_NET="192.168.0.0/255.255.0.0 10.0.0.0/255.0.0.0"

# Set this to 0 for a standalone machine, or 1 for
# a gateway device to share an Internet connection.
# Default is 1.
GATEWAY=0

# TCP ports you want to allow for incoming traffic
# Don't add ports here that you intend to forward.
# This should be a list of tcp ports that have
# servers listening on them on THIS machine,
# separated by spaces. You can add port ranges
# delimited by hyphens, such as "20-22". Default
# is none.
#ALLOWED_TCP_IN="22 80"

# UDP ports to allow for incoming traffic
# See the comments above for ALLOWED_TCP_IN
#ALLOWED_UDP_IN=""

# Temporarily block future connection attempts from an
# IP that hits these ports (If module is present)
# Hits to these ports will be logged as "BADGUY" hits
# regardless of log.conf settings.
FORBIDDEN_PORTS="135 137 139"

# Drop all ping packets?
# Set to 1 for yes, 0 for no. Default is no.
BLOCK_PINGS=0

# Possible values here are "DROP", "REJECT", or "MIRROR"
#
# "DROP" means your computer will not respond at all. "Stealth mode"
#
# "REJECT" means your computer will respond with a
# message that the packet was rejected.
#
# "MIRROR", if your kernel supports it, will swap the source and
#   destination IP addresses, and send the offending packet back
#   where it came from.  USE WITH EXTREME CAUTION! Only use this if you fully
#   understand the consequences.
#
# The safest option, and the default in each case,,  is "DROP". Don't change
# unless you fully understand this.
# What to do with 'probably malicious' packets
#SUSPECT="REJECT"
SUSPECT="DROP"

# What to do with obviously invalid traffic
# This is also the action for FORBIDDEN_PORTS
#KNOWN_BAD="REJECT"
KNOWN_BAD="DROP"

# What to do with port scans
#PORT_SCAN="REJECT"
PORT_SCAN="DROP"

# How should ipkungfu determine your IP address? The default
# answer, "NONE", will cause ipkungfu to not use the few
# features that require it to know your external IP address.
# This option is good for dialup users who run ipkungfu on
# bootup, since dialup users rarely use the features that
# require this, and the IP address for a dialup connection
# generally isn't known at bootup.  "AUTO" will cause
# ipkungfu to automatically determine the IP address of
# $EXT_NET when it is started.  If you have a static IP
# address you can simply enter your IP address here.
# If you do port forwarding and your ISP changes your IP
# address, choose NONE here, or your port forwarding
# will break when your IP address changes. Default is
# "NONE".
#GET_IP="NONE"
#GET_IP="AUTO"
GET_IP="202.92.148.101"

# If the target for identd (113/tcp) is DROP, it can take
# a long time to connect to some IRC servers. Set this to
# 1 to speed up these connections with a negligible cost
# to security.  Identd probes will be rejected with the
# 'reject-with-tcp-reset' option to close the connection
# gracefully. If you want to actually allow ident probes,
# and you're running an identd, and you've allowed port
# 113 in ALLOWED_TCP_IN, set this to 0. Default is 0.
#DONT_DROP_IDENTD=0
# Set this to 0 if you're running ipkungfu on a machine
# inside your LAN.  This will cause private IP addresses
# coming in on $EXT_NET to be identified as a spoof,
# which would be inaccurate on intra-LAN traffic
# This will cause private IP addresses coming in on
# $EXT_NET to be identified as a spoof. Default is 1.
#DISALLOW_PRIVATE=1

# For reasons unknown to me, ipkungfu sometimes causes
# kernel panics when run at init time. This is my
# attempt to work around that.  Ipkungfu will wait
# the specified number of seconds before starting, to
# let userspace/kernel traffic catch up before executing.
# Default is 0.
#WAIT_SECONDS=5

# This option, if enabled, will cause ipkungfu to set
# the default policy on all builtin chains in the filter
# table to ACCEPT in the event of a failure.  This is
# intended for remote administrators who may be locked
# out of the firewall if ipkungfu fails.  A warning to
# this effect will be echoed so that the situation can be
# rectified quickly.  This is the same as running
# ipkungfu with --failsafe.  Default is 0.
#FAILSAFE=0

# Configurable list of kernel modules to load at runtime.
# If no list is provided, the default and needed ones,
# ip_nat_irc, ip_conntrack_ftp ip_nat_ftp ip_conntrack_irc,
# will still be loaded.
#MODULES_LIST=""

EXT_NET="eth0" is the active network interface. GATEWAY=0 because I’m configuring a standalone server. I have also set the forbidden ports:
FORBIDDEN_PORTS="135 137 139"
I don’t block pings,
BLOCK_PINGS=0
because the ping tool is an effective way to test the connectivity of the server.
For suspect packets, known-bad traffic and port scans, I drop the packets.
SUSPECT="DROP"
KNOWN_BAD="DROP"
PORT_SCAN="DROP"

If you have a static IP address, set GET_IP to your IP address.
GET_IP="202.92.148.101"

Then save the file. Restart ipkungfu:

/etc/init.d/ipkungfu restart
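Because ipkungfu blocks incoming connections by default, it is worth confirming that services.conf still accepts the SSH port before running the restart above over ssh. The script below is an added example, not part of ipkungfu or of the original post; the function names accepted_ports and ssh_survives_restart are hypothetical, the sample file is constructed, and it reads only the services.conf format shown earlier.

```shell
#!/bin/sh
# Added example, not part of ipkungfu. Parses services.conf entries of the form
#   ServiceName:ServicePort:Protocol[:TARGET] # extra comments

# Print "port/proto" for every entry whose target is ACCEPT.
accepted_ports() {
    awk -F: '
        { sub(/#.*/, "") }              # strip comments; awk re-splits the line
        NF >= 4 {
            target = $4
            gsub(/[ \t\r]/, "", target) # tolerate trailing whitespace
            if (target == "ACCEPT") print $2 "/" $3
        }' "$1"
}

# Succeed only if the given TCP port (default 22) is ACCEPTed, i.e. an SSH
# session on that port would still be allowed after the firewall restarts.
ssh_survives_restart() {
    accepted_ports "$1" | grep -qx "${2:-22}/tcp"
}

# Constructed sample in the same format as /etc/ipkungfu/services.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Example:
# ssh:22:tcp:ACCEPT
ftp:21:tcp
ssh:22:tcp:ACCEPT
telnet:23:tcp:DROP
http:80:tcp:ACCEPT # web server
https:443:tcp
EOF

echo "Ports opened by services.conf:"
accepted_ports "$sample"
if ssh_survives_restart "$sample"; then
    echo "SSH (22/tcp) is accepted; restart is safe for this session."
else
    echo "WARNING: SSH is not accepted; restarting would lock you out." >&2
fi
```

On the server, point both functions at /etc/ipkungfu/services.conf and pass the real sshd port as the second argument if it is not 22.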





usability shit not part of the objectives

27 10 2007

Below is an excerpt of the PM I received from one of the BSCS students doing his SP on UPM.

[image: hate chat]

I’m not used to foul language but I would assume that BS = B***s***.

Well, some people are just simply like that. Too bad, this student is talented and has a lot of potential to excel in the field of computer science and IT. Sometimes, when a person is good, he thinks of himself as god with no flaws, always correct and perfect. He rejects all the views of others (even his sp panel members’) as insignificant and useless and only his ideas are correct. I didn’t reply anymore to this student but allow me to share some points:

  1. Don’t look at yourself as a god. A lot of people out there are better than you. It’s only by accepting criticisms and views from other people that you can be a better person.
  2. In software, usability is a very important aspect, just like security. A software’s success is determined by its power (what it can do) and usability (how fast the user learns to use it). Linux has now caught up to Windows because it now addresses usability, in which Windows was undoubtedly better than Linux in the past.
  3. In IT, objectives (milestones) written in the proposal are not “true contracts”. Things change over time. Clients’ demands change over time. That’s why we have Extreme Programming (XP) and agile development. These software engineering techniques were created precisely to handle this type of scenario.
  4. If you list down the functionalities which your software should have now, don’t expect that more than 1 year from now, those functionalities are still valid. Technology changes very fast.
  5. If a software is being developed for more than 1 year, and it’s just a software meant for a mobile device that stores records and does some simple arithmetic computation... I think a software engineering student can do the same product in 1 semester’s time.
  6. UPM’s comsci is still better than some other schools offering CS, but I would say it’s still not the best when you compare it to UPD, UPLB, DLSU and Ateneo. Still, UPM does not accept crappy software for an SP.




Deleting Users in Linux

25 10 2007

One of the Linux commands that I was looking for is one that can delete several users at the same time. There’s a users command for adding more than one user but I can’t find any command to delete more than one user. To solve this problem, I just downloaded a shell script from the nixCraft shell script collection (NSSC) that reads a file and outputs it line by line, and edited it so that instead of outputting line by line, it considers each line as one user and deletes it. The complete shell script is below. To use this, just run

./deluser.sh userfile.txt

where userfile.txt contains the list of users to be deleted. Each line contains one username.

#!/bin/bash
# -----------------------------------------------
# Copyright (c) 2005 nixCraft
# This script is licensed under GNU GPL version 2.0 or above
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# -------------------------------------------------------------------------
# User define Function (UDF)
processLine(){
  line="$*" # get all args
  # skip blank lines so deluser is never called without a username
  [ -n "$line" ] || return 0
  # quote the name so one line is always passed as exactly one argument
  deluser --remove-all-files "$line"
}

### Main script starts here ###
# Store file name
FILE=""
# Make sure we get file name as command line argument
# Else read it from standard input device
if [ "$1" == "" ]; then
   FILE="/dev/stdin"
else
   FILE="$1"
   # make sure file exist and readable
   if [ ! -f "$FILE" ]; then
      echo "$FILE : does not exists"
      exit 1
   elif [ ! -r "$FILE" ]; then
      echo "$FILE: can not read"
      exit 2
   fi
fi

# read $FILE using the file descriptors
exec 3<&0
exec 0<"$FILE"
# -r keeps backslashes literal; surrounding whitespace is trimmed by read
while read -r line
do
 # use $line variable to process line in processLine() function
 processLine "$line"
done
exec 0<&3
exit 0
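Since deluser --remove-all-files is destructive and runs as root, a pre-flight pass over the user list catches typos, option-like lines and system accounts before anything is deleted. This is an added example, not part of the nixCraft script or the original post; the function name vet_users is hypothetical, the sample data is constructed, and the UID 1000 threshold assumes the Debian/Ubuntu default for regular accounts.

```shell
#!/bin/sh
# Added example: vet a deluser.sh user list before any account is removed.
# Prints "OK name" for deletable accounts and "SKIP name: reason" otherwise.
# Assumption: regular accounts have UIDs from 1000 up (Debian/Ubuntu default).
vet_users() {
    list=$1
    passwd=${2:-/etc/passwd}
    min_uid=${3:-1000}
    while IFS= read -r name || [ -n "$name" ]; do
        [ -z "$name" ] && continue
        case $name in
            -*|*[!a-z0-9_-]*)   # option-like, or contains spaces/odd characters
                printf 'SKIP %s: not a plain username\n' "$name"
                continue ;;
        esac
        # Look the name up in the passwd-format file and fetch its UID.
        uid=$(awk -F: -v u="$name" '$1 == u { print $3; exit }' "$passwd")
        if [ -z "$uid" ]; then
            printf 'SKIP %s: no such account\n' "$name"
        elif [ "$uid" -lt "$min_uid" ] || [ "$uid" -ge 65534 ]; then
            printf 'SKIP %s: system account (uid %s)\n' "$name" "$uid"
        else
            printf 'OK %s\n' "$name"
        fi
    done < "$list"
}

# Constructed sample data (not real accounts).
demo_passwd=$(mktemp)
demo_list=$(mktemp)
cat > "$demo_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
EOF
cat > "$demo_list" <<'EOF'
alice

root
www-data
--system bob
carol
bob
EOF
vet_users "$demo_list" "$demo_passwd"
```

Run it against the real list with the default /etc/passwd and pass only the names marked OK to deluser.sh.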




Ubuntu 7.10 Released

19 10 2007

Ubuntu 7.10 is now finally released!!! I’m already trying to download the iso image of the server version. During the sem break, I will try to reformat agila and berdugo. Agila’s machine is AMD64 and I installed a 32-bit OS on it!!! It’s not running optimally!!! How could I forget about this thing??? With Berdugo, the OS is quite old, Kubuntu 6.10 if I’m not mistaken. It needs updating. Then I’ll try to update the LDAP server and the machines in the lab. By the start of the 2nd sem, hopefully all of them will be running under Ubuntu 7.10. I hope that the flashdisk mounting problem for LDAP/NFS users will finally be resolved this time. One of the unresolved problems that I have with Ubuntu 7.04 is the inability of LDAP/NFS users to mount their flash disks, but mounting is working perfectly for local accounts.







