ClamAV - The free Anti Virus solution for Windows on Linux

ClamAV is an open source antivirus engine designed to detect Trojans, viruses, malaware and other malicious threats. It is multi-platform and works on Linux, Windows, and Mac OS X.

ClamAV leaverages the power of the command line by providing tools which you can execute using scripts and, from within terminals. It is popularly used to scan emails passing through mail gateways.

Find the speed of your Ethernet card in Linux

For logging on to the net or for attaching as a node on a LAN, your computer needs a network card. The network card forms the interface between your computer and the network. There are different kinds of network cards available in the market depending on its speed and other features. Here is a tip to find out the characteristics of your network card.

If you want to find what type of network card is used, its speed, on which IRQ it is listed, and the chip type used, you use the following command :

# dmesg |grep eth0

Here eth0 is the first network card. If you have additional cards, it will be named eth1, eth2 and so on. And here is the output of the above command :

divert: allocating divert_blk for eth0
eth0: RealTek RTL8139 at 0xd800, 00:80:48:34:c2:84, IRQ 9
eth0:  Identified 8139 chip type 'RTL-8100B/8139D'
divert: freeing divert_blk for eth0
divert: allocating divert_blk for eth0
eth0: RealTek RTL8139 at 0xd800, 00:90:44:34:a5:33, IRQ 9
eth0:  Identified 8139 chip type 'RTL-8100B/8139D'
eth0: link up, 100Mbps, full-duplex, lpa 0x41E1
eth0: no IPv6 routers present
...

Please take a closer look at the above listing. The output data identifies my Ethernet card is a RealTek RTL8139 chipset based card on IRQ 9 (Interrupt Request). Its speed is 100 Mbps and is a full-duplex card. And the link is up.

mii-tool

As is the philosophy of Linux, there is more than one way of finding the same information. Linux also comes with a cute sounding tool called mii-tool which can also be used to get the same information about your network card.

# mii-tool -v eth0

eth0: negotiated 100baseTx-FD, link ok
product info: vendor 00:00:00, model 0 rev 0
basic mode:   autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD
             10baseT-HD
...

Here -v is verbose mode. From the above listed output, one can see that the Ethernet card is working as a 100baseTX, FD (Full Duplex) card which can work in the following modes :

• 100 Mbps Speed (Full duplex or half duplex ) or
• 10 Mbps speed (Full duplex or half duplex).

And it uses auto-negotiation to bring up the link. You can call the above device as a 10/100 NIC.

mii-tool is obsolete. Valid media are only 100baseT4, 100baseTx-FD, 10baseT-FD, and 10baseT-HD ethernet cards. You are encouraged to use the more useful ethtool instead.

ethtool

ethtool is a more powerful cousin to mii-tool. The following is a simple use of ethtool.

# ethtool eth0

You get an output as shown below.

Settings for eth0:
  Supported ports: [ TP MII ]
  Supported link modes:   10baseT/Half 10baseT/Full
                          100baseT/Half 100baseT/Full
  Supports auto-negotiation: Yes
  Advertised link modes:  10baseT/Half 10baseT/Full
                          100baseT/Half 100baseT/Full
  Advertised auto-negotiation: Yes
  Speed: 100Mb/s
  Duplex: Full
  Port: MII
  PHYAD: 32
  Transceiver: internal
  Auto-negotiation: on
  Supports Wake-on: pumbg
  Wake-on: p
  Current message level: 0x00000007 (7)
  Link detected: yes

In the output above, full duplex, half duplex and auto-negotiation have the following meanings.

Full Duplex - Logic that enables concurrent sending and receiving. This is usually desirable and enabled when your computer is connected to a switch.

Half Duplex - This logic requires a card to only send or receive at a single point of time. When your machine is connected to a Hub, it auto-negotiates itself and uses half duplex to avoid collisions.

Auto-negotiation - This is the process of deciding whether to work in full duplex mode or half duplex mode. An Ethernet card supporting auto-negotiation will decide for itself which mode is the optimal one depending on the network it is attached to.

Bash Shell Scripting - 10 Seconds Guide

This Bash shell scripting guide is not a detailed study but a quick reference to the BASH syntax. So lets begin...

If you like this 10 seconds guide, don't forget to read -

• Bash Shell Shortcuts
• Special Shell Variables

Common environment variables

PATH - Sets the search path for any executable command. Similar to the PATH variable in MSDOS.

HOME - Home directory of the user.

MAIL - Contains the path to the location where mail addressed to the user is stored.

Make your bash scripts user friendly using - Dialog

Dialog is a command line tool that allows you to create professional looking Dialog boxes and other GUI controls using any shell scripting language.

You can easily master shell scripting in just 10 seconds!!

Dialog supports 8 types of GUI controls namely -

1. Menu boxes
2. Input boxes
3. Message boxes
4. Radio lists
5. Text boxes
6. Checklist boxes
7. Info boxes, and
8. Yes / No boxes.

Creating a dialog is very easy. The following examples will throw light on its usage.

Input boxes

Input boxes allow the user to enter a string. After the user enters the data, it is written to standard error . You may also redirect the output to a file.

$ dialog --title "Ravi's Input Box" --inputbox "Enter the parameters..." 8 40

As you can see, the options are self explanatory. The last two options 8 and 40 are the height and width of the box respectively.

And this is how the resulting input box looks on your terminal.

Fig: Inputbox

Text box

A text box takes a file as the parameter and shows the file in a scrollable box.

$ dialog --title "textbox" --textbox ./myfile.txt 22 70

... it shows the file myfile.txt in a textbox.

Fig: Textbox displaying the file.

Check list

A checklist presents the user with a list of choices. The choices can be toggled ON or OFF individually using the space bar.

$ dialog --checklist "Choose your favorite distribution:" 10 40 3 1 RedHat on 2 "Ubuntu Linux" off 3 Slackware off

In the Dialog command shown above, 10 is the height of the box, 40 - width, 3 is the number of choices, and the rest are the choices numbered 1,2 and 3.

Radio list

A radio list displays a list containing radio buttons. The user can choose only a single option from the set of options.

$ dialog --backtitle "Processor Selection" --radiolist "Select Processor type:" 10 40 4 1 Pentium off 2 Athlon on 3 Celeron off 4 Cyrix off

10 and 40 are the height and width respectively. 4 denotes the number of items in the list, followed by the items.

Info box

An info box is useful for displaying a message while an operation is going on. As an example, see the code below:

$ dialog --title "Memory Results" --infobox "`echo ;vmstat;echo ;echo ;free`" 15 85

Fig: Information box - listing the vmstat and free listing.

Message box

And the following is a message box.

% dialog --title "Message" --msgbox "You are PROHIBITED from rebooting your machine!!" 8 30

Fig: Message box

Dialog is usually used inside a script which gives the script a degree of user friendliness.

There is another package called Xdialog which gives the same features for scripts executed in X Windows. Xdialog utility also has additional functionality not found in the dialog utility.

To know more in using the Dialog command line tool in Linux, check its manpage.

Designing a firewall using Iptables for the Home User

In the previous post on iptables , I had given an introduction about iptables - the firewall installed by default in all Linux distributions. Here I will explain how to go about designing a firewall keeping in mind the needs of a home user. I am assuming that the typical home user will be having a single computer connected to the internet via a cable, DSL, Dialup or ISDN connection. There is no hard and fast rule in designing a firewall. What is good for one situation may not be good for another. But you can arrive at a common ground on certain things.

Here I will explain how you can make your home machine which is connected to the internet , which I am giving the name 'my_machine', more secure. First let us see what are the services that are running on the home machine (my_machine). Usually when you install Linux on your machine, you will be having some default services.

They are as follows:

• sshd - Secure Shell server
• portmap - Which is used by file services like NFS
• httpd - Apache web server
• ftp server - File Transfer Protocol server. This is not usually running on a home machine but just make sure about it by checking. In RedHat, you can check by running the command:
  

  # chkconfig --list |grep ftp

  If you have nmap installed on your machine, you can run the command :
  

  # nmap -sS your_ip_address

  ...to find all the open ports on your machine. The output for my_machine are as follows:
  

  
  Starting nmap 3.50 ( http://www.insecure.org/nmap/ )
  at 2005-10-19 09:41 IST
  Interesting ports on my_ip_address:
  (The 1653 ports scanned but not shown below
  are in state: closed)
  PORT      STATE SERVICE
  22/tcp    open  ssh
  80/tcp    open  http
  111/tcp   open  rpcbind
  3306/tcp  open  mysql
  6000/tcp  open  X11
  32774/tcp open  sometimes-rpc11
  
  Nmap run completed -- 1 IP address (1 host up)
  scanned in 1.205 seconds

  As seen above, I have apache webserver (http) , ssh, mysql server, X Server and rpcbind open to the outside world. rpcbind is used by NFS for mounting a remote drive. Usually a stand alone machine in our case my_machine need not open these services to the internet - except maybe ssh server which you might need to say - connect to your machine from a remote location - that too only if you have a static IP address, which is quite rare.
  

So lets get a pen and paper and decide how much or how little we want to open up our machine to the outside world. This is what I have decided:

1. I want full access to my_machine locally. That is all the services should be available for the localhost or IP address 127.0.0.1 .
2. New connections originating from a remote machine to Portmap, ssh, webserver and X server has to be blocked.
3. Established and related connections to my_machine has to be allowed. Here I would like to deviate from the topic to explain the terms 'new','established' and 'related'.For that you have to look at how TCP works. TCP is a connection-oriented protocol. Connection-oriented means that it makes sure all the packets reach the destination without any packet loss in transit. If a packet is lost, it re-sends the lost packet. This it achieves by using a set of flags. The flags are called SYN (Synchronize) and ACK (Acknowledge).
   
   When you click on a link in your web browser, your machine sends a SYN packet to the remote server which hosts the link. This process is called initiating a connection and is represented as NEW connection. When the remote server receives your request which has the flag SYN set, it sends a acknowledgment back to your machine by setting the SYN-ACK flag. And this is called a related connection.
   
   Once your machine receives the SYN-ACK packet, it responds with a final ACK packet which tells the remote machine that we have indeed received the packet. Then the connection is said to be established. This is called the three way handshake.
4. Restrict anyone initiating a new connection to my_machine from a remote location.
5. Allow all outgoing connections originating from my_machine.
6. Restrict all other incoming connections.
   

Now that we have jotted down what we want to achieve, let us write rules for achieving it.

I usually write the rules in a script file and then execute the file. This allows me to keep everything organized. Also if I make a mistake, I just have to go back and edit the script and re-execute it. One other thing though - all allow rules must precede the deny rules.

Iptables Rules:

Allow localhost access to everything

iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT

Allow all related and established tcp connections to my_machine.

iptables -A INPUT -p tcp -m state
        --state ESTABLISHED,RELATED
        -j ACCEPT

Allow all outgoing connections from my_machine.

iptables -A OUTPUT -j ACCEPT

... now start writing the deny rules.
Deny all new tcp connections from remote machines. And log the same.

iptables -A INPUT -p tcp -m state --state NEW -j LOG
iptables -A INPUT -p tcp -m state --state NEW -j DROP

Block the apache port on my_machine. See the nmap command listing above. Also log the traffic.

iptables -A INPUT -p tcp -s 0/0 --dport 80 -j LOG
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j DROP

Note: LOG rule must precede the corresponding filter rule.

Block ssh to my_machine. Also log the traffic.

iptables -A INPUT -p tcp -s 0/0 --dport 22 -j LOG
iptables -A INPUT -p tcp -s 0/0 --dport 22 -j DROP

Finally Deny everything else.

iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

Now execute the script to load the rules into kernel space. That is it. Now we have got a robust firewall in place. You can check the results by re-running the nmap command listed above.

iptables - The poor man's robust firewall for Linux

A firewall is a software which is used to control the movement of network traffic according to a set of rules. Linux ships with an excellent GPLed firewall called iptables. Here I will explain the rudimentary concepts in using iptables.

Iptables is a packet filter which supersedes the erstwhile ipchains. It forms the first point of contact for packets that flow into or out of your network. In fact the packets are checked in the following order when it reaches your computer.

+-----------+
| Incoming  |
|  packet   |
+-----------+
 |
 |
 v
+-----------+
| Iptables  | --> Block
+-----------+
 | Pass
 |-------> Forward to another system
 |
 |                Kernel Space
----------------------------------------
 |                User Space
 |
 v
+--------------+
| TCP Wrappers | --> Block
+--------------+
 | Pass
 |
 v
+--------------------+
| xinetd based rules | --> Block
+--------------------+
 | Pass
 |
 v
Onward journey
of the packet

As you can see in the above diagram, iptables works in the kernel space.

Here I will give a simple introduction to this very useful and powerful but cryptic form of securing ones network.

If you are using kernel 2.4 and above, you will be using iptables. Iptables functionality is directly compiled into the Linux kernel as a module (netfilter). The policies are checked at the layers 2, 3 and 4 of the OSI Reference Model. That is 'Datalink', 'Network' and 'Transport' layer. It is very fast because only the packet headers are inspected. There is a wonderful tutorial on configuring firewalls using iptables at Netfilter.org. But if you are lazy (like me :) ) to plod through over 130 pages of the tutorial, then read on ...

Netfilter is divided into tables which in turn are divided into chains. And each chain can have different targets.

Netfilter tables :
There are three inbuilt tables. They are as follows:

1. filter - This is the default table if no table name is specified in the rule. The main packet filtering is performed in this table.
2. nat - This is where Network Address Translation is performed. For example, if you are using your machine as a router or sharing your internet connection with other machines on your network, you might use the NAT table in your rule.
3. mangle - This is where a limited number of 'special effects' can happen. This table is rarely used.
   

Netfilter chains :
I said above that each table has a number of inbuilt chains. These are as follows:
For filter table

1. INPUT - Handles packets destined for the local system, after the routing decision.
2. OUTPUT - This chain handles packets after they have left their sending process and before being processed by POSTROUTING (applicable to nat and mangle) chain.
3. FORWARD - This chain handles packets routed through the system but which are actually destined for another system on your LAN.
   

For the nat table

1. OUTPUT - see explanation above.
2. PREROUTING - This is the entry point of packets on their arrival. All packets first pass through this chain before even passing through the routing decision.
3. POSTROUTING - If PREROUTING is the first chain that a packet encounters, POSTROUTING is the final point of contact for any packet before it leaves the system.
   

For mangle table

• The mangle table contains a union of all the chains in the filter and nat tables.

Note: Over and above the builtin chains, you can also have custom user defined chains too. Usually you use a custom chain to group a series of actions together before passing it to one of the inbuilt chains.

Rule targets :

As I said above, each chain can have different targets. They are broadly classified into builtin and extension targets. The target names must be preceded by the option -j . -j as in jump. These are the targets:

Builtin targets

• DROP - As the name indicates, discards the packet. No message is relayed back to the sender of the packet.
• ACCEPT - Allows the packet to pass through the firewall.
• RETURN - This is a built in target which is created for convenience. Because most targets do not return. That is if a packet matches a rule, the checking of that packet ceases and the chain is exited.
  

Extension targets

• LOG - This is used to log messages to your system of offending or blocked packets. Usually, control is passed to the syslog facility which logs the message to the file /var/log/messages and then returns the control back to the iptables.
• REJECT - If this target is used, a notice is sent back to the sender. Like for example "you are denied access to this service" message.
• DNAT - Used for destination NAT ie rewriting the destination IP address of the packet.
• SNAT - Used for rewriting the source IP address of the packet.
• MASQUERADE - This is used to do either SNAT or DNAT. Basically this target is used to set up internet connection sharing in your network.
  

Note: All extension targets are usually implemented in special-purpose kernel modules. To know which all modules are loaded on your system, execute the command:

# lsmod |grep ipt

ipt_limit               1792  8
iptable_mangle          2048  0
ipt_LOG                 4992  8
ipt_MASQUERADE          2560  0
iptable_nat            17452  1 ipt_MASQUERADE
ipt_TOS                 1920  0
ipt_REJECT              4736  1
ipt_state               1536  6
ip_conntrack           24968  5 ipt_MASQUERADE,
iptable_nat,ip_conntrack_irc,ip_conntrack_ftp,ipt_state
iptable_filter          2048  1
ip_tables 13440 9 ipt_limit,iptable_mangle,ipt_LOG,
ipt_MASQUERADE,iptable_nat,ipt_TOS,ipt_REJECT,ipt_state,
iptable_filter

These are the modules that are loaded on my system. As you can see, all modules that start with the name 'ipt_' are extension modules. So in the above listing, iptable_nat module uses a extension module called ipt_MASQUERADE . And to use the LOG extension target, you should have loaded the ipt_LOG extension module. So on and so forth :) .

A few examples to whet your appetite

# iptables -t filter -A INPUT -p tcp -s 192.168.0.5 -j DROP

The above rule can be read as follows. In the filter table (-t), append (-A) to the INPUT chain the rule that, all packets using the protocol (-p) tcp and originating (-s) from the remote machine with IP address 192.168.0.5 should be dropped (-j DROP).

# iptables -A FORWARD -s 0/0 -p TCP -i eth0 -d 192.168.5.5  
        -o eth1 
        --sport 1024:65535 --dport 80 -j ACCEPT

This rule reads as follows: Append (-A) to the FORWARD chain, the rule that all packets coming from anywhere (-s 0/0) using the protocol (-p) TCP and using unreserved ports (--sport 1024:65535), incoming (-i) through the interface eth0 , and destined (--dport) for port 80 on address (-d) 192.168.5.5 and outgoing (-o) through the interface eth1 should be accepted.

# iptables -L

List (-L) all the rules in the iptables.

# iptables -F

Flush (-F) all the rules from iptables. Now you can start afresh.

# iptables -A OUTPUT -j LOG
# iptables -A INPUT -j LOG

Log all incoming and outgoing rules in the filter table to the file /var/log/messages.

I hope you have got the drift ;) . Iptables is a very powerful and flexible tool and can be used to block anything or everything that comes into or goes out of your computer.

Wait there is one more thing ...

Usually the commands that you executed above will reside in memory but will not persist across rebooting. Which means, once you reboot, all your rules are lost and you have to start all over. So to avoid this, you save your rules into a file which is read by the OS when you reboot your machine.

In RedHat/Fedora, the iptables rules are saved in the file /etc/sysconfig/iptables . You save it using the programs iptables-save as follows:

# iptables-save > /etc/sysconfig/iptables 

or do the following :

# service iptables save 

There is another script called iptables-restore which can be used to load the rules from a file into memory.

How to disable a user account in Linux

This article explains how to lock or disable a user account in Linux.

There are different methods of locking a user account in Linux. Each method is explained below.

Editing the /etc/passwd file by hand

This is the crudest form of disabling a user account in Linux.

Open a terminal and run the following command.

# vipw

This command will open the /etc/passwd file in your default editor which is usually Vi if you haven't explicitly set the EDITOR variable.

My /etc/passwd file is as shown below (truncated for brevity).

#FILE: /etc/passwd
...
ravi:x:500:500:Ravi Kumar:/home/ravi:/bin/bash
...

To disable a user's account - for example user 'ravi' - replace shell '/bin/bash' with '/sbin/nologin'.

#FILE: /etc/passwd
...
ravi:x:500:500:Ravi Kumar:/home/ravi:/bin/nologin
...

Now save and close the file.

Alternately, you can also enter a '!' (bang) or '*' (asterisk) just before the 'x' in the second field as shown below.

#FILE: /etc/passwd
...
ravi:*x:500:500:Ravi Kumar:/home/ravi:/bin/bash
...

Save and exit the file.

A disabled user can still login through the network using SSH which is the vulnerability of the above method.

Use chage command

The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password.

The trick to disabling a user account in Linux using chage is to set the expiry of the user account to a date previous to the current one.

So for example, if today's date is October 13 2005, you can lock a user account by setting the expiry date to October 12 2005 or earlier.

# chage -E 2005-10-01 ravi

... where the date is in YYYY-MM-DD format.

You can re-enable the user's account by running the same command but changing the date to a value more recent than the current date.

Use the passwd command

This is by far the easiest way of locking or disabling a user account in Linux. To lock a user account, open a terminal and enter the following command.

# passwd -l <username>

Continuing with our previous example to lock out the user 'ravi', do the following as root / superuser.

# passwd -l ravi

And to unlock the account,

# passwd -u ravi

Check the logs for failed logins

All failed logins will be audited and logged to the file /var/log/faillog. To see who all have unsuccessfully tried to login to their account, try the following:

# faillog -a 

The above command will read the /var/log/faillog file for any failed login attempts by users. It contains a history of all failed login details. This file is used when you use PAM (Pluggable Authentication Modules) for enforcing password policies.

You can change the default password policies by editing the file '/etc/login.defs'. But any changes will be applicable to only to those user accounts created after the modification of the file.