Linux Journal 2015 01

Since 1994: The Original Magazine of the Linux Community. JANUARY 2015 | ISSUE 249 | www.linuxjournal.com

SECURITY

ON THE COVER
- Perform an Internal Security Review, p. 64
- Provide Access Control with Squid Proxy, p. 78
- Techniques for Securing Servers in Risky Environments, p. 48
- Detect and Block Hackers, p. 88
- Getting Started with Vagrant, p. 52
- WATCH: Issue Overview (video)

CONTENTS, JANUARY 2015, ISSUE 249

FEATURES
64 How to Perform an Internal Security Review. Be prepared. Be proactive. Take the time to review. Jeramiah Bowling
78 Flexible Access Control with Squid Proxy. Database-driven access control for Squid. Mike Diehl
88 Security in Three Ds: Detect, Decide and Deny. Detect hackers and block them with DenyHosts. Federico Kereki

COLUMNS
34 Reuven M. Lerner's At the Forge: Users, Permissions and Multitenant Sites
44 Dave Taylor's Work the Shell: The find|xargs Sequence
48 Kyle Rankin's Hack and /: Secure Server Deployments in Hostile Territory
52 Shawn Powers' The Open-Source Classroom: Vagrant Simplified
98 Doc Searls' EOF: Hats Off to Mozilla

IN EVERY ISSUE
8 Current_Issue.tar.gz
10 Letters
16 UpFront
26 Editors' Choice
32 New Products
101 Advertisers Index

Interested in joining our Reader Advisory Panel for 2015? Please send a brief e-mail explaining why you'd be a good fit to [email protected].

Cover Image: © Can Stock Photo Inc.

LINUX JOURNAL (ISSN 1075-3583) is published monthly by Belltown Media, Inc., 2121 Sage Road, Ste. 395, Houston, TX 77056 USA. Subscription rate is $29.50/year. Subscriptions start with the next issue.

MASTHEAD
Executive Editor: Jill Franklin
Senior Editor: Doc Searls
Associate Editor: Shawn Powers
Art Director: Garrick Antikajian
Products Editor: James Gray
Editor Emeritus: Don Marti
Technical Editor: Michael Baxter
Senior Columnist: Reuven Lerner
Security Editor: Mick Bauer
Hack Editor: Kyle Rankin, lj@greenfly.net
Virtual Editor: Bill Childers
Contributing Editors: Ibrahim Haddad, Robert Love, Zack Brown, Dave Phillips, Marco Fioretti, Ludovic Marcotte, Paul Barry, Paul McKenney, Dave Taylor, Dirk Elmendorf, Justin Ryan, Adam Monsen
President: Carlie Fairchild
Publisher: Mark Irgang
Associate Publisher: John Grogan
Director of Digital Experience: Katherine Druckman
Accountant: Candy Beauchamp

Linux Journal is published by, and is a registered trade name of, Belltown Media, Inc. PO Box 980985, Houston, TX 77098 USA

Editorial Advisory Panel: Nick Baronian, Kalyana Krishna Chadalavada, Brian Conner, Keir Davis, Michael Eager, Victor Gregorio, David A. Lane, Steve Marquez, Dave McAllister, Thomas Quinlan, Chris D. Stark

Advertising. E-MAIL: [email protected] URL: www.linuxjournal.com/advertising PHONE: +1-713-344-1956 ext. 2
Subscriptions. E-MAIL: [email protected] URL: www.linuxjournal.com/subscribe MAIL: PO Box 980985, Houston, TX 77098 USA

LINUX is a registered trademark of Linus Torvalds.

Current_Issue.tar.gz

Security: a Method, Not a Goal
SHAWN POWERS

The Security issue of Linux Journal always makes me feel a little guilty. It turns out that although I have a fairly wide set of technology skills, I'm not the person you want in charge of securing your network or your systems. By default, Linux is designed with a moderate amount of security in mind. For that, I am incredibly grateful. If you struggle with maintaining security in your environment, this issue hopefully will encourage and educate as opposed to making you feel guilty. My goal this year is to learn and be encouraged by the Security issue, not just feel bad. Please, join me!

Reuven M. Lerner starts us out with a continuation of last month's multitenant programming, this time dealing with users and permissions. With multiple users accessing the same program, security is crucial, and Reuven helps us design intelligently. Dave Taylor follows with a very helpful tutorial on using the find command with xargs. The find command is incredibly powerful, and with the ability to feed it into another program, it's indispensable. Dave walks through not only the how, but the why as well.

Kyle Rankin gets serious about security this month with a practical walk-through on the basics of running a secure server in the cloud. EC2 instances are commonplace in almost every company's infrastructure, but having your server run completely in the open is a dangerous endeavor without a very serious look at security.

I go in the opposite direction from Kyle this month and discuss spinning up servers locally. Specifically, I talk about Vagrant. We've covered Vagrant in the past, but it's one of those technologies that always has confused me. This month, I break it down and explain how it works, what it does and how you can get the best use out of it in your environment. If you've ever been frustrated by Vagrant, or just avoided it altogether, I urge you to read my column.

One of the biggest problems with securing a network is knowing where to start. It's a lot easier to figure out that starting point if you know how secure your network is right now. Jeramiah Bowling describes the process of doing an internal security review to identify problems. This is great for finding holes in your existing security, but it's also great if you're just starting to create your plan. It's easier to get started when you can find the starting line!

Federico Kereki follows Jeramiah with an article on detecting bogus login attempts and mitigating the threat they represent. Having a good password is key to keeping hackers out, but if they have unlimited guesses, eventually your system might succumb to the attacks. Federico shows how to set up a banning system to disable logins when someone tries and fails over and over.

Finally, Mike Diehl has a great tutorial on securing Web traffic with Squid. Every organization has different needs when it comes to a Web policy, and for Mike, he does the same sort of thing for his home. Whether you're looking to lock down your corporate Internet access, or want to protect your family from various Internet topics, Mike's process is very educational.

Like many things in the Linux world, security isn't a thing you "do", it's a "way" you do things in general. Rather than set up your system and network, and then try to secure it as an afterthought, thinking with a security-focused mindset from the beginning is key. This issue offers some great insight on security matters, and hopefully, it sparks an interest for further change in your network. At the very least, this issue should force you to take a look at your own security practices. As for me? I'm going to read Jeramiah's article and do a security review of my own systems!

VIDEO: Shawn Powers runs through the latest issue.

Shawn Powers is the Associate Editor for Linux Journal. He's also the Gadget Guy for LinuxJournal.com, and he has an interesting collection of vintage Garfield coffee mugs. Don't let his silly hairdo fool you, he's a pretty ordinary guy and can be reached via e-mail at [email protected]. Or, swing by the #linuxjournal IRC channel on Freenode.net.

letters

Renewal

Sorry guys, I just can't hack reading PDF files. When you switched, you effectively stopped me from renewing when my subscription finally ran out. My eyes are worn out from sitting in front of a computer ten hours a day, and spending another hour or more reading the PDF just doesn't cut it. I'll go to purchasing a CD every couple years instead, thank you very much. I realize it probably saved the mag and increased revenue, but I am just not cut out to be a subscriber to a PDF. It won't stack up on my shelf and allow me to thumb through it.
—Doug Glenn

I'm not sure if you are specifically talking about the PDF version, or if you are referring to all the digital formats. Although the PDF does visually resemble the print magazine more than the other formats, EPUB and Mobi are often the better choice for reading the content, especially on smaller devices. With the Mobi version, it's possible to read Linux Journal on an E Ink Kindle, for instance. Either way, I'm sorry the experience has been unpleasant for you. Hopefully in the future, some combination of hardware and format will bring you back.—Shawn Powers

EdgeRouter Lite

It's great that you sing the praises of the EdgeRouter Lite to your readers, but be ready to point them to the community-provided fix when it stops working. [See Shawn Powers' "EdgeRouter Lite" piece in the October 2014 UpFront section.]

Part of the cost-saving has been achieved through using a poor quality USB stick as the Flash memory. Many, including mine, start to die after a year of read/write operations. When it does, it is a simple fix, but you need to get yourself a serial cable, a new USB drive of the correct size and head