INFOSEC SPECIAL ISSUE www.linuxuser.co.uk L IN U X U S E R & D E V E L O P E R IS S THE ESSENTIAL MAGAZINE U E FOR THE GNU GENERATION 1 7 4 L O C K •Intruder detection•Threat analytics•Malware screening D O W N Y MONITOR SERVERS UNDERSTAND O U R EXPLOITS S USING MUNIN Y S T E Discover vulnerabilities on your machine M Keep tabs on networks, servers and services MAKE POWER UP GRAPHS WWIITTHH SSHHEELLLL YOUR PI DISC SCRIPTS MISSING? ASK YOUR RETAILER GGGeeettt mmmooorrreee fffrrrooommm yyyooouuurrr GGGPPPIIIOOO pppiiinnnsss nnnooowww BEST w UIUNSS HEEEowR EFFrlaLnUUgA dNNefNineCCs GfuTTncIItioOOns,NN SS TBTBTBHHHRRREEEOOO WWWSSSEEERRR 5.99 £PRINTED IN THE UK 327074> 27002 w atoms, tuples and more RRREEEVVVEEEAAALLLEEEDDD 41- 3 w 20 1 .linuxu MPMPIIAA GGKKAAEEMM AAEE WWWhhhiiiccchhh ooopppeeennn sssooouuurrrccceee bbbrrrooowwwssseeerrr iiisss ttthhheee bbbeeesssttt??? ISSUE 174 ISSN 77204 s 9 e r.c ALSO INSIDE o .u CCCooodddeee yyyooouuurrr ooowwwnnn eeegggggg dddrrroooppp gggaaammmeee » Inside Guinnux k wwwiiittthhh ttthhheee PPPiii aaannnddd ttthhheee SSSeeennnssseeeHHHAAATTT »»» UUUssseee yyyooouuurrr PPPiii aaasss aaa wwwaaarrrrrraaannnttt cccaaannnaaarrryyy LUD 174 Cover.indd 1 20/12/2016 17:07 Full Page.indd 1 19/12/2016 14:37 Welcome THE MAGAZINE FOR THE GNU GENERATION to issue 174 of Linux User & Developer Future Publishing Ltd Richmond House, 33 Richmond Hill Bournemouth, Dorset, BH2 6EZ ☎ + 44 (0) 1202 586200 Web: www.linuxuser.co.uk This issue www.greatdigitalmags.com www.futureplc.com Editorial Editor April Madden [email protected] » Lock down your system ☎ 01202 586218 Senior Art Editor Stephen Williams » Power up your Pi Designer Rebekka Hearl Editor in Chief Dave Harfi eld » Understand exploits Photographer James Sheppard Contributors » Erlang explained Dan Aldred, Mike Bedford, Joey Bernard, Toni Castillo Girona, Sanne De Boer, Nate Drake, Tam Hanna, Oliver Hill, Phil King, Kushma Kumari, Jack Parsons, Swayam Prakasha, Richard Smedley, Jasmin Snook, Nitish Tiwari and Mihalis Tsoukalos Advertising Welcome to the latest issue of Linux User & Developer, Digital or printed media packs are available on request. Head of Sales Hang Deretz the UK and America’s favourite Linux and open source ☎ 0 1202 586442 [email protected] magazine. We all worry about security. As Linux users Account Manager Luke Biddiscombe [email protected] we have less chance of our personal machine being co- International opted into a botnet, but that doesn’t mean that if it picks Linux User & Developer is available for licensing. Contact the International department to discuss partnership opportunities. something up it can’t merrily forward it on to its Windows- Head of International Licensing Cathy Blackman ☎ + 44 (0) 1202 586401 based brethren. Then there are the risks inherent to [email protected] networks and to the Internet of Things, many based on Linux but Subscriptions For all subscription enquiries: made up of mixed architectures. We can’t rely on Windows, Android [email protected] ☎ 0 844 249 0282 or even Apple devices to look after themselves; we know how easy it ☎ O verseas +44 (0)1795 418661 Look for Head owfw swub.ismcarigpitnioenssu bSsh.caor.ounk Todd isosnu 9e F 1e7b5 coaf lno bcked toow cinr caunmd vtehnet t tehsetiinr gp rtootoelcst wioen ns.e Oendl tyo L aincuhxie ovfef ear rse tahseo dneagbrleee CC iirrccuulla☎attioi o0 n1n D20ir2e c5t8o6r 2D0a0rren Pearce WSauntb its scoorinbere? level of security for our machines, networks and data. We take an Production today! in-depth look at these tools and at pro techniques for using them P roduc☎tio 0 n1 D20ir2e c5t8o6r 2J0a0ne Hawkins on p18, and you’ll also fi nd them on the disc that accompanies the magazine (digital edition readers can fi nd them on our FileSilo repo). Management Finance & Operations Director Marco Peroni Meanwhile on p58 we’ll show you how to power up your Pi with Creative Director Aaron Asadi Editorial Director Ross Andrews some clever interfacing and electronic tricks. You’ll learn how to Printing & Distribution get more from your GPIO pins and how to work around power limits William Gibbons, 26 Planetary Road, Willenhall, West Midlands, WV13 3XT safely to supercharge your Pi projects. Plus the rest of the issue is Distributed in the UK, Eire & the Rest of the World by Marketforce, 5 Churchill Place, Canary Wharf, London, E14 5HU packed with tutorials on security, programming, admin and more. ☎ 0 203 787 9060 www.marketforce.co.uk Enjoy the issue! Distributed in Australia by Gordon & Gotch Australia Pty Ltd, 26 Rodborough Road, Frenchs Forest, New South Wales 2086 April Madden, Editor ☎ + 61 2 9972 8800 www.gordongotch.com.au Disclaimer The publisher cannot accept responsibility for any unsolicited material lost or damaged in the post. All text and layout is the copyright of Future Publishing Ltd. Get in touch with the team: Nothing in this magazine may be reproduced in whole or part without the written permission of the publisher. All copyrights are recognised and used specifi cally for the purpose of criticism and review. Although the magazine has endeavoured to ensure all information is correct at time of print, prices and availability may [email protected] change. This magazine is fully independent and not affi liated in any way with the companies mentioned herein. If you submit material to Future Publishing via post, email, social network or any other means, you automatically grant Future Publishing an irrevocable, perpetual, Buy online royalty-free licence to use the material across its entire portfolio, in print, online Facebook: Twitter: and digital, and to deliver the material to existing and future clients, including but not limited to international licensees for reproduction in international, Linux User & Developer @linuxusermag licensed editions of Future Publishing products. Any material you submit is sent at your risk and, although every care is taken, neither Future Publishing nor its employees, agents or subcontractors shall be liable for the loss or damage. © 2017 Future Publishing Ltd Visit us online for more news, opinion, tutorials and reviews: ISSN 2041-3270 www.linuxuser.co.uk www.linuxuser.co.uk 3 003_LUD174.indd 3 21/12/2016 11:29 Contents Subscribe & save! 32 C gUchraSeena cc tksu n usoebtuowstm c ooruefibfrres er ! on page 56 Reviews 81 Web browsers Is Chrome still the cream of the crop when it comes to web browsing? 18 Lock down your system Master InfoSec skills to secure and test systems and networks Midori Chrome OpenSource Tutorials 08 News 34 Bash masterclass: Combine shell T he biggest stories from scripts and charts Firefox QupZilla the open source world Transform your textual information into attractive diagrams with gnuplot and Bash 12 Interview 86 Solwise PL-1200AV2-PIGGY John Eigelaar on the 38 Analyse, adjust and run exploits Does this Powerline adaptor give you Guinnux distro in a controlled environment the internet speeds it promises? Learn how exploits work and how you can use 16 Kernel column this knowledge against them 88 Fedora 25 The latest on the Linux Can Fedora’s latest update turn the kernel with Jon Masters 42 Monitor your network with Munin tables on the competition? Learn how to install and confi gure Munin on 90 Free software a Linux system to monitor networks Richard Smedley recommends some 46 Program in Erlang: excellent FOSS packages for you to try Functions Discover Erlang functions and basic Erlang data types 52 Manage user accounts in Ubuntu Learn how to effectively manage user accounts, permissions, groups and more Features 18 Lock down your system Learn and apply essential 57 Practical Raspberry Pi InfoSec techniques Learn how to get more from your GPIO pins, build a Pi air drum, code an egg-drop 58 Secrets of Pi interfacing 96 Free downloads game, set your Pi up as a tweeting warrant Get more from your GPIO pins Find out what we’ve uploaded to our canary and set up a Pi photo frame and power up your Pi secure repo FileSilo for you this month Join us online for more Linux news, opinion and reviews www.linuxuser.co.uk 4 004_LUD174.indd 4 21/12/2016 12:20 DOMAINS | MAIL | HOSTING | eCOMMERCE | SERVERS STOP SHARING! 4 1&1 VIRTUAL SERVER CLOUD 99 £ . from /month* excl. 20% VAT Trusted Performance. Intel® Xeon® processors. NEW 1&1 eliminates the "noisy neighbour effect": Ideal for beginners as a web and mail server, but also for more demanding projects like database applications, the new 1&1 Virtual Server Cloud is 100% yours to use! Take advantage now of the latest cloud technology. ■ No shared resources ■ Maximum security through VMware virtualisation ■ Best price-performance ratio ■ Full root access ■ 24/7 expert support ■ SSD storage ■ Choice between Linux/Windows ■ Unlimited traffi c ■ Plesk ONYX ■ High performance 1 1 1 CALL CLICK CERTAINTY SPEAK TO UPGRADE OR FAIL SAFE AN EXPERT DOWNGRADE 0333 336 5509 * 1&1 Virtual Server Cloud S: £4.99/month. Billing cycle 1 month. Minimum contract term 12 months. No setup fee. Following the offer period, subsequent periods will 1and1.co.uk be charged at the renewal price. Prices exclude 20% VAT. Visit 1and1.co.uk for full product details, terms and conditions. Windows® and the Windows® logo are registered trademarks of Microsoft® Corporation in the United States and/or other countries. 1&1 Internet Limited, Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. Full Page.indd 1 20/12/2016 15:51 Open Source On the disc On your free DVD this issue Load DVD Find out what’s on your free disc To access software and tutorial files, simply insert the disc into Welcome to the Linux User & Developer about threats and how to counter them. your computer and double-click DVD. This issue we’re all about InfoSec as we Inside our live booting distros you’ll also be the icon. help you to test your security, lock down your able to access all the FOSS from our InfoSec Live boot systems and networks, and even explore feature and keep your systems and data a deliberately vulnerable VM to learn more completely watertight. To live-boot into the distros supplied on this disc, insert the Featured software: disc into your disc drive and reboot your computer. Please note: • You will need to ensure that your computer is set up to boot from disc (press F9 on your computer’s BIOS screen to change Boot Options). • Some computers require you to press a key to enable booting from disc – check your manual or the manufacturer’s website to fi nd out if this is the Kali Linux IPFire case on your PC. • Live-booting distros are read The ultimate security testing distro for Linux users will A professional and hardened Linux fi rewall distribution from the disc: they will not be help you to make your system and network watertight. that is secure, easy to operate and has great installed permanently on your Use it to access the software in our InfoSec feature and functionality. Please note that you will need to install computer unless you choose to test your systems and networks for the ultimate in IPFire from the live booting disc, so ensure that you to do so. secure computing. Please note that the default login have backed up all of your data and partitioned your for the live boot edition of Kali Linux is username: root; drive before installing, to avoid losing any of your For best results: password: toor. information or partitions. This disc has been optimised for modern browsers capable of rendering recent updates to the HTML and CSS standards. So to get the best experience we recommend you use: • Internet Explorer 8 or higher • Firefox 3 or higher • Safari 4 or higher • Chrome 5 or higher Problems with the disc? Send us an email at linuxuser@ imagine-publishing.co.uk Metasploitable Please note however that if you are having problems using the Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, programs or resources provided, test security tools, and practice common penetration testing techniques. As it is deliberately insecure, please make then please contact the relevant sure that you don’t store any of your sensitive or personal data on a partition or VM running Metaspoitable. software companies. 6 006-007_LUD174.indd 6 21/12/2016 12:21 Disclaimer Important information Check this before installing or using the disc For the purpose of this disclaimer statement the phrase ‘this disc’ refers to all software and resources supplied on the disc as well as the physical disc itself. You must agree to the following terms and conditions before using this ‘this disc’: Loss of data In no event will Future Publishing accept liability or be held responsible for any damage, disruption and/or loss to data or computer systems as a result of using ‘this disc’. Future Publishing makes every effort to ensure that ‘this disc’ is delivered to you free from viruses and spyware. We do still strongly recommend that you run a virus checker over ‘this disc’ before use and that you have an up- to-date backup of your hard drive before using ‘this disc’. Hyperlinks: Future Publishing does not accept any liability for content that may appear as a result of visiting hyperlinks published in ‘this disc’. At the time of production, all hyperlinks on ‘this disc’ linked to the desired destination. Future Publishing cannot guarantee that at the time of use these hyperlinks direct to that same intended content as Future Publishing has no control over the content delivered on any of these hyperlinks. Software Licensing Software is licensed under different terms; please check that you know which one a program uses before you install it. • Shareware: If you continue to use the program you should register it with the author • Freeware: You can use the program free of charge • Trials/Demos: These are either Live boot time-limited or have some Distros functions/features disabled Insert the disc into your computer and Distros can be live booted so that you • Open source/GPL: Free to use, reboot. You will need to make sure that can try a new operating system instantly but for more details please visit your computer is set up to boot from disc without making permanent changes to https://opensource.org/licenses/ your computer gpl-license FOSS Explore Unless otherwise stated you do not Free and open-source software needs to have permission to duplicate and be installed via the distros or by using the Alternatively you can insert and run the distribute ‘this disc’. disc interface disc to explore the interface and content wwwwww..lliinnuuxxuusseerr..ccoo..uukk 77 006-007_LUD174.indd 7 21/12/2016 12:21 08 News & Opinion | 12 interview | 96 Filesilo RaspbeRRy pi Raspberry Pi gets a serious speed boost Connectivity improvements could usher in a new wave of IoT developments above LTE connectivity will soon be a major part of the Pi We all know that the Raspberry pi has long developments in LTE chipsets, many of which Pi and IoT devices even further. Also touted to be been heralded as the best single board have been implemented into everyday items. showcased in the chipset will be an advanced computer made for public use, partially due “We are dedicated to providing low-cost, high- power management unit, a low power CPU to the continuous updates that have been performance computers to connect people, subsystem and integrated DDR memory with a implemented into it and its wallet-friendly enable them to learn, solve problems and have strong security framework. price tag. One of the caveats, however, has long fun,” said Eben Upton, CEO of Raspberry Pi “The integration of Altair’s LTE chipset with been its reliance on Wi-Fi connectivity, a speciic (Trading) Ltd. “Altair has long been regarded as Raspberry Pi makes it one of the most portable, problem for those looking to start developing an LTE connectivity leader, and we are pleased affordable, and practical connectivity solutions for the Internet of Things. However, in a recent to collaborate on this trial, which is the irst of its on the market,” said Eran Eshed, co-founder update, it has been announced that Raspberry kind. Users will only beneit by having the choice and VP of worldwide sales and marketing at Pi 3 owners will soon even be able to take full of using BT, Wi-Fi or LTE.” Altair. “More than 10 million Raspberry Pis have advantage of LTE connectivity on their units. Due to the limitations involved with Wi-Fi now been sold to date, and we’re pleased to It will soon be able to handle low-throughput networks, the addition of Altair’s LTE chipset debut this proof-of-concept to extend its range cellular communications, a massive boost for should help provide wider and more lexible and value.” development practices. coverage. When implemented correctly, users The integration of the chipset is said to be a Developing the chipset is Altair will be able to stream high-deinition video from gradual process, but if history is anything to go Semiconductor, previously known for its anywhere, while also establishing connections by, we can expect all units to be shipping with with other applications and home automation this option readily available in the irst half of Raspberry Pi 3 owners products. The new chipset features downlink 2017. It’s likely we’ll also see the development speeds of up to 10Mbps and offers extremely of LTE brought forwards into all future models will soon even be able to low power consumption, which blends in well of the Raspberry Pi. If you’re not one of the 10 take full advantage of with the Pi’s low-resource demands. It’s also million owners of a Pi unit, you can head across completely software upgradable, with updates to www.raspberrypi.org for all pricing and LTE connectivity expected to help bridge the connection between shopping options. 8 008-011_LUD174.indd 8 21/12/2016 10:44 top five Best distros for ethical hacking practices 1 Kali Linux Although it lies under the radar, Kali Linux comes with over 600+ pre-installed pen testing tools that majorly enhance your security toolbox. Tools are highly lexible and many are being updated regularly. Best of all, they can be easily implemented into different platforms, including DEVELopMENt both ARM and vMware. Compiling code 2 Pentoo Linux Based on Gentoo, Pentoo can be cleverly used on top of any existing Gentoo installation. its array just got easier of tools vary from exploits to database scanners, equipping you with everything you need to put your security to the test. The Red Hat Developer Toolset gets a major update Getting that combination of stable operating Other new additions include the appearance system with the latest developmental tools of the Redis 3.2 and MySQL 5.7 open-source is never an easy feat, so it’s testament to Red databases, as well as a new JvM monitoring Hat’s endeavours that its Developer toolset tool in Thermostat 16. eagle-eyed users will is reaching its sixth major update. for those also ind included the latest stable version unaware, the Red Hat Developer Toolset’s of eclipse Neon, an ideal solution for those 3 Parrot Security OS primary aim is to help streamline application interested in the latest tools within the eclipse development by enabling developers to get integrated development environment. One of the best things about Parrot is just how lightweight it is, making it a viable choice for those hands on with the latest open-source C++ and C Toolset-speciic updates are also in running old or slow hardware. it doesn’t skimp on compilers proiling tools. abundance in order to really take this toolkit features, however, and you’re bound to ind every Through these tools, developers can then above and beyond what the competition penetration tool you could possibly need. compile applications and deploy them across offers. Both the GNU Compiler Collection and multiple versions of Red Hat enterprise Linux. GNU Project Debugger have been updated 4 DEFT Linux A key part of this sixth update is its expansion to their latest versions, while numerous As far as digital forensics go, you can’t look past into even more architectures. These include toolchain components and performance DefT Linux. it comes with a staggering amount of Red Hat enterprise Linux on x86 systems, RHeL tools, namely Dyninst and valgrind, have both forensic tools, which are particularly tailored for for z systems and the ARM Developer Preview been enhanced. penetration testers. it’s also based on Ubuntu, of RHeL as well. in its current state, the toolset is available to which helps in its customisation. Avid users will ind new tools and updates all members of the Red Hat Developer Program, 5 Caine to take advantage of that form the basis of the as well as those who currently have a select Developer Toolset and subsequent Red Hat RHeL subscription. Later this year, a free RHeL Caine is the best on this list when it comes to Software Collection. The likes of PHP, Python, developer subscription will also be included to combining everyday distro applications, such as Ruby and MongoDB have all seen signiicant those who have yet to make the plunge, but at a browser and email client, with a highly complex updates, while Git 2.9, the open-source version the time of writing, it’s unknown what sort of forensic suite. it performs both functions well and can control system, makes its debut in the toolset. terms this will be available under. be run from either live or hard disk. www.linuxuser.co.uk 9 008-011_LUD174.indd 9 21/12/2016 10:44 OpenSource Your source of Linux news & views SteamOS SteamOS 2.97 ixes Steam Controller compatibility woes This latest updates provide essential bug fixes for gamers Valve has recently launched the stable SteamOS 2.97 maintenance update, almost five months since its previous release, SteamOS 2.87. Behind the scenes, SteamOS is still in the development phase when it comes to being synchronised with the Debian stable repositories, but the latest 2.97 update bridges the gap further with the inclusion of BIND9, cURL and GStreamer Bad Plugins 1.0. Having both SteamOS and Debian in full sync will help guarantee that the gaming client will receive the newest security ixes that are also being implemented in the above The Steam Controller now works flawlessly in SteamOS Debian operating system at the same time. put the issue to rest. A newly implemented X.Org packages have been re-introduced, which has In recent updates, Linux forums have been server now ignores joystick devices, which in helped the unattended upgrade functionality rife with compatibility issues regarding the turn prevents controller and mouse inputs being lourish once again. It was a sorely missed Steam Controller, but new additions should help confused for one another. Initial public feedback feature in previous beta updates, so we’re glad has shown this to be a big help for those to see it back in action. Valve has gone on record Full sync will help suffering from the issue found in the previous to say that it highly recommends users update beta clients. their SteamOS client to the latest 2.97 version guarantee that the gaming Under the hood, SteamOS 2.97 ships with an as soon as possible. Those looking to update client will receive the array of security updates for the libxslt, tsdata should head across to the Steam Universe group and GNU Tar packages, providing each with the over at steamcommunity.com for all necessary newest security ixes latest in ixes and plugs. Lastly, irmware-ralink installation images. OPeN SOURCe microsoft and Google make open source commitments although in recent months microsoft has been praised for publishing source code Steering Group. Despite Google’s interests in upped its game when it comes to supporting repositories, a big step up from a few years Java, the move is seen as a way for it to help the world of open source, and to some degree ago, but even more impressive is its work when improve .NET support for its own Google Cloud Linux, it’s come to pass that it’s now oficially collaborating with the open source community. platform. Going forward, it’s unknown how the latest high-proile member of the Linux Recently it has been seeking community Google will be able to help move .NET forward Foundation. Despite its long history in closed- consensus in many key development projects, with its plans, especially when it comes to source software, members of Microsoft have with consumer feedback helping to shape their Google’s investments in the heavily Java-based gone on record to say that the partnership will open-source future. Android platform. Could we expect to see Visual help the Redmond giant develop and deliver Just as surprising to some will be the Studio make it over to Android at some point? new mobile and cloud experiences to more announcement of Google joining the .NET Who knows… people than ever before. Microsoft has recently Foundation as part of the ever-increasing Both Microsoft and Google’s announcements may come as a surprise, but it’s testament to the Even more impressive is its work when collaborating developments in the open-source community that have helped pave the way for these mergers with the open source community to take place. 10 008-011_LUD174.indd 10 21/12/2016 10:44