
Ubuntu Desktop Still not Pro Level

Last year I wrote a few posts about trying out Ubuntu Desktop. After many frustrating weeks, I gave up on Ubuntu Desktop. I didn’t post why.

Ubuntu Desktop lets you log in, fairly easily download things from the app store, and browse the internet. It manages to come close to feeling like you are “looking at a Mac”. But that’s it. Once you start using it, nothing is smooth, and it doesn’t make a lot of sense. Configuration options you might want to change are just not available in the GUI, so you have to drop to the console to run commands or edit files in a text editor. Apps you might want to use, for photo editing or document writing, just don’t compare with the features in commercial products.

So, yes, you can install an email client, a Word-like program, something that works kind of like spreadsheet software. But I’ll be damned if any of them opened any existing documents or files without conversion errors. And anything I made could not be shared without errors. Calendaring was abysmal. You’d have to be hard pressed to choose GIMP over Photoshop.

Which means that, for me, Ubuntu Desktop might work for someone’s mom to check Yahoo! mail, or to browse Facebook. But it does not work the way a business professional would need it to. It won’t work in an enterprise environment that is Microsoft-heavy.

Maybe some startups, or small groups of people could make it work. But, I suspect those folks are all using a Mac. Which *does* work, with just about everything I’ve ever needed it to do.


Heartbleed Testing

With all the attention Heartbleed is getting right now, I wanted to test out my client’s servers and network devices. One of the easiest ways to check hosts and networks for vulnerabilities is with nmap. There is a new script for scanning for Heartbleed, but it requires Lua scripts and a recent nmap version.

Here is how to get everything working on an out-of-the-box Ubuntu 12.04 Desktop.

If you don’t have Ubuntu 12.04 Desktop, download it and install it using one of these methods:

  • Dual boot your computer
  • Replace your OS
  • Install to flash drive
  • Install on VirtualBox (my preferred solution, be sure to install the VirtualBox Extensions for both the host and guest)

If you don’t have a recent nmap, install the build requirements and build nmap from svn:

sudo apt-get update
sudo apt-get dist-upgrade
sudo reboot
sudo apt-get install build-essential autoconf checkinstall
sudo apt-get install subversion
svn co https://svn.nmap.org/nmap
cd nmap
./configure
make
sudo checkinstall


If you already have a recent nmap, you can instead just download the latest tls.lua library and the ssl-heartbleed script into its data directory and refresh the script database:

cd [install-path]/nmap/nselib/
sudo wget https://svn.nmap.org/nmap/nselib/tls.lua
cd [install-path]/nmap/scripts/
sudo wget https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse
sudo nmap --script-updatedb


Run nmap with the Heartbleed script:

nmap --datadir [install-path] -sV -p 443 --script ssl-heartbleed [server/network]


Example of a vulnerable system:

[snip]
443/tcp open https
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| Description:
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| http://cvedetails.com/cve/2014-0160/
| http://www.openssl.org/news/secadv_20140407.txt
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
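Added triage helper (not from the original post): once the scan above has run against a whole range, this POSIX shell function reads nmap’s normal output (the terminal output, or a file saved with -oN) and prints one host:port per service whose ssl-heartbleed section reports State: VULNERABLE, so a long scan reduces to the list that needs patching. The two-host sample at the bottom is constructed; its IPs and hostname are placeholders.

```shell
#!/bin/sh
# Added triage helper, not part of the original post. Reads nmap normal
# output for a scan run with --script ssl-heartbleed and prints
# "host:port" for every service whose script section says
# "State: VULNERABLE". Hosts that were not flagged print nothing.
heartbleed_hits() {
    awk '
        # A hostname is followed by its IP in parentheses; keep the IP.
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); port = "" }
        /^[0-9]+\/tcp +open/     { port = $1; sub(/\/tcp$/, "", port); inscript = 0 }
        /^\| ssl-heartbleed:/    { inscript = 1; next }
        inscript && /State: VULNERABLE/ { print host ":" port; inscript = 0 }
        /^\|_/                   { inscript = 0 }
    '
}

# Constructed sample output: one vulnerable host, one host the script did
# not flag (so it has no ssl-heartbleed section).
SAMPLE='Nmap scan report for web1.example.com (192.0.2.10)
Host is up (0.0010s latency).
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
|     State: VULNERABLE
|     Risk factor: High
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Nmap scan report for 192.0.2.11
Host is up (0.0012s latency).
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx
'

# Live use: nmap -sV -p 443 --script ssl-heartbleed -oN scan.txt [server/network]
#           heartbleed_hits < scan.txt
# Offline run against the constructed sample:
printf '%s\n' "$SAMPLE" | heartbleed_hits
```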


Linux Transparent Bridge + Firewall

I was called in to help secure a network in a pinch. This called for some quick action, with very few resources. No time to purchase a firewall, or drastically redesign the network. We needed something now.

The client’s network had their printers, desktops, servers, SANs, and switches all on one subnet, publicly accessible from the internet, with no hardware firewall. Hackers were exploiting NTP bugs, trying default accounts and passwords, and trying to brute-force their way into everything. Without having a complete understanding of the infrastructure, and of what renumbering and redesigning the entire network might impact, I decided to implement a quick fix while a firewall was ordered and careful redesign steps could be planned.

This quick fix was to create a transparent bridge and move all the vulnerable devices onto a private VLAN, while allowing the transparent bridge to firewall and secure all of these devices.

First, I had to reclaim an old Dell R310 server. Nobody knew the BIOS passwords for any of the servers, so after a quick BIOS password clear and reboot, I installed Ubuntu 12.04 LTS with basic settings and updates. After consulting with my Cisco experts, we configured two ports:

interface gi 1/0/1
switchport mode access
switchport access vlan 24

interface gi 1/0/2
switchport mode access
switchport access vlan 25

On the server I set up bridge networking by installing bridge-utils

apt-get install bridge-utils

and adding these lines to /etc/network/interfaces

auto br-vlan25
iface br-vlan25 inet dhcp
bridge_ports eth0 eth1
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off
up /sbin/ifconfig $IFACE up || /sbin/true

When I brought up the interfaces the bridge started forwarding Spanning Tree Protocol (STP) packets, and the switch immediately killed one of the interfaces to prevent a loop.

My solution was to install the ebtables package

sudo apt-get install ebtables

And add the following rules

ebtables -P INPUT DROP
ebtables -P FORWARD DROP
ebtables -P OUTPUT DROP
ebtables -A OUTPUT -p IPv4 -j ACCEPT
ebtables -A OUTPUT -p arp -j ACCEPT
ebtables -A INPUT -p IPv4 -j ACCEPT
ebtables -A INPUT -p arp -j ACCEPT
ebtables -A FORWARD -p IPv4 -j ACCEPT
ebtables -A FORWARD -p arp -j ACCEPT

And then modify /etc/default/ebtables so that all the “no” settings were “yes”, that way the rules would persist across a reboot or interface reset

I now had a functioning bridge, but no firewall, so I added these rules to iptables to only allow locally sourced traffic through

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -I FORWARD -s X.Y.Z.0/24 -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

And then installed the iptables-persistent package to save iptables rules across reboots and interface resets

apt-get install iptables-persistent

The next step was to look at all the switch ports, identify all the devices that needed to be secured, and move them to the new private VLAN.

show int status

find all the vulnerable device ports

conf t
int gi 1/0/X
switchport access vlan 25

Then I went to vCenter and looked at all the guests that needed to be secured, including the ESXi hosts themselves, and changed them to the new private VLAN.

Now an Nmap scan from on site has access to their equipment, and an Nmap scan from offsite shows just a collection of desktops, printers, and public-facing servers. No more free access to ESXi hosts, EqualLogic storage, video cameras, environmental sensors, etc…
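As an added check (not part of the original post), the following POSIX shell audit reads the FORWARD chain as iptables -S FORWARD prints it and fails unless it is fail-closed the way the rules above intend: DROP policy, one ACCEPT for traffic sourced from the private subnet, one ACCEPT for ESTABLISHED,RELATED, and nothing else. It also checks the bridge-nf-call-iptables sysctl, which must be 1 for bridged frames to reach iptables at all; the subnet 192.0.2.0/24 and both chain listings are constructed sample values.

```shell
#!/bin/sh
# Added audit helper, not from the original post. Reads the FORWARD chain
# as printed by "iptables -S FORWARD" on stdin and returns 0 only when the
# chain is fail-closed: policy DROP, and every ACCEPT is either the
# private-subnet source rule or the ESTABLISHED,RELATED rule. A stray
# catch-all ACCEPT, a NEW in the state list, or a mistyped subnet is
# reported on stderr and fails the check. The subnet argument is whatever
# replaced X.Y.Z.0/24 on the real box; 192.0.2.0/24 below is constructed.
audit_forward_chain() {
    subnet=$1
    status=0
    policy_ok=0
    while IFS= read -r line; do
        case $line in
            "-P FORWARD DROP") policy_ok=1 ;;
            "-P FORWARD "*) echo "policy is not DROP: $line" >&2; status=1 ;;
            "-A FORWARD -s $subnet -j ACCEPT") ;;
            *"-j ACCEPT"*)
                # Strict literal match on the state rule; anything else is flagged.
                case $line in
                    *" --state ESTABLISHED,RELATED "*|*" --ctstate RELATED,ESTABLISHED "*) ;;
                    *) echo "unexpected ACCEPT: $line" >&2; status=1 ;;
                esac ;;
            "-A FORWARD "*) echo "unexpected rule: $line" >&2; status=1 ;;
        esac
    done
    [ "$policy_ok" -eq 1 ] || { echo "FORWARD policy is not DROP" >&2; status=1; }
    return "$status"
}

# Bridged IPv4 frames only traverse iptables while this sysctl is 1; at 0
# the FORWARD chain audited above is never consulted for bridged traffic.
bridge_nf_call_iptables_on() {
    [ "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)" = 1 ]
}

# Constructed samples: the intended chain (rules listed in the order the
# two -I inserts leave them), and the same chain with a catch-all ACCEPT
# that would silently open the bridge.
GOOD_CHAIN='-P FORWARD DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 192.0.2.0/24 -j ACCEPT'
BAD_CHAIN="$GOOD_CHAIN
-A FORWARD -j ACCEPT"

# Live use, once the rules are loaded:
#   iptables -S FORWARD | audit_forward_chain 192.0.2.0/24 && bridge_nf_call_iptables_on
```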


Awesome mini wireless keyboard + trackpad

Looking at making a server crash kit and found this little gem…

A miniature keyboard and trackpad over at adafruit.com


“Add a miniature wireless controller to your computer project with this combination keyboard and touchpad. We found the smallest wireless USB keyboard available, a mere 6″ x 2.4″ x 0.5″ (152mm x 59mm x 12.5mm)! It’s small but usable to make a great accompaniment to a computer such as the Beagle Bone or Raspberry Pi. The keyboard itself is battery powered (there’s a rechargeable battery inside that you charge up via the included USB cable). The keyboard communicates back to the computer via 2.4 GHz wireless link (not Bluetooth).

The keyboard can only be used with a USB host such as a computer. It’s not intended to be used with an Arduino or Basic Stamp, etc. We tested it with the Raspberry Pi and it works great: uses only one USB port for both mouse and keyboard.”


I’m not dead yet

I haven’t fully stopped trying to use Ubuntu as a desktop replacement yet. But I am using Windows again right now because I found LibreOffice was not reading Office documents correctly, and embedded Visio diagrams do not work. Which forced me into Windows to do some quick work.

I also have a VirtualBox image on my Windows box with a dev environment, and needed to use it for some quick work and did not have time to get it running under Ubuntu.

The reason I’m making this blog post is to point out where Windows is winning.

At least in a Windows vs Ubuntu test. At this point I may just buy myself a Mac and use this Dell laptop as a fishtank.


Dropbox wins over Google Drive

This isn’t really a fair fight. Google Drive doesn’t even have a Linux client.

My real preference is sshfs, though.

For work files, I use sshfs to mount a folder on our secure server to my laptop. Policies frown on sticking sensitive files in the cloud. I’d like to play with services like OwnCloud, or some others, but sshfs works fine for now.


Empathy wins over Pidgin

I tried installing Pidgin to connect to our jabber server. I had alternating trouble getting Pidgin to authenticate, and when I say alternating, I mean it. With no changes, it would log in, or it would fail. And when it would log in there would be an empty Pidgin buddy list. So empty that clicking on it registered as the desktop, and not the Pidgin app. Purging and reinstalling didn’t help.

Then I noticed that Empathy (the little envelope on Ubuntu’s system bar) had detected Pidgin was installed and was asking to import my Pidgin settings. I gave it a shot, and was able to log in with zero hassles. Yes, it imported my settings from a non-functioning Pidgin, and Empathy worked.

I’m going to test out Empathy and see if there are any features that it doesn’t have that would warrant figuring out how to get Pidgin (or another client) to work.


Thunderbird instead of Outlook

It looks like Thunderbird has come a long way in the last couple of years. I was able to install Lightning 1.9.1 and the Exchange 2007/2010 Calendar and Tasks Provider 1.8.5, and have access to my email and calendar.

I ran into some issues with the email address not matching the account name, and Thunderbird keeping some settings locked away in its memory somewhere even though I had changed them in the GUI (the account name kept the gmail.com value I had typed, before correcting it to my work address). I also had to delete the account several times before finally figuring out that it was defaulting to GSSAPI authentication, even though I am not doing GSSAPI authentication.

The address book was a snap to configure. At first I thought I’d have to know the OU and Bind DN, but just putting in the ldap server name was sufficient to search for people.

Calendaring was also a snap. After installing the Exchange 2007/2010 Calendar and Tasks Provider add-on I spent some time trying to figure out how to access the calendar and finally figured out there was a teeny tiny calendar and task icon in the top right corner. Clicking on them opens a Calendar and Task tab, and they appear to work quite nicely.

So, now I won’t be late for meetings, and I can edit work documents.


Ubuntu Desktop LibreOffice

Compared to previous attempts at using an open source Office suite (such as KOffice, OpenOffice, and others), LibreOffice actually works enough to use it (sorry other guys).

Setting up the printer was as easy as hitting Add and Find, and then clicking on the awkwardly named “Forward” button. Slightly less awkward than naming the button “Progress”, but if we’re going to depart from the traditional “Next” button, I’d like to go with something more fun, like “Onward Ho!”, or “I Dare You”.

I was relieved to see LibreOffice was able to open most of my documents with a reasonable level of accuracy. The weirdest thing I saw was a Visio diagram saying it was in Portrait mode, but the page dimensions themselves were landscape oriented. When I went to print, the printer thought the page should have been portrait, so it was only going to print a corner of the diagram.

I do find bulk property editing flawed. For example, the font used on the Visio diagram did not exist in LibreOffice, but when I tried to change just the font, it changed all of the font properties, including font size, et al, so the whole document was a jumbled up mess.

But, I can work with this, at the moment.


Rhythmbox High CPU Load

I thought my next post would be about chat clients, but then I noticed my fan was running loud, and a glance at the processes showed Rhythmbox was running at 200% streaming some internet radio.

A Google search showed other users complaining about CPU load reading music from their hard drive, so I’m going to have to move this app into the “does not work out of the box” group as well.

So, I’m four hours in and have four apps that don’t work. (Pidgin, BitchX, Spark, and Rhythmbox).

Maybe I’ll try some productivity apps just to see if I am wasting my time trying to get Ubuntu to work as a desktop replacement.