
Apache 2 – Password protecting a directory using .htaccess

Recently I was asked to set up a small e-commerce website, and I wanted to ensure certain directories could only be accessed by those who needed to. One of those pages was phpMyAdmin, which, if brute forced, could cause a lot of damage. Despite having a strong password for phpMyAdmin, it only makes sense to hide it further behind a password prompt using .htaccess.

To begin with, this was added to the .htaccess file in the directory we wish to protect:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /location/of/.htpasswd
Require valid-user

After that, a .htpasswd file was generated. I chose to generate this file in a directory not accessible to the web.

htpasswd -c /location/of/.htpasswd username_of_choice

At this point you will be prompted to enter a password, and then to repeat it. This may be repeated for as many users as you require. If more users are added, bear in mind that the -c switch clears the file each time, so consider removing it for subsequent users.

As always, a lot more information on this is available in the Apache documentation as well as in your terminal:

man htpasswd
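
One way to check the placement described above, as an added example that is not part of the original post: it reads the AuthUserFile directive from a .htaccess and reports whether the password file sits inside the document root. The function names and the temporary sample layout are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the AuthUserFile
# named in a .htaccess sits outside the web document root.

# Canonicalise a path whose parent directory exists (portable, no realpath).
canon() {
    dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "${dir%/}" "$(basename "$1")"
}

# check_authuserfile HTACCESS DOCROOT
# Returns 0 if the password file is outside DOCROOT, 1 if it is inside,
# 2 if the directive is missing, relative, or cannot be resolved.
check_authuserfile() {
    docroot=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    # Directive names are case-insensitive; take the first match, drop quotes.
    pwfile=$(awk 'tolower($1) == "authuserfile" {
        $1 = ""; sub(/^[ \t]+/, ""); gsub(/"/, ""); print; exit }' "$1")
    case $pwfile in
        /*) ;;
        *) return 2 ;;  # empty, or relative to ServerRoot (unknown here)
    esac
    resolved=$(canon "$pwfile") || return 2
    case $resolved/ in
        "$docroot"/*) return 1 ;;  # a misconfigured server could serve it
        *) return 0 ;;
    esac
}

# Constructed sample layout: one good and one bad .htaccess.
demo=$(mktemp -d)
mkdir -p "$demo/site/good" "$demo/site/bad" "$demo/private"
printf 'AuthType Basic\nAuthName "Restricted Files"\nAuthUserFile %s\nRequire valid-user\n' \
    "$demo/private/.htpasswd" > "$demo/site/good/.htaccess"
printf 'AuthType Basic\nAuthUserFile "%s"\nRequire valid-user\n' \
    "$demo/site/.htpasswd" > "$demo/site/bad/.htaccess"

for d in good bad; do
    rc=0
    check_authuserfile "$demo/site/$d/.htaccess" "$demo/site" || rc=$?
    echo "$d/.htaccess: exit status $rc"
done
```

An exit status of 1 means the password hashes depend entirely on the server's rule that denies requests for .ht* files.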

Warning! Linux Mint – Multiple hacks.

The Linux Mint blog announces that the project’s web site was compromised and made to point to a backdoored version of the distribution. It is advised that if you did download an ISO on the 20th, then you avoid using it.

If you are a forum user it is advised that you change your passwords, especially if it is a shared password on other sites.

The following information was posted on the Linux Mint blog with regards to hacked ISOs:

Beware of hacked ISOs if you downloaded Linux Mint on February 20th!

I’m sorry I have to come with bad news.

We were exposed to an intrusion today. It was brief and it shouldn’t impact many people, but if it impacts you, it’s very important you read the information below.

What happened?

Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.

Does this affect you?

As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.

If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.

Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.

How to check if your ISO is compromised?

If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO).

The valid signatures are below:

6e7f7e03500747c6c3bfece2c9c8394f linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238 linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d linuxmint-17.3-cinnamon-oem-64bit.iso

If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.

Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.

What to do if you are affected?

Delete the ISO. If you burnt it to DVD, trash the disc. If you burnt it to USB, format the stick.

If you installed this ISO on a computer:

Put the computer offline.
Backup your personal data, if any.
Reinstall the OS or format the partition.
Change your passwords for sensitive websites (for your email in particular).

Is everything back to normal now?

Not yet. We took the server down while we’re fixing the issue.

Who did that?

The hacked ISOs are hosted on 5.104.175.212 and the backdoor connects to absentvodka.com.

Both lead to Sofia, Bulgaria, and the name of 3 people over there. We don’t know their roles in this, but if we ask for an investigation, this is where it will start.

What we don’t know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this.

If you’ve been affected by this, please do let us know.
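
The two checks the quoted Linux Mint post describes (the MD5 comparison and the /var/lib/man.cy marker), as an added shell example that is not part of the original post or of Linux Mint's own tooling. The function names are hypothetical, and the sums are the ones listed in the quote.

```shell
#!/bin/sh
# Added example (not from the Linux Mint post): automate the two checks it
# describes. The MD5 sums below are copied from the list quoted above.
VALID_SUMS='6e7f7e03500747c6c3bfece2c9c8394f linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238 linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d linuxmint-17.3-cinnamon-oem-64bit.iso'

# Return 0 if DIGEST (any letter case) is one of the valid sums.
md5_is_valid() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    # Appending "" forces a string comparison even for all-digit digests.
    printf '%s\n' "$VALID_SUMS" |
        awk -v h="$want" '($1 "") == (h "") { ok = 1 } END { exit !ok }'
}

# Return 0 if FILE hashes to a valid sum, 1 if it does not, 2 if unreadable.
# The file name is ignored on purpose: a renamed download is still checked.
check_iso() {
    [ -f "$1" ] && [ -r "$1" ] || return 2
    sum=$(md5sum < "$1" | awk '{ print $1 }')
    md5_is_valid "$sum"
}

# Return 0 if the tree rooted at ROOT (a live session's "/" or a mounted
# image) contains the marker path named in the post.
has_backdoor_marker() {
    [ -e "${1%/}/var/lib/man.cy" ]
}

# Usage: sh check-mint.sh file.iso [...]; with no arguments nothing is checked.
for iso in "$@"; do
    rc=0
    check_iso "$iso" || rc=$?
    case $rc in
        0) echo "$iso: matches a valid sum" ;;
        1) echo "$iso: does not match any valid sum" ;;
        *) echo "$iso: cannot read file" ;;
    esac
done
```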

The following information was posted on the Linux Mint blog with regards to the compromised databases:

All forums users should change their passwords.

It was confirmed that the forums database was compromised during the attack led against us yesterday and that the attackers acquired a copy of it. If you have an account on forums.linuxmint.com, please change your password on all sensitive websites as soon as possible.

The database contains the following sensitive information:

Your forums username
An encrypted copy of your forums password
Your email address
Any personal information you might have put in your signature/profile/etc…
Any personal information you might have written on the forums (including private topics and private messages)

People primarily at risk are people whose forums password is the same as their email password or as the password they use on popular or sensitive websites. Although the passwords cannot be decrypted, they can be brute-forced (found by trial) if they are simple enough or guessed if they relate to personal information.

Out of precaution we recommend all forums users change their passwords.

While changing your passwords, please start with your email password and do not use the same password on different websites.

Xfce compositing and compton keyboard shortcut toggle

In a previous post we addressed a simple way of enabling and disabling compositing in Xfce using a shell script. In this post we discuss how to do the same with compton, as well as some additions made to the original script.

So, without further ado, the relevant code:

For compton:

#!/bin/sh
if pidof compton >/dev/null; then
	# Comment the line below to disable notifications
	notify-send -t 400 'Disabled compton' --icon=video-display
	# Kill compton
	killall compton
else
	# Comment the line below to disable notifications
	notify-send -t 400 'Enabled compton' --icon=video-display
	# Start compton as a daemon
	compton -b
fi
exit

The difference here is that it will send a message to the notification daemon. This line may be commented out (or deleted) by those who wish not to have that feature.

To achieve the same for XFWM4 compositing, we must change our old script to the following:

#!/bin/sh
status=$(xfconf-query -c xfwm4 -p /general/use_compositing)
xfconf-query -Tc xfwm4 -p /general/use_compositing
# Comment the lines below to disable notifications
if [ "$status" = "false" ]; then
	notify-send -t 400 'Enabled compositing' --icon=video-display
else
	notify-send -t 400 'Disabled compositing' --icon=video-display
fi
exit

As before, name the file whatever you wish (I named mine compositing.sh), mark it executable with chmod u+x compositing.sh and assign it as a keyboard shortcut.

Dropping Dropbox

I’ve been a Dropbox user since 2008. I’ve enjoyed using Dropbox over the years; with native Linux support and native Android support I was able to back up what I wanted to back up (i.e. phone, desktop and server contents) with ease and without having to think about it.

Alas, the time has come for me to give up using Dropbox. Dropbox made a decision this month to appoint Condoleezza Rice, the former secretary of state, to the company’s board of directors. Condoleezza Rice is no friend of privacy. Anyway, I could go on but this issue has been covered in the media enough. For more info visit drop-dropbox.com.

Basically, I cannot trust my data with a company who has an advocate of wire tapping in their board of directors. I was hoping Dropbox would change their minds amidst all the concerned customers raising their voices, but they are standing by their decision.

For now I am considering switching to ownCloud while my data is rsynced to my backup server for the time being.

Hosting woes

As a result of much downtime with our old hosting provider, we’ve now decided to take up a VPS with Linode (our affiliate link). After much testing over the course of 4 months, we were quite happy with the performance and stability. Apologies for any issues you may have had accessing the site (although judging by the site stats there were none!). We had considered setting up a failover system, but it’s just not worth it for the number of visitors we get! Henceforth things should be better.

Xfce – Set a keyboard shortcut for compositing toggle

I use Xfce as my primary desktop environment, and recently, I found the need to disable and enable compositing on a regular basis. This led to my search for a way to do this via keyboard shortcuts, as it was quite inconvenient to have to open the Window Manager Tweaks GUI each time to simply toggle a check box.

So, I discovered xfconf-query, and upon some further reading, came to this as the quickest possible way of doing it via the command line:

xfconf-query -Tc xfwm4 -p /general/use_compositing

Create file compositing.sh using the editor of your choice, with the following content:

#!/bin/sh
xfconf-query -Tc xfwm4 -p /general/use_compositing

Make the file executable:

chmod u+x compositing.sh

Now open Menu > Settings > Keyboard > Application shortcuts > Add

Voila! Enjoy switching compositing on and off as and when you need to.

Linux Voice – Crowd funding

Linux Voice – A new magazine currently seeking crowd funding.

As a long-time reader of the Linux Format magazine, a brilliant read, I was quite shocked to find out that some key members of this magazine had left. They also had a pretty entertaining podcast on TuxRadar.com, where they announced that they were leaving Linux Format on the last episode of their podcast there.

However, do not despair! Those that did leave decided to start a new magazine/podcast, called Linux Voice, which has been a very pleasant surprise. The guys are currently running a crowdfund on their Indiegogo page; any pledges will be welcome, I’m sure.

The project sounds good to me, considering the magazines in the past had shareholders and bosses to please, this new format should give them more freedom and we should see even better content. I personally can’t wait and wish the guys success in this project.

Find out more on their website and their Indiegogo page, both of which are linked above.

Steve Jobs (1955-2011)

Apple has announced that the company’s co-founder Steve Jobs has died. He was 56 years old.

In a statement, the company said: “We are deeply saddened to announce that Steve Jobs passed away today.

“Steve’s brilliance, passion and energy were the source of countless innovations that enrich and improve all of our lives. The world is immeasurably better because of Steve.

“His greatest love was for his wife, Laurene, and his family. Our hearts go out to them and to all who were touched by his extraordinary gifts.”

The homepage of Apple’s website now displays a full-page image of Jobs with the text: “Steve Jobs 1955-2011.”

A dedicated webpage then reads: “Apple has lost a visionary and creative genius, and the world has lost an amazing human being. Those of us who have been fortunate enough to know and work with Steve have lost a dear friend and an inspiring mentor. Steve leaves behind a company that only he could have built, and his spirit will forever be the foundation of Apple.”

There is no denying that Steve Jobs and Apple have changed the world we live in today with smartphones and tablets now common in every household. May he rest in peace and our condolences to his family.

Google acquires Motorola Mobility

Google Inc. (NASDAQ: GOOG) and Motorola Mobility Holdings, Inc. (NYSE: MMI) yesterday announced that they have entered into a definitive agreement under which Google will acquire Motorola Mobility for $40.00 per share in cash, or a total of about $12.5 billion, a premium of 63% to the closing price of Motorola Mobility shares on Friday, August 12, 2011. The transaction was unanimously approved by the boards of directors of both companies.

The acquisition of Motorola Mobility, a dedicated Android partner, will enable Google to supercharge the Android ecosystem and will enhance competition in mobile computing. Motorola Mobility will remain a licensee of Android and Android will remain open. Google will run Motorola Mobility as a separate business.

Larry Page, CEO of Google, said, “Motorola Mobility’s total commitment to Android has created a natural fit for our two companies. Together, we will create amazing user experiences that supercharge the entire Android ecosystem for the benefit of consumers, partners and developers. I look forward to welcoming Motorolans to our family of Googlers.”

Sanjay Jha, CEO of Motorola Mobility, said, “This transaction offers significant value for Motorola Mobility’s stockholders and provides compelling new opportunities for our employees, customers, and partners around the world. We have shared a productive partnership with Google to advance the Android platform, and now through this combination we will be able to do even more to innovate and deliver outstanding mobility solutions across our mobile devices and home businesses.”

Andy Rubin, Senior Vice President of Mobile at Google, said, “We expect that this combination will enable us to break new ground for the Android ecosystem. However, our vision for Android is unchanged and Google remains firmly committed to Android as an open platform and a vibrant open source community. We will continue to work with all of our valued Android partners to develop and distribute innovative Android-powered devices.”

The transaction is subject to customary closing conditions, including the receipt of regulatory approvals in the US, the European Union and other jurisdictions, and the approval of Motorola Mobility’s stockholders. The transaction is expected to close by the end of 2011 or early 2012.

Source

Google now have in their hands a hardware manufacturer. Google have reiterated that they remain committed to the Android platform and hope to continue working with their partners, as seen in this statement from Larry Page (CEO of Google) on the official Google blog:

This acquisition will not change our commitment to run Android as an open platform. Motorola will remain a licensee of Android and Android will remain open. We will run Motorola as a separate business. Many hardware partners have contributed to Android’s success and we look forward to continuing to work with all of them to deliver outstanding user experiences.

No doubt this acquisition will be worrying for hardware manufacturers who are part of the Open Handset Alliance. It will definitely be interesting to see how this acquisition will affect Android’s hardware partners.

This acquisition also means that Google will have access to more intellectual property, thus strengthening their patent portfolio. It is probable that the main reason for this acquisition was to obtain defensive patents rather than Google’s interests in manufacturing hardware for the Android platform.

Thus the patent war continues.

The Humble Indie Bundle #3 Is Live

The Humble Indie Bundle #3 is officially live.

You can get 5 classic indie games: Crayon Physics Deluxe, Cogs, Hammerfight, VVVVVV and And Yet It Moves for whatever price you want while helping the Child’s Play Charity and the Electronic Frontier Foundation.

The games are cross-platform, meaning they work natively on Linux, Mac OS X and Windows. All games are DRM free, so you can install them as many times as you like and even redeem them on Steam and Desura.

So what’s stopping you? Get your hands on some games and support some good causes in the process.