Friday, 9 October 2020

How to secure your Linux

How to secure your linux? (easily)

Now days computer security is on the top trending topics for several reasons, the pandemic confiment also boosted the search for this topic. So you have a linux, is it secure? Most likely yes, is it vulnerable, even if daily updated (also see how to speed up apt-update ) due to default values of some configurations.

An easy way to enhance Linux security or hardening Linux? Using lynis (also works on OSX)
What's hardening?  Basically is just tunning and configuring some features that by default might allow someone to exploit or use that as a vulnerability. (not just one feature per se, but some combined might create something exploitable)

How to install lynis on Linux?

There are two instalation methods, easy and easiest. The main difference is  the version you download from the Lynis site is always the latest one where the apt-get version might take sometime to get to the lastest. 
An example is allowing access to compilers, an intruder can pass a bunch of string and in the end compile them and there you go, someone uploaded some string and created an executable on your machine. Another example is not enforcing secure password, 1234, Joe, and Password aren't exactly secure passwords, but if the system won't allow anything rather than ex: JustATinny123Pass**Again is virtual impossible to guess or crack.
 
In ubuntu/mint lynis installation (easiest):
  • sudo apt install lynis
In ubuntu/mint lynis installation (easy):
  1. Go to Lynis webpage and download the rar
  2. Unrar-It
  3. Done  

How to run Lynis on your Linux machine?

Previous Note: You should always run it as root user 
  • If the installation was done via apt-get the just type "lynis audit system" else, just go to the directory where you extracted Lynis and run "./lynis audit system".
This might take a while depending on our system ( 40sec plus). 

What do you get? Whell for start you get a score! 0-100points... if you use a default ubuntu 20 LTS from scratch you'll get around 65points depending on installed packages.

Lynis score



There's a list of issues to be solved, their solution (if possible in your system), solve one by one and in the end run it again. In the end you improve your score and harden your system.
Examples which I focus a LOT, since some of my machines are only accessible by network: sshd connections hardening.

Lynis recommendations


Thursday, 8 October 2020

Remote Desktop Playing @Home

Remote Desktop Gaming

Yes codding rocks, scripts make you smile and git is the new winamp but once in a while it's nice to play a bit.

Most people now days have laptops, company laptops or personal laptops, which in general, aren't suitable for gaming nor you want to risk your working tool by overheating it. Installing games on work computers isn't also the brightest idea in the world. There's also the physical part of it, you don't want to move to your desk or across the living room to play. 

Desktop's aren't exactly portable


Alternatively you can get a gaming laptop, but those are a bit more expensive than usual, also a bit bigger and with less battery life, certainly your company won't get you one and sometimes they're a bit flashy... not ideal for a formal meeting.

Care to take it to a formal meeting?

Solution: get a cheap desktop, put a GPU on it (I did it with my dell T1600 cheap homeserver) and do all the gaming on it remotely How? With a program called Parsec. The principle is very simple: 

  • Install Parsec on Desktop and laptop (or all the computers you want to interact with)
  • Create an account (FREE)
  • Login on all computers
  • Connect to one of your logged In computers
  • You're IN (literally, you're inside a remote desktop on that computer)

    parsec
    Pick one of your computers!
So you get the following: You -> Laptop -> Gaming Desktop nice

So why Parsec? Because it was developed with gaming in mind it's low latency software allows you to run games as if it was on your laptop. 

Remote Desktop

Basically it comes to this, you use a remote desktop client to play games but don't forget it's a remote desktop so it can be used for programing, for server maintenance, remotely viewing videos etc

Requirements for remote desktop gaming @home

Assuming your Desktop has a decent/recent CPU/CPU/SSD you'll pretty much run every game out there, the main requirements are just two:
  • Network speed - The higher the resolution and FPS the higher bandwith you'll need. So if possible network cable attached to the DESKTOP and pick a nice spot for your wifi-router.

Having said this, i can play with almost no lag at 1920*1080 in the same room with a 2.4Ghz 1000Gbit ISP router. 

Parsec will even show you statistics of your network performance and bottlenecks.

parsec


 

Dell T1600 cheap home server

My home server needs

All the stuff on the laptop is great, but sometimes I need something with a little bit more power (not Dual core but Quad-Core and more RAM), also I'd like to have something always running and available (dockers for example) and that's not doable with laptops.  

So my requirements would be quad-core, expansible RAM up to 32gb, GPU expandable, SILENT, CHEAP, and CHEAP. After some time browsing the net I've found a Dell T1600 for 50$ !!!

Dell T1600 home server specs

So for 50$ (plus shipping) what does one get? E3-1225 CPU (quad-core 4threads and GPU integrated), 4GB Ram (1066Mhz Dual Channel), GPU NVIDIA Quadro2000, PUS 320W 90%Power Efficient, 500GB HDD and a not so pretty chassis (but will be hidden so no issue here).
The CPU and Chassis fan (on the back below the PSU) are very quite by default so at present time no need to change them.
dell t1600
T1600 chassis

dell t1600
2 HDD Bays ready to get SSD on it!

Upgrades to T1600

What stays what goes and what to enhance? 
  • Clean it properly, blow out all the dust, clean the fans
  • CD-ROM disconnected, don't need it, less noise, less stuff, SATA and power cables out, yet it's still there until I get front bay cover. (if ever!)
  • 500GB HDD Swap for an SSD, my pick was a 480GB lower brand SSD laying around, had to get a 3.5 to 2.5 cage converter to fit the blue brackets.
  • Change thermal paste! This is critical, don't know for how long (if ever!) the thermal compound has been changed and this is a 95w CPU so it will get HOT. Used the Grizzly  Kryonaut.
  • The NVIDIA Quadro 2000 is OK, but for projects which use CPU/CUDA cores (and maybe some light gaming) swapped it for an MSI AERO TI 1050 . This GPU is small form designed for ITX, not that's needed, and will get all the power from the PCI-E slot. Notice dell T1600 PSU DOES NOT HAVE GPU connector. Also this new GPU has HDMI output which is a lot easier to use than caring and using DVI adapters.
  • RAM 2*2gb 1066Mhz, used some dimms from friends and got it 2*2 + 4*4  (1333Mhz)= 12gb in dual channel. Still at 1066 which will change soon to 1333Mhz on all the dimms

To do Upgrades to Dell T1600 

  • RAM from 12gb to 16gb or 24 or 32 all 1333Mhz. Specs say 16gb RAM tops but has been proved that it will take up to 32gb ram
  • Upgrade CPU to 4core 8thread E3-1270 or 1280. These ones have double the E3-1225 threads, have higher MHZ and lower TWP (80watts) since they do not have an integrated GPU.

Drawbacks and limitations of the Dell T1600 you should know

  • PSU's ( 265W or 320W) don't have a GPU power connector. So with standard PSU you're limited to PCI-E powered GPU's. Note also that the 320W PSU won't be enough for mid-range GPUs 
  • CPU fan connector, and case connectors are DELL proprietary. If you plan to change the default fans you'll need and an PWM 5 to 4 pin adapter, like this one here again the fans by default are quite enough.

What happened to my Dell T1600

I's alive and kicking! Handles full load for 2/3hours without throttling and with reasonable temperatures 62 Degrees Celcius full load (for this CPU and keep in mind it's on tight space). The CPU also handles high loads pretty well AND VERY SILENTLY! It has been always on, a true workhorse. I actually also started to play some games (new games not 90's graphic games) on it remotely and it's still very capable being the GPU the bottleneck.

Update 10-2020:

Due to powerline low bandwithd added an PCI-E wifi card, TP-LINK Archer T4E which speeded up by 2 (yes TWO double speed). Internet speed a lot faster and I can play with Parsec remotley at home even better due to low lag. 

Update 11-2021:

Swapped it ! Got an (offered) Lenovo m92p SFF and had to swap the Dell for it. This one is a newer generation and it's more compact. (downgrading on the GPU though).

Wednesday, 7 October 2020

Python Static Code Analysis

Python static code analysis with Prospector and Bandit

Not going to talk about the "why should one use code analysis tools", if you read it up to the end you'll get it!

Which code analysis tools?

Let's talk about Code Analysis in Python, what to use, why to use, experience on using it.

Currently I use only 2, and for me it's the limit of code analysis tools to use at the same time without much overhead.  Prospector & Bandit. Why two?

Well one, Bandit,  focus specifically on security on your Python code, the other has a wider range focusing on potential errors, complexity and convention violations . Both overlap in some way, with Prospector replacing Pylint, pep8 and McCabe complexity, endoing: you'll get more than enough code analysis, sometime more than you can handle. (I'll get to that latter on)

 

How to Install Bandit and Prospector?

Installation is very strait forward on both of them.

Installing Bandit is as simple as:

pip install bandit
or 
pip3 install bandit 

Installing Prospector isn't much harder:

pip install prospector[with_everything]
or 
pip3 install prospector[with_everything]

 

Running of Bandit and Prospector?

First you need your python file. In this case I've used an example one just for the sake of example, let's call it tst.py


It's a very simple program with one function, user input and screen output. Let's run first Bandit, how? Simple:

    bandit tst.py

Here's the result:

Looks like we've got a potential issue with the "input" , since we're using python3 won't be a problem but lets assume that it is. Go to the link and read the explanation, so if we're on Python2 let's swap input() with raw_input() else it's all alright.

Now running prospector, the -s flag points the profiles used, from veryhigh to verylow, in here you can opt to choose, if you don't use the flag medium shall be used, for sake of example let's go for the veryhigh :

    prospector -s veryhigh tst.py

 

 

As you can see LOTS of warnings are issued in the veryhigh (30 vs 6 on the medium profile) so use the veryhigh and high with come caution because most of the warnings in veryhigh are related to syntax and indentation aspects (pep8).

So if you apply most of the changes/fix all the warnings how will the code look like? ( DO keep in mind that sometimes you can't actually apply all the changes due to legacy code/ code dependencies, and sometimes your editor my leave some spaces/tabs between the lines which will conflict with the "veryhigh" settings)

Now your code is a bit safer and cleaner. This was a simple and silly example, try to run it on your own scripts/programs and see the differences, again in prospector don't rush into the "veryhigh" profile.