How to secure your Linux ?

Get Started

There are four common and useful methods for you to secure and check your Linux.

• Port Scan
• Firewall
• Update Security package
• Antivirus

Port Scan

You can check your system by scanning your port number. Once you find out some ports that are open and not used, remember to close them and stop their related services accordingly.

• Install port scan tool
  sudo install nmap
  
• Execute Port Scan command to scan Port from 1 to 65535
  nmap -p 1-65535 -T4 -A -v [Target IP]
  

Firewall

The fundamental rule to improve the security of your Linux is your system merely opens necessary and required ports for your services. I strongly recommend you to set up restrictions on port 22 to avoid being attacked by SSH Brute Force. Hopefully, DenyHost is a smart firewall that can automatically parse SSH Log and detect malicious IPs to setup block rules for you. 

• Install DenyHost

Update Security package

Update your system with latest security packages automatically.

Install this package if it isn't already installed using
sudo apt-get install unattended-upgrades

To enable it type
sudo dpkg-reconfigure unattended-upgrades

and select "yes".

AntiVirus

Scan and check your system regularly with the following antivirus software.

• Install Virus
  sudo apt-get install clamav
  
• Update Virus code
  sudo freshclam
  
• Scan system
  sudo clamscan --remove=yes -i -r ./
  

Apache Problem due to (24)Too many open files - Solution

After running web services on Apache for few years, my web suddenly could not be accessed because of given an error "HTTP WARNING: HTTP/1.1 403 Forbidden".

When checking the Apache Error log, I found an error message as shown below.

(24)Too many open files: /var/www/html/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

The solution to this problem is to increase the maximum number of open files and user processes by the following settings.


vim /etc/security/limits.conf 
root soft nofile 32768 
root hard nofile 32768 
root soft nproc 4096  
root hard nproc 4096

How to Build an Android Project using Cocos2d-x 3.6 with Eclipse ?

1.Install

Download and install the following libs and SDKs.

    JDK   

        http://www.oracle.com/technetwork/java/javase/downloads/index.html

    Android SDK  

        http://developer.android.com/sdk/installing/index.html?pkg=tools

    Android NDK 10e

        http://dl.google.com/android/repository/android-ndk-r10e-darwin-x86_64.zip

    Apache Ant 

        http://ant.apache.org/bindownload.cgi

2. Configure settings using Eclipse 

Goto Eclipse --> Preference --> C/C++ --> Build --> Environment 

Edit the following settings as shown below.

ANDROID_SDK_ROOT

/Users/User/Applications/Android/sdk

ANR_ROOT

/Users/User/Desktop/cocos2d-x/apache-ant-1.9.7/bin

COCOS_CONSOLE_ROOT

/Users/User/Desktop/cocos2d-x/cocos2d-x-3.6/tools/cocos2d-console/bin

NDK_ROOT

/Users/User/Desktop/cocos2d-x/android-ndk-r10e

PATH

/usr/bin:/bin:/usr/sbin:/sbin:/Users/User/Desktop/cocos2d-x/cocos2d-x-3.6/tools/cocos2d-console/bin

Edit NDK location 

3. Import Cocos2d-x Lib

3.1 In Package Explorer, click import button --> Android --> Existing Android Code Into Workspace 

3.2 Select Cocos2d-x-3.6 --> cocos --> platform --> android --> java

4. Import Source Codes

4.1 Click import button --> Android --> Existing Android Code Into Workspace  --> select your android source codes project 

4.2  Check your project have a link to Cocos2d-x lib

Select your project --> Properties --> Android --> Library 

 

5. Run Configuration 

5.1. Goto Run --> Configurations --> Android Application  --> Tab Android

Name   :  Your Name 

Project :  Click Browse button and select the path of your Source Code

5.2. Goto Run --> Configurations --> Android Application  --> Tab Target 

Run on Android devices 

Check option - Launch on all compatible devices/AVDs

Run on Simulator 

Check option - Automatically pick compatible device : Always uses preferred AVD if set below, launches on compatible device/ AVD otherwise.

5.3. Execute Run button

How to setup a TURN Server for your WebRTC application ?

Get Started 

Developing a WebRTC application is easy, but solving the issue of NAT could be a difficult task. If you want to build your WebRTC environment without using any 3rd Party cloud solutions, I think you should take a look at an open source lib -  rfc5766-turn-server. Because it not only supports TURN, but also STUN. 

In this tutorial, you will learn how to set up a STUN & TURN server.

1.Download rfc5766-turn-server package

$ wget http://ftp.cn.debian.org/debian/pool/main/r/rfc5766-turn-server/rfc5766-turn-server_3.2.4.4-1_amd64.deb

2. Install

$ sudo apt-get update

$ sudo apt-get install gdebi-core

$ sudo gdebi rfc5766-turn-server_3.2.4.4-1_amd64.deb

Refer to docs in folder /usr/share/doc/rfc5766-turn-server

vim /opt/etc/turnserver.conf.default

3. Configuration

$ sudo vi /etc/turnserver.conf

// Setup IP address - listening-ip and external-ip are required to set up on EC2 of AWS.

listening-ip=172.31.4.37

external-ip=54.223.149.60

// If TURN server is used for WebRTC，please set long-term credential mechanism as shown below.

lt-cred-mech

// Add a user

user=weishihhsun:mypassword

// Setup realm

realm=mycompany.org

4. Start TURN Server

sudo turnserver -c /usr/local/etc/turnserver.conf --daemo

5. Setup TURN Server`s IP address

"iceServers": [{

   "url": "stun:stun.l.google.com:19302"

}, {

   "url": "turn:54.223.149.60",    // Your Server

   "username": "weishihhsun",  //  your Account

   "credential": "mypassword"   //  Your Password

}]

6. Open firewall`s ports

TCP 443

TCP 3478-3479

TCP 32355-65535

UDP 3478-3479

iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

iptables -A INPUT -p tcp -m tcp --dport 3478:3479 -j ACCEPT

iptables -A INPUT -p tcp -m tcp --dport 32355:65535 -j ACCEPT

iptables -A INPUT -p udp -m tcp --dport 3478:3479 -j ACCEPT

How to solve a network problem ?

Have you ever had a network problem due to packet lost or some unknown issues in your routers ? How could you find out those issues may be caused by your routers or Internet Service Provider ?

The following instructions will guide you how to figure it out.

// 1. Download mtr

http://rudix.org/packages/mtr.html

// 2. Execute the following command to check whether or not there is a packet lost problem in your network node.

sudo mtr -c 100 -r [target IP]

// 3. Then execute traceroute

traceroute [target IP]

You will know that the network node is shown in IP address or Domain Name.

If it is IP address, it probably could be the router; if it is the domain name, it might be your ISP`s network devices.

// 4 Download nmap
https://nmap.org/download.html

// 5. Dump router`s info and you can find out what your router is, so as to fix it.

nmap -A -T4 router IP

Ex:

EricWeis-MacBook-Air:~ EricWei$ nmap -A -T4 192.168.11.1

Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-07 23:33 JST

Stats: 0:01:47 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan

Service scan Timing: About 80.00% done; ETC: 23:35 (0:00:27 remaining)

Nmap scan report for buffalo.setup (192.168.11.1)

Host is up (0.027s latency).

Not shown: 995 closed ports

PORT      STATE SERVICE VERSION

53/tcp    open  domain  (status request not implemented)

80/tcp    open  http    Buffalo AirStation http config

| http-auth:

| HTTP/1.0 401 Unauthorized

|_  Basic realm=AirStation

|_http-title: UNAUTHORIZED

2601/tcp  open  zebra   Quagga routing software

2602/tcp  open  zebra   Quagga routing software

49152/tcp open  upnp    Intel UPnP reference SDK 1.2 (Linux 2.4.20; UPnP 1.0)

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

SF-Port53-TCP:V=7.12%I=7%D=7/7%Time=577E6838%P=x86_64-apple-darwin13.4.0%r

SF:(DNSVersionBindReq,20,"\0\x1e\x02G\x81\x85\0\x01\0\0\0\0\0\0\x07version

SF:\x04bind\0\0\x10\0\x03")%r(DNSStatusRequest,E,"\0\x0c\x02H\x90\x84\0\0\

SF:0\0\0\0\0\0");

Service Info: OS: Linux; Device: WAP; CPE: cpe:/o:linux:linux_kernel:2.4.20

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 141.69 seconds

Tutorial (2) : How to send Push Notifications to iPhone using Java ?

Generate aps_developer.p12 for JavaPNS

Download and Upzip openssl-0.9.8k_WIN32.zip

Goto windows dos command mode

// Convert aps_developer.cer to aps_developer.pem

openssl x509 -in aps_developer.cer -inform DER -out aps_developer.pem -outform PEM 

// Generate Push_Noenc.pem from PushChatCert.p12

openssl pkcs12 -nocerts -out Push_Noenc.pem -in PushChatCert.p12

// Output aps_developer.p12 for JavaPNS

openssl pkcs12 -export -in aps_developer.pem -inkey Push_Noenc.pem -certfile PushChat.certSigningRequest -name "aps_developer" -out aps_developer.p12

Obtain Device token from iOS

Add the following code in the method of AppDelegate.didFinishLaunchingWithOptions

IOS Code:

[[UIApplication sharedApplication] registerForRemoteNotificationTypes:(UIRemoteNotificationTypeAlert | UIRemoteNotificationTypeSound | UIRemoteNotificationTypeBadge)];  

To setup registerForRemoteNotificationTypes for app to receive notification message.

To extract device token by the following codes:

IOS Code: 

 - (void)application:(UIApplication *)app didRegisterForRemoteNotificationsWithDeviceToken:(NSData *)deviceToken {   
    NSString *token = [NSString stringWithFormat:@"%@", deviceToken];
    NSLog(@"My token is:%@", token);
}

- (void)application:(UIApplication *)app didFailToRegisterForRemoteNotificationsWithError:(NSError *)error {    
    NSString *error_str = [NSString stringWithFormat: @"%@", error];
    NSLog(@"Failed to get token, error:%@", error_str);
} 
 

iOS device needs to implement two features: one is to register app as receiving notification type, the other is to send its token to backend JavaPNS via HTTP or TCP protocol.

Setup JavaPNS Sample code

Please add the following .jar library in your project:

1. bcprov-jdk15-146.jar

2. log4j-1.2.15.jar

3. JavaPNS_2.2.jar ( unzip JavaPNS_2.2_complete.zip )

4. Compile the source code : PushTest.java

(PS: Or simply import the testSample code by eclipse and run it)

  

JavaPNS needs certificate aps_developer.p12, and iOS token id to accomplish the function of sending Push Messages. The following codes below detail how to make it work.

public static void main(String[] args) {

                       

                        // iOS Private key as a p12 file exported by MAC

                        String keynotePath = "aps_developer.p12";

                       

                        // iOS developer certificate password exported by MAC

                        String password = "Your Pasword";

                       

                        // iOS device Token id

                        String token = "Your Device Token";

                       

                        // Test environment: Production or Sandbox(simulation)

                        String environment = "simulation";

                       

                        // Push message mode: Simple or complex or thread

    // Simple: Simple msg, complex: complex message, thread: Add multiple threads support

                        String pushMode = "complex";

                       

                        // Number of received devices

                        String deviceNum = "1";

                       

                        // Number of sender threads

                        String threadNum = "1";

                       

                        /* Initialize Log4j to print logs to console */

                        configureBasicLogging();

                        /* Push an alert */

                        try {

pushTest(keynotePath, password, token, environment, pushMode, deviceNum, threadNum);

                                   

                        } catch (CommunicationException e) {

                                    e.printStackTrace();

                        } catch (KeystoreException e) {

                                    e.printStackTrace();

                        }

            }

How to generate iOS development certificate for Push Server ?

// For Development Environment
// Convert aps_developer.cer to aps_developer.pem
openssl x509 -in aps_development.cer -inform DER -out aps_developer.pem -outform PEM

// Generate Push_Noenc.pem from PushChatCert.p12
openssl pkcs12 -nocerts -out Push_Noenc.pem -in PushChatCert.p12   // Input your password

// Output aps_developer.p12 for JavaPNS
openssl pkcs12 -export -in aps_developer.pem -inkey Push_Noenc.pem -certfile Push.certSigningRequest -name "aps_developer" -out aps_developer.p12

How to generate iOS Production certificate for Push Server?

// For Production
// Convert aps_developer.cer to aps_developer.pem
openssl x509 -in aps_production.cer -inform DER -out aps_production.pem -outform PEM

// Generate Push_Noenc.pem from PushChatCert.p12
openssl pkcs12 -nocerts -out Push_Noenc.pem -in PushChatCert.p12 

// Output aps_developer.p12 for JavaPNS
openssl pkcs12 -export -in aps_production.pem -inkey Push_Noenc.pem -certfile Push.certSigningRequest -name "aps_production" -out aps_production.p12

Next  - Tutorial(1) : How to send Push Notifications to Android using Java ?